Shmoocon 2017: On Not Reverse Engineering Through Emulation

Right now, I’m at Shmoocon, and it’s living up to all expectations. That’s a tall order — last year, the breakout talk was from [Travis Goodspeed] on his efforts to reverse engineer the firmware for a cheap Chinese radio. Four people in the room for that talk last year bought the radio on Amazon, and now there’s a legitimate open source project dedicated to building firmware and tools to support this radio.

tyteraNow that [Travis] has a few compatriots working on firmware for this radio, he has the same challenges as any other team. The project needs unit tests, and this isn’t easy to do when all the code is locked up inside a radio. Instead of setting up an entire development platform based around a cheap radio, [Travis] came up with a toolchain that’s unlike anything I’ve ever seen. Instead of reverse engineering the firmware for this radio, he’s simply emulating the ARM firmware on the desktop. Development is quick and easy, and he has the live demos to prove it.

The heart of the Tytera radio in question is an STM32F405. This is a pretty common part, and thanks to [Travis]’ work last year, he has all the firmware that ships on this radio. This doesn’t mean he has access to all the radio’s capabilities, though; there’s a black box in the code somewhere that translates .wav files to radio packets and back again. Open sourcing this would usually mean reverse engineering, but [Travis] had a better idea.

Instead of reverse engineering the entire radio, [Travis] is using QEMU to emulate an ARM microcontroller on his desktop, run the relevant code, and completely ignore any actual reverse engineering. Since this radio is already jailbroken and the community has a pretty good idea of where all the functions and subroutines are in the firmware, the most difficult part of pulling this trick off is setting up QEMU.

As a proof of concept, [Travis] downloaded raw AMBE packets from the radio to his laptop. These were then sent through the emulated radio, producing raw audio that was then converted into a .wav file. Effectively, a black box in this radio was emulated, which means [Travis] doesn’t need to know how the black box works.

All the code for this weird emulation / unit test, as well as everything the community has released for this radio is available on the GitHub. A lot of work has gone into the jailbreaking, reverse engineering, and emulation efforts here, making this radio somewhat ironically one of the most open radios you can buy.

Repurpose a Classroom Clicker for Great Justice

If you’ve been in a university class of a certain size, with a professor who wants to get live feedback from the students, you’ve probably been forced to buy a Turning Point “clicker”. Aside from the ridiculousness of making students pay for their professor’s instructional aides (do the make you pay extra for the chalk too?!?!) these clickers are a gauntlet thrown down to any right-minded hacker because they supposedly contain secrets.

[Nick] had one of these gadgets, and hopped right up on the shoulders of giants to turn it into a remote control that interfaces with his computer and drives a synthesizer, so he can work through the chord changes by clicking. His two references, to [Travis Goodspeed]’s nRF promiscuity hack and to [Taylor Killian]’s Arduino library for the clickers are a testament to why we need both reverse engineers doing the hard work and people who’ll wrap up the hard work in an easy-to-use library.

Continue reading “Repurpose a Classroom Clicker for Great Justice”

[Travis Goodspeed] starts a space agency in Southern Appalachia


His space agency hardware might be in Southern Appalachia, but he can control it from anywhere in the world. That’s right, [Travis Goodspeed] started his own space agency — well kinda. The first piece of hardware operated by the organization is this dish for tracking moving targets in near space.

The main part of the build is a Felcom 82B dish which  was designed to be a satellite link for naval vessels. The image showing the back side of it exposes all of the extras he built into the system. Don’t worry though, a dome goes over the top to keep the weather out without encumbering its operation.He uses an SDR dongle to handle the radio communications. That connects to a BeagleBone which pipes the data to his handheld over the Internet.

It’s amazing to see this type of hobby project. It wasn’t that long ago that you needed an entire room of hardware to communicate with satellites.

Exploiting DFU mode to snag a copy of firmware upgrades

[Travis Goodspeed] continues his work at educating the masses on how to reverse engineer closed hardware devices. This time around he’s showing us how to exploit the Device Firmware Updates protocol in order to get your hands on firmware images. It’s a relatively easy technique that uses a man-in-the-middle attack to dump the firmware image directly to a terminal window. This way you can get down to the nitty-gritty of decompiling and hex editing as quickly as possible.

For this hack he used his Facedancer board. We first saw the hardware used to emulate a USB device, allowing the user to send USB commands via software. Now it’s being used to emulate your victim hardware’s DFU mode. This is done by supplying the vendorID and productID of the victim, then pushing the firmware update as supplied by the manufacturer. In most cases this shouldn’t even require you to have the victim hardware on hand.

Facedancer board lets your Python programs pretend to be USB hardware

This is the prototype board for [Travis Goodspeed’s] new USB development tool called the Facedancer. He took on the design with USB security exploits in mind, but we think it’s got a lot of potential for plain old development as well.

Kudos on the [Frank Herbert] reference when naming the project. Like the characters from the Dune mythology that can perfectly mimic any person they touch, this device let’s you mimic whatever you can imagine. One the USB ports connects to the victim (or host) the other connects to a development machine. Python can then be used to send USB commands in real time. Think of this as doing the same thing the Bus Pirate does for SPI and i2c, except that it’s doing it on the USB protocol itself. This way you can feel your way through all of the road-bumps of developing a new device (or testing an exploit) without the need to continually compile and flash your hardware.

Wardriving for Zigbee

Wardriving started out as a search for unprotected WiFi access points before hot spots were prevalent. And so this ZigBee protocol wardriving hardware which [Travis Goodspeed] put together really gives us a sense of nostalgia for that time. Don’t get us wrong, we love our pervasive WiFi access and don’t wish to go back to simpler times. But if the radio signals your looking for are scarce, locating them provides a challenge.

Regular readers will recognize that [Travis] is interested in all things RF. One of his projects included sniffing wireless keyboard packets out of thin air and displaying them on the screen of his Nokia N900. This is right along those lines but he’s upgraded to an N9 phone for the display hardware. He switched up the RF hardware, using a TelosB (a board he’s already familiar with) to get on the 802.15.4 ZigBee spectrum. This dev board has an expansion port which let him use an RN42 module for wireless communications with the phone. This means the sniffing hardware can be hidden away in a backpack or jacket. After all, nobody will question someone walking around staring at a smart phone.

Reverse engineering Bluetooth using Android and SPOT as an example

[Travis Goodspeed] wrote in to tell us about his work reverse engineering the Bluetooth communications on this SPOT module. He’s targeted the post as a general guide to sniffing Bluetooth transmissions, but was inspired to use the SPOT as an example after seeing this other SPOT hack. We know he’s a fan of getting things to work with his Nokia N900, and that’s exactly where he ended up with the project.

This module was manufactured to be controlled by an Android phone. But there’s no control app available for the Nokia handset. Since Android uses the open-source Bluez package for the Bluetooth protocol, it’s actually pretty easy to get your hands on the packets. After grabbing a few test sets he shows how he deciphered the packets, then wrote a quick Python script to test out his findings. After working his way through the various commands available (grabbing the SPOT serial number, getting position data from it, etc) [Travis] wrote up a frontend in QT mobility for use on the N900.