
Archive for the 'Bit Bucket' Category

BadUSB and the Hidden Microcontroller


BadUSB – what is it, and why is it scary? If you know something about microcontrollers and low-level electronics, the import of the recently-published BadUSB vulnerability is obvious and alarming. It destroys our nice little abstraction of external data storage being just a huge buffer of bytes, and reveals the microcontrollers and other control mechanisms underpinning it. And as it turns out, those control mechanisms have some properties that can turn them into a virtually unstoppable malware juggernaut.

On every USB device from keyboards to thumb drives to web cameras, there’s a simple microcontroller that runs the hardware. It’s this microcontroller that actually talks to your PC, and processes keystrokes or fetches data from flash memory. Normally this microcontroller is invisible to the operating system and any programs running on the PC: they just send USB commands to the device, and get USB data back. The microcontroller is the invisible man in the middle, executing those USB commands.

Like your Arduino or any other microcontroller, the microcontroller on a USB device has its own simple control program called firmware. The firmware is authored by the USB device manufacturer, and is typically stored in a special non-volatile buffer in the microcontroller itself. But just like your Arduino, this firmware can be updated. And here’s where it gets scary.


A traditional piece of malware might scan your attached USB devices, looking for any that use a particular controller chip it knows how to infect. When it finds one, this malware could silently update the microcontroller firmware on that device. If the device is a USB thumb drive, the modified firmware might include a new behavior that does on-the-fly modification of every file retrieved from the thumb drive’s mass storage memory, attaching a virus. Boom! That thumb drive will now instantly infect any computer it’s plugged into. But unlike a virus stored as a regular file in mass storage, it can’t be deleted. Erasing or reformatting the contents of the thumb drive will have no effect.

OK, that sounds bad. But maybe anti-virus programs could be upgraded to scan the firmware on attached USB devices and look for known evil USB firmware. Sounds good, but it’s not possible. The firmware of a USB device can typically only be read back with the help of that same firmware, if at all: A malicious firmware can spoof a legitimate one. For all practical purposes then, evil USB firmware is undetectable.

The range of possible exploits from evil USB firmware is very broad, and silently attaching a virus to every file retrieved from mass storage is just one example. Because the evil USB firmware can identify itself as a different type of device than it truly is, or even as a hub with multiple fictional devices, all sorts of crazy scenarios are possible. The researchers who first published the vulnerability described several possible exploits, including generating fake keyboard/mouse input, stealing passwords, redirecting network traffic, and even breaking out of a virtual machine.
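
A device that starts identifying itself as a different type has one host-visible symptom: the interfaces it declares at enumeration change. As an added example (not code from the original post), this Python check compares the interface classes Linux exposes under /sys/bus/usb/devices against a recorded baseline. It does not read firmware, the vendor/product/serial fields it keys on are themselves reported by the device, and the device values shown are constructed.

```python
"""Flag USB devices whose declared interfaces differ from a recorded baseline,
e.g. a thumb drive that now also enumerates as a keyboard (sysfs-style input)."""
import tempfile
from pathlib import Path

CLASS_NAMES = {0x02: "CDC", 0x03: "HID", 0x08: "mass storage", 0x09: "hub"}
# Classes that can inject input or carry network traffic once enumerated.
HIGH_RISK = {0x02, 0x03, 0x0A, 0xE0}
IFACE_ATTRS = ("bInterfaceClass", "bInterfaceSubClass", "bInterfaceProtocol")

def _attr(path, name, default=""):
    f = path / name
    return f.read_text().strip() if f.is_file() else default

def scan(root):
    """Return {(vid, pid, serial): {(class, subclass, protocol), ...}}."""
    devices = {}
    for dev in sorted(Path(root).iterdir()):
        if ":" in dev.name or not (dev / "idVendor").is_file():
            continue  # skip interface nodes and entries that are not devices
        key = tuple(_attr(dev, a) for a in ("idVendor", "idProduct", "serial"))
        devices[key] = {
            tuple(int(_attr(intf, a, "0"), 16) for a in IFACE_ATTRS)
            for intf in dev.glob(dev.name + ":*")
        }
    return devices

def compare(baseline, current):
    """Return (key, severity, message) for every deviation from the baseline."""
    findings = []
    for key, ifaces in sorted(current.items()):
        if key not in baseline:
            findings.append((key, "info", "device not in baseline"))
            continue
        for cls, sub, proto in sorted(ifaces - baseline[key]):
            severity = "alert" if cls in HIGH_RISK else "warn"
            name = CLASS_NAMES.get(cls, "class 0x%02x" % cls)
            findings.append((key, severity,
                             "new interface: %s (%02x/%02x/%02x)" % (name, cls, sub, proto)))
    return findings

def make_tree(root, devices):
    """Write a constructed sysfs-like tree: {name: (vid, pid, serial, [ifaces])}."""
    for name, (vid, pid, serial, ifaces) in devices.items():
        dev = Path(root) / name
        dev.mkdir()
        for attr, val in (("idVendor", vid), ("idProduct", pid), ("serial", serial)):
            (dev / attr).write_text(val + "\n")
        for n, triple in enumerate(ifaces):
            intf = dev / ("%s:1.%d" % (name, n))
            intf.mkdir()
            for attr, val in zip(IFACE_ATTRS, triple):
                (intf / attr).write_text("%02x\n" % val)

def demo():
    # Constructed sample: one stick before and after it gains a keyboard interface.
    stick = ("abcd", "1234", "CONSTRUCTED0001")
    storage, keyboard = (0x08, 0x06, 0x50), (0x03, 0x01, 0x01)
    with tempfile.TemporaryDirectory() as old, tempfile.TemporaryDirectory() as new:
        make_tree(old, {"1-1": stick + ([storage],)})
        make_tree(new, {"1-1": stick + ([storage, keyboard],)})
        return compare(scan(old), scan(new))

if __name__ == "__main__":
    for key, severity, message in demo():
        print(severity, ":".join(key), message)
```

On a real Linux host, `scan("/sys/bus/usb/devices")` produces the same structure, which can be saved as the baseline and compared on each hotplug event.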

At present, there appears to be very little that anyone can do to protect against this vulnerability, to detect it, or to remove it. A true fix would require a fundamental change to the way USB devices operate, and even then billions of older USB devices would remain vulnerable for years to come.


I, For One, Welcome Our New Raspberry Pi Overlords


%#@&$! Raspberry Pi! I’ve been a Raspberry Pi hater since they first appeared on the electronics hacking scene a few years ago. I had no strong reason for disliking the Pi, but something about it just bugged me. It was too cute and trendy. It felt like a new kid forcing its way into the clubhouse of ATMegas and PICs and Propellers, trampling everything with well-meaning but misplaced enthusiasm. The media portrayal of the Pi bugged me too. It was constantly compared with the Arduino, but the Pi isn’t even really the same class of device. It’s a full-on desktop computer, with a Linux operating system, USB mouse and keyboard, ethernet, and HDMI video. I thought it would make as much sense to write articles comparing Arduino to the MacBook Air.

Part of my dislike for the Raspberry Pi was also a grumpy old man conviction that it was just too easy. “Back in my day,” I’d say, “we didn’t have your fancy operating systems and scripting languages and network adapters. If we wanted to code on an embedded microcontroller, we had to use bootloaders and cross-compilers and bit shifters and registers named UCSR1A. Now get off my lawn!”

You can probably guess where this is going: I finally gave in to the march of progress, and built some experiments with a Raspberry Pi. And despite my initial reticence, I have to say that Raspberry Pi tastes pretty good!

 
A First Taste of Raspberry Pi

My first Pi project was an electronic symphony orchestra, derived from an article in Make Magazine. I connected a few external pushbuttons on a breadboard, and wrote a Pi program to play various instrument sounds when the buttons are pushed. I also created an on-screen GUI showing what instruments are currently playing, and you can click on an instrument’s picture to make it play through the UI. Pretty neat! Maybe it could evolve into some kind of Pi-based jam box.

So how is Raspberry Pi development similar to working with a PIC or ATMega (or the ATMega-based Arduino), and how is it different? What kinds of projects are best suited to each platform?

Both the Pi and the Arduino are self-contained computing boards, about the size of a deck of playing cards, with a price around $30. Both have a bunch of general-purpose I/O pins that can be connected to external buttons, LEDs, sensors, LCD screens, motors, etc. Manipulating those I/O pins from software is easy on either platform:

 

Raspberry Pi LED blinking, in Python
import time
import RPi.GPIO as GPIO

GPIO.setmode(GPIO.BCM) # pin numbers are Broadcom GPIO numbers
GPIO.setup(10, GPIO.OUT) # configure pin 10 as an output
while True:
  GPIO.output(10, True) # LED on
  time.sleep(1)
  GPIO.output(10, False) # LED off
  time.sleep(1)

 
Arduino LED blinking, in C
void setup()
{
  pinMode(10, OUTPUT); // configure pin 10 as an output
}

void loop() // runs repeatedly, forever
{
  digitalWrite(10, HIGH); // LED on
  delay(1000);
  digitalWrite(10, LOW); // LED off
  delay(1000);
}

 
Looks similar enough, although the preferred programming language for Raspberry Pi development is Python, rather than C. It’s certainly possible to write Pi programs in C, but you’ll be swimming against the current, as virtually every common Pi library and example project is Python based.

While these code snippets appear similar, look beyond the LED blink example and you’ll discover that developing for the Raspberry Pi is a completely different experience from the Arduino. With the Arduino, you write your program using an editor that runs on a Mac or PC. Then you push a button, and your code is sent over a cable to the connected Arduino, where it runs. Contrast this with the Raspberry Pi, where you can write your program using a graphical editor running on the Pi itself, in a full-blown Linux operating system. You can hook the Pi to an HDMI monitor, or view its virtual display using remote desktop software.

The significance of having a tiny but full-featured computer may not be clear from an LED example, but how about playing a sound when a button is pushed?

 

Raspberry Pi Sound Trigger
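import pygame
import RPi.GPIO as GPIO

GPIO.setmode(GPIO.BCM) # pin numbers are Broadcom GPIO numbers
GPIO.setup(10, GPIO.IN) # configure pin 10 as an input
pygame.mixer.init() # start the audio mixer
trumpet = pygame.mixer.Sound("trumpet.wav") # load the sound file
while True:
  if GPIO.input(10): # is the button pressed?
    trumpet.play() # you're Louis Armstrong!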

 
Arduino Sound Trigger
// buy a wave shield?

 
How about logging an 8-bit digital sensor value to a web server every 60 seconds?

 

Raspberry Pi Sensor to Web Logger

import time
import urllib.request
import RPi.GPIO as GPIO

GPIO.setmode(GPIO.BCM) # pin numbers are Broadcom GPIO numbers
for i in range(8):
  GPIO.setup(10+i, GPIO.IN) # configure pins 10-17 as inputs
while True:
  time.sleep(60)
  sensor = 0
  for i in range(8): # build a byte from the 8 input bits
    sensor = sensor * 2
    if GPIO.input(10+i):
      sensor += 1
  url = "http://api.mylogserver.com/logdata.php?value=" + str(sensor) # log it using HTTP GET
  response = urllib.request.urlopen(url).read()

 
Arduino Sensor to Web Logger
// umm...

 
How about any kind of physical computing project that can benefit from easy access to sound, video, USB, a file system, or internet? Send a tweet when your toast is ready. Stream data from an SD memory card to a GPS chip. Use a mouse to control a robot. All these things could probably be done with a traditional microcontroller like an Arduino too, but would need extra hardware and complicated software. The Raspberry Pi makes this kind of work easy – almost too easy. And I didn’t even mention the huge advantage in RAM space and CPU speed that it has over traditional microcontrollers. It’s not hard to see why the Raspberry Pi has become so popular. Yes, the Pi is overkill for many simple projects, but if it’s no bigger nor more expensive than the alternative, why not?

Arduino – It’s Not Dead Yet

For all the advantages of the Pi, there are still some situations where a good old Arduino or bare ATmega or PIC makes more sense. If your project has time-critical behaviors or requires specialized low-level hardware functions then you’re probably better off with an Arduino. An Arduino program is the only thing running on that hardware, so you can rely on fast, deterministic timing of I/O events. If you need to set pin 10 high exactly 20 microseconds after pin 9 goes low, you can do it on the Arduino, but the vagaries of the Pi OS’s task scheduling prevent this kind of precision. Likewise if you want something like super-fast pin change interrupts, a hardware watchdog, or advanced use of serial protocols like I2C, the Pi isn’t the best choice.

If you need a device that’s “instant on”, then you’ll be disappointed with the Raspberry Pi. An Arduino based project can be up and running within milliseconds after the power is turned on, but my Pi takes about 40 seconds to boot. Then it dumps me to a login prompt, and finally I have to run my program manually from the command line. You can edit a config file to skip the login and auto-start a specific program after boot-up, but it’s a little cumbersome and you’ll still be waiting 40 seconds.

Need analog inputs? Too bad, because the Pi doesn’t have any. You can use external solutions like this 8-way A-to-D converter with SPI interface, but reading an analog sensor is definitely more hassle on a Raspberry Pi than an Arduino.

What about battery-based projects? In sleep mode, the power consumption of an ATmega microcontroller can be tiny – in the microamps range. My Backwoods Logger ran off a single 3 volt coin cell battery for two years! In comparison, the Raspberry Pi is a huge power hog.

If these issues are important for your project, then stick with a traditional microcontroller. But if not, give the Raspberry Pi a try. I think you’ll be surprised how easy it is to build something exciting!

 
3.1415926535

Now it’s your turn. What kind of microcontroller do you use for your projects? What are the Raspberry Pi’s biggest strengths and weaknesses? What does the future hold for embedded computing boards like these?


BMOW on RetroMacCast Show


Burning through my 15 minutes of fame, I was the featured guest on this week’s episode of the RetroMacCast show – listen to it here. RetroMacCast is a weekly podcast about vintage Macintosh systems, software, and collectibles. Hosts James and John have been doing this since (at least) 2008! They were kind enough to invite me to this week’s show, where we discussed Floppy Emu, Plus Too, Tetris Max, and my other Apple-related hacks.

This recording prompted an interesting side-discussion: have I been mispronouncing “Floppy Emu” for the past two years? Is it “emyoo” (short e + myoo, as in ’emulator’), “eemyoo” (long e + myoo, a flightless Australian bird), or “eemoo” (long e + moo, an electronic cow sound)?


Drag Soldering for Surface Mount Chips

I’ve seen many people look at surface mount chips, with their tiny sub-millimeter pin spacing, and assume it’s impossible to hand solder them without special tools and equipment. I used to believe it myself, but fortunately for us hobbyists, it’s actually quite easy to hand solder most SMT chips with nothing but a standard soldering iron!

The video above shows how I use the drag soldering technique to solder a 44-pin chip in a typical TQFP package. The chip is only about 1 square centimeter, so those pins are tiny. Attempting to solder them one at a time in through-hole style will never work. Instead, the trick is to use the magic of flux and the surface tension of solder to do the hard work for you. Once you get the hang of it, it’s as easy or easier than soldering a through-hole component.

The process begins by applying a liberal amount of flux to the pads, then positioning the chip on top. I use a pencil eraser to hold the chip steady while I tack down a couple of pins with a blob of solder from my iron. If some pins accidentally get bridged together while tacking them down, it’s OK. Next, I apply more flux to the sides of the chip, wetting both the pins and the pads underneath. The final step is to lay a few millimeters of solder onto the pins at the edge of a row, then use the iron to melt it and drag the molten solder blob horizontally across all the pins in the row. It seems as if that should bridge every single pin together into a giant mess, but with enough flux the solder will magically stick only to the pins and pads, without creating any bridges between them. It’s fun to watch!

Most of the time, I’m able to solder all 44 pins with this technique without creating any bridges. If I do create a bridge, I can often fix it by applying more flux and then briefly heating the bridged pins with the iron. The video shows how to recover when that trick doesn’t work: a piece of solder wick (a braid of thin copper wire) can be laid on top of the bridge, with the iron laid on top of the wick, and the excess solder will be sucked up into the wick and leave a clean joint behind.


International Shipping Meltdown

US Post Office, what are you doing to me? The USPS Click-n-Ship service has always been cumbersome, but it’s the only practical way to mail packages outside the USA via First Class Mail, which is the only way to send packages economically. Over the weekend the post office revamped the site, and now I’m unable to send any packages by First Class Mail. This leaves me with a choice between increasing my international shipping fee by 2x, or withholding all international shipping until some other solution is found. At the same time, the post office changed the method of address entry for most countries, so it’s no longer a free-form text entry, but a series of drop-down menus. If the city or postal code in your package’s address isn’t one of the choices provided, too bad.

In last month’s rant about international shipping headaches, I mentioned some of the problems I’ve encountered. Addresses must be formatted a particular way, regardless of whether that’s how they’re normally formatted in the destination country. Only numbers or the 26 letters from A to Z are permitted in the address. If the address is supposed to contain an accented letter, or any non-Roman letters like something from the Japanese or Korean alphabets, too bad. This is the US Postal Service. We don’t do accents.

The recent move to drop-down menus for composing the address makes matters even worse. Today I tried to send a package to the UK: destination Uxbridge, London, UB11 1BB. Look at the screenshot above, and you’ll see that I’m required to select a province before I can fill in the rest of the address. I wasn’t aware the UK even had the concept of provinces. So what province is London in? Ummm, England? Nope, that’s not a choice. Let’s see, British geography quiz, this should be fun. According to the post office, the city of London is in the province of… London! But then I had to choose a city (which should be obvious), given a list of 10 choices including “London”, “London West Depot Collection”, “Finchley Road”, and “Westminster”. Ugh. And no matter which one I chose, UB11 1BB was never offered as a choice for postal code. Total failure. I simply cannot mail a package to this address, using this service.

Then I discovered that the interface for choosing the shipping method has also changed. It used to be that you’d enter the package address, then on the next page you’d see a list of shipping methods including First Class, Priority Mail, and Priority Express. Now it’s a Javascript-enabled form that dynamically changes to show you the applicable shipping methods for the address as you type it. At least that’s the theory. In practice, it only ever shows Priority and Priority Express as choices. At first I thought this might reflect a change in policy for international shipping, but then I discovered that the same problem occurs when printing postage for domestic packages. RIP, First Class Mail?

I went to the local post office, waited in line, and spoke to an employee who assured me that First Class International was still a valid shipping method, and she was able to send the package to London UB11 1BB without problems. But it required almost an hour of my time, driving to the post office, waiting in line, and filling out customs declaration forms by hand, and it also cost 10% more than purchasing the same postage online by Click-n-Ship used to.

I’m not sure of the best way to get this resolved. I tried Click-n-Ship’s live support feature, but got a generic error asking me to try again later. I spent an hour on hold waiting to talk to tech support before hanging up in frustration. Under the theory that maybe it was a browser bug, I tried Internet Explorer instead of my normal Chrome, but that didn’t help. Maybe there’s something about the address and package details I’ve entered that rules out First Class mail as a choice, so it’s never shown as an option? I don’t think so, though.

At this point, I think my only option is to hope that this is a bug and not a policy change, and hope that it magically gets fixed in the next few days. If not, I may have to start shipping international packages by Priority Mail, and charging substantially more for international shipping than I have been thus far. I sure wish the post office weren’t such an inscrutable bureaucracy, or that any of the other carriers like FedEx offered reasonably-priced options.

Edit: It looks like First Class International postage has been fixed! Thank you, USPS web programmers. My apologies to everyone who suffered through my rant. Now if I can only figure out how to ship to London UB11 1BB…

Edit 2: Choose “other” from the Province drop-down menu, then you can type in whatever you want without needing to follow the post office formatting.


Making a Difference

It’s time for a change. I’ve made a lot of interesting software in my life, and built some fun hardware projects, but none of it was especially useful in the big scheme of things. The past year has seen lots of flux in my personal and professional lives, sending my thoughts in new directions, and I’ve been wondering why smart tech-minded people focus so overwhelmingly on building random web sites and gizmos instead of something that might do real good in the world. Check out this list of AngelList startups: I could almost write those business summaries with a buzzword generator script.

I get it: saving the world doesn’t really pay the bills, and people need the lure of a big payout to justify all the time and hard work they put in. Business, communication, and entertainment are all vital and noble pursuits. Isn’t making a difference in someone’s life noble too? When such huge numbers of the world’s best and brightest devote their energies to projects like “a smarter restaurant menu for smartphones”, doesn’t that seem, well, wrong? Like if you were an alien newly arrived on Earth, and observed how humanity’s technology efforts were focused, you’d just scratch your head and say WTF?

So I’ve been thinking about ways I can make a difference, with my brain and my hands. I’m pretty comfortable with writing software, and not too bad at making hardware, so there’s got to be something I can do. I’m casting my net pretty wide, considering everything from the rural poor (as in the video above), to the elderly, the disabled, the sick, and anyone with needs more pressing than “my phone charger won’t reach my bed”. I’m just one guy without a lot of resources, but you’ve got to begin somewhere, right?

My biggest challenge is knowing where to start, and what kinds of problems need solving. I have no first-hand experience with the day-to-day trials of people confined to a wheelchair, or people living beyond the reach of electricity and clean water, or any other groups outside my own circle of friends. So I’ve been searching around for ideas and inspiration to help get myself launched. Here are a few projects I found that resonated with me.

Sip and Puff Joystick – I first heard about this a year or two ago. It’s basically a one-man operation, building mechanical interfaces to enable quadriplegics to use game controllers for the Xbox and Playstation. Helping people to play video games may not seem like “making a difference”, but in this case I’ll argue that it is. If you’re a young person who’s left by accident or illness with no good way to interact with your friends, those friendships may wither and die. Being able to compete with others and keep a social life going is HUGE.

Gravity Light – The first time I saw this, I literally slapped my head. Why didn’t I think of this? It’s a super-bright LED light, powered by a falling weight. Hang it from the ceiling, fill the weight bag with a few pounds of dirt, lift the weight, and illuminate the room for 30 minutes. There’s no need for mains electricity, no battery system like you’d need for a solar kit, and no harmful indoor pollution from a kerosene lamp.

Contact Lenses for Diabetics – This was a Google project, not something from a solo inventor, but it hit the news recently and got me thinking. The promise of a “smart” contact lens to monitor blood sugar levels (instead of a finger prick to draw blood) sounds like a real step forward. Though one diabetic scolded Google for a well-intentioned but misplaced effort, since the majority of the world’s diabetics lack the money and access to medical care needed to benefit from this project.

Philips LightAide – My wife brought this home from work yesterday, and to be honest I’m not exactly clear what it does, but it’s an LED light board intended for kids with vision and cognitive difficulties. It’s certainly part of the “tech to make a difference” space, and I’ll try to learn more about it.

Smartphone Interface for the Blind – On several past occasions, I’ve wondered how blind people make use of iPhones and other smartphones. Is it even possible? Are voice recognition and text-to-speech enough? The smartphone has become a nearly indispensable tool for many, so it’s a cruel irony that its featureless glass screen is actually worse than an old phone’s from the blind’s standpoint. What if the screen had a dynamic tactile interface, maybe some kind of Braille peripheral that plugged into the phone?

What similar projects have made you think “aha!”? Got any great ideas of your own for something that would make a difference?

 

