rp2040

148 Articles

Dumping script window, showing the bytes being dumped one by one from the STM chip

Need To Dump A Protected STM32F0x? Use Your Pico!

February 5, 2023 by 21 Comments

Sometimes, security mechanisms can be bypassed if you just do things slightly out of the ordinary. For instance, readout protection on microcontrollers is a given nowadays, to the point where it’s intentionally enabled and relied upon as a major technical measure to protect intellectual property. The gist is — when you connect to a microcontroller over its debug interface and then ask to read its flash memory, it will politely refuse. However, [Racerxdl] shows us that in practice, it’s not flawless protection – for certain chips, you just need to be a little quicker than usual.

Usually, flashing and debugging software will chat with the microcontroller for a bit, and probe parameters before going for any direct requests. However, if you skip the courtesy and bluntly get to the point immediately right after power is applied to the microcontroller, you can intimidate them just enough to give you one byte of its memory before it refuses to cooperate further. Since that can be any byte you wish, you can read the entire flash — one byte at a time.

You need to power cycle the chip before you can progress, so the hardware does involve a bit more than just an SWD interface, and it will take a fair bit more time than reading out a non-protected chip the usual way; plus, of course, the debugging interface needs to be active for this in the first place, which isn’t always the case. However, it still beats paying a few thousand dollars for a factory in China to decap your chip and read it out using a fancy machine.

[Racerxdl] didn’t just write a proof-of-concept for this attack – they implemented it for one of our favourite chips, the RP2040. As such, you no longer need an unobtainium STM32 to dump an unobtainium STM32.

To be clear, [Racerxdl] didn’t design this attack — it’s been around for some time now. Credit for that goes to Johanes Obermaier. All in all, this is a wonderful reminder that seemingly reliable security mechanisms can be foiled by the simplest tricks. For instance, if your chip erases the flash when you unlock its protection, you can just tell it not to.

Building A Fake Printer To Grab Screenshots Off The Parallel Port

February 3, 2023 by 36 Comments

[Tom Verbeure] recently found himself lamenting the need to take screen grabs from an Advantest R3273 spectrum analyzer with a phone camera, as the older gear requires you to either grab tables of data over an expensive GPIB interface card, or print them to paper. Then he realized, why not make a simple printer port add-on that looks like a printer, but sends the data over USB as a serial stream?

On the hardware side, the custom PCB (KiCAD project) is based on the Raspberry Pi Pico. Obvious form factor issues aside ([Tom] did revise the PCB to make it smaller) this is a shrewd move, as this is not a critical-path gadget so using the Pico as a USB-to-thing solution is a cost-effective way to get something working with minimal risk. One interesting design point was the use of the 74LVC161284 special function bus interface that handles the 5 V tolerance that the RP2040 lacks, whilst making the project compliant with IEEE-1284 — useful for the fussier instruments.

Using the service manual of the Sharp AP-PK11 copier/printer as a reference, [Tom] again, shows how to correctly use the chip, minimizing the design effort and scope for error. The complete project, with preliminary firmware and everything needed to build this thing, can be found on the project GitHub page. [Tom] does add a warning however that this project is still being worked on so adopters might wish to bear that in mind.

If you don’t own such fancy bench instrumentation, but grabbing screenshots from devices that don’t normally support it, is more your thing, then how about a tool to grab Game Boy screenshots?

Picture of the dumper board, with a ROM chip and a Pi Pico inserted

A Disposable Dumper For ROM Chips With A Pi Pico

February 2, 2023 by 26 Comments

ROM dumping is vital for preserving old hardware, and we’ve seen many hacks dedicated to letting someone dump a ROM and send its contents to some hacker stuck with a piece of technology that lost its firmware. However, that requires ROM dumping tools of some kind, and it’s often that the lucky ROM-equipped hacker doesn’t own such tools. Now, you could mail the chip to someone else, but postal services in many countries are known to be UDP-like — lossy and without delivery guarantees. The risk of leaving both hackers without a ROM chip is quite real, so, instead of mailing ROM chips or expensive devices around, [Amen] proposes a cheap and disposable flash dumping tool that you could mail instead.

The ROMs in question are 24-pin 2332 and 2364 chips, which run at 5 V and can easily be read with any microcontroller. Thus, his concept is a very simple board, with a Pi Pico and flash chip socket on it, as well as some resistors. Those are used to provide rudimentary GPIO over-voltage protection, since the RP2040 runs its GPIOs at 3.3 V. All the magic is in the software – the tool can both write the chip contents in the RP2040’s internal memory, as well as dump it over USB to the computer. Everything is open-source – if you ever need to dump a rare chip on the other side of the world, modify the design to your liking, order a few copies and then mail them to the hacker involved – losing such a package is way less significant than losing a ROM chip with last-of-its-kind firmware on it.

Old ROM chips are dying out, causing whole generations of hardware, like synths, to fade away – with tools like this one, you can lend a hand in preserving the legacy of many an industry and hobby, and many hackers do. Looking to learn about the basics of parallel flash dumping? This post from 2012 will be a good start, and then check out a more recent venture to learn how things are done with more recent parts.

Generating PAL Video With A Heavily Overclocked Pi Pico

January 24, 2023 by 19 Comments

Barely a week goes by without another hack blessing the RP2040 with a further interfacing superpower. This time it’s the turn of the humble PAL standard composite video interface. As many of us of at least a certain vintage will be familiar with, the Phase Alternate Line (PAL to friends) standard was used mainly in Europe (not France, they used SECAM like Russia, China, and co) and Australasia, and is a little different from the much earlier NTSC standard those in the US may fondly recollect. Anyway, [Fred] stresses that this hack isn’t for the faint-hearted, as the RP2040 needs one heck of an overclock (up to 312 MHz, some 241% over stock) to be able to pull off the needed amount of processing grunt. This is much more than yet another PIO hack.

The dual cores of the RP2040 are really being pushed here. The software is split into high and low-level functions, with the first core running rendering the various still images and video demos into a framebuffer. The second core runs in parallel and deals with all the nitty-gritty of formatting the frame buffer into a PAL-encoded signal, which is then sucked out by the DMA and pushed to the outside world via the PIO. There may be a few opportunities for speeding the code up even more, but [Fred] has clearly already done a huge amount of work there, just to get it working at all. The PIO code itself is very simple but is instructive as a good example of how to use multiple chained DMA channels to push data through the PIO at the fastest possible rate.

Continue reading “Generating PAL Video With A Heavily Overclocked Pi Pico”

RP2040 DMA Hack Makes Another ‘CPU Core’

January 20, 2023 by 16 Comments

[Bruce Land] of Cornell University will be a familiar name to many Hackaday readers, searching the site for ‘ECE4760′ will bring up many interesting topics around embedded programming. Every year [Bruce] releases yet more of the students’ work out into the wild to our great delight. This RP2040-based project is a bit more abstract than some previous work and shows yet another implementation of an older hack to utilise the DMA hardware of the RP2040 as another CPU core. While the primary focus of the RP2040 DMA subsystem is moving data between memory spaces, with minimal CPU intervention, the DMA control blocks have some fairly complex behaviour. This allows for a Turing-complete CPU to be implemented purely with the DMA hardware and a sprinkling of memory.

The method ties up three of the twelve DMA channels, and is estimated to have a similar performance to ‘an Arduino’ but [Bruce] doesn’t specify which one of the varied models that could be. But who cares anyway? Programming the CPU is a matter of leveraging the behaviour of the hardware, which is all memory mapped and targetable by the DMA. For example, the CPU can waggle GPIO pins by using the DMA to write values to the peripheral address space. The basic flow can be seen in the image above. DMA0 is used as the program counter, which points DMA1 to an array of DMA control blocks, a sequence of which codes for some of the ‘opcodes’ of the CPU model. DMA0 chains to (hands over control to) DMA1 which reads the control blocks and configures itself accordingly. DMA1 performs whatever data move is programmed, chains to DMA2, which in turn reprograms the DMA0 program counter to point to the next block in the list to be executed by DMA1.

Continue reading “RP2040 DMA Hack Makes Another ‘CPU Core’”

Gorgeous Sunflower Macropad Will Grow On You

January 7, 2023 by 3 Comments

Once [Hide-key] saw the likes of the banana and corn macro pads, they knew they had to throw their hat in this strange and wonderful ring. Some family members suggested a sunflower, and off they went looking for inspiring images, finally settling on a more iconic and less realistic design which we think is quite beautiful.

This lovely little macro pad has seven keys hiding under those petals, with the eighth major petal concealing a XIAO RP2040 microcontroller. The rest of the major petals actuate a low-profile Kailh choc in — what else? — brown. Don’t worry, the middle isn’t a wasteland — there’s a low-profile rotary encoder underneath. Part of the reason this flower looks so great is that [Hide-key] started with SLA prints, but the paint choices are aces as well. If you’d like to grow your own sunflower, everything about this garden is open-source.

Oh yes, we totally covered the banana and the banana split, though we must have missed out on the corn. We hear that when you try it with butter, everything changes.

Via KBD #109

a Pi Pico on a breadboard, running a 7-segment counter gateware, with a 7-segment digit and a pushbutton next to the Pico

Want To Play With FPGAs? Use Your Pico!

December 31, 2022 by 21 Comments

Ever want to play with an FPGA, but don’t have the hardware? Now, if you have one of those ever-abundant Pi Picos, you can start playing with Verilog without getting an FPGA board. The FakePGA project by [tvlad1234], based on the Verilator toolkit, provides you with a way to compile Verilog into C++ for the RP2040. FakePGA even integrates RP2040 GPIOs so that they work as digital pins for the simulated GPIOs, making it a significant step up from computer-aided FPGA code simulation

[tvlad1234] provides instructions for setting this up with Linux – Windows, though untested, could theoretically run this through WSL. Maximum clock speed is 5KHz – not much, but way better than not having any hardware to test with. Everything you’d want is in the GitHub repo – setup instructions, Verilog code requirements, and a few configuration caveats to keep in mind.

We cover a lot of projects where FPGAs are used to emulate hardware of various kinds, from ISA cards to an entire Game BoyCPU emulation on FPGAs is basically the norm — it’s just something easy to do with the kind of power that an FPGA provides. Having emulation in the opposite direction is unusual,  though, we’ve seen FPGAs being emulated with FPGAs, so perhaps it was inevitable after all. Of course, if you have neither a Pico nor an FPGA, there’s always browser based emulators.

Continue reading “Want To Play With FPGAs? Use Your Pico!”