Whether or not you personally like the concept of the AirPod Bluetooth headphones is irrelevant, as an Apple product one thing is certain: all the cool kids want them. That also means that plenty of overseas manufacturers are pumping out janky clones for a fraction of the price for those who are more about the Apple look than the Apple price tag. Are they any good? No, of course not. But that doesn’t mean you can’t do something interesting with them.
[Igor Kromin] took apart a pair of fake AirPods and was predictably underwhelmed. So much so that he didn’t even bother putting the things back together. Instead, he took the two poor Bluetooth audio receivers and combined them into one slightly less poor Bluetooth audio receiver. It probably doesn’t meet the classical definition of a “good” use of time and/or money, but at least he got some entertainment out of a product that was otherwise destined for the trash.
As you might imagine, the left and right “AirPod” each has its own battery, Bluetooth receiver, and speaker. It has to, as they have no physical connection to each other. That also means that each receiver is only playing one channel, making them useless individually. What [Igor] realized was that he could put together a little PCB that combines the two audio channels back into a regular stereo 3.5 mm audio jack.
While he was at it, he also wired the individual buttons on each headphone to a center button on the PCB which would allow him to physically synchronize them. Even still, [Igor] mentions that occasionally they don’t come on at the same time. But what do you expect for something that’s nearly a 20th the price of the original?
The last time we saw a hack related to the Apple AirPod, it was when somebody threw them out the window, so one might presume most hackers prefer their iDevice tethered.
Successfully connecting things without physical wires has a profound effect on the maker brain. Machines talking to each other without any cables is as amazing today as it was a decade ago. When Bluetooth came out, it was a breakthrough since it offered a wireless way to connect cellphones to a PC. But Bluetooth is a complicated, high-bandwidth power hog, and it didn’t make sense for battery-powered devices with less demanding throughput requirements to pay the energy price. Enter Bluetooth LE (BLE), with power requirements modest enough to enable a multitude of applications including low power sensor nodes and beacons.
Over the years, a number of gadgets with BLE have popped up such as the LightBlue Bean, BLE Beacons as well as quadcopters like the FlexBot that rely on BLE for communication. Android or iOS apps are the predominant method of talking to these wonderful gadgets though there are alternatives.
This is the first in a two part series on building with BLE devices. First, I’ll survey some BLE devices and how to get started with BLE from the Linux command line. Later, we will go into describing the process of making a NodeJS cross-platform app that will leverage the BLE capabilities and connect it to the Internet.
Lets get started.
Continue reading “Beginning BLE Experiments And Making Everything Better”
You shouldn’t transmit encryption keys over Bluetooth, but that’s exactly what some popular wireless-enabled microcontrollers are already doing. This is the idea behind Screaming Channels, an exploit published by researchers at EUERCOM, and will be a talk at Black Hat next week. So far, the researchers have investigated side-channel attacks on Bluetooth-enabled microcontrollers, allowing them to extract tinyAES keys from up to 10 meters away in controlled environments. A PDF of the paper is available and all the relevant code is available on GitHub.
The experimental setup for this exploit consisted of a BLE Nano, a breakout board for a Nordic nRF52832 Bluetooth microcontroller, a Hack RF, a USRB N210 software defined radio from Ettus, and a few high-gain antennas and LNAs. The example attack relies on installing firmware on the BLE Nano that runs through a few loops and encrypts something with tinyAES. Through very careful analysis of the RF spectrum, the AES keys can be extracted from the ether.
Side channel attacks have received a bit more popularity over recent years. What was once limited to Three Letter Agency-level Van Eck phreaking can now be done inexpensively and in a system with devices like the ChipWhisperer.
Of course, this is only a demonstration of what is possible with side-channel attacks in a highly controlled environment with a significant amount of work gone into the firmware running on the microcontroller. This isn’t evidence that balaclava-wearing hackers are sniffing your phone from across the parking lot to get the password to your Instagram account, but it does show what is possible with relatively cheap, off-the-shelf hardware.
There are a multitude of radio shields for the Arduino and similar platforms, but they so often only support one protocol, manufacturer, or frequency band. [Jan Gromeš] was vexed by this in a project he saw, so decided to create a shield capable of supporting multiple different types. And because more is so often better, he also gave it space for not one, but two different radio modules. He calls the resulting Swiss Army Knife of Arduino radio shields the Kite, and he’s shared everything needed for one on a hackaday.io page and a GitHub repository.
Supported so far are ESP8266 modules, HC-05 Bluetooth modules, RFM69 FSK/OOK modules, SX127x series LoRa modules including SX1272, SX1276 and SX1278, XBee modules (S2B), and he claims that more are in development. Since some of those operate in very similar frequency bands it would be interesting to note whether any adverse effects come from their use in close proximity. We suspect there won’t be because the protocols involved are designed to be resilient, but there is nothing like a real-world example to prove it.
This project is unique, so we’re struggling to find previous Hackaday features of analogous ones. We have however looked at an overview of choosing the right wireless tech.
As long as there has been radio, people have wanted to eavesdrop on radio transmissions. In many cases, it is just a hobby activity like listening to a scanner or monitoring a local repeater. But in some cases, it is spy agencies or cyberhackers. [Giovanni Camurati] and his colleagues have been working on a slightly different way to attack Bluetooth radio communications using a technique that could apply to other radio types, too. The attack relies on the ubiquitous use of mixed-signal ICs to make cheap radios like Bluetooth dongles. They call it “Screaming Channels” and — in a nutshell — it is relying on digital information leaking out on the device’s radio signal.
Does it work? The team claims to have recovered an AES-128 key from 10 meters away. The technique reminds us a bit of TEMPEST in that unintended radio transmissions provide insight into the algorithm the device applies to encrypt or decrypt data. Most (if not all) encryption techniques assume you can’t see inside the “black box.” If you can, then it’s because it is relatively easy to break the code.
Continue reading “Screaming Channels Attack RF Security”
Cheap Bluetooth speakers come in all different kinds of shapes and colors, and they let you conveniently stream music, for example from your mobile phone. For [mcmchris], they had one significant shortcoming though: while most of them come with some auxiliary input port as alternative audio source, they usually lack an audio output port that would let him route the audio to his more enjoyable big-speaker sound setup. Lucky for him, it’s a problem that can be fixed with a wire cutter and soldering iron, and so he simply turned his cheap speaker into a Bluetooth audio receiver.
After opening the speaker, [mcmchris] discovered a regular F-6188 Bluetooth audio module built around the BK8000L chip, with the audio jack connected to the chip’s aux input pins. Taking a close look at the PCB, the solution seemed obvious: cut the connection to the chip’s aux input pins, and connect the audio jack parallel to the audio signal itself. After some trial and error, the output pins of the on-board op amplifier seemed to provide the best audio signal for his shiny new output jack. You can see more details about the speaker’s inner life and a demonstration in the video after the break — in Spanish.
If the concept looks familiar to you, we’ve indeed seen a very similar approach to equip a Google Home Mini with an audio output jack before. The alternative is of course to just build a decent sized Bluetooth speaker yourself.
Continue reading “Turn A Cheap Bluetooth Speaker Into An Audio Receiver”
For several years now, a more energy-efficient version of Bluetooth has been available for use in certain wireless applications, although it hasn’t always been straightforward to use. Luckily now there’s a development platform for Bluetooth Low Energy (BLE) from Texas Instruments that makes using this protocol much easier, as [Markel] demonstrates with a homebrew video game controller.
The core of the project is of course the TI Launchpad with the BLE package, which uses a 32-bit ARM microcontroller running at 48 MHz. For this project, [Markel] also uses an Educational BoosterPack MKII, another TI device which resembles an NES controller. To get everything set up, though, he does have to do some hardware modifications to get everything to work properly but in the end he has a functioning wireless video game controller that can run for an incredibly long time on just four AA batteries.
If you’re building a retro gaming console, this isn’t too bad a product to get your system off the ground using modern technology disguised as an 8-bit-era controller. If you need some inspiration beyond the design of the controller, though, we have lots of examples to explore.
Continue reading “Explore Low-Energy Bluetooth by Gaming”