Friday, August 13, 2010

Great ARM devkit from eBay

I recently bought this great kit:
http://cgi.ebay.com/STM32F103RBT6-development-board-2-8-TFT-module-/120602449193?pt=BI_Electrical_Equipment_Tools

 $40 for an ARM Cortex M3 microcontroller plus a color LCD touchscreen!

You don't need a programmer to start playing with it, as all STM32 chips come with a software bootloader, allowing for firmware uploading through UART.

Setting up a development environment is a bit complicated, but I've managed to get it working using the free Yagarto toolchain and a modified Makefile from this project.

Before I bought it, I found out on their site (http://www.powermcu.com/) that they are selling a new revision of the board (http://item.taobao.com/item.htm?id=5717559340) for almost the same price, so i asked them how much it would cost me, they said that it's gonna be $10 more.
I decided to buy the cheaper one on eBay and, to my surprise, they sent me the new one! :D

 So here is my awesome ARM devkit running a preprogrammed demo:

Thursday, August 12, 2010

"Wifon" - the Fonera powered handheld wifi pentesting device

Introduction
 "La Fonera" is one of the names for a certain WiFi access point produced by Accton.
It's popular because it's cheap, small and very hackable.

It's got a great Atheros chipset and is well suited for use with "pentesting" software such as aircrack-ng, mdk3 or Karma/Jasager , and there have been attempts at making it portable by adding battery power.

But I've never heard of anyone adding a physical user interface to make the Fonera a truly portable and autonomous device, and I decided to change that...

To get some help and motivation to finish it, I've registered it as a team project for school.

So with 5 people and 6 months of work we came up with this:














I did the hardware and uC firmware, while the rest of the team wrote software that ran on the AP.

The Hardware


- La Fonera WiFi AP running OpenWrt
- ATMEGA88 microcontroller
- 16x4 Character LCD (hd44780 compatible)
- 6 buttons
- power supply
- 2 Li-ion AA sized cells
- box of chocolates, lots of hot glue and tape :P

The total cost (not counting the Fonera) was about $20.

Power

The power supply had to be efficient and provide two voltages - 3.3V for the AP and 5V for the uC and LCD.
3.3V is provided by LM2576 - a switching regulator (for high efficiency), and 5V is provided by a cheap 7805 linear regulator, because the LCD and uC don't require much power.

As a result, the device accepts any voltage above 6V (tested up to 16V), and two 900mAh Li-ion cells allow for 90 minutes of operation.

Microcontroller

No Arduino here, because I'm a cheap anti-arduino bastard ;P
I chose the ATMEGA88 chip, because it's cheap and I'm familiar with it.

The buttons and LCD are directly connected to the uC, which communicates with the AP via UART at 9600 bps. There is a transistor between the TX pin of the uC and the AP to bring down 5V signals to 3.3V, a conversion is not needed for the other UART pin.

Grab the firmware source here: firmware.c


The communication protocol

The communication protocol between the uC and AP is very simple.
A button press sends a single ASCII symbol followed by a carriage return symbol, for example the UP button sends the letter 'w' (0x77) followed by CR (0x0D) .

The screen is updated by sending a 0x02 ASCII symbol followed by 64 bytes of data - the text to be displayed.
The screen is updated frequently enough that we are not using any error checking or correction.

Software on the Fonera

Most of the software was written in Ruby, because that was the only reasonable scripting language that fits on the flash memory of the Fonera, and to our surprise it wasn't very resource-intensive, even on such limited hardware.

My friend - Kacper, wrote the software to allow other applications to use the screen and buttons.
He also wrote a great menu system used by the rest of the team for their apps.

The interface software runs on the serial port instead of a regular terminal.
It poses as a regular terminal, but with a size of 16x4, so that any existing app can run in it, but you have to modify it to be able to read anything :P

Grab the code and more documentation of the interface here:
http://code.mwgamera.name/gitphp/index.php?p=wifon.git


The rest of the team - Adam, Marek and MichaƂ, adapted software to work nicely with the LCD and buttons.

In the end we got these things working:
- displaying networks found by airodump-ng
- deauthentication of a selected client
- connecting to an unsecured network and scanning i with nmap
- several attacks using mdk3
- displaying CPU and memory usage

Example code - script displaying airodump-ng scan results: WifiScan.rb

Conclusion
 



As with most school projects, some things were rushed to meet the deadline, but we're satisfied with the result.

All in all, it's not really a useful device, more of a proof of concept, but it was fun to build and it's working.

Also, we did it because we could, and that is all that matters!

I will post the full sources as soon as all the team members agree.

Yay, a blog!

I've decided it's time to share my awesome hacks with the world.
Hopefully somebody will find something interesting here.