Repairs You Can Print: Fixing Pegboard Clips That Break Too Easily

February 14, 2018 by Brian Benchoff 8 Comments

Right now, we’re running the Repairs You Can Print Contest, where one lucky student and one lucky organization will win the fancy-schmancy Prusa i3 MK3, with the neato multi-extrusion upgrade. [Budiul] is a student, so he figured he would repair something with a 3D printer. Lucky for him, the pegboard in his workshop was completely terrible, or at least the pegboard hooks were. These hooks were made out of PVC, and after time, more and more hooks broke. The solution? Print his own, and make them stronger in the process.

[Budiul] started his fix by taking the remaining, unbroken hooks on his pegboard wall organizer and measuring the relevant dimensions. These were modeled in Creo 4.0, printed out, and tested to fit. After many errors and failed models, he finally got a 3D printable version of his plastic pegboard hooks.

Of course, replacing PVC pegboard hooks with ABS hooks really isn’t that great of a solution. To fix this problem of plastic pegboard hooks for good, he printed the hooks in halves, with a channel running down the middle. This channel was filled with some steel wire and acetone welded together. The result is a fantastically strong pegboard hook that will hold up to the rigors of holding up some tools.

While printing out pegboard hooks might not seem like the greatest use of time, there are a few things going for this hack. Firstly, these aren’t the pegboard hooks made out of steel rod we all know and love; this is some sort of weird proprietary system that uses plastic molded hooks. If they’re made out of plastic anyway, you might as well print them. Secondly, being able to print your own pegboard hooks is a severely underrated capability. If you’ve ever tried to organize a workbench, you’ll know that you’ll never be able to find the right hook for the right spot. There is, apparently, a mystical superposition of pegboard hooks somewhere in the universe.

This is a great hack, and a great entry for the Repairs You Can Print contest. You can check out a video of the hack below.

Continue reading “Repairs You Can Print: Fixing Pegboard Clips That Break Too Easily” →

34C3: Hacking Into A CPU’s Microcode

December 28, 2017 by Elliot Williams 67 Comments

Inside every modern CPU since the Intel Pentium fdiv bug, assembly instructions aren’t a one-to-one mapping to what the CPU actually does. Inside the CPU, there is a decoder that turns assembly into even more primitive instructions that are fed into the CPU’s internal scheduler and pipeline. The code that drives the decoder is the CPU’s microcode, and it lives in ROM that’s normally inaccessible. But microcode patches have been deployed in the past to fix up CPU hardware bugs, so it’s certainly writeable. That’s practically an invitation, right? At least a group from the Ruhr University Bochum took it as such, and started hacking on the microcode in the AMD K8 and K10 processors.

The hurdles to playing around in the microcode are daunting. It turns assembly language into something, but the instruction set that the inner CPU, ALU, et al use was completely unknown. [Philip] walked us through their first line of attack, which was essentially guessing in the dark. First they mapped out where each x86 assembly codes went in microcode ROM. Using this information, and the ability to update the microcode, they could load and execute arbitrary microcode. They still didn’t know anything about the microcode, but they knew how to run it.

So they started uploading random microcode to see what it did. This random microcode crashed almost every time. The rest of the time, there was no difference between the input and output states. But then, after a week of running, a breakthrough: the microcode XOR’ed. From this, they found out the syntax of the command and began to discover more commands through trial and error. Quite late in the game, they went on to take the chip apart and read out the ROM contents with a microscope and OCR software, at least well enough to verify that some of the microcode operations were burned in ROM.

The result was 29 microcode operations including logic, arithmetic, load, and store commands — enough to start writing microcode code. The first microcode programs written helped with further discovery, naturally. But before long, they wrote microcode backdoors that triggered when a given calculation was performed, and stealthy trojans that exfiltrate data encrypted or “undetectably” through introducing faults programmatically into calculations. This means nearly undetectable malware that’s resident inside the CPU. (And you think the Intel Management Engine hacks made you paranoid!)

[Benjamin] then bravely stepped us through the browser-based attack live, first in a debugger where we could verify that their custom microcode was being triggered, and then outside of the debugger where suddenly xcalc popped up. What launched the program? Calculating a particular number on a website from inside an unmodified browser.

He also demonstrated the introduction of a simple mathematical error into the microcode that made an encryption routine fail when another particular multiplication was done. While this may not sound like much, if you paid attention in the talk on revealing keys based on a single infrequent bit error, you’d see that this is essentially a few million times more powerful because the error occurs every time.

The team isn’t done with their microcode explorations, and there’s still a lot more of the command set left to discover. So take this as a proof of concept that nearly completely undetectable trojans could exist in the microcode that runs between the compiled code and the CPU on your machine. But, more playfully, it’s also an invitation to start exploring yourself. It’s not every day that an entirely new frontier in computer hacking is bust open.

Analysing 3D Printer Songs For Hacks

August 20, 2017 by Inderpreet Singh 8 Comments

3D printers have become indispensable in industry sectors such as biomedical and manufacturing, and are deployed as what is termed as a 3D print farm. They help reduce production costs as well as time-to-market. However, a hacker with access to these manufacturing banks can introduce defects such as microfractures and holes that are intended to compromise the quality of the printed component.

Researchers at the Rutgers University-New Brunswick and Georgia Institute of Technology have published a study on cyber physical attacks and their detection techniques. By monitoring the movement of the extruder using sensors, monitored sounds made by the printer via microphones and finally using structural imaging, they were able to audit the printing process.

A lot of studies have popped up in the last year or so including papers discussing remote data exfiltration on Makerbots that talk about the type of defects introduced. In a paper by [Belikovetsky, S. et al] titled ‘dr0wned‘, such an attack was documented which allowed a compromised 3D printed propeller to crash a UAV. In a follow-up paper, they demonstrated Digital Audio Signing to thwart Cyber-physical attacks. Check out the video below.

In this new study, the attack is identified by using not only the sound of the stepper motors but also the movement of the extruder. After the part has been manufactured, a CT scan ensures the integrity of the part thereby completing the audit.

Disconnected printers and private networks may be the way to go however automation requires connectivity and is the foundation for a lot of online 3D printing services. The universe of Skynet and Terminators may not be far-fetched either if you consider ambitious projects such as this 3D printed BLDC motor. For now, learn to listen to your 3D printer’s song. She may be telling you a story you should hear.

Thanks for the tip [Qes] Continue reading “Analysing 3D Printer Songs For Hacks” →

3D Printed Curta Gets Upgrades

August 1, 2017 by Inderpreet Singh 16 Comments

It is amazing how makers can accomplish so much when they put their mind to something. [Marcus Wu] has uploaded a mesmerizing video on how to build a 3D printed Curta Mechanical Calculator. After nine iterations of design, [Marcus] presents a polished design that not only works but looks like a master piece.

For the uninitiated, the Curta is a mechanical calculator designed around the time of World War II. It is still often seen used in time-speed-distance (TSD) rallies to aid in the computation of times to checkpoints, distances off-course and so on. Many of these rallies don’t allow electronic calculators, so the Curta is perfect. The complex inner workings of the contraption were a key feature and point of interest among enthusiasts and the device itself is a highly popular collectible.

As for the 3D printed design, the attention to detail is impeccable. The current version has around 80 parts that need to 3D printed and a requires a few other screws and springs. Some parts like the reversing lever and selector knobs have been painted and digits added to complete the visual detail. The assembly took [Marcus Wu] around 40 minutes to complete and is one of the most satisfying builds we have ever seen.

What is even more amazing is that [Markus Wu], who is a software engineer by profession has shared all the files including the original design files free of cost on Thingiverse. A blog with written instructions is also available along with details of the iterations and original builds. We already did a post on a previous version so check it out for a little more background info.

Thanks for the tip [lonestar] Continue reading “3D Printed Curta Gets Upgrades” →

Backchannel UART Without The UART

July 18, 2017 by Inderpreet Singh 22 Comments

Anyone who has worked with a microcontroller is familiar with using printf as a makeshift debugger. This method is called tracing and it comes with the limitation that it uses up a UART peripheral. Believe it or not, there are 8051 variants out there that come with only one serial block and you are out of luck if your application needs it to communicate with another device.

[Jay Carlson] has a method by which he can piggyback these trace messages over an on-chip debugger. Though the newer ARM Cortex-M software debugger already has this facility but [Jay Carlson]’s hack is designed to work with the SiLabs EFM8 controllers. The idea is to write these debug messages to a predefined location in the RAM which the debugger can access anyway. His application polls a certain area of the memory and when it finds valid information, it reads the data and spits it out into a dedicated window. It’s using the debugger as a makeshift printf!

[Jay Carlson] used slab8051.dll interface and put together a C# program and GUI that works alongside the SiLab’s IDE. The code is available on GitHub for you to check out if you are working the EFM8 and need a helping hand. The idea is quite simple and can be ported to other controllers in a multitude of ways like the MSP430 perhaps. For those of you who like the Teensy, you might want to take a look at adding debugger support to the Teensy 3.5/3.6.

Hacking IBeacons For Automating Routines

July 17, 2017 by Inderpreet Singh 17 Comments

Every self-respecting hacker has an automation hack somewhere in his/her bag of tricks. There are a lot of modern-day technologies that facilitate the functionality like GPS, scripting apps, and even IFTTT. In an interesting hack, [Nick Lee] has combined iBeacons and a reverse engineered Starbucks API to create an automated morning routine.

By creating a mobile app that scans for iBeacons, [Nick Lee] was able to reduce the effort made every morning while heading to his office. When the app encounters a relevant beacon, a NodeJS app sitting in the cloud is triggered. This consequently leads to desired actions like ordering an Uber ride and placing an order for an iced latte.

[Nick Lee] shares the code for the Starbucks application on GitHub for anyone who wants to order their favorite cup of joe automatically. This project can be easily expanded to work with GPS or even RFID tags and if you feel like adding IoT to a coffee machine, you could automate all of your beverage requirements in one go.

Completely Owning The Dreamcast Add-on You Never Had

July 17, 2017 by Elliot Williams 30 Comments

If you’ve got a SEGA Dreamcast kicking around in a closet somewhere, and you still have the underutilized add-on Visual Memory Unit (VMU), you’re in for a treat today. If not, but you enjoy incredibly detailed hacks into the depths of slightly aged silicon, you’ll be even more excited. Because [Dmitry Grinberg] has a VMU hack that will awe you with its completeness. With all the bits in place, the hacking tally is a new MAME emulator, an IDA plugin, a never-before ROM dump, and an emulator for an ARM chip that doesn’t exist, running Flappy Bird. All in a month’s work!

The VMU was a Dreamcast add-on that primarily stored game data in its flash memory, but it also had a small LCD display, a D-pad, and inter-VMU communications functions. It also had room for a standalone game which could interact with the main Dreamcast games in limited ways. [Dmitry] wanted to see what else he could do with it. Basically everything.

We can’t do this hack justice in a short write-up, but the outline is that he starts out with the datasheet for the VMU’s CPU, and goes looking for interesting instructions. Then he started reverse engineering the ROM that comes with the SDK, which was only trivially obfuscated. Along the way, he wrote his own IDA plugin for the chip. Discovery of two ROP gadgets allowed him to dump the ROM to flash, where it could be easily read out. Those of you in the VMU community will appreciate the first-ever ROM dump.

On to doing something useful with the device! [Dmitry]’s definition of useful is to have it emulate a modern CPU so that it’s a lot easier to program for. Of course, nobody writes an emulator for modern hardware directly on obsolete hardware — you emulate the obsolete hardware on your laptop to get a debug environment first. So [Dmitry] ported the emulator for the VMU’s CPU that he found in MAME from C++ to C (for reasons that we understand) and customized it for the VMU’s hardware.

Within the emulated VMU, [Dmitry] then wrote the ARM Cortex emulator that it would soon run. But what ARM Cortex to emulate? The Cortex-M0 would have been good enough, but it lacked some instructions that [Dmitry] liked, so he ended up writing an emulator of the not-available-in-silicon Cortex-M23, which had the features he wanted. Load up the Cortex emulator in the VMU, and you can write games for it in C. [Dmitry] provides two demos, naturally: a Mandlebrot set grapher, and Flappy Bird.

Amazed? Yeah, we were as well. But then this is the same guy emulated an ARM chip on the AVR architecture, just to run Linux on an ATMega1284p.