Metafetish

Sex Tech Crowdfunding Roundup 2016-06-28

Let's see what's been up on crowdfunding sites in the past couple of months... Oh god. Oh my god.

Sometimes, the gods/goddesses/g*(various other genders) of the internet look down upon you and smile, and apparently that's what they're doing today, 'cause hoooo boy do we got some campaigns. I just. Wow.

Starting with least interesting/already finished and progressing in WTFness.

The Lovense Hush Plug

Hush

528% (US$76859 raised / US$20000 needed) - Campaign Over

Ok, posting this not because it's new, but because it just actually shipped and backers have started receiving their hardware. They're still $59 if you buy from Indiegogo, so get on that! Remember, if you're interested in controlling it with your own code, check out the liblovense library.

Hex Condom by Lelo

LeloHex

1982% (US$237851 raised / US$12000 needed) - Campaign Over

Charlie Sheen? Fucking really? Lux Alptraum even pulled her support for the condom over their weird PR choices and lackluster initial reviews.

Remoji Sex Toys

Remoji

1229% (US$129804 raised / US$10000 needed) - Campaign Over

Eh. Toys seem kinda uninspired, and the PR is just fucking WEIRD. "Make public sex legal!". It's kind of a combination of skeezy and porn parody that just doesn't seem like it works. Lux Alptraum included them in her article on why phone apps are a horrible idea, which I highly recommend checking out. That said, $129000 (which isn't actually all that much) says at least some people think it'll turn out ok, so we'll see what happens when they ship.

The Rabbitow

Rabbitow

0% (US$0 raised / US$10000 needed) - 30 days (?) left

Your standard onahole, with heating element. Nothing Tenga hasn't done before. However, this image is worthy of a toy that would show up on Kanojo Toys:

Rabbitow

Yeah. Um. Why is the onahole her whole digestive tract. WHY. EW.

Complete Oral Pleasure Sex Toy

Oral Pleasure Toy

0% (US$0 raised / US$50000 needed)

There are no pictures of what they're producing, just a description of a toy that acts like a tongue. There's a lot of those. I'm posting this because of their opening image mostly, which is just... WTF.

Sir Frots-A-Lot Dual Onahole

0% (US$58 raised / US$64000 needed)

So Sir-Frots-A-Lot is ostensibly a good idea. It's a dual onahole for pokey-thing/pokey-thing interaction. Made for two guys, but hey, you could totally stick two Ambrosia toys in there and go to town, so who knows. Has some interesting points about safe sex uses. But the marketing. Christ, the marketing. I understand swordplay and all that, but really?

SirFrotsALot

That said, the fact that they're using diverse (in so many senses of the word) fantasy art on their site is a surprisingly bold move.

I honestly feel like this could be a really interesting product if it had better marketing behind it. Ah well.

The Tight-O-Meter

TightOMeter

0% (US$20 raised / US$150000 needed)

Is it like a thing now to get drunk and make crowdfunding campaigns? I mean, I'm totally down with it if it is, it makes writing this post so much easier. But my god, this one's a doozy. It's a "toy" that measures how tight you are and gives you a score. They don't stop there though!

"The Tight-O-Meter branding (T-O-M) will rely on various accesories to hit the market and to be a worldwide success. T-shirts (the 1k club;[ your ex..data, your next..data]; my gf is 850, T-O-M entertainment for adults, T-O-M Æ For those who knows <--- mistake voluntary), headbands, wristbands (600 blue;700 green;800 orange;900 silver;1000 gold), lubricants, cleaning wipes, etc."

YES THEY HAVE THEIR BRANDING PLANNED OUT.

"One day every pornstars, will have their own score. This way you
could have a realistic idea of the tightness of your favorite
pornstar."

In the future, everyone will be required to have their tightness score on their government issued ID. Societal castes will be set based on tightness.

Never stop dreaming, Tight-O-Meter Dude. And yes, I'm guessing you're a dude but I'm pretty sure I'm right.

Sex Tech News Roundup 2016-06-27

It's time to round up the sex tech news again! And I haven't done it in 2.5 months so there's probably a lot of it.

New Cyberdildonics Subreddit

On reddit? Really need to talk about internet buttplugs?

Now you can! There's now /r/cyberdildonics for all your reddit internet buttplug discussion needs.

Due to /r/teledildonics being banned for some reason or another, that name wasn't usable, but people were wondering where they could talk about wifi dildos, and here we are.

While we're at it, you may also be interested in /r/oculusnsfw, a subreddit about VR porn that sometimes also covers toys.

Buttshock ET-312 Update

Annnnd 2 months later, we're back!

Ended up getting a bit too involved in the ET-312 reversing project, and then writing a Telegram Bot, but now I'm back on the blogging wagon! (Hopefully.)

In terms of Buttshock (which is now the official name of the estim projects we've got going on at Metafetish), thanks to a group effort, we managed to crack the firmware "encryption" right after I made that last post. I'll be doing a longer writeup on this later, but for now:

  • There's been a ton of work annotating the firmware to figure out what's going on in the box, as well as drawing up schematics. The annotations and schematics are available in the buttshock et-312 firmware repo.
  • We've managed to build a firmware that will work on all systems, regardless of whether they required v1.5 or v1.6 in the past. There's also a patching system available for inserting new features into the firmware blobs.
  • We're now working on figuring out the pattern building language. Yes, the ET-312 has its own DSL for estim patterns! Once we do this, we'll be able to build patterns to load into the ROM area.

As usual, all of our work is available in the metafetish organization on github. Thanks to all contributors so far!

I Need a Crypto Grownup (ET312 Reverse Engineering Update)

Ok, honestly I could even probably just do with a crypto teenager at this point.

tl;dr for the non-technically minded: Things are coming along well, protocol documentation work is happening (See latest protocol docs here), but still working on firmware extraction.

Now, for the nerds:

First off, please check out the firmware reverse engineering document on the erosoutsider github site. This outlines our goals, attack vectors, and status. I'm trying to keep these as up to date as I can. But for those that hate reading:

  • We're trying to extract firmware for an ATMega16 with JTAG/OCD off and lock fuses set.
  • It has 512 bytes of bootloader.
  • We have some knowntext.

Last week, using a string overflow and a logic analyzer on the LCD pins, I managed to extract around 1600 bytes of ET-312 firmware. Yay! Previously we only had 255 bytes.

For those interested, the extracted blob is in our github repo. I believe this is all of the .data and .bss sections, followed by some garbage data (explained in a bit).

So now we have:

What we don't have:

  • Knowledge of the position of the knowntext in flash or in the firmware upgrade file. I modified a multiplier to get the string overrun to work, but the offset the multiplier is working on is a constant in flash.
  • Knowledge of whether the encrypted upgrade file is in flash load order from 0 to 15872 (we're assuming it is).

What we want is the full, unencrypted firmware. The problem is, I'm running out of ways to access memory. I don't have access to the stack space via the serial protocol, and things get very rebooty if I try to change the stack pointer origin.

Now we get to the part where things turn a bit handwavey and I need a crypto grownup. From the XOR of the two upgrade files, it seems like there's a noticeable lack of entropy in the encryption even though the files have different contents. Also, the bootloader is only 512 bytes, meaning it's not the usual AES/DES provided in Atmel Application Notes, which requires a minimum of 2k bytes of space.

Also, when inspecting the XOR, some parts show patterns, while some are garbage. I have a feeling the garbage parts may just be random bytes used in something like an srec_cat call to fill unused flash space. In our knowntext, the transition from .data/.bss to garbage is pretty obvious, meaning we /might/ be able to guess a vague position of the knowntext in the encrypted file, not that the search space is all that huge to begin with.

So, there's a chance this is just some set of operations (XOR, arithmetic, etc) on a multibyte key. However, using the known text as a sliding window and searching for repeating substrings hasn't resulted in much. I'm sure I'm probably missing some pretty obvious attacks, but this is why we've got neighbors, right?
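The two checks described above (entropy of the XOR of two upgrade files, and sliding the known text along the ciphertext looking for a repeating keystream), written out as an added example that is not from the original post or the Buttshock repos. It assumes the simplest case of a repeating multibyte XOR key, not an LFSR; the key, strings and both images are constructed, and nothing here reflects the ET-312's actual scheme.

```python
import hashlib, math
from collections import Counter

def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def entropy(data):
    """Shannon entropy in bits per byte; ~8.0 means the bytes look random."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def toy_encrypt(plain, key):
    """ASSUMED cipher for the demo: XOR with a repeating multibyte key."""
    return bytes(p ^ key[i % len(key)] for i, p in enumerate(plain))

def filler(label, n):
    """Deterministic random-looking bytes standing in for compiled code."""
    blocks = (hashlib.sha256(label + bytes([i])).digest() for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def short_period(stream, max_p):
    """Smallest p <= max_p with stream[i] == stream[i + p] everywhere, else None."""
    for p in range(1, max_p + 1):
        if all(stream[i] == stream[i + p] for i in range(len(stream) - p)):
            return p
    return None

def locate_known_text(cipher, known, max_key=16):
    """Slide the known plaintext along the ciphertext. At the true offset,
    cipher XOR known is pure keystream and repeats with the key length."""
    for off in range(len(cipher) - len(known) + 1):
        ks = xor_bytes(cipher[off:off + len(known)], known)
        p = short_period(ks, max_key)
        if p:
            # Rotate so the recovered key lines up with file offset 0.
            return off, bytes(ks[(j - off) % p] for j in range(p))
    return None

# Constructed sample data: key, strings and both "firmware versions" are made up.
KEY = bytes.fromhex("a55a3cc30f1e2d")
KNOWN = b"Selftest OK\x00Failure 20\x00Initializing...\x00"
IMG_V1 = filler(b"code", 300) + KNOWN + filler(b"fill", 100)
IMG_V2 = filler(b"code", 280) + filler(b"new", 20) + KNOWN + filler(b"fill", 100)
C1, C2 = toy_encrypt(IMG_V1, KEY), toy_encrypt(IMG_V2, KEY)

if __name__ == "__main__":
    print("entropy of one upgrade file :", round(entropy(C1), 2))
    print("entropy of file1 XOR file2  :", round(entropy(xor_bytes(C1, C2)), 2))
    print("known text offset, key      :", locate_known_text(C1, KNOWN))
```

When both files share a keystream it cancels in the XOR, leaving only the difference between the two plaintexts, which is why that XOR looks so much less random than either file on its own.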

If you've got any tips, either:

Together, we can help people shock themselves in the butt better.

UPDATE: Twitter has been helpful already! See this thread for more info, but current thought is that it may be a 32-bit LFSR. Thanks to scanlime for the help!