Attack on the Clones: A Review of Two Common ESP8266 Mini D1 Boards

ESP8266-based development boards have proliferated rapidly. One favorite, the WEMOS Mini-D1 is frequently imitated and sold without any branding. As these boards continue to ship to hobbyists and retailers around the world, we thought it might be interesting to conduct a little experiment.

There are a few ESP8266 development boards available, and the most popular seem to be the NodeMCU ‘Amica’ board. Of course, there are dozens of other alternatives including the WiFiMCU, Sparkfun’s ESP8266 Thing, and Adafruit’s HUZZAH ESP8266. Given that, why is this review limited to the Mini D1 boards? Because the Mini D1 is the cheapest. Or was, until it was cloned.

We took a look at some of these ‘clone’ boards to figure out the differences, find out if they work as intended, and perhaps most importantly, are these clone boards shipped out reliably. What are the results? Check that out below.

Continue reading “Attack on the Clones: A Review of Two Common ESP8266 Mini D1 Boards”

Son of Sonoff

We’ve covered the Sonoff a few times–a very inexpensive box with an ESP8266, a power supply, and an AC relay along with a way to tap into a power cord. Very inexpensive means $5 or $6. The supplied software will work with several systems (including, recently, Alexa). But what self-respecting hacker wants to run the stock firmware on something with an ESP8266 inside?

[Tzapu] certainly didn’t. But he also knew he didn’t want to start from scratch every time he wanted to deploy a switch. So he built SonoffBoilerplate and put the code on GitHub. The code manages taking configuration (including network settings) using a web-portal, can update itself over the air, and integrates with Blynk and MQTT. If you don’t like that code base, there are other choices including one that has a failsafe reconfiguration mode.

Continue reading “Son of Sonoff”

TI 99/4A Weather Station

If you still have a drawer full of slap bracelets from the 1990s because, you know, they might come back, then you’ll appreciate [Vorticon’s] latest project. Sure, we see lots of weather stations, but this one is controlled by a TI 99/4A computer. This home computer from the 1980s was actually ahead of its time with a 16-bit processor.

The sensors use Xbee modules and an Arduino Uno. Of course, the Uno has more power than the TI computer, but that’s not really the point, right? He’s made a series of videos detailing the construction (you can see the first one below, but there are five, so far).

Continue reading “TI 99/4A Weather Station”

Stealing Cars for 20 Bucks

[Yingtao Zeng], [Qing Yang], and [Jun Li], a.k.a. the [UnicornTeam], developed the cheapest way so far to hack a passive keyless entry system, as found on some cars: around $22 in parts, give or take a buck. But that’s not all, they manage to increase the previous known effective range of this type of attack from 100 m to around 320 m. They gave a talk at HITB Amsterdam, a couple of weeks ago, and shown their results.

The attack in its essence is not new, and it’s basically just creating a range extender for the keyfob.  One radio stays near the car, the other near the car key, and the two radios relay the signals coming from the car to the keyfob and vice-versa. This version of the hack stands out in that the [UnicornTeam] reverse engineered and decoded the keyless entry system signals, produced by NXP, so they can send the decoded signals via any channel of their choice. The only constraint, from what we could tell, it’s the transmission timeout. It all has to happen within 27 ms. You could almost pull this off over Internet instead of radio.

The actual keycode is not cracked, like in a HiTag2 attack. It’s not like hacking a rolling key keyfob either. The signals are just sniffed, decoded and relayed between the two devices.

A suggested fix from the researchers is to decrease this 27 ms timeout. If it is short enough, at least the distance for these types of attacks is reduced. Even if that could eventually mitigate or reduce the impact of an attack on new cars, old cars are still at risk.  We suggest that the passive keyless system is broken from the get-go: allowing the keyfob to open and start your car without any user interaction is asking for it. Are car drivers really so lazy that they can’t press a button to unlock their car? Anyway, if you’re stuck with one of these systems, it looks like the only sure fallback is the tinfoil hat. For the keyfob, of course.

[via Wired]

ESP32’s Freedom Output Lets You Do Anything

The ESP32 is Espressif’s new wonder-chip, and one of the most interesting aspects of its development has been the almost entirely open-source development strategy that they’re taking. But the “almost” in almost entirely open is important — there are still some binary blobs in the system, and some of them are exactly where a hacker wouldn’t want them to be. Case in point: the low-level WiFi firmware.

So that’s where [Jeija]’s reverse engineering work steps in. He’s managed to decode enough of a function called ieee80211_freedom_output to craft and send apparently arbitrary WiFi data and management frames, and to monitor them as well.

This ability is insanely useful for a WiFi device. With low-level access like this, one can implement custom protocols for mesh networking, low-bandwidth data transfers, or remove the requirement for handshaking entirely. One can also spam a system with so many fake SSIDs that it crashes, deauth everyone, or generally cause mayhem. Snoop on your neighbors, or build something new and cool: with great power comes great responsibility.

Anyway, we reported on [Jeija]’s long distance hack and the post may have read like it was all about the antenna, but that vastly underestimates the role played by this firmware reverse-engineering hack. Indeed, we’re so stoked about the hack that we thought it was worth reiterating: the ESP32 is now a WiFi hacker’s dream.

Simple Scanner Finds the Best WiFi Signal

Want to know which way to point your WiFi antenna to get the best signal? It’s a guessing game for most of us, but a quick build of a scanning WiFi antenna using mostly off-the-shelf components could point you in the right direction.

With saturation WiFi coverage in most places these days, optimizing your signal might seem like a pointless exercise. And indeed it seems [shawnhymel] built this more for fun than for practical reasons. Still, we can see applications where a scanning Yagi-Uda antenna would come in handy. The build started with a “WiFi divining rod” [shawnhymel] created from a simple homebrew Yagi-Uda and an ESP8266 to display the received signal strength indication (RSSI) from a specific access point. Tired of manually moving the popsicle stick and paperclip antenna, he built a two-axis scanner to swing the antenna through a complete hemisphere.

The RSSI for each point is recorded, and when the scan is complete, the antenna swings back to the strongest point. Given the antenna’s less-than-perfect directionality — [shawnhymel] traded narrow beam width for gain — we imagine the “strongest point” is somewhat subjective, but with a better antenna this could be a handy tool for site surveys, automated radio direction finding, or just mapping the RF environment of your neighborhood.

Yagi-Uda antennas and WiFi are no strangers to each other, whether it be a WiFi sniper rifle or another recycling bin Yagi.  Of course this scanner isn’t limited to WiFi. Maybe scanning a lightweight Yagi for the 2-meter band would be a great way to lock onto the local Ham repeater.

Continue reading “Simple Scanner Finds the Best WiFi Signal”

DIY DynDNS with ESP8266 and Dweets

You’re on a home router, and your IP address keeps changing. Instead of paying a little bit extra for a static IP address (and becoming a grownup member of the Internet) there are many services that let you push your current IP out to the rest of the world dynamically. But most of them involve paying money or spending time reading advertisements. Who has either money or time?!

[Alberto Ricci Bitti] cobbled together a few free services and an ESP8266 module to make a device that occasionally pushes its external IP address out to a web-based “dweet” service. The skinny: an ESP8266 gets its external IP address from ipify.org and pushes it by “dweet” to a web-based data store. Freeboard reads the “dweet” and posts the resulting link in a nice format.

Every part of this short chain of software services could be replaced easily enough with anything else. We cobbled together our own similar solution, literally in the previous century, back when we were on dialup. But [Alberto R B]’s solution is quick and easy, and uses no fewer than three (3!) cloud services ending in .io. Add an ESP8266 to the WiFi network that you’d like to expose, and you’re done.