Gaming


zelda.jpg

Over a decade ago, I remember printing out and reading a text by Aleph1 entitled Smashing the Stack for Fun and Profit. Back then, stack-based buffer overflows were a hot topic and the tide was turning as programmers began to realize that relying on the null terminator to end a string was not a safe practice and that bounds checking was becoming necessary for security-minded programs.

The issue was that many programmers were used to using a function like strcpy() to copy a string from one memory location into a fixed-size buffer on the stack. strcpy() simply starts copying from the supplied source address and stops when it reaches a null character, with no knowledge of how much space was allocated at the destination. As a result, parts of the stack that did not belong to the "local" variable, such as the saved return address of the function, could be overwritten with arbitrary values. With a properly formatted string, executable code could even be placed somewhere on the stack and the return address overwritten so that this code would run when the function returned, for fun and profit, as they say. Programmers became wiser and started using strncpy() instead, which copies at most a fixed number of bytes and therefore guarantees that the destination buffer is not exceeded (with the caveat that strncpy() does not null-terminate the result when the source is at least as long as the limit, so the terminator has to be written explicitly). Furthermore, most modern operating systems can now mark the memory dedicated to the stack as non-executable, so the routine above would be foiled. Individuals have found ways around these protections, for instance by returning into code that is already executable; however, the stack smashing exploit as described by Aleph1 has mostly been considered a thing of the past.

I use the term mostly because Nintendo has preserved the knowledge, and allowed practice, of this exploit with the release of the latest Zelda game for the Wii. Through a cleverly crafted save file, the name of the main character's horse can contain a string of the kind described above and lead to execution of arbitrary code. There are a few tricks involved in keeping the save file valid; however, after a decade the above exploit lives on, almost in the same form as Aleph1 described it.
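The pattern described above, reduced to an added example that is my own model and not code from the original post or from the Twilight Princess hack: a stack frame is modelled as one flat byte array holding an 8-byte name buffer immediately followed by the saved return address, so an unbounded strcpy() can be watched landing on the return address while a bounded copy cannot. The frame layout, the SAVED_RET value, the 0xDEADBEEF payload and the function names are assumptions for illustration; nothing here transfers control anywhere.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Model of the frame Aleph1 describes: an 8-byte name buffer followed by
 * the 4-byte saved return address.  Everything lives in ONE array, so the
 * demonstration never writes outside an object and runs cleanly on a modern
 * compiler while still showing the adjacency that makes the overflow work. */
#define NAME_LEN  8                    /* bytes reserved for the name */
#define RET_OFF   NAME_LEN             /* saved return address sits right after it */
#define FRAME_LEN (NAME_LEN + 4 + 8)   /* plus slack standing in for the caller's frame */

/* Hypothetical "legitimate" return address stored in the model frame. */
#define SAVED_RET 0x08048ABCu

static void put_le32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)v;         p[1] = (uint8_t)(v >> 8);
    p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

static uint32_t get_le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Vulnerable pattern: strcpy() copies until it meets a NUL and has no idea
 * that only NAME_LEN bytes were reserved.  Returns the saved return address
 * as it reads after the copy.  The length guard only protects the model
 * array itself; it is not part of the pattern being demonstrated. */
uint32_t unsafe_set_name(const char *name) {
    uint8_t frame[FRAME_LEN];
    memset(frame, 0, sizeof frame);
    put_le32(frame + RET_OFF, SAVED_RET);
    if (strlen(name) >= FRAME_LEN)
        return 0;
    strcpy((char *)frame, name);       /* no bound: runs past NAME_LEN if name is long */
    return get_le32(frame + RET_OFF);
}

/* Hardened pattern: copy at most NAME_LEN - 1 bytes and write the terminator
 * yourself, because strncpy() does not add one when the source fills the limit. */
uint32_t safe_set_name(const char *name) {
    uint8_t frame[FRAME_LEN];
    memset(frame, 0, sizeof frame);
    put_le32(frame + RET_OFF, SAVED_RET);
    strncpy((char *)frame, name, NAME_LEN - 1);
    frame[NAME_LEN - 1] = '\0';
    return get_le32(frame + RET_OFF);
}

/* The strncpy() caveat in isolation: returns 1 if a NAME_LEN-byte buffer is
 * NUL-terminated after strncpy(buf, name, NAME_LEN), 0 if it is not. */
int strncpy_terminates(const char *name) {
    char buf[NAME_LEN];
    memset(buf, 'X', sizeof buf);
    strncpy(buf, name, NAME_LEN);
    return memchr(buf, '\0', NAME_LEN) != NULL;
}

int main(void) {
    /* Constructed "horse name": 8 filler bytes, then the bytes of 0xDEADBEEF. */
    const char *evil = "AAAAAAAA\xef\xbe\xad\xde";
    printf("strcpy, short name : saved ret = 0x%08" PRIx32 "\n", unsafe_set_name("Epona"));
    printf("strcpy, long name  : saved ret = 0x%08" PRIx32 "\n", unsafe_set_name(evil));
    printf("bounded, long name : saved ret = 0x%08" PRIx32 "\n", safe_set_name(evil));
    printf("strncpy terminated 'AAAAAAAA'? %d\n", strncpy_terminates("AAAAAAAA"));
    return 0;
}
```

The long name leaves 0xDEADBEEF where the return address was; the bounded copy leaves SAVED_RET intact. The last call shows why strncpy() alone is not enough: an 8-byte source into an 8-byte buffer leaves no terminator, and the next strlen() or printf("%s") on that buffer would read past it.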

( Although the picture is not from the Twilight Princess game, it is a good game nonetheless. )


psp-tv.jpg

NOTE: This is essentially a modification of this setup except I am using a Sixaxis controller and displaying the PSP on a LCD TV.

I have previously mentioned my intention to add an external controller to a PSP; however, I have become quite fond of it and do not want to make it any less portable by adding extra wires and a PS2 controller decoder. If only there were a way to control the PSP with an external controller, all through software, without any hardware tampering. Furthermore, it would be nice if this method were wireless. Unfortunately, the only method that I have found involves illegal modification of the PSP firmware. I am against software piracy and typically uphold license agreements; however, I would also like to be able to occasionally play my PSP on the living room TV using a standard controller. Sony, if you are reading this, please add this feature to the firmware. I mean, you already patented it.

As I mentioned, these steps involve putting modified firmware on the PSP, which is probably against one or more sections of the license agreement, may be illegal, kills puppies, and may render your PSP useless. You will have to figure out how to load custom firmware on your own. You will also need iR Shell.

At this point, the computer that will be connected to the PSP (over USB or Wi-Fi) will need a joystick controller. Anything that the OS recognizes will probably do; I used a PS3 Sixaxis with Windows XP. The instructions to get the Sixaxis working with XP are found here. One addition I would make is that the ps3sixaxis_en.exe file seems to need to be run once, and the PS button pressed once, every time the Sixaxis is connected to the PC's USB port.

The usbhostfs and nethostfs packages must now be downloaded to the target PC to provide the keypad redirection. The two packages come as zip archives and can be extracted to the same directory. First, run joytest.exe to make sure that the PC can see you pressing buttons on the Sixaxis. If it does not, try pressing the PS button (with the controller connected to the USB port). Once the controller is identified, run joymap.exe to create a key map file for the Sixaxis. The syntax I used was 'joymap 0 ps3.map', where 0 selects joystick 0 and ps3.map is the output filename. Both the analog and digital direction pads must be mapped to joysticks. Be careful where EXIT is mapped, as it will end the game you are playing and return you to the shell. Finally, nethostfs must be run to listen for a connection from the PSP and drive the keypad. The syntax I used was 'nethostfs -s -l pass123 -1 ps3.map', where -s tells it to redirect the keypad, -l pass123 sets the authentication password to pass123, and -1 ps3.map maps the first joystick using the previously created map file. Since nethostfs sits listening on the network for the PSP, pick a password of your own rather than the example one, and do not leave the listener running on Wi-Fi you do not control.

Finally, we can configure the PSP. Once iR Shell is booted on the PSP, run the configuration/setup item on the bottom row. The important things to change are to enable keypad redirection to nethostfs, to set the nethostfs AP to the IP address of the machine with the Sixaxis, and to set the nethostfs password. This assumes that the default ports are used. We can now test the setup by starting nethostfs from the main iR Shell screen and verifying that the cursor can be moved with the Sixaxis. The last step is to enable TV output on the PSP by holding down the left trigger and right on the directional pad, and then to start the game UMD from the iR Shell screen.

At this point there are two limitations: the TV-out through iR Shell does not scale to the whole screen properly, and I am using the Wi-Fi connection in infrastructure mode. The first means that the video does not fill the LCD screen on the TV; the second adds a little latency to the controls. The latency may be reduced by using ad hoc mode between the PC and PSP, or by using a USB cable with usbhostfs instead of nethostfs altogether.

At this point, I doubt that I will ever complete the PS2 controller to PSP interface that I previously mentioned, since this works well enough and I am finding that playing the games on the PSP is not so bad. I have some of the basic interface code worked out under LabVIEW and may eventually end up putting a PS2 controller on some other device. Enjoy!

( YouTube video )


ps2-ee-small.jpg

This week, we have the PlayStation 2 Emotion Engine. While doing some background research, I came across this nice article by Rambus on the design of the PS2 memory subsystem. On a side note, I had to subject this chip to an acid bath twice so as not to risk cracking it when removing the die from the package. The problem was that some of the surface scratches had actually removed part of the top metal layer and exposed some of the chip's innards. Next time I run into a chip that is mostly metal on top, I may try to exploit this technique to remove some of the cover. I might also try the UV laser that my department just bought.

ps2-ee-4x-stitch.jpg

ps2-ee-40x-stitch1.jpg

ps2-ee-40x-stitch2.jpg

ps2-ee-40x-03.jpg ps2-ee-40x-02.jpg ps2-ee-40x-01.jpg


psoc-ps2.jpg

As per my previous post, I have started working out the waveforms to interface a Sony DualShock 2 controller. I decided to go with a Cypress PSoC instead of a standard 8051 because it has a built-in SPI controller, which saves me from bit-banging the serial protocol. The downside is that the development suite does not include a C compiler, but that is all right; I am pretty good with assembly. In the process of setting this board up and testing a few things, I found the embedded systems section of Wikibooks quite useful. The whole electrical engineering section looks pretty good. The pages can be edited by anonymous readers just as easily as Wikipedia; however, I have not found anything terribly wrong in the limited time I spent looking at the site. Overall, it seems like a decent place for beginners to learn and for experts to contribute.


img19_psp_broken.JPG

Ever since I learned to make truckloads of money on the internet, I have been mulling over the idea of buying myself a slim PSP. The main motivation for the purchase would be a few fun games that are PSP exclusives. The problem is that I don't have any use for the portable aspect of the system and would actually prefer to keep it plugged into the TV. The slim PSP has component output capability; however, you still have to hold the device to play it. While looking at Hack A Day, I saw several ( 1 ) ( 2 ) methods to augment the inputs on the PSP, all involving wiring buttons and potentiometers directly to the PSP mainboard. A better option would be to attach a PlayStation 1/2 controller port to the PSP so that a wireless PS2 controller can be used. Luckily, Jameco has some tutorials on communicating with the controller. I guess it's a good time to get back to work with that 8051 board I built some time ago and see if I can get the interface to work.
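The host side of the controller exchange that this post and the PSoC post above are working towards, as an added example rather than the author's firmware or anything from the Jameco tutorials. It follows the commonly documented PlayStation controller bus: ATT pulled low, a clock of roughly 250 kHz idling high, bytes shifted LSB first, and the controller returning a data byte for every command byte the host sends. The function names, the constructed response bytes and the motor byte positions are this example's own assumptions; the button bit layout and ID byte meaning are the ones the public protocol write-ups give.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DS2_POLL_LEN 9   /* 0x01, 0x42, 0x00 + 3 data words on an analog pad */

/* Bit positions in the 16-bit mask produced by ds2_decode(): 1 = pressed.
 * Low byte comes from the first button byte, high byte from the second. */
enum {
    DS2_SELECT = 1 << 0,  DS2_L3 = 1 << 1,    DS2_R3 = 1 << 2,    DS2_START = 1 << 3,
    DS2_UP = 1 << 4,      DS2_RIGHT = 1 << 5, DS2_DOWN = 1 << 6,  DS2_LEFT = 1 << 7,
    DS2_L2 = 1 << 8,      DS2_R2 = 1 << 9,    DS2_L1 = 1 << 10,   DS2_R1 = 1 << 11,
    DS2_TRIANGLE = 1 << 12, DS2_CIRCLE = 1 << 13, DS2_CROSS = 1 << 14, DS2_SQUARE = 1 << 15
};

struct ds2_state {
    uint8_t  mode;            /* high nibble of the ID byte: 0x4 digital, 0x7 analog */
    uint16_t buttons;         /* bus is active low; inverted here so 1 = pressed */
    uint8_t  rx, ry, lx, ly;  /* stick axes, 0x80 = centre; only meaningful in analog mode */
};

/* The bus is LSB first while many SPI peripherals shift MSB first.  If the
 * hardware cannot be set to LSB-first, run every byte through this. */
uint8_t ds2_bitrev(uint8_t b) {
    uint8_t r = 0;
    for (int i = 0; i < 8; i++) { r = (uint8_t)((r << 1) | (b & 1)); b >>= 1; }
    return r;
}

/* Fill cmd with the 0x42 "poll" command.  0x01 addresses the controller,
 * 0x42 asks for button data; on a DualShock the next two bytes after the
 * 0x00 carry the small and large rumble motor values (once the motors have
 * been enabled in config mode), the rest is padding.  Returns bytes to send. */
size_t ds2_build_poll(uint8_t *cmd, size_t cap, uint8_t small_motor, uint8_t large_motor) {
    if (cap < DS2_POLL_LEN) return 0;
    memset(cmd, 0x00, DS2_POLL_LEN);
    cmd[0] = 0x01;
    cmd[1] = 0x42;
    cmd[3] = small_motor;
    cmd[4] = large_motor;
    return DS2_POLL_LEN;
}

/* Parse the bytes clocked back during the poll:
 *   rsp[0]  0xFF   controller idles while the host sends 0x01
 *   rsp[1]  ID     high nibble = mode, low nibble = 16-bit data words that follow
 *   rsp[2]  0x5A   "ready" marker
 *   rsp[3..4]      two active-low button bytes
 *   rsp[5..8]      RX, RY, LX, LY when the pad reports analog mode
 * Returns 0 on success, -1 if the framing is wrong or len is too short for
 * the word count the controller announced. */
int ds2_decode(const uint8_t *rsp, size_t len, struct ds2_state *out) {
    if (len < 3 || rsp[2] != 0x5A) return -1;
    uint8_t id = rsp[1];
    size_t words = id & 0x0F;
    if (words < 1 || len < 3 + 2 * words) return -1;
    memset(out, 0, sizeof *out);
    out->mode = (uint8_t)(id >> 4);
    out->buttons = (uint16_t)(~((uint16_t)rsp[3] | ((uint16_t)rsp[4] << 8)));
    out->rx = out->ry = out->lx = out->ly = 0x80;
    if (words >= 3) {
        out->rx = rsp[5]; out->ry = rsp[6]; out->lx = rsp[7]; out->ly = rsp[8];
    }
    return 0;
}

int main(void) {
    /* Constructed response: analog pad (0x73), START and CROSS held,
     * left stick pushed left (LX = 0x20).  Not a captured trace. */
    const uint8_t sample[DS2_POLL_LEN] = {0xFF, 0x73, 0x5A, 0xF7, 0xBF, 0x80, 0x80, 0x20, 0x80};
    uint8_t cmd[DS2_POLL_LEN];
    struct ds2_state st;
    ds2_build_poll(cmd, sizeof cmd, 0x00, 0x00);
    if (ds2_decode(sample, sizeof sample, &st) == 0)
        printf("mode 0x%x buttons 0x%04x lx %u\n", st.mode, st.buttons, st.lx);
    return 0;
}
```

Checking the announced word count against the bytes actually received is what keeps a digital pad (ID 0x41, one word) and an analog pad (ID 0x73, three words) from being confused, and it is the check to keep when moving this into PSoC assembly.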

( Broken PSP image is from mylife. )


ps2-gs-small.JPG

This week, we have the Graphics Synthesizer chip from Sony's PlayStation 2 game console. The specs on the chip can be readily found; however, I did not see a published datasheet. I expect the Emotion Engine chip to be imaged in the coming weeks.

ps2-gs-4x-stitch.jpg

ps2-gs-40x-stitch.jpg

ps2-gs-20x-01.jpg ps2-gs-20x-02.jpg ps2-gs-20x-03.jpg

ps2-gs-40x-01.jpg ps2-gs-40x-02.jpg ps2-gs-40x-03.jpg

ps2-gs-40x-04.jpg ps2-gs-40x-05.jpg ps2-gs-40x-06.jpg

ps2-gs-100x-01.jpg ps2-gs-100x-02.jpg ps2-gs-100x-03.jpg

ps2-gs-100x-04.jpg ps2-gs-100x-05.jpg ps2-gs-100x-06.jpg


pingpong.jpg

I spent the first half of today participating in an EEG mu/beta rhythm experiment that tries to differentiate intent for left- and right-hand movement based on a four-electrode montage. This was the first time that I did such a thing and also the first time that my own EEG was recorded. Although there is plenty of optimism around using EEG recordings to control video games, playing Pong (video) is the state of the art. Companies like g.tec already sell hardware ensembles that have enough processing power for at least rough, single-axis position interpretation. The trouble is that a lot of training is involved, and there is still a propensity for misclassification if the data are analyzed in real-time movement tasks where there is intent but no well-defined success criterion. I am hoping to do more BCI experiments and will hopefully have more things to report. Below is a plot of the results of my best trial, where I had to think about moving either my left or right arm as instructed by the computer. Note that the classification error drops to almost 8% between 4.5 and 5 seconds after experiment initiation, with the instruction being given between 2 and 4 seconds. Since this is technically a single-axis discrimination, I think I may be ready to play some neuro-pong!

nvc1-8-2007.JPG


saturn.jpg

Someone handed me a Sega Saturn without a video cable this evening (thanks, Craigslist). Since I wanted to add it to my 32-bit gaming system collection, this problem had to be remedied. The one helpful fact is that the audio/video cables for game systems are generally purely passive. That is, the system has pins on the A/V connector for all of the supported outputs, and it is just a matter of routing the right pins to the right video connector. Some designers get clever and add simple components that let the system identify what kind of cable is attached, as on the original Microsoft Xbox, which can then be used to add functionality to the device such as a reset button. Here is the pin diagram for the Saturn's A/V connector. While looking for it, I accidentally found a PIC16F630-based hack that lets you toggle between 50 Hz and 60 Hz video output (PAL/NTSC).


tekken_1_game_cover.jpg

I spent a little more time testing my electrocardiogram system last night. This time I tested it at home with the National Instruments USB acquisition unit. I tried to get a baseline ECG and then collected data while playing Tekken 5: Dark Resurrection. The signals looked terrible compared to what I saw in the lab with the oscilloscope; however, a heart rate could be made out. I will spend some time in the coming weeks making my portable system work as well as the lab setup. A schematic will be available once I take care of some of the noise issues. The PDF below is a side-by-side plot comparing ten seconds of baseline to ten seconds of Tekken play, averaging 60 BPM in the former and 80 BPM in the latter. The two text files hold the data for both sets. They are ASCII files with two columns: the left column is a millisecond time stamp and the right column is the recorded voltage.

( baseline-vs-tekken.pdf ) ( baseline.txt ) ( tekken.txt )
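A reader for the two-column format those text files use, with a simple beat detector on top, as an added example that is not the author's analysis code. Lines are "time_ms voltage"; a beat is counted at each upward crossing of a threshold after a refractory period, and the rate comes from the span between the first and last detected beat. The threshold (0.5 V), the 250 ms refractory period and the synthetic recording built by ecg_synth() are assumptions for the example, chosen so the two constructed sets come out at the 60 and 80 BPM the post reports; a real trace from the noisy home setup would need the threshold tuned to its R-wave amplitude.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Parse "<time_ms> <volts>" lines, count beats as upward crossings of
 * `threshold` separated by at least `refractory_ms`, and return the number
 * of beats found.  With two or more beats, *bpm_out receives the mean rate
 * over the first-to-last beat span.  Lines that do not parse are skipped,
 * so a header or a garbled line does not abort the run. */
int ecg_bpm_from_text(const char *text, double threshold, double refractory_ms, double *bpm_out) {
    double t_first = 0, t_last = 0, last_beat = -1e18, prev_v = 0;
    int beats = 0, have_prev = 0;
    const char *p = text;
    while (*p) {
        const char *nl = strchr(p, '\n');
        size_t n = nl ? (size_t)(nl - p) : strlen(p);
        char line[64];
        if (n >= sizeof line) n = sizeof line - 1;
        memcpy(line, p, n);
        line[n] = '\0';
        double t, v;
        if (sscanf(line, "%lf %lf", &t, &v) == 2) {
            int crossing = have_prev && prev_v < threshold && v >= threshold;
            if (crossing && t - last_beat >= refractory_ms) {
                if (beats == 0) t_first = t;
                t_last = t;
                last_beat = t;
                beats++;
            }
            prev_v = v;
            have_prev = 1;
        }
        if (!nl) break;
        p = nl + 1;
    }
    if (beats >= 2 && bpm_out)
        *bpm_out = 60000.0 * (beats - 1) / (t_last - t_first);
    return beats;
}

/* Constructed recording in the same text format: `seconds` of samples every
 * 10 ms, a 1.000 V spike on each beat at `bpm`, and a small three-step
 * ripple elsewhere standing in for noise.  Returns bytes written. */
size_t ecg_synth(char *buf, size_t cap, int bpm, int seconds) {
    size_t used = 0;
    int period_ms = 60000 / bpm;
    for (int t = 0; t < seconds * 1000; t += 10) {
        double v = (t % period_ms == 0) ? 1.0 : 0.02 * ((t / 10) % 3 - 1);
        int n = snprintf(buf + used, cap - used, "%d %.3f\n", t, v);
        if (n < 0 || (size_t)n >= cap - used) break;
        used += (size_t)n;
    }
    return used;
}

int main(void) {
    static char buf[16384];
    double bpm = 0;
    ecg_synth(buf, sizeof buf, 60, 10);
    int n60 = ecg_bpm_from_text(buf, 0.5, 250.0, &bpm);
    printf("baseline-like set: %d beats, %.1f BPM\n", n60, bpm);
    ecg_synth(buf, sizeof buf, 80, 10);
    int n80 = ecg_bpm_from_text(buf, 0.5, 250.0, &bpm);
    printf("tekken-like set  : %d beats, %.1f BPM\n", n80, bpm);
    return 0;
}
```

The very first sample cannot be a crossing (there is no previous sample), so a spike at t = 0 is not counted; over ten seconds that gives 9 beats at 60 BPM and 13 at 80 BPM, with the rate computed from the intervals rather than from the raw count. To run it on baseline.txt or tekken.txt, read the file into a buffer and pass it to ecg_bpm_from_text() in place of the synthetic text.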


an679.jpg

The swell people over at Analog Devices have written an application note that outlines how to make a power meter that converts average power into a frequency output, which then drives a mechanical counter. The idea is that the load current is measured resistively on the high side and then multiplied by the voltage applied to the load, giving the instantaneous power. Provided that both the current and voltage are sinusoids that vary only in amplitude and phase, the DC component of the instantaneous power signal indicates the power delivered to the load and depends on the power factor (the cosine of the phase angle between voltage and current). I am thinking of simplifying the design by using a low-side measurement, a pair of differential amplifiers and a four-quadrant multiplier to produce the instantaneous power. Depending on the components available, I can try a two-pole Sallen-Key low-pass filter to get the DC out with two decades of ripple suppression.
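As an added worked derivation (not from the application note or the original post), with the assumed forms $v(t) = V\cos\omega t$ and $i(t) = I\cos(\omega t - \varphi)$ for the load voltage and current:

\[
p(t) = v(t)\,i(t) = \frac{VI}{2}\cos\varphi + \frac{VI}{2}\cos(2\omega t - \varphi)
\]

The first term is the DC component, $P = \tfrac{VI}{2}\cos\varphi = V_{\mathrm{rms}} I_{\mathrm{rms}}\cos\varphi$, which is the real power and carries the power factor $\cos\varphi$; the second term is the ripple at twice the line frequency (120 Hz for 60 Hz mains) that the low-pass filter has to remove. A unity-gain Sallen-Key stage with components $R_1, R_2, C_1, C_2$ (names assumed here: $R_1$ from the multiplier output, $R_2$ to the non-inverting input, $C_2$ from that input to ground, $C_1$ from the junction of the resistors back to the output) has

\[
H(s) = \frac{1}{s^2 R_1 R_2 C_1 C_2 + s\,(R_1 + R_2)\,C_2 + 1}, \qquad \omega_0 = \frac{1}{\sqrt{R_1 R_2 C_1 C_2}}
\]

so well above the corner, $|H(j\omega)| \approx (\omega_0/\omega)^2$, i.e. 40 dB per decade. Placing the corner one decade below the ripple (about 12 Hz for a 120 Hz ripple) attenuates it by roughly 40 dB, a factor of 100, while leaving the DC term untouched; a corner much lower than that buys more suppression at the cost of a slower meter response.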

To clarify, I became interested in building a power meter when I found out that the Wii uses 17 W of power in operation and 10 W in standby (when Connect24 is enabled). I am wondering what other electronics around the house have such a conservative standby mode.

( an679.pdf )

