We have to admit that in the hardware hacking universe, there aren’t generally too many chances to hack elevators. Well, at least not opportunities that don’t also include the risk of incarceration. But fortune favors the bold, and when he found the remains of an elevator control panel in an abandoned Croatian resort hotel, [Davor Cihlar] undertook an extensive and instructive reverse-engineering of the panel.
The video below highlights his efforts, which were considerable given the age and state of the panel. This is a relay-only control panel, after all, with most of the relays missing and a rat’s nest of wires connecting the sockets. So [Davor] put his “RevIng” concept to work. This uses a custom PCB with a microcontroller on-board that plugs into each relay socket and probes the connections between it and every other socket. Very clever stuff, and it presented him with the data needed to develop a ladder-logic diagram of the board, with the help of some custom software.
With the original logic in hand, [Davor] set about building a simulator for the panel. It’s a lovely piece of work, with buttons and lights to mimic the control panel inside the elevator car, as well as the call stations that would have graced each lobby of the hotel. Interestingly, he found logic that prevented the elevator from being called to some floors from anywhere but inside the car. The reason remains a mystery, but we suppose that a hotel built by Penthouse publisher [Bob Guccione] would have plenty of secrets.
We love the supremely satisfying clickiness of this build, and the reverse engineering prowess on display, but we can’t find much practical use for something like this. Then again, DIY elevators are a thing.
Continue reading “Reverse-Engineering An Elevator Control Panel Results In Clicky Goodness”
There are a lot of things in our everyday life that are holdovers from an earlier time that we continue to use simply because of inertia even if they don’t make a lot of sense in modern times. Examples include a 60 Hz power grid, the spacing between railroad tracks, and of course the self-contained attic ladder which is made to fit in between standard spaced ceiling joists. It’s not wide enough to get big or heavy stuff into an attic, and building standards won’t change just for this one inconvenience, so if you want to turn that space into something more usable you’re going to need to build a custom elevator.
This attic elevator comes to us from [Brian] who recently moved into a home with about half the square footage as his previous home, but still needed to hold all of his stuff. That means clever ways of using the available space. For the elevator he constructed a platform out of 2x lumber held together with bolts and steel supports. The carriage runs up and down on a track made out 1 5/8″ super strut and is hoisted by a winch motor rated for 550 pounds, which is more than enough to hoist up most household items including a large toolbox.
The only thing that we would have liked to have seen in the video is how the opening was made. Presumably this would have involved cutting into a ceiling joist to make the opening wider than the standard attic ladder, and care would have needed to be taken to ensure the ceiling/floor wasn’t weakened. Either way, this is a great solution to a common problem, and could perhaps be made to work on more than two levels with a custom controller. Continue reading “Build Your Own Custom Elevator”
Join us on Wednesday, June 3 at noon Pacific for the Physical Security Hack Chat with Deviant Ollam!
You can throw as many resources as possible into securing your systems — patch every vulnerability religiously, train all your users, monitor their traffic, eliminate every conceivable side-channel attack, or even totally air-gap your system — but it all amounts to exactly zero if somebody leaves a door propped open. Or if you’ve put a $5 padlock on a critical gate. Or if your RFID access control system is easily hacked. Ignore details like that and you’re just inviting trouble in.
Once the black-hats are on the inside, their job becomes orders of magnitude easier. Nothing beats hands-on access to a system when it comes to compromising it, and even if the attacker isn’t directly interfacing with your system, having him or her on the inside makes social engineering attacks that much simpler. System security starts with physical security, and physical security starts with understanding how to keep the doors locked.
To help us dig into that, Deviant Ollam will stop by the Hack Chat. Deviant works as a physical security consultant and he’s a fixture on the security con circuit and denizen of many lockpicking villages. He’s well-versed in what it takes to keep hardware safe from unauthorized visits or to keep it from disappearing entirely. From CCTV systems to elevator hacks to just about every possible way to defeat a locked door, Deviant has quite a bag of physical security tricks, and he’ll share his insights on keeping stuff safe in a dangerous world.
Our Hack Chats are live community events in the Hackaday.io Hack Chat group messaging. This week we’ll be sitting down on Wednesday, June 3 at 12:00 PM Pacific time. If time zones have you down, we have a handy time zone converter.
Click that speech bubble to the right, and you’ll be taken directly to the Hack Chat group on Hackaday.io. You don’t have to wait until Wednesday; join whenever you want and you can see what the community is talking about.
We’ve all stared at that button in the elevator with the phone icon on it, supremely confident that if the cab came to a screeching halt while rocketing up to the 42nd floor, a simple button press would be your salvation. To be fair, that’s probably true. But the entire system is not nearly as robust as most people think.
Friday at DEF CON 27, [Will Caruana] took the stage to talk about phone phreaking on an elevator. The call buttons first appeared on elevators in 1968 as actual phone handsets, eventually becoming a mandated feature starting in 1976. Unfortunately, the technology they use hasn’t come all that far since. Phone modules on elevators did benefit when DTMF (touch tones) and voice menu systems rolled around. But for the most part, they are a plain old telephone service (POTS) frontend.
[Will] spends his spare time between floors pressing the call button and asking for the phone number. It’s the lowest bar of social engineering, by identifying yourself as an elevator service technician and asking for the number he is calling from. His experience has been that the person at the other end of the phone will give you that number no questions asked nearly every time. What can you do with a phone number? Turns out quite a bit.
The keys to the castle are literally in the elevator phone user manuals. The devices, shipped by multiple manufacturers, come with a default password and [Will’s] experience has been that nobody changes them. This means that once you have the phone number, you can dial in and use the default password to reprogram how the system works. This will not let you directly control the elevator, but it will let you speak to the people inside, and even change the call-out number so that the next time that little button is pressed it calls you, and not the phone service it’s intended to dial. That is, if the system was even correctly set up in the first place. He mentioned that it’s not too hard to find elevators that don’t have their location set up in the system — if you do need help, it may be hard to figure out which elevator you’re actually in. There have also been instances where these call the 24-hour maintenance staff for the building, a bewildering experience for sleepy personnel who didn’t sign up for this.
Want to go beyond the call button and dig deeper into the secrets of pwning elevators? [Will] suggests watching the HOPE X talk from [Deviant Ollam] and [Howard Payne] called Elevator Hacking: From the Pit to the Penthouse.
The Amoreiras Tower, in Lisbon, Portugal, recently added a rooftop viewing area that is open to the public. The top of the tower is one of the highest spots in the city, and the viewing area gives an impressive 360º view of the surrounding area. However, the elevator to get to the top left a lot to be desired. It’s an interior elevator, and didn’t itself offer any view.
So, Artica, along with Schindler, were brought in to solve that problem. The solution was to mount displays on the interior of the elevator, in order to simulate a 360º panoramic view of the city outside. The video is synced up with the elevator, so the view changes as the elevator passengers move up and down between floors.
Artica, who was responsible for the concept, design, and electronics installation accomplished this by first building a prototype in their office building. This was a full-size elevator replica with which they could test the design and get it ready for installation. They then partnered with Schindler to actually install the system in the elevator of the Amoreiras Tower, which necessitated almost completely rebuilding the elevator. As you can see in the video, the resulting view and accompanying music (definitely not elevator music) are fantastic, and it was even done in time for the public opening of the rooftop viewing area.
Like us, you may be wondering where the video footage came from. The scene moves in apparent parallax so video was obviously captured with continuous motion and isn’t a scrolling image. This is the work of a camera toting drone.
Continue reading “A Windowless Elevator With A 360º Panoramic View”
The elevator at [Alex]’s office building has some quirks which make it very inconvenient to everyone in the building. The major problem was that the doors of the elevator at each floor stay locked until someone walks down the hall to hit a button. Obviously this was a hassle, so [Alex] built a controller that can remotely call and unlock the elevator. (Part 2 of the project is located on a separate page.)
The first step was to source the hardware and figure out exactly how the controls for the elevator worked. [Alex] decided to use an Electric Imp for this project, and after getting it connected to the Internet, he realized that he could power it directly off of the elevator’s 10V supply. From there, he used relays to interface the Electric Imp with the “elevator call” and “elevator unlock” buttons inside the elevator’s control panel.
Once the hardware side was completed, it was time to move on to the software side. [Alex] wrote a mobile app for a user interface that can be accessed from anywhere, and also wrote the code for the Electric Imp agent and the code that runs on the Electric Imp itself. Now, a simple tap of a button on a mobile device is enough to call the elevator or unlock it, rather than in the past where someone had to run down a hall to hit the button.
We hope there is some security on the mobile app, otherwise anyone in the world will be able to call the elevator and turn it into a passenger-less useless machine!
[Niklas Roy] calls it his Perpetual Energy Wasting Machine, but we know it for what it truly is: a building-sized most useless machine. You’ll remember that a most useless machine is a bobble that uses clever design to turn itself off once you have turned it on. This does the same thing with the elevator of the WRO Art Center in Wroclaw, Poland. The one difference is that it continually turns itself on and off.
He rigged up a pulley system that travels through the stairwell of the building. Whenever the elevator door on the top floor opens it causes the call button on the bottom floor to be pressed. The same thing happens when the elevator reaches the ground floor. But he didn’t stop there. Since the device is just wasting electricity whenever the elevator moves without passengers in it, he added a meter to track the loss. It’s the guts of a printing calculator strapped to the inside of the car. Every time the doors open it adds to the total.
You can see the installation in the video clip after the jump.
Continue reading “Most Useless Machine: Building Elevator Edition”