Thanks to the support of the fantastic folks at the NLnet Foundation, I have funding to progress the hand-held version of the MEGA65, building on the past work that NLnet supported. The brief for this stage of the work is as follows:
The previous MEGAphone project laid the groundwork for creating personal communications devices that are secure through simplicity. This project extends that work by making the hardware modular, at some cost of minimum size, so that it becomes much more feasible for small communities to produce and maintain their own units, even in the face of supply chain challenges and other contributors to the "digital winter", i.e., the situation where open innovation becomes more difficult due to a number of factors. This will also make it easier to include diverse resilient communications options, whether RF, optical or acoustic, so that peer-to-peer communications networks can be sustained even in environments that are hostile to freedom of communications. For this reason energy sovereignty will also be part of the design, so that even if all civil infrastructure is denied, basic communications and computing functions can be sustained, with a single device whose security can be much more easily reasoned about.
If you want a bit more background on the motivations for this, I'd recommend watching this presentation and this presentation I gave just before the COVID19 pandemic, which rather uncomfortably rapidly confirmed my hypothesis that a Digital Winter could occur.
I'll dig into the work more deeply as it progresses, but the first part we will focus on is the ability to develop a mobile-phone-like device that can be built by hand, without requiring advanced skills, and that is resilient to the various kinds of supply chain shock that characterise a Digital Winter.
Let's first agree what we mean by "can be built by hand, without requiring advanced skills". Some skills will be unavoidably necessary, but we can minimise them, and perhaps more importantly, we can reduce the scale at which those skills have to be applied at any one time -- this is one of the key motivations for the modularisation of the MEGAphone. Put another way, we can minimise the impact of an error when building a MEGAphone. This has the significant benefit that someone whose skills give them a low but non-zero probability of achieving some particular task on a single attempt can, by retrying only the part that failed, increase their probability of eventual success.
Why Modularisation Makes So Much Sense
In the first instance, modularisation contributes significantly to this goal by ensuring that an assembly error in one module does not affect the rest of the unit. Consider the key example of surface-mount soldering of small and fiddly components. I know first-hand how much of a pain it can be to solder these things by hand, and how easy it is for someone with rudimentary hand-soldering skills to nonetheless be thwarted by the narrow pin pitch of surface-mount components, or, harder still, to correctly mount surface-mount components that have ball grids, concealed thermal pads or other characteristics that are particularly diabolical for the hand-solderer.
By isolating such components on their own little PCBs, they can be the focus of attention, and if their attachment goes wrong, only that little PCB is wasted: the rest of the complex board on which it is to be mounted is preserved, and all that's needed is another go at making the little PCB.
It also becomes much easier to track down problems with the attachment of surface-mount components once they are isolated. Short-circuits and open-circuits are among the most common faults, and they are far easier to find when there is only one component to investigate.
A further benefit is that, for components that truly need surface-mount techniques, it is much more likely in austere environments that a very small SMD reflow oven could be rigged up and operated correctly than that a whole board could be reflowed. For boards that are perhaps just a few centimetres long and wide, getting an even temperature is much easier.
Isolating the need for SMD processing skills onto small modules also means that in a community where those skills (or the necessary equipment) are available but scarce, they can be focused on exactly those parts of the design where they are unavoidable, while the rest of the assembly is performed with much simpler hand-soldering skills.
Finally, modularisation allows these little modules to be ordered in bulk, if such services are still available, which one assumes they will be except in a deep Digital Winter; and certainly, before then, it would be a very convenient option. The attraction increases if we reuse some modules in the design. For example, the MEMS microphone module will likely be replicated at least 2x and possibly 4x, to allow for a nice way to suppress background noise in the hardware domain (we'll talk about this more in a future post, but the short version is that you can use the difference between pairs of microphones to subtract out common-mode background noise). The voltage regulators are also likely to be used more than once. This would allow individuals or small communities to order modest-sized batches at affordable cost from online PCB providers, and either use them themselves or distribute them further.
This approach also helps us mitigate a number of the common problems with PCB design, and generally lets us apply the strengths of a Systems Engineering approach: breaking a complex system down into several smaller ones that we can then integrate in a methodical and reliable manner.
Module Interface Requirements
So given that we are going to use a modular approach, let's now think about how we can design a nice module interface. We'll start by looking at a number of the requirements for such an interface to be effective in our use-case, in no particular order.
1. Large Pad Size
First up, the solder pads need to be big enough that someone who has spent only an hour or two learning to solder can work with them without significant risk of creating short-circuits or other problems.
2. Effective Thermal Relief for Hand Soldering
Soldering power rails and ground pins by hand can be a royal pain when those pins connect to ground or power planes in the PCB, because the plane sucks the heat out of the spot you are trying to solder. Without a solution to this, a reflow oven or similar approach is required, so that the entire ground or power plane is heated and can no longer act as a heat sink.
3. Unambiguous Orientation and Placement
The original formulation of Murphy's Law is all that we need as justification:
If there are two or more ways to do something and one of those results in a catastrophe, then someone will do it that way.[1]
Therefore it should not be possible to place a module with the wrong orientation, nor in the wrong place on the PCB. This means that each module should have only one correct orientation in which it fits into the PCB receptacle, and that receptacles and modules should only mate where the module is electrically compatible with that position.
4. No Sharp Protrusions on Rear
The MEGAphone is not going to be a particularly small device, because miniaturisation and modularisation aren't usually the best of friends, and hand-assemblability and miniaturisation are more or less sworn enemies. Nonetheless, we don't want it to be any bigger than necessary.
To assist with this goal, we don't want to need any clearance between the PCB assembly and other components, such as the rechargeable battery, which it is probably a good idea to protect from sharp metal pins and solder lumps poking holes into it [2]. We could avoid this by putting a spacer or bracket in place, but that takes space. It would be much better to make the rear of the PCB, including attached modules, smooth and flat, so that the problem is simply avoided. Apart from being the best option from the Hierarchy of Control perspective [3], i.e., we have removed rather than managed the battery-piercing hazard, it also follows the principle of "the best part is no part", made famous by Elon Musk [4].
(We'll also be using LiFePO4 cells rather than conventional lithium-ion chemistries, to further reduce the risk, as they behave much more sedately when damaged, as can be seen in this video.)
5. Ease of Desoldering for Diagnosis, Repair, Replacement, Substitution or Scavenging
It's not just important that a module can be easily added to the system, but also that it can be easily and reversibly removed. Maybe you want to check a suspect module by swapping it out for another, or maybe you are in an extremely austere environment and need to make one working MEGAphone out of two or more damaged units, or you want to swap a module for a newer (or older) one that avoids a security vulnerability of some sort. This should be possible using only simple hand-soldering tools, if at all possible.
6. Small Size
We have already mentioned size, but this is really critical: we want these modules to be as small as possible, both in surface area and in height, so that the MEGAphone doesn't become the GIGAphone or require a backpack to carry around.
7. Ease of Testability / Verification
We have also touched on this one, in terms of being able to remove or replace a module easily, but we'd also like to be able to test a module easily before it is first installed. This applies during development, but also after assembly, to check that modules have been built correctly, especially when hand-assembling modules with tricky surface-mount parts.
It also makes it easier to check modules assembled by third parties for correctness. While a sufficiently determined adversary can almost always hide malicious functionality in a device, by breaking it down into smaller, simpler modules we at least make it as easy as possible to detect the cheaper and easier approaches, thus increasing the cost of such attacks and/or our chance of detecting them. A module that does one simple job (a regulator, a microphone) can be compared against a known-good reference with a multimeter or scope in a way that a dense, multi-function board cannot.
This can be further enhanced by applying some tricks to make it harder for components to carry covert communications side-channels, such as using low-pass filters on signals, but that's probably well outside our current scope, for now at least.
8. Tamper Evidence
One thing that we can design for, however, is making it easier to detect when a device has been tampered with, in particular by swapping out a module, or by reflowing a module to swap out a component in the field without the owner's knowledge, e.g., via an Evil Maid/Manservant attack [5].
While nothing is perfect, not even glitter nail polish seals [6], they are still a pretty good approach, in that they are quick and easy to apply [7] but take considerable time and effort to replicate. The time factor is critical here: it is pretty implausible that someone could replicate a glitter seal in just a few moments, especially if the seal is not flat but has to conform to some slightly odd shape, a point we'll come back to later. Note that a seal is only evidence of anything if the owner keeps a reference photograph of it to compare against later.
In short, if we can meet these design criteria, we will be well on our way to a good solution.
Considering Some Module Design Characteristics
A. Through-Hole vs Surface-Mount
Let's start with the key dichotomy: should our modules use a through-hole or a surface-mount attachment mechanism? Let's compare how each interacts with our 8 design criteria:
Approach | 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 |
---|---|---|---|---|---|---|---|---|
Through-Hole | 😐 | 😐 | 😐 | 💩 | 😍 | 💩 | 😍 | 😐 |
Surface Mount | 😐 | 😐 | 💩 | 😍 | 💩 | 😍 | 💩 | 😐 |
As we can see, neither has the upper hand: both have characteristics that are great, really unhelpful, or rather neutral, with surface mount having perhaps a slight edge. But what if we split the problem, and say that the carrier PCB side should be surface-mount while the module side has through-hole characteristics, and see how many of those poops we can get rid of:
Approach | 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 |
---|---|---|---|---|---|---|---|---|
Through-Hole Module | 😐 | 😐 | 😐 | 😍 | 😍 | 😐 | 😍 | 😐 |
Surface Mount Carrier | 😐 | 😐 | 😐 | 😍 | 😍 | 😍 | 😍 | 😐 |
Look at that: we have flushed all of the poop away, in many cases turning weaknesses into strengths. Not surprisingly, such hybrid approaches already exist, in particular in the form of castellated modules, e.g., this module.
B. Half-Round Castellated Pins
If the castellations are made as half-rounds with spacing that matches the standard through-hole spacing of breadboards etc., then the modules are also just as easy to test in that context. This also makes them easier to hand-solder without causing bridges between adjacent pads, because the shape helps surface tension keep the blob of solder away from the neighbouring pads.
We are probably stuck with 2.54mm spacing, as the smallest pitch that is easily hand-soldered, and one that offers good compatibility with existing prototyping aids such as breadboards and DIP IC sockets.
Another benefit of this approach is cost: there are no sockets or connectors involved, delivering another benefit of the "the best part is no part" philosophy.
C. Key Pins & Varied Module Dimensions.
By using judiciously placed key pins, we can make it impossible to insert the module the wrong way around, including upside down, which is important if we want to minimise the assembled height (see below).
Also, by varying the module dimensions, primarily the number of pads and the width of the module, we can effectively key each type of electrically compatible module, so that it can't be put in an electrically incompatible place on the board. The module widths could match existing DIP spacing options to make prototyping and testing as simple as possible.
Together, these measures would effectively deal with Murphy's Law.
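As an added illustration (not code from the MEGAphone project), here is a small design-rule check for the keying scheme described above. It models a module as two rows of castellations on the 2.54mm grid with a set of key positions, assumes that each carrier receptacle is cut to one module type's outline with a slot at each of that module's key positions (so a module seats only if every key meets a slot), and reports any module that seats in more than one orientation or in another type's receptacle. The module names, widths and key positions are constructed for the example.

```python
"""Footprint keying check for castellated modules on a 2.54 mm grid.

Added illustration, not code from the MEGAphone project. A module is modelled
as a DIP-like rectangle with two rows of castellations and a set of "key"
positions (a tab, or a deliberately omitted castellation). The carrier
receptacle for each module type is assumed to be cut to that module's outline,
with a key slot at each of its key positions, so a module seats only if every
one of its keys lines up with a slot (spare slots on the receptacle are
harmless). Module names, widths and key positions are constructed.
"""
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, List, Tuple

Pos = Tuple[int, int]  # (row, column): row is 0 or 1, column counts castellations


@dataclass(frozen=True)
class Module:
    name: str
    width_mm: float        # row-to-row spacing, e.g. 7.62 or 15.24 to match DIP sockets
    columns: int           # castellations per row
    keys: FrozenSet[Pos]   # key positions on the module (and slots on its receptacle)


def orientations(columns: int) -> Dict[str, Callable[[Pos], Pos]]:
    """Every way a rectangular module can be offered up to its receptacle."""
    return {
        "identity":   lambda p: p,
        "rotate180":  lambda p: (1 - p[0], columns - 1 - p[1]),  # turned around in plane
        "flip_long":  lambda p: (1 - p[0], p[1]),                # turned over, long axis
        "flip_short": lambda p: (p[0], columns - 1 - p[1]),      # turned over, short axis
    }


def seating_orientations(module: Module, receptacle: Module) -> List[str]:
    """Orientations in which `module` can be seated in `receptacle`'s footprint."""
    if (module.width_mm, module.columns) != (receptacle.width_mm, receptacle.columns):
        return []  # outline does not match the cut-out, so it cannot seat at all
    return [
        name
        for name, xf in orientations(module.columns).items()
        if frozenset(xf(k) for k in module.keys) <= receptacle.keys
    ]


def check_keying(modules: List[Module]) -> List[str]:
    """Design-rule check for requirement 3: unambiguous orientation and placement.

    Returns one message per violation; an empty list means every module seats
    in exactly one orientation, and only in its own receptacle.
    """
    problems = []
    for m in modules:
        own = seating_orientations(m, m)
        extra = [o for o in own if o != "identity"]
        if extra:
            problems.append(f"{m.name}: also seats in its own receptacle when {extra}")
        for r in modules:
            if r is m:
                continue
            wrong = seating_orientations(m, r)
            if wrong:
                problems.append(f"{m.name}: seats in the {r.name} receptacle as {wrong}")
    return problems


# Constructed module sets. GOOD keys a single corner, which no symmetry of the
# rectangle maps onto itself, and separates types by pad count or width.
GOOD = [
    Module("mems_mic", 7.62, 4, frozenset({(0, 0)})),
    Module("ldo_3v3", 7.62, 6, frozenset({(0, 0)})),
    Module("radio", 15.24, 8, frozenset({(0, 0)})),
]

# BAD keys opposite corners (invariant under a 180 degree turn) and gives two
# same-sized regulators key sets where one is a subset of the other.
BAD = [
    Module("ldo_3v3", 7.62, 4, frozenset({(0, 0), (1, 3)})),
    Module("ldo_5v0", 7.62, 4, frozenset({(0, 0), (1, 3), (0, 1)})),
]

if __name__ == "__main__":
    for label, modules in (("GOOD", GOOD), ("BAD", BAD)):
        problems = check_keying(modules)
        print(f"{label}: {'OK' if not problems else ''}")
        for p in problems:
            print("  " + p)
```

Run as a script, the GOOD set passes and the BAD set reports the two failure modes Murphy's Law warns about: a key pattern that is symmetric under a 180 degree turn, and two same-sized regulators whose key sets nest, so the one with fewer keys also fits the other's receptacle. The same subset rule is why a module with no keys at all fits every receptacle of its size, in every orientation.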
D. Carrier Board Cut-Outs for Reduced Height / Reverse Component Mounting
In some cases it might be desirable to mount the components on the under-side of the module. This makes it possible to reduce the overall stack height, by using the thickness of the carrier PCB to absorb the height of the components. If modules are assembled on both sides of the carrier, then components can be as tall as the carrier board plus one module PCB thickness, which is probably sufficient for most components, without further increasing the height of the assembly, and with no protrusions on either side of the PCB assembly, thus helping to avoid the need for spacers or brackets on either side.
Mounting components on the under-side of the modules also makes it easier to use simple surface-mount techniques, such as a hot-air gun, to reflow the modules into place or to remove them later, because the module's own surface-mount components are not exposed to direct heat and so are unlikely to move or fall off.
E. Carrier Board Cut-Outs for Ease of Removal
Another use for cut-outs in the carrier board is to make modules easier to remove, using either a hot-air gun or hand desoldering techniques, as the module can then be gently pried out using a small screwdriver, tweezers or an old-fashioned DIP chip puller, like this one:
While it's not the best way to remove a castellated module, since you would have to reflow the pads repeatedly until you get enough movement to free it, it would work, and doesn't require a great deal of skill or precision. And of course, with a hot-air gun, this becomes almost trivial. So all in all, it makes sense to allow for it.
F. Bridges for Power and Ground Thermal Relief
Another design element we can consider is to avoid the thermal relief problem entirely, while also helping with testing and "bring-up" of the system, by routing the power and GND of the module to jumpers or pads that then have to be bridged to the power and ground planes of the carrier.
Once the module is soldered in place, those pads would be bridged with a short piece of desoldering braid, so that the link can carry high current loads. As only localised melting of solder onto those pads is required, the thermal aspects are greatly simplified. To desolder and remove the module, the bridge can first be cut and the two ends removed separately, so that it isn't necessary to heat both ends at once. Desoldering braid is convenient as the link because it's widely available, has good surface area for carrying current, and of course takes solder very easily. The unbridged pads also give a convenient place to connect a bench supply or current meter to a single module before it is joined to the rest of the carrier.
Summary and Requirements Cross-Check
In short, this combination of design elements should yield a solution that satisfies our design requirements from above. Let's go over them again, just to be sure:
- Large Pad Size -- Addressed by A & B
- Effective Thermal Relief for Hand Soldering -- Addressed by F
- Unambiguous Orientation and Placement -- Addressed by C
- No Sharp Protrusions on Rear -- Addressed by A, B & D
- Ease of Desoldering for Diagnosis, Repair, Replacement, Substitution or Scavenging -- Addressed by E & F
- Small Size -- Addressed by A, B & D
- Ease of Testability / Verification -- Addressed by B & E
- Tamper Evidence -- Addressed by A & B: Glitter polish can be applied over the castellated solder joints, creating an uneven surface for the polish, that would be hard to rework without being detectable.
So this design approach has the potential to meet our needs. Now, I don't claim that it is the only possible approach, nor necessarily the best possible approach. Rather, only that it is an approach that we can use in this project, to make rapid progress. If you have better ideas, or suggested improvements to this approach, please let me know in the comments or via email!
In the meantime, I'll probably try to design up a module or two and a simple carrier board to test this concept, before I move onto the rest of the hardware design, in particular, gathering the requirements for the device as a whole.