Building Poor Man's Logic Analyzer with an Arduino - Reverse Engineering A/C Remote part 1

LiveOverflow · Intermediate ·🔐 Cybersecurity ·9y ago

Key Takeaways

This video teaches how to build a Poor Man's Logic Analyzer using an Arduino to reverse engineer the protocol of an air conditioner remote control.

Full Transcript

In this miniseries I want to explore a hardware reversing project. I have this air conditioner which uses a remote, and we want to understand how it works, so in this miniseries I want to reverse engineer the communication between the remote and the AC unit. It's not advanced or new in any way, it was done countless times already, but if you have never done any electronics stuff I think this is an awesome example to get started. I have not done this before either; I just know theoretically how it should work, so I want to take you along in how I approach this project. First we try to understand the behavior of the remote and the AC unit, because from that we can already infer a lot of information, and after that we will use some electronics and build a poor man's logic analyzer with an Arduino.

I have here this remote with a display showing the temperature and other settings such as cooling or fan modes and some other stuff. The first question is: how does the click information on the remote travel to the AC, and is there any communication back from the AC, because we can see the temperature on the remote screen? This is easy to test: we can simply walk into another room far away from the AC, change a few settings, and then walk back to the main unit and look at the display. We can see that the settings on the main unit haven't changed, but the remote says something else, and when we now click another button on the remote, the AC unit immediately jumps to that value. This already tells us so much about how the protocol works: not every single press is transmitted alone, so when I press temperature up it doesn't send an up command, it actually transmits the whole state of the settings. This means there's some kind of packet that is transmitted that contains all values. To verify this assumption we can also change the settings on the unit and see if the remote changes, which it doesn't, and as soon as we press something on the remote it jumps back to that value. So this reveals so much about the protocol already: it's one way, from the remote to the AC unit, and it seems to be a bigger packet containing all the settings information.

So how does the remote transmit this information? Well, when we look at the remote we can see at the front what looks like any normal LED, and you probably know that it is an infrared LED. Just a quick refresher about the electromagnetic spectrum, not that I claim to know any physics in any meaningful way, but we should have some idea about it. Visible light is a tiny area of the electromagnetic radiation; our cells just happen to respond to those wavelengths and our eyes are dark for all others. That's bad for a few things, for example we cannot see dangerous gamma or X-rays, but also good, because we can use the non-visible EM spectrum to transmit data. So your Wi-Fi, Bluetooth and mobile radio are all just different kinds of electromagnetic radiation; it just happens to be a different wavelength our eyes can't pick up. Infrared is also defined as a certain wavelength which is just barely out of our capabilities to see, though there are some animals that can see infrared light. Also, most of the photo sensors in our cameras react to the wavelength of infrared light, so we can point the remote at our phone camera to see that light. I can barely see it; a lot of times cameras use an IR filter, because humans can't see infrared, thus capturing infrared could falsify the colors. I'm using an iPhone here and I know that the front-facing camera doesn't have an IR filter, so we can see it better with that one, and also if we go into a darker room we can really see it easily.

To properly analyze this, because it just quickly flashes, we need something that captures it. The 24 or maybe 60 frames a second of a camera are way too slow to capture the fast flickering, so we will build a small circuit to analyze this. We need a sensor that reacts to infrared light but not other light. There are light sensors, so-called photoresistors, which increase or decrease resistance depending on the amount of light, though this one is calibrated for regular visible light so it's no good to us. But I have here this IR receiver, which works more like a transistor. It has three pins: two pins are basically the power supply, plus 5 volts and ground, and the third pin is either high or low depending on whether it captures a significant amount of IR light or not. I put this here on a so-called breadboard, which is a convenient rapid prototyping platform. For example the long red and blue lines on the sides are all connected in a row and are used for the power supply, so I can connect the IR receiver's power supply with those lines, and the holes in the middle are also connected in columns but divided in the middle, so I can plug in the IR receiver here and it will get the power.

There's also this great hobby electronics platform which you probably know, called Arduino, which makes it super easy to use for everybody. I use an Arduino-compatible board from SainSmart because it came in this cheap electronics tutorial learning box, but you should definitely check out all those Arduino learning packs and resources; they are awesome. Those $50 or $60 are worth more than buying a game, you learn so much. Anyhow, this board has some pins and they are labeled, and we can see here a 5V and a GND pin, which stands for ground, so we can use those to supply the breadboard with power, and we can use one of the digital input and output pins to connect to the third leg of the receiver. If you have never done this yourself it might already look a bit complicated, but it's really, really easy, you just have to do it once yourself. Here's also the schematic of how the setup looks: we have the IR receiver, it's connected to ground here and to VCC, which refers to the power supply, and the third pin is connected to the digital pin of the Arduino, or SainSmart Leonardo board. Arduinos have a super easy programming IDE where you can program, compile and simply upload the compiled program to the board, and it just works.

So we want to write some code that reads the output of the IR receiver so we can analyze it. We can take an Arduino example that reads the state of a button and just modify it to read the state of the IR receiver. There are two main functions: the setup function, which initializes the serial communication (that's a protocol so the computer can communicate with the board and send text; it's out of scope right now, but we will look at serial some other time) and initializes pin number 8 as an input pin. Then the loop function, which is like an endless while loop; this is what will be executed constantly in a loop, and here we want to read the state of input pin 8 and send this input via serial to our computer. Then we can compile it, we have to make sure the board is properly recognized by the software, and then we can push it onto the board. Now it's running there and we can open the serial console and see the output. Currently it's sending only ones, so the IR receiver always outputs high, 5 volts, which is a digital one, and now we point the remote at it, and when we press it we can see some zeros rushing by. That's cool, but a bit hard to analyze, so let's modify the code to use a so-called trigger. We can start with a state zero where we constantly read the input, and once it drops to a zero for the first time we switch to state one, where we now send the input including the microseconds, so we have some timing information as well, to the computer. Now we push it to the board, wait until it's booted, and now we see no input being sent to the computer, but if we now point the remote at the IR receiver and press the button we get the first zero and now the data is rushing in. That's better. Now we can simply copy this output into a text file to analyze, and we can collect multiple samples, for example the packet to select Fahrenheit or Celsius, or turning it on and off.

Then I use Jupyter notebooks to work with stuff like this; it's basically Python, just with an awesome interface to do explorative scripts. I first start by including some important modules so we can plot data, and then we read one of the log data files with numpy and specify that the data is comma-separated. This will give us a big numpy array, and we can then extract the microseconds and the single bits. Next we can use pyplot to plot this data in steps. It looks a bit awkward, so let's play around a little bit with the limits of the y and x axis as well as the figure size of the plot, and maybe also cut the data points at some length, because we are only interested in the data at the front. We might want to add some points so we can see exactly where our data points are. We can now also wrap this into a function so we can simply call load with a file name and get this nice digital logic plot. Awesome, look at this, this is great, this is a great poor man's logic analyzer, and we can compare for example the Celsius to the Fahrenheit packet and the on and off packet.

But how do we read this? They clearly look similar, so this is not some random wiggling, this is some kind of real pattern: this is the infrared LED flickering on and off in a specific way. But how the LED flickers is defined in the protocol, and somehow we have to understand how the protocol works. One attack you can do without knowing the protocol is to compare multiple packets of the same command, like multiple turning-on packets, and then you can see that this is always the same, so there's no crypto or timestamp or whatever involved, so a replay attack is easily possible without knowing what the bits mean: we can just resend the pattern to perform this action. Another thing to work out the protocol is to compare similar packets like Celsius and Fahrenheit, and we notice that some spikes are very close together and some spikes are far apart, and we can try to see if this pattern is different for both of them, because Fahrenheit and Celsius can be represented by one bit, it's either zero or one, and we can infer from that what a bit zero or one might look like in this pattern. Maybe you can pause this video here and try to extract the single bits from those packets.

But there's a big problem here: each single dot is a point where we read the state of the receiver, and they are so few compared to the amount of spikes, thus maybe we miss some spikes, or some spikes appear wider or thinner even though they were the same. In proper terms, we have a way too low sampling rate for the frequency of the input signal. So this Arduino and laptop setup is a great start, but it's not very precise. It is enough to work out the protocol, but in the next video I want to show you how you can do this a little bit more advanced, and we will start reversing the packets.
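The three analysis steps the video walks through (turning the trigger log into pulse widths, comparing repeated captures of the same command, and seeing what a too-low sample rate does to the widths) as an added Python example. This is not LiveOverflow's notebook code: it uses only the standard library instead of numpy and pyplot, it assumes the sketch writes one `<micros>,<bit>` line per sample after the trigger fires, it assumes the receiver idles HIGH and goes LOW while it sees IR, and the `IDEAL_ON` packet, its pulse-distance bit encoding and the sample intervals are all constructed for illustration, not the real A/C protocol. `sample_signal` stands in for the Arduino loop so the same code can show how the same packet looks at different sample rates.

```python
"""Post-processing for the Arduino trigger log (standard library only).

Added example, not LiveOverflow's notebook code. Assumes one "<micros>,<bit>"
line per sample after the trigger fires and a receiver that idles HIGH and
goes LOW while it sees IR. Packet, bit encoding and sample intervals are
constructed for illustration, not the real A/C protocol.
"""
from typing import List, Tuple

Sample = Tuple[int, int]   # (micros, level)
Pulse = Tuple[int, int]    # (level, duration in microseconds)

# Constructed "ON" packet: a leader pair, then three bits in a pulse-distance
# scheme (500 us mark; 500 us space = 0, 1500 us space = 1), closing mark.
IDEAL_ON: List[Pulse] = [
    (0, 4000), (1, 4000),
    (0, 500), (1, 500),      # bit 0
    (0, 500), (1, 1500),     # bit 1
    (0, 500), (1, 500),      # bit 0
    (0, 500),
]

def parse_log(text: str) -> List[Sample]:
    """Parse the "<micros>,<bit>" lines copied from the serial console."""
    samples = []
    for line in text.splitlines():
        if line.strip():
            t, bit = line.strip().split(",")
            samples.append((int(t), int(bit)))
    return samples

def sample_signal(pulses, interval_us, phase_us=0):
    """Model the Arduino loop: read the pin every interval_us from phase_us.
    Returns the samples of the ideal pulse train plus one idle-HIGH sample."""
    edges, t = [], 0
    for level, duration in pulses:
        edges.append((t, level))
        t += duration
    total, samples, t = t, [], phase_us
    while t < total:
        level = 1                       # idle level before any edge
        for edge_t, edge_level in edges:
            if edge_t <= t:             # last edge at or before t wins
                level = edge_level
        samples.append((t, level))
        t += interval_us
    samples.append((total, 1))          # line goes idle again
    return samples

def to_pulses(samples):
    """Run-length encode samples into (level, duration) pulses. A width runs
    from the first sample of a level to the first sample of the next level,
    so each width carries up to one sample interval of error."""
    pulses = []
    if not samples:
        return pulses
    start_t, current = samples[0]
    for t, level in samples[1:]:
        if level != current:
            pulses.append((current, t - start_t))
            start_t, current = t, level
    return pulses

def same_packet(a, b, tolerance_us):
    """Same edges and widths within tolerance. Identical captures across
    presses mean no counter, timestamp or MAC: a replay-protection finding."""
    return len(a) == len(b) and all(
        la == lb and abs(da - db) <= tolerance_us
        for (la, da), (lb, db) in zip(a, b))

def decode_bits(pulses, threshold_us=1000):
    """Decode the constructed scheme: skip the leader pair, then each
    (mark, space) pair is 1 when the space is longer than threshold_us."""
    body, bits = pulses[2:], []
    for i in range(0, len(body) - 1, 2):
        (mark_level, _), (space_level, space) = body[i], body[i + 1]
        if mark_level == 0 and space_level == 1:
            bits.append(1 if space > threshold_us else 0)
    return bits

def unresolved(pulses, interval_us):
    """Pulses shorter than two sample intervals cannot be trusted: they may
    be missed entirely or come out wider or thinner than they were."""
    return [p for p in pulses if p[1] < 2 * interval_us]

if __name__ == "__main__":
    for interval in (20, 300, 1200):
        p = to_pulses(sample_signal(IDEAL_ON, interval))
        print(interval, "us:", len(p), "pulses, bits", decode_bits(p),
              "unreliable", len(unresolved(p, interval)))
    a = to_pulses(sample_signal(IDEAL_ON, 20, phase_us=0))
    b = to_pulses(sample_signal(IDEAL_ON, 20, phase_us=7))
    print("two presses identical:", same_packet(a, b, tolerance_us=40))
```

At a 20 µs interval the nine pulses come back exactly; at 300 µs the 500 µs marks read as 600 µs and the short spaces as 300 µs, yet the bits still decode, which is the "enough to work out the protocol, but not precise" situation from the video; at 1200 µs whole pulses vanish and the decoded bits are wrong. `unresolved` is the check to run on a real capture before trusting any width: anything shorter than two sample intervals is suspect. `same_packet` turns the "compare several ON packets" step into a repeatable test, and a pass across independent presses is the observation that the link has no freshness and should be written down as such.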

Original Description

Capturing the packets from my air conditioner remote to reverse engineer the protocol.
Longer and way better reverse engineering video by EEVblog: https://www.youtube.com/watch?v=BUvFGTxZBG8
Jupyter Notebook: https://jupyter.org/

-=[ ❤️ Support ]=-
→ per Video: https://www.patreon.com/join/liveoverflow
→ per Month: https://www.youtube.com/channel/UClcE-kVhqyiHCcjYwcpfj9w/join

-=[ 🐕 Social ]=-
→ Twitter: https://twitter.com/LiveOverflow/
→ Website: https://liveoverflow.com/
→ Subreddit: https://www.reddit.com/r/LiveOverflow/
→ Facebook: https://www.facebook.com/LiveOverflow/

-=[ 📄 P.S. ]=-
All links with "*" are affiliate links. LiveOverflow / Security Flag GmbH is part of the Amazon Affiliate Partner Program.
#HardwareSecurity