<azonenberg>
sorry potato, this is garage lighting + cheap phone camera
<cr1901_modern>
that is a good quality potato
<cr1901_modern>
I still need a reflow oven
<rqou>
get a t962 like me?
<davidc__>
I think azonenberg wins... for the moment ;)
<azonenberg>
no SEM
<azonenberg>
Thats the exterior lab, my office (where i'm sitting now) is inside the house and has a desktop PC + three largeish monitors plus a 2-post 24U rack with a cisco switch and some patch panels on it
<azonenberg>
no real EE gear there
<azonenberg>
But it's climate controlled, unlike the garage :p
<azonenberg>
(my microscopes are also only optical)
<cyrozap>
rqou: fwiw, you can publish what you've learned from the FW RE, you just can't post anything that would violate Valve's copyright on it. Did you figure out the LPC<->NRF UART protocol?
<rqou>
i think i have some notes in a .idb
<rqou>
i don't really care about that part at this point
<cyrozap>
rqou: It's only the hardware that's patented, isn't it? I thought the uC's on the touchpads just spat out raw coordinate data?
<rqou>
no, they don't
<rqou>
the touchpad chips don't even look like uCs
<rqou>
they look like a dumb AFE
<cyrozap>
Oh, wow, so the process the software uses to interpret those signals is patented?
<rqou>
i think so?
<rqou>
afaik the touchpad is the only part in the controller that doesn't have an open datasheet
<rqou>
also apparently i took terrible notes while doing re :P
<pie_>
azonenberg has a big rack
<cyrozap>
^ heh
<azonenberg>
I have four of them actually, and a "nice rack" T-shirt
<azonenberg>
Looking to get rid of the gold-colored one though
<azonenberg>
the big black is my primary rack i am in the process of (very slowly) moving the other big rack to
<azonenberg>
since its deep enough for proper rails unlike the other one
<azonenberg>
The 2-post in the house is just a place to hold a switch and patch panel, 6U would be plenty but i had a 24 so i use that
<azonenberg>
The other big rack is a SGI Origin so i plan to keep it for the history even if i dont end up mounting gear on it
<azonenberg>
but the gold one i have no use for
DocScrutinizer05 has quit [Disconnected by services]
DocScrutinizer05 has joined ##openfpga
<rqou>
cyrozap: yeah my notes are too ugly to publish right now and i forgot a bunch of stuff
<rqou>
but in short most of it is easy RE except the touchpad
<rqou>
the only thing i have missing on the LPC is the touchpad and some battery crap
<rqou>
also checking my notes apparently the LPC has control over the nRF swd pins
<rqou>
so it's truly unbrickable
<rqou>
idk if the valve fw can do a recovery in that state if you bricked the radio though
<rqou>
oh also the 8051 dongle firmware is a giant hairball that i gave up on
<rqou>
hmm i also don't have a radio bootloader dump
<rqou>
whatever, don't care about that part either :P
<rqou>
how much progress have you made cyrozap?
<rqou>
oh btw be careful you don't nuke the eeprom, you won't be too happy afterwards
<rqou>
the LPC eeprom has calibration settings
<cyrozap>
rqou: I have both uC's dumped (I bought that stupid $50 "Tag Connect" cable), and while I've identified a bunch of functions in the LPC binary (and kind of understand the power on/off/sleep/watchdog stuff), I haven't actually learned much else or made any custom firmware other than "NOP-out the watchdog init so I can step through the FW".
<rqou>
hmm i've been looking at the existing fw purely via static analysis
<rqou>
i wiped the valve fw really early :P
<rqou>
(fortunately i didn't wipe the eeprom :P )
<cyrozap>
I also tried understanding the UART protocol, but haven't been able to build a good capture/parse setup.
<rqou>
i don't even have a debugger hooked up to the LPC
<rqou>
you can load fw by removing the batteries, holding rtrigger, and plugging it it
<rqou>
*in
<cyrozap>
I dumped both IC's flash as soon as I got SWD working.
<cyrozap>
I didn't find out about the rtrigger thing until much later :P
<rqou>
ok in that case i'm pretty ahead of you :P
<rqou>
i did most re by writing custom FW
<rqou>
including a really dangerous "bang on every unidentified GPIO until the haptics moved" :P
<rqou>
btw that doesn't directly work
<rqou>
a lot of the other RE was done by staring at the ifixit board photos
<cyrozap>
I just did everything via SWD, but finding about the built-in flashing tool was a nice bonus, since it means in the future, if we ever have a FOSS firmware replacement, less-technical users will be able to flash it without disassembling their controllers and connecting SWD dongles.
<rqou>
yeah, and couple that with the fact that afaik the radio swd is connected to the lpc
<rqou>
or at least i think it is
<cyrozap>
My eventual goal is FOSS firmware (for both IC's) with switchable BLE/Nordic Proprietary RF.
<rqou>
yeah that's what i wanted to do
<rqou>
oh btw i don't think the dongle has an unbrick, so be careful i guess?
<rqou>
the nRF24 dongle is imho a piece of crap though :P
<cyrozap>
Sounds like we need ##opensteamcontroller :)
<cyrozap>
Yeah, I have no desire to do 8051 RE, at least on that device.
<rqou>
i tried and the firmware is a giant hairball
<rqou>
not sure if nordic or valve's fault
<cyrozap>
Though I've been meaning to learn, since those ubiquitous cheap LCD controllers often use 8051's.
<rqou>
also it looks basically identical to any other nRF24 dongle ever
<rqou>
you can probably crossflash the valve fw onto some other things :P
<rqou>
the best i could figure out is that it seems to use ble-style pairing+crypto
<cyrozap>
RE-ing the dongle firmware would really only be useful for making cheap replacement dongles
<rqou>
iirc valve stated that the controller was originally supposed to be ble but had latency issues
<cyrozap>
since there really aren't any features you could add
<cyrozap>
Yeah, I expected as much
<rqou>
you can maybe mess with descriptors/reports?
<rqou>
i don't remember if the LPC does that, the dongle does that, or both contain code to do that
<cyrozap>
That's the reason the Xbox 360 controller used proprietary RF instead of Bluetooth, too, I think
<rqou>
it's weird because nordic proprietary is about 90% the same as BLE
<rqou>
i wonder if you can sniff other people's controllers and see what they're typing on the soft keyboard?
<rqou>
idk if the pairing has vulnerabilities
<rqou>
ble pairing is pretty worthless iirc
<cyrozap>
I thought BLE pairing was only vulnerable if someone could sniff/MitM the initial key exchange, assuming out-of-band key exchange isn't used?
<rqou>
you can force a disconnect/re-key-exchange
<cyrozap>
Which is still fairly secure.
<cyrozap>
Oh, lol
<rqou>
there's iirc a proposal to fix key exchange with curve25519
<cyrozap>
It's WEP all over again
<rqou>
tangential question: does anybody know why all game controllers have some really stupid mapping of "physical things" to "things in the HID descriptor?"
<rqou>
e.g. the HID descriptor can report multiple xy joysticks
<rqou>
but people map one of them as normal and the other one to weird things like zhat
<rqou>
why can't you just map them like the spec says?
<cyrozap>
Maybe to remain backwards-compatible with previous versions of the standard? Or to mimic other poorly-described hardware?
<rqou>
yeah, afaik a bunch of them eventually end up pretending to look like some microsoft flight sim controller
<rqou>
hence zhat
<rqou>
also the steam controller has a ridiculous number of analog axes
<rqou>
left touchpad, right touchpad, thumbstick, triggers, and accel+gyro
<rqou>
so at least 14
<rqou>
anyways cyrozap since you're working on this i might un-shelve this project
<cyrozap>
rqou: Me, too. Also, I recently found out about Apache Mynewt, which is an RTOS that has a FOSS BLE stack for Nordic's chips. With this, truly libre BLE devices are no longer a pipe dream.
<rqou>
wait, as in the nordic phy got RE'd?
<rqou>
because iirc the phy needs a blob (.o file)
<rqou>
it's not nearly as bad as the cc2540 crap though because arm at least has a saner abi situation
<cyrozap>
Nordic contributed the code, and it's all Apache 2-licensed
<rqou>
i don't know how much i care about the rtos part though
<rqou>
but a blobless ble phy is interesting
<rqou>
i could have sworn the normal nrf51 sdk has a blob
kuldeep has quit [Ping timeout: 258 seconds]
<cyrozap>
It does
kuldeep has joined ##openfpga
<rqou>
now i want to know why they opened it up
<rqou>
also on a slightly different tangent someone should really RE the esp8266 phy
<rqou>
(although unfortunately i was told that the esp8266 has a lot of stolen IP internally)
<cyrozap>
It also does some proprietary protocol called "ANT", so that was probably one of the reasons for that. Fortunately, it appears that Nordic decided at least the BLE stuff was worth releasing.
<rqou>
ant is iirc the nrf24 stuff that was always opened
<rqou>
so honestly closing ble was kinda pointless
<cyrozap>
No, it's a different proto, or it at least requires a secret network key to use.
<rqou>
ant?
<cyrozap>
And you have to become a part of their org to get docs and pay to get the super secret network key
<rqou>
honestly ant/ble/nRF are all about the same
<azonenberg>
TMJ (total metal jacket) is fully enclosed, but more expensive and less common
carl0s has joined ##openfpga
<azonenberg>
usually only used when required by state law etc (would not surprise me if CA does mandate them)
<azonenberg>
i know some indoor ranges do to keep lead levels down in the air
<whitequark>
granted. lead has never had a lower toxicity limit determined
<azonenberg>
Yeah
<azonenberg>
then shotgun pellets are unjacketed
<azonenberg>
but sometimes non-lead
<azonenberg>
bismuth based alloys are common for hunting water birds because they're relatively nontoxic if ingested by the wildlife
<azonenberg>
lead is banned for that purpose
<azonenberg>
but OK for shooting land-based animals or target practice in most areas
<azonenberg>
Anyway, depending on how the range is set up lead leaching at a range (vs hunting area) is often not a big consideration
<whitequark>
"land-based animals"
<azonenberg>
the club i shoot at puts lime in the soil to keep the pH very alkaline
<azonenberg>
So the lead doesn't corrode and just stays in metallic form immobile
<azonenberg>
then every few years they excavate, sift the bullet fragments out of the dirt, and send it off to get recycled
<azonenberg>
So the actual lead levels in the runoff water (which are sampled periodically) are near zero
<azonenberg>
But of course that wouldn't be enough in CA
<azonenberg>
i think regulating IPA is like the peak of stupidity that i've seen from them though
<azonenberg>
i mean 2-propanol? really? of all the hazmats to be concerned about
<azonenberg>
its flammable, sure
<azonenberg>
but from a toxicity perspective?
<azonenberg>
sure, you dont want to drink it
<whitequark>
they should regulate rice
<azonenberg>
but the LD50 is... up there :p
<whitequark>
because it contains arsenic
<azonenberg>
lol
<whitequark>
wait, I bet they do
Bike has joined ##openfpga
<azonenberg>
lol
digshadow has joined ##openfpga
<azonenberg>
oral rat LD50 ethanol is ~7 g/kg, IPA is ~5
<azonenberg>
so slightly more toxic than booze, but even by a factor of 2
<azonenberg>
but not*
cosmobird has joined ##openfpga
<lain>
doesn't ipa cause blindness though? or am I confusing it with some other alcohol
<lain>
wait that's methanol isn't it
<azonenberg>
yeah that's methanol
<azonenberg>
poke whitequark for a long discourse on the exact mechanism of toxicity :p
<lain>
lol
cosmobird has quit [Ping timeout: 240 seconds]
pie_ has joined ##openfpga
pie_ has quit [Changing host]
pie_ has joined ##openfpga
<whitequark>
azonenberg: peek
<azonenberg>
?
<azonenberg>
lol
<whitequark>
lain: yeah so I've spent like several hours recently figuring out the exact mechanism of toxicity of methanol
<whitequark>
azonenberg: well the response to "ping" is "pong"
<whitequark>
and to "poke"...
<azonenberg>
whitequark: lol i was instructing lain to poke you, not doing so myself :p
<azonenberg>
also are you even old enough to have worked with those ancient BASIC platforms?
<whitequark>
lain: tl;dr formic acid preferentially targets optic nerve as it is a blocker of oxidative phosphorylation and long thin nerves rely on mitochondria to get mitochondria replaced in their distal (relative to the soma) part
<whitequark>
anything else that interferes with oxidative phosphorylation will have the same effect, ex.: H2S
<whitequark>
you can look up what IPA metabolizes into, my battery is nearly empty
<whitequark>
I think it does get cleaved after all but am not sure
<whitequark>
azonenberg: I'm not but I've studied history
<azonenberg>
Hmm
<azonenberg>
I wonder how fast i could push the GPIO headers on the zybo
<azonenberg>
i hear a few of those lines are matched pairs but then they break out to 0.1" headers
<azonenberg>
Should be fine out to 100 Mbps though, which is about the limit of my 100 MHz DSO
<nats`>
I pushed them to 720p hdmi
<azonenberg>
oh nice
<azonenberg>
in that case my limiting factor is probably my scope
<nats`>
yep :D
<azonenberg>
doesnt matter how clean the eye is if i can't see it :p
<nats`>
certainly
<nats`>
in fact you could with a sampling scope :)
<azonenberg>
yeah but i dont have one :p
<azonenberg>
oh also
<nats`>
I repaired one recently, got it on ebay
<azonenberg>
Do you have a greenpak devkit?
<nats`>
CSA803
<nats`>
nop
<azonenberg>
Hmm, ok
<azonenberg>
i may have to bang up a breakout or something before sending you this board to test then
<nats`>
I would like to play with it but time and money are running low :D
<nats`>
ok keep me posted because I'm in the middle of changing job
<azonenberg>
Because i use a greenpak in some of the protection circuits
<azonenberg>
Ok
<nats`>
the next one has an even better lab !
<azonenberg>
:D
<nats`>
slowest big scope but a lot of stuff like sampling scope SA VNA etc
<nats`>
even pulse generator :)
<azonenberg>
What i want is a GHz range AWG
<azonenberg>
:p
<nats`>
awg ?
<azonenberg>
arbitrary waveform generator
<nats`>
ahh :)
<azonenberg>
or at least a PRBS generator out to a few Gbps adjustable from like <1 to 5V p-p
<nats`>
they have some of them too :D
<nats`>
anyway you have my email if I'm not too present on IRC don't hesitate to ping with it :)
<azonenberg>
Also bad news from analog devices
<azonenberg>
i heard back from a FAE
<azonenberg>
The absolute max ratings are both pulsed and sustained
<azonenberg>
So basically my protection isn't tight enough
<azonenberg>
(Even though it was supposed to be)
<azonenberg>
So now i have to figure out why it's not clamping as far as it was supposed to
<azonenberg>
Looks like the protection diodes are specified for 50 mA peak
<azonenberg>
Welp
<lain>
regarding high speed over .1" headers, see: ethernet over barbed wire