34C3: Fitbit Sniffing And Firmware Hacking

If you walked into a gym and asked to sniff exercise equipment you would get some mighty strange looks. If you tell hackers you’ve sniffed a Fitbit, you might be asked to give a presentation. [Jiska] and [DanielAW] were not only able to sniff Bluetooth data from a run-of-the-mill Fitbit fitness tracker, they were also able to connect to the hardware with data lines using test points etched right on the board. Their Fitbit sniffing talk at 34C3 can be seen after the break. We appreciate their warning that opening a Fitbit will undoubtedly void your warranty since Fitbits don’t fare so well after the sealed case is cracked. It’s all in the name of science.

There’s some interesting background on how Fitbits generally work. For instance, the Fitbit pairs with your phone, which needs to be validated with the cloud server. But once the cloud server sends back authentication credentials they will never change, because they’re bound to the device ID of the Fitbit. This process is vulnerable to replay attacks.

Data being sent between the Fitbit and the phone can be encrypted, but there is a live mode that sends the data as plain text. The implementation seemed to be security by obscurity, as a new Bluetooth handle is used for this mode. This technique prevents the need to send every encrypted packet to the server for decryption (which would be required for every heartbeat packet). So far the fix for this has been the ability to disable live mode. If you have your own Fitbit to play with, sniffing live mode would be a fun place to start.

The hardware side of this hack begins by completely removing the PCB from the rubber case. The board is running an STM32 and the team wanted to get deep access by enabling GDB. Unfortunately, the debug pins were only enabled during reset and the stock firmware disables them at startup (as it should). The workaround was to rewrite the firmware so that the necessary GPIO remain active and there’s an interesting approach here. You may remember [Daniel Wegemer] from the Nexmon project that reverse engineered the Nexus 5 WiFi. He leveraged the binary patching he used on Nexmon to patch the Fitbit firmware to enable debugging support. Sneaky!

For more about 34C3 we have a cheatsheet of the first day and for more about Fitbit security, check out this WAV file.


Seven-Segment Flip Clock Display Finally Finished

Earlier this year, we mentioned in a Hackaday Links article that [Spencer Hamblin] was in the process of building a seven-segment flip clock. Well, it’s finally finished, and it looks great!

Vintage seven-segment digits make up the display. These digits work the same way that flip-dot displays work – current through each segment’s coil creates a magnetic field which causes the segment to flip over. Current in the other direction creates the opposite magnetic field and flips the segment the other way. On these digits, there are three connections on the coils. The middle one is power and the other two are used to enable and disable the segment – i.e., flip it one way or the other. To save on pins on the microcontroller, [Spencer] connected all the middle coil pins together on a digit. Each coil can be powered using a single pin on the microcontroller. Similarly, the segments for each digit are connected together as well, so one pin on the micro controls the same segment on each of the digits. The microcontroller in question is the AVR ATMega48.

There are two parts of the clock face left to do: AM/PM and whether the alarm is set or not. [Spencer] used a fifth digit, slightly offset, for those – the top and middle segments are used.

For the housing of the clock, [Spencer] used layers of offsetting colored wood. The wood (sapele and ash) were CNC cut and aligned. The back plate, also made from wood, holds buttons for setting the time and alarm, as well as some LEDs for what [Spencer] calls the “daylight alarm.” A capacitive sensor on the top of the unit (inside the wooden case) is used to turn the alarm off.

The result, after sanding and shellacking, looks amazing. [Spencer] nailed the art-deco look he was going for. There are plenty of pictures and the circuit designs, schematics and code are on [Spencer]’s Hackaday.io page, and you can find the Hackaday links post here. This is a complete log of a project we mentioned earlier on Hackaday, here, but there are other mechanical flip display clock projects, such as this DIY mechanical flip seven-segment prototype, or, you could create your own (really big) clock using this Lego mechanical seven-segment display.

via Reddit.

[Ken Shirriff] Becomes A Core Memory Repairman (Again)

Lately, [Ken Shirriff] has been on some of the most incredible hardware adventures. In his most recent undertaking we find [Ken] elbow-deep in the core memory of a 50-year-old machine, the IBM 1401. The computer wasn’t shut down before mains power was cut, and it has refused to boot ever since. The culprit is in the core memory support circuitry, and thanks to [Ken’s] wonderful storytelling we can travel along with him to repair an IBM 1401.

From a hardware standpoint core memory makes us giddy. It’s a grid of wires with ferrite toroids at every intersection. Bits can be set or cleared based on how electricity is applied to the intersecting wires. [Al Williams] walked through some of the core memory history last year and we enjoyed hearing [Pamela Liou] recount the story of how textile workers consulted on the fabrication of core memory for the Apollo missions during her OHWS Talk in October. But giddiness aside, core memory has pretty much gone the way of the dodo having been displaced by technologies that take up exponentially less space.

Bad inductor (green housing has been dissolved away)

We chuckle at [Ken’s] mention of the core memory capacity for the IBM 1401. It has 4000 characters of memory built-in (with another 12,000 in an expansion box) and he goes on to detail that these are 6-bit characters on a machine that operates in decimal and not binary (hence 4k instead of the base-2 friendly 4096).

You may remember his work a few years back to repair core memory on the same model. The Museum has two 1401s, which turned out to be a huge help in trouble-shooting this. After tracing out the control lines, the repair team began swapping cards between the working and non-working machines. They were able to bring it back online — establishing that one of the green inductors was bad — only to be struck with a second fault in the power supply.

Get this, [Ken] comments that “the whole computer is pre-silicon”. When working through the PSU, some suspect transistors were replaced with germanium power transistors. Those may have been a red herring, as a penciled-in fuse on the original schematics turned out to be the linchpin of the PSU repair. Buried deep in the assembly, replacing the designed-to-fail part let the ancient beast awake once more.

Machines of this quality were heavily documented, and the schematics make this type of trouble-shooting a lot more manageable. But it’s still as much an art as it is skill. Make sure to give [Ken’s] article a read, and look around at the other repair jobs he’s documented — keeping these machines in service is becoming wizard-level work and we love being able to follow along.

Retrotechtacular: 1950s Televisions Were Beasts

Television has been around for a long time, but what we point to and call a TV these days is a completely different object from what consumers first fell in love with. This video of RCA factory tours from the 1950s drives home how foreign the old designs are to modern eyes.

Right from the start the apparent chaos of the circuitry is mind-boggling, with some components on circuit boards but many being wired point-to-point. The narrator even makes comments on the “new technique for making electrical connections” that uses a wire wrapping gun. The claim is that this is cleaner, faster, and neater than soldering. ([Bil Herd] might agree.) Not all of the methods are lost in today’s manufacturing though. The hand-stuffing and wave soldering of PCBs is still used on lower-cost goods, and frequently with power supplies (at least the ones where space isn’t at a premium).

It’s no surprise when talking about 60+ year-old designs that these were tube televisions. But this goes beyond the Cathode Ray Tube (CRT) that generates the picture. They are using vacuum tubes, and a good portion of the video delves into the manufacture and testing of them. You’ll get a glimpse of this at 3:20, but what you really want to see is the automated testing machine at 4:30. Each tube travels along a specialized conveyor where the testing goes so far as to give a few automated whacks from corks on the ends of actuators. As the tube gauntlet progresses, we see the “aging” process (around 6:00) when each tube is run at 3-4 times the rated filament voltages. Wild!

There’s a segment detailing the manufacture of the CRT tubes as well, although these color tubes don’t seem to be for the model of TV being followed during the rest of the films. At about 7:07 they call them “Color Kinescopes”, an early name for RCA’s CRT technology.

During the factory tours we get the overwhelming feeling that this manufacturing is more related to automotive than modern electronics. These were the days when televisions (and radios) were more like pieces of furniture, and seeing the hulking chassis transported by hanging conveyors is just one part of it. The enclosure plant is churning out legions of identical wooden consoles. This begins at 11:55 and the automation shown is very similar to what we’d expect to see today. It seems woodworking efficiency was already a solved problem in the ’50s.


Take The Coin Cell Challenge This Weekend!

The year is drawing to a close, and we have a weekend project for you to while away the remaining hours. Take the Coin Cell Challenge!

The point of the challenge is to do something interesting with a coin cell. That’s it! It’s a challenge that can be as simple or as involved as you want. Low power is where it’s at these days, so if you’ve never used the hardware sleep modes in your favorite microcontroller, that would make an excellent challenge entry. Show us what you’re able to do with short wake periods, and talk about when and why that wake happens. Or go a completely different route and build your own cell!

[Ben Krasnow] makes the most of a tiny power source
The top twenty entries will each receive a $100 Tindie credit so they can score some excellent gear. Three top winners in special areas will each be awarded a $500 cash prize. We’re looking for something interesting that demonstrates longest life (Lifetime Award), something that burns through that coin cell as if it’s going out of style (Supernova Award), and something that fills us with disbelief (Heavy Lifting Award) because it shouldn’t be possible with “just a coin cell”.

One of our biggest inspirations for this contest was [Ben Krasnow], who managed to squeeze enough juice out of a minuscule coin cell to power his Flashing Light Prize entry, only because he reduced internal resistance by heating the cell with an air gun (here’s the Hackaday coverage of that project). And [Elliot Williams] wrote a great guide on what kind of juice you can expect to get out of a cell. Take these to heart and do something interesting this weekend. Enter now!

Dig Into The Apple Device Design Guide

Millions of people worldwide have just added new Apple gadgets to their lives thanks to the annual end of December consumerism event. Those who are also Hackaday readers are likely devising cool projects incorporating their new toys. This is a good time to remind everybody that Apple publishes information useful for such endeavors: the Accessory Design Guidelines for Apple Devices (PDF).

This comes to our attention because [Pablo] referenced it to modify an air vent magnet mount. The metal parts of a magnetic mount interfere with wireless charging. [Pablo] looked in Apple’s design guide and found exactly where he needed to cut the metal plate in order to avoid blocking the wireless charging coil of his iPhone 8 Plus. What could have been a tedious reverse-engineering project was greatly simplified by Reading The… Fine… Manual.

Apple has earned its reputation for hacker unfriendliness with nonstandard fasteners and liberal use of glue. And that’s even before we start talking about their digital barriers. But if your project doesn’t involve voiding the warranty, their design guide eliminates tedious dimension measuring so you can focus on the fun parts.

Dimensioned drawing of Apple iPad Pro

This guide is packed full of dimensioned drawings. A cursory review shows that they look pretty good and aren’t terrible at all. Button, connector, camera, and other external locations make this an indispensable tool for anyone planning to mill or print an interface for any of Apple’s hardware.

So let’s see those projects! Maybe a better M&M sorter. Perhaps a time-lapse machine. Or cure your car’s Tesla envy and put a well-integrated iPad into the dashboard.

Try This For 3D Printing Without Support

Have a look at the object to the right. Using a conventional fused deposition printer, how would you print the object? There’s no flat surface to lay on the bed without generating a lot of overhangs. That usually requires support.

In theory, you might be able to print the bottom of the sphere down, but it is difficult to get that little spot to adhere to the bed. If you have at least two extruders and you are set up to print support material, that might even be the best option. However, printing support out of the same material you are printing with makes it hard to get a good clean print. There is another possibility. It does require some post-processing, but then again, not as much as hacking away a bunch of support material.

A Simple Idea

The idea is simple and — at first — it will sound like a lot of trouble. The basic idea is to cut the model in half at some point where both halves would be easy to print and then glue them together. Stick around (no pun intended), though, because I’ll show you a way to make the alignment of the parts almost painless no matter how complex the object might be.

The practical problem with gluing together half models is getting the pieces in the exact position, but that turns out to be easy if you just make a few simple changes to your model. Another lesser problem is clamping a piece while gluing. You can use a vise, but some oddly-shaped parts are not conducive to traditional vise jaws.

In Practice

Starting with an OpenSCAD object, it is easy to cut the model in half. Actually, you could cut it anywhere. Then it is easy to rotate half of it so the cut line is at the bottom of each part. That doesn’t solve the alignment problem nor does it help you clamp when you glue.

The trick is to build a flange around each part. The flanges mate with a few screws after printing so alignment is perfect and bolts through the flange holes can keep the parts together and immobilized while your glue of choice sets. The kicker is that I even have an automated process to make the design side of this trick very easy.
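As an added illustration of the split-and-flange idea (not the author’s own automated script), here is an OpenSCAD sketch that cuts a stand-in model at a chosen height, lays each half cut-face-down, and adds a bolted alignment flange to both. The demo model, cut height, flange dimensions and M3 hole size are all assumptions; swap in your own part and adjust them.

```openscad
// Added example, not from the article. Split a model at cut_z, put the cut
// face of each half on the bed, and add a matching bolt flange to both halves.
cut_z          = 15;   // split height on the original model (assumed)
flange_outer_r = 25;   // flange outer radius (assumed)
flange_inner_r = 7;    // must clear the model's cross-section at cut_z
flange_t       = 3;    // flange thickness
bolt_circle_r  = 16;   // radius of the bolt circle
hole_r         = 1.7;  // clearance hole for M3 bolts (assumed)
n_holes        = 4;    // symmetric pattern, so it still lines up after rotating
big            = 1000; // half-space helper size

// Stand-in part with overhangs whichever way up you print it (constructed).
module demo_model() {
    sphere(r = 12, $fn = 48);
    cylinder(r = 6, h = 24, $fn = 48);
    translate([0, 0, 24]) cylinder(r1 = 6, r2 = 14, h = 8, $fn = 48);
}

// Ring flange sitting on the cut plane (z = 0) with bolt holes through it.
module flange() {
    difference() {
        cylinder(r = flange_outer_r, h = flange_t, $fn = 64);
        translate([0, 0, -1]) cylinder(r = flange_inner_r, h = flange_t + 2, $fn = 64);
        for (i = [0 : n_holes - 1])
            rotate([0, 0, i * 360 / n_holes])
                translate([bolt_circle_r, 0, -1])
                    cylinder(r = hole_r, h = flange_t + 2, $fn = 24);
    }
}

// Everything above cut_z, shifted so the cut face lies on z = 0.
module upper_half() {
    intersection() {
        translate([0, 0, -cut_z]) demo_model();
        translate([-big / 2, -big / 2, 0]) cube([big, big, big]);
    }
    flange();
}

// Everything below cut_z, rotated (not mirrored, to keep handedness)
// so its cut face also lies on z = 0.
module lower_half() {
    rotate([180, 0, 0]) intersection() {
        translate([0, 0, -cut_z]) demo_model();
        translate([-big / 2, -big / 2, -big]) cube([big, big, big]);
    }
    flange();
}

upper_half();
translate([60, 0, 0]) lower_half();
```

After gluing, the flange rings are the post-processing to trim off; a non-symmetric bolt pattern would need to be mirrored on the lower half so the holes still mate after the 180° rotation.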
