A few weeks ago in Finland [Oona] discovered a radio data stream centered around 76KHz in a FM broadcast and she recently managed to decode it. This 16,000bps stream uses level-controlled minimum-shift keying (L-MSK) which detection can be quite tricky to implement. She therefore decoded the stream by treating the received signal as non-coherent binary FSK, which as a side effect increased the bit error probability. [Oona] then understood that the stream she was getting was the data broadcast by Helsinky buses to the nearby bus stop timetable displays. She even got lucky when she observed a display stuck in the middle of its bootup sequence, displaying a version string. This revealed that the system is called IBus and made by the Swedish company Axentia. However their website didn’t provide the specs for their proprietary protocol. After many hours of sniffing and coding, [Oona] successfully implemented the five layer protocol stack in Perl and can now read the arrival times of the nearby buses from her apartment.
[Matlo] wrote in to share his USB sniffing project using the BeagleBoard-xM. It builds on the Google Summer of Code project from 2010 that used the non-xM version of the hardware to build a pass through USB sniffer. [Matlo] couldn’t get it to work back then, but recently revisited the project. He’s cleaned up some scripts and generally made it a bit easier for others to pull off as well.
The ARM-based BeagleBoard seen above acts as man-in-the-middle. You connect your target USB device to the board and the board to a computer. The board emulates the target device, passing packets in either direction while also logging them. The captured data is in the correct format for display using WireShark, the de facto standard for making sense of captured communication packets.
This is great for figuring out how to use USB devices on non-standard systems, or vice versa.
The chip seen just above the center of this image is an ARM Cortex-M3. It provides the ability to interface and program the main chip on the STM32F3 Discovery board. The protocol used is the ST-Link/V2 which has become the standard for ST Microelectronics development boards. The thing is, that big ARM chip near the bottom of the image has multiple UARTs and bridging a couple of solder points will connect it to the ST-Link hardware. [Taylor Killian] wanted to figure out if there is built-in firmware support to make this a USB-to-serial converter and his path to the solution involved reverse engineering the ST-Link/V2 firmware.
The first part of the challenge was to get his hands on a firmware image. When you download the firmware update package the image is not included as a discrete file. Instead he had to sniff the USB traffic during a firmware update. He managed to isolate the file and chase down the encryption technique which is being used. It’s a fun read to see how he did this, and we’re looking forward to learning what he can accomplish now that’s got the goods he was after.
It seems that [Limpkin] was up to no good this weekend. He decided to snoop around inside a smart-card laundry machine. He posted about his
larceny adventure and shared the details about how card security works with this machine.
We’re shocked that the control hardware is not under lock and key. Two screws are all that secures the panel to which this PCB is mounted. We know that machines using coins have a key lock, but perhaps there isn’t much need for that if there’s no currency to steal. [Limpkin] made a pass-through connector for the ribbon cable coming in from the card reader. That’s the rainbow cable you can see above and it’s being fed to his logic sniffer. He used the ‘card detect’ signal as a trigger and captured enough data to take back to his lair for analysis. Using what he found and a Bus Pirate to test the smart card he laid bare all the data that’s being sent and received by the controller.
[Milosch] wrote in to tell us that he has recently released a bootable RFID live hacking system – something he has been diligently working on for quite some time. The live distro can be used for breaking and analyzing MIFARE RFID cards, as well as a reasonable selection of other well-known card formats. The release is based off the Fedora 15 live desktop system, and includes a long list of RFID hacking tools, as well as some applications that allow for NFC tag emulation.
His toolkit also contains a baudline-based LF RFID sniffer package, allowing for a real-time waveform display of low frequency RFID tags. The LF sniffer makes use of a cheap USB sound card, as well as a relatively simple reader constructed from a handful of easy to find components.
We have seen some of [Milosch’s] handiwork before, so we are fairly confident that his toolkit contains just about everything you need to start sniffing and hacking RFID tags. If you’re interested in grabbing a copy of the ISO, just be aware that the live CD is only compatible with 64-bit systems, so older laptops need not apply.
[Corrosion] sent in a tip about the Weaponised Auditing Response System he built inside a suitcase that, “has all the tools (and then some) for a wireless assault”.
The WARS is equipped with two WiFi adapters and two bluetooth adapters for all the wardriving and bluejacking anyone could ever want. [Corrosion] also included a 4 channel, 2.4GHz video scanner for warviewing. Everything runs off of a 12 inch netbook that will eventually run linux, and we’re really liking the 1970s suitcase aesthetic the WARS has – it looks like [Corrosion] is about to step into the set of a Beastie Boys video.
We were wondering about including a long range RFID sniffing antenna (PDF warning) behind the monitor of the suitcase’s monitor and asked [Corrosion] about it. He said it sounded doable, but is out of funds at the moment, so if you know how to build a cheap RFID antenna with a 50 foot range, drop [Corrosion] a line.
There’s a video demo with some stills of the build included after the break.
shackspace member [@dop3j0e] found himself in a real bind when trying to recover some data after his ThinkPad’s fingerprint scanner died. You see, he stored his hard drive password in the scanner, and over time completely forgot what it was. Once the scanner stopped working, he had no way to get at his data.
He brainstormed, trying to figure out the best way to recover his data. He considered reverse engineering the BIOS, which was an interesting exercise, but it did not yield any password data. He also thought about swapping the hard drive’s logic board with that of a similar drive, but it turns out that the password is stored on the platters, not the PCB.
With his options quickly running out, he turned to a piece of open-source hardware we’ve covered here in the past, the OpenBench Logic Sniffer. The IDE bus contains 16 data pins, and lucky for [@dop3j0e] the OpenBench has 16 5v pins as well – a perfect match. He wired the sniffer up to the laptop and booted the computer, watching SUMP for the unlock command to be issued. Sure enough he captured the password with ease, after which he unlocked and permanently removed it using hdparm.
Be sure to check out [@dop3j0e’s] presentation on the subject if you are interested in learning more about how the recovery was done.