AM/FM Radio Gets Bluetooth Upgrade

For many, commercial broadcast radio has lost its luster, leaving an unknowable number of perfectly serviceable AM/FM radios to lie dormant. But they don’t have to. As [Dan Gebhardt] shows in his recent hack, integrating a Bluetooth audio receiver into a portable radio may be easier than you think.

For this project, [Dan] wanted to make sure no original functionality was lost. The radio still functions on the AM/FM bands, but now with the flip of a switch, he can listen to the audio coming his way courtesy of an Apt-X low-latency Bluetooth receiver. It sounds like the link is quick enough that he can even use this as a wireless speaker for watching TV, which isn’t always possible with cheaper chipsets that introduce a noticeable lag.

Isolating the audio trace.

The trick was to track down the receiver IC, a Silicon Labs chip similar to ones we’ve seen used in a few DIY radio projects previously. A peek at the datasheet told him which pins were carrying the audio signal, and after following them around the board, he found a convenient spot to cut the trace before it went into the volume control. From there it was just a matter of wiring in a SPDT slide switch that allowed him to select which device was passed through to the radio’s audio hardware.

While he had everything apart, [Dan] exorcised the Apt-X’s original 300 mAh LiPo pouch and replaced it with a DC-DC converter connected to the radio’s battery compartment. This allows him to run all of the hardware off of the same set of rechargeable NiMH cells, and also provides considerably improved runtime for the Bluetooth receiver.

Now as for physically integrating the Apt-X into the case of the radio…well, what can we say? [Dan] admits it’s a bit rough, but then the point was never to enter the thing into beauty pageants. It works well enough for his purposes, and in the end that’s all that matters.

This Week In Security: Android Bluetooth RCE, Windows VMs, And HTTPS Everywhere

Android has released its monthly round of security updates, and there is one patched bug in particular that’s very serious: CVE-2021-0316. Few further details are available, but a bit of sleuthing finds the code change that fixes this bug.

Fix potential OOB write in libbluetooth
Check event id of register notification command from remote to avoid OOB write.

It’s another Bluetooth issue, quite reminiscent of BleedingTooth on Linux. In fact, in researching this bug, I realized that Google never released their promised deep-dive into BleedingTooth. Why? This would usually mean that not all the fixes have been rolled out, or that a significant number of installations are unpatched. Either way, the details are withheld until the ramifications of releasing them are minimal. This similar Bluetooth bug in Android *might* be why the BleedingTooth details haven’t yet been released. Regardless, there are some serious vulnerabilities patched in this Android update, so make sure to watch for the eventual rollout for your device.
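
The bug class named in the commit message above, as an added example that is not Android's code and not part of the original post: a remote-supplied event id used as a table index, first unchecked and then validated. The table size, the message layout and every name here are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define MAX_EVENT_ID 13   /* assumed: valid ids are 1..13, one slot each */

typedef struct { bool registered; uint8_t label; } notif_slot_t;
typedef struct { notif_slot_t slots[MAX_EVENT_ID]; } peer_state_t;
typedef enum { REG_OK = 0, REG_BAD_LENGTH, REG_BAD_EVENT } reg_status_t;

/* Unchecked pattern: the remote picks the index. An id of 0 or above
 * MAX_EVENT_ID writes outside slots[]. Shown for contrast, never called. */
void register_notif_unchecked(peer_state_t *p, uint8_t event_id, uint8_t label)
{
    p->slots[event_id - 1].registered = true;
    p->slots[event_id - 1].label = label;
}

/* Checked pattern. Assumed body layout: [event_id:1][interval:4]. */
reg_status_t register_notif_checked(peer_state_t *p, const uint8_t *body,
                                    size_t len, uint8_t label)
{
    if (p == NULL || body == NULL || len < 5)
        return REG_BAD_LENGTH;            /* truncated command */
    uint8_t event_id = body[0];
    if (event_id < 1 || event_id > MAX_EVENT_ID)
        return REG_BAD_EVENT;             /* reject before any indexing */
    p->slots[event_id - 1].registered = true;
    p->slots[event_id - 1].label = label;
    return REG_OK;
}

size_t registered_count(const peer_state_t *p)
{
    size_t n = 0;
    for (size_t i = 0; i < MAX_EVENT_ID; i++)
        n += p->slots[i].registered ? 1 : 0;
    return n;
}

int main(void)
{
    peer_state_t peer = {0};
    const uint8_t good[5] = {13, 0, 0, 0, 0};  /* constructed: highest valid id */
    const uint8_t bad[5]  = {14, 0, 0, 0, 0};  /* constructed: one past the table */
    int r_good = register_notif_checked(&peer, good, sizeof good, 7);
    int r_bad  = register_notif_checked(&peer, bad, sizeof bad, 8);
    printf("good=%d bad=%d slots=%zu\n", r_good, r_bad, registered_count(&peer));
    return 0;
}
```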

Sit Up Straight!: Open Source Bluetooth Posture Sensing

As more and more people spend their working hours behind a computer, bad posture and the accompanying back pain and back problems become a growing epidemic. To combat this in his own daily life, [ImageryEel] made PosturePack, a wearable Bluetooth-enabled posture sensor.

The PosturePack is designed to fit into a small pocket sewn into the back of an undershirt, between the shoulder blades. It consists of a custom PCB with an ATmega32U4, BNO055 IMU, Bluetooth module, small LiPo and power circuitry. Based on the orientation data from the IMU, a notification is sent over Bluetooth to a smartphone whenever the user hunches forward.

[ImageryEel] says although the mobile notifications worked, haptic feedback integrated into the unit would be a better option. This could also be used to remind the user to stand up and take a break now and then, and provide an alternative to a smartwatch for activity monitoring without sending every movement to someone else’s servers. Software will always be the hardest part for projects like these, especially as the devices become “smarter”. Learning to recognize activity and postures is actually a good place for tiny machine learning models.

The posture sensors we covered before had to be installed and set up at a specific workstation, like an ultrasound-based version attached to a chair, and a webcam-based version.

New Part Day: Bouffalo Labs BL602 RISC-V Wi-Fi/Bluetooth SoC

We should all by now be used to microcontrollers with wireless hardware on board, with Espressif or Nordic Labs dominating the hacker scene. There have been several other contenders in this arena over the years that haven’t really caught the attention of our community, usually because of the opacity of their available information.

A new contender should be worth a second look though. The BL602 from Bouffalo Labs is a Wi-Fi- and Bluetooth LE-capable microcontroller with a 32-bit RISC-V derived core. If that doesn’t interest you much, perhaps news that the PINE64 folks are spearheading an effort to reverse engineer it for a fully open-source blob-free wireless implementation might sharpen your attention.

So where can you get your hands on one? Hold your horses, this chip is at an early stage in its gestation. We can see that there are some exciting possibilities in store, but we’re still figuring out the hardware interfaces and other software required to make it work. A community is hard at work reverse engineering it, which leads us back to the PINE64 story we mentioned earlier.

You can find BL602 modules from AliExpress vendors, but the PINE64 folks will offer you a free one if you join their blob reverse engineering effort. Take note though, this offer is for those prepared to show commitment to the project, so don’t spam them in the hope of free stuff if you won’t be helping deliver the goods.

We might see the BL602 gaining an open-source toolchain and internal blobs over the coming months thanks to the efforts of those working on it. Just as the ESP8266 did back in 2014, it’s starting as a black box with a relative scarcity of information. But if this hacking effort pays off, we’ll have a cheap RISC-V Wi-Fi and Bluetooth module with entirely open-source software from the silicon upwards. What a time to be alive!

Thanks [Renze] for the tip.

Custom Firmware For Cheap Bluetooth Thermometers

The Xiaomi LYWSD03MMC temperature and humidity sensor is ridiculously cheap. If you’re buying a few at a time, you can expect to pay as little as $5 USD a pop for these handy Bluetooth Low Energy environmental sensors. Unfortunately, that low price tag comes with a bit of a catch: you can only read the data with the official Xiaomi smartphone application or by linking it to one of the company’s smart home hubs. Or at least, that used to be the case.

Over the past year, [Aaron Christophel] has been working on a replacement firmware for these Xiaomi sensors that unlocks the data so you can use it however you see fit. In addition, it allows the user to tweak various features and settings that were previously unavailable. For example, you can disable the little ASCII-art smiley face that usually shows on the LCD to indicate the relative comfort level of the room.

The new firmware publishes the temperature, humidity, and battery level every minute through a BLE advertisement broadcast. In other words, that means client devices can read data from the sensor without having to be paired. Scraping this data is quite simple, and the GitHub page includes a breakdown of what each byte in the broadcast message means. Avoiding direct connections not only makes it easier to quickly read the values from multiple thermometers, but should keep the device’s CR2032 battery going for longer.

But perhaps the most impressive part of this project is how you get the custom firmware installed. You don’t need to crack the case or solder up a programmer. Just load the flasher page on a computer and browser combo that supports Web Bluetooth (a smartphone is probably the best bet), point it to the MAC address of the thermometer you want to flash, and hit the button. [Aaron] is no stranger to developing user-friendly OTA installers for his firmware projects, but even for him, it’s quite impressive.

Hackaday Podcast 083: Soooo Many Custom Peripherals, Leaving Bluetooth Footprints, And A Twirlybird On Mars

Hackaday editors Mike Szczys and Elliot Williams ogle the greatest hacks from the past 168 hours. Did you know that Mars Rover didn’t get launched into space all alone? Nestled in its underbelly is a two-prop helicopter that’s a fascinating study in engineering for a different world. Fingerprinting audio files isn’t a special trick reserved for Shazam; you can do it just as easily with an ESP32. A flaw in the way Bluetooth COVID tracing frameworks chirp out their anonymized hashes means they’re not as perfectly anonymized as planned. And you’re going to love these cool ways to misuse items from those massive parts catalogs.

Take a look at the links below if you want to follow along, and as always, tell us what you think about this episode in the comments!

Direct download (60 MB or so.)

COVID-tracing Framework Privacy Busted By Bluetooth

[Serge Vaudenay] and [Martin Vuagnoux] released a video yesterday documenting a privacy-breaking flaw in the Apple/Google COVID-tracing framework, and they’re calling the attack “Little Thumb” after a French children’s story in which a child drops pebbles to be able to retrace his steps. But unlike Hansel and Gretel with the breadcrumbs, the goal of a privacy-preserving framework is to prevent periodic waypoints from allowing you to follow anyone’s phone around.

The Apple/Google framework is, in theory, quite sound. For instance, the system broadcasts hashed, rolling IDs that prevent tracing an individual phone for more than fifteen minutes. And since Bluetooth LE has a unique numeric address for each phone, like a MAC address in other networks, they even thought of changing the Bluetooth address in lock-step to foil would-be trackers. And there’s no difference between theory and practice, in theory.

In practice, [Serge] and [Martin] found that a slight difference in timing between changing the Bluetooth BD_ADDR and changing the COVID-tracing framework’s rolling proximity IDs can create what they are calling “pebbles”: an overlap where the rolling ID has updated but the Bluetooth ID hasn’t yet. Logging these allows one to associate rolling IDs over time. A large network of Bluetooth listeners could then trace people’s movements and possibly attach identities to chains of rolling IDs, breaking one of the framework’s privacy guarantees.

This timing issue only affects some phones, about half of the set that they tested. And of course, it’s only creating a problem for privacy within Bluetooth LE range. But for a system that’s otherwise so well thought out in principle, it’s a flaw that needs fixing.

Why didn’t the researchers submit a patch? They can’t. The Apple/Google code is mostly closed-source, in contrast to the open-source nature of most of the apps that are running on it. This remains troubling, precisely because the difference between the solid theory and the real practice lies exactly in those lines of uninspectable code, and leaves all apps that build upon them vulnerable without any recourse other than “trust us”. We encourage Apple and Google to make the entirety of their COVID framework code open. Bugs would then get found and fixed, faster.
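
A conformance check for the lock-step rotation described above, as an added example that is not the researchers' tooling or framework code: given advertisements captured in time order from a single device under test, it counts rotations where the address and the rolling ID changed on the same frame, and frames where the rolling ID changed while the address stayed put. The capture record layout and the sample values are constructed.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* One advertisement captured from a single device under test. */
typedef struct {
    unsigned    t_s;      /* capture time, seconds */
    const char *bd_addr;  /* advertiser address */
    const char *rpi;      /* rolling proximity ID (shortened, constructed) */
} adv_obs_t;

typedef struct { size_t lockstep, pebbles; } audit_t;

/* Compare each frame with the one before it. A rotation is in lock-step
 * only when both fields change on the same frame; a new rolling ID under
 * the old address is the overlap the article calls a "pebble". */
audit_t audit_rotation(const adv_obs_t *obs, size_t n)
{
    audit_t a = {0, 0};
    for (size_t i = 1; i < n; i++) {
        int addr_changed = strcmp(obs[i - 1].bd_addr, obs[i].bd_addr) != 0;
        int rpi_changed  = strcmp(obs[i - 1].rpi, obs[i].rpi) != 0;
        if (addr_changed && rpi_changed) a.lockstep++;
        if (rpi_changed && !addr_changed) a.pebbles++;
    }
    return a;
}

/* Constructed capture: both identifiers always rotate together. */
const adv_obs_t SYNCED[] = {
    {0,   "4A:00:00:00:00:01", "rpi-01"}, {450, "4A:00:00:00:00:01", "rpi-01"},
    {900, "5B:00:00:00:00:02", "rpi-02"}, {1350, "5B:00:00:00:00:02", "rpi-02"},
    {1800, "6C:00:00:00:00:03", "rpi-03"},
};
/* Constructed capture: at t=900 the rolling ID rotates one frame early. */
const adv_obs_t LAGGING[] = {
    {0,   "4A:00:00:00:00:01", "rpi-01"}, {450, "4A:00:00:00:00:01", "rpi-01"},
    {900, "4A:00:00:00:00:01", "rpi-02"}, {901, "5B:00:00:00:00:02", "rpi-02"},
    {1350, "5B:00:00:00:00:02", "rpi-02"}, {1800, "6C:00:00:00:00:03", "rpi-03"},
};

int main(void)
{
    audit_t s = audit_rotation(SYNCED, sizeof SYNCED / sizeof SYNCED[0]);
    audit_t l = audit_rotation(LAGGING, sizeof LAGGING / sizeof LAGGING[0]);
    printf("synced:  lockstep=%zu pebbles=%zu\n", s.lockstep, s.pebbles);
    printf("lagging: lockstep=%zu pebbles=%zu\n", l.lockstep, l.pebbles);
    return 0;
}
```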
