Travis Goodspeed - Not Quite ZigBee
1. Not Quite ZigBee; or, How to Sniff a Strange Radio
Travis Goodspeed, 22 April 2010 -- Source Boston
travis@radiantmachines.com
(Speaker note: Open with “Why should you give a shit?” List of Exploits)

2. Introduction
✤ Wifi
✤ Bluetooth
  ✤ Ubertooth
✤ ZigBee
  ✤ KillerBee, GoodFET, Freakduino Chibi, Daintree
✤ What about everything else?

3. Introduction
✤ This is not a USRP lecture.
✤ Weird radios are usually one-off designs.
  ✤ Bad cryptography, if any.
  ✤ Little testing, quality control.
✤ Vulnerabilities inherited from the chipset.

4. Citations
✤ Max Moser and Thorsten Schröder
✤ Michael Ossmann
✤ Read my articles for the rest, http://travisgoodspeed.com

5. Example Targets
✤ Radio Remote Controls
✤ Apple/Nike+ Shoe Pod
✤ Garmin ANT+ Watch
✤ Microsoft Keyboard

6. Methodology
✤ Dissect a device.
  ✤ Part numbers, chip die photographs, firmware.
✤ Determine radio encoding, rate, and frequency.
  ✤ 2FSK, 2Mbps, 2.4GHz
  ✤ QPSK, 1Mbps, 2.4GHz
✤ Build a transceiver.

7. Part Numbers
✤ CC2420, EM250, A7125
  ✤ Uniquely identify the part, index the datasheet.
  ✤ Vulnerabilities are indexed by part number, not product name.
✤ Sometimes they are missing or ground off.
  ✤ HNO3 and H2SO4 are your friends!

8. Datasheets
✤ Describe registers and pins.
✤ Sometimes private, but often public.
✤ Read the whole damned thing, and you’re sure to find bugs.
✤ Also read the errata sheets.
  ✤ For this chip and its ancestors.

9. Datasheets

10. Die Badges
✤ Identify the internal part number.
✤ Sometimes this is the public one.
✤ Sometimes it isn’t.
  ✤ Animals, Logos
  ✤ Lot numbers.

11. TI/Chipcon CC1110
12. Amiccom 7125
13. Amiccom 7125
14. nRF24L01+
15. Ember EM357
16. Ember EM357 Magnum

17. Mystery 2.4GHz Radio (nRF24E1G)
✤ Logo first.
✤ Inductors.
  ✤ Lollypops!
✤ Fill Pattern

18. (image only)

19. Mystery vs. CC1110
20. Mystery vs. EM357
21. Mystery vs. nRF24L01+
22. Mystery vs. nRF24L01+

23. Meet the Lineup
✤ Chipcon
✤ Nordic RF
✤ Amiccom
✤ Others

24. Chipcon ISM Band
✤ CC1100, 2500 radio.
✤ CC1110, 2500 system-on-chip.
✤ Very configurable.
  ✤ CC1110 talks to anything sub-GHz.
  ✤ Undocumented 4FSK, use register settings for CC1101.

25. Nordic RF
✤ No promiscuous mode.
  ✤ There’s a hack, but it’s ugly.
✤ Not very configurable:
  ✤ 2FSK, fixed deviation.
  ✤ Integer MHz channels.
(Products: Microsoft Keyboards, Mice; OpenBeacon; Sparkfun Keyfob; ANT+, Nike+)

26. Amiccom A7125
✤ 2.4GHz, 2FSK
✤ Doccos in English, Chinese
✤ Unbuffered mode for outputting symbols directly.
  ✤ 2 million symbols/second!
  ✤ Handy, but not necessary, for prom. sniffing of Nordic traffic.

27. Modulation Schemes
✤ Frequency Shift Keying (FSK)
  ✤ Cheap digital radios, Bluetooth.
✤ Amplitude Shift Keying (ASK, OOK)
  ✤ Car remotes, garage door openers.
✤ Phase Shift Keying (PSK)
  ✤ Wifi, ZigBee
✤ Complicated variations of each.

28. Frequency Shift Keying
✤ Symbol Rate: Integer or floating?
✤ Frequency: Integer or fractional?
✤ SYNC: Configurable? Repurposed as the address?
✤ Deviation: Space between highest and lowest symbol.
✤ Encoding:
  ✤ 2FSK: Low frequency is zero, high frequency is 1.
  ✤ 4FSK: +1, +1/3, -1/3, -1

29. Getting a radio board.
✤ Chips are difficult to use directly.
  ✤ QFN or BGA chip packages.
  ✤ Radio layout requires a custom board.
✤ Modules are available with radio and analog chain.
  ✤ Often lack an MCU, so use a GoodFET.
✤ Commercial boards are often useful.
  ✤ GirlTech IMME, Next Hope Badge

30. Configuring the Radio
✤ All digital radios are configured by Special Function Registers (SFR).
✤ Register settings can come from multiple sources:
  ✤ SmartRF Studio configuring TI/Chipcon radios.
  ✤ Datasheets
  ✤ Ask Ossmann

31. (untitled)
✤ RF Parameters
✤ Register Addresses
✤ Register Values

32. Always bring it back to Python

33. GoodFET Radio Architecture
✤ Firmware in C, client in Python.
✤ Py2Exe port for Win32.
  ✤ Only tested on the Chinese build.
✤ Firmware is trimmed to support only the needed drivers.
✤ New drivers can be written in pure Python.
  ✤ Port functions to C as needed.

34. Turning Point Clicker
✤ Classroom remote control.
✤ Attendance, Quizzing
✤ Nordic nRF24E1G
  ✤ 8051 MCU
  ✤ 2.4GHz Radio
  ✤ External Flash

35. (Block diagram: Radio + 8051 MCU -- SPI -- ROM)

36. Dumping Firmware
✤ Chips
  ✤ nRF24E1G -- 8051 MCU + nRF2401 Radio
  ✤ 24C32 Boot Rom
✤ Documentation
  ✤ Datasheets, Reference Design

37. nRF24E1
✤ 8051 Microcontroller
  ✤ More popular than ARM and X86.
✤ Internal nRF2401 Radio
  ✤ 1Mbps GFSK Radio
  ✤ 2.4 to 2.5 GHz, 1MHz Channel Spacing
✤ No internal Flash. Boots from external EEPROM.
✤ No promiscuous mode. (The hack comes later.)

38. (Block diagram: Radio + 8051 MCU -- SPI -- ROM)

39. nRF24E1 Firmware in IDA
✤ "goodfet.spi25c dump clicker.hex"
✤ Copy all but first 7 bytes to clicker.bin.
✤ Load clicker.bin to CODE memory at 0x0000.

40. Just 3kB of Code

41. nRF24E1 Internal Arrangement
✤ 8051 MCU
✤ Internal SPI Bus
✤ RADIO register #0x80

42. Useful Registers
✤ SPI_DATA, SPICLK, SPI_CNTRL, EXIF
✤ P1 LED Port
✤ P0.0 SPI EEPROM Slave Select
✤ RADIO #0x80
  ✤ RADIO.3 is Radio Slave Select
  ✤ RADIO.7 is Power Up

43. From Registers to Functions

44. RADIOWRCONFIG
✤ Just a lot of SPIRXTX.
  08 08 00 00 00 00 00 00 00
  (1B) (1C) (1D)
  63 6F
  (1A)+1

45. (Configuration word fields: Data Width | ADR | ADR Width | CRC LEN | Config | Channel)

46. RADIOWRCONFIG
✤ Just a lot of SPIRXTX.
  08 08 00 00 00 00 00 00 00
  (1B) (1C) (1D)
  63 6F
  (1A)+1
✤ Channel at 0x1A
✤ MAC at 0x1B, 0x1C, 0x1D
✤ 4 bytes of data
✤ 1 byte checksum

47. Transmission
✤ Function takes one byte of input.
✤ Repeated calls to SPITXRX
  (1E) (1F) (20)   // Destination MAC Address
  (1B) (1C) (1D)   // Source MAC Address
  (input)          // Button Code

48. Destination MAC at 1E, 1F, 20
  MOV 0x1E, #0x12
  MOV 0x1F, #0x34
  MOV 0x20, #0x56
✤ DMAC is 0x123456
✤ Payload length is 4 bytes.
✤ One byte checksum.

49. Turning Point Sniffing
✤ 2.441 GHz, 1Mbps
✤ Address: [0x12, 0x34, 0x56]
✤ Payload:
  ✤ 3 byte MAC
  ✤ 1 byte Button (ASCII)
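As an added Python example (not code from the talk or from the GoodFET project), the clicker's radio configuration and frame layout from slides 44 through 49: `radio_config` rebuilds the byte sequence RADIOWRCONFIG shifts out, with the unit's three MAC bytes and the channel byte filled in, and `parse_frame` splits a sniffed frame into destination address, source MAC and button. The fixed byte values are copied from the slide and not decoded into fields here, and the one-byte checksum is assumed to be verified and stripped by the radio, so it is not part of the frame.

```python
# Added example, not the talk's or GoodFET's own code. Byte values are copied
# from the RADIOWRCONFIG slide; their field meanings are not decoded here.
BASE_STATION_MAC = bytes([0x12, 0x34, 0x56])   # DMAC 0x123456 from the MOV instructions


def radio_config(own_mac: bytes, channel_byte: int) -> bytes:
    """Rebuild the SPI byte sequence RADIOWRCONFIG sends to the nRF2401:
    nine fixed bytes, the unit's 3-byte MAC (RAM 0x1B..0x1D), 0x63 0x6F,
    then the channel byte (RAM 0x1A plus one on the slide), 15 bytes in all."""
    if len(own_mac) != 3:
        raise ValueError("the clicker firmware uses a 3-byte MAC")
    if not 0 <= channel_byte <= 0xFF:
        raise ValueError("channel byte must fit in one byte")
    return (bytes.fromhex("08 08 00 00 00 00 00 00 00") + own_mac
            + bytes([0x63, 0x6F, channel_byte]))


def parse_frame(frame: bytes) -> dict:
    """Split one sniffed clicker frame: the 3-byte address (destination MAC)
    followed by the 4-byte payload of source MAC plus one ASCII button code.
    The 1-byte checksum is assumed to be checked and stripped by the radio."""
    if len(frame) != 7:
        raise ValueError(f"expected 7 bytes, got {len(frame)}")
    dst, src, button = frame[:3], frame[3:6], frame[6]
    if dst != BASE_STATION_MAC:
        raise ValueError(f"unexpected destination {dst.hex()}")
    if not 0x20 <= button <= 0x7E:
        raise ValueError(f"button code 0x{button:02x} is not printable ASCII")
    return {"dst": dst.hex(), "src": src.hex(), "button": chr(button)}


# Constructed sample: a unit with a made-up MAC of 0xA1B2C3 pressing button "3".
SAMPLE_FRAME = BASE_STATION_MAC + bytes([0xA1, 0xB2, 0xC3]) + b"3"

if __name__ == "__main__":
    print(radio_config(bytes([0xA1, 0xB2, 0xC3]), 0x53).hex())
    print(parse_frame(SAMPLE_FRAME))
```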
50. Load the Registers by GoodFET

51. Microsoft Keyboard
✤ 2.4GHz Nordic, XOR crypto
✤ SYNC varies by unit.
  ✤ Again, there’s no promiscuous mode.
✤ Initial Exploit in Keykeriki 2.0
  ✤ Max Moser and Thorsten Schröder
  ✤ Amiccom A7125, nRF24L01+

52. Holy crap that’s bad crypto!

53. Promiscuity is a Citizen’s Duty
✤ If the crypto is so bad, why is it hard to sniff?
  ✤ SYNC field is unique to the unit.
  ✤ Receiver must know the SYNC to receive a packet.
✤ Two solutions:
  ✤ 1) Search raw radio traffic for Preamble. (Keykeriki)
  ✤ 2) Use the preamble as if it were a SYNC. (GoodFET)

54. Schröder and Moser’s Solution
✤ A7125 samples raw bits at 2Mbps.
✤ ARM CPU looks for Preamble.
✤ When the MAC is found,
  ✤ Load nRF24L01+ to sniff.
  ✤ Dump to PC for interpretation.
✤ Can it be cheaper?

55. GoodFET Autotune
✤ Reduce MAC length to two bytes.
✤ Disable checksums.
✤ Set MAC to 0x0055 or 0x00AA.
✤ Count occurrences of 5-byte sequences:
  ✤ Might be shifted by a bit.
  ✤ Filter out noise.
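The autotune counting from slide 55, as an added Python example that is not the GoodFET client's own code: with the radio locked on a 2-byte MAC of 0x0055 and checksums off, each received packet begins with whatever followed the preamble, so the unit's real 5-byte address is the sequence that keeps recurring while noise does not. The capture and `TARGET_MAC` below are constructed, and the shift handling assumes the sync may have matched one bit early, so candidates are tallied at bit offsets 0 and 1 and the most frequent one wins.

```python
from collections import Counter

# Constructed capture (not from the talk): raw bytes following a 0x0055 preamble
# match with CRC disabled. TARGET_MAC is a made-up 5-byte Nordic address.
TARGET_MAC = bytes.fromhex("c2415a7e11")
PAYLOADS = ["0101a0", "8102b0", "0103c0", "8104d0", "0105e0", "8106f0"]
CAPTURE = [TARGET_MAC + bytes.fromhex(p) for p in PAYLOADS] + [
    bytes.fromhex("3f9a00c71e2b00"),   # noise: preamble-like junk, no packet behind it
    bytes.fromhex("ffe0127700a3d9"),
    bytes.fromhex("7b7b7b7b7b7b7b"),
]


def shift_left(buf: bytes, nbits: int) -> bytes:
    """Shift the whole byte string left by nbits, dropping the leading bits."""
    width = len(buf) * 8
    v = (int.from_bytes(buf, "big") << nbits) & ((1 << width) - 1)
    return v.to_bytes(len(buf), "big")


def count_candidates(packets, mac_len=5, max_shift=1):
    """Tally the mac_len bytes after the preamble at each bit offset 0..max_shift."""
    tally = Counter()
    for pkt in packets:
        if len(pkt) < mac_len + 1:   # too short to hold a MAC after a shift
            continue
        for shift in range(max_shift + 1):
            tally[(shift, shift_left(pkt, shift)[:mac_len])] += 1
    return tally


def best_mac(packets, min_count=3, mac_len=5, max_shift=1):
    """Most frequent candidate as (mac, bit_shift, count); None if only noise."""
    tally = count_candidates(packets, mac_len, max_shift)
    if not tally:
        return None
    (shift, mac), count = tally.most_common(1)[0]
    return (mac, shift, count) if count >= min_count else None


def lock_one_bit_early(pkt: bytes, noise_bit: int) -> bytes:
    """Constructed fixture: the same packet if the sync had matched one bit early."""
    width = len(pkt) * 8
    v = (noise_bit << (width - 1)) | (int.from_bytes(pkt, "big") >> 1)
    return v.to_bytes(len(pkt), "big")


CAPTURE_EARLY = [lock_one_bit_early(p, i % 2) for i, p in enumerate(CAPTURE)]

if __name__ == "__main__":
    print(best_mac(CAPTURE))        # (b'\xc2AZ~\x11', 0, 6)
    print(best_mac(CAPTURE_EARLY))  # same MAC, recovered at bit shift 1
```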
56. GoodFET Autotune
57. GoodFET Autotune
58. Conclusions

59. Sidebar
✤ Somehow we have time left.
✤ Let’s not waste it.
