1. Not Quite ZigBee; or,
How to Sniff a Strange Radio
Open with “Why should
you give a shit?”
List of Exploits
Travis Goodspeed
22 April 2010 -- Source Boston
travis@radiantmachines.com

2. Introduction
✤ Wifi
✤ Bluetooth
✤ Ubertooth
✤ ZigBee
✤ KillerBee, GoodFET, Freakduino Chibi, Daintree
✤ What about everything else?

3. Introduction
✤ This is not a USRP lecture.
✤ Weird radios are usually one-off designs.
✤ Bad cryptography, if any.
✤ Little testing, quality control.
✤ Vulnerabilities inherited from the chipset.

4. Citations
✤ Max Moser and Thorsten Schröder
✤ Michael Ossmann
✤ Read my articles for the rest,
http://travisgoodspeed.com

5. Example Targets
✤ Radio Remote Controls
✤ Apple/Nike+ Shoe Pod
✤ Garmin ANT+ Watch
✤ Microsoft Keyboard

6. Methodology
✤ Dissect a device.
✤ Part numbers, chip die photographs, firmware.
✤ Determine radio encoding, rate, and frequency.
✤ 2FSK, 2Mbps, 2.4GHz
✤ QPSK, 1Mbps, 2.4GHz
✤ Build a transceiver.

8. Part Numbers
✤ CC2420, EM250, A7125
✤ Uniquely identify the part, index the datasheet.
✤ Vulnerabilities are indexed by part number, not product name.
✤ Sometimes they are missing or ground off.
✤ HNO3 and H2SO4 are your friends!

9. Datasheets
✤ Describe registers and pins.
✤ Sometimes private, but often public.
✤ Read the whole damned thing, and you’re secure to find bugs.
✤ Also read the errata sheets.
✤ For this chip and its ancestors.

10. Datasheets

13. Die Badges
✤ Identify the internal part number.
✤ Sometimes this is the public one.
✤ Sometimes it isn’t.
✤ Animals, Logos
✤ Lot numbers.

14. TI/Chipcon CC1110

16. Amiccon 7125

17. Amiccon 7125

18. nRF24L01+

19. Ember EM357

20. Ember EM357 Magnum

21. Mystery 2.4GHz Radio
nRF24E1G
✤ Logo first.
✤ Inductors.
✤ Lollypops!
✤ Fill Pattern

22. ✤ ffo
✤

23. Mystery vs. CC1110

24. Mystery vs. EM357

25. Mystery vs. nRF24L01+

28. Mystery vs. nRF24L01+

29. Meet the Lineup
✤ Chipcon
✤ Nordic RF
✤ Amiccom
✤ Others

30. Chipcon ISM Band
✤ CC1100, 2500 radio.
✤ CC1110, 2500 system-on-chip.
✤ Very configurable.
✤ CC1110 talks to anything sub-GHz.
✤ Undocumented 4FSK, use register settings for CC1101.

32. Nordic RF
✤ No promiscuous mode.
✤ There’s a hack, but it’s ugly.
✤ Not very configurable: ✤ Microsoft Keyboards, Mice
✤ 2FSK, fixed deviation. ✤ OpenBeacon
✤ Integer MHz channels. ✤ Sparkfun Keyfob
✤ ANT+, Nike+

35. Amiccom A7125
✤ 2.4GHz, 2FSK
✤ Doccos in English, Chinese
✤ Unbuffered mode for outputting symbols directly.
✤ 2 million symbols/second!
✤ Handy, but not necessary, for prom. sniffing of Nordic traffic.

36. Modulation Schemes
✤ Frequency Shift Keying (FSK)
✤ Cheap digital radios, Bluetooth.
✤ Amplitude Shift Keying (ASK, OOK)
✤ Car remotes, garage door openers.
✤ Phase Shift Keying (PSK)
✤ Wifi, ZigBee
✤ Complicated variations of each.

37. Frequency Shift Keying
✤ Symbol Rate: Integer or floating?
✤ Frequency: Integer or fractional?
✤ SYNC: Configurable? Repurposed as the address?
✤ Deviation: Space between highest and lowest symbol.
✤ Encoding:
✤ 2FSK: Low frequency is zero, high frequency is 1.
✤ 4FSK: +1, +1/3, -1/3, -1

38. Getting a radio board.
✤ Chips are difficult to use directly.
✤ QFN or BGA chip packages.
✤ Radio layout requires a custom board.
✤ Modules are available with radio and analog chain.
✤ Often lack an MCU, so use a GoodFET.
✤ Commercial boards are often useful.
✤ GirlTech IMME, Next Hope Badge

52. Configuring the Radio
✤ All digital radios are configured by Special Function Registers (SFR).
✤ Register settings can come from multiple sources:
✤ SmartRF Studio configuring TI/Chipcon radios.
✤ Datasheets
✤ Ask Ossmann

55. ✤ RF Parameters
✤ Register Addresses
✤ Register Values

56. Always bring it back to Python

57. GoodFET Radio Architecture
✤ Firmware in C, client in Python.
✤ Py2Exe port for Win32.
✤ Only tested on the Chinese build.
✤ Firmware is trimmed to support only the needed drivers.
✤ New drivers can be written in pure-Python.
✤ Port functions to C as needed.

58. Turning Point Clicker
✤ Classroom remote control.
✤ Attendance, Quizzing
✤ Nordic nRF24E1G
✤ 8051 MCU
✤ 2.4GHz Radio
✤ External Flash

62. Radio+8051 MCU
SPI ROM

63. Dumping Firmware
✤ Chips
✤ nRF24E1G -- 8051 MCU + nRF2401 Radio
✤ 24C32 Boot Rom
✤ Documentation
✤ Datasheets, Reference Design

64. nRF24E1
✤ 8051 Microcontroller
✤ More popular than ARM and X86.
✤ Internal nRF2401 Radio
✤ 1Mbps GFSK Radio
✤ 2.4 to 2.5 GHz, 1MHz Channel Spacing
✤ No internal Flash. Boots from external EEPROM.
✤ No promiscuous mode. (The hack comes later.)

65. Radio+8051 MCU
SPI ROM

66. nRF24E1 Firmware in IDA
✤ ``goodfet.spi25c dump clicker.hex’’
✤ Copy all but first 7 bytes to clicker.bin.
✤ Load clicker.bin to CODE memory at 0x0000.

67. Just 3kB of Code

68. nRF24E1 Internal Arrangement
✤ 8051 MCU
✤ Internal SPI Bus
✤ RADIO register #0x80

69. Useful Registers
✤ SPI_DATA, SPICLK, SPI_CNTRL, EXIF
✤ P1 LED Port
✤ P0.0 SPI EEPROM Slave Select
✤ RADIO #0x80
✤ RADIO.3 is Radio Slave Select
✤ RADIO.7 is Power Up

70. From Registers to Functions

71. RADIOWRCONFIG
✤ Just a lot of SPIRXTX.
✤ 08 08 00 00 00 00 00 00 00
✤ (1B) (1C) (1D)
✤ 63 6F
✤ (1A)+1

72. Data Width
ADR
ADR Width
CRC LEN
Config Channel

73. RADIOWRCONFIG
✤ Just a lot of SPIRXTX.
✤ Channel at 0x1A
✤ 08 08 00 00 00 00 00 00 00
✤ MAC at 0x1B, 0x1C, 0x1D
✤ (1B) (1C) (1D)
✤ 4 bytes of data
✤ 63 6F
✤ 1 byte checksum
✤ (1A)+1

74. Transmission
✤ Function takes one byte of input.
✤ Repeated calls to SPITXRX
✤ (1E) (1F) (20) //Destination MAC Address
✤ (1B) (1C) (1D) //Source MAC Address
✤ (input) //Button Code

75. Destination MAC at 1E, 1F, 20
✤ MOV 0x1E, #0x12 ✤ DMAC is 0x123456
✤ MOV 0x1F, #0x34 ✤ Payload length is 4 bytes.
✤ MOV 0x20, #0x56 ✤ One byte checksum.

76. Turning Point Sniffing
✤ 2.441 GHz, 1Mbps
✤ Address: [0x12, 0x34, 0x56]
✤ Payload:
✤ 3 byte MAC
✤ 1 byte Button (ASCII)

78. Load the Registers by GoodFET

80. Microsoft Keyboard
✤ 2.4GHz Nordic, XOR crypto
✤ SYNC varies by unit.
✤ Again, there’s no promiscuous mode.
✤ Initial Exploit in Keykeriki 2.0
✤ Max Moser and Thorsten Schröder
✤ Amiccom A7125, nRF24L01+

81. Holy crap that’s bad crypto!

82. Promiscuity is a Citizen’s Duty
✤ If the crypto is so bad, why is it hard to sniff?
✤ SYNC field is unique to the unit.
✤ Receiver must know the SYNC to receive a packet.
✤ Two solutions:
✤ 1) Search raw radio traffic for Preamble. (Keykeriki)
✤ 2) Use the preamble as if it were a SYNC. (GoodFET)

83. Schröder and Moser’s Solution
✤ A7125 samples raw bits at 2Mbps.
✤ ARM CPU looks for Preamble.
✤ When the MAC is found,
✤ Load nRF24L01+ to sniff.
✤ Dump to PC for interpretation.
✤ Can it be cheaper?

84. GoodFET Autotune
✤ Reduce MAC length to two bytes.
✤ Disable checksums.
✤ Set MAC to 0x0055 or 0x00AA.
✤ Count occurrences of 5-byte sequences:
✤ Might by shifted off by a bit.
✤ Filter out noise.

85. GoodFET Autotune

86. GoodFET Autotune

89. Conclusions

90. Sidebar
✤ Somehow we have time left.
✤ Let’s not waste it.