Entries Tagged 'hack'

Hacking the Asus WL-520GU w/ OpenWRT

Check out my post over at GumboLabs about hacking the Asus WL-520gu with OpenWRT. I am in the process of creating a wireless home power monitoring system that connects to Pachube. I have been really busy at work and with other projects lately, so it may not happen for a while, if at all.

I am going to be writing a few articles on the GumboLabs blog from time to time to help get it going and hopefully get a small readership. I will be posting links from here.

WarioWare Twisted + QTAR

I have been thinking about designing, coding, and building a quad copter for a long time. I think I am finally at a level of experience and financial security to give it a run. In the mean time, I got a Silverlit X-UFO with a broken mechanical gyro off eBay and did a Plottermeier mod. I just wanted to start fooling around with a quadrotor to get used to some of the controls and terminology. I got the electronic gyros from two WarioWare Twisted games: http://en.wikipedia.org/wiki/WarioWare_Twisted!. Here’s a video.

Creating a remote seedbox / mediabox / webserver from an old PC

I know a lot of people have covered this, but I thought I would share my process behind creating my little multifunctional webserver. I had an old tower that I wasn’t really using. It has an Intel chip (a Celeron, possibly?), 2G of memory, and 2 hard drives [50GB and 500GB]. I also have a decent Nvidia video card with DVI output. I originally just used it as a mediabox. I had it hooked up to my TV, I ripped Netflix movies on my OS X machine using HandBrake into an AVI format, then I put them on this system [which is running Ubuntu] and played them using VLC. This was all well and good, but I didn’t like the idea of having a mouse and keyboard hanging around all the time. So I turned to VLC’s command line interface. After playing around for a while, I was able to get the http interface working. I created an alias in my ~/.bashrc as a little macro:

alias vlcrc='export DISPLAY=:0 ; vlc -I http --no-media-library'

** The DISPLAY=:0 may or may not be necessary to get your video card to display to the attached monitor or TV **

After this, I set up SSH on Ubuntu. Then I gave the Ubuntu machine a static IP address [192.168.0.100] through my router’s admin interface [instructions depend on the router, GIYF]. Now, from my laptop connected to the same network over Wifi, I am able to SSH into the mediabox and run something like this:

vlcrc There_Will_Be_Blood.avi

Then I can open up Firefox and go to this URL:

http://192.168.0.100:8080/

and I am presented with this beautiful javascript interface:

[image: vlc_interface1]

It allows you to control everything in your VLC instance like volume, position, fullscreen, pause/play, etc., just like a remote control. The coolest thing for me was that I could control this with my G1 :) If you try this and get a 403 error, you need to configure your .hosts file. Look here: http://www.videolan.org/developers/vlc/NEWS and do a browser search for ‘.hosts’ to see the instructions. You just need to add the IPs of computers that want access to the http interface to a whitelist. I just added a bunch of IPs between 192.168.0.101 and 110 because I knew my laptops would never get assigned anything out of that range. By this point, I was able to hide the PC behind my TV and not worry about connecting a mouse and keyboard to it. I was able to pick up a DVI to HDMI cable for 10 dollars at Optimized Cable. They are cheap, but adhere to the HDMI 1.3b standard, and as long as they are 6 feet or under, you shouldn’t be able to tell the difference between these and the expensive Monster cables.

From here I started to set up the torrent side of the box. Ubuntu now comes with Transmission, which is arguably one of the best clients around. To save yourself from problems later on, make sure it is upgraded to something over 1.5. If you need to update, go to getdeb.net and get transmission-common and transmission-gtk. Download and install them in that order. After you run it, you can go to Preferences –> Web and set up the web interface. I set mine up on port 9091 and then went to this URL from my laptop:

http://192.168.0.100:9091

You are then presented with a cool interface for uploading, controlling, and monitoring your torrents:

[image: transmission_interface]

This was really helpful, but I soon wanted a little more functionality. Wouldn’t it be cool if I could control this from anywhere on the net? Of course. For that, I needed to make this computer visible to the net.

The thing that makes this part difficult is the way in which most residential users access the internet. As you may know, accessing a domain name, like datasingularity.com, requires a DNS lookup to find the IP address that the domain is referring to. The problem is that most people don’t keep the same IP address for very long. Much like DHCP on your router, your ISP often assigns you different IPs when you connect to their network. This is called having a dynamic IP, as opposed to having a static ‘non-changing’ IP. Since your IP is not always the same, a DNS record that points your domain at your current IP will not stay correct for long. If you are not on a business network and don’t know if you have a static or dynamic IP, we can just assume that you have a dynamic IP. That is why you need the DynDNS service. They constantly update your DNS information for you. You just install a client on your webserver and it tells their service when your IP changes. Kick ass.

You can get a free domain like mydomainname.homelinux.net, or you can pay for a custom one. I went ahead and signed up, then registered a free domain. I then followed the instructions at this informative link: http://mexpolk.wordpress.com/2008/01/29/ubuntu-gutsy-dyndns-client-setup/. Then I went to this link: http://www.portforward.com/routers.htm to set up port forwarding on my D-Link DI-604 ethernet router. The first port I set up was port 22. This now allows me to SSH and SFTP to my home computer. Yessss. Then I forwarded port 9091 to get to my Transmission web interface. If your router supports it, you can forward external port 80 to internal port 9091; that way, you can just go here:


http://mydomain.homelinux.net

and it takes you straight to the interface! Otherwise, you need to forward 9091 external to 9091 internal and go here:


http://mydomain.homelinux.net:9091

If you want this to be a regular webserver at the same time, it is best to leave port 80 clear and just use 9091. You have to ensure a few things in your Transmission client. Make sure that you go to Preferences –> Web tab and set it up to require a username and password. You don’t want anyone on the net to just go in and mess with your torrents! Then make sure you disable the IP whitelist so any IP can access it. I think it is just a checkbox somewhere in the Preferences –> Web tab.

I am currently in the process of creating a Rails web application to be served locally. It basically holds all the metadata for my media [tied to imdb web service] and lets me browse my system from another web browser on the same network. I can then click a movie or TV show to play it. It launches a VLC process and the HTTP javascript interface in a new browser window! Not done yet but will keep anyone interested updated.

I am somewhat of an idiot when it comes to security, so anyone please chime in if you see any obvious problems here. Any comments, tips, or criticisms are appreciated.

IRC and Arduino

A while back, I wrote a small python script to act as a proxy between IRC and an Arduino. This video illustrates some of the details.

Here is a zip file with everything to download.

The basic idea was this: the Python IRC bot sits in the chat room and waits until someone addresses its nick like so:

     {NICK}: {command} {arg1} {arg2} ... {etc}

The bot parses the response into a command and a series of arguments. Originally, all this was hardcoded, but through python’s powers of introspection, I realized I could make this way more dynamic. The end result is a framework of sorts. The user can edit the Commands.py file adding functions and settings to his/her specification. The example in the video would be written like this:

#
# module for configuration and commands
#
from Arduinos import Arduino

# Program Settings
DEBUG = True

# IRC Settings
NICK = "arduino"
SERVER = "irc.paraphysics.net"
CHANNEL = "#arduinoroom"
PORT = 6667

# Arduino Settings
USB_PATH = '/dev/tty.usbserial-A7006Qe8'
BAUD = 9600

# define methods
def lightLed(arduino, args):
	arduino.send('~') # header
	arduino.send(args[0])
	arduino.send('~') # terminating
	return arduino.read(4) # read 4 bytes from arduino

def readPot(arduino):
	arduino.send('}}') # header
	return arduino.read(4) # read 4 bytes from arduino

Obviously, you can change the constants to what you need and the daemon picks up on these when it is started. The nice thing about this ‘framework’ is the second half of the script. When you define a method, the IRC bot automagically “understands” it. This is because every time it receives a message directed to it, it calls

    reload(Commands)

and reads the function names. So you don’t have to restart the server while developing your functions [an idea stolen from Rails]! Then it parses the incoming message, tries to call the first word as a method, and splits the rest of the message into a list. There is no need to worry about the details; what you do need to know to use it is that there are two types of functions, ones with and ones without arguments. The above example illustrates both. Let’s say we define 2 functions:

# define methods
def function1(arduino, args):
    print "function1"
    print args

def function2(arduino):
    print "function 2"
    print "no args"

Now, we go into the IRC chat room and issue a command like this:

   arduino: function2

The output would be this:

   function 2
   no args

Then lets say we send this:

   arduino: function1 hello world!

The bot would parse it and you would see this output:

   function1
   ['hello', 'world!']

So args becomes a list made by splitting the rest of the message on whitespace. Your function always needs to have the ‘arduino’ argument. This argument is a custom class I created which looks like this:

import serial

class Arduino():

    def __init__(self, path='/dev/tty.usbserial', baud=9600):
        self.ser = serial.Serial(path, baud)

    def send(self, data):
        # write a string to the board
        self.ser.write(data)

    def read(self, bytes):
        # busy-wait until at least `bytes` bytes are buffered, then return them
        while (1):
            if (self.ser.inWaiting() > bytes-1):
                return self.ser.read(bytes)

    def flush(self):
        # discard any input from the board that has not been read yet
        self.ser.flushInput()

It is pretty simple, send() sends a string. read() waits for the defined number of bytes to come in and returns the results. To better understand how the example Commands.py script works, take a look at the arduino sketch:

#define LED 13

byte nextByte();   // forward declaration (the Arduino IDE normally generates these)

void setup() {
  pinMode(LED, OUTPUT);
  Serial.begin(9600);
}

void loop() {
  if (nextByte() == 126) {                  // '~' header byte: LED command
    char args[10] = {0};                    // argument buffer, zero-filled
    char charIn = 0;
    byte i = 0;
    // collect bytes until the terminating '~'; stop early if the buffer is full
    // so a long message cannot write past the end of args
    while (charIn != 126 && i < sizeof(args) - 1) {
      charIn = nextByte();
      args[i] = charIn;
      i += 1;
    }
    if ((args[0] == 'o') && (args[1] == 'n')) {
      digitalWrite(LED, HIGH);
      Serial.print("on  ");                 // reply is always 4 bytes wide
    }
    else if ((args[0] == 'o') && (args[1] == 'f')) {
      digitalWrite(LED, LOW);
      Serial.print("off ");
    }
    delay(10);
    Serial.flush();
  }
  // this second nextByte() consumes one more byte, which is why readPot() in
  // Commands.py sends '}}' instead of a single '}'
  else if (nextByte() == 125) {             // '}' header byte: pot command
    int val = analogRead(0);
    // pad the value to 4 characters so read(4) on the Python side gets it whole
    if (val < 10) {
      Serial.print(val);
      Serial.print("   ");
    }
    else if (val < 100) {
      Serial.print(val);
      Serial.print("  ");
    }
    else if (val < 1000) {
      Serial.print(val);
      Serial.print(" ");
    }
    else {
      Serial.print(val);
    }
  }
  delay(10);
  // note: on Arduino 1.0+ flush() waits for outgoing data to finish sending;
  // on older IDE versions it discarded any unread input
  Serial.flush();
}

// block until a byte arrives, then return it
byte nextByte() {
  while (1) {
    if (Serial.available() > 0) {
      return Serial.read();
    }
  }
}

Yeah, not the cleanest code, but hopefully you get the idea. I am not releasing a whole lot of detail on how to use this because I figure if you are using it, then you already know enough about Python and Arduino to get by. I built this with room to add Firmata support, but have yet to implement it and probably never will unless people beg. To run, first get pyserial and irclib.py. Upload the sketch to your Arduino and run:

   python Main.py
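The message parsing and the reload-then-lookup dispatch described above, written out as an added example; this is not code from the zip or from the original post. It stands in a fake Arduino and loads the page's Commands.py from a string so it runs offline, and it also rejects names that are reachable through getattr but are not commands (imported helpers, classes, dunder attributes), a check the original post does not mention.

```python
import inspect
import types

# Constructed stand-in for the page's serial Arduino class, so this runs offline.
class FakeArduino:
    def __init__(self):
        self.sent = []            # everything send() was given, in order

    def send(self, data):
        self.sent.append(data)

    def read(self, n):
        return "0042"[:n]         # pretend the board replied with a padded value

# The page's Commands.py, loaded from a string into a module object so the
# example is self-contained; reload(Commands) on a real file has the same effect.
COMMANDS_SRC = '''
from os.path import join       # an imported name that must NOT become a command

def lightLed(arduino, args):
    arduino.send('~')          # header
    arduino.send(args[0])
    arduino.send('~')          # terminator
    return arduino.read(4)

def readPot(arduino):
    arduino.send('}}')         # header (two bytes, see the sketch)
    return arduino.read(4)
'''

def load_commands(src=COMMANDS_SRC):
    mod = types.ModuleType("Commands")
    exec(src, mod.__dict__)    # functions defined here get __module__ == "Commands"
    return mod

def parse_message(nick, text):
    """'arduino: lightLed on' -> ('lightLed', ['on']); None if not addressed to nick."""
    prefix = nick + ":"
    if not text.startswith(prefix):
        return None
    words = text[len(prefix):].split()   # remaining words become the args list
    return (words[0], words[1:]) if words else None

def dispatch(commands, arduino, nick, text):
    """Look the command up by name and call it with or without args by arity."""
    parsed = parse_message(nick, text)
    if parsed is None:
        return None
    name, args = parsed
    func = getattr(commands, name, None)
    # accept only functions defined in Commands itself: imported helpers, classes
    # and dunder attributes are reachable through getattr but are not commands
    if not inspect.isfunction(func) or func.__module__ != commands.__name__:
        return "unknown command: " + name
    nparams = len(inspect.signature(func).parameters)
    if nparams == 2:
        return func(arduino, args)
    return func(arduino) if nparams == 1 else "bad signature: " + name
```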

IR Decoding with magnetic pickups

I wrote this article a few months ago and it generated a lot of interest. It describes how to decode IR signals just using your electric guitar, a wav editor, and your eyeballs.

Changing a DoorKing greeting message

[image: Doorking_pic]

If you are in college, you are more than likely familiar with the DoorKing. You are probably also familiar with how much these things suck. There are a million of these in Baton Rouge and they never work. I am going to briefly explain the process of changing the greeting message on them (for almost all models). The routine is pretty easy. It relies on the fact that most people keep the default password: 9999 . You can get all this information from the Doorking manual. I suggest you read that first, then read this to get the finer details.

First off, if the password has been changed, this won’t work. But don’t let that stop you! Remember, 10^4 is only 10,000 numbers. That sounds like a lot but people always try to make codes that are easy to remember. Try 1234, 1940-1980 (birth-years), 1776, etc. No worries though, the password is a pain to change for the technological layman. You have to open the machine and set a specific switch, program it, then switch it back so your chances are pretty good. Every one I have tested has had a default password. Now, here is a step-by-step process for a successful hack.

  1. You have a space of 48 characters to work with, plan it out before hand. Your character set is every capital letter, 0-9, and a space character. Also, the more your message has that “blue” tinge, the less time it will be up.
  2. Go at a time when you will be less likely to have to deal with people coming up behind you. The whole process should take about 1 or 2 minutes depending on your alphanumeric keyboard ability.
  3. When you pull up press *80 (the greeting input function) then 9999 (or the password you found). You have to enter these seamlessly or it won’t work.
  4. After this, you enter the input mode. The display will say BLOCK 1. There are 3 “blocks”, Block 1 and Block 2 are 20 characters long and Block 3 is 8 characters long.
  5. The interface works a lot like a phone. For example, “L” is 555, “P” is 7, “N” is 66, and “2” is 2222. You can see the character as you push the button, this makes it pretty easy. After each character hit *. You will hear a short beep for each one and the cursor will move over (although not visible). BTW, the space character is 1. // Refer to page 34 of the manual.
  6. Now a full example: “TWO 2” is 8*9*666*1*2222* .
  7. Okay, so you keep typing these in until you run out of space on the screen. This is the 20 character limit specified for a “block”. If you keep going, it will start to write over the beginning of the block. You have to enter the block into memory by pressing *. You will see the screen clear and it should say: BLOCK 2.
  8. If your message is not done, enter a second block the same way.
  9. Do the same for Block 3. Remember, the 3rd block is only 8 characters. // At any point, hitting # will clear the entire block.
  10. At the end, press * again to enter all the blocks into system memory. You should hear a long beep. If it doesn’t work out, keep hitting * until it does. You must hear that long beep to finish!
  11. Also, if your message is really short, you can skip blocks by hitting *. You may need to enter at least one character, preferably a space (1*), in each block to enter it. I’m not sure about this. Experiment.

That is pretty much it. If you are feeling really adventurous, and psychotic, you could build a small box with 12 solenoids to push the buttons. It could quickly program messages and maybe even brute force a password. There are also other ways to do this. There is special software, that you can probably download easily for free, to do this stuff and more. Anyway, be careful with some of these functions, changing the relay strike time may not be too nice, along with other things.

/** For the record, I recommend that you never do this. I have never done this. Any comment I make about a “real-world” situation is fiction. Also, I’ve heard this has been done before so I can’t take credit for figuring it out. */

TV-B-Gone sniper shirt

Here in Baton Rouge, people love TV, especially sports-motivated programming. I hate this. Take a place like Plucker’s for instance (if you have never been to Plucker’s, imagine a bar/restaurant built with plasma TVs in place of drywall). The great people at Plucker’s have assured that no matter where you sit at their round tables you are forced to watch at least 5 different TV programs at the same time, killing all chances of conversation with your friends or family. Alas, there is hope.

TV-B-Gone from Cornfield Electronics is really one of my favorite little inventions. It is an extremely simple and elegant little hack that allows you to turn off (or on) any TV by cycling through the ‘on/off’ codes of every TV manufacturer in less than 60 seconds. The best thing about it is the priority list it uses to start off with the more popular TV brands assuring that you will usually succeed within 10 seconds of pointing the device at the TV. I had a lot of fun playing with my TV-B-Gone but after my first field test, I found that holding up your keys to your head and having people laughing at your table was not going to work out. I needed a stealthier approach which would allow me to conceal my plans from everyone, including the people I was with. So I opened up the TV-B-Gone to see how it worked and found it is ready and willing to be hacked.

My idea was to extend the IR-LED to the button region on the front pocket of my shirt, place the TV-B-Gone module in the pocket, and extend the button through the inside of my shirt and down to my pants pocket. Essentially, there are only two parts you need to know about: the button which initiates the sequence (which looks like this) and the infra-red LED (which looks like this). First, desolder the button and the IR-LED. Remember, the LED is a polarized component, so try to remember which way it was connected. The button can be a little confusing too, but it’s not polarized. Just do some tests. Then, cut a few inches of some light gauge wire for the IR-LED and solder the wire to the leads. Do the same for the button and feed the wires from the button through the ‘skin-side’ of the inside of your pocket. Here is a picture of the module in the pocket. Remember, the leads on the top (for the button) go into my shirt.

[image: in_pocket_tvbgone]

Take the IR-LED and poke the leads through the front of the pocket right under the shirt button and wire it up inside the pocket.

[image: LED_shirt_button]

Next, open up the shirt (or flip it inside-out). Get the leads from the TV-B-Gone button and measure out a few long pieces of wire to where your pants pocket would be. I used speaker wire but that’s all I had.

[image: inside_of_shirt_and_button]

Then solder up the button and tape it to prevent bounces and shorts.

[image: tv_b_gone_button_ext]

This is the part that goes in your pants pocket so you can inconspicuously trigger the TV-B-Gone. There are a million ways to do this and many are probably better. If you really want to make this a full project, I would recommend a hat, with LEDs all around it (somehow disguised) and powered up a little stronger. Also, some kind of auto-fire function, maybe with a 555 timer, would be cool. My version could be a little stronger and have a much wider field. However, I did manage to turn off nearly every TV at Plucker’s recently without any of my friends noticing it was me. Finished product:

[image: tv_b_gone_shirt_finished]