SHMOOCON 2017
MARC NEWLIN // MATT KNIGHT // BASTILLE NETWORKS
SO YOU WANT TO HACK RADIOS
A PRIMER ON WIRELESS REVERSE ENGINEERING
SO YOU WANT TO HACK RADIOS // BASTILLE NETWORKS
WHO ARE THESE GUYS
▸ Marc “mou$e whisperer” Newlin
▸ Security Researcher @
▸ Discovered Mousejack vulnerability in 2016
▸ Finished 2nd in DARPA Spectrum Challenge in 2013
▸ Finished 3rd in DARPA Shredder Challenge in 2011
marc@ .net / @marcnewlin
▸ Matt Knight
▸ Software Engineer and Security Researcher @
▸ Reverse engineered the LoRa wireless protocol in 2016
▸ BE & BA from Dartmouth
matt@ .net / @embeddedsec
WHO IS THIS FOR?
WHY SHOULD YOU
CARE?
WIRELESS SYSTEMS
ARE EVERYWHERE
WIRELESS PROLIFERATION
▸ Cisco IBSG: 50 billion devices by 2020
▸ Mobile
▸ IoT
▸ Fewer wires every year
ABOUT THE INTERNET OF THINGS…
▸ America’s Favorite Buzzword™
▸ What is it, actually?
▸ Sales and marketing speak for “connected embedded devices”
▸ “Smart” devices are usually pretty stupid
EMBEDDED REALITIES
▸ Embedded systems are built on compromise
▸ Hardware: Small, inexpensive: Limits connectivity and encryption capabilities
▸ Power: Battery powered: Not promiscuous, intensive duty/sleep cycling
▸ Deployment: Hard to reach locations: Wireless, easily configurable, legacy compatible
▸ Updates: Difficult to update: OTP memory, network limitations, OEM/vendor supply chain
Vulnerable by Virtue of Being Constrained
ALARM SYSTEM VULNERABILITIES
▸ Discovered by ‘s Logan Lamb in 2014
▸ Legacy RF link between home alarm system sensors and control panel is vulnerable to:
▸ Jamming (denying alarm reporting)
▸ Command injection (trigger false alarms)
▸ Eavesdropping (detect occupancy, monitor movement)
Image credit: Logan Lamb
MOUSEJACK
▸ Discovered by ‘s Marc Newlin in 2015
▸ RF link between non-Bluetooth wireless keyboards and mice (hundreds of millions of devices) vulnerable to:
▸ Command injection (running arbitrary commands at the current permissions level)
▸ Eavesdropping (sniffing passwords, credit card #s, etc.)
@krystalmead
IOT VILLAGE FEEDBACK
▸ Interest in Software Defined Radio and RF systems is high
▸ RF is intimidating!
▸ Too much EE for software people
▸ Too academic!
NO PHD?
NO PROBLEM!
AGENDA
1. So you want to hack RF…
2. Introduce essential RF concepts
3. Introduce RF reverse engineering workflow that applies to all systems (this is what it’s all about)
4. Do it live!
   1. Z-Wave home automation protocol
   2. Wireless doorbell
   3. HP wireless keyboard
WHAT WE WON’T COVER
Digital Signal Processing
SO YOU WANT TO
HACK WIRELESS
BARRIERS TO ENTRY
▸ Lower than ever before
▸ Commodity hardware is:
▸ Really powerful
▸ Increasingly cheap
▸ Free (beer && liberty) software is abundant!
HARDWARE TOOLS
▸ Dedicated Radio Chipset (Hardware Defined Radio)
▸ Does 1 protocol really well
▸ Pros: single-protocol performance, cost, simplicity, low power
▸ Cons: lack of flexibility
▸ Examples:
▸ Ubertooth ($200)
▸ RFCat / Yardstick One ($100)
▸ nRF24 dongles ($35)
▸ ApiMote ($90)
HARDWARE TOOLS
▸ Software Defined Radio (SDR)
▸ Swiss army knife for most things RF
▸ Pros: flexibility (can implement any protocol)
▸ Cons: cost, complexity, power, performance (software and RF)
▸ Examples:
▸ Ettus USRP ($686 and up)
▸ HackRF ($300)
▸ BladeRF ($420-$650)
FREE SOFTWARE
▸ SDR:
▸ GNU Radio: open source digital signal processing suite
▸ GNU Radio OOT Modules: third party plugins
▸ gr-lora, gr-nordic
▸ Baudline, Inspectrum, Fosphor: powerful analysis tools
▸ HDR:
▸ Bluez, libubertooth, Killerbee
▸ Marc’s nRF24 library
TOOLS ARE RIDICULOUS
OFFENSIVELY, OBSCENELY SHORT RADIO CRASH COURSE
PHY LAYER
▸ Lowest layer in communication stack
▸ In wired protocols: voltage, timing, and wiring defining 1s and 0s
▸ In wireless: patterns of energy being sent over the RF medium
WHAT IS RF?
▸ “One of the four fundamental forces of the universe” — Tom Rondeau, DARPA Program Manager, former GNU Radio lead
▸ “Radio Frequency”
▸ Electromagnetic waves
▸ Energy
[Figure: spectrogram, a.k.a. “waterfall”: time vs. frequency, with power on the z-axis]
MANIPULATING RF
▸ Done with a radio
▸ Hardware defined
▸ RF and protocol in silicon
▸ Software defined radio (SDR)
▸ Flexible silicon handles RF
▸ Protocol-specific components implemented in software (CPU or FPGA)
PHY COMPONENTS
▸ Modulation
▸ How digital values are mapped to RF energy
▸ RF parameters that can be modulated:
▸ Amplitude
▸ Frequency
▸ Phase
▸ some combination of the above
MODULATION
▸ Modulators can modulate analog or digital information
▸ Digital modulation
▸ Symbols: discrete RF energy state representing some quantity of information
COMMON IOT PHYS
▸ Frequency Shift Keying: FSK, GFSK
▸ RF energy alternates between two frequencies to signify digital values
▸ Amplitude Shift Keying: ASK, OOK
▸ Changes in RF power on a certain frequency signify digital values
SYMBOLS ILLUSTRATED
▸ Top: FSK
▸ Bottom: OOK/ASK
▸ Compare with analog modulation
▸ Analog = infinite possible symbols
▸ Digital = finite number of possible symbols, defined by modulation
MORE COMPLICATED IOT PHYS
▸ Spread spectrum
▸ Data bits are encoded at a higher rate and occupy more spectrum
▸ Resilient to RF noise
▸ Examples:
▸ 802.15.4 (top; channel 2 MHz wide)
▸ LoRa (bottom; channel 125, 250, or 500 kHz wide)
RADIOS CONTINUED
▸ Radios can have two functions:
▸ Transmitting
▸ Receiving
▸ If a radio can do both it is dubbed a transceiver
ON REVERSE ENGINEERING
▸ How does one reverse engineer an arbitrary wireless system?
▸ Main objective: figure out how data is mapped to symbols
▸ Reverse engineering boils down to building receivers
WIRELESS REVERSE ENGINEERING
METHODOLOGY
[INTERACTIVE]
LET’S FORMALIZE
THIS
RF REVERSE ENGINEERING METHODOLOGY
1. Characterize the channel
1. CHANNEL CHARACTERIZATION
▸ Things to identify:
1. Where on the spectrum is it? i.e. what is its Center Frequency?
2. How wide is the channel? (kHz or MHz)
3. Is the channel static or does it hop? If the latter, what pattern/timing?
RF REVERSE ENGINEERING METHODOLOGY
1. Characterize the channel
2. Identify the modulation
2. IDENTIFY THE MODULATION
▸ Defines how data is mapped to RF energy
▸ This is the scariest part!
▸ …until you realize that most modulations are variations on a theme
▸ How to identify:
1. OSINT/Documentation
2. Intuition!
RF REVERSE ENGINEERING METHODOLOGY
1. Characterize the channel
2. Identify the modulation
3. Determine the symbol rate
3. DETERMINE SYMBOL RATE
▸ How often does the symbol state change?
▸ How to identify:
▸ OSINT/Documentation
▸ Measurement (Baudline, Inspectrum)
RF REVERSE ENGINEERING METHODOLOGY
1. Characterize the channel
2. Identify the modulation
3. Determine the symbol rate
4. Synchronize
4. SYNCHRONIZE
▸ Things to identify:
1. Preamble: pattern that tells receivers “data to follow”; used for clock recovery
2. Start of Frame Delimiter (SFD): tells the receiver “preamble is over, data follows from here on out”
▸ These are present in essentially ALL digital communication schemes!
RF REVERSE ENGINEERING METHODOLOGY
1. Characterize the channel
2. Identify the modulation
3. Determine the symbol rate
4. Synchronize
5. Extract symbols
5. EXTRACT SYMBOLS
▸ De-map symbols into data based on the expected modulation topology
▸ Profit! (more on this later)
RF REVERSE ENGINEERING METHODOLOGY
1. Characterize the channel
2. Identify the modulation
3. Determine the symbol rate
4. Synchronize
5. Extract symbols
LET’S SEE IT IN
ACTION
BUT FIRST
A WORD ON OPEN SOURCE INTELLIGENCE
OPEN SOURCE INTELLIGENCE (OSINT)
▸ Information gleaned from public sources:
▸ FCC/regulatory filing documents
▸ Technical documentation (datasheets, application notes)
▸ Patents
▸ etc.
▸ See Marc’s prior talks on OSINT from FCC filings
RF REVERSE ENGINEERING METHODOLOGY
0. Open-source intelligence research
1. Characterize the channel
2. Identify the modulation
3. Determine the symbol rate
4. Synchronize
5. Extract symbols
Frequency Shift Keying
Z-WAVE
HOME
AUTOMATION
PROTOCOL
FULL STACK
Z-WAVE HOME AUTOMATION SYSTEM
▸ Competes with ZigBee Home Automation cluster library
▸ Full stack mesh networking protocol, from PHY to application
▸ Totally closed source!
▸ Let’s build a PHY to enable analysis of the upper layers
Z-WAVE: RF REVERSE ENGINEERING METHODOLOGY
0. Open-source intelligence research
1. Characterize the channel
2. Identify the modulation
3. Determine the symbol rate
4. Synchronize
5. Extract symbols
Z-Wave Device FCCID
FCC ID U2Z45602-3 Test Photos
FCC Test Report EUT Description
▸ Channel and modulation clues
▸ Good start… let’s see what else we can find
FCC Reports from Z-Wave IC Manufacturer
Pick an arbitrary one
Z-Wave Channel Mapping
Looking at the 9.6 kbps @ 908.42 MHz channel
0. OSINT:
▸ Frequency: 908.42 MHz → 1. Channel
▸ Modulation: FSK → 2. Modulation
▸ Deviation: +/- 20 kHz
▸ Bit rate: 9600 bits/s → 3. Symbol Rate
OSINT leads to clues for the first 3 steps
Validating OSINT
▸ Frequency: 908.42 MHz → measure center frequency
▸ Modulation: FSK → visually confirm
▸ Deviation: ? kHz → measure width of channel
▸ Bit rate: 9600 bits/s → measure symbol timing
[INTERACTIVE]
Validating Symbol Rate
▸ Inspectrum measures 19,200 symbols/s: 2x the expected bit rate (9600 bits/s)
▸ Manchester encoding!
Manchester Encoding
Data Bits (un-encoded)    Manchester Bits (encoded)
0b0                       0b01
0b1                       0b10
(illegal state)           0b00
(illegal state)           0b11
Result: encoded bitstream has no more than 2 adjacent symbols with the same value
0b0000 → 0b01010101
0b1111 → 0b10101010
Benefit: lots of symbol changes for receivers to perform clock recovery/synchronization against
Cost: restricts bit rate to ½ baud rate (symbol rate)
0. OSINT:
▸ Frequency: 908.42 MHz → 1. Channel
▸ Modulation: FSK → 2. Modulation
▸ Deviation: +/- 20 kHz
▸ Bit rate: 9600 bits/s → 19,200 symbols/s over the air due to Manchester encoding → 3. Symbol Rate
Z-WAVE: RF REVERSE ENGINEERING METHODOLOGY
0. Open-source intelligence research
1. Characterize the channel
2. Identify the modulation
3. Determine the symbol rate
   (steps 1-3: GNU Radio flowgraph to produce a stream of symbols)
4. Synchronize
5. Extract symbols
   (steps 4-5: Python scripting to parse symbols into data)
Translate OSINT into GNU Radio Flowgraph
[Figure: flowgraph annotated with 1. Channel, 2. Demodulation, 3. Symbol Rate]
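The flowgraph on the slide is an image. As an added example (my code, not the talk's), here is the same chain in plain Python: the three OSINT-derived parameters become a 2-FSK modulator, a Quadrature Demod stage, a simple clock recovery and a slicer. It assumes a 192 kHz capture rate (10 samples per symbol) and a capture already mixed down so the 908.42 MHz channel sits at 0 Hz; both are my choices, not values from the deck.

```python
# Added example (my code, not the talk's): the OSINT-derived parameters the
# slide feeds into a GNU Radio flowgraph, implemented as a plain-Python 2-FSK
# modem: modulator, Quadrature Demod, a simple clock recovery and a slicer.
# Assumed by me: a 192 kHz capture rate (10 samples per symbol) and a capture
# already mixed down so the 908.42 MHz channel sits at 0 Hz (complex baseband).
import cmath
import math

SYMBOL_RATE = 19_200     # symbols/s: 9600 bit/s Manchester is 2x over the air
DEVIATION = 20_000       # Hz: +/- 20 kHz from the FCC test report
SAMPLE_RATE = 192_000    # Hz: assumed capture rate, 10 samples per symbol
SPS = SAMPLE_RATE // SYMBOL_RATE


def fsk_modulate(symbols, sps=SPS, sample_rate=SAMPLE_RATE, deviation=DEVIATION):
    """Complex-baseband 2-FSK: symbol 1 -> +deviation, symbol 0 -> -deviation.
    Phase is continuous across symbols, as a real transmitter's is."""
    phase, out = 0.0, []
    for sym in symbols:
        step = 2 * math.pi * (deviation if sym else -deviation) / sample_rate
        for _ in range(sps):
            phase += step
            out.append(cmath.exp(1j * phase))
    return out


def quadrature_demod(samples):
    """Instantaneous frequency in radians/sample: arg(x[n] * conj(x[n-1])).
    This is what GNU Radio's Quadrature Demod block computes."""
    return [cmath.phase(samples[n] * samples[n - 1].conjugate())
            for n in range(1, len(samples))]


def estimate_deviation(freq, sample_rate=SAMPLE_RATE):
    """Step 1 check ('measure width of channel'): peak excursion in Hz."""
    return max(abs(f) for f in freq) * sample_rate / (2 * math.pi)


def slice_symbols(freq, sps=SPS):
    """Steps 3-5 in miniature: lock a symbol clock to the first sign change
    of the frequency estimate, then take one decision per symbol at its centre."""
    edge = next((n for n in range(len(freq) - 1)
                 if (freq[n] < 0) != (freq[n + 1] < 0)), None)
    # Symbol boundaries sit at edge+1 (mod sps); the modulo pulls the clock
    # phase back so symbols before the first transition are not lost.
    centre = sps // 2 if edge is None else (edge + 1 - sps // 2) % sps
    return [1 if freq[n] >= 0 else 0 for n in range(centre, len(freq), sps)]


def demodulate(samples):
    return slice_symbols(quadrature_demod(samples))


if __name__ == "__main__":
    # Constructed test pattern: alternating preamble-style symbols, then data.
    tx = [1, 0] * 8 + [1, 1, 1, 1, 0, 0, 0, 0, 1, 0, 1, 1, 0, 0, 1, 0]
    freq = quadrature_demod(fsk_modulate(tx))
    print("measured deviation: %.0f Hz" % estimate_deviation(freq))
    print("round trip ok:", slice_symbols(freq) == tx)
```

On a real capture the sign of the frequency estimate is what you would inspect in Inspectrum to "visually confirm" FSK, and `estimate_deviation` is the "measure width of channel" step; the clock recovery here is deliberately naive (no timing-error tracking), which is why the GNU Radio flowgraph uses a proper clock recovery block.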
4. Synchronization and 5. Symbol Extraction
1. Look for preamble
2. Look for SFD to synchronize
3. Read out frame and de-Manchester. Frame length determined by:
a. Preconfigured MTU size
b. Power squelch (FSK is constant envelope)
c. Decoding failure (i.e. Manchester decoding hits an illegal state)
d. Decoded length field
4. Parse frame
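Steps 4 and 5 in code, as an added example (mine, not the talk's parsing script), covering both the Manchester table above and the preamble/SFD procedure on this slide. It runs on a constructed symbol string in place of the symbol stream the flowgraph writes out; the preamble and SFD values are the deck's (Manchester of 0b01 repeating, then Manchester of 0xF0), while the frame bytes and the noise around them are made up for the demo. Frame end is detected by Manchester decode failure or an assumed MTU, since the real length-field layout is not on the slides.

```python
# Added example (my code, not the talk's): steps 4 and 5 for the Z-Wave
# 9.6 kbit/s PHY, run on a constructed symbol string in place of the symbol
# stream the flowgraph writes out. Preamble and SFD follow the deck's appendix
# (Manchester of 0b01 repeating, then Manchester of 0xF0). The frame bytes and
# surrounding noise are made up; frame end is detected by Manchester decode
# failure or an assumed MTU, since the length-field layout is not on the slides.
MANCHESTER = {"01": 0, "10": 1}     # 00 and 11 are illegal states
PREAMBLE_UNIT = "0110"              # data bits 0b01 -> symbols 01 10
MTU = 64                            # bytes; assumed cap on frame length


def manchester_encode(data: bytes) -> str:
    bits = "".join(f"{b:08b}" for b in data)
    return "".join("10" if bit == "1" else "01" for bit in bits)


SFD = manchester_encode(b"\xf0")    # '1010101001010101'


def manchester_decode(symbols: str):
    """Decode symbol pairs until an illegal state (00/11) or end of input.
    Returns (decoded bit string, number of symbols consumed)."""
    bits = []
    for i in range(0, len(symbols) - 1, 2):
        pair = symbols[i:i + 2]
        if pair not in MANCHESTER:
            return "".join(bits), i
        bits.append(str(MANCHESTER[pair]))
    return "".join(bits), len(symbols) - len(symbols) % 2


def find_frames(symbols: str, min_preamble_units: int = 4, mtu: int = MTU):
    """Look for a preamble run, then the SFD (which fixes the bit alignment),
    then read the body out and de-Manchester it until it stops decoding."""
    frames, pos = [], 0
    preamble = PREAMBLE_UNIT * min_preamble_units
    while (p := symbols.find(preamble, pos)) >= 0:
        s = symbols.find(SFD, p)
        if s < 0:
            break
        body = s + len(SFD)
        bits, used = manchester_decode(symbols[body:body + 16 * mtu])
        nbytes = len(bits) // 8                  # a trailing partial byte is dropped
        frames.append(bytes(int(bits[i:i + 8], 2) for i in range(0, nbytes * 8, 8)))
        pos = body + used                        # resume after the frame, never inside it
    return frames


if __name__ == "__main__":
    # Constructed stream: noise, preamble, SFD, 3 payload bytes, noise, a second frame.
    stream = ("000" + PREAMBLE_UNIT * 10 + SFD + manchester_encode(b"\x01\x02\xab")
              + "0000" + "1" + PREAMBLE_UNIT * 6 + SFD + manchester_encode(b"\xff") + "11")
    print([f.hex() for f in find_frames(stream)])   # ['0102ab', 'ff']
```

Two things worth noticing: the SFD, not the preamble, is what fixes the symbol-pair alignment (a preamble of 0110 repeating looks the same shifted by two symbols), and on a noisy capture the illegal-state check will often run a pair or two past the real frame end, which is why the slide also lists an MTU, squelch and a decoded length field as terminators.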
Demo Time!
On-Off Keying / Pulse-Width Modulation
WIRELESS DOORBELL
HeathZenith SL-7762
▸ Wireless Doorbell
▸ Battery operated
▸ Two transmitters (buttons)
▸ FCC ID BJ4-WLTX201
▸ One receiver (chime)
▸ Receive-only, no FCC ID
DOORBELL FCC EXHIBITS
DOORBELL FCC TEST REPORT
▸ 315MHz center frequency
▸ 320us duration bit 1
▸ 13 bits per packet
▸ 25.48ms packet spacing
▸ ~30% duty cycle
LOOK AT SIMILAR PRODUCTS
OSINT SANITY CHECK
BUTTON WAVEFORMS IN BAUDLINE
[Figure: Baudline capture annotated with Start of Frame (1 bit), Button ID (8 bits), Tone ID (4 bits)]
WHAT DID WE LEARN FROM OSINT?
▸ 315MHz center frequency [channel]
▸ Pulse width modulation [modulation]
▸ 1 kHz symbol rate, i.e. 1 ms per bit [symbol timing]
▸ Bit 1 is ~700us off and ~300us on
▸ Bit 0 is ~300us off and ~700us on
▸ Packets are 13 bits long [synchronize]
▸ 1 “start bit”
▸ 8 button ID bits
▸ 4 tone ID bits
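The OSINT above is enough to write both halves of the doorbell PHY. As an added example (my code, not the talk's demo), here is an encoder that produces the OOK envelope and a decoder that turns an envelope back into packets. My assumptions, not the slide's: each bit is sent on-pulse first and then its off gap, fields are MSB first, repeats are 25.48 ms apart start to start, and the input is the 0/1 envelope from an OOK demodulator plus a threshold, sampled at 100 kHz. The decoder keys only on the width of each on-pulse, so it does not depend on the on/off ordering assumption.

```python
# Added example (my code, not the talk's): encoder and decoder for the
# doorbell's pulse-width-modulated OOK packets, built from the numbers on the
# slide: 1 ms per bit; bit 1 = ~300 us on / ~700 us off; bit 0 = ~700 us on /
# ~300 us off; 13 bits = 1 start bit + 8-bit button ID + 4-bit tone ID.
# Assumed by me: a bit is sent on-pulse first then its off gap, fields are MSB
# first, repeats are 25.48 ms apart start to start, and the input is the 0/1
# envelope from an OOK demodulator plus threshold, sampled at 100 kHz. The
# decoder keys only on the width of each on-pulse, so it does not depend on
# the on/off ordering assumption.
SAMPLE_RATE = 100_000
PACKET_BITS = 13
BIT_US = 1_000
ON_US = {1: 300, 0: 700}            # on-time per bit value (rest of the ms is off)
PACKET_PERIOD_US = 25_480


def n_samples(us: int) -> int:
    return us * SAMPLE_RATE // 1_000_000


def encode_packet(button_id: int, tone_id: int, start_bit: int = 1):
    bits = ([start_bit]
            + [(button_id >> i) & 1 for i in range(7, -1, -1)]
            + [(tone_id >> i) & 1 for i in range(3, -1, -1)])
    env = []
    for bit in bits:
        env += [1] * n_samples(ON_US[bit]) + [0] * n_samples(BIT_US - ON_US[bit])
    return env


def encode_transmission(button_id: int, tone_id: int, repeat: int = 3):
    """A button press repeats the packet; pad each copy out to the 25.48 ms period."""
    pkt = encode_packet(button_id, tone_id)
    return (pkt + [0] * (n_samples(PACKET_PERIOD_US) - len(pkt))) * repeat


def run_lengths(env):
    """[[level, length], ...] for the envelope."""
    runs = []
    for s in env:
        if runs and runs[-1][0] == s:
            runs[-1][1] += 1
        else:
            runs.append([s, 1])
    return runs


def parse_packet(bits):
    to_int = lambda bs: int("".join(map(str, bs)), 2)
    return {"start": bits[0], "button_id": to_int(bits[1:9]), "tone_id": to_int(bits[9:13])}


def decode_envelope(env):
    """Classify each on-pulse by width; more than 2 ms of silence ends a packet.
    Anything that is not exactly 13 bits (a noise glitch, a truncated capture)
    is dropped rather than mis-parsed."""
    packets, bits = [], []
    split, gap_limit = n_samples(500), n_samples(2_000)

    def flush():
        if len(bits) == PACKET_BITS:
            packets.append(parse_packet(bits))
        bits.clear()

    for level, length in run_lengths(env):
        if level:
            bits.append(1 if length < split else 0)
        elif length > gap_limit:
            flush()
    flush()
    return packets


if __name__ == "__main__":
    env = encode_transmission(0xA5, 0x3, repeat=2)
    print(decode_envelope(env))     # two copies of {'start': 1, 'button_id': 165, 'tone_id': 3}
```

The 500 us split sits halfway between the two pulse widths, so the slide's measured 320 us and the nominal 300 us both land on the same side; the encoder output is the envelope you would feed to an OOK modulator for a replay, which is all the doorbell's "security" consists of.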
DOORBELL
DEMOS
TDMA Frequency Shift Keying
HP KEYBOARD
HP CLASSIC WIRELESS DESKTOP
▸ 2.4GHz Wireless Keyboard/Mouse
▸ OEM = ACROX
▸ Keyboard
▸ FCC ID PRDKB14
▸ Mouse
▸ FCC ID PRDMU26
▸ Dongle
▸ FCC ID PRDRX02
HP DONGLE TEST REPORT
HP KEYBOARD TEST REPORT
HP DONGLE DMESG OUTPUT
DONGLE IN BAUDLINE
▸ Always transmitting at 8ms intervals
▸ No channel hopping
▸ TDMA? (Time Division Multiple Access)
KEYBOARD IN BAUDLINE
▸ Keystrokes follow dongle packets by 2ms
▸ Keyboard transmits up to every 8ms
▸ Dongle behavior doesn’t change
[Figure: Baudline captures of the dongle and the keyboard]
KEYBOARD DEMOD FLOWGRAPH
GREP FOR PACKETS
xxd -p [Link] |                       # bytes to hex
tr -d "\n" |                          # one continuous hex string
grep -Po "(00|ff|aa|55)+.{8}" |       # grep for packets: preamble-like run, then 8 hex digits
sort |
uniq -c |                             # sort by count
sort -nr |
head -n 10
DONGLE PACKET BYTES
ffffaaaaaaaaaaaaaaaaaeddd4e8
sed s/[dongle packets]//g
KEYBOARD PACKET BYTES
aaaaaaddd4e8
GREP, GREP, AND GREP SOME MORE!
preamble  address  sequence  frame type  keystroke  crc16
aaaaaa    ddd4e8   2e        db          3f         384a
aaaaaa    ddd4e8   2d        db          37         6092
aaaaaa    ddd4e8   28        db          3f         98f8
aaaaaa    ddd4e8   25        db          3f         c9ba
aaaaaa    ddd4e8   25        db          21         3649
aaaaaa    ddd4e8   21        db          27         30f5
aaaaaa    ddd4e8   20        db          3f         3951
tl;dr
smarter people than me
made that easy
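The "easy" part is recovering the CRC-16 parameters of the crc16 field from captured packets. As an added example (my code, not the tool the talk used), here is a brute-force search over the common CRC-16 parameter space. It is run on constructed packets in the keyboard's layout (3-byte address, sequence, frame type, keystroke, crc16) whose CRC I computed with CRC-16/CCITT-FALSE, so the expected answer is known. Which bytes the real HP keyboard's CRC covers, and which polynomial it uses, are not stated on the slides and are not claimed here; with real captures you feed in the packets you grepped out and read the parameters off the result.

```python
# Added example (my code, not the talk's): recovering a packet format's CRC-16
# parameters by brute force, the job the talk handed to an existing tool. Run
# here on constructed packets in the HP keyboard's layout (3-byte address,
# sequence, frame type, keystroke, crc16) whose CRC I computed with
# CRC-16/CCITT-FALSE, so the expected answer is known. Which bytes the real
# keyboard's CRC covers, and its polynomial, are not stated on the slides and
# are not claimed here.
from itertools import product

POLYS = [0x1021, 0x8005, 0x3D65, 0x8BB7, 0xC867, 0x0589]   # common CRC-16 polynomials
INITS = [0x0000, 0xFFFF, 0x1D0F]
XOROUTS = [0x0000, 0xFFFF]


def reflect(value: int, width: int) -> int:
    return int(f"{value:0{width}b}"[::-1], 2)


def crc16(data: bytes, poly: int, init: int, refin: bool, refout: bool, xorout: int) -> int:
    """Rocksoft-model CRC-16, bit by bit, so every parameter is explicit."""
    crc = init
    for byte in data:
        if refin:
            byte = reflect(byte, 8)
        crc ^= byte << 8
        for _ in range(8):
            crc = ((crc << 1) ^ poly) if crc & 0x8000 else (crc << 1)
            crc &= 0xFFFF
    if refout:
        crc = reflect(crc, 16)
    return crc ^ xorout


def search_crc16(packets):
    """packets: bytes objects whose last two bytes are the CRC. Tries every
    polynomial/init/reflection/xorout combination, both CRC byte orders and
    every start offset (so it also answers 'is the address covered?').
    Returns every parameter set that reproduces all packets' CRCs."""
    matches = []
    shortest = min(len(p) for p in packets)
    for start, poly, init, refin, refout, xorout, big in product(
            range(shortest - 2), POLYS, INITS, (False, True), (False, True),
            XOROUTS, (True, False)):
        order = "big" if big else "little"
        if all(crc16(p[start:-2], poly, init, refin, refout, xorout)
               == int.from_bytes(p[-2:], order) for p in packets):
            matches.append(dict(start=start, poly=poly, init=init, refin=refin,
                                refout=refout, xorout=xorout, big_endian=big))
    return matches


def build_packet(address: bytes, seq: int, ftype: int, key: int) -> bytes:
    """Constructed packet in the talk's layout; CRC-16/CCITT-FALSE over all fields."""
    body = address + bytes([seq, ftype, key])
    return body + crc16(body, 0x1021, 0xFFFF, False, False, 0).to_bytes(2, "big")


# Constructed captures (address and field values echo the slide, CRCs are mine).
SAMPLES = [build_packet(b"\xdd\xd4\xe8", seq, 0xDB, key)
           for seq, key in [(0x2E, 0x3F), (0x2D, 0x37), (0x28, 0x3F), (0x25, 0x21), (0x21, 0x27)]]

if __name__ == "__main__":
    for m in search_crc16(SAMPLES):
        print(m)
```

One caveat a practitioner should keep in mind: bytes that never change across your captures (the address, the frame type) cannot be told apart from the init value, because a CRC over a constant prefix is just a CRC with a different starting register. If the search returns several parameter sets, or none, collect more packets with more fields varying before trusting the answer.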
Common Threads
Methodology Revisited
Reverse Engineering Methodology
0. Open-source intelligence research
1. Characterize the channel
2. Identify the modulation
3. Determine the symbol rate
4. Synchronize
5. Extract symbols
1. Channel Characterization
All 3 PHYs share a common notion of a channel
Z-Wave:   +/- 20 kHz @ 908.42 MHz
Doorbell: 315 MHz
Keyboard: 2416 MHz
(plus other channels)
2. Identify Modulation
Modulation is the biggest variable
(but OSINT makes identifying it easy)
Z-Wave:   Frequency Shift Keying
Doorbell: Pulse-Width Modulation / On-Off Keying
Keyboard: TDMA Frequency Shift Keying
3. Symbol Rate Recovery
All 3 PHYs share a common notion of discrete symbol timing
Z-Wave:   19,200 symbols/s, 40,000 symbols/s, 100,000 symbols/s
Doorbell: 1000 symbols/s
Keyboard: 1,000,000 symbols/s
4. Synchronization
All 3 PHYs contain synchronization features (preamble and/or Start of Frame delimiter)
Z-Wave:   Manchester(0x55..55 f0)
Doorbell: Start bit
Keyboard: Preamble (0xaa..aa), SFD (3 byte address)
5. Symbol Extraction
Once you get here it’s just bits on a disk
[Figure: extracted bits for Z-Wave, Doorbell, Keyboard]
Reverse Engineering Methodology
0. Open-source intelligence research
1. Characterize the channel
2. Identify the modulation
3. Determine the symbol rate
4. Synchronize
5. Extract symbols
Same process for 3 different PHYs!
Conclusions
Disparate wireless systems can be rationalized via process
OSINT will help you skip the complex/domain-specific radio parts
Once you demodulate, you have bits on a disk which you can handle any way you please
One last thought to leave you with...
The IoT won’t
pwn itself
marc@ .net matt@ .net
@marcnewlin @embeddedsec
...actually,
nevermind
Thanks!
Questions?
Preamble and SFD Defines
Preamble = Manchester-coded symbols 0110 repeating
  Manchester-decoded: 0b01 repeating
SFD = Manchester-coded symbols 1010101001010101
  Manchester-decoded: 0b11110000 == 0xF0