Citizen Gadget

The id101 have a Nordic nrf51 bluetooth chip which is what I use in my work, and which has two open source bluetooth stacks, Apache Mynewt and Zephyr.

After charming my market contact by returning every few days to buy a handful more of them off her, I finally got back to a factory contact on WeChat. They’re made by idoosmart and they agreed to a tour of the factory. I was quite impressed with what I saw. They were clean and had complete testing throughout including water pressure testing every unit as far as I could tell. These guys put out roughly 10k per line per day, and they had several full lines running. I got quotes for something like $9 bucks with no heartrate, and $12 bucks with heartrate in quantities as low as 100. I was paying ~$20 in the markets, and a year later now the id101 can be bought for $20-$40 from any one of many amazon resellers.

I grabbed one of the cheap USB oscilloscopes in the markets and sat at Gee Coffee Roasters to reverse engineer my board. I desoldered all the components and took a picture to mark up while I probed the board.

It wasn’t pretty but got the job done. I identified most of the components and connections.

Printed on board: “id101 ver 2.1 2016.06.13 3716″

Nordic nrf51822 qfaca1 1609ab - Bluetooth LE

hnox ver 2.2 2016.4.19 - HR sensor

Azoteq iqs263a - Captouch Controller

na45e - Battery charge or voltage regulator (?)

"8c630 og155r" sot-23-8? - Erm driver (?) 

“2 w6 358411p ba 6" (15pin flex ribbon cable to SSD1306 oled

"1187-02 hxs 2016.09" - 4pin Digitizer 4

"ib 122" LGA-12? maybe Bosch Bma250e accelerometer (?)

Durning this time I finally met Ian and Jin from Dangerous Prototypes who told me about their little known Chinese reverse engineering service. For $80 they’ll reverse engineer a populated 2 layer PCB to Protel in a few days. I handed over $80 and a freshly purchased id101. After a few days Jin got back to me and said it was taking a bit longer. I forgot about it and a few weeks later I had a zip file with some nice pics of a 4 layer (oops) board which presumably slowed them down.

The zip also had the the Protel CAD files. Protel was apparently bought by Altium and is now subsumed into their ~$10k designer tool. I tried to obtain an old copy to run in a VM but it ended up being a huge pain in the ass and so I got bored and put this project down.

Recently, I found out that Altium’s free (though otherwise uncompetitive) online design tool Circuitmaker will actually import Protel files including PCBS. I opened that old zip file in there and found it looking pretty good! 

It probably took me a day or two of stitching screenshots, probing nets and marking up images in order to get my jpg. My working rate aside, $80 to get a fully interactive view of the board is worth it in every case I can think of.

There would be prizes for best hardware hack, best app hack and even a film fest prize. But most importantly, there was also a puzzle prize. The puzzle firmware was implemented by Mike Szczys with the ciphers being developed by Jeff Rosowski (Krux).

Navigating to the puzzle menu revealed three options in binary, 00, 01, 10. 

00 was some graphical 'game', 01 appeared to be a reciting of the hacker's manifesto, and 10 was a ouija board. That's all the information we were given.

PUZZLE 00

We halfheartedly played with the 00 puzzle while trying to be social during the pre party and started to put together a ruleset. A green cursor could be moved around an 8x8 grid by tilting the accelerometer. One button seemed to ‘place’ a red circle under the cursor. Further placements that shared a row (vertically, horizontally or diagonally) would light up the row in orange. 

This was presumably a failure scenario but it was puzzling that we still had control of the cursor. A very jetlagged Scotty from StrangeParts got six placements before giving it up and handing it back, suggesting to google it or write a script to solve it. We finally figured out the failure screen allows you to remove a failed placement and continue the game. This allowed us to put down a random six placements and continue taking back movements until we had all eight which went surprisingly quickly. In just a few minutes and roughly five take backs we had "Winner Winner!" printed on screen. 

Suspiciously, the menu screen also now has a set of hieroglyphic symbols under the 00 menu item. In googling later, we’d find out later this is a Queens Puzzle and we got a bit lucky. Theres 92 possible solutions but our methodology is called iterative repair and does not guarantee a solution.

PUZZLE 10

We talked to John Dahan who won last year by using the strings command on the binary to find the success email to skip all puzzles. Strings is a common utility that prints all ascii characters it can find in a binary. We talked to Mike who said that wasn't going to work this year, but were were undeterred. Before even bothering to understand the puzzle ruleset we just started looking at the scrubbed source and production hex file. The source was definitely missing the puzzles, though we did get a dist folder with intact elf files. That could come in very handy and also means we don’t have to install MPLAB-X IDE ide to generate it myself. The .hex file was strange though. Generally .hex are intel hex format, ie ascii hex code representation with checksumming, but this was a binary. We wasted a bunch of time here remembering obj-copy stuff, only to realize we weren’t gaining anything and this was indeed a binary we could utilize as is. Running “strings Badge103.hex” output the results in this gist.

After entering eight letters into ouija board the screen reads “What was that?” and appears to tell you which letters you had right by “X”ing out incorrect letters. 

This would be super easy in retrospect, but hacking was way more fun. We searched the strings list for “What was that” hoping to find any suspicious text around it.

$ strings Badge103.hex  | grep -A 5 "What was that"

What was that?

HACKADAY  

MARKUSHESS

None

Not found

Read Err

HACKADAY is indeed eight characters which when entered was answered with “The planchette moves by itself:” and the code “PNIRHJZYL GSIXDF WFDNXJF JH CZDRI.”

Too lazy to bother cracking the cipher we entered “MARKUSHESS.” Though we still have no idea how to crack this code, Markus was the hacker from Clifford Stoll’s The Cuckoo's Egg so we weren’t surprised to receive an egg image.

We were subsequently kicked back out to the puzzle menu now with more symbols.

PUZZLE 01

The puzzle consists of twenty-seven lines of the Hacker’s Manifesto where you must scroll each line left or right to read it on the tiny screen. For some reason the cursor always starts at the fourth line which seems odd. At the bottom there is a list of twenty-seven negative and positive numbers with a four alpha character input to presumably complete the puzzle.

It seems obvious that the list of numbers maps to the lines of the manifesto. We looked to see if aligning the rows might spell a question in far right or left column that we could answer with four characters, but couldn't see anything obvious.

It was a huge pain to click buttons and invariably the badge would turn off or we’d get distracted and lose our place. We glanced through the strings dump for anything that might make sense for puzzle 10, but didn't see anything this time. As the party was ending we spent time running down mysterious QR codes that showed up around the venue thinking they could be related somehow, but were thrown out before we could get more than a few. 

Later we woudl find there was a (seperate) prize that unlocked on the badge if you scanned all ten of the mysterious QR codes sprinkled throughout the venues.

The next day we were bored looking at puzzles and wanted to do more reverse engineering. I've been looking for a reason to get better with Radare forever. Radare lets you snoop through binaries, disassemble them, rebuild the function graph, and even edit the code in place! So not unlike a crackme, we could presumably find the code that prints Winner, backtrace to find the branching instruction that decides success, and hardcode it to so that when we enter the game it gives us the winner screen. TLDR feel free to skip this section as we didn’t get anywhere, but we would love guidance to be better at this for the next conference.

HUGE DIVERSION AHEAD

Radare has a bit of a learning curve, as described by a slide from a recent talk from the founding developer, pancake.

We can open our binary file in Radare and analyze it for functions, printing the results.

$ r2 -a mips -e asm.bits=32 Badge103.hex

WARNING: bin_strings buffer is too big (0x02bf8a80). Use -zzz or set bin.maxstrbuf (RABIN2_MAXSTRBUF) in r2 (rabin2)

-- It's not a bug, it's a work in progress

[0x00000000]> aaa

[x] Analyze all flags starting with sym. and entry0 (aa)

[ ]

[aav: Cannot find section at this address

aav: Cannot find section at this address

[x] Analyze len bytes of instructions for references (aar)

[x] Analyze function calls (aac)

[ ] [*] Use -AA or aaaa to perform additional experimental analysis.

[x] Constructing a function name for fcn.* and sym.func.* functions (aan))

[0x00000000]> afl

0x00000000    1 16           fcn.00000000

[0x00000000]>

We should see a huge list of functions, but sadly we don’t. Earlier we found someone saved us having to install MPLAB-X IDE and we also have an unmangled elf to mess with.

$ r2 -a mips ~/Downloads/cambadge.X/dist/Normal/production/cambadge.X.production.elf

Warning: Cannot initialize dynamic strings

-- The unix-like reverse engineering framework.

[0x9d009000]> aaa

[x] Analyze all flags starting with sym. and entry0 (aa)

[ ]

[aav: using from to 0x9d000000 0x9d08b3f3

Using vmin 0x9d000000 and vmax 0xbfc00c00

aav: using from to 0x9d000000 0x9d08b3f3

Using vmin 0x9d000000 and vmax 0xbfc00c00

[x] Analyze len bytes of instructions for references (aar)

[x] Analyze function calls (aac)

[ ] [*] Use -AA or aaaa to perform additional experimental analysis.

[x] Constructing a function name for fcn.* and sym.func.* functions (aan))

0x9d008180    1 16           sym._gen_exception

0x9d008200   44 1384         sym.__vector_dispatch_0

0x9d008220   43 1352         sym.__vector_dispatch_1

….

0x9d023cd8    1 8            sym._on_bootstrap

0x9d023ce0    1 8            sym._libc_private_storage

0xbfc00480    3 1908         sym.__DbgExecReturn

[0x9d009000]>

That’s what we’re supposed to see! We can even visualize a complete call graph.

But remember, we know this has all our puzzles stripped so there won’t be much to see here. What we want is this view in our puzzle inclusive binary. Why doesn't our binary ‘hex’ file load cleanly into Radare? Presumably the elf file has a bunch of debug info like sections and entry point (reset vector) to help set up Radare automatically which we don’t understand how to do manually. So how do we help it? In our production dist files we also have a .map file that has the function names and addresses in it. There we find the reset address

.reset                  0x9d009000          0x1e4         484  Reset handler

And from cambadge.X.production.elf we can get the entry point(reset vector) to confirm

[0x9d009000]> ie

[Entrypoints]

vaddr=0x9d009000 paddr=0x00009000 baddr=0x9d000000 laddr=0x00000000 haddr=0x00000018 type=program

1 entrypoints

[0x9d009000]>

And we can print the hexdump of the binary code at that location

[0x9d009000]> px @ 0x9d009000

- offset -   0 1  2 3  4 5  6 7  8 9  A B  C D  E F  0123456789ABCDEF

0x9d009000  0224 400f 0000 0000 0060 1a40 c004 5a7f  .$@......`[email protected].

0x9d009010  0500 4013 0000 0000 029d 1a3c a43c 5a27  ..@........<.<Z'

0x9d009020  0800 4003 0000 0000 01a0 1d3c f0ff bd27  ..@........<...'

0x9d009030  00a0 1c3c f07f 9c27 029d 083c d03c 0825  ...<...'...<.<.%

0x9d009040  09f8 0001 0000 0000 00a0 083c 1c00 0825  ...........<...%

0x9d009050  01a0 093c 5cea 2925 0600 0010 0000 0000  ...<\.)%........

0x9d009060  0000 00ad 0400 00ad 0800 00ad 0c00 00ad  ................

0x9d009070  1000 0825 2b08 0901 f9ff 2014 0000 0000  ...%+..... .....

0x9d009080  029d 083c f8fb 0825 0000 098d 1800 2011  ...<...%...... .

0x9d009090  0400 0825 0000 0a8d 0400 0825 0000 0b8d  ...%.......%....

0x9d0090a0  0900 6011 0400 0825 0000 0c91 ffff 4a25  ..`....%......J%

0x9d0090b0  0100 0825 0000 2ca1 fbff 4015 0100 2925  ...%..,...@...)%

0x9d0090c0  0500 0010 0000 0000 0000 20a1 ffff 4a25  .......... ...J%

0x9d0090d0  fdff 4015 0100 2925 0300 0825 fcff 0a24  ..@...)%...%...$

0x9d0090e0  2440 4801 0000 098d e7ff 2015 0000 0000  $@H....... .....

0x9d0090f0  0000 093c 0000 2925 1000 2011 0000 0000  ...<..)%.. .....

[0x9d009000]>

Back to our puzzle inclusive binary code, Let’s search for that reset vector bytecode “0224 400f” as that shouldn't have changed even with puzzles stripped out:

$ r2 -a mips -e asm.bits=32 Badge103.hex

[0x00000000]> /x 0224 400f

Searching 3 bytes in [0x0-0x2bf8a80]

hits: 5

0x00000e80 hit0_0 022440

0x00006d66 hit0_1 022440

0x000102ce hit0_2 022440

0x000191fe hit0_3 022440

0x00025466 hit0_4 022440

[0x00000000]> px @ hit0_0

- offset -   0 1  2 3  4 5  6 7  8 9  A B  C D  E F  0123456789ABCDEF

0x00000e80  0224 400f 0000 0000 0060 1a40 c004 5a7f  .$@......`[email protected].

0x00000e90  0500 4013 0000 0000 039d 1a3c 9cd6 5a27  ..@........<..Z'

0x00000ea0  0800 4003 0000 0000 01a0 1d3c f0ff bd27  ..@........<...'

0x00000eb0  00a0 1c3c f07f 9c27 039d 083c c8d6 0825  ...<...'...<...%

0x00000ec0  09f8 0001 0000 0000 00a0 083c 3c00 0825  ...........<<..%

0x00000ed0  01a0 093c b0ea 2925 0600 0010 0000 0000  ...<..)%........

0x00000ee0  0000 00ad 0400 00ad 0800 00ad 0c00 00ad  ................

0x00000ef0  1000 0825 2b08 0901 f9ff 2014 0000 0000  ...%+..... .....

0x00000f00  029d 083c d478 0825 0000 098d 1800 2011  ...<.x.%...... .

0x00000f10  0400 0825 0000 0a8d 0400 0825 0000 0b8d  ...%.......%....

0x00000f20  0900 6011 0400 0825 0000 0c91 ffff 4a25  ..`....%......J%

0x00000f30  0100 0825 0000 2ca1 fbff 4015 0100 2925  ...%..,...@...)%

0x00000f40  0500 0010 0000 0000 0000 20a1 ffff 4a25  .......... ...J%

0x00000f50  fdff 4015 0100 2925 0300 0825 fcff 0a24  ..@...)%...%...$

0x00000f60  2440 4801 0000 098d e7ff 2015 0000 0000  $@H....... .....

0x00000f70  0000 093c 0000 2925 1000 2011 0000 0000  ...<..)%.. .....

[0x00000000]>

Found it! Maybe we can shift our 0x00000e80 address by 0x9D008180 so it becomes 0x9d009000 and Radare has more success analyzing functions? This is where we gave up though. Anyone reading this please reach out if you can help us understand Radare better for the next conference.

Back on track

A day lost, we went back to solving it the honest way -- sort of. Blaine wasn’t even an official attendee so we were having to share a badge. Since we were armed with the strings dump of the manifesto text and list of integes we turned to node to script something to print the columns so we could maybe see what we couldn’t see with our own eyes.

Still, nothing looked right and we went down a hundred other rabbit holes that didn't work out, all the while begging Krux and Mike for any guidance. Finally when the conference ceremony was just hours away Krux helped us find our script had an off by one error. With that fixed it turns out all this time a middle column read “realbunniehuanghardwarehack” Bunnie was perhaps first known for hacking the xbox. “Winner Winner!”

A Fourth Puzzle

Now we had a third set of hieroglyphs and “[email protected]”. To be fair we saw this email in the strings earlier, so we're pretty sure we'd be seeing it again. But what were these glyphs?

Several, especially the last one sure looks like unicode but we couldn’t find many of the rest. We spent a lot of time on that before asking Krux who didn't seem interested in that line of reasoning. We decided to do a transposition arbitrarily to the english alphabet just to play with the characters. Transposing the first character to a, and so one, we got “abcde fgahidjkclefg gmgce ccgcm nkeopfi” There were only 16 distinct 'letters', with c, g, and e being highest in frequency. However this tiny subset of text just doesn't lend to any kind of frequency analysis. We spent a lot of time thinking the spaces were useful and that “ccgcm” would be an odd word with double repeated starting letter. Llama didn’t seem likely, but you never know. We looked at brute forcing rot, morse and other symbol alphabets but didn’t come up with anything that worked before we finally ran out of time.

During the badge ceremony one other team had apparently also got this far and was awarded some cash for their efforts. Mike and Krux spoiled the last puzzle on stage, it's apparently the Commander Keen, Standard Galactic Alphabet. When translated it reads: “PRESTONPLUSWHEATONNINETEENEIGHTYFOUR” which is a Last Starfighter reference. Presumably emailing “Last Starfighter” to [email protected] would have won us the that sweet $256 prize.

Next time

Huge thanks to everyone involved at Superconference. It was a crazy lineup of amazing speakers. It was also awesome to see so much money given away to the Hackaday prize entrants I had been bumping into all weekend. Huge thanks to Mike and Krux for getting us to commit to a badge puzzle for the first time and for helping us through to the (very) end.

You can choose as fast as 2 days, or 20 days with the cost on a sliding scale. For reference, my qty 50 ~1″x1″ nrf51 bluetooth boards were all told under 2k assembled in 5 days. Always check their specials page to take a few hundred off your order, too.

For using Kicad for Design for Manufacture, you need to start with this excellent post from Rheingold Heavy which has inline responses from Small Batch.

Almost everything in that article is relevant from storing BOM data in eeschema elements, fiducials, to viewing gerbers in gerbview. We’ll talk about exceptions below.

For PCBs, sadly Kicad doesn’t have design rules (dru) like Eagle does. Advanced's standard (cheapest) board service, lists tolerances but remember these are all negotiable with a big board house like this! If you need tighter just talk to your rep and see if theres a cost.

So for a standard cheap board, with the inches icon on left on, click Design Rules->Design Rules and for all nets set:

Clearance no less than .008″

Track width no less than .008″

Via diameters no less .020″

Via drill no less than .010″ (ie a 5mil annular ring)

Another issue that wasn’t caught by FreeDFM initially was board edge clearance. There doesn’t appear to be a way to set this in Kicad, but you need to leave .015″ clearance of pads, vias, AND copper pours in order for them to separate your boards after manufacture and assembly. Make sure to move all your components an zones away from the edge, or just move your board edge back that much on all sides.

To generate the gerbers in pcbnew, click plot icon or File->Plot. This Wayne and Layne post on Gerber generation was super helpful here.

Layers, probably F.Cu (Top Copper), B.Cu(Bottom Copper) F.Paste(Top Solder Paste) F.Silk (Top Silkscreen), B.Silk (Bottom Silkscreen), B.Mask (Bottom soldermask), F.Mask (Top soldermask)

Options, You might have other stuff checked, but the important one is to make sure Exclude PCB edge layer from other layers is unchecked as Advanced doesn’t take a separate edge cuts layer. Another nicety is check use auxiliary axis as origin so when you view in gerbview the file is in the center of the screen.

Gerber Options, click Protel filename Options.

Finally, Click Plot.

Now to generate the drill file, click Generate Drill File.

Drill Units, use inches

Zeros format suppress leading zeros

Drill Map doesn’t matter

Files options uncheck mirror y, use minimal header, and if you have non plated holes, Advanced takes a separate file for plated and non plated so make sure merge pth and npth holes into one file is unchecked.

Drill Origin Auxiliary axis presuming you used "auxiliary axis as origin" in the plot screen. 

Finally, click Drill File then Close and Close and you Gerbers are in your project directory under GerberOutput  

As the Rheingold article mentions, use gerbview to check your designs locally, then zip and upload them to Advanced’s FreeDFM tool for further error and tolerance checking and tweak as needed.

One issue that wasn’t caught by FreeDFM was board edge clearance. There doesn’t appear to be a way to set this in Kicad(?), but you need to leave .015″ clearance of pads, vias, AND copper pours from board edges in order for them to separate your boards after manufacture and assembly. Make sure to move all your components an zones away from the edge, or just expand your board size that much on all sides.

Once your PCB is looking good, next you’ll need your BOM in excel format. Like in the Rheingold article, use BOM generation in eeschema. But what is different, you’ll need a grouped BOM layout (all like values and parts on same line). Luckily Kicad forum user Wolf wrote a Kicad BOM plugin for that, posted on the Kicad forums as bom2groupedCsv. But you’ll also need it converted to xlsx for your rep. so I wrote a python script for that. Just run it with the only input the name of the BOM (by default is the name of the project no extension) ./csv2xls.py projectname

Finally you need your placement File-Fabrication Outputs->position (.pos). They call this a CPL file. Unlike in the article for for Small Batch Assembly you don’t need to change header names or merge any other BOM data on it, Advanced can pivot with the existing Ref, Val, and Package fields just fine. One note though, they don’t currently use the rotation data (Rot), so you need to have your pin1's marked nicely on your PCB silk! Finally, they'll take it columnar tab separated as it comes out of Kicad, so no need to format to xlsx or anything else for this one.

Finally, you have everything you need. Grab your final revision PCB quote number from FreeDFM, and contact your regional rep via email for an assembly quote. When they reply, also give them your xlsx BOM and .pos placement BOM. You might need to approve part substitutions, or if you’re stubborn, work to send them a reel of the parts you want used, but mostly Ive found if the part was well stocked on Digikey, Advanced would supply it for me.

To see a working example, check out one of my libraries called NullStream. Its goofy but useful library that creates a Serial object that doesn’t actually do anything with data you .write to it. /dev/null for Arduino. You’ll notice the only difference from a regular Arduino library on Github is the .travis.yaml file. I’m using a free service called Travis to monitor my repo and when it sees new code create a server to do whatever I want! As of Arduino ~1.5.2 you've actually been able to build Arduino code from the command line, so we ask Travis to download Arduino, move some stuff around, and try to build our code.

To get setup on your own repo follow the Travis getting started guide to sign in and enable Travis on your Github profile. When you get to step three you'll need a .travis.yaml file, grab my Arduino command line Travis testing example. Travis have a nice guide explaining the configuration file. 

At the very least you’ll need to change NAME=NullStreamExample to NAME=Whatever your example sketch is called. Note: This example doesn’t download any non Arduino libraries (except for the one under test) -- If your library depends another library take a look at the .travis.yaml file and try to use wget to download and 'install' another library. Save the file to your Github repo as .travis.yaml, git add it, commit and push, and check your dashboard to watch Travis work its magic.

If you have a build error don’t fret. There are build logs you can examine for the error message. 

Tests should only take a few minutes. If they’re taking longer and timing out thats Arduino failing silently and hanging open because some build option or path was incorrect. You sadly just need to keep trying different options until you can get it to tell you something useful. When you're all done re-commit and repeat until its all ironed out. 

Once you get everything working, it is really nice to show your users by adding a status badge. Follow the directions to find your generated markdown text and paste it to the top of your README.md file.

In the future if you push code that doesn’t work Travis will email you and that badge will turn red alerting you something is wrong. As we said, there is a lot more we could do, but this is a great start.

As we continue to reach out and teach new people hardware through software with the nodebots project its become painful to have people download the Arduino IDE just to flash Firmata on their devices.

We're all waiting for Arduino to release their web IDE  (presumably open sourcing much of it?) but theres just no eta or guarantees there.

It struck me as odd this hadn't been done before and I think I know why now. Programming requires the dtr/rts control lines to reset the microcontroller. However, the popular and excellent nodeserial from Chris Williams is the standard serial library for Node doesn't support manual control of the rts/dtr lines necessary for rebooting into bootloader mode.

As part of my work I added the OSX bindings to allow me to do just that. That means this only works on OSX right now. We'll need Windows and Linux bindings to get my fork accepted, so please jump in with those if you can.

Big thanks to the Pinoccio mesh Arduino Compatible project, especially their recently open sourced js-stk500 project. Large portions of my logic were lifted from the Pinoccio project's stk500v2 implementation. They've been stk500 programming in the browser for a year now. (Chrome's serial has supported control signaling for some time) The Pinoccio chip is based on the Arduino Mega though, which means their implementation was of the incompatible stk500v2 protocol and was unable to be used for Unos.

Next I'm working on browserifying and bringing my implementation back to the browser and I hope to work with Pinoccio to upstream my work and standardize further.

10:14  First up, pitching the media with Vijay from

@Warenessio and @joemfbrown from @WIRED

10:19     Outlets like exclusive images/assets (sized correctly for their site) 

10:19  Dont pitch editor in chief, google around and find the guy on your beat

10:30  Get assets video/pitch out to press a 1-2 months before, not day of week before - they're busy

10:31  Dont just spam, have a dialog - reach out and build a relationship that isn’t always asking for something

10:33  Product Reviews: Show up with product in person if possible, or have them open it while you're on the phone

10:37  Review your own product first. Fix the flaws. Then start with kinder press outlets, get their feedback and adapt

11:02  Now: Adam Craft From @dragoninnovate on How to Select a Supplier. Follow along at http://t.co/83nCqS4kaH

11:12     China only if: High qty(10k+), need labor, most components from there, standard processes can tolerate logistics

11:21     RFQ a manufacturing partner when you have an '80%' prototype some changes but nothing major

11:26  The RFQ package: http://t.co/IfB2gM82sm

12:05  Now: @jcjohnson from @AugustSmartLock on Hardware

Business Models

12:33  Are you building a lifestyle, work for yourself, no exit, or venture backed with obligation for excise (30x) return?

12:34  Ventures dont buy commodity, august isnt a lock company, its selling identity services

12:36  Challenges: #1 Hiring -across board esp EE's Embedded designers. #2 Manufacturing

14:02  Now @sircoolio from @lemnoslabs Funding your hardware startup

14:06  VCs often invest PRE crowd funding. Even If you have a $1M plus you still only have 33% chance of funding

14:43   Minimum funding to deliver consumer electronic product is looking like 2.5million

14:46   The big kids are now spending 300-500K on their crowdfunding campaigns

15:08  Now: What startups need to know about patent law by

Peter Miller https://t.co/0C4QnncGQf from @jschox

15:11  Startups dont get patents to enforce against competitors -3-5 years and costs millions

15:11  Startups dont get patents to prevent patenting by someone else - costs ~40k! just disclose so they cant patent.

15:13  Startups don’t get patents to generate licensing revenue - thats a different business model (see triple damages) 

15:20  Startups get patents to: stimulate investment or acquisition

15:20  Startups get patents to: deter patent infringement lawsuits

15:20  Startups get patents to: increase leverage over a partner (see JDA's)

15:26  In US you can file within 1 yr after public disclosure. 

15:26  What is public disclosure? Sales, media coverage is disclosure. Showing to vcs, beta testing not.

15:50  "Our clients allocate ~5%(up to 10) of a round for IP protection" 

15:53  Your savvy investor may be excited if you’re sued by patent troll?! 

15:53  It costs 5mil to win, need 2x for profit (10m), awards are 10% so you were just valued at over 100million

16:04  Last today: Jon Carver and Brian Lee from

@highway1io Electrical and mechanical prototyping

16:06  “Hardware is a waterfall model” (shock! horror!)

16:24  Resist integrated prototypes until the end - prototype modules, and only include the features you want to test

16:42  Provide testers many options, they're bad at just critiquing single option

16:42  Dont just jump into raspi/arduin/etc. look for dev kits from mfg;s that already do what you want

16:54  Everytime design product, designing 2. Second is for manufacturer to test. How to collect that data? 

10:05  First today: @arielbraunstein Creating the Right

Roadmap

10:13  Cost reduction curves - They're meeting some other trends/vendors needs, not yours, can misalign

10:13      Competitive pressure -- think of it as an advantage. Differentiate. 

10:30  Your Roadmap tells a story - visual.

11:06  Now: Gary Roberts from @LyveMinds on

Manufacturing

11:09  Need to tour a factory to know if theyre in control or not. How operators look, the equipment, if there are instructions

11:11  Factories ask for forgiveness not permission

11:11  Plan.Do.Check.Act. Or Please Don't Change Anything

11:15  Incoming inspection verification means they'll check the count. Need to stress if you want them to verify anything else

11:23  Avoiding Asian holidays given, but don't schedule builds 2 weeks either side of holidays either.

11:24  Versioning - NEED configuration management tool for

BOM and drawings. (Not Google, can't access)

11:31  Communication challenging. Understand audience. Dont write long emails. Yelling doesnt help. Need feet on the ground. 

11:32  Recurring checkins-everything is good until its not. They want to figure it out themselves until they run out of time 

11:43  For resources for factory inspection/review. Dragon, amrep, use google.

11:50  Factories have no time for quoting right now in run up to xmas. Same thing happens in spring around March.

11:52  Distribution, logistis an and packout B2B services can really help free up capital for sales, etc

12:01  Now: Andre Neumann-Loreck on Build Ops (Team)

12:17  What is ops? Very broad - Procurement, test, quality, logistics, fulfillment, more.

12:22  We're going to talk about master scheduling(inventory), commodity(supplier) mgmt, manufacturing engineering 

12:34  Hiring should lag business, but only by a little bit.

Wait to see where you experience pain and hire.

12:36  If missing schedule because components late, maybe materials manager. if yields are bad, maybe need mfgr engineer 

12:44  Hrm.. we’ve run short on content. Mostly Q/A. Takeaway might be utilize our host @PCH_Intl :)

14:03  Back from lunch: Rachael Stefanussen and

@BrettLovelady from @AstroStudios — Brand 101

14:10  Hardware is tangible branding 

4:12    Design and development as consumer advocacy

14:13  Not enough to ask question of demographic anymore ( Male/24/Seoul) but rather artistic, calm, slow to anger... 

14:18  Don’t drown in data. Research, test. etc, but let empathy guide you to actionable decisions.

14:22  Read: http://t.co/cibCCVbbvV, Seth Godin, Marty neumeier

15:02  Second to last: @BenEinstein from @BoltBoston Hardware by the Numbers

15:10  All numbers, just the numbers - disclaimer, not the word of god 

15:10  2 founders (hacker, dealmaker) 

15:11  8  Employees to scale: (ME, EE, firmware, design/ux, front end, backend, ops, sales)

15:11  50:50 wrong way to divide equity 

15:12  2-5 % equity for first hire, next 10 divy 10%, 20 divy

5%, 50 divy 5% 

15:14  110 slides in this deck. Uh oh. 

15:27   3-10 % equity to key hire, 7-10% hired ceo, 4 years to vest, 10% option pool(min), 3 board members

15:27  6  months product development, 1 prototype per week, >30  customers until validation, 70 magic Net Promoter Score (NPS) 

15:27  500 K to hire a top tier design firm (IEDO, Frog), 100K tier 2 firms, 10-50k consultant

15:49  $3.5k per person per week to send someone to china

15:49  $6.5K (simple) injection tooling China, $15k in US

15:53  5% loss rate on line (you eat it) 

15:54  .50 1  color cardboard retail box, $5-15 apple style box, don’t forget $1-5 for master carton packaging,

15:54  4  weeks and $2k ship across ocean, 10x that for air

15:56  12-20 % amazon's margin depending on category, 30-35% best buy, 35-50% Apple

16:11  Finally @marcbarros from @moment and

#hardwareworkshop founder on Hardware MVP

( minimum viable product )

16:38  Customer journey interviews: forget your solution, find what do people do TODAY. first question how->why->what

16:40  Find out what customer does before, during, after, map out key interactions, brainstorm solutions.

16:44  Filter solutions on cost and ability to execute. MVP will solve one. Company will solve all eventually

16:51  "How much did @moment spend on crowd funding marketing" "Plane ticket to SF, Plane ticket to NY"

17:41  Thats it for #hardwareworkshop. Big thanks

@highway1io @FlextronicsLab9 @SupplyFrame @intel

DESIGN

For construction I followed the rabbit hole to find the original research for swarm bots. Theres a lot of math, but the basics appear to be an equilateral triangle, 2 cylindrical motors opposite each other and the lowest possible friction so the vibrations can overcome it.

I tried a couple designs with common parts and came up with this design:

Bean

3x ~30-50ohm resistor- bigger better because less current and longer battery life, but at some point the motor wont turn on...

Hot glue

Scrap <.5 inch diameter, >.5 inch thick to stick motors to safely (for me it was a laser cut scrap hexagon)

2x 3v 10mm pancake motors

For the resistors, basic math said had to be around 20-100 ohm resistor. I tried some out and was seeing about 1v drop across motor. Using an LED calculator presuming our 3v coin cell battery source, and wanting less than 40ma (arduino pin limit) of current you can calculate for our 50-100ohm resistor. I've found some motors are finicky to turn on at such low voltage though so I consider 30-50ohm the appropriate resistor.

NOTE: Before the engineers write in, yes I know we should have flyback diodes and frankly shouldnt stress the microcontroller pins as close to max current as we might be. We're not selling these things to the government. We'll be fine..

ASSEMBLY

Always remove the battery before operating on the bean. Its VERY easy to bridge stuff and you dont want to be done before we've started.

We're using the resistors as legs to keep part count down and remove the need for jumpers or other wires. Note this means that the legs are live with voltage. Don't touch them to eacother or let them touch the rest of the board and dont drive on metal surfaces. But frankly with the Bean not in an enclosure you should be mindful of all that normally. Solder one of each to the A0 and D5 holes. Sadly theres no more holes near the center of gravity, so hot glue the third resistor the battery side which we'll call the front.

Most motors have tape on them otherwise get some double sided tape and put the motors on either side of the spacer and tape it to the top of the ble chip. Again be careful not to touch metal to metal, use extra tape to protect if need be.

Now solder down the same color wire on each motor to its nearest gnd pad. which ever color you pick will be if your bot drives 'forwards' or 'backwards', whatever that means. For me blue to resistor meant forward was toward battery and third leg resistor. Solder the other wire of each motor the top of the resistor.

Now you can bend the legs as you like. You're going to have to play with them to get leftish, rightish and straightish motion so dont worry about it too much right now.

USE IT

Previously I've been working with firmata on bean over ble. This has allowed me to develop js apps that can control my bean from the browser, mac, or mobile with the same codebase.  I think you can control pins from the bean iphone app, but I can't figure it out :)

*UPDATE* Luis has a post on using node.js to control beans cross platform including mobile with phonegap.

FEEDBACK

Let me know what you find. Does bending the legs a certain way lead to better results. Can you find a better common leg material? Care to program some swarm behavior? I'm @jacobrosenthal on twitter

STEERING *UPDATE*

The big gotchas Ive found so far are is that Punchthrough actually moved pins around in pins_arduino.h. There should be a fix for this but Standard firmata writes pins in order on the port.. So for now I'm just using the true pin names which map like so:

a0 -> a4->d18 a1 -> a5->d19 d0 -> d6 -- Unavailable right now from firmata d1 -> d9 -- Unavailable right now from firmata d2 -> d10 d3 -> d11 d4 -> d12 d5 -> d13

Beyond that I would avoid all other pins which still exist and could be hooked up to anything for all I know. This sketch doesnt protect any pins. Setting anything else very well may take your bean offline or worse..

Other than that I just added Bean.sleep at the end of loop to allow bean to sleep for power saves. Adjust to taste.

Besides resolving the pin mapping, theres plenty to be done to make this a full port. There should be a more clear Firmata Boards.h entry to show the true available pins, and in Standard firmata we might look to protect other pins from being touched. I also havent tested servo/pwm/etc functionality, especially with the sleep addition...

A firmata will allow us to command and control our sparks from all the existing firmata interfaces out there like Johnny 5 in Node or the many native interfaces. I should note Chris Williams has Voodoo Spark https://github.com/voodootikigod/voodoospark which is an RPC replacement for Firmata on Spark. From the Readme

"The VoodooSpark uses the Spark Cloud and its REST API to provide IP address and port information to the local spark core. It will then initiate a direct connection to the host machine, on which will need to be a TCP server. Once the connection has been made, the host machine can drive the Spark Core using the binary protocol defined below to effectively execute firmware API level commands dynamically."

That being said not relying on the Spark server or requiring you to have a TCP Server seemed like enough to bring Firmata over. Plus Ive been able to do things like tunnel firmata through mqtt which would allow Core sleep and store and forward messages that VoodoSpark currently couldnt achieve.

UPDATE: Firmata has forked the project for the Spark and I'm developing in dev at https://github.com/firmata/spark#dev with production being at https://github.com/firmata/spark

While a full working branch of octoblu (nea skynet) mqtt and core-firmware is over at https://github.com/jacobrosenthal/core-firmware/tree/skynet-mqtt-firmata

Make sure you have the Arduino files (go with the nightly build Pinoccio recommends) installed at: C:\Program Files\Arduino

and the Pinoccio libraries and hardware installed at: C:\Users\XXXX\Documents\Arduino

Now for the Atmel Studio setup. The full description for how to do this in general is up at Engblaze, but I've done the hard work and uploaded a completed 6.2 solution to Github.

Unzip it to C:\Users\XXXX\Documents\Atmel Studio\

Open it up and you should be able to simulate and debug your bootstrap code!

How to burn an Atmega256rfr2 Xplained Pro or other breakout as a Pinoccio from within Atmel Studio

Atmel makes a breakout for the Atmega256rfr2 called the Atmega256rfr2 Xplained Pro.  It doesnt have the Fuel Guage, or FTDI chip for serial communication, but its a great breakout with onboard debugger and plenty of room to work.

First, you'll need to set the fuses. Look them up and set them in Atmel Studio.

Other than that everything is the same as above except I had to make one change to halFuelGauge.cpp because it'll hang trying to talk to our non existent fuel gauge:

unsigned int HAL_FuelGaugei2cRead16(unsigned char address) { int data = 0;

// Wire.beginTransmission(MAX17048G_ADDRESS); // Wire.write(address); // Wire.endTransmission(); // // Wire.requestFrom(MAX17048G_ADDRESS, 2); // while (Wire.available() < 2) // ; // data = ((int) Wire.read()) << 8; // data |= Wire.read();

return data; }

Now just burn that image.

To actually talk to the board you'll need to add an ftdi friend

From the Pinoccio definitions we know the serial pins are RX to PE1 and TX to PE0 and black to GND.

Now you can open up your serial port and you'll see the bitlash command prompt just like it was a real Pinoccio!

NOTE: if you want opening serial to reset the board, you're going to have to add in the reset line. Note, however, you'll need a .1uF capacitor between your RTS on the ftdi friend and the RSTN pin.

How to have your Atmega256rfr2 discovered by HQ as a real boy Pinoccio

This is pretty difficult. Before you go any further, know even I haven't successfully done this yet.

First you need to buy and hook up a MAX17048 / MAX17049 fuel gauge breakout. Test without the code from the previous section commented out and make sure it all works, or at least doesnt freeze the sketch trying to find it.

Next, you need to have the bootloader burned on to your Atmega256rfr2. 

You can find a hex to burn from Atmel Studio in the Pinoccio Github and again make sure to look up and program the fuses as before.

Or you can hook up an ISP programmer using the pin definitions as guide and burn it right from Arduino, knowing it'll get all the fuses itself.

Now that you have a bootloader you can upload the Examples->Pinoccio->Bootstrap sketch right from Arduino.

Finally you'll need to either edit the Pinoccio HQ Chrome Extension with your FTDI's PID and VID set to be Pinoccio (VENDOR_ID 0x1d50, PRODUCT_ID = 0x6051), or burn a new PID and VID to your FTDI with FT_Prog. Since Burning a VID and PID didn't work for me (the drivers still didn't really think it was a Pinoccio) I'd suggest the Chrome Extension route.

Go to Chrome Extensions, and turn on Developer Mode in the upper right corner. Then find Pinoccio. Disable it and look for its id like njhfipeehmigebbdfbingghcjdfmjeai.

On my Mac I found the files at  /Users/XXXXX/Library/Application\ Support/Google/Chrome/Default/Extensions/njhfipeehmigebbdfbingghcjdfmjeai and copied the version named folder out to the Desktop.  Windows folks should find their folder in a more Window-sy location.

Now edit the manifest.js file to add your FTDI's vendor and product ID like so "usbDevices": [ { "productId": 24657, "vendorId": 7504 } , { "productId": 24577, "vendorId": 1027 } ]

Next, open up the pinoccio.js file and swap out the pid and vid at the top for yours.

Now, back in Extensions, click the load unpacked extension and select your file.

Lastly, you'll need the capacitor on the reset line as described above because the Extension will want to reset the board. 

Now head to http://hq.pinocc.io It should find your device, decide its out of date, and hopefully successfully contact the bootloader to upload a new Bootstrap copy (hence the need for us to have a working fuel guage since we don't have room to comment anything out here)