Yet another entry in the “why we can’t have nice things” category, Retbleed was announced this week, as yet another speculative execution vulnerability. This one is mitigated in hardware for AMD’s Zen 3 and Intel Generation 9 and later. For earlier devices the performance hit in mitigation is quite painful. What exactly makes this different from previous weaknesses, and why didn’t the previous mitigations cover this problem?
Continue reading “This Week In Security: Retbleed, Post-Quantum, Python-atomicwrites, And The Mysterious Cuteboi”
Watch Out For Lasercutter Manufacturers Violating GPL
For companies that build equipment like CNC machines or lasercutters, it’s tempting to use open-source software in a lot of areas. After all, it’s stable, featureful, and has typically passed the test of time. But using open-source software is not always without attendant responsibilities. The GPL license requires that all third-party changes shipped to users are themselves open-sourced, with the possibility of legal repercussions. But for that, someone has to step up and hold them accountable.
Here, the manufacturer under fire is Ortur. They ship laser engravers that quite obviously use the Grbl firmware, or a modified version thereof, so [Norbert] asked them for the source code. They replied that it was a “business secret”. He even wrote them a second time, and they refused. Step three, then, is making a video about it.
Unfortunately [Norbert] doesn’t have the resources to start international legal enforcement, so instead he suggests we should start talking openly about the manufacturers involved. This makes sense, since such publicity makes it way easier for a lawsuit to eventually happen, and we’ve seen real consequences come to Samsung, Creality and Skype, among others.
Many of us have fought with laser cutters burdened by proprietary firmware, and while throwing the original board out is tempting, you do need to invest quite a bit more energy and money working around something that shouldn’t have been a problem. Instead, the manufacturers could do the right, and legal, thing in the first place. We should let them know that we require that of them.
Embedded Dashboard Definitely Displays Data
Oftentimes, we’ll find ourselves using a PC attached to a project for serial debugging. Other times, we’ll be squinting at a status LED trying to remember the flash code we invented. This embedded dashboard from [hgrodriguez] aims to land somewhere in the middle.
The dashboard features LEDs, several 5×7 matrix displays, and will also mount a small OLED display. Everything onboard is driven by an ItsyBitsy board, featuring an Atmega32u4 microcontroller. Data can be fed to the ItsyBitsy via UART, SPI, or eventually, I2C as well.
With the ItsyBitsy handling actually driving the various displays, your project only needs to send out debug data over one of the listed interfaces. The ItsyBitsy will then display your byte values or word values on the matrix displays, flash the LEDs as required, and so on.
The result is a useful little console that can show you what’s going on in the brain of your microcontroller project. It’s no substitute for a full serial terminal, but it could definitely come in handy when you need to get eyes on a few variables in RAM!
Homebrew Stream Deck Pedal Emulates The Real Thing
Pedals are a great way to control functions on your computer. You’re rarely using your feet for anything else, so they can handle some tasks, freeing up your hands. This Elgato Stream Deck controller from [DDRBoxman] does just that.
[DDRBoxman] wanted to control Elgato Stream Deck much like the official pedal sold by the company. Thus, some hacking was in order. Using Wireshark with the Elgato pedal helped to determine the communication method of the real hardware.
Once the protocol was figured out, it was just a task of getting the Raspberry Pi Pico to replicate the same functionality. With the help of the tinyusb library, [DDRBoxman] was able to emulate the real Elgato device successfully. Paired with a 3D-printed footswitch design from Adafruit, the project was functional and complete.
We’ve seen great foot pedal devices over the years, from a simple macro device to a super-useful page turner for sheet music. If you’ve been hacking away at your own nifty input devices, be sure to drop us a line!
Visual Cryptography For Physical Keyrings
Visual cryptography is one of those unusual cases that kind of looks like a good idea, but it turns out is fraught with problems. The idea is straightforward enough — an image to encrypt is sampled and a series of sub-pixel patterns are produced which are distributed to multiple separate images. When individual images are printed to transparent film, and all films in the set are brought into alignment, an image appears out of the randomness. Without at least a minimum number of such images, the original image cannot be resolved. Well, sort of. [anfractuosity] wanted to play with the concept of visual cryptography in a slightly different medium, that of a set of metal plates, shaped as a set of keyrings.

Metal blanks were laser cut, with the image being formed by transmitted light through coincident holes in both plate pairs, when correctly aligned. What, we hear you ask, is the problem with this cryptography technique? Well, one issue is that of faking messages. It is possible for a malicious third party, given either one of the keys in a pair, to construct a matching key composing an entirely different message, and then substitute this for the second key, duping both original parties. Obviously this would need both parties to be physically compromised, but neither would necessarily notice the substitution, if neither party knew the originally encrypted message. For those interested in digging in a little deeper, do check out this classic paper by Naor and Shamir [pdf] of the Weizmann Institute. Still, despite the issues, for a visual hack it’s still a pretty fun technique!
Want to learn a little more about crypto techniques you can do at home? Here’s our guide. Encryption too hard to break, but need a way to eavesdrop? Just punt out a flawed system, and you’re good to go.
This Jet Engine Will See You Through
Have you ever wished you could peer inside a complex machine while it was still running? We sort of can with simulations and the CAD tools we have today, but it isn’t the same as doing it IRL. [Warped Perception] made a see-thru jet engine to experience the feeling. The effect, we dare say, is better than any simulation.
[Warped Perception] has a good bit of experience with jet engines and previously mounted them to his car. The first step was balancing, and while he didn’t use an oscilloscope, he could get it within a few thousandths of a gram balanced. Then, after some light CAD work, it was all machining. Brackets were fabricated, and gaskets were laser cut to hold the large thick clear cover together. There are a few exciting things to see (and hear). The engine expands and contracts significantly due to pressure and heat, but it’s interesting to see it move physically as it ramps up and down.
Additionally, the sound as it goes through the various thrust levels is quite impressive. But, of course, what’s a jet engine test without an airflow test? Surprisingly, the engine didn’t pull in as much air as he thought. Eighty pounds of thrust doesn’t mean eighty pounds of air.
This 3D-printed water-cooled jet engine isn’t quite see-through, but it is interesting to see the thorough process of making the engine itself. Video after the break.
A Linux Business Card You Can Build
It is a sign of the times that one of [Dmitry’s] design criteria for his new Linux on a business card is to use parts you can actually find during the current component shortage. The resulting board uses an ATSAMD21 chip and emulates a MIPS machine in order to boot Linux.
We like that in addition to the build details, [Dmitry] outlines a lot of the reasons for his decisions. There’s also a fair amount of detail about how the whole system actually works. For example, by using a 0.8 mm PCB, the board can accept a USB-C cable with no additional connector. There is also a great explanation of the MIPS MMU, and don’t forget that MIPS begat RISC-V, so many of the MIPS core details will apply to RISC-V as well (but not the MMU). You’ll also find some critiques of the ATSAMD21’s DMA system. It seems that, to save chip real estate, the DMA system stores configuration data in user memory, which it has to load and unload every time you switch channels.
By the end of the post you get the feeling this may be [Dmitry]’s last ATSAMD21 project. But we have to admit, it seems to have come out great. This isn’t the first business card Linux build we’ve seen. This one sure reminded us of a MIDI controller card we once saw.






