HARDWARE HACKING VILLAGE - Hacking your HackRF
Formal metadata
Title | HARDWARE HACKING VILLAGE - Hacking your HackRF
Series title | DEF CON 26 (part 87 of 322)
Number of parts | 322
Author | Mike Davis
License | CC Attribution 3.0 Unported: You may use, modify and copy, distribute and make the work or its content publicly available in unmodified or modified form for any legal purpose, provided you credit the author/rights holder in the manner specified by them.
Identifiers | 10.5446/39893 (DOI)
Language | English
Transcript: English (automatically generated)
00:00
I'm Mike Davis, I'm, uh, here to talk about hacking your HackRF. Louder? Can you hear me now? Yeah? Okay, I'll just shout a bit. I'm a little bit hungover and, uh, got a bit of a cold, so, you know, uh, my voice is a bit deep, but yeah, so I'm talking about hacking your HackRF. Um, basically the idea is to show you guys how to take a HackRF apart a
00:22
little bit and maybe modify it and make it do some things it's not supposed to, uh, which is kind of cool. Um, I'm elasticninja on Twitter, Mike Davis, um, I'm doing a master's in information security and, uh, yeah, I love hacking stuff. I've done a lot of hardware talks and, uh, I bought this badge as well, so yeah, you can talk to me about
00:46
that later if you want. Um, okay, so, what is a HackRF? Um, so I've actually got my HackRF apart on the table in front of me here and it's a pretty sketchy, uh, setup there, but that's, that's a HackRF, uh, pretty much open. Um, it's a software
01:04
defined radio and you can get it from Great Scott Gadgets. Um, it's, uh, it's quite a nice accessible device, uh, it's $330 I think, and it's open source hardware, which is why I get all excited about it. So, oops, so one of the fun things about a HackRF, if you
01:26
wanna change it, is actually taking it apart. Um, the first time I did it, uh, there were a lot of bad cracking noises and, um, it, uh, I actually broke the case. Um, I used the tool on the left, and if you go search on the internet, there's quite a few talks about, um, how
01:44
to actually do it the proper way, and the best way is to use, um, Jared Boone, ShareBrained's, um, little guitar pick, and he's got a very specific type so you can just go buy one at the, at the store and the thing just pops open. So, he's actually done a, a 10-second video on it, so that's what you can look at. So, here's a map of the world of, of
02:05
the internals of the HackRF. Um, on the top right, top right-hand section is just RF and dragons and, like, don't fiddle there. Um, there's not a lot you can do in there, but you can, uh, change it in software, so, uh, that's the interesting part, but I'm
02:21
gonna focus on the other side of it, um, which is basically everything from the RF section onwards. Um, if you go have a look at the baseband header, you can get the, the raw 20 mega sample, megahertz rather, uh, baseband, both the transmit and the receive, in there. The only problem I have with that header is I don't think it's a good RF header, so
02:42
you probably, if you wanna do something with that, you probably wanna replace it or, um, maybe put something with better contacts in it. Um, this is the CPLD, it does a lot of the heavy lifting, uh, decimation and moving the data from the, um, so I didn't mention the front end, which is the little chip on the bottom left there, and that does the, that
03:01
samples the, the raw baseband and turns it into digital data. So that's actually the, the bit that you, um, uh, gives you the digital part of the SDR. Um, so the CPLD is a, kind of like a, um, I like to call it a weak FPGA, but that's not really what it is. It's a logic device, um, you can program it to map, I mean, in this case, I think it's
03:23
mapping pins between, um, the front end and the, um, and the actual processor. It does decimation and does a whole bunch of other RF-type, uh, activities. Um, and then you've got the actual microcontroller itself with all the headers, and that's the bit that, uh,
03:41
that's pretty interesting for me. Um, and if you take a look at this, this is a GreatFET, so they've actually chopped the HackRF in half and just given you that bit on the left there, um, in a slightly different format and slightly different chip as well. But if you ask them about the GreatFET, um, it's quite a nice little device. I think they've
04:03
done a lot of talks on, uh, like infrared and all that kind of thing, and basically you can also use it as a kind of logic analyzer as well if you want. Uh, so that's quite a cool thing. Um, so most of the work I've done has been in this little section here. Uh, it involves a lot of this, a lot of this kind of thing, breadboards and
04:25
little wires sticking all over the place. Um, I've seen someone did a very nice PCB to join two HackRFs together. Uh, it was an academic project and I'll try and find that link, but, um, it's really cool what they did. They worked on the CPLD side and
04:41
modified that to synchronize two HackRFs. Um, I focused on the processor side and I failed. So, anyway, I had a good time doing it. Um, so, like I said before, one of the great things about the HackRF is that it's, uh, it's open source hardware. They publish all the schematics, um, and you can go have a look through it, and really you
05:03
can go to Michael Ossmann's, uh, GitHub and just have a look at the, um, have a look at it in, uh, KiCad. So, when you open it in KiCad, that's the kind of view you get. Um, you can see all the traces between the different components, and if you do a little bit of work,
05:21
you can just get rid of all the layers that you don't care about and instead focus on the processor and the headers for, for this particular thing. Um, the datasheet for the processor that they use is really hard to, like, if you look for the pinouts, it's somewhere in the middle of the, of the documents and I, I can never find it. I wanted to
05:40
put it on the page here, but, uh, basically the, um, most of the pins that you would be interested in are actually mapped to the, the headers. But, um, yeah, so, uh, so the
06:02
question is, is it just open source hardware and, uh, are multiple manufacturers manufacturing it? Um, so, Great Scott Gadgets designed it and, and make it, and I believe there's a thing called a Blue RF or something like that which is cheaper and uses cheaper components and breaks more often, and occasionally, if you ask them very
06:20
nicely, they'll fix it for you, but I wouldn't recommend using it, um, especially because, um, it's literally a clone that's using cheaper parts. So, uh, I'd rather support, um, uh, Great Scott Gadgets. But there are, I mean, you could make it yourself. So, I'll talk a little bit later about what I want to do and how I want to change it and, uh, so I'll be kind of, I'll be making a few myself and then making
06:43
it open source as well. Yup. Um, okay, so it's got a, I didn't put the name on it. LPC4320 is on the HackRF. Uh, like I said, that datasheet is terrible, uh, in terms of just trying to find the pinout. Usually it's in the first 10 pages, but in this case, I, I
07:04
checked last night, I couldn't actually find it. Um, but it has everything you need in there for, to, to do what you want to do. It's got two cores in it. It's got an M4, which is a reasonably powerful kind of processor, and then it's got a little, uh, M0 sitting on the side. Um, that is, it's kind of difficult to get them to communicate, but you
07:23
can actually pass data between them. So, that's useful for things like driving displays and doing all that kind of thing while the main processor does a lot of the hard work. Um, as I'll show you later, uh, there's DMA in the, you know, as you'd expect from a modern processor, and a lot of the HackRF's, uh, the main loop in the HackRF
07:42
doesn't actually do anything. So, most of the work is done in DMA. So, if you want to do a little in there, it's a little bit of assembly and that kind of thing. So, but it's not a lot of code. Um, it can drive an SD card, it can drive Ethernet, it's got ADCs and DACs, so you can do things like sample microphones and output to speakers and that kind
08:01
of thing. It's pretty cool. Uh, and it's got all the rest of the kind of things you may expect. Um, just a quick overview of all the different headers. Um, there's, there's four headers. The, this P22, it's got stuff like the clocks and, uh, SPI, you can see in the bottom left there. Um, I don't, I don't use this very often. Uh, P28 header,
08:27
these are all the ones that are surrounding the, the actual processor. Um, again, this is, uh, SD card stuff. Um, there's your baseband header and, like I said, I'm not sure, I haven't tried it, but I'm not sure that that's actually, I'm not sure that you'd
08:41
actually be able to get the quality of signal that you want out of it, but I, like, I haven't really tried it. So, um, yeah. And this is the one that I normally, I normally play with. It's got a whole bunch of things. It's got the, um, you can get, uh, push voltage into it, you can get voltage out of it. Uh, a lot of ground pins and a whole bunch of GPIO pins that are kind of useful. Okay, so, the firmware is also open
09:07
source, so you can just go to Michael Ossmann's, uh, uh, GitHub repo and you can play with the firmware. Um, so, as I said before, the typical main loop is just setting up, uh,
09:20
USB mainly and then, um, and then just sitting in a while(true). So, it doesn't really do a lot. Normally, I take this out and replace it with something else. Um, and in this case, I want to show off a little, the typical kind of hello world, which is a blinky light, blinky LED. I believe so, but I'll tweet them out, last signature, make it easy.
10:01
Have you got it? Yeah? Okay. So, I mean, if you, if you want to, uh, typically, if you want to blink a light, you have to interact with, uh, GPIO pins, so general purpose IO pins. Um, in this case, it's neatly wrapped up in, uh, for the, anyway, they've got three LEDs in the front of the HackRF, so this is neatly wrapped up in a little LED
10:23
on, LED off and LED toggle, and, uh, and so you can literally just, for hello worlds, replace the whole main loop with just LED on, delay for half a second, LED off and delay again. And, uh, I'm going to try my best not to break this. So, you can see the
10:47
green light, I hope, and that is currently blinking. Um, so that's basically that code there, just, um, just blinking every half second or so. Okay, so, when you program
11:05
the device, um, normally, there's the hackrf_spiflash and that just interacts with USB and then pushes that, uh, pushes your binary into the flash chip, and then, you know, as soon as you reboot, it loads off that and it's fine, but I tend to remove the
11:21
USB handling because most of what I'm doing doesn't actually have USB attached to it. Um, so, after breaking the USB, you have to use dfu-util, and it's super easy, you just push the DFU button on the front, reset it and then it's in DFU mode, and that'll get it into, uh, it'll get your code onto the device. Um, getting it back is an
11:42
interesting exercise in git reset and that kind of thing. Okay, so, um, that's the typical loop that I, I, I mean, that's the base of the loop. So, the question is how do you break USB or why does it break? Um, uh, where was that code? So, this is the actual
12:05
main loop in the, in the normal code, and as you can see, there's, there's two sets of, uh, USB kind of transfer code and it runs that continuously, and as soon as you take that out, I think it's within a couple of seconds, the device, uh, it, it times out and it
12:21
stops responding to USB in terms of the, the host, actually, um, I've forgotten, disconnects it. Uh, so, it's very quickly not useful as a USB device. I mean, you can leave this stuff in here, um, but if there's no USB device connected while your stuff is running, weird things happen. So, I, I'll just take it out. Yeah. Um, okay, so, I did the
12:45
blinky demo, sorry. Uh, right, so, obviously, you want to do something useful with a radio. Um, so, there's quite a few interesting other open source projects. There's the PortaPack, uh, which I'll describe later. Uh, I've got a badge that I wrote, so I use
13:04
some of that code. Um, and if you dig around in the HackRF code itself, there's a lot of, uh, a lot of bits of code that actually access the, the hardware in interesting ways. So, like, there's a blinky demo in the actual HackRF source code. So, um, you can go dig around there, have a look, but PortaPack is actually a
13:22
great thing to look at if you want to build something that's not a, uh, a host-based SDR, you know, or a host-connected SDR. Um, and I'll show you that just now. One of the more interesting things about what I've been doing is trying to power a HackRF without blowing it up. So, what I like to do is push it into the USB bus, um, which
13:42
means that I run the risk of blowing up my computer when I program it, but if you're careful enough, you can basically power it off, uh, you put, uh, 5 volts into the USB bus and then, uh, it manages the rest itself. So, uh, you can, you can't really plug a battery in there. There is actually a VBAT, uh, pin, but I haven't tried that. I'm not
14:02
actually sure what that does. But it, it says battery. Sorry? Okay, yeah, that makes more sense. But, um, if you want it, you really need to give it 5 volts and then it's, everything's happy. So, um, okay. So, I, I built a, a shaky demo. It basically,
14:21
um, I'll show you the code now, but it sits in a loop and it, um, it pulls, pulls the 2.4 gig spectrum into little bins and then tries to display it on my little badge here. So, I did it in my hotel room. It's a little bit sketchy, but it kind of works. Also, the
14:43
contrast is a bit rubbish. I don't know if you can all see that. But, so, in theory, that's the 2.4 spectrum, uh, just doing a waterfall down here. So, again, the nice sort of, um, device. But, uh, if you wanted to put a display on, there's also display
15:01
drivers, uh, on the, well, there's a display peripheral on the actual HackRF as well. So, you could plug that in too. Um, so, this is just a bit-banged SPI talking to my badge. Anyway, um, so, the reason I started all of this was I wanted to have multiple
15:28
HackRFs, um, synchronized. So, I could do TX and RX or I could do, uh, like multiple, so, the whole band of Wi-Fi or, uh, in the one case, it was, uh, direction finding. So,
15:41
that was my actual intent and the reason I started taking my devices apart. I also have far too many HackRFs because I was trying to do that kind of thing. So, um, if you want to buy one. Anyway, um, but, uh, so, it was relatively simple. It's just like basically plugging a few GPIOs in together and synchronizing the clocks. So, you'll see,
16:05
you'll see on the HackRF there's two ports on the back, and those are for, um, for accepting or transmitting a clock. And, um, the clock in the HackRF is not that great. So, it drifts a bit. I think it's a, it's just a standard or relatively standard crystal and it's got 20 to 100 PPM kind of, um, accuracy. So, there are, um, changes you
16:26
can make to it to get much better. So, doing things like GPS and that kind of thing you can actually do with a HackRF, but you need to do a lot of work. Anyway, so, um, the problem with this approach is you've got multiple USB ports that you have to synchronize, and it turns out that synchronized USB is actually a terrible idea. So, it
16:44
doesn't actually work, but it, uh, for very low bandwidth signals you can actually get away with it. So, the, the difference between the time of arrival of packets and that kind of thing is actually, it's, you can get away with it. But, um, I gave up on that project, uh, and I started thinking about cutting a HackRF in half. And, uh, so the
17:05
idea is that what I want to do is take the RF section on one side, not physically cutting it, sorry, but, uh, I don't know what would happen. But taking the RF section on one side and putting the processing section on another and then hopefully making little boards that I can plug the, uh, you plug multiple RF sections into and, and then the
17:26
discussion becomes what kind of processor do you use and how do you get all that data across. So, then all of a sudden I'm working with USB 3, FPGAs and that kind of thing. So, um, I've kind of, uh, kind of put it on the shelf for now, but I still, I
17:41
still dream about it. It's like something I'd really like to do. Um, and there is actually a Great Scott Gadgets board out there that does multiple, it can do, uh, it adds another radio section to the HackRF. Um, I've kind of forgotten the name of it, um, but it's a work in progress and I think that might be the easier path, I'm not sure. But,
18:03
um, so, if you have a look around at the, at Michael Ossmann's GitHub repo, you'll actually find it there. Like all of the boards, the GreatFET and everything are there. So, um, if you wanted to go make one and give me one, that'd be great. But, um, anyway, so, that's a project I'm working on. Um, I also fly drones and, uh, that's a
18:25
picture of my drone hanging off a wire that I, it took me ages to get out of, get it off of there. But, um, one of my projects is actually to put HackRFs, uh, or one HackRF that I'm willing to risk onto a drone and use it in place of, um, uh, the
18:44
FPV gear that you can buy commercially, which is pretty shockingly bad stuff. Um, it's, uh, FM-modulated, um, uh, video signal and it doesn't do well with, you know, interference, it doesn't do well with a bad antenna. So, I thought maybe I could do better. So, I've
19:01
been strapping a HackRF onto it and trying to receive the signal and I'm, I'm getting somewhere, you know. But, I'm, I'm always worried about that, you know, landing up on, on something and then my HackRF is, you know, gone. So, anyway. Um, so, all of the things I've been talking about are kind of encapsulated in the
19:21
PortaPack. Um, you can buy it at, uh, at the vendor area. It's got little screens, got buttons, it's got, um, it's got a battery, it's got all the things in there. Um, I haven't bought one because I like to break stuff myself, but, uh, this thing's pretty cool if that's all you're looking for. Okay. Um, yeah. And that is pretty much my
19:44
talk. So, yeah.