Messaging On Signal Via The ESP32

Signal is a popular encrypted messaging app, typically used on smartphones. The cross-platform service can now be used via the ESP32, however, thanks to the work of [Dharmik] and [Tirth].

The demonstration is simple, using an ESP32 microcontroller fitted with two push buttons. When one button is pushed, it increments a counter and sends a Signal message noting the current count. The other button sends an image as a Signal message.

The project relies on a Signal bot run by CallMeBot to hand out an API key, and that key is what makes the project work. Messages are sent by making HTTP requests carrying the key to the CallMeBot.com server. Since the key only authenticates sending to the number it was issued for, users can only send messages to their own number, which keeps the system from being useful to spammers.
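To make the request concrete, here is an added example (not the code from [Dharmik] and [Tirth]'s project) of the two pieces the ESP32 firmware needs: percent-encoding the message so that spaces and punctuation survive the query string, and keeping the API key out of anything that gets logged. The endpoint path and parameter names are assumptions; the phone number and key are constructed placeholders. It is plain C so it runs on a desktop, and the same functions drop into an ESP-IDF project unchanged.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Percent-encode `in` per RFC 3986: unreserved characters (ALPHA, DIGIT,
 * "-._~") pass through, everything else becomes %XX. Returns the encoded
 * length (excluding the NUL) or -1 if `out` cannot hold the result. */
int url_encode(const char *in, char *out, size_t outlen)
{
    static const char hex[] = "0123456789ABCDEF";
    size_t n = 0;

    if (outlen == 0)
        return -1;
    for (const unsigned char *p = (const unsigned char *)in; *p; p++) {
        if (isalnum(*p) || strchr("-._~", *p)) {
            if (n + 1 >= outlen)
                return -1;
            out[n++] = (char)*p;
        } else {
            if (n + 3 >= outlen)
                return -1;
            out[n++] = '%';
            out[n++] = hex[*p >> 4];
            out[n++] = hex[*p & 0x0f];
        }
    }
    out[n] = '\0';
    return (int)n;
}

/* Assumed endpoint shape (not taken from the article): one GET with the
 * number, the bot-issued key and the message as query parameters. */
#define CALLMEBOT_SIGNAL_URL "https://api.callmebot.com/signal/send.php"

int build_signal_url(const char *phone, const char *apikey, const char *text,
                     char *out, size_t outlen)
{
    char ephone[64], ekey[128], etext[1024];

    if (url_encode(phone, ephone, sizeof ephone) < 0 ||
        url_encode(apikey, ekey, sizeof ekey) < 0 ||
        url_encode(text, etext, sizeof etext) < 0)
        return -1;

    int n = snprintf(out, outlen, "%s?phone=%s&apikey=%s&text=%s",
                     CALLMEBOT_SIGNAL_URL, ephone, ekey, etext);
    return (n < 0 || (size_t)n >= outlen) ? -1 : n;
}

/* Mask the key before a URL goes to the serial console or a log: the value
 * after "apikey=" up to the next '&' is replaced by "***". */
int redact_apikey(const char *url, char *out, size_t outlen)
{
    const char *key = strstr(url, "apikey=");
    if (!key) {
        int n = snprintf(out, outlen, "%s", url);
        return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
    }
    key += strlen("apikey=");
    const char *end = strchr(key, '&');
    if (!end)
        end = key + strlen(key);
    int n = snprintf(out, outlen, "%.*s***%s", (int)(key - url), url, end);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

int main(void)
{
    char url[512], safe[512];
    /* Constructed values: the number and key below are placeholders. */
    if (build_signal_url("+15555550123", "123456", "Count: 3", url, sizeof url) < 0)
        return 1;
    redact_apikey(url, safe, sizeof safe);
    printf("GET %s\n", safe);
    return 0;
}
```

Both the key and the message text ride in the query string, so HTTPS hides them from the network but not from CallMeBot or from any proxy or firmware log that records full URLs; that is why the redaction step exists.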

While the demonstration is basic, it serves to illustrate how the project works. The aim was to allow home automation and other Internet of Things systems to send Signal messages, and through this method it's now possible. Note that the message text and the API key pass through CallMeBot's server in the clear, so Signal's end-to-end encryption only covers the hop from the bot to your phone. The highly security conscious likely won't want to rely on a random third party server for that reason, but for those tinkering around, it may not be such a big deal.

The Internet of Things has a long history with self-messaging projects; we featured the Twittering Toaster back in 2008! Video after the break.


Rocky Linux Is Ready For Prime Time!

For some small percentage of the Hackaday crowd, our world got turned upside down at the end of last year, when Red Hat announced changes to CentOS. That distro is the official repackage of Red Hat Enterprise Linux, providing a free, de-branded version of RHEL. The big problem was that CentOS 8 support was cut way short, ending at the end of 2021 instead of the expected 2029. This caused no shortage of consternation in the community, and a few people and companies stepped forward to provide their own CentOS alternative, with AlmaLinux and Rocky Linux being the two most promising. AlmaLinux minted their first release in March, but the Rocky project decided to take things a bit slower. The wait is over, and the Rocky Linux 8.4 release is ready.

Not only are there ISOs for new installs, there is also a script to convert a CentOS 8 install to Rocky. Now before you run out and convert all your CentOS machines, there are a few caveats. First, the upgrade script is still being tested and fixed as problems are found. The big outstanding issue is that Secure Boot isn't working yet. The process of spinning up a new Secure Boot shim and getting it properly signed (by Microsoft's UEFI CA, which is the signer firmware trusts out of the box) is non-trivial, and takes time. The plan is to do an 8.4 re-release when the shim is ready, so keep an eye out for that, if you need Secure Boot support.
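Before running the conversion it is worth knowing whether the machine actually boots with Secure Boot enforced, since that is the case the missing shim breaks. The added example below (not part of the Rocky project's script) reads the two UEFI variables that answer that question through Linux's efivarfs. The paths and the efivarfs layout (four bytes of attribute flags, then the variable data) are standard; the sample byte strings in the test are constructed.

```c
#include <stddef.h>
#include <stdio.h>

/* efivarfs paths for the two variables, under the EFI global variable GUID. */
#define SECUREBOOT_EFIVAR \
    "/sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c"
#define SETUPMODE_EFIVAR \
    "/sys/firmware/efi/efivars/SetupMode-8be4df61-93ca-11d2-aa0d-00e098032b8c"

/* efivarfs prepends 4 bytes of attribute flags to each variable's data; the
 * data of SecureBoot and SetupMode is a single byte. Returns that byte
 * (0 or 1), or -1 if the blob is not the expected 5 bytes or the value is
 * out of range. */
int efivar_bool(const unsigned char *blob, size_t len)
{
    if (len != 5 || blob[4] > 1)
        return -1;
    return blob[4];
}

/* Reads one variable file; -1 when efivarfs is absent (legacy BIOS boot, or
 * efivarfs not mounted) or the contents are malformed. */
int read_efivar_bool(const char *path)
{
    unsigned char blob[16];
    FILE *f = fopen(path, "rb");
    if (!f)
        return -1;
    size_t n = fread(blob, 1, sizeof blob, f);
    fclose(f);
    return efivar_bool(blob, n);
}

/* Combines both variables the way the firmware does: Secure Boot is only
 * enforced when SecureBoot == 1 and the platform is not in SetupMode.
 * Returns 1 enforcing, 0 not enforcing, -1 unknown. */
int secure_boot_enforced(int secure_boot, int setup_mode)
{
    if (secure_boot < 0 || setup_mode < 0)
        return -1;
    return secure_boot == 1 && setup_mode == 0;
}

int main(void)
{
    int sb = read_efivar_bool(SECUREBOOT_EFIVAR);
    int sm = read_efivar_bool(SETUPMODE_EFIVAR);
    switch (secure_boot_enforced(sb, sm)) {
    case 1:
        puts("Secure Boot enforced: wait for the signed Rocky shim before converting");
        return 0;
    case 0:
        puts("Secure Boot not enforced");
        return 0;
    default:
        puts("Cannot read efivars (legacy boot or efivarfs not mounted)");
        return 2;
    }
}
```

The same answer is available from `mokutil --sb-state` on most distributions; reading the variables directly avoids depending on that package being installed on a host you are about to re-base.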

The future looks bright for enterprise Linux, with options such as Rocky Linux, AlmaLinux, and even CentOS Stream. It’s worth noting that Rocky has a newly formed company behind it, CIQ, offering support if you want it. The Rocky crew is planning a launch party online on June 25th, so tune in if that’s your thing. Regardless of which Linux OS you run, it’s good to have Rocky in the game.

What Every Geek Must Know

How is it possible that there’s a geek culture? I mean, it’s one thing to assume that all folks of a nerdy enough bent will know a little Ohm’s law, can fake their way through enough quantum mechanics to at least be interesting at a cocktail party, and might even have a favorite mnemonic for the resistor colors or the angles involved in sine, cosine, and tangents. But how is it that we all know the answer to life, the universe, and everything?

Mike and I were podcasting a couple of weeks back, and it came out that he’d never played Starcraft. I was aghast! Especially since he’s into video games in general, to have not played the seminal 3-way-without-being-rock-scissors-paper game! My mind boggled. But then again, there was a time in my life when I hadn’t actually read all of Dune or Cryptonomicon, which would have left Mike’s jaw on the floor.

Whether you prefer Star Trek or Star Wars, the Matrix or the Hobbit, it's even more surprising that we have so much in common! And thinking about it, I'm pretty sure that exactly our interchange is the reason: it's a word of mouth culture thing. Some folks at the hackerspace are talking about Cthulhu, and chances are you're going to be reading some Lovecraft. An argument about the plausibility of the hacks in The Martian has sent at least a couple of geeks to the cinema or the library. And so it goes.

So do your part! Share your geek-culture recommendations with us all in the comments. If you were stranded on a desert island, with a decent bookshelf and maybe even a streaming video service, what’s on your top-10 list? What do you still need to see, read, or hear?

Dreamcast Homebrew Gets Boost From SD Card Cache

While it might have been a commercial failure compared to contemporary consoles, the Sega Dreamcast still enjoys an active homebrew scene more than twenty years after its release. Partly it’s due to the fact that you can burn playable Dreamcast discs on standard CD-Rs, but fans of the system will also point out that the machine was clearly ahead of its time in many respects, affording it a bit of extra goodwill in the community.

That same community happens to be buzzing right now with news that well-known Dreamcast hacker [Ian Micheal] has figured out how to cache data to an SD card via the console’s serial port. At roughly 600 KB/s the interface is too slow to use it as swap space for expanding the system’s paltry 16 MB of memory, but it’s more than fast enough to load game assets which otherwise would have had to be loaded into RAM.

A third-party Dreamcast SD adapter.

In the video below, [Ian] shows off his new technique with a port of DOOM running at 640×480. He’s already seeing an improvement to framerates, and thinks further optimizations should allow for a solid 30 FPS, but that’s not really the most exciting part. With the ability to load an essentially unlimited amount of data from the SD card while the game is running, this opens the possibility of running mods which wouldn’t have been possible otherwise. It should also allow for niceties like saving screenshots or game progress to the SD card for easy retrieval.

[Ian] says he’ll be bringing the same technique to his Dreamcast ports of Quake and Hexen in the near future, and plans on posting some code to GitHub that demonstrates reading and writing to FAT32 cards so other developers can get in on the fun. The downside is that you obviously need to have an SD card adapter plugged into your console to make use of this technique, which not everyone will have. Luckily they’re fairly cheap right now, but we wouldn’t be surprised if the prices start climbing. If you don’t have one already, now’s probably the time to get one.

To be clear, this technique is completely separate from replacing the Dreamcast’s optical drive with an SD card, which itself is a very popular modification that’s helped keep Sega’s last home console kicking far longer than anyone could have imagined.


Building Fallout’s Super Sledge

The Fallout series of games has a variety of ridiculous weapons, not least the Super Sledge — a rocket propelled sledgehammer that looks about as dangerous for the wielder as it does for the opponent. [JAIRUS OF ALL] decided he had to recreate this build in real life, risks be damned.

Unwilling to go the single-use, solid rocket route for his build, [JAIRUS] instead elected to go with an electric ducted fan, supplemented with a propane supply for added flames. It’s not really a rocket of any form, and it’s unlikely the burning propane adds any real thrust, but it does shoot huge flames out the back and it is terrifying. The EDF idle speed can be set by a potentiometer on a servo tester hooked up to a speed controller, while there’s a valve for adjusting propane flow. A switch can then be used to boost the EDF speed higher and increase the propane flow, increasing the violence of the flow out the back of the hammer.

Notably, [JAIRUS] doesn’t actually demonstrate swinging the hammer at anything in particular. We’re kind of glad, as we suspect it might end with a sizable explosion, or burns at the very least. Nonetheless, it would easily be the most terrifying prop weapon at most any Halloween party you took it to. It’s in a similar vein to the fire vortex cannon [JAIRUS] also designed. Video after the break.


Tiny Gasoline Engine Fitted With A Custom Billet Waterpump

We don’t typically use gasoline engines smaller than 50 cc or so. Below that size, electric motors are usually less messy and more capable of doing the job. That doesn’t mean the tiny engines aren’t cute, however. [JohnnyQ90] is a fan of tiny internal combustion engines, and decided to whip up a little water pump for one of his so it could do something useful besides make noise.

The pump is built out of billet aluminium, showing off [JohnnyQ90]’s machining skills. The two pieces that make up the main body and cover plate of the pump are impressive enough, but the real party piece is the tiny delicate impeller which actually does the majority of the work. The delicate curves of the pump blades are carefully carved out and look exquisite when finished.

The pump’s performance is adequate, and the tiny gasoline engine makes quite a racket, but it’s a great display of machining skill. If so desired, the pump could also do a great job for a small liquid delivery system if hooked up to a quiet electric motor. The aluminium design has the benefit of being relatively leak-free when assembled properly, something a lot of 3D printed designs struggle to accomplish.

We’ve seen [JohnnyQ90]’s micro engine experiments before, too — like this small generator build. Video after the break.


This Week In Security: M1RACLES, The Full Half-Double, And Patch Gaps

We occasionally make fun of new security vulnerabilities that have a catchy name and shiny website. We’re breaking new ground here, though, in covering a shiny website that makes fun of itself. So first off, this is a real vulnerability in Apple’s brand-new M1 chip. It’s got CVE-2021-30747, and in some very limited cases, it could be used for something malicious. The full name is M1ssing Register Access Controls Leak EL0 State, or M1RACLES. To translate that trying-too-hard-to-be-clever name to English, a CPU register is left open to read/write access from unprivileged userspace. It happens to be a two-bit register that doesn’t have a documented purpose, so it’s perfect for smuggling data between processes.

Do note that this is an undocumented register. If it turns out that it actually does something important, this vulnerability could get more serious in a hurry. Until then, thinking of it as a two-bit vulnerability seems accurate. For now, however, the most we have to worry about is that two processes can use this to pass information back and forth. This isn’t like Spectre or Rowhammer where one process is reading or writing to an unrelated process, but both of them have to be in on the game.

The discoverer, [Hector Martin], points out one example where this could actually be abused: to bypass permissions on iOS devices. It’s a clever scenario. Third party keyboards have always been just a little worrying, because they run code that can see everything you type, passwords included. The long-standing advice has been to never use such a keyboard, if it asks for network access permissions. Apple has made this advice into a platform rule — no iOS keyboards get network access. What if a device had a second malicious app installed, that did have Internet access permissions? With a covert data channel, the keyboard could shuffle keystrokes off to its sister app, and get your secrets off the device.
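The keyboard-to-app scenario needs a way to push a byte stream through a register that holds only two bits at a time, with no shared clock between the two processes. The added example below (written for this write-up, not [Hector Martin]'s proof of concept) shows one standard way to do that: use one bit as a clock the sender flips on every symbol and the other as the data bit, so each write is a complete, self-describing symbol. The register itself is abstracted behind read/write hooks and replaced with an in-process variable so the coding scheme runs anywhere; on an M1 those hooks would wrap the privileged-register accessors, which are assumed and not provided here.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Register access hooks. The stand-in below is a plain 2-bit variable
 * shared by both ends; real sender and receiver would each wrap the
 * leaked register's accessors here instead. */
typedef unsigned (*reg_read_fn)(void);
typedef void (*reg_write_fn)(unsigned);

static unsigned fake_reg;
static unsigned fake_read(void) { return fake_reg & 3u; }
static void fake_write(unsigned v) { fake_reg = v & 3u; }

/* Bit 0 carries the clock, bit 1 the data: the sender puts the data bit in
 * place and flips the clock in the same write, so the receiver never sees a
 * half-updated symbol. Both sides must agree the clock starts low. */
struct sender   { reg_write_fn write; unsigned clock; };
struct receiver { reg_read_fn read;  unsigned last_clock; };

void sender_put_bit(struct sender *s, unsigned bit)
{
    s->clock ^= 1u;
    s->write(((bit & 1u) << 1) | s->clock);
}

/* Returns 1 and stores the bit when the clock has flipped since the last
 * poll; 0 (nothing new) otherwise, so polling faster than the sender writes
 * never duplicates a bit. Polling slower than the sender loses bits, which
 * is the receiver's problem to avoid. */
int receiver_poll(struct receiver *r, unsigned *bit)
{
    unsigned v = r->read();
    if ((v & 1u) == r->last_clock)
        return 0;
    r->last_clock = v & 1u;
    *bit = (v >> 1) & 1u;
    return 1;
}

/* Pushes `msg` through the channel MSB first, polling the receiver twice
 * after every write to show that repeated polls do not re-latch a bit.
 * Returns the number of bytes recovered into `out` (NUL-terminated). */
size_t covert_transfer(const char *msg, char *out, size_t outlen)
{
    struct sender s = { fake_write, 0 };
    struct receiver r = { fake_read, 0 };
    unsigned acc = 0, bit;
    int nbits = 0;
    size_t n = 0;

    fake_reg = 0;   /* agreed initial state: clock low */
    for (const unsigned char *p = (const unsigned char *)msg; *p && n + 1 < outlen; p++) {
        for (int i = 7; i >= 0; i--) {
            sender_put_bit(&s, (*p >> i) & 1u);
            for (int poll = 0; poll < 2; poll++) {
                if (receiver_poll(&r, &bit)) {
                    acc = (acc << 1) | bit;
                    if (++nbits == 8) {
                        out[n++] = (char)acc;
                        acc = 0;
                        nbits = 0;
                    }
                }
            }
        }
    }
    if (outlen)
        out[n] = '\0';
    return n;
}

int main(void)
{
    char out[32];
    size_t n = covert_transfer("keystrokes", out, sizeof out);
    printf("received %zu bytes: %s\n", n, out);
    return 0;
}
```

In a two-process deployment the sender would need to pace its writes to the receiver's polling rate, and anything else touching the register would corrupt the stream; neither problem exists for a register that no legitimate software uses, which is what made this one attractive as a channel.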

So how much should you care about CVE-2021-30747? Probably not much. The shiny site is really a social experiment to see how many of us would write up the vulnerability without being in on the joke. Why go to the hassle? Apparently it was all an excuse to make this video, featuring the appropriate Bad Apple!! music video.

Half-Double’ing Down on Rowhammer

A few days ago, Google announced the details of Half-Double, and the glass is definitely Half-Double full with all the silly puns that come to mind. The concept is simple: If Rowhammer works because individual rows of RAM are so physically close together, does further miniaturization enable attacks against bits two rows away? The answer is a qualified yes.

Quick refresher: Rowhammer is an attack first demonstrated against DDR3 back in 2014, where rapid access to one row of memory can cause bit-flip errors in the neighboring row. Since then, there have been efforts by chip manufacturers to harden against Rowhammer, including detection techniques. At the same time, researchers have kept advancing the art through techniques like Double-Sided Rowhammer, randomizing the order of reads, and attempts to synchronize the attack with the RAM’s refresh intervals. Half-Double is yet another way to overcome the protections built into modern RAM chips.

We start by specifying a particular RAM row as the victim (V). The row right beside it will be the near aggressor row (N), and the next row over we call the far aggressor row (F). A normal Rowhammer attack would simply alternate between reading from the near aggressor and a far-off decoy, rapidly toggling the row select line, which degrades the physical charge in neighboring bits. The Half-Double attack instead alternates between the far aggressor and a decoy row for 1000 cycles, and then reads from the near aggressor once. This process is repeated until the victim row has a bit flip, which often happens within a few dozen iterations. Because the heavy hammering isn’t right beside the victim row, the built-in detection applies its mitigations to the wrong row, allowing the attack to succeed in spite of them.

More Vulnerable Windows Servers

We talked about CVE-2021-31166 two weeks ago, a wormable flaw in Windows’ http.sys driver. [Jim DeVries] started wondering something as soon as he heard about the CVE. Was Windows Remote Management, running on port 5985, also vulnerable? Nobody seemed to know, so he took matters into his own hands, and confirmed that yes, WinRM is also vulnerable to this flaw. From what I can tell, this is installed and enabled by default on every modern Windows server.

And far from his optimistic assertion that surely no-one would expose that to the Internet… It’s estimated that there are over 2 million IPs doing just that.

More Ransomware

On the ransomware front, there is an interesting story out of The Republic of Ireland. The health system there was hit by Conti ransomware, and the price for decryption set at the equivalent of $20 million. It came as a surprise, then, when a decryptor was freely published. There seems to be an ongoing theme in ransomware, that the larger groups are trying to manage how much attention they draw. On the other hand, this ransomware attack includes a threat to release private information, and the Conti group is still trying to extort money to prevent it. It’s an odd situation, to be sure.

Inside Baseball for Security News

I found a series of stories and tweets rather interesting, starting with the May Android updates at the beginning of the month. [Liam Tung] at ZDNet does a good job laying out the basics. First, when Google announced the May Android updates, they pointed out four vulnerabilities as possibly being actively exploited. Dan Goodin over at Ars Technica took umbrage with the imprecise language, calling the announcement “vague to the point of being meaningless”.

Shane Huntley jumped into the fray on Twitter, and hinted at the backstory behind the vague warning. There are two possibilities that really make sense here. The first is that exploits have been found for sale somewhere, like a hacker forum. It’s not always obvious if an exploit has indeed been sold to someone using it. The other possibility given is that when Google was notified about the active exploit, there was a requirement that certain details not be shared publicly. So next time you see a big organization like Google hedge their language in an obvious and seemingly unhelpful way, it’s possible that there’s some interesting situation driving that language. Time will tell.

The Patch Gap

The term has been around since at least 2005, but it seems like we’re hearing more and more about patch gap problems. The exact definition varies, depending on who is using the term, and what product they are selling. A good working definition is the time between a vulnerability being public knowledge and an update being available to fix the vulnerability.

There are more common reasons for patch gaps, like vulnerabilities getting dropped online without any coordinated disclosure. Another, more interesting cause is when an upstream problem gets fixed and publicly announced, and it takes time to get the fix pulled in. The example in question this week is Safari, and a fix in upstream WebKit. AudioWorklets, a newer Web Audio feature, provide an easy way to do audio processing in a background thread; the bug there is a type confusion. When initializing a new worker thread, the programmer can use their own constructor to build the thread object. The function that kicks off execution doesn’t actually check that it’s been given a proper object type, and the object gets cast to the expected type regardless. Code then runs as if the object were correct, usually leading to a crash.
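The shape of that bug is worth seeing in miniature. The added example below is a generic C illustration written for this column, not WebKit's code: two object layouts share a leading type tag, a caller-controlled field in one of them lands at the same offset as a function pointer in the other, and the only difference between the vulnerable and hardened dispatch paths is whether the tag is checked before the cast. The names and layouts are constructed for the demonstration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Every engine object starts with a kind tag; the body differs per kind. */
enum kind { KIND_WORKLET = 1, KIND_BLOB = 2 };

struct worklet;
typedef void (*process_fn)(struct worklet *);

struct worklet {
    int kind;
    process_fn process;   /* invoked when the worklet thread starts */
    int processed;
};

struct blob {
    int kind;
    uintptr_t payload;    /* caller-controlled; sits at the same offset as process */
};

/* The two layouts share storage, which is exactly what an unchecked cast
 * of a caller-supplied object creates. */
union object { struct worklet w; struct blob b; };

static void real_process(struct worklet *w) { w->processed++; }

void make_worklet(union object *o)
{
    o->w.kind = KIND_WORKLET;
    o->w.process = real_process;
    o->w.processed = 0;
}

void make_blob(union object *o, uintptr_t payload)
{
    o->b.kind = KIND_BLOB;
    o->b.payload = payload;
}

/* Vulnerable: assumes whatever it was handed is a worklet and reads the
 * function pointer without checking the tag. For a blob the "function
 * pointer" is the caller's payload, i.e. a controlled call target. */
process_fn start_unchecked(union object *o)
{
    struct worklet *w = &o->w;   /* blind downcast */
    return w->process;
}

/* Hardened: the tag is verified before the object is treated as a worklet. */
process_fn start_checked(union object *o)
{
    if (o->w.kind != KIND_WORKLET)
        return NULL;
    return o->w.process;
}

/* Runs the worklet through the checked path; -1 means rejected. */
int run_checked(union object *o)
{
    process_fn fn = start_checked(o);
    if (!fn)
        return -1;
    fn(&o->w);
    return 0;
}

int main(void)
{
    union object o;
    make_blob(&o, (uintptr_t)0x4141414141414141ULL);
    /* Printed, not called: the unchecked path would jump to the payload. */
    printf("unchecked would call %#lx; checked returns %#lx\n",
           (unsigned long)(uintptr_t)start_unchecked(&o),
           (unsigned long)(uintptr_t)start_checked(&o));
    return 0;
}
```

With a payload of 0x4141414141414141 the crash is immediate, which is why such bugs first look like harmless denial of service; a payload pointing at something useful, combined with a separate leak to defeat address randomization, is what turns the same missing check into code execution.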

The bug was fixed upstream shortly after a Safari update was shipped. It’s thought that Apple ran with the understanding that this couldn’t be used for an actual RCE, and therefore hadn’t issued a security update to fix it. The problem there is that it is exploitable, and a PoC exploit has been available for a week. As is often the case, this vulnerability would need to be combined with at least one more exploit to overcome the security hardening and sandboxing built into modern browsers.

There’s one more quirk that makes this bug extra dangerous, though. On iOS devices, when you download a different browser, you’re essentially running Safari’s WebKit engine with a different skin pasted on top, so switching browsers doesn’t help. As far as I know, there is no way to mitigate against this bug on an iOS device. Maybe be extra careful about what websites you visit for a few days, until this gets fixed.

Via Ars Technica