TinyFPGA is a Tiny FPGA Board

We recently noticed an open source design for TinyFPGA A-Series boards from [Luke Valenty]. The tiny boards measure 18 mm by 30.5 mm and are breadboard friendly. You can choose a board that holds a Lattice Mach XO2-256 or an XO2-1200, if you need the additional capacity.

The boards have the JTAG interface on the side pins and also on a top header that would be handy to plug in a JTAG dongle for programming. The tiny chips are much easier to work with when they are entombed in a breakout board like this. Bigger boards with LEDs and other I/O devices are good for learning, but they aren’t always good for integrating into a larger project. The TinyFPGA boards would easily work in a device you were prototyping or doing a small production run.


Low-Cost Rain Gauge Looks for Floods

We’ve seen a lot of uses for the now-ubiquitous ESP chip, including numerous wilderness-monitoring devices.

Pluvi.on stands out with some attractive solutions and a simple design.

A lot of outdoor projects involve some sort of stock weather-resistant enclosure, but this project has a custom-designed acrylic box. About 4 inches across, the gauge uses a seesaw-like bucket to measure rain: a funnel, built into the enclosure, sends water into the gauge, which records each time the bucket mechanism tilts, thereby recording the intensity of the rain. A NodeMCU packing an ESP8266 WiFi SoC sends the data to the cloud, helping predict the possibility of a flood in the area.

[Diogo Tolezano] and [Pedro Godoy] developed Pluvi.on as part of a Red Bull Basement hacker residency in São Paulo, Brazil. Interested in building your own Pluvi.on? They have building steps up on Instructables.

More ESP projects abound on Hackaday, including this ESP mini robot, a data-logging hamster wheel, and an ESP32 information display.

“Borrow” Payment Cards with NFC Proxy Hardware

Contactless payments are growing in popularity. Often the term will bring to mind the ability to pay by holding your phone over a reader, but the system can also use NFC tags embedded in credit cards, ID cards, passports, and the like. NFC is a reasonably secure method of validating payments as it employs encryption and the functional distance between client and reader is in the tens of centimeters, and often much less. [Haoqi Shan] and the Unicorn team have reduced the security of the distance component by using a hardware proxy to relay NFC interactions over longer distances.

The talk, given on Sunday at DEF CON, outlined some incredibly simple hardware: an NFC antenna connected to a PN7462AU, an NRF24L01 wireless transceiver, and some power regulation. The exploit works by using a pair of these hardware modules. A master interfaces with the NFC reader, and a slave reads the card. The scenario goes something like this: a victim NFC card is placed near the slave hardware. The master hardware is placed over a payment kiosk as if making a normal payment. As the payment kiosk reader begins the process to read an NFC card, all of the communications between it and the actual card are forwarded over the 24L01 wireless connection.

The demo video during the talk showed a fast-food purchase made on the Apple Pay network while the card was still at a table out in the dining area (resting on the slave hardware module). The card used was a QuickPass contactless payment card from China UnionPay. According to a 2016 press release from the company, over two billion of these cards had been issued at the time. With that kind of adoption rate there is a huge incentive to find and patch any vulnerabilities in the system.

The hardware components in this build aren’t really anything special. We’ve seen these Nordic wireless modules used in numerous projects over the years, and the NXP chip is just NFC built around an ARM core. The leaps that tie this together are the speed-ups to make it work. NFC has tight timing, and a delay between the master and slave would invalidate the handshake and subsequent interactions. The Unicorn team found some speed-ups by ensuring the chip was waking from suspend mode (150 µs) and not a deeper sleep. Furthermore, [Haoqi] mentioned they are only transmitting “I/S/R Block Data” and not the entirety of the interaction to save on time transmitting over the 24L01 wireless link. He didn’t expand on that, so if you have details about what those blocks actually consist of, please let us know in the comments below.

To the card reader, the emulated payment card is valid and the payment goes through. But one caveat to the system is that [Haoqi] was unable to alter the UID of the emulator; it doesn’t spoof the UID of the payment card being exploited. Current readers don’t check the UID, and this could be one possible defense against this exploit. But to be honest, since you need close physical proximity of the master to the reader and the slave to the payment card simultaneously, we don’t see mayhem in the future. It’s more likely that we’ll see hacker cred when someone builds a long-range link that lets you leave your NFC cards at home and take one emulator with you for wireless door access or contactless payments in a single device. If you want to get working on this, check out the talk slides for program flow and some source code hints.

These Twenty Wheels, Wings, and Walkers Won $1000 In The Hackaday Prize

Today, we’re excited to announce the winners of the Wheels, Wings, and Walkers portion of The Hackaday Prize. We were looking for the next generation of robots, drones, machines that make machines move, and hackers who now know far too much about inverse kinematics. The results were spectacular.

Hackaday is currently hosting the greatest hardware competition on Earth. We’re giving away thousands of dollars to hardware creators to build the next great thing. Last week, we wrapped up the third of five challenges. It was all about showing a design to Build Something That Matters. Hundreds entered and began their quest to build a device to change the world.

There are still two more challenges in The Hackaday Prize. If you’re working on Assistive Technologies, the time is now, with this portion of the Prize ending September 4th. After that, Anything Goes. The Anything Goes challenge is the catch-all, and we’re looking for the best projects, full stop.

The winners of the Wheels, Wings, and Walkers challenge are, in no particular order:

Wheels, Wings, and Walkers Hackaday Prize Finalists:


The Dark Arts – Remote File Inclusion

In the waning hours of 2010, a hacking group known as Lulzsec ran rampant across the Internet, leaving a path of compromised servers, a trail of defaced home pages, leaked emails, and login information in their wake. They were eventually busted via human error, and the leader of the group became an FBI informant. This handful of relatively young hackers had made a huge mess of things. After the digital dust had settled, researchers, journalists, and coders began to dissect just how this seemingly harmless group of kids was able to harness so much power and control over the World Wide Web. What they found was not only eye-opening to webmasters and coders, but shined a light on just how vulnerable all of our data was for everyone to see. It ushered in an era of renewed focus on security and how to write secure code.

In this Dark Arts series, we have taken a close look at the primary techniques the Lulzsec hackers used to gain illegal access to servers. We’ve covered two of them: SQL injection (SQLi) and cross-site scripting (XSS). In this article, we’ll go over the final technique, called remote file inclusion (RFI).

DISCLAIMER: Fortunately, the surge of security-minded coding practices after the fall of Lulzsec has (for the most part) removed these vulnerabilities from the Internet as a whole. These techniques are very dated and will not work on any server that is maintained and/or behind a decent firewall, and your IP will probably get flagged and logged for trying them out. But feel free to set up a server at home and play around.

Beautiful Rocketeer Jetpack Replica Boasts Impressive Metalwork

Fans of the Rocketeer comic book and movie franchise will be familiar with its hero’s 1930s-styled rocket backpack. It’s an intricate construction of complex streamlined curves that has inspired many recreations over the years.

Most Rocketeer jetpacks are made from plastic, foam, and other lightweight materials that will be familiar to cosplayers and costumers. But [David Guyton]’s one is different: he’s made it from sheet steel.

The attraction in his video is not so much the finished pack, though that is an impressive build. Instead it’s the workmanship, nay, the craftsmanship, as he documents every stage of the metalwork involved. The panel beating tools of a sheet metalworker’s trade are surprisingly simple, and it’s tempting to think as you watch: “I could do that!”. But behind the short video clips and apparent speed of the build lie many hours of painstaking work and a huge amount of skill. Some of us will have tried this kind of sheet work, but few of us will have taken it to this level.

The video is below the break. It takes us through the constituent parts of the build, including at the end some of the engine details, which are cast in resin. Watch it with a sense of awe!


Failing Infrastructure and the Lessons It Teaches

Infrastructure seems so permanent and mundane that most of us never give it a second thought. Maintenance doesn’t make for a flashy news story, but you will frequently find a nagging story on the inside pages of the news cycle discussing the slowly degrading, crumbling infrastructure in the United States.

If not given proper attention, it’s easy for these structures to fall into a state of disrepair until one suddenly, and often catastrophically, fails. We’ve already looked at a precarious dam situation currently playing out in California, and although engineers have that situation under control for now, other times we haven’t been so lucky. Today we’ll delve into a couple of notable catastrophic failures and how they might be avoided in future designs.

Gaining Weight While Delaying Repairs

Most of us take infrastructure for granted every day. Power lines, roads, pipelines, and everything else have a sense of permanence and banality that can’t be easily shaken. Sadly, this reality shattered for most people in Minneapolis, Minnesota in August 2007.
