Cheap Smarthome Gadget(s) Hacked Into Zigbee Sniffer

French hacker [akila] is building up a home automation system. In particular, he’s been working with the “SmartHome” series of gadgets made by Chinese smartphone giant, Xiaomi. First, he started off by reverse-engineering their very nicely made temperature and humidity sensor. (Original in French, hit the translate button in the lower right.) With that under his belt, he opened up the PIR motion sensor unit to discover that it has the same debugging pinouts and the same processor. Almost too easy.

For a challenge, [akila] decided it was time to implement something useful in one of these gadgets: a ZigBee sniffer so that he can tell what’s going on in the rest of his home network. He built a USB/serial programming cable to work with the NXP JN5169’s bootloader, downloaded the SDK, and rolled up his sleeves to get to work.

While trawling through the SDK, he found some interesting firmware called “JennicSniffer”. Well, that was easy. There’s a demo version of a protocol analyzer that he used. It would be cool to get this working with Wireshark, but that’s a project for another day. [Akila] got far enough with the demo analyzer to discover that the packets sent by the various devices in the home network are encrypted. That’s good news for the security-conscious out there and stands as the next open item on [akila]’s to-do list.

We don’t see as many ZigBee hacks as we’d expect, but they’ve definitely got a solid niche in home automation because of commercial offerings like Philips Hue and Wink. And of course, there’s the XBee line of wireless communications modules. We just wrote up a ZigBee hack that aims to work with the Hue system, though, so maybe times are changing?

A Red Teamer’s Guide To Pivoting

What is hacking and what is network engineering? We’re not sure where exactly to draw the lines, but [Artem]’s writeup of pivoting is distinctly written from the (paid) hacker’s perspective.

Once you’re inside a network, the question is what to do next. “Pivoting” is how you get from where you are currently to where you want to be, or even just find out what’s available. And that means using all of the networking tricks available. These aren’t just useful for breaking into other people’s networks, though. We’ve used half of these tools at one time or another just running things at home. The other half? Getting to know them would make a rainy-day project.

Is there anything that ssh and socat can’t do? Maybe not, but there are other tools (3proxy and Rpivot) that make it easier. You know how clients behind a NAT firewall can reach out, but can’t be reached from outside? ssh -D will forward a port to the inside of the network. Need to get data out? There’s the old standby iodine to route arbitrary data over DNS queries, but [Artem] says dnscat2 works without root permissions. (And this code does the same on an ESP8266.)
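The flip side of iodine and dnscat2 is that the data has to ride in the query names, and that leaves a very recognizable shape in a resolver log. As an added example (not from the original article or from [Artem]’s guide), here is a small Python heuristic run over a constructed log: it groups queries by parent domain and scores the leftmost label for length, entropy and uniqueness. The log format, the client address and the `tunnel-example.net` domain are all made up for the demonstration, and the two-label “registrable domain” approximation stands in for a real public suffix list.

```python
"""Heuristic DNS-tunnel detector, run over constructed resolver log lines."""
import math
from collections import defaultdict

# Constructed sample log, one query per line: "<epoch> <client_ip> <qtype> <qname>".
# The example.com lines are ordinary browsing; the TXT queries under tunnel-example.net
# mimic the shape a DNS-tunnel client produces (unique, long, hex-like leftmost label).
SAMPLE_LOG = """\
1700000000 10.0.0.12 A www.example.com
1700000001 10.0.0.12 AAAA static.example.com
1700000002 10.0.0.12 TXT 0ab3f9c2e1d44b7a9f8e6c5d.t.tunnel-example.net
1700000002 10.0.0.12 TXT 7d2e9a1c4b6f8e0a3c5d7b9f.t.tunnel-example.net
1700000003 10.0.0.12 TXT e5c1a7b3d9f2048c6e1b3a5d.t.tunnel-example.net
1700000003 10.0.0.12 TXT 3f8a1d6c9b2e7a4f0c5d8b1e.t.tunnel-example.net
1700000004 10.0.0.12 TXT b9d4e7a2c5f8013a6d9c2e5b.t.tunnel-example.net
1700000005 10.0.0.12 A mail.example.com
1700000006 10.0.0.12 TXT a1c3e5b7d9f2046c8e0b2d4f.t.tunnel-example.net
1700000007 10.0.0.12 TXT 6e2b8d4f0a1c3e5b7d9f2046.t.tunnel-example.net
"""


def shannon_entropy(text):
    """Bits of entropy per character; 0.0 for an empty or single-symbol string."""
    if not text:
        return 0.0
    n = len(text)
    counts = {}
    for ch in text:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_line(line):
    """Split one constructed log line into its fields, normalising the query name."""
    ts, client, qtype, qname = line.split()
    return {"ts": int(ts), "client": client, "qtype": qtype,
            "qname": qname.rstrip(".").lower()}


def parent_domain(qname, levels=2):
    """Registrable-domain approximation: the last `levels` labels (no public suffix list)."""
    return ".".join(qname.split(".")[-levels:])


def score_domains(log_text):
    """Per parent domain: query count, distinct names, and leftmost-label length/entropy."""
    groups = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            rec = parse_line(line)
            groups[parent_domain(rec["qname"])].append(rec)
    stats = {}
    for parent, recs in groups.items():
        first_labels = [r["qname"].split(".")[0] for r in recs]
        stats[parent] = {
            "queries": len(recs),
            "unique_names": len({r["qname"] for r in recs}),
            "mean_label_len": sum(map(len, first_labels)) / len(first_labels),
            "mean_entropy": sum(map(shannon_entropy, first_labels)) / len(first_labels),
            "txt_ratio": sum(r["qtype"] == "TXT" for r in recs) / len(recs),
        }
    return stats


def flag_tunnels(log_text, min_queries=5, min_label_len=20, min_entropy=3.0):
    """Parent domains whose query stream looks like encoded payload rather than names."""
    flagged = []
    for parent, s in score_domains(log_text).items():
        if (s["queries"] >= min_queries
                and s["mean_label_len"] >= min_label_len
                and s["mean_entropy"] >= min_entropy
                and s["unique_names"] / s["queries"] >= 0.9):
            flagged.append(parent)
    return sorted(flagged)


if __name__ == "__main__":
    for parent, s in sorted(score_domains(SAMPLE_LOG).items()):
        print(f"{parent:22s} q={s['queries']:2d} uniq={s['unique_names']:2d} "
              f"len={s['mean_label_len']:5.1f} H={s['mean_entropy']:.2f} "
              f"txt={s['txt_ratio']:.2f}")
    print("flagged:", flag_tunnels(SAMPLE_LOG))
```

The thresholds are deliberately loose; on a real network you would tune them against your own baseline, and CDN or anti-spam lookups with long hashed labels are the usual false positives, so the query count and uniqueness ratio matter as much as the entropy score.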

Once you’ve set up proxies inside, the tremendously useful proxychains will let you tunnel whatever you’d like across them. Python’s pty shell makes things easier to use, and tsh will get you a small shell on the inside, complete with file-transfer capabilities.

Again, this writeup is geared toward the pen-testing professional, but you might find any one of these tools useful in your own home network. We used to stream MP3s from home to work with some (ab)use of netcat and ssh. We keep our home IoT devices inside our own network, and launching reverse-proxies lets us check up on things from far away without permanently leaving the doors open. One hacker’s encrypted tunnel is another man’s VPN. Once you know the tools, you’ll find plenty of uses for them. What’s your favorite?

Thanks [nootrope] for the indirect tip!

MIDI Drawings Paint With Piano Keyboards

Musician [Mari Lesteberg] is making music that paints pictures. Or maybe she’s making pictures that paint music. It’s complicated. Check out the video (embedded below) and you’ll see what we mean. The result is half Chinese scroll painting, and half musical score, and they go great together.

Lots of MIDI recorders/players use the piano roll as a model for input — time scrolls off to the side, and a few illuminated pixels represent a note played. She’s using the pixels to paint pictures as well: waves on a cartoon river make an up-and-down arpeggio. That’s a (musical) hack. And she’s not the only person making MIDI drawings. You’ll find a lot more on reddit.
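To make the pixels-to-notes idea concrete, here is an added Python example (not code from the original article or from [Mari Lesteberg]) that takes a small text bitmap, reads each column as a time step and each row as a scale degree, merges horizontal runs into held notes, and writes the result out as a minimal format-0 Standard MIDI File by hand. The `RIVER` bitmap, the C major mapping and the tick values are constructed for the demonstration.

```python
"""Turn a text bitmap into piano-roll notes and a minimal Standard MIDI File."""
import struct

# Constructed bitmap: columns are time steps (left to right), rows are pitches
# (top row is the highest). The zig-zag traces river waves, which play back as an
# up-and-down arpeggio, mirroring the idea described above.
RIVER = [
    "..#.....#....",
    ".#.#...#.#...",
    "#...#.#...#.#",
    ".....#.....#.",
]

# Rows are mapped onto a C major scale above middle C so the picture stays in key.
MAJOR_SCALE = [0, 2, 4, 5, 7, 9, 11, 12, 14, 16, 17, 19, 21, 23]


def bitmap_to_notes(rows, base_pitch=60, step_ticks=24):
    """Return sorted (start_tick, midi_pitch, duration_ticks) triples.

    A horizontal run of '#' becomes one held note rather than repeated hits.
    """
    notes = []
    height = len(rows)
    for r, row in enumerate(rows):
        pitch = base_pitch + MAJOR_SCALE[height - 1 - r]
        c = 0
        while c < len(row):
            if row[c] != "#":
                c += 1
                continue
            start = c
            while c < len(row) and row[c] == "#":
                c += 1
            notes.append((start * step_ticks, pitch, (c - start) * step_ticks))
    return sorted(notes)


def vlq(n):
    """MIDI variable-length quantity: 7 bits per byte, high bit set on all but the last."""
    out = [n & 0x7F]
    n >>= 7
    while n:
        out.append(0x80 | (n & 0x7F))
        n >>= 7
    return bytes(reversed(out))


def notes_to_smf(notes, channel=0, velocity=96, ppq=96):
    """Serialise notes as a format-0 Standard MIDI File (one track) and return the bytes."""
    events = []
    for start, pitch, dur in notes:
        events.append((start, 1, 0x90 | channel, pitch, velocity))   # note on
        events.append((start + dur, 0, 0x80 | channel, pitch, 0))    # note off
    events.sort(key=lambda e: (e[0], e[1]))   # note-offs before note-ons at the same tick
    track = bytearray()
    last = 0
    for tick, _, status, pitch, vel in events:
        track += vlq(tick - last) + bytes([status, pitch, vel])
        last = tick
    track += b"\x00\xff\x2f\x00"   # end-of-track meta event
    header = b"MThd" + struct.pack(">IHHH", 6, 0, 1, ppq)
    return header + b"MTrk" + struct.pack(">I", len(track)) + bytes(track)


if __name__ == "__main__":
    notes = bitmap_to_notes(RIVER)
    print([pitch for _, pitch, _ in notes])   # the arpeggio traced by the waves
    with open("river.mid", "wb") as fh:
        fh.write(notes_to_smf(notes))
```

Running it writes `river.mid`, which any sequencer will open and display as the original picture in its piano-roll view; sorting note-offs ahead of note-ons at the same tick is what keeps adjacent cells in one row from retriggering instead of sustaining.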

Of course, one could do the same thing with silent pixels — just set a note to play with a volume of zero — but that’s cheating and no fun at all. As far as we can tell, you can hear every note that’s part of the scrolling image. The same cannot be said for music of the black MIDI variety, which aims to pack as many notes into a short period of time as possible. To our ears, it’s not as beautiful, but there’s no accounting for taste.

It’s amazing what variations we’re seeing in the last few years on the ancient piano roll technology. Of course, since piano rolls are essentially punch-cards for musical instruments, we shouldn’t be too surprised that this is all possible. Indeed, we’re a little bit surprised that new artistic possibilities are still around. Has anyone seen punch-card drawings that are executable code? Or physical piano rolls with playable images embedded in them?


Say It With Me: Aliasing

Suppose you take a few measurements of a time-varying signal. Let’s say for concreteness that you have a microcontroller that reads some voltage 100 times per second. Collecting a bunch of data points together, you plot them out — this must surely have come from a sine wave at 35 Hz, you say. Just connect up the dots with a sine wave! It’s as plain as the nose on your face.

And then some spoil-sport comes along and draws in a version of your sine wave at -65 Hz, and then another at 135 Hz. And then more at -165 Hz and 235 Hz or -265 Hz and 335 Hz. And then an arbitrary number of potential sine waves that fit the very same data, all spaced apart at positive and negative integer multiples of your 100 Hz sampling frequency. Soon, your very pretty picture is looking a bit more complicated than you’d bargained for, and you have no idea which of these frequencies generated your data. It seems hopeless! You go home in tears.

But then you realize that this phenomenon gives you super powers — the power to resolve frequencies that are significantly higher than your sampling frequency. Just as the 235 Hz wave leaves an apparent 35 Hz waveform in the data when sampled at 100 Hz, a 237 Hz signal will look like 37 Hz. You can tell them apart even though they’re well beyond your ability to sample that fast. You’re pulling in information from beyond the Nyquist limit!

This essential ambiguity in sampling — that all frequencies offset by an integer multiple of the sampling frequency produce the same data — is called “aliasing”. And understanding aliasing is the first step toward really understanding sampling, and that’s the first step into the big wide world of digital signal processing.

Whether aliasing corrupts your pristine data or provides you with super powers hinges on your understanding of the effect, and maybe some judicious pre-sampling filtering, so let’s get some knowledge.
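Here is the bookkeeping behind all of that, as an added Python example that is not part of the original article: `alias_frequency` folds any tone into the band a sampler actually reports, `aliases_of` lists the look-alikes spaced by the sampling frequency, `sample_sine` checks numerically that they really produce identical samples, and `unfold` recovers the candidates inside a band you already know the signal lives in. The 100 Hz, 35 Hz, 235 Hz and 237 Hz figures are the ones from the text; the band limits passed to `unfold` are constructed.

```python
"""Aliasing arithmetic: which frequencies share the same samples, and folding back."""
import math


def alias_frequency(f, fs):
    """Apparent frequency reported for a tone at f when sampled at fs.

    Folds f into the principal band [-fs/2, fs/2) by subtracting the nearest
    integer multiple of fs; a tone at exactly fs/2 folds to -fs/2.
    """
    k = math.floor(f / fs + 0.5)
    return f - k * fs


def aliases_of(f, fs, k_range=range(-3, 4)):
    """Frequencies f + k*fs, every one of which yields identical samples at rate fs."""
    return [f + k * fs for k in k_range]


def sample_sine(f, fs, n_samples, phase=0.0):
    """n_samples points of sin(2*pi*f*t + phase) taken at t = n/fs."""
    return [math.sin(2 * math.pi * f * n / fs + phase) for n in range(n_samples)]


def samples_match(a, b, tol=1e-9):
    """True when two sample sequences agree to within tol at every point."""
    return len(a) == len(b) and all(abs(x - y) < tol for x, y in zip(a, b))


def unfold(apparent, fs, band_lo, band_hi):
    """Candidate true frequencies in [band_lo, band_hi) for an observed alias.

    Both signs are tried: a real sine at -f is the same tone with inverted phase,
    so without phase information f and -f are indistinguishable as well. The
    answer is unique only when the band sits inside a single Nyquist zone
    (between consecutive multiples of fs/2), which is exactly what a
    pre-sampling band-pass filter buys you.
    """
    candidates = set()
    for sign in (1, -1):
        k = math.ceil((band_lo - sign * apparent) / fs)
        f = sign * apparent + k * fs
        while f < band_hi:
            candidates.add(f)
            f += fs
    return sorted(candidates)


if __name__ == "__main__":
    fs = 100
    print("35 Hz look-alikes at fs=100:", aliases_of(35, fs))
    for f in (235, 237, -65, 335):
        print(f"{f:5d} Hz samples like {alias_frequency(f, fs):4d} Hz")
    print("235 vs 35 identical:", samples_match(sample_sine(235, fs, 50), sample_sine(35, fs, 50)))
    print("apparent 37 Hz, known band 200-300:", unfold(37, fs, 200, 300))
    print("apparent 37 Hz, known band 200-250:", unfold(37, fs, 200, 250))
```

The last two lines are the whole story of undersampling: a 100 Hz wide band (one full `fs`) still leaves two candidates, 237 Hz and 263 Hz, while a band that stays within one Nyquist zone pins it to 237 Hz alone.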


Mood Lamp Also Warns Of Nuclear Catastrophe

[Michal Zalewski] has radiation on the brain. Why else would he gut a perfectly-horrible floor lamp, rebuild the entire thing with high-power RGB LEDs, and then drive it with a microcontroller that is connected up to a Geiger-Müller tube? Oh right, because it also looks very cool, and Geiger tubes are awesome.

If you’ve been putting off your own Geiger tube project, and we know you have, [Michal]’s detailed explanation of the driver circuit and building one from scratch should help get you off the couch. Since a Geiger tube needs 400 volts DC, some precautions are necessary here, and [Michal] builds a relatively safe inverter and also details a relatively safe way to test it.

The result is a nice piece of decor that simultaneously warns you of a nuclear disaster by flashing lights like crazy, or (hopefully) just makes a nice conversation piece. This is one of the cooler Geiger tube hacks we’ve seen since [Robert Hart] connected up eighteen Geiger tubes, used them to detect the direction of incoming cosmic rays, and then used that to compose random music (YouTube, embedded below).

[Michal] is also author of the most excellent Guerrilla Guide to CNC Machining and keeps good tabs on his background radiation.


Creepy Speaking Neural Networks

Tech artist [Alexander Reben] has shared some work in progress with us. It’s a neural network trained on various famous people’s speech (YouTube, embedded below). [Alexander]’s artistic goal is to capture the “soul” of a person’s voice, in much the same way as death masks of centuries past. Of course, listening to [Alexander]’s Rob Boss is no substitute for actually watching an old Bob Ross tape — indeed it never even manages to say “happy little trees” — but it is certainly recognizable as the man himself, and now we can generate an infinite amount of his patter.

Behind the scenes, he’s using WaveNet to train the networks. Basically, the algorithm splits up an audio stream into chunks and tries to predict the next chunk based on the previous state. Some pre-editing of the training audio data was necessary — removing the laughter and applause from the Colbert track for instance — but it was basically just plugged right in.

The network seems to over-emphasize sibilants; we’ve never heard Barack Obama hiss quite like that in real life. Feeding noise into machines that are set up as pattern-recognizers tends to push them to the limits. But in keeping with the name of this series of projects, the “unreasonable humanity of algorithms”, it does pretty well.

He’s also done the same thing with multiple speakers (also YouTube), in this case 110 people with different genders and accents. The variation across people leads to a smoother, more human sound, but it’s also not clearly anyone in particular. It’s meant to be continuously running out of a speaker inside a sculpture’s mouth. We’re a bit creeped out, in a good way.

We’ve covered some of [Alexander]’s work before, from the wince-inducing “Robot Bites Man” to the intellectual-conceptual “All Prior Art”. Keep it coming, [Alexander]!


Ask Hackaday: Frequency Hopping On The NRF24l01+?

We’ve seen a lot of hacks with the nRF24l01+ 2.4 GHz radio modules. The tiny chips pack a lot of bang for the buck. Since the radios can switch frequencies relatively quickly, [Shubham Paul] decided to take advantage of this feature to make a rudimentary frequency-hopping communications channel.

The code is actually incredibly simple. Both the transmitter and receiver simply scan up and down over the defined channels. Because the clock speeds of any given pair of Arduinos are likely to be slightly different, it’s not a surprise that the radios eventually drift out of sync. Right now, as a quickie solution, [Shubham] is using a serial-port resynchronization: both are connected to the same computer, and he just tells them to get on the same channel. That’s not a horribly satisfying workaround. (But it’s a great start!)

Keeping two radios that are continually swapping channels in sync is no easy task, but it could possibly be made easier by taking advantage of the nRF’s acknowledge mode. If the delay between a sent acknowledge message and a received one were constant, these events (one on TX and one on RX) could be used to re-sync the two hopping cycles. All of this would probably require more temporal resolution than you’re going to get out of a microprocessor running Arduino code, but should be possible using hardware timers. But this is pure speculation. We briefly looked around and couldn’t find any working demos.
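To put some numbers on the drift problem, here is an added Python simulation (not code from [Shubham]’s project, and the resync idea is the speculation above, modelled rather than tested on hardware). Two hop schedules run off their own clocks, one of them off by a constructed parts-per-million error; the simulation reports when they first land on different channels, what fraction of the time they agree with and without a periodic resync, and how often you would have to resync to keep the skew under a fraction of one dwell. The channel set, the 5 ms dwell time and the 1000 ppm drift are constructed values, and the resync is modelled as the receiver simply adopting the transmitter’s hop-clock reading, which is what a fixed-latency acknowledge exchange would have to deliver.

```python
"""Simulated channel-hopping pair with clock drift and periodic resynchronisation."""

CHANNELS = [2, 26, 50, 74, 98]   # constructed hop set; nRF24L01+ channels run 0-125
DWELL_MS = 5.0                   # constructed dwell time per channel


class Hopper:
    """One radio's hop schedule, driven by its own (possibly drifting) clock."""

    def __init__(self, drift_ppm=0.0, dwell_ms=DWELL_MS, channels=CHANNELS):
        self.rate = 1.0 + drift_ppm * 1e-6   # local ms elapsed per real ms
        self.dwell = dwell_ms
        self.channels = channels
        self.offset_ms = 0.0      # local clock reading adopted at the last resync
        self.sync_real_ms = 0.0   # real time of the last resync

    def local_time(self, real_ms):
        """This radio's own clock reading at a given real time."""
        return self.offset_ms + (real_ms - self.sync_real_ms) * self.rate

    def channel_at(self, real_ms):
        """Channel this radio believes it should be on at a given real time."""
        slot = int(self.local_time(real_ms) // self.dwell)
        return self.channels[slot % len(self.channels)]

    def resync(self, real_ms, reference_local_ms):
        """Adopt the peer's hop clock, as a fixed-latency ack exchange could allow."""
        self.offset_ms = reference_local_ms
        self.sync_real_ms = real_ms


def first_desync_ms(drift_ppm, max_ms=60_000):
    """Real milliseconds until the radios first sit on different channels (None if never)."""
    tx, rx = Hopper(0.0), Hopper(drift_ppm)
    for t in range(max_ms):
        if tx.channel_at(t) != rx.channel_at(t):
            return t
    return None


def in_sync_fraction(drift_ppm, resync_every_ms=None, total_ms=10_000):
    """Fraction of 1 ms ticks on which both radios share a channel, with optional resync."""
    tx, rx = Hopper(0.0), Hopper(drift_ppm)
    matched = 0
    for t in range(total_ms):
        if resync_every_ms and t and t % resync_every_ms == 0:
            rx.resync(t, tx.local_time(t))
        matched += tx.channel_at(t) == rx.channel_at(t)
    return matched / total_ms


def max_resync_interval_ms(drift_ppm, dwell_ms=DWELL_MS, guard_fraction=0.25):
    """How often to resync so accumulated drift stays under guard_fraction of one dwell."""
    return dwell_ms * guard_fraction / (drift_ppm * 1e-6)


if __name__ == "__main__":
    ppm = 1000   # constructed: 0.1 %, in the range of a ceramic resonator
    print("first desync at", first_desync_ms(ppm), "ms")
    print("in sync, no resync:   ", in_sync_fraction(ppm))
    print("in sync, resync/500ms:", in_sync_fraction(ppm, resync_every_ms=500))
    print("resync at least every", max_resync_interval_ms(ppm), "ms")
```

With a 5 ms dwell and 1000 ppm of drift the pair falls out of step after about a second, and resyncing every 500 ms keeps them aligned for the whole run; the guard-fraction calculation is the quick way to size that interval for your own dwell time and crystal once you know its tolerance.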

So Hackaday, how would you remotely sync two nRF24s on the cheap? Or is this a crazy idea? It might help to make transmissions more reliable in the face of 2.4 GHz band interference. Has anyone implemented their own frequency hopping scheme for the nRF24l01+?