Hack Your Hot Air Station

It used to be hot air soldering gear was exotic, but not anymore. There are plenty of relatively inexpensive choices. Many of these appear to be the same despite having different brand names and model numbers. One that is common and inexpensive is the 858D. These run about $50. [Gabse] has one and decided to upgrade it using some open source controller hardware and software. There wasn’t a complete guide, so he created one himself.

According to the original GitHub page, the controller will work with the Youyue-858D and any clones. However, there are others like the Atten 858D that use a different controller. In addition, there have been several variants. [Gabse’s] guide is for the latest version. Information on other versions and brands might be on this discussion board thread.

Continue reading “Hack Your Hot Air Station”

Ever hear of the Ford Cylon?

OK, we haven’t heard of a Ford Cylon either. However, there is now a Mustang Cobra out there that has been given a famous Cylon characteristic. [Monta Elkins] picked himself up an aftermarket third brake light assembly, hacked it, and installed it on said Mustang.

The brake light assembly contains 12 LEDs, which unfortunately, are not individually addressable. Additionally, by the looks of it, the brake light housing was not meant to be opened up. That didn’t get [Monta] down though. There’s more than one way to skin a cat, but he chose to use a hot knife to open the assembly, which worked quite well. A rotary cutter tool was used to cut the traces between the LEDs allowing them to be individually controlled with an Arduino. A Bluetooth module allows him to control the new brake light from his smartphone. There are different modes (including a special mode that he shows off at the end of the video) that can be selected via a Bluetooth Terminal app.

There is no schematic or code link in the video itself or the description, but [Monta] did hit the high points. Therefore, it shouldn’t be too hard to replicate.

This isn’t the first brake light hack we’ve featured. This one goes way beyond just animated lightsThis one requires no programming. Rather wear your brake light? We’ve got your back(pack).

Hacked by Subtitles

CheckPoint researchers published in the company blog a warning about a vulnerability affecting several video players. They found that VLC, Kodi (XBMC), Popcorn-Time and strem.io are all vulnerable to attack via malicious subtitle files. By carefully crafting a subtitles file they claim to have managed to take complete control over any type of device using the affected players when they try to load a video and the respective subtitles.

According to the researchers, things look pretty grim:

We estimate there are approximately 200 million video players and streamers that currently run the vulnerable software, making this one of the most widespread, easily accessed and zero-resistance vulnerability reported in recent years. (…) Each of the media players found to be vulnerable to date has millions of users, and we believe other media players could be vulnerable to similar attacks as well.

One of the reasons you might want to make sure your software is up to date is that some media players download subtitles automatically from several shared online repositories. An attacker, as the researchers proved, could manipulate the website’s ranking algorithm and not only would entice more unsuspecting users to manually download his subtitles,  but would also guarantee that his crafted malicious subtitles would be those automatically downloaded by the media players.

No additional details were disclosed yet about how each video player is affected, although the researchers did share the details to each of the software developers so they can tackle the issue. They reported that some of the problems are already fixed in their current versions, while others are still being investigated. It might be a good idea to watch carefully and update your system before the details come out.

Meanwhile, we can look at the trailer:

Continue reading “Hacked by Subtitles”

Linux SambaCry

Great news everyone, Windows is not the only operating system with remote code execution via SMB. Linux has also its own, seven-year-old version of the bug. /s

This Linux remote execution vulnerability (CVE-2017-7494) affects Samba, the Linux re-implementation of the SMB networking protocol, from versions 3.5.0 onwards (since 2010). The SambaCry moniker was almost unavoidable.

The bug, however, has nothing to do on how Eternalblue works, one of the exploits that the current version of WannaCry ransomware packs with. While Eternalblue is essentially a buffer overflow exploit, CVE-2017-7494 takes advantage of an arbitrary shared library load.  To exploit it, a malicious client needs to be able to upload a shared library file to a writeable share, afterwards it’s possible for the attacker to cause the server to load and execute it. A Metasploit exploit module is already public, able to target Linux ARM, X86 and X86_64 architectures.

A patch addressing this defect has been posted to the official website and Samba 4.6.4, 4.5.10 and 4.4.14 have been issued as security releases to correct the defect. Patches against older Samba versions are also available. If you can’t apply the patch at the moment, the workaround is to add the parameter “nt pipe support = no” to the [global] section of your smb.conf and restart smbd. Note that this can disable some expected functionality for Windows clients.

Meanwhile, NAS vendors start to realise they have work on their hands. Different brands and models that use Samba for file sharing (a lot, if not all, of them provide this functionality) will have to issue firmware updates if they want to patch this flaw. If the firmware updates for these appliances take the same time they usually do, we will have this bug around for quite some time.

Hackaday Prize Entry: Heart Failure Detection Device

Early and low-cost detection of a Heart Failure is the proposal of [Jean Pierre Le Rouzic] for his entry for the 2017 Hackaday Prize. His device is based on a low-cost Doppler device, like those fetal Doppler devices used to listen an unborn baby heart, feeding a machine learning algorithm that could differentiate between a healthy and an unhealthy heart.

The theory behind it is that a regular, healthy heart tissue has a different acoustic impedance than degenerated tissue. Based on the acoustic impedance, the device would classify the tissue as: normal, degenerated, granulated or fibrous. Each category indicates specific problems mostly in connective tissues.

There are several advantages to have a working device like the one [Rouzic] is working on. To start, it would be possible to use it at home, without the intervention of a doctor or medical staff. It seems to us that would be as easy as using a blood pressure device or a fetal Doppler. It’s also relatively cheap (estimated under 150$) and it needs no gel to work. We covered similar projects that measure different heart signals, like Open Source electrocardiography, but ECG has the downfall that it requires attaching electrodes to the body.

One interesting proposed feature is that what is learn from a single case, is sent to every devices at their next update, so the devices get ‘smarter’ as they are used. Of course, there are a lot of ways for this to go wrong, but it’s a good idea to begin with.

Music Reading for Machines

“Dammit Jim, I’m a hacker, not a musician!”, to paraphrase McCoy Scotty from the original Star Trek series. Well, some of us are also musicians, some, like me, are also hack-musicians, and some wouldn’t know a whole note from a treble clef. But every now and then the music you want is in the form of sheet music and you need to convert that to something your hack can play. If you’re lucky, you can find software that will read the sheet music for you and spit out a MIDI or WAV file. Or, as with my hand-cranked music player, you may have to read just enough of the music yourself to convert musical notes to frequencies for something like a 555 timer chip. We’ll dive into both cases here.

Continue reading “Music Reading for Machines”

Coleco In Spat With ColecoVision Community

If you were a child of the late 1970s or early 1980s, the chances are that your number one desire was to own a games console. The one to have was the Atari 2600, notwithstanding that dreadful E.T. game.

Of course, there were other consoles during that era. One of these also-ran products came from Coleco, a company that had started in the leather business but by the mid 1970s had diversified into handheld single-game consoles. Their ColecoVision console of 1982 sold well initially, but suffered badly in the video game crash of 1983. By 1985 it was gone, and though Coleco went on to have further success, by the end of the decade they too had faded away.

The Coleco story was not over though, because in 2005 the brand was relaunched by a successor company. Initially it appeared on an all-in-one retro console, and then on an abortive attempt to crowdfund a new console, the Coleco Chameleon. This campaign came to a halt after the Chameleon prototypes were shown to be not quite what they seemed by eagle-eyed onlookers. Continue reading “Coleco In Spat With ColecoVision Community”