Author: Elliot Williams

1437 Articles

Supercon: Ruth Grace Wong And Firmware From The Firehose

February 22, 2019 by 13 Comments

Firmware and software are both just code, right? How different could the code that runs Internet-scale distributed web stuff be from the code that runs a tiny microcontroller brain inside a personal hydroponics device? Night and day!

Ruth Grace Wong works in the former world, but moonlights as a manufacturing engineer with some friends. Their product had pre-existing firmware that contained (at least) one bug, and Ruth’s job was to find it. The code in question was written by the Chinese PCB engineer, who knew the electronics intimately but who had no software background, providing Ruth an opportunity to jump head-first into the rawest of raw embedded programming. Spoiler alert: she found the bug and learned a lot about firmware along the way. This talk follows her along the adventure.

“The code is very well documented, in Chinese” but the variable names are insanely non-descriptive. Similarly, while the PCB engineer knows full well what a 24C02 is, if you’re a software geek that might as well be Chinese. As you’d expect, web searches came to the rescue on both fronts.

The bug ended up hiding in a logical flaw in the PWM-setting code inside an interrupt service routine, and it kept the fan from ever coming full on. Once found, it was easily fixed. But getting to the point where you understand the codebase deeply enough to know where to look is four-fifths of the battle. Heck, setting up the toolchain alone can take a day or two.

If you’re a fellow software type, Ruth’s talk (embedded below) will give you a quick glimpse into the outer few layers of the onion that is embedded firmware development, from a familiar viewpoint. Give her quick and value-packed talk a watch! Grizzled hardware veterans will nod along, and maybe even gain a little insight into how our code looks to “them”.

Continue reading “Supercon: Ruth Grace Wong And Firmware From The Firehose”

Supercon 2018: Mike Szczys And The State Of The Hackaday

February 14, 2019 by 12 Comments

Every year at Superconference, Editor-in-Chief Mike Szczys gets the chance to talk about what we think are the biggest, most important themes in the Hackaday universe. This year’s talk was about science and technology, and more importantly who gets to be involved in building the future. Spoiler: all of us! Hackaday has always stood for the ideal that you, yes you, should be taking stuff apart, improving it, and finding innovative ways to use, make, and improve. To steal one of Mike’s lines: “Hackaday is an engine of engagement in engineering fields.”

Continue reading “Supercon 2018: Mike Szczys And The State Of The Hackaday”

Voja Antonic: Designing The Cube

February 7, 2019 by 6 Comments

Voja Antonic designed this fantastic retrocomputing badge for Hackaday Belgrade in 2018, and it was so much fun that we wanted to bring it stateside to the Supercon essentially unaltered. And that meant that Voja had some free time to devote to a new hardware giveaway: the Cube. So while his talk at Supercon in November was ostensibly about the badge, he just couldn’t help but tell us about his newer love, and some of the extremely clever features hidden within.

It’s funny how the hardware we design can sometimes reflect so much on the creator. Voja designed then-Yugoslavia’s first widely used home computer (and published the DIY plans in a magazine!). Thousands were built from their kits. The Galaksija was a Z80-based design with a custom BASIC that was just barely squeezed into the available 4K of ROM. So you shouldn’t be shocked that the retro-badge has a working keyboard and a nice BASIC on board.

But let’s jump ahead to the Cube, because that’s even more of a passion project. On the outside, they’re very simple devices, with only a USB port and a sweet diffused LED ring visible. Aesthetic? Minimalistic? Beautiful, honestly.
Continue reading “Voja Antonic: Designing The Cube”

Ben Krasnow At Supercon: Making Alien Technology In Your Own Shop

January 28, 2019 by 25 Comments

Ben Krasnow has a vision of future electronics: instead of the present PCB-screwed-into-a-plastic-box construction, flexible circuits will be deposited straight onto the plastic body of the device itself, merging the physical object and its electronics. There is existing copper-on-plastic technology, but Ben’s got something novel that he presents in this talk that you could implement yourself. You might also want a display, or at least something to blink, so he’s also working on some electroluminescent technology to complement it. If you were wondering why Ben is so interested in silkscreening photopolymers right now, watching this talk will pull a lot of interesting threads together. Continue reading “Ben Krasnow At Supercon: Making Alien Technology In Your Own Shop”

35C3: Biggest Communication Congress, Yet Little Chaos

January 10, 2019 by 4 Comments

Every year for the past 35 years, the German Chaos Computer Club has met just after Christmas for a few days of “Spaß am Gerät” — having fun with the machines. And that’s everything from trying to bring an old PDP-8 back into running condition to forging new software to replace the old and busted social media platforms that permeate our lives. The sum total of around 17,000 people doing the nerdy stuff that they love, and sharing it together, is both amazing and inspiring. Four days of little sleep and much socializing later, I bet there was still another four days’ worth of stuff to see.

The official theme this year was “Refreshing Memories” which honestly sounds a bit too much like a cola slogan, but was a great opportunity to think back on the hacks of the past that got us where we are. Assemblies put up shrines to their hacker heroes of the past. Retro computers were everywhere, in the talks and on the floor. This year’s Congress was a great time to look back and remember, but also to create new memories for the future. On that front, it was a total success.

But the unofficial theme this year was “Smooth Running”. Everything went very well, which is no small feat considering that the infrastructure, decoration, security, and even the medical response teams are from the Chaos community. It’s the depth of engagement that makes this work: of the 17,000 people who showed up, just over 4,000 of them volunteered for “angel” shifts — meaning they helped guard the doors, staff the info desks, or build up or tear down. It was the largest ever CCC, and you could feel it, but they pulled it off, and then some.

The angels are geeks just like you and me, and since everything went so smoothly, they had time to play. For instance, the phone operations people offer DECT phone service so that attendees can bring in their home phones and use them at Congress. In years past, the lines to register and enroll phones were painfully long. This year, it all happened online, and the result is that the phone ops crew got bored. That explains how they had time to establish roaming home-phone wireless service in some of the normal Leipzig city trams. Wait, what?

Continue reading “35C3: Biggest Communication Congress, Yet Little Chaos”

Fail Of The Week: EPROMs, Rats’ Nests, Tanning Lamps, And Cardboard On Fire

January 2, 2019 by 87 Comments

It all started when I bought a late-1990s synthesizer that needed a firmware upgrade. One could simply pull the ROM chip, ship it off to Yamaha for a free replacement, and swap in the new one — in 2003. Lacking a time machine, a sensible option is to buy a pre-programmed aftermarket EPROM on eBay for $10, and if you just want a single pre-flashed EPROM that’s probably the right way to go. But I wanted an adventure.

Spoiler alert: I did manage to flash a few EPROMs and the RM1X is happily running OS 1.13 and pumping out the jams. That’s not the adventure. The adventure is trying to erase UV-erasable EPROMS.

And that’s how I ended up with a small cardboard fire and a scorched tanning lamp, and why I bought a $5 LED, and why I left EPROMs out in the sun for four days. And why, in the end, I gave up and ordered a $15 EPROM eraser from China. Along the way, I learned a ton about old-school UV-erasable EPROMs, and now I have a stack of obsolete silicon that’s looking for a new project like a hammer looks for a nail — just as soon as that UV eraser arrives in the mail.

Continue reading “Fail Of The Week: EPROMs, Rats’ Nests, Tanning Lamps, And Cardboard On Fire”

35C3: Finding Bugs In Bluetooth

December 30, 2018 by 24 Comments

[Jiska Classen] and [Dennis Mantz] created a tool called Internal Blue that aims to be a Swiss-army knife for playing around with Bluetooth at a lower level. The ground for their tool is based in three functions that are common to all Broadcom Bluetooth chipsets: one that lets you read arbitrary memory, on that lets you run it, and one that lets you write it. Well, that was easy. The rest of their work was analyzing this code, and learning how to replace the firmware with their own version. That took them a few months of hard reversing work.

In the end, Internal Blue lets them execute commands at one layer deeper — the LMP layer — easily allowing monitoring and injection. In a series of live (and successful!) demos they probe around on a Nexus 6P from a modified Nexus 5 on their desk. This is where they started digging around in the Bluetooth stack of other devices with Broadcom chipsets, and that’s where they started finding bugs.

As is often the case, [Jiska] was just poking around and found an external code handler that didn’t do bounds checking. And that meant that she could run other functions in the firmware simply by passing the address handler offset. Since they’re essentially calling functions at any location in memory, finding which functions to call with which arguments is a process of trial and error, but the ramifications of this include at least a Bluetooth module crash and reset, but can also pull such tricks as putting the Bluetooth module into “Device Under Test” mode, which should only be accessible from the device itself. All of this is before pairing with the device — just walking by is sufficient to invoke functions through the buggy handler.

All the details of this exploit aren’t yet available, because Broadcom hasn’t fixed the firmware for probably millions of devices in the wild. And one of the reasons that they haven’t fixed it is that patching the bug will disclose where the flaw lies in all of the unpatched phones, and not all vendors can be counted on to push out updates at the same time. While they focused on the Nexus 5 cellphone, which is fairly old now, it’s applicable to any device with a similar Broadcom Bluetooth chipset.

Aside from the zero-day bug here, the big story is their Bluetooth analysis framework which will surely help other researchers learn more about Bluetooth, finding more glitches and hopefully helping make Bluetooth more openly scrutinized and more secure. Now anyone with a Raspberry Pi 3/3+ or a Nexus 5, is able to turn it into a low-level Bluetooth investigation tool.

You might know [Jiska] from her previous FitBit hack. If not, be sure to check it out.

Continue reading “35C3: Finding Bugs In Bluetooth”