PaperLedger: An E-Ink Cryptocurrency Ticker

For a long time it seemed like e-ink displays were outside the reach of us lowly hackers, as beyond the handful of repurposed Kindles that graced these pages, we saw precious few projects utilizing this relatively exotic display. But that’s changed over the last couple of years, and we’re thrilled to start seeing hackers bend this incredible technology to their will.

A perfect example is PaperLedger, an entry into the 2019 Hackaday Prize by [AIFanatic]. This wireless device is designed to display the current price of various cryptocurrencies on its 2.9-inch e-ink screen and provide audible price alerts with its built-in speaker. It even has a web portal where users can configure the hardware or view more in-depth price information.

The PaperLedger is based on the TTGO T5 V2.2 ESP32, but it looks like [AIFanatic] is in the process of spinning up a new board for the MIT licensed project to address some nagging issues for this particular application. Unfortunately, it doesn’t look like there are any pictures of the new board yet, but a description of the changes on the Hackaday.IO page shows that most of the work seems to be going into improving support for running on batteries.

Even if you’re not interested in cryptocurrency, the PaperLedger looks like a fantastic little e-ink monitor for pretty much anything else you’d like to keep a close eye on. The GPLv3 licensed firmware is available on the project’s GitHub page, so expanding or completely changing the device’s functionality shouldn’t be too tricky for anyone with a desire to do so and a working knowledge of C++.

We’ve seen several projects using the various TTGO boards that mate an ESP32 with a display at this point, and it looks like a great platform to check out if you want to push some data to a little WiFi screen with the minimum amount of hassle.

New Bluetooth 5 Channel Hopping Reverse Engineered For Jamming And Hijacking

Bluetooth Low Energy (BLE) 5 has been around since 2016 with the most recent version 5.2 published just this year. There’s not much hardware out there that’s using the new hotness. That didn’t stop [Damien Cauquil] from picking apart BLE 5’s new frequency hopping techniques and updating his BtleJack tool to allow sniffing, jamming and hijacking hardware using the new protocol.

As you can imagine, the BLE standard is a complicated beast and just one part of it is the topic here: the PRNG-based frequency hopping scheme that is vastly different from BLE 4.x and earlier. The new standard, called Channel Selection Algorithm (CSA) #2, uses 65535 possible channels, compared to just 37 channels used by its predecessor. Paired devices agree to follow a randomized list of all possible channels in sequence so that they remain in synchronization between hops. This was put in place to help avoid collisions, making it possible for many more BLE devices to operate in close proximity. This is important to note since it quickly becomes obvious that it’s not a robust security measure by any means.

To begin channel hopping the two devices must first agree on an order in which to hop, ensuring they’ll meet one another after each leap. To do so they both run the same 32-bit seed number through a PRNG algorithm, generating a list that will then be followed exactly in order. But it turns out this is not very difficult to figure out. All that’s needed is the access address, whose top 16 bits are publicly available if you’re already sniffing packets, while the bottom 16 bits are the counter that steps through the hop list.

If you want to jam or hijack BLE 5 communication you need to establish which “randomized” channel list is being used, and the value of the counter that serves as an index to this list. To do so, [Damien] sniffs packets on two different channels. These channels will be used over and over again as it loops through the channel list, so calculating how much time occurs between each channel indicates how far apart these channels are on the list.

In practice, [Damien] first implemented a sieve (the same concept as the Sieve of Eratosthenes for finding primes) that starts with a list of all possibilities and removes those that don’t contain a matching timing between the two channels. Keep doing this, and eventually, you’ll whittle your list down to one possible channel order.

This certainly worked, but there were timing issues that sometimes meant you could learn the seed but couldn’t then sync with it after the fact. His second approach uses pattern matching. By measuring hops on 11 consecutive channels, he’s able to synchronize with target devices in a minute or less. From there, jamming or hijacking methods come into play. The randomization of this scheme is really marginal. A more robust technique would have used an internal state in both devices to generate the next hopping channel. This would have been much more difficult for an attacker to figure out. From the device perspective, CSA #2 takes very little computation power which is key for power-sipping IoT devices most often using BLE.
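To make the search-space argument above concrete, here is an added toy simulation in Python. It is not [Damien]’s code and not part of BtleJack, and the seeded `random` stream it uses is only a stand-in for the hop list, not the real CSA #2 algorithm. The seed value, the starting counter, the two listening channels and the 37-channel figure are all constructed assumptions. A modelled sniffer parks on one channel at a time and notes how many hops pass before the link lands there; the sieve then keeps only those of the 65536 counter values that reproduce every observed spacing. Watching the candidate count collapse after a handful of sightings is exactly why the article calls the randomization marginal: the seed is public, and the counter has far too little entropy to survive a few timing observations.

```python
import random

NUM_CHANNELS = 37          # the article's 37-channel figure, reused for the toy list
COUNTER_BITS = 16          # the 16-bit counter that indexes the hop list
SEQ_LEN = 1 << COUNTER_BITS
MAX_WAIT = 8 * NUM_CHANNELS * 4   # guard so the sniffer model cannot spin forever


def hop_list(seed):
    """Constructed stand-in for the hop list (NOT the Bluetooth CSA #2 PRNG).
    'seed' plays the role of the public, access-address-derived value; the
    counter (a position in this list) is the only thing the sniffer lacks."""
    rng = random.Random(seed)
    return [rng.randrange(NUM_CHANNELS) for _ in range(SEQ_LEN)]


def simulate_sniff(seq, start_counter, listen_channels):
    """Model of the two-channel sniffer: park on a channel, count the hops until
    the link lands there, then move to the next channel. On real hardware the
    hop count is a time measurement divided by the hop interval.
    Returns (observations, counter_at_first_sighting); each observation is
    (channel, hops_since_previous_sighting), the first entry carrying 0 hops
    because nothing is known before the first packet is seen."""
    pos = start_counter
    observations = []
    first_sighting = None
    for ch in listen_channels:
        hops = 0
        while seq[(pos + hops) % SEQ_LEN] != ch:
            hops += 1
            if hops > MAX_WAIT:
                raise RuntimeError("channel never appeared in the toy list")
        pos = (pos + hops) % SEQ_LEN
        if first_sighting is None:
            first_sighting = pos
            hops = 0
        observations.append((ch, hops))
    return observations, first_sighting


def sieve(seq, observations):
    """Eratosthenes-style sieve over all 2**16 counter values: a candidate
    survives only if the hop list, read from that candidate, shows the observed
    channel exactly 'hops' positions after the previous sighting and NOT earlier
    (the sniffer was parked there, so an earlier landing would have been seen).
    Returns (survivors, number_of_survivors_after_each_observation)."""
    candidates = range(SEQ_LEN)
    offset = 0
    history = []
    for ch, hops in observations:
        keep = []
        for p in candidates:
            base = (p + offset) % SEQ_LEN
            if seq[(base + hops) % SEQ_LEN] != ch:
                continue
            if any(seq[(base + j) % SEQ_LEN] == ch for j in range(1, hops)):
                continue
            keep.append(p)
        candidates = keep
        offset += hops
        history.append(len(candidates))
    return set(candidates), history


def demo(seed=0x1234, start_counter=40000, n_obs=11):
    """Constructed run: alternate between two listening channels, as the
    article describes, and report the true counter, the survivors and the
    shrinking candidate counts."""
    seq = hop_list(seed)
    listen = ([5, 20] * n_obs)[:n_obs]
    observations, truth = simulate_sniff(seq, start_counter, listen)
    survivors, history = sieve(seq, observations)
    return truth, survivors, history


if __name__ == "__main__":
    truth, survivors, history = demo()
    print("true counter:", truth)
    print("survivors after each sighting:", history)
    print("recovered:", survivors)
```

The first sighting alone discards roughly 36 of every 37 candidates, each later one discards another 36 of 37 plus everything that would have landed on the parked channel too early, so the set is down to a single counter long before the eleven observations are used up. A scheme that fed private internal state into the next-channel choice, as the article suggests, would give the sieve nothing public to enumerate.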

As mentioned before, [Damien] had trouble finding any hardware in the wild using the BLE 5 standard. His proof of concept is built on a pair of nRF52840 development boards. Because it needs more testing, the code hasn’t been merged into the main version of BtleJack, but you can still get it right now by heading over to BtleJack repo on GitHub.

This WiFi Spoofing Syringe Is For External Use Only

A browse through his collected works will tell you that [El Kentaro] loves to build electronics into interesting enclosures, so when he realized there’s enough room inside a 150 ml plastic syringe to mount an ESP8266, a battery, and a copious amount of RGB LEDs, the “Packet Injector” was the inescapable result.

Granted, the current incarnation of this device doesn’t literally inject packets. But [El Kentaro] wasn’t actually looking to do anything malicious, either. The Injector is intended to be a fun gag for him to bring along to the various hacker cons he finds himself at, like his DEAUTH “bling” necklace we saw at DEF CON 26, so having any practical function is really more icing on the cake than a strict requirement.

In the end, the code he came up with for the Adafruit Feather HUZZAH uses the FakeBeaconESP8266 library to push out fictitious networks on demand. This is a trick we’ve seen used in the past, and makes for a relatively harmless prank as long as you’re not pumping out any particularly unpleasant SSIDs. In this case, [El Kentaro] punctuates his technicolor resplendency with beacons pronouncing “The WiFi Doctor is Here.”

But the real hack here is how [El Kentaro] controls the device. Everything is contained within the syringe chamber, and he uses an MPL3115A2 I2C barometric pressure sensor to detect when it’s being compressed. If the sensor reads a pressure high enough over the established baseline, the NeoPixel Ring fires up and the fake beacon frames start going out. Ease up on the plunger, and the code detects the drop in pressure and turns everything back off.
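The baseline-and-threshold logic described above is easy to get subtly wrong: a single threshold chatters on and off whenever the plunger hovers near it. Here is an added Python model of that trigger, not [El Kentaro]’s firmware, with the sample counts, pressure margins and the constructed trace of sensor readings (in pascals) all assumed for the sake of illustration. It learns a baseline from the first few readings, then uses a higher “on” margin and a lower “off” margin (hysteresis), and compares the result with a naive single-threshold version on the same trace.

```python
from statistics import mean


class PlungerTrigger:
    """Turns 'active' on when pressure rises at least on_margin above the
    baseline and off only when it falls back to within off_margin of it.
    The gap between the two margins is the hysteresis that stops the output
    from flickering when the plunger sits right at the switching point."""

    def __init__(self, baseline_samples=8, on_margin_pa=300.0, off_margin_pa=100.0):
        self.baseline_samples = baseline_samples   # assumed: readings used to learn the resting pressure
        self.on_margin = on_margin_pa              # assumed margin to switch on
        self.off_margin = off_margin_pa            # assumed margin to switch off
        self._warmup = []
        self.baseline = None
        self.active = False

    def update(self, pressure_pa):
        """Feed one sensor reading and return the new active state."""
        if self.baseline is None:
            # Still learning the resting pressure; never fire during warm-up.
            self._warmup.append(pressure_pa)
            if len(self._warmup) >= self.baseline_samples:
                self.baseline = mean(self._warmup)
            return False
        delta = pressure_pa - self.baseline
        if not self.active and delta >= self.on_margin:
            self.active = True
        elif self.active and delta <= self.off_margin:
            self.active = False
        return self.active


def run_trace(readings):
    """Run the hysteresis trigger over a sequence of readings."""
    trig = PlungerTrigger()
    return [trig.update(p) for p in readings]


def naive_trace(readings, baseline_samples=8, margin_pa=300.0):
    """Single-threshold version for comparison: on whenever delta >= margin, off otherwise."""
    baseline = mean(readings[:baseline_samples])
    return [False] * baseline_samples + [p - baseline >= margin_pa for p in readings[baseline_samples:]]


# Constructed trace: eight resting readings at ~1 atm, then a squeeze that peaks
# and slowly relaxes. Values are illustrative, not captured from the sensor.
CONSTRUCTED_TRACE = [101325.0] * 8 + [
    101400.0, 101550.0, 101700.0, 101650.0, 101500.0, 101420.0, 101380.0, 101330.0,
]

if __name__ == "__main__":
    for label, states in (("hysteresis", run_trace(CONSTRUCTED_TRACE)),
                          ("naive", naive_trace(CONSTRUCTED_TRACE))):
        print(label, ["on" if s else "off" for s in states[8:]])
```

On this trace the naive trigger drops out as soon as the squeeze eases slightly (at 175 Pa over baseline) even though the plunger is still well down, while the hysteresis version stays on until the pressure has nearly returned to rest, which is the behaviour the article describes.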

If this build has piqued your interest, [El Kentaro] gave a fascinating talk about his hardware design philosophy during the WOPR Summit that included how he designed and built some of his “greatest hits”; including a Raspberry Pi Zero enclosure that was, regrettably, not limited to external use.

CB Radio + Arduino = 6 Meter Ham Band

Somehow [hvde] wound up with a CB radio that does AM and SSB on the 11 meter band. The problem was that the radio isn’t legal where he lives. So he decided to change the radio over to work on the 6 meter band, instead.

We were a little surprised to hear this at first. Most radio circuits are tuned to pretty close tolerances and going from 27 MHz to 50 MHz seemed like quite a leap. The answer? An Arduino and a few other choice pieces of circuitry.


Orphaned Amazon Dash Buttons Ripe For Hacking

Amazon Dash buttons were the ultimate single purpose networked device; it really can’t get much simpler than a push button that sends a single message to a fixed endpoint. It was an experiment in ultimate convenience, an entry point to a connected home, and a target for critics of consumerism excess and technological overkill.

But soon they’ll be little more than a footnote in the history of online shopping, as CNet reports Amazon will take the order system offline at the end of the month. With the loss of their original intended usage, there’s nothing to stop us from hacking any Dash buttons we can get our hands on.

Of course, this decision should come as little surprise. Amazon’s in-home retail point of sale has graduated from these very limited $5 buttons to Alexa-powered voice controlled devices. Many people also carry a cell phone at all times capable of submitting Amazon orders. While there are many good reasons to be skeptical of internet connected appliances, they’re undeniably finding a niche in the market and some have integrated their own version of a Dash button to re-order household supplies.

But are hackers still interested in hacking Dash buttons? Over the lifespan of Amazon Dash buttons, our project landscape has shifted as well. We’re certainly still interested in the guts of an Echo Dot. But if we wanted to build a simple networked button, we can use devices like an ESP8266 which are almost as cheap and far easier to use. Using something intended for integration means we don’t have headaches like determining which generation of hardware we have.

Despite those barriers, we’ve had many Dash button hacks on these pages. A to-do list updater was the most recent and we doubt it will be the last, especially as Amazon’s deactivation should mean a whole new flood of these buttons will become available for hacking.

[via Ars Technica]

L Band Satellite Antennas Revealed

[SignalsEverywhere] has a lot of satellite antennas and he’s willing to show them off — inside and out — in his latest video that you can see below. Using software-defined radio techniques, you can use these antennas to pull off weather satellite images and other space signals.

A lot of these antennas are actually made for some commercial purpose like keeping ships connected to Inmarsat. In fact, the shipborne antenna has a nice motorized system for pointing the antenna that [SignalsEverywhere] is hoping to modify for his own purposes.

With what appears to be standard NEMA 17 steppers onboard, it should be relatively easy to supplant the original controller with an Arduino and CNC shield. Though considering the resale value these particular units seem to have on eBay, we might be inclined to just roll our own positioner.

The QFH (quadrifilar helix) antenna is another interesting teardown. The antenna makes a helix shape and looks like it would be interesting to build from scratch. There aren’t a lot of details about the antenna designs, but it is interesting to see the variety and range of antennas and how they appear internally.

L band is from 1 GHz to 2 GHz, so signals and antennas get very strange at these frequencies. The wavelength of a 2 GHz signal is only 15 cm, so small antennas can work quite well and are often as much mechanical designs as electrical. The L band contains everything from GPS to phone calls to ADS-B.

We’ve seen radiosonde antennas reborn before. Dish antenna repurposing is also popular.


Boost Your WiFi Range With Cookware

WiFi was the killer technology that made home networking easy. No more messing around with hubs and cables and drilling holes in walls, simply turn the devices on and hit connect. Over time the speed and range has increased, but those with larger houses or granny flats out back have suffered. There are tricks to boost range however, and some of them involve cookware.

The clever hack here is to use a metal strainer as a parabolic reflector, to capture signals and focus them onto the PCB antenna in a USB WiFi dongle. The strainer is drilled out, and a USB extension cable has its female end glued into the base. This allows the dongle to be positioned inside the strainer. For best results, the dongle should be positioned so that its antenna elements are sitting at the focal point of the parabola; this can be determined through mathematics or simply by experimenting with positions to see what gives the best signal strength.

It’s a design that is quite directional, and should help boost signals as well as block out those from unwanted stations. The build is simple, and can even be tripod mounted which helps with aiming and looks cool to boot.

For many, WiFi antenna hacks are old school, but it’s always good to keep the techniques in mind as you never know when it will come in handy to solve a new problem. Some crazy things are possible with the right gear, too.