Updates from December, 2013

  • charliex 12:15 am on December 3, 2013
    Tags: error 1747, windows 7   

    Error 1747 : The Authentication Service is Unknown 

    I had a Windows 7 machine in one of the racks with a bunch of services not starting and no networking, so not much of anything since it's headless and graphics are network remote. So I pulled it out and switched its graphics cards to see what was going on.

    Really slow to boot windows, after login black screen with mouse, sluggish response.
    dhcp, lass, service showing ‘starting’ and can’t be stopped or restarted
    ping etc gives no network, or various network errors
    Event logs stop working with “Error 1747 : The Authentication Service is Unknown”
    Even a BSOD on a reboot

    sfc /scannow  no issues, fsck, no issues. hardware all looked ok.

    As usual MVP advice is reformat and re-install, so sad. So I did this instead:

    From admin shell, cmd

    netsh winsock reset

    and rebooted, totally fine after that. sigh…

     
  • charliex 4:45 pm on October 24, 2013
    Tags: #hacklu   

    hack.lu CTF 

    jking http://www.theamazingking.com/ and I worked on ELF

     

    First disassembled it with IDA, pulled out C code and attacked it from there, working backwards with what the key ought to be. One value at first just seemed to be anti-debug, which was just the ptrace test, which would increment it.

    Also as eventually noted by fluxfingers team, if you happened to be running non root on ubuntu ( I was ) you’d get the wrong results because ubuntu doesn’t let child procs ptrace as a non root user…which would have been a big clue.

     

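    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>
    #include <unistd.h>
    #include <sys/ptrace.h>
    #include <sys/wait.h>

    #define __cdecl  /* IDA calling-convention annotation, not a gcc keyword on Linux */

    unsigned char some_counter = 0xA ;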

    unsigned char fluxFluxFLUX[] = "fluxFluxfLuxFLuxflUxFlUxfLUxFLUxfluXFluXfLuXFLuXflUXFlUXfLUXFLUX";

    int __cdecl ld_preload_ptrace()
    {
        int result; // eax@4
        int stat_loc; // [sp+14h] [bp-14h]@4
        int v2; // [sp+18h] [bp-10h]@6
        int v3; // [sp+1Ch] [bp-Ch]@3

        if ( getenv ( "LD_PRELOAD" ) )
        { ++some_counter; }

        v3 = fork();

        if ( !v3 ) {
            v2 = getppid();

            if ( ptrace ( PTRACE_ATTACH, v2, 0, 0 ) < 0 )
            { exit ( 1 ); }

            sleep ( 1u );
            ptrace ( PTRACE_DETACH, v2, 0, 0 );
            exit ( 0 );
        }

        wait ( &stat_loc );
        result = stat_loc;

        if ( stat_loc ) {
            sleep ( 1u );
            result = some_counter++ + 1;
        }

        return result;
    }

    int __cdecl main ( int argc, char *argv[] )
    {
        size_t password_length; // eax@4
        char v9[300]; // [sp+28h] [bp-374h]@8
        unsigned char *v10; // [sp+368h] [bp-34h]@13
        unsigned char *v11; // [sp+36Ch] [bp-30h]@10
        unsigned char *phase1_buffer; // [sp+370h] [bp-2Ch]@4
        const char *ptr_to_password; // [sp+374h] [bp-28h]@4

        unsigned int flag4; // [sp+378h] [bp-24h]@40
        unsigned int flag3; // [sp+37Ch] [bp-20h]@40
        unsigned int flag2; // [sp+380h] [bp-1Ch]@40
        unsigned int flag1; // [sp+384h] [bp-18h]@40

        size_t j; // [sp+388h] [bp-14h]@23
        size_t i; // [sp+38Ch] [bp-10h]@4

        if ( argc != 2 ) {
            printf ( "Usage: %s <flag>\n",  argv[0] );
            exit ( 0 );
        }

        puts ( "Calculating phase 1 ..." );

        ptr_to_password =  argv[1];

        password_length = strlen ( argv[1] );
        phase1_buffer = ( unsigned char * ) malloc ( password_length + 1 );

        memset ( phase1_buffer, 0, password_length + 1 );

        for ( i = 0;  password_length > i; ++i ) {
            int i2;
            i2 = ( i - some_counter );

            phase1_buffer[ i ]  = ptr_to_password[ ( i - some_counter ) % password_length ];
        }

        sleep ( 1u );
        puts ( "done\n" );

        ++some_counter;

        for ( i = 0; i <= 207; ++i ) {
            v9[i] =  65;
        }

        v11 = ( unsigned char * ) malloc ( password_length + 1 );
        memset ( v11, 0, password_length + 1 );

        puts ( "Calculating phase 2 ..." );

        for ( i = 0; ; ++i ) {

            if ( password_length <= i ) {
                break;
            }

            v11[i]  = some_counter ^ fluxFluxFLUX[i] ^  phase1_buffer[ i ];
        }

        sleep ( 1u );
        puts ( "done\n" );

        some_counter += 3;

        // I added the +1 for dbg

        v10 = ( unsigned char* ) malloc ( password_length + 1 );

        memset ( v10, 0, password_length + 1 );

        for ( i = 0; ; ++i ) {

            if ( password_length <= i ) {
                break;
            }

            v10[i] = some_counter;
        }

        for ( i = 0; i <= 207; ++i ) {
            v9[i] =  66;
        }

        for ( i = 0; i <= 0xCF; ++i ) {
            v9[i] = 70;
        }

        // 3 on

        unsigned char index = 0;

        //memset ( v11, 0, password_length );

        some_counter  = 4;

    loop:

        for ( i = 0; i <= 2; ++i ) {

            printf ( "Calculating phase  %u ...\n", ( unsigned ) ( i + 3 ) );

            for ( j = 0; ; ++j ) {

                if ( password_length <= j ) {
                    break;
                }

                v10[j]  ^= v11[ j ] ^ fluxFluxFLUX[ ( i + j + some_counter ) % password_length];
            }
        }

     

        for ( i = 0; i <= 0xCF; ++i ) {

            v9[i] =  69;
            v9[i] =  67;

            if ( v9 [ ( i + 3 ) % 0xD0] ==  65 ) {
                v9 [ ( i + 4 ) % 0xD0] =  83;
            }
        }

        for ( i = 0; i <= 0xCF; ++i ) {

            v9[i] = 67;

            if ( v9[ ( i + 3 ) % 0xD0] ==  65 ) {
                v9[ ( i + 4 ) % 0xD0] = 83;
            }

            if ( ( v9 ) [ ( i + 3 ) % 0xD0] ==  66 ) {
                v9[ ( i + 4 ) % 0xD0] = 83;
            }
        }

     

        flag1 = 0;
        flag2 = 0;
        flag3 = 0;
        flag4 = 0;

     

        // working backwards from below we get

        v10[0] = 17;
        v10[1] = 96;
        v10[2] = 50;
        v10[3] = 88;
        v10[4] = 97;
        v10[5] = 101;
        v10[6] = 81;
        v10[7] = 34;
        v10[8] = 102;
        v10[9] = 98;
        v10[10] = 107;
        v10[11] = 94;
        v10[12] = 75;
        v10[13] = 69;
        v10[14] = 110;
        v10[15] = 85;

        // pack the 16 bytes into four little-endian 32-bit words
        for ( i = 0; i <= 3; ++i ) {
            flag1 |= ( unsigned char ) v10[i] << 8 * i;
        }

        for ( i = 0; i <= 3; ++i ) {
            flag2 |= ( unsigned char ) v10[i + 4] << 8 * i;
        }

        for ( i = 0; i <= 3; ++i ) {
            flag3 |= ( unsigned char ) v10[i + 8] << 8 * i;
        }

        for ( i = 0; i <= 3; ++i ) {
            flag4 |= ( unsigned char ) v10[i + 12] << 8 * i;
        }

        //printf ( "%x %x %x %x %x\n", some_counter, flag1, flag2, flag3, flag4 );

        if ( flag1 != 0x58326011 || flag2 != 0x22516561 || flag3 != 0x5E6B6266 || flag4 != 0x556E454B ) {
            puts ( "Flag wrong!" );
        }
        else {
            puts ( "Flag correct!" );
        }

        return 0;
    }

     

    The thing that bothered me about my C version vs the ELF binary was the speed difference: mine ran much faster for no apparent reason. So I looked harder at the initial ptrace test, but even though it was forking I saw no way that it could be hooking and repeating itself, and noping out the sleep code didn’t alter the speed.

     

    Stracing showed that it was forking and sleeping again. So single stepping, I saw that some of the libc’s were indeed going to different places. Looking at the PLT:

     

    --- SIGCHLD (Child exited) @ 0 (0) ---
    rt_sigprocmask(SIG_BLOCK, [CHLD], [], 8) = 0
    rt_sigaction(SIGCHLD, NULL, {SIG_DFL, [], 0}, 8) = 0
    rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0
    nanosleep({1, 0}, 0xffeca9f8)           = 0
    clone(child_stack=0, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0) = 18192
    wait4(-1, [{WIFEXITED(s) && WEXITSTATUS(s) == 1}], 0, NULL) = 18192
    --- SIGCHLD (Child exited) @ 0 (0) ---
    rt_sigprocmask(SIG_BLOCK, [CHLD], [], 8) = 0
    rt_sigaction(SIGCHLD, NULL, {SIG_DFL, [], 0}, 8) = 0
    rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0
    nanosleep({1, 0}, 0xffeca9f8)           = 0
    fstat64(1, {st_mode=S_IFCHR|0620, st_rdev=makedev(136, 0), ...}) = 0
    mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xfffffffff7792000
    write(1, "Calculating phase 1 ...\n", 24Calculating phase 1 ...
    ) = 24
    clone(child_stack=0, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0) = 18193
    wait4(-1, [{WIFEXITED(s) && WEXITSTATUS(s) == 1}], 0, NULL) = 18193
    --- SIGCHLD (Child exited) @ 0 (0) ---
    rt_sigprocmask(SIG_BLOCK, [CHLD], [], 8) = 0
    rt_sigaction(SIGCHLD, NULL, {SIG_DFL, [], 0}, 8) = 0
    rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0
    nanosleep({1, 0}, ^C <unfinished ...>

     

     

    .got.plt:0804A150 18 89 7B F7                   off_804A150 dd offset dword_F77B8918    ; DATA XREF:
    .got.plt:0804A154                               ; int (*off_804A154)(void)
    .got.plt:0804A154 A0 B6 7A F7                   off_804A154 dd offset unk_F77AB6A0      ; DATA XREF:
    .got.plt:0804A158 AF 91 04 08                   ptr_to_printf dd offset another_ptrace_counter_increment_0
    .got.plt:0804A15C 76 84 04 08                   ptr_sleep dd offset loc_8048476         ; DATA XREF: _sleepr
    .got.plt:0804A160 86 84 04 08                   ptr_wait dd offset word_8048486         ; DATA XREF: _waitr
    .got.plt:0804A164 96 84 04 08                   ptr_getenv dd offset word_8048496       ; DATA XREF: _getenvr
    .got.plt:0804A168 D1 92 04 08                   ptr_malloc dd offset another_ptrace_counter_increment_1
    .got.plt:0804A168                                                                       ; DATA XREF: _mallocr
    .got.plt:0804A168                                                                       ; setup_hooks+1Aw
    .got.plt:0804A16C 60 90 04 08                   p_io_puts dd offset another_ptrace_counter_increment
    .got.plt:0804A16C                                                                       ; DATA XREF: _putsr
    .got.plt:0804A16C                                                                       ; setup_hooks+6w
    .got.plt:0804A170                               ; int (*off_804A170)(void)
    .got.plt:0804A170 C6 84 04 08                   off_804A170 dd offset word_80484C6      ; DATA XREF: ___gmon_start__r
    .got.plt:0804A174 D6 84 04 08                   off_804A174 dd offset word_80484D6      ; DATA XREF: _exitr
    .got.plt:0804A178 5F 94 04 08                   check_cc_buffer dd offset another_ptrace_counter_increment_2
    .got.plt:0804A178                                                                       ; DATA XREF: _strlenr
    .got.plt:0804A178                                                                       ; setup_hooks+24w
    .got.plt:0804A17C E0 53 5F F7                   ptr_libc_main dd offset __libc_start_main
    .got.plt:0804A17C                                                                       ; DATA XREF: ___libc_start_mainr
    .got.plt:0804A180 06 85 04 08                   ptr_libc_fork dd offset word_8048506    ; DATA XREF: _forkr
    .got.plt:0804A184 16 85 04 08                   off_804A184 dd offset word_8048516      ; DATA XREF: _getppidr
    .got.plt:0804A188                               ; int (*ptr_ptrace)(void)
    .got.plt:0804A188 26 85 04 08                   ptr_ptrace dd offset word_8048526       ; DATA XREF: _ptracer

     

    reverse_me:080491AF                               ; ---------------------------------------------------------------------------
    reverse_me:080491AF
    reverse_me:080491AF                               loc_80491AF:
    reverse_me:080491AF 50                            push    eax
    reverse_me:080491B0 51                            push    ecx
    reverse_me:080491B1 E8 55 02 00 00                call    near ptr unk_804940B
    reverse_me:080491B6 B8 F4 00 00 00                mov     eax, 0F4h
    reverse_me:080491BB
    reverse_me:080491BB                               loc_80491BB:                            ; CODE XREF: reverse_me:080491DBj
    reverse_me:080491BB 8A 88 60 90 04 08             mov     cl, byte ptr loc_8049060[eax]
    reverse_me:080491C1 80 F9 CC                      cmp     cl, 0CCh
    reverse_me:080491C4 75 0F                         jnz     short loc_80491D5
    reverse_me:080491C6 50                            push    eax
    reverse_me:080491C7 A1 94 A1 04 08                mov     eax, ds:just0x //the increment of the counter
    reverse_me:080491CC 83 C0 01                      add     eax, 1
    reverse_me:080491CF A3 94 A1 04 08                mov     ds:just0x, eax
    reverse_me:080491D4 58                            pop     eax
    reverse_me:080491D5
    reverse_me:080491D5                               loc_80491D5:                            ; CODE XREF: reverse_me:080491C4j
    reverse_me:080491D5 83 F8 00                      cmp     eax, 0
    reverse_me:080491D8 74 03                         jz      short loc_80491DD
    reverse_me:080491DA 48                            dec     eax
    reverse_me:080491DB EB DE                         jmp     short loc_80491BB
    reverse_me:080491DD                               ; ---------------------------------------------------------------------------
    reverse_me:080491DD
    reverse_me:080491DD                               loc_80491DD:                            ; CODE XREF: reverse_me:080491D8j
    reverse_me:080491DD B8 F0 00 00 00                mov     eax, 0F0h
    reverse_me:080491E2
    reverse_me:080491E2                               loc_80491E2:                            ; CODE XREF: reverse_me:08049202j
    reverse_me:080491E2 8A 88 5F 94 04 08             mov     cl, byte_804945F[eax]
    reverse_me:080491E8 80 F9 CC                      cmp     cl, 0CCh
    reverse_me:080491EB 75 0F                         jnz     short loc_80491FC
    reverse_me:080491ED 50                            push    eax
    reverse_me:080491EE A1 94 A1 04 08                mov     eax, ds:just0x // the increment again
    reverse_me:080491F3 83 C0 01                      add     eax, 1
    reverse_me:080491F6 A3 94 A1 04 08                mov     ds:just0x, eax
    reverse_me:080491FB 58                            pop     eax
    reverse_me:080491FC
    reverse_me:080491FC                               loc_80491FC:                            ; CODE XREF: reverse_me:080491EBj
    reverse_me:080491FC 83 F8 00                      cmp     eax, 0
    reverse_me:080491FF 74 03                         jz      short loc_8049204
    reverse_me:08049201 48                            dec     eax
    reverse_me:08049202 EB DE                         jmp     short loc_80491E2
    reverse_me:08049204                               ; ---------------------------------------------------------------------------
    reverse_me:08049204
    reverse_me:08049204                               loc_8049204:                            ; CODE XREF: reverse_me:080491FFj
    reverse_me:08049204 59                            pop     ecx
    reverse_me:08049205 58                            pop     eax
    reverse_me:08049206 E9 5B F2 FF FF                jmp     near ptr word_8048466

     

    Similar code again, and there were a couple of others.

    So from here we knew that it was incrementing the value during the run.

    jk wrote a Python bruter based on the C code and we had been trying different values with the counter.

    He got “4v0iDsS3CtIOnSLd”; the password was “Ld4v0iDsS3CtIOnS”. I’d even rotated it since phase one did that, but the change of case on the Ld threw a spanner in that. Unfortunately for us that was about 1400 seconds before the end of the CTF, when we really started focusing on the change of value.

    http://charliex.pastebay.com/1332967

     

    Ahh well..
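
The counter dependence described in this post can be checked by inverting the transform. The C program below is an added example, not code from the original post or from jk's bruter: it reuses the table and the 16 target bytes from the listing, generalises the check so that each use of the counter is its own parameter, and searches the two parameters that survive the XOR phases. The stage values 14, 18 and 26 used in main() are one consistent set found with this code and are assumptions, not values stated in the post.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define LEN 16

/* From the post: every table index is taken % password_length, so only the
   first LEN bytes of the table matter; TARGET is v10[0..15] from the listing. */
static const unsigned char FLUX[LEN + 1] = "fluxFluxfLuxFLux";
static const unsigned char TARGET[LEN] = {
    17, 96, 50, 88, 97, 101, 81, 34, 102, 98, 107, 94, 75, 69, 110, 85
};

/* Forward transform with the counter value at each use made explicit:
   c1 = rotation in phase 1, c2 = XOR byte in phase 2,
   c3 = fill byte for v10,   c4 = index offset in phases 3-5. */
void forward(const char *pw, unsigned c1, unsigned char c2,
             unsigned char c3, unsigned c4, unsigned char out[LEN])
{
    unsigned char v11[LEN];
    for (unsigned i = 0; i < LEN; i++) {
        unsigned char p1 = (unsigned char)pw[(i + LEN - c1 % LEN) % LEN];
        v11[i] = c2 ^ FLUX[i] ^ p1;
        out[i] = c3;
    }
    for (unsigned r = 0; r < 3; r++)
        for (unsigned j = 0; j < LEN; j++)
            out[j] ^= v11[j] ^ FLUX[(r + j + c4) % LEN];
}

/* Phases 2-5 are pure XOR, so they collapse to one byte k = c2 ^ c3 and the
   offset c4 mod LEN. Writes the phase-1 buffer, which is still rotated. */
void unxor(unsigned char k, unsigned c4, char p1[LEN + 1])
{
    for (unsigned i = 0; i < LEN; i++)
        p1[i] = (char)(TARGET[i] ^ k ^ FLUX[i] ^ FLUX[(i + c4) % LEN]
                       ^ FLUX[(i + 1 + c4) % LEN] ^ FLUX[(i + 2 + c4) % LEN]);
    p1[LEN] = '\0';
}

/* Undo phase 1, where phase1[i] = pw[(i - c1) % LEN]. */
void unrotate(const char *p1, unsigned c1, char pw[LEN + 1])
{
    for (unsigned i = 0; i < LEN; i++)
        pw[(i + LEN - c1 % LEN) % LEN] = p1[i];
    pw[LEN] = '\0';
}

static char CAND[LEN * 256][LEN + 1];   /* room for every (c4, k) pair */

/* Try every (c4 mod LEN, k) pair and keep the phase-1 buffers that are
   fully alphanumeric. Returns how many were stored in CAND. */
int search(void)
{
    int n = 0;
    for (unsigned c4 = 0; c4 < LEN; c4++)
        for (unsigned k = 0; k < 256; k++) {
            char p1[LEN + 1];
            int ok = 1;
            unxor((unsigned char)k, c4, p1);
            for (unsigned i = 0; i < LEN && ok; i++)
                ok = isalnum((unsigned char)p1[i]) != 0;
            if (ok)
                strcpy(CAND[n++], p1);
        }
    return n;
}

int main(void)
{
    char p1[LEN + 1], pw[LEN + 1];
    int n = search();

    for (int i = 0; i < n; i++)
        printf("phase-1 candidate: %s\n", CAND[i]);

    /* Assumed counter schedule (found with this example, not from the post). */
    unxor(18 ^ 26, 26, p1);
    unrotate(p1, 14, pw);
    printf("c1=14 c2=18 c3=c4=26 -> %s\n", pw);
    return 0;
}
```

With the counter left at its static values (0xA, then +1, then +3) the forward transform of the real password does not reach the target bytes, which is why a reimplementation that ignores the hooked increments reports the wrong flag.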

     
  • charliex 3:50 am on December 24, 2012
    Tags: changing mac address, proxim   

    Changing the Mac address of a proxim 802.11abgn usb adapter 

    Windows 7 has a limitation (that can be removed in the code of the individual driver) that you can’t set a fake MAC ID starting with 00 on a wireless USB. So I did what any normal person would do: pulled apart the adapter, removed the EEPROM, found and edited the hardware MAC ID.

     

    Use a spudger to open the case, it’s not glued or anything.

    I tried a few ways of programming the SPI on board, but it just wouldn’t do it, too much interference.

     

    The chip is glued down, some acetone will take care of that. Desolder the chip and pop it into an EEPROM reader; it’s an ATMEGA AT61 series SPI EEPROM so easy enough. Once you have the hex file, grep for the MAC address in hex. Edit it to what you want it to be and reflash it back to the chip, there is no checksum etc.

    You can send EEPROM commands back to the chip via the driver, but I didn’t look into it too deeply. It’s pretty quick to remove it and change it, obviously this is more useful for cloning vs just changing.

     

    The Proxim / Orinoco is just a Taiwanese usb adapter, I haven’t seen it for sale under the different brands though, but its considerably cheaper.

     

    I’ll add some pictures to the post later.

     
    • Andrew Bailey 4:23 am on December 24, 2012

      Dumb question, why did you want a 00 MAC address?

      • charliex 4:33 am on December 24, 2012

        It’s the first part, so 00-90-a9-a2-1a-33 isn’t cloneable, it has to be 02-90-a9-a2-1a-33, 06-90-a9-a2-1a-33 etc. Useful for when an ISP uses your MAC to identify your NIC for home internet connections etc.

        • timd8137 12:58 am on September 15, 2013

          Charliex Please whenever you find time send pictures regarding this, and any EEprom programmer you can recommend?

          desolder the chip and pop it into a eeprom reader its an ATMEGA AT61 series SPI EEPROM so easy enough

          Thanks
          Tim

        • Tim 6:49 pm on September 27, 2013

          Charlie, I am looking all over Atmel website to get some free samples but when I google ATML H118 64DM Y it says ST micro is the manufacturer? Maybe your proxim had a different chip on it?

    • Freddy 6:06 am on June 29, 2013

      How hard would this be to do for someone with no experience?? I have the exact same Proxim USB which I need to clone the MAC address.. Any chance you could provide a detailed howto or even youtube video?

      Thanks
      freddy

      • charliex 10:02 pm on June 30, 2013

        Open it, remove the flash chip (small SOIC 8 pin surface mount) with acetone and a soldering iron, carefully use low melt (chip quik at frys), clone it with a programmer that can handle SPI based flash memory. Solder it back, close up case.

    • Tim 1:52 pm on September 13, 2013

      Charliex any recommendations on a good programmer?
      Thanks

    • Tim 5:18 pm on September 15, 2013

      Charlie, another question, where do you suggest getting blank SPI Eeproms from, so I could burn some clones? or I could just go in and modify the existing one to the MAC I want right?

      • charliex 6:06 pm on September 15, 2013

        It has like 1000 write lifetime so plenty. Digikey, mouser, rs components, element14, farnell all should have it. http://www.findchips.com and punch in the part no for finding it easily.

  • charliex 7:02 pm on October 2, 2012
    Tags: ARM, freescale, JL25Z, kinetis   

    Kinetis KL25Z Freescale freedom platform 

     

    Today my KL25Z dev board arrived from Newark. I had it on pre-order as soon as I saw it, mainly because it’s cheap at $12.95 +tax and because it’s ARM M0+ that can go up to 48 MHz.

    Comes in a nice box; you solder the headers in if you want to, otherwise you get nothing with it (but that’s not a bad thing). The box has a colour print diagram of the connections to the board on the underside and it’s nicely packaged.

     

    Oddly, or not, the first thing I noticed was an unpopulated spot for an IC U5, a quick scan of the schematics and its for an AT45DB161D which is a 5V tolerant 3.3V SPI flash memory chip. Which is great because I just happen to have a stack of 16’, 32’s and 64’s at NullSpace. I’ll update the blog when I add it and see if it works, it is a fairly costly IC so that might be why its not included versus a build mistake.

    Underneath there is a space for a CR2032 PTH battery holder.

    It is a very nicely laid out board, going for the black mask with gold finish. Though placement of the RST button could be better, the placement of the pads underneath mean when you press the reset the board flips up, less so when the USB cables are plugged in, a minor annoyance. The captouch could also have done with something underneath as well, its just slightly off balance, again very minor and easily fixed.

     

    specs are :-

    • MKL25Z128VLK4 MCU – 48 MHz, 128 KB flash, 16 KB SRAM, USB OTG (FS), 80LQFP
    • Capacitive touch “slider,” MMA8451Q accelerometer, tri-colour LED
    • Easy access to MCU I/O
    • Sophisticated OpenSDA debug interface
    • Mass storage device flash programming interface (default) – no tool installation required to evaluate demo apps
    • P&E Multilink interface provides run-control debugging and compatibility with IDE tools
    • Open-source data logging application provides an example for customer, partner and enthusiast development on the OpenSDA circuit

     

    I dunno how I feel about the P&E stuff, Freescale must own stock in them or something, I have a bunch of P&E BDM’s, cyclones, cpu32/cpu16 etc. which i use for my reverse engineering work but they’re expensive and the software is about 1990’s level of basic, everything is an add on cost, the flash tool is one cost, programmer/debugger, capacity on the cyclone max etc. Also they don’t have a lot of protection, I’ve blown up my cyclone max with a bad PSU,  for such an expensive tool its poorly protected.

    Talking about questionable software, my old friend CodeWarrior rears its head again, anyone who has been in game development for a long time, especially console, probably has a special place for CodeWarrior, along with the Sony CD burners for PSONE. Freescale/Motorola bought them out a long time ago and so of course it keeps coming back to haunt me, and haunt me it does. Still I’m sure its gotten better?… I’m not sure why TI/Freescale etc wants to roll their own dev tools, maybe for QC or lock–in but GCC is OK enough to use it and ARM were smart and paid someone to make the ARM support better in GCC. Beyond that CodeSourcery seem to do a good job of keeping it all together. Maybe I do want to download another 1.5G Eclipse installer (not CW thankfully). I think its a mistake going down this route, but there you go.

    Link to CodeWarrior

    Keil  (needs a patch )and IAR have tools as well,

    Anyway enough of that, at least they’re trying and giving away what they can, my beefs lie with them mostly on the commercial side of things anyway.

    This is what the OpenSDA firmware zip file contains

    10/02/2012  11:48          79,583  DEBUG-APP_Pemicro_v102.SDA
    10/02/2012  11:48         213,461  MSD-FRDM-KL05Z_Pemicro_v105.SDA
    10/02/2012  11:48         213,461  MSD-FRDM-KL25Z_Pemicro_v105.SDA
    10/02/2012  11:48         213,501  MSD-XTWR-KL25Z48M_Pemicro_v105.SDA
    10/02/2012  11:47             177  Readme.txt
    10/02/2012  11:47         287,369  Updating the OpenSDA Firmware.pdf

    So no tools host side needed as such, just firmware for the connection to CW/PE multilinks.

    It supports ETM and SWD, OpenSDA this doc goes over how to setup and upload files.

    P&E’s tools are http://www.pemicro.com/opensda/pe_tools.cfm

    It’s a CDC driver that should auto install on Windows, there are drivers for it available if not. After that it’s drag and drop binary or Motorola S record files. They note that the dev tools work primarily on Windows but CDC obviously works on the other platforms.

     

    < to be continued >

     
    • Erich Styger 5:55 pm on October 14, 2012

      Yes. This board is a really nice and versatile one! I already have published several articles around the Freedom KL25Z board on my blog, along with tutorials and software projects:
      http://mcuoneclipse.wordpress.com/tag/kl25z-freedom-board/

    • Chris Smith 2:21 pm on November 2, 2012

      > I’ll update the blog when I add it and see if it works, it is a fairly costly IC so that might be why its not included versus a build mistake

      Did you find out if the 16GB chip at U5 was functional. DigiKey has the AT45DB161E-SSHD-B-ND for $2.26 – pretty cheap IMO.

  • charliex 6:25 pm on June 21, 2012
    Tags: soldercore   

    Soldercore quick intro 

     

    I ordered a SolderCore from Mouser yesterday, it arrived this morning. Its a pretty nice little device. Oddly I’d had some interaction with one of the creators at Rowley Associates, Paul,  on an email list talking about C compilers/assembler etc and it turns out we’re both Lotus people as well as having ECU related experiences, it is a small world.

    Haven’t done much with yet, since i’m not at NullSpace and all my stuff is there.

    From http://www.soldercore.com

    • Arduino Form Factor
    • Based upon a 80 MHz Cortex-M3
    • 512KB Flash, 96KB contiguous RAM
    • Built in Ethernet support with an on-board RJ45 connector.
    • USB OTG support with an on board microAB connector.
    • On board microSD holder.
    • Support for additional Flash and FRAM devices.
    • CAN, I2S, 2xI2C, UART, PWM, ADC, SPI and QEI supported
    • On board standard 10 way SWD JTAG header. (Only fitted to the Commando variant)
    • Power can be supplied via USB or the barrel jack (6V – 9V DC).

    So decent enough specs.

    Nice things are , no drivers, so no one whining about CDC driver support in Windows 7.  All the help, examples firmware are net enabled. All you need is telnet to edit.

     

     

    compared to a Pandaboard ES, and one of our NSL ADK boards. Soldercore in the middle.

    If you want the headers, you can solder them on. I like the idea Sparkfun has with single row headers and to offset every other one so its easier to solder, but these aren’t difficult, just hold and tack the first one very lightly with solder, make sure its straight and do the others. That first tack is important so its aligned and then you can re-align easily.

    I plugged it in, pinged as per the label on the back, then i use Putty to login  in to it. (change from ssh to telnet) also it uses ^H for backspace so edit that too. I then posted to the forums with a hello world, but then realised it was a program that did it. So i went off to find it, since it isn’t in the examples but in the help section instead.

    Had to edit a bit first. Mine didn’t like the command $NL so I used $LF instead. Then came along figuring out how to set NET.SMTPSERVER (which is fairly futile for me at this point so all my SMTP servers require a login) but trying anyway. I of course battled ahead and did NET.SMTPSERVER = "smtp.mail.com", NET.SMTPSERVER = "10.0.0.1" etc; neither worked. It says ‘Digital I/O’ as the type. My SMTP server will work even less with an IP address since it wants to use the FQDN to find it. But regardless..

    Luckily BASIC being immediate, i just did

    PRINT NET.SMTPSERVER

    Which yielded

    [0, 0, 0, 0]

    Aha!, So

    NET.SMTPSERVER = [192,168,1,1]

    Easy enough. But i don’t have an open relay… So i got as far as ?SMTP server down in 60:

    10 SUBJECT = "Hello from SolderCore!"
    20 FROM = NET.NAME + "charlie@xxx.com"  ' fill in your own e-mail address
    30 TOO = "soldercore@googlegroups.com"
    40 BODY = "Hello from " + NET.NAME + "." + $LF
    50 BODY = BODY + "My device address is 192.168.1.159 ." + $LF
    60 MAIL TOO, FROM, SUBJECT, BODY
    70 PRINT "e-mail away!"
    80 END

    It didn’t like the IP$(NET.ADDR) either so i replaced it with text.

    The original looks like http://soldercore.com/manual/corebasic_mail.htm

    > list ↵
    10 SUBJECT = "Hello from SolderCore!"
    20 FROM = NET.NAME + "@local" ' fill in your own e-mail address
    30 TOO = "soldercore@googlegroups.com"
    40 BODY = "Hello from " + NET.NAME + "." + $NL
    50 BODY = BODY + "My device address is " + IP$(NET.IPADDR) + "." + $NL
    60 MAIL TOO, FROM, SUBJECT, BODY
    70 PRINT "e-mail away!"
    80 END
    > run ↵
    e-mail away!
    >

     

    I concluded the problems/missing command might be an old firmware so I tried to do a firmware update with firmware run, but i realised it needed a FAT16 SD card (a good one not a cheap fakey one) All i had was  a 16B MicroSD so its too big, but normally you’d do. 2G is what you need.

    FORMAT n: /FS:FAT

    where n: is the drive letter. After a year or two , it’ll be formatted

    You should see something like :-

    “Insert new disk for drive J:

    and press ENTER when ready…

    The type of the file system is FAT32.

    The new file system is FAT.

    Verifying 15267M (this is a problem)

    You can also use this https://www.sdcard.org/downloads/formatter_3/ Which supposedly does a better job of the FAT format. I can’t try it at the moment, since format is still running.

    The soldercore.com website does go into this in detail, if the GUI doesn’t show FAT as an option, the card is too big..

    It has a few nice features, being able to update firmware over the internet is great, and you can type

    example

    and it’ll list all the examples available, over the net. Typing

    example "welcome"

    will load the welcome.bas, so that is pretty neat, most of the examples look like they need one of the add on boards though. It is case sensitive on the example filenames.

    Typing

    firmware

    Seems equivalent to firmware catalog and it stops me typing catalogue(j/k)

    A lot of people might gripe about BASIC but what BASIC looks like versus what goes on in the background are completely different things, look at BlitzBasic etc, they’re very quick. Having to do line numbers is a bit of a throwback for sure.

    There are a lot of builtin commands that do useful math, dot products, matrices etc. sin/cos, etc. Very useful. At worst case you can pop on a JTAG and write everything in C/ASM to your heart’s content.

    I have had one  reset so far, but its probably the usb port i have isn’t giving me enough juice, it has external power port too.  If i find a small enough SD card, i can try to update the firmware. My firmware is also at 0.9.5 which is older than they list at the website, so I’m sure some of the stuff has been fixed already. I’ll update the blog when i find an SD card.

    I did all this with it so far, and no drivers installed and no software installed i can run it from android or nokia phone as long as it has telnet.

    The usual BASIC commands like EDIT, RENUMBER work, its just like being back on the BBC or Archimedes.

    Haven’t done much else with it yet, but I’m really interested in it as we use the Stellaris chips for other projects. I also really like Paul from the small interactions I’ve had with them, and Rowley Associates. I don’t know Iain or K&I but they did a nice layout job, so I’m looking forward to where they go with it. Anyone who’s a Lotus nut is ok with me!

     

    Update

    I realised my Skyrocket had a 2GB card in it, so I swapped that out, formatted it as FAT16 and made the top level SYS folder, plugged it into the soldercore and typed

    firmware run

    After a few seconds its at 0.9.12 now. I retried the original syntax of the Mail  example and it accepted it fine, i still can’t relay the email but it does accept the commands that were missing. Easiest firmware update ever.

    Quickly, an open relay! To hMailServer !

     
  • charliex 8:28 pm on June 18, 2012 Permalink | Reply  

    NSL gets a laser cutter 

    We’ve been trying to sort out a laser cutter for a while now. Last year we bought a 40W tube and a PSU and burned holes into things. While hugely entertaining, it lacked some precision.

     

    That was as far as it went, so I had enough and just decided to order one. After a few stops and starts we bought an LC900N directly from wklaser in China. They’re the same ones FS laser and hurricane etc sell, but they do some mods to the software/boards, though nothing that is worth the price increase that I can see. It cost us under $4,000 USD for a 90W laser with a 600x900mm cutting area and a motorised Z table, from China to us.

    We’re on the third floor and our elevator is ( A ) too small ( B ) out of order, so we had to levitate it in.. Having hindsight we could have taken it apart, but had  been previously assured we couldn’t do that. Anyway…..

    We did what anyone would do and removed the window, hired a crane and lifted it in through the window.

     

    Taking it out to inspect the contents etc.

     

    Building a landing table

    Scientific weight test, the window is gone and 3rd floor, proceed to start jumping. Some people were confused about what don’t go past the blue line meant.

    Yes this is a good idea.

     

    Test lift

    We put out cones, people removed them and parked anyway, I told a few people they may not want to park there, most people got annoyed and asked why not? So i explained, most of them changed location. But only most….

     

    ok we’ve gotten it to here, what now ? Time for a meeting.

    The tricky part, removing the first strap, everyone pitched in to help.

    The Rapunzel method started off well but we discovered a problem in the hair length dept.

     

    And its in!

    Books are useful. Dropping it the last meter was harder than getting it from China.

     

     

     

    Put the window back, respackle it and no one is the wiser.

     

    Ok so the laser is purchased, shipped from china, craned in through a window. What next?

     

     

    First install the tube

     

    The laser needs a vent, preferably hilarious. (needs video)

    Obviously take it apart and improve it.

    The height setting tool needed improvement, so made that and labelled it as such

    Test cuts. Lots of test cuts.

    Align mirrors, the manual came in useful here. (bits of paper)

    Now change mind, remove the mirrors, turns out they’re dirty! So we swapped them out for ii-iv’s, increasing the power 20%. Interestingly there is a technique to make CO2 laser mirrors from hard drive platters (“hard disk platter co2 laser mirror”).

    Frostbite hand.

    The new lens vs old one.

    Ply Wood 5.2mm 8speed 90power OLD LENS
    ply wood 5.2mm 15speed 40power NEW LENS

     

    The T4 28” fluorescent bulb burned out after a day or so so we replaced it with some halogens, especially since they’re hard to source locally, test fitted with duct tape. The whole machine gets covered in grease for shipping so lots of cleaning first.

    Next well they said we can’t cut steel. So quick trip to home depot for some O2.

    The glo-stick is vital

    well it is cut but…. not really useable, however great progress

     

    vertical video!

    Here we cut some 1” acrylic

     

    Next!

    The GUI is full of odd Chinese-English conversions, but they use a UTF8 .ini file so you can edit it all you want. Instead of Datum, it is now Home. Just edit language.ini, or use Resource Editor on the .exe for permanent changes; the software doesn’t self-check, even though it uses a senselock dongle.

     

    Next is hacking the software. We figured out the control software and reversed most of the API. It actually rasterises vectors on the PC side and sends them over as points!! I’m shocked and amazed, since the machine has a ‘DSP’ based controller board. It generates a TXT file, compiles it, then uploads it. The API has move, p-move, arc and circle functions, but the software never uses them.

    e.g.

    CLASS_DECLSPEC int APICALL M05_m_fast_line2(int chx,long disx,int chy,long disy);
    CLASS_DECLSPEC int APICALL M05_m_set_vector_profile(double ls,double hs,double ac);
    CLASS_DECLSPEC int APICALL M05_m_set_vector_profile2(double start_ls, double hs, double end_ls, double ac, double dc);
    CLASS_DECLSPEC int APICALL M05_m_curve_vertex();
    CLASS_DECLSPEC int APICALL M05_m_curve_begin();
    CLASS_DECLSPEC int APICALL M05_m_curve_end();
    CLASS_DECLSPEC int APICALL M05_m_set_period(double period);
    CLASS_DECLSPEC int APICALL M05_m_set_power(int LowPower,int HighPower);
    CLASS_DECLSPEC int APICALL M05_m_set_laser_mode(int mode);

    They are all: set ramp speeds, laser on, move here, move here, move here, move here. Not: set point and radius, calculate in the controller.

     

    Oddly the first command we figured out (unintentionally) was fire the laser at full power indefinitely.

    Is it off? No. Is it off now? No? How about now? No? OK, what’s the tube temp? Still not off? Easy to fix though, it’s just a toggle on/off. You also can’t easily jog the laser head around with the laser on; it’ll work, but you can’t turn it off easily!

     

    Knock out a quick GUI in Visual Studio.

    I updated the header file for the DLL on our SVN. I’ll document it as i go along

    http://www.032.la/svn/listing.php?repname=032&path=/NSL_LaserGUI/Controller/&#a80090f0f13e60006321d63b48b8768ea

    Example of the txt file, which it compiles on the PC side.

    SUB001
    CMD101,0
    SET002,20000
    SET014,1,0,2,2
    CMD109,1
    CMD102,416,20833,97222
    CMD104,6944
    CMD401,416,880,41666,900
    CMD402,900
    CMD409,416,880,3000,41666,900,5000 //set  ramp speeds and power
    CMD408,900,5000
    CMD050,2,1
    CMD002,63556,42631
    CMD050,1,1 //laser on
    CMD103,416,41666,69444
    CMD001,63556,42631 // move
    CMD050,1,0 //laser off

    I’m surprised it rasterises the vectors though; I was expecting to see a command for a circle that defined a center, radius etc.

    Speed change, 100 to 300:

    CMD401,416,880,13888,900
    CMD409,416,880,3000,13888,900,5000
    CMD103,416,13888,69444
    CMD401,416,880,41666,900
    CMD409,416,880,3000,41666,900,5000
    CMD103,416,41666,69444

    Power change, 9 to 99 (*100):

    CMD401,416,880,13888,900
    CMD402,900
    CMD409,416,880,3000,13888,900,5000
    CMD408,900,5000
    CMD401,416,880,13888,9900
    CMD402,9900
    CMD409,416,880,3000,13888,9900,5000
    CMD408,9900,5000

    Horizontal line moved in y:

    CMD002,62466,45271
    CMD001,62466,45271
    CMD001,69328,45271
    CMD002,69328,45271
    SUB603,416,20833,97222,69328,45271
    CMD001,69328,45271
    CMD001,69328,45271
    CMD001,62466,45271
    CMD001,62466,45271
    CMD001,69328,45271
    CMD001,69605,44993
    CMD001,69605,45548
    CMD001,62188,45548
    CMD001,62188,44993
    CMD001,69605,44993
    CMD002,62466,45175
    CMD001,62466,45175
    CMD001,69328,45175
    CMD002,69328,45175
    SUB603,416,20833,97222,69328,45175
    CMD001,69328,45175
    CMD001,69328,45175
    CMD001,62466,45175
    CMD001,62466,45175
    CMD001,69328,45175
    CMD001,69605,44898
    CMD001,69605,45453
    CMD001,62188,45453
    CMD001,62188,44898
    CMD001,69605,44898

    Horizontal line moved in x:

    CMD001,69328,45271
    CMD002,69328,45271
    SUB603,416,20833,97222,69328,45271
    CMD001,69328,45271
    CMD001,69328,45271
    CMD001,69328,45271
    CMD001,69605,44993
    CMD001,69605,45548
    CMD001,69605,44993
    CMD001,69492,45271
    CMD002,69492,45271
    SUB603,416,20833,97222,69492,45271
    CMD001,69492,45271
    CMD001,69492,45271
    CMD001,69492,45271
    CMD001,69770,44993
    CMD001,69770,45548
    CMD001,69770,44993
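
A pre-upload check for the job text format listed above, added here as an example (it is not the NSL or Leetro code). It assumes `CMD050,1,x` is the laser switch and `CMD001` a move, as the comments in the listing say; the speed and power scaling is inferred from the "100 to 300" and "9 to 99" diffs, and `parse_job`, `lint_job`, `ui_speed` and `ui_power` are names made up for this example.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: every record is copied from the listing in the post and
# arranged into one short job (set speed/power, laser on, two moves, laser off).
SAMPLE_JOB = """\
SUB001
CMD401,416,880,13888,900
CMD402,900
CMD409,416,880,3000,13888,900,5000 //set  ramp speeds and power
CMD050,2,1
CMD002,63556,42631
CMD050,1,1 //laser on
CMD001,63556,42631 // move
CMD001,69328,45271
CMD050,1,0 //laser off
"""

RECORD = re.compile(r"^(SUB|CMD|SET)(\d{3})(?:,(.+))?$")


@dataclass(frozen=True)
class Record:
    lineno: int
    kind: str    # "SUB", "CMD" or "SET"
    code: int    # three-digit number after the kind
    args: tuple  # comma-separated integer arguments


def parse_job(text):
    """Parse job text into records; '//' starts a comment, blank lines are skipped."""
    records = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("//", 1)[0].strip()
        if not line:
            continue
        m = RECORD.match(line)
        if m is None:
            raise ValueError(f"line {lineno}: unrecognised record {raw!r}")
        kind, code, rest = m.groups()
        try:
            args = tuple(int(a) for a in rest.split(",")) if rest else ()
        except ValueError:
            raise ValueError(f"line {lineno}: non-integer argument in {raw!r}") from None
        records.append(Record(lineno, kind, int(code), args))
    return records


def ui_power(raw):
    """Power field to percent (the 9 -> 99 diff shows 900 -> 9900)."""
    return raw / 100


def ui_speed(raw):
    """Speed field to UI speed. Inferred: 100 -> 13888 and 300 -> 41666
    both fit raw = floor(speed * 1250 / 9)."""
    return round(raw * 9 / 1250)


@dataclass
class Report:
    speeds: list = field(default_factory=list)    # decoded CMD401 speeds
    powers: list = field(default_factory=list)    # decoded CMD402 powers, percent
    lit_moves: int = 0                            # CMD001 while the laser is on
    dark_moves: int = 0                           # CMD001 while the laser is off
    findings: list = field(default_factory=list)  # problems worth a human look


def lint_job(records, max_power_pct=100.0):
    """Walk the job, track the laser switch and flag jobs that leave it on."""
    rep = Report()
    on_since = None  # line where the laser was last switched on, or None
    for r in records:
        if r.kind != "CMD":
            continue
        if r.code == 50 and len(r.args) == 2 and r.args[0] == 1:
            if r.args[1] == 1:
                if on_since is not None:
                    rep.findings.append(f"line {r.lineno}: laser on while already on")
                else:
                    on_since = r.lineno
            elif r.args[1] == 0:
                on_since = None
        elif r.code == 1 and len(r.args) == 2:
            if on_since is None:
                rep.dark_moves += 1
            else:
                rep.lit_moves += 1
        elif r.code == 401 and len(r.args) == 4:
            rep.speeds.append(ui_speed(r.args[2]))
        elif r.code == 402 and len(r.args) == 1:
            pct = ui_power(r.args[0])
            rep.powers.append(pct)
            if pct > max_power_pct:
                rep.findings.append(f"line {r.lineno}: power {pct}% above limit")
    if on_since is not None:
        rep.findings.append(f"laser switched on at line {on_since} and never switched off")
    return rep


if __name__ == "__main__":
    print(lint_job(parse_job(SAMPLE_JOB)))
```

The same scaling turns the other speed-like fields in the listing (20833, 6944, 69444, 97222) into round numbers, which supports the inferred factor.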


    Lots of boxes were cut

    boxmaker scripty thing

    Found a nice dragon box on Thingiverse

    bVector made  a nice mod to that case.

    So this ends our first week with the cutter. We have to decide if we’re replacing the controller. Leetro apparently want us to buy $25,000 of stuff to get the SDK documentation, but we’re so far into reversing it that it won’t matter. The controller might be ok. It has some strangeness, and we want it to speak GCODE, so maybe another GRBL based controller like we did for Pickobear.

    We’re also building a new frame for it, and updating it to 170W laser tube (maybe)

    more to come….

    http://www.youtube.com/watch?v=7MZenjpAZJ4

     
    • Sascha 9:00 am on June 20, 2012 Permalink | Reply

      Great post & congrats on getting yourselves a laser!!! I bought a laser 18 months ago from WKLaser and had a wonderful experience dealing with them. Oh, and I had to remove a window to get my laser inside, too :)

    • Hugo 12:56 pm on June 20, 2012 Permalink | Reply

      I’m curious (and surprised) about your modest successes cutting steel. I had heard that (due to the reflectivity of the molten steel?) attempting it can damage the laser or the head/nozzle/lens and that metal-cutting CO2 lasers have an additional polarizing filter system to control the reflections. Have you noticed any problems since cutting steel? Or any plans to improve the cuts in the future?

      • charliex 4:38 pm on June 20, 2012 Permalink | Reply

        The mirrors and the last part of the laser ( the focus stage ) are consumable basically, the very last stage will get eaten simply away with the heat etc, so we are looking to change them out to copper ends and increasing the laser’s power. We will probably only keep cutting the same thin steel but it’s useful for us. The 170W tube should get us where we want to be.

    • Dan 1:26 pm on June 20, 2012 Permalink | Reply

      Awesome! Keep us up to date on the controller reversing – I’ve got one with an MPC6535 controller and the lasercut software can be quite limiting and badly behaved on occasion.

    • oktane 12:48 am on June 21, 2012 Permalink | Reply

      Congrats guys, wish I was still in LA to see this and help reverse that controller app, sounds like fun. I volunteer for the first NSL laser tattoo, just spray my arm with flat black spraypaint. (semi-serious here) Remind that distinguished rapist enzo to send me the nsl stickers! (he promised)

  • charliex 6:29 pm on August 31, 2011 Permalink | Reply
    Tags: 460, zevatech

    Juki 360 rebuild at [Null Space Labs] 

     

    This is a log of the current work we’re doing at NSL http://032.la

    Rather than hand build all the badges for our  socal security conference layerOne again, http://www.layerone.org/ we’ve gone to a pick and place machine.

    Gleep found us a Juki (Zevatech) Placemat 360 (that seems to have been upgraded to a 460) pick and place machine. It was sold as ‘working’; the seller’s definition was, if I’m completely honest, a stretch (outright lie).

    This is actually our second pick and place machine, we don’t mention the other one :)

    We’re also interested in acquiring a Zevatech/Juki 460 if you have one for a decent price.

    Basically he demo’d everything that didn’t need a compressor, that all worked. Of course everything that needed a compressor as we found out later, didn’t work! Still $1,200 isn’t bad.

    I used my supersilent 20a as a temporary compressor. It only has a small < 1 gallon tank, but it’s actually quiet. We used the 8 gallon compressor at null space, which is deafening, so I found a 3 gallon temporary one at harbour freight for cheap in their recent sale. It’s too small though, so we’ll need shop air at some point. The supersilent was causing the pickup head to fail to work after a few passes, which caused us a few false starts; the machine needs a solid air supply to function, even in testing.

     

    The existing filter and pressure regulator was a mess, so off to home depot to come back with the best we could find there, which isn’t that great.

     

    This is the old one, remember sold as working. No filter, and all these bits were just lying around inside it.

    The machine itself is based on the PC-8801 Z80 4mhz CP/M which I recognised straight away as my old job had me doing game conversions in Japan for the PC-9801.

     

    Dusty

    The whole machine works pretty much on the principle that if the CNC software said do this, do that, then it executed perfectly. Only limit, head, home and the tool changer have checks.

    We fired it up. Krs and Gleep got it picking and placing a few resistors (though they somehow managed to get the tape removal part completely wrong and it was throwing resistors all over the place). Then mmca got it placing QFP parts correctly. The lamp spot system was off, the 90° rotation was off, the tubes were old and cracking. Compressor filter was non existent and rusted out. We’ve also discovered the whole thing is covered in parts from the previous owners; we’ve scored a few 100 0805s and some ICs.

     

    Free Parts!

    The reed sensor was the first thing we found that was broken, a quick trip to eBay and a few days later we had replacements. Luckily Juki is in heavy use, and they use a lot of off the shelf components. Apparently the later 5xx machines do switch to a proprietary drive system.

     

    The reed switch detects if the head is up or down. It’s one of the few sensors in this machine. The bend has caused the wiring to break down internally over the years, so the machine gets confused about being up or down, and the software doesn’t cope well with that; it basically needs a full reset afterwards.

     

    The new sensors , $9 from eBay.

    I also bought a CPLD based floppy emulator from Poland, it hasn’t arrived yet and we’ll probably be done with the new system before it gets here, and we’ve discovered the speed stays the same but floppy drives won’t last so the SD is still a good replacement.

    Placing QFPS (AT90CAN128)

    Fashioned a quick tray for the IC placements. We use these great little boxes, also from eBay, for holding SMD components, they double up as handy platforms too.

     

    Feeders

    The feeder is controlled by the head, it moves over the spring loaded pin and pushes it down, this releases air and the notched wheel on the right moves the component reel tape one step, at the same time the protective covering tape is peeled away, allowing the machine to come back and pick the part up. This time, they’re correctly threaded, previously the protective tape was wrapped around the pin in the middle.

    Side view of feeders, you can see the reel of components on the left, and the pneumatics underneath. It’s important to choose a pick and place with a widely available range of cheap feeders; all too often people buy a cheap pick and place then find out it has none, and it’ll cost $1000’s to get them, if at all.

    Feeder with pneumatic assembly

    The expansion board

    This is the board inside the machine. It is a couple of 8255s, which are the de facto standard for PC parallel IO; almost every PC has had one or more of these. They’ve since moved into the ASICs but the principle is the same. It memory maps each of the input/outputs of the machine so that the host PC can see them. I pulled off the floppy image, copied the files to my PC and reverse engineered the controller code with IDA.

     

    I found an IMG of the floppy online; this was MFM encoded. So I converted that to a raw binary file, and then used cpmtools to copy the files from it. I was hoping to find some of the saved files so we could reverse the format and write a quick tool to do the placement. Once the files were copied off I tried a few of the different PC-8801 emulators, M88 etc, but had no joy in getting it running. So finally I just pulled apart the CP/M COM files in IDA to see what we could find.

    The teaching process is tedious, so reversing the format would have been worthwhile.

    Interface board

    This board takes the IO from the PC, buffers it (74LS240) and uses power darlingtons (FT5723M) to switch the 24V signals for the pneumatics, as well as reading the various sensors and the + / – for the motors. The motors and stepper drivers are off the shelf, but very nice; we even have newer versions of the motors and controllers at NSL. I’ve removed the bottom connector to make it easier to take pictures.

    The grey cable that has been added later is the automatic tool changer, this is soldered directly in the spare connections , 5V and 24V VDC. The 5V powers the small adapter board in the ATC and the 24V is for the pneumatic switches.

    The remaining signals are multiplexed IO that are demuxed by a 74LS138 on the ATC board, which deviates from the way the rest of the board works, as the rest are all controlled by the darlingtons directly.

    Each function of the machine is basically <control> – <buffer> — <pc> – <memory map>

    So if you want the head to go down, you flip a bit in the PC’s memory. It’s all digital IO, nothing fancy at all. The only extra part is the 5V TTL to 24VDC for the pneumatic switches.

    Stepper drivers and power supplies.

    The stepper drivers are on the bottom, the other one is to the right under the tray. the two power supplies are just visible at the top right, one is a 5V the other a 24V. The power filter is in the lower left.

    Power supply

    Stepper motor driver

    XY gantry

    Since the machine was in bad need of service, we stripped it down; here the XY belts are visible. The top side has the driver motor and the bottom side gets its power from a rod under the bed on the right side, so both belts are moved in unison. The ATC is in the top right and the frame in the middle is what is left of the PCB holder.

     

    Tearing it down.

    The head

    mmca stripped the head down. Here it is removed from the gantry, mainly because there is a piece of string visible, and we can’t figure out what it’s for.

     

    Shims, we don’t think these are factory shims.

    The strange piece of string inside the head… What could it be for?

    Bottom view of the tool pickup and the 90° rotation.

     

    These 4 arms are moved towards the part and clamp it gently; this straightens the part for placement. It can also rotate the part by 90° (which sucks for us because I always like to put parts at 45°).

    The laser, focused lamp (this machine continues to surprise us ) which is used to position the head in teaching mode.

    We’re removing the lamp and replacing it with machine vision, so some measurements are taken.

     

    The hoses are removed and marked with a letter , the corresponding connector is also marked with the same letter.

    This is how the previous owners repaired the 90° rotation arms….. so that explains the string. This was removed and repaired correctly. The 90° does just that: it rotates a part by 90°, that’s all this machine can do, so we’re going to change that so it can do arbitrary rotations.

     

    This hose had cracked, a few others did too. I found a few temporary replacements at the auto parts store 4mm ID, 8mm OD  fuel priming line.  The plan is to replace all the hose.

    Stripped machine screw in the head. Replace from grainger, M3x8mm 0.4mm thread 5.5mm head size.

    And some missing set screws

    Spent some time measuring all the screws and what not. The machine is old enough that it came with proper manuals with circuit diagrams.

    We’re replacing the IO board, the plan is to throw in a TI Stellaris ARM lm3s9b96 chip instead, (TI were good enough to send us a bunch a while ago, thanks TI!)

    This board is a dumb board, it just marshals the I/O and does the switching of the 24VDC with darlingtons.

    Here we’re removing and verifying the connector sizes and function (the manual had some errors), so it’s good to do that. It also gives us good insight into what’s going on.

    Checking how the machine works with my trusty fluke.

     

    I threw together the connector layout in eagle and printed it out to verify it,  early revision.

    Measure the hole size and distance. Our board is exactly the same size so its a drop in replacement, we’ll just lose the two larger connectors and change it to USB.

    Here we were figuring out how the ATC worked. At first it was thought to drive it directly, but there weren’t enough wires. So it’s 24V, 5V and control signals. The small interface board at the front is a 74LS138 decoder/demultiplexer with a few buffers and more darlington drivers; it switches the 24V on and off based on the 4 control signals coming in.

    Automatic Tool Changer

    The tool wanted is lifted up when the machine wants to change it, on the right are the pneumatic switches that are controlled by a 24V signal.

     

     

    We’re using Power MOSFETs to control the 24V instead, a 6 pin ROHM US6K1DKR in a TUMT6 package ( time to create a new device in eagle again !) I ordered 100 from Digikey yesterday and should have the board layout finished today. Then we can mill out a test PCB and see how it works. (parts arrived a few minutes ago!)

    You might be amazed, I was , about just how simple this machine is, you could run the whole thing from a set of on/off switches, albeit very slowly. But that is great for us though as it makes it very easy to replace the PC software.

    The next big thing is going to be testing the new power MOSFET and building the new PCB. The chips have arrived.

    So new eagle package

    Cut out a few to test.

     

     

    Apparently I goofed on the measurements, I did change it around a tad after the first revision. Teeny part.

    Soldered it anyway

     

    So the next step is adding cameras etc.

     

    mmca explaining the new part to be cnc’d out for the camera

     

    mockup of the mount

     

     

     

    The head has to be recalibrated so the bottom of the tool is 62.5mm from the table, with a .1mm accuracy, so we as usual went overboard and used grade B gauge blocks.

    69.5mm to .00005 inches accurate.

     

    Gauge blocks are fascinating: they stick together like magnets if you put them together by making sure there is no air between them, but if you just stick them together they won’t. Super flat. These aren’t grade A or better, but they’re nice. mmca has the coolest stuff.

     

    Starting to rebuild it

     

     

    Machine vision tests

    This is work in progress, testing RoboRealm/OpenCV and teaching it components, it works well!

     

    Using a PandaBoard and an HP HD Webcam for testing the vision.

     

    Software

    Playing around with layouts for a quick test tool. The two grey areas are for the cameras.

     

    Well that is it so far. My Motorola Atrix decided that the fingerprint reader would become burning hot to the touch, so I pulled it apart and removed it, but somehow managed to make it do a full hard reset (or a docwho76 as we call it) and it deleted a bunch of my pictures. Google+ had failed to sync them. But we’ll keep documenting the project.

     
    • Jack Gassett 4:52 pm on September 1, 2011 Permalink | Reply

      Hey, this is great guys! I have the exact same pick and place unit and went through the same pains getting it up and running about a year ago.

      Thought I’d share a couple tips that I learned, you might already know them, or they might help. :)

      I was having trouble with the autochanger detecting if a bit was attached. At first I thought it was the reed switch. But it turned out that it was actually the PS4 pressure switch. You can put it into test mode, drop a bit onto the rubber pad by the autochanger and then look for a red LED to light up on the PS4. Adjust the screw on the PS4 to get it just right.

      The other tip is that I don’t even bother with the teaching light anymore. Screaming Circuits has an EAGLE ulp file that generates a centroid file with exact coordinates of your parts. It saves a LOT of time to just print out the centroid file and type the exact coordinates in instead of teaching each component location.
      http://i.screamingcircuits.com/docs/ScreamingCircuits%20centroid%20ULP.zip

      Hope this helps, and hope you guys have as much fun with your Juki as I have. :)

      Jack.

      • charliex 5:06 pm on September 1, 2011 Permalink | Reply

        Hey Jack,

        Yeah i saw you on the zevatech list, seems like its a small world!. We’re completely replacing the PCB and rewriting the software for it. The reed switch was definitely broken, and once repaired and realigned the head, it picks up stuff really nicely now.

        The initial plan was to reverse the save file and put the centroids directly into that, but we decided to go whole hog and just redo all the software.

        charlie

    • Jack Gassett 8:49 pm on September 1, 2011 Permalink | Reply

      Hey Charlie,

      The thought has crossed my mind to replace the old Z80 computer with a Soft Z80 running on my Papilio FPGA board. :)

      The two problems with that are:
      1) The software as it is is not the greatest, seems like a lot of work and you would end up with the same software.
      2) It’s a lot of work that very few people would actually ever use.

      But, I love my local hackerspaces and if you think you can use a Papilio FPGA board I’d be happy to donate one to you guys.

    • charliex 9:04 pm on September 1, 2011 Permalink | Reply

      thanks Jack, I’ve got a few of your fpga boards already, got a few maybe three years ago? when we were all looking at the sump. we’re always happy to take more donations of dev boards though for people. http://wiki.032.la/nsl/Equipment_Inventory

      But we’re actually replacing it with an Stellaris ARM because TI gave us a bunch of free chips and dev boards, if we promised to make something cool. I’m writing the PC control software from scratch too and adding machine vision etc. I’ve got most of the board ready in eagle.

    • truthspew 9:40 pm on September 1, 2011 Permalink | Reply

      Wow, that is far too cool. Taking an old piece of tech and extending its usable life by upgrading its systems is priceless. I wish you great adventure with the machine!

    • Tim 3:40 pm on September 2, 2011 Permalink | Reply

      Very cool! How are you planning to implement the control software and vision system? I’ve been laying some groundwork for an open-source pick&place design, and the software controller is the next major step. (Right now this consists only of a Python to EMC2 remote interface and a few not-ready-for-primetime opencv experiments, but my freetime will free up again a bit this fall!)

      • charliex 9:53 pm on September 4, 2011 Permalink | Reply

        Longer term plan is to use a custom arm board, but last night we just built and designed a shield for the arduino mega. Vision is opencv currently

        • rfritz 3:44 pm on September 9, 2011 Permalink

          “Shims, we don’t think these are factory shims.” – They ARE factory shims.

          “The strange piece of string inside the head… What could it be for?” – It could be and in fact IS an oil wick. Google JUKI to find out what they made b4 pp machines.

          Contact Marc LeLonge(sp?) [alphatronique.com] on Zevatech list, he completed the ARM controller w/ PC GUI a while back.

          There are also scanned manuals and exploded mechanical dwgs for machine and assy’s.

        • charliex 7:15 pm on September 9, 2011 Permalink

          We found out about the shims being factory last night oddly enough, however the string was there to hold some bits in place. I’ve already chatted to marc, his solution isn’t finished yet and we’re pretty much at the same stage he is, maybe even a little bit beyond it as we’re moving on to the machine vision.

    • rfritz 4:45 am on September 10, 2011 Permalink | Reply

      I have three 460 heads all with “the string”, just like in your photo. Two from Florida and one from Texas. Hmm.

      • charliex 5:34 am on September 10, 2011 Permalink | Reply

        yeah the oil string thing makes sense for the age of the machine, with modern lubricants you shouldn’t need it. our head was in a mess when we got it and had to rebuild it and it was held together with all sorts/ it wasn’t in the manual we could see either.

    • Marc Lalonde 6:19 pm on September 13, 2011 Permalink | Reply

      Hi

      sorry charlies but my project not a same stage of your
      i have all my machine doing production since august
      and one of it with vision and servo rotation on head

      Kit i put on ebay was intended to be easy to install and setup so i remove
      servo and vision since i quite hard to setup and expensive since i use cognex vision system
      optic and lighting was not easy task to setup (top and bottom vision)

      as for software issue that have make me crash my machine head it was fixed now
      so now i monitor head cylinder switch and stop all motor in hardware if head was not full up
      old soft version rely on soft but experience show me that if head was stuck down(no air)
      the protection was not good and may let motor move and cause damage

      but i not yet know if i put back on ebay since commercial grade hardware software make it expensive
      and market was quite limited so seem that i will never recover R&D money i put on solution
      but at last i have all my 5 machine working (3 in production + 2 spare)
      so my project main goal was done i have machine that operate like i want and take 3 minute to program

      also remember that make machine move was the easy part , make it easy to operate ,user friendly
      and reliable was more difficult i have ~75k line of code firmware hardware for have it

      Best regard and good luck
      Marc lalonde
      Alphatronique inc.

      • charliex 6:38 pm on September 13, 2011 Permalink | Reply

        We have the head up down detection, it won’t move with the head down, it knows if its homed, it knows the size of the table, it knows if its not moving, it knows if it picked up a tool or not, it knows if it picked up a part or dropped it, it knows if the air supply is probably getting low and waits for the compressor to catch up. It knows if the emergency switch has been pushed and needs to rehome. We’re using half step, the controllers have been updated for newer ones, same for the motors.

        We’ve added all sorts of safety features, some of them weren’t in the original . everything that can be checked is checked. The machine vision is being added too, head rotation is being worked on last night.

        There is nothing fancy about it, its a very simple system it doesn’t take a lot of work to better the zevatech.

        All of this we’ve done in a couple of weeks.

    • Marc Lalonde 10:05 pm on September 13, 2011 Permalink | Reply

      Hi

      as said before i have no doubt about your hardware

      i just curious why change drive and original stepper ?
      original 5 phase stepper have lot of torque @ hi speed compared to 2 phase stepper
      and still not sure about why use half step ? original drive do 0.25mm/step
      (zevatech software handle only 0.5mm but it software limitation)
      but i found that resolution limitation not come from motor but from feeder mechanical variation (repeatability issue)
      and solder paste making part slick since head height and force was only limited by gravity

      Best regard

    • charliex 10:10 pm on September 13, 2011 Permalink | Reply

      Simply because we could and had the parts on hand in the lab. The new controllers also offer more features too, the guy i work with is a cnc magician so he’s the one driving the changes.

      We’re also planning to add more features to the machine, and get down to 0402 (or better) we’re working on our own feeder design.

      • Jose 10:42 pm on March 1, 2012 Permalink | Reply

        Hi Charliex, great work on the 360. I have a JUKI KP460 that I have also rebuilt and it’s doing some good work now, but I’m VERY interested in upgrading it to camera and GUI interface, eager to replace the 286 PC running it!!!! and the floppy drive. Great tip, great work. I’m not a programmer but like to tinker, any info/tips on how to modify my unit’s servos for OpenPnP would be great. Also feeders, are you guys thinking to modify the feeders? To smartfeeders? And the tips, when you break them where do you get the replacements from? I broke a few that I patched and modified to pick up up to 0603 components.

    • charliex 11:56 pm on March 1, 2012 Permalink | Reply

      As long as it’s stepdir, OpenPnP will support it.

      We haven’t changed the feeders, just been buying them off ebay when they appear.

      tips we haven’t broken yet, but parts we just scav around from people.

  • charliex 3:25 am on November 24, 2009 Permalink | Reply
    Tags: Dream cheeky, hacking, usb message led   

    Hacking the Dream Cheeky USB LED Message Board 

     Dream Cheeky

     

    For some reason I always pick up these dumb scrolling message things at Fry’s. The first one had an embedded uC that Furan had hacked by RE’ing the wires and installing a new uC. This one has USB but doesn’t work without the program running on the host PC…

     

    So let’s hack it..

     

    First thing is that it is a USB HID, so that is fairly straightforward. HID Write comes into play here. Jan Axelson is pretty much the standard for USB/serial etc: http://www.lvr.com/hidpage.htm

     


     

    A quick poke around and the bytes look like brightness, location, data. 0xFF is all off, 0x00 all on. The rightmost byte is leftmost on the display, at 0x00 0x00 0xFF 0xFF 0xFF 0xFF 0x00

    First byte is brightness.

    Second byte is the vertical row; 0x5 is the bottom, and two lines are written at once. If you give it 0x6 it’ll write the first line to the last row, then wrap after a few that disappear.

    It takes a message length of 0x9, and there is no read back.

    That’s it on the hardware side really!

     

    Using usbhido_vc6 as an example, all you have to do is FindHid() with the VID/PID set, and then do

     

    I just threw in some junk code to show it working

     

    if( MyDeviceDetected ) {

        // always
        OutputReport[0] = 0x0;

        // brightness 0 .. 15
        OutputReport[1] = 15;

        // row to write; two rows go out per report, so step by 2
        OutputReport[2] = row;

        row += 2;

        row %= 8;

        // fill in some changing junk data; the payload is bytes 3..8 of the 9-byte report
        for( int i = 3 ; i < 9 ; i++ ) {
            OutputReport[i]++;
        }

        if (WriteHandle != INVALID_HANDLE_VALUE)
        {
            // HidD_SetOutputReport returns a BOOLEAN, not an HRESULT
            BOOLEAN Result = HidD_SetOutputReport
                (WriteHandle,
                OutputReport,
                9); // fixed length (comes from device report)
        }
    }

     

    It’s trivial to treat the output as a frame buffer, 21×7

    so the header of the OutputReport[] looks like

    offset 0, always 00
    offset 1, brightness, 0-15
    offset 2, row *2

    then the remaining bytes are

    offset 3,   0x00 – right hand side 5 LEDs on
    offset 4,   0x00 – middle 8 LEDs all on
    offset 5,   0x00 – left 8 LEDs all on

    offset 6,   0x00 – right hand side 5 LEDs on, second row
    offset 7,   0x00 – middle 8 LEDs all on, second row
    offset 8,   0x00 – left 8 LEDs all on, second row

    0xfe in an 8 LED cell would mean the leftmost LED was ON and the others off.

    0xaa would be ON,OFF,ON,OFF,ON,OFF since the LEDs are reversed, since 1 is LED off.

    A quick #define in C for the 5 LEDs:

    #define LED_5(a,b,c,d,e) ( (!(e)<<4) + (!(d)<<3) + (!(c)<<2) + (!(b)<<1) + (!(a)) )

    The 8s:

    #define LED_8(a,b,c,d,e,f,g,h) ( (!(h)<<7) + (!(g)<<6) + (!(f)<<5) + (!(e)<<4) + (!(d)<<3) + (!(c)<<2) + (!(b)<<1) + (!(a)) )

    You can use the 8 macro for the 5 LEDs, since it ignores the top ones, so LED_8(1,1,1,1,1,0,0,0) is equivalent to LED_5(1,1,1,1,1)

    One whole row, left to right would be

    OutputReport[5] = LED_8(1,1,1,1 ,1,1,1,1) ;
    OutputReport[4] = LED_8(1,1,1,1, 1,1,1,1) ;
    OutputReport[3] = LED_8(1,1,1,1 ,1,0,0,0) ;

     

    And some equally hacky code just to see if the above all works in principle.

     

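    #define LED_8(a,b,c,d,e,f,g,h) ( (!(h)<<7) + (!(g)<<6) + (!(f)<<5) + (!(e)<<4) + (!(d)<<3) + (!(c)<<2) + (!(b)<<1) + (!(a)) )

    // y reaches 7 for the second row of the last report; treat that row as
    // blank instead of reading past the end of the 21*7 frame buffer
    #define FB(x) ((y) < 7 && framebuffer[(x) + ((y)*21)] ? 1 : 0)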

    #define _ 0
    #define W 1

    unsigned char framebuffer[21 * 7] = {
       W, _, W, _, W, W, _, W, _, _, W, _, _, W, W, W, _, W, _, W, _,
       W, _, W, _, W, _, _, W, _, _, W, _, _, W, _, W, _, W, _, W, _,
       W, _, W, _, W, _, _, W, _, _, W, _, _, W, _, W, _, W, _, W, _,
       W, W, W, _, W, W, _, W, _, _, W, _, _, W, _, W, _, W, _, W, _,
       W, _, W, _, W, _, _, W, _, _, W, _, _, W, _, W, _, W, _, W, _,
       W, _, W, _, W, _, _, W, _, _, W, _, _, W, _, W, _, _, _, _, _,
       W, _, W, _, W, W, _, W, W, _, W, W, _, W, W, W, _, W, _, W, _
    };
    #undef _
    #undef W

    void CCreamDeekyDlg::OnTimer(UINT_PTR nIDEvent)
    {
        int y;

        CDialog::OnTimer(nIDEvent);

        if( MyDeviceDetected ) {

            for( y = 0 ; y < 7 ; y++ ) {

                // always
                OutputReport[0 ] = 0x0;

                // brightness 0 .. 15
                OutputReport[1 ] = 1;

                OutputReport[2 ] = y;

                OutputReport[5] = LED_8(FB( 0),FB( 1),FB( 2),FB( 3),FB( 4),FB( 5),FB( 6),FB( 7));
                OutputReport[4] = LED_8(FB( 8),FB( 9),FB(10),FB(11),FB(12),FB(13),FB(14),FB(15));
                OutputReport[3] = LED_8(FB(16),FB(17),FB(18),FB(19),FB(20),0,0,0);

                // second row of this report (the loop's own y++ then moves to the next pair)
                y++;
                OutputReport[8] = LED_8(FB( 0),FB( 1),FB( 2),FB( 3),FB( 4),FB( 5),FB( 6),FB( 7));
                OutputReport[7] = LED_8(FB( 8),FB( 9),FB(10),FB(11),FB(12),FB(13),FB(14),FB(15));
                OutputReport[6] = LED_8(FB(16),FB(17),FB(18),FB(19),FB(20),0,0,0);

                if (WriteHandle != INVALID_HANDLE_VALUE)
                {
                    BOOLEAN Result = HidD_SetOutputReport
                        (WriteHandle,
                        OutputReport,
                        9);
                }
            }
        }
    }

    And it does. That’s brightness level 1, but it’s an iPhone..

    IMG_1134

     

    Next I think I’ll see if I can implement per-LED brightness; I’m hoping POV will let me write multiple times on the same row.
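    The report layout described above, packed by a bounds-checked function rather than macros (an added example, not code from the original post). Seven rows sent two per report means the fourth report's second row has no frame-buffer data, so it is sent blank. The names `pack_cell` and `build_report` are hypothetical, and the even row values 0, 2, 4, 6 are assumed from the loop in the post.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define FB_W 21
#define FB_H 7
#define REPORT_LEN 9            /* fixed report length given in the post */

/* Pack `count` LEDs of row y, starting at column `first`, into one byte.
   Bit 0 is the leftmost LED; a 0 bit lights it. Out-of-range pixels stay off. */
static uint8_t pack_cell(const uint8_t *fb, int y, int first, int count)
{
    uint8_t v = 0xFF;                               /* all LEDs off */
    for (int i = 0; i < count; i++) {
        int x = first + i;
        if (y >= 0 && y < FB_H && x < FB_W && fb[y * FB_W + x])
            v &= (uint8_t)~(1u << i);
    }
    return v;
}

/* Fill out[] for rows y and y+1. Returns 0, or -1 on invalid arguments. */
int build_report(const uint8_t *fb, int y, int brightness, uint8_t out[REPORT_LEN])
{
    if (!fb || !out || y < 0 || y >= FB_H || (y & 1) ||
        brightness < 0 || brightness > 15)
        return -1;
    out[0] = 0x00;                                  /* always 0 */
    out[1] = (uint8_t)brightness;
    out[2] = (uint8_t)y;
    for (int r = 0; r < 2; r++) {
        uint8_t *p = out + 3 + 3 * r;
        p[0] = pack_cell(fb, y + r, 16, 5);         /* right 5 LEDs */
        p[1] = pack_cell(fb, y + r, 8, 8);          /* middle 8 LEDs */
        p[2] = pack_cell(fb, y + r, 0, 8);          /* left 8 LEDs */
    }
    return 0;
}

int main(void)
{
    uint8_t fb[FB_W * FB_H] = {0}, out[REPORT_LEN]; /* constructed test frame */
    memset(fb + 6 * FB_W, 1, FB_W);                 /* bottom row fully lit */
    for (int y = 0; y < FB_H; y += 2) {
        if (build_report(fb, y, 1, out) != 0) return 1;
        for (int i = 0; i < REPORT_LEN; i++) printf("%02X ", out[i]);
        putchar('\n');
    }
    return 0;
}
```

    Each `out[]` buffer is what would be handed to `HidD_SetOutputReport` with length 9, so the packing can be checked without the sign attached.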

     
    • Chrysilis 6:28 am on December 3, 2009 Permalink | Reply

      I just pulled mine out for some christmas messaging and eagerly await further developments!

    • Manzed 5:20 pm on August 1, 2010 Permalink | Reply

      Wow nice, I have no clue about the HID stuff but I guess it shouldn’t be a brainer to come up with a VB script that writes any message to it? You know, I’d like to let people leave comments on a website and have it sent to a little HTTP-server on my comp, then pass the message on to VB and have it displayed on the LED. Oh and received email headers could be displayed too. All I’d need is the VB code, any clue how to make that possible?

    • Manzed 6:01 pm on August 1, 2010 Permalink | Reply

      oh i just found something here – http://board.homeseer.com/showthread.php?t=129324
      “There is a 3rd Party interface for the Dream Cheeky LED sign available. This allows Cmd line control and even has client/server facilities, font and graphic editing.”

      Exactly what i want.
      http://sourceforge.net/project/platformdownload.php?group_id=257864

    • Duncan 11:31 pm on September 17, 2010 Permalink | Reply

      Any further developments on this? I am looking for a way to visibly report on the latest build coming out of CruiseControl.NET, and figured this board would be awesome for “BUILD FAILING” messages… and maybe the name of the programmer who broke the build. Anyway, I don’t want to have to load software, I’d want something that would be .bat / .com friendly. Surely it’s trivial to call a .exe from a .bat and pass in a string, which is passed to the message board, yes?

    • Ryan 7:19 am on May 15, 2011 Permalink | Reply

      Hi there.

      Good job! I just want to know if there is visual basic source code to use with the cheeky LED display that I can download somewhere?

      Many thanks

      Ryan

    • zaphodikus 8:32 pm on December 4, 2012 Permalink | Reply

      I’m a bit worried about accuracy and the unusual use of math here, “It’s trivial to treat the output as a frame buffer, 21×7”. Are we saying the device has 148 pixels and they are written to from left-to right, not top to bottom as one might expect?

      • charliex 10:09 pm on December 4, 2012 Permalink | Reply

        It’s definitely 21×7, honestly I don’t recall if it’s left to right or top to bottom addressing, but you’d deal with that in the per write routines anyway. I do recall it being left to right.

  • charliex 12:03 am on July 25, 2009 Permalink | Reply  

    Windows 7 blue screen DRIVER_POWER_STATE_FAILURE (9f) 

     

    Fairly regularly I was getting a

    DRIVER_POWER_STATE_FAILURE (9f)

    BSOD/BugCheck.

    Turns out it’s the Western Digital MyBook connected to the FireWire port. Supposedly it only happens after hibernate/resume, but I was getting it at other times. Perhaps the drive itself was sleeping.

    No solution I can find for W7 yet; Vista had a known problem for it and a service patch.

    http://support.microsoft.com/?kbid=929762&sd=RMVP

    0: kd> !analyze -v
    *******************************************************************************
    *                                                                             *
    *                        Bugcheck Analysis                                    *
    *                                                                             *
    *******************************************************************************

    DRIVER_POWER_STATE_FAILURE (9f)
    A driver is causing an inconsistent power state.
    Arguments:
    Arg1: 00000003, A device object has been blocking an Irp for too long a time
    Arg2: 87653028, Physical Device Object of the stack
    Arg3: 82d70ae0, Functional Device Object of the stack
    Arg4: a980bd70, The blocked IRP

    Debugging Details:
    ------------------

    DRVPOWERSTATE_SUBCODE:  3

    IRP_ADDRESS:  a980bd70

    DEVICE_OBJECT: 8a932ac8

    DRIVER_OBJECT: 86dd88e0

    IMAGE_NAME:  disk.sys

    DEBUG_FLR_IMAGE_TIMESTAMP:  49ee8a44

    MODULE_NAME: disk

    FAULTING_MODULE: 8b8f4000 disk

    DEFAULT_BUCKET_ID:  VISTA_DRIVER_FAULT

    BUGCHECK_STR:  0x9F

    PROCESS_NAME:  System

    CURRENT_IRQL:  2

    LAST_CONTROL_TRANSFER:  from 82cf083f to 82d25f28

    STACK_TEXT: 
    82d70a94 82cf083f 0000009f 00000003 87653028 nt!KeBugCheckEx+0x1e
    82d70b00 82cd31da 82d70ba0 00000000 82d7d280 nt!PopCheckIrpWatchdog+0x1f5
    82d70b38 82ca495d 82d8ba20 00000000 7a38c1d1 nt!PopCheckForIdleness+0x73
    82d70b7c 82ca4901 82d73d20 82d70ca8 00000003 nt!KiProcessTimerDpcTable+0x50
    82d70c68 82ca47be 82d73d20 82d70ca8 00000000 nt!KiProcessExpiredTimerList+0x101
    82d70cdc 82ca296e 000cbb70 85ae7d48 82d7d280 nt!KiTimerExpiration+0x25c
    82d70d20 82ca2798 00000000 0000000e 00000000 nt!KiRetireDpcList+0xcb
    82d70d24 00000000 0000000e 00000000 00000000 nt!KiIdleLoop+0x38

    STACK_COMMAND:  kb

    FOLLOWUP_NAME:  MachineOwner

    FAILURE_BUCKET_ID:  0x9F_IMAGE_disk.sys

    BUCKET_ID:  0x9F_IMAGE_disk.sys

    Followup: MachineOwner
    ---------

    0: kd> lmvm disk
    start    end        module name
    8b8f4000 8b905000   disk       (pdb symbols)          d:\symbols\disk.pdb\BC64DE4F0A0645F8BC4E6067A351FE861\disk.pdb
        Loaded symbol image file: disk.sys
        Image path: \SystemRoot\system32\DRIVERS\disk.sys
        Image name: disk.sys
        Timestamp:        Tue Apr 21 20:08:52 2009 (49EE8A44)
        CheckSum:         00010B49
        ImageSize:        00011000
        Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4

     
  • charliex 9:07 pm on July 10, 2009 Permalink | Reply  

    Aspire one oopsie! 

     

    I was out enjoying my day at Starbucks, and my Aspire One needed a reboot for something. It came back to a blank screen, deader than tank tops and platform shoes.

    So I did what anyone would do and took it apart, checked it all over for anything obvious, nada.. So then I checked Google for others having the same issues, and sure enough it’s a common problem ( note to self, do exactly the same thing since you learn a lot more taking it apart than just finding the answer on Google! ;)

    Apparently losing the BIOS isn’t infrequent for these little machines. I really like it, but I’ve made a few changes to it: added Bluetooth, and changed the “I can’t believe they can get away with that” terrible wireless card that disconnects and disappears if you look at it the wrong way.

    So a quick flash with a USB recovery stick and it came back to life, and with only one screw left over!

    IMG_0312[1]

     