travis goodspeed - not quite zigbee
TRANSCRIPT
22 April 2010 -- Source Boston
Not Quite ZigBee; or, How to Sniff a Strange Radio
Travis [email protected]
Open with “Why should you give a shit?”
List of Exploits
Introduction
✤ Wifi
✤ Bluetooth
✤ Ubertooth
✤ ZigBee
✤ KillerBee, GoodFET, Freakduino Chibi, Daintree
✤ What about everything else?
Introduction
✤ This is not a USRP lecture.
✤ Weird radios are usually one-off designs.
✤ Bad cryptography, if any.
✤ Little testing, quality control.
✤ Vulnerabilities inherited from the chipset.
Citations
✤ Max Moser and Thorsten Schröder
✤ Michael Ossmann
✤ Read my articles for the rest, http://travisgoodspeed.com
Example Targets
✤ Radio Remote Controls
✤ Apple/Nike+ Shoe Pod
✤ Garmin ANT+ Watch
✤ Microsoft Keyboard
Methodology
✤ Dissect a device.
✤ Part numbers, chip die photographs, firmware.
✤ Determine radio encoding, rate, and frequency.
✤ 2FSK, 2Mbps, 2.4GHz
✤ QPSK, 1Mbps, 2.4GHz
✤ Build a transceiver.
Part Numbers
✤ CC2420, EM250, A7125
✤ Uniquely identify the part, index the datasheet.
✤ Vulnerabilities are indexed by part number, not product name.
✤ Sometimes they are missing or ground off.
✤ HNO3 and H2SO4 are your friends!
Datasheets
✤ Describe registers and pins.
✤ Sometimes private, but often public.
✤ Read the whole damned thing, and you’re sure to find bugs.
✤ Also read the errata sheets.
✤ For this chip and its ancestors.
Die Badges
✤ Identify the internal part number.
✤ Sometimes this is the public one.
✤ Sometimes it isn’t.
✤ Animals, Logos
✤ Lot numbers.
TI/Chipcon CC1110
Amiccom 7125
nRF24L01+
Ember EM357
Ember EM357 Magnum
Mystery 2.4GHz Radio
✤ Logo first.
✤ Inductors.
✤ Lollypops!
✤ Fill Pattern
nRF24E1G
Mystery vs. CC1110
Mystery vs. EM357
Mystery vs. nRF24L01+
Meet the Lineup
✤ Chipcon
✤ Nordic RF
✤ Amiccom
✤ Others
Chipcon ISM Band
✤ CC1100, 2500 radio.
✤ CC1110, 2500 system-on-chip.
✤ Very configurable.
✤ CC1110 talks to anything sub-GHz.
✤ Undocumented 4FSK, use register settings for CC1101.
Nordic RF
✤ Microsoft Keyboards, Mice
✤ OpenBeacon
✤ Sparkfun Keyfob
✤ ANT+, Nike+
✤ No promiscuous mode.
✤ There’s a hack, but it’s ugly.
✤ Not very configurable:
✤ 2FSK, fixed deviation.
✤ Integer MHz channels.
Amiccom A7125
✤ 2.4GHz, 2FSK
✤ Doccos in English, Chinese
✤ Unbuffered mode for outputting symbols directly.
✤ 2 million symbols/second!
✤ Handy, but not necessary, for prom. sniffing of Nordic traffic.
Modulation Schemes
✤ Frequency Shift Keying (FSK)
✤ Cheap digital radios, Bluetooth.
✤ Amplitude Shift Keying (ASK, OOK)
✤ Car remotes, garage door openers.
✤ Phase Shift Keying (PSK)
✤ Wifi, ZigBee
✤ Complicated variations of each.
Frequency Shift Keying
✤ Symbol Rate: Integer or floating?
✤ Frequency: Integer or fractional?
✤ SYNC: Configurable? Repurposed as the address?
✤ Deviation: Space between highest and lowest symbol.
✤ Encoding:
✤ 2FSK: Low frequency is zero, high frequency is 1.
✤ 4FSK: +1, +1/3, -1/3, -1
Getting a radio board.
✤ Chips are difficult to use directly.
✤ QFN or BGA chip packages.
✤ Radio layout requires a custom board.
✤ Modules are available with radio and analog chain.
✤ Often lack an MCU, so use a GoodFET.
✤ Commercial boards are often useful.
✤ GirlTech IMME, Next Hope Badge
Configuring the Radio
✤ All digital radios are configured by Special Function Registers (SFR).
✤ Register settings can come from multiple sources:
✤ SmartRF Studio configuring TI/Chipcon radios.
✤ Datasheets
✤ Ask Ossmann
✤ RF Parameters
✤ Register Addresses
✤ Register Values
Always bring it back to Python
GoodFET Radio Architecture
✤ Firmware in C, client in Python.
✤ Py2Exe port for Win32.
✤ Only tested on the Chinese build.
✤ Firmware is trimmed to support only the needed drivers.
✤ New drivers can be written in pure-Python.
✤ Port functions to C as needed.
Turning Point Clicker
✤ Classroom remote control.
✤ Attendance, Quizzing
✤ Nordic nRF24E1G
✤ 8051 MCU
✤ 2.4GHz Radio
✤ External Flash
Radio+8051 MCU
SPI ROM
Dumping Firmware
✤ Chips
✤ nRF24E1G -- 8051 MCU + nRF2401 Radio
✤ 24C32 Boot Rom
✤ Documentation
✤ Datasheets, Reference Design
nRF24E1
✤ 8051 Microcontroller
✤ More popular than ARM and X86.
✤ Internal nRF2401 Radio
✤ 1Mbps GFSK Radio
✤ 2.4 to 2.5 GHz, 1MHz Channel Spacing
✤ No internal Flash. Boots from external EEPROM.
✤ No promiscuous mode. (The hack comes later.)
nRF24E1 Firmware in IDA
✤ "goodfet.spi25c dump clicker.hex"
✤ Copy all but first 7 bytes to clicker.bin.
✤ Load clicker.bin to CODE memory at 0x0000.
Just 3kB of Code
nRF24E1 Internal Arrangement
✤ 8051 MCU
✤ Internal SPI Bus
✤ RADIO register #0x80
Useful Registers
✤ SPI_DATA, SPICLK, SPI_CNTRL, EXIF
✤ P1 LED Port
✤ P0.0 SPI EEPROM Slave Select
✤ RADIO #0x80
✤ RADIO.3 is Radio Slave Select
✤ RADIO.7 is Power Up
From Registers to Functions
RADIOWRCONFIG
✤ Just a lot of SPIRXTX.
✤ 08 08 00 00 00 00 00 00 00
✤ (1B) (1C) (1D)
✤ 63 6F
✤ (1A)+1
[Diagram labels: Data Width, ADR, ADR Width, CRC LEN, Config, Channel]
✤ Channel at 0x1A
✤ MAC at 0x1B, 0x1C, 0x1D
✤ 4 bytes of data
✤ 1 byte checksum
Transmission
✤ Function takes one byte of input.
✤ Repeated calls to SPITXRX
✤ (1E) (1F) (20) //Destination MAC Address
✤ (1B) (1C) (1D) //Source MAC Address
✤ (input) //Button Code
Destination MAC at 1E, 1F, 20
✤ MOV 0x1E, #0x12
✤ MOV 0x1F, #0x34
✤ MOV 0x20, #0x56
✤ DMAC is 0x123456
✤ Payload length is 4 bytes.
✤ One byte checksum.
Turning Point Sniffing
✤ 2.441 GHz, 1Mbps
✤ Address: [0x12, 0x34, 0x56]
✤ Payload:
✤ 3 byte MAC
✤ 1 byte Button (ASCII)
Load the Registers by GoodFET
Microsoft Keyboard
✤ 2.4GHz Nordic, XOR crypto
✤ SYNC varies by unit.
✤ Again, there’s no promiscuous mode.
✤ Initial Exploit in Keykeriki 2.0
✤ Max Moser and Thorsten Schröder
✤ Amiccom A7125, nRF24L01+
Holy crap that’s bad crypto!
Promiscuity is a Citizen’s Duty
✤ If the crypto is so bad, why is it hard to sniff?
✤ SYNC field is unique to the unit.
✤ Receiver must know the SYNC to receive a packet.
✤ Two solutions:
✤ 1) Search raw radio traffic for Preamble. (Keykeriki)
✤ 2) Use the preamble as if it were a SYNC. (GoodFET)
Schröder and Moser’s Solution
✤ A7125 samples raw bits at 2Mbps.
✤ ARM CPU looks for Preamble.
✤ When the MAC is found,
✤ Load nRF24L01+ to sniff.
✤ Dump to PC for interpretation.
✤ Can it be cheaper?
GoodFET Autotune
✤ Reduce MAC length to two bytes.
✤ Disable checksums.
✤ Set MAC to 0x0055 or 0x00AA.
✤ Count occurrences of 5-byte sequences:
✤ Might be shifted off by a bit.
✤ Filter out noise.
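The autotune steps above, and the "use the preamble as if it were a SYNC" approach from the two-solution slide, as an added example that is not code from the talk or from the GoodFET project: every 5-byte window at every bit alignment of each raw capture is counted, the unit's address is the sequence that recurs in every frame, and misaligned copies of it plus single-hit noise are filtered out. The 32-byte raw window, the helper names, and the sample address e7c1a53c9b are assumptions; the captures are constructed, not recorded from a device.

```python
from collections import Counter

ADDR_LEN, CAPTURE_LEN = 5, 32   # 5-byte nRF24L01+ address; 32-byte raw window

def window(capture: bytes, bit_shift: int, addr_len: int = ADDR_LEN) -> bytes:
    """Return the addr_len-byte field starting bit_shift bits into capture."""
    n, total = int.from_bytes(capture, "big"), len(capture) * 8
    field = (n >> (total - bit_shift - addr_len * 8)) & ((1 << addr_len * 8) - 1)
    return field.to_bytes(addr_len, "big")

def is_bit_shift(cand: bytes, ref: bytes) -> bool:
    """True if cand is ref slid 1..7 bits either way (slid-in bits unknown)."""
    bits = len(ref) * 8
    c, r = int.from_bytes(cand, "big"), int.from_bytes(ref, "big")
    for d in range(1, 8):
        mask = (1 << (bits - d)) - 1
        if (c & mask) == r >> d or c >> d == (r & mask):
            return True
    return False

def autotune(captures, addr_len=ADDR_LEN, min_hits=3):
    """Rank addr_len-byte sequences seen at any bit alignment; the real address
    recurs in every frame, while payload bits and noise do not."""
    counts = Counter()
    for cap in captures:
        for shift in range(8):
            counts[window(cap, shift, addr_len)] += 1
    result = []
    for addr, hits in counts.most_common():
        if hits < min_hits:                        # filter out noise
            break
        if any(is_bit_shift(addr, kept) for kept, _ in result):
            continue                               # misaligned copy of a winner
        result.append((addr, hits))
    return result

# Constructed sample traffic (not a real device): 0x55 preamble tail, 5-byte
# address, 4-byte payload, padding; the address lands 0..7 bits late.
TRUE_ADDR = bytes.fromhex("e7c1a53c9b")

def make_capture(payload: bytes, late_bits: int) -> bytes:
    frame = b"\x55" + TRUE_ADDR + payload + bytes(CAPTURE_LEN)
    total, start = len(frame) * 8, 8 - late_bits
    n = int.from_bytes(frame, "big") >> (total - start - CAPTURE_LEN * 8)
    return (n & ((1 << CAPTURE_LEN * 8) - 1)).to_bytes(CAPTURE_LEN, "big")

def sample_captures():
    caps = [make_capture(bytes([(i * 0x4B) & 0xFF, 0x20 ^ i, 0, i]), i % 8)
            for i in range(12)]
    return caps + [bytes(range(32))]               # plus one capture of junk
```

`autotune(sample_captures())` returns the constructed address with 12 hits and nothing else; once an address is recovered this way, the radio is reconfigured with it and checksums re-enabled for a normal capture.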
Conclusions
Sidebar
✤ Somehow we have time left.
✤ Let’s not waste it.