Mouse Doesn’t Play Pong… It IS Pong!

From the “why didn’t we think of that” department comes [dupontgu’s] pong mouse project. The mouse appears and acts like a normal computer mouse until you click the scroll wheel. When you do, the mouse rapidly moves the cursor on the connected computer to play pong. Obviously, though, the paddles and the ball all look like your cursor, whatever that happens to be. So, how do you tell the score? Well, when a score happens, the cursor shows between the two paddles. In the middle means the game is tied. Otherwise, the player closest to the score indicator is winning. Continue reading “Mouse Doesn’t Play Pong… It IS Pong!”

Kickflips And Buffer Slips: An Exploit In Tony Hawk’s Pro Skater

[Ryan Miceli] wanted to build some reverse engineering skills by finding a new exploit for an original Xbox. Where he ended up was an exploit that worked across the network, across several games, and several different consoles. But it all started with an unbounded strcpy in Tony Hawk Pro Skater (THPS).

Xbox, PlayStation 2, and Gamecube (often referred to as the sixth generation) are wonderful hacking targets as they don’t possess many of the security enhancements of the seventh generation, like hypervisors, privilege levels, and hardware executability protections. The console launches the game, and control is fully within the game, so once you get your code executing, you’re done. The exploit started with a feature in many Tony Hawk games, the custom map editor. In the editor, you can create gaps between jumps with a name so that when a player completes the gap, it can flash “you jumped x” in big letters. However, on Xbox, the gap name is copied with an unbounded strcpy to the stack, meaning you can overwrite the return pointer. Additionally, there are no stack cookies for THPS, which meant nothing stopped [Ryan] from smashing his way through. He includes a small memcpy stub in the header of the level, which the gap name jumps to, which then copies and executes his full payload.

The other games in the series, like Tony Hawk’s Pro Skater 3 (THPS3), had the bug, but the gap name was copied to the heap, not the stack. However, he could overflow into a vtable of the next object that would call his code when the object was freed. However, the level save data wasn’t an executable region of memory, which meant he needed ROP (return-oriented programming). Just a few gadgets later, and [Ryan] had another exploit working.

Tony Hawk’s Underground 1 and 2 had stack cookies turned on. This meant a random value was placed on the stack before a function, then popped off and checked. This meant the program could check if its stack had been smashed. Unfortunately for [Ryan], this proved to be a major roadblock. However, the PC and PS2 versions of these games do not have stack cookies, which means they can be exploited in the same manner.

The beauty of the exploit is that the game allows you to invite a friend to play a custom level. This means once the level is transferred over the network, their console is hacked as well. However, the full payload wasn’t sent to the client console, which meant the exploit had to send the payload to the other console using the game’s existing net code. The exploit sets up an asynchronous file transfer then hands control back to the game. Of course, there was a memory leak in the netcode, because the game had never sent large amounts of data over the network before. So, part of the exploit was a hot patch for a memory leak.

As a last hurrah, [Ryan] ported the hack to Gamecube, PS2, and PC. The code is on GitHub, and the video is after the break. We love the attention the Xbox has been getting, and if you’re curious about a hardware hack, this 256MB ROM mod goes deep into the internals.

Continue reading “Kickflips And Buffer Slips: An Exploit In Tony Hawk’s Pro Skater”

Building AI Models To Diagnose HVAC Issues

HVAC – heating, ventilation, and air conditioning – can account for a huge amount of energy usage of a building, whether it’s residential or industrial. Often it’s the majority energy consumer, especially in places with extreme climates or for things like data centers where cooling is a large design consideration. When problems arise with these complex systems, they can go undiagnosed for a time and additionally be difficult to fix, leading to even more energy losses until repairs are complete. With the growing availability of platforms that can run capable artificial intelligences, [kutluhan_aktar] is working towards a system that can automatically diagnose potential issues and help humans get a handle on repairs faster.

The prototype system is designed for hydronic (water-based) systems and uses two separate artificial intelligences, one to analyze thermal imagery of the system and look for problems like leaks, hot spots, or blockages, and the other to listen for anomalous sounds especially relating to the behavior of cooling fans. For the first, a CNC-like machine was built to move a thermal camera around a custom-built model HVAC system and report its images back to a central system where they can be analyzed for anomalies. The second system which analyses audio runs its artificial intelligence on a XIAO ESP32C6 and listens to the cooling fans running in the model.

One problem that had to be tackled before any of this could be completed was actually building an open-source dataset to train the AI on. That’s part of the reason for the HVAC model in this project; being able to create problems to train the computer to detect before rolling it out to a larger system. The project’s code and training models can be found on its GitHub page. It seems to be a fairly robust solution to this problem, though, and we’ll be looking forward to future versions running on larger systems. Not everyone has a hydronic HVAC system, though. As heat pumps become more and more popular and capable, you’ll need systems to control those as well.

A black device with a monochrome LCD sits on a wooden table. It's keyboard extends below the frame. On the screen is the "Level 29" BBS service login.

Internet Appliance To Portable Terminal

Few processors have found themselves in so many different devices as the venerable Z80. While it isn’t powerful by modern standards, you can still use devices like this Cidco MailStation as a terminal.

The MailStation was originally designed as an email machine for people who weren’t onboard with this whole computer fad, keeping things simple with just an adjustable monchrome LCD, a keyboard, and a few basic applications. [Joshua Stein] developed a terminal application, msTERM, for the MailStation thanks to work previously done on decoding this device and the wealth of documentation for Z80 assembly.

While [Stein] designed his program to access BBSes, we wonder if it might be a good way to do some distraction-free writing. If that wasn’t enough, he also designed the WiFiStation dongle which lets you communicate over a network without all that tedious mucking about with parallel ports.

If you’d like something designed specifically for writing, how about an AlphaSmart? Wanting to build your own Z80-based project? Why not start with an Altoids-sized Z80 SBC, but don’t wait forever since Z80 production finally ended in June.

Continue reading “Internet Appliance To Portable Terminal”

Adapter Salad: Making Your Own Server Cables Because HP Won’t Sell Them To You

The world is tough and uncaring sometimes, especially if you’re at home tinkering with HP Enterprise equipment. If you’re in the same boat as [Neel Chauhan], you might have found that HPE is less than interested in interacting with small individual customers. Thus, when a cable was needed, [Neel] was out of luck. The simple solution was to assemble a substitute one instead!

[Neel] had a HPE ProLiant ML110 Gen11 server, which was to be used as network-attached storage (NAS). Unfortunately, it was bought as an open box, and lacked an appropriate serial-attached SCSI (SAS) cable. Sadly, HPE support was of no assistance in sourcing one.

SlimSAS LP x8 to dual MiniSAS x4 cables aren’t easy to find from anyone else, it turns out. Thus, [Neel] turned to Amazon for help sourcing a combination of parts to make this work. A SlimSAS LP 8X to 2x MiniSAS SFF-8643 cable was used, along with a pair of Mini SAS SFF-8087 to SAS HD SFF-8643 female adapters. From there, SFF-8087 cables could be used to hook up to the actual SAS devices required. The total cost? $102.15.

The stack of cables and adapters looks a bit silly, but it works—and it got [Neel]’s NAS up and running. It’s frustrating when you have to go to such lengths, but it’s not the first time we’ve seen hackers have to recreate obscure cables or connectors from scratch! What’s the craziest adapter salad you’ve ever made?

A Smart LED Dice Box Thanks To The Internet Of Things

If there’s one thing humans love, it’s dancing with chance. To that end, [Jonathan] whipped up a fun dice box, connecting it to the Internet of Things for additional functionality.

Expect dice roll stat tracking to become a big thing in the D&D community.

The build is based around Pixels Dice. They’re a smart type of IoT dice that contains Bluetooth connectivity and internal LEDs. The dice are literally capable of detecting their own rolls and reporting them wirelessly. Thus, the dice connects to the dice box, and the dice box can literally log the rolls and even graph them over time.

The project was built in a nice octagonal box [Jonathan] picked up from a thrift store. It was fitted with a hidden battery and ESP32 to communicate with the dice and run the show. The box also contains integrated wireless chargers to recharge the dice as needed, and a screen for displaying status information.

The dice and dice box can do all kinds of neat things, like responding with mood lighting and animations to your rolls—for better or worse. There are some fun modes you can play with—you can even set the lights to sparkle if you pass a given skill check in your tabletop RPG of choice!

If you play a lot of tabletop games, and you love dice and statistics, this is a project well worth looking into. Imagine logging every roll so you can see how hot you are on a given night. Or, heck—whether it was the dice’s fault you lost your favorite player character in that foreboding dungeon.

We see a few dice hacks now and then, but not nearly enough. This project has us questioning where smart dice have been all our life! Video after the break.
Continue reading “A Smart LED Dice Box Thanks To The Internet Of Things”

Raspberry Has A New Pico, Built With The New RP2350

Raspberry Pi’s first foray into the world of microcontrollers, the RP2040, was a very interesting chip. Its standout features were the programmable input/output units (PIOs) which enabled all sorts of custom real-time shenanigans. And that’s not to discount the impact of the Pi Pico, the $4 dev kit built around it.

Today, they’re announcing a brand-new microcontroller: the RP2350. It will come conveniently packaged in the new Pi Pico 2, and there’s good news and bad news. The good news is that the new chip is better in every way, and that the Pico form factor will stay the same. The bad news? It’s going to cost 25% more, coming in at $5. But in exchange for the extra buck, you get a lot.

For starters, the RP2350 runs a bit faster at 150 MHz, has double the on-board RAM at 520 kB, and twice as much QSPI flash at 4 MB. And those sweet, sweet PIOs? Now it has 12 instead of just 8. (Although we have no word yet if there is more program space per PIO – even with the incredibly compact PIO instruction set, we always wanted more!)

Two flavors on the same chip: Arm and RISC

As before, it’s a dual-core chip, but now the cores are Arm Cortex M33s or RISC-V Hazard3s. Yes, you heard that right, there are two pairs of processors on board. Raspberry Pi says that you’ll be able to select which style of cores runs either by software or by burning one-time fuses. So it’s not a quad core chip, but rather your choice of two different dual cores. Wild!

Raspberry Pi is also making a big deal about the new Arm TrustZone functionality. It has signed boot, 8 kB of OTP key-storage memory, SHA-256 acceleration, a hardware RNG, and “fast glitch detectors”. While this is probably more aimed at industry than at the beginning hacker, we’re absolutely confident that some of you out there will put this data-safe to good use.

There is, as of yet, no wireless built in. We can’t see into the future, but we can see into the past, and we remember that the original Pico was wireless for a few months before they got the WiFi and Bluetooth radio added into the Pico W. Will history repeat itself with the Pico 2?

We’re getting our hands on a Pico 2 in short order, and we’ve already gotten a sneak peek at the extensive software toolchain that’s been built out for it. All the usual suspects are there: Picotool, TinyUSB, and OpenOCD as we write this. We’ll be putting it through its paces and writing up all the details next week.