Unlocking SIM Cards With A Logic Analyzer

[Jason Gin] wanted to reuse the SIM card that came with a ZTE WF721 wireless terminal he got from AT&T, but as he expected, it was locked to the device. Unfortunately, the terminal has no function to change the PIN and none of the defaults he tried seemed to work. The only thing left to do was crack it open and sniff the PIN with a logic analyzer.

This project is a fantastic example of the kind of reverse engineering you can pull off with even a cheap logic analyzer and a keen eye, but also perfectly illustrates the fact that having physical access to a device largely negates any security measures the manufacturer tries to implement. [Jason] already knew what the SIM unlock command would look like; he just needed to capture the exchange between the WF721 and SIM card, find the correct byte sequence, and look at the bytes directly after it.

Finding the test pads on the rear of the SIM slot, he wired his DSLogic Plus logic analyzer up to the VCC, CLK, RST, and I/O pins, then found a convenient place to attach his ground wire. After a bit of fiddling, he determined the SIM card was being run at 4 MHz, so he needed to configure a baud rate of 250 kbit/s to read the UART messages passing between the devices.

Once he found the bytes that signified successful unlocking, he was able to work his way backwards and determine the unlock command and its PIN code. It turns out the PIN was even being sent over the wire in plain text, though with the way security is often handled these days, we can’t say it surprises us. All [Jason] had to do then was put the SIM in his phone and punch in the sniffed PIN when prompted.
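
For readers who want to see what [Jason] was looking for on the I/O line, here is an added example (not code from his write-up): the ISO 7816-3 bit-rate formula, and a small parser for a T=0 exchange that labels the GSM 11.11 commands and shows that VERIFY CHV carries the PIN as plain ASCII. The capture and the PIN values in it are constructed; the F/D pair shown for 250 kbit/s at 4 MHz (F=512, D=32) is one combination that yields that rate, not something the page states the WF721 negotiated.

```python
# Added example, not code from Jason Gin's write-up: parse a captured
# ISO 7816-3 T=0 exchange between terminal (T) and SIM card (C), label the
# GSM 11.11 commands, and show where a VERIFY CHV carries the PIN in ASCII.
# The exchange below is constructed; the PIN values in it are made up.

from dataclasses import dataclass
from typing import List, Optional, Tuple

INS_NAMES = {0xA4: "SELECT", 0x20: "VERIFY CHV", 0xB0: "READ BINARY",
             0xC0: "GET RESPONSE"}


def etu_bit_rate(clock_hz: int, f_int: int = 372, d_int: int = 1) -> int:
    """ISO 7816-3: one elementary time unit (one bit) lasts F/D clock cycles,
    so the line bit rate is clock * D / F.  F=372, D=1 are the reset defaults;
    faster pairs are negotiated with PPS after the ATR."""
    return clock_hz * d_int // f_int


@dataclass
class Apdu:
    cla: int
    ins: int
    p1: int
    p2: int
    p3: int
    data: bytes
    sw: Tuple[int, int]

    @property
    def name(self) -> str:
        return INS_NAMES.get(self.ins, "INS %02X" % self.ins)

    @property
    def status(self) -> str:
        sw1, sw2 = self.sw
        if self.sw == (0x90, 0x00):
            return "OK"
        if sw1 == 0x9F:                      # GSM 11.11: response data waiting
            return "OK, %d response bytes available" % sw2
        if self.sw == (0x98, 0x04):
            return "access condition not fulfilled (wrong CHV)"
        if self.sw == (0x98, 0x40):
            return "CHV blocked, no attempts left"
        return "SW %02X %02X" % self.sw

    @property
    def chv(self) -> str:
        """For VERIFY CHV the 8 data bytes are the PIN digits in ASCII,
        padded with 0xFF (GSM 11.11 9.2.9); nothing on the wire hides them."""
        if self.ins != 0x20:
            return ""
        return self.data.rstrip(b"\xff").decode("ascii")


Record = Tuple[str, bytes]   # ("T" or "C", bytes seen on the I/O line)


def parse_t0(records: List[Record]) -> List[Apdu]:
    """Walk a T=0 exchange: 5-byte header from T, procedure byte (INS echo)
    from C, then either outgoing data from T or incoming data from C,
    and finally SW1 SW2 from C.  Simplification: a 2-byte incoming data
    field would be indistinguishable from a status word in this model."""
    apdus, i = [], 0
    while i < len(records):
        who, hdr = records[i]
        if who != "T" or len(hdr) != 5:
            raise ValueError("expected command header at record %d" % i)
        cla, ins, p1, p2, p3 = hdr
        ack_who, ack = records[i + 1]
        if ack_who != "C" or ack != bytes([ins]):
            raise ValueError("missing procedure byte for INS %02X" % ins)
        i += 2
        data = b""
        who, payload = records[i]
        if who == "T":                      # terminal sends the data field
            data, i = payload, i + 1
        elif len(payload) != 2:             # card returns a data field
            data, i = payload, i + 1
        sw_who, sw = records[i]
        if sw_who != "C" or len(sw) != 2:
            raise ValueError("missing status word after INS %02X" % ins)
        apdus.append(Apdu(cla, ins, p1, p2, p3, data, (sw[0], sw[1])))
        i += 1
    return apdus


def find_verified_chv(apdus: List[Apdu]) -> str:
    """Defender's takeaway: any VERIFY CHV answered with 90 00 has just put
    the working PIN on the wire in clear text, for anyone with probe access."""
    for a in apdus:
        if a.ins == 0x20 and a.sw == (0x90, 0x00):
            return a.chv
    return ""


# Constructed capture: SELECT MF, one wrong PIN, then the accepted PIN.
CAPTURE: List[Record] = [
    ("T", bytes.fromhex("A0A4000002")), ("C", b"\xa4"),
    ("T", bytes.fromhex("3F00")),       ("C", bytes.fromhex("9F16")),
    ("T", bytes.fromhex("A020000108")), ("C", b"\x20"),
    ("T", b"0000" + b"\xff" * 4),       ("C", bytes.fromhex("9804")),
    ("T", bytes.fromhex("A020000108")), ("C", b"\x20"),
    ("T", b"4321" + b"\xff" * 4),       ("C", bytes.fromhex("9000")),
]

if __name__ == "__main__":
    print("4 MHz, F=372 D=1 :", etu_bit_rate(4_000_000), "bit/s")
    print("4 MHz, F=512 D=32:", etu_bit_rate(4_000_000, 512, 32), "bit/s")
    for a in parse_t0(CAPTURE):
        print("%-12s P1=%02X P2=%02X -> %s %s"
              % (a.name, a.p1, a.p2, a.status, ("PIN=" + a.chv) if a.chv else ""))
    print("accepted PIN:", find_verified_chv(parse_t0(CAPTURE)))
```

The parser assumes the analyzer has already split the stream by direction, which is what a protocol decoder on the DSLogic gives you; the substantive point is that the CHV mechanism only protects against someone without a probe on the card contacts.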

Could [Jason] have just run out to the store and picked up a prepaid SIM instead of cracking open this wireless terminal and sniffing its communications with a logic analyzer? Of course. But where’s the fun in that?

36C3: SIM Card Technology From A To Z

SIM cards are all around us, and with the continuing growth of the Internet of Things, spawning technologies like NB-IoT, this might as well be very literal soon. But what do we really know about them, their internal structure, and their communication protocols? And by extension, their security? To shine some light on these questions, open source and mobile device titan [LaForge] gave an introductory talk about SIM card technologies at the 36C3 in Leipzig, Germany.

Starting with a brief history lesson on the early days of cellular networks based on the German C-Netz, and the origin of the SIM card itself, [LaForge] goes through the main specification and technology parts of each following generation from 2G to 5G. Covering the physical basics, I/O interfaces, communication protocols, and the file system located on the SIM card, you’ll get the answer to “what on Earth is PIN2 for?” along the way.

Of course, a talk like this, at a CCC event, wouldn’t be complete without a deep and critical look at the security side as well. Considering how over-the-air updates, both of the software and, thanks to SIMs mostly running Java nowadays, of the features on the card, are becoming more and more common, there certainly is something to look at.

Modulated Pilot Lights Anchor AR To Real World

We’re going to go out on a limb here and say that wherever you are now, a quick glance around will probably reveal at least one LED. They’re everywhere – we can spot a quick half dozen from our desk, mostly acting as pilot lights and room lighting. In those contexts, LEDs are pretty mundane. But what if a little more flash could be added to the LEDs of the world – literally?

That’s the idea behind LightAnchors, which bills itself as a “spatially-anchored augmented reality interface.” LightAnchors comes from work at [Chris Harrison]’s lab at Carnegie Mellon University which seeks new ways to interface with computers, and leverages the ubiquity of LED point sources and the high-speed cameras on today’s smartphones. LightAnchors are basically beacons of digitally encoded data that a smartphone can sense and decode. The target LED is modulated using amplitude-shift keying and each packet contains a data payload and parity bits along with a pre- and post-amble sequence. Software on the phone uses the camera to isolate the point source, track it, and pull the data out of it, which is used to create an overlay on the scene. The video below shows a number of applications, ranging from displaying guest login credentials through the pilot lights on a router to modulating the headlights of a rideshare vehicle so the next fare can find the right car.

An academic paper (PDF link) goes into greater depth on the protocol, and demo Arduino code for creating LightAnchors is thoughtfully provided. It strikes us that the two main hurdles to adoption of LightAnchors would be convincing device manufacturers to support them, and advertising the fact that what looks like a pilot light might actually be something more, but the idea sure beats fixed markers for AR tracking.
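
To make the framing described above concrete, here is an added example in the spirit of LightAnchors; it is not the CMU code or the exact protocol from the paper. The preamble and postamble patterns, the 8-bit payload with a single even-parity bit, the number of camera samples per symbol, and the two brightness levels are all assumptions chosen for illustration, and the decoder assumes the samples are already aligned to symbol boundaries.

```python
# Added example, not the LightAnchors code or protocol: a toy amplitude-shift
# keyed LED beacon with preamble, payload, parity and postamble, plus a
# decoder that rejects damaged frames.  Framing and levels are assumptions.

from typing import List, Optional

PREAMBLE = [1, 0, 1, 0, 1, 1]   # sync pattern (assumed)
POSTAMBLE = [0, 0]              # end-of-frame marker (assumed)
SAMPLES_PER_BIT = 4             # camera frames per symbol (assumed)
HIGH, LOW = 1.0, 0.3            # LED brightness for a 1 / a 0 (assumed)


def parity(bits: List[int]) -> int:
    """Even parity bit: 1 when the payload holds an odd number of ones."""
    return sum(bits) & 1


def encode_byte(value: int) -> List[int]:
    """Frame one byte, MSB first: preamble | 8 data bits | parity | postamble."""
    payload = [(value >> (7 - k)) & 1 for k in range(8)]
    return PREAMBLE + payload + [parity(payload)] + POSTAMBLE


def modulate(bits: List[int]) -> List[float]:
    """ASK: hold the LED at HIGH or LOW brightness for one symbol period."""
    return [HIGH if b else LOW for b in bits for _ in range(SAMPLES_PER_BIT)]


def slice_bits(samples: List[float]) -> List[int]:
    """Threshold at the midpoint of the observed brightness range and read
    the middle sample of each symbol period."""
    thr = (max(samples) + min(samples)) / 2
    mid = SAMPLES_PER_BIT // 2
    return [1 if samples[i + mid] > thr else 0
            for i in range(0, len(samples) - SAMPLES_PER_BIT + 1, SAMPLES_PER_BIT)]


def decode(samples: List[float]) -> Optional[int]:
    """Scan for the preamble, read payload and parity, require the postamble.
    Returns the byte, or None when no intact frame is present."""
    bits = slice_bits(samples)
    n = len(PREAMBLE)
    frame_len = n + 8 + 1 + len(POSTAMBLE)
    for start in range(len(bits) - frame_len + 1):
        if bits[start:start + n] != PREAMBLE:
            continue
        payload = bits[start + n:start + n + 8]
        p = bits[start + n + 8]
        post = bits[start + n + 9:start + frame_len]
        if p != parity(payload) or post != POSTAMBLE:
            continue                        # damaged frame: keep scanning
        return int("".join(map(str, payload)), 2)
    return None


def beacon_stream(value: int, corrupt_bit: Optional[int] = None) -> List[float]:
    """Constructed capture: a steadily lit pilot light, then one frame, then
    steady light again.  corrupt_bit flips one symbol to imitate a misread."""
    bits = encode_byte(value)
    if corrupt_bit is not None:
        bits[corrupt_bit] ^= 1
    idle = [HIGH] * (3 * SAMPLES_PER_BIT)
    return idle + modulate(bits) + idle


if __name__ == "__main__":
    print("clean frame  :", decode(beacon_stream(0x5A)))          # 90
    print("flipped bit  :", decode(beacon_stream(0x5A, corrupt_bit=8)))  # None
    print("steady light :", decode([HIGH] * 40))                  # None
```

The single parity bit only detects an odd number of bit errors; the point of the example is the shape of the problem (sync, framing, integrity check, and graceful rejection), which is also why a beacon carrying something like guest credentials should be treated as a broadcast readable by any camera in line of sight.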

Accessibility Apps Get Help From Bluetooth Buttons

Ever hear of Microsoft Soundscape? We hadn’t, either. But apparently it and similar apps like Blindsquare provide people with vision problems context about their surroundings. The app is made to run in the background of the user’s mobile device and respond to media controls, but if you are navigating around with a cane, getting to media controls on a phone or even a headset might not be very convenient. [Jazzang] set out to build buttons that could control apps like this and be integrated with a cane or otherwise placed in a convenient location.

There are four buttons of interest: Play/pause, Next, Back, and Home. There’s also a mute button and an additional button you can use with the phone’s accessibility settings. Each button has a special function for Soundscape. For example, Next will describe the point of interest in front of you. Soundscape runs on an iPhone, so Bluetooth is the obvious choice for creating the buttons.

To simplify things, the project uses an Adafruit Feather nRF52 Bluefruit board. Given that it’s Arduino compatible and provides a Bluetooth Human Interface Device (HID) out of the box, there’s almost nothing else to do for the hardware but wire up the switches and some pull-up resistors. That would make the circuit easy to stick almost anywhere.

Software-wise, things aren’t too hard either. The library provides all the Bluetooth HID device trappings you need, and once that’s set up, it is pretty simple to send keys to the phone. This is a great example of how simple so many tasks have become due to the availability of abstractions that handle all of the details. Since a Bluetooth HID device is just a keyboard, you can probably think of many other uses for this setup with just small changes in the software.

We covered the Bluefruit back when it first appeared. We don’t know about mounting this to a cane, but we do remember something similar attached to a sword.

Finally, A Usable Rotary Phone From A Conference Badge

A few weeks ago we featured a project from [Dan], a work-in-progress in which he was attaching an EMF 2018 electronic conference badge to a rotary phone. At the time we looked forward to his progress, expecting maybe to see it in our travels round the field at EMF 2021. We have to say we did him a disservice then, because he’s made excellent progress and has now turned it into a fully functional cellular rotary phone.

When we left him he’d interfaced the dial to the badge and not a lot else, but it was enough to spark our interest because we think there should be more re-use of old electronic conference badges. Since then he’s reverse-engineered the original bell, driving it with a motor driver and a cheap DC-to-DC converter, and fitted the handset with the guts of a Bluetooth headset, because while experimenting he managed to kill the badge’s audio circuitry.

The result can be seen in the video below the break, and we have to admit it looks pretty good. Depending where you are in the world you’ll either love or hate the ringing sound, but that is of little consequence to the utility of the device. If you have a drawer full of conference badges gathering dust, perhaps it’s time to give them a second look.

Laser-Based Audio Injection On Voice-Controllable Systems

In one of the cooler hacks we’ve seen recently, a bunch of hacking academics at the University of Michigan researched the ability to flicker a laser at audible sound frequencies to see if they could remotely operate microphones simply by shining a light on them. The results are outstanding.

While most hackers will have heard of ‘The Thing’, the famous hack in which Russian KGB agents aimed a radio transmitter at the Great Seal in the US embassy, almost none of us will have thought of using lasers shone in from distant locations to hack modern audio devices such as Alexa or Google Assistant. In the name of due diligence, we checked it out on Wikipedia: ‘The Photoacoustic Effect’, and indeed it is real, first discovered in 1880 by Alexander Bell! The pulsing light heats the microphone element and causes it to vibrate along with the beam’s intensity. Getting long range out of such a system is a non-trivial product of telescopes, lasers, and careful alignment, but it can be made to work.

Digging deeper into the hack, we find that the actual microphone that is vulnerable is the MEMS type, such as the Knowles SPV0842LR5H. This attack is relatively easy to prevent; manufacturers would simply need to install screens to prevent light from hitting the microphones. For devices already installed in our homes, we recommend either putting a cardboard box over them or moving them away from windows where unscrupulous neighbors or KGB agents could gain access. This does make us wonder if MEMS mics are also vulnerable to radio waves.

As far as mobile phones are concerned, the researchers were able to talk into an iPhone XR at 10 metres, which means that, very possibly, anybody with a handheld ultraviolet- or infrared-equipped flashlight could hack our phones at close range in a bar, for example. The countermeasures are simple: just stick some black electrical tape over the microphone port at the bottom of the phone. Or stay out of those dodgy bars.

Finally, A Rotary Cell Phone With Speed Dial

If you’re reading this, chances are good that you’re the family IT department. We do what we can to help them, but there’s just no changing the fact that smartphones are difficult to operate with aging eyes and hands. When [sideburn’s] dad started complaining, he took a different approach. Instead of helping his dad adapt, [sideburn] stuffed modern cell phone guts into a 1970s rotary phone — if all you want to use it for is phone calls, why not reach for a battle-tested handset?

[sideburn] figured out the most important part first, which is getting the thing to ring. The bells in those old phones are driven by a huge relay that requires a lot of voltage, so he boosted a 3.2V rechargeable to 34V. Then it was just a matter of getting the GSM module to play nice with the microcontroller, and having the microcontroller drive a MOSFET that switches on the boost module that makes the beast jingle.

The worst thing about rotary phones is that they were never meant to be dialed in a hurry. But [sideburn] took care of that. Once Rotocell was up and working, he added an SMS interface that makes the phone a lot more useful. Dad can add contacts to Rotocell by texting the name and number to it from a modern phone. Once it’s in there, he can dial by name, speeding up the process a tiny bit.

The SMS interface can also report back the signal strength and battery level, and will send battery low alerts when it’s under 20%. You can see Rotocell in action after the break.
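
As an added example of how a text-command interface like Rotocell’s can be structured (this is not [sideburn]’s firmware), here is a handler that adds contacts from an SMS, dials by name, reports signal and battery, and raises the under-20% battery alert once per discharge. The command syntax, the number normalisation rules and the sender allow-list are assumptions; the allow-list is the one hardening step a phone that accepts configuration over SMS should have, since otherwise any number that learns the phone’s number can rewrite its phone book.

```python
# Added example, not [sideburn]'s Rotocell code: a small SMS command handler
# in the style of the interface described above.  Command syntax, the sender
# allow-list and the number format are assumptions for illustration.

from typing import Dict, Iterable, Optional

BATTERY_LOW_PCT = 20   # alert threshold given in the article


def normalize_number(raw: str) -> Optional[str]:
    """Keep an optional leading '+' and the digits; reject implausible lengths."""
    plus = raw.strip().startswith("+")
    digits = "".join(ch for ch in raw if ch.isdigit())
    if not 7 <= len(digits) <= 15:
        return None
    return ("+" if plus else "") + digits


class Rotocell:
    def __init__(self, owners: Iterable[str], signal_pct: int = 0,
                 battery_pct: int = 100) -> None:
        self.owners = set(owners)            # numbers allowed to configure us
        self.contacts: Dict[str, str] = {}   # lower-case name -> number
        self.signal_pct = signal_pct
        self.battery_pct = battery_pct
        self.low_alert_sent = False

    def handle_sms(self, sender: str, text: str) -> Optional[str]:
        """Process one incoming text.  Returns the reply to send, or None
        when the message is ignored (unknown sender or empty text)."""
        if sender not in self.owners:
            return None                      # silently drop strangers
        parts = text.strip().split(maxsplit=2)
        if not parts:
            return None
        cmd = parts[0].upper()
        if cmd == "ADD" and len(parts) == 3:
            name, number = parts[1].lower(), normalize_number(parts[2])
            if number is None:
                return "ADD: bad number"
            self.contacts[name] = number
            return "ADD: %s -> %s" % (name, number)
        if cmd == "DEL" and len(parts) == 2:
            removed = self.contacts.pop(parts[1].lower(), None)
            return "DEL: %s" % ("ok" if removed else "no such name")
        if cmd == "STATUS":
            return "signal %d%% battery %d%%" % (self.signal_pct, self.battery_pct)
        return "unknown command"

    def dial_by_name(self, name: str) -> Optional[str]:
        """Resolve a dialled name to a number; None if it is not stored."""
        return self.contacts.get(name.lower())

    def battery_tick(self, pct: int) -> Optional[str]:
        """Feed a fresh battery reading.  Emits one alert when the level drops
        below the threshold and re-arms once the phone has been charged."""
        self.battery_pct = pct
        if pct < BATTERY_LOW_PCT and not self.low_alert_sent:
            self.low_alert_sent = True
            return "battery low: %d%%" % pct
        if pct >= BATTERY_LOW_PCT:
            self.low_alert_sent = False
        return None


if __name__ == "__main__":
    # Constructed numbers; "+15550100" plays the role of Dad's modern phone.
    phone = Rotocell(owners={"+15550100"}, signal_pct=70, battery_pct=55)
    print(phone.handle_sms("+15550199", "ADD Mom 5550123"))       # None
    print(phone.handle_sms("+15550100", "ADD Mom (555) 012-3456"))
    print(phone.dial_by_name("MOM"))
    print(phone.handle_sms("+15550100", "status"))
    print(phone.battery_tick(19), phone.battery_tick(18), phone.battery_tick(50))
```

The re-arm logic in battery_tick is what keeps the phone from texting a low-battery alert on every reading below 20%; the same pattern applies to the signal report if you want it to alert on loss of coverage.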

Got an old rotary or two lying about? If modernizing the internals to make calls doesn’t light up your circuits, try turning it into a voice-controlled assistant instead.