Drone Gives Up Its Wireless Secrets To Zigbee Sniffer

There’s something thrilling about decoding an unknown communications protocol. You start with a few clues, poke at the problem with some simple tools, and eventually work your way up to that first breakthrough that lets you crack the code. It can be frustrating, but when you eventually win, it can be very rewarding.

It seems that [Jason] learned this while decoding the wireless conversation between his mass-market quad and its controller. The quad in question, a Yuneec Q500, is one of those mid-range, ready-to-fly drones that’s targeted at those looking to get in the air easily and take some cool pictures. Unsure how the drone and controller were talking, [Jason] popped the covers and found a Zigbee chipset within. With the help of a $14 Zigbee USB dongle and some packet sniffing software from TI, [Jason] was able to see packets flowing, but decoding them was laborious. Luckily, the sniffer app can be set up to stream packets to another device, so [Jason] wrote a program to receive and display packets. He used that to completely characterize each controller input and the data coming back from the drone. It’s a long and strange toolchain, but the upshot is that he’s now able to create KML in real time and track the drone on Google Earth as it flies. The video below shows the build and a few backyard test flights.

Congratulations to [Jason] for breaking the protocol and opening up drones like this for other hackers. If you’re interested in learning more about Zigbee sniffing, you can actually hack a few smarthome gadgets into useful sniffers.

Continue reading “Drone Gives Up Its Wireless Secrets To Zigbee Sniffer”

Cryptanalyse Your Air Con

Infrared remote controls are simple and ubiquitous. Emulating them with the aid of a microcontroller is a common project that hackers use to control equipment as diverse as televisions, cable boxes, and home stereos. Some air conditioners can be a little more complicated, however, but [Ken]’s here to help.

The root of the problem is that the air conditioner remote was using a non-obvious checksum to verify if commands received were valid. To determine the function generating the checksum, [Ken] decided to bust out the tools of differential cryptanalysis. This involves carefully varying the input to a cryptographic function and comparing it to the differences in the output.

With 35 signals collected from the remote, a program was written to find input data that varied by just one bit. The checksum outputs were then compared to eventually put together the checksum function.

[Ken] notes that the function may not be 100% accurate, as they’re only using a limited sample of data in which not all the bytes change significantly. However, it shows that a methodical approach is valuable when approaching such projects.

Thirsty for more checksum-busting action? Check out this hacked weather station.

Squoze Your Data

I have a confession to make. I enjoy the challenge of squeezing software into a tiny space or trying to cut a few more cycles out of a loop. It is like an intricate puzzle. Today, of course, there isn’t nearly as much call for that as there used to be. Today even a “small” microcontroller has a ton of memory and resources.

Even so, there’s still a few cases where you need to squeeze those last few bytes out of memory. Maybe you are trying to maximize memory available for some purpose. Maybe you are anticipating mass production and you are using the smallest microcontroller you can find. Or maybe you’re doing the 1 kB Challenge and just want some advice.

One way to find techniques to maximize resources is to look at what people did “in the old days.” Digital Equipment computers once had a special character set called Squoze (or sometimes DEC Radix-50). This technique can be useful when you need to get a lot of strings into memory. The good news is that you can reliably get 3 characters into 2 bytes (or, as DEC did, 6 characters into 4 bytes). The bad news is that you have to pick a limited character set that you can use. However, that’s not always a big problem.

Continue reading “Squoze Your Data”

Crack Mike Tyson’s Punch Out Bang Bang Passwords

[Bisqwit] has feelings about games that use exclamation points in his idiosyncratic walkthrough of all the nuances of the passwords in the famous Punch Out Bang Bang.

As he states in his deeply weird (though in no way wrong) channel intro, when he’s not driving a bus or teaching Israeli dance, he works hard to understand the things around him. Naturally, a mysterious phone number shaped set of digits in a favorite game was a secret worth extracting.

The digits can represent every possible state in the game.  It uses a pretty simple decoding and encoding scheme, which he walks through. As he says, it all becomes clear when you can see the source code.

After working through all the quirks he is able to arbitrarily generate any state in the game and handle the exceptions (such as Nintendo USA’s phone number). You can see all his code here and try it out for yourself. Video after the break.

We’ve grown to respect [Bisqwit] as the explainer of all things console games. You will like his explanation of how to write a code emulator for an NES CPU.

Continue reading “Crack Mike Tyson’s Punch Out Bang Bang Passwords”