Saving an Alarm System Remote and $100

[Simon] has been using his home alarm system for over six years now. The system originally came with a small RF remote control, but after years of use and abuse it was finally falling apart. After searching for replacement parts online, he found that his alarm system is the “old” model and remotes are no longer available for purchase. The new system had similar RF remotes, but supposedly they were not compatible. He decided to dig in and fix his remote himself.

He cracked open the remote’s case and found an 8-pin chip labeled HCS300. This chip handles all of the remote’s functions, including reading the buttons, flashing the LED, and providing encoded output to the 433MHz transmitter. The HCS300 also uses KeeLoq technology to protect the data transmission with a rolling code. [Simon] did some research online and found the thew new alarm system’s remotes also use the same KeeLoq technology. On a hunch, he went ahead and ordered two of the newer model remotes.

He tried pairing them up with his receiver but of course it couldn’t be that simple. After opening up the new remote he found that it also used the HCS300 chip. That was a good sign. The manufacturer states that each remote is programmed with a secret 64-bit manufacturer’s code. This acts as the encryption key, so [Simon] would have to somehow crack the key on his original chip and re-program the new chip with the old key. Or he could take the simpler path and swap chips.

A hot air gun made short work of the de-soldering and soon enough the chips were in place. Unfortunately, the chips have different pinouts, so [Simon] had to cut a few traces and fix them with jumper wire. With the case back together and the buttons in place, he gave it a test. It worked. Who needs to upgrade their entire alarm system when you can just hack the remote?

Control Nest Devices with Amazon Echo

[ZPriddy] was looking for a way to control his Nest thermostats with Amazon Echo. He didn’t want to settle for using AWS or some other hosted service. [ZPriddy] wanted something that he could host and manage completely on his own. The end result is what he calls EchoNestPy.

[ZPriddy] started by learning how to use the Alexa Skills Kit (ASK). ASK is the official SDK that allows enthusiasts to add functionality to their Amazon Echo. Unfortunately for [ZPriddy], most of the example code he found was designed to be used on Amazon Lambda, but that didn’t stop him. After finding a few examples of Amazon Echo requests and responses, he was on his way.

[ZPriddy] chose to implement a simple web server using Flask. The web server listens for the Amazon requests and responds appropriately. It also Oauth2 authentication to ensure some level of security. The server is capable of synchronizing the temperature of multiple Nest devices in the same home, but it can also increment or increment the temperature across the board. This is accomplished with some simple voice commands such as “Tell Nest that I’m a little bit chilly”. If you like Amazon Echo hacks, be sure to check out this other one for controlling WeMo devices. Continue reading “Control Nest Devices with Amazon Echo”

Alarm Notifies the Office When the Coffee is Ready

[Stian] thought it would be nice if his coworkers could be electronically notified when the latest batch of coffee is ready. He ended up building an inexpensive coffee alarm system to do exactly that. When the coffee is done, the brewer can press a giant button to notify the rest of the office that it’s time for a cuppa joe.

[Stian’s] first project requirement was to activate the system using a big physical button. He chose a button from Sparkfun, although he ended up modifying it to better suit his needs. The original button came with a single LED built-in. This wasn’t enough for [Stian], so he added two more LEDs. All three LEDs are driven by a ULN2003A NPN transistor array. Now he can flash them in sequence to make a simple animation.

This momentary push button supplies power to a ESP8266 microcontroller using a soft latch power switch. When the momentary switch is pressed, it supplies power to the latch. The latch then powers up the main circuit and continues supplying power even when the push button is released. The reason for this power trickery is to conserve power from the 18650 li-on battery.

The core functionality of the alarm uses a combination of physical hardware and two cloud-based services. The ESP8266 was chosen because it includes a built-in WiFi chip and it only costs five dollars. The microcontroller is configured to connect to the WiFi network with the push of a button. The device also monitors the giant alarm button.

When the button is pressed, it sends an HTTP request to a custom clojure app running on a cloud service called Heroku. The clojure app then stores brewing information in a database and sends a notification to the Slack cloud service. Slack is a sort of project management app that allows multiple users to work on projects and communicate easier over the internet. [Stian] has tapped into it in order to send the actual text notification to his coworkers to let them know that the coffee is ready. Be sure to watch the demo video below. Continue reading “Alarm Notifies the Office When the Coffee is Ready”

Puzzle Box is Rigged to Blow

[Sande24] needed a gift for his father’s birthday. He decided that rather than simply give his father the gifts, he would present his father with a unique challenge. The gifts are locked inside of a multi-stage puzzle box. This isn’t your average puzzle box though. This one is rigged to blow.

The puzzle box was designed to test his father’s reflexes, mind, and luck. The finished product looks sort of like a wooden crate made from particle board. The box contains three levels, each with its own gift and its own task to be completed.

With the lid opened, the first compartment and puzzle is revealed. Inside of the compartment were a new pair of gloves, meant to protect the father’s hands when working on the puzzles. The first puzzle is built into a sheet of wood with several custom-made levers. The levers must be moved into position in order to remove the wooden sheet and reveal the next level.

The first lever triggers a home-made detonator that eventually lights a series of fireworks placed around the box. You need to solve the puzzle box fast enough to prevent the fireworks from destroying the gifts that lay inside. [Sande24] was unable to legally purchase fuses where he lived, so he had to make his own.

The second level held a gas mask, also meant to protect the father from the booby traps of this mysterious box. This level, also made from a sheet of wood, has nine squares drawn on it. Each square is labeled with a different number which goes into solving a mathematical function (x^5-25x^4+233x^3-995x^2+1866x-1080 = 0). The solution to the function would reveal the safe path to be used to cut the wooden platform in half. Unfortunately [Sande24’s] father cut the wrong squares and released a huge amount of vinegar into the box. Oops.

The bottom level contained the final puzzle and the locked treasure compartment locked with an ordinary padlock. To find the key, another puzzle had to be solved based on a series of wooden levers labeled with different shapes. The shapes provided clues to the order in which the levers should be pulled. Once the levers were moved into position, two compartments were unlocked. One of them contained the key to the treasure box. The other contained another booby trap which would set off more fireworks, destroying the final gift of four cans of Kuld beer. That’s a lot of work to get a a few cans of frothy beverage!

[Thanks Ellery]

Fooling Google Search Console With Tricky PHP

When [Steve] received a notice from Google that a new owner had been added to his Google Search Console account, he knew something was wrong. He hadn’t added anyone to his account. At first he thought it might be a clever phishing tactic. Maybe the email was trying to get him to click a malicious link. Upon further investigation, he discovered that it was legitimate. Some strange email address had been added to his account. How did this happen?

When you want to add a website to Google’s services, they require that you prove that you own the actual website as a security precaution. One method to provide proof is by uploading or creating an HTML file to your website with some specific text inside. In this case, the file needed to be called “google1a74e5bf969ded17.html” and it needed to contain the string “google-site-verification: googlea174e5bf969ded17.html”.

[Steve] logged into his web server and looked in the website directory but he couldn’t find the verification file. Out of curiosity, he tried visiting the web page anyways and was surprised to find that it worked. After some experimentation, [Steve] learned that if he tried to load any web page that looked like “googleNNNNNNN.html”, he would be presented with the corresponding verification code of “google-site-verification: googleNNNNNNNN.html”. Something was automatically generating these pages.

After further investigation, [Steve] found that some malicious PHP code had been added to his website’s index.php page. Unfortunately the code was obfuscated, so he couldn’t determine exactly what was happening. After removing the new code from the index.php file, [Steve] was able to remove the hacker’s email address from [Steve’s] Google account.

This is a very interesting hack, because not only did it allow this one hacker to add himself to [Steve’s] Google account, but it would also have allowed anyone else to do the same thing. This is because each new hacker would have been able to fool Google’s servers into thinking that they had uploaded the verification file thanks to the malicious PHP code. It makes us think that perhaps Google’s verification system should use a separate randomized string inside of the verification file. Perhaps one that can’t be guessed or calculated based on known variables such as the file name.

Transmitting MIDI Signals With XBEE

What do you do when you want to rock out on your keytar without the constraints of cables and wires? You make your own wireless keytar of course! In order to get the job done, [kr1st0f] built a logic translator circuit. This allows him to transmit MIDI signals directly from a MIDI keyboard to a remote system using XBEE.

[kr1st0f] started with a MIDI keyboard that had the old style MIDI interface with a 5 pin DIN connector. Many new keyboards only have a USB interface, and that would have complicated things. The main circuit uses an optoisolator and a logic converter to get the job done. The MIDI signals are converted from the standard 5V logic to 3.3V in order to work with the XBEE.

The XBEE itself also needed to be configured in order for this circuit to work properly. MIDI signals operate at a rate of 31,250 bits per second. The XBEE, on the other hand, works by default at 9,600 bps. [kr1st0f] first had to reconfigure the XBEE to run at the MIDI bit rate. He did this by connecting to the XBEE over a Serial interface and using a series of AT commands. He also had to configure proper ID numbers into the XBEE modules. When all is said and done, his new transmitter circuit can transmit the MIDI signals wirelessly to a receiver circuit which is hooked up to a computer.

How to Make Amazon Echo Control Fake WeMo Devices

[Chris] has been playing with the Amazon Echo. It’s sort of like having Siri or Google Now available as part of your home, but with built-in support for certain other home automation appliances like those from Belkin WeMo and Philips. The problem was [Chris] didn’t want to be limited to only those brands. He had other home automation gear that he felt should work with Amazon Echo, but didn’t. That’s when he came up with the clever idea to just emulate one of the supported platforms.

The WeMo devices use UPnP to perform certain functions over the network. [Chris] wanted to see how these communications actually worked, so he fired up his laptop and put his WiFi adapter into monitor mode. Then he used Wireshark to start collecting packets. He found that the device detection function starts out with the Echo searching for WeMo devices using UPnP. The device then responds to the Echo with the device’s URL using HTTP over UDP. The Echo then requests the device’s description using that HTTP URL. The description is then returned as an HTTP response.

The actual “on/off” functionality of the WeMo devices is simpler since the Echo already knows about the device. The Echo simply connects to the WeMo over the HTTP interface and issues a “SetBinaryState” command. The WeMo then obliges and returns a confirmation via HTTP.

WeMo Echo
How Echo Communicates with WeMo Devices

[Steve] was able to use this information to set up his own WeMo “virtual cloud”. Each virtual device would have its own IP address. They would also need to have a listener for UDP broadcasts as well as an HTTP listener running on the WeMo port 49153. Each virtual device would also need to be able to respond to the UPnP discovery requests and the “on/off” commands.

[Chris] used a Linux server, creating a new virtual Ethernet interface for each virtual WeMo switch. A single Python script runs the WeMo emulation, listening for the UPnP broadcast and sending a different response for each virtual device. Part of the response includes the device’s “friendly name”, which is what the Echo listens for when the user says voice commands. Since the virtual WeMo devices are free, this allows [Chris] to make multiple phrases for each device. So rather than be limited to “television”, he can also make a separate device for “TV” that performs the same function. [Chris] is also no longer limited to only specific brands of home automation gear.

There’s still a long way to go in hacking this device. There’s a lot of hardware under the hood to work with. Has anyone else gotten their hands (and bench tools) on one of these?