Year: 2015

[Jay] Turns Over A New Leaf, Scores Batteries

April 29, 2015 by 36 Comments

[Jay] got a pretty good deal on a low milage Nissan Leaf battery. Unfortunately, it came wrapped in a wrecked Nissan Leaf. There are more and more electric cars on the road each year, and that means there are more cars coming off the road as well due to accidents. Electric cars are specifically designed to protect their batteries, so as we’ve seen before with Tesla vehicles,  a salvage car often will still contain a serviceable battery pack. [Jay] used this knowledge to his advantage, and walks us through his experience buying, testing, and dismantling Hoja, his very own salvage Leaf.

[Jay] set up an account on Copart, an auto salvage auction website here in the USA. “Live” online Auto auctions tend to work a bit differently than E-bay, so [Jay] walks us through the process of buying the car, and gives some tips for getting through the process. [Jay’s] particular car was delivered to him on a trailer. It had been rear ended so hard that the rear tires were not usable. The car was also electrically dead. Thankfully, the electrical problems turned out to be a discharged 12 volt accessory battery. A quick charge of the accessory battery caused the Leaf to spring to life – and display a ton of trouble codes. [Jay] cleared the codes with his trusty OBD II scanner, and the car was ready to drive, at least as much as a wrecked car can drive. It did move under its own power though – with the rear end riding on dollies.

Now that the battery was known to be good, [Jay] set about liberating it from its crushed Leaf cocoon. Nissan’s service manual assumes one would be doing this with a lift. [Jay] had no such luxuries in his driveway, so he used 3 floor jacks to lower the 600 lb battery and dollies to pull it out from under the car.

Click past the break for the rest of the story.

Continue reading “[Jay] Turns Over A New Leaf, Scores Batteries”

Teardown: An Electronic Master Lock

April 29, 2015 by 35 Comments

[rohare] has an interesting teardown for us over on the keypicking lock picking forums. It’s a Masterlock combination lock – specifically the Masterlock 1500eXD – and yes, it’s a completely electronic lock with buttons and LEDs. Think that’s the mark of a terrible lock? You might be surprised.

The first impressions of this lock were surprisingly positive. It was heavy, the shackle doesn’t move at all when you pull on it. Even the buttons and LEDs made sense. Once the back of the lock was drilled open, things got even more impressive. This lock might actually be well-built, with a ‘butterfly’ mechanism resembling a legendary padlock, actuated by a small but sufficient motor. Even the electronics are well-designed, with the programming port blocked by the shackle when it’s closed. [rohare] suspects the electronics aren’t made by Masterlock, but they are installed in a very secure enclosure.

The teardown concludes with a fair assessment that could also be interpreted as a challenge: [rohare] couldn’t find any obvious flaws to be exploited, or a simple way to break the lock. He concludes the most probable way of breaking this lock would be, “knowing some trick of logic that bypasses the codes on the electronics”. That sounds like a good enough challenge for us, and we’re eagerly awaiting the first person to digitally unlock this physical lock.

Thin Client Hack

Hacking A Thin Client To Gain Root Access

April 29, 2015 by 15 Comments

[Roberto] recently discovered a clever way to gain root access to an HP t520 thin client computer. These computers run HP’s ThinPro operating system. The OS is based on Linux and is basically just a lightweight system designed to boot into a virtual desktop image loaded from a server. [Roberto’s] discovery works on systems that are running in “kiosk mode”.

The setup for the attack is incredibly simple. The attacker first stops the virtual desktop image from loading. Then, the connection settings are edited. The host field is filled with garbage, which will prevent the connection from actually working properly. The real trick is in the “command line arguments” field. The attacker simply needs to add the argument “&& xterm”. When the connection is launched, it will first fail and then launch the xterm program. This gives the attacker a command shell running under the context of whichever user the original software is running as.

The next step is to escalate privileges to root. [Roberto] discovered a special command that the default user can run as root using sudo. The “”hpobl” command launches the HP Easy Setup Wizard. Once the wizard is opened, the attacker clicks on the “Thank You” link, which will then load up the HP website in a version of Firefox. The final step is to edit Firefox’s default email program association to xterm. Now when the attacker visits an address like “mailto:test@test.com”, Firefox (running as root) launches xterm with full root privileges. These types of attacks are nothing new, but it’s interesting to see that they still persist even in newer software.

Hackaday Prize Entry: Ground Penetrating Radar

April 29, 2015 by 33 Comments

This year’s Hackaday Prize is heating up, and right now there are quite a few projects in the works covering domains that are rarely, if ever, seen coming out of a garage or a workshop. One of the most interesting is [Glenn Powers]’ Open Ground Penetrating Radar. It’s exactly what the title says: an open-source radar system that can see into the Earth for less than $500.

While ground penetrating radar is great for archaeology and people searching for hoards buried in the middle of farmland, the biggest application is safety. You need only to Google “Florida sinkhole” to see the value of peering into the Earth.

[Glenn] is building his ground penetrating radar with a bare minimum of parts. A Baofeng VHF/UHF My First Radio™ serves as the signal generator, the controller is just an optoisolator, and the switch controller is a 7404 hex inverter. It literally can’t get simpler than that.

Of course these components can only be assembled into a simple radar, and the real value of a ground penetrating radar is the ability to map an area. For that, [Glenn] is bringing out a Pi and a GPS dongle to control the whole thing. Visualization is provided by none other than the US Navy. If it works for submarines, it should work for a metal cart, right?

It’s a great project, not only in the fact that it could help a whole bunch of people, but as a prime example of doing so much without tens of thousands of dollars in test equipment.

The 2015 Hackaday Prize is sponsored by:

Race Conditions Exploit Granted Free Money On Web Services

April 29, 2015 by 10 Comments

[Josip] has been playing around with race conditions on web interfaces lately, finding vulnerabilities on both Facebook and Digital Ocean. A race condition can occur when a piece of software processes multiple threads using a shared resource.

For example, [Josip] discovered that he was able to manipulate page reviews using just a single Facebook account. Normally, a user is permitted to leave just one review for any given Facebook page. This prevents a single user from being able to skew the page’s overall ranking by making a bunch of positive or negative reviews. The trick to manipulating the system was to intercept the HTTP request that submitted the page review. The request was then replayed over and over in a very short amount of time.

Facebook’s servers ended up processing some of these requests simultaneously, essentially unaware that multiple requests had come in so close together. The result was that multiple reviews were submitted, artificially changing the pages overall ranking even though only one review actually showed up on the page for this user. The user can then delete their single review, and repeat this cycle over and over. It took Facebook approximately two months to fix this vulnerability, but in the end it was fixed and [Josip] received a nice bounty.

The Digital Ocean hack was essentially the exact same process. This time instead of hacking page reviews, [Josip] went after some free money. He found that he was able to submit the same promotional code multiple times, resulting in a hefty discount at checkout time. Digital Ocean wasted no time fixing this bug, repairing it within just ten days of the disclosure.

garage door indicator

Indicator For Forgetful-Minded Garage Door Users

April 28, 2015 by 23 Comments

[Gareth] had a friend who regularly forgot to close his garage door after parking his car and heading inside. Since [Gareth] was familiar with basic electronics and an overall good pal, he offered to make a device that would indicate whether the garage door was open or not.

The project starts off simple with an Arduino and ultrasonic distance sensor. Both are mounted to the ceiling of the garage with the ultrasonic sensor pointed down. When the garage door is open, the sensor outputs a shorter distance measurement than when the garage door is closed.

Now that the system knows when the door is open or closed, the next part was sending a signal inside the house. He could have run a wire up through the house walls to an LED indicator but decided to go wireless with a 433mhz transmitter. There is a second Arduino inside equipped with a 433mhz receiver. When the garage door is open, the Arduino inside the house flashes an LED reminding the forgetful occupant to close the door.

[Gareth] made all his code for both the sensor/transmitter and the receiver available on his site for anyone interested in making something similar.

Upgrading A Microsoft Surface To A 1 TB SSD

April 28, 2015 by 66 Comments

The Microsoft Surface Pro 3 is a neat little tablet, and with an i7 processor, a decent-resolution display, and running a full Windows 8.1 Pro, it’s the closest you’re going to get to a desktop in tablet format. Upgrading the Surface Pro 3, on the other hand, is nigh impossible. iFixit destroyed the display in their teardown, as did CNET. [Jorge] wanted to upgrade his Surface Pro 3 with a 1 TB SSD, and where there’s a will there’s a way. In this case, a very precise application of advanced Dremel technology.

Taking a Surface Pro 3 apart the traditional way with heat guns, spudgers, and a vast array of screwdrivers obviously wasn’t going to work. Instead, [Jorge] thought laterally; the mSSD is tucked away behind some plastic that is normally hidden by the small kickstand integrated into the Surface. If [Jorge] could cut a hole in the case to reveal the mSSD, the resulting patch hole would be completely invisible most of the time. And so enters the Dremel.

By taking some teardown pictures of the Surface Pro 3, printing them out to scale, and aligning them to the device he had in his hand, [Jorge] had a very, very good idea of where to make the incision. A Dremel with a carbide bit was brought out to cut into the metal, and after a few nerve-wracking minutes the SSD was exposed.

The only remaining task was to clone the old drive onto the new one, stuff it back in the Surface, and patch everything up. [Jorge] is using some cardboard and foam, but a sticker would do just as well. Remember, this mod is only visible when the Surface kickstand is deployed, so it doesn’t have to look spectacular.

Thanks [fridgefire] and [Neolker] for sending this in.