A few semesters back, [Jordan] was in an Intro to Hardware Security course at CMU. The final project was open ended, and where some students chose projects like implementing a crypto algorithm or designing something on an FPGA, [Jordan] decided to do something a little more ambitious. He wanted to decapsulate and reverse engineer an IC. No, this isn’t taking a peek at billions of transistors — [Jordan] chose a 74-series Quad XOR for this project — but it does show what goes into reverse engineering silicon, and how even simple chips can be maddeningly confusing.
The first step to reverse engineering a chip is decapsulation, and for this [Jordan] had two options. He could drop acid, or he could attack a ceramic package with an endmill. While hot nitric acid is effective and fun, it is a bit scary, so [Jordan] mounted a few chips in a 3D printed holder wedged in the vice on his mill. By slowly bringing the Z axis down a few thou at a time, he was able to find the tiny 1 mm square bit of silicon embedded in this chip. With the help of a grad student and the cleanroom, this square of sand was imaged with a very nice microscope.
Now that [Jordan] had an image of the silicon itself, he had to reverse engineer the chip. You might think that with less than a dozen transistors in there, designing an XOR out of transistors is something anyone with a bit of Minecraft experience can do. This line of thinking proved to be a trap. Technically, this wasn’t an XOR gate. It was a transmission gate XNOR gate with a big inverter on the output. Logically, it’s the same, but when it comes to silicon fabrication, the transmission gate XNORs aren’t able to sink or source a lot of current. By designing the chip as an XNOR with an inverter, the chip designers were able to design a simple chip that could still meet the spec.
While [Jordan] managed to reverse engineer the chip, this was quite possibly the simplest chip he could reverse engineer. The Quad XOR is just the same silicon repeated four times, anyway. This is the baseline for all efforts to reverse engineer silicon, and there were still a few confusing traps.
In case you haven’t heard, the best hardware conference in the world was last weekend. The Hackaday Superconference was three days of hardware hacking, soldering irons, and an epic hardware badge. Throw in two stages for talk, two workshop areas, the amazing hallwaycon and the best, most chill attendees you can imagine, and you have the ultimate hardware conference.
Already we’ve gone over the gory details of what this badge does, and now it’s time to talk about the perils of building large numbers of an electronic conference badge. This is the hardware demoscene, artisanal manufacturing, badgelife, and an exploration of exactly how far you can push a development schedule to get these badges out the door and into the hands of eager badge hackers and con attendees.
The good news is that we succeeded, and did so in time to put a completed badge in the hand of everyone who attended the conference (and we do have a few available if you didn’t make it to the con). Join me after the break to learn what it took to make it all happen and see the time lapse of the final kitting process.
Some Important Thank Yous:
This badge was conceived and designed by [Mike Harrison] of mikeselectricstuff fame. This badge includes a camera, bright OLED display, accelerometer, microSD card support for storing all those pictures and videos, and enough pin headers for some serious hardware hacking. Not only did he donate his time and experience, but did an amazingly thorough job of documenting the entire project on Hackaday.io. Thank you so much [Mike]. We hope you will take the time to send him some well wishes on the badge design!
We also want to thank Microchip for donating the main microcontroller and SRAM chips, as well as Macrofab for donating some of their time and expertise as our contract manufacturer on the project.
Constantly Putting Out Fires
Shipping electronic components around the planet is actually fairly horrible. This entire project went together very smoothly, but as with any hardware development project, there will be bumps in the road. What kind of bumps? Very annoying ones that could have completely derailed this project.
In our first teardown of building this year’s badge, I explained the dangers of single sourcing components from one random guy on eBay. We’ve sorted that out, but of course, there were more problems that cropped up. Remember, we weren’t changing the date of the Supercon, so these badges needed to be ready by a certain date. This gets complicated when you are making 500 of something, and sometimes means going to extreme measures.
The plan was to order the PICs for the main processor through MicrochipDirect because you can have firmware flashed before they are shipped. Unfortunately the lead time for programming these chips was several weeks, so we fell back on our backup plan: just ordering the chips and have the contract manufacturer burn the bootloader with a pre-programmed PICKit 3.
Here’s where things fell apart. On a Friday, three weeks before the Supercon, I got an email from Macrofab. The SRAMs arrived from Microchip, but the PICs were nowhere to be found. This caused great consternation as everything else was ready to go on the assembly line. The tracking number for the order told me the chips were somewhere between Thailand and Houston, Texas.
I called Microchip Direct, and they told me they would contact FedEx to figure out what was going on. But we needed a solution now. As a backstop to the is we ordered 500 pin-compatible PIC32 chips from from a distributor, shipped overnight to Macrofab. This is the third or fourth time I said, ‘whoops, we spent a few thousand dollars’ during the production of this badge.
Monday morning rolled around, and the PICs magically appeared at Macrofab. I called to cancel the order I placed Friday afternoon and everything was fine. The fire was extinguished.
For fun I also checked the FedEx tracking for the package full of PICs, and found these microcontrollers went from Thailand to Alaska to Malaysia to Alaska to Taiwan to the FedEx Mother Brain in Memphis and finally to Houston. There is a reason you pay your logistics guy well.
Badges Rolling Off the Line
As Macrofab began sending badges through the ovens, it seemed for a moment that everything was alright and this would actually happen. Then we got an email. Badges were failing their self-test.
If you check out the official project repo for this badge, [Mike Harrison] did an excellent job on the firmware development for this badge. There’s a splash screen, video recording, and most relevant for Macrofab, a hardware self-test. It’s a boon for the assembly line at Macrofab — the only thing the assemblers need to do is connect the PICKit 3 programmer (no computer necessary), hit upload, and wait for the word ‘PASS’ to appear on the screen.
Unfortunately, the first dozen badges off the line never showed ‘PASS’ during the self-test. The accelerometer was failing. [Mike] quickly wrote an additional I2C utility for the self-test which found the accelerometer was at address 3A 60, when it should have been at 32 60. That’s an off-by-one error if you’re keeping score at home.
This ended up being just another outcome of buying parts with a short lead time. The badge prototypes used an almost identical part as the production version. The only difference, as far as we can tell so far, is that the part we told Macrofab to order has an I2C address of 3A 60. No problem, that’s just updating a single line of code in the bootloader and test firmware. Macrofab swapped out for the new firmware on their programmers and everything magically worked.
If you’ve never done any sort of artisanal manufacturing before, you really don’t realize how much time it takes to do one thing five hundred times. If you need to do a task once — take the trash out, or wait for a machine to finish, for instance — it really doesn’t matter if it takes one minute or three minutes. You can always make up those extra two minutes somewhere. If you need to do a task five hundred times, a one-minute task turns into a bit more than eight hours, or a full workday. A three-minute task done five hundred times is three workdays. This is a big difference.
Building a conference badge is filled with these one- to three-minute tasks. You need to depanelize the boards. You need to solder in a battery holder. You need to install the lanyard. You need to copy an SD card. You need to kit the badges. All of these, singularly and independently, are not a big deal. Put together, you might be looking at a man-month of work. You’ll want some friends or coworkers for these small tasks I’m now calling ‘piddlin’ crap’.
Logos, sample images, a few demo videos, and a backup copy of the stock firmware are all stored on an SD card. This is a fantastic way to plan for software development that’ll happen at the the con since the bootloader can flash hex files from the card to the microprocessor. But it does mean someone has to program those SD cards. How do you clone five hundred microSD cards?
We ended up going with one of these things. It’s a 1 to 15 SD card duplicator, basically a tiny tower stuffed with four, four-bay SD card slots, a control panel, and an FPGA. Put the SD card to be cloned in the upper left-hand slot, fill the other slots with blank cards, and press a button.
We were pleasantly surprised with how fast it was to clone the microSD cards for each badge. We had tested the cloner a few weeks before, and came up with a 14-minute run time to clone 15 cards. Add in two minutes for swapping out each card, and that’s a full work day of cloning SD cards. This is a fairly advanced SD card cloner, though, and this experiment was copying each and every block on the card. Since we’re only copying a few megabytes worth of graphics and videos, the actual cloning of the master SD card was much faster.
As you would expect, firmware development for the 2017 Supercon badge was happening right up until the last possible minute. We discovered on Tuesday morning that the sleep function wasn’t working. The power pin was floating as the microcontroller entered sleep and too much noise from the switching power regulation turned it back on.
[Mike] fixed this in software by using PWM on the switcher’s enable line to bleed off enough stored power to shut it all the way down. There was also a wrongly mapped pin in the bootloader menu that was fixed. These changes meant we needed to reflash all of the badges — but we were going to have to do that with the the final firmware version anyway. On Wednesday night, [Mike Harrison] turned the badge into an oscilloscope just hours before we had to start kitting.
Very few tasks can be parallelized. You can’t design a badge in parallel, and I don’t even know what that would look like. Is it one person designing the power supply, one person putting pull-ups for the I2C bus, and another doing the mechanical design, throwing everything together, and hoping a working circuit appears at the end? It wouldn’t work.
Kitting is one of the very few parallelizable tasks in building this badge. This started with 1000 AA batteries that needed to be liberated from their 4-packs of plastic shrink wrap and 10 cardboard boxes. Line up 200 batteries at at time in rows of 20, use a box cutter to score the plastic, and you can unwrap 8 at a time in about one second using both hands.
Macrofab shipped the badges each sealed in an antistatic bag, placing four together and wrapping in bubble wrap. We unboxed these, unwrapped them, cut open the bags and placed each on the table. SD cards were inserted, then batteries, before sliding them to [Mike] who was using four programmers at once, along with binder clips to hold down the badge power button during the ~10 seconds of programming. Don’t worry, we made a video of this which starts after we had already done about 160 badges. This is not [Mike’s] first rodeo and his guidance is all that made this feasible — one second of wasted time per unit adds up to almost 10 minutes of extra work.
In theory, designing and manufacturing a badge is easy. You need only open up a copy of Eagle or KiCad, push some wires around, and send the board off to a contract manufacturer. In practice, even the ‘easy’ way of doing things is incredibly hard. Supply chain management is a skill, and being able to plan a design is as important as doing the actual design of the design. Waterfall calendar graphs are your friend.
Nevertheless, we got our badge finished and out the door. Yes, there were a few problems along the way, but that’s only two or three more gray hairs on our head.
If you want to get your hands on one of these sweet badges, head over to Tindie before they’re all gone.
At this point, it’s not really correct to describe DEF CON as a single, gigantic conference for security, tech, and other ‘hacky’ activities. DEF CON is more of a collection of groups hosting villages, get-togethers, meetups, and parties where like-minded individuals share their time, company, electronic war stories, and whiskey. One of the largest groups measured by the number of rideable, inflatable unicorns is Queercon, a ‘conference within a conference’ dedicated to LGBT causes, a rager of a party, and a killer conference badge.
The development of the 2017 Queercon badge had a really tough act to follow. Last year’s Blooper squid/cuttlefish badge is a high point in the world of functional PCB art, and by January of this year, the team didn’t know where to take badgecraft next.
In the end, the QC badge team decided on a ‘failsafe’ design — it wasn’t necessarily going to be the best idea, but the design would minimize risk and development time.
The two obvious features of this badge are an incredible number of tiny RGB LEDs, and very strange hermaphroditic edge connectors, allowing these badges to be plugged together into a panel of badges or a cube. What does this badge do? It blinks. If you have five friends, you can make something that looks like the Companion Cube from Portal.
The killer feature for this badge is a vast array of RGB LEDs. Instead of going with WS2812s or APA101s, the Queercon badge team found simple, 0604 RGB LEDs, priced at about $0.026 a piece. There are 73 LEDs in total, all driven by the same TI LED driver used in previous years, combined with two shift registers and 15 FETs to control the LED commons. Although the LED driver is able to address all 219, and even though the badge is powered by a 32-bit ARM Cortex M3 microcontroller, this is pretty much the limit of how many LEDs can be controlled with this setup.
The Queercon badge always has a bit of interconnectedness built in, and this year is no exception. This year the badge uses a strange universal connector mounted along the four sides of the badge. When one badge is plugged into the other, they mate producing a ‘fabric’ of glowing badges. The range of motion on this connector allows for 180 degrees of rotation, but surprisingly most Queercon badge holders only assembled single planes of badges. It took a bit of cajoling from the badgemakers to get people to assemble a cube, and no other weird shapes were constructed out of multiple badges. If anyone likes this idea of interconnected badges, I would like to personally suggest equilateral triangles — this would allow for icosahedrons or hexagon-based solids.
A badge wouldn’t be complete without a game, and the Queercon badge has it in spades. The UI/UX/graphics designer [Jonathan] came up with a game loosely based on a game called ‘Alchemy’. Every badge comes loaded with a set of basic elements (air, fire, water, earth), represented as pixel art on the 7×7 RGB LED matrix. Combining these elements leads to even more elements — water plus fire equals beer, for example. Think of it as crafting in Minecraft, but with badges.
Starbucks was responsible for sponsoring a portion of Queercon this year, so ten special badges were loaded up with a fifth element: coffee. Elements derived from the coffee element required a Starbucks sponsor badge.
When the badges came back from the fab house, the failure rate for this year’s Queercon badge was 0.7%. That’s an amazing yield for any independent hardware badge, and is honestly one of the most impressive aspects of this year’s Queercon. Failure modes during the con were probably related to spilling a drink on a badge, although there was a rash of failed CPUs. This is probably related to ESD, and during the con rework of failed badges was basically impossible because of drunk soldering in a dimly lit hotel room.
If there’s one failure of this year’s Queercon, it’s simply that it’s becoming too popular. From last year, Queercon saw 200% growth for the main party, which meant not everyone got a badge. That’s unfortunate, but plans are in the works for more inventory next year, providing DEF CON 26 isn’t cancelled, which it is. A shame, really.
A few weeks ago, I was working on a small project of mine, and I faced a rather large problem. I had to program nearly five hundred badges in a week. I needed a small programming adapter that would allow me to stab a few pads on a badge with six pogo pins, press a button, and move onto the next badge.
While not true for all things in life, sometimes you need to trade quality for expediency. This is how I built a terrible but completely functional USB to serial adapter to program hundreds of badges in just a few hours.
This is not the right way to do this.
As is usually the case for any tutorial I write, this is not the right way to do things. In commercial or manufacturing settings, pogo pins are usually found in test or programming jigs. In these jigs, the pogo pin is mounted perpendicular to a PCB, with each pin running through a second identical PCB mounted on standoffs. Just look at these fantastic products on Tindie for an example. These two PCBs provide mechanical stability and electrical connections to each pogo pin. This is a very robust system, but building one of these test jigs means I need to order a few PCBs. I didn’t have the time to do this, so I needed another solution.
All I need is some way to hold six pogo pins on 0.1″ centers, with a few pads to wire these pins up to a USB to serial adapter. A single PCB to do this is extremely simple — all you need are a few pads to hold the pogo pins and a set of holes to plug a serial adapter into.
I managed to whip up a PCB (right) for this in about three minutes. It’s extremely simple, with the only remarkable feature being six very long pads for the pogo pins. If you’re very good at applying solder paste by hand, the surface tension of melted solder will align the pogo pins, leaving you with six perfect pogo pins all aligned and parallel to each other.
A PCB solution is easy, but it also takes time. Unless you have a PCB mill sitting in your lab, you’ll have to make due with ordering this board from OSH Park or something. Sometimes you need a pogo pin programmer right now.
If you don’t have a PCB mill, I hope you have a 3D printer. Last year, [Timothy Reese] created the Fiddy for Adafruit. This is a 3D printed ‘clip’ for six pogo pins, designed to clip onto the end of an Adafruit Pro Trinket for FTDI programming. Before designing my own pogo pin adapter, I made Fiddy. It performs its job well. The Adafruit Fiddy will clamp down on small boards, and it will program them.
There are a few shortcomings to the Adafruit Fiddy. I found my 3D printed version to be a little too flexible, although this is probably because I printed it in ABS, not PLA. The Fiddy is a little bulky. I also don’t need a programmer that clamps down on a board — I’m more than happy to hold a serial programmer against a board for forty-five seconds if it means the pins are a little more secure and the device is a little more robust.
Here’s what I did
There’s the lit review for the existing solutions for a simple, handheld pogo pin programmer. They’re all good, but I needed something right away. Except for the pogo pins (available wherever fine electronics are sold), I only needed a few items that were already on my workbench:
30 AWG Kynar wire
Any random “FTDI” USB to serial converter
For this project, the pogo pins will be held in place with a 3D printed adapter. After a few minutes in OpenSCAD, I came up with this model. It aligns six pogo pins on 0.1″ centers, and can be epoxied to the back of a standard, off-the-shelf USB to Serial adapter.
There’s not much to this 3D printed pogo pin adapter. Think of these 3D printed parts as more of a jig, with a small amount of epoxy providing the mechanical strength.
These parts were printed at a very low layer height (0.05mm) using whatever filament was already in my printer. The orientation of the parts on the bed required support for the overhangs that would become the space behind the normal FTDI pin headers, and a passthrough for the Kynar wire from the pins to the pads.
In normal applications of pogo pins, you’d simply place the pin in a circular pad and solder the brass casing to a PCB. I don’t have this option, so I need to attach Kynar wire. I did this by stripping the Kynar, placing 2-3 millimeters of stripped wire in the hole at the non-pogo end of the pin, tacking it down, and wrapping the rest of the stripped wire around the pin. A tiny bit of solder holds everything together, and a small bit of heat shrink will keep the pins from shorting to each other once this is assembled.
After preparing six pogo pins, I had to sandwich all of them between two pieces of plastic. If I have one tip on how to do this, it’s, ‘go slow’. I used five-minute epoxy for this, installing one pin at a time and making sure they were all aligned and even. It takes patience, but it will work.
After that, the only thing left to do was to solder the other end of the Kynar wire to the FTDI adapter. It’s small, fiddly soldering, but it can be done.
Did it work? Yes. Is it good? Ehhhh….
While I was able to program a few hundred badges with this pogo pin serial adapter, I’m not going to call this a ‘good’ solution. There are a few issues with this device, and I’m actually surprised it worked in the first place.
After programming, the ESP8266 on the badge restarts, and the LEDs turn on. While the power supply for the FTDI adapter is capable of providing the required ~300mA to the badge, I should have used a larger gauge wire to attach the pogo pins to the USB to serial adapter. This really isn’t a big issue, but it is an issue.
Additionally, I had to be very, very careful not to get any epoxy on the ‘springy’ part of the pogo pins. It’s easy to not screw up the springiness of pogo pins if you’re dealing with solder, but epoxy gets everywhere. I found that a quick rub down with isopropyl alcohol does clean the pins, but this is still something I wish I didn’t have to deal with.
If I had to do this again, with no limitations on time or money, I would take the PCB I created in Eagle above, grab an FTDI chip and a USB connector, and simply build my own USB to serial adapter that uses pogo pins instead of pin headers. This actually wouldn’t be that much work — two hours to design the circuit, maybe an hour assembling it, and if everything goes right I’d have the perfect tool for the job.
However, sometimes you just have to solder and glue some crap together and hope it works. That’s what I managed to do here, and yes, it did work.
Recently, the voice push to talk circuit in [Ryan]’s BITX40 radio was keyed down for a very long time. Blue smoke was released, a MOSFET was burnt out, and [Ryan] needed a new IRF510 N-channel MOSFET. Not a problem; this is a $1 in quantity one, but shipping from Mouser or Digikey will always kill you if you only buy one part at a time. Instead, [Ryan] found a supplier for five of these MOSFETs for $6 shipped. This was a good deal and a bad move because those new parts were fakes. Now we have an opportunity to play spot the fake MOSFET and learn that it’s all about the supply chain.
To be fair to the counterfeit MOSFET [Ryan] acquired, it probably would have worked just fine if he were using his radio for SSB voice. [Ryan] is using this radio for digital, and that means the duty cycle for this MOSFET was 100% for two minutes straight. The fake got hot, and the magic blue smoke was released.
Through an industry contact, [Ryan] got a new, genuine IRF510 direct from Vishay Semiconductors. This is a fantastic opportunity to do a side-by-side comparison of real and counterfeit semiconductors, shown at right. Take a look: the MOSFET on the left has clear lettering, the one on the right has tinned leads and a notched heatsink. [Ryan] posed the question to a few Facebook groups, and there was a clear consensus: out of 37 votes, 21 people chose the MOSFET on the left to be genuine.
The majority of people were wrong. The real chip looked ugly, had tinned leads, and a thinner heatsink. The real chip looked like a poor imitation of the counterfeit chip.
What’s the takeaway here? Even ‘experts’ — i.e. people who think they know what they’re talking about on the Internet — sometimes don’t have a clue when it comes to counterfeit components. How can you keep yourself from being burned by counterfeit components? Stick to reputable resellers (Mouser, Digikey, etc) and assume that too good to be true is too good to be true.
If you need a sensor to detect gasses of some sort, you’ll probably be looking at the MQ series of gas sensors. These small metal cylinders contain a heater and some electrochemical sensor. Wire the heater up to a voltage, and connect one end of the resistor to an ADC, and you have a sensor for alcohol vapors, hydrogen sulfide, carbon monoxide, or ozone, depending on which model of sensor you’ve picked up.
There’s a difference between accuracy and precision, and if you want to calibrate gas sensors, you’ll need to calibrate them against something. Instead of digging out a gas sensor of known precision, [Davide] took the easy way out: he graphed the curves on the datasheets for these sensors. It’s brilliant in its simplicity.
These numbers were thrown into R, and with a bit of work, [Davide] had a look up table of various concentrations of gasses plotted against certain resistances. In testing these sensors, he found a higher correlation between humidity and temperature and gas concentrations, which one would expect.
The files for these sensors are available on [Davide]’s website, and he included a neat little video showing everyone what went into these calculations. You can check that out below.