A Deep Dive Into The Sterzo Steering Plate

September 11, 2020 by Tom Nardi 15 Comments

Pedaling in place isn’t the most exciting pastime, so it’s no surprise that modern technology is being used to make the in-home biking experience a bit more interactive. With a stand on the rear wheel providing resistance, and a movable steering plate under the front to read the handlebar angle, you can now use your standard bike as the “controller” in a virtual environment provided by software such as Zwift.

Paving the way towards a DIY Sterzo clone

[Keith Wakeham] wanted to take a closer look at how Zwift communicated with his Sterzo steering device, and it turned into a pretty epic bout of exploration and reverse engineering. As the video after the break shows, he didn’t just go from sniffing the device’s proprietary Bluetooth Low Energy (BLE) communications protocol to figuring out how to emulate it in software so you could roll your own Zwift peripheral. He also tore the device apart, pulled the firmware from its microcontroller, and postulated how you could build your own low-cost clone device that would work with the existing software.

Even if you have absolutely zero interest in virtual biking, the video [Keith] has put together for this project is really a must watch. Have you ever wanted to sniff and reverse engineer BLE communications? Looking for a real-world example of pulling the firmware off of a consumer device? Maybe in the market for some tips on how to identify unknown ICs on a board? All of that, and quite a bit more, is covered in this nearly hour long hacking tour de force.

On the other hand, if you are interested in adding your own hardware to Zwift, then this look at getting an unsupported stationary bike working with it should be useful.

Continue reading “A Deep Dive Into The Sterzo Steering Plate” →

This Week In Security: Bluetooth Hacking, NEC Phones, And Malicious Tor Nodes

August 21, 2020 by Jonathan Bennett 4 Comments

One of the fun things about vulnerability research is that there are so many places for bugs to hide. Modern devices have multiple processors, bits of radio hardware, and millions of lines of code. When [Veronica Kovah] of Dark Mentor LLC decided to start vulnerability research on the Bluetooth Low Energy protocol, she opted to target the link layer itself, rather than the code stack running as part of the main OS. What’s interesting is that the link layer has to process data before any authentication is performed, so if a vulnerability is found here, it’s guaranteed to be pre-authentication. Also of interest, many different devices are likely to share the same BLE chipset, meaning these vulnerabilities will show up on many different devices. [Veronica] shares some great info on how to get started, as well as the details on the vulnerabilities she found, in the PDF whitepaper. (Just a quick note, this link isn’t to the raw PDF, but pulls up a GitHub PDF viewer.) There is also a video presentation of the findings, if that’s more your speed.

The first vuln we’ll look at is CVE-2019-15948, which affects a handful of Texas Instruments BT/BLE chips. The problem is in how BLE advertisement packets are handled. An advertisement packet should always contain a data length of at least six bytes, which is reserved for the sending device address. Part of the packet parsing process is to subtract six from the packet length and do a memcpy using that value as the length. A malicious packet can have a length of less than six, and the result is that the copy length integer underflows, becoming a large value, and overwriting the current stack. To actually turn this into an exploit, a pair of data packets are sent repeatedly, to put malicious code in the place where program execution will jump to.

The second vulnerability of note, CVE-2020-15531 targets a Silicon Labs BLE chip, and uses malformed extended advertisement packets to trigger a buffer overflow. Specifically, the sent message is longer than the specification says it should be. Rather than drop this malformed message, the chip’s firmware processes it, which triggers a buffer overflow. Going a step further, this chip has non-volatile firmware, and it’s possible to modify that firmware permanently. [Veronica] points out that even embedded chips like these should have some sort of secure boot implementation, to prevent these sort of persistent attacks.
Continue reading “This Week In Security: Bluetooth Hacking, NEC Phones, And Malicious Tor Nodes” →

DropController Sets The Bar For Documentation

August 18, 2020 by Brian McEvoy 4 Comments

dropController has the kind of documentation we wish would spontaneously generate itself whenever we build something. [Martyn Currey] built a robust rig for water droplet photography, and we don’t want to dismiss the hardware, but the most impressive part might be the website. It might not be very fancy, but it’s thorough and logically organized. You can find parts lists, assembly manuals, tutorials, sketches, and schematics. If only all the projects that came our way were so well detailed.

Water droplet photography is pretty cool, although freehanding it will make your patience fall faster than 9.81 m/s². The concept is that a solenoid valve will flicker open to release a drop of water, wait for a certain number of microseconds, and then trigger your DSLR via a wired remote cable. The tricky part comes from controlling as many as six valves and three flashes. We don’t have enough fingers and toes to press all those buttons.

The bill of materials contains many commonly available parts like an Arduino Nano, an LM2596 voltage regulator, some MOSFETS, an HC-06 Bluetooth module, plus standard audio connectors to hook everything up. Nothing should break the bank, but if money is not an issue, [Martyn] sells kits and complete units.

Waterdrop controllers are not the newest kids on the block, and strobe photography is a time-honored tradition.

Continue reading “DropController Sets The Bar For Documentation” →

MenoPlay Through The Pain Of Menopause

August 4, 2020 by Kristina Panos 7 Comments

Menopause, that fireworks finale of fertility, is like a second puberty that works in reverse. At least, that’s what we hear. Along with mood swings and acne, there are new joys like hot flashes that make you want to jump naked into the nearest snowdrift, or at least put your head in the freezer for a while. Sounds great; can’t wait.

The biggest problem with menopause is that it gives suffers pause when it comes to getting help. This is natural, they think. There’s nothing I can do but ride it out. Those who do seek relief are likely to find expensive products that only treat single symptoms. This dearth of solutions inspired [Moinak Ghosh] to create one system to rule them all, a wearable with a suite of sensors that’s designed to take the pause out of menopause.

MenoPlay will take temperature readings at the neck and pelvis and switch on a Peltier module worn on the back of the neck when it senses a hot flash in progress. Exercise is a natural defense against hormonal imbalance, but step counters are too easy to cheat or ignore. The MenoPlay system will model the user’s movements using 9DoF accelerometers and suggest exercises that fill in the gaps.

We particularly like the automation aspect of this wearable. After decades of manually tracking menstrual cycles and everything that implies, the idea of so much useful biological data being collected automatically and fed over BLE to a NodeRed application sounds wonderful.

Hot flashes may not feel useful internally, but would do a fine job of powering the right kind of flashlight.

Hands-On: Wireless Login With The New Mooltipass Mini BLE Secure Password Keeper

July 23, 2020 by Maya Posch 34 Comments

Remembering passwords is one of those things which one just cannot seem to escape. At the very least, we all need to remember a single password: namely the one for unlocking a password manager. These password managers come in a wide variety of forms and shapes, from software programs to little devices which one carries with them. The Mooltipass Mini BLE falls into the latter category: it is small enough to comfortably fit in a hand or pocket, yet capable of remembering all of your passwords.

Heading into its crowdfunding campaign, the Mooltipass Mini BLE is an evolution of the Mooltipass Mini device, which acts as a USB keyboard by default, entering log-in credentials for you. With the required browser extension installed, this process can also be automated when browsing to a known website. Any new credentials can also be saved automatically this way.

Where the Mooltipass Mini BLE differs from the original is in that it also adds a Bluetooth (BLE) mode, enabling it to be used easily with any BLE-capable device, including laptops and smartphones, without having to dig around for a USB cable and/or OTG adapter.

I have already been using the original Mooltipass Mini for a while, and the Mooltipass team was kind enough to send me a prototype Mooltipass Mini BLE for evaluation and comparison. Let’s take a look.

Continue reading “Hands-On: Wireless Login With The New Mooltipass Mini BLE Secure Password Keeper” →

Hackaday Links: April 26, 2020

April 26, 2020 by Dan Maloney 15 Comments

Gosh, what a shame: it turns out that perhaps 2 billion phones won’t be capable of COVID-19 contact-tracing using the API that Google and Apple are jointly developing. The problem is that the scheme the two tech giants have concocted, which Elliot Williams expertly dissected recently, is based on Bluetooth LE. If a phone lacks a BLE chipset, then it won’t work with apps built on the contact-tracing API, which uses the limited range of BLE signals as a proxy for the physical proximity of any two people. If a user is reported to be COVID-19 positive, all the people whose BLE beacons were received by the infected user’s phone within a defined time period can be anonymously notified of their contact. As Elliot points out, numerous questions loom around this scheme, not least of which is privacy, but for now, something like a third of phones in mature smartphone markets won’t be able to participate, and perhaps two-thirds of the phones in developing markets are not compatible. For those who don’t like the privacy-threatening aspects of this scheme, pulling an old phone out and dusting it off might not be a bad idea.

We occasionally cover stories where engineers in industrial settings use an Arduino for a quick-and-dirty automation solution. This is uniformly met with much teeth-gnashing and hair-rending in the comments asserting that Arduinos are not appropriate for industrial use. Whether true or not, such comments miss the point that the Arduino solution is usually a stop-gap or proof-of-concept deal. But now the purists and pedants can relax, because Automation Direct is offering Arduino-compatible, industrial-grade programmable controllers. Their ProductivityOpen line is compatible with the Arduino IDE while having industrial certifications and hardening against harsh conditions, with a rich line of shields available to piece together complete automation controllers. For the home-gamer, an Arduino in an enclosure that can withstand harsh conditions and only cost $49 might fill a niche.

Speaking of Arduinos and Arduino accessories, better watch out if you’ve got any modules and you come under the scrutiny of an authoritarian regime, because you could be accused of being a bomb maker. Police in Hong Kong allegedly arrested a 20-year-old student and posted a picture of parts he used to manufacture a “remote detonated bomb”. The BOM for the bomb was strangely devoid of anything with wireless capabilities or, you know, actual explosives, and instead looks pretty much like the stuff found on any of our workbenches or junk bins. Pretty scary stuff.

If you’ve run through every binge-worthy series on Netflix and are looking for a bit of space-nerd entertainment, have we got one for you. Scott Manley has a new video that goes into detail on the four different computers used for each Apollo mission. We knew about the Apollo Guidance Computers that guided the Command Module and the Lunar Module, and the Launch Vehicle Digital Computer that got the whole stack into orbit and on the way to the Moon, but we’d never heard of the Abort Guidance System, a backup to the Lunar Module AGC intended to get the astronauts back into lunar orbit in the event of an emergency. And we’d also never heard that there wasn’t a common architecture for these machines, to the point where each had its own word length. The bit about infighting between MIT and IBM was entertaining too.

And finally, if you still find yourself with time on your hands, why not try your hand at pen-testing a military satellite in orbit? That’s the offer on the table to hackers from the US Air Force, proprietor of some of the tippy-toppest secret hardware in orbit. The Hack-A-Sat Space Security Challenge is aimed at exposing weaknesses that have been inadvertantly baked into space hardware during decades of closed development and secrecy, vulnerabilities that may pose risks to billions of dollars worth of irreplaceable assets. The qualification round requires teams to hack a grounded test satellite before moving on to attacking an orbiting platform during DEFCON in August, with prizes going to the winning teams. Get paid to hack government assets and not get arrested? Maybe 2020 isn’t so bad after all.

Poking Around The Wide World Of Bluetooth

January 30, 2020 by Tom Nardi 8 Comments

Bluetooth is a technology with a very interesting history. When it first came around in the late 1990s, it promised to replace the mess of wires that was tucked behind every desk of the day. Unfortunately, the capabilities of early Bluetooth didn’t live up to the hype, and it never quite took off. It wasn’t until the rise of the smartphone more than a decade later that Bluetooth, now several versions more advanced, really started to make sense.

As [Larry Bank] explains in a recent blog post, that means there’s a whole lot to learn if you want to really understand Bluetooth hacking. For example, the Bluetooth versions that were used in the 1990s and 2000s are actually a completely different protocol from that which most modern devices are using. But the original protocol, now referred to as “Classic”, is still supported and in use.

That means to really get your head wrapped around working with Bluetooth, you need to learn about the different versions and all the tools and tricks associated with them. To that end, [Larry] does a great job of breaking down the primary versions of Bluetooth and the sort of tools you might find yourself using. That includes microcontrollers such as the ESP32 or Arduino Nano 33 BLE.

But the post isn’t just theory. [Larry] also goes over a few real-world projects of his that utilize Bluetooth, such as getting a portable printer working with his Arduino, or figuring out how to use those tiny mobile phone game controllers for his own purposes. Even if you don’t have these same devices, there’s a good chance that the methods used and lessons learned will apply to whatever Bluetooth gadgets you’ve got your eye on.

Readers may recall [Larry] from our previous coverage of his exploits, such as his efforts to increase the frame rate of the SSD1306 OLED display or his wireless bootloader for the SMART Response XE. Whenever we see his name pop up in the Tip Line, we know a fascinating hardware deep dive isn’t far behind.