There are (probably) less than two dozen fundemental constants that define the physics of our universe. Determining the value of them might seem like the sort of thing for large, well funded University labs, but many can be determined to reasonable accuracy on the benchtop, as [Marb’s Lab] proves with this experiment to find the value of Planck’s Constant.

[Marv’s Lab] setup is on a nice PCB that uses a rotary switch to select between 5 LEDs of different wavelengths, with banana plugs for the multi-meter so he can perform a linear regression on the relation between energy and frequency to find the constant. He’s also thoughtfully put connectors in place for current measurement, so the volt-current relationship of the LEDs can be characterized in a second experiment. Overall, this is a piece of kit that would not be out of place in any high school or undergraduate physics lab.

To use this to determine Planck’s constant, you need to use Planck’s relation for the energy of a photon:

E = hf

Get some Energies (E), get some energies (f), and bam! You can generate a value for h, Planck’s constant. The energies? Well, that’s a very easy measurement, but it requires some understanding of how LEDs work. [Marb] is simply measuring the voltage needed to just barely light the LED of a given frequency. (For frequency, he’s relying on the LED datasheets.) That translates to the energy of the photon because it corresponds to the energy (in electron volts) required to jump electrons over the bandgap of the semiconductor in the LED– that’s how the light is generated. Those photons will have the energy of the gap, in theory.

In practice, the LEDs do not emit perfectly monochromatic light; there’s a normal distribution centered on the color they’re “supposed” to be, but it is fairly tight. That’s probably why is able to [Marv] get to within 5% of the canonical value, which is better than we’d expect.

This isn’t the first time we’ve determined plank’s constant; it’s quite possible to get to much higher accuracy. The last time we featured this particular technique, the error was 11%.

youtube.com/embed/P9X2qtBVRxA?…

hackaday.com/2025/05/17/determ…

Solder fumes are not nice on the lungs; nor are fumes from superglue, epoxy, or a whole mess of other things we often find ourselves using on the bench. Some people might be able to go the fume hood route to toss that all outside, but for the rest of us, there’s fume extractors. [Raph] has produced an extra-large, carbon-filtering, two-stage fume extractor that by all accounts really sucks — it is effective at hoovering up solder fumes up to 10″ from its inlet.
Note the 18V tool battery in the base. That’ll go for a bit.
Even better, [Raph] built a battery box for an 18 V cordless tool battery, and broke out banana plugs so this doubles as a variable power supply via a cheap LM2596 based DC-DC converter. It also serves as a speed controller for the fans, which makes us wonder if you can adjust the PSU output and the fan speed independently…

Maximum suckage is achieved through careful baffle design. Check out the blog to see the trial-and-error process at work. Of course, having a 200 mm axial fan and 140 mm blower fan front and rear is going to move some air no matter what. Which is required to get air flow through the 38 mm thick activated carbon filter that should scrub all nasties quite nicely. We aren’t filtration experts but we can agree with [Raph]’s estimate that it will last “a while”.

If you want to roll your own, all of the STEP files are on GitHub, and [Raph]’s blog has an excellent step-by-step build guide. We’ve seen other hacks from [Raph] before, from his dovetailed modular breadboard to the machine that shaped his bed and automation for his camper van.

hackaday.com/2025/05/17/this-e…

An intriguing mouth-played instrument emerged—and won—at the 2023 Guthman Musical Instrument Contest hosted by Georgia Tech. [Keith Baxter] took notice and reproduced the idea for others to explore. The result is the Zen Flute Mouth Theremin, a hybrid of acoustics, electronics, and expressive performance.

At its core lies a forced Helmholtz resonator, a feedback system built with a simple microphone and speaker setup. The resonator itself? The user’s mouth. The resulting pitch, shaped by subtle jaw and tongue movements, is detected and used to drive a MIDI controller feeding an external synthesizer.

Like a trombone or classic electromagnetic theremin, the Zen Flute doesn’t rely on discrete notes. Instead, the pitch is bent manually to the desired frequency. That’s great for expression, but traditional MIDI quantisation can map those “in-between” notes to unexpected semitones. The solution? MIDI Polyphonic Expression (MPE). This newer MIDI extension allows smooth pitch transitions and nuanced control, giving the Zen Flute its expressive character without the hiccups.

Physically, it’s an elegant build. A flat speaker and microphone sit side-by-side at the mouth end, acoustically isolated with a custom silicone insert. This assembly connects to a length of clear PVC pipe, flared slightly to resemble a wind instrument. Inside, a custom PCB (schematic here) hosts a mic preamp, an audio power amp, and a Teensy 4.1. The Teensy handles everything: sampling the mic input, generating a 90-degree phase shift, and feeding it back to the speaker to maintain resonance. It also detects the resonant frequency and translates it to MPE over USB. A push-button triggers note onset, while a joystick adjusts timbre and selects modes. Different instrument profiles can be pre-programmed and toggled with a joystick click, each mapped to separate MIDI channels.

Mouth-controlled instruments are a fascinating corner of experimental interfaces. They remind us of this Hackaday Prize entry from 2018, this wind-MIDI hybrid controller, and, of course, a classic final project from the Cornell ECE4760 course, a four-voice theremin controlled by IR sensors.

youtube.com/embed/4GKWIpESRjg?…

hackaday.com/2025/05/17/zen-fl…

On the podcast, [Tom] and I were talking about the continuing saga of the libogc debacle. [Tom] has been interviewing some of the principals involved, so he’s got some first-hand perspective on it all – you should really go read his pieces. But the short version is that an old library that many Nintendo game emulators use appears to have cribbed code from both and open-source real-time operating system called RTEMS, and the Linux kernel itself.

You probably know Linux, but RTEMS is a high-reliability RTOS for aerospace. People in the field tell me that it’s well-known in those circles, but it doesn’t have a high profile in the hacker world. Still, satellites run RTEMS, so it’s probably also a good place to draw inspiration from, or simply use the library as-is. Since it’s BSD-licensed, you can also borrow entire functions wholesale if you attribute them properly.

In the end, an RTOS is an RTOS. It doesn’t matter if it’s developed for blinking LEDs or for guiding ICBMs. This thought got [Tom] and I to thinking about what other high-reliability open-source code is out there, hidden away in obscurity because of the industry that it was developed for. NASA’s core flight system came instantly to mind, but NASA makes much of its code available for you to use if you’re interested. There are surely worse places to draw inspiration!

What other off-the-beaten-path software sources do you know of that might be useful for our crowd?

This article is part of the Hackaday.com newsletter, delivered every seven days for each of the last 200+ weeks. It also includes our favorite articles from the last seven days that you can see on the web version of the newsletter. Want this type of article to hit your inbox every Friday morning? You should sign up!

hackaday.com/2025/05/17/open-s…

If you’ve ever looked at widgets on your iPhone, you’ve probably noticed they’re largely static, save for a few first-party apps. By and large, third party developers are not supposed to be able to animate them. However, [Bryce Bostwick] found a workaround.

You might be confused as to the idea of animated widgets, but it’s quite simple. For example, think of a clock app with a widget in which the hands always display the current time, or a calendar app with an icon that shows the current date. Apple’s own apps have long been able to do this, but the functionality has mostly been locked out for third parties.

One way to get around this limitation is by using a timer feature baked into the widget functionality. The timer tool is one of the few ways that third-party apps are allowed to do animation. By running a timer with a custom font, you can display various graphical elements instead of numbers counting down to create a hacky animation that updates every second.

However, there are even more advanced techniques that can get you faster, smoother animations. [Bryce] breaks down the private techniques used to rotate the clock hands on Apple’s own widget, and how to use those tools for your own purposes. It takes some sneaky Xcode tricks and a bit of math to make it fully flexible for doing arbitrary animations, but it works surprisingly well.

Will this backdoor last ? Well, Apple is always updating and changing iOS and its associated software, so don’t expect it to work forever.

youtube.com/embed/NdJ_y1c_j_I?…

Thanks to [gnif] for the tip!

hackaday.com/2025/05/17/animat…

I dati che inserisci dentro i social network sono cibo per le intelligenze artificiali.

L’ONG austriaca per la protezione dei dati noyb (non sono affari tuoi) ha inviato una lettera alla sede irlandese di Meta chiedendole di interrompere immediatamente la raccolta dei dati degli utenti per addestrare modelli di intelligenza artificiale senza esplicito consenso. Se le richieste verranno ignorate, gli attivisti per i diritti umani hanno minacciato una class action da parte degli utenti dell’UE.

Il motivo era l’iniziativa di Meta di utilizzare dati pubblici di utenti adulti di Facebook e Instagram nell’Unione Europea per addestrare i suoi modelli di intelligenza artificiale. L’inizio della campagna è previsto per il 27 maggio 2025. L’azienda aveva già tentato di attuare una pratica simile nel giugno 2024, ma è stata costretta a sospenderla a causa delle richieste dell’autorità irlandese per la protezione dei dati.

Secondo noyb, invece di chiedere il consenso volontario degli utenti (opt-in), Meta fa riferimento a un “interesse legittimo” e offre solo la possibilità di rinunciare, e solo in forma limitata: solo prima dell’inizio del processo di addestramento dell’IA. Tuttavia, secondo gli attivisti, la procedura di opt-out non è trasparente e viola le disposizioni del Regolamento generale sulla protezione dei dati (GDPR).

L’organizzazione ha inoltre sottolineato che anche se solo il 10% degli utenti accettasse di fornire i propri dati, ciò sarebbe sufficiente per addestrare modelli linguistici per tutte le lingue dell’Unione Europea. Meta, da parte sua, afferma di raccogliere i dati per “riflettere la diversità linguistica, geografica e culturale della regione” nei suoi prodotti di intelligenza artificiale. Tuttavia, secondo noyb, tali spiegazioni non fanno altro che mascherare l’estrazione di massa di dati con il pretesto del progresso tecnologico.

noyb ha notato che Meta sta ancora una volta entrando in conflitto diretto difendendo ostinatamente il diritto all’uso “silenzioso” dei dati. Si sottolinea inoltre che altri sviluppatori di intelligenza artificiale riescono a fare a meno di raccogliere dati degli utenti dai social network e comunque creano modelli di qualità superiore. In una dichiarazione, Meta ha respinto le affermazioni di noyb, affermando di aver fornito agli utenti dell’UE una “chiara” opportunità di opporsi all’uso dei loro dati. L’azienda sostiene di operare nel rispetto della legge e di non violare il GDPR.

Tuttavia, vale la pena ricordare che Meta ha già dovuto affrontare accuse simili. Nell’agosto 2023, l’azienda ha accettato di modificare la base giuridica per la raccolta di dati a fini pubblicitari mirati, passando dal “legittimo interesse” al consenso dell’utente. La decisione è stata presa sotto la pressione delle autorità di regolamentazione europee preoccupate per le violazioni dei diritti digitali.

Sulla scia del conflitto Meta, cresce l’attenzione verso gli aspetti legali dell’elaborazione dei dati. Una recente sentenza della Corte d’appello belga ha stabilito che il Transparency and Consent Framework, ampiamente utilizzato in Europa da Google, Microsoft, Amazon e altri per ottenere il consenso degli utenti per la pubblicità mirata, è illegale. Il tribunale ha evidenziato la non conformità agli standard del GDPR e la violazione dei principi di trasparenza.

Nel frattempo, secondo noyb, le autorità di regolamentazione nazionali dell’UE rimangono in silenzio sulla questione dell’utilizzo dei dati dei social media per addestrare l’intelligenza artificiale senza esplicito consenso. Questo, secondo gli attivisti, consente a Meta di attuare i suoi piani senza ostacoli, nonostante le possibili conseguenze legali e la violazione dei diritti di milioni di utenti.

L'articolo L’ONG noyb contro Meta: “Basta addestrare l’IA coi dati degli utenti europei” proviene da il blog della sicurezza informatica.

The hack we have for you today is among our most favorite types of hack: a good, honest, simple, and well documented implementation that meets a real need. Our hacker [Solo Pilot] has sent in a link to their basement monitor.

The documentation is quite good. It’s terse but comprehensive with links to related information. It covers the background, requirements, hardware design, sensors, email and SMS alerts, software details, and even has some credits at the end.

Implementing this project would be a good activity for someone who has already made an LED flash and wants to take their skills to the next level by sourcing and assembling the hardware and then configuring, compiling, deploying, and testing the software for this real-world project.

To make this project work you will need to know your way around the Arduino IDE in order to build the software from the src.zip file included with the documentation (hint: extract the files from src.zip into a directory called AHT20_BMP280 before opening AHT20_BMP280.ino and make sure you add necessary boards and libraries).

One feature of the basement monitor that we would like to see is a periodic “everything’s okay” signal from the device, just so we can confirm that the reason we’re not getting an alarm about flooding in the basement is because there is no flood, and not because the battery ran dead or the WiFi went offline.

If you’ve recently started on your journey into where electronics meets software a project such as this one is a really great place to go next. And of course once you are proficient with the ESP8266 there are a thousand such projects here at Hackaday that you can cut your teeth on. Such as this clock and this fault injection device.

hackaday.com/2025/05/17/making…

All’inizio di questo mese, è stato segnalato su Windows 11 24H2 un bug di sicurezza che ha portato alla perdita di dati da parte di utenti ignari. Tuttavia, i problemi di BitLocker hanno ora colpito anche Windows 10. In seguito agli ultimi aggiornamenti del Patch Tuesday rilasciati all’inizio di questa settimana per il mese di maggio 2025 (KB5058379/ KB5058392/ KB5058383/ KB5058387), gli utenti segnalano che i loro sistemi visualizzano la schermata di ripristino di BitLocker al riavvio dopo l’installazione.

Il problema è diffuso tra gli OEM hardware, poiché gli utenti Lenovo, Dell e HP segnalano tutti lo stesso problema. Si tratta di un bug che colpisce i PC aziendali gestiti tramite Intune, WSUS e SCCM ed è il secondo bug importante correlato alle aziende a colpire tali dispositivi questo mese, dopo il precedente che ha bloccato l’aggiornamento di Windows 11 2024 sui dispositivi 22H2/23H2.

Un utente mersongeorge su un forum Microsoft ha aperto una discussione intitolata “13 maggio – KB5058379 Windows 10 causa danneggiamenti e gli endpoint richiedono la chiave BitLocker…”. L’utente descrive il problema così: “L’ultimo aggiornamento di qualità KB5058379 , rilasciato il 13 maggio, non funziona sui dispositivi Windows 10. In alcuni dispositivi, causava l’attivazione della finestra della chiave BitLocker dopo il riavvio. L’aggiornamento sembra comunque fallire. Alcuni dispositivi si bloccano in un ciclo di riavvii. Questo problema riguarda principalmente i dispositivi gestiti da Intune. Lenovo Thinkpad. In alcuni casi, la tastiera viene disabilitata e l’utente non riesce a passare la chiave BitLocker.”

Fortunatamente, Microsoft è a conoscenza del bug presente nell’aggiornamento KB5058379 e di come questo causi loop di riavvio, errori di aggiornamento e richieste di ripristino di BitLocker. L’azienda ha anche fornito una soluzione alternativa. Il problema è stato convalidato sui modelli Dell Precision 5570 e 5680 basati su Intel. Un utente Callum Hargreaves2 sullo stesso thread lo ha confermato. L’azienda ha suggerito che il problema sia correlato alla tecnologia Trusted Execution Technology (TXT) di Intel, ma sono in corso ulteriori indagini. Pertanto, disabilitare la funzionalità TXT nel BIOS potrebbe potenzialmente risolvere il problema. L’utente ha scritto quanto segue:

Prossimi passi e raccomandazioni:

• Continua a tenere sospesi i dispositivi interessati con l’installazione degli aggiornamenti.
• Per i dispositivi già interessati e che necessitano del ripristino di BitLocker, la misura provvisoria consigliata è l’applicazione della chiave di ripristino e il ripristino dell’aggiornamento come descritto.
• Un’altra possibile soluzione alternativa è la disattivazione di TXT nel BIOS, ma, come hai notato, potrebbe richiedere l’intervento di personale remoto e non è la soluzione ideale per distribuzioni di grandi dimensioni.
• Microsoft sta lavorando per documentare il problema su Windows Release Health e MicrosoftPortali del Centro di amministrazione 365; gli aggiornamenti saranno forniti non appena saranno disponibili nuove informazioni.

Per chi non lo sapesse, Intel TXT è una funzionalità di sicurezza integrata nei processori e nei chipset Intel. Aiuta a proteggere i computer dagli attacchi software garantendo che le applicazioni vengano eseguite in uno spazio sicuro e isolato. TXT utilizza la sicurezza basata su hardware per proteggere i dati e integra funzionalità come Intel PTT (o comunemente chiamato TPM) e Secure Boot.

L'articolo Lenovo, Dell, HP bloccati dal bug BitLocker di Windows: ecco cosa sta succedendo proviene da il blog della sicurezza informatica.

Microsoft ha iniziato a licenziare circa 6.000 dipendenti martedì, quasi il 3% della sua forza lavoro globale, nel più grande ciclo di tagli di posti di lavoro degli ultimi due anni. La decisione arriva mentre il colosso della tecnologia raddoppia gli investimenti nell’intelligenza artificialee mira a semplificare le operazioni riducendo i livelli di gestione.

Tra le persone colpite c’era Gabriela de Queiroz, Direttore dell’IA di Microsoft. De Queiroz ha condiviso un sentito messaggio su LinkedIn, esprimendo la sua tristezza e il suo shock per essere stata licenziata, nonostante il suo importante contributo all’azienda.

I licenziamenti riguardano dipendenti di tutti i team, livelli e aree geografiche; sono già stati emessi avvisi di licenziamento. Nonostante abbia registrato ricavi e profitti elevati per il trimestre gennaio-marzo, superando le aspettative di Wall Street, Microsoft si è unita ad altre importanti aziende tecnologiche nel tagliare posti di lavoro a causa della crescente incertezza economica. Di seguito la traduzione del post su Linkedin di Gabriela de Queiroz, Direttore dell’IA di Microsoft.
💔 Notizia agrodolce da condividere: sono stato colpito dall'ultimo round di licenziamenti di Microsoft.

Me lo aspettavo? Forse.

Al giorno d'oggi, non importa quanto duramente lavori, quanto sostieni la tua azienda o quanti risultati e visibilità porti, che si tratti di aiutare Microsoft a diventare un nome di fiducia tra le startup di intelligenza artificiale o di promuovere iniziative per renderla un posto migliore in cui lavorare per centinaia di persone, niente di tutto ciò ti rende immune alla ristrutturazione.

Sono triste? Assolutamente. Ho il cuore spezzato nel vedere così tante persone di talento con cui ho avuto l'onore di lavorare essere lasciate andare. Queste sono persone che si sono preoccupate profondamente, sono andate ben oltre e hanno davvero fatto la differenza. 💙

Ma se mi conoscete, sapete che guardo sempre il lato positivo. ✨

Sono un ottimista nel cuore. Questo non è cambiato. Il mio sorriso, la mia gratitudine, la mia convinzione che ogni giorno è un dono: tutto questo è ancora qui.

Ci è stato chiesto di interrompere immediatamente il lavoro e di fissare un'assenza dall'ufficio. Ma ho scelto di rimanere un po' più a lungo, presentandomi alle riunioni, salutandomi, impacchettando quello che potevo. Mi sembrava giusto.

Qual è il prossimo passo? Non lo so ancora. È troppo presto per dirlo. Ma confido che ne verrà fuori qualcosa di buono.

A coloro che ne sono stati colpiti: non siete soli. Siamo almeno in 6.000.

E a coloro che ci hanno contattato, grazie. La tua gentilezza significa tutto in questo momento. ❤️
Ha rivelato che, nonostante ai dipendenti fosse stato chiesto di interrompere immediatamente il lavoro, lei ha scelto di rimanere brevemente per salutare e concludere le attività in corso. De Queiroz, pur mantenendo un atteggiamento ottimista, ha affermato di non sapere ancora cosa le riserva il futuro, ma di confida che dalla transizione scaturirà qualcosa di buono.

Ha anche riconosciuto l’entità dei licenziamenti e ha offerto solidarietà alle altre persone colpite: “A chi è stato colpito: non siete soli. Siamo almeno 6.000”. Microsoft non ha rilasciato dichiarazioni sui singoli licenziamenti, ma ha confermato che i tagli al personale rientrano in un più ampio processo di aggiustamento strutturale.

L'articolo Microsoft licenzia 6000 persone e la Direttrice dell’IA: “Ho dato tutto, ma non è bastato” proviene da il blog della sicurezza informatica.

There’s just some joy in an instant camera. They were never quality cameras, even in the glory days of Polaroid, but somehow the format has survived while the likes of Kodachrome have faded away. [Mellow_Labs] decided he wanted the instacam experience without the Polaroid pricing, so he made his own in the video embedded after the break.
He says “Polaroid’ but we see Game Boy.
At its core, it’s a simple project: an ESP32-CAM for the image (these were never great cameras, remember, so ESP32 is fine– and do you really get to call it an instant camera if you have to wait for a Raspberry Pi to boot up?) and a serial thermal printer for the “instant photo”part. This admittedly limits the project to black and white, and pretty low res, but B/W is artistic and Lo-Fi is hip, so this probably gives the [Mellow Labs] camera street cred with the kids, somehow. Honestly, this reminds us more of the old Gameboy Camera and its printer than anything made by Polaroid, and we are here for it.

The build video goes through the challenges [Mellow Labs] found interfacing the serial printer to the ESP32–which went surprisingly well for what looks like mostly vibe coding, though we’re not sure how much time he spent fixing the vibe code off camera–as well as a the adventure of providing a case that includes the most absurdly beefy battery we’ve ever seen on a camera. Check out the full video below.

Instant cameras are no stranger to Hackaday: this one used e-ink; this one uses film, but is made of gingerbread. In 2022 we wondered if we’d ever shake the Polaroid picture, and the answer appears to be “no” so far.

Thanks to [Mellow] for tooting his own horn by submitting this project to the tip line. We love to see what our readers get up to, so please– toot away!

youtube.com/embed/8lnDPz4QZjQ?…

hackaday.com/2025/05/16/hack-a…

We love clocks, but we especially love unusual timepieces that aren’t just about showing the hour of the day. [Simone Giertz] built a flip clock moon phase tracker for a friend.

While in Egypt for Cairo Maker Faire, [Giertz] and [dina Amin] found some old flip clocks at a flea market and had to have them. [Amin] mentioned wanting to make a moon phase tracker with one, and [Giertz] decided to try her hand at making her own version. A side quest in more comfortable flying is included with the price of admission, but the real focus is the process of figuring out how to replicate the flip clocks original mechanism in a different size and shape.

[Giertz] cut out 30 semi-circle flaps from polystyrene and then affixed vinyl cut-outs to the flaps. The instructions for the assembly suggest that this might not be the best way to do it, and that printing stickers to affix to the flaps might work better since the cut vinyl turned out pretty fiddly. We really like the part where she built a grid jig to determine the optimal placement of the beams to keep the flaps in the right position after a disheartening amount of difficulties doing it in a more manual way. Her approach of letting it rest for twenty minutes before coming back to it is something you might find helpful in your own projects.

Best of all, if you want to build your own, the files are available for the flip moon station on the Yetch website. You’ll have to come up with your own method to drive it though as that isn’t in the files from what we saw.

youtube.com/embed/-4VeoAkKFg4?…

hackaday.com/2025/05/16/moon-p…

Recently in material science news from China we hear that [Hailin Peng] and his team at Peking University just made the world’s fastest transistor and it’s not made of silicon. Before we tell you about this transistor made from bismuth here’s a whirlwind tour of the history of the transistor.

The Bipolar Junction Transistor (BJT, such as NPN and PNP) was invented by Bell Labs in 1947. Later came Transistor-Transistor Logic (TTL) made with BJTs. The problem with TTL was too much power consumption.

Enter the energy-efficient Field-Effect Transistor (FET). The FET is better suited to processing information as it is voltage-controlled, unlike the BJT which is current-controlled. Advantages of FETs include high input impedance, low power consumption, fast switching speed, being well suited to Very-Large-Scale Integration (VLSI), etc.

The cornerstone of Complementary Metal-Oxide-Semiconductor (CMOS) technology which came to replace TTL was a type of FET known as the Metal-Oxide-Semiconductor Field-Effect Transistor (MOSFET). The type of MOSFET most commonly used in CMOS integrated circuits is the Enhancement-mode MOSFET which is normally off and needs gate voltage to conduct.

A transistor’s technology generation is given with the “process node”, in nanometers (nm). This used to mean the size of the smallest feature that could be fabricated, but these days it’s just a marketing term (smaller is “better”). Planar CMOS MOSFETs were initially dominant (through ~28nm), then came SOI MOSFETs (28nm to 16nm), then FinFETs (16nm to 5nm), and now finally Gate-All-Around FETs (GAAFETs, 3nm and beyond).

All of that in order to say that this new transistor from [Hailin Peng] and his team is a GAAFET. It’s made from bismuth oxyselenide (Bi₂O₂Se) for the channel, and bismuth selenite oxide (Bi₂SeO₅) as the gate material. See the article for further details.

Keep in mind that at this point in time we only have a prototype from a lab and the gory details about how to mass-produce these things, assuming that’s even possible, haven’t yet been worked out. We have previously discussed the difficulty of manufacturing state-of-the-art transistors. If you’re interested in bismuth be sure to check out how to use bismuth for desoldering.

hackaday.com/2025/05/16/new-bi…

The Mac mini is the closest to an Apple-based SBC you can get, so it lends itself to unusual portable computers. [Scott Yu-Jan] is back to tackle a portable build using the latest and greatest M4 mini.

[Yu-Jan] walks us through his thought process of how to maximize the portability of the system without all that tedious mucking about with setting up a separate keyboard, monitor, and the mini while on the go. With the more complicated electronics, the monitor risked tipping the keyboard over when attached, particularly since [Yu-Jan] isn’t a fan of batteries for his portables.

By affixing the Mac mini to the side of the keyboard, it makes the whole thing easier to slip into a bag without being overly thick. We get a peek into his iterative process as well when he evaluates the build and decides that the closing of the lid wasn’t what he was hoping for. By adding some TPU rests for the monitor to rest on in the closed position, he says it’s really brought the whole project up a notch. We certainly have had our own projects where one little detail really moves it from sketchy to polished, and we appreciate when makers clue us in on where that happened for them.

You may recognize [Yu-Jan] from our previous coverage of his older portable all-in-one Mac mini and this luggable version where he explains why he doesn’t like laptops. If you like your computers more stationary, how about some G4 iMacs with the newer internals from an M-series mini?

youtube.com/embed/MNnpzamnX84?…

hackaday.com/2025/05/16/a-port…

Remember The Clapper? It was a home automation tool (of sorts) that let you turn appliances on and off by clapping. [Kevin O’Connor] has built something rather similar, if more terrifying. It’s called The Screamer.

The build is based around a Sonoff S31 smart switch. [Kevin] selected an off-the-shelf device because he wanted something that was safe to use with mains power out of the box. But specifically, he selected the S31 because it has an ESP8266 inside that’s easy to reprogram with the aid of ESPHome. He ended up hooking up a whole extra ESP32 with an INMP441 microphone over I2S to do the scream detection. This was achieved with a simple algorithm that looked for high amplitude noises with lots of energy in the 1000 – 4000 Hz frequency range. When a scream is detected, it flips a GPIO pin which is detected by the S31, which then toggles the state of the smart switch in turn. Job done.

It’s a simple project that does exactly what it says on the tin. It’s The Screamer! If you’d like to learn more about the original Clapper that inspired this build, we’ve looked at that before, too. Meanwhile, if you’re cooking up your own excuses to scream at the lights and walls in your home, please only notify the tipsline if it has something vaguely to do with electronics or hackery.

hackaday.com/2025/05/16/the-sc…

For a while now part of my email signature has been a quote from a Hackaday commenter insinuating that an article I wrote was created by a “Dumb AI”. You have my sincerest promise that I am a humble meatbag scribe just like the rest of you, indeed one currently nursing a sore shoulder due to a sporting injury, so I found the comment funny in a way its writer probably didn’t intend. Like many in tech, I maintain a skepticism about the future role of large-language-model generative AI, and have resisted the urge to drink the Kool-Aid you will see liberally flowing at the moment.

Hackaday Is Part Of The Machine

As you’ll no doubt be aware, these large language models work by gathering a vast corpus of text, and doing their computational tricks to generate their output by inferring from that data. They can thus create an artwork in the style of a painter who receives no reward for the image, or a book in the voice of an author who may be struggling to make ends meet. From the viewpoint of content creators and intellectual property owners, it’s theft on a grand scale, and you’ll find plenty of legal battles seeking to establish the boundaries of the field.

Anyway, once an LLM has enough text from a particular source, it can do a pretty good job of writing in that style. ChatGPT for example has doubtless crawled the whole of Hackaday, and since I’ve written thousands of articles in my nearly a decade here, it’s got a significant corpus of my work. Could it write in my style? As it turns out, yes it can, but not exactly. I set out to test its forging skill.

In Which I Meet My Digital Impostor

A couple of weeks ago I covered the news of the impending re-entry of a failed Soviet Venus mission stuck in orbit since 1972. It’s a fascinating story because the craft may survive the experience, and it’s possible that by the time you read this it might have been retrieved. I asked ChatGPT to provide me with a 200 word article on the story “in the voice of the Hackaday writer Jenny List”. Here’s what it came up with:

In the early days of the Space Race, the Soviet Union launched a bold bid to reach Venus: the Venera missions. Among them was Kosmos 482, a 1972 mission that never made it past Earth’s gravity. Now, over five decades later, its descent craft is finally coming home—with a bang.

Kosmos 482 was intended to deliver a lander to Venus, but due to a malfunction in its upper stage, it was stranded in a highly elliptical orbit around Earth. Encased in a semi-spherical titanium shell, the descent craft—designed to survive the brutal atmosphere of Venus—has been orbiting quietly, steadily losing altitude. By early May 2025, that orbit had decayed to a precarious 232 x 136 km, setting the stage for an uncontrolled reentry around May 10th.

Unlike typical space debris, Kosmos 482’s reentry carries a bit more drama. Built to endure Venus’s hellish surface, the lander is expected to survive Earth’s atmospheric plunge mostly intact. Impact predictions estimate it will hit the ground at about 65-70 m/s, roughly the speed of a meteorite, packing the punch of a 500 kg hunk of Soviet engineering.

With an orbital inclination of 51.95 degrees, it could come down anywhere between 52°N and 52°S, adding an element of unpredictability. One thing is certain: after 53 years in limbo, Kosmos 482 is finally coming back to Earth—whether we’re ready or not.

Reading it is a fascinating experience, because superficially it feels like a Hackaday piece. It has my vague style with some phrases such as “packing the punch of a 500 kg hunk of Soviet engineering“. It’s casual in its language, and it’s captured my wordiness; in contrast to the more terse style it does when for example I ask it to do the same thing in the voice of my colleague Al Williams. It fails though in several senses, I feel it doesn’t capture my sentence style and the very British way I use punctuation, it relies on far more figures than I would put in a piece, and perhaps most importantly it has no inference. It relies only on the facts it can find, indeed those figures are a sign of it overusing them, and it doesn’t go further in commenting on any likely outcomes. In my human-written version of the same piece I finished up by speculating on who would own it if retrieved, and anything of that nature is absent in its output.

Don’t Worry, Humans Still Needed

So it’s clear from the above that while it can write something which is superficially coverage of the same story in my voice when writing a Hackaday piece, it still fails at the task in hand. Where we would try to give a little introduction, background and comment to the story, it instead presents only a summary of facts it has found. The fact that it can’t infer beyond the story is reassuring, because it means we meat-based Hackaday scribes still have the edge. There are many people who will tell you to look for certain words as clues to AI-written text, but the truth is much simpler. Look for the human touch.

hackaday.com/2025/05/16/chatgp…

Join Hackaday Editors Elliot Williams and Tom Nardi as they take a whirlwind tour of the best and brightest hacks of the last week. This episode starts off with an update about that Soviet Venus lander that’s been buzzing the planet, then moves on to best practices for designing 3D printed parts, giving Chrome OS devices a new lease on life, and a unique display technology that brings a Star Wars prop to life.

You’ll also hear about designing new motherboards for beloved old computers, why you might want to put your calipers on a flatbed scanner, and a NASA science satellite that’s putting in double duty as a wartime reporter. Finally, they’ll cover the interesting physics of meteor burst communications, and the latest developments in the ongoing libogc license kerfuffle.

Check out the links below if you want to follow along, and as always, tell us what you think about this episode in the comments!

html5-player.libsyn.com/embed/…

Download in DRM-free MP3.

Where to Follow Hackaday Podcast

Places to follow Hackaday podcasts:

• iTunes
• Spotify
• Stitcher
• RSS
• YouTube
• Check out our Libsyn landing page

Episode 321 Show Notes:

News:

• Reentry prediction Soviet-era Venera Venus lander – Rocket Science
• Telegram: View @roscosmos_gk

What’s that Sound?

• Know that sound? Fill out this form for a chance to win!

Interesting Hacks of the Week:

• Best Practices For FDM Printing
  
  • Learn 15 Print-in-Place Mechanisms In 15 Minutes

  
  

• Turning A Chromebox Into A Proper Power-Efficient PC
• Let The Wookie Win With This DIY Holochess Table
  
  • Aska3D
  • A Little Optical Magic Makes This Floating Display Pop
  • What’s Inside A Neonode Laser Sensor?

  
  

• A Brain Transplant For A Philips Smart Lamp
• Tearing Down A Forgotten Video Game
  
  • Pong-Story : PONG in a Chip

  
  

• Another Old ThinkPad Gets A New Motherboard
  
  • Replacement Motherboard Brings New Lease Of Life To Classic Thinkpads
  • Revive A Sony Vaio P-Series With KiCad’s Background Bitmaps

  
  

Quick Hacks:

• Elliot’s Picks:
  
  • Move Over, Lithophane: 3D Printed 3D Photos With Gaussian Splats
  • A Single-Pixel Camera Without Moving Parts Using Compressed Sensing
  • Scan Your Caliper For Physical Part Copies

  
  

• Tom’s Picks:
  
  • Studying QR Code Degradation
  • The World’s Longest Range LED Flashlight
  • Open Source ELINT Accidentally From NASA

  
  

Can’t-Miss Articles:

• Radio Apocalypse: Meteor Burst Communications
• RTEMS Statement Deepens Libogc License Controversy
  
  • Libogc Allegations Rock Wii Homebrew Community

  
  

hackaday.com/2025/05/16/hackad…

Intuitively, you think that everything that you stretch will pull back, but you wouldn’t expect a couple of pieces of plastic to win. Yet, researchers over at [AMOLF] have figured out a way to make a mechanism that will eventually shrink once you pull it enough.

Named “Counter-snapping instabilities”, the mechanism is made out of the main sub-components that act together to stretch a certain amount until a threshold is met. Then the units work together and contract until they’re shorter than their initial length. This is possible by using compliant joints that make up each of the units. We’ve seen a similar concept in robotics.

Potentially this may be used as a unidirectional actuator, allowing movement inch by inch. In addition, one application mentioned may be somewhat surprising: damping. If a structure or body is oscillating through a positive feedback loop it may continue till it becomes uncontrollable. If these units are used, after a certain threshold of oscillation the units will lock and retract, therefore stopping further escalation.

Made possible by the wonders of compliant mechanics, these shrinking instabilities show a clever solution to some potential niche applications. If you want to explore the exciting world of compliance further, don’t be scared to check out this easy to print blaster design!

youtube.com/embed/KxtkcL0z5j0?…

Thanks to [I’m Not Real] for the tip!

hackaday.com/2025/05/16/compli…

Hacking, hacking, hacking! Al Pwn2Own non si scherza: è qui che l’élite mondiale della cybersicurezza mostra quanto sia fragile il mondo digitale. In palio? Fama, gloria… e più di un milione di dollari in premi per gli zero-day scoperti!

Nel primo giorno della competizione di hacking Pwn2Own Berlin 2025, i ricercatori sono riusciti a guadagnare 260.000 dollari dimostrando catene di vulnerabilità zero-day in Windows 11, Red Hat Linux e Oracle VirtualBox. Organizzato durante la conferenza OffensiveCon, il torneo di quest’anno si concentra sull’hacking delle tecnologie aziendali e include per la prima volta una categoria di attacchi basati sull’intelligenza artificiale.

Uno dei primi ad essere colpito è stato Red Hat Enterprise Linux for Workstations. Un membro del team di ricerca DEVCORE che utilizzava lo pseudonimo Pumpkin è riuscito a eseguire un’escalation di privilegi locali tramite un integer overflow e ha ricevuto 20.000 dollari per aver dimostrato l’exploit.

Hyunwoo Kim e Wonghee Lee hanno ottenuto risultati simili. Tuttavia, in questo tentativo, uno dei collegamenti si è rivelato essere una vulnerabilità nota (N-day), motivo per cui è stato considerato una “collisione” con un errore già documentato, piuttosto che una scoperta completa.

Anche Windows 11 è risultato vulnerabile. Chen Le Qi di STARLabs SG ha ricevuto 30.000 $ per aver aumentato con successo i privilegi a SYSTEM tramite una catena use-after-free e un integer overflow. Il sistema è stato compromesso altre due volte: Marcin Wiązowski ha sfruttato un bug di scrittura fuori limite e Hyunjin Choi ha dimostrato un attacco di type confusion.

Il Team Prison Break ha dato un contributo significativo all’ammontare delle ricompense. Sono riusciti a uscire dall’isolamento di Oracle VirtualBox e ad eseguire codice arbitrario sul sistema host utilizzando un integer overflow, guadagnando 40.000 dollari. Questa direzione è tradizionalmente considerata difficile, poiché richiede non solo il superamento della sandbox, ma anche un controllo affidabile dell’esecuzione sul sistema operativo sottostante.

Inoltre, il primo giorno di gara, sono stati hackerati degli strumenti di intelligenza artificiale. Sina Heirhach del Summoning Team ha ricevuto 35.000 dollari per aver sfruttato una vulnerabilità zero-day in Chroma e un bug noto in Nvidia Triton Inference Server. Billy e Ramdhan, membri di STARLabs SG, hanno impiegato 60.000 dollari per uscire da Docker Desktop ed eseguire codice sull’host sfruttando una vulnerabilità di tipo use-after-free.

Classifica TOP-5 del primo giorno di gara ( Trend Zero Day Initiative )

L’hackathon durerà fino al 17 maggio e il secondo giorno i partecipanti tenteranno di compromettere Microsoft SharePoint, VMware ESXi, Mozilla Firefox, Oracle VirtualBox e Red Hat Linux. Tutti i prodotti vengono tenuti aggiornati, il che sottolinea l’importanza di ogni 0day che viene dimostrato. I produttori hanno 90 giorni di tempo per rilasciare gli aggiornamenti dopo che le vulnerabilità sono state ufficialmente divulgate.

In totale, a Berlino 2025 sono in palio più di un milione di dollari. Le categorie di attacco non riguardano solo browser e virtualizzazione, ma anche applicazioni aziendali, infrastrutture cloud, automobili e intelligenza artificiale. Sebbene nell’elenco degli obiettivi figurino anche le unità di prova Tesla Model 3 (2024) e Model Y (2025), finora non è stato registrato alcun tentativo di attacco contro di esse.

L'articolo Pwn2Own Berlin 2025: Windows, Linux e Virtualbox cadono miseramente in un giorno. Ed è solo l’inizio proviene da il blog della sicurezza informatica.

Spectre lives. We’ve got two separate pieces of research, each finding new processor primitives that allow Spectre-style memory leaks. Before we dive into the details of the new techniques, let’s quickly remind ourselves what Spectre is. Modern CPUs use a variety of clever tricks to execute code faster, and one of the stumbling blocks is memory latency. When a program reaches a branch in execution, the program will proceed in one of two possible directions, and it’s often a value from memory that determines which branch is taken. Rather than wait for the memory to be fetched, modern CPUs will predict which branch execution will take, and speculatively execute the code down that branch. Once the memory is fetched and the branch is properly evaluated, the speculatively executed code is rewound if the guess was wrong, or made authoritative if the guess was correct. Spectre is the realization that incorrect branch prediction can change the contents of the CPU cache, and those changes can be detected through cache timing measurements. The end result is that arbitrary system memory can be leaked from a low privileged or even sandboxed user process.

In response to Spectre, OS developers and CPU designers have added domain isolation protections, that prevent branch prediction poisoning in an attack process from affecting the branch prediction in the kernel or another process. Training Solo is the clever idea from VUSec that branch prediction poisoning could just be done from within the kernel space, and avoid any domain switching at all. That can be done through cBPF, the classic Berkeley Packet Filter (BPF) kernel VM. By default, all users on a Linux system can run cBPF code, throwing the doors back open for Spectre shenanigans. There’s also an address collision attack where an unrelated branch can be used to train a target branch. Researchers also discovered a pair of CVEs in Intel’s CPUs, where prediction training was broken in specific cases, allowing for a wild 17 kB/sec memory leak.

Also revealed this week is the Branch Privilege Injection research from COMSEC. This is the realization that Intel Branch Prediction happens asynchronously, and in certain cases there is a race condition between the updates to the prediction engine, and the code being predicted. In short, user-mode branch prediction training can be used to poison kernel-mode prediction, due to the race condition.

(Editor’s note: Video seems down for the moment. Hopefully YouTube will get it cleared again soon. Something, something “hackers”.)

youtube.com/embed/jrsOvaN7PaA?…

Both of these Spectre attacks have been patched by Intel with microcode, and the Linux kernel has integrated patches for the Training Solo issue. Training Solo may also impact some ARM processors, and ARM has issued guidance on the vulnerability. The real downside is that each fix seems to come with yet another performance hit.

Is That Real Cash? And What Does That Even Mean?

Over at the Something From Nothing blog, we have a surprisingly deep topic, in a teardown of banknote validators. For the younger in the audience, there was a time in years gone by where not every vending machine had a credit card reader built-in, and the only option was to carefully straighten a bill and feed it into the bill slot on the machine. Bow how do those machines know it’s really a bill, and not just the right sized piece of paper?

And that’s where this gets interesting. Modern currency has multiple security features in a single bill, like magnetic ink, micro printing, holograms, watermarks, and more. But how does a bill validator check for all those things? Mainly LEDs and photodetectors, it seems. With some machines including hall effect sensors, magnetic tape heads for detecting magnetic ink, and in rare cases a full linear CCD for scanning the bill as it’s inserted. Each of those detectors (except the CCD) produces a simple data stream from each bill that’s checked. Surely it would be easy enough to figure out the fingerprint of a real bill, and produce something that looks just like the real thing — but only to a validator?

In theory, probably, but the combination of sensors presents a real problem. It’s really the same problem with counterfeiting a bill in general: implementing a single security feature is doable, but getting them all right at the same time is nearly impossible. And so with the humble banknote validator.

Don’t Trust That Phone Call

There’s a scam that has risen to popularity with the advent of AI voice impersonation. It usually takes the form of a young person calling a parent or grandparent from jail or a hospital, asking for money to be wired to make it home. It sounds convincing, because it’s an AI deepfake of the target’s loved one. This is no longer just a technique to take advantage of loving grandparents. The FBI has issued a warning about an ongoing campaign using deepfakes of US officials. The aim of this malware campaign seems to be just getting the victim to click on a malicious link. This same technique was used in a LastPass attack last year, and the technique has become so convincing, it’s not likely to go away anytime soon.

AI Searching SharePoint

Microsoft has tried not to be left behind in the current flurry of AI rollouts that every tech company seems to be engaging in. Microsoft’s SharePoint is not immune, and the result is Microsoft Copilot for SharePoint. This gives an AI agent access to a company’s SharePoint knowledge base, allowing users to query it for information. It’s AI as a better search engine. This has some ramifications for security, as SharePoint installs tend to collect sensitive data.

The first ramification is the most straightforward. The AI can be used to search for that sensitive data. But Copilot pulling data from a SharePoint file doesn’t count as a view, making for a very stealthy way to pull data from those sensitive files. Pen Test Partners found something even better on a real assessment. A passwords file hosted on SharePoint was unavailable to view, but in an odd way. This file hadn’t been locked down using SharePoint permissions, but instead the file was restricted from previewing in the browser. This was likely an attempt to keep eyes off the contents of the file. And Copilot was willing to be super helpful, pasting the contents of that file right into a chat window. Whoops.

Fuzzing Apple’s CoreAudio

Googler [Dillon Franke] has the story of finding a type confusion flaw in Apple’s CoreAudio daemon, reachable via Mach Inter-Process Communication (IPC) messages, allowing for potential arbitrary code execution from within a sandboxed process. This is a really interesting fuzzing + reverse engineering journey, and it starts with imagining the attack he wanted to find: Something that could be launched from within a sandboxed browser, take advantage of already available IPC mechanisms, and exploit a complex process with elevated privileges.

Coreaudiod ticks all the boxes, but it’s a closed source daemon. How does one approach this problem? The easy option is to just fuzz over the IPC messages. It would be a perfectly viable strategy, to fuzz CoreAudio via Mach calls. The downside is that the fuzzer would run slower, and have much less visibility into what’s happening in the target process. A much more powerful approach is to build a fuzzing harness that allows hooking directly to the library in question. There is some definite library wizardry at play here, linking into a library function that hasn’t been exported.

The vulnerability that he found was type confusion, where the daemon expected an ioctl object, but could be supplied arbitrary data. As an ioctl object contains a pointer to a vtable, which is essentially a collection of function pointers. It then attempts to call a function from that table. It’s an ideal situation for exploitation. The fix from Apple is an explicit type check on the incoming objects.

Bits and Bytes