The end of an Era and the start of a New, IoT era of hacking hardware

Samurize is done, gone. Its website is now just a shell. Files can still be accessed directly over FTP, but the links to them on the site are broken.


Samurize is, or was, “an advanced system monitoring and desktop enhancement engine”. I’ve used it for years, but now there is no point, as it will no longer be supported. The community is trying to open source it, but the libs and code have become cumbersome and there are too many compile errors.

For some reason there is no interest in keeping such a tool alive, which is a huge surprise to me, as I found it extremely useful and have participated in plugin and theme development.

One of my most popular plugins, with a last count of over 6229 downloads, was KeyLed. It allowed the user to define triggers and to control the status LEDs on the keyboard as a VU meter, HDD read/write indicator and much more. The thing is, the trick of controlling your keyboard lights is a very, very old one. Like the 2B2B2B41544829 bug in telephone modems, the COM1 in zip files or the legendary 2600hz. Sigh… The good old days… are coming back 🙂

Those issues are so low level, so embedded in the operation of devices or firmware, that some of them have not been solved to this day: fixing them would require too much investment of time and money, so it is easier to keep calm and quiet and hope no one notices.

Old issues and exploits are a good starting point when looking at the future of IoT security problems. Some of those problems have already surfaced, especially with most current devices being shipped and installed with default or no passwords. What is your Bluetooth device password? Is it 0000? Now imagine that you have a Bluetooth mic or data storage.

The next era is one of disposable, powerful and cheap interconnected devices that are full of holes and possibly have access to your personal data. What is even more worrisome is that most of those devices will be connected to something that interacts with its environment: garage doors, temperature controllers, wireless lights. I would suggest watching Mr. Robot or at least reading this.

This is on its way, and that train cannot and should not be stopped, as it represents an evolution of the internet. What you need to be is informed, so you can ask proper questions and be mindful and critical of the producers of IoT gear.

One of the best examples of weak security in embedded systems is described in the document Internet Census 2012 – Port scanning /0 using insecure embedded devices. It describes one person’s quest to scan the entire internet one last time before the changeover to IPv6. At one point it involved over 420 thousand clients, most of which were embedded machines: coffee machines, refrigerators, routers and other machines with weak, default or no security. It is an extremely interesting read and I would highly recommend it. I especially enjoyed the joke at the end.

Now imagine such a project with malicious intent, and place it some 5 to 10 years in the future, when a lot of additional things will be part of the IoT. The launch of Stuxnet showed just how much damage a piece of code can do, and not to software, which for most people is rather abstract, but to physical objects.

Now, back to KeyLed, or the low-level port 64h. It’s not an exploit per se but a good example of hardware hacking, and it works only on keyboards connected through a PS/2 connector, not USB.

The computer communicates with the keyboard on I/O port 60h, which is the data port, and port 64h, which is the command/status port of the keyboard controller. By writing to port 60h we bypass the system and change the LED indicator, e.g. Caps Lock, to off without changing the Caps Lock status. Caps Lock stays on even if the LED is off. This lets us play with the keyboard lights without any worries.

Port 64h is used to detect whether the keyboard controller is ready. We do that by waiting until the status read from port 64h becomes 0 (the code below checks bit 1, the input buffer full flag). Then we prepare the keyboard to change its lights by writing EDh to port 60h, and wait for port 64h to once again become 0.

Waiting for port 64h to become 0 is a safety measure that can be bypassed, but I would recommend against it. You would still be able to change the LED state, but by waiting for the ready state you avoid unwanted artifacts like missing keystrokes.

After we prepare the keyboard we can turn the keyboard lights off and on by writing to port 60h combinations of:

  1. Caps Lock = 4, bit 2 set (00000100)
  2. Num Lock = 2, bit 1 set (00000010)
  3. Scroll Lock = 1, bit 0 set (00000001)

This way we can selectively turn the lights on the keyboard on and off without changing the Caps Lock or Num Lock status.

Windows XP introduced restrictions on accessing hardware ports. By contrast, most IoT devices currently deployed around the world that have Over the Air (OTA) updates enabled have no security check at all. This allows an attacker to overwrite the embedded device’s firmware with his own, remotely, with little to no risk of detection. The attacker would need to know the target device’s make and model, which is, trust me, not that difficult to find out.

So, to get around that restriction we need a way to access those hardware ports in Windows. Luckily, there already is a library that can do that for us. In good old DOS there was Int 9 and direct access to the ports, but not anymore. The library I used was Inpout32.dll. It is open source, so if you really like it you could incorporate it directly into your applications, removing the need for “one additional file to carry around”. After declaring the DLL functions in your code you can simply do the following:

{ Inpout32.dll exports; declare these once in your unit }
function  Inp32(wAddr: Word): Word; stdcall; external 'inpout32.dll';
procedure Out32(wAddr: Word; bOut: Word); stdcall; external 'inpout32.dll';

{ Wait until the keyboard controller's input buffer is empty
  (status port 64h, bit 1 = 0) before sending the next byte }
procedure WaitKeyboardReady;
begin
	repeat until (Inp32($64) and 2) = 0;
end;

{ n = Num Lock, c = Caps Lock, s = Scroll Lock }
procedure Set_keyboard_lights(n, c, s: Boolean);
var
	val: Byte;
begin
	val := 0;
	if s then Inc(val);     { bit 0: Scroll Lock }
	if n then Inc(val, 2);  { bit 1: Num Lock }
	if c then Inc(val, 4);  { bit 2: Caps Lock }
	WaitKeyboardReady;
	Out32($60, $ED);        { EDh: "set LEDs" keyboard command }
	WaitKeyboardReady;
	Out32($60, val);        { the LED bit mask }
end;

The procedure takes three parameters, each true or false: Num Lock status, Caps Lock status and Scroll Lock status.

This small snippet is all you need to control your keyboard lights. Have fun!!
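As an added example (not the post's or the KeyLed plugin's code), here is the same EDh handshake in C, driven against a constructed mock 8042 controller so it can run anywhere, with a bounded wait so the loop cannot hang when no PS/2 keyboard is present. The mock, its names and MAX_SPINS are assumptions; a real build would replace port_in/port_out with inb/outb (under ioperm) or Inpout32.

```c
#include <stdint.h>
#include <stdbool.h>

#define KBD_DATA 0x60      /* keyboard data port */
#define KBD_STATUS 0x64    /* controller status/command port */
#define KBD_SET_LEDS 0xED  /* "set LEDs" keyboard command */
#define STATUS_IBF 0x02    /* status bit 1: input buffer full (controller busy) */
#define MAX_SPINS 100000   /* bounded wait instead of the post's endless repeat */
enum { LED_SCROLL = 1, LED_NUM = 2, LED_CAPS = 4 };  /* bit layout from the post */

/* Constructed mock 8042: records bytes written to 60h and reports "busy" for a
 * few status reads after each write. Swap port_in/port_out for real port I/O. */
static struct { uint8_t written[4]; unsigned n, busy; } kbc;

static uint8_t port_in(uint16_t port) {
    if (port != KBD_STATUS || kbc.busy == 0) return 0;
    kbc.busy--;
    return STATUS_IBF;
}
static void port_out(uint16_t port, uint8_t v) {
    if (port == KBD_DATA && kbc.n < sizeof kbc.written) kbc.written[kbc.n++] = v;
    kbc.busy = 3;
}

static bool wait_input_buffer_empty(void) {
    for (unsigned i = 0; i < MAX_SPINS; i++)
        if ((port_in(KBD_STATUS) & STATUS_IBF) == 0) return true;
    return false;  /* never became ready, e.g. no PS/2 keyboard attached */
}

uint8_t led_mask(bool num, bool caps, bool scroll) {
    return (scroll ? LED_SCROLL : 0) | (num ? LED_NUM : 0) | (caps ? LED_CAPS : 0);
}

/* The handshake from the post: wait, send EDh, wait, send the mask. */
bool set_keyboard_lights(bool num, bool caps, bool scroll) {
    if (!wait_input_buffer_empty()) return false;
    port_out(KBD_DATA, KBD_SET_LEDS);
    if (!wait_input_buffer_empty()) return false;
    port_out(KBD_DATA, led_mask(num, caps, scroll));
    return true;
}

/* Reset the mock with `busy` pending status reads, run one update and return
 * the i-th byte that reached 60h, or -1 on timeout / no such byte. */
int mock_run(bool num, bool caps, bool scroll, unsigned busy, unsigned i) {
    kbc.n = 0; kbc.busy = busy;
    if (!set_keyboard_lights(num, caps, scroll)) return -1;
    return i < kbc.n ? kbc.written[i] : -1;
}
```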


Online ASCII Art Generators

Ever since the early 90s and the beginning of the end of Bulletin Board Systems, ASCII art has been neglected, unlike pixel art, which is still doing fine. The coding and demo scenes have kept the tradition alive and continue to use ASCII characters extensively. One of the best examples is the cosmblop 4k demo. More about what ASCII is and what it is used for, and it is used ALL the time, can be found on Wiki.

The basic form of ASCII art is creating big letters out of special characters. The one I use most often is Text to ASCII Art Generator, or TAAG.


Now, why would anyone use ASCII art today, in 2016? Well, I use it as a source code separator and organizational tool while coding. It is especially useful with Sublime Text, where the right side of the screen offers an overview of the code, and large banner-like ASCII art stands out, marking the individual parts of the code.


A step up from using ASCII just for creating large letters is using it to create pictures. This started almost with the dawn of computers, as they had no graphical user interface. When something graphical had to be shown, it was done with combinations of special characters from the ASCII set. They are still used today, and the most famous is the smiley, the most used piece of ASCII art. 🙂

There are a lot of archives online that organize and host tutorials on how to create ASCII art. Some of them are Chris.com and the ASCII Art Dictionary. The ASCII Art Dictionary also hosts tutorials on how to create animated ASCII graphics. ASCII art doesn’t have to be black and white; Wikipedia has a surprisingly detailed entry about all kinds of ASCII art.


What I learned from a year or two of using the ESP8266-01 module.

First off, the ESP does not tolerate 5V under any circumstances, neither as supply voltage nor as signal voltage. Usually when you read that a piece of tech does not tolerate 5V, it actually does, at least for a short time. Not the ESP. Just show it 5V and it will blow up. And the worst thing is that there will be no white smoke to indicate that something went very wrong. It will continue to sit there, not working, while you rearrange the code for the tenth time trying to figure out what’s wrong. To make things even worse, the red LED will stay on, just to taunt you into believing it’s still alive.

There are 12+ different variants of the basic ESP reference board, the simplest and most prolific being the ESP-01.

A good and stable power supply is a must, as the ESP does not like fluctuations; the ones that happen when it turns on its WiFi are enough to make it reboot. The ESP-01’s onboard power supply filtering is virtually nonexistent, with only a small 100 nF capacitor. There should have been at least another 10 uF, which is not there. I would suggest adding another 10-100 nF decoupling capacitor together with a larger >300 uF capacitor between Vcc and GND on the board.

Whoever designed the ESP-01 board was one massive troll. All of those components should have been there in the first place. I can almost see him, the engineer who designed the ESP boards, snickering as he plots his troll move on unsuspecting makers around the world.

Most of those traps are now fixed in more complete prototyping boards like NodeMCU and others.

USB, Arduino and other power sources will not be sufficient for normal operation of the ESP with WiFi turned on. Most such sources only provide around 100 mA, while the ESP needs more than 150 mA to work properly. One symptom of insufficient current is that you can upload firmware, but it will constantly trigger a watchdog timer (WDT) reset when you try to connect to a network; in other words, it will constantly reboot. A good rule of thumb is a power supply able to provide at least 300 mA, or better still a minimum of 500 mA. ESP consumption can peak at around 300 mA.

The ESP’s ADC is used internally by the chip to measure its internal voltage and adjust the WiFi output power. This causes a lot of problems if you wish to take a large number of samples with the ADC: if the watchdog timer cannot access the ADC, it will raise a fault.

There are no warning faults; all faults are critical and cause a watchdog reset or a straight-out reboot. If anything goes wrong, even if it’s not important, the ESP makes it important.

Good practice is to let the watchdog do its thing every now and again, or simply call delay() or yield() every 50 ms, or 500 ms at the outside. This lets the watchdog do its job and keeps WiFi alive. This is true for all actions, not just reading the ADC. It is more sensitive when the ADC is used, but any task that takes more than 500 ms to finish without the watchdog getting its chance to run will cause the ESP to crash and burn, or just reboot.

As with all new things, the ESP had its childhood problems (and trolls). As the platform matures and the bugs are ironed out, both hardware and software, it is becoming a powerful replacement for Atmel-based Arduinos.
