Author: Arya Voronova

514 Articles

Showing the dock PCB with a Pi Zero attached and wired up onto it

Is Your USB-C Dock Out To Hack You?

March 26, 2023 by 20 Comments

In today’s installment of Betteridge’s law enforcement, here’s an evil USB-C dock proof-of-concept by [Lachlan Davidson] from [Aura Division]. We’ve seen malicious USB devices aplenty, from cables and chargers to flash drives and even suspicious USB fans. But a dock, however, is new. The gist is simple — you take a stock dock, find a Pi Zero W and wire it up to a USB 2.0 port tapped somewhere inside the dock. Finding a Pi Zero is unquestionably the hardest part in this endeavor — on the software side, everything is ready for you, just flash an SD card with a pre-cooked malicious image and go!

On the surface level, this might seem like a cookie-cutter malicious USB attack. However, there’s a non-technical element to it; USB-C docks are becoming more and more popular, and with the unique level of convenience they provide, the “plug it in” temptation is much higher than with other devices. For instance, in shared workspaces, having a USB-C cable with charging and sometimes even a second monitor is becoming a norm. If you use USB-C day-to-day, the convenience of just plugging a USB-C cable into your laptop becomes too good to pass up on.

This hack doesn’t exactly use any USB-C specific technical features, like Power Delivery (PD) – it’s more about exploiting the convenience factor of USB-C that incentivizes you to plug a USB-C cable in, amplifying an old attack. Now, BadUSB with its keystroke injection is no longer the limit — with a Thunderbolt-capable USB-C dock, you can connect a PCIe device to it internally and even get access to a laptop’s RAM contents. Of course, fearing USB-C cables is not a viable approach, so perhaps it’s time for us to start protecting from BadUSB attacks on the software side.

Picture of the miniJen structure on a presentation desk

A Jenkins Demo Stand For Modern Times

March 24, 2023 by 7 Comments

Once you’re working on large-scale software projects, automation is a lifesaver, and Jenkins is a strong player in open-source automation – be it software builds, automated testing or deploying onto your servers. Naturally, it’s historically been developed with x86 infrastructure in mind, and let’s be fair, x86 is getting old. [poddingue], a hacker and a Jenkins contributor, demonstrates that Jenkins keeps up with the times, with a hardware demo stand called miniJen, that has Jenkins run on three non-x86 architectures – arm8v (aarch64), armv7l and RISC-V.

There’s four SBCs of different architectures involved in this, three acting as Jenkins agents executing tasks, and one acting as a controller, all powered with a big desktop PSU from Pine64. The controller’s got a bit beefier CPU for a reason – at FOSDEM, we’ve seen it drive a separate display with a Jenkins dashboard. It’s very much a complete demo for its purpose, and definitely an eyecatcher for FOSDEM attendees passing by the desk! As a bonus, there’s also a fascinating blog post about how [poddingue] got to running Jenkins on RISC-V in particular.

Even software demonstrations get better with hardware, and this stood out no doubt! Looking to build a similar demo, or wondering how it came together? [poddingue] has blog posts on the demo’s structure, a repo with OpenSCAD files, and a trove of videos demonstrating the planning, design and setup process. As it goes with continuous integrations, we’ve generally seen hackers and Jenkins collide when it comes to build failure alerts, from rotating warning lights to stack lights to a Christmas tree; however, we’ve also seen a hacker use it to keep their firmware size under control between code changes. And, if you’re wondering what continuous integration holds for you, here’s our hacker-oriented deep dive.

A picture of the bottom of the Pi 4 PCB, showing the three points you need to use to tap into the Pi 4 I2C bus going to the PMIC

Dead Raspberry Pi Boards, PMICs, And New Hope

March 24, 2023 by 23 Comments

Since the Raspberry Pi 3B+ release, the Pi boards we all know and love gained one more weakpoint – the PMIC chip, responsible for generating all the power rails a Pi needs. Specifically, the new PMIC was way more vulnerable to shorting 5V and 3.3V power rails together – something that’s trivial to do on a Raspberry Pi, and would leave you with a bricked board. Just replacing the PMIC chip, the MxL7704, wouldn’t help since the Raspberry Pi version of this chip is customized – but now, on Raspberry Pi forums, [Nefarious19] has reportedly managed to replace it and revive their Pi.

First off, you get a replacement PMIC and reflow it – and that’s where, to our knowledge, people have stopped so far. The next step proposed by [Nefarious19] is writing proper values into the I2C registers of the PMIC. For that, you’d want a currently-alive Pi – useful as both I2C controller for writing the values in, and as a source of known-good values. That said, if you go with the values that have been posted online, just having something like a Pi Pico for the I2C part ought to be enough.

[Nefarious19] reports a revived Pi, and this is way more hopeful than the “PMIC failures are unfixable” conclusion we’ve reached before. The instructions are not quite clear – someone else in the thread reports an unsuccessful attempt doing the same, and it might be that there’s a crucial step missing in making the values persist. However, such an advancement is notable, and we trust our readers to take the lead.

A week ago, [Mangy_Dog] on Hackaday Discord brought up fixing Raspberry Pi boards – given that the Raspberry Pi shortages are still an issue, digging up your broken Pi and repairing it starts making sense budget-wise. It’s no longer the ages where you could buy broken Pi boards by the hundred, and we imagine our readers have been getting creative. What are your experiences with fixing Raspberry Pi boards?

PCIe For Hackers: Link Anatomy

March 23, 2023 by 17 Comments

Last time, we looked over diffpairs, their basics, routing rules and the notorious tolerances of PCIe when it comes to diffpairs. Now, let’s take a look at the exact signals that make PCIe tick, as well as give you an overview of which sockets you can get PCIe on.

I separate PCIe sockets into two categories – desktop sockets, which are the usual 1x, 16x, or perhaps x4 PCIe sockets we see on desktop motherboards — and mobile sockets: mPCIe and M.2. There are also sockets like ExpressCard that are still found on some older laptops, but they have definitely fallen out of relevance. On mobile, M.2 is the way forward when it comes to PCIe – if you’re interested, I’ve written a short series talking about everything M.2 before.

On these sockets, most signals will be optional and some signals will be socket-specific, but there are some signals required in any PCIe device. Of course, the first group of required signals is the PCIe diffpairs themselves.

Continue reading “PCIe For Hackers: Link Anatomy”

Screenshot of ImHex hex editor, with the MOC3 file structure being reverse-engineered inside of it

Live2D: Silently Subverting Threat Models

March 20, 2023 by 10 Comments

In online spaces, VTubers have been steadily growing in popularity in the past few years – they are entertainers using motion capture tech to animate a special-sauce 2D or 3D model, typically livestreaming it as their avatar to an audience. The tech in question is pretty fun, lively communities tend to form around the entertainers and artists involved, and there’s loads of room for creativity in the VTuber format; as for viewers, there’s a VTuber for anyone’s taste out there – what’s not to like? On the tech side of making everything work, most creators in the VTubing space currently go with a software suite from a company called Live2D – which is where today’s investigation comes in. Continue reading “Live2D: Silently Subverting Threat Models”

A Pi Pico soldered onto a custom breakout PCB, with an SD card connected to it using prototyping wires

RP2040 Runs Linux Through RISC-V Emulation

March 19, 2023 by 27 Comments

We’re used to running Linux on CPUs where it belongs, and the consensus is that RP2040 just isn’t up for the task – no memory controller, and nowhere near enough RAM, to boot. At least, that’s what you might believe until you see [tvlad1234]’s Linux-on-RP2040 project, reminding us there’s more than one way to boot Linux on a CPU like this! Just like with the “Linux on AVR” project in 2012 that emulated an ARM processor, the pico-rv32ima project emulates a RISC-V core – keeping up with the times.

Initially, the aforementioned “Linux on AVR through ARM” project was picked as a base – then, a newer development, [cnlohr]’s RISC-V emulator, presented itself and was too good to pass up on. Lack of RAM was fully negated by adding an SD card into the equation – coupled with a small caching layer, this is a crucial part for the project’s not-so-secret sauce. A fair amount of debugging and optimization later, [tvlad1234] got Linux to run, achieving boot times in 10-15 minutes’ ballpark – considering the emulation layer’s presence, this is no mean feat.

At this point, the boot process stalls as you enter a login shell. If Linux on RP2040 is within your area of interest, feel free to pick up the effort from here, as the project is fully open-source – you only need a Pi Pico board and a throwaway SD card! Now, if pairing a RP2040 with some classic software is your definition of an evening well-spent, you can’t go wrong with DOOM! However, if you’d rather play with something else *nix-like, we’ve seen someone port Fuzix onto the RP2040 before.

PCIe For Hackers: The Diffpair Prelude

March 14, 2023 by 35 Comments

PCIe, also known as PCI-Express, is a highly powerful interface. So let’s see what it takes to hack on something that powerful. PCIe is be a bit intimidating at first, however it is reasonably simple to start building PCIe stuff, and the interface is quite resilient for hobbyist-level technology. There will come a time when we want to use a PCIe chip in our designs, or perhaps, make use of the PCIe connection available on a certain Compute Module, and it’s good to make sure that we’re ready for that.

PCIe is everywhere now. Every modern computer has a bunch of PCIe devices performing crucial functions, and even iPhones use PCIe internally to connect the CPU with the flash and WiFi chips. You can get all kinds of PCIe devices: Ethernet controllers, high-throughput WiFi cards, graphics, and all the cheap NVMe drives that gladly provide you with heaps of storage when connected over PCIe. If you’re hacking on a laptop or a single-board computer and you’d like to add a PCIe device, you can get some PCIe from one of the PCIe-carrying sockets, or just tap into an existing PCIe link if there’s no socket to connect to. It’s been two decades since we’ve started getting PCIe devices – now, PCIe is on its 5.0 revision, and it’s clear that it’s here to stay.

Continue reading “PCIe For Hackers: The Diffpair Prelude”