Root, On An Amazon Echo Dot

The Amazon Echo has become an indispensable device for many people unconcerned by its privacy implications. It’s easy to forget that it’s not quite a new product anymore, with the oldest examples now long in the tooth enough to no longer receive security updates. A surprise is that far from being mere clients to Amazon cloud services, they in fact run a version of Android. This makes old dots interesting to experimenters, but first is it possible to gain root access? [Daniel B] has managed it, on a second-generation Echo Dot.

In a sense, this is nothing new, as root has previously been achieved on an Echo Dot through means of a patched kernel. Echo devices use a chain of trust boot process in which each successive step must verify the Amazon signing of the previous one. The kernel patch method breaks the ability to reboot the device with root access. [Daniel’s] method bypasses that chain of trust by using a custom pre-loader injected over USB through an exploit.

As an example, [Daniel] created a web server on his Dot, which can serve audio captured by the device. Don’t panic just yet — an analysis of the other security features suggests that this is not the dangerous exploit it might seem. It does however open up these powerful but now pretty cheap devices as potentially usable for other purposes, which can only be a good thing.

We’ve previously brought you [Daniel]’s work freeing the WiFi details from a Dot.

An Android Phone Powers A Self Driving Car

As auto manufacturers have brought self-driving features to their products, we’re told about how impressive their technologies are and just how much computing power is on board to make it happen. Thus it surprised us (and it might also surprise you too) that some level of self-driving can be performed by an Android phone. [Mankaran Singh] has the full details.

It starts with the realization that a modern smartphone contains the necessary sensors to  perform basic self-driving, and then moves on to making a version of openpilot that can run on more than the few supported phones. It’s not the driver-less car of science fiction but one which performs what we think is SAE level 2 self driving, which is cruise control, lane centering, and collision warning. They take it out on the road in a little Suzuki on a busy Indian dual carriageway in the rain, and while we perhaps place more trust in meat-based driving, it does seem to perform fairly well

Self driving features are codified into a set of levels for an easy reference on what each is capable of doing. We’ve taken a look at it in the past, should you be interested.

Review: InfiRay P2 Pro Thermal Camera

It probably won’t surprise you to learn that Hackaday is constantly hounded by companies that want us to review their latest and greatest gadget. After all, getting us to post about their product is cheaper, easier, and arguably more effective than trying to come up with their own ad campaign. But if you’ve been with us for awhile, you’ll also know that in-house reviews aren’t something we actually do very often.

The reason is simple: we’re only interested in devices or products that offer something useful or unique to this community. As such, the vast majority of these offers get ignored. I’ll give you an example. For whatever reason, multiple companies have been trying desperately to send me electric bikes with five-figure price tags this year. But since there’s no obvious way to turn that into useful content for the readers of Hackaday, I’m still stuck pedaling myself around like it’s the 1900s. I kid of course…I haven’t dared to get on a bike in a decade.

So I don’t mind telling you that, when InfiRay contacted me about reviewing their P2 Pro thermal camera, the email very nearly went into the trash. We’ve seen these kind of phone-based thermal cameras before, and it seemed to be more of the same. But after taking a close look at the specs, accessories, and claims laid out in the marketing material, I thought this one might be worth checking out first-hand.

Continue reading “Review: InfiRay P2 Pro Thermal Camera”

RetroPie, Without The Pi

The smart television is an interesting idea in theory. Rather than having the cable or satellite company control all of the content, a small computer is included in the television itself to host and control various streaming clients and other services. Assuming you have control of the software running on the computer, and assuming it isn’t turned into a glorified targeted advertising machine, this can revolutionize the way televisions are used. It’s even possible to turn a standard television into a smart TV with various Android devices, and it turns out there’s a lot more you can do with these smart TV contraptions as well.

With most of these devices, a Linux environment is included running on top of an ARM platform. If that sounds similar to the Raspberry Pi, it turns out that a lot of these old Android TV sets are quite capable of doing almost everything that a Raspberry Pi can do, with the major exception of GPIO. That’s exactly what [Timax] is doing here, but he notes that one of the major hurdles is the vast variety of hardware configurations found on these devices. Essentially you’d have to order one and hope that you can find all the drivers and software to get into a usable Linux environment. But if you get lucky, these devices can be more powerful than a Pi and also be found for a much lower price.

He’s using one of these to run RetroPie, which actually turned out to be much easier than installing a more general-purpose Linux distribution and then running various emulation software piecemeal. It will take some configuration tinkering get everything working properly but with [Timax] providing this documentation it should be a lot easier to find compatible hardware and choose working software from the get-go. He also made some improvements on his hardware to improve cooling, but for older emulation this might not be strictly necessary. As he notes in his video, it’s a great way of making use of a piece of electronics which might otherwise be simply thrown out.

Continue reading “RetroPie, Without The Pi”

Probably The Most Over-Specified Calculator To Ever Be Manufactured

It’s possible quite a few of our older readers will remember the period from the 1960s into the ’70s when an electronic calculator was the cutting edge of consumer-grade digital technology. By the 1980s though, they were old hat and could be bought for only a few dollars, a situation that remains to this day. But does that mean calculator development dead?

Perhaps not, as [Li Zexi] writes for CNX Software, when he reviews a simple non-scientific calculator that packs an Alwinner A50 tablet SoC and the Android operating system. As shipped they lack the Android launcher, so they aren’t designed to run much more than the calculator app. Of course that won’t stop somebody who knows their way around Google’s mobile operating system for very long — at the end of the review, there’s some shots of the gadget running Minecraft and playing streaming video.

These devices can be had for not a lot on the Chinese second-hand electronics market, and after an extensive teardown he comes to the conclusion that besides their novelty they’re an older specification so not really worth buying.

But it does beg the question as to why such a product was put into production when the same task could have been performed using very cheap microcontroller. Further, having done so they make it a non-scientific machine, not even bestowing it with anything that could possibly justify the hardware. Is there a use case he, and us, have missed? We’d love to know.

We cover a lot of calculator stories here at Hackaday. Sometimes they’re classic machines, but more often they’re modern takes on an old idea.

 

Inspect The RF Realm With Augmented Reality

Intellectually, we all know that we exist in a complex soup of RF energy. Cellular, WiFi, TV, public service radio, radar, ISM-band transmissions from everything from thermometers to garage door openers — it’s all around us. It would be great to see these transmissions, but alas, most of us don’t come from the factory with the correct equipment.

Luckily, aftermarket accessories like RadioFieldAR by [Manahiyo] make it possible to visualize RF signals. As the name suggests, this is an augmented reality system that lets you inspect the RF world around you. The core of the system is a tinySA, a pocket-sized spectrum analyzer that acts as a broadband receiver. A special antenna is connected to the tinySA; unfortunately, there are no specifics on the antenna other than it needs to have a label with an image of the Earth attached to it, for antenna tracking purposes. The tinySA is connected to an Android phone — one that supports Google’s ARCore — by a USB OTG cable, and a special app on the phone runs the show.

By slowly moving the antenna around in the field of view of the phone’s camera, a heat map of signal strength at a particular frequency is slowly built up. The video below shows it in action, and the results are pretty cool. If you don’t have a tinySA, fear not — [Manahiyo] has a version of the app that supports a plain old RTL-SDR dongle too. That should make it easy for just about anyone to try this out.

And if you’re feeling deja vu about this, you’re probably remembering the [Manahiyo]’s VR spectrum analyzer, upon which this project is based.

Continue reading “Inspect The RF Realm With Augmented Reality”

This Week In Security: PHP Attack Defused, Scoreboard Manipulation, And Tillitis

If you use PHP, you likely use the Composer tool for managing dependencies, at least indirectly. And the good folks at SonarSource found a nasty, potential supply chain attack in this tool, when used in the Packagist repository. The problem is the support for arbitrary README filenames. When a package update shows up on Packagist, that service uses a Version Control Service (VCS) like Git or Mercurial to pull the specified readme location. That pull operation is subject to argument injection. Name your branch --help, and Git will happily run the help argument instead of doing the pull intended. In the case of Git commands, our intrepid researchers were unable to weaponize the issue to achieve code execution.

Composer also supports projects that use Mercurial as their VCS, and Mercurial has a --config option that has… interesting potential. It allows redefining a Mecurial command as a script snippet. So a project just has to contain a malicious payload.sh, and the readme set to --config=alias.cat=!hg cat -r : payload.sh|sh;,txt. For those keeping track at home, the vulnerability is that this cursed string of ugly is accepted by Composer as a valid filename. This uses the --config trick to redefine cat as a bit of script that executes the payload. It ends in .txt because that is a requirement of Composer.

So let’s talk about what this little hack could have been used for, or maybe still used for on an unpatched, private install of Packagist. This is an unattended attack that jumps straight to remote script execution — on an official package repository. If discovered and used for evil, this would have been a massive supply chain attack against PHP deployments. Instead, thanks to SonarSource, it was discovered and disclosed privately back in April. The official Packagist repo at packagist.org was fixed the day after disclosure, and a CVE and updated packages went out six days later. Great work all around.
Continue reading “This Week In Security: PHP Attack Defused, Scoreboard Manipulation, And Tillitis”