Michael Ossmann Pulls DSSS Out Of Nowhere

[Michael Ossmann] spoke on Friday to a packed house in the wireless hacking village at DEF CON 25. There’s still a day and a half of talks remaining but it will be hard for anything to unseat his Reverse Engineering Direct Sequence Spread Spectrum (DSSS) talk as my favorite of the con.

DSSS is a technique used to transmit data reliably where low signal strength and high noise are likely. It’s used in GPS, where the signal received from a satellite is often far too weak for you to pick out visually on a waterfall display. Yet we know that data is being received and decoded by every cell phone on the planet. It is also used for WiFi management packets and ZigBee, and it turns up in proprietary systems, especially anything dealing with satellite communications.

[Michael] really pulled a rabbit out of a hat with his demos which detected the DSSS signal parameters in what appeared to be nothing but noise. You can see below the signal with and without noise; the latter is completely indiscernible as a signal at all to the eye, but can be detected using his techniques.

Detecting DSSS with Simple Math

[Michael] mentioned simple math tricks, and he wasn’t kidding. It’s easy to assume that someone as experienced in RF as he would have a different definition of ‘simple’ than we would. But truly, he’s using multiplication and subtraction to do an awful lot.

DSSS transmits each binary value as a fixed sequence of chips. The chip sequence for a digital 1 might be 11100010010, with the digital 0 being the inverse of that. You can see this in the slide at the top of this article. Normal DSSS decoding compares the signal to the expected sequence using a correlation: multiply the two chip by chip and sum the products to get a score. If the score is high enough, 11 in this example, then a bit has been detected.

To reverse engineer this it is necessary to center on the correct frequency and then detect the chip encoding. GNU Radio is the tool of choice for processing a DSSS capture from a SPOT Connect module, a device designed to push simple messages to a satellite communication network. The first math trick is to multiply the signal by itself and then look at the spectrum to see if there is a noticeable spike indicating the center frequency. This can then be corrected with an offset, after which smaller spikes on either side will be observed.

When visualized in a constellation view you begin to observe a center and two opposite clusters. The next math trick is to square the signal (multiply it by itself) and it will join those opposite clusters onto one side. What this accomplishes is a strong periodic component (the cycle from the center to the cluster and back again) which reveals the chip rate.

Detecting symbols within the chip is another math trick. Subtract each successive value in the signal from the last and you will mostly end up with zero (high signal minus high signal is zero, etc). But every time the signal spikes you’re looking at a transition point and the visualization begins to look like logic traced out on an oscilloscope. This technique can deal with small amounts of noise but becomes more robust with a bit of filtering.
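The three tricks above, run end to end on a constructed signal, as an added example (this is not [Michael’s] script, and the capture is synthetic rather than the SPOT Connect recording). The chip sequence 11100010010 is taken from the slide; the payload bits, four samples per chip, the carrier offset of 10 cycles over the capture, the carrier phase, the noise level and the edge threshold are all assumptions. Squaring the BPSK signal cancels the ±1 chips and leaves a tone at twice the carrier offset, which fixes the center frequency and phase; differencing the corrected signal turns chip edges into spikes whose most common spacing is the chip period; correlating against the sequence then gives ±11 scores for the bits.

```python
"""Squaring, differencing and correlating a DSSS signal (added example, synthetic input)."""
import cmath
import math
import random
from collections import Counter

CHIP_SEQ = [1, 1, 1, 0, 0, 0, 1, 0, 0, 1, 0]   # chip sequence for a '1' bit, from the slide
CHIPS_PER_BIT = len(CHIP_SEQ)
SAMPLES_PER_CHIP = 4                           # assumed oversampling
BITS = [1, 0, 1, 1, 0, 0]                      # constructed payload
N = len(BITS) * CHIPS_PER_BIT * SAMPLES_PER_CHIP   # 264 samples
FREQ_OFFSET = 10 / N          # cycles/sample; assumed offset, squared tone lands on DFT bin 20
PHASE = 0.7                   # assumed carrier phase the receiver must recover
NOISE_SIGMA = 0.15            # assumed per-component Gaussian noise


def make_signal(bits, freq_offset=FREQ_OFFSET, phase=PHASE, sigma=NOISE_SIGMA, seed=1):
    """Complex baseband: each bit becomes CHIP_SEQ (1) or its inverse (0), chips mapped to
    +-1, mixed onto a small carrier offset, with complex Gaussian noise added."""
    rng = random.Random(seed)
    chips = [c if b else 1 - c for b in bits for c in CHIP_SEQ]
    sig = []
    for n in range(len(chips) * SAMPLES_PER_CHIP):
        level = 1.0 if chips[n // SAMPLES_PER_CHIP] else -1.0
        carrier = cmath.exp(1j * (2 * math.pi * freq_offset * n + phase))
        sig.append(level * carrier + complex(rng.gauss(0, sigma), rng.gauss(0, sigma)))
    return sig


def dft(x):
    """Plain O(N^2) DFT, fine for a few hundred samples and keeps the example dependency-free."""
    n = len(x)
    return [sum(x[t] * cmath.exp(-2j * math.pi * k * t / n) for t in range(n)) for k in range(n)]


def estimate_carrier(sig):
    """Trick 1: square the signal. (+-1)^2 = 1, so the chips vanish and a single tone at
    twice the carrier offset (with twice its phase) remains."""
    spec = dft([s * s for s in sig])
    k = max(range(len(spec)), key=lambda i: abs(spec[i]))
    return k / (2 * len(sig)), cmath.phase(spec[k]) / 2   # halve both; phase ambiguous by pi


def remove_carrier(sig, freq, phase):
    """Mix down by the estimated offset and phase; the chips now sit on the real axis."""
    return [(s * cmath.exp(-1j * (2 * math.pi * freq * n + phase))).real
            for n, s in enumerate(sig)]


def find_transitions(base, threshold=1.0):
    """Trick 2: difference successive samples. Steady chips give ~0, chip edges give ~+-2."""
    return [i + 1 for i, (a, b) in enumerate(zip(base, base[1:])) if abs(b - a) > threshold]


def estimate_chip_period(transitions):
    """Edges are spaced by whole chips, so the most common spacing is the chip period;
    the first edge modulo that period gives the chip boundary alignment."""
    spacings = [b - a for a, b in zip(transitions, transitions[1:])]
    period = Counter(spacings).most_common(1)[0][0]
    return period, transitions[0] % period


def despread(base, period, chip_phase, seq=CHIP_SEQ):
    """Integrate-and-dump each chip to +-1, then correlate len(seq)-chip blocks against the
    sequence: +11 is a '1', -11 its inverse, a '0'. The bit boundary is unknown, so every
    block offset is tried and the one with the most confident scores is kept."""
    chips = [1 if sum(base[s:s + period]) > 0 else -1
             for s in range(chip_phase, len(base) - period + 1, period)]
    ref = [1 if c else -1 for c in seq]
    best = None
    for offset in range(len(seq)):
        scores = [sum(a * b for a, b in zip(chips[i:i + len(seq)], ref))
                  for i in range(offset, len(chips) - len(seq) + 1, len(seq))]
        confidence = sum(abs(s) for s in scores) / len(scores)
        if best is None or confidence > best[0]:
            best = (confidence, scores)
    return [1 if s > 0 else 0 for s in best[1]]


def reverse_engineer(sig):
    """Chain the tricks and report what a tool would print: offset, chip rate, bits."""
    freq, phase = estimate_carrier(sig)
    base = remove_carrier(sig, freq, phase)
    period, chip_phase = estimate_chip_period(find_transitions(base))
    return {"freq_offset": freq, "chip_period": period, "chip_phase": chip_phase,
            "bits": despread(base, period, chip_phase)}


if __name__ == "__main__":
    print(reverse_engineer(make_signal(BITS)))
```

The phase recovered from the squared tone is only known modulo π, so a real decoder can end up with every bit inverted; that ambiguity is inherent to BPSK and is usually resolved by a known preamble or sync word, which is why the parameters are dependable before the payload is. Raising NOISE_SIGMA shows the same failure order the talk describes: the carrier and chip period survive long after the differencing threshold starts to miss edges.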

This sort of exploration of the signal is both fun and interesting. But if you want to actually get some work done you need a tool. [Michael] built his own in the form of a Python script that takes a .cfile and spits out the frequency offset, chip rate, chip sequence length, and decoded chip sequence.

Running his sample file through with increasing levels of noise added, the script was rock solid on detecting the parameters of the signal. Interestingly, it is even measuring the 3 parts per million difference between the transmitter and receiver clocks in the detected chip rate value. What isn’t rock solid is the actual bit information, which begins to degrade as the noise is increased. But just establishing the parameters of the protocol being used is the biggest part of the battle and this is a dependable solution for doing that quickly and automatically.

You can give the script a try. It is part of [Michael’s] Clock Recovery repo. This talk was recorded and you should add it to your reminder list for after the con when talks begin to be published. To hold you over until then, we suggest you take a look at his RF Design workshop from the 2015 Hackaday Superconference.

Injecting Code Into Mouse Firmware Should Be Your Next Hack

Here’s a DEF CON talk that uses tools you likely have and it should be your next hacking adventure. In their Saturday morning talk [Mark Williams] and [Rob Stanely] walked through the process of adding their own custom code to a gaming mouse. The process is a crash course in altering a stock firmware binary while still retaining the original functionality.

The jumping off point for their work is the esports industry. The scope of esports events has blown up in recent years. The International 2016 tournament drew 17,000 attendees with 5 million watching online. The prize pool of $20 million ($19 million of that crowdfunded through in-game purchases) is a big incentive to gain a competitive edge. Contestants are allowed to bring their own peripherals, which raises the question: can you alter a stock gaming mouse to do interesting things?

The SteelSeries Sensei mouse was selected for the hack because it has an overpowered microcontroller: the STM32F103CB. With 128 KB of flash the researchers guessed there would be enough extra room for them to add code. STM32 chips are programmed over ST-Link, which is available very inexpensively through the ST Discovery boards. They chose the STM32F4DISCOVERY, which runs around $20.

Perhaps the biggest leap in this project is that the firmware wasn’t read-protected. Once the data, clock, and ground pads on the underside of the board were connected to the Discovery board the firmware was easy to dump and the real fun began.

They first looked through the binary for a large block of zero values signifying unused space in flash. The injected firmware is designed to enumerate as a USB keyboard, open Notepad, then type out, save, and execute a PowerShell script before throwing back to the stock firmware (ensuring the mouse would still function as a mouse). Basically, this builds a USB Rubber Ducky into stock mouse firmware.

There are a few useful skills that make taking on this project a worthwhile learning experience. To compile your custom code correctly you need to choose the correct offset address for where it will end up once pasted into the firmware binary. The vector table of the original code must be rewritten to jump to the injected code first, and it will need to jump back to the mouse execution once it has run. The program flow on the left shows this. Both of these jumps require the program counter and registers to be saved and restored. The ARM stack grows downward, so the stack address will need to be updated to work with the added code.
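The vector-table rewrite is also what gives the modification away. As an added, defender-side example (this is not the MDHomeBrew code, and the image is constructed rather than a real Sensei dump), the checker below reads the Cortex-M vector table at the start of a flash image and flags any handler that points past the original code into the zero-filled free space, which is exactly where injected code has to live. The flash and SRAM ranges are the STM32F103CB’s; the code size, handler addresses and the 16-entry table of the sample image are assumptions, and a real part has further NVIC entries after the 16 core exceptions.

```python
"""Flag Cortex-M vector-table entries that land in unused flash (added example, synthetic image)."""
import struct

FLASH_BASE, FLASH_SIZE = 0x08000000, 128 * 1024    # STM32F103CB flash
SRAM_BASE, SRAM_SIZE = 0x20000000, 20 * 1024        # STM32F103CB SRAM


def find_padding(image, min_run=4096):
    """Offset of the first run of at least min_run zero bytes (the free space the talk looked
    for), or len(image) when there is none."""
    run_start = None
    for i, b in enumerate(image):
        if b != 0:
            run_start = None
            continue
        if run_start is None:
            run_start = i
        if i - run_start + 1 >= min_run:
            return run_start
    return len(image)


def check_vector_table(image, num_vectors=16):
    """Return a list of findings; an untouched image yields []. Checks: the initial stack
    pointer lies in SRAM, each populated handler has the Thumb bit and lies in flash, and no
    handler points beyond the original code into the zero padding."""
    findings = []
    code_end = FLASH_BASE + find_padding(image)
    sp = struct.unpack_from("<I", image, 0)[0]
    if not (SRAM_BASE < sp <= SRAM_BASE + SRAM_SIZE):
        findings.append(f"initial SP 0x{sp:08x} outside SRAM")
    for idx in range(1, num_vectors):
        addr = struct.unpack_from("<I", image, idx * 4)[0]
        if addr == 0:
            continue                                    # unused slot
        if addr & 1 == 0:
            findings.append(f"vector {idx}: 0x{addr:08x} lacks Thumb bit")
        if not (FLASH_BASE <= addr < FLASH_BASE + FLASH_SIZE):
            findings.append(f"vector {idx}: 0x{addr:08x} outside flash")
        elif addr >= code_end:
            findings.append(f"vector {idx}: 0x{addr:08x} points into padding at 0x{code_end:08x}")
    return findings


def constructed_image(tampered=False):
    """Toy 128 KB image: 16-entry vector table, 16 KB of non-zero filler standing in for code,
    zero padding to the end of flash. The tampered variant redirects the reset vector into
    the padding, the pattern the talk describes. All values are assumptions."""
    filler = bytes((i * 37 + 11) & 0xFF for i in range(16 * 1024 - 64))
    reset = FLASH_BASE + (0x10001 if tampered else 0x41)          # odd address = Thumb
    table = struct.pack("<I", SRAM_BASE + SRAM_SIZE) + struct.pack("<I", reset)
    table += b"".join(struct.pack("<I", FLASH_BASE + 0x101 + 8 * i) for i in range(14))
    image = table + filler
    return image + bytes(FLASH_SIZE - len(image))


if __name__ == "__main__":
    print("clean:", check_vector_table(constructed_image()))
    print("tampered:", check_vector_table(constructed_image(tampered=True)))
```

Comparing a dump against a known-good image is stronger still, but this heuristic needs no reference copy and catches the reset-vector trampoline directly. The prerequisite the talk relied on, an unprotected flash, is also the easiest fix on the vendor side: the STM32 read-out protection option byte blocks the ST-Link dump in the first place.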

The talk ended with a live demo that worked like a charm. You can check out the code in the MDHomeBrew repo. In this case the PowerShell script adds keyboard shortcuts for DOOM cheats. But like we said before, the experience of getting under the hood with the firmware binary is where the value will be for most people. With this success under your belt you can take on more difficult challenges like [Sprite_TM’s] gaming keyboard hack, where the firmware couldn’t easily be dumped and the update binary was quite obfuscated.

Building A DEF CON Badge In Two Weeks

DEF CON is starting right now, and this is the year of #badgelife. For the last few years, independent hardware wizards have been creating and selling their own unofficial badges at DEF CON, but this year it’s off the charts. We’ve already taken a look at Bender Badges, BSD Puffer Fish, and the worst idea for a conference badge ever, and this is only scratching the surface.

This is also a banner year for the Hackaday / Tindie / Supplyframe family at DEF CON. We’re on the lookout for hardware. We’re sponsoring the IoT village, [Jasmine] — the high priestess of Tindie — and I will be spending some time in the Hardware Hacking Village, praising our overlords and saying the phrase, ‘like Etsy, but for electronics’ far too much. We’ll be showing people how to solder, fixing badges, and generally being helpful to the vast unwashed masses.

Obviously, this means we need our own unofficial DEF CON badge. We realized this on July 10th. That gave us barely more than two weeks to come up with an idea for a badge, design one, order all the parts, wait on a PCB order, and finally kit all the badges before lugging them out to DEF CON. Is this even possible? Surprisingly, yes. It’s almost easy, and there are zero excuses for anyone not to develop their own hardware badge for next year’s con.


Sunday: Breakfast At DEF CON

Nurse your hangover by having Breakfast at DEF CON with Hackaday this Sunday. You’re invited to our yearly ritual by marking the beginning of the end with coffee and pastries at 10:30 am.

Choosing an exact location in advance is always tricky (anyone who’s been to DEF CON understands). We’ll pick a place once we hit town later this week. For now, head over to the Breakfast at DEF CON event page and hit the “join the team” button on the bottom left so we can let you know when we’ve found the perfect location for the breakfast meetup.

Extra internet points go to those who bring some hardware to show off… and especially for anyone who is making this the end of their Saturday rather than the beginning of Sunday. [Brian] and [Mike] will be there, joined by our friends [Jasmine] and [Shulie] who are on the scene for Tindie, a sponsor of the IoT Village this year. See you on Sunday!


Hackaday Links: July 23, 2017

Hey, you know what’s happening right now? We’re wrapping up the third round of The Hackaday Prize. This challenge, Wheels, Wings, and Walkers, is dedicated to things that move. If it’s a robot, it qualifies, if it’s a plane, it qualifies, if it passes butter, it qualifies. There’s only a short time for you to get your entry in. Do it now. Superliminal advertising.

Speaking of the Hackaday Prize, this project would be a front-runner if only [Peter] would enter it in the competition. It’s one thing to have a cult; I have a cult and a petition to ‘stop’ me.

We were completely unaware of this project, but a few weeks ago, a cubesat was launched from Baikonur. This cubesat contains a gigantic mylar reflector, and once it’s deployed it will be the second brightest object in the night sky after the moon. I don’t know why we haven’t seen this in the press, but if you have any pictures of sightings, drop those in the comments.

In a mere two years, we’ll be looking at the 50th anniversary of the Apollo 11 landing. The mission control center at Johnson Space Center — where these landings were commanded and controlled — is still around, and it’s not in the best shape. There’s a Kickstarter to restore the Apollo Mission Control Center to its former glory. For the consoles, this means restoring them to Apollo 15 operational configuration.

We’ve seen 3D printed remote control airplanes, and at this point, there’s nothing really exceptional about printing a wing. This user on imgur is going a different direction with 3D printed fiberglass molds. Basically, it’s a fuselage for a Mustang that is printed, glued together, with the inside sanded and coated in wax. Two layers (3 oz and 6 oz) of fiberglass are laid down with West Systems epoxy. After a few days, the mold is cracked open and a fuselage appears. This looks great, and further refinements of the process can include vapor smoothing of the inside of the mold, a few tabs to make sure the mold halves don’t break when the part is released, and larger parts in general.

The Darknet’s Casefile will take you to the limit of your existing knowledge. Join them, to go on a quest to improve your technical abilities.

This week is Def Con. That means two things. First, we’re on a hardware hunt. If you’ve been dedicating the last few months to #badgelife or other artisanal electronics, we want to hear about it. Second, [Joe Kim] made a graphic of the Tindie dog wearing a Hackaday hoodie and it’s adorable. There are a limited number of stickers of our hacker dog.

Gigabyte launched a single board computer with an Intel Apollo Lake CPU, discrete memory and storage, and a mini PCIe slot. Of course, this is being incorrectly marketed as a ‘Raspberry Pi competitor’, but whatever.

DEF CON Badgelife: The ESP Rules All

Badgelife is the celebration of independent hardware creators, working for months at a time to bring custom electronic badges to conferences around the world. This year at DEF CON, Badgelife is huge. It’s not just because this year was supposed to feature a non-electronic badge, and it’s not because the official badge imploded last month — Badgelife is all about people spending most of the year designing, and manufacturing hardware, culminating in one very special weekend.

[Garrett] owns Hacker Warehouse, a store providing all kinds of neat hacker tools ranging from software-defined radios to lock pick sets to side channel analysis toolkits. This year, [Garrett] decided he wanted to branch out his business and get involved in a little bit of hardware creation. He’s been curious about this for some time and figured a limited edition DEF CON badge made sense. What he wound up with is a beautiful little badge with games, blinkies, graphics, and potential to cause a lot of wireless mischief.

Would you look at that. RF design on an independent badge.

The design of the Hacker Warehouse badge is surprisingly simple compared to the Bender Badges and puzzling crypto badges that are also part of this year’s Badgelife hardware celebration. On board is an ESP8266 with a custom PCB implementation that includes a larger Flash chip. The other side of the board is loaded up with four tact switches in a D-pad arrangement. On top is a 96 x 64 pixel full-color OLED display, and blinkies are provided by fourteen mini WS2812 RGB LEDs. Power is provided by two AA cells and what looks to be a nice fancy switching regulator. This is real hardware, not just a few modules thrown together with a bunch of LEDs.

Oh, what wireless fun

This badge is built around the ESP8266, a very interesting WiFi-enabled microcontroller that has more features than it should. [Garrett] is using the ESP as a WiFi scanner of sorts, allowing anyone with this badge to monitor WiFi channels, APs, packets, and — this is important — deauth packets.

Over the last year, there have been a number of projects around the Internet that take an ESP8266 and spew deauthentication frames into the spectrum. These frames tell a WiFi client to stop using an access point, and a steady stream of them basically shuts down all the WiFi in an area. It’s well documented, and people have been doing it for years, but the ESP8266 makes deauth attacks so very, very easy. We’re going to see a lot of deauth frames this year at DEF CON, and the Hacker Warehouse badge will be able to detect them. It can also generate these frames, but that capability is locked for now.
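As an added illustration of the detection side (not the badge’s firmware; the capture below is constructed), here is a parser for the 802.11 management frame header and a simple rate-based detector: a single deauthentication frame is normal, since clients leave networks all the time, while a burst from one transmitter, especially addressed to broadcast, is the jamming pattern described above. The MAC addresses, timestamps and threshold are assumptions.

```python
"""Deauthentication burst detector over raw 802.11 management frames (added example)."""
import struct
from collections import defaultdict, deque

MGMT = 0                       # frame type 0 = management
DEAUTH_SUBTYPE = 12            # management subtype 12 = deauthentication
DISASSOC_SUBTYPE = 10          # management subtype 10 = disassociation
BROADCAST = "ff:ff:ff:ff:ff:ff"


def _mac(raw):
    return ":".join(f"{b:02x}" for b in raw)


def parse_mgmt(frame):
    """Decode the 24-byte MAC header; None for short or non-management frames.
    Frame Control is little-endian: byte 0 holds version(2) | type(2) | subtype(4)."""
    if len(frame) < 24:
        return None
    fc0 = frame[0]
    if (fc0 >> 2) & 0x3 != MGMT:
        return None
    rec = {"subtype": (fc0 >> 4) & 0xF, "dst": _mac(frame[4:10]),
           "src": _mac(frame[10:16]), "bssid": _mac(frame[16:22])}
    if rec["subtype"] in (DEAUTH_SUBTYPE, DISASSOC_SUBTYPE) and len(frame) >= 26:
        rec["reason"] = struct.unpack_from("<H", frame, 24)[0]   # reason code follows header
    return rec


def build_mgmt(subtype, dst, src, bssid, reason=None):
    """Assemble a minimal management frame; used here only to construct the sample capture."""
    hdr = bytes([(subtype << 4) | (MGMT << 2), 0x00]) + b"\x00\x00"      # FC, duration
    for mac in (dst, src, bssid):
        hdr += bytes.fromhex(mac.replace(":", ""))
    hdr += b"\x00\x00"                                                     # sequence control
    return hdr + (struct.pack("<H", reason) if reason is not None else b"")


def detect_deauth_flood(capture, window_s=1.0, threshold=5):
    """Alert once per transmitter that sends more than `threshold` deauth/disassoc frames
    within `window_s` seconds. capture is a list of (timestamp, raw_frame)."""
    recent, flagged, alerts = defaultdict(deque), set(), []
    for ts, frame in capture:
        rec = parse_mgmt(frame)
        if rec is None or rec["subtype"] not in (DEAUTH_SUBTYPE, DISASSOC_SUBTYPE):
            continue
        q = recent[rec["src"]]
        q.append(ts)
        while q and ts - q[0] > window_s:
            q.popleft()
        if len(q) > threshold and rec["src"] not in flagged:
            flagged.add(rec["src"])
            alerts.append({"src": rec["src"], "bssid": rec["bssid"], "count": len(q),
                           "broadcast": rec["dst"] == BROADCAST, "reason": rec.get("reason")})
    return alerts


AP = "02:00:00:00:aa:01"        # constructed addresses
CLIENT = "02:00:00:00:cc:01"


def sample_capture():
    """Constructed capture: ten beacons, one legitimate client deauth (reason 3, STA leaving),
    then eight broadcast deauths forged with the AP's address inside 0.35 s (reason 7)."""
    cap = [(t * 0.1, build_mgmt(8, BROADCAST, AP, AP)) for t in range(10)]
    cap.append((0.55, build_mgmt(DEAUTH_SUBTYPE, AP, CLIENT, AP, reason=3)))
    cap += [(2.0 + i * 0.05, build_mgmt(DEAUTH_SUBTYPE, BROADCAST, AP, AP, reason=7))
            for i in range(8)]
    return sorted(cap, key=lambda item: item[0])


if __name__ == "__main__":
    for alert in detect_deauth_flood(sample_capture()):
        print(alert)
```

The source address in a deauth frame is whatever the sender puts there, so the alert keys on the burst rather than trusting the claimed transmitter; the forged frames above carry the AP’s own address, as a real flood would. The mitigation is on the protocol side: with 802.11w management frame protection enabled, deauthentication frames are authenticated and a client ignores forged ones.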

Blinking and glowing

An electronic conference badge isn’t cool unless it has obnoxiously bright and glowy LEDs, and the Hacker Warehouse badge is very cool.

Onboard the Hacker Warehouse badge are 14 RGB LEDs, programmed with 46 different patterns that are certainly bright enough to annoy someone. This is what you need for a badge, and it’s beautiful.

This is a truly fantastic badge that’s also a great development board for the ESP8266. Everything you need for portable WiFi gaming fun is already there — you have blinky LEDs, an OLED, what seems to be a fairly nice power supply, and enough buttons to do something interesting. All you need to do to program this badge is attach a USB to serial adapter to the pre-populated header and you really have something. It’s a great badge, and we can’t wait to see the hacks for this great piece of hardware next week at DEF CON.

DEF CON Badgelife: Someone Finally Did It

Badgelife is the celebration of electronic conference badges, a way of life that involves spending far too much time handling the logistics of electronics manufacturing, and an awesome hashtag on Twitter. Badgelife isn’t a new thing; it’s been around for a few years, but every summer we see a massive uptick in the lead up to Def Con.

For the last few years, the designers and engineers deep into Badgelife have had the same conversation dozens of times. One person says, “you know, someone should build a badge that’s a quadcopter.” Another person replies, “Can you imagine how annoying that would be? You’d be putting ten thousand people in a room during the closing ceremonies at DefCon, and a few dozen people would have quadcopters. It would be horrible.” Yes, there have been plans to build a quadcopter badge for the last few years, but cooler heads prevailed.

Someone finally did it. The wearable electronic conference badge that’s also a quadcopter is finally here. It’s the work of [b1un7], and it’s going to be exactly as annoying as you would expect.

This badge is actually two PCBs, the first being the quadcopter itself, the second being the joystick/controller. The quad is shaped like the familiar jolly roger found in most Whiskey Pirate badges ([b1un7] hangs with that crew), and the controller is a pirate’s treasure map loaded up with joysticks, buttons, and radios. The motors for this quad appear to be brushed, not brushless, and it looks like the arms of the quad have some space for obnoxiously bright LEDs.

This is an awesome badge but it’s still [b1un7]’s first attempt at making a badge. Right now, there’s still a bit of work to do — there’s only one week until Defcon — but with any luck [b1un7] will have 25 of these wearable electronic conference badges buzzing around. It’s a terrible idea and we love it.