This Week In Security: PHP Attack Defused, Scoreboard Manipulation, And Tillitis

If you use PHP, you likely use the Composer tool for managing dependencies, at least indirectly. And the good folks at SonarSource found a nasty potential supply chain attack in this tool when used with the Packagist repository. The problem is the support for arbitrary README filenames. When a package update shows up on Packagist, that service uses a version control system (VCS) like Git or Mercurial to pull the specified readme file. That pull operation is subject to argument injection: name your readme --help, and Git will happily treat it as an option and print its help text instead of doing the pull intended. In the case of Git commands, our intrepid researchers were unable to weaponize the issue to achieve code execution.

Composer also supports projects that use Mercurial as their VCS, and Mercurial has a --config option that has… interesting potential. It allows redefining a Mercurial command as a script snippet, so a project just has to contain a malicious payload.sh and set its readme to --config=alias.cat=!hg cat -r : payload.sh|sh;,txt. For those keeping track at home, the vulnerability is that this cursed string of ugly is accepted by Composer as a valid filename. It uses the --config trick to redefine cat as a bit of script that executes the payload, and it ends in .txt because that is a requirement of Composer.

So let’s talk about what this little hack could have been used for, or could still be used for against an unpatched private install of Packagist. This is an unattended attack that jumps straight to remote script execution on an official package repository. If discovered and used for evil, this would have been a massive supply chain attack against PHP deployments. Instead, thanks to SonarSource, it was discovered and disclosed privately back in April. The official Packagist repo at packagist.org was fixed the day after disclosure, and a CVE and updated packages went out six days later. Great work all around.
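As an added illustration (not SonarSource's proof of concept and not Composer's actual patch), here is a small Python model of the argument-injection pattern described above, together with the two standard mitigations: an explicit `--` end-of-options marker before the filename, and an allow-list for what a readme name may look like. The command shape `hg cat -r <rev> <file>` comes from the payload quoted in the article; the revision value, the filename policy and the getopt-style classifier are this example's own assumptions.

```python
import re

# Readme-name policy used by the hardened builder. The .txt requirement is the
# one the article mentions; the leading-character rule and the rest of the
# pattern are this example's own conservative choice, not Composer's code.
SAFE_README = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]*\.(txt|md)$")

# The payload quoted in the article: a readme "filename" that Mercurial reads
# as a --config option redefining `cat` as a shell alias.
PAYLOAD = "--config=alias.cat=!hg cat -r : payload.sh|sh;,txt"

# Options of `hg cat` that consume a following value (only -r matters here).
OPTIONS_WITH_VALUE = {"-r"}


def build_hg_cat_vulnerable(revision: str, readme: str) -> list:
    """Naive command line: the repository-controlled name goes straight in."""
    return ["hg", "cat", "-r", revision, readme]


def build_hg_cat_hardened(revision: str, readme: str) -> list:
    """Reject option-looking names, and end option parsing before the filename."""
    if not SAFE_README.match(readme):
        raise ValueError(f"rejected readme name: {readme!r}")
    return ["hg", "cat", "-r", revision, "--", readme]


def classify_argv(argv: list) -> tuple:
    """
    Emulate getopt-style parsing as git and hg do it: before a bare '--',
    anything starting with '-' is an option; after it, everything is an operand.
    Skips the program and subcommand names and returns (options, operands).
    """
    options, operands = [], []
    terminated = False
    args = iter(argv[2:])
    for arg in args:
        if not terminated and arg == "--":
            terminated = True
        elif not terminated and arg in OPTIONS_WITH_VALUE:
            options.append(f"{arg} {next(args, '')}")
        elif not terminated and arg.startswith("-") and arg != "-":
            options.append(arg)
        else:
            operands.append(arg)
    return options, operands


def readme_is_injected(argv: list, readme: str) -> bool:
    """True when the readme ended up parsed as an option instead of a filename."""
    options, _ = classify_argv(argv)
    return readme in options


if __name__ == "__main__":
    rev = "tip"  # the revision Packagist would supply; assumed for the demo
    for name in ("README.txt", "--help", PAYLOAD):
        argv = build_hg_cat_vulnerable(rev, name)
        print(f"{name[:30]!r:34} injected={readme_is_injected(argv, name)}")
        try:
            build_hg_cat_hardened(rev, name)
            print("  hardened: accepted")
        except ValueError as exc:
            print(f"  hardened: {exc}")
```

The `--` marker is honoured by Git, Mercurial and most getopt-style parsers, but not by every tool you might shell out to, so the allow-list on the name is the check that holds regardless of what ends up running the command. Note also that passing the argument as a list element rather than a shell string does nothing here: the injection is into the tool's own option parser, not into the shell.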


A Neat Little Tool To Reset The Fuses On Your ATtiny

If you’re an experienced hacker, you’ve probably run into a problem at some point and thought “let’s make a tool to automate that”. A few hours later you’ve got your tool, but then realize that the amount of work you put into making the tool vastly exceeds what you would have needed to solve the original problem manually. That really doesn’t matter though: developing a fancy tool can be a rewarding experience that teaches you way more about the original problem than you would have learned otherwise. [sjm4306]’s ATtiny High Voltage Fuse Reset-er is a clever device that firmly falls into this category.

The problem it solves is familiar to anyone who’s ever worked with Atmel/Microchip’s ATtiny series of microcontrollers: set one of the configuration fuses incorrectly and you’re no longer able to reprogram your chip. Getting the ATtiny back to its original configuration requires a high-voltage programming step that involves pulling the reset pin to 12 V in what’s otherwise a 5 V system. You could simply grab a spare 12 V supply and hack together a level shifter with a few transistors, but where’s the fun in that?

[sjm4306]’s solution is built on a pretty purple PCB that contains an ATmega328, an OLED display, and sockets to accommodate various versions of the ATtiny series microcontrollers. To generate the required 12 V, one could simply use an off-the-shelf boost converter IC. But instead, he decided it would be interesting to make such a circuit out of discrete components and control it using the ATmega. After all, this chip already contains timers to generate PWM signals and an ADC to measure the converter’s output voltage, so all it took was to write some control logic in the form of a PID controller.

The end result, as you can see in the video embedded below, is a convenient little PCB that runs off a 5 V USB power supply and resets the fuses on your ATtiny at the push of a button. Sometimes, simple tools that do one thing well are all you need; however, if you’re looking for an all-in-one AVR programmer that also supports HV programming, check out this AVR Multi-Tool.


AVR Fuse Bits Explained

Every AVR microcontroller, from the ATtiny in your thermostat to the ATMega in your Arduino, stores its configuration in a series of fuse bits. These fuse bits control settings such as the multiplier of the internal oscillator (and thus the speed of the chip), or if the reset pin can be used as a GPIO pin. [YS] just put up an awesome tutorial for understanding these fuse/lock bits, and it’s just the reference guide you’ll need when you find your AVR is running 8 times slower than you would like.

As an example, [YS] uses the ATMega48 default settings. From the factory, the ‘Mega48 ships with its fuse bits set to use an 8MHz internal RC oscillator with the CKDIV8 bit set. This results in the chip operating at 1MHz, a bit slow for [YS]’ liking.

By looking at the datasheet for the ATMega48, [YS] found the CKDIV8 fuse is bit 7 of the low fuse byte. From the factory, the default value for this byte is 0b01100010. AVR fuses are active-low, so a 0 means the fuse is programmed; to turn off the ‘divide clock by 8’ feature, [YS] needed to set that bit, changing the low byte to 0b11100010, or 0xE2. This is done in avrdude by adding -U lfuse:w:0xE2:m to the command line used when programming.

Fuse bits don’t need to be scary. As long as you can convert between binary and hex, remember that the 8 bits in a byte are numbered 0 through 7, and have access to an easy to use fuse calculator, it’s possible to change all the settings on any AVR you have on hand.
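As an added worked example (not part of [YS]’s tutorial), the same fuse edit in Python: it decodes the ATmega48 low fuse byte using the bit layout from the datasheet, flips CKDIV8 the active-low way, emits the avrdude argument, and flags the one setting most likely to send you to the high-voltage rescue tools featured elsewhere on this page. The bit positions and default value are from the ATmega48/88/168 datasheet; the warning list and the helper names are this example's own.

```python
from typing import Optional

# Low fuse byte layout of the ATmega48/88/168 family (datasheet "Fuse Low Byte").
# AVR fuses are active-low: a bit value of 0 means PROGRAMMED (feature on),
# 1 means unprogrammed. That inversion is the usual source of confusion.
CKDIV8 = 7                  # 0 = divide the system clock by 8
CKOUT = 6                   # 0 = drive the system clock out on a port pin
SUT_MASK = 0b0011_0000      # bits 5:4, start-up time
CKSEL_MASK = 0b0000_1111    # bits 3:0, clock source

FACTORY_LFUSE = 0x62        # ATmega48 default from the datasheet

# Clock sources that can be named without the full crystal table.
CKSEL_NAMES = {
    0b0000: "external clock (needs a signal on XTAL1)",
    0b0001: "reserved",
    0b0010: "calibrated internal RC oscillator, 8 MHz",
    0b0011: "internal 128 kHz RC oscillator",
}
CKSEL_BASE_HZ = {0b0010: 8_000_000, 0b0011: 128_000}


def fuse_programmed(byte: int, bit: int) -> bool:
    """True when the fuse at `bit` is programmed, i.e. the bit reads 0."""
    return (byte >> bit) & 1 == 0


def program_fuse(byte: int, bit: int) -> int:
    """Clear the bit to 0: fuse programmed."""
    return byte & ~(1 << bit) & 0xFF


def unprogram_fuse(byte: int, bit: int) -> int:
    """Set the bit to 1: fuse unprogrammed."""
    return (byte | (1 << bit)) & 0xFF


def describe_lfuse(byte: int) -> dict:
    """Split the low fuse byte into its named fields."""
    cksel = byte & CKSEL_MASK
    return {
        "byte": f"0x{byte:02X}",
        "binary": f"0b{byte:08b}",
        "CKDIV8": fuse_programmed(byte, CKDIV8),
        "CKOUT": fuse_programmed(byte, CKOUT),
        "SUT": (byte & SUT_MASK) >> 4,
        "CKSEL": CKSEL_NAMES.get(cksel, "external crystal/resonator"),
    }


def effective_clock_hz(byte: int) -> Optional[int]:
    """System clock for the internal oscillators; None when it depends on external parts."""
    base = CKSEL_BASE_HZ.get(byte & CKSEL_MASK)
    if base is None:
        return None
    return base // 8 if fuse_programmed(byte, CKDIV8) else base


def avrdude_fuse_arg(byte: int) -> str:
    """The -U operand that writes this low fuse value."""
    return f"-U lfuse:w:0x{byte:02X}:m"


def warnings_before_write(byte: int) -> list:
    """Things worth reading twice before committing a low fuse byte over ISP."""
    notes = []
    cksel = byte & CKSEL_MASK
    if cksel == 0b0000:
        notes.append("CKSEL=0000 selects an external clock: without one on XTAL1 "
                     "the chip stops answering ISP and needs high-voltage programming")
    if cksel == 0b0001:
        notes.append("CKSEL=0001 is reserved")
    if fuse_programmed(byte, CKOUT):
        notes.append("CKOUT programmed: the system clock is driven out on a port pin")
    return notes


if __name__ == "__main__":
    before = FACTORY_LFUSE
    after = unprogram_fuse(before, CKDIV8)   # the edit [YS] made
    for b in (before, after):
        print(describe_lfuse(b), effective_clock_hz(b), "Hz")
    print(avrdude_fuse_arg(after), warnings_before_write(after))
```

Run it and the factory byte decodes to CKDIV8 programmed at 1 MHz, while 0xE2 decodes to the same oscillator at 8 MHz with no warnings; try 0x60 and the external-clock warning appears, which is exactly the mistake the fuse-rescue boards on this page exist to undo.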


Sanguino ATmega644P Board

The RepRap project, a printer that can make components using rapid prototyping technology and is designed so that it can eventually self-replicate, has released a new breakout board for the Sanguino that provides access to all the pins as screw terminals. The Sanguino is an Arduino-compatible board based on the ATmega644P chip. You can populate the full board with all the components and have a fully functional single board, or populate only the screw terminals, plug in your Sanguino, and use it as a breakout board. The board design is released on Google Code.

Magically Repair AVR Chips

If you’ve ever spent time working with AVR microcontrollers you’ve probably set the fuse bits incorrectly at least once. The ATmega fusebit doctor will automatically repair the fuse bits and get you back in business until your next mishap. The ATmega8 that powers the device has the chip signatures for the ATmega family stored inside so it will automatically detect which chip you’re trying to ‘unbrick’. From there it looks up the correct fuse bits and resurrects the sick microcontroller. This is useful in recovering a chip that has serial programming disabled, used the reset pin as I/O, or just enabled an external clock without the necessary hardware to deliver on that feature.

This magic is taken care of by using High Voltage Parallel Programming. We’ve seen HVPP used in the Arduino rescue shield and it is a valuable feature of the AVR Dragon, our favorite AVR programmer, as well as others. Still, you can hardly beat the ease of plugging a dead chip into this board and pressing one button. Oh, did you brick a member of the ATtiny family? There’s a rescue board for those too.

[Thanks Stewe]

This Thermochromic Clock Is A Ray Of Sunshine

It’s never a bad time to look at a clock, and one could certainly do worse than this delightful Paper Sunshine Clock by [anneosaur]. The sun-ray display is an interesting take on the analog clock, and its method of operation is not one we see every day, either.

Reading the clock is straightforward: there are twelve rays divided into two segments. Once you figure out that this artful object is a clock, it’s easy enough to guess that the rays give the hours, and half-rays are half-hours. In the photo above, it’s sometime between nine o’clock and nine thirty. Our Swiss readers might not be terribly impressed, but a “fuzzy” clock like this is quite good enough much of the time for many people.

Even the flex PCB holding the resistors looks like a work of art.

The title gives away its method of operation: it’s thermochromic paint! The paint is printed onto a piece of Japanese awagami paper, which is pressed against a flexible PCB holding an array of resistors. Large copper pads act as heat spreaders for the resistors. For timekeeping and control, an ATmega328PB is paired with a DS3231MZ RTC, with a coin cell for backup power when the unit is unplugged. (When plugged in, the unit uses USB-C, as all things should.) That’s probably overkill for a +/-30 minute display, but we’re not complaining.

The ATmega328PB does not have quite enough outputs to drive all those resistors, so a multiplexing circuit lets the 10 available GPIO pins control current to the 24 ray segments. Everything is fused for safety, and [anneosaur] even includes a temperature sensor on the control board. The resistors are driven by a temperature-compensated PWM signal to keep them from overheating or warming up too slowly, regardless of room temperature. The attention to detail here is as impressive as the aesthetics.

[anneosaur] has even thought of those poor people for whom such a fuzzy clock would never do (be they Swiss or otherwise): the Paper Sunshine Clock has a lovely “sparkle mode” that turns the rays on and off at random, turning the clock into an art piece. A demo video of that is below. If you find this clock to be a ray of sunshine, everything you need to reproduce it is on GitHub under an MIT or CC4.0 license.

This is not the first thermochromic clock we’ve featured, though the last one was numeric. If you must have minute accuracy in a thermochromic analog clock, we’ve got you covered there, too.

Special thanks to [anneosaur] for submitting the hack. If you’ve seen (or made) a neat clock, let us know! You won’t catch us at a bad time; it’s always clock time at Hackaday.


Fibonacci Clock Looks Like Beautiful Modern Art

Don’t ask us why, but hackers and makers just love building clocks. Especially in the latter case, many like to specialize in builds that don’t even look like traditional timepieces, and are difficult to read unless you know the trick behind them. [NerdCave] has brought us a pleasing example of such a thing, in the form of this gorgeous Fibonacci clock.

The build was inspired by an earlier Fibonacci clock that later became a Kickstarter project. Where that build used an ATmega328P, though, [NerdCave] landed on using a Raspberry Pi Pico W instead. The build puts the microcontroller board on a custom PCB and sticks it inside an attractive 3D-printed enclosure. Black filament was used for the body, while white filament was used for the face of each square to act as a diffuser. Addressable RGB LEDs illuminate the five square segments of the clock.

Obviously, you’re wondering how to read the clock. All you need to know is this. The first five numbers in the Fibonacci sequence are 1, 1, 2, 3, and 5. Each square on the clock represents one of these numbers; the side lengths of the squares match these numbers. Red and green represent hours and minutes respectively, while a blue square counts toward both. To get the hour, add up the values of the red and blue squares; to get the minutes, do the same with the green and blue squares and then multiply by 5. In the header image, the clock is displaying 8:55 PM… we think.

We’ve featured Fibonacci-themed clocks before, albeit ones with entirely different visual themes. Video after the break.
