Musical Roombas!


A list of musical notes and the Hex codes needed to make them play on the robot vacuum cleaner

A few years ago, I added WiFi to my Roomba using a 3rd party add-on. Sadly, it looks like Thinking Cleaner, the company which created the WiFi unit, is no longer manufacturing them. But in their latest firmware release, they added a fun new option - the ability to make your Roomba sing! I've hacked […] Read More

Telnet and Root on the Sercomm iCamera2


A web browser displaying the message "Open Telnet Daemon successfully!"

tldr; URL: http://[IP]/adm/file.cgi?todo=inject_telnetd, Telnet username: root, Telnet password: Aq0+0009

History: Four years ago to the day, I wrote an exposé of the hideous security failings of Sercomm IP Cameras. The blog has since attracted 200 comments - as people try to unlock their cameras, and find out what flaws they have. Despite my best efforts […] Read More

Renault's Secret Mileage API


Website showing my car and its mileage

Last year I reverse engineered Renault's Electric Car API. One of the curious omissions was mileage - it just doesn't appear there. However! All is not lost. If you log in to your Renault Account - https://www.renault.co.uk/my-account/my-car.html - you'll get details back about your car including its make, model, date of next service, and mileage! […] Read More

Self-inflicted Denial of Service on GitHub (Disclosed)


I've found an interesting, but low severity, way for a malicious user to selectively deny access to specific GitHub issues and Pull Requests. This doesn't affect the whole site - just targeted pages. It doesn't require elevated permissions, nor any special skills. This is just GitHub punching itself in the face. Here's how it works. […] Read More

Introducing @FiverFun - silly things on Amazon for under £5


It's nearly Christmas! That means Secret Santa time at work, and the need for little stocking-filler gifts. But where can you find such cheap treats? Aha! I have created a service just for you! https://fiverfun.tumblr.com/ is my new(ish) project. It scours Amazon for the best and/or weirdest things for under a fiver! At the moment […] Read More

Should you open your WiFi during a disaster?


There has been a terrible natural disaster in Italy. A huge quake has broken a city. Rescue teams race to the scene to try to save lives and stabilise the situation. During the rescue efforts, the Italian Red Cross sends this tweet: #Terremoto, per favorire comunicazioni e operazioni di soccorso vi invitiamo a togliere la […] Read More

Easy APIs Without Authentication


This is a curated list of APIs which do not require usernames, passwords, access tokens, signing, accept-headers, or anything more complicated than sticking a URL in a browser. (This is an update to my post from two years ago.) When I introduce people to the concept of using RESTful APIs, they immediately get how powerful […] Read More

Disclosed - Lifx Security Issue


I love my Lifx Bulbs. They're a quick and easy way to retrofit Internet connected goodies into a smart-home. One of the best things about them is their open API. Sure, you can use IFTTT if you want something easy - but us 1337 hax0rs want an API and Lifx provides it. The API is […] Read More

Cheap BlueTooth Buttons and Linux


Selfie sticks - like most modern inventions - are utter tosh. But they've rapidly brought down the price of Bluetooth buttons. So who am I to complain? Let's take the venerable AB Shutter 3 - You can find it on Amazon for around £2 including postage - or around $2 on AliExpress. Frankly, that's stupidly […] Read More