Travis Goodspeed - Not Quite ZigBee
1. Not Quite ZigBee; or, How to Sniff a Strange Radio
   Open with “Why should you give a shit?” List of Exploits
   Travis Goodspeed, 22 April 2010 -- Source Boston, travis@radiantmachines.com

2. Introduction
   ✤ Wifi
   ✤ Bluetooth
     ✤ Ubertooth
   ✤ ZigBee
     ✤ KillerBee, GoodFET, Freakduino Chibi, Daintree
   ✤ What about everything else?

3. Introduction
   ✤ This is not a USRP lecture.
   ✤ Weird radios are usually one-off designs.
     ✤ Bad cryptography, if any.
     ✤ Little testing, quality control.
   ✤ Vulnerabilities inherited from the chipset.

4. Citations
   ✤ Max Moser and Thorsten Schröder
   ✤ Michael Ossmann
   ✤ Read my articles for the rest, http://travisgoodspeed.com

5. Example Targets
   ✤ Radio Remote Controls
   ✤ Apple/Nike+ Shoe Pod
   ✤ Garmin ANT+ Watch
   ✤ Microsoft Keyboard

6. Methodology
   ✤ Dissect a device.
     ✤ Part numbers, chip die photographs, firmware.
   ✤ Determine radio encoding, rate, and frequency.
     ✤ 2FSK, 2Mbps, 2.4GHz
     ✤ QPSK, 1Mbps, 2.4GHz
   ✤ Build a transceiver.

7. Part Numbers
   ✤ CC2420, EM250, A7125
     ✤ Uniquely identify the part, index the datasheet.
     ✤ Vulnerabilities are indexed by part number, not product name.
   ✤ Sometimes they are missing or ground off.
     ✤ HNO3 and H2SO4 are your friends!
8. Datasheets
   ✤ Describe registers and pins.
   ✤ Sometimes private, but often public.
   ✤ Read the whole damned thing, and you're sure to find bugs.
   ✤ Also read the errata sheets.
     ✤ For this chip and its ancestors.
9. Datasheets

10. Die Badges
   ✤ Identify the internal part number.
   ✤ Sometimes this is the public one.
   ✤ Sometimes it isn't.
     ✤ Animals, Logos
     ✤ Lot numbers.

11. TI/Chipcon CC1110
12. Amiccom A7125

13. Amiccom A7125
14. nRF24L01+

15. Ember EM357

16. Ember EM357 Magnum

17. Mystery 2.4GHz Radio (nRF24E1G)
   ✤ Logo first.
   ✤ Inductors.
     ✤ Lollypops!
   ✤ Fill Pattern
19. Mystery vs. CC1110

20. Mystery vs. EM357

21. Mystery vs. nRF24L01+

22. Mystery vs. nRF24L01+

23. Meet the Lineup
   ✤ Chipcon
   ✤ Nordic RF
   ✤ Amiccom
   ✤ Others

24. Chipcon ISM Band
   ✤ CC1100, 2500 radio.
   ✤ CC1110, 2500 system-on-chip.
   ✤ Very configurable.
     ✤ CC1110 talks to anything sub-GHz.
     ✤ Undocumented 4FSK, use register settings for CC1101.

25. Nordic RF
   ✤ No promiscuous mode.
     ✤ There's a hack, but it's ugly.
   ✤ Not very configurable:
     ✤ 2FSK, fixed deviation.
     ✤ Integer MHz channels.
   ✤ Examples: Microsoft Keyboards, Mice; OpenBeacon; Sparkfun Keyfob; ANT+, Nike+
26. Amiccom A7125
   ✤ 2.4GHz, 2FSK
   ✤ Docs in English, Chinese
   ✤ Unbuffered mode for outputting symbols directly.
     ✤ 2 million symbols/second!
     ✤ Handy, but not necessary, for promiscuous sniffing of Nordic traffic.
27. Modulation Schemes
   ✤ Frequency Shift Keying (FSK)
     ✤ Cheap digital radios, Bluetooth.
   ✤ Amplitude Shift Keying (ASK, OOK)
     ✤ Car remotes, garage door openers.
   ✤ Phase Shift Keying (PSK)
     ✤ Wifi, ZigBee
   ✤ Complicated variations of each.

28. Frequency Shift Keying
   ✤ Symbol Rate: Integer or floating?
   ✤ Frequency: Integer or fractional?
   ✤ SYNC: Configurable? Repurposed as the address?
   ✤ Deviation: Space between highest and lowest symbol.
   ✤ Encoding:
     ✤ 2FSK: Low frequency is zero, high frequency is 1.
     ✤ 4FSK: +1, +1/3, -1/3, -1
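The questions on this slide (symbol rate, deviation, 2FSK or 4FSK) are what you have to answer before a sniffer can be configured, and they are easier to see in code. What follows is an added example, not code from the talk or from GoodFET: a pure-Python FSK modulator and software discriminator, plus an estimator that reads the symbol rate and deviation off a raw baseband capture. Assumptions: complex baseband samples at a known sample rate and no noise; "deviation" is used exactly as the slide defines it (the span between the highest and lowest tone, so the tones sit at ±deviation/2); and the assignment of bit pairs 00, 01, 10, 11 to the four 4FSK tones is mine, not a claim about any particular chip.

```python
import cmath
import math

# Tone levels per symbol, as on the slide. 2FSK: low tone is 0, high tone is 1.
# The order of the 4FSK bit pairs (00, 01, 10, 11) is an assumption of this example.
LEVELS = {2: [-1.0, 1.0], 4: [1.0, 1 / 3, -1 / 3, -1.0]}


def bits_to_symbols(bits, order):
    """Group bits into symbols: 1 bit per symbol for 2FSK, 2 for 4FSK."""
    n = order.bit_length() - 1
    assert len(bits) % n == 0, "bit count must be a multiple of bits per symbol"
    return [sum(bits[i + j] << (n - 1 - j) for j in range(n)) for i in range(0, len(bits), n)]


def modulate(bits, order, deviation, symbol_rate, fs):
    """Complex baseband samples of an FSK burst. 'deviation' follows the slide:
    the span between highest and lowest tone, so a tone sits at level*deviation/2."""
    sps = int(fs // symbol_rate)  # samples per symbol
    phase, out = 0.0, []
    for sym in bits_to_symbols(bits, order):
        step = 2 * math.pi * LEVELS[order][sym] * (deviation / 2) / fs
        for _ in range(sps):
            phase += step
            out.append(cmath.exp(1j * phase))
    return out


def inst_freq(samples, fs):
    """Instantaneous frequency in Hz from the phase advance between samples
    (a software FM discriminator). Entry i describes sample i."""
    f = [cmath.phase(b * a.conjugate()) * fs / (2 * math.pi) for a, b in zip(samples, samples[1:])]
    return f[:1] + f


def demodulate(samples, order, deviation, symbol_rate, fs):
    """Average the discriminator output over each symbol period and pick the
    nearest tone. A wrong symbol_rate or order gives garbage, as on a real sniffer."""
    sps = int(fs // symbol_rate)
    n = order.bit_length() - 1
    freq, bits = inst_freq(samples, fs), []
    for k in range(len(samples) // sps):
        window = freq[k * sps:(k + 1) * sps]
        f = sum(window) / len(window)
        sym = min(range(order), key=lambda s: abs(f - LEVELS[order][s] * deviation / 2))
        bits += [(sym >> (n - 1 - j)) & 1 for j in range(n)]
    return bits


def estimate_fsk_params(samples, fs):
    """Read symbol rate and deviation off a raw capture: the shortest run at one
    tone is one symbol wide, and the tone span is the deviation. Needs a burst
    with at least one isolated symbol and, as written, a clean signal."""
    freq = inst_freq(samples, fs)
    span = max(freq) - min(freq)
    runs, run = [], 1
    for a, b in zip(freq, freq[1:]):
        if abs(b - a) < span / 8:  # adjacent 4FSK tones differ by span/3, so this still separates them
            run += 1
        else:
            runs.append(run)
            run = 1
    runs.append(run)
    return fs / min(runs), span


if __name__ == "__main__":
    burst = modulate([1, 0, 1, 1, 0, 0, 1, 0], 2, 500e3, 1e6, 8e6)
    rate, dev = estimate_fsk_params(burst, 8e6)
    print(f"symbol rate {rate:.0f} Bd, deviation {dev:.0f} Hz")
    print(demodulate(burst, 2, dev, rate, 8e6))
```

For 2FSK only the sign of the tone matters, so a wrong deviation guess still decodes; a wrong symbol rate or the wrong order does not, which is why the estimator comes before the demodulator. On a real capture the discriminator output is noisy and needs smoothing before the run-length test, and a symbol rate that is not an integer divisor of the sample rate needs fractional resampling; both are left out here.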
29. Getting a radio board.
   ✤ Chips are difficult to use directly.
     ✤ QFN or BGA chip packages.
     ✤ Radio layout requires a custom board.
   ✤ Modules are available with radio and analog chain.
     ✤ Often lack an MCU, so use a GoodFET.
   ✤ Commercial boards are often useful.
     ✤ GirlTech IMME, Next Hope Badge

30. Configuring the Radio
   ✤ All digital radios are configured by Special Function Registers (SFR).
   ✤ Register settings can come from multiple sources:
     ✤ SmartRF Studio configuring TI/Chipcon radios.
     ✤ Datasheets
     ✤ Ask Ossmann

31.
   ✤ RF Parameters
   ✤ Register Addresses
   ✤ Register Values

32. Always bring it back to Python

33. GoodFET Radio Architecture
   ✤ Firmware in C, client in Python.
   ✤ Py2Exe port for Win32.
     ✤ Only tested on the Chinese build.
   ✤ Firmware is trimmed to support only the needed drivers.
   ✤ New drivers can be written in pure Python.
     ✤ Port functions to C as needed.

34. Turning Point Clicker
   ✤ Classroom remote control.
   ✤ Attendance, Quizzing
   ✤ Nordic nRF24E1G
     ✤ 8051 MCU
     ✤ 2.4GHz Radio
     ✤ External Flash

35. Radio+8051 MCU, SPI ROM
36. Dumping Firmware
   ✤ Chips
     ✤ nRF24E1G -- 8051 MCU + nRF2401 Radio
     ✤ 24C32 Boot ROM
   ✤ Documentation
     ✤ Datasheets, Reference Design

37. nRF24E1
   ✤ 8051 Microcontroller
     ✤ More popular than ARM and X86.
   ✤ Internal nRF2401 Radio
     ✤ 1Mbps GFSK Radio
     ✤ 2.4 to 2.5 GHz, 1MHz Channel Spacing
   ✤ No internal Flash. Boots from external EEPROM.
   ✤ No promiscuous mode. (The hack comes later.)

38. Radio+8051 MCU, SPI ROM

39. nRF24E1 Firmware in IDA
   ✤ `goodfet.spi25c dump clicker.hex`
   ✤ Copy all but the first 7 bytes to clicker.bin.
   ✤ Load clicker.bin to CODE memory at 0x0000.

40. Just 3kB of Code

41. nRF24E1 Internal Arrangement
   ✤ 8051 MCU
   ✤ Internal SPI Bus
   ✤ RADIO register #0x80

42. Useful Registers
   ✤ SPI_DATA, SPICLK, SPI_CNTRL, EXIF
   ✤ P1 LED Port
   ✤ P0.0 SPI EEPROM Slave Select
   ✤ RADIO #0x80
     ✤ RADIO.3 is Radio Slave Select
     ✤ RADIO.7 is Power Up

43. From Registers to Functions
44. RADIOWRCONFIG
   ✤ Just a lot of SPIRXTX.
     ✤ 08 08 00 00 00 00 00 00 00
     ✤ (1B) (1C) (1D)
     ✤ 63 6F
     ✤ (1A)+1

45. Field labels for the configuration bytes: Data Width, ADR, ADR Width, CRC LEN, Config, Channel

46. RADIOWRCONFIG
   ✤ Just a lot of SPIRXTX.
     ✤ 08 08 00 00 00 00 00 00 00
     ✤ (1B) (1C) (1D)
     ✤ 63 6F
     ✤ (1A)+1
   ✤ Channel at 0x1A
   ✤ MAC at 0x1B, 0x1C, 0x1D
   ✤ 4 bytes of data
   ✤ 1 byte checksum

47. Transmission
   ✤ Function takes one byte of input.
   ✤ Repeated calls to SPITXRX
     ✤ (1E) (1F) (20)   // Destination MAC Address
     ✤ (1B) (1C) (1D)   // Source MAC Address
     ✤ (input)          // Button Code

48. Destination MAC at 1E, 1F, 20
   ✤ MOV 0x1E, #0x12
   ✤ MOV 0x1F, #0x34
   ✤ MOV 0x20, #0x56
   ✤ DMAC is 0x123456
   ✤ Payload length is 4 bytes.
   ✤ One byte checksum.

49. Turning Point Sniffing
   ✤ 2.441 GHz, 1Mbps
   ✤ Address: [0x12, 0x34, 0x56]
   ✤ Payload:
     ✤ 3 byte MAC
     ✤ 1 byte Button (ASCII)

50. Load the Registers by GoodFET
51. Microsoft Keyboard
   ✤ 2.4GHz Nordic, XOR crypto
   ✤ SYNC varies by unit.
     ✤ Again, there's no promiscuous mode.
   ✤ Initial Exploit in Keykeriki 2.0
     ✤ Max Moser and Thorsten Schröder
     ✤ Amiccom A7125, nRF24L01+

52. Holy crap that's bad crypto!

53. Promiscuity is a Citizen's Duty
   ✤ If the crypto is so bad, why is it hard to sniff?
     ✤ SYNC field is unique to the unit.
     ✤ Receiver must know the SYNC to receive a packet.
   ✤ Two solutions:
     ✤ 1) Search raw radio traffic for Preamble. (Keykeriki)
     ✤ 2) Use the preamble as if it were a SYNC. (GoodFET)

54. Schröder and Moser's Solution
   ✤ A7125 samples raw bits at 2Mbps.
   ✤ ARM CPU looks for Preamble.
   ✤ When the MAC is found,
     ✤ Load nRF24L01+ to sniff.
     ✤ Dump to PC for interpretation.
   ✤ Can it be cheaper?
55. GoodFET Autotune
   ✤ Reduce MAC length to two bytes.
   ✤ Disable checksums.
   ✤ Set MAC to 0x0055 or 0x00AA.
   ✤ Count occurrences of 5-byte sequences:
     ✤ Might be shifted off by a bit.
     ✤ Filter out noise.
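The counting step of the autotune above, as an added example that is my own simulation and not GoodFET's firmware or client code. The receiver model is what the slide describes: with a two-byte "address" of 0x00AA or 0x0055 and the CRC disabled, the radio syncs on the preamble of every packet and hands back the five bytes that follow it, which is the real MAC plus the first payload bytes; some captures arrive one bit off, and most of what the radio delivers is noise. Assumptions made here: the misalignment is a stray leading bit (sync locked one bit early; the opposite shift would need a third reading built the same way), MACs are 3 to 5 bytes, the leading payload byte varies from packet to packet the way the clicker's button byte does, and the constructed traffic carries the Turning Point address 0x123456 from the earlier slides.

```python
import random
from collections import Counter

WINDOW = 5                           # bytes the radio returns after the fake 2-byte sync (slide 55)
KEY_MASK = (1 << (WINDOW * 8)) - 2   # 39 usable bits: a bit-early capture has lost its last bit


def alignment_keys(capture):
    """Two readings of one capture: as received, and shifted left one bit for the
    case where the sync locked one bit early (a stray preamble bit leads the
    window). Exactly one reading is right, so every capture votes once for the
    truth and once for junk, and junk does not repeat."""
    v = int.from_bytes(capture, "big")
    return v & KEY_MASK, (v << 1) & KEY_MASK


def autotune(captures, min_hits=4, keep_ratio=0.9):
    """Return (mac, hits) for the byte prefix that recurs most across captures,
    or (None, 0) if nothing recurs min_hits times (wrong channel or bit rate).

    Start with 3-byte prefixes, then extend to 4 and 5 bytes as long as the top
    candidate keeps most of its hits: a byte that changes from packet to packet
    is payload, not address. A constant leading payload byte would be absorbed
    into the MAC; the remedy is the next step on real hardware, tuning to the
    candidate and checking that packets arrive. A 5-byte result has its last
    bit cleared, since that bit is unknowable from bit-early captures.
    """
    keys = [alignment_keys(c) for c in captures]
    best_mac, best_hits = None, 0
    for length in range(3, WINDOW + 1):
        shift = (WINDOW - length) * 8
        tally = Counter(k >> shift for pair in keys for k in pair)
        if not tally:
            break
        key, hits = tally.most_common(1)[0]
        if hits < min_hits or (best_mac is not None and hits < keep_ratio * best_hits):
            break
        best_mac, best_hits = key.to_bytes(length, "big"), hits
    return best_mac, best_hits


def simulate_captures(mac, buttons, n_packets=40, n_noise=200, seed=1):
    """Constructed traffic, not a real capture: packets carrying 'mac' followed
    by a one-byte ASCII button code, about half of them received one bit
    early, buried among random noise captures."""
    rng = random.Random(seed)
    caps = []
    for i in range(n_packets):
        frame = (mac + bytes([buttons[i % len(buttons)], 0x00]))[:WINDOW]
        bits = int.from_bytes(frame, "big")
        if rng.random() < 0.5:  # sync locked a bit early: stray leading bit, last bit lost
            bits = (rng.getrandbits(1) << (WINDOW * 8 - 1)) | (bits >> 1)
        caps.append(bits.to_bytes(WINDOW, "big"))
    caps += [bytes(rng.getrandbits(8) for _ in range(WINDOW)) for _ in range(n_noise)]
    rng.shuffle(caps)
    return caps


if __name__ == "__main__":
    mac, hits = autotune(simulate_captures(bytes([0x12, 0x34, 0x56]), b"ABCD"))
    print(mac.hex() if mac else None, hits)
```

The shifted readings of genuine packets also recur (they are the same MAC displaced by one bit), but they split across the stray lead bit and the first payload bit, so the true alignment wins as long as both alignments occur in the capture set. Hit counts from a real radio are far lower and noisier than in this simulation, which is why the slide's "filter out noise" step matters.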
56. GoodFET Autotune

57. GoodFET Autotune

58. Conclusions

59. Sidebar
   ✤ Somehow we have time left.
   ✤ Let's not waste it.