Build-your-own sniffer

Michael Ossmann, Great Scott Gadgets
Mike Kershaw, Kismet Wireless

Us
● Mike Kershaw: Kismet & Kisbee creator
● Michael Ossmann: Creator of Ubertooth One, Founder of Great Scott Gadgets

Why make your own?
● It's easy to sniff Ethernet
● It's easy to sniff Wi-Fi
● But what else is out there?
● Bluetooth... zigbee... nRF... DECT... and dozens or hundreds of others
● Might contain useful data
● Might be a security risk for your company
● Might need to interface to devices
● Pure spite ("No-one can sniff this...")

Golden Age of HW Hacking
● This truly is the magic era
● Want to do 4-layer PCB prototypes using QFN radio chips?
● $50 or so for boards + stencil
● This is amazing
● Insanely cheap to prototype
● Tools are cheap too

Initial design checklist
● Can you get a radio that already does what you need?
● How technical is your target audience?
● Will you be making more than a couple for yourself?
● What firmware do you need?
● What host code do you need?
● How will you integrate with existing tools?
● How will you fab and assemble them?

Can you get a radio?
● Some protocols (wifi, zigbee) have easy-to-use transceiver Integrated Circuits (ICs) or modules.
● Some protocols do not have easy ways to monitor them (i.e., Bluetooth) and you can't use an off-the-shelf radio module
● Some protocols have no commodity hardware at all and you have to decode everything!

SDR vs Dedicated radio
● Instead of an IC for a particular protocol, you could turn to Software Defined Radio (SDR).
● SDR is like using the sound card in a computer but with the speaker and microphone replaced by antennas (and about 1000 times faster).
● Digital Signal Processing (DSP) is used on raw radio waveforms in the digital domain.

SDR Receiver

SDR gets complicated

HackRF Design Goals
● Transceiver
● Operating frequencies from 100 MHz to 6 GHz
● 20 Million samples per second
● 8 bit resolution
● High Speed USB interface
● Bus powered
● Portable
● Open source hardware and software
● Low cost

SDR is great!
● For development
● For reverse engineering radio protocols
● For building radio systems without having to break out the soldering iron
● For implementing multiple protocols
but there are drawbacks...

SDR is not so great
● The hardware is more expensive than a dedicated solution.
● DSP is complicated (both in development time and CPU utilization).
● It draws more power, making portable solutions difficult.
In general, we recommend SDR for research and development but recommend dedicated hardware for deployment.

How technical is your audience
● Audience dictates complexity of device
● The more work you can do on your tools to make the device easy to use, the more people you'll be able to reach
● Decide what platforms you will give primary support to (Linux, OSX, Windows?) Each has challenges
● Don't sacrifice functionality for simplicity, however

How many are you making?
● Making 2 or 3? Use whatever you want! Just make sure you can solder it.
● Making 10-50? Make sure you can get what you need (check stocks), try to optimize for price. Realize you will soon hate building them.
● Making 100+? Time to start seriously looking at bulk price breaks, and designing with machine fab in mind

Picking a Microcontroller
● For low-bandwidth applications you have a lot of choices, power not a concern
● For SDR and high bandwidth, you need high speed processor, communication, USB2 or gbit ethernet support
● Look at support - libraries, existing code, toolchains, licensing
● Look at peripherals - what's built in to the chip already?

Microcontroller peripherals
● Peripherals = Features
● Pick chips based on what you need
● ADC - Analog to Digital
● PWM - Pulse Width Modulation, digital control of output
● GPIO - General Purpose IO. "Set pin 10 to 1, set pin 9 to 0"
● UART - Serial
● SPI, I2C - Inter-chip comms protocols

Pre-made tools
● Arduino - can talk to a lot of things and is useful to prototype, but expensive for production. Be careful of 3v/5v!
● Bus Pirate - lots of chip comms protocols
● GoodFET - lots of comms, easy to make
● A lot of radio components are surface-mount only
● Some require custom ($$) programmers
● Sometimes you can hack a programmer
$400 programmer, $0.50 wire

Firmware
● Look for communities around the chips you're considering
● Look for libraries which take care of a lot of the low level stuff
● Most firmware is in C now, with occasional assembler
● Some chips don't have open licensing on demo code, beware!
● Lots of common cores (like Arm)

Device to host
● Make sure your communications channel has enough bandwidth!
● Make sure your communications doesn't directly interfere with the spectrum you're monitoring
● USB2 is relatively easy to do at high rates of speed
● Another option is gbit ethernet with raw frames

Host code
Needs to get data from device somehow
● Libusb allows raw usb xfer without having to write a driver, and relatively cross-platform
● Usb-Serial is handy, if you can use it.
● Bandwidth is definitely an issue for very high rate devices
● Tcpdump or similar to get packets from raw ethernet devices

Integrating with existing code
● Lots of existing code - let's leverage it!
● Wireshark (obviously)
● Tcpdump?
● Kismet?
● Scapy?
● Almost all tools expect to get packets, you just need to get your data to them

Wireshark
● There needs to be, or you need to get, a DLT linktype definition, to tell what kind of packets
● If it shows up as a netdev, Wireshark can read it. On Linux, we can fake this with tuntap
● If it writes a pcap file, Wireshark can read it. Writing pcap is easy!
● I've been thinking about ways to plug in non-netdev capture to Wireshark
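As an added example (not Kismet or Kisbee code), a host-side pcap writer for frames coming off an 802.15.4 sniffer: it emits the pcap global header with the IEEE 802.15.4 link type (DLT 195, frames with FCS) and one record per frame, and refuses any length beyond the 127-byte 802.15.4 maximum so a bad length byte from the device never becomes a record Wireshark rejects. The sample ACK frame, its FCS bytes and the output file name are constructed assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DLT_IEEE802_15_4     195   /* libpcap link type: 802.15.4 frames, FCS present */
#define IEEE802154_MAX_FRAME 127   /* max PHY frame, framing included */

/* pcap fields are written byte-wise (little-endian) so the file is the same on any host. */
static void put_u32(uint8_t *p, uint32_t v)
{
    p[0] = v & 0xff; p[1] = (v >> 8) & 0xff; p[2] = (v >> 16) & 0xff; p[3] = (v >> 24) & 0xff;
}

/* 24-byte pcap global header; the link type tells Wireshark which dissector to start with. */
size_t pcap_write_header(uint8_t *out, uint32_t linktype)
{
    put_u32(out, 0xa1b2c3d4);                         /* magic: microsecond timestamps */
    out[4] = 2; out[5] = 0; out[6] = 4; out[7] = 0;   /* version 2.4 */
    put_u32(out + 8, 0);  put_u32(out + 12, 0);       /* thiszone, sigfigs */
    put_u32(out + 16, IEEE802154_MAX_FRAME);          /* snaplen */
    put_u32(out + 20, linktype);
    return 24;
}

/* 16-byte record header + frame bytes. Returns 0 and writes nothing for a length
 * the radio could not have delivered (0 or more than 127 bytes). */
size_t pcap_write_record(uint8_t *out, uint32_t ts_sec, uint32_t ts_usec,
                         const uint8_t *frame, size_t len)
{
    if (len == 0 || len > IEEE802154_MAX_FRAME)
        return 0;
    put_u32(out, ts_sec);  put_u32(out + 4, ts_usec);
    put_u32(out + 8, (uint32_t)len);                  /* incl_len */
    put_u32(out + 12, (uint32_t)len);                 /* orig_len: nothing truncated */
    memcpy(out + 16, frame, len);
    return 16 + len;
}

/* Constructed sample: an 802.15.4 ACK (FCF 0x0002 little-endian, seq 0x2a, placeholder FCS). */
static const uint8_t sample_ack[] = { 0x02, 0x00, 0x2a, 0x00, 0x00 };

int main(void)
{
    uint8_t buf[24 + 16 + IEEE802154_MAX_FRAME];
    size_t n = pcap_write_header(buf, DLT_IEEE802_15_4);
    n += pcap_write_record(buf + n, 1335000000u, 0, sample_ack, sizeof sample_ack);
    FILE *f = fopen("kisbee.pcap", "wb");             /* assumed output file name */
    if (!f) return 1;
    return fwrite(buf, 1, n, f) == n && fclose(f) == 0 ? 0 : 1;
}
```

Opening the resulting file in Wireshark selects the IEEE 802.15.4 dissector from the link type alone; a per-device DLT is only needed when the capture carries extra radio metadata.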

Kismet
● Major rewrite almost complete to make Kismet handle any Phy type on equal footing
● Usable in SVN now!
● Plugins to make Kismet "anything wireless" not just Wi-Fi
● Inspired by Ubertooth, expanding to as many wireless protocols as possible
● Please, consider talking to me if you want to make a wireless sniffer!

Kismet Phy-N
● Plugging into Kismet gets you "free":
  ○ GPS logging
  ○ Signal logging
  ○ XML logging
  ○ Pcap
  ○ Virtual netdev export to Wireshark
  ○ Basic UI
● Minimal code needed to add new UI elements
● Just need a packet with a device identifier

Kismet Phy-Neutral UI

Portable devices
● Android 2.2+ can talk Bluetooth RFCOMM SPP, serial over Bluetooth. Minimal permissions
● Android Dev Kit, Arduino-like device acts as USB host. Low bandwidth.
● IOIO, like ADK, needs USB debug mode
● Android 3.1+ can talk USB as a host device! Control and bulk standard and interrupt IO

Problem devices we can't use
● iPhone is a locked platform
● Want to talk serial? Requires licensed auth chip hardware
● Want to talk bluetooth? Requires... licensed auth chip hardware
● Rooted i-Device could do it, but I don't have one. Anyone want to write an iPhone zigbee sniffer?

Sniffer projects
Kisbee
Ubertooth

Kisbee
● Talks 802.15.4
● SCADA, sensor grids, smart grid, etc
● Portable sniffer
● Talks USB & Bluetooth
● Able to use high-power antennas

802.15.4/Zigbee
● Low-bandwidth (max packet size 127 bytes, including framing)
● Multiple topologies for sensor networks (star, mesh, etc)
● Used in home automation, industrial monitoring, smartgrid, etc
● Shares spectrum with Wi-Fi, Bluetooth, etc, but not otherwise detectable

Kisbee Goals
● Different design goals lead to different decisions
● Kisbee designed to be:
  ○ Low power consumption (battery powered)
  ○ Low host device CPU power (works with phones)
  ○ Hand-assemble-able (original designs entirely for manual assembly)
  ○ Consistent platform for Kismet/Zigbee/etc dev

Not revolutionary, but useful
● Kisbee isn't a giant revolution in zigbee devices...
● Travis Goodspeed doing portable zigbee stuff (but non-reproducible)
● Multiple USB zigbee interfaces, but often with wacky firmware (Raven + KillerBee)
● But.. Kisbee designed as a portable, robust platform, open hardware, open software

Version 0
● Started in Feb 2012
● CC2420 zigbee radio
● CC2591 2.4ghz amplifier
● MSP430 microcontroller
● FTDI TTL to USB serial adapter
● Hard to hand assemble (0402 and QFN)
● Expensive components - MSP is $15, FTDI is $5

Version 1
● Started in March
● Much simpler to assemble radio module
● Board is 2 layers instead of 4
● Still uses expensive MSP and FTDI
● Radio module is expensive
● Didn't work - dramatically. Issues in power circuit caused lots of problems.
● Physical layout wasn't very good.

Version 2
● Final design in April
● Switch from MSP430 to LPC1343 ARM
● Integrates flashing, USB, etc in one chip, which costs $4.50!
● Revised layout
● Everything works!
● Some quirks here and there in design but generally pleased, making 50, & more to come!

Dedicated radio
● Kisbee uses a discrete 802.15.4 radio
● Acts similar to a Wi-Fi card in monitor mode
● Signal decoding in hardware on the radio chip
● Provides decoded packets, NOT raw waveform samples

Talking to the radio
● The MRF radio talks SPI, a common protocol
● The commands are well-documented by Microchip, fortunately!
● It includes a monitor/promiscuous mode
● Packets reported via SPI
● The vast majority of things you'll encounter making boards will talk SPI

SPI
● Clocked serial protocol (which means it's easy! No syncing!)
● Set data high (or low)
● Raise clock
● Read incoming data line
● Lower clock
● Most microcontrollers have SPI built in as a peripheral function, acts like writing to a serial port
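The four steps above, bit-banged in C as an added example (not Kisbee firmware): the master shifts one byte out MSB first while clocking one byte back in, with mode 0 timing (clock idle low, data sampled on the rising edge). The GPIO accessors and the slave are simulated in software so it runs on a PC; on the LPC1343 they would be pin register writes, and the slave would be the radio chip.

```c
#include <stdint.h>
#include <stdio.h>

/* Simulated bus lines; in firmware these are GPIO pin reads/writes (assumed). */
static int mosi_line, sclk_line, miso_line;

/* Simulated slave: a shift register that drives its MSB onto MISO, samples MOSI
 * on the rising clock edge and shifts on the falling edge (SPI mode 0). */
static uint8_t slave_shift, slave_received;

void slave_load_response(uint8_t b)
{
    slave_shift = b;
    miso_line = (slave_shift >> 7) & 1;
}
uint8_t slave_last_received(void) { return slave_received; }

static void set_mosi(int v) { mosi_line = v; }
static int  read_miso(void) { return miso_line; }
static void set_sclk(int v)
{
    int rising = !sclk_line && v, falling = sclk_line && !v;
    sclk_line = v;
    if (rising)                                   /* slave latches MOSI */
        slave_received = (uint8_t)((slave_received << 1) | mosi_line);
    if (falling) {                                /* slave presents its next bit */
        slave_shift = (uint8_t)(slave_shift << 1);
        miso_line = (slave_shift >> 7) & 1;
    }
}

/* One full-duplex byte: the slide's four steps, eight times, MSB first.
 * No preamble or baud rate needed; the clock line says when each bit is valid. */
uint8_t spi_transfer(uint8_t out)
{
    uint8_t in = 0;
    for (int i = 7; i >= 0; i--) {
        set_mosi((out >> i) & 1);                 /* set data high (or low) */
        set_sclk(1);                              /* raise clock */
        in = (uint8_t)((in << 1) | read_miso());  /* read incoming data line */
        set_sclk(0);                              /* lower clock */
    }
    return in;
}

int main(void)
{
    slave_load_response(0x3c);                    /* constructed reply byte */
    uint8_t got = spi_transfer(0xa5);             /* constructed command byte */
    printf("sent 0xa5, slave saw 0x%02x, got back 0x%02x\n", slave_last_received(), got);
    return 0;
}
```

A hardware SPI peripheral does exactly this shifting for you; the bit-banged form is what you fall back to when the pins you have free are not on the SPI block.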

LPC1343
● Flashable over USB (presents as a mass storage disk!), no custom programmer!
● Built-in USB (no $5 FTDI serial chip)
● Can do bulk transfer USB as well
● Nice support libraries
● SPI, UART peripherals
● Very cheap! $4 in small quantities
● Plenty of GPIO pins

Talking to the PC (or phone)
● LPC1343 can communicate via USB directly
● CDC-ACM serial driver
● Implemented an extended version of the Serialdev protocol (simple serial protocol for talking to Zigbee devices)
● Bluetooth is done over RFCOMM SPP, bluetooth serial port

Firmware
● Microbuilder.de has a LPC1343 firmware library
● Makes most things VERY easy
● Core firmware to get packets took 2 days or so to create
● Custom firmware is only about 1000 lines of C, including full MRF radio interface

Kisbee Android app

Android mapping

More android mapping

Ubertooth One

Sniffing Bluetooth is hard
● Off-the-shelf Bluetooth adapters are not capable of monitor mode.
● The ICs aren't capable of monitor mode either.
● Commercial Bluetooth sniffer costs $30k.
I developed some SDR solutions with Dominic Spill (ShmooCon 2009), but I wanted something lower cost that everyone can use.

Frequency Hopping Spread Spectrum

Whitening (scrambling)

Searching for packets

The middle road
● Dedicated ICs were not available.
● SDR solutions were complicated and expensive.
● However, some transceiver ICs support Bluetooth's modulation (1 Mbps GFSK) even though they don't support the Bluetooth packet format.
● And some of them provide a way to bypass the on-chip packet handling!

Ubertooth One design

Designing
How do you actually start these things?

Making the design
● Create the schematic (logical connections between components)
● Route the PCB (physical connections between components, linked to the schematic)
● Generate Gerber files (standard CAD file format used to make PCBs)
● Send it off to get made!

CAD / EDA
● Dozens of CAD/EDA layout programs out there
● We use Kicad - GPL, 100% free, no license encumbrances
● Eagle has free version, but size, layer limited, and cannot be used for sale
● Plenty of very fancy, but very expensive, commercial CAD (Orcad, Altium, etc)

10 seconds on Kicad
● Very capable
● OSS - with all the implications of that, good and bad
● Sometimes UI is ... quirky.
● Tutorials are getting better
● LEARN THE KEYBOARD SHORTCUTS. There's a lot of things you can't do without them!
● Footprint library slowly growing

Types of components
● PTH - Plated through hole, big wires through holes. For radios, these won't be an option.
● Passive (resistor, capacitor, etc)
  ○ Common sizes 0805, 0603, 0402
  ○ 0.08 x 0.05 inches, 0.06 x 0.03, etc
● Integrated Circuit (IC)
  ○ Vast rainbow of packaging types
  ○ TSSOP, SOT, PFQ, QFN...
● May have no choice, may be able to pick what types you use

0603 passives

QFP
● Many different pin counts
● Common
● Not as hard to solder as you'd fear

QFN
● Many radio chips are QFN only
● No leads - solder attaches to bottom
● Simple ones can be done with hot air
● Usually have to be done with reflow

Quick design tips
● Look for app notes with example circuits
● Try to stay to 2-layer for prototypes
● Design in cut-outs to let you build and test in stages
● Avoid doing RF paths if you can
● Look for OSS projects using your MCU or radios
● Find someone to beg for help

PCB Fab
● You can make your own boards at home, sort of. Single layer is easy. Dual layer is a lot harder. 4 layer is right out. Precision is vital for many rf chips.
● Prototype quantity fabrication is cheap now!
● The trade off is time - all the inexpensive prototype fabs have a several-week turnaround

Prototype fabs
● Laen's OSH Park (formerly Dorkbot PDX) batch fab. This is our favorite - great price, quality, and customer service! And the fab is in the US!
● BatchPCB - Run by the Sparkfun folks, uses Gold Phoenix
● Others, but these are really good
● For larger prototype runs, talk to Laen, or send to Gold Phoenix

Soldering!
● Who has tried to solder something?
● How'd it go?
● End up with a big blob of solder that won't go where you want and everything bridged?
● Soldering is about 5% skill, 5% experience, and 90% equipment and supplies
● Fortunately, it's pretty cheap! $200 will get you everything you'll need

SMT Soldering
● PTH soldering applies flux and solder to the component
● SMT soldering, apply flux to the board and component, and bring solder to it
● Flux keeps the solder from balling up and sticking
● Lots of tutorial videos on Sparkfun and Youtube, better taught by video

The iron
● Did you buy it from Radioshack? Get rid of it. Unless you do wood burning.
● You NEED temp control!
● Hakko, Weller both good brands
● I like the Hakko FX-951
● The Hakko FX-888 is $80 and fine too

The tips
● Conical tips are usable but not really what you want, the solder will rarely go where you need
● Chisel tip is the most useful general tip
● Bevel tip is fantastic for ICs

Flux
● Remember how the solder balled up and wouldn't flow onto pins?
● All the flux was burned off
● Flux makes solder runny and want to stick to metal
● Get no-clean and non-corrosive fluxes or you will be sorry!
● Chipquick paste flux (again from Amazon)

Solder
● I've had good luck with almost any solder, including generic radio shack solder
● Leaded is easier to work with but non-leaded is safer
● Don't use acid-core plumbing solder!
● Get as thin a solder as you can

Hot air
● Sooner or later you need to remove an IC
● Can't do it with an iron
● Hot air guns are cheap ($80!)
● Not vital, but definitely useful

Hot air for less
Pick up an embossing tool for $20 at your local craft store

Reflow soldering
● Uses solder paste
● Applied through a stencil to the board
● Place components with tweezers or vacuum tool
● Heat entire board on a hotplate or in a toaster oven
● Only way to do some things like QFN
● Surface tension helps auto-align components!

Soldering tricks
● When in doubt, FLUX IT
● When trying to remove a component, add more solder - it'll come off easier
● Desoldering braid needs to be pulled apart a little to be more effective
● When you have flux on the board, you can stop worrying about the flux burning off on your iron
● Almost anything can be fixed w/ hot air, desoldering, etc

Reflow tricks
● Set your paste layer apertures to about 88% of the pad size
● Leaded paste melts quicker, lead-free is safer/better
● Apparently you can't do it when it's 100% humidity or the chips pop off the board like popcorn :(
● Skillet works as well as a toaster oven

Picture time!
It's photo time!
Photo slides: Stencil - laser cut from kapton; Applying paste; Pasted - a little thick; Components placed; Reflowed (with problems); Batch + Electric skillet; Batch reflowing; Smooth reflow; Corrosive flux; Hakko bevel tip; Simple boards are cheap too!; Hot air the middle of a board; "Dead-Bug"ing a chip

Fixing your design
● It's not going to go right the first time
● You can do a lot of fixes to make it work before you order the second design
● Sometimes, things just go a little wrong making the boards and you have to kluge a fix, too
● Fly-wires, drilling out traces, etc

Photo slides: Fly-wire; Cut trace & hack resistor; More fly-wires; More emergency wiring; Handyman's helper: Power drill

Get your own!
● We have Kisbee units with us, come find us after
● Get an Ubertooth at Great Scott Gadgets
● Support your local hackers!

Great Scott Gadgets
http://greatscottgadgets.com/
Build a Throwing Star LAN Tap
Be sure to grab a business card!

Q&A
Ask away