35C3: Finding Bugs In Bluetooth

[Jiska Classen] and [Dennis Mantz] created a tool called Internal Blue that aims to be a Swiss-army knife for playing around with Bluetooth at a lower level. Their tool is built on three functions that are common to all Broadcom Bluetooth chipsets: one that lets you read arbitrary memory, one that lets you run it, and one that lets you write it. Well, that was easy. The rest of their work was analyzing this code and learning how to replace the firmware with their own version. That took them a few months of hard reversing work.

In the end, Internal Blue lets them execute commands at one layer deeper — the LMP layer — easily allowing monitoring and injection. In a series of live (and successful!) demos they probe around on a Nexus 6P from a modified Nexus 5 on their desk. This is where they started digging around in the Bluetooth stack of other devices with Broadcom chipsets, and that’s where they started finding bugs.

As is often the case, [Jiska] was just poking around and found an external code handler that didn’t do bounds checking. That meant she could run other functions in the firmware simply by passing the handler an address offset. Since this amounts to calling functions at arbitrary locations in memory, finding which functions to call with which arguments is a process of trial and error. The ramifications range from at least a Bluetooth module crash and reset to tricks such as putting the Bluetooth module into “Device Under Test” mode, which should only be accessible from the device itself. All of this is before pairing with the device — just walking by is sufficient to invoke functions through the buggy handler.
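The bug class described here, a command handler that uses an attacker-supplied value as an index into a function table without checking it, is easy to see in miniature. The following is an added illustration, not code from Internal Blue or from Broadcom's firmware; the handler names, the opcode numbering, the `cmd_source` field and the `local_only` flag are all assumptions made up for the example. It shows the unchecked dispatch shape beside a hardened one that adds the two checks a reviewer would ask for: a range check on an unsigned index, and an authorization check so that privileged handlers (like a "Device Under Test" mode) cannot be reached from a remote peer.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical handler table, modelled on the class of bug described above.
   Illustrative only: this is not Broadcom's firmware or Internal Blue code. */

enum cmd_source { SRC_LOCAL_HOST = 0, SRC_REMOTE_PEER = 1 };

typedef int (*handler_fn)(uint32_t arg);

struct handler_entry {
    handler_fn fn;
    bool       local_only;   /* privileged: must not be reachable over the air */
};

static int h_echo(uint32_t arg)     { return (int)(arg & 0xff); }
static int h_reset(uint32_t arg)    { (void)arg; return 0x100; }
static int h_dut_mode(uint32_t arg) { (void)arg; return 0x200; }  /* "Device Under Test" */

static const struct handler_entry handlers[] = {
    { h_echo,     false },
    { h_reset,    false },
    { h_dut_mode, true  },
};
#define HANDLER_COUNT (sizeof handlers / sizeof handlers[0])

#define ERR_BAD_OPCODE  (-1)
#define ERR_NOT_ALLOWED (-2)

/* Vulnerable shape: the opcode arrives in a frame and is used as the table index
   with no range check. An out-of-range opcode reads a pointer-sized value past
   the end of the table and calls it, which is exactly the "call any function
   by offset" behaviour the article describes. Kept only as the "before" form;
   do not call it with an opcode >= HANDLER_COUNT. */
int dispatch_unchecked(uint32_t opcode, uint32_t arg)
{
    return handlers[opcode].fn(arg);
}

/* Hardened shape: bounds check first (unsigned index, so no negative wrap),
   then an authorization check on where the command came from. */
int dispatch_checked(enum cmd_source src, uint32_t opcode, uint32_t arg)
{
    if (opcode >= HANDLER_COUNT)
        return ERR_BAD_OPCODE;
    if (handlers[opcode].local_only && src != SRC_LOCAL_HOST)
        return ERR_NOT_ALLOWED;
    return handlers[opcode].fn(arg);
}

int main(void)
{
    printf("remote echo:      %d\n", dispatch_checked(SRC_REMOTE_PEER, 0, 0x41));   /* 65 */
    printf("remote DUT mode:  %d\n", dispatch_checked(SRC_REMOTE_PEER, 2, 0));      /* -2 */
    printf("remote bad opcode:%d\n", dispatch_checked(SRC_REMOTE_PEER, 0xffff, 0)); /* -1 */
    printf("local DUT mode:   %d\n", dispatch_checked(SRC_LOCAL_HOST, 2, 0));       /* 512 */
    return 0;
}
```

The range check alone stops the arbitrary-call primitive; the `local_only` check is the separate, second fix that the "should only be accessible from the device itself" remark points at. Both are needed: a correctly bounded table that still exposes privileged handlers to unpaired peers is a design bug rather than a memory-safety bug, but it is a bug all the same.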

All the details of this exploit aren’t yet available, because Broadcom hasn’t fixed the firmware for probably millions of devices in the wild. And one of the reasons that they haven’t fixed it is that patching the bug will disclose where the flaw lies in all of the unpatched phones, and not all vendors can be counted on to push out updates at the same time. While they focused on the Nexus 5 cellphone, which is fairly old now, it’s applicable to any device with a similar Broadcom Bluetooth chipset.

Aside from the zero-day bug here, the big story is their Bluetooth analysis framework, which will surely help other researchers learn more about Bluetooth, find more glitches, and hopefully help make Bluetooth more openly scrutinized and more secure. Now anyone with a Raspberry Pi 3/3+ or a Nexus 5 is able to turn it into a low-level Bluetooth investigation tool.

You might know [Jiska] from her previous FitBit hack. If not, be sure to check it out.

Bose Wants You To Listen Up For Augmented Reality

Perhaps it is true that if all you have is a hammer every problem you see looks like a nail. When you think of augmented reality (AR), you usually think of something like the poorly-received Google Glass where your phone or computer overlays imagery in your field of vision. Bose isn’t known for video, though, they are known for audio. So perhaps it isn’t surprising that their upcoming (January 2019) AR sunglasses won’t feature video overlays. Instead, the $200 sunglasses will tell you what you are looking at.

The thing hinges on your device knowing your approximate location and the glasses knowing their orientation due to an inertial measuring system. In other words, the glasses — combined with your smart device — know where you are and what you are looking at. Approximately. So at the museum, if you are looking at a piece of art, the glasses could tell you more information about it. There’s a video showing an early prototype from earlier this year, below.

Non-Nefarious Raspberry Pi Only Looks Like A Hack

We’re going to warn you right up front that this is not a hack. Or at least that’s how it turned out after [LiveOverflow] did some digital forensics on a mysterious device found lurking in a college library. The path he took to come to the conclusion that nothing untoward was going on was interesting and informative, though, as is the ultimate purpose of the unknown artifacts.

As [LiveOverflow] tells us in the video below, he came upon a Reddit thread – of which we can now find no trace – describing a bunch of odd-looking devices stashed behind garbage cans, vending machines, and desks in a college library. [LiveOverflow] recognized the posted pictures as Raspberry Pi Zeroes with USB WiFi dongles attached; curiosity piqued, he reached out to the OP and offered to help solve the mystery.

The video below tells the tale of the forensic fun that ensued, including some questionable practices like sticking the device’s SD card into the finder’s PC. What looked very “hackerish” to the finder turned out to be quite innocuous after [LiveOverflow] went down a remote-diagnosis rabbit hole to discern the purpose of these devices. We won’t spoil the reveal, but suffice it to say they’re part of a pretty clever system with an entirely non-nefarious purpose.

We thought this was a fun infosec romp, and instructive on a couple of levels, not least of which is keeping in mind how “civilians” might see gear like this in the wild. Hardware and software that we deal with every day might look threatening to the general public. Maybe the university should spring for some labels describing the gear next time.

Lightsaber Uses Pogo Pins To Make Assembly A Breeze

There was an endless supply of fantastic projects at Supercon this year, but one whose fit and finish really stood out was [Scott]’s lightsaber. If you were walking around and saw someone with a very bright RGB device with a chromed-out handle hanging off their belt it was probably this, though it may have been hard to look at directly. On the outside, the saber looks like a well-polished cosplay prop, and it is! But when Scott quickly broke down the device into component pieces it was apparent that extra care had been put into the assembly of the electronics.

Like any good lightsaber replica the blade is lit, and wow is it bright. The construction is fairly simple: it’s a triplet of WS2812B LED strips back to back on a triangular core, mounted inside a translucent polycarbonate tube with a diffuser. Not especially unusual. But the blade can be popped off the hilt at a moment’s notice for easy transport and storage, so the strips can’t be soldered in. Connectors would have worked, but who wants flying wires when they’re disconnecting their lightsaber blade? The answer? Pogo pins! Scott runs the power, ground, and data lines out of the strips and into a small board with slip ring-style plated rings. On the hilt, there is a matching array of pogo pins to pass along power and data. The data lines from all the strips are tied together, minimizing the number of connections to make, and the outer two power rings have more than one pin for better current-carrying capacity. A handy side effect is that there is nowhere on the blade where there aren’t LEDs; the strips go down to the very end of the blade where it meets the main board inside the hilt.

The hilt is filled with an assembly of 18650s and a Teensy mounted with a custom shield, all fit inside a printed midframe. The whole build is all about robust design that’s easy to assemble. The main board is bookended by perpendicular PCBs mounted to the ends, one at the top to connect to the blade and one at the bottom to connect to a speaker. Towards the bottom there is space for an optional Bluetooth radio to allow remote RGB control.

Scott is selling this as a product but also provides detailed instructions and parts lists for each component. Assembly instructions for the blade are here. The hilt is here. And pogo adapters are on OSH Park here. An overview of the firmware with links to GitHub is here. Check out a walkthrough of the handle assembly and blade attachment after the break!

A Bluetooth Upgrade For An Unusual Set Of Headphones

We will have all picked up something from a junk pile or swap meet in our time that caught our eye not because we needed it but because it looked cool. [Quinn Dunki] did just that with an irresistible set of 1980s air traffic control headphones. What did she do with them? Turn them into a set of Bluetooth headphones of course!

The ‘phones in question are particularly interesting, as they turned out upon inspection to be a two-way radio in disguise. Cracking them open revealed a radio board and a logic board, and what makes them particularly interesting to this Hackaday scribe’s eye is their choice of frequency. She finds a crystal with a VHF airband frequency multiplier and concludes that they must operate there, but a look at the photos reveals all the ingredients of a classic AM or low HF receiver. There is a ferrite rod antenna and a variable capacitor; if we didn’t know that these were very high-end professional ‘phones we’d almost suspect they were a novelty AM radio from Radio Shack. If any readers can shed any light on the frequency and purpose of this device, we’re all ears.

The conversion involved a Sparkfun Bluetooth module breakout board paired with a little audio power amplifier. The original drivers were high-impedance and one of them had died, so she replaced them with a modern pair of identical size. The control buttons were mounted in the headphone’s external housing, after a wrong turn into attempting to create a custom enclosure. The result is a rather novel but high-quality set of ‘phones, and one we rather wish we’d found ourselves.

Which Wireless Is Right Wireless?

Back in the early days of Arduino proliferation (and before you ask, yes we realize there was a time before that too), wireless was a strange and foreign beast. IR communication was definitely a thing. And if you had the funds there was this cool technology called ZigBee that was available, often in funny blue house-shaped XBee boards. With even more funds and a stomach for AT commands you could even bolt on a 2G cell radio for unlimited range. WiFi existed too, but connecting it to a hobbyist ecosystem of boards was a little hairier (though maybe not for our readership).

But as cell phones pushed demand for low power wireless forward and the progression of what would become the Internet of marketing Terms (the IoT, of course) began, a proliferation of options appeared for wireless communication. Earlier this week we came across a great primer on some of the major wireless technologies which was put together by Digikey earlier in the year. Let’s not bury the lede. This table is the crux of the piece:

There are some neat entries here that are a little less common (and our old friend, the oft-maligned and never market-penetrating ZigBee). It’s actually even missing some entries. Let’s break it down:

  • Extremely short range: Just NFC. Very useful for transferring small amount of sensitive information slowly, or things with high location-relevance (like between phones that are touching).
  • Short range: BLE, Zigbee, Z-Wave, etc. Handy for so-called Personal Area Networks and home-scale systems.
  • Medium/long range: WiFi, Bluetooth, Zigbee, Z-Wave, LoRaWAN: Sometimes stretching for a kilometer or more in open spaces. Useful for everything from emitting tweets to stitching together a mesh network across a forest, as long as there are enough nodes. Some of these are also useful at shorter range.
  • Very Long range/rangeless: Sigfox, NB-IoT, LTE Category-0. Connect anywhere, usually with some sort of subscription for network access. Rangeless in the sense that range is so long you use infrastructure instead of hooking a radio up to a Raspberry Pi under your desk. Though LoRa can be a fun exception to that.

You’re unlikely to go from zero to custom wireless solution without getting down into the mud with the available dev boards for a few different common protocols, but which ones? The landscape has changed so rapidly over the years that it’s easy to get stuck in one comfortable technology and miss the appearance of the next big thing (like how LoRaWAN is becoming the new cool kid these days). This guide is a good overview to help catch you up and help decide which dev kits are worth a further look. But of course we still want to hear from you below about your favorite wireless gems — past, present, and future — that didn’t make it into the list (we’re looking at you, 433 MHz).

Adding Bluetooth To Original SNES Controllers

There’s a bunch of companies selling wireless Super Nintendo style controllers out there. You can go on Amazon and get any number of modern pads that at least kinda-sorta look like what came with Nintendo’s legendary 1990s game console. They’ve got all kinds of bells and whistles: Bluetooth, USB-C, analog sticks, etc. But none of them are legitimate SNES controllers, and for some people that’s just not good enough.

[sjm4306] is one of those people. He wanted to add Bluetooth and some other modern niceties to a legitimate first-party SNES controller, so he picked up a broken one off of eBay and got to work grafting in his custom hardware. The final result works with Nintendo’s “Classic Edition” consoles, but the concept could also work with the original consoles as well as the computer if you prefer your classic games emulated.

A custom ATMEGA328P-powered board polls the controller’s SPI serial shift register in much the same way the original SNES would have. It then takes those button states and sends them out over UART with an HC-05 Bluetooth module. The controller is powered by a 330 mAh 3.7V battery, and a charging circuit allows for easily topping the controller off with a standard USB cable.
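To make the polling step concrete, here is an added example of reading the controller the way the console does: pulse LATCH to parallel-load the shift register, then clock out sixteen active-low bits in the fixed order B, Y, Select, Start, Up, Down, Left, Right, A, X, L, R, followed by four unused bits that read high. This is not [sjm4306]’s firmware; the `snes_io` GPIO hook structure, the `sim_pad` software model of the controller’s shift register, and the `BTN_*` bit assignments are all assumptions made for the example so that it runs on a PC without hardware. On a real ATmega328P the four hook functions would be replaced by pin writes, pin reads and a microsecond delay.

```c
#include <stdint.h>
#include <stdio.h>

/* Button bit positions, in the order the controller shifts them out.
   Assumed convention for this example; the serial order itself is the
   documented SNES controller order. */
enum {
    BTN_B = 1 << 0,  BTN_Y = 1 << 1,  BTN_SELECT = 1 << 2, BTN_START = 1 << 3,
    BTN_UP = 1 << 4, BTN_DOWN = 1 << 5, BTN_LEFT = 1 << 6, BTN_RIGHT = 1 << 7,
    BTN_A = 1 << 8,  BTN_X = 1 << 9,  BTN_L = 1 << 10,     BTN_R = 1 << 11,
};
#define SNES_BUTTON_MASK 0x0FFF   /* bits 12..15 are unused and always read high */

/* Hypothetical GPIO hooks so the polling routine is hardware-independent. */
struct snes_io {
    void (*latch)(void *ctx, int level);
    void (*clock)(void *ctx, int level);
    int  (*data)(void *ctx);
    void (*delay_us)(void *ctx, unsigned us);
    void *ctx;
};

/* Poll once. Returns a bitmask with 1 = pressed (the wire is active-low). */
uint16_t snes_poll(const struct snes_io *io)
{
    uint16_t pressed = 0;

    io->latch(io->ctx, 1);            /* ~12 us latch pulse loads all buttons */
    io->delay_us(io->ctx, 12);
    io->latch(io->ctx, 0);

    for (int i = 0; i < 16; i++) {
        if (io->data(io->ctx) == 0)   /* 0 on the wire means pressed */
            pressed |= (uint16_t)(1u << i);
        io->clock(io->ctx, 0);        /* clock idles high; the rising edge */
        io->delay_us(io->ctx, 6);     /* that ends the pulse shifts the */
        io->clock(io->ctx, 1);        /* next bit onto the data line */
        io->delay_us(io->ctx, 6);
    }
    return pressed & SNES_BUTTON_MASK;
}

/* Software model of the controller's CD4021-style shift register (constructed
   for the example). Bit 0 of `shift` is what sits on the DATA line. */
struct sim_pad {
    uint16_t pressed;     /* physically pressed buttons, BTN_* bits */
    uint16_t shift;
    int      clock_level;
};

static void sim_latch(void *ctx, int level)
{
    struct sim_pad *p = ctx;
    if (level)   /* parallel load: active-low buttons, unused bits high */
        p->shift = (uint16_t)~(p->pressed & SNES_BUTTON_MASK);
}
static void sim_clock(void *ctx, int level)
{
    struct sim_pad *p = ctx;
    if (level && !p->clock_level)    /* rising edge: shift, fill with 1 */
        p->shift = (uint16_t)((p->shift >> 1) | 0x8000);
    p->clock_level = level;
}
static int  sim_data(void *ctx)     { return ((struct sim_pad *)ctx)->shift & 1; }
static void sim_delay(void *ctx, unsigned us) { (void)ctx; (void)us; }

/* Convenience: poll a simulated pad that has `pressed` held down. */
uint16_t sim_poll(uint16_t pressed)
{
    struct sim_pad pad = { pressed, 0xFFFF, 1 };
    struct snes_io io = { sim_latch, sim_clock, sim_data, sim_delay, &pad };
    return snes_poll(&io);
}

int main(void)
{
    static const char *names[12] = { "B", "Y", "Select", "Start", "Up", "Down",
                                     "Left", "Right", "A", "X", "L", "R" };
    uint16_t state = sim_poll(BTN_B | BTN_START | BTN_A);
    for (int i = 0; i < 12; i++)
        if (state & (1u << i))
            printf("%s ", names[i]);   /* prints: B Start A */
    printf("\n");
    return 0;
}
```

The 16-bit word that `snes_poll` returns is also a natural payload for the UART link to the Bluetooth module: two bytes per poll, with the receiving side applying the same `BTN_*` layout. Masking off the top four bits on the host side is worth keeping even when the wire should always read them as high, since a disconnected data line or a non-genuine pad can return anything there.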

A particularly nice touch on the controller is the use of custom light pipes for the status LEDs. [sjm4306] made them by taking pieces of transparent PLA 3D printer filament, heating and flattening the end, and then sanding it smooth. This provides a diffusing effect on the light, and we’ve got to say it looks very good. Definitely a tip to file away for the future.

On the receiving side, this project was inspired by a custom NES Classic Edition Advantage controller we featured last year, and borrows from the work creator [bbtinkerer] did to get his receiver hardware talking to the Classic console over I2C.

We’ve seen a number of projects which have added wireless functionality to the classic Super Nintendo controller, but most tend to be more invasive than this one. We like the idea of reading the controller’s original hardware rather than completely gutting it.