Hacking The Linksys WRT120N Part 2


[Craig Heffner] has been busy with his Linksys WRT120N router. When we last checked in on [Craig] he had reverse engineered the obfuscation techniques used in the router’s firmware. Since then, he’s re-enabled JTAG, cracked the “encryption” used for saving configuration backups, and now he’s devised a simple attack to change the admin password.

With the firmware unlocked, [Craig] went after the hardware JTAG. His first hurdle was a missing jumper connecting the TDI pin to the processor. With a solder blob making the connection, he then found the router would connect to his JTAG debugger, and immediately reset. TDI had been re-used as a GPIO in software, and assigned to the reset button on the back of the router. [Craig’s] JTAG pod was pulling the pin low and causing the reset. To make matters worse, the bootloader also redefined and checked for the reset button. If the button were pressed it would boot into a recovery mode. [Craig] patched the bootloader with a little help from IDA Pro. He then desoldered the router’s flash and programmed it outside the system. The firmware required a similar patch. Rather than desolder the flash chip again, [Craig] created a firmware update the router would accept and flashed it via the router’s web interface.

Since he was already deep into the Linksys firmware, [Craig] looked for any obvious attack vectors. He found a big one in /cgi/tmUnBlock.cgi. Inside the firmware, the URL sent to that CGI is passed through sprintf(). In plain English, it means that no input length checking was happening – so a URL longer than the firmware engineers expected (in this case 256 bytes) would overflow into areas of memory it wasn’t supposed to – in this case, the stack. For an astute attacker, that’s a wide open door. [Craig] was able to find some Return Oriented Programming (ROP) gadgets and created an input value that would cause the router to reset its own administrator password. After running the exploit, a quick trip to the router’s webpage proved his attack was successful.
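The defect pattern described above, shown beside its bounded fix, as an added illustration that is not the WRT120N's code or [Craig's]: a fixed 256-byte stack buffer filled by sprintf() with no length check, versus snprintf() whose return value reveals truncation so an over-long request can be refused. The function names and the constructed test URL are assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Size of the fixed stack buffer the article describes. */
#define URL_BUF_SIZE 256

/* Constructed illustration of the defect described for tmUnBlock.cgi, not
 * the router's code: sprintf() copies the request URL into a fixed stack
 * buffer with no length check, so a URL of 256 bytes or more writes past
 * the buffer into the rest of the frame (undefined behaviour). It is only
 * ever called here with input that fits; it is shown for contrast. */
size_t handle_url_unchecked(const char *url)
{
    char buf[URL_BUF_SIZE];
    sprintf(buf, "%s", url);                 /* the defect: unbounded copy */
    return strlen(buf);
}

/* Hardened form: snprintf() writes at most sizeof buf bytes and returns the
 * length the full string would have had, so n >= sizeof buf means the input
 * was truncated. Refuse such requests instead of processing a silently
 * shortened URL. Returns the copied length, or 0 with *rejected set. */
size_t handle_url_checked(const char *url, int *rejected)
{
    char buf[URL_BUF_SIZE];
    int n = snprintf(buf, sizeof buf, "%s", url);
    if (n < 0 || (size_t)n >= sizeof buf) { *rejected = 1; return 0; }
    *rejected = 0;
    return (size_t)n;
}

/* Demo helper: build a constructed URL of `len` bytes of 'A' and report
 * whether the checked handler rejects it (1) or accepts it (0); -1 if
 * len does not fit the scratch buffer. */
int checked_rejects_length(size_t len)
{
    char url[1024];
    int rejected = 0;
    if (len >= sizeof url)
        return -1;
    memset(url, 'A', len);
    url[len] = '\0';
    handle_url_checked(url, &rejected);
    return rejected;
}
```

A 255-byte URL still fits (255 characters plus the terminator), so the boundary the checked handler enforces is exactly the buffer size the article names.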

If that wasn’t enough, [Craig] also spent some time looking at the patches to the router’s firmware. The release notes of one of the patches mentioned encrypting configuration files. The WRT120N, like many routers, allows the owner to download and save the configuration as a file. It turned out that the “encryption” scheme was nothing more than an exclusive OR with 0xFF. A pretty weak encryption scheme by any standards. To [Craig] we send our congratulations. To the WRT120N software engineers, we’d suggest taking one of [Craig’s] embedded device exploitation classes.

We’re Going To The Midwest RepRap Fest

One month from now, Goshen, Indiana – deep in the land of Dairy Queens – will become one of the premier sites for RepRapping, 3D printing and everything involving open source manufacturing. It’s the 2nd annual Midwest RepRap Festival to be held March 14-16. Oh, Hackaday will also be there, cavorting around, distributing some swag, and doing some live videos and posts of the event.

Highlights of the Festival include [Prusa] giving a talk on the state of open source printing, [Sonny Monicou] discussing the challenges of his RepRap workshops, a roundtable discussion of the RepRap project, [Nicholas Seward] and his creations – the Wally, Simpson, and Lisa, along with a few folks from Lulzbot and UltiMachine. Basically, the only way to go to a bigger RepRap convention would be to visit a Maker Faire, and even that would only add a few hundred 9-year-olds astounded by printed Minecraft figurines.

If you’re willing to make the drive, there’s no fee to attend; just register, show up, and you’ll get a table for all that up-til-midnight RepRapping. There’s also a waffle breakfast on Sunday, along with me walking around makin’ it rain Hackaday stickers.

QFN Breakout Is Easy On The Eyes, Wallet

What do you do when you have ATMega328s in QFN package burning a hole in your bug box, but you aren’t set up for SMD and have limited access to parts? You man up and do what [Djpanjan] did: make your own breakout board with solder, right angle header, and many tiny, beautiful wires.

[Djpanjan] says the process is a simple one that requires great concentration. Once he had it broken out, he covered the wires with hot glue to make sure they all stay in place. He programmed it using an Arduino as an ISP and he was able to run the blink sketch without issue. He blinked all the output pins to make sure there were no shorts.

[Djpanjan] says that if he can’t get a breakout for his LQFP-144, he’s going to make his own again. Good luck, [Djpanjan]. We’re all counting on you.

If you’re set up for SMD and etching, there’s always the surface mount breakout route. If not, you can always use magnet wire and protoboard.

DIY Router Base For Your Dremel


Dremel rotary tools are handy. Some of the attachments are convenient. [vreinkymov] felt the convenience wasn’t worth the cost, so he decided to make a router base for his Dremel. These types of attachments are used to hold the Dremel perpendicular to the work surface.

Underneath the little nut/cover near the spindle of the Dremel, there is a 3/4″-12 threaded feature used to attach accessories. A quick trip down the hardware store’s plumbing aisle turned up a PVC reducer with the correct female thread to fit the Dremel. Once on the rotary tool, the reducer threads into a PVC nipple that is glued to a piece of acrylic. The acrylic acts as the base of the router attachment.


This Party Jukebox Is Bigger On The Inside

In honor of the recent 50th anniversary of Doctor Who, [David Prouty] decided to build a 1/3rd scale replica of the Tardis. He also decided to give it a few extra features on the inside… Introducing the Recycled Tardis Jukebox!

It was constructed primarily out of recycled cardboard boxes (pizza, FedEx, UHaul, etc) and [David] has done an amazing job painting and detailing it!

Since it’s so big, [David] wanted it to be functional too, so he’s added Bluetooth speakers, sound activated lights, disco balls, and even a fog machine on the inside. It’s all controlled wirelessly by remote, and it’s sure to be a hit at any party he decides to throw.

Stick around for the videos showing it in action — and of course, making our favorite sound VWORRRRRP VWRORRRP VWORRRP!


Open Bitcoin ATM


If there’s one thing Bitcoins can benefit from, it’s easier accessibility for first-time users. The process can be a bit daunting if you’re new to cryptocurrency, but [mayosmith] is developing an open Bitcoin ATM to help get coins in the hands of the masses. There are already some Bitcoin dispensers out there. The Lamassu is around 5k a pop, and then there’s always the option of low-tech Condom Vending Machine conversions.

[mayosmith’s] build is still in the proof-of-concept phase, but has some powerful functionality underway. The box is made from acrylic with a front plate of 12″x12″ aluminum sheet metal, held on by 2 aluminum angles and some bolts. Slots were carved out of the aluminum sheet for the thermal printer and for the bill acceptor—the comments identify it as an Apex 7000. Inside is an Arduino with an SD shield attached. Dollars inserted into the acceptor trigger the Arduino to spit out a previously-generated QR code for some coins via the thermal printer, though all values are pre-determined at the time of creation and stored sequentially on the SD card. Stick around for a quick video below, and check out the official page for more information: http://openbitcoinatm.org


Scrappy Lil’ Circular Saw

Like a lot of us, [Andrea] has a habit of disassembling everything he runs into. He recently came across a fairly substantial motor he’d salvaged and envisioned its new life as a small circular saw.

[Andrea] bought new cutting discs, but the rest is salvage and scrap. He had already mounted the motor, pivot, belt, and gear to a wood block, so he added two more wood scraps for a base and a cutting surface. He screwed a metal L beam to one side of the surface block to keep the disc adjacent to the edge. A couple of washers keep the disc rotating freely. [Andrea] used a piece of hydraulic pipe and a cylindrical nut to attach the disc to the pivot. This assembly can be easily tightened by hand, so changing discs is a quick operation.

He kept the electrical as-is and mounted the box to the saw body. This 30W motor runs at ~600-1000RPM, which isn’t fast enough to cut wood. Undeterred, [Andrea] plans to use it to cut steel bolts, copper circuit boards, and metal plates. If you need to cut through anything and everything, try this 700W DIY table saw.