Sunday, February 24, 2019

Fixing a Tektronix Spectrum Analyzer

So the other day, a decently well of RF lab at CU Boulder was getting rid of stuff. And, as a good young engineer, I immediately started digging through their pile and asked about their situation to the nearest apparent lab-member. It turned out to be the head of the lab, and he let me take some stuff. I asked about this NOAA spectrum analyzer with plugin unit range to 60Ghz, and he said it didn't. I told him I could fix it, and he chuckled a bit.

Anyways I fixed it, and it is now part of the Solid State Depot (SSD) hackerspace in Boulder:
I have yet to test it with a proper source, as I don't have one, but at least it shows a neat FFT plot! Basically the power to the CRT as well as the plug in modules was not working. I replaced some fuses and other small components, and it fired right up.

I'm no stranger to adopting lovely old Tektronix test equipment. Here is a Tek 543 from 1959 and a 561 from the 60s. I got both working back in high school as fun projects. The first was picked up from a garage sale and belonged to Sarkes Tarzian himself. The second was a gift from a gracious history teacher.

TeXbrd: The custom mechanical keyboard with $\LaTeX$ bindings

So I had this ridiculous idea about 6mo ago. I use $\LaTeX$ all the time in my homeworks, research, and writing in general. I even use it for documentation when I am doing work for different companies. Overall, it is an excellent programmatic, scripted documentation language that seems to have infinite degrees of freedom. I always felt that I could do so much more if I had an edge on speed while writing mathematics. The following takes roughly 40 seconds for me to write out (counting sublime auto-fill features):

J = \sum_{i=0}^{N-1} x_i^TQx_i + u_i^TRu_i

I know that you can just add bindings to an existing keyboard. I know there are simpler solutions to make writing $\LaTeX$ quicker. But I like keyboards, designing PCBs, writing firmware, and ridiculous solutions to simple problems. So I built a keyboard. I dub thee TeXbrd.

For some reason I decided to use a Teensy 3.2 early on, only because I knew it could function as an HID keyboard and had all the support for it. I should have gone with the pro mini with QMK firmware that is already extensible.

I started off (MkI) with a 60% style keyboard style as you see in the foreground here:
I quickly realized that I did not want to be stuck in layer-hell by burying the navigation cluster. Additionally, I would be using double modifiers for all of the $\LaTeX$. There would be a key for Greek AND math. The latter is the part that would be impossible to remember.

Around this time, I also got my vintage IBM SKCC Alps cream pingmaster keyboad which made my fall in love with linear switches and battlestations (keyboards with tons of keys).

MkI also had Cherry MX blues which are a flaming disaster of a keyswitch. I also wanted this to function in an office environment.
SO I moved to Kailh box reds, which are superior in their smooth linear quality as well as being quiet enough so that my office mates don't throttle me (in fact I am making one for a fellow lab-mate).

You can see MkI in the background with my IBM pingmaster in the foreground.

I enjoy the ortholinear look of the number keys and function keys. I also chose to go for a 2U sized escape key, as I find myself using ESC very often. I made sure that all of the keys lined up such that I could but a delete key above backspace.
Below you can see the board layout! The teensy jutting off the side seemed cool, and I was going to make an additional add-on board that clips in via TRRS jack. But too much work; plus higher BOM and PCB cost.

So I ordered the standard 5pcs of this from JLCPCB (totally recommend, unbelievably cheap). I made one with cherry blues, died a little on the inside, and then proceeded to design MkII. This time, I added the extra keys for dedicated math bindings (so tired of writing \frac{}{} +  3x left key hundreds of times). Here is the layout for MKII:

The layout got a little trickier, but still all 2-layer. I also learned some lessons on rollover diode placement with respect to the stabilizers. I made sure to bring the bottom of the PCB up as high as I could, and you can see the spacebar stabs are truncated.

I fabricated these PCBs in white color, and ordered another 5pcs with the full expectation to build all of them (currently doing as I get free time). I wanted a proper case, unlike the layer of neoprene I put under the MkI PCB. I also enjoy having a slightly angled board for my wrists, and elevated to accommodate a future rest if I like. I designed the case to be printed on my Wanhao I3 printer:

I was inspired by an online design on kbdfans of a 5-degree case. So I did my best to keep it cool and polygonal. After a couple printed revisions, I got the design down and made some pretty sweet prototypes.  Oh and I also spent a ton of time laser cutting and debugging a design for a 1.5mm acrylic backplate for all of the switches to lay into:

 They turned out excellently..... They are honestly a joy to type on; and I almost want to just make a wall of them. They look so good!!!!!!

If you want one, I may start selling them for ~$155 each. Contact information:

Wednesday, February 13, 2019

Experimenting with HM10 Bluetooth 4.0 CC2541 Devices: Reprogramming HM10 firmware on fake devices

These things are what I am talking about.
First off... It seems to be hard to find a comprehensive list of AT commands for this device. Some online seem to work, and some don't. Here is what is displayed when I command AT+HELP

* Command             Description             *
* ---------------------------------------------------------------- *
* AT                  Check if the command terminal work normally  *
* AT+RESET            Software reboot *
* AT+VERSION          Get firmware, bluetooth, HCI and LMP version *
* AT+HELP             List all the commands             *
* AT+NAME             Get/Set local device name                    *
* AT+PIN              Get/Set pin code for pairing                  *
* AT+BAUD             Get/Set baud rate                     *
* AT+LADDR            Get local bluetooth address   *
* AT+ADDR             Get local bluetooth address     *
* AT+DEFAULT          Restore factory default   *
* AT+RENEW            Restore factory default     *
* AT+STATE            Get current state     *
* AT+PWRM             Get/Set power on mode(low power)     *
* AT+POWE             Get/Set RF transmit power     *
* AT+SLEEP            Sleep mode                     *
* AT+ROLE             Get/Set current role.                     *
* AT+PARI             Get/Set UART parity bit.                      *
* AT+STOP             Get/Set UART stop bit.                        *
* AT+INQ              Search slave model                            *
* AT+SHOW             Show the searched slave model.                *
* AT+CONN             Connect the index slave model.                *
* AT+IMME             System wait for command when power on.     *
* AT+START            System start working.     *
* AT+UUID             Get/Set system SERVER_UUID .                *
* AT+CHAR             Get/Set system CHAR_UUID .                *
* ----------------------------------------------------------------- *
* Note: (M) = The command support master mode only.             *
* Copyright@2013   All rights reserved.     *

Wait can you copyright a help readout? Does that make any sense at all?

Anyways, we see that my devices come with Firmware V4.2.0
Also for some reason it is talking at 74880 baud, and so we are going to change it to something more common. However a AT+BAUD query yields the value 45... Resetting yielded errors. However, spamming the reset and factory default commands seemed to knock it back to 9600. Supposedly:

Should return: OK+Set:[para1]
Details: Scope of para1:0 ~ 8. The parameters corresponding to: 0 represents 9600, 1, 2, 9600, 38400, on behalf of the representative representative of 57600, 115200, 5, 4800, 6, 7 represents 1200, 1200 2400. The default baud rate is 9600.
Note: If you switch to the 1200, module will no longer support the configurations of the AT command, and press the PIO0 under standby, module can restore the factory Settings.Do not recommend using the baud rate.After setting the baud rate, modules should be on electricity, anew set parameters can take effect. "

This does not explain the numbering on my device. Mine returns: "+BAUD=4" now at 9600.

Both of my devices have +ADDR=00:15:85:14:9C:09 with +NAME=BT05. But aren't addresses supposed to be unique? Additionally there does not seem to be a way to spoof addresses.

After some more digging, it seems that these were programmed with some shoddy HM10 firmware from that cyobd company from above (they manufacture OBD port tools for car diagnostics by the looks of it..).

I followed this video!

I reprogrammed the firmware without any level shifters or resistors, and it behaved nominally.
I now have different addresses!

This now abides by the AT command standards that are listed for standard HM10 firmware setup.
If you manage to intercept my packets / man-in-middle attack me, then congrats! You are far too close for comfort.