All right guys, we're gonna get on and start with the next presentation. Stefan and Brian will be talking about the HACME RF.

Hi guys. So, yeah, thanks for coming around for our small talk. I'm Brian, this is Stefan. We are both security researchers, analysts, penetration testers from Heidelberg, and we'd actually just like to introduce you to one of our small projects. After the talk we'd love stacks of feedback concerning the project, because we are still in a, let's say, rather early stage, and there's still a chance to change things and bring things forward.

We both work for ERNW in Germany, which is a small IT security company. We do penetration tests, stacks of research, about 60 people, yeah, hacking workshops. And he did the very great thing of introducing us to the IM-ME. Do all of you know what the IM-ME is? No? Perfect. So, yeah, Michael Ossmann came by, introduced us to the HackRF One, and we needed a victim to hack. So he brought a small little toy, a little pink girls' pager. The stuff has been in the news a few times with various hacking projects. So the sweet thing about the IM-ME is it's a toy. It's been off the market for a few years now. You can get it on eBay.
You used to be able to get it for about... You actually opened it, had a look inside, and you've got a simple RF device. It does sub-gigahertz radio and you can play around with it. It's just the perfect thing both as a victim and as an attack tool. The way things went around, there was the first own firmware for it, the possibility to use bright. Then it went on with a little spectrum analyzer, which, yet again, if you've got a sub-gigahertz spectrum analyzer for under $20, that's round about what you want. Here you've actually got to say what Michael Ossmann did was kind of actually bring the device really to its edge of existence. It's an 8051 architecture in there, the chip isn't very fast, and he's actually done, or is able to do, quite a lot of frequency hopping to actually create these diagrams. So it's actually, yeah, rather fascinating that the chip is able to do all that.

Then the project that kind of raised the price of the IM-ME was OpenSesame by Samy Kamkar, which I guess some of you might know. And yet again, it was this nice little children's toy that you could actually use to brute-force and attack garage doors. And basically that's exactly what we want: we do quite a few courses, we do some teaching, and if you've got a little device with a keyboard on it that you can play around with, that's just awesome, especially if it's cheap.

So as said, the IM-ME itself is based on the CC1110, a Chipcon chip; nowadays they belong to TI. It runs on the 8051 architecture. So if you want to do a little bit more sophisticated radio stuff, that's not really perfectly possible. It comes with the LCD display, it's got the keyboard, and the keyboard really is very nice to use, even for a little bit faster typing. One of the things that were done is, actually, it comes with a small USB adapter. I think I'll actually skip that. So the way this toy works is: it's for girls, and girls have to be protected on the internet.
That's where things go. So you've got this USB dongle, you connect it to the computer, you've got software running on there, you've got a chat server somewhere in the background. The parents are able to look after the friends list, and the kids then simply have this little device just to be able to chat to their friends. So you've got a limited set of users that the kids can talk to, so nothing can go wrong. This way, of course, the device is completely standalone. It runs on two AA batteries. Actually, I think 100% of the GPIO pins of the CC1110 are actually in use just to be able to have the keyboard on it. So the thing is really, yeah, used as far as it can be used.

So as I said, pros: of course, yeah, it's pink, it's portable, it's easy to use, it's simple. With the programming adapter that I showed somewhere here, you've got the debugging header on the back of it; you use pogo pins, the GoodFET, or in future Michael Ossmann's GreatFET, to program it, and you're ready to go and ready to have lots of fun. The cons are that you can't really get them anymore. As I said, you can try to find one on eBay; you can be lucky, you can be very unlucky. Actually, I think the most expensive one that I've seen on eBay, the guy actually wanted $600 for this device. For, yeah, not really perfect. And that way it's rare.
It's hard to get. And if you want a device like this for the community, you've got to start with something new. And as such, yeah, at ERNW we've got our own conference in Heidelberg. We've got quite a tradition of electronic badges, and, yeah, we kind of finally made it into the RF world for an electronic badge.

Yes, as Brian already said, Troopers is our home conference in Heidelberg. We've had a tradition now for several years of electronic badges. I think the first electronic badge was back in 2012... 2011, sorry. I've not been this long at ERNW as Brian. And finally we made a step into the RF world. As Brian mentioned at the beginning, we started working with software-defined radio when Michael was at Heidelberg for the first time in 2014. So it was time for an RF badge. So we did this this year, starting at the end of 2015. The aim was to receive and show broadcast messages for the attendees of the conference, and sure, we had some fun integrating it in different games while the conference was running. The concept was about an RF system on a chip, like we have now, or an Arduino paired with a sub-gigahertz radio IC, like a Nordic Semiconductor RF chip. By an RF signal, the attendees had to find each other. Worked quite well. We used Michael Ossmann's YARD Stick One to broadcast the messages, which was using RfCat on the laptop. The badge was inspired by the IM-ME, as Brian already said. We started evaluating different chips, different combinations of ICs. So finally we came up to the successor of the chip which was used in the IM-ME, which was the CC1110, I think. And this is the successor, this is the CC1310. So it was released in October 2015. We took the full risk; we didn't know if TI would release it just in time. So it was a big risk, and we got it at the end of October. We had many problems with the chip, as you will see later on.

So that's actually, you know, we're trying not to do a lot of bashing, but we actually had quite a lot of fun during the first few steps. The chip was announced, so we went to TI, the classical paperwork, to get a little bit of previous information. And actually the documents that we got under NDA were the four-sided data sheet that was already on the website for two months. So actually our first prototype was really just based on, yeah, the footprint with the preliminary pinouts and a little bit of information. And we kind of, well, really had luck with our sales representative. His main field actually was low-power DC-DC converters, and he was the guy coming in to tell us about RF chips. So that kind of went well. He told us he'd be able to get us a few samples, pre-market release, classical stuff. Actually, in the end, the samples that we had ordered over the TI website arrived, I think, two weeks before the samples we had ordered under NDA. So it was kind of the perfect time frame: we had about five months for the overall project, and about two months just went into waiting for samples. So that was real fun, getting into this chip.

Yep, so that's that. Another thing was how do we communicate with people, how could they use the device. At the conference nobody wants to attach this badge the whole time to his laptop. So we came up with... we were really lucky with a cheap TFT LCD screen with touch. And, yeah, this worked quite well. We got no problems except for the driver, which we had to write for the Contiki real-time operating system. And we also used, which was a big cost factor, lithium polymer batteries as a power source. Actually, this was the badge. So it was integrated in the corporate identity, style and look, for the conference. We got an on-board PCB antenna and also a connector for the SMA antenna, some footprints like for micro SD cards and I²C EEPROMs and SPI EEPROMs. Okay, this was the badge. This was this year's conference style the Troopers team chose. Okay, so it was kind of James Bond, spies and evil persons. That's why we came up with this design. Yeah, so Brian wanted to show us some schematics.
So the schematics that we made actually were comparably simple. I'm just trying to shift them over and find my mouse. The CC1310 actually works with a rather small amount of... We're actually able to deactivate the DC-DC for the display, and as such, if the badge went into kind of a standby mode, we really save stacks of energy. The CC1310, which we'll be showing in a second, actually has an M3 and an M0 processor in it. So even there you can put the M3 completely to sleep and just have the M0 waiting. So it's rather nice even for long-term use. And for communication we went for a very simple USB-UART bridge by FTDI. Even there we had the great thing: the CC1310 can be flashed via serial, so it's got a serial bootloader. And if you actually look through the data sheet, you'll see that absolutely all peripheral pins can be mapped to every other output pin, the way it is with modern CPUs or with modern SoCs. The only thing that you can't remap are the two serial pins for the bootloader, and that's actually in the data sheet somewhere on page 700 and a bit. So even if you go through these three pages of tables... We've got an expansion header at the bottom, just if you want something to play around with. Finally, actually, the feedback that we had concerning stuff like the SD card reader was: the device had so much potential that wasn't used. So instead of the people thinking about grabbing a soldering iron and adding it, there was a little bit of flaming, but we worked our way through that.

As I already said, we had a PCB antenna on the top, and an SMA connector which could be optionally used by the users. The CC1310 was hidden behind the display so it couldn't be damaged in an easy way if people were walking around hitting each other. The badge consisted of a few parts, such as the CC1310, the FTDI FT231X, which was not just a USB serial bridge, it also got some charging support with the LTC3554. We've got cJTAG and the serial bootloader. Brian also already mentioned the problems we had with the UART pins. We've got a real-time clock, as TI says a true random number generator, an AES module, over-the-air capability and an integrated temperature sensor. If I may just ask, does anybody here actually know what "over the air" means with modern RF SoCs? The chip is able to write flash pages while it's running. So that's actually everything that it means. There is actually no functionality for how TI implemented it. The only thing that you can do is basically get the binary file from somewhere, overwrite a certain flash page, link it back to the boot page. So we had lots of pitfalls; in the blog post of the conference Brian already wrote about it.

So we had not-supported frequency bands at the release of the chip. The CC1310 only supported the 800 MHz ISM band and the 900 MHz ISM band, so it could work in Europe and the US. Every other ISM band was not supported and is still not supported by TI. Also, not all modulations are supported. So there is only 2FSK, 4FSK, D3S and OOK; GFSK is not supported, as an example. And also not the digital features like automatic listen-before-talk and clear channel assessment. Now the important part is, we've got it here on the pitfalls: all the functionality that we're talking about is in the data sheet, but it's simply an errata document by TI that came out after the chip release, saying the features are in the chip but we aren't really ready with specifying the features and the ranges, so you won't be able to use it until we publish an update for the M0 firmware. So basically it's a question of waiting and hoping that it will work. Another pitfall was the RC oscillator, which was not working. Still not working, also not working on other chips of the series like the CC1350. Also the data rates are only supported up to 100 kbps, not 2 MHz as TI announced earlier. Still the current state. Also the TI-RTOS, which we wanted to use because the driver lib is already included, got some strange, like they say, BSD-like license which forbids releasing binary code, if I remember correctly. So we switched over to Contiki, which is an IoT RTOS. As I said, the status today is unchanged. I had a look at the documents yesterday and it's still in the same state as back in March at our conference. We are waiting for TI to finally release the whole thing they announced, but, yeah, there are no updates.

Yep, the Cortex M0 pitfalls: there's no firmware you can modify in an easy way, as the vendor. There are some update files in the Contiki repo which it seems could be modified. So maybe we'll have a look at it in the future if we need access to the M0 for power saving or for getting faster channel switching. The firmware is Contiki RTOS. It works in a single process for the whole thing; Contiki also supports multithreading, but we didn't use it by now. Yeah, it decodes the data it receives, so the badge at the conference was programmed to receive only. But we got some people who were transmitting during the conference and spoofing some data transmissions. So it was quite fun, and that's what we wanted people to do. Okay, we transmitted the broadcast messages, like what talk is on which track next. Okay, I think I have to speak a little louder. Yeah, and also the name change game I mentioned earlier. We used 2FSK; of course we did not have a lot of choice, because the other modulations were not supported on the release. So finally we got a good first prototype after the pitfalls were handled. Okay, I think Brian will show you some demo.

So basically, I hope it's fine if I don't use the microphone. In and out, you say? This one seems like it's basically off. Yeah. As said, we like the IM-ME, it's a great toy. During our conference we basically did quite a bit of work towards the successor for it, and that's basically the project why we're here today. Following Michael Ossmann's naming scheme, we actually decided to simply give it the name HACME RF, as both a victim, a teaching and, yeah, also a hacking device. So a quick disclaimer here is: the work that we've shown so far was, you know, our business time creating a badge for our internal conference. Everything after now is kind of what we made out of it. It's just running into a, yeah, private project, or rather we're hoping to actually turn it into a community project. Luckily we've got a little bit of support from Michael Ossmann, who's already helped us doing some firmware and is playing around with it. We've also got two prototypes lying with Samy Kamkar, who wanted to have a look. So everything after here is the interesting stuff.

Yeah, the HACME RF is intended to be an IM-ME successor. So actually what we want is a small handheld device that's standalone, being able to do sub-gigahertz RF stuff, have the display, have a keyboard on it, and work our way through that. Of course the optimal version would be having our own case, creating our own molds, having rechargeable batteries in there, having it perfectly nice and neat. But the way it is with new projects, something like that to start with is simply unrealistic. So at the moment we are working on what we call the HACME RF Lite: simply take a PCB, add the display, go for the CC1310. We are hoping that TI will actually release a few software updates in the near future. The support of all bands was announced for June this year, so we are hoping that they won't just drop the chip. We want to add a little bit of external flash, want to have an SD card slot on there, actually so if you have collected certain samples or you want to have some scripts running on there, that you can store it on there. Have USB UART as a power supply, a micro USB slot, have a few straps so that you can add something like an external battery, and an expansion header. So yeah, that's currently the thing that we are working on. We've decided to also add a keyboard, simply because if you are on the road and you want to play around a bit, the keyboard always is perfect, especially if you want to send arbitrary messages. For the keyboard we've got two concepts. So the first one is, I don't know if you know these Snaptron buttons. They're something like small metal domes that you actually place on a PCB and that you can then press as a keyboard. I've got quite a few samples of them at home; they are rather comfortable. But the alternative that we are actually aiming for are these rubber mat keyboards as you've got in TV remotes. And of course in a TV remote you've usually got the whole plastic case, but with a little bit of playing around we actually worked out that it's enough if you've got a PCB underneath with the contacts, have the rubber mat and have another PCB with holes in it on top of it. Add a few screws, fixate the whole thing, and you've actually got a really nice rubber keyboard to work with. And also, for a small project it's affordable. A mold is something like about $700 and you'll be able to produce, I think, about 900 rubber mats with it. Just for a prototype and process, so that's still something that we can afford.

And as we're in contact with Michael Ossmann a lot, that kind of shows: following the "make GreatFET great again" movement, initially we had a few discussions with Michael Ossmann, actually making the device a GreatFET, adding the MSP processor to it so that you've got a little bit more power on it. But eventually we actually worked out the ARM Cortex M3 should be enough for most things, and adding the extra MSP simply would raise the price of the overall project. So we're going for the easy solution now. We'll be adding the footprints so that the HACME RF will be a simple GreatFET neighbor. So if you want more power, you attach a GreatFET. You can do whatever you want with it, you can still power it from a portable battery, and otherwise, if the Cortex M3 is enough for what you want to do, you're up and running in a few seconds.

Yes, so the current, or future, plans, depending on how you want to call it. We want to set up the whole thing; we've got our basic schematics; we're just in the middle of creating a new layout for the HACME RF Lite version. We know that we've still got to do some work on the antenna design. Transmitting with it on maximum power, I think we should, or we currently are, reaching about 8 to 10 meters, which for sub-gigahertz simply isn't a lot. And actually, as we only wanted our Troopers to be able to receive data, we didn't really care about the antenna a lot, because the transmitter was strong enough. So what we're working on is, yeah, creating a proper antenna design, increasing the reach on that. And, yeah, we are currently putting together the website; it's not up yet, but it will be up in the next few days. So if you want to follow us, if you're interested, feel free to visit HACMEORF.org. We will also have a look at the CC1350. The CC1350 has the same sub-gigahertz radio as the CC1310, it's got the same Cortex M3 processor, but they actually also added a CC2410, I think the naming scheme should be. So it's actually also got a 2.4 GHz radio in it. So as we are making the device, we're still rather at the beginning. We'll actually try to see if we're able to have the sub-gigahertz and the 2.4 GHz in the same portable device, simply because it's a little bit more power. The chip I think is about $2 dearer, so it's something like $6 instead of $4. So that's probably worth the hassle and worth the extra money. The biggest to-do that we still have is finding a proper contact in TI that will actually help us, and somebody who might actually be able to tell us when the silicon errata will be put into place and when the great updates will come that will actually make the chip usable the way it's in the data sheet. So it's not that we want new features, we just want everything that's in the data sheet. We are going to hit Kickstarter soon. We're currently aiming at the middle to end of September, where we don't want to kick off a ginormous project directly, but we actually want to produce a series of maybe 100-200 devices to get a few into the community. Price-wise, the way it looks at the moment, even with a small amount we should be staying under about $70. We aren't perfectly sure yet; we've got to put everything together, so we hope that it's actually still affordable. So, yeah, that's currently what we're working on right now.

Last but not least, what I've got to do now: I've got to thank a few people who've been helping us with the project. Christopher Scheuring and Oli Gephardt, actually, and Timo Schmidt are two of the guys working with us at ERNW who actually also put quite a lot of sweat and blood into the overall project. And, yeah, as such, thank you for listening. Feel free to follow us on Twitter or wait for the website to come up in the next few days. And now, after the talk, we'd be happy for any kind of feedback, any recommendations. As said, we're trying to work rather closely together with Michael Ossmann to get a little bit of inspiration from that side, but as in the end it's supposed to be a community project, we need you, we need your feedback. And thanks for listening.

Thank you. There might still be a few people from Great Scott Gadgets running around here. Michael Ossmann gave a talk at Black Hat and they just handed out the hats, so you might be lucky by contacting him. Yes, we've got the SMA port already in the schematics and on the PCB, so that's something that we surely need. We're actually also looking into Michael Ossmann's design on the YARD Stick One, because he's got the amplifiers on there. So we're actually looking if it's feasible for us to transfer the same circuit onto the device, actually just to get a little bit more range and have a bit more fun with it. Perfect, thank you. Thanks.