This Week In Security: Unicode Strikes Again, Trust No One (Redditor), And More

June 14, 2024 by 7 Comments

There’s a popular Sysadmin meme that system problems are “always DNS”. In the realm of security, it seems like “it’s always Unicode“. And it’s not hard to see why. Unicode is the attempt to represent all of Earth’s languages with a single character set, and that means there’s a lot of very similar characters. The two broad issues are that human users can’t always see the difference between similar characters, and that libraries and applications sometimes automatically convert exotic Unicode characters into more traditional text.

This week we see the resurrection of an ancient vulnerability in PHP-CGI, that allows injecting command line switches when a web server launches an instance of PHP-CGI. The solution was to block some characters in specific places in query strings, like a query string starting with a dash.

The bypass is due to a Windows feature, “Best-Fit”, an automatic down-convert from certain Unicode characters. This feature works on a per-locale basis, which means that not every system language behaves the same. The exact bypass that has been found is the conversion of a soft hyphen, which doesn’t get blocked by PHP, into a regular hyphen, which can trigger the command injection. This quirk only happens when the Windows locale is set to Chinese or Japanese. Combined with the relative rarity of running PHP-CGI, and PHP on Windows, this is a pretty narrow problem. The XAMPP install does use this arrangement, so those installs are vulnerable, again if the locale is set to one of these specific languages. The other thing to keep in mind is that the Unicode character set is huge, and it’s very likely that there are other special characters in other locales that behave similarly.

Downloader Beware

The ComfyUI project is a flowchart interface for doing AI image generation workflows. It’s an easy way to build complicated generation pipelines, and the community has stepped up to build custom plugins and nodes for generation. The thing is, it’s not always the best idea to download and run code from strangers on the Internet, as a group of ComfyUI users found out the hard way this week. The ComfyUI_LLMVISION node from u/AppleBotzz was malicious.

The node references a malicious Python package that grabs browser data and sends it all to a Discord or Pastebin. It appears that some additional malware gets installed, for continuing access to infected systems. It’s a rough way to learn. Continue reading “This Week In Security: Unicode Strikes Again, Trust No One (Redditor), And More”

2024 Business Card Challenge: T-800’s 555 Brain

June 14, 2024 by 12 Comments

In Terminator 2: Judgment Day it’s revealed that Skynet becomes self-aware in August of 1997, and promptly launches a nuclear attack against Russia to draw humanity into a war which ultimately leaves the door open for the robots to take over. But as you might have noticed, we’re not currently engaged in a rebellion against advanced combat robots.

The later movies had to do some fiddling with the timeline to explain this discrepancy, but looking at this 2024 Business Card Challenge entry from [M. Bindhammer] we think there’s another explanation for the Judgement Day holdup — so long as the terminators are rocking 555 timers in their chrome skulls, we should be safe.

While the classic timer chip might not be any good for plotting world domination, it sure does make for a great way to illuminate this slick piece of PCB art when it’s plugged into a USB port. Exposed copper and red paint are used to recreate the T-800’s “Brain Chip” as it appeared in Terminator 2, so even when the board isn’t powered up, it looks fantastic on display. The handful of components are around the back side, which is a natural place to put some info about the designer. Remember, this is technically supposed to be a business card, after all.

Continue reading “2024 Business Card Challenge: T-800’s 555 Brain”

Marimbatron: A Digital Marimba Prototyping Project

June 13, 2024 by 6 Comments

The Marimbatron is [Leo Kuipers] ‘s final project as part of the Fab Academy program supervised by [Prof. Neil Gershenfeld] of MIT’s Center for Bits and Atoms. The course aims to teach students how to leverage all the fab lab skills to create unique prototypes using the materials at hand.

The final polyurethane/PET/Flex PCB stack-up for the sensor pad

Fortunately, one of the main topics covered in the course is documentation, and [Leo] has provided ample material for review. The marimba consists of a horizontal series of wooden bars, each mounted over a metal resonator tube. It is played similarly to the xylophone, with a piano-type note arrangement, covering about five octaves but with a lower range than the xylophone. [Leo] converted this piano-type layout into a more logical grid arrangement. The individual pads are 3D printed in PETG and attached to a DIY piezoresistive pressure sensor made from a graphite-sprayed PET sheet laid upon a DIY flexible PCB. A central addressable LED was also included for indication purposes. The base layer is made of cast polyurethane, formed inside a 3D-printed rigid mould. This absorbs impact and prevents crosstalk to nearby sensors. The sensor PCB was initially prototyped by adhering a layer of copper tape to a layer of Kapton tape and cutting it out using a desktop vinyl cutter. While this method worked for the proof of concept, [Leo] ultimately outsourced the final version to a PCB manufacturer. The description of prototyping the sensor and dealing with over-moulding was particularly fascinating.

Continue reading “Marimbatron: A Digital Marimba Prototyping Project”

A 1940s Car Radio Receives Some Love

June 13, 2024 by 9 Comments

The entertainment systems in modern vehicles is akin to a small in-dash computer, and handles all manner of digital content. It probably also incorporates a radio, but increasingly that’s treated as something of an afterthought. There was a time though when any radio in a car was a big deal, and if you own a car from that era it’s possible that you’ve had to coax an aged radio into life. [The Radio Mechanic] is working on a radio from a 1946 Packard, which provides a feast for anyone with a penchant for 1940s electronics.

The unit, manufactured by Philco, is an all-in-one, with a bulky speaker in the chassis alongside the tubes and other components. It would have sat behind the dash in the original car, so some external cosmetic damage is not critical. Less easy to pass off is the cone rubbing on the magnet, probably due to water damage over the last eight decades. Particularly interesting are the controls, as we’re rather enamored with the multicolored filter attached to the tone control. A laser cutter makes short work of recreating the original felt gasket here.

The video below is the first of a series on this radio, so we don’t see it working. Ahead will be a lot more cleaning up and testing of components, and we’d expect a lot of those paper capacitors to need replacement. We can almost smell that warm phenolic smell.

If tube radio work is your thing, we’ve been there before.

Continue reading “A 1940s Car Radio Receives Some Love”

TDS 744A Scope Teardown Fixes Dodgy Channel

June 13, 2024 by 1 Comment

There are a lot of oscilloscopes from around the 1990s which are still very much desirable today, such as the Tektronix TDS 744A which [DiodesGoneWild] got his grubby mitts on. This is a 500 MHz, 4-channel scope, with a capture rate of 500 MS/s (4 channels) to 2 GS/s (1 channel). It also has a color display and even comes with a high-density (1.44 MB) floppy drive. Unfortunately this particular unit was having trouble with its fourth channel, and its NuColor display had degraded, something that’s all too common with this type of hybrid CRT/LCD (LCCS) technology.

Starting with a teardown of the unit to inspect the guts, there was no obvious damage on the PCBs, nor on the acquisition board which would explain the weird DC offset on the fourth channel. After cleaning and inspecting the capture module and putting the unit back together, the bias seen on channel four seemed to disappear. A reminder that the best problems are the ones that solve themselves. As for the NuColor display, this uses a monochrome CRT (which works fine) and an LCD with color filters. It’s the latter which seems degraded on this unit, with a repair still being planned.

We covered NuColor-based devices before, which offer super-sharp details that are hard to capture even with modern-day LCDs, never mind the ones of the 90s. Fixing these NuColor displays can be easy-ish sometimes, as [JVG] found when tearing apart a very similar Tektronix TDX-524A which required a power supply fix and the removal of goopy gel between the CRT and LCD to restore it.

Continue reading “TDS 744A Scope Teardown Fixes Dodgy Channel”

Long-Awaited SLS4All 3D Printer Now Shipping

June 13, 2024 by 35 Comments

We touched on the open source SLS4All DIY SLS 3D printer a year or two ago when the project was in the early stages. Finally, version one is complete, with a parts kit ready to ship and all design data ready for download if a DIY build or derivative is your style. As some already mentioned, this is not going to be cheap: with the full parts kit running at an eye-watering $7K before tax. But it’s possible to build or source almost all of it a bit at a time for those on a budget.

Try printing THIS benchy on an FDM machine!

It’s important to note that to access the detailed information, you’ll need to create an account, which is a bit inconvenient for an open source design. However, all the essential components seem to be available, so it’s forgivable. In terms of electronics, there are two custom PCBs: the GATE1 (GAlvo and Temperature Control) and the ZERO1 (Zero-crossing dimming) controller. Other than that, all the electronics seem to be standard off-the-shelf components. Both of these PCBs are designed using EasyEDA.

Unfortunately we couldn’t find access to the PCB Gerbers, nor does there appear to be a link to their respective EasyEDA projects, just the reference schematics. This is a bit of a drawback, but it’s something that could easily be reproduced with enough motivation. Control is courtesy of a Radxa Rock Pi, as there were ‘problems’ with a Raspberry Pi. This is paired with a 7-inch touchscreen to complete the UI. This is running a highly modified version of the Klipper together with their own control software, which is still undergoing testing before release.

The laser head is built around a 10 W 450 nm laser module from China and a high-end galvanometer set. Two 200 W halogen tube heaters heat the print bed, and 200 W silicone heating pads heat both the powder bed and the print bed.

Continue reading “Long-Awaited SLS4All 3D Printer Now Shipping”

Restoring A Vintage CGA Card With Homebrew HASL

June 12, 2024 by 26 Comments

Right off the bat, we’ll stipulate that what [Adrian] is doing in the video below isn’t actual hot air solder leveling. But we thought the results of his card-edge connector restoration on a CGA video card from the early 80s was pretty slick, and worth keeping in mind for other applications.

The back story is that [Adrian], of “Digital Basement” YouTube fame, came across an original IBM video card from the early days of the IBM-PC. The card was unceremoniously dumped, probably due to the badly corroded pins on the card-edge bus connector. The damage appeared to be related to a leaking battery — the corrosion had that sickly look that seems to only come from the guts of batteries — leading him to try cleaning the formerly gold-plated pins. He chose naval jelly rust remover for the job; for those unfamiliar with this product, it’s mostly phosphoric acid mixed with thickeners and is used as a rust remover.

The naval jelly certainly did the trick, but left the gold-plated pins a little worse for the wear. Getting them back to their previous state wasn’t on the table, but protecting them with a thin layer of solder was easy enough. [Adrian] used liquid rosin flux and a generous layer of 60:40 solder, which was followed by removing the excess with desoldering braid. That worked great and got the pins on both sides of the board into good shape.

[Adrian] also mentioned a friend who recommended using toilet paper to wick up excess solder, but sadly he didn’t demonstrate that method. Sounds a little sketchy, but maybe we’ll give it a try. As for making this more HASL-like, maybe heating up the excess solder with an iron and blasting the excess off with some compressed air would be worth a try.

Continue reading “Restoring A Vintage CGA Card With Homebrew HASL”