Getting started with the Papilio Pro and Xilinx ISE on Linux

Papilio Pro with LEDs and OV2640 camera module

Papilio Pro with LEDs and OV2640 camera module

My Papilio Pro arrived some days (weeks...) ago, let’s get started^^

First have a look at the Papilio Quick Start Guide:

Check that the Hardware is OK

If I get new hardware the first thing I always do is to check if its working properly. Sometimes you have to flash a basic Hello World example yourself but the Papilio Pro should have been flashed with a bitstream file already that:

  • Toggles all of the even numbered pins
  • Configures all of the odd number pins as inputs. When a odd number pin is asserted it will cause the even pin next to it to stop blinking and stay at 3.3V.
  • Sends the ASCII table at 9600 8N1 over the serial port in a continuous loop.

Lets check that, connect the Papilio via USB to your PC and use screen to open the serial port:

[chris@thinkpad ~]$ sudo screen /dev/ttyUSB1 9600
ASCII Table ~ Character Map
!, dec: 33, hex: 21, oct: 41, bin: 100001
", dec: 34, hex: 22, oct: 42, bin: 100010
#, dec: 35, hex: 23, oct: 43, bin: 100011
$, dec: 36, hex: 24, oct: 44, bin: 100100
%, dec: 37, hex: 25, oct: 45, bin: 100101
&, dec: 38, hex: 26, oct: 46, bin: 100110
', dec: 39, hex: 27, oct: 47, bin: 100111
(, dec: 40, hex: 28, oct: 50, bin: 101000
), dec: 41, hex: 29, oct: 51, bin: 101001
*, dec: 42, hex: 2A, oct: 52, bin: 101010
+, dec: 43, hex: 2B, oct: 53, bin: 101011
,, dec: 44, hex: 2C, oct: 54, bin: 101100
-, dec: 45, hex: 2D, oct: 55, bin: 101101
., dec: 46, hex: 2E, oct: 56, bin: 101110
/, dec: 47, hex: 2F, oct: 57, bin: 101111
0, dec: 48, hex: 30, oct: 60, bin: 110000
1, dec: 49, hex: 31, oct: 61, bin: 110001
2, dec: 50, hex: 32, oct: 62, bin: 110010
3, dec: 51, hex: 33, oct: 63, bin: 110011
4, dec: 52, hex: 34, oct: 64, bin: 110100
5, dec: 53, hex: 35, oct: 65, bin: 110101
6, dec: 54, hex: 36, oct: 66, bin: 110110
7, dec: 55, hex: 37, oct: 67, bin: 110111
8, dec: 56, hex: 38, oct: 70, bin: 111000
9, dec: 57, hex: 39, oct: 71, bin: 111001
:, dec: 58, hex: 3A, oct: 72, bin: 111010
;, dec: 59, hex: 3B, oct: 73, bin: 111011
<, dec: 60, hex: 3C, oct: 74, bin: 111100
=, dec: 61, hex: 3D, oct: 75, bin: 111101
>, dec: 62, hex: 3E, oct: 76, bin: 111110
?, dec: 63, hex: 3F, oct: 77, bin: 111111
@, dec: 64, hex: 40, oct: 100, bin: 1000000
A, dec: 65, hex: 41, oct: 101, bin: 1000001
B, dec: 66, hex: 42, oct: 102, bin: 1000010
C, dec: 67, hex: 43, oct: 103, bin: 1000011
Really kill this window [y/n]
[screen is terminating]
[chris@thinkpad ~]$

So this looks good, now the pins, you can easily check this if you connect an LED with a series resistor to 5V and PIN14 like seen in the tittle image. Then the LED should blink. Yippee!


Installing Xilinx ISE inside a Docker Container

Installing Xilinx ISE WebPACK inside a Docker Container

Installing Xilinx ISE WebPACK inside a Docker Container

Xilinx ISE WebPACK is a proprietary IDE that can be used for synthesis and analysis of VHDL designs.

This is a follow-up post from Sandboxing proprietary applications with Docker, so you might want to read this first.


ISE WebPACK can be downloaded at no charge from the URL below after you have signed up on the Xilinx website.

I have chosen to download ISE Design Suite - 14.7 Full Product Installation, Full Installer for Linux (TAR/GZIP - 6.09 GB). It’s quite a huge file so its a good idea to use some download manager like wget.


Instead of installing it directly on your host system we will install it into a Docker container that we have already prepared in the previous post.

To launch it just use the dockapp script with the -u option to make sure that the container has no network access:

[chris@thinkpad ~]$ dockapp run -u
[chris@thinkpad ~]$ dockapp view
Docker container without network access

Docker container without network access

The dockapp script will mount /home/$USER/share/docker/ automatically as /share inside the docker container so that we can easily access the installation tarball Xilinx_ISE_DS_Lin_14.7_1015_1.tar:

root@58f422d5ae63:/# ls -l share/
total 6385388
-rw-rw-r--. 1 app  app           5 Sep  4 15:40 Text File
-rw-------. 1 app  app  6538618880 Oct 18  2013 Xilinx_ISE_DS_Lin_14.7_1015_1.tar
-rwxrwxr-x. 1 app  app        1405 Sep  9 15:05 dockapp-start
-rw-r--r--. 1 root root          5 Sep  7 14:19 test.txt

Now we have two possibilities, install Xilinx ISE as root:

  • The setup will make changes to the root file system and we should commit them to a new Docker image, see here how this works.
  • The setup will be able to install Xilinx cable drivers

or install it it as unprivileged user:

  • From a security standpoint it should not make a huge difference since everything is running inside a container (at least in the future):

    Recent improvements in Linux namespaces will soon allow to run full-featured containers without root privileges, thanks to the new user namespace. This is covered in detail here. Moreover, this will solve the problem caused by sharing filesystems between host and guest, since the user namespace allows users within containers (including the root user) to be mapped to other users in the host system.

  • Installing Xilinx cable drivers will fail, but probably I don’t need them and you can install them later or rerun the setup.

I will start with installing it as unprivileged user app:

root@58f422d5ae63:/# su app
app@58f422d5ae63:/$ cd share/
app@58f422d5ae63:/share$ tar -xf Xilinx_ISE_DS_Lin_14.7_1015_1.tar
app@58f422d5ae63:/share$ cd Xilinx_ISE_DS_Lin_14.7_1015_1
app@58f422d5ae63:/share/Xilinx_ISE_DS_Lin_14.7_1015_1$ ./xsetup
Xilinx Setup inside a Docker container

Xilinx Setup inside a Docker container

It’s not possible to disable Xilinx’s WebTalk feature during installation... But luckily for us we have already disabled the network connection for the Docker container^^

Enables WebTalk to send software, IP and device usage statistics to Xilinx. For more information on WebTalk, please see Section 13 of the Xilinx End-User License Agreement and the WebTalk FAQ at:


Sandboxing proprietary applications with Docker


Docker is an open-source project that automates the deployment of applications inside software containers, providing that way an additional layer of abstraction and automatization of operating system-level virtualization on Linux. Docker uses resource isolation features of the Linux kernel such as cgroups and kernel namespaces to allow independent “containers” to run within a single Linux instance, avoiding the overhead of starting virtual machines.

Getting Started

The Docker documentations is very good, so this is where you should start:

Installing Docker

Just follow the guide for your Linux distribution:

On Fedora it looks like this:

[chris@thinkpad ~]$ sudo yum -y install docker-io
[chris@thinkpad ~]$ sudo systemctl start docker
[chris@thinkpad ~]$ sudo systemctl enable docker
[chris@thinkpad ~]$ sudo usermod -a -G docker chris # to run docker without sudo


To securely use USB devices inside Docker containers we need at least Docker 1.2.0. Since Fedora 20 is still shipping Docker 1.1.2 we have to enable the updates-testing repository while installing docker:

[chris@thinkpad ~]$ sudo yum --enablerepo=updates-testing install docker-io

User Guide

Now follow the user guide to get a bit familiar with the basics of Docker:

Docker Security

Some notes about Docker security:

Docker supports a so called “privileged” mode that was previously necessary to access USB devices for example (docker run -t -i -privileged -v /dev/bus/usb:/dev/bus/usb ubuntu bash). But this mode is really unsafe and should not longer be used. The Docker 1.2 release introduced two new flags for docker run --cap-add and --cap-drop that give a more fine grain control over the capabilities of a particular container.

One of the (many!) features of Docker 0.6 is the new “privileged” mode for containers. It allows you to run some containers with (almost) all the capabilities of their host machine, regarding kernel features and device access. [...] Note, however, that there are serious security implications there: since the private Docker instances run in privileged mode, they can easily escalate to the host, and you probably don’t want this!

Dockerizing your Application

The Interactive Approach


Start a new Docker container with Ubuntu 14.04, the first time you start it it will download the Ubuntu 14.04 base image (213 MB) automatically:

[chris@thinkpad ~]$ docker run ubuntu:14.04 /bin/echo 'Hello world'



[chris@thinkpad ~]$ docker run -i -t fedora /bin/bash
[chris@thinkpad ~]$ docker run -i -t fedora:20 /bin/bash

Let’s see what we can do with that image (

[chris@thinkpad ~]$ docker run -it ubuntu:14.04 /bin/bash
root@65a77c4901b3:/# echo "test"> test.txt
root@65a77c4901b3:/# cat test.txt
root@65a77c4901b3:/# exit
[chris@thinkpad ~]$ docker run -it ubuntu:14.04 /bin/bash
root@c688e3146470:/# cat test.txt
cat: test.txt: No such file or directory

As seen above, if we change something and start the image again a new container will be created and all changes are gone, but nothing is lost as we can restart old containers (

The command docker ps shows all our running containers:

[chris@thinkpad ~]$ docker ps
CONTAINER ID        IMAGE               COMMAND             CREATED
c688e3146470        ubuntu:14.04        "/bin/bash"         About a minute ago

STATUS              PORTS               NAMES
Up About a minute                       drunk_torvalds
[chris@thinkpad ~]$

Whereas docker ps -a lists all containers:

[chris@thinkpad ~]$ docker ps -a
CONTAINER ID        IMAGE               COMMAND             CREATED
c688e3146470        ubuntu:14.04        "/bin/bash"         4 minutes ago
65a77c4901b3        ubuntu:14.04        "/bin/bash"         5 minutes ago

STATUS                     PORTS               NAMES
Up 4 minutes                                   drunk_torvalds
Exited (0) 4 minutes ago                       stupefied_mestorf
[chris@thinkpad ~]$

We can use the name of the old container (stupefied_mestorf) to start it again and reattach:

[chris@thinkpad ~]$ docker start stupefied_mestorf
[chris@thinkpad ~]$ docker attach stupefied_mestorf
root@65a77c4901b3:/# cat test.txt

Short form (with container ID or container name):

[chris@thinkpad ~]$ docker start -ai 65a77c4901b3
root@65a77c4901b3:/# cat test.txt


Let’s be paranoid and secure our penguins


The goal of this article is to give a short overview of practical solutions to run untrusted proprietary applications under Linux while limiting the damage that they can do and to prevent possible privacy exploits.

There is a interesting section in the Arch Linux Wiki about Securing Skype that got me thinking about it:

There are a couple of reasons you might want to restrict Skype’s access to your computer: The skype binary is disguised against decompiling, so nobody is (still) able to reproduce what it really does and it produces encrypted traffic even when you are not actively using Skype.

Trust the Vendor

Just assume the software has no security flaws, no remote exploitable bugs, AutoUpdate uses a secure HTTPS connection and checks the certificates, that it does not gather usage statistics or send crash reports that may contain sensitive information...

[chris@thinkpad ~]$ sudo ./proprietary_crap.bin

Pros: No additional work needed

Cons: No protection, the software may break your system, or worse

Comment: It just feels not right, I want a clean system without programs where I don’t know what they are doing in the background.

Different User Account

So this is probably the easiest solution, just add a new user account.


  • Easy to set up

    [chris@thinkpad ~]$ sudo useradd evil
    [chris@thinkpad ~]$ sudo passwd evil
    Changing password for user evil.
    New password:
    Retype new password:
    passwd: all authentication tokens updated successfully.
    [evil@thinkpad ~]$
  • Easy to use “su - special_user”

    [chris@thinkpad ~]$ su - evil
    [evil@thinkpad ~]$ ps -Af|grep chris |tail -n1
    chris    22265     1  0 02:04 ?        00:00:17 okular /var/tmp/sandboxing-notes.pdf --icon okular -caption Okular
    [evil@thinkpad ~]$ ls /home/chris/.gnupg/
    ls: cannot access /home/chris/.gnupg/: Permission denied
    [evil@thinkpad ~]$
  • No extra work needed to start X11 applications

    [evil@thinkpad ~]$ firefox &
    [1] 7628
    [evil@thinkpad ~]$


  • Full network access, using iptables to restrict network access for a single user way too complex and thus prone to security lapses

  • Running on the same X server

    Any application that has access to the X server can do a lot of things. It can snoop on other applications that display windows on the same server. It can log key presses. It can rebind keys. It can inject key presses into other applications. It has access to the clipboard. –

  • See the full process list with command arguments “ps -Af” and more...

  • What about SUID binaries?


  • The user evil should not be allowed to use sudo.
  • At least it protects your files in your home directory a little bit.


Review: Saleae Logic16 Logic Analyzer

My newest toy is a sixteen channel Saleae logic analyzer:

../../../_images/saleae_logic16_1_small.jpg ../../../_images/saleae_logic16_2_small.jpg ../../../_images/saleae_logic16_3_small.jpg

The Saleae Logic16 is one of the very few cross platform logic analyzers available, with application software that runs under Linux, Windows, and on the Mac.

Below you will find my first impressions, if you would like to know something more specific then ask in the comments or have a look at the Saleae homepage.


It works with logic levels between 1.8V and 5V, you either select 1.8V to 3.6V or 3.6 to 5.0V from the menu. The lower voltage settings should work in most circumstances. The 5V setting is provided to reduce the likelihood of channel to channel crosstalk when using 5V signals.

The inputs are protected against overvoltage (high DC impedance, low-capacitance diode clamps) and a resettable fuse protects the USB ground return line.

It can sample 2 channels at 100MHz, 4 channels at 50MHz, 8 channels at 25MHz or all 16 channels at 12.5MHz and can record up to 10 billion samples.

The aluminum case looks high-end and the carrying case is really nice and handy.

I haven’t opened the device and don’t know what’s inside, I would guess some kind of FPGA but that’s all I can tell at the moment. (Update: a very nice review on YouTube:


The software is cross platform and works on Linux, Windows, & Mac. There is also an SDK available for writing your own analyzer plugins in c++ and a device API, which provides low-level access to the logic analyzer.


  • Download the Logic 1.1.15 (64-bit).zip from or the beta version from
  • Extract it somewhere
  • And run the install_driver script, which only copies the udev rules file 99-SaleaeLogic.rules to /etc/udev/rules.d/99-SaleaeLogic.rules


  • Supported Protocols: asynchronous serial, I2C, SPI, CAN, 1-Wire, UNI/O, I2S/PCM, MP Mode 9-bit Serial (i.e. Multidrop and Multiprocessor mod), Manchester, DMX-512, Parallel, JTAG*, LIN*, Atmel SWI*, MDIO*, BiSS C*, PS/2 Keyboard/Mouse*, HDLC*, HMDI CEC*, and USB 1.1*. (* currently in beta)
  • Measure pulse wide and period and calculate frequency
  • Measurement cursors
  • Export data in different formats
  • ...

Some experiments

Generally a logic analyzer has the advantage (compared to using another micro controller, what I’ve done until now), that you can not only see the decoded data, but also the timings and that you can analyze unspecified protocols. A logic analyzer has also mush more channels than an oscilloscope and can capture a large amount of digital data.

Async serial

Recently I bought some cheap FT232RL USB to TTL serial adapters from eBay that work with 3.3V and 5V logic levels.

After adding a serial decoder and specifying which channel should be decoded I can see the decoded characters right above the signal:

Saleae Logic16: Decoding "Test\r\n"

Saleae Logic16: Decoding “Test\r\n”


Arch Linux ARM: Network tools missing



The newest Arch Linux ARM image for the OLinuXino ( ships without the tools needed to configure a wireless connection.


Other people are experiencing the same problem, why remove such fundamental tools, and the hint pacman -S wireless_tools is not very helpful if you have no internet connection.

So how should I install additional tools if can’t setup an internet connection.

Let’s try to download them on another PC, copy them to the SD card and then install them on the OLinuXino.


Installing CadSoft Eagle 6.5 in Fedora 19 x86_64

“Linux users please download the file and run it. This self-extracting shell script will guide you through the setup process. You may need to click on the above link with the right mouse button and select “Save Link As…”. To run this file you need to make it executable, or enter “sh” in a shell window. System requirements: Linux based on kernel 2.6 for Intel computers, X11 with a minimum color depth of 8 bpp, 32-bit runtime environment with the libraries and”


32-bit runtime libraries

[chris@thinkpad ~]$ sudo yum install glibc.i686 libXrender.i686 libXrandr.i686 libXcursor.i686 libXi.i686 freetype.i686 fontconfig.i686 libstdc++.i686 zlib.i686 and

[chris@thinkpad ~]$ sudo yum install openssl-libs.i686
[chris@thinkpad ~]$ sudo ln -s /usr/lib/ /usr/lib/
[chris@thinkpad ~]$ sudo ln -s /usr/lib/ /usr/lib/ and

Not longer needed.

[chris@thinkpad Downloads]$  yum install glibc-devel.i686 zlib-devel.i686
[chris@thinkpad Downloads]$ wget
[chris@thinkpad Downloads]$ tar -xzf libpng-1.4.12.tar.gz
[chris@thinkpad Downloads]$ cd libpng-1.4.12
[chris@thinkpad libpng-1.4.12]$ ./configure --prefix=/usr --build=i686-pc-linux-gnu "CFLAGS=-m32" "CXXFLAGS=-m32" "LDFLAGS=-m32"
[chris@thinkpad libpng-1.4.12]$ make
[chris@thinkpad libpng-1.4.12]$ sudo make install
[chris@thinkpad Downloads]$ wget
[chris@thinkpad Downloads]$ tar -xzf jpegsrc.v8d.tar.gz
[chris@thinkpad Downloads]$ cd jpeg-8d/
[chris@thinkpad jpeg-8d]$ ./configure --prefix=/usr --build=i686-pc-linux-gnu "CFLAGS=-m32" "CXXFLAGS=-m32" "LDFLAGS=-m32"
[chris@thinkpad jpeg-8d]$ make
[chris@thinkpad jpeg-8d]$ sudo make install

And finally Eagle

[chris@thinkpad Downloads]$ wget
[chris@thinkpad Downloads]$ sh

Now you only need to create a menu entry in your launcher and the install is complete.

Tiny, hackable (?) quadcopter from China for EUR 22 / USD 35

I have a cool new gadget that is probably hackable too! Have a look:

I’ve ordered it on 21st of September from eBay and received it on 12th of October.


Embedded development with open source tools on Windows

Hello World from MinGW

Hello World from MinGW

Get a proper editor

You probably want to install Notepad++ or Programmer’s Notepad:

Install the GCC ARM Embedded toolchain

GNU Tools for ARM Embedded Processors:

Download the Windows installer from, for example:

And install it clicking everywhere next but choose a path without spaces, like C:\tools\gcc-arm-4.7-2013q3.

GCC ARM install location

GCC ARM install location


Received my MC HCK prototype boards

My first MC HCK

My first MC HCK


The MC HCK (pronounced: “McHack” [mæk hæk]) is a small, cheap, and versatile microcontroller platform that supports USB for easy programming, and can be built at home for $5. The MC HCK enables everybody to build big and small projects, because spending >$20 for other microcontroller boards is just too much.

Quick Specs

Dimensions: 50mm x 20mm
Platform: ARM Cortex-M4 (DSP, no FPU)
MCU: Freescale MK20DX32VLF5: 8KB RAM, 32KB program flash + 32KB data flash
Data Sheet:
Reference Manual:
Application Notes etc:
Interface: USB, I2C, SPI, UART, I2S
Programming: via USB bootloader (DFU, Direct Firmware Update)
Debugging: A second MC HCK can be used as debug adapter
Board options: mounting hole, LiPo charger, nRF24L01+ directly pluggable, up to 8Mbit flash, LDO, buck regulator, boost regulator, RTC crystal

I’ve already ordered a MC HCK prototype kit in July (, they were ready for dispatch on 30th September and now I have received them.


MC HCK Envelope

MC HCK Envelope

The letter contained the following components:

MC HCK Prototype Kit Contents

MC HCK Prototype Kit Contents