Security Forums
Comments on "A novice guide to Homebrew data bugs"

MattA
Trusted SF Member
Joined: 13 Jun 2003
Posts: 16777193
Location: Eastbourne + London

Posted: Sun Aug 15, 2004 1:51 pm    Post subject: Comments on "A novice guide to Homebrew data bugs"

Right, off to Maplins next weekend

Moderator note: I split this thread from A novice guide to Homebrew data bugs..., to help keep the 3 parts of the tutorial uncluttered. Feel free to carry on in here - capi
TaloneR
Just Arrived
Joined: 16 Apr 2003
Posts: 2

Posted: Sun Aug 15, 2004 3:06 pm

Cool article dude... gotta make some of these ... it goes in my *cool home made gizmo list*
Abbos
Just Arrived
Joined: 26 Feb 2003
Posts: 0
Location: Berkshire, UK

Posted: Tue Aug 17, 2004 4:15 pm

Wow! I get the feeling there might be a few more follow-ups to this M3Dz, and sincerely thank you for all the time and effort put into it. I have read both parts fully and will be printing them off to get ready to construct this.

Again, many thanks.
decypherohm
Just Arrived
Joined: 16 Nov 2002
Posts: 1
Location: World - Europe - Portugal - Lisbon

Posted: Tue Aug 17, 2004 6:29 pm

I wish I knew electronics and/or had the equipment to make one of those...
Agentsmith15
Just Arrived
Joined: 15 Jul 2004
Posts: 0
Location: Texas...

Posted: Tue Aug 17, 2004 8:41 pm

Could you also post the source code as ASM, and preferably in the MASM format?
capi
SF Senior Mod
Joined: 21 Sep 2003
Posts: 16777097
Location: Portugal

Posted: Tue Aug 17, 2004 10:18 pm

Agentsmith15 wrote:
Could you also post the source code as ASM, and preferably in the MASM format?

Agentsmith15, surely it wouldn't give you too much trouble to convert it to ASM for yourself... M3Dz gave you the source code, it's already in C, that's 99% of the work already laid out there...
Agentsmith15
Just Arrived
Joined: 15 Jul 2004
Posts: 0
Location: Texas...

Posted: Tue Aug 17, 2004 11:25 pm

I just started learning ASM over the past week, and I haven't learned C yet.
M3DU54
Trusted SF Member
Joined: 11 May 2002
Posts: 1
Location: Las Palmas de Gran Canaria

Posted: Wed Aug 18, 2004 1:33 pm

Agentsmith15 wrote:
Could you also post the source code as ASM, and preferably in the MASM format?


Here's the two languages interleaved to help you relate the ASM to the C... Bear in mind that the assembly for the PIC is considerably different from assembly for the 80x86, so this might not make a great deal of sense to you unless you have a reference on the PIC's opcodes.

Code:

// Stats:
//
//               ROM used: 120 (12%)
//                         Largest free fragment is 904
//               RAM used: 7 (10%) at main() level
//                         7 (10%) worst case
//               Stack:    1 locations
//

*
0000:  MOVLW  00
0001:  MOVWF  0A
0002:  GOTO   03B
0003:  NOP
.................... #include <16F84A.h>
.................... #device PIC16F84A
.................... #list
....................
.................... #use delay(clock=10000000)
.................... #fuses NOWDT,HS, NOPUT, NOPROTECT
.................... #use rs232(baud=1200,parity=N,xmit=PIN_A2,rcv=PIN_A3,bits=9)
....................
.................... // prototypes
.................... void clockwait(void);
....................
.................... unsigned char val;
....................
.................... void main()
.................... {
*
003B:  CLRF   04
003C:  MOVLW  1F
003D:  ANDWF  03,F
003E:  CLRF   0E
003F:  BSF    03.5
0040:  BCF    05.2
0041:  BCF    03.5
0042:  BSF    05.2
....................    unsigned char t;     // Loop control variable
....................    unsigned char byt;   // Holds each byte received
....................
....................    setup_counters(RTCC_INTERNAL,RTCC_DIV_1);
0043:  MOVLW  08
0044:  MOVWF  0C
0045:  BTFSS  0C.3
0046:  GOTO   04F
0047:  MOVLW  07
0048:  CLRF   01
0049:  MOVLW  81
004A:  MOVWF  04
004B:  MOVF   00,W
004C:  ANDLW  C0
004D:  IORLW  0F
004E:  MOVWF  00
004F:  CLRWDT
0050:  MOVLW  81
0051:  MOVWF  04
0052:  MOVF   00,W
0053:  ANDLW  C0
0054:  IORWF  0C,W
0055:  MOVWF  00
....................
....................    while(1)         // Loop forever...
....................    {
....................       byt=0;         // Starting a new data frame
0056:  CLRF   11
....................
....................       clockwait();      // Ignore start bit
0057:  CALL   004
....................       for(t=0;t<8;t++)      // Grab eight bits of data...
0058:  CLRF   10
0059:  MOVF   10,W
005A:  SUBLW  07
005B:  BTFSS  03.0
005C:  GOTO   071
....................       {
....................          clockwait();
005D:  CALL   004
....................             byt|=input(PIN_A0)<<t;
005E:  BSF    03.5
005F:  BSF    05.0
0060:  MOVLW  00
0061:  BCF    03.5
0062:  BTFSC  05.0
0063:  MOVLW  01
0064:  MOVWF  0C
0065:  MOVF   10,W
0066:  MOVWF  0D
0067:  BTFSC  03.2
0068:  GOTO   06D
0069:  BCF    03.0
006A:  RLF    0C,F
006B:  DECFSZ 0D,F
006C:  GOTO   069
006D:  MOVF   0C,W
006E:  IORWF  11,F
....................       }
006F:  INCF   10,F
0070:  GOTO   059
....................       clockwait();         // Ignore parity bit
0071:  CALL   004
....................       clockwait();      // Ignore stop bit
0072:  CALL   004
....................
....................       putc(byt);         // Send byte to the transmitter
0073:  MOVF   11,W
0074:  MOVWF  12
0075:  GOTO   00F
....................
....................    }            // ... rinse and repeat :)
0076:  GOTO   056
.................... }
....................
0077:  SLEEP
.................... void clockwait(void)
.................... {
....................    // Waits for the next clock cycle...
....................       while(!input(PIN_A1));   // Wait for clock to go HI
*
0004:  BSF    03.5
0005:  BSF    05.1
0006:  BCF    03.5
0007:  BTFSS  05.1
0008:  GOTO   004
....................       while(input(PIN_A1));   // Wait for clock to go LO
0009:  BSF    03.5
000A:  BSF    05.1
000B:  BCF    03.5
000C:  BTFSC  05.1
000D:  GOTO   009
000E:  RETLW  00
.................... }
....................
000F:  BSF    03.5
0010:  BCF    05.2
0011:  BCF    03.5
0012:  BCF    05.2
0013:  MOVLW  09
0014:  MOVWF  0D
0015:  NOP
0016:  NOP
0017:  NOP
0018:  BSF    0D.7
0019:  GOTO   02B
001A:  BCF    0D.7
001B:  RLF    0E,W
001C:  DECFSZ 0D,W
001D:  RRF    12,F
001E:  BTFSC  03.0
001F:  BSF    05.2
0020:  BTFSS  03.0
0021:  BCF    05.2
0022:  BSF    0D.6
0023:  GOTO   02B
0024:  BCF    0D.6
0025:  DECFSZ 0D,F
0026:  GOTO   01B
0027:  NOP
0028:  NOP
0029:  NOP
002A:  BSF    05.2
002B:  MOVLW  02
002C:  MOVWF  0C
002D:  CLRF   04
002E:  DECFSZ 04,F
002F:  GOTO   02E
0030:  DECFSZ 0C,F
0031:  GOTO   02D
0032:  MOVLW  AD
0033:  MOVWF  04
0034:  DECFSZ 04,F
0035:  GOTO   034
0036:  BTFSC  0D.7
0037:  GOTO   01A
0038:  BTFSC  0D.6
0039:  GOTO   024
003A:  GOTO   076 (RETURN)

Configuration Fuses:
   Word  1: 3FFA   HS NOWDT NOPUT NOPROTECT


And, for the lazy - here's the hex...

Code:

:1000000000308A003B280000831685148312851C6B
:100010000428831685148312851809280034831652
:1000200005118312051109308D0000000000000049
:100030008D172B288D130E0D0D0B920C0318051523
:10004000031C05110D172B280D138D0B1B28000009
:1000500000000000051502308C008401840B2E285E
:100060008C0B2D28AD308400840B34288D1B1A286E
:100070000D1B2428762884011F3083058E018316EA
:1000800005118312051508308C008C1D4F28073090
:100090008101813084000008C0390F38800064007D
:1000A000813084000008C0390C04800091010420D4
:1000B00090011008073C031C7128042083160514C6
:1000C00000308312051801308C0010088D000319D0
:1000D0006D2803108C0D8D0B69280C089104900A73
:1000E000592804200420110892000F285628630084
:02400E00FA3F77
:00000001FF


...I aim to please ; )~


Part three is going to be delayed, possibly a few days, due to other commitments. Stay tuned though because it's gonna be rather su-weeet.


M3Dz
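The listing above reads the keyboard's PS/2 frame one clock edge at a time: each clockwait() returns after a HI-to-LO transition of the clock, the data line is sampled, and the eight data bits are accumulated LSB first. The full frame is eleven bits (start, eight data, odd parity, stop), and the posted code simply discards the parity and stop bits. The following C is an added example, not code from M3Dz's post or the tutorial: a host-side decoder for that same frame layout which checks the parity and stop bits, so a glitched frame is reported rather than forwarded as a wrong byte. The function names, status codes and sample bytes (0x1C, 0xF0) are constructions for this example.

```c
/* Added example (not from the original post or tutorial): decoding the
 * 11-bit PS/2 keyboard frame that the PIC listing reads one clock edge at
 * a time.  A byte arrives as 11 line samples, one per falling clock edge:
 *   start (0), d0..d7 LSB first, odd parity, stop (1)
 * The listing discards parity and stop; this decoder checks both.
 * Names, status codes and sample bytes are constructed for this example. */
#include <stdint.h>
#include <stddef.h>

#define PS2_FRAME_BITS 11

enum ps2_status { PS2_OK = 0, PS2_BAD_START = 1, PS2_BAD_PARITY = 2, PS2_BAD_STOP = 3 };

/* Parity bit a keyboard sends for `byte`: the number of 1s in data+parity is odd. */
static uint8_t ps2_parity_bit(uint8_t byte)
{
    int ones = 0;
    for (int i = 0; i < 8; i++)
        ones += (byte >> i) & 1;
    return (ones & 1) ? 0 : 1;
}

/* Decode one frame from 11 line samples (each 0 or 1).  Returns a ps2_status;
 * *out is written only on success. */
int ps2_decode_frame(const uint8_t bits[PS2_FRAME_BITS], uint8_t *out)
{
    if (bits[0] != 0)
        return PS2_BAD_START;
    uint8_t byt = 0;
    for (int t = 0; t < 8; t++)            /* same LSB-first build-up as byt|=input(PIN_A0)<<t */
        byt |= (uint8_t)((bits[1 + t] & 1) << t);
    if (bits[9] != ps2_parity_bit(byt))
        return PS2_BAD_PARITY;
    if (bits[10] != 1)
        return PS2_BAD_STOP;
    *out = byt;
    return PS2_OK;
}

/* Produce the samples a keyboard would put on the line for one byte
 * (constructed test-vector generator, the inverse of ps2_decode_frame). */
void ps2_encode_frame(uint8_t byte, uint8_t bits[PS2_FRAME_BITS])
{
    bits[0] = 0;
    for (int t = 0; t < 8; t++)
        bits[1 + t] = (byte >> t) & 1;
    bits[9] = ps2_parity_bit(byte);
    bits[10] = 1;
}

/* Encode, decode, and return the byte, or -1 if the decoder rejected it. */
int ps2_roundtrip(uint8_t byte)
{
    uint8_t bits[PS2_FRAME_BITS], out = 0;
    ps2_encode_frame(byte, bits);
    return ps2_decode_frame(bits, &out) == PS2_OK ? (int)out : -1;
}

/* Encode `byte`, invert sample `idx` (a one-bit line glitch), and return
 * the decoder's status so each check can be seen to fire. */
int ps2_status_with_glitch(uint8_t byte, int idx)
{
    uint8_t bits[PS2_FRAME_BITS], out = 0;
    ps2_encode_frame(byte, bits);
    bits[idx] ^= 1;
    return ps2_decode_frame(bits, &out);
}

/* Decode a sample stream frame by frame; bad frames are counted in *errors
 * and skipped rather than passed on.  Returns the number of bytes written. */
size_t ps2_decode_stream(const uint8_t *samples, size_t nsamples,
                         uint8_t *out, size_t out_cap, size_t *errors)
{
    size_t got = 0;
    *errors = 0;
    for (size_t i = 0; i + PS2_FRAME_BITS <= nsamples && got < out_cap; i += PS2_FRAME_BITS) {
        uint8_t b;
        if (ps2_decode_frame(samples + i, &b) == PS2_OK)
            out[got++] = b;
        else
            (*errors)++;
    }
    return got;
}

/* Constructed stream of three frames with a data bit flipped in the middle one.
 * Returns good*10 + errors so one value carries both counts (expected 21). */
int ps2_demo(void)
{
    uint8_t stream[3 * PS2_FRAME_BITS], out[3];
    size_t errors = 0;
    ps2_encode_frame(0x1C, stream);                   /* arbitrary sample bytes */
    ps2_encode_frame(0xF0, stream + PS2_FRAME_BITS);
    ps2_encode_frame(0x1C, stream + 2 * PS2_FRAME_BITS);
    stream[PS2_FRAME_BITS + 4] ^= 1;                  /* glitch d3 of frame 2 */
    size_t good = ps2_decode_stream(stream, sizeof stream, out, 3, &errors);
    return (int)(good * 10 + errors);
}
```

The decoder deliberately mirrors the listing's loop (`byt |= bit << t` for t = 0..7) so the two can be compared side by side; the only behavioural difference is that a parity or stop-bit failure returns a status instead of producing a silently corrupted byte, which matters as soon as the clock line picks up noise.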
luck___
Just Arrived
Joined: 20 Sep 2004
Posts: 0

Posted: Mon Sep 20, 2004 12:59 pm

Hi, loved the tutorial - very informative. Would it be possible to implement the project using LC series http://www.linxtechnologies.com/interface.php?section=products&category=rf_modules&subcategory=lc_series or LR series http://www.linxtechnologies.com/interface.php?section=products&category=rf_modules&subcategory=lr_series of chips as these are considerably cheaper (student budget)

The LC series looks very attractive but it only offers 5kbps, would this be sufficient?

Many Thanks

Simon Walker
M3DU54
Trusted SF Member
Joined: 11 May 2002
Posts: 1
Location: Las Palmas de Gran Canaria

Posted: Wed Sep 22, 2004 1:47 am

luck___ wrote:
Would it be possible to implement the project using LC series http://www.linxtechnologies.com/interface.php?section=products&category=rf_modules&subcategory=lc_series or LR series http://www.linxtechnologies.com/interface.php?section=products&category=rf_modules&subcategory=lr_series of chips as these are considerably cheaper (student budget)

The LC series looks very attractive but it only offers 5kbps, would this be sufficient?


Those LCs are nice but I don't get as much range from them, even under optimum conditions with a properly tuned antenna. As regards speed, 5kbps is sufficient, but often the closer you are to the chip's maximum rate the less reliability you will get at distance.

Remember that keypresses consist of a few bytes followed by relatively long periods of silence (even with a fast typist) ... because of this you can use anything down to 300 bps provided that you buffer any new keypresses that may occur whilst transmitting. Sure, the buffer fills up faster than it empties, but it empties continuously and therefore easily catches up between keystrokes. So, if using a much slower transmit rate, be sure to code to safely deal with 'buffer full' conditions ... but expect them to occur very infrequently.

A good way to think of this is that if 5 bytes of data from a keypress takes less than a tenth of the duration between two very rapid keypresses from a typist, then even if retransmitting at half the rate we can still send 5 times as much data as we are receiving... Not only this, if we ignore the key-down/key-up sequences and send single ASCII (or scancode KEY without STATE information) we find that transmitter speed is even less important for real-time key transmission. Of course, devices offering hourly databursts are a completely different animal; there speed will depend on buffer size, the interval between bursts and what you consider an acceptable burst duration : )

M3Dz
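The buffering argument in the reply above (a burst of a few bytes per keypress, a serial link that drains one byte per byte-time, a queue that grows during rapid typing and catches up in the gaps, and a 'buffer full' case that must be handled) can be checked with numbers. The C below is an added example, not code from the post or the tutorial: a small event-driven model of that transmit queue that reports the deepest the queue got, how many bytes were lost to a full buffer, and when the last byte finished. The function names, the 10-bit byte on the wire (start + 8 data + stop) and the keystroke timings are assumptions of this example, not values from the tutorial.

```c
/* Added example (not from the original post): event-driven model of a
 * serial transmit queue fed by keystroke bursts.  Keystroke i arrives at
 * key_us[i]; each keystroke enqueues bytes_per_key bytes; the link sends
 * one byte every bits_per_byte/baud seconds.  Names and the 10-bit byte
 * used by simulate_typist() are assumptions of this example. */
#include <stddef.h>
#include <limits.h>

typedef struct {
    unsigned max_depth;        /* most bytes queued, including the one being clocked out */
    unsigned dropped;          /* bytes discarded because the buffer was full */
    unsigned sent;             /* bytes fully transmitted */
    unsigned long finish_us;   /* time the last byte finished, in microseconds */
} tx_stats;

tx_stats simulate_tx(const unsigned long *key_us, size_t nkeys,
                     unsigned bytes_per_key, unsigned capacity,
                     unsigned baud, unsigned bits_per_byte)
{
    tx_stats s = {0, 0, 0, 0};
    unsigned long byte_us = (unsigned long)bits_per_byte * 1000000UL / baud;
    unsigned depth = 0;           /* bytes not yet fully sent */
    int tx_busy = 0;
    unsigned long tx_done = 0;    /* when the byte in flight completes */
    size_t ki = 0;

    /* Invariant: whenever depth > 0 the transmitter is busy, so the loop
     * ends only when every keystroke is consumed and the queue is empty. */
    while (ki < nkeys || depth > 0) {
        unsigned long next_key = ki < nkeys ? key_us[ki] : ULONG_MAX;
        unsigned long next_tx  = tx_busy ? tx_done : ULONG_MAX;

        if (next_tx <= next_key) {            /* a byte finished clocking out */
            depth--;
            s.sent++;
            s.finish_us = next_tx;
            if (depth > 0)
                tx_done = next_tx + byte_us;  /* the link never idles while data waits */
            else
                tx_busy = 0;
        } else {                              /* a keystroke arrived */
            for (unsigned b = 0; b < bytes_per_key; b++) {
                if (depth < capacity)
                    depth++;
                else
                    s.dropped++;              /* the 'buffer full' case */
            }
            if (depth > s.max_depth)
                s.max_depth = depth;
            if (!tx_busy && depth > 0) {
                tx_busy = 1;
                tx_done = next_key + byte_us;
            }
            ki++;
        }
    }
    return s;
}

#define MAX_KEYS 256

/* Convenience wrapper: nkeys keystrokes evenly gap_us apart, 10 bits per
 * byte on the wire (assumed start + 8 data + stop). */
tx_stats simulate_typist(unsigned nkeys, unsigned long gap_us,
                         unsigned bytes_per_key, unsigned capacity, unsigned baud)
{
    unsigned long keys[MAX_KEYS];
    if (nkeys > MAX_KEYS)
        nkeys = MAX_KEYS;
    for (unsigned i = 0; i < nkeys; i++)
        keys[i] = (unsigned long)i * gap_us;
    return simulate_tx(keys, nkeys, bytes_per_key, capacity, baud, 10);
}
```

With six keystrokes 100 ms apart and five bytes per keystroke, a 1200 bps link empties the queue after about 42 ms, well inside the gap, so the queue never holds more than the five bytes of one keystroke. At 300 bps a five-byte burst takes about 167 ms, so the queue climbs by two bytes per keystroke and the last byte leaves roughly half a second after the typing stops; with a buffer of only eight bytes the same run drops seven bytes. That is exactly the trade-off the post describes: a slow link is fine as long as the buffer is sized for the longest burst and the code does something sensible when it fills.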
bigal2
Just Arrived
Joined: 21 May 2005
Posts: 0

Posted: Tue May 24, 2005 7:26 pm

Hi,
sorry to resurrect such an old thread but I am interested in building one of these things. I have the following transmitter / receiver module:

http://cgi.ebay.co.uk/ws/eBayISAPI.dll?ViewItem&item=7515473139

which should do the job I think, however my concerns are that I can't find a 16F87 PIC, plenty of 16F87x (x can be 1, 4, 7 etc) and I have 2 16F877 (40DIP) controllers I can use, but will it work? Also, does the 16F87 code work, has anyone tried it?

thanks
Alex.
M3DU54
Trusted SF Member
Joined: 11 May 2002
Posts: 1
Location: Las Palmas de Gran Canaria

Posted: Thu Sep 29, 2005 12:19 am

bigal2 wrote:
Hi,
sorry to resurrect such an old thread but I am interested in building one of these things. I have the following transmitter / receiver module:

http://cgi.ebay.co.uk/ws/eBayISAPI.dll?ViewItem&item=7515473139

which should do the job I think, however my concerns are that I can't find a 16F87 PIC, plenty of 16F87x (x can be 1, 4, 7 etc) and I have 2 16F877 (40DIP) controllers I can use, but will it work? Also, does the 16F87 code work, has anyone tried it?

thanks
Alex.

Sorry Alex, I haven't been around for an age :)

How did you get on? If you did hit any problems, get back to me. Also, if you like building things I have some FPGA based devices that you may find rather interesting.

You may find the code needs tweaking for the modules you have, if so let me know.

-Meds
phreakre
Just Arrived
Joined: 30 Sep 2005
Posts: 2
Location: The Death Star

Posted: Fri Sep 30, 2005 11:29 pm

M3D,

First of all, that is a great tutorial and kudos to you for putting it together in a readable, understandable format for a hardware novice [namely me].

I have a quick [I hope] question regarding hardware in the US. You mention the *418 or *433 parts based on being in the UK or the rest of Europe; do you have any advice for someone in the US?

[ first post, been reading a while but never had a reason to contribute ]
M3DU54
Trusted SF Member
Joined: 11 May 2002
Posts: 1
Location: Las Palmas de Gran Canaria

Posted: Sat Oct 01, 2005 9:19 pm

phreakre wrote:
First of all, that is a great tutorial and kudos to you for putting it together in a readable, understandable format for a hardware novice [namely me].

Thank you :)

phreakre wrote:
I have a quick question regarding hardware in the US. You mention the *418 or *433 parts based on being in the UK or the rest of Europe; do you have any advice for someone in the US?

There's no real difference between the two besides their frequency. The reason for different frequencies is entirely political. Most countries have allocated certain public frequencies that are 'licence free' for 'low power' operations ... It just happens that the UK chose a different range, that's all.

That said, I'm not entirely sure about the frequencies the FCC have set aside for this... If I had to guess I'd say the UK module is probably also FCC friendly - but you should check with the FCC (at least, if you are looking to resell).

However, it should be noted that there's nothing (besides other users of those frequencies) preventing you from using either frequency range - or even both if you want full duplex (bidirectional communication) going on. Simply don't submit the design for FCC approval. <Grin>

But there's no reason to stick with these two ranges... if you want a little privacy you can subtly detune most RF modules without great problems - often with a change of crystal or tweaking a preset on the board. Power can often be bumped past the FCC limits too using similar mods, or even just with the addition of a high-gain antenna. I guess what I'm saying is that in hacking, anything goes - so feel free to play.

In actual fact, you may find it an advantage to use European frequencies if it removes interference from other devices using this public area of the radio spectrum. You won't have any problems ordering ... suppliers don't care which device they ship you, and neither device is illegal to own 'out-of-area' ... If they point out your 'possible error' just say that you are modifying a design for the European market which you later hope to sell on eBay... that's sufficient.


As an example of modding, I have a friend who made a 100Mbps remotely programmable 10/100 ethernet bug that reported 'interesting' packets via WiFi and also allowed him to be a remote node on the network ... nothing new there, but he tweaked the WiFi module into a private frequency range where it wouldn't be easily stumbled upon and also boosted the power by cutting some tracks on the 'limiter' circuit. Essentially, he took licence-free public equipment and pushed it into an illegal band with illegal power. It's little mods like that which can make the difference between good covert equipment and great covert equipment - just be careful you're not stepping on someone's toes when you do it ... if a mod stamps on ambulances or a taxi service's private frequencies then you're headed for problems. Use of a scanner will tell you where your signal is and who your neighbours are. Of course, with powers this low it's going to inconvenience you more than the legitimate traffic - which probably won't even be affected.

But if you're after simplicity just phone the FCC, give them the power and frequency, and ask if either combination is acceptable for use in the US. Then use the approved module 'as is'. If not, ask an electronics supplier or nip down to WalMart and flip over a crap 99 cent radio keyboard and read the FCC approval sticker ... it should give the frequency, and that's a fair starting point when sourcing a similar module, as they always use public unlicensed frequencies.

M3Dz
phreakre
Just Arrived
Joined: 30 Sep 2005
Posts: 2
Location: The Death Star

Posted: Fri Oct 07, 2005 7:04 pm

Sorry for the long delay in replies; as you can probably tell from the frequency of my posts, I've been busy this week and haven't had much time for the internet, sadly.

First, thanks again for the lengthy reply to my earlier statements. I've been thinking about this project a lot the last few days and I was wondering if you thought a 2.4GHz [the WiFi b/g band in the US] application of this would be hard [especially with regard to interference] or defeat the purpose of the pieces you chose? Tagging along with my last question about 433 vs 418 MHz, I know that the 2.4GHz range is completely unregulated right now in the US [thus everything seems to operate there in the US] and I thought maybe all that traffic would mask the presence of a bug like this to a site survey.
0mega
Just Arrived
Joined: 15 May 2004
Posts: 1
Location: In Front of My Computer

Posted: Fri Oct 07, 2005 7:33 pm

Abso-freakin-lutely brilliant.

That's awesome, M3Dz!

Make a toast

Cheers,
0mega