Reverse Engineering Bluetooth Using Android And SPOT As An Example

[Travis Goodspeed] wrote in to tell us about his work reverse engineering the Bluetooth communications of this SPOT module. He’s written the post as a general guide to sniffing Bluetooth transmissions, but was inspired to use the SPOT as an example after seeing this other SPOT hack. We know he’s a fan of getting things to work with his Nokia N900, and that’s exactly where he ended up with this project.

This module was manufactured to be controlled by an Android phone, but there’s no control app available for the Nokia handset. Since Android uses the open-source BlueZ stack for Bluetooth, it’s actually pretty easy to log the packets that pass between the phone and the module. After grabbing a few test sets he shows how he deciphered the packets, then wrote a quick Python script to test out his findings. After working his way through the various commands available (grabbing the SPOT serial number, getting position data from it, etc.) [Travis] wrote up a front end in Qt Mobility for use on the N900.

RF Sniffing On-the-go

It’s been a while since we checked in on [Travis Goodspeed]. His latest post makes RF sniffing with the Next HOPE badge more portable by ditching the need to display data on a computer. He’s built on the work he did at the beginning of the year, replacing the FTDI chip on the badge with a Bluetooth module. Now he can use his Nokia N900 as a GoodFET terminal, not only to display the packets pulled from the air but to control the badge as well.

Previously, the client running on the computer communicated with the badge over a serial connection. To get it working on the N900 [Travis] switched from pySerial to PyBluez. All of the code changes are available from the GoodFET repository.

He’s got a few other tricks planned for this concept. He has put in a parts order to add Bluetooth to the Girltech IM-ME. The pretty pink pager also has a packet radio on board (a TI CC1110, rather than the badge’s nRF24L01+), so adding Bluetooth connectivity will let it be used in the same way. There are also plans to add a couple of other packet-sniffing protocols to the bag of tricks, including ZigBee.

Project 25 Digital Radios (Law Enforcement Grade) Vulnerable To The IM-ME

Would you believe you can track, and even jam, law enforcement radio communications using a pretty pink pager? It turns out that digital radios using the APCO Project 25 (P25) protocol can be jammed with the IM-ME hardware. We’ve seen this ‘toy’ so many times… yet it keeps on surprising us. Or rather, [Travis Goodspeed’s] ability to do amazing stuff with the hardware is what makes us perk up.

Details were presented in a paper at the USENIX conference a few weeks ago, and the thirty-minute talk is embedded in the full post. There’s a lot of interesting stuff in there. The IM-ME can be used to decode the metadata that starts each transmission, which is sent in the clear; that means you can track who is talking to whom even when the voice traffic itself is encrypted. But for us the most interesting part starts at about 15:30, when the presenter, [Matt Blaze], talks about directed jamming that can be used to alter law enforcement behavior. Because the jammer can tell encrypted traffic from clear traffic, it can be set to jam only the encrypted transmissions. An officer whose encrypted calls keep failing may respond by switching encryption off, at which point the attacker can listen in on everything said to or from that radio.

Sniffing RF Hardware Communication Packets

[Travis Goodspeed] put together a proof-of-concept hack that sniffs wireless keyboard data packets. He’s using the Next HOPE badge that he designed as the hardware platform for these tests. It has an nRF24L01+ radio on board, which can easily communicate with other 2.4 GHz devices.

The real trick comes in getting that radio to listen for all traffic on the channel rather than only packets addressed to it, and then narrowing that traffic down to just the device you want data from. He covers the protocol that is used, and his method of getting around the address filtering the radio does in hardware. In the end he can listen to all of the keyboard’s data without the target’s knowledge, and believes that it is possible to inject data using just the hardware on the badge.
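The software side of that trick, as an added example that is not [Travis]'s badge code: once the radio's hardware address filter is defeated, every packet on the channel comes back as raw bytes, so address matching and CRC checking move into software. The frame layout, preamble rule and 2-byte CRC below follow the nRF24L01+ datasheet; the capture model (`promiscuous_capture`, which assumes the radio may sync a bit or two early), the recovery search (`recover_frame`), `sniff`, and the sample addresses and payloads are constructed for this example and are not from the original post. Nothing here touches real hardware; it simulates the bit stream so the recovery logic can be exercised offline.

```python
# Added example (not Travis Goodspeed's code): build nRF24L01+ Enhanced
# ShockBurst frames, then recover them from a "promiscuous" capture where the
# hardware address filter has been bypassed. Layout, preamble rule and CRC
# (x^16 + x^12 + x^5 + 1, init 0xFFFF) follow the datasheet; samples are constructed.

CRC_POLY = 0x1021
CRC_INIT = 0xFFFF
MAX_PAYLOAD = 32
CAPTURE_BYTES = 32  # the radio hands back at most a 32-byte "payload"


def bytes_to_bits(data):
    """MSB-first bits, the order the radio clocks them onto the air."""
    return [(byte >> (7 - i)) & 1 for byte in data for i in range(8)]

def int_to_bits(value, width):
    return [(value >> (width - 1 - i)) & 1 for i in range(width)]

def bits_to_int(bits):
    value = 0
    for bit in bits:
        value = (value << 1) | bit
    return value

def bits_to_bytes(bits):
    return bytes(bits_to_int(bits[i:i + 8]) for i in range(0, len(bits), 8))

def crc16(bits):
    """Bitwise CRC-16: the 9-bit packet control field makes the covered
    region (address + PCF + payload) non-byte-aligned."""
    crc = CRC_INIT
    for bit in bits:
        crc ^= bit << 15
        crc = ((crc << 1) ^ CRC_POLY) & 0xFFFF if crc & 0x8000 else (crc << 1) & 0xFFFF
    return crc

def build_frame(address, payload, pid=0, no_ack=0):
    """Bits of one frame as sent: preamble, 3-5 byte address, 9-bit PCF
    (6-bit length, 2-bit packet id, NO_ACK), payload, 16-bit CRC."""
    assert 3 <= len(address) <= 5 and 1 <= len(payload) <= MAX_PAYLOAD
    preamble = 0xAA if address[0] & 0x80 else 0x55  # chosen from the address's first bit
    body = (bytes_to_bits(address) + int_to_bits(len(payload), 6)
            + int_to_bits(pid, 2) + [no_ack] + bytes_to_bits(payload))
    return bytes_to_bits(bytes([preamble])) + body + int_to_bits(crc16(body), 16)

def promiscuous_capture(frame_bits, early_bits=0):
    """Model (an assumption) of what a filter-bypassed radio returns: everything
    after the point where it synced, which may be early_bits before the address
    really starts, padded with the idle channel that follows the frame."""
    stream = frame_bits + [0] * (CAPTURE_BYTES * 8)  # constructed: silence after the frame
    start = 8 - early_bits
    return stream[start:start + CAPTURE_BYTES * 8]

def recover_frame(captured):
    """Software address filter: slide over bit offsets and address widths
    until the CRC validates, then return the parsed frame (or None)."""
    for shift in range(8):
        for aw in (5, 4, 3):
            pos = shift
            addr_bits = captured[pos:pos + aw * 8]
            pos += aw * 8
            pcf = captured[pos:pos + 9]
            pos += 9
            if len(addr_bits) < aw * 8 or len(pcf) < 9:
                continue
            length = bits_to_int(pcf[:6])
            if not 1 <= length <= MAX_PAYLOAD:
                continue
            payload_bits = captured[pos:pos + length * 8]
            pos += length * 8
            crc_bits = captured[pos:pos + 16]
            if len(payload_bits) < length * 8 or len(crc_bits) < 16:
                continue
            if crc16(addr_bits + pcf + payload_bits) == bits_to_int(crc_bits):
                return {"address": bits_to_bytes(addr_bits), "pid": bits_to_int(pcf[6:8]),
                        "no_ack": pcf[8], "payload": bits_to_bytes(payload_bits), "shift": shift}
    return None

def sniff(captures, target=None):
    """Decode every capture; with a target address, keep only that device's frames."""
    frames = [f for f in map(recover_frame, captures) if f is not None]
    return [f for f in frames if target is None or f["address"] == target]


# Constructed sample traffic: a "keyboard" and an unrelated device on the same channel.
KEYBOARD = bytes([0xC2, 0x5A, 0x9B, 0x71, 0xF3])
OTHER = bytes([0x11, 0x22, 0x33, 0x44, 0x55])
SAMPLE_CAPTURES = [
    promiscuous_capture(build_frame(KEYBOARD, b"KEY:a", pid=1)),
    promiscuous_capture(build_frame(OTHER, b"\x01\x02\x03"), early_bits=1),
    promiscuous_capture(build_frame(KEYBOARD, b"KEY:b", pid=2), early_bits=2),
]

if __name__ == "__main__":
    for frame in sniff(SAMPLE_CAPTURES, target=KEYBOARD):
        print(frame["address"].hex(), frame["pid"], frame["payload"], "shift", frame["shift"])
```

The shift search is what makes the approach tolerant of the radio syncing on the preamble a bit early; the CRC, recomputed in software over the recovered address, control field and payload, is what stands in for the address filter the hardware no longer applies.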

Knitting Machine Hack By Keypad Emulation

[Travis Goodspeed] and Hackaday alum [Fabienne Serriere] joined forces to develop an alternative interface for a knitting machine. They’re working with the Brother KH-930E machine. We saw [Becky Stern] use the same model by manipulating data on an emulated floppy drive for the device. [Travis] and [Fabienne] went a different route, and are emulating the keypad using an Arduino and a set of transistors.

They started by reverse engineering the keypad matrix using a continuity tester. Once they worked out the column and row layout they connected each to an NPN transistor. The Arduino sketch simulates button presses to set the knitting bits for each row, with just one reset button for user input. This can be used to send data from a PC, or as a standalone system. Either way, it’s not only a great way to add functionality to the knitting machine, but a good example of how to interface with the keypad on just about any device.

IM-ME Graphic Manipulation Using Sprites

Here’s a study in sprite animations that [Travis Goodspeed] put together. He’s working with one of his favorites, the pink IM-ME device that he’s been hacking on for a while now. But if you don’t have this hardware that shouldn’t discourage you. There’s a lot to be learned from his methods which will translate to any microcontroller working with a graphic LCD.

He starts with a 24-bit PNM sprite that includes three frames of his desired animation. From there he needs a way to store the data for use on an 8-bit microcontroller. He chose to write a Perl script that translates the image into a 1-bit (monochrome) bitmap. Each frame is padded to a width that is a multiple of 8 pixels, so every row of a frame is a whole number of bytes and the processor can fetch it without bit shifting. This translation into a C array, and the accompanying code that turns it into data for the frame buffer, is the key to the animation process. What is he shooting for? A sprite-based video game on the handheld.
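The conversion step as an added example, written in Python rather than Perl and not [Travis]'s own script: it parses a binary (P6) 24-bit PNM strip, thresholds each pixel to one bit, pads each frame's width to a multiple of 8, and emits the result as a C array. Row-major packing with the most significant bit as the leftmost pixel is an assumption made here; the real IM-ME frame-buffer layout may differ, and `parse_pnm`, `pack_sprite`, `to_c_array` and the constructed sample image are this example's own.

```python
# Added example (not Travis Goodspeed's Perl script): convert a 24-bit P6 PNM
# strip of animation frames into a 1-bit C array. Each frame is padded to a
# width that is a multiple of 8 so every row is whole bytes. Row-major packing
# with the MSB as the leftmost pixel is an assumption here; the real IM-ME
# frame-buffer layout may differ. The sample image is constructed.


def parse_pnm(data):
    """Minimal P6 (binary, 8-bit RGB) parser. '#' comments in the header are allowed."""
    tokens, pos = [], 0
    while len(tokens) < 4:
        while pos < len(data) and data[pos:pos + 1].isspace():
            pos += 1
        if data[pos:pos + 1] == b"#":
            while pos < len(data) and data[pos:pos + 1] != b"\n":
                pos += 1
            continue
        start = pos
        while pos < len(data) and not data[pos:pos + 1].isspace():
            pos += 1
        if start == pos:
            raise ValueError("truncated header")
        tokens.append(data[start:pos])
    if tokens[0] != b"P6":
        raise ValueError("only binary P6 is supported")
    width, height, maxval = (int(t) for t in tokens[1:])
    if maxval != 255:
        raise ValueError("only 8-bit samples are supported")
    pos += 1  # exactly one whitespace byte separates the header from the raster
    raster = data[pos:pos + width * height * 3]
    if len(raster) != width * height * 3:
        raise ValueError("truncated raster")
    pixels = [[tuple(raster[(y * width + x) * 3:(y * width + x) * 3 + 3])
               for x in range(width)] for y in range(height)]
    return width, height, pixels


def pack_sprite(width, height, pixels, frames, threshold=128):
    """Threshold to 1 bit (dark pixel = 1) and pack each frame row-wise,
    padding the frame width up to a multiple of 8 pixels."""
    if width % frames:
        raise ValueError("image width is not a whole number of frames")
    frame_w = width // frames
    bytes_per_row = (frame_w + 7) // 8
    out = bytearray()
    for f in range(frames):
        x0 = f * frame_w
        for y in range(height):
            for bx in range(bytes_per_row):
                byte = 0
                for bit in range(8):
                    col = bx * 8 + bit
                    if col < frame_w:  # columns at or past frame_w are padding
                        r, g, b = pixels[y][x0 + col]
                        if (r + g + b) // 3 < threshold:
                            byte |= 0x80 >> bit
                out.append(byte)
    return frame_w, bytes_per_row, bytes(out)


def to_c_array(name, frames, height, bytes_per_row, data):
    """Emit the packed data as a C array indexed [frame][row][byte]."""
    lines = [f"/* {frames} frames x {height} rows x {bytes_per_row} byte(s); MSB = leftmost pixel */",
             f"const unsigned char {name}[{frames}][{height}][{bytes_per_row}] = {{"]
    idx = 0
    for _ in range(frames):
        rows = []
        for _ in range(height):
            row = data[idx:idx + bytes_per_row]
            idx += bytes_per_row
            rows.append("{" + ", ".join(f"0x{b:02X}" for b in row) + "}")
        lines.append("    {" + ", ".join(rows) + "},")
    lines.append("};")
    return "\n".join(lines)


def make_sample_pnm():
    """Constructed 15x3 P6 strip: three 5-pixel frames (diagonal, solid, blank)."""
    raster = bytearray()
    for y in range(3):
        for x in range(15):
            frame, col = divmod(x, 5)
            dark = (frame == 0 and col == y) or frame == 1
            raster += b"\x00\x00\x00" if dark else b"\xff\xff\xff"
    return b"P6\n# constructed sample\n15 3\n255\n" + bytes(raster)


if __name__ == "__main__":
    w, h, px = parse_pnm(make_sample_pnm())
    fw, bpr, packed = pack_sprite(w, h, px, frames=3)
    print(to_c_array("sprite", 3, h, bpr, packed))
```

Because each frame's rows are whole bytes, the firmware can index `sprite[frame][row]` directly and copy bytes into the frame buffer; if the target display expects a different bit order or a column-oriented layout, only the inner packing loop needs to change.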

Pulling Data From The IM-ME Spectrum Analyzer

A small, cheap spectrum analyzer with an LCD can be a fun thing to play with. But to be truly useful you need access to the raw data, and lots of it. [Travis Goodspeed] set out to make that possible by pulling the data out with a GoodFET and a Python script.

He started with [Michael Ossmann’s] IM-ME spectrum analyzer, which runs on the pager’s CC1110 chip. The two of them are giving a lecture at Toorcon 12 (called Real Men Carry Pink Pagers) and this will be used as a demonstration device. After studying the datasheet he found the starting RAM address and did some further work to decipher how the data is stored in it. From there it was a matter of working out the timing for grabbing the data, and coding a method for storing it. Now he’s looking for brave souls to help him trailblaze with this newly-discovered tool. It seems that if you know what you are doing, and have abundant patience, you can use this for a bit of old-fashioned reverse engineering.