Hacking With Gum http://hackingwithgum.com A Hardware Hacking Blog Tue, 23 Mar 2010 00:47:02 +0000 en hourly 1 http://wordpress.org/?v=3.0.1 Dumping AVR Fuse Settings In Bash http://hackingwithgum.com/2009/11/05/dumping-avr-fuse-settings-in-bash/ http://hackingwithgum.com/2009/11/05/dumping-avr-fuse-settings-in-bash/#comments Fri, 06 Nov 2009 03:44:19 +0000 cheffner http://hackingwithgum.com/?p=384 I’m starting to get more into AVR programming, and reading / writing fuses is a pretty essential skill. The fuses can be easily read with avrdude, and the Engbedded Fuse Calculator does a wonderful job of interpreting the fuse bytes for you. But I got tired of typing out the avrdude command, then opening up firefox, going to the Engbedded site and copying and pasting the fuse bytes into the input fields every time I wanted to check fuse settings (granted, not that often, but still…).

So, naturally, I wrote a bash script: avr-fusedump. Just give it the name of your programmer and the AVR chip that you have connected, and it will run avrdude, print out the high, low, and extended fuse bytes, and open up the Engbedded Fuse Calculator site with the current fuse settings of your AVR chip. Example:

$ avr-fusedump -c usbtiny -p ATmega328P
lfuse	0xFF
hfuse	0xD9
efuse	0x07

And the following page was opened:

Engbedded page opened by avr-fusedump

Engbedded page opened by avr-fusedump

The avr-fusedump script can be downloaded here.

]]>
http://hackingwithgum.com/2009/11/05/dumping-avr-fuse-settings-in-bash/feed/ 0
Cenzic POV Fan Toolkit http://hackingwithgum.com/2009/10/08/cenzic-pov-fan-toolkit/ http://hackingwithgum.com/2009/10/08/cenzic-pov-fan-toolkit/#comments Fri, 09 Oct 2009 02:56:56 +0000 cheffner http://hackingwithgum.com/?p=366 In order to make hacking my Cenzic POV fan easier, I created a small tool kit consisting of a couple of Python scripts to aid in the creation of character maps and EEPROM images for the fan.

The first Python script, ascii2cenzic.py, was mentioned in my original article; you simply pass it the ASCII text that you want the fan to display, and it will generate the binary data that you need to load onto the fan’s EERPOM using PonyProg. It has been updated to support uppercase alpha numeric characters, some punctuation, and smiley and frowney faces.

If you want to display an image that the ascii2cenzic script doesn’t support, you have to figure out the necessary byte patterns. This can be time consuming, so the second script included in the tool kit is graph2hex.py. Graph2hex will take a 5×7 character ASCII art image and generate the five byte sequence needed in order to display that image on the fan. There are two important notes regarding the use of this tool:

  1. The image MUST be 5×7 characters, no more, no less
  2. Zeros in the ASCII art image will be where the LEDs are turned on; anything else is considered “off”.

There is also an example ASCII art image of a smiley face included in the zip file, example_graph.txt. Note that there are five columns, with seven rows each, no more, no less:

11111
01110
11111
11011
11111
01110
10001

To make the image clearer, you can replace all the 1′s with spaces. Be careful with this though, it’s easy to accidentally add extra white space and then you’ll be left wondering why graph2hex is throwing errors:


0   0

  0  

0   0
 000

Running graph2hex on this file produces the five byte sequence needed to properly display this image:

c:>python graph2hex.py example_graph.txt
0xBD,0x7F,0x6F,0x7F,0xBD

Once you have these bytes, you can add an entry to the ascii_table dictionary in ascii2cenzic.py (note that the key in the dictionary must be ONE character):


‘)’ : [0xBD,0x7F,0x6F,0x7F,0xBD], #Close paren displays a smiley face

You can download the tool kit here.

]]>
http://hackingwithgum.com/2009/10/08/cenzic-pov-fan-toolkit/feed/ 0
Hacking The Cenzic POV Fan http://hackingwithgum.com/2009/10/06/hacking-the-cenzic-pov-fan/ http://hackingwithgum.com/2009/10/06/hacking-the-cenzic-pov-fan/#comments Wed, 07 Oct 2009 01:26:48 +0000 cheffner http://hackingwithgum.com/?p=308 At Black Hat this year the Cenzic booth was giving away some portable personal fans, with a slight twist: these were persistence of vision fans. I’d only ever seen one other POV fan, and it wasn’t portable, so the Cenzic fan seemed like a prime candidate for hacking.

Not having any prior experience with POV, I started poking at things to see how it worked. It turns out that Cenzic made it very easy to access the fan’s EEPROM chip, and with a simple RS232-to-I2C interface you can re-write the EEPROM on this device to make it display whatever you like:

Get the Flash Player to see this player.

Disassembly was pretty simple, as all the plastic covers can be pried off with your fingers or a small screwdriver. The first step to taking the Cenzic fan apart was to gently pry up the small cover on the front of the fan:

Cenzic POV Fan

Cenzic POV Fan

Header Cover Removed

Header Cover Removed

This revealed a four pin header, which was very encouraging. Note that this is really all the disassembling you’ll need to do in order to re-program the EEPROM.

Next, prying off the plastic cap revealed the fan blades that double as a sheath for the LED strip:

Fan Cap Removed

Fan Cap Removed

Prying off the cover below that allowed access to the circuit board:

Fan Circuit Board

Fan Circuit Board

Here you can see the two springs that sit between the circuit board and fan body to supply power to the circuitry while the fan is spinning:

Brush Springs

Brush Springs

The hardware in the Cenzic fan is pretty sparse: an unknown controller (covered with epoxy), a few resistors and capacitors, and a single EEPROM chip located right next to the four pin header:

A Closer View Of The Circuit Board

Closer View Of The Circuit Board

The EEPROM chip is a 24C02N, which is a 2Kb I2C EEPROM chip. The four pin header attaches to the 24C02, allowing it to be read from and re-written. The header pin out from bottom to top, as pictured above, is: GND, SDA, Vcc, SCL:

24C02 Header Pin Out

24C02 Header Pin Out

In order to read and write to the EEPROM chip, a simple serial to I2C interface was required. I built the serial adapter circuit found on Chiprecharge.com, which works nicely with PonyProg. This circuit drops the RS-232 voltage on the data and clock lines down to 5v via a pair of zener diodes, and provides 5v power to the EEPROM chip:

PonyProg EasyI2C Serial Interface

PonyProg EasyI2C Serial Interface

Attaching the adapter to the fan’s four pin header allowed me to read out the contents of the EEPROM chip:

Dumping The EEPROM

Dumping The EEPROM

PonyProg Data Dump

PonyProg Data Dump

And here’s what the above data displays on the POV fan:

The data dump obtained from the Cenzic fan may need some explanation. If you watched the above video, you saw that the original Cenzic message was broken into five parts:

  1. SECURE
  2. YOUR
  3. WEB APPS
  4. WITH
  5. CENZIC

The first byte of data in the EEPROM tells the controller how many parts there are to the message (in this case, five, or 0×05).

Following the 0×05 is the byte 0×06; this is the number of letters in the first part of the message (“SECURE”). Each part of the message is prefixed with its string length in bytes.

Each letter is displayed on a 5×7 matrix, that is, there are 7 LEDs aligned vertically, and each letter gets 5 pulses as the LED array moves around in a circle (5 LEDs in width, 7 LEDs in height).

Each of the vertical LED patterns (5 per letter, since each letter is 5 LEDs in width) are describe by a single byte. The first part of the original message is “SECURE”, which is 6 characters long. Therefore, the size of the first part of the message when stored in EEPROM is 6 * 5 = 30 bytes. If we go to offset 0×20 (which is the next byte after the 30 “SECURE” bytes), we see the number 4, which is the string length of the second part of the message (“YOUR”). The microcontroller reads these patterns from the EEPROM until all parts of the message have been displayed, at which point it starts the message over again.

Each byte in the message represents a vertical LED display pattern, with the high-order bit in each byte controlling the bottom LED, and the low-order bit controlling the top LED. A 1 indicates that the corresponding LED is off, while a 0 turns the LED on; however, there are only 7 LEDs, and 8 bits in each byte, so something has to give. The fourth lowest-order bit is ignored, and can be set to either a 1 or a 0 without affecting the resulting display.

Because the fan rotates in a counter-clockwise direction, the letters entered in the EEPROM are a mirror image of what will be displayed; that is, when displaying a message, the controller starts at the end of a message, and works its way backwards. So, the first five bytes in the first message tell the controller how to display the letter “E”, although if you visually mapped out the bit patterns for these five bytes, you would see that the “E” is actually backwards (again, it needs to be a mirror image of what should be displayed).

To help visualize this, take a look at how to display the letter “E”. First, map out a mirror image of the letter on a 5×7 grid:

00000  <- Low order bits
    0
    0
00000  <- This row of bits will be ignored
00000
    0
    0
00000  <- High order bits

Now, fill in everything else with 1′s:

00000  <- Low order bits
11110
11110
00000  <- This row of bits will be ignored
00000
11110
11110
00000  <- High order bits

The resulting hex values for each column of bits is, from left to right:

0×66,0×66,0×66,0×66,0×00
 

And the resulting image that will be displayed by the fan is:

00000
0
0
00000
0
0
00000

In order to make it easier to load new text onto the Cenzic fan, I wrote a Python script to translate ASCII text into a data dump that can be loaded into the fan’s EEPROM using PonyProg. Currently it only supports uppercase letters and smileys, but if you understand the above description, it’s easy enough to modify the script to produce any pattern you’d like. Usage is fairly straightforward; to generate a message that displays “Hello World”:

C:\>python ascii2cenzic.py hello world > hello.bin
 

The resulting hello.bin file can then be opened with PonyProg and written to the EEPROM chip:

Configure PonyProg I/O Settings

Configure PonyProg I/O Settings

Write Data To EEPROM

Write Data To EEPROM

]]>
http://hackingwithgum.com/2009/10/06/hacking-the-cenzic-pov-fan/feed/ 19
Building A Boxee Remote Control http://hackingwithgum.com/2009/09/28/building-a-boxee-remote-control/ http://hackingwithgum.com/2009/09/28/building-a-boxee-remote-control/#comments Tue, 29 Sep 2009 02:22:36 +0000 cheffner http://hackingwithgum.com/?p=234 After configuring my Boxee server to distribute video through the coax cabling in my house, I needed a way to control the Boxee server from other rooms.

I built a remote control system that uses an ATMega328 microcontroller and a Linksys WRT54G to read IR codes from standard TV remote controls and relay them over the WiFi network to a Python script running on the Boxee server.

Get the Flash Player to see this player.

Here’s how it works:

  1. An IR receiver is attached to an ATMega328 microcontroller (Arduino), which reads the IR codes from standard TV remote(s).
  2. The microcontroller is also connected to the serial port of a WRT54GSv4, which is connected as a client to my WiFi network.
  3. When the microcontroller receives an IR code, it pipes the code through netcat to a Python script running on the Boxee server.
  4. The Python script finds the keyboard key in its lookup table that corresponds to the received IR code and then simulates that key press using the xte utility.

The IR receiver is a TSOP1738 which was pulled out of a broken DirectTV box that had been thrown away. Most IR receivers from old VCRs / DVD players  / whatever should also work:

TSOP1738 Pin Out

TSOP1738 Pin Out


The microcontroller code was kept sweet and simple using Ken Shirrif’s multi-protocol infrared Arduino library. All it does is read a code from the IR receiver, check to make sure that it’s a valid code, and sends the command echo “<ir protocol>:<ir code>” | nc <boxee server> 4919 to the BusyBox shell running on the WRT54G’s serial port. The Arduino code can be downloaded here.

The WRT54G is an old Fonera router re-loaded with Tomato firmware. The router has two serial ports, one of which (/dev/ttyS0) provides a root shell; this shell is used by the microcontroller to send messages to the Boxee server:

Tomato 1.25.1720

BusyBox v1.14.0 (2009-05-25 16:08:27 PDT) built-in shell (ash)
Enter 'help' for a list of built-in commands.

#
# echo "NEC:18E708F7" | nc boxee 4919
#

The following schematic depicts how the ATmega328 is interfaced with the IR receiver and the router’s serial port. Both the ATmega328 and the TSOP1738 require 5v, so a 7805 regulator is used to drop router’s 12v power supply down to 5v, and suppress any power supply disturbances that may occur. The 3.3v zener diode drops the 5v output from the microcontroller down to 3.3v for the router’s TTL serial interface, while the 2200 ohm resistor limits the current through zener diode so that the it doesn’t burn out:

IR Receiver Schematic

IR Receiver Schematic


Here is the circuit wired up to the WRT54G during testing. As you can see, the WRT54G case has plenty of room for the new circuit board:

Testing The Circuit Board

Testing The Circuit Board


To mount the IR receiver, the “Cisco Systems” logo was cut away from the front panel of the case. The logo did not have any hard plastic behind it, so it was easy to cut out with a hobby knife, and is the perfect size for the TSOP1738:

The Cisco Logo Removed

The Cisco Logo Removed


The Cisco logo was used to cover the “Secure Easy Setup” button, so in order to use that space for the IR receiver, the SES button needed to be removed from the Linksys board as well:

Secure Easy Access Button

Secure Easy Access Button

Secure Easy Access Button Removed

Secure Easy Access Button Removed

Fitting The Circuit Board And IR Receiver Into The Case

Fitting The Circuit Board And IR Receiver Into The Case

The Router, Reassembled

The Router, Reassembled


With the hardware complete, as much of the logic as possible was placed into a Python script that runs on the Boxee server; this way if I need to add or change some IR codes, I can just edit the Python script, rather than re-program the microcontroller.

The Python script runs as a daemon, and currently has codes for most of the buttons on my Sony, RC6, and NEC remote controls at home. Since Python in Linux doesn’t have an API for simulating keystrokes to GUI applications, the script uses the xte utility which is part of the xautomation package.

I managed to scrounge up most of the parts for this project (including the router), keeping the total cost to around $15. I’m also thinking of using a similar set-up to control other applications running on my PC.

]]>
http://hackingwithgum.com/2009/09/28/building-a-boxee-remote-control/feed/ 6
Installing OpenWRT On The GT-704WG http://hackingwithgum.com/2009/09/17/installing-openwrt-on-the-actiontec-gt-704wg/ http://hackingwithgum.com/2009/09/17/installing-openwrt-on-the-actiontec-gt-704wg/#comments Fri, 18 Sep 2009 02:05:42 +0000 cheffner http://hackingwithgum.com/?p=206 I recently picked up an ActionTec GT-704WG DSL router from the thrift store ($15) and wanted to flash it with OpenWRT. Checking out Google and the OpenWRT Wiki, some work has been done on the GT-701WG, but specific information for flashing the GT-704 was scarce. The GT-704 hardware is based on the AR7 from Texas Instruments, and is nearly identical in specifications to the GT-701:


Platform:
Texas Instruments AR7, 150MHz
Flash: 4MB
RAM: 16MB
Ethernet: 4 Ports
Wireless: TI ACX111, 802.11b/g

The firmware install is pretty straightforward, once you get the commands right. The process is very similar to that documented for generic AR7 devices, but not exactly the same. It helps to have a terminal connected to the JP603 serial port (ttys0, 38400, 8N1)during this process as well, but it is not necessary:

The serial port on the right (JP603) is ttys0; the other is not used.

The serial port on the right (JP603) is ttys0

The pinout for the serial port is, as pictured, from bottom to top: ground, transmit, receive, unknown, Vcc, unknown.

In order to flash the firmware, you’ll need to get access to the Adam2 bootloader. The easiest way to do this is to turn off the router, hold down the reset button, and turn the router back on. Keep holding the reset button until you see the Power and Internet LEDs stay on; this indicates that the router has dropped into the Adam2 shell prompt.

The prompt can be accessed via the serial connection, or via FTP. To connect via FTP, simply FTP to the router and login with the user name of ‘adam2′ and password ‘adam2′. The default adam2 IP address is 192.168.0.1. If this IP address does not work, you will have to connect via the serial connection and issue the following command:

printenv
 

Look for the variable named ‘my_ipaddress’, which will list the Adam2 IP.

Once you have access to Adam2 (either via FTP or serial), you will have to set a couple of environment variables. First, you need to create a partition to install OpenWRT to. The existing partitions can be viewed by issuing the printenv command at the serial console. They are:

mtd2                  0×90000000,0×90010000
mtd1                  0×90010000,0x900d0000
mtd0                  0x900d0000,0x903e0000
mtd4                  0x903e0000,0x903f0000
mtd3                  0x903f0000,0×90400000

Since the OpenWRT image contains both the kernel and the file system, your new partition should cover both the existing kernel and file system partitions (mtd1 and mtd0, respectively). To create the partition via the serial console, run:

setenv mtd5,0×90010000,0x903f0000
 

Or via the FTP connection:

quote SETENV mtd5,0×90010000,0x903f0000
 

You will also have to set the MAC_PORT environment variable in order to enable the internal ethernet port. From the serial console:

setenv MAC_PORT,0
 

Or from FTP:

quote SETENV MAC_PORT,0
 

With that done, you’re ready to FTP your new firmware to the router; other reports on the GT-701 and GT-704 have noted that the ActionTec recovery utility sends a message to UDP port 5035 (actually, two messages in the case of the GT-704). However this appears to be simply for discovery of the router’s IP address and is not necessary for loading firmware onto the router.

Go to OpenWRT’s download page, and get the latest release of openwrt-ar7-squashfs.bin (currently Kamikaze 8.09.1). If you haven’t already, FTP to the router and login with the previously described credentials. You will need to issue the following commands:

ftp> binary
200 Type set to I.
ftp> quote MEDIA FLSH
200 Media set to FLSH
ftp> quote STOR openwrt-ar7-squashfs.bin mtd5
226 Transfer complete
ftp> quote REBOOT

It will take the router a minute or two to clear the flash and load the firmware. Note that you do NOT want to enter passive mode for the file transfer; doing so will slow the file transfer significantly (it would have taken about a week by my estimation). You can monitor the router’s progress via the serial console, or by watching the file transfer in Wireshark. Once the firmware transfer is complete, the reboot command will reboot the router, and you should have a working OpenWRT install:

Please press Enter to activate this console.

BusyBox v1.11.2 (2009-05-28 18:22:45 UTC) built-in shell (ash)
Enter 'help' for a list of built-in commands.

  _______                     ________        __
 |       |.-----.-----.-----.|  |  |  |.----.|  |_
 |   -   ||  _  |  -__|     ||  |  |  ||   _||   _|
 |_______||   __|_____|__|__||________||__|  |____|
          |__| W I R E L E S S   F R E E D O M
 KAMIKAZE (8.09.1, r16278) ----------------------------
  * 10 oz Vodka       Shake well with ice and strain
  * 10 oz Triple sec  mixture into 10 shot glasses.
  * 10 oz lime juice  Salute!
 ---------------------------------------------------
root@OpenWrt:/#

So far everything checks out OK using the generic firmware image; ethernet and wireless works, opkg updates and installs packages fine. The only downside is that the wireless doesn’t seem to support WPA, possibly due to the poor open source support from TI. I haven’t tested the USB port, but it appears to be a client-only USB device, so it’s of limited use.

]]>
http://hackingwithgum.com/2009/09/17/installing-openwrt-on-the-actiontec-gt-704wg/feed/ 11
Flashing Asus WL-520GU Firmware Via TFTP http://hackingwithgum.com/2009/09/11/flashing-asus-wl-520gu-firmware-via-tftp/ http://hackingwithgum.com/2009/09/11/flashing-asus-wl-520gu-firmware-via-tftp/#comments Sat, 12 Sep 2009 01:27:26 +0000 cheffner http://hackingwithgum.com/?p=199 Today a friend and I were struggling to re-flash an Asus WL-520GU with OpenWRT via TFTP. The router had been previously flashed with DD-WRT, and of course the Web-based firmware update did not recognize the OpenWRT trx file as a valid image (there is currently no OpenWRT .bin file available for the WL-520GU); this left TFTP as the next best option for flashing the firmware.

Usually, it is helpful to have a serial console connected to the router while doing a TFTP transfer, so that you can see when the bootloader (CFE, in the case of the Asus) is listening for TFTP connections, as with the Linksys WRT54G:

CFE version 1.0.37 for BCM947XX (32bit,SP,LE)
Build Date: Thu Mar 24 16:31:45 CST 2005 (motoplayer@cvs.gemtek.com.tw)
Copyright (C) 2000,2001,2002,2003 Broadcom Corporation.

Initializing Arena
Initializing Devices.
et0: Broadcom BCM47xx 10/100 Mbps Ethernet Controller 3.90.39.0
CPU type 0×29008: 200MHz
Total memory: 8192 KBytes

Total memory used by CFE:  0×80300000 – 0×80399700 (628480)
Initialized Data:          0x8032F870 – 0x80331F50 (9952)
BSS Area:                  0x80331F50 – 0×80333700 (6064)
Local Heap:                0×80333700 – 0×80397700 (409600)
Stack Area:                0×80397700 – 0×80399700 (8192)
Text (code) segment:       0×80300000 – 0x8032F870 (194672)
Boot area (physical):      0x0039A000 – 0x003DA000
Relocation Factor:         I:00000000 – D:00000000

Committing NVRAM…done
Device eth0:  hwaddr 00-40-77-BB-55-10, ipaddr 192.168.1.1, mask 255.255.255.0
gateway not set, nameserver not set
Reading ::

Unlike the WRT54G however, the WL-520GU bootloader did not specify its IP address, and the usual 192.168.1.1 did not work; watching the network traffic while attempting the TFTP transfer revealed that this address was not responding to ARP requests at all. Additionally, while the WRT54G waits for a TFTP connection for a few seconds before timing out, the WL-520GU only listens for about one second before timing out and loading the kernel. Such a short time period, coupled with not knowing the bootloader’s IP address, made flashing via TFTP nearly impossible.

The solutions to both these problems were found (directly and indirectly) through DD-WRT’s WL-520GU Wiki page. By holding down the reset button on the router on boot up, the bootloader will enter hardware restoration mode and perpetually listen for TFTP connections rather than continuing with the boot process. This can be confirmed by watching the serial console output; you should see repeating messages that read: “Reading :: Failed.: Timeout occured”. The power LED should also be blinking slowly when the router is in hardware restoration mode.

Once you have the router constantly listening for TFTP connections, you still need to know the IP. This was discovered by downloading the Asus restoration utility and monitoring the network traffic it generated. This revealed that the router’s bootloader IP address was 192.168.1.49. With the router in hardware restoration mode and knowledge of the bootloader IP address, it was easy to upload the firmware via TFTP:

tftp> mode binary
tftp> trace
tftp> connect 192.168.1.49
tftp> put openwrt-brcm-2.4-squashfs.trx
sent DATA <block=1, 512 bytes>
received ACK <block=1>
sent DATA <block=2, 512 bytes>
received ACK <block=2>

]]>
http://hackingwithgum.com/2009/09/11/flashing-asus-wl-520gu-firmware-via-tftp/feed/ 0
Very Simple Vibration Sensor http://hackingwithgum.com/2009/06/12/very-simple-vibration-sensor/ http://hackingwithgum.com/2009/06/12/very-simple-vibration-sensor/#comments Sat, 13 Jun 2009 03:09:23 +0000 cheffner http://hackingwithgum.com/?p=144 Sometimes when working on a project you may find that you need a vibration sensor. These are useful for detecting footsteps, tremors, wind, etc. Accelorometers can be used, but are a costly solution if you simply want to detect vibrations and are not concerned with gathering precise measurements. Out of curiosity one day, I cut open an Urchin ball to examine the circuitry they use for detecting vibrations / shock. I found that they use a light spring as a very simple, but effective, shock sensor:

Urchin Ball Spring Shock Sensor

Urchin Ball Spring Shock Sensor

The above circuit is enclosed in a small hard plastic ball, placed inside the Urchin ball, which prevents the spring from being physically struck as the ball is thrown around. When the spring vibrates, it strikes the pad on the circuit board, completing a connection and initiating the flashing light sequence. By adjusting the height of the spring above the pad, the vibration detector can be made quite sensitive; even a slight tap on the table or a gentle breeze will set it off:

Get the Flash Player to see this player.

Just goes to show that you shouldn’t over think your problem: the simplest solution is usually best. I’m thinking that I’ll have to use this for something this holloween…

]]>
http://hackingwithgum.com/2009/06/12/very-simple-vibration-sensor/feed/ 3
Diamagnetic Levitation http://hackingwithgum.com/2009/06/10/diamagnetic-levitation/ http://hackingwithgum.com/2009/06/10/diamagnetic-levitation/#comments Thu, 11 Jun 2009 00:03:30 +0000 cheffner http://hackingwithgum.com/?p=123 Ever tried to levitate a magnet with another magnet? The trick is to place a diamagnetic material in between the two magnets. Normal magnets have poles, where opposite poles attract and like poles repel; diamagnetic materials repel both magnetic poles equally, and can be used to balance out the force of attraction between two magnets. Getting a magnet to hover in the air can be a bit touchy, but it can be done without too much trouble.

Bismuth and pyrolytic graphite are both diamagnetic and can be obtained relatively cheaply. You’ll also want a small neodymium magnet to levitate, and any normal ceramic magnet can be used to do the levitating. I purchased a couple strips of pyrolytic graphite and a 2mm neodymium cube magnet from SciToys and used a small ceramic magnet that I’d bought from Radio Shack. The idea is to place the pyrolytic graphite between the neodymium magnet and the ceramic magnet, with the ceramic magnet above the graphite, and the neodymium magnet below. Then slowly adjust the height of the ceramic magnet until you get the neodymium magnet to hover between the ground and the graphite. The graphite should be placed close to the neodymium magnet, and you can put a second piece of pyrolytic graphite below the neodymium magnet for additional stability, but with careful adjustment only one piece is necessary.

So, here is my “levitation device” built primarily from leftover metal covers that come with Radio Shack’s plastic project enclosures (note that all non-magnetic metal was used of course). No electricity or optical illusions, just the wonders of magnetism:

Get the Flash Player to see this player.

]]>
http://hackingwithgum.com/2009/06/10/diamagnetic-levitation/feed/ 0
How Crystal Radios Really Work http://hackingwithgum.com/2009/06/08/how-crystal-radios-really-work/ http://hackingwithgum.com/2009/06/08/how-crystal-radios-really-work/#comments Mon, 08 Jun 2009 12:55:57 +0000 cheffner http://hackingwithgum.com/?p=105 Almost anyone who has tinkered with electronics has built a crystal radio. I’ve always marveled not only at how amazing these little devices were, but also at the lack of descriptions regarding their inner workings. Descriptions of crystal radios almost invariably use some terminology synonymous with, “The detector changes the back and forth radio wave electricity into one way sound electricity…“; well, that’s nice, but how does it do that? Why does it work? What do we mean by “radio wave electricity” and “sound electricity”?

Before examining a crystal radio circuit, it is important to understand where crystal radios get their power from. One of the things that makes crystal radios so interesting is that they require no power source. Well, that’s not entirely true, as there has to be some energy coming from somewhere in order to make your speaker / headphones vibrate. Crystal radios get this energy from the radio waves themselves; in fact all radios use this same energy, although modern radios require additional power sources to amplify the relatively weak energy supplied by radio waves.

Radio waves are in many ways similar to the 60Hz AC power that you have in your house; both are forms of electrical energy, and both have currents that alternate direction. The electrons that are responsible for generating radio waves however, alternate direction much faster than the electricity in your power lines, typically switching direction millions of times per second. When we talk about electricity, we usually are referring to the electromagnetic fields that transfer power from one place (your electric company) to another (your computer, lights, phone charger, etc). That is exactly what radio waves are: electromagnetic fields. So, think of radio transmitters as small electric companies that send you very small amounts of electric energy, except in stead of sending it through wires, they send it through the air. Einstein’s description of radio is perhaps the most eloquent:

You see, wire telegraph is a kind of a very, very long cat. You pull his tail in New York and his head is meowing in Los Angeles. Do you understand this? And radio operates exactly the same way: you send signals here, they receive them there. The only difference is that there is no cat.

Now, if you were to listen to a 60Hz AC signal, you’d find that it’s not much fun to listen to, just a constant humming sound. That’s because the 60Hz signal is switching directions back and forth at a constant rate and constant amplitude, which would cause your speakers to vibrate at that same constant rate and amplitude, which would produce a monotone humming sound. But crystal radios are usually designed to listen to AM radio stations, not 60Hz hums, so let’s take a look at how AM radio waves work.

AM stands for Amplitude Modulation, and as you might guess, it “encodes” radio waves with information by varying (modulating) the strength (amplitude) of the radio wave. It does this by using sound waves to control the strength of the radio waves generated by the transmitter. It is perhaps easier to understand how these currents are modulated by examining the following circuit of a simple AM transmitter (courtesy of SciToys.com). The audio input actually controls the power supply for the oscillator; obviously, if the oscillator is supplied with less power, its output will be weaker, and if it is supplied with more power its output will be stronger. The variations in the strength and frequency of the audio waves cause the amount of power supplied to the oscillator to vary, thus changing the amplitude of the oscillator’s output signal accordingly:

Simple AM Transmitter Circuit

Simple AM Transmitter Circuit

Below you can see how the audio signal applied to the transformer in the schematic above changes the amplitude of the oscillator’s signal:

Amplitude Modulation

Amplitude Modulation

Notice that the transmitter’s frequency of oscillation is much higher than that of the audio signal; in the above image, one oscillation of the audio tone is spread out over twelve of the transmitter’s oscillations. This is important, because it allows variations in both the strength and the frequency of the audio tone to modulate the transmitter’s signal.

For example, if the audio tone were of a higher frequency, one audio cycle might only cause an amplitude change in five of the oscillator’s cycles. In other words, the amplitude change in the transmitted signal will be shorter (amplitude changes will occur more frequency) or longer (amplitude changes will occur less frequently) depending on the frequency of the imposed audio tone. When these time variations in amplitude are converted back into audio at the receiver, the audio wave will be respectively shorter or longer, thus re-producing the original audio tone.

But how do we convert these changes in amplitude back into audible sound waves? Let’s examine the simplest crystal radio circuit, which consists only of a diode and a pair of headphones:

Simplest Crystal Radio

Simplest Crystal Radio

When radio waves (electromagnetic energy) strike the antenna, they cause the electrons in the antenna to vibrate back and forth at the same frequency and relative amplitude as the electrons that produced the radio waves in the first place; this induces electric energy in the circuit. Remember that radio waves are generated by alternating current, which is just a bunch of electrons vibrating back and forth at a certain rate. This rate is called the frequency. The frequency of your AC line is 60Hz. The frequency of your local NPR station would likely be somewhere around 89MHz (mega-hertz).

The diode is of course the detector in this circuit. Germanium diodes are preferred over silicone diodes due to their lower turn-on voltage. Basically, the diode works to convert the AC current (induced by the radio waves) into DC current by only allowing electrons to flow in one direction through the speaker. This means that when the alternating current moves one way, the diode will block the flow of electrons, forcing them to go through the tuned circuit (path of least resistance, since the diode is blocking the flow of charges). When the alternating current is moving in the other direction however, radio signals at the desired frequency will move through the diode, and subsequently, through the speaker. This means that the electron flow moving through the speaker looks like this (courtesy CrystalRadio.net):

Pulsating DC In The Speaker

Pulsating DC In The Speaker

Anyone who has worked on DC power supplies will recognize that this diode is acting as a half-wave rectifier, simply converting AC into pulsing DC. The principle that you use to convert the electricity from your AC power lines into DC that you can use to charge your cell phone is the same principle used in a crystal radio; we simply convert the alternating current into a pulsating direct current (most power supplies are actually full-wave rectifiers, but the principle is the same). The amplitude of these pulsating direct currents is controlled by the audio input (i.e., your voice) to the AM transmitter, and as they change amplitude they force the speaker to vibrate up and down in a corresponding pattern. These speaker vibrations produce an identical copy of the original audio input.

But why do we need the diode in the first place? If the amplitude changes drive the speaker, shouldn’t we be able to connect the antenna directly to the speaker and achieve the same effect? To understand why, you must first think about what a speaker is made of. It is basically a magnet, an inductor, and a diaphragm (some piece of light, flexible material). A simple speaker can be made by wrapping some wire around a tube of paper and placing a magnet in the center of the paper tube; connect the ends of the inductor (the wire coil) to an audio source, and you have a very low quality, but working, speaker (video by CalcProgrammer1):

Electricity and magnetism are closely linked, and as electric power moves through the speaker coil, a magnetic field is produced. Everyone knows that if you hold two magnets next to each other, they will attract one another if the opposite poles are facing, and repel one another if the same poles are facing. By placing a magnet inside of the speaker coil, the coil will actually move back and forth as electric power generates a magnetic field of varying strength in the coil: the magnetic fields in a speaker work on the same principle of attraction / repulsion that all magnetic fields exhibit.

However, the above speaker is very weak; in order to improve the response of a speaker, most speaker coils (aka, voice coils) are wrapped around iron or some other magnetic metal. This improves the quality of the speaker, however, it also introduces a slight problem for radio work: as the AC audio signals in the speaker coil switch back and forth, they create a magnetic field that causes the polarity of the metal core to switch back and forth as well. This is fine at low frequencies, but as the AC begins switching back and forth very rapidly, you encounter a phenomenon called hysteresis. Basically, the core’s polarity can only switch back and forth so fast, and once you exceed this maximum frequency, the core’s polarity stops switching altogether. Audio is fine, but radio frequencies are much higher in frequency and will induce hysteresis. By using the diode to convert the alternating current to direct current, the magnetic polarity never has to switch back and forth because the flow of electrons through the speaker are always going in the same direction.

The final piece to this circuit is ground. Everyone will tell you that a good ground makes for a better receiver; but why? Well, quite simply, electrons need a place to go. Electrons aren’t produced by radio waves, but already exist throughout the crystal radio’s wires and components; the radio waves just make them move back and forth. But they need a place to move to, which in most cases is provided by an earth ground.

To demonstrate, I have built both the simple crystal radio as well as the AM transmitter described above. The receiver is poor and the transmitter is weak, so instead of connecting the receiver to an antenna as depicted in the schematic, I’ve simply connected the output of the transmitter directly to the diode in the crystal radio. In order to actually hear the output I have also connected an amplified speaker in place of the headphones, although the audio is still rather weak. Note the loud humming noise that comes out of the speaker with no ground connected; you will hear a dramatic difference as soon as the ground wire is connected, as well as some faint audio from the transmitter:

Get the Flash Player to see this player.

In reality however, this crystal radio is not very useful because it is picking up all frequencies at once and has no way of selecting out one particular signal. So when you connect it to an antenna all you hear is a lot of noise. This is much like sitting in a loud auditorium full of people talking – it would be very difficult to pick out any one conversation unless they were yelling right in your ear, just like connecting the transmitter’s output directly to the crystal receiver’s input. Here is what the radio sounds like when connected to an antenna:

Get the Flash Player to see this player.

In order to provide some selectivity, an inductor (coil) can be added to the circuit. Without getting too in depth into the subject of reactance, inductors will generally impede changes in frequency; thus, signals with lower frequencies will pass through inductors more easily than those with higher frequencies. By connecting an inductor between the antenna and ground, we can create a very rudimentary filter that essentially short-circuits low frequency signals between the antenna and ground, because they will see the inductor as a low-resistance path between the antenna (power source) and ground. Higher frequencies will still pass through the diode because they will see the inductor as a high-resistance path between the antenna and ground:

Crystal Radio With Inductor

Crystal Radio With Inductor

After connecting the inductor to the circuit much of the low frequency hum from electrical appliances and the like are filtered out, and a local AM station can be faintly heard:

Get the Flash Player to see this player.

The problem with this circuit is that there is still not much selectivity. It works if there is only one loud AM station, but what if there are two or three or more? In order to provide more selectivity, a capacitor can be added in parallel with the inductor:

Crystal Radio With Tuned Circuit

Crystal Radio With Tuned Circuit

Like inductors, capacitors also have reactance, but capacitors tend to “pass” higher frequency signals and “block” lower frequency signals. The inductor and variable capacitor in the circuit above together act as a filter; this filter is tuned to allow only a certain range of radio frequencies to reach the detector. Tuning can be accomplished by changing the value of the capacitor or inductor; variable capacitors are convenient to use because their values are easily changed.

For example, say that we want to receive radio waves with a frequency of 1000kHz; the inductor and variable capacitor would be selected so that they act as low-resistance paths to AC signals that are above and below the desired 1000kHz frequency. Since electrons prefer the path of least resistance, radio signals at these frequencies will pass directly between the antenna and ground, bypassing the detector. The inductor and variable capacitor also appear as high-resistance paths to AC signals that vibrate at the desired frequency of 1,000,000 times per second, so these signals will prefer to travel through the detector. Of course, in real life, such filters are not so precise, and will allow a range of frequencies to travel through the detector. However, the electromagnetic spectrum is quite large, so they still serve to filter out the vast majority of undesired signals.

As an example, I’ve added a variable capacitor to the circuit and it is selective enough so that both the local AM station and my small AM transmitter can be individually tuned in and listened to:

Get the Flash Player to see this player.

You will also often see a capacitor placed in parallel with the headphones in a crystal radio. This capacitor acts as a smoothing capacitor, just like one that you would find in an AC to DC power converter. This smooths out the high-frequency pulses that were rectified by the diode:

Crystal Radio With Smoothing Capacitor

Crystal Radio With Smoothing Capacitor

The signal differences with and without the smoothing capacitor can be clearly seen in the following pictures; the unfiltered signal looks much noisier:

Signal With Smoothing Capacitor

Signal With Smoothing Capacitor

Signal Without Smoothing Capacitor

Signal Without Smoothing Capacitor

And that is the magic of crystal radio: it’s just a long-range, wireless power supply. Now if only we could figure out where that cat went…

]]>
http://hackingwithgum.com/2009/06/08/how-crystal-radios-really-work/feed/ 5
Baby Monitor RF Repeater http://hackingwithgum.com/2009/06/01/baby-monitor-rf-repeater/ http://hackingwithgum.com/2009/06/01/baby-monitor-rf-repeater/#comments Tue, 02 Jun 2009 02:15:14 +0000 cheffner http://hackingwithgum.com/?p=18 After I restored my Crosley 516, I was faced with a new problem: what was I going to use it for? Short wave reception was non-existent with a short wire antenna, and there’s nothing that I particularly care to listen to on AM; what I really wanted to do was listen to some old time radio! I’d seen other projects that replaced the guts with Internet radios, but since the electronics worked just fine I really wanted a way to stream audio from my computer to the radio without any modifications to the original radio circuitry itself.

The obvious solution was to build a small AM transmitter and modulate the signal with the audio output from my computer. I built a very simple, low-cost, low-power AM transmitter:

Simple AM transmitter schematic

Simple AM transmitter schematic

However, I had some self-imposed restrictions to overcome:

  1. The receiver could not pick up the low-power transmitter unless the two were right next to each other.
  2. A larger antenna would improve reception, but I didn’t want to have a large piece of wire hanging off the back of the radio since I planned on placing it in the living room.
  3. Adding an amplifier to the transmitter would improve reception, but would make the circuit more complex; more importantly, I would have to be careful about the FCC’s part 15 rules.
  4. I didn’t want to put a computer in the living room – most of the ones that I have laying around are noisy, so it would be best to keep the audio source (computer) in the basement.

I needed a way of relaying (preferably legally, cheaply and simply) the audio from the computer in the basement up to the AM transmitter located just behind the receiver. After considering several possibilities, I finally settled on using a baby monitor set to do the relay. My wife picked up this set from Target, which sells for $20, claims a 600+ foot range and operates on 49MHz:

Saftey 1st Baby Monitors

Safety 1st Baby Monitors

They aren’t Hi-Fi by any means, but neither is the Crosley. Besides, $20 for a TX/RX pair is about as cheap as it gets. The transmitter was easily modified to accept a direct audio line in by replacing the electret microphone with a 20dB attenuator and 1/8″ stereo jack; I simply drilled out the mic hole to accommodate the line input jack:

Transmitter with 20dB attenuator

Relay transmitter with 20dB attenuator

Transmitter, mic replaced by line input

Relay transmitter exterior view

For the receiver, I just replaced the speaker with a 1/8″ line out jack:

Receiver with line out jack

Relay receiver with line out jack

Receiver exterior view

Relay receiver exterior view

Initially I tried placing the AM transmitter in the relay receiver enclosure and powering them both from the same 9v wall wart, but this resulted in nothing but heavy static feeding into the AM transmitter. Instead, I enclosed the AM transmitter in a separate case and powered it off an external battery; given that the AM transmitter draws a relatively low 50mA of current, this was an acceptable compromise:

AM transmitter in case

AM transmitter assembled in case

The primary audio source for the transmitter is my PC, but I also wanted to be able to re-transmit CD, cassette and FM radio programs as well. I’m using an old Pioneer SX-2300 stereo to manage the audio sources; the Pioneer, cassette deck and CD player were all pulled from the dumpster:

Transmitting station

Transmitting station

Here you can see the audio output of the baby monitor connected to the audio input of the AM transmitter, and the RF output of the AM transmitter connected to the antenna input of the Crosley. Radio, “the way it used to be” (more or less):

Get the Flash Player to see this player.

]]>
http://hackingwithgum.com/2009/06/01/baby-monitor-rf-repeater/feed/ 0