Research: It’s Like Cheating, But Fair

My niece’s two favorite classes in high school this year are “Intro to AI” and “Ethical Hacking”. (She goes to a much cooler high school than I did!) In “Hacking”, she had an assignment to figure out some bug in some body of code. She was staring and staring, figuring and figuring. She went to her teacher and said she couldn’t figure it out, and he asked her if she’d tried to search for the right keywords on the Internet.

My niece responded “this is homework, and that’d be cheating”, a line she surely must have learned in her previous not-so-cool high school. When the teacher responded with “but doing research is how you learn to do stuff”, my niece was hooked. The class wasn’t abstract or academic any more; it became real. No arbitrary rules. Game on!

But I know how she feels. Whether it’s stubborn independence, or a feeling that I’m cheating, I sometimes don’t do my research first. But attend any hacker talk, where they talk about how they broke some obscure system or pulled off an epic trick. What is the first step? “I looked all over the Internet for the datasheet.” (Video) “I found the SDK and that made it possible.” (Video) “Would you believe this protocol is already documented?” In any serious hack, there’s always ample room for your creativity and curiosity later on. If others have laid the groundwork for you, get on it.

If you have trouble overcoming your pride, or NIH syndrome, or whatever, bear this in mind: the reason we share information with other hackers is to give them a leg up. Whoever documented that protocol did it to help you. Not only is there no shame in cribbing from them, you’re essentially morally obliged to do so. And to say thanks along the way!

Remoticon 2021 // Jeroen Domburg [Sprite_tm] Hacks The Buddah Flower

Nobody likes opening up a hacking target and finding a black epoxy blob inside, but all hope is not lost. At least not if you’ve got the dedication and skills of [Jeroen Domburg] alias [Sprite_tm].

It all started when [Big Clive] ordered a chintzy Chinese musical meditation flower and found a black blob. But tantalizingly, the shiny plastic mess also included a 2 MB flash EEPROM. The questions then is: can one replace the contents with your own music? Spoiler: yes, you can! [Sprite_tm] and a team of Buddha Chip Hackers distributed across the globe got to work. (Slides here.)

[Jeroen] started off with binwalk and gets, well, not much. The data that [Big Clive] dumped had high enough entropy that it looks either random or encrypted, with the exception of a couple tiny sections. Taking a look at the data, there was some structure, though. [Jeroen] smelled shitty encryption. Now in principle, there are millions of bad encryption methods out there for every good one. But in practice, naive cryptographers tend to gravitate to a handful of bad patterns.

Bad pattern number one is XOR. Used correctly, XORing can be a force for good, but if you XOR your key with zeros, naturally, you get the key back as your ciphertext. And this data had a lot of zeros in it. That means that there were many long strings that started out the same, but they seemed to go on forever, as if they were pseudo-random. Bad crypto pattern number two is using a linear-feedback shift register for your pseudo-random numbers, because the parameter space is small enough that [Sprite_tm] could just brute-force it. At the end, he points out their third mistake — making the encryption so fun to hack on that it kept him motivated!

Decrypted, the EEPROM data was a filesystem. And the machine language turned out to be for an 8051, but there was still the issue of the code resident on the microcontroller’s ROM. So [Sprite_tm] bought one of these flowers, and started probing around the black blob itself. He wrote a dumper program that output the internal ROM’s contents over SPI. Ghidra did some good disassembling, and that let him figure out how the memory was laid out, and how the flow worked. He also discovered a “secret” ROM area in the chip’s flash, which he got by trying some random functions and looking for side effects. The first hit turned out to be a memcpy. Sweet.

[Neil555]’s Rosetta Stone
Meanwhile, the Internet was still working on this device, and [Neil555] bought a flower too. But this one had a chip, rather than a blob, and IDing this part lead them to an SDK, and that has an audio suite that uses a derivative of WMA audio encoding. And that was enough to get music loaded into the flower. (Cue a short rick-rolling.) Victory!

Well, victory if all you wanted to do was hack your music onto the chip. As a last final fillip, [Sprite_tm] mashed the reverse-engineered schematic of the Buddha Flower together with [Thomas Flummer]’s very nice DIY Remoticon badge, and uploaded our very own intro theme music into the device on a badge. Bonus points? He added LEDs that blinked out the LSFR that were responsible for the “encryption”. Sick burn!

Editor’s Note: This is the last of the Remoticon 2 videos we’ve got. Thanks to all who gave presentations, to all who attended and participated in the lively Discord back channel, and to all you out there who keep the hacking flame alive. We couldn’t do it without you, and we look forward to a return to “normal” Supercon sometime soon.

You Break It, We Fix It

Apple’s AirTags have caused a stir, but for all the wrong reasons. First, they turn all iPhones into Bluetooth LE beacon repeaters, without the owner’s permission. The phones listen for the AirTags, encrypt their location, and send the data on to the iCloud, where the tag’s owner can decrypt the location and track it down. Bad people have figured out that this lets them track their targets without their knowledge, turning all iPhone users into potential accomplices to stalkings, or worse.

Naturally, Apple has tried to respond by implementing some privacy-protecting features. But they’re imperfect to the point of being almost useless. For instance, AirTags now beep once they’ve been out of range of their owner’s phone for a while, which would surely alert the target that they’re being tracked, right? Well, unless the evil-doer took the speaker out, or bought one with the speaker already removed — and there’s a surprising market for these online.

If you want to know that you’re being traced, Apple “innovated with the first-ever proactive system to alert you of unwanted tracking”, which almost helped patch up the problem they created, but it only runs on Apple phones. It’s not clear what they meant by “first-ever” because hackers and researchers from the SeeMoo group at the Technical University of Darmstadt beat them to it by at least four months with the open-source AirGuard project that runs on the other 75% of phones out there.

Along the way, the SeeMoo group also reverse engineered the AirTag system, allowing anything that can send BLE beacons to play along. This opened the door for [Fabian Bräunlein]’s ID-hopping “Find You” attack that breaks all of the tracker-detectors by using an ESP32 instead of an AirTag. His basic point is that most of the privacy guarantees that Apple is trying to make on the “Find My” system rely on criminals using unmodified AirTags, and that’s not very likely.

To be fair, Apple can’t win here. They want to build a tracking network where only the good people do the tracking. But the device can’t tell if you’re looking for your misplaced keys or stalking a swimsuit model. It can’t tell if you’re silencing it because you don’t want it beeping around your dog’s neck while you’re away at work, or because you’ve planted it on a luxury car that you’d like to lift when its owners are away. There’s no technological solution for that fundamental problem.

But hackers are patching up the holes they can, and making the other holes visible, so that we can at least have a reasonable discussion about the tech’s tradeoffs. Apple seems content to have naively opened up a Pandora’s box of privacy violation. Somehow it’s up to us to figure out a way to close it.

Flipper Zero tool reading bank card, displaying data on LCD

What’s On Your Bank Card? Hacker Tool Teaches All About NFC And RFID

The Flipper Zero is a multipurpose hacker tool that aims to make the world of hardware hacking more accessible with a slick design, wide array of capabilities, and a fantastic looking UI. They are struggling with manufacturing delays like everyone else right now, but there’s a silver lining: the team’s updates are genuinely informative and in-depth. The latest update is all about RFID and NFC, and how the Flipper Zero can interact with a variety of contactless protocols.

Drawing of Flipper Zero and a variety of RFID tags
Popular 125 kHz protocols: EM-Marin, HID Prox II, and Indala

Contactless tags are broadly separated into low-frequency (125 kHz) and high-frequency tags (13.56 MHz), and it’s not really possible to identify which is which just by looking at the outside. Flipper Zero can interface with both, but the update at the link above goes into considerable detail about how these tags are used in the real world, and what they look like from both the outside and inside.

For example, 125 kHz tags have an antenna made from many turns of very fine wire, with no visible space between the loops. High-frequency tags on the other hand will have antennas with fewer loops, and visible space between them. To tell them apart, a bright light is often enough to see the antenna structure through thin plastic.

Low-frequency tags are “dumb” and incapable of encryption or two-way communication, but what about high-frequency (often referred to as NFC) like bank cards and applications like Apple Pay? One thing demonstrated is that mobile payment methods offer up considerably less information on demand than a physical bank or credit card. With a physical contactless card it’s possible to read the full card number, expiry date, and in some cases the name as well as recent transactions. Mobile payment systems (like Apple or Google Pay) don’t do that.

Like many others, we’re looking forward to it becoming available, sadly there is just no getting around component shortages that seem to be affecting everyone.

Sad clown holding melted ice cream cone

Freezing Out Ice Cream Machine Competition

We always knew that McDonald’s soft serve (you can’t really call it ice cream) machines are known to be finicky. There’s even a website that tracks where the machines are broken and, apparently, it is usually about 10% or more of them at any given time. But when we saw a news article about a judge issuing a restraining order, we knew there must be more to the story. Turns out, these $18,000 soft serve machines are in the heart of something we are very interested in: when do you own your own technology?

Cold Tech

There are apparently 13,000 or so of these machines and they are supposedly high-tech marvels, able to produce soft serve and milkshakes at the same time. However, they are also high maintenance. Cleaning the machine every two weeks (try not to think about that) involves a complete teardown. Worse, if anything breaks, you need a factory-authorized service person.

Continue reading “Freezing Out Ice Cream Machine Competition”

Hacking A Netgear Router

Have you ever wanted to watch someone reverse engineer a piece of hardware and pick up some tips? You can’t be there while [Jeremy] tears open a Netgear N300 router, but you can see his process step by step in some presentation charts, and you’ll get a few ideas for the next time you want to do something like this.

The first part of the presentation might be a little basic for most Hackaday readers, but presumably, the intended audience might not know much about soldering or multimeters. But we enjoyed the methodology used to work out the UART pins on the board. We would have read the baud rate with the scope, which [Jeremy] does, but he also mentions a script to work it out and create a minicom profile that looked interesting.

Continue reading “Hacking A Netgear Router”

Seeing The Skill Is Better Than Seeing The Project

Pulling off a flashy project that gets the viral-media hug of widespread approval feels great. Getting there is no easy path to walk and often times the craft that went into a finished project doesn’t even take the back seat but gets no mention at all. Often I find I’m more impressed by — or a least my attention is more strongly captured by — the skills put on display as prominently as the finished build.

Case-in-point this week comes from the model railroad work of [Diorama111]. Seeing an OLED screen in the nose of an HO scale locomotive just like the real-life version is impressive, but how many people missed the one-off soldering masterpiece that went into this one? You’ll marvel at the SMD techniques used with through-hole protoboard on this one.

Occasionally we do get to look over the shoulder of the master as decades of skills are shared for the purpose of passing them on. So was the case back in May when we watched as [Leo] walked through his tips and tricks for prototyping at the electronics bench. This included a lot of non-obvious but clever stuff; tips on working with copper tape for solder buses, using Teflon tubing with bare wire instead of stripping PVC-insulated wire, and a deep dive into copper clad prototyping.

So remember all of us hardware geeks when you look to tell the story of your project. We want to know how it was done at least as much as what was done. There was a time when electronic designers were a separate work group from electronic technicians (and wow, those technicians were in a league of their own). These days we all have that technician hat hanging on our workbenches and I’m always interested in packing in yet another unlearnt skill. Throw us a bone!