So I'm Caleb. This is entitled "Is Insteon Open? Maybe." We're going to get into it. I'm a researcher, computer science background. I never really knew all the signals stuff, so it kind of intimidates me a little bit, but it's interesting and I'm getting better. Kind of a tech hobbyist, so I fill in the things sometimes; more of a soccer enthusiast, actually. But that's OK. Prior work: net admin and project manager. I'm currently doing network security, evaluating against Insteon. Ben is the other person who was supposed to be here. He had surgery recently to have his appendix removed, so that kind of stinks. PhD in computer science, wireless geek. A couple, a lot of Z-Wave stuff from him: DerbyCon, ShmooCon, PoC||GTFO. You can go see all those things.

If you want to use the clip-on mic, go ahead and take off your badge. Sure, I'll do it. Yeah. And snap, put that in. We'll clip it on there on the other side. We'll just make sure. Cool. Not on? There's no dot on. There's a mute button. There we are. There you go. All right. I guess we could go in here then. YouTube videos, all that stuff, this good stuff.

So real quick overview of the presentation: lay out some goals for what I was looking to do, review what Insteon is, look at what's been done before and how I made some of it better, quick demo and questions. The main goal is to validate and improve any previous work: what's out there, what's been done before, how it's working or doesn't work, whatever it is. Out of that, I wanted to make it Wireshark-capable and make sort of a network enumerator/scanner type of tool, even though I don't like goals. So thank you, Yogi, for that one.

What is Insteon? Insteon home automation devices, a brand, really. They have lots of stuff. Some of the documentation goes really in-depth into what they can do, not all their products. I don't think they really maxed out the product capabilities, but whatever. So that's up.
When you set up your network, it actually creates a mesh network, both RF and powerline. Anybody have the app on their watch? I see them off the phones, right? So you can 3G it back to your home, see if your garage is open, see if your sprinklers are on, see whatever you want to see. It integrates with a lot of third parties, so the Amazon Echo; like this is on their website, "Amazon Alexa, turn on the lights." And the lights look good, it's pretty cool, right? All right, next.

So in about three clicks on their website, you can find their public protocol information, and go through all that: 915, Manchester, whatever. Find their packet structure, what it looks like. See the standard and extended, whatever. So really fast, you can find that stuff. Well, that seemed all good to me. I was like, well, this seems pretty easy: plug this into the SDR and start going. But then, about the time I started this, Peter Shipley's talk was put on YouTube, and everything was great, fantastic. OK, so there's a tool. So you presented this, right? Anybody remember this? Have you seen this on YouTube? I said, great one. He was like mad at Insteon. Insteon lied to him personally about their documentation. Bullshit, he said. Not 915, not really Manchester. All the deviations wrong. It's great. Everybody said, tone it down just a little bit. Tokenized Manchester; it's not really just, you know, 1-0 is not really 1, 0-1 is not really 0, whatever. FSK's inverted, all this stuff, OK? He was angry. How do you do that? Yeah. So the actual packet order is mixed around. Peter found this out. The tokenized Manchester comes from the bit at the bottom. Each of those X's, each of the bytes, gets chopped up a little bit and 1-1 followed by some other stuff, and then somehow it comes to be the byte. So interesting stuff, great stuff.
So after some pretty heavy frequency testing, we strapped some stuff up to a really expensive frequency tester; I'm sorry, Peter, it's 915. That's all right. I've got to give credit to him. His parser, most of the stuff, is fantastic, great stuff. But we were actually able to find this in the code. I didn't check this morning, but as of last week, his code had 914.95. So using the YARD Sticks, which I'm using, we were able to tell that I was only getting maybe 50% with the YARD Sticks, and then fixing the frequency, we get about 80% packet reception. So that's awesome. Fixing the frequency was kind of the first main fix.

So here's our packet structure; not really a correction, kind of an addendum to the packet structure. It's the unadvertised source, then destination, flags, such-and-such. The flags and source are switched, as it turns out, on most of the packets. I completely agree; I validated that. So there's another type of packet. I don't think Peter addressed it in his slides or his talk. But there are some devices you can set up, rooms or scenes in your devices, so this is actually how my setup is. The sensor not only tells the hub that it is open, but it also tells the light to turn on. So I can turn on the light from the sensor. That's how you get Alexa to turn on all the kitchen lights: you tell these devices to work together. And that's done with a group broadcast command. And so the destination, the group address, actually gets moved to the third spot there. So it's, again, kind of flipping the bytes around. Cool. Kind of an addendum, not really a correction, but an addendum, I'm going to say.

So here we are. We've fixed frequency, corrected some packet structure details, so goal number one is done. How can we make it better? Well, Peter did, like I said, great stuff as far as reversing it. It's all command line. And like I mentioned, I'm a computer scientist. I like command line. It's good.
But I want something that's kind of the de facto gold standard. I want this in Wireshark. And I'm going to start making a network enumerator. I want to know what is what. I know the device IDs; I can just see those in the packets in a listener. But I don't know what all those devices are. What are they? So has anybody made a program to output to Wireshark, or included that in any way? You did it. Cool. Anybody else? No? Sweet. So there are kind of two methods of doing it. You can make some C code and redo your makefiles and rebuild Wireshark altogether, or you can modify init.lua and make a new Lua file and incorporate the dissector that way. That's the route I decided to go. It seemed pretty easy. It's a little simple protocol; it's not a huge dissector file. Then you've got to tell Wireshark that when you see this kind of packet, treat it like an Insteon packet. So here's what you've got to do: go to Edit > Preferences, use your DLT table. And when you see the little green box with your protocol, you know that it's going to work. OK. So then it's just converting the data, the string of packets, or the packet string, whatever, into pcap data format. My code is on GitHub. I'm not going to show you the code here, but it's on GitHub and it works fantastically. So I can write data to a file or a named pipe, which is how I'm going to get it into Wireshark later. The code at the bottom is kind of what my code is based on, so I want to give credit there. OK, so output to Wireshark. Awesome.

So I really want to know, OK, like I said, I can see these devices communicating when they communicate. They're kind of bursty. What are they? I have a lamp up here, but it could be anything. It could be someone's thermostat. They want to open the door, turn the thermostat down, right? So yeah, I need those device IDs, but I can definitely enumerate your devices. OK. So to go about doing this, I need some commands. That'd be helpful to do that, right?
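The pcap-over-named-pipe step described above, as an added example; this is not the speaker's GitHub code, just a minimal writer that does the same job. It assumes the frames handed to it are already demodulated bytes (the tokenized-Manchester layer has been stripped by the YARD Stick listener), and it assumes the user link type DLT_USER0 (147), which is the value you then map to the Lua dissector's protocol name in Edit > Preferences > Protocols > DLT_USER. The sample frames are constructed placeholders in the source/destination/flags/command order the talk describes, not captured Insteon traffic.

```python
"""Write raw Insteon-style frames into pcap so Wireshark can dissect them.

Added example (not the talk's own tool). Assumptions:
  - frames are plain bytes, already demodulated by the radio listener;
  - link type 147 (DLT_USER0) is mapped to the Lua dissector in Wireshark's
    DLT_USER preference table.
"""
import struct
import time

DLT_USER0 = 147          # first of Wireshark's user-reserved link types 147..162
PCAP_MAGIC = 0xA1B2C3D4  # classic pcap magic, microsecond timestamps


def pcap_global_header(linktype=DLT_USER0, snaplen=65535):
    """24-byte pcap file header: magic, v2.4, tz=0, sigfigs=0, snaplen, linktype."""
    return struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, linktype)


def pcap_record(payload, ts=None):
    """16-byte record header (sec, usec, captured len, original len) + payload."""
    ts = time.time() if ts is None else ts
    sec = int(ts)
    usec = int((ts - sec) * 1_000_000)
    return struct.pack("<IIII", sec, usec, len(payload), len(payload)) + payload


def build_pcap(frames, linktype=DLT_USER0, base_ts=0.0):
    """Return a complete pcap image; frames get 1-second spaced timestamps."""
    out = bytearray(pcap_global_header(linktype))
    for i, frame in enumerate(frames):
        out += pcap_record(frame, base_ts + i)
    return bytes(out)


def write_pcap(path, frames, linktype=DLT_USER0):
    """Write to a regular file or a FIFO made with mkfifo.

    On a FIFO, open() blocks until Wireshark has the read end open, so start
    `wireshark -k -i <fifo>` first. Returns the number of frames written.
    """
    with open(path, "wb") as fh:
        fh.write(build_pcap(frames, linktype))
        fh.flush()
    return len(frames)


def parse_pcap(data):
    """Read back (linktype, [frame bytes, ...]) as a sanity check on the writer."""
    magic, _vmaj, _vmin, _tz, _sig, _snap, linktype = struct.unpack_from("<IHHiIII", data, 0)
    if magic != PCAP_MAGIC:
        raise ValueError("not a little-endian pcap file")
    off, frames = 24, []
    while off < len(data):
        _sec, _usec, incl, _orig = struct.unpack_from("<IIII", data, off)
        off += 16
        frames.append(data[off:off + incl])
        off += incl
    return linktype, frames


# Constructed sample frames (NOT real captures): 3-byte source, 3-byte
# destination, flags, cmd1, cmd2, in the order the talk describes. Addresses
# and values are made up; the dissector is where the observed field swap and
# the group-broadcast layout get handled.
SAMPLE_FRAMES = [
    bytes.fromhex("1a2b3c" "4d5e6f" "0f" "11" "ff"),  # direct message
    bytes.fromhex("4d5e6f" "1a2b3c" "2f" "11" "ff"),  # reply
    bytes.fromhex("1a2b3c" "000001" "cf" "11" "00"),  # group-broadcast style
]

if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "insteon.pcap"
    n = write_pcap(target, SAMPLE_FRAMES)
    print(f"wrote {n} frames to {target} with linktype {DLT_USER0}")
```

To feed Wireshark live: `mkfifo /tmp/insteon.pipe`, start `wireshark -k -i /tmp/insteon.pipe`, then run the script with `/tmp/insteon.pipe` as its argument; a radio listener would call `pcap_record` per frame instead of writing `SAMPLE_FRAMES` in one go. If the DLT_USER row for 147 is not mapped to your protocol, Wireshark shows the frames as undecoded data, which is the quickest check that the pipe itself is working.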
So not just on or off, but pinging an ID. That sounds like a great start, don't you think? Pinging is just what you'd expect: the device responds. ID request kind of starts off like pinging; it responds with the same command. But then it also sends this standard broadcast "button press" response, whatever that means, a standard broadcast message. OK, and we talked about how the broadcast message has some information about the source, actually. So the broadcast message contains a two-byte device type and a firmware version byte. This is from their documentation. So that sounds like a great way to go about this: device type, firmware version. So there it is. I found this as of 2007, circa 2007. It still works; these devices do it right now. So I can see that this is device type 3, subtype 33, firmware version, right there. OK, that's cool. I don't know what device type 3 means. It's just a number to me. Well, not anymore. As of 2008, they had some categories of the devices. So I can know what my hub is, this guy right here. I can see what the light is. I can see what the thermostat is, if I had that hooked up. Climate control, good stuff.

So that's what I do. I wait; I can't really inject anything onto this network until I have some IDs. Those are hard-coded under each device. Spoof the ping and ID request to really get the relationships, the controller/responder relationships, and start generating a map by tracking and labeling these devices. I have a couple more devices I didn't bring, but I have kind of done this for my network. So great. So here's the copyright stuff, credits. Obviously, Peter Shipley was huge in getting this started. And then their documentation is fantastic.

So I'm going to cut over to the demo real fast. This is totally going to work. First thing, like I said, I have to create a named pipe: mkfifo, create named pipe. I'm going to do that right now. Oh, it already exists. Hold on; real fast anyways.
All right. Wireshark: wireshark -i liveCapture. Here comes Wireshark. And I'm going to start this guy up. So this is the listener command. I have two YARD Sticks up here, so -i 0 is for the first one. Let me do that. That's a good call, thank you very much. Let me make it a bit better. -l for live and -p liveCapture. So here we go. So we're listening. So I'm going to create a scene. Here we are, we're listening. So I can see, this is the map side of it over here. I can see who the controllers are, who the responders are. I don't yet know what is what; that's the top part. We're going to start filling that in. So I'm going to minimize that. Over to the scanner, the different interface; 0 and 0 is going to use a 1. Is that over there? I don't know if you can see that. All right. So like I said, we're going to spoof these commands between devices, and I'm going to start filling this in. Sent, sent, sent. All right. Here we are. There's your hub, and there's your light. I can see exactly who responds to whom and who controls whom. Everything makes sense? Pretty cool. So that's pretty much it. That's in about 13 minutes; that's what I did. Cool. Any questions? That's all I had. There are the toys up there. Any questions at all?

Yeah. Correct, from what I can tell. They advertise encryption, but I don't have any devices that use it. Yeah, it's all in the payload. It's all in the payload and not in the devices themselves; it's not in the device IDs. Something I'm going to start looking into is how fast I can spoof any device ID, or if there's a hidden ID on all the devices that they have responded to; I don't know. So that's kind of the next way forward. Any other questions?

So the documentation does have a subtype. There's the main device type and subtype. Like I said, the documentation's old. So this thing says a subtype of 33. It's not listed in their 2008 documentation, so I didn't want to incorporate that into this tool.
But each of those has, I assume, its own device subtype. But if they're a hub or a network bridge, what they call them, then it would be that main type 3. It's not. You can still; so it's a hub. It converts or changes between two networks somehow. Another question over here? Yeah, some of those things, I haven't actually seen products. They've made these categories, but I haven't seen any products for them, things like car starters and stuff. I don't know. Maybe they had it back in the day, and they don't seem to have it anymore now. Yeah, exactly, right? Even your thermostat. If I did this, and it's outside your house, and I watch you open your door and turn your thermostat down, well, now I can go turn your thermostat up and run your heat up or run your AC all day, right? So it's not very hard. I have not tested a lot of distance. Obviously, you could get a directional antenna and set up shop quite a ways away. They advertise 100 meters for 915 megahertz. I have not touched the powerline directly. As long as it's going to jump from powerline to RF, I'll get it anyways. Right. Into the RF side. Onto the powerline. Right, so it's very accessible that way, but it's completely open. Any other questions?

So I did have a sender. I didn't show off the sending specifically, but yeah, I can turn on the light as long as I know a controller for it. I can turn on that light, turn down your thermostat, or whatever it would be. So, right. So I don't really have to get into your Wi-Fi. No, if you were to set up a powerline version of this. It's not Wi-Fi; that's the phone's proprietary thing. Right, are they running back? So on the user's interface, like in the apps, no. This is all happening behind the scenes. It does not show up on the apps at all. Sorry? I think that's what it is. This is the Insteon-brand hub that I got. OK, there you go. So I'm not adding devices to the network, though. I'm just simply using the spoofed addresses.
So it's nothing new to the network. But each of the devices will still work. Gotcha. So, interesting stuff. Good questions, thank you.