Slider

4881 Articles

Hands On: The Hacker Pager

July 31, 2025 by 27 Comments

It should come as no surprise that the hacker community has embraced the Meshtastic project. It’s got a little bit of everything we hold dear: high quality open source software, fantastic documentation, a roll-your-own hardware ethos, and just a dash of counterculture. An off-grid communications network cobbled together from cheap parts, some of which being strategically hidden within the urban sprawl by rogue operators, certainly sounds like the sort of thing you’d read about it in a William Gibson novel.

But while the DIY nature of Meshtastic is one of its most endearing features for folks like us, it can also be seen as one of its weak spots. Right now, the guidance for those looking to get started is to pick a compatible microcontroller development board, 3D print a case for it, screw on an antenna from AliExpress, flash your creation with the latest firmware, and then spend some quality time with the documentation and configuration tools to actually get it on the air. No great challenge for the average Hackaday reader, but a big ask for the weekend adventurer that’s just looking for a way to keep in touch with their friends while camping.

Quality hardware that offers a turn-key experience will be critical to elevating Meshtastic from a hobbyist’s pastime to something that could actually be fielded for applications such as search and rescue. Plus, let’s be honest, even those of us who like to put together our own gadgets can appreciate a more consumer-oriented piece of hardware from time to time. Especially if that hardware happens to be open source and designed to empower the user rather than hold them back.

Enter the Hacker Pager from exploitee.rs. As the name implies, it’s still very much a device intended for hackers — a piece of hardware designed for the halls of DEF CON rather than trekking through the wilderness. But it’s also an important step towards a new generation of Meshtastic hardware that meets the high standard of quality set by the software itself.

Continue reading “Hands On: The Hacker Pager”

Farewell Shunsaku Tamiya: The Man Who Gave Us The Best Things To Build

July 31, 2025 by 36 Comments

In the formative experiences of most Hackaday readers there will almost certainly be a number of common threads, for example the ownership of a particular game console, or being inspired into engineering curiosity by the same TV shows. A home computer of a TV show may mark you as coming from a particular generation, but there are some touchstones which cross the decades.

Of those, we are guessing that few readers will not at some point have either built, owned, or lusted after a Tamiya model kit at some point over the last many decades, so it’s with some sadness that we note the passing of Mr. Tamiya himself, Shunsaku Tamiya, who has died at the age of 90.

Continue reading “Farewell Shunsaku Tamiya: The Man Who Gave Us The Best Things To Build”

Power Line Patrols: The Grid’s Eye In The Sky

July 29, 2025 by 18 Comments

Those of us who like to monitor air traffic with ADS-B aggregators such as FlightAware and ADS-B Exchange tend to see some interesting flight paths. I’m not talking about the truly ambitious pictures drawn by pilots, or even the more ribald ones, but rather flights that follow paths that seem to make little sense from either a commercial or leisure standpoint.

Most of these mystery flights have long straight stretches interrupted by occasional tight loops, and often cover great distances across rural and urban landscapes alike. A glance at the ADS-B data indicates that these flights are usually pretty close to the ground, and are often completed by helicopters. Occasionally, the registration of the aircraft will even indicate ownership by some “three-letter” federal agency.

Although mystery helicopters flying odd patterns in the sky seems like a good excuse to don a tinfoil hat and head to one’s bunker, chances are pretty good that these aircraft are engaged in a far less nefarious and far more useful endeavour: aerial transmission line patrols. These flights are key to keeping the transmission lines that form the backbone of the grid in tip-top shape, especially at a time of unprecedented growth in load and a shift in the generation profile away from fossil fuels towards renewables.

Continue reading “Power Line Patrols: The Grid’s Eye In The Sky”

Hackaday Links Column Banner

Hackaday Links: July 27, 2025

July 27, 2025 by 9 Comments

Sad breaking news late this Sunday afternoon of the passing of nerd icon Tom Lehrer at 97. Coming up through the culture, knowing at least a few of Tom’s ditties, preferably “The Elements” or “Poisoning Pigeons in the Park,” was as essential to proving one’s bona fides as committing most Monty Python bits to memory. Tom had a way with words that belied his background as a mathematician, spicing his sarcastic lyrics with unusual rhymes and topical references that captured the turbulence of the late 50s and early 60s, which is when he wrote most of his well-known stuff. First Ozzy, then Chuck Mangione, now Tom Lehrer — it’s been a rough week for musicians.

Here we go again. It looks like hams have another spectrum grab on their hands, but this time it’s the popular 70-cm band that’s in the crosshairs. Starlink wannabe AST SpaceMobile, which seeks to build a constellation of 248 ridiculously large communication satellites to offer direct-to-device service across the globe, seeks a substantial chunk of the 70-cm band, from 430 to 440 MHz, to control the satellites. This is smack in the middle of the 70-cm amateur radio band allocation here in the US, but covers the entire band for unlucky hams in Europe and the UK. The band is frequently used for repeaters, which newbie hams can easily access using a cheap hand-held radio to start learning the ropes.

Continue reading “Hackaday Links: July 27, 2025”

Personalization, Industrial Design, And Hacked Devices

July 26, 2025 by 28 Comments

[Maya Posch] wrote up an insightful, and maybe a bit controversial, piece on the state of consumer goods design: The Death Of Industrial Design And The Era Of Dull Electronics. Her basic thesis is that the “form follows function” aesthetic has gone too far, and all of the functionally equivalent devices in our life now all look exactly the same. Take the cellphone, for example. They are all slabs of screen, with a tiny bezel if any. They are non-objects, meant to disappear, instead of showcases for cool industrial design.

Of course this is an extreme example, and the comments section went wild on this one. Why? Because we all want the things we build to be beautiful and functional, and that has always been in conflict. So even if you agree with [Maya] on the suppression of designed form in consumer goods, you have to admit that it’s not universal. For instance, none of our houses look alike, even though the purpose is exactly the same. (Ironically, architecture is the source of the form follows function fetish.) Cars are somewhere in between, and maybe the cellphone is the other end of the spectrum from architecture. There is plenty of room for form and function in this world.

But consider the smartphone case – the thing you’ve got around your phone right now. In a world where people have the ultimate homogeneous device in their pocket, one for which slimness is a prime selling point, nearly everyone has added a few millimeters of thickness to theirs, aftermarket, in the form of a decorative case. It’s ironically this horrendous sameness of every cell phone that makes us want to ornament them, even if that means sacrificing on the thickness specs.

Is this the same impetus that gave us the cyberdeck movement? The custom mechanical keyboard? All kinds of sweet hacks on consumer goods? The need to make things your own and personal is pretty much universal, and maybe even a better example of what we want out of nice design: a device that speaks to you directly because it represents your work.

Granted, buying a phone case isn’t necessarily creative in the same way as hacking a phone is, but it at least lets you exercise a bit of your own design impulse. And it frees the designers from having to make a super-personal choice like this for you. How about a “nothing” design that affords easy personalized ornamentation? Has the slab smartphone solved the form-versus-function fight after all?

This article is part of the Hackaday.com newsletter, delivered every seven days for each of the last 200+ weeks. It also includes our favorite articles from the last seven days that you can see on the web version of the newsletter. Want this type of article to hit your inbox every Friday morning? You should sign up!

Hackaday Podcast Episode 330: Hover Turtles, Dull Designs, And K’nex Computers

July 25, 2025 by 1 Comment

What did you miss on Hackaday last week? Hackaday’s Elliot Williams and Al Williams are ready to catch you up on this week’s podcast. First, though, the guys go off on vibe coding and talk about a daring space repair around Jupiter.

Then it is off to the hacks, including paste extruding egg shells, bespoke multimeters, and an 8-bit mechanical computer made from a construction toy set.

For can’t miss articles, you’ll hear about boring industrial design in modern cell phones and a deep dive into how fresh fruit makes it to your table in the middle of the winter.

Check out the links below if you want to follow along, and as always, tell us what you think about this episode in the comments!

The DRM-free MP3 was stored in a public refrigerated warehouse to ensure freshness. Why not download it and add it to your collection?

Where to Follow Hackaday Podcast

Places to follow Hackaday podcasts:

Continue reading “Hackaday Podcast Episode 330: Hover Turtles, Dull Designs, And K’nex Computers”

This Week In Security: Sharepoint, Initramfs, And More

July 25, 2025 by 12 Comments

There was a disturbance in the enterprise security world, and it started with a Pwn2Own Berlin. [Khoa Dinh] and the team at Viettel Cyber Security discovered a pair of vulnerabilities in Microsoft’s SharePoint. They were demonstrated at the Berlin competition in May, and patched by Microsoft in this month’s Patch Tuesday.

This original exploit chain is interesting in itself. It’s inside the SharePoint endpoint, /_layouts/15/ToolPane.aspx. The code backing this endpoint has a complex authentication and validation check. Namely, if the incoming request isn’t authenticated, the code checks for a flag, which is set true when the referrer header points to a sign-out page, which can be set arbitrarily by the requester. The DisplayMode value needs set to Edit, but that’s accessible via a simple URL parameter. The pagePath value, based on the URL used in the call, needs to start with /_layouts/ and end with /ToolPane.aspx. That particular check seems like a slam dunk, given that we’re working with the ToolPane.aspx endpoint. But to bypass the DisplayMode check, we added a parameter to the end of the URL, and hilariously, the pagePath string includes those parameters. The simple work-around is to append another parameter, foo=/ToolPane.aspx.

Putting it together, this means a POST of /_layouts/15/ToolPane.aspx?DisplayMode=Edit&foo=/ToolPane.aspx with the Referrer header set to /_layouts/SignOut.aspx. This approach bypasses authentication, and allows a form parameter MSOTlPn_DWP to be specified. These must be a valid file on the target’s filesystem, in the _controltemplates/ directory, ending with .iscx. But it grants access to all of the internal controls on the SafeControls list.

There’s an entire second half to [Khoa Dinh]’s write-up, detailing the discovery of a deserialization bug in one of those endpoints, that also uses a clever type-confusion sort of attack. The end result was remote code execution on the SharePoint target, with a single, rather simple request. Microsoft rolled out patches to fix the exploit chain. The problem is that Microsoft often opts to fix vulnerabilities with minimal code changes, often failing to fix the underlying code flaws. This apparently happened in this case, as the authentication bypass fix could be defeated simply by adding yet another parameter to the URL.

These bypasses were found in the wild on July 19th, and Microsoft quickly confirmed. The next day, the 20th, Microsoft issued an emergency patch to address the bypasses. The live exploitation appears to be coming from a set of Chinese threat actors, with a post-exploitation emphasis on stealing data and maintaining access. There seem to be more than 400 compromised systems worldwide, with some of those being rather high profile.

Continue reading “This Week In Security: Sharepoint, Initramfs, And More”