A car from 1940 would have been an almost completely mechanical device. These days though, a car without electricity wouldn’t run. It’s not the engine – it’s the computers; the design details of which automotive manufacturers would love to keep out of the hands of hardware hackers like us. [Mastro Gippo] wanted to build a small and powerful CAN bus reverse engineering tool, and the Crunchtrack hits it out of the park. It’s a CAN bus transceiver, GPS receiver, and GSM modem all wrapped up into a single tiny device that fits under your dash.
[Mastro] has a slight fetish for efficiency and tiny, tiny devices, so he’s packaging everything inside the shell of a standard ELM327 Bluetooth adapter. This is a device that can fit in the palm of your hand, but still taps a CAN bus (with the help of a computer), receives GPS, and sends that data out over cell phone towers.
The device is based on the STM32 F3 ARM microcontroller (with mbed support), a ublox 7 GPS module, and an SIM800 GSM module, but the story doesn’t stop with hardware. [Mastro] is also working on a website where reverse engineering data can be shared between car hackers. That makes this an excellent Hackaday Prize entry, and we can’t wait to see where it goes from here.
Filed under: The Hackaday Prize
There are many different ways to keep your plants watered on a schedule. [Luca Dentella] just created a new one by building the irrighino watering system. He used standard off-the-shelf hardware to keep it simple. Irrighino is a complete watering system based on the Arduino Yun, featuring a user-friendly AJAX interface. This allows scheduling in a manner similar to creating appointments in Outlook. It’s also possible to manually control the various water solenoids. The code is fully customizable and open source, with code available from [Luca’s] github repository. The web interface is divided into three tabs – “runtime” for manual control, “setup” to configure the scheduling, and “events” to view system logs.
The Arduino Yun activates solenoid valves via a relay shield. A switch panel has status indicator LEDs and three-position switches. These allow the outputs to be switched off or on manually, or controlled via the Yun when in auto mode. [Luca] describes how to read the three states of the switch (On-Off-On) when connected to a single analog input of the Arduino. He’s also got another tutorial describing how to connect a USB WiFi adapter to the Yun. This is handy since the Yun is mounted inside an enclosure where the signal strength is very weak. While the Yun has on-board WiFi, there is no possibility to attach an external antenna directly to the test SMA socket.
One interesting part is the commercial rain sensor. It’s a switch surrounded by a spongy material. When this material absorbs rain water, it begins to expand and triggers the switch. The Arduino sees the sensor as a simple digital input.
Check out a short demo of his system in the video after the break.
Filed under: Arduino Hacks, green hacks
We’re big fans of the Zynq, which is an answer to the question: what do you get when you cross a big ARM processor with a big FPGA? So it isn’t surprising that [GregTaylor’s] project to emulate the OPL3 FM Synthesis chip in an FPGA using the Zynq caught our eye.
The OPL3 (also known as the Yamaha YMF262) was a very common MIDI chip on older PC sound cards. If you had a Sound Blaster Pro or 16 board, you had an OPL3 chip in your PC. The OPL3 was responsible for a lot of the music you associate with vintage video games like Doom. [Greg] not only duplicated the chip’s functions, but also ported imfplay from DOS to run on the Zynq’s ARM processors so he could reproduce those old video game sounds.
The Zybo board that [Greg] uses includes an Analog Devices SSM2603 audio codec with dual 24-bit DACs and 256X oversampling. However, the interface to the codec is isolated in the code, so it ought to be possible to port the design to other hardware without much trouble.
To better match the original device’s sampling rate with the faster CODEC, this design runs at a slightly slower frequency than the OPL3, but thanks to the efficient FPGA logic, the new device can easily keep up with the 49.7 kHz sample rate.
Filed under: ARM, FPGA, musical hacks
The internet only just got over Lexus’ real working hover board, but as it turns out, a team of researchers from the University of Paris Diderot already built one, over 4 years ago (machine translation)!
Using the same principles as the hover board Lexus built, the researchers built a very expensive neodymium magnet track to test the board on. The only difference here is that they didn’t hide the magnets. The hover board itself was machined out of wood, and houses a large sealed metal tray which contains the superconducting bricks.
Pour in some liquid nitrogen through the funnel, and you’re ready to witness some of the quantum properties of superconductors! The board floats a few centimeters above the magnetic rails, and in their tests was able to lift people over 100 kg in weight (hint for most Americans… there are 2.2 pounds to one kilogram).
The funny thing is, the French researchers make no mention of BTTF, and instead, compare its likeness to the flying carpet from Arabian Nights… Seems like a bit of a stretch to us.
[Thanks for the tip Pierre!]
Filed under: transportation hacks
Ahh DEF CON! One group of hackers shows off how they’ve broken into all sorts of cool devices and other hackers (ahem… “security professionals”) lament the fact that the first group were able to do so. For every joyous “we rooted the Nest thermostat, now we can have fun” there’s a doom-mongering “the security of network-connected IoT devices is totally broken!”.
And like Dr. Jekyll and Mr. Hyde, these two sides of the hacker persona can coexist within the same individual. At Hackaday, we’re totally paranoid security conscious, but we also like to tinker with stuff. We believe that openness and security are best friends forever. If you can open it, you can see if it’s well-made inside, at least in principle. How do we reconcile this with the security professional’s demand for devices that only accept signed binary firmware updates so that they can’t be tampered with?
We’ve got no answers, but we’ve got plenty of questions. Read on, and let us know what you think.
On Hackability vs. Security
How many home-automation hackers have gotten their start by “reversing” the simple radio protocol that those el-cheapo 432 MHz sockets use? We’ve seen our fair share of projects. (And an Arduino library.) Why? Because they’re cheap and because it’s easy. They’ve got five bits for the channel ID, everything else is straightforward, and you can use any one-dollar 432 MHz transmitter to get the job done. It’s like the RF garage-door openers of old, only simpler. For the tinkerer in us, these RF power sockets are a godsend.
But from a security perspective, they’re a disaster. Of course, the sockets could be equipped with a much more complicated unique ID to increase security. But that raises the barrier to DIY hacking with the device (not that it would stop anyone) and still doesn’t protect you against replay attacks anyway. Totally insecure!
Now the risk of abuse of these RF-controlled power sockets is pretty small. Unlike the garage door example, nobody is breaking into your house by turning your hallway lights on and off. Even if they were, they’d have to get fairly close to your house to do so. If you’ve got someone willing to camp outside your house with RF gear, you’ve got trouble already. So perhaps the balance between hackability and security is ok for these devices?
Enter the IoT
This changes when one brings the Internet to the Things. Exposing yourself not just to your neighbors, but to the whole world, dramatically enlarges the attack surface. Not like we need to be told this. But for some device manufacturers, it was a shocking realization, and they’re responding by locking everything down, and we get sold this story that it’s to protect the consumer from the hacker. IoThings must be secured! You don’t want strangers screaming at your baby, right? (Hint: change the default password.)
But what happens when the hacker and the consumer are the same person? We all know that there’s an embedded Linux distribution inside the Sony BDP-S5100 Blu-Ray player, and we all want at it, but Sony won’t let us play with it because they also want to prevent hackers from getting at it. (Not that it stops anyone.) It’s supposedly made more secure by not being modifiable.
We think not. And a decent consumer counterexample is the Nexus series of smartphones. With a few clicks you can unlock the bootloader and load up a custom OS on the device. Because the bootloader normally requires physical access, this isn’t particularly a security problem. Because you can flash whatever the heck you want in there, the phone is vastly modifiable. Want root? Get root. The Sony Blu-Ray player could be the same.
It’s all about how you give control to the consumer to modify their own device, and there are more or less secure ways to do so. Then why do we see so many devices simply locked down, with no allowances for modifiability? Are the manufacturers just lazy? Or are hackers just too small a market to matter?
Hardware with a “Service”
We fear that there’s something yet more sinister afoot: the razor-blade pricing model. You get the razor for free, but you’ve got to buy corresponding blades at a markup. Or you buy the inkjet printer cheap, but pay ridiculous sums for ink cartridges (Cory Doctorow touched on this in his DEF CON talk). Or you buy the Kodak Brownie camera for $1 in 1900, and make the Eastman Kodak film company dominant for nearly a century.
Now there’s nothing wrong with this pricing model as long as the consumer knows what they’re getting into ahead of time. But suppose you’re a hacker and you’d like to do something out of the ordinary?
Take the Wink Hub, which was busted at last year’s Defcon. It’s a great home-automation device, and at $50 it’s cheap for what it does. But you have to use their app, run through their online service, to control the electronics in your own home. Want to connect to the Wink from your computer? Sorry. Your tablet? Nope. Run your own server? Dream on.
And why? We don’t think that it’s because of security, here. Instead, it’s that whatever data they’re harvesting from you is worth cash money, and they’ve got a vested interest in keeping you from hacking that away from them. And you can’t really blame them — their business model relies on the revenue stream. They can’t give away the razors if they can’t make up their money on the blades.
But as an unfortunate byproduct of this business model, if you want to integrate your Wink into your OpenHAB system, you’ve got to break your way into the device. Which means that you’re always going to be fighting with the manufacturer, and that’s a shame.
Ideas?
We hackers are Jekyll and Hyde; we insist on devices being open(able) and secure. And what’s worse, we’d like them cheap. It’s not clear we can have all of these things at once, and maybe it’s important to think about the tradeoffs. One man’s insecure firmware is another’s extensible and debuggable firmware, and what “security” even means may depend on whether you’re asking the consumer or the device manufacturer.
What’s your take on IoT security? Can one have too much security? Are security and hackability in conflict or are they mutual prerequisites? Do you have better examples? Can we hope for inexpensive, modifiable, and secure gear? Or do we just gotta keep hacking?
Filed under: Hackaday Columns, security hacks
2015 was the year of the unofficial hardware badge at DEF CON 23. There were a ton of different hardware badges designed for the love of custom electronics and I tried to catch up with the designer of each different badge. Here is the collection of images, video demos, and build details for each one I saw this weekend.
Whiskey Pirates
[TrueControl] did a great job with his badge design this year for the Whiskey Pirate Crew. This is a great update from the badge he designed last year, keeping the skull and bones outline. It uses a PSOC4 chip to control a ton of LEDs. The eyes are RGB pixels which are each on their own PCB that is soldered onto the back of the badge, with openings for the LED to show through. Two AA batteries power the board which has a surface-mount LED matrix. The user controls are all capacitive touch. There is a spinner around one eye, and pads for select and back. The NRF24L01 radio operates at 2.4GHz. This badge is slave to commands from last year’s badge. When the two are in the same area the 2015 badges will scroll the nickname of the 2014 badge it “sees”. The piezo element also chirps many different sounds based on the interactions with different badges.
[True] makes design an art form. The matte black solder mask looks fantastic, and he took great care in use of font, size, alignment, and things like letting copper show through for a really stunning piece of hardware art.
Keep reading for ten more great badges seen over the weekend.
DEF CON Shoot
[Seeess] designed this badge for the DEF CON shoot. It was his first time working with microcontrollers. He programmed all of the firmware himself but did have help with the board layout. It includes a microphone, two buttons, a tilt sensor, and a six-digit 7-segment display module. There are a ton of features built into it, including a shot counter (based on sound), reflex sensor, VU meter (demonstrated at one of the parties), and a ton of other visualizations. There’s a forum thread on the badge and the code is available, as well as several demo videos like the one found below. A nice touch is that the lanyard sold with the device (the badge was $25) glows in the dark.
Crypto Badge
The Crypto Badge was on sale for $25. It has twelve LEDs around the perimeter of the circle, with two 4-character bubble displays and two buttons as the user interface. When you plug it in, not a lot happens. You need to enter words and codes in the interface to get the badge to do things. In addition to that cryptic interface there is a cipher on the back of the board and another on the lanyard.
The MSP430G2955-based board has firmware written by [Karl Koscher], with hardware design by [Jorge Lacoste]. One of the coolest surprises they showed me is a mode that turns the badge into a super-low-power AM transmitter. Set it right on top of a radio and you will hear the Tetris song playing!
Car Hacking Badge
This badge could be purchased at the Car Hacking Village and includes an OBD2 plug. The set of headers and jumpers lets the user choose between the different CAN bus connections (low speed, high speed, 1-wire). An STM32 Cortex-M0 chip drives the device and is scripted in the Pawn language.
Queercon
I didn’t have any luck tracking down the maker of the Queercon 11 badge, but hopefully the webpage on the device will be updated soon. I believe it was selling for $125 and was an exquisite badge delivered in a box with some neat art on the lid. When you first turn it on, you name your character and then take it through a Tamagotchi-style life cycle. The badge is aware of other badges in the area.
DC801
The DC801 crew from Salt Lake City had a huge badge housed in a CNC milled enclosure. It has RGB LED strips on either side, and features a huge LCD display, two analog sticks, two buttons, and a rotary encoder. They do a pre-sale each year and this badge gets you into their party.
There is a Propeller chip running the screen and the wireless socket for an XBee radio. An ATmega328p handles the analog sticks, rotary encoder, and buttons. 10-15 people in two hackerspaces (theTransistor and 801 Labs) worked on the project, with the former handling most of the hardware and the latter organizing the logistics of the group’s appearance at the con.
There was a snafu with the LCD supplier. The screens arrived with the wrong chipset and were not working in time for the event. This will be fixed as the FTDI chip in the unit has a bus selector switch that allows firmware update for both the Prop and the AVR.
DC503
The DC503 badge is shaped like a bicycle and creator [Joe Fitz] (@securelyfitz) used that theme well in the design. The 14 LEDs on the board are mounted on the back and shine through the substrate to the front. An ATtiny85 drives the LEDs using two PWM channels. The setup drives 4 LEDs from VCC to PWM1, and four more from PWM1 to GND. They are driven out of phase and the same trick is used on the other PWM pin. Control is provided by capacitive buttons: one on the gears speeds up rotation (as if you’re pedaling), and one on the handlebars (where the brakes would be) slows it down.
The board is your entry into the DC503 party. The badges were acquired by crowdfunding backers. 100 boards were spun; they populated 50 for the backers and another 10 were assembled on-site for the organizers. DC503 is a group of friends in Portland, many of whom are involved with the CTRL-H Hackerspace.
Mass Hackers
This one isn’t really “unofficial”, the DarkNet badge has become a hot item each year at DEF CON. I was unable to get one last year and this year I just barely got my hands on one. It is sold as a kit for $25 and when I tried to get one on Friday afternoon they were sold out. Another 200 were sold on Saturday morning and it was about a 90 minute wait for me and I was probably about 150th in line.
The badge was designed by [Smitty] and [Krux] (who has been a great friend of Hackaday). It is Arduino based and uses IR to communicate with other badges. You find someone wearing an assembled badge and point them at each other for a few seconds to exchange badge identifiers. This is part of the DarkNet challenge that encourages attendees to solve puzzles and try out different activities at the con. This year’s design is very similar to last year’s so take a look at that repo for more info.
Misc Badges
There were a ton of miscellaneous hardware offerings and admittedly I didn’t get pictures of very many of them. Above you can see two that [Christian] was wearing at the con. PipMan is a project on Hackaday.io. It features a color OLED screen, and the Propeller-driven wearable lives on a leather wristband. It shows the time, using GPS sync to keep it accurate, and includes temperature, compass, and some ancillary functions. He was also wearing an NSL Cylon v2, which is a kit for surface-mount soldering practice.
Please Share
I spent a lot of time trying to track down details of these badges. If you enjoyed reading about them, please help me out by sharing this post around so that others can enjoy it as well. Thanks!
Update:
If you had a hardware badge at DEF CON that didn’t make it into this roundup, please email me (mike at the most obvious domain). I’d love to do a “badges I somehow missed at DEF CON” post!
Filed under: cons, Featured, roundup, slider
We’re still not too sure if the Amazon Dash button is a brilliant marketing and advertising ploy, or is just downright stupid. But what we do know, is for $5, it’s a lot of hackable tech that could be used for more… useful purposes. The big A sells these dash buttons for one purpose — you push the button and whichever product is assigned to it shows up on your doorstep in a few days. [Ted Benson] wanted them to do more than that so he turned a few dash buttons into a way of tracking his baby’s health!
Apparently, data acquisition of your baby’s wake-up times and poops is useful to identify health patterns. [Ted] tried using some phone apps to keep track of this stuff, but found it would be a lot easier if there was just a big button on the wall or something… which is where he got the idea to make use of the Amazon Dash button.
It’s actually really simple to do. Buy the dash button, do the setup with Amazon… but don’t do the final step: selecting the product you want to order. If you don’t select anything, you won’t order anything…
The beauty of the dash button is that it’s designed to save power, which means it only turns itself on when you press the button.
Every time it boots up it has to reconnect to your WiFi network. This is a terribly simple thing to track and record using a simple Python script.
Record the MAC address of each dash button, and all you have to do is sniff the WiFi network for the ARP probe that gets sent out by the button! It’s so simple, you can pretty much copy and paste the code from [Ted’s] blog and do it yourself. Think this isn’t useful to you? Human fingers aren’t the only way to push buttons — rig this up mechanically or electrically and you can easily record recurring events.
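The detection [Ted] describes, written out as an added example (my code, not [Ted]’s script): a pure-Python parser for the ARP probe a freshly booted Dash button sends, matched against a table of known button MACs, with a debounce so the several probes one press produces count as a single event. The button MACs and every frame in the demo capture are constructed placeholders; on a live network the same observe() call would be fed raw frames from a capture tool.

```python
"""Turn Dash-button ARP probes into timestamped events (added example; all frames below are constructed)."""
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

ETHERTYPE_ARP = 0x0806
ARP_REQUEST = 1

# Placeholder button MACs (locally administered 02: prefix, not real Amazon addresses).
DASH_BUTTONS = {
    "02:00:00:00:00:01": "baby woke up",
    "02:00:00:00:00:02": "diaper change",
}


def _mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def _ip(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


@dataclass
class ArpPacket:
    opcode: int
    sender_mac: str
    sender_ip: str
    target_ip: str


def parse_arp(frame: bytes) -> Optional[ArpPacket]:
    """Parse an Ethernet II frame; None unless it carries IPv4-over-Ethernet ARP."""
    if len(frame) < 42:
        return None
    _dst, _src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, oper, sha, spa, _tha, tpa = struct.unpack(
        "!HHBBH6s4s6s4s", frame[14:42])
    if htype != 1 or ptype != 0x0800 or hlen != 6 or plen != 4:
        return None
    return ArpPacket(oper, _mac(sha), _ip(spa), _ip(tpa))


def is_arp_probe(pkt: ArpPacket) -> bool:
    """An ARP probe (RFC 5227) is a request whose sender IP is 0.0.0.0: the host has
    just joined and is checking that the address it wants is free. That is what the
    button sends every time it wakes up and reconnects."""
    return pkt.opcode == ARP_REQUEST and pkt.sender_ip == "0.0.0.0"


class DashTracker:
    """Maps probes from known button MACs to events, collapsing the burst of
    probes one press produces (a host sends several, spaced well under a second)."""

    def __init__(self, buttons: Dict[str, str], debounce_s: float = 5.0):
        self.buttons = {mac.lower(): label for mac, label in buttons.items()}
        self.debounce_s = debounce_s
        self._last: Dict[str, float] = {}

    def observe(self, frame: bytes, now: float) -> Optional[str]:
        pkt = parse_arp(frame)
        if pkt is None or not is_arp_probe(pkt):
            return None
        label = self.buttons.get(pkt.sender_mac)
        if label is None:
            return None                       # some other device joining the network
        last = self._last.get(pkt.sender_mac)
        if last is not None and now - last < self.debounce_s:
            return None                       # same press, repeated probe
        self._last[pkt.sender_mac] = now
        return label


def build_arp(sender_mac: str, sender_ip: str, target_ip: str) -> bytes:
    """Constructed test frame: broadcast Ethernet header plus an ARP request."""
    sha = bytes.fromhex(sender_mac.replace(":", ""))
    eth = struct.pack("!6s6sH", b"\xff" * 6, sha, ETHERTYPE_ARP)
    spa = bytes(int(x) for x in sender_ip.split("."))
    tpa = bytes(int(x) for x in target_ip.split("."))
    arp = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, ARP_REQUEST, sha, spa, b"\x00" * 6, tpa)
    return eth + arp


def run_demo() -> List[Tuple[float, str]]:
    """Replay a constructed capture of (seconds, frame) through the tracker."""
    capture = [
        (0.0, build_arp("02:00:00:00:00:01", "0.0.0.0", "192.168.1.77")),   # press 1, probe 1
        (0.3, build_arp("02:00:00:00:00:01", "0.0.0.0", "192.168.1.77")),   # same press, probe 2
        (0.6, build_arp("02:00:00:00:00:01", "0.0.0.0", "192.168.1.77")),   # same press, probe 3
        (1.0, build_arp("02:00:00:00:00:aa", "192.168.1.10", "192.168.1.1")),  # ordinary ARP, not a probe
        (12.0, build_arp("02:00:00:00:00:02", "0.0.0.0", "192.168.1.78")),  # second button
        (12.2, build_arp("02:00:00:00:00:ee", "0.0.0.0", "192.168.1.79")),  # unknown device joining
        (40.0, build_arp("02:00:00:00:00:01", "0.0.0.0", "192.168.1.77")),  # first button again
    ]
    tracker = DashTracker(DASH_BUTTONS)
    events = []
    for ts, frame in capture:
        label = tracker.observe(frame, ts)
        if label is not None:
            events.append((ts, label))
    return events


if __name__ == "__main__":
    for ts, label in run_demo():
        print(f"t={ts:5.1f}s  {label}")
```

A real button’s MAC is read off the first probe you see after pressing it; the 02: addresses here are only placeholders.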
And for more information about the tech inside the Dash button? Check out our Dash button tear down coverage.
Filed under: Network Hacks
Looking for an easy way to manage wire when prototyping PCBs? Ever consider using a mechanical pencil to dispense it? Turns out, it works pretty well — and all you need is a 3D printed attachment!
[Proto G] is using a Papermate 0.5mm mechanical pencil, which means if you get 0.5mm wire (or solder) you can use it to dispense the wire without tangling your spool. In the demonstration, he uses 0.5mm magnet wire which has a thin enamel coating on it and melts away easily when you solder it.
The 3D printed wire-spool and guide snap onto the back of the mechanical pencil allowing you to load it up with a considerable amount of wire for prototyping. He has all the .STL files available on his Instructable in case you want to add this tool to your workshop.
Next up, why not make a solder paste dispenser too?
Filed under: 3d Printer hacks
The well-dressed hacker [Sean Hodgins] has put together a neat little project: a battery powered remote shutter. He built it for use with Beme, the latest Snapchat clone that all of the cool kids are now using.
This service is designed to get away from the selfie culture by starting to record when you hold your phone against your chest, so you are looking at the thing being recorded, not your phone. [Sean] wanted a bit more control than that, so he built a remote control that starts the recording by moving the servo arm over the proximity sensor.
He built this neat little device from an Arduino Pro Mini, a battery, a small servo, a couple of power control boards and a cheap RF link from Seeed Studio, all glued onto an iPhone case. It’s a bit rough around the edges (the servo makes some noise that is picked up on the recording, for one thing), but it is a great example of how to lash together a quick prototype to test a project out.
Filed under: Arduino Hacks, digital cameras hacks
For his Hackaday Prize entry, [MIPS ARMSTRONG] is working on an open-source terrarium that will be one of the fastest ways to grow foodstuffs or other edible greens. He’s calling it Project EDEN, and it’s shaping up to be one of the most advanced homebrew horticultural devices ever made.
There are a few things that make this indoor greenhouse unique. The most obvious is the incredible number of LEDs used as grow lights. [MIPS] is using 900 Watts worth of Royal Blue and Deep Red LEDs. To water these plants, [MIPS] is taking a cue from NASA and building a High Pressure Aeroponics system – a device that shoots droplets of water only 50 microns in diameter directly onto the roots of the plants.
One of the more interesting aspects of EDEN is the CO2 system. The bulk of plant biomass – like humans – comes from carbon, and plants get their carbon from the atmosphere. Studies have shown that increasing the concentration of CO2 in a grow chamber can increase plant growth. There is a limit before CO2 becomes toxic to plants, so [MIPS] will have to keep a close eye on the CO2 levels with gas sensors.
With high-pressure watering, a CO2 system, and an amazing array of LEDs, this is one of the most advanced homebrew horticulture projects on the planet. It’s also a great fit for this year’s Hackaday prize theme of ‘build something that matters’, and we can’t wait to see [MIPS]’s future developments of his awesome aeroponic terrarium.
Filed under: Hackaday Columns, The Hackaday Prize
The term “workflow” gets thrown around a lot these days. For example, say you own a 3D printer and you just came up with an idea. The temptation is to go straight to your favorite CAD tool, start designing the finished product, and then hit print. That, in many cases, can be the worst thing you could do. You would be missing out on all the variation and design choices you can easily try out with a simple series of drawings.
So, you’ve worked out your drawing, played with the design a bit, and now it is time to design in 3D on the computer right? Not so fast. Depending on the nature of the design, you might want to follow this nice tutorial from [Willy Nicholas] on how to quickly make a cardboard prototype.
Now, obviously this won’t work on all designs. But it’s a tool everyone should keep in their bag of tricks. It allows for basically free, quick mock ups that you can hold in your hand. That last bit is important, because having something you can touch and see is a huge part of the design process.
You can also use cardboard as an excellent device for making templates for working with materials such as sheet metal. In case you haven’t seen it, check out “Project Binky” to see what a couple of blokes in England are able to accomplish with nothing much more than a welder, a grinder and some cardboard.
Filed under: tool hacks
We should come clean right up front. We like blinky stuff, tech art, smoke machines, and dark atmospheric electronic music. This audiovisual installation piece (scroll down) by [supermafia] ticks off all our boxes. As the saying doesn’t really go, writing about site-specific audiovisual art pieces is like dancing about architecture, so go ahead and watch the video (Vimeo) below the break.
But writing words is our duty. So without too many spoilers, here’s what we like about this piece: it’s all about the pacing and introducing one element after the next to keep the viewer interested for the five-minute running time.
Any good story has an arc — starting off simply, then a problem arises that leads to an epic battle, and finally a resolution. Here, it’s the timing of spooky moments and the increasing addition of visual elements that build up over time, to the point that they become almost confusing after 4:10. After that you’re left staring at your own reflection. Sweet.
Filed under: misc hacks
Ever consider monitoring the air quality of your home? With the cost of sensors coming way down, it’s becoming easier and easier to build devices to monitor pretty much anything and everything. [AirBoxLab] just released open-source designs of an all-in-one indoor air quality monitor, and it looks pretty fantastic.
Capable of monitoring Volatile Organic Compounds (VOCs), basic particulate matter, carbon dioxide, temperature and humidity, it takes care of the basic metrics to measure the air quality of a room.
All of the files you’ll need are shared freely on their GitHub, including their CAD — but what’s really awesome is reading back through their blog on the design and manufacturing process as they took this from an idea to a full fledged open-source device.
Did we mention you can add your own sensors quite easily? Extra ports for both I2C and analog sensors are available, making it a rather attractive expandable home sensor hub.
To keep the costs down on their kits, [AirBoxLab] relied heavily on laser cutting as a form of rapid manufacturing without the need for expensive tooling. The team also used some 3D printed parts. Looking at the finished device, we have to say, we’re impressed. It would look at home next to a Nest or Amazon Echo. Alternatively if you want to mess around with individual sensors and a Raspberry Pi by yourself, you could always make one of these instead.
Filed under: 3d Printer hacks, home hacks
Our favorite mechanical master of woodworking, [Matthias Wandel], is at it again, this time making an endless staircase for a Slinky. Making an escalator out of 2×4s and other lumber bits looks fairly easy when condensed down to a two and a half minute video. In reality a job like this requires lots of cuts, holes, and a ton of planning.
The hard part of this build seemed to be the motor arrangement. There is a sweet spot when it comes to Slinky escalator speeds. Too fast, and you’ll outpace the Slinky. Too slow, and the Slinky flies off the end of the escalator. Keeping the speed in check turned out to be a difficult task with the coarse speed control of a drill trigger. The solution was to ditch the drill and build a simple hand crank mechanism. The Slinky now can cascade down stairs as long as your arm holds out.
Join us after the break for 3 videos: the making of the escalator, a 140 step demonstration video, and a followup video (for geeks like us) explaining where the idea came from, what’s wrong with the machine and possible improvements.
Thanks to [Jim Lynch] for the tip.
Filed under: toy hacks
HDMI is implemented on just about every piece of sufficiently advanced consumer electronics. You can find it in low-end cellphones, and a single board Linux computer without HDMI is considered crippled. There’s some interesting stuff lurking around in the HDMI spec, and at DEF CON, [Joshua Smith] laid the Consumer Electronics Control (CEC) part of HDMI out on the line, and exposed a few vulnerabilities in this protocol that’s in everything with an HDMI port.
CEC is designed to control multiple devices over an HDMI connection; it allows your TV to be controlled from your set top box, your DVD player from your TV, and passing text from one device to another for an On Screen Display. It’s a 1-wire bidirectional bus with 500 bits/second of bandwidth. There are a few open source implementations like libCEC, Android HDMI-CEC, and even an Arduino implementation. The circuit to interface a microcontroller with the single CEC pin is very simple – just a handful of jellybean parts.
[Joshua]’s work is based off a talk by [Andy Davis] from Blackhat 2012 (PDF), but greatly expands on this work. After looking at a ton of devices, [Joshua] was able to find some very cool vulnerabilities in a specific Panasonic TV and a Samsung Blu-ray player.
A certain CEC command directed towards the Panasonic TV sent a command to upload new firmware from an SD card. This is somewhat odd, as you would think firmware would be automagically downloaded from an SD card, just like thousands of other consumer electronics devices. For the Samsung Blu-Ray player, a few memcpy() calls were found to be accessed by CEC commands, but they’re not easily exploitable yet.
As far as vulnerabilities go, [Joshua] has a few ideas. Game consoles and Blu-ray players are ubiquitous, and the holy grail, setting up a network connection over HDMI Ethernet Channel (HEC), would be the keys to the castle in a device no one would ever think of taking a close look at.
Future work includes a refactor of the current code, and digging into more devices. There are millions of CEC-capable devices out on the market right now, and the CEC commands themselves are not standardized. The only way for HDMI CEC to be a reliable tool is to figure out commands for these devices. It’s a lot of work, but makes for a great call to action to get more people investigating this very interesting and versatile protocol.
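An added example (my code, not [Joshua]’s tooling or libCEC) covering the CEC framing described above and the receive-side consequence of the Panasonic finding: CEC frames are a header block (4-bit initiator and destination logical addresses) followed by an optional opcode block and parameter blocks, so a device that only ever needs the standard opcodes can reject anything else before it reaches a command handler. Address and opcode tables are from the CEC specification; the TV allowlist and length checks are my assumptions about what a sink should accept, and bit-level timing (start bit, EOM/ACK) is not modelled.

```python
"""HDMI-CEC frame encode/decode plus a receive-side opcode allowlist (added example)."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Logical addresses, CEC spec (4 bits; 15 is both "unregistered" source and broadcast target).
LOGICAL_ADDRESSES = {
    0: "TV", 1: "Recording 1", 2: "Recording 2", 3: "Tuner 1", 4: "Playback 1",
    5: "Audio System", 6: "Tuner 2", 7: "Tuner 3", 8: "Playback 2", 9: "Recording 3",
    10: "Tuner 4", 11: "Playback 3", 12: "Reserved", 13: "Reserved", 14: "Specific Use",
    15: "Unregistered/Broadcast",
}
# A subset of standard opcodes; anything else is either rare, vendor-specific or unknown.
OPCODES = {
    0x00: "Feature Abort", 0x04: "Image View On", 0x0D: "Text View On", 0x36: "Standby",
    0x46: "Give OSD Name", 0x47: "Set OSD Name", 0x64: "Set OSD String",
    0x82: "Active Source", 0x83: "Give Physical Address", 0x84: "Report Physical Address",
    0x85: "Request Active Source", 0x87: "Device Vendor ID", 0x89: "Vendor Command",
    0x8C: "Give Device Vendor ID", 0x8F: "Give Device Power Status", 0x90: "Report Power Status",
    0x9E: "CEC Version", 0x9F: "Get CEC Version", 0xA0: "Vendor Command With ID", 0xFF: "Abort",
}
BROADCAST = 15
MAX_OSD_NAME = 14     # Set OSD Name carries up to 14 ASCII characters
MAX_OSD_STRING = 13   # Set OSD String: one display-control byte, then up to 13 characters


@dataclass
class CecFrame:
    initiator: int
    destination: int
    opcode: Optional[int] = None   # None means a polling message (header block only)
    params: bytes = b""


def encode(frame: CecFrame) -> List[int]:
    """Return the 8-bit data blocks as sent on the bus (EOM and ACK bits are line-level, omitted)."""
    if not 0 <= frame.initiator <= 15 or not 0 <= frame.destination <= 15:
        raise ValueError("logical addresses are 4 bits")
    blocks = [(frame.initiator << 4) | frame.destination]
    if frame.opcode is not None:
        blocks.append(frame.opcode & 0xFF)
        blocks.extend(frame.params)
    return blocks


def decode(blocks: List[int]) -> CecFrame:
    """Split a received block list into header, opcode and parameters."""
    if not blocks:
        raise ValueError("empty frame")
    frame = CecFrame(blocks[0] >> 4, blocks[0] & 0x0F)
    if len(blocks) > 1:
        frame.opcode = blocks[1]
        frame.params = bytes(blocks[2:])
    return frame


def describe(frame: CecFrame) -> str:
    """Human-readable one-liner, e.g. for a bus monitor log."""
    src, dst = LOGICAL_ADDRESSES[frame.initiator], LOGICAL_ADDRESSES[frame.destination]
    if frame.opcode is None:
        return f"{src} -> {dst}: polling"
    name = OPCODES.get(frame.opcode, f"opcode 0x{frame.opcode:02X}")
    if frame.opcode == 0x47:   # Set OSD Name carries the device's display name
        return f"{src} -> {dst}: {name} {frame.params.decode('ascii', 'replace')!r}"
    return f"{src} -> {dst}: {name}" + (f" {frame.params.hex()}" if frame.params else "")


# Assumed policy for a TV that needs nothing beyond the standard opcodes: vendor-specific
# commands (0x89, 0xA0) and anything unknown are dropped before any handler runs.
TV_ACCEPTED = {0x00, 0x04, 0x0D, 0x36, 0x46, 0x47, 0x64, 0x82, 0x83, 0x84, 0x85, 0x87,
               0x8C, 0x8F, 0x90, 0x9E, 0x9F, 0xFF}


def filter_for_tv(frame: CecFrame, my_address: int = 0) -> Tuple[bool, str]:
    """Return (accepted, reason). Rejected frames are what a bus monitor should log."""
    if frame.destination not in (my_address, BROADCAST):
        return False, "not addressed to this device"
    if frame.initiator == my_address:
        return False, "initiator is our own address"
    if frame.opcode is None:
        return True, "polling message"
    if frame.opcode not in TV_ACCEPTED:
        return False, f"opcode 0x{frame.opcode:02X} not in allowlist"
    if frame.opcode in (0x47, 0x64):   # OSD text: bounded length, printable ASCII only
        text = frame.params[1:] if frame.opcode == 0x64 else frame.params
        limit = MAX_OSD_STRING if frame.opcode == 0x64 else MAX_OSD_NAME
        if not text or len(text) > limit or not all(0x20 <= b < 0x7F for b in text):
            return False, "OSD text malformed"
    return True, "ok"


if __name__ == "__main__":
    for blocks in ([0x40, 0x47, 0x50, 0x69], [0x4F, 0x36], [0x40, 0x89, 0x01, 0x02], [0x40]):
        f = decode(blocks)
        print(describe(f), "=>", filter_for_tv(f))
```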
Filed under: cons, hardware
As hilariously outrageous as Pacific Rim was, it was still an awesome concept. Giant robot battle suits, duking it out with the aliens. Well, it looks as if it wasn’t quite as far-fetched as we first imagined. Maker [Danny Benedettelli] just released a video of his very own Lego exoskeleton suit that when worn can be used to control a desktop size Cyclops robot. You might remember [Danny] as the author of The Lego Mindstorms EV3 Library,
The Cyclops robot (also his design) was originally built four years ago using Lego Mindstorms NXT system with an Android phone running a custom app. Cyclops has been upgraded a bit for this demonstration. Now it communicates over Bluetooth with an Arduino to [Danny’s] telemetry suit.
Relatively speaking, the system is pretty simple. The Lego exoskeleton has potentiometers on each joint, which map to a degree of freedom for the robot. When one potentiometer spins, the associated robot joint mimics it. Simple, right?
He says it’s just a prototype, so we can probably expect an even more functional robot very soon — for more information, check out his personal site called Danny’s Lab.
Filed under: Android Hacks, Arduino Hacks, robots hacks
Satellite television is prevalent in Europe and Northern Africa. This is delivered through a Set Top Box (STB) which uses a card reader to decode the scrambled satellite signals. You need to buy a card if you want to watch. But you know how people like to get something for nothing. This is being exploited by hackers and the result is millions of these Set Top Boxes just waiting to form into botnets.
This was the topic of [Sofiane Talmat’s] talk at DEF CON 23. He also gave this talk earlier in the week at BlackHat and has published his slides (PDF).
The hardware in satellite receivers is running Linux. They use a card reader to pull in a Code Word (CW) which decodes the signal coming in through the satellite radio.
An entire black market has grown up around these Code Words. Instead of purchasing a valid card, people are installing plugins from the Internet which cause the system to phone into a server which will supply valid Code Words. This is known as “card sharing”.
On the user side of things this just works; the user watches TV for free. It might cause more crashes than normal, but the stock software is buggy anyway so this isn’t a major regression. The problem is that now these people have exposed a network-connected Linux box to the Internet and installed non-verified code from disreputable sources to run on the thing.
[Sofiane] demonstrated how little you need to know about this system to create a botnet:
- Build a plugin in C/C++
- Host a card-sharing server
- Botnet victims come to you (profit)
It is literally that easy. The toolchain to compile the STLinux binaries (gcc) is available in the Linux repos. The STB will look for a “bin” directory on a USB thumb drive at boot time, and the binary in that folder will be automatically installed. Since the user is getting free TV they voluntarily install this malware.
Click through for more on the STB Hacks.
Here’s a prime example of why you always want to verify the checksum when you download software to install on your own system. [Sofiane] researched the “same” software package for card sharing across many download sites on the internet and there were multiple different checksums. The assumption is that these are carrying different malware payloads.
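The check [Sofiane] performed is easy to automate. This added example (not from the talk or the slides) hashes copies of the "same" package fetched from several sites, groups them by SHA-256 digest, and reports which copies match a vendor-published hash; the file contents, site names and published digest are constructed stand-ins.

```python
# Added example: compare several downloads of "the same" package by SHA-256 and
# check them against a published digest. Not from the original post; all data constructed.
import hashlib
from collections import defaultdict

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def compare_downloads(downloads: dict, published: str = None) -> dict:
    """Group downloads by digest; flag which ones match the published hash.

    downloads: {site_name: file_bytes}
    published: hex SHA-256 the vendor publishes, or None if there is none.
    """
    by_digest = defaultdict(list)
    for site, data in downloads.items():
        by_digest[sha256_hex(data)].append(site)
    result = {
        "distinct_files": len(by_digest),   # >1 means the mirrors disagree
        "groups": {d: sorted(s) for d, s in by_digest.items()},
        "verified": [],
        "unverified": [],
    }
    for digest, sites in by_digest.items():
        bucket = "verified" if digest == published else "unverified"
        result[bucket].extend(sorted(sites))
    return result

# Constructed sample: the vendor's copy, one faithful mirror, and two altered copies.
GENUINE = b"cardsharing-plugin-1.0.bin\x00constructed payload bytes\x00"
DOWNLOADS = {
    "vendor-site": GENUINE,
    "mirror-a": GENUINE,
    "mirror-b": GENUINE + b"\x00extra trailing bytes",
    "mirror-c": GENUINE.replace(b"payload", b"p4yload"),
}
PUBLISHED_SHA256 = sha256_hex(GENUINE)   # stand-in for the hash printed on the vendor page

if __name__ == "__main__":
    r = compare_downloads(DOWNLOADS, PUBLISHED_SHA256)
    print(f"{r['distinct_files']} distinct files across {len(DOWNLOADS)} sites")
    print("verified  :", r["verified"])
    print("unverified:", r["unverified"])
```

When there is no published digest at all, every copy lands in "unverified", which is the honest answer: agreement between mirrors only tells you they share a source, not that the source is clean.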
In addition to this easy exploit, the boxes are broken by design anyway. There are no firewalls, there are secondary root accounts (backdoors), there are FTP servers running by default with root privileges and no password. The most laughable vulnerability for me is that updates from the manufacturer don’t do anything to patch or improve the OS, they’re 100% user experience updates. The BusyBox build running on the demo machine was from 2012 and has multiple known vulnerabilities. Even if you don’t want to use a card sharing service, the device can be compromised just by being connected to the Internet.
This talk was presented in the IoT village, not on a main stage. This is a great example of why you should take these talks seriously. You’ll get a much grittier explanation and demonstration of the hacks than on the highly-polished “Track” talks. You also have the opportunity to ask questions and it’s less likely people will be asking questions just to hear themselves talk (which happens far too often here).
Filed under: cons, home entertainment hacks, security hacks, slider
If someone lobs a grenade, it’s fair to expect that something unpleasant is going to happen. Tear gas grenades are often used by riot police to disperse an unruly crowd, and the military might use a smoke grenade as cover to advance on an armed position, or to mark a location in need of an airstrike. But some gas grenades are meant to help, not hurt, like this talking gas-sensing grenade that’s a 2015 Hackaday Prize entry.
Confined space entry is a particularly dangerous aspect of rescue work, especially in the mining industry. A cave-in or other accident can trap not only people, but also dangerous gases, endangering victims and rescuers alike. Plenty of fancy robots have been developed that can take gas sensors deep into confined spaces ahead of rescuers, but [Eric William] figured out a cheaper way to sniff the air before entering. An MQ2 combination CO, LPG and smoke sensor is interfaced to an Arduino Nano, and a 433MHz transmitter is attached to an output. A little code measures the data from the sensors and synthesizes human voice readings which are fed to the transmitter. The whole package is stuffed into a tough, easily deployed package – a Nerf dog toy! Lobbed into a confined space, the grenade begins squawking its readings out in spoken English, which can be received by any UHF handy-talkie in range. [Eric] reports in the after-break video that he’s received signals over a block away – good standoff distance for a potentially explosive situation.
With the expanding supply of cheap sensors available these days, the possibilities are endless for ideas like this. It wouldn’t be that hard to add temperature, humidity and pressure sensors to the grenade, or maybe even the alcohol and ammonia sensors from this sensor suite. Add in sensors for things like particulates, vibration, and radiation, and pretty soon you’ve got a grenade that could do a lot of good.
Filed under: Arduino Hacks, The Hackaday Prize
When it comes to large systems, there are a lot more computers than there are people maintaining them. That’s not a big deal since you can simply use a KVM to connect one Keyboard/Video/Mouse terminal up to all of them, switching between each box simply and seamlessly. The side effect is that now the KVM has just as much access to all of those systems as the human who caresses the keyboard. [Yaniv Balmas] and [Lior Oppenheim] spent some time reverse engineering the firmware for one of these devices and demonstrated how shady firmware can pwn these systems, even when some of the systems themselves are air-gapped from the Internet. This was their first DEF CON talk and they did a great job of explaining what it took to hack these devices.
History
KVMs started off really simple but they haven’t stayed that way. In the early 1990s you could get a 4-port KVM which was little more than an AV-style switch. The transition of keyboards to USB brought with it a big upgrade to the KVM hardware. In 2000 switches with 16 ports and a full USB stack came onto the scene. Ten years later you could find Matrix KVMs that support 1024 machines or more. These are far from the early switches; they’re full blown computers built to make access to server racks full of machines simple.
Finding the Firmware
The key is the firmware, own it and you own the device. The undisclosed manufacturer of the device presented in this talk was nice enough to include a CD in the box that contains the firmware update utility, as well as the firmware.bin file. The firmware utility unpacks this binary and stores it in memory which makes it easily accessible.
Unfortunately running the dumped blob through Binwalk did nothing for the researchers. The 64 kilobytes of data contains not a single string and zero usable results; it’s obviously obfuscated. The next test was sniffing the data transmitted through the update cable which comes with the unit. Other than your normal serial overhead and error correction, what is going through the cable is byte-for-byte identical to the blob. They needed to figure out a way to crack that code.
Decoding the Firmware
The real key to decoding the firmware blob came when looking at the circuit board of the KVM. There are two big chips with the device manufacturer’s name branded on them; likely ASICs. In addition to that there is an 8052 processor and an external RAM chip. Looking at the firmware through the lens of 8051 Assembly (yes, this is an 8052 but assembly is the same as the ’51 variant) is what did it for them.
It didn’t immediately turn up any clues, but looking at the last eight bytes of the firmware, a pattern started to emerge. Matching the frequently used values found across several variants of the firmware, the researchers came to identify this as the firmware version. These were basic numeric values, but the four bits representing each number were hidden in each byte, occupying positions [6..3]. By rotating the bytes to the right by three, each byte becomes the ASCII value for a number, and these lined up with the rev number of the firmware.
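The bit layout described above is easy to check by hand: an ASCII digit is 0x30 + d, i.e. 0011dddd, and rotating that left by three gives 1dddd001, which puts the four digit bits exactly at positions [6..3]. This added example (not the researchers' code, and not derived from any real vendor blob) builds a constructed stand-in for the firmware, rotates it the same way, and then recovers the version digits with a rotate-right-by-three. It goes one step beyond the post by trying all eight rotations and picking the one that yields the most printable text, which is the general form of the trick when the shift is not yet known.

```python
# Added example: undo a per-byte bit-rotation obfuscation and recover the hidden
# version digits. Not from the original talk; the firmware blob below is constructed.
# Printable = ASCII 0x20..0x7E plus tab, LF and CR.
PRINTABLE = set(range(0x20, 0x7F)) | {0x09, 0x0A, 0x0D}

def ror8(b: int, n: int) -> int:
    """Rotate an 8-bit value right by n bits."""
    n %= 8
    return ((b >> n) | (b << (8 - n))) & 0xFF

def rol8(b: int, n: int) -> int:
    """Rotate an 8-bit value left by n bits."""
    n %= 8
    return ((b << n) | (b >> (8 - n))) & 0xFF

def decode_blob(blob: bytes, shift: int = 3) -> bytes:
    """Apply the same right-rotation to every byte of the blob."""
    return bytes(ror8(b, shift) for b in blob)

def version_digits(blob: bytes, shift: int = 3, tail: int = 8) -> str:
    """Recover the version digits hidden in bits [6..3] of the last `tail` bytes."""
    digits = decode_blob(blob[-tail:], shift)
    if not all(0x30 <= d <= 0x39 for d in digits):
        raise ValueError("trailing bytes do not rotate into ASCII digits")
    return digits.decode("ascii")

def printable_ratio(data: bytes) -> float:
    return sum(b in PRINTABLE for b in data) / len(data)

def find_shift(blob: bytes) -> int:
    """Try every rotation and keep the one that produces the most printable text."""
    return max(range(8), key=lambda s: printable_ratio(decode_blob(blob, s)))

# Constructed stand-in for a vendor image: some strings, padding, then "00010203" as the rev.
PLAINTEXT = (b"kvm firmware image (constructed sample)\x00"
             b"osd: select port\x00" + b"\x00" * 4 + b"00010203")
OBFUSCATED = bytes(rol8(b, 3) for b in PLAINTEXT)   # what the "firmware.bin" would look like

if __name__ == "__main__":
    s = find_shift(OBFUSCATED)
    print(f"best rotation: ror {s}  (printable ratio {printable_ratio(decode_blob(OBFUSCATED, s)):.2f})")
    print("version:", version_digits(OBFUSCATED, s))
    print("last obfuscated byte 0x%02X -> bits[6..3] = %d"
          % (OBFUSCATED[-1], (OBFUSCATED[-1] >> 3) & 0xF))
```

On a real blob the printable-ratio score is only a heuristic; it is the recovered strings feeding into Binwalk, as in the talk, that confirm the decode was right.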
They were almost there. Looking at the strings they found an alphabet but in the wrong order. Closer study showed that the letters were grouped into 3 sets and each set was shuffled in the same way. This string was the key to un-shuffling the rest of the binary. Eureka, obfuscated code! Shifting all bytes of the firmware allowed Binwalk to parse the file and that resulted in strings, functions, and everything you need to read the program.
Demonstrating the Vulnerability
Of course reading the firmware is only the first step, you need to show that something useful (insidious) can be done with it. During the talk the pair demonstrated their custom firmware switching to a different system, “typing” in the password (which would have been logged earlier when a human typed it in), and echoing out a binary file which was then executed to load malware onto the system.
Yes, you need physical access to perform this attack with the KVM used during the talk. But some KVMs allow firmware updates over IP, and many of them have web interfaces for configuration. There are many vectors available here and knowing that, the discussion turns to prevention. Keystroke statistics are one way to prevent this kind of attack. By logging how fast characters are being typed, how tight the cadence is, and other human traits like use of backspace, the effectiveness of this type of attack can be greatly reduced.
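The keystroke-statistics defence described above is straightforward to prototype on the host side. This added example (not from the talk) takes a log of (timestamp in ms, key) events, computes typing speed, cadence regularity and backspace use, and flags a burst that is too fast or too regular to have come from a person. The thresholds and both event sequences are constructed assumptions for illustration, not values from the research.

```python
# Added example: flag keystroke bursts that look machine-injected rather than typed.
# Not part of the original talk; thresholds and sample logs are constructed.
import statistics

def interkey_gaps_ms(events):
    """Time between consecutive keystrokes, in milliseconds."""
    times = [t for t, _ in events]
    return [b - a for a, b in zip(times, times[1:])]

def keystroke_features(events):
    gaps = interkey_gaps_ms(events)
    if len(gaps) < 2:
        raise ValueError("need at least three keystrokes to say anything")
    mean = statistics.mean(gaps)
    return {
        "mean_gap_ms": mean,
        "min_gap_ms": min(gaps),
        # coefficient of variation: ~0 for a perfectly regular (scripted) cadence
        "cadence_cv": statistics.pstdev(gaps) / mean if mean else 0.0,
        "backspace_ratio": sum(1 for _, k in events if k == "BS") / len(events),
    }

def classify(events, min_mean_ms=60.0, min_gap_ms=20.0, min_cv=0.15):
    """Return 'human' or 'suspect' plus the reasons. Thresholds are assumed values."""
    f = keystroke_features(events)
    reasons = []
    if f["mean_gap_ms"] < min_mean_ms:
        reasons.append(f"mean gap {f['mean_gap_ms']:.0f} ms is faster than people type")
    if f["min_gap_ms"] < min_gap_ms:
        reasons.append(f"shortest gap {f['min_gap_ms']:.0f} ms is below human limits")
    if f["cadence_cv"] < min_cv:
        reasons.append(f"cadence CV {f['cadence_cv']:.2f} is machine-regular")
    return {"verdict": "suspect" if reasons else "human", "reasons": reasons, **f}

# Constructed log of a person typing a password, including one correction.
HUMAN = [(0, "p"), (142, "a"), (240, "s"), (451, "s"), (538, "w"), (714, "0"),
         (847, "BS"), (942, "o"), (1247, "r"), (1367, "d"), (1590, "ENTER")]
# Constructed log of the same text replayed by a device at a fixed 5 ms per key.
INJECTED = [(i * 5, k) for i, k in enumerate(list("password") + ["ENTER"])]

if __name__ == "__main__":
    for name, log in (("human", HUMAN), ("injected", INJECTED)):
        r = classify(log)
        print(f"{name:9} -> {r['verdict']:8} mean={r['mean_gap_ms']:.0f}ms "
              f"cv={r['cadence_cv']:.2f} bs={r['backspace_ratio']:.2f} {r['reasons']}")
```

The backspace ratio is reported but not thresholded on its own: short sessions legitimately have none, so it works better as a weighting factor over a longer window than as a hard rule. A replay that adds random jitter defeats the regularity test, which is why the speed floor and the cadence check are combined rather than relied on singly.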
Filed under: cons, Hackaday Columns, security hacks
At the heart of [Renaud’s] design lie two sense transformers. The first is a typical voltage stepdown transformer. This brings the AC line voltage down to +/- 10V, which is more amenable to digital sampling. The second is a current sense transformer. In current transformers the primary is typically a single wire (the AC line in this case) passing through the middle of a ring (see the picture to the right from wikipedia). The secondary is wrapped round the ring. When the secondary coil is shorted a current in the primary wire/coil induces a current in the secondary coil.
In practice, the voltage drop across a low value resistor is used to detect the current in the secondary. Clamp meters use this principle to make non-contact current measurements. Other power meters often use Hall effect sensors for current measurements. It will be interesting to see how these methods compare when [Renaud] benchmarks this build.
[Renaud] takes the voltage and current readings from these transformers and samples them with a PIC in order to calculate power. As the AC voltage is periodic [Renaud] uses a method similar to Equivalent Time Sampling (ETS) to combine waveforms from multiple cycles and increase the effective sample rate.
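To make the sampling and power arithmetic concrete, here is an added example (not [Renaud]'s PIC code) that simulates the measurement chain: the burden-resistor voltage is scaled back to primary current, voltage and current are sampled at an ADC rate that is deliberately not a multiple of the line frequency, every sample is folded onto a single line period by its phase (the equivalent-time-sampling idea), and RMS, real and apparent power and power factor are computed from the folded record. The 50 Hz line, the 11/200-period sample interval, the turns ratio and the waveform amplitudes are constructed values.

```python
# Added example: equivalent-time sampling of mains V and I, then power calculation.
# Not from the original project; all parameters below are constructed.
import math

LINE_HZ = 50.0
PERIOD = 1.0 / LINE_HZ
# 11/200 of a period (~1.1 ms, ~909 Hz ADC). gcd(11, 200) == 1, so 200 consecutive
# samples land on 200 distinct phases, i.e. an effective 10 kHz record of one cycle.
SAMPLE_INTERVAL = PERIOD * 11 / 200

def primary_current(v_burden: float, r_burden: float, turns_ratio: float) -> float:
    """Current transformer: secondary current from the burden resistor, scaled by turns ratio."""
    return (v_burden / r_burden) * turns_ratio

def sample_waveforms(v_peak, i_peak, phase_deg, ts, n):
    """Constructed ADC readings: (t, v, i) every ts seconds; current lags by phase_deg."""
    phi = math.radians(phase_deg)
    out = []
    for k in range(n):
        t = k * ts
        w = 2 * math.pi * LINE_HZ * t
        out.append((t, v_peak * math.sin(w), i_peak * math.sin(w - phi)))
    return out

def fold_samples(samples):
    """ETS: map every sample onto one line period by its phase and sort by phase."""
    return sorted((t % PERIOD, v, i) for t, v, i in samples)

def power_metrics(folded):
    """RMS voltage/current, real power (mean of v*i), apparent power and power factor."""
    n = len(folded)
    vrms = math.sqrt(sum(v * v for _, v, _ in folded) / n)
    irms = math.sqrt(sum(i * i for _, _, i in folded) / n)
    real = sum(v * i for _, v, i in folded) / n
    apparent = vrms * irms
    return {"vrms": vrms, "irms": irms, "real_w": real,
            "apparent_va": apparent, "pf": real / apparent if apparent else 0.0}

def demo_metrics():
    """230 Vrms line, 2 A peak load lagging by 30 degrees, 200 samples (11 cycles)."""
    samples = sample_waveforms(325.0, 2.0, 30.0, SAMPLE_INTERVAL, 200)
    return power_metrics(fold_samples(samples))

if __name__ == "__main__":
    m = demo_metrics()
    print(f"Vrms={m['vrms']:.1f} V  Irms={m['irms']:.3f} A  "
          f"P={m['real_w']:.1f} W  S={m['apparent_va']:.1f} VA  PF={m['pf']:.3f}")
    print("1 kA:1 A CT, 0.1 V across 10 ohm burden ->",
          primary_current(0.1, 10.0, 1000.0), "A primary")
```

The real-power sum does not need the folding at all; any set of samples spread evenly over many cycles gives the same mean of v*i. Folding is what lets a slow ADC reconstruct the waveform shape, which matters when you want to see harmonics or non-sinusoidal loads rather than just a power number.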
Great stuff [Renaud]!
Filed under: misc hacks