Copyleft Hardware

MIPI Alliance put a nice channel at Youtube with overview of its activities, as presented at June 2010 open session. Camera Working Group update video talks about the oncoming CSI-3 spec:



There is a lot in the CSI-3 feature list: speed of 5Gbps per lane, dual simplex operation, no limit on number of parallel lanes, etc.

Business Wire: Tessera announced its Imaging & Optics revenue was $9.5M in Q2 2010. This was up 43% compared to second quarter 2009 Imaging & Optics revenue of $6.7M.

Q3 2010 Imaging & Optics revenue is expected to be approximately $10M vs $7M in Q3 2009. Still, there is some way to go to reach Hank's EDoF revenue target of $100M in 2011.

The Ware for July 2010 is shown below. Click on the image for a much larger version.

This ware is not a functional ware, but rather a work of art. I’m a little worried this might be too obscure for the competition, but I did a check on google, and the right keywords produced images of this artifact. If it turns out this is too hard to guess, I’ll release some more hints over time.

Thanks to everyone who played last month’s Name That Ware! I was astonished at the number of people who made a huge effort to count all the vias.

Before I announce the winners, I’ll reveal the design stats on the number of vias on the PCB:

144 9-mil vias
1062 10-mil vias
13 13-mil vias
15 162-mil vias

For a grand total of 1381 vias. This would make Alex G the winner at 1379 vias. Congrats, email me to claim your prize!

Dieter Spaar, who has been involved in various ways with both OpenBSC and OsmocomBB has just started a blog. This is good news and I hope this way he will get a bit more (much deserved) exposure on his great work.

At Blackhat US 2010, there was a Talk that (among other things) apparently included the subject of a RACH DoS on GSM base stations, implemented using my Layer1 of the OsmocomBB software.

As some news sites are covering this as "news": This vulnerability has been long known in the field and was - to the best of my knowledge - first demonstrated to a public audience by Dieter Spaar at the Deepsec 2009 conference in November 2009. You can get his slides.

The difficult part for many years has not been to know about the possibility of this weakness. Anyone who has read the GSM air interface specification will inevitably see that there is a limited number of RACH slots and a limited number of dedicated channels. Once you fill more RACH slots than the cell has dedicated channels, and you keep re-filling them at a higher rate than the cell can expire those dedicated channels, you have a DoS.

So rather, the difficult part was to implement it in practise, as traditionally all GSM baseband chipsets have been extremely closed, just like the very software (firmware) running on them. Today, starting from Q2/2010, it is very easy to do a proof-of-concept implementation, as we have created OsmocomBB: An Open Source baseband firmware.

Dieter Spaar's implementation predates OsmocomBB development by the better part of a year. At that time, he had to resort to binary-patching existing proprietary (binary-only) baseband firmware. So I think people should recognize his effort in doing the first practical implementation of that attack.

I can only hope that the author of the Blackhat presentation has given proper credits and shown that neither OsmocomBB, nor the RACH DoS attack, nor the IMSI DETACH attack he has presented have been discovered or first published by him.

At Blackhat USA 2010, Karsten Nohl has been presenting on a practical real-world A5/1 cracking attack. For recent years, Karsten, myself and others have been speaking at various opportunities, indicating that a practical attack using readily-available information and tools from the Internet is very possible, and that it is only a matter of time for somebody actually does it.

While Karsten has focused on the actual cryptographic attack, I've been putting in some time in projects like airprobe (a GSM receiver/decoder).

Now finally, a team of friends at the new Security Research Labs (founded by Karsten) in Berlin has put the pieces of the puzzle together.

Airprobe has been extended to fully support decoding of TCH/F (FACCH, SACCH and traffic), as well as SDCCH/SACCH control channels, and to specify the timeslot and physical channel configuration from the command line. Using this, you can

• decode the AGCH, wait for an IMMEDIATE ASSIGNMENT of a SDCCH
• decode that very SDCCH and wait until encryption is turned on
• dump an encrypted burst where you have sufficient known plaintext
• use a different program to actually recover the A5/1 ciphering key
• feed that key into airprobe and decrypt+decode the ASSIGNMENT COMMAND of the TCH
• use airprobe to decrypt+decode that assigned TCH/F

The external program to recover the A5/1 ciphering key is called Kraken and is also available from the SRLabs website.

So what are the limitations? Well, so far this only works on non-hopping cells with a single ARFCN. The limitations are those of the receiver hardware (and SDR software), and not really limitations of the airprobe GSM decoder or the actual software tools.

In the past I would have assumed that non-hopping and/or single-ARFCN cells are rare, but in fact we can find them even inside a big city like Berlin, from at least two of the four German GSM operators. So that's why this attack is very practical, no matter what the GSMA might say.

In case you're wondering why there is such a long period with no updates: I've been travelling over the last week and barely had sufficient time to follow my e-mail and get the most high-priority work done. Hope to update the blog soon.

PR-Newswire: Pixelplus revenue for Q2 2010 was US$5.6 million, compared to US$3.3 million in the Q1 2010, and US$3.6 million in Q2 2009. Net income in Q2 2010 was US$0.6 million.

Gross margin for Q2 2010 was 33.6%, compared to 40.5% in Q1 2010.

"We are pleased with the steady increase in our revenues in the second quarter and firmly believe that the Company will be able to improve our revenues in the second half of 2010 based on new design wins and business, especially in the security and automotive industries. We also are pleased to have more products in various stages of development and deployment than ever in our history," said S.K. Lee, CEO and Founder of Pixelplus.

Business Wire: SiliconFile has selected the Analog FastSPICE (AFS) Platform for verification of its mobile image sensors. "We spend a significant amount of effort on block-level verification of our CMOS image sensors," said Do Yeong Lee, CTO at SiliconFile. "After extensive evaluation, we selected the Analog FastSPICE Platform for complex-block verification of our image sensors because it delivered nanometer SPICE accurate results 5x-10x faster than traditional SPICE simulators."

I hope SiliconFile did its evaluation work properly. There has been a big progress in speed of SPICE and SPICE-like simulators recently.

SAKC = Swiss Army Knife Card What is  SAKC?
SAKC is a development board for hardware and software hackers. SAKC has a MIPS processor running at 360MHz, also has an Spartan 3 FPGA. This combination enable many applications like robotics, automation, signal acquisition, and publicity applications. The software is based on Qi-hardware community development, right now there are some distributions available: Openwrt, Debian, Jlime.

read more

Business Wire: TowerJazz's 0.18um process is used in Cypress 25MP VITA 25K industrial image sensors for the high-end machine vision market, the companies said. Terms of the deal were not disclosed but a Reuters source said that TowerJazz would reap tens of millions of dollars a year in revenue over the next few years. Globes sources told that the collaboration is worth several million dollars, but beginning next year will grow significantly.

According to a report by Roy Szweda, RNR Associates, the forecast for image sensors used in the industrial market is expected to reach close to $840 million by 2014.

Tech-On published an English version of TSR image sensor analyst interview referred in the post few days ago. The interesting market shares graph is translated to English as well:

Installing Ubuntu 10.04 on the IGEPv2 board. Using the board as a small server.

Last year, folks at Texas Instruments told me about the IGEP v2 board. This board is similar to the Beagle board, but also features 512 MB of RAM and NAND flash (instead of 256 for the Beagle), on board Ethernet (RJ45), Wi-Fi and Bluetooth, all this for only 145 €! Its fast ARM CPU (TI OMAP 3530 running at 720 MHz) and graphical capabilities allow it to be used in for services usually performed by desktop or server CPUs.

At the Free Electrons main office, we needed a server to share files, create backups and upload these backups to our servers on the Internet. I decided to use the Ubuntu 10.04 distribution on ARM, based on Debian GNU/Linux. As I didn’t find all the details I needed on the IGEP community website, here are the steps that I took. Several details were found on the http://labs.igep.es/index.php/How_to_get_the_Ubuntu_distribution page though.

This page assumes that you are familiar with building the Linux kernel, controlling an embedded board from a serial line and booting it, and using the GNU/Linux system in general (see the training materials from our embedded Linux course). Beginners may be lost because we don’t give all the details, but more experienced developers should just find the board specific details that they need.

First, get an SD card (at least 2 GB), and prepare its partitions with the mkcard.sh utility.

To compile your kernel, get a CodeSourcery toolchain for ARM. I used the 2010q1 release. Install it in /usr/local/CodeSourcery/arm-2010q1/ (for example)

Get the kernel sources:

$ mkdir $HOME/igep $ cd $HOME/igep $ git clone git://git.igep.es/pub/scm/linux-omap-2.6.git $ cd linux-omap-2.6/

Let’s switch to the latest stable version:

$ git tag v2.6.28.10-3 v2.6.28.10-igep0020b-0 v2.6.28.10-igep0020b-1 v2.6.28.10-igep0020b-2 v2.6.33.2-0 v2.6.33.4-0 $ git checkout -b v2.6.33.4-0 v2.6.33.4-0 Checking out files: 100% (13116/13116), done. Switched to a new branch 'v2.6.33.4-0'

Now, set the environment variables for cross-compiling the kernel sources to the arm architecture:

$ export PATH=/usr/local/CodeSourcery/arm-2010q1/bin:$PATH $ export ARCH=arm $ export CROSS_COMPILE=arm-none-linux-gnueabi-

Now, take the default configuration for the board and build your kernel:

$ make help | grep igep $ make igep0020_defconfig $ make -j 4 $ make uImage

It’s time to build your Ubuntu filesystem, using the Rootstock utility:

$ tar zxvf rootstock-0.1.99.3.tar.gz $ cd rootstock-0.1.99.3 $ sudo ./rootstock --fqdn igepv2 --login mike --password letmein --imagesize 2G --seed build-essential,openssh-server --dist lucid

Copy the kernel to the first partition of your SD card:

cp arch/arm/boot/uImage /media/boot/ cp .config /media/boot/config-2.6.33.4

Install the root filesystem on the second partition of your SD card:

$ cd /media/rootfs/ $ sudo tar zxvf $HOME/igep/rootstock-0.1.99.3/armel-rootfs-201006102239.tgz

Configure the rootfs to let you log in on the serial console (ttyS2 with OMAP). Do this by copying etc/init/tty1 to etc/init/ttyS2 and replacing tty1 by ttyS2 in this file.

Install kernel modules manually for the first time:

$ mkdir -p /lib/modules $ cd $HOME/igep/linux-omap-2.6/ $ make INSTALL_MOD_PATH=/media/rootfs modules_install

In the Rootstock version I tested, the specified user didn’t get created (bug report). To be able to log in, I had to disable the root password by removing the first * character in the root entry in etc/shadow:

We are now ready to boot our new system. First, unmount your SD card partitions:

$ sudo umount /media/boot $ sudo umount /media/rootfs

Insert your SD card in the slot on your board, connect your serial cable and in the U-boot prompt on the serial line, configure the kernel boot parameters:

$ setenv bootargs mem=512M console=ttyS2,115200n8 root=/dev/mmcblk0p2 rw rootwait $ setenv bootcmd 'mmc init 0 ; fatload mmc 0 80000000 uImage' $ setenv autostart yes $ saveenv $boot

You should see your Linux kernel boot and get to a login shell. Log in as root with no password.

It is now time for the final tweaks. First, create a non root user (remember the Rootstock bug), allow it to run the sudo command, and choose a root password too:

adduser mike adduser mike sudo passwd

Let’s cope with a last Rootstock bug. Add the updates and security repositories to /etc/apt/sources.list:

deb http://ports.ubuntu.com/ubuntu-ports lucid-updates main deb http://ports.ubuntu.com/ubuntu-ports lucid-security main

Without this, you would miss package updates and security releases, and your packages would never change!

If you use the IGEP board as a server as I do, you may need your server to have a fixed MAC address. The trouble is the e2prom storing the MAC address is not populated by default, and every time you boot, the kernel gives you a random MAC address.

The easiest fix I found was to choose an arbitrary MAC address (you can take the first random one that you get), and force it in /etc/network/interfaces:

auto eth0 iface eth0 inet dhcp hwaddress ether 00:01:04:1b:2C:1F

As the IGEPv2 board doesn’t have a battery by default, it won’t be able to keep the correct time. You can use the ntp daemon to address this:

sudo apt-get install ntp

Your configuration should now be complete. You can now use your IGEPv2 board as a tiny, ultra low power server with Ubuntu server. All the rest is ordinary Debian / Ubuntu server administration. Of course, you can also install desktop packages and use your board as a desktop replacement (you may need to add kernel command line settings for graphics). Have fun!

By the way, the IGEPv2 board is not the best solution if you all you need is a server. The amazing graphical capabilities of the OMAP chip would just be useless. For a server, better, cheaper and more powerful alternatives are the SheevaPlug and GuruPlug. Don’t miss these very nice devices!

PR-Newswire: In a rare appearence in the news Foveon announces it has been using Synopsys' Galaxy Custom Designer to desing its sensors, including 14MP one for Sigma SD15 DSLR, made in 0.18um process.

Synopsys is relying on Open Access database for its PDK and it's not compatible with the dominating Cadence proprietary PDK format. Most of the foundry image sensor PDKs are not available in Open Access. It is not clear who made the translation work for Foveon.

e2v has delivered over 150 CCDs for Gaia, a European Space Agency (ESA) mission due to launch in 2012. Gaia’s goal is to map the positions, parallaxes and movement across the sky of around 1 billion objects in our galaxy. The Gaia focal plane will be the largest ever developed, with 106 CCDs, a total of almost 1 Gigapixels and physical dimensions of 0.5m × 1m.

The e2v CCD91-72 is 3 sided buttable, to minimise the dead space between CCDs when they are tiled together in the mosaic. All CCDs have been through e2v’s back thinning process, so not only this array is the largest, it's also BSI.

Via Electrons and Holes blog.

List of sessions and speakers at ELC Europe in Cambridge, UK

Being a member of the organization committee of the Embedded Linux Conference Europe, I get access to fresh news about this yearly conference. The call for presentations is now over and we have just announced the list of sessions.

Note that this list is not the final one yet. Some speakers haven’t confirmed their participation or haven’t sent their biographies yet. There are also two or three speakers added at the last minute who are not listed yet.

The conference will happen in Cambridge, UK, on October 27-28, 2010. Keep an eye on the website (or on our blog). Registration should open in a few days from now, and all practical details will be given then.

See also the agenda of the GStreamer conference which will happen at the same location on the day before.

The following email was sent to an Image Sensor Workshop distribution list:

TO: All Image Sensor Engineers

FROM: Nobukazu Teranishi
Junichi Nakamura

Dear Imaging Colleagues,

We are pleased to announce the 2011 International Image Sensor Workshop (IISW 2011) to be technically co-sponsored by IEEE Electron Devices Society and Institute of Image Information and Television Engineers (ITE) in Japan.

When: Wednesday, June 8 through Saturday, June 11, 2011

Where: Hakodate-Onuma Prince Hotel in Hokkaido, Japan

Website: www.imagesensors.org

(please check for latest information and hotel link)

As you find in the description on the web, the hotel is located in Onuma Quasi-National Park, considered one of the three best scenic views of modern Japan and one of the most spectacular areas of Hokkaido. The hotel is surrounded by white birch and oak and is built to harmonize with the natural environment. As a resort hotel, there is a wide range of activities available along with a hot spring and fine dining made with local Hokkaido ingredients.

Nobukazu Teranishi (Panasonic) and Junichi Nakamura (Aptina) will serve as General Co-Chairs, and Shoji Kawahito (Shizuoka Univ.) will serve as Technical Program Chair.

The deadline of the abstract submission will be January 17, 2011 (Japan time). The First Call for Papers will be sent in a month or so.

Also, for your information, the 2011 IEEE Symposia on VLSI Technology and on VLSI Circuits will be held in Kyoto, Japan, following this Workshop, from June 12 through June 17, 2011.

Please forward this email note to any and all your colleagues who you think might be interested in this workshop.

We will try to make the coming Workshop informative and beneficial for your research and development work. Thank you for your cooperation in advance.

Nobukazu Teranishi, General Co-Chair IISW 2011
Image Sensor Business Unit, Semiconductor Company
Panasonic Corporation.
1 Kotari-Yakemachi, Nagaokakyo, Kyoto 617-8520 Japan
E-mail: x.x@jp.panasonic.com

Junichi Nakamura, General Co-Chair IISW 2011
Design Center, Aptina Japan, LLC
4-2-8 Shibaura, Minato-ku, Tokyo 108-0023, Japan
E-mail: xx@aptina.com

Fujifilm's F300EXR compact camera features fast hybrid AF combining contrast AF and phase detection AF into one. To support phase detection AF the camera Super CCD EXR sensor is enhanced with built-in phase detection pixels:


Pixels used in the phase detection AF are marked by 1. Fujifilm does not say how many pixels are entirely devoted to AF. It is not clear why they appear smaller too.

Japanese Tech-On published an article about the latest TSR report "2010 CCD/CMOS Area Image Sensor Market Analysis". Most of the article is quite hard to interpret (see Google translation), but the graph below apparently shows year over year volumes and market shares for major image sensor companies:


It looks like Samsung is a big winner this year with its market share approaching Omnivision's. SETi market share has stabilized this year, while Galaxycore's rise mostly comes at Omnivision's expense.

Via Japanese Image Sensor blog.