A Spectrum Analyzer For The Smart Response XE

October 22, 2019 by Tom Nardi 27 Comments

Remember the Girl Tech IM-me? It was a hot-pink clearance rack toy that suddenly became one of the hottest commodities in the hacking world when it was discovered they could be used for all sorts of radio frequency shenanigans. Now they go for triple digits on eBay, if you can even find one. Well, we’re probably about to see the same thing happen to the Smart Response XE.

Thanks to the work of a hacker named [ea], this cheap educational gadget is finally starting to live up to the potential we saw in it back when a teardown revealed it was powered by an Arduino-compatible ATmega128RF chip. With a big screen, a decent QWERTY keyboard, and integrated wireless hardware, it seemed obvious that the Smart Response XE was poised to be the next must-have repurposed piece of kit.

Though as it turns out, [ea] isn’t using the device’s built-in wireless hardware. Step one in this exceptionally well documented and photographed project is to tack a CC1101 transceiver module to the SPI pins on the ATmega128RF. Then with the appropriate firmware loaded up, that nice big screen will show you what’s happening on the 300 MHz, 400 Mhz and 900 MHz bands.

But the fun doesn’t stop there. With the CC1101-modified Smart Response XE, there’s a whole new world of radio hacks you can pull off. As a proof of concept, [ea] has also included a POCSAG pager decoder. Granted the RTL-SDR has already made pulling pager messages out of the air pretty easy, but there’s something to be said for being able to do it on something so small and unassuming.

If you can’t tell, we’re exceptionally interested in seeing what the community can do with the Smart Response XE. At the time of this writing, the going rate on eBay for a good condition unit looks to be about $10 USD, plus the $3 or so for the CC1101 module. But the prices went through the roof when we first posted about it, so get them cheap while you still can.

[Thanks to bburky for the tip.]

Hacking The IM-ME To Open Garages

June 8, 2015 by Anool Mahidharia 32 Comments

If you have a wireless controlled garage door, a child’s toy can wirelessly open it in a few seconds. [Samy Kamkar] is a security researcher who likes to”think bad, do good”. He’s built OpenSesame, a device that can wirelessly open virtually any fixed-code garage door in seconds, exploiting a new attack he’s discovered in wireless fixed-pin devices, using the Mattel IM-ME toy.

The exploit works only on a gate or garage which uses “fixed codes”. To prevent this type of attack, all you need to do is to upgrade to a system which uses rolling codes, hopping codes, Security+ or Intellicode. These are not foolproof from attack, but do prevent the OpenSesame attack along with other traditional brute forcing attacks. It seems there are at least a couple of vendors who still have such vulnerable products, as well as several more whose older versions are affected too.

Before you read further, a caveat – the code released by [Samy] is intentionally bricked to prevent it from being abused. It might work, but just not quite. If you are an expert in RF and microcontrollers, you could fix it, but then you wouldn’t need his help in the first place, would you?

The IM-ME is a defunct toy and Mattel no longer produces it, but it can be snagged from Amazon or eBay if you’re lucky. The Radica Girltech IM-ME texting toy has been extensively hacked and documented. Not surprising, since it sports a TI CC1110 sub-GHz RF chip, an LCD display, keyboard, backlight, and more. A good start point is the GoodFET open-source JTAG adapter, followed by the work of [Travis Godspeed] , [Dave] and [Michael Ossmann].

One issue with fixed code systems is their limited key space. For example, a remote with 12 binary dip switches supports 12 bits of possible combinations. Since its binary and 12 bits long, that’s 2^12, which is 4096 possible combinations. With a bit of math, [Samy] shows that it takes 29 minutes to open an (8-12)-bit garage, assuming you know the frequency and baud rate, both of which are pretty common. If you have to attempt a few different frequencies and baud rates, then the time it takes is a multiple of 29 minutes. If you don’t transmit the codes multiple times, and remove the pauses in between codes, the whole exercise can be completed in 3 minutes.

The weak link in the hardware is how the shift registers which decode the received codes work. Each bit is loaded in the register sequentially, gradually moving as additional bits come in and push the previous ones. This, and using an algorithm [Samy] wrote based on the De Bruijn sequence, the whole brute force attack can be completed in just over 8 seconds. OpenSesame implements this algorithm to produce every possible overlapping sequence of 8-12 bits in the least amount of time.

You can take a look at understanding how the code works by checking it out on Github. [Samy] loves doing such investigative work – check out his combo lock code breaker we featured recently, the scary, keyboard sniffing wall wart and the SkyJack – a drone to hack all drones.

Continue reading “Hacking The IM-ME To Open Garages” →

Chipcon CC1110/CC1111 Serial Bootloader

March 9, 2012 by Mike Szczys 5 Comments

[Joby Taffey] just rolled out a serial bootloader for the Chipcon CC1110/CC1111 processors. The project is called CCTL and aims to make prototyping with the Girltech IM-ME a bit less tedious. Up until now firmware for the device had to be pushed in with a GoodFET or TI proprietary programmer which was quite slow. But this bootloader makes it possible to push your code via the chip’s serial port at 115200 baud. But the pretty pink pager isn’t the only device using these chips and to prove it [Joby] send this picture of all the electronics he has on hand running this architecture.

Once the 1KB CCTL bootloader has been flashed to the chip, a serial port or USB to Serial converter can be used as a programmer. [Joby] warns that the Chipcon processors are not 5V tolerant so you need to either use a 3V serial converter or add a level converter into the mix.

CCTL provides the features you’d expect from a bootloader. It uses the chip’s watchdog timer to guard against failure due to broken code. And there is an upgrade mode available at power up. Instruction for use are included in the Github repo linked at the top.

Project 25 Digital Radios (law Enforcement Grade) Vulnerable To The IM-ME

August 18, 2011 by Mike Szczys 73 Comments

Would you believe you can track, and even jam law enforcement radio communications using a pretty pink pager? It turns out the digital radios using the APCO-25 protocol can be jammed using the IM-ME hardware. We’ve seen this ‘toy’ so many times… yet it keeps on surprising us. Or rather, [Travis Goodspeed’s] ability to do amazing stuff with the hardware is what makes us perk up.

Details about this were presented in a paper at the USENIX conference a few weeks ago. Join us after the break where we’ve embedded the thirty-minute talk. There’s a lot of interesting stuff in there. The IM-ME can be used to decode the metadata that starts each radio communication. That means you can track who is talking to whom. But for us the most interesting part was starting at about 15:30 when the presenter, [Matt Blaze], talked about directed jamming that can be used to alter law enforcement behavior. A jammer can be set to only jam encrypted communications. This may prompt an officer to switch off encryption, allowing the attackers to listen in on everything being said to or from that radio.

Continue reading “Project 25 Digital Radios (law Enforcement Grade) Vulnerable To The IM-ME” →

Making The IM-ME Dongle More Useful

January 26, 2011 by Mike Szczys 15 Comments

So you’ve hacked your IM-ME six ways from Sunday but don’t know what to do with the USB dongle? [Joby Taffey] set out to make this leftover a useful part of the hacking arsenal. He pulled off the USB connector and the USB controller chip. From there he glued on the pin headers as pictured above in order to turn this into a breadboard-friendly single in-line package. But wait, that’s not all… for the low-low price of common components he also built a power and programming cable. Once it’s all said and done you can load PinkOS, an operating system he developed for the device which lets you operate the onboard radio via serial protocol.

Need a better overview of the hardware on the board? [Joby] laid the groundwork for this hack back in October.

Wireless Sniffing And Jamming Of Chronos And Iclicker

January 25, 2011 by Joseph Thibodeau 1 Comment

The ubiquitous presence of wireless devices combined with easy access to powerful RF development platforms makes the everyday world around us a wireless hacker’s playground. Yesterday [Travis Goodspeed] posted an article showing how goodfet.cc can be used to sniff wireless traffic and also to jam a given frequency. We’ve previously covered the work of [Travis] in pulling raw data from the IM-ME spectrum analyzer, which also uses goodfet.cc.

The Texas Instruments Chronos watch dev platform contains a C1110 chip, which among other things can provide accelerometer data from the watch to an interested sniffer. The i>clicker classroom response device (which houses a XE1203F chip) is also wide open to this, yielding juicy info about your classmates’ voting behaviour. There is still some work to be done to improve goodfet.cc, and [Travis] pays in beer–not in advance, mind you.

With products like the Chronos representing a move towards personal-area wireless networks, this sort of security hole might eventually have implications to individual privacy of, for example, biometric data–although how that might be exploited is another topic. Related to this idea is that of sniffable RFID card data. How does the increasing adoption of short-range wireless technologies affects us, both for good and bad? We invite you to share your ideas in the comments.

Dungeon Crawler Game For IM-ME (and Linux)

November 11, 2010 by Mike Szczys 14 Comments

[Joby Taffey] takes the prize for the first completed homebrew game for the IM-ME. Over the last few weeks we’ve seen [Travis Goodspeed] working with sprite graphics, and [Emmanuel Roussel] developing game music for the pink pager. But [Joby] didn’t really use either of those.

[Travis’] sprites were using a framebuffer that fills up a lot of valuable RAM. [Joby] decided to draw the room screens (all of them have been stitched together for the image above) as a one-time background image to keep the memory free. From there, the screen is updated in 8×8 blocks based on cursor movement. He also decided not to add music as he feels the high-pitched piezo is not capable making sound without driving everyone crazy.

Source code is available and for those of you who don’t own this pretty handheld, the game can also be compiled in Linux.