2022 FPV Contest: Congratulations To The Winners!

We wanted to see what the Hackaday crowd was up to in first-person view tech, and you didn’t disappoint! Commercial FPV quads have become cheap enough these days that everyone and their mom got one for Christmas, so it was fantastic to see the DIY spirit in these projects. Thanks to everyone who entered.

The Winners

None of the entries do the DIY quite as thoroughly as [JP Gleyzes]’s “poor man’s FPV journey”. This is actually three hacks in one, with DIY FPV goggles made from cheap optics and 3D printed additions, a USB joystick to PPM adapter to use arbitrary controllers with an RC transmitter, and even a fully DIY Bluetooth-based controller for a popular flight simulator. [JP] has done everything but build his own drone, and all the files are there for you to use, whether your goal is to do it on the cheap, or to do something new.

If you want to build your own drone from scratch, though, the ESP32 Drone project has you covered. At least, mostly. This build isn’t entirely finished yet, and it’s definitely got some crash-testing still in its future, but the scope and accessibility of the project are what caught our eyes. The goal is to make a lightweight indoor quad around parts we can all get easily and cheaply, completely scratch-built. This drone is meant to be controlled by a smartphone, and the coolest parts for us are the ESP_Drone and ESPStream software that run on the drone and your phone respectively. Congrats to [Jon VB]! Now get that thing in the air.

And if you’re looking for a tidy little build, [Tobias]’s Mini FPV Speed Tank doesn’t disappoint. It’s a palm-sized mini tank, but this thing hauls, and looks like a ton of fun to drive around. It uses an absolutely tiny RP2040 module, an equally tiny receiver, and a nano FPV camera and transmitter to keep it compact. The 3D-printed frame and tracks are so nice that we’re not even complaining that the FPV rig is simply rubber-banded on top of the battery. This looks like a super fun build.

Each of these three projects has won a $150 Digi-Key shopping spree to help out with parts in this, or your next project. Thanks again to Digi-Key for sponsoring!


Machining With Electricity Hack Chat

Join us on Wednesday, January 18 at noon Pacific for the Machining with Electricity Hack Chat with Daniel Herrington!

With few exceptions, metalworking has largely been about making chips, and finding something hard enough and tough enough to cut those chips has always been the challenge. Whether it’s high-speed steel, tungsten carbide, or even little chunks of rocks like garnet or diamond, cutting metal has always used a mechanical interaction between tool and stock, often with spectacular results.

But then, some bright bulb somewhere realized that electricity could be used to remove metal from a workpiece in a controlled fashion. Whether it’s using electric sparks to erode metal — electric discharge machining (EDM) — or using what amounts to electroplating in reverse — electrochemical machining (ECM) — electrical machining methods have made previously impossible operations commonplace.

While the technology behind ExM isn’t really that popular in the hobby machine shop yet, a lot of the equipment needed and the methods to make it all work are conceivably DIY-able. But the first step toward that is understanding how it all works, and we’re lucky enough to have Daniel Herrington stop by the Hack Chat to help us out with that. Daniel is CEO and founder of Voxel Innovations, a company that’s on the cutting edge of electrochemical machining with its pulsed ECM technology. There’s a lot to unpack, so make sure you stop by so we can all get up to speed on what’s up with using electricity to do the machining.

Our Hack Chats are live community events in the Hackaday.io Hack Chat group messaging. This week we’ll be sitting down on Wednesday, January 18 at 12:00 PM Pacific time. If time zones have you tied up, we have a handy time zone converter.


Hackaday Links: January 15, 2023

It looks like the Martian winter may have claimed another victim, with reports that Chinese ground controllers have lost contact with the Zhurong rover. The solar-powered rover was put into hibernation back in May 2022, thanks to a dust storm that kicked up a couple of months before the start of local winter. Controllers hoped that they would be able to reestablish contact with the machine once Spring rolled around in December, but the rover remains quiet. It may have suffered the same fate as Opportunity, which had its solar panels covered in dust after a planet-wide sandstorm and eventually gave up the ghost.

What’s worse, it seems like the Chinese are having trouble talking to the Tianwen-1 orbiter, too. There are reports that controllers can’t download data from the satellite, which is a pity because it could potentially be used to image the Zhurong landing site in Utopia Planitia to see what’s up. All this has to be taken with a grain of dust, of course, since the Chinese aren’t famously transparent with their space program. But here’s hoping that both the rover and the orbiter beat the odds and start doing science again soon.


Too Many Pixels

Sometimes simpler is more impressive than complicated, and part of this is certainly due to Arthur C. Clarke’s third law: “Any sufficiently advanced technology is indistinguishable from magic.” It’s counter-intuitive, though, that a high-tech project would seem any less amazing than a simpler one, but hear me out.

I first noticed this ages ago, when we were ripping out the blue laser diodes from Casio XJ-A130 laser projectors back when this was the only way to get a powerful blue laser diode. Casio had bought up the world’s supply of the 1.5 W Nichias, and was putting 24 of them in each projector, making them worth more dead than alive, if you know what I mean. Anyway, we were putting on a laser show, and the bright blue diode laser was just what we needed.

RGB Laser show
A sweeter setup than mine, but you get the idea. 

Color laser setups take three or more different lasers, combine the beams, and then bounce them off of mirrors attached to galvos. Steer the mirrors around, and you can project vector images. It’s pretty cool tech, and involves some serious fine-tuning, but the irony here is that we were tearing apart a device with 788,736 microscopic DLP mirrors to point the lasers through just two. And yet, a DIY laser show is significantly cooler than just putting up your powerpoint on the office wall.

The same thing goes for 2D plotting machines like the AxiDraw. The astonishing tech behind any old laser printer is mind-numbing. Possibly literally. Why else would we think that art drawn out by a pen in the hands of a stepper-powered robot is cooler than the output of a 1600 DPI unit coming from HP’s stable? I mean, instead of running an hours-long job to put ink on paper with a pen, my Laserjet puts out an image in ten seconds. But it’s just not as much fun.

So here we are, in an age where there’s so darn much magic all around us, in the form of sufficiently advanced technology, that comprehensible devices are actually more impressive. And my guess is that it’s partly because it’s not surprising when a device that’s already magic does something magical. I mean, that’s just what it’s supposed to do. Duh!

But when something beautiful emerges from a pair of mirrors epoxied to shafts on springs turned by copper coils, that’s real magic.

Hackaday Podcast 201: Faking A Transmission, Making Nuclear Fuel, And A Slidepot With A Twist

Even for those with paraskevidekatriaphobia, today is your lucky day as Editor-in-Chief Elliot Williams and Staff Writer Dan Maloney sit under ladders with umbrellas while holding black cats to talk about the week in awesome hacks. And what a week it was, with a Scooby Doo code review, mushrooms in your PCBs, and the clickiest automatic transmission that never was. Have you ever flashed the firmware on a $4 wireless sensor? Maybe you should try. Wondering how to make a rotary Hall sensor detect linear motion? We’ll answer that too. Will AI muscle the dungeon master out of your D&D group? That’s a hard no. We’ll talk about a new RISC-V ESP32, making old video new again, nuclear reactor kibble, and your least satisfying repair jobs. And yes, everyone can relax — I’m buying her a new stove.

Download the podcast in case our servers get unlucky.

Check out the links below if you want to follow along, and as always, tell us what you think about this episode in the comments!


This Week In Security: Cacti RCE, VMs In The Browser, And SugarCRM

This week we start with a Remote Code Execution (RCE) vulnerability that has potential to be a real pain for sysadmins. Cacti, the system monitoring and graphing solution, has a pair of bugs that chain together to allow an attacker with unauthenticated access to the HTTP/S port to trivially execute bash commands. The first half of this attack is an authentication bypass, and it’s embarrassingly trivial. The Cacti authentication code trusts the Forwarded-For: header in the request. Set it to the server’s IP, and the authentication code treats it like a localhost request, bypassing any real authentication process.

The second half is found in the remote_agent.php endpoint, where the poller_id is set by the user and treated as a string. Then, if the right host_id and local_data_id item is triggered, that string is concatenated into a proc_open() function call. The string isn’t sanitized, so it’s trivial enough to include a second command to run, dropping a webshell, for instance.

Version 1.2.23 of Cacti contains the fix, and was released on the 2nd. This one is likely to be exploited, and if automated exploitation hasn’t started already, it likely will soon. So if you have a Cacti install, go double-check that the interface isn’t exposed to the world.
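The two hardening points implied by the chain above, as an added JavaScript sketch that is not Cacti's code (Cacti is PHP): honour a forwarding header only when the TCP peer is a proxy you operate, and parse poller_id as an integer before it gets anywhere near a process launch. The header name `x-forwarded-for`, the proxy address, the script path and all function names are assumptions made for illustration.

```javascript
// Constructed example; every name and address here is hypothetical.
const TRUSTED_PROXIES = new Set(['10.0.0.5']); // assumed: our own reverse proxy

// Resolve the client address. A forwarding header is honoured only when the
// TCP peer is a proxy we operate; from any other peer it is untrusted input.
function clientAddress(peerAddr, headers) {
  const fwd = headers['x-forwarded-for'];
  if (typeof fwd === 'string' && TRUSTED_PROXIES.has(peerAddr)) {
    // The rightmost entry is the one our own proxy appended.
    return fwd.split(',').pop().trim();
  }
  return peerAddr;
}

// Authorization decision based on the resolved address, not the raw header.
function isAuthorizedPoller(peerAddr, headers, allowedPollers) {
  return allowedPollers.has(clientAddress(peerAddr, headers));
}

// Parse poller_id strictly as a decimal integer; reject everything else.
function parsePollerId(raw) {
  if (typeof raw !== 'string' || !/^[0-9]{1,9}$/.test(raw)) {
    throw new RangeError('poller_id must be a decimal integer');
  }
  return Number(raw);
}

// Build an argument vector rather than a shell string, so the value can only
// ever be one argument (e.g. for child_process.execFile).
function buildPollerArgv(scriptPath, rawPollerId) {
  return [scriptPath, '--poller', String(parsePollerId(rawPollerId))];
}
```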

JSON Web Token

Researchers at Unit 42 found an exploit that can be used to achieve an RCE in the JsonWebToken project. The issue is this library’s verify() function, which takes arguments of the token to check, the key to use, and options. If there aren’t any algorithms specified in the options object, then the key is processed as a PEM string. The toString() method of that key is called during the actual check, and the assumption is that it’s either a string or buffer. But what if the key passed in to the verify() function was actually a complex object, bringing its own toString() method along to play? At that point, we have arbitrary code execution. And if this code is running on the server-side under node.js, that means a popped server.

But wait, it’s not that simple, right? It’s not like a valid JWT can contain an arbitrary object — that would be a problem all on its own. So CVE-2022-23529 is a stepping-stone. It’s insecure code, but the rest of the application has to have another vulnerability for this one to be reachable.
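A caller-side guard for the situation described above, as an added example that is not the jsonwebtoken library's code: a small HS256 verifier built on Node's crypto module that insists on an explicit algorithms list and rejects any key that is not a string or Buffer before anything coerces it. The function names, the allow-list and the sample secret are constructed for illustration.

```javascript
// Constructed example, not the jsonwebtoken source. Uses only Node's crypto.
const crypto = require('node:crypto');

const ALLOWED_ALGS = ['HS256']; // explicit allow-list, never inferred from the key

// Accept only strings and Buffers. Any other value could bring its own
// toString(), which is the code path the paragraph above describes.
function assertSafeKey(key) {
  if (typeof key === 'string' || Buffer.isBuffer(key)) return key;
  throw new TypeError('key must be a string or Buffer');
}

function decodePart(part) {
  return JSON.parse(Buffer.from(part, 'base64url').toString('utf8'));
}

function verifyHs256(token, key, options = {}) {
  const algs = options.algorithms;
  if (!Array.isArray(algs) || algs.length === 0 ||
      !algs.every((a) => ALLOWED_ALGS.includes(a))) {
    throw new Error('options.algorithms must be an explicit allow-list');
  }
  const safeKey = assertSafeKey(key); // runs before any use of the key
  if (typeof token !== 'string') throw new TypeError('token must be a string');
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('malformed token');
  if (!algs.includes(decodePart(parts[0]).alg)) {
    throw new Error('algorithm not allowed');
  }
  const expected = crypto.createHmac('sha256', safeKey)
    .update(parts[0] + '.' + parts[1]).digest();
  const given = Buffer.from(parts[2], 'base64url');
  if (given.length !== expected.length ||
      !crypto.timingSafeEqual(given, expected)) {
    throw new Error('invalid signature');
  }
  return decodePart(parts[1]);
}

// Helper that signs a constructed sample token so the example runs offline.
function signHs256(payload, key) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString('base64url');
  const body = enc({ alg: 'HS256', typ: 'JWT' }) + '.' + enc(payload);
  const sig = crypto.createHmac('sha256', key).update(body).digest('base64url');
  return body + '.' + sig;
}
```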


3D Printering: Can You Ever Have Enough Vitamins?

As a community we owe perhaps more than we realise to the RepRap project. From it we get not only a set of open-source printer designs, but also the fact that 3D printing at our level has never become dominated by proprietary manufacturers in the way that, for example, paper printing is. The idea of a printer that can reproduce itself has never quite been fully realised though, because of what the RepRap community refer to as “vitamins”.

These are the mass-produced parts such as nuts, bolts, screws, and other parts which a RepRap printer can’t (yet) create for itself. It’s become a convenience among some of my friends to use this term in general for small pieces of hardware, which leads me to last week. I had a freshly printed prototype of one of my projects, and my hackerspace lacked the tiny self-tapping screws necessary for me to assemble it. Where oh where, was my plaintive cry, are the vitamins!

So my hackerspace is long on woodscrews for some reason, and short on machine screws and self-tappers. And threaded inserts for that matter, but for some reason it’s got a kit of springs. I’m going to have to make an AliExpress order to fix this, so maybe I need you lot to help me. Just what vitamins does a lone hardware hacker or a hackerspace need?