Showing posts with label Hardware. Show all posts

Sunday, September 14, 2025

The Internet at DEF CON 33 (and BOM to make your very own)

 And it came to pass that the Pope of the Church of Wi-fi, yeah, even Renderman, didst bless and consecrate The Internet in this the 2025th year of the common era (and 35 years after Tim Berners-Lee invented it) on August 8th, the second night of DEF CON 33.

And lo, DuncanYoudaho didst capture the consecration thereof in an image. In the self-same breath as the consecration, the Pope did also pronounce a holy quest upon him as a teacher doth chastise the student that readeth not the book but kind of fumbles through the book report anyway.

Yeah, he was admonished with much reproachment to not share the graven image of the consecration until such time as the quest was fulfilled. That all the world wouldst see and hear and follow in the path. And this was the quest:

"DuncanYoudaho, if ye be a loyal servant of The Internet, teach those who see the image of this blessing how they also might obtain an Internet of their very own. Yeah, promulgate and proclaim the BOM that thou didst fulfill when making The Internet."

And so if thou wisheth to make this Thine Internet, obtain the shards of circuitry, and resistors, and switches, and hookup wire, and make ye an earthly copy of what is now The Blessed Internet!

Instructables

I made The Internet thanks to a great Instructable. The parts list has atrophied a bit with time, so I’m reproducing a BOM here with more modern selections. When in doubt, they’ve probably got better step-by-step instructions, so head there. What I did not do (and wish I did) is take the advice to make curly LED hookups and stand-offs. Making the wires as tight as they are has led to almost every solder joint breaking. The Internet has required constant maintenance, which various users have graciously done and received stickers in return, most recently Chip from Aviation Hacking Village.

Parts List

  • Hammond 1591XX Series enclosure in a chosen size (Mouser/Digikey) or a similar looking enclosure - The plastic enclosure of The Internet uses a Radio Shack ABS project box. As these are no longer available in large quantities, I found a similar project box in the Hammond 1591XX Series enclosures.  These come in black, have a detachable bottom with rounded exterior edges, and come with PCB mounting holes inside the case for easy attachment of the strip board components.
  • Red LED inside chrome-plated enclosure (Mouser/Digikey) - Pay particular attention to the voltage. Higher voltage LEDs will need more batteries.
  • NE555 Timer (Mouser/Digikey) - The through-hole TI model is linked here. This is the grand-daddy of them all. The IC that birthed all other blinky lights. Kneel and say thanks. And provide at least 4.5V to power it.
  • Resistors: 330Ohm, 2x 1M Ohm - The 330Ohm resistor can be changed to tune the blink to your liking.
  • Battery Holder(s) for at least 6V power. 
  • Hook-up Wire, Solid Core.
  • Strip Board sufficient for mounting the components and attaching inside the case.

Equipment

  • Wire Strippers
  • Soldering Iron and Solder
  • Double-sided Tape
  • Screw Driver for case and PCB Screws

Steps

  • Get circuit working on Strip Board or Bread Board.
  • Cut 8mm hole in case for light
  • Cut hole in case for switch. I put mine on the side of the box 
  • Make stand-offs and long curly q's for LED, switch, and batteries
  • Make final solder joints to hook everything up
  • TEST IT 
  • Screw down the Strip board to the box
  • Affix the batteries to the strip board (I had to wire the 4x AA holder down as it kept breaking loose)
  • Close it all up and test it again
  • Get it demagnetized by the Elders of the Internet, or find another Pope of the Church of Wi-fi to bless it for you. 

Pinout stolen from NE555P Datasheet

 

Circuit Design

 

Pictures of The Internet

 

And the Lord did grin...

Currently, The Internet was handed off to members of DC404 for an East Coast Adventure. If Flat Stanley returns to DEF CON 34, I'm sure it will come with plenty of stickers. 

Friday, August 16, 2024

Fix Always-on Defrost + Floor for Ford/Lincoln/Mercury EATC Climate Control

So there we were: driving from Portland to San Diego, car full of apartment supplies and heading into the desert south of Eugene, OR on a 95F/35C day. When we hit the first hill, the AC makes a sound and switches from Max to Defrost and loses all efficiency. Ugh.

I had a hell of a time getting the air conditioning on my 2000s Mercury Grand Marquis to blow anything but Defrost/Floor. It started with family smelling exhaust when it was on Max AC/Recirculate. Then it would switch to Defrost when going uphill. Finally, it stopped sending air through anything but the top vent/floor. Turns out the vacuum-actuated doors run through the notoriously leaky EATC HVAC Control Head. The troubleshooting advice below should apply equally to any Ford/Lincoln/Mercury AC unit with a vacuum system.

Initial Troubleshooting - O-Rings

If you're here, you have probably seen the archived MercuryMarauder.net thread with tons of advice, pictures, and fixes to help you get started. The best fix to start with is to swap out the o-rings inside the solenoids. The fix is a few dollars (007 O-Rings from any Ace should work, or get the silicone ones from eBay from sellers that have them specifically labeled for this fix). It can be done in an hour with the proper tools, and there are a ton of YouTube videos detailing the fix.

007 O Rings at Ace hardware

 

Next Step - Leaking Valve Body

Sometimes, the o-ring fix doesn't work. Farther down the thread, fastblackmerc details how to fix a leaky valve body -- the part that connects the hoses to the solenoids:

  1. Disassemble the EATC Head. Take off the solenoids completely so it is just black plastic.
  2. Plug the solenoid tubes with 5/8" vac caps (made mine out of kinked tubes)
  3. Plug the vac hose tubes with 1/8" vac caps (connected these to each other, see below)
  4. Check to see if the body is holding pressure: Hook a length of spare tube up to one of the tubes and blow with your mouth. If it's not holding pressure, you will hear a hissing from the tubes or body.
  5. Check where the leaks are coming from: Submerse the entire valve body in water and blow again. You'll see bubbles rising from the micro-cracks letting out the air.
  6. Dry off the valve body and cover/fill up cracks with 2-part epoxy. You can also use the same tube you used to blow in air to subject the valve body to a vacuum and draw the epoxy into the cracks. Careful! Don't get too aggressive with this or you might plug the pathways for vacuum.
  7. Wait for the epoxy to cure and repeat the check for cracks/fill steps until the valve body is no longer leaking.

For me, I took his advice and it still didn't work. I had leaks elsewhere. But it might work for you.

Valve Body with all its holes plugged

Desperation Move - Bypass Valve Body

If the fixes to the valve body are still not working, you might need to bypass the head completely. This can be done as easily as hard-wiring 1/8" vacuum tubing to the two mixer doors that control air flow. Or you can follow a simple extra step to ensure you can restore Defrost as needed.

I followed Victor's video about the bypass. He gets under the dash (two plastic panel shield retainers hold it to a metal bracket) and is able to access the vacuum coupling behind the EATC Head.  1/8 hose and T connectors from AutoZone helped me get the bypass and Recirculate working just like him.

To take it a step further, I bought a 1/4 sprinkler valve from Lowes and patched it in with an additional T. Now I can turn the valve to open on cold mornings, let the vacuum out, and get Defrost/Floor when I want. I left the hose extra long and ran it up into the glove box. Easy access but still hidden.

Bodge under the dash for Recirculate

Valve that can be opened at will for turning on Defrost/Floor

Side Step - Check that the Door Actuators Still Work

If this isn't your first crack at the fix, you might want to make sure the door actuators are actually working. If the issue started occurring for you gradually, and all mix doors won’t respond, this is unlikely to be your problem. However, it can help to rule out all possible causes if it is driving you crazy.

To do this, you will need to access the vacuum lines (detailed above) and a length of vacuum hose and some fittings to get a good seal. You can either create your own vacuum with a hand-pump of the type used to bleed brakes, or pipe the existing vacuum main line from one line to each outlet and listen for the doors as they actuate beneath the dash. An extreme solution is pictured below. Using sprinkler fittings, I bodged together a 4-way plug to make sure I was getting Recirculate mode activated.

The hand pump vacuum is holding pressure. The EATC is probably at fault.

Thursday, April 23, 2020

Taming an Anycubic Kossel Pulley 3D Printer

Quick post to note how I got my Anycubic Kossel Pulley basically working.  It took me forever to find how to do some of this, and I know I will forget it if I do not write it down.

  • Use DaHai's configuration video for starters.
    • Upgrade the firmware to Marlin 1.1.9.  I ended up using 1.1.9.1 as of this writing.
    • Use DaHai's files and modify them to work with stock Steppers.  Use Arduino IDE to load the firmware after replacing Configuration.h and Configuration_adv.h (which I did not make changes to).  Here are the changes I made to his Configuration.h:
      • Line 624-626: Change these from his upgraded TMC2130_STANDALONE to stock A4988
      • Line 705: I got crazy loud stuttering when first descending to the bed during a print.  Lower this to get rid of that.
      • Line 868: I and several people online have measured and gotten good resulting prints with the Type 2 Probe Offset at -15.88
      • Line 938 to 940: These need to be true for stock steppers.  DaHai's steppers did not need to be inverted.
      • Line 1358-1364: Define your temperature presets. I have used PETG to great success with a preheat of 70C for the bed and 230C for the hotend.  This rises to print at 80C and 245C respectively during the print.
    • When following the leveling instructions, the video shows a "Set Delta Height" option that is absent in the version of the firmware I loaded.  This caused me no end of headaches later when the method of subtracting the bed distance from both the Z-Height and Probe Offset produced weird math and never worked properly.  Instead, I ran auto-calibration, saved the settings, then:
      • Noted my Z after going to Prepare -> Auto Home
      • Brought the nozzle to the bed using Prepare -> Move Axis -> Move Z until a business card wouldn't move when squished between the axis and the bed.  I then noted the height
      • Changed only my Z height by this amount, subtracting the noted number from the Z height (so a negative number is added).
      • Saved and Auto Homed
      • Set my Probe Offset to 15.88 per recommendations online.
      • Checked it again and only touched the Z Height when it was off.  Repeat the Z height move if this is still not right.
  • With the printer calibrated, it was time to print.  I just used Cura because I could not get Slic3r or Pronterface to work easily.  Cura does not have the Kossel in it by default, but it can be easily added.  JDHarris on Thingiverse even shared the configuration file they made which can be picked up by Cura after a restart.
  • I printed with PETG which has a high temp but no fumes.  I found hairspray for adhesion worked best thanks to several awesome tips by people connected with the PDX hacker community.  Thanks all!
After this, it just worked and keeps working.  It's magical what a little math and open source firmware will do.  That being said, it's my first printer.  It is bound to break in ways I can't even imagine now.  First order of business?  Print things that make the printer better, as is tradition.

Update: Not all is well in Whoville.  I've developed some Heat Creep with this PETG printing at 245C, and I haven't had the time to troubleshoot it.  Wish me luck!

Sunday, March 24, 2019

The Aviary: Huckleberry

The Aviary, Pg 404

One of the cocktails hailing from The Office, a speakeasy basement bar underneath The Aviary, this seemed simple to assemble with only one bit of complicated machinery: a sous vide.  Also, the presentation alone was intoxicating: a frothy head atop a mauve concoction? Sign me up!


I was able to obtain a chinois at a Goodwill.  The strainer and pestle separates juice from pulp and seeds.  However, the main ingredient is a clove tincture (fancy word for Everclear infused with clove). This required a sous vide as written.  As long as I've heard about them, I have never pulled the trigger on this low temperature wonder-machine (I don't have an instant pot either).  I figured it was time to lay that to rest.

There are plenty of DIY sous vide videos on the internet.  I settled on one that recommended a rice cooker combined with an industrial 110V AC temperature controller instead of a brewer's setup.  The most important part of this setup is the type of heated pot you use.  I couldn't use my crock pot, for example, because it had a digital control.  Every time the power cut off and then back on, it would not return to heating the pot.  My manual-switch rice cooker worked like a charm, however.  Then, for $20 in parts from the hardware store and $20 for the temperature controller on Amazon, I had a safe contraption through which to control my rice cooker and keep a pot of water within 2 degrees of a specific temperature for any length of time (perhaps "safe" is relative; use wire nuts and an electrical box when playing with mains, kids; the picture below shows iteration one with no cover).


The clove tincture was dead simple but extremely smelly.  $1 in bulk cloves and some Everclear got me a half dropper full of the cloviest drops that ever passed your nose. A word of warning: toasting the cloves is a horrendously smoky business.  Do this with a hood on full blast or outside.  We had to open all the windows and run for coffee.  I already had a vacuum sealer so I dumped the toasted cloves into a bag, poured on the alcohol, and dunked it into the rice cooker for an hour.  I decanted the result into an amber bottle with dropper and savored the aroma (which wasn't hard; it was everywhere).


The rest of the recipe was fairly simple.  Huckleberries don't come into season until August, so we went with blackberries from Mexico.  The syrup came together easy with a few gradually finer strainings.  6oz made 166g of juice.  Amaro Averna from Total Wine, Bombay Gin on sale, and Angostura bitters I already had on hand completed the boozy bits.  A quick trip through a shaker came out with a pink foamy pour that gradually separated into mauve and foam.  The bitters and pepper hit our nose, and the herbal hit of the drink completes it.  It's just sweet enough with off-season blackberries to be pleasant without being overpowering.  As we drank, we noticed the colors change and aromas deepen.  Very fun and dynamic drink.



A second round (can't waste syrup, after all) made with vodka toned down the herbal nature.  This will probably be the version I make for myself unless the guests are already gin drinkers.  Too close to 'too much' pine.  A friend suggested ditching the clove and replacing it by painting the glass with Chartreuse.  Either way, this seems to be a reliable cocktail to just have on hand.  Freezing berry syrup during their season in 2oz portions and the huge amount of clove tincture I have left over means it will be quick to assemble with a fun story to tell while we shake it up.

Wednesday, July 25, 2018

Wristband Teardown from Amazon's #FireTVSDCC Event at San Diego Comic Con

A friend returned from San Diego Comic Con 2018 with an RFID bracelet used to track users in the Amazon Fire TV experience (on Twitter, #FireTVSDCC).  This is a teardown of the bracelet after the event.  At this time, I was unable to read from the bracelet.



The bracelet is fairly simple with a cloth band and plastic/paper tab threaded through.  The closure is plastic and one-way.  It bites into and mangles the cloth band if you attempt to remove, but you could probably shim it with tools and practice.  Might be a fun thing for the Tamper Evident Village if it turned out events were trying to use this for access control like plastic self-destructing wristbands.


The back contains a serial number.  I would like to see if this serial number would match the data read off the tag.



Separating the badge by prying the covers apart, I spot the prize: an adhesive RFID tag placed between the glossy plastic covers.  It appears to have a model number of "CXJ-040" in the center of the tag.  It uses a circular antenna.  CXJ are the initials of Shenzhen manufacturer Chuangxinjia.  Their product pages show many similar wristbands in a few different frequencies.

The tag didn't respond to my Android phone, so it is not a Mifare or similar.  Hopefully I can find a reader at the local Hackerspace or DEF CON 26.

Tuesday, June 12, 2018

Quotes from Dan Kaminsky's Keynote at DEF CON China


Above is Dan Kaminsky's keynote at the inaugural DEF CON China.  It was nominally about Spectre and Meltdown, and I thought it was immediately applicable to testing at all levels.  Here are some moments that jumped out at me:

On Context:

"There's a problem where we talk about hacking in terms of only software...What does hacking look like when it has nothing to do with software." 1:55

"But let's keep digging." Throughout, but especially 5:40

"Actual physics encourages 60 frames per second. I did not expect to find anything close to this when I started digging into the number 60...This might be correct, this might not be. And that is a part of hacking too." 6:10

"Stay intellectually honest as go through these deep dives. Understand really you are operating from ignorance. That's actually your strong point. You don't know why the thing is doing what it is doing...Have some humility as you explore, but also explore." 7:40

"We really really do not like having microprocessor flaws...and so we make sure where the right bits come in, the right bits come out. Time has not been part of the equation...Security [re: Spectre/Meltdown] has been made to depend on an undefined element. Context matters." 15:00

"Are two computers doing the same thing?...There is not a right answer to that. There is no one context. A huge amount of what we do in hacking...is we play contexts of one another." 17:50

[Re: Spectre and Meltdown] "These attackers changed time which in this context is not defined to exist...Fast and slow...means nothing to the chip but it means everything to the users, to the administrators, to the security models..." 21:00

"Look for things people think don't matter. Look for the flawed assumptions...between how people think the system works and how it actually does." 35:00

"People think bug finding is purely a technical task. It is not because you are playing with people's assumptions...Understand the source and you'll find the destination." 37:05

"Our hardest problems in Security require alignment between how we build systems, and how we verify them. And our best solutions in technology require understanding the past, how we got here." 59:50

On Faulty Assumptions:

"[Example of clocks running slow because power was not 60Hz] You could get cheap, and just use whatever is coming out of the wall, and assume it will never change. Just because you can doesn't mean you should...We'll just get it from the upstream." 4:15

"[Re: Spectre and Meltdown] We turned a stability boundary into a security boundary and hoped it would work. Spoiler alert: it did not work." 18:40

"We hope the design of our interesting architectures mean when we switch from one context to another, nothing is left over...[but] if you want two security domains, get two computers. You can do that. Computers are small now. [Extensive geeking out about tiny computers]" 23:10

"[RIM] made a really compelling argument that the iPhone was totally impossible, and their argument was incredibly compelling until the moment that Steve Jobs dropped an iPhone on the table..." 25:50

"If you don't care if your work affects the [other people working on the system], you're going to crash." 37:30

"What happens when you define your constraints incorrectly?... Vulnerabilities. ...At best, you get the wrong answer. Most commonly, you get undefined behavior which in the presence of hacking becomes redefinable behavior." 41:35

"It's important to realize that we are loosening the assumption that the developer knows what the system is supposed to do...Everyone who touches the computer is a little bit ignorant." 45:20

On Heuristics

"When you say the same thing, but you say it in a different time, sometimes you're not saying the same thing." 9:10

"Hackers are actually pretty well-behaved. When hackers crash code...it does really controlled things...changing smaller things from the computer's perspective that are bigger things from a human's perspective." 20:25

"Bugs aren't random because their sources aren't random." 35:25

"Hackers aren't modeling code...hackers are modeling the developers and thinking, 'What did [they] screw up?' [I would ask a team to] tell me how you think your system works...I would listen to what they didn't talk about. That was always where my first bugs came from." 35:45

On Bug Advocacy

"In twenty years...I have never seen stupid moralization fix anything...We're engineers. Sometimes things are going to fail." 10:30

"We have patched everything in case there's a security boundary. That doesn't actually mean there's a security boundary." 28:10

"Build your boundaries to what the actual security model is...Security that doesn't care about the rest of IT, is security that grows increasingly irrelevant." 33:20

"We're not, as hackers, able to break things. We're able to redefine them so they can't be broken in the first place." 59:25

On Automation

"The theorem provers didn't fail when they showed no leakage of information between contexts because the right bits went to the right places. They just weren't being asked to prove these particular elements." 18:25

"All of our tools are incomplete. All of our tools are blind" 46:20

"Having kind of a fakey root environment seems weird, but it's kind of what we're doing with VMs, it's what we're doing with containers." 53:20

On Testing in the SDLC

"We do have cultural elements that block the integration of forward and reverse [engineering], and the primary thing we seem to do wrong is that we have aggressively separated development and testing, and it's biting us." 38:20

"[Re Penetration Testing]: Testing is the important part of that phrase. We are a specific branch of testers that gets on cooler stages...Testing shouldn't be split off, but it kinda has been." 38:50

Ctd. "Testing shouldn't be split off, but it kinda has to have been because people, when they write code, tend to see that code for what it's supposed to be. And as a tester, you're trying to see it for what it really is. These are two different things." 39:05

"[D]evelopers, who already have a problem psychologically of only seeing what their code is supposed do, are also isolated from all the software that would tell them [otherwise]. Anything that's too testy goes to the test people." 39:30

"[Re: PyAnnotate by @Dropbox] 'This is the thing you don't do. Only the developer is allowed to touch the code.' That is an unnecessary constraint." 43:25

"If I'm using an open source platform, why can't I see the source every time something crashes? ...show me the source code that's crashing...It's lovely." 47:20

"We should not be separating Development and Testing... Computers are capable of magic, and we're just trying to make them our magic..." 59:35

Misc

"Branch Prediction: because we didn't have the words Machine Learning yet. Prediction and learning, of course they're linked. Kind of obvious in retrospect." 27:55

"Usually when you give people who are just learning computing root access, the first thing they do is totally destroy their computer." 53:40 #DontHaveKids

"You can have a talent bar for users (N.B.: sliding scale of computer capability) or you can make it really easy to fix stuff." 55:10 #HelpDesk

"[Re: Ransomware] Why is it possible to have all our data deleted all at once? Who is this a feature for?!... We have too many people able to break stuff." 58:25

Saturday, June 2, 2018

Fixing Ford AC Head Controller Vacuum Problem

The AC on my land yacht (2009 Mercury Grand Marquis) has been on the fritz for a while. Last winter, it gradually stopped switching from max AC/recirculate (a necessity in Vegas), then got stuck on norm AC until it rested on Defrost/Floor. I was able to fix it with some basic troubleshooting, YouTube sleuthing, and two bucks in o-rings.

This shaky yet informative video by Ian Smith helped me diagnose it as a problem with vacuum only. The AC itself was fine. It blows cool air all day long. It just did so at the windshield. It couldn't be the blend-door actuator.

The same video showed me how to diagnose the vacuum problems. The black hose providing vacuum from the engine seemed fine: I was getting 20 inches of vacuum with the car turned on when I hooked up a bleed pump with a gauge (mine came from Harbor Freight, shown in the video). To test the actuators, all I had to do was hook a 'jumper' pipe from black to the other pipes. Each one seemed to hold air, and the actuators sprang to life once again. For the first time in a year, I had cold air blowing from the vents. The problem couldn't be in the lines. I pulled the controller head for a closer look.

The head itself is a bunch of electronics, a control panel, and one removable plate with four solenoids. The vacuum hoses come into this through a manifold, and the head controls trigger the solenoids to route vacuum from the black hose to the others. This triggers different actuators under the dash. Something was amiss in the manifold.

I returned to YouTube looking for rebuild instructions. I found this extremely helpful video from a Chicago mechanic. The solenoids contain an o-ring that dries out, wears out, and loses the ability to hold vacuum. I obtained close to the recommended o-rings from Lowes (#36, 5/16 OD, 3/16 ID, 1/16 thickness) as I was not willing to wait for Amazon. A little Oatey silicone lubricant made the tight squeeze work a little better. I found I had to seat the solenoid heads at least once before total reassembly. It was too difficult to do so at the end and fight with the other small parts at the same time. 45 minutes later, I had full control of my AC restored.

I can't believe it was this simple to fix the controller. I think I was intimidated by the AC (having spent $1500 last year to have the dealer redo the whole system from seals to refrigerant). I didn't want to break anything. A few targeted troubleshooting steps helped assuage any fears of irreparable harm, and now I have a comfortable cabin once again.

Wednesday, November 5, 2014

R00tz Asylum 2014


I took Ethan to the event run in parallel with DEF CON, R00tz Asylum.  I think he had a blast as they covered a lot of traditional hacker topics at multiple levels of complexity.  The highlights are below.

Structure

The event was held in the Crown Theater at the Rio.  It was about a 10 minute walk from DEF CON proper.  The separation was nice as it made for a more quiet and contained experience.  The stage was occupied by a speaker almost all the time.  Spread around the perimeter (mezzanine?) were tables with activities that changed every day.  Kids could choose to listen, play or work on challenges.  Most activities stayed the entire day, though some were more transient.

This setup was advantageous for my son.  He has little ability to focus on any one thing for an extended period of time, so the variety of activities was nice.  Much like its parent conference, R00tz Asylum did well when it focused on hands-on learning.  Toool, Google and Wickr held contests and learning opportunities that pushed attendees and their parents to participate together.  In particular, Ethan loved the puzzles, and I finally got him to solder something.  He did a bang-up job.

Speakers

The speaker experience was less than optimal with a few notable exceptions.  The stand-outs were Gene Bransfield's hilarious "Weaponizing your Pets" and Meredith Patterson's engaging activity "The Telephone Game" about Man-in-the-Middle attacks.  Special mention goes to @muffenboy and Esau Kang for being kid attendees and speakers.  For the rest, it would be good to learn that speaking to children is not the same as speaking to hackers, and most talks were too technical, lacked a hands-on component, and thus ended up being torture for the little ones.  From speaking with the organizers, I can tell this is something they are trying to focus on next year.

The Gift

R00tz Asylum is the opposite of DEF CON in one respect: it relies on sponsors to add pizzazz and to make ends meet.  One of those traditions that may or may not hold in coming years is the gift of a hackable piece of technology to attendees.  This year brought ASUS Chromebooks care of Google.  My son was enthralled, and I spent most of the conference convincing him to get off the Chromebook and out to the activities.  By the end of the conference, we had Linux in addition to Chrome, and we were running Wireshark thanks to perseverance by Joe and Chris, a father/son team.  This effort won Chris a trophy, even.  My son begged me to put Minecraft on there, but then quickly forgot how to get back to it and reformatted his Chromebook undoing all our hard work.  Hats off to Google, and congrats to Chris on the win.


Hardware Hacking

By far, my favorite part of the conference was the Hardware Hacking table.  Not only did the goodie bag include a HakTeam Throwing Star LAN Tap, but a table full of old equipment was available from which attendees could rip apart and salvage components.  The LAN Taps were used in an activity that taught wireshark and packet sniffing.  The hardware component salvage table was exploited for speakers, LEDs, gears and motors for all sorts of toys.  I am definitely bringing projects for Ethan next year.  I already recommended the salvage table to the official DEF CON Hardware Hacking Village.  Las Vegas thrift shops may see a run on their printers, VCRs and routers before next year's conference.

Lock picking

The one talk and table I was surprised that Ethan was interested in was from Toool.  Their interactive 101 talk caught his attention, and we worked on a lock at their companion activity table.  Though he ended up losing interest before successfully opening a lock, it gave me a clue of the type of activity he could do on his own between conferences.

Going Forward

I would definitely recommend any hacker parent to bring their child to R00tz Asylum.  It's expanding and evolving to be a great summer camp weekend that dovetails with the DEF CON experience.  As the organizers get more experienced, I expect the content to grow and change to fit the kids and their interests.  We all started somewhere, and I hope R00tz is that start for the next generation.  I started a subreddit for R00tz, though it hasn't taken off.

As for Ethan and me, we are preparing a talk on how to hack Skylanders figures.  We hope it will be a fun combination of encryption, hardware hacking and games that will draw the attention of attendees and inspire them to really dig in and explore the technology that is used around them every day.

Monday, August 18, 2014

RadioShack LED Strip Driver

I modified the Pololu RGB LED Strip drivers from version 1.2.0 to support Radio Shack's behind the times model that is 30 LEDs controlled in 3-diode sections.  I had to swap the colors around to match this pinout, and I changed the struct to a class (because why not).

The fix was to physically reorder the declaration of red/green/blue variables in the struct declaration.  This way, when the information is written to the strip, it is sent in a different (and now correct) order.  You can make the fix yourself by changing the file PololuLedStrip.h:
typedef struct rgb_color  {    
   unsigned char red, green, blue;  
} rgb_color;
becomes:
typedef struct rgb_color  {    
   unsigned char green, blue, red;  
} rgb_color;
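
The effect of the reordering, shown as an added example that is not from this post or from the Pololu library. It assumes the driver streams each color struct's bytes in memory order, which is how the fix is described above; the names rgb_color_orig, rgb_color_rs, wire_bytes, sent_byte_orig, sent_byte_rs and section_for_led are hypothetical, and the orange sample color is constructed.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Field order quoted in the post as the original PololuLedStrip.h. */
typedef struct { unsigned char red, green, blue; } rgb_color_orig;
/* Field order after the post's fix for the RadioShack strip. */
typedef struct { unsigned char green, blue, red; } rgb_color_rs;

#define LED_COUNT 30        /* 30 LEDs ...                    */
#define LEDS_PER_SECTION 3  /* ... driven in 3-diode sections */

/* The fix relies on the struct being exactly three bytes in this order. */
_Static_assert(sizeof(rgb_color_rs) == 3, "no padding expected");
_Static_assert(offsetof(rgb_color_rs, green) == 0, "green goes first");
_Static_assert(offsetof(rgb_color_rs, red) == 2, "red goes last");

/* Hypothetical stand-in for the driver's write loop (assumption: it streams
 * each struct's bytes in memory order). Returns bytes written, 0 on error. */
size_t wire_bytes(const void *colors, size_t count,
                  unsigned char *out, size_t out_len) {
    size_t need = count * 3;
    if (!colors || !out || need > out_len) return 0;
    memcpy(out, colors, need);
    return need;
}

/* Byte at wire position pos (0..2) with the original layout; -1 on error. */
int sent_byte_orig(unsigned char r, unsigned char g, unsigned char b, size_t pos) {
    rgb_color_orig c = { r, g, b };  /* red, green, blue */
    unsigned char out[3];
    if (pos >= 3 || wire_bytes(&c, 1, out, sizeof out) != 3) return -1;
    return out[pos];
}

/* Same, with the reordered layout from the fix. */
int sent_byte_rs(unsigned char r, unsigned char g, unsigned char b, size_t pos) {
    rgb_color_rs c = { g, b, r };    /* green, blue, red */
    unsigned char out[3];
    if (pos >= 3 || wire_bytes(&c, 1, out, sizeof out) != 3) return -1;
    return out[pos];
}

/* Section (0..9) that physical LED 0..29 belongs to; -1 if out of range. */
int section_for_led(int led) {
    return (led < 0 || led >= LED_COUNT) ? -1 : led / LEDS_PER_SECTION;
}

int main(void) {
    /* Constructed sample color: orange, r=255 g=128 b=0. */
    for (size_t i = 0; i < 3; i++)
        printf("byte %zu: original=%d reordered=%d\n", i,
               sent_byte_orig(255, 128, 0, i), sent_byte_rs(255, 128, 0, i));
    return 0;
}
```

Because the field names stay the same, sketch code that assigns .red, .green and .blue is unaffected; only the byte positions change.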

And here it is on GitHub: https://github.com/RangerDan/RadioShackTricolorLEDStrip


I should probably talk to Pololu on licensing concerns here.  I found the license from the original driver and copied it into my repo.  I couldn't figure out how to fork this properly, so I just re-uploaded it until I understand git a bit better.

Friday, August 15, 2014

C3BO: Proof of Concept using Timbermanbot Schematic

This post is part of a series about building electro-mechanical PIN-cracking robots, R2B2 and C3BO.



This is a proof of concept for @JustinEngler's C3BO (https://github.com/justinengler/C3BO) using transistor controlled relays. It was prototyped by modifying Blink from the Arduino sample project.

The schematic was obtained from Timbermanbot (https://github.com/vheun/ArduinoPlays...) as seen on Hackaday (http://hackaday.com/2014/07/26/pwning...).

In the video, you'll notice I've replaced the touchpad for your finger with a wire to the headphone jack's ground as the circuit ground. The two pieces of copper tape were no longer sticky enough to stay by themselves, so I am holding them down. They press 2 and 5 with about 8 key presses per second.

Monday, August 4, 2014

OFBC: Putting it All Together

Note: This is part of the Project Write-up for OFBC: One Fluorescent Beer Coaster

After months of effort, we had a circuit, PCB and shell design to accomplish our goal.  Putting it all together meant solving some unique challenges in the home stretch.  By far the most communal part of the project was finishing the circuit.  Parts were bought by three different people.  It took hours of trial runs and four different nights in my shop to finally get the circuit assembled and ready.  In all, the project taught us to keep moving in spite of obstacles.

Internals

The main obstacle was PCB manufacture.  As detailed in that post, uncooperative copper and etchant led to abominations not fit for solder.  Drill bits broke in PCBs, holes were misaligned, and traces were torn up as we worked and reworked the boards.  The major blunder was the reversed PCBs, but it was tempered by the lack of polar components.  Only the transistor and MOSFET needed to be adjusted when we realized our mistakes.  The quality checks and encouragement as we worked were a definite plus.  There were several times I wanted to just give up and abandon the project.  Truly, I get by with a little help from my friends.





After the PCBs were in our hands, the task of soldering all the components was a team effort.  One person ran continuity tests on newly etched boards.  Another bridged scratches and pasted down traces.  Buttons (functional and fake) were inserted and crimped at one station while a fourth person began to solder on components.



That moment of truth when the LED lit up was breathtaking all nine times it happened.  When it, more often than not, didn't work on the first try, the scramble to troubleshoot was a team effort as well.  A loose connection, bad trace or through hole in need of a reflow was rooted out in minutes. I can't describe the feelings from closing the box with nine functional copies of the idea sketched out on a picnic table the year before.

Externals

Shell manufacture forced choices between what we wanted versus what we needed.  The mechanical ideas at the outset gave way to manufacturing considerations.  Features were pared back to match timelines, work schedules and summer vacation.  Anyone reading this who has worked in an Agile Development environment will recognize similar decisions they make every Sprint.  To borrow a cliché, "Perfect is the enemy of good enough."  With this in mind, we have an eleventh hour compromise ready: should the 3D printer prove a roadblock, we have arranged for a Wednesday night Hail Mary meeting to turn Ziploc Containers into eternal glory.

The Ziploc idea produced 4 "just in case" models.  We stabilized them with glass beads and hot glue.  The containers became the shell and mount for the PCB.  The beverage lid was provided by another Ziploc container hot-glued onto the buttons.  Hot glue for grip and stabilization of the platform finished the job.  See the result in the pic below next to the finished shells.


Luckily, the 3D Printer roadblock was cleared just two days before the BBQ.  Poor quality filament led to clogged extruders.  After a good cleaning, we were back in business.  5 shells total were produced with various upgrades.  We got a top that nested well with the shell, and the mouse-hole in the shell was added to allow the USB to be passed out of the body.  We did not get impressions in the top to get the lid closer to the lens of the LED.  We also did not get any part of the body held together by magnets.

Final assembly took place at Toxic BBQ itself.  The lights stayed on this year, but we started conversations and passed out some business cards with links here.  We placed a few on the tables farther out that didn't have light, and we presented two to the organizer in a Utilikilt.  Furthermore, it went on display in r00tz and the HHV for most of the convention.

Final Word

I left DEF CON for two years running with a profound sense of my own shortcomings.  I saw people around me doing amazing things, but I couldn't point to similar achievements for myself.  Though not terribly complex (most ideas came from Instructables, after all), the process and coordination required to pull off this simple idea has been eye opening.  It all started by pivoting from planning to doing.  It finished with an 80's-montage-worthy string of late nights and high fives.


Already, these efforts are fertile ground from which numerous other ideas have sprung.  Facing another DEF CON, I'm looking for the next big project instead of lamenting my noob credentials.  Only time will tell how many of these work their way to reality.

Monday, July 21, 2014

Touchscreen on Raspberry Pi

A friend has a few Elo Touchscreens from a past venture, and I have racked my brain trying to figure out a use for them. After giving up on Android PCs, I took a stab with a Raspberry Pi Model B running the Raspbian image from Noobs.  Two obstacles presented themselves:

  1. The Raspberry Pi only outputs HDMI.  For now, I'm going to try an HDMI to VGA converter. Better to get this thing off the ground than hem and haw about a 'better' solution.
  2. The touchscreen is inverted.  For this, I installed the xinput-calibrator tool per the instructions on the Raspberry Pi forums given by msmithy12 and a helpful config guide:

     sudo apt-get install libx11-dev
     sudo apt-get install libxext-dev
     sudo apt-get install libxi-dev
     sudo apt-get install x11proto-input-dev
     wget http://github.com/downloads/tias/xinput_calibrator/xinput_calibrator-0.7.5.tar.gz
     tar xvzf xinput_calibrator-0.7.5.tar.gz
     cd xinput_calibrator-0.7.5
     ./configure
     make
     sudo make install

     Then, from the menu: Preferences/Calibrate Touchscreen

     Do not immediately follow the instructions given when you run calibration (place the calibration in a /etc/X11/...).  Doing so borked my Raspbian install.  Instead, create the file specified in /usr/share/X11/xorg.conf.d/.  I ran "sudo leafpad 99-calibration.conf" to create and edit the file.  After dropping in the calibration indicated, I restarted and found out it stuck.  Woo hoo!
 I will update this space with my progress.  Currently, the setup is:
  • Raspberry Pi Model B ($35)
  • Elo Touchscreen ET1939L (Pre-owned)
  • BYTECC HM-VGA005 HDMI-A to VGA Female Adapter/Converter ($20)
  • 1 x WiFi Dongle (Ralink RT5370 chipset) ($10)

Lessons Learned


  • Single User Mode could have been used to save my Raspbian install.  It can be entered by adding init=/bin/sh to cmdline.txt.  I was using Noobs, so holding Shift while the Pi boots got me into the editor.
  • I like Linux more and more each project.

Friday, July 18, 2014

OFBC: Inspiration and Research

Note: This is part of the Project Write-up for OFBC: One Fluorescent Beer Coaster

The Idea

As night descended at Toxic Barbecue at DEF CON 21, everyone was working through the meat and alcohol they'd consumed much too fast and in much too large a quantity.  Rather than move the party somewhere else (Las Vegas' Sunset Park is safe at night, right?), we began to experiment with cell phone screens, then their flashes.  The lights were bright, but they were also extremely narrow in focus.  

The Liter of Light project gave us an idea to use a liquid to diffuse the light.  As there were still copious amounts of alcohol left behind, we started experimenting.  This 'research' led us to decide that Smirnoff Ice was the best diffuser.  Filtered beers were awful due to both the dark bottles absorbing light as well as the liquid having no solids to scatter any that was left. Smirnoff had the clear bottle and label as well as a ton of solids from the included fruit juice.  As this was a hacker party and not for frat boys, we had plenty left. The misogynists among us named them 'Bitch Lights' after the colloquial term for Smirnoff Ice: Bitch Drinks.  We had our product; now we needed to separate it from the phones.


Research

DEF CON 22 planning made us realize that we needed to make good on our promises made while too intoxicated to realize we knew nothing about how LEDs actually work.  First stop?  The local Hackerspace, of course.  SYN Shop is in downtown Las Vegas.  Multiple forum members are lighting and electronics techs on The Strip.  They pointed me towards specific packages, drivers and batteries.  I took this foundation and boiled it down to specifics.  I wanted the light to be composed of the following elements:
  1. Super Bright LED (1W, 100 lumens)
  2. LED driving circuit
  3. Battery (3-4 hours of time)
  4. Charging circuit (USB)
  5. Switch to turn it on
  6. 3D Printed Body
Armed with search terms from the forum, I found a wealth of helpful links.  I found LED packages that fit the "Super Bright" definition all over the web.  I learned a ton about batteries and chargers (did you know Sears still exists and has an online store?).  The most helpful site was Instructables.  There, I found several LED driver circuits that I actually understood.  After a trip to Fry's left me bewildered with options, I learned to better read datasheets.  Finally, I had a working circuit design.

Friday, June 27, 2014

R2B2

I built a copy of Justin Engler's Delta Bot R2B2.  Here's how I did it with a revised parts list.


Inspiration

Justin Engler and his iSEC Partners team presented his PIN punching robot at DEF CON 21.  Even though it was, by his own admission, a last resort in cracking phone PINs, it received coverage in Forbes and other outlets. 


Build

The 3D prints from my brother's Replicator came out well.  The dimensions were correct overall, but I had to do some filing to get the mounting bracket to slot together.  The servos I used required me to file out the slots a bit as well.  The spokes from my servo mount were a little large, so I filed those down too.  Overall, it wasn't too tough to fit everything together.  When I build another one, I need to see if my problems were caused by the STL files, how the G-Code was generated or the calibration of the printer itself.

The local RC shop called Hobby People had most of the small and moving parts.  Servos, ball joints and such came in at under $30.  Lowe's had the right sized all-thread to finish the job.  One thing about the construction was that I originally bought 10mm hex cap screws to join the ball joints to the biceps.  The way the bicep is built, though, the joint tends to hit the side of the bicep and limit the range of the effector.  To solve this, I moved the ball joints outward with small washers.  This made the 10mm hex caps too short, so I went with 15's instead.  Redesigning the bicep to free up movement might resolve this problem.  I slipped a metal stylus pen through a rubber grommet and effector.  The stylus was grounded with an alligator clip onto the breadboard.

The rest of the robot (as you can see in the pic) is an Arduino Uno, a small breadboard and a four-legged stand I put together from a 1x2 and some angle braces.  The robot is held to the frame by a fender washer through the central hole of the mounting bracket.  The sketch had to be modified with the correct measurements on the actual robot.  Most everything matched, so that built my confidence.  Once I uploaded the sketch, I played around with the machine code and made it dance.  This is when I found out the ball joints were binding against the bicep.  I also dropped the robot, and the short hex caps made it go everywhere.  D'oh!

I forked and cloned Justin's github to prep for writing some code and tidying up the notes.  Rather than cracking phone PINs, I plan to use this to punch card PINs on PIN Pads used in credit card processing.  I don't think I'll need the OpenCV code, so I'll have a blind version of R2B2 up in my own repository once I learn enough Python to be dangerous.

Finally, Marginally Clever has a new version of the delta bot that uses laser cut parts.  The R2B2 that Justin demoed at SXSW seems to have been made from this version out of acrylic.  Snazzy!  This comes with its own platen and looks mighty sturdy.  I might have to grab one and give it a spin.

New parts list

| Count | Cost Each | Name | Description |
|---|---|---|---|
| 2 | $1.94 | Du-Bro 2123 3.0 mm x 10mm Socket Head Cap Screw (4-Pack) P/N 2123 | Screws to connect effector to ball joints |
| 2 | $1.94 | Du-Bro 2124 3.0 mm x 15mm Socket Head Cap Screw (4-Pack) P/N 2124 | Screws to connect bicep to ball joints |
| 2 | $1.98 | Traxxas 5347 Rod Ends with Hollow Balls Large Revo (12) | Ball joints to form the arms from threaded rod |
| 6 | $1.04 | The Hillman Group 44817 8-32 x 6-Inch Threaded Rod, 10-Pack | Threaded rod for ball joints to connect bicep to effector. |
| 3 | $7.99 | The Hillman Group 44817 8-32 x 6-Inch Threaded Rod, 10-Pack | Servos that connect to bicep. Most will work, but Hobby People has adequate ones for cheap |
| As needed | Varies | Washers,Flat,3mm DUB2109 and The Hillman Group 36-Count #6 x 3/8-in Zinc Plated Standard (SAE) Flat Washer | Washers to separate arm from bicep and effector. Used to give arms maximum freedom. |
| 1 | $2.00 | Like Hillman Rubber Grommet (5/16x5/8x5/8x7/16) | Rubber grommet for effector to hold stylus |
| 1 | $4.00 | Like Stylus pen | Stylus for effector |
| 1 | $1.13 | 1 x 2 x 8 Spruce-Pine Furring Strip | Body for robot |
| 1 | $1.13 | 1-in Zinc Corner Braces | Braces to hold shape of robot |
| X | $2 | Bolt, fender washers and wingnut | Bolt to hold robot to body |