LayerOne 2017

Description

It's the tock of the tick-tock cycle, so less focus on the awesome blinkies we all know and love, and more on something hacking related (with blinkies).

STM32F4 (99%)
Display
External Controller

Also finally decided to do a car hacking session at LayerOne, we've been talking about it for 5 years, so the badge will have some involvement in that.

Details

We're at the last stage of prototyping

2.2 or 2.4" TFT display that is DMA driven SPI for 30+ FPS, ILIO9341/45 supported
STM32F446 LQFP64 is the current leader, Now supports 446/405 and 415
SDCARD smaller size SPI driven (prototype six)
Twin CAN bus for 1Mbps CAN with two transceivers TI sn65vhd230 supports 235 as well
USB , supporting HID controller
USB host
Headers for cables to external CAN Bus
Breakout for second CAN for MITM or dual logging
Audio output, headphone jack, added filter
Battery powered ( rechargeable ) yep 18650 which can also charge your cell phone
Buttons, two , plus two switches
PC side software to work with CAN
J2534 202/404 (mostly) compatible DLL
Bootloader is TBD, currently it'll be ST-Link V2's which we have a whole bunch of, via SWD

Due to cost, we probably will have to do the OBD-II cable and USB controller as low cost add ons, but we'll do our best, and we'll find them as inexpensive as possible, and in bulk. I always like to try to include everything needed, its not always possible.

The aim is to have 400 built badges at LayerOne 2017, we hand made 300 in 2016. This will be our second most complex badge, the 10 year anniversary Proxmark version being the most complex we've done to date.

The badge currently has two, and later maybe three separate firmwares that all do different things, we'll probably keep some of under wraps til the event just for the fun, the focus will be on the CAN side. But one of the test firmwares is up and running on the bench and random people have been picking up and playing it.

The development environment can be completely online with a zero install. Or it can use GCC/IAR/Keil etc.

Components

1 × STM32F446RET6 or STM32F405/415 LQFP64 STM32 F4 ARM chip, uses 446 at the moment, new boards can support either 446/405/415
1 × MCUFRIEND 320x240 TFT ILI9341/25/28 or Bare LCD
1 × TI-BQ2407XBQ24075 http://www.ti.com/product/BQ24072 Li-Ion Battery Charger
2 × SN65HVD230/5 CAN transceiver Supports slew and autobaud variant of chips.
1 × LM261 Step-UP DC-DC converter http://www.ti.com/lit/ds/symlink/lm2621.pdf

View all 7 components

Project Logs

Collapse logs

"the last revision"
charliex • 03/19/2017 at 18:58 • 0 comments

so the day started as it usually does, i installed 300ft of low voltage wiring around the house, installed some ELD 3W lights that i picked up from alixpress for $each with transformers from lowes (the equiv lights from lowes are usually around 20-30$ each ) , picked up some R G and B ones was well as the white, used warm white since cool white doesn't usually work for traditional landscaping. i spent an hour or two soldering in lamp wires since i don't care for the vampire taps , t taps or the style they sell at the hardware stores, plus they're like $5 each, almost as much as the light!
another one of my siblings came by and wanted their iphone 6 vs the 6s i did last week, fixed, so far screen swap, battery swap the usual stuff.
anyway on to the badge, i'd swapped out a npn transistor to a npn darlington, should have done a npn to pnp darlington or just bit the bullet and went back to the straight up mcu pin to npn transistor to current limit+ leds for the backlight. with the npn darlington it just wouldn't pass the current properly, so it ended up around 2.4V and flickery, if you saw me on twitter i posted about it being late, lack of sleep and possibly jumpering the wrong two pins on the transistor! so redesigned that circuit, or rather went back to original since we also decided we don't need to carry the module as well as the FPC LCD.
fitted out the battery holder, sourced that and started the new layout....again...
giant! so all that stuff gets shifted down about 30mm.
decided to check out different sdcard arrangement and remembered the one used on the voice, it was small and easy to repair solder ( very important at hacker cons) ,so switched to the molex 0475710001, which is cheaper, after ordering 20 for testing, then looking for a vocore dock i find strip of 50 for other projects in boxes, if we ever decided to sort out our component stocks, we'd likely be able to build a full set of badges without buying anything, it can be crazy, boxes of LEDs, i still have a box of every 0603 value resistor mouser sold about 4 years ago, and its never really been opened.
test fitted the lanyard, i always copy the holes from the previous years badges, so that is usually all good but since they're often metal clips, watch out for shorts.
ordered some more parts, we don't usually make this many prototypes, only the proxmark variant had so many built. going to reach out to a friend of mmca's in china , who doesn't speak english, but does speak chinese and korean, but apparently not for electronics and see if they can help us get the displays from taobao, most LCD modules or bare LCDs are crazy expensive from US suppliers, ebay or amazon, or even alixpress, and wading through alibaba these days is just awful, for a multiple store quote, 90% of the time its the same seller and they don't have it, and if they did its 3x the price listed.
taobao is usually better price wise because unlike aliexpress+alibaba they haven't really penetrated the western markets, so the prices are set what you'd pay in china, and not pay in the west, its a huge difference. it can also be a bit more work, depending on which store you use.
a year or two ago i saw an sms conversion, so i started to look at porting that over, it is an interesting area, since i've written many emulators over the year both for fun and professionally, last one i did was for sega to do the megadrive, so it can often limit what i want to do, better to use someone else's and just port it.
mmca wanted to change to the micro usb vs the mini, i dislike micro usb, but i accept that is the much more common cable, mini is a lot rarer for people to be carrying.
a while ago when hackaday started their store/tindie thing there was a beta, i was part of that so i bought something, it was a usb power meter something i have a few of and they're ok, but this one looked neat and i like to support people making stuff as well as...
Read more »
Insert Coin
charliex • 03/12/2017 at 09:10 • 0 comments

Only 398 left to build.
After the PCB gets submitted, all is fine, I can rest for a bit, right?
charliex • 03/05/2017 at 08:07 • 2 comments

THE DAY AFTER......
As we walk casually to the workshop, and discuss the various quad copter projects, and my old Traxxas RC truck which I have up the bench to repair it's glow engine and trying to find other radioactive sources to test geiger counters and build RNGs
Probably radioactive las vegas dust
Our attention turns to what we're going to do next with the board, we've been talking to the good folks at crowdsupply as well. So we talk about adding all the features you'd want to see in a board that isn't meant for a 3 day hacking conference.
Adding TMOVs, input protection,SWCAN, LIN, optical and galvanic isolation to USB, talking about USB 3.1, then we looked at a chip upgrade which for some reason i'd convinced myself STMicro had made a 2Ghz STM32, in my defence i'd been spending all week working on Snapdragons for Quads and stuff. We ended up deciding to move up to an even moar powerful chip for the after con board.
Then we played around a bit with a HIL Drone Project in VR with the Vive that i've been playing around with, fun stuff... So far pretty chilled and not too much worry about the board, we even took one of the fried boards from a few weeks ago and changed out the CPU, and removed the power section so even that was fixed up, so far so good.... We turned to sourcing parts and taking about the various battery tests and how one of the battery that claims to be 2x the mAh is half the weight of a decent 18650.
So we start fiddling around with the solution we though we had settled on, an external 18650 case that has USB in and and out, and boosts it to 5V and charges it, I bought a bunch of them from eBay etc to test with as usual.
So far so good.....dun dun duuuuuaaaa
Then I pull out the PCB's I'd ordered with the USB boost on them, and that is when it all goes the usual way, We test a lot, we test all sorts of batteries, charger circuits,. design and redesign but we had a hard time making a circuit that could charge an 18650 and supply 5V, which is why we'd decided to drop out nice TI boost, charger, fuel monitor, auto power switch version which had a large cost and component count, and just use these little self contained power cells, a USB cable to plug into the board and hang it off the badge,. cost is a big factor, and we always end up over budget.
Pictured above are a range of 18650s , the rule is the higher the claimed mAh is , the lower mAh it actually is. the 6000mAh we reckon to be about 1800mAh give or take. We're pulling some of these in for sub $1 and with a draw of about 50mA for the badge.
The ones in the mylar bags are just an eBay lot of the power pack chargers, the one on the right in the blue box is what we were thinking...
Personally we hate it, its a terrible design choice, but it was a struggle to get it on board and be reasonable, and its hard to beat these boards for cost. I don't like using modules to build badges, I get why, it makes sense but I don't have to like it.
So then we start to poke around the boards a bit and see what they're upto, the first one has a bunch of stuff, charger/boost chip, battery monitor, FETs and a lot of components, one has three chips and 6 jellybeans, then we get to one that has about 5 components, a quick RE of the board and its feeding the VUSB via a resistor, a diode to drop the voltage 0.7V into the battery, then a booster and out to the USB with a couple of LEDs, it is an unmarked IC but some searching around we find it.
So far these are the chips commonly found in these powerbank setups
DW01 One Cell Lithium-ion/Polymer Battery Protection IC
High Efficiency 1MHz, 2A Step Up Regulator
Single Lithium Cell Protection IC
Usually a CD43 sized 1.5uH power inductor,. though I see 2.2uH in most datasheets it might be a part on hand thing since thats usually the availability step, 1.5uH and next 2.2uH
A couple of caps, one in , one out, two resistors and an LED.
I find these guys too Battery Charger as usual...
Read more »
Quick log update
charliex • 03/02/2017 at 05:22 • 0 comments

We just submitted whats hopefully the last revision of the conference badge version, more time laying it out, new shape and removing anything we didn't really need. This revisions files are stored inside the "seven" folder in SVN, they'll be here a week on Monday is my guess.
A small box of misc 18650s arrived marked as 6000mAh, hopefully not missing a decimal point
Now all i have to do is source the screens.........and write a lot more code.. I did start to tidy up and translate a lot of my old code, i won't lie it'll take me a while to clean it, up but i'll upload it anyway and just try to clean it up as i go a long, this will be a longer term project.
After testing, we'll build a PNP plan, cut stencils etc, buy all the components etc.
I remember in October/November when i was thinking, damn we'll be done by xmas...,.
Wolfram Alpha data bin thing turned out to be a flop, it's down every time i go to use it, and it doesn't seem to analyse it well. Maybe i'll go back to google sheets for logging.
Change all the things, more battery tests
charliex • 02/19/2017 at 22:14 • 0 comments
Last week we did the battery tests using the 800mAh "iPod' battery we have used before, it is cheap and easily available, the results were about two hours running everything, I posted the data earlier. That is not great, the conference is 3 days usually ( 4 days this time ) and two hours means charging a lot of batteries.
What to do ? Well I'd ordered some various 18650 batteries last week and chargers just to test them, much to my amusement they're called "UltraFire" with an icon of a fire and a claim for 5000mAh, I'm not sure what mAh stands for in this context, but it is extremely unlikely it means milli-amp-hour as we're used too, what i think it means is likely divide the number by about 1.666. mmca doesn't think UltraFire is a funny name, since there is some history of the name with TrueFire or SureFire etc but it has a picture of flames!
We had to build two of the new prototype boards, since two had been killed in last weeks, hey did you actually implement USB host in the firmware tests and not the board is not working #fail modes.
It is admittedly very hard to see this but there is smoke coming out of this CPU from last weeks adventures in rewiring boards with kynar wires and what not.
Toasty
I have to laugh that as i am editing this, the above video at the end shows the YouTube recommended next video on this frame
Yeah that's about how we felt after the burnination and destruction of our two black and gold prototypes (we'd be the guys on the right) and Cuban is giving us the run down.
The replacements were were built yesterday and one of the boards is using a STM32F405/415 CPU, which meant a small schematic change to move VCAP1 and add VCAP2, also a part change to 2.2uF for the caps instead of one 4.7uF which to be honest, we cheated and put two 4.7uF's since I didn't feel like wading through our boxes of gear to find an 0805 2.2uF and none of my kits go up that far.
The difference between the 405 and 415 is that the 415 has hardware crypto, so we installed the 415 which means likely export restricted prototype! The reason for the looking at the 4x5 chip is because it has 1024K flash and 192K RAM which is nice.
mmca built both the prototypes, flashed it and it didn't go beyond the RED screen mode, which means it can't find USB controller, sheesh not this again.. but reasonably quickly I realised I had the test mode projected load ed up which only did USB device, HID host and make the screen RED, so flashed the EMU project and it kicked into life. Not before a couple of lets check some connections, but before we wrecked the boards. Pro Tip don't use the same colour for error waiting for USB on one project, and everything is groovy man on the other project, in fact even use text since its a screen not an LED !
Latest revision being built by mmca
The second board with the 415 booted up OK but this time it also got stuck at the USB mode, but it is a different chip so likely its just a firmware issue, I threw together a quick CDC test in STM32Cube and proved out at least that the USB device works. Which brings me to the next part, which I'm glad i figured out a while ago, because it was a tricky one.
So I'm noting this in here, possibly again, since i always forget where it is, but in STM32Cube CDC_DATA_HS_MAX_PACKET_SIZE is defined as 512, which won't work in windows (maybe elsewhere) at least, so set it to 256. You'll see the device enumerate but it will have a yellow exclamation mark. It is defined in usb_cdc.h
take out bad
```
/* CDC Endpoints parameters: you can fine tune these values depending on the needed baudrates and performance. */
#define CDC_DATA_HS_MAX_PACKET_SIZE                 512 /* Endpoint IN & OUT Packet size */
#define CDC_DATA_FS_MAX_PACKET_SIZE                 64  /* Endpoint IN & OUT Packet size */
#define CDC_CMD_PACKET_SIZE                         8  /* Control Endpoint Packet size */ 
```
put in good
```
/* CDC Endpoints parameters: you can fine tune these values depending...
```
Read more »
Updates & Battery Testing
charliex • 02/12/2017 at 21:47 • 0 comments

After spending the week up in Seattle ingressing and lighthousing we got back into the board for some battery performance testing.
I used my custom VISA software and the Rigol RM3058E DMM , added a logging and simple alarm mode to it so it'll log the data every so often and let me know when it hits a certain voltage.
Graphing it out, we haven't investigated what happened after 20 minutes, it might have been after we disconnected the programmer.
We made some changes to the board to add some test pins, and here is a useful warning i'll forget again, if you've left a project for a while, make a change and things don't work as you recall, check first if what you thought is meant to happen, actually did. Otherwise you'll be biased by the it did work, we soldered some stuff, it no longer works,. In this case the USB popped up saying unrecognised device, i had changed small elements of the code but nothing that should break it, went back to a known working firmware ( add the hex files and tag source control so you know working firmwares, add text/comments to describe state and what working means)
Anyway after poking for an hour and swapping things out, and a xtal that didn't boot once, and i tried a firmware that i'd written from scratch, and it showed the USB OK, so software issue, checked against source control and see what was changed , nothing major. it was late and we looked at other stuff. Next morning I wake up have coffee and take another look, wait a tick didn't this firmware not actually have USB host implemented .... yep... derp moment. so it never had it and since it'd been sitting soak testing and i always have at least two unrecognised USB devices connected to my dev PC, bias again.
So the USB is fine, some wasted time. Also ra ! gnd is an evil eagle command, i need to stop using it, its bitten me twice now.
the new battery test just ended at 2017-02-12 13:37:09 2.979585V (nice timestamp!) and nice smooth curve
Another display for consideration
charliex • 01/28/2017 at 18:09 • 0 comments

I found a cheap Raspberry PI 2 compatible 3.0" display, i tried it on the RPI3 i just picked up but no go.
It is another one from mcufriend, who as far as i can tell are some sort of large warehouse full of cheap LCD's and prototyping boards. The other TFT 2.7" 8 bit parallel boards are mcufriend too. This will be about the fourth different LCD that i have pulled up on the prototype.
The resolution is listed as 240x400
So see how much i can get done before heading to SparkleCon
It is a bit bigger and a different resolution to the existing board, and i still have to find out how fast i can push it via DMA etc.
versus the existing one.
More screen space, with more resolution is good though. It is also more mechanically stable and the LCD is held down more securely than the 2.2"/2.7" screens. More power draw, and slightly heavier are the cons (and also that i have yet to actually make it run)
If it worked on the RPI i could tell what chipset it was, ILITEK’s ILI9488? maybe, though i see that one more commonly used as 8 bit parallel and i'm not seeing enough pins. ILI9327 also a decent bet. R61509V is also a contender.
As usual I ordered a bunch and as often happens I must have had a late night Alibaba session because a day after ordering 10, 4 showed up.. So apparently I had ordered the same LCD the week before, even from the same seller.
They point you at https://pan.baidu.com/s/1pJNwGBp for an image, but seems it is for the older RPI.
Next steps are figure out the 26 pin connector which is connected to the "display" side of the RPI, I pinged the seller so we shall see how that goes. other similar boards on t'internet for the RPI are :-
It is a good start, there are no keys, not sure there is actually a touch screen on this display it doesn't have the usual overlay, on the LCD. Let's see if the PCBs connector and traces match this. The SPI is shared with the LCD and Touch Panel if there is one, LCD_CS and TP_CS select which one is active. I can look at the schematic of the RPI as well, the LCD board is 1:1 pin to the RPI
Ok good, so the voltages/GND match up and the pins you'd expect to be GPIOs are. 23 is SPI0_SCLK, MPI0_MISO is TP_SO ( which means we might not be able to get feedback from the LCD if they're not shared)
SPI0_MOSI is LCD_SI/TP_SI , 24 and 26 are SPI0_CE0_N and SPI0_CE1_N so those are the TP_CS and LCD_CS, so far all that makes sense.
Initially I figured to hook up the SPI to an STM32F4 breakout and query the driver IC, but I can only do that if MISO is connected to the LCD, or which seems likely that there is no touch screen but that doesn't mean that the MISO is hooked up. So for now lets just remove the two double sided pads from underneath the LCD and take a look at the connections and see if we can identify the chip from there. After I've done all this I will no doubt find the right google combo for someone who's already done it...And also stop starting sentences with So..
And here it is , MFPA-ZR30045S00CI-A (future googlers hello) 24 pin flex, looking at this we will be able to tell a lot about its setup and configuration since these LCDs are typically set to the style of interface 3/4 wire, SPI, 8 bit parallel etc by the flex cable, and not usually broken out to the PCB connector. bing shows no results for this part number and its not a Truly since they usually mark it with a logo. mcufriend are the masters of the wierd LCDs
I count 14 connections. so we know its 3.0" TFT LCD 240x400 resolution and a 24 pin connector. though 14 is a lot, i'm not worried its parallel, there are 24 pin 8 bit parallel FPCs so it may have the interface but i'm expecting to see t hat in that block around pins 12-19. we're looking for power for the LCD, separate LED power maybe A/K, and then SPI clk/mosi/miso/cs and grounds. possibly the other style which is read/write data/command , register select too fingers cross on 4 pin SPI.
Next remove...
Read more »
How are the goals going?
charliex • 01/23/2017 at 20:19 • 0 comments
Revisiting the goals from the project overview... what does past me think future me is doing.
- 2.2/2.4" TFT display that is DMA driven SPI
yep made that one, it's DMA SPI and it might change to a different LCD, but fingers crossed
- STM32F446 LQFP100 is the current leader, but we may switch to a different F4
Moved to an LQFP64, board supports the 446 and 415/405 variants.
- SDCARD smaller size SDIO drive
Yes, currently using SPI since apparently i forgot to read my own notes, next proto rev is SDIO
- Twin CAN bus for 1Mbps CAN with two transceivers MicroChip 2551
Twin CAN yes, switched to the TI SN65VHD since works better with 3.3V/5V etc, though watch out for autobaud in the 235.
- USB OTG, supporting HID controller
Dropped OTG due to limited pin space, has USB Device, supports CDC, HID etc (firmwares in SVN)
- USB OTG/host
Dropped OTG, has USB host
- One DB9 or DB15 to OBD II cable TBD
We haven't decided yet, i'd prefer a SIL 2.54mm IDC to OBD II, also considering magnetics less RJ45 connector (board space)
- Breakout for second CAN for MITM or dual logging
Yes, though i really ought to test it :)
- Audio output, possibly with onboard speaker TBD
Yes, offboard audio due to requests ;) via 3.5mm headphone jack and not bluetooth.
- Battery powered ( rechargeable ) TBD
Yes, Li-Ion battery with USB charging.
- Buttons
Has 6 at the moment, PWR on , PWR reset, CPU RESET, two Soft switches and master PWR switch
- PC side software to look at CAN
Yes.
- J2534 202/404 (mostly) compatible DLL
Partially done.
- Bootloader is TBD, currently it'll be ST-Link V2's which we have a whole bunch of, via SWD
So far i have about 75+ of the knock off ST-Links trying to order them in batches that the cost doesn't show up to the wife :) and I hope to have 200-400 by layerOne, maybe even have a disk loader but i disagree with some people, though i think disk enabled firmware loading is teh awesome and the way the ST Nucleo does it is the best, but I want to be able to do a full flash and debug, since it is a board for hackers. Adding an ST Link onto the board would have increased costs more than it costs to get the ST Link clones, and you can use it for other boards.
A kind soul (devanl) on reddit pointed to me to alternate firmware for the ST Link so have to investigate that.
https://github.com/devanlai/DAPLink
> We may add PSRAM to the board, possibly as a DNP not populated
No on the PSRAM, we almost did but after a switch to LQFP64 no support and supporting the 405/415 hopefully will be enough.
Software wise I have a very simple PC based ECU emulator, I've tested reflashing some of my bench ECUs from the badge and that works great, the CAN logger works with the LCD and output to USB HID or CDC, reading OBD II codes, firmware ID etc that is all working too.
MITM i will look at this week (second board+second CAN testing) my plan is to flash an ECU from the badge, pass that CAN into a second BADGE and have it intercept the messages and replace the uploaded firmware from the first badge, which would also work with any other CAN bus based reflash tool that you know a protocol for.
cheers,
charlie
Revise, revise, revise!
charliex • 01/23/2017 at 19:48 • 0 comments

Since its so easy to rev boards nowadays I end up doing it more often than i'd like, but we made a nice black and gold board that everything works on :-
Haven't yet decided if we're sticking the module add on or bare LCD, these are very delicate displays and the flex will break even with light handling which is no good for a conference badge around peoples necks, having the module means it is easy to replace and someone else gets the headache of soldering it on, and it is cheaper than the parts , the sum really is greater than the whole.
I did revise this board immediately after it was submitted to the board house so that i could use the 415/405 variants of the STM32F4, something that happened in the past with the ten year anniversary layerOne proxmark board, darn VCAP1/2/3/4/5.
These LCDs seem like they are randomly thrown together, out of a batch of 20 i get 5 variants. Each with a slightly different controller so the host software has to recognise that and adapt them.
This is an 8 bit parallel version that is crazy cheap and with SDCARD however, i can't figure out a good way of driving it from DMA so i can't get the frame rate i need, the controller can support different modes but they're defined by the FPC connector itself so even though you can see the ID pins you have no hope of really reconfiguring it to a different setup, and even though the makers say they'll custom build ones for you, they never answer emails..
Finding the datasheets is generally straightforward, but unfortunately doesn't help.
This is a truly TFT8K24 revision.
The issue with 8 bit ones is that they have three other signals, chip select, data/command, read/write that also have to be set as the data is transferred, with the DMA its just CS, byte/byte/byte out as fast as you like, I'd be interested to hear if anyone has an idea (other than making a long buffer with all the patterns and mda that as 16 bit , since lots of RAM used there)
This is the bare LCD of the ILI9341 version, which only usually lasts a few bends before it'll break, so i have pads for the LCD and holes for the module board to save it. Note the part if pulled from an eagle lib has 4 missing pads for the XY touchpad..
Here is a version of the module with the GIANT mmc card and yet another variant this time with extra F_CS variant (it was also a DOA LCD) hence the poorly squiggled BAD on it.
Note this one supports two physically different LCD types.
I've also grabbed some of the popular 3.0" screens that are used on the raspberry PI, i found a deal on them cheap but not on 450 of them, it is always something. Those are also driven by SPI, more than likely 9341 variants. Some of them handily have the controller written on a sticker on the board, but it turns out not to be accurate so that has been a fun game.
Here is the battery all mounted up and tested. we've used this battery before , popular ipod type. Though we're using a different boost/charger setup this time. More on that later. This is more of a photodump log.
Fuzzy photo of a board being built
My workdesk tends to be a random explosion of things, i've watched all the various videos on doing horizontal or vertical layouts and all manner of 8 bullets, but who has the time or space... Top left scope has a CAN bus differential showing which the badge is decoding, i picked up a nice differential probe even though most scopes can do it easily, but i love single use tools.
That toorcon badge lower right is from years ago, why is it there? and an original sphero?
Also that was relatively tidy, look at it this morning! Some people are able to focus on one project at a time, I usually have a dozen or so going. I found a nicely made cheapish 30:1 worm gear drive on a 2 phase vexta motor so made a little turntable for it for some work related projects.
Now we just have to lock down the LCD and then I can focus on building lots of firmwares and other useful things I hope, its the...
Read more »
Been a while but been busy
charliex • 10/24/2016 at 03:38 • 0 comments
mmca wanted us to show off the badge at hackaday's supercon event this coming november in pasadena, so i went from a nice leisurely the badges actually might be ready for xmas, to i have like a week left.
so after the last log one of the things i ended up working on was the encrypted bootloader / flashtools from ST, i spent a few days on it, rewrote their flash tool, added some features etc. Discovered we're likely missing a small part of firmware that ST doesn't give out. Which is a shame that an electronics OEM wants to keep a neat feature to itself, but that is how it goes. I messed up a couple of the Nucleo 446 dev boards, but not enough to stop working, just lost one feature.
after that i threw together some of the morpho headers and made a little pop on board that had the LCD breakout, sd card , usb device and speakers , sent them off to seeed for making, then i remembered i'd forgotten to add the mcp2551 CAN transceivers, so added those and a week later submitted the boards to itead,.. just about a week later the itead boards showed up.
setup the boards, pretty much everything worked, went on to test the CAN adapters, i'd been using a little waveshare board i'd had to test with before. Couldn't get much out of the CAN just a small blip here and there. Read over the docs, added a 10K slew resistor to it, fiddled, re-fiddled, then mmca said , is that chip ok for 3.3V i said yes, i'd checked it on the internets and i know i'd used it before (but on a 5V part), so yes i had that sinking feeling, but it was working on ther chip.
now fast forward to the day of #supercon and a late name,t hen early 6AM morning finishing up code, we got the PCB's in a few days ago but the two sizes of LQFP64 bit us again, even though we used the BSDL from the OEM. Once we got the PCBs in it was really obvious the chip was the wrong size. So went in with the prototypes instead, they're basically the same. I dropped a new PCB to itead this morning as well.
i added a simple CAN bus viewer that just dumps the CAN bus traffic coming in.
For the NES emulator (which is pNesX) I did the following
- Added game pads to CAN bus for read and write, so you can do two/four player etc.
- Added a memory read/write over CAN bus to get access to the internal memory of the the emulator
- Added CAN bus to the NES fceux on the PC so that you can play on the PC against the badge (uses j2534 dll)
- ECU reflash function
So our Idea is to teach how to hack on CAN bus but make it easier and a bit more interesting, the principle of it is the same as doing it on a car's CAN bus, you can read/log/inject and interact with the memory on the device, except its more fun you can hack into peoples games grab screen shots, disassembly, change scores , change joystick commands etc, auto play, the list goes on.
These are basically the same things as you do with the car, you listen to the bus do something , record it and see what it is , decode the CAN packets, log, graph and replay, and you're playing a game. You can also do all the same things to the CAR, logging, injection, MITM, etc
We're not obfuscating the protocols , they're very simple and I'll publish them as i refine them, but the idea is basically commands to read/write byte/word/dword you tell it the size and address, and the badge replies with the data, or updates the memory. The memory mapping is the the same layout as the NES,.
Everything is packed up in boxes at the moment as i just got back, so i'll add pictures and videos.
We're almost getting to "badges by Christmas," which hopefully will really give me time to polish up and makes lots of various firmware before layerOne, which never happens as i'm usually down to the wire.
mmca is finishing up the battery design, looks like we're going back to the iPod battery, and not an 18650, no CR123s this year, it'll be similar to the Proxmark layerOne board of 2014.
CAN bus logger running...
Read more »