Capturing & Analyzing Packets with Saleae Logic Pro 8 - Reverse Engineering A/C Remote part 2
Key Takeaways
The video demonstrates how to use the Saleae Logic Pro 8 to capture and analyze packets from an air conditioner remote, and how to reverse engineer the protocol with a custom protocol analyzer written against the Saleae Analyzer SDK (C++). The decoded packets are exported as CSV and compared in Python to find which bits change between remote commands.
Full Transcript
Let's continue with our project: reverse engineering the protocol of my air conditioner remote. Last time we implemented our own poor man's logic analyzer, but this time we will use something more advanced. Last time we tried to log the digital output with an Arduino in serial communication to the laptop, though that was a little bit too slow. We could try to speed up the implementation by, for example, not sending the text via serial in every iteration, because that is slow; we could do this by implementing a buffer, an array that always saves 100 samples and then pushes them out. But I want to show you a real logic analyzer this time: this is the Saleae Logic Pro 8. This is a professional analog and digital logic analyzer. Let's hook this one up to the circuit and collect samples.

So this one can collect a lot of signals in parallel, but we only need one in this case. We connect the black ground wire to the ground pin; it uses these precise hooks which can be easily attached to a pin. And the orange wire goes to the data out of the IR receiver. The Arduino is only still connected because we use it for the 5 volt power supply. Then we connect it to the laptop and launch the Saleae Logic application. With the big green button we can configure the device: we can select the sample rate, the speed it collects data points with. So for example, currently it will collect 500 million samples per second of digital data and 50 million samples per second of analog data. In this case our orange cable was channel number three, and we can also specify to only log for a tenth of a second; that should be enough. But we really don't need to collect such a crazy detailed trace; we can select a way slower sampling rate, like with our Arduino. We can now define a trigger: we want to trigger the recording only when the input drops to low, because then the IR receiver saw infrared light. Let's try it. We press Start, wait for the trigger, press a button on the remote, and boom, there is our collected trace.

So first of all you can see two traces of channel 3: the top one is the digital trace and the bottom one is the analog trace. So what does it mean? Let's zoom into one of those edges. Okay, as you can see, the top channel always has a sharp vertical edge down, because in digital logic there's only one or zero. But in the analog world we measure a voltage, and we can see that we measured almost 5 volt at the start and then, over roughly maybe 5 microseconds, the voltage slowly dropped down to basically zero volt. In the real analog world, obviously, voltage doesn't drop immediately; it takes a short amount of time to drop down, and when it dropped under roughly 1.5 volt, that's a threshold, the logical interpretation then becomes a zero. You can see how many sample points the device can collect: we have here, I don't know, hundreds of collected points per peak, while with the Arduino we only had one to maximum three samples per peak. And this trace is also now much more beautiful: there are no wider peaks, they all have the same width, just some have bigger gaps between each other.

Now, last time I already hinted at the bit interpretation of this trace. This is a very typical pattern for an IR consumer remote. As far as I know it's based on the protocol created by a company called NEC, but it can vary in bandwidth and frequency and so forth. But in general the idea is the same: you always have a pulse and then either a short or long pause until the next pulse, and a long pause refers to a one and a short pause refers to a zero. This means we can now extract the bits of a transmission and try to reverse engineer which bits are used to do what. So let's start. Okay, that's definitely a one, that's a one, this is a zero, that's a one... ah, I already have enough, this is annoying. So this application also has a cool feature called analyzers, protocol analyzers. So we can select from a big list of low-level protocols how we want to interpret our data. The issue is only that it doesn't have the NEC or IR consumer protocol by default. The one you see here in the list is the one I have written myself.

So that's what you have to do if you face a protocol that is either unknown, custom, or just not supported. But Saleae offers an analyzer SDK which you can use to implement your own protocol analyzers, and that's what I did. The documentation of the SDK was a bit rough and it was C++, and it took me several hours, so I will not do this here again, but I will put my code on GitHub so it hopefully helps other people. In fact you can even install the Logic application, you don't need the device for that, and compile my code to check out the traces yourself; I will also make them available. Now let's add my analyzer. First of all we have to tell the analyzer some information; in this case it wants a pulse width, you will see in a second what I mean by that. Then we can also define if it wants to interpret plus 5 volt as one or zero. Usually it's seen as one, but in this case we might want to invert this, just because the output is low when the LED of the remote is on. But in the end it doesn't matter. We can also select what we want to display, so in this case let's go with single bits and save. Let's also set the text output to hex only, and then let's have a look at the data. That looks pretty cool. You can see those blue bubbles over the digital data telling us if it was a zero or a one, and you can see the long pauses are a one and the short pauses are a zero. You can also see those white dots which I have added to show you what is interpreted as a pulse width: you can see in a long one there are basically four pulses, in a short zero there are basically two. So if we had the pulse width a bit longer or shorter, then we wouldn't be able to read the data properly. For example, if you would use 530, then you see the pulses will slowly drift away and then kind of corrupt the data we read. Another available setting is interpreting the data as a whole word, so now the whole packet becomes one frame and the bits are shifted into a 64-bit variable.

Now let's document our test properly, so that we can collect a longer sample with a lot of different commands and we are able to identify which one is which. So let's start. I suggest we start with turning it on while it's set to the lowest temperature, which is 18, and then we increase the temperature up to a maximum of 32. After that we turn it off and on again. Then we cycle through the three modes. Afterwards we cycle through the four fan modes while we are on AC. Then we switch to the mode fan and we cycle through those three fan modes, back to the AC mode. Then we switch from Celsius to Fahrenheit and back, and I honestly don't know how the timer works, so I ignore that one. The last two modes are the weird Feelgood home thing and the silent mode, and then we finish it by turning it off again. Cool, we stopped the collection and now we can inspect them. On the right you can see the decoded protocol view, which is super cool because it displays each individual captured packet, and if we click on one we automatically jump there. We can now also export the data as a simple CSV file for further analysis in Python.

Now let's explore this data in Python. We open the file and read it, split it by newlines to have a list of each line, but we don't want the CSV header and the last empty line, so let's slice that. And we can use a Python list comprehension to already split each line at the comma, and we loop over each command. By the way, you can execute Python scripts directly in Sublime with Control-B or Shift-B or whatever. Next let's convert the hex value to an integer and then a binary string. Because we did a sequence of commands, it would make sense to compare each line and visualize which characters change, so let's always save the last printed value and diff it with the current one. We can simply define a function diff which iterates over both strings and adds a character if the characters differ, and then we can take this output and analyze it further.

So the first packet was 18 °C and then we incremented it up to 32, and we notice that this one bit here changes every increment, and then the second bit here changes with every second increment. This looks like a counter, just reversed, so it looks like we do want to change the endianness of those words, and we can do that by changing the settings in the analyzer and exporting it again. So it looks like up to five bits are involved in the temperature selection. It's not quite regular binary to decimal, but it's definitely incrementing. After that we turn it off and on again, and it looks like this bit is responsible for that. Next we cycle through the four different modes. The first one is the humidifier, a simple increment, but the one after is fan, which has a different fan intensity than the other modes, so those two might be the fan intensity. And if we look closely at the commands after those, where we tested changing the four fan settings, we can see that those ones are now incrementing. After that we switched to fan mode, which again also changes the fan intensity, but then we tested the different fan levels here too, and we see those change as well. I guess you get the idea now how it works; this is how we can slowly reverse engineer which bit is responsible for what. So now it's your turn: can you figure out which bits are responsible to change the screen from Fahrenheit to Celsius, or activate the silent mode? The Saleae Logic trace as well as my analyzer code and exported text values are available on GitHub for you to play around with.
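The two techniques the transcript walks through, as an added example that is not the NECAnalyzer code from the video: decoding NEC-style pulse/pause timing into bits (a pause of about two pulse widths is a zero, about four is a one), and diffing consecutive exported packets to see which bit positions change between remote commands. The CSV column names (`Time [s]`, `Analyzer`, `Value`), the microsecond timings and the three sample packets are all constructed for this example; the real Saleae export layout and the remote's actual timings may differ.

```python
# Added example (not LiveOverflow's NECAnalyzer). Decodes pulse-start times
# into bits and diffs consecutive packets from a CSV export.
import csv
import io

# Constructed timing parameters in microseconds (an assumption, not values
# measured from the remote). Every pulse has the same width; only the pause
# that follows it differs between a zero and a one.
PULSE_US = 560
PAUSE_ZERO_US = 560    # zero: pulse + pause is about two pulse widths
PAUSE_ONE_US = 1690    # one:  pulse + pause is about four pulse widths


def encode_pulses(bits):
    """Pulse start times (falling edges of the receiver output) for a bit
    string, followed by a final stop pulse that carries no bit."""
    starts = [0]
    t = 0
    for b in bits:
        t += PULSE_US + (PAUSE_ONE_US if b == "1" else PAUSE_ZERO_US)
        starts.append(t)
    return starts


def decode_pulses(pulse_starts_us, pulse_us=PULSE_US):
    """Decode pulse start times into a bit string.

    Following the video's description, the start-to-start period is measured
    in units of the configured pulse width: about two units is a zero and
    about four units is a one. The last pulse is only a terminator.
    """
    bits = []
    for prev, nxt in zip(pulse_starts_us, pulse_starts_us[1:]):
        units = round((nxt - prev) / pulse_us)
        bits.append("1" if units >= 3 else "0")
    return "".join(bits)


# Constructed CSV export (column names are an assumption): three consecutive
# "temperature up" packets as 16-bit words.
SAMPLE_CSV = """Time [s],Analyzer,Value
0.100,NEC,0x0012
0.600,NEC,0x0013
1.100,NEC,0x0014
"""


def load_packets(csv_text, value_column="Value"):
    """Return the packet words as integers. DictReader skips the header and
    ignores blank trailing lines, so no manual slicing is needed."""
    words = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        value = row.get(value_column)
        if value:
            words.append(int(value, 16))
    return words


def to_bits(word, width=64):
    """Fixed-width binary string, most significant bit first."""
    return format(word, f"0{width}b")


def reverse_bits(word, width=64):
    """Flip the bit order, the endianness change the video applies when the
    temperature counter appears reversed in the export."""
    return int(to_bits(word, width)[::-1], 2)


def diff(a, b):
    """Mark the positions where two equal-length bit strings differ."""
    return "".join("^" if x != y else " " for x, y in zip(a, b))


def changed_bits(words, width=64):
    """For each pair of consecutive packets, the indices (0 = leftmost
    printed bit) that changed; a counter shows up as its low bits toggling."""
    bits = [to_bits(w, width) for w in words]
    return [[i for i, (x, y) in enumerate(zip(p, c)) if x != y]
            for p, c in zip(bits, bits[1:])]


if __name__ == "__main__":
    print(decode_pulses(encode_pulses("10110010")))
    previous = None
    for w in load_packets(SAMPLE_CSV):
        b = to_bits(w, 16)
        print(b)
        if previous is not None:
            print(diff(previous, b))
        previous = b
```

For a real export from the whole-word analyzer setting, call `to_bits` and `changed_bits` with `width=64` to match the 64-bit frame the transcript mentions; the sample above uses 16 bits only to keep the printed diff readable.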
Original Description
Using the Saleae Logic Pro 8 digital analyzer to reverse engineer the packets from my air conditioner remote.
NECAnalyzer code and captured trace: https://github.com/LiveOverflow/NECAnalyzer
Saleae Logic Pro 8: https://www.saleae.com/
-=[ 🔴 Stuff I use ]=-
→ Microphone:* https://geni.us/ntg3b
→ Graphics tablet:* https://geni.us/wacom-intuos
→ Camera#1 for streaming:* https://geni.us/sony-camera
→ Lens for streaming:* https://geni.us/sony-lense
→ Connect Camera#1 to PC:* https://geni.us/cam-link
→ Keyboard:* https://geni.us/mech-keyboard
→ Old Microphone:* https://geni.us/mic-at2020usb
US Store Front:* https://www.amazon.com/shop/liveoverflow
-=[ ❤️ Support ]=-
→ per Video: https://www.patreon.com/join/liveoverflow
→ per Month: https://www.youtube.com/channel/UClcE-kVhqyiHCcjYwcpfj9w/join
-=[ 🐕 Social ]=-
→ Twitter: https://twitter.com/LiveOverflow/
→ Website: https://liveoverflow.com/
→ Subreddit: https://www.reddit.com/r/LiveOverflow/
→ Facebook: https://www.facebook.com/LiveOverflow/
-=[ 📄 P.S. ]=-
All links with "*" are affiliate links.
LiveOverflow / Security Flag GmbH is part of the Amazon Affiliate Partner Program.
#HardwareSecurity