Part of a picture showing all kinds of different CAN devices in a car

CAN Peripheral For RP2040, Courtesy Of PIO

July 9, 2022 by Arya Voronova 31 Comments

[Kevin O’Connor] writes to us about his project, can2040 – adding CAN support to the RP2040. The RP2040 doesn’t have a CAN peripheral, but [Kevin] wrote code for the RP2040’s PIO engine that can receive and send CAN packets. Now we can all benefit from his work by using this openly available CAN driver. This library is written in C, so it’s a good fit for the lower-level hackers among us, and in all likelihood, it wouldn’t be hard to make a MicroPython wrapper around it.

The CAN bus needs a peripheral for the messages to be handled properly, and people have been using external chips for this purpose until now. These chips, [Kevin] tells us, have lately been unavailable due to the chip shortage, making this project more valuable. The documentation is extensive and accessible, and [Kevin] details how to best use this driver. With such a tool in hand, you can now turn your Pico into a CAN tinkering toolkit, or wire up some CAN devices for use in your own projects!

[Kevin] says this code is already being used in Klipper, a framework powering 3D printers and other machines like them. As for your own purposes, you can absolutely use such a CAN tool to hack on your car – here’s a treasure trove of car hacking documentation, by the way! Thanks to the PIO engine, there seems to be no end to the RP2040’s versatility – you can even drive HDMI monitor with this PIO-based DVI code.

Continue reading “CAN Peripheral For RP2040, Courtesy Of PIO” →

Mis-captured signal transitions shown on the screen of the LA104, with problematic parts circled in red.

When Your Logic Analyzer Can’t Tell Good And Bad Signals Apart

July 9, 2022 by Arya Voronova 17 Comments

[Avian] has picked up a Miniware LA104 – a small battery-powered logic analyzer with builtin protocol decoders. Such analyzers are handy tools for when you quickly need to see what really is happening with a certain signal, and they’re cheap enough to be sacrificial when it comes to risky repairs. Sadly, he stumbled upon a peculiar problem – the analyzer would show the signal glitching every now and then, even at very low bitrates. Even more surprisingly, the glitches didn’t occur in the signal traces when exported and viewed on a laptop.

He dug into the problem, as [Avian] does. Going through the problem-ridden capture files helped him realize that the glitch would always happen when one of the signal edges would be delayed by a few microseconds relative to other signal edges — a regular occurrence when it comes to digital logic. This seems to stem from compression being used by the FPGA-powered “capture samples and send them” part of the analyzer. This bug only relates to the signal as it’s being displayed on the analyzer’s screen, and turned out that while most of this analyzer’s interface is drawn by the STM32 CPU, the trace drawing part specifically was done by the FPGA using a separate LCD interface.

It would appear Miniware didn’t do enough testing, and it’s impossible to distinguish a good signal from a faulty one when using a LA104 – arguably, the primary function of a logic analyzer. In the best of Miniware traditions, going as far as being hostile to open-source firmware at times, the FPGA bistream source code is proprietary. Thus, this bug is not something we can easily fix ourselves, unless Miniware steps up and releases a gateware update. Until then, if you bought a LA104, you can’t rely on the signal it shows on the screen.

When it comes to Miniware problems, we’ve recently covered a Miniware tweezer repair, requiring a redesign of the shell originally held together with copious amount of glue. At times, it feels like there’s something in common between glue-filled unrepairable gadgets and faulty proprietary firmware. If this bug ruins the LA104 for you, hey, at least you can reflash it to work as an electronics interfacing multitool.

Screenshot of the RSA calculator, showing the fields that you can fill into and the results as they propagate through the calculation

Lift The Veil On RSA With This RSA Calculator

July 8, 2022 by Arya Voronova 2 Comments

Encryption algorithms can be intimidating to approach, what’s with all the math involved. However, once you start digging into them, you can break the math apart into smaller steps, and get a feel of what goes into encryption being the modern-day magic we take for granted. Today, [Henry Schmale] writes to us about his small contribution to making cryptography easier to understand – lifting the veil on the RSA asymmetric encryption technique through an RSA calculator.

With [Henry]’s calculator, you can only encrypt and decrypt a single integer, but you’re able to view each individual step of an RSA calculation as you do so. If you want to understand what makes RSA and other similar algorithms tick, this site is an excellent starting point. Now, this is not something you should use when roll your crypto implementations – as cryptographers say in unison, writing your own crypto from scratch is extremely inadvisable. [Henry] does say that this calculator could be useful for CTF players, for instance, but it’s also undeniably an accessible learning tool for any hacker out there wishing to understand what goes on under the wraps of the libraries we use.

In modern day, cryptography is instrumental to protecting our freedoms, and it’s a joy to see people work towards explaining the algorithms used. The cryptography tools we use day-to-day are also highly valuable targets for governments and intelligence agencies, willing to go to great lengths to subvert our communication security – so it’s even more important that we get acquianted with the tools that protect us. After all, it only takes a piece of paper to encrypt your communications with someone.

The OpenMV board inside a security camera shell on the left, an AprilTag on smartphone's screen on the right

Use AprilTags To Let Guests Open Your Front Gate

July 8, 2022 by Arya Voronova 18 Comments

[Herb Peyerl] is part of a robotics team, and in his robotics endeavours, learned about AprilTags; small QR-code-like printable patterns that are easily recognizable by even primitive machine vision. Later on, when thinking about good ways to let his guests through his property’s front gate, the AprilTags turned out to be a wonderful solution. Now all he needs to do is send his guest a picture of the appropriate AprilTag, which they can present to the camera at his front gate using their smartphone.

He used an OpenMV board for this – thanks to its wide variety of available libraries, the AprilTag recognition is already baked in, and the entire script is merely a hundred lines of MicroPython. An old surveillance camera gave up its dome-shaped housing, and now the OpenMV board is doing guest access duty on a post in front of his property’s front gate. He’s shared the code with us, and says he’s personally running a slightly modified version for security reasons — not that a random burglar is likely to stumble upon this post anyway. Besides it looks like the gate would be easy for a burglar to jump over without any need for security bypass, and the convenience benefits of this hack are undeniable.

In the unlikely chance a burglar is reading this, however, don’t be sad. We do happen to have a bunch of hacks for you, too. There’s far less secure systems out there, from building RFID keyfobs to gated community access control systems, sometimes all you need is a 12 V battery. If you’re not into burglary, that’s okay too — we’ve covered other guest access hacks before, for instance, this ESP8266-powered one.

A Honda car behind a gate, with its turn signals shown blinking as it's being unlocked by a portable device implementing the hack in question. Text under the car says "Rolling Pwned".

Unlock Any (Honda) Car

July 8, 2022 by Arya Voronova 78 Comments

Honda cars have been found to be severely vulnerable to a newly published Rolling PWN attack, letting you remotely open the car doors or even start the engine. So far it’s only been proven on Hondas, but ten out of ten models that [kevin2600] tested were vulnerable, leading him to conclude that all Honda vehicles on the market can probably be opened in this way. We simply don’t know yet if it affects other vendors, but in principle it could. This vulnerability has been assigned the CVE-2021-46145.

[kevin2600] goes in depth on the implications of the attack but doesn’t publish many details. [Wesley Li], who discovered the same flaw independently, goes into more technical detail. The hack appears to replay a series of previously valid codes that resets the internal PRNG counter to an older state, allowing the attacker to reuse the known prior keys. Thus, it requires some eavesdropping on previous keyfob-car communication, but this should be easy to set up with a cheap SDR and an SBC of your choice.

If you have one of the models affected, that’s bad news, because Honda probably won’t respond anyway. The researcher contacted Honda customer support weeks ago, and hasn’t received a reply yet. Why customer support? Because Honda doesn’t have a security department to submit such an issue to. And even if they did, just a few months ago, Honda has said they will not be doing any kind of mitigation for “car unlock” vulnerabilities.

As it stands, all these Honda cars affected might just be out there for the taking. This is not the first time Honda is found botching a rolling code implementation – in fact, it’s the second time this year. Perhaps, this string of vulnerabilities is just karma for Honda striking down all those replacement part 3D models, but one thing is for sure – they had better create a proper department for handling security issues.

LoRa Helps With Remote Water Tank Level Sensing

July 7, 2022 by Arya Voronova 9 Comments

[Renzo Mischianti]’s friend has to keep a water tank topped up. Problem is, the tank itself is 1.5 km away, so its water level isn’t typically known. There’s no electricity available there either — whichever monitoring solution is to be used, it has to be low-power and self-sufficient. To help with that, [Renzo] is working on a self-contained automation project, with a solar-powered sensor that communicates over LoRa, and a controller that receives the water level readings and powers the water pump when needed.

[Renzo] makes sure to prototype every part using shields and modules before committing to a design, and has already wrote and tested code for both the sensor and the controller, as well as created the PCBs. He’s also making sure to document everything as he goes – in fact, there’s whole seven blog posts on this project, covering the already completed software, PCB and 3D design stages of this project.

These worklogs have plenty of explanations and pictures, and [Renzo] shows a variety of different manufacturing techniques and tricks for beginners along the way. The last blog post on 3D designing and printing the sensor enclosure was recently released, and that likely means we’ll soon see a post about this system being installed and tested!

[Renzo] has been in the “intricately documented worklogs” business for a while. We’ve covered his 3D printed PCB mill and DIY soldermask process before, and recently he was seen adding a web interface to a 3D printer missing one. As for LoRa, there’s plenty of sensors you can build – be it mailbox sensors, burglar alarms, or handheld messengers; and now you have one more project to draw inspiration and knowledge from. [Renzo] has previously done a LoRa tutorial to get you started, and we’ve made one about LoRaWAN!

Continue reading “LoRa Helps With Remote Water Tank Level Sensing” →

Headphones described in article, charging off a powerbank through an orange USB cable

Headphone Cable Trouble Inspires Bluetooth Conversion

July 6, 2022 by Arya Voronova 12 Comments

[adblu] encountered the ever-present headphone problem with their Sennheiser Urbanite headphones – the cable broke. These headphones are decent, and despite the cable troubles, worth giving a new life to. Cable replacement is always an option, but [adblu] decided to see – what would it take to make these headphones wireless? And while they’re at it, just how much battery life could they get?

Armed with a CSR8635 Bluetooth audio receiver breakout module and a TP4056 charger, [adblu] went on rewiring the headphone internals. The CSR8635 already has a speaker amplifier inside, so connecting the headphones’ speakers didn’t require much effort – apart from general soldering difficulties, as [adblu]’s soldering iron was too large for the small pads on the BT module. They also found a 2400mAh battery, and fit it inside the headphone body after generous amounts of dremel work.

The result didn’t disappoint – not only does everything fit inside the headphone body, the headphones also provided 165 hours of music playback at varying volume. Electronics-wise, it really is that easy to retrofit your headphones with Bluetooth, but you can always go the extra mile and design an intricate set of custom PCBs! If firmware hacks are more to your liking, you can use a CSR8645 module for your build and then mod its firmware.