Steady Hand Repurposes Cheap SSD Modules

For hackers, cheap (and arguably disposable) consumer hardware makes for a ready supply of free or low-cost components. When you can walk into a big box store and pick up a new low-end laptop for $150, how many are going to spend the money to repair or upgrade the one they have now? So the old ones go to the bin, or get sold online for parts. From an ecological standpoint our disposable society is terrible, but at least we get some tech bargains out of the deal.

Case in point, the dirt cheap 32 GB eMMC SSDs [Jason Gin] recently scored. Used by Hewlett Packard on their line of budget laptops, he was able to snap up some of these custom drives for only $12 each. Only problem was, since they were designed for a very specific market and use case, they aren’t exactly the kind of thing you can just slap in your computer’s drive bay. He had to do some reverse engineering to figure out how to talk to them, and then some impressive fine-pitch soldering to get them plugged in, but in the end he got some very handy drives for an exceptionally low price.

[Jason] starts by figuring out the drive’s pinout using the cornerstone of the hacker’s electronic toolkit: the multimeter. By putting one lead on an obvious ground point such as the PCB’s screw holes, you can work through the pins on the connector and make some educated guesses as to what’s what. Ground pins will read as a short, but the meter should read power and data pins as a forward-biased diode. With a rough idea of the pins’ identities and some luck, he was able to figure out that it was basically a standard SATA connection in a different form factor.

To actually hook it up to his computer, he pulled the PCB off of a dead SATA hard drive, cut it down to size, and was able to use fine magnet wire to attach the conductors in the drive’s ribbon cable to the appropriate pads. He sealed everything up with a healthy dose of hot glue to make sure it didn’t pull loose, and then ran some drive diagnostics on his cobbled together SSD to make sure it was behaving properly. [Jason] reports the drive isn’t exactly a speed demon, but given the low cost and decent performance he still thinks it’s worth the work to use them for testing out different operating systems and the like.

[Jason] seems to have something of an obsession with eMMC hacking. Last time we heard from him, he was bringing a cheap Windows tablet back from the dead by replacing its shot eMMC chip.

An OpenSCAD Mini-ITX Computer Case

We’re no strangers to 3D printed enclosures here at Hackaday. From the plethora of printed Raspberry Pi cases out there to custom enclosures for electronic projects, small plastic boxes turn out to be an excellent application for desktop 3D printing. But as printers get bigger and filament gets cheaper, those little boxes don’t always need to be so little. We aren’t talking about running off boxes for your sneaker collection either. If you’ve got the time and the print volume, you could whip up an enclosure for your PC.

[Nirav Patel] writes in to share his impressive 3D printed Mini-ITX computer case project, which would be a neat enough trick in its own right, but he took the concept one step farther and made it a parametric design in OpenSCAD. This allows the user to input their particular hardware configuration and receive STL files for a bespoke case. The list of supported hardware isn’t that long yet, but with the OpenSCAD code up on GitHub and released under the BSD license, hopefully the community can improve on that as time goes on.

To keep things simple (and strong), [Nirav] implemented what he refers to as a “bucket” design. The majority of the case is a single print, which does take a long time (just shy of 40 hours on his Prusa i3 MK3), but nearly eliminates any post-printing assembly. Only the optional feet and the lid need to be printed separately. Threaded inserts are used throughout the design for mounting hardware, so you don’t run the risk of blowing out the printed holes during hardware changes or upgrades.

A particularly neat feature, and a testament to the power of OpenSCAD, is the fact that the case’s internal volume is calculated and embossed into the side of the design. Does this have any practical purpose? Not exactly, but [Nirav] thought it would be appealing to the Mini-ITX case modding community which apparently measures their accomplishments in liters of volume.

We’ve seen a 3D printed computer case before, but it used acrylic sheets and couldn’t be made without a large format printer. There’s something to be said for a project that can be completed on the hacker community’s favorite printer.

The Linux Throwie: Powering a Linux Server with a 0.3W Solar Panel

Have you ever had one of those moments, when you’re rummaging through your spare parts heap, and have a rather bizarre project idea that you can’t quite get out of your head? You know, the ones that have no clear use, but simply demand to be born, of glass and steel and silicon?

This time, the stubborn idea in question was sort of like a solar-rechargeable LED throwie, but instead of a blinking light, it has a fully cloud-accessible embedded Linux server in the form of a Raspberry Pi 3 Model B+. Your choice of embedded Linux board should work — I just happen to have a lot of these due to a shipping error.

There were two main challenges here: First, it would have to combine the smallest practical combination of solar panel, power supply, and Li-ion cell that could run the Raspberry Pi. Second, we’ll need to remotely activate and access the Pi regardless of where it is, as well as be able to connect it to WiFi without direct physical access. In this article we’ll be dealing with the first set of problems — stay tuned for the rest.

Apple Kernel Code Vulnerability Affected All Devices

Another day, another vulnerability. Discovered by [Kevin Backhouse], CVE-2018-4407 is a particularly serious problem because it is present all throughout Apple’s product line, from the Macbook to the Apple Watch. The flaw is in the XNU kernel shared by all of these products.

This is a buffer overflow issue in the error handling for network packets. The kernel is expecting a fixed length of those packets but doesn’t check to prevent writing past the end of the buffer. The fact Apple’s XNU kernel powers all their products is remarkable, but issues like this are a reminder of the potential downside to that approach. Thanks to responsible disclosure, a patch was pushed out in September.

Anatomy of a Buffer Overflow

Buffer overflows aren’t new, but a reminder of what exactly is going on might be in order. In low level languages like C, the software designer is responsible for managing computer memory manually. They allocate memory, tagging a certain number of bytes for a given use. A buffer overflow is when the program writes more bytes into the memory location than are allocated, writing past the intended limit into parts of memory that are likely being used for a different purpose. In short, this overflow is written into memory that can contain other data or even executable code.

With a buffer overflow vulnerability, an attacker can write whatever code they wish to that out-of-bounds memory space, then manipulate the program to jump into that newly written code. This is referred to as arbitrary code execution. [Computerphile] has a great walk-through on buffer overflows and how they lead to code execution.

This Overflow Vulnerability Strikes Apple’s XNU Kernel

[Kevin] took the time to explain the issue he found in further depth. The vulnerability stems from the kernel code making an assumption about incoming packets. ICMP error messages are sent automatically in response to various network events. We’re probably most familiar with the “connection refused” message, indicating a port closed by the firewall. These ICMP packets include the IP header of the packet that triggered the error. The XNU implementation of this process makes the assumption that the incoming packet will always have a header of the correct length, and copies that header into a buffer without first checking the length. A specially crafted packet can have a longer header, and this is the data that overflows the buffer.
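A simplified model of the bug class described above, added here as an illustration and not taken from XNU or from [Kevin]’s write-up: an unchecked copy of a quoted IP header beside a length-checked version. The function names, the 28-byte buffer and the sample packet are all assumptions constructed for the example, and the "overflow" lands in a deliberately oversized arena so it can be measured safely.

```c
#include <stdio.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define QUOTE_CAP 28  /* assumed buffer: 20-byte IP header + 8 payload bytes */

/* Header length in bytes as claimed by the packet itself (IPv4 IHL field). */
static size_t ip_hdr_len(const uint8_t *pkt) { return (size_t)(pkt[0] & 0x0f) * 4; }

/* BEFORE: trusts the claimed header length and never looks at the buffer
 * size. Returns the number of bytes written to dst. */
size_t quote_unchecked(uint8_t *dst, const uint8_t *pkt)
{
    size_t n = ip_hdr_len(pkt) + 8;
    memcpy(dst, pkt, n);                   /* n can be up to 68 > QUOTE_CAP */
    return n;
}

/* AFTER: validates every length. Returns bytes written, or 0 to drop. */
size_t quote_checked(uint8_t *dst, size_t dst_cap, const uint8_t *pkt, size_t pkt_len)
{
    if (pkt_len < 20) return 0;            /* too short for an IPv4 header */
    size_t hl = ip_hdr_len(pkt);
    if (hl < 20 || hl > pkt_len) return 0; /* malformed or truncated header */
    size_t n = hl + 8;
    if (n > pkt_len) n = pkt_len;          /* never read past the packet */
    if (n > dst_cap) n = dst_cap;          /* never write past the buffer */
    memcpy(dst, pkt, n);
    return n;
}

/* Copies a constructed 80-byte packet into a zeroed 128-byte arena whose
 * first QUOTE_CAP bytes stand in for the real buffer, then counts how many
 * bytes landed beyond it. */
size_t bytes_past_buffer(int use_checked, uint8_t ihl_words)
{
    uint8_t arena[128] = {0}, pkt[80];
    memset(pkt, 0xAA, sizeof pkt);
    pkt[0] = (uint8_t)(0x40 | ihl_words);  /* version 4, attacker-chosen IHL */
    if (use_checked) quote_checked(arena, QUOTE_CAP, pkt, sizeof pkt);
    else quote_unchecked(arena, pkt);
    size_t over = 0;
    for (size_t i = QUOTE_CAP; i < sizeof arena; i++) over += (arena[i] != 0);
    return over;
}

int main(void)
{
    printf("unchecked: %zu bytes past buffer, checked: %zu\n",
           bytes_past_buffer(0, 15), bytes_past_buffer(1, 15));
    return 0;
}
```

Clamping the quoted data to the buffer size is one choice made for this example; dropping the packet instead is equally valid.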

Because of the role ICMP plays in communicating network status, a closed firewall isn’t enough to mitigate the attack. Even when sent to a closed port, the vulnerability can still trigger. Aside from updating to a patched OS release, the only mitigation is to run the macOS firewall in what it calls “stealth mode”. This mode doesn’t respond to pings, and more importantly, silently drops packets rather than sending ICMP error responses. This mitigation isn’t possible for watchOS and iOS devices.

The good news about the vulnerability is that a packet, malformed in this way, has little chance of being passed through a router at all. An attacker must be on the same physical network in order to send the malicious packet. The most likely attack vector, then, is the public WiFi at the local coffee shop.

Come back after the break for a demonstration of this attack in action.

Building a Proof of Concept Hardware Implant

You’ve no doubt heard about the “hardware implants” which were supposedly found on some server motherboards, which has led to all sorts of hand-wringing online. There’s no end of debate about the capabilities of such devices, how large they would need to be, and quite frankly, if they even exist to begin with. We’re through the looking-glass now, and there’s understandably a mad rush to learn as much as possible about the threat these types of devices represent.

EEPROM (left) can be edited to enable SMBus access on this card (header to the right)

[Nicolas Oberli] of Kudelski Security wanted to do more than idly speculate, so he decided to come up with a model of how an implanted hardware espionage device could interact with the host system. He was able to do this with off the shelf hardware, meaning anyone who’s so inclined can recreate this “Hardware Implant Playset” in their own home lab for experimentation. Obviously this is not meant to portray a practical attack in terms of the hardware itself, but gives some valuable insight into how such a device might function.

One of the most obvious attack vectors for hardware implants is what’s known as the Baseboard Management Controller (BMC). This is a chip used on modern motherboards to allow for remote control and monitoring of the system’s hardware, and promises to be a ripe target for attackers. There are a few sideband channels which can be used by the BMC chip to talk to other chips. To keep things simple [Nicolas] focused on the older I2C-derived SMBus (rather than the newer and more complex NC-SI), demonstrating what can be done once you have control of that bus.

Only problem was, he didn’t have a motherboard with a BMC to experiment with. After a little research, the answer came in the form of the Intel EXPI9301CTBLK network card, which features the 82574L SMBus chip. This allows for experimenting with a subset of SMBus functionality on any machine with a PCI-E slot. Even better, the card has an SMBus header on the top to plug into. [Nicolas] describes in detail how he enabled the SMBus interface by modifying the card’s EEPROM, which then allowed him to detect it with his HydraBus.

With the hardware setup, the rest of the write-up focuses on what you can do with direct control of SMBus on the network card. [Nicolas] demonstrates not only creating and sending Ethernet packets, but also intercepting an incoming packet. In both cases, a running instance of tcpdump on the host computer fails to see the packets even exist.

He goes on to explain that since SMBus is very similar to I2C and only requires four wires, the techniques shown could easily be moved from the Hydrabus dev board used in the demo, to a small microcontroller like the ATtiny85. But you would still need to find a way to add that microcontroller directly onto the network card without it being obvious to the casual observer.

Our previous coverage of suspected hardware implants sparked considerable discussion, and it looks like no matter what side of the fence you’re on, the debate isn’t going away anytime soon.

You’ll Flip for This 7404 IC Motherboard Fix

We often lament that the days of repairable electronics are long gone. It used to be you’d get schematics for a piece of gear, and you could just as easily crack it open and fix something as the local repairman — assuming you had the knowledge and tools. But today, everything is built to be thrown away when something goes wrong, and you might as well check at the end of a rainbow if you’re searching for a circuit diagram for a new piece of consumer electronics.

But [Robson] writes in with an interesting story that gives us hope that the “old ways” aren’t gone completely, though they’ve certainly changed for the 21st century. After blowing out his laptop’s USB ports when he connected a suspect circuit, he was desperate for a fix that would fit his student budget (in other words, nearly zero). Only problem was that he had no experience fixing computers. Oh, and it takes months for his online purchases to reach him in Brazil. Off to a rocky start.

His first bit of luck came with the discovery he could purchase schematics for his laptop online. Now, we can’t vouch for the site he used (it sure isn’t direct from Dell), but for under $5 USD [Robson] apparently got complete and accurate schematics that let him figure out what part was blown on the board without even having to open up the computer. All he had to do was order a replacement IC (SY6288DAAC), and solder it on. It took two months for the parts to arrive, and he had to do it with an iron instead of a hot air station, but in the end, he got the part installed.

Recovering Data From A Vintage MFM Drive

Even if you aren’t a vintage computer aficionado, you’re probably aware that older computer hard drives were massive and didn’t hold much data. Imagine a drive that weighs several pounds, and only holds 1/1000th of what today’s cheapest USB flash drives can. But what you might not realize is that if you go back long enough, the drives didn’t just have lower capacity, they utilized fundamentally different technology and relied on protocols which are today little more than historical footnotes.

A case in point is the circa 1984 Modified Frequency Modulation (MFM) drive which [Michał Słomkowski] was tasked with recovering some files from. You can’t just pop this beast into a USB enclosure; copying files from it required an interesting trip down computing’s memory lane, with a sprinkling of modern techniques that are sure to delight hackers who still like to dip their toes into the MS-DOS waters from time to time.

The drive, a MiniScribe 2012, has its own WD1002A-WX1 8-bit ISA controller card. [Michał] is the kind of guy who just so happens to have an ISA-compatible AT motherboard lying around, but he didn’t have the correct cooler for its Pentium processor. He stuck a random heatsink down onto it with a rubber band and set the clock speed as low as possible, which worked well enough to get him through the copying process.

Not wanting to fiddle with floppies, [Michał] then put together a setup which would let him PXE boot MS-DOS 6.22 under Arch Linux. He used PXELINUX, part of the syslinux package, and created an entry for DOS in the configuration file under the pxelinux.cfg directory. He then installed netboot which combines a DHCP and TFTP server into one simple package, and configured it for the MAC address of the AT machine’s 3com 3C905C-TXM network card.

With the hardware and operating system up and running, it was just a matter of getting the files off of the MFM drive and onto something a bit more contemporary. He tried to copy them to a secondary IDE drive, but it seemed there was some kind of conflict as both drives wouldn’t operate at the same time. So he pulled another solution from his bag of tricks: using a USB mass storage device on MS-DOS. By emulating a SCSI drive, he was able to get a standard flash drive plugged into a PCI USB card working, which ultimately dragged these ~35 year old files kicking and screaming into the 21st century.

We love keeping old hardware alive here at Hackaday, and documented methods to not only PXE boot DOS but use USB storage devices when you get it up and running will hopefully inspire some more hackers to blow the dust off that old 386 in the attic.