Extracting secured firmware from Freescale Zigbee radios


[Travis Goodspeed] recently tore down the Freescale MC13224 wireless radio chip in an effort to demonstrate how the device’s firmware could be read, even when locked down in “secure” mode. While you might not recognize the Freescale MC13224 radio by name alone, you are certainly familiar with some of its practical applications. Found in the QuahogCon and Ninja Party badges among other consumer goods, the popular Zigbee radio turned out to be a fairly easy conquest.

[Travis] first used acid to decap one of the microcontrollers to see what was going on under the plastic casing. Inside, he discovered a discrete flash memory die, which he removed and repackaged using a wedge wire bonder. He was then able to extract the firmware easily; however, decapping and rebonding a flash die isn’t exactly a user-friendly process.

After digging further, he discovered that holding one of the chip’s pins low during boot lets him run custom code that recovers the firmware image once the pin is pulled high again. This far more practical means of firmware recovery can easily be facilitated via a circuit board revision, as [Travis] mentions in his blog.

IP-based engine remote enable switch


[Mariano] owns a late 90’s Jeep Wrangler, and had no idea just how easy it was to steal. Unfortunately for him, the guy who made off with his Jeep was well aware of the car’s vulnerabilities. The problem lies in the ignition – it can be broken out with a screwdriver, after which, the car can be started with a single finger. How’s that for security?

[Mariano] decided that he would take matters into his own hands and add a remote-controlled switch to his car in order to encourage the next would-be thief to move on to an easier target. He describes his creation as a “remote kill” switch, though it’s more of a “remote enable” switch, enabling the engine when he wants to start the car rather than killing it on command.

The switch system is made up of two pieces: a server inside the car’s engine bay and a remote key fob. The two talk to each other using IPv6 over 802.15.4 (the same radio standard that ZigBee is built on). Once the server receives a GET request from the key fob, it authenticates the fob with a 128-bit AES challenge/response exchange before allowing the car to be started.
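The exchange described above, written out as an added example rather than [Mariano]’s own code (his node most likely runs in C on an 802.15.4 stack; this Go version only models the protocol logic). Assumptions are marked in the comments: the key is a constructed placeholder, the "GET" is modelled as a plain function call, and the response function is AES-128 of a single-block random nonce. The part worth copying is the server’s handling of the challenge: one answer per nonce, constant-time comparison, and no acceptance of an answer when no challenge is outstanding, which is what stops a sniffed response from being replayed against the car later.

```go
package main

import (
	"crypto/aes"
	"crypto/rand"
	"crypto/subtle"
	"errors"
	"fmt"
)

// sharedKey is the 128-bit secret provisioned into both the in-car server and
// the fob. CONSTRUCTED for this example; a real build would generate it at
// pairing time and keep it out of source control.
var sharedKey = []byte("example-16-byte-")

// Server is the in-car side. It remembers at most one outstanding challenge
// and flips Enabled only after a correct answer to that challenge.
type Server struct {
	key     []byte
	pending []byte // challenge awaiting an answer, nil when none
	Enabled bool
}

func NewServer(key []byte) *Server { return &Server{key: key} }

// Challenge answers the fob's GET with a fresh 16-byte random nonce.
func (s *Server) Challenge() ([]byte, error) {
	nonce := make([]byte, aes.BlockSize)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	s.pending = nonce
	return nonce, nil
}

// Respond is the fob side: AES-128 of the single-block nonce under the key.
func Respond(key, nonce []byte) ([]byte, error) {
	if len(nonce) != aes.BlockSize {
		return nil, errors.New("challenge must be exactly one AES block")
	}
	block, err := aes.NewCipher(key) // a 16-byte key selects AES-128
	if err != nil {
		return nil, err
	}
	out := make([]byte, aes.BlockSize)
	block.Encrypt(out, nonce)
	return out, nil
}

// Verify compares the fob's answer with the expected ciphertext in constant
// time. The challenge is consumed whether or not the answer is right, so a
// response captured over the air cannot be replayed against a later session.
func (s *Server) Verify(resp []byte) bool {
	if s.pending == nil {
		return false
	}
	expected, err := Respond(s.key, s.pending)
	s.pending = nil
	if err != nil {
		return false
	}
	if subtle.ConstantTimeCompare(expected, resp) != 1 {
		return false
	}
	s.Enabled = true
	return true
}

// Session runs one full exchange: GET, challenge, response, verdict.
// It returns the fob's response so a caller can try replaying it.
func Session(s *Server, fobKey []byte) (resp []byte, ok bool, err error) {
	nonce, err := s.Challenge()
	if err != nil {
		return nil, false, err
	}
	resp, err = Respond(fobKey, nonce)
	if err != nil {
		return nil, false, err
	}
	return resp, s.Verify(resp), nil
}

// Replay models an attacker who sniffed an earlier response and sends it back
// after requesting a new challenge. With a fresh random nonce it fails.
func Replay(s *Server, captured []byte) bool {
	if _, err := s.Challenge(); err != nil {
		return false
	}
	return s.Verify(captured)
}

func main() {
	car := NewServer(sharedKey)
	resp, ok, err := Session(car, sharedKey)
	fmt.Println("legit fob accepted:", ok, err)
	fmt.Println("replayed response accepted:", Replay(NewServer(sharedKey), resp))
}
```

Note what this does and does not prove: a correct answer shows the responder holds the key, nothing more. Anything else the server relies on (the fob’s IPv6 source address, for instance) is unauthenticated unless it is folded into the challenge, and the nonce must come from a real random source on the microcontroller, since a predictable nonce lets an attacker precompute the answer.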

It is not the simplest way of adding a remote-kill switch to a car, but we like it. Unless the next potential car thief digs under the hood for a while, we’re pretty sure [Mariano’s] car will be safe for quite some time.

Ball bot constructed from power tools and pet toys


Hackaday forum member [machinelou] says he’s been fascinated with remote controlled hamster balls for quite some time. Inspired by a ball bot he saw on a BBC show, he finally picked up a 12″ plastic ball and got to work.

He used a small drill to provide the power required to roll the ball, and an Arduino serves as the brains of the device. This is his first major project beyond simple I/O and servo control, so he’s taking things slowly. While all this is a bit new to him, he already has things up and running to a degree, as you can see in the video below. In its current state, the ball is programmed to roll forward and backward for a few seconds before going back to sleep.

His future plans include adding a servo-controlled weight to allow him to steer the ball as well as using a pair of Zigbee modules in order to control the ball remotely.

It’s a neat little project, and definitely one that would be a fan favorite among kids. Stick around to see a quick video of his bot’s progress thus far.


The Energy Detective TED 5000-G teardown


Before [Steve] realized that it didn’t play nice with his network, he dismantled his Energy Detective TED 5000-G to see what made the device tick. He put together a nice teardown with high-res pictures throughout. Each component of the TED 5000-G is dissected, with the exception of the current transformers, which he claims are pretty boring anyhow. The gateway module is particularly interesting, as it contains both an Ethernet interface and an 802.15.4 radio for wireless communications. While the device is still a bit expensive at the moment, the gateway module could be useful in projects requiring power-line carrier (PLC) or ZigBee communications some time down the road, once prices ease a little.

Bringing the Shark to the Bee

Wireshark, a tool universally recognized as one of the best network analyzers available, has long been used by legitimate network professionals as well as a shadier crowd (and everyone in between). While it is well suited to analyzing both wired and Wi-Fi traffic, monitoring 802.15.4 protocols (such as ZigBee) has not been a common use in the past. [Akiba] of FreakLabs has brought us a solution that works around the usual limitation of Wireshark’s libpcap base, which does not accept raw serial input from most homebrew setups that use FTDI adapters or Arduinos to connect to ZigBee devices. Using named pipes and a few custom scripts, [Akiba] has been able to coax Wireshark into accepting input from one of FreakLabs’ Freakduino boards: the scripts reframe the serial data as a pcap stream and write it into a FIFO, which Wireshark reads as if it were a capture interface.
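To make the named-pipe trick concrete, here is an added example of a serial-to-pcap bridge. It is not [Akiba]’s script, and the serial framing it reads (one length byte followed by the raw frame) is an assumption, since the page does not describe the Freakduino sketch’s actual output; the sample capture at the bottom is constructed. What is not an assumption is the pcap format Wireshark expects on the pipe: a 24-byte global header with magic 0xa1b2c3d4, version 2.4 and a link type of 195 (LINKTYPE_IEEE802_15_4_WITHFCS) or 230 (LINKTYPE_IEEE802_15_4_NOFCS), then a 16-byte record header in front of every frame.

```go
package main

import (
	"bufio"
	"bytes"
	"encoding/binary"
	"fmt"
	"io"
	"os"
	"time"
)

// pcap link-layer types for 802.15.4. Use 195 when the sniffer passes the
// 2-byte FCS through unchanged and 230 when it strips it; pick the wrong one
// and Wireshark either flags every frame as a bad FCS or eats two payload bytes.
const (
	LinkType802154WithFCS uint32 = 195
	LinkType802154NoFCS   uint32 = 230
)

// PcapGlobalHeader builds the 24-byte libpcap file header Wireshark expects at
// the head of the pipe (magic 0xa1b2c3d4, version 2.4, microsecond timestamps).
func PcapGlobalHeader(linkType uint32) []byte {
	var b bytes.Buffer
	for _, f := range []interface{}{
		uint32(0xa1b2c3d4),   // magic
		uint16(2), uint16(4), // version major, minor
		int32(0),             // timezone offset
		uint32(0),            // timestamp accuracy
		uint32(256),          // snaplen; an 802.15.4 PHY frame is at most 127 bytes
		linkType,
	} {
		binary.Write(&b, binary.LittleEndian, f)
	}
	return b.Bytes()
}

// PcapRecord prefixes one frame with the 16-byte per-packet header.
func PcapRecord(ts time.Time, frame []byte) []byte {
	var b bytes.Buffer
	for _, f := range []interface{}{
		uint32(ts.Unix()), uint32(ts.Nanosecond() / 1000),
		uint32(len(frame)), uint32(len(frame)), // captured and on-the-wire lengths
	} {
		binary.Write(&b, binary.LittleEndian, f)
	}
	b.Write(frame)
	return b.Bytes()
}

// ReadSnifferFrame reads one frame in the serial framing ASSUMED here: a length
// byte followed by that many raw 802.15.4 bytes. Adapt it to the sketch's real framing.
func ReadSnifferFrame(r *bufio.Reader) ([]byte, error) {
	n, err := r.ReadByte()
	if err != nil {
		return nil, err
	}
	if n == 0 || n > 127 {
		return nil, fmt.Errorf("implausible frame length %d", n)
	}
	frame := make([]byte, n)
	if _, err := io.ReadFull(r, frame); err != nil {
		return nil, err
	}
	return frame, nil
}

// Bridge streams pcap to the writer until the serial side hits EOF and returns
// the number of frames forwarded. A malformed length byte aborts the bridge
// instead of feeding Wireshark bytes it would misparse as a frame.
func Bridge(serial io.Reader, pcap io.Writer, linkType uint32) (int, error) {
	if _, err := pcap.Write(PcapGlobalHeader(linkType)); err != nil {
		return 0, err
	}
	r := bufio.NewReader(serial)
	count := 0
	for {
		frame, err := ReadSnifferFrame(r)
		if err == io.EOF {
			return count, nil
		}
		if err != nil {
			return count, err
		}
		if _, err := pcap.Write(PcapRecord(time.Now(), frame)); err != nil {
			return count, err
		}
		count++
	}
}

// ConstructedCapture is a made-up serial stream holding one 802.15.4 data frame
// (FCF 0x8841, seq 1, PAN 0x1234, dst 0xffff, src 0x0001, payload "hi"), FCS
// stripped, in the length-prefixed framing above.
var ConstructedCapture = []byte{
	11, 0x41, 0x88, 0x01, 0x34, 0x12, 0xff, 0xff, 0x01, 0x00, 'h', 'i',
}

func main() {
	// Usage: mkfifo /tmp/zb.pcap; wireshark -k -i /tmp/zb.pcap &
	//        go run bridge.go /dev/ttyUSB0 /tmp/zb.pcap
	if len(os.Args) != 3 {
		fmt.Fprintln(os.Stderr, "usage: bridge <serial-device> <fifo>")
		os.Exit(2)
	}
	serial, err := os.Open(os.Args[1])
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	defer serial.Close()
	// Opening the FIFO for writing blocks until Wireshark opens it for reading.
	fifo, err := os.OpenFile(os.Args[2], os.O_WRONLY, 0)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	defer fifo.Close()
	n, err := Bridge(serial, fifo, LinkType802154NoFCS)
	fmt.Fprintf(os.Stderr, "forwarded %d frames: %v\n", n, err)
}
```

The serial device still needs to be configured for the sniffer’s baud rate (with `stty`, for example) before the bridge opens it, and the FIFO must exist before Wireshark is started; beyond that, any program that emits this byte layout on a pipe will be accepted by Wireshark as a live capture.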

While there are certainly professional wireless analyzing tools out there that connect directly into Wireshark, we at Hackaday love showing off anyone who takes the difficult, cheap, out of the way method of doing things over the neat, expensive, commercial method any day.

Data plotting for the visually impaired

This setup helps represent data in a meaningful way for visually impaired people. It uses a combination of physical objects to represent data clusters and audio feedback when manipulating those objects. In the video after the break you’ll see that the cubes can position themselves to represent data clusters. The table top acts as a graphing field, with a textured border as a reference for the user. A camera mounted below the clear surface allows image processing software to calculate the location of each cube. Each cube is motorized and contains an Arduino and a ZigBee module, listening for positioning commands from the computer that is doing the video processing. Once the cubes are in position, the user can move them, with a modulated tone indicating how near they are to the heart of each data cluster.

The team plans to conduct further study on the usefulness of this interactive data object. We certainly see potential for hacking as this uses off-the-shelf components that are both inexpensive, and easy to find. It certainly reminds us of a multitouch display with added physical tokens.


Intelligent Ground Vehicle Competition 2010 Day Two Report

Culture Shock II, a robot by the Lawrence Tech team, first caught our eye due to its unique drive train. Upon further investigation we found a very well built robot with a ton of unique features.

The first thing we noticed about Culture Shock II is the giant 36″ wheels. The wheel assemblies are actually unicycles modified to be driven by the geared motors at the bottom. Such large wheels were chosen to keep the center of gravity well below the axle, giving a very self-stabilizing robot. The robot also has two casters with a suspension system that act as dampers and stabilizers in the case of shocks and inclines.
