New Part Day: The $15 ESP32 With Cellular

Cruise around AliExpress for long enough and you’ll find some interesting new hardware. The latest is the TTGO T-Call, an ESP32 breakout board that also has a cellular modem. Yes, it’s only a 2G modem, but that still works in a lot of places, and the whole thing is $15.

On board the TTGO T-Call is the ESP-WROVER-B, the same module you all know and love that features a dual-core ESP running at 240 MHz with 4 MB of Flash and 8 MB of SRAM. Add to this WiFi and Bluetooth, and you have a capable microcontroller platform. Of note is that this board includes a USB-C port, ostensibly wired so that it behaves like a normal USB micro port. That’s neat; 2019 is the year USB-C connectors became cheaper than USB micro connectors.

In addition to the ESP32 module, there’s also cellular in the form of a SIM800 module. This module has been around for a while and used in many, many cellular-connected projects and products like the ZeroPhone. This module is only a 2G module, and that’ll be going away shortly (if not already) in built-up areas, but this can serve as a building block for modules that have more Gees than a 2G module. That said, if you’re looking for a WiFi and cellular bridge for fifteen bucks, you could do a lot worse for a lot more money.

Amiga In The MiST Gets Online With An ESP8266

While he couldn’t quite come up with the cash to buy one in their heyday, [Bruno Antunes] has always been fascinated with the Amiga. When PCs got fast enough he used emulators like UAE to get a taste of the experience, but it was never quite the same thing. Not until he found the MiST anyway, which uses an FPGA to implement several retro computers such as the Apple II, Atari, and of course his beloved Amiga.

The only downside for [Bruno] was that the MiST has no network interfaces. To get onto the Internet, he had to install an ESP8266 inside the device and spend some quality time tweaking various software settings to get everything talking to each other. The end result is a BBS hosted on an Amiga 1200, that’s running on an FPGA, that’s connected to WiFi via an ESP8266. What a time to be alive.

Adding the ESP8266 to the MiST was actually quite straightforward, as there’s an unpopulated serial port header right on the board. Though [Bruno] cautions this header has been removed as of version 1.4 of the device, so if you’re in the market for an FPGA retro box and might want to get it online at some point, that may be a detail to keep in mind. The ESP is running a firmware which implements Serial Line IP (SLIP), which allows you to use TCP/IP over a serial port, albeit very slowly.

The hardware implant went well enough, but unfortunately [Bruno] found the ESP8266 was unable to communicate through the thick metal case of the MiST. He enlisted his girlfriend to make a new papercraft enclosure for the MiST that the ESP could talk through, and it even has the added benefit of glowing thanks to the internal LEDs. We probably would have just got one of the ESP modules that includes an external antenna, but to each their own.

With the hardware taken care of, the rest of the considerable write-up details how he got the Amiga operating system to talk to the Internet through the SLIP connection. He goes over everything from setting the system time with NTP to getting a Telnet daemon installed. As you might expect, this involves installing a number of additional software packages, but [Bruno] is kind enough to provide links for everything you’ll need.

We’ve seen the ESP8266 used to get other retro computers onto the modern Internet before, but it’s usually through the use of an external device. This internal modification is very clean, and seems like a no-brainer for anyone who owns a MiST and a soldering iron.

Smart Bike Helmet Is Wireless

If you ride a bike, you probably share the road with a lot of cars. Unfortunately, they don’t always share the road very well with you. [Mech Tools] took a helmet, a few Arduinos, and some wireless transceivers and made headgear that shows when you stop and also shows turn signals. We were a little surprised, though, that the bike in question looks like a motorcycle. In most countries, motorcycle helmets meet strict safety standards and modifying them is probably not a good idea. However, it wasn’t exactly clear how the extra gear attached to the helmet, so it is hard to say if the project is very practical or not.

In particular, it looks as though the first version had the electronics just stuck to the outside of the helmet. The final one had things mounted internally and almost certainly had cuts or holes made for the lights. We aren’t sure which of those would be more likely to be a problem in the case of an accident.

Storm Chasers Score Bullseye On Tornado With Instrument-Packed Rocket

Model rockets are a heck of a lot of fun, and not a few careers in science and engineering were jump-started by the thrilling woosh and rotten-egg stench of an Estes rocket launch. Adding simple instrumentation to the rocket doubles the fun by allowing telemetry to be sent back, or perhaps aiding in recovery of a lost rocket. Sending an instrument-laden rocket into a tornado is quite a few notches past either of those scenarios, and makes them look downright boring by comparison.

A first and hopefully obvious point: just don’t do this. [ChasinSpin] and [ReedTimmer] are experienced storm chasers, and have a small fleet of purpose-built armored vehicles at their disposal. One such vehicle, the Dominator, served as a mobile launch pad for their rocket as they along with [Sean Schofer] and [Aaron Jayjack] chased what developed into an EF4 monster tornado near Lawrence, Kansas on May 28. They managed to score a direct hit on the developing tornado, only 100 feet (30 meters) away at the time, and which took the rocket to 35,000 ft (10.6 km) and dragged it almost 30 miles (42 km) downrange. They lost touch with it but miraculously recovered it from a church parking lot.

They don’t offer a lot of detail on the rocket itself, but honestly it looks pretty much off-the-shelf, albeit launched from an aimable launchpad. [ChasinSpin] does offer a few details on the instrument package, though – a custom PCB with GPS, IMU, a temperature/humidity/barometric pressure sensor, and a LoRa link to send a data packet back every second. The card also supported an SD card for high-resolution measurements at 10 times per second. Check out the launch in the video below, and be sure to mouse around to get a look at the chaotic environment they were working in.

Even if this isn’t as cool as sending a sounding rocket into an aurora, it’s still really cool. We’re looking forward to seeing what kind of data this experiment collected, and what it reveals about the inner workings of these powerful storms.

Mobile SIGINT Hacking On A Civilian’s Budget

Signals Intelligence (SIGINT) refers to performing electronic reconnaissance by eavesdropping on communications, and used to be the kind of thing that was only within the purview of the military or various three letter government agencies. But today, for better or for worse, the individual hacker is able to pull an incredible amount of information out of thin air with low-cost hardware and open source software. Now, thanks to [Josh Conway], all that capability can be harnessed with a slick all-in-one device: the RadioInstigator.

In his talk at the recent 2019 CircleCityCon, [Josh] (who also goes by the handle [CrankyLinuxUser]) presented the RadioInstigator as an affordable way to get into the world of wireless security research beyond the traditional WiFi and Bluetooth. None of the hardware inside the device is new exactly, it’s all stuff the hacking community has had access to for a while now, but this project brings them all together under one 3D printed “roof” as it were. The end result is a surprisingly practical looking device that can be used on the go to explore huge swaths of the RF spectrum at a cost of only around $150 USD.

So what has [Josh] packed into this wireless toybox? It will probably come as little surprise to find out that the star of the show is a Raspberry Pi 3 B+, combined with a touch screen display and portable keyboard so the user can interface with the various security tools installed.

To help the RadioInstigator surf the airwaves there’s an RTL-SDR and a 2.4 GHz nRF24LU1+ “Crazyradio”, both broken out to external antenna connectors on the outside of the device. There’s even an external SMA connector hooked up to the Pi’s GPIO pin, which can be used for low-power transmissions from 5 kHz up to 1500 MHz with rpitx. Everything is powered by a beefy 10,000 mAh battery pack which should give you plenty of loiter time to perform your investigations.

[Josh] has also written several Bash scripts which will get a trove of radio hacking tools installed on the Pi automatically, either by pulling them in through the official repositories or downloading the source and compiling them. Getting the software environment into a known-good state can be a huge time sink, so even if you don’t build your own version of the RadioInstigator, his scripts are still worth checking out.

You can do some pretty incredible things with nothing more than a Pi and an RTL-SDR, but we can’t help but notice there’s still plenty of room inside the RadioInstigator for more gear. It could be the perfect home for a Multi-RTL setup, or maybe even a VGA adapter for spoofing cell networks.

Your Table Is Ready, Courtesy Of HackRF

Have you ever found yourself in a crowded restaurant on a Saturday night, holding onto one of those little gadgets that blinks and vibrates when it’s your turn to be seated? Next time, bust out the HackRF and follow along with [Tony Tiger] as he shows how it can be used to easily fire them off. Of course, there won’t actually be a table ready when you triumphantly show your blinking pager to the staff; but there’s only so much an SDR can do.

Even if you aren’t looking to jump the line at your favorite dining establishment, the video that [Tony] has put together serves as an excellent practical example of using software defined radio (SDR) to examine and ultimately replicate a wireless communications protocol. The same techniques demonstrated here could be applied to any number of devices out in the wild with little to no modification. Granted these “restaurant pagers” aren’t exactly high security devices to begin with, but you’d be surprised how many other devices out there take a similarly cavalier attitude towards security.

[Tony] starts by using inspectrum to examine the frequency-shift keying (FSK) modulation used by the 467.750 MHz devices, and from there, uses Universal Radio Hacker to capture the actual binary data being sent over the air. Between studying the transmissions and the information he found online, he was eventually able to piece together the packet structure used by the restaurant’s base station.

Finally, he wrote a Python script which generates packets based on which pager he wants to set off. If he’s feeling particularly mischievous, he can even set them all off at once. The script outputs a binary file which is then loaded into GNU Radio for transmission via the HackRF. [Tony] says he’s not quite ready to release his script yet, but he gives enough information in the video that the intrepid hacker could probably get their own version up and running by the time he gets it posted up to GitHub anyway.

We saw some very similar techniques demonstrated at the recent WOPR Summit security conference, so once you’re done hacking the local restaurants, you can take these same lessons and apply them to the rest of the Internet of Things. If you’re wondering, it’s even easier to eavesdrop on the non-restaurant pagers.

Solving The Final Part Of The iClicker Puzzle

The regular Hackaday reader might remember the iClicker from our previous coverage of the classroom quiz device, or perhaps you even had some first hand experience with it during your university days. A number of hackers have worked to reverse engineer the devices over the years, and on the whole, it’s a fairly well understood system. But there are still a few gaps in the hacker’s map of the iClicker, and for some folks, that just won’t do.

[Ammar Askar] took it upon himself to further the state of the art for iClicker hacking, and has put together a very detailed account on his blog. While most efforts have focused on documenting and eventually recreating how the student remotes send their responses to the teacher’s base station, he was curious about looking at the system from the other side. Specifically, he wanted to know how the base station was able to push teacher-supplied welcome messages to the student units, and how it informed the clients that their answers had been acknowledged.

He started by looking through the base station’s software update tool to find out where it was downloading the firmware files from, a trick we’ve seen used to great effect in the past. With the firmware in hand, [Ammar] disassembled the AVR code in IDA and got to work piecing together how the hardware works. He knew from a previous group’s exploration of the hardware that the base station’s Semtech XE1203F radio is connected to the processor via SPI, so he started searching for code which was interacting with the SPI control registers.

This line of logic uncovered how the radio is configured over SPI, and ultimately where the data intended for transmission is stored in memory. He then moved over to running the firmware image in simavr. Just like Firmadyne allows you to run ARM or MIPS firmware with an attached debugger, this tool allowed [Ammar] to poke around in memory and do things such as simulate when student responses were coming in over the radio link.

At that point, all he had to do was capture the bytes being sent out and decode what they actually meant. This process was complicated slightly by the fact the system uses its own custom encoding rather than ASCII for the messages, but by that point, [Ammar] was too close to let something like that deter him. Nearly a decade after first hearing that hackers had started poking around inside of them, it looks like we can finally close the case on the iClicker.