Shmoocon 2016: Reverse Engineering Cheap Chinese Radio Firmware

Every once in a great while, a piece of radio gear catches the attention of a prolific hardware guru and is reverse engineered. A few years ago, it was the RTL-SDR, and since then, software defined radios became the next big thing. Last weekend at Shmoocon, [Travis Goodspeed] presented his reverse engineering of the Tytera MD380 digital handheld radio. The hack has since been published in PoC||GTFO 0x10 (56MB PDF, mirrored) with all the gory details that turn a $140 radio into the first hardware scanner for digital mobile radio.

Tytera
The Tytera MD-380 digital radio

The Tytera MD380 is a fairly basic radio with two main chips: an STM32F405 with a megabyte of Flash and 192k of RAM, and an HR C5000 baseband. The STM32 has both JTAG and a ROM bootloader, but both of these are protected by the Readout Device Protection (RDP). Getting around the RDP is the very definition of a jailbreak, and thanks to a few forgetful or lazy Chinese engineers, it is most certainly possible.

The STM32 in the radio implements a USB Device Firmware Upgrade (DFU), probably because of some example code from ST. Dumping the memory from the standard DFU protocol just repeated the same binary string, but with a little bit of coaxing and investigating the terrible Windows-only official client application, [Travis] was able to find non-standard DFU commands, write a custom DFU client, and read and write the ‘codeplug’, an SPI Flash chip that stores radio settings, frequencies, and talk groups.

Further efforts to dump all the firmware on the radio were a success, and with that began the actual reverse engineering of the radio. It runs an ARM port of MicroC/OS-II, a real-time embedded operating system. This OS is very well documented, with slightly more effort new functions and patches can be written.

In Digital Mobile Radio, audio is sent through either a public talk group or a private contact. The radio is usually set to only one talk group, and so it’s not really possible to listen in on other talk groups without changing settings. A patch for promiscuous mode – a mode that puts all talk groups through the speaker – is just setting one JNE in the firmware to a NOP.

The Tytera MD-830 ships with a terrible Windows app used for programming the radio
The Tytera MD-380 ships with a terrible Windows app used for programming the radio

With the help of [DD4CR] and [W7PCH], the entire radio has been reverse engineered with rewritten firmware that works with the official tools, the first attempts of scratch-built firmware built around FreeRTOS, and the beginnings of a very active development community for a $140 radio. [Travis] is looking for people who can add support for P25, D-Star, System Fusion, a proper scanner, or the ability to send and receive DMR frames over USB. All these things are possible, making this one of the most exciting radio hacks in recent memory.

Before [Travis] presented this hack at the Shmoocon fire talks, intuition guided me to look up this radio on Amazon. It was $140 with Prime, and the top vendor had 18 in stock. Immediately after the talk – 20 minutes later – the same vendor had 14 in stock. [Travis] sold four radios to members of the audience, and there weren’t that many people in attendance. Two hours later, the same vendor had four in stock. If you’re looking for the best hardware hack of the con, this is the one.

Emulating and Cloning Smart Cards

A few years ago, we saw a project from a few researchers in Germany who built a device to clone contactless smart cards. These contactless smart cards can be found in everything from subway cards to passports, and a tool to investigate and emulate these cards has exceptionally interesting implications. [David] and [Tino], the researchers behind the first iteration of this hardware have been working on an improved version for a few years, and they’re finally ready to release it. They’re behind a Kickstarter campaign for the ChameleonMini, a device for NFC security analysis that can also clone and emulate contactless cards.

While the original Chameleon smart card emulator could handle many of the contactless smart cards you could throw at it, there at a lot of different contactless protocols. The new card can emulate just about every contactless card that operates on 13.56 MHz.

The board itself is mostly a PCB antenna, with the electronics based on an ATXMega128A4U microcontroller. This micro has AES and DES encryption engines, meaning if your contactless card has encryption and you have the cryptographic key, you can emulate that card with this device. They’re also making a more expensive version that also has a built-in reader that makes the ChameleonMini a one-stop card cloning tool.

Hackaday Links: January 17, 2016

The BBC has commissioned a new series of Robot Wars. This is not Battlebots; that show was revived last year, and a second season will air again this summer. Robot Wars is the one with the ‘house’ robots. We would like to take this opportunity to remind the BBC that Robot Wars is neither Scrapheap Challenge nor Junkyard Wars, and by virtue of that fact alone is an inferior show.

[Fran] is a favorite around these parts. She’s taken apart a Saturn V Launch Vehicle Digital Computer, visited the Smithsonian Air and Space Museum warehouse, and is the occasional host of the Dinosaur Den with [Bil Herd]. Now, she’s relaunching her line of guitar pedals. ‘Boutique’ pedals are a weird market, but with the help of a few manufacturers, [Fran] is bringing her Peachfuzz pedal back to life through Kickstarter.

Want to be an astronaut? Here’s the application.

Here’s your monthly, ‘WTF is this thing on eBay’ link. It’s a clamshell/toilet seat iBook (c.2000), loaded up with an Intel i5 Broadwell CPU, 128 GB of Flash storage, 4 GB of RAM, a 12″ 1024×768 LCD, Gigabit Ethernet, WiFi, Bluetooth, and runs OS X El Capitan. I might be mistaken, but it looks like someone took the motherboard out of a 2015 MacBook Air, crammed it into a sixteen year old computer, and put it up on eBay. I’m not saying that’s what it is; this is from China, and there are people over there making new improved motherboards for a Thinkpad x61. Weirder stuff has already happened.

In the last installment of the Travelling Hacker Box, I asked if anyone can receive mail in Antarctica. A person with friends in the British survey team emailed me, but nothing came of that. It’s summer, so if Antarctica is going to happen, it needs to happen soon.

Shmoocon 2016: The Best Conference Booth You’ll Ever See

Shmoocon is here, and that means a dozen or so security companies have bought a booth and are out to promote themselves. Some are giving out shot glasses. One is giving out quadcopters. It is exceedingly difficult to stand out in the crowd.

At least one company figured it out. They’ve built a game so perfect for the computer literate crowd, so novel, and so interesting it guarantees a line in front of their booth. Who are they? Fortego, but that’s not important right now. The game they’ve created, BattleBits, is the perfect conference booth.

The game play for BattleBits is as simple as counting to two. You’re presented with an eight-bit hexidecimal number, and the goal is to key them into a controller with eight buttons for 1, 2, 4, 8, 16, 32, 64, and 128. The answer for 0x56 is 01010110, and the answer for 0xFF is mashing all the buttons.

BattleBits Screenshot

To anyone not familiar with hex, there’s actually a rather handy trick to the game: you only need to memorize 16 different numbers. Hexadecimal numbers are easily broken up into nibbles, or groups of four bits. All you need to do is solve one hexadecimal digit at a time.

The controllers, or ‘decks’ as they’re, are built around a BeagleBone and a custom cape running a mishmash of Javascript and Python. When the game starts the player or players are presented with random bytes in hexadecimal format. Input the right bits in the shortest amount of time and you’ll work your way up the leader board.

This is by far the best conference booth I’ve ever seen. The creator of the BattleBits hardware, [Riley Porter], says he’ll be releasing the design files and code for this game so anyone can make one, something we really look forward to.

[Riley] also got a video of someone entering nibbles super, super fast.

Shmoocon 2016: Computing In A Post Quantum World

There’s nothing more dangerous, so the cryptoheads say, than quantum computing. Instead of using the state of a transistor to hold the value of a bit as in traditional computers, quantum computers use qubits, or quantum information like the polarization of a photon. According to people who know nothing about quantum computers, they are the beginning of the end, the breaking of all cryptography, and the Rise of the Machines. Lucky for us, [Jean-Philippe Aumasson] actually knows a thing or two about quantum computers and was able to teach us a few things at his Shmoocon talk this weekend, “Crypto and Quantum and Post Quantum”

This talk is the continuation of [Jean-Philippe]’s DEF CON 23 talk that covered the basics of quantum computing (PDF) In short, quantum computers are not fast – they’re just coprocessors for very, very specialized algorithms. Quantum computers do not say P=NP, and can not be used on NP-hard problems, anyway. The only thing quantum computers have going for them is the ability to completely destroy public key cryptography. Any form of cryptography that uses RSA, Diffie-Hellman, Elliptic curves is completely and totally broken. With quantum computers, we’re doomed. That’s okay, according to the DEF CON talk – true quantum computers may never be built.

The astute reader would question the fact that quantum computers may never be built. After all, D-Wave is selling quantum computers to Google, Lockheed, and NASA. These are not true quantum computers. Even if they’re 100 Million times faster than a PC, they’re only faster for one very specific algorithm. These computers cannot simulate a universal quantum computer. They cannot execute Shor’s algorithm, an algorithm that finds the prime factors of an integer. They are not scalable, they are not fault-tolerant, and they are not universal quantum computers.

As far as true quantum computers go, the largest that has every been manufactured only contain a handful of qubits. To crack RSA and the rest of cryptography, millions of qubits are needed. Some algorithms require quantum RAM, which nobody knows how to build. Why then is quantum computing so scary? RSA, ECC, Diffie-Hellman, PGP, SSH and Bitcoin would die overnight if quantum computers existed. That’s a far scarier proposition to someone hijacking your self-driving car or changing the display on a smart, Internet-connected thermostat from Fahrenheit to Celsius.

What is the verdict on quantum computers? Not too great, if you ask [Jean-Philippe]. In his opinion, it will be 100 years until we have a quantum computer. Until then, crypto is safe, and the NSA isn’t going to break your codez if you use a long-enough key.

Microchip’s Proposal To Acquire Atmel

A proposal from Microchip to acquire Atmel has been deemed a ‘superior proposal’ by Atmel’s board of directors (PDF). This is the first step in the acquisition of a merger between Microchip and Atmel, both leading semiconductor companies that have had a tremendous impact in the electronics industry.

Microchip is a leading manufacturer of microcontrollers, most famously the PIC series of micros that can be found in any and every type of electronic device. Atmel, likewise, also has a large portfolio of microcontrollers and memory devices that are found in every type of electronic device. Engineers, hackers, and electronic hobbyists are frequently sided with Microchip’s PIC line or Atmel’s AVR line of microcontrollers. It’s the closest thing we have to a holy war in electronics.

Last September, Dialog acquired announced plans to acquire Atmel for $4.6 Billion. Today’s news of a possible acquisition of Atmel by Microchip follows even larger mergers such as NXP and Freescale, Intel and Altera, Avago and Broadcom, On Semiconductor and Fairchild, and TI and Maxim. The semiconductor industry has cash on hand and costs to cut, these mergers and acquisitions are the natural order of things.

While the deal is not done, the money is on the table, and Atmel’s board is apparently interested.

The Best Projects That Fit In A Square Inch

A few years ago, we started Hackaday.io as a project hosting site for The People Who Actually Make Stuff™, and since then we’ve been amazed by what the community can put together. We have well over 100,000 hackers on board in an awesome community. Sometime around September, a few members of the Hackaday.io community decided to follow in the footsteps of the very successful contests we’ve had on Hackaday.io. This led to the Square Inch Contest, a challenge to put the coolest electronics inside a square inch PCB. An inch the distance light travels in 1/11802852665.12644 of a second for those of you without freedom units.

quad
The winner, Quadcopter In One Inch

With almost eighty entries, the judges had a very difficult task ahead of them. In the end, only one project would be the best. The winner of Hackaday.io’s first user-created contest is Quadcopter In One Inch from [jeff]. This wins the grand prize of a $100 credit for the Hackaday Store and a $50 gift certificate to OSHPark.

There are six other prizes, each receiving a $50 credit to the Hackaday Store and $25 for OSHPark:

Winners

The judges for the Square Inch Project would like to give an honorable mention to Twiz and the blinktronicator. The judges would also like to express amazement in how much work actually goes into judging a contest on Hackaday.io. Spending a few weeks working on the judging for a contest with eighty entries imbues a sort of respect for people who can judge a contest with one thousand entries in three days, as the Hackaday crew has done with two Hackaday Prizes so far. While they were doing that, I was sitting back and cracking jokes about Fleiss’ Kappa.

This was the first community-created contest on Hackaday.io, but it is surely not the last. We don’t know what the next contest will be – that will be up to someone on Hackaday.io – but there will be one, and like the Square Inch Project, it will be awesome.