Sometimes it helps to have an entire set of tools with you to tackle a problem, and sometimes it helps to take the discreet route. [StenoPlasma] took the latter of these approaches, and stuffed a USB hub, a 16 GB flash drive, and an Atheros based USB wireless adapter into a regular looking USB mouse to make a Linux bootable system in a mouse. Because he chose the Atheros adapter, he is also capable of doing packet injection with tools like Aircrack-ng, which can invaluable in a security audit or (white hat) hacking situation.

This is the only photo we have, so it could be possible that the mouse is no more than a mouse, however we know all of what [StenoPlasma] claims is 100% possible, so we’ll give him the benefit of the doubt, and hope this inspires others to hack up your own mouse kits. Be sure to check out the full parts list after the break.

Parts:

• Targus USB 2.0 4-Port Bend-a-Hub (Stripped and re-soldered)
• Belkin USB 10′ Extension Cord (with the extension USB in place to make it easy for me to change cable lengths)
• IOGEAR Atheros Wireless B/G Injectable Cracking Adapter
• Corsair Voyager Mini 16 GB Thumb Drive
• Logitech MX310 Wired Optical Mouse

For those out there who would enjoy a quick and interesting weekend project, this odometer made by [PeckLauros] is for you. Featured on Instructables it is made from the simplest of materials including some cardboard, a calculator, wires, glue, hot glue, magnetic drive key, an old CD and a reader, and a rubber band.  The magnets, when attached to the CD work in a calculation to add 0.11m to the calculator when a magnet closes the circuit. [PeckLauros] points out that since it is a homebrewed device, it does have flaws such as adding 0.11m twice when the CD is rotated too slowly.  It is easily fixed by simply running faster.  The video is below the break.

When a new virus or other piece of malware is identified, security researchers attempt to get a hold of the infection toolkit used by malicious users, and then apply this infection into a specially controlled environment in order to study how the virus spreads and communicates. Normally, these toolkits also include some sort of management console commonly used to evaluate successfulness of infection and other factors of the malware application. In the case of the EFTPS Malware campaign however, the admin console had a special trick.

This console was actually a fake, accepting a number of generic passwords and user accounts, and provide fake statistics to whoever looked in to it. All the while, the console would “call home” with as much data about the researcher as possible. By tricking the researchers in this way, the crooks would be able to stay one step ahead of anti-virus tools that would limit the effectiveness of any exploit. Thankfully though, the researchers managed to come out on top this time.

[via boingboing]

Ever find yourself in the middle of a Game Boy game and your hand cramps up?  Save that sore wrist for something else because now you can hack the Game Boy Advance to add Rapid Fire for the B button.  [William] has developed a way to do this by creating a simple circuit that generates a square wave on the B button when it is pressed.  To do this hack all that was needed was a short shopping list of:

• A Couple NAND Gate ICs
• 2n2222 NPN Transistor
• 0.1uF ceramic capacitor
• A Switch
• 1M ohm resistor
• Some Thin Wire

After that you’re off to the races as [William] documents how he goes about transforming the Game Boy Advance and includes a ton of great pictures and a schematic.  This operation ends with [William] placing the switch for Rapid Fire excellence next to the Right Bumper where it is inconspicuous and yet easy enough to access.

Via [HackedGadgets]

Recently, research students at Georgia Tech released a report outlining the dangers that GPUs pose to the current state of password security. There are a number of ways to crack a password, all with their different pros and cons, but when it comes down to it, the limiting factor in all of these methods is processing complexity. The more operations that need to be run, the longer it takes, and the less useful each tool is for cracking passwords. In the past, most recommendations for password security revolved around making sure your password wasn’t something predictable, such as “password” or your birthday. With today’s (and tomorrows) GPUs, this may no longer be enough.

Although the article never mentions them by name, the newest tools in password cracking are based around two tools, nVidia’s CUDA and AMD’s Stream SDKs. These tools allow programs to be written in C that can be broken up and utilize the parallel nature of the hardware that is usually optimized for graphics. GPUs are much better at large-scale mathematical operations than CPUs because of this parallel layout. Chances are, if you have a somewhat recent graphics card, it is probably compatible with either CUDA or Stream, and if you already know C, you have all the tools necessary to get started.

The lesson to learn here, the longer or more complex a password is, generally the safer it is. Because of this, a number of tools, both software and hardware, may become more and more popular, or necessary, to accommodate this need.

Irongeek.com is hosting an online class on password exploitation. The event was a fundraiser called ShoeCon, but they are hosting the entire series for everyone to share. Not only are the videos there, but you can download the powerpoint slides as well. There is a massive amount of information here on various topics like Hashcat, OCLHashcat, Cain, SAMDump2, Nir’s Password Recovery Tools, Password Renew, Backtrack 4 R1, UBCD4Win. There’s so much info, they split it into 3 sections. The videos are fairly long, between 1 and 2.5 hours each. What might surprise people is the amount of time that google is actually one of the main tools.

These videos can be a fantastic resource for hobby hackers, IT admins, and security professionals.

Yes, its true. Facebook has completely rewritten the PHP runtime to make it faster and more efficient, and its completely open source. Named HipHop, its described as a source code transformer, changing PHP into optimized C++ which is then compiled using g++. Thus keeping the best aspects of PHP while taking advantage of the performance of C++. Using HipHop, the Facebook web server CPU usage has been decreased by about fifty percent! And who would have thought that this and many other cool advances in programming, started at a Hackathon.

You can now download the exploit package for the PlayStation 3. [Geohot] just posted the code you need to pull off the exploit we told you about on Sunday, making it available on a “silver platter” with just a bit of explanation on how it works. He’s located a critical portion of the memory to attack. By allocating it, pointing a whole bunch of code at those addresses, then deallocating it he causes many calls to invalid addresses. At the same time as those invalid calls he “glitches” the memory bus using a button on his FPGA board to hold it low for 40ns. This trips up the hypervisor security and somehow allows read/write access to that section of memory. Gentleman and Ladies, start your hacking. We wish you the best of luck!

[Thanks Phileas]

There’s a warm place in our hearts for the original Nintendo Entertainment System. It’s too bad we don’t have that hardware sitting around anymore. But if you do there’s a chance it needs some TLC and there’s always room for a blue LED mod. [Raph] has a wonderful collection of NES hardware repairs and hacks that you should take a look at. These include replacing the power supply, fixing the cartridge connector, monkeying with the CIC chip, adding a reset button on the controller, converting the audio from mono to stereo, and yes, swapping in a blue LED. Oh, and as a side note, [Raph] gets a bit of extra hacker ‘cred for including “coded manually using VIM” at the bottom of his page. Classic.

While we have our fun ethically hacking, its very easy to forget that sometimes our ideas could be used with malicious goals. Take for instance SparkFun’s BlueSMiRF – the device’s original intention is simply to act as a wireless serial cable replacement. After hackers discovered several PIN pads use a serial interface, they put one and one together to steal several hundreds of people’s personal bank accounts.

It seems SparkFun is getting a lot of heat lately, but we’re glad they stand up and address these issues. You can check out the original news clipping here.

Wired Threat Level has posted an interview with the hacker who recently broke into several high profile twitter accounts, such as Fox News, and Barack Obama. Since we know how much you all love twitter, we thought you might want to learn more about it. Apparently he used a brute force method to get into a member of the support team. The password was “happiness” which was cracked pretty quickly. This might be a good time to review your own strategies to prevent brute force attacks.

Our wallets are filling up with SIM and RFID cards that contain hidden information. Using our latest project, the Bus Pirate universal serial interface, we can dump the memory from many common smart cards. In today’s How-to, we show you how to interface common smart cards, and walk you through the data stored on a FedEx Kinko’s prepaid value card.

Background

The FedEx Kinko’s prepaid card is actually a SLE4442 smart card. There’s nothing secret about the SLE4442, it’s completely documented in the datasheet (PDF), and you can buy blank cards on the web.

The card is openly readable, we’ll be able to look at the contents without any sort of malicious intrusion. It’s protected from writes by a three byte password, with a ‘three strikes you’re out’ policy that renders the card useless after three failed password attempts.

Due to its wide-spread use, in Kinko’s and other capacities, the SLE4442 has been the target of several high-profile hacks.  At the ’06 Toorcon, [bunnie] and [Chris Tarnovsky] hosted a discussion on the card. [Chris] examined the silicon die and suggested that shorting a trace might defeat the security measures. You can see high-resolution images of the die on his site. [Strom Carlson] went right to the source and snooped the password with a logic analyzer, as documented in his famous ’06 Defcon presentation. The card even makes appearances in artwork.

We’re not planning on maliciously intruding on the card, but we can still look at the contents and demonstrate how to interface arbitrary protocols with our latest project, the Bus Pirate.

Connecting to the SLE4442

Grab the SLE4442 datasheet (PDF) if you haven’t already. The pinout is shown in the picture above. If you’re having trouble orienting the card, note that the large center pad connects to ground.

The card requires 5volts DC (datasheet page 27, table 3.2.2), we used the Bus Pirate’s handy 5volt supply. Interfacing at five volts is no problem because the Bus Pirate inputs are all 5volt tolerant.

A two-wire interface is used, with a clock line and bi-directional data line. We connected these to the Bus Pirate’s SDA and SCL pins. A third signal, reset, is required to initialize the chip; we used the Bus Pirate’s auxiliary output to control the reset line. The maximum clock frequency we can use to interface the device is 50kHz, with a 7kHz stated minimum (page 28, table 3.2.4:fCLK). The Bus Pirate’s raw 2 wire protocol runs at about 5kHz, but we didn’t have any problems interfacing the device.

The sle4442 has open collector outputs, and depends on pull-up resistors to hold the bus high. Instead of switching the data pin between ground and 5volts, it switches between ground and high-impedance states. High-impedance means that the chip exerts no state on the line, it lets it float, like a microcontroller input pin.

Each of the signal lines need to be pulled-up to 5volts with a 2K-10K resistor, the value isn’t particularly important.  Without the pull-up resistor, we’ll never see anything but 0 (ground) on the bus because the sle4442 doesn’t exert a voltage of it’s own. A benefit of this technique is that the Bus Pirate, which only switches at 3.3volts, will talk to the sle4442 at a full 5volts, in compliance with the 3.5volt minimum voltage for a high level (datasheet, page 27, table 3.2.3:Vih).

Initializing the card

Before we can read data from the card, we have to initialize it. This is done with a standard ISO 7816-3 Answer to Reset (ATR) command. After initialization, we can read from the card using a simple two wire protocol.

Setup raw 2 wire mode

The interface shares some characteristics with I2C, but it’s not compatible. We used the Bus Pirate’s raw 2 wire bus mode to interface the device.

RAW2>m
1. SPI
2. I2C
3. UART
4. RAW 2 WIRE
5. RAW 3 WIRE
MODE>4 <– raw 2 wire bus mode
900 MODE SET
…
SPEED>1 <– speed setting is ignored in current firmware
901 SPEED SET
1. High-Z outputs (H=input, L=GND)
2. Normal outputs (H=Vcc, L=GND)
MODE>1 <– high impedance output type
9xx OUTPUT HIGHZ
402 RAW2WIRE READY, P FOR PULLUPS
RAW2>

The Bus Pirate has on-board pull-up resistors, but they only pull to 3.3volts. We must use external pull-ups to 5volts, as shown in the picture. High-Z output mode is compatible with the bus, normal outputs would put 3.3volts on the bus, potentially damaging something.

RAW2>l <–configure MSB/LSB
1. MSB first
2. LSB first
MODE>2 <– LSB first
9xx LSB: LEAST SIG BIT FIRST
RAW2>

The card reads and writes each byte least significant bit first (datasheet page 10). We use menu option L to set the data mode to LSB first.

Send 7816-3 ISO answer to reset command

ISO 7816-3 “answer to reset” is a standardized command used among many smart cards. The ATR sequence is shown above: reset is held high, one clock pulse is sent, reset is released. The next 32 clock pulses (4 bytes) read a generic ATR header from the card. The header contains information about the card type and protocol. Multi-card smart card readers use this to determine how to read each card.

RAW2>@^arrrr <– aux high (highz), clock tick, aux low, read 4 bytes
952 AUX HIGH IMP, READ: 1
4xx RAW2WIRE 0×01 CLOCK TICKS
950 AUX LOW
430 RAW2WIRE READ: 0xA2 <–begin ATR header bytes
430 RAW2WIRE READ: 0×13
430 RAW2WIRE READ: 0×10
430 RAW2WIRE READ: 0×91
RAW2>

We issue the command @^arrrr to the Bus Pirate. @ puts the auxiliary pin in high-impedance input mode, the pull-up resistor holds the reset at 5volts. ^ issues one clock pulse, with delay. a returns the auxiliary pin to output and holds the reset line at ground.

r issues 8 clock pulses and displays the returned bits as a byte. This is one instance where the protocol is incompatible with I2C. I2C includes an additional acknowledge bit between each byte, the sle4442 outputs 32bits consecutively.

Page 25 of the datasheet explains the ISO7816-3 header. It’s easiest to interpret in binary. Rather than convert everything to binary, we set the Bus Pirate to binary display mode and issued another ATR command.

RAW2>o <–setup the output mode
1. HEX
2. DEC
3. BIN
4. RAW
OUTPUT MODE>3 <–show numbers in binary
903 OUTPUT MODE SET
RAW2>@^arrrr <–another ATR command
952 AUX HIGH IMP, READ: 1
4xx RAW2WIRE 0b00000001 CLOCK TICKS
950 AUX LOW
430 RAW2WIRE READ: 0b10100010 <–0xA2
430 RAW2WIRE READ: 0b00010011 <–0×13
430 RAW2WIRE READ: 0b00010000 <–0×10
430 RAW2WIRE READ: 0b10010001 <–0×91
RAW2>

The first 2 bytes are protocol header bytes according to ISO 7816-3 (datasheet page 25).

Byte 1 identifies the protocol type.

0b10100010
7:4 – Protocol type (1010=2 wire)
3:3 – RFU (0)
2:0 – Structure Identifier (010=general)

Byte 2, protocol parameters, tells us about the card if we didn’t have a datasheet.

0b00010011
7:7 – Supports random read lengths (0=no, read to end)
6:3 – Data units (0010=256units)
2:0 – Data unit bits (011=8bits per unit)

From the header we can tell that the protocol type is 10, a two wire bus. The card must be read all the way to the end before it accepts a new command. It has 8bits to a unit, and 256units; 256bytes total storage. The final two bytes are 7814-4 data, which seems uninteresting (see datasheet page 26).

Dump main memory (256 bytes)

Once the card is reset and the ATR bytes are read, we can send commands to the card. Commands are three bytes long; they begin with a I2C-style start condition, and end with an I2C-style stop condition. Start and stop conditions can be generated manually with \-/_\ and _/-\, but the raw 2 wire library also includes the shortcuts { and }. The start and stop conditions are the same as I2C, but they’re used at a different point in the transmission.

The read main memory command is 0×30, followed by a read start address (0), and a third byte that doesn’t matter (0xff).  After the stop condition, the card outputs data on every clock until it reaches the end of the memory.  As described by the ATR header, no new commands can be sent until the card reaches the last byte of memory.  Starting at read address 0, it takes 256*8 clock pulses to complete the read cycle.

RAW2>{0×30 0 0xff} 0r255 0r10 <–command
410 RAW2WIRE START CONDITION (\-/_\)
420 RAW2WIRE WRITE: 0×30
420 RAW2WIRE WRITE: 0×00
420 RAW2WIRE WRITE: 0×00
440 RAW2WIRE STOP CONDITION (_/-\)
431 RAW2WIRE BULK READ, 0xFF BYTES: <–bulk read of 255 bytes
0xA2 0×13 0×10 0×91 0×46 0xFF 0×81 0×15
0xFF 0×01 0x4B 0×03 0×00 0xFF 0xFF 0xFF
0xFF 0xFF 0xFF 0xFF 0xFF 0xD2 0×76 0×00
0×00 0×04 0×09 0xFF 0xFF 0xFF 0xFF 0xFF
0x7B 0×14 0xAE 0×47 0xE1 0x7A 0×94 0x3F
0x4C 0×46 0xC6 0x3B 0×00 0×00 0×00 0×00
0×20 0×08 0×03 0×04 0×09 0x** 0x** 0x**
0×00 0×00 0×00 0×00 0×00 0×00 0×00 0×00
0×00 0×00 0xFF 0xFF 0xFF 0xFF 0xFF 0xFF
0xFF 0xFF 0xFF 0xFF 0xFF 0xFF 0xFF 0xFF
0xFF 0xFF 0xFF 0xFF 0xFF 0xFF 0xFF 0xFF
0xFF 0xFF 0xFF 0xFF 0xFF 0xFF 0xFF 0xFF
0×30 0×31 0×3* 0×3* 0×30 0×30 0×31 0×33
0×3* 0×3* 0×3* 0×00 0×00 0×00 0×00 0×00
0×00 0×00 0×00 0×00 0×43 0×61 0×73 0×68
0×20 0×43 0×75 0×73 0×74 0x6F 0x6D 0×65
0×72 0×00 0×00 0×00 0×00 0×00 0×00 0×00
0×00 0×00 0×00 0×00 0×00 0×00 0×00 0×39
0×39 0×31 0×31 0×00 0×31 0×30 0×31 0×00
0×30 0×30 0×30 0×30 0×30 0×00 0×00 0×00
0×00 0×00 0×00 0×00 0×00 0×00 0×00 0×00
0×00 0×00 0×00 0×00 0×00 0×00 0×00 0×00
0×00 0×00 0×00 0×03 0×00 0×00 0×01 0×00
0×00 0×00 0×00 0×00 0×00 0×00 0×00 0×00
0×00 0×00 0×00 0×00 0×00 0×00 0×00 0×20
0×08 0×03 0×04 0×09 0x** 0x** 0x** 0×00
0×00 0×00 0×00 0×00 0×00 0xFF 0xFF 0xFF
0xFF 0xFF 0xFF 0xFF 0xFF 0xFF 0xFF 0xFF
0xFF 0xFF 0xFF 0xFF 0xFF 0xFF 0xFF 0xFF
0xFF 0xFF 0xFF 0xFF 0xFF 0xFF 0xFF 0xFF
0xFF 0xFF 0xFF 0xFF 0xFF 0xFF 0xFF 0xFF
0xFF 0xFF 0xFF 0xFF 0xFF 0×00 0×00
431 RAW2WIRE BULK READ, 0x0A BYTES: <–again to get last byte (256)
0×00 0xFF 0xFF 0xFF 0xFF 0xFF 0xFF 0xFF 0xFF 0xFF
RAW2>

{ issues the bus start condition. 0×30 sends the read address, 0 is the start byte, and 0xff could be anything. } sends the bus stop condition. 0r255 clocks in 255 8bit bytes and displays them on the screen. The card actually has 256 bytes of main memory, so we issue an additional read command to get the last byte and verify that the bus returns to high after the read is over. We can’t use 0r256 because the Bus Pirate doesn’t understand decimal numbers greater than 255 (we should address that).

What does the data mean?

We dissected the card according the datasheet, [Strom]‘s Defcon presentation, and this handy guide (PDF).

32byte Header…

0xA2 0×13 0×10 0×91 <–The first four bytes are a repeat of the ATR data
0×46 0xFF 0×81 0×15<–manufacturer tags, other junk
0xFF 0×01 0x4B 0×03 0×00 <–ICCF, IC card fabricator id
0xFF 0xFF 0xFF 0xFF <–ICCN, IC serial number, 0
0xFF 0xFF 0xFF 0xFF<– misc tags and lengths, 0
0xD2 0×76 0×00 0×00 0×04 0×09 <–application identifier (Kinko’s?)
0xFF 0xFF 0xFF 0xFF 0xFF <–all other bytes 0

The first 32 bytes are a permanently burned header with serial numbers, manufacturer codes, and other unique data (datasheet page 24). This header prevents exact duplication of cards, even if you have a blank card and a security code. Kinko’s didn’t have a custom serial number permanently burned into each card.

Now data….

0x7B 0×14 0xAE 0×47 0xE1 0x7A 0×94 0x3F <– IEEE-754 value, $0.02

This is the value stored on the card, in IEEE-754 format. You can use this utility to make it readable. 0x3f947ae147ae147b=$0.02.

…8 bytes of junk…
0×20 <– 0×20 after copy, 0×00 after computer time
0×08 0×03 0×04 0×09 0x** 0x** 0x**<–date/time purchased

This is the date and time the card was purchased, 2008 March 4, 9:**:**.**. Some digits have been obscured to protect the anonymity of our supplier.

…40 bytes of junk…
0×30 0×31 0×3* 0×3* <–Store number: 01**
0×30 0×30 0×31 0×33 0×3* 0×3* 0×3* <– SN: 0013***

The card serial number consists of the store number and a unique, seven digit number. Some digits obscured.

…more bytes…
0×08 0×03 0×04 0×09 0x** 0x** 0x** <– another time
…more bytes…
0xFF 0xFF 0xFF 0xFF 0xFF 0×00 0×00 0×00<– last 8 bytes on the card
0xFF 0xFF… <-not real data bytes

Dump protection memory (4 bytes)

The first 32 bytes of the data memory can be write protected. Each bit of the four byte data protection register (command 0×34) represents a byte of data memory. A bit set to 1 cannot be overwritten. We can read the data protection register and find out which bytes of the main memory are write protected. This is easiest to understand in binary, so we did this operation in binary output mode.

RAW2>{0×34 0 0} 0r4 <–command
410 RAW2WIRE START CONDITION (\-/_\)
420 RAW2WIRE WRITE: 0b00110100
420 RAW2WIRE WRITE: 0b00000000
420 RAW2WIRE WRITE: 0b00000000
440 RAW2WIRE STOP CONDITION (_/-\)
431 RAW2WIRE BULK READ, 0b00000100 BYTES:
0b00100000 0b11100001 0b00011111 0b11111000 <–data protection register
RAW2>

Each bit corresponds with one of the first 32 bytes of the card memory. If the bit is one, the corresponding byte is write protected. This register can be written, but only if you have the correct password.

Dump security memory (4 bytes)

The security memory contains a password verification attempt counter, and the three byte password. We can read the read the security memory without the password, but the password bytes will read as 0. The security memory address is 0×31.

RAW2>{0×31 0 0} 0r4 <–command
410 RAW2WIRE START CONDITION (\-/_\)
420 RAW2WIRE WRITE: 0b00110001
420 RAW2WIRE WRITE: 0b00000000
420 RAW2WIRE WRITE: 0b00000000
440 RAW2WIRE STOP CONDITION (_/-\)
431 RAW2WIRE BULK READ, 0b00000100 BYTES:
0b00000100 0b00000000 0b00000000 0b00000000<–bytes
RAW2>

The attempt counter starts at three (0b00000111), and counts down to 0. When the counter reads 0, the card is essentially destroyed. We used two access attempts to test the password commands, this card has one try left.

Taking it further

We’d like to demonstrate all the capabilities of this card, including password verification and data updates, but we need to buy a new card with a known security code.

Due to the range of interesting smart cards cards out there, it might be handy to add an ISO 7816-3 ATR command macro and reply decoder to the Bus Pirate.

This is a paid, freelancing position that requires professionalism, consistency, and reliability. We want to hear from people that are passionate about software/hardware hacking and growing Hack a Day. To apply, send the following to jobs@hackaday.com

• A short bio about yourself
• 3 example daily posts written in the style of Hack a Day
• 3 software or hardware how-tos you’d like to see. For examples of work we’ve done in the past, look here, here, here, and here.
• A couple sentences on how you would improve the site either through features or content
• Any additional reasons why you would make a good fit for Hack a Day

Do not send any attachments. Having your own blog you can show off is a definite plus.

[photo:fbz]

A few days ago a lone individual decided to crack [Governor Sarah Palin]‘s private Yahoo! email account. He did this by navigating the password reset procedure. [Gov. Palin]‘s birthday was publicly available and Wasilla only had two zip codes to guess. The follow up question “Where did you meet your spouse” required some more research. They met in high school so a few more guesses turned up “Wasilla high” as the answer. The original poster then read every single email only to discover that there really wasn’t anything of interest there. Frustrated, he posted the details to 4chan to let any wonk have at it. /b/ members began posting screenshots of the account, but very little came of it.

One screenshot of her inbox even revealed her daughter Bristol’s cell phone number. While there was no groundbreaking political information revealed, it is important to point out that it appears that Gov. Palin was using this private account to correspond to her assistants about potentially sensitive government information. This security breach should serve as a wake-up call to many public officials by showing how dangerous it can be to have a private e-mail account, especially when a free web-based service such as Yahoo! is used.