OSINT RF Reverse Engineering by Marc Newlin
1 like•887 views
The document discusses the reverse engineering process of wireless devices, specifically focusing on a RadioShack wireless mouse and its dongle using software-defined radio (SDR) techniques. It covers essential concepts such as hardware vs. software-defined radios, signal modulation, and the steps for open-source intelligence (OSINT) in gathering data. The author provides insights on analyzing RF packets, understanding protocol behavior, and identifying payload structures, ultimately concluding that the mouse operates independently of Bluetooth with combined channel agility.
![Find the longest repeated sequences (dongle)
$ grep -Po "(ffff[a5]{12}).{16}" dongle.bytes.hex | sort |
uniq -c | sort -nr
392 ffffaaaaaaaaaaaa1116e8d14b782aff
1 ffff5aaaaaaaaaaa1116e8d14b782aff
• Look for shifted preamble variants (FFFF followed by 12 A’s or 5’s)
• Increase the number of bytes after the preamble until it no longer repeats
• The most repeated sequence is likely the dongle sync packet](https://image.slidesharecdn.com/takedowncon-160726183840/85/OSINT-RF-Reverse-Engineering-by-Marc-Newlin-56-320.jpg)
OSINT RF Reverse Engineering by Marc Newlin
- 1. OSINT RF Reverse Engineering Marc Newlin / [email protected] / @marcnewlin
- 2. Marc Newlin Security Researcher @ Bastille Networks
- 3. Agenda 1. Radio Primer 2. OSINT for ARFz 3. Reverse Engineering 4. MouseJack Demo
- 4. Radio Primer (from a hacker’s perspective)
- 5. Hardware vs. Software Defined Radio Hardware Defined Radio • Fixed functionality • Really good at one thing • Wifi card, wireless mouse dongle, bluetooth dongle, cellular modem, etc Software Defined Radio • Reconfigurable on the fly • Relies on computer or FPGA • Lots of open source protocol stacks available • USB and host computer timing limitations
- 6. Modulation • Defines how the carrier wave is modified to encode the bits we are transmitting • FSK - frequency shift keying • OOK - on off keying • ASK, QAM, OFDM, DSSS, FHSS • Generally knowing the modulation is sufficient to decode w/ GNU Radio
- 7. Symbols and Samples • Symbol is a fixed-length state that encodes one or more bits • Sample is a single value resulting from quantizing radio data by the SDR • Need at least two samples per symbol • 1Mbps FSK needs a 2MS/s sample rate
- 8. Frequencies and Hopping • Device can operate on one or more frequencies (channels) • Frequency hopping -- actively hopping between channels • Frequency agility -- opportunistically selecting channels for best performance • Some devices stay on a single channel, regardless of transceiver support
- 9. Channel Coding • Add redundancy to detect and correct errors during transmission • Has the potential to alter payloads so they aren’t immediately recognizable • FEC (Forward Error Correction) • ARQ (Automatic Repeat Request) • Repetition Coding • Convolutional Coding
- 11. MouseJack necessitated efficiency • 50+ devices, 4 transceiver families
- 12. What are we trying learn? • How does device work? • Can we uniquely identify each device? • What data can we passively sniff? • Does its presence pose a risk? • What does aberrant or malicious behavior look like? • How can we fuzz the device/protocol? • How quickly can we find all this out?
- 13. Standardized vs. Proprietary 1. Fully Standardized (Bluetooth, BLE, ZigBee, etc) 2. Partially Proprietary (nRF24L, TI-CC2544, etc) 3. Fully Proprietary (undocumented RFIC, SDR, etc)
- 14. RadioShack Wireless Mouse/Dongle • Fully Proprietary • 2.4GHz wireless mouse + dongle • Need to do some OSINT!
- 15. Reverse Engineering Process 1. OSINT 2. Sanity Check 3. ARFz to Bytes 4. Packet Formats 5. Payloads and Protocol (Where da ARFz at??)
- 16. 1. OSINT for ARFz
- 17. OSINT Resources • FCC documents • RFIC product specifications • The Google
- 18. Best case, what will we find? • Modulation • Symbol Rate / Data Rate • Frequencies • Frequency Hopping Behavior • Channel Coding • Whitening / Scrambling • Packet Format • Protocol Behavior
- 19. FCC Certification Process 1. Device is manufactured 2. Test lab evaluates the device 3. Telecommunications certification body issues a grant of certification 4. Test report, application, and related exhibits published in FCC database 5. Some exhibits are confidential (temporarily or permanently)
- 20. Finding FCC Exhibits • Lookup FCC ID @ https://www.fcc.gov/general/fcc-id-search- page • Click on the ‘Detail’ link on the results page
- 21. Relevant Exhibit Types Test Reports Internal Photos User Manuals Schematics Operational Descriptions Behavior of RF emissions What’s in the box?!? Can get quite technical Rare, but useful Rare, but useful
- 22. Test Reports • Does the device meet FCC guidelines? • Transmit power • Bandwidth • Frequencies • Duty cycle • 2498 authorized test labs • Each lab has one or more report formats • Each lab provides a varying degree of detail
- 23. Test Report (from Bureau Veritas lab)
- 24. RadioShack Mouse Test Report • 2408-2474 MHz • 67 channels • Intertek test lab
- 25. RadioShack Dongle Test Report • 2408-2474 MHz • 34 channels, 2 MHz spacing • GFSK modulation • 1Mbps data rate • Neutron Engineering test lab
- 26. Internal Photos • Varying degree of resolution • Some vendors blackout RFIC markings • No standardization
- 27. Internal photo of a Microsoft dongle • nRF24LU+ • Partially hidden markings • Well documented RFIC • (easy mode)
- 28. RadioShack Mouse Internal Photos • Low resolution • Nothing useful
- 29. RadioShack Dongle Internal Photos • Better picture • Still nothing useful
- 30. Schematics • Most vendors request permanent confidentiality on schematics • More common with lesser known manufacturers • When available, extremely useful to learn RFIC specifics
- 31. RadioShack Mouse Schematic • MA4302 RFIC
- 32. Operational Descriptions / User Manuals • Describes the device behavior in an undefined format • Hit or miss, but potentially fruitful • Some vendors include useful technical details
- 33. RadioShack Mouse Operational Description • Bluetooth !?!? • FSK modulation • 2408-2474 MHz • 67 channels • MA4302 RFIC
- 34. RadioShack Dongle User Manual • 2408-2472 MHz • GFSK modulation • 1Mbps data rate • human house only?
- 35. MA4302 mouse via Google-fu • Marketing material from another mouse with the same RFIC • FSK modulation • FHSS • Mosart MA4302 RFIC • More Google-fu, still no RFIC spec sheet
- 36. So what do we “know”? • GFSK modulation • 2408-2474 MHz frequency range • 34 or 67 channels • 1Mbps data rate • Maybe FHSS? • Maybe Bluetooth?
- 37. 2. Sanity Check
- 38. Tools and Equipment • Software Defined Radio • RF Test Enclosure • GNU Radio • gr-fosphor • baudline • RadioShack mouse and dongle
- 39. Software Defined Radio 1. Streams raw RF data to a host computer 2. Reconfigurable bandwidth and center frequency 3. Lots of popular options (USRP, BladeRF, HackRF, RTL-SDR, LimeSDR, etc)
- 40. GNU Radio • Open source SDR toolkit written in C/C++ and Python • Large selection of signal processing libraries • Hardware support for common SDR platforms • Efficient prototyping
- 41. GNU Radio Companion • Drag and drop flow graph creator • Quick and easy
- 42. gr-fosphor • OpenCL/OpenGL accelerated spectrum visualization tool • Out-of-tree GNU Radio module
- 43. baudline / gr-baz • Spectrum visualization tool • Excellent for analyzing signals • GNU Radio block in gr-baz
- 44. RF Test Enclosure (Faraday Cage) • Attenuates the ARFz • Isolate devices for reverse engineering • Prevent unintended side effects of fuzzing • Keeps the FCC happy :)
- 45. SDR to gr-fosphor flow graph • USRP data source • gr-fosphor data sink • 40 MHz bandwidth • 2420 MHz center freq • 15 dB antenna gain
- 46. RF Test Enclosure Setup
- 47. gr-fosphor: RadioShack dongle • 2414 MHz • TX at regular intervals • Looks about 1 MHz wide • Sync packet?
- 48. gr-fosphor: RadioShack mouse + dongle • Also camped at 2414 MHz • 3 packet sequence with mouse movement • Sync + data + ack?
- 49. 3. ARFz to Bytes
- 50. Flowgraph to demodulate mouse/dongle traffic • USRP data source at 2414 MHz • GFSK demodulator • 2 MHz sample rate • 2 SPS (1Mbps data rate) • Bits to bytes • File data sink
- 51. Capture some packets • Need to generate repeated packets • Capture dongle alone to isolate the sync packets • Capture mouse + dongle, repeatedly clicking the mouse
- 52. 4. Packet Format
- 53. Anatomy of an RF packet Preamble Sync field Address Header Payload Checksum Postamble Clock correction / synchronization Start of payload delimiter, can be static value or the address Receiver address Describes the packet, depending on protocol complexity The actual data being transmitted Checksum, CRC, etc End of frame delimiter, more clock correction
- 54. Prep the data (binary to hex) $ xxd -p dongle.bytes | tr -d 'n' > dongle.bytes.hex $ xxd -p dongle-mouse.bytes | tr -d 'n' > dongle-mouse. bytes.hex Standard command line tools enable quick and dirty analysis. • grep • xxd • sort • uniq Byte boundaries mean we only see a subset of the packets.
- 55. Find the preamble (dongle) $ grep -Po "(00|ff|aa|55)+" dongle.bytes.hex | sort | uniq -c | sort -nr 528 5555555555 514 ffff 468 aaaaaaaaaa 392 ffff5555555555 349 ffffaaaaaaaaaaaa 281 55ff 243 aaaa 226 5555 158 aa55 156 55aa We grep for a tone (0x00 or 0xFF), or alternating 1’s and 0’s (0xAA or 0x55).
- 56. Find the longest repeated sequences (dongle) $ grep -Po "(ffff[a5]{12}).{16}" dongle.bytes.hex | sort | uniq -c | sort -nr 392 ffffaaaaaaaaaaaa1116e8d14b782aff 1 ffff5aaaaaaaaaaa1116e8d14b782aff • Look for shifted preamble variants (FFFF followed by 12 A’s or 5’s) • Increase the number of bytes after the preamble until it no longer repeats • The most repeated sequence is likely the dongle sync packet
- 57. Sanity check the packets (dongle) $ grep -Pob "(ffffaaaaaaaaaaaa1116e8d14b782aff)+" dongle.bytes.hex | head -n 10 28215:ffffaaaaaaaaaaaa1116e8d14b782aff 32221:ffffaaaaaaaaaaaa1116e8d14b782aff 44253:ffffaaaaaaaaaaaa1116e8d14b782aff 46255:ffffaaaaaaaaaaaa1116e8d14b782aff 56291:ffffaaaaaaaaaaaa1116e8d14b782aff 58297:ffffaaaaaaaaaaaa1116e8d14b782aff 80365:ffffaaaaaaaaaaaa1116e8d14b782aff 84377:ffffaaaaaaaaaaaa1116e8d14b782aff 98420:ffffaaaaaaaaaaaa1116e8d14b782aff 126506:ffffaaaaaaaaaaaa1116e8d14b782aff Packet offsets are multiples of ~2000 bytes, or 16ms. Looks good!
- 58. Isolate the mouse packets $ sed -i "s/ffffaaaaaaaaaaaa1116e8d14b782aff//g" dongle-mouse.bytes.hex Remove the dongle packets from the mouse + dongle capture to isolate the mouse packets.
- 59. Find the preamble! (mouse) $ grep -Po "(00|ff|aa|55)+" dongle.bytes.hex | sort | uniq -c | sort -nr 2898 ffff 765 5555555555 666 aaaaaaaaaa 578 ff00 357 55ff 280 aaaa 272 5555 215 55aa 204 aa55 We grep for a tone (0x00 or 0xFF), or alternating 1’s and 0’s (0xAA or 0x55). No repeated occurrences of the dongle preamble, so we’ll try ‘em all!
- 60. Find the longest repeated sequences (mouse) $ grep -Po "aaaa.{20}" dongle-mouse.bytes.hex | sort | uniq -c | sort -nr | head -n 10 14 aaaa1116e8d126dbfa706aff 11 aaaa1116e8d121dbfae0efff 10 aaaa1116e8d12edbfad1c3ff 8 aaaa1116e8d12fdbfae1f4ff 7 aaaa1116e8d12ddbfa819aff 7 aaaa1116e8d129dbfa4146ff 7 aaaa1116e8d128dbfa7171ff 6 aaaa1116e8d123dbfa8081ff 6 aaaa1116e8d122dbfab0b6ff 5 aaaa1116e8d12ddbfa819aff Many repeated payloads, which may point to a sequence number.
- 61. Sanity check the packets (mouse) $ grep -Pob "(...)" dongle-mouse.bytes.hex | head -n 10 167823:aaaa1116e8d126dbfa706aff 263746:aaaa1116e8d122dbfab0b6ff 303715:aaaa1116e8d126dbfa706aff 423469:aaaa1116e8d121dbfae0efff 455379:aaaa1116e8d127dbfa405dff 591291:aaaa1116e8d124dbfa1004ff 691083:aaaa1116e8d121dbfae0efff 738884:aaaa1116e8d128dbfa7171ff 878869:aaaa1116e8d129dbfa4146ff 1170597:aaaa1116e8d12edbfad1c3ff Packet offsets are multiples of ~2000 bytes and more spaced out than the dongle packets. Looks good!
- 62. Packet candidates Dongle packet: ffffaaaaaaaaaaaa1116e8d14b782aff Address / sync word?: 1116e8d1 Preambles / postambles: ffffaaaaaaaaaaaa aaaa ff Mouse packets: aaaa1116e8d126dbfa706aff aaaa1116e8d121dbfae0efff aaaa1116e8d12edbfad1c3ff aaaa1116e8d12fdbfae1f4ff aaaa1116e8d12ddbfa819aff aaaa1116e8d129dbfa4146ff aaaa1116e8d128dbfa7171ff aaaa1116e8d123dbfa8081ff aaaa1116e8d122dbfab0b6ff aaaa1116e8d12ddbfa819aff
- 63. Checksum / CRC • 3 byte dongle payload • 5 byte mouse payload • potentially an 8 or 16 bit CRC (if any) • check dongle payloads with CRC RevEng $ reveng -w 16 -s 26dbfa706a 21dbfae0ef 2edbfad1c3 2fdbfae1f4 2ddbfa819a 29dbfa4146 28dbfa7171 23dbfa8081 22dbfab0b6 2ddbfa819a reveng: no models found No dice :/
- 64. How about whitening? • Some guesswork is required • XOR’ing with some value? • Reverse byte order? $ ./reveng -w 16 -s 7c81a0302a 7b81a0b5ba 7481a0998b 7581a0aebb 7781a0c0db 7381a01c1b 7281a02b2b 7981a0dbda 7881a0ecea 7781a0c0db width=16 poly=0x1021 init=0x0000 refin=false refout=false xorout=0x0000 check=0x31c3 name="XMODEM" Success!! Payloads are whitened by XOR’ing with 0x5A repeated, and the CRC is in reversed byte order. Dongle payload appears to have no CRC.
- 65. Mouse click packet format Preamble Address Payload Checksum Postamble AAAA 1116E8D1 3 bytes CRC-16 XMODEM FF
- 66. 5. Payloads and Protocol
- 67. Build out the model with additional test data • Test second mouse/dongle set to identify static vs. dynamic values • Dongle sync packets are identical across devices, appear to be unprotected by CRCs • Sync field is unique across devices, so it is indeed an address • Second mouse/dongle set camps at 2426 MHz • Mouse movement packets are 5 bytes in length
- 68. What about ACKs? $ grep -Pob "1116e8d1.{12}" dongle-mouse.bytes.rev.hex 1932509:1116e8d120dbfad0d8 - mouse click payload 1932592:1116e8d14b78ff2752 - ACK(?), ~300us later
- 69. TDMA timing • Dongle transmits sync packets every 16ms • Mouse transmits packets following sync packets • Dongle ACKs mouse packets
- 70. Reverse Engineering Payloads • Generate RF traffic with known expected behavior • Mouse clicks, scrolling, movement • What changes over the air?
- 71. Mouse Payload Formats Movement 4D 08 07 06 05 4 | Frame Type D | Sequence Number 08 | X1 07 | X2 06 | Y1 05 | Y2 Scroll 7E 81 FF 7 | Frame Type E | Sequence Number 81 | “Button” State F | Button Type (Scroll Wheel) F | Scroll Motion (Down 1) Click 7A 81 A1 // left down 7A 01 A1 // left up 7 | Frame Type A | Sequence Number 81 | Button State A | Button Type (Button) 1 | Button (Left)
- 72. So what have we learned about the mouse? • 4 packet formats • Dongle sync • Dongle ACK • Mouse movement • Mouse click • GFSK modulation, 1Mbps data rate • Device pair camps on a single channel • Dongle transmits timing and frequency synchronization packets • Mouse times its transmissions based on the dongle • Likely 34 channels, spaced at 2 MHz, between 2408-2474 MHz • Definitely not Bluetooth • XMODEM variant of CRC-CCITT
- 73. Process Recap 1. OSINT 2. Sanity Check 3. ARFz to Bytes 4. Packet Formats 5. Payloads and Protocol
- 74. MouseJack Demo - Logitech • Forced pairing • Disguise keyboard as mouse • Unencrypted keystroke injection into keyboard address • Firmware patch issued by Logitech