-rw-r--r-- | pages/hackabike.en.md | 338 |
1 files changed, 338 insertions, 0 deletions
diff --git a/pages/hackabike.en.md b/pages/hackabike.en.md new file mode 100644 index 00000000..ab48554a --- /dev/null +++ b/pages/hackabike.en.md | |||
@@ -0,0 +1,338 @@ | |||
1 | title: hackabike | ||
2 | date: 2009-11-02 01:04:00 | ||
3 | updated: 2009-11-02 01:10:40 | ||
4 | author: admin | ||
5 | tags: | ||
6 | |||
7 | Ever needed to get somewhere quick but you had no car, too late for public | ||
8 | transportation and a bicycle could solve your problem? In Berlin and other | ||
9 | big cities in germany the german railway company 'Die Bahn' offers a solution | ||
10 | with the "Call-A-Bike" service. Read about the backdoor we put into nearly every 10th bike, | ||
11 | which gave us all the free rides we needed. | ||
12 | |||
13 | <!-- TEASER_END --> | ||
14 | |||
15 | **Short introduction to the CallABike system**The customer calls the | ||
16 | CallABike control center and transmits the four digit bicycle number via | ||
17 | touch-tone. Another four-digit number, the rental code that opens the | ||
18 | bike, is then submitted by the control center. The customer gets a | ||
19 | verification call after his initial transmission which he doesn't have | ||
20 | to pick up. The last four digits of the calling number are the rental | ||
21 | code again.\ | ||
22 | \ | ||
23 | From now on you have to pay six Eurocents per minute (customers with a | ||
24 | discount card issued by the german train company Deutsche Bahn only pay | ||
25 | four cents). The bike can be parked and locked while shopping or | ||
26 | visiting a restaurant by selecting 'don't return bike yet' in the menu | ||
27 | of the lock box at the bike's rear wheel and opened again with the | ||
28 | issued rental code you received initially - this procedure can be | ||
29 | repeated indefinitely. The bike meter keeps running of course.\ | ||
30 | \ | ||
31 | Returning the bike is easy as well: the customer simply has to lock the | ||
32 | bike and select 'return bike' on the menu - the bike now gives you the | ||
33 | return code, which you have to submit to the control center via phone, | ||
34 | to prove that you really locked the bike. Additionally, you have to | ||
35 | leave the address of the street corner where you parked the bike on the | ||
36 | answering machine. This ends the period of rental.\ | ||
37 | \ | ||
38 | It's also possible to rent or return up to four bikes with one call at a | ||
39 | time. If there is no bike near you, you can call the control center to | ||
40 | ask for the next bike. A call center agent then consults the | ||
41 | CallABike-database and submits the location of a nearby bike.\ | ||
42 | [Company Summary in english](http://www.callabike.de/i_english.html)\ | ||
43 | \ | ||
44 | "...There are of course other people, which have, for sportive reasons, | ||
45 | tried to test the robustness of the hardware or the electronic principle | ||
46 | of the built-in microchips and processors. They tried their luck with | ||
47 | screwdrivers and usual ordinary allen-wrenches. they even tried to use a | ||
48 | crowbar, a sledge hammer or a motor angle grinder. or totally smart: | ||
49 | with a laptop and some decrypting-tools, as well as some trick questions | ||
50 | to the maintainance staff. but without luck!". again reth is smiling, | ||
51 | who once took the first trip on a green puky-bike and looks at himself | ||
52 | no more as a postmodern urbanite than as bicycle freak. he smiles and | ||
53 | says: "this technology makes us to the premier station-independant | ||
54 | city-bike-sytem. the code is unbreakable and we are really proud | ||
55 | of"...An excerpt from a DB technician interview in the Mobil Magazine | ||
56 | which featured the CallABike. | ||
57 | |||
58 | ## Article: | ||
59 | |||
60 | In November 2003 a bike reached us that hadn't been locked properly. | ||
61 | This bike was subsequently objected to heavy testing. Most of us had | ||
62 | suspected the existence of GPS or a similar tracking device in the lock | ||
63 | box, but after opening it with a simple torx screwdriver, nothing like | ||
64 | this could be seen. To power the electronics, three 1.5 V batteries are | ||
65 | provided in another box on the other side of the rear wheel. Both boxes | ||
66 | are connected through a clamp, containing a six-pole power cable and two | ||
67 | coils. This detects if the lock was closed properly by the last customer | ||
68 | using the bolt, or just a generic piece of metal.\ | ||
69 | \ | ||
70 | The box with the display contains the motor that opens the lock, two | ||
71 | micro switches and a capacitive 5x2 touchpad. The main logic board is | ||
72 | located directly under the display. It is secured through a metal plate | ||
73 | which has openings only for the cables connecting it to the display. The | ||
74 | electric motor with its eccentric shaft and the locking mechanism are | ||
75 | thus protected from a brute force attack on the display.\ | ||
76 | \ | ||
77 | The whole board is dowsed in black silicone which had to be scraped off | ||
78 | before we could continue exploring. Apart from the matchbox-sized logic | ||
79 | board which incorporates an [Atmel | ||
80 | AT90S8535](http://www.atmel.com/dyn/products/product_card.asp?family_id=607&family_name=AVR+8%2DBit+RISC+&part_id=2000) | ||
81 | (8-bit RISC Processor, 4x8 IO-Pins, 8KB flash, 512 bytes EEPROM and 512 | ||
82 | bytes RAM), a few red, green and IR LEDs and an IR-receiver, the box | ||
83 | also contains a few electrical components (motor, switches and a | ||
84 | beeper). There is also a slope sensor, but it is never addressed in the | ||
85 | code. With this simple setup, it became clear that the bike couldn't | ||
86 | possibly contain a device to track or locate us. We made a few pictures | ||
87 | of it all, but then the hardware went into a corner for about two months | ||
88 | before we managed to boot the bike. It took us a while to notice that | ||
89 | the system had to be initialized by an IR-signal after booting. This | ||
90 | discovery was more or less coincidence.\ | ||
91 | \ | ||
92 | Our workplace was lighted by a normal lightbulb. We noticed that the | ||
93 | device seemed to be beeping erratically when subjected to the light. As | ||
94 | we discovered later, the IR part of the emitted light was sufficient to | ||
95 | trigger the IR-receiver and finish the booting sequence. Receiving an | ||
96 | IR-signal while booting is a part of the systems check that happens | ||
97 | during every booting sequence of the electronics. In the process of | ||
98 | professionalizing our research, the light bulb was replaced by an | ||
99 | infrared photon light. The next steps of our analysis consisted in | ||
100 | reverse engineering the Atmel chip to get an approximate wiring scheme | ||
101 | (see picture). The data sheet for this Atmel chip was found on the | ||
102 | Internet.\ | ||
103 | \ | ||
104 | It wasn't until January that one of us finally thought of a way to carry | ||
105 | on with hacking the bike. We had noticed an unused six-pole plug that | ||
106 | turned out to be the Atmel's ISP (In System Programming) connector. This | ||
107 | connector was plugged into an Atmel-Developer-Board | ||
108 | [STK500](http://www.atmel.com/dyn/products/tools_card.asp?tool_id=2735). | ||
109 | For reading the data we used the free | ||
110 | [UISP](http://savannah.nongnu.org/projects/uisp/) (a tool for AVR | ||
111 | microcontrollers which can access many hardware in-system programmers). | ||
112 | Since the 'Intellectual Property' lockbit of the Atmel was undefined, it | ||
113 | was possible to read out the 8KB firmware of the flash.\ | ||
114 | \ | ||
115 | The next few weeks were filled with understanding and documenting the | ||
116 | assembler code obtained from the bike. For this purpose we used AVR | ||
117 | Studio and [IDA Pro](http://www.datarescue.com/idabase/). We recognized | ||
118 | the initializing code because we knew the motor was turning twice during | ||
119 | initialization. The scramble code (that calculates the rental and return | ||
120 | codes) was also found pretty quickly, because it featured a lot of | ||
121 | rotate and shift commands.\ | ||
122 | \ | ||
123 | Our discoveries were always checked for correctness on our prototype. | ||
124 | The rental and return codes are generated by a scrambler, which is | ||
125 | called upon by a 16 bit counter of the bike and a current-state-value. | ||
126 | An even counter value generates the rental code, an odd value the return | ||
127 | code. The scrambler uses the counter and the current-state-byte to | ||
128 | calculate an offset on a 1024 bit array. This array is unique for every | ||
129 | bike which can (possibly) be called an explicit identifier for any given | ||
130 | CallABike. From this offset, 4x4 bit are used to represent the four | ||
131 | digits of the rental and return codes respectively. The counter's 16 bit | ||
132 | are used unwisely though, because the calculated codes repeat themselves | ||
133 | after only 1024 iterations. This results in only 512 different rental | ||
134 | codes per bike, because there are only 512 even offsets that can point | ||
135 | to a key (1024 bit).\ | ||
136 | \ | ||
137 | Bikes that had been opened by us but couldn't be read out because of the | ||
138 | lockbit being set were reset 511 times with the help of a script (the | ||
139 | reset increases the counter by two). This restored the original | ||
140 | condition and the bike was again 'in sync' with the control center.\ | ||
141 | \ | ||
142 | The character set of the display is proportional to its size. For this | ||
143 | there is a table in which character length and position are saved in the | ||
144 | flash memory. An 'i' and an 'l' use only one byte, whereas a 'w' uses up | ||
145 | seven bytes. The big logos and the input matrix are available as 400 | ||
146 | byte bitmaps. The big black line in the CallABike logo symbolizes the | ||
147 | field intensity of the coil in the lock. This we found out by code | ||
148 | auditing.\ | ||
149 | \ | ||
150 | Our primary goal was to adapt the source code coming from our | ||
151 | disassembler to the original binary, so that after assembling it with | ||
152 | the tool [Avra](http://avra.sourceforge.net/) (Assembler for the Atmel | ||
153 | AVR microcontrollers) we would get a binary exactly identical to the | ||
154 | original.\ | ||
155 | \ | ||
156 | On the basis of this reference, we could finally begin to make changes | ||
157 | and start to flash the bike with our own code. We couldn't find any | ||
158 | vulnerabilities or backdoors which could be used to exploit the device | ||
159 | without unscrewing it (every bike has its own key saved in the EEPROM), | ||
160 | so we conceived the idea of programming our own backdoor into the code. | ||
161 | Sounds easy, but wasn't really.\ | ||
162 | \ | ||
163 | First, we had to optimize the original code to create the space for the | ||
164 | insertion of our backdoor code, since we also wanted to add our very own | ||
165 | HackABike logo as 400 byte bitmap to the 8kb flash memory. The garbled | ||
166 | code which can still be seen above our new logo is the backdoor code. | ||
167 | This alone saved us about 150 bytes.\ | ||
168 | \ | ||
169 | We decided that it shouldn't be possible to 'steal' parked (locked but | ||
170 | not returned) bikes from paying customers with the backdoor code. This | ||
171 | required a few more lines of code. We also ascertained that with the | ||
172 | backdoor code it's not possible to park a bike, because the user knowing | ||
173 | the backdoor wouldn't pay anything and would therefore not be motivated | ||
174 | to take care of the bike (for example not locking it properly), thus | ||
175 | preventing paying customers to rent the bike. To differentiate a | ||
176 | HackABike from its untreated fellow bikes even from afar, we taught it a | ||
177 | different blinking sequence and removed a sticker on the lock box.\ | ||
178 | \ | ||
179 | During our further analysis of the code we discovered that a bike can | ||
180 | transmit several status messages, depending on its technical condition, | ||
181 | to the control center using its return code. It can inform about its | ||
182 | dying batteries, for example, or about its motor not being in the | ||
183 | correct position for the lock anymore. After the lock button being | ||
184 | pushed seven times without the clamp being inserted beforehand, a valid | ||
185 | return code is generated which nonetheless commits the information about | ||
186 | an unsuccessful locking event to the control center.\ | ||
187 | \ | ||
188 | All in all there are 52 of those codes (a matrix of 4x13). The backdoor | ||
189 | allows to open a modified bike with a certain rental code assigned by | ||
190 | us. After locking and thus returning the bike, it is again rentable by | ||
191 | paying customers. Even the rental code of the paying customer before | ||
192 | shows up on the display. The control center won't notice the backdoor - | ||
193 | apart from the fact that the bike surfaces at another part of the city | ||
194 | than indicated in the database. After a paying customer has rented and | ||
195 | returned the bike, the database entry for this bike is corrected again.\ | ||
196 | \ | ||
197 | To transform a CallABike into a HackABike, we had to unscrew six screws | ||
198 | on the inside of the box containing the display and plug the STK500 into | ||
199 | the ISP-connector of the logic board. After that we started a script to | ||
200 | read out the flash and the EEPROM area. The EEPROM is then again flashed | ||
201 | with a reset counter and the code including our backdoor. To ensure that | ||
202 | nobody could discover our tampering by reading out the firmware again, | ||
203 | we set the lockbit. It took a practised hacker about 12 minutes to turn | ||
204 | two CallABikes into two HackABikes at the same time. We flashed nearly | ||
205 | 10% of the 1700 bikes which are distributed in the city of Berlin.\ | ||
206 | \ | ||
207 | UISP didn't support the setting of the lockbits correctly at first, so | ||
208 | we had to put that in before we could continue. To do this, we sniffed | ||
209 | the AVR Studio output with a serial sniffer, looked for the | ||
210 | corresponding commands of the STK500 and put this into the UISP code.\ | ||
211 | \ | ||
212 | Finally, we have to admit that the technical design of the CallABike is | ||
213 | very good. The only way to tamper with the bikes is probably the route | ||
214 | we chose, namely to open and reflash the EEPROM. The only thing that was | ||
215 | missed was to set the lockbits that prevent the firmware from being | ||
216 | read. Our attack is probably worth the purchase price of a few dozen of | ||
217 | these CallABikes, seeing the time and manpower that went into | ||
218 | accomplishing it. | ||
219 | |||
220 | EEPROM Content: | ||
221 | |||
222 | 0x0000 - 0x0001 unused | ||
223 | 0x0002 lock_sensor_calibration | ||
224 | 0x0003 - 0x0019 unused | ||
225 | 0x001A - 0x001B 16bit counter (scrambler) | ||
226 | 0x001C unused | ||
227 | 0x001D - 0x001F CallABike Number | ||
228 | 0x0020 - 0x009F 128 Byte Random (Key) | ||
229 | 0x00A0 - 0x00A2 first three bytes of key again | ||
230 | 0x00A3 - 0x00AF unused | ||
231 | 0x00B0 - 0x01FF textmessages for display | ||
232 | |||
233 | |||
234 | bikecounter: 0x015E | ||
235 | EEPROM belongs to bike 3856 | ||
236 | |||
237 | Counter 0x0162: 3042 9843 5360 <-- rentcode | ||
238 | |||
239 | -00- -01- -02- -03- -04- -05- -06- -07- -08- -09- -10- -11- -12- -13- | ||
240 | 00: 8584 7572 6970 4597 9119 4285 2144 0277 3197 0072 5545 6487 6341 9664 | ||
241 | 01: 5244 2345 5463 6065 9493 2971 9352 5402 5519 4579 8355 9533 9245 4926 | ||
242 | 10: 6615 7508 8159 7355 8125 3632 2920 4348 0484 7784 0084 6154 8905 6742 | ||
243 | 11: 6234 7953 4741 7386 8181 2930 6280 8658 6805 5432 4092 7161 2070 8554 | ||
244 | |||
245 | Counter 0x0164: 7240 7043 9766 <-- rentcode | ||
246 | |||
247 | -00- -01- -02- -03- -04- -05- -06- -07- -08- -09- -10- -11- -12- -13- | ||
248 | 00: 1542 5463 4821 7206 8181 5293 5100 8370 7662 7831 6561 1071 9350 7554 | ||
249 | 01: 8480 7640 5094 4420 7470 5025 6472 0596 9260 5499 4274 0341 7092 7363 | ||
250 | 10: 6369 3545 6991 9042 0121 7702 7931 5600 6755 8264 9063 9596 6918 8761 | ||
251 | 11: 4254 0960 8294 7529 9793 4954 5455 9345 0183 3995 4992 5949 4392 9538 | ||
252 | |||
253 | Here you see the open and close pins of the bike 3856 with | ||
254 | the counter at 0x0162 | ||
255 | At first the Customer gets the open pin 3042. When the customer | ||
256 | closes the lock and everything is ok he gets the return code 8584. | ||
257 | When for example the battery (-01-) is exhausted he gets the return code | ||
258 | 7572. | ||
259 | |||
260 | |||
261 | The following commands are possible via infrared: | ||
262 | 0x5B read bikenumber | ||
263 | 0xCE calibrate coil | ||
264 | 0xC5 read RAM from 0x00AD | ||
265 | |||
266 | after transmit of the first 32 bytes of the key | ||
267 | 0xCA enable watchdog (reboot) | ||
268 | 0xC8 write and read the key of the EEPROM | ||
269 | 0xCD write and read other parts of the EEPROM | ||
270 | |||
271 | |||
272 | //code to generate the open and close pin | ||
273 | |||
274 | unsigned char g_key[4]; | ||
275 | |||
276 | void scrambler(uchar param, long counter) | ||
277 | { | ||
278 | long bitoffset; | ||
279 | uchar r21 = param, r28 = 1; | ||
280 | short r27_26 = counter, short r31_30; | ||
281 | r28 <<= r27_26 & 7; | ||
282 | r27_26 += r21; | ||
283 | r27_26 &= 0x3ff; | ||
284 | r31_30 = r27_26; | ||
285 | r27_26 <<= 5; | ||
286 | r27_26 -= r31_30; | ||
287 | r27_26 &= 0x3ff; | ||
288 | r27_26 += r28; | ||
289 | r27_26 &= 0x3ff; | ||
290 | bitoffset = r27_26 & 7; | ||
291 | r27_26 >>= 3; | ||
292 | r27_26 += 0x20; | ||
293 | r27_26 &= 0xff; | ||
294 | fillkey(r27_26,bitoffset); | ||
295 | } | ||
296 | |||
297 | void fillkey(long address, long bitoffset) | ||
298 | { | ||
299 | uchar r16; | ||
300 | long fullkey; | ||
301 | fullkey = eeprom[address++] << 16; | ||
302 | fullkey += eeprom[address++] << 8; | ||
303 | fullkey += eeprom[address++]; | ||
304 | fullkey >>= bitoffset; | ||
305 | r16 = fullkey & 0xf; | ||
306 | if(r16 >= 10) r16 -= 10; | ||
307 | g_key[3] = r16; | ||
308 | r16 = (fullkey >> 4 ) & 0xf; | ||
309 | if(r16 >= 10) r16 -= 6; | ||
310 | g_key[2] = r16; | ||
311 | r16 = (fullkey >> 8 ) & 0xf; | ||
312 | if(r16 >= 10) r16 -= 10; | ||
313 | g_key[1] = r16; | ||
314 | r16 = (fullkey >> 12) & 0xf; | ||
315 | if(r16 >= 10) r16 -= 6; | ||
316 | g_key[0] = r16; | ||
317 | } | ||
318 | |||
319 | //the key from CallABike 2883 | ||
320 | unsigned char eeprom[ ] = | ||
321 | { | ||
322 | 0x5A,0xD5,0xAD,0x6B,0xFD,0xD7,0x34,0x78, | ||
323 | 0xB3,0x03,0x22,0x13,0x61,0x23,0xAD,0xFE, | ||
324 | 0x51,0x6E,0xAA,0xA2,0xD4,0xB7,0xBA,0xC0, | ||
325 | 0x78,0x9A,0x84,0x55,0x2A,0xB9,0x6E,0xBC, | ||
326 | 0x33,0x15,0x2C,0x97,0x33,0x98,0x4B,0x78, | ||
327 | 0x43,0xE5,0x20,0xD5,0x1C,0x1C,0x75,0x12, | ||
328 | 0x2A,0x91,0x17,0xFC,0x0C,0x61,0x31,0x31, | ||
329 | 0x50,0x6D,0xFD,0x5C,0xC5,0x60,0x8D,0xE0, | ||
330 | 0x0A,0xF2,0x85,0xF1,0x3B,0xA3,0xBD,0x74, | ||
331 | 0xF3,0xD4,0x9E,0xBB,0x45,0x95,0x69,0x24, | ||
332 | 0x79,0x36,0x9A,0xA6,0x66,0x96,0xFB,0xE8, | ||
333 | 0x5D,0x38,0x34,0x28,0xC0,0x51,0x3B,0x18, | ||
334 | 0x46,0xCA,0xD9,0xE3,0xD7,0xC8,0x86,0x01, | ||
335 | 0x11,0x60,0xF2,0xF0,0xA4,0xA4,0xEF,0x16, | ||
336 | 0x3E,0xBE,0xB9,0x1F,0xA8,0xF9,0x61,0x0B, | ||
337 | 0xD6,0x7F,0x75,0xE7,0xF4,0x31,0x3F,0x6B | ||
338 | }; | ||
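Review bot: the C snippet under `//code to generate the open and close pin` neither compiles nor matches the data shipped beside it. `short r27_26 = counter, short r31_30;` repeats the type inside one declarator list (drop the second `short`), `uchar` is never typedef'd, and `fillkey` and `eeprom` are both used before they are declared. More importantly, `r27_26 += 0x20;` turns the 0..127 index left after `&= 0x3ff` and `>>= 3` into an address in the full 512-byte EEPROM (the map above places the 128-byte key at 0x0020-0x009F), but the `eeprom[]` array given is only the 128 key bytes, so every lookup is shifted by 32 and the upper half reads past the end of the array; `fillkey` also reads three consecutive bytes, which is exactly why the map keeps "first three bytes of key again" at 0x00A0-0x00A2. Either drop the `+= 0x20` and read the three bytes as `eeprom[(address + i) & 0x7f]`, or paste the full 0x0000-0x00A2 region so the offsets line up. The comment `//the key from CallABike 2883` also clashes with `EEPROM belongs to bike 3856` and the worked code tables (rent code 3042 at counter 0x0162), which a reader cannot reproduce from this key; either ship bike 3856's key or state that the tables come from a different bike. Minor: `**Short introduction to the CallABike system**The customer calls` is missing a break after the bold lead, `tags:` in the front matter is left empty, and the body has a few spelling slips (`objected to heavy testing` for subjected, `maintainance`, `independant`, `sytem`, lower-case `germany`).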