This Week In Security: AI Is Terrible, Ransomware Wrenches, And Airdrop

So first off, go take a look at this curl bug report. It’s an 8.6-severity security problem, a buffer overflow in WebSockets. Potentially a really bad one. But, it’s bogus. Yes, a strcpy call can be dangerous, if there aren’t proper length checks. This code has pretty robust length checks. There just doesn’t seem to be a vulnerability here.

OK, so let’s jump to the punch line. This is a bug report that was generated with one of the Large Language Models (LLMs) like Google Bard or ChatGPT. And it shouldn’t be a surprise. There are some big bug bounties that are paid out, so naturally people are trying to leverage AI to score those bounties. But as [Daniel Stenberg] points out, LLMs are not actually AI, and the I in LLM stands for intelligence.

There have always been vulnerability reports of dubious quality, sent by people who either don’t understand how vulnerability research works, or are willing to waste maintainer time by sending in raw vulnerability scanner output without putting in any real effort. What LLMs do is provide an illusion of competence that takes longer for a maintainer to wade through before realizing that the claim is bogus. [Daniel] is more charitable than I might be, suggesting that LLMs may help with communicating real issues through language barriers. But still, this suggests that the long-term solution may be “simply” detecting LLM-generated reports, and marking them as spam.

Bambu Lab To Allow Installing Open Firmware After Signing Waiver

On January 10th Bambu Lab published a blog post in which they address the issue of installing custom firmware on your Bambu Lab X1 3D printer. This comes hot on the heels of a number of YouTube channels for the first time showing off the X1Plus firmware that a number of X1 users have been working on as an open source alternative to the closed, proprietary firmware. Per the Bambu Lab blog post, there is good and bad news for those wanting to use X1Plus and similar projects that may pop up in the future.

After Bambu Lab consulted with the people behind X1Plus it was decided that X1 users would be provided with the opportunity to install such firmware without complaints from Bambu Lab. They would however have to sign a waiver that declares that they agree to relinquish their rights to warranty and support with the printer. Although some details are left somewhat vague in the blog post, it appears that after signing this waiver, and with the target X1 printer known to Bambu Lab, it will have a special firmware update (‘Firmware R’) made available for it.

This special firmware then allows for third-party firmware to be installed, with the ability to revert to OEM firmware later on. The original exploit in pre-v1.7.1 firmware will also no longer be used by X1Plus. Hopefully Bambu Lab will soon clarify the remaining questions, as reading the Reddit discussion on the blog post makes it clear that many statements can be interpreted in a variety of ways, including whether or not this ‘Firmware R’ is a one-time offer only, or will remain available forever.

It’s not the first time we’ve seen a 3D printer manufacturer give users this sort of firmware ultimatum. Back in 2019 Prusa added a physical “appendix” to their new 32-bit control board that the user would have to snap off before they could install an unsigned firmware, which the company said signified the user was willing to waive their warranty for the privilege.

Thanks to [Aaron] for the tip.

Decoding A ROM From A Picture Of The Chip

Before there were home computers, among the hottest pieces of consumer technology to own was a pocket calculator. In the early 1970s a series of exciting new chips appeared which allowed the impossible to become the affordable, and suddenly anyone with a bit of cash could have one.

Perhaps one of the more common series of chips came from Texas Instruments, and it’s one of these from which [Veniamin Ilmer] has retrieved the ROM contents. In a way there’s nothing new here, as the code is well known; it’s the way it was done which is of interest. A photo of the die was analysed, and with a bit of detective work the code could be deduced merely from the picture.

These chips were dedicated calculators, but under the hood they were simple pre-programmed microcontrollers. Identifying the ROM area of the chip was thus relatively straightforward, but some more detective work lay in getting to the bottom of how it could be decoded before the code could be verified. So yes, it’s possible to read code from an early 1970s chip by looking at a photograph.

A very similar chip to this one was famously reprogrammed with scientific functions to form the heart of the inexpensive Sinclair Cambridge Scientific.

E-Ink Photo Frame Is A Simple, Pleasing Design

Regular photo frames are good, but they tend to only display a single photo unless you pull them to bits and swap out what’s inside. [Ben] decided to make a digital photo frame using an e-ink display to change things up, and unlike some commercial versions we’ve seen, it’s actually pretty tasteful!

The build is based on a Nook Simple Touch Reader, which can be had pretty cheaply on the used market. It was chosen for the fact it runs Android, which makes it comparatively easy to hack and customize compared to some other e-readers on the market. Once it’s running a custom Android brew, it can be set to run an app called Electric Sign which simply shows a given website fullscreen and updates it at regular intervals. That turns the Nook into a remotely updateable photo frame in one fell swoop. From there, it just took a little trickery to access an iCloud album to update the frame with fresh pics. Then [Ben] just had to customize a nice photo frame to neatly mount the e-reader with room for the cable to subtly snake out the back.

It’s a simple build that relies on some existing tools already lying around the Internet. That’s nice, because it makes it easy for anyone to replicate at home given the same materials. We’ve seen some other great digital photo frames before, too. If you’ve built your own neat and creative way to display your pics, don’t hesitate to drop us a line!

Weird Trashcan Is Actually Advanced 1990s Robot

[Clay Builds] found a bit of a gem at a recent auction, picking up a Nomadic Technologies N150 robot for just $100. It actually looks like something out of science fiction, with its cylindrical design, red bumpers, and many sensors. He decided to try and restore the research-grade robot to functionality with the aid of modern hardware.

Right away, it’s clear this was an expensive and serious bit of kit. It’s full of hardcore gears and motors for driving three rubber-tired wheels, each of which has a pivoting mount for steering the thing. Through his research, [Clay] was able to find some ancient websites documenting university work using the robots. His understanding is that the platform was designed for researchers experimenting with simultaneous localization and mapping (SLAM) algorithms, and other robotic navigation tasks.

[Clay] doesn’t just settle for a teardown, though. He’s been able to get the platform running again in one sense, using an Arduino to manually run the robot’s drive controls under the command of a gamepad. Without official software or resources, it’s perhaps unlikely he’ll be able to get the stock hardware to do much without completely rebraining it, so this method makes sense. In future he hopes to get the bumper sensors and sonar modules working too.

It’s a fair effort given [Clay] was working with no documentation and no supporting software. We’ve seen similar efforts for robotic arms before, too. Video after the break.


A Dashboard Outside The Car

One of the biggest upsides of open communications standards such as CAN or SPI is that a whole world of vehicle hacking becomes available, from simple projects like adding sensors or computers to a car to building a complete engine control unit from the ground up. The reverse is true as well: sensors and gauges using one of these protocols can be removed from a car and put to work in other projects. That’s the idea that [John] had when he set about using a vehicle’s dashboard as an information cluster for his home.

The core of the build is an Astra GTE dashboard cluster, removed from its host vehicle, and wired to an Arduino-compatible board, in this case an ESP32. The code that [John] wrote bit-bangs an SPI bus and after some probing is able to address all of the instrument gauges on the dashboard. For his own use at home, he’s also configured it to work with Home Assistant, where each of the gauges is configured to represent something his home automation system is monitoring using a bit mask to send data to specific dials.

While this specific gauge cluster has a lot of vehicle-specific instrumentation and needs a legend or good memory to tie into a home automation system without any other modification, plenty of vehicle gauges are more intuitive and as long as they have SPI they’d be perfect targets for builds that use this underlying software. This project takes a similar tack and repurposes a few analog voltmeters for home automation, adding a paper background to the meters to make them easier to read.


Voice Controlled Rover Follows Verbal Instructions To Get Around

Typically, when we want to tell a robot where to go, we either pre-program a route or drive it around with some kind of gamepad or joystick controller. [Robotcus] decided to build a simple robot platform that drove around in response to voice commands instead.

The robot is based around a Raspberry Pi Zero, charged with instructing the motor controllers to drive the ‘bot around. The Pi Zero is also in charge of interpreting the voice commands via Google’s speech recognition tool. The ‘bot itself is a fairly simple design using brushed gearmotors for propulsion and a 3D-printed chassis to tie everything together.

The car is capable of understanding five commands – drive, turn left, turn right, go backwards, and “attack”. The last command simply activates a flipper from the robot’s former life as a battlebot. Things ran okay at first, but the Pi Zero was slow at processing commands. The wheels also had minimal traction. A full-fat Raspberry Pi solved the former issue, while a new chassis provided better grip.

It’s a simple project, but one that taught [Robotcus] plenty about programming and building small robots in the process. Like so many learning experiences, it’s easy to see how the robot starts out flailing uselessly and eventually starts to perform as intended. It’s always nice to see that progression. Video after the break.
