Custom Firmware For Cheap Bluetooth Thermometers

The Xiaomi LYWSD03MMC temperature and humidity sensor is ridiculously cheap. If you’re buying a few at a time, you can expect to pay as little as $5 USD a pop for these handy Bluetooth Low Energy environmental sensors. Unfortunately, that low price tag comes with a bit of a catch: you can only read the data with the official Xiaomi smartphone application or by linking it to one of the company’s smart home hubs. Or at least, that used to be the case.

Over the past year, [Aaron Christophel] has been working on a replacement firmware for these Xiaomi sensors that unlocks the data so you can use it however you see fit. In addition, it allows the user to tweak various features and settings that were previously unavailable. For example, you can disable the little ASCII-art smiley face that usually shows on the LCD to indicate the relative comfort level of the room.

The new firmware publishes the temperature, humidity, and battery level every minute through a BLE advertisement broadcast. In other words, that means client devices can read data from the sensor without having to be paired. Scraping this data is quite simple, and the GitHub page includes a breakdown of what each byte in the broadcast message means. Avoiding direct connections not only makes it easier to quickly read the values from multiple thermometers, but should keep the device’s CR2032 battery going for longer.

But perhaps the most impressive part of this project is how you get the custom firmware installed. You don’t need to crack the case or solder up a programmer. Just load the flasher page on a computer and browser combo that supports Web Bluetooth (a smartphone is probably the best bet), point it to the MAC address of the thermometer you want to flash, and hit the button. [Aaron] is no stranger to developing user-friendly OTA installers for his firmware projects, but even for him, it’s quite impressive.


Modern Network Adapter For Retro Computers

Universal Serial Bus, or USB, is so ingrained in modern computing that it’s hard to imagine a time without it. That time did exist, though, and it was a wild west of connector types, standards, and interfacing methods. One of the more interesting interfaces of the time was the SIO system found in 8-bit Atari computers which ended up sharing a lot of the features of modern USB, and its adaptability is displayed in this modern project which brings WiFi, Bluetooth, USB, and SD card slots to any old Atari with an SIO port.

The project is called FujiNet and it uses the lightweight protocol of SIO to add a number of modern features to the 8-bit machine. It’s based on an ESP32, and the chip performs the functions of a network adapter by bridging WiFi and Bluetooth to the Atari. It does this by simulating drives that would have potentially been used on the Atari in its time, such as a floppy disk drive, an RS232 interface, or a modem, and translating them to the modern wireless communication protocols. It even has the ability to emulate a printer by taking the output of the print job from the Atari and converting it to PDF within the device itself.

Not only does this bring a lot of functionality to the Atari, which you may be able to use to view sites like retro.hackaday.com, but the FujiNet is housed in a period-appropriate 3D-printed case that matches the look and feel of the original Atari. If you need a more generic solution for your retrocomputing networking adventures that isn’t limited to SIO, we recommend grabbing a Raspberry Pi to handle that.

Thanks to [Gavin] for the tip!

Teardown: BlackBerry Smart Card Reader

Years before Steve Jobs showed off the first iPhone, the BlackBerry was already the must-have accessory for mobile professionals. Back then, nobody was worried about watching movies or playing the latest games on their mobile devices, they just wanted a secure and fast way to send and receive email on the go. For that, the BlackBerry was king.

Fast forward to today, and the company is just a shell of what it once was. They don’t even bother making their own hardware anymore. Over the last several years they’ve opted to partner with a series of increasingly obscure manufacturers to produce a handful of lackluster Android phones so they still have something to sell to their dwindling userbase. Anyone excited about the new 5G BlackBerry being built by Texas start-up OnwardMobility? Did you even know it was in the works before now?

A DoD Common Access Card

But this article isn’t about BlackBerry phones. It’s about something that’s even more irrelevant to consumers: the BlackBerry Smart Card Reader. Technically, this little device isn’t dependent on the phones of the same name, but it makes sense that Research In Motion (which eventually just renamed itself to BlackBerry Limited) would market the gadget under the brand of their most popular product. Though as you might expect, software was available to allow it to work with the BlackBerry phone that you almost certainly owned if you needed a dedicated smart card reader.

For those who might not be aware, a smart card in this context is a two-factor authentication token contained in an ID card. These are used extensively by organizations such as the Department of Defense, where they’re known as Common Access Cards, that require you to insert your ID card into a reader before you can log into a secure computer system. This sleek device was marketed as a portable reader that could connect to computers over USB or Bluetooth. Worn around your neck with the included lanyard, the battery-powered reader allowed the card itself to remain on the user’s body while still being readable by nearby devices.

Civilians will recognize the basic technology from modern “Chip and PIN” debit and credit cards, but we’ve never had to stick one of those into our laptop just to log in. To be sure, the BlackBerry Smart Card Reader was never intended for the average home computer user; it was sold to companies and organizations that had tight security requirements, which just so happened to be the same places that would likely already be using BlackBerry mobile devices.

Of course, times and technology change. These devices once cost $200 apiece and were purchased in vast quantities for distribution to trusted personnel, but are now all but worthless. Even in new and unopened condition, they can be had for as little as $10 USD on eBay. For that price, it’s certainly worth taking a peek inside. Perhaps the hacker community can even find new applications for these once cutting-edge devices.


Peripheral Doesn’t Need Deskspace

Some of us are suckers for new hardware. There’s absolutely nothing shameful about a drawer overflowing with gamepads, roll-up keyboards, and those funny-shaped ergonomic mice. MyTeleTouch won’t sate your itch for new hardware, because [Dimitar Danailov] didn’t design hardware you hold: it uses your phone as a catch-all Human Interface Device (HID). A dongle plugs into a standard USB port, and your Android phone can emulate a USB keyboard, mouse, or gamepad over Bluetooth.

Chances are high that you already set up your primary computer with your favorite hardware, but we think we’ve found a practical slant for a minimalist accessory. Remember the last time you booted an obsolete Windows desktop and dug out an old mouse with a questionable USB plug? How long have you poked around the bottom of a moving box trying to find a proprietary wireless keyboard dongle, when you just wanted to type a password on your smart TV? What about RetroPie and a game controller? MyTeleTouch isn’t going to transform your daily experience, but it’ll be there when you don’t want to carry a full-size keyboard down three flights of stairs to press {ENTER} on a machine that spontaneously forgot it has a touch screen. If you don’t have opportunities to play the hero very often, you can choose to play the villain. Hide this in a coworker’s USB port, and while they think you’re sending a text message, you could be fiddling with their cursor.

We enjoy a good prank that everyone can laugh off, and we love little keyboards; this one raises the (space) bar.


Mobile Transmitter Gets Internal GPS And Bluetooth

While [Selim Olcer] was relatively happy with his Kenwood TM-D710a radio, he didn’t like the fact that it needed a bulky external GPS “backpack” for APRS location data. So he decided to crack open the head unit and see if he couldn’t integrate his own GPS hardware (machine translation). Not only did he succeed, but he even threw in Bluetooth compatibility for good measure.

With the repair manual circuit diagrams in hand, it was no problem to find the GPS RX and TX lines that were being broken out to the external connector. Unfortunately, the radio’s electronics all run at 5 V and the GPS module [Selim] wanted to use was only 3.3 V. So he came up with a small PCB that included not only the voltage regulator to power the GPS module, but also some voltage dividers to level shift those signals.

Since the Kenwood TM-D710a was already designed to accept a GPS upgrade module, he just needed to change some configuration options in the radio’s menus for it to see the new hardware. Technically the project was done at this point, but since there was still room in the case and he had a GPS module spitting out NMEA sentences, [Selim] tacked on a common Bluetooth serial module so he could see the position information on his smartphone. With an application like APRSdroid, he now has a nice moving map display using the position pulled from the radio’s GPS.

With this modification done it looks like the head unit is ready to go, but that’s only the beginning for a mobile rig. Now we want to see how he integrates the whole thing into the car.

This Week In Security: Bluetooth Hacking, NEC Phones, And Malicious Tor Nodes

One of the fun things about vulnerability research is that there are so many places for bugs to hide. Modern devices have multiple processors, bits of radio hardware, and millions of lines of code. When [Veronica Kovah] of Dark Mentor LLC decided to start vulnerability research on the Bluetooth Low Energy protocol, she opted to target the link layer itself, rather than the code stack running as part of the main OS. What’s interesting is that the link layer has to process data before any authentication is performed, so if a vulnerability is found here, it’s guaranteed to be pre-authentication. Also of interest, many different devices are likely to share the same BLE chipset, meaning these vulnerabilities will show up on many different devices. [Veronica] shares some great info on how to get started, as well as the details on the vulnerabilities she found, in the PDF whitepaper. (Just a quick note, this link isn’t to the raw PDF, but pulls up a GitHub PDF viewer.) There is also a video presentation of the findings, if that’s more your speed.

The first vuln we’ll look at is CVE-2019-15948, which affects a handful of Texas Instruments BT/BLE chips. The problem is in how BLE advertisement packets are handled. An advertisement packet should always contain a data length of at least six bytes, which is reserved for the sending device address. Part of the packet parsing process is to subtract six from the packet length and do a memcpy using that value as the length. A malicious packet can have a length of less than six, and the result is that the copy length integer underflows, becoming a large value, and overwriting the current stack. To actually turn this into an exploit, a pair of data packets are sent repeatedly, to put malicious code in the place where program execution will jump to.

The second vulnerability of note, CVE-2020-15531, targets a Silicon Labs BLE chip, and uses malformed extended advertisement packets to trigger a buffer overflow. Specifically, the sent message is longer than the specification says it should be. Rather than drop this malformed message, the chip’s firmware processes it, which triggers a buffer overflow. Going a step further, this chip has non-volatile firmware, and it’s possible to modify that firmware permanently. [Veronica] points out that even embedded chips like these should have some sort of secure boot implementation, to prevent this sort of persistent attack.
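As an added example, not from the article, the whitepaper, or either vendor’s firmware, here is the length-handling pattern behind the two bugs above modelled in C: the unchecked "length minus six" that underflows in CVE-2019-15948, next to a hardened parser that rejects both too-short packets and the oversize payloads of the CVE-2020-15531 style. The 6-byte address layout, the 31-byte data buffer and all function names are assumptions for illustration.

```c
/* Added example: simplified model of BLE advertisement length handling.
 * Packet layout assumed: 6-byte device address followed by advertising data.
 * Buffer sizes and names are assumptions, not the affected vendors' code. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdbool.h>

#define BLE_ADDR_LEN 6u
#define ADV_DATA_MAX 31u   /* assumed size of the destination data buffer */

/* Vulnerable pattern: copy length = packet length - 6, with no check that
 * len is at least 6. Returns the value such firmware would hand to memcpy;
 * for len < 6 the subtraction wraps to a huge size_t. No copy is done here. */
size_t vuln_copy_len(uint8_t len) {
    size_t copy_len = (size_t)len - BLE_ADDR_LEN;   /* underflows when len < 6 */
    return copy_len;
}

/* Hardened parser: validate the length before any arithmetic or copy.
 * Rejects packets shorter than the address field (the underflow case) and
 * payloads larger than the destination buffer (the overflow case). */
bool safe_parse_adv(const uint8_t *pkt, uint8_t len,
                    uint8_t addr[BLE_ADDR_LEN], uint8_t *data, size_t *data_len) {
    if (pkt == NULL || len < BLE_ADDR_LEN) {
        return false;                  /* too short: would underflow above */
    }
    size_t payload = (size_t)len - BLE_ADDR_LEN;   /* safe: len >= 6 here */
    if (payload > ADV_DATA_MAX) {
        return false;                  /* oversize: drop instead of overflowing */
    }
    memcpy(addr, pkt, BLE_ADDR_LEN);
    memcpy(data, pkt + BLE_ADDR_LEN, payload);
    *data_len = payload;
    return true;
}
```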

Fire Pit Burns To The Beat With Bluetooth

Humans have several primal fascinations and perhaps two of the biggest ones are fire and music. While you can picture some cavemen and cavewomen sitting around a fire beating on sticks for rhythm, we think they’d be impressed if the fire danced along with the music. Through the power of Bluetooth, that’s exactly what [Random Tech DIY’s] new fire pit does.

Technically, this is called a Rubens tube, and while it’s an old technology, the Bluetooth is certainly a modern touch. As you might expect, most of this project is workshop time, cutting MDF and plastic. The audio system is off-the-shelf and drives some car stereo speakers. The results looked good, and although it always makes us nervous building things that carry propane gas, it seems to work well enough from where we’re sitting.

We had to wonder what things you could change that would affect the display. Changing the number of holes, the diameter of the holes, or the gas pressure, for example, would certainly change how the flames look and react to the sound waves.

We have seen other Rubens tube projects, of course. However, we were really interested in the use of these as crude oscilloscopes before the availability of cathode ray tubes. We’ve seen a modern take on that, too.
