32C3: Beyond Your Cable Modem

[Alexander Graf] gave an absolutely hilarious talk at 32C3 about the security flaws he found in cable modems from two large German ISPs. The vulnerability was very serious, resulting in remote root terminals on essentially any affected cable modem, and the causes were trivial: unencrypted passwords in files that are sent over TFTP or Telnet to the modems, for instance.

While [Alexander] was very careful to point out that he’d disclosed all of these vulnerabilities to the two German cable ISPs that were affected, he notably praised one of them for its speedy response in patching up the holes. As for the other? “They’d better hurry up.” He also mentions that, although he’s not sure, he suspects that similar vulnerabilities are present in other countries. Oh dear.

A very interesting point in the talk is the way that [Alexander] chose to go about informing the cable ISPs. Instead of going to them directly and potentially landing himself in jail, he instead went to the press, and let his contacts at the press talk to the ISPs. This both shielded him from the potential initial heat and puts a bit of additional pressure on the ISPs to fix the vulnerability — when the story hits the front page, they would really like to be ahead of the problem.


There’s even a bone for you die-hard hardware hackers out there who think that all of this software security stuff is silly. To get the modem’s firmware in the first place, at minute 42 of the talk, [Alexander] shows briefly how he pulled the flash chip off the device and read it into his computer using a BeagleBone Black. No JTAG, no nothing. Just pulling the chip off and reading it the old-fashioned way.

If you’ve got an hour, go watch [Alexander]’s talk. It’s a fun romp through some serious vulnerabilities.

32C3: A Free And Open Source Verilog-to-Bitstream Flow For ICE40 FPGAs

[Clifford] presented a fully open-source toolchain for programming FPGAs. If you don’t think that this is an impressive piece of work, you don’t really understand FPGAs.

The toolchain, or “flow” as the FPGA kids like to call it, consists of three parts: Project IceStorm, a low-level tool that can build the bitstreams that flip individual bits inside the FPGA; Arachne-pnr, a place-and-route tool that turns a symbolic netlist into the physical layout that IceStorm needs; and Yosys, which synthesizes Verilog code into the netlists needed by Arachne. [Clifford] developed both IceStorm and Yosys, so he knows what he’s talking about.

What’s most impressive is that FPGAs aren’t the only target for this flow. Because it’s all open source and modifiable, it has also been used for designing custom ASICs, good to know when you’re in need of your own custom silicon. [Clifford]’s main focus in Yosys is on formal verification — making sure that the FPGA will behave as intended in the Verilog code. A fully open-source toolchain makes working on this task possible.

If you’ve been following along with [Al Williams]’s FPGA posts, either his introduction or his more recent intermediate series, both based on the relatively cheap Lattice iCEStick development kit, this video is a must-watch. It’s a fantastic introduction to the cutting edge in free FPGA tools.

What Can Happen When You Do Try This At Home

In somewhat of a countdown format, [John McMaster] looked back over the last few years of projects and documented the incidents he’s suffered (and their causes) in the course of doing cool stuff.

[John] starts us off easy — mis-wiring and consequently blowing up a 400V power supply. He concludes “double-check wiring, especially with high power systems”. Other tips and hazards involve situations in which we seldom find ourselves: “always check CCTV” before entering the experiment chamber of a cyclotron to prevent getting irradiated. Sounds like good advice.

[John] also does a lot of IC decapping, which can involve both heat and nasty acids. His advice includes being ready for large spills with lots of baking soda on hand, and he points out the need to be much more careful with large batches of acid than with the usual smaller ones. Don’t store acid in unfamiliar bottles — all plastics aren’t created equal — and don’t store any of it in your bedroom.

The incidents are listed from least to most horrible, and second place goes to what was probably a dilute hydrofluoric acid splash. Keyword: necrosis. First place is a DIY hydrochloric acid fabrication that involves, naturally, combining pure hydrogen and chlorine gas. What could possibly go wrong?

Anyway, if you’re going to do “this” at home, and we know a bunch of you are: be careful, be protected, and be prepared.

Thanks [J. Peterson] for the tip!

V8 Javascript Fixes (Horrible!) Random Number Generator

According to this post on the official V8 Javascript blog, the pseudo-random number generator (PRNG) that V8 Javascript uses in Math.random() is horribly flawed and getting replaced with something a lot better. V8 is Google’s fast Javascript engine that they developed for Chrome, and it’s used in Node.js and basically everywhere. The fact that nobody has noticed something like this for the last six years is a little bit worrisome, but it’s been caught and fixed and it’s all going to be better soon.

In this article, I’ll take you on a trip through the math of randomness, through to pseudo-randomness, and then loop back around and cover the history of the bad PRNG and its replacements. If you’ve been waiting for an excuse to get into PRNGs, you can use this bizarre fail and its fix as your excuse.

But first, some words of wisdom:

Any one who considers arithmetical methods of producing random digits is, of course, in a state of sin. For, as has been pointed out several times, there is no such thing as a random number — there are only methods to produce random numbers, and a strict arithmetic procedure of course is not such a method.
John von Neumann

John von Neumann was a very smart man — that goes without saying. But in two sentences, he conveys something tremendously deep and tremendously important about random variables and their mathematical definition. Indeed, when you really understand these two sentences, you’ll understand more about randomness than most everyone you’ll meet.
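To make von Neumann’s point concrete, here is an added example (not code from the V8 blog post or from this article) that shows what an “arithmetic method” of producing random digits actually is, and the two crude checks anyone reviewing a PRNG would run on it. It implements xorshift128+, the algorithm V8 announced as the Math.random() replacement (not covered in the excerpt above), maps its 64-bit outputs to doubles in [0, 1), runs a chi-square uniformity test over equal-width bins, and measures the period of a deliberately tiny 16-bit linear congruential generator that passes the uniformity check yet repeats after 65536 draws. All seeds, bin counts and the LCG constants are constructed for the example, and the function names (makeXorshift128plus, toUnit, makeLcg16, chiSquare, periodOf, firstDraws, lcg16Period, xorshiftChiSquare) are this example’s own.

```javascript
// Added example: a small PRNG lab. xorshift128+ is the generator V8 adopted;
// everything else here (seeds, the toy 16-bit LCG, bin counts) is constructed.
// Requires BigInt support (Node 10.4+ or any current browser).

const MASK64 = (1n << 64n) - 1n;

// xorshift128+ (Vigna). Returns a closure producing 64-bit BigInt outputs.
// The (s0, s1) state must not be all zero, or the generator is stuck at zero.
// Tiny seeds give a poor first few outputs, so real use seeds from an entropy source.
function makeXorshift128plus(seed0, seed1) {
  let s0 = BigInt(seed0) & MASK64;
  let s1 = BigInt(seed1) & MASK64;
  if (s0 === 0n && s1 === 0n) throw new Error('xorshift128+ state must not be all zero');
  return function next() {
    let x = s0;
    const y = s1;
    s0 = y;
    x ^= (x << 23n) & MASK64;
    x ^= x >> 17n;
    x ^= y ^ (y >> 26n);
    s1 = x;
    return (x + y) & MASK64;
  };
}

// Map a 64-bit output to a double in [0, 1) using its top 53 bits, which is
// all the mantissa of an IEEE-754 double can hold.
function toUnit(v) {
  return Number(v >> 11n) / 9007199254740992; // 2 ** 53
}

// Toy LCG with only 16 bits of state: x' = (5x + 1) mod 2^16. It has full
// period by the Hull-Dobell conditions, so its histogram looks flat, but the
// whole sequence repeats after 65536 draws.
function makeLcg16(seed) {
  let x = seed & 0xffff;
  return function next() {
    x = (5 * x + 1) & 0xffff;
    return x;
  };
}

// Chi-square statistic of `samples` draws from nextFloat() over `buckets`
// equal-width bins (buckets - 1 degrees of freedom). A value far above
// roughly 2 * (buckets - 1) means the output is visibly non-uniform.
function chiSquare(nextFloat, samples, buckets) {
  const counts = new Array(buckets).fill(0);
  for (let i = 0; i < samples; i++) {
    counts[Math.floor(nextFloat() * buckets)] += 1;
  }
  const expected = samples / buckets;
  return counts.reduce((acc, c) => acc + ((c - expected) ** 2) / expected, 0);
}

// Count draws until `first` recurs; -1 if it does not within `limit` draws.
// Valid for purely periodic generators such as a full-period LCG.
function periodOf(next, first, limit) {
  for (let i = 1; i <= limit; i++) {
    if (next() === first) return i;
  }
  return -1;
}

// Same seed, same sequence: the "random" numbers are a function of the seed,
// which is exactly von Neumann's "state of sin".
function firstDraws(seed0, seed1, n) {
  const next = makeXorshift128plus(seed0, seed1);
  return Array.from({ length: n }, () => toUnit(next()));
}

function lcg16Period() {
  const lcg = makeLcg16(42); // constructed seed
  const first = lcg();
  return periodOf(lcg, first, 1 << 20);
}

function xorshiftChiSquare() {
  // constructed seeds; 16000 draws into 16 bins, expected 1000 per bin
  const next = makeXorshift128plus(0x9e3779b97f4a7c15n, 0xdeadbeefcafef00dn);
  return chiSquare(() => toUnit(next()), 16000, 16);
}

console.log('first draws (seed 1,2):', firstDraws(1, 2, 3));
console.log('xorshift128+ chi-square, 16 bins:', xorshiftChiSquare().toFixed(2));
console.log('16-bit LCG period:', lcg16Period());
```

Run it with node; the LCG period comes out at exactly 65536 while its histogram would pass the same chi-square check the xorshift generator passes, which is why uniformity alone says little about a generator. None of this is a substitute for a cryptographic source: anything that must be unguessable (session tokens, nonces, keys) belongs to a CSPRNG such as Node’s crypto module, never to Math.random(), whichever algorithm sits behind it.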


You Need A Self-Righting Thrust-Vector Balloon Copter

Cornell University’s microcontroller class looks like a tremendous amount of fun. Not only do the students learn the nitty-gritty details of microcontroller programming, but the course culminates in a cool project. [Brian Ritchken] and [Jim Liu] made a thrust-vector controlled balloon blimp. They call this working?!?!

Three balloons provide just enough lift so that the blimp can climb or descend on motor power. Since the machine is symmetric, there’s no intrinsic idea of “forward” or “backward”. Instead, a ring of eight LEDs around the edge let you know which way the blimp thinks it’s pointing. Two controls on the remote rotate the pointing direction clockwise and counter-clockwise. The blimp does the math to figure out which motors to run faster or slower when you tell it to go forward or back.

The platform is stabilized by a feedback loop with an accelerometer on board, and seems capable of handling a fairly asymmetric weight distribution, as evidenced by their ballast dangling off the side — a climbing bag filled with ketchup packets that presumably weren’t just lifted from the dining halls.

It looks like [Brian] and [Jim] had a ton of fun building and flying this contraption. We’d love to see a distance-to-the-floor sensor added so that they could command it to hover at a given height, but that adds an extra level of complexity. They got this done in time and under budget, so kudos to them both. And in a world full of over-qualified quadcopters, it’s nice to see the humble blimp getting its time in the sun.

Yep, you heard right… this is yet another final project for a University course. Yesterday we saw a spinning POV globe, and the day before a voice-activated eye test. We want to see your final project too so please send in a link!

Camera Quadcopter Almost Hits Slalom Skier

During the World Cup slalom skiing championship on Wednesday, ski champion [Marcel Hirscher] was nearly hit by an out-of-control camera drone, that crashed just behind him while filming during a run. Watch the (scary) video embedded after the break.

According to this article in Heise.de (Google Translate link), the pilot was accredited and allowed to fly the quad, but only over a corridor where no spectators were present. After the first couple of runs, apparently the pilot went off course and quite obviously lost control of the copter.


USB Proxy Rats Out Your Devices’ Secrets

If you need to reverse-engineer a USB protocol on a computer running Linux, your work is easy because you control everything on the target system — you can just look at the raw USB data. If you’d like to reverse-engineer a USB device that plugs into a game console, on the other hand, your work is a lot harder. Until now.

serialusb is a side-project by [Mathieu Laurendeau], alias [Matlo]. His main project, GIMX is aimed at gaming and lets you modify your gaming controller’s performance by passing it first through your PC and tweaking the USB data before forwarding it on to the target console. Want rapid fire? You got it. Alter the steering-wheel sensitivity curves? Sure.

GIMX is essentially a USB man-in-the-middle between your controller and your console, with the added ability to modify the data along the way. For hardware that’s not yet supported by GIMX, though, either [Matlo] would need to borrow your controller, or teach you to man-in-the-middle your own USB traffic. And that’s what serialusb does.

The hardware required is very modest: a USB-to-serial adapter and an ATmega32u4-based Arduino clone. Many of you could whip this together with parts on hand, and it’s the same hardware you’d need to run GIMX anyway. Data goes through your computer, is usbmon’ed and wireshark’ed, and then passed over serial to the ATmega which then converts it back into USB, plugged into the console. A very tidy little setup.

In case this seems familiar, we’ve covered a similar trick by [Matlo] before that used a BeagleBoard as the computer in the middle. That’s a sweet setup for sure, but if you don’t have a spare single-board computer lying around, now you can get it done for only around $5 in parts. Happy USB reversing!