Shmoocon 2016: Reverse Engineering Cheap Chinese Radio Firmware

Every once in a great while, a piece of radio gear catches the attention of a prolific hardware guru and is reverse engineered. A few years ago, it was the RTL-SDR, and since then, software defined radios became the next big thing. Last weekend at Shmoocon, [Travis Goodspeed] presented his reverse engineering of the Tytera MD380 digital handheld radio. The hack has since been published in PoC||GTFO 0x10 (56MB PDF, mirrored) with all the gory details that turn a $140 radio into the first hardware scanner for digital mobile radio.

The Tytera MD-380 digital radio

The Tytera MD380 is a fairly basic radio with two main chips: an STM32F405 with a megabyte of Flash and 192k of RAM, and an HR C5000 baseband. The STM32 has both JTAG and a ROM bootloader, but both of these are protected by the Readout Device Protection (RDP). Getting around the RDP is the very definition of a jailbreak, and thanks to a few forgetful or lazy Chinese engineers, it is most certainly possible.

The STM32 in the radio implements a USB Device Firmware Upgrade (DFU), probably because of some example code from ST. Dumping the memory from the standard DFU protocol just repeated the same binary string, but with a little bit of coaxing and investigating the terrible Windows-only official client application, [Travis] was able to find non-standard DFU commands, write a custom DFU client, and read and write the ‘codeplug’, an SPI Flash chip that stores radio settings, frequencies, and talk groups.
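The observation that the standard DFU upload "just repeated the same binary string" is a common tell that a device is not actually handing over its Flash contents (readout protection, or a stub that returns a fixed buffer). The script below is an added example, not code from [Travis] or the MD380 project: it sanity-checks a dump by finding its shortest repeating period and its byte entropy before anyone spends time disassembling it. The sample inputs are constructed here; the thresholds (`max_period`, `min_entropy`) are assumptions that a practitioner would tune for their target.

```python
"""Sanity-check a firmware dump before reverse engineering it.

A dump that is just a short byte string repeated (or all 0xFF / 0x00) is
almost certainly not the real Flash image. Sample data below is constructed
for this example; it is not an MD380 dump.
"""
import collections
import hashlib
import math


def smallest_period(data: bytes) -> int:
    """Length of the shortest prefix whose repetition reproduces `data`.

    Uses the KMP prefix-function: the shortest period of a string of length n
    is n - fail[n-1], and it is a true period only if it divides n. Returns
    len(data) when the data is not periodic.
    """
    n = len(data)
    if n == 0:
        return 0
    fail = [0] * n
    k = 0
    for i in range(1, n):
        while k and data[i] != data[k]:
            k = fail[k - 1]
        if data[i] == data[k]:
            k += 1
        fail[i] = k
    period = n - fail[-1]
    return period if n % period == 0 else n


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte (0.0 for a constant buffer, 8.0 maximum)."""
    n = len(data)
    if n == 0:
        return 0.0
    counts = collections.Counter(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_like_real_dump(data: bytes, max_period: int = 64,
                         min_entropy: float = 4.0) -> bool:
    """Heuristic: reject empty, short-period, or near-constant dumps.

    max_period and min_entropy are assumed defaults for this example; ARM
    Thumb code and data tables normally sit well above 4 bits/byte and have
    no short repeating period.
    """
    if not data:
        return False
    if smallest_period(data) <= max_period:
        return False
    if shannon_entropy(data) < min_entropy:
        return False
    return True


# Constructed samples: a 12-byte string repeated (what a refused readout can
# look like), an erased-Flash buffer, and pseudo-random "firmware" built from
# chained SHA-256 digests so the example stays deterministic and offline.
REPEATED_DUMP = b"\x00\x20\x00\x20\xc5\x01\x00\x08\xd5\x01\x00\x08" * 512
ERASED_FLASH = b"\xff" * 4096
PSEUDO_FIRMWARE = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(32))


def classify(name: str, data: bytes) -> str:
    """Human-readable verdict for one dump."""
    verdict = "plausible" if looks_like_real_dump(data) else "suspicious"
    return (f"{name}: {len(data)} bytes, period={smallest_period(data)}, "
            f"entropy={shannon_entropy(data):.2f} -> {verdict}")


if __name__ == "__main__":
    for label, blob in [("repeated", REPEATED_DUMP),
                        ("erased", ERASED_FLASH),
                        ("pseudo-firmware", PSEUDO_FIRMWARE)]:
        print(classify(label, blob))
```

Run it on a real upload by reading the file into `data` and calling `looks_like_real_dump(data)`; a `False` result is a cue to look at the bootloader's protection state or at non-standard commands, as the article describes, rather than at the bytes themselves.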

Further efforts to dump all the firmware on the radio were a success, and with that began the actual reverse engineering of the radio. It runs an ARM port of MicroC/OS-II, a real-time embedded operating system. This OS is very well documented, so with slightly more effort new functions and patches can be written.

In Digital Mobile Radio, audio is sent through either a public talk group or a private contact. The radio is usually set to only one talk group, and so it’s not really possible to listen in on other talk groups without changing settings. A patch for promiscuous mode – a mode that puts all talk groups through the speaker – is just setting one JNE in the firmware to a NOP.

The Tytera MD-380 ships with a terrible Windows app used for programming the radio

With the help of [DD4CR] and [W7PCH], the entire radio has been reverse engineered with rewritten firmware that works with the official tools, the first attempts of scratch-built firmware built around FreeRTOS, and the beginnings of a very active development community for a $140 radio. [Travis] is looking for people who can add support for P25, D-Star, System Fusion, a proper scanner, or the ability to send and receive DMR frames over USB. All these things are possible, making this one of the most exciting radio hacks in recent memory.

Before [Travis] presented this hack at the Shmoocon fire talks, intuition guided me to look up this radio on Amazon. It was $140 with Prime, and the top vendor had 18 in stock. Immediately after the talk – 20 minutes later – the same vendor had 14 in stock. [Travis] sold four radios to members of the audience, and there weren’t that many people in attendance. Two hours later, the same vendor had four in stock. If you’re looking for the best hardware hack of the con, this is the one.

Why No Plane Parachutes? And Other Questions.

This week I was approached with a question. Why don’t passenger aircraft have emergency parachutes? Whole plane emergency parachutes are available for light aircraft, and have been used to great effect in many light aircraft engine failures and accidents.

But the truth is that while parachutes may be effective for light aircraft, they don’t scale. There are a series of great answers on Quora which run the numbers of the size a parachute would need to be for a full size passenger jet. I recommend reading the full thread, but suffice it to say a ballpark estimate would require a million square feet (92903 square meters) of material. This clearly isn’t very feasible, and the added weight and complexity would no doubt bring its own risks.


Hacking Education – A Makerspace Experiment

This is an Education hack, and it’s pretty awesome. [Abhijit Sinha] received an Engineering degree and took up a run-of-the-mill IT job in Bangalore, considered India’s IT hub. Seven months down the line, on Dec 31st, he gave notice to the company and quit his “boring” job. He ended up in Banjarpalya, a village just 30 km out of Bangalore. But it could well have been 30 years back in time. The people there had never come across computers, and there wasn’t much sign of other modern technology. So he set up Project DEFY – Design Education for You.

He bought a few refurbished laptops, took a room, and put kids and computers together. Except, these kids just knew a smattering of English. They went to the village school, run by the government and staffed by teachers whose training was basic, at best. He told the kids there are games in those boxes for them to play, but they’d have to figure it out on their own, without help from him. Pretty soon, all of them were playing games like they were pros. That’s when [Abhijit] stepped in and told them that they’d created a base line for having fun. Everything else they did from now on had to be more fun than what they had just done. If they were interested, he would show them how.

He had a gaggle of kids waiting to hear him with rapt attention. He showed them how to look online for information. He showed them how they could learn how to build fun projects by looking up websites like Instructables, and then use locally available materials and their own ingenuity to build and modify. Once a project was done, he showed them how to post details about what they had done and learnt so others around the world could learn from them. The kids took to all this like fish to water. They couldn’t wait to get through 5 hours of school each day, and then head over to their makerspace to spend hours tinkering. Check out their Instructable channel – and see if you can give them some guidance and advice.

A year onwards, on Dec 31st again, [Abhijit] gathered the kids, and several adults who had joined in during the year, telling them he had news. He had figured they were independent enough to run the space on their own now, without any help from him. He would still get them the 500 odd Dollars they needed each month to keep it operational. Other than that, they were on their own. He’s been monitoring their progress, and from the looks of it, the hack seems to have worked. More power to [Abhijit] and others like him around the world who are trying to bring the spirit of making to those who probably stand to benefit from it the most. Check out the videos below where they show off their work.

PS: Here’s the latest update from [Abhijit]: “Got back to the Banjarapalya Makerspace after quite a while, and this is what they show me – they built a little plane. Of course it crash lands, and needs better programming, but I am super impressed that they are ready to fly.
Anyone who wants to help them technically? Financially? With parts and components?”


Cyborg Photosynthetic Bacteria!

This is weird science. Researchers at Lawrence Berkeley National Laboratory have taken some normal bacteria and made them photosynthetic by adding cadmium sulfide nanoparticles. Cadmium sulfide is what makes the garden-variety photoresistor work. That’s strange enough. But the bacteria did the heavy lifting — they coated themselves in the inorganic cadmium — which means that they can continue to grow and reproduce without much further intervention.

Bacteria are used as workhorses in a lot of chemical reactions these days, and everybody’s trying to teach them new tricks. But fooling them into taking on inorganic light absorbing materials and becoming photosynthetic is pretty cool. As far as we understand, the researchers found a chemical pathway into which the electrons produced by the CdS would fit, and the bacteria took care of the rest. They still make acetic acid, which is their normal behavior, but now they produce much more when exposed to light.

If you want to dig a little deeper, the paper just came out in Science magazine, but it’s behind a paywall. But with a little searching, one can often come up with the full version for free. (PDF).

Or if you’d rather make electricity, instead of acetic acid, from your bacteria, be our guest. In place of CdS, however, you’ll need a fish. Biology is weird.

Headline images credit: Peidong Yang

Naviator Drone Uses Its Propellers To Fly And Swim

Rutgers University just put out a video on a “drone” that can fly and then drop into a body of water, using its propellers to move around. This isn’t the first time we’ve covered a university making sure Skynet can find us even in the bathtub, but this one is a little more manageable for the home experimenter. The robot uses a Y8 motor combination. Each motor pair on its four arms spins in opposite directions, but provides thrust in the same direction. Usually this provides a bit more stability and a lot more redundancy in a drone. In this case we think it helps the robot leave the water and offers a bit more thrust underwater, where the props become dramatically less efficient.

We’re excited to see where this direction goes. We can already picture the new and interesting ways one can lose a drone and GoPro forever using this, even with the integral in your toolbox. We’d also like to see if the drone-building community can figure out the new dynamics for this drone and release a library for the less mathematically inclined to play with. Video after the break.


Shmoocon 2016: Hackers For Charity

To one side of the “Chill Room” at this year’s Shmoocon were a few tables for Hackers for Charity. This is an initiative to make skills-training available for people in Uganda. The organization is completely supported by the hacker community.

Hackers for Charity was founded by Johnny Long about seven years ago. He had been working as a penetration tester but you perhaps know him better from his many books on hacking. Having seen the lack of opportunity in some parts of the world, Johnny started Hackers for Charity as a way to get used electronics and office equipment into the hands of people who needed it most. This led to the foundation of a school in Uganda that teaches technology skills. This can be life-changing for the students who go on to further schooling, or often find clerical or law enforcement positions. Through the charity’s donations the training center is able to make tuition free for about 75% of the student body.

The education is more than just learning to use a word processor. The group has adopted a wide range of equipment and digital resources to make this an education you’d want for your own children. Think Chromebooks, Raspberry Pi, robotics, and fabrication. One really interesting aspect is the use of RACHEL, which is an effort to distribute free off-line educational content. This is a searchable repository of information that doesn’t require an Internet connection. Johnny told me that it doesn’t stop at the schoolroom door; they have the system on WiFi so that anyone in the village can connect and use the resources whether they’re students or not.

Shmoocon does something interesting with their T-shirt sales. They’re not actually selling shirts at all. They’re soliciting $15 donations. You donate, and you get a shirt and a chit — drop your chit in a box to decide where your $15 should go. This year, Hackers for Charity, the EFF, and World Bicycle Relief were the charities to choose from. If you want to help out this 501(c)(3) organization, consider clicking the donate button you’ll find on the sidebar and footer of their webpage.

Mouse Pen From Old Parts

No offense to [Douglas Engelbart] but the computer mouse has always seemed a bit of a hack to us (and not in the good sense of the word). Sure we’ve all gotten used to them, but unlike a computer keyboard, there is no pre-computer analog to a mouse. There are plenty of alternatives, of course, like touchpads and trackballs, but they never seem to catch on to the extent that the plain old mouse has.

One interesting variation is the pen mouse. These do rely on a pre-computer analog: a pen or pencil. You can buy them already made (and they are surprisingly inexpensive), but what fun is that? [MikB] wanted one and decided to build it instead of buying it.

The main parts of the pen mouse include a cheap mouse with a failing scroll wheel, a bingo pen, and the base from an old web camera. There’s also a normal-sized pen to act as the handpiece. The project is mostly mechanical rather than electrical. [MikB] took the mouse apart and cut the PCB to fit inside the base. The rest of the build is a construction project.

The result appears to work well. [MikB] includes instructions for installing the mouse correctly in Linux. The net effect is like a tablet but doesn’t require much space on your desk. We’ve seen plenty of mouse projects in the past, of course. We’ve even seen hacks for a head mouse if that’s your thing.