These Sands Of Time Literally Keep Time

Hour glasses have long been a way to indicate time with sand, but the one-hour resolution isn’t the best. [Erich] decided he would be do better and made a clock that actually wrote the time in the sand. We’ve seen this before with writing time on a dry erase board with an arm that first erases the previous time and then uses a dry erase marker to write the next time. [Erich]’s also uses an arm to write the time, using the tip of a sea shell, but he erases the time by vibrating the sandbox, something that took much experimentation to get right.

To do the actual vibrating he used a Seeed Studio vibration motor which has a permanent magnet coreless DC motor. Interestingly he first tried with a rectangular sandbox but that resulted in hills and valleys, so he switched to a round one instead. Different frequencies shifted the sand around in different ways, some moving it to the sides and even out of the sandbox, but trial and error uncovered the right frequency, duration, and granular medium. He experimented with different sands, including litter for small animals, and found that a powder sand with small, round grains works best.

Four white LEDs not only add to the nice ambience but make the writing more visible by creating shadows. The shells also cleverly serve double duty, both for appearance and for hiding things. Shells cause the arms to be practically invisible until they move (well worth viewing the video below), but the power switch and two hooks for lifting the clock out of the box are also covered by shells. And best of all, the tip that writes in the sand is a shell. There’s plenty more to admire about the cleverness and workmanship of this one.

Continue reading “These Sands Of Time Literally Keep Time”

One Man, A Raspberry Pi, and a Formerly Hand Powered Loom

[Fred Hoefler] was challenged to finally do something with that Raspberry Pi he wouldn’t keep quiet about. So he built a machine assist loom for the hand weaver. Many older weavers simply can’t enjoy their art anymore due to the physical strain caused by the repetitive task. Since he had a Pi looking for a purpose, he also had his project.

His biggest requirement was cost. There are lots of assistive looms on the market, but the starting price for those is around ten thousand dollars. So he set the rule that nothing on the device would cost more than the mentioned single board computer. This resulted in a BOM cost for the conversion that came in well under two hundred dollars. Not bad!

The motive parts are simple cheap 12V geared motors off Amazon. He powered them using his own motor driver circuits. They get their commands from the Pi, running Python. To control the loom one can either type in commands into the shell or use the keyboard. There are also some manual switches on the loom itself.

In the end [Fred] met his design goal, and has further convinced his friends that the words Raspberry Pi are somehow involved with trouble.

Continue reading “One Man, A Raspberry Pi, and a Formerly Hand Powered Loom”

Hacking a Thin Client to Gain Root Access

[Roberto] recently discovered a clever way to gain root access to an HP t520 thin client computer. These computers run HP’s ThinPro operating system. The OS is based on Linux and is basically just a lightweight system designed to boot into a virtual desktop image loaded from a server. [Roberto’s] discovery works on systems that are running in “kiosk mode”.

The setup for the attack is incredibly simple. The attacker first stops the virtual desktop image from loading. Then, the connection settings are edited. The host field is filled with garbage, which will prevent the connection from actually working properly. The real trick is in the “command line arguments” field. The attacker simply needs to add the argument “&& xterm”. When the connection is launched, it will first fail and then launch the xterm program. This gives the attacker a command shell running under the context of whichever user the original software is running as.

The next step is to escalate privileges to root. [Roberto] discovered a special command that the default user can run as root using sudo. The “”hpobl” command launches the HP Easy Setup Wizard. Once the wizard is opened, the attacker clicks on the “Thank You” link, which will then load up the HP website in a version of Firefox. The final step is to edit Firefox’s default email program association to xterm. Now when the attacker visits an address like “mailto:test@test.com”, Firefox (running as root) launches xterm with full root privileges. These types of attacks are nothing new, but it’s interesting to see that they still persist even in newer software.

The Pi 2 Means Faster GPIO

The Raspberry Pi is a great machine to learn the ins and outs of blinking pins, but for doing anything that requires blinking pins fast, you’re better off going with a BeagleBone. This has been the conventional wisdom for years now, and now that the updated Raspberry Pi 2 is out, there’s the expectation that you’ll be able to blink a pin faster. The data are here, and yes, you can.

The method of testing was connecting a PicoScope 5444B to a pin on the GPIO pin and toggling between zero and one as fast as possible. The original test wasn’t very encouraging; Python maxed out at around 70 kHz, Ruby was terrible, and only C with the native library was useful for interesting stuff – 22MHz.

Using the same experimental setup, the Raspberry Pi 2 is about 2 to three times faster. The fastest is still the C native library, topping out at just under 42 MHz. Other languages and libraries are much slower, but the RPi.GPIO Python library stukk sees a 2.5x increase.

Transcend DrivePro 200 Hack to Stream and Script; Begs for More

Transcend markets their DrivePro 200 camera for use as a car dashcam. We’re a bit surprised at the quality and apparent feature set for something relegated to a rather mundane task as this. But [Gadget Addict] poked around and found a nice little nugget: you can live stream the video via WiFi; the framerate, quality, and low-lag are pretty impressive. In addition to that, the next hack is just waiting for you to unlock it.

As it stands right now you turn on the camera’s built-in WiFi AP, telnet into two different ports on the device (sending it into smartphone connected mode) and you’ll be able to live stream the view to your computer using RTSP. Great, that in itself is a good hack and we’re sure that before long someone will figure out an automatic way to trigger this. [GA] also found out how to get the thing into script mode at power-on. He hasn’t actually executed any code… that’s where you come in. If you have one of these pull it out and get hacking! It’s a matter put putting files on the SD storage and rebooting. Crafting this file to enable shell access would open up an entire world of hacks, from things like time-lapse and motion sensing to special processing and filtering in real time. We think there’s huge potential so keep us up-to-date as you find new ways to pwn this hardware.

Continue reading “Transcend DrivePro 200 Hack to Stream and Script; Begs for More”

Yik Yak MITM Hack (Give the Dog a Bone)

Yik Yak is growing in popularity lately. If you are unfamiliar with Yik Yak, here’s the run down. It’s kind of like Twitter, but your messages are only shared with people who are currently within a few miles of you. Also, your account is supposed to be totally anonymous. When you combine anonymity and location, you get some interesting results. The app seems to be most popular in schools. The anonymity allows users to post their honest thoughts without fear of scrutiny.

[Sanford Moskowitz] decided to do some digging into Yik Yak’s authentication system. He wanted to see just how secure this “anonymous” app really is. As it turns out, not as much as one would hope. The primary vulnerability is that Yik Yak authenticates users based solely on a user ID. There are no passwords. If you know the user’s ID number, it’s game over.

The first thing [Sanford] looked for was an encrypted connection to try to sniff out User ID’s. It turned out that Yik Yak does actually encrypt the connection to its own servers, at least for the iPhone app. Not to worry, mobile apps always connect to other services for things like ad networks, user tracking, etc. Yik Yak happens to make a call to an analytics tool called Flurry every time the app is fired. Flurry needs a way to track the users for Yik Yak, so of course the Yik Yak App tells Flurry the user’s ID. What other information would the anonymous app have to send?

Unfortunately, Flurry disables HTTPS by default, so this initial communication is in plain text. That means that even though Yik Yak’s own communications are protected, the User ID is still exposed and vulnerable. [Sanford] has published a shell script to make it easy to sniff out these user ID’s if you are on the same network as the user.

Once you have the user ID, you can take complete control over the account. [Sanford] has also published scripts to make this part simple. The scripts will allow you to print out every single message a user has posted. He also describes a method to alter the Yik Yak installation on a rooted iPhone so that the app runs under the victim’s user ID. This gives you full access as if you owned the account yourself.

Oh, there’s another problem too. The Android app is programmed to ignore bad SSL certificates. This means that any script kiddie can perform a simple man in the middle attack with a fake SSL certificate and the app will still function. It doesn’t even throw a warning to the user. This just allows for another method to steal a user ID.

So now you have control over some poor user’s account but at least they are still anonymous, right? That depends. The Yik Yak app itself appears to keep anonymity, but by analyzing the traffic coming from the client IP address can make it trivial to identify a person. First of all, [Sanford] mentions that a host name can be a dead giveaway. A host named “Joe’s iPhone” might be a pretty big clue. Other than that, looking out for user names and information from other unencrypted sites is easy enough, and that would likely give you everything you need to identify someone. Keep this in mind the next time you post something “anonymously” to the Internet.

[via Reddit]

Finding a Shell in a Bose SoundTouch

Bose, every salesperson’s favorite stereo manufacturer, has a line of WiFi connected systems available. It’s an impressively innovative product, able to connect to Internet Radio, Pandora, music libraries stored elsewhere on the network. A really great idea, and since this connects to a bunch of web services, you just know there’s a Linux shell in there somewhere. [Michael] found it.

The SoundTouch is actually rather easy to get into. The only real work to be done is connecting to port 17000, turning remote services on, and then connecting with telnet. The username is root.

The telnet service on port 17000 is actually pretty interesting, and we’re guessing this is what the SoundTouch iOS app uses for all its wizardry. [Michael] put a listing of the ‘help’ command up on pastebin, and it looks like there are commands for toggling GPIOs, futzing around with Pandora, and references to a Bluetooth module.

Interestingly, when [Michael] first suspected there could be Linux inside this box, he contacted Bose support for any information. He figured out how to get in on his own, before Bose emailed him back saying the information is proprietary in nature.