Cryptic Calendar Makes For A Useful Wall Ornament

Hackers love a good clock build, but its longer-term cousin, the calendar, is more seldom seen in the wild. Regardless, they can be just as useful and elegant a project, as this cryptic design from [Wolfspaw] demonstrates.

The project consists of a series of rotating wheels, displaying a series of arcane symbols. When the markings on the wheel align correctly with the viewing window, they display the date, month, and day of the week, respectively. The wheels themselves are fitted with 3D printed gear rings, which are turned by stepper motors under the control of an Arduino Nano. Hall effect sensors and magnets are used to keep everything appropriately aligned, while a DS3231 real time clock handles timekeeping duties.

It’s a tidy build, and we think the cryptic design adds a little mystery, making this an excellent conversation piece. The build is actually a remix of a project we’ve featured before, scaled and given a unique twist to suit [Wolfspaw]’s own personal aesthetic. Video after the break.


Adding Remote Control To The Elegoo Mars Pro

Recent price drops put entry level masked stereolithography (MSLA) resin 3D printers at around $200 USD, making them a very compelling tool for makers and hackers. But as you might expect, getting the price this low often involves cutting several corners. One of the ways manufacturers have made their machines so cheap is by simplifying the electronics and paring down the feature set to the absolute minimum.

So it was hardly a surprise for [Luiz Ribeiro] to find that his new Elegoo Mars Pro didn’t offer WiFi connectivity or a remote control interface. You’re supposed to just stick a USB flash drive into the printer and select the object you want to print from its menu system. But that doesn’t mean he couldn’t hack the capability in himself.

Monitoring a print with Mariner.

If this were a traditional 3D printer, he might have installed OctoPrint and been done with it. But resin printers are a very different beast. In the end, [Luiz] had to develop his own remote control software that worked around the unique limitations of the printer’s electronics. His software runs on a Raspberry Pi Zero and uses Linux’s “USB Gadget” system to make it appear as a flash drive when plugged into the USB port on the Elegoo Mars Pro.

This allows sending object files to the printer over the network, but there was a missing piece to the puzzle. [Luiz] still needed to manually go over to the printer and select which file he wanted to load from the menu. That is, until he realized there was an exposed serial port on the control board that allowed him to pass commands to the printer. Between the serial connection and faux USB Mass Storage device, his mariner software has full control over the Mars Pro and is able to trigger and monitor print jobs remotely.

It might not offer quite the flexibility of adding OctoPrint to your FDM 3D printer, but it’s certainly a start.

Animated Pumpkins Sing And Scare On Halloween

The animated video combined with the 3D-printed prop makes for an excellent effect.

Carving Jack O’ Lanterns out of pumpkins is a favorite Hallowe’en tradition for many, but relying on candles and knives is decidedly low-tech. [Lewis] of [DIY Machines] decided to whip up something a little more animated to scare the local trick-or-treaters instead.

The build consists of 3D printed pumpkins, lit from behind with a low-cost projector. Driven by a Raspberry Pi, the projector plays video files that project animated faces onto the pumpkins. The effect is great, giving the illusion of a real anthropomorphic Jack O’ Lantern sitting on your very porch. To control the system, a series of arcade buttons are hooked up to the Raspberry Pi allowing visitors to activate a song, a scare, or a story.

It’s a fun build that is a great way to add some interactivity to your Hallowe’en decorations. If you want to take your work up a notch, consider projecting on to your whole house. Video after the break.


Clara Rockmore. Photo by Renato Toppo, © The Nadia Reisenberg / Clara Rockmore Foundation

The Theremin Is 100 Years Old; Celebrating The Spookiest Of Instruments

It wouldn’t be October without Halloween, and it wouldn’t be Halloween without some spooky music. There’s no instrument spookier than a Theremin, which also happens to be one of the world’s first electronic instruments.

Leon Theremin plays his namesake instrument. Image via Linda Hall Library

You’ve no doubt heard the eerie, otherworldly tones of the Theremin in various 1950s sci-fi films, or heard the instrument’s one-of-a-kind cousin, the Electro-Theremin in “Good Vibrations” by the Beach Boys. The Theremin turns 100 years old this month, so we thought we’d take a look at this strange instrument.

One hundred years ago, a young Russian physicist named Lev Sergeyevich Termen, better known as Leon Theremin, was trying to invent a device to measure the density of various gases. In addition to the standard analog needle readout, he wanted another way to indicate the density, so he devised an oscillator whistle that would change pitch based on the density.

He discovered by accident that having his hand in the field of the antenna changed the pitch of the whistle, too. Then he did what any of us would do — played around until he made a melody, then called everyone else in the lab over to check it out.

Theremin soon showed his device to Lenin, who loved it so much that he sent Lev on a world tour to show it off. While in New York, he played it for Rachmaninoff and Toscanini. In fact you can see a video recording of Leon playing the instrument, a performance that’s more hauntingly beautiful than spooky. In 1928, he patented the Theremin in the United States and worked with RCA to produce them.


Hackaday Podcast 091: Louisville Exploder, Generating Japanese Joinery, Relay Retrocomputer Rally, And Chop The Robopup

Hackaday editors Mike Szczys and Elliot Williams dig through the greatest hacks that ought not be missed this week. There’s a wild one that flexes engineering skills instead of muscles to beat the homerun distance record with an explosively charged bat. A more elegant use of those engineering chops is shown in a CNC software tool that produces intricate wood joinery without needing an overly fancy machine to fabricate it. If your flesh and blood pets aren’t keeping up with your interests, there’s a new robot dog on the scene that far outperforms its constituent parts which are 3D-printed and of the Pi and Arduino varieties. And just when you thought you’d seen all the craziest retrocomputers, here’s an electromechanical relay based machine that took six years to build (although there’s so much going on here that it should have taken sixteen).

Take a look at the links below if you want to follow along, and as always, tell us what you think about this episode in the comments!


ESP8266 Does RC Without The Transmitter

While the cost of a hobby-grade remote control transmitter has dropped significantly over the last decade or so, even the basic models are still relatively expensive. It’s not such a big deal if you only need to get one for personal use, but for a school to outfit a classroom’s worth of students their own radios, they’d need to have a serious STEM budget.

Which is why [Miharix], himself an educator with a decade of experience, developed a project that leverages the ESP8266 to create affordable RC vehicles that can be controlled with a smartphone’s web browser. There’s a bit of irony at play since the smartphones are more expensive than the RC transmitters would have been; but with more and more school-age kids having their own mobile devices, it takes the cost burden off of the educators. Depending on the age of the students, the teacher would only need to keep a couple of burner phones on hand for students that don’t have a device of their own.

A custom PCB makes connections easier for students.

In its fully realized form, the project uses an open hardware board that allows standard RC hobby servos to be connected to the GPIO pins of an ESP-12E module. But if you don’t want to go through the trouble of building the custom hardware, you could put something similar together with an ESP development board. From there it’s just a matter of installing the firmware, which starts up a server providing a touch-based controller interface that’s perfect for a smartphone’s screen.

Since the ESP8266 pops up as an Access Point that client devices can connect to, you don’t even need to have an existing network in place. Or Internet access, for that matter. [Miharix] says that in tests, the range between a common smartphone and the ESP8266 is approximately 85 meters (260 feet), which should be more than enough to get the job done.

In the videos after the break you can see this system being used with an RC car and boat, though the only limit to what you could control with this project is your own imagination.


This Week In Security: Discord, Chromium, And WordPress Forced Updates

[Masato Kinugawa] found a series of bugs that, when strung together, allowed remote code execution in the Discord desktop app. Discord’s desktop application is an Electron powered app, meaning it’s a web page rendered on a bundled light-weight browser. Building your desktop apps on JavaScript certainly makes life easier for developers, but it also means that you inherit all the problems from running a browser and JS. There’s a joke in there about finally achieving full-stack JavaScript.

The big security problem with Electron is that a simple Cross Site Scripting (XSS) bug is suddenly running in the context of the desktop, instead of the browser. Yes, there is a sandboxing option, but that has to be manually enabled.

And that brings us to the first bug. Neither the sandbox nor the contextIsolation options were set, and so both defaulted to false. What does this setting allow an attacker to do? Because the front-end and back-end JavaScript run in the same context, it’s possible for an XSS attack to override JS functions. If those functions are then called by the back-end, they have full access to Node.js functions, including exec(), at which point the escape is complete.

Now that we know how to escape Electron’s web browser, what can we use for an XSS attack? The answer is automatic iframe embeds. For an example, just take a look at the exploit demo below. On the back-end, all I have to do is paste in the YouTube link, and the WordPress editor does its magic, automatically embedding the video in an iframe. Discord does the same thing for a handful of different services, one being Sketchfab.

This brings us to vulnerability #2. Sketchfab embeds have an XSS vulnerability. A specially crafted Sketchfab file can run some JS whenever a user interacts with the embedded player, which can be shoehorned into Discord. We’re almost there, but there is still a problem remaining. This code is running in the context of an iframe, not the primary thread, so we still can’t override functions for a full escape. To actually get a full RCE, we need to trigger a navigation to a malicious URL in the primary pageview, and not just the iframe. There’s already code to prevent an iframe from redirecting the top page, so this RCE is a bust, right?

Enter bug #3. If the top page and the iframe are on different domains, the code preventing navigation never fires. In this case, JavaScript running in an iframe can redirect the top page to a malicious site, which can then override core JS functions, leading to a full escape to RCE.

It’s a very clever chaining of vulnerabilities, from the Discord app, to an XSS in Sketchfab, to a bug within Electron itself. While this particular example required interacting with the embedded iframe, it’s quite possible that another vulnerable service has an XSS bug that doesn’t require interaction. In any case, if you use Discord on the desktop, make sure the app is up to date. And then, enjoy the demo of the attack, embedded below.
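From the defender's side, the first and third links in the chain come down to two checks: are sandbox and contextIsolation explicitly enabled, and is top-level navigation restricted to origins the app expects. The following is an added example, not code from Discord, Electron or the original write-up; the function names, the sample origin and the sample preference objects are hypothetical, and the defaults are the ones the article describes.

```javascript
// Added example: audit Electron webPreferences and gate top-level navigation.
// Defaults as described in the article: both options fall back to false when unset.
const DEFAULTS_PER_ARTICLE = { sandbox: false, contextIsolation: false };

// Returns a list of findings for a webPreferences object (empty list = hardened).
function auditWebPreferences(prefs = {}) {
  const effective = { ...DEFAULTS_PER_ARTICLE, ...prefs };
  const findings = [];
  for (const key of Object.keys(DEFAULTS_PER_ARTICLE)) {
    if (effective[key] !== true) {
      const how = prefs[key] === undefined
        ? "unset, defaults to false"
        : "explicitly disabled";
      findings.push(`${key}: ${how}`);
    }
  }
  return findings;
}

// Decide whether a top-level navigation may proceed. Meant to be called from a
// webContents 'will-navigate' handler, which calls event.preventDefault() on false.
function isAllowedNavigation(targetUrl, allowedOrigins) {
  let parsed;
  try {
    parsed = new URL(targetUrl);
  } catch {
    return false; // unparseable URL: block
  }
  if (parsed.protocol !== "https:") return false; // no javascript:, file:, http:
  // Compare the full origin, never a substring or prefix of the URL.
  return allowedOrigins.includes(parsed.origin);
}

// Constructed sample inputs (hypothetical, not any real application's settings).
const weakPrefs = {};
const hardenedPrefs = { sandbox: true, contextIsolation: true };
const allowed = ["https://app.example.com"];

console.log(auditWebPreferences(weakPrefs));
console.log(auditWebPreferences(hardenedPrefs));
console.log(isAllowedNavigation("https://app.example.com/channels/1", allowed));
console.log(isAllowedNavigation("https://app.example.com.evil.example/", allowed));
```

The origin comparison matters because a prefix or substring match would accept look-alike hosts such as the last sample URL.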
