Friday, November 26, 2010

Bluetooth Keyboards: who owns your keystrokes?

I gave a talk at ShmooCon 2010 on the security of Bluetooth keyboards and mice. After a restoration of the ShmooCon archive, the full video is once again available. I have also published the slides and such.

Most of my previous Bluetooth work had been done using software radio techniques requiring somewhat costly hardware. For this talk I focused on what is possible for both attack and defense using low-cost off-the-shelf Bluetooth equipment. It turned out that quite a lot of interesting things were possible that had not been demonstrated before. Even so, many essential capabilities such as passive monitoring remained out of reach without more expensive hardware, which is why I've since turned my attention to Project Ubertooth.

Tuesday, November 23, 2010

supporting OpenVizsla

I just made a pledge to support OpenVizsla, an open source USB analyzer. I had been thinking about designing something similar, and now I don't have to!

Tuesday, November 16, 2010

Ubertooth: first release

Tonight I uploaded the first release of Project Ubertooth, an open source wireless development platform that can be used for Bluetooth testing and research. This is a very preliminary release, but it includes the complete hardware design for Ubertooth Zero, firmware source code, and the host code needed to perform rudimentary Bluetooth sniffing as I demonstrated at ToorCon 12. Although you can download a project archive, I recommend using the Subversion repository so that you can easily keep up to date with the project as it develops.

The documentation is still a bit thin, but there are README files scattered about the project directories. The host code can be compiled with gcc on Linux. The firmware can also be compiled with a gcc toolchain (I have found the CodeSourcery package to be helpful) and can be flashed onto a board with lpc21isp. I've been using a slightly modified SparkFun FTDI Basic Breakout for this, but there are several serial programming devices that will work with lpc21isp.

Also in the repository is an early hardware design for Ubertooth One, the next generation board that I hope to have ready within a couple months. This is a more challenging design that will probably require a few revisions, so keep your expectations low if you try to build one based on the current layout.

Tuesday, November 02, 2010

introducing the DEF CON Super Rocker 18

Last spring I decided that this year I would win the DEF CON 18 badge hacking contest. I failed. In the process, however, I had fun and learned a great deal, and I ended up with a decent hack that is still unfinished.

I wanted to make something to take advantage of the digital signal processing (DSP) capabilities of the chip on the badge, so I decided to turn my travel guitar into the DEF CON Super Rocker 18, an electric guitar with digital effects powered by the badge.

I started with a Hohner 30" Folk Guitar, an instrument that you can find at toy stores for $30 to $50. I first bought a toy guitar several years ago when I had a job that involved a lot of travel. It was a great way to entertain myself and keep practicing while on the road. I could toss it into the overhead bin on an airplane without a case and not worry about damage because the thing only cost me $20. It didn't sound great (though it was much better than others of the same model that I tried - always try musical instruments at the store even if they are toys), but it was the best $20 I ever spent. That guitar lasted for years and traveled with me to about 25 states. After ToorCamp in 2009, I decided to retire that guitar because its quality had degraded considerably over several years and a few repairs. I replaced it with the Hohner, a higher quality instrument that made its first journey to DEF CON 17. I can't say enough good things about the Hohner. Yes, it is a toy, but I have played worse guitars that cost 10 times as much. If you've ever thought it would be nice to have a guitar for travel, backpacking, or to keep in your car, go get one.

If you are a friend of mine who is wondering why you didn't see me at DEF CON, it is probably because I spent quite a bit of the weekend soldering in my hotel room! I started the project about six weeks in advance, but I spent most of that time experimenting with alternative guitar pickup technologies. I saw the project as an opportunity to experiment more than a contest to win - and my results followed accordingly. When I arrived at the con, I had 99% of the circuits designed, 10% of them constructed, and I had yet to start cutting into the guitar or writing firmware.

I think it was a good thing that I started drilling the guitar in the bathtub. That made it much easier to clean up the sawdust in the hotel room. I used a manual hand drill that was good to travel with. It worked great with smaller twist bits, but I gave up and turned the hole saws by hand. All the parts were mounted in the guitar with hot glue, a few small wood screws, and some bits of wooden chopsticks I picked up at a Las Vegas sushi buffet.

Counting the badge, I think I ended up with six circuit boards mounted in or on the guitar, and it turned out that most of them never did anything! You see, I spent so much time working on building the hardware that I ended up with only a couple hours to write code before the end of the competition. Making the time crunch even worse, I had reliability problems with both the badge's serial bootloader and the JTAG interface. Unfortunately I had to completely abandon the notion that the thing would make noise, and I instead turned my attention to the one function that I thought I could get working very quickly.

I had mounted an RGB LED under each string in the fingerboard of the guitar, and I used those to implement a three-phase RGB stroboscopic tuner. You can see it in action at the end of my contest entry video. The LEDs are driven by a circuit with both high and low side shift registers to minimize the number of pins used on the badge's microcontroller. Each color of the LED flashes at a rate equal to the string's frequency (110 times per second if tuning a 110 Hz string). If the string is in tune, then its vibration brings it to about the same location each time that color flashes. This is much faster than the eye can see, so it just appears to be a stationary blob of color. If the string is a little bit out of tune, the blob moves around slowly, and if the string is further out of tune the blob moves faster. With three colors all firing at different times, you see three blobs that move around depending on the tuning of the string. The circuit doesn't involve any audio sensing whatsoever. I've seen single-phase and two-phase stroboscopic guitar tuners before. What's better than one or two? Three!
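The three-phase strobe principle described above, as an added example written here in C (my own illustration, not the badge firmware): it samples the string's phase at each colour's flash instants and shows that the blob stands still in tune, drifts at the detuning rate in Hz when sharp or flat, and also stands still at an octave above the strobe rate. The pure-sine string model, the one-third-period colour offsets, and the 110 Hz test frequencies are my assumptions.

```c
/*
 * Added example (my own illustration, not the badge firmware): a model of
 * the three-phase stroboscopic tuner described above.  The string's phase
 * is sampled at the instants each colour flashes; a blob that stays put
 * means the string is in tune, and a drifting blob reveals the detuning.
 * Assumptions (not from the post): the string moves as a pure sine at its
 * fundamental, the three colours fire a third of a strobe period apart,
 * and "blob position" is the string's phase at the flash.
 */
#include <stdio.h>

#define COLORS 3

/* fractional part of a non-negative value (no libm needed) */
static double frac(double x) { return x - (double)(long)x; }

/* wrap a phase difference into [-0.5, 0.5) cycles */
static double wrap(double d)
{
    while (d >= 0.5) d -= 1.0;
    while (d < -0.5) d += 1.0;
    return d;
}

/* string phase (cycles, 0 <= p < 1) at the k-th flash of colour c;
 * colour c fires c/3 of a strobe period after colour 0 */
double string_phase_at_flash(double f_string, double f_strobe, int c, long k)
{
    double t = (k + (double)c / COLORS) / f_strobe;   /* flash instant, s */
    return frac(f_string * t);
}

/* signed movement of one colour's blob between consecutive flashes, in
 * cycles of string travel: 0 when in tune, positive when sharp */
double blob_step_cycles(double f_string, double f_strobe)
{
    return wrap(frac(f_string / f_strobe));
}

/* blob motion per second in cycles; for a string near the strobe rate this
 * is simply the detuning in Hz, so a 111 Hz string on a 110 Hz strobe
 * makes one slow lap per second */
double blob_drift_per_second(double f_string, double f_strobe)
{
    return blob_step_cycles(f_string, f_strobe) * f_strobe;
}

/* 1 if, over `flashes` flashes of colour 0, the blob never moves more than
 * `tol` cycles from where it started, i.e. the eye sees it as stationary.
 * This is also true for a string at any integer multiple of the strobe
 * rate: a strobe tuner cannot tell 110 Hz from 220 Hz by itself. */
int appears_stationary(double f_string, double f_strobe, long flashes, double tol)
{
    double first = string_phase_at_flash(f_string, f_strobe, 0, 0);
    for (long k = 1; k < flashes; k++) {
        double d = wrap(string_phase_at_flash(f_string, f_strobe, 0, k) - first);
        if (d > tol || d < -tol)
            return 0;
    }
    return 1;
}

int main(void)
{
    const double strobe = 110.0;                 /* low E... no: A string, 110 Hz */
    const double strings[] = { 110.0, 111.0, 109.0, 220.0 };
    for (int i = 0; i < 4; i++) {
        double f = strings[i];
        printf("%6.1f Hz string: drift %+6.2f cycles/s, stationary=%d, "
               "colour phases %.3f %.3f %.3f\n",
               f, blob_drift_per_second(f, strobe),
               appears_stationary(f, strobe, 1000, 1e-6),
               string_phase_at_flash(f, strobe, 0, 0),
               string_phase_at_flash(f, strobe, 1, 0),
               string_phase_at_flash(f, strobe, 2, 0));
    }
    return 0;
}
```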

I've been so busy with other projects that I haven't even looked at the code since the day of the contest, but I still travel with the DCSR18. When I do, I am reminded that I should resume working on it before too much time goes by. There are a number of other interesting features that I hope to get working, and I'll blog about them as I do.

Wednesday, October 27, 2010

Ubertooth Zero, a preview

Last weekend at ToorCon 12 I unveiled Project Ubertooth, something I've been working on for more than a year. The goal of the project is to produce a low cost 2.4 GHz wireless development platform suitable for Bluetooth sniffing (among other things). If you are familiar with previous work on Bluetooth monitoring, then you know that good tools are expensive. Commercial equipment costs $10,000 or more, and even the open source solution requires a hardware investment of at least $1000.

In my talk, Ubertooth Zero, a preview, I demonstrated Bluetooth sniffing for the first time with Ubertooth Zero, my first prototype hardware model. The platform is based on the Texas Instruments CC2400 wireless transceiver paired with NXP's LPC1758, an ARM microcontroller with USB. You can build an Ubertooth Zero for less than $50 in parts. The hardware design and host code are published in the svn repository at, and firmware will follow as soon as possible (probably a couple weeks). Everything is open source.

Over the coming weeks I'll be working on the next model, Ubertooth One, which I hope to have available in early 2011. It will be compatible with the Ubertooth Zero software but will have an improved RF front end, comparable to a Class 1 Bluetooth device. I hope to produce Ubertooth One commercially, making it available to those who don't want to solder 0402s, but rest assured that the product will remain fully open source. I'm also working on firmware, host software, and documentation so that the platform will be easier to build and use.

I would love to hear from you if you decide to build an Ubertooth Zero. Keep in mind that this is a preview release with much work still undone. So far I've built three working boards, one of which fetched $275 in Sunday night's ToorCon Foundation auction, supporting technology education in developing countries. I have three more that I hope to get working soon, and then I'll start work on Ubertooth One.

So far I have implemented only single channel Bluetooth monitoring. The device sits on a single channel and receives a small subset of packets from all Bluetooth devices in range (the target devices use frequency hopping, so they only transmit a small percentage of their packets on that particular channel). This is sufficient to provide a good survey of Bluetooth activity. With some work on software in the future, the platform should be capable of hopping along with a target, receiving every packet on that piconet. Once that is working, it should be possible to use the Ubertooth platform for raw frame injection, an important capability that has been out of reach of wireless security researchers since Bluetooth's introduction. The platform could also be used for several non-Bluetooth functions such as spectrum monitoring or 802.11 FHSS.

ToorCon was a blast, as always. Thanks to everyone who attended the Software Defined Radio Workshop, Real Men Carry Pink Pagers, and the Ubertooth talk. Thanks to Travis for making our talk so much fun. Thanks to Dominic for making the trip from London. Thanks to George, Tim, and David for putting on a great con and making me feel so welcome. Thanks to all the friends, both old and new. Thanks(?) to Nick et al. for embarrassing the hell out of me. Thanks to Laen for running the DorkbotPDX PCB service. Most of all, thanks to Jared Boone who couldn't be at ToorCon but who has supported my effort to develop Project Ubertooth more than anyone.

Wednesday, March 17, 2010

Quixote's Nightmare

Quixote's Nightmare is an abstract ice sculpture that captures a view through the eyes of Don Quixote. Lars Hansen and I completed it as our entry in the Single Block Classic at the 2010 World Ice Art Championships. The piece was illuminated with white lights for judging the first night.

We returned a couple nights later to see the sculpture under colored lights. I like the colors the Ice Alaska lighting crew picked for us! Sculptors are encouraged to submit lighting design diagrams, but this year we decided to let someone else choose for us.

While we were there, I stupidly tried to brush some snow off of the wheel at the front of the piece. The left eyeball came crashing down! Fortunately this happened 48 hours after judging and after the official photos were taken, and ice sculptures are temporary anyway. I still feel bad, though. Here you can see the eye resting on the ground. It is a nice piece that Lars turned on the lathe. He also sculpted the interior of the eyeball with the boiler.

From the side you can see the linkage mechanism quite clearly. The piece was intended to be a working machine, a windmill whose rotor turns when the wheel on the front is turned, but the mechanism failed to function. Last year's piece still stands as our most successful mechanical sculpture. Apart from the mechanical failure, we thought that this year's effort was a great success overall.

Quixote's Nightmare tells a story much more than any of our previous sculptures. We had a lot of fun figuring out how to bring the story to life both artistically and mechanically. I was particularly fond of the inscription we chose.

Tuesday, March 16, 2010

a $16 pocket spectrum analyzer

ShmooCon was, once again, a fantastic experience this year. One of many highlights of this year's event for me was hacking on some radio devices with Travis Goodspeed in the hotel bar for hours on end. This included playing with the IM-Me that he brought. As soon as I got home I ordered one. I found mine for $15.99 and free shipping on eBay.

Since then I've written custom firmware to turn my IM-Me into a pocket spectrum analyzer, shown here displaying activity of a frequency hopping system at a grocery store. The only change I've made to the hardware is the addition of a ribbon cable in order to easily connect to a GoodFET for programming, but this is simply creating a permanent connection to the debug contact points that are already exposed in the battery compartment. I've followed Travis's advice on how to develop for the platform.

The software tunes the IM-Me's radio chip to one frequency at a time, uses the chip's RSSI measurement function, and plots the result as one column on the LCD. It sweeps across the whole screen (132 columns) several times per second, showing a contiguous range of radio frequency activity. The technique works quite well, although there are a few defects. Most notably, harmonics of the IM-Me's 26 MHz crystal show up as spurs on the display.

The frequency ranges supported by my device are 281 - 361, 378 - 481, and 749 - 962 MHz. This is about 50% more than the chip is advertised to support and covers quite a bit of interesting activity in the US including ISM, LMR, television, amateur bands, pagers, and mobile phones. The edges of the bands supported by other batches of chips may differ but probably not by much.

The software supports three bandwidth modes: wide (default), narrow, and ultrawide. Wide mode displays 26.4 MHz of bandwidth in 200 kHz increments. Narrow mode displays 6.6 MHz of bandwidth in 50 kHz increments. Ultrawide mode, shown here with some mobile phone activity, displays 88 MHz of bandwidth in 667 kHz increments.
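The sweep described in the two paragraphs above, as an added example written in C for this post (my own illustration, not the IM-Me firmware or the specan project's code): it maps each of the 132 LCD columns to a frequency for the wide, narrow and ultrawide modes, checks a sweep against the supported ranges listed earlier, runs a sweep over a synthetic RSSI source, and flags the columns that sit on a harmonic of the 26 MHz crystal. The centre frequency, the low-to-high column order and the fake RSSI source are my assumptions.

```c
/*
 * Added example, my own illustration rather than the post's firmware or
 * the specan code: a host-side model of the IM-Me sweep described above.
 * Assumptions not from the page: the sweep is centred on a chosen
 * frequency, columns run from low to high, and fake_rssi_dbm() stands in
 * for the radio chip's RSSI measurement.
 */
#include <stdio.h>
#include <stdlib.h>

#define LCD_COLUMNS 132
#define XTAL_KHZ    26000   /* the IM-Me's 26 MHz crystal */

enum mode { MODE_WIDE, MODE_NARROW, MODE_ULTRAWIDE };

/* kHz tuned per LCD column in each mode, as given in the post */
int step_khz(enum mode m)
{
    switch (m) {
    case MODE_NARROW:    return 50;
    case MODE_ULTRAWIDE: return 667;
    default:             return 200;   /* wide is the default mode */
    }
}

/* total bandwidth painted across the 132 columns, in kHz */
int span_khz(enum mode m)
{
    return LCD_COLUMNS * step_khz(m);
}

/* frequency tuned for column `col` when the sweep is centred on center_khz */
int column_freq_khz(int center_khz, enum mode m, int col)
{
    int s = step_khz(m);
    return center_khz - (LCD_COLUMNS / 2) * s + col * s;
}

/* the three ranges the post reports for this unit's chip */
int in_supported_band(int khz)
{
    return (khz >= 281000 && khz <= 361000) ||
           (khz >= 378000 && khz <= 481000) ||
           (khz >= 749000 && khz <= 962000);
}

/* 1 if both ends of the sweep fall inside a supported band */
int sweep_is_supported(int center_khz, enum mode m)
{
    return in_supported_band(column_freq_khz(center_khz, m, 0)) &&
           in_supported_band(column_freq_khz(center_khz, m, LCD_COLUMNS - 1));
}

/* 1 if a harmonic of the crystal lies within half a column step of this
 * frequency: that column shows a spur regardless of real activity */
int is_xtal_spur(int freq_khz, enum mode m)
{
    int n = (freq_khz + XTAL_KHZ / 2) / XTAL_KHZ;     /* nearest harmonic */
    return abs(freq_khz - n * XTAL_KHZ) <= step_khz(m) / 2;
}

/* constructed RSSI source: one carrier at 915 MHz, -40 dBm, over a -100 dBm floor */
int fake_rssi_dbm(int freq_khz)
{
    return abs(freq_khz - 915000) <= 100 ? -40 : -100;
}

/* one full sweep: tune each column in turn and record its RSSI */
void sweep(int center_khz, enum mode m, int (*rssi)(int), int out[LCD_COLUMNS])
{
    for (int col = 0; col < LCD_COLUMNS; col++)
        out[col] = rssi(column_freq_khz(center_khz, m, col));
}

/* column holding the strongest reading of the sweep */
int peak_column(const int out[LCD_COLUMNS])
{
    int best = 0;
    for (int col = 1; col < LCD_COLUMNS; col++)
        if (out[col] > out[best])
            best = col;
    return best;
}

int main(void)
{
    int center = 915000, out[LCD_COLUMNS];
    sweep(center, MODE_WIDE, fake_rssi_dbm, out);
    printf("supported sweep: %d, peak at column %d (%d kHz)\n",
           sweep_is_supported(center, MODE_WIDE), peak_column(out),
           column_freq_khz(center, MODE_WIDE, peak_column(out)));
    for (int col = 0; col < LCD_COLUMNS; col++)
        if (is_xtal_spur(column_freq_khz(center, MODE_WIDE, col), MODE_WIDE))
            printf("column %d sits on a 26 MHz harmonic: expect a spur\n", col);
    return 0;
}
```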

The code is open and available here. I'd love to hear from you if you give it a try. Huge thanks to both Travis and Dave who did the hard reverse engineering work!

Update: The code has a new home at github.

Sunday, February 28, 2010

daily photos

Ice Alaska finally posted the daily photos of our piece. I hope to have some more up in the next few days.

Saturday, February 27, 2010

our five thousand pound delusion

By mid-afternoon Thursday we had turned our attention toward assembly of the mechanism. The weather was considerably colder than the previous two days. Unfortunately this made the ice more brittle, and we had trouble with fusing. The upper axle (the one that connects to the rotor) broke clean through in two places while Lars bonded it to the cams! Lars had to turn a replacement on the lathe. While he was doing that I worked on adding suckers to the rotor and shaping it, and I broke it! Twice!

We wasted a lot of time repairing or replacing broken parts when we were already short on time, but we were able to get everything back together.

After Lars finished the replacement axle and carved out the remaining bits of the broken one, we were ready for re-assembly. We had it all glued together and ready for a critical step: cutting out the intermediate (between the cams) section of the two main axles in order to provide clearance for the linkage. Lars hesitated and suggested that maybe we should just assemble the sculpture as a static piece and not try to make it work. He thought that the weather conditions and time constraint made it very unlikely that the machine would work correctly, and we both feared that any failure could be catastrophic, destroying several parts at once. I held the opinion that we should try to make it work regardless. Since we disagreed and needed to make a decision quickly, Lars suggested that we flip a coin. At about 8:15 PM (45 minutes remaining) the coin dictated that we would try to make the thing work.

After a little more work preparing various components, Lars sliced through the axles with a saw. The mechanism held together, so we attempted a gentle rotation. Failure! One of the cam/axle joints cracked, and the two halves of the upper axle tipped toward each other by a few degrees. We both instantly came to the conclusion that the mechanism could not be salvaged in time, so we started applying slush to critical points in order to freeze the machine in place. We were lucky that the failure was relatively invisible and not catastrophic, so we froze everything to prevent damage caused by additional movement.

With only a few minutes remaining, we attached the final few components. The front wheel failed near the center (I had removed too much ice from the back side trying to reduce its weight), so we chiseled out the rest of the axle connector and tacked it onto the front face of the sculpture by the tips of its tentacles as the horn sounded. It stayed!

During the clean-up period I made a sign with the inscription:

"Though ye flourish more arms than the giant Briareus, ye have to reckon with me." - Don Quixote

We were disappointed that the mechanism didn't work but pleased that the sculpture came together as a whole. It was very fortunate that the cam/axle failure did not result in collapse and breakage of the entire linkage assembly. Unfortunately the time we spent making up for various damaged parts meant that we didn't have enough time for much texturing and finishing work. Some of the parts even had snow caked on them. We felt satisfied nonetheless, and I was reminded of something Lars said some years ago when it seemed unlikely that some mechanism would function: "Art may break out at any moment!"

Thursday, February 25, 2010

it's time to let your babies grow up to cowboys

It's time to let the bed bugs bite.

We made good progress this morning. The body has been completely shaped down to the ground. The giant tentacles have 90% of their suckers, and the eyes have been turned on the lathe. Time to get back out there!

Tentacular, Tentacular!

We resolved to sleep well Monday night and have a good breakfast. These goals were achieved.

Tuesday morning we established our battle plan for the day, and it centered around sculpting the main body of the beast. In order to prepare for this, our principal morning activity was to insert pins (grafts? sutures?) across the terrible crack on either side of the body. These were fused in place by lunch. In the afternoon we added buttresses (which ended up being flying buttresses) to provide additional support and contact area across the crack. After dinner we declared the structure sound enough to survive a chainsaw, so we attacked it immediately. By midnight it was almost entirely shaped, and we called it a day. The sculpture appears to be quite sturdy, and we didn't even have to modify the overall shape all that much to make it so.

Throughout the process of reinforcing the cracked body, there was plenty of time to do other things while waiting for bonds to cure. We worked on the wheel (the thing that people turn) and the windmill blades. We also started preparing the three largest tentacles and finished all the machine parts.

We have our work cut out for us tomorrow, but we believe that we can finish the piece by the time the horn sounds at 9:00 PM.

Oh, and yes, that tentacle pictured in my previous post is one of ours. We have not yet resorted to stealing from Junichi.

Wednesday, February 24, 2010

we destroyed a lot of ice today

At some point today they finally published the correct link to our webcam. If you hadn't found it yet, you haven't missed a whole lot. Mostly Lars and I spent the day working on small parts that aren't very visible from a distance, and we were probably off camera quite a bit of the time.

If you have been watching, you may be wondering why our sculpture looks so blocky and boring! While we were carving giant chunks out of the block early in the day, the central tall piece of the sculpture, the primary lobe of the monster's body that supports the windmill blades, suffered a major crack at its base. We were in the process of removing the large block in front of it, and it came loose and wobbled forward and back! We had to spend some time reinforcing the weak area and were avoiding touching that part for the rest of the day in order to give it time to heal. If the crack were to fail completely it would be catastrophic for the entire sculpture. We plan to spend some time tomorrow morning adding additional support.

We did manage to continue extracting some ice from the block later in the afternoon. We slid the section immediately behind the main lobe out to the side and let it fall onto the snow. I just figured out that it was a thousand pounds!

Despite not being able to carve the main body into anything interesting, we had plenty of other things to work on. This sculpture has many parts. Lars made some axles (including our longest ever - five feet!) and other machine parts.

I worked on tentacles.

Tuesday, February 23, 2010


This probably won't be the official URL, but I poked around on the server and found our active camera.

first break

My coffee started to freeze, so it must be time for our first break of the event. After a stop at the school this morning for Lars to brief his sub, we arrived at Ice Park with just about enough time to set up our scaffolding before the starting horn sounded. Since then we've been drilling the axle holes and marking the block for the imminent attack of the giant chainsaw.

The webcams are not accessible from the Ice Alaska web site yet, but you haven't missed much. All we've done to our block so far is to drill holes into it from the rear and mark up the sides. When the webcam is up, it should be accessible from here. Hey, it looks like Junichi and Heather are carving an octopus. I bet they made sucker bits too! Weird. Last year it seemed that everybody was carving birds, including us, so I guess we've been assimilated into the collective consciousness.

bed time

Some joker at Belfair added to our model. Lars is still working on lesson plans, but I'm going to bed.

site 40

Lars and I will be carving in site 40 which is the closest site to the warming hut and most of the other facilities at Ice Park. Watch us on our webcam at starting Tuesday at 9:00 AM AKST.

a long Monday

I was glad to be able to go back to bed for a while after Lars went to work. A couple hours later I had breakfast with Sharon and then spent some time preparing a new official sketch (to submit to Ice Alaska) from the clay model. I also drew side and front block layout diagrams so that we will know where to start cutting Tuesday morning. Later in the day I made the smallest two sucker bits and tested and tuned the entire set. The two largest bits were considerably out of alignment, so they chattered a great deal, causing terrible destruction to the ice. I was able to straighten out their shafts with a hand file, and this improved their performance greatly.

Lars returned to Belfair in the afternoon. We disassembled Sleipnir and the lathe, loaded up the trailer, and headed to Ice Park. Just past UAF, a neighborly driver informed us that the trailer had a flat tire! Since we were only a mile from Ice Park, Lars decided to drive on slowly. Thankfully it turned out that the tire did not suffer any additional damage; Lars was able to re-inflate it for the short trip from the parking lot to our site later in the evening.

Registration was quick and easy, and we found out that, since we are now five year veterans, we are eligible for Ice Alaska jackets! My ears perked up when I heard this as I really could use a new coat right now. Alas, it turns out that it is likely to be a while (like years) before we receive them.

We went to our site and found that it was already set up with power, lights, sawhorses, a bucket, and a working webcam. Nice! Jasper expertly tweaked our block for us with a zoom boom so that the smaller face is turned toward the road, and we were off to the warming hut for dinner and the safety meeting.

After dinner Lars moved the trailer while I carried scaffolding parts to our site. Then we set up Sleipnir and the lathe and a few other things. Our site happens to be at the end of a row, so we had plenty of room to set up the trailer and the big equipment, though it will probably be out of view of the webcam.

Now Lars and I are sitting in his classroom. I'm blogging while he finishes lesson plans for his sub. We'll be in bed at Belfair before long (I hope).


After my arrival at Belfair Sunday night, Lars and I looked over all our equipment and started planning the activities of the next 36 hours before the start of the Single Block Classic. Before going to bed we had a design session, reviewing several sketches we had made and modeling some of them with clay. He ended up with a model that I liked but didn't love, and I made a model that he liked but didn't love. We decided to go with his model, but I wasn't thrilled with the overall look. The core features of the monster were great, but the tentacles extending upward and outward from the base of the sculpture had a look that was sort of, well, floral. I was hoping for something more menacing.

Inspiration struck as I was brushing my teeth, and I ran back upstairs to make a new model. I made the main body and head similar to Lars' design, but I extended tentacles down through the snow and back out some distance away from the body. This makes great use of space and ice, allowing the piece to extend well beyond the original block, and it doesn't even require much ice welding. The fence posts in front of the sculpture will be additional tentacles that are a part of the creature.

Lars was already in bed, but I left it out for him to see in the morning. As he was leaving for school at 5:30 AM, I happened to be up on a call from work (gah!). He hadn't noticed the new model, so I told him to take a peek. He approved!

Monday, February 22, 2010

Lars has been busy

I arrived at Belfair excited to see all of the improvements Lars has made to various tools this year. There are many! The first thing he showed me was the housing that he built for the lathe motor. He bought a riveter this year, so he was able to make it quite light (unlike many of his inventions that feature thick, welded steel). He also improved the lathe chucks by adding permanent bits of rubber that cushion the ice against the chuck screws. In the past we've had to insert loose pieces of rubber every time we mounted a blank.

Next he showed me Sleipnir's new skateboard wheel tensioner which stabilizes the band action enough to make the beast considerably less frightening. He also installed a built-in jack to raise and lower the table, making cutting depth adjustments faster and more precise.

The trailer has been upgraded with an exterior, fold-down workbench.

I found a couple antique 2 inch gouges a year or two ago and gave one to Lars. Unfortunately it had a tendency to fall out of the handle I made for it, so he welded on a hockey stick socket.

You might think that using a jackhammer on an ice sculpture would be a bad idea. You might be right, but so far this bit Lars made for his reciprocating saw has performed admirably. We may use it to clear away the ice between suckers, but we aren't sure yet if it is any better for this task than small hand chisels or a die grinder.

Bob the Boiler has been completely rebuilt. He used to suck propane, but now he's switched to electrons.

Bob's various new bits, including the long "Intruder", can be used for heat cutting of all sorts of crazy shapes.

The Senator has been upgraded with the simple addition of some silicone on his base plate. This saves us the trouble of having to hold pieces of rubber between the device and the ice. His interior series of tubes has also been soldered together which should help speed drilling operations.

My own new contribution, a set of seven sucker bits ranging from one half inch to four inches, seems rather minuscule in comparison!

Big thanks to Evan, a long-time Belfarian, for the use of his camera. Mine died today, but it was old and beat up anyway.

Sunday, February 21, 2010

en route

Yesterday was a very, very bad day. On Friday night I had a couple hours to work on sucker bits in the garage before heading to the airport to pick up Emily. At some point during that time, Charley, our Rhodesian Ridgeback, went outside and got stuck in the backyard. I looked for him as I was getting ready to leave and finally found him prone in the snow next to the chicken coop at the bottom of the slope in the dog yard. He was unable to stand, so I carried him inside and sat with him by the fire for a while. After twenty minutes or so, he showed a slight interest in food and managed to get up and walk by himself, but it wasn't pretty. He only made it a few feet, and it was clear that his legs were not working correctly.

I decided to put him in the car and take him with me to the airport. Since he hadn't shown any improvement by the time we were heading back up the hill, we took him to the emergency vet. She thought it might be something neurological, perhaps a tumor or spinal injury, and sent Charley home after midnight with a steroid shot and a follow-up appointment scheduled for early the next morning.

Charley didn't respond to the shot, and the vet at our Saturday morning appointment discovered that he had a new and significant heart murmur. He determined that Charley's inability to walk was due to general weakness from his heart condition and that little could be done for him. We had to say goodbye to Charley just a few days prior to his twelfth birthday.

On the way home from the vet, we stopped by the cleaners to pick up my heavy coat for the trip. I had left it there a week ago to have its zipper replaced. They didn't have it. Apparently it was in the possession of their seamstress in Aurora, and she hadn't returned their calls for the past two days. Fortunately the Fairbanks forecast looks fairly warm (mostly above zero F) for the coming week, so I should be fine with a lesser coat.

After getting home, I finally turned my attention to my right eye which had been irritated since the drive to the airport. It didn't take long to find a small bit of steel stuck in my cornea. I had been wearing safety glasses while making the sucker bits, but that one piece somehow found its way around them. The only good news I had all day was that my ophthalmologist would be able to return from Colorado Springs and see me in the afternoon. He popped the tiny chunk out with the tip of a syringe and then removed the remaining rust ring with a drill.

Needless to say, I didn't have as much time for trip preparations on Saturday as I had hoped, but I was able to get everything packed in time for a few hours sleep before my early morning flight. I'll probably have time at Belfair on Monday to test and touch up the sucker bits and finish sharpening chisels and saw chains. Meanwhile, I'm spending a long day of travel, an odd calm amid days of storm.

Friday, February 19, 2010

sharpening, sharpening, sharpening

When Lars and I first started carving ice, we underestimated the value of some of the more traditional ice carving tools. Chainsaws would be essential, we knew, but we didn't figure that chisels would be so important to the mechanical ice sculptor as they are to the traditional ice sculptor. We only had a few, small, one-handed chisels on hand that first year, but it wasn't long before we realized that we needed more chisels, sharper chisels, bigger chisels, and better chisels.

We found that professional ice carving chisels are rather expensive, so we tried making some of our own or refurbishing antiques found on eBay. These efforts weren't terribly successful until one day a couple years ago when Lars found a nice, large, 3/8 inch thick piece of tool steel. He cut it up into several chisel blades (up to 4 inches wide) and welded on sockets for hockey stick handles. These chisels have been an outstanding addition to our arsenal.

When they were new, Lars had them professionally sharpened. They cut ice much better than any chisel we had used before, but some of them lost their edges fairly quickly. After learning a thing or two about sharpening chisels I came to realize that the reason some of them were better than others was that they had flatter backs. The professional sharpener had done a terrific job on the bezels but hadn't flattened the backs. Since the cutting edge is the intersection of two planes, the bezel and the back, it is important that both be very flat. Over time, I've tried to flatten the backs of these chisels, but it is a great deal of work. Last year I took a particularly troublesome one home with me, and I have been trying to flatten it this week, starting with a belt sander and moving up to a coarse diamond stone.

Wednesday, February 17, 2010

big suckers

Making sucker bits out of spade bits turned out to be pretty easy, but we need to make some bigger suckers. The largest spade bit I have found is 1.5 inches. I'd like to be able to make suckers at least twice that large, so I made a prototype 3 inch sucker bit out of a flat piece of 1/4 inch aluminum.

It worked quite well, so I'm now working on a set of bits made in this style out of 1/4 inch steel. Tonight I drink a toast to whoever invented the angle grinder.

Monday, February 15, 2010


In one week I'll head to Fairbanks for the World Ice Art Championships. This year Lars and I have decided to carve a windmill as seen through the eyes of Don Quixote. There isn't much in the text that describes how he perceives them, so we have a lot of freedom. Don Quixote calls them "monstrous giants" and says that they have many arms, so we are carving our windmill in the form of an octopus-like monster.

Inspired by the bubble bits that Steve Brice has used to great effect in past events, I decided to try making a sucker bit. I used an off-the-shelf spade bit and modified it with a bench grinder and some hand filing. With bits in this shape, we should be able to quickly carve long tentacles with many suckers.

My first test went well! While I've been working on sucker bits, Lars has done ten times as much, making improvements on various machines including the lathe, the eight-legged slab-cutting bandsaw (now known as "Sleipnir"), and "Bob the Boiler," a heat cutting tool.

Friday, February 05, 2010

ShmooCon live!

I'm giving a talk on Bluetooth keyboard security at ShmooCon this year. Live video of the talk will be provided. My talk will be at 3:00 PM EST on Saturday, February 6th in the Break It! track.

Tuesday, January 12, 2010

KillerBee on a budget

At ToorCon 11, Joshua Wright handed out a pre-release version of his KillerBee framework, a set of tools for analysis of 802.15.4 and ZigBee wireless networks.

KillerBee requires a particular hardware device, Atmel's AVR RZUSBSTICK, an inexpensive USB dongle with a programmable microcontroller. Many of the KillerBee functions require custom firmware (written by Joshua) to be flashed onto the stick. While most Atmel products feature In-System Programming (ISP) which can be done with a low-cost programming device, the RZUSBSTICK unfortunately only provides a JTAG header for programming, and the JTAG debugger/programmer costs about $300.

The good news is that ISP can be used to program the RZUSBSTICK. The bad news is that it requires some tricky soldering to get it working. With a little guidance from those who have gone before me and SparkFun's excellent surface mount soldering tutorials under my belt, I was able to attach a 10-pin ISP header to my RZUSBSTICK and successfully flash it with the KillerBee firmware.

There are two kinds of AVR ISP headers, a 6-pin and a 10-pin version. I chose the 10-pin variety because my programmer has a 10-pin connector, but a simple adapter can allow you to use either. Both varieties use the same 6 signals: GND, VCC, RESET, SCK, MISO, and MOSI. I connected them with colored wire (28 or 30 AWG wirewrap wire) as follows:

signal  color   header pin  source
GND     black   4,6,8,10    JTAG header pin 2
VCC     red     2           JTAG header pin 4
RESET   white   5           JTAG header pin 6
SCK     purple  7           AT90USB1287 pin 11
MISO    brown   9           AT90USB1287 pin 13
MOSI    orange  1           AT86RF230 pin 22

I ran all six wires through the unused holes of the (unpopulated) JTAG header in order to provide some strain relief. Those connections to the individual chip pins are fragile! From there I ran them across the back of the board to a 10-pin header glued to the end of the stick.

My serial programmer works great when connected to an on-board serial port on an old PC, but its bit-banging technique is incredibly slow (about 3 bits per second) and unreliable when connected to a USB/serial adapter. I believe that trying to use it via USB was the cause of death of an ATtiny85 while working on a previous project. Anyway, with a good serial port, AVRDUDE does a fine job programming the RZUSBSTICK over ISP:

avrdude -c ponyser -p usb1287 -P /dev/ttyS0 -U flash:w:kb-rzusbstick1.hex
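With a bit-banged ISP write this slow, it is worth checking the firmware image itself before starting. The following is an added example, not code from the post or the KillerBee project: it parses the Intel HEX format that avrdude reads for `flash:w:`, verifies every record checksum, and confirms the image fits in the AT90USB1287's 128 KiB flash. The sample records are constructed for the example, not taken from the KillerBee firmware.

```python
"""Sanity-check an Intel HEX firmware image before flashing it with avrdude.

Added example, not from the original post or the KillerBee project. The
record checksums catch a corrupted download; the flash-size check catches an
image built for a different part before the slow ISP write begins.
"""

AT90USB1287_FLASH_BYTES = 128 * 1024  # flash size of the RZUSBSTICK's MCU


def parse_ihex(text):
    """Return {absolute_address: byte} for all data records in an Intel HEX file.
    Raises ValueError on a malformed record or a checksum mismatch."""
    base = 0      # upper address bits from type-02/04 records
    image = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line:
            continue
        if not line.startswith(":"):
            raise ValueError(f"line {lineno}: missing ':' start code")
        raw = bytes.fromhex(line[1:])   # ValueError on non-hex or odd length
        if len(raw) < 5:
            raise ValueError(f"line {lineno}: record too short")
        if sum(raw) & 0xFF:             # all bytes incl. checksum sum to 0 mod 256
            raise ValueError(f"line {lineno}: bad checksum")
        length, addr, rtype = raw[0], int.from_bytes(raw[1:3], "big"), raw[3]
        data = raw[4:-1]
        if len(data) != length:
            raise ValueError(f"line {lineno}: length {length} != {len(data)} data bytes")
        if rtype == 0x00:               # data record
            for i, b in enumerate(data):
                image[base + addr + i] = b
        elif rtype == 0x01:             # end of file
            return image
        elif rtype == 0x02:             # extended segment address (bits 4..19)
            base = int.from_bytes(data, "big") << 4
        elif rtype == 0x04:             # extended linear address (upper 16 bits)
            base = int.from_bytes(data, "big") << 16
        # types 03/05 (start addresses) carry no flash data; ignore them
    raise ValueError("no end-of-file record")


def validate_for_flash(text, flash_bytes=AT90USB1287_FLASH_BYTES):
    """Return (True, summary) if the image parses and fits, else (False, reason)."""
    try:
        image = parse_ihex(text)
    except ValueError as exc:
        return False, str(exc)
    top = max(image) if image else 0
    if top >= flash_bytes:
        return False, f"image reaches 0x{top:X}, beyond flash end 0x{flash_bytes:X}"
    return True, f"{len(image)} bytes, highest address 0x{top:X}"


# Constructed sample: two data records at 0x0000/0x0004, an extended linear
# address record selecting 0x10000, one byte there, then the EOF record.
SAMPLE_HEX = ":0400000012345678E8\n:020004009ABCA4\n:020000040001F9\n:0100000000FF\n:00000001FF\n"
```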

Now to find some target devices...