Shmoocon 2017: A Simple Tool For Reverse Engineering RF

Anyone can hack a radio, but that doesn’t mean it’s easy: there’s a lot of mechanics that go into formatting a signal before you can decode the ones and zeros.

At his Shmoocon talk, [Paul Clark] introduced a great new tool for RF Reverse Engineering. It’s called WaveConverter, and it is possibly the single most interesting tool we’ve seen in radio in a long time.

If you wanted to hack an RF system — read the data from a tire pressure monitor, a car’s key fob, a garage door opener, or a signal from a home security system’s sensor — you’ll be doing the same thing for each attack. The first step is to capture the signal, probably with a software defined radio. Take this data into GNU Radio, and you’ll have to figure out the modulation, the framing, the encoding, extract the data, and finally figure out what the ones and zeros mean. Only that last part, figuring out what the ones and zeros actually do, is the real hack. Everything before that is just a highly advanced form of data entry and manipulation.

[Paul]’s WaveConverter is the tool built for this data manipulation. Take WaveConverter, input an IQ file of the relevant radio sample you’d like to reverse engineer, and you have all the tools to turn a radio signal into ones and zeros at your disposal. Everything from determining the preamble of a signal, figuring out the encoding, to determining CRC checksums is right there.

All of this is great for reverse engineering a single radio protocol, but it gets even better. Once you’re able to decode a signal in WaveConverter, it’s set up to decode every other signal from that device. You can save your settings, too, which means this might be the beginnings of an open source library of protocol analyzers. If someone on the Internet has already decoded the signals from the keyfob of a 1995 Ford Taurus, they could share those settings to allow you to decode the same keyfob. This is the very beginnings of something very, very cool.

The Github repo for WaveConverter includes a few sample IQ files, and you can try it out for yourself right now. [Paul] admits there are a few problems with the app, but most of those are UI changes he has in mind. If you know your way around programming GUIs, [Paul] would appreciate your input.

Shmoocon 2017: So You Want To Hack RF

Far too much stuff is wireless these days. Home security systems have dozens of radios for door and window sensors, thermostats aren’t just a wire to the furnace anymore, and we are annoyed when we can’t start our cars from across a parking lot. This is a golden era for anyone who wants to hack RF. This year at Shmoocon, [Marc Newlin] and [Matt Knight] of Bastille Networks gave an overview of how to get into hacking RF. These are guys who know a few things about hacking RF; [Marc] is responsible for MouseJack and KeySniffer, and [Matt] reverse engineered the LoRa PHY.

In their talk, [Marc] and [Matt] outlined five steps to reverse engineering any RF signal. First, characterize the channel. Determine the modulation. Determine the symbol rate. Synchronize a receiver against the data. Finally, extract the symbols, or get the ones and zeros out of the analog soup.

From [Marc] and [Matt]’s experience, most of this process doesn’t require a radio, software or otherwise. Open source intelligence or information from regulatory databases can be a treasure trove of information regarding the operating frequency of the device, the modulation, and even the bit rate. The pertinent example from the talk was the FCC ID for a Z-wave module. A simple search revealed the frequency of the device. Since the stated symbol rate was twice the stated data rate, the device obviously used Manchester encoding. These sorts of insights become obvious once you know what you’re looking for.
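The symbol-rate observation above is worth seeing in code. The block below is an added example, not code from the talk, from WaveConverter or from any Z-wave decoder: it encodes a constructed bit string with Manchester coding (assuming the IEEE 802.3 polarity, 0 as the symbol pair "10" and 1 as "01"; Z-wave's actual polarity is not stated on this page), shows why the symbol rate is exactly twice the data rate, and then does the "synchronize a receiver" step by trying both half-symbol alignments and keeping the one with no illegal "00"/"11" pairs. The alternating sync pattern it searches for is also constructed for the example.

```python
"""Manchester coding worked example: symbol rate vs. data rate, and alignment.

Added illustration only. The polarity below (0 -> "10", 1 -> "01") is an
assumption for the example; real protocols may use the opposite convention.
"""

ENCODE = {0: (1, 0), 1: (0, 1)}          # data bit -> symbol pair
DECODE = {pair: bit for bit, pair in ENCODE.items()}


def symbol_rate(data_rate_bps):
    """Every data bit becomes two symbols, so the line rate is doubled.
    This is the tell-tale that made Manchester coding obvious in the talk."""
    return 2 * data_rate_bps


def manchester_encode(bits):
    """Expand each data bit into its two-symbol pair."""
    symbols = []
    for bit in bits:
        symbols.extend(ENCODE[bit])
    return symbols


def manchester_decode(symbols, offset=0):
    """Decode symbol pairs starting at `offset` (0 or 1).

    Returns (bits, errors): `bits` holds the decoded data bits, and `errors`
    counts pairs that are not valid Manchester symbols ("00" or "11"). A high
    error count is the sign that the receiver is misaligned by half a symbol.
    """
    bits, errors = [], 0
    for i in range(offset, len(symbols) - 1, 2):
        pair = (symbols[i], symbols[i + 1])
        if pair in DECODE:
            bits.append(DECODE[pair])
        else:
            errors += 1
    return bits, errors


def synchronize_and_decode(symbols):
    """Try both half-symbol alignments and keep the one with fewest illegal
    pairs. Returns (offset, bits, errors)."""
    best = None
    for offset in (0, 1):
        bits, errors = manchester_decode(symbols, offset)
        if best is None or errors < best[2]:
            best = (offset, bits, errors)
    return best


def find_sync(bits, pattern):
    """Return the index of the first occurrence of `pattern` in `bits`, or -1.
    Used to locate a known preamble/sync word once bits have been recovered."""
    n = len(pattern)
    for i in range(len(bits) - n + 1):
        if bits[i:i + n] == list(pattern):
            return i
    return -1


if __name__ == "__main__":
    # Constructed sample: an alternating sync pattern followed by one payload byte.
    SYNC = [1, 0, 1, 0, 1, 0, 1, 0]
    PAYLOAD = [1, 0, 1, 1, 0, 0, 1, 0]
    symbols = manchester_encode(SYNC + PAYLOAD)
    # Simulate catching the capture half a symbol late by dropping the first symbol.
    captured = symbols[1:]
    offset, bits, errors = synchronize_and_decode(captured)
    print("alignment offset:", offset, "illegal pairs:", errors)
    start = find_sync(bits, SYNC)
    print("payload after sync:", bits[start + len(SYNC):])
```

In the `__main__` demo the capture starts half a symbol late; decoding at offset 0 produces a run of illegal pairs, offset 1 decodes cleanly, and the sync search then finds the payload. The same two-offset trick is what a real receiver does when it locks onto a Manchester stream: only one alignment ever yields a stream free of "00"/"11" pairs.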

In their demo, [Marc] and [Matt] went through the entire process of firing up GNU Radio, running a Z-wave decoder and receiving Z-wave frames. All of this was done with a minimum of hardware and required zero understanding of what radio actually is, imaginary numbers, or anything else a ham license will hopefully teach you. It’s a great introduction to RF hacking, and shows anyone how to do it.

Shmoocon 2017: On Not Reverse Engineering Through Emulation

Right now, I’m at Shmoocon, and it’s living up to all expectations. That’s a tall order — last year, the breakout talk was from [Travis Goodspeed] on his efforts to reverse engineer the firmware for a cheap Chinese radio. Four people in the room for that talk last year bought the radio on Amazon, and now there’s a legitimate open source project dedicated to building firmware and tools to support this radio.

Now that [Travis] has a few compatriots working on firmware for this radio, he has the same challenges as any other team. The project needs unit tests, and this isn’t easy to do when all the code is locked up inside a radio. Instead of setting up an entire development platform based around a cheap radio, [Travis] came up with a toolchain that’s unlike anything I’ve ever seen. Instead of reverse engineering the firmware for this radio, he’s simply emulating the ARM firmware on the desktop. Development is quick and easy, and he has the live demos to prove it.

The heart of the Tytera radio in question is an STM32F405. This is a pretty common part, and thanks to [Travis]’ work last year, he has all the firmware that ships on this radio. This doesn’t mean he has access to all the radio’s capabilities, though; there’s a black box in the code somewhere that translates .wav files to radio packets and back again. Open sourcing this would usually mean reverse engineering, but [Travis] had a better idea.

Instead of reverse engineering the entire radio, [Travis] is using QEMU to emulate an ARM microcontroller on his desktop, run the relevant code, and completely ignore any actual reverse engineering. Since this radio is already jailbroken and the community has a pretty good idea of where all the functions and subroutines are in the firmware, the most difficult part of pulling this trick off is setting up QEMU.

As a proof of concept, [Travis] downloaded raw AMBE packets from the radio to his laptop. These were then sent through the emulated radio, producing raw audio that was then converted into a .wav file. Effectively, a black box in this radio was emulated, which means [Travis] doesn’t need to know how the black box works.

All the code for this weird emulation / unit test, as well as everything the community has released for this radio is available on the GitHub. A lot of work has gone into the jailbreaking, reverse engineering, and emulation efforts here, making this radio somewhat ironically one of the most open radios you can buy.

Sophi Kravitz: State Of The IO

At the Hackaday SuperConference in November, Sophi Kravitz had the chance to look back on the past year of Hackaday.io, and what a great year it has been. Hackaday.io now has over 178k members who have published 12.6k projects with about 10% of those being collaborative team projects. But the numbers tell just a small story of the vibrant community Hackaday has.


Bring Your Palm VII To ShmooCon This Weekend

We’re not even halfway through January, and already the conference season is upon us. This weekend, Hackaday will be attending Shmoocon at the Hilton in Washington, DC. I’ll be there getting the full report on Russian hackers, reverse engineering, and what the beltway looks like with an ice storm during morning rush hour.

What’s in store for Shmoocon attendees? The schedule looks really cool with talks on something like inline assembly in Python, tools for RF reverse engineering, manufacturing and selling a U2F token, emulating ARM firmware, and so much more. Want to attend Shmoocon? Too bad! Tickets sold out in less than 10 seconds, and we’re totally not going to talk about the BOTS Act at all. If you’re clever you can still pick up a barcode on Craigslist for $300-400, but I wouldn’t recommend that.

As we did last year, Hackaday is going to have a lobbycon with Dunkin Saturday morning at 08:30, although which lobby is still up in the air. Check out the Hackaday Twitter for a few real-time updates. This is a bring-a-hack event, and I’ll be showing off how to add 18dBi of gain to a standard ESP8266 module. Show off what you’re working on and get a donut.

What Makes The Perfect Hardware Badge

There are only a handful of people who can say they’ve built several successful electronic badges for conferences. Voja Antonic is not just on that list, he’s among the leaders in the field. There are a lot of pressures in this type of design challenge: aesthetics, functionality, and of course manufacturability. If you want to know how to make an exposed-PCB product that will be loved by the user, you need to study Voja’s work on the 2016 Hackaday SuperConference Badge. The badge is completely open, with all the design files, firmware, and a manual on the badge project page.

Between travelling from Belgrade to Pasadena and guiding production of 300 badges across the finish line before the conference deadline, Voja took ill. He made it to the conference, but without a voice, so he asked me to give his badge design talk for him. You can check that talk out below, but let’s touch briefly on why Voja’s design is so spectacular.


The 3D Printers Of CES

CES is over, and now we can take a step back, distance ourselves from the trade show booths, and figure out where 3D printing will be going over the next year.

The Hype Cycle is a great way to explain trends in fads and technological advances. VR and autonomous cars are very early on the Hype Cycle right now. Smartphones are on the plateau of productivity. 3D printing is head-down in the trough of disillusionment.

For this year’s CES, 3D printing is not even a product category. In fact, the official documentation I found at Prusa’s booth listed their company in the ‘Assistive Technologies’ category. These are dark days for the public perception of 3D printing. The source of this perception can be brilliantly presented in a pair of graphs:

[Image: Hype Cycle graphs]

The perception of 3D printing has been tied inexorably to Makerbot. Makerbot presented the only 3D printer on The Colbert Report. Only Makerbot had their 3D printing storefronts featured on CNN. It’s been like this for half a decade, and hopefully things will get better.

This doesn’t mean 3D printing isn’t improving. In fact, it’s the best it’s ever been. CES had the most innovative printers I’ve seen in years. I caught a glimpse of this year’s top-selling printer (and it launches in April). Resin machines are going to be very popular soon. What did CES have to offer? Check it out below.
