Smart Ovens Are Doing Dumb Checks For Internet Connectivity

If you’ve ever worked in IT support, you’ll be familiar with users calling in to check if the Internet is up every few hours or so. Often a quick refresh of the browser is enough to see if a machine is actually online. Alternatively, a simple ping or browsing to a known-working website will tell you what you need to know. The one I use is koi.com, incidentally.

When it comes to engineers coding firmware for smart devices, you would assume they have more straightforward and rigorous ways of determining connectivity. In the case of certain smart ovens, it turns out they’re making the same dumb checks as everyone else.

Continue reading “Smart Ovens Are Doing Dumb Checks For Internet Connectivity”

Hackaday Podcast 204: Cesium, Colorful Cast Buttons, And CNC Pizza

This week, Editor-in-Chief Elliot Williams and Assignments Editor Kristina Panos met up over thousands of miles to discuss the hottest hacks of the past seven days. There’s a whole lot of news this week, and the really good part is the the small radioactive source that went missing in Australia has been found. Phew!

Kristina is still striking out on What’s That Sound, but we’re sure you’ll fare better. If you think you know what it is, fill out the form and you’ll be entered to win a coveted Hackaday Podcast t-shirt!

Finally, we get on to the hacks with an atomic pendulum clock that’s accurate enough for CERN, safecracking the rough-and-ready way, and plenty of hacks that are non-destructive to nice, old things. We’ll gush over a tiny DIY adjustable wrench, drool over CNC pizza, and rock out to the sounds of a LEGO guitar/synthesizer thing.

Check out the links below if you want to follow along, and as always, tell us what you think about this episode in the comments!

And/or download it and listen offline.

Continue reading “Hackaday Podcast 204: Cesium, Colorful Cast Buttons, And CNC Pizza”

Showing two MCP23017 expanders soldered onto a PCB

MCP23017 Went Through Shortage Hell, Lost Two Inputs

The MCP23017, a 16-bit I2C GPIO expander, has always been a tasty chip. With 16 GPIOs addressable over I2C, proper push/pull outputs, software-enabled pull-ups, eight addresses, maskable interrupts for all pins, and reasonably low price, there’s a reason it’s so popular. No doubt due in part to that popularity, it’s been consistently out of stock during the past year and a half, as those of us unlucky enough to rely on it in our projects will testify.

Now, the chip is back in stock, with 23,000 of them to go around on Mouser alone, but there’s a catch. Apparently, the lengthy out-of-stock period has taken a heavy toll on the IC. Whether it’s the recession or perhaps the gas shortages, the gist is — the MCP23017 is now a 14/16-bit expander, with two of the pins (GPA7 and GPB7) losing their input capabilities. The chips look the same, are called the same, and act mostly the same — if you don’t download the latest version of the datasheet (Revision D), you’d never know that there’s been a change. This kind of update is bound to cause a special kind of debugging evening for a hobbyist, and makes the chip way less suitable for quite a few applications.

It’s baffling to think about such a change happening nearly 20 years after the chip was initially released, and we wonder what could have caused it. This applies to the I2C version specifically — the SPI counterpart, MCP23S17, stays unaffected. Perhaps, using a microcontroller or shift registers for your GPIO expansion isn’t as unattractive of an option after all. Microcontroller GPIO errata are at least expected to happen, and shift registers seem to have stayed the same since the dawn of time.

The reasons for MCP23017 silicon getting cut in such a way, we might never know. At least now, hopefully, this change will be less of a bitter surprise to those of us happy to just see the chip back in stock — and for hackers who have already restocked their MCP23017 hoards, may your shelved boards magically turn out to have a compatible pinout.
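One way to catch the Revision D change before it costs you a debugging evening is to audit the register writes your firmware sends at init. The following is an added example, not code from the article or from Microchip; the register addresses are the datasheet's BANK=0 and BANK=1 maps, and the input is assumed to be a list of single-byte (register, value) writes in issue order.

```python
# Added example: flag MCP23017 pins that an init sequence configures as inputs
# but that Revision D silicon (GPA7 and GPB7) can no longer read.
IODIR_REGS = {0: {0x00: "A", 0x01: "B"},   # BANK=0: ports interleaved (power-on default)
              1: {0x00: "A", 0x10: "B"}}   # BANK=1: ports in separate 16-byte blocks
IOCON_REGS = {0: {0x0A, 0x0B}, 1: {0x05, 0x15}}
LOST_INPUT_BIT = 0x80                      # bit 7 of IODIRx selects GPA7 / GPB7


def audit_init_sequence(writes):
    """`writes`: (register, value) single-byte writes in the order the firmware issues them.
    A set IODIR bit requests an input; return the pins requested as inputs that
    Revision D parts cannot read, in order of first appearance."""
    bank = 0          # IOCON.BANK is 0 after power-on
    flagged = []
    for reg, value in writes:
        if reg in IOCON_REGS[bank]:
            bank = (value >> 7) & 1   # IOCON.BANK remaps every register write that follows
            continue
        port = IODIR_REGS[bank].get(reg)
        if port is not None and value & LOST_INPUT_BIT:
            pin = f"GP{port}7"
            if pin not in flagged:
                flagged.append(pin)
    return flagged


if __name__ == "__main__":
    # Constructed setup: port A all inputs with pull-ups, port B all outputs.
    print(audit_init_sequence([(0x00, 0xFF), (0x0C, 0xFF), (0x01, 0x00)]))  # ['GPA7']
```

Writes that change IOCON.BANK are tracked, so a sequence that switches to BANK=1 and then writes IODIRB at 0x10 is audited against the right map.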

This Week In Security: Github, Google, And Realtek

GitHub Desktop may have stopped working for you yesterday, February 2nd. The reason was an unauthorized access to some decidedly non-public repositories. The most serious bit of information that escaped was code signing certificates, notably used for GitHub Desktop and Atom. Those certificates were password protected, so it’s unlikely they’ve been abused yet. Even so, GitHub is taking the proper steps of revoking those certificates.

The only active certificate that was revoked was used for signing the Mac releases of GitHub Desktop, so quite a few older versions of that software are no longer easily installed. If nothing else, it’s a reminder that even a project with a well-run security team can have problems.

Sh1mmer-ing Chromebooks

There’s a new, clever attack on the Chromebook, specifically with the goal of unenrolling the device from an educational organization. And the “vulnerability” is a documented feature, the RMA Shim. That’s a special boot loader target that contains a valid signature, but allows the booting of other code, intended for troubleshooting and fixing devices in a repair center. Quite a few of those images have leaked, and Sh1mmer combines the appropriate image with a boot menu with some interesting options.

The first is unenrolling, so the device will act like a privately owned computer. This gets rid of content blocks and allows removing extensions. But wait, there’s more. Like rooting the device, a raw Bash terminal, and re-enabling developer mode. Now, as far as we can tell, this doesn’t *directly* break device encryption, but it’s likely that the RMA shim could be abused to tamper with the device’s filesystem. Meaning that the leak of a bunch of signed shims is a big problem for device security. If you use a Chromebook, it might be time to do some research on whether that model’s shim has been leaked.

Continue reading “This Week In Security: Github, Google, And Realtek”

End Of An Automation Era As Twitter Closes Its Doors To Free API Access

Over the last few months since Elon Musk bought Twitter there has been a lot of comment and reaction, but not much with relevance to Hackaday readers. Today though that has changed, with an announcement from the company that as of February 9th they will end their free API tier. It’s of relevance here because Twitter has become one of those glue items for connected projects and has appeared in many featured works on this site. A week’s notice of a service termination is exceptionally short, so expect to see a lot of the Twitter bots you follow disappearing.

Twitter bot owners have the option of paying to continue with Twitter, or rebuilding their service to use a Mastodon instance such as botsin.space. If the fediverse is new to you, then the web is not short of tutorials on how to do this.

We feel that Twitter will be a poorer place without some of the creative, funny, or interesting bots which have enriched our lives over the years, and we hope that the spam bots don’t remain by paying for API access. We can’t help feeling that this is a misguided step though, because when content is the hook to bring in the users who are the product, throwing out an entire category of content seems short-sighted. We’re not so sure about it as a move towards profitability either, because the payback from a successful social media company is never profit but influence. In short: social media companies don’t make money but the conversation itself, and that can sometimes be worth more than money if you can avoid making a mess of it.

If the bots from our field depart for Mastodon, we look forward to seeing whether the new platform offers any new possibilities. Meanwhile if your projects don’t Toot yet, find out how an ESP32 can do it.

Header: D J Shin, CC BY-SA 3.0.

The Struggle Of Keeping A 1950s Candlepin Bowling System Working

When we hear the term ‘bowling’, most of us think of what is known as ten-pin bowling, yet this is only one of the many variations. Candlepin bowling — so called because of the distinctive pin shape — has been around since 1880, yet is mostly played within New England in the US and the Canadian Maritime provinces. Because of how relatively uncommon it is, candlepin bowling alleys such as the one that [Autumn Mowery]’s family runs are struggling to keep the system working, much of it due to a lack of spare parts.

On [Autumn]’s YouTube channel she goes through many of the behind-the-scenes details at the Ellsworth, Maine-based bowling alley: the repairs, and the scavenging of spare parts from the sacrificial bowling lanes that are used to keep the other lanes going for as long as possible. With the mechanics of the installed candlepin bowling system dating back to the 1940s and having been in constant use since the 1950s, it’s an everyday struggle to keep the system from breaking down, with no spare parts available for sale.

Although the financially responsible approach might be to give up on the system and have a readily available ten-pin bowling system installed instead, there’s a lot more to this form of bowling than the difference in pin shape. Differences include the much stricter rules, the use of a smaller ball without finger holes, a lower chance of hitting a pin, and so on. This, along with the historical significance of the sport and of this particular system, would make it appear to be something that’s right up the (bowling) alley of our audience.

How’d you keep a 1950s-era bowling system up and running?

Thanks to [Tara Calishain] for the tip!

Picture of the dumper board, with a ROM chip and a Pi Pico inserted

A Disposable Dumper For ROM Chips With A Pi Pico

ROM dumping is vital for preserving old hardware, and we’ve seen many hacks dedicated to letting someone dump a ROM and send its contents to some hacker stuck with a piece of technology that lost its firmware. However, that requires ROM dumping tools of some kind, and often the lucky ROM-equipped hacker doesn’t own such tools. Now, you could mail the chip to someone else, but postal services in many countries are known to be UDP-like — lossy and without delivery guarantees. The risk of leaving both hackers without a ROM chip is quite real, so, instead of mailing ROM chips or expensive devices around, [Amen] proposes a cheap and disposable flash dumping tool that you could mail instead.

The ROMs in question are 24-pin 2332 and 2364 chips, which run at 5 V and can easily be read with any microcontroller. Thus, his concept is a very simple board, with a Pi Pico and flash chip socket on it, as well as some resistors. Those are used to provide rudimentary GPIO over-voltage protection, since the RP2040 runs its GPIOs at 3.3 V. All the magic is in the software – the tool can both save the chip contents to the RP2040’s internal memory and dump them over USB to the computer. Everything is open-source – if you ever need to dump a rare chip on the other side of the world, modify the design to your liking, order a few copies and then mail them to the hacker involved – losing such a package is way less significant than losing a ROM chip with last-of-its-kind firmware on it.

Old ROM chips are dying out, causing whole generations of hardware, like synths, to fade away – with tools like this one, you can lend a hand in preserving the legacy of many an industry and hobby, and many hackers do. Looking to learn about the basics of parallel flash dumping? This post from 2012 will be a good start, and then check out a more recent venture to learn how things are done with more recent parts.