Getting Root On Cheap WiFi Repeaters, The Long Way Around

What can you do with a cheap Linux machine with limited flash and only a single free GPIO line? Probably not much, but sometimes, just getting root to prove you can is the main goal of a project. If that happens to lead somewhere useful, well, that’s just icing on the cake.

Like many interesting stories, this one starts on AliExpress, where [Easton] spied some low-cost WiFi repeaters, the ones that plug directly into the wall and extend your wireless network another few meters or so. Unable to resist the siren song, a few of these dongles showed up in the mailbox, ripe for the hacking. Spoiler alert: although the attempt on the first device had some success by getting a console session through the UART port and resetting the root password, [Easton] ended up bricking the repeater while trying to install an OpenWRT image.

The second attempt, this time on a different but similar device, proved more fruitful. The rudimentary web UI provided no easy path in, although it did a pretty good job enumerating the hardware [Easton] was working with. With the UART route only likely to provide temptation to brick this one too, [Easton] turned to a security advisory about a vulnerability that allows remote code execution through a specially crafted SSID. That means getting root on these dongles is as simple as a curl command — no hardware hacks needed!

As for what to do with a bunch of little plug-in Linux boxes with WiFi, we’ll leave that up to your imagination. We like [Easton]’s idea of running something like Pi-Hole on them; maybe Home Assistant would be possible, but these are pretty resource-constrained machines. Still, the lessons learned here are valuable, and at this price point, let the games begin.

MUDLink Is Making UART Data Links More Reliable

Many of us have used UARTs to spit data from one system or chip to another. Normally, for quick and dirty maker projects, this is good enough. However, you’ll always get the odd dropped transmission or glitch that can throw a spanner in the works if you’re not careful. [Jake Read] decided to work on a system that could use UARTs while being far more reliable. Enter MUDLink.

MUDLink is a library that works with an Arduino’s UART port and stacks on a bit of protocol to clean things up. It uses a packetized method of sending data to ensure that transmissions are received reliably as intended by the sender. Packets are framed using a method called Consistent Overhead Byte Stuffing, which is a nice lightweight way of doing so. The system also uses CRC16-CCITT as an error checking mechanism. There’s also an ack-and-retransmit system for ensuring any dropped transmissions are repeated and received successfully.
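To make that framing concrete, here is an added example (not MUDLink's own code) of the same scheme in Python: COBS so that 0x00 can delimit packets, a CRC16-CCITT trailer, and a receiver that drops any frame whose CRC fails, which is exactly the case the ack-and-retransmit layer exists to recover from. It assumes the CRC-16/CCITT-FALSE variant (polynomial 0x1021, initial value 0xFFFF) with a big-endian trailer, since the page does not give MUDLink's exact parameters.

```python
# Added example, not MUDLink's own code; CRC-16/CCITT-FALSE (poly 0x1021, init 0xFFFF) is assumed.

def cobs_encode(data: bytes) -> bytes:  # make the payload zero-free so 0x00 can delimit frames
    out, idx, code = bytearray([0]), 0, 1   # idx: slot holding the pending code byte
    for b in data:
        if b:
            out.append(b)
            code += 1
        if not b or code == 0xFF:           # close the block at a zero or after 254 bytes
            out[idx], idx, code = code, len(out), 1
            out.append(0)
    out[idx] = code
    return bytes(out)

def cobs_decode(enc: bytes) -> bytes:
    out, i = bytearray(), 0
    while i < len(enc):
        code, i = enc[i], i + 1
        block = enc[i:i + code - 1]
        if code == 0 or 0 in block or len(block) != code - 1:
            raise ValueError("corrupt COBS frame")
        out += block
        i += code - 1
        if code != 0xFF and i < len(enc):   # a full 0xFF block carries no implicit zero
            out.append(0)
    return bytes(out)

def crc16_ccitt(data: bytes, crc: int = 0xFFFF) -> int:
    for b in data:
        crc ^= b << 8
        for _ in range(8):
            crc = ((crc << 1) ^ 0x1021 if crc & 0x8000 else crc << 1) & 0xFFFF
    return crc

def frame(payload: bytes) -> bytes:     # payload + CRC trailer, COBS-encoded, 0x00-terminated
    return cobs_encode(payload + crc16_ccitt(payload).to_bytes(2, "big")) + b"\x00"

def unframe_stream(stream: bytes) -> tuple[list[bytes], int]:
    """Split on 0x00, decode, keep CRC-valid payloads. Returns (payloads, rejected count)."""
    good, rejected = [], 0
    for chunk in filter(None, stream.split(b"\x00")):
        try:
            raw = cobs_decode(chunk)
            if len(raw) < 2 or crc16_ccitt(raw[:-2]) != int.from_bytes(raw[-2:], "big"):
                raise ValueError("CRC mismatch")  # glitched frame: receiver withholds the ack
            good.append(raw[:-2])
        except ValueError:
            rejected += 1
    return good, rejected
```

Feeding unframe_stream() a stream in which one frame has a single flipped byte returns the intact payloads plus a rejected count of one; that rejected frame is the one the sender would retransmit once its ack times out.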

If you need reliable UART transmissions without too much overhead, you might want to look at what Jake is doing. It’s a topic we’ve looked at before, too.


Manta: An Open On-FPGA Debug Interface

We always can use more tools for FPGA debugging, and the Manta project by [Fischer Moseley] delivers without a shadow of a doubt. Manta lets you add a debug and data transfer channel between your computer and your FPGA, that you can easily access with helpfully included Python libraries.

With just a short configuration file as input, it gives you cores you add into your FPGA design, tapping the signals of interest as an FPGA-embedded logic analyzer, interacting with registers, and even letting you quickly transfer tons of data if you so desire.

Manta is easy to install, is developer-friendly, has been designed in Amaranth, and is fully open source as you would expect. At the moment, Manta supports both UART and Ethernet interfaces for data transfer. As for embedding the Manta cores into your project, they can be exported to both Amaranth and Verilog. You should check out the documentation website — it contains everything you might want to know to get started quickly.

The Manta project started out as our hacker’s MIT thesis, and we’re happy that we can cover it for you all. FPGA-embedded logic analyzers are a fascinating and much-needed tool, and we’ve had our own [Al Williams] tell you about his on-FPGA logic analysis journey!

Souped-Up Reflective Sensor Uses Itself For Wireless Programming

Proximity sensors are common enough in automation projects that we hardly give them a second thought — pick something with specs that match the job and move on. But they can be fussy to get adjusted just right, a job made more difficult if they’re located in some out-of-the-way corner.

But where lies a challenge, there’s also an opportunity, as [Ido Gendel] shows us with this remote-controlled proximity sensor. The story behind this clever little hack starts with an off-the-shelf sensor, the kind with an IR LED and a phototransistor pointed in the same direction that gives a digital output when the light bouncing back into the phototransistor exceeds a certain threshold. It was setting the threshold that gave [Ido]’s client trouble, so [Ido] decided to build a programmable drop-in replacement to make the job easier.

The first try at this used an OBP732 reflective transmitter and an ATtiny202 microcontroller and had three pads on the PCB for programming. This still required physical contact for programming, though, so [Ido] had the idea to use the sensor for wireless IR programming. The microcontroller on version two was switched to an ATtiny212, and a couple of components were added to control the power of the LED so the sensor could do double duty. A programmer using the same sensor and a USB-to-UART adapter completes the system, and allows the sensor threshold to be set just by shining the programmer in its general direction from up to 25 cm away.

We think that getting multiple uses from a single sensor is pretty clever, so hats off for this one. It’s not the first time we’ve featured one of [Ido]’s projects, but it’s been quite a while — this one-clock-cycle-a-day Shabbat clock was the most recent, but you can clearly see the roots of the sensor project in this mouse pointer data encoder that goes all the way back to 2015.

Reverse Engineering Reveals EV Charger Has A Sense Of Security

As more and more electric vehicles penetrate the market, there’s going to have to be a proportional rise in the number of charging stations that are built into parking garages, apartment complexes, and even private homes. And the more that happens, the more chargers we’re going to start seeing where security is at best an afterthought in their design.

But as this EV charger teardown and reverse engineering shows, it doesn’t necessarily have to be that way. The charger is a Zaptec Pro station that can do up to 22 kW, and the analysis was done by [Harrison Sand] and [Andreas Claesson]. These are just the kinds of chargers that will likely be widely installed over the next decade, and there’s surprisingly little to them. [Harrison] and [Andreas] found a pair of PCBs, one for the power electronics and one for the control circuits. The latter supports a number of connectivity options, like 4G, WiFi, and Bluetooth, plus some RFID and powerline communications. There are two microcontrollers, a PIC and an ARM Cortex-A7.

Despite the ARM chip, the board seemed to lack an obvious JTAG port, and while some unpopulated pads did end up having a UART line, there was no shell access possible. An on-board micro SD card slot seemed an obvious target for attack, and some of the Linux images they tried yielded at least a partial boot-up, but without knowing the specific hardware configuration on the board, that’s just shooting in the dark. That’s when the NAND flash chip was popped off the board to dump the firmware, which allowed them to extract the devicetree and build a custom bootloader to finally own root.

The article has a lot of fascinating details on the exploit and what they discovered after getting in, like the fact that even if you had the factory-set Bluetooth PIN, you wouldn’t be able to get free charging. So overall, a pretty good security setup, even if they were able to get in by dumping the firmware. This all reminds us a little of the smart meter reverse engineering our friend [Hash] has been doing, in terms of both methodology and results.

Thanks to [Thinkerer] for the tip.


Anyone Can Be The Master Of This Master Lock Safe

[Etienne Sellan] got one of these lovely $5 logic analyzers. As with any shiny new tool, he started looking for things to investigate with it, and his gaze fell on a Sentry Safe (produced by Master Lock). On the surface level, this keypad-equipped safe is designed decently when it comes to privilege separation. You can take the keypad board off and access its backside, but the keypad doesn’t make any decisions, it merely sends the digits to a different board embedded behind the safe’s door. The solenoid-connected board receives the PIN, verifies it, and then controls the solenoid that unlocks the safe.

[Etienne] hooked up a logic analyzer to the communication wire, which turned out to be a UART channel, and logged the keypad communication packets — both for password entry and for password change. Then, he wrote some Arduino code to send the same packets manually, which worked wonders. Bruteforcing wasn’t viable, however, due to rate limiting in the solenoid controller. Something drew his attention from there – if you want to change the password, the keypad requires you to enter the factory code, unique to each safe and supplied in the instruction manual. That code entry is a separate kind of packet from the “change password” one.



Boards For Playful Exploration Of Digital Protocols

Teaching people efficiently isn’t limited to transmitting material from one head to another — it’s also about conveying the principles that got us there. [Mara Bos] shows us a toolkit (Twitter, nitter link) that you can arm your students with, creating a small playground where, given a set of constraints, they can invent and figure communication protocols out on their own.

This tool aims to teach digital communication protocols from a different direction. We all know that UART, I2C, SPI and such have different use cases, but why? Why are baud rates important? When are clock or chip select lines useful? What’s the deal with the start bit? We kinda sorta figure out the answers to these on our own by mental reverse-engineering, but these things can be taught better, and [Mara] shows us how.

Gently guided by your observations and insights, your students will go through defining new and old communication standards from the ground up, rediscovering concepts like acknowledge bits, bus contention, or even DDR. And, as you point out that the tricks they just discovered have real-world counterparts, you will see the light bulb go on in their heads — realizing that they, too, could be part of the next generation of engineers that design the technologies of tomorrow.
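As an added illustration (not part of [Mara]’s toolkit), this Python model of an 8N1 UART line puts two of those questions into code: the start bit’s falling edge is what lets a receiver with no shared clock line up its sampling, and that alignment only holds while both ends agree on the bit time. Samples per bit stands in for the baud rate; the line samples are constructed by the transmitter function.

```python
# Added example, not [Mara]'s toolkit: a bit-level model of an 8N1 UART line showing what the
# start bit and an agreed baud rate buy you. Bit time is expressed as line samples per bit.

IDLE, BIT_TIME = 1, 16                       # line idles high; transmitter uses 16 samples per bit

def uart_tx(data: bytes, samples_per_bit: int = BIT_TIME) -> list[int]:
    """Serialise bytes as 8N1: start bit (0), 8 data bits LSB first, stop bit (1)."""
    line = [IDLE] * samples_per_bit           # some idle time before the first frame
    for byte in data:
        bits = [0] + [(byte >> i) & 1 for i in range(8)] + [1]
        for bit in bits:
            line += [bit] * samples_per_bit
    return line + [IDLE] * samples_per_bit

def uart_rx(line: list[int], samples_per_bit: int = BIT_TIME) -> tuple[bytes, int]:
    """Receive with the receiver's own idea of the bit time. Returns (bytes, framing errors)."""
    out, errors, i = bytearray(), 0, 0
    while i < len(line):
        if line[i] == IDLE:                   # wait for the falling edge of a start bit
            i += 1
            continue
        mid = i + samples_per_bit // 2        # the edge aligns us; sample each bit at its centre
        idx = [mid + k * samples_per_bit for k in range(10)]
        bits = [line[j] for j in idx if j < len(line)]
        if len(bits) < 10 or bits[0] != 0 or bits[9] != 1:
            errors += 1                       # no valid start/stop bit: framing error
        else:
            out.append(sum(b << k for k, b in enumerate(bits[1:9])))
        i = mid + 9 * samples_per_bit + samples_per_bit // 2  # skip past the stop bit
    return bytes(out), errors
```

With matching bit times every byte comes back intact; run the receiver at a different samples-per-bit than the transmitter and the samples drift off the bit centres, producing wrong bytes or framing errors, which is why two UARTs must agree on a baud rate up front.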
