
Interposer Helps GPS Receiver Overcome Its Age

4 March 2025 at 21:00

We return to [Tom Verbeure] hacking on Symmetricom GPS receivers. This time, the problem’s more complicated, but the solution remains the same – hardware hacking. If you recall, the previous frontier was active antenna voltage compatibility – now, it’s rollover. See, the GPS receiver chip has its internal rollover date set to the 18th of September 2022. We passed this date a while back, but the receiver’s firmware isn’t new enough to know how to handle this. What to do? Build an interposer, of course.

You can bring the module up to date by sending some extra init commands to the GPS chipset during bootup, and firmware hacking just wasn’t the route to take. An RP2040 board, a custom PCB, a few semi-bespoke connectors, and a few zero-ohm resistors were all it took to make this work. From there, a MITM firmware wakes up, sends the extra commands during power-on, and passes all the other traffic right through – the system suspects nothing.

Everything is open-source, as we could expect. The problem’s been solved, and, as a bonus, this implant gives a workaround path for any future bugs we might encounter as far as GPS chipset-to-receiver comms are concerned. Now, the revived S200 serves [Tom] in his hacking journeys, and we’re reminded that interposers remain a viable way to work around firmware bugs. Also, if the firmware (or the CPU) is way too old to work with, an interposer is a great first step to removing it from the equation completely.
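To show what the rollover actually does to the receiver, here is an added example (not [Tom]’s code) modelling GPS week-number ambiguity: satellites broadcast only a 10-bit week count, so firmware needs a baked-in reference week to pick the right 1024-week span. The reference week of 1204 (2 February 2003) is an assumption chosen because it puts the rollover exactly 1024 weeks later, on the 18 September 2022 date the article gives; the code shows the same broadcast value resolving to 2005 with the stale reference and to the true 2025 date once a newer reference is supplied, which is the effect of the interposer’s init commands. On a device that exists to serve time, a 19-year date error also breaks everything downstream that checks certificate validity periods or log timestamps.

```go
package main

import (
	"fmt"
	"time"
)

// GPS week 0 began on 1980-01-06 00:00:00 UTC; the broadcast week counter is 10 bits.
var gpsEpoch = time.Date(1980, time.January, 6, 0, 0, 0, 0, time.UTC)

const weeksPerRollover = 1024

// WeekOfDate returns the full GPS week number containing t.
func WeekOfDate(t time.Time) int {
	return int(t.Sub(gpsEpoch) / (7 * 24 * time.Hour))
}

// DateOfWeek maps a full week number and seconds-of-week back to UTC.
func DateOfWeek(week, tow int) time.Time {
	return gpsEpoch.Add(time.Duration(week)*7*24*time.Hour + time.Duration(tow)*time.Second)
}

// ResolveWeek is the firmware's ambiguity resolution: from the 10-bit week the
// satellites broadcast, pick the full week number that is at or after baseWeek
// (the reference week baked into the firmware) and less than 1024 weeks later.
func ResolveWeek(week10, baseWeek int) int {
	full := baseWeek - baseWeek%weeksPerRollover + week10%weeksPerRollover
	if full < baseWeek {
		full += weeksPerRollover
	}
	return full
}

func main() {
	// Assumption: the chip's reference week is 1204 (2003-02-02), which makes its
	// rollover land exactly 1024 weeks later, on 2022-09-18, as the article states.
	oldBase := WeekOfDate(time.Date(2003, time.February, 2, 0, 0, 0, 0, time.UTC))
	now := time.Date(2025, time.March, 4, 21, 0, 0, 0, time.UTC)
	trueWeek := WeekOfDate(now)
	week10 := trueWeek % weeksPerRollover // all the receiver actually gets from the sky

	fmt.Printf("true week %d, broadcast as %d\n", trueWeek, week10)
	fmt.Printf("stale firmware base %d -> %s\n", oldBase,
		DateOfWeek(ResolveWeek(week10, oldBase), 0).Format("2006-01-02"))

	// What the interposer's init commands effectively do: hand the chip a newer
	// reference date so the same 10-bit value resolves into the right 1024-week span.
	newBase := WeekOfDate(time.Date(2024, time.January, 1, 0, 0, 0, 0, time.UTC))
	fmt.Printf("updated base %d -> %s\n", newBase,
		DateOfWeek(ResolveWeek(week10, newBase), 0).Format("2006-01-02"))
}
```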

Cheap Hackable Smart Ring Gets a Command Line Client

4 March 2025 at 12:00

Last year, we featured a super cheap smart ring – BLE, accelerometer, heart sensor, and a battery, all in a tiny package that fits on your finger. Back when we covered it, we expected either reverse-engineering of the stock firmware, or development of a custom firmware outright. Now, you might be overjoyed to learn that [Wesley Ellis] has written a Python client for the ring’s stock firmware.

Thanks to the lack of any encryption whatsoever, you can simply collect the data from your ring, no pairing necessary, and [Wesley]’s work takes care of the tricky bits. So, if you want to start collecting data from this ring right now and integrate it into anything you want, such as your smart home or exoskeleton project, this client is enough. A few firmware secrets remain – for instance, the specific way that the ring keeps track of day phases, or SpO2 intricacies. But there’s certainly enough here for you to get started with.

This program will work as long as your ring uses the QRing app – should be easy to check right in the store listing. Want to pick up the mantle and crack open the few remaining secrets? Everything is open-source, and there’s a notepad that follows the OG reverse-engineering journey, too. If you need a reminder on what this ring is cool for, here’s our original article on it.

Hijacking AirTag Infrastructure To Track Arbitrary Devices

4 March 2025 at 03:00
An excerpt from the website, showing the nRootTag block diagram and describing its structure

In case you weren’t aware, Apple devices around you are constantly scanning for AirTags. Now, imagine you’re carrying your laptop around – no WiFi connectivity, but BLE’s on as usual, and there’s a little bit of hostile code running at user privileges, say, a third-party app. Turns out, it’d be possible to make your laptop or phone pretend to be a lost AirTag – making it and you trackable whenever an iPhone is around.

The nroottag website isn’t big on details, but the paper ought to detail more; the hack does require a bit of GPU firepower, but nothing too out of the ordinary. The specific vulnerabilities making this possible have been patched in newer iOS and macOS versions, but it’s still possible to pull off as long as an outdated-firmware Apple device is nearby!

Of course, local code execution is often considered game over, but it’s pretty funny that you can do this while making use of the Apple AirTag infrastructure, relatively unprivileged, and exfiltrate location data without any data connectivity whatsoever, all as long as an iPhone is nearby. You might also be able to exfiltrate other data, for what it’s worth – here’s how you can use AirTag infrastructure to track new letter arrivals in your mailbox!

Here’s A Spy Movie-Grade Access Card Sniffing Implant

3 March 2025 at 21:00

Some of our devices look like they’re straight out of hacker movies. For instance, how about a small board you plant behind an RFID reader, collecting access card data and then replaying it when you next walk up to the door? [Jakub Kramarz] brings us perhaps the best design on the DIY market, called The Tick – simple, flexible, cheap, tiny, and fully open-source.

Take off the reader, tap into the relevant wires and power pins (up to 25V input), and just leave the board there. It can do BLE or WiFi – over WiFi, you get a nice web UI showing you the data collected so far, and letting you send arbitrary data. It can do Wiegand like quite a few open-source projects, but it can also do arbitrary clock+data protocols, plus you can just wire it up quickly, and it will figure out the encoding.

We could imagine such a board inside a Cyberpunk DnD rulebook or used in Mr Robot as a plot point, except that this one is real and you can use it today for red teaming and security purposes. Not to say all applications would be NSA-catalog-adjacent pentesting – you could use such a bug to reverse-engineer your own garage door opener, for one.

Sensory Substitution Device Tingles Back Of Your Hand

3 March 2025 at 19:30

A team from the University of Chicago brings us a new spin on sensory substitution, the “Seeing with the Hands” project, turning external environment input into sensations. Here specifically, the focus is on substituting vision with hand sensations, aimed at blind and visually impaired people. The prototype is quite inspiration-worthy!

On the input side, we have a wrist-mounted camera, sprinkled with a healthy amount of image processing, of course. As for the output, no vibromotors or actuators are in use – instead, tactile receptors are stimulated by passing small amounts of current through your skin, triggering your touch receptors electrically. An 8×8 array of such “tactile” pixels is placed on the back of the hand and fingers. The examples provided show it to be a decent substitution.

This technique depends on the type of image processing being used, as well as the “resolution” of the pixels, but it’s a fun concept nevertheless, and the study preprint has some great stories to tell. This one’s far from the first sensory substitution device we’ve covered, though, as quite a few of them were mechanical in nature – the fewer moving parts, the better, we reckon!

A MicroPython Interpreter For Flipper Zero

3 March 2025 at 12:00
Screenshot of the REPL running on the Flipper, importing the flipper API library and calling infrared receive function out of it with help of autocomplete

Got a Flipper Zero? Ever wanted to use a high-level but powerful scripting language on it? Thanks to [Oliver], we now have a MicroPython application for the Flipper, complete with a library for hardware and software feature support. Load it up, start it up, connect over USB, and you’ve got the ever-so-convenient REPL at your disposal. Or, upload a Python script to your Flipper and run it directly from the Flipper’s UI at your convenience!

In the API docs, we’re seeing support for every single primitive you could want – GPIO (including the headers at the top, of course), a healthy library for LCD and LCD backlight control, button handling, SD card support, speaker library for producing tones, ADC and PWM, vibromotor, logging, and even infrared transmit/receive support. Hopefully, we get support for Flipper’s wireless capabilities at some point, too!

Check out the code examples, get the latest release from the Flipper app portal or GitHub, load it up, and play! Mp-flipper has existed for the better part of a year now, so it’s a pretty mature application, and it adds quite a bit to the Flipper’s use cases in our world of hardware hacking. Want to develop an app for the Flipper in Python or otherwise? Check out this small-screen UI design toolkit or this editor we’ve featured recently!

Making The Alarmo Customizable, By Any Means Necessary

3 March 2025 at 03:00
A picture of the Alarmo running a tweaked firmware, showing a theme with (Debug) added to its name, obviously a firmware modification

Last year, Nintendo released the Alarmo, a bedside-style alarm clock with a colourful display. Do you own one? You deserve full control over your device, of course. [KernelEquinox] has been reverse-engineering an Alarmo ever since getting one, and there’s no shortage of cool stuff you’ll be able to do with an Alarmo thanks to this work.

Now, just how can you improve upon the Alarmo? Looking through the Alarmo dev community site and threads on the subreddit, there are plenty of ideas, from themes to a ton of possible behaviour tweaks! In particular, Nintendo has already changed the Alarmo’s behaviour in a way that is jarring to some users – a third-party development community will help us all make sure our Alarmos work exactly like we expect them to. Want to replace the sound files, tie your Alarmo into your smart home setup, write your own apps, tweak the UI or default behaviour, fix a bug that irks you real bad, or access a debug menu? Or, ensure that the Alarmo doesn’t contribute to light pollution in your room? All of it appears to be doable.

Like the Alarmo, but don’t own one yet? They’re limited-release for now, but they will be more widely available this March; we thank [KernelEquinox] for the work in making the Alarmo hacker-friendly. If you’ve forgotten, this project started off thanks to the efforts of [Gary] last year. We covered it back then — cat pictures included!

On Sensory Weaver Building

2 March 2025 at 21:00

What is a sensory weaver? [Curiosiate] tells us: “A device which takes sensory data feeds in and converts it in various ways on the body as information streams as though a native sensory input.” As an example, they’ve built one.

This one, called “MK2 Lockpick”, is a wrist-mounted array of linear actuators, with a lengthy design/build log to peek into. We don’t get PCB files (blame EasyEDA’s sharing), but we do at least get a schematic and more than enough pictures for anyone interested to reproduce the concept – the levels of bespoke-ness here warrant a new PCB for any newcomers to sensory weaver building, anyway. We also get a story of a proof-of-concept thermal input sensory weaver. The team even includes lessons learned, and plenty of inspiration throughout the posts on the blog.

This kind of tech is getting more and more popular, and we are sure there will be more to come — especially as we keep getting cool new gadgets like linear actuators in form of replacement parts. For instance, the actuators in this sensory weaver are harvested from Samsung S23 smartphones, and you could probably find suitable ones as iPhone replacement parts, too. Looking to start out in this area but want a quick build? Look no further than the venerable compass belt.

This Gesture Sensor Is Precise, Cheap, Well-Hidden

2 March 2025 at 06:00

In today’s “futuristic tech you can get for $5”, [RealCorebb] shows us a gesture sensor, one of the sci-fi kind. He was doing a desktop clock build, and wanted to add gesture control to it – without any of the holes that a typical optical sensor needs. After some searching, he found Microchip’s MGC3130, a gesture sensing chip that works with “E-fields”, more precise than the usual ones, almost as cheap, and with a lovely twist.

The coolest part about this chip is that it needs no case openings. The 3130 can work even behind obstructions like a 3D-printed case. You do need a PCB the size of a laptop touchpad, however — unlike the optical sensors easy to find from the usual online marketplaces. Still, if you have a spot, this is a perfect gesture-sensing solution. [RealCorebb] shows it off to us in the demo video.

This PCB design is available as Gerbers, BOM and schematic PDF. You can still order one from the files in the repo. Also, you need to use Microchip’s tools to program your preferred gestures into the chip. Still, it pays off, thanks to the chip’s reasonably low price and on-chip gesture processing. And, [RealCorebb] provides all the explanations you could need, has Arduino examples for us, links all the software, and even provides some Python scripts! Touch-sensitive technology has been gaining more and more steam in hacker circles – for instance, check out this open-source 3D-printed trackpad.

The Bus Pirate 5 Sure Can Glitch

2 March 2025 at 00:00

Own a Bus Pirate 5? Now, it can do power glitching, thanks to [Matt Brugman]’s demo and contributions to the stock code. This is also a great demo of the Bus Pirate’s capabilities and programmability! All you need is the Bus Pirate and a generic Arduino – load a glitch-vulnerable code example into the Arduino, get yourself a generic FET-based glitching setup, and you too can play.

The Arduino board outputs data over UART, and that’s used as a trigger for the Bus Pirate’s new glitch feature – now mainline, thanks to [Matt]’s pull request. It’s pretty feature-complete, too — all parameters are configurable, it can vary the glitching interval, as one would want, and the code checks for success conditions so that it can retry glitching automatically.

In this demo, it only took six consecutive attempts to successfully glitch the ATMega328P – wouldn’t you know it, the code that got glitched was pulled almost wholesale from an IoT device. Glitching remains an underappreciated vector for reverse-engineering, and there’s really no shortage of hacks it allows you to do – get yourself a FET, a Bus Pirate, or maybe just an ESP8266, and join the glitching-aware hackers club!

Want to know more about the Bus Pirate 5? Check out our hands-on review of the hacker multi-tool from last year.

Making a PCR Machine Crypto Sign Its Results

1 March 2025 at 12:00
A PCR machine with its side cover taken off exposing its guts, and the tray extended out

Money, status, or even survival – there’s no shortage of incentives for faking results in the scientific community. What can we do to prevent it, or at least make it noticeable? One possible solution is cryptographic signing of measurement results.

Here’s a proof-of-concept from [Clement Heyd] and [Arbion Halili]. They took a ThermoFisher Scientific 7500 Fast PCR (Polymerase Chain Reaction) machine, isolated its daughter-software, and confined it into a pipeline that automatically signs each result with the help of an HSM (Hardware Security Module).

As many machines do, this one has to be paired to a PC running bespoke software. This one’s running Windows XP, at least! The software got shoved into a heavily isolated virtual machine running XP, protected by a TEE (Trusted Execution Environment). The software’s output is now piped through a data diode virtual serial port out of the VM, immediately signed with the HSM, and the signed data is accessible through a read-only interface. Want to verify the results’ authenticity? Check them against the system’s public key, and you’re golden – in theory.

This design is just a part of the puzzle, given a typical chain of custody for samples in medical research, but it’s a solid start – and it happens to help make the Windows XP setup more resilient, too.
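The signing half of that pipeline, as an added example that is not the authors’ code: result lines arrive one at a time from the data diode, each gets a sequence number and an Ed25519 signature, and a verifier with only the public key can later confirm that no line was altered, dropped or reordered. The HSM is stood in for by a key derived from a constructed seed so the example runs offline; the result line format (comma-separated sample, target, Ct value) is also constructed and is not what the 7500 Fast emits.

```go
package main

import (
	"crypto/ed25519"
	"encoding/base64"
	"fmt"
	"strconv"
	"strings"
)

// Signer stands in for the HSM in the article's pipeline. A real HSM never exports
// its private key; here the key is derived from a constructed seed purely so the
// example runs offline (an assumption of this example, not the project's setup).
type Signer struct {
	priv ed25519.PrivateKey
	seq  int // monotonically increasing, so dropped or reordered lines are detectable
}

// ExampleSeed is a constructed 32-byte seed for demonstration only.
func ExampleSeed() []byte {
	seed := make([]byte, ed25519.SeedSize)
	copy(seed, "constructed seed, example only")
	return seed
}

func NewSigner(seed []byte) *Signer { return &Signer{priv: ed25519.NewKeyFromSeed(seed)} }

// Public returns the verification key that auditors obtain out of band.
func (s *Signer) Public() ed25519.PublicKey { return s.priv.Public().(ed25519.PublicKey) }

// SignResult takes one result line as it arrives from the data diode, prefixes a
// sequence number, and appends a base64 Ed25519 signature over "seq<TAB>line".
func (s *Signer) SignResult(line string) string {
	s.seq++
	body := strconv.Itoa(s.seq) + "\t" + line
	sig := ed25519.Sign(s.priv, []byte(body))
	return body + "\t" + base64.StdEncoding.EncodeToString(sig)
}

// VerifyRun checks a batch of signed lines: every signature must verify and the
// sequence numbers must run 1, 2, 3, ... without gaps. It returns the bare result
// lines, or the index of the first bad line (-1 when all is well) and an error.
func VerifyRun(pub ed25519.PublicKey, signed []string) ([]string, int, error) {
	var out []string
	for i, rec := range signed {
		j := strings.LastIndexByte(rec, '\t')
		if j < 0 {
			return out, i, fmt.Errorf("line %d: no signature field", i)
		}
		body, sigText := rec[:j], rec[j+1:]
		sig, err := base64.StdEncoding.DecodeString(sigText)
		if err != nil || len(sig) != ed25519.SignatureSize || !ed25519.Verify(pub, []byte(body), sig) {
			return out, i, fmt.Errorf("line %d: bad signature, result altered or not from this instrument", i)
		}
		k := strings.IndexByte(body, '\t')
		seq, convErr := strconv.Atoi(body[:max(k, 0)])
		if k < 0 || convErr != nil || seq != i+1 {
			return out, i, fmt.Errorf("line %d: expected sequence %d, line dropped or reordered", i, i+1)
		}
		out = append(out, body[k+1:])
	}
	return out, -1, nil
}

func main() {
	s := NewSigner(ExampleSeed())
	signed := []string{s.SignResult("sample=A17,target=N1,Ct=23.4"), s.SignResult("sample=A18,target=N1,Ct=31.9")}
	_, _, err := VerifyRun(s.Public(), signed)
	fmt.Println("intact run:", err)
	tampered := []string{signed[0], strings.Replace(signed[1], "Ct=31.9", "Ct=21.9", 1)}
	_, bad, err := VerifyRun(s.Public(), tampered)
	fmt.Println("tampered run: line", bad, "->", err)
}
```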

Wondering what PCR testing is good for? Tons of things all over the medical field, for instance, we’ve talked about PCR in a fair bit of detail in this article about COVID-19 testing. We’ve also covered a number of hacker-built PCR and PCR-enabling machines, from deceivingly simple to reasonably complex!

esp-hal, a Stable-API ESP32 HAL Gift For Your Rust Code

27 February 2025 at 19:30
The rust language logo being branded onto a microcontroller housing

Looking to write Rust on the ESP32? You’re in luck, a new challenger has entered the scene, looking to help you write code that lasts – [Scott Mabin] and the team from Espressif have brought us the esp-hal 1.0.0-beta. From a personal project to an Espressif-sponsored one to an effort under Espressif’s wing, [Scott] tells us about the arduous journey of bringing first-class Rust support to ESP32 chips, Xtensa and RISC-V alike.

In particular, esp-hal, with the hal part standing for Hardware Abstraction Layer, focuses on providing you with a stable API to access hardware, making sure your code can remain stable for years to come. For now, you get drivers for GPIO, UART, SPI and I2C, as well as a number of auxiliary features like time and SoC reset, more than enough for a large amount of projects we hackers build with a generic MCU in mind.

Next stop? WiFi and BLE support, of course, an ESP32 just doesn’t feel the same without these two. Rust is a fun and seriously promising language, and it’s a joy to use! So, if you have a wireless-less project in mind and you’re looking for a HAL, try out the esp-hal, it might just be exactly what you need.

If you’re looking for examples, here’s an STM32 touchpad project with Rust firmware, a PIC32 Rust blinky demo, and we’ve even featured larger projects like this ESP32 open-source (reverse-engineered) WiFi MAC stack being written in Rust. In case you missed it, we’ve introduced Rust to you a couple of times, even as far as 2015!

KiCad 9 Moves Up In The Pro League

22 February 2025 at 21:00
Demonstration of the multichannel design feature, being able to put identical blocks into your design, only route one of them, and have all the other blocks' routing be duplicated

Do you do PCB design for a living? Has KiCad been just a tiny bit insufficient for your lightning-fast board routing demands? We’ve just been graced with the KiCad 9 release (blog post, there’s a FOSDEM talk too), and it brings features of the rank you expect from a professional-level monthly-subscription PCB design suite.

Of course, KiCad 9 has delivered a ton of polish and features for all sorts of PCB design, so everyone will have some fun new additions to work with – but if you live and breathe PCB track routing, this release is especially for you.

One of the most flashy features is multichannel design – essentially, if you have multiple identical blocks on your PCB, say, audio amplifiers, you can now route one of them once and then replicate the routing in all the other blocks; a stepping stone for design blocks, no doubt.

Other than that, there’s a heap of additions – assigning net rules in the schematic, dragging multiple tracks at once, selectively removing soldermask from tracks and tenting from vias, a zone fill manager, in/decrementing numbers in schematic signal names with mousewheel scroll, alternate function display toggle on symbol pins, improved layer selection for layer switches during routing, creepage and acute angle DRC, DRC marker visual improvements, editing pad and via stacks, improved third-party imports (specifically, Eagle and Altium schematics), and a heap of other similar pro-level features big and small.

Regular hackers get a load of improvements to enjoy, too. Ever wanted to add a table into your schematic? Now that’s doable out of the box. How about storing your fonts, 3D models, or datasheets directly inside your KiCad files? This, too, is now possible in KiCad. The promised Python API for the board editor is here, output job templates are here (think company-wide standardized export settings), there are significantly more options for tweaking your 3D exports, a dogbone editor for inner contour milling, big improvements to footprint positioning and moving, improvements to the command line interface (picture rendering in mainline!), and support for even more 3D export standards, including STL. Oh, add to that, export of silkscreen and soldermask into 3D models – finally!

Apart from that, there’s, of course, a ton of bugfixes and small features, ~1500 new symbols, ~750 footprints, and documentation has been upgraded to match and beyond. KiCad 10 already has big plans, too – mostly engine and infrastructure improvements, making KiCad faster, smarter, and future-proof, becoming an even more impressive software suite and a mainstay on the average hacker’s machine.

For example, KiCad 10 will bring delay matching, Git schematic and PCB integrations, PNG plot exports, improved diffpair routers, autorouter previews, design import wizard, DRC and length calculation code refactoring, part height support, and a few dozen other things!

We love that KiCad updates yearly now. Every FOSDEM, we get an influx of cool new features into the stable KiCad tree. We’re also pretty glad about the ongoing consistent funding they get – may they get even more, in fact. We’ve been consistently seeing hackers stop paying for proprietary PCB software suites and switching to KiCad, and hopefully some of them have redirected that money into a donation towards their new favorite PCB design tool.

Join the pro club, switch to the new now-stable KiCad 9! If you really enjoy it and benefit from it, donate, or even get some KiCad merch. Want to learn more about the new features? Check out the release blog post (many cool animations and videos there!), or the running thread on the KiCad forums describing the new features and fixes at length; or, if you’re up for video format, check out the KiCad 9 release talk recording (29m48s) from this year’s FOSDEM, it’s worth a watch.
