A New Javascript Runtime Fresh Out Of The Oven

A sizable portion of the Hackaday audience groans and rolls their eyes when some new-fangled Javascript thing comes out. So what makes Bun different? Bun is a runtime (like Node or Deno) that offers a performant all-in-one approach. Much to the Spice Girls’ delight, it is written in Zig. It offers bundling, transpiling, module resolution, and a fantastic foreign-function interface.

Node.js and Deno run on the V8 Javascript engine and provide the Node-API to access different features, such as filesystems, that don’t apply to web browsers. However, vast amounts of tooling have built up around Node.js and NPM (node package manager). Many Javascript projects have a bundling and transpiling step that takes the source and packages it together in a more standard format. Typescript needs to be packaged into javascript, and modules need to be resolved.

A tiny TV playing Super Mario All-Stars

The SF1 Mini Is A Homebrew Version Of An Obscure Nintendo Console

The Super NES is arguably the best known console of the 16-bit era. It typically came in the form of a grey box with either grey or purple buttons, and an angular or streamlined design, depending on whether you lived in North America, Europe or Asia. Compact and mini versions followed later, but there were also a few lesser-known models released during the SNES’s heyday in the early 1990s. One of these was the Sharp SF1: a CRT television with a built-in Super Nintendo. The cartridge slot was located at the top, with the controllers connecting at the front. The internal video connection even provided better image quality than a typical SNES setup.

Some light soldering required.

The SF1 was never sold outside Japan and is quite rare nowadays. But even if you can find one, the bulky CRT will take up a lot of space in your home. [Limone] therefore decided to build himself a smaller replica instead. His “SF1 mini” comes in a 3D printed case that holds a 5.5″ TFT screen, stereo speakers, and connections for game paks and game pads.

Thankfully, [Limone] didn’t sacrifice an original SNES to make this project: instead, he used a DIY Super Nintendo kit developed by a company called Columbus Circle. This kit contains a modern replica of a SNES motherboard and is intended for custom builds like this. However, the layout of the motherboard didn’t match [Limone]’s intended design, so he desoldered several components and re-attached them using a huge web of magnet wire. An RGB-to-HDMI converter connects the SNES’s video output to the TFT screen and provides for remarkably sharp graphics.

[Limone] explains the build process in detail in the video embedded below (in Korean, with English subs available). We’ve seen a couple of neat SNES replicas, some small and some particularly tiny, but this has to be the first SF1 replica.

Ceramic stove (credit: Felix Reimann)

Same Taste With Less Energy: Optimizing The Way We Cook Food

Preparing food is the fourth most energy-intensive activity in a household. While there has been a lot of effort on the first three — space heating, water heating, and electrical appliances — most houses still use stoves and ovens that are not too dissimilar to those from half a century ago.

More recent technologies that make cooking more efficient and pleasant have been developed, such as induction heating. Other well-known and common appliances are secretly power savers: microwaves and electric kettles. In addition, pressure cookers enable the shortening of cooking times, and for those who like dishes that take hours to simmer, vacuum-insulated pans can be a real energy-saver.

Hackaday Podcast 176: Freezing Warm Water, Hacking Lenses, Hearing Data, And Watching YouTube On A PET

It’s podcast time again, and this week Editor-in-Chief Elliot Williams sat down with Staff Writer Dan Maloney to review the best hacks on the planet, and a few from off. We’ll find out how best to capture lightning, debate the merits of freezing water — or ice cream — when it’s warm, and see if we can find out what R2D2 was really talking about with all those bleeps and bloops. Once we decode that, it’ll be time to find out what Tom Nardi was up to while the boss was away with his hidden message in episode 174, and how analog-encoded digital data survives the podcast production and publication chain. But surely you can’t watch a YouTube video on a Commodore PET, can you? As it turns out, that’s not a problem, and neither apparently is 3D printing a new ear.

The meat of Elliot’s “super secret mastering script”?  Use it on your videos too!

ffmpeg -i $infile.wav -c:v copy -af loudnorm=I=-17:LRA=5:tp=-1.5 -ar 44100 $outfile.flac

Direct download, record it to tape, and play it on your boombox.

Check out the links below if you want to follow along, and as always, tell us what you think about this episode in the comments!

The OpenMV board inside a security camera shell on the left, an AprilTag on smartphone's screen on the right

Use AprilTags To Let Guests Open Your Front Gate

[Herb Peyerl] is part of a robotics team, and in his robotics endeavours, learned about AprilTags: small QR-code-like printable patterns that are easily recognizable by even primitive machine vision. Later on, when thinking about good ways to let his guests through his property’s front gate, the AprilTags turned out to be a wonderful solution. Now all he needs to do is send his guest a picture of the appropriate AprilTag, which they can present to the camera at his front gate using their smartphone.

He used an OpenMV board for this – thanks to its wide variety of available libraries, the AprilTag recognition is already baked in, and the entire script is merely a hundred lines of MicroPython. An old surveillance camera gave up its dome-shaped housing, and now the OpenMV board is doing guest access duty on a post in front of his property’s front gate. He’s shared the code with us, and says he’s personally running a slightly modified version for security reasons — not that a random burglar is likely to stumble upon this post anyway. Besides it looks like the gate would be easy for a burglar to jump over without any need for security bypass, and the convenience benefits of this hack are undeniable.

In the unlikely chance a burglar is reading this, however, don’t be sad. We do happen to have a bunch of hacks for you, too. There are far less secure systems out there, from building RFID keyfobs to gated community access control systems; sometimes all you need is a 12 V battery. If you’re not into burglary, that’s okay too — we’ve covered other guest access hacks before, for instance, this ESP8266-powered one.

This Week In Security: Breaking CACs To Fix NTLM, The Biggest Leak Ever, And Fixing Firefox By Breaking It

To start with, Microsoft’s June Security Patch has a fix for CVE-2022-26925, a Man-In-The-Middle attack against NTLM. According to NIST, this attack is actively being exploited in the wild, so it landed on the KEV (Known Exploited Vulnerabilities) Catalog. That list tracks the most important vulnerabilities to address, and triggers a mandated patch install no later than July 22nd. The quirk here is that the Microsoft Patch that fixes CVE-2022-26925 also includes a fix for a couple of certificate vulnerabilities, including CVE-2022-2693, Certifried. That vulnerability was one where a machine certificate could be renamed to the same name as a domain controller, leading to organization-wide compromise.

The fix that rolled out in June now requires that a "strong certificate mapping" be in place to tie a user to a certificate. Having the same common name is no longer sufficient, and a secure value like the Security IDentifier (SID) must be mapped from certificate to user in Active Directory. The patch puts AD in a compatibility mode, which accepts the insecure mapping, so long as the user account predates the security certificate. This has an unintended consequence of breaking how the US Government uses CACs (Common Access Cards) to authenticate their users. Government agencies typically start their onboarding by issuing a CAC, and then establishing an AD account for that user. That makes the certificate older, which means the newest patch rejects it. Thankfully there's a registry key that can be set, allowing the older mapping to still work, though likely with a bit of a security weakness opened up as a result.
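The compatibility-mode decision described above, written out as an added example (not Microsoft's code and not from the original post) so an administrator can see which logons break. The `backdating_allowance` parameter is a hypothetical stand-in for the registry setting the post mentions, and the accounts, SIDs and dates are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass
class Logon:
    user: str
    account_sid: str
    account_created: datetime
    cert_issued: datetime
    cert_sid: Optional[str] = None  # SID carried in the certificate, if any


def evaluate(logon, backdating_allowance=timedelta(0)):
    """Return (allowed, reason) for one certificate logon in compatibility mode."""
    if logon.cert_sid is not None:
        # Strong mapping: the certificate names the account's SID.
        if logon.cert_sid == logon.account_sid:
            return True, "strong mapping"
        return False, "certificate SID does not match account"
    # Weak mapping (name only): tolerated only if the account is older.
    gap = logon.account_created - logon.cert_issued
    if gap <= timedelta(0):
        return True, "weak mapping, account predates certificate"
    if gap <= backdating_allowance:
        return True, "weak mapping, inside configured allowance"
    return False, "weak mapping, certificate older than account"


# Constructed sample accounts; SIDs and dates are made up.
LOGONS = [
    Logon("alice", "S-1-5-21-1-1001", datetime(2020, 3, 1), datetime(2021, 6, 1)),
    Logon("bob-cac", "S-1-5-21-1-1002", datetime(2022, 1, 12), datetime(2022, 1, 10)),
    Logon("carol", "S-1-5-21-1-1003", datetime(2022, 2, 1), datetime(2022, 1, 1),
          cert_sid="S-1-5-21-1-1003"),
    Logon("dave", "S-1-5-21-1-1004", datetime(2019, 1, 1), datetime(2022, 1, 1),
          cert_sid="S-1-5-21-1-1001"),
]


def audit(logons, backdating_allowance=timedelta(0)):
    """Map each user to whether their logon would be accepted."""
    return {l.user: evaluate(l, backdating_allowance)[0] for l in logons}


if __name__ == "__main__":
    for l in LOGONS:
        print(l.user, *evaluate(l))
```

The `bob-cac` entry is the CAC onboarding case: the card was issued two days before the account existed, so it is rejected until an allowance is configured or the certificate is reissued with a SID.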

A Honda car behind a gate, with its turn signals shown blinking as it's being unlocked by a portable device implementing the hack in question. Text under the car says "Rolling Pwned".

Unlock Any (Honda) Car

Honda cars have been found to be severely vulnerable to a newly published Rolling PWN attack, letting you remotely open the car doors or even start the engine. So far it’s only been proven on Hondas, but ten out of ten models that [kevin2600] tested were vulnerable, leading him to conclude that all Honda vehicles on the market can probably be opened in this way. We simply don’t know yet if it affects other vendors, but in principle it could. This vulnerability has been assigned CVE-2021-46145.

[kevin2600] goes in depth on the implications of the attack but doesn’t publish many details. [Wesley Li], who discovered the same flaw independently, goes into more technical detail. The hack appears to replay a series of previously valid codes that resets the internal PRNG counter to an older state, allowing the attacker to reuse the known prior keys. Thus, it requires some eavesdropping on previous keyfob-car communication, but this should be easy to set up with a cheap SDR and an SBC of your choice.
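A simplified model of the counter rewind described above, beside a receiver that only resynchronises forward. This is an added example, not Honda's implementation and not code from either researcher; the key, the acceptance window, the three-frame resync rule and all class and function names are assumptions made for illustration.

```python
import hashlib
import hmac

KEY = b"constructed-demo-key"  # constructed secret, not a real fob key
WINDOW, RESYNC_RUN = 16, 3     # assumed: accept window; frames needed to resync

def frame(counter):
    """Fob side: a counter plus a truncated MAC over it."""
    mac = hmac.new(KEY, counter.to_bytes(4, "big"), hashlib.sha256).digest()[:4]
    return counter, mac

class Receiver:
    def __init__(self, allow_rewind):
        self.allow_rewind = allow_rewind  # True models the flaw
        self.last = 0
        self.run = []

    def receive(self, fr):
        counter, mac = fr
        if not hmac.compare_digest(mac, frame(counter)[1]):
            self.run = []
            return False
        if self.last < counter <= self.last + WINDOW:
            self.last, self.run = counter, []
            return True
        # Out of window: track a run of consecutive authentic frames.
        if self.run and counter == self.run[-1] + 1:
            self.run.append(counter)
        else:
            self.run = [counter]
        # Resync may move the counter forward; moving it back is the bug.
        if len(self.run) >= RESYNC_RUN and (counter > self.last or self.allow_rewind):
            self.last, self.run = counter, []
        return False

def stale_frame_accepted(allow_rewind):
    rx = Receiver(allow_rewind)
    seen = [frame(c) for c in range(1, 6)]  # constructed: presses 1..5 observed
    for fr in seen:
        rx.receive(fr)                      # legitimate use, receiver ends at 5
    for fr in seen[:3]:
        rx.receive(fr)                      # stale frames 1, 2, 3 arrive again
    return rx.receive(seen[3])              # is stale frame 4 honoured?

def forward_resync_works():
    rx = Receiver(allow_rewind=False)
    for c in (100, 101, 102):               # fob far ahead of the receiver
        rx.receive(frame(c))
    return rx.receive(frame(103))
```

The monotonic receiver still recovers when the fob has run far ahead, so refusing to move the counter backwards costs no usability.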

If you have one of the models affected, that’s bad news, because Honda probably won’t respond anyway. The researcher contacted Honda customer support weeks ago, and hasn’t received a reply yet. Why customer support? Because Honda doesn’t have a security department to submit such an issue to. And even if they did, just a few months ago, Honda said they will not be doing any kind of mitigation for “car unlock” vulnerabilities.

As it stands, all these Honda cars affected might just be out there for the taking. This is not the first time Honda has been found botching a rolling code implementation – in fact, it’s the second time this year. Perhaps this string of vulnerabilities is just karma for Honda striking down all those replacement part 3D models, but one thing is for sure – they had better create a proper department for handling security issues.