Eclipse 2017: Where Will You Be When The Sun Goes Away?

In less than a month, on August 21, 2017, the Moon will cast its shadow upon the Earth, a relative pinprick at only 60 miles across. The shadow will begin in the Pacific Ocean off North America, make landfall south of Portland, Oregon, and rake diagonally across the United States. Charging southeastward at about 2000 miles an hour, the path of totality will touch 12 states before racing off into the Atlantic Ocean around Charleston, South Carolina.

Those are the dry facts of the eclipse, the wheres and the whens of an event that hasn’t been visible to a majority of the US population in 47 years. But beyond the science and the natural wonder of the celestial alignment lies a simple question: Where will you be when the sun goes away?

An Eclipse from a Volcano

Bullseye! The center of totality passes right through North Menan Butte in Rexburg, ID.

For me, the answer is simple: I’ll be smack dab in the middle of totality on top of an extinct volcano in eastern Idaho. To see an eclipse is pretty cool; to watch the mechanics of the heavens work above you while standing in a unique geological feature will be far cooler.

It will take me eight hours to drive to Menan Buttes with my family from our home in the Panhandle; Idaho is an enormous state. We’ll be camping on private land outside the southern butte, probably in pretty rustic conditions and without a lot of rough camping experience. OK, none. But I don’t care because I want to see totality, and the 92% totality we’d see if we stayed home just won’t cut it.

While most people will likely have their eyes cast heavenward with their cheap cardboard and plastic eclipse glasses or shade 14 welding lens when the big moment arrives, my eyes will be locked on the ground to the west of our vantage point. Menan Butte stands about 500′ above the flat, featureless Snake River plain, and I intend to watch the moon’s shadow racing across the planet toward us. That’s the draw for me, and I hope I get to see it.

That’s not to say I won’t look skyward once the shadow is upon us, gazing in wide wonder at the incandescent dance of our sun’s atmosphere against the suddenly dark sky. I’ll bask in the unnatural twilight, listen to the gasps and cheers of my fellow watchers, and feel the sudden temperature drop, which should be quite marked in the east Idaho drylands. We’ll have about two minutes of totality before the shadow races east toward the vast majority of the US population, and I plan to enjoy every second of it.

Hackaday Eclipse Meetups

Aside from just watching the eclipse, there’s plenty else to do. Hackaday.io members across the country are hosting Hackaday Eclipse Meetups, where like minded folks can mix and mingle before the eclipse. If you know where you’ll be to watch the eclipse — like an extinct volcano, for instance — and you don’t mind sharing the experience with some of your fellow enthusiasts, be sure to post a meetup on the Eclipse Meetups page. Make your event page and we’ll send you some eclipse glasses with the Jolly Wrencher on the side of them for you and your guests.

Have you started thinking of what you’re going to bring with you to the viewing? There are a lot of eclipse projects, from pinhole cameras to watch the eclipse safely, to the Ham operators who will be taking advantage of localized ionospheric changes to make long-distance contacts. Those of us with telescopes might want to build a low-cost solar filter. Someone will likely be trying to prove General Relativity somewhere along the path of totality, and we’d love to see the rig for that. And there will no doubt be petabytes of photographs and videos taken with everything ranging from smartphones to professional cinematic cameras. We’d love to hear what you’re planning and see your setups. And even if you’ve got something cool that’s not eclipse related, bring it along. It’s always a good time to talk shop for hackers.


This Weekend: Vintage Computer Festival West

Next weekend is the Vintage Computer Festival West, held at the Computer History Museum. Hackaday is once again proud to sponsor this event that brings together the people and hardware that drove the information revolution. [Bil Herd] and [Joshua Vasquez] will be on hand representing the Hackaday Crew.

This year’s talks show an impressive lineup of people. [Bil Herd] will be on stage with a collection of other engineers who secured Commodore’s place in history. The Computer History Museum has a very active restoration program for original computer hardware. Friend of Hackaday, [Ken Shirriff], has been working on a restoration of the Xerox Alto and is on the panel giving a talk about the process. And just to cherry-pick one more highlight, there’s a talk on system debugging before you even turn the thing on — a topic that can save you from having a very bad day with very ancient hardware.

A great part of VCF is that the exhibits are often either hands-on or demonstrations so you can actually play around with hardware which most people have never even seen in person. Add to that the collection at the Computer History Museum plus some extra exhibits they have planned for the event and you’re likely to run out of time before you make your way through everything.

Since we’ve mentioned the Computer History Museum, we also have some upcoming news. A bit later this month, Hackaday Contributor-at-Large [Voja Antonic] has been invited to visit the museum, record his oral history, and deliver to their collection an original Galaksija computer — wildly successful first as a kit and then as a manufactured computer, which he built in Yugoslavia in 1983. Congratulations [Voja]!

Look What People Brought To Breakfast At DEF CON

Sunday was our Breakfast at Hackaday meetup and a swarm of folks showed up; take a look at the hardware they brought with them! Vegas can be a tough place to set up a meetup — especially if you don’t want to rent a room. We filtered into a Starbucks across the street from Caesar’s and ended up packing the high-top table areas. It turns out you get a really funny look from the baristas when you go through the coffee line and ask for four dozen pastries and a few buckets of coffee.

The size of the space made it hard to get a picture of the entire crowd. I did manage to get a posed photo with the people who showed up about a half hour early. Once it filled up all I got for crowd shots were people with their back to me and heads down comparing hardware projects — that might actually be more appropriate for DEF CON where people generally don’t want to be photographed (case in point our bandanna wearing friend).


There was a ton of different hardware on hand. If you look at a picture of the swag and pastries tables, look closely at the high-top behind that. There were a couple of people hacking on RTL-SDRs before we arrived (which means they were at least 45 minutes early).

I’m a fan of wearing your hardware projects at events and this year was really great for that. First, a Captain Phasma helmet from The Force Awakens. It’s 3D printed in ABS, using an acetone/ABS slurry to glue (actually to weld) the parts before sanding and painting to finish the job.

Most of the hacks on hand were unofficial hardware badges built specifically for DEF CON. I was at the Badge Build’s meetup and have a megapost on everything I saw there coming out a bit later. But here we get a look at the dragonfly badge which [Kerry] brought along with him as well as the rectangular PCB that was the prototype. The AND!XOR crew was in the house and I decided to bug [Hyr0n] about the password hashes I was trying to crack from their badge’s firmware. He pulled up the app and it wasn’t surprising to see so many of the Bender on a bender badges in the area. Their botnet was a huge hit this year!

At some point, I was handed this book-like box which had been laser cut and etched out of plywood. It’s a beautiful piece and I had no idea what I would find inside. Turns out it’s a complete quadcopter-badge fun kit. I must have been so enthralled with the electronics when we covered this badge a few weeks back that I completely missed the beautiful box they built for it.

Inside the box, you’ll find two versions of the badge (one that flies, the other that blinks and has a red PCB handkerchief), a separate PCB that is the controller, and a goodie bag with extra batteries and charging hardware. We didn’t fire this up at the meetup, but we’ll have it at the Hackaday Superconference for you to play with. It was really great to get a group picture with so many of the people who worked on making this badge happen.

There was one high-top over in the corner that had been mobbed with people all morning and I only got a look at it when the crowd started to clear out around noon. [Brian McEvoy] built a custom controller for OpenSCAD and did a great job of bringing along a demo. A tablet is running the software, with the controller connected via USB. There are 3 knobs on the right that allow you to adjust height, width, and depth. The fourth knob is for adjusting precision. That precision is displayed in a very clever way. You can see the LED strip which has a red dot on the right (the decimal point) and three colored pixels to the left of it. These are the tens, hundreds, and thousands, but just turn the crank until the red dot is at the other end of the strip and you’ll be setting precision to tenths, hundredths, etc. [Brian] even added a button you can hold down to 10x the precision without making a permanent adjustment. The project is driven by a Teensy LC board.

It’s wonderful to see the Hackaday Community turn out for a meetup like this even though so much other stuff is going on at DEF CON. Thank you to all of you for coming to say hi, share your stories, and show off your handiwork!

“Borrow” Payment Cards With NFC Proxy Hardware

Contactless payments are growing in popularity. Often the term will bring to mind the ability to pay by holding your phone over a reader, but the system can also use NFC tags embedded in credit cards, ID cards, passports, and the like. NFC is a reasonably secure method of validating payments as it employs encryption and the functional distance between client and reader is in the tens of centimeters, and often much less. [Haoqi Shan] and the Unicorn team have reduced the security of the distance component by using a hardware proxy to relay NFC interactions over longer distances.

The talk, given on Sunday at DEF CON, outlined some incredibly simple hardware: an NFC antenna connected to a PN7462AU, an NRF24L01 wireless transceiver, and some power regulation. The exploit works by using a pair of these hardware modules. A master interfaces with the NFC reader, and a slave reads the card. The scenario goes something like this: a victim NFC card is placed near the slave hardware. The master hardware is placed over a payment kiosk as if making a normal payment. As the payment kiosk reader begins the process to read an NFC card, all of the communications between it and the actual card are forwarded over the 24L01 wireless connection.

The demo video during the talk showed a fast-food purchase made on the Apple Pay network while the card was still at a table out in the dining area (resting on the slave hardware module). The card used was a QuickPass contactless payment card from China UnionPay. According to a 2016 press release from the company, over two billion of these cards had been issued at the time. With that kind of adoption rate there is a huge incentive to find and patch any vulnerabilities in the system.

The hardware components in this build aren’t really anything special. We’ve seen these Nordic wireless modules used in numerous projects over the years, and the NXP chip is just NFC built around an ARM core. The leaps that tie this together are the speed-ups to make it work. NFC has tight timing and a delay between the master and slave would invalidate the handshake and subsequent interactions. The Unicorn team found some speedups by ensuring the chip was waking from suspend mode (150 µs) and not a deeper sleep. Furthermore, [Haoqi] mentioned they are only transmitting “I/S/R Block Data” and not the entirety of the interaction to save on time transmitting over the 24L01 wireless link. He didn’t expand on that so if you have details about what those blocks actually consist of please let us know in the comments below.

To the card reader, the emulated payment card is valid and the payment goes through. But one caveat to the system is that [Haoqi] was unable to alter the UID of the emulator — it doesn’t spoof the UID of the payment card being exploited. Current readers don’t check the UID and this could be one possible defense against this exploit. But to be honest, since you need close physical proximity of the master to the reader and the slave to the payment card simultaneously, we don’t see mayhem in the future. It’s more likely that we’ll see hacker cred when someone builds a long-range link that lets you leave your NFC cards at home and take one emulator with you for wireless door access or contactless payments in a single device. If you want to get working on this, check out the talk slides for program flow and some source code hints.
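The “tight timing” that the Unicorn team had to work around is the ISO/IEC 14443-4 frame waiting time (FWT), which is the other defense a reader has besides checking the UID: the card announces an FWI value in its ATS, and FWT = (256 × 16 / 13.56 MHz) × 2^FWI, so a reader that tolerates a large FWI leaves room for a wireless hop while one that enforces a small FWT does not. The script below is an added example (not the team’s code, and not from the talk): it computes FWT, classifies blocks by their PCB byte (the I/S/R blocks the talk mentioned are the ISO 14443-4 information, supervisory and receive-ready blocks), and audits a constructed reader/card trace for responses that arrive too late or that ask for a waiting time extension. The traces and the latencies in them are made up for illustration.

```python
# Added example: reader-side timing audit using the ISO/IEC 14443-4 frame
# waiting time. The traces are constructed; the relay latencies are
# illustrative, not measurements from the hardware described in the talk.

FC_HZ = 13.56e6                       # 13.56 MHz NFC carrier


def frame_waiting_time_s(fwi):
    """FWT = (256 * 16 / fc) * 2**FWI, FWI in 0..14: ~302 us at FWI 0 up to
    ~4.95 s at FWI 14. The card announces its FWI in the ATS; the reader
    decides how much of that it will actually wait."""
    if not 0 <= fwi <= 14:
        raise ValueError("FWI must be 0..14")
    return (256 * 16 / FC_HZ) * (2 ** fwi)


def block_type(pcb):
    """Classify an ISO/IEC 14443-4 block from the top bits of its PCB byte."""
    top = pcb >> 6
    if top == 0b00:
        return "I"                                         # information (APDU data)
    if top == 0b10:
        return "R(NAK)" if (pcb >> 4) & 1 else "R(ACK)"   # receive-ready
    if top == 0b11:
        return "S(WTX)" if (pcb >> 4) & 0b11 == 0b11 else "S(DESELECT)"
    raise ValueError("PCB 0x%02x is not a valid block" % pcb)


def audit_exchange(trace, fwi):
    """trace: list of (seconds, "PCD" or "PICC", pcb). Flags every card (PICC)
    response that arrives later than FWT after the reader's (PCD) last block,
    and every waiting-time extension the card asks for."""
    fwt = frame_waiting_time_s(fwi)
    findings = []
    last_cmd_t = None
    for t, side, pcb in trace:
        kind = block_type(pcb)
        if side == "PCD":
            last_cmd_t = t
            continue
        if last_cmd_t is not None and t - last_cmd_t > fwt:
            findings.append("%s block at t=%.4fs answered %.1f ms after the "
                            "command, FWT is %.1f ms"
                            % (kind, t, (t - last_cmd_t) * 1e3, fwt * 1e3))
        if kind == "S(WTX)":
            findings.append("card requested a waiting time extension at t=%.4fs" % t)
    return findings


# Constructed traces: the same two I-block exchanges, first with the card on
# the reader and then with each leg delayed by a wireless hop.
DIRECT_TRACE = [
    (0.0000, "PCD", 0x02), (0.0005, "PICC", 0x02),
    (0.0010, "PCD", 0x03), (0.0016, "PICC", 0x03),
]
RELAYED_TRACE = [
    (0.0000, "PCD", 0x02), (0.0165, "PICC", 0x02),
    (0.0170, "PCD", 0x03), (0.0336, "PICC", 0x03),
]

if __name__ == "__main__":
    for fwi in (4, 14):
        print("FWI=%d FWT=%.1f ms" % (fwi, frame_waiting_time_s(fwi) * 1e3))
        print("  direct :", audit_exchange(DIRECT_TRACE, fwi) or "clean")
        print("  relayed:", audit_exchange(RELAYED_TRACE, fwi) or "clean")
```

Running it shows the point: with FWI 4 (FWT ≈ 4.8 ms) the relayed trace is flagged twice, while with the maximum FWI 14 (FWT ≈ 4.95 s) the same relayed trace passes, which is why a reader that simply accepts whatever FWI the card advertises gets no protection from the timing rule.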

Looking Forward To SHA2017

We’re at the start of August, which can only mean one thing. Europe’s hackers and makers are about to converge in a field somewhere for a long weekend of sitting around drinking beer and Club-Mate, eating unhealthy street food, being assaulted by some of the most underground chiptune electronic dance music on the planet, sharing the fruits of their labours with their peers, and gazing lovingly upon other people’s hacks. This year it’s the turn of the Netherlands, for over the first full weekend in August that country will host the SHA2017 outdoor hacker camp in a scouting camp on the polders. It promises to be quite an event, with just short of 4000 attendees spread over several fields, arenas, and social areas, and we’re going to be there. Tent and power lead with Schuko plug sorted, massive pile of stickers secured, DECT phone charged, emergency supplies of PG Tips packed.

There is so much to take in at these events that it can sometimes be difficult to catch everything. One can do the rounds as diligently as possible and still miss some of the cool stuff, so this is where you come in. Are you going to SHA? Are you bringing anything you consider cool to the event? Tell us about it in the comments; we’d love to hear about it, and we’re sure the rest of our readers would too.

Meanwhile, if you think you’ve missed the boat, don’t panic! At the time of writing, there are about 180 tickets still unsold, but they’ll be going fast! Head over to the SHA2017 tickets site to get yours.

(The stripey header, in case you were wondering, is SHA2017’s branding, using, as you might have guessed, the SHA algorithm to generate HTML colours. What you see are the colours for “Hackaday”.)

Michael Ossmann Pulls DSSS Out Of Nowhere

[Michael Ossmann] spoke on Friday to a packed house in the wireless hacking village at DEF CON 25. There’s still a day and a half of talks remaining but it will be hard for anything to unseat his Reverse Engineering Direct Sequence Spread Spectrum (DSSS) talk as my favorite of the con.

DSSS is a technique used to transmit reliable data where low signal strength and high noise are likely. It’s used in GPS communications where the signal received from a satellite is often far too small for you to detect visually on a waterfall display. Yet we know that data is being received and decoded by every cell phone on the planet. It is also used for WiFi management packets, ZigBee, and found in proprietary systems especially any dealing with satellite communications.

[Michael] really pulled a rabbit out of a hat with his demos which detected the DSSS signal parameters in what appeared to be nothing but noise. You can see below the signal with and without noise; the latter is completely indiscernible as a signal at all to the eye, but can be detected using his techniques.

Detecting DSSS with Simple Math

[Michael] mentioned simple math tricks, and he wasn’t kidding. It’s easy to assume that someone as experienced in RF as he would have a different definition of ‘simple’ than we would. But truly, he’s using multiplication and subtraction to do an awful lot.

DSSS transmits binary values as a set called a chip. The chip for digital 1 might be 11100010010 with the digital 0 being the inverse of that. You can see this in the slide at the top of this article. Normal DSSS decoding compares the signal to expected values, using a correlation algorithm that multiplies the two and gives a score. If the score is high enough, 11 in this example, then a bit has been detected.

To reverse engineer this it is necessary to center on the correct frequency and then detect the chip encoding. GNU Radio is the tool of choice for processing a DSSS capture from a SPOT Connect module designed to push simple messages to a satellite communication network. The first math trick is to multiply the signal by itself and then look at spectrum analysis to see if there is a noticeable spike indicating the center of the frequency. This can then be adjusted with an offset and smaller spikes on either side will be observed.

When visualized in a constellation view you begin to observe a center and two opposite clusters. The next math trick is to square the signal (multiply it by itself) and it will join those opposite clusters onto one side. What this accomplishes is a strong periodic component (the cycle from the center to the cluster and back again) which reveals the chip rate.

Detecting symbols within the chip is another math trick. Subtract each successive value in the signal from the last and you will mostly end up with zero (high signal minus high signal is zero, etc). But every time the signal spikes you’re looking at a transition point and the visualization begins to look like logic traced out on an oscilloscope. This technique can deal with small amounts of noise but becomes more robust with a bit of filtering.
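To make the three tricks concrete, here is an added example in plain Python (not [Michael’s] script, and nothing from his repo). It models a DSSS signal using the 11-chip sequence from the slide, then shows (1) normal correlation decoding with the multiply-and-sum score, (2) the squaring trick: squaring a BPSK signal turns the ±1 data into a constant and leaves a tone at twice the carrier, so the spike in the squared spectrum gives away the center frequency, and (3) the subtraction trick: differencing successive samples yields spikes only at chip boundaries, and the gcd of the gaps between spikes is the chip period. The sample rate, carrier bin, noise levels and the detection threshold (6 rather than the full score of 11, to leave room for noise) are my own choices, and the signal is generated rather than captured.

```python
import math
import random
from functools import reduce
from math import gcd

# Assumed 11-chip sequence from the talk slide: a data 1 is sent as this pattern
# and a data 0 as its inverse. Everything below is a constructed baseband model.
CHIP = [1, 1, 1, 0, 0, 0, 1, 0, 0, 1, 0]
CHIP_BIPOLAR = [1.0 if c else -1.0 for c in CHIP]


def spread(bits, sps=1):
    """Spread each data bit into 11 chips (+1/-1), repeating every chip `sps`
    times to model sampling faster than the chip rate."""
    out = []
    for b in bits:
        for c in CHIP_BIPOLAR:
            out.extend([c if b else -c] * sps)
    return out


def add_noise(samples, sigma, seed=1):
    """Add Gaussian noise with a fixed seed so runs are repeatable."""
    rng = random.Random(seed)
    return [s + rng.gauss(0.0, sigma) for s in samples]


def correlate(window):
    """Multiply 11 received chips by the expected sequence and sum them:
    +11 is a perfect '1', -11 a perfect '0', near 0 means no match."""
    return sum(s * c for s, c in zip(window, CHIP_BIPOLAR))


def despread(samples, threshold=6.0):
    """Normal DSSS decoding: score each 11-chip block; blocks whose |score| is
    below the threshold are reported as None instead of being guessed."""
    n = len(CHIP)
    bits = []
    for i in range(0, len(samples) - n + 1, n):
        score = correlate(samples[i:i + n])
        bits.append(None if abs(score) < threshold else int(score > 0))
    return bits


def modulate(baseband, carrier_bin, n_fft):
    """Put the +-1 chips on a cosine carrier (BPSK); carrier_bin is in cycles
    per n_fft samples so that DFT bins line up with it."""
    return [s * math.cos(2 * math.pi * carrier_bin * i / n_fft)
            for i, s in enumerate(baseband)]


def dft_magnitudes(x):
    """Plain O(n^2) DFT magnitude; fine for a few hundred samples."""
    n = len(x)
    mags = []
    for k in range(n):
        re = sum(v * math.cos(2 * math.pi * k * i / n) for i, v in enumerate(x))
        im = sum(v * math.sin(2 * math.pi * k * i / n) for i, v in enumerate(x))
        mags.append(math.hypot(re, im))
    return mags


def find_carrier_bin(passband):
    """Trick 1: square the signal. (+-1)^2 strips the data, leaving a tone at
    twice the carrier, so the strongest non-DC bin in the lower half of the
    squared signal's spectrum sits at 2 * carrier bin."""
    squared = [v * v for v in passband]
    mags = dft_magnitudes(squared)
    half = len(mags) // 2
    peak = max(range(1, half), key=lambda k: mags[k])
    return peak / 2


def transitions(samples, threshold=1.0):
    """Trick 3: subtract each sample from the previous one. Inside a chip the
    difference is ~0; at a chip boundary where the level flips it spikes."""
    return [i for i in range(1, len(samples))
            if abs(samples[i] - samples[i - 1]) > threshold]


def estimate_chip_period(transition_idx):
    """Gaps between spikes are whole numbers of chips, so their gcd is the chip
    period in samples (the chip rate is the sample rate divided by it)."""
    gaps = [b - a for a, b in zip(transition_idx, transition_idx[1:])]
    return reduce(gcd, gaps)


if __name__ == "__main__":
    data = [1, 0, 1, 1, 0, 0, 1, 0]
    print("decoded:", despread(add_noise(spread(data), 0.3)))
    passband = modulate(spread(data, 4)[:256], 20, 256)
    print("carrier bin from squared spectrum:", find_carrier_bin(passband))
    observed = add_noise(spread(data, 4), 0.15)
    print("chip period (samples):", estimate_chip_period(transitions(observed)))
```

The squaring step is the one worth staring at: the modulated signal has energy smeared across the whole spread bandwidth, but its square is a clean tone at bin 40 for a carrier at bin 20, which is exactly the spike the talk describes finding in what looks like noise.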

This sort of exploration of the signal is both fun and interesting. But if you want to actually get some work done you need a tool. [Michael] built his own in the form of a Python script that reads in a .cfile and spits out the frequency offset, chip rate, chip sequence length, and decoded chip sequence.

Running his sample file through with increasing levels of noise added, the script was rock solid on detecting the parameters of the signal. Interestingly, it is even measuring the 3 parts per million difference between the transmitter and receiver clocks in the detected chip rate value. What isn’t rock solid is the actual bit information, which begins to degrade as the noise is increased. But just establishing the parameters of the protocol being used is the biggest part of the battle and this is a dependable solution for doing that quickly and automatically.

You can give the script a try. It is part of [Michael’s] Clock Recovery repo. This talk was recorded and you should add it to your reminder list for after the con when talks begin to be published. To hold you over until then, we suggest you take a look at his RF Design workshop from the 2015 Hackaday Superconference.

Injecting Code Into Mouse Firmware Should Be Your Next Hack

Here’s a DEF CON talk that uses tools you likely have and it should be your next hacking adventure. In their Saturday morning talk [Mark Williams] and [Rob Stanely] walked through the process of adding their own custom code to a gaming mouse. The process is a crash course in altering a stock firmware binary while still retaining the original functionality.

The jumping off point for their work is the esports industry. The scope of esporting events has blown up in recent years. The International 2016 tournament drew 17,000 attendees with 5 million watching online. The prize pool of $20 million ($19 million of that crowdfunded through in-game purchases) is a big incentive to gain a competitive edge to win. Contestants are allowed to bring their own peripherals, which begs the question: can you alter a stock gaming mouse to do interesting things?

The SteelSeries Sensei mouse was selected for the hack because it has an overpowered microcontroller: the STM32F103CB. With 128 KB of flash the researchers guessed there would be enough extra room for them to add code. STM32 chips are programmed over ST-Link, which is available very inexpensively through the ST Discovery boards. They chose the STM32F4DISCOVERY which runs around $20.

Perhaps the biggest leap in this project is that the firmware wasn’t read-protected. Once the data, clock, and ground pads on the underside of the board were connected to the Discovery board the firmware was easy to dump and the real fun began.

They first looked through the binary for a large block of zero values signifying unused space in flash. The injected firmware is designed to enumerate as a USB keyboard, open Notepad, then type out, save, and execute a PowerShell script before throwing back to the stock firmware (ensuring the mouse would still function as a mouse). Basically, this builds a USB Rubber Ducky into stock mouse firmware.

There are a few useful skills that make taking on this project a worthwhile learning experience. To compile your custom code correctly you need to choose the correct offset address for where it will end up once pasted into the firmware binary. The vector table of the original code must be rewritten to jump to the injected code first, and it will need to jump back to the mouse execution once it has run. The program flow on the left shows this. Both of these jumps require the program counter and registers to be saved and restored. The ARM stack is subtractive and the address will need to be updated to work with the added code.
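The flip side of that procedure is checking a dumped image for exactly those changes. Since the firmware could be read out at all (no readout protection was set), anyone with a Discovery board can also dump a mouse and compare it against a known-good image, and the two tells described above are easy to test for: the reset vector has moved, and it now points into what used to be the zero-filled padding. The script below is an added example, not code from the talk or the MDHomeBrew repo; it builds a constructed “stock” image with a Cortex-M style vector table (initial SP in word 0, reset handler with the Thumb bit in word 1), a constructed “modified” copy with the reset vector redirected into the padding, and a checker that reports the difference. The image layout, sizes and offsets are made up; only the flash base address and the 20 KB SRAM size of the STM32F103CB are real.

```python
import struct

# Constructed sample images standing in for a dumped STM32F103 flash image;
# none of this is the mouse's real firmware. Layout follows the Cortex-M
# convention: word 0 is the initial stack pointer, word 1 the reset handler
# address with bit 0 set for Thumb mode.
FLASH_BASE = 0x08000000
SRAM_BASE = 0x20000000
SRAM_SIZE = 20 * 1024            # SRAM on the STM32F103CB
THUMB_NOP = b"\xC0\x46"          # 'mov r8, r8', the classic Thumb NOP


def parse_vector_table(image):
    sp, reset = struct.unpack_from("<II", image, 0)
    return {"initial_sp": sp,
            "reset_handler": reset & ~1,
            "thumb_bit": bool(reset & 1)}


def largest_padding_run(image, fill=(0x00, 0xFF), minimum=256):
    """Locate the largest block of unused flash (all 0x00 or all 0xFF);
    returns (offset, length) or (None, 0)."""
    best = (None, 0)
    i, n = 0, len(image)
    while i < n:
        if image[i] in fill:
            j = i
            while j < n and image[j] == image[i]:
                j += 1
            if j - i > best[1]:
                best = (i, j - i)
            i = j
        else:
            i += 1
    return best if best[1] >= minimum else (None, 0)


def check_vector_table(image, reference):
    """Compare a dumped image's vector table with a known-good image of the
    same firmware; report anything that points away from the original code."""
    cur, ref = parse_vector_table(image), parse_vector_table(reference)
    findings = []
    if not cur["thumb_bit"]:
        findings.append("reset vector lacks the Thumb bit")
    if not (SRAM_BASE < cur["initial_sp"] <= SRAM_BASE + SRAM_SIZE):
        findings.append("initial SP 0x%08x is outside SRAM" % cur["initial_sp"])
    if cur["initial_sp"] != ref["initial_sp"]:
        findings.append("initial SP changed")
    if cur["reset_handler"] != ref["reset_handler"]:
        findings.append("reset handler moved 0x%08x -> 0x%08x"
                        % (ref["reset_handler"], cur["reset_handler"]))
        off, length = largest_padding_run(reference)
        target = cur["reset_handler"] - FLASH_BASE
        if off is not None and off <= target < off + length:
            findings.append("reset handler now lands in former padding at "
                            "flash offset 0x%x" % target)
    return findings


def build_sample_image(total=0x4000, code_end=0x1000, reset_off=0x100):
    """Constructed 'stock' image: vector table, NOP-filled code, then zeros."""
    img = bytearray(total)
    struct.pack_into("<II", img, 0, SRAM_BASE + SRAM_SIZE, FLASH_BASE + reset_off + 1)
    img[0x40:code_end] = THUMB_NOP * ((code_end - 0x40) // 2)
    return bytes(img)


def tamper_sample_image(image, hook_off=0x2000):
    """Constructed 'modified' image: the reset vector is pointed into the
    padding, which is where the talk's vector-table rewrite sends execution."""
    img = bytearray(image)
    struct.pack_into("<I", img, 4, FLASH_BASE + hook_off + 1)
    img[hook_off:hook_off + 16] = THUMB_NOP * 8
    return bytes(img)


if __name__ == "__main__":
    stock = build_sample_image()
    print("stock   :", check_vector_table(stock, stock) or "clean")
    print("padding :", largest_padding_run(stock))
    modified = tamper_sample_image(stock)
    for finding in check_vector_table(modified, stock):
        print("modified:", finding)
```

A real check would of course diff the whole image rather than just the first two words, but the vector table is where a hook like this has to show up first, and the padding search doubles as a quick measure of how much room a given part leaves for extra code.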

The talk ended with a live demo that worked like a charm. You can check out the code in the MDHomeBrew repo. In this case the PowerShell script adds keyboard shortcuts for DOOM cheats. But like we said before, the experience of getting under the hood with the firmware binary is where the value will be for most people. With this success under your belt you can take on more difficult challenges like [Sprite_TM’s] gaming keyboard hack where the firmware couldn’t easily be dumped and an update binary was quite obfuscated.