Microcorruption Embedded CTF

The folks at Matasano Security and Square have teamed up to build an online capture the flag (CTF) competition. The Microcorruption CTF focuses on embedded security and challenges players to reverse engineer a fictional “Lockitall LockIT Pro” lock system.

Each level drops you into a debugging environment with a disassembly listing, live memory view, register view, and debugging console. You can set breakpoints, step through code, and modify registers, just as you would in a real debugger. Your goal is to figure out how to bypass the lock and collect the bearer bonds it guards.

While the device and motive may be fictional, the assembly is actual MSP430 code. The debugger is similar to GDB connected to a remote target using OpenOCD. There’s even a manual (PDF) to help you get up to speed with writing MSP430 code for the device.

This CTF looks like a great introduction to embedded security, and doesn’t require buying real hardware. It even includes a full tutorial to get you started.

Sucking PIC Firmware Out Of An Old APC Battery Backup


Looking at this huge Uninterruptible Power Supply we are a little envious. It’s meant to hang on the wall of a utility room and power your critical devices. [Radek Hvizdos] has had it in service for quite some time, and when he started thinking of replacing the internal battery he decided to see if he could also extend the functionality. To do so he needed to get at the firmware of the chip controlling the device. And so began his adventure of dumping the firmware from the read-protected PIC 18F452.

Dumping code from a read-protected chip is a fun project in itself, but [Radek] was actually interested in fixing bugs and adding features. The wishlist feature we’d be most interested in is a kind of triage for shutting down devices as the internal battery starts to run low. Nice! But starting from scratch with the firmware is a no-go. He connected to the PCB in two places: the upper connection is for a PIC programmer, the lower is an I2C connection used to dump the EEPROM with an improvised Bus Pirate.

In the end it was improper lock bit settings that opened the door to grabbing the firmware. The bootloader section of the PIC is not locked, and table reads of flash from code running on the chip are not blocked either. Together these let him write his own code which, once flashed into the bootloader section, reads out the rest of the program memory so it can be combined with the bootloader dump into a complete image afterward. Since posting this fascinating article he has made a follow-up about disassembling the code.
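To make the misconfiguration concrete, here is an added host-side model (not code from [Radek]’s write-up) of the PIC18F452 protection bits his dump depends on, with the dump loop and the merge step. The configuration bit positions and block boundaries are quoted from memory of the PIC18F452 datasheet’s configuration-word table and are an assumption to verify before relying on them; the flash contents are a constructed pattern.

```c
/* Added example, not code from the original write-up: a host-side model of
 * the PIC18F452 protection bits the dump relies on, plus the dump-and-merge
 * logic. Register bit positions and block boundaries are from memory of the
 * PIC18F452 datasheet (assumption: verify against the datasheet before using
 * them on real silicon). */
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define FLASH_SIZE  0x8000u   /* 32 KB program memory                          */
#define BOOT_END    0x0200u   /* boot block occupies 0x0000-0x01FF             */
#define BLOCK_SIZE  0x2000u   /* blocks 0-3 are 8 KB; block 0 starts at 0x0200 */

/* Relevant configuration bytes (1 = unprotected for every bit listed):
 *   CONFIG5L bits 3..0  CP3..CP0   block n readable by an external programmer
 *   CONFIG5H bit 6      CPB        boot block readable by an external programmer
 *   CONFIG6H bit 6      WRTB       boot block writable
 *   CONFIG7L bits 3..0  EBTR3..0   block n readable by TBLRD from code in other blocks */
struct pic18_cfg { uint8_t cfg5l, cfg5h, cfg6h, cfg7l; };

#define CPB_BIT   0x40u
#define WRTB_BIT  0x40u
#define EBTR_MASK 0x0Fu

/* Which application block (0..3) holds addr, or -1 for the boot block. */
static int block_of(uint16_t addr)
{
    return addr < BOOT_END ? -1 : (int)(addr / BLOCK_SIZE);
}

/* The precondition the write-up describes: the boot block is open to the
 * programmer, and every application block still honours table reads issued
 * by code running in another block (here, the boot block). */
int dump_via_bootblock_possible(const struct pic18_cfg *c)
{
    int boot_open = (c->cfg5h & CPB_BIT) && (c->cfg6h & WRTB_BIT);
    int ebtr_open = (c->cfg7l & EBTR_MASK) == EBTR_MASK;
    return boot_open && ebtr_open;
}

/* One table read issued by code executing in the boot block. A block whose
 * EBTR bit is clear refuses the read; modelled as a failure return rather
 * than a guessed bus value. */
static int tblrd_from_boot(const uint8_t *flash, const struct pic18_cfg *c,
                           uint16_t addr, uint8_t *out)
{
    int b = block_of(addr);
    if (b >= 0 && !(c->cfg7l & (1u << b)))
        return 0;
    *out = flash[addr];
    return 1;
}

/* The dumper loop as it would run from the boot block: walk the application
 * area and emit every byte. Returns bytes dumped, or 0 if any read was refused. */
size_t dump_application(const uint8_t *flash, const struct pic18_cfg *c, uint8_t *out)
{
    for (uint32_t a = BOOT_END; a < FLASH_SIZE; a++)
        if (!tblrd_from_boot(flash, c, (uint16_t)a, &out[a - BOOT_END]))
            return 0;
    return FLASH_SIZE - BOOT_END;
}

/* Reassemble the complete image: the original boot block, read out by the
 * programmer before it was overwritten with the dumper, followed by the
 * application dump. Returns the image size, or 0 on a size mismatch. */
size_t merge_image(const uint8_t *boot, size_t boot_len,
                   const uint8_t *app, size_t app_len, uint8_t *image)
{
    if (boot_len != BOOT_END || app_len != FLASH_SIZE - BOOT_END)
        return 0;
    memcpy(image, boot, boot_len);
    memcpy(image + boot_len, app, app_len);
    return boot_len + app_len;
}

/* Demo on constructed flash contents: returns 1 when the merged image equals
 * the original. CP0..CP3 are clear (blocks unreadable by the programmer) but
 * EBTR0..3 are set, which is exactly the misconfiguration being exploited. */
int pic_dump_demo(void)
{
    static uint8_t flash[FLASH_SIZE], app[FLASH_SIZE - BOOT_END], image[FLASH_SIZE];
    const struct pic18_cfg cfg = { 0x00, CPB_BIT, WRTB_BIT, EBTR_MASK };
    for (uint32_t a = 0; a < FLASH_SIZE; a++)
        flash[a] = (uint8_t)(a * 7u + 3u);          /* constructed pattern */
    if (!dump_via_bootblock_possible(&cfg))
        return 0;
    if (dump_application(flash, &cfg, app) != sizeof app)
        return 0;
    if (merge_image(flash, BOOT_END, app, sizeof app, image) != FLASH_SIZE)
        return 0;
    return memcmp(image, flash, FLASH_SIZE) == 0;
}
```

The check worth taking away is the second one: code protection (CP) only stops an external programmer, while the EBTR bits decide whether on-chip code in one block may table-read another. Leaving the boot block writable and EBTR open turns the boot block into a dump vector regardless of the CP settings.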

Sniffing Wired Garage Door Opener Signals


In addition to being something fun to do with an oscilloscope, this could be a valuable time-saver for anyone looking to tap into the wired communications on a garage door opener. If you own an older model you might be scratching your head. But newer units have more than just one button operation, usually extending to at least two extra buttons that control the lights on the motor unit and lock out wireless control. A quick probing turned up the communication scheme used by the button unit mounted next to the door into the house.

We’ve patched into our own garage door using a simple relay to interface with a microcontroller, which still works for opening and closing the door. But if you’re looking for extended control you need to spoof one of the timing signals detailed in this post. We like the stated examples for future hacks: building a better wired button unit, or adding some type of RFID integration. We could see this approach being used to hack motion-activated light control into door openers that don’t have it.

[Thanks Victor]

Mephisto III Internet Radio

Avid Hackaday reader [Matthias] told us he takes a lot of inspiration from our site. That’s quite a compliment, because his work is both inspiring and beautiful. [Matthias] wanted to build a UI using JavaFX, so he made a really nice-looking Raspberry Pi-based Internet radio. We featured his previous radio build a few months ago when he modified an old Bakelite unit.

The Mephisto III is enclosed in a handsome oak cabinet built by [Matthias]’ father. Like his previous build, this one uses the Google Music interface to play MP3s and streams radio from the web. He also added weather and a clock, which is a nice touch. In addition to the Raspi and a USB WLAN stick, [Matthias] is using two relays: one powers the amplifier and the other enables the display. [Matthias] is impressed with the JavaFX API, but found that the performance of the Raspberry Pi is insufficient for smooth multithreading. He considered switching to a BeagleBone Black, but it lacks the Pi’s composite video output.

If you want to be able to listen to vinyl, too, check out this killer media center. If you have lost your taste for Pi, build yourself a web radio from a tiny router.

[Thanks Matthias]

$20 GPS/GLONASS/Beidou Receiver

Sticking a GPS module in a project has been a common occurrence for a while now, whether it be for a reverse geocache or for a drone telemetry system. These GPS modules are expensive, though, and they only listen in on GPS satellites – not the Russian GLONASS satellites or the Chinese Beidou satellites. NavSpark has the capability to listen to all these positioning systems, all while being an Arduino-compatible board that costs about $20.

Inside the NavSpark is a 32-bit microcontroller core (not ARM, but a SPARC-based LEON) with 1 MB of flash, 212 kB of RAM, and a whole lot of horsepower. Tacked onto this core is a GPS unit that’s capable of listening in on GPS, GPS and GLONASS, or GPS and Beidou signals, depending on the model.

On paper, it’s an extremely impressive board for any application that needs any sort of global positioning and a powerful microcontroller. There’s also the option of using two of these boards and active antennas to capture carrier phase information, bringing the accuracy of this setup down to a few centimeters. Very cool, indeed.

Thanks [Steve] for sending this in.

Magic Morse Arduino Trainer


Magic Morse is a mathematical algorithm that [Ray Burnette] wrote a few years ago to make it easy to send and receive Morse code. When he first wrote it, he designed it for a PIC, but since then he has re-written it to use as a training program for the Arduino platform.

It can run on the Uno, Nano, Pro Micro, or even home-brew Arduino boards. He’s demonstrating the program with a Nokia 5110 LCD, but has also included code for the typical 2×16 LCD displays. The Magic Morse algorithm is copyrighted, but he has released the Arduino code as open source in an effort to get people using Morse code once again — it is pretty awesome.

So how does it work? The algorithm assigns weights to the “dits” and “dahs” as they are received, accumulating them into a single number. When a longer pause arrives, that number is used as a pointer into an array of characters stored in the EEPROM, so decoding a character is one table lookup rather than a string comparison. He’s included a worked example of this in Excel on his page.
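Here is an added decoder of the same general shape, written for this page and not [Ray]’s copyrighted Magic Morse code: each received element adjusts a single index (a dit doubles it, a dah doubles it and adds one) and the pause after a character turns that index into a table lookup. The 1:3:7 dit/letter/word spacing and the 60 ms dit length in the demo are assumptions about the sender, and the key timings are constructed.

```c
/* Added example, not Ray Burnette's Magic Morse (which is copyrighted and
 * not reproduced here): a decoder of the same general shape, where each
 * received element adjusts a single index and the pause after a character
 * turns that index into a table lookup. Timing thresholds assume the usual
 * 1:3:7 dit/character/word spacing from the sender. */
#include <stddef.h>
#include <string.h>

/* Heap-ordered table: start at 1, a dit doubles the index, a dah doubles it
 * and adds one, so up to five elements land in 1..63. '#' = unassigned.
 * Hand-built from the international Morse alphabet, digits and '/'. */
static const char MORSE_TABLE[65] =
    "##ETIANMSURWDKGOHVF#L#PJBXCYZQ##54#3###2#######16#/#####7###8#90";

/* Look up a pattern written as a string of '.' and '-'. */
char morse_lookup(const char *pattern)
{
    unsigned idx = 1;
    for (; *pattern; pattern++) {
        if (*pattern == '.')      idx = idx * 2;
        else if (*pattern == '-') idx = idx * 2 + 1;
        else                      return '#';
        if (idx > 63)             return '#';   /* six or more elements */
    }
    return MORSE_TABLE[idx];
}

/* One keyed element: how long the key was down and how long it was up after. */
struct key_event { unsigned down_ms, up_ms; };

/* Decode timed key events with the given dit length. Key-down shorter than
 * two dits is a dit, otherwise a dah; a gap of two dits or more ends the
 * character, five or more also inserts a word space. Returns chars written. */
size_t morse_decode(const struct key_event *ev, size_t n, unsigned unit_ms,
                    char *out, size_t out_len)
{
    char pattern[16];
    size_t plen = 0, olen = 0;
    if (out_len == 0) return 0;
    for (size_t i = 0; i < n; i++) {
        if (plen < sizeof pattern - 1)
            pattern[plen++] = (ev[i].down_ms < 2 * unit_ms) ? '.' : '-';
        int last = (i + 1 == n);
        if (last || ev[i].up_ms >= 2 * unit_ms) {
            pattern[plen] = '\0';
            if (olen + 1 < out_len) out[olen++] = morse_lookup(pattern);
            plen = 0;
            if (!last && ev[i].up_ms >= 5 * unit_ms && olen + 1 < out_len)
                out[olen++] = ' ';
        }
    }
    out[olen] = '\0';
    return olen;
}

/* Demo on constructed timings (60 ms dit): "SOS E" keyed with textbook spacing. */
const char *morse_demo(void)
{
    static const struct key_event sos[] = {
        {60, 60}, {60, 60}, {60, 180},      /* S: ...   then letter gap */
        {180, 60}, {180, 60}, {180, 180},   /* O: ---                   */
        {60, 60}, {60, 60}, {60, 420},      /* S: ...   then word gap   */
        {60, 0},                            /* E: .     end of input    */
    };
    static char out[16];
    morse_decode(sos, sizeof sos / sizeof sos[0], 60, out, sizeof out);
    return out;
}
```

The 64-byte table is small enough to live in a microcontroller’s EEPROM, which is the same trade the article describes: a little storage in exchange for a decoder that needs no string matching on the hot path.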

Now you have no excuses about learning Morse code! Oh and if you don’t have a fancy telegraph key (the switch), [Ray’s] also published a handy method of making your own Morse code key out of popsicle sticks and magnets.

$1 Coin Cell Charger

Sure, coin cells usually last a long time — but do you really want to buy new ones and throw the old ones out? The LiR2032 coin cell is a rechargeable lithium battery, for which you can build a charger at around $1.

The five-minute hack starts with a TP4056 lithium charging board, a great DIY module designed to charge high-capacity cells at about 1 A. Luckily, it is pretty easy to modify the board to charge lower-capacity batteries: it’s just a matter of replacing resistor R4, which sets the charge current, and a little bit of soldering.