Shmoocon 2017: Dig Out Your Old Brick Phone

The 90s were a wonderful time for portable communications devices. Cell phones had mass, real buttons, and thick batteries – everything you want in next year’s flagship phone. Unfortunately, Zach Morris’ phone hasn’t been able to find a tower for the last decade, but that doesn’t mean these phones are dead. This weekend at Shmoocon, [Brandon Creighton] brought these phones back to life. The Motorola DynaTAC lives again.

[Brandon] has a history of building ad-hoc cell phone networks. A few years ago, he was part of Ninja Tel, the group that set up their own cell phone network at DEF CON. That was a GSM network, and brickphones are so much cooler, so for the last few months he’s set his sights on building out a 1G network. All the code is up on GitHub, and the hardware requirements for building a 1G tower are pretty light; you can roll your own 1G network for about $400.

The first step in building a 1G network, properly referred to as an AMPS network, is simply reading the documentation. The entire spec is only 136 pages, it’s simple enough for a single person to wrap their head around, and the concept of a ‘call’ really doesn’t exist. AMPS looks more like a trunking system, and the voice channels are just FM. All of this info was translated into GNU Radio blocks, and [Brandon] could place a call to an old Motorola flip phone.

As far as hardware is concerned, AMPS is pretty lightweight when compared to the capabilities of modern SDR hardware. The live demo setup used an Ettus Research USRP N210, but this is overkill. These phones operate around 824-849 MHz with minimal bandwidth, so a base station could easily be assembled from a single HackRF and an RTL-SDR dongle.

Yes, the phones are old, but there is one great bonus concerning AMPS. Nobody is really using these frequencies anymore in the US. That’s not to say building your own unlicensed 1G tower in the US is legally permissible, but if nobody reports you, you can probably get away with it.

Shmoocon 2017: A Simple Tool For Reverse Engineering RF

Anyone can hack a radio, but that doesn’t mean it’s easy: there’s a lot of mechanics that go into formatting a signal before you can decode the ones and zeros.

At his Shmoocon talk, [Paul Clark] introduced a great new tool for RF Reverse Engineering. It’s called WaveConverter, and it is possibly the single most interesting tool we’ve seen in radio in a long time.

If you wanted to hack an RF system — read the data from a tire pressure monitor, a car’s key fob, a garage door opener, or a signal from a home security system’s sensor — you’ll be doing the same thing for each attack. The first is to capture the signal, probably with a software defined radio. Take this data into GNU Radio, and you’ll have to figure out the modulation, the framing, the encoding, extract the data, and finally figure out what the ones and zeros mean. Only that last part, figuring out what the ones and zeros actually do, is the real hack. Everything before that is just a highly advanced form of data entry and manipulation.

[Paul]’s WaveConverter is the tool built for this data manipulation. Take WaveConverter, input an IQ file of the relevant radio sample you’d like to reverse engineer, and you have all the tools to turn a radio signal into ones and zeros at your disposal. Everything from determining the preamble of a signal, figuring out the encoding, to determining CRC checksums is right there.

All of this is great for reverse engineering a single radio protocol, but it gets even better. Once you’re able to decode a signal in WaveConverter, it’s set up to decode every other signal from that device. You can save your settings, too, which means this might be the beginnings of an open source library of protocol analyzers. If someone on the Internet has already decoded the signals from the keyfob of a 1995 Ford Taurus, they could share those settings to allow you to decode the same keyfob. This is the very beginnings of something very, very cool.

The Github repo for WaveConverter includes a few sample IQ files, and you can try it out for yourself right now. [Paul] admits there are a few problems with the app, but most of those are UI changes he has in mind. If you know your way around programming GUIs, [Paul] would appreciate your input.

Shmoocon 2017: So You Want To Hack RF

Far too much stuff is wireless these days. Home security systems have dozens of radios for door and window sensors, thermostats aren’t just a wire to the furnace anymore, and we are annoyed when we can’t start our cars from across a parking lot. This is a golden era for anyone who wants to hack RF. This year at Shmoocon, [Marc Newlin] and [Matt Knight] of Bastille Networks gave an overview of how to get into hacking RF. These are guys who know a few things about hacking RF; [Marc] is responsible for MouseJack and KeySniffer, and [Matt] reverse engineered the LoRa PHY.

In their talk, [Marc] and [Matt] outlined five steps to reverse engineering any RF signal. First, characterize the channel. Determine the modulation. Determine the symbol rate. Synchronize a receiver against the data. Finally, extract the symbols, or get the ones and zeros out of the analog soup.

From [Marc] and [Matt]’s experience, most of this process doesn’t require a radio, software or otherwise. Open source intelligence or information from regulatory databases can be a treasure trove of information regarding the operating frequency of the device, the modulation, and even the bit rate. The pertinent example from the talk was the FCC ID for a Z-wave module. A simple search revealed the frequency of the device. Since the stated symbol rate was twice the stated data rate, the device obviously used Manchester encoding. These sorts of insights become obvious once you know what you’re looking for.

In their demo, [Marc] and [Matt] went through the entire process of firing up GNU Radio, running a Z-wave decoder and receiving Z-wave frames. All of this was done with a minimum of hardware and required zero understanding of what radio actually is, imaginary numbers, or anything else a ham license will hopefully teach you. It’s a great introduction to RF hacking, and shows anyone how to do it.

Shmoocon 2017: On Not Reverse Engineering Through Emulation

Right now, I’m at Shmoocon, and it’s living up to all expectations. That’s a tall order — last year, the breakout talk was from [Travis Goodspeed] on his efforts to reverse engineer the firmware for a cheap Chinese radio. Four people in the room for that talk last year bought the radio on Amazon, and now there’s a legitimate open source project dedicated to building firmware and tools to support this radio.

tyteraNow that [Travis] has a few compatriots working on firmware for this radio, he has the same challenges as any other team. The project needs unit tests, and this isn’t easy to do when all the code is locked up inside a radio. Instead of setting up an entire development platform based around a cheap radio, [Travis] came up with a toolchain that’s unlike anything I’ve ever seen. Instead of reverse engineering the firmware for this radio, he’s simply emulating the ARM firmware on the desktop. Development is quick and easy, and he has the live demos to prove it.

The heart of the Tytera radio in question is an STM32F405. This is a pretty common part, and thanks to [Travis]’ work last year, he has all the firmware that ships on this radio. This doesn’t mean he has access to all the radio’s capabilities, though; there’s a black box in the code somewhere that translates .wav files to radio packets and back again. Open sourcing this would usually mean reverse engineering, but [Travis] had a better idea.

Instead of reverse engineering the entire radio, [Travis] is using QEMU to emulate an ARM microcontroller on his desktop, run the relevant code, and completely ignore any actual reverse engineering. Since this radio is already jailbroken and the community has a pretty good idea of where all the functions and subroutines are in the firmware, the most difficult part of pulling this trick off is setting up QEMU.

As a proof of concept, [Travis] downloaded raw AMBE packets from the radio to his laptop. These were then sent through the emulated radio, producing raw audio that was then converted into a .wav file. Effectively, a black box in this radio was emulated, which means [Travis] doesn’t need to know how the black box works.

All the code for this weird emulation / unit test, as well as everything the community has released for this radio is available on the GitHub. A lot of work has gone into the jailbreaking, reverse engineering, and emulation efforts here, making this radio somewhat ironically one of the most open radios you can buy.

Bring Your Palm VII To ShmooCon This Weekend

We’re not even halfway through January, and already the conference season is upon us. This weekend, Hackaday will be attending Shmoocon at the Hilton in Washington, DC. I’ll be there getting the full report on Russian hackers, reverse engineering, and what the beltway looks like with an ice storm during morning rush hour.

What’s in store for Shmoocon attendees? The schedule looks really cool with talks on something like inline assembly in Python, tools for RF reverse engineering, manufacturing and selling a U2F token, emulating ARM firmware, and so much more. Want to attend Shmoocon? Too bad! Tickets sold out in less than 10 seconds, and we’re totally not going to talk about the BOTS Act at all. If you’re clever you can still pick up a barcode on Craigslist for $300-400, but I wouldn’t recommend that.

As we did last year, Hackaday is going to have a lobbycon with Dunkin Saturday morning at 08:30, although which lobby is still up in the air. Check out the Hackaday Twitter for a few real-time updates. This is a bring-a-hack event, and I’ll be showing off how to add 18dBi of gain to a standard ESP8266 module. Show off what you’re working on and get a donut.

Donuts of ShmooCon

This weekend is ShmooCon, a hacker convention held in Washington DC. Brian Benchoff and I will be there, both of us for the first time. We’d love your input on what talks look the most interesting. Check out the schedule of speakers, then leave a comment below to let us know which talks you think we should cover.

It’s great hearing the big presentations, but I find a lot of times great hacks can be found in smaller venues, or just by walking around. Two examples from 2015 DEF CON: the best talk I sat in on had about 10 people spectating in the IoT village, and I had a great time trying to track down everyone who had an unofficial hardware badge. If you’re at ShmooCon and have something to show off, please find us (@szczys, @bbenchoff)!

On Saturday join us for a Hackaday meetup in the lobby of the Washington Hilton. ShmooCon is well-regarded for the quality of its “lobby-con”, what better place to gather? Look for the Hackaday crowd starting Saturday 1/16 at 8:45am. We’ll bring the donuts, and some swag like Hackaday Omnibus Vol. 02 and of course, some Jolly Wrencher stickers.

Hackaday at 32C3 and Shmoocon

We are just a few days away from the 2015 Chaos Communications Congress in Hamburg Germany and we’re happy to say that a couple of the Hackaday crew will be on hand.
The annual event is one of the premier hacker conferences in the entire world. CCC-fairydustBoth [Voja Antonic] and [Nava Whiteford] will be attending this year’s 32C3, which runs from Sunday the 27th through Wednesday the 30th.

[Voja] will be pretty busy working a booth that will show off two of his projects. One is his Single-Chip Gaming System and the other is his DIY Book Scanner. If you do want to track him down, he dusted off his Twitter account, @Voja_Antonic, just for the event.

[Nava] will be less tied town, and looking for the best there is to see at the conference. If you want to connect with him, give his Twitter account a jingle: @new299.

2016 Shmoocon

schmoocon-bikerShmoocon is in the middle of January and boasts “Less Moose than Ever”. It’s notoriously hard to get a ticket for the annual hacker convention held in Washington, DC. We asked for three press passes and they were kind enough to provide one. We tried and failed to get tickets during the second public release, which sold out 900 passes in 7.58 seconds.

We’re Looking for One More Ticket!

We were able to purchase a single ticket second-hand, so along with the press pass we now have two. [Mike] and [Brian] are both planning to attend, but we’d like it if [Sophi] could be there as well. If you know of an extra ticket which we can buy at face value, please email mike at Hackaday with the details.

Will you be at Shmoocon? Want to meet up with [Brian], [Mike], and hopefully [Sophi], or know of an activity there we just shouldn’t miss? Ping us on Twitter (@szczys, @bbenchoff, @sophikravitz).

Also, how are our choices on con attendance so far? Leave a comment below and let us know what hacking events you think we just shouldn’t miss in the coming year.