[Vivek Ramachandran]’s Cafe Latte attack was one of the last talks we caught at ToorCon. I’ve found quite a few articles about it, but none really get it right. It’s fairly simple and deals with cracking WEP keys from unassociated laptops. First, your WEP honeypot tells the client that it has successfully associated. The next thing the client does is broadcast a WEP-encrypted ARP packet. By flipping the bits in the ARP packet, you can replay the WEP packet and it will appear to the client to be coming from an IP/MAC combo of another host on the network. All of the replies will have unique IVs, and once you get ~60K you can crack it using PTW. The bit flipping is the same technique used in the fragmentation attack we covered earlier, but Cafe Latte requires generation of far fewer packets. You can read about the Cafe Latte attack on AirTight Networks.
Drive Bay PoE Adapter
Sure, we’ve seen Power over Ethernet before – I even whipped up a simple adapter for my modded wrt54gs. This is a nice clean setup, and it’ll save you from yet another power brick. (I’ve got a power strip dedicated to the things in my tiny home data center.)
Build Your Own GPS And GLONASS Receiver
[superlopez] sent in this detailed article (mirrored here and here) which describes how to build a GPS and GLONASS (the Russian version of GPS) receiver. The resulting device is gigantic compared to one of those tiny Bluetooth USB GPS units, but the ability to build one’s own receiver is one of those post-apocalyptic skills I sure would like to have. The creator of the article [Matjaz Vidmar] aka [S53MV] also has pages on Packet-Radio (PKT) transceiver improvements (PKT gets my vote for the best post-apocalyptic technology, and the only believable technology featured in the Transformers movie), and a more sophisticated homemade frequency counter than the one featured earlier this summer.
In 2005 we featured a from-scratch GPS receiver as well, though the project site seems to be down. If your GPS unit just needs a better antenna, check out [Will]’s how-to from last year.
Automatic JTAG Pinout Detection
Figuring out the JTAG pinout on a device turns out to be the most time-consuming hardware portion of many hacks. [hunz] started a project called JTAG Finder to automatically detect the JTAG pinouts on arbitrary devices using an 8-bit AVR ATmega16/32L microcontroller. Check out the slides (PDF) from the talk as they break down how one finds JTAG ports on an arbitrary device, with or without a pinout detection tool. [hunz] is looking for people to pick up the project where he left off.
Once you determine the correct pinout, you will need a JTAG cable: there are two main types, buffered and unbuffered, both of which I have soldered up and tested from these circuit diagrams (image of completed buffered cable here). The software most hardware people use today is the openwince JTAG Tools. To get the JTAG Tools to compile, grab the latest source directly from their CVS repository.
The last time we featured JTAG was with regard to Linksys devices, but the tools listed above can be applied to any device with JTAG.
FON Mp3 Streaming Router
I was looking for streaming solutions the other day. Little did I know that [John] would be sending in a hack for adding an mp3 decoder board to the La Fonera. The final device has both a web and command line interface which let you connect to any shoutcast/icecast streaming server. John has even gone so far as to provide the OpenWrt image for the router with all of the software components you need.
Electric Screwdriver Antenna Tuning
I just realized that we’d never covered the classic amateur radio antenna hack – known as the mobile electric screwdriver antenna. I was looking for a decent writeup, and ran across this interesting tunable indoor antenna. [W2BRI] put together a 5 foot cube loop antenna built from copper pipe. The tuning mechanism uses an electric screwdriver to tune his giant PC Board tuning capacitor. Looks like a nice solution if you’re into radio and have pesky neighbors.
Old Intel VPN To Wireless Router
Slapping a Wi-Fi card into a PC isn’t very groundbreaking, but [Darkside] had to add a PCI header and trace the board just to hook up a keyboard before he could do much with his old Intel VPN gateway. In the end, he added m0n0wall and a wireless card to turn it into a nice wireless router.