National Research Council laboratories in Ottawa

Canada Abruptly Ends Official Time Signal

October 13, 2023 by 47 Comments

In a sudden move that was noted not only by Canadian media, but also international media channels, the National Research Council Time Signal that was broadcast by Canadian Broadcasting Corporation (CBC) on CBC Radio One since November 5 1939 was turned off on October 9th, after eighty-four years, one world war, countless generations, and the rise of modern technology. Although perhaps obsolete by today’s standards, this 15 to 60 second long broadcast at 13:00 Eastern Time every single day has been a constant in the life of Canadians, whether they tuned into local radio, or (increasingly) via Internet radio.

The NRC Time Signal consisted out of a series of 800 Hz sinewave ‘beeps’ followed by a second-long signal to indicate the top of the hour. Back in the day this was extremely useful to sync one’s clocks, watches and other time-keeping devices to. Yet between the transmission delays caused by Internet radio and the increased availability of NTP and other time sources on modern-day devices, the signal’s main use appears to have become a nostalgic reminder of what once was a constant of each and every day.

In this regard the public response to the rather unceremonious decommissioning without prior announcement was rather predictable. After all, even if it wasn’t that useful, why throw out something that is more recognizable than any other radio jingle for generations of Canadians?

Top image: National Research Council laboratories in Ottawa.

This Week In Security: Curl Reveal, Rapid Reset DDoS, And Libcue

October 13, 2023 by 17 Comments

Curl gave us all a big warning that a severe security problem had been found in that code-base. Given the staggering number of Curl installs around the world, we held our collective breath and waited for the bombshell to drop this Wednesday. It turns out, it’s not quite as bad as feared — so long as you don’t have a SOCKS proxy.

In hindsight, shipping a heap overflow in code installed in over twenty billion instances is not an experience I would recommend. — Daniel Stenberg

The trouble started when the SOCKS5 proxy support was converted to a non-blocking implementation. It’s a win for libcurl to work on requests asynchronously, but refactoring code and new features always runs a bit of risk. SOCKS5 proxying has some quirks, like allowing DNS resolution to happen locally or at the proxy. The new async code starts out with:

bool socks5_resolve_local =
(proxytype == CURLPROXY_SOCKS5) ? TRUE : FALSE;

First off, unnecessary ternary is unnecessary. But note that this local variable gets set by the proxytype. If that’s CURLPROXY_SOCKS5_HOSTNAME, then it uses remote resolution. But inherited from old code is a check for a hostname that is too long for a SOCKS request (255 bytes). This code converts back to local resolution in this case.

The important detail here is that this function is now a state machine, that potentially runs multiple times for a single request, to achieve that asynchronous execution. The check for a too-long hostname only happens during the initialization state. Copying the hostname into the buffer happens in a different state. If setting up the connection takes enough time, the function will return and be executed again when something has changed. The ternary check runs again, but not the hostname-too-long. So if set to do remote resolution with a long enough host name, execution slips through this edge case, and the long hostname is copied into a too-small buffer.

It’s safe to assume that this heap overflow can result in arbitrary code execution. The fix has landed in 8.4.0, after being present for 1,315 days. [Daniel] goes ahead and gets ahead of the inevitable suggestion that Curl should be written in rust or another memory-safe language. Curl was started before those alternatives existed, and there is a very slow effort to move portions of the project to memory-safe languages. And you’re welcome to help out. Continue reading “This Week In Security: Curl Reveal, Rapid Reset DDoS, And Libcue”

Debian Bookworm Comes To The Raspberry Pi, And Wayland Is Now Default

October 13, 2023 by 48 Comments

It must have been a busy week for the PR department at Raspberry Pi, with the launch of their latest single-board computer, the Pi 5. Alongside the new board comes something else, an updated Raspberry Pi OS version.

This is built from Debian 12 “Bookworm”, and supplants the previous “Bullseye” version. As well as the new OS base it comes with a pile of Pi-specific upgrades including an optimsied version of Mozilla Firefox. Probably most important is that henceforth (at least on 64-bit boards) its desktop will use the Wayland compositor rather than X11 to draw and manipulate windows. This is a development that has been in the works for a very long time — it must be almost a decade since the first Raspberry Pi blog entry about Wayland — so it’s welcome at last to see it.

The new tweaks as well as Wayland are supposed to deliver a much faster Pi experience, so we thought we’d break out the stopwatch and do some rough real-world tests. The bench 8GB Pi 4 here has a vanilla 64-bit Bullseye installed, so off we went to measure boot time, Chromium browser opening time, and Hackaday load time. It was time to download the new 64-bit Bookworm image and do the same. Have we just downloaded a power-up?

Both tests were done with an everyday boot, after the first-time OS set-up, and with all browser caches emptied. First up was a significant boost, with Bookworm booting in 37.14 seconds to Bullseye’s 53.5, but the Chromium opening was a little more disappointing. On Bullseye it took 7.15s, while Bookworm’s Chromium managed a more pedestrian 9.13s. The new Firefox takes only 7.95s to open. Both Chromium browsers load Hackaday in about 1.8s, while the new Firefox did the same job in a shade over 3s.

So allowing for our stopwatch reaction time and the ad-hoc nature of the test, this is a faster-booting OS, but the underlying hardware is still the limiting factor. We’re disappointed to see that there’s no update for the x86 version of the Raspberry Pi Desktop, and we hope they’ll be able to rectify this in the future.

An In-Depth Comparison Of Hobby PCB Manufacturers

October 13, 2023 by 46 Comments

[Icamtuf] has been working on a prototyping run of a project, which involves getting PCBs made by several low volume PCB manufacturing companies. After receiving the boards, he analyzed the results and produced an interesting analysis.

The project he is working on is Sir-Box-A-Lot, a Sokoban gaming console clone that we’ve covered before. It uses an AVR128DA28 microcontroller to emulate the original box-pushing game and drive the OLED display. He ordered PCBs from OSHPark, DigiKey Red, JLCPCB, PCBWay and Aisler.

OSHPark boards are gorgeous, but you pay for it.

There were pros and cons for each of the services: OSHPark produced the nicest-looking boards, but at the highest cost. DigiKey Red had a flawless solder mask, but a rather sloppy-looking silkscreen and shipped the boards covered in adhesive gunk. JLCPCB was fast, shipping the boards in less than 7 days, but the smaller details of the silkscreen were blurry and the solder mask was thinner than the others. The solder mask from PCBWay was very slightly misaligned but was thicker than most, and they were the only ones who queried a badly shaped hole to see what [Icamtuf] wanted to do: the others just made assumptions and made the boards without checking.

To be fair, this analysis is based on a single PCB design ordered once and it is possible that some companies were having a bad day. These were also delivered to the US, so your delivery times may vary. So, there are no clear winners and I wouldn’t make a choice based on this alone. But the analysis is well worth a read if you want to know what to look out for on your own PCBs.

Removing The Air Gap From An IPad Display

October 12, 2023 by 31 Comments

Some recent models of the Apple iPad have a rather annoying air gap in between the display and the outer touch surface. This can be particularly frustrating for users that press hard or use the Apple Pencil regularly. It is possible to eliminate this gap in the iPad 9, at least, as demonstrated by [serg1us_eng]. (Warning: TikTok)

Doing the job well takes some finesse, however, and plenty of fancy equipment. The iPad’s front touch glass was first covered to avoid scratches during the work, and then heated to 60 C to remove it. The display was also removed, with several glued-down ribbon cables having to be carefully pried off to avoid damage. A layer of transparent material was then cut to size to fit in the gap between the display and the front glass, with the stack laminated together. Getting this result without air bubbles or dust particles spoiling the result involved the use of a heated press and a clean room, which are now widely used in phone repair shops around the world.

For the average user, it might not be a big deal. For power users and touch-and-feel fanatics, though, there’s great appeal in an iPad without this annoying flaw. Video after the break.

Continue reading “Removing The Air Gap From An IPad Display”

Ingenuity’s 62nd Flight And Attempting A New Speed Record

October 12, 2023 by 17 Comments

One of the fun aspects of exploring a new planet is that you can set a lot of new records, as is the case with the very first Mars-based helicopter, Ingenuity. Since its inaugural flight on April 19th of 2021, Ingenuity has flown 61 times, setting various records for distance traveled and other parameters. Although setting the first record is easy on account of anything being better than literally nothing, the real challenge lies in exceeding previously set records, as the team behind Ingenuity seeks to do again with flight 62 and a new speed record.

Targeting October 12th, the goal is to travel 268 meters (1.33 furlong) at a maximum altitude of 18 meters while hitting 10 meters per second (36 km/h), which would shatter the 8 m/s (28.8 km/h) set by flight 60. Although still quite a distance to the 240 m/s required to hit Mach 1 on Mars, the fact that this feat is being performed by a first-of-its-kind helicopter in the thin Martian atmosphere, using off-the-shelf components that were expected to last maybe a handful of flights, is nothing short of amazing.

(Thanks to [Mark Stevens] for the tip!)

(Top image: Fourth flight of Ingenuity (circled), captured by Perseverance rover. Source: NASA/JPL)

2023 Halloween Hackfest: Musical Jack-o-Lanterns Harmonize For Halloween

October 12, 2023 by 4 Comments

Halloween is many things to many people. For some, it’s a chance to dress up and let loose. For others, it’s a chance to give everyone in the neighborhood a jump scare. For [Aaron], it’s the perfect time to put on a show in the yard with some musical, light-up jack-o-lanterns.

[Aaron] came across some deeply-discounted light-up jack-o-lanterns a few years ago. They all had one of those Try Me buttons that’s powered by a couple of coin cells and uses a temporary two-wire connection to the PCB, and [Aaron] figured he could remotely control them using this port of sorts.

Now the guts are made of addressable RGB LEDs that are connected through the battery compartment via weatherproofed pigtails.

On the control side, he has a Raspberry Pi 3, an amplifier, and a couple of power supplies all housed in a weatherproof box. Since it’s not possible to multiplex both the lights and the audio on a Pi 3, he added a USB sound card into the mix.

Be sure to check out the awesome demo video after the break, followed by a pumpkin conversion video.

If you’re more into scaring people, carve up an animated evil-eye pumpkin.

Continue reading “2023 Halloween Hackfest: Musical Jack-o-Lanterns Harmonize For Halloween”