Copyleft Hardware
Image Sensors World: MIPI Camera Working Group Update
There is a lot in the CSI-3 feature list: speed of 5Gbps per lane, dual simplex operation, no limit on number of parallel lanes, etc.
Image Sensors World: Tessera Q2 2010 Results
Q3 2010 Imaging & Optics revenue is expected to be approximately $10M vs $7M in Q3 2009. Still, there is some way to go to reach Hank's EDoF revenue target of $100M in 2011.
Bunnie Studios: Name that Ware July 2010
The Ware for July 2010 is shown below. Click on the image for a much larger version.
This ware is not a functional ware, but rather a work of art. I’m a little worried this might be too obscure for the competition, but I did a check on google, and the right keywords produced images of this artifact. If it turns out this is too hard to guess, I’ll release some more hints over time.
Bunnie Studios: Winner, Name That Ware June 2010
Thanks to everyone who played last month’s Name That Ware! I was astonished at the number of people who made a huge effort to count all the vias.
Before I announce the winners, I’ll reveal the design stats on the number of vias on the PCB:
144 9-mil vias
1062 10-mil vias
13 13-mil vias
15 162-mil vias
For a grand total of 1381 vias. This would make Alex G the winner at 1379 vias. Congrats, email me to claim your prize!
Harald Welte: Dieter Spaar has started a blog
Dieter Spaar, who has been involved in various ways with both OpenBSC and OsmocomBB has just started a blog. This is good news and I hope this way he will get a bit more (much deserved) exposure on his great work.
Harald Welte: GSM Denial of Service by flooding BTS with RACH requests
At Blackhat US 2010, there was a Talk that (among other things) apparently included the subject of a RACH DoS on GSM base stations, implemented using my Layer1 of the OsmocomBB software.
As some news sites are covering this as "news": This vulnerability has been long known in the field and was - to the best of my knowledge - first demonstrated to a public audience by Dieter Spaar at the Deepsec 2009 conference in November 2009. You can get his slides.
The difficult part for many years has not been to know about the possibility of this weakness. Anyone who has read the GSM air interface specification will inevitably see that there is a limited number of RACH slots and a limited number of dedicated channels. Once you fill more RACH slots than the cell has dedicated channels, and you keep re-filling them at a higher rate than the cell can expire those dedicated channels, you have a DoS.
So rather, the difficult part was to implement it in practise, as traditionally all GSM baseband chipsets have been extremely closed, just like the very software (firmware) running on them. Today, starting from Q2/2010, it is very easy to do a proof-of-concept implementation, as we have created OsmocomBB: An Open Source baseband firmware.
Dieter Spaar's implementation predates OsmocomBB development by the better part of a year. At that time, he had to resort to binary-patching existing proprietary (binary-only) baseband firmware. So I think people should recognize his effort in doing the first practical implementation of that attack.
I can only hope that the author of the Blackhat presentation has given proper credits and shown that neither OsmocomBB, nor the RACH DoS attack, nor the IMSI DETACH attack he has presented have been discovered or first published by him.
Harald Welte: A real-world practical A5/1 attack using airprobe and Kraken
At Blackhat USA 2010, Karsten Nohl has been presenting on a practical real-world A5/1 cracking attack. For recent years, Karsten, myself and others have been speaking at various opportunities, indicating that a practical attack using readily-available information and tools from the Internet is very possible, and that it is only a matter of time for somebody actually does it.
While Karsten has focused on the actual cryptographic attack, I've been putting in some time in projects like airprobe (a GSM receiver/decoder).
Now finally, a team of friends at the new Security Research Labs (founded by Karsten) in Berlin has put the pieces of the puzzle together.
Airprobe has been extended to fully support decoding of TCH/F (FACCH, SACCH and traffic), as well as SDCCH/SACCH control channels, and to specify the timeslot and physical channel configuration from the command line. Using this, you can
- decode the AGCH, wait for an IMMEDIATE ASSIGNMENT of a SDCCH
- decode that very SDCCH and wait until encryption is turned on
- dump an encrypted burst where you have sufficient known plaintext
- use a different program to actually recover the A5/1 ciphering key
- feed that key into airprobe and decrypt+decode the ASSIGNMENT COMMAND of the TCH
- use airprobe to decrypt+decode that assigned TCH/F
The external program to recover the A5/1 ciphering key is called Kraken and is also available from the SRLabs website.
So what are the limitations? Well, so far this only works on non-hopping cells with a single ARFCN. The limitations are those of the receiver hardware (and SDR software), and not really limitations of the airprobe GSM decoder or the actual software tools.
In the past I would have assumed that non-hopping and/or single-ARFCN cells are rare, but in fact we can find them even inside a big city like Berlin, from at least two of the four German GSM operators. So that's why this attack is very practical, no matter what the GSMA might say.
Harald Welte: I'm still alive ;)
In case you're wondering why there is such a long period with no updates: I've been travelling over the last week and barely had sufficient time to follow my e-mail and get the most high-priority work done. Hope to update the blog soon.
Image Sensors World: Pixelplus Announces Q2 2010 Results
Gross margin for Q2 2010 was 33.6%, compared to 40.5% in Q1 2010.
"We are pleased with the steady increase in our revenues in the second quarter and firmly believe that the Company will be able to improve our revenues in the second half of 2010 based on new design wins and business, especially in the security and automotive industries. We also are pleased to have more products in various stages of development and deployment than ever in our history," said S.K. Lee, CEO and Founder of Pixelplus.
Image Sensors World: SiliconFile Chooses Berkeley DA FastSPICE
I hope SiliconFile did its evaluation work properly. There has been a big progress in speed of SPICE and SPICE-like simulators recently.
Tuxbrain: SAKC, another step to Copyleft Hardware

SAKC = Swiss Army Knife Card What is SAKC?
SAKC is a development board for hardware and software hackers. SAKC has a MIPS processor running at 360MHz, also has an Spartan 3 FPGA. This combination enable many applications like robotics, automation, signal acquisition, and publicity applications. The software is based on Qi-hardware community development, right now there are some distributions available: Openwrt, Debian, Jlime.
Image Sensors World: TowerJazz Manufactures 25MP Sensors for Cypress
According to a report by Roy Szweda, RNR Associates, the forecast for image sensors used in the industrial market is expected to reach close to $840 million by 2014.
Image Sensors World: TSR Market Data - Now in English

Free Electrons: Ubuntu 10.04 on the IGEPv2 board
Installing Ubuntu 10.04 on the IGEPv2 board. Using the board as a small server.
Last year, folks at Texas Instruments told me about the IGEP v2 board. This board is similar to the Beagle board, but also features 512 MB of RAM and NAND flash (instead of 256 for the Beagle), on board Ethernet (RJ45), Wi-Fi and Bluetooth, all this for only 145 €! Its fast ARM CPU (TI OMAP 3530 running at 720 MHz) and graphical capabilities allow it to be used in for services usually performed by desktop or server CPUs.
At the Free Electrons main office, we needed a server to share files, create backups and upload these backups to our servers on the Internet. I decided to use the Ubuntu 10.04 distribution on ARM, based on Debian GNU/Linux. As I didn’t find all the details I needed on the IGEP community website, here are the steps that I took. Several details were found on the http://labs.igep.es/index.php/How_to_get_the_Ubuntu_distribution page though.
This page assumes that you are familiar with building the Linux kernel, controlling an embedded board from a serial line and booting it, and using the GNU/Linux system in general (see the training materials from our embedded Linux course). Beginners may be lost because we don’t give all the details, but more experienced developers should just find the board specific details that they need.
First, get an SD card (at least 2 GB), and prepare its partitions with the mkcard.sh utility.
To compile your kernel, get a CodeSourcery toolchain for ARM. I used the 2010q1 release. Install it in /usr/local/CodeSourcery/arm-2010q1/ (for example)
Get the kernel sources:
$ mkdir $HOME/igep $ cd $HOME/igep $ git clone git://git.igep.es/pub/scm/linux-omap-2.6.git $ cd linux-omap-2.6/Let’s switch to the latest stable version:
$ git tag v2.6.28.10-3 v2.6.28.10-igep0020b-0 v2.6.28.10-igep0020b-1 v2.6.28.10-igep0020b-2 v2.6.33.2-0 v2.6.33.4-0 $ git checkout -b v2.6.33.4-0 v2.6.33.4-0 Checking out files: 100% (13116/13116), done. Switched to a new branch 'v2.6.33.4-0'Now, set the environment variables for cross-compiling the kernel sources to the arm architecture:
$ export PATH=/usr/local/CodeSourcery/arm-2010q1/bin:$PATH $ export ARCH=arm $ export CROSS_COMPILE=arm-none-linux-gnueabi-Now, take the default configuration for the board and build your kernel:
$ make help | grep igep $ make igep0020_defconfig $ make -j 4 $ make uImageIt’s time to build your Ubuntu filesystem, using the Rootstock utility:
$ tar zxvf rootstock-0.1.99.3.tar.gz $ cd rootstock-0.1.99.3 $ sudo ./rootstock --fqdn igepv2 --login mike --password letmein --imagesize 2G --seed build-essential,openssh-server --dist lucidCopy the kernel to the first partition of your SD card:
cp arch/arm/boot/uImage /media/boot/ cp .config /media/boot/config-2.6.33.4Install the root filesystem on the second partition of your SD card:
$ cd /media/rootfs/ $ sudo tar zxvf $HOME/igep/rootstock-0.1.99.3/armel-rootfs-201006102239.tgzConfigure the rootfs to let you log in on the serial console (ttyS2 with OMAP). Do this by copying etc/init/tty1 to etc/init/ttyS2 and replacing tty1 by ttyS2 in this file.
Install kernel modules manually for the first time:
$ mkdir -p /lib/modules $ cd $HOME/igep/linux-omap-2.6/ $ make INSTALL_MOD_PATH=/media/rootfs modules_installIn the Rootstock version I tested, the specified user didn’t get created (bug report). To be able to log in, I had to disable the root password by removing the first * character in the root entry in etc/shadow:
We are now ready to boot our new system. First, unmount your SD card partitions:
$ sudo umount /media/boot $ sudo umount /media/rootfsInsert your SD card in the slot on your board, connect your serial cable and in the U-boot prompt on the serial line, configure the kernel boot parameters:
$ setenv bootargs mem=512M console=ttyS2,115200n8 root=/dev/mmcblk0p2 rw rootwait $ setenv bootcmd 'mmc init 0 ; fatload mmc 0 80000000 uImage' $ setenv autostart yes $ saveenv $bootYou should see your Linux kernel boot and get to a login shell. Log in as root with no password.
It is now time for the final tweaks. First, create a non root user (remember the Rootstock bug), allow it to run the sudo command, and choose a root password too:
adduser mike adduser mike sudo passwdLet’s cope with a last Rootstock bug. Add the updates and security repositories to /etc/apt/sources.list:
deb http://ports.ubuntu.com/ubuntu-ports lucid-updates main deb http://ports.ubuntu.com/ubuntu-ports lucid-security mainWithout this, you would miss package updates and security releases, and your packages would never change!
If you use the IGEP board as a server as I do, you may need your server to have a fixed MAC address. The trouble is the e2prom storing the MAC address is not populated by default, and every time you boot, the kernel gives you a random MAC address.
The easiest fix I found was to choose an arbitrary MAC address (you can take the first random one that you get), and force it in /etc/network/interfaces:
auto eth0 iface eth0 inet dhcp hwaddress ether 00:01:04:1b:2C:1FAs the IGEPv2 board doesn’t have a battery by default, it won’t be able to keep the correct time. You can use the ntp daemon to address this:
sudo apt-get install ntpYour configuration should now be complete. You can now use your IGEPv2 board as a tiny, ultra low power server with Ubuntu server. All the rest is ordinary Debian / Ubuntu server administration. Of course, you can also install desktop packages and use your board as a desktop replacement (you may need to add kernel command line settings for graphics). Have fun!
By the way, the IGEPv2 board is not the best solution if you all you need is a server. The amazing graphical capabilities of the OMAP chip would just be useless. For a server, better, cheaper and more powerful alternatives are the SheevaPlug and GuruPlug. Don’t miss these very nice devices!
Image Sensors World: Foveon Using Synopsys' Galaxy
Synopsys is relying on Open Access database for its PDK and it's not compatible with the dominating Cadence proprietary PDK format. Most of the foundry image sensor PDKs are not available in Open Access. It is not clear who made the translation work for Foveon.
Image Sensors World: e2v Supplies 0.5m x 1m CCD Array
The e2v CCD91-72 is 3 sided buttable, to minimise the dead space between CCDs when they are tiled together in the mosaic. All CCDs have been through e2v’s back thinning process, so not only this array is the largest, it's also BSI.
Via Electrons and Holes blog.
Free Electrons: ELC Europe 2010 sessions announced
List of sessions and speakers at ELC Europe in Cambridge, UK
Being a member of the organization committee of the Embedded Linux Conference Europe, I get access to fresh news about this yearly conference. The call for presentations is now over and we have just announced the list of sessions.
Note that this list is not the final one yet. Some speakers haven’t confirmed their participation or haven’t sent their biographies yet. There are also two or three speakers added at the last minute who are not listed yet.
The conference will happen in Cambridge, UK, on October 27-28, 2010. Keep an eye on the website (or on our blog). Registration should open in a few days from now, and all practical details will be given then.
See also the agenda of the GStreamer conference which will happen at the same location on the day before.
Image Sensors World: First Announcement for the 2011 International Image Sensor Workshop
TO: All Image Sensor Engineers
FROM: Nobukazu Teranishi
Junichi Nakamura
Dear Imaging Colleagues,
We are pleased to announce the 2011 International Image Sensor Workshop (IISW 2011) to be technically co-sponsored by IEEE Electron Devices Society and Institute of Image Information and Television Engineers (ITE) in Japan.
When: Wednesday, June 8 through Saturday, June 11, 2011
Where: Hakodate-Onuma Prince Hotel in Hokkaido, Japan
Website: www.imagesensors.org
(please check for latest information and hotel link)
As you find in the description on the web, the hotel is located in Onuma Quasi-National Park, considered one of the three best scenic views of modern Japan and one of the most spectacular areas of Hokkaido. The hotel is surrounded by white birch and oak and is built to harmonize with the natural environment. As a resort hotel, there is a wide range of activities available along with a hot spring and fine dining made with local Hokkaido ingredients.
Nobukazu Teranishi (Panasonic) and Junichi Nakamura (Aptina) will serve as General Co-Chairs, and Shoji Kawahito (Shizuoka Univ.) will serve as Technical Program Chair.
The deadline of the abstract submission will be January 17, 2011 (Japan time). The First Call for Papers will be sent in a month or so.
Also, for your information, the 2011 IEEE Symposia on VLSI Technology and on VLSI Circuits will be held in Kyoto, Japan, following this Workshop, from June 12 through June 17, 2011.
Please forward this email note to any and all your colleagues who you think might be interested in this workshop.
We will try to make the coming Workshop informative and beneficial for your research and development work. Thank you for your cooperation in advance.
Nobukazu Teranishi, General Co-Chair IISW 2011
Image Sensor Business Unit, Semiconductor Company
Panasonic Corporation.
1 Kotari-Yakemachi, Nagaokakyo, Kyoto 617-8520 Japan
E-mail: x.x@jp.panasonic.com
Junichi Nakamura, General Co-Chair IISW 2011
Design Center, Aptina Japan, LLC
4-2-8 Shibaura, Minato-ku, Tokyo 108-0023, Japan
E-mail: xx@aptina.com
Image Sensors World: Fujifilm Super CCD EXR Gets AF Enhancement Pixels

Pixels used in the phase detection AF are marked by 1. Fujifilm does not say how many pixels are entirely devoted to AF. It is not clear why they appear smaller too.
Image Sensors World: TSR Market Report: Samsung Closing Gap with Ominivision

It looks like Samsung is a big winner this year with its market share approaching Omnivision's. SETi market share has stabilized this year, while Galaxycore's rise mostly comes at Omnivision's expense.
Via Japanese Image Sensor blog.









