I am Pierce, this is Asmig, that's Goldie in the far corner over there, and our special guest is Sanity Bit. You could also say my name is "a SMIG", sort of like you're sneezing, you know, "a-SMIG". That works pretty well. Just saying. So who here uses the internet? Yay!

A basic overview of the technology: WiMAX is fast wireless internet. It's the 802.16 protocol, which is sort of similar to the 802.11 protocol, and it's especially interesting because it is under IEEE control. It's very different from a lot of the other mobile wireless specs that are under the control of different mobile companies. Things like LTE, the 4G technology that was come up with by the cell phone industry, are another high-speed wireless internet system. Currently with WiMAX, there is a large nationwide network being developed and deployed by Clearwire, and it is branded under the name Clear; a lot of people have probably seen it, or the commercials. Closer to the mic. Okay. God damn it.

So in the U.S., there are a couple of WiMAX networks. The largest one, however, is Clear, founded originally as Clearwire. They provided proprietary wireless internet from Motorola called Expedience, and then later on bought up a lot of 2.5 gigahertz spectrum and started providing 802.16 WiMAX over that network. They're currently deployed in 79 markets across 21 states, and they have a very aggressive rollout plan. They're hoping to hit all major U.S. markets by the end of 2012. In the next three months alone, they're planning on adding another 22 markets, including New York, Miami, and San Francisco. They've also just opened up in Washington, D.C., and they're really aggressively rolling out in Texas right now. There are actually a couple of other services using Clear's network, and these are all investors in Clear's initial infrastructure.
It's Time Warner Cable, rebranded as Road Runner Mobile; Comcast, as High-Speed 2go; and Sprint, which is one of the larger investors in Clear and is using it for their 4G service with the HTC Evo. They're all placed on the same physical network. There's no difference in the infrastructure. As you can see in the screenshot, all of the signals over there are the same. It's the same tower. The only difference is which company-specific portal pages you get redirected to when you get on. So this is a map. The gray stuff is a couple of the markets that they're opening. It's not showing all of them because of the zoom level. And they're in a lot of major markets, including Las Vegas.

So last year, we discussed a couple of ways to bypass their portal page. And apparently they were listening, because they kind of tried to put a little plug in it. So last year, we told you that you use OpenVPN over UDP port 53, and it just blasts right through the portal page. Their fix to that problem was that they blocked large UDP packets from exiting the network on port 53. The counter-fix to that was that we just fragmented the packets to make them a little bit smaller. It works great. You just have to add two options to your OpenVPN config file, and that's pretty much all she wrote. Next slide. That's an example of an OpenVPN config file right there. Anyone who's configured or played with OpenVPN already knows how easy it is to get that set up. You just have to add those two options, and you can go right through the portal page from the service providers.

Going into some of the hardware now. This is a picture of some Echo Peak hardware, which is WiMAX gear from Intel. The interesting thing about this is that it works in Linux, unlike a lot of the more consumer-grade WiMAX gear. A lot of the WiMAX stuff that you buy at the store is for consumers. And these come in, I guess, some of the newer ThinkPads.
And there are some companies that are selling laptops that have these built in. They're tiny PCI cards, and you can actually buy them on eBay for about $80 now. The 5150 and the 5350 are the best supported in Linux. You go to linuxwimax.org and you can download the network tools and all that. Version 1.4 is what you're looking for with the current version of Ubuntu, and it actually has the firmware and the kernel drivers already installed. It just doesn't have the tools to connect to the network. If you want to use these in an actual computer, you pretty much need to buy the USB PCIe cradle, and those are about $40; you can get them online. The PCIe cards, if you plug them into laptops, typically don't work. The wireless part will work, because this is actually 802.11 and 802.16 on this card. The 802.11 will work fine in any computer, but the 802.16 is not... We figure that it's not powered high enough, or there are some weird issues, like newer PCIe buses being required. But it hasn't worked in any of the laptops that we've tested, even though there have been some ThinkPads and stuff that we've seen that it will work on.

Good morning. Okay, cool. I wasn't sure if anybody was actually awake this early on Sunday. This is my first time at DEF CON. No, it isn't. But I got the impression that people would be partying late last night and have a hard time rolling out of bed this morning. So anyway, again, my name is Asmig. Achoo! Asmig, just like that. I'm talking about hardware hacking a little bit. I don't really know much about it; I'm just getting started, but I've had some fun with it so far. So what we're looking at right now is the Motorola CPE150 and 750 devices, also known as the home router. Sort of like a cable modem, but no wires. It's kind of cool. It says down there, "got root". And do you? Well, you could. They are running Linux. So inside: 64 megs of RAM, 32 megs of flash. It has a Beceem wireless chipset. Kind of cool.
It's a Texas Instruments TNETV1061 at 213 megahertz. Pretty awesome stuff there. Very speedy. It's a MIPS32 core. So if you want to know what your instruction set is, there it is. MIPS32, pretty easy. The debugging is via JTAG, EJTAG specifically. So it's all nice, standard stuff. But I didn't know how to use any of that stuff, so I had to learn from scratch. It's kind of fun, though. And yeah, it is actually running Linux. We weren't sure at first. We thought it was probably Linux, but didn't see any source floating around, so we weren't sure until we pulled some firmware dumps.

So when you're looking at a device like those, there they are, what do you do to figure out what it's actually running? Does anybody have any thoughts? "Take it apart." Exactly. And then what? "Burn it." Yeah? "Because it's crap." Well, okay, sure. Yeah, looking at those specs, I might say that too. "Pull off the RAM and chuck the rest." Any other thoughts? "Serial console." Serial console. Good. Where do you find it, though? Here's my trick. This is a logic probe, and it's kind of like my little magic wand. I'd be waving it around right now except that I left it in my hotel room. Sorry. It's pretty cool. I mean, all you have to do is find the negative, find the positive, and clip on those little color-coded ones, the red one for positive, the black one for negative. Really complicated stuff. It took me ages to figure that one out. And then there's the pointy bit, and you poke that at the device randomly until something happens. I thought it was pretty cool. I don't know. So eventually what I found is that if you put it on this one pad and then you plug in the device, all of a sudden the red and green lights on this thing would light up like a Christmas tree. I was like, oh, awesome. Hey, that's doing something. And it was right next to a couple of other pads. Seems like maybe that was serial. So sure enough, I found the serial port.
I was poking around a little bit more, and I also labeled the processor, flash, RAM, P1. Just in case. I actually had to solder the headers on myself, and they are surface-mount headers, so they're kind of a hassle. You've actually all seen them. If you've seen the DEF CON badge this year, which I hope you have; if you're in this room and you haven't seen the DEF CON badge, get the hell out. Anyhow, that JTAG connector is actually the exact same connector as used on the DEF CON badge. And the serial connector is a little bit different, but pretty close. So how do you talk to the JTAG? Well, I stole this from the Internet. And if Alec at scentsy.org is here, thank you for this fine schematic. It came in handy. I built this thing out of it, and it actually worked. Nobody else is surprised. I'm freaking surprised. Yeah. Thank you. Thank you. Thank you.

And it gave me stuff like this. Now, I know you can't actually read that. You're not supposed to be able to read that. This is like the token slide. Everybody has a presentation with a slide that has so much crap in it you can't actually read it. Well, this is that one. Except the people that are right next to the projectors might see something in the bottom two lines that looks interesting. Anybody who just, like, wants to shout that out? I don't know. Well, okay. So it also has some other information in there that seems pretty handy. It talks about where the boot loader is. It talks about where the different images are, the configurations, the certificates for the device. Yeah, X.509 certificate. That's pretty cool. And factory defaults. Also this JFFS2. Has anybody heard of that? Yeah, cool. For those of you who don't know, this is a file system for flash, anyway.

So what about the root? Yeah, yeah, yeah. Okay, so this device, it can be rooted. I did it the worst possible way. Okay. So this way works, but it sucks. And I know that it sucks now because I've actually gotten into the device and been able to play with it.
But for our first approach, you know, it got the job done. And my approach was, well, let's just jump back a couple of slides. We saw that information that had the console state "locked" and all that stuff. And that's actually the default boot loader configuration that gets dropped into the boot loader config area. So if you take the boot loader config area and you delete it, then it reloads from the boot loader area. And you can easily modify the boot loader config default, have it regenerate a new boot loader config, and then let it boot up. But the problem is, once it boots up a little ways, this fancy program runs. And what it does, according to the strings here, is basically it says, oh, did the console state somehow magically get set to unlocked? We don't want that. And it resets it to locked. So that's kind of a hassle. So my workaround for that was to set it to unlocked, boot part of the way, freeze it, set it back to locked so that it doesn't change anything, and then finish booting. A little trickery, you know. I have JTAG control, so I can control the operation. And I don't really know how that stuff works, so I'm taking a poor man's approach, and, hey, it got the job done.

Then I found that there's some interesting stuff with this file that's being called from that previous script. And it turns out that as long as this file exists, that previous program doesn't actually do this relocking thing. That makes it really handy to continue having root on the device once you get it. So basically all you'd have to do is just drop in this file as soon as you've got access to the thing, and then you can reboot it and you've got complete access for as long as you want. It enables SSH, so you can SSH into it with a default user/pass, which is pretty cool. And this file even gets executed.
So if you have anything that you want to have run every time you boot up the device, like killing snmpd or changing your firewall rules or changing passwords so that you're not using the defaults for everything, it's a handy place to do that.

So once you have root, you can go ahead and enable SSH. And then you can SSH into the device with a default login of "admin" and password "tools". It drops you into a debug command line, which you can drop out of by typing "shell", which then drops into a very old version of BusyBox. By exporting the path of all the binary locations, we can see all the system binaries. There's a lot of stuff there. There's stuff to control the radio. There are some debug commands that were built in by Beceem. But there's just way too much to cover here. What is interesting is that you have direct access to iptables, and you can access the CBE tools to directly read and write to certain parts of memory on the device, adjust radio configuration parameters, and possibly break your device if you don't know what you're doing. So be careful.

So the devices have a web interface with a default password of "motorola"; you just type in the password. If you look behind the scenes, though, it's just passing the username "router" behind the form. If you change that to "admin"/"tools", you bypass any password protections on the web interface, and there's no changing that unless you actually have a shell on the device, so any default consumer device that hasn't been unlocked is affected by this. By default it's not web accessible, but if anyone gets on your LAN, even if you've changed your password on your device, they can get right back in and change everything. This year at B-Sides I logged in and changed the host name to my username, so when people traceroute it, I think, who the fuck is that guy?

These are some of the Clear mobile devices. The one that you see in the middle is the basic mobile USB stick. It's been out for a while.
You plug it into your laptop and you get a 4G connection. It works in Windows and OS X now. There are some people working on trying to get Linux support, but it's still kind of sketchy. The second device that you see is the 3G/4G USB stick, and that will actually downgrade to 3G if you are in an area that doesn't have 4G, which is nice. The next device, at the top, is the Clear Spot. The Clear Spot is essentially a wireless access point, which is really neat, because you can plug in the mobile device and it will use the mobile device to get to the internet and distribute the connection out to a local wireless network so anyone can connect in. By default, all the passwords for the Clear Spot, to log on and to get into the admin interface, are the last 3 bytes of the MAC address in hex form, so 6 characters, and you can just see that from the network traffic. So that's not necessarily the best default password to use, if you're going to use a default password.

You have to listen to me again. So the mobile devices are not quite as exciting: less RAM, less flash, a little bit faster processor. It's a weird one. It's a Mass or Massy; I've never actually seen one of these before, but not that I've seen much.
The chip debugging is a royal pain in the behind. It's not using standard JTAG; it's using SPI. Now, a lot of you are probably familiar with SPI as a method for accessing flash or RAM or other devices, but for actually doing debugging it's kind of a strange thing. I've never seen it before; I had to read some articles to figure that one out. It's using a completely proprietary instruction set. I managed to figure out exactly what's going on inside, and it's definitely not running Linux, so at that point I became a lot less interested in it. But in order to figure that out, of course, you have to figure out what's on the board again, and since the JTAG interface was non-existent, and that was really frustrating for me, I didn't really know how to pull the memory out of the, or pull the dumps out of the flash. So I got creative. And, oh, I just gave it away. Shoot, I was going to show something else, which got... oh, there it is, in the wrong order. Interesting.

So if you look at this chip that's in the red box, and I know that you can't actually tell from where you're sitting most likely, the solder job on that chip looks really horrible. It's because I did it by hand. Basically what I did is I just pulled the flash off of the Clear Spot and I put it onto a different device, and I'm curious if anybody out there can recognize that device. I heard Linksys. Is it a WRT54G? No, it is not. It's close, though. Oh, hand over here. Motorola SURFboard. That is correct. What model? Well, okay, cheater. Yeah, okay, so here's a closer view. Yes, it's the SURFboard 5120. And yeah, that board has MIPS32, EJTAG, all the stuff that I'm totally familiar with, which is basically the same as on the home router. So I was able to just drop the flash on there, and my tool set was already ready for me, and I was able to pull the flash off like that.

So this is a mod that was done by a friend of ours, Loki, basically just putting a big antenna onto the USB stick, and it works great. So there are a lot of different options as far as the mobile devices
and tearing them apart and playing with them. This is the HTC Evo. I'm very happy to have gotten mine a couple of weeks ago. It is the first mobile device that has the 4G built into it, and so it uses WiMAX. It uses a Sequans chipset, so it's a bit different from anything that we've really looked at before. But when I was getting familiar with some of the Android tools, I did the whole adb shell and poked around a bit, and noticed that if you use getprop and setprop you can list out a lot of the variables that are stored in the environment-variables sort of deal, and that has a lot of the configuration details for the WiMAX, which is really interesting. It will tell you things about the towers that you're connected to, and like MAC address, and just a whole bunch of really interesting numbers. When I flashed my modem using toast's "step 2 of how to root your Android", I noticed that he had modified an engineering build of the Evo firmware, which is really neat, because that came with a bunch of diagnostic tools for WiMAX. I ripped those APKs out of that build and put them on the website, and so now if you download the APKs you can install them onto whatever version of the phone that you have. So that's kind of fancy, and it lets you see things like tower connectivity and little debug logs and all sorts of fun with that. Also, if you have a rooted phone you can do the WiMAX tether, which essentially turns the phone into a device that also has really good access controls. Yesterday I got to play with a deactivated Evo, and I noticed that even when it has no service you get the captive portal page, and the captive portal page can be bypassed with the same techniques that were discussed earlier, except it's on a phone, which is nice. Right now if you want to be using WiMAX on the phone you pretty much have to be using 2.1, which is like Android 2.1, which is the version that comes with the phone. I've messed with Fresh and I've messed with Damage Control, and they both seem to work fine for the WiMAX.
Cyanogen, it does not quite work yet, but toastcfh and the other guy are working really, really hard on getting that working, and they're trying to get it working with the Android WiMAX framework that was released from Clear about a year ago, because then it would all be open source connectivity to the drivers, and that will allow Cyanogen to continue to have the 4G in their builds from then on.

So, by show of hands, how many people here like their privacy when they're using their wireless devices of any kind? Very cool. You guys are going to be upset with this. They're running location-based services. A lot of the major telcos, wireless telcos, are getting all ramped up, and they're trying to say that this is the next thing for social networking, and that you should just let all your friends know where you're at with the phone that's in your pocket. Things like Google Latitude are taking advantage of that one. But with location-based services with WiMAX it's a little bit different. Basically there are two ways you can get your location with Clear or Sprint or any of them. The first one is a client-server relationship that is done through Ajax and a web page, so you go to the web page or the URL that's listed right there, and it will bring up a pretty little Google Map and put a dot with a circle around it, roughly the location that you're in. The second way is for direct server-to-server communication, and that's using the Parlay X API, and that allows me as a developer, or the service provider, to put in your IP address or MAC address, and I can just find out where you're at, no questions asked.

So basically, after playing around with this a little bit, as soon as I got access to this: how accurate is this? I mean, is this something where they're going to be able to drop a missile on your head by using LBS or not? So I set up a script, recorded my location, and just drove around town for hours and hours and hours, and it was actually pretty impressive driving around. Like, you maintain
connectivity at 60 miles an hour going down the freeway, so I was pretty impressed by that. But I started to notice that through the Parlay X API all the ranges that I was getting seemed to be predefined. It wasn't dynamic, and all the ranges were listed right there that I saw driving around town, and there was nothing in between those numbers. So you can see the level of accuracy that the location-based services have now. The way they're doing this is based on the tower and the sector panel location and the orientation of that panel. They keep track of every panel; they know exactly which degree it is pointing, and then they take the power reading and basically are determining how far away or how accurate that is. However, they are working on using multiple towers to help basically triangulate where you are at and to increase the accuracy of that. It is being worked on, with no announced ETA on that, and I'm kind of curious to see how accurate that's going to be and see if the predefined ranges kind of go out the window and it gets a little bit more accurate.

So this is the part that really kind of caught my attention: with the location-based services, if you go sign up or you just buy hardware, you're opted in by default, and if you don't like that, tough shit. They don't let you opt out. You have to email engineering; you've got to get a hold of the right people in the engineering department and say, I want my LBS turned off. Otherwise, it doesn't matter if you're using Sprint, Comcast, Clear, Time Warner; someone gets your IP address, they can pop it in there and find out roughly where you're at. Another thing we noticed driving around is that there seem to be random dead spots throughout the network. You drive into this area and you're gone: LBS quits reporting, gives you back a service error, and you just find a dead spot. So that might be interesting if anyone's doing any fun things over WiMAX; you might want to maybe play around with that and go find a dead spot. That might be
advisable. So right now none of these WiMAX devices have an open-source firmware, and that's definitely something that I think is cool to see in the future. We're also looking at trying to put something like OpenWrt on one of these home devices to actually get real control and package management on what's going on on the system. Also, the future of WiMAX: the 802.16m spec provides one gigabit fixed bandwidth. Pretty fast. I don't know how they're going to pull that off. I've looked at the spec, but I've seen it in labs, and I don't know how they're claiming they're going to get one gigabit a second over the airwaves, so I don't buy it. I'll believe it when I see it.

So I just posted some stuff to our Google group, which will be listed on a slide later on; maybe it's the next one. Oh, what do you know, there it is, right there. There's the WiMAX hacking Google group, that's second from the bottom down there, and if you go to that list you'll see the post that I just made that points to the Google Code project, and that has some code for you to play with: the APKs that Pierce mentioned earlier for your Evo, and also some stuff that I put together for using OpenOCD in order to do the JTAG with the home router device. Does anybody want to see a demo of the device getting rooted? Yeah? Because I think we have a couple of minutes. We could probably set that up. That seems like a medium. We could also do it somewhere else. Yeah, okay, I heard the "bring it". That sounds good. Is there anything else on here? Does everybody have these URLs down? Pull the plug. They're on the internet. They're on the interwebs, and the disc points you to the interwebs, so it'll get you there eventually.

Pardon our brief changeover. So while he's doing that, I would like to point out that it was pretty disturbing that even when you go to the Clear website as a paying customer, you log into your account, check your account or whatever, there is no option to opt out of this LBS system. It just doesn't exist, and that really
kind of sucks, because we would like to see an opt-out option, especially as a paying customer. When we're paying for, you know, half a dozen devices, we just don't want to be tracked. That's it. No one has a right to know my location, and we just think that they should give us an option to opt out of this, because right now you're stuck. That's it. You buy this gear, you can be tracked. So that's something to think about, those of you who go out and get WiMAX if it comes to your areas. Consider emailing customer service. If you can, go to developer.clear.com, dig around, you can find some engineers that are on there, and say your piece, and hopefully we can get this implemented. And that's being tracked by anyone with a developer key, which, by the way, they gave me for free. I just asked for it; they sent it back. Right now we cannot change our MAC address. Well, you're not supposed to, anyway.

So is this supposed to just pop up there, or does somebody have to push a button somewhere? Okay, that means I'm doing it wrong. Nope, nope, the screen's doing something. Oh, there we go. Yeah, thanks. Hey Kenny, check screen, check screen. Hey. I'm so sad; it was totally there. Where'd it go?
I didn't change anything. Control-Z? I sure did. It's still before noon. LBS will work if you're on the tower; if you're connected to the network, it will be able to tell roughly where you're at. It's there, it's there. Hahaha. Alright, Kenny, Kenny, look at this screen. I think that one's being chopped at the top, dude. Hit enter a couple of times. Pressing enter. Now it's gone again. Alright, I'll keep stalling.

So yeah, right now it's a single tower and single panel antenna, and that's really the only way they're determining where you're at. Again, like I said, several hundred meters is generally the distance between each predefined range right now that they can determine, so it's not horribly accurate. But if I really was determined to go get you, I could use LBS to narrow down roughly where you're at and kind of go snoop around from there. Alright, I see a hand. Yeah, go ahead. Yes. Here's the caveat with that: location-based services will tell if you're lying. So we've noticed, we've noticed with Clear, because we had some friends that we all met when we all came to DEF CON, we told them to buy some gear, and they got here and it just started working, for days. I mean, they didn't register, didn't do anything. So it's kind of like they're giving you a teaser. When you buy the gear, it just works for a little bit so you can get a taste of it, and then they're just like, oh, okay, pass. So, mm-hmm, yeah. No, and they do do that. We've also noticed that with some of these home routers, they seem to kind of keep tabs on your home router once it's been turned on. They're like, hey, we noticed you in this area, and then if your home router starts jumping all over the place, it quits working in some areas. So it doesn't stop LBS, so we haven't had any luck yet.

I see a blinky cursor, maybe. Hey, we got a blinky cursor. That's good. So what this is doing right now is basically, this is really gross. I'm kind of embarrassed by it, actually. I'm really embarrassed by it. It took me a long time to be okay and settle in with the concept of releasing
this code to the public, because it's so awful. But it's effective. So I've got a shell script that's starting screen, using OpenOCD, loading some Tcl scripts, because OpenOCD uses Tcl as its script interpreter. Man, I haven't touched Tcl in like 10 years. You guys remember Eggdrop bots? Anyway, different story. So these Tcl code bits, they're bringing in some MIPS32 machine code and dropping it in via JTAG, and that's what's actually transferring data between flash and RAM and moving things around. So I'm taking... hey, I think it's mostly done, actually. There's a nice little ps listing, and that's what's running on the box, and there's root. It takes about a minute and a half to run.

So what did it do? Does anybody care? Sort of, a little bit. Because there's the mailing list too, and there's going to be documentation there, so I don't want to bore everybody to death here. What the hell did it do? I don't know. I tried to figure it out sometime a year ago, so I've kind of forgotten. But generally, what it's doing is it goes in and it transfers the bootloader config to a temporary area, you know, just somewhere else in flash where it won't get nuked, and then allows the original bootloader config to be overwritten, or, actually, it erases it and lets a temporary one be written. I just said I'm trying not to do that. Mental note. Thanks. Have any of you spoken before at one of these conferences? Show your hands. There are a couple of people. This is my first time, and it's still 10 a.m., and god damn, last night was awesome. It's almost 11? The time is... anyway, I should get the hell out of here then. So the gist of the story is it shuffles a bunch of junk around, lets things get recreated, kind of does a little jury-rigging and a little bit of this and a little bit of that to sneak this console state "unlocked" past the scripts that are checking for it and the program that automatically resets it to locked. I can page up through this stuff, but it's really boring. If you want more detail, really, I think you should just come and chat
with me, because seriously, the details and the integrity and looking at the MIPS32 code... But the code is available for perusal at this point, and there are some comments in there that probably don't make any sense, because I've been making them for the last 8 hours or so instead of sleeping. It's good times. And we have the breakout session in 107, I think, 107. So if you want any more intimate question-asking sessions or anything, then we'll be over there. Are there any questions while we're in here? Any big ones? I got a question over here. No? Okay.

So the question was, last year during the talk we announced that any two modems on the network, whether they were registered or not, could talk to each other, and so the question was, did they ever patch that? Did they do anything to it? No, they didn't. If you have the hardware, it gives you an IP address. It's pretty much like a big IP address. Go nuts: just tunnel, play video games, stream movies, do whatever the hell you want. I mean, oh, I didn't say that. Yeah, make sure you pay for service so you don't get in trouble, you know. Yeah, LBS is a bitch; they will be able to come find you. It's going to be a lot different than, like, big giant shared wired, you know, cable networks like Comcast. They'll be able to track you a lot more finely than Comcast could do on their network with people who are, you know, stealing service. It's very important to balance the give-and-take ratio, how much do you pay them versus how much do you take from them, you know. It's very important to keep that all in mind. Also, one thing that we did mention last year, apparently, was that the Clear Spot runs Linux, and that's not true. It does not run Linux. We learned the hard way. Sorry about that, but just so you know, it's not Linux. Any other questions?

Can LBS be used for mass surveillance? So I think what you'd be referring to is, like, just driftnetting anything, everything that comes in there. I believe it could. They have two different servers. They've got a development server and a production
server, but both kind of give you the same results. With the development environment, though, they're a little bit more restrictive than the production environment. The production environment is sitting on some big old servers that just kind of let you go nuts. And again, like I said, it's opt-in; you really do not have control of that. You get on the network, and within a few minutes someone could look you up on LBS, and there's not a whole lot you could do. And you could just start going through every possible MAC address or IP address in the net block and just start pulling people's locations, and you could, after several hours, probably data-mine a good portion of everyone's location going through one of these networks. So I think the short version of that is "LBS scary", and the answer is "LBS very scary". Yes. Yes. Any other questions? Yes, sir.

Does Clear tell people that they're being tracked via LBS? Is it in the contract? Has anybody seen it? I think that's the answer, really. If nobody's noticed that it's in the contract, then it's not visible enough, whether they're actually including it or not. It's not visible enough, and that's effectively a no. Yes, it's that anyone can do it. Like I said before, I mean, it does require authorized access, but I asked for access and they gave it to me for free. So the question, comment, was what's the difference here between E911 tracking and this LBS stuff? Well, LBS is available to any developer who wants to sign up for it. E911, you kind of have to be, like, E911. I think that's the significant difference: we're giving our location information in real time to anyone else who wants it, and I'm not cool with that. Anybody else? Cool. Well, thanks a lot for your time. Again, this is Goldie, Sanity Bit, Pierce, and I am Asmig. Have a great day.