Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

Hop Hacking Hedy - ShmooCon 2011

Speakers: Q, Atlas, Cutaway, Smash & Slugs on Toast
  • Frequency Hopping Spread Spectrum (FHSS) changes frequencies constantly. The sequence looks random, but it is predictable by the receiver. It is incredibly efficient in the unlicensed bands, as the data is easier to pick out of the noise.
  • Practically, this is used quite a bit! Back in the day, this was used for military communication with the Single Channel Ground and Airborne Radio System (SINCGARS) for voice and data. It used 30-80MHz of bandwidth with 120+ channels, hopping roughly 100 times per second. The original implementation relied on the hopping for security!
  • Bluetooth uses FHSS as well. It has 79 total channels at 1MHz apiece. Its clock ticks 3200 times per second and it switches channel every other tick, so Bluetooth hops 1600 times per second. In the implementation documentation, the authors came across an article that claimed the FHSS modulation acts as layer 1 encryption... this is not right, but it is a common misconception.
  • How to break this? The most obvious way is to get the hopping pattern. There are a few ways mentioned:
    • Break the algorithm being used by figuring out the PRNG source.
    • Analyze data fast enough to catch hops.
    • Generate the pattern for all clock values associated with the radio. This was done by Michael Ossmann at ShmooCon 2009 on Bluetooth by listening for a whole day.
  • The purpose of this talk was evaluating the implementation of FHSS. They came up with a substantial amount of code for this and created their own platform to do so. The repo is called HedyAttack after the credited inventor of FHSS, Hedy Lamarr. They noted they destroyed a bunch of hardware along the way, and that this is part of the process.
  • By the end of developing the project, they had some interesting firmware. The first program is maxscan, which is a simple spectrum analyzer. This is helpful for figuring out WHERE the hops are happening and visualizing everything.
  • The next tool is minscan. This tool starts out by recording the average minimum RSSI value for each channel using a series of initialization passes. Once the minimum values have been recorded, the tool switches mode to monitor rises in the RSSI value that indicate a transmission on that channel. This helps with tracking the switching.
  • While writing the firmware, a lot of code was borrowed from the IM-ME to get things working, and many things still did not work. This radio communication stuff is really hard! A lot of the documentation is hidden behind paywalls, which is really annoying to deal with. The code also has a Python interface so the analysis can be handled on the computer side, away from the radio. This required them to write their own USB communication interface from scratch.
  • The amazing part of the software is that it can be used to do hop tracking! This does assume that the radio can cover the entire bandwidth of the FHSS system. The tool only works on the CC1111EMK868-915 TI board, which only operates on the 868 MHz and 915MHz frequency bands.
  • What are the steps for analysis?
    • Floor and Ceiling. Find the mins and maxs.
    • Channel threshold. How do we know that we have found a channel?
    • Channel identification and spacing.
    • Find the hopping pattern.
    • Find the sync word. This is the "I'm starting to send data" marker.
  • Although this is a lot of information to figure out, there is a finite number of ways to configure most things. Because that work is tedious, people will just say this is secure. Interacting with FHSS is hard, but it is not a security feature by itself. The Github repo has code for graphically viewing the spectrum, analyzing the hops to figure out parameters, and actually sending data.
  • An additional piece I found while watching this talk was Combining the Bandwidth of Two HackRFs. Using this, you could use the HackRF to view a larger bandwidth than what we thought was possible. During this talk, the HackRF did not exist, requiring them to make their own tooling.
  • Overall, a really interesting talk about FHSS in the wild. It seems that this has died down some but this is not where it ends!
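As an added illustration of the minscan approach and the analysis steps listed above (this is example code written for these notes, not the HedyAttack firmware or its Python interface), the following simulates a per-channel RSSI sweep, calibrates the noise floor from idle initialization passes, detects the channel that rises above the floor on each live sweep, and recovers the length of the hopping pattern. The channel count, hop sequence, and dBm levels are constructed assumptions.

```python
import random

# Constructed example: 8 channels, a 6-channel hopping pattern, RSSI in dBm.
CHANNELS = 8
PATTERN = [3, 7, 1, 5, 0, 6]           # assumed hop sequence the "transmitter" follows
NOISE_FLOOR, TX_LEVEL = -100.0, -60.0  # assumed idle floor and on-channel signal level

def build_sample_capture(init_sweeps=10, live_sweeps=18, seed=1):
    """Return (initialization sweeps, live sweeps); each sweep is one RSSI reading
    per channel. Constructed data: init sweeps are idle, live sweeps carry one hop each."""
    rng = random.Random(seed)
    noise = lambda: NOISE_FLOOR + rng.uniform(-2.0, 2.0)
    init = [[noise() for _ in range(CHANNELS)] for _ in range(init_sweeps)]
    live = []
    for i in range(live_sweeps):
        sweep = [noise() for _ in range(CHANNELS)]
        sweep[PATTERN[i % len(PATTERN)]] = TX_LEVEL + rng.uniform(-2.0, 2.0)
        live.append(sweep)
    return init, live

def calibrate_floor(init):
    """minscan's first mode: average each channel's idle RSSI over the init passes."""
    return [sum(s[ch] for s in init) / len(init) for ch in range(len(init[0]))]

def detect_hops(floor, live, threshold_db):
    """minscan's second mode: per sweep, the channel rising furthest above its floor
    is the active hop if the rise clears the channel threshold; otherwise None (idle)."""
    hops = []
    for sweep in live:
        rises = [sweep[ch] - floor[ch] for ch in range(len(floor))]
        best = max(range(len(floor)), key=rises.__getitem__)
        hops.append(best if rises[best] >= threshold_db else None)
    return hops

def find_period(hops):
    """Shortest period consistent with the observed hop sequence (the pattern length)."""
    for p in range(1, len(hops)):
        if all(hops[i] == hops[i + p] for i in range(len(hops) - p)):
            return p
    return len(hops)

if __name__ == "__main__":
    init, live = build_sample_capture()
    floor = calibrate_floor(init)
    hops = detect_hops(floor, live, threshold_db=20.0)
    p = find_period(hops)
    print("noise floor per channel:", [round(f, 1) for f in floor])
    print("recovered hopping pattern:", hops[:p])
```

A real capture would add the sync-word search on the recovered channel sequence and would need sweeps fast enough to keep up with the hop rate, which is where the talk's dedicated firmware comes in.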