Hackaday Podcast Episode 289: Tiny Games, Two Modern Modems, And The Next Big Thing

September 20, 2024 by Kristina Panos 9 Comments

This week on the Podcast, Hackaday’s Elliot Williams and Kristina Panos joined forces to bring you the latest news, mystery sound, and of course, a big bunch of hacks from the previous week.

First up in the news: we’ve announced the 2024 Tiny Games Contest winners! We asked you to show us your best tiny game, whether that means tiny hardware, tiny code, or a tiny BOM, and you did so in spades. Congratulations to all the winners and Honorable Mentions, and thanks to DigiKey, Supplyframe, and all who entered!

We also announced the first round of Supercon speakers, so if you haven’t gotten your ticket yet, now’s the second best time.

But wait, there’s more! We’re already a few weeks into the next contest, where we want you to show us your best ~~Simple~~ Supercon Add-On. We love to see the add-ons people make for the badge every year, so this time around we’re really embracing the standard. The best SAOs will get a production run and they’ll be in the swag bag at Hackaday Europe 2025.

Then it’s on to What’s That Sound, which completely stumped Kristina once again. Can you get it? Can you figure it out? Can you guess what’s making that sound? If you can, and your number comes up, you get a special Hackaday Podcast t-shirt.

Now it’s on to the hacks, beginning with non-planar ironing for smooth prints, and a really neat business card that also plays tiny games. Then we’ll discuss USB modems, cool casts for broken wrists, and archiving data on paper. Finally, we ask two big questions — where do you connect the shield, and what’s the Next Big Thing gonna be? Inquiring minds want to know.

Check out the links below if you want to follow along, and as always, tell us what you think about this episode in the comments!

Download in DRM-free MP3 and savor at your leisure.

Continue reading “Hackaday Podcast Episode 289: Tiny Games, Two Modern Modems, And The Next Big Thing” →

Inviting The Public To Take Stereo Photos For Science

September 20, 2024 by Al Williams 14 Comments

[Lynnadeng]’s team wanted to monitor the Los Angeles River over time and wanted citizen scientists — or anyone, for that matter — to help. They built a dual phone holder to allow random passersby to use their phones to take photos. A QR code lets them easily send the pictures to the team. The 3D printed holder is fixed in place and has a known gap that allows stereo reconstruction from pairs of photos.

Of course, people aren’t going to know what to do, so you need a sign with instructions along with the QR code. One advantage to this scheme is that it’s cheap. All the camera hardware is in the public’s phone. Of course, you still have to make the holder robust to the elements, but that’s not nearly as difficult as supplying power and weatherproofing cameras and radios.

The real interesting part is the software. At first, we were disappointed that the post had a dead link to GitHub, but it was easy enough to find the correct one. In some cases, people will use a single camera, so 3D reconstruction isn’t always possible.

We love citizen science around here. No matter where you live, there are many opportunities to contribute.

This Week In Security: Open Source C2, Raptor Trains, And End To End Encryption

September 20, 2024 by Jonathan Bennett 14 Comments

Open Source has sort of eaten everything in software these days. And that includes malware, apparently, with open source Command and Control (C2) frameworks like Sliver and Havoc gaining traction. And of course, this oddball intersection of Open Source and security has intrigued at least one security researcher who has found some interesting vulnerabilities.

Before we dive into what was found, you may wonder why open source malware tools exist. First off, trustworthy C2 servers are quite useful for researchers, who need access to such tools for testing. Then there is Red Teaming, where a security professional launches a mock attack against a target to test its defenses. A C2 is often useful for education and hobby level work, and then there are the true criminals that do use these Open Source tools. It takes all types.

A C2 system consists of an agent installed on compromised systems, usually aiming for stealth. These agents connect to a central server, sending information and then executing any instructions given. And finally there’s a client, which is often just a web interface or even a command line interface.

Now what sort of fun is possible in these C2 systems? Up first is Sliver, written in Go, with a retro command line interface. Sliver supports launching Metasploit on compromised hosts. Turns out, it accidentally supported running Metasploit modules against the server’s OS itself, leading to an easy remote shell from an authenticated controller account.

Havoc has a fancy user interface for the clients, and also a command injection flaw. A service name field gets used to generate a shell command, so you’re only a simple escape away from running commands. That’s not quite as useful as the API that failed open when a bad username/password was given. Oops. Continue reading “This Week In Security: Open Source C2, Raptor Trains, And End To End Encryption” →

COBB Tuning Hit With $2.9 Million Fine Over Emissions Defeat Devices

September 20, 2024 by Maya Posch 110 Comments

Recently, the EPA and COBB Tuning have settled after the latter was sued for providing emissions control defeating equipment. As per the EPA’s settlement details document, COBB Tuning have since 2015 provided customers with the means to disable certain emission controls in cars, in addition to selling aftermarket exhaust pipes with insufficient catalytic systems. As part of the settlement, COBB Tuning will have to destroy any remaining device, delete any such features from its custom tuning software and otherwise take measures to fully comply with the Clean Air Act, in addition to paying a $2,914,000 civil fine.

The tuning of cars has come a long way from the 1960s when tweaking the carburetor air-fuel ratios was the way to get more power. These days cars not only have multiple layers of computers and sensor systems that constantly monitor and tweak the car’s systems, they also have a myriad of emission controls, ranging from permissible air-fuel ratios to catalytic converters. It’s little surprise that these systems can significantly impact the raw performance one might extract from a car’s engine, but if the exhaust of nitrogen-oxides and other pollutants is to be kept within legal limits, simply deleting these limits is not a permissible option.

COBB Tuning proclaimed that they weren’t aware of these issues, and that they never marketed these features as ’emission controls defeating’. They were however aware of issues regarding their products, which is why they announced ‘Project Green Speed’ in 2022, which supposedly would have brought COBB into compliance. Now it would seem that the EPA did find fault despite this, and COBB was forced to making adjustments.

Although perhaps not as egregious as modifying diesel trucks to ‘roll coal’, federal law has made it abundantly clear that if you really want to have fun tweaking and tuning your car without pesky environmental laws getting in the way, you could consider switching to electric drivetrains, even if they’re mind-numbingly easy to make performant compared to internal combustion engines.

Laser Fault Injection, Now With Optional Decapping

September 20, 2024 by Dan Maloney 3 Comments

Whether the goal is reverse engineering, black hat exploitation, or just simple curiosity, getting inside the packages that protect integrated circuits has long been the Holy Grail of hacking. It isn’t easy, though; those inscrutable black epoxy blobs don’t give up their secrets easily, with most decapping methods being some combination of toxic and dangerous. Isn’t there something better than acid baths and spinning bits of tungsten carbide?

[Janne] over at Fraktal thinks so, and the answer he came up with is laser decapping. Specifically, this is an extension of the laser fault injection setup we recently covered, which uses a galvanometer-scanned IR laser to induce glitches in decapped microcontrollers to get past whatever security may be baked into the silicon. The current article continues that work and begins with a long and thorough review of various IC packaging technologies, including the important anatomical differences. There’s also a great review of the pros and cons of many decapping methods, covering everything from the chemical decomposition of epoxy resins to thermal methods. That’s followed by specific instructions on using the LFI rig to gradually ablate the epoxy and expose the die, which is then ready to reveal its secrets.

The benefit of leveraging the LFI rig for decapping is obvious — it’s an all-in-one tool for gaining access and executing fault injection. The usual caveats apply, of course, especially concerning safety; you’ll obviously want to avoid breathing the vaporized epoxy and remember that lasers and retinas don’t mix. But with due diligence, having a single low-cost tool to explore the innards of chips seems like a big win to us.

Inside A Portable Satellite Dish

September 19, 2024 by Al Williams 22 Comments

Like many of us, [Gabe] has things he just can’t stop buying. In his case, it is portable satellite dishes. You’ve seen these. They look like a dome or maybe a hard hat on some kind of motorized base. What’s in them? What can you do with them? Watch the video below and find out.

As [Gabe] points out, you can often find these on the surplus market for very little money. You can sometimes find them on the side of the road for free, too. Although we’ve never been that lucky.

The video shows three generations of Winegard antennas. It shows what’s inside and how to command them. Of course, the obvious use for these is as an antenna. But we also were thinking they’d make a fair motion base for something, too.

Some of the antennas lack any limit switches. On startup, the system spins until it grinds the plastic gears to find its travel limits. We expect that’s not good for the gears, but it does work. [Gabe] mentions it might be a bit of planned obsolescence, but we imagine it is more of a cost-saving measure.

Junkyards are a frequent source for satellite gear, apparently. Dishes have lots of other uses, too.

Continue reading “Inside A Portable Satellite Dish” →

A golden Jolly Wrencher SAO that works as an NFC tag for sharing contact info.

2024 SAO Contest: The Jolly Tagger Is A Golden Way To Share Info

September 19, 2024 by Kristina Panos 16 Comments

For this contest, we’re asking you to come up with the best SAO you can think of that does something cool. What could be cooler than sharing your contact information all over Supercon and beyond with a tap of a Jolly Wrencher? It’s way better than just some sticker, and with the extra solder pad on the back, you can turn it into a pin once the con is over. Contact data can be uploaded over I²C.

An antenna coil PCB trace as generated by a KiCad plugin. — The KiCad-generated coil.

Here, [Phil Weasel] seeks to answer the question of whether one can make a working NFC tag with the M24LR04E IC, using a PCB trace as a coil. If there is an issue, it’s probably going to be that copper plane inside the antenna.

Designing the antenna itself proved fairly easy after checking the datasheet for the internal tuning capacitance (~27.5 pF), verifying the frequency of NFC (~13.56 MHz), and doing the math to find the inductance needed. After confirming everything in LTSpice, [Phil] used a PCB coil calculator and let the KiCad coil generator draw it out.

Did we mention the Jolly Wrencher is backlit by four side-mounted LEDs? Because what’s an SAO without a few blinkenlights?