Chinese Temperature/Humidity Sensor Is Easily Hacked

There’s a new piece of electronics from China on the market now: the USR-HTW Wireless Temperature and Humidity Sensor. The device connects over Wi-Fi and serves up a webpage where the user can view various climate statistics. [Tristan] obtained one of these devices and cracked open the data stream, revealing that this sensor is easily manipulated to do his bidding.

Once the device is connected, it sends an 11-byte data stream a few times a minute on port 8899 which can be easily intercepted. [Tristan] likes the device due to the relative ease with which he could decode information, and his project log is very detailed about how he went about doing this. He notes that the antenna could easily be replaced as well, just in case the device needs increased range.

There are many great reasons a device like this would be useful, such as using it as a remote sensor (or in an array of sensors) for a homemade thermostat, or a greenhouse, or in any number of other applications. The sky’s the limit!

MicroDMA And LEDs

[Jordan] has been playing around with WS2812b RGB LED strips with TI’s Tiva and Stellaris Launchpads. He’s been using the SPI lines to drive data to the LED strip, but this method means the processor is spending a lot of time grabbing data from a memory location and shuffling it out the SPI output register. It’s a great opportunity to learn about the μDMA available on these chips, and to write a library that uses DMA to control larger numbers of LEDs than a SPI peripheral could handle with a naive bit of code.

DMA is a powerful tool – instead of wasting processor cycles on moving bits back and forth between memory and a peripheral, the DMA controller does the same thing all by its lonesome, freeing up the CPU to do real work. TI’s Tiva C series and Stellaris LaunchPads have a μDMA controller with 32 channels, each of which has four unique hardware peripherals it can interact with or can be used for a DMA transfer.

[Jordan] wrote a simple library that can be used to control a chain of WS2812b LEDs using the SPI peripheral. It’s much faster than transferring bits to the SPI peripheral with the CPU, and updating the frames for the LED strip is easier; new frames of an LED animation can be called from the main loop, or the DMA can just start again, without wasting precious CPU cycles updating some LEDs.

Motion Through Time Painted In Light

Photographer [Stephen Orlando] has an awesome body of work that focuses on human motion. The images he captures with colored light and a camera set up in a setting of choice tell a story of time in a way that’s visually stunning.

[Stephen] has experimented with various types of action. He’s attached LED strips onto props like oars in order to capture the rhythmic movements of rowing, or directly onto parts of the body to visualize more chaotic gestures, like the forms of a martial artist. His camera is set up to take long exposures, soaking in the light as it plots itself through space over time.


Though this isn’t a hack directly in itself, [Stephen’s] experimentation with time and light is a great case of technology being added to the arsenal of traditional mediums we’re accustomed to seeing in the production of artistic work. The clean execution of his idea to tell a story about what we don’t typically get to see by use of light should inspire all of us who love to play around with LEDs in our projects. Sometimes the more interesting aspects of our work are created in the negative space we forget to consider.

The next time you find yourself working on a hack, look at what you’re creating from a perspective beyond its original context. For example, 3D printing with a delta robot is a bit of a departure from its original purpose as a pick and place machine. Even further yet is the concept of using one to draw images in space with light. Often the process of something’s creation, as well as the byproduct of what it took to make it, is just as worthy of investigation. Don’t forget to search between the lines… that’s where the magic is.

Generating Laser Cut Boxes In C

[Mike] is a laser cutting newbie and has never had the opportunity to create a file and send it off to a laser for cutting. He knew he didn’t want to squint at a CAD package, nudging lines by tenths of a millimeter, only to screw something up and have to do it all over again. His solution, like so many other automation tasks, was to create a program that would generate a box of any size in .SVG format.

[Mike]’s program runs in C, and only requires a few variables set in the program to create a box of any size. There’s no argc or argv for the program – the one thing that would turn this into a command line utility that simply creates SVG boxes. Perhaps another time.

The rest of [Mike]’s hackerspace, Fab Lab xChc, was impressed the program worked the first time. With this small bit of C code, [Mike] has an easy, simple tool to generate laser cut boxes. The only remotely complicated bit of C this program uses is printf(), so even an Arduino can spit out the SVG for a laser cut box.


Hacking PayPal Accounts With CSRF

The computer security industry has made many positive changes since the early days of computing. One thing that seems to be catching on with bigger tech companies is bug bounty programs. PayPal offers such a program and [Yasser] decided to throw his hat in the ring and see if he could find any juicy vulnerabilities. His curiosity paid off big time.

PayPal is a huge player in the payment processing world, but that doesn’t mean they are without flaws. Sometimes the bigger the target, the more difficult it is to find problems. [Yasser] wanted to experiment with a cross-site request forgery attack. This type of attack typically requires the attacker to trick the victim into clicking a malicious link. The link would then impersonate the victim and make requests on the victim’s behalf. This is only made possible if the victim is logged into the target website.

PayPal has protection mechanisms in place to prevent this kind of thing, but [Yasser] found a loophole. When a user logs in to make a request, PayPal gives them an authentication token. This token is supposed to be valid for one user and one request only. Through experimentation, [Yasser] discovered a way to obtain a sort of “skeleton key” auth token. The attacker can attempt to initiate a payment transfer without first logging in to any PayPal account. Once the transfer is attempted, PayPal will request the user to authenticate. This process produces an auth token that apparently works for multiple requests from any user. It renders the authentication token almost entirely ineffective.

Once the attacker has a “universal auth token”, he can trick the victim into visiting a malicious web page. If the user is logged into their PayPal account at the time, the attacker’s webpage can use the universal auth token to trick the victim’s computer into making many different PayPal requests. Examples include adding email addresses to the account, changing the answers to security questions, and more. All of this can be done simply by tricking the user into clicking on a single link. Pretty scary.
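A defensive sketch of the property the post says the token was supposed to have (valid for one user and one request only), as an added example that is not PayPal’s code or taken from [Yasser]’s write-up. The class and method names, session ids and action strings are hypothetical.

```python
import hashlib
import hmac
import secrets

# Added example: CsrfTokens, issue and verify are hypothetical names, not PayPal's API.
SERVER_KEY = secrets.token_bytes(32)  # per-deployment secret, generated here for the demo


class CsrfTokens:
    """Issues tokens bound to one authenticated session and one action, usable once."""

    def __init__(self, key: bytes = SERVER_KEY):
        self._key = key
        self._outstanding = set()  # nonces issued and not yet consumed

    def _mac(self, session_id: str, action: str, nonce: str) -> str:
        msg = "\x00".join((session_id, action, nonce)).encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()

    def issue(self, session_id: str, action: str) -> str:
        if not session_id:
            # The flaw described above started with a token obtained before any login.
            raise PermissionError("no token for unauthenticated requests")
        nonce = secrets.token_hex(16)
        self._outstanding.add(nonce)
        return f"{nonce}.{self._mac(session_id, action, nonce)}"

    def verify(self, session_id: str, action: str, token: str) -> bool:
        nonce, _, mac = token.partition(".")
        expected = self._mac(session_id, action, nonce)
        if not hmac.compare_digest(mac.encode(), expected.encode()):
            return False  # issued to another session, another action, or forged
        if nonce not in self._outstanding:
            return False  # already consumed (replay) or never issued
        self._outstanding.discard(nonce)  # single use
        return True


def demo() -> dict:
    tokens = CsrfTokens()
    alice, mallory = "sess-alice", "sess-mallory"  # constructed session ids
    attacker_token = tokens.issue(mallory, "add_email")
    alice_token = tokens.issue(alice, "add_email")
    return {
        "cross_user": tokens.verify(alice, "add_email", attacker_token),
        "cross_action": tokens.verify(alice, "change_security_q", alice_token),
        "first_use": tokens.verify(alice, "add_email", alice_token),
        "replay": tokens.verify(alice, "add_email", alice_token),
    }
```

The in-memory set stands in for a shared store with expiry; the point is that a token minted in the attacker’s own session fails verification in the victim’s.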

[Yasser] was responsible with his disclosure, of course. He reported the bug to PayPal and reports that it was fixed promptly. It’s always great to see big companies like PayPal promoting responsible disclosure and rewarding it rather than calling the lawyers. Be sure to catch a video demonstration of the hack below.

[Amazing Science’s] Simple Electric Train

Making an electromagnet is as simple as wrapping some wire around a nail and taping the wire to both ends of a battery. When you’re done, you can pick up some paper clips – it demonstrates the concept well, but it could use some more oomph. [Amazing Science] has done just that, making an “electric train” (YouTube link). All that’s needed is some coiled copper wire, a battery and magnets thin enough to fit through the coils. The magnets snap onto both ends of the battery. Put the battery inside the coil and watch the fun! The electromagnetic force generated by the current moving through the coil pushes against the magnets attached to the battery, pushing the battery along the way.

[Amazing Science] plays with the setup a bit. Connect both ends of the coil together and the battery will travel in a loop until it’s drained. Add a small hill, or even another battery/magnet set to the mix, and watch them go! We may even make a version of this ourselves to take with us to family gatherings this holiday season – it’s simple, fun, and can teach the young ‘uns about science while we swig some egg nog.

[via Reddit]


Flash Memory Endurance Testing

[Gene] has a project that writes a lot of settings to a PIC microcontroller’s Flash memory. Flash has limited read/erase cycles, and although the obvious problem can be mitigated with error correction codes, it’s a good idea to figure out how Flash fails before picking a certain ECC. This now became a problem of banging on PICs until they puked, and mapping out the failure pattern of the Flash memory in these chips.

The chip on the chopping block for this experiment was a PIC32MX150, with 128K of NOR Flash and 3K of extra Flash for a bootloader. There’s hardware support for erasing all the Flash, erasing one page, programming one row, and programming one word. Because [Gene] expected one bit to work after it had failed and vice versa, the testing protocol used RAM buffers to compare the last state and new state for each bit tested in the Flash. 2K of RAM was tested at a time, with a total of 16K of Flash testable. The code basically cycles through a loop that erases all the pages (should set all bits to ‘1’), reads the pages to check if all bits were ‘1’, writes ‘0’ to all pages, and reads the pages to check if all bits were ‘0’. The output of the test was a 4.6 GB text file that looked something like this: