[Hack a Day] 7 New Entries: Professional soldering guide

Professional soldering guide



Curious Inventor pointed out a cache of training materials provided by IPC. IPC is a trade organization that publishes standards for producing and evaluating electronics. They’re great looking full color guides that most hobbyists will probably never get their hands on. They have low resolution video demos as well. Go snag them now in case they go away!

      

PSP 3000 hacked


Peripheral manufacturer Datel has been hard at work attempting to crack the PSP 3000 since its release. They’ve developed the Lite Blue Tool battery to force the PSP into service mode so hackers can run any arbitrary code they want. According to MaxConsole, Datel performed a silicon level investigation of the PSP’s chips to determine how to break into service mode. This means they decapsulated the chips and reverse engineered any cryptographic protections. We’d love to hear exactly what chips were being used since some are fundamentally flawed.

Silicon hacking has always been a favorite topic of ours and we suggest you check out [Chris Tarnovsky]’s decapsulation technique to learn more about it.

      

iphone-dev team 3G soft unlock coming soon


The iphone-dev team has officially stated “all that remains is implementation“. They’ve developed all the pieces they need to perform a software unlock for the iPhone 3G, now it’s just a matter of putting them together in user friendly fashion. They’ve managed to run unsigned code on the baseband, developed custom AT tools, and are now showing injection of a background task. They will combine all of these techniques to override the carrier lock baseband code. As usual, they warn against performing any official firmware updates to the phone.

      

Augmented reality in Flash



Digital Pictures Interactive has put together a great augmented reality demo. Unlike many others, it’s entirely Flash based, so there’s no install necessary. Print out the custom symbol and try it out for yourself in your browser. Augmented reality refers to any mashup that combines computer generated content with a live video stream. We see great potential for this technology and the large number of consumer webcams would certainly help consumer adoption. Video demo embedded below.

[via Waxy]

      

How-to: The Bus Pirate, universal serial interface



We’re always excited to get a new chip or SIM card to interface, but our enthusiasm is often dampened by the prototyping process. Interfacing any chip usually means breadboarding a circuit, writing code, and hauling out the programmer; maybe even a prototyping PCB.

A few years ago we built the first ‘Bus Pirate’, a universal bus interface that talks to most chips from a PC serial terminal. Several standard serial protocols are supported at 3.3-5volts, including I2C, SPI, and asynchronous serial. Additional ‘raw’ 2- and 3-wire libraries can interface with almost any proprietary serial protocol. Since this has been such a useful tool for us, we cleaned up the code, documented the design, and released it here with specs, schematic, and source code.

Concept Overview



The Bus Pirate is a serial terminal bridge to multiple IC interface protocols. We type commands into a serial terminal on the computer. The commands go to the Bus Pirate through the PC serial port. The Bus Pirate talks to a microchip in the proper protocol, and returns the results to the PC.

All pins output 3.3volts, but are 5volt tolerant. On-board 3.3volt and 5volt power supplies are available to power the connected chip. Software configurable I2C pull-up resistors complete the package.


The serial terminal interface works with any system: PC, Mac, Linux, Palm Pilots, WinCE devices, etc; no crapware required. We considered a USB device, but USB isn’t compatible with the huge number of hand-held devices that have a serial port. We also wanted a 3.3volt device with 5volt tolerant inputs, but most popular through-hole USB microcontrollers were 5volt parts (e.g. the PIC18Fx550).

The Bus Pirate currently ‘speaks’ three hardware protocols for high-speed interfacing, and has two software protocol libraries for easy bus manipulation. The theory and specification of each protocol is beyond what we can cover here, but check out some of these tutorials:

I2C

A slow 2 wire bus. Wikipedia is a great place to start for I2C background. I2C-Bus.org, Robot Electronics, Embedded Systems Academy, and Embedded.com have decent I2C tutorials.

SPI

A simple 3 wire bus. Wikipedia has background; Embedded.com has a great tutorial and comparison to I2C.

Universal Asynchronous Receiver Transmitter (UART or serial)

A clock and timing dependent serial protocol best known for its appearance as the PC serial port protocol. Wikipedia has background on asynchronous serial protocols.

Raw 2 wire

This is a generic 2 wire protocol library, similar to I2C but without an ACK bit. I2C and many proprietary 2 wire protocols can be formed using the bus manipulations available in this mode. Use this library to work with non-I2C 2 wire devices, like smartcards or Sensirion SHT11 temperature/humidity sensors.

Raw 3 wire

This is a generic 3 wire protocol library, similar to SPI but without the constraints of a hardware module. Use this library to work with devices that use non-8bit compatible 3-wire protocols, like the Sparkfun Nokia 6100 LCD knock-off. Many 3 wire protocols can be formed using the bus manipulations available in this mode.

Hardware


Click for a full size PCB placement image (PNG). Screw terminals connect to the power supplies. A row of seven pin headers connect to the IO pins. Despite the label, only 7volts DC is required.

PIN     SPI   I2C  RS232
B9      MOSI  SDA  -
B8      CLK   SCL  -
B7      MISO  -    RX
B6      CS    -    TX
B5      AUX   AUX  AUX
Ground  GND   GND  GND

This table shows the pin connections for each bus mode. Raw 2 wire mode uses the same pin configuration as I2C. Raw 3 wire mode uses the same pin configuration as SPI.


Click for a full size circuit image (PNG). The circuit and PCB are designed using the freeware version of Cadsoft Eagle. Download the project archive (ZIP).

PIC 24FJ64GA002

We used a PIC24FJ64GA002 microcontroller in the Bus Pirate; this is the same chip we used in our mini-server project. It’s fast enough to do everything we want (16MIPS), and the peripheral pin select feature allows the hardware SPI, UART, and I2C modules to share output pins. Each power pin needs a decoupling capacitor (C12,13), and the MCLR function requires a resistor (R7) between pin 1 and 3.3volts. The PIC has an internal voltage regulator that requires a 10uF tantalum capacitor (C3), though we used a plain electrolytic capacitor without issue. Read about programming and working with this chip in our PIC24F tutorial. If you don’t have a PIC debugger, several readers recommend the under-$40 ICD2 clones on eBay.

The PIC runs at 3.3volts, but the digital-only pins are 5volt tolerant for interfacing 5volt logic. Pins 14,15,16,17,18,21, and 22, are digital only, which we determined by looking through the datasheet and eliminating any pins with an analog connection type (table 1-2, pages 11-16). According to the datasheet, I2C pins are also 5volt tolerant. There’s a bunch of conflicting information on the web, but datasheet page 230, parameter DI28, clearly states that the max input for a 24FJ64GA002 I2C pin without analog circuitry is 5.5volts.

Pins 21 and 22 (RB10/11) can pull-up SDA/SCL through resistors R4 and R5.

MAX3223CPP

This chip converts 3.3volt serial output to +/-10volt RS232 signals compatible with a PC serial port. The MAX3223CPP is a 3-5volt version of the MAX202, with extra power saving features. MAX RS232 transceivers require four 0.1uF capacitors for a charge pump (C4,5,7,8), and one decoupling capacitor (C17). We used the same capacitors for everything.

We used a MAX3223CPP, which doesn’t seem to be available anymore. MAX3223EEPP+ is a pin-compatible newer version, available at Digikey for $7. Ouch! None of the 3223’s power saving features are used, so a cheaper, simpler 3.3volt RS232 transceiver should be substituted if at all possible.

Power supplies

Most chips can be powered from the Bus Pirate’s on-board 3.3volt and 5volt supplies. 5volts is supplied by a common 7805 regulator (VR2) and two decoupling capacitors (C9,10). An LM317 adjustable regulator (VR1) is set to 3.3volts using two resistors (R2,3), and requires two decoupling capacitors (C6,7). The circuit requires a 7-10volt DC supply (J1).

Part list

Part Value
IC1 PIC24FJ64GA002-DIP
IC2 MAX3223CPP (try MAX3223EEPP+)
C3 10uF capacitor (preferably tantalum)
C4-13,17 0.1uF capacitors
R1 330 ohm resistor
R2 240 ohm resistor
R3 390 ohm resistor
R4,5,7 2K2 ohm resistor
VR1 LM317
VR2 LM7805
X1 Screw clamp (3 terminals) *untested
X2 DB9 Female connector (serial port) *untested
ICSP,SV3 .1″ pin header, right angle
J1 Power jack, 2.1mm pin
LED1 3mm LED (optional)

Firmware

The firmware is written in C using the free demonstration version of the PIC C30 compiler. Learn all about working with this PIC in our introduction to the PIC 24F series. Download the project archive (ZIP).

main.c - Handles the user terminal interface.

busPirate.c - Abstraction routines that convert syntax to actions on the proper bus.

uartIO.c - IO routines for both hardware UARTs.

m_i2c_1.c - Software I2C routines by [Michael Pearce]. We couldn’t get the PIC hardware I2C to work, so we used this helpful library. The software doesn’t take into account the I2C speed setting, and seems to work at about 5KHz.

SPI.c - Routines that drive the hardware SPI module.

raw2wire.c - Software 2-wire interface library.

raw3wire.c - Software 3-wire (SPI) interface library.

User input is held in a 4000 byte buffer until a newline character (enter) is detected. If the first character of the input is a menu option (see below), the menu dialog is shown, otherwise the string is parsed for data to send over the bus (see syntax). The code consists of an embarrassing number of switch statements and spaghetti code.

Terminal interface

Rather than write a junk piece of software to control the device, we gave it a serial command line interface that will work with any ASCII terminal.  The bus pirate responds to commands with three digit result codes and a short message. The codes are designed with PC automation in mind. We’ve included a table of result codes in the project archive (zip).

Menu options

Menu options are single character commands that don’t involve data transfers. Enter the character, followed by <enter>, to access the menu.

? - Show a help menu with commands and syntax.

M - Set the bus mode (SPI, I2C, UART, raw 2 wire, raw 3 wire). Followed immediately by a prompt for speed, polarity, and output state (mode dependent).

  • Bus speeds: SPI:30, 125, 250, 1000KHz. I2C:100, 400, 1000KHz. UART: 300, 1200, 2400, 4800, 9600, 19200, 38400, 57600, 115200bps. Raw modes: 1, 10, 50KHz.
  • Inverse clock setting sets the idle state opposite of normal (normal SPI:idle low; normal UART:idle high): SPI:idle high; UART:idle low.
  • Some modes have optional high-z output modes for use with pull-up resistors (Low=ground, High=input).

L - Toggle bit transmit/receive order: most/least significant bit first.

P - SDA/SCL pin pull-up resistor toggle (3.3volts). Only valid in I2C and raw 2 wire modes.

O - Set number output display format. The terminal can display numbers as decimal, hexadecimal, and binary ASCII values. A fourth format sends the raw, unprocessed byte for reading ASCII formatted text.

Syntax

A simple syntax is used to communicate with chips over a bus.  Syntax commands have generic functions that generally apply to all bus types.

A/a/@ - Toggle auxiliary pin. Capital “A” sets AUX high, small “a” sets to ground. @ sets aux to input (high impedance mode) and reads the pin value.

[ - Start data write. SPI/raw 3 wire: chip select enabled. I2C/raw 2 wire: start condition. RS232: open UART, discard received bytes.

{ - Start data write with reads. Same as [, except: SPI/raw 3 wire: show the read byte for each write. RS232: display data as it arrives asynchronously.

] or } - End data write. SPI/raw 3 wire: chip select disabled. I2C/raw 2 wire: stop condition. RS232: close UART.

R/r - Read byte. SPI/raw 3 wire: send dummy byte, return read. I2C: read byte with ACK. Raw 2 wire: read 8 bits. RS232: check UART for byte and return, or fail if empty. Use 0r1…255 for bulk reads up to 255 bytes.

0b - Write this binary value. Format is 0b00000000 for a byte, but partial bytes are also fine: 0b1001.

0h or 0x - Write this HEX value. Format is 0h01 or 0x01. Partial bytes are fine: 0xA. A-F can be lower-case or capital letters.

0-255 - Write this decimal value. Any number not preceded by 0x, 0h, or 0b is interpreted as a decimal value.

, or space - Value delimiter. Use a comma or space to separate numbers. Any combination is fine, and no delimiter is required between non-number values: {0xa6,0, 0 16 5 0b111 0haF}.

Direct bus manipulation commands for raw 2 wire mode and raw 3 wire mode.
^ - Send one clock tick. Use 0^1…255 for multiple clock ticks.

/ and \ - Toggle clock level high (/) and low (\). Includes clock delay (100uS).

-/_ - Toggle data state high (-) and low (_). Includes data setup delay (20uS).

! - Read one bit with clock.

. - Read data pin state (no clock).

& - Delay 1uS. Use 0&1…255 for multiple delays.
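The value and bus-control syntax listed above can be checked on the PC before a line is sent to the device. The following tokenizer is an added example, not the firmware's parser from the project archive: parse_line and the action names are hypothetical, and the raw-mode bit commands (^ / \ - _ ! . &) are deliberately rejected to keep it to the commands shared by all bus modes.

```python
import re

# Token grammar taken from the syntax list above. Prefixed forms come first
# so that "0x1f" is not read as decimal 0 followed by junk.
_TOKEN = re.compile(r"""
    (?P<repeat>0r\d+)             # bulk read shorthand, e.g. 0r13
  | (?P<bin>0b[01]+)              # binary, partial bytes allowed
  | (?P<hex>0[xh][0-9a-fA-F]+)    # hex, 0x or 0h prefix, either case
  | (?P<dec>\d+)                  # any other number is decimal
  | (?P<start>[\[{])              # start write, or start write with reads
  | (?P<stop>[\]}])               # end write
  | (?P<read>[rR])                # read one byte
  | (?P<aux>[Aa@])                # AUX high, AUX low, AUX input
  | (?P<sep>[,\s]+)               # comma or space delimiter
""", re.VERBOSE)

_BASE = {"bin": 2, "hex": 16}
_AUX = {"A": "aux_high", "a": "aux_low", "@": "aux_input"}  # hypothetical names


def parse_line(line):
    """Turn one terminal line into a list of (action, value) tuples.

    Raises ValueError on anything outside the documented syntax, on values
    that do not fit in one byte, and on bulk-read counts outside 1-255.
    """
    actions, pos = [], 0
    while pos < len(line):
        m = _TOKEN.match(line, pos)
        if m is None:
            raise ValueError(f"unrecognised input at column {pos}: {line[pos:pos + 8]!r}")
        kind, text, pos = m.lastgroup, m.group(), m.end()
        if kind == "sep":
            continue
        if kind == "repeat":
            count = int(text[2:])
            if not 1 <= count <= 255:
                raise ValueError(f"bulk read count out of range: {text}")
            actions += [("read", None)] * count
        elif kind in ("bin", "hex", "dec"):
            value = int(text[2:], _BASE[kind]) if kind in _BASE else int(text)
            if value > 255:
                raise ValueError(f"value does not fit in one byte: {text}")
            actions.append(("write", value))
        elif kind == "start":
            actions.append(("start_with_reads" if text == "{" else "start", None))
        elif kind == "stop":
            actions.append(("stop", None))
        elif kind == "read":
            actions.append(("read", None))
        else:  # aux pin control
            actions.append((_AUX[text], None))
    return actions


if __name__ == "__main__":
    # The delimiter example from the syntax list above.
    for action in parse_line("{0xa6,0, 0 16 5 0b111 0haF}"):
        print(action)
```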

Using it

Here are two examples that show the Bus Pirate in action. Terminals should be set to ASCII mode with local echo; we used the Windows serial terminal. The PC-side serial connection is 115200bps, 8N1. The Bus Pirate should respond to any single line feed type (0x0a, 0x0d), or both (Windows style).

I2C/SPI - Flash 24LC1025 EEPROM

Microchip’s EEPROMS are popular permanent-storage memory chips, the 24LC1025 has 128Kbytes of storage with an I2C interface.  We can test this chip without bread-boarding a big circuit or writing code.


The picture shows an 24LC1025 connected to the Bus Pirate. The EEPROM works from 2.7 to 5volts, so we used the 3.3volt supply from the Bus Pirate to power the circuit. The on-board SDA/SCL pull-up resistors hold the I2C bus high, and eliminate the need for external resistors. A single 0.1uF capacitor decouples the EEPROM from the power supply.

Setup I2C mode

First, we setup the Bus Pirate for I2C mode and enable the pull-up resistors. Since the Bus Pirate currently uses a software I2C library, the speed setting doesn’t really have an effect.

SPI>m  <–enter m for mode select
1. SPI
2. I2C
3. UART
4. RAW 2 WIRE
5. RAW 3 WIRE
MODE>2  <–enter 2 for I2C
900 MODE SET
Set speed:
1. 100KHz (Standard)
2. 400KHz (Fast Mode)
3. 1MHz (High Speed)
SPEED>1 <–speed doesn’t really do anything…
901 SPEED SET
202 I2C READY, P/p FOR PULLUPS
I2C>P   <–enable the I2C pull-up resistors
205 I2C PULLUP ON
I2C>

Write to EEPROM (I2C)

All I2C operations begin with a start condition { or [, and end with a stop condition } or ]. A write begins by addressing the device (1 byte) and looking for an acknowledgment bit (ACK). If the EEPROM responds, we can send the data location to write (2 bytes) and data payload (n bytes). The Bus Pirate automatically checks for an ACK at the end of each write, and ACKs each read.

The 24LC1025 base address is 1010xxy, where xx is determined by the state of pins 2 and 3, and y is read (1) or write (0) mode. We tied pins 2 and 3 high, making the full write address 1010110.  We’ll start writing to the device at the first data location (0 0), and write one to thirteen using a mix of data input formats (1…13).

I2C>{0b10100110 0 0 1 2 3 4 5 6 7 8 9 10 0xb 0xc 13} <–I2C command
210 I2C START CONDITION <–bus start
220 I2C WRITE: 0xA6 GOT ACK: YES <–address sent and ACK received
220 I2C WRITE: 0x00 GOT ACK: YES <–write address
220 I2C WRITE: 0x00 GOT ACK: YES <–write address
220 I2C WRITE: 0x01 GOT ACK: YES <–data

220 I2C WRITE: 0x0D GOT ACK: YES
240 I2C STOP CONDITION
I2C>

Read from EEPROM (I2C)

Reading the 24LC1025 takes two steps. First, a write command with no data sets the address pointer. Second, a read command outputs data starting at the location set in step 1.

The first command is a write command, we use the hexadecimal equivalent of the write address (0b10100110 = 0xa6) to save a bit of typing. The address pointer is set to the location where we wrote our data (0 0).

I2C>{0xa6 0 0} <–set write pointer command
210 I2C START CONDITION
220 I2C WRITE: 0xA6 GOT ACK: YES
220 I2C WRITE: 0x00 GOT ACK: YES
220 I2C WRITE: 0x00 GOT ACK: YES
240 I2C STOP CONDITION

With the pointer set, we can start reading data. The read address is the device address, with the last bit set to 1 ( 0b10100111 or 0xa7). We used thirteen r commands to read the data, but we could have used the shorthand version: 0r13.

I2C>{0b10100111 rrrrrrrrrrrrr} <–read command
210 I2C START CONDITION
220 I2C WRITE: 0xA7 GOT ACK: YES <–chip ACKed the read address
230 I2C READ: 0x01 <–data byte 1
230 I2C READ: 0x02 <–data byte 2

230 I2C READ: 0x0D <–data byte 13
240 I2C STOP CONDITION
I2C>

We know the operation was a success because the output matches the data we wrote earlier.
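The same comparison can be done by a script, since every response line starts with a three digit result code. The checker below is an added example, not part of the project archive: the function names are hypothetical, the two transcripts are constructed in the format shown above (shortened to two data bytes, with ASCII "0x"), and any ACK text other than YES is treated as a failure because the page only shows the YES case.

```python
import re

# Result codes as they appear in the transcripts above.
START, WRITE, READ, STOP = "210", "220", "230", "240"

_WRITE = re.compile(r"I2C WRITE: 0x([0-9A-Fa-f]{2}) GOT ACK: (\S+)")
_READ = re.compile(r"I2C READ: 0x([0-9A-Fa-f]{2})")

# Constructed sample transcripts (not captured from real hardware).
WRITE_LOG = """\
210 I2C START CONDITION
220 I2C WRITE: 0xA6 GOT ACK: YES
220 I2C WRITE: 0x00 GOT ACK: YES
220 I2C WRITE: 0x00 GOT ACK: YES
220 I2C WRITE: 0x01 GOT ACK: YES
220 I2C WRITE: 0x02 GOT ACK: YES
240 I2C STOP CONDITION
I2C>
"""
READ_LOG = """\
210 I2C START CONDITION
220 I2C WRITE: 0xA7 GOT ACK: YES
230 I2C READ: 0x01
230 I2C READ: 0x02
240 I2C STOP CONDITION
I2C>
"""


def parse_transaction(text):
    """Collect start/stop flags, written bytes with ACK state, and read bytes."""
    tx = {"started": False, "stopped": False, "writes": [], "reads": []}
    for raw in text.splitlines():
        m = re.match(r"\s*(\d{3})\s+(.*)", raw)
        if not m:
            continue  # prompts such as "I2C>" carry no result code
        code, msg = m.groups()
        if code == START:
            tx["started"] = True
        elif code == STOP:
            tx["stopped"] = True
        elif code in (WRITE, READ):
            hit = (_WRITE if code == WRITE else _READ).search(msg)
            if hit is None:
                raise ValueError(f"malformed {code} line: {raw!r}")
            if code == WRITE:
                tx["writes"].append((int(hit.group(1), 16), hit.group(2) == "YES"))
            else:
                tx["reads"].append(int(hit.group(1), 16))
    return tx


def verify_readback(write_log, read_log, header_len=3):
    """Return a list of problems; empty means the EEPROM round trip is good.

    header_len skips the device address and the two data-location bytes.
    """
    problems = []
    w, r = parse_transaction(write_log), parse_transaction(read_log)
    for name, tx in (("write", w), ("read", r)):
        if not (tx["started"] and tx["stopped"]):
            problems.append(f"{name} transaction missing start or stop condition")
        problems += [f"{name}: byte 0x{b:02X} not ACKed" for b, ok in tx["writes"] if not ok]
    expected = [b for b, _ in w["writes"][header_len:]]
    if r["reads"] != expected:
        problems.append(f"readback mismatch: wrote {expected}, read {r['reads']}")
    return problems
```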

UART - EM406 SurfIII GPS


The EM406 is a tiny 5volt GPS module that tracks up to 20 satellites. By default, it outputs NMEA formatted data from a serial port at 4800bps, 8N1. The output format is standard serial, but at 2.8volts it’s incompatible with PC serial ports. The Bus Pirate can interface this GPS without the need for a separate RS232 transceiver or 5volt power supply.

Setup the UART

First, we setup the Bus Pirate UART to receive serial data at 4800bps.

I2C>m <–setup mode
1. SPI
2. I2C
3. UART
4. RAW 2 WIRE
5. RAW 3 WIRE
MODE>3 <–UART
900 MODE SET
Set speed:
(bps)
1. 300
2. 1200
3. 2400
4. 4800

9. 115200
SPEED>4 <–4800bps
901 SPEED SET
302 UART READY
UART>

Enable UART and data reads

An important thing to remember about UARTs is that the data arrives asynchronously. Unlike SPI and I2C, where data transfer is controlled by the master, serial data can arrive at the UART at any time. The GPS is a great example of this because it spits out location data continuously, without user intervention.

We developed two read modes to cope with asynchronous data. { echoes all incoming data as it arrives. New data will displace and garble data entry, but all input is still accepted normally. [ opens the UART in a send only mode that discards incoming bytes. } or ] closes the UART, regardless of the mode.

UART>{ <–open UART with async reads
310 UART OPEN, } TO CLOSE
330 UART READ: 0x80 <–GPS data
330 UART READ: 0x78

Write to the UART

Type in values to send out the UART. Even if the input is broken up by incoming data, it will be processed on <enter>. We sent 0x40 as an example, but this has no particular meaning to the GPS module.

330 UART READ: 0x80 0x40<–random byte to write
320 UART WRITE: 0x40 <–byte written

Close the UART

“}” followed by <enter> closes the UART.

330 UART READ: 0x78
303 UART READ: 0x60 } <–close UART command
330 UART READ: 0xE6
340 UART CLOSED
UART>

Don’t think you can use this GPS data to track us, we don’t actually get satellite reception down here in mom’s basement.

Taking it further

The Bus Pirate is an important development tool in our lab. We keep updating it as we use it, and we’ll release new firmware as we add protocols and features. Expect to see the Bus Pirate in future articles.

These improvements are at the top of our list. Do you have any suggestions?

  • New protocols: One Wire, CAN, ???
  • Controls for polarity and other settings
  • Adjustable instruction delay
  • Get hardware I2C module working.
  • Enable protocol speed settings.
  • Cheaper, easier to get RS232 transceiver

The project archive (ZIP) has everything you need to build your own Bus Pirate.

      

Clickjacking webcast tomorrow


[Jeremiah Grossman] and [Eric Lawrence] will be presenting on clickjacking and browser security in an online seminar tomorrow. Clickjacking allows an attacker to transparently place links exactly where a user would be clicking, essentially forcing the user to perform actions without their knowledge. This method of attack has been known for a few years, but researchers have focused their attention on it lately because they feel the threat has been underestimated. Recently, Adobe patched a vulnerability specifically because of this issue. Tune in tomorrow for more info on the attack.

      

SGI 10,000 core concept


In a bold move, Silicon Graphics has decided to see how many cores they can shove in one box. The Molecule is a 10,000 core rackmount machine designed to leverage low cost consumer CPUs like the Intel Atom. It emphasizes high memory bandwidth and throughput between CPUs. While this sort of space efficiency is interesting, it’s certainly going to take some serious cooling to get designs like this off the ground.

[via Hacked Gadgets]

      
