Great Scott Gadgets

open source tools for innovative people


Talking about GreatFET with Limor "Ladyada" Fried at Adafruit, 2019

In this interview, Michael Ossmann visits Adafruit in New York and chats with Limor “Ladyada” Fried about GreatFET and HackRF. The two talk about what GreatFET neighbours are, how to design GreatFET neighbours, and Mike demonstrates how to use a wiggler to separate neighbours from a GreatFET. This is followed up with a short discussion on HackRF and Portapack and how they work together.


Free Stuff, October 2020–December 2020

October 2020

Kyle Kaminky from Arvada, Colorado emailed us in October to ask for a HackRF One. He’s an EE with a young family who told us, “After becoming familiar with my HackRF One and GNU Radio, I hope to use it to begin making tutorials on wireless communications and other RF topics. I picture a series of follow-on classes to Michael Ossmann’s DSP course. I would also enjoy getting enough experience and expertise to be able to write my own GNU Radio blocks and post them online for others to use to aid in their SDR projects. Ultimately I want to get others excited and informed about SDRs and the awesome things they can do.” He also told us to hold him accountable, so let’s have an update, Kyle.

November 2020

For November, we sent a handful of Throwing Star LAN Tap Kits to Bobby Dominguez in New Mexico because he wants to learn about networking and soldering.

December 2020

James is a teenager in Australia who is really interested in experimenting with RF and hacking embedded devices, so we sent him a YARD Stick One.


Free Stuff, July 2020–September 2020

July 2020

Anna from South Carolina had a lame quarantined birthday in July, so we sent her a present: a GreatFET One. She recently started taking cybersecurity classes and wants to learn about hardware hacking.

August 2020

Ed from the Suffolk County (NY) Radio Club wrote to us in August to ask for free stuff for learning activities with their new members, mainly scouts and their parents. We sent a bunch of Throwing Star LAN Tap Kits, and hopefully they’ll be able to get together to use them soon.

September 2020

Axell Macclawd is a security researcher in Brazil. He requested a HackRF One for his project developing open source equipment and techniques to fight cargo theft and protect drivers, a large problem in Brazil. Drivers are held hostage and sometimes killed by thieves who use jammers to thwart the transportation companies’ GPS and GSM trackers. Axell’s goal is to prevent more loss of life.


Free Stuff, April 2020–June 2020

April 2020

Dave Ferguson of the Woodinville (WA) Emergency Communications Team asked us for a HackRF One in April. This volunteer ARES group is turning a donated fire department aid truck into a mobile communications center that will service local public events (runs, bike rides, etc.) as well as provide essential communications via ham radio during emergencies. Their new HackRF One will allow them to watch communications across the entire spectrum and to potentially automate their systems.

May 2020

We sent a couple of YARD Stick Ones to the MCH2021 Badge Team. We can’t say any more than that, other than they are planning to make something really cool. And we sure are looking forward to 2021 and in-person hacker camps!

June 2020

Tim Fogle had some Good Ideas in June, so we sent him a GreatFET One. He wants to build a neighbor for CTF challenges.


Free Stuff, January 2020–March 2020

January 2020

The Free Stuff recipient for January was Gabriel Sheeley, who runs an electrical engineering/embedded software meetup in Columbus, Ohio. They do everything from soldering workshops, to tearing apart smart TVs, to automating chicken coops to keep out raccoons. Gabriel asked for a YARD Stick One to use in a talk about RF hacking, and now that the meetup is remote, the group will have to take turns with their new gadget.

February 2020

We sent a HackRF One to the CU Boulder Sounding Rocket Lab Avionics Team for their ground station. They told us that they are “building an 18-foot-tall rocket from scratch (all student-built) that will leave this humble planet for a brief period of time, before drifting gracefully back to earth and our eagerly waiting hands. We intend to shatter the records for collegiate and amateur rocketry at our upcoming launch later this year. Our most up-to-date simulations project a maximum altitude of 190km and speeds topping out at Mach 7. During the entire flight we aim to maintain contact with the vehicle so we can continuously monitor its physical (and emotional) state.”

We are looking forward to attending the launch, hopefully in 2021.

March 2020

In March, Luis Salha asked us for a YARD Stick One to use for RF encryption research for his current Swiss army knife project BlackBox. He says he’s been experimenting with RF capture, analysis, replay, and brute force attacks, and he hopes to learn more about key rolling/hopping and cracking KeeLoq encryption using readily available hardware.


Free Stuff Update, September 2019–December 2019

September 2019

In September, we gave Chuck McManis a GreatFET One to experiment with. He owes us an update!

October 2019

Paul wrote to us from his shed in County Kildare to ask us for a few Throwing Star LAN Tap Kits to teach his kids how to solder.

November 2019

Way back in the Before Times, the organizers of the WOPR Summit 0x01 asked us to contribute a couple of GreatFET Ones for a hardware hacking booth. They planned to let attendees use the GreatFET Ones to run through some hands-on demos, then give them to the most passionate experimenters. That was a GreatPlan, but sweeping gesture. They are hoping to have a virtual event sometime in September 2020.

December 2019

Daniel Valdez, a student from Mexico City, requested a YARD Stick One. He is working on the development of a communication system through a router that sends a series of packets to an embedded system in order to automate control of devices in the home. He also wants to test the security protocols in the transmission of data from the different devices connected to the router.


Exploring Open FPGA Hardware

Last month, Kate Temkin began her blog series aimed at comparing FPGA families that have open source toolchains available. In the first post she reviews the pros, cons, and features of the Lattice iCE40 LP/HX, Lattice iCE40 UltraPlus, and Lattice ECP5 families.

Excerpt:

“The world of FPGAs has traditionally been full of closed-source mysteries: designs have long been crafted using expensive, multi-gigabyte vendor tools, and the inner working of vendors’ hardware and software have remained closely guarded secrets.

This changed when Claire Wolf created her IceStorm project, which reverse engineered Lattice’s low-cost iCE40 FPGAs, and led to an expansive ecosystem for creating FPGA designs using entirely open-source tools. Today, open-source toolchains exist targeting a handful of FPGA families; and a huge swathe of compatible FPGA hardware exists.

In this series, I’ll ‘show off’ a variety of hardware you can use to develop your own designs using open-toolchains– and hopefully help people to get a feel for the ecosystem.” Read the full post here.


Free Stuff, July and August 2019

July and August 2019

This summer we heard from two biomedical engineers. Juan Ignacio Cerrudo is our July recipient. He is the Head of Practical Work (Jefe de Trabajos Prácticos) at the Electronic and 3D Prototyping Laboratory at the Universidad Nacional de Entre Ríos (Argentina). He plans to use his HackRF One to assess security in medical devices and in classes to introduce students to signal processing.

Roy Morris with Gift of Life International asked us for a HackRF One in August. Roy travels throughout the developing world helping children with congenital heart defects receive the medical care they need. He’s going to use the HackRF One to troubleshoot the aging telemetry systems that send medical data to patient monitors.

If you’d like to be considered to receive free hardware from Great Scott Gadgets, please visit the Free Stuff page and send us a message with lots of details about your project.


Free Stuff, May and June 2019

May 2019

We sent a bunch of Throwing Star LAN Tap Kits to a high school in California in May. The computer science department will use them in several classes.

June 2019

Brooklyn Research is an interdisciplinary creative space focused on technological innovation. They provide a platform for established artists, technologists, and researchers to foster engaging discourse and experimentation. One of their groups is going to use their new HackRF One to experiment with finding a way to translate satellite signals to G-Code for a printer which will deposit nutritional paste for a slime mold culture. That slime mold culture will be a pretty artifact/visualization of the satellite signal as it grows and expands based on where the nutrients have been deposited. The shape of the slime mold growth then may be used for experimenting with new antenna shapes.


Tools of the KNOB Attack

This week at USENIX three researchers published information about a new attack against classic Bluetooth. Known as KNOB, the attack takes advantage of a weakness in the Bluetooth specification to force target Bluetooth connections to use 8-bit encryption keys instead of larger keys that would be resilient against brute-force attack.

This weakness in classic Bluetooth (not Bluetooth Low Energy) is a big one. I don’t recall seeing such a significant vulnerability in Basic Rate Bluetooth security since pairing was improved with the introduction of Secure Simple Pairing in Core Specification v2.1 in 2007.

One of the things that intrigued me when I heard about the KNOB attack this week was that it sounded very familiar. After chatting with Dominic Spill, we’re pretty sure we discussed the potential for this attack about ten years ago. I’m fairly certain that I had highlighted Encryption Key Size Request in a printed copy of the specification around that time.

What we didn’t have back then was a way to test for this vulnerability. The specification allows for devices to reject key sizes they consider too small, and I guessed at the time that vendors would enforce a more reasonable minimum key size than the smallest (1 byte) allowed by the specification. As demonstrated this week by Daniele Antonioli, Nils Ole Tippenhauer, and Kasper B. Rasmussen, I was wrong!

In order to test this attack it is necessary to modify the behavior of the Link Manager, the part of a Bluetooth chip that creates logical links with other Bluetooth devices. The Link Manager Protocol (LMP) is the low layer protocol that Link Managers use to communicate with one another and negotiate things including encryption for protection of higher layer protocols. LMP messages are not visible over the Host Controller Interface (HCI) that carries information between a Bluetooth chip and an application processor. If you only have the ability to control a Bluetooth chip by modifying an Operating System driver, you can alter behavior at the HCI level but not the LMP level. Ten years ago I was working on creating tools for monitoring Bluetooth signals, and I used off-the-shelf Bluetooth adapters for security testing, but I didn’t have any tools capable of active attacks below the HCI layer.

Last year things changed when Dennis Mantz released InternalBlue along with his award winning master’s thesis. Dennis reverse engineered the firmware of a popular Bluetooth chip and with InternalBlue provided a method to alter the firmware, enabling modification of Link Manager behavior for the first time. Since then Dennis and Jiska Classen have published a series of papers and presentations demonstrating powerful uses of this important tool.

It was InternalBlue that enabled the KNOB researchers to test attacks against key size negotiation for the first time. They used InternalBlue to implement a man-in-the-middle attack that inserted requests for a key size of one byte and successfully demonstrated the attack against nearly every Bluetooth device they tested. This weakness existed in the Bluetooth specification for twelve years, but nobody had tools to test it. Once a tool became available, KNOB was discovered within a year.
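The key size negotiation described above, as an added example (not code from this post, from InternalBlue, or from any vendor firmware): a simplified model in which each Link Manager has a smallest and largest acceptable key size, showing why a device that accepts the 1-byte minimum can be downgraded while one that enforces a floor refuses. The class and function names, the message labels, and the 7-byte policy floor are assumptions made for illustration.

```python
from dataclasses import dataclass

SPEC_MIN, SPEC_MAX = 1, 16  # key size range in bytes allowed by the specification
POLICY_FLOOR = 7            # assumed local policy for a hardened device

@dataclass
class LinkManager:
    name: str
    l_min: int = SPEC_MIN  # smallest key size this device will accept
    l_max: int = SPEC_MAX  # largest key size this device supports

    def respond(self, proposed):
        """Answer a key size request: accept, counter with a smaller size, or reject."""
        if proposed < self.l_min:
            return ("not_accepted", None)
        if proposed > self.l_max:
            return ("counter", self.l_max)
        return ("accepted", proposed)

def negotiate(initiator, responder, first_proposal=None):
    """Return the agreed key size in bytes, or None if negotiation fails.

    first_proposal models a request whose size was altered in transit,
    so it may be smaller than anything the initiator actually asked for.
    """
    proposal = initiator.l_max if first_proposal is None else first_proposal
    asker, answerer = initiator, responder
    for _ in range(SPEC_MAX):  # counter-proposals only shrink, so this ends
        verdict, counter = answerer.respond(proposal)
        if verdict == "not_accepted":
            return None
        if verdict == "accepted":
            # The asking side enforces its own floor on the final value too.
            return proposal if proposal >= asker.l_min else None
        proposal, asker, answerer = counter, answerer, asker
    return None

if __name__ == "__main__":
    lenient = LinkManager("lenient")                       # accepts the 1-byte minimum
    hardened = LinkManager("hardened", l_min=POLICY_FLOOR)
    print(negotiate(lenient, lenient))                     # full-size key
    print(negotiate(lenient, lenient, first_proposal=1))   # downgraded to 1 byte
    print(negotiate(lenient, hardened, first_proposal=1))  # rejected by responder
    print(negotiate(hardened, lenient, first_proposal=1))  # rejected by initiator
```

The model only covers the size agreement itself; a link is protected only when both ends enforce a floor, because either side may be the one that receives the altered size.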

Another tool used by the KNOB researchers was Ubertooth One, the open source Bluetooth monitoring platform I designed almost a decade ago. They used Ubertooth One to eavesdrop on encrypted packets in order to prove the weakness of the encryption after forcing a key size of one byte. They correctly point out in their paper that Ubertooth One lacks an effective ability to follow the hopping sequence of classic Bluetooth connections (it is better at this with Bluetooth Low Energy, thanks to Mike Ryan), but they worked around that problem by capturing a single packet and then iterating over all possible clock values to interpret the packet. This ingenuity allowed them to use the low cost Ubertooth One instead of a Bluetooth analyzer costing tens of thousands of dollars.

The KNOB researchers demonstrated that Wright’s Law still holds true after all these years:

“Security will not get better until tools for practical exploration of the attack surface are made available.” –Josh Wright

