Saturday, July 18, 2009

toorcamp badge hacking

The badges at Toorcamp were solder-yourself passive RFID detectors. With the jumper in one position, an LED lights up in the presence of 125 kHz signals (used by low frequency RFID tags). With the jumper in the other position, a second LED indicates the presence of 13.56 MHz signals (used by high frequency RFID tags and Near Field Communication).

The circuit is very simple. Each side consists of an inductive loop (of traces on the circuit board), a tuning capacitor (forming a tank circuit with the loop), and an LED. It is powered by the received signals (as are passive RFID tags). I've tested my badge by holding it up to both types of RFID readers, and it works perfectly. Unfortunately it only works at very close range, so it isn't the most useful device on its own. As a component in other circuits, however, the unit has great potential.

Thanks to some spare parts and excellent soldering equipment provided by my friends at the Dorkbot campsite, I was able not only to assemble the badge but to perform a simple modification that turned it into a low frequency RFID decoder (in conjunction with a laptop computer). All I had to do was attach a cable with an audio plug in place of the jumper. At the camp, I soldered the audio cable directly to the board, but I have since reworked it with a plug that can be removed or repositioned on the header.

125 kHz RFID tags (at least the ones I've had an opportunity to play with) use a double modulation scheme. The data signal is frequency modulated (FSK) in the neighborhood of 14 kHz, and then the resulting signal is amplitude modulated up to 125 kHz. One way to demodulate the over-the-air signal is to perform the whole process in reverse: undo the amplitude modulation to get back to 14 kHz FSK, and then FM demodulate back to the baseband signal.

The first step can be done with a small analog circuit. The simplest way to demodulate an AM signal is to rectify the signal (only allowing current to pass in one direction) with a diode and then smooth the resulting signal with a low pass filter (which can be as simple as a single capacitor). This results in a waveform that represents the envelope, the amplitude variations over time, of the original signal. Lucky for me, the LED on the Toorcamp badge is a diode that rectifies the signal! With the badge plugged into a laptop's microphone jack, the sound card's anti-aliasing filter does the smoothing, and the resulting signal of approximately 14 kHz is within the range that the sound card can record.

The FSK demodulation can then be done in software, allowing the whole setup to act as a close-range RFID decoder. You could even plug the badge into a small audio recorder and decode recorded signals later on a computer.
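The decode chain described above, simulated end to end as an added example (this is not code from the post or from the badge project): a constructed 125 kHz carrier is amplitude modulated by a phase-continuous FSK tone, half-wave rectified as the LED would do it, low-pass filtered as the sound card would, and then FSK demodulated in software by measuring the period of each tone cycle between zero crossings. The post only says the tones are "in the neighborhood of 14 kHz", so the tone frequencies (carrier/10 and carrier/8), the 640 microsecond bit period, the modulation depth and the 1 MHz simulation rate are all assumptions made here.

```python
import math

# Assumed values for this simulation (the post gives only "125 kHz" and
# "in the neighborhood of 14 kHz"): tones at carrier/10 and carrier/8, and
# a bit period of 640 us, i.e. 8 cycles of the low tone or 10 of the high tone.
FS = 1_000_000                     # simulation sample rate, Hz (assumed)
CARRIER_HZ = 125_000               # low-frequency RFID carrier
TONE_HZ = {0: 12_500, 1: 15_625}   # FSK tone per data bit (assumed)
BIT_SAMPLES = 640                  # samples per data bit (assumed)
LPF_TAPS = FS // CARRIER_HZ        # 8 samples = one carrier period: the box filter nulls the carrier
MOD_INDEX = 0.5                    # AM depth (assumed)


def modulate(bits):
    """Constructed over-the-air signal: a 125 kHz carrier whose amplitude
    follows a phase-continuous FSK tone selected by each data bit."""
    samples = []
    phase = 0.0
    for bit_number, bit in enumerate(bits):
        step = 2 * math.pi * TONE_HZ[bit] / FS
        for k in range(BIT_SAMPLES):
            n = bit_number * BIT_SAMPLES + k
            envelope = 1.0 + MOD_INDEX * math.sin(phase)
            samples.append(envelope * math.sin(2 * math.pi * CARRIER_HZ * n / FS))
            phase += step
    return samples


def am_envelope(samples):
    """The analog stage: half-wave rectification (the badge LED acting as a
    diode) followed by a moving-average low-pass (standing in for the sound
    card's anti-aliasing filter).  Output sample i is centred on input
    sample i + LPF_TAPS // 2, which the demodulator compensates for."""
    rectified = [max(x, 0.0) for x in samples]
    window = sum(rectified[:LPF_TAPS])
    out = [window / LPF_TAPS]
    for i in range(LPF_TAPS, len(rectified)):
        window += rectified[i] - rectified[i - LPF_TAPS]
        out.append(window / LPF_TAPS)
    return out


def rising_crossings(signal):
    """Indices where the DC-free signal goes from <= 0 to > 0."""
    dc = sum(signal) / len(signal)
    ac = [x - dc for x in signal]
    return [i for i in range(1, len(ac)) if ac[i - 1] <= 0.0 < ac[i]]


def fsk_demodulate(envelope, n_bits):
    """The software stage: measure each tone cycle between rising zero
    crossings, classify it as the high or low tone, and majority-vote the
    cycles that fall inside each bit period (bit timing assumed known)."""
    threshold = (FS / TONE_HZ[0] + FS / TONE_HZ[1]) / 2   # 72 samples
    crossings = rising_crossings(envelope)
    votes = [[0, 0] for _ in range(n_bits)]
    for start, end in zip(crossings, crossings[1:]):
        bit_index = (start + LPF_TAPS // 2) // BIT_SAMPLES   # undo filter delay
        if bit_index < n_bits:
            tone = 1 if (end - start) < threshold else 0
            votes[bit_index][tone] += 1
    return [1 if ones > zeros else 0 for zeros, ones in votes]


def decode(samples):
    """Whole chain from the post: AM envelope, then FSK demodulation."""
    return fsk_demodulate(am_envelope(samples), len(samples) // BIT_SAMPLES)


if __name__ == "__main__":
    message = [1, 0, 1, 1, 0, 0, 1, 0]
    print(decode(modulate(message)) == message)
```

Two design points are worth noticing. The moving average is exactly one carrier period long, so its frequency response has nulls at 125 kHz and every harmonic, which is what lets a plain box filter strip the carrier while passing the 12 to 16 kHz tones almost untouched. And because the rectified carrier only samples the envelope once per carrier cycle, zero crossings can only be located to within a carrier period; choosing tones whose periods are whole numbers of carrier cycles keeps the measured periods consistent. A decoder for a real capture would also need clock recovery instead of the known bit timing assumed here.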

This simple modification just scratches the surface of what can be done with the Toorcamp badges. Having RFID frequency tuned loops available to plug into your own circuits makes it easy to play with both reception and transmission of RFID and NFC signals. For example, at the camp I used a second badge plugged into a USRP in order to transmit the 125 kHz signal needed to excite an RFID tag for testing the decoder.

Thanks again to everyone who made Toorcamp possible and to all the new friends I made there, especially the Dorkbot campers. It was an incredible experience.

Friday, June 26, 2009

toorcamp awaits

Next week Dominic and I will reprise our ShmooCon Bluetooth talk at Toorcamp, North America's first hacker camp (which happens to be taking place at a defunct Titan-1 missile silo). The nice folks from DorkbotPDX have allowed us to join their campsite. While we're there we also plan to run a software radio workshop. It is high time that more hackers learn how to use this technology.

Thursday, March 26, 2009

Black Hat video up

Video (warning! 283 MB!) of my talk, Software Radio and the Future of Wireless Security, at Black Hat USA 2008 is now available along with all the other presentations from the event.

Tuesday, March 03, 2009

Star Crossed

After four years of developing tools and techniques, three gloves and mittens cut by angle grinders, two broken slabs of ice intended for moving parts, one tool confiscated by the TSA, and zero broken beaks, we completed Star Crossed. The sculpture features a realistic penguin on the left and a mechanical penguin on the right. It is the first working mechanical ice sculpture that we have completed in the Single Block Classic.

The head of the realistic penguin is shown in this detail photo. We used two textures: scratched and transparent.

This shot shows the mechanism on edge. The head piece rotates on the upper axle and has a long slot that extends downward. The key on the lower axle turns a cam with a lug that rides along the slot. You can watch a video of the mechanism in action.

We carved Star Crossed in three days and had a great time doing it. Thanks to all the volunteers and sculptors at Ice Alaska who make the experience a fun one every year. Thanks to Sharon Hansen for shooting the photos and video.

Monday, March 02, 2009

night

Throughout the final day of competition we worked primarily on converting the rough penguin bodies into finished sculptures. The first step was a thorough scratching with the devil's back scratcher. This removed all the chainsaw and chisel marks, refined the shape of the piece, and left only small scratches to be polished away. We decided to use the scratched texture for the black portion of the realistic penguin and a transparent texture for the white portion and for the entire mechanical penguin (in order to make the machine parts visible).

For the transparent texture, we removed the scratches by polishing with a Scotch Brite pad on an angle grinder and applied heat with a weed burner and hair dryer for the final finish. "Scratch, buff, burn" was our mantra for the day. By dinner, both penguins were finished as were all of the machine parts.

After a quick dinner, our first priority was assembly of the machine. We had done a trial assembly the day before to verify fit and clearance for all the parts, but the final assembly was a bit different. For one thing, we had to add bushings to keep parts from sliding along the length of axles. We also had to waterglue parts together, eliminating a bit of play between various parts. Once we had everything welded into place, the mechanism didn't work! There wasn't enough clearance for the cam's lug at one end of the slot in the head piece. Fortunately we had anticipated that this might happen, so Lars was able to correct the problem by thinning the lug while I worked on finishing the beak of the realistic bird. The rest of the penguin was done, but we had left the beak for last in order to avoid breaking it. I trimmed an inch or so of diameter with a small chisel and added a beak line and eyes.

By the time I was done, Lars had the mechanism working, but he had only tested it with his hands guiding the interior parts. He hadn't actually turned the entire mechanism from the key on the front. We decided to try it together, rotating it a few times just before the final horn sounded. It worked!

During clean-up, several people, including sculptors and the event director, stopped by to try it out. We constructed fence posts within reach of the key and a sign instructing people to turn it gently. Sharon made a short video of Lars and me turning it as well. When we left, the mechanism was still working, but we didn't know how long it would last.

We crashed at Belfair that night and woke up the next day in time to thaw and dry our equipment before heading out for an 11 mile hike-and-sled to remote Tolovana Hot Springs. It was a delightful weekend of snow, sun, and good company.

Thursday, February 26, 2009

morning

It is the morning of the final day of competition. Last night we stopped a bit early (?) and made it back to Belfair around 11:00. Lars made lesson plans while I sharpened chisels. (Thanks for the diamond stone, mom and dad!) Actually, Lars made lesson plans while I had a beer (Belfair home brew) and played guitar. Then I stayed up a couple hours after him to sharpen chisels, and I'm glad I did! I made short work of the head first thing this morning, and I did it all with two freshly sharpened chisels. Meanwhile Lars taught a pre-calculus class and has now arrived at the warming hut to join me in a mid-morning snack. (Unlimited coffee and doughnuts!) We didn't get much sleep last night, but at least we didn't spend the entire night carving ice like a few of the other sculptors.

day two

What a beautiful day for carving ice! The weather has been perfect for ice, not too warm, not too cold. After the ice warmed up a bit in the morning and our liquid water cooled down, we worked on the welds and had them done by lunch. They could be prettier, but they are structurally sound. After lunch we finished the mechanism pieces (except for the handle) and performed a trial assembly. Everything fit and had enough clearance through the complete range of motion.

Later in the day we turned to the task of removing large quantities of ice to shape the bodies. It has been slow going but is mostly done. While Lars is at school for a bit Thursday morning I'll tackle the head of the realistic penguin. I'm terrified that I will ruin the thing!

Wednesday, February 25, 2009

the penguins are coming! the penguins are coming!

Day one was quite successful. Our ice had several large cracks (and the heat of the giant chainsaw produced an additional one), but we've managed to work around them well. We have been able to find high quality sections for our mechanical parts. We made a last minute decision the night before the event to increase the overall size of the piece. This has required a considerable effort to add large chunks to the top of the penguins, but we think it will be worth it. Hopefully the additional time required to do this doesn't burn us later.

By the end of the day we had both penguin bodies very roughly formed, a cavity for moving parts carved out of the mechanical penguin, one of two axle holes drilled, a head roughed out and lifted (oof!) up on top of a body (not yet oriented correctly), and both axles turned on the lathe.

Toward the end of the day, we started doing stupid things. Lars had to remind me to get my safety equipment on before using a chainsaw, we forgot that we should have drilled the axle holes before cutting out the cavity, and we drilled a hole through two panels that only needed to go through one. Fortunately we decided to quit early in the evening before doing anything terribly disastrous. That enabled us to get an early start today, and we are making good progress again.

Lars had a wonderful (terrible?) idea for a technique to deliver liquid water to a weld. We were attaching the shoulders to the body of the mechanical penguin, so we packed the edges with snow and then drilled a 3/4 inch hole all the way from the top of the shoulder piece down to the thin gap between the parts and poured water right down the hole. Unfortunately the liquid water never spread further than an inch from the hole because, we suspect, it encountered too much snow deposited by the drill bit. Maybe it would have worked if we had blown out the hole with compressed air before pouring the water. Anyway we'll have to try to bond the pieces together better today. We hope to have that and the head of the other penguin done very soon.

Watch us on our webcam!

Monday, February 23, 2009

site

We are in site number one this year. Matt, our inside man in the webcam crew, tells us that our webcam was the first one made operational yesterday, so it should be available when the event starts Tuesday morning at 9:00. We might not be there right when the horn sounds, however, due to some scheduling difficulties. Lars has recently been promoted (yay!) to a full-time teaching position at a local high school, but his students have had so many different teachers that they need a bit of stability. For this reason he'll have to teach one morning class on Tuesday and Thursday, but he'll have substitutes for his other classes.

sketch

Here is our official sketch for this year's Single Block Classic. Our plan is to carve a pair of star-crossed lovers, a realistic penguin and a mechanical penguin. The mechanical penguin's head bobs up and down when a wind-up-toy-style key is turned.

greetings, ice machine enthusiasts!

I am a terrible blogger. As all (three) of you know, I have failed to finish blogging about the 2008 World Ice Art Championships. Now a whole year has passed, and I find myself back at Belfair preparing for the 2009 event! Perhaps I will properly finish telling last year's tale at some point, but I want to start blogging about this year, so here is a quick summary: Lars and I constructed what we felt was our best sculpture yet, but the machine portion was non-functional. The primary mechanical problem was that we failed to make gears precise enough to mesh (so what else is new). We did, however, complete a giant half gear, several smaller gears, the flywheel, and axles. Then we made an abstract sculpture with rounded edges and round gears on one end and square edges and square gears (not even pretending to be functional) at the other end. It was great fun and hard work, and we ended up rather burnt out (a contributing factor to the non-blogging condition).

On to 2009! We are back in action with a great new design. We contemplated trying a non-mechanical sculpture this year (I suggested penguins). We also had an idea for a simpler, gear-less mechanical windmill. We ended up deciding that mechanical ice sculpture is our own particular. . . idiom, so a machine it will be. We combined the ideas and intend to produce a mechanical penguin. No gears!

Our goal has been to produce a mechanical sculpture that is visually interesting yet requires minimal preparation. We haven't constructed any new tools this year! I'm sure we'll enhance our arsenal in the future, but we needed a year without the hundreds of hours of tool preparation that has kept us so busy in the past. It will be fun to see what we can create using only previously developed tools and techniques.

Saturday, February 21, 2009

thanks, ShmooCon

Dominic and I had a great time at ShmooCon. Our talk was fun and well attended. Video of the talk will be posted "soon." Slides (PDF, ODP, PPT) and code are up.

We met a lot of great people and had some interesting feedback and discussions of new ideas. We're still working on this stuff, so hopefully we'll have something even better to show off later this year.

Thursday, February 05, 2009

see you at ShmooCon

Dominic Spill and I are presenting Building an All-Channel Bluetooth Monitor at ShmooCon this weekend. It should be fun!

Thursday, November 13, 2008

narrowing the hop search

Dominic Spill has been kind enough to correspond with me about my recent work on reversing the Bluetooth hopping sequence. He pointed out some interesting ideas he had proposed last May. One essential idea I had overlooked is that 6 bits of clock can be recovered along with the partial address from (almost) any frame. These clock bits can be used to narrow the search space of possible clock values.

In my original analysis, I looked at the hopping algorithm and assumed that an observer is somehow able to accurately measure the intervals between frames captured on one or more channels. I also assumed that the observer has partial knowledge of the master's address, but I did not consider partial knowledge of the master's clock.

How can the observer measure intervals between frames? The method Dominic proposed (and I overlooked) is to decode the 6 bits of the master's clock from each frame. Differences from one frame to the next reveal information about the interval between frames. Unfortunately, the six bits of clock only describe 64 different time slot intervals, yet there is an average of 79 slots between two frames on a single channel. When observing a single channel, a difference of 47 might indicate an interval of 47 slots, but it could also represent an interval of 111 slots (47 + 64). A more direct approach would be to count the number of samples between observed frames. Perhaps the best method would be to combine direct measurement with confirmation by decoded clock values.

No matter how the intervals are determined, the 6 decoded clock bits can be used to narrow the search space. My first simulations included a search through 134217728 possible clock values. Taking advantage of the 6 known clock bits, it is possible to reduce the search space to 2097152 possible values. I ran a new set of simulations to find out how much this helps.

In order to have 95% chance of a unique match, we could observe all 79 channels for 3/8 of a second (30 channel seconds processed). Alternatively, we could observe a single channel for 3/5 of a second (3/5 channel seconds processed).

When narrowing the search space by the 6 known clock bits, the observation time required when observing all 79 channels changes very little, but the time required when observing a single channel changes considerably. This result strengthens support of my conclusion that the most efficient method to reverse the hopping sequence is to monitor a single channel.

Wednesday, November 05, 2008

reversing the Bluetooth hopping sequence

Monitoring Bluetooth is hard. A Bluetooth piconet (a small network of two or more Bluetooth devices) continually hops through 79 adjacent channels, each 1 MHz wide. The piconet uses one channel at a time, hopping to a new channel 1600 times each second according to a pseudo-random channel sequence based on semi-secret information.

In order to capture all the transmissions of a particular piconet, a receiver must predict and execute the piconet's hopping sequence. (An alternative approach is to capture all 79 channels simultaneously and then throw out the 78 that are unused at any particular time after identifying the channel that is active for a particular time slot. I'm considering this to be too expensive, but it can be done and will become less expensive over time.)

We can only predict the hopping sequence if we know two pieces of information. The first is a portion (the 28 lowest bits) of the piconet master device's numeric address (the "MAC address" or more properly "BD_ADDR"), and the second is the master's clock, a 28 bit integer value that increments 3200 times per second. If we know both the address and the clock at a particular time, then we can correctly predict the hopping sequence forever. We just have to use the hopping algorithm dictated by the Bluetooth specification.

In 2007, Spill and Bittau demonstrated that the necessary portion of the address can be derived from the contents of any single frame. [update: see Thierry Zoller's comment below.] It is easy to capture a frame by listening on a single channel and waiting for the piconet to hop through it. With 79 channels and 1600 hops per second, this doesn't take long. All that we are then missing is the clock.

One way to acquire the clock is to join the piconet. When we successfully join, the master shares its clock with us so that we can follow along from then on. In order to join, we need to know the entire address of the master, not just the lowest 28 bits. Since we already know part of the address, the remaining bits can be guessed fairly easily (see Josh Wright's BNAP BNAP project). Armed with the complete address, we can attempt to join the piconet. This works in a great many cases, even when you might think it shouldn't, but it is possible that we could encounter a master device that will not let us join. It is also possible that we would prefer to monitor passively and do not want to interfere with the piconet in any way.

There is a way to acquire the clock passively by observing another device joining the piconet. Unfortunately, this requires some combination of luck and patience. If we don't have an opportunity to observe a device joining the piconet, this technique doesn't help us.

It is possible to reliably determine the master's clock completely passively, and that is by reversing the hopping sequence. That is, instead of using the hopping algorithm in the forward direction (determining the sequence from the clock), we use it in reverse (determining the clock from the hopping sequence). The hopping sequence repeats every 134217728 steps (28 clock bits minus one bit because it only hops every other clock cycle) with each step calculated from the address and clock. You can think of it as a static sequence based on the address with the clock value indicating the current index or position within the sequence. Using the address, we can pre-calculate the entire sequence. If we then observe a small number of hops taken by the target piconet, we can search through the complete sequence to find the index that matches the observed hops. This index is the clock.

At first, I thought this would be a great application for a high-bandwidth (79 MHz) software radio device. We could capture all 79 channels for a fraction of a second, do a bunch of number crunching to identify target frames and reveal a short segment of the hopping sequence, and then search through the complete sequence to find the clock. Even if we can't decode all 79 channels simultaneously in real time, we can probably do real time decoding of one channel at a time after (slowly) reversing the hopping sequence. Assuming that the pseudo-random hopping sequence is reasonably random, we would only need to observe a few hops in order to have a high probability of locating a unique match within the complete sequence; five hops ought to be enough in most cases.

Unfortunately, the pseudo-random hopping sequence is a long way from being reasonably random. The algorithm does a good job of spreading nearby time slots across a wide range of channels, but it does so with a great deal of repetition in the long run. If we capture all 79 channels for five hops, our chance of finding a unique match in the complete sequence is almost nil. Even after observing fifty consecutive hops we would have less than a 50% chance of success.

To illustrate this, I simulated the results for a large number of cases (with random address and random clock). This graph shows how often an observed sequence segment turned out to be unique for various observation periods. One set of simulations was done assuming a single observed channel, one with eight adjacent channels (randomly selected), and one with all 79 channels. When observing fewer than 79 channels, we miss many of the hops, but we are able to capture a frame each time the piconet hops through one of the observed channels.

It turns out that, in order to have a 95% chance of getting a unique match while observing all 79 channels, we have to capture not five hops, but about 650! This requires an observation period of about four tenths of a second and a great deal of computation. Multiplying the four tenths of a second by the number of channels observed (79), the result is about 32 channel seconds processed. At the other end of the scale, if we only observe a single channel, it takes about 2000 total hops (out of which only about 25 will be captured) to get to a 95% chance of a unique match. It takes almost a second longer of observation, but the number of channel seconds processed is only 1.25.

Adding channels helps quite a bit less than I expected. Regardless of the number of channels observed, the important thing is to capture frames that span a long enough period of time. Since the observation of more channels involves significantly more computation and more expensive hardware, it looks like the best way to reverse the hopping sequence is to listen to a single channel until a unique match is found.

Here is the code I used for the simulations. It includes a fast (I think) implementation of the hopping algorithm. Please let me know if you find any bugs! I'd love to hear from you if you find this interesting or useful.
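The search this post describes (precompute the whole sequence from the address, watch a single channel, find the index whose hops match what was seen) and the narrowing step from the "narrowing the hop search" post above (use the 6 clock bits decoded from a frame so that only every 64th index needs testing), as an added toy example. This is not the simulation code linked above: the hop kernel here is a SHA-256 stand-in and NOT the Bluetooth hop selection algorithm, the clock space is scaled down from 2^27 positions to 2^16 so that the exhaustive search runs in a couple of seconds, and the address, clock and channel values are made up. Because the stand-in kernel is effectively random, a handful of captured frames already gives a unique match, which is exactly the property the post found the real algorithm lacks.

```python
import hashlib

NUM_CHANNELS = 79
CLOCK_BITS = 16                   # the post has 27 bits of hop index; scaled down here (assumed)
SEQ_LEN = 1 << CLOCK_BITS
KNOWN_CLOCK_BITS = 6              # post: 6 clock bits decodable from (almost) any frame


def toy_hop(address: int, index: int) -> int:
    """Stand-in for the hop selection kernel: a hash of (address, index).
    Deliberately NOT the Bluetooth algorithm; it only has to be deterministic."""
    material = address.to_bytes(4, "big") + index.to_bytes(4, "big")
    digest = hashlib.sha256(material).digest()
    return int.from_bytes(digest[:4], "big") % NUM_CHANNELS


def precompute_sequence(address: int) -> list:
    """Step one from the post: with the address known, tabulate the whole
    sequence; the clock is then just a position in this table."""
    return [toy_hop(address, i) for i in range(SEQ_LEN)]


def observe_single_channel(sequence, true_clock, channel, n_hops):
    """Model a receiver parked on one channel for n_hops consecutive slots.
    It learns the slot offsets at which the piconet landed on that channel
    (a frame was captured); every other offset is implicitly a miss."""
    return [k for k in range(n_hops)
            if sequence[(true_clock + k) % SEQ_LEN] == channel]


def find_clock(sequence, channel, hits, n_hops, known_low_bits=None):
    """Search the table for every index consistent with the observation.
    With known_low_bits (the 6 clock bits decoded from a frame) only one
    candidate in 64 needs to be tried, as in the narrowing post."""
    hit_set = set(hits)
    misses = [k for k in range(n_hops) if k not in hit_set]
    if known_low_bits is None:
        candidates = range(SEQ_LEN)
    else:
        candidates = range(known_low_bits, SEQ_LEN, 1 << KNOWN_CLOCK_BITS)
    matches = []
    for idx in candidates:
        # Captured frames are the strong constraint, so test those first;
        # the misses only weed out the few candidates that survive.
        if all(sequence[(idx + k) % SEQ_LEN] == channel for k in hits) and \
           all(sequence[(idx + k) % SEQ_LEN] != channel for k in misses):
            matches.append(idx)
    return matches


def demo(n_hops=1500, address=0x0A1B2C3D, true_clock=0xBEEF, channel=17):
    """Run one trial with made-up address, clock and channel.  Returns the
    observed hit offsets, the full-search matches and the narrowed matches."""
    sequence = precompute_sequence(address)
    hits = observe_single_channel(sequence, true_clock, channel, n_hops)
    full = find_clock(sequence, channel, hits, n_hops)
    low = true_clock & ((1 << KNOWN_CLOCK_BITS) - 1)   # what a decoded frame would reveal
    narrowed = find_clock(sequence, channel, hits, n_hops, known_low_bits=low)
    return hits, full, narrowed


if __name__ == "__main__":
    hits, full, narrowed = demo()
    print(len(hits), "frames captured; candidates:", full, "narrowed:", narrowed)
```

Shortening n_hops in demo() shows the ambiguity the post's graph is about: with only a hundred slots watched, a single channel yields one or two frames at most and many table positions remain consistent with them. The narrowing step never removes the true clock; it only discards the 63 out of 64 positions whose low bits contradict what the frame decoded.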

Tuesday, August 12, 2008

mystery signal challenge results

Congratulations to Emily Metcalfe for winning the Mystery Signal Challenge I announced at my Black Hat talk! Emily correctly identified the signal as a DECT cordless phone and was awarded a 5-in-1 network admin's cable plus a throwing star LAN tap.

software radio at Black Hat and DEFCON

My Black Hat talk, Software Radio and the Future of Wireless Security went very well. Thanks to everyone who showed up. I've posted the final slides, demo code, and mystery signal stuff here.

Also at Black Hat were Olle's Mobitex talk and Kevin and Yoshi's talk on implantable medical devices. The Mobitex presentation was full of technical protocol details and described a method of decoding Mobitex traffic in software using sound card input from a radio receiver (more here). The medical devices talk was less technical but briefly covered wireless attacks on medical devices using the USRP (more here).

At DEFCON, NYCMIKE spoke about software-based decoding of pager networks. This was far less technical than Olle's talk, but it was nice to get a perspective from someone who just likes monitoring/scanning stuff. The canceled talk on MBTA vulnerabilities would have included a bit on using the USRP for everyone's favorite new hobby, attacking Mifare Classic RFID cards. It would have been nice to see their code. Thanks to the EFF for helping out on this one.

In his presentation at DEFCON, Rick pointed out the fact that the ath5k driver can be easily modified to tune wireless cards to a fairly impressive range of licensed bands. He also hinted that the cards might be able to be used as software radio devices for non-802.11 functions. I'm skeptical of this because it appears that ADC and DAC are tightly bound to PHY in the Atheros chipsets, but there are some interesting things like "i/q calibration" and "AR5K_ADDAC_TEST" that might be worth a closer look.

Software radio is certainly exploding in the security community. Maybe I should have called my talk, Software Radio and the Present of Wireless Security.

Thursday, February 28, 2008

working into the night

It is getting colder tonight, but we are making good progress and having a great time at the World Ice Art Championships. We've had to abandon our plan A design (and even plan B) due to a variety of problems including gear cutting difficulties and poor ice quality. We had one large gear mysteriously break over night, perhaps due to cracks in the original block. Our block has many cracks this year. I guess this year's ice just isn't that great because we've seen other blocks that are much worse than ours.

We have made some small gears successfully, and we are well on our way toward completing an alternate design. Most of our new tools have performed admirably this year, and we'll continue to use them tomorrow until the horn sounds at 9:00 PM.

Tuesday, February 26, 2008

and we're off!

The Single Block Classic began at 9:00 this morning, and we are carving our block to bits! We are on camera this year. Check out the web cam for our site throughout the next three days, or stop by for a visit if you are lucky enough to be enjoying the Fairbanks winter. The temperature is currently slightly above 0°F, which is much, much friendlier than last year. As of Tuesday lunch, we are on schedule.

Unfortunately it has been more difficult this year for me to get photos online, but the web cam should fill the gap a bit. Also, Dan is here taking a lot of pictures again, and I'm sure he'll be happy to share some for the blog when we have a little time to devote to the project.

So far we have sliced off a new face on the front end of our block and taken three slabs out from the rear portion. We've also marked axle hole drilling locations on the front face that is quite planar thanks to the chainsaw guide rails that Lars bolted right into the ice. This afternoon I'll be roughing out the gears and flywheel while Lars gets started on the axles. The lathe is just to the right of the web cam view, but we'll see if we can get the camera position adjusted.

Monday, February 25, 2008

blogging from Ice Park

Alas, the computers at Ice Park are not in very good shape, and they fail to handle USB mass storage devices correctly. I was hoping that a little CF/USB adapter would allow me to get photos from my camera to the blog in record time. Oh well.

We have registered and are about to check out the condition of our block. We are site number six. Who is number one?