
Electromagnetic Hypersensitivity and You

Presentation by Wesley Wineberg at B-Sides Vancouver 2015. It includes an analysis of the EMU-2, an introduction to hardware security, and the ZigBee Smart Energy device.


  1. 1. Wesley Wineberg B-Sides Vancouver 2015
  9. 9. • PORT NAME: determined by OS
        • BAUD RATE: 115,200
        • DATA BITS: 8
        • STOP BITS: 1
  10. 10. <Command>
            <Name>get_device_info</Name>
          </Command>
  11. 11. <DeviceInfo>
            <DeviceMacId>0xFFFFFFFFFFFFFFFF</DeviceMacId>
            <InstallCode>0xFFFFFFFFFFFFFFFF</InstallCode>
            <LinkKey>0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF</LinkKey>
            <FWVersion>{string}</FWVersion>
            …
          </DeviceInfo>
  13. 13. <NickName>test</NickName>
          <Command>
            <Name>set_meter_info</Name>
            <NickName>testtesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttest</NickName>
          </Command>
  14. 14. <MeterInfo>
            <DeviceMacId>0xd8d5b90000001e74</DeviceMacId>
            <MeterMacId>0x00078100008dc8e6</MeterMacId>
            <Nickname>testtesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttest</Nickname>
            <Account>sttesttesttesttesttest</Account>
            <Auth></Auth>
          </MeterInfo>
  16. 16. /debug /trace
  22. 22. stringBuilder.AppendLine("<command>");
          stringBuilder.AppendLine("<name>image_block_dump</name>");
          stringBuilder.AppendLine("<offset>0x" + offset.ToString("X8") + "</offset>");
          stringBuilder.AppendLine("<blksize>0x" + blksize.ToString("X2") + "</blksize>");
          stringBuilder.AppendLine("</command>");
  36. 36. # Take field 4 of spi.txt, rewrite each 0xNN value as \xNN, and let echo -e emit the raw bytes
          echo -e $(cut -d',' -f4 spi.txt | sed -e 's/0x\(..\).\?/\\x\1/g' | tr -d '\n')
  42. 42. JN5142 and JN5148-J01/Z01 Flash Header

          | Bytes               | Word  | Contents                                                      |
          |---------------------|-------|---------------------------------------------------------------|
          | 0x0000 to 0x000F    | 0 - 3 | 16-byte Boot Image Record                                     |
          | 0x0010 to 0x0017    | 4 - 5 | 64-bit MAC address                                            |
          | 0x0018 to 0x0027    | 6 - 9 | Encryption Initialisation Vector (ignored if unencrypted)     |
          | 0x0028 to 0x0029    | 10    | 16-bit load address for .text segment in RAM (word aligned)   |
          | 0x002A to 0x002B    | 10    | 16-bit length of .text segment, in 32-bit words               |
          | 0x002C to 0x002D    | 11    | 16-bit load address for .bss segment in RAM (word aligned)    |
          | 0x002E to 0x002F    | 11    | 16-bit length of .bss segment in RAM, in 32-bit words         |
          | 0x0030 to 0x0033    | 12    | 32-bit wake-up entry point (word aligned) – warm start        |
          | 0x0034 to 0x0037    | 13    | 32-bit reset entry point (word aligned) – cold start          |
          | 0x0038 to (MemA-1)  | 14 -  | .text segment                                                 |
          | MemA to (MemB-1)    |       | .data segment                                                 |
          | MemB                |       | Overlay segment                                               |
  52. 52. get_meter_attributes set_meter_attributes erase_halt secret
  62. 62. • Send Beacon Request, and look for a device that has the 'join' flag enabled in its beacon.
          • After joining the network, wait for the Coordinator to send the network key encrypted with our link key (derived from the install code).
          • Look for the Key Establishment Cluster using match descriptor.
          • Perform Key Exchange.
          • If successful, look for the time cluster…
  65. 65. Source Address (8 bytes) + Frame Counter (4 bytes) + Security Control (1 byte)
  70. 70. https://bitbucket.org/secdev/scapy-com
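The flash header table on slide 42 is enough to decode a dumped image by hand. The following parser is an added example, not code from the presentation; it assumes big-endian fields (the table does not state byte order), and `parse_flash_header`, `build_sample` and all sample values are constructed for illustration.

```python
import struct

# Header layout taken from the slide 42 table (offsets 0x0000-0x0037).
# Assumption: multi-byte fields are big-endian; the table does not say.
HEADER = struct.Struct(">16s8s16sHHHHII")
TEXT_OFFSET = 0x38  # .text starts immediately after the header

def parse_flash_header(image: bytes) -> dict:
    """Decode the fixed header of a flash dump and locate the .text segment."""
    if len(image) < HEADER.size:
        raise ValueError("dump is shorter than the 0x38-byte header")
    (boot_record, mac, iv, text_load, text_words,
     bss_load, bss_words, wake_entry, reset_entry) = HEADER.unpack_from(image)
    mem_a = TEXT_OFFSET + text_words * 4  # lengths are in 32-bit words
    if mem_a > len(image):
        raise ValueError("truncated dump: .text runs past the end of the image")
    # The table marks both entry points as word aligned; flag anything else.
    misaligned = [name for name, addr in
                  (("wake", wake_entry), ("reset", reset_entry)) if addr % 4]
    return {
        "boot_record": boot_record.hex(),
        "mac": mac.hex(":"),
        "iv": iv.hex(),
        "text_load_addr": text_load,
        "text_len_bytes": text_words * 4,
        "bss_load_addr": bss_load,
        "bss_len_bytes": bss_words * 4,
        "wake_entry": wake_entry,
        "reset_entry": reset_entry,
        "mem_a": mem_a,  # flash offset where .data begins
        "text": image[TEXT_OFFSET:mem_a],
        "misaligned_entries": misaligned,
    }

def build_sample() -> bytes:
    """Constructed test image: made-up values, not data from a real device."""
    header = HEADER.pack(bytes(range(16)), bytes.fromhex("0011223344556677"),
                         bytes(16), 0x0400, 3, 0x0800, 2, 0x04000410, 0x04000400)
    return header + b"\xAA" * 12 + b"\xBB" * 8  # 3 words of .text, then .data

if __name__ == "__main__":
    for key, value in parse_flash_header(build_sample()).items():
        print(f"{key:>18}: {value!r}")
```

A truncated or mis-offset dump fails the `.text` bounds check instead of yielding a silently wrong segment.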