A Zhengbang Pick&Place machine, with a VirusTotal 53/69 result and "53 security vendors and 1 sandbox flagged this file as malicious" crudely overlaid on top of the image

Zhengbang Pick & Places Your Confidential Data In The Bag, Slowly

Isn’t it convenient when your pick-and-place machine arrives with a fully-set-up computer inside of it? Plug in a keyboard, mouse and a monitor, and you have a production line ready to go. Turns out, you can have third parties partake in your convenience by sharing your private information with them – as long as you plug in an Ethernet cable! [Richard] from [RM Cybernetics] has purchased a ZhengBang ZB3245TSS machine, and in the process of setting it up, dutifully backed up its software onto a USB stick – as we all ought to.

This bit of extra care, often missed by fellow hackers, triggered an antivirus scanner alert, and subsequently netted some interesting results on VirusTotal – a 53/69 result for a particular file. That wasn’t conclusive enough – they sent the suspicious file for analysis, and the test came back positive. After static and dynamic analysis by a third party, the malware was confirmed to collect metadata accessible to the machine and send it all to a third-party server. Having contacted ZhengBang about this mishap, they received a letter with assurances that the files were harmless, and a .zip attachment with replacement “clean” files which didn’t fail the antivirus checks.

It didn’t end here! After installing the “clean” files, they also ran a few anti-malware tools, and all seemed fine. Then, they plugged the flash drive into another computer again… to encounter even more alerts than before. The malware was equipped with a mechanism to grace every accessible .exe with a copy of itself on sight, infecting even the .exe files of the anti-malware tools they put on that USB drive. The article implies that the malware could’ve been placed on the machines to collect your company’s proprietary design information – we haven’t found a whole lot of data to support that assertion, however; as much as it is a plausible intention, it could have been a case of an unrelated virus spread in the factory. Surprisingly, all of these discoveries don’t count as violations of Aliexpress Terms and Conditions – so if you’d like to distribute a bunch of IoT malware on, say, wireless routers you bought in bulk, now you know of a platform that will help you!

This goes in our bin of Pretty Bad News for makers and small companies. If you happen to have a ZhengBang pick-and-place machine with a built-in computer, we recommend that you familiarize yourself with the article and do an investigation. The article also goes into details on how to reinstall Windows while keeping all the drivers and software libraries working, but we highly recommend you worry about the impact of this machine’s infection spread mechanisms, first.
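One way to do that investigation before a backup stick travels between machines is to baseline the executables on it and compare later, since a file infector that appends itself to every .exe it can reach changes both the hash and the size of each victim. The following is an added example, not code from the article or from RM Cybernetics; the directory layout, file names and the "FAKE-PAYLOAD" bytes are constructed stand-ins, not real malware.

```python
import hashlib
import tempfile
from pathlib import Path

# .exe is what the article's infector targets; the other suffixes are assumed extras.
EXEC_SUFFIXES = {".exe", ".dll", ".scr", ".com"}

def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large installers are fine."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(root: Path) -> dict:
    """Map relative path -> (sha256, size) for every executable under root."""
    manifest = {}
    for p in root.rglob("*"):
        if p.is_file() and p.suffix.lower() in EXEC_SUFFIXES:
            manifest[p.relative_to(root).as_posix()] = (hash_file(p), p.stat().st_size)
    return manifest

def compare_manifests(before: dict, after: dict) -> dict:
    """Classify changes since the baseline: an executable whose hash changed
    (usually while growing) is what a file infector leaves behind; a new
    executable on a stick that only held known tools is suspicious too."""
    report = {"modified": [], "added": [], "removed": []}
    for rel, (digest, size) in after.items():
        if rel not in before:
            report["added"].append(rel)
        elif before[rel][0] != digest:
            report["modified"].append((rel, before[rel][1], size))
    report["removed"] = [rel for rel in before if rel not in after]
    return report

def demo() -> dict:
    """Constructed scenario: a 'USB stick' holding two tools, then a simulated
    infector appends a payload to one .exe and drops a new executable."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "tools").mkdir()
        (root / "tools" / "scanner.exe").write_bytes(b"MZ" + b"\x00" * 100)
        (root / "tools" / "backup.exe").write_bytes(b"MZ" + b"\x01" * 80)
        (root / "readme.txt").write_text("not an executable")
        before = build_manifest(root)   # baseline taken before the stick travels
        with (root / "tools" / "scanner.exe").open("ab") as f:
            f.write(b"FAKE-PAYLOAD")    # constructed, harmless stand-in for an infector
        (root / "autorun.exe").write_bytes(b"MZ" + b"\x02" * 50)
        return compare_manifests(before, build_manifest(root))
```

For a real stick, build the manifest once on a known-clean machine, store it off the drive, and compare after the drive has been plugged into the suspect machine.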

Supply chain attacks, eh? We’ve seen plenty of these lately, what with communities and software repositories being targeted every now and then. Malware embedded into devices from the factory isn’t a stranger to us, either – at least, this time we have way more information than we did when Supermicro was under fire.

Editor’s Note: As pointed out by our commenters, there’s currently not enough evidence to assert that Zhengbang’s intentions were malicious. The article has been edited to reflect the situation more accurately, and will be updated if more information becomes available.

Editor’s Note Again: A rep from Zhengbang showed up in the comments and claims that this was indeed a virus that they picked up and unintentionally passed on to the end clients.

A Xilinx Zynq Linux FPGA Board For Under $20? The Windfall Of Decommissioned Crypto Mining

One of the exciting trends in hardware availability is the inexorable move of FPGA boards and modules towards affordability. What was once an eye-watering price is now merely an expensive one, and no doubt in years to come will become a commodity. There’s still an affordability gap at the bottom of the market though, so spotting sub-$20 Xilinx Zynq boards on AliExpress that combine a Linux-capable ARM core and an FPGA on the same silicon is definitely something of great interest. A hackerspace community friend of mine ordered one, and yesterday it arrived in the usual anonymous package from China.

There’s a Catch, But It’s Only A Small One

The heftier of the two boards, in all its glory.

There are two boards to be found for sale, one featuring the Zynq 7000 and the other the 7010, which the Xilinx product selector tells us both have the same ARM Cortex A9 cores and Artix-7 FPGA tech on board. The 7000 includes a single core with 23k logic cells, and there’s a dual-core with 28k on the 7010. It was the latter that my friend had ordered.

So there’s the good news, but there has to be a catch, right? True, but it’s not an insurmountable one. These aren’t new products, instead they’re the controller boards for an older generation of AntMiner cryptocurrency mining rigs. The components have 2017 date codes, so they’ve spent the last three years hooked up to a brace of ASIC or GPU boards in a mining data centre somewhere. The ever-changing pace of cryptocurrency tech means that they’re now redundant, and we’re the lucky beneficiaries via the surplus market.


MIT Mini Cheetah Made And Improved In China

We nearly passed over this tip from [xoxu] which was just a few links to some AliExpress pages. However, when we dug a bit into the pages we found something pretty surprising. Somewhere out there in the wild we…east of China there’s a company not only reverse engineering the Mini Cheetah, but improving it too.

We cover a lot of Mini Cheetah projects; it’s a small robot that can do a back-flip after all. When compared to the servo quadruped of not so many years ago it’s definitely exciting magic. Many of the projects go into detail about the control boards and motor modifications required to build a Mini Cheetah of your own. So we were especially interested to discover that this AliExpress seller has gone through the trouble of not just reverse engineering the design, but also improving on it, claiming their motors are thinner and more dust resistant than what they’ve seen from MIT.

To be honest, we’re not sure what we’re looking at. It’s kind of cool that we live in a world where a video of a research project and some papers can turn into a $12k robot you can buy right now. Let us know what you think after the break.

What Good Are Counterfeit Parts? Believe It Or Not, Maybe A Refund

[Charles Ouweland] purchased some parts off Aliexpress and noticed that the Texas Instruments logo on some of his parts wasn’t the Texas Instruments logo at all, it was just some kind of abstract shape that vaguely resembled the logo. Suspicious and a little curious, he decided to take a closer look at the MCP1702 3.3 V LDO regulators he ordered as well. Testing revealed that they were counterfeits with poor performance.

Left: counterfeit part. Right: genuine Microchip MCP1702-3302

Looking at the packages, there were some superficial differences in the markings of the counterfeit MCP1702 versus genuine parts from Microchip, but nothing obviously out of place. To conclusively test the devices, [Charles] referred to Microchip’s datasheet. It stated that the dropout voltage of the part should be measured by having the regulator supply the maximum rated 250 mA in short pulses to avoid any complications from the part heating up. After setting up an appropriate test circuit with a 555 timer to generate the pulses for low duty cycle activation, [Charles] discovered that the counterfeit parts did not meet Microchip specifications. While the suspect unit did output 3.3 V, the output oscillated badly after activation and the dropout voltage was 1.2 V, considerably higher than the typical dropout voltage of 525 mV for the part, and higher even than the maximum of 725 mV. His conclusion? The parts would be usable in the right conditions, but they were clearly fakes.

The usual recourse when one has received counterfeit parts is to dump them into the parts bin (or the trash) and perhaps strive to be less unlucky in the future, but [Charles] decided to submit a refund request and to his mild surprise, Aliexpress swiftly approved a refund for the substandard parts.

While a refund is appropriate, [Charles] seems to interpret the swift refund as a sort of admission of guilt on the part of the reseller. Is getting a refund for counterfeit parts a best-case outcome, evidence of wrongdoing, or simply an indication that low value refund requests get more easily approved? You be the judge of that, but if nothing else, [Charles] reminds us that fake parts may be useful for something perhaps unexpected: a refund.

Fail Of The Week: Cheap Chips Cause Chaos

We all know the old saw: if it’s too good to be true, it probably is. But nowhere does this rule seem to break down as regularly as when we order parts. Banggood, AliExpress, and eBay are flooded with parts ready to be magically transported across the globe to our doorsteps, all at prices that seem to defy the laws of economics.

Most of these transactions go off without a hitch and we get exactly what we need to complete our Next Cool Thing. But it’s not always so smooth, as [Kerry Wong] recently discovered with an eBay order that resulted in some suspicious chips. [Kerry] ordered the AD633 analog multiplier chips as a follow-up to his recent Lorenz Attractor X-Y recorder project, where he used an Arduino to generate the chaotic butterfly’s data set as a demo for the vintage instrument. Challenged in the comments to do it again in analog, [Kerry] did his homework and found a circuit to make it happen. The needed multipliers were $10 a pop on DigiKey, so he sourced cheaper chips from eBay. The $2 chips seemed legit, with the Analog Devices logo and everything, but the circuit didn’t work. [Kerry]’s diagnosis in the video below is interesting, and it’s clear that the chips are fakes. Caveat emptor.

Here’s hoping that [Kerry] sources good chips soon and regales us with a successful build. Until then, what are your experiences with cheap chips? Have you been burned by overseas or domestic suppliers before? Does any single supplier seem like a better bet to you, or is it all hit or miss? Sound off in the comments below.


Hackaday Links: May 28, 2017

Boeing and DARPA are building a spaceplane. Right now it’s only a press release and a few concept images, but it looks like this is an air-launched system kind of like a Tristar/Pegasus, only much higher and completely unmanned. It’s a ton and a half to low earth orbit, with a goal of 10 flights in 10 days.

Up in Albany? There’s a new hacker con happening in a few weeks. Anycon is a hacking, infosec, and cyber security conference happening June 16 & 17th in Albany, NY. The organizers of this con ([Chris], and his company Leet Cybersecurity) are loosely modeling this con after Derbycon. [Dave Kennedy] of TrustedSec will be attending as the keynote speaker.

GOOD NEWS! [Casey Neistat] is under investigation by the FAA. [Casey Neistat] is the YouTuber that flies drones right in the middle of the Hudson River corridor, and is a menace to general aviation around NYC.

This is neat. The Supplyframe Design Lab is the Hackaday Mothership right in the middle of Pasadena where we host our designers in residence, host a few meetups, and slowly fill every cubic inch of space with either dust or tools. The Design Lab just won a design award. You can check out the ‘design’ part of the Design Lab here, but keep in mind it will never be that clean ever again.

Here’s an interesting Twitter to follow. Alitronik is a curator of the weird and wonderful cheap crap that can be found on AliExpress. Need an Altera Cyclone dev board? Here you go. A desk-mountable OLED inspection microscope? Done. A seven dollar Tesla coil? Dude, you can totally fit this inside a hat.

[Drygol] had a nice old Commodore C16 with a broken TED chip. A shame, really. He did what anyone would do: put a C64 motherboard in the case for a fancy stealth upgrade.

Is the great crowdfunded 3D printer boom over? Some would say that ship sailed after dozens of 3D printer crowdfunding projects failed to deliver, or delivered very low-quality machines. These people were wrong. This Polaroid-branded 3D printing pen might not get funding. A year ago, this project would have been funded on day one. There would have been writeups in The Verge on how Polaroid is turning the corner after decades of wasted opportunities. Now, the Crowdfunded 3D printer boom is finally over.

The Hackaday crew was at the Bay Area Maker Faire last weekend and holy crap did we have a blast. Everyone came to the meetup on Saturday except for the fire marshall. The secret OSHPark bringahack on Sunday was even more impressive. We also saw a Donkey Car capable of driving around a track autonomously, but the team behind it didn’t have their work up on the Internet at the time.

$10 Orange Pi 2G-IoT Released To Compete With Pi Zero W

A new single-board computer by Orange Pi has popped up for sale on AliExpress. The Orange Pi 2G-IoT is designed to compete with the Raspberry Pi Zero, and if specs are anything to go by they have done a nice job.

There are a lot of options for extra small single board computers these days and there’s a growing list at the lowest price points. Let’s call it the sub-$20 cost range (to quell the argument of shipping fees). We have seen C.H.I.P., the Raspberry Pi Foundation released the Pi Zero W (an update to the Zero line that included WiFi and Bluetooth), the already available Orange Pi Zero (which was featured in a project on Monday), and now add to that list the unfortunately named Orange Pi 2G-IoT.

The 2G-IoT is sporting a 32-bit ARM Cortex-A5 clocked at 1 GHz with 256 MB DDR2 RAM. It’s nice to see 500 MB of on-board NAND to go along with an SD card slot for larger storage. It also has a CSI camera connector, WiFi, Bluetooth, an FM radio and GSM/GPRS with a SIM card slot on the bottom. It is pin compatible with Raspberry Pi’s almost standardized GPIO layout.

All this for $10 is quite impressive to say the least, especially the addition of GSM/GPRS. Will it kill Raspberry Pi Zero W sales? We think not. While the Orange Pis are great little computers, they don’t have the community support that is afforded to Raspberry Pi products, making for less help online when you run into a problem. That’s if you can even get the thing running in the first place. The Orange Pi website has not yet been updated to reflect the new release. However, if you are interested in getting one for yourself right now, head over to your favorite Chinese electronics supplier.

[via Geeky Gadgets and CNX]