Hacking Is Hacking

Tom Nardi and I had a good laugh this week on the Podcast when he compared the ECU hacks that enabled turning a VW with steering assist into a self-driver to a hack last week that modified a water cooler to fill a particular cup. But it’s actually no joke — some of the very same techniques are used in both efforts, although the outcome of one is life-and-death, and the other is just some spilled ice-cold water.

This reminded me of Travis Goodspeed’s now-classic talk “In Praise of Junk Hacking” from way back in 2016. For background, this was a time when IoT devices and their security were in their relative infancy, and some members of the security community were throwing shade on the dissection of “mere” commercial crap. (Looked back on from today, where every other member of a Botnet is an IP camera, that argument didn’t age well.)

Travis’ response was that hacking on junk lets us focus on the process — the hack itself — rather than getting distracted by the outcome. Emotions run high when a security flaw affects millions of individuals, but when it’s a Tamagotchi or a pocket calculator, well, it doesn’t really matter, so you focus on the actual techniques. And as Travis points out, many of these techniques learned on junk will be useful when it counts. He learned about methods to defeat address-space randomization, for instance, from an old hack on the TI-85 calculator, which garbage-collected the variables that needed to be overwritten.

So I had junk hacking in the back of my mind when I was re-watching Hash Salehi’s great talk on his work reverse engineering smart meters. Funnily enough, he started off his reverse engineering journey eleven years ago with work on a robot vacuum cleaner’s LIDAR module. Junk hacking, for sure, but the same techniques taught him to work on devices that are significantly more serious. And in the craziest of Hackaday synergies, he even hat-tipped Travis’ talk in his video! Hacking is hacking!

Shmoocon 2017: On Not Reverse Engineering Through Emulation

Right now, I’m at Shmoocon, and it’s living up to all expectations. That’s a tall order — last year, the breakout talk was from [Travis Goodspeed] on his efforts to reverse engineer the firmware for a cheap Chinese radio. Four people in the room for that talk last year bought the radio on Amazon, and now there’s a legitimate open source project dedicated to building firmware and tools to support this radio.

Now that [Travis] has a few compatriots working on firmware for this radio, he has the same challenges as any other team. The project needs unit tests, and this isn’t easy to do when all the code is locked up inside a radio. Instead of setting up an entire development platform based around a cheap radio, [Travis] came up with a toolchain that’s unlike anything I’ve ever seen. Instead of reverse engineering the firmware for this radio, he’s simply emulating the ARM firmware on the desktop. Development is quick and easy, and he has the live demos to prove it.

The heart of the Tytera radio in question is an STM32F405. This is a pretty common part, and thanks to [Travis]’ work last year, he has all the firmware that ships on this radio. This doesn’t mean he has access to all the radio’s capabilities, though; there’s a black box in the code somewhere that translates .wav files to radio packets and back again. Open sourcing this would usually mean reverse engineering, but [Travis] had a better idea.

Instead of reverse engineering the entire radio, [Travis] is using QEMU to emulate an ARM microcontroller on his desktop, run the relevant code, and completely ignore any actual reverse engineering. Since this radio is already jailbroken and the community has a pretty good idea of where all the functions and subroutines are in the firmware, the most difficult part of pulling this trick off is setting up QEMU.

As a proof of concept, [Travis] downloaded raw AMBE packets from the radio to his laptop. These were then sent through the emulated radio, producing raw audio that was then converted into a .wav file. Effectively, a black box in this radio was emulated, which means [Travis] doesn’t need to know how the black box works.

All the code for this weird emulation / unit test, as well as everything the community has released for this radio, is available on GitHub. A lot of work has gone into the jailbreaking, reverse engineering, and emulation efforts here, making this radio, somewhat ironically, one of the most open radios you can buy.

Repurpose A Classroom Clicker For Great Justice

If you’ve been in a university class of a certain size, with a professor who wants to get live feedback from the students, you’ve probably been forced to buy a Turning Point “clicker”. Aside from the ridiculousness of making students pay for their professor’s instructional aids (do they make you pay extra for the chalk too?!?!) these clickers are a gauntlet thrown down to any right-minded hacker because they supposedly contain secrets.

[Nick] had one of these gadgets, and hopped right up on the shoulders of giants to turn it into a remote control that interfaces with his computer and drives a synthesizer, so he can work through the chord changes by clicking. His two references, to [Travis Goodspeed]’s nRF promiscuity hack and to [Taylor Killian]’s Arduino library for the clickers are a testament to why we need both reverse engineers doing the hard work and people who’ll wrap up the hard work in an easy-to-use library.


[Travis Goodspeed] Starts A Space Agency In Southern Appalachia


His space agency hardware might be in Southern Appalachia, but he can control it from anywhere in the world. That’s right, [Travis Goodspeed] started his own space agency — well kinda. The first piece of hardware operated by the organization is this dish for tracking moving targets in near space.

The main part of the build is a Felcom 82B dish which was designed to be a satellite link for naval vessels. The image showing the back side of it exposes all of the extras he built into the system. Don’t worry though, a dome goes over the top to keep the weather out without encumbering its operation. He uses an SDR dongle to handle the radio communications. That connects to a BeagleBone which pipes the data to his handheld over the Internet.

It’s amazing to see this type of hobby project. It wasn’t that long ago that you needed an entire room of hardware to communicate with satellites.

Exploiting DFU Mode To Snag A Copy Of Firmware Upgrades

[Travis Goodspeed] continues his work at educating the masses on how to reverse engineer closed hardware devices. This time around he’s showing us how to exploit the Device Firmware Updates protocol in order to get your hands on firmware images. It’s a relatively easy technique that uses a man-in-the-middle attack to dump the firmware image directly to a terminal window. This way you can get down to the nitty-gritty of decompiling and hex editing as quickly as possible.

For this hack he used his Facedancer board. We first saw the hardware used to emulate a USB device, allowing the user to send USB commands via software. Now it’s being used to emulate your victim hardware’s DFU mode. This is done by supplying the vendorID and productID of the victim, then pushing the firmware update as supplied by the manufacturer. In most cases this shouldn’t even require you to have the victim hardware on hand.
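Because the trick above hinges on the vendorID and productID that the manufacturer’s updater expects, it helps to know where those values live in a DFU update file. The following is an added example, not code from the post or from the Facedancer project: it parses and checks the 16-byte DFU 1.1 suffix (device IDs plus a CRC-32) and builds a constructed sample image with placeholder IDs to run against.

```python
import struct
import zlib

# DFU 1.1 suffix, little-endian, appended to the end of the image:
# bcdDevice, idProduct, idVendor, bcdDFU, "UFD" signature, bLength (16), dwCRC
DFU_SUFFIX_FMT = "<HHHH3sBI"
DFU_SUFFIX_LEN = struct.calcsize(DFU_SUFFIX_FMT)  # 16 bytes

def dfu_crc(data: bytes) -> int:
    """CRC-32 as stored in a DFU suffix: the usual reflected polynomial and
    0xFFFFFFFF seed, but without the final bit inversion that zlib applies."""
    return zlib.crc32(data) ^ 0xFFFFFFFF

def parse_dfu_suffix(image: bytes) -> dict:
    """Validate the suffix and return the identifiers the update file claims."""
    if len(image) < DFU_SUFFIX_LEN:
        raise ValueError("file too short to carry a DFU suffix")
    bcd_device, pid, vid, bcd_dfu, sig, length, crc = struct.unpack(
        DFU_SUFFIX_FMT, image[-DFU_SUFFIX_LEN:])
    if sig != b"UFD" or length != DFU_SUFFIX_LEN:
        raise ValueError("no DFU suffix present (raw binary or other container)")
    expected = dfu_crc(image[:-4])  # CRC covers everything except the CRC field itself
    if crc != expected:
        raise ValueError(f"suffix CRC mismatch: stored {crc:#010x}, computed {expected:#010x}")
    return {"vid": vid, "pid": pid, "bcd_device": bcd_device, "bcd_dfu": bcd_dfu,
            "payload_len": len(image) - DFU_SUFFIX_LEN}

def add_dfu_suffix(payload: bytes, vid: int, pid: int, bcd_device: int = 0xFFFF) -> bytes:
    """Append a DFU suffix to a raw payload (used here only to build sample input)."""
    head = struct.pack("<HHHH3sB", bcd_device, pid, vid, 0x0100, b"UFD", DFU_SUFFIX_LEN)
    body = payload + head
    return body + struct.pack("<I", dfu_crc(body))

def matches_device(image: bytes, vid: int, pid: int) -> bool:
    """True when the suffix names the given device; 0xFFFF in the file means 'any'."""
    info = parse_dfu_suffix(image)
    return info["vid"] in (vid, 0xFFFF) and info["pid"] in (pid, 0xFFFF)

# Constructed sample: 64 bytes of fake firmware tagged with placeholder IDs (not a real device).
SAMPLE_VID, SAMPLE_PID = 0x1234, 0x5678
SAMPLE_IMAGE = add_dfu_suffix(bytes(range(64)), SAMPLE_VID, SAMPLE_PID)

if __name__ == "__main__":
    print(parse_dfu_suffix(SAMPLE_IMAGE))
    print(matches_device(SAMPLE_IMAGE, SAMPLE_VID, SAMPLE_PID))
```

The suffix CRC is an integrity check only: anyone can regenerate it, so a valid suffix says nothing about whether the image really came from the vendor, which is exactly why an updater that relies on it alone will happily hand its firmware to an emulated device.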

Facedancer Board Lets Your Python Programs Pretend To Be USB Hardware

This is the prototype board for [Travis Goodspeed’s] new USB development tool called the Facedancer. He took on the design with USB security exploits in mind, but we think it’s got a lot of potential for plain old development as well.

Kudos on the [Frank Herbert] reference when naming the project. Like the Face Dancers from the Dune mythology that can perfectly mimic any person they touch, this device lets you mimic whatever you can imagine. One of the USB ports connects to the victim (or host); the other connects to a development machine. Python can then be used to send USB commands in real time. Think of this as doing the same thing the Bus Pirate does for SPI and I2C, except that it’s doing it on the USB protocol itself. This way you can feel your way through all of the road-bumps of developing a new device (or testing an exploit) without the need to continually compile and flash your hardware.

Wardriving For Zigbee

Wardriving started out as a search for unprotected WiFi access points before hot spots were prevalent. And so this ZigBee protocol wardriving hardware which [Travis Goodspeed] put together really gives us a sense of nostalgia for that time. Don’t get us wrong, we love our pervasive WiFi access and don’t wish to go back to simpler times. But if the radio signals you’re looking for are scarce, locating them provides a challenge.

Regular readers will recognize that [Travis] is interested in all things RF. One of his projects included sniffing wireless keyboard packets out of thin air and displaying them on the screen of his Nokia N900. This is right along those lines but he’s upgraded to an N9 phone for the display hardware. He switched up the RF hardware, using a TelosB (a board he’s already familiar with) to get on the 802.15.4 ZigBee spectrum. This dev board has an expansion port which let him use an RN42 module for wireless communications with the phone. This means the sniffing hardware can be hidden away in a backpack or jacket. After all, nobody will question someone walking around staring at a smart phone.