Novation Launchpad MIDI Controller Moves Toward Open Source

The Novation Launchpad is a MIDI controller, most commonly used with the Ableton Live digital audio workstation. It’s an eight by eight grid of buttons with RGB LED backlights that sends MIDI commands to your PC over USB. It’s often used to trigger clips, which is demonstrated by the artist Madeon in this video.

The Launchpad is useful as a MIDI input device, but that’s about all it used to do. But now, Novation has released an open source API for the Novation Pro. This makes it possible to write your own code to run on the controller, which can be flashed using a USB bootloader. An API gives you access to the hardware, and example code is provided.

[Jason Hotchkiss], who gave us the tip on this, has been hacking around with the API. The Launchpad Pro has a good old 5 pin MIDI output, which can be connected directly to a synth. [Jason]’s custom firmware uses the Launchpad Pro as a standalone MIDI sequencer. You can check out a video of this after the break.

Unfortunately, Novation didn’t open source the factory firmware. However, this open API is a welcome change to the usual closed-source nature of audio devices.

Continue reading “Novation Launchpad MIDI Controller Moves Toward Open Source”

Combining Musical Hatred with Target Practice

Not everyone can agree on what good music is, but in some cases you’ll find that just about everyone can agree on what is awful. That’s what the people over at Neo-Pangea discovered when they were listening to Internet radio. When one of those terrible songs hits their collective eardrums, the group’s rage increases and they just need to skip the track.

This is how Engineers act if the song is super-awful
This is how Engineers act if the song is super-awful

Rather than use a web app or simple push button to do the trick, they turned the “skip” button into a NERF target. They call their creation the Boom Box Blaster and made a fantastic demo film video about it which is found after the break.

Inspired by a painting in the office, the target takes the form of a small hot air balloon. The target obviously needed some kind of sensor that can detect when it is hit by a NERF dart. The group tried several different sensor types, but eventually settled on a medium vibration sensor. This sensor is connected to an Arduino, which then communicates with a Raspberry Pi over a Serial connection. The Pi uses a Python script to monitor the Arduino’s vibration sensor. The system also includes some orange LEDs to simulate flames and a servo attached to the string which suspends the balloon from the ceiling. Whenever a hit is registered, the flames light up and the balloon raises into the air to indicate that the shot was on target.

Continue reading “Combining Musical Hatred with Target Practice”

LEDs Strips Tell You the Trains Aren’t Running

[James] is a frequent user of the London Underground, a subway system that is not immune to breakdowns and delays. He wanted a way to easily tell if any of the trains were being disrupted, and thanks to some LEDs, he now has that information available at a glance without having to check a webpage first.

Inspired by the Blinky Tape project at FT Engineering, [James] thought he could use the same strip of addressable LEDs to display information about the tube. A Raspberry Pi B+ gathers data from the London Underground’s TfL API and does a few calculations on the data. If there is a delay, the LEDs in the corresponding section of the strip will pulse, alerting the user to a problem with just a passing glance.

The project is one of many that displays data about the conditions you’ll find when you step outside the house, without having to look at a computer or smartphone. We recently featured an artistic lamp which displays weather forecasts for 12 hours into the future, and there was an umbrella stand which did the same thing. A lot is possible with LEDs and a good API!

Continue reading “LEDs Strips Tell You the Trains Aren’t Running”

Display Your City’s Emotional State with Illuminated Snow

[Hunter] wanted to do something a bit more interesting for his holiday lights display last year. Rather than just animated lights, he wanted something that was driven by data. In this case, his display was based on the mood of people in his city. We’ve seen a very similar project in the past, but this one has a few notable differences.

The display runs off of an Arduino. [Hunter] is using an Ethernet shield to connect the Arduino to the Internet. It then monitors all of the latest tweets from users within a 15 mile radius of his area. The tweets are then forwarded to the Alchemy Sentiment API for analysis. The API uses various algorithms and detection methods to identify the overall sentiment within a body of text. [Hunter] is using it to determine the general mood indicated by the text of a given tweet.

Next [Hunter] needed a way to somehow display this information. He opted to use an LED strip. Since the range of sentiments is rather small, [Hunter] didn’t want to display the overall average sentiment. This value doesn’t change much over short periods of time, so it’s not very interesting to see. Instead, he plots the change made since the last sample. This results in a more obvious change to the LED display.

Another interesting thing to note about this project is that [Hunter] is using the snow in his yard to diffuse the light from the LEDs. He’s actually buried the strip under a layer of snow. This has the result of hiding the electronics, but blurring the light enough so you can’t see the individual LEDs. The effect is rather nice, and it’s something different to add to your holiday lights display. Be sure to check out the video below for a demonstration. Continue reading “Display Your City’s Emotional State with Illuminated Snow”

Super Bowl Football Lamp Keeps You Informed

[David] loves to watch football. After his preferred team lost the playoffs, he wanted another reason to watch the big game last Sunday. He ended up building himself a football-shaped lamp that changes color based on who scored last.

[David] started with a Spark Core and a Spark Button. The Spark is the primary microcontroller and includes WiFi. The Spark Button is essentially a shield for the Spark that includes an accelerometer, some LEDs, and a few push buttons. The other part of this build was the housing. [David] used a toy football he got for free as swag from a parade.

As for the code, [David] started by first learning how to control the LEDs on the Spark Button. Then he wrote his own touchdown function to illuminate the football a specific color. Since the Spark uses the REST API, [David] is able to trigger this function by simply visiting the URL of his Spark. This makes it very simple to trigger the event.

The final part of this build was made easy thanks to IfThisThenThat (IFTTT). This is a web service that allows you to monitor and interact with various online web services. It can monitor one service, and then interact with another based on events that happen in the first service. In this case, [David] is using a “channel” added to IFTTT by ESPN. This channel can trigger when certain events happen for whatever team you specify. For this project [David] is monitoring touchdowns.

After combining all of these various services, [David] had a working light that would change colors based on which team scored. He did notice that IFTTT has anywhere between a 1 and 15 minute delay, and he hopes to improve upon this design by hooking directly to an API and skipping the extra service altogether.

When Responsible Disclosure Isn’t Enough

Moonpig is a well-known greeting card company in the UK. You can use their services to send personalized greeting cards to your friends and family. [Paul] decided to do some digging around and discovered a few security vulnerabilities between the Moonpig Android app and their API.

First of all, [Paul] noticed that the system was using basic authentication. This is not ideal, but the company was at least using SSL encryption to protect the customer credentials. After decoding the authentication header, [Paul] noticed something strange. The username and password being sent with each request were not his own credentials. His customer ID was there, but the actual credentials were wrong.

[Paul] created a new account and found that the credentials were the same. By modifying the customer ID in the HTTP request of his second account, he was able to trick the website into spitting out all of the saved address information of his first account. This meant that there was essentially no authentication at all. Any user could impersonate another user. Pulling address information may not sound like a big deal, but [Paul] claims that every API request was like this. This meant that you could go as far as placing orders under other customer accounts without their consent.

[Paul] used Moonpig’s API help files to locate more interesting methods. One that stood out to him was the GetCreditCardDetails method. [Paul] gave it a shot, and sure enough the system dumped out credit card details including the last four digits of the card, expiration date, and the name associated with the card. It may not be full card numbers but this is still obviously a pretty big problem that would be fixed immediately… right?

[Paul] disclosed the vulnerability responsibly to Moonpig in August 2013. Moonpig responded by saying the problem was due to legacy code and it would be fixed promptly. A year later, [Paul] followed up with Moonpig. He was told it should be resolved before Christmas. On January 5, 2015, the vulnerability was still not resolved. [Paul] decided that enough was enough, and he might as well just publish his findings online to help press the issue. It seems to have worked. Moonpig has since disabled its API and released a statement via Twitter claiming that, “all password and payment information is and has always been safe”. That’s great and all, but it would mean a bit more if the passwords actually mattered.

Reverse Engineering the Kayak Mobile API

The travel meta-search website Kayak apparently used to have a public API which is no longer available. We can’t say we mourn the loss of the interface we’d never known about. If you are someone who was automating their searches for that perfect vacation getaway deal, there’s still hope. But either way you’ll like this one. [Shubhro Saha] figured out how to access the API used by the Kayak mobile app. We like that he details how to sniff the traffic between an app and the internet and make sense of what is found.

His tool of choice is the Python package Mitmproxy. We haven’t heard of it but we have heard of Wireshark and [Shabhro] makes the case that Mitmproxy is superior for this application. As the name suggests, you set it up on your computer and use that box’s IP as the proxy connection for your phone. After using the app for a bit, there is enough data to start deconstructing what’s going on between the app and remote server which which it communicates. We could have a lot of fun with this, like seeing what info those free apps are sending home, or looking for security flaws in your own creations.

[Thanks Juan via Twitter]