D-Link Fails at Strings

Small Office and Home Office (SOHO) wireless routers have terrible security. That’s nothing new. But it is somewhat sad that manufacturers just keep repurposing the same broken firmware. Case in point: D-Link’s new DIR-890L, which looks like a turtled hexapod. [Craig] looked behind the odd case and grabbed the latest firmware for this device from D-Link’s website. Then he found a serious vulnerability.

D-Link's DIR-890 Router

The usual process was applied to the firmware image. Extract it, run binwalk to find the various contents of the firmware image, and then extract the root filesystem. This contains all the code that runs the router’s various services.

The CGI scripts are an obvious place to poke for issues. [Colin] disassembled the single executable that handles all CGI requests and started looking at the code that handles Home Network Administration Protocol (HNAP) requests. The first find was that system commands were being built using HNAP data. The data wasn’t being sanitized, so all that was needed was a way to bypass authentication.

This is where D-Link made a major error. They wanted to allow one specific URL to not require authentication. Seems simple: compare string A to string B and ensure they match. But they used the strstr function, which searches for string B anywhere inside string A and reports a match (a non-NULL pointer) whenever A merely contains B. Oops.

So authentication can be bypassed, telnetd can be started, and voila: a root shell on D-Link’s most pyramid-shaped router. Oh, and you can’t disable HNAP. May we suggest OpenWrt or dd-wrt?
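The strstr mistake described above, as an added C example that is not D-Link's code: it contrasts a substring test, a prefix test and an exact comparison for an authentication exemption. The exempt URL and the sample header values are constructed placeholders, since the write-up does not name the real ones.

```c
#include <stdio.h>
#include <string.h>

/* Placeholder value: the write-up does not name the exempt URL. */
#define EXEMPT_ACTION "http://example.invalid/HNAP1/PublicAction"

/* Flawed: strstr() returns non-NULL when the exempt string occurs
 * anywhere in the value, so text around it is silently ignored. */
static int exempt_substring(const char *action)
{
    return action != NULL && strstr(action, EXEMPT_ACTION) != NULL;
}

/* Still flawed: a prefix test accepts anything appended after the match. */
static int exempt_prefix(const char *action)
{
    return action != NULL &&
           strncmp(action, EXEMPT_ACTION, strlen(EXEMPT_ACTION)) == 0;
}

/* Correct: the whole value must equal the exempt string. */
static int exempt_exact(const char *action)
{
    return action != NULL && strcmp(action, EXEMPT_ACTION) == 0;
}

int main(void)
{
    /* Constructed inputs; only the first should skip authentication. */
    const char *cases[] = {
        EXEMPT_ACTION,
        EXEMPT_ACTION "-extra",
        "prefix-" EXEMPT_ACTION,
        "http://example.invalid/HNAP1/OtherAction",
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("substr=%d prefix=%d exact=%d  %s\n",
               exempt_substring(cases[i]), exempt_prefix(cases[i]),
               exempt_exact(cases[i]), cases[i]);
    return 0;
}
```

Only the exact comparison limits the exemption to the one intended value; the other two also exempt values that carry extra text around it.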

Meet The Machines That Build Complex PCBs

You can etch a simple PCB at home with a few chemicals and some patience. However, once you get to multilayer boards, you’re going to want to pay someone to do the dirty work.

The folks behind the USB Armory project visited the factories that build their 6-layer PCB and assemble their final product. Then they posted a full walkthrough of the machines used in the manufacturing process.

The boards start out as layers of copper laminates. Each one is etched by applying a film, using a laser to print the design from a Gerber file, and etching away the unwanted copper in a solution. Then the copper and fibreglass prepreg sandwich is bonded together with epoxy and a big press.

Bonded boards then get drilled for vias, run through plating and solder mask processes and finally plated using an Electroless Nickel Immersion Gold (ENIG) process to give them that shiny gold finish. These completed boards are shipped off to another company, where a pick and place followed by reflow soldering mounts all the components to the board. An X-Ray is used to verify that the BGA parts are soldered correctly.

The walkthrough gives a detailed explanation of the process. It shows us the machines that create products we rely on daily, but never get to see.

The Oldland CPU 32-bit FPGA Core

Field Programmable Gate Arrays (FPGAs) let you program any logic you’d like onto a chip. You write your logic using a hardware description language, then flash it to the FPGA. You can even design your own processor and flash it to the chip.

That’s exactly what [jamieiles] has done with the Oldland CPU. It’s an open source 32-bit CPU core that you can synthesize for use on an FPGA. Not only can you browse through all the Verilog code in the GitHub repo, but there’s also a bunch of tools for working with this CPU core.

Included with the package is oldland-rtlsim, which lets you simulate the processor on a PC. The oldland-debug tool lets you connect to the processor for programming and debugging over JTAG. Finally, there’s a GNU toolchain port that lets you build C code for the device.

Going one step further, [jamieiles] built a full SoC around the Oldland core. This has SPI, UART, timers, and more features you’d expect to find in a microcontroller. It can be flashed to the relatively cheap Terasic DE0-Nano board.

[jamieiles] has also ported u-boot to the processor, and the next thing on the list is the Linux kernel. If you’ve ever been interested in how CPUs actually work, this is a neat project to look through. If you want more open source CPU cores, check out OpenCores.

Rocket Controls Fit for a Kerbal

Kerbal Space Program is a space simulation game. You design spacecraft for a fictional race called Kerbals, then blast those brave Kerbals into space. Sometimes they don’t make it home.

If controlling spacecraft with your WASD keys isn’t immersive enough for you, [marzubus] has created a fully featured KSP control console. It sports a joystick, multiple displays, and an array of buttons and switches for all your flight control needs. The console was built using a modular approach, so different controls can be swapped in and out as needed.

Under the hood, three Arduinos provide the interface between the game and the controls. One Arduino Mega runs HoodLoader2 to provide joystick data over HID. A second Mega uses KSPSerialIO to communicate with the game over a standard COM port interface. Finally, a Due interfaces with the displays, which provide information on the current status of your spacecraft.

All of the parts are housed in an off the shelf enclosure, which has a certain Apollo Mission Control feel to it. All [marzubus] needs now is a white vest with a Kerbal badge on it.

Controlling Central Heating Via Wi-Fi

If you’ve ever lived in a building with manually controlled central heating, you’ll probably understand [Martin]’s motivation for this hack. These heating systems often have old fashioned valves to control the radiator. No Nest support, no thermostat, just a knob you turn.

To solve this problem, [Martin] built a Wi-Fi enabled thermostat. This impressive build brings together a custom PCB based on the ESP8266 Wi-Fi microcontroller and a mobile-friendly web UI based on the Open Thermostat Scheduler. The project’s web server is fully self-contained on the ESP8266.

To replace that manual valve, [Martin] used a thermoelectric actuator from a Swiss company called HERZ. This is driven by a relay, which is controlled by the ESP8266 microcontroller. Based on the schedule and the measured temperature, the actuator lets fluid flow through the radiator and heat the room.

As a bonus, the device supports NTP for getting the time, MQTT for publishing real-time data, and ThingSpeak for logging and graphing historic data. The source code and design files are available under a Creative Commons license.

Cheap USB Control for your Telescope

There are many complex systems for automatically pointing a telescope at an object in the sky, but most of them are too expensive for the amateur astronomer. [Kevin]’s Arduino ST4 interface lets you connect your PC to a reasonably priced motorized telescope mount, without ripping it apart.

The ST4 port is a very basic interface. There’s one pin per direction that the mount can move, and a common pin. This port can be added to just about any motorized mount with some modification to the controller. To connect to an Arduino, a TLP521-4 quad optoisolator is used. This keeps the Arduino and PC fully isolated from the motor circuits, but lets the Arduino take control of the mount.

With the hardware in place, [Kevin] cranked out some software which is available on Google Code. A simple Arduino sketch provides the USB interface, and a custom driver allows the ASCOM Platform to control the mount. Since many astronomy software tools support ASCOM, this allows the mount to be controlled by existing software.

With the interface in place, the mount can be used to find objects (GOTO) and automatically follow them with high accuracy (autoguiding). You can watch the telescope move on its own after the break.


AES-CMAC on an ATtiny85

[Blancmange] built a custom door chime using an ATtiny85. Unlike most commercial products out there, this one actually tries to be secure, using AES-CMAC for message signing.

The hardware is pretty simple, and a protoboard layout is shown in the image above. It uses the ATtiny85 for control, with an LM380N audio amplifier, and a low cost 315 MHz receiver.

The more impressive part of the build is the firmware. Using AVR assembly, [Blancmange] managed to fit everything into the 8 Kbytes of flash on the ATtiny85. This includes an implementation of AES-CMAC, an AES cipher-based message authentication code. The transmitting device signs the request with a key shared between both devices, and the receiver verifies that the message is from a trusted transmitter.

Fortunately, the assembly code is very well commented. If you’ve ever wanted to take a look into some complex assembly, this is a great project to check out. The source code has been released into the public domain, so the rest of us can implement crypto on this cheap microcontroller with much less effort.