Pause Your Tunes When It Is Time To Listen Up!

“Sorry. I had music playing. Would you say that again?” If we had a money-unit every time someone tried talking to us while we were wearing headphones, we could afford a super-nice pair. For an Embedded C class, [extremerockets] built Listen Up!, a cutoff switch that pauses your music when someone wants your attention.

The idea was born while sheltering in place with his daughter, who likes loud music, but he does not want to holler to get her attention. Rather than deny her some auditory privacy, Listen Up! samples the ambient noise level, listens for a sustained rise in amplitude, like speech, and sends a pause signal to the phone. Someday, there may be an option to route the microphone’s audio into the headphones, but for now there is a text-to-speech module for verbalizing character strings. It might be a bit jarring to hear a call to dinner in the middle of a guitar riff, but we don’t like missing dinner either, so we’re with [extremerockets] on this one.

We don’t really need lots of money to get fun headphones, and we are not afraid of making our own.

Grasp Kotlin’s Coroutines With This Short Tutorial

Kotlin is a relatively new programming language, a derivative of Java with lots of handy little functional bits such as coroutines. [Foalyy] is porting an app to Android and learning Kotlin at the same time, and after wrapping their mind around coroutines, has written up a concise five-part tutorial on them.

Coroutines in Kotlin are a way to simplify writing asynchronous code, which is code that doesn’t necessarily execute in the order it is written. Coroutines are like light-weight threads that can be launched and managed easily, making it simpler to bridge together blocking and non-blocking code. (However, coroutines are not threads. They are more akin to suspending functions that play very well together.)

[Foalyy] found that the official Kotlin documentation on coroutines went into great detail on how coroutines function, but wanted a more bottom-up approach to understanding how they work and can be used. Luckily for anyone who thinks the same way, [Foalyy] wrote it all up and begins with a great recap of important elements, but if you prefer you can jump straight to the examples.

Kotlin has been around for a while, and readers with sharp memories may recall it was featured in this excellent introduction to what neural networks are and how they work.

Breaking Smartphone NFC Firmware: The Gory Details

Near-field Communication (NFC) has been around a while and is used, for example, in access control, small data exchange, and of course in mobile payment systems. With such sensitive application areas, security is naturally a crucial element of the protocol, and therefore any lower-level access is usually heavily restricted and guarded.

This hardware is especially well-guarded in phones, and rooting your Android device won’t be of much help here. Well, that was of course only until [Christopher Wade] took a deep look into that subject, which he presented in his NFC firmware hacking talk at this year’s DEF CON.

But before you cry out “duplicate!” in the comments now, [Jonathan Bennett] has indeed mentioned the talk in a recent This Week In Security article, but [Christopher] has since written up the content of his talk in a blog post that we thought deserves some additional attention.

To recap: [Christopher] took a rooted Samsung S6 and searched for vulnerabilities in the NFC chip’s safe firmware update process, in hopes of running a custom firmware image on it. Obviously, this wouldn’t be worth mentioning twice if he hadn’t succeeded, and he goes to serious lengths describing how he got there. Picking a brain like his by reading up on the process he went through — from reverse engineering the firmware to actually exploiting a weakness that let him run his own code — is always fascinating and downright fun. And if you’re someone who prefers the code to do the talking, the exploits are on GitHub.

Naturally, [Christopher] disclosed his findings to Samsung, but the exploited vulnerability — and therefore the ability to reproduce this — has of course been out there for a long time already. Sure, you can use a Proxmark device to attack NFC, or the hardware we saw a few DEF CONs back, but a regular-looking phone will certainly raise a lot less suspicion at the checkout counter, and might open whole new possibilities for penetration testers. But then again, sometimes a regular app will be enough, as we’ve seen in this NFC vending machine hack.

DropController Sets The Bar For Documentation

dropController has the kind of documentation we wish would spontaneously generate itself whenever we build something. [Martyn Currey] built a robust rig for water droplet photography, and we don’t want to dismiss the hardware, but the most impressive part might be the website. It might not be very fancy, but it’s thorough and logically organized. You can find parts lists, assembly manuals, tutorials, sketches, and schematics. If only all the projects that came our way were so well detailed.

Water droplet photography is pretty cool, although freehanding it will make your patience fall faster than 9.81 m/s². The concept is that a solenoid valve will flicker open to release a drop of water, wait for a certain number of microseconds, and then trigger your DSLR via a wired remote cable. The tricky part comes from controlling as many as six valves and three flashes. We don’t have enough fingers and toes to press all those buttons.

The bill of materials contains many commonly available parts like an Arduino Nano, an LM2596 voltage regulator, some MOSFETs, an HC-06 Bluetooth module, plus standard audio connectors to hook everything up. Nothing should break the bank, but if money is not an issue, [Martyn] sells kits and complete units.

Waterdrop controllers are not the newest kids on the block, and strobe photography is a time-honored tradition.

An HDMI Monitor From Your Phone

Digital video has proceeded to the point at which we have near-broadcast-quality HD production capabilities in the palm of our hand, and often for a surprisingly affordable price. One area in which the benefits haven’t quite made it to our wallets though is in the field of small HD monitors of the type you might place on top of a camera for filming. It’s a problem noted by [Neon Airship], who has come up with a solution allowing the use of an Android mobile phone as an HDMI monitor. Since many of us will now have a perfectly capable older phone gathering dust, it’s an attractive proposition with the potential to cost very little.

The secret isn’t the most elite of hacks in that it uses all off-the-shelf hardware, but sometimes that isn’t the only reason to be interested in a project such as this one. [Neon] is using an HDMI-to-USB capture card of the type that has recently become available from the usual sources for an astoundingly small sum. When paired with a suitable USB OTG cable, the adapter can be seen by the phone as just another webcam.

We see him try a few webcam viewer apps including one that rather worryingly demands a direct APK download, and the result is a very good quality HDMI monitor atop his camera that really didn’t break the bank. Sometimes the simplest of solutions deliver the most useful of results.

This is something of special interest to those of us who experiment with our own camera form factors.

This Week In Security: Twitter, Windows DNS, SAP RECON

Twitter just had their biggest security breach in years. Mike warned us about it on Wednesday, but it’s worth revisiting a few of the details. The story is still developing, but it appears that malicious actors used social engineering to access an internal Twitter dashboard. This dashboard, among other interesting things, allows directly changing the email address associated with an account. Once the address is changed to the attacker’s, it’s simple to do a password reset and gain access.

The bitcoin address used in the crypto scam ended up receiving nearly $120,000 USD worth of bitcoin, all of which has been shuffled off into different accounts. It’s an old and simple scam, but was apparently rather believable because the messages were posted by verified Twitter accounts.

A series of screenshots has been posted, claiming to be the internal Twitter dashboard used in the attack. More than a few eyebrows have been raised as a result of that dashboard. First off, the fact that Twitter employees can directly change an account’s email address is asking for trouble. Even more interesting are the tags that can be added to an account. “Trends Blacklist” and “Search Blacklist” do call to mind the rumors of shadow-banning, but at this point it’s impossible to know the details. Motherboard is reporting that Twitter is removing that screenshot across the board when it’s posted, and even suspending accounts that post it. Of course, they’d do that if it were faked as well, so who knows?
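The sequence described above (a staff-tool email change followed shortly by a password reset) is something a defender can look for in audit logs. The following is an added example, not code from the article or from Twitter; the log schema, actor names, timestamps and the 30-minute window are all constructed assumptions.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed audit-log records (hypothetical schema, not Twitter's):
# (timestamp, actor, actor_type, action, account)
SAMPLE_EVENTS = [
    ("2024-01-10T19:01:10", "agent_17", "staff", "email_change", "acct_A"),
    ("2024-01-10T19:03:42", "acct_A", "user", "password_reset", "acct_A"),
    ("2024-01-10T19:05:00", "acct_B", "user", "email_change", "acct_B"),
    ("2024-01-10T19:06:30", "acct_B", "user", "password_reset", "acct_B"),
    ("2024-01-10T19:10:05", "agent_17", "staff", "email_change", "acct_C"),
    ("2024-01-10T19:11:50", "acct_C", "user", "password_reset", "acct_C"),
    ("2024-01-10T08:00:00", "agent_04", "staff", "email_change", "acct_D"),
    ("2024-01-10T20:30:00", "acct_D", "user", "password_reset", "acct_D"),
]

def find_takeover_chains(events, window=timedelta(minutes=30)):
    """Return (account, staff_actor, change_ts, reset_ts) for every password
    reset that follows a staff-initiated email change on the same account
    within `window`. Email changes made by the account owner are ignored."""
    parsed = sorted((datetime.fromisoformat(e[0]), *e[1:]) for e in events)
    last_staff_change = {}  # account -> (timestamp, staff actor)
    hits = []
    for ts, actor, actor_type, action, account in parsed:
        if action == "email_change" and actor_type == "staff":
            last_staff_change[account] = (ts, actor)
        elif action == "password_reset" and account in last_staff_change:
            change_ts, staff = last_staff_change.pop(account)
            if ts - change_ts <= window:
                hits.append((account, staff, change_ts, ts))
    return hits

def staff_with_repeated_chains(hits, threshold=2):
    """Staff identities behind `threshold` or more flagged chains: one such
    chain may be a support case, several in a row deserve a closer look."""
    counts = Counter(staff for _, staff, _, _ in hits)
    return sorted(s for s, n in counts.items() if n >= threshold)

if __name__ == "__main__":
    chains = find_takeover_chains(SAMPLE_EVENTS)
    for account, staff, changed, reset in chains:
        print(f"{account}: email changed by {staff} at {changed}, reset at {reset}")
    print("repeat actors:", staff_with_repeated_chains(chains))
```
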

PHONK – A Hacker’s Fun Shortcut To Android Programming

As the common myth goes, the average human utilizes only about 10% of the true potential their smartphone is capable of. Especially when it comes to electronics projects, it seems that we often overlook how we can integrate and take advantage of their functionality here. Maybe that’s not a big surprise though — while it isn’t rocket science, getting into mobile development certainly has its hurdles and requires a bit of commitment. [Victor Diaz] figured there had to be a better way, so he went on and created PHONK, the self-contained creative scripting toolbox for Android.

PHONK is installed like any other app, and allows rapid prototyping on your Android device via JavaScript by abstracting away and simplifying the heavily boilerplated, native Java parts. So instead of setting up an app from scratch with all the resource definitions, UI design, activity and application lifecycle management — not to mention the Android development environment itself — PHONK takes care of all that behind the curtain and significantly reduces the amount of code required to achieve the task you’re actually interested in. In case you’re worrying now that you have to actually program on your phone, well, you can, which can definitely come in handy, but you don’t have to.

Once the app is opened, a web server is started, and connecting to it from any modern browser within the same WiFi network presents you with the PHONK development environment with everything you need: editor, file browser, console, and API documentation. You can write your code in the browser, and pressing the run button will then execute it straight on the device. As everything is self-contained within the app itself, no additional software is required, and you can start right away by exploring the set of provided examples that showcase everything supported so far: sensor interaction, BLE server and client, communication protocols like MQTT or WebSockets, OpenStreetMap maps, and even integration with Pure Data and Processing. Attach a USB OTG cable and you can program your Arduino, have serial communication, or interface a IOIO board. You can even connect a MIDI controller.

This is really impressive work done by [Victor], and a lot of attention to detail went into the development. If you have an old Android phone collecting dust somewhere, this would be a great opportunity to revive it and build something with it. And as [Victor] writes on the project’s GitHub page, he’s always curious what people will come up with. If you’re thinking about building a mobile sensor lab, or want to learn more about the sensors inside your phone, have a look at the 36C3 talk about phyphox.