Alarm Panel Hack Defeats Encryption By Ignoring It

As frustrating as it may be for a company to lock you into its ecosystem by encrypting their protocols, you have to admit that it presents an enticing challenge. Cracking encryption can be more trouble than it’s worth, though, especially when a device gives you all the tools you need to do an end-run around their encryption.

We’ll explain. For [Valdez], the encrypted communication protocols between a DSC alarm panel and the control pads on the system were serious impediments to integration into Home Assistant. While there are integrations available for these alarm panels, they rely on third-party clouds, which means that not only is your security system potentially telling another computer all your juicy details, but there’s also the very real possibility that the cloud system can either break or be shut down; remember the Chamberlain MyQ fiasco?

With these facts in mind, [Valdez] came up with a clever workaround to DSC encryption by focusing on physically interfacing with the keypad. The device has a common 16×2 LCD and a 25-key keypad, and a little poking around with a multimeter and a $20 logic analyzer eventually showed that the LCD had an HD44780 controller, and revealed all the lines needed to decode the display with an ESP32. Next up was interfacing with the keypad, which also involved a little multimeter work to determine that the keys were hooked up in a 5×5 matrix. Ten GPIOs on the ESP32 made it possible to virtually push any key; however, the ten relays [Valdez] originally used to do the switching proved unwieldy. That led to an optocoupler design, sadly not as clicky but certainly more compact and streamlined, and enabling complete control over the alarm system from Home Assistant.

We love this solution because, as [Valdez] aptly points out, the weakest point in any system is the place where it can’t be encrypted. Information has to flow between the user and the control panel, and by providing the electronic equivalents to eyes and fingers, the underlying encryption is moot. Hats off to [Valdez] for an excellent hack, and for sharing the wealth with the HA community.

Breaking The Flash Encryption Feature Of Espressif’s Microcontrollers

Espressif’s ESP32 microcontrollers come with a Flash encryption feature that when enabled ensures that the data and code stored on the (usually external) Flash chip is encrypted with AES-256 (ESP32) or better (ESP32-C3, -C6). For the ESP32 this encryption feature has been shown to be vulnerable to side channel attacks (SCA), leading [courk] to not only replicate this result with a custom ESP Correlation Power Analysis (CPA) board (pictured) that captures power usage of the MCU, but also to try his luck with the ESP32-C3 and ESP32-C6 parts that should be tougher nuts to crack.

Whereas the ESP32 uses a fairly straightforward AES-256 encryption routine that together with the exposed Flash communication lines on the QSPI bus make for a textbook SCA example, the ESP32-C3 ups the encryption to XTS-AES, which uses two 128-bit keys on the -C3 part (XTS-256). This particular MCU is still susceptible to the same SCA attack with CPA, making it somewhat harder to attack than the ESP32, but by no means impossible.

Continue reading “Breaking The Flash Encryption Feature Of Espressif’s Microcontrollers”

Reverse-Engineering The ESP32’s WiFi Binary Blob With A Faraday Cage

The Faraday cage constructed by Jasper Devreker.
The Faraday cage constructed by Jasper Devreker.

As part of a team reverse-engineering the binary blob driver for the ESP32’s WiFi feature at Ghent University, [Jasper Devreker] saw himself faced with the need to better isolate the network packets coming from the ESP32-under-test. This is a tough call in today’s WiFi and 2.4 GHz flooded airwaves. To eliminate all this noise, [Jasper] had to build a Faraday cage, but ideally without racking up a massive invoice and/or relying on second-hand parts scavenged from eBay.

We previously reported on this reverse-engineering project, which has since seen an update. Although progress has been made, filtering out just the packets they were interested in was a big challenge. The solution was a Faraday cage, but on a tight budget.

Rather than relying on exotic power filters, [Jasper] put a battery inside a Faraday cage he constructed out of wood and conductive fabric. To get Ethernet data in and out, a fiber link was used inside a copper tube. Initial testing was done using a Raspberry Pi running usbip and a WiFi dongle.  The Faraday cage provided enough attenuation that the dongle couldn’t pick up any external WiFi signals in listening mode.

The total cost of this build came down to a hair over €291, which makes it feasible for a lot of RF experiments by hobbyists and others. We wish [Jasper] and the rest of the team a lot of luck in figuring out the remaining secrets of Espressif’s binary WiFi blob using this new tool.

No DAC? Try PDM

Ever notice that the ESP32-S3 doesn’t have a digital-to-analog converter? [Chris] did and asserts that he doesn’t care because he can just use the PDM system to get the same result. PDM — pulse density modulation — is similar to PWM and, like PWM, requires a filter that could range from a simple RC network to an active filter. You can see the result in the video below.

There are several ways [Chris] could produce the output he wanted. PWM was one choice, and some example code uses a timer to do PDM. However, that is not very efficient. The other alternative is to use the I2S output. However, this does require a few workarounds.

In particular, the I2S output is always stereo and incorporates a clock output that isn’t needed for this application. [Chris] simply output the same value on both channels and routed the clock to some pins that are normally used for startup options. That means they can’t easily be used for your own inputs, but it’s OK to use them for unimportant outputs.

We always enjoy seeing solutions like this because it can give you ideas for use in your own projects. Of course, this won’t apply to every project where you need a DAC, but it still might give you some ideas.

We have looked at PDM before. You could, too, build your own DAC hardware.

Continue reading “No DAC? Try PDM”

Telescope Rides On 3D Printed Equatorial Table

In the realm of amateur astronomy, enthusiasts find themselves navigating a cosmos in perpetual motion. Planets revolve around stars, which, in turn, orbit within galaxies. But the axial rotation of the Earth and the fact that its axis is tilted is the thing that tends to get in the way of viewing celestial bodies for any appreciable amount of time.

Amateur astronomy is filled with solutions to problems like these that don’t cost an arm and a leg, though, like this 3D printed equatorial table built by [aeropic]. An equatorial table is a device used to compensate for the Earth’s rotation, enabling telescopes to track celestial objects accurately. It aligns with the Earth’s axis, allowing the telescope to follow the apparent motion of stars and planets across the night sky.

Equatorial tables are specific to a location on the Earth, though, so [aeropic] designed this one to be usable for anyone between around 30° and 50° latitude. An OpenSCAD script generates the parts that are latitude-specific, which can then be 3D printed.

From there, the table is assembled, mounted on ball bearings, and powered by a small stepper motor controlled by an ESP32. The microcontroller allows a telescope, in this case a Newtonian SkyWatcher telescope, to track objects in the sky over long periods of time without any expensive commercially-available mounting systems.

Equatorial tables like these are indispensable for a number of reasons, such as long-exposure astrophotography, time lapse imaging, gathering a large amount of observational detail for scientific purposes, or simply as an educational tool to allow more viewing of objects in the sky and less fussing with the telescope. They’re also comparatively low-cost which is a major key in a hobby whose costs can get high quickly, but not even the telescope needs to be that expensive. A Dobsonian telescope can be put together fairly quickly sometimes using off-the-shelf parts from IKEA.

Current-Based Side-Channel Attacks, Two Ways

Funny things can happen when a security researcher and an electronics engineer specializing in high-speed circuits get together. At least they did when [Limpkin] met [Roman], which resulted in two interesting hardware solutions for side-channel attacks.

As [Limpkin] relates it, the tale began when he shared an office with [Roman Korkikian], a security researcher looking into current-based attacks on the crypto engine inside ESP32s. The idea goes that by monitoring the current consumption of the processor during cryptographic operations, you can derive enough data to figure out how it works. It’s difficult to tease a useful signal from the noise, though, and [Roman]’s setup with long wire runs and a noisy current probe wasn’t helping at all. So [Limpkin] decided to pitch in.

The first board he designed was based on a balun, which he used to isolate the device under test from the amplification stage. He found a 1:8 balun, normally used to match impedances in RF circuits, and used its primary as a shunt resistance between the power supply — a CR1220 coin cell — and the DUT. The amplifier stage is a pair of low-noise RF amps; a variable attenuator was added between the amp stages on a second version of the board.

Board number two took a different tack; rather than use a balun, [Limpkin] chose a simple shunt resistor with a few twists. To measure the low-current signal on top of the ESP32’s baseline draw would require such a large shunt resistor that the microcontroller wouldn’t even boot, so he instead used an OPA855 wideband low-noise op-amp as an amplified shunt. The output of that stage goes through the same variable attenuator as the first board, and then to another OPA855 gain stage. The board is entirely battery-powered, relying on nice, quiet 18650s to power both the DUT and the shunt.

How well does it work? We’ll let you watch the talk below and make up your own mind, but since they’ve used these simple circuits to break a range of different chips, we’d say this approach a winner.

Continue reading “Current-Based Side-Channel Attacks, Two Ways”

Open Source DC UPS Keeps The Low-Voltage Gear Going

We all like to keep our network gear running during a power outage — trouble is, your standard consumer-grade uninterruptible power supply (UPS) tends to be overkill for routers and such. Their outlet strips built quickly get crowded with wall-warts, and why bother converting from DC to AC only to convert back again?

This common conundrum is the inspiration for [Walker]’s DC UPS design, which has some interesting features. First off, the design is open source, which of course invites tinkering and repurposing. The UPS is built for a 12 volt supply and load, but that obviously can be changed to suit your needs. The battery bank is a 4S3P design using 18650 cells, and that could be customized as well. There’s an ideal diode controller that prevents DC from back-feeding into the supply when the lights go out, and a really interesting synchronous buck-boost converter in place of the power management chip you’d normally see in a UPS. The converter chip takes a PWM signal from an RP2040; there’s also an ESP32 onboard for web server and UI duties as well as an STM32 to run the BMS. The video below discusses the design and shows a little of the build.

We’ve seen a spate of DC UPS designs lately, some more elaborate than others. This one has quite a few interesting chips that most of us don’t normally deal with, and it’s nice to see how they’re used in a practical design.

Continue reading “Open Source DC UPS Keeps The Low-Voltage Gear Going”