Eco-Friendly Hardware Hacking with Android

Carlo Pescio @CarloPescio http://eptacom.net
Carlo Pescio
Eco-friendly hardware
hacking with Android

Code in Movies

Super Heroes
- Build this in a cave
- With a bunch of scraps

Reality

It gets worse

Your ____mission
Should you choose to accept it…
- Your phone
(no rooting)
- Bunch of scraps
- No Firmware
12V

Smart > Hero
Don’t do industrial controls
using scraps
It’s OK at home
Great learning opportunity

Just be careful, ok?

Step 1: blinking an LED
Phone
+
Scraps

Choices, choices…
Built-in led[s] Audio
USB

LEDs in common USB scraps
Flash drive
Mouse
Keyboard
Printer

And the winner is…
LEDs are host-controlled
Standard protocol
LEDs outlive the keys
Easy to find

Phone – Keyboard connection
Your phone is normally a device (gadget) for a
computer (host).
A keyboard is a gadget
=> your phone must turn into a host
=> you need an OTG adapter

OTG Adapter (make or buy)
+
=
+ wire 4-5

Device / Interface / Endpoint
Device
Descriptor
Endpoint
Descriptor 1
Endpoint
Descriptor 2
…
Configuration
Descriptor 1
Configuration
Descriptor 2
Interface 0
Descriptor
Interface 1
Descriptor
Interface 0
Descriptor
Interface 1
Descriptor
… …
Kbd + trackball
Solar powered
Keyboard
Interrupt IN
USB powered
Trackball

The software side
Don’t write any code yet
Interface #0
Class: Human Interaction Device (0x3)
Endpoint: #0
Address : 129 (10000001)
Number : 1
Direction : Inbound (0x80)
Type : Intrrupt (0x3)
Poll Interval : 10
Max Packet Size: 8
Attributes : 000000011
Interface #1
Class: Human Interaction Device (0x3)
Endpoint: #0
Address : 130 (10000010)
Number : 2
Direction : Inbound (0x80)
Type : Intrrupt (0x3)
Poll Interval : 10
Max Packet Size: 3
Attributes : 000000011

The missing endpoint
Source: USB Device Class Definition for Human
Interface Devices Firmware Specification, Section 4.4
If no Interrupt Out endpoint is declared then Output
reports are transmitted to a device through the
Control endpoint.
Endpoint 0 is a Control pipe always present in USB
devices. Therefore, only the Interrupt In pipe is
described for the Interface descriptor using an
Endpoint descriptor.

Know thy APIs
You just can’t get hold of endpoint 0. But:
UsbDeviceConnection.
controlTransfer( gazillion parameters )
Performs a control transaction on endpoint zero for
this device. The direction of the transfer is
determined by the request type. If requestType &
USB_ENDPOINT_DIR_MASK is USB_DIR_OUT, then
the transfer is a write […]

7.2.2 SET_REPORT
Part Description
bmRequestType 00100001 (0x21)
bRequest SET_REPORT
wValue Report Type and Report ID
wIndex Interface
wLength Report Length
Data Report
SET_REPORT = 0x09 (Paragraph 7.2)

For LEDs / Keyboards
Report Type: 02 = Output (Paragraph 7.2.1)
Report ID: 0 = Not Used (Paragraph 7.2.1)
Interface = 0 (irrelevant here)
Report Length = 1 (1 byte, Appendix B.1)
Data: bitmask where bit 0 = NUM LOCK
bit 1 = CAPS LOCK
bit 2 = SCROLL LOCK

Sending the report
int controlTransfer(
int requestType,
int request,
int value,
int index,
byte[] buffer,
int length,
int timeout)
byte[] buf = new byte[] { b };
connection.controlTransfer(
0x21, 0x09, 0x0200, 0x0000, buf, 1, 1000);
// data [as array] -> bitmask
// wValue -> 0x0200
// wIndex -> 0x0000
// wLength -> 1
// 1 sec ok -> 1000
// bmRequestType -> 0x21
// bRequest -> 0x09

Sketch of the code
usbManager = (UsbManager)
getSystemService(Context.USB_SERVICE);
// just get the first usb device –
// should get the keyboard instead
UsbDevice device = (UsbDevice)
usbManager.getDeviceList().values().
toArray()[0];
usbManager.requestPermission(
device, permissionIntent);

… build the Keyboard
// … receive intent
UsbDevice device = (UsbDevice)
intent.getParcelableExtra(
UsbManager.EXTRA_DEVICE);
keyboard = new
UsbKeyboard(usbManager, device);

Keyboard
public UsbKeyboard(UsbManager usbManager,
UsbDevice device)
{
requestQueue = new LinkedBlockingQueue<Byte>();
connection = usbManager.openDevice(device);
// WHY AM I DOING THIS? GUESS 
ifc0 = device.getInterface(0);
connection.claimInterface(ifc0, true);
ioThread = new Thread(usbWriteLoop);
ioThread.start();
}

private Runnable usbWriteLoop = new Runnable()
{
// …
while( !stop )
{
Byte b = requestQueue.take();
if( b < 0 )
{
stop = true;
}
else
{
byte[] buf = new byte[] { b };
0x21, 0x09, 0x0200,0x0000, buf, 1, 1000);
}
}
// …
};

UI
public void onCheckedChanged(
CompoundButton buttonView, boolean isChecked)
{
byte ledMask = 0;
if( led1.isChecked() )
ledMask += 1;
ledMask += 2;
ledMask += 4;
// just adds ledMask to the requestQueue
keyboard.powerLedsFromMask(ledMask);
}

We did it!

Detour: how fast can we go?
Just use an infinite loop / no sleeping or waiting:
byte[] buf0 = new byte[] { 0 };
byte[] buf1 = new byte[] { 4 };
while( true )
{
0x21, 0x09, 0x0200, 0x0000, buf0, 1, 1000);
0x21, 0x09, 0x0200, 0x0000, buf1, 1, 1000);
}

Hollywood loves CRTs
Fantastic Four Iron Man
Star Trek Enterprise
The Big Bang Theory

Me too!

Expected
Well, almost
No RT OS -> some (major) jitter expected
Square wave

Surprise!!
Captain America – the Winter Soldier

Kill the noise
Not exactly square but clean 
Guess the frequency!

About 1 KHz (on my device)

Conclusions from detour
Useful: we killed the noise
Things you cannot do:
- “high” frequency / low latency / low jitter stuff
- PWM
- Infrared remotes
- … etc. …
Things you can do:
- Turning on and off some stuff at low freq

No joy yet
- Different voltage (LED powered from your phone USB)
- High current (same as above)
- Generally speaking, no galvanic isolation
(whatever happens there, happens to your phone)
You can’t just put a motor where the LED is 

Step 2: Galvanic Isolation

The ubiquitous optoisolator

A small step forward…
But can’t power a
motor with that

A level of indirection…
… brings new problems
1) Who is providing the current
going through the phototransistor?
2) The phototransistor can’t handle much
current anyway
Phone
[usb]
???

Step 3: ATX is your best friend
Will solve all your problems at once 

ATX starts in stand-by

So that’s it
12 v
12K
SUPPLY
POWER
ATX
PS_ONCOM
1K1K
keyboard
1.2mA
USB
line power

Some assembly required

… and it works

What about inputs??
Well, it’s a keyboard!
you get digital inputs for free (almost)
???

Relevant code
connection = usbManager.openDevice(device);
ifc0 = device.getInterface(0);
connection.claimInterface(ifc0, true);
endPointRead = ifc0.getEndpoint(0);
while( true ) {
final byte[] buffer = new byte[8];
int transfer =
connection.bulkTransfer(endPointRead, buffer, 8, 1000);
if( transfer > 0 ) {
// [modifier,reserved,Key1,Key2,Key3,Key4,Key5,Key6]
byte key = buffer[2]; // dumps Key1 only...
if( key != 0 )
Log.e(“KEY", " " + key);
}
}

… and we’re live

Missing: galvanic isolation!
1K1KDI
ROW / COLUMN
combo

Charging while in host mode
Usually the host (phone) provides power.
OTG specification:
36.5 kΩ between pin 4 and 5
[…] The OTG device is allowed
to charge and enter host mode

May or may not work for you
If it works, ATX might be even more of a friend!
5V here also
in standby

If it doesn’t work…
- Fiddle with resistor values
- Remove battery and provide power from there
- Also useful when battery is dead
- That’s a story for another time 

Get in touch
carlo.pescio@gmail.com
@CarloPescio
http://eptacom.net

Eco-Friendly Hardware Hacking with Android

Recommandé

Recommandé

Contenu connexe

Similaire à Eco-Friendly Hardware Hacking with Android

Similaire à Eco-Friendly Hardware Hacking with Android (20)

Dernier

Dernier (20)

Eco-Friendly Hardware Hacking with Android