Streaming Video From An ESP32

The ESP32, while first thought to be little more than a way of adding wireless capabilities to other microcontrollers, has quickly replaced many of them with its ability to be programmed as its own platform rather than simply an accessory. This also paved the way for accessories of its own, such as various sensors and even a camera. This guide goes over taking the input from the camera and streaming it out over the network to multiple browsers.

On the server side of things, the ESP32 and its attached camera are set up with MQTT, a lightweight communications protocol which uses a publish/subscribe model to send information. The ESP32 is configured to publish its images only, but not subscribe to any other nodes. On the client side, the browser runs a JavaScript program which is able to gather these images and stitch them together into a video.

This can be quite a bit of data to send out over the ESP32’s compact hardware, so there are some tips and tricks for getting more out of these little devices, including using an external antenna for better Wi-Fi signal, or omitting it entirely in favor of Ethernet. As far as getting a lot out of a tiny microcontroller, though, leveraging MQTT really helps the ESP32 go a long way. These chips have come along way since they were first introduced; they’re powerful enough to act as 8-bit gaming consoles too.

Thanks to [Surfskidude] for the tip!

The ‘Scope Of This Kickstarter? Ten Years.

It may have taken ten years to come through on this particular Kickstarter, but a promise is a promise. In late August 2023, backers who had since likely forgotten all about the project started receiving their oscilloscope watches from creator [Gabriel Anzziani]. Whatever the reason(s) for the delay, the watch looks great, and is miles ahead of the prototype pictures.

As you may have guessed, it functions as both a watch and an oscilloscope. The watch has 12- and 24-hour modes as well as an alarm and calendar, and the ‘scope has all the features of the Xprotolab dev board, which [Gabriel] also created: ‘scope, waveform generator, logic analyzer, protocol sniffer, and frequency counter.

Internally, it has an 8-bit Xmega microcontroller which features an internal PDI, and the display is a 1.28″ E ink display. When we covered this ten years ago, the screen was the type of Sharp LCD featured in the Pebble watch. [Gabriel]’s ‘scope watch features eight buttons around the edge which are user-programmable. One of [Gabriel]’s goals was for people to make their own apps.

Of course, the Kickstarter rewards are no longer available, but if you want to build your own small, digital ‘scope, check out this DIY STM32 project.

Image via the Company Formerly Known As Twitter

This Week In Security: Not A Vulnerability, BGP Bug Propogation, And Press Enter To Hack

Curl was recently notified of a CVE, CVE-2020-19909, rated at a hair-raising 9.8 on the CVSS scale. And PostgreSQL has CVE-2020-21469, clocking in with a 7.5 severity. You may notice something odd about those two vulnerabilities, but I promise the 2020 date is only the tip of the iceberg here.

Let’s start with PostgreSQL. That vulnerability was only present in version 12.2, which released in February of 2020, and was fixed with the 12.3 release in May of that same year. The problem is a stack buffer overflow, which doesn’t seem to enable code execution, but does cause a denial of service situation. To trigger the bug? Repeatedly send the PostgreSQL daemon the SIGHUP signal.

If you’re familiar with Linux signals, that might sound odd. See, the SIGHUP signal technically indicates the end of a user session, but most daemons use it to indicate a restart or reload request. And to send this signal, a user has to have elevated privileges — elevated enough to simply stop the daemon altogether. Put simply, it’s not a security vulnerability, just a minor bug.

And now on to curl — This one is just bizarre. The issue is a integer overflow in the --retry-delay argument, which specifies in seconds how often curl should retry a failing download. The value is multiplied by 1000 to convert to milliseconds, resulting in an overflow for very large values. The result of that overflow? A smaller value for the retry delay.

[Daniel Stenberg] makes the point that this tale is a wonderful demonstration of the brokenness of the CVE system and NVD’s handling of it. And in this case, it’s hard not to see this as negligence. We have to work really hard to construct a theoretical scenario where this bug could actually be exploited. The best I’ve been able to come up with is an online download tool, where the user can specify part of the target name and a timeout. If that tool had a check to ensure that the timeout was large enough to avoid excess traffic, this bug could bypass that check. Should we be assigning CVEs for that sort of convoluted, theoretical attack?

But here’s the thing, that attack scenario should rate something like a CVSS of 4.8 at absolute worst. NVD assigned this a 9.8. There’s no way you can squint at this bug hard enough to legitimately rank it that severe. At the time of writing, the NVD lists this as “UNDERGOING REANALYSIS”.
Continue reading “This Week In Security: Not A Vulnerability, BGP Bug Propogation, And Press Enter To Hack”

Diving Into Starlink’s User Terminal Firmware

The average Starlink user probably doesn’t spend a lot of time thinking about their hardware after getting the dish aligned and wiring run. To security researchers, however, it’s another fascinating device to tinker with as they reverse-engineer the firmware and try to both find out what makes it tick, as well as how to break it. This is essentially the subject of [Carlo Ramponi]’s article over at Quarkslab as he digs into the firmware architecture and potential weaknesses in its internal communication.

The user terminal hardware itself is a quite standard AArch64 ARM-based SoC, along with the proprietary communication interface, all of which is controlled by the Linux-based firmware. Dumping the firmware itself was made easy thanks to existing work by researchers at the KU Leuven, involving dumping the contents of the onboard eMMC storage. After this the firmware architecture could be analyzed, which turned out to consist out of mostly C++-based binaries, but with a single big binary for the user front-end written in Go.

Communication between these processes is handled through a custom inter-process protocol called ‘Slate Sharing’, all of which is coordinated via the core User Terminal Control process. It are these Slate IPC messages which form the most likely attack surface for a fuzzing attack, with the SoftwareUpdateRequest command being an interesting target as it would seem to not require authentication since it doesn’t address a specific user. This work is part of [Carlo]’s master’s thesis, and should form the basis of further research on the Starlink User Terminal firmware.

Logic Analyzers: Tapping Into Raspberry Pi Secrets

Today, I’d like to highlight a tool that brings your hacking skills to a whole new level, and does that without breaking the bank – in fact, given just how much debugging time you can save, how many fun pursuits you can unlock, and the numerous features you can add, this might be one of the cheapest tools you will get. Whether it’s debugging weird problems, optimizing your code, probing around a gadget you’re reverse-engineering, or maybe trying to understand someone’s open-source library, you are likely missing out a lot if you don’t have a logic analyzer on hand!

It’s heartbreaking to me that some hackers still don’t know the value that a logic analyzer brings. Over and over again, tactical application of a logic analyzer has helped me see an entirely different perspective on something I was hacking on, and that’s just the thing I’d like to demonstrate today.

Diving In

A logic analyzer has a number of digital inputs, and it continuously reads the state of these digital inputs, sending them to your computer or showing them on a screen – it’s like a logic-level-only oscilloscope. If you have an I2C bus with one MCU controlling a sensor, connect a logic analyzer to the clock and data pins, wire up the ground, launch the logic analyzer software on your computer, and see what’s actually happening.

For instance, have you ever noticed the ID_SC and ID_SD pins on the Raspberry Pi GPIO connector? Are you wondering what they’re for? Don’t you want to check what actually happens on these pins? Let’s do that right now! Continue reading “Logic Analyzers: Tapping Into Raspberry Pi Secrets”

ACK1 Makes Getting To Know The ATtiny1616 Easy

Many readers will be familiar with Microchip’s ATtiny85, which has been a popular choice for DIY projects in the past for its low price and (for the time) small size. But those looking for a more modern and capable 8-bit chip may find the ATtiny1616-MNR of interest. It offers expanded flash storage, more GPIO, and ditches SPI programming in favor of UPDI — a protocol that can be done using nothing more than an USB-UART converter and a resistor.

The contents of the ACK1 kit
What’s in the kit if you buy it.

But here’s the catch: the new chip is only available in SMD and there are far fewer tutorials for it! That’s why [Bradán Lane] has created ACK1, a cute little AVR Coding Kit for those of us who want to play with the ATtiny1616 and a companion for his free and open-source course.

The board contains an array of 6 by 7 LEDs in a charlieplexed configuration, a large piezo buzzer, two push buttons, an on/off switch, and a CR2032 battery holder to keep it on without the need for a cable. The kit looks gorgeous in its white-on-black theme with gold plated contacts and can be had for $20 on Tindie at the time of writing.

The ATtiny1616 itself runs at up to 20 MHz and has 17 GPIO pins, 16 KiB of flash storage, 2 KiB of RAM, and 256 bytes of EEPROM for configuration — making it roughly on par with the original Arduino Uno.

The course that goes hand-in-hand with the ACK1 is all about the features of the ATtiny1616, from the basics of using the programmer to reading the buttons, using timers, driving the charlieplexed LEDs, storing data in the EEPROM and much more. Though it does not cover the basics of C, the course is free, and even licensed MIT, so that anyone can share it and improve upon it.

If you enjoy seeing beautiful microcontrollers, you’ll definitely want to see the stylish Uno Plus+.

Wireless Data Connections Through Light

When wired networking or data connections can’t be made, for reasons of distance or practicality, various wireless protocols are available to us. Wi-Fi is among the most common, at least as far as networking personal computers is concerned, but other methods such as LoRa or Zigbee are available when data rates are low and distances great. All of these methods share one thing in common, though: their use of radio waves to send data. Using other parts of the electromagnetic spectrum is not out of the question, though, and [mircemk] demonstrates using light as the medium instead of radio.

Although this isn’t a new technology (“Li-Fi” was first introduced in 2011) it’s not one that we see often. It does have a few benefits though, including high rates of data transmission. In this system, [mircemk] is using an LED to send the information and a solar cell as the receiver. The LED is connected to a simple analog modulator circuit, which takes an audio signal as its input and sends the data to the light. The solar cell sends its data, with the help of a capacitor, straight to the aux input on a radio which is used to convert the signal back to audio.

Some of the other perks of a system like this are seen here as well. The audio is clear even as the light source and solar cell are separated at a fairly significant distance, perhaps ten meters or so. This might not seem like a lot compared to Wi-Fi, but another perk shown is that this method can be used within existing lighting systems since the modulation is not detectable by the human eye. Outside of a home or office setting, systems like these can also be used to send data much greater distances as well, as long as the LED is replaced with a laser.

Continue reading “Wireless Data Connections Through Light”