This Week In Security: Forksquatting, RustDesk, And M&Ms

GitHub is struggling to keep up with a malware campaign that’s a new twist on typosquatting. The play is straightforward: clone popular repositories, add malware, and advertise the forks as the originals. Some developers mistake the forks for the real projects and unintentionally run the malware. The obvious name for this is forksquatting, but the researchers at apiiro went with the safer “Repo Confusion”.

The campaign is automated, and GitHub is aware of it, with the vast majority of these malicious repositories getting removed right away. For whatever reason, the GitHub algorithm isn’t catching all of the new repos. The current campaign appears to be publishing millions of forks, using code from over 100,000 legitimate projects. It’s beginning to seem that the squatting family of attacks is here to stay.

RustDesk and Odd Certificates

The RustDesk remote access software is interesting, as it’s open source, allows self-hosting, and is written in Rust. I’ve had exploring RustDesk as a todo item for a long time, but a bit of concerning drama has just finished playing out. A user pointed out back in November that a test root certificate was installed as part of the RustDesk installation. That root cert is self-signed with SHA1. There is also concern that the RustDesk binaries are signed with a different certificate.

There have been new events since then. First, there was a Hacker News thread about the issue earlier this month. The next day, CVE-2024-25140 was registered with NIST, with an insane CVSS score of 9.8. Let’s cut through some FUD and talk about what’s really going on.


The Thinkpad in question, with a Linux shell open on its screen, showing that the device mode has been successfully enabled

ThinkPad X1 Carbon Turned USB Device Through Relentless Digging

In what’s perhaps one of the most impressive laptop reverse engineering posts in recent memory, [Andrey Konovalov] brings us an incredibly detailed story of how he’s discovered and successfully enabled a USB device controller in a ThinkPad X1 Carbon equipped with a 6th gen Intel CPU.

If you ever wanted to peek at the dirty secrets of a somewhat modern-day Intel CPU-based system, this write-up spares you no detail, and spans dozens of abstraction layers — from Linux drivers and modifying NVRAM to custom USB cable building and BIOS chip flashing, digging deep into undocumented PCH registers for the dessert.

All [Andrey] wanted was to avoid tinkering with an extra Raspberry Pi. While using a PCIe-connected device controller, he found a reference to intel_xhci_usb_sw-role-switch in Linux sysfs and dove into a rabbit hole, where he discovered that the IP core used for the laptop’s USB ports has a ‘device’ mode that can be enabled. A dig through ACPI tables confirmed this, but also highlighted that the device is disabled in BIOS. What’s more, it turned out to be locked away behind a hidden menu. Experiments in unlocking that menu ensued, in particular when it came to bypassing Intel Boot Guard, a mechanism that checks BIOS image signatures before boot.


DOOM Runs On Husqvarna’s Robot Lawnmower

DOOM has been ported to a lot of platforms — to the point where the joke is kind of getting old now. Evidence of that is available in the fact that brands are now getting in on the action. Yes, as reported by The Register, you can now officially play DOOM on your Husqvarna’s Automower.

Nice, right? Speedrun it on this interface.

We had to check if this was some kind of joke; indeed, the April release date had us looking at the calendar. However, it seems to be legit. You’ll be able to download a version of DOOM via the Husqvarna Automower Connect App and play it on the tiny screen of your robot lawnmower. Hilariously, given the size of the game, Husqvarna notes it “may take up to a week before the game is playable” due to the time it takes the mower to download it, along with a necessary software update.

Controls are simple. The knob on the robot is used for turning left and right, while pressing start lets you run forward. Firing weapons is done by pressing the control knob.

We’ve seen some quality ports before, including an arcade port that was particularly cool. Really, though, at this stage, you have to work harder to impress. Show us DOOM running on a Minuteman launch console or something.

Easily Add Link Cable Support To Your Homebrew GBA Game

The Game Boy Advance (GBA) link cable is the third generation of this feature, which originated with the Game Boy. It not only allows for peripherals to be connected, but also for multiplayer between GBAs – even with just one game copy – and for item sharing and unlocking of features in specific games. This makes it an interesting feature to support in today’s homebrew GBA games and applications, made easy by libraries such as [Rodrigo Alfonso]’s gba-link-connection.

This C++ library can be used in a number of ways: limited to just the physical link cable, just the wireless link option, or both (universal link). These support either 4 (cable) or 5 (wireless) players connected simultaneously. As additional options there are the LinkGPIO.hpp and LinkSPI.hpp headers, which allow the link port to be used either as a generic GPIO or as an SPI link (up to 2 Mb/s). The multiboot feature, where a single ROM image is shared among connected GBAs, is supported with both wired and wireless links.

It’s heartening to see that a device which this year celebrates its 23rd birthday is still supported so well.

Thanks to [gudenau] for the tip.

A map of the world with continents in light grey and countries outlined in dark grey. A number of yellow and grey circles with cartoon factories on them are connected with curved lines reminiscent of airplane flight paths. The lines have seemingly arbitrary binary ones and zeros next to them. All of the grey factories are in the Americas, likely since IoP is currently focused on Africa and Europe.

Internet Of Production Alliance Wants You To Think Globally, Make Locally

With the proliferation of digital fabrication tools, many feel the future of manufacturing is distributed. It would certainly be welcome after the pandemic-induced supply chain kerfuffles from toilet paper to Raspberry Pis. The Internet of Production Alliance (IoP) is designing standards to smooth this transition. [via Solarpunk Presents]

IoP was founded in 2016 to build the infrastructure necessary to move toward a global supply chain based on local production of goods from a global database of designs instead of the current centralized model of production with closed designs. Some might identify this decentralization as part of the Fourth Industrial Revolution. They currently have developed two standards, Open Know-Where [PDF] and Open Know-How.

Open Know-Where is designed to help locate makerspaces, FabLabs, and other spaces with the tools and materials necessary to build a thing. The sort of data collected here is broken down into five categories: manufacturing facility, people, location, equipment, and materials.

JBC soldering station sitting atop a custom switch box next to a selection of hot ends.

A 3-tool Selector Box For A JBC Soldering Station

Soldering is one of those jobs that is conceptually simple enough, but there’s quite a bit of devil in the detail, and having precisely the right tool for the job in hand is essential for speed and quality of results. The higher-quality soldering stations have many options for the hot end, but switching from a simple pencil to hot tweezers often means unplugging one and reattaching the other, and hoping the station recognises the change and does the right thing. [Lajt] had three soldering options and a single-output station. Their solution was a custom-built three-way frontend box that provides push-button selection of the tool to be connected to the station sitting atop.

[Lajt] shows in the blog post how each of their target hot ends is wired and the connectivity the control station expects to determine what is plugged in. Failing to recognise a connected 50 W heating element, and driving it as if the smaller 25 W unit were still connected, would suck: the temperature of the hot end would lag badly and fail to keep up with the thermal load during use. When connections are made, it is important to ensure the unit has sufficient time to detect the change in output and configure itself appropriately. An Arduino Pro Mini handles the selection between outputs by driving a selection of relays with appropriate timing. An interesting detail here is what [Lajt] calls a ‘sacrificial relay’ in the common ground path, which has a greater contact rating than the others and acts as a secondary switch to save wear on the other relay contacts that would otherwise be hot-switched. All in all, a nicely executed project, which should offer years of service.

We like DIY tools and tool-related hacks. Here’s a DIY Hakko station, a Weller clone unit, and a peek inside a TS1C portable unit.


For Today Only, Pi=3

In 1897 the state assembly of the American state of Indiana famously tried and failed to pass a bill which would have had the effect of denying the value of the mathematical constant Pi. It was an attempt to define a method to “square the circle”, or draw a square of the same area as a given circle through a series of compass-and-straightedge steps. It’s become something of a running joke and internet meme, and of course defining Pi exactly remains as elusive as ever.

Today and today alone though, you can in one sense claim that Pi is 3, because it’s twelve years since the launch of the original Raspberry Pi. The 29th of February 2012 was a leap day, and today being the third leap day since, could be claimed by a date pedant to be the third birthday of the little board from Cambridge. It’s all a bit of fun, but the Pi folks have marked the occasion by featuring an LED birthday cake.

Three leap days ago, your scribe was up at the crack of dawn to be one of the first to snag a board, only to witness the websites of the two distributors at the time, RS and Farnell, immediately go down under the denial of service formed by many thousands of other would-be Pi owners with the same idea. It would be lunchtime before the sites recovered enough to slowly buy a Pi, and it would be May before the computer arrived.

The Pi definitely arrived with a bang, but at twelve years old is it still smoking? We think so: while it’s normalized the idea of an affordable little board to run Linux to the extent that it’s now one of a crowd, the Pi folks have managed to stay relevant and remain the trend setter for their sector, rather than, Arduino-style, becoming an unwilling collective term.

We’ve said this before here at Hackaday: while the Pi boards are good, it’s not the boards alone which set them apart from the clones, but their support and software. Perhaps their greatest achievement is that a version of the latest Raspberry Pi OS can still run on that board ordered in February 2012, something unheard of elsewhere in single board computers. If you still have an original Pi, don’t forget this: while it’s not the quickest any more, there are still plenty of tasks at which it can excel. Meanwhile, with their move into branded silicon and to a PCIe architecture, we think things are looking exciting, and we look forward to another 12 years and three birthdays for them. Happy 3rd birthday, Raspberry Pi!