"We are not as strong as we think we are" • Rich Mullins <6Hz or bust! leveraging the power of the chipcon 1111 (and RFCAT) 0x1000 - intro to t i i x , J- IMME (currently limited to sniffer/detection firmware) but there are some catches - rf comms configuration? - channel hopping sequence? - bluetooth and DSSS? (not hap'nin) 0x1030 - why do i care!? the inner rf geek in all of us your security research may require that you consider comms with a wireless device your organization may have 900MHz devices that should be protected! 0x2 000 - ccllll summary -SPEED READER! modified 8051 core - 8-bit mcu - single-tick instructions - 256 bytes of iram - 4kb of xram - XDATA includes all code, iram, xram - execution happens anywhere :) • Full Speed USB • RfCat hides most of these details by default! 0x20 •IDLE •CAL •FSTXON •RX •TX Used for ca I ibrat.ng frequency synthesizer upfront (entering ,- "' M , f receive or transmit mode can „„„,,, . then be done quicker) . ^ ntn " calibration. Transitional state. < SRKof STX or SFSTXQN r~r«quc;n::y sy-it--;js 3i: . ready to start transmitting. Transmission starts very '.|L. '■ -: y iiftcr receiving the STX command strobe. Transmission is turned off and this s:ste s entered it the RFD register becomes empty in the middle of a packeL Typ. current consumption: 1.8 mA Frequency Frequency synthesiser is turned on, can optionally .KynthcHize- ;-:tnrlup, be calibrated, and then settles to ■ Dor red f'equency. . optional cal.brat.on, , Trarisjtiona | state settling TXOFF_MODE=00 RXOFF_MODE=00 0:)t • .in: I i: II :il;.l..-. TX Overflow RX Overflow Reception is turned off and this steto is. entered if the RFD register overflows. 
0x2020 - cc1111 radio configuration
• configuring the radio is done through updating a set of 1-byte registers in varying bit-size fields
  - MDMCFG4 - MDMCFG0 - modem control
  - PKTCTRL1, PKTCTRL0 - packet control
  - FSCTRL1, FSCTRL0 - frequency synth control
  - FREND1, FREND0 - front end control
  - FREQ2, FREQ1, FREQ0 - base frequency
  - MCSM1, MCSM0 - radio state machine
  - SYNC1, SYNC0 - SYNC word, or the SFD
  - CHANNR, ADDR - channel and address
  - AGCCTRL2, AGCCTRL1, AGCCTRL0 - gain control
• RfCat hides most of these details by default!

0x2030 - Smart RF Studio
[screenshot: SmartRF Studio "CC1111 - Device Control Panel (offline)", mostly garbled in extraction. recoverable fields:]
  - preset rows with data rate / deviation / modulation (GFSK) / RX BW / "optimized for ..." columns; 250 kBaud, 5.1 kHz and 20 kHz deviation are the legible numbers
  - RF Parameters: Xtal frequency 48.000000 MHz; Channel number 0; Data rate 1.19877 kBaud; Deviation 5.126953 kHz; Channel spacing 199.951172 kHz; RX filter BW 52.500000 kHz; base frequency, carrier frequency and TX power values garbled
  - Manchester enable and PA ramping checkboxes; Packet payload size 30; Add seq. number; Packet count 100; Infinite / Random; Text / Hex payload view (hex dump omitted)
  - register panel: IOCFG2 IOCFG1 IOCFG0 SYNC1 SYNC0 PKTLEN PKTCTRL1 PKTCTRL0 ADDR CHANNR FSCTRL1 FSCTRL0 FREQ2 FREQ1 FREQ0 MDMCFG4 MDMCFG3 MDMCFG2 MDMCFG1 MDMCFG0 DEVIATN MCSM2 MCSM1 MCSM0 FOCCFG BSCFG AGCCTRL2 AGCCTRL1 AGCCTRL0 FREND1 FREND0 FSCAL3 FSCAL2
• Data Rate, Bandwidth, and Intermediate Frequency and Freq-Deviation depend on each other

0x2100 - RfCat for devs
• cc1111usb.c provides usb descriptors and framework - shouldn't need much tinkering
• cc1111rf.c provides the core of the radio firmware - shouldn't need much tinkering
• application.c provides the template for new apps - copy it and make your amazing toy
  - txdata(buffer, length) to send data IN to host
  - registerCbEP5OUT() to register a callback function to handle data OUT from host - data is in ep5iobuf[]
  - transmit(*buf, length) allows you to send on the RF pipeline
  - appMainLoop() - modify this for handling RF packets, etc...
• follow the examples, luke! - RfCat's "application" source is appFHSSNIC.c

0x3000 - radio info we want to know
• frequencies
• modulation (2FSK/GFSK, MSK, ASK/OOK, other)
• intermediate frequency (IF)
• baud rate
• channel width/spacing/hopping?
• bandwidth filter
• sync words / bit-sync
• variable length/fixed length packets
• data whitening?
• any encoding (manchester, fec, enc, etc..)

0x3010 - interesting frequencies
• 315MHz - car fobs
• 433MHz - medical devices, garage door openers
• 868MHz - EU loves this range
• 915MHz - NA stuff of all sorts (power meters, insulin pumps, industrial plant equipment, industrial backhaul)
• 2.4GHz - 802.11/wifi, 802.15.4/zigbee/6lowpan, bluetooth
• 5.8GHz - cordless phones
• FREQ2, FREQ1, FREQ0

0x3020 - modulations
• 2FSK/GFSK - Frequency Shift Key - (digital FM) - cordless phones (DECT/CT2)
• ASK/OOK - Amplitude Shift Key - (digital AM) - morse-code, car-remotes, etc...
• MSK - Minimal Shift Key (a type of quadrature shift modulation like QPSK)
• MDMCFG2, DEVIATN

0x3030 - intermediate frequency
• cc1111 supports a wide range of 31 different IF options:
  - 23437 Hz apart, up to 726.5 kHz
• Smart RF Studio recommends:
  - 140 kHz up to 38.4 kbaud
  - 187.5 kHz at 38.4 kbaud
  - 281 kHz at 250 kbaud
  - 351.5 kHz at 500 kbaud
• FSCTRL1
[figure: heterodyne mixing, which creates an IF that can be manipulated easily; legible caption fragments: "Amplitude Modulated Carrier", "difference frequency carrier which retains the modulating signal"]

0x3040 - data rate (baud)
• much like your modems of old
• the frequency of bits - some can overlap and get garbage!
• garbage can be good...
• baud has significant impact on IF, Deviation and Channel BW
• seeing use of 2400, 19200, 38400, 250000
• MDMCFG3 / 4

0x3050 - channel width / spacing
[slide body lost in extraction]

0x3060 - bandwidth filter
• programmable receive filter
• provides for flexible channel sizing/spacing
• total signal bw = signal bandwidth + (2*variance)
• total signal bw wants to be less than 80% of the bw filter!
• MDMCFG4

0x3070 - preamble / sync words
• identify when real messages are being received!
• starts out with a preamble (1010101010...)
• then a sync word (programmable bytes)
  - marking the end of the preamble
  - aka 'SFD' - start of frame delimiter
• configurable to:
  - nothing (just dump received crap)
  - carrier detect (if the RSSI value indicates a message)
  - 15 or 16 bits of the SYNC WORD identified
  - 30 out of 32 bits of double-SYNC WORD
• SYNC1, SYNC0, MDMCFG2

0x3080 - variable / fixed-length packet
• packets can be fixed length or variable length
• variable length assumes first byte is the length
• both modes use the PKTLEN register:
  - Fixed: the length
  - Variable: MAX length
• PKTCTRL0, PKTLEN

0x3090 - CRC - duh, but not
• crc16 check on both TX and RX
• uses the internal CRC (part of the RNG) seeded by 0xffff
• DATA_ERROR flag triggers when CRC is enabled and fails
• some systems do this in firmware instead
• PKTCTRL0
[Figure 51: Packet Format - preamble bits (1010...1010), sync word (16/32 bits), optional length and address fields, data field, optional CRC-16; optional data whitening and optional FEC encoding/decoding. legend: inserted automatically in TX, processed and removed in RX; processed but not removed in RX; unprocessed user data (apart from FEC and/or whitening)]

0x30a0 - data whitening - 9 bits of pain
• ideal radio data looks like random data
• real world data can contain long sequences of 0 or 1
• data to be transmitted is first XOR'd with a 9-bit sequence
  - sequence repeated as many times as necessary to match the data
• PKTCTRL0

0x30b0 - encoding
• manchester
  [figure: Manchester-encoded waveform for data 10100111001]
  - MDMCFG2
• forward error correction
  - convolutional
  - MDMCFG1
  - reed-solomon (not supported)
• encryption
  - AES in chip
  [image; caption: sorry, couldn't resist]

0x3100 - how can we figure it out!?
• open / public documentation
  - insulin pump published frequency
• open source implementation / source code
• "public" but harder to find (google fail!)
  - fcc.gov - search for the first part of the FCC ID
  - fcc.gov/oet/ea/fccid/
  - patents
    - http://freepatentsonline.com
    - http://www.freepatentsonline.com/8189577.html
    - http://www.freepatentsonline.com/20090168846.pdf

0x3101 - how can we figure it out!? - part 2
• reversing hw
  - tapping bus lines
  - logic analyzer
    - grab config data
    - grab tx/rx data
  - pulling and analyzing firmware
• hopping pattern analysis
  - arrays of dongles - space them out and record results
  - hedyattack, or something similar
  - spectrum analyzer
  - USRP2 or latest gadget from Michael Ossmann
• trial and error
  - rf parameters
• MAC layer?
  - takes true reversing, unless you find a patent :)

0x4000 - intro 2 FHSS - SPDY!
• FHSS is common for devices in the ISM bands
  - provides natural protection against unintentional jamming / interference
  - US Title 47 CFR 15.247 affords special power considerations to FHSS devices
• >25khz between channels
• pseudorandom pattern
• each channel used equally (avg) by each transmitter
• if 20dB bandwidth of hopping channel < 250khz:
  - must have at least 50 channels
  - average <0.4 sec per 20 seconds on one channel
• if 20dB bandwidth of hopping channel > 250khz:
  - must have at least 25 channels
  - average <0.4 sec per 10 seconds on one channel

0x4010 - FHSS, the one and only - not!
• different technologies:
  - DSSS - Direct Sequence Spread Spectrum
    - hops happen more often than bytes (ugh)
    - typically requires special PHY layer
  - "FHSS"
    - hops occur after a few symbols are transmitted
• different topologies: (allow for different synch methods)
  - point-to-point (only two endpoints)
  - multiple access systems (couple different options)
    - each cell has their own hopping pattern
    - each node has own hopping pattern
• different customers:
  - military has used frequency hopping since Hedy and George submitted the patent in 1941.
  - commercial folks (WiFi, Bluetooth, proprietary stuff like power meters)

0x4020 - FHSS intricacies
what's so hard about FHSS?
• must know or be able to come up with the hopping pattern
  - can be anywhere from 50 to a million distinct channel hops before the pattern repeats (or more)
• must be able to synchronize with an existing cell or partner
  - or become your own master!
• must know channel spacing
• must know channel dwell time (time to sit on each channel)
• likely need to reverse engineer your target
• DSSS requires that you have special hardware
• military application will be very hard to crack, as it typically will have hops based on a synchronized PRNG to select channels

0x4030 - FHSS, the saving graces
• any adhoc FHSS multi-node network: (power meters / sensor-nets)
  - node sync in a reasonable timeframe
    - limited channels in the repeated pattern
  - each node knows how to talk to a cell
    - let one figure it out, then tap the SPI bus to see what the pattern is...
• two keys to determining hopping pattern:
  - hop pattern generation algorithm
    - often based on the CELL ID - one pattern gets you the whole cell :)
    - others generate a unique pattern per node
  - some sync information the cell gives away for free
    - gotta tell the n00bs how to sync up, right?
    - for single-pass repeating sequences, it's just the channel

0x4040 - FHSS summary
• FHSS comes in different forms for different uses and different users
• FHSS is naturally tolerant to interference, and allows a device to transmit higher power than non-FHSS comms
• getting the FHSS pattern, timing, and appropriate sync method for proprietary comms can be a reversing challenge
• getting a NIC to do something with the knowledge gained above has - to date - been very difficult

0x5000 - intro to RfCat
• RfCat: RF Chipcon-based Attack Toolset
• RfCat is many things, but I like to think of it as an interactive python access to the [remainder of slide lost in extraction]

[following slide(s) mostly lost in extraction; surviving fragments:]
• ... modulation!
• other characteristics discovered using a USRP and baudline (and some custom tools, thanks Mike Ossmann!)
• ... pump ... trial/error ...
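The register arithmetic behind slides 0x3010 to 0x3060 (FREQ2/1/0, the MDMCFG4/MDMCFG3 data rate, the MDMCFG1/MDMCFG0 channel spacing and DEVIATN), as an added example that is not RfCat's own code. It uses the datasheet formulas and assumes the cc1111's 48 MHz crystal gives a 24 MHz synthesizer reference f_ref; under that assumption it reproduces the SmartRF Studio values on slide 0x2030 (1.19877 kBaud, 5.126953 kHz deviation, 199.951172 kHz channel spacing). The function names and the 915 MHz / 2400 baud demo values are mine.

```python
"""cc1111 radio register arithmetic (added example, not RfCat's own code).
Assumes the cc1111's 48 MHz crystal gives a 24 MHz synthesizer reference f_ref;
the SmartRF Studio values on slide 0x2030 come out exactly under that assumption."""

F_REF = 24_000_000  # Hz; assumption: 48 MHz xtal / 2

def freq_regs(carrier_hz):
    """FREQ2/FREQ1/FREQ0, from f_carrier = f_ref / 2**16 * FREQ[23:0]."""
    word = round(carrier_hz * 2**16 / F_REF)
    return (word >> 16) & 0xFF, (word >> 8) & 0xFF, word & 0xFF

def freq_from_regs(freq2, freq1, freq0):
    return ((freq2 << 16) | (freq1 << 8) | freq0) * F_REF / 2**16

def _mantissa_exponent(target, scale, max_e, offset):
    """Smallest exponent whose 8-bit mantissa reproduces target (rounded)."""
    for e in range(max_e + 1):
        m = round(target * scale / 2**e) - offset
        if 0 <= m < 256:
            return e, m
    raise ValueError("value out of range for this register field")

def drate_regs(baud):
    """DRATE_E (MDMCFG4 low nibble), DRATE_M (MDMCFG3):
    R_data = (256 + DRATE_M) * 2**DRATE_E * f_ref / 2**28."""
    return _mantissa_exponent(baud, 2**28 / F_REF, 15, 256)

def drate_from_regs(drate_e, drate_m):
    return (256 + drate_m) * 2**drate_e * F_REF / 2**28

def chanspc_regs(spacing_hz):
    """CHANSPC_E (MDMCFG1 bits 1:0), CHANSPC_M (MDMCFG0):
    f_chan = (256 + CHANSPC_M) * 2**CHANSPC_E * f_ref / 2**18."""
    return _mantissa_exponent(spacing_hz, 2**18 / F_REF, 3, 256)

def deviation_from_reg(deviatn):
    """f_dev = (8 + DEVIATION_M) * 2**DEVIATION_E * f_ref / 2**17."""
    return (8 + (deviatn & 0x7)) * 2**((deviatn >> 4) & 0x7) * F_REF / 2**17

def deviatn_reg(dev_hz):
    """DEVIATN = DEVIATION_E << 4 | DEVIATION_M, nearest of the 64 settings."""
    regs = [(e << 4) | m for e in range(8) for m in range(8)]
    return min(regs, key=lambda r: abs(deviation_from_reg(r) - dev_hz))

if __name__ == "__main__":
    # constructed demo: 915 MHz, 2400 baud, the slide's 5.1 kHz deviation
    print("FREQ2/1/0 = %02x %02x %02x" % freq_regs(915_000_000))
    e, m = drate_regs(2400)
    print("DRATE_E=%d DRATE_M=0x%02x -> %.1f baud" % (e, m, drate_from_regs(e, m)))
    print("DEVIATN=0x%02x -> %.3f Hz" % (deviatn_reg(5100), deviation_from_reg(deviatn_reg(5100))))
```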
0x6010 - the discovery process
• glucometer was first captured using Spectrum Analyzer (IMME/hedyattack) to validate frequency range from the lay-documentation
• next a logic analyzer (saleae) used to tap debugging lines
• next, the transmission was captured using a USRP (thank you Mike Ossmann for sending me your spare!)
  - alt: [lost in extraction]
• next, the "packet capture" was loaded into Baudline, and analysis performed to identify baudrate and modulation scheme, and get an idea of bits
• next, Mike Ossmann did amazing-sauce, running the capture through GnuRadio Companion (the big picture on next slide)
• RF parameters confirmed through RF analysis, and real-life capture.

0x6020 - the immaculate reception
• punched in the RF parameters into a RfCat dongle
  - created subclass of RFNIC (in python) for new RF config
• dropped into "discover" mode to ensure I had the modem right
• returned to normal NIC mode to receive real packets
• now need the pump to reverse the bi-dir protocol

0x6100 - playing with a power meter
CAUTION: MUCKING WITH power systems without appropriate AUTHORIZATION IS ILLEGAL, EVEN IF IT IS ON THE SIDE OF YOUR HOUSE!
• most power meters use their own proprietary "Neighborhood Area Network" (NAN), typically in the 900MHz range and sometimes 2.4GHz or licensed spectrum.
• to get the best reception over distance and gain tolerance to interference, all implement FHSS to take advantage of the Title 47: Part 15 power allowances
• many of the existing meters use the same cc1111 or cc1110 chips, or the cc1101 radio core
• this is the reason I'm here today

0x6110 - as sands through the hourglass
• power meter RF comms have long been "unavailable" for most security researchers
• some vendors understand the benefits of security rigor by outside researchers
  - others, however, do not.
• the gear used in my presentation was given to me by one who understands
  - for various reasons, they have asked to remain anonymous, however, their security team has a well founded approach to finding out "how their baby is ugly"
• I would like to give them credit for their commitment to the improved security of their products.
• atlas, tell us what you really think

0x6120 - smart meter - the complication
• power meters are not so simple as glucometers
  - proprietary FHSS in a multiple-access topology
  - have to endure the RF abuse of the large metropolis
• complex mac sync/net-registration
• not easy to show with a single meter without a Master node.
• initial analysis was performed via my saleae LA
• SpecAn code on IMME's and hedyattack dongles
  - good for identifying periods of scanning
• although the dongle can hop along with the meter, we won't be demoing synching with the meter today

0x6130 - the approach
• determine the rf config and hopping pattern through SPI Bus sniffing (and my saleae again)

0x6140 - the approach (2)
• (discover) mode: disables sync-word so radio sends unaligned bits
  - algorithm looks for preamble (0xaa or 0x...)
  - then determines possible dwords
• ummm... but that's not any bit-derivation of the sync word(s) I expect, wut?
• I am confident those are coming from the meter
• intro: Bit Inversion (see highlighted hex)
  [hex dump not recoverable from extraction]

0x6145 - new developments
• vendors have filed numerous patents with hopping pattern calculations, comms parameters, etc - WIN!
• plenty of work to be done! jump right in!
• http://www.patentstorm.us/patents/7064679/fulltext.html
• http://www.patentstorm.us/patents/7962101/fulltext.html
• http://www.patentstorm.us/applications/20080204272/fulltext.html
• http://www.patentstorm.us/applications/20080238716/fulltext.html

"Abuse is no argument" - Nevil Maskelyne

0x6150 - conclusions
• rfcat discover mode roxors
• rfcat is a foundation for your attack tool - way more than just a tool in itself
• [we] are responsible for ensuring our devices use appropriate security, do not simply expect someone else to do it.
• the first med-device death could be your best friend.

References
• http://rfcat.googlecode.com
• http://en.wikipedia.org/wiki/Part_15_(FCC_rules)
• http://en.wikipedia.org/wiki/ISM_band
• http://www.ti.com/lit/ds/swrs033g/swrs033g.pdf - "the" manual
• http://edge.rit.edu/content/P11207/public/CC1111_USB_HW_User_s_Guide.pdf
• http://www.ti.com/litv/pdf/swru082b
• http://www.ti.com/product/cc1111f32#technicaldocuments
• http://www.ti.com/lit/an/swra077/swra077.pdf
• http://www.newscientist.com/article/mg21228440.700-dotdashdiss-the-gentleman-hackers-1903-lulz.html
• http://saleae.com/
• http://zone.ni.com/devzone/cda/epd/p/id/5150 - FSK details (worthwhile!)
• http://www.radagast.org/~dplatt/hamradio/FARS_presentation_on_modulation.pdf - very good detailed discussion on deviation/modulation
• http://en.wikipedia.org/wiki/Frequency_modulation
• http://en.wikipedia.org/wiki/Minimum-shift_keying

0xgreetz
• power hardware folk who play nice with security researchers
• cutaway and q (awesome hedyattackers)
• gerard van den bosch
• travis and mossman
• skOdO and the four J's
• invisigoth and kenshoto
• Jewel, bug, ringwraith, diva
• Jesus Christ
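A software version of the "discover" step on slide 0x6140, as an added example that is not RfCat's own implementation: with the sync word disabled the radio hands back bits with no byte alignment, so the code tries all eight alignments, looks for runs of preamble bytes, tallies the bytes that follow each run as sync-word candidates, and scores each alignment by how many whole preamble bytes it saw. The capture is a constructed sample (three packets with a 4-byte 0xaa preamble, sync 0xd391 and a short payload, skewed by three bits); 0x55 is assumed as the other alignment of the 1010 preamble since the slide's second value is cut off, and the bit-inversion check the slide mentions is included.

```python
"""Sync-word discovery over unaligned RX bits (added example, not RfCat's own code).
Try all 8 bit alignments, find runs of preamble bytes, tally the bytes after each run."""
from collections import Counter

PREAMBLE_BYTES = (0xAA, 0x55)  # 0x55 assumed: the 1010 preamble seen one bit late

def bytes_to_bits(data):
    """MSB-first bit string, the order in which bits leave the radio."""
    return "".join(format(b, "08b") for b in data)

def bits_to_bytes(bits):
    bits = bits + "0" * (-len(bits) % 8)  # zero-pad a ragged tail
    return bytes(int(bits[i:i + 8], 2) for i in range(0, len(bits), 8))

def sync_candidates(capture, sync_bytes=2, min_preamble=2):
    """{preamble_byte: Counter{candidate_sync: score}}; a run of n preamble bytes
    scores n, so the alignment that sees the most whole preamble bytes wins."""
    bits = bytes_to_bits(capture)
    found = {p: Counter() for p in PREAMBLE_BYTES}
    for offset in range(8):
        data = bits_to_bytes(bits[offset:])
        i = 0
        while i < len(data):
            j = i
            while data[i] in PREAMBLE_BYTES and j < len(data) and data[j] == data[i]:
                j += 1
            run = j - i
            if run >= min_preamble and j + sync_bytes <= len(data):
                cand = int.from_bytes(data[j:j + sync_bytes], "big")
                found[data[i]][cand] += run
            i = max(j, i + 1)
    return found

def inverted(word, nbits=16):
    """Bit-inverted sync word, the 'Bit Inversion' twist on slide 0x6140."""
    return word ^ ((1 << nbits) - 1)

def demo_capture():
    """Constructed sample: three packets (4 x 0xaa preamble, sync 0xd391, short
    payload) between junk bytes, then skewed by 3 bits like an unaligned capture."""
    packet = b"\xaa" * 4 + b"\xd3\x91" + b"\x01\x02\x03"
    stream = b"\x00\xff" + packet * 3 + b"\x00\xff"
    return bits_to_bytes(bytes_to_bits(stream)[3:])

if __name__ == "__main__":
    for pre, cands in sync_candidates(demo_capture()).items():
        print("after 0x%02x:" % pre, ["%04x x%d" % c for c in cands.most_common(3)])
```

The top entry under 0xaa is the real sync word; the runners-up are the same bits seen at the other alignments, which is why a candidate that matches no shift or inversion of the expected word (the slide's "wut?") is worth a second look.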