summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authoradmin <admin@cccms.de>2009-11-02 01:10:40 +0000
committeradmin <admin@cccms.de>2020-05-23 13:38:36 +0000
commit2bc430c4280516cb02e6cab0e2b50bc7d08fdc76 (patch)
tree172b0009c22bf639726c9d8dc3221639e60e7b22
parent8d0eb5cd48042ba782938cf1c68a6864a9885881 (diff)
committing page revision 1
-rw-r--r--pages/hackabike.en.md338
1 files changed, 338 insertions, 0 deletions
diff --git a/pages/hackabike.en.md b/pages/hackabike.en.md
new file mode 100644
index 00000000..ab48554a
--- /dev/null
+++ b/pages/hackabike.en.md
@@ -0,0 +1,338 @@
1title: hackabike
2date: 2009-11-02 01:04:00
3updated: 2009-11-02 01:10:40
4author: admin
5tags:
6
7Ever needed to get somewhere quick but you had no car, too late for public
8transportation and a bicycle could solve your problem? In Berlin and other
9big cities in germany the german railway company 'Die Bahn' offers a solution
10with the "Call-A-Bike" service. Read about the backdoor we put into nearly every 10th bike,
11which gave us all the free rides we needed.
12
13<!-- TEASER_END -->
14
15**Short introduction to the CallABike system**The customer calls the
16CallABike control center and transmits the four digit bicycle number via
17touch-tone. Another four-digit number, the rental code that opens the
18bike, is then submitted by the control center. The customer gets a
19verification call after his initial transmission which he doesn't have
20to pick up. The last four digits of the calling number are the rental
21code again.\
22\
23From now on you have to pay six Eurocents per minute (customers with a
24discount card issued by the german train company Deutsche Bahn only pay
25four cents). The bike can be parked and locked while shopping or
26visiting a restaurant by selecting 'don't return bike yet' in the menu
27of the lock box at the bike's rear wheel and opened again with the
28issued rental code you received initially - this procedure can be
29repeated indefinitely. The bike meter keeps running of course.\
30\
31Returning the bike is easy as well: the customer simply has to lock the
32bike and select 'return bike' on the menu - the bike now gives you the
33return code, which you have to submit to the control center via phone,
34to prove that you really locked the bike. Additionally, you have to
35leave the address of the street corner where you parked the bike on the
36answering machine. This ends the period of rental.\
37\
38It's also possible to rent or return up to four bikes with one call at a
39time. If there is no bike near you, you can call the control center to
40ask for the next bike. A call center agent then consults the
41CallABike-database and submits the location of a nearby bike.\
42[Company Summary in english](http://www.callabike.de/i_english.html)\
43\
44"...There are of course other people, which have, for sportive reasons,
45tried to test the robustness of the hardware or the electronic principle
46of the built-in microchips and processors. They tried their luck with
47screwdrivers and usual ordinary allen-wrenches. they even tried to use a
48crowbar, a sledge hammer or a motor angle grinder. or totally smart:
49with a laptop and some decrypting-tools, as well as some trick questions
50to the maintainance staff. but without luck!". again reth is smiling,
51who once took the first trip on a green puky-bike and looks at himself
52no more as a postmodern urbanite than as bicycle freak. he smiles and
53says: "this technology makes us to the premier station-independant
54city-bike-sytem. the code is unbreakable and we are really proud
55of"...An excerpt from a DB technician interview in the Mobil Magazine
56which featured the CallABike.
57
58## Article:
59
60In November 2003 a bike reached us that hadn't been locked properly.
61This bike was subsequently objected to heavy testing. Most of us had
62suspected the existence of GPS or a similar tracking device in the lock
63box, but after opening it with a simple torx screwdriver, nothing like
64this could be seen. To power the electronics, three 1.5 V batteries are
65provided in another box on the other side of the rear wheel. Both boxes
66are connected through a clamp, containing a six-pole power cable and two
67coils. This detects if the lock was closed properly by the last customer
68using the bolt, or just a generic piece of metal.\
69\
70The box with the display contains the motor that opens the lock, two
71micro switches and a capacitive 5x2 touchpad. The main logic board is
72located directly under the display. It is secured through a metal plate
73which has openings only for the cables connecting it to the display. The
74electric motor with its eccentric shaft and the locking mechanism are
75thus protected from a brute force attack on the display.\
76\
77The whole board is dowsed in black silicone which had to be scraped off
78before we could continue exploring. Apart from the matchbox-sized logic
79board which incorporates an [Atmel
80AT90S8535](http://www.atmel.com/dyn/products/product_card.asp?family_id=607&family_name=AVR+8%2DBit+RISC+&part_id=2000)
81(8-bit RISC Processor, 4x8 IO-Pins, 8KB flash, 512 bytes EEPROM and 512
82bytes RAM), a few red, green and IR LEDs and an IR-receiver, the box
83also contains a few electrical components (motor, switches and a
84beeper). There is also a slope sensor, but it is never addressed in the
85code. With this simple setup, it became clear that the bike couldn't
86possibly contain a device to track or locate us. We made a few pictures
87of it all, but then the hardware went into a corner for about two months
88before we managed to boot the bike. It took us a while to notice that
89the system had to be initialized by an IR-signal after booting. This
90discovery was more or less coincidence.\
91\
92Our workplace was lighted by a normal lightbulb. We noticed that the
93device seemed to be beeping erratically when subjected to the light. As
94we discovered later, the IR part of the emitted light was sufficient to
95trigger the IR-receiver and finish the booting sequence. Receiving an
96IR-signal while booting is a part of the systems check that happens
97during every booting sequence of the electronics. In the process of
98professionalizing our research, the light bulb was replaced by an
99infrared photon light. The next steps of our analysis consisted in
100reverse engineering the Atmel chip to get an approximate wiring scheme
101(see picture). The data sheet for this Atmel chip was found on the
102Internet.\
103\
104It wasn't until January that one of us finally thought of a way to carry
105on with hacking the bike. We had noticed an unused six-pole plug that
106turned out to be the Atmel's ISP (In System Programming) connector. This
107connector was plugged into an Atmel-Developer-Board
108[STK500](http://www.atmel.com/dyn/products/tools_card.asp?tool_id=2735).
109For reading the data we used the free
110[UISP](http://savannah.nongnu.org/projects/uisp/) (a tool for AVR
111microcontrollers which can access many hardware in-system programmers).
112Since the 'Intellectual Property' lockbit of the Atmel was undefined, it
113was possible to read out the 8KB firmware of the flash.\
114\
115The next few weeks were filled with understanding and documenting the
116assembler code obtained from the bike. For this purpose we used AVR
117Studio and [IDA Pro](http://www.datarescue.com/idabase/). We recognized
118the initializing code because we knew the motor was turning twice during
119initialization. The scramble code (that calculates the rental and return
120codes) was also found pretty quickly, because it featured a lot of
121rotate and shift commands.\
122\
123Our discoveries were always checked for correctness on our prototype.
124The rental and return codes are generated by a scrambler, which is
125called upon by a 16 bit counter of the bike and a current-state-value.
126An even counter value generates the rental code, an odd value the return
127code. The scrambler uses the counter and the current-state-byte to
128calculate an offset on a 1024 bit array. This array is unique for every
129bike which can (possibly) be called an explicit identifier for any given
130CallABike. From this offset, 4x4 bit are used to represent the four
131digits of the rental and return codes respectively. The counter's 16 bit
132are used unwisely though, because the calculated codes repeat themselves
133after only 1024 iterations. This results in only 512 different rental
134codes per bike, because there are only 512 even offsets that can point
135to a key (1024 bit).\
136\
137Bikes that had been opened by us but couldn't be read out because of the
138lockbit being set were reset 511 times with the help of a script (the
139reset increases the counter by two). This restored the original
140condition and the bike was again 'in sync' with the control center.\
141\
142The character set of the display is proportional to its size. For this
143there is a table in which character length and position are saved in the
144flash memory. An 'i' and an 'l' use only one byte, whereas a 'w' uses up
145seven bytes. The big logos and the input matrix are available as 400
146byte bitmaps. The big black line in the CallABike logo symbolizes the
147field intensity of the coil in the lock. This we found out by code
148auditing.\
149\
150Our primary goal was to adapt the source code coming from our
151disassembler to the original binary, so that after assembling it with
152the tool [Avra](http://avra.sourceforge.net/) (Assembler for the Atmel
153AVR microcontrollers) we would get a binary exactly identical to the
154original.\
155\
156On the basis of this reference, we could finally begin to make changes
157and start to flash the bike with our own code. We couldn't find any
158vulnerabilities or backdoors which could be used to exploit the device
159without unscrewing it (every bike has its own key saved in the EEPROM),
160so we conceived the idea of programming our own backdoor into the code.
161Sounds easy, but wasn't really.\
162\
163First, we had to optimize the original code to create the space for the
164insertion of our backdoor code, since we also wanted to add our very own
165HackABike logo as 400 byte bitmap to the 8kb flash memory. The garbled
166code which can still be seen above our new logo is the backdoor code.
167This alone saved us about 150 bytes.\
168\
169We decided that it shouldn't be possible to 'steal' parked (locked but
170not returned) bikes from paying customers with the backdoor code. This
171required a few more lines of code. We also ascertained that with the
172backdoor code it's not possible to park a bike, because the user knowing
173the backdoor wouldn't pay anything and would therefore not be motivated
174to take care of the bike (for example not locking it properly), thus
175preventing paying customers to rent the bike. To differentiate a
176HackABike from its untreated fellow bikes even from afar, we taught it a
177different blinking sequence and removed a sticker on the lock box.\
178\
179During our further analysis of the code we discovered that a bike can
180transmit several status messages, depending on its technical condition,
181to the control center using its return code. It can inform about its
182dying batteries, for example, or about its motor not being in the
183correct position for the lock anymore. After the lock button being
184pushed seven times without the clamp being inserted beforehand, a valid
185return code is generated which nonetheless commits the information about
186an unsuccessful locking event to the control center.\
187\
188All in all there are 52 of those codes (a matrix of 4x13). The backdoor
189allows to open a modified bike with a certain rental code assigned by
190us. After locking and thus returning the bike, it is again rentable by
191paying customers. Even the rental code of the paying customer before
192shows up on the display. The control center won't notice the backdoor -
193apart from the fact that the bike surfaces at another part of the city
194than indicated in the database. After a paying customer has rented and
195returned the bike, the database entry for this bike is corrected again.\
196\
197To transform a CallABike into a HackABike, we had to unscrew six screws
198on the inside of the box containing the display and plug the STK500 into
199the ISP-connector of the logic board. After that we started a script to
200read out the flash and the EEPROM area. The EEPROM is then again flashed
201with a reset counter and the code including our backdoor. To ensure that
202nobody could discover our tampering by reading out the firmware again,
203we set the lockbit. It took a practised hacker about 12 minutes to turn
204two CallABikes into two HackABikes at the same time. We flashed nearly
20510% of the 1700 bikes which are distributed in the city of Berlin.\
206\
207UISP didn't support the setting of the lockbits correctly at first, so
208we had to put that in before we could continue. To do this, we sniffed
209the AVR Studio output with a serial sniffer, looked for the
210corresponding commands of the STK500 and put this into the UISP code.\
211\
212Finally, we have to admit that the technical design of the CallABike is
213very good. The only way to tamper with the bikes is probably the route
214we chose, namely to open and reflash the EEPROM. The only thing that was
215missed was to set the lockbits that prevent the firmware from being
216read. Our attack is probably worth the purchase price of a few dozen of
217these CallABikes, seeing the time and manpower that went into
218accomplishing it.
219
220 EEPROM Content:
221
222 0x0000 - 0x0001 unused
223 0x0002 lock_sensor_calibration
224 0x0003 - 0x0019 unused
225 0x001A - 0x001B 16bit counter (scrambler)
226 0x001C unused
227 0x001D - 0x001F CallABike Number
228 0x0020 - 0x009F 128 Byte Random (Key)
229 0x00A0 - 0x00A2 first three bytes of key again
230 0x00A3 - 0x00AF unused
231 0x00B0 - 0x01FF textmessages for display
232
233
234 bikecounter: 0x015E
235 EEPROM belongs to bike 3856
236
237 Counter 0x0162: 3042 9843 5360 <-- rentcode
238
239 -00- -01- -02- -03- -04- -05- -06- -07- -08- -09- -10- -11- -12- -13-
240 00: 8584 7572 6970 4597 9119 4285 2144 0277 3197 0072 5545 6487 6341 9664
241 01: 5244 2345 5463 6065 9493 2971 9352 5402 5519 4579 8355 9533 9245 4926
242 10: 6615 7508 8159 7355 8125 3632 2920 4348 0484 7784 0084 6154 8905 6742
243 11: 6234 7953 4741 7386 8181 2930 6280 8658 6805 5432 4092 7161 2070 8554
244
245 Counter 0x0164: 7240 7043 9766 <-- rentcode
246
247 -00- -01- -02- -03- -04- -05- -06- -07- -08- -09- -10- -11- -12- -13-
248 00: 1542 5463 4821 7206 8181 5293 5100 8370 7662 7831 6561 1071 9350 7554
249 01: 8480 7640 5094 4420 7470 5025 6472 0596 9260 5499 4274 0341 7092 7363
250 10: 6369 3545 6991 9042 0121 7702 7931 5600 6755 8264 9063 9596 6918 8761
251 11: 4254 0960 8294 7529 9793 4954 5455 9345 0183 3995 4992 5949 4392 9538
252
253 Here you see the open and close pins of the bike 3856 with
254 the counter at 0x0162
255 At first the Customer gets the open pin 3042. When the customer
256 closes the lock and everything is ok he gets the return code 8584.
257 When for example the battery (-01-) is exhausted he gets the return code
258 7572.
259
260
261 The following commands are possible via infrared:
262 0x5B read bikenumber
263 0xCE calibrate coil
264 0xC5 read RAM from 0x00AD
265
266 after transmit of the first 32 bytes of the key
267 0xCA enable watchdog (reboot)
268 0xC8 write and read the key of the EEPROM
269 0xCD write and read other parts of the EEPROM
270
271
272 //code to generate the open and close pin
273
274 unsigned char g_key[4];
275
276 void scrambler(uchar param, long counter)
277 {
278 long bitoffset;
279 uchar r21 = param, r28 = 1;
280 short r27_26 = counter, short r31_30;
281 r28 <<= r27_26 & 7;
282 r27_26 += r21;
283 r27_26 &= 0x3ff;
284 r31_30 = r27_26;
285 r27_26 <<= 5;
286 r27_26 -= r31_30;
287 r27_26 &= 0x3ff;
288 r27_26 += r28;
289 r27_26 &= 0x3ff;
290 bitoffset = r27_26 & 7;
291 r27_26 >>= 3;
292 r27_26 += 0x20;
293 r27_26 &= 0xff;
294 fillkey(r27_26,bitoffset);
295 }
296
297 void fillkey(long address, long bitoffset)
298 {
299 uchar r16;
300 long fullkey;
301 fullkey = eeprom[address++] << 16;
302 fullkey += eeprom[address++] << 8;
303 fullkey += eeprom[address++];
304 fullkey >>= bitoffset;
305 r16 = fullkey & 0xf;
306 if(r16 >= 10) r16 -= 10;
307 g_key[3] = r16;
308 r16 = (fullkey >> 4 ) & 0xf;
309 if(r16 >= 10) r16 -= 6;
310 g_key[2] = r16;
311 r16 = (fullkey >> 8 ) & 0xf;
312 if(r16 >= 10) r16 -= 10;
313 g_key[1] = r16;
314 r16 = (fullkey >> 12) & 0xf;
315 if(r16 >= 10) r16 -= 6;
316 g_key[0] = r16;
317 }
318
319 //the key from CallABike 2883
320 unsigned char eeprom[ ] =
321 {
322 0x5A,0xD5,0xAD,0x6B,0xFD,0xD7,0x34,0x78,
323 0xB3,0x03,0x22,0x13,0x61,0x23,0xAD,0xFE,
324 0x51,0x6E,0xAA,0xA2,0xD4,0xB7,0xBA,0xC0,
325 0x78,0x9A,0x84,0x55,0x2A,0xB9,0x6E,0xBC,
326 0x33,0x15,0x2C,0x97,0x33,0x98,0x4B,0x78,
327 0x43,0xE5,0x20,0xD5,0x1C,0x1C,0x75,0x12,
328 0x2A,0x91,0x17,0xFC,0x0C,0x61,0x31,0x31,
329 0x50,0x6D,0xFD,0x5C,0xC5,0x60,0x8D,0xE0,
330 0x0A,0xF2,0x85,0xF1,0x3B,0xA3,0xBD,0x74,
331 0xF3,0xD4,0x9E,0xBB,0x45,0x95,0x69,0x24,
332 0x79,0x36,0x9A,0xA6,0x66,0x96,0xFB,0xE8,
333 0x5D,0x38,0x34,0x28,0xC0,0x51,0x3B,0x18,
334 0x46,0xCA,0xD9,0xE3,0xD7,0xC8,0x86,0x01,
335 0x11,0x60,0xF2,0xF0,0xA4,0xA4,0xEF,0x16,
336 0x3E,0xBE,0xB9,0x1F,0xA8,0xF9,0x61,0x0B,
337 0xD6,0x7F,0x75,0xE7,0xF4,0x31,0x3F,0x6B
338 };