Implementácia prelomenia Keeloq – šifra používaná v autách, je prelomiteľná ?
Čítané celkom 96 x, Dnes prečítané 2 x
Možnosť prečítať Keeloq komunikáciu pomocou USRP2/GNURadio. Samotné USRP rádio a VF technológiu máme na Slovensku už k dispozícii. Takže v testoch nič nebráni. Je skôr problém nájsť na testy schopných ľudí a ľudí, ktorí nás presvedčia, že to zvládnu do zdarného konca. Nájde sa niekto komu sme schopný pomôcť a zapožičať kompletný hardvér a za oplátku nám odovzdá funkčný projekt ? Odmena ? Možno cena samotného zapožičaného hardvéru. Je to na Vás.
Spomenutý digitálny prijímač má už v jednom kuse zapožičaná skupina H4f. Ako sami popisujú jedná sa o lukratívny kus hardware pod názvom USRP. Krátka zmienka padla v článku GSM fail, v ktorom popisovali možnosti využitia tohto zariadenia. Po krátkej chvíli administrátor H4f vyriešil závislosti a inštaláciu GNU rádio na komunitnej verzii BackTrack 4 CZ c00k. K dispozícií bude niekoľko deb balíkov pre GNU radio, OpenBTS, Airprobe, Asterisk, Kraken a pár ďalších podporných nástrojov. Po sérii testov na systéme BackTrack 4 c00k plánujú vytvoriť komunitnú unikátnu verziu tejto Linxovej distribúcie pre analýzu GSM, resp. Live CD pre USRP.
USRP1 ->> USRP PKG, HDW-U1, TVRX, DBSRX2, 2x RFX900, VERT 400/1200, VERT 900, SMA-SMA, SMA-Bulkhead, MCX-Bulkhead, F-Bulkhead.
Čo viac si môžeme u Nás v EU priať ? Snáď viac takýchto firiem, ktoré sú ochotné a schopné podporiť aj finančne náročné projekty a to špičkovou novou VF technikov. Škoda, že firmy, ktoré majú napr. k dispozícii OLD VF hardvér, nie sú ochotné ho darovať mládeži, skôr skončí v zberných surovinách. Veľa krát sa pritom jedná o pekné vysokofrekvenčné kúsky, kde pre optimalizované testy by úplne mohli postačovať pre zábavu a testy pre ľudí, ktorých to zaujíma, alebo nemajú dostatok financií na realizáciu svojich projektov. Pomôžte im získať to, čo nikde legálne nezískajú. Veď kto sa legálne dostane k vyradenej OLD GSM BTS stanici ? Niečo z vyradeného VF hardvéru sa dá využiť aj po dobe samotnej životnosti. Ďakujeme. Vašu hardvérovú pomoc rozdistribuujeme …
USRP 101: Unlocking Wireless PC Locks (and freeing dolphins)
Have you ever seen one of these “USB Proximity PC Locks” before and thought “There’s NO way that piece of junk is secure”… turns out, you were right.
We had a little office challange recently to break this system, just for fun, and along the way document our Universal Software Radio Peripheral (USRP) which I’m still just starting to get to know. By now, I figure most of our readers would be familiar with the OpenBTS Project which uses an USRP to impersonate a GSM base-station. While this is an impressive use of the hardware at a fraction of the cost of a comercial base-station, the USRP can also be used to impersonate less functional and almost
worthless priceless equipment… like that USB proximity lock.
First things first, we need to get one of these locks ourselves. Surprisingly, I got one of these as a gift from ThinkGeek years ago and you can still find them on eBay and a few other sites. I was missing the drivers for mine, but you can still find a copy online. I installed it in an XP virtual machine and paired the remote with the USB dongle. Now anytime the remote was powered down or more than 30 feet away, the lock screen with these pretty dolphins was displayed.
Wireless Lock “lock” screen on XP
What I needed to know next was the approximate frequency. which the remote used to send data to the dongle and unlock the computer. My goal was to capture this transmission with the USRP, then replay the signal when the remote was turned off or out of range. Unfortunately the documentation that came with the wireless lock was pretty silent on what it used to do this. Given the device is so old, I doubted it would use BlueTooth, so I started to look through the installed application files for clues. The application is sold to be re-branded by many companies, but the string “Copyright (C) 2003 Dritek System Inc” in the HIDRead.dll seems to point to the actual manufacture. The USB dongle installed as a HID device under Windows, but the driver does not appear to say anything about the frequency which the dongle and the remote communicate. Neither does the documentation with the driver nor the PDFs I found online. However, one EBay post did contain an image of the back packaging which seems to have “FCC 434Mhz”. This matches the unlicensed spectrum that is commonly used for remote keyless car unlocking and garage doors.
This was also backed up when the remote device was taken apart. There are 2 main chips on the remote I was interested in, one labeled “NDR 550″ and the other “MDT10P55B1S”. Some surfing around leads to the NDR550 being from “Najing Electronic Devices Institute” which list this as a One Port Resonator which operates at 433.92 Mhz. Also looking at the remote’s PCB near the battery there are markings “315″ and “434″. Mine had a blue pen marks next to the “434″ text which falls within the range of the WBX board in our USRP.
Wireless PC Lock Remote
Using the GNU Radio spectrum analyzer around the 433.92Mhz frequency with our USRP N210, we do in fact receive a signal when the unlock remote is powered up and transmitting. The “uhd_fft.py” script comes with GNURadio UHD package. While the GUI was a bit unstable on my system, command line parameters worked well.
uhd_fft.py -f 433.9M -A TX/RX
The next step was to capture the signal coming from the remote to the dongle. While far from stealthy, the Log Periodic antenna we had from WA5VJB works for 400-1000MHz ranges. So with a bit of gain tweaking and proper timing, we were able to snag a good complex capture of the signal out of the air. Again, GNU Radio makes this easy with the “uhd_rx_cfile.py” script.
uhd_rx_cfile.py -f 433.9M -A TX/RX -g 35 outfile.dump
Then it was time to replay the signal. To do this, we wrote a GNU Radio Companion (GRC) file. I’d recommend looking at the OZ9AEC GRC examples if you’re new to GRC and have a UHD device like our N210. However, this replay script was so easy you could basically point and click to get it working. You’ll need just one source (something that will generate a signal in this case) and one sink (something to transmit the signal). The source was the file we had just captured which we sent to the UHD: USRP Sink. Set the sample rate to match that of the capture (default 1M), the center frequency (433.9 MHz in this case), and adjust the gain depending on your antenna and range. We set the file sink to repeat so running the script would continuously replay the unlock command to the dongle. From there, simply execute the script and watch the PC unlock (Go free my dolphin friends!)
GRC Transmit from File
We also looked at unlocking the system using a Teensy USB development board as a fake dongle (Sid, I want my Teensy back!). We plan to have a follow up post on that, but if you start looking though the registry and configuration settings for this wireless lock, you’ll notice some data looks strange. The “SqrtyKey.Cfg” file and HKLMSOFTWAREKeyMarkWireless PC LockPassword Answer registry setting are encoded with a transposition cipher. It shouldn’t take you long to figure out the pattern, so once you have, you can use the python script below to save you some decoding time. UNencode Dritek System Inc encoding (update: link should now work) (update 2: the maddman posted an awesome clean up of the script for Python 3 here)
So there you have it. Want to defeat a $20 wireless PC lock? All you have to do is spend $2500 on USRP hardware
~Corey and Max
www.sigint.sk tam kde nakúpite aj to, čo potrebujete k danej akcii.