Easton's stuff

I stumbled upon another series of single board computers capable of running Linux online, the Milk V Duo S. These boards are interesting because they have both an ARM and a RISC V processor.

At first look, the idea of having two CPUs in one board is appealing. The possibility of dedicating one core to real‑time tasks while the other handles a full Linux stack seems like the ultimate design. As I dug into the documentation, it turns out that the board uses a simple switch to choose which core boots. In other words, you can boot either the ARM side or the RISC‑V side, but not run both concurrently. The board in conjunction runs FreeRTOS.

With the inexpensive cost of electronic components online, I am amassing quite a library of modules and parts to build whatever little contraption my silly little brain dreams up. Lately I've been working on a portable GPS unit using an ESP32, with an off the shelf GPS module and 1" OLED screen. 

Quite often I'm in the woods and I know where I am, but I don't know where I want to go. Thus, navigating back home safely is important if I feel like simply walking into the forest alone. I wanted a simple GPS unit where I could calculate distances and display a map of my location, with beacons displaying waypoints and markers.

Over the last month or so, I have a fully-featured unit that can display the current longitude, latitude and latitude,  calculate distances between two points, displays a vector map, and a settings menu allowing the user to enter low power mode and change display settings. 

I’m no stranger to stumbling upon oddities in software, and this time, I found something big—a vulnerability in a popular Shopify app, Loox Reviews that made me raise an eyebrow. Loox, a well-known reviews app that many Shopify merchants use to build credibility with customer feedback. What I found was a critical flaw that could expose sensitive customer data, all because of an insecure direct object reference (IDOR). 
Please note this vulnerability was discovered and fixed in 2023, this blog post is a post-mortem.

The Vulnerability: What Was the Issue?

It all started with a seemingly innocent GET request. I was poking around the Loox reviews widget for some work project when I noticed something odd. Loox uses publicly accessible merchant IDs as part of their request URL. No big deal, right? Well, it became a big deal when I realized that by simply modifying the merchant ID in the URL, I could access another merchant’s review data—including sensitive customer information, such as email addresses, review content, and admin settings. It's one thing to access publicly-available information, product reviews in this case, but this was much more.

To make matters worse, this didn’t even require any sort of authentication. Anyone, even if not logged in to Shopify, could exploit this vulnerability. All an attacker had to do was find a merchant ID (easily scraped from public pages) and modify a URL. With that simple change, you could pull down entire CSV files filled with reviews and customer data.

The Technical Breakdown

At the core of the issue was Loox’s hash generation mechanism. When a URL is requested, Loox generates a hash via a public URL, and this process bypasses standard authentication protocols. The system allowed anyone with the right merchant ID to manipulate the URL, grab an export hash, and download review data—all without needing a valid login.

I have a habit of diving headfirst into projects that are fun but maybe not super useful. A project I worked on a few months ago  MuStack MicroVM (msmv) —a project that took far more effort than necessary to create something that, in all honesty, I’ll probably never use again. But hey, at least it works, right?

So, What Exactly is msmv?

At its core, MuStack MicroVM is a minimalistic Linux virtual machine build system. Think Docker, but without all the convenience and with way more manual labour involved. It's designed to create lightweight, secure, and isolated virtual machines for testing environments. Perfect if you're someone who enjoys the thrill of complexity, like building a ship in a bottle—but digitally. Plus, I'm a sucker for naming projects with an acronym.

After bricking the last wifi repeater in my last post, I was determined not do that again. At least not intentionally.

This time around, I purchased the same model as before (U13) as well as three more units of a different model, for $10 and $7 CAD respectively. The goal here is to get root access via SSH/telnet and use these devices as general purpose Linux single board computers. With an ethernet port, built in power supply and wifi, these boards are great for single-purpose servers.

New hardware

These models kept popping up in recommended items in the Aliexpress app, so I thought I would check it out. Just like the previous model, there's no technical information about these devices or who makes them. All we know is that there's an ethernet port, it has 2.4Ghz wifi...and that there's a WPS button. Some listings display the brand as iMice but nothing turns up on Google. 

Searching around YouTube, I was able to find branded devices using the same hardware:

• MECO WIFI Wireless Signal Amplifier 
• Accmor 300Mbps 802.11 n Wireless WiFi Repeater
• AMAKE Wifi Repeater 300M Range Extender
• NoyoKere Wifi Repeater 300Mbps Range Expander
• Seaidea 300Mbps Wireless-N Mini Wifi Repeater
• iMeshbean® Wifi Repeater 300M Range Extender
• NINISEI Wifi Router/Repeater
• F&M Wireless-N 300Mbps 2.4G Wifi Repeater
• PIX-LINK WR03 Wireless WiFi Repeater 
• Wi-Fi Repeater XY-300MZJ1
  • This one I was able to find an FCC listing under 2BD24XY-300MZJ1 see: https://fccid.io/2BD24XY-300MZJ1
     

One funny misspelling is the username "admim" on the sticker:

The 4 LED model seems to differ from the 7 LED model, and on the latter model listing the seller displays the chipset as RTL8196E with 16MB flash and 128MB RAM.

Software

Plugging the device into the wall, and going to the printed address (192.168.11.1) we get a very familiar web admin UI. This time, the manufacturer decided to use orange instead of blue.

I have a fixation of buying little electronic trinkets and gadgets on foreign websites for cheap prices. Something about the cost of such little things, and that it takes 3-4 weeks to arrive to my door, provides me with excitement when I visit the post office to pick up my parcels. Lately, I purchased some ESP32 and ESP8266 boards for around $3, and various other programmers and jumper cables for around the same price point. It makes experimenting with a new project fun and inexpensive (great if you like to drop projects after a month too).

In the hot summer we're having out here, I like to sit in my yard and read online tech news and blogs on my phone. Being the hedonistic person I am, I cannot wait 3-4 seconds for a page to load. The wifi coverage at my house is sufficient in doors, but when I go 150 yards away, it can be abysmal. 

The purchase

So, in my regular late night Aliexpress shopping sprees, I found a $10 ($7 USD) wifi repeater that might fit the bill. 

There's really no information about this device, anywhere. No model number. These seem to get the model numbers of AC1200M and also U13 if you poke around Aliexpress. If you look on Amazon, you'll find the exact same model selling for over double. It seems to connect this device to your wifi network, you use the WPS button and voila, it connects and you have a repeated signal.

So when it finally arrived the other day, I plugged it into the wall, followed the not-so-cryptic instruction manual and I was on my way. 

I enjoy building small, self-contained software for the pure joy of simplifying what you build. Building complex software is easy; small and maintainable software is not (not always anyway).
To take that same vein of thought, I have been working on a floppy-sized Linux distro (fluxflop) for the pure fun of how small I can build the Linux kernel, while keeping it usable. Running make tinyconfig is easy enough, but how small can you truly make the kernel? 

In my quest to find any resources on this, I stumbled upon Linux Tiny. It's a set of patches (with the intention of getting the patches merged into mainline to make future builds easier) that can slim down the kernel and add additional Kconfig options for reducing the compiled size. The project has not been updated since approx 2007 and uses Linux 2.6.23.0. Backporting these patches (whats the opposite of backport with newer software? haha) would take time and it's not guaranteed that the patch intention would work the same. Well, with too much time on my hands, I dug deep and did just that. You can see the git repo here with updated patches for Linux 6.9. Now, they are not guaranteed to work for everyone and every arch, but for i386 I was able to shave off about ~80KB which doesn't seem like much, but it all adds up in the end. For fluxflop, I was able to trim bzImage down to 712KB, and an aarach64 kernel down to about 820KB. 

I found this presentation that Matt Mackall gave in 2004 for the introduction of Linux Tiny. In the slides, it is mentioned that the Linux kernel produced, with net, EXT2, a NIC (not mentioned which one) and IDE, was 363KB! Very impressive. For my project, that 712KB is without /dev/ram, no filesystems, network capabilities, VGA and not even PS/2. All over serial too, so good luck having it be any use on a desktop box. Still, this is something to aim for. I would be curious to replicate the results in the presentation to build a 720KB floppy-sized Linux distro.
 

Here's something fun: Enable HTTPS browsing on IE5/Windows 98 with a Flask proxy that handles SSL and rewrites web content.

For whatever reason, I have a Windows 98 virtual machine in UTM (which is fantastic on Apple Silicon) that I like to boot in to and take a trip down memory lane. It's fun, and painful at the same time. But, the modern web has moved on from Internet Explorer 6 (and Internet Explorer in general, but we're not celebrating that in this post). Lost in the dust, Internet Explorer of the Windows 98 days doesn't quite work anymore. IE6, released in 2001, came with support for SSL 2.0 and 3.0, and later updates added support for TLS 1.0. At the time, this was sufficient. The web was a different place, less sophisticated in both the technology it used and the threats it faced (generally speaking, of course).

OpenAI released the GPT Store earlier this week, allowing users to share their prompts with anyone with ChatGPT Plus. This follows the GPT Builder program's introduction, allowing users to create tailored chatbots for various tasks. The store has reviews and even a revenue-sharing feature for custom GPTs.

I am not swayed by anyone's custom [instruction] GPT, there are many posted to Reddit and around the web touting their benefits. Well, I had some time this weekend and spent some time learning about prompt injection and how to leak the initial prompt.
 

Backstory
 

For creating a custom GPT, you can include specific instructions (duh) as well as include documents and interact with web APIs.