[Bunnie] Launches The Novena Open Laptop

Today [Bunnie] is announcing the launch of the Novena Open Laptop. When we first heard he was developing an open source laptop as a hobby project, we hoped we’d see the day where we could have our own. Starting today, you can help crowdfund the project by pre-ordering a Novena.

The Novena is based on the i.MX6Q ARM processor from Freescale, coupled to a Xilinx Spartan 6 FPGA. Combined with the open nature of the project, this creates a lot of possibilities for using the laptop as a hacking tool. It has dual ethernet, for routing or sniffing purposes. USB OTG support lets the laptop act as a USB device, for USB fuzzing and spoofing. There’s even a high speed expansion bus to interface with whatever peripheral you’d like to design.

You can pre-order the Novena in four models. The $500 “just the board” release has no case, but includes all the hardware needed to get up and running. The $1,195 “All-in-One Desktop” model adds a case and screen, and hinges open to reveal the board for easy hacking. Next up is the $1,995 “Laptop” which includes a battery control board and a battery pack. Finally, there’s the $5000 “Heirloom Laptop” featuring a wood and aluminum case and a Thinkpad keyboard.

The hardware design files are already available, so you can drool over them. It will be interesting to see what people start doing with this powerful, open computer once it ships. After the break, check out the launch video.

MSP430-Based CTF Hardware Hacking Challenge

Hacking conferences often feature a Capture the Flag, or CTF event. Typically, this is a software hacking challenge that involves breaking into targets which have been set up for the event, and capturing them. It’s good, legal, hacking fun.

However, some people are starting to build CTFs that involve hardware hacking as well. [Balda]’s most recent hardware hacking challenge was built for the Insomni’hack 2014 CTF. It uses an MSP430 as the target device, and users are allowed to enter commands to the device over UART via a Bus Pirate. Pull off the exploit, and the wheel rotates to display a flag.

For the first challenge, contestants had to decompile the firmware and find an obfuscated password. The second challenge was a bit more complicated. The password check function used memcpy, which made it vulnerable to a buffer overflow attack. By overwriting the program counter, it was possible to take over control of the program and make the flag turn.

The risk of memcpy reminds us of this set of posters. Only abstaining from memcpy can 100% protect you from overflows and memory disclosures!
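The pattern behind the second challenge, shown as an added example rather than [Balda]'s firmware: a password check that trusts a caller-supplied length, beside a version that bounds the copy by the destination buffer. The buffer size, secret and function names are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PW_BUF_LEN 16   /* assumed buffer size; the write-up gives none */
static const char SECRET[] = "example-secret";   /* constructed value */

/* Vulnerable pattern: len is caller-controlled, so len > PW_BUF_LEN
 * writes past buf toward the saved return address on the stack. */
int check_password_unsafe(const uint8_t *input, size_t len)
{
    char buf[PW_BUF_LEN];
    memcpy(buf, input, len);                      /* no bound on len */
    return len == sizeof(SECRET) - 1 && memcmp(buf, SECRET, len) == 0;
}

/* Hardened: bound the copy by the destination, then compare every byte
 * so timing does not reveal how many leading characters matched. */
int check_password_safe(const uint8_t *input, size_t len)
{
    char buf[PW_BUF_LEN];
    uint8_t diff = 0;

    if (input == NULL || len > sizeof(buf))
        return 0;                                 /* reject, never truncate */
    memcpy(buf, input, len);
    if (len != sizeof(SECRET) - 1)
        return 0;
    for (size_t i = 0; i < len; i++)
        diff |= (uint8_t)(buf[i] ^ SECRET[i]);
    return diff == 0;
}

int main(void)
{
    uint8_t oversize[64];
    memset(oversize, 'A', sizeof(oversize));      /* constructed input */
    printf("correct:  %d\n", check_password_safe((const uint8_t *)"example-secret", 14));
    printf("oversize: %d\n", check_password_safe(oversize, sizeof(oversize)));
    return 0;
}
```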

 

NFC Ring Unlocks Your Phone

This little ring packs the guts of an NFC keyfob, allowing [Joe] to unlock his phone with a touch of his finger.

The NFC Ring was inspired by a Kickstarter project for a similar device. [Joe] backed that project, but then decided to build his own version. He took apart an NFC keyfob and desoldered the coil used for communication and power. Next, he wrapped a new coil around a tube that was matched to his ring size. With this assembly completed, epoxy was used to cast the ring shape.

After cutting the ring to size, and quite a bit of polishing, [Joe] ended up with a geeky piece of jewelry that’s actually functional. To take care of NFC unlocking, he installed NFC LockScreenOff. It uses Xposed, so a rooted Android device is required.

We’ll have to wait to see how [Joe]’s homemade solution compares to his Kickstarter ring. Until then, you can watch a quick video of unlocking a phone with the ring after the break.

Hacking Rolling Code Keyfobs

Most keyfobs out there that open cars, garage doors, and gates use a rolling code for security. This works by transmitting a different key every time you press the button. If the keys line up, the signal is considered legitimate and the door opens.

[Spencer] took a look into hacking rolling code keyfobs using low-cost software-defined radio equipment. There are two parts to this attack. The first involves jamming the frequency the keyfob transmits on while recording using an RTL-SDR dongle. The jamming signal prevents the receiver from acknowledging the request, but it can be filtered out using GNU Radio to recover the key.

Since the receiver hasn’t seen this key yet, it will still be valid. By replaying the key, the receiver can be tricked. To pull off the replay, GNU Radio was used to demodulate the amplitude shift keying (ASK) signal used by the transmitter. This was played out of a computer sound card into an ASK transmitter module, which sent out a valid key.
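Why an unheard code stays valid, and what retires it, as an added example that is not [Spencer]'s code: a toy receiver model assuming a counter-based rolling code with a look-ahead window. The mixer `code_for`, the `WINDOW` size and the key are constructed stand-ins, not any real fob's algorithm.

```c
#include <stdint.h>
#include <stdio.h>

#define WINDOW 16u   /* look-ahead the receiver tolerates (assumed value) */

/* Toy keyed mixer standing in for the fob's real algorithm; NOT a cipher. */
static uint32_t code_for(uint32_t key, uint32_t counter)
{
    uint32_t x = key ^ (counter * 0x9E3779B9u);
    x ^= x >> 16; x *= 0x85EBCA6Bu; x ^= x >> 13;
    return x;
}

struct receiver { uint32_t key, next; };   /* next = lowest counter accepted */

/* Accept a code matching any counter in [next, next + WINDOW), then move
 * past it so that code and every earlier one can never be used again. */
int receiver_accept(struct receiver *rx, uint32_t code)
{
    for (uint32_t c = rx->next; c < rx->next + WINDOW; c++)
        if (code_for(rx->key, c) == code) { rx->next = c + 1; return 1; }
    return 0;
}

/* A press the receiver never heard is still inside its window. */
int unheard_code_accepted(void)
{
    struct receiver rx = { 0xC0FFEEu, 0 };          /* constructed key */
    return receiver_accept(&rx, code_for(rx.key, 0));
}

/* Once a newer press is received, the older unheard code is rejected. */
int older_code_rejected_after_newer(void)
{
    struct receiver rx = { 0xC0FFEEu, 0 };
    uint32_t held = code_for(rx.key, 0), fresh = code_for(rx.key, 1);
    return receiver_accept(&rx, fresh) && !receiver_accept(&rx, held)
        && !receiver_accept(&rx, fresh);            /* plain replay fails too */
}

int main(void)
{
    printf("unheard code accepted: %d\n", unheard_code_accepted());
    printf("older code rejected after newer: %d\n", older_code_rejected_after_newer());
    return 0;
}
```

In this model, any later press that actually reaches the receiver moves its counter forward and retires every code before it.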

A FPGA Based Bus Pirate Clone

A necessary tool for embedded development is a device that can talk common protocols such as UART, SPI, and I2C. The XC6BP is an open source device that can work with a variety of protocols.

As the name suggests, the XC6BP is a clone of the Bus Pirate, but based on a Xilinx Spartan-6 FPGA. The AltOR32 soft CPU is loaded on the FPGA. This is a fully functional processor based on the OpenRISC architecture. While the FPGA is more expensive than a microcontroller, it can be fully reprogrammed. It’s also possible to build hardware on the FPGA to perform a variety of tasks.

A simple USB stack runs on the soft CPU, creating a virtual COM port. Combined with the USB transceiver, this provides communication with a host PC. The device is even compatible with the Bus Pirate case and probe connector. While it won’t replace the Bus Pirate as a low-cost tool, it is neat to see someone using an open source core to build a useful, open hardware device.

Hacking Radio Controlled Outlets

It’s no surprise that there are a lot of devices out there that use simple RF communication with minimal security. To explore this, [Gordon] took a look at attacking radio controlled outlets.

He started off with a CC1111 evaluation kit, which supports the RFCat RF attack tool set. RFCat lets you interact with the CC1111 using a Python interface. After flashing the CC1111 with the RFCat firmware, the device was ready to use. Next up, [Gordon] goes into detail about replaying amplitude shift keying messages using the RFCat. He used an Arduino and the rc-switch library to generate signals that are compatible with the outlets.

In order to work with the outlets, the signal had to be sniffed. This was done using RTL-SDR and a low-cost TV tuner dongle. By exporting the sniffed signal and analyzing it, the modulation could be determined. The final step was writing a Python script to replay the messages using the RFCat.

The hack is a good combination of software defined radio techniques, ending with a successful attack. Watch a video of the replay attack after the break.

TI Launches “Connected LaunchPad”

TI’s LaunchPad boards have a history of being both low cost and fully featured. There’s a board for each of TI’s major processor lines, and all of them support the same “BoosterPack” interface for additional functionality. Today, TI has announced a new LaunchPad based on their new Tiva C ARM processors, which is designed for connectivity.

The Tiva C Series Connected LaunchPad is based on the TM4C129x processor family. These provide an ethernet MAC and PHY on chip, so the only external parts required are magnetics and a jack. This makes the Connected LaunchPad an easy way to hop onto ethernet and build designs that require internet connections.

This development board is focused on the “Internet of Things,” which it seems like every silicon manufacturer is focusing on nowadays. However, the real news here is a low cost board with tons of connectivity, including ethernet, two CANs, 8 UARTs, 10 I2Cs, and 4 QSPIs. This is enough IO to allow for two BoosterPack connectors that are fully independent.

For the launch, TI has partnered with Exosite to provide easy access to the LaunchPad from the internet. A pre-loaded demo application will allow you to toggle LEDs, read button states, and measure temperature over the internet using Exosite. Unlike some past LaunchPads, this one is designed for easy breadboarding, with all MCU pins broken out to a breadboard compatible header.

Finally, the price is very right. The board will be released at $19.99 USD. This is less than half the price of other ethernet-ready development boards out there. This makes it an attractive solution for hackers who want to put a device on a wired network, or need a gateway between various devices and a network.