USB chargers are everywhere and it is the responsibility of every hacker to use this commonly available device to its peak potential. [Septillion] and [Hugatry] have come up with a hack to manipulate a USB charger into becoming a variable voltage source. Their project QC2Control works with chargers that employ Quick Charge 2.0 technology which includes wall warts as well as power banks.
Qualcomm’s Quick Charge is designed to deliver up to 24 watts over a micro USB connector so as to reduce the charging time of compatible devices. It requires both the charger as well as the end device to have compatible power management chips so that they may negotiate voltage limiting cycles.
In their project, [Septillion] and [Hugatry] use a 3.3 V Arduino Pro Mini to talk to the charger in question through a small circuit consisting of a few resistors and diodes. The QC2.0 device outputs voltages of 5 V, 9 V and 12 V when it sees predefined voltage levels transmitted over the D+ and D- lines, set by Arduino and voltage dividers. The code provides function calls to simplify the control of the power supply. The video below shows the hack in action.
Quick Charge has been around for a while and you can dig into the details of the inner workings as well as the design of a compatible power supply from reference designs for the TPS61088 (PDF). The patent (PDF) for the Quick Charge technology has a lot more detail for the curious.
Similar techniques have been used in the past and will prove useful for someone looking for a configurable power supply on the move. This is one for the MacGyver fans.
Continue reading “USB Charger Fooled into Variable Voltage Source”
Google’s voice assistant has been around for a while now and when Amazon released its Alexa API and ported the PaaS Cloud code to the Raspberry Pi 2 it was just a matter of time before everyone else jumped on the fast train to maker kingdom. Google just did it in style.
Few know that the Google Assistant API for the Raspberry Pi 3 has been out there for some time now but when they decided to give away a free kit with the May 2017 issues of MagPi magazine, they made an impression on everyone. Unfortunately the world has more makers and hackers and the number of copies of the magazine are limited.
In this writeup, I layout the DIY version of the AIY kit for everyone else who wants to talk to a cardboard box. I take a closer look at the free kit, take it apart, put it together and replace it with DIY magic. To make things more convenient, I also designed an enclosure that you can 3D print to complete the kit. Lets get started.
Continue reading “How to Build Your Own Google AIY without the Kit”
It is amazing how the game Doom has been ported to so many things. Enter one more port, where the hardware in question is a Honeywell Prestige thermostat.
In his video, [cz7asm] shows us the game running quite nicely on the 480 x 272 LCD with an NES controller plugged into the USB port originally intended for software updates. The thermostat runs on a STM32F429 which is an ARM9 processor that has the juice to pull it off. The Doom engine being used is based on Chocolate Doom, an open source port of the game, and the binaries can be downloaded for Windows and Mac. The source code is also available as a download for your tinkering pleasure. This project by [cz7asm] is extended from a code on GitHub by [floppes] that was meant for the STM32F429IDISCOVERY evaluation board.
The author shares his code for the STM32F4 on Dropbox as a zip and in order to compile it, the Atmel BSP for GNU GCC is used. The video below demonstrates the hack in action and, though there is no sound yet, the satisfaction that comes from such modifications is its own reward.
What else can you run Doom on? How about a calculator or maybe the Intel Edison or even an ATM machine! If there is a processor with enough muscle power, hackers will find a way to run Doom on it. So have you seen any alien computers lately that you think can be hacked? Continue reading “Doomed Thermostat”
[Alexander Reben] makes tech art, and now he’s encouraging you to do the same — within a URL. The gimmick? Making the code small enough to fit the data portion of a link. And to help with that, he has set up a webpage that uncompresses and wraps code from the URL and inserts it into the HTML on the fly. His site essentially applies or un-applies all the tricks of JS minification in the URL, and turns that into content.
So, for instance,
Something strikes us as fishy about passing JS code opaquely in links, but since the URL decodes on [Alexander]’s server, we don’t see the XSS attack just yet. If you can find the security problem with this setup, or better yet if you write up a nice animation, let us know in the comments.
French hacker [akila] is building up a home automation system. In particular, he’s been working with the “SmartHome” series of gadgets made by Chinese smartphone giant, Xiaomi. First, he started off by reverse-engineering their very nicely made temperature and humidity sensor. (Original in French, hit the translate button in the lower right.) With that under his belt, he opened up the PIR motion sensor unit to discover that it has the same debugging pinouts and the same processor. Almost too easy.
For a challenge, [akila] decided it was time to implement something useful in one of these gadgets: a ZigBee sniffer so that he can tell what’s going on in the rest of his home network. He built a USB/serial programming cable to work with the NXP JN5169’s bootloader, downloaded the SDK, and rolled up his sleeves to get to work.
While trolling through the SDK, he found some interesting firmware called “JennicSniffer”. Well, that was easy. There’s a demo version of a protocol analyzer that he used. It would be cool to get this working with Wireshark, but that’s a project for another day. [Akila] got far enough with the demo analyzer to discover that the packets sent by the various devices in the home network are encrypted. That’s good news for the security-conscious out there and stands as the next open item on [akila]’s to-do list.
We don’t see as many ZigBee hacks as we’d expect, but they’ve definitely got a solid niche in home automation because of commercial offerings like Philips Hue and Wink. And of course, there’s the XBee line of wireless communications modules. We just wrote up a ZigBee hack that aims to work with the Hue system, though, so maybe times are changing?
As if you needed any reason other than “just for the heck of it” to hack into a gadget that you own, it looks like nearly all of the GSM-to-IP bridge devices make by DBLTek have a remotely accessible “secret” backdoor account built in. We got sent the link via Slashdot which in turn linked to this story on Techradar. Both include the scare-words “Chinese” and “IoT”, although the devices seem to be aimed at small businesses, but everything’s “IoT” these days, right?
What is scary, however, is that the backdoor isn’t just a sloppy debug account left in, but rather only accessible through an elaborate and custom login protocol. Worse still, when the company was contacted about the backdoor account, they “fixed” the problem not by removing the account, but by making the “secret” login procedure a few steps more complicated. Which is to say, they haven’t fixed the problem at all.
This issue was picked up by security firm Trustwave, but they can’t check out every device on the market all the time. We may be preaching to the choir here, but if you’re ever wondering why it’s important to be able to break into stuff that you own, here’s another reminder.
Wow. [Dmitry Grinberg] just broke into the SROM on Cypress’ PSoC 4 chips. The supervisory read-only memory (SROM) in question is a region of proprietary code that runs when the chip starts up, and in privileged mode. It’s exactly the kind of black box that’s a little bit creepy and a horribly useful target for hackers if the black box can be broken open. What’s inside? In the manual it says “The user has no access to read or modify the SROM code.” Nobody outside of Cypress knows. Until now.
This matters because the PSoC 4000 chips are among the cheapest ARM Cortex-M0 parts out there. Consequently they’re inside countless consumer devices. Among [Dmitry]’s other tricks, he’s figured out how to write into the SROM, which opens the door for creating an undetectable rootkit on the chip that runs out of each reset. That’s the scary part.
The cool parts are scattered throughout [Dmitry]’s long and detailed writeup. He also found that the chips that have 8 K of flash actually have 16 K, and access to the rest of the memory is enabled by setting a single bit. This works because flash is written using routines that live in SROM, rather than the usual hardware-level write-to-register-and-wait procedure that we’re accustomed to with other micros. Of course, because it’s all done in software, you can brick the flash too by writing the wrong checksums. [Dmitry] did that twice. Good thing the chips are inexpensive.
The nitty-gritty on the ROP (return oriented programming) tricks that [Dmitry] had to pull, and a good look into the design of the system itself, are all up on [Dmitry]’s blog. We can’t wait to see what other buried treasure he’s going to find as he continues to play around with these chips. And in case you’re wondering what type of mad genius it takes to pull this off, consider that [Dmitry] runs Linux on AVRs, fools nRF24 chips into transmitting Bluetooth LE beacons, and re-writes his own airplane’s GPS.
[Main image is a PSoC4200 dev kit, and [Dmitry] has only been working with the 4000 and 4100 series. Just so you know.]