Travis Goodspeed - Not Quite ZigBee (Presentation Transcript)
Not Quite ZigBee; or, How to Sniff a Strange Radio Open with “Why should you give a shit?” List of Exploits Travis Goodspeed22 April 2010 -- Source Boston email@example.com
Introduction✤ Wifi✤ Bluetooth ✤ Ubertooth✤ ZigBee ✤ KillerBee, GoodFET, Freakduino Chibi, Daintree✤ What about everything else?
Introduction✤ This is not a USRP lecture.✤ Weird radios are usually one-off designs. ✤ Bad cryptography, if any. ✤ Little testing, quality control.✤ Vulnerabilities inherited from the chipset.
Citations✤ Max Moser and Thorsten Schröder✤ Michael Ossmann✤ Read my articles for the rest, http://travisgoodspeed.com
Example Targets✤ Radio Remote Controls✤ Apple/Nike+ Shoe Pod✤ Garmin ANT+ Watch✤ Microsoft Keyboard
Methodology✤ Dissect a device. ✤ Part numbers, chip die photographs, firmware.✤ Determine radio encoding, rate, and frequency. ✤ 2FSK, 2Mbps, 2.4GHz ✤ QPSK, 1Mbps, 2.4GHz✤ Build a transceiver.
Part Numbers✤ CC2420, EM250, A7125 ✤ Uniquely identify the part, index the datasheet. ✤ Vulnerabilities are indexed by part number, not product name.✤ Sometimes they are missing or ground off. ✤ HNO3 and H2SO4 are your friends!
Datasheets✤ Describe registers and pins.✤ Sometimes private, but often public.✤ Read the whole damned thing, and you're sure to find bugs.✤ Also read the errata sheets. ✤ For this chip and its ancestors.
Die Badges✤ Identify the internal part number.✤ Sometimes this is the public one.✤ Sometimes it isn’t. ✤ Animals, Logos ✤ Lot numbers.
Ember EM357 Magnum
Mystery 2.4GHz Radio nRF24E1G✤ Logo first.✤ Inductors. ✤ Lollypops!✤ Fill Pattern
Mystery vs. CC1110
Mystery vs. EM357
Mystery vs. nRF24L01+
Mystery vs. nRF24L01+
Meet the Lineup✤ Chipcon✤ Nordic RF✤ Amiccom✤ Others
Chipcon ISM Band✤ CC1100, CC2500 radio.✤ CC1110, CC2500 system-on-chip.✤ Very configurable. ✤ CC1110 talks to anything sub-GHz. ✤ Undocumented 4FSK, use register settings for CC1101.
Nordic RF✤ No promiscuous mode. ✤ There's a hack, but it's ugly.✤ Not very configurable: ✤ 2FSK, fixed deviation. ✤ Integer MHz channels.✤ Found in: ✤ Microsoft Keyboards, Mice ✤ OpenBeacon ✤ Sparkfun Keyfob ✤ ANT+, Nike+
Amiccom A7125✤ 2.4GHz, 2FSK✤ Docs in English, Chinese✤ Unbuffered mode for outputting symbols directly. ✤ 2 million symbols/second! ✤ Handy, but not necessary, for promiscuous sniffing of Nordic traffic.
Modulation Schemes✤ Frequency Shift Keying (FSK) ✤ Cheap digital radios, Bluetooth.✤ Amplitude Shift Keying (ASK, OOK) ✤ Car remotes, garage door openers.✤ Phase Shift Keying (PSK) ✤ Wifi, ZigBee✤ Complicated variations of each.
Frequency Shift Keying✤ Symbol Rate: Integer or floating?✤ Frequency: Integer or fractional?✤ SYNC: Configurable? Repurposed as the address?✤ Deviation: Space between highest and lowest symbol.✤ Encoding: ✤ 2FSK: Low frequency is zero, high frequency is one. ✤ 4FSK: +1, +1/3, -1/3, -1
Getting a radio board.✤ Chips are difficult to use directly. ✤ QFN or BGA chip packages. ✤ Radio layout requires a custom board.✤ Modules are available with radio and analog chain. ✤ Often lack an MCU, so use a GoodFET.✤ Commercial boards are often useful. ✤ GirlTech IMME, Next Hope Badge
Configuring the Radio✤ All digital radios are configured by Special Function Registers (SFR).✤ Register settings can come from multiple sources: ✤ SmartRF Studio configuring TI/Chipcon radios. ✤ Datasheets ✤ Ask Ossmann
GoodFET Radio Architecture✤ Firmware in C, client in Python.✤ Py2Exe port for Win32. ✤ Only tested on the Chinese build.✤ Firmware is trimmed to support only the needed drivers.✤ New drivers can be written in pure-Python. ✤ Port functions to C as needed.
Turning Point Clicker✤ Classroom remote control.✤ Attendance, Quizzing✤ Nordic nRF24E1G ✤ 8051 MCU ✤ 2.4GHz Radio ✤ External Flash
nRF24E1✤ 8051 Microcontroller ✤ More popular than ARM and X86.✤ Internal nRF2401 Radio ✤ 1Mbps GFSK Radio ✤ 2.4 to 2.5 GHz, 1MHz Channel Spacing✤ No internal Flash. Boots from external EEPROM.✤ No promiscuous mode. (The hack comes later.)
Block diagram: Radio + 8051 MCU, SPI ROM
nRF24E1 Firmware in IDA✤ "goodfet.spi25c dump clicker.hex"✤ Copy all but the first 7 bytes to clicker.bin.✤ Load clicker.bin into CODE memory at 0x0000.
Useful Registers✤ SPI_DATA, SPICLK, SPI_CNTRL, EXIF✤ P1 LED Port✤ P0.0 SPI EEPROM Slave Select✤ RADIO #0x80 ✤ RADIO.3 is Radio Slave Select ✤ RADIO.7 is Power Up
From Registers to Functions
RADIOWRCONFIG✤ Just a lot of SPIRXTX.✤ Config word, byte by byte (fields: Data Width, ADR, ADR Width, CRC, LEN, Config, Channel): ✤ 08 08 00 00 00 00 00 00 00 ✤ (1B) (1C) (1D) ✤ 63 6F ✤ (1A)+1✤ MAC at 0x1B, 0x1C, 0x1D✤ 4 bytes of data✤ 1 byte checksum✤ Channel at 0x1A
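To make the register-to-function mapping concrete, here is an added example of my own (not from the slides or the GoodFET project) that packs and unpacks a 15-byte nRF2401-style ShockBurst configuration word like the one the RADIOWRCONFIG routine shifts out. The field names and bit widths are my recollection of the DATA2_W..RXEN part of the nRF2401 datasheet layout (the nRF24E1 radio core is an nRF2401) and should be checked against the datasheet before you trust a decode; the address, channel and widths in EXAMPLE_WORD are constructed for the demo, not the clicker's actual bytes.

```python
"""Pack/unpack an nRF2401-style 15-byte ShockBurst configuration word.

Added example; field layout is from memory of the nRF2401 datasheet
(DATA2_W first, RXEN last, 120 bits) and must be verified against it.
"""

# (field name, width in bits), most significant field first
FIELDS = [
    ("DATA2_W", 8),   # RX channel 2 payload width, in bits
    ("DATA1_W", 8),   # RX channel 1 payload width, in bits
    ("ADDR2", 40),    # RX channel 2 address
    ("ADDR1", 40),    # RX channel 1 address: the SYNC word on the air
    ("ADDR_W", 6),    # address width, in bits
    ("CRC_L", 1),     # 0: 8-bit CRC, 1: 16-bit CRC
    ("CRC_EN", 1),    # 1: CRC appended/checked
    ("RX2_EN", 1),    # 1: two-channel receive
    ("CM", 1),        # 0: direct mode, 1: ShockBurst
    ("RFDR_SB", 1),   # 0: 250 kbps, 1: 1 Mbps
    ("XO_F", 3),      # crystal: 0=4, 1=8, 2=12, 3=16, 4=20 MHz
    ("RF_PWR", 2),    # 0=-20, 1=-10, 2=-5, 3=0 dBm
    ("RF_CH", 7),     # channel, f = 2400 + RF_CH MHz
    ("RXEN", 1),      # 1: receive, 0: transmit
]
CONFIG_BITS = sum(width for _, width in FIELDS)
assert CONFIG_BITS == 120, "layout must total 15 bytes"


def unpack_config(word: bytes) -> dict:
    """Split a 15-byte config word (as written MSB-first over SPI) into its fields."""
    if len(word) != CONFIG_BITS // 8:
        raise ValueError("config word must be 15 bytes")
    value = int.from_bytes(word, "big")
    fields, pos = {}, CONFIG_BITS
    for name, width in FIELDS:
        pos -= width
        fields[name] = (value >> pos) & ((1 << width) - 1)
    return fields


def pack_config(fields: dict) -> bytes:
    """Inverse of unpack_config; unspecified fields are zero."""
    value = 0
    for name, width in FIELDS:
        v = fields.get(name, 0)
        if v >> width:
            raise ValueError(f"{name}={v} does not fit in {width} bits")
        value = (value << width) | v
    return value.to_bytes(CONFIG_BITS // 8, "big")


def describe(fields: dict) -> dict:
    """Turn raw fields into the facts a sniffer needs: address, rate, frequency, CRC."""
    addr_bytes = fields["ADDR_W"] // 8
    addr = fields["ADDR1"].to_bytes(5, "big")[5 - addr_bytes:] if addr_bytes else b""
    return {
        "address": addr.hex(),
        "payload_bytes": fields["DATA1_W"] // 8,
        "crc_bits": (16 if fields["CRC_L"] else 8) if fields["CRC_EN"] else 0,
        "rate_kbps": 1000 if fields["RFDR_SB"] else 250,
        "freq_mhz": 2400 + fields["RF_CH"],
        "mode": "shockburst" if fields["CM"] else "direct",
        "receiving": bool(fields["RXEN"]),
    }


# Constructed values: 3-byte address 0xA1B2C3, 4-byte payload, 8-bit CRC,
# ShockBurst, 1 Mbps, 16 MHz crystal, 0 dBm, 2441 MHz, receive.
EXAMPLE_WORD = pack_config({
    "DATA2_W": 32, "DATA1_W": 32, "ADDR1": 0x0000A1B2C3, "ADDR_W": 24,
    "CRC_L": 0, "CRC_EN": 1, "CM": 1, "RFDR_SB": 1, "XO_F": 3, "RF_PWR": 3,
    "RF_CH": 41, "RXEN": 1,
})

if __name__ == "__main__":
    print(EXAMPLE_WORD.hex())
    for k, v in describe(unpack_config(EXAMPLE_WORD)).items():
        print(f"{k:14} {v}")
```

Feed the bytes you recover from a firmware's config routine into unpack_config() and the output of describe() is the register set you need to load into your own radio to hear that device.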
Transmission ✤ Function takes one byte of input. ✤ Repeated calls to SPITXRX ✤ (1E) (1F) (20) //Destination MAC Address ✤ (1B) (1C) (1D) //Source MAC Address ✤ (input) //Button Code
Destination MAC at 1E, 1F, 20✤ MOV 0x1E, #0x12 ✤ MOV 0x1F, #0x34 ✤ MOV 0x20, #0x56✤ DMAC is 0x123456✤ Payload length is 4 bytes.✤ One byte checksum.
Turning Point Sniffing✤ 2.441 GHz, 1Mbps✤ Address: [0x12, 0x34, 0x56]✤ Payload: ✤ 3 byte MAC ✤ 1 byte Button (ASCII)
Load the Registers by GoodFET
Microsoft Keyboard✤ 2.4GHz Nordic, XOR crypto✤ SYNC varies by unit. ✤ Again, there’s no promiscuous mode.✤ Initial Exploit in Keykeriki 2.0 ✤ Max Moser and Thorsten Schröder ✤ Amiccom A7125, nRF24L01+
Holy crap that’s bad crypto!
Promiscuity is a Citizen's Duty✤ If the crypto is so bad, why is it hard to sniff? ✤ SYNC field is unique to the unit. ✤ Receiver must know the SYNC to receive a packet.✤ Two solutions: ✤ 1) Search raw radio traffic for Preamble. (Keykeriki) ✤ 2) Use the preamble as if it were a SYNC. (GoodFET)
Schröder and Moser’s Solution✤ A7125 samples raw bits at 2Mbps.✤ ARM CPU looks for Preamble.✤ When the MAC is found, ✤ Load nRF24L01+ to sniff. ✤ Dump to PC for interpretation.✤ Can it be cheaper?
GoodFET Autotune✤ Reduce MAC length to two bytes.✤ Disable checksums.✤ Set MAC to 0x0055 or 0x00AA.✤ Count occurrences of 5-byte sequences: ✤ Might be shifted off by a bit. ✤ Filter out noise.
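The counting step of the autotune trick, as an added example of my own rather than GoodFET's code. The radio is simulated: build_capture() constructs what a Nordic receiver would hand back once its address is set to the 2-byte preamble 0x0055 with CRC off, namely the bytes on the air from somewhere inside the preamble onward, so the target's real 5-byte address lands at byte 0 give or take a bit. autotune() then slides a 5-byte window over every capture at all 8 bit alignments, drops windows that are nothing but preamble or idle filler, and counts each candidate once per capture; the real address recurs across captures while noise does not. The target address, payloads and noise captures are all made up for the demo.

```python
"""Recover a Nordic-style 5-byte address from preamble-synced captures (autotune).

Added example; the captures are constructed in software, not read from a radio.
"""
import random
from collections import Counter

ADDR_WIDTH = 5      # nRF24L01+ addresses are up to 5 bytes
CAPTURE_LEN = 16    # payload length we would ask the radio for


def windows(capture: bytes, width: int = ADDR_WIDTH):
    """Yield every width-byte window of capture at each of the 8 bit alignments."""
    bits = "".join(f"{b:08b}" for b in capture)
    nbits = width * 8
    for shift in range(8):
        for start in range(shift, len(bits) - nbits + 1, 8):
            chunk = bits[start:start + nbits]
            yield bytes(int(chunk[i:i + 8], 2) for i in range(0, nbits, 8))


def looks_like_noise(window: bytes) -> bool:
    """Windows of only preamble (0x55/0xAA) or idle filler (0x00/0xFF) are not addresses."""
    return all(b in (0x00, 0xFF, 0x55, 0xAA) for b in window)


def autotune(captures, width: int = ADDR_WIDTH, min_hits: int = 3):
    """Rank candidate addresses by how many captures contain them (most frequent first)."""
    counts = Counter()
    for cap in captures:
        seen = set()
        for w in windows(cap, width):
            if looks_like_noise(w) or w in seen:
                continue
            seen.add(w)          # count each candidate once per capture
            counts[w] += 1
    return [(w, n) for w, n in counts.most_common() if n >= min_hits]


def build_capture(address: bytes, payload: bytes, bit_offset: int, rng: random.Random) -> bytes:
    """Constructed capture: preamble + address + payload + trailing junk, delivered
    starting bit_offset bits before the address boundary (0 when the 0x0055 match was exact)."""
    preamble = 0xAA if address[0] & 0x80 else 0x55   # nRF rule: preamble follows the address MSB
    junk = bytes(rng.randrange(256) for _ in range(8))
    stream = bytes([preamble]) + address + payload + junk
    bits = "".join(f"{b:08b}" for b in stream)[8 - bit_offset:]
    return bytes(int(bits[i:i + 8], 2) for i in range(0, CAPTURE_LEN * 8, 8))


TARGET_ADDR = bytes.fromhex("3a4b5c6d7e")   # made-up target; MSB is 0, so its preamble is 0x55
# Made-up 4-byte payloads, one per genuine capture.
PAYLOADS = ("41a1b2c3", "9c11d4e5", "2722f607", "d03318a9", "6344cb2b", "b8555d7c")
BIT_OFFSETS = (0, 0, 1, 0, 2, 1)            # how far off the preamble match was, per capture


def demo_captures(include_target: bool = True, seed: int = 7):
    """Six captures of the target (if requested) plus four captures of pure noise."""
    rng = random.Random(seed)
    caps = []
    if include_target:
        for payload_hex, bit_offset in zip(PAYLOADS, BIT_OFFSETS):
            caps.append(build_capture(TARGET_ADDR, bytes.fromhex(payload_hex), bit_offset, rng))
    for _ in range(4):   # the radio also "syncs" on noise that happens to look like 0x0055
        caps.append(bytes(rng.randrange(256) for _ in range(CAPTURE_LEN)))
    return caps


if __name__ == "__main__":
    for addr, hits in autotune(demo_captures()):
        print(f"{addr.hex()} seen in {hits} of 10 captures")
```

Bit-shifted copies of the real address show up as lower-ranked runners-up (they differ in their last bits, which come from the payload), which is why the count is per capture and the top entry, not every entry above the threshold, is the address to load into the radio. On hardware, replace demo_captures() with the payloads the radio returns after the three register changes on the slide.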
Sidebar✤ Somehow we have time left.✤ Let’s not waste it.