Tuesday, January 26, 2010

Sony PS3 hacked: "I rigged an FPGA button to send the pulse. Sometimes it kernel panics, ..."

The Register is reporting that a very smart hacker has been able to open up the Sony PS3. What is interesting here is his combination of hardware, software and old school 'keep pounding on the door till you get in' techniques.

"I rigged an FPGA button to send the pulse. Sometimes it kernel panics, sometimes it lv1 panics, but sometimes you get the exploit!! If the module exits, you are now exploited."

With more open source hardware debuggers becoming available, the 'old' clip of the young John Connor in the movie Terminator 2 sticking his 'hacked' ATM card into the ATM and getting money out is now reality.

RFID passport privacy issues uncovered: A Traceability Attack Against e-Passports

This paper by Tom Chothia and Vitaliy Smirnov at the University of Birmingham shows another example of why open source vetting and more transparency are necessary before massive Internet of Things systems are rolled out.

Their conclusion:
'Our work shows the inherent dangers of using RFID tags in personal items.'

Berg Insights research: 1.4% of worldwide wireless connections are machine to machine (M2M)

The research firm Berg Insights did a study at the end of last year that finds that 1.4 percent of wireless communications are from one machine to another, and this is predicted to grow by 26% per year. In the USA, Berg says the current percentage of wireless M2M connections is 4.3%.

This is the 'Internet of Things' growing at a very fast pace. This research only covers the mobile/cellular market, so once machine to machine communications over other radio technologies [WiFi, Zigbee, Dash7] are added in, the real total is even larger.

From Berg's research paper:

New M2M initiatives launched by major mobile operator groups are expected to have a positive influence on demand, stimulating new large-scale projects. Regulatory developments are predicted to have a major impact on the telematics industry. The EU is expected to propose formal legislation for the introduction of eCall by 2014 but in Brazil the fate of Resolution 245 is more uncertain. Another significant development to watch will be the progress of the Dutch government’s plans to introduce a nationwide electronic road charging system for all motor vehicles.

Monday, January 25, 2010

More on bad embedded software coding and coding practices

Good article here in Electronic Design about litigation that is starting to occur around embedded systems code. Just have a look at this line of code the author of that article found:

y = (x + 305) / 146097 * 400 + (x + 305) % 146097 / 36524 * 100 + (x + 305) % 146097 % 36524 / 1461 * 4 + (x + 305) % 146097 % 36524 % 1461 / 365;

In the original listing, there were no comments on this line to help. I eventually learned that this code computes the year, accounting for extra days in leap years, when given the number of days since a known reference date. But we still don’t know if it works in all cases, despite its presence in an FDA-regulated medical device. The Microsoft Zune Bug was buried in a much better formatted snippet of code that performed a very similar calculation.
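The uncommented one-liner above is the Gregorian calendar's nested cycle arithmetic: 146097 days per 400 years, 36524 per century, 1461 per 4-year block and 365 per year, each term peeling off one cycle. The following is an added example, not code from the Electronic Design article, the device it discusses or this blog. It transcribes that cascade into Python, puts it beside a version that handles the leap day correctly (the corrections are Howard Hinnant's published civil-from-days algorithm), and checks both against Python's datetime module over a full 400-year cycle. It assumes a March-based day count with day 0 = 1 March 2000, a constructed reference chosen because 2000 opens a 400-year cycle and because counting years from 1 March puts 29 February at the end of a year; the article's `x + 305` appears to be the offset that turns its own reference date into such a count, so the transcription is applied to the shifted value directly.

```python
from datetime import date, timedelta

# Lengths of the Gregorian calendar's nested cycles, in days.
DAYS_PER_400_YEARS = 146097   # 400 * 365 + 97 leap days
DAYS_PER_100_YEARS = 36524    # 100 * 365 + 24 leap days (century years are not leap years)
DAYS_PER_4_YEARS = 1461       # 4 * 365 + 1
DAYS_PER_YEAR = 365

# Constructed reference: day 0 is 1 March 2000. Counting years from 1 March puts the
# leap day (29 February) at the END of a year, which is what the cascade relies on.
REFERENCE = date(2000, 3, 1)


def cascade_year_literal(d):
    """The article's expression, transcribed term for term (d is the March-based day count).

    The last-day case is wrong: on the 366th day of a leap year d % 1461 == 1460 and
    1460 // 365 == 4, so the year is over-counted by one. The same happens on the final
    day of a 400-year cycle, where 146096 // 36524 == 4.
    """
    return (d // 146097 * 400
            + d % 146097 // 36524 * 100
            + d % 146097 % 36524 // 1461 * 4
            + d % 146097 % 36524 % 1461 // 365)


def cascade_year_fixed(d):
    """Same cascade with the leap days cancelled out (Howard Hinnant's civil_from_days).

    Within a 400-year cycle the three correction terms remove one day per leap day that
    has passed, add back the day skipped by century years and remove the one restored by
    the 400th year, leaving a count that divides cleanly by 365 on every day.
    """
    era, day_of_era = divmod(d, DAYS_PER_400_YEARS)
    year_of_era = (day_of_era
                   - day_of_era // 1460
                   + day_of_era // DAYS_PER_100_YEARS
                   - day_of_era // 146096) // DAYS_PER_YEAR
    return era * 400 + year_of_era


def march_year_from_datetime(d):
    """Reference answer from the standard library: the March-based year of day d."""
    dt = REFERENCE + timedelta(days=d)
    years = dt.year - REFERENCE.year
    return years if dt.month >= 3 else years - 1


def mismatching_days(cycle_days=DAYS_PER_400_YEARS):
    """Every day of one 400-year cycle on which the literal expression disagrees with datetime."""
    return [d for d in range(cycle_days)
            if cascade_year_literal(d) != march_year_from_datetime(d)]


def check_fixed_version(cycle_days=DAYS_PER_400_YEARS):
    """True if the corrected cascade matches datetime on every day of the cycle."""
    return all(cascade_year_fixed(d) == march_year_from_datetime(d)
               for d in range(cycle_days))


if __name__ == "__main__":
    bad = mismatching_days()
    print(f"literal expression wrong on {len(bad)} of {DAYS_PER_400_YEARS} days; "
          f"first bad day is {bad[0]} = {REFERENCE + timedelta(days=bad[0])}")
    print("fixed version agrees with datetime on every day:", check_fixed_version())
```

Run as a script it reports that the literal expression is wrong on exactly the 97 leap days of the cycle, the first being day 1460 (29 February 2004), which is the kind of boundary case a reviewer should ask about before a line like this ships in a regulated device.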

This is a follow up to my post about the poor code that TI shipped with their Zigbee products. I saw posts today that they are shipping updated code, but how long will it take to get it rolled out?

This article really highlights how much good training, good review processes and, I think, much more open source review are needed as we move forward to the Internet of Things.

Saturday, January 23, 2010

TI eZ-430 Chronos watch based wireless door lock

Ziyan Zhou and Zachery Shivers are two smart young guys studying at Rochester Institute of Technology. They have created a very nice project based on the low power TI 430 microcontroller and 9xx MHz wireless chips from Texas Instruments. I beat up on TI in a previous blog entry for the shoddy code review that allowed a big security bug to slip through in their Zigbee chips. Despite that fail, TI creates some very nice hardware that is enabling the Internet of Things. This project by Zhou and Shivers is a great example of what is going to explode in the coming months and years. They do a very nice job of reviewing the security issues in their design. Give their project and the others at the TI430 low power design contest web site a look, good stuff! Vote for the one you think is tops; my vote went to Ziyan [Joe] and Zach.

Monday, January 18, 2010

TI Zigbee chips in SmartMeters easily hacked

It was very sad to see this article about the shoddy job done on the PRNG in the TI Zigbee chips that are installed in smart meters. Apparently a large number of the current meters have the TI Zigbee hardware:
Texas Instruments to patch smart meter crypto blunder

You have to wonder about the quality of any other software coming out of that group. Where is the QA and code review? This reinforces my opinion that open source is the best path for much of the systems development going on now. Unless you can afford a Space Shuttle software development effort, I do not see other good routes to good software. This was such a basic blunder; with so much very recent history of similar short cuts leaving WiFi systems vulnerable, how could this happen?
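The post does not say what the flaw in the PRNG was, so the following added example (not code from TI, from the linked article or from this blog) demonstrates one generic QA check that belongs in any firmware review of a random number source: power the generator up many times and confirm that the first values it emits are not the same after every reset. The weak generator is a constructed 16-bit linear congruential generator that reseeds from a constant at every power-up, standing in for any design whose start-up output is predictable; the comparison generator draws from the operating system's entropy source. Names, constants and thresholds are all assumptions made for the example.

```python
import os
import struct
from collections import Counter
from math import log2


class FixedSeedGenerator:
    """Constructed weak generator: a 16-bit LCG that reseeds from a constant at every power-up.

    Watching a single run, the output looks random; across restarts every device emits
    the identical sequence, which is exactly what a single-run test never notices.
    """
    SEED = 0x1234  # constructed constant seed

    def __init__(self):
        self.power_up()

    def power_up(self):
        self.state = self.SEED

    def next16(self):
        # Constructed LCG constants, output reduced to 16 bits.
        self.state = (1103515245 * self.state + 12345) & 0xFFFF
        return self.state


class OsEntropyGenerator:
    """Comparison generator: every 16-bit value comes from os.urandom."""

    def power_up(self):
        pass  # nothing to reseed, each draw is fresh

    def next16(self):
        return struct.unpack("<H", os.urandom(2))[0]


def boot_sequences(generator, power_ups, values_per_boot):
    """Simulate `power_ups` device restarts and record the first values after each one."""
    sequences = []
    for _ in range(power_ups):
        generator.power_up()
        sequences.append(tuple(generator.next16() for _ in range(values_per_boot)))
    return sequences


def distinct_boot_fraction(sequences):
    """Fraction of restarts whose start-up sequence was not repeated by another restart.

    1.0 means every boot looked different; 1/len(sequences) means the device replays
    the same numbers after every reset.
    """
    return len(set(sequences)) / len(sequences)


def startup_entropy_bits(sequences):
    """Shannon entropy (bits) of the start-up sequence across restarts.

    A test of this size can only measure up to log2(number of restarts) bits, so this
    catches a replaying generator but does not certify a good one.
    """
    counts = Counter(sequences)
    total = len(sequences)
    return -sum(c / total * log2(c / total) for c in counts.values())


def passes_reset_check(generator, power_ups=64, values_per_boot=4, min_distinct=0.9):
    """Acceptance test a firmware QA step could run: reject any generator whose start-up
    output repeats across restarts (threshold is a constructed choice)."""
    seqs = boot_sequences(generator, power_ups, values_per_boot)
    return distinct_boot_fraction(seqs) >= min_distinct


if __name__ == "__main__":
    for gen in (FixedSeedGenerator(), OsEntropyGenerator()):
        seqs = boot_sequences(gen, 64, 4)
        print(f"{type(gen).__name__}: distinct={distinct_boot_fraction(seqs):.2f} "
              f"entropy={startup_entropy_bits(seqs):.2f} bits pass={passes_reset_check(gen)}")
```

The check is deliberately cheap: it needs no statistical test suite, only the discipline of testing across power cycles rather than within one run, which is where a reseed-from-constant design hides.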

This guy, Travis Goodspeed, and a couple of others are doing a real service getting these issues out into the light. And I am guessing with no help from the likes of TI, Zigbee or others.

While it is not clear whether this mistake makes it any more possible for hackers to 'bring the grid down', it sure looks like it will slow the deployment of energy saving and GHG reducing solutions for residential and commercial buildings, and that is bad enough.

Come on, you can do better!

Sunday, January 3, 2010

Eco-Home: sustainable urban living demonstrated since 1988

I had the wonderful experience of touring Julia Russell's Eco-Home in Los Angeles before Christmas. Julia's 1911 Craftsman home has been a demonstration project showing that it is possible to retrofit existing homes in an urban location and have a very low environmental impact. I know this is old news to pretty much anyone living outside the United States. But for folks in Los Angeles, this is a must visit project.

Julia and one of her docents, Judy, gave a fantastic tour and lecture covering the property, its xeriscaping, garden and history, and the products and technologies used.

I've posted a few photos from the tour here on Flickr.

I encourage you to contact Eco-Home to set up a tour, here is the link for 2010 tour info.

Julia has indicated that she may retire from the Eco-Home project in 2010, so get a tour date as soon as you can. It is a wonderful education.

Zwave Home Automation, Leviton RS232 Serial Interface RZC0P basic wiring for USB Serial Adapter

I've started to work with a ZWave home automation control product from Leviton, the RZC0P-1LW. This device allows the control of Zwave based wireless home automation devices via a RS-232 interface.

The Zwave system is a proprietary system requiring a licensing agreement with Zwave Alliance group. Joining this group and paying some level of fees gives a developer access to programming and related information. The lowest level of membership in 2009 appears to be the Affiliate Member with an annual fee of USD300 and perhaps the requirement to purchase a USD500 hardware development kit.

There are a couple of other ways to programmatically work with Zwave devices: several home automation software and hardware systems put one or more layers on top of the Zwave proprietary protocol. A Google search for home automation and zwave will give you a list of these products. There are even a couple of open source projects that have reverse engineered parts of the Zwave control protocols and devices.

And a third way, in a sense a mini home automation layer, is to use one of these RZC0P devices in an existing Zwave network. As far as I can tell so far, the RZC0P cannot be the primary controller of a Zwave network, and every Zwave network requires one of these primary controllers to add, delete and manage the devices in the network. However, the RZC0P can be included as what is called a secondary controller. And a small amount of documentation has been created by Leviton to show you how to perform basic functions on Zwave devices via ASCII commands to the RZC0P.

I've studied the Zwave products, vendors and public information for a couple of years. More on what I have found about it and my opinions later.

But for now, I wanted to share some tech work I did to get the RZC0P running on a small Zwave network I have set up to explore some of the uses of these devices for both Aging In Place and Energy Management.

I am not an RS-232 expert nor an electrical engineering guru. But I have spent enough time in both of these areas that I knew pretty quickly that I had a problem talking to the RZC0P. I had the documentation on the ASCII commands and the RS-232 configuration requirements. Using these, I hooked the RZC0P up to an IBM ThinkPad with a built-in RS-232 port and was able to start communicating with the device right away. The problems came when I tried to move my testing to an Apple OS X computer with a KeySpan USA-19HS USB serial adapter. I wanted to do my testing using the Python language and tools and was more comfortable using these tools on Linux and OS X.

The problem I encountered was that I could not get the RZC0P to respond to commands when attached via the KeySpan USB serial port. I did not try the KeySpan USB adapter on the Windows machine, but I suspect from reading some posts on the web that I would have found a similar problem. I found several other people that indicated they were only successful in communicating with the RZC0P using a serial port directly attached to the Windows machine.

At first I suspected that I was not correctly toggling some of the RS-232 control signals; however the device's cable and documentation suggest, without directly spelling it out, that only the TX, RX and Signal Ground pins are required on the cable and that no software or hardware handshaking is done.

A further interesting fact appeared as I played around with various terminal emulators on OS X and cable combinations. At various points during these changes, the RZC0P would start communicating. I struggled to find the pattern that made it work.

Well, bottom line, apologies for the long route to my conclusion here. I suspect that the RZC0P has some bug or non-standard implementation of the RS-232 electrical interface. I found that if I used an RS-232 breakout box between the KeySpan USB serial adapter and the RZC0P, with just the three pins, TX, RX and Signal Ground, connected, the unit would work consistently. I could plug and unplug it, power it off, and it would always come right up and communicate with the Mac software. So what was special about this RS-232 breakout box?

The breakout box connects a set of LEDs from the TX and RX lines to signal ground via pull up resistors. This lets you visually see the signal states change on these and the other lines of the RS-232 specification. The breakout box I was using is a totally passive unit that adds no power or logic to the RS-232 signals it monitors.

So my conclusion is that the signal ground and RX/TX lines on the RZC0P are wired internally in some way that causes the logic circuit not to start RS-232 communications correctly without some electrical connection/kick between the RX/TX lines and the signal ground line.

My solution to the problem was to build a mini 9 pin DB-9 Male to Female adapter that recreated the passive monitoring circuit I found in the RS-232 breakout box.

I am guessing there is a better and simpler solution to this problem, but this seems to be working, and you get some visual feedback of the communications occurring via the two LEDs. Below is a picture of the finished adapter.


Here are the parts and steps:

Male 9 pin DB-9
Female 9 pin DB-9
2 - 560 ohm 1/4 watt resistors
2 - LED
wire to connect pin 2 to pin 2, male to female DB 9
wire to connect pin 3 to pin 3, male to female DB 9
wire to connect pin 5 to pin 5, male to female DB 9

Connect pin 2 to pin 2, male to female DB 9
Connect pin 3 to pin 3, male to female DB 9
Connect pin 5 to pin 5, male to female DB 9

Connect pin 2 on the male DB-9 connector to one lead of a 560 ohm 1/4 watt resistor
Connect the second lead of the 1st 560 ohm resistor to the anode lead of the 1st LED
Connect the cathode lead of the 1st LED to pin 5 on the male DB-9 connector

Connect pin 3 on the female DB-9 connector to one lead of the 2nd 560 ohm 1/4 watt resistor
Connect the second lead of the 2nd 560 ohm resistor to the anode lead of the 2nd LED
Connect the cathode lead of the 2nd LED to pin 5 on the female DB-9 connector