About Circuit Cellar Staff

Circuit Cellar's editorial team comprises professional engineers, technical editors, and digital media specialists. You can reach the Editorial Department at editorial@circuitcellar.com, @circuitcellar, and facebook.com/circuitcellar

Graphene Enables Broad Spectrum Sensor Development

Team successfully marries a CMOS IC with graphene, resulting in a camera able to image visible and infrared light simultaneously.

By Wisse Hettinga

Researchers at ICFO—the Institute of Photonic Sciences, located in Catalonia, Spain—have developed a broad-spectrum sensor by depositing graphene with colloidal quantum dots onto a standard, off-the-shelf read-out integrated circuit. It is the first time scientists and engineers were able to integrate a CMOS circuit with graphene to create a camera capable of imaging visible and infrared light at the same time. Circuit Cellar visited ICFO and talked with Stijn Goossens, one of the lead researchers of the study.

Stijn Goossens is a Research Engineer at ICFO, the Institute of Photonic Sciences.

HETTINGA: What is ICFO?

GOOSSENS: ICFO is a research institute devoted to the science and technologies of light. We carry out frontier research in fundamental science in optics and photonics as well as applied research with the objective of developing products that can be brought to market. The institute is based in Castelldefels, in the metropolitan area of Barcelona (Catalonia region of Spain).

HETTINGA: Over the last 3 to 4 years, you did research on how to combine graphene and CMOS. What is the outcome?

GOOSSENS: We’ve been able to create a sensor that is capable of imaging both visible and infrared light at the same time. A sensor like this can be very useful for many applications—automotive solutions and food inspection, to name a few. Moreover, being able to image infrared light can enable night vision features in a smartphone.

HETTINGA: For your research, you are using a standard off-the-shelf CMOS read-out circuit, correct?

GOOSSENS: Indeed. We’re using a standard CMOS circuit. These circuits have all the electronics available to read the charges induced in the graphene, the rows and columns selects and the drivers to make the signal available for further processing by a computer or smartphone. For us, it’s a very easy platform to work on as a starting point. We can deposit the graphene and quantum dot layer on top of the CMOS sensor (Photo 1).

PHOTO 1 The CMOS image sensor serves as the base for the graphene layer.

HETTINGA: What is the shortcoming of normal sensors that can be overcome by using graphene?

GOOSSENS: Normal CMOS imaging sensors only work with visible light. Our solution can image visible and infrared light. We use the CMOS circuit for reading the signal from the graphene and quantum dot sensors. It acts more like an ‘infrastructure’ solution. Graphene is a 2D material with very special specifications: it is strong, flexible, almost 100 percent transparent and is a very good conductor.

HETTINGA: How does the graphene sensor work?

GOOSSENS: There are different layers (Figure 1). There’s a layer of colloidal quantum dots. A quantum dot is a nano-sized semiconductor. Due to its small size, the optical and electronic properties differ from larger size particles. The quantum dots turn the photons they receive into an electric charge. This electric charge is then transferred to the graphene layer that acts like a highly sensitive charge sensor. With the CMOS circuit, we then read the change in resistance of the graphene and multiplex the signal from the different pixels on one output line.

FIGURE 1 The graphene sensor is comprised of a layer of colloidal quantum dots, a graphene layer and a CMOS circuitry layer.

HETTINGA: What hurdles did you have to overcome in the development?

GOOSSENS: You always encounter difficulties during the course of a research study and sometimes you’re close to giving up. However, we knew it would work. And with the right team, the right technologies and the lab at ICFO we have shown it is indeed possible. The biggest problem was the mismatch we faced between the graphene layer and the CMOS layer. When there’s a mismatch, that means there’s a lack of an efficient resistance read-out of the graphene—but we were able to solve that problem.

HETTINGA: What is the next step in the research?

GOOSSENS: Together with the European Graphene Flagship project, we are developing a production machine that will allow us to start a more automated production process for these graphene sensors.

HETTINGA: Where will we see graphene-based cameras?

GOOSSENS: One of the most interesting applications will be related to self-driving cars. A self-driving car needs a clear vision to function efficiently. If you want to be able to drive a car through a foggy night or under extreme weather conditions, you’ll definitely need an infrared camera to see what’s ahead of you. Today’s infrared cameras are expensive. With our newly-developed image sensor, you will have a very effective, low-cost solution. Another application will be in the food inspection area. When fruit ripens, the infrared light absorption changes. With our camera, you can measure this change in absorption, which will allow you to identify which fruits to buy in the supermarket. We expect this technology to be integrated in smartphone cameras in the near future.

ICFO | www.icfo.eu

This article appeared in the September 326 issue of Circuit Cellar

Xilinx Provides Design Platform for Scalable Storage

At the Flash Memory Summit earlier this month in Santa Clara, CA, leading FPGA vendor Xilinx rolled out the Xilinx NVMe-over-Fabrics reference design. It provides designers a flexible platform to enable scalable storage solutions and integrate custom acceleration functions into their storage arrays. The reference design eliminates the need for a dedicated x86 processor or an external NIC, thus creating a highly integrated, reliable and cost-effective solution. The NVMe-over-Fabrics (NVMe-oF) reference platform is implemented on the Fidus Sidewinder card, which supports up to 4 NVMe SSDs and has a Xilinx ZU19EG Ultrascale+ MPSoC device. The reference platform is delivered with the required software drivers.

The Xilinx NVMe-over-Fabric Platform is a single-chip storage solution that integrates NVMe-over-Fabric and target RDMA offloads with a processing subsystem to provide a very power-efficient and low-latency solution compared to existing products that require both an external host chip and a Network Interface Card (NIC). This 2x100Gb Ethernet platform enables customers to implement value-added storage workload acceleration, such as compression and erasure code.

Xilinx | www.xilinx.com

Kintex Ultrascale FPGA-Based Cards Target Radar, Comms

Pentek has introduced the newest member of the Jade family of high-performance data converter XMC modules based on the Xilinx Kintex Ultrascale FPGA. The Model 71141 is a 6.4 GHz dual channel analog-to-digital and digital-to-analog converter with programmable DDCs (digital downconverters) and DUCs (digital upconverters). The Model 71141 is suitable for connection to IF or RF signals for very wideband communications or radar system applications including:

  • Satellite communications (SATCOM)
  • Phased array radar, SIGINT and ELINT
  • Synthetic aperture radar (SAR)
  • Time-of-flight and LIDAR distance measurement
  • RF sampling software defined radio (SDR)

For applications that require unique functions, users can install custom IP for specialized data processing tasks. Pentek’s Navigator FPGA Design Kit includes source code for all factory-installed IP modules. Developers can integrate their own IP with the Pentek functions or use the Navigator kit to completely replace the Pentek IP with their own.

The Pentek Navigator tools reduce the development time and cost associated with complex designs. Users can also select the size of the FPGA they would like installed so they are getting exactly what they need performance-wise without paying for a larger FPGA they may not need. Unlike others in the industry, Pentek still provides application support to customers at no cost.

The Model 71141 is the first of the Pentek Jade products to use the Texas Instruments ADC12DJ3200 12-bit A/D. The front end accepts analog RF inputs on a pair of front panel SSMC connectors. The converter operates in single-channel interleaved mode with a sampling rate of 6.4 GS/sec and an input bandwidth of 7.9 GHz; or, in dual-channel mode with a sampling rate of 3.2 GS/sec and input bandwidth of 8.1 GHz.

The A/D built-in digital down converters support 2x decimation in real output mode and 4x, 8x or 16x decimation in complex output mode. The A/D digital outputs are delivered into the FPGA for signal processing, data capture or for routing to other module resources.

A Texas Instruments DAC38RF82 D/A with DUC accepts a baseband real or complex data stream from the FPGA and provides that input to the upconversion, interpolation and dual D/A stages. When operating as a DUC, it interpolates and translates real or complex baseband input signals. It delivers real or quadrature (I+Q) analog outputs to the dual 14-bit D/A converter. The two 6.4 GS/sec 14-bit D/As pair well with the dual input channels while delivering more than twice the output performance of previous generations of Pentek products.

The 71141 factory-installed functions include two A/D acquisition and two D/A waveform generation IP modules. In addition, IP modules for DDR4 SDRAM memories, a controller for all data clocking and synchronization functions, a test signal generator and a PCIe Gen.3 interface complete the factory-installed functions. System integrators get to market with less time and risk, because the 71141 delivers a complete turnkey solution without the need to develop any FPGA IP.

The Pentek Jade Architecture is based on the Xilinx Kintex UltraScale FPGA, which raises the digital signal processing (DSP) performance by over 50% with equally impressive reductions in cost, power dissipation and weight. As the central feature of the Jade Architecture, the FPGA has access to all data and control paths, enabling factory-installed functions including data multiplexing, channel selection, data packing, gating, triggering and memory control. A 5 GB bank of DDR4 SDRAM is available to the FPGA for custom applications. The x8 PCIe Gen 3 link can sustain 6.4 GB/s data transfers to system memory. Eight additional gigabit serial lanes and LVDS general-purpose I/O lines are available for custom solutions.

The Model 71141 XMC module is designed to operate with a wide range of carrier boards in PCIe, 3U and 6U VPX, AMC, and 3U and 6U CompactPCI form factors, with versions for both commercial and rugged environments. Designed for air-cooled, conduction-cooled and rugged operating environments, the Model 71141 XMC module with 5 GB of DDR4 SDRAM starts at $18,795. Additional FPGA options are available. The Navigator Design Suite consists of two packages. The Navigator BSP is $2,500 and the Navigator FDK is $3,500.

Pentek | www.pentek.com

Cloud Platform Supports BeagleBone Black Dev Kit

Anaren IoT Group has announced the release of version 2.1 of its innovative Anaren Atmosphere online development platform. Atmosphere affords embedded, mobile and cloud developers an exceptionally fast way to create IoT applications with an easy-to-use IoT development environment. The new version, Atmosphere 2.1, now offers support for the BeagleBone Black Embedded Linux Development Kit, as well as a new cloud-only project type that allows users to build libraries for C#/.Net, C/C++, and Python to enable connections to their own embedded solutions in Atmosphere Cloud.

As with version 2.0, users of Atmosphere 2.1 are able to simultaneously create and deploy corresponding hosted web applications. All design functions, including cloud visualization, use a drag-and-drop approach that does not require command line coding, although code can be customized if desired. Atmosphere 2.1 also provides access to a large and growing library of sensors and other IoT elements for easy application creation. Atmosphere’s unique approach immediately accelerates design cycles and lowers risk while removing cost from the development process, as no specialized knowledge of hardware embedded coding, mobile application creation or web development is needed.

Atmosphere 2.1 can also host device and sensor data in its cloud-based environment and offers a highly customizable web-based user interface. The Atmosphere Cloud™ hosting option allows each user to host up to five devices at once – free of charge. The Atmosphere toolset is ideal for a variety of developers – from those who are simply looking to record single sensor data to those developing rich, complex device monitoring and control applications.

Anaren IoT | www.anaren.com/iot

COM Express Type 10 Mini Board Boasts Wide Temp Range

Axiomtek has announced its latest COM Express Type 10 Mini Module, the CEM311. The CEM311 is scalable and features Intel Celeron processor N3350 or Intel Pentium processor N4200. Integrated with Intel Gen 9 graphics, and with the support of DX12.0, OCL 2.0 and OGL 4.3, the CEM311 delivers advanced graphics capability, 4K resolutions and high media performance. The rugged system on module supports a wide operating temperature range from -20°C to +70°C to ensure stable operation in harsh environments. The CEM311 is well suited for graphics-intensive, industrial IoT applications such as industrial control, medical imaging, digital signage, gaming, military, and networking.

This versatile board supports Windows 10 and Linux operating systems, and offers AXView 2.0 – Axiomtek’s proprietary intelligent remote management software that will make operating the solution/application easier.

Key Features:

  • COM Express Type 10 mini computer-on-module
  • Intel Pentium N4200 and Celeron N3350 processors (codename: Apollo Lake SoC)
  • Onboard 4 GB DDR3L-1600 memory, up to 8 GB
  • Optional eMMC 5.0, up to 64 GB
  • One LPC bus is available for easy connection of legacy I/O interfaces.
  • Up to 4 lanes of PCI Express
  • Two SATA-600 ports
  • Wide voltage range of 4.75 V – 20 V DC-in power input
  • 1 GbE, 2 USB 3.0 and 8 USB 2.0
  • Intelligent remote management software AXView 2.0

Axiomtek | www.axiomtek.com

Don’t Miss Our Bonus Newsletter: FPGA Technologies

As you know, Circuit Cellar’s newsletter covers four key themes each month. But August is a special month with a 5th Tuesday! As a result, coming to your inbox tomorrow will be a special bonus newsletter theme: FPGA Technologies. In tomorrow’s newsletter you’ll get news about the product and technology trends in the FPGA market. FPGAs have evolved to become complete system chips. Today’s FPGAs pack in levels of processing, I/O and memory on one chip that once required several ICs or boards.

Also: We’ve added Drawings for Free Stuff to our weekly newsletters. Make sure you’ve subscribed to the newsletter so you can participate.

Already a Circuit Cellar Newsletter subscriber? Great!
You’ll get your “FPGA Technology” themed newsletter issue tomorrow.

Not a Circuit Cellar Newsletter subscriber?
Don’t be left out! Sign up now:

Remember, our new enhanced weekly CC Newsletter will switch its theme each week, so look for these in upcoming weeks:

Analog & Power. This newsletter content zeros in on the latest developments in analog and power technologies including DC-DC converters, AC-DC converters, power supplies, op-amps, batteries, and more.

Microcontroller Watch. This newsletter keeps you up-to-date on latest microcontroller news. In this section, we examine the microcontrollers along with their associated tools and support products.

IoT Technology Focus. The Internet-of-Things (IoT) phenomenon is rich with opportunity. This newsletter tackles news and trends about the products and technologies needed to build IoT implementations and devices.

Embedded Boards. Embedded boards are critical building blocks around which system developers can build all manner of intelligent systems. The focus here is on both standard and non-standard embedded computer boards.

Time-Oriented Task Manager

…for 8-bit PIC Microcontrollers

For many new embedded applications, an 8-bit MCU is just right. Pedro
shows how to build a time-oriented task manager using Microchip’s PIC
16F628A 8-bit microcontroller.

By Pedro Bertoleti

Microcontrollers are everywhere. From a simple remote control to an advanced car embedded system, microcontrollers surround us all. But while an 8-bit microcontroller is a relatively simple device, the software on them can get more sophisticated as more functionality is added to embedded systems. One of the most interesting advances in software technique is managing tasks. That involves enabling a microcontroller to execute several scheduled tasks, ensuring periodic and precise time execution. Here, we will examine how to implement a time-oriented task manager for a simple microcontroller—in this case, a Microchip 8-bit PIC microcontroller.

A graphic representation of a time-oriented task manager and its tasks

A good place to start is to ask: What is a task? A task is a part of a software program that’s dedicated to do something exclusively. In other words, a task is a piece of software that can be implemented and executed as an independent software program. Take, for example, an embedded system that has to blink an LED, send something through the UART interface and check an input’s state. Each one of these activities can be defined as a task. In a general way, each function of an embedded system can be defined as a task. A time-oriented task manager is a piece of software that performs these three main activities:

  • Execute tasks periodically
  • Execute tasks in the amount of time specified for them
  • Ensure time-precision measurement for the execution of tasks

In terms of coding, the time-oriented task manager and the tasks are different parts of the same software program. ….

Read the full article in the September 326 issue of Circuit Cellar

Not a subscriber yet? Become one today, or purchase the September 2017 issue at the CC-Webshop.

Don’t Wait for IoT Standards

Input Voltage

–Jeff Child, Editor-in-Chief

I’ll admit it. When the phrase “Internet-of-Things” started to gain momentum some years ago, I was pretty dismissive of it. In the world of embedded systems technology that I’ve been covering for decades, the idea of network-connected embedded devices was far from new. At that point, I’d seen numerous catch phrases come and go—few of them ever sticking around. Fast forward to today, and boy was my skepticism misplaced! Market analysts vary in how they slice up the IoT market, but the general thinking puts the growth range at several trillion dollars by the year 2020. IoT cuts across several market areas with industrial, transportation, smart homes and energy segments growing fastest. Even when you exclude PCs, phones, servers and tablets—concentrating on embedded devices using processors, microcontrollers, connectivity and high-level operating systems—we’re still talking billions of units.

Now that I’m sold that the hype around IoT is justified, I’m intrigued with this question: What specific IoT standards and protocols are really necessary to get started building an IoT implementation? From my point of view, I think there’s perhaps been too much hesitation on that score. I think there’s a false perception among some that joining the IoT game is some future possibility—a possibility waiting for standards.

Over the past couple years, major players like Google, GE, Qualcomm and others have scrambled to come up with standards suited for broad and narrow types of IoT devices. And those efforts have all helped move IoT forward. But in reality, all the pieces—from sensors to connectivity standards to gateway technologies to cloud infrastructures—all exist today. Businesses and organizations can move forward today to build highly efficient and scalable IoT infrastructures. They can make use of the key connectivity technologies that are usable today, rather than get too caught up with “future” thinking based on nascent industry standards.

In terms of the basic connectivity technologies for IoT, the industry is rich with choices. It’s actually rather rare that an IoT system can be completely hardwired end-to-end. As a result, most IoT systems of any large scale depend on a variety of wireless technologies including everything from device-level technologies to Wi-Fi to cellular networking. At the device-level, the ISM 802.15.4 is a popular standard for low power kinds of gear. 802.15.4 is the basis for established industrial network schemes like ZigBee, and can be used with protocols like 6LoWPAN to add higher layer functions using IP technology. Where power is less of a constraint, the standard Wi-Fi 802.11 is also a good method of IoT activity—whether leveraging off of existing Wi-Fi infrastructures or just using Wi-Fi hubs and routers in a purpose-built network implementation.

Another attractive IoT edge connectivity technology is Bluetooth LE (low energy) or BLE. While it was created for applications in healthcare, fitness, security and home entertainment, Bluetooth LE offers connectivity for any low power device. It’s especially useful in devices that need to operate for more than a year without recharging. If cellular networks make sense as a part of your IoT architecture, virtual networking platforms are available via all the major carriers—AT&T, Sprint, T-Mobile and Verizon Wireless.

IoT is definitely having an impact in the microcontroller-based embedded design space that’s at the heart of Circuit Cellar’s coverage. Not to overstate the matter, IoT systems today make up less than a tenth of the microcontroller application market. MCUs are used in a myriad of non-IoT systems. But, according to market research done by IHS in 2015, IoT is growing at a rate of 11% in the MCU space, while the overall MCU market is expected to grow at just 4% through 2019.

IoT requires the integration of edge technologies where data is created, connectivity technologies that move and share data using Internet and related technologies and then finally aggregating data where it can be processed by applications using Cloud-based gateways and servers. While that sounds complex, all the building blocks to implement such IoT installations are not future technologies. They are simply an integration of hardware, software and service elements that are readily available today. In the spirit of Circuit Cellar’s tag line “Inspiring the Evolution of Embedded Design,” get inspired and start building your IoT system today.

This appears in the September (326) issue of Circuit Cellar magazine

Sensor-Based IoT Development Platform With Bluetooth

Fujitsu Components America’s BlueBrain development platform for high-performance IoT applications is now available with a development breakout board and interface board. It enables designers to easily create a wireless monitoring and data collection system via Bluetooth. The enhanced BlueBrain Sensor-Based IoT System Platform will be available this summer as a standard product through distribution. Jointly developed with CRATUS Technology, the BlueBrain platform features a high-performance CORTEX-M4 microcontroller from STMicroelectronics and a Bluetooth Low Energy wireless module from Fujitsu Components. The embedded hardware, software, and industry-standard interfaces and peripherals reduce the time and expertise needed to develop and deploy wireless, sensor-based products running simple or complicated algorithms.

The Breakout Board provides switch inputs and LED outputs to test I/O ports and functions, as well as programming interfaces for proof of concept and application development. The Interface Board provides additional sensors and interfaces and may also be used in parallel to expand the development platform. The BlueBrain Edge Processing Module attaches to a standard, 32-Pin 1.6” X 0.7” EEPROM-style IC socket, or equivalent footprint, on a mezzanine board to address specific markets and applications including industrial, agriculture, automotive and telematics, retail, smart buildings and civil infrastructure. Pricing for the BlueBrain Sensor-Based IoT System Platform is $425.

Fujitsu Components America | us.fujitsu.com/components

Compact Power Management ICs Boast Low Standby Power

Maxim Integrated Products offers a pair of power management ICs (PMICs) aimed at designers of Bluetooth headphones, activity monitors, smart garments, smartwatches, and other size-constrained devices where battery life and efficiency are priorities.

The MAX77650 and MAX77651 feature single inductor multiple output (SIMO) buck-boost regulators that provide three independently programmable power rails from a single inductor, 150mA LDO, and three current sink drivers to reduce overall component count and maximize available board space. For design flexibility, the MAX77650 operates up to 3.3V and the MAX77651 operates up to 5V—both include an analog multiplexer (MUX) output for safe battery monitoring, making them ideal for low-power designs.

Size is critical for hearables and wearables as they continue moving to smaller form factors. Most PMICs for these small, lithium-ion battery-operated devices require additional components, such as boost, buck, and low dropout (LDO) regulators; a charger; and current regulators for LED indicators. For space-savings and efficiency, Maxim has integrated all these functions into a complete power solution that is only 19.2 mm²—less than 1/2 the size of existing component combinations.

Key Advantages

  • Lowest Standby Power: 0.3µA; 5.6µA operating current
  • High Efficiency: 3-output SIMO channels plus LDO extend Li+ battery life
  • Small Size: Multi-channel SIMO regulator reduces component count

Availability and Pricing

  • MAX77650/MAX77651 are available from stock and priced at $1.99 (1,000-up, FOB USA)
  • MAX77650EVKIT# and MAX77651EVKIT# are available from stock and priced at $193.63 each

Maxim Integrated Products | www.maximintegrated.com

ST Deploys Low-Layer Software for All STM32 MCUs

STMicroelectronics has completed the introduction of its free Low-Layer Application Programming Interface (LL API) software to the STM32Cube software packages for all STM32 microcontrollers. The LL APIs enable expert developers to work within the convenient and easy-to-use STM32Cube environment, and optimize their code down to the register level using ST-validated software for faster time to market.

The combination of LL APIs and Hardware Abstraction Layer (HAL) software in all STM32Cube packages now gives developers complete flexibility when choosing how to control device peripherals. They can leverage the HAL’s ease of use and portability or use LL APIs to optimize performance, code footprint, and power consumption. Code examples tailored to run on the associated STM32 Nucleo board provide templates that simplify porting to other STM32 MCUs.

With features such as peripheral-initialization services that are functionally equivalent to STM32 Standard Peripheral Libraries (SPLs), the LL APIs present an easy migration path from the older SPLs to the simple but powerful STM32Cube ecosystem. Using the LL APIs can deliver superior performance, comparable to that of STM32Snippets direct-register-access code examples.

The LL APIs are MISRA-C 2004 compliant except where indicated, and have been checked using Grammatech CodeSonar for optimum code quality and reliability. An automatic-update mechanism inside STM32CubeMX keeps the LL APIs up to date with the latest releases. The STM32CubeMX tool automates the generation of peripheral-initialization code with LL APIs for STM32L0, STM32F0, STM32L4, and STM32F3 MCUs. Support for the remaining STM32 series will be added in the coming months. A written guide and an automated tool for the SPL-to-LL code migration are also available.

More information on STM32CubeMX is available at www.st.com/stm32cubefw

STMicroelectronics | www.st.com

Don’t Miss Our Newsletter: Embedded Boards

Circuit Cellar’s Embedded Boards themed newsletter is coming to your inbox tomorrow. In tomorrow’s newsletter you’ll get news about the product and technology trends in the board-level embedded computer market. Embedded boards are a critical building block around which system developers can build all manner of intelligent systems.

The focus here is on both standard and non-standard embedded computer boards that ease prototyping efforts and let you smoothly scale up to production volumes.

 

Bonus: We’ve added Drawings for Free Stuff to our weekly newsletters. Make sure you’ve subscribed to the newsletter so you can participate.

Already a Circuit Cellar Newsletter subscriber? Great!
You’ll get your “Embedded Boards” themed newsletter issue tomorrow.

Not a Circuit Cellar Newsletter subscriber?
Don’t be left out! Sign up now:

Remember, our new enhanced weekly CC Newsletter will switch its theme each week, so look for these in upcoming weeks:

Analog & Power. This newsletter content zeros in on the latest developments in analog and power technologies including DC-DC converters, AC-DC converters, power supplies, op-amps, batteries, and more.

Microcontroller Watch. This newsletter keeps you up-to-date on latest microcontroller news. In this section, we examine the microcontrollers along with their associated tools and support products.

IoT Technology Focus. The Internet-of-Things (IoT) phenomenon is rich with opportunity. This newsletter tackles news and trends about the products and technologies needed to build IoT implementations and devices.

…and…

August has a 5th Tuesday. So look for a bonus Newsletter this month!

MOSFET is Drop-In Replacement for DPAK Footprint

Infineon Technologies is expanding its recently launched CoolMOS P7 superjunction power MOSFET family with a SOT-223 package. The device has been developed as a one-to-one drop-in replacement for DPAK. It is fully compatible with a typical DPAK footprint. The combination of the new CoolMOS P7 platform with the SOT-223 package is a perfect fit for applications such as chargers for smartphones, laptop adapters, TV power supplies and lighting.

The new power MOSFET CoolMOS P7 is designed to address needs of the low power SMPS market. It uses a price competitive superjunction technology, which results in a reduced overall Bill of Materials (BOM) on the user side. The thermal behavior of the CoolMOS P7 in this package was assessed across several applications. When the SOT-223 was placed on a DPAK footprint, the temperature increased by a maximum of 2 °C to 3 °C compared to a standard DPAK. And for copper areas of 20 mm² or more, the thermal performance was equal to DPAK. The CoolMOS P7 in SOT-223 is available in 600 V, 700 V and 800 V devices.

Infineon Technologies | www.infineon.com

Breaking a Password with Power Analysis Attacks

In his previous column, Colin showed how timing attacks could be used to break a password check. This article brings out a more advanced type of attack called a power analysis attack, which exploits small leaks about internal states of a microcontroller to recover the password.

By Colin O’Flynn

Article originally published in Circuit Cellar June 2017, Issue #323

Last month, I introduced a type of attack on embedded systems called power analysis attacks. I used these to attack a simple PIN code check, where the power analysis attack told us what steps the code was performing. This was possible because different instructions had unique signatures we could see in a detailed measurement of the power of the device as it was performing operations. I won’t replicate the hardware setup I discussed in the previous column, but again the example figures here will be measured on my open-source ChipWhisperer-Lite platform.

I’ll be returning to the PIN code check I have in Listing 1. This code uses an XOR of the input PIN code (could be a password or anything else) with the correct code. If the input and correct code are the same value, the result of all the XORs will be zero. If a single bit differs, the XOR will output a 1 for that bit. The accumulating OR circuit will then keep that bit set to “1” for the remainder of the comparisons.

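#include <stdint.h>

int check_pin(uint8_t entered_pin[]){
    uint8_t correct_pin[4] = {1,2,3,4};

    // Accumulates every bit that differs between the two PIN codes
    uint8_t pin_fail = 0;

    // All four bytes are always compared, so the run time is constant
    for (int i = 0; i < 4; i++){
        pin_fail |= correct_pin[i] ^ entered_pin[i];
    }

    if(pin_fail){
        return 0;
    } else {
        return 1;
    }
}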
Listing 1
This password check code came from my previous column, as it was written to avoid timing attacks. We’re going to use a more advanced type of attack in this column to break the code.

BACKGROUND
Let’s begin with a little background. Consider a digital device like our microcontroller. Internally, it has a data bus, which moves data from one section (e.g., a register) to another section (e.g., the arithmetic logic unit, or ALU).

Is there some way an external observer could detect details of that data? It turns out there might be, and it might be a lot easier than you expect. That data bus contains a number of lines, which we can model as capacitors. Changing the logic state of those lines is the same as changing the voltage on those lines, as in Figure 1.

Figure 1
Changing the voltage on an internal data bus is equivalent to charging or discharging a capacitor, something that takes a tiny amount of energy.

Changing the voltage on a capacitor takes energy. It is a tiny amount of energy, but it still physically requires a little bit of power. When four data lines change from a 0 to a 1 state, it actually takes more power than when only one of the data lines changes state. And when it comes to a microcontroller, as we make a more complete picture, things get even easier for us. Most buses on microcontrollers use a precharge state, which you can consider a state partway between a 0 and a 1.

To transfer data on the bus, the bus goes from this intermediate state, to the final state, and then back to the intermediate state. What this means for us is that the amount of power consumed may depend not on how many bits change between one data value and the next, but in fact just on the number of bits set in the data. For example, if you transfer 0xFF on the data bus, you’ll see a slightly higher spike at that instant in time than if you transferred 0x00 on the data bus. This probably still seems a little abstract, so let’s keep working and see two different ways this can be used to break the XOR code of Listing 1.

DPA ATTACK
The first attack I’ll discuss will be the “classic” differential power analysis (DPA) attack, which was published by Paul Kocher, Joshua Jaffe, and Benjamin Jun in the paper entitled “Differential Power Analysis” around 1999. For this attack to work, assume we have a method of sending in a four-digit guess for the PIN code of Listing 1, and that we can trigger a capture so that we record the power consumption around when the XOR is happening. We don’t need to guarantee we get the exact moment; just that we know roughly when the XOR test is happening. Practically, this can be pretty easy. You know at some point after sending the input data the XOR will happen, so you just need to record a section of power after sending the input data.

Next, assume we could send a bunch of wrong guesses. For each wrong guess, we record the guess and the power trace of the system processing this guess. Figure 2 shows a number of such power traces overlaid on each other. Notice that the traces are mostly uniform, but certain small areas seem to have minor differences.

Figure 2
An example power trace as the code in Listing 1 is executed on an XMEGA device.

Next, we’ll do the most important part, which is to take the power traces and move them into two groups. Our attack will work by looking at a single bit of the secret pin at a time. Let’s say we want to get the value of byte 0, bit 0. Taking our set of known inputs and associated power traces, we can split them into two groups—one where byte 0, bit 0 is “0” and one where that same bit is “1.” We’ll take the average of these two groups to end up with two traces. Finally, taking the difference between these “average” traces (a difference of means) tells us specifically where the amount of power varied for each operation.

What has all this fuss accomplished? First off, we’d expect to see a very small spike in power consumption at the point that byte 0 is manipulated. If bit 0 of byte 0 is “1,” it will take a tiny bit more power than when that bit is “0.” “But what about the other bits?” you might ask, as they are also being flipped. The rest of the bits are set to random values, so the average of them should be the same between the two groups. The only difference between those groups was the value of byte 0, bit 0. And it’s that bit we are concentrating on.

Then there will be a second spike, as the “correct” PIN code is a constant that will basically either flip (if the bit of the PIN code is “1”) or not flip (if the bit of the PIN code is “0”) that spike. This is shown in Figure 3, where the bit of the secret key is “1,” so we see two opposite polarity spikes. These are from real measurements performed on Listing 1 running on an Atmel XMEGA microcontroller measured with my ChipWhisperer-Lite. These tiny differences are clear as day—it might seem impossible from the text, but it works in real life!

Figure 3
This shows the power difference when attacking a single bit of a password byte. I’ve averaged two groups of traces and subtracted them to see the difference between the groups. See Listing 2 for the code that generated this plot.

And as in my other article, I encourage you to try this yourself. This is something you can measure with a regular oscilloscope and using a shunt resistor in the voltage line of a microcontroller, as discussed in my April 2017 column.

If you need a hint, the code in Listing 2 shows a simple Python listing that performs this splitting of an array of data into two groups, averages them, does the difference, and plots this for you. This will give the value of a single bit of the secret key.

from chipwhisperer.common.api.CWCoreAPI import CWCoreAPI
from matplotlib.pylab import *
import numpy as np

cwapi = CWCoreAPI()
cwapi.openProject('xortest_1000.cwp')

tm = cwapi.project().traceManager()
number_traces = tm.numTraces()

zerolist = []
onelist = []

for tnum in range(0, number_traces):
    entered_pin = tm.getTextin(tnum)
    trace_data = tm.getTrace(tnum)

    #Get value of bit 1 in data we sent
    bit_value = entered_pin[0] & 0x02

    #Separate into group based on bit value
    if bit_value:
        onelist.append(trace_data)
    else:
        zerolist.append(trace_data)

#Take mean of both groups of traces
one_mean = np.mean(onelist, axis=0)
zero_mean = np.mean(zerolist, axis=0)

#Get difference
diff = one_mean - zero_mean

#Plot the difference of means and display the figure
plot(diff)
show()
Listing 2
This Python code performs a single-bit DPA attack, by attempting to determine the value of bit 0 of the key. The resulting plot is given in Figure 3.

BREAKING A REAL SYSTEM
Moving from that single-bit break to a real system requires little more than taking the same power traces, and iterating through each bit and byte to recover the complete value. You’ll be able to get the entire PIN code (or password) out of the system, even though there appears to be no timing or similar errors.

As a test, we can do this for the case where we know the “secret key.” I’ve done this for Byte 0 in Figure 4, where you can see all the bits with a certain state have a positive power difference, and all the bits with the opposite state have a negative power difference. The red and blue coloring is only possible because I know the secret key; if I hadn’t known it, we would recover it based on the difference direction.

Figure 4
This shows differences for all 8 bits of a guessed password byte, where red power traces are bits where the value of the key bit is ‘0’, and blue power traces are bits where the value of the key bit is ‘1’. You can see all the bits of each value go in opposite directions.

A complete attack is shown in Listing 3. Note that I just consider a single point to determine if the bit is a “0” or a “1.” This point moves for each byte. Because this is an 8-bit microcontroller, the byte moves further in time every 8 bits that are processed. If I had a 32-bit microcontroller then it could have processed 4 bytes at once, for example. But looking at the difference traces (such as in Figure 3) helps you determine where exactly to look for a large difference, even if you don’t know much about the device you are attacking or how the code works. The only tricky part is getting a nice trigger. In many systems, this can be done by triggering on the communication line. For example, if you have a UART protocol to send the password, you can trigger when you see the last byte go over the UART.

from chipwhisperer.common.api.CWCoreAPI import CWCoreAPI
from matplotlib.pylab import *
import numpy as np

cwapi = CWCoreAPI()
cwapi.openProject('xortest_1000.cwp')

tm = cwapi.project().traceManager()
number_traces = tm.numTraces()

for byte in range(0, 4):
    recovered_byte = 0
    for bit in range(0, 8):
        zerolist = []
        onelist = []
        for tnum in range(0, number_traces):
            entered_pin = tm.getTextin(tnum)
            trace_data = tm.getTrace(tnum)

            #Get value of bit in input guess for this trace
            bit_value = entered_pin[byte] & (1<<bit)

            #Separate into group based on bit value
            if bit_value:
                onelist.append(trace_data)
            else:
                zerolist.append(trace_data)
        #Take mean of all traces where one, all traces where zero
        one_mean = np.mean(onelist, axis=0)
        zero_mean = np.mean(zerolist, axis=0)
        #Get difference
        diff = one_mean - zero_mean

        #Based on our graphical plotting, we identified point 129 in byte 0
        #and that point occurs 92 samples later in each successive byte
        if diff[129 + 92*byte] < 0:
            bit_guess = 0
        else:
            bit_guess = 1
            recovered_byte |= (1<<bit)
        print("byte %d, bit %d = %d" % (byte, bit, bit_guess))
    print("Guess for byte %d: 0x%02x" % (byte, recovered_byte))
Listing 3
This Python code for breaking the complete system iterates through the test done in Listing 2. (See text for details.)
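The difference-of-means procedure of Listings 2 and 3 can be tried without capture hardware. The following is an added example, not the author's or the ChipWhisperer project's code: it replaces measured traces with a constructed Hamming-weight leakage model (two samples per PIN byte plus Gaussian noise, all of which are assumptions) and reads each secret bit from whether the input spike and the XOR spike have the same or opposite polarity, as described for Figure 3.

```python
import random

SECRET_PIN = [1, 2, 3, 4]   # constructed secret, same role as correct_pin in Listing 1
NOISE_SIGMA = 2.0           # assumed measurement noise, in units of "one bit set"

def hamming_weight(value):
    return bin(value).count("1")

def simulate_trace(entered_pin, rng):
    """Assumed leakage model: per byte, one sample for the input byte on the
    bus and one for the XOR result, each proportional to the bits set."""
    trace = []
    for secret, guess in zip(SECRET_PIN, entered_pin):
        trace.append(hamming_weight(guess) + rng.gauss(0, NOISE_SIGMA))
        trace.append(hamming_weight(secret ^ guess) + rng.gauss(0, NOISE_SIGMA))
    return trace

def mean_trace(traces):
    return [sum(column) / len(column) for column in zip(*traces)]

def difference_of_means(guesses, traces, byte, bit):
    """Split traces on one bit of the known input, average, and subtract."""
    mask = 1 << bit
    ones = [t for g, t in zip(guesses, traces) if g[byte] & mask]
    zeros = [t for g, t in zip(guesses, traces) if not g[byte] & mask]
    return [a - b for a, b in zip(mean_trace(ones), mean_trace(zeros))]

def recover_pin(guesses, traces):
    recovered = []
    for byte in range(len(SECRET_PIN)):
        value = 0
        for bit in range(8):
            diff = difference_of_means(guesses, traces, byte, bit)
            load_spike, xor_spike = diff[2 * byte], diff[2 * byte + 1]
            # Opposite polarity: the XOR inverted the input bit, so the
            # secret bit is 1. Same polarity: the secret bit is 0.
            if load_spike * xor_spike < 0:
                value |= mask_for(bit)
        recovered.append(value)
    return recovered

def mask_for(bit):
    return 1 << bit

def run_simulation(num_traces=2000, seed=323):
    rng = random.Random(seed)
    guesses = [[rng.randrange(256) for _ in SECRET_PIN] for _ in range(num_traces)]
    traces = [simulate_trace(g, rng) for g in guesses]
    return recover_pin(guesses, traces)

if __name__ == "__main__":
    print(run_simulation())
```

Comparing the two spikes against each other avoids depending on the sign convention of the measurement, which on real hardware is fixed by how the shunt is probed.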

You can even get fancy by triggering on patterns in the analog waveform. Certain oscilloscopes provide this capability, and it’s possible with custom hardware such as I built for the ChipWhisperer-Pro (a higher-end version of the same capture hardware). But in most practical cases it’s enough to trigger on communication lines that are already present. The open-source ChipWhisperer software I’m using here also has capabilities to resynchronize traces with some “jitter” in them by looking for patterns that appear in both traces and lining them up.

Hopefully, this article has opened your eyes to how it’s possible to attack real systems using side-channel power analysis. This is just the tip of the iceberg for advanced hardware attacks that are possible, and I’ll be sharing more of these with you in the coming columns.

If you want more detailed examples, I’ll link them from a blog post for this article on oflynn.com, but they are all part of the open-source ChipWhisperer project. I’m creating some unique examples for my columns here, but the overall goals will be the same.


Keysight and Sequans Team for IoT Deployment Test Offering

Keysight Technologies has announced an agreement with Sequans Communications whereby Keysight will use Sequans’ Monarch LTE for IoT chip platform to provide support for NB-IoT and LTE-M customers using Keysight’s E7515A UXM wireless test set (shown). The integration assures customers that they have their test needs covered for IoT deployments and are in compliance with 3GPP standards. Keysight and Sequans are developing products and solutions that are tailored for the IoT ecosystem and the companies are now working closely together to accelerate the deployment of IoT technologies in the industry.

The combined solution addresses users’ deployment test needs and ensures compliance with 3GPP standards. Keysight’s UXM Wireless Test Set integrated with Sequans’ Monarch LTE for IoT platform supports testing needs of NarrowBand-Internet of Things (NB-IoT) and enhanced Machine-Type Communication (eMTC) Cat-M1 customers. Keysight is testing for 3GPP RF/RRM compliance for NB-IoT and Cat-M1 using the Sequans Monarch chip.

Keysight Technologies | www.keysight.com

Sequans Communications | www.sequans.com