Unlocking SIM Cards With A Logic Analyzer

[Jason Gin] wanted to reuse the SIM card that came with a ZTE WF721 wireless terminal he got from AT&T, but as he expected, it was locked to the device. Unfortunately, the terminal has no function to change the PIN and none of the defaults he tried seemed to work. The only thing left to do was crack it open and sniff the PIN with a logic analyzer.

This project is a fantastic example of the kind of reverse engineering you can pull off with even a cheap logic analyzer and a keen eye, but also perfectly illustrates the fact that having physical access to a device largely negates any security measures the manufacturer tries to implement. [Jason] already knew what the SIM unlock command would look like; he just needed to capture the exchange between the WF721 and SIM card, find the correct byte sequence, and look at the bytes directly after it.

Finding the test pads on the rear of the SIM slot, he wired his DSLogic Plus logic analyzer up to the VCC, CLK, RST, and I/O pins, then found a convenient place to attach his ground wire. After a bit of fiddling, he determined the SIM card was being run at 4 MHz, so he needed to configure a baud rate of 250 kbit/s to read the UART messages passing between the devices.

Once he found the bytes that signified successful unlocking, he was able to work his way backwards and determine the unlock command and its PIN code. It turns out the PIN was even being sent over the wire in plain text, though with the way security is often handled these days, we can’t say it surprises us. All [Jason] had to do then was put the SIM in his phone and punch in the sniffed PIN when prompted.

Could [Jason] have just run out to the store and picked up a prepaid SIM instead of cracking open this wireless terminal and sniffing its communications with a logic analyzer? Of course. But where’s the fun in that?

Ask Hackaday: Are Unlockable Features Good For The User?

There are numerous examples of hardware which has latent features waiting to be unlocked by software. Most recently, we saw a Casio calculator which has the same features as its bigger sibling hidden within the firmware, only to be exposed by a buffer overflow bug (or the lead from a pencil if you prefer a hardware hack).

More famously, oscilloscopes have been notorious for having crippled features. The Rigol DS1052E was hugely popular on hacker benches because of its very approachable price tag. The model shipped with 50 MHz bandwidth, but it was discovered that a simple hack turned it into the DS1102E 100 MHz scope. Tektronix has gotten in on this action as well, shipping modules like I2C, CAN, and LIN analysis on the scope but requiring a hardware key to unlock them (these were discovered to have a horribly insecure unlock method). Similar feature barriers are found on Rigol’s new reigning entry-level scope, the DS1054Z, which ships with protocol analysis modules (among others) that are enabled only for the first 70 hours of scope operation, requiring an additional payment to unlock them afterwards. Most scope manufacturers are in on the game, and of course this is not limited to our tools. WiFi routers are another great example of hardware hosting firmware-unlockable features.

So, the question on my mind which I’d like to ask all of the Hackaday community is this: are unlockable features good for us, the people who use these tools? Let’s take a look at some of the background of these practices and then jump into a discussion in the comments.


Hand Waving Unlocks Door

Who doesn’t like the user interface in the movie Minority Report where [Tom Cruise] manipulates a giant computer screen by just waving his hands in front of it? [AdhamN] wanted to unlock his door with hand gestures. While it isn’t as seamless as [Tom’s] Hollywood interface, it manages to do the job. You just have to hold on to your smartphone while you gesture.

The project uses an Arduino and a servo motor to move a bolt back and forth. The gesture part requires a 1sheeld board. This is a board that interfaces to a phone and allows you to use its capabilities (in this case, the accelerometer) from your Arduino program.

The rest should be obvious. The 1sheeld reads the accelerometer data and when it sees the right gesture, it operates the servo. It would be interesting to do this with a smart watch, which would perhaps look a little less obvious.

We covered the 1sheeld board a while back. Of course, you could also use NFC or some other sensor technology to trigger the mechanism. You can find a video that describes the 1sheeld below.


Remote Control For An Elevator


The elevator at [Alex]’s office building has some quirks which make it very inconvenient to everyone in the building. The major problem was that the doors of the elevator at each floor stay locked until someone walks down the hall to hit a button. Obviously this was a hassle, so [Alex] built a controller that can remotely call and unlock the elevator. (Part 2 of the project is located on a separate page.)

The first step was to source the hardware and figure out exactly how the controls for the elevator worked. [Alex] decided to use an Electric Imp for this project, and after getting it connected to the Internet, he realized that he could power it directly off of the elevator’s 10V supply. From there, he used relays to interface the Electric Imp with the “elevator call” and “elevator unlock” buttons inside the elevator’s control panel.

Once the hardware side was completed, it was time to move on to the software side. [Alex] wrote a mobile app for a user interface that can be accessed from anywhere, and also wrote the code for the Electric Imp agent and the code that runs on the Electric Imp itself. Now a simple tap of a button on a mobile device is enough to call the elevator or unlock it, instead of someone having to run down the hall to hit the button.

We hope there is some security on the mobile app, otherwise anyone in the world will be able to call the elevator and turn it into a passenger-less useless machine!

Unlocking Verizon Galaxy Note II And Galaxy S3


[Adam Outler] and friends have been hard at work unlocking the bootloader of some Verizon Android devices. His most recent adventure involves unlocking the Verizon branded Samsung Galaxy Note II.

You can’t run Cyanogenmod on a device that has a locked bootloader. This is presumably why it took no time at all for the XDA forum users with Verizon phones to raise enough money to put one of these puppies in [Adam’s] hands. He walks through the process he used to find the exploit in the video after the break. We’re not experts on the process, but apparently the .pit file used when flashing with Odin is the entry point for the exploit. A bit of code has been injected into it which provides an opening to flash a replacement bootloader.

We mentioned the Galaxy S3 in the title. Apparently that has been unlocked as well but with one big hang-up. An over-the-air update could possibly brick the S3. To avoid this issue with the Galaxy Note II the original bootloader is patched and reflashed as part of the exploit.


Sony Ericsson Promotes Android Bootloader Unlocking

Sony Ericsson recently added a new section to their developer world portal called Unlocking the boot loader. They provide all the information and tools needed to root some of their newer Android phones.

Of course, this information comes from Sony Ericsson dripping with warnings, disclaimers and warranty-voiding rhetoric. Once you’ve waded through all of that, you’ll have to enter your phone’s IMEI number, your name and email address in order to get your phone’s unique bootloader unlock key. Here’s hoping they don’t use the form information to instantly void warranties.

Unlocking doesn’t come without consequences, but from UI tweaks and performance improvements to custom apps and tethering, there are probably more reasons to unlock your Android device than there are reasons to leave it alone. In an age where people are making a fuss about companies adding stumbling blocks for would-be jailbreakers, it’s good to see that at least one of them is doing what they can to help hackers take the plunge. Anyone want to clear up why Sony Ericsson feels like supporting hackers while Sony sues people for doing similar things on the PS3?

Thanks to [flip] | remixed image credit (cc by-sa 2.0): [taka@p.p.r.s]