Hacking Dell Laptop Charger Identification

If you’ve ever had a laptop charger die, you know that they can be expensive to replace. Many laptops require you to use a ‘genuine’ charger, and refuse to boot when a knock off model is used. Genuine chargers communicate with the laptop and give information such as the power, current, and voltage ratings of the device. While this is a good safety measure, ensuring that a compatible charger is used, it also allows the manufacturers to increase the price of their chargers.

[Xuan] built a device that spoofs this identification information for Dell chargers. In the four-part series (1, 2, 3, 4), the details of reverse engineering the communications and building the spoofer are covered.

Dell uses the 1-Wire protocol to communicate with the charger, and [Xuan] sniffed the communication using an MSP430. After reading the data and verifying the CRC, it could be examined to find the fields that specify power, voltage, and current.

Next, a custom PCB was made with two Dell DC jacks and an MSP430. This passes power through the board, but uses the MSP430 to send fake data to the computer. The demo shows off a 90 W adapter pretending to run at 65 W. With this working, you could power the laptop from any supply that can meet the requirements for current and voltage.

TARDIS Alarm Doesn’t Go VWORRRRRP VWRORRRP VWORRRP

Motion sensors are pretty useful — but they’re just so darn ugly! Well — if you’re a Whovian — maybe this hack is for you. A 3D printed TARDIS Motion Sensor Alarm!

[Malcolm] has a home security system that uses a series of motion sensors to detect movement in the house. When movement is detected an indicator LED turns on, and a wireless signal is sent to the main control system. So after discovering a nice 3D model of the TARDIS (Time and Relative Dimension in Space) on Thingiverse, he decided to see if he could hack one of his motion sensors to fit inside of it instead.

As it turns out, it was as simple as removing the sensor’s external shell, 3D printing a few support pieces inside of the TARDIS, and soldering on a bright blue LED to replace the dinky indicator light. Simple, but effective!

Don’t forget to check out the following video. Allons-y!

Reverse Engineering A Bank’s Security Token

[Thiago]’s bank uses a few methods besides passwords and PINs to verify accounts online and at ATMs. One of these is a ‘security card’ with 70 single use codes, while another is an Android app that generates a security token. [Thiago] changes phones and ROMs often enough that activating this app became a chore. This left only one thing to do: reverse engineer his bank’s security token and build a hardware device to replicate the app’s functionality.

After downloading the bank’s app off his phone and turning the .APK into a .JAR, [Thiago] needed to generate an authentication code for himself. He found a method that generates a timestamp which is the number of 36-second intervals since April 1st, 2007. The 36-second interval is how long each token lasts, and the 2007 date means this part of the code was probably developed in late 2007 or 2008. Reverse engineering this code allowed [Thiago] to glean the token generation process: it required a key, and the current timestamp.

[Thiago] found another class that reads his phone’s android_id, and derives the key from that. With the key and timestamp in hand, he figured out the generateToken method and found it was remarkably similar to Google Authenticator’s implementation; the only difference was the timestamp epoch and the period each token lasts.

With the generation of the security token complete, [Thiago] set out to put this code into a hardware device. He used a Stellaris Launchpad with the Criptosuite and RTClib libraries. The hardware doesn’t include a real-time clock, meaning the date and time need to be reset at each startup. Still, with a few additions, [Thiago] can have a portable device that generates security tokens for his bank account. Great work, and great example of how seriously his bank takes account security.
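The token scheme described above is time-based OTP with a shifted epoch and a 36-second step. The sketch below is an added example, not [Thiago]'s code or the bank's: HMAC-SHA1, six digits, a UTC epoch and the sample key are assumptions, and `verify` shows the drift window a server needs when the client clock is set by hand.

```python
import hashlib
import hmac
import struct
from datetime import datetime, timezone

# Parameters from the article; treating the 2007 epoch as UTC is an assumption.
BANK_T0 = int(datetime(2007, 4, 1, tzinfo=timezone.utc).timestamp())
BANK_STEP = 36  # seconds each token lasts


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def time_counter(unix_time: int, t0: int = 0, step: int = 30) -> int:
    """Number of whole `step`-second intervals elapsed since `t0`."""
    return (unix_time - t0) // step


def totp(key: bytes, unix_time: int, t0: int = 0, step: int = 30,
         digits: int = 6) -> str:
    """RFC 6238 TOTP; t0=0, step=30 gives the Google Authenticator defaults."""
    return hotp(key, time_counter(unix_time, t0, step), digits)


def verify(key: bytes, candidate: str, unix_time: int, t0: int = 0,
           step: int = 30, digits: int = 6, drift: int = 1) -> bool:
    """Server-side check: accept +/- `drift` steps, compare in constant time."""
    counter = time_counter(unix_time, t0, step)
    return any(
        hmac.compare_digest(hotp(key, counter + d, digits), candidate)
        for d in range(-drift, drift + 1)
        if counter + d >= 0
    )


if __name__ == "__main__":
    sample_key = b"12345678901234567890"  # constructed test key (RFC 4226)
    now = BANK_T0 + 36                    # second interval after the epoch
    token = totp(sample_key, now, BANK_T0, BANK_STEP)
    print(token, verify(sample_key, token, now + 30, BANK_T0, BANK_STEP))
```

Changing the epoch and step only relabels the counter; the key is the sole secret, so a key derived from a device identifier is only as private as that identifier.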

Microcorruption Embedded CTF

The folks at Matasano Security and Square have teamed up to build an online capture the flag (CTF) competition. The Microcorruption CTF focuses on embedded security and challenges players to reverse engineer a fictional “Lockitall LockIT Pro” lock system.

Each level places you in a debugging environment with a disassembly listing, live memory view, register view, and debugging console. You can set breakpoints, step through code, and modify registers like in a real debugging environment. Your goal is to figure out how to bypass the lock to collect bearer bonds.

While the device and motive may be fictional, the assembly is actual MSP430 code. The debugger is similar to GDB connected to a remote target using OpenOCD. There’s even a manual (PDF) to help you get up to speed with writing MSP430 code for the device.

This CTF looks like a great introduction to embedded security, and doesn’t require buying real hardware. It even includes a full tutorial to get you started.

Clever Reed Switch Catches Thief

When [Abhimanyu Kumar] noticed money going missing from his small bookshop, he decided to set up a little trap to catch the thief.

The problem was that the bookshop’s money was stored inside a cupboard in their house (back end of the shop), which meant that the culprit was likely one of their own employees. They already have a CCTV system installed in the actual store, and although he could simply add another camera in the house, [Abhimanyu] didn’t really want to do that.

He instead devised a simple security trap: dubbed the Jugaad Security System. In Hindi, Jugaad quite literally means “hack”. He added a small magnetic reed switch to the cupboard where the money is stored—well, was stored—which is then linked directly to an intervalometer. This then connects to an inconspicuous DSLR sitting on one of the work benches. He aimed the camera at the cupboard and, in case the lights are out when the system is tripped, set it to an extremely high ISO.

Keeping The Family Off The Net With An Undocumented Backdoor

When [Eloi] was home for Christmas, he faced one of the most difficult problems man has ever faced: his entire family, equipped with smartphones and laptops, siphoning all the Internet through a 1Mb/s connection. For any technically minded person, the fix for this problem is to limit the bandwidth for all those Facebook and Twitter-heads, while leaving [Eloi]’s battlestation unaffected. [Eloi] had originally set up the Linksys WAG200G router in the family home a few years ago but had since forgotten the overly complex admin password. No worries, then, because apparently the WAG200G is open as wide as a barn door with a completely undocumented backdoor.

Without the password to the admin panel of the router, [Eloi] needed a way in. After pointing nmap at the router, he found an undocumented service running on port 32764. Googling this observation resulted in a lot of speculation, so the only option was to download the router’s firmware, look for the service, and figure out a way in.

[Eloi] eventually got a shell on the router and wrote a very short Python script to automate the process for all WAG200G routers. As for where this backdoor came from, it appears a SerComm device on the router is responsible. This means a whole bunch of routers with this specific SerComm module also have this backdoor, and we’d assume anything with a service running on port 32764 is suspect.

If you’re looking for a fix for this backdoor, your best bet is probably installing OpenWRT or Tomato. The OpenWAG200 project, an open firmware specifically designed for [Eloi]’s router, still has this vulnerability, though.

Doggy DVR Alarm Sensor

[Martin] lives in a small village about 25km from his job in a major city. Occasionally his home alarm system will trip and he will rush home to make sure everything is okay. So he decided to buy a DVR system instead… and he turned his dog’s collar into one of the main sensors.

As you may know, DVRs also have sensor inputs in addition to loads of video cameras. These can be very handy to tell you other things that a small video clip will not, such as moisture, humidity, temperature etc. [Martin’s] DVR has 8 sensor inputs which he has configured to be the normally open type of sensors. By using a Sharp 817 optocoupler and a Funky v3 wireless module he made one of the sensor inputs wireless.

On the other end of the Funky wireless setup is a Kinder Surprise shell attached to his dog’s collar. In addition to the wireless module, it also contains a rudimentary 2-axis shock sensor consisting of a small spring that floats over a metal pin — when moved violently (when the dog is running about) it makes contact and [Martin’s] DVR alerts him by email and sends him pictures from the system.

He suspects he’ll be getting lots of pictures of the dog getting spooked by cats wandering by.