Hacking The IM-ME To Open Garages

If you have a wirelessly controlled garage door, a child’s toy can wirelessly open it in a few seconds. [Samy Kamkar] is a security researcher who likes to “think bad, do good”. He’s built OpenSesame, a device that can wirelessly open virtually any fixed-code garage door in seconds, exploiting a new attack he’s discovered in wireless fixed-pin devices, using the Mattel IM-ME toy.

The exploit works only on a gate or garage which uses “fixed codes”. To prevent this type of attack, all you need to do is to upgrade to a system which uses rolling codes, hopping codes, Security+ or Intellicode. These are not foolproof from attack, but do prevent the OpenSesame attack along with other traditional brute forcing attacks. It seems there are at least a couple of vendors who still have such vulnerable products, as well as several more whose older versions are affected too.

Before you read further, a caveat – the code released by [Samy] is intentionally bricked to prevent it from being abused. It might work, but just not quite. If you are an expert in RF and microcontrollers, you could fix it, but then you wouldn’t need his help in the first place, would you?

The IM-ME is a defunct toy and Mattel no longer produces it, but it can be snagged from Amazon or eBay if you’re lucky. The Radica Girltech IM-ME texting toy has been extensively hacked and documented. Not surprising, since it sports a TI CC1110 sub-GHz RF chip, an LCD display, keyboard, backlight, and more. A good starting point is the GoodFET open-source JTAG adapter, followed by the work of [Travis Goodspeed], [Dave] and [Michael Ossmann].

One issue with fixed code systems is their limited key space. For example, a remote with 12 binary dip switches supports 12 bits of possible combinations. Since it’s binary and 12 bits long, that’s 2^12, which is 4096 possible combinations. With a bit of math, [Samy] shows that it takes 29 minutes to open an (8-12)-bit garage, assuming you know the frequency and baud rate, both of which are pretty common. If you have to attempt a few different frequencies and baud rates, then the time it takes is a multiple of 29 minutes. If you don’t transmit the codes multiple times, and remove the pauses in between codes, the whole exercise can be completed in 3 minutes.

The weak link in the hardware is how the shift registers which decode the received codes work. Each bit is loaded into the register sequentially, gradually moving along as additional bits come in and push the previous ones out. By exploiting this with an algorithm [Samy] wrote based on the De Bruijn sequence, the whole brute force attack can be completed in just over 8 seconds. OpenSesame implements this algorithm to produce every possible overlapping sequence of 8-12 bits in the least amount of time.
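To make the shift-register weakness concrete, here is an added simulation (not code from OpenSesame or from the original post) that feeds a De Bruijn bit stream into a model of a never-cleared shift register and counts the codes it ends up comparing. The framed receiver is a hypothetical contrast case assumed for illustration; all function names are invented here.

```python
# Added illustration: models the receiver behaviour described above.
# It is not OpenSesame code and transmits nothing.

def de_bruijn_bits(n):
    """Binary De Bruijn sequence B(2, n), standard Lyndon-word construction."""
    a = [0] * (n + 1)
    seq = []

    def db(t, p):
        if t > n:
            if n % p == 0:
                seq.extend(a[1:p + 1])
        else:
            a[t] = a[t - p]
            db(t + 1, p)
            for j in range(a[t - p] + 1, 2):
                a[t] = j
                db(t + 1, t)

    db(1, 1)
    return seq + seq[:n - 1]  # unroll the cycle so the final windows are complete


def codes_seen_by_shift_register(bits, n):
    """Every n-bit value a never-cleared shift register holds as bits stream in."""
    mask = (1 << n) - 1
    reg, seen = 0, set()
    for i, b in enumerate(bits):
        reg = ((reg << 1) | b) & mask  # new bit pushes the oldest one out
        if i >= n - 1:                 # register is full from here on
            seen.add(reg)
    return seen


def codes_seen_by_framed_receiver(bits, n):
    """Hypothetical receiver that only compares on n-bit frame boundaries."""
    seen = set()
    for i in range(0, len(bits) - n + 1, n):
        frame = 0
        for b in bits[i:i + n]:
            frame = (frame << 1) | b
        seen.add(frame)
    return seen


if __name__ == "__main__":
    n = 12
    stream = de_bruijn_bits(n)
    print("bits sent one code at a time:", (2 ** n) * n)
    print("bits in overlapping stream:  ", len(stream))
    print("codes seen, shift register:  ", len(codes_seen_by_shift_register(stream, n)))
    print("codes seen, framed receiver: ", len(codes_seen_by_framed_receiver(stream, n)))
```

Framing only removes the overlap shortcut and leaves the 4096-code key space intact, so the upgrade to rolling codes described above is still the fix.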

You can see how the code works by checking it out on GitHub. [Samy] loves doing such investigative work – check out his combo lock code breaker we featured recently, the scary, keyboard sniffing wall wart and the SkyJack – a drone to hack all drones.


Chipcon CC1110/CC1111 serial bootloader

[Joby Taffey] just rolled out a serial bootloader for the Chipcon CC1110/CC1111 processors. The project is called CCTL and aims to make prototyping with the Girltech IM-ME a bit less tedious. Up until now, firmware for the device had to be pushed in with a GoodFET or TI proprietary programmer, which was quite slow. But this bootloader makes it possible to push your code via the chip’s serial port at 115200 baud. The pretty pink pager isn’t the only device using these chips, and to prove it [Joby] sent this picture of all the electronics he has on hand running this architecture.

Once the 1KB CCTL bootloader has been flashed to the chip, a serial port or USB to Serial converter can be used as a programmer. [Joby] warns that the Chipcon processors are not 5V tolerant so you need to either use a 3V serial converter or add a level converter into the mix.

CCTL provides the features you’d expect from a bootloader. It uses the chip’s watchdog timer to guard against failure due to broken code. And there is an upgrade mode available at power up. Instructions for use are included in the GitHub repo linked at the top.

Project 25 Digital Radios (law enforcement grade) vulnerable to the IM-ME

Would you believe you can track, and even jam law enforcement radio communications using a pretty pink pager? It turns out the digital radios using the APCO-25 protocol can be jammed using the IM-ME hardware. We’ve seen this ‘toy’ so many times… yet it keeps on surprising us. Or rather, [Travis Goodspeed’s] ability to do amazing stuff with the hardware is what makes us perk up.

Details about this were presented in a paper at the USENIX conference a few weeks ago. Join us after the break where we’ve embedded the thirty-minute talk. There’s a lot of interesting stuff in there. The IM-ME can be used to decode the metadata that starts each radio communication. That means you can track who is talking to whom. But for us the most interesting part was starting at about 15:30 when the presenter, [Matt Blaze], talked about directed jamming that can be used to alter law enforcement behavior. A jammer can be set to only jam encrypted communications. This may prompt an officer to switch off encryption, allowing the attackers to listen in on everything being said to or from that radio.


Making the IM-ME dongle more useful

So you’ve hacked your IM-ME six ways from Sunday but don’t know what to do with the USB dongle? [Joby Taffey] set out to make this leftover a useful part of the hacking arsenal. He pulled off the USB connector and the USB controller chip. From there he glued on the pin headers as pictured above in order to turn this into a breadboard-friendly single in-line package. But wait, that’s not all… for the low-low price of common components he also built a power and programming cable. Once it’s all said and done you can load PinkOS, an operating system he developed for the device which lets you operate the onboard radio via serial protocol.

Need a better overview of the hardware on the board? [Joby] laid the groundwork for this hack back in October.

Wireless Sniffing and Jamming of Chronos and iclicker

The ubiquitous presence of wireless devices combined with easy access to powerful RF development platforms makes the everyday world around us a wireless hacker’s playground. Yesterday [Travis Goodspeed] posted an article showing how goodfet.cc can be used to sniff wireless traffic and also to jam a given frequency. We’ve previously covered the work of [Travis] in pulling raw data from the IM-ME spectrum analyzer, which also uses goodfet.cc.

The Texas Instruments Chronos watch dev platform contains a C1110 chip, which among other things can provide accelerometer data from the watch to an interested sniffer. The i>clicker classroom response device (which houses a XE1203F chip) is also wide open to this, yielding juicy info about your classmates’ voting behaviour. There is still some work to be done to improve goodfet.cc, and [Travis] pays in beer–not in advance, mind you.

With products like the Chronos representing a move towards personal-area wireless networks, this sort of security hole might eventually have implications for the individual privacy of, for example, biometric data–although how that might be exploited is another topic. Related to this idea is that of sniffable RFID card data. How does the increasing adoption of short-range wireless technologies affect us, both for good and bad? We invite you to share your ideas in the comments.

Dungeon crawler game for IM-ME (and Linux)

[Joby Taffey] takes the prize for the first completed homebrew game for the IM-ME. Over the last few weeks we’ve seen [Travis Goodspeed] working with sprite graphics, and [Emmanuel Roussel] developing game music for the pink pager. But [Joby] didn’t really use either of those.

[Travis’] sprites were using a framebuffer that fills up a lot of valuable RAM. [Joby] decided to draw the room screens (all of them have been stitched together for the image above) as a one-time background image to keep the memory free. From there, the screen is updated in 8×8 blocks based on cursor movement. He also decided not to add music as he feels the high-pitched piezo is not capable of making sound without driving everyone crazy.

Source code is available and for those of you who don’t own this pretty handheld, the game can also be compiled in Linux.

IM-ME plays music in preparation for gaming

[Emmanuel Roussel] is coding a version of Tetris for the IM-ME. Before you get too excited, he hasn’t actually written the game yet, but instead started with the familiar theme music. The IM-ME has a piezo speaker on board so it’s just a question of frequency and duration. [Emmanuel] developed an Open Office spreadsheet that calculates each note’s frequency and the timer value needed to produce it. He then created a data type that stores a note and its duration and used an array of those structures to store the song. If you’ve ever wondered how to cleanly code music, this is a wonderful example to learn from because right now the code doesn’t have anything other than that code to get in the way.

The ground work for this was established in the other hacks we’ve seen. Now we’re left wondering who will finish coding their game first. Will it be [Emmanuel’s] Tetris or [Travis’] Zombie Gotcha?