Updates from charliex Toggle Comment Threads | Keyboard Shortcuts

  • charliex 6:51 pm on March 18, 2014 Permalink | Reply
    Tags: irritrol, RD1200, repair, sprinker   

    Irritrol–RD1200 Sprinkler controller repair 

    I always have issues with water, I’ve flooded a couple of houses over the years. So the new house’s sprinkler system is no surprise, we have almost 150PSI of water pressure going into an old metal pipe sprinkler system, and I’ve been slowly replacing the pipe and reducing the pressure under concrete and all that,. This week i noticed a large dome shape on the front lawn and it turned out there was a few hundred gallons of water under the turf, and another broken pipe. Also the new flowers I planted had started to die off while I’d been out of town. the people I’d used to replace some of the bad pipes had missed one sprinkler output which had covered these flowers, so it goes on. I went out to repair these and I noticed the sprinkler solenoid  was chattering. 

    Checking out the rest of them, they were all chattering, so its obviously a problem at the controller and not the solenoids. I checked the output of the transformer, about 26VAC, so that was fine, watching the sprinkler output it was swinging from about 6VAC to 18VAC, when it hit 12VAC or so the solenoids would chatter.

    So I opened up the control box. Remove, power, Remove the ribbon cable, me plastic tabs that just pop out, then two screws hold the PCB down, which keeps the flexible LCD connector in place.  it just lifts out after the screws are removed.

     

    A few minutes inspection revealed the issue.

     

    The electrolytic capacitor is slightly swollen and leaking, its a 220uF 35V axial style, radio shack carries them for about $1.40. Changed it out and  its all working again, but make sure when you reassemble the box that the ABC switch gets on top of the PCB mounted switch, otherwise you’ll be doing what i have to do tonight and take it apart again.

     
  • charliex 11:00 pm on December 29, 2013 Permalink | Reply  

    Making PCB stencils with CadSoft Eagle and MoshiDraw 2013 

    This got me a useable stencil with the K40/ecpur style “40W” lasers

     

    Eagle DRC using ITEADs ( doesn’t really matter which )

     

    First shrink the tCream pads.

    moshi_drc

     

    2 or 3mil worked  in the  min//max cream settings, rectangles that are part of packages aren’t affected by this setting, only auto tCream from pads.

     

    Next switch off all layers except tCream or bCream.

     

    Print the layer as a PDF ( requires adobe’s driver /mill). Use solid, black scale of 1, bottom left

    moshi_print

     

    Save that as a PDF

    Load it into Illustrator, then Save it as an AI format file Version 8

    moshi_ai

     

    Import the AI into MoshiDraw

    moshi

     

    Output to Machine

    moshi_settings

    I use 10 10 speed for engrave and move. Cut just doesn’t work well, 16 speed will work, but I got the best results with a slower speed.

    I did my test cuts between 30 and 45 power, 45 worked fine but 30-35 is probably better, I used dura-lay uncoated mylar sheets 4 mil. I also used air assist from a silentaire supersilent compressor.

     

     

    Another way to do it, which does seem to generate a more accurate mask is to print it directly to the MoshiPrint driver, though it leaves a black bar at the bottom for me, so that has to be edited out, which you can set the page size, it seems to ignore it.

    Select the MoshiPrint, and have MoshiDraw running and it’ll print it directly to the software. You can also get it it to temporarily write to a file but it’ll delete it quickly.

    Printing to a BMP then editing it with a bitmap editor like Cosmigo’s ProMotion lets you go in and touch up pads that you can’t control easily in Eagle. You then import that BMP into MoshiDraw, MoshiDraw doesn’t use the same pixel to mm conversion size on Import that it does for printer driver, so you have to fix it up afterwards, the default conversion is 600 DPI so do (pixels/600) [in->mm] then set that size in MoshiDraw after its imported. Change the Destination X and Y pixel width/height to the MM conversion you do.

    So for a image that’s 2000×1000 width/height at 600 DPI, you’d do

    Destination X = ( (2000/600) * 25.4 ) = 84.66mm
    Destination Y = ( (1000/600) * 25.4 ) = 42.33mm

    The lasers smallest step is 0.025mm but the kerf of the cut is probably  a lot bigger than that.

     

    This image has a different resolution.

    moshi_setsize

     

    I believe the Chinese below “Overlay” is an aspect ratio lock

    You can also just print directly from the image software to MoshiDraw, but watch out for software that halftones or dithers when it prints.

    MoshiDraw does not work well with large images, above 600 DPI it really chokes.

     

    MoshiPrint tabs

    moshi_print3

    moshi_print4

     

     

    What we really need is a smart engrave mode where the laser travels either –X X+ or –Y Y+ direction depending on the length of the engrave, so a [___] shape would cut left to right but a || cut would be up/down. MoshiDraw has an option to change the direction of the cut, but it rotates the image too, what we want is same table orientation and position, but head travels in a different direction

     
  • charliex 7:11 pm on December 21, 2013 Permalink | Reply  

    Chinese 40W eBay engraving laser 

    I ended up trading some LTC/BTC for a 40W laser from china, even though I have a 100W laser at Null Space but I wanted something for making PCB stencils and so on. I fully expected to get back a hodge podge machine that would need work, since it was $599.

     

    They took just over a week from purchase on eBay to shipping via Fedex, it arrived in a few days, going from China, to Japan, to Hawaii, Oakland, to LA. The box just about made it, when I unpacked it, the box was being held together with the cling film outer wrapper.

    My phones SD card was corrupted, but this is the top of the box

     

     

    That blue box notes the first problem I noticed, its 220V/50hz and USA uses 110V/60Hz, the eBay listing wasn’t super clear but there was an image with the 220V shown on the label.

    Quick trip to Frys and I picked up the 2000W step up transformer, this will be plenty. 

    The left side is 110V, that’s plugged into the water pump (see later)

    Inspecting the machine is the first order of the day, and for good reason.

     

    This terminal block sends 220V to the rear panel for the water pump and squirrel fan. The two terminals on the left side in the middle are loose, they’re never been actually connected, so they didn’t come loose in shipping, how do I know? the screws on the terminal are screwed down tight. So first easy fix, but not a great start.

     

    I noticed the Y direction had a small plastic tube and o-ring as the hard stop

     

     

    But its not long enough, so the mirror adjustment screws hit the frame before this stop works, so add a short length of tube til it no longer hits the frame.

    One the back the pump and fan are connected, they won’t sit together, shave off some of the squirrels plastic and it’ll sit better, but they’re the wrong style plugs (also 220V) for a better fir they need to be the round style of metal pin not the flat blade type, they just fall out otherwise.

     

     

    water pump and air assist hookups

     

     

    laser tube, interesting mounts

     

    The water pump I got with the machine, couldn’t pump the water not sure if a problem with the Hz difference, or just a crap pump, luckily as with most hackers I had at least one water pump in the garage, and not only that the plastic fittings were exactly the same so I swapped it out, since it’s a 110V pump I didn’t use the rear panel. this pump is also very quiet and pumps a lot more water. Make sure you get all the air bubbles out of the laser, so as not to make hot spots.

     

    The squirrel fan didn’t boot either so, but it was just stuck so cleaned it out and it was fine, not the most powerful fan but its quiet.

     

    The transformer came with a small blade to pin adapter, it worked really well with the rear panel and fan.

    I have a spare laser tube in the background that I’d picked up a couple of years ago, I believe it should fit.

     

    Interestingly the wires for the LED crosshair runs through the tube, it limits the airflow I found, so I rerouted it to the outside. Also there is a hole,a nd a slice in the tube at the quick connects for the wire to get into, so the air leaks there too.

     

     

     

    runs back here

     

    unwrapped the spiral wrap

     

    mark the wires so you know which polarity is used.

     

    I undid them and unwound the orange pipe, this makes it easier to remove the ribbon cable from inside the tube

     

     

    hole in the tube

     

    I cut the tube to remove both holes and rewound, then reattached it so that it didn’t foul.

     

    the original tie wrap routed the tube so it limited air flow, so I moved it.

     

     

    Lightly tightened to allow it to move a little.

     

    This is how I mounted the cable, til I pick up some new wiring, I’m planning to change out all the wiring since most of it seems to low a gauge for the voltages used.

     

     

    rewrapped and tied back

     

    the air flow is much better now, but the end needs a new nozzle to help jet the air

     

    The mirror adjustment is interesting

     

    jumping around a bit, i ‘d engraved some plastic sheet

     

    interesting clip art that moshidraw is supplied with.

     

    I’ll add more to this as I go along, there are a few blogs already about these styles of laser cutters , most people replace the moshi electronics, as moshidraw is probably some of the worst  software you’ll use. Though I’ve never had software that’s had a specific icon for Mongolian text.

     

    I downloaded and installed MoshiDraw 2012, that works a lot better there are some warnings about MoshiDraw 2013 bricking controllers or USB drivers, my interface board is v4.6 so it seems to be earlier versions that are affected, there’s a debricker for the 2013 version too. I’ll try the 2013 version later today.

     

    http://www.moshisoft.com/soft_200/repairusb.rar

    http://www.krasner.de/RepairUSB.rar

    I haven’t had to use it yet. MoshiDraw 2012 stopped once during an engrave, but only once so far. The software writers though have used the wrong windows message handler for the numerical input boxes though, so every time you type a character into the move control, it sends it to the machine instead of waiting for the input box to be moved away from or enter press, it’s a common windows GUI newbie mistake that affects a lot of software though you may never notice, but its critical for CNC stuff, you can change 80.000 to 80000 by mistake, and the machine will try to move to 80000mm. A side effect is if you type 8 0 , it’ll move to 8, then 80 but since it’s a quick move, the machine wont respond correctly and you get an error. I’m going to see if I can change the message handler code.

    No need to change it, moshidraw 2013 fixes that problem, but it introduces another one, I’ve done two engraves and its only made it through about 20% of the task. I reset the machine on one of the crashes tasks, and the laser immediately came on and cut a diagonal line from home til I turned it off again… One of the reasons I’m going to add a defeat switch on the main panel lid and laser tube access panels. 

    Yep tried a few times, only makes it part way through the job before stopping and homing or just stopping altogether., might be a buffer size issue?

    With MoshiDraw 2012 you can use the machine as laser cutter, and not just a laser engraver though, the MoshiDraw 6/7 that comes with it will really only engrave, if you draw a line, it’ll draw around it, if you draw a circle it rasterises it so you get the draw left, move , draw right, move back, down, draw left, move, draw right.

     

    Air assist as you’d expect, really helps keeps the flames down and improves the cuts no end. I just have to change out from my supersilent aire airbrush compressor which can’t keep up the air demand, to a cheap diaphragm compressor which can, just make the tubes long enough so it acts as a reservoir and stops the putt putt airflow.

     

    I pulled the 8051 and tried to read it back in an eprom programmer. its likely locked or not the atmel/win AT89 but its definitely a variant, schematics match up , it has a serial 4 pin isp port on the board too..

     

    So far it cuts just fine. Engraves nice too.

     

    Primarily I wanted to use this for eagle solder stencils.

     

    I used cream-dxf.ulp which outputs two dxf’s of tcream and bcream. Since its primarily designed for vinyl cutters , I click off the cut two times, and set shrink to 0.1mm ( None of the other DXF outputters I used could import properly)

    cream-cdxf

     

    After that I open it into Illustrator, set the scale to 1:1 millimeters, watch out when you select mm, it’ll change the Units(s) number

    illustrator-open

     

    My board is centered at 0,0, so I move the artwork to the bottom left, which is where AI has its coordinate system.

    Then “Save As”  .AI format, version 8

    ai_out

     

    Then I import it into MoshiDraw 2013, File/Import

     

    moshi

     

    For the 40W I set speed 20-30 and power 25.0 to 20.0 (on the cutters control) 25 I find scorches and melts the plastic sheet, you want the fastest with the least amount of power.

    moshi2

    I’m still fine tuning the power/speed and reduction settings, on the TQFP64 its removing too much I need an inner cut of the pad..  But its real close.

     

    Oh and if you just output HPGL directly from an Eagle CAM job, you’ll get this…

    The HPGL is one contiguous line.So the laser never turns off, Etch-A-Sketch style

     

    mmca suggested not using air assist.

    Straight off the cutter. Like I said needs some tuning. I do these stencils on our bigger GWeike 100W laser no problem.

     
    • James Scott 2:13 pm on December 27, 2013 Permalink | Reply

      Maybe a bottle of some form of shielding gas rather than air will do a better job of eliminating flames and making cleaner cuts/etches? Straight up CO2 would work, Nitrogen is also pretty cheap. Doubt anything extreme like actual full on welding gas ie Argon would be any better. You wouldn’t even need a pump since the gas is regulated out of a compressed container.

      • charliex 12:02 am on December 29, 2013 Permalink | Reply

        yeah we tried o2 assists on our other laser, i think this one is just a crappy nozzle design and not enough air, also the plastic sheets weren’t that great. i just picked up some duralar 4mil uncoated sheets, gonna give that atry

    • John Wasser 2:37 pm on March 17, 2014 Permalink | Reply

      On the side of the internal power supply you should find the 220/110 switch.

  • charliex 12:15 am on December 3, 2013 Permalink | Reply
    Tags: error 1747, windows 7   

    Error 1747 : The Authentication Service is Unknown 

    I had a Windows 7 machine in one of the racks with a bunch of services not starting, no networking so not much of anything since its headless and graphics are network remote, so I pulled it out and switched its graphics cards to see what was going on.

    Really slow to boot windows, after login black screen with mouse, sluggish response.
    dhcp, lass, service showing ‘starting’ and can’t be stopped or restarted
    ping etc gives no network, or various network errors
    Event logs stop working with “Error 1747 : The Authentication Service is Unknown”
    Even a BSOD on a reboot

    sfc /scannow  no issues, fsck, no issues. hardware all looked ok.

    As usual MVP advice is reformat and re-install, so sad.  So i did this instead

    From admin shell, cmd

    netsh winsock reset

    and rebooted, totally fine after that. sigh…

     
  • charliex 11:54 pm on November 23, 2013 Permalink | Reply  

    Power Toy Calculator in windows 7 x64 

    .text:01001FD3
    .text:01001FD3 55                                      push    ebp
    .text:01001FD4 8B EC                                   mov     ebp, esp
    .text:01001FD6 83 EC 24                                sub     esp, 24h
    .text:01001FD9 56                                      push    esi
    .text:01001FDA E8 81 FF FF FF                          call    sub_1001F60
    .text:01001FDF 85 C0                                   test    eax, eax

    .text:01001FE1 0F 84 B9 00 00 00                       jz      loc_10020A0

    .text:01001FE7 83 65 DC 00                             and     [ebp+Msg.hwnd], 0
    .text:01001FEB 8B 75 08                                mov     esi, [ebp+hInstance]
    .text:01001FEE 57                                      push    edi

     

    nop out the bolded instruction.

    was

    0x13e1 9F 84 B9 00 00 00

    change to

    0x13e1 90 90 90 90 90 90

     

    that’s it.

     

    All it does is ignore the results of sub_1001f60 which is a windows version check.

    You can install the msi using XP sp3 compatibility mode.

     
  • charliex 7:41 pm on November 23, 2013 Permalink | Reply  

    USB Hub vid 0409 pid 005a windows, not showing up/ multiple Kinects 

     

    Since kinects need all the things, I had to separate them to different USB ports , somehow my device manager showed an unknown device, which was 0409 005a USB NEC, I kept finding renesas usb 3.0 drivers on Google but that’s a red herring. Anyway after realising it was a hub and not a controller, I figured out the deal

    go here and find the USB stock drivers

    %SystemRoot%\system32\DriverStore\FileRepository\usb.inf_your_machine_Type_id

    mine were

    C:\Windows\System32\DriverStore\FileRepository\usb.inf_amd64_neutral_153b489118ee37b8

     

    copy the contents of that folder to

    %SystemRoot%\inf\

    C:\windows\inf\

     

    now rescan in device manager and it the driver should appear.

     

    So almost have two kinects connected now, one shows the camera isn’t working, this might be because its still on the same root usb, which the kinect needs all the usage of, or there’s another usb camera/streaming device installed.

     

    Which it was, moved it to another USB Root Hub, not just a different HUB,

    multik

     

    Ok so two kinects, connected, now for the third….

     

    I couldn’t start the second kinect, running the kineck SDK and then opening the kinect info panel tells you that its not powered, though usb will show ok, I swapped the kinect with my third and it worked, so seems like one of my kinects might be bad.

     
  • charliex 9:33 pm on November 14, 2013 Permalink | Reply
    Tags: hayward pool heater h250 ed1   

    Hayward H250 ED1 Pool Heater Electronic Ignition 

    When we bought out house, I wanted a pool, even though I can’t swim. It came with a pool heater, so I was happy about that.. But as fate would have it the only thing that didn’t work, was the pool heater (and the fire pit ) . Before we bought the house, I turned it on and it turned off immediately.

     

    The gas line was disconnected at the main with a big warning sign.  After we bought the house, I laid new pipe from the pool heater to the fire pit , cleaned and pressure tested the 1 1/2” line that wasn’t damaged by the trees, the trees paid the price since the leaking gas had killed three of them, which we replaced, the story all came together as we tracked the history, the owners at the time had massive gas bills which is when the leak was discovered., but they just opted to disconnect it. Took me a couple of days to lay the 1/2” pipe for the fire pit.

    So once the line was all replaced, time to test the heater again. fire it up, hope shuts off again. The burners weren’t firing up, a few years of disuse and it was filthy..  The nozzles that fire the gas into the heater were blocked, so I got some wire, and cleaned out the nozzles, and cleaned up the dirt elsewhere, still didn’t start, probably air in the gas lines, so a few dozen tries and it started up fine.

    It seems unlikely its gas flow, the main pipe is 1 1/2” and gas is only about 6 pressure, so should be plenty and gas pressure is harder to measure, the bigger heaters need at least 1 1/2” all the way to the heater.

    When the gas igniter fails a few times, it’ll lock you out for a while.

    This is the gas valve and sensor , you could bypass this if you think there is a gas flow issue but only for testing.  TH is marked on the top left, the manual says jump TH –TH , I believe its saying jumper TH on the left, to the bottom left orange. But I am not sure, so I haven’t done this test ( which as it turns out, I now need to do.. )

    I’m not sure if my Gas valve is aftermarket or not, I don’t see a similar one anywhere on the Hayward’s parts lists. its marked like a robertshaw.. Aha, I’m pretty sure it’s a White-Rodgers, they use  TH  TH-TR   TR markings.

    Yep verified it as being very similar to the  “White Rodgers 36D27 Gas Valve, Type 201” the trim screw is different

     

    http://www.emersonclimate.com/Documents/White-Rodgers/sell_sheets/R-3769C_36C_Gas_Brochure.pdf

     

     

     

    Here is a useful PDF on how the detection works on the pilot.

    http://www.invensyscontrols.com/spaw2/SiteContent/Training%20HEATING%20GAS%20VALVE%20ACTUATORS%20FINAL.pdf

     

     

    One of the gas nozzles, you can remove this to clean it, if its really dirty you should but it’s a hassle Spiders love this thing, they get in everywhere and our trees shed like crazy so its always dirty..

     

    its easy to remove the whole heater setup

     

    The individual nozzles are removable too, for easier cleaning

    Retested then it shut down again… .. What next, bypass the flow meter, and it works fine, you can tell if it’s the flow meter usually coz it the system light flickers on and off rapidly.. Turn to the pool filtering system, yep hasn’t been cleaned out in ages, did that waters flowing and the flow meter works again. It’s a really really bad idea to bypass any of these sensors for anything more than troubleshooting.

    This is the water flow meter, disconnect the two wires and join them together to bypass it for testing (turn off the system first)

     

    This just keeps the microswitch depressed when there is enough flow, you should hear it audibly click at system startup, might take a few seconds to get flow. this can also be adjusted for different flow rates.

    So great a few months of the wife enjoying 90o degree pool, then the gas bill came, so it got turned off cept for weekends, a few weeks later. It’d start for 10 minutes, shut off, , turning it off it, shut off immediately, . To me that strikes of a heat issue, this time I called out a pool heater guy recommended by hayward, since I figured maybe it just needs a service.

    He comes out , cleans it, tests it, same issue, says its likely the control panel.. My thought is that if it’s a control panel its really repeatable problem, and its part of how the system should work, if not enough heat gets exchanged the  thermistor high/low heat sensors will kick and shut it down, let it cool and it’ll work again, but we’ll see.

    Though now after he visited, its no longer booting up for 10 minutes before, its only doing a few seconds again… sigh…

    Disconnect the control panel via this connector, the other two wires are the remote thermostats. don’t disconnect them, and don’t fold or bend them too much, they’ll snap

    amazon

     this says its the ED1

     

    You can bypass all the tests here, jumper the bottom and top connector and it’ll bypass all the sensors, this is just a rough test since it wont tell you which one isn’t working, but it will tell you if the heater is working, but be careful

     

    Igniter The rusty screw there holds the ignite mechanism inside. Remove that screw and the wingnut above it ( obscured by the black tube )

    I haven’t pulled this part yet, the flame is a bit yellow so maybe a dirty pilot. I did just find another persons (frank lopez/doityouself.com forums) image of it. You can remove it with the one screw at the front, then there is an alignment wingnut on the top side.

     

     

    This image is of a millivolt pilot setup, I have the electronic ignition version.

     

    The electronic igniter, is much simpler.

    the spark gap is meant to be about 3.5mm or 9/64” in ye olde measurements

     

    The insulation on this has worn away, and when I removed it to check the gap the wire fell out, so I’ll replace it too, but If the spark is failing to ignite, you’ll hear it constantly firing for a few seconds, (or not at all if the wire isn’t making good contact) the wire was pretty corroded internally so worth changing. I’ve read that when it fails, the heater will try to ignite three times then shut down.

    Update: Replacing the ignitor fixed it, the bad wire was making the flame detector think the flame was off.

    HAXIGN1931 is the part number for my heater

    Clean out the burners with a wire brush too.

     

    Correct Flame  ==== Tip of thermocouple or thermopile is 3/8” to 1/2” into pilot flame
    Noisy, Lifting, Blowing Flame === High gas pressure or Wrong Pilot Orifice
    Lazy Yellow Flame == Clogged primary air opening
    Low gas pressure   === Clogged pilot orifice
    Wavy Blue Flame ===Draft condition as pilot
    Hard Sharp Flame === High gas pressure or Pilot orifice too small
    Small Blue Flame == Wrong pilot orifice size or Low gas pressure or Clogged pilot tube

     

     

    Remote control instructions

     

    This is the United Technologies electronic Controls control panel, its about $125-$180 ish, I’ve seen it on amazon and ebay., the direct spark is the big insulated wire. It’s a 1016-405 Series Direct Spark Igniter, but you need to pay attention to the part number on the white paper sticker, it is a 1016-458 variant. They have different connections for the igniter wire, some are spades, and the terminals are different sizes, also the chip inside is different, The PCB’s are mostly the same , just a few resistors and such inside.

    There isn’t a whole lot to go wrong inside, a  couple of high wattage resistors could potentially get bad solder joints,  a relay, but they’re made pretty well. the box just unclips apart.

     

     

    Supposedly the LED (left of the orange wire) is , I’ve only seen it RED since it seems if anything trips the whole system shuts down.

    • On – Steady Control operation normal
    • 1 Flash Open Pressure switch, limit switch or flame rollout switch
    • 2 Flashes Pressure switch stuck closed
    • 3 Flashes Ignition / flame sense failure
    • 4 Flashes Repeated flame losses
    • 5 Flashes Internal control fault

    Transformer notes for 240V vs 110V systems

     

     

    temperature limiter switch, automatic reset

     

    Temperature limiter switch, requires a manual reset, part of the kit HAXTLK1930, the replacements seem to be 36TX16s , the L is the temperature  in Fahrenheit

     

    high limit thermostat safety, if this trips then filter is clogged, or not enough water flow. rear header, part number HMXHLI2932, its under the rubber boot, there is a drain plug underneath the header. this is the 160F degree limiter. If you mix the rear and front sensors up since they look the same, they’re stamped around the edge, L160F and L135F respectively.

     

    The front header hi limit, that ones a 135F trip, HAXHLI1930 its behind the left side access panel.

     

    The flow meter tube is on the right side of the front header, this goes to the flow sensor/microswitch sensor

     

    Cleaned out underneath the heaters too, a lot of rust and stuff gets down here. I used a shop vacuum, alternating between blow and vacuum.

     

     

    The top gets messy too, these metal bits are loose on this heater.

     

    Back panel instructions.

     

     

     

    Wiring diagram.

     

    you can see the in-series fault sensors at the top, limit/, imit. pressure and two temperatures sensors.

     

     
  • charliex 12:46 am on October 27, 2013 Permalink | Reply  

    Windows installer cannot be found 

    The Windows Installer service could not be accessed

    I’ve had this on and off windows service installer message from time to time, and mostly gotten around it.

     

    If you’re tried the usual MVP advice of “sfc ‘/scannow” , the unreg/regserver stuff as well with msiexe.exe, no difference. and so on, read on for MFP advice..

    First (or last) check in the registry

     

    SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Installer\\MsiExecCA32

    on my machine points to, ok so first issue…

    C:\Windows\syswow64\msiexec.exe

    Mine was pointing to an msiexec in the download folder, I believe that’s how I got past it once before.. Anyway that reset and still same error.

     

     

    So I did what any normal person would do.. Since I  wanted to try CNC’ing a stencil on my modified CNC that I’d been working on this morning, for a mylar stencil for the layerone badge 2014 prototype and none of the eagle DXF’s would import into the GCODE generator software I was testing, I installed Adobe Illustrator from creative cloud ( since I killed my mac version last night by stupidly installing Mavericks, hint if it gets stuck at A minute remaining, go to the title bar and look at the logging, you’ll see a message repeated ( I left mine for 12 hours showing “less than a minute remaining ) , I forced a reboot and it started doing a fresh setup, put in my normal account, went through all that OSX baloney and it shut off, reboot, made a second account, logged out, logged in, then deleted the second account ( and my normal second account form 10.8 had also disappeared) then it deleted all the registry keys and apps for creative cloud and parallels, so I had to reinstall both those, after making sure I found my original parallels 7 key to use my parallels 8 key that I’d just bought,  then parallels “lost” all my existing VM setups, so I had to reimport all of those and reinstall all my adobe apps and re-regged them. SO ANYWAY

    Ahh yes, windows installer.

    Illustrator was failing with usual check the logs, and sure enough back to the msi installer logs missing.

    I loaded vc_redistx86.exe and traced it, it writes out an installer to a temp path

    c:\356d6a546677486af533fa9c7a0e\.\install.exe

    That’s the one that actually has the error message generated.

    So loaded that into IDA32 via windbg, and it fails here.

    cmp     [ebp+VersionInformation.dwMajorVersion], 5
    jnz     short loc_CB2675

    text:00CB2675 loc_CB2675:                             ; CODE XREF: CMsiWrapper::CheckDarwin(ulong,ulong,ulong)+64j

    jbe     short check_darwin

    .text:00CB267E call    ?LoadDarwinLibrary@C

    check_darwin:

    MsiWrapper@@CGPAUHINSTANCE__@@XZ ; CMsiWrapper::LoadDarwinLibrary(void)
    .text:00CB2683 mov     ecx, ?g_Logger@@3AAVCLogging@@A ; CLogging & g_Logger
    .text:00CB2689 mov     [ebp+hLibModule], eax
    .text:00CB268F test    eax, eax
    .text:00CB2691 jz      cannot_find_windows_installer

    text:00CB279C cannot_find_windows_installer:          ; CODE XREF: CMsiWrapper::CheckDarwin(ulong,ulong,ulong)+92j
    .text:00CB279C push    offset aCannotFindWind          ; "Cannot find Windows Installer."
    .text:00CB27A1 call    ?LogEvent@CLogging@@QAEXPBG@Z   ; CLogging::LogEvent(ushort const *)

    Ok so what does that do ? Ok down the rabbit hole…..

     

    HMODULE __cdecl CMsiWrapper::LoadDarwinLibrary()
    {

      DWORD cbData; // [sp+4h] [bp-214h]@1
      HKEY hKey; // [sp+8h] [bp-210h]@1
      BYTE Dst[2]; // [sp+Ch] [bp-20Ch]@1
      char v6; // [sp+Eh] [bp-20Ah]@1
      unsigned int v7; // [sp+214h] [bp-4h]@1
      int v8; // [sp+218h] [bp+0h]@1

    v7 = (unsigned int)&v8 ^ __security_cookie;
      *(_WORD *)Dst = 0;
      hKey = 0;
      memset(&v6, 0, 0x206u);
      cbData = 520;
      if ( RegOpenKeyExW(HKEY_LOCAL_MACHINE, L"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Installer", 0, 0x20019u, &hKey) )
      {
        v1 = Dst;
        goto LABEL_5;
      }
      v0 = RegQueryValueExW(hKey, L"InstallerLocation", 0, 0, Dst, &cbData);
      RegCloseKey(hKey);
      v1 = Dst;
      if ( v0 )
      {
    LABEL_5:
        wcscpy<260>((wchar_t *)v1);
        return LoadLibraryW((LPCWSTR)Dst);
      }
      wcscat_s((wchar_t *)Dst, 0x104u, L"\\msi.dll");
      return LoadLibraryW((LPCWSTR)Dst);
    }

    }

     

    Tracing this it gets into LoadLibrary, but already I see the issue  (well at least the next one)

     

    C.:.\.U.s.e.r.s.
    \.c.h.a.r.l.i.e.
    \.D.o.w.n.l.o.a.
    d.s.\.m.s.i…d.
    l.l………….

    Sigh… (I’d run SysSoop on this first, but a simple FileMon would have likely done it )

    So lets check

    SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Installer

    Hmm  (I’m actually writing this blog as I do these steps and make the discovery’s.

    C:\Windows\system32\ 

    That’s odd, HKEY_LOCAL_MACHINE and that path show a different path…

    trace into kernel..

    kernel32.dll:75741EEE kernel32_RegQueryValueExW:              ; DATA XREF: advapi32.dll:off_75041484o
    kernel32.dll:75741EEE push    2Ch
    kernel32.dll:75741EF0 push    offset unk_75742000
    kernel32.dll:75741EF5 call    sub_757415C0
    kernel32.dll:75741EFA xor     esi, esi
    kernel32.dll:75741EFC mov     [ebp-24h], esi
    kernel32.dll:75741EFF mov     [ebp-30h], esi
    kernel32.dll:75741F02 mov     [ebp-2Ch], esi
    kernel32.dll:75741F05 call    kernel32_RegKrnGetGlobalState

     

    ahh yeah,so WOW64

    back to regedit

    HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Installer

    And there we have it….

    InstallerLocation = C:\Users\charlie\Downloads

    which on my system should be

    C:\Windows\SysWOW64\

    ok changing that lets retry….. and yep that worked..

    So simple thing would have been to run procmon and see it looking for the wrong string in the registry key for the msi.dll

     

    Ok back to installing Illustrator….

     

    Hopefully it helps someone to just check these settings

    SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Installer\
    HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Installer
    SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Installer\\MsiExecCA32
    SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Installer\\MsiExecCA64

     

     

    sigh ERROR: DF024: Unable to restore file at "C:\Windows\Fonts\ChaparralPro-Bold.otf" from backup at "C:\adobeTemp\backup\adobetmp081529265" Error 5 Access is denied.. Try setting correct permissions etc etc

     

    quick flip to

    C:\Users\charlie\AppData\Local\Temp\{91CAA566-6E85-4661-887A-89AA3E7AC1F9}

     

    run setup-up.exe from illustrator folder instead.. complains about a pending restart. ignoring that…oh you… installs, but does it run under adobe cloud mgmt?

     

    quit cloud, reload and yep it works (and my blog writer froze up as I hit this point, but it came back phew..)

    now can I export a DXF from eagle without polylines and shapes instead… hmmm , nsl halloween party tonight, or actual hacking…..

     

    charliex

     
  • charliex 4:45 pm on October 24, 2013 Permalink | Reply
    Tags: #hacklu   

    hack.lu CTF 

    jking http://www.theamazingking.com/ and I worked on ELF

     

    first disassembled it with IDA, pulled out C code and attacked it from there, working backwards with what the key ought to be, one value at first just seemed to be anti debug , which was just the ptrace test, which would increment it.

    Also as eventually noted by fluxfingers team, if you happened to be running non root on ubuntu ( I was ) you’d get the wrong results because ubuntu doesn’t let child procs ptrace as a non root user…which would have been a big clue.

     

    unsigned char some_counter = 0xA ;

    unsigned char fluxFluxFLUX[] = "fluxFluxfLuxFLuxflUxFlUxfLUxFLUxfluXFluXfLuXFLuXflUXFlUXfLUXFLUX";

    int __cdecl ld_preload_ptrace()
    {
        int result; // eax@4
        int stat_loc; // [sp+14h] [bp-14h]@4
        int v2; // [sp+18h] [bp-10h]@6
        int v3; // [sp+1Ch] [bp-Ch]@3

        if ( getenv ( "LD_PRELOAD" ) )
        { ++counter; }

        v3 = fork();

        if ( !v3 ) {
            v2 = getppid();

            if ( ptrace ( PTRACE_ATTACH, v2, 0, 0 ) < 0 )
            { exit ( 1 ); }

            sleep ( 1u );
            ptrace ( PTRACE_DETACH, v2, 0, 0 );
            exit ( 0 );
        }

        wait ( &stat_loc );
        result = stat_loc;

        if ( stat_loc ) {
            sleep ( 1u );
            result = counter++ + 1;
        }

        return result;
    }

    int __cdecl main ( int argc, char *argv[] )
    {
        size_t password_length; // eax@4
        char v9[300]; // [sp+28h] [bp-374h]@8
        unsigned char *v10; // [sp+368h] [bp-34h]@13
        unsigned char *v11; // [sp+36Ch] [bp-30h]@10
        unsigned char *phase1_buffer; // [sp+370h] [bp-2Ch]@4
        const char *ptr_to_password; // [sp+374h] [bp-28h]@4

        unsigned int flag4; // [sp+378h] [bp-24h]@40
        unsigned int flag3; // [sp+37Ch] [bp-20h]@40
        unsigned int flag2; // [sp+380h] [bp-1Ch]@40
        unsigned int flag1; // [sp+384h] [bp-18h]@40

        size_t j; // [sp+388h] [bp-14h]@23
        size_t i; // [sp+38Ch] [bp-10h]@4

        if ( argc != 2 ) {
            printf ( "Usage: %s <flag>\n",  argv[0] );
            exit ( 0 );
        }

        puts ( "Calculating phase 1 …" );

        ptr_to_password =  argv[1];

        password_length = strlen ( argv[1] );
        phase1_buffer = ( unsigned char * ) malloc ( password_length + 1 );

        memset ( phase1_buffer, 0, password_length + 1 );

        for ( i = 0;  password_length > i; ++i ) {
            int i2;
            i2 = ( i – some_counter );

            phase1_buffer[ i ]  = ptr_to_password[ ( i - some_counter ) % password_length ];
        }

        sleep ( 1u );
        puts ( "done\n" );

        ++some_counter;

        for ( i = 0; i <= 207; ++i ) {
            v9[i] =  65;
        }

        v11 = ( unsigned char * ) malloc ( password_length + 1 );
        memset ( v11, 0, password_length + 1 );

        puts ( "Calculating phase 2 …" );

        for ( i = 0; ; ++i ) {

            if ( password_length <= i ) {
                break;
            }

            v11[i]  = some_counter ^ fluxFluxFLUX[i] ^  phase1_buffer[ i ];
        }

        sleep ( 1u );
        puts ( "done\n" );

        some_counter += 3;

    // I added the +1 for for dbg

        v10 = ( unsigned char* ) malloc ( password_length + 1 );

        memset ( v10, 0, password_length + 1 );

        for ( i = 0; ; ++i ) {

            if ( password_length <= i ) {
                break;
            }

            v10[i] = some_counter;
        }

        for ( i = 0; i <= 207; ++i ) {
            v9[i] =  66;
        }

        for ( i = 0; i <= 0xCF; ++i ) {
            v9[i] = 70;
        }

        // 3 on

        unsigned char index = 0;

        //memset ( v11, 0, password_length );

        some_counter  = 4;

    loop:

        for ( i = 0; i <= 2; ++i ) {

            printf ( "Calculating phase  %u …\n", i + 3 );

            for ( j = 0; ; ++j ) {

                if ( password_length <= j ) {
                    break;
                }

                v10[j]  ^= v11[ j ] ^ fluxFluxFLUX[ ( i + j + some_counter ) % password_length];
            }
        }

     

        for ( i = 0; i <= 0xCF; ++i ) {

            v9[i] =  69;
            v9[i] =  67;

            if ( v9 [ ( i + 3 ) % 0xD0] ==  65 ) {
                v9 [ ( i + 4 ) % 0xD0] =  83;
            }
        }

        for ( i = 0; i <= 0xCF; ++i ) {

            v9[i] = 67;

            if ( v9[ ( i + 3 ) % 0xD0] ==  65 ) {
                v9[ ( i + 4 ) % 0xD0] = 83;
            }

            if ( ( v9 ) [ ( i + 3 ) % 0xD0] ==  66 ) {
                v9[ ( i + 4 ) % 0xD0] = 83;
            }
        }

     

        flag1 = 0;
        flag2 = 0;
        flag3 = 0;
        flag4 = 0;

     

    // working backwards from below we get

    v10[0] = 17;
    v10[1] = 96;
    v10[2] = 50;
    v10[3] = 88;
    v10[4] = 97;
    v10[5] = 101;
            v10[6] = 81;
            v10[7] = 34;
            v10[8] = 102;
            v10[9] = 98;
            v10[10] = 107;
            v10[11] = 94;
            v10[12] = 75;
            v10[13] = 69;
            v10[14] = 110;
            v10[15] = 85;
     

     

    for ( i = 0; i <= 3; ++i ) {
        flag1 |= ( unsigned char ) v10[i] << 8 * i;
    }

    for ( i = 0; i <= 3; ++i ) {
        flag2 |= ( unsigned char ) v10[i + 4] << 8 * i;
    }

    for ( i = 0; i <= 3; ++i ) {
        flag3 |= ( unsigned char ) v10[i + 8] << 8 * i;
    }

    for ( i = 0; i <= 3; ++i ) {
        flag4 |= ( unsigned char ) v10[i + 12] << 8 * i;

    }

    //printf ( "%x %x %x %x %x\n", some_counter, flag1, flag2, flag3, flag4 );

    if ( flag1 != 0×58326011 || flag2 != 0×22516561 || flag3 != 0x5E6B6266 || flag4 != 0x556E454B ) {
        puts ( "Flag wrong!" );

    }

    else {
        puts ( "Flag correct!" );
    }

    return 0;

     

    }

     

    the thing that bothered me about my C version vs the elf binary was the speed difference, mine ran much faster for no apparent reason, so I looked harder at the initial ptrace test but even though it was forking I saw no way that it could be hooking and repeating itself, noping out the sleep code didn’t alter the speed.

     

    stracing showed that it was forking and sleeping again. so single stepping I saw that some of the libc’s were indeed going to different places. looking at the plt

     

    — SIGCHLD (Child exited) @ 0 (0) —
    rt_sigprocmask(SIG_BLOCK, [CHLD], [], 8) = 0
    rt_sigaction(SIGCHLD, NULL, {SIG_DFL, [], 0}, 8) = 0
    rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0
    nanosleep({1, 0}, 0xffeca9f8)           = 0
    clone(child_stack=0, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0) = 18192
    wait4(-1, [{WIFEXITED(s) && WEXITSTATUS(s) == 1}], 0, NULL) = 18192
    — SIGCHLD (Child exited) @ 0 (0) —
    rt_sigprocmask(SIG_BLOCK, [CHLD], [], 8) = 0
    rt_sigaction(SIGCHLD, NULL, {SIG_DFL, [], 0}, 8) = 0
    rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0
    nanosleep({1, 0}, 0xffeca9f8)           = 0
    fstat64(1, {st_mode=S_IFCHR|0620, st_rdev=makedev(136, 0), …}) = 0
    mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xfffffffff7792000
    write(1, "Calculating phase 1 …\n", 24Calculating phase 1 …
    ) = 24
    clone(child_stack=0, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0) = 18193
    wait4(-1, [{WIFEXITED(s) && WEXITSTATUS(s) == 1}], 0, NULL) = 18193
    — SIGCHLD (Child exited) @ 0 (0) —
    rt_sigprocmask(SIG_BLOCK, [CHLD], [], 8) = 0
    rt_sigaction(SIGCHLD, NULL, {SIG_DFL, [], 0}, 8) = 0
    rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0
    nanosleep({1, 0}, ^C <unfinished …>

     

     

    .got.plt:0804A150 18 89 7B F7                   off_804A150 dd offset dword_F77B8918    ; DATA XREF: .got.plt:0804A154                               ; int (*off_804A154)(void)
    .got.plt:0804A154 A0 B6 7A F7                   off_804A154 dd offset unk_F77AB6A0      ; DATA XREF: .got.plt:0804A158 AF 91 04 08                   ptr_to_printf dd offset another_ptrace_counter_increment_0
    .got.plt:0804A15C 76 84 04 08                   ptr_sleep dd offset loc_8048476         ; DATA XREF: _sleepr
    .got.plt:0804A160 86 84 04 08                   ptr_wait dd offset word_8048486         ; DATA XREF: _waitr
    .got.plt:0804A164 96 84 04 08                   ptr_getenv dd offset word_8048496       ; DATA XREF: _getenvr
    .got.plt:0804A168 D1 92 04 08                   ptr_malloc dd offset another_ptrace_counter_increment_1
    .got.plt:0804A168                                                                       ; DATA XREF: _mallocr
    .got.plt:0804A168                                                                       ; setup_hooks+1Aw
    .got.plt:0804A16C 60 90 04 08                   p_io_puts dd offset another_ptrace_counter_increment
    .got.plt:0804A16C                                                                       ; DATA XREF: _putsr
    .got.plt:0804A16C                                                                       ; setup_hooks+6w
    .got.plt:0804A170                               ; int (*off_804A170)(void)
    .got.plt:0804A170 C6 84 04 08                   off_804A170 dd offset word_80484C6      ; DATA XREF: ___gmon_start__r
    .got.plt:0804A174 D6 84 04 08                   off_804A174 dd offset word_80484D6      ; DATA XREF: _exitr
    .got.plt:0804A178 5F 94 04 08                   check_cc_buffer dd offset another_ptrace_counter_increment_2
    .got.plt:0804A178                                                                       ; DATA XREF: _strlenr
    .got.plt:0804A178                                                                       ; setup_hooks+24w
    .got.plt:0804A17C E0 53 5F F7                   ptr_libc_main dd offset __libc_start_main
    .got.plt:0804A17C                                                                       ; DATA XREF: ___libc_start_mainr
    .got.plt:0804A180 06 85 04 08                   ptr_libc_fork dd offset word_8048506    ; DATA XREF: _forkr
    .got.plt:0804A184 16 85 04 08                   off_804A184 dd offset word_8048516      ; DATA XREF: _getppidr
    .got.plt:0804A188                               ; int (*ptr_ptrace)(void)
    .got.plt:0804A188 26 85 04 08                   ptr_ptrace dd offset word_8048526       ; DATA XREF: _ptracer

     

    reverse_me:080491AF                               ; —————————————————————————
    reverse_me:080491AF
    reverse_me:080491AF                               loc_80491AF:
    reverse_me:080491AF 50                            push    eax
    reverse_me:080491B0 51                            push    ecx
    reverse_me:080491B1 E8 55 02 00 00                call    near ptr unk_804940B
    reverse_me:080491B6 B8 F4 00 00 00                mov     eax, 0F4h
    reverse_me:080491BB
    reverse_me:080491BB                               loc_80491BB:                            ; CODE XREF: reverse_me:080491DBj
    reverse_me:080491BB 8A 88 60 90 04 08             mov     cl, byte ptr loc_8049060[eax]
    reverse_me:080491C1 80 F9 CC                      cmp     cl, 0CCh
    reverse_me:080491C4 75 0F                         jnz     short loc_80491D5
    reverse_me:080491C6 50                            push    eax
    reverse_me:080491C7 A1 94 A1 04 08                mov     eax, ds:just0x //the increment of the counter
    reverse_me:080491CC 83 C0 01                      add     eax, 1
    reverse_me:080491CF A3 94 A1 04 08                mov     ds:just0x, eax
    reverse_me:080491D4 58                            pop     eax
    reverse_me:080491D5
    reverse_me:080491D5                               loc_80491D5:                            ; CODE XREF: reverse_me:080491C4j
    reverse_me:080491D5 83 F8 00                      cmp     eax, 0
    reverse_me:080491D8 74 03                         jz      short loc_80491DD
    reverse_me:080491DA 48                            dec     eax
    reverse_me:080491DB EB DE                         jmp     short loc_80491BB
    reverse_me:080491DD                               ; —————————————————————————
    reverse_me:080491DD
    reverse_me:080491DD                               loc_80491DD:                            ; CODE XREF: reverse_me:080491D8j
    reverse_me:080491DD B8 F0 00 00 00                mov     eax, 0F0h
    reverse_me:080491E2
    reverse_me:080491E2                               loc_80491E2:                            ; CODE XREF: reverse_me:08049202j
    reverse_me:080491E2 8A 88 5F 94 04 08             mov     cl, byte_804945F[eax]
    reverse_me:080491E8 80 F9 CC                      cmp     cl, 0CCh
    reverse_me:080491EB 75 0F                         jnz     short loc_80491FC
    reverse_me:080491ED 50                            push    eax
    reverse_me:080491EE A1 94 A1 04 08                mov     eax, ds:just0x // the increment again
    reverse_me:080491F3 83 C0 01                      add     eax, 1
    reverse_me:080491F6 A3 94 A1 04 08                mov     ds:just0x, eax
    reverse_me:080491FB 58                            pop     eax
    reverse_me:080491FC
    reverse_me:080491FC                               loc_80491FC:                            ; CODE XREF: reverse_me:080491EBj
    reverse_me:080491FC 83 F8 00                      cmp     eax, 0
    reverse_me:080491FF 74 03                         jz      short loc_8049204
    reverse_me:08049201 48                            dec     eax
    reverse_me:08049202 EB DE                         jmp     short loc_80491E2
    reverse_me:08049204                               ; —————————————————————————
    reverse_me:08049204
    reverse_me:08049204                               loc_8049204:                            ; CODE XREF: reverse_me:080491FFj
    reverse_me:08049204 59                            pop     ecx
    reverse_me:08049205 58                            pop     eax
    reverse_me:08049206 E9 5B F2 FF FF                jmp     near ptr word_8048466

     

    similar code again, and there were a couple of others.

     

    so from here we knew that it was incrementing the value during the run.

    jk wrote a python bruter based on the c code and we had been trying different values with the counter.

    He got “4v0iDsS3CtIOnSLd” the password was “Ld4v0iDsS3CtIOnS” I’d even rotated it since phase one did that, but the change of case on the Ld threw a spanner in that. unfortunately for us that was about 1400 seconds before the end of the CTF when we really started focusing on the change of value.

    http://charliex.pastebay.com/1332967

     

    Ahh well..

     
  • charliex 9:14 pm on May 20, 2013 Permalink | Reply
    Tags:   

    layerOne 2013 badge 

     

    Update, PCB’s arrive

    Well at the least we’ve got PCBs to hand out Smile though why do you think i choose a coffee mug sized board, worst case is always coasters.

    Arrived at 10AM, after MY to TW to JP to USA, at 6AM it was noted as being in Japan..

    20130522_100116[2]

    20130522_100156[1]

    Funny that I made the tracks stylistic, but we can’t see them. Which is also awesome for debugging.

    20130522_100233[1]

    Now to find out if they actually work! If they don’t well there’s always this option

    20130522_100937[1]

    ————————————————————–

    We’re at layerOne again, http://www.layerone.org  and it always seems to creep up on me. Even though I tried to follow Dark Tangent’s lead for Joe Grand and ‘Badges by Christmas’,  if Christmas is two days before layerOne then I’ve succeeded. I’m starting the 2014 badge after I finish this blog entry, well probably.

    We definitely had a tough year for free time this year, got married, bought a house, fixed it up and launched a bunch of stuff at work.  I was having a creative block on what to do, we first though lets do a mash up of  the TV-B-Gone(null) and then the Dangerous Prototypes IR toy,they’re both neat things but I just felt we needed a bit more so about a week and a half ago I scrapped everything and started over, which when you have no time left, busy at work and funds are looking low is a really good idea.

    I’ve thought about crowdsourcing the idea, but that doesn’t always work, in fact it rarely does. The ideas are either too crazy, impossible, cost about as much as yahoo overpaid for tumblr or only interesting to one or two people. Maybe 2014 we’ll try again.

    So little time in fact, the PCB’s don’t arrive til Wednesday, our supplier had a snafu or something and they were delayed a tad. So here is a quick render with eagle3d. If you’ve bumped into me recently, you’ll notice I’ve been pre-occupied, this is definitely the closest we’ve cut it in time.

    badge_2013-1838

    The USB is a mini not the giant one hanging off there, and the OLED is missing.

    The LED drivers are the super nice TLC5947DAP and I’m not using charlieplexing this time, so they’ll look great ( I hope !), we used this chip on the blinky ball and the Tron disc the CPU is an ATXMEGA32A4U-AU 

    Some of the challenges for electronics badges is making something everyone can build, have interest in and be interesting and be hack-able.,. Preferably  that they can also use past conference. we do tend to rework or use other proven designs because then we can see what the interest level is, last year we did the RC cars and people liked it but it wasn’t really well taken in and that was lot of work to get it right and find the right parts.

    I started off with a chip and wanted to try the ATXMega it was the one i was going to use for the IR toy since it has USB. I came across the xprotolab http://www.gabotronics.com/development-boards/xmega-xprotolab.htm and though that’d be a great badge since it has so much stuff on it and people can use it as a tool as well.  For the people that wanted one of the usual blinky LED toys, I slapped on a smaller version of the ‘Tron’ disc we made. This way we’ve go ta badge that is simple to build and looks purty, then a second circuit that is more complex to build , has an OLED and lots of features.  I pinged gabotronics about us using their design and they were super nice about it too. He’s also running a kick-starter for a portable version of the xprotolab too.

    http://www.kickstarter.com/projects/920064946/xprotolab-portable

    I picked up 8,000 LEDs since typically we only use SMD  and NullSpaceLabs has like 1 million + LED’s in the back room, but not so much in the 3mm variety.  Found a local place in Los Angeles area that had them, they arrived overnight, the OLED’s I found in china. Rest of the parts given the short time frame I picked up at Digikey. Some of the parts can be had cheaper elsewhere, but when you add shipping it ends up being more.

    The badge has got all sorts of potential to hack though, the LED’s can be included in the xprotolab as well as be independent,  with the OLED and the extra expansion, as well as the ADC’s it’ll make some fun toys.

    I really didn’t have time to prove out a booster for the 3V to 5V even though gabotronics sent me a suitable schematic for the portable version, so that’d be a neat hack too.

    Add a Mic or other sensors with a beat detector or simple audio level device. Add on an IR LED and it can be a IR Toy/ TV-B-Gone too. Video game too!

    I extended a few of the pads on components that people typically have issues with, or lift pads , particularly the CPU. We have an on-going battle at NSL on lead vs leadless chips, personally I think leadless chips(QFNs) are easier to solder and don’t get damaged as easy, others don’t. This year i opted for the large TQFP44 package with legs. One year I’ll do BGA just for the heck of it.

    The PCB’s are posted on the Null Space SVN server the http://wiki.032.la has links to it.

    We will of course bring our pro as —- hardware hacking lab, probably a  dozen or more metcals, microscopes, hot plates, scopes, etc. I’ve yet to see another lab as well equipped as ours.

    6022847245_18e5603d27_b[1]

    Null-Space-Labs-Workbench-eecue_31841_hz7w_l[1]

    5975528106_08067162bd_o[1]

    5974967315_5586105413_z[1]

    8096189458_52abf59c2b_c[1]

    6328077222_e4da31fd8a_z[1]

    5862809032_84fbb0d442_b[1]

    Feature list of the xprotolab (taken from gabotronics site)

    • Mixed Signal Oscilloscope: Simultaneous sampling of analogue and digital signals.
    • Advanced Trigger: Normal / Single / Auto, with rising or falling edge and adjustable trigger level.
    • Meter Mode: Average, Peak to peak and Frequency readout.
    • XY Mode:
      - Plot Lissajous patterns
      - See the phase difference between two waveforms
      - V/I Curve tracer with an external resistor
    • Spectrum Analyser with different windowing options and selectable vertical log.
    • Horizontal and Vertical Cursors with automatic waveform measurements.
    • Arbitrary Waveform Generator with Sweep on all parameters.
    • Display options: Persistence, Different grid options, and more.

     

    Parts Breakdown

    The OLED’s I picked up from here

    $(KGrHqRHJC!E8fiuLMlbBPJ(kZkIMQ~~60_58[1]

    http://www.ebay.com/itm/200441663374?ssPageName=STRK:MEWNX:IT&_trksid=p3984.m1439.l2649

    as well as here, I split the orders since they looked like diff models.

    $T2eC16ZHJIIE9qTYLSWWBQMj)qnIN!~~60_3[1]

    http://www.ebay.com/itm/130495997889?ssPageName=STRK:MEWNX:IT&_trksid=p3984.m1439.l2649

    The OLED Datasheet  is here

    The 3mm LEDs I picked up from ( various colours )

    http://myworld.ebay.com/he-n-she?_trksid=p2047675.l2559

    Useful since its reasonably cheap and ships from CA, they came within a day.

    The batteries are C123A’s and i got them from https://www.batteryspace.com along with the holders. They are the cheapest i can find, and we’ve used them before. its a hassle to ship lithium batteries in CA. You’ll see a lot of batteries (especially watch batteries) that are listed a ‘California’ only, they’re crappy, so avoid if possible.

    CR123A
    HOLDER

    I guess I’ll find out Wednesday night/Thursday if my board layout works! If it doesn’t guess what the hardware hacking competition will be Winking smile 

     

    We do have prizes for the Hardware Hacking competition, I have a pandaboard ex, beaglebone black and a pcduino to give away, and maybe some other stuff, we’ll see what goes down.

    Now to start actually designing a badge for 2014. Will the proxmarklcd re-appear?

    cheers,
    charliex

     

    If you like this badge etc, I’ll be at layerOne, This is what i look like.

    5399975258_023215624c_z[1]

    If not

    5733646861_852956c0a1_o[1]

     

    Here’s some of other Null Space links :-

    http://www.032.la

    http://hackaday.com/2012/05/03/hackerspace-intros-null-space-labs-in-los-angeles-california/

    http://www.flickr.com/photos/nullspacelabs/

     
    • Niek 5:33 pm on May 21, 2013 Permalink | Reply

      Does the back of the badge say “LayerTwo”?

      • charliex 7:33 pm on May 21, 2013 Permalink | Reply

        heh no, we did have a four layer badge a few years ago. the insides might have said something!

c
Compose new post
j
Next post/Next comment
k
Previous post/Previous comment
r
Reply
e
Edit
o
Show/Hide comments
t
Go to top
l
Go to login
h
Show/Hide help
shift + esc
Cancel
Follow

Get every new post delivered to your Inbox.