Not On The Internet

July 2, 2022 by Elliot Williams 106 Comments

Whenever you need to know something, you just look it up on the Internet, right? Using the search engine of your choice, you type in a couple keywords, hit enter, and you’re set. Any datasheet, any protocol specification, any obscure runtime error, any time. Heck, you can most often find some sample code implementing whatever it is you’re looking for. In a minute or so.

It is so truly easy to find everything technical that I take it entirely for granted. In fact, I had entirely forgotten that we live in a hacker’s utopia until a couple nights ago, when it happened again: I wanted to find something that isn’t on the Internet. Now, to be fair, it’s probably out there and I just need to dig a little deeper, but the shock of not instantly finding the answer to a random esoteric question reminded me how lucky we actually are 99.99% of the time when we do find the answer straight away.

So great job, global hive-mind of über-nerds! This was one of the founding dreams of the Internet, that all information would be available to everyone anywhere, and it’s essentially working. Never mind that we can stream movies or have telcos with people on the other side of the globe – when I want a Python library for decoding Kansas City Standard audio data, it’s at my fingertips. Detailed SCSI specifications? Check.

But what was my search, you ask? Kristina and I were talking about Teddy Ruxpin, and I thought that the specification for the servo track on the tape would certainly have been reverse engineered and well documented. And I’m still sure it is – I was just shocked that I couldn’t instantly find it. The last time this happened to me, it was the datasheet for the chips that make up a Speak & Spell, and it turned out that I just needed to dig a lot harder. So I haven’t given up hope yet.

And deep down, I’m a little bit happy that I found a hole in the Internet. It gives Kristina and me an excuse to reverse engineer the format ourselves. Sometimes ignorance is bliss. But for the rest of those times, when I really want the answer to a niche tech question, thanks everyone!

Unraveling The Hackaday Podcast Hidden Message

July 1, 2022 by Tom Nardi 7 Comments

When Elliot and I record the raw audio for the weekly podcast, it’s not unusual for us to spend the better part of two hours meandering from topic to topic. During one of these extended gab sessions, we wondered if it would be possible to embed a digital signal into the podcast in such a way that it could be decoded by the listener. Of course, storing and transmitting data via sound is nothing new — but the podcast format itself introduced some level of uncertainty.

Would the encoded sound survive the compression into MP3? Would the syndication service that distributes the file, or the various clients listeners will use to play it back, muddy the waters even further? Was it possible that the whole episode would get flagged somewhere along the line as malicious? After a bit of wild speculation, the conversation moved on to some other topic, and the idea was left to stew on one of our infinite number of back burners.

That is, until Elliot went on vacation a couple weeks back. In place of a regular episode, we agreed that I’d try my hand at putting together a special edition that consisted of pre-recorded segments from several of the Hackaday contributors. We reasoned this simplified approach would make it easier for me to edit, or to look at it another way, harder for me to screw up. For the first time, this gave me the chance to personally oversee the recording, production, and distribution of an episode. That, and the fact that my boss was out of town, made it the perfect opportunity to try and craft a hidden message for the Hackaday community to discover.

I’m now happy to announce that, eleven days after the EMF Camp Special Edition episode was released, ferryman became the first to figure out all the steps and get to the final message. As you read this, a coveted Hackaday Podcast t-shirt is already being dispatched to their location.

As there’s no longer any competition to see who gets there first, I thought it would be a good time to go over how the message was prepared, and document some interesting observations I made during the experiment.

Continue reading “Unraveling The Hackaday Podcast Hidden Message” →

Hackaday Podcast 175: Moonrocks And Cockroach Chyme, A Raspberry Pi IPad, And A Retro-Respectful Tape Deck

July 1, 2022 by Kristina Panos No comments

Join Editor-in-Chief Elliot Williams and Assignments Editor Kristina Panos as we cuss and discuss all the gnarliest hacks from the past week. We kick off this episode with a gentle reminder that the Odd Inputs and Peculiar Peripherals Contest ends this Monday, July 4th, at 8:30 AM PDT. We’ve seen a ton of cool entries so far, including a new version of [Peter Lyons]’ Squeezebox keyboard that we’re itching to write up for the blog.

In other contest news, the Round 2 winners of the Reuse, Recycle, Revamp challenge of the 2022 Hackaday Prize have been announced. Elliot is super stoked about [Jason Knight]’s open-source recycled skateboard deck-making apparatus, and Kristina wishes she had the time and money to build some of the fundamental Precious Plastic machines.

Elliot managed to stump Kristina with this week’s What’s That Sound, though she probably should have made a semi-educated guess. From there, it’s on to missing moon rocks and the word of the day before we get into a handful of contest entries, including a mechanical keyboard to end all mechanical keyboards.

This really just scratches the surface of this week’s show, which includes some new hardware stuffed into old, as well as modern implementations of old technology. And in case you didn’t get enough of Kristina’s childhood memoirs, she goes a bit deeper into the teddy bears and telephones rooms of her memory palace.

Direct download, record it to tape, and play it on your boombox.

Check out the links below if you want to follow along, and as always, tell us what you think about this episode in the comments!

Continue reading “Hackaday Podcast 175: Moonrocks And Cockroach Chyme, A Raspberry Pi IPad, And A Retro-Respectful Tape Deck” →

This Week In Security: Zimbra RCE, Routers Under Attack, And Old Tricks In WebAssembly

July 1, 2022 by Jonathan Bennett 8 Comments

There’s a problem in the unrar utility, and as a result, the Zimbra mail server was vulnerable to Remote Code Execution by simply sending an email. So first, unrar is a source-available command-line application made by RarLab, the same folks behind WinRAR. CVE-2022-30333 is the vulnerability there, and it’s a classic path traversal on archive extraction. One of the ways this attack is normally pulled off is by extracting a symlink to the intended destination, which then points to a location that should be restricted. unrar has code hardening against this attack, but is sabotaged by its cross-platform support. On a Unix machine, the archive is checked for any symbolic links containing the ../ pattern. After this check is completed, a function runs to convert any Windows paths to Unix notation. As such, the simply bypass is to include symlinks using ..\ traversal, which don’t get caught by the check, and then are converted to working directories.

That was bad enough, but Zimbra made it worse by automatically extracting .rar attachments on incoming emails, in order to run a virus and spam check. That extraction isn’t sandboxed, so an attacker’s files are written anywhere on the filesystem the zimbra user can write. It’s not hard to imagine how this turns into a full RCE very quickly. If you have an unrar binary based on RarLab code, check for version 6.1.7 or 6.12 of their binary release. While Zimbra was the application specifically called out, there are likely to be other cases where this could be used for exploitation.
Continue reading “This Week In Security: Zimbra RCE, Routers Under Attack, And Old Tricks In WebAssembly” →

Raspberry Pi Pico W Adds Wireless

June 30, 2022 by Elliot Williams 63 Comments

News just in from the folks at Raspberry Pi: the newest version of their Pico has WiFi and is called, obviously, the Pico W. We were going to get our hands on a sample unit and kick its tires, but it’s stuck in customs. Boo! So until it shows up, here’s what we can glean from the press releases and documentation.

The Pico is, of course, the Raspberry Pi microcontroller dev board based on their RP2040 microcontroller. This in turn has two Cortex M0+ cores and a good chunk of onboard RAM, which has made it a popular target for MicroPython. They had some extra real estate on the PCB, so they’ve added an Infineon CYW43439 WiFi chip, and voila: Pico W.

As of now, the WiFi is supported in both the C SDK and the pre-baked MicroPython image. It looks trivially easy to get it working, and it’s based on the time-tested lwIP stack, a classic in the embedded world. The CYW43439 is also Bluetooth capable, but there’s no firmware support for that yet, but we wouldn’t be surprised if it showed up soon.

The price? $6 for the whole shooting match. You can view this two ways: a small $2 premium over the old Pico, or a price increase of 50%. How you see things probably depends on your order quantity. Either way, it’s firmly in the ESP32 module price range, so you’ve got some comparison shopping to do if your project needs a microcontroller and WiFi. And in these days of silicon shortages, it’s nice to have a couple of options.

Bare-Metal STM32: Adding An Analog Touch With ADCs

June 29, 2022 by Maya Posch 11 Comments

An Analogue to Digital Converter (ADC) is at its core a straight-forward device: by measuring an analog voltage within a set range and converting the measured level to a digital value we can use this measurement value in our code. Through the use of embedded ADCs in microcontrollers we can address many essential use cases, ranging from measuring the setting on a potentiometer, to reading an analog output line on sensors, including the MCU’s internal temperature and voltage sensors.

The ADCs found in STM32 MCUs have a resolution between 12 to 16 bits, with the former being the most common type. An ADC can be configured to reduce this resolution, set a specific sampling speed, and set up a multi-mode configuration depending on the exact ADC peripheral. STM32 MCUs feature at least a single ADC peripheral, while some have multiple. In this article we will take a look at how to configure and use the basic features of the ADCs in STM32 MCUs, specifically the ADCs found in F0 and the ADC5_V1_1 type as found in most F3-family MCUs.

Continue reading “Bare-Metal STM32: Adding An Analog Touch With ADCs” →

2022 Hackaday Prize: Reuse, Recycle, Revamp Finalists

June 28, 2022 by Elliot Williams 13 Comments

The 2022 Hackaday Prize is focused on taking care of the planet. The theme of our second challenge round, “Reduce, Recycle, Revamp” is all about tailoring your projects to make use of existing resources and keeping material out of the landfill rather than contributing to it. Our judges have scrutinized the entries and handed me the sealed envelope. All of these ten projects will receive $500 right now and are eligible for the Grand Prize of $50,000, to be announced in November.

We were looking for two broad types of recycling projects in this round, either projects that incorporate a significant recycled component in their build, or projects that facilitate recycling themselves, and frankly we got a good mix of both!
Continue reading “2022 Hackaday Prize: Reuse, Recycle, Revamp Finalists” →