Netgear recently launched the WGR614L wireless router targeted specifically at open source firmware enthusiasts. It can use Tomato, DD-WRT, and soon OpenWRT. The core is a 240MHz MIPS processor with 16MB of flash and 4MB of RAM. You'll probably remember when Linksys decided to dump Linux from their iconic WRT54G line in favor of VxWorks; they released the similarly speced WRT54GL for enthusiasts. Netgear seems to be arriving pretty late in the game, but they've set up a community specifically for this router. Time will tell whether community support is enough to make this the router of choice for hackers. We wish someone would release an x86 based router in the same price range just to make porting stupidly simple.
You may have already heard that Chrysler is planning to provide in-car wireless internet access to its vehicles. If not, expect to hear more about it later this year when the requisite hardware becomes a sales-floor option, or next year when it becomes factory standard for some cars.
We can't say it's a bad idea, it's just not a new one. Plenty of commercial portable routers are available, but they still need a modem and data plan to provide internet access. For internet access and wireless routing, look to [Nate True]'s cellphone-router combo, which uses a spare Nokia cellphone and a highly modded Wi-Fi router running OpenWRT. [True] has made it easy by providing the instructions and necessary custom code, but it seems like a lot of effort for a relatively slow connection. We think the original Stompbox is still the most fun since it has the speed of commercial devices and an open x86 OS to modify.
We Make Money Not Art recently visited the LABoral Art and Industrial Creation Centre in Gijón, Spain. The installation that left the strongest impression on [Regine] was the WiFi sightseeing telescope built by Clara Boj and Diego Diaz. Spain is in a situation similar to the USA: A few years ago many municipal WiFi projects launched only to be squashed because of theoretical unfair competition with local utilities. Now commercial projects like WeFi, Whisher, and FON encourage people to "share" their WiFi. Observatorio (Observatory) is designed to provide insight into the current state of local WiFi. It uses a highly directional Yagi antenna to collect wireless access data from the local area. The antenna has a 30deg aperture which is matched to a camera with an identical field of view. The observer sees the camera's viewpoint with the WiFi data overlaid showing where accesspoints are and whether the AP is open. WMMNA also recommends you check out the WiFi Camera which photographs electromagnetic space.
While in Vancouver, Canada for CanSecWest we had a chance to catch up with [Marc]. He showed off a very simple Denial-of-Service attack that works for most commercial RFID reader systems. He worked out this physical DoS with [Adam Laurie], whose RFID work we featured last year.
Our friend [tnkgrl] has successfully added HSDPA to a Vulcan Flipstart. The Flipstart is a palmtop Windows machine with 1.1GHz Pentium M, 512MB RAM, 30GB hard drive, and an EVDO option. Before starting, you need to come up with a mini-PCI Express HSDPA card. Instead of trying for a random bare mini-PCIe card on eBay, she purchased an unlocked AT&T Sierra Wireless Aircard 875U USB dongle. Inside of the dongle is a battery, SIM slot, and a mini-PCI Express card. The Flipstart lid comes off with just a few screws and the card drops into place. Even though the antenna isn't tuned for all the possible bands you should still get good signal most of the time. The best part of this mod is that it doesn't require any obvious modification, so your warranty will be intact... as far as anyone can tell. Embedded below is the video of the easy swap. In the past, she added HSDPA to the OQO 02, which definitely takes a lot more work.
Not even a week ago we asked what we should do with our OLPC XO. InformIT's [Seth Fogie] has written a great two part article that covers turning it into a hacker toolkit. Part one is an overview of the OLPC, how to upgrade it, and do some usability tweaks. Part two covers installing Nessus, Metasploit, and doing some wireless sniffing. We'll be building our own little green monster based on this and let you know how it goes.
Tomorrow the High District Court of Munich will hear Skype argue against the validity of the GPL. Last June, the court issued an injunction against Skype for selling the SMC WSKP 100, a Linux-based WiFi VoIP phone. After the initial GPL violation, a flier with the URL for the source was added to the package. The GPL wasn't provided and the court found this insufficient for fulfilling the requirements of the GPL. Skype is appealing and claims that the GPL as a whole violates anti-trust regulation. The case against Skype was brought by OpenMoko's original system architect, Harald Welte, as part of his work for gpl-violations.org.
Adding PoE(Power over Ethernet) just wasn't good enough for [steve]. Not only does he have power running over his Cat-5, he shared the ground wire and used the remaining pair to add a serial console to his rooftop mounted wireless router. Nice.
This project got some blog love last year, but it slipped past my radar. [jhecker] built a parallel port interfaced device based on a Cypress 2.4ghz transceiver module. The module is pretty complete, so as long as you can wield a soldering iron, you can pull this one off. The module is pretty cheap, so it could be just the thing for building your own signal detector.
Another highlight for us at CCC was [Karsten Nohl] and [Henryk Plötz] presenting how they reversed Philips crypto-1 "classic" Mifare RFID chips which are used in car keys, among other things. They analyzed both the silicon and the actual handshaking over RF. Looking at the silicon they found about 10K gates. Analyzing with Matlab turned up 70 unique functions. Then they started looking "crypto-like" parts: long strings of flip-flops used for registers, XORs, things near the edge that were heavily interconnected. Only 10% of the gates ended up being crypto. They now know the crypto algorithm based on this analysis and will be releasing later in the year.
The random number generator ended up being only 16-bit. It generates this number based on how long since the card has been powered up. They controlled the reader (an OpenPCD) which lets them generate the same "random" seed number over and over again. This was actually happening on accident before they discovered the flaw.
One more broken security-through-obscurity system to add to the list. For more fun, watch the video of the presentation.
[Vivek Ramachandran]'s Cafe Latte attack was one of the last talks we caught at ToorCon. I've found quite a few articles about it, but none really get it right. It's fairly simple and deals with cracking WEP keys from unassociated laptops. First your WEP honeypot tells the client that it has successfully associated. The next thing the client does is broadcast a WEP encrypted ARP packet. By flipping the bits in the ARP packet you can replay the WEP packet and it will appear to the client to be coming from an IP MAC combo of another host on the network. All of the replies will have unique IVs and once you get ~60K you can crack it using PTW. The bit flipping is the same technique used in the fragmentation attack we covered earlier, but Cafe Latte requires generation of far fewer packets. You can read about the Cafe Latte attack on AirTight Networks.
Sure, we've seen Power over Ethernet before - I even whipped up a simple adapter for my modded wrt54gs. This is a nice clean setup, and it'll save you from yet another power brick. (I've got a power strip dedicated to the things in my tiny home data center.)
[superlopez] sent in this detailed article (mirrored here and here) which describes how to build a GPS and GLONASS (the Russian version of GPS) receiver. The resulting device is gigantic compared to one of those tiny bluetooth USB GPS units, but the ability to build one's own receiver is one of those post-apocalyptic skills I sure would like to have. The creator of the article [Matjaz Vidmar] aka [S53MV] also has pages on Packet-Radio (PKT) transceiver improvements (PKT gets my vote for the best post-apocalyptic technology, and the only believable technology featured in the Transformers movie), and a more sophisticated homemade frequency counter than the one featured earlier this summer.
In 2005 we featured a from-scratch GPS receiver as well, thought the project site seems to be down. If your GPS unit just needs a better antenna, check out [Will]'s how-to from last year.
Figuring out the JTAG pinout on a device turns out to be the most time consuming hardware portion of many hacks. [hunz] started a project called JTAG Finder to automatically detect the JTAG pinouts on arbitrary devices using an 8bit AVR ATmega16/32L microcontroller. Check out the slides (PDF) from the talk as they break down how one finds JTAG ports on an arbitrary device, with or without a pinout detection tool. [hunz] is looking for people to pick up the project where he left off.
Once you determine the correct pinout, you will need a JTAG cable: there are two main types, buffered and unbuffered, both of which I have soldered up and tested from these circuit diagrams (image of completed buffered cable here). The software most hardware people use today are the openwince JTAG Tools. To get the JTAG Tools to compile, grab the latest source directly from their CVS repository.
The last time we featured JTAG was with regards to Linksys devices, but the tools listed above can be applied to any device with JTAG.
