One of my Interlock projects has been to explore the capabilities of the Beaglebone Black’s built-in Power Management Integrated Circuit (PMIC) that gives the BBB a pretty useful feature; charging and operating off of li-po batteries. If you look at the BBB board, you will see 4 through-holes behind the 5v plug. These are break outs for the PMIC and can be used to hook up to a battery.
Having a battery connected to your board gives you the ability to do things like making a UPS for you beaglebone so in the case of a power loss, it can politely shut-down, run a custom command, or just continue running for as long as the battery can charge it.
In most of the use cases, you’re going to find a lithium polymer that can produce around 3.7V which is under the BBB’s 5v requirement. 3.7V will work fine to power the board but of course your 5V USB port will not work while on the battery. Sparkfun has a few nice ones that have the voltage protection circuits built in to help limit the risk you brick your li-po.
There are 4 pins we’re talking about:
You can see in the diagram what each pin-out is. Li-po’s are riskier than some batteries because they’re known to explode in some cases of over powering. A temperature sensor that is designed to check how hot the battery is getting and decide how to handle it, is built into the PMIC in case your battery doesn’t have this capability already(many do). The directions below are going to show you how to jump this temperatur check with a 10k resistor, which is not recommended if you value your home or hackerspace. If you don’t trust the battery you’re charging, I’d suggest looking into accurately reading the temperature from your battery. My Sparkfun batteries do no break out the temperature sensor so this wasn’t plausible.
- jumper pins TP5 to TP6 (or use an SMT zero ohm resistor)
- connect a 10K resistor between TP7 and TP8
- Install a JST connector on TP6 and TP8
- Connect your battery into the JST connector
With a little luck and the correct battery, you should be in business. You’ll need to let your battery charge before you try and yank the power cable from it. In the mean time, you can query the status of the battery via the i2cget command built into the OS.
The PMIC is accessible using I2C and the builti-n OS for BBB has a simple command line interface to query its state. The following command will tell you whether or not battery is plugged in:
i2cget -y -f 0 0x24 0xA
This will return information that contains this:
0 device 0x24
On battery power only? 0
Push Button = 0
USB Power = 0
AC Power = 1
Active (charging) = 1
“Active” refers to whether it can recognize the battery you have plugged in. You can also read this state to detect a power failure and automatically failover. If you’re using the default OS for the Beaglebone Black (the one that comes pre-installed), the OS will automatically shut itself down in the case of a power loss. You’ll want to either install another OS, or disable that service if you’d like to change how long the battery should stay online.
A decent amount of research went into this simple project. There are a ton of warnings and caveats that I’m not going to cram into this blog post (i2c address is read only, pin-outs are not a standard size, beware of jumping the resistor next to the pins). You can find out more information here:
Thanks to Alex for finding a fatal flaw in the 10k resistor I was using.
from antitree on March 2nd, 20150 Comments
This Thursday the 19th, we have another installment of the Software Defined Radio (SDR) workshop. The goal of which is to provide introductory support to people learning about SDR’s as well as let some of the more seasoned folk work on their projects. We’ve talk to a lot of people lately about what an SDR is and why we have a workshop for it so I thought I’d review why they’re fun.
What is an SDR?
Unlike some radio equipment which only provides a small range of frequencies you can transmit and receive on, SDR’s let you use a single device, and control their frequency from very low (<100Mhz) to very high (2.4GHz+).
In the past, if you wanted to listen in on a certain frequency, say your garage door opener for example, you’d have to buy a piece of hardware that runs at that frequency — in this case it’s often 434MHz. Now for as little as $20, you can buy a device that can read your garage door opener at 433Mhz, listen to the local FM radio station at 90.5Mhz, or track airplanes at 1090Mhz. This lets you play with different frequencies and see what’s being transmitted. You may be surprised.
This also lets you learn about the basics of RF: electronics, antennas, ways to decode a signal.
The workshop is open to the public; non-members are welcome as always. Feel free to drop a comment on the meetup page if you’re interested but have some questions.
SDR Workshop on Meetup
from antitree on February 17th, 20150 Comments
The JTAGulator is a tool designed by Joe Grand – the guy that used to make the DEFCON badges for years and was part of one of the first hackerspaces, Lopht. He did a Blackhat LV presentation on his newest open hardware, open source project called the JTAGulator. It’s purpose is to help you figure out the pins of a JTAG or UART device. This is normally an annoying and time consuming process.
JTAG (Joint Test Action Group) is just a name for a standard way of providing a debug interface to your hardware devices. What’s nice about it is with one interface, you can provide debugging capabilities to a variety of chips on your board. So if you have two microcontrollers, each of them can be separately accessed through one interface. Pretty cool.
Hackers have been using JTAG for years to reverse hardware. You might have seen them used when messing with router firmware to install DD-WRT or OpenWRT. For WRT supported routers, JTAG often gives you the ability to push a custom firmware onto a board or extra the firmware that is currently installed.
JTAG For Security
Of course with all of my projects, I add a security twist. JTAG lets me gain low level access to a device and see how it works. An interface may be able to dump an EEPROM which could contain the cryptographic keys that are securing another piece of memory on the chip. Or it could give me a serial console similar to a root terminal that lets me interact with a device like a computer. The point is, it’s a debuggable interface that I can use to exploit in a variety of ways to learn about how the device works.
You might wonder why these interfaces even exist on hardware since they give hackers the opportunity to access your hardware. Because JTAG is so useful for debugging, manufacturers actually use this interface the same way you would, to make sure the device is functioning properly. That’s why it’s highly likely you’ll find some kind of debug interface for your boards.
The JTAGulator connects to your computer using a micro-USB cable that shows up as a serial device. In Linux, that device will be something like /dev/ttyUSB0. It uses 115.2K baud 8N1. Once connected using something like minicom or gtkterm in Linux, you’ll see a prompt of available options. You can now start JTAGulating.
To connect the JTAGulator to a device, the board is designed to use the cables from a standard Bus Pirate board. You can either do that, or just use some aligator clips to connect to the pins. Either way, the board you’re working on is going to need to be have the JTAG leads broken out so you can connect something to them. In my little Asus router that I found, these pins are pretty easy to access. I just soldered some cables on to them, and added a bit of glue to make sure they kept.
Asus Router with wires near JTAG leads
From this point, your router should be connected to the JTAGulator, your JTAGulator connected to your computer, and you should have a console interface waiting for directions.
The first step is to set the voltage. It has a range of 1.2 to 3.3V and this is going to be important for you to figure out before hand. (If you don’t know how to figure out the voltage on your board, you can probably ask someone at Interlock to show you using a multimeter.) Then you can choose how you’d like to scan for JTAG. There are two options, one is more thorough and time consuming but I don’t have enough data to tell you which is better for which situation (feel free to chime in if you know). Either one will prompt you for which pins you’d like to test with, which should correspond to the pins you’ve connected on your JTAGulator. When you run it, it will attempt every possible combination of pins until it thinks it has found the right one. It also has a UART discovery mode.
This is not the first JTAG discovery product out there but it’s the first I’ve used. I mentioned that the project is open source so here is a link to Joe’s site to help you build your own board if you want, or if you’re like me, you can buy them from a company like Adafruit, too.
from antitree on October 16th, 20130 Comments