Running Custom Code On Cheap One-time Password Tokens

One-time passwords (OTP) are often used in America but not so much in Europe. For our unfamiliar readers, OTP tokens like the one shown above generate passwords that are only valid for one login session or transaction, making them invulnerable to replay attacks. [Dmitry] disassembled one eToken (Aladdin PASS) he had lying around and managed to reprogram it for his own needs.

Obviously, these kinds of devices don’t come with their schematics and layout files, so [Dmitry] had to do some reverse engineering. He discovered six holes in a 3×2 arrangement on the PCB, so he figured that they must be used to reprogram the device. However, [Dmitry] also had to find out which microcontroller was present on the board, as its only markings were “HA4450” with a Microchip logo. By cross-referencing the number of pins, package and peripherals in Microchip’s parametric search tool, he deduced it was a PIC16F913. From there, it was just a matter of time until he could display what he wanted on the LCD.

We love seeing tiny consumer hardware hacked like this. Most recently we’ve been enthralled by the Transcend Wi-Fi SD card hacking, which was also one of [Dmitry’s] hacks.

Reverse Engineering A D-Link Backdoor

Here’s one true hack (Google cache link) for our dear Hackaday readers. On a Saturday night, as [Craig] didn’t have anything else to do, he decided to download the firmware of an old D-Link DIR-100 router (because who wouldn’t?). His goal was to see what interesting things he could find in it. He fired up binwalk to extract the SquashFS file system, then opened the router’s webserver binary in the multi-processor disassembler/debugger IDA. [Craig] discovered that the webserver is actually a modified version of thttpd, providing the administrative interface for the router. As you can see in the picture above, it seems Alphanetworks (a spin-off of D-Link) performed the modifications.

Luckily for [Craig], the guys at Alphanetworks were kind enough to prepend many of their custom function names with the string “alpha”. Looking at the disassembly of the HTTP identification functions revealed that a backdoor is implemented in the firmware. If a malicious user has the string “xmlset_roodkcableoj28840ybtide” as his browser user agent, no authentication is required to gain access to the router. One of the comments on the reddit thread points out that reading that string backwards results in: “edit by (04882) joel backdoor”.
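As an added example (not from the original post or from [Craig]’s write-up), the following scans web access logs for requests carrying the user agent string quoted above. It assumes that traffic to the router’s admin interface is recorded in Combined Log Format, for instance by a proxy in front of it; the log lines, paths and addresses are constructed.

```python
import re
from collections import defaultdict

BACKDOOR_UA = "xmlset_roodkcableoj28840ybtide"  # string quoted in the article

# Combined Log Format: ip ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample lines (documentation address ranges), not real traffic.
SAMPLE_LOG = """\
192.0.2.10 - admin [12/Oct/2013:21:04:11 +0000] "GET /admin/status HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64)"
198.51.100.7 - - [12/Oct/2013:21:05:02 +0000] "GET /admin/settings HTTP/1.1" 200 7340 "-" "xmlset_roodkcableoj28840ybtide"
198.51.100.7 - - [12/Oct/2013:21:05:09 +0000] "POST /admin/apply HTTP/1.1" 200 212 "-" "xmlset_roodkcableoj28840ybtide"
203.0.113.44 - - [12/Oct/2013:21:06:30 +0000] "GET / HTTP/1.1" 401 0 "-" "curl/7.32.0 xmlset_roodkcableoj28840ybtide"
this line is truncated or malformed
"""

def find_backdoor_requests(log_text):
    """Return (hits, unparsed): hits maps source IP -> findings, unparsed lists bad line numbers."""
    hits = defaultdict(list)
    unparsed = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        m = LOG_RE.match(line)
        if m is None:
            # Keep malformed lines for manual review instead of silently dropping them.
            if line.strip():
                unparsed.append(lineno)
            continue
        if BACKDOOR_UA not in m["ua"]:
            continue
        hits[m["ip"]].append({
            "line": lineno,
            "request": m["req"],
            "status": int(m["status"]),
            # Exact match is the condition the article describes; substring hits are likely probes.
            "exact": m["ua"].strip() == BACKDOOR_UA,
            # A 2xx answer with no logged user means the request got in without credentials.
            "unauthenticated_success": m["user"] == "-" and m["status"].startswith("2"),
        })
    return dict(hits), unparsed

if __name__ == "__main__":
    hits, unparsed = find_backdoor_requests(SAMPLE_LOG)
    for ip, findings in hits.items():
        print(ip, findings)
    print("unparsed lines:", unparsed)
```

Findings with both `exact` and `unauthenticated_success` set are the ones to triage first; the same string can also be used as a match pattern in an IDS or proxy rule.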

CNC Software Toolchain Using Only Open Source Software

For hobbyists, there are two types of machines that can make parts at home. The first type is matter-adding machines (3D printers) and the other is matter-subtracting machines (like CNC milling machines). [Mario] recently tipped us off about an article he wrote detailing which free software can be used to design and produce parts on CNC machines.

The first step of the process is obviously designing the part you want to make using a Computer-Aided Design (CAD) application. [Mario] suggests Heeks or FreeCAD, for which you can find plenty of tutorials on YouTube. The next step consists of converting the part you just designed to machine tool paths using a Computer-Aided Manufacturing (CAM) application. Fortunately, Heeks can do both, so it may be the best option for beginners. [Mario] also mentions the pcb2gcode application, which allows you to manufacture printed circuit boards at home for the prototypes you may want to produce. Finally, the well-known LinuxCNC (previously Linux EMC2) software is used to control the CNC machine using the GCode that the CAM software produced.

At Hackaday, we’d really like to know what our readers currently use for their CNCs, so don’t hesitate to leave us a comment below.

A Homemade 48cc V8 Engine With Injection

A few months ago we mentioned [Keith]’s first project in the works, a 1/4 scale V8 engine. Today, we are amazed to see that his engine is finished and running really smoothly. What is even more impressive is that the entire project has been completed on manual mills and lathes. The thread on the Home Model Engine Machinist forum contains his build log in which he details how all the different parts were made. The engine has an electric starter, uses a fuel injection system and [Keith] even made his own injection molds for several plastic parts. The ECU is based on the Megasquirt-II; we guess it must have taken [Keith] many tries before correctly setting its parameters. A video of the engine in action can be viewed after the break.

You can find our previous coverage of this project as well as other miniature engines on this feature from last April.


SDRAM Controller For Low-end FPGAs

There are very few ‘recent’ FPGAs out there that can be easily soldered. Due to their large number of I/Os, they usually come in Ball Grid Array (BGA) packages. The Xilinx Spartan 6 LX9, a TQFP144 FPGA (having pins with a 0.5mm pitch), is one of the few exceptions that can be used to make low-end development boards. However, it doesn’t have a lot of logic and memory resources or an on-chip Memory Control Block implemented in the silicon. Therefore, [Michael] designed an SDRAM controller with a small footprint for it.

Writing an SDRAM controller from scratch isn’t for the fainthearted – first of all you really have to know how SDRAM works (RAS, CAS, precharges, refresh cycles), and because of the high speed and accurate timing required you also have to learn some of the finer points of FPGA off-chip interfacing. In addition, most publicly available open cores are very complex – for example just the RTL core of the sdr_ctrl controller on opencores.org adds up to over 2,700 lines of Verilog. Even if it is not an accurate comparison metric, [Michael]’s controller is only 500 lines long.

Making A Core Rope Read-only Memory

[Kos] tipped us off about an article he wrote presenting his experiences in designing and implementing a core rope memory. This magnetic read-only memory (ROM), contrary to ordinary coincident-current magnetic core memories (used for RAM), uses the ferrite cores as transformers. If you look at the picture above, you’ll count 7 of them. This sets the memory word size (7 bits). A new word is added to the memory by passing (or not) a wire through the ferrite holes. If you then pass an alternating current through this wire, a current will be induced (or not) in the other wire turned 30 times around the ferrite (alias transformer secondary).

In [Kos]’s setup, an input pulse of 5V generates output pulses of 15V. For demonstration purposes, he “wrote” a simple program that lights up digits in a seven segment display. Therefore, different numbers will light up depending on which wire he uses to pass the AC current.

These days core memory hacks are few and far between. But looking at this one, and the one we saw in August, makes us want more. If you know of any others, don’t hesitate to send us a tip.

Troll Physics: 3 LEDs Powered By Hand

[Henryk] just sent us his latest episode of simple LED circuit puzzles. In front of the camera he solders one pin of each of the 3 LEDs to a different switch. He then puts the three assemblies in his hand and flips each switch to make the corresponding LED come on. We look forward to your explanations in the comments.

You may remember two other videos that [Henryk] made (also embedded after the break). The first video was a simple circuit with a resistor, three switches, and three LEDs in series. When a battery was connected, the LEDs were somehow switched on one at a time. The second video featured the same resistor/switches/LEDs, this time in a parallel circuit. Turning on the first switch made the first LED light up, and the second switch made the second LED light up.

Here are the few other troll physics projects we featured: the original LED circuits post, the super deluxe edition and the amazing solution to the trickery.
