Showing an Ortur lasercutter control module in front of a screen. There's a serial terminal open on the screen, showing the "Ortur Laser Master 3" banner, and then a Grbl prompt.

Watch Out For Lasercutter Manufacturers Violating GPL

July 15, 2022 by Arya Voronova 84 Comments

For companies that build equipment like CNC machines or lasercutters, it’s tempting to use open-source software in a lot of areas. After all, it’s stable, featureful, and has typically passed the test of time. But using open-source software is not always without attendant responsibilities. The GPL license requires that all third-party changes shipped to users are themselves open-sourced, with possibility for legal repercussions. But for that, someone has to step up and hold them accountable.

Here, the manufacturer under fire is Ortur. They ship laser engravers that quite obviously use the Grbl firmware, or a modified version thereof, so [Norbert] asked them for the source code. They replied that it was a “business secret”. He even wrote them a second time, and they refused. Step three, then, is making a video about it.

Unfortunately [Norbert] doesn’t have the resources to start international legal enforcement, so instead he suggests we should start talking openly about the manufacturers involved. This makes sense, since such publicity makes it way easier for a lawsuit eventually happen, and we’ve seen real consequences come to Samsung, Creality and Skype, among others.

Many of us have fought with laser cutters burdened by proprietary firmware, and while throwing the original board out is tempting, you do need to invest quite a bit more energy and money working around something that shouldn’t have been a problem. Instead, the manufacturers could do the right, and legal, thing in the first place. We should let them know that we require that of them.

Continue reading “Watch Out For Lasercutter Manufacturers Violating GPL” →

Visual Cryptography For Physical Keyrings

July 14, 2022 by Dave Rowntree 14 Comments

Visual cryptography is one of those unusual cases that kind of looks like a good idea, but it turns out is fraught with problems. The idea is straightforward enough — an image to encrypt is sampled and a series of sub-pixel patterns are produced which are distributed to multiple separate images. When individual images are printed to transparent film, and all films in the set are brought into alignment, an image appears out of the randomness. Without at least a minimum number of such images, the original image cannot be resolved. Well, sort of. [anfractuosity] wanted to play with the concept of visual cryptography in a slightly different medium, that of a set of metal plates, shaped as a set of keyrings.

Two image ‘share pairs’ needed as a minimum to form an image when combined

Metal blanks were laser cut, with the image being formed by transmitted light through coincident holes in both plate pairs, when correctly aligned. What, we hear you ask, is the problem with this cryptography technique? Well, one issue is that of faking messages. It is possible for a malicious third party, given either one of the keys in a pair, to construct a matching key composing an entirely different message, and then substitute this for the second key, duping both original parties. Obviously this would need both parties to be physically compromised, but neither would necessarily notice the substitution, if neither party knew the originally encrypted message. For those interested in digging in a little deeper, do checkout this classic paper by Naor and Shamir [pdf] of the Wiezmann Institute. Still, despite the issues, for a visual hack it’s still a pretty fun technique!

Want to learn a little more about crypto techniques you can do at home? Here’s our guide. Encryption too hard to break, but need a way to eavesdrop? Just punt out a flawed system, and you’re good to go.

Continue reading “Visual Cryptography For Physical Keyrings” →

This Week In Security:Breaking CACs To Fix NTLM, The Biggest Leak Ever, And Fixing Firefox By Breaking It

July 8, 2022 by Jonathan Bennett 16 Comments

To start with, Microsoft’s June Security Patch has a fix for CVE-2022-26925, a Man-In-The-Middle attack against NTLM. According to NIST, this attack is actively being exploited in the wild, so it landed on the KEV (Known Exploited Vulnerabilities) Catalog. That list tracks the most important vulnerabilities to address, and triggers a mandated patch install no later than July 22nd. The quirk here is that the Microsoft Patch that fixes CVE-2022-26925 also includes a fix for a couple certificate vulnerabilities including CVE-2022-2693, Certifried. That vulnerability was one where a machine certificate could be renamed to the same as a domain controller, leading to organization-wide compromise.

The fix that rolled out in June now requires that a “strong certificate mapping” be in place to tie a user to a certificate. Having the same common name is no longer sufficient, and a secure value like the Security IDentifier (SID) must be mapped from certificate to user in Active Directory. The patch puts AD in a compatibility mode, which accepts the insecure mapping, so long as the user account predates the security certificate. This has an unintended consequence of breaking how the US Government uses CACs (Common Access Cards) to authenticate their users. Government agencies typically start their onboarding by issuing a CAC, and then establishing an AD account for that user. That makes the certificate older, which means the newest patch rejects it. Thankfully there’s a registry key that can be set, allowing the older mapping to still work, though likely with a bit of a security weakness opened up as a result. Continue reading “This Week In Security:Breaking CACs To Fix NTLM, The Biggest Leak Ever, And Fixing Firefox By Breaking It” →

Hacker Camps Post-Pandemic, Electromagnetic Field 2022

July 5, 2022 by Jenny List 21 Comments

After a four-year hiatus and a cancelled event, it was time earlier this month for British and European hackers to return to their field in Herefordshire. A special field, Eastnor Castle Deer Park, venue for the Electromagnetic Field 2022 hacker camp. I packed up an oversized rucksack and my folding bike, and set off to enjoy a few days in the company of my fellow geeks.

As the first of the large European hacker camps since 2019 there was both an excitement and a slight trepidation in finally hanging out with several thousand people, even if mostly outdoors. The UK has a good COVID vaccine uptake and the camp organisers requested that attendees test themselves before travelling to Eastnor, but after two years of precautions and the pandemic still being with us there’s still some risk to take into account. Happily they were able to strike a decent balance between precautions and event progress, and we were able to proceed with a fairly normal hacker camp.

Plenty Of Talks, But They’re Not Online Yet

Sadly the extensive programme of talks has yet to make it onto YouTube or media.ccc.de at the time of writing, so the section I’d normally devote to them may have to wait for another time. Thus this write-up is more about the social aspect than the action.

Eastnor Castle Deer Park lies in a secluded Herefordshire valley, and the entry is vla a small estate road that treats you to an unfolding vista as you approach, of the marquees and other structures nestled among the trees. The usual queue for a wristband and you’re in, with the minor inconvenience of a trek trough the site to wherever your village lies. This year I was with my hackerspace in the Milton Keynes Makerspace village, next to one of the estate roads at the side of the valley and clustered round a tent with the commendable purpose of distributing free cups of very high quality tea. My tent up, I was ready to tour the site, and renew some friendships after so long apart. Continue reading “Hacker Camps Post-Pandemic, Electromagnetic Field 2022” →

Raspberry Pi Pico “Modchip” Unlocks The GameCube

July 5, 2022 by Tom Nardi 30 Comments

In terms of units sold, it’s no secret that the GameCube was one of Nintendo’s poorest performing home consoles. You could argue increased competition meant sales of the quirky little machine were destined to fall short of the system’s legendary predecessors, but that didn’t keep the Wii from outselling it by a factor of five a few years later. Still, enough incredible games were released for the GameCube that the system still enjoys a considerable fanbase.

Now, with the release of PicoBoot by [webhdx], we suspect the GameCube is about to gain a whole new generation of fans. With just a Raspberry Pi Pico, some jumper wires, and a widely available third-party SD card adapter, this open source project bypasses the console’s original BIOS so it can boot directly into whatever homebrew application the user selects. With how cheap and easy to perform this modification is, we wouldn’t be surprised if it kicked off something of a renaissance for GameCube homebrew development.

In the video after the break, [Tito] of Macho Nacho Productions provides a rundown of this new project, including a fantastic step-by-step installation guide that covers everything from soldering the jumper wires to the console’s motherboard to getting the firmware installed on the Pico. He then demonstrates booting the console into various community developed front-ends and tools, showing just how versatile the modification is. While some will see this as little more than an easier way to run bootleg games, we can’t help but be excited about what the future holds now that getting your own code to run on the system is so easy.

Alright, maybe it’s not so easy. To solder on the five wires that will eventually snake their way to the GPIO pins of the Pi Pico, you’ll need to strip the console all the way down to the main board. That wouldn’t be too bad itself, but unfortunately to reach two of the connections you’ll need to remove the system’s massive heatsink — which means you’ll need to clean up the old sticky thermal pads and apply new ones if you don’t want your GameCube to turn into a GameCrisp. It’s nothing that would scare off the average Hackaday reader, but it might give pause to those less handy with an iron.

The release of PicoBoot comes hot on the heels of the revelation that the Raspberry Pi Pico can be used not only as an N64 flash cart but as a supercharged PlayStation Memory Card. These projects would all be significantly improved with a custom RP2040 board, and no doubt that’s the direction they’ll eventually head, but it’s hard not to be impressed by what the low-cost microcontroller development board is capable of in its native form. Especially now that it comes in WiFi flavor.

Continue reading “Raspberry Pi Pico “Modchip” Unlocks The GameCube” →

LMN-3: Putting The ‘OP’ In Open Source Synthesizers

June 14, 2022 by Sven Gregori 10 Comments

Some projects you come across simply leave you in awe when you look at the thought and the resulting amount of work that went into it, not only for the actual implementation, but everything around it. Even more so when it’s a single-developer open source project. [Stone Preston]’s synth / sampler / sequencer / DAW-in-a-box LMN-3 absolutely fits the description here, and it seems like he has set his heart on making sure everyone can built one for themselves, by providing all the design files from case down to the keycaps.

The LMN-3 (LMN as in “lemon”, not “comes before the OP“) is intended as a standalone, portable digital audio workstation, and is built around a Raspberry Pi 4 with a HyperPixel display for the user interface. The UI itself, and with it the core part of the software, was created using the Tracktion Engine, which itself uses the JUCE framework and combines your typical synthesizer, sequencer, and sampler features with the DAW part to handle recording, editing, and mixing. The remaining hardware is a custom-designed PCB with a set of function and keyboard buttons, along with a pitch bend joystick and four rotary encoders with push buttons that serve as main input handlers. Oh yes, and a Teensy board.

The UI is actually entirely controlled via MIDI commands, and custom firmware on the Teensy is translating the input events from buttons, encoders, and joystick accordingly. This essentially decouples the hardware from the software, and using a cross-platform framework underneath, you can also run the UI standalone on your computer and use any 3rd-party MIDI controller you like. Or then, as [Stone] thought really about everything, use a hardware emulator he created in addition. You could even leave out the Raspberry Pi and software altogether and turn this into a pure MIDI controller. If that sounds tempting, but you’re looking for something with more knobs and sliders instead of buttons, check out the Traktorino. And if you actually prefer a mouse as input device, there’s always something running in a browser.

Continue reading “LMN-3: Putting The ‘OP’ In Open Source Synthesizers” →

Hackaday Podcast 172: Frickin’ Laser Beams, Squishy Stomp Switches, And A Tiny But Powerful DIY Loom

June 10, 2022 by Kristina Panos 4 Comments

Join Hackaday Editor-in-Chief Elliot Williams and Assignments Editor Kristina Panos for a free-as-in-beer showcase of the week’s most gnarly but palatable hacks. But first, a reminder! Round 2 of the 2022 Hackaday Prize comes to an end in the early hours of Sunday, June 12th, so there’s still enough time to put a project together and get it entered.

This week, we discuss the utility of those squishy foam balls in projects and issue the PSA that it is in fact pool noodle season, so go get ’em. We drool over if-you-have-to-ask-you-can’t-afford-it 3D printers with staircases and such, and wonder why breadboard game controls didn’t already exist. Later on we laugh about lasers, shake the bottle of LTSpice tips from [fesz], and ponder under-door attacks. Finally, we’re back to frickin’ laser beams again, and we discover that there’s a fruity demoscene in Kristina’s backyard.

Direct Download link

Check out the links below if you want to follow along, and as always, tell us what you think about this episode in the comments!