The Tesla turbine is a bladeless centripetal-flow turbine invented by Nikola Tesla in 1913, using the boundary-layer effect rather than having a stream of gases or a fluid impinge on blades. Recently [Jamie’s Brick Jams] constructed one using Lego to demonstrate just how well these turbines work compared to their bladed brethren.

Since it uses the boundary-layer effect, the key is to have as much surface area as possible. This means having many smaller discs stacked side by side with some spacing between them.

Interestingly, the air that is directed against the turbine will travel inwards, towards the axle of the discs and thus requiring some way to vent the air. In the video a number of design prototypes are tested to see how they perform before settling on a design suitable for a functional generator.

The first discs are printed in PLA with an FDM printer, which are put on a shaft with 1 mm spacers. What becomes clear during testing is that these turbines can reach ridiculous speeds, but torque is really quite weak until you hit very high RPMs, well beyond 10,000 RPM. This is a bit of an issue if you want to drive any load with it, especially on start-up, but managed to propel a walker robot as a quick torque test.

After all that testing and experimenting, the right material for the turbine discs was investigated, with PLA pitted against ‘PLA tough’, PETG, PC and TPU. Of these PLA Tough got the best results in terms of RPM at the same air pressure. This was assembled into a basic generator, but the turbine struggled to generate enough torque.

Here the solution was to create a custom generator that would be much easier to spin up. To this was added a much larger turbine with 0.3 mm thin discs, using which ultimately some power could be generated, along with a considerable amount of torque. To adjust the RPM into the generator from the turbine a CVT initially was used to provide a gradual adjustment, but this had to be replaced with metal gears.

After this change the generator was good enough for a power output of about 14 Watt at 30 V with 85 PSI as input. Which is more than enough to charge a smartphone or light up a big LED panel. The design files for all of these turbines are provided on MakerWorld, such as for the big turbine.

Although Tesla turbines never made much of a splash as turbines, they are quite nice as pumps that can take a bit of abuse, including ingesting debris that would wreck other types of pumps. As a turbine they remain a fun hobbyist toy, with us covering various designs over the years. Take for example this one from 2011 based on HDD platters, or a micro turbine out of metal.

youtube.com/embed/f65jOURRJKg?…

hackaday.com/2026/03/13/making…

Remember those brick cellphones in the 1990s? They were comically large by today’s standards. These phones used the 1G network to communicate and, as such, have been unusable for decades now. However [Alan Boris] has resurrected this classic phone to operate today.

Originally costing as much as today’s top-of-the-line phones, but instead of weighing just a few ounces this classic Motorola DynaTAC 8000 Classic 2 tips the scales at a hefty 1.5 lbs. [Alan Boris] decided to not just bring the electronics back to life, but to even stuff a modern cellphone inside it to make it fully functional. Given the size of this phone, finding room for the new innards wasn’t much of a challenge. In fact, after the retrofit there was less in the phone than when it started life.

Using a perfboard and some tactile switches he was able to sense the button presses on the phone’s keypad and relay those to a Raspberry Pi Pico 2. The Pico in turn drove a small color LCD to replicate the original screen and controlled a pair of ADG729 boards used to dial the BM10 cellphone within this cellphone. The BM10 is a cellphone about the size of a 9V battery, making it easy to put inside the DynaTAC and bring the handset back to the modern cellular network.

Thanks [Alan Boris] for the tip! Be sure to check out our other cellphone hacks as well as some of our other retrofit hacks.

youtube.com/embed/6bUMHgfxNoo?…

hackaday.com/2026/03/13/no-mor…

Join Hackaday Editors Elliot Williams and Tom Nardi as they cover their favorite hacks and stories from the week. The episode kicks off with some updates about Hackaday Europe and the recently announced Green Power contest, as well as the proposal of a new feature of the podcast where listeners are invited to send in their questions and comments. After the housekeeping is out of the way, the discussion will go from spoofing traffic light control signals and the line between desktop computers and smartphones, all the way to homebrew e-readers and writing code with chocolate candies. You’ll hear about molding replacement transparent parts, a collection of fantastic tutorials on hardware hacking and reverse engineering, and the recent fireball that lit up the skies over Germany. The episode wraps up with a fascinating look at how the developer of Pokemon Go is monetizing the in-game efforts of millions of players.

Check out the links below if you want to follow along, and as always, tell us what you think about this episode in the comments!

html5-player.libsyn.com/embed/…

Download this episode in DRM-free MP3 so you can listen to it while doing unpaid labor in Pokemon Go.

Where to Follow Hackaday Podcast

Places to follow Hackaday podcasts:

• iTunes
• Spotify
• Stitcher
• RSS
• YouTube
• Check out our Libsyn landing page

News:

• 2026 Hackaday Europe Call For Participation: We Want You!
• Get Your Green Power On!

What’s that Sound?

• Think you know that sound? Fill out the form for a chance to win!

Interesting Hacks of the Week:

• Spoofing An Emergency Traffic Preemption Signal
• Hands On With Creality’s New M1 Filament Maker
  
  • ERRF 22: Recreator 3D Turns Trash Into Filament

  
  

• DIY 3D Pen Is Born To Weld
• Are We Finally At The Point Where Phones Can Replace Computers?
  
  • Smartphone Hackability, Or, A Pocket Computer That Isn’t
  • Google Will Require Developer Verification Even For Sideloading

  
  

• Power Control For A Busy Workbench
• Calculator Case To Scratch-Built Pocket E-Reader

Quick Hacks:

• Elliot’s Picks:
  
  • Building A Class 100 Semiconductor Cleanroom Inside A Shed
  • The Sweetest Programming Language: MNM
  • A Rotary Dial The 3D Printed Way

  
  

• Tom’s Picks:
  
  • Reverse-Engineering The Bluetooth Fichero Thermal Label Printer Protocol
  • Clear Resin Casting Replicates Old Acrylic For Selectric Repair
  • Take A Ride On Wrongbaud’s Hardware Hacking Highway

  
  

Can’t-Miss Articles:

• German Fireball’s 15 Minutes Of Fame
  
  • The Moon Is Safe, For Now: No Collision In 2032 After All
  • The Solar System Is Weirder Than You Think
  • Accidental Climate Engineering With Disintegrating Satellites

  
  

• Pokemon Go Had Players Capturing More Than They Realized

hackaday.com/2026/03/13/hackad…

After the previous attempt of running a PC off AA cells got a lot of comments, [ScuffedBits] decided to do the scientifically responsible thing and re-ran the experiment with all the peer-reviewed commentary in mind. Although we noted with the previous experiment that only alkaline cells were used, [ScuffedBits] rectified this by stating that both carbon and alkaline AA cells were used the first time around.

For this second experiment a number of changes were made, though still both carbon and alkaline cells were put into the mix. To these a third string was added, consisting of NiMH cells, for a total of 64 cells with each of the three strings outputting around 25 VDC when fully charged. These fed a cheap buck regulator module to generate the 12 VDC for the DC-DC converter on the mainboard’s ATX connector.

Although it appears that the same thin Cat-5e-sourced wiring was used, with the higher voltage this meant a lower current, making it significantly less sketchy. Unlike with the first experiment, this time around the Core i3 530 based PC could run much longer and even boot off the DIY battery pack. After a quick game and pushing through a Cinebench run for 64 Watts maximum power usage, it turned out that there was still plenty of time for more fun activities, such as troubleshooting Minecraft and even playing it.

After a total runtime of 33 minutes and 19 seconds the voltage finally dropped too low to continue. A quick check of cells in each string, it turned out that the carbon cells were the most drained with significant terminal voltage drop. The alkaline cells had been pushed down to a level where they could still probably run a wall clock, but the NiMH cells showed a healthy 1.2 V, meaning that a fully NiMH battery pack could go a lot longer.

This probably isn’t too surprising when we look at the history of battery packs in laptops, where NiCd quickly got pushed out by NiMH-based packs for having significantly higher power density and none of the problems with recharging and disposal. Even today 1.5 V Li-ion-based AA cells do not have significantly more capacity than NiMH AA cells, making this chemistry still very relevant today. Even if you’re not trying to build your own battery pack for running a desktop PC off.

youtube.com/embed/gjh34YvYS-c?…

hackaday.com/2026/03/13/runnin…

When Friday the Thirteenth and Patch Tuesday happen on the same week, we’re surely in for a good time.

Anyone who maintains any sort of Microsoft ecosystem knows by now to brace for impact come Patch Tuesday; March brings the usual batch of “interesting” issues, including:

• Two high-risk Microsoft Office vulnerabilities (CVE-2026-26110 and CVE-2026-26113), both of which allow execution of arbitrary code with no user interaction other than opening a hostile file. Vulnerabilities like these are especially dangerous in environments where transferring Office documents is considered normal, such as (unsurprisingly) offices, but also for home users who may not be savvy enough to avoid opening hostile files. Arbitrary code execution allows the attacker to run essentially any commands the user would be able to run themselves, typically leveraging it to install remote access or keyboard logging malware.
• Excel gets a different vulnerability, CVE-2026-26144, which allows leaking of data through a cross-site scripting vulnerability. Coupled with CoPilot Agent, this can be used to leak contents of spreadsheets, again with no direct user interaction.

On the server and container side, this month includes a fairly typical collection of patches for SQL Server, and vulnerabilities in the Microsoft-hosted device pricing and payment orchestrator services, which have been automatically patched by Microsoft.

When it’s Time to Replace Old Gear

We all love getting every ounce of usability from our old gear, but sometimes enough is enough – at least with the stock firmware. The FBI has issued a warning about decommissioning end-of-life routers made by several large companies, with eleven Linksys and one Cisco branded routers being specifically called out for vulnerabilities under active exploitation.

A notice such as this that an exploit is under active exploitation means that a theoretical vulnerability has been commoditized into specific attacks, typically used against all devices accessible from the Internet. It’s generally safe to assume that at this point, if a vulnerable device is exposed to the Internet, it’s been compromised.

The FBI notice doesn’t call out the specific vulnerabilities used, however there’s a wide variety to pick from:

• CVE-2025-60690 is a simple buffer overflow allowing code execution from parameters passed to the web UI.
• CVE-2025-60692 is a buffer overflow allowing arbitrary code execution from the local network via control of entries in /proc/net/arp – unlikely to be used for a remote compromise, but still amusing.
• CVE-2025-60694 and CVE-2025-60693 are both additional stack overflow and code execution from web bugs, which sets a real pattern for the quality of the webserver in the stock firmware.
• CVE-2025-60689, CVE-2025-60691 and CVE-2025-34037 however appear to be the most likely culprits, both allowing arbitrary execution on the router without authentication, with CVE-2025-34037 rated a full 10/10 on the vulnerability scale and explicitly mentioning being used to deploy worm firmware.

Once an attacker is inside your router, the possible havoc they might cause is extensive:

• Redirecting requests to malicious or fake websites by taking control of the DNS or rewriting requests at other layers.
• Exposing systems on your private network – such as less secured IoT devices or other local devices with weak internal passwords – to the attackers.
• Using your Internet connection to perform other attacks or pivots. Installing proxies on home equipment is a common method used for international attackers to appear as a normal home user in a target country.
• Reselling your Internet access. Ever wonder how “free” VPN apps are able to offer access in random countries? Often an international VPN is just an infected home user!
• Adding you to a botnet. Some of the largest distributed denial of service (DDoS) attacks have been carried out not by systems with huge bandwidth, but by tens of thousands (or more) of comrpomised small home routers, cameras, and other IoT type devices acting together.

If you have a Linksys E1200, E2500, E1000, E4200, E1500, E3000, E3200, E1550, WRT320N, WRT160N, WRT310N, or a Cisco M10 router still in use, the time is now to finally upgrade it – or at least explore the options of third-party firmware like OpenWRT. Unfortunately, many of these devices are so old that even OpenWRT may have difficulty running well on them, but all the more reason to update to something a little newer!

State-level Exploits in the Wild

In a pattern which should be familiar to anyone who had to deal with the leak of the Eternal Blue exploit as part of a dump of tools from the NSA which later evolved into the Wannacry and NotPetya global ransomware campaigns, another government-backed exploit toolkit has been captured and converted to a more generic criminal exploit.

Google Threat Intelligence documents the “Coruna” exploit kit, a rare public example of an attack against iPhones from iOS 13 to iOS 17.2.1. Often we see “advanced attack methods” or “targeted specific attacks” in release notes; rarely do we get further insight into the actual attacks!

Evolving from a government-backed tool to a financial crimeware exploit deployed widely to steal cryptocurrencies is interesting on its own, but perhaps the most fascinating aspect is the insight into how difficult modern exploits can be. Coruna combines 23 exploits into 5 chained attacks to be able to actually execute code from a web page. The final payload of the exposed version doesn’t deliver a spy payload, but instead focuses on cryptocurrency: searching for QR codes on disk to discover wallet addresses and saved recovery keys, wallet recovery phrases, and mentions of bank accounts, and leveraging those to steal cryptocurrency.

In true Google fashion, they’ve published indicators of compromise (IOCs) to inspect if a device has been attacked and a map of the control domains. Additional work deobfuscating the attacks and payloads can be found on GitHub here.

More Government Warnings

The US Government Cyber Defense Agency (CISA) has added additional warnings to the Known Exploited Vulnerabilities database (KEV) database. The KEV attempts to distill the torrent of security issues assigned a CVE into the most actionable vulnerabilities which have been observed being used in the wild. CISA advises not only federal and government agencies, but offers guidance for businesses of all sizes.

Many vulnerabilities on the KEV already have fixes. Paradoxically, this can sometimes make a vulnerability higher risk. Attackers have two advantages: a patch to reverse engineer to discover the exact mechanisms to trigger the flaw, and a motivation to use any exploits on a massive scale, knowing that the window of opportunity is about to close. Most of these vulnerabilities will likely be of interest mostly to readers who are in the enterprise space, but the first one regarding Android is a good reminder to everyone that the KEV isn’t just for giant companies.

As for the latest known exploited issues:

• CVE-2026-21385 sounds very boring – an integer overflow in Qualcomm graphics drivers – except that those chipsets and drivers are found in a huge percentage of Android phones, tablets, set-top boxes, and likely more than a few smart TVs. This fix is bundled into the March Android security release and may prove critical. Remember to keep your devices up to date!
• CVE-2026-22719 is a patched vulnerability in VMWare enterprise software (Aria Operations, specifically); if you need to care about enterprise-scale VMWare, you’ll care about this one!
• CVE-2021-22054 resurfaces from 2021, again in VMWare enterprise consoles. The number of unpatched systems exposing a vulnerability from 2021 must be quite scary.
• CVE-2025-26399 is a vulnerability in SolarWinds help desk sofware, which is a return of a bug not fully fixed in CVE-2024-28988. Which is, itself, the return of a bug not fully fixed in CVE-2024-28986. Look, bug fixing can be hard.
• CVE-2026-1603 is an authentication bypass in Ivanti Endpoint Manager which allows access to stored credential secrets. Ivanti is an endpoint and device management system, used for monitoring, patching, upgrading, and controlling access on corporate device fleets.

Phrack Calls for Papers

The venerable Phrack has an open call for papers to be contributed to the summer issue. Released since 1985, Phrack has been a font of telecom and computer security hackery, including the critical “Smashing the Stack for Fun and Profit”, one of the first explanations of the now-ubiquitous buffer overflow and stack smashing attack.

If you think you’ve got something to contribute, or just want to check out their awesome retro demo scene loading page and some back issues, head over to the Phrack website.

hackaday.com/2026/03/13/this-w…

Most people love arcade games, but putting a full-sized arcade cabinet in the living room can lead to certain unpleasant complications. Ergo the market for fun-sized cabinets has exploded alongside the availability of cheap SBCs and MCUs that can run classical arcade titles. Microcontrollers like the ESP32 with its dual 240 MHz cores can run circles around the CPU grunt of 1980s arcade hardware. Cue [Till Harbaum]’s Galagino ESP32-based arcade emulator project, that recently saw some community versions and cabinet takes.

There was a port to the PlatformIO framework by [speckhoiler] which also added a few more arcade titles and repurposed the enclosure of an off-the-shelf ‘My Arcade’ by stuffing in an ESP32-based ‘Cheap Yellow Display‘ (CYD) board instead. These boards include the ESP32 module, a touch display, micro SD card slot, sound output, and more; making it an interesting all-in-one solution for this purpose.

Most recently [Davide Gatti] and friends ported the Galagino software to the Arduino platform and added a 3D printed enclosure, though you will still need to source a stack of parts which are listed in the bill of materials. What you do get is a top display that displays the current game title in addition to the display of the usual CYD core, along with an enclosure that can be printed both in single- or multi-color.

There’s also a build video that [Davide Gatti] made, but it’s only in Italian, so a bit of a crash course in this language may be required for some finer details.

youtube.com/embed/Nz3LRrY3Ukw?…

Thanks to [ZT] for the tip.

hackaday.com/2026/03/11/mini-m…

ArcaOS is an operating system you might not have heard of, but you will recognize it when we tell you that it’s the direct descendant of IBM’s OS/2. It’s just received a major update, and delivers this persuasive argument for its uptake:

“How about a commercial operating system which doesn’t spy on you, does not report your online activity to anyone, and gives you complete freedom to choose the applications you want to use, however you want to use them?”

We’re guessing that a higher-than-average number of Hackaday readers use open-source operating systems, but in a world in which the commercial OS everyone loves to hate is ever more turning the Play button into the Pay button, we have to admit that’s attractive if you pay for your software.

This update, version 5.1.2, brings support for the very latest UEFI systems to the table, keeping the platform alive in a manner we’d never have guessed would happen back in the 1990s. It’s true it’s a 32-bit system rather than 64-bit, and you’d be unlikely to buy it for your high-end gaming machine, but we remember OS/2 Warp back in the day as being very nice indeed and particularly stable. We’re interested enough to have put in a cheeky request for a review ISO, so should that come off we’d love to give it the Jenny’s Daily Drivers treatment.

ArcaOS has been mentioned here before. Do any of our readers encounter it in your daily lives? We’d love to hear in the comments.

hackaday.com/2026/03/13/os-2-n…