Poking Around The Wide World Of Bluetooth

Bluetooth is a technology with a very interesting history. When it first came around in the late 1990s, it promised to replace the mess of wires that was tucked behind every desk of the day. Unfortunately, the capabilities of early Bluetooth didn’t live up to the hype, and it never quite took off. It wasn’t until the rise of the smartphone more than a decade later that Bluetooth, now several versions more advanced, really started to make sense.

As [Larry Bank] explains in a recent blog post, that means there’s a whole lot to learn if you want to really understand Bluetooth hacking. For example, the Bluetooth versions that were used in the 1990s and 2000s are actually a completely different protocol from that which most modern devices are using. But the original protocol, now referred to as “Classic”, is still supported and in use.

That means to really get your head wrapped around working with Bluetooth, you need to learn about the different versions and all the tools and tricks associated with them. To that end, [Larry] does a great job of breaking down the primary versions of Bluetooth and the sort of tools you might find yourself using. That includes microcontrollers such as the ESP32 or Arduino Nano 33 BLE.

But the post isn’t just theory. [Larry] also goes over a few real-world projects of his that utilize Bluetooth, such as getting a portable printer working with his Arduino, or figuring out how to use those tiny mobile phone game controllers for his own purposes. Even if you don’t have these same devices, there’s a good chance that the methods used and lessons learned will apply to whatever Bluetooth gadgets you’ve got your eye on.

Readers may recall [Larry] from our previous coverage of his exploits, such as his efforts to increase the frame rate of the SSD1306 OLED display or his wireless bootloader for the SMART Response XE. Whenever we see his name pop up in the Tip Line, we know a fascinating hardware deep dive isn’t far behind.

SMA-Q2 Smart Watch Is Completely Hackable

The search for the ultimate hacker’s smart watch probably won’t end any time soon. [emeryth] has nominated another possible candidate in the form of the SMA-Q2, and has made a lot of progress in making it accessible.

Also known as the SMA-TIME, the watch is based around the popular nRF52832 Bluetooth SoC, with a colour memory LCD, an accelerometer, and a heart rate sensor on the back. The main feature that makes it so easy to hack is the stock bootloader on the nRF52832, which works with the generic Nordic upload tool, making firmware upgrades a breeze via a smartphone. Unfortunately the bootloader itself is locked, so it must be completely wiped to gain debugging access. The hardware configuration has also been well reverse engineered, with all the details available.

Custom main board with an nRF52840 module

[emeryth] has most of the basic features working with his custom firmware, although it’s still in the early stages. He designed a new watch face that includes weather updates and basic audio controls. The 3-bit display’s power consumption has also been reduced by only refreshing the necessary parts. The heart rate sensor outputs the raw waveforms, and it’s pretty accurate after a bit of FFT and filtering magic. Built-in tap and tilt detection is available on the accelerometer, which works well, but strangely doesn’t appear to have been used in the stock firmware.

Unfortunately the original enclosure design that used screws was dropped for a glued version. It’s still possible to open without breaking anything, just a bit more difficult. Another hardware hacker, [BigCorvus], has even designed a completely new open-source main board with an nRF52840 module and heart rate sensor on a small flex PCB, with everything up on GitHub.

We really hope the community takes a liking to this watch, and look forward to seeing some awesome hacking. This is an excellent addition to the list of candidates for the perfect hacker’s smart watch that [Lewin Day] has already investigated. We also see a lot of DIY smart watches, including one with a beautiful wood-filled 3D printed housing and another with an LED matrix display.

Teardown: BilBot Bluetooth Robot

Historically, the subject of our January teardown has been a piece of high-tech holiday lighting from the clearance rack; after all, they can usually be picked up for pocket change once the trucks full of Valentine’s Day merchandise start pulling up around the back of your local Big Box retailer. But this year, we’ve got something a little different.

Today we’re looking at the BilBot Bluetooth robot, which over the holidays was being sold at Five Below for (you guessed it) just $5 USD. These were clearly something the company hoped to sell a lot of, with stacks of the little two-wheeled bots in your choice of white and yellow livery right by the front door. With wireless control from your iOS or Android device, and intriguing features like voice command, I’d be willing to bet they managed to move quite a few of these at such a low price.

For folks like us, it can be hard to wrap our minds around a product like this. It must have a Bluetooth radio, some kind of motor controller, and of course the motors and gears themselves. Yet they can sell it for the price of a budget hamburger and still turn a profit. If you wanted to pick up a barebones robotics platform, with just a couple of gear motors and some wheels, it would cost more than that. The economies of scale are a hell of a thing.

Which made me wonder, could hackers take advantage of this ultra-cheap robot for our own purposes? It’s pretty much a given that the software for this robot will be terrible, and that whatever control electronics live inside it will be marginal at best. But what if we write those off and just look at the BilBot as a two-wheeled platform to carry our own electronics? It’s certainly worth $5 to find out.


A Simple App Controlled Door Lock

[Adnan.R.Khan] had a sliding door latch plus an Arduino, and hacked together this cool but simple app controlled door lock.

Mechanically the lock consists of a Solarbotics GM3 motor, some Meccano, and a servo arm. A string is tied between two pulleys and looped around the slide of a barrel latch. When the motor moves back and forth it’s enough to slide the lock in and out. Electronically an Arduino and a Bluetooth module provide the electronics. The system runs from a 9V battery, and we’re interested to know whether there were any tricks pulled to make the battery last.

The system’s software is a simple program built in MIT App Inventor. Still, it’s pretty cool that you can get functionally close to a production product with parts that are very much lying around. It also makes us think of maybe keeping our childhood Meccano sets a little closer to the bench!

36C3: All Wireless Stacks Are Broken

Your cellphone is the least secure computer that you own, and worse than that, it’s got a radio. [Jiska Classen] and her lab have been hacking on cellphones’ wireless systems for a while now, and in this talk she gives an overview of the wireless vulnerabilities and attack surfaces that they bring along. While the talk provides some basic background on wireless (in)security, it also presents two new areas of research that she and her colleagues have been working on over the last year.

One of the new hacks is based on the fact that a phone that wants to support both Bluetooth and WiFi needs to figure out a way to share the radio, because both protocols use the same 2.4 GHz band. And so it turns out that the Bluetooth hardware has to talk to the WiFi hardware, and it shouldn’t entirely surprise you that once [Jiska] gets into the Bluetooth stack, she’s able to DoS the WiFi. What this does to the operating system depends on the phone, but many of them just fall over and reboot.

Lately [Jiska] has been doing a lot of fuzzing on the cell phone stack, enabled by emulation work by one of her students, [Jan Ruge], codenamed “Frankenstein”. The coolest thing here is that the emulation runs in real time and can be threaded into the operating system, enabling full-stack fuzzing. More complexity means more bugs, so we expect to see a lot more coming out of this line of research in the next year.

[Jiska] gives the presentation in a tinfoil hat, but that’s just a metaphor. In the end, when asked about how to properly secure your phone, she gives out the best advice ever: toss it in the blender.

Inject Keystrokes Any Way You Like With This Bluetooth Keystroke Injector

[Amirreza Nasiri] sends in this cool USB keystroke injector.

The device consists of an Arduino, a Bluetooth module, and an SD card. When it’s plugged into the target computer the device loads the selected payload from the SD card, compromising the system. Then it does its unique trick which is to switch the injector over to Bluetooth mode. Now the attacker has much more control, albeit local, over the system.

While we would never even be tempted to plug this device into a real computer, we like some of the additional features, like how an added DIP switch can be used to select from up to eight different payloads depending on the required attack. The addition of a photodiode is also interesting, and makes us dream of all sorts of impractical movie hacker scenarios. [Amirreza] says it’s to trigger when the person leaves the room and turns the lights off.

[Amirreza] has all the code and design files on GitHub. There are also a few payload examples, which should be fun to hack on. After all, one of life’s pleasures is to find new ways to mess with your friends.

Vintage Plotter Gets Bluetooth Upgrade

Recently [iot4c] stumbled upon this gorgeous Robotron Reiss plotter from 1989, brand-new and still in its original box. Built before the fall of the Berlin Wall in East Germany, it would be a crime to allow such a piece of computing history to go unused. But how to hook it up to a modern system? Bad enough that it uses some rather unusual connectors, but it’s about to be 2020, who wants to use wires anymore? What this piece of Cold War hardware needed was an infusion of Bluetooth.

While the physical ports on the back of the Robotron certainly look rather suspect, it turns out that electrically they’re just RS-232. In practice, this means converting it over was fairly straightforward. With a Bolutek BK3231 Bluetooth module and an RS-232 to UART converter, [iot4c] was able to create a wireless adapter that works transparently on the plotter by simply connecting it to the RX and TX pins.

A small DC buck converter was necessary to provide 3.3 V for the Bluetooth adapter, but even so, there was plenty of room inside the plotter’s case to fit everything in neatly. From the outside, you’d have no idea that the hardware had ever been modified at all.

But, like always, there was a catch. While Windows had no trouble connecting to the Bluetooth device and assigning it a COM port, the 512-byte buffer on the plotter would get overwhelmed when it started receiving commands. So [iot4c] wrote a little script in Node.js that breaks the commands down into more manageable chunks and sends them off to the plotter every 0.1 seconds. With this script in place the Robotron moved under its own power for the first time in ~30 years, parsing an HP-GL file generated by Inkscape.
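As an added illustration (not [iot4c]’s own script), here is the chunking approach described above in Node.js: the HP-GL stream is split on its `;` command terminators so that no chunk exceeds the plotter’s 512-byte buffer and no command is cut in half, then the chunks are paced at 0.1-second intervals through an assumed `write` callback standing in for the serial port.

```javascript
// Added example, not [iot4c]'s code. Splits an HP-GL command stream into
// chunks that fit the plotter's 512-byte input buffer and paces the writes.
const PLOTTER_BUFFER_BYTES = 512; // buffer size quoted in the article
const SEND_INTERVAL_MS = 100;     // article: one chunk every 0.1 seconds

// Split on ';' terminators (e.g. "PU;", "PA100,200;"), keeping the terminator
// with its command so every chunk is a sequence of complete commands.
// HP-GL is plain ASCII, so string length equals byte length here.
function chunkHpgl(hpgl, limit = PLOTTER_BUFFER_BYTES) {
  const commands = hpgl.match(/[^;]*;|[^;]+$/g) || [];
  const chunks = [];
  let current = '';
  for (const cmd of commands) {
    if (cmd.length > limit) {
      // A single oversized command can never fit; fail loudly instead of
      // silently overrunning the plotter's buffer.
      throw new Error(`single command exceeds ${limit} bytes`);
    }
    if (current.length + cmd.length > limit) {
      chunks.push(current);
      current = '';
    }
    current += cmd;
  }
  if (current) chunks.push(current);
  return chunks;
}

// Send the chunks one at a time, waiting intervalMs between writes so the
// plotter can drain its buffer. `write` is an assumed async sink (for a real
// port, wrap the serial library's write call in a Promise). Returns the
// number of chunks sent.
async function sendPaced(hpgl, write, intervalMs = SEND_INTERVAL_MS) {
  const chunks = chunkHpgl(hpgl);
  for (const chunk of chunks) {
    await write(chunk);
    await new Promise((resolve) => setTimeout(resolve, intervalMs));
  }
  return chunks.length;
}

// Constructed sample: a minimal Inkscape-style HP-GL preamble and a square.
const SAMPLE_HPGL = 'IN;SP1;PU0,0;PD100,0;PD100,100;PD0,100;PD0,0;PU;SP0;';

module.exports = { chunkHpgl, sendPaced, SAMPLE_HPGL, PLOTTER_BUFFER_BYTES };
```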

If you’re interested in a plotter of your own but don’t have a vintage one sitting around, never fear. We’ve seen an influx of DIY plotters recently, ranging from builds that use popsicle sticks and clothespins to customizable 3D printed workhorses.