Cellphone Hacks

526 Articles

AsciiCam: Make ASCII Art With Your Phone

November 25, 2017 by 10 Comments

We admit it, we have a nostalgic soft spot for ASCII Art. Pictures made form characters, printed on an old-fashioned line printer. They’ve been a hacker standby since the 1960’s. Times have moved on though. These days we’re all carrying supercomputers in our pockets.  Why not use them to create more great ASCII art? That’s exactly what [Brian Nenninger] did with AsciiCam. AsciiCam lets you use your Android phone’s camera to create ASCII images.

Using the software is simple. Just launch it and you’re greeted with an ASCII preview of the camera image. Users can select from a 16 color palette and full 24 bit color. Monochrome modes are also available. You can also choose from black text on a white background or white text on black.

The great thing about AsciiCam is the fact that it is open source. You can download the full source code from Github. If you just want to run the software, it’s available through the Google Play Store. This is a labor of love. The first Github commits were six years ago, and [Bran] is still working — the most recent commits were made only a few days back. AsciiCam is also a good example for neophyte Android programmers.

Want to know more about ASCII art? Check out Al’s history of ASCII art, or this talk about both ASCII and ANSI creations.

Face ID Defeated With 3D Printed Mask (Maybe)

November 14, 2017 by 44 Comments

Information about this one is still tricking in, so take it with a grain of salt, but security company [Bkav] is claiming they have defeated the Face ID system featured in Apple’s iPhone X [Dead link, try the Internet Archive]. By combining 2D images and 3D scans of the owner’s face, [Bkav] has come up with a rather nightmarish creation that apparently fools the iPhone into believing it’s the actual owner. Few details have been released so far, but a YouTube video recently uploaded by the company does look fairly convincing.

For those who may not be keeping up with this sort of thing, Face ID is advertised as an improvement over previous face-matching identification systems (like the one baked into Android) by using two cameras and a projected IR pattern to perform a fast 3D scan of the face looking at the screen. Incidentally, this is very similar to how Microsoft’s Kinect works. While a 2D system can be fooled by a high quality photograph, a 3D based system would reject it as the face would have no depth.

[Bkav] is certainly not the first group to try and con Apple’s latest fondle-slab into letting them in. Wired went through a Herculean amount of effort in their attempt earlier in the month, only to get no farther than if they had just put a printed out picture of the victim in front of the camera. Details on how [Bkav] managed to succeed are fairly light, essentially boiling down to their claim that they are simply more knowledgeable about the finer points of face recognition than their competitors. Until more details are released, skepticism is probably warranted.

Still, even if their method is shown to be real and effective in the wild, it does have the rather large downside of requiring a 3D scan of the victim’s face. We’re not sure how an attacker is going to get a clean scan of someone without their consent or knowledge, but with the amount of information being collected and stored about the average consumer anymore, it’s perhaps not outside the realm of possibility in the coming years.

Since the dystopian future of face-stealing technology seems to be upon us, you might as well bone up on the subject so you don’t get left behind.

Thanks to [Bubsey Ubsey] for the tip.

Continue reading “Face ID Defeated With 3D Printed Mask (Maybe)”

Review: New 3G And Cat-M1 Cellular Hardware From Hologram

October 5, 2017 by 31 Comments

In July we reported on the launch of the Hologram developer program that offered a free SIM card and a small amount of monthly cellular data for those who wanted to build connectivity into their prototypes. Today, Hologram has launched some new hardware to go along with that program.

Nova is a cellular modem in a USB thumb drive form factor. It ships in a little box with a PCB that hosts the u-blox cellular module, two different antennas, a plastic enclosure, and a SIM card. The product is aimed at those building connected devices around single-board computers, making it easy to plug Nova in and get connected quickly.

This device that Hologram sent me is a 3G modem. They have something like 1,000 of them available to ship starting today, but what I find really exciting is that there is another flavor of Nova that looks the same but hosts a Cat-M1 version of the u-blox module. This is a Low Power Wide Area Network technology built on the LTE network. We’ve seen 2G and 3G modems available for some time now, but if go that route you’re building a product around a network which has an end-of-life concern.

Cat-M1 will be around for much longer and it is designed to be low power and utilizes a narrower bandwidth for less radio-on time. I asked Hologram for some power comparison estimates between the two technologies:

AVERAGE current consumption comparisons:

Cat-M1: as low as 100 mA while transmitting and never more than 190 mA
Equivalent 3G: as high as 680 mA while transmitting

PEAK current consumption comparisons (these are typically filtered through capacitors so the power supply doesn’t ever witness these values, and they are only momentary):

Cat-M1: Less than 490 mA
Equivalent 3G: As high as 1550 mA

This is an exciting development because we haven’t yet seen LTE radios available for devices — of course there are hotspots but those are certainly not optimized for low power or inclusion in a product. But if you know your ESP8266 WiFi specs you know that those figures above put Cat-M1 on a similar power budget and in the realm of battery-operated devices.

The Cat-M1 Nova can be ordered beginning today, should ship in limited quantities within weeks, with wider availability by the end of the year. If you can’t get one in the first wave, the 3G Nova is a direct stand-in from the software side of things.

I suspect we’ll see a lot of interest in Cat-M1 technology moving forward simply because of the the technology promises lower power and longer support. (I’m trying to avoid using the term IoT… oops, there it is.) For today, let’s take a look at the 3G version of the new hardware and the service that supports it.

Continue reading “Review: New 3G And Cat-M1 Cellular Hardware From Hologram”

Emergency Cell Tower On A Budget

September 30, 2017 by 22 Comments

Cell phone towers are something we miss when we’re out of range, but imagine how we’d miss them if they had been destroyed by disastrous weather. In such emergencies it is more important than ever to call loved ones, and tell them we’re safe. [Matthew May] and [Brendan Harlow] aimed to make their own secure and open-source cellular network antenna for those occasions. It currently supports calling between connected phones, text messaging, and if the base station has a hard-wired internet connection, users can get online.

This was a senior project for a security class, and it seems that the bulk of their work was in following the best practices set by the Center for Internet Security. They adopted a model intended for the Debian 8 operating system which wasn’t a perfect fit. According to Motherboard their work scored an A+, and we agree with the professors on this one.

Last year, the same SDR board, the bladeRF, was featured in a GSM tower hack with a more sinister edge, and of course Hackaday is rife with SDR projects.

Thank you [Alfredo Garza] for the tip.

Hologram.io Offers Developers Free Cell Data

July 25, 2017 by 68 Comments

If you’ve been thinking of adding cellular connectivity to a build, here’s a way to try out a new service for free. Hologram.io has just announced a Developer Plan that will give you 1 megabyte of cellular data per month. The company also offers hardware to use with the SIM, but they bill themselves as hardware agnostic. Hologram is about providing a SIM card and the API necessary to use it with the hardware of your choice: any 2G, 3G, 4G, or LTE devices will work with the service.

At 1 MB/month it’s obvious that this is aimed at the burgeoning ranks of Internet of Things developers. If you’re sipping data from a sensor and phoning it home, this will connect you in 200 countries over about 600 networks. We tried to nail them down on exactly which networks but they didn’t take the bait. Apparently any major network in the US should be available through the plan. And they’ve assured us that since this program is aimed at developers, they’re more than happy to field your questions as to which areas you will have service for your specific application.

The catch? The first taste is always free. For additional SIM cards, you’ll have to pay their normal rates. But it’s hard to argue with one free megabyte of cell data every month.

Hologram originally started with a successful Kickstarter campaign under the name Konekt Dash but has since been rebranded while sticking to their cellular-connectivity mission. We always like getting free stuff — like the developer program announced today — but it’s also interesting to see that Hologram is keeping up with the times and has LTE networks available in their service, for which you’ll need an LTE radio of course.

EMMC To SD Hack Rescues Data From A Waterlogged Phone

July 12, 2017 by 59 Comments

How do I get the data off this destroyed phone? It’s a question many of us have had to ponder – either ourselves or for friends or family. The easy answer is either spend a mint for a recovery service or consider it lost forever.  [Trochilidae] didn’t accept either of those options, so he broke out the soldering iron and rescued his own data.

A moment’s inattention with a child near a paddling pool left [Trochilidae’s] coworker’s wife with a waterlogged, dead phone. She immediately took apart the phone and attempted to dry it out, but it was too late. The phone was a goner. It also had four months of photos and other priceless data on it. [Trochilidae] was brought in to try to recover the data.

The phone was dead, but chances are the data stored within it was fine. Most devices built in the last few years use eMMC flash devices as their secondary storage. eMMC stands for Embedded Multimedia Card. What it means is that the device not only holds the flash memory array, it also contains a flash controller which handles wear leveling, flash writing, and host interface. The controller can be configured to respond exactly like a standard SD card.

The hard part is getting a tiny 153 ball BGA package to fit into an SD card slot.  [Trochilidae] accomplished that by cutting open a microSD to SD adapter. He then carefully soldered the balls from the eMMC to the pins of the adapter. Thin gauge wire, a fine tip iron, and a microscope are essentials here. Once the physical connections were made,  [Trochilidae] plugged the card into his Linux machine. The card was recognized, and he managed to pull all the data off with a single dd command.

[Trochilidae] doesn’t say what happened after the data was copied, but we’re guessing he analyzed the dump to determine the filesystem, then mounted it as a drive. The end result was a ton of recovered photos and a very happy coworker.

If you like crazy soldering exploits, check out this PSP reverse engineering hack, where every pin of a BGA was soldered to magnet wire.

LTE IMSI Catcher

May 30, 2017 by 19 Comments

GSM IMSI catchers preyed on a cryptographic misstep in the GSM protocol. But we have LTE now, why worry? No one has an LTE IMSI catcher, right? Wrong. [Domi] is here with a software-defined base transceiver station that will catch your IMSI faster than you can say “stingray” (YouTube video, embedded below).

First of all, what is an IMSI? IMSI stands for International Mobile Subscriber Identity. If an IMEI (International Mobile Equipment Identity) is your license plate, your IMSI would be your driver’s license. The IMEI is specific to the phone. Your IMSI is used to identify you, allowing phone companies to verify your origin country and mobile network subscription.

Now, with terminology in tow, how does [Domi] steal your IMSI? Four words: Tracking Area Update Request. When a phone on an LTE network received a tracking area request, the LTE protocol mandates that the phone deletes all of its authentication information before it can reconnect to a base station. With authentication out of the way [Domi] spoofs a tower, waits for phones to connect, requests the phone’s IMSI and then rejects the phones authentication request, all under the nose of the phone’s user.

Now, before you don your tinfoil hat, allow us to suggest something more effective. Need more cell phone related hacks? We’ve got your back.

Continue reading “LTE IMSI Catcher”