Flipbook Automation Saves Your Thumb

You’ve probably seen a flipbook. That’s a book with pictures on each page. Each picture is slightly different than the last one so if you flip rapidly through the book you get a little animation. We like the German word, Daumenkino, which translates as “thumb cinema” and that seems appropriate. [Barqunics] put a decidedly new twist on this old technology. His flipbook senses a viewer and automatically flips the pages using a motor. You can see the Arduino-controlled device in the video below.

The presence detection is a ubiquitous sonar sensor. The frame is easy to make since it uses cardboard and hot glue. A DC motor like you find on many toy cars or robots provides the rotation. No 3D printing needed, but we did think it would be easy to 3D-print or laser-cut the pieces.

Continue reading “Flipbook Automation Saves Your Thumb”

This Week In Security: IOS Wifi Incantations, Ghosts, And Bad Regex

I hope everyone had a wonderful Thanksgiving last week. My household celebrated by welcoming a 4th member to the family. My daughter was born on Wednesday morning, November 25th. And thus explains what I did last week instead of writing the normal Hackaday column. Never fear, we shall catch up today, and cover the news that’s fit to be noticed.

iOS Zero-click Wifi Attack

[Ian Beer] of Google’s Project Zero brings us the fruit of his lockdown-induced labors, a spectacular iOS attack. The target of this attack is the kernel code that handles AWDL, an Apple WiFi protocol for adhoc mesh networks between devices. The most notable feature that makes use of AWDL is AirDrop, Apple’s device-to-device file sharing system. Because AWDL is a proprietary protocol, the WiFi hardware can’t do any accelerated processing of packets. A few years back, there was an attack against Broadcom firmware that required a second vulnerability to jump from the WiFi chip to the device CPU. Here, because the protocol is all implemented in Apple’s code, no such pivot is necessary.

And as you’ve likely deduced, there was a vulnerability found. AWDL uses Type-Length-Value (TLV) messages for sending management data. For a security researcher, TLVs are particularly interesting because each data type represents a different code path to attack. One of those data types is a list of MAC addresses, with a maximum of 10. The code that handles it allocates a 60 byte buffer, based on that maximum. The problem is that there isn’t a code path to drop incoming TLVs of that type when they exceed 60 bytes. The remainder is written right past the end of the allocated buffer.

There is more fun to be had, getting to a full exploit, but the details are a bit too much to fully dive in to here. It interesting to note that [Ian] ran into a particular problem: His poking at the target code was triggering unexpected kernel panics. He discovered two separate vulnerabilities, both distinct from the vuln he was trying to exploit.

Finally, this exploit requires the target device to have AWDL enabled, and many won’t. But you can use Bluetooth Low Energy advertisements to trick the target device into believing an Airdrop is coming in from a trusted contact. Once the device enables AWDL to verify the request, the attack can proceed. [Ian] reported his findings to Apple way back in 2019, and this vulnerability was patched in March of 2020.

Via Ars Technica.
Continue reading “This Week In Security: IOS Wifi Incantations, Ghosts, And Bad Regex”

Nerfnet Tunnels TCP/IP Over NRF24L01 Radios

There’s an excellent chance you’ve already worked with the nRF24L01. These little modules are an easy and cheap way to shuffle data across a 2.4 GHz radio link at a respectable rate, making them great for remote control projects. But after seeing that others had experimenting with using these radios to transmit digital audio, [Andrew Rossignol] got to wondering if some software trickery could push the envelope even further.

The result is nerfnet, a Linux program that allows you to tunnel TCP/IP over a pair of nRF24L01 modules. The link appears as a virtual interface, meaning everything happens transparently as far as other programs are concerned. Anything that uses TCP/IP to communicate on Linux can take advantage of this low-cost link, albeit at speeds that most of us haven’t had to deal with in decades.

Though it’s not quite as bad as you might think. Latency is around 50 ms, and after some tweaks, [Andrew] has been able to squeeze almost 300 Kbps out of the link. That’s more than enough for terminal work, and some light audio and video streaming isn’t out of the question.

In terms of range, he was able to maintain a fairly reliable connection at a distance of up to 60 meters (200 feet) outdoors. It might not sound like much, but again, you’ve got to take the cost of these radios into account. If you’re looking to SSH into a Raspberry Pi weather station you’ve got in the backyard, a pair of these could get the job done for just a couple of bucks.

The blog post [Andrew] has put together explains the software in fantastic detail if you’re interested in the nuts and bolts of it all. But if you just want to play around with the idea, you just need to connect some nRF24L01 modules to a pair of Raspberry Pis with short SPI wires to cut down any interference, and follow the instructions. Ideally the radios would have external antennas, but it’s not strictly required.

We’ve seen these modules pushed into service as impromptu Bluetooth Low Energy transmitters in the past, but nothing quite like this. While the latency and bandwidth offered by this technique might seem antiquated to modern eyes, it could be the perfect dedicated communication channel for your sensors, smart devices, or home automation projects.

Continue reading “Nerfnet Tunnels TCP/IP Over NRF24L01 Radios”

Incredible Discrete MOSFET Rover Has Maximum Blink

What do you get when you stick 1738 MOSFETs together? If your answer was a ‘4-bit CPU’, you would be totally correct. Available as a product over at Marutsu as the ‘CPU1738’, it seems to target beginners to computer theory, with build instructions that explain how the CPU is built up from individual MOSFETs that are combined into logic gates.


While decidedly more compact in its SMD format than it would have been with pure through-hole parts, the use of countless small PCBs on top of the larger PCBs make for a pretty hefty package. Board after board build up the CPU, and the assembly continues with the addition of sensors, motors, and wheels. In the end, a robot emerges, albeit a somewhat wobbly-looking one.

Check out the video linked after the break, though before starting one up, note the 50,000 Yen (approximately $500) price tag for the CPU block alone. On the other hand, in addition to the 1738 MOSFETs, there are also 1070 LEDs, so you get what you pay for in blinkies.

Continue reading “Incredible Discrete MOSFET Rover Has Maximum Blink”