Being An SPI Slave Can Be Trickier Than It Appears

Interfacing with the outside world is a fairly common microcontroller task. Outside of certain use cases microcontrollers are arguably primarily useful because of how easily they can interface with other devices. If we just wanted to read and write some data we wouldn’t have gotten that Arduino! But some tasks are more common than others; for instance we’re used to being on the master side of the interface equation, not the slave side. (That’s the job for the TI engineer who designed the temperature sensor, right?) As [Pat] discovered when mocking out a missing SPI GPIO extender, sometimes playing the other role can contain unexpected difficulties.

The simple case for a SPI slave is exactly that: simple. SPI can be wonderful in its apparent simplicity. Unlike I2C there are no weird addressing schemes, read/write bits, stop and start clock conditions. You toggle a clock line and a bit of data comes out, as long as you have the right polarity schemes of course. As a slave device the basic algorithm is of commensurate complexity. Set up an interrupt on the clock pin, wait for your chip select to be asserted, and on each clock edge shift out the next bit of the current word. Check out [Pat]’s eminently readable code to see how simple it can be.

But that last little bit is where the complexity lies. When you’re the master it’s like being the apex predator, the king of the jungle, the head program manager. You dictate the tempo and everyone on the bus dances to the beat of your clock edge. Sure the datasheet for that SRAM says it can’t run faster than 8 MHz but do you really believe it? Not until you try driving that clock a little quicker to see if there’s not a speedier transfer to be had! When you’re the slave you have to have a bit ready every clock edge. Period. Missing even a single bit due to, say, an errant print statement will trash the rest of the transaction in ways which are hard to detect and recover from. And your slave code needs to be able to detect those problems in order to reset for the next transaction. Getting stuck waiting to send the 8th bit of a transaction that has ended won’t do.
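The recovery rule described above, sketched as an added example (this is not [Pat]’s code). It assumes SPI mode 0 and MSB-first transfers; the struct, the handler names and the simulated master are hypothetical, and on real hardware the three handlers would be pin-change interrupts on chip select and clock.

```c
#include <stdint.h>
#include <stddef.h>

/* Hypothetical slave state for SPI mode 0, MSB first. */
struct spi_slave {
    const uint8_t *tx;      /* bytes to shift out */
    size_t tx_len, byte_idx;
    uint8_t bit_idx;        /* bits already sent from the current byte */
    int selected, miso;     /* CS state and the level driven on MISO */
    unsigned aborted;       /* transactions that ended mid-byte */
};

static void drive_bit(struct spi_slave *s) {
    uint8_t b = s->byte_idx < s->tx_len ? s->tx[s->byte_idx] : 0xFF;
    s->miso = (b >> (7 - s->bit_idx)) & 1;
}
/* CS asserted: always restart at bit 0 of byte 0, whatever came before. */
void on_cs_fall(struct spi_slave *s) {
    s->selected = 1; s->byte_idx = 0; s->bit_idx = 0;
    drive_bit(s);
}
/* Falling clock edge: the master has sampled, so present the next bit. */
void on_sclk_fall(struct spi_slave *s) {
    if (!s->selected) return;           /* ignore clocks meant for others */
    if (++s->bit_idx == 8) { s->bit_idx = 0; s->byte_idx++; }
    drive_bit(s);
}
/* CS released: the transaction is over even if a byte was left unfinished. */
void on_cs_rise(struct spi_slave *s) {
    if (s->selected && s->bit_idx != 0) s->aborted++;
    s->selected = 0; s->byte_idx = 0; s->bit_idx = 0;
}
/* Constructed master for the demo: clock nbits, return them MSB first. */
uint32_t master_read(struct spi_slave *s, unsigned nbits) {
    uint32_t rx = 0;
    on_cs_fall(s);
    for (unsigned i = 0; i < nbits; i++) {
        rx = (rx << 1) | (uint32_t)s->miso;   /* rising edge: sample MISO */
        on_sclk_fall(s);
    }
    on_cs_rise(s);
    return rx;
}
int main(void) {
    static const uint8_t regs[] = {0xA5, 0x3C};   /* constructed sample data */
    struct spi_slave s = { .tx = regs, .tx_len = 2 };
    master_read(&s, 5);                 /* master gives up after five bits */
    return (master_read(&s, 16) == 0xA53C && s.aborted == 1) ? 0 : 1;
}
```

Because the bit counter is cleared on both chip-select edges, the truncated five-bit transfer is counted as aborted and the following 16-bit read still starts at the first bit of the first byte.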

Check out [Pat]’s very friendly post for a nice refresher on SPI and their discoveries working through the problems of building a SPI slave. There are some helpful tips about how to keep things responsive in a device performing other tasks.

Malicious Component Found On Server Motherboards Supplied To Numerous Companies

This morning Bloomberg is reporting a bombshell for hardware security. Companies like Amazon and Apple have found a malicious chip on their server motherboards. These are not counterfeit chips. They are not part of the motherboard design. These were added by the factory at the time of manufacture. The chip was placed among other signal conditioning components and is incredibly hard to spot as the nature of these motherboards includes hundreds of minuscule components.

Though Amazon and Apple have denied it, according to Bloomberg, a private security contractor in Canada found the hidden chip on server motherboards. Elemental Technologies, acquired by Amazon in 2015 for its video and graphics processing hardware, subcontracted Supermicro (Super Micro Computer, Inc.) to manufacture their server motherboards in China. It is unknown how many of the company’s products have this type of malicious hardware in them. Equipment from Elemental Technologies has been supplied to the likes of government contractors as well as major banks and even reportedly used in the CIA’s drone operations.

How the Hack Works

The attack works by implanting a small chip, disguised as a signal coupler, onto the motherboard. It is unclear how the chip gains access to the peripherals such as memory (as reported by Bloomberg) but it is possible it has something to do with accessing the bus. The chip controls some data lines on the motherboard that likely provide an attack vector for the baseboard management controller (BMC).

Hackaday spoke with Joe FitzPatrick (a well-known hardware security guru who was quoted in the Bloomberg article). He finds this reported attack a very believable approach to compromising servers. His take on the BMC is that it’s usually an ARM processor running an ancient version of Linux that has control over the major parts of the server. Any known vulnerability in the BMC would be an attack surface for the custom chip.

Data centers house thousands of individual servers that see no physical interaction from humans once installed. The BMC lets administrators control the servers remotely to reboot malfunctioning equipment among other administrative tasks. If this malicious chip can take control of the BMC, then it can provide remote access to whoever installed the chip. Reported investigations have revealed the hack in action with brief check-in communications from these chips, though it’s difficult to say if they had already served their purpose or were being saved for a future date.

What Now?

Adding hardware to a design is fundamentally different than software-based hacking: it leaves physical evidence behind. Bloomberg reports on US government efforts to investigate the supply chain attached to these parts. It is worth noting though that the article doesn’t include any named sources while pointing the finger at China’s People’s Liberation Army.

The solution is not a simple one if servers with this malicious chip were already out in the field. Even if you know a motherboard has the additional component, finding it is not easy. Bloomberg also has unconfirmed reports that the next-generation of this attack places the malicious component between layers of the circuit board. If true, an x-ray would be required to spot the additional part.

A true solution for high-security applications will require specialized means of making sure that the resulting product is not altered in any way. This hack takes things to a whole new level and calls into question how we validate hardware that runs our networks.

Update: We changed the penultimate paragraph to include the word if: “…simple one if servers with…” as it has not been independently verified that servers were actually out in the field and companies have denied Bloomberg’s reporting that they were.

[Note: Image is a generic photo and not the actual hardware]

Show That Sega Saturn Save Battery Who’s Boss

Breaking the Sega Saturn out of the closet for a hit of ’90s nostalgia comes with its own set of compromises: the wired controllers, the composite video, and worst of all that dead CR2032 battery behind the backdoor. Along with the death of that battery went your clock and all those precious hours put into your game save files. While the bulk of us kept feeding the insatiable SRAM, a friendly Canadian engineer named [René] decided to fix the problem for good with FRAM.

The issue with the battery-backed memory in the Saturn stems from the particularly power-hungry factory-installed SRAM chip. Normally when the console is plugged in to a main power source the CR2032 battery is not in use, though after several weeks in storage the battery slowly discharges. [René]’s proposed solution was to use a non-volatile form of RAM chip that would match the pinout of the factory SRAM as closely as possible. This would allow for easier install with the minimum number of jumper wires.

Enter the FM1808 FRAM chip complete with a whopping 256 kb of addressable memory. The ferroelectric chip operates at the same voltage as the Saturn’s factory SRAM, and has the added benefit of being able to use a read/write mode similar to that of the Saturn’s original memory chip. Both chips conform to a DIP-28 footprint, and only a single jumper wire on pin 22 was required to hold the FM1808 chip’s output-enable signal active-low as opposed to the active-high enable signal on the Saturn’s factory memory chip. The before and after motherboard photos are below:

After a quick test run of multiple successful reads and writes to memory, [René] unplugged his Saturn for a couple of days and found that his save files had been maintained. According to the FM1808 datasheet, they should be there for the next 45 years or so. The only downside to the upgrade is that the clock & calendar settings were not maintained upon boot-up and reset to the year 1996. But that’s nothing a bit of button-mashing couldn’t solve, because after all wasn’t the point of all this to relive a piece of the 90s?

For more Sega Saturn goodness, check out how the Sega Saturn was finally cracked after 20 years.

Badgelife, The Hardware Demoscene Documentary

Last week, tens of thousands of people headed home from Vegas, fresh out of this year’s DEF CON. This was a great year for DEF CON, especially when it comes to hardware. This was the year independent badges took over, thanks to a small community of people dedicated to creating small-run hardware, puzzles, and PCB art for thousands of conference-goers. This is badgelife, a demoscene of hardware, and this is just the beginning. It’s only going to get bigger from here on out.

We were lucky enough to sit down with a few of the creators behind the badges of this year’s DEF CON and the interviews were fantastic. Right here is a lesson on electronic design, manufacturing, and logistics. If you’ve ever wanted to be an engineer that ships a product instead of a lowly maker that ships a product, this is the greatest classroom in the world.


H2gO Keeps Us From Drying Out

The scientific community cannot always agree on how much water a person needs in a day, and since we are not Fremen, we should give it more thought than we do. For many people, remembering to take a sip now and then is all we need and the H2gO is built to remind [Angeliki Beyko] when to reach for the water bottle. A kitchen timer would probably get the job done, but we can assure you, that is not how we do things around here.

A cast silicone droplet lights up to show how much water you have drunk and pressing the center of the device means you have taken a drink. Under the hood, you find a twelve-node NeoPixel ring, a twelve millimeter momentary switch, and an Arduino Pro Mini holding it all together. A GitHub repo is linked in the article where you can find Arduino code, the droplet model, and links to all the parts. I do not think we will need a device to remind us when to use the bathroom after all this water.

Another intrepid hacker seeks to measure a person’s intake while another measures output.


SPIDriver Shows You What’s Going On

When you’re debugging two bits of electronics talking SPI to each other, there’s a lot that can go sideways. Starting from the ground up, the signals can be wrong: data not synced with clocks right, or phase inverted. On top of that, the actual data sent needs to make sense to the receiving device. Are you sending the right commands?

When nothing’s working, you’re fighting simultaneously on these two fronts and you might need different tools to debug each. An oscilloscope works great at the physical layer, while something like a Bus Pirate or fancier logic analyzer works better at the data layer because it can do parsing for you. [James Bowman]’s SPIDriver looks to us like a Bus Pirate with a screen — giving you a fighting chance on both fronts.

SPIDriver also has a couple more tricks up its sleeve: a voltage and current monitor for the device under test, so you don’t even have to break out your multimeter when you’re experiencing random resets. We asked [James] if these additions had a sad history behind them. He included this XKCD.

Everything about SPIDriver is open, so you can check out the hardware design, browse the code, and modify any and all of it to your taste. And speaking of open, [James] is also the man behind the Gameduino and an amazing FPGA Forth soft-CPU.

It’s fully crowd-funded, but it closes in a couple of days so if you want one, get on it soon.

And if you want to learn more about SPI debugging, we’ve written up a crash-course. With the gear and the know-how, you at least stand a fighting chance.

This Is The Year Conference Badges Get Their Own Badges

Over the last few years, the art and artistry of printed circuit boards has moved from business cards to the most desirable of all disposable electronics. I speak, of course, of badgelife. This is the community built on creating and distributing independent electronic conference badges at the various tech and security conferences around the globe.

Until now, badgelife has been a loose confederation of badgemakers and distributors outdoing themselves each year with ever more impressive boards, techniques, and always more blinky bling. The field is advancing so fast there is no comparison to what was being done in years past; where a simple PCB and blinking LED would have sufficed a decade ago, now we have customized microcontrollers direct from the factory, fancy new chips, and the greatest art you’ve ever seen.

Now we have reached a threshold. The badgelife community has gotten so big, the badges are getting their own badges. This is the year of the badge add-on. We’re all building tiny trinkets for our badges, and this time, they’ll all work together. We’re exactly one year away from a sweet Voltron robot made of badges.
