Cellphone Hacks

541 Articles

Simplify Your Life With This Pocket Rotary Cellphone

February 13, 2020 by 40 Comments

With its constant siren song of distraction and endless opportunity for dopamine hits, a smartphone can cause more problems than it solves. The simple solution would be a no-nonsense flip phone, but that offers zero points for style. So why not build your own rotary dial pocket cellphone?

Of course, what style points accrue to [Justine Haupt] take a hit in terms of practicality, but that was never really the point of this build. And even then, the phone appears to be surprisingly useful. It’s based on the rotary dial from a Trimline phone, which itself was an epic hack back in 1965 when it was introduced. The 3D-printed case contains an ATmega2560V microcontroller and an Adafruit FONA 3G cell module, while a flexible mono eInk display adorns the outside. Some buttons, a folding SMA antenna, and some LEDs for signal strength and battery level complete the build, which easily slips into a pocket. The dial can be used not only to dial the phone but to control the speaker volume; in practice, [Justine] mainly uses the speed dial buttons to make calls, though.

We’ve seen rotary phones converted to cell before, but this one is a next-level integration of the retro and the modern. It’s simple, intuitive, and distraction-free, and best of all, it’s a great excuse not to return a text.

Thanks to [J. Peterson] for the tip.

Unlocking SIM Cards With A Logic Analyzer

January 2, 2020 by 20 Comments

[Jason Gin] wanted to reuse the SIM card that came with a ZTE WF721 wireless terminal he got from AT&T, but as he expected, it was locked to the device. Unfortunately, the terminal has no function to change the PIN and none of the defaults he tried seemed to work. The only thing left to do was crack it open and sniff the PIN with a logic analyzer.

This project is a fantastic example of the kind of reverse engineering you can pull off with even a cheap logic analyzer and a keen eye, but also perfectly illustrates the fact that having physical access to a device largely negates any security measures the manufacturer tries to implement. [Jason] already knew what the SIM unlock command would look like; he just needed to capture the exchange between the WF721 and SIM card, find the correct byte sequence, and look at the bytes directly after it.

Finding the test pads on the rear of the SIM slot, he wired his DSLogic Plus logic analyzer up to the VCC, CLK, RST, and I/O pins, then found a convenient place to attach his ground wire. After a bit of fiddling, he determined the SIM card was being run at 4 MHz, so he needed to configure a baud rate of 250 kbit/s to read the UART messages passing between the devices.

Once he found the bytes that signified successful unlocking, he was able to work his way backwards and determine the unlock command and its PIN code. It turns out the PIN was even being sent over the wire in plain text, though with the way security is often handled these days, we can’t say it surprises us. All [Jason] had to do then was put the SIM in his phone and punch in the sniffed PIN when prompted.

Could [Jason] have just run out to the store and picked up a prepaid SIM instead of cracking open this wireless terminal and sniffing its communications with a logic analyzer? Of course. But where’s the fun in that?

36C3: SIM Card Technology From A To Z

December 30, 2019 by 1 Comment

SIM cards are all around us, and with the continuing growth of the Internet of Things, spawning technologies like NB-IoT, this might as well be very literal soon. But what do we really know about them, their internal structure, and their communication protocols? And by extension, their security? To shine some light on these questions, open source and mobile device titan [LaForge] gave an introductory talk about SIM card technologies at the 36C3 in Leipzig, Germany.

Starting with a brief history lesson on the early days of cellular networks based on the German C-Netz, and the origin of the SIM card itself, [LaForge] goes through the main specification and technology parts of each following generation from 2G to 5G. Covering the physical basics, I/O interfaces, communication protocols, and the file system located on the SIM card, you’ll get the answer to “what on Earth is PIN2 for?” along the way.

Of course, a talk like this, on a CCC event, wouldn’t be complete without a deep and critical look at the security side as well. Considering how over-the-air updates on both software and — thanks to mostly running Java nowadays — feature side are more and more common, there certainly is something to look at.

Continue reading “36C3: SIM Card Technology From A To Z”

Modulated Pilot Lights Anchor AR To Real World

December 17, 2019 by 26 Comments

We’re going to go out on a limb here and say that wherever you are now, a quick glance around will probably reveal at least one LED. They’re everywhere – we can spot a quick half dozen from our desk, mostly acting as pilot lights and room lighting. In those contexts, LEDs are pretty mundane. But what if a little more flash could be added to the LEDs of the world – literally?

That’s the idea behind LightAnchors, which bills itself as a “spatially-anchored augmented reality interface.” LightAnchors comes from work at [Chris Harrison]’s lab at Carnegie Mellon University which seeks new ways to interface with computers, and leverages the ubiquity of LED point sources and the high-speed cameras on today’s smartphones. LightAnchors are basically beacons of digitally encoded data that a smartphone can sense and decode. The target LED is modulated using amplitude-shift keying and each packet contains a data payload and parity bits along with a pre- and post-amble sequence. Software on the phone uses the camera to isolate the point source, track it, and pull the data out of it, which is used to create an overlay on the scene. The video below shows a number of applications, ranging from displaying guest login credentials through the pilot lights on a router to modulating the headlights of a rideshare vehicle so the next fare can find the right car.

An academic paper (PDF link) goes into greater depth on the protocol, and demo Arduino code for creating LightAnchors is thoughtfully provided. It strikes us that the two main hurdles to adoption of LightAnchors would be convincing device manufacturers to support them, and advertising the fact that what looks like a pilot light might actually be something more, but the idea sure beats fixed markers for AR tracking.

Continue reading “Modulated Pilot Lights Anchor AR To Real World”

Accessibility Apps Get Help From Bluetooth Buttons

November 10, 2019 by 4 Comments

Ever hear of Microsoft Soundscape? We hadn’t, either. But apparently it and similar apps like Blindsquare provide people with vision problems context about their surroundings. The app is made to run in the background of the user’s mobile device and respond to media controls, but if you are navigating around with a cane, getting to media controls on a phone or even a headset might not be very convenient. [Jazzang] set out to build buttons that could control apps like this that could be integrated with a cane or otherwise located in a convenient location.

There are four buttons of interest. Play/pause, Next, Back, and Home. There’s also a mute button and an additional button you can use with the phone’s accessibility settings. Each button has a special function for Soundscape. For example, Next will describe the point of interest in front of you. Soundscape runs on an iPhone so Bluetooth is the obvious choice for creating the buttons.

To simplify things, the project uses an Adafruit Feather nRF52 Bluefruit board. Given that it’s Arduino compatible and provides a Bluetooth Human Interface Device (HID) out of the box, there’s almost nothing else to do for the hardware but wire up the switches and some pull up resistors. That would make the circuit easy to stick almost anywhere.

Software-wise, things aren’t too hard either. The library provides all the Bluetooth HID device trappings you need, and once that’s set up, it is pretty simple to send keys to the phone. This is a great example of how simple so many tasks have become due to the availability of abstractions that handle all of the details. Since a Bluetooth HID device is just a keyboard, you can probably think of many other uses for this setup with just small changes in the software.

We covered the Bluefruit back when it first appeared. We don’t know about mounting this to a cane, but we do remember something similar attached to a sword.

Continue reading “Accessibility Apps Get Help From Bluetooth Buttons”

Finally, A Usable Rotary Phone From A Conference Badge

November 9, 2019 by 2 Comments

A few weeks ago we featured a project from [Dan], a work-in-progress in which he was attaching an EMF 2018 electronic conference badge to a rotary phone. At the time we looked forward to his progress, expecting maybe to see it in our travels round the field at EMF 2021. We have to say we did him a disservice then, because he’s made excellent progress and has now turned it into a fully functional cellular rotary phone.

When we left him he’d interfaced the dial to the badge and not a lot else, but it was enough to spark our interest because we think there should be more re-use of old electronic conference badges. Since then he’s reverse engineered the original bell with the help of a motor driver and a cheap DC-to-DC converter, and the handset with the guts of a Bluetooth headset because in experimenting he managed to kill the badge’s audio circuitry.

The result can be seen in the video below the break, and we have to admit it looks pretty good. Depending where you are in the world you’ll either love or hate the ringing sound, but that is of little consequence to the utility of the device. If you have a drawer full of conference badges gathering dust, perhaps it’s time to give them a second look.

Continue reading “Finally, A Usable Rotary Phone From A Conference Badge”

Laser-Based Audio Injection On Voice-Controllable Systems

November 6, 2019 by 27 Comments

In one of the cooler hacks we’ve seen recently, a bunch of hacking academics at the University of Michigan researched the ability to flicker a laser at audible sound frequencies to see if they could remotely operate microphones simply by shining a light on them. The results are outstanding.

While most Hackers will have heard about ‘The Thing’ – a famous hack where Russian KGB agents would aim a radio transmitter at the great seal in the US embassy,  almost none of us will have thought of using lasers shined in from distant locations to hack modern audio devices such as Alexa or Google Assistant. In the name of due diligence, we checked it out on Wikipedia: ‘The Photoacoustic Effect’ , and indeed it is real – first discovered in 1880 by Alexander Bell! The pulsing light is heating the microphone element and causing it to vibrate along with the beam’s intensity. Getting long range out of such a system is a non-trivial product of telescopes, lasers, and careful alignment, but it can be made to work.

Digging deeper into the hack, we find that the actual microphone that is vulnerable is the MEMS type, such as the Knowles SPV0842LR5H. This attack is relatively easy to prevent; manufacturers would simply need to install screens to prevent light from hitting the microphones. For devices already installed in our homes, we recommend either putting a cardboard box over them or moving them away from windows where unscrupulous neighbors or KGB agents could gain access. This does make us wonder if MEMS mics are also vulnerable to radio waves.

As far as mobile phones are concerned, the researchers were able to talk into an iPhone XR at 10 metres, which means that, very possibly, anybody with a hand held ultra violet / infra red equipped flashlight could hack our phones at close range in a bar, for example. The counter-measures are simple – just stick some black electrical tape over the microphone port at the bottom of the phone. Or stay out of those dodgy bars. Continue reading “Laser-Based Audio Injection On Voice-Controllable Systems”