PS3 Controller

Get Better At Mortal Kombat By Hacking Your PS3 Controller

Fighting games like Mortal Kombat provide you with a variety of different available moves. These include kicks, punches, grabs, etc. They also normally include various combination moves you can perform. These combo moves require you to press the proper buttons in the correct order and also require you to time the presses correctly. [Egzola] realized that he could just hack his controller to simulate the button presses for him. This bypasses the learning curve and allows him to perform more complicated combinations with just the press of a single button.

[Egzola] started by taking apart his PlayStation 3 controller. There were two PCBs inside connected by a ribbon cable. Luckily, each individual pad for this cable was labeled with the corresponding controller button. This made it extremely simple to hack the controller. [Egzola] soldered his own wires to each of these pads. Each wire is a different color. The wires then go to two different connectors to make them easier to hook up to a breadboard.

Each wire is then broken out on the breadboard. The signal from each button is run through a 4N25 optoisolator. From there the signal makes its way back to various Arduino pins. The 4N25 chips keep the controller circuit isolated from the Arduino’s electrical circuit. The Arduino also has two push buttons connected to it. These buttons are mounted to the PS3 controller.

Now when [Egzola] presses one of the buttons, the Arduino senses the button press and simulates pressing the various controller buttons in a pre-programmed order. The result is a devastating combination move that would normally require practice and repetition to remember. You might say that [Egzola] could have spent his time just learning the moves, but that wasn’t really the point, was it? Check out the video below for a demonstration.

NES Controller

Turning A Classic NES Controller Into A Bluetooth Controller

[Pietronet] is like many of us in that he enjoys playing some classic console video games from time to time. He usually plays them on his PC using a Wiimote as a controller. The Wiimote has most of the classic buttons in a comfortable configuration. Plus, it’s got Bluetooth built-in, which makes it easy to pair up to your PC. [Pietronet] decided to take it a step further, though. He managed to cram all of the guts from a Wiimote inside of the original NES controller for a more authentic feel.

The first step was to crack open the Wiimote and locate pads for each button. Once they were located, [Pietronet] used a Dremel to cut the board into a smaller size. He cut off part of the circuit board that contained the directional pad as well as the connector for the nunchuck. Next he had to solder very thin wires to each of the button pads he located earlier.

The original NES controller has a very limited number of buttons, and [Pietronet] wanted to modify the original controller as little as possible. Therefore, he attached a magnetic reed switch to the Wiimote’s sync button. This way if he ever needs to sync the Wiimote to a new console, he can do it by holding a magnet in the right place. This is a function that isn’t often used, so the inconvenience should be negligible.

The next step was to connect the buttons from the original NES controller up to the wires that were added to the Wiimote. [Pietronet] left the original circuit board mostly intact. He did have to cut a small chunk of it away in order to make room for two AAA batteries, but this didn’t affect the functionality of the controller.

The inside of the NES controller had to be cleaned out of various standoffs and plastic bits to make room for all of the extra components. The Wiimote has an LED to indicate that the controller is connected properly. [Pietronet] soldered a red SMD LED in its place on the end of two thin wires. This LED was then placed on the bottom left side of the directional pad. It’s visible through a translucent filter. This allows [Pietronet] to see when the NES controller is synced up properly.

The case fits back together and everything is held in place. The result is what looks and feels like a classic NES controller, only this one has Bluetooth connectivity and a vibration motor. Check out the video demonstration below to get an idea of what it looks like in use.

Adjustable Desk

An Adjustable Sit/Stand Desk For Under $100

[Cornel Masson] is a 46-year-old computer programmer. He’s been working on his computer for the last 30 years. Computer work can be good for the wallet but it can be bad for our health, particularly the neck and back. You can purchase adjustable desks to allow you to change positions from sitting to standing, but unfortunately these desks are often expensive. [Cornel] took matters into his own hands and built his own adjustable riser for under $100.

To start, [Cornel] used a typical computer desk. He didn’t want to build the entire thing from scratch. Instead he focused on building a riser that sits on top of the desk, allowing him to change the height of both the monitor and keyboard. His design used mostly wood, aluminum stock, threaded rods, and drawer slides.

The main component is the monitor stand and riser. The riser is able to slide up and down thanks to four drawer slides mounted vertically. [Cornel] wanted his monitor to move up and down with ease, which meant he needed some kind of counterweight. He ended up using a gas strut from the trunk of a Nissan, which acts as a sort of spring. The way in which it is mounted makes for a very close approximation of his monitor’s weight. The result is a monitor that can be raised or lowered very easily. The stand also includes a locking mechanism to keep it secured in the top position.

The keyboard stand is also mounted to drawer slides, only these are in the horizontal position. When the monitor is lowered for sitting, the keyboard tray is removed from the keyboard stand. The stand can then be pushed backwards, overlapping the monitor stand and taking up much less space. The keyboard stand has small rollers underneath to help with the sliding. The video below contains a slideshow of images that do a great job explaining how it all works.

Of course, if replacing the entire desk is an option, go nuts.


Inventory Report

Security Problems With Gas Station Automated Tank Gauges

[HD Moore] recently posted an article on Rapid 7’s blog about an interesting security problem. They’ve been doing some research into the security of automated tank gauges (ATGs). These devices are used at gas stations and perform various functions including monitoring fuel levels, tracking deliveries, or raising alarms. [Moore] says that ATGs are used at nearly every fueling station in the United States, but they are also used internationally. It turns out these things are often not secured properly.

Many ATGs have a built-in serial port for programming and monitoring. Some systems also have a TCP/IP card, or even a serial to TCP/IP adapter. These cards allow technicians to monitor the system remotely. The most common TCP port used in these systems is port 10001. Some of these systems have the ability to be password protected, but Rapid 7’s findings indicate that many of them are left wide open.

The vulnerability was initially reported to Rapid 7 by [Jack Chadowitz]. He discovered the problem due to his work within the industry and developed his own web portal to help people test their own systems. [Jack] approached Rapid 7 for assistance in investigating the issue on a much larger scale.

Rapid 7 then scanned every IPv4 address looking for systems with an open port 10001. Each live system discovered was then sent a “Get In-Tank Inventory Report” request. Any system vulnerable to attack would respond with the station name, address, number of tanks, and fuel types. The scan found approximately 5,800 systems online with no password set. Over 5,300 of these stations are in the United States.

Rapid 7 believes that attackers may be able to perform actions such as reconfiguring alarm thresholds, resetting the system, or otherwise disrupting operation of the fuel tank. An attacker might be able to simulate false conditions that would shut down the fuel tank, making it unavailable for use. Rapid 7 does not believe this vulnerability is actively being exploited in the wild, but they caution that it would be difficult to tell the difference between an attack and a system failure. They recommend companies hide their systems behind a VPN for an additional layer of security.
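Since an attack and a system failure look alike on the gauge itself, the place to tell them apart is the network edge: if the ATG is supposed to be reachable only through the VPN, any allowed connection to port 10001 from elsewhere is worth an alert. The following is an added example, not code from the article or from Rapid 7, run over constructed firewall log lines; the log format and the trusted ranges (a site LAN and a VPN address pool) are assumptions.

```go
package main

import (
	"bufio"
	"net"
	"strings"
)

// ATGPort is the TCP port the Rapid 7 scan targeted.
const ATGPort = "10001"

// sampleLog is constructed for this example (not data from the article).
// Format per line: "<time> <src> <dst> <dport> <action>".
const sampleLog = `2015-01-22T10:01:03Z 10.20.0.5 10.20.0.50 10001 ALLOW
2015-01-22T10:02:11Z 203.0.113.77 10.20.0.50 10001 ALLOW
2015-01-22T10:02:40Z 198.51.100.9 10.20.0.50 22 DENY
2015-01-22T10:03:07Z 100.64.3.9 10.20.0.50 10001 ALLOW
2015-01-22T10:04:55Z 192.0.2.14 10.20.0.50 10001 ALLOW`

// Finding is one allowed ATG-port connection from outside the trusted ranges.
type Finding struct {
	Time, Src, Dst string
}

// FlagExternalATGAccess returns every allowed connection to the ATG port whose
// source is not inside one of the allowed CIDR ranges (assumed here to be the
// site LAN plus the VPN address pool). Denied connections and other ports are
// ignored: the point is to catch the gauge being reached without the VPN.
func FlagExternalATGAccess(logText string, allowedCIDRs []string) ([]Finding, error) {
	var allowed []*net.IPNet
	for _, c := range allowedCIDRs {
		_, n, err := net.ParseCIDR(c)
		if err != nil {
			return nil, err
		}
		allowed = append(allowed, n)
	}
	var findings []Finding
	sc := bufio.NewScanner(strings.NewReader(logText))
	for sc.Scan() {
		f := strings.Fields(sc.Text())
		if len(f) < 5 || f[3] != ATGPort || f[4] != "ALLOW" {
			continue
		}
		src := net.ParseIP(f[1])
		if src == nil {
			continue // malformed address; a real collector would count these too
		}
		trusted := false
		for _, n := range allowed {
			if n.Contains(src) {
				trusted = true
				break
			}
		}
		if !trusted {
			findings = append(findings, Finding{Time: f[0], Src: f[1], Dst: f[2]})
		}
	}
	return findings, sc.Err()
}
```

On the sample above only the two connections from public addresses are reported; the LAN and VPN-pool sources and the denied SSH attempt are not.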

[Thanks Ellery]

Mario Hack

Reprogramming Super Mario World From Inside The Game

[SethBling] recently set a world record speed run of the classic Super Nintendo game Super Mario World on the original SNES hardware. He managed to beat the game in five minutes and 59.6 seconds. How is this possible? He actually reprogrammed the game by moving specific objects to very specific places and then executing a glitch. This method of beating the game was originally discovered by Twitch user [Jeffw356] but it was performed on an emulator. [SethBling] was able to prove that this “credits warp” glitch works on the original hardware.

If you watch the video below, you’ll see [SethBling] visit one of the first available levels in the game. He then proceeds to move certain objects in the game to very specific places. What he’s doing here is manipulating the game’s X coordinate table for the sprites. By moving objects to specific places, he’s manipulating a section of the game’s memory to hold specific values and a specific order. It’s a meticulous process that likely took a lot of practice to get right.

Once the table was set up properly, [SethBling] needed a way to get the SNES to execute the X table as CPU instructions. In Super Mario World, there are special items that Mario can obtain that act as a power up. For example, the mushroom will make him grow in size. Each sprite in the game has a flag to tell the SNES that the item is able to act as a power up. Mario can either collect the power up by himself, or he can use his friendly dinosaur Yoshi to eat the power up, which will also apply the item’s effects to Mario.

The next part of the speed run involves something called the item swap glitch. In the game, Mario can collect coins himself, or Yoshi can also collect them by eating them. A glitch exists where Yoshi can start eating a coin, but Mario jumps off of Yoshi and collects the coin himself simultaneously. The result is that the game knows there is something inside of Yoshi’s mouth but it doesn’t know what. So Yoshi ends up holding an empty sprite with no properties. The game just knows that it’s whatever sprite is in sprite slot X.

Now comes the actual item swap. There is an enemy in the game called Chargin’ Chuck. This sprite happens to have the flag set as though it’s a power up. Normally this doesn’t matter because it also has a set flag to tell the game that it cannot be eaten by Yoshi. Also, Chuck is an enemy, so it actually hurts Mario rather than acting as a power up. So under normal circumstances, this sprite will never actually act as a power up. The developers never programmed the game to properly handle this scenario, because it was supposed to be impossible.

If the coin glitch is performed in a specific location within the level, a Chargin’ Chuck will spawn just after the coin is collected. When the Chuck spawns, it will take that empty sprite slot and suddenly the game believes that Yoshi is holding the Chuck in his mouth. This triggers the power up condition, which as we already know was never programmed into the game. The code ends up jumping to an area of memory that doesn’t contain normal game instructions.

The result of all of this manipulation and glitching is that all of the values in the sprite X coordinate table are executed as CPU instructions. [SethBling] set up this table to hold values that tell the game to jump to the end credits. The console executes them and does as commanded, and the game is over just a few minutes after it began. The video below shows the speed run but doesn’t get too far into the technical details; you can read more about it here.
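The security lesson in the credits warp is an old one: a state the designers considered impossible reaches a handler that trusts it, and the handler's table lookup runs off the end into data the player controls. The model below is an added example written for this page; it is not Super Mario World's code, and its sprite IDs, flags, memory layout and "opcodes" are all constructed. The same handler is shown with and without the validation that would have stopped the glitch.

```go
package main

import "errors"

// Game memory is one flat byte array: the power-up dispatch table is immediately
// followed by the sprite X-coordinate table, whose contents the player controls
// by where objects are left in the level. (Constructed layout, not SMW's.)
const (
	FlagPowerUp = 1 << 0 // applies a power-up when collected or eaten
	FlagEatable = 1 << 1 // Yoshi is allowed to eat this sprite
)

// Sprite IDs double as the index into the dispatch table, which only has
// entries for the NumHandled kinds the designers expected Yoshi to swallow.
const (
	SprMushroom = iota
	SprCoin
	SprChuck   // Chargin' Chuck: flagged as a power-up but not eatable
	NumHandled = 1
)

var spriteFlags = [...]byte{
	SprMushroom: FlagPowerUp | FlagEatable,
	SprCoin:     FlagEatable,
	SprChuck:    FlagPowerUp,
}

// Bytes the model CPU understands when it jumps to them; anything else crashes.
const OpGrow, OpCredits byte = 0x01, 0x7E

var ops = map[byte]string{OpGrow: "grow", OpCredits: "credits"}

var ErrImpossibleState = errors.New("sprite in Yoshi's mouth cannot be there")

type Game struct {
	Mem   [8]byte // Mem[:NumHandled] dispatch table, Mem[NumHandled:] X table
	Mouth int     // sprite ID Yoshi holds; the item-swap glitch puts SprChuck here
}

func Execute(op byte) (string, error) {
	if name, ok := ops[op]; ok {
		return name, nil
	}
	return "", errors.New("crash: not an instruction")
}

// Swallow resolves the power-up for the sprite in Yoshi's mouth. Unchecked, it
// behaves like the original: Chuck's ID indexes past the dispatch table into
// the X table, so a player-chosen coordinate is executed as code. Checked, the
// handler re-validates the state that was assumed never to occur.
func (g *Game) Swallow(checked bool) (string, error) {
	id := g.Mouth
	if id >= len(spriteFlags) || spriteFlags[id]&FlagPowerUp == 0 {
		return "nothing", nil
	}
	if checked && (spriteFlags[id]&FlagEatable == 0 || id >= NumHandled) {
		return "", ErrImpossibleState
	}
	return Execute(g.Mem[id])
}
```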

This isn’t the first time we’ve seen this type of hack. Speed runs have been performed on Pokemon with very similar techniques. Another hacker managed to program and execute a version of single player pong all from within Pokemon Blue. We can’t wait to see what these game hackers come up with next.

Tetris

Arduino Tetris On A Multiplexed LED Matrix

[Alex] needed a project for his microcomputer circuits class. He wanted something that would challenge him on both the electronics side of things, as well as the programming side. He ended up designing an 8 by 16 grid of LEDs that was turned into a game of Tetris.

He arranged all 128 LEDs into the grid on a piece of perfboard. All of the anodes were bent over and connected together into rows of 8 LEDs. The cathodes were bent perpendicularly and form columns of 16 LEDs. This way, if power is applied to one row and a single column is grounded, one LED will light up at the intersection. This method only works reliably to light up a single LED at a time. With that in mind, [Alex] needed to have a very high “refresh rate” for his display. He only ever lights up one LED at a time, but he scans through the 128 LEDs so fast that persistence of vision prevents you from noticing. To the human eye, it looks like multiple LEDs are lit up simultaneously.

[Alex] planned to use an Arduino to control this display, but it doesn’t have enough outputs on its own to control all of those lights. He ended up using multiple 74138 decoder/multiplexer ICs to control the LEDs. Since the columns have inverted outputs, he couldn’t just hook them straight up to the LEDs. Instead he had to run the signals through a set of PNP transistors to flip the logic. This setup allowed [Alex] to control all 128 LEDs with just seven bits, but it was too slow for him.

His solution was to control the multiplexers with counter ICs. The Arduino can just increment the counter up to the appropriate LED. The Arduino then controls the state of the LED using the active high enable line from the column multiplexer chip.

[Alex] wanted more than just a static image to show off on his new display, so he programmed in a version of Tetris. The controller is just a piece of perfboard with four push buttons. He had to work out all of the programming to ensure the game ran smoothly while properly updating the screen and simultaneously reading the controller for new input. All of this ran on the Arduino.

Can’t get enough Tetris hacks? Try these on for size.

Zubie

Remotely Controlling Automobiles Via Insecure Dongles

Automobiles are getting smarter and smarter. Nowadays many vehicles run on a mostly drive-by-wire system, meaning that a majority of the controls are electronically controlled. We’re not just talking about the window or seat adjustment controls, but also the instrument cluster, steering, brakes, and accelerator. These systems can make the driving experience better, but they also introduce an interesting avenue of attack. If the entire car is controlled by a computer, then what if an attacker were to gain control of that computer? You may think that’s nothing to worry about, because an attacker would have no way to remotely access your vehicle’s computer system. It turns out this isn’t so hard after all. Two recent research projects have shown that some OBD-II dongles are very susceptible to attack.

The first was an attack on a device called Zubie. Zubie is a dongle that you can purchase to plug into your vehicle’s OBD-II diagnostic port. The device can monitor sensor data from your vehicle and then perform logging and reporting back to your smart phone. It also includes a built-in GPRS modem to connect back to the Zubie cloud. One of the first things the Argus Security research team noticed when dissecting the Zubie was that it included what appeared to be a diagnostic port inside the OBD-II connector.

Online documentation showed the researchers that this was a +2.8V UART serial port. They were able to communicate over this port with a computer with minimal effort. Once connected, they were presented with an AT command interface with no authentication. Next, the team decompiled all of the Python .pyo files to get the original scripts. After reading through these, they were able to reverse engineer the communication protocols used between the Zubie and the cloud. One particularly interesting finding was that the device was open for firmware updates every time it checked in with the cloud.

The team then set up a rogue cellular tower to perform a man in the middle attack against the Zubie. This allowed them to control the DNS address associated with the Zubie cloud. The Zubie then connected to the team’s own server and downloaded a fake update crafted by the research team. This acted as a trojan horse, which allowed the team to control various aspects of the vehicle remotely via the cellular connection. Functions included tracking the vehicle’s location, unlocking the doors, and manipulating the instrument cluster. All of this can be done from anywhere in the world as long as the vehicle has a cellular signal.

A separate but similar project was also recently discussed by [Corey Thuen] at the S4x15 security conference. He didn’t attack the Zubie, but it was a similar device. If you are a Progressive insurance customer, you may know that the company offers a device that monitors your driving habits via the OBD-II port called SnapShot. In exchange for you providing this data, the company may offer you lower rates. This device also has a cellular modem to upload data back to Progressive.

After some research, [Thuen] found that there were multiple security flaws in Progressive’s tracker. For one, the firmware is neither signed nor validated. On top of that, the system does not authenticate to the cellular network, or even encrypt its Internet traffic. This leaves the system wide open for a man in the middle attack. In fact, [Thuen] mentions that the system can be hacked by using a rogue cellular radio tower, just like the researchers did with the Zubie. [Thuen] didn’t take his research this far, but he likely doesn’t have to in order to prove his point.
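Both dongles fail for the same reason: the device accepts whatever image the "cloud" hands it, so controlling DNS or the cell tower is enough to install a trojan. What closes that hole, whether or not the network is trusted, is the device verifying a vendor signature and refusing rollbacks before it touches the update. The code below is an added example with a constructed image format; it is not Zubie's, Progressive's or SnapShot's update mechanism, and the header fields and Ed25519 choice are assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Constructed update layout: "FWUP" | uint32 version | uint32 payload length |
// payload | Ed25519 signature over everything before it. The device ships with
// the vendor's public key only; the private key never leaves the build server.
const (
	magic   = "FWUP"
	hdrSize = 12
)

var ErrRejected = errors.New("firmware update rejected")

// BuildUpdate is the vendor side: sign header and payload together so a man in
// the middle cannot splice a signed header onto a different payload.
func BuildUpdate(priv ed25519.PrivateKey, version uint32, payload []byte) []byte {
	img := make([]byte, hdrSize, hdrSize+len(payload)+ed25519.SignatureSize)
	copy(img, magic)
	binary.BigEndian.PutUint32(img[4:], version)
	binary.BigEndian.PutUint32(img[8:], uint32(len(payload)))
	img = append(img, payload...)
	return append(img, ed25519.Sign(priv, img)...)
}

// VerifyUpdate is the device side: the signature is checked before any header
// field is trusted, and the version must be newer than what is installed so an
// old but validly signed (and vulnerable) image cannot be replayed.
func VerifyUpdate(pub ed25519.PublicKey, installed uint32, img []byte) (uint32, []byte, error) {
	if len(img) < hdrSize+ed25519.SignatureSize || string(img[:4]) != magic {
		return 0, nil, ErrRejected
	}
	sigAt := len(img) - ed25519.SignatureSize
	body, sig := img[:sigAt], img[sigAt:]
	if !ed25519.Verify(pub, body, sig) {
		return 0, nil, ErrRejected // unsigned, tampered, or signed with another key
	}
	version := binary.BigEndian.Uint32(body[4:])
	if n := binary.BigEndian.Uint32(body[8:]); int(n) != len(body)-hdrSize {
		return 0, nil, ErrRejected
	}
	if version <= installed {
		return 0, nil, ErrRejected // rollback attempt
	}
	return version, body[hdrSize:], nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	good := BuildUpdate(priv, 2, []byte("constructed firmware payload"))
	v, _, err := VerifyUpdate(pub, 1, good)
	fmt.Println("vendor image: version", v, "err", err)
	rogue := append([]byte(nil), good...)
	rogue[hdrSize] ^= 0xFF // a rogue tower alters one payload byte in transit
	_, _, err = VerifyUpdate(pub, 1, rogue)
	fmt.Println("tampered image: err", err)
}
```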

The first research team provided their findings to Zubie who have supposedly fixed some of the issues. Progressive has made a statement that they hadn’t heard anything from [Thuen], but they would be happy to listen to his findings. There are far more devices on the market that perform these same functions. These are just two examples that have very similar security flaws. With that in mind, it’s very likely that others have similar issues as well. Hopefully with findings like this made public, these companies will start to take security more seriously before it turns into a big problem.

[Thanks Ellery]