33C3: Dissecting 3G/4G Phone Modems

[LaForge] and [Holger] have been hacking on cell phones for quite a while now, which led to them working on the open cellphone at OpenMoko and developing the OsmocomBB open-source GSM baseband software. Now they are turning their sights on 3G and 4G modems, mostly because they would like to use them inside their own devices, but also because they would like to make them accessible to the broader hacker community. In this talk at the 33rd Chaos Communication Congress (33C3), they discuss their progress in making this darkest part of the modern smartphone useful for the rest of us.

This talk isn’t about the plug-and-play usage of a modern cell-phone modem, though, it’s about reprogramming it. They pick a Qualcomm chipset because it exposes the useful DIAG protocol, and in particular choose the Quectel EC20 module, built around the Qualcomm MDM9615 baseband (the same chipset found in the iPhone 5), because it makes the DIAG stream easily available.

Our story begins with a firmware upgrade from the manufacturer. They unzipped the files, and were pleasantly surprised to find that it’s actually running Linux, undocumented and without the source code being available. Now, [LaForge] just happens to be the founder of gpl-violations.org and knows a thing or two about getting code from vendors who use Linux without following the terms and conditions. The legal story is long and convoluted, and still ongoing, but they got a lot of code from Quectel, and it looks like they’re trying to make good.

Qualcomm, on the other hand, makes the Linux kernel source code available, if not documented. (This is the source on which Quectel’s code is based.) [LaForge] took over the task of documenting it, and then developing some tools for it — there is more going on than we can cover. All of the results of their work are available on the wiki site, if you’re getting ready to dig in.


ESP8266 BASIC Sets Up a Web Remote in No Time

One of the sticking points for us with our own Internet of Things is, ironically, the Internet part. We build hardware happily, but when it comes time to code up web frontends to drive it all, the thrill is gone and the project is only half-done.

Including some simple web-based scripting functionality along with the microcontroller basics is one of the cleverest tricks up ESP8266 BASIC’s sleeves. BASIC author [mmiscool] puts it to good use in this short demo: a complete learning IR remote control that’s driven through a web interface, written in just a few lines of BASIC.

Note that everything happens inside the ESP8266 here, from hosting the web page to interpreting the button press and blinking the learned code back out through the IR LED to control the target device. This is a sophisticated “hello world”, the bare minimum to get you started. The interface could look slicker and the IR remote could increase its range with more current to the LED, but that would involve adding a transistor and some resistors, doubling the parts count.

For something like $10 in parts, though, this is a fun introduction to the ESP and BASIC. Other examples are simpler, but we think that this project has an awesome/effort ratio that’s hard to beat.

The Best Conference Badge Of 2017 Is A WiFi Lawn

It’s February, conference season hasn’t even started yet, and already there’s a winner of the best electronic badge of the year. For this year’s MAGFest, [CNLohr] and friends distributed 2,000 ESP8266-based swag badges.

Technically, these custom #badgelife badges aren’t badges at all. Apparently, MAGFest wouldn’t allow [CNLohr] to call these devices ‘badges’. Instead, these are ‘swadges’, a combination of swag and badges. On board these swadges is an ESP-12, a quartet of RGB LEDs, and buttons for up, down, left, right, A, B, Select, and Start. The swadge is powered by two AA batteries (sourced from Costco of all places).

[CNLohr] is one of the great ESP8266 experts out there, and one of the design goals of this badge was to have all of the swadges communicate over raw WiFi frames rather than by associating with an access point. This turned out to be a great idea: two thousand badges talking over normal WiFi infrastructure would have saturated the spectrum. The control system was simply three badges, one per WiFi channel, each telling the badges on its channel to change the color of their LEDs.

By all accounts the swadge was a complete success, but with a few hundred blinkey glowey WiFi devices left over, you know [CNLohr] is going to come up with something cool. This time, he turned his lawn into a rave. About 175 swadges were laid out on the lawn, all controlled by a single controller swadge. The color of the LEDs on each swadge in the yard changes in response to the received WiFi signal strength from the controller. By swinging the controller badge around his head, [CNLohr] turned his yard into a disco floor of swirling blinkieness. It looks awesome, although it might not visualize WiFi signals as well as some of [CNLohr]’s other ESP hacks.

This is a fantastic build and was well received by everyone at MAGFest. Be sure to check out the videos below, they truly show off the capabilities of this really cool piece of wearable hardware.


Hacking on the Weirdest ESP Module

Sometimes I see a component that’s bizarre enough that I buy it just to see if I can actually do something with it. That’s the case with today’s example, the ESP-14. At first glance, you’d ask yourself what AI Thinker, the maker of many of the more popular ESP8266 modules, was thinking.

The ESP-14 takes the phenomenally powerful ESP8266 chip and buries it underneath one of the cheapest microcontrollers around: the 8-bit STM8S003 “value line” chip. Almost all of the pins of the ESP chip are locked inside the RF cage’s metal tomb — only the power, bootloader, and serial TX/RX pins see the light of day, and the TX/RX pins are shared with the STM8S. The rest of the module’s pins are dedicated to the STM8S. Slaving the ESP8266 to an STM8S is like taking a Ferrari and wrapping it inside a VW Beetle.

I had never touched an STM8 chip before, and just wanted to see what I could do with this strange beast. In the end, ironically, I ended up doing something that wouldn’t be too far out of place on Alibaba, but with a few very Hackaday twists: a monitor for our washer and dryer that reports power usage over MQTT, programmed in Forth with a transparent WiFi serial bridge into the chip for interactive debugging without schlepping down into the basement. Everything’s open, tweakable, and the Forth implementation for the STM8S was even developed here on Hackaday.io.

It’s a weird project for the weirdest of ESP modules. I thought I’d walk you through it and see if it sparks you to come up with any alternative uses for the ESP8266-and-STM8S odd couple that is the ESP-14.


Ham Radio Trips Circuit Breakers

Arc-fault circuit breakers are a boon for household electrical safety. The garden-variety home electrical fire is usually started by the heat coming from a faulty wire arcing over. But as any radio enthusiast knows, sparks also give off broadband radio noise. Arc-fault circuit interrupters (AFCI) are special circuit breakers that listen for this noise in the power line and trip when they hear it. The problem is that they can be so sensitive that they cut out needlessly. Check out the amusing video below the break.

Our friend [Martin] moved into a new house, and discovered that he could flip the breakers by transmitting on the 20-meter band. “All the lights in the place went out and my rig switched over to battery. I thought it was strange as I was certainly drawing less than 20 A. I reset the breakers and keyed up again. I reset the breakers again and did a [expletive] Google search.”

Jamming WiFi by Jumping on the ACK

As we fill our airwaves with more and more wirelessly connected devices, the question of what could disrupt these systems becomes more and more important. Here’s a particularly interesting example, because the proof of concept shows that you don’t need specialized hardware to pull it off. [Bastian Bloessl] found an interesting tweak to previous research that allows an ordinary Atheros WiFi card to jam WiFi by stomping on ACK frames instead of on the data frames themselves.

The 802.11 MAC requires the receiving station to answer a unicast data frame with an Acknowledgement frame (ACK) once the whole frame has been received and its frame check sequence verified. It basically says: “yep, I got that data frame and it checks out”. That receive-and-verify step is the key to [Bastian’s] technique: the ACK cannot go out until the entire data frame is in, so the attacker’s hardware has the remaining duration of the data frame, plus the fixed SIFS gap that precedes the ACK, to read the addresses and decide whether it’s going to jam the ACK slot or not.

The jamming technique presented by [Mathy Vanhoef] at the end of 2014 outlined both constant and selective jamming. The selective part involved listening for data frames and analyzing them to determine if they are headed to a MAC the attacker wishes to jam. The problem is that by the time your commodity hardware has decoded that address, most of the data frame is already over the air and it’s too late to jam it. [Bastian] isn’t trying to jam the data frame; he’s jamming the ACK that the receiver sends back, whose timing and recipient are known well in advance. Without that acknowledgement the sender assumes the frame was lost, sets the Retry bit and retransmits the same frame with a larger backoff, and only after the retry limit is exhausted does it give up and move on, so the link stalls even though the receiver actually got every frame.
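To make the mechanism above concrete, here is a small simulation of the exchange, written for this page and not taken from [Bastian]’s or [Vanhoef]’s work. It builds and parses plain 802.11 data and ACK headers, models an attacker that reads the addresses out of a data frame while it is still on the air and then transmits during the ACK slot whenever a chosen victim MAC is one endpoint of the link, and runs a sender through its retry loop. The MAC addresses, payloads and the retry limit of 7 (the 802.11 default dot11ShortRetryLimit) are constructed for the example; FCS, PHY timing and the actual Atheros driver are left out.

```python
"""Selective ACK jamming in 802.11, simulated (added example, not the original research code).

Header layouts follow the IEEE 802.11 MAC: a data frame carries Frame Control (2 bytes),
Duration (2), Addr1 = receiver, Addr2 = transmitter, Addr3 = BSSID (6 bytes each) and
Sequence Control (2); an ACK carries Frame Control (2), Duration (2) and RA (6).
The FCS, SIFS timing and backoff are left out. MAC addresses below are constructed.
"""
import struct

RETRY_LIMIT = 7                 # 802.11 dot11ShortRetryLimit default: 1 try + 7 retries
TYPE_CONTROL, TYPE_DATA = 1, 2
SUBTYPE_ACK = 13
HDR = struct.Struct("<HH6s6s6sH")   # 24-byte data-frame MAC header (no QoS/HT fields)
ACK = struct.Struct("<HH6s")        # 10-byte ACK control frame (FCS omitted)


def mac(text):
    """'02:00:00:00:00:01' -> 6 raw bytes."""
    return bytes.fromhex(text.replace(":", ""))


def build_data_frame(receiver, transmitter, bssid, seq, payload, retry=False):
    # Frame Control low byte: version 0, type Data (2), subtype 0 -> 0x08.
    # Flags byte: To-DS (0x01), plus Retry (0x08) on retransmissions.
    flags = 0x01 | (0x08 if retry else 0x00)
    fc = 0x08 | (flags << 8)
    return HDR.pack(fc, 0, receiver, transmitter, bssid, seq << 4) + payload


def parse_header(frame):
    fc, _duration, a1, a2, _a3, seqctl = HDR.unpack_from(frame, 0)
    return {
        "type": (fc >> 2) & 0x3,
        "subtype": (fc >> 4) & 0xF,
        "retry": bool(fc & 0x0800),
        "receiver": a1,
        "transmitter": a2,
        "seq": seqctl >> 4,
    }


def build_ack(ra):
    # type Control (1), subtype ACK (13): low byte = (13 << 4) | (1 << 2) = 0xD4
    return ACK.pack(0x00D4, 0, ra)


def parse_ack_ra(ack):
    fc, _duration, ra = ACK.unpack(ack)
    if (fc >> 2) & 0x3 != TYPE_CONTROL or (fc >> 4) & 0xF != SUBTYPE_ACK:
        raise ValueError("not an ACK frame")
    return ra


class AckJammer:
    """Attacker's card: decodes a data frame's header while the frame is still on the
    air and, if the victim is either endpoint, transmits in the ACK slot that follows,
    so the ACK collides and the data frame's sender cannot decode it."""

    def __init__(self, victim):
        self.victim = victim
        self.jammed = 0

    def should_jam(self, data_frame):
        hdr = parse_header(data_frame)
        if hdr["type"] != TYPE_DATA:
            return False
        hit = self.victim in (hdr["receiver"], hdr["transmitter"])
        self.jammed += int(hit)
        return hit


def run_link(sender, receiver, bssid, payloads, jammer=None):
    """Push a queue of payloads across the simulated channel; return per-frame stats."""
    stats = {"attempts": [], "dropped_by_sender": 0, "accepted_by_receiver": 0, "jammed_acks": 0}
    seen = set()                                  # receiver's duplicate filter (by sequence number)
    for seq, payload in enumerate(payloads):
        attempts, acked = 0, False
        while not acked and attempts <= RETRY_LIMIT:
            attempts += 1
            frame = build_data_frame(receiver, sender, bssid, seq, payload, retry=attempts > 1)
            hdr = parse_header(frame)             # the jammer never touches the data frame itself
            if hdr["seq"] not in seen:
                seen.add(hdr["seq"])
                stats["accepted_by_receiver"] += 1
            ack = build_ack(hdr["transmitter"])   # ACK goes back to whoever sent the data frame
            if jammer is not None and jammer.should_jam(frame):
                stats["jammed_acks"] += 1
                ack = None                        # collision in the ACK slot: nothing decodable
            acked = ack is not None and parse_ack_ra(ack) == sender
        stats["attempts"].append(attempts)
        if not acked:
            stats["dropped_by_sender"] += 1       # retry limit hit: sender gives up on this frame
    return stats


if __name__ == "__main__":
    sta, ap = mac("02:00:00:00:00:01"), mac("02:00:00:00:00:aa")
    frames = [b"frame0", b"frame1", b"frame2"]
    print("clean :", run_link(sta, ap, ap, frames))
    print("jammed:", run_link(sta, ap, ap, frames, AckJammer(sta)))
```

The instructive number is `accepted_by_receiver`: it is the same with and without the jammer, because the data frames were never touched. Only the sender’s view of the link changes, and that is enough to stall it for the full retry budget on every frame, while a station whose MAC is not the victim’s is unaffected.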

SDR and Node.js Remote-Controlled Monster Drift

Most old-school remote controlled cars broadcast their controls on 27 MHz. Some software-defined radio (SDR) units will go that low. The rest, as we hardware folks like to say, is a simple matter of coding.

So kudos to [watson] for actually doing the coding. His monster drift project starts with the basics — sine and cosine waves of the right frequency — and combines them in just the right durations to spit out to an SDR, in this case a HackRF. Watch the smile on his face as he hits the enter key and the car pulls off an epic office-table 180 (video embedded below).
