Hacking the Neutrogena visible light therapy system to get 99 lives

Here’s a thing. It illuminates you with blue and red light which is apparently effective. Possibly because light, especially high energy light causes phototoxicity. Anyway, the device consists of a mask full of LEDs and an “activator” which is a power supply which gives 30 uses before you have to replace it.

They’re clearly going for a printer ink model and the activator is £14 or so which is aimed at the expensive-but-not-outrageously-painful price point. The thing is though it’s extremely wasteful because the batteries are still good1 as is the hardware. Its just burning stuff to make money which is kind of objectionable, so we must deal with it. Or hack it.

By the way after this point I was using the post to make notes as I went along so it’s a bit stream of consciousness.

Day 1

(note these aren’t full days)

OK, first some disassembly pictures:

IMG_20171231_152434

The device

 

 

 

 

 

 

 

 

 

IMG_20171231_152458(1)

The battery cover removed

IMG_20171231_152612

The back cover removed

IMG_20171231_152832

The bare board

So far, so good.

The design for manufacture is pretty good: excluding screws there are 5 parts and they slot together with minimal effort. The plastic parts are decently moulded and aimed at a low price point. The draft angles are large and those holes at either end of the battery compartment where the springs are have highly drafted sliding shutoffs.  The board is pretty interesting. It’s a single sided soldering process with a mixture of connection types. There’s SMD for the small stuff and a number of THM parts as well. Note that the THM hasn’t been wave soldered since the gold test pads are not tinned. The joints look very uniform so it’s either top notch hand soldering or a selective soldering machine. Here’s a cool video:


I have nothing to do with that company, but they had a nice video on the technique.

Anyway, the mix is quite unusual because of the extra cost except it allows them several things. Firstly, they can use a stock THM 3.5mm 4 way barrel plug. You can’t see this from the photos, but it’s obvious from the plug. Second, they can use some very cheap battery connectors which are simply bent pieces of spring.

Also note the 100uF electrolytic capacitor. Fujicon is one of the very cheap brands, and given they’ve already got a THM stage, this means they can use the cheapest of the cheap caps. Its hard to find Fujicon retailers, the first one I found sells these caps for 1.195¢ a pop (they blinged it up and went for the pricey 105C one, not the 85C 1.111¢ one). The cheapest 100uF 16V electrolytics on Digikey are 4 cents a pop.

Also, with the cut out they can fit the cap in a very low profile and hey that’s weird, there’s a track going right into the middle of the snapped off tab.

weird

The LCD is connected with your common or garden zebra strip. The final bit is the metal diaphragm switch. This has two lugs which go through the board and are bent in place on the back side, no soldering required:

cheap

There appears to be some hand finishing on the back where the crystal is anchored in place with solder:

hand

Now for the components. The 3 terminal THM device has code SS8050 and is a Fairchild NPN transistor rated for 1.5A/2W. Graphs indicate that at 1A with a 100mA base drive, wed expect Vce sat to be about 50mV, giving a equivalent resistance of 50mOhm. This is not that bad since the base drive voltage would be about 0.8V. They’re cheap (0.47¢ from Mouser). Maybe a little inefficient but the LED power draw is high and you only get 30 uses out of the 4 AA batteries, so that’s not a concern.

Before I get to tracing with a multimeter, here’s a rough trace of the board:

IMG_20171231_161225

At a first glance it looks like the transistor and switch both feed into the little COB blob meaning that’s probably the microcontroller as well as the LCD driver. I’m not sure what the ATMLH640 chip is. My guess is it’s an EEPROM to store the number of remaining uses. Perhaps the super cheap COB chip doesn’t have one because that would require a different process. Web searches don’t reveal anything especially informative.

My guess is the SOT23ish part labeled 7533 is some sort of 3.3V LDO linear regulator. It connects to the main power after the big cap and before the largish ceramic. Also, look at the power: it won’t be connected unless something’s plugged into the jack, since the battery goes into the jack only.

So, what about that small chip, eh?

After a little tracing, here’s the layout:

eprom

and it’s connected to the μC via 1k resistors. Interestingly so is the transistor. In that region, the base drop is about 0.6, giving a base current of 2.7mA. That would give a collector current in the region of 0.4 to 0.45A, I reckon. Since there appears to be no other mechanism, I think this may be the current limiting for the LEDs. Note that the datasheet says it’s designed for class B audio amplification so it’s built to run in the active region dissipating power.

Here’s the result of the first bit of tracing with a continuity meter on the socket and using a 4 pin plug I got from Maplin:

plug.jpg

Two of the 5 pins connect to one conductor and get bridged only when the plug is in. This appears to be used to connect the battery to the main power, meaning this thing won’t drain any power when the mask isn’t connected. Two(!) of the 4 conductors are unused, so this thing only has power in and power out (no ground) with current limiting on the board. Kinda wonder why they used a weird 4 conductor plug. Maybe obfuscation?

Looking further there’s a B, C and D type transistor. Mine has an isolated D on it as well as a 331. I guess it’s the D type, which has hFE in the range 160 to 300. Kind of a high range for anything approaching reasonable current limiting, but perhaps the actual range is somewhat narrower in practice.

But this is good and implies that there is no DRM in the mask, since there’s no way to communicate from the mask to the uC. Hopefully a simple current supply will do the job, but how much? (more later).

Back to the enigmatic SOIC. A friend on IRC put me on to http://www.smdmark.com. The ATML mark corresponds to Atmel (I guessed that), but ATMLH only matches a few EEPROMS. None of them match the code exactly, but the AT93Cxx series have the correct (unusual) pin layout, or at least a vague match. I can’t find the exact match for the code, so it’s off to the logic analyser to see if the bus is correct.

First some bodgewires and some hot glue to stop them falling off. To get it clean, put a little chip of cold glue in the right place the heat gently to 150 degrees C with an air gun. It’s much cleaner than trying to blob on hot glue:

Now to partially reassemble, but where the heck is the LCD???? Ah buried behind the brass tip cleaner. Anyway they have very kindly provided a very neat hole for precisely this kind of thing:

IMG_20171231_184558

Given my ordering (1234->GBRW) I hypothesise from the datasheet that:

  1. Green = CS
  2. Blue = SK
  3. Red = DI (that’s MOSI: master out slave in)
  4. White= DO (that’s MISO: master in slave out)

Personally I prefer the MOSI/MISO naming since it’s unambiguous. Now, time for the scope! How do you get the blasted thing to trigger? How how how how?? Oh has to be logic triggering and pod input. Apparently selecting pod input and edge triggering isn’t enough. Okey dokey. Here’s the first shot, and of a packet that doesn’t return all zeros:

SCR02

I think my hypothesis is confirmed! Note how CS goes high then the clock starts. DI is set in advance of the pulses and DO changes on the clock edge. Though it seems glitchy. Look at those weird spikes on the data lines.

Day turns into night and back again.

Day 2

Huh is the clock really that non uniform or am I reaching the resolution limit given the very long capture window?

So now there’s two choices. I can attack the mask itself and measure the current. Once I know that it’d be easy to build a different driver that provides that current for a fixed time. The other choice is to attack the EEPROM and see if I can figure out what’s going on and reset the counter. I hope the program isn’t stored there, just the data!

Hm well OK! Based on the wiring I can drive it with a current limited source just fine and it appears to work perfectly. That was easy!

So yeah how the heck does the bus decoding work??? I’ve got it to work before. Also the DO pin gives bad noise without a 100k pull down. Nothing in the datasheet about that but it’s not the right datasheet anyway so there’s that! Ho hum got one half working…

So the EEPROM only receives 10 commands so it’s not storing the program for the uC, which is nice. According to the maybe wrong datasheet the commands are:

  1. Write enable
  2. Read 0x60
  3. Read 0x64
  4. Write disable
  5. Write enable
  6. Read 0x55
  7. Write disable
  8. Write enable
  9. Read 0x50
  10. Write disable

Well that’s a bit strange but not exactly out of the ordinary for embedded devices!  Anyway fine WHATEVER I’ll decode it by hand. Only a few reads. Here it is along with MISO decoded by the scope and my notes on what it means from a “close” datasheet:

IMG_20180101_212753

Right well commands (names like EWEN, EWDS are from the datasheet) are 10 bits and reads should be 8 but it clocks 9. A bug? But that means the value at register 0x50 is 1, and this device just happens to have one use left in it. Coincidence? Time to use up the last use, measure the current as best we can and see what changes in the ROM. I just measured my multimeter (90’s era White Gold WG020) as having 66mV burden at 5A. Which is fine. Except then I realised my PSU also measures current and the LEDs will be the  bulk of the draw.

Well it draws 400 mA aaaand it’s down to 0 uses left. Oh hey!! 400mA is exactly what I figured from the datasheet!! whoooo! Oh the hFE thing is small signal gain anyway. The large signal stuff seems pretty well characterized. It’s actually a pretty impressively cheap way of regulating current. The regulator is probably plus minus a few percent, the base resistor, 1%. Being transistor designed for class B audio it’s probably decently narrow in spec so it matches well with it’s complementary PNP (SS8550). Huh. I’m impressed. It’ll probably regulate current to within 10% no problem which is good enough for a non critical task like this. When the battery level gets low the power will drop and there’s no warning but it’s only meant to work for 30 uses so that’s not an issue. A very cheap solution to the problem!

Anyway, looking at the bus now it’s got 0 uses left, at a first glance, both 0x55 and 0x50 have counted down by 1. Not sure what to make of that. The other two numbers don’t change at all.

The AT93C46 datasheet seems close enough. The next step is to try to write to it using my Arduino to reset those registers back to the previous values. Going to have to be a bitbang because of (a) the rather odd bit count and (b) because the D0 pin is not data but an asynchronous write/erase finished signal. OK that explains why the clocking is so messy: it’s bitbanged.

Day 3

OK, here’s the Arduino sketch:

// Pin 13 has an LED connected on most Arduino boards.
// give it a name:
static const int led = 13;

static const int CS = 4;
static const int CK = 5;
static const int mMOSI = 6;
static const int mMISO = 7;

// the setup routine runs once when you press reset:
void setup() {
  // initialize the digital pin as an output.
  pinMode(led, OUTPUT);
  pinMode(CS, OUTPUT);
  pinMode(CK, OUTPUT);
  pinMode(mMOSI, OUTPUT);
  pinMode(mMISO, INPUT);
  Serial.begin(9600);
}

//Write out the N low order bits of data as MSB first
//and return the collected data.
uint32_t write_N_MSB_first(uint32_t data, int n)
{
  uint32_t ret = 0;

  //First shift everything to the 16th bit
  data <<= (32-n);
  digitalWrite(mMOSI, LOW); //Make the scope trace look nice
  delay(1);

  for(int i=0; i < n; i++)
  {
    digitalWrite(mMOSI, (bool)(data& (uint32_t(1)<<31)));
    delay(1);
    digitalWrite(CK, HIGH);
    delay(1);
    digitalWrite(CK, LOW);
    delay(1);
    int r = digitalRead(mMISO);
    ret <<=1;
    ret |= r;
    data<<=1;
  }
  digitalWrite(mMOSI, LOW); //Make the scope trace look nice
  return ret;
}

// the loop routine runs over and over again forever:
void loop() {
  digitalWrite(led, HIGH);   // turn the LED on (HIGH is the voltage level)
  delay(100);               // wait for a second
  digitalWrite(led, LOW);    // turn the LED off by making the voltage LOW
  delay(100);               // wait for a second

  digitalWrite(CS,1);
  write_N_MSB_first(0x360, 10);
  int v = write_N_MSB_first(0, 8);
  Serial.write("val =0x");
  Serial.print(v, HEX);
  Serial.write("\n");

  digitalWrite(CS, 0);

}

It’s a straightforward bitbang, except you can read/write in variable length chunks, and it prints the read value to the serial port. It looks fine on the scope (the bus decoding works today!) so the next step is to wire it into the device.

The device is a 3.3V one and the Arduino is 5V so we need to shift the levels down. The easiest way is to make a potential divider using an LED and 1k resistor. The LED will drop more than a normal diode: the scope tells me it’s dripped about 2V. We don’t need to level shift the input since the EEPROM gives a nice clean 3.3V and that’s easily enough for the Arduino to register high.  All we need to do is bodge it in (I reckon those 1k resistors on the device will protect things) after switching the device on, so the bus is not busy…

img_20180102_135950.jpg

And it WORKS!!! Here’s the scope screenie:

SCR12

And the Arduino is printing out a steady stream of 0x95, which is the correct value: we got that from earlier analysis. This also confirms that they are writing utterly unnecessary write-enable, write-disable commands and they are clocking in an extra bit at the end too.

I did initially OR both channels together using some diodes so one bus would decode read and write. That of course doesn’t work: for MOSI, the data should be read on the rising edge of the clock, but with MISO, it’s set after the rising edge, and won’t be changed until the next bit-after-rising-edge. It’s safe to read on the falling edge of the clock, so I set up the other decoder to do that.

OK, so now to try a write. Here’s the code:

// Pin 13 has an LED connected on most Arduino boards.
// give it a name:
static const int led = 13;

static const int CS = 4;
static const int CK = 5;
static const int mMOSI = 6;
static const int mMISO = 7;

static const int BUTTON = 2;

// the setup routine runs once when you press reset:
void setup() {
  // initialize the digital pin as an output.
  pinMode(led, OUTPUT);
  pinMode(CS, OUTPUT);
  pinMode(CK, OUTPUT);
  pinMode(mMOSI, OUTPUT);
  pinMode(mMISO, INPUT);
  pinMode(BUTTON, INPUT_PULLUP);
  Serial.begin(9600);
  Serial.write("Booted...\n");
}

//Write out the N low order bits of data as MSB first
//and return the collected data.
uint32_t write_N_MSB_first(uint32_t data, int n)
{
  uint32_t ret = 0;

  //First shift everything to the 16th bit
  data <<= (32-n);
  digitalWrite(mMOSI, LOW); //Make the scope trace look nice
  delay(1);

  for(int i=0; i < n; i++)
  {
    digitalWrite(mMOSI, (bool)(data& (uint32_t(1)<<31)));
    delay(1);
    digitalWrite(CK, HIGH);
    delay(1);
    digitalWrite(CK, LOW);
    delay(1);
    int r = digitalRead(mMISO);
    ret <<=1;
    ret |= r;
    data<<=1;
  }
  digitalWrite(mMOSI, LOW); //Make the scope trace look nice
  return ret;
}

void ewen()
{
  digitalWrite(CS,1);
  write_N_MSB_first(0x260, 10);
  digitalWrite(CS,0);
  delay(1);
}

void ewds()
{
  digitalWrite(CS,1);
  write_N_MSB_first(0x200, 10);
  digitalWrite(CS,0);
  delay(1);
}

uint8_t read(uint8_t addr)
{
  digitalWrite(CS,1);
  write_N_MSB_first(0x300 | (addr&0x7f), 10);
  int v = write_N_MSB_first(0, 8);
  digitalWrite(CS, 0);
  delay(1);
  return v;
}

void write(uint8_t addr, uint8_t val)
{
  digitalWrite(CS,1);
  write_N_MSB_first(0x280 | (addr&0x7f), 10);
  write_N_MSB_first(val, 8);
  digitalWrite(CS,0);
  delay(1);
  digitalWrite(CS,1);
  while(digitalRead(mMISO) == 0)
  {
  } //Wait for the status to come up
  digitalWrite(CS,0);
  delay(1);
}

// the loop routine runs over and over again forever:
void loop() {
  if(!digitalRead(BUTTON))
  {
    delay(200);
    Serial.write("Sequence begin\n");
    while(!digitalRead(BUTTON))
    {}

    int v1 = read(0x55);
    int v2 = read(0x50);
    ewen();
    write(0x55, 2);
    write(0x50, 1);
    ewds();

    int v3 = read(0x55);
    int v4 = read(0x50);

    Serial.write("0x55, 0x50 :=  0x");
    Serial.print(v1, HEX);
    Serial.write(" 0x");
    Serial.print(v2, HEX);
    Serial.write("\n");

    Serial.write("new 0x55, 0x50 :=  0x");
    Serial.print(v3, HEX);
    Serial.write(" 0x");
    Serial.print(v4, HEX);
    Serial.write("\n");
  }
  else
  {
    digitalWrite(led, HIGH);   // turn the LED on (HIGH is the voltage level)
    delay(100);               // wait for a second
    digitalWrite(led, LOW);    // turn the LED off by making the voltage LOW
    delay(100);               // wait for a second
  }

}

So I’ve also added a switch too (one of those incredibly bouncy microswitches): it’s connected to ground, and the input pin is set to pullup. When the Arduino detects a zero (a press), it waits 200ms, then waits until the switch is released before starting the write sequence. That way I have plenty of time to set up the scope and triggering etc.

Oddly enough it doesn’t work if you send the wrong instruction for EWEN (write enable). Who knew?

Huh, OK so I successfully wrote (I discovered this after), but my state machine didn’t work for reason that the write finished signal never happens. OK. Maybe I’ll just try waiting 15ms (wrong datasheet says 10 max…). Now it’s in an inconsistent state because it blocked after one attempted write. So the new write function is simply:

void write(uint8_t addr, uint8_t val)
{
  digitalWrite(CS,1);
  write_N_MSB_first(0x280 | (addr&0x7f), 10);
  write_N_MSB_first(val, 8);
  digitalWrite(CS,0);
  delay(15);
}

And the output of the serial monitor is:

Booted...
Sequence begin
0x55, 0x50 :=  0x1 0x0
new 0x55, 0x50 :=  0x2 0x1

That’s promising. Now to disconnect the Arduino and reboot the device…

IMG_20180102_180251

YESSSS!!!! I WIN!!!!

Q96tJbBN

Yes, I tried using using it, and the LEDs all come on and it goes back down to 0. And I can reset it to 1 again and so on and so forth.

The next step is to get infinite, or at least many lives. I’ll probably try setting it to something intermediate first like 15, then 99, then 255. I wonder if it will work with more than 2 digits or if it will crash. Also, I should probably check what voltage is required to push 400mA through the LEDs: when it’s not limited to 30 uses the batteries will get used up and it would be good to know if it’ll cut out or slowly go dim.

Day 4

Huh OK, 400mA requires 5.43V.  According to these guys https://www.powerstream.com/AA-tests.htm at a 500mA discharge or under AA cells deadify at  about 1V. At 1V, we’d have a about 4V total which I measure as about 225mA through the mask, so the power is about halved. After that it will drop off very quickly. That link also says a decent battery will get 2Ah ish. The average discharge is very roughly 360mA over that range. That would give about 2000/360 * 60 = 331 minutes of use. Oh LOL!!! The mask lasts for 10 minutes a time so at that rating, the batteries will last about 33 uses or just over the number it claims to give you.

That means the regulation isn’t as good as I  thought before, or more to the point the low voltage condition bites almost instantly. The regulation will decently accurately stop the current from being very high when the battery is fresh but will do little after that.

That’s pretty funny. I’ll bet they chose the power levels based on AA batteries. Well, according to Powerstream above, the expensive batteries pull ahead at a 500mA discharge but are on a par with the cheaper ones at 100mA. So, I can replace the batteries for a grand total of 60p from Maplin, a lot cheaper than £15. It came with “Excell” brand batteries which you can only get with a minimum order of 2000 from Alibaba.

IMG_20180103_223007

Quality.

I wonder what they cost: no price for these but AA prices seem to vary from 1¢ to 10¢ on Alibaba for bulk buys. Even reputable brands (Panasonic) are only 11p in quantity from Digikey.

So on to 99-UP. Actually come to think of it…

If I was an engineer working on a product (ahem) and there was some spare ROM space, I might be tempted to leave an Easter Egg in there. So let’s do a ROM dump and see. So, all I’m doing is modding the code to simply read 127 bytes from the EEPROM.

Then I got a bunch of:

avrdude: stk500_getsync(): not in sync: resp=0x??

errors. There was a lot of cargo culting on Stack Overflow. the correct answer (not there) was that I accidentally changed the board type setting. Check the github page for the source for the ROM dumper if you’re interested. Its just a combo of read(), sprintf and serial write. And the ROM contents is:

0x00: ff aa aa aa aa aa aa aa aa aa ff ff ff ff ff ff
0x10: aa aa aa aa aa aa aa aa aa aa ff ff ff ff ff ff
0x20: aa aa aa aa aa aa aa aa aa aa ff ff ff ff ff ff
0x30: aa ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
0x40: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
0x50: 01 ff ff ff ff 02 ff ff ff ff ff ff ff ff ff ff
0x60: 95 ff ff ff 34 ff ff ff ff ff ff ff ff ff ff ff
0x70: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff

Well, that’s dull 😦 Oh well.

So, OK, on to infinilives. I still don’t know the significance of 0201 going to 0100. I’m going to try 0209 to see if we get 9 lives. Tried it and now it reads 0 lives. How odd. Let’s try n+1, then, so 0302 and 2n next. So, n+1 first.

img_20180103_205335.jpg

Yep! That works!

OK, what about, let’s say, 99, because that’s clearly the most the display can handle. I’d also hypothesise that going higher might go funny, if they do decimal conversion by say %10 and /10, then looking up the segment results in an array. By the way the device won’t boot when the programmer is plugged in, displaying “–” instead of a number. So it’s checking the results of those initial reads and won’t work if they’re corrupted. I just discovered that I only need disconnect the MISO line, rather than everything. This makes experimenting much faster. Right, so, 100,99:

img_20180103_210014.jpg

you… uh… huh. huh. HUH.

222xv1

well well. Looks like they have a straight up lookup table. Maybe because it’s a multiplexed LCD? It doesn’t have enough wires for a static one (8 wires for 14 segments). Anyway, looks like they’re checking bounds which is nice. I’ll bet if I do a ROM dump, I’ll see the 100,99 in there.

0x00: ff aa aa aa aa aa aa aa aa aa ff ff ff ff ff ff
0x10: aa aa aa aa aa aa aa aa aa aa ff ff ff ff ff ff
0x20: aa aa aa aa aa aa aa aa aa aa ff ff ff ff ff ff
0x30: aa ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
0x40: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
0x50: 63 ff ff ff ff 64 ff ff ff ff ff ff ff ff ff ff
0x60: 95 ff ff ff 34 ff ff ff ff ff ff ff ff ff ff ff
0x70: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff

No. Well that’s even more unexpected. First lets’s see what happens with 0,255 and 255,254. The plot thickens!! Oh no, stuuuppppiiidddd! 64,63 in hex is 100,99 in decimal, so hasn’t rewritten the values.

If I upload 0,255 then when I reboot it, I get back to the original 30 uses. Even stranger is the ROM dump:

0x00: ff aa aa aa aa aa aa aa aa aa ff ff ff ff ff ff
0x10: aa aa aa aa aa aa aa aa aa aa ff ff ff ff ff ff
0x20: aa aa aa aa aa aa aa aa aa aa ff ff ff ff ff ff
0x30: aa ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
0x40: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
0x50: ff ff ff ff ff 31 ff ff ff ff ff ff ff ff ff ff
0x60: 95 ff ff ff 34 ff ff ff ff ff ff ff ff ff ff ff
0x70: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff

but after one use, it goes to the expected:

0x50: 29 ff ff ff ff 30 ff ff ff ff ff ff ff ff ff ff

Curious. OK, so what about 255,254? Now we have blank-blank. Disappointing? Well, I tried activating it and it comes on! And the ROM indicates that it’s counted down.So OK, that works. Back to loading up 100,99. It displays 63. If I use it, it counts down to 62?? WTF? The ROM dump indicates it’s still 0x63,0x62. One more use and it displays 61. Then 60. Now it should get interesting… Oh wait I just noticed above, it’s got 0x29, 0x30. The little devil is counting in BCD!!! So, now it’s diplaying 59 and the ROM dump is:

0x50: 59 ff ff ff ff 60 ff ff ff ff ff ff ff ff ff ff

Confirmed! Gosh, I’ve not seen BCD in so long! Let’s try uploading 0x100 0x99. And my hypothesis about the 63 element LUT is clearly wrong. Oh huh 0x100, 0x99 gives 0 on the display.

WLPjJ2i

Yes, 0x100 is 2 bytes, so it would only load up the first 00 which is of course not valid for this setup. Right moving on, I’ll bet its BCD is a bit dodgy, because it happily counted down from 255,255. Maybe 0x9a99 will work.

img_20180103_214858.jpg

H4X SUCCESSFUL!

YOU'RE_WINNER_trophy

So I wonder…

CONFIRMED! So if you upload 0xfaf9, then it displays blank-9. Because it can’t decode f. OK, so I’ll bet if I load it up with 0xf1f0, it will count down to 0xf0e9 and display blank-9. And sure enough it does. That means the maximum number of uses is the first 99, then the 10s for a9 b9 c9 d9 e9 giving 159 and the remaining 15 giving 174.

But I think I’ll leave it at 99 because it looks cooler.

😎

PS if you’re interested here’s the code

 

 1NOT!!! Actually it uses up most of the batteries, but the hardware is fine

Advertisements

A simple light chasing robot

I’ve been meaning to try this idea for a simple direction finding car for ages. The idea is you place down a light source (i.e. a torch) and the car will head towards it. This was going to make the core of a practical but that wasn’t to be, so it’s been on the back burner for a while. It’s not only simple but very cheap, so I didn’t want to spend a lot on it.

The impetus came when someone released some sort of Arduino car the result of which is you can now get wheel/gearbox/motor assemblies on EBay for 99p if you’re prepared to wait for a boat from China (£1.50 if you’re impatient). That allowed me to make tis for a very very low budget.

Before I continue, I do realise this would have needed fewer components and been more flexible with a microcontroller. I prefer playing with not-computers on the weekend and I also like the appeal of the “no magic” aspect of it. Even an 8 pin uC like an ATtiny or a PIC12F675 would have been more expensive.

Anyway, the first part is to make a directional light sensor. I made this from an LDR (10p in a bag of 20), black card, tape and glue. They look like this:

sensors

And here’s how I made them:

  1. Make a tube of black card and tape it up.
  2. Push an LDR into it so the back of the LDR is about 5mm in.
  3. Fill up the hole at the back with grains of hotmelt glue.
  4. Heat gently with a heat gun (100C) to melt the glue.
  5. Repeat 2-4 until it’s full.
  6. While the glue is molten, gently wiggle the LDR to spread the glue.
  7. Tape over the back with opaque electrical tape to prevent light ingress

They’re pretty directional by my reckoning. It’s hard to get a good measurement of sensitivity because I don’t have an infinite point light source and by the time the resistance gets to 200k, even small stray reflections can have a quite large effect. Even so, here’s some hacky measurements:

a

On order to tell which direction a light source is, you need to have two pointing in different directions and compare their level. The light is on the side which has lowest resistance. To make a direction finding car, you need to turn towards the side with the lowest resistance. Since I have motorised wheels, this is a question of running one motor or the other.

Then of course, you need to build it into a car:

Note how the two sensors are pointing outwards in different directions. There’s also a castor at the back. The body is just a bit of scrap pine, and the motors are screwed to it with some M3 studding. It also turns out the tyres are a bit slippery and the motors spin up fast with plenty of torque, so the first version just sat and span the wheels going nowhere. I velcro’d the battery to the front to get more traction. It’s tricky to get velcro to stick to end grain stronger than it sticks to itself, about the only thing I’ve found reliable is gorilla glue.

Plus this is the first and only time I’ve used the sticky pad on the bottom of a breadboard.

The circuit diagram is very simple:

IMG_20171210_191625

Total cost about 90p (not including batteries).

The two LDRs form a divider and the midpoint is compared to a reference with a comparatorvery cheap opamp. The op-amp switches on one motor using a massively overspecced MOSFET. The other is connected via an ad-oc not gate, so either one motor is on or the other is. I could have used the other half of the dual op-amp for the inverter, but I have future plans for that.

As long as you get the LDRs and motors the right way round, it will always turn towards a strong light source. Here’s a video of it in operation!

There’s an LED torch down at the far end of the hall and the car heads right towards it. The wild swinging backwards and forwards is because it can only have one motor on at once and because there’s a fair amount of momentum and slip. So it spins one wheel cranks up to speed, and passes the midpoint. The other wheel comes on, but it keeps on swinging until eventually the other wheel bites at which point it’s way over. So it has a long way to come back by which time it’s got plenty of speed by the time it crosses the mid point and so on…

Works pretty well for sucg a simple version 1 🙂

 

Die grinder woz ‘ere

In the world of heavy automation and mass production it’s sometimes easy to forget that there’s a person around at every stage. But sometimes a nice little reminder finds its way through. A while back I bought a Raspberry Pi universal power supply. It’s universal in that it comes with a selection of mains prongs which clip on.

There’s a disposable plastic cover for the area in which they clip on, and on the inside of the cover, some person wrote the initials “bc” by hand with a die grinder, between the ejector pin holes:

bc_woz_ere

It’s probably a little messy because it’s hard to write with a die grinder and they had to mirror-write it so it looked right after moulding.

Small hack of the day

Two things:

  1. syntax highlighting is nice
  2. wouldn’t it be nice to copy /paste it

The main problem is many terminals don’t for no especially good reason allow copy/paste of formatted text. There are three tools which help:

  1. xclip -t text/html this eats standard input and allows pasting of it as HTML, so it can include formatting and color and so on. By default, xclip does plain text, so you have to specify that it’s HTML.
  2. aha this takes ANSI formatted text (i.e. the formatting scheme used by terminals and turns it into HTML).
  3.  unbuffer many tools will only write color output to a terminal, not a pipe. Through the magic of PTYs (pseudoterminals) this program fools other programs into thinking they’re running on a terminal when they’re not.

Now all you have to do is pipe them together. So, take a silly C++ program like this:

void silly;

And compile it like this:

unbuffer g++-7 error.cc -std=c++1z  | aha | xclip -t text/html

Then a simple paste into a box which accepts HTML (e.g. email, etc) gives:

error.cc:2:6: error: variable or field 'silly' declared void
 void silly;
      ^~~~~

 

Server Send Events

Server send events are a way of getting data pushed over an http connection to a browser. The JavaScript interface is very simple. Here’s some useful info:

I thought it would be a neat way of debugging some GIS code in C++: all I had to do was write the data to a socket, and have a page that collected it in JavaScript and plugged it into Google maps. It was that simple, sort of, except that it was actually incredibly awkward getting it up and running since web browsers are both finicky and don’t provide much error information.

All you have to do is open a socket, write the right HTTP headers and send the correct data. I eventually ended up sending it in chunked encoding, which means each message is essentially preceded by a length so the browser knows how much data to accept and put together into a message.  The alternative is to use Content-Length and have fixed length messages (like the w3schools example), but I couldn’t manage to get my browser (Firefox) to accept more than one message before closing the connection due to an error. No idea why, but the chunked encoding is much more flexible anyway.

Probably the biggest hurdle is that my HTLM page was just a file, but the server send events were from a (local) server. Either way that meant it was cross domain and so Firefox would block the request because of CORS. Turns out the fix was a simple headre tweak but that had me going for a while!

Anyway, here’s the code:

#include <iostream>
#include <cstring>
#include <cerrno>
#include <vector>
#include <iomanip>


#include <unistd.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netinet/ip.h>


using namespace std;

class VeryBasicServer
{
	private:
		int sockfd=-1; 
		int connection_fd{-1};
	
	public:

		VeryBasicServer()
		{
			//Incantation to create a socket 
			//Address famile: AF_INET (that is internet, aka IPv4)
			//Type is a reliable 2 way stream, aka TCP
			//Note this just creates a socket handle, it doesn't do anything yet.
			//The 0 is the socket type which is pretty redundant for SOCK_STREAM (only one option)
			sockfd = socket(AF_INET, SOCK_STREAM, 0);
			if (sockfd < 0)
				throw runtime_error("Error opening socket:"s + strerror(errno));

			
			//Set options at the socket level (a socket has a stack of levels, and 
			//all of them have options). This one allows reuse of the address, so that
			//if the program crashes, we don't have to wait for the OS to reclaim it, before
			//we can use this socket again. Useful for debugging!
			int true_ = 1; 
			setsockopt(sockfd,SOL_SOCKET,SO_REUSEADDR,&true_,sizeof(int));
			
			
			//Binding a socket is what sets the port number for a particular
			//socket.
			sockaddr_in serv_addr = {};
			serv_addr.sin_family = AF_INET;          //internet address family
			serv_addr.sin_addr.s_addr = INADDR_ANY;  //allow connections from any address
			serv_addr.sin_port = htons(6502);        //Still fighting the 80s CPU wars. 6502 > 8080
			if (bind(sockfd, (struct sockaddr *) &serv_addr, sizeof(serv_addr)) < 0) 
				throw runtime_error("Error binding socket:"s + strerror(errno));
			
			//This is necessary for stream sockets (e.g. TCP). When a client_ connects
			//a new socket will be created just for that connection on a high port.
			listen(sockfd,5);
		}
		

		void read_ignore_and_dump_incoming_data()
		{
			vector<char> buf(65536, 0);
			int n = read(connection_fd,buf.data(),buf.size());
			if (n < 0) 
				throw runtime_error("Error reading from socket:"s + strerror(errno));
			cout << "Message reads: ";
			cout.write(buf.data(), n);
		}

		void accept()
		{
			//Listen blocks until a cnnection is made, then hands over the newly created
			//socket for the connection
			connection_fd = ::accept(sockfd, nullptr, nullptr);

			if (connection_fd < 0) 
				throw runtime_error("Error accepting:"s + strerror(errno));
			
			//We can actually ignore the HTTP header just to get up
			//and running. For ServerSendEvents, there's only one accepted
			//MIME type, and uncompressed is always a valid compression option
			//even if the client_ doesn't request it.
			read_ignore_and_dump_incoming_data();


			//Construct a valid working header.
			//
			//Two important things to note. One is the access control. Since
			//this server isn't serving anything except SSEs, the web page
			//which is using them ust come from elsewhere. Unless we allow 
			//connections from places other than the originating server, then
			//the web browser will block the attempt for security.
			//
			//The other point is the chunked encodeing. The browser connecting
			//has to know when we've finished sending an event in the stream
			//of data. Chunked encoding allows us to send data blocks along with a 
			//length so the server knows when a block is finished. The other option
			//is to have a fixed Content-Length instead. I never got it working,
			//but it's much less flexible so I didn't try hard.
			//
			//Note also the \r\n line terminations, not just \n. Part of the HTTP spec.
			write("HTTP/1.1 200 OK\r\n"                          //Standard HTTP header line
			      "Content-Type: text/event-stream\r\n"          //This is the only allowed MIME type for SSE
                  "Transfer-Encoding: chunked\r\n"               //Chunked encoding lets it know when an event is done without knowing packet boundaries.
				  "Access-Control-Allow-Origin: *\r\n"           //Because the HTML comes from a file, not this server, we have to allow access
			      "\r\n");                                       //End of header indicator

		}
		
		//Write data with less than the minimal amount of error checking.
		void write(const string& str)
		{
			int n = ::write(connection_fd, str.data(), str.size());

			if(n < 0)
				throw runtime_error("Error writing:"s + strerror(errno));
		}

		void write_chunk(const string& str)
		{
			//Chunked encoding is the size in hex followed by the data. Note that both
			//the size and data fields are terminated by HTTP line terminations (\r\n)
			ostringstream o;
			o << hex << str.size() << "\r\n" << str << "\r\n";
			write(o.str());
		}

		~VeryBasicServer()
		{
			cerr << "closing\n";
			close(connection_fd);
			close(sockfd);
		}
};


int main()
{
	VeryBasicServer hax;

	hax.accept();
	
	cout << "Press enter to send an event" << endl;
	for(int i=1;;i++)
	{
		if(cin.get() == EOF)
			break;
		
		//Build up an event in server-send-event format. The message consists of 
		//one or more fields of the form:
		//field: value\n
		//Followed by an empty line.
		//
		//The main tag is "data:" which carries the data payload.
		//See https://developer.mozilla.org/en-US/docs/Web/API/Server-sent_events/Using_server-sent_events
		//for more info (e.g. different message types and dispatch)
		string sse;
		sse += "data: " + to_string(i) + "\n";  //Send the current number as the data value
		sse += "\n";                            //Empty field ends the message.

		//Send the message data using chunked encoding
		hax.write_chunk(sse);

	}

}

And the corresponding HTML page is:

<!DOCTYPE html>
<html>
<head>  <meta charset="UTF-8"> </head>
<body>

<h1>Getting server updates</h1>
<div id="result"></div>

<script>
if(typeof(EventSource) !== "undefined") {
    var source = new EventSource("http://127.0.0.1:6502");
    source.onmessage = function(event) {
        document.getElementById("result").innerHTML += "Data: " + event.data + "<br>";
    };
    source.onerror = function(event) {
        document.getElementById("result").innerHTML += "Connection failed<br>";
    };
} else {
    document.getElementById("result").innerHTML = "Sorry, your browser does not support server-sent events...";
}
</script>

</body>
</html>

And that’s basically it. It’s a handy and rather silly chunk you can put in a C++ file. It’s a lot of very poor practices and does all the wrong things for scalability, security, generality and good sense, but it’s handy for debugging hacks.

Code is on github.

Blog as you go: sigma delta DAC

I have some piezo speakers from another project. That one used a bi-level amp to drive them. I figured it would  be fun to try a tri-level drive, using an H bridge allows you to have +, – and 0V across the device. And for fun, why not make it a direct sigma delta encoder?

It’s going to run on a microcontroller (an arduino). It’ll need very precise timings, so I’ll not be using the arduino environment.

Here’s a first pass in C++ for linux:


#include <iostream>
#include <cmath>
#include <utility>

using namespace std;

float signal(int t)
{
	//Roughly 0-1
	return (1 + sin(t/20. - 1))/2.1;
}

float quantize(float f, int levels)
{
	return min(levels-1.f, max(0.f, floor(f*levels)))/(levels-1);
}

int main()
{

	float integral = 0;

	for(int i=0; i < 200; i++)
	{
		float output = quantize(integral, 3);
		float difference = signal(i) - output;
		integral += difference;

		cout << signal(i) << " " << output << endl;
	}

}

And this produces output like this (mildly prettified):
graph.png

Which looks about right. The code will pretty much stink on an arduino since it’s all floating point. It’s easy to convert to integer code though:

#include <iostream>
#include <cmath>
#include <utility>

using namespace std;

uint16_t signal(int t)
{
	//Roughly 0-1
	return 65535 * (1 + sin(t/20. - 1))/2.1;
}

uint16_t quantize(int32_t i)
{
	if(i < 21845)
		return 0;
	else if (i < 43690)
		return 32768;
	else
		return 65535;
}

int main()
{

	int32_t integral = 0;

	for(int i=0; i < 200; i++)
	{
		uint16_t output = quantize(integral);
		float difference = signal(i) - output;
		integral += difference;

		cout << signal(i) << " " << integral << " " << output << endl;
	}

}

I’ve used a uint16_t for the value, which will effectively represent both positive and negative levels with 32768 being the zero point. Note that the error integral must be both signed and wider since the errors can grow beyond the signal range:

graph.png

Now to port to the arduino. So, I’ll get my Makefile from here.

I’m going to pick pins 8 and 9 on the UNO, that is PB0,1 on the chip for my outputs. and here’s how you get 3 way opposed outputs as +/-/0. To demo, I connected a pair of LEDs in parallel but facing the other way:


#include <avr/io.h>
#include <util/delay.h>
int main()
{
	int i=0;

    while(1)
    {
		if(i==0)
		{
			DDRB = 3;
			PORTB = 1;
		}
		else if(i==1)
		{

			DDRB = 3;
			PORTB = 2;
		}
		else
		{
			DDRB=0;
			PORTB = 0;
		}

		i++;
		if(i > 2)
			i=0;

        _delay_ms(200);
    }
}

So I started the port and BOOM! 😦

It stopped working. The reason was simple: the simple makefile takes one object file and converts it to HEX. Since I’m using sin(), we actually need to link the .o and .a into a .elf file, then convert THAT to HEX. The snippet is:

%.hex: %.elf
avr-objcopy -j .text -j .data -O ihex $< $@

prog.elf: delta_sigma.o
avr-gcc $(FLAGS) -o prog.elf delta_sigma.o -lm

Obvious, really, in hindsight…

So, OK, now to convert the modulator code to the arduino. Lots of things went wrong. But first, here’s the code:

#include <math.h>
#include <stdint.h>
#include <avr/io.h>

uint16_t signal(int32_t t)
{
	float u = t / 1024.f;

	//Roughly 0-1
	return 65535 * (1 + sin(2*3.151592f*u))/2.1;

}

uint16_t quantize(int32_t i)
{
	if(i < 21845)
		return 0;
	else if (i < 43690)
		return 32768;
	else
		return 65535;
}

int main()
{

	int32_t integral = 0;

	DDRB|=32;

	for(uint32_t i=0; ; i++)
	{
		uint16_t output = quantize(integral);
		int32_t difference = (int32_t)signal(i) - output;
		integral += difference;

		if(output == 0)
		{
			DDRB=255;
			PORTB=1; //Output 1 0
		}
		else if(output == 65535)
		{
			DDRB =255;
			PORTB=2; //Output 0 1
		}
		else
		{
			DDRB=255;
			PORTB=0; //Output 0 0
		}
	}
}

What didn’t go wrong? Nothing! I wasn’t nearly careful enough with my ints (only 16 bits on AVR), ints of specific width, overflow and that sort of thing. Also, initially, I decided to output a 0 level by tri-stating the two outputs, so they both float to the middleish. Turns out that didn’t work well since they float extremely slowly (not surprising really!). Forcing them both down to 0 worked much better.

After all that, I then connected a simple RC filter across it so you an see the results:

That’s actually a pretty nice sine wave there! It ought to be: there’s really not much room for nonlinearity and other distortions to creep in. I’ve zoomed in a few levels so you can see how it looks in detail.

It is however really really slow. I’m using full floating point, and a transcendental operation every iteration of the sigma delta encoder. That is really slowing down the cycle time since the AVR isn’t very fast. That accidentally solves the other problem which I’ve made no attempt to make sure every path takes the same number of cycles. But that sin() is dominating so heavily that it doesn’t matter.

And that’s it for part 1: a working sigma delta encoder. For part 2, I’ll make it fast enough to generate audio tones which aren’t simply the sigma-delta encoder transitions (I hope).

Oh also here’s tehe obligatory github link.

 

How bad is switch bouncing really?

TL;DR: it’s worse.

ETA: I think every electronic engineer goes through this at one time or another. You have a switch that bounces, so you debounce it. I mean every knows that switches bounce. The code doesn’t work 100%, so you fix all the bugs and it still doesn’t work. So then you break out the scope and hells bells! How can it be that bad?! I mean everyone says it’s bad and you knew it was bad but it’s BAAAAAAD.

So, I recently had a switch which needed debouncing. It happens to be a Marquardt (seems to be a good brand) microswitch. In terms of current it’s massively overspecced (16A, 250V), but it turned out to be ideal for the combination of size, button stroke, force and of course price. I guess that sort of switch is used for mains interlocks or something, but I’m using it to switch a GPIO input to a raspberry pi.

Here’s how it’s connected up:

IMG_20170504_184225.jpg

I’d like to say I connected it to both power rails to show how the different contacts bounce. Actually my brain disconnected and that’s how I originally connected up the switch in my project. It’s a terrible idea because you get bouncing from both sets of contacts for twice the fun. The potential divider pulls the middle up to half the voltage so you can see which contacts are bouncing and when.

On the plus side, it’s great for illustrating bouncing…

Here’s what the setup looks like:

IMG_20170504_185448

I use the mini vice (which I’m quite unreasonably proud of) to close the switch really, really slowly. And this is what pushing the switch looks like:

SCR01

(Note: I can’t figure out how to take a screenie without the annoying “take a screenshot” dialog showing…)

It’s quite amazing. Note the “pre-bounce” where a disconnect happens 225ms before the switching starts. In fairness, I couldn’t reliably reproduce that, but it does happen occasionally. Thar main transition looks suspicious though:

SCR02

That’s semi-horrid. The 0V contact opening is pretty clean. It then takes about 9ms for the + contact to start closing. It bounces all over the place, and even after the main bounce has stopped, it still takes 4ms for the voltage to stabilise. I guess connecting only 0V and a pullup would work much better. And here’s the bounces in detail:

SCR03

Horrible, but par for the course. You can see it’s not settling cleanly on the contact in between the bounces. And here’s a different one for comparison (RTFM n00b, the fine manual says how to sake screenies properly):

SCR05

This is bad in a rich and interesting variety of different ways. Like the vast majority of traces, there’s no awful pre-bounce. However, the disconnect is unclean and takes 10ms before it starts to rise properly. After the bouncing nominally finishes, it still takes a whopping 100ms to really settle.

Amazing!

Here’s some samples to fill you with horror as well as a couple of fairly standard ones. Some of them have a longer timebase to show a 200ms settling time.

Some of them have some really weird behaviour as they open. I haven’t figured why and the speed at which I actuate the switch doesn’t seem to affect things much. The same can’t be said for releasing the switch. The slower you release it, the gungier it is. See the enormous 100ms timebase:

yuck yuck yuck 😦 Faster actuation (and the actual bouncing) looks much as you’d expect:

SCR04

though, the time between the break and make is rather shorter.

Either way, the +V contact (the one connected by closing the switch) seems surprisingly much worse than the 0V one. We can of avoid that contact by connecting the switch as a single throw one with a pullup:

IMG_20170504_193440.jpg

And if I’m quick, I can manage to get an open and close on the screen with a 10ms timebase:

SCR05

The push still has some pre-bounce, but it’s nothing like as bad as from the other contact. For the switch being pushed, there is on bounce whatsoever; it’s astonishingly fast:

SCR06

for the release, there’s a bit of bouncing as expected.

Conclusion: don’t connect up switches in a silly way like I did!