Cryptanalyse Your Air Con

Infrared remote controls are simple and ubiquitous. Emulating them with the aid of a microcontroller is a common project that hackers use to control equipment as diverse as televisions, cable boxes, and home stereos. Some air conditioners can be a little more complicated, however, but [Ken]’s here to help.

The root of the problem is that the air conditioner remote was using a non-obvious checksum to verify that received commands were valid. To determine the function generating the checksum, [Ken] decided to bust out the tools of differential cryptanalysis. This involves carefully varying the input to a cryptographic function and observing the resulting differences in the output.

With 35 signals collected from the remote, a program was written to find input data that varied by just one bit. The checksum outputs were then compared to eventually put together the checksum function.

[Ken] notes that the function may not be 100% accurate, as they’re only using a limited sample of data in which not all the bytes change significantly. However, it shows that a methodical approach is valuable when approaching such projects.
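The one-bit-difference approach described above, as an added Python illustration (not [Ken]'s code): the remote's real checksum is not given in the post, so a stand-in XOR-based function and a constructed set of captures (header, temperature, mode, fan bytes) are assumed purely to generate sample data. The script pairs captures whose payloads differ in exactly one bit, records the checksum difference each bit causes, checks that those effects are consistent (i.e. the checksum is XOR-linear in the observed bits), and then reports how well the recovered model fits, returning None for any frame that flips a bit never seen changing, which is exactly the limited-sample caveat [Ken] raises.

```python
"""Differential analysis of an unknown IR remote checksum (added illustration).

Pairs captured frames that differ in exactly one payload bit, compares their
checksums, and checks how well the recovered model reproduces the captures.
"""
from itertools import combinations
from typing import Optional


def _hidden_checksum(payload: bytes) -> int:
    """Stand-in for the remote's unknown checksum. This is an assumption used
    only to generate sample captures; the real function is not on the page."""
    acc = 0x5A
    for b in payload:
        acc ^= ((b << 1) | (b >> 7)) & 0xFF   # rotate left by one, then XOR
    return acc


def capture_samples() -> list[tuple[bytes, int]]:
    """Constructed captures: every combination of a small set of button states,
    as if recorded from the remote. Only a handful of payload bits ever change."""
    samples = []
    for temp in range(16, 24):          # 0x10..0x17: only the low 3 bits vary
        for mode in range(4):
            for fan in range(4):
                payload = bytes([0xA1, temp, mode, fan])
                samples.append((payload, _hidden_checksum(payload)))
    return samples


def _bits(diff: bytes) -> list[int]:
    """Bit positions (0 = LSB of the last byte) that are set in a byte string."""
    n = int.from_bytes(diff, "big")
    return [i for i in range(len(diff) * 8) if (n >> i) & 1]


def learn_bit_effects(samples) -> dict[int, int]:
    """For each payload bit seen flipping between two captures, record the XOR
    difference it causes in the checksum. Raises if a bit's effect varies, which
    would mean the checksum is not XOR-linear in that bit."""
    effects: dict[int, int] = {}
    for (p1, c1), (p2, c2) in combinations(samples, 2):
        diff = bytes(a ^ b for a, b in zip(p1, p2))
        bits = _bits(diff)
        if len(bits) != 1:
            continue                                   # keep one-bit pairs only
        bit, delta = bits[0], c1 ^ c2
        if effects.setdefault(bit, delta) != delta:
            raise ValueError(f"bit {bit} has inconsistent effect; not XOR-linear")
    return effects


def build_model(samples):
    """Return (predict, effects). predict(payload) gives the modelled checksum,
    or None when the payload flips a bit whose effect was never observed."""
    effects = learn_bit_effects(samples)
    ref_payload, ref_sum = samples[0]

    def predict(payload: bytes) -> Optional[int]:
        diff = bytes(a ^ b for a, b in zip(ref_payload, payload))
        result = ref_sum
        for bit in _bits(diff):
            if bit not in effects:
                return None                            # outside observed data
            result ^= effects[bit]
        return result

    return predict, effects


def evaluate(predict, samples) -> float:
    """Fraction of captures the recovered model reproduces exactly."""
    hits = sum(1 for p, c in samples if predict(p) == c)
    return hits / len(samples)


if __name__ == "__main__":
    caps = capture_samples()
    predict, effects = build_model(caps)
    print(f"{len(caps)} captures, effects learned for bits {sorted(effects)}")
    print(f"fit on captured data: {evaluate(predict, caps):.0%}")
    print("unseen temperature 8 ->", predict(bytes([0xA1, 8, 0, 0])))
```

Because the stand-in checksum is XOR-linear, every single-bit flip has one fixed effect and the model fits all captures; a frame with a temperature value whose upper bits never changed during capture (temperature 8, for instance) comes back as None rather than a guess. If the real remote used an additive checksum, the same pair comparison would surface inconsistent effects for the carry-affected bits, which is the signal to switch to a different model.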

Thirsty for more checksum-busting action? Check out this hacked weather station.

Mike Ossmann and Dominic Spill: IR, Pirates!

Mike Ossmann and Dominic Spill have been at the forefront of the recent wave of software-defined radio (SDR) hacking. Mike is the hardware guy, and his radio designs helped bring Bluetooth and ISM-band to the masses. Dominic is the software guy who makes sure that all this gear is actually usable. The HackRF SDR is still one of the best cheap choices if you need an SDR that can transmit and receive.

So what are these two doing on stage giving a talk about IR communication? Can you really turn traffic lights green by blinking lights? And can you spoof a TV remote with a cardboard cutout, a bicycle wheel, and a sparkler? What does IR have to do with pirates, and why are these two dressed up as buccaneers? Watch our video interview and find out, or watch the full talk for all of the juicy details.


A Motion Sensing Light For Your Entrance Hallway

Arriving home to a dark house with an armful of anything is usually an exercise in fumbling confusion until someone manages to turn on a light. [Pavel Gesyuk] has circumvented this problem entirely by building and installing a motion detecting entrance light!

[Gesyuk] is using an Arduino clone by the name of Funduino Mini Pro, a 2-channel, 2-way relay (he only needed one, but you use what you have on hand), a recycled power supply to convert 220V AC to 5V DC, and an infrared sensor.

The project’s goal — in excess of a lighting solution for an entrance hallway — was to learn the ins and outs of the Arduino and motion sensors. After some initial hurdles familiarizing himself with the Arduino, [Gesyuk] wired everything together on a protoboard and stuck it in a plastic case — loose wires in a high traffic area doesn’t a safe home make.


Another Day, Another Air Gap Breached

What high-tech, ultra-secure data center would be complete without dozens of video cameras directed both inward and outward? After all, the best informatic security means nothing without physical security. But those eyes in the sky can actually serve as a vector for attack, if this air-gap bridging exploit using networked security cameras is any indication.

It seems like the Cyber Security Lab at Ben-Gurion University is the place where air gaps go to die. They’ve knocked off an impressive array of air gap bridging hacks, like modulating power supply fans and hard drive activity indicators. The current work centers on the IR LED arrays commonly seen encircling the lenses of security cameras for night vision illumination. When a networked camera is compromised with their “aIR-Jumper” malware package, data can be exfiltrated from an otherwise secure facility. Using the camera’s API, aIR-Jumper modulates the IR array for low bit-rate data transfer. The receiver can be as simple as a smartphone, which can see the IR light that remains invisible to the naked eye. A compromised camera can even be used to infiltrate data into an air-gapped network, using cameras to watch for modulated signals. They also demonstrated how arrays of cameras can be federated to provide higher data rates and multiple covert channels with ranges of up to several kilometers.

True, the exploit requires physical access to the cameras to install the malware, but given the abysmal state of web camera security, a little social engineering may be the only thing standing between a secure system and a compromised one.


Complete IR Control

What can you do with an IR remote? How about anything? Maybe not. We’ll settle for issuing arbitrary commands and controlling tasks on our computer.

The first step in [Fungus]’s hack is straightforward: buy an IR receiver for a buck, plug it into an Arduino, and load up some IR-decoding code. If you haven’t done this before, you owe it to yourself to take some time now. Old IR remotes are very useful, and dead simple, to integrate into your projects.

But here comes the computer-control part. Rather than interpret the codes on the Arduino, the micro just sends them across the USB serial to a laptop. A relatively straightforward X11 program on the (Linux) computer listens for codes and does essentially anything a user with a mouse and keyboard could — that is to say, anything. Press keys, run programs, open webpages, anything. This is great for use with a laptop or desktop, but it’d also be a natural for an embedded Raspberry Pi setup as well.

Hacking the code to do your particular biddings is a simple exercise in monkey-patching. It’s like a minimal, hacked-together, USB version of LIRC, and we like it.

Thanks [CoolerVoid] for the tip!

Controlling A Micro Helicopter with a PS2 Controller

The Syma S107G is a venerable stalwart of the micro helicopter market. Affordable, robust, and ubiquitous, the S107G relies on infrared to receive its control signals. Emboldened by the prior work of others, [Robert] set out to control his with a Playstation 2 controller.

In this project, [Robert] is standing on the shoulders of giants, so to speak – we’ve seen others reverse engineer the S107G’s communications protocol before. [Robert] combined the efforts of several others to understand how to send commands to the helicopter, including use of two separate channels for controlling two at once.

With the knowledge of the necessary protocols, it’s then a matter of hooking up 3 LEDs in a somewhat unconventional series arrangement with a 9 volt supply, to be switched by an Arduino hooked up to a computer. A JavaScript application running on the computer reads the state of a PlayStation 2 controller and spits it out over serial to the Arduino, which flashes the LEDs.

It’s not the neatest, most lightweight way of building a new controller for your remote control toy, but it does show how quickly one can throw together a project in a weekend by combining modern hardware and software tools. Plus, it’s a great learning experience on a platform that’s been experimented with the world over.

Reflective Sensor Becomes Kart Racing Lap Counter

Once you have a track and a kart to race on it, what’s missing? A lap counter that can give your lap times in hardcopy, obviously! That’s what led [the_anykey] to create the Arduino-based Lap Timer to help him and his kids trim those precious seconds off their runs, complete with thermal printer for the results.

The hardware uses an infrared break-beam sensor module (a Velleman PEM10D) to detect when a kart passes by. This module is similar to a scaled-up IR reflective object sensor; it combines an IR emitter and receiver on one end, and is pointed at a reflector placed across the track, up to 10 meters away. When a kart breaks the beam, the module reports the event to the rest of the hardware. Only needing electronics on one side allows the unit to be self-contained.

An obvious shortcoming of this system is the inability to differentiate between multiple karts, but for timing a single driver’s performance it does the trick. What’s great about this project is it showcases how accessible hardware is today; a device like this is possible to put together with what are essentially off-the-shelf components available to any hobbyist, using an Arduino as the glue to hold it together. We’d only comment that a red-tinted piece of plastic as an overlay for the red display (and a grey-tinted one for the green) would make the LED displays much easier to read. Still, this is a very clean and well-documented build. See it in action in the video embedded below.
