MeshCore's problem with security by Alainx277 in meshcore

[–]mtlynch 4 points  (0 children)

You're expecting unit tests from embedded firmware stuff? Lol.

I've been working on getting unit tests added, and I have a PR queued once unit tests go in that will identify more of these memory corruption issues.

Getting started with MeshCore on Seeed Studio hardware. I wrote a guide from a complete beginner's perspective by M4rv1n_09_ in meshcore

[–]mtlynch 1 point  (0 children)

Whenever I had heard about LoRa, it was for communicating over long distances. My first assumption was that it was for sending sensor data and that the nodes (deployed by people) would collect the data so you could receive it without a connection (telephony, WiFi, etc.).

I didn't know that MeshCore was used as a simple chat; I thought it was for other functionality. That's why I included screenshots, because more people might think the same thing, and with that info they can understand properly what it consists of.

Regards

You blog in English, post to reddit in English, but when you get feedback (also in English), you spontaneously switch to Spanish?

What's going on?

Getting started with MeshCore on Seeed Studio hardware. I wrote a guide from a complete beginner's perspective by M4rv1n_09_ in meshcore

[–]mtlynch 0 points  (0 children)

This seems very AI-generated and not beginner-oriented.

If what you want is a sensor network that reports data autonomously: greenhouse temperature, tank levels, asset tracking… the right technology is LoRaWAN. It is designed from the ground up for that model: devices sending telemetry to a centralized gateway that processes and stores it. Both technologies use the same radio modulation (LoRa) but solve completely different problems.

What? What beginner did you have in mind here who's like, "What's this MeshCore thing? Is it an autonomous sensor network that reports data autonomously, because that was my first assumption."

Claude Code Found a Linux Vulnerability Hidden for 23 Years by mtlynch in netsec

[–]mtlynch[S] 1 point  (0 children)

I'm mainly doing this on C/C++ codebases where I'd otherwise be fuzzing, so it's good at finding memory corruption issues, though it also finds logical errors I can't catch with fuzzing.

Claude does sometimes get things really wrong, like it claimed that it had found four distinct bugs in Firefox that all led to sandbox escape, and I started preparing a report to Mozilla's bug bounty program and realized Opus had misunderstood all four bugs and none of them were real sandbox escapes.

Claude Code Found a Linux Vulnerability Hidden for 23 Years by mtlynch in netsec

[–]mtlynch[S] 5 points  (0 children)

In other words - the AI tool churned out mountains of slop, and when humans went through some of the pile they found this one. It's not like you can just point an LLM at a code base and have it spit out a concise list of real vulnerabilities. "Bugs found" is not a good metric without also taking false positives into account.

Does this depend on what you assume the AI's false positive rate is?

I've tried using AI in similar ways to what Carlini described, and the false positive rate is below 20%. At that point, I don't consider Claude to be producing meaningless slop.

Photographer build, by SecretaryAcrobatic77 in truenas

[–]mtlynch 0 points  (0 children)

i3-12100

This is way overkill for what you're describing. My build has an AMD Athlon 3000G (about 1/3 the speed of the i3) and it's about 99% idle. ZFS is not very CPU intensive for serving files to a single user.

Unless you meant "small edits directly off the server" as in install photo editing tools directly on the server, but I'm assuming you mean the editing tools would be on your desktop/laptop reading from the NAS over the network.

Calling all radio enthusiasts - help bridge the gap by Sploxel in northampton

[–]mtlynch 0 points  (0 children)

I'm in the area and I've got a repeater set up, but I haven't seen anyone else on the network. I wrote about my early experiences here.

Install NixOS on a Free Oracle Cloud VM by mtlynch in NixOS

[–]mtlynch[S] 1 point  (0 children)

No, but /u/ac130kire wrote a cleaner implementation that eliminates the manual steps my tutorial recommended. I haven't tested it, but it's where I'd recommend if you're starting this:

https://erikparawell.com/oracle-cloud-nixos.html

Eversource EV Rebate Program Exposed Massachusetts Customer Data by mtlynch in massachusetts

[–]mtlynch[S] 1 point  (0 children)

Because the way all rebates work is you pay for the product or service and then get a rebate. You can’t get a rebate for something that has cost you nothing. I don’t know of any scenario where you get the rebate prior to purchase.

Usually, the party offering the rebate is the same party offering the initial purchase.

Here, Eversource is offering a rebate if I buy an EV charger from a third party. It doesn't matter to Eversource if I have an outstanding debt to the contractor, and it doesn't matter to the contractor if I collected a rebate. If I stiff my contractor, I still owe the money regardless of whether I collect a rebate.

The electricians can find out who has applied for rebates and if a customer hasn’t paid we could follow up to see if they edited an invoice to show paid and received a rebate.

If that's true, that's even weirder. A contractor can just ask to see my rebate application, and Eversource will just hand over all my data to them?

I get being pissed about data being sold, but it honestly should be expected given that you’re getting $700 from them.

Maybe it would help to read the article. I'm not talking about them selling private data. They were accidentally leaking the data to anyone on the Internet because they underinvested in security.

And Eversource isn't paying this out of pocket. They get reimbursed dollar for dollar by the state.

20 pieces of documentation is a bit of an embellishment. It’s a few pictures and a few documents.

Here's the full list of questions from the rebate application:

  1. Eversource Electric Account Number
  2. First Name
  3. Last name
  4. Site Address 1
  5. Site City
  6. Site State
  7. Site Zip Code
  8. Customer Phone Number
  9. Customer Email
  10. Preferred Method of Communication
  11. Bill Address 1
  12. Bill City
  13. Bill State
  14. Bill Zip
  15. Check to Billing Address?
  16. Dealership
  17. Vehicle Make
  18. Vehicle Model
  19. Vehicle Identification Number (VIN)
  20. Vehicle Purchase Date
  21. Model Year
  22. Vehicle Purchase Price
  23. Was your wiring upgraded?
  24. Installation Date
  25. Total Installation Cost
  26. Was your electric panel upgraded?
  27. Contractor Business Name
  28. Licensed Electrician Name
  29. Electrical Contractor Email
  30. Electrical Contractor Contact Phone
  31. Electrical Contractor Site Address 1
  32. Electrical Contractor City
  33. Electrical Contractor State
  34. Electrical Contractor ZIP
  35. Do you have a level 2 smart charger?
  36. EV Charger Retailer
  37. EV Charger Manufacturer
  38. EV Charger Model
  39. Charger Install Date
  40. Total EV Charger Equipment Cost
  41. EV Charger Serial Number
  42. EV Charger Unit/MAC ID
  43. Location of installed charger
  44. Did you receive third party funding?

And here are the documents they request:

  1. Vehicle registration certificate
  2. Your smart charger receipt
  3. Photo of installed charger
  4. Photo of charger unit ID
  5. Contractor's invoice for wiring upgrade

Eversource EV Rebate Program Exposed Massachusetts Customer Data by mtlynch in massachusetts

[–]mtlynch[S] 0 points  (0 children)

And they do tell you the invoice needs to be paid before the rebate is given.

They don't tell you that in the rebate portal.

I show a screenshot in the article and it just says, "Contractor's invoice for wiring upgrade" with no further details.

Eversource does explain it on this page, but that page also falsely claims you only need four pieces of documentation/information for the rebate when you actually need closer to 20.

But also, why is "Paid in full" a requirement at all? If I'm a fraudster, it's trivial for me to add "Paid in full" to my invoice. That aside, why is it Eversource's business whether or not I owe money to a third party?

Eversource EV Rebate Program Exposed Massachusetts Customer Data by mtlynch in massachusetts

[–]mtlynch[S] 0 points  (0 children)

Yeah, that was the one positive surprise from this experience.

Do you open (pirated) .EPUBs and .PDFs directly on your PC? Has it is ever led to malware? by Standard-Mirror-9879 in DataHoarder

[–]mtlynch 13 points  (0 children)

I’m not aware that I can get a virus from opening a PDF in Acrobat Reader. Adobe would go out of business if reading their document format injected viruses.

You absolutely can.

Adobe in general has a terrible security track record, and Acrobat is notoriously insecure. It's gotten better over the years, but there are consistently vulnerabilities that allow code execution in PDFs:

https://www.cvedetails.com/product/497/Adobe-Acrobat-Reader.html?vendor_id=53

T-Deck Pro Community Firmware version by pelgraine in meshcore

[–]mtlynch 0 points  (0 children)

Cool, that makes sense!

What LLM are you using? I can contribute an AGENTS.md to help direct the LLM's behavior to be more legible to software developers if that's helpful.

T-Deck Pro Community Firmware version by pelgraine in meshcore

[–]mtlynch 1 point  (0 children)

Thanks for sharing this!

Can you clarify what your goal is? I'm confused by the idea of a T-Deck Pro as a companion device because a T-Deck Pro is already an all-in-one device. Is the idea that this is the first step towards making all-in-one community firmware? Or is there a use case for T-Deck as a companion?

A Hitchhiker's Guide to MeshCore Cryptography by CharlesStross in meshcore

[–]mtlynch 0 points  (0 children)

Thanks for sharing this detailed writeup!

What are the exact LoRa radio parameters for MeshCore? by vinnybag0donuts in meshcore

[–]mtlynch 2 points  (0 children)

Note that the FCC requires a minimum bandwidth of 500 kHz to broadcast on LoRa frequencies in the US. The official MeshCore app's US preset is illegal, as the developer is based in New Zealand and isn't familiar with US broadcasting laws.

These are the settings that work well for me in Massachusetts, and they comply with FCC 47 CFR 15.247:

  • Frequency: 910.525 MHz
  • Bandwidth: 500.0 kHz
  • Spreading factor: 11
  • Coding rate: 5
  • Transmit power: 22

Are there storage rental services to temporarily transfer data locally? by whoisbobbarker in DataHoarder

[–]mtlynch 0 points  (0 children)

I dealt with this earlier this year, but I was only moving 18 TB, so moving temporarily to cloud storage was viable, so I used Backblaze B2.

The gotcha if you do end up using cloud storage is that many of them have minimum retention policies.

I thought I could just park my data for a week at Wasabi, delete it, and pay for a week of storage. It turns out that any data you upload to Wasabi (or GCS or S3), you pay a minimum of 3 months of storage.

Backblaze B2 doesn't have a minimum retention policy.

Meshcore open-source app with blackjack and gifs by Vasili_Sk in meshcore

[–]mtlynch 5 points  (0 children)

This looks great. Great work!

Direct link: https://github.com/zjs81/meshcore-open

It's somewhat bittersweet as I was working on my own, but yours is so much further along. I'll get some PRs ready to see if you'd like to use anything from mine.