Saving data when you have no I/O devices

Post by BigEd »

Some little time ago I posted "Puzzle challenge: An unusual idea, but not a new one" with an idea and some half-baked code. It's time to get it out in the open ...spoilers ahead for anyone who wanted to tackle the puzzle...

...

...

...

The idea is that even on a device with no I/O devices, you can save data by putting out radio interference.

(Beware of local regulations and don't abuse this new power! Especially if you have a radio license to lose - perform all experiments within a Faraday cage.)

So, every micro has data lines and address lines bouncing up and down at megahertz rates - can we do anything to control that? It turns out we can! With a 2MHz 6502, as found in the BBC micro, a counted loop which crosses a major address boundary can toggle many of the address lines at 200kHz, which is nicely in the middle of the long wave band, and more or less on top of Radio 4 at 198kHz.

Here's my inner loop:

Code:

.loop5 SBC #1:JMP skip5
.skip5 NOP:BNE loop5:RTS

or, more conventionally:

Code:

loop5:
    SBC #1      ; 2 cycles
    JMP skip5   ; 3 cycles
skip5:
    NOP         ; 2 cycles
    BNE loop5   ; 3 cycles when taken (no page crossing)
    RTS

which is a ten-cycle loop. At 2MHz, that's 200kHz.

There'll be lots of other frequency components, but there should be a strong contribution at 200kHz.

If we had a strong constant sine wave output at that frequency, a nearby radio tuning around the middle of the long wave should have a bit of a drop in the static it picks up as it passes that carrier. That's what I thought anyway.

As it turns out (and as I recall) I got a horrible buzz across quite a bit of the band, from a radio put right on top of the machine. Bear in mind that the UK computers of the 80s didn't really have shielding - one of several reasons why they struggled to export to the US.

My thinking was, if there's any modulation of the strength of our signal, at audio rates, we should get some kind of sound from the radio. Especially if we'd managed to get silence from our "carrier."

So, with my loop5 routine producing strong carrier, I wrote a loop15 like this:

Code:

.loop15 SEC:BCS skip15a
.skip15a SBC #1:JMP skip15b
.skip15b NOP:JMP skip15c
.skip15c NOP:JMP skip15d
.skip15d NOP:JMP skip15e
.skip15e NOP:BNE loop15:RTS

The idea here is to waste a lot more time and cross the major address boundary less often.

Code:

loop15:
  SEC           ; 2 cycles
  BCS skip15a   ; 3 cycles (always taken after SEC)
skip15a:
  SBC #1        ; 2 cycles
  JMP skip15b   ; 3 cycles
skip15b:
  NOP           ; 2 cycles
  JMP skip15c   ; 3 cycles
skip15c:
  NOP           ; 2 cycles
  JMP skip15d   ; 3 cycles
skip15d:
  NOP           ; 2 cycles
  JMP skip15e   ; 3 cycles
skip15e:
  NOP           ; 2 cycles
  BNE loop15    ; 3 cycles when taken
  RTS           ; return to the caller (the routine is entered with JSR)

That's a 30-cycle loop. My thinking was, if my output is a square wave (of course it isn't) then the fundamental is now at 200/3 and the weaker first harmonic is at 200.

So, if I alternate between these routines, I can modulate my "carrier" at an audio rate. And that's what I was trying to do with my innerlo and innerhi routines:

Code:

LDX #48
.innerhi
LDA #42:JSR loop5
LDA #14:JSR loop15
DEX:BNE innerhi

Code:

LDX #24
.innerlo
LDA #42:JSR loop5
LDA #42:JSR loop5
LDA #14:JSR loop15
LDA #14:JSR loop15
DEX:BNE innerlo

(Thanks to Jeff for the bugfixes to those!)

My ideal result would be that I can get the radio to output one of two tones, and then it's a simple matter of programming to output data from the 6502 machine, over the radio, in a format which might even be compatible with cassette tape storage.

The actual result was some kind of horrible warbling - by no means alternating between two nice tones, but certainly an audio-modulated signal!

At that point I put the project down, and walked away...

Post by BigEd »

(Just to note, the idea to do this was from this thread, which posted the challenge of getting ROM contents from a small machine.)

Post by KC9UDX »

Interesting! I don't think I've ever heard of anyone trying this method. I have heard of using a radio receiver to listen to a computer to see what it's doing, unmodulated. In fact, I've done this myself.

But by your way, you could reliably transmit data. I wonder if it wouldn't help to try to use a lower frequency. Also, for the purposes at hand, perhaps simple on/off keying works.

Post by Dr Jefyll »

Good stuff, Ed -- thanks for the intriguing topic!
KC9UDX wrote:
I wonder if it wouldn't help to try to use a lower frequency.

Choosing a frequency that's already occupied (by Radio 4 at 198kHz) wasn't a good decision, IMO. If it were Frequency Modulation (FM) the stronger signal would suppress the weaker one. In fact Dwight posted an amusing item about that here. But AIUI an AM (Amplitude Modulation) receiver will simply accept both inputs, and they'll both be audible. It's true that a stronger signal will be heard more loudly, but it doesn't mute the weaker signal.

It'd be better to avoid interference by transmitting on an otherwise unused frequency. I realize the selections are limited, since we're dealing with integer relations to the CPU clock.

KC9UDX wrote:
Also, for the purposes at hand, perhaps simple on/off keying works.

Interesting. Are you supposing a machine would read the signal, or would a human do it (as with Morse code)? If there's no modulation, don't you need a BFO to render the carrier audible? (I'm dusting off some long-unused vocabulary I learned as a kid from my older brother, the former VE3EWK :) )
In 1988 my 65C02 got six new registers and 44 new full-speed instructions!
https://laughtonelectronics.com/Arcana/ ... mmary.html

Post by Arlet »

Cool trick, but I'm wondering what kind of device has no I/O at all? Would seem a bit useless.

Most of the old computers had a video output. Perhaps you could modulate that as well, by filling the screen with different color bars, and running the video output through a low pass filter to get a usable signal. Maybe even directly into a UART?

Post by BigEd »

In the case which kicked me off, the unknown computer was an SBC with a keypad. I figured it should be possible to figure out how to put bytes in memory, set the PC, and run, whereas trying to figure out where the PIA was mapped would be a little bit harder. Of course one might also pull the ROM and read it, which is I think what happened, but that supposes some technical knowledge and equipment too.

But imagine if a hacker can overflow a buffer in your computer and run some code... and is sitting outside with a long wave receiver and a cassette recorder!

Jeff, you're absolutely right, add a cycle and we can go down to about 182kHz, next step is 166Hz, we might still be in band. Anything over 150kHz stands a chance. As I recall, the horrible noise I made was strong enough to render Radio 4 irrelevant!

(I did pick the constants in the outer loops to give me something close to the CUTS standards, or the Beeb's cassette standards, and they'd need tweaking, and we might not be so lucky with the even divisibility.)

Post by BigEd »

You're right Arlet, you can do wonderful things with video output. Even broadcast digital radio, IIRC. Edit: nope, even more amazing, it was DVB-T - see http://bellard.org/dvbt/

Post by Arlet »

Can you increase the AM effect by switching more data/address lines at the same time?

Post by BigEd »

It's a good thought - I was aiming to place the code just below $0180 so the PC will flip from $017F to $0180 - but what we really want is a strong effect with the ON loop and a weaker effect with the OFF loop.

The other thing I did was attach a little dangly wire - I think that helped, although of course all the dimensions of the system are a great deal less than the 375m quarter-wavelength!
Last edited by BigEd on Sat Feb 11, 2017 9:00 pm, edited 1 time in total.

Post by hoglet »

Code:

loop5:
    SBC #1
    JMP skip5
skip5:
    NOP
    BNE loop5
    RTS

I'm not sure whether this has been overlooked or not, but if the loop crosses a page boundary, doesn't this become an 11 cycle loop?

Dave

Post by BigEd »

You'd be right! As I'd decided to sit near the middle of page 1, it wouldn't be a concern, but my original thought was to sit just below $4000, and that would indeed have been a wrinkle.
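
The timing behind BigEd's opening post and hoglet's page-boundary point, worked through as an added example in Python (not code from any poster in this thread). It assumes the documented NMOS 6502 cycle counts, carry set on entry to each routine, loop15 ending in RTS, and no page crossing other than the one passed in explicitly.

```python
# Added example: cycle-accurate timing of the loops posted in this thread.
# A taken branch costs 3 cycles, plus 1 more if it crosses a page boundary.
CLOCK_HZ = 2_000_000  # BBC Micro clock, as stated in the thread

CYCLES = {"SBC#": 2, "LDA#": 2, "SEC": 2, "NOP": 2, "DEX": 2,
          "JMP": 3, "JSR": 6, "RTS": 6}

def branch(taken, crosses_page=False):
    """Cycles for a relative branch (BNE/BCS)."""
    return 2 + (1 + crosses_page if taken else 0)

def loop5_pass(crosses_page=False):
    """One pass of loop5 with BNE taken: SBC #1, JMP, NOP, BNE."""
    return CYCLES["SBC#"] + CYCLES["JMP"] + CYCLES["NOP"] + branch(True, crosses_page)

def loop15_pass():
    """One pass of loop15 with BNE taken: SEC, BCS, SBC #1, 4x(JMP, NOP), BNE."""
    return (CYCLES["SEC"] + branch(True) + CYCLES["SBC#"]
            + 4 * (CYCLES["JMP"] + CYCLES["NOP"]) + branch(True))

def call_cycles(pass_cycles, count):
    """LDA #count : JSR loop : <count passes> : RTS.
    The final BNE falls through, which is one cycle cheaper than a taken one.
    Assumes carry set on entry and (for loop15) a closing RTS."""
    return CYCLES["LDA#"] + CYCLES["JSR"] + count * pass_cycles - 1 + CYCLES["RTS"]

def tone(bursts):
    """One pass of innerhi (bursts=1) or innerlo (bursts=2): that many calls
    of each loop, then DEX and a taken BNE. Returns (cycles, audio Hz)."""
    cycles = (bursts * call_cycles(loop5_pass(), 42)
              + bursts * call_cycles(loop15_pass(), 14)
              + CYCLES["DEX"] + branch(True))
    return cycles, CLOCK_HZ / cycles

def carrier_khz(pass_cycles):
    """Repetition rate of a loop with the given pass length, in kHz."""
    return CLOCK_HZ / pass_cycles / 1000

if __name__ == "__main__":
    print("loop5 carrier:        %.1f kHz" % carrier_khz(loop5_pass()))
    print("loop5 across a page:  %.1f kHz" % carrier_khz(loop5_pass(True)))
    print("loop15 fundamental:   %.1f kHz" % carrier_khz(loop15_pass()))
    for name, bursts, reps in (("innerhi", 1, 48), ("innerlo", 2, 24)):
        cycles, hz = tone(bursts)
        print("%s: %d cycles/pass, %.0f Hz, about %.1f ms for %d passes"
              % (name, cycles, hz, 1000 * reps * cycles / CLOCK_HZ, reps))
```

Under these assumptions the call overhead pulls the two audio tones a little below the 2400Hz and 1200Hz that the burst lengths alone would give, while both routines still last about 21ms.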

Post by whartung »

Well you always hear stories about listening in on machines (in various ways), notably those doing encryption with the hope of narrowing the keyspace to weaken it.

One of my favorite hacks, years ago, was a group that managed to break into a stock Apple iPod. In the end, all they could get their code to do was make a beep.

But they leveraged this by uploading code to the device that compressed the iPod ROMs, and then simply beeped out the resulting bit stream.

They then stuck the iPod into a box with a mic, and recorded the whole thing, then decoded it, thus getting a binary image of the iPod ROMs.

Post by GARTHWILSON »

Don't forget bogax's sine-wave generator: viewtopic.php?f=2&t=2404
http://WilsonMinesCo.com/ lots of 6502 resources
The "second front page" is http://wilsonminesco.com/links.html .
What's an additional VIA among friends, anyhow?

Post by KC9UDX »

Dr Jefyll wrote:
Good stuff, Ed -- thanks for the intriguing topic!
KC9UDX wrote:
Also, for the purposes at hand, perhaps simple on/off keying works.
Interesting. Are you supposing a machine would read the signal, or would a human do it (as with Morse code)? If there's no modulation, don't you need a BFO to render the carrier audible? (I'm dusting off some long-unused vocabulary I learned as a kid from my older brother, the former VE3EWK :) )

You don't need a BFO to copy Morse or any other on/off keying. It does help if you are trying to hear it; but you can actually hear it without, it's just more difficult. Visually, if you have a signal strength meter, you can copy just fine without a BFO. A machine has the same advantage.

Strictly speaking, a computer by itself with no actual transmitting hardware could not (probably) output on/off keying. It would actually be FSK. But, you could make the shift far enough to seem on/off to a narrow enough receiver. Either way it should work.

Post by Windfall »

BigEd wrote:
(Just to note, the idea to do this was from this thread, which posted the challenge of getting ROM contents from a small machine.)

Intriguing. It's like an alien that has to 'phone home' with just a wire, a match, and a piece of lint.

Apropos: causing interference is one thing, getting data into and out of it is quite another, I expect.