Root on the Philips Hue IoT Bridge

Building on the work of others (as is always the case!) [pepe2k] managed to get root access on the Philips Hue Bridge v2 IoT light controller. There’s nothing unusual here, really. Connect to the device over serial, interrupt the boot process, boot up open firmware, dump the existing firmware, and work the hacker magic from there.

Of course, the details are the real story. Philips had set U-Boot to boot the firmware from flash in zero seconds, not allowing [pepe2k] much time to interrupt it. So he desoldered the flash, giving him all the time in the world, and allowing him to change the boot delay. Resoldering the flash and loading up his own system let him dump the firmware.

The “hacker magic” glossed over in the intro consisted of poking around until he found a script that was called on every boot. This is how [pepe2k] gets around not knowing the root password. The script compares the hash of the typed password with an environment variable, set with the hash of the correct password. Changing that environment variable to the hash of his favorite password (“root”) made him master of the box.
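The boot-time check described above is only as strong as the integrity of the reference it compares against: once the stored hash lives in an environment variable that anyone with flash access can rewrite, the comparison itself is sound but pointless. The following Python model is an added example, not code from [pepe2k]’s write-up or from the Bridge firmware. It shows the check as the post describes it next to a variant where the stored hash is accepted only if it carries an HMAC tag made with a key that is not in the rewritable environment. The hash algorithm (SHA-256), the variable names and the fused key are all assumptions made for the example.

```python
import hashlib
import hmac

# Constructed stand-in for a device-unique key kept in fuses/OTP, i.e. somewhere
# that is not part of the rewritable flash holding the U-Boot environment.
# Placeholder value only, not a real key.
FUSE_KEY = bytes.fromhex("11" * 32)


def password_hash(password: str) -> str:
    # SHA-256 is an assumption; the post does not say which hash the script uses.
    return hashlib.sha256(password.encode()).hexdigest()


def naive_check(typed: str, env: dict) -> bool:
    """The pattern the post describes: hash the typed password and compare it
    with a hash stored in a (rewritable) environment variable."""
    return hmac.compare_digest(password_hash(typed), env.get("ROOT_PW_HASH", ""))


def seal_reference(pw_hash: str, key: bytes) -> str:
    """Tag the stored hash with a key the environment writer does not hold."""
    return hmac.new(key, pw_hash.encode(), hashlib.sha256).hexdigest()


def sealed_check(typed: str, env: dict, key: bytes) -> bool:
    """Same comparison, but refuse the login if the stored hash was changed
    without the key: a rewritten ROOT_PW_HASH no longer matches its tag."""
    ref = env.get("ROOT_PW_HASH", "")
    tag = env.get("ROOT_PW_HASH_TAG", "")
    if not hmac.compare_digest(seal_reference(ref, key), tag):
        return False
    return hmac.compare_digest(password_hash(typed), ref)


def demo() -> dict:
    # Constructed factory environment: hash of the real root password plus tag.
    factory_env = {"ROOT_PW_HASH": password_hash("factory-secret")}
    factory_env["ROOT_PW_HASH_TAG"] = seal_reference(factory_env["ROOT_PW_HASH"], FUSE_KEY)
    # The environment rewritten with the hash of "root", as in the post.
    tampered = dict(factory_env, ROOT_PW_HASH=password_hash("root"))
    return {
        "naive_accepts_tampered": naive_check("root", tampered),
        "sealed_rejects_tampered": not sealed_check("root", tampered, FUSE_KEY),
        "sealed_accepts_factory": sealed_check("factory-secret", factory_env, FUSE_KEY),
    }


if __name__ == "__main__":
    print(demo())
```

Sealing the reference only moves the trust: it helps when the key really is unreachable from flash and the code doing the check is itself protected (for instance by verified boot). If the script that performs the comparison can be rewritten as easily as the environment, the check can simply be removed, which is why the integrity of boot code, not the password hash, is the real boundary here.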

And just in case you’re one of the few Hackaday readers who doesn’t understand why we do these things, besides the fact that it’s just fun, consider Philips’ (eventually retracted) clampdown on the interoperability of this very device, or Google’s red bricks. The fatal flaw of IoT devices is that they place you at the whims of companies who may decide that they’re not making enough money any more, and shut them down. Keep your hacking skills sharp.

Thanks [Jan] for the great tip!

[HomoFaciens] Shows Off With DIY Paper Printer

[HomoFaciens] is always making us feel silly about our purchases. Did we really need to buy a nice set of stepper motors for that automation project? Couldn’t we have just used some epoxy and a threaded rod to make an encoder? Did we need to spend hours reading through the documentation for an industrial inkjet head? Couldn’t we just have asked ourselves, “What would [HomoFaciens] do?” and then made a jailhouse tattoo gun attached to a broken printer carriage and some other household tech trash?

In his continuing work for his Hackaday prize entry, which we have covered before, his latest is an ink (…drop?) printer. We think the goal is a Gingery book for CNC. He begins to combine all his previous work into a complete assembly. The video, viewable after the break, starts by explaining the function of a salvaged printer carriage. A motor attached to a belt moves the carriage back and forth; the original linear encoder from the printer is used for positional feedback.

The base of the printer is a homemade y-carriage with another salvaged printer motor and encoder driving a threaded rod. The positional feedback for this axis is provided by an optical mouse gliding on a sheet of graph paper. The printer nozzle is a cup of ink with a solenoid-actuated needle in it. When the needle moves in a hole at the bottom, it dispenses ink.

As always, [HomoFaciens] makes something that is the very definition of a hack. Commenters will have to go elsewhere to leave their favorite debasement.


Threadless Ballscrew for 3D Printer

[2n2r5] posted up a mechanism that we’d never seen before — a threadless ballscrew that turns rotational into linear motion with no backlash. It works by pressing the edge of three bearings fairly hard up against a smooth rod, at an angle. The bearings actually squeeze the rod a little bit, making a temporary indentation in the surface that works just like a screw thread would. As the bearings roll on, the rod bounces back to its original shape. Watch it in action in the video below.


This Teddy Bear Steals Your Ubuntu Secrets

Ubuntu just came out with the new long-term support version of their desktop Linux operating system. It’s got a few newish features, including incorporating the “snap” package management format. One of the claims about “snaps” is that they’re more secure — being installed read-only and essentially self-contained makes them harder to hack across applications. In principle.

[mjg59] took issue with their claims of increased cross-application security. And rather than just moan, he patched together an exploit that’s disguised as a lovable teddy bear. The central flaw is something like twenty years old now; X11 has no sense of permissions and any X11 application can listen in on the keyboard and mouse at any time, regardless of which application the user thinks they’re providing input to. This makes writing keylogging and command-insertion trojans effortless, which is just what [mjg59] did. You can download a harmless version of the demo at [mjg59]’s GitHub.

This flaw in X11 is well-known. In some sense, there’s nothing new here. It’s only in light of Ubuntu’s claim of cross-application security that it’s interesting to bring this up again.

[Image: xeyes]

And the teddy bear in question? Xteddy dates back to when it was cool to display a static image in a window on a workstation computer. It’s like a warmer, cuddlier version of Xeyes. Except it just sits there. Or, in [mjg59]’s version, it records your keystrokes and uploads your passwords to shady underground characters or TLAs.

We discussed Snappy Core for IoT devices previously, and we think it’s a step in the right direction towards building a system where all the moving parts are only loosely connected to each other, which makes upgrading part of your system possible without upgrading (or downgrading) the whole thing. It probably does enhance security when coupled with a newer display manager like Mir or Wayland. But as [mjg59] pointed out, “snaps” alone don’t patch up X11’s security holes.

[Sprite_tm] Gives Near Death VFD a Better Second Life

[Sprite_tm] picked up some used VFD displays for cheap, and wanted to make his own custom temperature and air-quality display. He did that, of course, but turned it into a colossal experiment in re-design to boot. What started out as a $6 used VFD becomes priceless with the addition of hours of high-powered hacking mojo.

You see, the phosphor screen had burnt-in spots where the old display was left static for too long. A normal person would either live with it or buy new displays. [Sprite_tm] ripped off the old display driver and drives the row and column shift registers using the DMA module on a Raspberry Pi 2, coding up his own fast PWM/BCM hybrid scheme that can do greyscale.

He mapped out the individual pixels using a camera and post-processing in the GIMP to establish how far each burnt-in pixel had degraded. He then re-wrote a previous custom driver project to compensate in firmware for each pixel’s reduced brightness. After all that work, he wrapped the whole thing up in a nice wooden frame.

There’s a lot to read, so just go hit up his website. High points include the shift-register-based driver transplant, the bit-angle modulation that was needed to get the necessary bit-depth for the grayscale, and the PHP script that does the photograph-based brightness correction.
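To make the two software pieces above concrete, here is an added Python model of bit-angle modulation and of photograph-based brightness compensation. It is not [Sprite_tm]’s code (his driver is a PWM/BCM hybrid in firmware, and his correction runs as a PHP script); the measurement values, the pure-BAM scheme, and the function names are assumptions made for the example. It shows why BAM needs only one shift-register load per bit plane for a full grey ramp, and how a per-pixel gain derived from a photo equalises the light output of burnt-in pixels.

```python
def compensate(desired, measured, max_level=255):
    """Per-pixel drive levels that equalise perceived brightness.

    desired:  wanted level per pixel, 0..max_level, relative to the dimmest pixel
    measured: brightness each pixel gave at full drive in the photograph (any
              unit), so a burnt-in pixel has a smaller value than its neighbours
    The dimmest pixel sets the ceiling: brighter pixels are driven less so that
    drive * measured comes out equal for the same desired level.
    """
    m_min = min(measured)
    return [min(max_level, int(round(d * m_min / m))) for d, m in zip(desired, measured)]


def bam_frames(levels, bits=8):
    """Bit-angle modulation: one shift-register frame per bit plane, held for
    2**b ticks. An 8-bit level therefore costs 8 register loads per cycle,
    against the 255 a tick-by-tick PWM loop would need for the same depth."""
    return [([(v >> b) & 1 for v in levels], 1 << b) for b in range(bits)]


def on_ticks(frames, n_pixels):
    """Total ticks each pixel is lit over one full BAM cycle, a model of the
    light the eye integrates; it reproduces the requested level exactly."""
    total = [0] * n_pixels
    for plane, hold in frames:
        for i, bit in enumerate(plane):
            total[i] += bit * hold
    return total


def register_loads_per_cycle(bits):
    """(BAM, plain PWM) shift-register loads per modulation cycle."""
    return bits, (1 << bits) - 1


def demo():
    # Constructed measurements: pixel 2 is burnt in and gives only half the light.
    measured = [1.0, 0.8, 0.5]
    drive = compensate([255, 255, 255], measured)   # -> [128, 159, 255]
    lit = on_ticks(bam_frames(drive), len(drive))   # equals drive
    light = [d * m for d, m in zip(lit, measured)]  # now nearly equal per pixel
    return drive, lit, light


if __name__ == "__main__":
    print(demo(), register_loads_per_cycle(8))
```

The price of equalising toward the dimmest pixel is overall brightness: a pixel that only gives half its original light drags the whole display down to that level, which is why a badly burnt display needs a trade-off between uniformity and peak brightness rather than a pure gain map.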

Picking a favorite [Sprite_tm] hack is like picking a favorite ice-cream flavor: they’re all good. But his investigation into hard-drive controller chips still makes our head spin just a little bit. If you missed his talks about the Tamagotchi Singularity from the Hackaday SuperCon make sure you drop what you’re doing and watch it now.

Milk-Based 3D Scanner

3D scanners don’t have to be expensive or high-tech because all of the magic goes on in software. The hardware setup just needs to gather a bunch of cross-sections. In perhaps the lowest-tech of scanners that we’ve seen, [yenfre]’s GotMesh scanner uses milk.

Specifically, the apparatus is a pair of boxes, one with a hole drilled in it. You put the object in the top box and fill it with milk to cover the object. A camera takes pictures of the outline of the object in the milk as it drains out the hole, these get stitched together, and voilà.

There are limitations to this method. The object gets soaked in milk, so it won’t work for scanning sand-castles. (It’s optimally suited for chocolate-chip cookies, in our opinion.) If the camera is located directly above, the objects have to get wider as the milk drains out. You can do multiple takes with the object rotated at different angles or use multiple cameras to solve this problem. The edge-detection software will have issues with white objects in milk, so maybe you’ll want to scan that porcelain figurine in coffee, but you get the idea. More seriously, the rate of milk drain will slow down a bit as the amount of milk in the upper box decreases. This could also be handled in software.
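The slowing drain mentioned above is the kind of thing that is easy to handle in software once a model of the milk level is chosen. The block below is an added Python example, not part of [yenfre]’s GotMesh code: it assumes a Torricelli drain model (a box of constant cross-section emptying through a small hole, so the square root of the height falls linearly with time), converts constant-rate frame times into actual slice heights, and then resamples the silhouettes onto evenly spaced layers so the reconstruction is not denser near the bottom simply because the milk drained more slowly there. The drain coefficient, frame times and silhouettes are constructed values.

```python
import math


def drain_coefficient(hole_area, box_area, g=9.81):
    """k in h(t) = (sqrt(h0) - k*t)**2 for Torricelli drainage (assumed model)."""
    return (hole_area / box_area) * math.sqrt(g / 2.0)


def milk_height(t, h0, k):
    """Milk level above the hole at time t, clamped at empty."""
    s = math.sqrt(h0) - k * t
    return s * s if s > 0.0 else 0.0


def frame_heights(frame_times, h0, k):
    """Height of the milk line in each photo taken at the given times."""
    return [milk_height(t, h0, k) for t in frame_times]


def stack_slices(frames, h0, k):
    """frames: (time, silhouette) pairs, the silhouette being the outline of the
    object at the milk line in that photo. Returns (z, silhouette) bottom-up."""
    slices = [(milk_height(t, h0, k), mask) for t, mask in frames]
    return sorted(slices, key=lambda s: s[0])


def resample_uniform_z(slices, n_layers, height):
    """Nearest-slice lookup onto n_layers evenly spaced heights."""
    out = []
    for i in range(n_layers):
        z = height * (i + 0.5) / n_layers
        nearest = min(slices, key=lambda s: abs(s[0] - z))
        out.append((z, nearest[1]))
    return out


def demo():
    h0, k = 0.16, 0.01            # 16 cm of milk, constructed coefficient
    times = [0, 10, 20, 30]       # seconds, constant frame rate
    heights = frame_heights(times, h0, k)          # 0.16, 0.09, 0.04, 0.01
    gaps = [a - b for a, b in zip(heights, heights[1:])]   # 0.07, 0.05, 0.03
    # Constructed 1-D silhouettes ('#' = object) of something wider at the base.
    frames = list(zip(times, ["..#..", ".###.", ".###.", "#####"]))
    layers = resample_uniform_z(stack_slices(frames, h0, k), 4, h0)
    return heights, gaps, layers


if __name__ == "__main__":
    for row in demo():
        print(row)
```

The shrinking gaps in `demo()` are the whole point: at a fixed frame rate the photos bunch up near the bottom of the box, so a model of the level versus time (or a float sensor, if you would rather measure than model) is what turns frame numbers into real heights.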

In all, we’re not surprised that we don’t see commercial versions of this device, but we love the idea. It’s based on this experiment where they dip a guy in a tank of ink! If you just drank all your milk, but still have a line-laser lying around, maybe this build is more your speed. What’s your cheapest 3D scanner solution?

Hacking Flappy Bird By Playing Mario

This is a hacking and gaming tour de force! [Seth Bling] executed a code injection hack in Super Mario World (SMW) that not only glitches the game, but re-programs it to play a stripped-down version of “Flappy Bird”. And he did this not with a set of JTAG probes, but by using the game’s own controller.

There are apparently a bunch of people working on hacking Super Mario World from within the game, and a number of these hacks use modified controllers to carry out the sequence of codes. The craziest thing about our hack here is that [Seth] did this entirely by hand. The complete notes are available here, but we’ll summarize the procedure for you. Or you can go watch the video below. It’s really incredible.
