Build-your-own sniffer. Michael Ossmann Great Scott Gadgets Mike Kershaw Kismet Wireless

Transcription

1 Build-your-own sniffer Michael Ossmann Great Scott Gadgets Mike Kershaw Kismet Wireless

2 Us Mike Kershaw Kismet & Kisbee creator

3 Us Michael Ossmann Creator of Ubertooth One Founder of Great Scott Gadgets

4 Why make your own? It's easy to sniff Ethernet It's easy to sniff Wi-Fi But what else is out there? Bluetooth... zigbee... nrf... DECT.. and dozens or hundreds of others Might contain useful data Might be a security risk for your company Might need to interface to devices Pure spite ("No-one can sniff this...")

5 Golden Age of HW Hacking This truly is the magic era Want to do 4-layer PCB prototypes using QFN radio chips? $50 or so for boards + stencil This is amazing Insanely cheap to prototype Tools are cheap too

6 Initial design checklist Can you get a radio that already does what you need? How technical is your target audience Will you be making more than a couple for yourself? What firmware do you need? What host code do you need? How will you integrate with existing tools? How will you fab and assemble them?

7 Can you get a radio? Some protocols (wifi, zigbee) have easyto-use transceiver Integrated Circuits (ICs) or modules. Some protocols do not have easy ways to monitor them (ie, Bluetooth) and you can't use an off-the-shelf radio module Some protocols have no commodity hardware at all and you have to decode everything!

8 SDR vs Dedicated radio Instead of an IC for a particular protocol, you could turn to Software Defined Radio (SDR). SDR is like using the sound card in a computer but with the speaker and microphone replaced by antennas (and about 1000 times faster). Digital Signal Processing (DSP) is used on raw radio waveforms in the digital domain.

9 SDR Receiver

10 SDR gets complicated

11 HackRF Design Goals Transceiver Operating frequencies from 100 MHz to 6 GHz 20 Million samples per second 8 bit resolution High Speed USB interface Bus powered Portable Open source hardware and software Low cost

12 SDR is great! For development For reverse engineering radio protocols For building radio systems without having to break out the soldering iron For implementing multiple protocols but there are drawbacks...

13 SDR is not so great The hardware is more expensive than a dedicated solution. DSP is complicated (both in development time and CPU utilization). It draws more power, making portable solutions difficult. In general, we recommend SDR for research and development but recommend dedicated hardware for deployment.

14 How technical is your audience Audience dictates complexity of device The more work you can do on your tools to make the device easy to use, the more people you'll be able to reach Decide what platforms you will give primary support to (Linux, OSX, Windows?) Each has challenges Don't sacrifice functionality for simplicity, however

15 How many are you making? Making 2 or 3? Use whatever you want! Just make sure you can solder it. Making 10-50? Make sure you can get what you need (check stocks), try to optimize for price. Realize you will soon hate building them. Making 100+? Time to start seriously looking at bulk price breaks, and designing with machine fab in mind

16 Picking a Microcontroller For low-bandwidth applications you have a lot of choices, power not a concern For SDR and high bandwidth, you need high speed processor, communication, USB2 or gbit ethernet support Look at support - libraries, existing code, toolchains, licensing Look at peripherals - what's built in to the chip already?

17 Microcontroller peripherals Peripherals = Features Pick chips based on what you need ADC - Analog to Digital PWM - Pulse Width Modulation, digital control of output GPIO - General Purpose IO. "Set pin 10 to 1, set pin 9 to 0" UART - Serial SPI, I2C - Inter-chip comms protocols

18 Pre-made tools Arduino - can talk to a lot of things and is useful to prototype, but expensive for production. Be careful of 3v/5v! Bus Pirate - lots of chip comms protocols GoodFET - lots of comms, easy to make A lot of radio components are surfacemount only Some require custom ($$) programmers Sometimes you can hack a programmer

19 $400 programmer, $0.50 wire

20 Firmware Look for communities around the chips you're considering Look for libraries which take care of a lot of the low level stuff Most firmware is in C now, with occasional assembler Some chips don't have open licensing on demo code, beware! Lots of common cores (like Arm)

21 Device to host Make sure your communications channel has enough bandwidth! Make sure your communications doesn't directly interfere with the spectrum you're monitoring USB2 is relatively easy to do at high rates of speed Another option is gbit ethernet with raw frames

22 Host code Needs to get data from device somehow Libusb allows raw usb xfer without having to write a driver, and relatively crossplatform Usb-Serial is handy, if you can use it. Bandwidth is definitely an issue for very high rate devices Tcpdump or similar to get packets from raw ethernet devices

23 Integrating with existing code Lots of existing code - lets leverage it! Wireshark (obviously) Tcpdump? Kismet? Scapy? Almost all tools expect to get packets, you just need to get your data to them

24 Wireshark There needs to be, or you need to get, a DLT linktype definition, to tell what kind of packets If it shows up as a netdev, Wireshark can read it. On Linux, we can fake this with tuntap If it writes a pcap file, Wireshark can read it. Writing pcap is easy! I've been thinking about ways to plug in non-netdev capture to Wireshark

25 Kismet Major rewrite almost complete to make Kismet handle any Phy type on equal footing Usable in SVN now! Plugins to make Kismet "anything wireless" not just Wi-Fi Inspired by Ubertooth, expanding to as many wireless protocols as possible Please, consider talking to me if you want to make a wireless sniffer!

26 Kismet Phy-N Plugging into Kismet gets you "free": GPS logging Signal logging XML logging Pcap Virtual netdev export to Wireshark Basic UI Minimal code needed to add new UI elements Just need a packet with a device identifier

27 Kismet Phy-Neutral UI

28 Portable devices Android 2.2+ can talk Bluetooth RFCOMM SPP, serial over Bluetooth. Minimal permissions Android Dev Kit, Arduino-like device acts as USB host. Low bandwidth. IOIO, like ADK, needs USB debug mode Android 3.1+ can talk USB as a host device! Control and bulk standard and interrupt IO

29 Problem devices we can't use iphone is a locked platform Want to talk serial? Requires licensed auth chip hardware Want to talk bluetooth? Requires... licensed auth chip hardware Rooted i-device could do it, but I don't have one. Anyone want to write an iphone zigbee sniffer?

30 Sniffer projects Kisbee Ubertooth

31 Kisbee Talks SCADA, sensor grids, smart grid, etc Portable sniffer Talks USB & Bluetooth Able to use highpower antennas

32 /Zigbee Low-bandwidth (max packet size 127 bytes, including framing) Multiple topologies for sensor networks (star, mesh, etc) Used in home automation, industrial monitoring, smartgrid, etc Shares spectrum with Wi-Fi, Bluetooth, etc, but not otherwise detectable

33 Kisbee Goals Different design goals lead to different decisions Kisbee designed to be: Low power consumption (battery powered) Low host device CPU power (works with phones) Hand-assemble-able (original designs entirely for manual assembly) Consistent platform for Kismet/Zigbee/etc dev

34 Not revolutionary, but useful Kisbee isn't a giant revolution in zigbee devices... Travis Goodspeed doing portable zigbee stuff (but non-reproducible) Multiple USB zigbee interfaces, but often with wacky firmware (Raven + KillerBee) But.. Kisbee designed as a portable, robust platform, open hardware, open software

35 Version 0

36 Version 0 Started in Feb 2012 CC2420 zigbee radio CC ghz amplifier MSP430 microcontroller FTDI TTL to USB serial adapter Hard to hand assemble (0402 and QFN) Expensive components - MSP is $15, FTDI is $5

37 Version 1

38 Version 1 Started in March Much simpler to assemble radio module Board is 2 layers instead of 4 Still uses expensive MSP and FTDI Radio module is expensive Didn't work - dramatically. Issues in power circuit caused lots of problems. Physical layout wasn't very good.

39 Version 2

40 Version 2 Final design in April Switch from MSP430 to LPC1343 ARM Integrates flashing, USB, etc in one chip, which costs $4.50! Revised layout Everything works! Some quirks here and there in design but generally pleased, making 50, & more to come!

41 Dedicated radio Kisbee uses a discrete radio Acts similar to a Wi-Fi card in monitor mode Signal decoding in hardware on the radio chip Provides decoded packets, NOT raw waveform samples

42 Talking to the radio The MRF radio talks SPI, a common protocol The commands are well-documented by Microchip, fortunately! It includes a monitor/promiscuous mode Packets reported via SPI The vast majority of things you'll encounter making boards will talk SPI

43 SPI Clocked serial protocol (which means it's easy! No syncing!) Set data high (or low) Raise clock Read incoming data line Lower clock Most microcontrollers have SPI built in as a peripheral function, acts like writing to a serial port

44 LPC1343 Flashable over USB (presents as a mass storage disk!), no custom programmer! Built-in USB (no $5 FTDI serial chip) Can do bulk transfer USB as well Nice support libraries SPI, UART peripherals Very cheap! $4 in small quantities Plenty of GPIO pins

45 Talking to the PC (or phone) LPC1343 can communicate via USB directly CDC-ACM serial driver Implemented an extended version of the Serialdev protocol (simple serial protocol for talking to Zigbee devices) Bluetooth is done over RFCOMM SPP, bluetooth serial port

46 Firmware Microbuilder.de has a LPC1343 firmware library Makes most things VERY easy Core firmware to get packets took 2 days or so to create Custom firmware is only about 1000 lines of C, including full MRF radio interface

47 Kisbee Android app

48 Android mapping

49 More android mapping

50 Ubertooth One

51 Sniffing Bluetooth is hard Off-the-shelf Bluetooth adapters are not capable of monitor mode. The ICs aren't capable of monitor mode either. Commercial Bluetooth sniffer costs $30k. I developed some SDR solutions with Dominic Spill (ShmooCon 2009), but I wanted something lower cost that everyone can use.

52 Frequency Hopping Spread Spectrum

53 Whitening (scrambling)

54 Searching for packets

55 The middle road Dedicated ICs were not available. SDR solutions were complicated and expensive. However, some transceiver ICs support Bluetooth's modulation (1 Mbps GFSK) even though they don't support the Bluetooth packet format. And some of them provide a way to bypass the on-chip packet handling!

56 Ubertooth One design

57 Designing How do you actually start these things?

58 Making the design Create the schematic (logical connections between components) Route the PCB (physical connections between components, linked to the schematic) Generate Gerber files (standard CAD file format used to make PCBs) Send it off to get made!

59 CAD / EDA Dozens of CAD/EDA layout programs out there We use Kicad - GPL, 100% free, no license encumberances Eagle has free version, but size, layer limited, and cannot be used for sale Plenty of very fancy, but very expensive, commercial CAD (Orcad, Altium, etc)

60 10 seconds on Kicad Very capable OSS - with all the implications of that, good and bad Sometimes UI is... quirky. Tutorials are getting better LEARN THE KEYBOARD SHORTCUTS. There's a lot of things you can't do without them! Footprint library slowly growing

61 Types of components PTH - Plated through hole, big wires through holes. For radios, these won't be an option. Passive (resistor, capacitor, etc) Integrated Circuit (IC) Common sizes 0805, 0603, x 0.05 inches, 0.06x0.03, etc Vast rainbow of packaging types TSSOP, SOT, PFQ, QFN... May have no choice, may be able to pick what types you use

62 0603 passives

63 QFP Many different pin counts Common Not as hard to solder as you'd fear

64 QFN Many radio chips are QFN only No leads - solder attaches to bottom Simple ones can be done with hot air Usually have to be done with reflow

65 Quick design tips Look for app notes with example circuits Try to stay to 2-layer for prototypes Design in cut-outs to let you build and test in stages Avoid doing RF paths if you can Look for OSS projects using your MCU or radios Find someone to beg for help

66 PCB Fab You can make your own boards at home, sort of. Single layer is easy. Dual layer is a lot harder. 4 layer is right out. Precision is vital for many rf chips. Prototype quantity fabrication is cheap now! The trade off is time - all the inexpensive prototype has a several week turnaround

67 Prototype fabs Laen's OSH Park (formerly Dorkbot PDX) batch fab. This is our favorite - great price, quality, and customer service! And the fab is in the US! BatchPCB - Run by the Sparkfun folks, uses Gold Phoenix Others, but these are really good For larger prototype runs, talk to Laen, or send to Gold Phoenix

68 Soldering! Who has tried to solder something? How'd it go? End up with a big blob of solder that won't go where you want and everything bridged? Soldering is about 5% skill, 5% experience, and 90% equipment and supplies Fortunately, it's pretty cheap! $200 will get you everything you'll need

69 SMT Soldering PTH soldering applies flux and solder to the component SMT soldering, apply flux to the board and component, and bring solder to it Flux keeps the solder from balling up and sticking Lots of tutorial videos on Sparkfun and Youtube, better taught by video

70 The iron Did you buy it from Radioshack? Get rid of it. Unless you do wood burning. You NEED temp control! Hakko, Weller both good brands I like the Hakko FX-951 The Hakko FX-888 is $80 and fine too

71 The tips Conical tips are usable but not really want you want, the solder will rarely go where you need Chisel tip is the most useful general tip Bevel tip is fantastic for ICs

72 Flux Remember how the solder balled up and wouldn't flow onto pins? All the flux was burned off Flux makes solder runny and want to stick to metal Get no-clean and non-corrosive fluxes or you will be sorry! Chipquick paste flux (again from Amazon)

73 Solder I've had good luck with almost any solder, including generic radio shack solder Leaded is easier to work with but nonleaded is safer Don't use acid-core plumbing solder! Get as thin a solder as you can

74 Hot air Sooner or later you need to remove an IC Can't do it with an iron Hot air guns are cheap ($80!) Not vital, but definitely useful

75 Hot air for less Pick up an embossing tool for $20 at your local craft store

76 Reflow soldering Uses solder paste Applied through a stencil to the board Place components with tweezers or vacuum tool Heat entire board on a hotplate or in a toaster oven Only way to do some things like QFN Surface tension helps auto-align components!

77 Soldering tricks When in doubt, FLUX IT When trying to remove a component, add more solder - it'll come off easier Desoldering braid needs to be pulled apart a little to be more effective When you have flux on the board, you can stop worrying about the flux burning off on your iron Almost anything can be fixed w/ hot air, desoldering, etc

78 Reflow tricks Set your paste layer apertures to about 88% of the pad size Leaded paste melts quicker, lead-free is safer/better Apparently you can't do it when it's 100% humidity or the chips pop off the board like popcorn :( Skillet works as well as a toaster oven

79 Picture time! It's photo time!

80 Stencil - laser cut from kapton

81 Applying paste

82 Pasted - a little thick

83 Components placed

84 Reflowed (with problems)

85 Batch + Electric skillet

86 Batch reflowing

87 Smooth reflow

88 Corrosive flux

89 Hakko bevel tip

90 Simple boards are cheap too!

91 Hot air the middle of a board

92 "Dead-Bug"ing a chip

93 Fixing your design It's not going to go right the first time You can do a lot of fixes to make it work before you order the second design Sometimes, things just go a little wrong making the boards and you have to kluge a fix, too Fly-wires, drilling out traces, etc

94 Fly-wire

95 Cut trace & hack resistor

96 More fly-wires

97 More emergency wiring

98 Handymans helper: Power drill

99 Get your own! We have Kisbee units with us, come find us after Get an Ubertooth at Great Scott Gadgets Support your local hackers!

100 Great Scott Gadgets

101 Build a Throwing Star LAN Tap Be sure to grab a business card!

102 Q&A Ask away