[Joby Taffey] just rolled out a serial bootloader for the Chipcon CC1110/CC1111 processors. The project is called CCTL and aims to make prototyping with the Girltech IM-ME a bit less tedious. Up until now firmware for the device had to be pushed in with a GoodFET or TI proprietary programmer which was quite slow. But this bootloader makes it possible to push your code via the chip’s serial port at 115200 baud. But the pretty pink pager isn’t the only device using these chips and to prove it [Joby] send this picture of all the electronics he has on hand running this architecture.
Once the 1KB CCTL bootloader has been flashed to the chip, a serial port or USB to Serial converter can be used as a programmer. [Joby] warns that the Chipcon processors are not 5V tolerant so you need to either use a 3V serial converter or add a level converter into the mix.
CCTL provides the features you’d expect from a bootloader. It uses the chip’s watchdog timer to guard against failure due to broken code. And there is an upgrade mode available at power up. Instruction for use are included in the Github repo linked at the top.
Would you believe you can track, and even jam law enforcement radio communications using a pretty pink pager? It turns out the digital radios using the APCO-25 protocol can be jammed using the IM-ME hardware. We’ve seen this ‘toy’ so many times… yet it keeps on surprising us. Or rather, [Travis Goodspeed’s] ability to do amazing stuff with the hardware is what makes us perk up.
Details about this were presented in a paper at the USENIX conference a few weeks ago. Join us after the break where we’ve embedded the thirty-minute talk. There’s a lot of interesting stuff in there. The IM-ME can be used to decode the metadata that starts each radio communication. That means you can track who is talking to whom. But for us the most interesting part was starting at about 15:30 when the presenter, [Matt Blaze], talked about directed jamming that can be used to alter law enforcement behavior. A jammer can be set to only jam encrypted communications. This may prompt an officer to switch off encryption, allowing the attackers to listen in on everything being said to or from that radio.
Continue reading “Project 25 Digital Radios (law enforcement grade) vulnerable to the IM-ME”
So you’ve hacked your IM-ME six ways from Sunday but don’t know what to do with the USB dongle? [Joby Taffey] set out to make this leftover a useful part of the hacking arsenal. He pulled off the USB connector and the USB controller chip. From there he glued on the pin headers as pictured above in order to turn this into a breadboard-friendly single in-line package. But wait, that’s not all… for the low-low price of common components he also built a power and programming cable. Once it’s all said and done you can load PinkOS, an operating system he developed for the device which lets you operate the onboard radio via serial protocol.
Need a better overview of the hardware on the board? [Joby] laid the groundwork for this hack back in October.
The ubiquitous presence of wireless devices combined with easy access to powerful RF development platforms makes the everyday world around us a wireless hacker’s playground. Yesterday [Travis Goodspeed] posted an article showing how goodfet.cc can be used to sniff wireless traffic and also to jam a given frequency. We’ve previously covered the work of [Travis] in pulling raw data from the IM-ME spectrum analyzer, which also uses goodfet.cc.
The Texas Instruments Chronos watch dev platform contains a C1110 chip, which among other things can provide accelerometer data from the watch to an interested sniffer. The i>clicker classroom response device (which houses a XE1203F chip) is also wide open to this, yielding juicy info about your classmates’ voting behaviour. There is still some work to be done to improve goodfet.cc, and [Travis] pays in beer–not in advance, mind you.
With products like the Chronos representing a move towards personal-area wireless networks, this sort of security hole might eventually have implications to individual privacy of, for example, biometric data–although how that might be exploited is another topic. Related to this idea is that of sniffable RFID card data. How does the increasing adoption of short-range wireless technologies affects us, both for good and bad? We invite you to share your ideas in the comments.
[Joby Taffey] takes the prize for the first completed homebrew game for the IM-ME. Over the last few weeks we’ve seen [Travis Goodspeed] working with sprite graphics, and [Emmanuel Roussel] developing game music for the pink pager. But [Joby] didn’t really use either of those.
[Travis’] sprites were using a framebuffer that fills up a lot of valuable RAM. [Joby] decided to draw the room screens (all of them have been stitched together for the image above) as a one-time background image to keep the memory free. From there, the screen is updated in 8×8 blocks based on cursor movement. He also decided not to add music as he feels the high-pitched piezo is not capable making sound without driving everyone crazy.
Source code is available and for those of you who don’t own this pretty handheld, the game can also be compiled in Linux.
[Emmanuel Roussel] is coding a version of Tetris for the IM-ME. Before you get too excited, he hasn’t actually written the game yet, but instead started with the familiar theme music. The IM-ME has a piezo speak on board so it’s just a question of frequency and duration. [Emmanuel] developed an Open Office spread sheet that calculates each note’s frequency and the timer value needed to produce it. He then created a data type that stores a note and its duration and used an array of those structures to store the song. If you’ve ever wondered how to cleanly code music this is a wonderful example to learn from because right now the code doesn’t have anything other than that code to get in the way.
The ground work for this was established in the other hacks we’ve seen. Now we’re left wondering who will finish coding their game first. Will it be [Emmanuel’s] Tetris or [Travis’] Zombie Gotcha?
It’s fun to pick apart code, but it gets more difficult when you’re talking about binaries. [Joby Taffey] opened up the secrets to one of [Travis Goodspeed’s] hacks by disassembling and sniffing the data from a Zombie Gotcha game binary.
We looked in on [Travis’] work yesterday at creating a game using sprites on the IM-ME. He challenged readers to extract the 1-bit sprites from an iHex binary and that’s what got [Joby] started. He first tried to sniff the LCD data traces using a Bus Pirate but soon found the clock signal was much too fast for the device to reliably capture the signals. After looking into available source code from other IM-ME hacks [Joby] found how the SPI baud rate is set, then went to work searching for that in a disassembly of [Travis’] binary. Once found, he worked through the math necessary to slow down communication from 2.7 Mbit/s to 2400 bps and altered the binary data to match that change. This slower speed is more amenable to the Bus Pirate’s capabilities and allowed him to dump the sprite data as it was sent to the LCD screen.