Open Hardware Board For Robust USB Power Monitoring

We’ve all seen the little USB power meters that have become popular since nearly every portable device has adopted some variation of USB for charging. Placed between the power source and the device under test, they allow you to see voltage and current in real time. Perfect for determining how long you’ll be able to run a USB powered device on batteries, or finding out if a USB power supply has enough current to do the business.

[Jonas Persson] liked the idea of these cheap little gadgets, but wanted something a bit more scientific. His design, which he refers to as UPM, is essentially a “smart” version of those ubiquitous USB gadgets. Instead of just showing the data on a little LCD screen, it can now be viewed on the computer and analyzed. His little gadget even allows you to cut power to the device under test, potentially allowing for automated testing of things such as inrush current.

Essentially the UPM works in much the same way as the simple USB meters: one side of the device goes towards the upstream power source, and the device under test plugs into the other side. Between the two devices is a 16 bit ADC and differential amplifier which measures the voltage and current. There’s a header on the board which connects to the ADC if you wanted to connect the UPM to an external microcontroller or other data logging device.

But most likely you would be using the internal microcontroller to analyze the output of the ADC over I2C, which [Jonas] very cleverly connected to the upstream port with an integrated USB hub. One side of the hub goes off to the device being tested, and the other to the microcontroller. So the host device will see both the UPM’s integrated microcontroller and the target device at the same time. From there, you can use the ncurses user interface to monitor and control the device in real-time.

While the hardware looks more or less finished, [Jonas] has some more plans for the software side of UPM, including support for remote control and monitoring over TCP/IP as well as robust logging capabilities. This is definitely a very interesting project, and we’re excited to see it develop further.

In the past we’ve seen homebrew USB power meter builds, and even commercial offerings which boasted computer-based logging and analysis, so it was only a matter of time before somebody combined them into one.

From SPIDriver to I2CDriver

Communicating with microcontrollers and other embedded systems requires a communications standard. SPI is a great one, and is commonly used, but it’s not the only one available. There’s also I2C which has some advantages and disadvantages compared to SPI. The problem with both standards, however, is that modern computers don’t come with either built-in. To solve that problem and allow easier access to debugging in SPI, [James Bowman] built the SPIDriver a few months ago, and is now back by popular demand with a similar device for I2C, the I2CDriver.

Much like the SPIDriver, the I2C driver is a debugging tool that can be used at your computer with a USB interface. Working with I2C is often a hassle, with many things going on all at once that need to sync up just right in order to work at all, and this device allows the user to set up I2C devices in a fraction of the time. To start, it has a screen built in that shows information about the current device, like the signal lines and a graphical decoding of the current traffic. It also shows an address space map, and has programmable pullup resistors built in, and can send data about the I2C traffic back to its host PC for analysis.

The I2CDriver is also completely open source, from the hardware to the software, meaning you could build one from scratch if you have the will and the parts, or make changes to the code on your own to suit your specific needs. If you’re stuck using SPI still, though, you can still find the original SPIDriver tool to help you with your debugging needs with that protocol as well.

Arduino Gets a Command Line Interface

When using an Arduino, at least once you’ve made it past blinking LEDs, you might start making use of the serial connection to send and receive information from the microcontroller. Communicating with the board while it’s interacting with its environment is a crucial way to get information in real-time. Usually, that’s as far as it goes, but [Pieter] wanted to take it a step farther than that with his command line interpreter (CLI) for the Arduino.

The CLI allows the user to run Unix-like commands directly on the Arduino. This means control of GPIO and the rest of the features of the microcontroller via command line. The CLI communicates between the microcontroller and the ANSI/VT100 terminal emulator of your choosing on your computer, enabling a wealth of new methods of interacting with an Arduino.

The CLI requires a hex file to be loaded onto the Arduino that you can find at a separate site, also maintained by [Pieter]. Once that’s running, you can get all of that sweet command line goodness out of your Arduino. [Pieter] also has some examples on his project page, as well as the complete how-to to get this all set up and running. There’s a lot going on in the command line world, in Linux as well as windows. So there’s plenty to explore there as well.

Rooting the Amazon Fire TV Cube with an Arduino

Amazon might not be happy about it, but at least part of the success of their Fire TV Stick was due to the large hacking and modification scene that cropped up around the Android-powered device. A quick search on YouTube for “Fire Stick Hack” will bring up a seemingly endless array of videos, some with millions of views, which will show viewers how to install unofficial software on the little media dongle. Now it looks like their latest media device, the Fire TV Cube, is starting to attract the same kind of attention.

The team at [Exploitee.rs] has recently taken the wraps off their research which shows the new Fire TV Cube can be rooted with nothing more than an Arduino and an HDMI cable you’re willing to cut apart. Of course, it’s a bit more complicated than just that, but between the video they’ve provided and their WiKi, it looks like all the information is out there for anyone who wants to crack open their own Cube. Just don’t be surprised if it puts you on the Amazon Naughty List.

The process starts by putting the device’s Amlogic S905Z into Device Firmware Upgrade (DFU) mode, which is done by sending the string “boot@USB” to the board over the HDMI port’s I2C interface. That’s where the HDMI cable comes in: you can cut into one and wire it right up to your Arduino and run the sketch [Exploitee.rs] has provided to send the appropriate command. Of course, if you want to get fancy, you could use an HDMI breakout board instead.

With the board in DFU mode in you gain read and write access to the device’s eMMC flash, but that doesn’t exactly get you in because there’s still secure boot to contend with. But as these things tend to go, the team was able to identify a second exploit which could be used in conjunction with DFU mode to trick the device into disabling signature verification. Now with the ability to run unsigned code on the Fire TV Cube, [Exploitee.rs] implemented fastboot to make it easier to flash their custom rooted firmware images to the hardware.

As with the Fire TV Stick before it, make sure you understand the risks involved when you switch off a device’s security features. They’re often there to protect the end user as much as the manufacturer.

Continue reading “Rooting the Amazon Fire TV Cube with an Arduino”

Drawing On an OLED with an ATtiny85, No RAM Buffers Allowed

Small I2C OLED displays are common nowadays, and thanks to the work of helpful developers, there are also a variety of graphics libraries for using them. Most of them work by using a RAM buffer, which means that anything one wants to draw gets written to a buffer representing the screen, and the contents of that buffer are copied out to the display whenever it is updated. The drawback is that for some microcontrollers, there simply isn’t enough RAM for this approach to work. For example, a 128×64 monochrome OLED requires a 1024 byte buffer, but that’s bad news if a microcontroller has only 512 bytes of RAM in total like the ATtiny85. [David Johnson-Davies] has two solutions: a Tiny Graphics Library that needs no RAM buffer and an even slimmer Tiny Function Plotter, which we’ll discuss in order.

Tiny Function Plotter works on both SSD1306 and SH1106-based displays.

[David]’s Tiny Graphics Library works by taking advantage of a feature of SH1106 driver-based displays: the ability to read the display over I2C as well as write to it. With the ability to perform read-modify-write on a section at a time, using a large RAM buffer can be avoided. The only catch is that the library only works with OLEDs using the SH1106, but the good news is that these are very common at the usual Chinese resellers. ([David] notes that SH1106 is sometimes misspelled as “SSH1106”, so keep that in mind when searching.)

What about all those other SSD1306-based OLED displays out there? Are they out of luck? Not quite. [David] has one more trick up his sleeve: his Tiny Function Plotter works on the SSD1306 and also requires no RAM buffer. It’s unable to write text, but it can easily handle drawing graphs plotting things like values over time while needing very little overhead.

Another approach we’ve seen for using OLEDs driven by microcontrollers with limited memory is the solution [Michael] used in Tiny Sideways Tetris, which was done in part by realizing the smallest screen element he needed was a 4×4 block, and using that premise as the basis of a simple compression scheme.

Building a Proof of Concept Hardware Implant

You’ve no doubt heard about the “hardware implants” which were supposedly found on some server motherboards, which has led to all sorts of hand-wringing online. There’s no end of debate about the capabilities of such devices, how large they would need to be, and quite frankly, if they even exist to begin with. We’re through the looking-glass now, and there’s understandably a mad rush to learn as much as possible about the threat these types of devices represent.

EEPROM (left) can be edited to enable SMBus access on this card (header to the right)

[Nicolas Oberli] of Kudelski Security wanted to do more than idly speculate, so he decided to come up with a model of how an implanted hardware espionage device could interact with the host system. He was able to do this with off the shelf hardware, meaning anyone who’s so inclined can recreate this “Hardware Implant Playset” in their own home lab for experimentation. Obviously this is not meant to portray a practical attack in terms of the hardware itself, but gives some valuable insight into how such a device might function.

One of the most obvious attack vectors for hardware implants is what’s known as the Baseboard Management Controller (BMC). This is a chip used on modern motherboards to allow for remote control and monitoring of the system’s hardware, and promises to be a ripe target for attackers. There are a few sideband channels which can be used by the BMC chip to talk to other chips. To keep things simple [Nicolas] focused on the older I2C-derived SMBus (rather than the newer and more complex NC-SI), demonstrating what can be done once you have control of that bus.

Only problem was, he didn’t have a motherboard with a BMC to experiment with. After a little research, the answer came in the form of the Intel EXPI9301CTBLK network card, which features the 82574L SMBus chip. This allows for experimenting with a subset of SMBus functionality on any machine with a PCI-E slot. Even better, the card has an SMBus header on the top to plug into. [Nicolas] describes in detail how he enabled the SMBus interface by modifying the card’s EEPROM, which then allowed him to detect it with his HydraBus.

With the hardware setup, the rest of the write-up focuses on what you can do with direct control of SMBus on the network card. [Nicolas] demonstrates not only creating and sending Ethernet packets, but also intercepting an incoming packet. In both cases, a running instance of tcpdump on the host computer fails to see the packets even exist.

He goes on to explain that since SMBus is very similar to I2C and only requires four wires, the techniques shown could easily be moved from the Hydrabus dev board used in the demo, to a small microcontroller like the ATtiny85. But you would still need to find a way to add that microcontroller directly onto the network card without it being obvious to the casual observer.

Our previous coverage of suspected hardware implants sparked considerable discussion, and it looks like no matter what side of the fence you’re on, the debate isn’t going away anytime soon.

I2C Bootloader for ATtiny85 Lets Other Micros Push Firmware Updates

There are a few different ways of getting firmware onto one of AVR’s ATtiny85 microcontrollers, including bootloaders that allow for firmware to be updated without the need to plug the chip into a programmer. However, [casanovg] wasn’t satisfied with those so he sent us a tip letting us know he wrote an I2C bootloader for the ATtiny85 called Timonel. It takes into account a few particulars of the part, such as the fact that it lacks a protected memory area where a bootloader would normally reside, and it doesn’t have a native I2C interface, only the USI (Universal Serial Interface). He’s just released the first functional version for the ATtiny85, but there’s no reason it couldn’t be made to work with the ATtiny45 and ATtiny25 as well.

Timonel is designed for systems where there is a more powerful microcontroller or microprocessor running the show (such as an ESP8266, Arduino, or even a board like a Raspberry Pi.) In designs where the ATtinys are on an I2C bus performing peripheral functions such as running sensors, Timonel allows the firmware for these peripheral MCUs to be updated directly from the I2C bus master. Embedded below is a video demo of [casanovg] sending simple serial commands, showing a successful firmware update of an AVR ATtiny85 over I2C.

Continue reading “I2C Bootloader for ATtiny85 Lets Other Micros Push Firmware Updates”