Chaos-Sec-Lab: Grand Theft Auto – RF Locks Hacking Flipper-Zero Edition Part 2 (published 2023-10-31)<p><b><span lang="EN-US" style="font-size: 12pt; mso-bidi-font-size: 11.0pt;">0x00. INTRODUCTION</span></b></p><p class="MsoNormal" style="text-align: justify;"><span lang="EN-US">Previously, in part 1, we looked at
some common methods for hacking fixed-code RF locks, such as signal jamming, replay
and brute-force attacks. In part 2, we are going to look at more advanced
techniques for hacking the rolling codes of RF locks. This series of articles
is a beginner’s journey into RF lock hacking, performed with a
Flipper-Zero and other RF hacking tools. I hope each case study will help
people get a better idea of what they would need for hacking RF locks.<o:p></o:p></span></p><p class="MsoNormal" style="text-align: justify;"></p><div class="separator" style="clear: both; text-align: left;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEixlhpMmlKn_kpB1bAT7gIw-ArRsC5fVVneNsUehO8leq4gifsIjJV9TKqL_W2xdyC0XpUHYUleBPLpbAcmxorhj84v3HVwYP_8KHHi4vOTL1EgrzF5g2SNSFd__J3Orn4RcYjMWXnEwsFhosx7Ah91cXZTzCCuJU8rAdRn9rLbROs0HNdxWCDZ2wJmWX6_/s1205/aaaa.JPG" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1203" data-original-width="1205" height="279" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEixlhpMmlKn_kpB1bAT7gIw-ArRsC5fVVneNsUehO8leq4gifsIjJV9TKqL_W2xdyC0XpUHYUleBPLpbAcmxorhj84v3HVwYP_8KHHi4vOTL1EgrzF5g2SNSFd__J3Orn4RcYjMWXnEwsFhosx7Ah91cXZTzCCuJU8rAdRn9rLbROs0HNdxWCDZ2wJmWX6_/w280-h279/aaaa.JPG" width="280" /></a></div><div class="separator" style="clear: both; text-align: left;"><br /></div><p></p><p class="MsoNormal"><b><span lang="EN-US" style="font-size: 12pt; mso-bidi-font-size: 11.0pt;">0x01. PROPRIETARY ENCRYPTION <o:p></o:p></span></b></p><p class="MsoNormal" style="text-align: justify;"><span lang="EN-US">In part1 we mainly target RF locks that
rely on fixed codes. Fixed-code locks are vulnerable to replay attacks by design.
One way to prevent replay attacks is to implement a so-called rolling-code
mechanism. For example, the keyfob and the car are synchronized on the same rolling-code
algorithm. As the code changes with each use, we will not be able to
predict the next rolling code. The car will not accept the command
unless the rolling code is valid, so a simple replay attack will not work.</span></p><p class="MsoNormal" style="text-align: justify;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjYKsalOrIfly25quvLKmf8NGj9yC8z7_7oy2UjZc1NQ35ckYUA1rgilbwxUU_YjhJk70afi9vYuQq3PtIwc2eeb9UcgD2y6R16nyCUDSDAGsw1EPkQqxTz_XUFyHvdDFDn42qSdIZW6SIK1-zzP_0gNmJNKlkHhDYBJ5BdHLwyW6vtH9u-GJe9zWLKZqWY/s684/bbbb.JPG" style="margin-left: 1em; margin-right: 1em; text-align: left;"><img border="0" data-original-height="259" data-original-width="684" height="153" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjYKsalOrIfly25quvLKmf8NGj9yC8z7_7oy2UjZc1NQ35ckYUA1rgilbwxUU_YjhJk70afi9vYuQq3PtIwc2eeb9UcgD2y6R16nyCUDSDAGsw1EPkQqxTz_XUFyHvdDFDn42qSdIZW6SIK1-zzP_0gNmJNKlkHhDYBJ5BdHLwyW6vtH9u-GJe9zWLKZqWY/w379-h153/bbbb.JPG" width="379" /></a></p><p class="MsoNormal" style="text-align: justify;"><span lang="EN-US">When it
comes to designing a secure cryptosystem, people always say we should never use
untested proprietary encryption algorithms in our products.</span><span lang="EN-US"> However, there are always some “smart” people trying to challenge
this statement. Let's take this commercial RF remote control lock as an example.
What makes it very eye-catching is its advertising, which claims the lock
uses a “US military grade of rolling code” chip. What could possibly go wrong
then?</span><span lang="EN-US"><o:p></o:p></span></p><div class="separator" style="clear: both; text-align: left;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEizbveIMJHkT0nKEyHMhfs4Hu_F5HHsKg8c8CArhKV8Ybgn_zOUuCCwntJ3yrW5vnqcNuVlbO5-v6AMo9aAwxbU1k-iagole6BSd7nxHeQH5cdfFhksQNNjWhURj1BKIIjOSnSY1x_mwviYTcWiqdsk7n23I5PUNLmd0MzNaaeEQbWIEyGKj_zDWeMjY8Iv/s1080/cccc.JPG" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="750" data-original-width="1080" height="222" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEizbveIMJHkT0nKEyHMhfs4Hu_F5HHsKg8c8CArhKV8Ybgn_zOUuCCwntJ3yrW5vnqcNuVlbO5-v6AMo9aAwxbU1k-iagole6BSd7nxHeQH5cdfFhksQNNjWhURj1BKIIjOSnSY1x_mwviYTcWiqdsk7n23I5PUNLmd0MzNaaeEQbWIEyGKj_zDWeMjY8Iv/s320/cccc.JPG" width="320" /></a></div><div class="separator" style="clear: both; text-align: left;"><span style="text-align: justify;">As always, we can fire up our URH with
HackRF and capture some unlock signals as sample data to reverse engineer. Of
course, just to be sure, we try the replay attack first. However, the lock
did not respond, indicating that a rolling codes mechanism was indeed applied.</span></div><div class="separator" style="clear: both; text-align: left;"><span style="text-align: justify;"><br /></span></div><div class="separator" style="clear: both; text-align: left;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjjtoH_B5fB16ELf9YDCL-MSFFh_MtiBb_P56oAwFHyb2V2iDdIA36jNUrwuxNO1oO3KKDfFQ8eYOsh-wouIzRU8yjuvn5c8zh6VOi_szsYhURjjqMqhIH2Pqmj3i7xOnWa0Bq_OfCSpQ6L67h7POx0aYAK11CQllVjIGsokQvHzGqbfOEs5FJTYKBbsiRu/s563/dddd.JPG" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="334" data-original-width="563" height="216" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjjtoH_B5fB16ELf9YDCL-MSFFh_MtiBb_P56oAwFHyb2V2iDdIA36jNUrwuxNO1oO3KKDfFQ8eYOsh-wouIzRU8yjuvn5c8zh6VOi_szsYhURjjqMqhIH2Pqmj3i7xOnWa0Bq_OfCSpQ6L67h7POx0aYAK11CQllVjIGsokQvHzGqbfOEs5FJTYKBbsiRu/w364-h216/dddd.JPG" width="364" /></a></div><div class="separator" style="clear: both; text-align: left;"><span style="text-align: justify;"><br /></span></div><div class="separator" style="clear: both; text-align: left;"><span style="text-align: justify;">We need to go back and analyze those unlock
samples. For the sake of easy comparison, we view the data in hex mode and
decode it as Manchester. We soon found some interesting rolling-code
flaws: each unlock command changes only at the 15th, 31st and 47th bytes, and the change looks random, while
all other bytes remain the same. Not only that, the rolling code returns
to an already expired command value every 5 to 10 rounds. This indicates that the
keyspace of this proprietary rolling code is extremely small, and we do not
even need bruteforce to unlock it.</span></div><div class="separator" style="clear: both; text-align: left;"><span style="text-align: justify;"><br /></span></div><div class="separator" style="clear: both; text-align: left;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjzWIJj6jW2V71sZLQTcFVxiavQinaWK71g1sKzwC66FoBVXuWGqMylJn6t9LxMWOucpCtW8izvZBXmAGEJwldZmDz0y6oaEHVVudN9yvUfe711KDHJLZWmOm_mlKbZdqIceNVKkSaEso8IU26wyR8SDQldPw3HIVhg-c7RdfAE__LNVqeD_H3Aj7Vyt-Dv/s583/eeee.JPG" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="255" data-original-width="583" height="178" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjzWIJj6jW2V71sZLQTcFVxiavQinaWK71g1sKzwC66FoBVXuWGqMylJn6t9LxMWOucpCtW8izvZBXmAGEJwldZmDz0y6oaEHVVudN9yvUfe711KDHJLZWmOm_mlKbZdqIceNVKkSaEso8IU26wyR8SDQldPw3HIVhg-c7RdfAE__LNVqeD_H3Aj7Vyt-Dv/w366-h178/eeee.JPG" width="366" /></a></div><div><p class="MsoNormal" style="text-align: justify;"><span lang="EN-US">As you can see in the demo video below, we
only need to capture the unlocking command once, and then replay it repeatedly,
until the lock is finally unlocked. <o:p></o:p></span></p><p class="MsoNormal" style="text-align: justify;"></p><div class="separator" style="clear: both; text-align: left;"> <iframe allowfullscreen="" class="BLOG_video_class" height="334" src="https://www.youtube.com/embed/EruaGuE-cWI" width="402" youtube-src-id="EruaGuE-cWI"></iframe></div><p class="MsoNormal"><span lang="EN-US">In addition, Flipper-Zero can add some
well-known keyfob protocols manually. Take LiftMaster_315 as an example. It
implements a rolling-code mechanism. However, as you can see in the pictures
below, the counter value is predictable, and so is the key. Therefore, it is very
easy to capture then spoof an unlock command to such system.<o:p></o:p></span></p><p class="MsoNormal"></p><div class="separator" style="clear: both; text-align: left;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi-0buSQ9HP7yHH2Zo6Hi_X8x7S4XjIcC93vXEJaO-GmP3tFH7lK-toa9QONzDoZNNHerGFHBu1GxsIvbt07rw4fRY9aCdCu79ekfbuGakhmHy1SbMWhSfplXnD7rMiD4YdRjgKXiuz65hQsaXNcOK52ux7y21sR8JuutnHppnc4s1KTcpC8ayQ_gP4Xn1D/s4096/F9j11MNaUAAcAwg.jpg" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="3072" data-original-width="4096" height="264" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi-0buSQ9HP7yHH2Zo6Hi_X8x7S4XjIcC93vXEJaO-GmP3tFH7lK-toa9QONzDoZNNHerGFHBu1GxsIvbt07rw4fRY9aCdCu79ekfbuGakhmHy1SbMWhSfplXnD7rMiD4YdRjgKXiuz65hQsaXNcOK52ux7y21sR8JuutnHppnc4s1KTcpC8ayQ_gP4Xn1D/w352-h264/F9j11MNaUAAcAwg.jpg" width="352" /></a></div><div class="separator" style="clear: both; text-align: left;"><br /></div><div class="separator" style="clear: both; text-align: left;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiEwEMOpDuHNl12QFsQu9I6i3XX83AfaT_ZC385TrRkEfyr5AJjagrlD6245U8wYFoaVKSD-tONOgi_zDrprsmMrnP8OA_uyuYHMq6efgRJU1rLVmXRCw7hCZGfGbcuIV-dMmtAoYWbaDXrq-LyLqykpi2fSSAppHfHC27su3cD3eMw5fmIarUsq5SmqXs9/s4096/F9j1yd_bsAAppNS.jpg" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="3072" data-original-width="4096" height="266" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiEwEMOpDuHNl12QFsQu9I6i3XX83AfaT_ZC385TrRkEfyr5AJjagrlD6245U8wYFoaVKSD-tONOgi_zDrprsmMrnP8OA_uyuYHMq6efgRJU1rLVmXRCw7hCZGfGbcuIV-dMmtAoYWbaDXrq-LyLqykpi2fSSAppHfHC27su3cD3eMw5fmIarUsq5SmqXs9/w354-h266/F9j1yd_bsAAppNS.jpg" width="354" /></a></div><div class="separator" style="clear: both; text-align: left;"><br /></div><p></p><p class="MsoNormal"><b><span lang="EN-US" style="font-size: 12pt; mso-bidi-font-size: 11.0pt;">0x02. 
ROLLJAM ATTACK<o:p></o:p></span></b></p><p class="MsoNormal"><span lang="EN-US">Fortunately, most car manufacturers will
not use such naive designs for their door locks. They prefer to use their own
proprietary encryption algorithms instead. The picture below shows
a 2014 Jetta keyfob. Since Volkswagen keeps the algorithm secret, the
flipper-zero is not able to recognize it. <o:p></o:p></span></p><p></p><div class="separator" style="clear: both; text-align: left;"></div><div class="separator" style="clear: both; text-align: left;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgaKYLrNJPNBWcsYd73QhDC1v5BEqGxugFfxED5OXUVFTsVtIho_nUl7ucKdQ-YrWt_8PClerB7IgXdc7euoRUUosa-TXXoIXxPB272vBLRf-4ZGSKuzRkR7EYv5iexPNCOSSpxE-uNbS2T0ykN0dRS4o2ZTkx8ho5O_wFDzvWiiviSvVL1Y8wEoTce6at2/s4195/IMG_20231025_165213_edit_136891628395778.jpg" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="3840" data-original-width="4195" height="301" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgaKYLrNJPNBWcsYd73QhDC1v5BEqGxugFfxED5OXUVFTsVtIho_nUl7ucKdQ-YrWt_8PClerB7IgXdc7euoRUUosa-TXXoIXxPB272vBLRf-4ZGSKuzRkR7EYv5iexPNCOSSpxE-uNbS2T0ykN0dRS4o2ZTkx8ho5O_wFDzvWiiviSvVL1Y8wEoTce6at2/w329-h301/IMG_20231025_165213_edit_136891628395778.jpg" width="329" /></a></div><div class="separator" style="clear: both; text-align: left;"><span lang="EN-US" style="text-align: justify;"><br /></span></div><div class="separator" style="clear: both; text-align: left;"><span lang="EN-US" style="text-align: justify;">Again, we
use URH to analyze the Jetta keyfob packets. One nice feature of URH is that it
can highlight the sequence of packets in color, which
makes the analysis much easier. Each valid sequence of commands starts with
10101000, shown in green, as the sync word. </span></div><div><br /></div></div><div class="separator" style="clear: both; text-align: left;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh_yJi_S7A13lRe8TGIK1f2u3Ei22RRBfEd4UJRpUrZGxf2e0tB9wbbDmcY6NFxT2Cot7F9GbcHJ7yBuKyxccprj6FTwwNsJtm68BjtvjUWPHO2i18wpI0ZIlTt7C0OoWnlokHgCpSw3441PYvY-UPjiJ3wrh99Em_POLnzGs9NAWXOtnbNhhopa_GrdoKq/s1050/937445_QCSBBDEXPW4XD63.jpg" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="152" data-original-width="1050" height="74" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh_yJi_S7A13lRe8TGIK1f2u3Ei22RRBfEd4UJRpUrZGxf2e0tB9wbbDmcY6NFxT2Cot7F9GbcHJ7yBuKyxccprj6FTwwNsJtm68BjtvjUWPHO2i18wpI0ZIlTt7C0OoWnlokHgCpSw3441PYvY-UPjiJ3wrh99Em_POLnzGs9NAWXOtnbNhhopa_GrdoKq/w445-h74/937445_QCSBBDEXPW4XD63.jpg" width="445" /></a></div><div class="separator" style="clear: both; text-align: left;"><br /></div><div style="clear: both; text-align: justify;"><span face="等线">Bits 305 to 312, shown in red, are the operation command. For example, 00011100 is the command to open the door and 00101010 the command to close it. The blue part is the rolling code, which changes every time. 
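The comparison step used in sections 0x01 and 0x02 (aligning captures on the sync word, picking out the command and rolling-code fields, and seeing which bits change between presses), as an added example that is not code from the original post; it also flags any rolling-code value that reappears across captures, which is the weakness found in the first lock. The sync word, the command values and the 305 to 312 bit range are taken from the post; the 32-bit rolling field offset, the frame length and the sample frames are constructed assumptions.

```python
"""Bit-level comparison of captured keyfob frames (added example, not from the post).

Mimics what URH's compare view shows: frames aligned on the sync word, fields
at fixed bit offsets, the positions that vary between captures, and any
rolling-code value that reappears (a receiver that accepts it is replayable).
Sync word, command values and the 305-312 command field come from the post;
the rolling-code offset, frame length and sample frames are constructed.
"""
import random
from collections import Counter

SYNC_WORD = "10101000"                 # sync word named in the post
CMD_SLICE = slice(304, 312)            # post: bits 305 to 312 (1-based) are the command
CMD_NAMES = {"00011100": "open", "00101010": "close"}   # values quoted in the post
ROLL_SLICE = slice(312, 344)           # assumed: a 32-bit rolling field right after the command
FRAME_BITS = 400                       # assumed frame length for the constructed samples


def build_frame(command: str, rolling: int, seed: int = 7) -> str:
    """Construct a sample frame: sync word, constant filler, command, rolling field."""
    rng = random.Random(seed)          # fixed seed so the filler is identical in every frame
    bits = [rng.choice("01") for _ in range(FRAME_BITS)]
    bits[0:8] = SYNC_WORD
    bits[CMD_SLICE] = command
    bits[ROLL_SLICE] = format(rolling, "032b")
    return "".join(bits)


def parse_frame(bits: str) -> dict:
    """Split one frame into the fields the post identifies; reject frames without the sync word."""
    if not bits.startswith(SYNC_WORD):
        raise ValueError("frame does not start with the sync word")
    cmd = bits[CMD_SLICE]
    return {"command": CMD_NAMES.get(cmd, "unknown:" + cmd),
            "rolling": int(bits[ROLL_SLICE], 2)}


def varying_positions(frames: list[str]) -> list[int]:
    """0-based bit positions whose value differs between any two of the frames."""
    n = len(frames[0])
    if any(len(f) != n for f in frames):
        raise ValueError("frames must have equal length")
    return [i for i in range(n) if len({f[i] for f in frames}) > 1]


def varying_bytes(frames: list[str]) -> list[int]:
    """Same result collapsed to 1-based byte numbers, the way the post reports them."""
    return sorted({i // 8 + 1 for i in varying_positions(frames)})


def reused_rolling_codes(frames: list[str]) -> list[int]:
    """Rolling-code values that appear in more than one frame.

    A correct receiver never accepts a counter value at or below the last one it
    saw, so any value listed here means a captured command can be replayed.
    """
    counts = Counter(parse_frame(f)["rolling"] for f in frames)
    return sorted(v for v, c in counts.items() if c > 1)


if __name__ == "__main__":
    # Three unlock presses whose rolling field counts up: only the rolling bits change.
    healthy = [build_frame("00011100", r) for r in (0x1000, 0x1001, 0x1002)]
    print("varying bits:", varying_positions(healthy))       # [342, 343]
    print("varying bytes:", varying_bytes(healthy))          # [43]
    print("reused values:", reused_rolling_codes(healthy))   # []
    # Captures from a remote whose "rolling" value cycles back to an old value.
    weak = [build_frame("00011100", r) for r in (5, 6, 7, 5)]
    print("reused values:", reused_rolling_codes(weak))      # [5]
    # Open versus close differs in the command field as well.
    print("open vs close bits:", varying_positions([build_frame("00011100", 9),
                                                    build_frame("00101010", 9)]))
```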
</span></div><br /><div class="separator" style="clear: both; text-align: left;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhiQ3KNd0dzC7BUVFUJrGvtxpc4jEdV6wfhNuLlGdI_lsvxbWLaPUE71o9aiJgUrSQMM6JSD4hhk0kvMh5JU1KOoSmSl95A7jyk7mOQvqBKRNBFVHYEimyDkXuiqlupaP6cn5Cnqmoh5rZnUwZ73n_gNRXX5wUSrXkDcw7Jk3MTe69zHuF8JyyiBXt4eBU7/s1196/937445_GV8SDY2UTFJYY9H.jpg" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="180" data-original-width="1196" height="68" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhiQ3KNd0dzC7BUVFUJrGvtxpc4jEdV6wfhNuLlGdI_lsvxbWLaPUE71o9aiJgUrSQMM6JSD4hhk0kvMh5JU1KOoSmSl95A7jyk7mOQvqBKRNBFVHYEimyDkXuiqlupaP6cn5Cnqmoh5rZnUwZ73n_gNRXX5wUSrXkDcw7Jk3MTe69zHuF8JyyiBXt4eBU7/w452-h68/937445_GV8SDY2UTFJYY9H.jpg" width="452" /></a></div><div class="separator" style="clear: both; text-align: justify;"><p class="MsoNormal" style="text-align: left;"><span lang="EN-US">URH comes with a
comparison function that can be used to compare and analyze the rolling code
parts between different commands.</span><span lang="EN-US"><o:p></o:p></span></p></div><div class="separator" style="clear: both; text-align: left;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi09IRPQQtM_MJMpciaBZY04McK2kMXgjg6ZAzDti3SjyuEwHseSL5-MeoUsKVJ0zWRUh136sn8x6T0wWolphHU0dKN-TKSF5YfcDtHCrzA8E-MHZsY11LGxCAYJOtH-XKo6JMaeu0irJw7IPLk5Fczs_4RxUPrS4dkatWEFr0oJ-xiHcWmB81XpiY8ugDy/s1094/937445_5SUB26SJDF3JJGV.jpg" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="115" data-original-width="1094" height="49" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi09IRPQQtM_MJMpciaBZY04McK2kMXgjg6ZAzDti3SjyuEwHseSL5-MeoUsKVJ0zWRUh136sn8x6T0wWolphHU0dKN-TKSF5YfcDtHCrzA8E-MHZsY11LGxCAYJOtH-XKo6JMaeu0irJw7IPLk5Fczs_4RxUPrS4dkatWEFr0oJ-xiHcWmB81XpiY8ugDy/w463-h49/937445_5SUB26SJDF3JJGV.jpg" width="463" /></a></div><div class="separator" style="clear: both; text-align: left;"><p class="MsoNormal" style="text-align: justify;"><span lang="EN-US">As you
can see in the demo video below, since modern cars have implemented
a proprietary rolling-code mechanism, we can only replay the unlock command
once.<o:p></o:p></span></p><p class="MsoNormal" style="text-align: justify;"></p><div class="separator" style="clear: both; text-align: left;"> <iframe allowfullscreen="" class="BLOG_video_class" height="303" src="https://www.youtube.com/embed/kNzH_on9HlM" width="364" youtube-src-id="kNzH_on9HlM"></iframe></div><p></p><p class="MsoNormal" style="text-align: justify;"><span lang="EN-US">Years ago, a security researcher, Samy Kamkar, came up with an idea that can
manipulate certain rolling-code systems. He called it the Rolljam attack. How
the Rolljam attack works is well explained in the slides below. It
works by jamming the target radio signal at a slightly offset frequency while
recording the keyfob's signal through a tight receiver filter bandwidth at the
same time. Since the first unlock signal is blocked, the car door will not
unlock and the car owner will likely try again. The attacker again records and
blocks the second signal, but this time also replays the first
code to unlock the car door.<o:p></o:p></span></p><div class="separator" style="clear: both; text-align: left;"></div><div class="separator" style="clear: both; text-align: left;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhoBQ0UFIqhxLVCD1Wf5F7LskCRuVBv6nBWf4SwbOiO2tjrRD4vhVCBgCl27PwcTAKxinL5-Z0uZVaU6VRqbz9shH4WJ06KQLxkaYX1kjjjZVrLQotPOgjI0-GlDuJoDG3MYq7loK-DETdAfWOG24g-ArjE0PPXPxfPgo38pBSDNhDSNtkGYiX-G2ADVNLN/s886/Rolljam.jpg" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="640" data-original-width="886" height="272" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhoBQ0UFIqhxLVCD1Wf5F7LskCRuVBv6nBWf4SwbOiO2tjrRD4vhVCBgCl27PwcTAKxinL5-Z0uZVaU6VRqbz9shH4WJ06KQLxkaYX1kjjjZVrLQotPOgjI0-GlDuJoDG3MYq7loK-DETdAfWOG24g-ArjE0PPXPxfPgo38pBSDNhDSNtkGYiX-G2ADVNLN/w377-h272/Rolljam.jpg" width="377" /></a></div><div class="separator" style="clear: both; text-align: left;"> <span style="font-size: x-small;"> (Source
from Samy Kamkar)</span></div><div class="separator" style="clear: both; text-align: justify;"><br /></div><div class="separator" style="clear: both; text-align: justify;">As you
can see in the demo video of the Rolljam attack below, the HackRF is used as
a signal jammer, and Yardstick 1 as the recorder and transmitter.</div><div class="separator" style="clear: both; text-align: justify;"><br /></div><div class="separator" style="clear: both; text-align: left;"> <iframe allowfullscreen="" class="BLOG_video_class" height="318" src="https://www.youtube.com/embed/Yesp2NRBiCM" width="382" youtube-src-id="Yesp2NRBiCM"></iframe></div><div class="separator" style="clear: both; text-align: left;"><p class="MsoNormal" style="text-align: justify;"><span lang="EN-US">Since
the Rolljam attack needs a jammer and a recorder working at the same time, we can use
HackRF and Flipper-Zero as combo tools for this attack.</span></p><p class="MsoNormal" style="text-align: justify;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgYvG7wd42W6x1NXgqmCmYdR1TwTPSc1K1kILj9oDFG5zj-FTY0PPofMkW4ILOvv_lGbP37lye1zMq4B7Gfsh0DcJfdJP8shgNuQ9O3xlNFUpRufK36gftSB9An3WmaKhkiNWHk80kafGGH92dTFACkLXdfxX_uAF8CE_-rOwlA0jrHVCkTWPaHfyt97lU6/s752/%E5%9B%BE%E7%89%87_0880c08b0110f5f78311.JPG" style="margin-left: 1em; margin-right: 1em; text-align: left;"><img border="0" data-original-height="474" data-original-width="752" height="229" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgYvG7wd42W6x1NXgqmCmYdR1TwTPSc1K1kILj9oDFG5zj-FTY0PPofMkW4ILOvv_lGbP37lye1zMq4B7Gfsh0DcJfdJP8shgNuQ9O3xlNFUpRufK36gftSB9An3WmaKhkiNWHk80kafGGH92dTFACkLXdfxX_uAF8CE_-rOwlA0jrHVCkTWPaHfyt97lU6/w363-h229/%E5%9B%BE%E7%89%87_0880c08b0110f5f78311.JPG" width="363" /></a></p><p class="MsoNormal" style="text-align: justify;"><span style="font-size: small; text-align: left;"> (Source
from @takeapart)</span></p><p class="MsoNormal" style="text-align: justify;"><span style="font-size: small; text-align: left;"><br /></span></p></div></div><div class="separator" style="clear: both; text-align: left;"><p class="MsoNormal"><b><span lang="EN-US" style="font-size: 12pt; mso-bidi-font-size: 11.0pt;">0x03. ROLLING-PWN </span></b><span lang="EN-US"><o:p></o:p></span></p></div><div class="separator" style="clear: both; text-align: left;"><p class="MsoNormal" style="text-align: justify;"><span lang="EN-US">In
2021, I found a very interesting yet scary car lock vulnerability, which
affected all Honda vehicles currently on the market globally from year
2012 up to year 2023. All Honda vehicles allow a replay of already expired
commands in a consecutive sequence to unlock the car door permanently. <o:p></o:p></span></p><p class="MsoNormal" style="text-align: justify;"></p><div class="separator" style="clear: both; text-align: justify;"> <iframe allowfullscreen="" class="BLOG_video_class" height="313" src="https://www.youtube.com/embed/BtYhD1X_L3A" width="376" youtube-src-id="BtYhD1X_L3A"></iframe></div><p></p><p class="MsoNormal" style="text-align: justify;"><span lang="EN-US">The
CVE-2021-46145 was assigned to this bug, and I have written an article
dedicated to it (</span><span lang="EN-US"><a href="https://rollingpwn.github.io/rolling-pwn">https://rollingpwn.github.io/rolling-pwn</a></span><span lang="EN-US">). Special thanks to researcher
Rob Stumpf, who helped us verify the bug with his own 2021 Honda Accord in the
US.</span><span lang="EN-US"> </span><span lang="EN-US"><o:p></o:p></span></p><p class="MsoNormal" style="text-align: justify;"></p><div class="separator" style="clear: both; text-align: left;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgz6XCUsuqfFqBBDxqtIK5xtoqEbcVsYVktd795DuQTXkPbFX1MBocHgh4wFmzP2f5hadhQdZ99PmMVFFYRscMhqMR-gzmqF4WeQIWywQxjKRQzrd3RcdtYS_X6wSOg8eCJcpeRscnyI-OqI9Wx4CnpqWt6q0taq-w-5F0tHA09WxN4WsRDs_bw5uSunaAg/s1078/Honda-Vulnerability.jpg" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1078" data-original-width="1038" height="272" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgz6XCUsuqfFqBBDxqtIK5xtoqEbcVsYVktd795DuQTXkPbFX1MBocHgh4wFmzP2f5hadhQdZ99PmMVFFYRscMhqMR-gzmqF4WeQIWywQxjKRQzrd3RcdtYS_X6wSOg8eCJcpeRscnyI-OqI9Wx4CnpqWt6q0taq-w-5F0tHA09WxN4WsRDs_bw5uSunaAg/w262-h272/Honda-Vulnerability.jpg" width="262" /></a></div><div class="separator" style="clear: both; text-align: justify;"><span style="font-size: small;"> (Source
from @RobDrivesCars)</span></div><p></p><div class="separator" style="clear: both; text-align: left;"></div><p class="MsoNormal" style="text-align: justify;"><span lang="EN-US">Moreover,
Honda officially acknowledged the bug. However, Honda concluded that this is a low
risk to customers, and that Honda regularly improves security features as new models
are introduced that would thwart this and similar approaches. Fingers crossed.<o:p></o:p></span></p><div class="separator" style="clear: both; text-align: left;"></div><p class="MsoNormal" style="text-align: justify;"></p><div class="separator" style="clear: both; text-align: left;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEinXHaJ_cnq3qOVLD166yyAqHuhcNoyjNahZISMTG7dvgTMi376uLsrOHRWV5jpxO7fgT88V9r9vGJywZ2TNS-4o6g7EVIpRek-lUq-GswMy_G9eOgdpyRuOfFdrh0XYHTVEda13NvDl6B15_bl4Vn8eYifdS4o9OImud5w2SVVhhErUu_f6isNVRRol0fv/s690/ffff.JPG" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="458" data-original-width="690" height="275" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEinXHaJ_cnq3qOVLD166yyAqHuhcNoyjNahZISMTG7dvgTMi376uLsrOHRWV5jpxO7fgT88V9r9vGJywZ2TNS-4o6g7EVIpRek-lUq-GswMy_G9eOgdpyRuOfFdrh0XYHTVEda13NvDl6B15_bl4Vn8eYifdS4o9OImud5w2SVVhhErUu_f6isNVRRol0fv/w415-h275/ffff.JPG" width="415" /></a></div><div class="separator" style="clear: both; text-align: justify;"><br /></div><div class="separator" style="clear: both; text-align: left;"><span style="text-align: justify;">In late
August 2022, a group of researchers from Singapore presented a talk at Black Hat USA
addressing the same issue, and they found that the bug also affected many other
brands of cars. As we mentioned in the Rolling-Pwn article, we knew about this.</span></div><div class="separator" style="clear: both; text-align: left;"><span style="text-align: justify;"><br /></span></div><div class="separator" style="clear: both; text-align: left;"><span style="text-align: justify;">However, we kept quiet about which other brands were also affected by the bug
at that time, because we were busy preparing for a Pwn2Own-style hacking
competition called GeekPwn, and one of our modern smart car targets for the
competition was vulnerable to the bug. </span><span style="text-align: justify;">Luckily, we
won second runner-up in the end. As you can see in the picture below, we used
a high-gain antenna to pwn those two different brands of cars from a fairly long
distance.</span></div><p></p><p class="MsoNormal"><span lang="EN-US"><o:p></o:p></span></p><div class="separator" style="clear: both; text-align: left;"></div><p class="MsoNormal" style="text-align: justify;"></p><div class="separator" style="clear: both; text-align: left;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh2zMETO4eA7ckiE1qNwVEGfz58bQ9ZU4smaoBT3-fMqRY9qd5CV7QF4L_nliCK_YypkYFIHbRnuzQm3UAPkYxS16x2ptTfLlYrj5vTUC0Wng8YQo_RhBVWbjwLspHs9gOy1WRuZ2lwmMk5pqCOvu8jwP11nQN7sxr1ScNzj8-JyYWuBpsERIbRoP8mnVaL/s1080/%E5%9B%BE%E7%89%87_0880c08b0110f9a1b121.jpg" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="740" data-original-width="1080" height="240" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh2zMETO4eA7ckiE1qNwVEGfz58bQ9ZU4smaoBT3-fMqRY9qd5CV7QF4L_nliCK_YypkYFIHbRnuzQm3UAPkYxS16x2ptTfLlYrj5vTUC0Wng8YQo_RhBVWbjwLspHs9gOy1WRuZ2lwmMk5pqCOvu8jwP11nQN7sxr1ScNzj8-JyYWuBpsERIbRoP8mnVaL/w350-h240/%E5%9B%BE%E7%89%87_0880c08b0110f9a1b121.jpg" width="350" /></a></div><br /><div class="separator" style="clear: both; text-align: justify;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEivsRgSeCPHyxxvyqEt1LbDl0mjaVw9u8XeSYenq_SJCM9Y-JH9gi9cqT-jv4_MFK1MGFO9kjXYZ8P40iwIdiD-lTF-o2u7brJlim8GV2b5f3sPNGb_HYawI9FBtyg8V8ES1Q2aicVKqLTVEdfILT6S_12KGLyYyVRmQd7jhBtvF6olKtj2ClWiyH3kTc44/s300/%E5%9B%BE%E7%89%87_0880c08b0110f9e18127.jpg" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="300" data-original-width="285" height="304" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEivsRgSeCPHyxxvyqEt1LbDl0mjaVw9u8XeSYenq_SJCM9Y-JH9gi9cqT-jv4_MFK1MGFO9kjXYZ8P40iwIdiD-lTF-o2u7brJlim8GV2b5f3sPNGb_HYawI9FBtyg8V8ES1Q2aicVKqLTVEdfILT6S_12KGLyYyVRmQd7jhBtvF6olKtj2ClWiyH3kTc44/w289-h304/%E5%9B%BE%E7%89%87_0880c08b0110f9e18127.jpg" width="289" /></a></div><br /><p></p><p class="MsoNormal"><b><span lang="EN-US" style="font-size: 12pt; mso-bidi-font-size: 
11.0pt;">0x04. KEELOQ DECRYPTION<o:p></o:p></span></b></p><p class="MsoNormal"><span lang="EN-US">In the world of
crypto, there is the well-known Kerckhoffs principle: a cryptosystem should be
secure even if the attacker knows all the details about the system except the
secret key. However, have you ever wondered what happens if that secret key
leaks from the manufacturer, or a default manufacturer key from the datasheet is used in
the final products? These kinds of incidents are not uncommon; remember the
MIFARE Crypto-1 default key hacks, anyone? Let’s take a widely used rolling-code
algorithm called Keeloq as an example.<o:p></o:p></span></p><div class="separator" style="clear: both; text-align: left;"></div><div class="separator" style="clear: both; text-align: left;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgzANv9Gypo9SLdCKOcxmQE24M1HSVKMTNUevVELK5VKjChyphenhyphenDVum1MfGsfTweR8R12zGGoqGpFOspI4PWmq9Ntdtwh8kycLQTBtp94VbFXcE2e0y1lojk5uT469LkUC_woQFue6_H2VQDa7aueBwGnj9Ux8rN_i0jFT4GeRWjwVTZziM8kZXwzZr11TtKn2/s4800/%E5%9B%BE%E7%89%87_0880c08b0110faa3d727.jpg" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="3752" data-original-width="4800" height="291" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgzANv9Gypo9SLdCKOcxmQE24M1HSVKMTNUevVELK5VKjChyphenhyphenDVum1MfGsfTweR8R12zGGoqGpFOspI4PWmq9Ntdtwh8kycLQTBtp94VbFXcE2e0y1lojk5uT469LkUC_woQFue6_H2VQDa7aueBwGnj9Ux8rN_i0jFT4GeRWjwVTZziM8kZXwzZr11TtKn2/w373-h291/%E5%9B%BE%E7%89%87_0880c08b0110faa3d727.jpg" width="373" /></a></div><div class="separator" style="clear: both; text-align: left;"><p class="MsoNormal" style="text-align: justify;"><span lang="EN-US">KeeLoq is
a proprietary cipher owned by Microchip. It is widely used in keyfob systems by
car companies such as Honda, Toyota, Volvo, the Volkswagen Group and so on. If we
find an HCS200 or HCS300 series chip inside the keyfob, we are
facing a KeeLoq-based system. In March 2008, researchers from Ruhr
University Bochum broke KeeLoq with side-channel analysis.
By measuring the power consumption of a device during encryption, the
researchers could extract the manufacturer key from the receivers and the remote
control.</span></p></div></div><div class="separator" style="clear: both; text-align: left;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi9t50hZf-_r-IUyAWXcELbJGv73JTBOcdBcnMFZ47ocCPXtBtzog32_7bLoOXHfZu0QVq1KAHCpj5U5TcxT8sQMU_A7IE_B4adNezq7lmuopryoCOwL4MMhOdSilsXta2e-AHxjhsLmY_vSWXDJkLDIc5BSdO3sTfN183f2NSzJDkVxEEDEGPPs5GeJe2b/s756/937445_VNWY42YX45MWC9E.jpg" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="592" data-original-width="756" height="289" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi9t50hZf-_r-IUyAWXcELbJGv73JTBOcdBcnMFZ47ocCPXtBtzog32_7bLoOXHfZu0QVq1KAHCpj5U5TcxT8sQMU_A7IE_B4adNezq7lmuopryoCOwL4MMhOdSilsXta2e-AHxjhsLmY_vSWXDJkLDIc5BSdO3sTfN183f2NSzJDkVxEEDEGPPs5GeJe2b/w368-h289/937445_VNWY42YX45MWC9E.jpg" width="368" /></a></div><div class="separator" style="clear: both; text-align: justify;"><br /></div><div class="separator" style="clear: both; text-align: justify;">When we
connect the HCS201 chip to an oscilloscope or logic analyzer, we can see
KeeLoq's signal waveform. First, there is a preamble at the start of the
signal, followed by the rolling code, serial number, function code and status
code.</div><br /><div class="separator" style="clear: both; text-align: left;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgDPR3RWLE8CbR4jaZxs_g_H5OBU6dGEEGhlopTPKBsYybywKYkiBp-BVqiurQdqHYDqpieOZIEsyxvayorqP5wjmn987oH4G7cNFsqEmsLQ1y64kODYFRxYX60Z_prsm9gKO2o9gIts1yZ10yDgyMjIXNhSxktITkELp6Dx0_MCyavobBq0TH_WyYTnkBM/s1076/937445_8MAH8QNWCJQ7AHU.jpg" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="886" data-original-width="1076" height="263" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgDPR3RWLE8CbR4jaZxs_g_H5OBU6dGEEGhlopTPKBsYybywKYkiBp-BVqiurQdqHYDqpieOZIEsyxvayorqP5wjmn987oH4G7cNFsqEmsLQ1y64kODYFRxYX60Z_prsm9gKO2o9gIts1yZ10yDgyMjIXNhSxktITkELp6Dx0_MCyavobBq0TH_WyYTnkBM/s320/937445_8MAH8QNWCJQ7AHU.jpg" width="320" /></a></div><div class="separator" style="clear: both; text-align: left;"><br /></div><div class="separator" style="clear: both; text-align: left;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEilp5Fq0Hd97Ym0DNQuHk38rifmVZ1xDE3dCRafay5A4zB8rSB_C7UIz8BBAun0yOjHXOZJ_xv7AiEoLPL1CUwYy7IdBFjTmd1RSZBKBFfY3JsxXFmMggGE2kg65Xg01jLbbJhkzsazcmm8r3c5_jIiupSuReWpSkIV5a56gRaIGZd_NmC3GDwiXeXyqua0/s1398/937445_3HEC8QST4QWXZEA.jpg" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1398" data-original-width="1132" height="242" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEilp5Fq0Hd97Ym0DNQuHk38rifmVZ1xDE3dCRafay5A4zB8rSB_C7UIz8BBAun0yOjHXOZJ_xv7AiEoLPL1CUwYy7IdBFjTmd1RSZBKBFfY3JsxXFmMggGE2kg65Xg01jLbbJhkzsazcmm8r3c5_jIiupSuReWpSkIV5a56gRaIGZd_NmC3GDwiXeXyqua0/w319-h242/937445_3HEC8QST4QWXZEA.jpg" width="319" /></a></div><div class="separator" style="clear: both; text-align: left;"><br /></div><div class="separator" style="clear: both; text-align: justify;">Keeloq
data structure has a total of 66 bits: 32 bits of rolling code, 28 bits of
serial number, 4 bits of button function code and 2 bits of status
code. The encoding is PWM.</div><br /><div class="separator" style="clear: both; text-align: left;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhVMhSgEt3Jm-nPQGRg6fcnTav27sf-E9UagKMI20u3cW0Jeh1yA3Xio46IP71p0FJO3nnl2UB-u93GLP5QBaWENZd3MqreZXi2td0enR8U1RXckmzV5PGUV2DEPCOG4sR_AkfAlsL-pa3VQLjoE0-UuhPVbhA3mC6twhY-apGZ9LWEGTCW39nKj7Q3l0J-/s375/gggg.JPG" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="47" data-original-width="375" height="53" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhVMhSgEt3Jm-nPQGRg6fcnTav27sf-E9UagKMI20u3cW0Jeh1yA3Xio46IP71p0FJO3nnl2UB-u93GLP5QBaWENZd3MqreZXi2td0enR8U1RXckmzV5PGUV2DEPCOG4sR_AkfAlsL-pa3VQLjoE0-UuhPVbhA3mC6twhY-apGZ9LWEGTCW39nKj7Q3l0J-/w425-h53/gggg.JPG" width="425" /></a></div><div class="separator" style="clear: both; text-align: left;"><br /></div><div class="separator" style="clear: both; text-align: justify;">In terms
of encryption key generation, Keeloq has three modes: simple, standard and
secure. In simple mode, every keyfob shares the same manufacturer's secret key. In
standard mode, each keyfob's encryption key is unique. Taking standard encryption
as an example, assume the serial number is 0x1234567. First, prefix the serial
number with 2, giving 0x21234567, and encrypt it with the manufacturer's secret key
to get the 32-bit LSB, 0x89074278. Second, prefix the serial number with 6, giving
0x61234567, and encrypt it again with the manufacturer's secret key to get the
32-bit MSB, 0x0516FBE9. The encryption
key to this is 0x0516FBE989074278.</div><br /><div class="separator" style="clear: both; text-align: left;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjWzZNaTuWXEKZmUTDZTzbcBLyZMcmBIbwn1XAl545lxFLoFcjgFI4wrqzMhGD5BSdA5n1CmdqMPB4dLv6gHHttZgUDfjbVWHnHGtt4epNUyr1pMhAAkzqKs-fykXLvdih870Q2TlQvxK1d2BnsaG-T0A9a_EzZ-ofWQesBfRqEimPs-IGocahGF_HRD5CZ/s841/937445_XESD2ADW2FAMX9T.jpg" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="548" data-original-width="841" height="235" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjWzZNaTuWXEKZmUTDZTzbcBLyZMcmBIbwn1XAl545lxFLoFcjgFI4wrqzMhGD5BSdA5n1CmdqMPB4dLv6gHHttZgUDfjbVWHnHGtt4epNUyr1pMhAAkzqKs-fykXLvdih870Q2TlQvxK1d2BnsaG-T0A9a_EzZ-ofWQesBfRqEimPs-IGocahGF_HRD5CZ/w359-h235/937445_XESD2ADW2FAMX9T.jpg" width="359" /></a></div><div class="separator" style="clear: both; text-align: left;"><p class="MsoNormal" style="text-align: justify;"><span lang="EN-US">We can
use the simulator to demonstrate it in practice. Here we set the manufacturer's
secret key to 0123456789ABCDEF, the serial number to 4141410, and the counter
starts from 2600.<o:p></o:p></span></p></div><div class="separator" style="clear: both; text-align: left;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjfSnm5LCx07CaT_AAjK-6ggoxIRoH6qY1cGfJCFE8v2B6LgBxuC4eGUIcpQUCXhQMli5fJrkr_J5kRCtFSrOs1kA5O6hB92igja1eoHWmBqQjHNrBT7jgE6j6VmQY4-47UpQwXcQ4ZJEDa2gztduTjHcqroCHnWOWoNEN4uq1bcLiqRTAmcOM_-rSWclIE/s565/hhhh.JPG" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="341" data-original-width="565" height="226" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjfSnm5LCx07CaT_AAjK-6ggoxIRoH6qY1cGfJCFE8v2B6LgBxuC4eGUIcpQUCXhQMli5fJrkr_J5kRCtFSrOs1kA5O6hB92igja1eoHWmBqQjHNrBT7jgE6j6VmQY4-47UpQwXcQ4ZJEDa2gztduTjHcqroCHnWOWoNEN4uq1bcLiqRTAmcOM_-rSWclIE/w375-h226/hhhh.JPG" width="375" /></a></div><div><br /></div><div style="text-align: justify;">After
analyzing the packets with URH, we can see that the 28-bit serial number is
indeed 4141410.</div><div style="text-align: justify;"><br /></div><div class="separator" style="clear: both; text-align: left;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjnQEhInS5AGPMLlD62lRN8yjsHuirRlBbJWRsji3l1MAsh0nFpmCQMOSNt5pnjavdYpSFVk8KPAdYMlcFRnKH6kYrIqG5Dj_Dp6HM5CW01NknC4pl0YECWtsEKsbPG6Hwrp5t7bI3_vQisgMXw3T_g27Tt-FHISsS20ddecCppvlXeqzQ9QZ4ZgueKBD6z/s581/iiii.JPG" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="484" data-original-width="581" height="300" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjnQEhInS5AGPMLlD62lRN8yjsHuirRlBbJWRsji3l1MAsh0nFpmCQMOSNt5pnjavdYpSFVk8KPAdYMlcFRnKH6kYrIqG5Dj_Dp6HM5CW01NknC4pl0YECWtsEKsbPG6Hwrp5t7bI3_vQisgMXw3T_g27Tt-FHISsS20ddecCppvlXeqzQ9QZ4ZgueKBD6z/w399-h300/iiii.JPG" width="399" /></a></div><div class="separator" style="clear: both; text-align: left;"><br /></div><p class="MsoNormal" style="text-align: justify;"><span lang="EN-US">The
32-bit rolling code contains key information, such as the counter used to prevent a
replay attack.<o:p></o:p></span></p><p class="MsoNormal" style="text-align: justify;"></p><div class="separator" style="clear: both; text-align: left;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiWGeMHDngjDI6DvDQ1lol8n2WA7qAiqNRcd6wEBqT6Ox26WhUwaCBDT3PEdCV5Bsc-38tzaOEcd6DX1HA5ftz0VuCMAPZ1P-UkXIDNaBYpZkQXMhIOzlCfNR0wFgqb1BoZcPiIAJdCvOoSqs69GzV0tk_LvdpuUIlXHoJzLyDhuKfu0WOWL1MYFQQTlf62/s574/jjjj.JPG" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="240" data-original-width="574" height="158" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiWGeMHDngjDI6DvDQ1lol8n2WA7qAiqNRcd6wEBqT6Ox26WhUwaCBDT3PEdCV5Bsc-38tzaOEcd6DX1HA5ftz0VuCMAPZ1P-UkXIDNaBYpZkQXMhIOzlCfNR0wFgqb1BoZcPiIAJdCvOoSqs69GzV0tk_LvdpuUIlXHoJzLyDhuKfu0WOWL1MYFQQTlf62/w377-h158/jjjj.JPG" width="377" /></a></div><p></p><p class="MsoNormal" style="text-align: justify;"><span lang="EN-US">As mentioned earlier, if the default manufacturer key has been used, we can
decrypt the 32-bit rolling codes with the program. In the decrypted messages, the rolling
codes appear in sequence, matching the starting value of
2600 we set earlier.<o:p></o:p></span></p><div class="separator" style="clear: both; text-align: left;"></div><p class="MsoNormal" style="text-align: justify;"></p><div class="separator" style="clear: both; text-align: left;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEguG9Boqdohyphenhyphen4y5sni5AYMCgfaeJo3pkl9UZAQLhHEeXmzwh-Hj1fu5SkpoTNSnR7x0kcWp29KFuHmh2pPuSd2o1Q-5z2wFphEspr7yBWl3tFHv5pDn47jjRgJjnTx8I3VUyHyXzd_1vPfY05MvSt9AApkAwfMM579dQ5SFPEfE-dPZ1oRp9j8-CpW-mY1P/s597/kkkk.JPG" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="186" data-original-width="597" height="155" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEguG9Boqdohyphenhyphen4y5sni5AYMCgfaeJo3pkl9UZAQLhHEeXmzwh-Hj1fu5SkpoTNSnR7x0kcWp29KFuHmh2pPuSd2o1Q-5z2wFphEspr7yBWl3tFHv5pDn47jjRgJjnTx8I3VUyHyXzd_1vPfY05MvSt9AApkAwfMM579dQ5SFPEfE-dPZ1oRp9j8-CpW-mY1P/w496-h155/kkkk.JPG" width="496" /></a></div><div class="separator" style="clear: both; text-align: left;"><br /></div><div class="separator" style="clear: both; text-align: left;">As you
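can tell from the decrypted counters, all a receiver needs in order to reject a replayed frame is that counter and the last value it accepted.</div><div class="separator" style="clear: both; text-align: justify;">Added Python example (not code from the original post, the Microchip datasheets or the Flipper firmware) covering the 66-bit frame layout and key derivation described above together with the receiver's counter check: it implements the KeeLoq cipher, derives a device key from the 0x2- and 0x6-prefixed serial, and runs a constructed fob against a constructed receiver with the simulator values above (manufacturer key 0123456789ABCDEF, serial 4141410 taken as hex 0x4141410, counter from 2600). Assumptions: the derivation step applies the KeeLoq decryption function, as the HCS datasheets and the Flipper firmware's normal-learn routine do (the post describes it as an encryption; the prefix layout is the same either way), and the discrimination value equals the low 10 bits of the serial, the usual default.</div>

```python
# Added example: KeeLoq cipher, standard key derivation, 66-bit frame and a receiver
# counter window. Fob/Receiver are constructed models; sample values are the post's.
NLF = 0x3A5C742E      # KeeLoq non-linear feedback table, indexed by 5 state bits
ROUNDS, MASK32 = 528, 0xFFFFFFFF

def _bit(x, n):
    return (x >> n) & 1

def _nlf(x, a, b, c, d, e):
    """NLF output for the five tapped state bits a..e (a is the low index bit)."""
    idx = _bit(x, a) | _bit(x, b) << 1 | _bit(x, c) << 2 | _bit(x, d) << 3 | _bit(x, e) << 4
    return _bit(NLF, idx)

def keeloq_encrypt(block, key):
    """Encoder side: 32-bit block under a 64-bit key (hop code generation)."""
    x = block & MASK32
    for r in range(ROUNDS):
        fb = _bit(x, 0) ^ _bit(x, 16) ^ _bit(key, r & 63) ^ _nlf(x, 1, 9, 20, 26, 31)
        x = (x >> 1) | (fb << 31)
    return x

def keeloq_decrypt(block, key):
    """Decoder side: exact inverse of keeloq_encrypt."""
    x = block & MASK32
    for r in range(ROUNDS):
        fb = _bit(x, 31) ^ _bit(x, 15) ^ _bit(key, (15 - r) & 63) ^ _nlf(x, 0, 8, 19, 25, 30)
        x = ((x << 1) & MASK32) | fb
    return x

def derive_device_key(serial, mkey):
    """Standard key generation: 0x2-prefixed serial -> low word, 0x6-prefixed -> high word.
    Assumption: the step is the KeeLoq decrypt with the manufacturer key, as in the HCS
    datasheets and the Flipper normal-learn routine (the post describes it as encrypt)."""
    serial &= 0x0FFFFFFF
    lo = keeloq_decrypt((0x2 << 28) | serial, mkey)
    hi = keeloq_decrypt((0x6 << 28) | serial, mkey)
    return (hi << 32) | lo

# 66-bit frame, LSB sent first: [32 hop][28 serial][4 button][1 low-battery][1 repeat]
def encode_frame(hop, serial, button, low_battery=0, repeat=0):
    return ((hop & MASK32) | ((serial & 0x0FFFFFFF) << 32) | ((button & 0xF) << 60)
            | ((low_battery & 1) << 64) | ((repeat & 1) << 65))

def decode_frame(frame):
    return {"hop": frame & MASK32, "serial": (frame >> 32) & 0x0FFFFFFF,
            "button": (frame >> 60) & 0xF, "low_battery": (frame >> 64) & 1,
            "repeat": (frame >> 65) & 1}

class Fob:
    """Constructed transmitter: hop plaintext = button(4) | overflow(2) | disc(10) | counter(16)."""
    def __init__(self, serial, mkey, counter):
        self.serial, self.counter = serial & 0x0FFFFFFF, counter & 0xFFFF
        self.key = derive_device_key(self.serial, mkey)
        self.disc = self.serial & 0x3FF   # assumption: discrimination = low 10 bits of serial

    def press(self, button=1):
        self.counter = (self.counter + 1) & 0xFFFF
        plain = (button << 28) | (self.disc << 16) | self.counter
        return encode_frame(keeloq_encrypt(plain, self.key), self.serial, button)

class Receiver:
    """Constructed decoder paired with one fob: derived key plus last accepted counter."""
    OPEN, RESYNC = 16, 32768   # HCS-style windows: 16 codes open, up to 32K with resync

    def __init__(self, mkey, serial, last_counter):
        self.serial, self.key = serial & 0x0FFFFFFF, derive_device_key(serial, mkey)
        self.last, self.pending = last_counter & 0xFFFF, None

    def receive(self, frame):
        f = decode_frame(frame)
        if f["serial"] != self.serial:
            return "reject: unknown serial"
        plain = keeloq_decrypt(f["hop"], self.key)
        # Discrimination and button must match the clear part, else wrong key or garbled frame.
        if (plain >> 16) & 0x3FF != (self.serial & 0x3FF) or (plain >> 28) != f["button"]:
            return "reject: wrong key or corrupted frame"
        ctr = plain & 0xFFFF
        delta = (ctr - self.last) & 0xFFFF
        if delta == 0 or delta >= self.RESYNC:
            return "reject: counter not ahead (replay or stale capture)"
        if delta <= self.OPEN:
            self.last, self.pending = ctr, None
            return "accept"
        # Big jump (fob pressed out of range): trust it only after two consecutive counters.
        if self.pending is not None and ctr == ((self.pending + 1) & 0xFFFF):
            self.last, self.pending = ctr, None
            return "accept: resynchronised"
        self.pending = ctr
        return "hold: resync pending"

def demo():
    # Post's simulator setup: mkey 0123456789ABCDEF, serial 4141410 (hex), counter from 2600.
    mkey, serial, start = 0x0123456789ABCDEF, 0x4141410, 2600
    fob, rx = Fob(serial, mkey, start), Receiver(mkey, serial, start)
    first = fob.press()
    verdicts = [rx.receive(first), rx.receive(first)]       # fresh press, then its replay
    for _ in range(100):                                    # presses out of the gate's range
        far = fob.press()
    verdicts += [rx.receive(far), rx.receive(fob.press())]  # jump past window, then next one
    return verdicts
```

<div class="separator" style="clear: both; text-align: left;">As you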
can see in the video below, we can spoof a new command to turn on the light.</div><p></p><div class="separator" style="clear: both; text-align: left;"></div><div class="separator" style="clear: both; text-align: left;"> <iframe allowfullscreen="" class="BLOG_video_class" height="295" src="https://www.youtube.com/embed/uyk0xOtnUew" width="355" youtube-src-id="uyk0xOtnUew"></iframe></div><div class="separator" style="clear: both; text-align: left;"><b><span lang="EN-US" style="font-size: 12pt; mso-bidi-font-size: 11.0pt;"><br /></span></b></div><div class="separator" style="clear: both; text-align: justify;"><b><span lang="EN-US" style="font-size: 12pt; mso-bidi-font-size: 11.0pt;">0x05. SUMMARY</span></b></div><p class="MsoNormal" style="text-align: justify;"><span lang="EN-US">In Part 2, we
have looked at some of the advanced techniques, such as RollJam, Rolling-PWN
and Keeloq decryption. However, there are many other types of encryption and rolling
code algorithms to play with. Stay tuned.<o:p></o:p></span></p><div class="separator" style="clear: both; text-align: left;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi0EwPNhxVgoWawuPl0GeOBO2OApxpPidro-qciGUUS7OWvtVNFEpIQnYUR2ffEhYqE44ta-uCBX45w95tlfdCtUGRmwI21AM59iq9jeS2W20eRtwcrJDrVjPpG_OJmdTkFIAQYkyaoSoH3PVFeOUC_BFXQz1Fg6TaRTTFQnZ_jMG7WRBV-JLn6yi1dpjiE/s1280/%E5%9B%BE%E7%89%87_0880c08b0110f8fdba21.jpg" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="893" data-original-width="1280" height="254" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi0EwPNhxVgoWawuPl0GeOBO2OApxpPidro-qciGUUS7OWvtVNFEpIQnYUR2ffEhYqE44ta-uCBX45w95tlfdCtUGRmwI21AM59iq9jeS2W20eRtwcrJDrVjPpG_OJmdTkFIAQYkyaoSoH3PVFeOUC_BFXQz1Fg6TaRTTFQnZ_jMG7WRBV-JLn6yi1dpjiE/w365-h254/%E5%9B%BE%E7%89%87_0880c08b0110f8fdba21.jpg" width="365" /></a></div>Unknownnoreply@blogger.com2tag:blogger.com,1999:blog-2883389551323187470.post-13590042848654803222023-10-20T05:19:00.003-07:002023-10-22T11:44:56.743-07:00Grand Theft Auto – RF Locks Hacking Flipper-Zero Edition Part 1<p style="text-align: left;"><b><span lang="EN-US" style="font-size: 12pt; mso-bidi-font-size: 11.0pt;"><br /></span></b></p><p style="text-align: left;"><b><span lang="EN-US" style="font-size: 12pt; mso-bidi-font-size: 11.0pt;">0x00. INTRODUCTION</span></b></p><p style="text-align: left;"></p><p class="MsoNormal" style="text-align: justify;"><span lang="EN-US">I believe when people are new to hacking RF
lock systems, one of the most common questions they ask is which tools
they will need. Usually I would say HackRF is a must-have tool. Recently,
the Flipper-Zero has become one of the most popular gadgets among RF hackers. To be
honest, the first time I heard about the Flipper-Zero, I was not that impressed. I
already owned a bunch of wireless hacking tools, such as Proxmark3, YARD Stick One
and HackRF-Portapack. Why should we get another toy that provides similar
functions? Soon I learned that I was wrong about it. For instance, besides
its rich wireless capability, the Flipper-Zero also provides extendable
external modules through its GPIO ports. This feature has made the Flipper-Zero
a LEGO set for hackers ;)<o:p></o:p></span></p><p class="MsoNormal" style="text-align: justify;"></p><div class="separator" style="clear: both; text-align: left;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgfr7b-Bb_7AEUGAV-0E7nVjQKt0lDKASHrLMJirXVVh6O36DhSzYjbjTWAX0bijEuvn7fz3Ht_xR-E29UX27a9N5Heo5mCW5Xg_zhrsKREdKh1nNqc110oduI-w4i6UFqikk13nGuAUr_Imy8XR-VgTNvI5hNVgAPXjKaNlTlUkE4Dfo05EfgDYxz43hZw/s5120/%E5%9B%BE%E7%89%87_0880c08b0110f4eda527.jpg" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="3840" data-original-width="5120" height="251" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgfr7b-Bb_7AEUGAV-0E7nVjQKt0lDKASHrLMJirXVVh6O36DhSzYjbjTWAX0bijEuvn7fz3Ht_xR-E29UX27a9N5Heo5mCW5Xg_zhrsKREdKh1nNqc110oduI-w4i6UFqikk13nGuAUr_Imy8XR-VgTNvI5hNVgAPXjKaNlTlUkE4Dfo05EfgDYxz43hZw/w375-h251/%E5%9B%BE%E7%89%87_0880c08b0110f4eda527.jpg" width="375" /></a></div><p></p><p class="MsoNormal" style="text-align: justify;"><span lang="EN-US"><span style="font-size: xx-small;"> (After a two-hour-long wait in the queue, I finally got one at DEFCON31)</span><span style="font-size: 10pt;"><o:p></o:p></span></span></p><p class="MsoNormal"><span lang="EN-US"></span></p><p class="MsoNormal" style="text-align: justify;"><span lang="EN-US">This article serves as a beginner’s RF lock
system hacking journey, performing lock hacking with Flipper-Zero and other RF
hacking tools. I hope each case study will help people get a better idea of
what they would need for hacking RF locks.</span></p><div style="text-align: justify;"><span lang="EN-US"><br /></span></div><p class="MsoNormal"><b><span lang="EN-US" style="font-size: 12pt; mso-bidi-font-size: 11.0pt;">0x01. SIGNAL JAMMING <o:p></o:p></span></b></p><p class="MsoNormal" style="text-align: justify;"><span lang="EN-US">
</span></p><p class="MsoNormal" style="text-align: justify;"><span lang="EN-US">One of
the easiest yet most effective RF attack techniques is called signal jamming. The
attacker constantly sends noise on the same frequency channel as
the target, hoping to drown out the original signal. Jamming
essentially disrupts communication between two or more devices by shouting
louder. It does not matter what you shout, as long as others cannot hear you.<o:p></o:p></span></p><p class="MsoNormal" style="text-align: justify;"></p><div class="separator" style="clear: both; text-align: left;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhW0YVb2-rB2umQehjHD4Vs4qP5FNtwjeu3eRJJCqokuX3ZYH472dKWpKAewr_2bkfsUayZdMEECqWGSxnHoKnoMa_gB5GRmxbg7kcP1qYqiVaR82hs9H54yVITiLOkKJQaJeyv5BFp6HTdxdHksrBBsPDgz_JJlRiNoSzpAQuJf5reKd0OZlVoAFJ8uOXP/s1252/gpsjam_jammed.jpg" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="706" data-original-width="1252" height="224" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhW0YVb2-rB2umQehjHD4Vs4qP5FNtwjeu3eRJJCqokuX3ZYH472dKWpKAewr_2bkfsUayZdMEECqWGSxnHoKnoMa_gB5GRmxbg7kcP1qYqiVaR82hs9H54yVITiLOkKJQaJeyv5BFp6HTdxdHksrBBsPDgz_JJlRiNoSzpAQuJf5reKd0OZlVoAFJ8uOXP/w398-h224/gpsjam_jammed.jpg" width="398" /></a></div><p></p><p class="MsoNormal"><span lang="EN-US" style="font-size: 10pt;"> (Jamming signals
on the spectrum diagram)<o:p></o:p></span></p><p class="MsoNormal" style="text-align: justify;"><span lang="EN-US"></span></p><p class="MsoNormal" style="text-align: justify;"><span lang="EN-US">Jamming
attacks against car locks are also one of thieves' favorites. Criminals use hidden
jamming equipment to prevent car owners from locking their cars. Once car
owners leave, they can easily open the car door and steal the belongings left inside
the car.</span><span lang="EN-US"> </span><span lang="EN-US">Although signal jamming is not a new concept, it continues to grow in
popularity among criminals, as the technology used becomes more sophisticated
and easily accessible.</span></p><p class="MsoNormal" style="text-align: justify;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh0TkM0j-x2bLEH9gDzN0jDryZKA1NCsdnJM3KluuoYjYWOZpqeHMA3zskgAZ8U0DAjiZR-3jG2lwq0I9G4Iw52SsrZs96p254rXDILcRk7eF_UYsaf98MGN_5EBcmXULmzz3EdpeSqChkybApsObwOATu-AhJMXf4niBPxW8jT5cHq6oBFyVQMus1-HrMn/s544/222.JPG" style="margin-left: 1em; margin-right: 1em; text-align: left;"><img border="0" data-original-height="275" data-original-width="544" height="271" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh0TkM0j-x2bLEH9gDzN0jDryZKA1NCsdnJM3KluuoYjYWOZpqeHMA3zskgAZ8U0DAjiZR-3jG2lwq0I9G4Iw52SsrZs96p254rXDILcRk7eF_UYsaf98MGN_5EBcmXULmzz3EdpeSqChkybApsObwOATu-AhJMXf4niBPxW8jT5cHq6oBFyVQMus1-HrMn/w436-h271/222.JPG" width="436" /></a></p><div class="separator" style="clear: both; text-align: left;"><span lang="EN-US" style="text-align: justify;">Below is a video demonstration of the car jamming
attack with HackRF. </span><span lang="EN-US" style="text-align: justify;">As you can see in the video, the attack is very effective. Please ensure the car door is securely locked before you leave.</span></div><div class="separator" style="clear: both; text-align: left;"><span lang="EN-US" style="text-align: justify;"><br /></span></div><div class="separator" style="clear: both; text-align: justify;"><iframe allowfullscreen="" class="BLOG_video_class" height="290" src="https://www.youtube.com/embed/iuRdLtz4pmY" width="450" youtube-src-id="iuRdLtz4pmY"></iframe></div><div class="separator" style="clear: both; text-align: left;"><p class="MsoNormal" style="text-align: justify;"><span lang="EN-US">Although
Flipper Zero comes with certain regional and frequency restrictions,
installing a custom firmware (Xtreme) bypasses this limit. This
made Flipper-Zero perfect for experimenting with the jamming attack. </span></p><p class="MsoNormal" style="text-align: justify;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjaIHxqJzmE2VBIz0P1sM1ogadJCCzN2PJkM_W2lY9CbLYMw7I-pSvbhqiYoORcL647w6R8mMKsPvA7hZuujMnXicn5sO4hLdprxhS0DhCXzSADfINWxcVkf5cnEyTea7ervwBsSMUq5LPTRB_NG2vwgsGBzEPYe5CRcEzM6bjl1kToxQAOtZ8zBOPZJrxd/s994/Zero%20Jamming.JPG" style="margin-left: 1em; margin-right: 1em; text-align: left;"><img border="0" data-original-height="871" data-original-width="994" height="280" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjaIHxqJzmE2VBIz0P1sM1ogadJCCzN2PJkM_W2lY9CbLYMw7I-pSvbhqiYoORcL647w6R8mMKsPvA7hZuujMnXicn5sO4hLdprxhS0DhCXzSADfINWxcVkf5cnEyTea7ervwBsSMUq5LPTRB_NG2vwgsGBzEPYe5CRcEzM6bjl1kToxQAOtZ8zBOPZJrxd/w347-h280/Zero%20Jamming.JPG" width="347" /></a></p><p class="MsoNormal"><span lang="EN-US"> <span style="font-size: x-small;"> (</span></span><span style="font-size: x-small;"><span lang="EN-US">Source from @McSHUR1KEN</span><span lang="EN-US">)</span></span></p><p class="MsoNormal"><b><span lang="EN-US" style="font-size: 12pt; mso-bidi-font-size: 11.0pt;"><br /></span></b></p><p class="MsoNormal"><b><span lang="EN-US" style="font-size: 12pt; mso-bidi-font-size: 11.0pt;">0x02. SIGNAL REPLAY BLINDLY <o:p></o:p></span></b></p><p class="MsoNormal" style="text-align: justify;"><span lang="EN-US">Of course, it would be cooler if we can control
the target. The replay attack is one of the oldest tricks in the book, and it
can achieve exactly that. Most RF lock systems operate in the 315 MHz or 433 MHz
range, and some of them still use a fixed-code mechanism, meaning we can just
leave the capture device near the target and wait patiently. If we are
lucky enough we will be able to catch the unlock signal for a later replay.<o:p></o:p></span></p><p class="MsoNormal" style="text-align: justify;"></p><div class="separator" style="clear: both; text-align: left;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhy1SCS3BMQ1u7NrsiuW1aCYTb6uaqvu_5yTnUJDZfJOTUa3grv8Kp5rY87yHstmSdDmNLnyJSnMjo3nBxHaLEsiMJfB8jT2qt9piTM85TLy4p18PhJG3RRP-orZAAhx1FjhP3AJ8-eGlM6RdjgOvwPXT3YtYd6SotpGmxAqwVtpFJwUpCzqsp3dOVe9wKq/s594/111.JPG" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="396" data-original-width="594" height="256" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhy1SCS3BMQ1u7NrsiuW1aCYTb6uaqvu_5yTnUJDZfJOTUa3grv8Kp5rY87yHstmSdDmNLnyJSnMjo3nBxHaLEsiMJfB8jT2qt9piTM85TLy4p18PhJG3RRP-orZAAhx1FjhP3AJ8-eGlM6RdjgOvwPXT3YtYd6SotpGmxAqwVtpFJwUpCzqsp3dOVe9wKq/w442-h256/111.JPG" width="442" /></a></div><p></p><p class="MsoNormal" style="text-align: justify;"><span lang="EN-US"></span></p><p class="MsoNormal" style="text-align: justify;"><span lang="EN-US"><span style="font-family: inherit;">This is a lot like fishing, but the reward is
an unlock signal instead. Below is a video demonstration of the replay attack with
HackRF. As you can see in the video, it works like a charm.</span><o:p></o:p></span></p><p class="MsoNormal" style="text-align: justify;"></p><div class="separator" style="clear: both; text-align: left;"><iframe allowfullscreen="" class="BLOG_video_class" height="287" src="https://www.youtube.com/embed/jUGePOmJzac" width="430" youtube-src-id="jUGePOmJzac"></iframe></div><p></p><p style="clear: both; text-align: justify;"><span lang="EN-US"><span style="font-family: inherit;">Interestingly, Tesla’s charging port
still uses a fixed-code mechanism. People can download the pre-recorded Tesla
Charge Port files to the Flipper-Zero and mess with other Tesla vehicle
owners, yet not knowing what is really going on behind the scenes. </span></span></p><p class="MsoNormal" style="text-align: justify;"></p><div class="separator" style="clear: both; text-align: left;"><iframe allowfullscreen="" class="BLOG_video_class" height="266" src="https://www.youtube.com/embed/SDuiAK10B3U" width="431" youtube-src-id="SDuiAK10B3U"></iframe></div><p></p><p class="MsoNormal"><span lang="EN-US"><span style="font-size: x-small;">(Source from @takeapart)</span></span></p><p class="MsoNormal"><span lang="EN-US"><span style="font-size: x-small;"><br /></span></span></p><p class="MsoNormal"><b><span lang="EN-US" style="font-size: 12pt; mso-bidi-font-size: 11.0pt;">0x03. SIGNAL REPLAY ANALYZE<o:p></o:p></span></b></p><p class="MsoNormal" style="text-align: justify;"><span lang="EN-US"></span></p><p class="MsoNormal" style="text-align: justify;"><span lang="EN-US">Only blindly replaying the signal is not
going to satisfy hackers. Unlike jamming attacks, if we want to get to
know our target better, we need to find out its operating frequency, encoding
method, chip model, etc. For example, we can learn the operating frequency by
using the Frequency Analyzer application provided by Flipper-Zero.<o:p></o:p></span></p><p class="MsoNormal" style="text-align: justify;"></p><div class="separator" style="clear: both; text-align: left;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgBkMlMSDjBhEB05jAcTRICFbQdOsw-P_LJOhdFN9OBwrbgMoBePLhO4Lr522Uxhzibw0m73su_2MAZuy6778hugdxn-ULywAuhxQ1OexdK1VhZ0wJp1emZ1nKp5kB3_tl4HG1oH0L5GF64ewSrgu3FP-u8zgMasxNEHuHRUXu_Wi6bCArOdQkKS68W2sIS/s547/%E5%9B%BE%E7%89%87_0880c08b0110f5f78327.JPG" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="335" data-original-width="547" height="212" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgBkMlMSDjBhEB05jAcTRICFbQdOsw-P_LJOhdFN9OBwrbgMoBePLhO4Lr522Uxhzibw0m73su_2MAZuy6778hugdxn-ULywAuhxQ1OexdK1VhZ0wJp1emZ1nKp5kB3_tl4HG1oH0L5GF64ewSrgu3FP-u8zgMasxNEHuHRUXu_Wi6bCArOdQkKS68W2sIS/w359-h212/%E5%9B%BE%E7%89%87_0880c08b0110f5f78327.JPG" width="359" /></a></div><div class="separator" style="clear: both; text-align: left;"><br /></div><div class="separator" style="clear: both; text-align: left;">Alternatively, go the old-school way: disassemble the keyfob and investigate the PCB. Here we see the IC model (CMT2150L) and a 26.250 MHz crystal on an E-Scooter keyfob. By checking the datasheet, we can find the operating frequency. The encoder is 1527. 
Most importantly, the datasheet gives the pinout diagram of the CMT2150L chip.</div><div style="text-align: justify;"></div><p class="MsoNormal" style="text-align: justify;"></p><div class="separator" style="clear: both; text-align: left;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhwiB0PvPlnKGljkEKgemPWJ4nIKUtP3hyphenhypheny1HDHffDXggRI1SOcJjePGnLQx5ewR1HeUByZgePtQ2jFrVsZixDcT3EJ4f6Qdzpe285gpbekBC9T5fOfNHV6nInuu2hdAFbdC2w0l5w6JQV71iwYT5yZtOV9ohbC7Labdy3to9P0dKMgqOUm-qE8CCVqgyBN/s1080/%E5%9B%BE%E7%89%87_0880c08b0110f6cee821.jpg" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="866" data-original-width="1080" height="266" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhwiB0PvPlnKGljkEKgemPWJ4nIKUtP3hyphenhypheny1HDHffDXggRI1SOcJjePGnLQx5ewR1HeUByZgePtQ2jFrVsZixDcT3EJ4f6Qdzpe285gpbekBC9T5fOfNHV6nInuu2hdAFbdC2w0l5w6JQV71iwYT5yZtOV9ohbC7Labdy3to9P0dKMgqOUm-qE8CCVqgyBN/w391-h266/%E5%9B%BE%E7%89%87_0880c08b0110f6cee821.jpg" width="391" /></a></div><div class="separator" style="clear: both; text-align: left;"><br /></div><div class="separator" style="clear: both; text-align: left;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj_EhJ35x3_WjPRiqrFHxrr1m423cpqOQ9N6M3IWN6W0aHxIzPHBxQ7LSSZhigY1pO9VoeRXCvEVjyy1MSRcrb953QyI4xa70PVZoT2jvmwot9zljxzfQI8EOwytVVL1qqAoRMZPkD4_Utv3wxDWM5WZsVi4mm_lsDtANZwgOhNSL6rDxa0fBxg_nYz_HHS/s1080/%E5%9B%BE%E7%89%87_0880c08b0110f6ce8826.jpg" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="726" data-original-width="1080" height="215" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj_EhJ35x3_WjPRiqrFHxrr1m423cpqOQ9N6M3IWN6W0aHxIzPHBxQ7LSSZhigY1pO9VoeRXCvEVjyy1MSRcrb953QyI4xa70PVZoT2jvmwot9zljxzfQI8EOwytVVL1qqAoRMZPkD4_Utv3wxDWM5WZsVi4mm_lsDtANZwgOhNSL6rDxa0fBxg_nYz_HHS/w392-h215/%E5%9B%BE%E7%89%87_0880c08b0110f6ce8826.jpg" width="392" /></a></div><div class="separator" style="clear: both; text-align: left;"><br /></div><div 
class="separator" style="clear: both; text-align: left;"><span style="text-align: justify;">Once we connect the correct pins on the IC to
an oscilloscope and press the unlock button on the keyfob, the data pulses of
the unlock signal appear in front of us. To make the analysis
easier, we can use a tool called rtl_433 to capture the raw data generated
by this E-Bike keyfob by wireless.</span></div><p></p><div class="separator" style="clear: both; text-align: left;"></div><div class="separator" style="clear: both; text-align: left;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhddHVIQzDFkIyM207vLAh8pvHW_rkU6N4IlpKiMxMwGL-kJL1ZQxdGZCAn1SxyhDEHRdJzPtkyLnYGuCm0ucD6H10kSSleZm5HFg4PFBVBGHnf8Qu6o3limjmGMux05cuc5p-mdsvXCrxcokyjbiy4X7XAPA9NoBGloDXUS2sxemf1UGQTXyyhpmQ4b6PR/s1080/%E5%9B%BE%E7%89%87_0880c08b0110f6ce8823.jpg" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="802" data-original-width="1080" height="275" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhddHVIQzDFkIyM207vLAh8pvHW_rkU6N4IlpKiMxMwGL-kJL1ZQxdGZCAn1SxyhDEHRdJzPtkyLnYGuCm0ucD6H10kSSleZm5HFg4PFBVBGHnf8Qu6o3limjmGMux05cuc5p-mdsvXCrxcokyjbiy4X7XAPA9NoBGloDXUS2sxemf1UGQTXyyhpmQ4b6PR/w369-h275/%E5%9B%BE%E7%89%87_0880c08b0110f6ce8823.jpg" width="369" /></a></div><div class="separator" style="clear: both; text-align: left;"><br /></div><div class="separator" style="clear: both; text-align: left;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiZGPBSB4T7oc9B84UEMvFFR5b-UvSEUTvmI2_f5c3UZYEXKizZA-QHj2JDNXh0fgR9SXBvXFVjRZM-bn7UY5iG9rfa-RGELUDnzr3JgBufzEfeE8hNgV88VKS_6OIQIRa0fPkhZqrVohAHeexhMN9bjtASZigdG1drcuH1NK0ym_TrsgtbajE08UOQ03mF/s984/%E5%9B%BE%E7%89%87_0880c08b0110f6ce8824.jpg" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="390" data-original-width="984" height="127" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiZGPBSB4T7oc9B84UEMvFFR5b-UvSEUTvmI2_f5c3UZYEXKizZA-QHj2JDNXh0fgR9SXBvXFVjRZM-bn7UY5iG9rfa-RGELUDnzr3JgBufzEfeE8hNgV88VKS_6OIQIRa0fPkhZqrVohAHeexhMN9bjtASZigdG1drcuH1NK0ym_TrsgtbajE08UOQ03mF/w368-h127/%E5%9B%BE%E7%89%87_0880c08b0110f6ce8824.jpg" width="368" /></a></div><div class="separator" style="clear: both; text-align: justify;"><br /></div><div class="separator" style="clear: both; text-align: 
justify;">Since the lock system of this E-Scooter again
relies on a fixed code, we can simply use the Flipper-Zero to unlock it, as you
can see in the video below.</div><div class="separator" style="clear: both; text-align: justify;"><br /></div><div class="separator" style="clear: both; text-align: left;"><iframe allowfullscreen="" class="BLOG_video_class" height="316" src="https://www.youtube.com/embed/jkHhvKER4ZE" width="432" youtube-src-id="jkHhvKER4ZE"></iframe></div><div class="separator" style="clear: both; text-align: left;"><p class="MsoNormal"><span lang="EN-US"><span style="font-size: x-small;">(Source from a good amigo)</span><o:p></o:p></span></p><p class="MsoNormal"><span lang="EN-US"><span style="font-size: x-small;"><br /></span></span></p></div><div class="separator" style="clear: both; text-align: left;"><p class="MsoNormal"><b><span lang="EN-US" style="font-size: 12pt; mso-bidi-font-size: 11.0pt;">0x04. SIGNAL REPLAY
BRUTEFORCE<o:p></o:p></span></b></p>
<p style="text-align: justify;"><span lang="EN-US"><span style="font-family: inherit;">Have you ever wondered if those fixed-code lock systems
are brute-forceable? Here is an interesting lock: it comes with 8 DIP switches
on both the lock and the keyfob, and each switch can be set up, center or down to give
different combinations. </span></span></p></div><div class="separator" style="clear: both; text-align: left;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjsBJWkjIOaZnogDZSkrTa-ymFJKbz_NItObN2DjscqZkrbyOIhWajQA305Qe3Ccy4liGcRmyM3PuIRpXk539g0K0VyU99zkRBXw8kFAG_vG5CgrO2yI5VtFSshdRbKryHl8iGO1V2pkg4-6vB7lnltM5xj8_0wNhEwV23J3o2di02u1RYm_p8gRtmWFnCq/s606/937445_D8ADZEH82JYJFTG.jpg" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="277" data-original-width="606" height="169" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjsBJWkjIOaZnogDZSkrTa-ymFJKbz_NItObN2DjscqZkrbyOIhWajQA305Qe3Ccy4liGcRmyM3PuIRpXk539g0K0VyU99zkRBXw8kFAG_vG5CgrO2yI5VtFSshdRbKryHl8iGO1V2pkg4-6vB7lnltM5xj8_0wNhEwV23J3o2di02u1RYm_p8gRtmWFnCq/w371-h169/937445_D8ADZEH82JYJFTG.jpg" width="371" /></a></div><div class="separator" style="clear: both; text-align: left;"><br /></div><div class="separator" style="clear: both; text-align: left;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjNKW6raOTeHoureeoIwAo-jCUZTw6dlUAJiSYRhhpGZ6z0YE8MdtZ4OiL2n_kwBnwOqJL2d2l4jgIyh-HlZwnUS-I1Fk_bcfso0rlpoeqipbTCraBGBfHfVd3lrvt5ObaO2irrw1QD4eOnxAWHrNx-YtQwQKGucOUVChJm8sNdab51fDU6FzjP0K-BU_lg/s578/937445_72YKXY757XESVNJ.jpg" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="308" data-original-width="578" height="171" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjNKW6raOTeHoureeoIwAo-jCUZTw6dlUAJiSYRhhpGZ6z0YE8MdtZ4OiL2n_kwBnwOqJL2d2l4jgIyh-HlZwnUS-I1Fk_bcfso0rlpoeqipbTCraBGBfHfVd3lrvt5ObaO2irrw1QD4eOnxAWHrNx-YtQwQKGucOUVChJm8sNdab51fDU6FzjP0K-BU_lg/w370-h171/937445_72YKXY757XESVNJ.jpg" width="370" /></a></div><div class="separator" style="clear: both; text-align: left;"><span style="text-align: justify;"><br /></span></div><div class="separator" style="clear: both; text-align: left;"><span style="text-align: justify;">By using the Flipper-Zero we are able to
tell this lock is based on the Princeton protocol. We can also use the Pulse Plotter app on the
Flipper-Zero to analyze the signal. However, I would like to recommend a
tool designed for reversing wireless signals, called Universal Radio Hacker (URH), to
do the job. </span><span style="text-align: justify;">URH is a complete suite for wireless protocol investigation. URH
allows easy demodulation of signals combined with an automatic detection of
modulation parameters making it a breeze to identify the bits and bytes that
fly over the air.</span></div><div class="separator" style="clear: both; text-align: left;"><span style="text-align: justify;"><br /></span></div><div class="separator" style="clear: both; text-align: left;"><div class="separator" style="clear: both; text-align: left;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgVaDXQfvmxO6ZfZ3pNHJZpOzX3Jk5tvBlnC4jFP-8N3jESe-LqTMW0RQa_OG-lYcGf7FYkLdrWF2yx4_bXaWAofijr79vSZ3r30IZepxUxuhSfVA_eyER-EgcOnMvanbR10qYzHr60QBaqhXzeY_-l4VNL84cyd-_Cj3fTdVTPDGVSkqCKkGXl2g4cQS1U/s1706/%E5%9B%BE%E7%89%87_0880c08b0110f6d4e921.jpg" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1280" data-original-width="1706" height="282" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgVaDXQfvmxO6ZfZ3pNHJZpOzX3Jk5tvBlnC4jFP-8N3jESe-LqTMW0RQa_OG-lYcGf7FYkLdrWF2yx4_bXaWAofijr79vSZ3r30IZepxUxuhSfVA_eyER-EgcOnMvanbR10qYzHr60QBaqhXzeY_-l4VNL84cyd-_Cj3fTdVTPDGVSkqCKkGXl2g4cQS1U/w376-h282/%E5%9B%BE%E7%89%87_0880c08b0110f6d4e921.jpg" width="376" /></a></div><div class="separator" style="clear: both; text-align: left;"><br /></div><div class="separator" style="clear: both; text-align: left;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgdTmHLSgdQUcHSREvN-xrrNDmMU0a6DSZ9JZM_T-Bie1tHEhyphenhyphenElSRvU1u4uRSl52TO3est3G8bMFhC94kYuEQivWLWsP19nuZAljN_SjJZ7PuwiQYKwJ8dWGXau-S_m8cLzuBwpsdfbVSVs7hyfQfzhZV_wa3GN3ApawqgqigOJfAlWH4Kx-DVQmGpacx4/s574/937445_AFJYG87VKF27SYE.jpg" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="151" data-original-width="574" height="125" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgdTmHLSgdQUcHSREvN-xrrNDmMU0a6DSZ9JZM_T-Bie1tHEhyphenhyphenElSRvU1u4uRSl52TO3est3G8bMFhC94kYuEQivWLWsP19nuZAljN_SjJZ7PuwiQYKwJ8dWGXau-S_m8cLzuBwpsdfbVSVs7hyfQfzhZV_wa3GN3ApawqgqigOJfAlWH4Kx-DVQmGpacx4/w476-h125/937445_AFJYG87VKF27SYE.jpg" width="476" /></a></div><div class="separator" style="clear: both; text-align: 
left;"><span style="text-align: justify;"><br /></span></div><div class="separator" style="clear: both; text-align: left;"><span style="text-align: justify;">After capturing the unlock signal from the
keyfob, the fixed-code contents can be easily analyzed with URH. Since the DIP
switch only has 3^8 = 6561 combinations, it is very easy to brute-force all of them
through the Fuzzing function of URH, as you can see in the video
below.</span></div><div class="separator" style="clear: both; text-align: left;"><p class="MsoNormal" style="text-align: justify;"></p><div class="separator" style="clear: both; text-align: left;"><iframe allowfullscreen="" class="BLOG_video_class" height="308" src="https://www.youtube.com/embed/wgWMDBtQYrw" width="445" youtube-src-id="wgWMDBtQYrw"></iframe></div><div class="separator" style="clear: both; text-align: left;"><span style="text-align: justify;"><br /></span></div><div class="separator" style="clear: both; text-align: left;"><span style="text-align: justify;">A person
called Hong5489 has implemented the brute-force sub files for Flipper-Zero. You
can get the sub files from his GitHub. One thing to be careful about, though, is that
when he tried to brute-force his own gate, he accidentally opened the neighbor's
gate.</span></div><p></p><div class="separator" style="clear: both; text-align: left;"></div><div class="separator" style="clear: both; text-align: left;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi4sOlycHbXTHWqTsarjFU5gaAxIo2mFs0E-zHgeEEbmj7GqjtSb4edA4TPrnhTsRhszlQBqvg9umaLKh4cwDAPG_u8DuD0Ff5RV8QMEsA_ObKX_TA3eCh6g8Zk0dDfYKcHsfkdzMJyai_D7_IazTbtpxCXSQ9V1m1HSGqIRMPHbeo5npvWpd94paFVsd7b/s641/Zero-BruteForce.JPG" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="261" data-original-width="641" height="207" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi4sOlycHbXTHWqTsarjFU5gaAxIo2mFs0E-zHgeEEbmj7GqjtSb4edA4TPrnhTsRhszlQBqvg9umaLKh4cwDAPG_u8DuD0Ff5RV8QMEsA_ObKX_TA3eCh6g8Zk0dDfYKcHsfkdzMJyai_D7_IazTbtpxCXSQ9V1m1HSGqIRMPHbeo5npvWpd94paFVsd7b/w510-h207/Zero-BruteForce.JPG" width="510" /></a></div><div class="separator" style="clear: both; text-align: left;"><br /></div><p class="MsoNormal"><b><span lang="EN-US" style="font-size: 12pt; mso-bidi-font-size: 11.0pt;">0x05. SUMMARY<o:p></o:p></span></b></p><p class="MsoNormal" style="text-align: justify;"><span lang="EN-US">In this article, we have looked at the
common methods of RF Locks hacking. In Part2, we are going to look at more
advanced and interesting RF Locks hacking techniques. Stay tuned.</span><b><span lang="EN-US" style="font-size: 12pt; mso-bidi-font-size: 11.0pt;"><o:p></o:p></span></b></p><p class="MsoNormal" style="text-align: justify;"><br /></p></div></div></div>Unknownnoreply@blogger.com0tag:blogger.com,1999:blog-2883389551323187470.post-86394514295339663902023-05-15T03:29:00.005-07:002023-05-15T03:33:40.900-07:00Nissan Sylphy Classic 2021 Fixed Code Vulnerability<p>Last year a security researcher Ayyappan Rajesh found a fixed code keyfob vuln for the Honda vehicles (CVE-2022-27254). According to him it affected 2016-2020 Honda Civic (LX, EX, EX-L, Touring, Si, Type R). </p><p>More details can be found on (https://github.com/nonamecoder/CVE-2022-27254) and his DEFCON talk (https://www.youtube.com/watch?v=AxkRnUnvYWw)</p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjzA54wkACZdFJaMVhy6oUqOKs2lpIlu_wXkpc0kvJMgtNe9w7s2arHGDQINsoTwxw5mxkMqL8QYcP99Ui_fLCGl2CPYpBXieVR3eZgTq6zgBM0m9WItGEyjR1O4yZfG02sY-TU2C4QKrZ4Qj8LcY_3BSENyJLB53VlNMviaGo7qMRxZSwfo-TswD4HMw/s949/adfsdf.JPG" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="494" data-original-width="949" height="251" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjzA54wkACZdFJaMVhy6oUqOKs2lpIlu_wXkpc0kvJMgtNe9w7s2arHGDQINsoTwxw5mxkMqL8QYcP99Ui_fLCGl2CPYpBXieVR3eZgTq6zgBM0m9WItGEyjR1O4yZfG02sY-TU2C4QKrZ4Qj8LcY_3BSENyJLB53VlNMviaGo7qMRxZSwfo-TswD4HMw/w481-h251/adfsdf.JPG" width="481" /></a></div><div class="separator" style="clear: both; text-align: center;"><br /></div><div class="separator" style="clear: both; text-align: center;"><div class="separator" style="clear: both;">Turns out this may not be the Honda-only issue. A few days ago we found another fixed codes vuln, but it's on Nissan Sylphy Classic 2021 this time. 
</div></div><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh7h4CoaObuqWpJAYNP_JHKW8ZwQHuL69kvCnEHZf-aky4jn5eUdfMYZNc4BNDZO0aj4DxTumjdNbTF-Ec3Vgs0IlgCbjpKsm56Z58tFqxFoHdK1vsmOALO3zBsNqjlHKAf6KuAN0T7tvgAUwejORXDyNwQ4oks88CAf1dWkHpOcj4JwbYGBSBDmuPGGA/s3648/IMG_20230512_153142_edit_73658981672614.jpg" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="3648" data-original-width="2736" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh7h4CoaObuqWpJAYNP_JHKW8ZwQHuL69kvCnEHZf-aky4jn5eUdfMYZNc4BNDZO0aj4DxTumjdNbTF-Ec3Vgs0IlgCbjpKsm56Z58tFqxFoHdK1vsmOALO3zBsNqjlHKAf6KuAN0T7tvgAUwejORXDyNwQ4oks88CAf1dWkHpOcj4JwbYGBSBDmuPGGA/w240-h320/IMG_20230512_153142_edit_73658981672614.jpg" width="240" /></a></div><div class="separator" style="clear: both; text-align: center;"><br /></div><div class="separator" style="clear: both; text-align: center;"><div class="separator" style="clear: both;">As we can see from the packets diagram, no signs of rolling codes applied to lock or unlock commands. 
</div><div class="separator" style="clear: both;"><br /></div></div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhYkMezfEvq_lW7JXuKgWLBAtqgo7An7VfqtAjpLbCgBmNtOi7tQrsHB0L945WEc1Ixsdl9mhqF26kIL8ZaesHI-0QxjLwaR4y3KUBVdNJZs9kfUe2_6ovY0-WIoi2xuF0vtMgV5HV-7XftfRO-nzFkxwMfVO74IFkDTQCqVhPdZIXJOOiwvs-AbV6eQg/s1823/Nissan-Lock1.JPG" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="461" data-original-width="1823" height="143" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhYkMezfEvq_lW7JXuKgWLBAtqgo7An7VfqtAjpLbCgBmNtOi7tQrsHB0L945WEc1Ixsdl9mhqF26kIL8ZaesHI-0QxjLwaR4y3KUBVdNJZs9kfUe2_6ovY0-WIoi2xuF0vtMgV5HV-7XftfRO-nzFkxwMfVO74IFkDTQCqVhPdZIXJOOiwvs-AbV6eQg/w637-h143/Nissan-Lock1.JPG" width="637" /></a></div><div><br /></div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhaDW25JrydIWDSEF85IngYb1QXfNL6sCTTSsNwZxNZmVEeTwiJXIHDWDoPbnyy9nePhuSCZoIPoSl9jI4mcAZVCMfR5Q1gYdrhq0sWRyWoo7SAE1xQBWA60_VOsB5oSqr0BoGIoTLZ-JvsgX4m8jiNHzZFtyhvx-bJAPgAhDGWk5LX2yiW8E3gFWMTTA/s1777/Nissan-Unlock1.JPG" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="528" data-original-width="1777" height="163" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhaDW25JrydIWDSEF85IngYb1QXfNL6sCTTSsNwZxNZmVEeTwiJXIHDWDoPbnyy9nePhuSCZoIPoSl9jI4mcAZVCMfR5Q1gYdrhq0sWRyWoo7SAE1xQBWA60_VOsB5oSqr0BoGIoTLZ-JvsgX4m8jiNHzZFtyhvx-bJAPgAhDGWk5LX2yiW8E3gFWMTTA/w629-h163/Nissan-Unlock1.JPG" width="629" /></a></div><div class="separator" style="clear: both; text-align: center;"><br /></div><div class="separator" style="clear: both; text-align: center;"><div class="separator" style="clear: both;">Here is the video demo for this Vulnerability</div></div><br /><div> <a href="https://www.youtube.com/watch?v=GG1utSdYG1k">Nissan Sylphy Classic 2021 Fixed Code 
Vulnerability</a><br /></div><div><br /></div><div class="separator" style="clear: both; text-align: center;"><iframe allowfullscreen="" class="BLOG_video_class" height="266" src="https://www.youtube.com/embed/GG1utSdYG1k" width="320" youtube-src-id="GG1utSdYG1k"></iframe></div><div><br /></div>Unknownnoreply@blogger.com0tag:blogger.com,1999:blog-2883389551323187470.post-13025592918988635652013-08-03T16:29:00.003-07:002013-08-03T16:31:11.868-07:00DEFCON 20 Documentary Full Version<div class="separator" style="clear: both; text-align: center;">
</div>
<div class="separator" style="clear: both; text-align: center;">
</div>
<div class="separator" style="clear: both; text-align: center;">
</div>
<div class="separator" style="clear: both; text-align: center;">
</div>
Hey guys, I've uploaded the full version of the DEFCON 20 documentary! Or you can go to (http://youtu.be/rVwaIe6CiHw) directly. Enjoy!<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<iframe allowfullscreen='allowfullscreen' webkitallowfullscreen='webkitallowfullscreen' mozallowfullscreen='mozallowfullscreen' width='320' height='266' src='https://www.youtube.com/embed/rVwaIe6CiHw?feature=player_embedded' frameborder='0'></iframe></div>
<br />Unknownnoreply@blogger.com0tag:blogger.com,1999:blog-2883389551323187470.post-69061122847767228832013-07-12T17:17:00.001-07:002013-07-12T17:17:14.878-07:00USRP Sniffing Logitech wireless keyboard!<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhmSj29Z_LBDYo0mkTO7QFzIN4X1Z8wIzbrZGbxH7_45auVWaLV4PHT84p7WGgTIVylnADrlLYTyPRwYnpG1hZE4kDGipZIpHrF2WjL3RKE8s3ndNtY9Qseh-jbe1Fpc4-VhWYX63kyKGqR/s1600/27Mhz1.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="296" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhmSj29Z_LBDYo0mkTO7QFzIN4X1Z8wIzbrZGbxH7_45auVWaLV4PHT84p7WGgTIVylnADrlLYTyPRwYnpG1hZE4kDGipZIpHrF2WjL3RKE8s3ndNtY9Qseh-jbe1Fpc4-VhWYX63kyKGqR/s400/27Mhz1.jpg" width="400" /></a></div>
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj08pqe-vcdpDzXKKjBj858723P0FnhIYyLZzCtpjKrYBPS5A0QmvXBDiVL4yOh3rvHML0YUX0LTjxx7l45P9IczloQi-iJFEs2g0cS_WfONHjTmYH0iBnDTamj9S9_-Q7KFrNONBnA3N_J/s1600/27Mhz2.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="297" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj08pqe-vcdpDzXKKjBj858723P0FnhIYyLZzCtpjKrYBPS5A0QmvXBDiVL4yOh3rvHML0YUX0LTjxx7l45P9IczloQi-iJFEs2g0cS_WfONHjTmYH0iBnDTamj9S9_-Q7KFrNONBnA3N_J/s400/27Mhz2.jpg" width="400" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjyVq-sKhEJcp1v8scKX2ho42B1tU4EBeHqKPJSEezch_lhCe5zQmkrB7sp3GNujZC4ad7qiXdFCK6_1uHFO-O_FXS2dh7lukUGrWrX2XUETVvkplR5zHPOJWDyGvaDxLymf5DbOwCQk7tS/s1600/27Mhz3.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="297" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjyVq-sKhEJcp1v8scKX2ho42B1tU4EBeHqKPJSEezch_lhCe5zQmkrB7sp3GNujZC4ad7qiXdFCK6_1uHFO-O_FXS2dh7lukUGrWrX2XUETVvkplR5zHPOJWDyGvaDxLymf5DbOwCQk7tS/s400/27Mhz3.jpg" width="400" /></a></div>
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />Unknownnoreply@blogger.com0tag:blogger.com,1999:blog-2883389551323187470.post-88503921025105974132013-06-22T23:58:00.001-07:002013-06-22T23:58:56.904-07:00Old school hacking -- DIY Magstripe ReaderNo Mag reader? No problem...<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
</div>
<div class="separator" style="clear: both; text-align: center;">
</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgLgxiIAu2t1Li-1WILiUW7mQl5f0IOl1v99f8zHhqMIjC743P0giVfupm1g3bV0uOoVMHzdgZOpldKJtFSZX4VwM6RoFOwMQLKOkzk6NtiMuN1SD9LdOWxPA5MXa7qHnoEoWYPeALyZFva/s1600/8b20d035jw1e5xvbcjo4ej218g0x7h5x.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="238" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgLgxiIAu2t1Li-1WILiUW7mQl5f0IOl1v99f8zHhqMIjC743P0giVfupm1g3bV0uOoVMHzdgZOpldKJtFSZX4VwM6RoFOwMQLKOkzk6NtiMuN1SD9LdOWxPA5MXa7qHnoEoWYPeALyZFva/s320/8b20d035jw1e5xvbcjo4ej218g0x7h5x.jpg" width="320" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhV-syosP5Ppgevyq9cJIlqxvTLfszmA4f1bvbUucRpENE8NTAu0xKV8HnxBTsl22vbhSjYhg-_bJSO5b4nt9p7YYJvf9aTindxtgZ_OWPHiSoz-m3INr_loLszmBU9KVeJsXty9zfjlk4e/s1600/8b20d035jw1e5xvb4ewgsj218g0x7qku.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="238" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhV-syosP5Ppgevyq9cJIlqxvTLfszmA4f1bvbUucRpENE8NTAu0xKV8HnxBTsl22vbhSjYhg-_bJSO5b4nt9p7YYJvf9aTindxtgZ_OWPHiSoz-m3INr_loLszmBU9KVeJsXty9zfjlk4e/s320/8b20d035jw1e5xvb4ewgsj218g0x7qku.jpg" width="320" /></a></div>
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhQPYCIQAO-nbYk5JneiMlsYljXLhjoFOKCJD4P9oPLm80TNtcevnMctY2-xfY-8DtjDuv7K-fY-dcbaZ2sFrAbcF8PpUvc3AXWBTwDQEgBj-G7bhUYPzdnM7vDrfqRqN85sT2y1UMizWQp/s1600/8b20d035jw1e5xvawb0ovj218g0x77h8.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="238" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhQPYCIQAO-nbYk5JneiMlsYljXLhjoFOKCJD4P9oPLm80TNtcevnMctY2-xfY-8DtjDuv7K-fY-dcbaZ2sFrAbcF8PpUvc3AXWBTwDQEgBj-G7bhUYPzdnM7vDrfqRqN85sT2y1UMizWQp/s320/8b20d035jw1e5xvawb0ovj218g0x77h8.jpg" width="320" /></a><br />
<br />Unknownnoreply@blogger.com0tag:blogger.com,1999:blog-2883389551323187470.post-21781132073826124692013-05-13T13:47:00.003-07:002013-05-13T13:48:02.260-07:00Project of "RF-Ninjia-101" initiate!<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjwURp4IfAL5gJQeYxQW19s3OdPKz-MUEfpQBTyW1qM0_IriPIcRBB9H6RK5ckJrip2HcYpN1FrqFxM0PJUj9nrxtqTDHyXlfP2UUgFB5sQksLci_XELEaa-NPsX749TUmgnK4gc4H05uwx/s1600/IMG_0808.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="239" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjwURp4IfAL5gJQeYxQW19s3OdPKz-MUEfpQBTyW1qM0_IriPIcRBB9H6RK5ckJrip2HcYpN1FrqFxM0PJUj9nrxtqTDHyXlfP2UUgFB5sQksLci_XELEaa-NPsX749TUmgnK4gc4H05uwx/s320/IMG_0808.jpg" width="320" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiIzb47lDQ-d0jiczEXsVRaRe9ZwyFtIwu-8dVxIKgZNRPBFdM-mybrbWBcSM2MUOs5SvjBv-hcVSqm0RjymqDF_CW3rDV90nKjYC3NfCtockDC9sw-K9mABGkwMvML75b-rBlTQfQVAzWp/s1600/Ninja3.jpeg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="216" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiIzb47lDQ-d0jiczEXsVRaRe9ZwyFtIwu-8dVxIKgZNRPBFdM-mybrbWBcSM2MUOs5SvjBv-hcVSqm0RjymqDF_CW3rDV90nKjYC3NfCtockDC9sw-K9mABGkwMvML75b-rBlTQfQVAzWp/s320/Ninja3.jpeg" width="320" /></a></div>
<br />Unknownnoreply@blogger.com0tag:blogger.com,1999:blog-2883389551323187470.post-66409211389888215132013-05-05T23:44:00.001-07:002013-05-05T23:44:36.481-07:00Sniffing ADS-B traffics near Ontario lake <div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhQlSovw5S38D5S2Sb6_-b6hzGt_CuvzqZ9oV8s00PRLGmLRIUvIMnTf9lxB-5caGlKJJdFBBycGCuR_E5Mst2iMapMIMBM5H1CdvUcBtDo-rU6gGNCDKTgIZDoFyv975QBDWNYsrgcRVNX/s1600/1.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="640" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhQlSovw5S38D5S2Sb6_-b6hzGt_CuvzqZ9oV8s00PRLGmLRIUvIMnTf9lxB-5caGlKJJdFBBycGCuR_E5Mst2iMapMIMBM5H1CdvUcBtDo-rU6gGNCDKTgIZDoFyv975QBDWNYsrgcRVNX/s640/1.jpg" width="457" /></a></div>
<br />Unknownnoreply@blogger.com0tag:blogger.com,1999:blog-2883389551323187470.post-52203274460087543992013-04-28T16:02:00.002-07:002013-04-28T16:02:42.574-07:00Manual Fuzzing ATM? Show me the crash dump now ... :)<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<iframe allowfullscreen='allowfullscreen' webkitallowfullscreen='webkitallowfullscreen' mozallowfullscreen='mozallowfullscreen' width='320' height='266' src='https://www.youtube.com/embed/MVO1KxmFXkQ?feature=player_embedded' frameborder='0'></iframe></div>
<br />Unknownnoreply@blogger.com0tag:blogger.com,1999:blog-2883389551323187470.post-15112437272212749482013-02-19T22:43:00.000-08:002013-02-19T22:45:41.280-08:00IOToronto Hardware MeetupIt was so nice to meet you all. And I hope everyone enjoyed my talk. Here is the PPT link of my talk. :) Any comments welcome! <a href="http://www.slideshare.net/Kevin2600/meetup-rfid" style="background-color: red; color: red;"><span style="background-color: white;">(Slideshare-meetup-rfid)</span></a><br />
<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiHi2kmTxx2jYG_mmSnS87UgTZSNOq5CfVzpIfYPHZacNMNf0JeD6t4gV8cLi4iy9OSBze7-0NOn2lo4mhhV9ks6icb6eXyj9SKCcj6GfFcxra0TrLVdNPAFbVB_1jp29TccLiH2QJ4xO7b/s1600/3.jpeg" imageanchor="1"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiHi2kmTxx2jYG_mmSnS87UgTZSNOq5CfVzpIfYPHZacNMNf0JeD6t4gV8cLi4iy9OSBze7-0NOn2lo4mhhV9ks6icb6eXyj9SKCcj6GfFcxra0TrLVdNPAFbVB_1jp29TccLiH2QJ4xO7b/s320/3.jpeg" /></a>
Unknownnoreply@blogger.com0tag:blogger.com,1999:blog-2883389551323187470.post-41285168661447284302013-02-17T15:42:00.002-08:002013-02-17T15:45:47.453-08:00PoC of Hackable Griffith College Student card<div id="eow-description">
A demo video to show that the student card of Griffith College, Ireland is hackable. </div>
<div id="eow-description">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<iframe allowfullscreen='allowfullscreen' webkitallowfullscreen='webkitallowfullscreen' mozallowfullscreen='mozallowfullscreen' width='320' height='266' src='https://www.youtube.com/embed/5WvdebLIKL0?feature=player_embedded' frameborder='0'></iframe></div>
<div id="eow-description">
</div>
<div id="watch-description-text">
</div>
Unknownnoreply@blogger.com0tag:blogger.com,1999:blog-2883389551323187470.post-39630555086165439032013-02-17T15:35:00.004-08:002013-02-17T15:46:12.924-08:00PoC of Clone-able DKIT Student cardThis is a demo video to prove that the student card of Dundalk Institute of Technology is clone-able. <br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<iframe allowfullscreen='allowfullscreen' webkitallowfullscreen='webkitallowfullscreen' mozallowfullscreen='mozallowfullscreen' width='320' height='266' src='https://www.youtube.com/embed/E-nk4Jrm-gA?feature=player_embedded' frameborder='0'></iframe></div>
<br />Unknownnoreply@blogger.com0tag:blogger.com,1999:blog-2883389551323187470.post-77706685471836723902012-07-17T16:33:00.001-07:002013-03-27T21:32:58.257-07:00USB Plug-over bypass attack on Integral USB Drive.<div style="text-align: justify;">
I read the article "Crypto hardware Plug-over attack" <a href="http://www.thice.nl/crypto-hardware-plug-over-attack/">(Crypto-plug-over-attack)</a> the other day and thought it would be a nice weekend project. I happened to have 2 Integral Crypto USB drives. Integral claims this drive is enhanced with 256-bit hardware-based AES encryption and is FIPS 197 approved, allowing for advanced security of confidential data. However, it only works on Windows. :(</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
From Thice's article, the reason this works is that after the user unlocks the USB drive, for some reason the encryption system isn't able to lock itself again, even after the USB drive is switched over to a new system, as long as power is provided. So if we can find some way to provide uncut power, we can keep accessing the data on the USB drive without providing the password.</div>
<br />
The schematic overview<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhcr7nkHWX-MEGMgAXua903jcpvNzU_HtawMhjpWVvf2-4ZpyTmXWarb4GBrTYd9M7CiIhxOQnHnEyW6yLPeAZasuBjA59gKjSrQsDJPeg073PwzKtEbktZI5r6xbX3R5YwLofDlLRfYAfZ/s1600/encrypted-drive-hotplug-vulnerability-e1340718485444.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="223" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhcr7nkHWX-MEGMgAXua903jcpvNzU_HtawMhjpWVvf2-4ZpyTmXWarb4GBrTYd9M7CiIhxOQnHnEyW6yLPeAZasuBjA59gKjSrQsDJPeg073PwzKtEbktZI5r6xbX3R5YwLofDlLRfYAfZ/s400/encrypted-drive-hotplug-vulnerability-e1340718485444.png" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgBEk5GHxCtT_Oo3BgZa2OtoL4dP1w_31RxN5ylrRAZPaPZVB603I4_bFLx40dLJn_rqHLWC8LTJuitc44ETSA06scP8RxcZMpKqn9Y2UYZ7giIGaDaiSm_9iIs3fvJ5SPIJf6DyyTfTPKx/s1600/USB6.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="297" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgBEk5GHxCtT_Oo3BgZa2OtoL4dP1w_31RxN5ylrRAZPaPZVB603I4_bFLx40dLJn_rqHLWC8LTJuitc44ETSA06scP8RxcZMpKqn9Y2UYZ7giIGaDaiSm_9iIs3fvJ5SPIJf6DyyTfTPKx/s400/USB6.jpg" width="400" /></a> </div>
<div class="separator" style="clear: both; text-align: center;">
As the picture shows, we are only able to access the data after unlocking it. </div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEis1rHBmN89UxVP6OjLhVhU8KIdmJ5_UHP2NsTN2IvJ9fBcICZ5V3u_KdgDX4fhFxXnr2KOzYrUAsiaQvI1wqcCtffJDI7dCFQ75LnxDO8ChhqcQTQ2iOZPr6LV7koskU5UxSEakIg4qvQg/s1600/USB7.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><br /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjgRSH_18KfsqCmI33ssXlV3nvRRkwNnw6Qbqj82cdq3hkNVdEsdijDe44T480snru5DBOHOV8boUquHLGhwp4Zi7ifIt3QjfYXJJe84hqOkA9qiFE52L-qb8IGeF3aFsXf3BvY7CPBel1c/s1600/A.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="210" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjgRSH_18KfsqCmI33ssXlV3nvRRkwNnw6Qbqj82cdq3hkNVdEsdijDe44T480snru5DBOHOV8boUquHLGhwp4Zi7ifIt3QjfYXJJe84hqOkA9qiFE52L-qb8IGeF3aFsXf3BvY7CPBel1c/s400/A.png" width="400" /></a> </div>
<div class="separator" style="clear: both; text-align: center;">
But it does not work under a Linux system! :( </div>
<div class="separator" style="clear: both; text-align: center;">
</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi-2PoBFekPOxTk-sMqClmW5SmpPbpWKIt_DNo7XKdv0CGuPkHjtluUQxjyMBMCaNxYNGZZRIHtRzkX67lT_p5KGjOuJyfkFaUeKGL3d0Yrz3LLOu6SeTpKh_9g7xBwQW3jmedf1mNcF6da/s1600/B.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="235" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi-2PoBFekPOxTk-sMqClmW5SmpPbpWKIt_DNo7XKdv0CGuPkHjtluUQxjyMBMCaNxYNGZZRIHtRzkX67lT_p5KGjOuJyfkFaUeKGL3d0Yrz3LLOu6SeTpKh_9g7xBwQW3jmedf1mNcF6da/s400/B.png" width="400" /></a> </div>
<div class="separator" style="clear: both; text-align: center;">
If unlocked under Windows first and then switched to Linux. </div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEis1rHBmN89UxVP6OjLhVhU8KIdmJ5_UHP2NsTN2IvJ9fBcICZ5V3u_KdgDX4fhFxXnr2KOzYrUAsiaQvI1wqcCtffJDI7dCFQ75LnxDO8ChhqcQTQ2iOZPr6LV7koskU5UxSEakIg4qvQg/s1600/USB7.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="298" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEis1rHBmN89UxVP6OjLhVhU8KIdmJ5_UHP2NsTN2IvJ9fBcICZ5V3u_KdgDX4fhFxXnr2KOzYrUAsiaQvI1wqcCtffJDI7dCFQ75LnxDO8ChhqcQTQ2iOZPr6LV7koskU5UxSEakIg4qvQg/s400/USB7.jpg" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
Because the power is uncut, we can now access the data without being asked for a password anymore. <br />
<br />
<div class="separator" style="clear: both; text-align: center;">
</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiZ_JIiR5XWFZBmr5GNhIj6HGZZfXYLHVRXL3RXfMZHMpM7oZICErQAVif6X68fAtC5zwRe0dKaJ2YApYMnXrbxVqtb_i5axXfa3Zd1_quM73429CSq4ypfJOry05_bFm-JN28pLhNFN8dt/s1600/USB4.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="300" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiZ_JIiR5XWFZBmr5GNhIj6HGZZfXYLHVRXL3RXfMZHMpM7oZICErQAVif6X68fAtC5zwRe0dKaJ2YApYMnXrbxVqtb_i5axXfa3Zd1_quM73429CSq4ypfJOry05_bFm-JN28pLhNFN8dt/s400/USB4.png" width="400" /></a></div>
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgAzBXk0G4pTWBHS2Wsz3bG3cQXK9k-_ZadcLr68daU0LWawP5qfYkDnKpNr26KZEfbC9uYvh-YMKlkS46lbROFBajrTp00og1JwxjhGFHlszTIMnVNDdx4F23h5056JSodkozGxflmaDkX/s1600/C.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><br /></a>
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />Unknownnoreply@blogger.com0