Custom Firmware For Cheap Bluetooth Thermometers

The Xiaomi LYWSD03MMC temperature and humidity sensor is ridiculously cheap. If you’re buying a few at a time, you can expect to pay as little as $5 USD a pop for these handy Bluetooth Low Energy environmental sensors. Unfortunately, that low price tag comes with a bit of a catch: you can only read the data with the official Xiaomi smartphone application or by linking it to one of the company’s smart home hubs. Or at least, that used to be the case.

Over the past year, [Aaron Christophel] has been working on a replacement firmware for these Xiomi sensors that unlocks the data so you can use it however you see fit. In addition, it allows the user to tweak various features and settings that were previously unavailable. For example, you can disable the little ASCII-art smiley face that usually shows on the LCD to indicate the relative comfort level of the room.

The new firmware publishes the temperature, humidity, and battery level every minute through a BLE advertisement broadcast. In other words, that means client devices can read data from the sensor without having to be paired. Scraping this data is quite simple, and the GitHub page includes a breakdown of what each byte in the broadcast message means. Avoiding direct connections not only makes it easier to quickly read the values from multiple thermometers, but should keep the device’s CR2032 battery going for longer.

But perhaps the most impressive part of this project is how you get the custom firmware installed. You don’t need to crack the case or solder up a programmer. Just load the flasher page on a computer and browser combo that supports Web Bluetooth (a smartphone is probably the best bet), point it to the MAC address of the thermometer you want to flash, and hit the button. [Aaron] is no stranger to developing user-friendly OTA installers for his firmware projects, but even for him, it’s quite impressive.

Continue reading “Custom Firmware For Cheap Bluetooth Thermometers”

Page-Turning Pedal Is Pretty Boss

Buying things to make your life easier certainly has its therapeutic joys, but if you really wanna feel good, you gotta make the thing yourself whenever possible. [Bjørn Brandal] happened to have a two-switch BOSS pedal just lying around, so it made sense to turn it into a wireless page turner for reading sheet music.

As [Bjørn] says, the circuit is simple — just two 1/4″ TRS jacks and an ItsyBitsy nRF52840 Express. The jacks are used to connect to the pedal outputs to the ItsyBitsy, which sends keystrokes over BLE.

The cool thing about this pedal is that it can work with a bunch of programs, like forScore, Abelton Live, Garage Band, and more. The different modes are accessed by holding down both pedals, and there’s confirmation via blinking LED and buzzing buzzer.

Our favorite part has to be the DIY light guide [Bjørn] that bends the ItsyBitsy’s RGB LED 90° and points it out the front of the enclosure. Nicely done!

Don’t play anything but the computer keyboard? Put those feet to work with shortcuts behind giant arcade buttons.

A Deep Dive Into The Sterzo Steering Plate

Pedaling in place isn’t the most exciting pastime, so it’s no surprise that modern technology is being used to make the in-home biking experience a bit more interactive. With a stand on the rear wheel providing resistance, and a movable steering plate under the front to read the handlebar angle, you can now use your standard bike as the “controller” in a virtual environment provided by software such as Zwift.

Paving the way towards a DIY Sterzo clone

[Keith Wakeham] wanted to take a closer look at how Zwift communicated with his Sterzo steering device, and it turned into a pretty epic bout of exploration and reverse engineering. As the video after the break shows, he didn’t just go from sniffing the device’s proprietary Bluetooth Low Energy (BLE) communications protocol to figuring out how to emulate it in software so you could roll your own Zwift peripheral. He also tore the device apart, pulled the firmware from its microcontroller, and postulated how you could build your own low-cost clone device that would work with the existing software.

Even if you have absolutely zero interest in virtual biking, the video [Keith] has put together for this project is really a must watch. Have you ever wanted to sniff and reverse engineer BLE communications? Looking for a real-world example of pulling the firmware off of a consumer device? Maybe in the market for some tips on how to identify unknown ICs on a board? All of that, and quite a bit more, is covered in this nearly hour long hacking tour de force.

On the other hand, if you are interested in adding your own hardware to Zwift, then this look at getting an unsupported stationary bike working with it should be useful.

Continue reading “A Deep Dive Into The Sterzo Steering Plate”

This Week In Security: Bluetooth Hacking, NEC Phones, And Malicious Tor Nodes

One of the fun things about vulnerability research is that there are so many places for bugs to hide. Modern devices have multiple processors, bits of radio hardware, and millions of lines of code. When [Veronica Kovah] of Dark Mentor LLC decided to start vulnerability research on the Bluetooth Low Energy protocol, she opted to target the link layer itself, rather than the code stack running as part of the main OS. What’s interesting is that the link layer has to process data before any authentication is performed, so if a vulnerability is found here, it’s guaranteed to be pre-authentication. Also of interest, many different devices are likely to share the same BLE chipset, meaning these vulnerabilities will show up on many different devices. [Veronica] shares some great info on how to get started, as well as the details on the vulnerabilities she found, in the PDF whitepaper. (Just a quick note, this link isn’t to the raw PDF, but pulls up a GitHub PDF viewer.) There is also a video presentation of the findings, if that’s more your speed.

The first vuln we’ll look at is CVE-2019-15948, which affects a handful of Texas Instruments BT/BLE chips. The problem is in how BLE advertisement packets are handled. An advertisement packet should always contain a data length of at least six bytes, which is reserved for the sending device address. Part of the packet parsing process is to subtract six from the packet length and do a memcpy using that value as the length. A malicious packet can have a length of less than six, and the result is that the copy length integer underflows, becoming a large value, and overwriting the current stack. To actually turn this into an exploit, a pair of data packets are sent repeatedly, to put malicious code in the place where program execution will jump to.

The second vulnerability of note, CVE-2020-15531 targets a Silicon Labs BLE chip, and uses malformed extended advertisement packets to trigger a buffer overflow. Specifically, the sent message is longer than the specification says it should be. Rather than drop this malformed message, the chip’s firmware processes it, which triggers a buffer overflow. Going a step further, this chip has non-volatile firmware, and it’s possible to modify that firmware permanently. [Veronica] points out that even embedded chips like these should have some sort of secure boot implementation, to prevent these sort of persistent attacks.
Continue reading “This Week In Security: Bluetooth Hacking, NEC Phones, And Malicious Tor Nodes”

DropController Sets The Bar For Documentation

dropController has the kind of documentation we wish would spontaneously generate itself whenever we build something. [Martyn Currey] built a robust rig for water droplet photography, and we don’t want to dismiss the hardware, but the most impressive part might be the website. It might not be very fancy, but it’s thorough and logically organized. You can find parts lists, assembly manuals, tutorials, sketches, and schematics. If only all the projects that came our way were so well detailed.

Water droplet photography is pretty cool, although freehanding it will make your patience fall faster than 9.81 m/s². The concept is that a solenoid valve will flicker open to release a drop of water, wait for a certain number of microseconds, and then trigger your DSLR via a wired remote cable. The tricky part comes from controlling as many as six valves and three flashes. We don’t have enough fingers and toes to press all those buttons.

The bill of materials contains many commonly available parts like an Arduino Nano, an LM2596 voltage regulator, some MOSFETS, an HC-06 Bluetooth module, plus standard audio connectors to hook everything up. Nothing should break the bank, but if money is not an issue, [Martyn] sells kits and complete units.

Waterdrop controllers are not the newest kids on the block, and strobe photography is a time-honored tradition.

Continue reading “DropController Sets The Bar For Documentation”

MenoPlay Through The Pain Of Menopause

Menopause, that fireworks finale of fertility, is like a second puberty that works in reverse. At least, that’s what we hear. Along with mood swings and acne, there are new joys like hot flashes that make you want to jump naked into the nearest snowdrift, or at least put your head in the freezer for a while. Sounds great; can’t wait.

The biggest problem with menopause is that it gives suffers pause when it comes to getting help. This is natural, they think. There’s nothing I can do but ride it out. Those who do seek relief are likely to find expensive products that only treat single symptoms. This dearth of solutions inspired [Moinak Ghosh] to create one system to rule them all, a wearable with a suite of sensors that’s designed to take the pause out of menopause.

MenoPlay will take temperature readings at the neck and pelvis and switch on a Peltier module worn on the back of the neck when it senses a hot flash in progress. Exercise is a natural defense against hormonal imbalance, but step counters are too easy to cheat or ignore. The MenoPlay system will model the user’s movements using 9DoF accelerometers and suggest exercises that fill in the gaps.

We particularly like the automation aspect of this wearable. After decades of manually tracking menstrual cycles and everything that implies, the idea of so much useful biological data being collected automatically and fed over BLE to a NodeRed application sounds wonderful.

Hot flashes may not feel useful internally, but would do a fine job of powering the right kind of flashlight.

Hands-On: Wireless Login With The New Mooltipass Mini BLE Secure Password Keeper

Remembering passwords is one of those things which one just cannot seem to escape. At the very least, we all need to remember a single password: namely the one for unlocking a password manager. These password managers come in a wide variety of forms and shapes, from software programs to little devices which one carries with them. The Mooltipass Mini BLE falls into the latter category: it is small enough to comfortably fit in a hand or pocket, yet capable of remembering all of your passwords.

Heading into its crowdfunding campaign, the Mooltipass Mini BLE is an evolution of the Mooltipass Mini device, which acts as a USB keyboard by default, entering log-in credentials for you. With the required browser extension installed, this process can also be automated when browsing to a known website. Any new credentials can also be saved automatically this way.

Where the Mooltipass Mini BLE differs from the original is in that it also adds a Bluetooth (BLE) mode, enabling it to be used easily with any BLE-capable device, including laptops and smartphones, without having to dig around for a USB cable and/or OTG adapter.

I have already been using the original Mooltipass Mini for a while, and the Mooltipass team was kind enough to send me a prototype Mooltipass Mini BLE for evaluation and comparison. Let’s take a look.

Continue reading “Hands-On: Wireless Login With The New Mooltipass Mini BLE Secure Password Keeper”