
Travis Goodspeed, Reverse Engineering Small Radios for Compatibility

BSides Knoxville · 41:01 · Published 2019-06
About this talk
Recorded at Knoxville's 5th annual BSides on May 3rd, 2019. Suppose that you have a small radio, such as a wireless sensor or a digital walkie-talkie, and you'd like to talk to it. This action-packed talk will show you how to rip the configuration from the airwaves, the firmware, or the SPI bus of an embedded radio, then write it into your own hardware to receive and transmit packets. Learn how to extract keys when the crypto is good, or how to efficiently crack it when it's not. Learn how to track down the interesting parts of firmware for patching, and how to rewrite the firmware from scratch with a few notes. These examples are taken from real hardware.
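The SPI-bus route the abstract mentions, and which the talk walks through with the nRF24L01+ on the Next HOPE badge, as an added Python example that is not the speaker's code: it takes the MOSI bytes of each chip-select burst, as a logic analyzer's SPI decoder hands them to you, and folds the register writes into the parameters another radio needs. Command encodings and register numbers are from the nRF24L01+ datasheet; the capture itself is constructed, not a real recording.

```python
"""Recover an nRF24L01+ configuration from sniffed SPI register writes.
Added example; the capture below is constructed, not from real hardware."""

# nRF24L01+ SPI command words (first MOSI byte of a chip-select-low burst)
W_REGISTER = 0x20      # 0b001A_AAAA: write register AAAAA, data bytes follow
R_REGISTER = 0x00      # 0b000A_AAAA: read register AAAAA
W_TX_PAYLOAD = 0xA0
R_RX_PAYLOAD = 0x61

# Register addresses that matter for becoming compatible with the network
REG_CONFIG, REG_EN_AA, REG_SETUP_AW = 0x00, 0x01, 0x03
REG_RF_CH, REG_RF_SETUP = 0x05, 0x06
REG_TX_ADDR, REG_RX_PW_P0 = 0x10, 0x11


def decode_transaction(mosi: bytes) -> dict:
    """Classify one burst (CS low .. CS high) by its command byte."""
    cmd = mosi[0]
    if cmd & 0xE0 == W_REGISTER:
        return {"op": "write", "reg": cmd & 0x1F, "data": bytes(mosi[1:])}
    if cmd & 0xE0 == R_REGISTER:
        return {"op": "read", "reg": cmd & 0x1F, "len": len(mosi) - 1}
    if cmd == W_TX_PAYLOAD:
        return {"op": "tx_payload", "data": bytes(mosi[1:])}
    if cmd == R_RX_PAYLOAD:
        return {"op": "rx_payload", "len": len(mosi) - 1}
    return {"op": "other", "cmd": cmd}


def radio_settings(transactions) -> dict:
    """Fold all register writes into channel, rate, address width and sync word."""
    regs = {}
    for t in map(decode_transaction, transactions):
        if t["op"] == "write":
            regs[t["reg"]] = t["data"]          # last write wins, as on the chip
    out = {}
    if REG_RF_CH in regs:
        ch = regs[REG_RF_CH][0] & 0x7F
        out["channel"] = ch
        out["frequency_mhz"] = 2400 + ch         # channel number, not a free frequency
    if REG_RF_SETUP in regs:
        s = regs[REG_RF_SETUP][0]
        # RF_DR_LOW (bit 5) selects 250 kbps, else RF_DR_HIGH (bit 3) picks 1 or 2 Mbps
        out["data_rate"] = "250kbps" if s & 0x20 else ("2Mbps" if s & 0x08 else "1Mbps")
    if REG_SETUP_AW in regs:
        out["address_width"] = (regs[REG_SETUP_AW][0] & 0x03) + 2   # 0b01=3 .. 0b11=5 bytes
    if REG_TX_ADDR in regs:
        # On these chips the address is what a receiver syncs on, i.e. the frame delimiter
        out["tx_address"] = regs[REG_TX_ADDR].hex()
    if REG_EN_AA in regs:
        out["auto_ack"] = regs[REG_EN_AA][0] != 0
    if REG_RX_PW_P0 in regs:
        out["payload_len"] = regs[REG_RX_PW_P0][0] & 0x3F
    return out


# Constructed capture: MOSI bytes per burst, the way a CPU would set up the radio
# just after reset. Values are plausible, not sniffed from any real device.
CONSTRUCTED_CAPTURE = [
    bytes([W_REGISTER | REG_CONFIG, 0x08]),          # CRC on, still powered down
    bytes([W_REGISTER | REG_EN_AA, 0x00]),           # auto-ack off
    bytes([W_REGISTER | REG_SETUP_AW, 0x03]),        # 5-byte addresses
    bytes([W_REGISTER | REG_RF_CH, 0x51]),           # channel 81 -> 2481 MHz
    bytes([W_REGISTER | REG_RF_SETUP, 0x06]),        # 1 Mbps, 0 dBm
    bytes([W_REGISTER | REG_TX_ADDR, 0xE7, 0xE7, 0xE7, 0xE7, 0xE7]),  # datasheet default
    bytes([W_REGISTER | REG_RX_PW_P0, 0x10]),        # 16-byte payloads
    bytes([W_TX_PAYLOAD] + list(range(16))),         # a packet going out over the air
]

if __name__ == "__main__":
    for k, v in radio_settings(CONSTRUCTED_CAPTURE).items():
        print(f"{k:15} {v}")
```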

including these registers from the datasheet as possible, but it involves a lot of arithmetic, and engineers are lazy, so they want proprietary Windows tools to calculate it for them. So generally what you do is you run this program, SmartRF Studio, and it presents you with a list of the register values that you will be using in your own code. Among other things, you can set up a template, and then it generates those settings to match your source code style, so you can export registers to a Python array or to a C array or whatever your internal code is using. This becomes a good starting point,

but then you need to manually adjust the values in order to actually match your target. I always begin a new standard by implementing the register settings in Python until I can get back individual packets at my UNIX command line, and at this stage of development I am completely away from my receiver hardware; I usually go to a coffee house, SSH home, and then use the board, just so that I could get out of the lab for a while and be away from it, because there's no reason to touch the physical hardware while something else is your mystery. The radio configuration registers themselves are unique to the type of radio you're dealing with, like as a vendor or a

chip family, and then even within a family they will usually be different for the 2.4 GHz models and the sub-GHz models. The sub-GHz models will be less configurable, sorry, the 2.4 GHz will be less configurable, because of, I guess, regulation reasons or usability reasons. At sub-GHz you have to choose how wide your filter bandwidth is and what your deviation is and all these other fancy settings; at 2.4 GHz you generally just say what channel number you're on, you can't even choose an individual frequency, then you specify your rate, and the rate won't be an exact bit timing that you dial in as a setting in Hertz; instead it will just be 1 megabit per

second or 2. And also the modulation matters: is this 2-FSK, in which the higher frequency is a one and the lower frequency is a zero, or is it 4-FSK, in which you have multiple steps and encode two bits per symbol? In addition to the physical layer fields there are also some digital fields, like a start of frame delimiter. The transmitter will send this before every packet that goes out, so if you need to hide the transmission you can corrupt this to something else and that would just look like background noise to a receiver. There's also a length field, which the receiver can optionally use in order to buffer up the packet for you, so that your microcontroller can be

alerted when the complete packet has arrived and is waiting in a buffer, ready to be read. The alternative to that is that your microcontroller has to race the packet transmission, flushing bytes out of the radio's buffers so that they don't overfill. You have to do this for very long transmissions, which are commonly found in voice and pager, but you won't for short chirps that you would find in home automation sensors and things like that. In order to get like the very first packet out you just need to know your symbol rate, like how fast these symbols come, and your modulation, are you turning the radio on and off or what are you doing, and, as we can

see, you need to know the deviation if you are transmitting, which is how wide of a channel you're actually using; in 2-FSK it's the distance between a 1 and a 0. On the receiving end you care more about the filter bandwidth, and the filter bandwidth is a tricky thing to decide upon, because if you make it too narrow then you might miss a transmission that is slightly off in frequency, and if you make it too wide then you might be blinded by a loud transmission to the side when your real transmission is coming in on exactly the right frequency. But luckily in reverse engineering we can set aside the question of performance, and so after we

get things working. Now in POCSAG we have a defined standard that we can read, and it says the symbol rate is 1200 baud, it says that it's 2-FSK, which means that you have one frequency for a one and a different frequency for a zero and you switch between them, the deviation is defined as twelve and a half kilohertz (older networks will use 25), and the filter bandwidth, like 200 kHz is too big, 8 kilohertz is fine, and the start of frame delimiter is described as 7CD215D8. As far as the receiver is concerned, everything that comes in is garbage and background noise until it sees those 32 bits, and that's what it

uses to begin measuring the symbols and reading the packet. And then we get to the real-world complications, where all of this is ever so slightly off. So the symbol rate of 1200 baud is like the standard definition, but the chip itself doesn't need to know that; the chip itself needs to know how wide a bit is, and that is 8.33 times 10 to the negative 4 seconds per symbol. So that's easy, we're just like inverting a fraction here. But then it comes to modulation: so the modulation is inverted 2-FSK, which means that a 1 is the lower frequency and 0 is the higher frequency, and the deviation and filter bandwidth are the same, but that means, because our ones

and zeros are upside down, our packet will arrive in the buffer upside down and we need to match on the inverse of the start of frame delimiter, so instead of 7CD2... we have to match on 832DEA27, and the same is true for all of the bits in our packet: every single one of them will be inverted, so we have to XOR them with 0xFF after they arrive. We also need a transmitter to work with; you're not going to be able to make this work if you do it entirely blind with nothing to test against, because any small mistake will snowball into nothing working. So we have a

reference transmitter here in the form of an MMDVM. This is a cute little attachment that you throw onto a Raspberry Pi that allows it to speak P25, DMR, POCSAG and many other UHF and VHF protocols. And we need a network so that we can send a packet to this device, so I've been testing through DAPNET, which is the Decentralized Amateur Paging Network. If you're a ham radio operator you can register for a pager number through them, and then order a pager to receive it from the network or build your own, and then there's a handy little website and a cell phone app that allows you to send the page. At this point you can finally break out the

software-defined radio and record a signal and then compare it to the values that we calculated with the standard. Down here at the bottom are the actual zeros and ones of the message; you probably can't focus at this distance, but it begins with a whole lot of one zero one zero one zero one zero. The preamble is 480 milliseconds long, almost half a second, and that's the reason your pager has such good battery life: your beeper will be off for 400 milliseconds and then it will turn on just to see if a packet is coming, and if it's not, it turns everything all the way off again, so that one little battery can last for months of uptime, far better

than any handheld voice radio. So we begin by recording a legitimate signal with the SDR, measuring it to learn the parameters, and then when they're correct we can parse the decoded bits as strings and begin building our software parser for the incoming packets. Then after we get the right register settings, we write them, as we talked about, in Python connected to our dev board; it's real quick this way, and when we make mistakes they're easy to fix. We can try things out live on the interpreted Python command line and the results come out to a UNIX shell, like if something is working unreliably you just correct for the right answer, or export it into another Python class to

begin writing a decoder on the host, so that we understand the problem before we sit down to write firmware. And we do this because fixing mistakes inside of the watch without a command line is a lot harder than fixing them on the desktop with all the resources and logging in the world. After we then understand the problem in Python on the host, we write a parser library in C to run host-side with test cases, again away from the hardware, and then finally we meet in the middle by having a good parser library, having our C code running inside of the radio, and then making an interactive application to show the incoming pages. This is my

test device: it's a watch wired to a USB serial adapter, very much like the one you get with your badges. It has no display, it has no keypad, it has no buttons, because everything is being done host-side. As I use it, I have a Python script that connects to it and then it dumps back raw packets, which I can then begin to parse in the C parser. This section of the C code has an #ifdef: if a standalone macro is defined, it means it's being compiled to run on my desktop, and I run all of the tests on amd64 Linux away from the watch, so that I know that my code is correct before I begin

moving it into firmware, and then when I move it into firmware it works. So, this being BSides, we can send that message: this is a page being received in a wristwatch, about six hours of battery life, more than enough to cheat a pop quiz. So that was a lot of work, right? We had many different stages. What we would much rather do is take the easy way out and reuse what's already available in the hardware of a receiver to sort of shortcut the process and know what the right settings are. For many of these devices the configuration and the packets are exposed over an SPI

bus. This is the same protocol that your laptop uses to grab a copy of the BIOS from the flash ROM chip, so we can just copy its configuration out by sniffing it. And again, thank you kindly, Studebaker Corporation of America, for making this possible. So for this target we're going to use the Next HOPE badge, which I designed for the HOPE conference in 2010. On the left, actually I can highlight stuff, so on the left we have this chip here, and this chip is an MSP430 running the OpenBeacon firmware. Throughout the conference these badges would beep out like a little packet, and then there were receivers running the OpenBeacon infrastructure software that would record

these packets and try to triangulate through the packet error rate, figuring out where the attendees were at all times; it was like some artistic mumbo-jumbo about surveillance. And then over here on the right side of the board is this much smaller chip that is the actual radio. This is an nRF24L01+; it has its own crystal, it has most of the analog components on board involved in the filtering, and that's what actually sends out the packets into the air. And it's really capable of receiving too, even though that wasn't used in the OpenBeacon firmware as configured at this event. So the radio chip, pointing to where this arrow

has its own copper traces, and the microcontroller has its own copper traces that connect to them, and they connect on this little sequence of pads here, which is perhaps better seen in the photograph. So these pins break out the SPI bus. I did this as like an expansion port, so that you can add a new device in addition to the radio to your badge, but it's also very handy in sniffing the connection between the CPU and the radio, and you can use this in order to watch the CPU configure the radio, because every time the radio is powered on the CPU will write into it the channel that it uses, the data rate, the

modulation type, the start of frame delimiter: all of the settings that you need to participate in the OpenBeacon network are uploaded into this chip, and another Nordic RF chip will then be able to sniff the packets that come out of the OpenBeacon network. It's not Wi-Fi, it's not Bluetooth, it's its own thing, but you can become compatible with it just by tapping those wires. Back in the day you would use a dedicated logic analyzer, you'd use a dedicated protocol sniffer for this, like the Beagle from Total Phase; nowadays these Saleae devices are more than fast and more than reliable enough. So you just bring the pins from here to the board

you're trying to tap, and then the signals will come out of it and you tell it which pin means what, like which one is the data from the host to the device, which one is from the device to the host, which one is the clock, and with those three it's able to parse the entire recording and tell you every transaction that occurred between the CPU chip and the radio. And usually you grab the settings just after reset, but you also get the packets that go across. In the case of the OpenBeacon firmware the radio is held off and it never receives a packet, but if you have something that is communicating

bi-directionally with the network, then you can see the packets themselves come in over the bus, and that could be enough for a sniffer without having to write any firmware of your own or build any hardware. There's also a lovely case that a lot of these microcontrollers were too low-power to support hardware acceleration of cryptography, so the radio vendors said, hey, that's not so hard, we're making our chip anyway, let's add it. But then you have the situation that the radio chip is encrypting the packet that is outbound and decrypting the packet that is inbound, away from the CPU, and the cleartext packet is exposed over the bus. And on those devices not only do you get all the

radio configuration settings, but it also takes care of doing the cryptography for you, so you can sniff the packets in the clear, which is very handy. Now many boards won't tap out all of the SPI pins as easily as like a development board or a hacker conference badge, but for those I use hypodermic syringes: I just stick a wire down the barrel and then poke them into the board. Not only can you poke them into vias and such, but if you're careful you can also hit a wire trace, and the sharp end of the needle allows you to push it through the solder mask in order to touch the exposed copper. You

generally do this at first, and then you solder a very thin wire after you know which are the right pins to tap, and then the end result: you get cleartext packets, and you're then on the network of this strange device for which you have no documentation. Now as technology moves forward and time marches on, especially in the very lowest-powered devices, the radios are beginning to become combined with the microcontroller, and in these cases you have no exposed SPI bus to tap. Instead you need to read out the firmware and then look at the firmware to see what's going on, but as before, you're lazy and you want to do it as quickly

as possible. So after you rip the code out, either through exploiting the bootloader, or through reading a firmware update, or finding an unlocked chip in an early prototype device before they locked everything down, you have this blob and you have to figure out where the radio code is inside of what might be a very large application. So inside of the device, the radio core is still connected to the CPU somehow, and if you can find the development guide for the chip it will tell you that you write a byte to this address in order to send it off to the radio, and you read the reply from this other address, and you can search these addresses

within the code, as well as features of how the packets are formatted. So for example in DMR an address is, I forget how many bits long, but they'll have a mask against them, I think it's 0xFFF, so everywhere in the DMR code that you see something being bitwise ANDed with 0xFFF, that's involving the addressing of the DMR network layer. Let's take a simple example, which is the TurningPoint clicker. I like using this as an example because when I was a graduate student they threatened to sue me. Today these clickers are used in classrooms, so I don't know if any of you are still in college, but about 2007 this dude

at TurningPoint once said, hey, you know what students would really love? They'd love to blow 50 dollars on electronics at the bookstore that they can't make themselves. So we were, however, going to make one ourselves. So this uses a chip called the nRF24E1, and the 24E1 is a 2.4 gigahertz transceiver; it operates in 2-FSK at one megabit per second, and when you push a button on your clicker, like the one button in the top left, the firmware wakes up and it transmits your serial number along with your guess. The instructor then receives votes from the class and can use it for classroom participation

grades, or, if you're within range of these things, you'd better hope that you're not sitting in the back of the classroom.

But here the vulnerability that prevents the design from being protected is this little chip here. So this chip is the Nordic RF radio, and it's got most of the CPU, but when you're adding a radio and the CPU into the same package, that's easy; when you have a memory package and you put a CPU on top of that, that's also easy; when a CPU manufacturer is trying to add both the radio and flash at the same time, that becomes rather hard. So rather than try, they have a separate chip off to the side, and that contains the reprogrammable memory. The Nordic RF chip here boots from internal mask ROM and then copies the

actual application out of the reprogrammable chip, and this ugly wire over here taps that out using the same bus that they used in the factory, which allows us to read out all of the firmware and then have a copy of it to reverse engineer it on a desktop computer. Now in order to load it we need to know a couple of things. We need to know the architecture of the firmware, because each one of these devices will use a different instruction set; in the case of the TurningPoint clicker it's an 8051, which is a very old Intel 8-bit architecture that's fun to work with and has excellent support in IDA. We also need to know the loading address;

sometimes code is loaded to address zero, other times it goes to a higher address, like 0x1100 is a common loading point for the MSP430, and 0x08000000 and change is a popular loading address for ARM. You also need to know where the register addresses are; you can find this either in the datasheet or in the header files for the development kit. The header files will declare that a particular variable is volatile and is located within the I/O region, and it will just have hundreds of these things for everything from general purpose I/O pins to interacting with the radio. Once you know their names you can search for the juicy ones. You should always sanity

check the firmware before you begin digging into it, because it's easy to think that things are working right when it is loaded to an incorrect address. For example, in embedded ARM code, which is called Thumb, function calls use program-counter-relative addressing, so if you load your image to the wrong address all of the function calls will look right but none of the function pointers will match. OK, so we begin with the basics. We know that there will be functions inside of the code that use the I/O ports, and we also know the functions which read global variables, so if we see code interacting with a particular address as part of sending a packet, like the

destination address field for example, we can mark those addresses in our reverse engineering tool. I/O ports are even better, because they're like global variables that can't move and are the same for everything that might possibly be compiled for that chip, so we can use this to identify like the valuable low-level functions and then work outward from there to the parent functions that call these little ones we've identified. So the first thing that I look for is the function that receives and transmits a byte over the SPI bus; this is that function from the TurningPoint clicker firmware. Now it's important to understand that the SPI bus can have more than one slave device attached to it, and that

these are distinguished by a chip select pin. So you use the chip select pin to choose which chip you want to talk to and then you send the data across, but everything that sends data to either the radio or the EEPROM will go over this function. Now I mentioned before that the radio is not a separate chip, but here I'm saying that it's still over the SPI bus; in order to simplify their design and their chip layout they just put a CPU core right next to the radio core as if they were wired together on a piece of PCB, so it's using the same wiring. We then can identify all of the function calls that are made to this

function, so this list continues off the screen. This is a list of everywhere in the firmware image that a byte is received and transmitted over the SPI bus. When I first saw this list, of course, I didn't know what any of those other functions did, but I could begin looking into them by how often they call the function and what else they had, until eventually I had the names for all. So this function down here transmits the packet, and this function here writes the configuration, and these functions down here read from the external SPI flash, and then these functions I haven't gotten around to reverse engineering yet, but I don't need them, as I found

everything that you need elsewhere in the code. So when you've got a firmware image of hundreds, thousands, or tens of thousands of functions, you generally ignore everything that doesn't immediately relate to the mystery that you're trying to solve; you're not trying to convert the entire thing back to source code, you just try to understand it enough that you can be compatible or interoperate. So we have SPI where, first you select the chip, and then you call the SPI receive/transmit function a bunch, like for every byte in the buffer that you want to exchange, and then you deselect the chip. So knowing the function that actually transmits the bytes, we can then begin looking for

the instructions that select the radio, and these are documented in the datasheet for the Nordic RF, it's just a one-chip device. The radio is selected by using the SETB instruction to set the third bit of the radio register, and then the EEPROM is selected by clearing, we take it low instead of taking it high as with the radio, by clearing general purpose I/O port 0, pin 0. And then we can identify this code and see how the radio is being set up. So we see the calls being made and you see that it's calling this function here, radio write config, and if we jump to that we

can see that this is really sloppy code; instead of running through like a buffer, they're just calling the function 30 times in two rounds, and you can see that it's writing 8, 8, 0, 0, 0, 0, 0 and so on until 1B, 1C, 1D and so on. This is the code that actually configures the radio, and if you do the same thing in your own chip, you have configured a radio for their network. There's a similar function that reads out of the SPI flash, and I was confused as to why they would bother, because the SPI flash gets copied into the radio at boot to actually be the program and run; the small low-end

equivalent of the loader that was talked about this morning. The reason for this is that they wanted to be able to read the serial number out of the EEPROM without mixing it with the code, so by finding the region in the EEPROM that had the serial number that was written in hexadecimal on the sticker on the back of the device, I was then able to know what the address field was and where to place it myself. This means that not only can I communicate on the network, but I can also go forward and match between like a physical unit and its packets in the network and accurately identify who said what,

and this gives us all the results that we need without ever touching a software-defined radio. We know the radio runs at 2411 megahertz, that is to say, at one megabit per second in 2-FSK, and the trickiest part of this, the thing that kept me from being able to sniff these packets without even opening the device, was that the Nordic RF devices have an unknown start of frame delimiter that marks the beginning of the packets. So without knowing that, at the time I wasn't able to sniff promiscuously; I later figured that out but did not know it at the time. So I needed to know this three-to-five-byte field that would describe where

the packets begin in the air, in order to tell my receiver what to match on, and this secret number that made me do all of this work turned out to be 123456. So having these parameters you can then sniff the traffic, so you can see like, is the classroom voting for A, B or C, what's the most popular one; you can emulate it in order to transmit your own packets, so you could follow along with the majority, and hide a device inside the rafters that just always voted as a straight-A student with perfect attendance. This also tells you that you can do jamming: if you just jam 2.4-something gigahertz, none of these devices will get signal,

a little bit of the channel and the network won't function. Again I'd like to thank the Studebaker company, god bless those fine folks; the new 1964 models are really something, different too, Studebaker is different by design. OK, so we want other targets, right? What other devices might we apply these techniques to? Because unless you are both into electrical engineering and suffering through an undergrad psychology class, you really don't care about hacking the clicker for the results of it; you care about it for the techniques and how they might apply to something else. So one handy target is the Tytera MD-380. Some friends and I reverse engineered this; we started a project that you can find on GitHub

called md380tools. This is a $90 handheld radio; it's very popular for amateur radio, but it also works on business networks. It can do either DMR, the digital standard, or regular narrowband FM modulation. We wrote firmware patches that enable things like promiscuous mode, so that you can hear all of the audio going on in the channel and know not to accidentally stomp on someone else's conversations. In business radio this doesn't make sense, because you don't want the guys on the line to hear management talk about them, but in amateur radio it matters a lot, because in amateur radio before I transmit I need to make sure that no one else is transmitting on that same repeater, and

there are time slots, so two people can talk at the same time as long as they're in different time slots, and none of the commercial radios, except for the really high-end Motorolas, allow you to do that. So you couldn't listen before you transmit; you then weren't able to know that the channel is really clear, and people would interfere with each other all the time. With promiscuous mode you can then hear all of the conversations and know not to interfere. We added a universal address book, so inside of the radio firmware we hollowed out a bunch of flash memory for our own code, but there's also an external SPI flash chip with

just tons of space available that was unused by the manufacturer, so we replaced that with a caller ID database of every amateur radio user in the world who had registered for using this protocol, so that when you get an incoming packet you know that it's like Jim in Arkansas and not the other Jim in Philadelphia. Yeah, raw packet sniffing and injection, so that you could catch all of the packets in order to learn how the protocol really works, and we ripped out the audio codec, which is a proprietary vocoder called AMBE+2, and we've relinked the firmware image to run as a Linux executable, so that you have a command-line tool that can turn packets

into a WAV audio file, or a WAV audio file back into packets. This is a screenshot of the caller ID database showing an incoming call, and you know that the guy's also [unclear], that's read a little southern. A companion application that would connect to the radio through USB host mode: so this is showing a log of all the calls that were made, and at the bottom the raw data of a text message. The program [unclear]. Twelve years ago this thing came out as a text messaging toy for kids whose parents didn't want to give them one, so instead of plugging into the desktop computer you have a little USB dongle

plugged in, and then this would allow them to chat with their friends and get the text back. This board here is running a random number generator test; the results of it showed that the protocol for this chip was using bad random number generators in their encryption, making it exploitable over the air. The hardware has been completely documented and reversed, and you could write whatever you want to run inside this. My favorite thing that I wrote for this is when I had the privilege of collaborating with Sandy Clark, Matt Blaze and the fine folks at UPenn; we wrote a reflexive jammer for APCO P25 police radios, so that when the packet comes in

it then transmits during only the destination address field, which causes the receiver to believe that the packet was intended for someone else, and it's able to do this by transmitting only 0.3% of the time. We ran this on amateur radio frequencies; we got all sorts of phone calls from every fire department that was having trouble with their [unclear]. There's a lot to be done in making these radios more reliable that needs to be done, such as automatic failover when the tower is [unclear]. And then the next thing that makes it earlier: the Nordic RF chip is compatible with the ones used in, you know, Microsoft wireless keyboards, so Max Moser and

Thorsten Schröder made this hardware called KeyKeriki. They used custom hardware in order to skip the start of frame delimiter, in order to sniff these Nordic devices promiscuously using KeyKeriki, and I could've known the TurningPoint clicker's secret number was one two three four five six without having to reverse engineer it. So in 2010 I figured out how to port that technique to work entirely in software without building custom hardware, and got that running on the Next HOPE badge. So here on the right you see the Mac OS text editor, the string is being typed in, and the same keypresses are being caught by the Next HOPE badge over the air, because the

closest thing to encryption they were using at the time was XOR with their own address. Since then there's been MouseJack and many other projects that are playing with these devices, these sort of like dongle keyboards, and [unclear], though they have encryption, it is optional, so you wouldn't be able to know what was sent on the network, but you could inject your own packets. MouseJack abuses this to inject keypresses into a mouse, because over USB they're the same thing. And aside from the [unclear] Studebaker of April 1964...

Yeah, I have just a few minutes for questions, and the way that the light works, so the way I'm kind of lined up here... [Music]
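The "upside down" POCSAG case from the talk (1200 baud, inverted 2-FSK, sync word 7CD215D8 becoming 832DEA27, every payload bit XORed back after arrival), as an added Python example that is not the speaker's code: it derives the per-symbol width the chip wants, inverts the sync word, and decodes a constructed on-air bit string the way a receiver with the wrong 1/0 sense would see it. The idle codeword 0x7A89C197 is the standard's; the bit string itself is constructed here.

```python
"""Turn the POCSAG numbers into what a radio chip needs, and undo inverted bits.
Added example; the on-air capture built below is constructed, not recorded."""

POCSAG_BAUD = 1200
POCSAG_SYNC = 0x7CD215D8      # 32-bit start-of-frame delimiter from the standard
POCSAG_IDLE = 0x7A89C197      # idle codeword, used here as a harmless payload


def bit_period_seconds(baud: int) -> float:
    """Chip registers want the width of one symbol, not a baud rate."""
    return 1.0 / baud


def preamble_bits(seconds: float) -> int:
    """How many 1010... bits a preamble of this length carries at 1200 baud."""
    return round(seconds * POCSAG_BAUD)


def inverted(word: int, width: int = 32) -> int:
    """Bitwise inverse of a word: the sync word the chip must match on when
    its idea of 1 and 0 is the opposite of the standard's."""
    return word ^ ((1 << width) - 1)


def uninvert_buffer(raw: bytes) -> bytes:
    """Packet bytes arrive inverted from such a chip; XOR each with 0xFF."""
    return bytes(b ^ 0xFF for b in raw)


def find_sync(bits: str, sync: int, width: int = 32) -> int:
    """Index just past the sync word in a '0'/'1' string, or -1 if absent."""
    pattern = format(sync, f"0{width}b")
    i = bits.find(pattern)
    return -1 if i < 0 else i + width


def build_capture(codewords, invert: bool = True, preamble: int = 576) -> str:
    """Constructed sample: preamble, sync, codewords, as seen by a receiver whose
    1/0 sense is upside down (invert=True) or correct (invert=False)."""
    frame = "10" * (preamble // 2) + format(POCSAG_SYNC, "032b")
    for cw in codewords:
        frame += format(cw, "032b")
    if invert:
        frame = "".join("1" if b == "0" else "0" for b in frame)
    return frame


def decode_capture(seen: str, chip_inverted: bool):
    """Match on the sync word the chip actually sees, then undo the inversion on
    every 32-bit codeword that follows. Returns None when no sync is found."""
    sync = inverted(POCSAG_SYNC) if chip_inverted else POCSAG_SYNC
    start = find_sync(seen, sync)
    if start < 0:
        return None
    words = []
    for i in range(start, len(seen) - 31, 32):
        w = int(seen[i:i + 32], 2)
        words.append(inverted(w) if chip_inverted else w)
    return words


if __name__ == "__main__":
    print(f"bit period: {bit_period_seconds(POCSAG_BAUD):.3e} s")
    print(f"480 ms preamble: {preamble_bits(0.480)} bits")
    print(f"sync {POCSAG_SYNC:08X} -> inverted {inverted(POCSAG_SYNC):08X}")
    seen = build_capture([POCSAG_IDLE])
    print("standard sync matches? ", decode_capture(seen, chip_inverted=False))
    print("inverted sync matches? ",
          [f"{w:08X}" for w in decode_capture(seen, chip_inverted=True)])
```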