Adding PoE(Power over Ethernet) just wasn’t good enough for [steve]. Not only does he have power running over his Cat-5, he shared the ground wire and used the remaining pair to add a serial console to his rooftop mounted wireless router. Nice.
Wireless Hacks1095 Articles
DIY 2.4ghz Spectrum Analyser
This project got some blog love last year, but it slipped past my radar. [jhecker] built a parallel port interfaced device based on a Cypress 2.4ghz transceiver module. The module is pretty complete, so as long as you can wield a soldering iron, you can pull this one off. The module is pretty cheap, so it could be just the thing for building your own signal detector.
[Ed Note, Stardate 2018: There seems to be some linkrot. Try this link instead.]
24C3 Mifare Crypto1 RFID Completely Broken
Another highlight for us at CCC was [Karsten Nohl] and [Henryk Plötz] presenting how they reversed Philips crypto-1 “classic” Mifare RFID chips which are used in car keys, among other things. They analyzed both the silicon and the actual handshaking over RF. Looking at the silicon they found about 10K gates. Analyzing with Matlab turned up 70 unique functions. Then they started looking “crypto-like” parts: long strings of flip-flops used for registers, XORs, things near the edge that were heavily interconnected. Only 10% of the gates ended up being crypto. They now know the crypto algorithm based on this analysis and will be releasing later in the year.
The random number generator ended up being only 16-bit. It generates this number based on how long since the card has been powered up. They controlled the reader (an OpenPCD) which lets them generate the same “random” seed number over and over again. This was actually happening on accident before they discovered the flaw.
One more broken security-through-obscurity system to add to the list. For more fun, watch the video of the presentation.
ToorCon 9: Retrieving WEP Keys From Road Warriors
[Vivek Ramachandran]’s Cafe Latte attack was one of the last talks we caught at ToorCon. I’ve found quite a few articles about it, but none really get it right. It’s fairly simple and deals with cracking WEP keys from unassociated laptops. First your WEP honeypot tells the client that it has successfully associated. The next thing the client does is broadcast a WEP encrypted ARP packet. By flipping the bits in the ARP packet you can replay the WEP packet and it will appear to the client to be coming from an IP MAC combo of another host on the network. All of the replies will have unique IVs and once you get ~60K you can crack it using PTW. The bit flipping is the same technique used in the fragmentation attack we covered earlier, but Cafe Latte requires generation of far fewer packets. You can read about the Cafe Latte attack on AirTight Networks.
Drive Bay PoE Adapter
Sure, we’ve seen Power over Ethernet before – I even whipped up a simple adapter for my modded wrt54gs. This is a nice clean setup, and it’ll save you from yet another power brick. (I’ve got a power strip dedicated to the things in my tiny home data center.)
Build Your Own GPS And GLONASS Receiver
[superlopez] sent in this detailed article (mirrored here and here) which describes how to build a GPS and GLONASS (the Russian version of GPS) receiver. The resulting device is gigantic compared to one of those tiny bluetooth USB GPS units, but the ability to build one’s own receiver is one of those post-apocalyptic skills I sure would like to have. The creator of the article [Matjaz Vidmar] aka [S53MV] also has pages on Packet-Radio (PKT) transceiver improvements (PKT gets my vote for the best post-apocalyptic technology, and the only believable technology featured in the Transformers movie), and a more sophisticated homemade frequency counter than the one featured earlier this summer.
In 2005 we featured a from-scratch GPS receiver as well, thought the project site seems to be down. If your GPS unit just needs a better antenna, check out [Will]’s how-to from last year.
Automatic JTAG Pinout Detection
Figuring out the JTAG pinout on a device turns out to be the most time consuming hardware portion of many hacks. [hunz] started a project called JTAG Finder to automatically detect the JTAG pinouts on arbitrary devices using an 8bit AVR ATmega16/32L microcontroller. Check out the slides (PDF) from the talk as they break down how one finds JTAG ports on an arbitrary device, with or without a pinout detection tool. [hunz] is looking for people to pick up the project where he left off.
Once you determine the correct pinout, you will need a JTAG cable: there are two main types, buffered and unbuffered, both of which I have soldered up and tested from these circuit diagrams (image of completed buffered cable here). The software most hardware people use today are the openwince JTAG Tools. To get the JTAG Tools to compile, grab the latest source directly from their CVS repository.
The last time we featured JTAG was with regards to Linksys devices, but the tools listed above can be applied to any device with JTAG.
