35C3: Finding Bugs In Bluetooth

[Jiska Classen] and [Dennis Mantz] created a tool called Internal Blue that aims to be a Swiss-army knife for playing around with Bluetooth at a lower level. Their tool is built on three functions common to all Broadcom Bluetooth chipsets: one that lets you read arbitrary memory, one that lets you write it, and one that lets you execute it. Well, that was easy. The rest of their work was analyzing this code and learning how to replace the firmware with their own version, which took them a few months of hard reversing work.

In the end, Internal Blue lets them execute commands at one layer deeper — the LMP (Link Manager Protocol) layer — easily allowing monitoring and injection. In a series of live (and successful!) demos they probe around on a Nexus 6P from a modified Nexus 5 on their desk. This is where they started digging around in the Bluetooth stacks of other devices with Broadcom chipsets, and that’s where they started finding bugs.

As is often the case, [Jiska] was just poking around and found an external code handler that didn’t do bounds checking, which meant she could run other functions in the firmware simply by passing an out-of-range handler offset. Since they’re essentially calling functions at arbitrary locations in memory, finding which functions to call with which arguments is a process of trial and error, but the ramifications include at least a Bluetooth module crash and reset, and extend to tricks like putting the Bluetooth module into “Device Under Test” mode, which should only be accessible from the device itself. All of this happens before pairing with the device — just walking by is sufficient to invoke functions through the buggy handler.
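The bug class described above, written out as an added example in hypothetical C (this is not Broadcom’s firmware and not the handler [Jiska] found): a handler table indexed by a byte lifted straight from an incoming PDU with no bounds check, the walk through offsets that the trial-and-error search amounts to, and the one-line fix. The ROM layout, opcodes and addresses are all invented for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/*
 * Hypothetical firmware model (constructed for this example). A uint8_t
 * opcode can never index past ROM_WORDS, which keeps the demo itself
 * memory-safe; a real chip has no such fence and would simply jump to
 * whatever word follows the table.
 */
#define ROM_WORDS    256
#define TABLE_BASE   0     /* word index where the handler table starts */
#define TABLE_COUNT  3     /* handlers that are supposed to be reachable */

static const uint32_t firmware_rom[ROM_WORDS] = {
    [0] = 0x00011000u, /* handler 0 (hypothetical "ping")     */
    [1] = 0x00011040u, /* handler 1 (hypothetical "version")  */
    [2] = 0x00011080u, /* handler 2 (hypothetical "features") */
    [3] = 0x00020000u, /* NOT a handler: some test-mode entry point (hypothetical) */
    [4] = 0x00000000u, /* NOT a handler: data; jumping here would crash the chip  */
    [5] = 0x0003C0DEu, /* NOT a handler: another stray code pointer (hypothetical) */
    /* remaining words are zero */
};

/* Vulnerable: the opcode byte from the PDU indexes the table unchecked, so
 * every word after the table is also "a handler". Returns the address the
 * dispatcher would call. */
uint32_t resolve_unchecked(uint8_t opcode)
{
    return firmware_rom[TABLE_BASE + opcode];
}

/* Fixed: reject opcodes outside the table before touching memory.
 * Returns 0 and fills *target on success, -1 when the PDU must be dropped. */
int resolve_checked(uint8_t opcode, uint32_t *target)
{
    if (opcode >= TABLE_COUNT)
        return -1;
    *target = firmware_rom[TABLE_BASE + opcode];
    return 0;
}

/* Convenience wrapper: 1 if the fixed dispatcher would accept the opcode. */
int checked_accepts(uint8_t opcode)
{
    uint32_t t;
    return resolve_checked(opcode, &t) == 0;
}

/* The attacker's trial and error: push every opcode through the unchecked
 * path and record the ones that land on a non-zero word (a plausible call
 * target) outside the real table. Stores up to `max` opcodes in `hits`. */
size_t enumerate_stray_targets(uint8_t *hits, size_t max)
{
    size_t n = 0;
    for (unsigned op = TABLE_COUNT; op < 256; op++)
        if (resolve_unchecked((uint8_t)op) != 0 && n < max)
            hits[n++] = (uint8_t)op;
    return n;
}

size_t stray_target_count(void)
{
    uint8_t hits[256];
    return enumerate_stray_targets(hits, sizeof hits);
}

/* Which opcode makes the unchecked dispatcher jump to `want`? -1 if none. */
int opcode_for_target(uint32_t want)
{
    for (unsigned op = 0; op < 256; op++)
        if (resolve_unchecked((uint8_t)op) == want)
            return (int)op;
    return -1;
}

int main(void)
{
    uint8_t hits[8];
    size_t n = enumerate_stray_targets(hits, sizeof hits);
    for (size_t i = 0; i < n; i++)
        printf("opcode 0x%02x -> 0x%08x (outside the table)\n",
               hits[i], resolve_unchecked(hits[i]));
    printf("fixed dispatcher accepts opcode 3: %s\n",
           checked_accepts(3) ? "yes" : "no");
    return 0;
}
```

The enumeration loop is why the real bug took trial and error: the attacker only learns what each stray offset does by sending it and watching whether the module crashes, resets, or changes behaviour. The fix is a single comparison before the table read, which is also why shipping it reveals exactly where the flaw sits to anyone diffing old and new firmware.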

Not all the details of this exploit are available yet, because Broadcom hasn’t fixed the firmware for probably millions of devices in the wild. One of the reasons they haven’t is that patching the bug will disclose where the flaw lies in all of the unpatched phones, and not all vendors can be counted on to push out updates at the same time. While they focused on the Nexus 5, which is fairly old now, the bug applies to any device with a similar Broadcom Bluetooth chipset.

Aside from the zero-day bug here, the big story is their Bluetooth analysis framework, which will surely help other researchers learn more about Bluetooth, find more glitches, and hopefully make Bluetooth more openly scrutinized and more secure. Now anyone with a Raspberry Pi 3/3+ or a Nexus 5 is able to turn it into a low-level Bluetooth investigation tool.

You might know [Jiska] from her previous FitBit hack. If not, be sure to check it out.

A Bluetooth Upgrade For An Unusual Set Of Headphones

We will have all picked up something from a junk pile or swap meet in our time that caught our eye not because we needed it but because it looked cool. [Quinn Dunki] did just that with an irresistible set of 1980s air traffic control headphones. What did she do with them? Turn them into a set of Bluetooth headphones of course!

The ‘phones in question are particularly interesting, as they turned out upon inspection to be a two-way radio in disguise. Cracking them open revealed a radio board and a logic board, and what makes them particularly interesting to this Hackaday scribe’s eye is their choice of frequency. She finds a crystal with a VHF airband frequency multiplier and concludes that they must operate there, but a look at the photos reveals all the ingredients of a classic AM or low HF receiver. There is a ferrite rod antenna and a variable capacitor; if we didn’t know that these were very high-end professional ‘phones, we’d almost suspect they were a novelty AM radio from Radio Shack. If any readers can shed any light on the frequency and purpose of this device, we’re all ears.

The conversion involved a Sparkfun Bluetooth module breakout board paired with a little audio power amplifier. The original drivers were high-impedance and one of them had died, so she replaced them with a modern pair of identical size. The control buttons were mounted in the headphone’s external housing, after a wrong turn into attempting to create a custom enclosure. The result is a rather novel but high-quality set of ‘phones, and one we rather wish we’d found ourselves.

Adding Bluetooth To Original SNES Controllers

There’s a bunch of companies selling wireless Super Nintendo style controllers out there. You can go on Amazon and get any number of modern pads that at least kinda-sorta look like what came with Nintendo’s legendary 1990s game console. They’ve got all kinds of bells and whistles: Bluetooth, USB-C, analog sticks, etc. But none of them are legitimate SNES controllers, and for some people that’s just not good enough.

[sjm4306] is one of those people. He wanted to add Bluetooth and some other modern niceties to a legitimate first-party SNES controller, so he picked up a broken one off of eBay and got to work grafting in his custom hardware. The final result works with Nintendo’s “Classic Edition” consoles, but the concept could also work with the original consoles as well as the computer if you prefer your classic games emulated.

A custom ATMEGA328P-powered board polls the controller’s serial shift register over its latch, clock and data lines in much the same way the original SNES would have. It then takes those button states and sends them out over UART through an HC-05 Bluetooth module. The controller is powered by a 330 mAh 3.7V battery, and a charging circuit allows for easily topping the controller off with a standard USB cable.
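The polling the board performs, as an added example in C (not [sjm4306]’s firmware): a bit-banged read of the SNES controller’s shift register, run here against a small simulated controller so the logic can be exercised on a PC. The protocol itself is the standard one: pulse LATCH to load the button lines, then clock out 16 bits on DATA, active-low, in the order B, Y, Select, Start, Up, Down, Left, Right, A, X, L, R, followed by four lines that always read high. The `sim_*` functions stand in for the GPIO reads and writes and the microsecond delays an AVR build would use.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

enum snes_button {
    SNES_B = 0, SNES_Y, SNES_SELECT, SNES_START,
    SNES_UP, SNES_DOWN, SNES_LEFT, SNES_RIGHT,
    SNES_A, SNES_X, SNES_L, SNES_R
};

/* Simulated controller (constructed for this example): 12 active-low button
 * lines loaded into a shift register on LATCH, plus four lines tied high. */
struct snes_sim {
    uint16_t pressed_mask;  /* bit n set = button n physically held */
    uint16_t shift;         /* shift register contents after LATCH   */
    int      bits_shifted;
};

/* Parallel load on LATCH: pressed reads 0, released reads 1, top four bits 1. */
static void sim_latch(struct snes_sim *c)
{
    c->shift = (uint16_t)((~c->pressed_mask & 0x0FFFu) | 0xF000u);
    c->bits_shifted = 0;
}

/* Level on the DATA line; the first bit is valid right after LATCH. */
static int sim_data(const struct snes_sim *c)
{
    return c->shift & 1u;
}

/* CLOCK pulse: advance to the next bit. Past 16 bits the line stays high. */
static void sim_clock(struct snes_sim *c)
{
    c->shift = (uint16_t)((c->shift >> 1) | 0x8000u);
    c->bits_shifted++;
}

/* The poll the console (or the ATmega328P here) runs every frame.
 * Returns a mask with bit n set for each pressed button in enum order,
 * or 0 if the frame is malformed (upper four bits must read high). On real
 * hardware sim_latch/sim_clock/sim_data become GPIO toggles and reads with
 * roughly 12 us latch and 6 us clock periods; the delays are omitted here. */
uint16_t snes_poll(struct snes_sim *pad)
{
    uint16_t raw = 0;
    sim_latch(pad);
    for (int i = 0; i < 16; i++) {
        raw |= (uint16_t)(sim_data(pad) << i);   /* bit 0 is B, bit 11 is R */
        sim_clock(pad);
    }
    if ((raw & 0xF000u) != 0xF000u)
        return 0;                                /* not a valid controller frame */
    return (uint16_t)(~raw & 0x0FFFu);           /* invert: 1 = pressed */
}

/* Poll a fresh simulated pad holding the given buttons (handy for tests). */
uint16_t poll_with_mask(uint16_t pressed)
{
    struct snes_sim pad = { .pressed_mask = pressed, .shift = 0, .bits_shifted = 0 };
    return snes_poll(&pad);
}

bool snes_is_pressed(uint16_t state, enum snes_button b)
{
    return (state >> b) & 1u;
}

int main(void)
{
    static const char *names[12] = { "B", "Y", "Select", "Start", "Up", "Down",
                                     "Left", "Right", "A", "X", "L", "R" };
    uint16_t state = poll_with_mask((1u << SNES_A) | (1u << SNES_LEFT) | (1u << SNES_START));
    for (int b = 0; b < 12; b++)
        if (snes_is_pressed(state, (enum snes_button)b))
            printf("%s ", names[b]);
    printf("\n");
    return 0;
}
```

The returned 12-bit mask is exactly what the project then has to ship over the UART to the HC-05; the check on the upper four bits is cheap insurance against reading garbage when the cable is flaky or the pad is unplugged mid-poll.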

A particularly nice touch on the controller is the use of custom light pipes for the status LEDs. [sjm4306] made them by taking pieces of transparent PLA 3D printer filament, heating and flattening the end, and then sanding it smooth. This provides a diffusing effect on the light, and we’ve got to say it looks very good. Definitely a tip to file away for the future.

On the receiving side, this project was inspired by a custom NES Classic Edition Advantage controller we featured last year, and borrows the work creator [bbtinkerer] did to get his receiver hardware talking to the Classic console over I2C.

We’ve seen a number of projects which have added wireless functionality to the classic Super Nintendo controller, but most tend to be more invasive than this one. We like the idea of reading the controller’s original hardware rather than completely gutting it.

Bring Your Own Controller Kits Just Add Bluetooth

Known for their build quality and low latency, the [8bitdo] line of Bluetooth controllers is generally well liked among classic videogame devotees. They match modern conveniences like rechargeable batteries and Bluetooth connectivity with old school color schemes and the tried-and-true feel of a D-pad. All of their current offerings are modeled to evoke the feel of console controllers of the past; however, for some there is no substitute for the original. For that type of hobbyist, the company created DIY Bluetooth mod kits in the form of drop-in replacement PCBs.

The featured mod kits are for the original NES controller, SNES controller, and 6-button Genesis controller. They feature a 180 mAh Li-ion battery for an estimated 7.5 hours of gameplay, and a unique barrel-plug type USB charging cable. The charging port fills the void left by the controller’s connection cable and also doubles as the LED status indicator. For the Sega Genesis mod kit, though, the charge port changes to a standard micro USB.

The [8bitdo] website boasts compatibility across Android, Linux, Mac, and Windows (drivers permitting) and even Nintendo Switch. With the addition of one of the company’s Retro Receivers, you are able to use the controllers on the original NES or SNES alongside their contemporary NES/SNES classic console counterparts.

Knock-Off AirPods Merged Into Bluetooth Receiver

Whether or not you personally like the concept of the AirPod Bluetooth headphones is irrelevant, as an Apple product one thing is certain: all the cool kids want them. That also means that plenty of overseas manufacturers are pumping out janky clones for a fraction of the price for those who are more about the Apple look than the Apple price tag. Are they any good? No, of course not. But that doesn’t mean you can’t do something interesting with them.

[Igor Kromin] took apart a pair of fake AirPods and was predictably underwhelmed. So much so that he didn’t even bother putting the things back together. Instead, he took the two poor Bluetooth audio receivers and combined them into one slightly less poor Bluetooth audio receiver. It probably doesn’t meet the classical definition of a “good” use of time and/or money, but at least he got some entertainment out of a product that was otherwise destined for the trash.

As you might imagine, the left and right “AirPod” each has its own battery, Bluetooth receiver, and speaker. It has to, as they have no physical connection to each other. That also means that each receiver is only playing one channel, making them useless individually. What [Igor] realized was that he could put together a little PCB that combines the two audio channels back into a regular stereo 3.5 mm audio jack.

While he was at it, he also wired the individual buttons on each headphone to a center button on the PCB, which allows him to physically synchronize them. Even so, [Igor] mentions that occasionally they don’t come on at the same time. But what do you expect for something that’s nearly a twentieth of the price of the original?

The last time we saw a hack related to the Apple AirPod, it was when somebody threw them out the window, so one might presume most hackers prefer their iDevice tethered.

Vintage Silvertone Cabinet Gets Bluetooth Treatment

This Bluetooth speaker is full of delightful surprises. The outer shell is an antique radio cabinet, but its practically empty interior is a combination of Dead Bug circuitry and modern BT receiver.

[PJ Allen] found the BT receiver on Groupon and decided to whip up amplifier and threshold detector circuits using only parts he already had in order to make this vintage-looking Bluetooth speaker. The cabinet is from a Silvertone Model 1955 circa 1936. Don’t worry, no antiques were harmed in the making of this hack, the cabinet was empty when he bought it.

LM4871 based amplifiers

The amplifiers, one per speaker, began life as a circuit from TI’s LM4871 datasheet. Some of the departures came about because he didn’t have the exact component values, even paralleling capacitors to get in the right range. The finished board is a delightful mix of “Dead Bug” and quasi-Manhattan style construction, “quasi” because he carved up the ground plane instead of laying pads on top of it.

Look at the front of the cabinet and you’ll see a rectangular display. Watch the video below and you’ll see that it throbs in time to the music. To do that he came up with a threshold detector circuit which started out based on a circuit from a Sharp/Optonica cassette tape deck, but to which he made improvements.

Not all cabinets come empty though. Check out this post by our own [Gregory L. Charvat] about restoring these wonderful old radios.

Turn A Cheap Bluetooth Speaker Into An Audio Receiver

Cheap Bluetooth speakers come in all different kinds of shapes and colors, and they let you conveniently stream music, for example from your mobile phone. For [mcmchris], they had one significant shortcoming though: while most of them come with some auxiliary input port as alternative audio source, they usually lack an audio output port that would let him route the audio to his more enjoyable big-speaker sound setup. Lucky for him, it’s a problem that can be fixed with a wire cutter and soldering iron, and so he simply turned his cheap speaker into a Bluetooth audio receiver.

After opening the speaker, [mcmchris] discovered a regular F-6188 Bluetooth audio module built around the BK8000L chip, with the audio jack connected to the chip’s aux input pins. Taking a close look at the PCB, the solution seemed obvious: cut the connection to the chip’s aux input pins and connect the audio jack in parallel with the audio signal instead. After some trial and error, the output pins of the on-board op amp turned out to provide the best audio signal for his shiny new output jack. You can see more details about the speaker’s inner life and a demonstration in the video after the break — in Spanish.

If the concept looks familiar to you, we’ve indeed seen a very similar approach to equip a Google Home Mini with an audio output jack before. The alternative is of course to just build a decent sized Bluetooth speaker yourself.
