Browsed by
Category: My Projects

My Projects

QuahogCon 2010 Humans vs. Zombies Game

QuahogCon 2010 Humans vs. Zombies Game

For those who are curious about some of the particulars of the game, here is what I gleaned from the goings-on at the ‘con (And from a lot of borrowing Jimmie’s badge, and soliciting button-presses from random ‘con attendees).

Spoiler Warning: If you want to try to disassemble, packet-sniff, or otherwise decode the Humans vs Zombies game completely on your own, don’t read on.

Most of this is just a brain dump, it’s not really in any particular order.

  • AFAIK, 5 types of badges existed: Human, Zombie, Cleric, Mussel and Uber. All of these attacks are explained later on in the “giant list ‘o attacks”, with the only exception: Mussels can attack either humans or zombies, and have no unique attack code.
  • I managed to peek at an instruction sheet for a Cleric that was left behind by one of the lovely ladies from the CORE table; however, it held no unexpected information. (Though it was quite nice, and fit with the story in the Attendee pamphlets/schedules
  • Attendees began as humans, and were turned into zombies by attacks from other zombies, or from coaxing from an Uber badge.
  • In the download provided at con-time (q10-pub.tar.gz), there lives a file known as rftest-rx.c. By default, this will list (over UART1), the unencrypted attack type and attack power of whatever attacks it hears.

    rftest-rx.c also has a line commented out that will print the entire packet received. Note that the packet [3] and [4] need to be XOR’d with packet [2] to make any sense. (<– Uber encryption) 
    Example:
    [2] ^ [3] = Attack Type
    [2] ^ [4] = Attack Power

  • From soliciting keypresses, I managed to make a list of the following attacks/powers:
    1,1: Human Defensive
    1,2: Human Normal
    1,3: Human Offensive
    1,6: Human Critical Hit
    2,1: Zombie default attack OR attack with 1 LED of charge
    2,2: Zombie charged to 2 LEDs
    2,3: Zombie charged to 3 LEDs
    2,4: Zombie charged to 4 LEDs
    2,5: Zombie charged to 5 LEDs
    3,20: Cleric Heal Humans
    3,50: Cleric Heal Humans (Critical Hit)
    4,20: (Really? 4:20? *groan*) Cleric Turn Undead
    4,50: Cleric Turn Undead (Critical Hit)
    99,5: Uber ???
    99,6: Uber Epic Win
  • During his talk on 802.15.4 security regarding replay attacks, Josh Wright briefly showed the packets that he managed to sniff from an Uber badge, which turned anyone in range into any of the 6 modes (the 5 discussed above, and also ‘dead’.) He then proceeded to execute a replay attack on the audience, and it apparently hit @innismir (Ben Jackson) in the next room during his presentation. Twitter thread: [1][2][2.5][3][4][5]

I’ll add more here if/when I think of it, and once I start sniffing in earnest. I spent the entire ‘Con trying to reinvent the wheel… Apparently all the good stuff was in the q10-pub/firmware directory… I had been tweaking code in the q10-pub/tests directory. I still managed to sniff the above code, however I didn’t get transmit working in time to pwn the closing ceremonies. Totally looking forward to pwning whatever badge they throw at us next year, though.

Sparkfun.com Stuff: Arduino Shield, Breadboarding Supplies, etc

Sparkfun.com Stuff: Arduino Shield, Breadboarding Supplies, etc

My latest Sparkfun.com order.

For PIC programming:
BOB-00193 (1): Adapter board for Microchip ICD and ICD2

For (hopefully) adding some IR functionality to my QuahogCon badge:
COM-09349 (4): Infrared LED – 950nm

For parts:
DEV-00348 (2): Olimex Carrier Board for OKI ML67Q5003

For prototyping on the Arduino (and otherwise generic prototyping):
DEV-07914 (1): Arduino ProtoShield Kit
PRT-07915 (1): Breadboard Mini Self-Adhesive (For Protoshield Kit)
PRT-09567 (1) : Breadboard Clear Self-Adhesive (For other breadboarding)
PRT-00124 (1): Jumper Wire Kit
PRT-08430 (1): Jumper Wires Premium 6″ F/F Pack of 10
PRT-08431 (1): Jumper Wires Premium 6″ M/M Pack of 10
PRT-09140 (1): Jumper Wires Premium 6″ M/F Pack of 10

QuahogCon Badge Details Released

QuahogCon Badge Details Released

In the fine tradition of hacker con badges, QuahogCon presents its inaugural badge, based on the Freescale MC13224v.

More info and badge specs can be found at mc1322x.devl.org: MC13224 Hardware, and more contest-related info can be found at QuahogCon: Contests.
.
MC1322x-related Open Source tools and guides are available at mc1322x.devl.org.

I’ll be adding more badge-hacking-related stuff before/during/after QuahogCon, once I get to play around with my badge.

FT4232H-Based Eee 701 Internals Controller

FT4232H-Based Eee 701 Internals Controller

Attachment: Schematic PDF

This controller will be designed for installation into an Eee 700-series netbook to serve the following purposes:

  1. Provide a communications interface to I2C, SPI and UART devices over USB
  2. Control power switching to various internally-mounted low-current (~0-25mA) and high-current (~25-125mA) devices.
  3. Provide non-USB-Host 5V power to the high-current USB devices through high-current SPST switches so as not to overload the USB Bus (Update: This will be done by off-board MOSFETs. There just wasn’t enough room on the board to allow it to still fit in the space allocated for the MDC1.5.

Requirements:

  • The finished PCB should fit comfortably inside an Eee 700-series netbook, in the MDC1.5 spot (A modem was planned for the Eee 700-series, but never released. There is an empty space in the Eee 700-series case to fit a Mobile Data Card (Modem), but one was never included, and the option was removed from later BIOSes. In later netbooks the connector was no longer soldered in.)
  • The finished PCB will have through-hole connectors for attaching external devices, USB, external power, etc. for ease of soldering and to help prevent solder-pad lifting.
  • Surface-mount parts will be used to save space (I know, they’re a pain to solder. I don’t look forward to it, but there just isn’t a whole lot of room inside the Eee)
  • It would be nice to have all pins aligned at 0.1″ so it could be put on a breadboard for prototyping.

Background:

This came about in its current form through discussions on #sparkfun as I was looking for a controller to go along with devices such as GPS that I would (hopefully) purchase on SparkFun’s Free Day. I was stuck between the Arduino Pro Mini and the Mini Bully to allow for SPI communication; however, I would still have had to include a USB-TTL FT232R-based converter. It was suggested that I use the FT2232 since I could do SPI and UART on the same chip.

Unfortunately, or fortunately (depending on how you look at it), I looked again at the size of the USB-capable GPS I wanted (GS407), and found that there was no way it was going to fit, despite my previous measurements. I instead chose the Venus GPS with SMA for its size; however, it has a UART interface, and I was stuck now with SPI and UART devices (And maybe some I2C). This is why I’m looking now at the FT2232H and the FT4232H (Which is pin-identical to the FT2232H, just with 4 ports instead of 2).

FTDI Chips:

FT2232D:

The FT2232D has 2 channels and is slightly smaller and takes less than half the power of the newer FT2232H, but the FT2232D only allows for one MPSSE (Multi-Protocol Synchronous Serial Engine: the encoder that allows you to use I2C, SPI, etc.) channel. This means you can have one JTAG, I2C or SPI channel. Channel 2 (Also called B) doesn’t support the MPSSE engine; it is only for RS232 UART, RS245 or other serial modes.

FT2232H:

The FT2232H is larger than the FT2232D, and consumes more than double the current. However, the FT2232H supports MPSSE on both of its 2 channels: You can now have SPI, I2C, RS232 UART, etc in any configuration. It has a direct upgrade path to the FT4232H thanks to a shared size, footprint and power requirements.

FT4232H:

The FT4232H is a direct replacement for the FT2232H, and allows for 4 channels instead of 2. The MPSSE can be used on channels A and B simultaneously. Though the number of channels goes up for the FT4232H, the number of supported protocols goes down; however, this chip supports all of the protocols this project would ever require: UART, SPI, I2C and maybe bit-banging. This project has no plausible requirement for RS245, FIFO, Host Bus Emulation or the like.

FT4232H Channels:

  1. RS232 UART, JTAG, SPI, I2C or bit-banging
  2. RS232 UART, JTAG, SPI, I2C or bit-banging
  3. RS232 UART or bit-banging
  4. RS232 UART or bit-banging

Ports: Here’s what I personally plan to attach on each of the ports of my copy of the project board.

Channel A: SPI #1

  • 3-Axis Accelerometer (Has an optional interrupt for motion detection. Has buffer room for 64 samples per axis. Supports reading of its 9-bit temperature sensor over the serial bus.)
  • Cable Select for each SPI device on GPIOs.
  • Interrupt from 3-Axis Accelerometer, if needed

Channel B: I2C or SPI #2

  • Sensors: Temperature, …?
  • FM Radio Receiver AR1010

Channel C: UART #1

  • Venus 634FLPx GPS (I’ll have to see what this GPS supports in regards to buffering to see if it could handle being on the SPI bus along with the accelerometer.)

Channel D: UART #2

  • Kenwood D7A APRS In or GPS Location Out

GPIOs: (Spare pins on Channels A or B)

  • Triggers for high-current SPST Switches or MOSFETs for switching power to internal devices
  • LED(s)?

Voltages: Voltage requirements of each device I intend to connect

  • FM Receiver AR1010: 3.3V
  • 3-Axis Accelerometer SCA3000: 3.35V-10V
  • Venus 634FLPx GPS: 2.7V-3.3V
  • FT4232H or FT2232H: 3.3V

Amperages Required and Equivalent Current Draw at 5V: 5V Current Equivalents for determining if all devices specified can be safely run on USB power or if they would require power from another source. (These are based on rough figures, and are always subject to the device’s operating conditions. I just want to see if it’s in the ballpark)
AR1010:
(Max current 16mA at 3.3V, as per module datasheet.)

  • 3.3 Volts * 0.016 Amps = 0.0528 Watts
  • 0.0528 Watts / 5 Volts = 0.01056 Amps
  • 0.01056 Amps = 10.56 milliamps at 5V

SCA3000: (Typical current during motion capture of 650uA at 3.3V, as per chip datasheet)

  • 3.3 Volts * 0.00065 Amps = 0.002145 Watts
  • 0.002145 Watts / 5 Volts = 0.000429 Amps
  • 0.000429 Amps = 0.429 milliamps at 5V (== 429uA at 5V)

Venus 634FLPx GPS: (Typically 28mA at 2.7-3.3V in tracking and navigation mode, per chip datasheet. A commenter on the Sparkfun product page notes that the added LED will add an extra 10mA (when the LED is turned on), so I’m going to go with 38mA for now. I’m going to assume their rated current is at the higher of the range: 3.3V)

  • 3.3 Volts * 0.038 Amps = 0.1254 Watts
  • 0.1254 Watts / 5 Volts = 0.02508 Amps
  • 0.02508 Amps = 25.08 milliamps at 5V

FT4232H/FT2232H: Icc1 (Vcore) is typically 70mA @1.8V, as per chip datasheet (pg 26)

  • 1.8 Volts * 0.070 Amps = 0.126 Watts
  • 0.126 Watts / 5 Volts = 0.0252 Amps
  • 0.0252 Amps = 25.2 milliamps at 5V

FT4232H/FT2232H: IPHY (VPHY) (For the USB Interface) is typically 30mA @3.3V, as per chip datasheet (pg 28)

  • 3.3 Volts * 0.030 Amps = 0.099 Watts
  • 0.099 Watts / 5 Volts = 0.0198 Amps
  • 0.0198 Amps = 19.8 milliamps at 5V

FT4232H/FT2232H: IReg (VReg) (For the 3.3V to 1.8V internal regulator) is maximum 150mA @3.3V, as per chip datasheet (pg 26)

  • 3.3 Volts * 0.15 Amps = 0.495 Watts
  • 0.495 Watts / 5 Volts = 0.099 Amps
  • 0.099 Amps = 99 milliamps at 5V

Therefore, total expected current required at 5V is (10.56 + 0.429 + 25.08 + 25.2 + 19.8) = 81.069 mA., and at the very worst case scenario, the VReg will draw 99mA at 5V. Power requirements will be tested again later with an ammeter. Anything under 100mA is easily provided by the USB Bus. Anything over 100mA should be specifically noted in the EEPROM of the device so it knows to request a higher power allocation from the computer.

Parts List (And Digikey Part#): [Might need updating for v1.1?]

  • C1, C2: CAP TANTALUM 4.7UF 10V 20% SMD (511-1491-1-ND)
  • C3, C7: CAP CER 1UF 25V X5R 0603 (490-3897-1-ND)
  • C4-6,C8-13: CAP CER .1UF 25V 10% X7R 0603 (490-1524-1-ND)
  • C14, C15: CAP CER 18PF 50V C0G 5% 0603 (445-1272-1-ND)
  • C16: CAP CER 3.3UF 10V X5R 0603 (445-5168-1-ND)
  • U1: IC REG LDO 3.3V 250MA SOT-23A (MCP1702T-3302E/CBCT-ND)
  • U2: IC EEPROM 1KBIT 2MHZ SOT23-6 (93LC46BT-I/OTCT-ND)
  • U3: IC USB UART/MPSSE QUAD HS 64LQFP (768-1026-1-ND)
  • U4: CRYSTAL 12.0000 MHZ 18PF SMD (535-9836-1-ND)
  • R1, R3, R4: RES 10K OHM 1/10W 1% 0603 SMD (RMCF1/1610KFRCT-ND)
  • R2: RES 2.2K OHM 1/10W 1% 0603 SMD (RMCF1/162.2KFRCT-ND)
  • R5: RES 1K OHM 1/10W 1% 0603 SMD (RMCF1/161KFRCT-ND)
  • R6: RES 12.0K OHM 1/10W 1% 0603 SMD (311-12.0KHRCT-ND)
  • L1, L2: FERRITE 1A 60 OHM 0603 SMD (240-2370-1-ND)

Schematic:

v1.1 as attached. NB, it was made with gEDA, not Eagle.

PCB Layout:

v1.1 as attached. NB, it was made with gEDA / PCB, not Eagle.

Suggestions:

All suggestions are welcome. Please leave a comment below to let me know what you think, or if you have any feature requests.

License:

This project is released under the CC BY-NC-SA 3.0 license. If you wish to use this project for commercial purposes, please contact me.

Availability:

I have a number of v1.1 boards available. I will be able to put one together for testing/debugging once I get parts for it. Unfortunately, the high-accuracy, small-form-factor crystal is backordered until something like November (2010).

Disclaimer:

This is for educational purposes only. I’m not liable for damages caused to you or your property (including but not limited to netbooks).

What I would buy/bought with $100 at SparkFun Electronics

What I would buy/bought with $100 at SparkFun Electronics

Since SparkFun Electronics announced Free Day on January 7, 2010, I figured I’d start looking at what exactly I could get for $100. (I’ll only link the big items for risk of being called Spam by Googlebot.) This list is a work in progress, I’ll add more as I search.

To anyone new to electronics, I would suggest the Arduino (See arduino.cc for more information).

Idea 1: Oscilloscope kit and soldering supplies (Probably better to get the Oscilloscope Kit at Seeed Studios for $33)

  • Digital Oscilloscope Kit $45.95
  • BNC probe kit $12.95
  • 9V DC/350mA power supply $5.95
  • Soldering Iron Stand $5.95
  • Brass Sponge $2.95
  • Diagonal Cutters $1.95
  • Total: Not quite done yet!

Idea 2: Reflow toaster controller kit and swag

  • Reflow Toaster Controller $89.95
  • SparkFun Pint Glass ($9.95) OR (SFE Iron-on patch ($4.95) and SparkFun Coffee Mug ($4.95)) OR Sparkfun Projects Case (Clear) ($11.95)
  • Total: $99.85 or $99.90 or $101.90

Idea 3: 3pi Robot (Probably better to get the 3pi at the Maker Shed, since their 3pi bundle is on sale for the same price, and use the free $100 to get other stuff)

  • 3pi Robot $99.95
  • Total: $99.95

Idea 4: Eee PC Hacking (NO. These modules’ antennae are too big for the Eee. A separate GPS with panel-mount SMA would be better.)

  • 20-Channel GS405 (SiRF Star III chipset) or 50-Channel GS407 (u-Blox 5H chipset) Helical GPS Receiver. Either is $89.95.
    (People have been having problems getting GPS to work right when put inside the EEE 700/701/702, but they’ve been trying to use a ceramic antenna instead of a helical one. Maybe helical is the answer?)
  • Surface-mount connector to fit the above. For GS405, $0.95. For GS407, $1.25
  • Total: $89.95+ (or maybe more Eee hacking stuff)

Idea 5: Uber Eee PC Hacking

  • UFl to RP-SMA Connector for external wifi antenna, $4.95 (Plus antenna, $7.95-$9.95) (Sold out for now, i’ll leave it alone)
  • Arduino Pro Mini 328, $18.95 (3.3V version or 5V version) OR Breakout Board for PIC24HJ64 – Mini Bully, $19.95 (3.3V) (Though neither have the serial to usb converter onboard… They would require something like the FTDI Basic Breakout, $13.95)… Maybe I should just make my own from a USB-capable PIC SOIC board?)
  •    OR… Just use an FT2232 chip to do all the controlling! (I’ll custom-build a circuit board based on FT2232 and a latch to control the innards of the Eee… Power switching to various devices, spi expander for sensors, etc)
  • FM Receiver Breakout Board – AR1010, $14.95 (Hmm, not RDS-capable…)
  • Triple Axis SPI Accelerometer Breakout – SCA3000, $44.95 (Temperature compensating, voltage regulated, input 3.35V-10V) OR Triple Axis Analog Accelerometer Breakout – ADXL335, $24.95
  • Total: $?+

Idea 6: Soldering Station

  • Soldering Station Variable Temperature 70W – Digital, $99.95
  • And maybe a smaller tip (each $14.99)
  • Total: $99.95+

Subtotal: GPS (Idea 4) + Uber Eee PC Hacking (Idea 5)

EVEm V1.1 Carputer

EVEm V1.1 Carputer

I scored a mega-deal on eBay a while back for this EVEm mini-ITX computer with an EVEm DC/DC power supply, in a generic mini-ITX case.

The EVEm has a VIA C3 Samuel2 600MHz “1GigaPro” CPU and a VIA VT133 Chipset.

I added the specified maximum of 256MB of 133Mhz SDRAM, and am currently using a 3.5″ 6.4Gb hard drive.

For more stats, look in this forum thread and in the English Manual. The support site can be found here.

The DC/DC Power supply is based on the Texas Instruments TL1451A.

Seiko/Epson RG9013F-NZ LCD Screen

Seiko/Epson RG9013F-NZ LCD Screen

I got this LCD screen free with one of my computer-related eBay purchases.

The label on the bubblewrap says:

Seiko/Epson RG9013F-NZ VGA 640×480 Mono for Dragonball EZ
Used/Excellent – Full Factory Spec Sheet At:
www.openhardware.net/ez328simm/resources.html [archive.org link]

Spec Sheet [PDF, archive.org link]

According to store.earthlcd.com, the EG9013FNZ1 is an STN Passive Transmissive 6.3″ 640×480 Monochrome LCD display with a CCFL backlight.