Hackaday Podcast 168: Math Flattens Spheres, FPGAs Emulate Arcades, And We Can’t Shake Polaroid Pictures

Join Hackaday Editor-in-Chief Elliot Williams and Staff Writer Dan Maloney as they review the top hacks for the week. It was a real retro-fest this time, with a C64 built from (mostly) new parts, an Altoids Altair, and learning FPGAs via classic video games. We also looked at LCD sniffing to capture data from old devices, reimagined the resistor color code, revisited the magic of Polaroid instant cameras, and took a trip down television’s memory lane. But it wasn’t all old stuff — there’s flat-packing a sphere with math, spraying a fine finish on 3D printed parts, a DRM-free label printer, and a look at what’s inside that smartphone in your pocket — including some really weird optics.

Check out the links below if you want to follow along, and as always, tell us what you think about this episode in the comments below!

This Week In Security: F5 Twitter PoC, Certifried, And Cloudflare Pages Pwned

F5’s BIG-IP platform has a Remote Code Execution (RCE) vulnerability: CVE-2022-1388. This one is interesting, because a Proof of Concept (PoC) was quickly reverse engineered from the patch and released on Twitter, among other places.

HORIZON3.ai researcher [James Horseman] wrote an explainer that sums up the issue nicely. User authentication is handled by multiple layers, one being a Pluggable Authentication Modules (PAM) module, and the other internally in a Java class. In practice this means that if the PAM module sees an X-F5-Auth-Token, it passes the request on to the Java code, which then validates the token to confirm it as authentic. If a request arrives at the Java service without this header, and instead the X-Forwarded-Host header is set to localhost, the request is accepted without authentication. The F5 authentication scheme isn’t naive, and a request without the X-F5-Auth-Token header gets checked by PAM, and dropped if the authentication doesn’t check out.

So where is the wiggle room that allows for a bypass? Yet another HTTP header, the Connection header. Normally this one only comes in two varieties, Connection: close and Connection: keep-alive. Really, this header is a hint describing the connection between the client and the edge proxy, and the contents of the Connection header are the list of other headers to be removed by a proxy. It’s essentially the list of headers that only apply to the connection over the internet.

Can You Help NASA Build A Mars Sim In VR?

No matter your project or field of endeavor, simulation is a useful tool for finding out what you don’t know. In many cases, problems or issues aren’t obvious until you try and do something. Where doing that thing is expensive or difficult, a simulation can be a low-stakes way to find out some problems without huge costs or undue risks.

Going to Mars is about as difficult and expensive as it gets. Thus, it’s unsurprising that NASA relies on simulations in planning its missions to the Red Planet. Now, the space agency is working to create a Mars sim in VR for training and assessment purposes. The best part is that you can help!

Bare-Metal STM32: Using The I2C Bus In Master-Transceiver Mode

I2C is one of the most popular buses today for on- and inter-board communication within systems, so there’s a good chance you’ll end up using it with an embedded system. I2C offers a variety of speeds while requiring only two wires (clock and data), which makes it significantly easier to handle than alternatives, such as SPI. Within the STM32 family of MCUs, you will find at least one I2C peripheral on each device.

As a shared, half-duplex medium, I2C uses a rather straightforward call-and-response design, where one device controls the clock, and other devices simply wait and listen until their fixed address is sent on the I2C bus. While configuring an STM32 I2C peripheral entails a few steps, it is quite painless to use afterwards, as we will see in this article.

Data Alignment Across Architectures: The Good, The Bad And The Ugly

Even though a computer’s memory map looks pretty smooth and very much byte-addressable at first glance, the same memory on a hardware level is a lot more bumpy. An essential term a developer may come across in this context is data alignment, which refers to how the hardware accesses the system’s random access memory (RAM). This and others are properties of the RAM and memory bus implementation of the system, with a variety of implications for software developers.

For a 32-bit memory bus, the optimal access type for some data would be four bytes, aligned exactly on a four-byte border within memory. What happens when unaligned access is attempted – such as reading said four-byte value aligned halfway into a word – is implementation defined. Some hardware platforms have hardware support for unaligned access; others throw an exception that the operating system (OS) can catch and fall back to an unaligned routine in software. Other platforms will generally throw a bus error (SIGBUS in POSIX) if you attempt unaligned access.

Yet even if unaligned memory access is allowed, what is the true performance impact?

How A Smartphone Is Made, In Eight “Easy” Blocks

The smartphone represents one of the most significant shifts in our world. In less than thirteen years, we went from some people owning a dumb phone to the majority of the planet having a smartphone (~83.7% as of 2022, according to Statista). There are very few things that a larger percentage of people on this planet have. Not clean water, not housing, not even food.

How does a smartphone work? Most people have no idea; they are insanely complicated devices. However, you can break them down into eight submodules, each of which is merely complex. What makes them work is that each of these components can be made small, at massive economies of scale, and is tightly integrated, allowing easy assembly.

So without further ado, the fundamental eight building blocks of the modern cellphone are: the application processor, the baseband processor, a SIM card, the RF processor, sensors, a display, cameras & lenses, and power management. Let’s have a look at them all, and how they fit together.

Hackaday Links: May 8, 2022

Russia’s loose cannon of a space boss is sending mixed messages about the future of the International Space Station. Among the conflicting statements from Director-General Dmitry Rogozin, the Roscosmos version of Eric Cartman, is that “the decision has been made” to pull out of the ISS over international sanctions on Russia thanks to its war on Ukraine. But exactly when would this happen? Good question. Rogozin said the agency would honor its commitment to give a year’s notice before pulling out, which based on the current 2024 end-of-mission projections, means we might hear something definitive sometime next year. Then again, Rogozin also said last week that Roscosmos would be testing a one-orbit rendezvous technique with the ISS in 2023 or 2024; it currently takes a Soyuz about four orbits to catch up to the ISS. So which is it? Your guess is as good as anyone’s at this point.

At what point does falsifying test data on your products stop being a “pattern of malfeasance” and become just the company culture? Apparently, something other than the 40 years that Mitsubishi Electric has allegedly been doctoring test results on some of their transformers. The company has confessed to the testing issue, and also to “improper design” of the transformers, going back to the 1980s and covering about 40% of the roughly 8,400 transformers it made and shipped worldwide. The tests that were falsified were to see if the transformers could hold up thermally and withstand overvoltage conditions. The good news is, unless you’re a power systems engineer, these aren’t transformers you’d use in any of your designs — they’re multi-ton, multi-story beasts that run the grid. The bad news is, they’re the kind of transformers used to run the grid, so nobody’s stuff will work if one of these fails. There’s no indication whether any of the sketchy units have failed, but the company is “considering” contacting owners and making any repairs that are necessary.

For your viewing pleasure, you might want to catch the upcoming documentary series called “A League of Extraordinary Makers.” The five-part series seeks to explain the maker movement to the world, and features quite a few of the luminaries of our culture, including Anouk Wipprecht, Bunnie Huang, Jimmy DiResta, and the gang at Makers Asylum in Mumbai, which we assume would include Anool Mahidharia. It looks like the series will focus on the real-world impact of hacking, like the oxygen concentrators hacked up by Makers Asylum for COVID-19 response, and the influence the movement has had on the wider culture. Judging by the trailer below, it looks pretty interesting. Seems like it’ll be released on YouTube as well as other channels this weekend, so check it out.

But, if you’re looking for something to watch that doesn’t require as much commitment, you might want to check out this look at the crawler-transporter that NASA uses to move rockets to the launch pad. We’ve all probably seen these massive beasts before, moving at a snail’s pace along a gravel path with a couple of billion dollars worth of rocket stacked up and teetering precariously on top. What’s really cool is that these things are about as old as the Space Race itself, and still going strong. We suppose it’s easier to make a vehicle last almost 60 years when you only ever drive it at half a normal walking speed.

And finally, if you’re wondering what your outdoor cat gets up to when you’re not around — actually, strike that; it’s usually pretty obvious what they’ve been up to by the “presents” they bring home to you. But if you’re curious about the impact your murder floof is having on the local ecosystem, this Norwegian study of the “catscape” should be right up your alley. They GPS-tagged 92 outdoor cats — which they dryly but hilariously describe as “non-feral and food-subsidized” — and created maps of both the ranges of individual animals, plus a “population-level utilization distribution,” which we think is a euphemism for “kill zone.” Surprisingly, the population studied spent almost 80% of their time within 50 meters of home, which makes sense — after all, they know where those food subsidies are coming from.