USB sniffing with the BeagleBoard-xM

[Matlo] wrote in to share his USB sniffing project using the BeagleBoard-xM. It builds on the Google Summer of Code project from 2010 that used the non-xM version of the hardware to build a pass through USB sniffer. [Matlo] couldn’t get it to work back then, but recently revisited the project. He’s cleaned up some scripts and generally made it a bit easier for others to pull off as well.

The ARM-based BeagleBoard seen above acts as man-in-the-middle. You connect your target USB device to the board and the board to a computer. The board emulates the target device, passing packets in either direction while also logging them. The captured data is in the correct format for display using WireShark, the de facto standard for making sense of captured communication packets.

This is great for figuring out how to use USB devices on non-standard systems, or vice versa.

Reverse engineering ST-Link/V2 firmware

reverse-engineering-stlink-v2

The chip seen just above the center of this image is an ARM Cortex-M3. It provides the ability to interface and program the main chip on the STM32F3 Discovery board. The protocol used is the ST-Link/V2 which has become the standard for ST Microelectronics development boards. The thing is, that big ARM chip near the bottom of the image has multiple UARTs and bridging a couple of solder points will connect it to the ST-Link hardware. [Taylor Killian] wanted to figure out if there is built-in firmware support to make this a USB-to-serial converter and his path to the solution involved reverse engineering the ST-Link/V2 firmware.

The first part of the challenge was to get his hands on a firmware image. When you download the firmware update package the image is not included as a discrete file. Instead he had to sniff the USB traffic during a firmware update. He managed to isolate the file and chase down the encryption technique which is being used. It’s a fun read to see how he did this, and we’re looking forward to learning what he can accomplish now that’s got the goods he was after.

Signal sniffing some laundry pay cards

It seems that [Limpkin] was up to no good this weekend. He decided to snoop around inside a smart-card laundry machine. He posted about his larceny  adventure and shared the details about how card security works with this machine.

We’re shocked that the control hardware is not under lock and key. Two screws are all that secures the panel to which this PCB is mounted. We know that machines using coins have a key lock, but perhaps there isn’t much need for that if there’s no currency to steal. [Limpkin] made a pass-through connector for the ribbon cable coming in from the card reader. That’s the rainbow cable you can see above and it’s being fed to his logic sniffer. He used the ‘card detect’ signal as a trigger and captured enough data to take back to his lair for analysis. Using what he found and a Bus Pirate to test the smart card he laid bare all the data that’s being sent and received by the controller.

Live CD for RFID hacking on the go

live_rfid_sniffing_distro

[Milosch] wrote in to tell us that he has recently released a bootable RFID live hacking system – something he has been diligently working on for quite some time. The live distro can be used for breaking and analyzing MIFARE RFID cards, as well as a reasonable selection of other well-known card formats. The release is based off the Fedora 15 live desktop system, and includes a long list of RFID hacking tools, as well as some applications that allow for NFC tag emulation.

His toolkit also contains a baudline-based LF RFID sniffer package, allowing for a real-time waveform display of low frequency RFID tags. The LF sniffer makes use of a cheap USB sound card, as well as a relatively simple reader constructed from a handful of easy to find components.

We have seen some of [Milosch’s] handiwork before, so we are fairly confident that his toolkit contains just about everything you need to start sniffing and hacking RFID tags. If you’re interested in grabbing a copy of the ISO, just be aware that the live CD is only compatible with 64-bit systems, so older laptops need not apply.

A suitcase for all your wardriving needs

[Corrosion] sent in a tip about the Weaponised Auditing Response System he built inside a suitcase that, “has all the tools (and then some) for a wireless assault”.

The WARS is equipped with two WiFi adapters and two bluetooth adapters for all the wardriving and bluejacking anyone could ever want. [Corrosion] also included a 4 channel, 2.4GHz video scanner for warviewing. Everything runs off of a 12 inch netbook that will eventually run linux, and we’re really liking the 1970s suitcase aesthetic the WARS has – it looks like [Corrosion] is about to step into the set of a Beastie Boys video.

We were wondering about including a long range RFID sniffing antenna (PDF warning) behind the monitor of the suitcase’s monitor and asked [Corrosion] about it. He said it sounded doable, but is out of funds at the moment, so if you know how to build a cheap RFID antenna with a 50 foot range, drop [Corrosion] a line.

There’s a video demo with some stills of the build included after the break.

Continue reading “A suitcase for all your wardriving needs”

IDE bus sniffing and hard drive password recovery

hdd_password_recovery

shackspace member [@dop3j0e] found himself in a real bind when trying to recover some data after his ThinkPad’s fingerprint scanner died. You see, he stored his hard drive password in the scanner, and over time completely forgot what it was. Once the scanner stopped working, he had no way to get at his data.

He brainstormed, trying to figure out the best way to recover his data. He considered reverse engineering the BIOS, which was an interesting exercise, but it did not yield any password data. He also thought about swapping the hard drive’s logic board with that of a similar drive, but it turns out that the password is stored on the platters, not the PCB.

With his options quickly running out, he turned to a piece of open-source hardware we’ve covered here in the past, the OpenBench Logic Sniffer. The IDE bus contains 16 data pins, and lucky for [@dop3j0e] the OpenBench has 16 5v pins as well – a perfect match. He wired the sniffer up to the laptop and booted the computer, watching SUMP for the unlock command to be issued. Sure enough he captured the password with ease, after which he unlocked and permanently removed it using hdparm.

Be sure to check out [@dop3j0e’s] presentation on the subject if you are interested in learning more about how the recovery was done.

Enhance your key fob via CAN bus hacking

[Igor] drives a 4th generation Volkswagen Golf, and decided he wanted to play around with the CAN bus for a bit. Knowing that the comfort bus is the most accessible and the safest to toy with, he started poking around to see what he could see (Google translation).

He pulled the trim off one of the rear doors and hooked into the comfort bus with an Arudino and a CAN interface module. He sniffed the bus’ traffic for a bit, then decided he would add some functionality to the car that it was sorely lacking. The car’s windows can all be rolled down by turning the key in any lock for more than a few seconds, however this cannot be done remotely. The functionality can be added via 3rd party modules or through manipulating the car’s programming with some prepackaged software, but [Igor] wanted to give it a go himself.

He programmed the Arduino to listen for longer than normal button presses coming from the remote. Once it detects that he is trying to roll the windows up or down, the Arduino issues the proper window control commands to the bus, and his wish is the car’s command.

It’s a pretty simple process, but then again he has just gotten started. We look forward to seeing what else [Igor] is able to pull off in the future.  In the meantime, continue reading to see a quick video of his handiwork.

If you are interested in seeing what you might be able to do with your own car, check out this CAN  bus sniffer we featured a while back.

Continue reading “Enhance your key fob via CAN bus hacking”