When Mary Wallace “Wally” Funk reached the boundary of space aboard the first crewed flight of Blue Origin’s New Shepard capsule earlier today, it marked the end of a journey she started 60 years ago. In 1961 she became the youngest member of what would later become known as the “Mercury 13”, a group of accomplished female aviators that volunteered to be put through the same physical and mental qualification tests that NASA’s Mercury astronauts went through. But the promising experiment was cut short by the space agency’s rigid requirements for potential astronauts, and what John Glenn referred to in his testimony to the Committee on Science and Astronautics as the “social order” of America at the time.
In the interest of simplification or abstraction, we like to think of the laptop on the kitchen table as a single discrete unit of processing. In fact, there is a surprisingly large number of small processors alongside the many cores that make up the processor. [8051enthusiast] dove into the Realtek rtl8821ae WiFi chip on his laptop and extracted the firmware. The Realtek rtl8821ae chip is a fairly standard Realtek chip as seen in this unboxing (which is where the main image comes from).
True to his name, [8051enthusiast] was pleased to find that the rtl8821ae was clearly based on the Intel 8051. The firmware was loaded on startup from a known file path and loaded onto the chip sitting in an M.2 slot. After careful consideration, [8051enthusiast] reasoned that the firmware was using RTX51 Tiny, which is a small real-time kernel.
The firmware is loaded at 0x4000 but it calls to code below that address, which means there is a ROM on the chip that contains some code. The easiest way to extract it would be to write some custom code that just copies the masked ROM back to the main CPU via the shared memory-mapped config space, but the firmware is checksummed by the masked ROM code. However, the checksum is just a 16-bit XOR. With a tweak in the kernel to allow accessing the shared config space from userspace, [8051enthusiast] was on his way to a complete firmware image.
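Why a 16-bit XOR checksum is only an error-detection check and not an integrity control, shown as an added example that is not code from the original write-up or from Realtek. The little-endian word order, the function names, and the sample bytes are assumptions made for illustration; the chip's real checksum layout is not given here.

```python
import hashlib
import hmac
import struct

def xor16(image: bytes) -> int:
    """XOR of all 16-bit words (little-endian word order is an assumption)."""
    if len(image) % 2:
        image += b"\x00"  # pad odd-length input to a whole word
    acc = 0
    for (word,) in struct.iter_unpack("<H", image):
        acc ^= word
    return acc

def flip_pair(image: bytes, off_a: int, off_b: int, delta: int) -> bytes:
    """XOR the same delta into two word-aligned words; the two changes cancel in xor16."""
    buf = bytearray(image)
    for off in (off_a, off_b):
        (word,) = struct.unpack_from("<H", buf, off)
        struct.pack_into("<H", buf, off, word ^ (delta & 0xFFFF))
    return bytes(buf)

def swap_words(image: bytes, off_a: int, off_b: int) -> bytes:
    """Exchange two word-aligned words; XOR is order-independent, so xor16 is unchanged."""
    buf = bytearray(image)
    buf[off_a:off_a + 2], buf[off_b:off_b + 2] = buf[off_b:off_b + 2], buf[off_a:off_a + 2]
    return bytes(buf)

def verify_pinned(image: bytes, expected_sha256_hex: str) -> bool:
    """Integrity check against a digest recorded from a known-good image."""
    digest = hashlib.sha256(image).hexdigest()
    return hmac.compare_digest(digest, expected_sha256_hex)

# Constructed 16-byte sample, not real firmware.
SAMPLE = bytes.fromhex("02400a127580ff22e4f5901203ab80fe")
PINNED = hashlib.sha256(SAMPLE).hexdigest()
TAMPERED = flip_pair(SAMPLE, 2, 10, 0x5A5A)
REORDERED = swap_words(SAMPLE, 0, 8)

if __name__ == "__main__":
    for name, img in (("sample", SAMPLE), ("tampered", TAMPERED), ("reordered", REORDERED)):
        print(f"{name:9s} xor16=0x{xor16(img):04x} sha256_ok={verify_pinned(img, PINNED)}")
```

All three images share one XOR value, while the pinned SHA-256 comparison accepts only the unmodified sample.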
Next, [8051enthusiast] looked at what could be done with his newfound hackability. The keyboard matrix is read by the Embedded Controller (EC), which happens to be another 8051-based microcontroller. There also happens to be an RX and a TX trace from the EC to the M.2 slot (where the rtl8821ae is). This has to do with 0x80 POST codes from the processor being routed out somewhere accessible via the EC. With a bit of custom code on both the EC and the WiFi chip, [8051enthusiast] had a keylogger that didn’t run on the main processor, broadcasting the PS/2 keystrokes as UDP packets.
Of course, there are plenty of other 8051-based devices out there just waiting to be discovered. Like this 8051-based e-ink display controller.
[Main image source: Realtek RTL8821AE unboxing on YouTube by Евгений Горохов]
If you remember the crazy events in the winter of 2018 as two airports were closed over reports of drone sightings, you might be interested to hear that there’s still a trickle of information about those happenings making it into the public domain as Freedom of Information responses.
Three Christmases ago the news media was gripped by a new menace, that of rogue drones terrorising aircraft. The UK’s Gatwick airport had been closed for several days following a spate of drone sightings, and authorities thundered about the dire punishments which would be visited upon the perpetrators when they were caught. A couple were arrested and later quietly released, and after a lot of fuss the story quietly disappeared.
Received Opinion had it that a drone had closed an airport, but drone enthusiasts, and Hackaday as a publication in their sphere, were asking awkward questions about why no tangible evidence of a drone ever having been present had appeared. Gradually the story unravelled with the police and aviation authorities quietly admitting that they had no evidence of a drone, and a dedicated band of drone enthusiasts has continued to pursue the truth about those few winter nights in 2018. The latest results chase up the possibility that the CAA might have received a description of the drone, and why when a fully functional drone detection system had been deployed and detected nothing they continued with the farce of closing the airport.
Perhaps the saddest thing about these and other revelations about the incident which have been teased from the authorities is that while they should fire up a scandal, it seems inevitable that they won’t. The police, the government, and the CAA have no desire to be reminded of their mishandling of the event, nor, except for a rare bit of mild questioning, do the media wish to be held to account for the execrable quality of their reporting. The couple who were wrongly arrested have not held back in their condemnation, but without the attention of any powerful vested interests it seems that some of the measures brought in as a response will never be questioned. All we can do is report any new developments in our little corner of the Internet, and of course keep you up to date with any fresh UK police drone paranoia.