Scratching That Itch

I did something silly. I bought a lot of ten “broken” cheesy indoor quadcopters on eBay — to hopefully cobble one working one together and to amuse my son. At this point, I’ve got eight working. The bad news is that they all come with dirt-cheap transmitters that aren’t really conducive to flying at all. They’d be a lot more fun if they could be controlled with a real remote. Enter the hackers.

Almost all of the cheap quads are based on one of a handful of radio chipsets, although they speak different protocols on top of them. An enterprising hacker could conceivably just bundle together this handful of radio modules, and the rest would be a simple matter of software. That’s exactly what Pascal Langer’s DIY Multiprotocol TX and its supporting firmware do. This hobby project was so successful that compatible hardware is manufactured by more than a few Chinese companies, and non-geeks have them installed in their radios. The module lets you control virtually anything that uses 2.4 GHz. Of course, I’ve got one of them.

I opened up the cheesy drone’s transmitter, found that it used a popular chipset, and worked through all the different supported protocols that used it. No dice. But the radio module did have nicely labeled SPI lines, so I reached out to Pascal. A couple of Sigrok sessions later, he’d figured out that it was trying to bind on a different channel, I’d recompiled the firmware, and was playing with the drone’s other functions.

I just love a good SPI-sniffing session. sigrok-cli -d fx2lafw -c samplerate=4000000 -P spi:clk=D0:mosi=D1:cs=D2 -A spi=mosi-transfer --continuous | grep A0 | uniq reads the SPI lines, decodes each chip-select-delimited transfer on MOSI, keeps only the transfers containing the command byte of interest (A0), and collapses consecutive duplicates, all in real time. All that’s left to do is wiggle the sticks, mash buttons, and take good notes.

None of this was hard, and certainly none of it was expensive. I got my drones under the control of my fancy-schmancy remote, and have a good foothold into controlling them algorithmically later on thanks to everyone’s previous work on reverse engineering these protocols. Support for DF Drone’s SkyTumbler will be included in the next DIY Multiprotocol TX release, and I spent about four or five pleasant hours on this project. Maybe only a handful of people will stumble on this particular protocol — or maybe it will just be me. I did it mostly just to scratch my own particular itch.

But that’s one way open source works, thrives, and grows. Here’s to you all out there, from the Deviation team, who did a lot of the early drone protocol reverse engineering, to Pascal for the DIY Module, to the Sigrok folks who made the tools accessible for me to piggyback on everyone’s previous work. Keep on hacking!

Hackaday Podcast 091: Louisville Exploder, Generating Japanese Joinery, Relay Retrocomputer Rally, And Chop The Robopup

Hackaday editors Mike Szczys and Elliot Williams dig through the greatest hacks that ought not be missed this week. There’s a wild one that flexes engineering skills instead of muscles to beat the homerun distance record with an explosively charged bat. A more elegant use of those engineering chops is shown in a CNC software tool that produces intricate wood joinery without needing an overly fancy machine to fabricate it. If your flesh and blood pets aren’t keeping up with your interests, there’s a new robot dog on the scene that far outperforms its constituent parts which are 3D-printed and of the Pi and Arduino varieties. And just when you thought you’d seen all the craziest retrocomputers, here’s an electromechanical relay based machine that took six years to build (although there’s so much going on here that it should have taken sixteen).

Take a look at the links below if you want to follow along, and as always, tell us what you think about this episode in the comments!

Direct download (~60 MB)


Continue reading “Hackaday Podcast 091: Louisville Exploder, Generating Japanese Joinery, Relay Retrocomputer Rally, And Chop The Robopup”

This Week In Security: Discord, Chromium, And WordPress Forced Updates

[Masato Kinugawa] found a series of bugs that, when strung together, allowed remote code execution in the Discord desktop app. Discord’s desktop application is an Electron powered app, meaning it’s a web page rendered on a bundled light-weight browser. Building your desktop apps on JavaScript certainly makes life easier for developers, but it also means that you inherit all the problems from running a browser and JS. There’s a joke in there about finally achieving full-stack JavaScript.

The big security problem with Electron is that a simple Cross Site Scripting (XSS) bug is suddenly running with the privileges of a desktop application, instead of inside a browser’s sandbox. Yes, there is a sandboxing option, but it has to be manually enabled.

And that brings us to the first bug. Neither the sandbox nor the contextIsolation option was set, so both defaulted to false. What does that let an attacker do? With contextIsolation off, the web page’s JavaScript and the privileged preload JavaScript share one global context, so an XSS payload can overwrite JS functions, including built-ins on the shared prototypes. If the privileged side later calls one of those functions, the attacker’s replacement runs with Node.js access, including child_process’s exec(), at which point the escape is complete.

Now that we know how to escape Electron’s web browser, what can we use for an XSS attack? The answer is automatic iframe embeds. For an example, just take a look at the exploit demo below. On the back-end, all I have to do is paste in the YouTube link, and the WordPress editor does its magic, automatically embedding the video in an iframe. Discord does the same thing for a handful of different services, one being Sketchfab.

This brings us to vulnerability #2. Sketchfab embeds have an XSS vulnerability: a specially crafted Sketchfab file can run JavaScript whenever a user interacts with the embedded player, and that embed can be shoehorned into Discord. We’re almost there, but one problem remains. This code runs in the context of the iframe, not the top-level page, so it still can’t override the functions that would give a full escape. To actually get RCE, we need to navigate the top-level page, not just the iframe, to a malicious URL. There’s already code to prevent an iframe from redirecting the top page, so this RCE is a bust, right?

Enter bug #3. If the top page and the iframe are on different domains, Electron’s code that is supposed to block that navigation never runs. JavaScript in the iframe can therefore redirect the top page to a malicious site, which then overrides core JS functions in the shared context, completing the escape to RCE.

It’s a very clever chaining of vulnerabilities, from the Discord app, to an XSS in Sketchfab, to a bug within Electron itself. While this particular example required interacting with the embedded iframe, it’s quite possible that another vulnerable service has an XSS bug that doesn’t require interaction. In any case, if you use Discord on the desktop, make sure the app is up to date. And then, enjoy the demo of the attack, embedded below.

Continue reading “This Week In Security: Discord, Chromium, And WordPress Forced Updates”

Alfred Jones And Kipp Bradford To Deliver Keynotes At Remoticon Next Week

There’s just one week left until Hackaday Remoticon, our online gathering in place of our traditional in-person conference during this time of social distancing. Joining the more than 20 hands-on workshops that make up the bulk of Remoticon, we’re excited to announce the two keynote speakers who will be taking the virtual stage: Alfred Jones and Kipp Bradford.

Tickets to see these keynote talks, to watch the SMD Challenge, to see hardware demos, and to take part in the show and tell are free, so get yours today!

Alfred Jones

Head of Mechanical Engineering at Lyft’s Self-Driving Division

Alfred Jones is the Head of Mechanical Engineering at Lyft’s level 5 self-driving division. Level 5 means no human is involved in operating the vehicle, yet it can still drive anywhere a human could. What goes into modifying a vehicle for this level of self-driving? What processes does his team use to deliver safe automation? And will cars in the near future completely get rid of the driver’s seat? Alfred knows, and we’ll be hanging on his every word!

Kipp Bradford

CTO of Treau

Kipp Bradford is the CTO of Treau, a company bringing heating, ventilation, and air conditioning (HVAC) into the information age. These systems contribute as much as 20% of global emissions each year, so even small efficiency gains stand to have a huge impact. The industry has remained nearly unchanged for decades, and Kipp is at the forefront of evolving the hidden systems found in nearly every building. Will the air conditioner of tomorrow make the one we have today look like a rotary telephone? We look forward to hearing what Kipp has to say about it.

We’re so excited to have these two phenomenal speakers who have also both been involved as expert judges in the Hackaday Prize (Alfred in 2020, Kipp in 2017 and 2018). Help us show our appreciation by packing the virtual lecture halls for their talks on Saturday, November 7th! Get your free ticket now.

DSL Is Barely Hanging On The Line As Telcos Stop Selling New Service

Are you reading this over AT&T DSL right now? If so, you might have to upgrade or go shopping for a new ISP soon. AT&T quietly stopped selling new traditional DSL service on October 1st, though it will continue to sell its upgraded fiber-to-the-node version. This leaves a gigantic digital divide, as only 28% of AT&T’s 21-state territory has been built out with full fiber to the home, and the company says it has done almost all of the fiber expansion it intends to do. AT&T’s upgraded DSL offering is a fiber and copper hybrid, where fiber ends at the network node closest to the subscriber’s home, and the local loop is still over copper or coax.

At about the same time, a report came out written jointly by members of the Communications Workers of America union and a digital inclusion advocacy group. The report alleges that AT&T targets wealthy and non-rural areas for full fiber upgrades, leaving the rest of the country in the dark.

As the internet has been the glue holding these unprecedented times together, this news comes as a slap in the face to many rural customers who are trying to work, attend school, and see doctors over various videoconferencing services.

If you live in a big enough city, chances are you haven’t thought of DSL for about twenty years, if ever. It may surprise you to learn of the popularity of ADSL in the United Kingdom. ADSL was the main source of broadband in the UK until 2017, when it was overtaken by fibre-to-the-cabinet (FTTC) connections. Even so, this Ofcom report shows that in 2018 ADSL still made up more than a third of all UK broadband connections.

Why do people still have it, and what are they supposed to do in the States when it dries up?

Continue reading “DSL Is Barely Hanging On The Line As Telcos Stop Selling New Service”

Linux Fu: Troubleshooting Incron

You probably know about cron, a program that lets you schedule programs to run at various times. We’ve also talked about incron, which is very similar but instead of time, it reacts to changes in the file system. If you ever wanted to write a program that, say, detects a change in a file and automatically uploads it to a programmer, backs it up, e-mails it somewhere, or anything else, then incron might be for you. Although we’ve talked about it before, incron has some peculiarities that make it very difficult to debug problems, so I thought I’d share some of the tricks I use when working with incron.

I was thinking about this because I wanted to set up a simple system where I have a single document directory under git control. Changing a markdown file in that folder would generate Word document and PDF equivalents. Conversely, changing a Word document would produce a markdown version.

This is easy to do with pandoc, which speaks many different formats. The trick is running it only on changed files, and as soon as they change. The task isn’t that hard, but it does take some debugging, because the details are nontrivial.

Continue reading “Linux Fu: Troubleshooting Incron”

The Ground Beneath Your Feet: SuperAdobe Construction

Homes in different parts of the world used to look different from each other out of necessity, built to optimize for the challenges and benefits of local climate. When residential climate control systems became commonplace that changed. Where a home in tropical south Florida once required very different building methods (and materials) compared to a home in the cold mountains of New England, essentially identical construction methods are now used for single-family homes in any climate. The result is inefficient and virtually indistinguishable housing from coast to coast, regardless of climate. As regions throughout the world are facing increasingly dire housing shortages, the race is on to find solutions that are economical and available to us right now.

The mission of CalEarth, one of the non-profits that Hackaday has teamed up with for this year’s Hackaday Prize, is to address that housing shortage by building energy-efficient homes out of materials already available where they will be built. CalEarth specializes in adobe, or earth, homes that have a large thermal mass and an inexpensive bill of materials. Not only does this save on heating and cooling costs, but transportation costs for materials can be reduced as well. Some downsides of this method of construction are increased labor costs and the geometric precision the construction method demands, both of which are tackled in this two-month design challenge.

Continue reading “The Ground Beneath Your Feet: SuperAdobe Construction”