Teensy Spectrum Analyzer Has 170 Channels

While high-fidelity audio has come a long way in the past several decades, a lot of modern stereo equipment is still missing out on some of the old analog meters that were common on amplifiers and receivers of the 60s through the 80s. Things like VU meters don’t tend to be common anymore, but it is possible to build them back into your sound system with the help of some microcontrollers. [Mark] shows us exactly how to reclaim some of the old-school functionality with this twin audio visualizer display.

Not only does this build include two displays, but the microcontroller is keeping up with 170 channels in real time in order to drive the display. What’s more impressive is that it’s being done all on a Teensy 4.1. To help manage all of the data and keep the speed as fast as possible, it uses external RAM soldered to the board, and a second Teensy audio board is used to do the real-time FFT analysis. Most of the channels are sent to the display hosting the spectrum analyzer, but two are reserved for left and right stereo VU meters on the second display.

The project from [Mark] is originally based on this software from [DIYLAB] so everything is open-source. While it was originally built for a specific piece of hardware, [Mark] has it set up with a line in and line out plus a microphone input so it can be used for virtually any audio hardware now. For another take on the classic VU meter, take a look at this design based on an Arduino instead.


3D Printed Concrete Beam Improves Sustainability

Many of the 3D printed houses and structures we’ve seen use concrete and are — frankly — a little underwhelming. Making big squares out of concrete isn’t that hard and while we are sure there is some benefit, it isn’t overwhelming. [Andy Coward] apparently felt the same way and set out to find ways that 3D printing could offer unique benefits in building structures. The result: a beam that would be difficult to create with conventional techniques but is easy to make with a printer. The advantage is that it uses 78% less concrete than a conventional beam with the same properties.

The key is that in a normal beam, not much of the concrete is bearing a significant load. It is simply there because you need some concrete on one side of the beam and then some more on the other side. In the center, surprisingly little of the concrete actually supports anything. The new beam takes advantage of this along with a steel reinforcement at a strategic point. Still, it uses 70% less steel than a typical reinforced beam.


Can A Drone Push A Bike?

It sounds like a rhetorical question that a Midwestern engineer might ask, something on the order of ‘can you fix this bad PCB spin?’ [Tom Stanton] sets out to answer the title question and ends up building a working e-bike with a drone motor.

You might be thinking, a motor is a motor; what’s the big deal? But a drone motor and a regular e-bike motor are made for very different purposes. Drone motors spin at 30,000 RPM, and an e-bike hub motor typically does around 200-300 RPM while being much larger. Additionally, a drone motor goes in short spurts with a large fan blowing right on it, and an e-bike motor can run almost continuously.

The first step was to use gears and pulleys to reduce the RPM on the motor to provide more torque. A little bit of CAD and 3D printing later, [Tom] had a setup ready to try. However, the motor quickly burned out. With a slightly bigger motor and more gear reduction, version 2 performed remarkably well. After the race between a proper e-bike and the drone bike, the coils were almost melted.

If you’re thinking about making your bike electric, we have some advice. We’ll throw in a second piece of advice for free: use a larger motor than the drone motor, even though it technically works. Video after the break.



Insteon Gets Another Chance

It would appear that, sometimes, miracles happen. A few days ago, an update graced the website of Insteon, a company whose abrupt shuttering we covered in detail two months ago. An entity described as a “small group of passionate Insteon users” has bought what was left of the company, and is working on getting the infrastructure back up. Previously, there was no sign of life from the company’s APIs. Now, Insteon hubs are coming back to life — or perhaps, they’re Inste-online again.

We’ve explained that revival of these devices without acquiring the company IP would’ve been tricky because of stuff like certificate pinning, and of course, a pile of proprietary code. Buying a company that’s undergoing a liquidation is not exactly end-user-friendly, but it would seem that someone sufficiently business-savvy got it done. The new CEO, as reported by [CNX Software], is a member of an investment committee — it’s fair to assert that this would help. A more sustainable funding source rather than ‘sell hardware and then somehow provide indefinite services’ is promised; they are moving to a subscription model, but only for Insteon Hub users. Recurring payments don’t sound as bad when it comes to paying developers and covering operational costs, and we hope that this revival succeeds.

Nothing is mentioned about moving towards openness in software and hardware — something that protects users from such failures in the first place. The new company is ultimately vulnerable to the same failure mode, and may leave the users in the dark just as abruptly as a result. However, we have our fingers crossed that the updated business model holds, purely for users’ sake. At least, unlike with the Wink hub, Insteon’s transition to a subscription model is better than the Inste-off alternative.

We thank [Itay] for sharing this with us! Via [CNX Software].

This Week In Security: Pacman, Hertzbleed, And The Death Of Internet Explorer

There’s not one, but two side-channel attacks to talk about this week. Up first is Pacman, a bypass for ARM’s Pointer Authentication Code. PAC is a protection built into certain ARM processors, where a cryptographic hash value must be set correctly when pointers are updated. If the hash is not set correctly, the program simply crashes. The idea is that most exploits use pointer manipulation to achieve code execution, and correctly setting the PAC requires an explicit instruction call. The PAC is actually stored in the unused bits of the pointer itself. The AArch64 architecture uses 64-bit values for addressing, but the address space is much less than 64-bit, usually 53 bits or less. This leaves 11 bits for the PAC value. Keep in mind that the application doesn’t hold the keys and doesn’t calculate this value. 11 bits may not seem like enough to make this secure, but keep in mind that every failed attempt crashes the program, and every application restart regenerates the keys.

What Pacman introduces is an oracle, which is a method to gain insight on data the attacker shouldn’t be able to see. In this case, the oracle works via speculation attacks, very similar to Meltdown and Spectre. The key is to attempt a protected pointer dereference speculatively, and to then observe the change in system state as a result. What you may notice is that this requires an attacker to already be running code on the target system, in order to run the PAC oracle technique. Pacman is not a Remote Code Execution flaw, nor is it useful in gaining RCE.

One more important note is that an application has to have PAC support compiled in, in order to benefit from this protection. The platform that has made wide use of PAC is macOS, as it’s a feature baked into Apple’s M1 processor. The attack chain would likely start with a remote execution bug in an application missing PAC support. Once a foothold is established in unprivileged userspace, Pacman would be used as part of an exploit against the kernel. See the PDF paper for all the details.


This Week In Security: For The Horde, Feature Not A Bug, And Confluence

If you roll way back through the history of open source webmail projects, you’ll find Horde, a groupware web application. First released in 1998 on Freshmeat, it gained some notoriety in early 2012 when it was discovered that the 3.0 release had been tampered with, and packages containing a backdoor had been shipped for three months. While this time around it isn’t an intentional backdoor, there is a very serious problem in the Horde webmail interface. Or more accurately, a pair of problems. The most serious is CVE-2022-30287, an RCE bug allowing an authenticated user to trigger code execution on the connected server.

The vulnerable element is the Turba address book module, which uses a PHP factory method to access a specific address book. The create() method has an interesting bit of code that first checks the initialization value. If it’s a string, that value is understood as the name of the local address book to access. However, if the factory is initialized with an array, any of the address book drivers can be used, including the IMSP driver. IMSP fetches serialized data from remote servers, and deserializes it. And yes, PHP can have deserialization bugs, and this one runs code on the host.

But it’s not that bad, it’s only authenticated users, right? That would be bad enough, but that second bug is a Cross-site Request Forgery, CSRF, triggered by viewing an email. So on a vulnerable Horde server, any user viewing a malicious message would trigger RCE on the server. Oof. So let’s talk fixes. There is a new version of the Turba module that seems to fix the bugs, but it’s not clear that the actual Horde suite has pushed an update that includes it. So you may be on your own. As is pointed out on the Sonar Blog where the vulnerability was discovered, Horde itself seems to be essentially unmaintained at this point. Maybe time to consider migrating to a newer platform.
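
The factory pattern described above, as an added example that is not Horde's or Turba's own code: a factory whose behaviour depends on the type of its argument, next to a version that accepts only a string naming a configured address book. All class, function and book names here are hypothetical.

```php
<?php
declare(strict_types=1);

// Hypothetical stand-ins for address book drivers; not Turba classes.
interface AddressBookDriver { public function name(): string; }

final class LocalDriver implements AddressBookDriver {
    public function __construct(private string $book) {}
    public function name(): string { return "local:{$this->book}"; }
}

// Models a driver that talks to whatever server its config names.
final class RemoteDriver implements AddressBookDriver {
    public function __construct(private array $config) {}
    public function name(): string { return 'remote:' . ($this->config['server'] ?? '?'); }
}

// Before: the type of $init alone picks the code path, so an array
// selects any driver and supplies that driver's configuration.
function createUnsafe(string|array $init): AddressBookDriver {
    if (is_string($init)) {
        return new LocalDriver($init);
    }
    $class = ucfirst((string) $init['type']) . 'Driver';
    return new $class($init['params'] ?? []);
}

// After: request-derived input must be a string, and that string must
// name an address book the administrator has configured.
function createFromRequest(mixed $init, array $configuredBooks): AddressBookDriver {
    if (!is_string($init)) {
        throw new InvalidArgumentException('address book id must be a string');
    }
    if (!in_array($init, $configuredBooks, true)) {
        throw new InvalidArgumentException('unknown address book');
    }
    return new LocalDriver($init);
}

// Constructed sample input: an array arrives where a name was expected.
$untrusted = ['type' => 'remote', 'params' => ['server' => 'untrusted.example']];
echo createUnsafe($untrusted)->name(), PHP_EOL;
try {
    createFromRequest($untrusted, ['localsql']);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
echo createFromRequest('localsql', ['localsql'])->name(), PHP_EOL;
```

The array form can remain available to trusted server-side configuration; the point is that values taken from a request never reach it.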

STEM Award Goes To Accessible 3D Printing Project

When you are a 15-year old and you see a disabled student drop the contents of their lunch tray while walking to a table, what do you do? If you are [Adaline Hamlin], you design a 3D printed attachment for the trays to stop it from happening again.

The work was part of “Genius Hour” where [Hamlin’s] teacher encouraged students to find things that could be created to benefit others. An initial prototype used straws to form stops to fit plates, cups, and whatever else fit on the tray. [Zach Lance], a senior at the school’s 3D printing club, helped produce the actual 3D printed pieces.
