
Hacking with Hardware

BSides Lisbon · 2022 · 42:41 · 1.1K views · Published 2022-12
Category: Technical
Style: Talk
About this talk
Not another hardware hacking talk. This talk is about hacking with hardware. Creative hackers have built their own hardware throughout our (short) history. Today it is easier than ever to build your own custom-purpose hacking gadgets. We will talk about what was built and how you can make your own, by following step by step the motivation and creation of IO433, a custom piece of hardware for hacking devices that use some well-known RF bands. A full-fledged hacker loves to build stuff. Who doesn't dream of having their own 'Hollywood' style hacking gizmo, designed and built by themselves? In this talk, Pedro walks a bit down memory lane and talks about the very first pieces of hardware that were built out of the need to hack into something. Alan Turing's 'Bombe', blue boxes, Rubber Ducky, ChipSHOUTER and Flipper Zero are some of the examples. Then he shows how hackers with little electronics background can start their own projects, which resources they can use, and some tips & tricks, culminating in the analysis of the build process, from simple schematics to a fully working prototype. We live in exciting times, with hardware cheaper than ever, extensive part documentation and an online community for almost every part. It's the perfect time to start building our own hacking hardware.
Transcript [en]

I've collaborated with a bunch of different initiatives and institutions. My main line of work is not hardware, surprisingly; it's just my hobby. There are my contacts, feel free to reach out if you have any questions or you want to discuss some cool hardware (or not) projects. So what is this talk going to be about? Hacking with hardware. Hacking with hardware is not hardware hacking, so we are not going to hack into a GPS tracker, we're not going to break your Samsung trying to grab your Bitcoin wallet that you forgot the password to. Some of those promises, although not all, are starting to materialize in very cool gadgets that are used for hacking into

systems. So I want to share my experiences, my tips, my fails, especially some fails that, if you're starting out, are very painful and costly, so hopefully you will not repeat my mistakes. I want to try to encourage and bring more folks into the hardware makers' movement with a security mindset. We are more as each day passes, but there's some space, and I think one of the resistances that we had to hardware tinkering was what I call the analog multiverse. This is just something that I refer to because a bunch of us, probably most of us, have a strong software engineering background, right? So it's okay when it's binary, ones

and zeros, but it's not so okay when we start to talk about resistors, capacitors, soldering stuff, and there's this resistance, thinking this is too hard, and people give up before they start trying. So before I get into that I want to give a brief historical overview of hardware devices and their creators. I think they laid the ground for the current times of hacking; some of them are just curiosities and some of them maybe inspirational stories for you. So I want to start with this guy, Nevil Maskelyne. Maskelyne was a contemporary of Guglielmo Marconi, so this was around 1903. He was a British inventor, magician, and probably the first wireless

hacker, although he probably didn't think of himself like that at the time. So Marconi developed wireless telegraphy and he had a bunch of secure and private communication claims; they had a lot of patents. Maskelyne was not a fan of patents, he had maybe an activist mindset, he didn't like the things that Marconi was claiming he was able to do. In one of the demonstrations that Marconi did at the Royal Institution, he was demoing his new technology for secure and private radio communication. This was essentially: you cannot predict or know the frequency that the transmission was going on. So of course for us now this kind of security through obscurity does not work, and

it's obvious, but keep in mind these were the first days of radio, so most people didn't even understand how that worked, and in Marconi's head you could not figure out which frequency some communication was being transmitted on, so it was secure. Maskelyne did not agree. So what he did was: he learned when this demo was going to happen at the Royal Institution, and it was near the West End music hall, so he rented a house nearby. He had a lot of experience in radio; he had built radios and antennas, some of them 50 meters high, so he was not properly an amateur, although he was self-taught. So he rented this house and

when the demonstration was going on, what Maskelyne did was start to transmit Morse code of a very dirty poem. So people in the house started to listen; most of the audience understood Morse code, so they started to understand something was going on, it was a dirty poem. So he probably was the first wireless hacker in this sense. Moving forward, Marian Rejewski was a Polish mathematician and cryptologist that invented the bomba kryptologiczna. This was around 1932, when the Germans created Enigma. I'm pretty sure almost everyone knows what the Enigma machine did; it was kind of to encrypt communications, right? So Rejewski bought a commercial Enigma

machine, and he was very smart: using just the commercial version, he was able to reverse engineer the military version. The fun part was this: the Enigma machine works with a set of rotors that have to be pre-configured in a certain order using the letters from the alphabet. The commercial version was configured like the QWERTY keyboard (not exactly QWERTY, but like the QWERTY keyboard). Understanding this was fundamental to the crypto communications, and nobody knew how the military one was configured. The British were working on this, and he just decided to try every combination, and he started at

the alphabetic order, ABCD, and it worked the first time. The British didn't try this combination because they thought it was too obvious; they didn't even try to break the first Enigma machine like this. Then he produced kind of a Frankenstein of six Enigma machines and he was able to break codes in real time. Then the Germans found out, and it stopped working. Then came along Alan Turing, a man that did too much work for us to start talking about all the things that he did; we are probably here having this conversation because of him. He developed the Bombe, which was based on the bomba kryptologiczna, with

some help from Welchman, and they were able to decrypt communications in almost real time; for the time we can call it almost real time. It was practical to use and it was fundamental to winning World War II. Moving on: again, just hardware that was made with the specific purpose of hacking into stuff, in this case in the cryptology field. Now, the older guys here probably know who Joybubbles, or Joe Engressia, was. He was a famous character. He didn't really invent any hardware; I think he was born with the hardware built in. He was born blind, he was very interested in playing with telephones at the time, and he

discovered, by the age of seven, that he could whistle into the phone and control the telephony network. So he was actually able to dial just by whistling a perfect pitch. This was a precursor for a very prolific period for a specific set of hackers back in the day called phreakers, and hardware making was involved. I just want to quickly share a video with you of him.

can you hear humans by mechanical systems to trigger the switches

If you had perfect pitch like blind phone phreak Joe Engressia, you could whistle calls through the network. Let's see if I make it this time, now. Okay, it hit the phone. It's a little while... He even showed off his skills for the locals.

So yeah, the hardware was built in, but I like to talk about Joybubbles because he was at the origin of a very prolific hardware hacking and making period. In the 60s and 70s it was the golden age of phreaking; phreaking was essentially phone hacking, if you will. One guy, also very famous at the time, called John Draper or Captain Crunch, was kind of into it but not much. There was a group of also blind folks that were doing the same thing as Joe Engressia, but none of them had an electrical engineering background, and they talked to John Draper, who had an electrical engineering background, saying: look, we are whistling or

recording sounds and then playing them back to the network, and if we could just have some kind of device that we dial in and that produces the exact frequencies that we want, it would be much easier. So it was a period where boxes started to appear, like the blue box, the red box; there are a lot of boxes. Essentially each box had a function, how to hack into networks, like placing long distance phone calls that you wouldn't pay for. At the time phone calls were very expensive, not like today. So again, a lot of hardware that was made just for the purpose of hacking into systems. Now moving a bit forward: van

Eck. If you heard about TEMPEST, which is not exactly... it's a specification, but this guy was at the origin of that word, so to speak. He invented this device which essentially could point an antenna at a CRT screen and have the screen reproduced on its own screen, so he could see what was on the computer screen 100, 200, 300 meters away. It was deemed not possible, but he proved it was possible with very cheap and almost off-the-shelf components. Then if we move forward to 1998 we have Deep Crack, which was a piece of hardware specifically designed, also, to break cryptography. In this

case the purpose was to really demonstrate that DES was broken and should not be used. It was known by the cryptologist community for a long time, but this was the demonstration in practical use that it was not safe. Several things were happening in this period. The internet kind of was born, so the community started to gain strength and share knowledge on the internet. Vendors started to produce more accessible and cheaper devices; there were the PICs, the BASIC Stamps, the AVRs, they were very commonplace in building lots of hardware projects. And then came along websites like eBay and Alibaba that paved the road for very cheap components, so it was

getting more and more accessible to start to play around with hardware. At the same time the hackerspace movements were kind of growing up in a lot of different cities, and Arduino was created. Arduino was, if you look back, a very important tool because it kind of crystallized some of the stuff that the teachers wanted to teach, so it was a great platform to teach. Later Raspberry Pi did the same. Now we have ESPs and other chips, so you can connect everything to the internet nowadays, which is sometimes not a very good idea, but people keep doing it. And then there are a lot of online PCB maker services where you can actually

order your PCB; sometimes you can actually order for them to be assembled at a price that is not prohibitive. That's why I think today we live in privileged times for hardware. It's obvious: there's an abundance of online information, there's community, the hardware parts are cheap and you can just buy a starter kit of whatever piece of technology you are interested in, do it yourself and kind of learn how that works. And we saw, since 2019 till today, there are a lot of new devices here that did not exist in 2019. I think everybody knows those eyes and faces, the Pwnagotchi. Nobody talks about the Pwnagotchi anymore because we

have a new mascot, a new aquatic mammal that some people have already and some are still waiting for to arrive, the Flipper, which is a great tool. So this was kind of how we got to today as a community. For myself, it all started with that little guy over there, actually that one; I had a Spectrum when I was eight. I wrote my first program when I was 10 by reading the manuals. Then I got a PC rather late, I was 14 at the time already, and of course I got my first computer virus, and this was kind of what started it all. I had a friend of mine

that asked if, when two of these drives were near each other, the other one would become infected. Okay, I knew it was impossible, but I also could not explain to him why, how the virus propagates, how they work, and that question was in the back of my mind. I think the analogy that we chose for virus makes sense for us as a community, but for the people that have no information technology knowledge, for example, they think it works like a normal biological virus, right? So it's a valid question. So I bought an assembly book and I started to reverse engineer viruses until I understood how it worked,

and then I learned Pascal. Yes, I know Pascal; by 16 years old it was what I had. And then the internet came, and the internet changed everything: a lot of knowledge was accessible, you could start to source parts and learn new stuff. Actually, in the university I found this device, still in my house, it's completely full of rust, but that was my first decent hardware. It was a 266 256 with memory that stores an encryption key, and I wrote some programs so my computer would need this to unlock itself. Of course it had batteries inside and it was volatile memory, so when the batteries died I had to format

my computer. Still, I produced more gizmos, mainly to interface with pay phones and stuff like that, that I will not share with you in this talk. And then I built some other stuff. What I always try to do is, since I don't have an electrical engineering background, to avoid the analog multiverse: what I try to do is figure out modules, how they work, how they communicate with each other, and bring whatever I want to do as fast as I can to the digital world. Meaning, if I can, I will implement a filter using software instead of capacitors. I know it's not right to do, but since I'm

producing a prototype, I can do it, and if it works and if I want to make some product to commercialize, for example, then I will talk to an electrical engineer and they will help me figure out the perfect solution. But you don't need to worry about everything when you're just producing a prototype, just make it happen, especially if you just read the fine documentation. You'll find a lot of information about every chipset nowadays, and if you take your time to read it, you can interface almost everything just by yourself, if it's not very small to solder, but we'll get into that. So I'm going to share my hardware building approach. Your mileage may vary; it's

my approach, it's as valid as another, I guess; it works for me, and usually it has a bunch of phases. Of course there's a motivation when I start some project. I'm going to base the second part of the presentation on a device that I built called IO433; there was some motivation behind it, why I started to build the thing or thinking about building it. Then I try to properly define which features and how I want this project to look like, and you'll do a bit of research: which modules can you use to implement the functions that you are looking for, to make it work. Then you get

to the design part, where on your computer you actually design the PCB, then you source the parts, fabricate, test, and just loop it and try to figure out what went wrong, because things will go wrong, of course. So for this particular project my motivation was, as usual, necessity: I lost my garage door opener. Okay, so yeah, I think of myself as a hacker, so why would I buy a garage door opener, very expensive, like 40 euros, when I can spend a lot more money trying to build one myself? So yeah, I always had this urge to hack into this kind of devices, like door

openers, sensors and things that work on 433 MHz, so this was the perfect excuse. And then I thought, okay, if something cool comes out of this I can publish the code, share the code, the hardware, my results and stuff like that, but I was just trying to build a remote, okay? So this was not IO433 yet. Then I had some issues reverse engineering the remote: I had to understand how frequencies work and I had to sniff the transmissions, and I could have some tool that could make my job easier. Then I started to think about and learn that there are a lot of applications that usually use this particular frequency to communicate, like

anemometers, remote keys, thermometers, I don't know, wireless plugs, weather stations, whatever, and maybe if I had some kind of multi-tool for 433 that helped me, I could develop a remote faster. So the IO433 was born kind of at the same time I was trying to clone a remote. It was not a remote; it was something that I wished I had that would help me build the remote, so I built both at the same time, kind of. Essentially, when I got to the definition, I said okay, I want a sniffer that can store, replay, dump and monitor signals. It would be cool if it had some other features,

but this is where I want to start: it has to be able to replay and analyze signals, so that's the way I can build another garage door opener. So those were the first features that I wanted. When I started, I knew there were some projects that could do similar things; you could use software defined radio to analyze signals and replay them with your computer, for example, and there was a promise at the time (because this is not a new project) that, like I said, the aquatic mammal, the Flipper, was going to be born. I'm not sure if they started the Kickstarter campaign just a bit before or after I

started this project, but it would take a long time, so I just did it myself. In the research phase, as I was saying, I just broke down the project into functionalities and I searched for parts that could perform whatever I wanted to do. So I wanted to be able to sniff and to replay: is there some particular chipset that already does this, how can I interface with this chipset, and so forth, and is it easy or not for me to implement it myself, or should I use modules instead of trying to design the entire thing? And of course reading the documentation helped me. I also did a bit of research about how

signals work in the 433 MHz bands, like: are we talking about modulations like ASK, FSK? ASK is amplitude shift keying; it means that when there's a signal being transmitted it works a bit like Morse code, if you want, or imagine a light bulb going on and off: it's the transmission being transmitted and radio silence, and that's amplitude shift keying. Then there's frequency shift keying. So I had to kind of reverse my own remote and figure out which one I would be using. So the functionality is: read and write 433 MHz signals; I want it to be portable, ideally with a battery and a graphical user interface; I want to be able

to store signals and to connect to the PC and decode the signals in real time if I want, and not on the platform. You can see the upper side is the remotes; the remotes that I was able to clone were based on the FS1000A and other chipsets, but they were kind of not enough for what I wanted to do with the IO; they were enough to open my garage door but not to sniff all signals. On the bottom side you see the very first prototype, with the TI CC1101, which is the antenna one, and then the ESP32 with a small display.

So, research: now I knew what I wanted. Well, before building the actual device, when you're into this part you should select your electronic design automation software. This is essentially the software where you design the schematic, and usually the software itself is able to also produce the board and the copper traces and so forth. There are several available: there's Eagle, there's KiCad, there are commercial programs, there are free ones also. If you're starting now, you should try a very small project, like an LED blinking, and design it from zero to board, to having the actual board produced, and understand which one you want.

I don't have a favorite; I usually use Eagle because I started with Eagle. They are not very user friendly, I don't think they are; there is some stuff that takes a lot of work to learn how to do in one, and if there are changes in another piece of software, I don't want to lose a lot of time just learning a new EDA. So it would be wise to select one first. Like, Eagle has a free version, but there's also a paid version if you want to build bigger projects, and for me, I should probably have thought about this advice before choosing Eagle, but now it's late. So choose your parts wisely. Also, you

have to decide: are you going to make the PCB, are you going to order the PCB? Like, do you want to actually etch the PCB yourself, or are you ordering the PCB? Are you going to hand solder it, are you going to order the assembly and spend a bit more money? These are all decisions in the design process. Last year, at the last BSides, I presented a much more complicated project than this one; this is super simple if you want to start soldering stuff and in the end have a very cool device that can hack into garage doors and stuff like that. So it's essentially just a PCB board, so

it was designed in Eagle, and I didn't have to worry about package types or SMDs; I just had to worry about the design, which is essentially: keep it simple, and I did. It's a breakout board where you can buy two modules, you solder the two modules together, and it's done and it's working and you can do a lot of interesting stuff. But if you're doing more complicated stuff, then you have to worry about package types; you have to understand the difference between a DIP package type, for example, and QFN, and if you look at your badge in the back you can kind of see the spacing differences. If you want to hand solder

those components by yourself, some of them, in the design phase, if there's a chip available in different package types, for example, you should be wise and choose one that you can actually hand solder if you're going to do it yourself; otherwise you're in trouble, and there are a lot of them. Then you have to know about SMD sizes. If you're using SMD components like resistors and capacitors, you should look carefully before you order, because there are some sizes where the metric code and the imperial code are the same but the sizes really differ. Again, if you look at your badge: I once ordered a full reel of 0603 components that I

was going to hand solder, but instead of ordering imperial I ordered the metric one, and if you look at the size of the 0603 metric one, try to solder that by hand, good luck. So be careful when you're choosing components. Then, when you're designing, choose an EDA that has auto route; every EDA nowadays has auto route. Auto routing is just the translation of your schematic connections into the copper traces. If your project is small enough you can do it by hand and optimize it by hand, it's fun, but it doesn't have to grow a lot before it becomes impossible to actually route all the wires by hand. So yes,

in this case, in the middle it's the IO433; here on the right was the 2019 project, it was a bit harder to route by hand. It was called Uber heat and had a bunch of neat features that I talked about before. So in the end this was the PCB advice: double check before production. You can see here there's the version 0.1 and 0.2 because, again, I failed to listen to my own advice. I wanted to support more boards and quickly found out that I produced and ordered a bunch of PCBs that were not compatible with some of the more accessible chipsets that I was using,

so I had to do everything again and make another board that now has this on/off jumper switch. What that does is it actually supports, like the device here, different modules: you just select the solder jumper there, you can choose between two modules, some of them are easier to find than the others, to control the 433 MHz communication, and then you just burn a different firmware. So when you're sourcing the parts, choose your vendor for the PCB and components. Sometimes they sell just the PCB; sometimes, at the same vendor, you can order the PCB, the components and the assembly all in one.

There are some cool ones and very accessible nowadays. Usually the shipping speed versus money is important because most things come from China, and PCBs tend to be heavy; when you're just designing one it's not heavy, but for example the badges this year were 13 kilos of badges, so that costs a lot when you're shipping, right? Be careful when choosing components, and think about future availability of the parts, which was a problem for this, because for the IO433 the parts that you need are still available, but you see there's another version of the chips being produced, so it's harder and harder to find a specific version that supports

the same pinouts, for example. And in projects where it makes sense, get this PCB stencil. The stencil is that metallic sheet that's perforated with the right sizing for when you're hand soldering small components: essentially you put the PCB board below and you put the metallic sheet above and you spread solder, and then it becomes a lot easier if you're soldering very small parts. So you don't need high-tech or expensive gear, you just need to practice. Myself, I usually travel with one of those soldering irons that is gas powered, so you don't even need electricity, and just by unscrewing the tip it

becomes a hot air gun, so it's two in one. It's super cheap; you can order these starter kits just to try and practice drag soldering or hot air soldering. Other than that you need a multimeter; if you want to spend a bit more money you can order an oscilloscope like this one, which is also cheap, around 150 euros I think, and an infrared thermometer: if a lot of things start to produce smoke, don't touch it. A burnt chip can go up to 500 degrees, so your skin will just slide off when you touch something very hot. I know how that works, unfortunately. So yeah, then you come to the

testing phase. You just figure out if things start to go wrong and just loop, iterate the process: start by going to the schematics to see if there's a routing issue, if you chose the wrong combination or you connected the pinout somewhat wrong. If everything is okay, then go to the PCB to see if the copper traces were badly designed, and start to test each connection for connectivity. So there's a bunch of work involved in the testing phase if things don't work at first, and they won't, I'm sorry; it takes some time and practice for things to work. So this was kind of the

evolution of the IO. On the upper left you can see the remotes that were Arduino based, and then the evolution into something with an ESP that has a screen, so I can actually program a graphical user interface. On the upper right side it was this, it was very small, it was actually the remote for my door, and then the first prototypes, and then the prototypes that had like a 3D casing that you can download; it's all on GitHub. You can actually solder and use the case like this, put a small battery in, and you can go and hack garage doors, but please not mine. So this is the final,

the final revision. I already talked about some mistakes that I made with the PCB, the green one and the black one, so I have some here. Essentially what the IO433 prototype became is an open source ESP32 and CC1101 based sniffer; it has Bluetooth Low Energy and Wi-Fi capabilities. I'm not using them now in this firmware because I'm waiting for very smart people like yourselves to come join and help me with the firmware. You can order the parts online and just solder some wires, or you can actually order the PCB, or ask me for one PCB to solder yourself, I have some if you want, and then 3D print the

case, and it looks very professional like this. So yeah, feel free to join in. I will try and make a demo. I wanted to bring my garage door but it's too big to fit in my car, so I'll just demo it with a doorbell. I just connect this, so you can also hear it, hopefully, if Murphy allows. Okay, so what I'm going to do is I'm going to replay the signal and record it here. It's hard to see, I cannot show you, but trust me, I will now press this button. Now recording

and replaying. No, wait, I have time, we'll do it again. Replay. Awesome. Okay, well, I have a lucky charm here, so I'll try and copy it again. Okay, so watch it, and again.

So this is just a replay. No, no, you can stop; this is just someone using... I know, thank you. Okay, I could detect it here, like it said: Flipper Zero being used to screw up your presentation. So yeah, this does a lot more than just replaying. You can actually connect it with your serial port to your computer, analyze the signal in real time if you want to have some scripts running, or detect spoofed signals and things like that, or you can just use it to play around and also ruin other people's presentations. So essentially this is what I wanted to share with you guys. I think we live in a

fantastic time to tinker with hardware. Anyone can make it; you don't have to make very complicated projects nowadays, with the amount of different chipsets that we have available, to really produce useful devices and prototypes that you can use while hacking. I think we are getting our own promised Hollywood style gadgets, and there's so much more to be invented if you just have the courage to invest a bit more into hardware making and take that step. Please join in, I'm sure you can do it too. So thank you. Oh, this is also a hardware device.

So thank you very much, Pedro. Any questions? We still have quite some time.

Okay, there's one question here.

Hello Pedro, in terms of financials, what are we talking about for a prototype like that?

Yeah, so the components for building one prototype: the last time I saw, Chinese parts got a lot more expensive nowadays, probably the price grew by 100, I guess, but let's say the TTGO goes for maybe 20 dollars nowadays, and the CC1101 goes for maybe five, so 25, and then you buy a battery or use one from another device. All in all I'd guess you spend like 30 bucks building this. It was much cheaper at the time when it started.

If you want to order the PCB, then it's probably better if you join with some friends and place a bigger, bulkier order, but there are websites that support makers and you can actually order like just five and they ship it for two dollars, and if you just ask for five you can get very low prices.

Okay, thank you. Cheap fun. Questions? Three, two, one... yeah, there's one somewhere, yeah.

Hey Pedro, awesome presentation, thank you. Would it be possible to use something similar to a breadboard instead of just going out and printing the PCB?

Absolutely. The reason you want to print the PCB is that when you print the 3D case it just slides in; it's the only reason. In this project, which is a very simple project, you can actually solder the wires or just use a breadboard, and it's the same thing.

Okay, perfect, thank you.

Anyone else? Any more?

Another great presentation, thank you. What other devices do you know that talk in that megahertz, or hertz, that you already had fun with?

That I had fun with? Yeah, if you can tell us. Yes, well, there are, like, garage door openers, doorbells. There's also, in the agricultural sector, a bunch of devices that are based on 433 to monitor the growth of trees in particular. I know of a big olive tree plantation that uses this to monitor the growth and the watering, and of course it's completely insecure; you can ruin an entire crop just by watering or turning off the

water. And this device has a quite powerful antenna, so yes, it's a field that has not been very explored, because I think everyone assumes it's just broken. But yeah, thank you.

One on this side. Thank you Pedro, just one question about the IO433: do you have some roadmap or evolution, things that you wanted to do more that aren't currently being implemented, or something like that?

Yes, absolutely, my roadmap is coming to BSides to share this with you and hopefully thank the people who helped, join and develop from there. No, I don't have a particular roadmap for this; it was a hobby project, it can

grow or not if the community is interested. I'm not planning on commercializing it or whatever; the plans are available online. Like I said, I ordered a bunch of PCBs that I can give some of, and either things go from there or not. There are commercially available projects nowadays that do kind of the same thing; this is another one if you want to understand and play around and develop for your own personal growth, because there are some things that maybe you cannot do with other people's firmware that you can do with this. So yeah, thank you.

Anyone else? I guess that wraps it up. Thanks again, thank you for everything and your talk.
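The talk's description of ASK/OOK (a carrier switched on and off like a light bulb) and the sniff, store and replay workflow the IO433 demonstrates, as an added example that is not the IO433 firmware or any code from the talk: a host-side script, of the kind the speaker mentions running over the serial link, that decodes a captured on/off pulse train into bits and reports which transmitter codes repeat identically across button presses. A code that never changes is what a replay attack relies on, so this is the check a defender runs to tell a fixed-code device from a rolling-code one. The pulse-width encoding, timing constants and captured bursts are all constructed for the example.

```python
"""Decode OOK (amplitude shift keying) pulse trains and audit fixed codes.

Constructed encoding used throughout (not any real remote's protocol):
  bit 0     = short high pulse, long low pulse
  bit 1     = long high pulse,  short low pulse
  frame end = short high "sync" mark followed by a long low gap
Input is a list of (level, microseconds) pulses as a sniffer would log
them from the receiver's data pin.
"""
from collections import defaultdict

SHORT_US = 350                 # nominal short pulse (constructed value)
LONG_US = 3 * SHORT_US         # nominal long pulse
SYNC_US = 31 * SHORT_US        # low gap that separates frames
TOLERANCE = 0.35               # +/- 35% timing slack for cheap receivers


def encode(bits):
    """Build the OOK pulse train for a bit string (used to make test input)."""
    pulses = []
    for b in bits:
        if b == "0":
            pulses += [(1, SHORT_US), (0, LONG_US)]
        elif b == "1":
            pulses += [(1, LONG_US), (0, SHORT_US)]
        else:
            raise ValueError(f"not a bit: {b!r}")
    pulses += [(1, SHORT_US), (0, SYNC_US)]   # sync mark + frame gap
    return pulses


def _close(us, nominal):
    return abs(us - nominal) <= nominal * TOLERANCE


def split_frames(pulses):
    """Cut the pulse train at every sync gap (a long low period)."""
    frames, cur = [], []
    for level, us in pulses:
        if level == 0 and us >= SYNC_US * (1 - TOLERANCE):
            if cur:
                frames.append(cur)
            cur = []
        else:
            cur.append((level, us))
    if cur:
        frames.append(cur)
    return frames


def decode_frame(frame, nbits=24):
    """Return the bit string for one frame, or None if the timings are noise.

    Walks high/low pairs and rejects the whole frame when any pulse falls
    outside tolerance or the bit count is wrong: that is what a glitchy
    receiver or two overlapping transmissions look like on the wire.
    """
    bits = []
    for (lvl_h, hi), (lvl_l, lo) in zip(frame[0::2], frame[1::2]):
        if lvl_h != 1 or lvl_l != 0:
            return None
        if _close(hi, SHORT_US) and _close(lo, LONG_US):
            bits.append("0")
        elif _close(hi, LONG_US) and _close(lo, SHORT_US):
            bits.append("1")
        else:
            return None
    code = "".join(bits)
    return code if len(code) == nbits else None


def audit(captures, nbits=24):
    """captures: list of (t_ms, pulses) bursts, one per logged button press.

    Returns {code: number of distinct bursts it appeared in}. A code seen in
    more than one burst is a fixed code: the transmitter sends the same bits
    every press, which is exactly why record-and-replay works against it.
    """
    seen = defaultdict(set)
    for t_ms, pulses in captures:
        for frame in split_frames(pulses):
            code = decode_frame(frame, nbits)
            if code is not None:
                seen[code].add(t_ms)
    return {code: len(bursts) for code, bursts in seen.items()}


def replayable_codes(captures, nbits=24):
    """Codes that repeated across presses, i.e. fixed-code transmitters."""
    return sorted(c for c, n in audit(captures, nbits).items() if n > 1)


# Constructed captures: a fixed-code remote pressed twice (3 frames per
# press), a rolling-code device pressed twice (code changes), one noisy frame.
FIXED = "101100111000101001011100"
ROLLING = ["000111010110010011101001", "000111010110010011101010"]


def build_sample():
    noisy = encode("0" * 24)
    noisy[4] = (1, 5 * SHORT_US)      # glitch: a high pulse no symbol matches
    return [
        (0, encode(FIXED) * 3),
        (5000, encode(FIXED) * 3),
        (9000, encode(ROLLING[0]) * 2),
        (9500, encode(ROLLING[1]) * 2),
        (12000, noisy),
    ]


if __name__ == "__main__":
    for code, n in audit(build_sample()).items():
        flag = "  <- fixed code, replayable" if n > 1 else ""
        print(f"{code}  seen in {n} burst(s){flag}")
```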