Sun On The Run: Diving Into Solar With A Mobile PV System

For obvious reasons, there has been a lot of interest in small-scale residential solar power systems lately. Even in my neck of the woods, where the sun doesn’t shine much from October to April, solar arrays are sprouting up on rooftops in a lot of local neighborhoods. And it’s not just here in suburbia; drive a little way out into the country or spend some time looking around in Google Maps and it won’t take long to spy a sizable array of PV panels sitting in a field next to someone’s ranch house or barn.

Solar has gotten to the point where the expense of an installation is no longer a serious barrier to entry, at least if you’re willing to put in a little sweat equity and not farm the project out to a contractor. Doing it yourself requires some specialized tools and knowledge, though, over and above your standard suite of DIY skills. So, in the spirit of sharing hard-won knowledge, I decided to take the somewhat unusual step of writing up one of my personal projects, which has been in progress for a couple of years now and resulted in a solar power system that isn’t on a rooftop or a ground-mounted array at all, but rather is completely mobile: my solar trailer.


A Web Server, The Sixteen Bit Way

If you were to talk about sixteen bit computing in retrocomputing circles, misty-eyed reminiscences of the ST or Amiga would emerge. Both fine platforms, but oddly the elephant in the 16-bit room has become a victim of its own success. DOS, the granddaddy of all PC operating systems, seems oddly overshadowed by its 68000-based competitors in a way it certainly wasn’t back in the day. Perhaps it’s the often-atrocious graphics when cards designed for business graphics were pressed into gaming service, but it’s easy to forget that DOS PCs were the powerhouses of their day. They still pack a punch even in 2023, as [Lunduke] is here to show us by running a DOS web server. Take that, nginx!

This Week In Security: Browser Exploits, Play Protect, And Turn ON Your Firewall!

Google Chrome has done a lot of work on JavaScript performance, pushing the V8 engine to more and more impressive feats. Recently, that optimization has one more piece, the Maglev compiler, which sits between Sparkplug and TurboFan, as a mid-tier optimization step. With a Just In Time (JIT) system, the time saving of code optimization steps has to be carefully weighed against the time costs, and Maglev is another tool in that endless hunt for speed. And with anything this complicated, there’s the occasional flaw found in the system. And of course, because we’re talking about it here, it’s a security vulnerability that results in Remote Code Execution (RCE).

The trick is to use Maglev’s optimization against it. Set up a pair of classes, such that B extends A. Calling new B() results in an attempt to use the constructor from A. Which works, because the compiler checks to make sure that the constructors match before doing so. There’s another way to call a constructor in JS, something like Reflect.construct(B, [], Array);. This calls the B constructor, but indicates that the constructor should return an Array object. You may notice, there’s no array in the A class below. Tricking the compiler into using the parent class constructor in this fashion results in the array being uninitialized, and whatever happens to be in memory will set the length of the array.

Meshtastic And Owntracks To Kick Your Google Habit

I have an admission to make. I have a Google addiction. Not the normal addiction — I have a problem with Google Maps, and the timeline feature. I know, I’m giving my location data to Google, who does who-knows-what-all with it. But it’s convenient to have an easy way to share location with my wife, and very useful to track my business related travel for each month. What we could really use is a self-hosted, open source system to track locations and display location history. And for bonus points, let’s include some extra features, like the ability to track vehicles, kids, and pets that aren’t carrying a dedicated Internet connection.

You can read the title — you know where we’re going with this. We’re setting up an Owntracks service, and then tying it to Meshtastic for off-Internet usability. The backbone that makes this work is MQTT, a network message bus that has really found its niche in the Home Assistant project among others. It’s a simple protocol, where clients send brief messages labeled by topic, and can also subscribe to specific topics. For this little endeavor we’ll use the Mosquitto MQTT broker.

One of the nice things about MQTT is that the messages are all text strings, and often take the form of JSON. When trying to get two applications talking using a shared MQTT server, there may need to be a bit of translation. One application may label a field latitude, and the other shortens it to lat. The glue code to put these together is often known as an MQTT translator, or sometimes an MQTT bridge. This is a program that listens to a given topic, ingests each message, and sends it back to the MQTT server in a different format and topic name.
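A sketch of the translation step described above, added here as an illustration and not code from the article or from the Owntracks or Meshtastic projects. The source topic prefix and source field names are assumed, the output is modelled on Owntracks’ location JSON (lat, lon, tst, tid), and the MQTT subscribe/publish wiring is left out. Since any client on the broker can publish to the source topic, the function allowlists fields and range-checks values before anything is republished.

```python
import json

# Assumed for illustration: topic prefixes and the source-side field names.
SRC_PREFIX = "mesh/position/"
DST_PREFIX = "owntracks/mesh/"
FIELD_MAP = {"latitude": "lat", "longitude": "lon", "time": "tst"}
RANGES = {"lat": (-90, 90), "lon": (-180, 180), "tst": (0, 2**32)}


def translate(topic, payload):
    """Return (new_topic, new_payload), or None if the message is rejected."""
    if not topic.startswith(SRC_PREFIX):
        return None
    device = topic[len(SRC_PREFIX):]
    # The device id is copied into the output topic, so refuse anything that
    # could add topic levels or wildcards ('/', '+', '#') or is empty.
    if not device.isalnum():
        return None
    try:
        msg = json.loads(payload)
    except ValueError:  # covers malformed JSON and invalid UTF-8
        return None
    if not isinstance(msg, dict):
        return None
    out = {"_type": "location", "tid": device[-2:]}
    # Only the mapped fields are copied; everything else is dropped.
    for src, dst in FIELD_MAP.items():
        value = msg.get(src)
        # bool is a subclass of int, so exclude it explicitly.
        if isinstance(value, bool) or not isinstance(value, (int, float)):
            return None
        lo, hi = RANGES[dst]
        # Written as "not in range" so NaN, which json.loads accepts, fails.
        if not lo <= value <= hi:
            return None
        out[dst] = value
    out["tst"] = int(out["tst"])
    return DST_PREFIX + device, json.dumps(out, sort_keys=True)


if __name__ == "__main__":
    # Constructed sample messages, not captured traffic.
    samples = [
        ("mesh/position/node42",
         b'{"latitude": 47.6, "longitude": -122.3, "time": 1700000000}'),
        ("mesh/position/node42", b'{"latitude": 147.6, "longitude": 0, "time": 1}'),
        ("mesh/position/a/#", b'{"latitude": 1, "longitude": 1, "time": 1}'),
    ]
    for t, p in samples:
        print(t, "->", translate(t, p))
```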

The last piece is Owntracks, which has a recorder project that pulls locations from the MQTT server and stores them locally. Then there’s Owntracks Frontend, which is a much nicer user interface, with some nice features like viewing movement a day at a time.

This Week In Security: Your Car’s Extended Warranty, Seizing The Fediverse, And Arm MTE

If you’ve answered as many spam calls as I have, you probably hear the warranty scam robocall in your sleep: “We’ve been trying to reach you about your car’s extended warranty.” That particular robocalling operation is about to run out of quarters, as the FCC has announced a nearly $300 million fine levied against that particular operation. The scammers had a list of 500 million phone numbers, and made over five billion calls in three months. Multiple laws were violated, including some really scummy behavior like spoofing employer caller ID, to try to convince people to pick up the call.

Now, that record-setting fine probably isn’t ever going to get paid. The group of companies on the hook for the amount don’t really exist in a meaningful way. The individuals behind the scams are Roy Cox and Aaron Jones, who have already been fined significant amounts and been banned from making telemarketing calls. Neither of those measures put an end to the problem, but going after Avid Telecom, the company that was providing telephone service, did finally put the scheme down.

Mastodon Data Scooped

There are some gotchas to Mastodon. Direct Messages aren’t end-to-end encrypted, your posts are publicly viewable, and if your server operator gets raided by law enforcement, your data gets caught up in the seizure.

The background here is that the administrator of the server in question had an unrelated legal issue, and was raided by FBI agents while working on an issue with the Mastodon instance. As a result, when agents seized electronics as evidence, a database backup of the instance was grabbed too. While Mastodon posts are obviously public by design, there is some non-public data to be lost. While IP addresses aren’t exactly out of reach of law enforcement, they’re still a bit of personal information that many of us like to avoid publishing. Then there are hashed passwords. While that’s better than plaintext passwords, having your password hash out there just waiting to be brute-forced is a bit disheartening. But the one that really hurts is that Mastodon doesn’t have end-to-end encryption for private messages.

Bluetooth Battery Monitors That Also Monitor Your Position, Without Asking

These days Bluetooth-based gadgets are everywhere, including for car and solar batteries. After connecting them up to the battery, you download the accompanying app on your smartphone, open it up and like magic you can keep tabs on your precious pile of chemistry that keeps things ticking along. Yet as [haxrob] discovered during an analysis, many of these devices will happily pass your location and other information along to remote servers.

The device in question is a Bluetooth 4.0 Battery Monitor that is resold under many brands, and which by itself would seem to do just what it is said to do, from monitoring a battery to running crank tests. Where things get unpleasant is with the Battery Monitor 2 (BM2) mobile app that accompanies the device. It integrates a library called AMap which is “a leading provider of digital map in China” and part of Alibaba. Although the app’s information page claims that no personal information is collected, the data intercepted with Wireshark would beg to differ.

In part 2 of this series, the BM2 app is reverse-engineered, decompiling the Java code. The personal information includes the latitude and longitude, as well as GPS, cell phone tower cell IDs and WiFi beacon data, which understandably has people rather upset. In addition to leaking your personal info, the BM2 app also seems to be good at running constantly in the background, which ironically drains your phone’s battery at an alarming rate.

Cases like these should be both a warning to not just install any app on your smartphone, and a wake-up call to Google and others to prevent such blatant privacy violations.

(Thanks to [Drew] for the tip)

Commodore 64 Web Server Brings 8-Bit Into The Future

These days, most webservers are big hefty rackmount rigs with roaring fans in giant datacenters. [naDDan]’s webserver is altogether more humble, as it runs on a single Commodore 64. 

The C64 is running Contiki OS, an operating system for 6502-based computers. It’s built with an eye to networking, requiring ethernet hardware for full functionality. In [naDDan]’s case, he’s outfitted his C64 with an ETFE network adapter in the cartridge port to get it online. It serves up the HTML file off a 1541C floppy drive, with the drive buzzing away every time someone loads up the page.

The page itself is simple, showing some basic information on a simple blue background. There is some scrolling text though, as is befitting the 8-bit era. It’s also available in four languages.

[naDDan]’s server can be found here, according to his video, but at the time of writing, it was down for the count. Whether that’s due to a dynamic DNS issue or the simple fact that an 8-bit 6502 isn’t up to heavy traffic is up for debate. Regardless, try for yourself and see how you go. Video after the break.