
Hackaday Links: April 24, 2022

Wait, what? Is it possible that a tech company just killed off a product with a huge installed base of hardware and a community of dedicated users, and it wasn’t Google? Apparently not, if the stories of the sudden demise of Insteon are to be believed. The cloud-based home automation concern seems to have just disappeared — users report the service went offline at the end of last week, and hasn’t been back since. What’s more, the company’s executives removed Insteon from their LinkedIn profiles, and the CEO himself went so far as to remove his entire page from LinkedIn. The reasons behind the sudden disappearance remained a mystery until today, when The Register reported that Smartlabs, Inc., the parent company of Insteon, had become financially insolvent after an expected sale of the company failed in March. The fact that the company apparently knew this was going to happen weeks ago and never bothered to give the community a heads up before pulling the switches has led to a lot of hard feelings among the estimated 100,000 Insteon hub users.

Then again, with a comet the size of Rhode Island heading our way, a bunch of bricked smart bulbs might just be a moot point. The comet, known as C/2014 UN271, has a nucleus that is far larger than any previously discovered comet, which makes it a bit of an oddball and an exciting object to study. For those not familiar with the United States, Rhode Island is said to be a state wedged between Connecticut and Massachusetts, but even having lived in both those states, we couldn’t vouch for that. For scale, it’s about 80 miles (128 km) across, or a little bit bigger than Luxembourg, which we’re pretty sure is mythical, too. The comet is a couple of billion miles away at this point; it may never get closer than a billion miles from the Sun, and that in 2031. But given the way things have been going these last few years, we’re not banking on anything.

From the “Answering the Important Questions” file, news this week of the Massachusetts Institute of Technology’s breakthrough development of the “Oreometer,” a device to characterize the physical properties of Oreo cookies. The 3D printed device is capable of clamping onto the wafer parts of the popular sandwich cookie while applying axial torque. The yield strength of the tasty goop gluing the two wafers together can be analyzed, with particular emphasis on elucidating why it always seems to stay primarily on one wafer. Thoughtfully, the MIT folks made the Oreometer models available to one and all, so you can print one up and start your own line of cookie-related research. As a starting point, maybe take a look at the shear strength of the different flavors of Oreo, which might answer why the world needs Carrot Cake Oreos.

And finally, since we mentioned the word “skiving” last week in this space, it seems like the all-knowing algorithm has taken it upon itself to throw this fascinating look at bookbinding into our feed. We’re not complaining, mind you; the look inside Dublin’s J.E. Newman and Sons bookbinding shop, circa 1981, was worth every second of the 23-minute video. Absolutely everything was done by hand back then, and we’d imagine that very little has changed in the shop over the ensuing decades. The detail work is incredible, especially considering that very few jigs or fixtures are used to ensure that everything lines up. By the way, “skiving” in this case refers to the process of thinning out leather using a razor-sharp knife held on a bias to the material. It’s similar to the just-as-fascinating process used to make heat sinks that we happened upon last week.

2022 Sci-Fi Contest: CyberGlove Tests Your Reactions

Since the 1980s, we’ve seen innumerable attempts to revolutionize the way we interact with computers. Since the advent of keyboards and mice, we’ve seen everything from magic wands to electric gloves, with [Deemo Chen]’s project fitting into the latter category.

The build takes on a cyberpunk aesthetic, with addressable LEDs installed along each digit. The various digits light up randomly, and the wearer of the glove must tap a button on the corresponding digit in order to test their reaction times. An Arduino Uno runs the show, and keeps track of the score, displaying the results on an attached HD44780-compatible LCD.

The mess-o’-wires aesthetic, with bare electronics hanging off the glove, goes a long way to making this look like a proper bit of sci-fi kit. The lurid, colorful glow is a key part of this look, and something we’ve seen on many projects over the years.

Overall, the reaction trainer served as a great freshman project for [Deemo], along with their chums [Dhruv] and [Ryan]. Along the way, the team clearly picked up skills in microcontroller programming, as well as learning how to work with LCD displays and addressable LEDs. Master these skills and you can pull off some impressive feats. Video after the break.


The dash of Xiaomi Mi 1S scooter, with the top panel taken off and an USB-UART adapter connected to the dashboard, sniffing the firmware update process

Xiaomi Cryptographically Signs Scooter Firmware – What’s Next?

[Daljeet Nandha] from [RoboCoffee] writes to us, sharing his research on cryptographic signature-based firmware authenticity checks recently added to the Xiaomi Mi scooter firmware. Those scooters use an OTA firmware update mechanism over BLE, so you can update your scooter using nothing but a smartphone app – great because you can easily get all the good new features, but suboptimal because you can easily get all the bad new features. As an owner of a Mi 1S scooter but a hacker first and foremost, [Daljeet] set up a HTTPS proxy and captured the firmware files that the app downloaded from Xiaomi servers, dug into them, and summarized what he found.

Scooter app firmware update dialog, saying "New firmware update available. Update now?"
Confirming this update will indefinitely lock you out of any third-party OTA updates

Unlike many of the security measures we’ve seen lacking-by-design, this one secures the OTA firmware updates with what we would consider the industry standard – a SHA256 hash with elliptic curve cryptography-backed signing. As soon as the first firmware version implementing signature checks is flashed into your scooter, it won’t accept anything except further firmware binaries that come with Xiaomi’s digital signature. Unless a flaw is found in the signature checking implementation, the “flash a custom firmware with a smartphone app” route no longer seems to be a viable pathway for modding your scooter in ways Xiaomi doesn’t approve of.

Having disassembled the code currently available, [Daljeet] tells us about all of this – and more. In his extensive writeup, he shares scripts he used on his exploration journey, so that any sufficiently motivated hacker can follow in his footsteps, and we highly recommend you take a look at everything he’s shared. He also gives further insights, explaining some constraints of the OTA update process and pointing out a few security-related assumptions made by Xiaomi that are worth checking when looking for ways around the implemented security. Then, he points out the firmware filenames hinting that, in the future, the ESC (Electronic Speed Control, responsible for driving the motors) board firmware might be encrypted with the same kind of elliptic curve cryptography, and finds a few update hooks in the decompiled code that could enable exactly that in future firmware releases.

One could argue that these scooters are typically modified to remove speed limits, installed there because of legal limitations in a variety of countries. However, the legal speed limits are more nuanced than a hard upper boundary, and if the hardware is capable of doing 35km/h, you shouldn’t be at the mercy of Xiaomi to be able to use your scooter to its full extent where considerate. It would be fair to assert, however, that Xiaomi did this because they don’t want to have their reputation be anywhere near “maker of scooters that people can modify to break laws with”, and therefore we can’t expect them to be forthcoming.

Furthermore, of course, this heavily limits reuse and meaningful modification of the hardware we own. If you want to bring a retired pay-to-ride scooter back to usefulness, add Bluetooth, or even rebuild the scooter from the ground up, you should be able to do that. So, how do we get around such restrictions? Taking the lid off and figuring out a way to reflash the firmware through SWD using something like a Pi Pico, perhaps? We can’t wait to see what hackers figure out.

SSH Is Magic, But Tunnels Are Even Better

Once upon a time, I was doing on-site support for a hardware install at a hotel a few years ago. The remote tech’s remote desktop software didn’t want to play with my Linux laptop, so he couldn’t get into the switch he needed to configure, to make the install work. I asked if it had an SSH port he could use, were he in the room with me. Of course it did, but that didn’t do him much good. I ran a reverse SSH tunnel out to my public server, and pointed it at the switch on the local side. I convinced him to SSH to my server on the given port, and he was magically connected to his switch. He was literally in awe of that trick, and demanded to know how it could be done. SSH is magical, but tunneling traffic over SSH is straight-up wizardry. [Shawn Powers] agrees, and decided to help the rest of us understand the process.
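
The reverse tunnel from the anecdote above, sketched as an added example that is not from the original post or from [Shawn Powers]. It goes one step further than the story and checks the relay's `sshd_config`, since those settings decide whether a remote-forwarded port is reachable from outside at all. The host `relay.example.net`, the address `192.0.2.10`, port 2222, the account names and the `audit_relay` helper are all placeholders or hypothetical.

```shell
#!/bin/sh
# Added example: every name, address and port below is a placeholder.
#
# On-site laptop: ask the relay to listen on 2222 and carry connections
# back through this session to the SSH port of the switch.
#   ssh -N -R 0.0.0.0:2222:192.0.2.10:22 tunnel@relay.example.net
# Remote tech, from anywhere:
#   ssh -p 2222 admin@relay.example.net
#
# audit_relay reads an sshd_config on stdin and reports how the relay
# treats such remote forwards. Only the global section is read (parsing
# stops at the first Match block); sshd uses the first value of a keyword.
audit_relay() {
    awk '
        /^[ \t]*#/ || NF == 0 { next }
        tolower($1) == "match" { exit }
        {
            k = tolower($1)
            if (!(k in val)) val[k] = tolower($2)
        }
        END {
            # OpenSSH defaults when a keyword is absent
            gp  = ("gatewayports" in val) ? val["gatewayports"] : "no"
            fwd = ("allowtcpforwarding" in val) ? val["allowtcpforwarding"] : "yes"
            pl  = ("permitlisten" in val) ? val["permitlisten"] : "any"
            if (fwd == "no" || fwd == "local" || pl == "none")
                print "remote-forwarding=blocked"
            else if (gp == "no")
                print "remote-forwarding=loopback-only"
            else if (pl == "any")
                print "remote-forwarding=exposed-any-port"
            else
                print "remote-forwarding=exposed-restricted"
        }'
}

# Constructed sample configs (not taken from any real server).
sample_default() { printf '%s\n' 'Port 22' 'PasswordAuthentication no'; }
sample_relay() {
    printf '%s\n' '# constructed relay config' 'AllowTcpForwarding remote' \
        'GatewayPorts clientspecified' 'PermitListen 2222'
}

sample_default | audit_relay   # stock settings keep the listener on loopback
sample_relay | audit_relay     # relay that exposes only port 2222
```

With stock settings the forwarded port is bound to the relay's loopback interface, so the trick in the story only works for an outside caller when the relay sets `GatewayPorts`; pairing it with `PermitListen` keeps clients from opening arbitrary public listeners.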

DIY Laptop Stand: Why Stop At One When You Can Slot Three?

We make the tools we need, and that’s definitely the case with [Marco Schulte]’s laptop stand. It slots not one, not two, but three laptops at once.

For all their portability, multiple laptops can be a bit clunky to manage on a desk, so [Marco]’s solution definitely saves space while keeping things accessible. The laptop in the front can be open for use and easy access, while the two in the back are held vertically and can be attached to external monitors or other peripherals.

Not only does it save space, but the stand provides ample spots to anchor cable ties for securing the inevitable mess of wires and cables that dealing with three laptops brings. It makes for a tidier desk, that’s for sure.

The stand was designed in Fusion 360 and was cut from plywood with a CNC router. Does this design give you any ideas, or would you like to make one for yourself? The design files are here.

No access to a CNC router? No problem if you have glue and some spare boxes lying around! You might be surprised at how sturdy a few layers of cardboard and glue can be.

Can You Identify This Mystery Unicode Glyph?

For anyone old enough to have worked with the hell of multiple incompatible character sets, Unicode has been a liberation; a true One Character Set To Contain Them All. We have so many Unicode characters to play with that there’s a fascinating pursuit in itself in probing at the obscure corners of what can be rendered on screen as a Unicode glyph. With so many disparate character sets having been brought together to make the Unicode standard there are plenty of unusual characters to choose from, and it’s one of them that [Jonathan Chan] has examined in detail.

U+237C ⍼, or the right angle with downwards zigzag arrow, is a mysterious Unicode symbol with no known use and from an unknown origin. XKCD featured it as a spoof “Larry Potter”, but as [Jonathan]’s analysis shows it’s proving impossible to narrow down where it came from. Mystical cult symbol? Or perhaps fiscal growth in an economy in which time runs downwards? Either way, when its lineage has been traced into the early 1990s with no answer to the question it appears that there may be a story behind it.

Hackaday readers never cease to amaze us with the breadth of their knowledge, ingenuity, and experience, so we think it’s not impossible that among you there may be people who will turn and pull a dusty computer manual from the shelf to give us the story behind this elusive glyph. We’d love to hear in the comments below.

Meanwhile if Unicode sparks your interest, we’ve given it a close look in the past.

Thanks [Jonty] for the tip.

A FET Oscilloscope Probe For Higher Frequencies

It’s a problem that has dogged electronic engineers since the first electrons were coaxed along a wire: that measuring instruments can themselves disrupt the operation of a circuit. Older multimeters for example had impedances low enough to pull resistor values, thus our multimeters today have high-impedance FET inputs. [Christoph] faced it with his oscilloscope probe: its input capacitance was high enough to put unacceptable load on a crystal oscillator and stop it oscillating. He thus built a FET input probe for higher RF frequencies, and its construction is an accessible view of wideband RF instrumentation design.

The circuit is a very simple one using a dual-gate FET, but the interest comes in the PCB and screening can design to ensure good RF performance. Off-the-shelf cans have four sides, so to accommodate the circuit one wall of the can had to be removed. The end result is a tiny PCB with miniature co-ax connectors for power and signal, which when characterised was found to have a 1.3 GHz bandwidth and a very low input capacitance.

If the language of RF design is foreign to you, may we recommend [Michael Ossmann]’s talk at a Superconference a few years ago.