35C3: Finding Bugs in Bluetooth

[Jiska Classen] and [Dennis Mantz] created a tool called Internal Blue that aims to be a Swiss-army knife for playing around with Bluetooth at a lower level. Their tool is built on three functions that are common to all Broadcom Bluetooth chipsets: one that lets you read arbitrary memory, one that lets you run it, and one that lets you write it. Well, that was easy. The rest of their work was analyzing this code and learning how to replace the firmware with their own version. That took them a few months of hard reversing work.

In the end, Internal Blue lets them execute commands at one layer deeper — the LMP layer — easily allowing monitoring and injection. In a series of live (and successful!) demos they probe around on a Nexus 6P from a modified Nexus 5 on their desk. This is where they started digging around in the Bluetooth stack of other devices with Broadcom chipsets, and that’s where they started finding bugs.

As is often the case, [Jiska] was just poking around and found an external code handler that didn’t do bounds checking. That meant she could run other functions in the firmware simply by passing the handler an out-of-range address offset. Since they’re essentially calling functions at arbitrary locations in memory, finding which functions to call with which arguments is a process of trial and error, but the consequences range from a Bluetooth module crash and reset to tricks such as putting the Bluetooth module into “Device Under Test” mode, which should only be accessible from the device itself. All of this happens before pairing with the device: just walking by is sufficient to invoke functions through the buggy handler.

All the details of this exploit aren’t yet available, because Broadcom hasn’t fixed the firmware for probably millions of devices in the wild. And one of the reasons that they haven’t fixed it is that patching the bug will disclose where the flaw lies in all of the unpatched phones, and not all vendors can be counted on to push out updates at the same time. While they focused on the Nexus 5 cellphone, which is fairly old now, it’s applicable to any device with a similar Broadcom Bluetooth chipset.

Aside from the zero-day bug here, the big story is their Bluetooth analysis framework, which will surely help other researchers learn more about Bluetooth, find more glitches, and hopefully make Bluetooth more openly scrutinized and more secure. Now anyone with a Raspberry Pi 3/3+ or a Nexus 5 is able to turn it into a low-level Bluetooth investigation tool.

You might know [Jiska] from her previous FitBit hack. If not, be sure to check it out.


RFID Doing More than ID

RFID is a workhorse in industrial, commercial, and consumer markets. Passive tags, like work badges and key fobs, need a powered base station, but the tags themselves need no power source. Sensors are a big market, and putting sensors in places that are hard to reach, hostile, or mobile is a costly proposition. That price could drop, and the sensors could become more approachable, with help from MIT’s Auto-ID Lab, who are experimenting with sensor feedback to RFID devices.

Let’s pretend you want to measure the temperature inside a vat of pressurized acid. You’d rather not drill a hole in it to insert a thermometer, but a temperature sensor sealed in Pyrex that wirelessly transmits the data and never runs out of power is a permanent and cheap solution. The researchers have their sights set on glucose sensing, and that news comes shortly after Alphabet gave up their RFID quest to measure glucose through contact lenses. Shown at the top of this article is a prototype for a Battery Assisted Passive (BAP) RFID sensor that uses commodity glucose testing strips, sending data when the electrochemical reaction occurs. It uses six of these cells in parallel to achieve a high enough peak current to trigger the transmission. The paper (DOI 10.1109/RFID.2018.8376201, behind a paywall) mentions a few strategies to improve upon this. However, it does prove the concept: the current spike from the test strips determines how long the tag is active, and that duration can be correlated to the blood glucose detected.

How many of our own projects would instantly upgrade with the addition of a few sensors that were previously unobtainable on a hacker budget? Would beer be brewed more effectively with more monitoring? How many wearables would be feasible with battery-free attachments? The sky is the figurative limit.

Thank you, [QES] for the tip [via TechXplore]

Pushbutton → Push Notification

How many mundane devices upgrade to IoT because they let you monitor a single data point or a variable? That little nudge over the communication precipice allows you to charge 500% more. Now, if you are as handy as a Hackaday reader, you can throw a lazy afternoon at the problem and get the same effect from a “dumb” appliance. If IoT is as simple as getting a notification when your laundry is dry, or your water is boiling, all you really need is a WiFi device and a push notification, right? Does it need to be more complicated than that? [Gianni] believes it is that simple (machine translation) and has built up an easy-to-implement version on Raspberry Pi, Arduino, and ESP8266.

[Gianni] leverages the aptly named Pushover (a paid app with a 1-week trial period) to convert your bits, bytes, words, or strings to a push notification. This idea is born of the desire for a home security system which doesn’t require constant monitoring but instead alerts you to problems. The minimum requirement you need is for your phone to chime with a notification saying, “Your front window sensor has been tripped.” Now it is time to launch your IP camera app or call someone nearby.

It’s not revolutionary, and it may be the “Hello World” of IoT, but that is all some people need. The general idea is the same no matter the framework you want to use. For instance, if you have a Google Suite account, you can set up a chatroom just for your alert notifications; Google’s quickstart takes about 3 minutes to test it out in Python. The same setup is also available for Slack, and [Tom Nardi] did a guide for doing this with Discord. These tackle the receiving side, but the sending side is really flexible too: that MQTT broker you built could easily be the source of the alerts.

Build a handful of these in a weekend and keep them nearby to step up your next project to IoT status with a couple of solder joints. Maybe it will be a motion sensor for your own security system.

Starlite: Super Material That Protects Hands from Pesky Blowtorches

A super-material that’s non-toxic, highly flame resistant, and a good enough insulator that you can literally hold fire in your hand? Our interest was definitely caught by [NightHawkInLight] and his recent video about Starlite, embedded below the break.

Starlite was the brainchild of English hairdresser, [Maurice Ward]. The famous demo was an egg, coated in Starlite, and blasted with a blowtorch for a full 5 minutes. After heating, he cracked the egg to show it still raw. The inventor died in 2011, and apparently the recipe for Starlite died with him.

[NightHawkInLight] realized he had already made something very similar, the Pharaoh’s Serpent demonstration, also known as a black snake. In both examples, a carbon foam is produced, providing flame resistance and insulation. A bit of trial and error later, and he’s out doing the original Starlite demo, pointing the blowtorch at his hand instead of an egg.


The Very Slow Movie Player Does it With E-Ink

Most displays are looking to play things faster. We’ve got movies at 60 frames per second, and gaming displays that run at 144 fps. But what about moving in the other direction? [Bryan Boyer] wanted to try this out, so he built the VSMP, or Very Slow Movie Player. It’s a neat device that plays back a movie at about 24 fph (frames per hour) on an e-ink display to demonstrate something that [Bryan] calls Slow Seeing, which, he says “helps you see yourself against the smear of time.” A traditional epic-length movie is now going to run you greater than 8,000 hours of viewing.

Artistic considerations aside, it’s an interesting device from a technical point of view. [Bryan] built it from a 7.4-inch e-ink display from Pervasive Displays. The controller is connected to a Raspberry Pi Zero, which runs a Python script to convert a frame of the movie file into a dithered image and then send it to the display. Because the Pi Zero isn’t a very fast computer, this takes some time, hence the slow speed of the VSMP. Originally, [Bryan] had set it up to run as fast as the system could manage, which was about 25 seconds per frame, or about 2 frames per minute. He decided to slow it down a bit further to the more attractive multiple of 24 frames per hour to contrast with the 24 frames per second of the original movie. He did this with a cron job that kicks off the conversion script once every 2.5 minutes and increments the frame counter. All of this is topped off with a nice 3D-printed case with a lovely interference pattern, making for a rather neat and intriguing project.

Perhaps the best part of this is seeing a time-lapse of the VSMP: life moves quickly around it while 2001: A Space Odyssey plays at normal speed.


This Raspberry Pi Is A Stereo Camera And So Much More

Over the years we have featured a huge array of projects featuring the Raspberry Pi, but among them there is something that has been missing in all but a few examples. The Raspberry Pi Compute Module is the essentials of a Pi on a form factor close to that of a SODIMM module, and it is intended as a way to embed a Pi inside a commercial product. It’s refreshing then to see [Eugene]’s StereoPi project, a PCB that accepts a Compute Module and provides interfaces for two Raspberry Pi cameras.

What makes this board a bit special is that, as well as the two camera connectors at the required spacing for stereophotography, it also brings out all the interfaces you’d expect on a regular Pi, so there is the familiar 40-pin expansion header as well as USB and Ethernet ports. It has a few extras such as a pin-based power connector and an on-off switch.

Where are they going with this one? So far we’ve seen demonstrations of the rig used to create depth maps with ROS (Robot Operating System). But even more fun is seeing the 3rd-person-view rig shown in the video below. You strap on a backpack that holds the stereo camera above your head, then watch yourself through VR goggles. Essentially you become the video game. We’ve seen this demonstrated before and now it looks like it will be easy to give it a try yourself as StereoPi has announced they’re preparing to crowdfund.

So aside from the stereophotography why is this special? The answer comes in that it is as close as possible to a fresh interpretation of a Raspberry Pi board without being from the Pi Foundation themselves. The Pi processors are not available to third party manufacturers, so aside from the Odroid W (which was made in very limited numbers) we have never seen a significant alternative take on a compatible Raspberry Pi. The idea that this could be achieved through the Compute Module is one that we hope might be taken up by other designers, potentially opening a fresh avenue in the Raspberry Pi story.

The Raspberry Pi Compute Module has passed through two iterations since its launch in 2014, but probably due to the lower cost of a retail Raspberry Pi we haven’t seen it in many projects save for a few game consoles. If the advent of boards like this means we see more of it, that can be no bad thing.


3D-Printing Wankel Engine from Mazda’s Beloved “Rotary Rocket”

Although there was briefly a company called Rotary Rocket, the term is much better known as a nickname for the Mazda RX-7 — one of the few cars that used a Wankel, or rotary, engine. If you ever wondered how these worked, why not print a model? That’s what [Engineering Explained] did. They printed a 1/3 scale model and made a video explaining and demonstrating its operation. The model itself was from Thingiverse, created by [EricThePoolBoy].

One thing we really liked about the model was the use of lights to show the different stages of combustion. Cool air intake is a blue light, hot air is red, and so on. It really helps visualize what’s happening. You can watch the video below.

If you haven’t seen a Wankel before, it is a clever design. It has very few moving parts and offers very smooth power transfer and high power to weight ratio. The downside, though, is that the engine deliberately burns oil to lubricate and seal, so it is difficult to meet emission standards and requires a lot of oil. The fuel efficiency of current designs is not very good either, especially since manufacturers will often trade fuel efficiency for better emissions.

If you’d like to read more about the Wankel, check out our earlier post (and the 165 comments attached). We also looked at — or rather through — another Wankel earlier this year.
