#garfield Logs
Mar 29 2023
06:45 AM polprog: WormFood: oooh what did you get?
07:17 AM WormFood: polprog, my radio?
07:18 AM WormFood: My newest radio, is a Flex-3000. It's used of course, but very little, as the former owner isn't a computer guy, and didn't get into it.
07:20 AM WormFood: If you were referring to my 16 port switch, it's a netgear ProSAFE JGS516PE ;)
07:22 AM WormFood: Right now, I'm waiting for the bands to open up, on frequencies I can transmit on. I can cover 10, 12, and 15 meters, without any additional equipment, as my antenna is tuned for 10m, and it's close enough, that the internal antenna tuner can handle those bands. But I'm gonna be building a dipole antenna soon, so I can get on lower bands.
09:09 AM aandrew: my son took a job up in Yellowknife. He's driving out there in June so we've got this giant checklist to prepare
09:10 AM aandrew: I've got a ud-5r I'm sending with him, just found a list of all repeaters along the way so I'm organizing that and printing it out so he has a hard copy
09:11 AM aandrew: am looking at cell phone boosters too, looks like they're all so-so
09:15 AM aandrew: WormFood: that sdr radio sounds neat
09:15 AM aandrew: I am on the uSDX mailing list
09:16 AM WormFood: Cool! Are you using anything like d-star to route your calls places?
09:17 AM WormFood: I just got the GPS antenna for my d-star radio today.
09:22 AM aandrew: no no, nothing like that. this is just an emergency radio for my son since he's driving in the middle of nowhere
09:23 AM aandrew: I'm super excited for him and a little nervous. his mom (my ex) is SUPER against all this but I'm like you go dude, this is exactly the time to do this
09:23 AM aandrew: aircraft maintenance (mostly helicopters) way up near the arctic circle
09:23 AM WormFood: For emergency use, I suggest you program GMRS/FRS freqs, if you can do UHF
09:26 AM aandrew: yeah that's what I'm recommending too, the radio will do it and he's also got his license for these use cases
09:27 AM WormFood: Yeah. That's great. But, you know, without testing it, it may not meet emission standards for those frequencies, unless the radio was designed for it, and if it's a ham radio, then it wasn't designed for it ;) But, that shouldn't be a problem.
09:27 AM aandrew: I'm aiming for his regular phone with a booster for general use and if he's really stuck he's got the radio along with an oldschool GPS. two sets of good paper maps and a second (dumb) phone, hand crank generator etc
09:27 AM aandrew: oh yeah I'm not worried about emissions or even legality if he's stuck
09:27 AM WormFood: Sounds like he's prepared!
09:27 AM aandrew: get safe, worry about the FCC later
09:27 AM WormFood: If you're in an emergency, then all frequencies and emissions are acceptable.
09:28 AM aandrew: well that's just the comms. vacuum packed dry/warm clothes, food/water, jerry can, etc etc
09:28 AM WormFood: Even the FCC says, in an emergency, you are authorized to use any frequency to get the help you need.
09:28 AM aandrew: there's a whole list we've put together and are working on so he's not unprepared but he's young (21) and some of the planning shows
09:28 AM WormFood: How long is he expected to be gone for?
09:29 AM WormFood: If nothing else, it should be a good experience for him.
09:29 AM aandrew: his initial itinerary was calling for 12h drive/day and I'm like no dude, 8h at most. you need to sleep, you need to stretch, you need to piss, and let's face it, you're also on an adventure so you'll want some time to enjoy it
09:29 AM WormFood: I'm sure he'd most likely be ok with 12 hrs a day. That's not really pushing it.
09:30 AM aandrew: he was also contemplating just pitching a tent with the car in a lot with a camera and I'm like no... you need REST and drunks/skunks/bears don't care for cameras
09:30 AM aandrew: well 12h up there is about 1000km (600mi) in the best case. he will have rough roads and unfamiliar territory
09:31 AM aandrew: well he's taken a job so it might be for 6mo, it might be forever
09:31 AM WormFood: Yeah, cameras may only help you after the fact, but it's probably not gonna prevent anything. Prevention is a better strategy.
09:31 AM aandrew: he's already received the lectures from the employer about staying the fuck away from the native girls
09:31 AM WormFood: One thing that comes to mind, is "luck favors those who are prepared"
09:32 AM WormFood: Make sure you pack some condoms for him too :D
09:32 AM aandrew: it's funny, he's fixing helis and his sister is jumping out of them (or planning to, she's on her way to ACP/S&R, doing CCP/paramedic and firefighting in the city for now)
09:32 AM WormFood: Because you know...he won't listen to those warnings, when he "pitches a tent"
09:32 AM aandrew: yep exactly
09:33 AM aandrew: I told him why not just sell his pos car and fly out there, it's $350 to fly and then just buy or lease something up there that's AWD but he wants the adventure and I don't blame him
09:33 AM WormFood: Hopefully it will be fun, and it should be a good experience for him. I hope everything goes smoothly for him.
09:34 AM aandrew: oh yeah I think he's gonna love it and he'll have some serious experience by 25yo that his peers won't have working at a standard airport
09:34 AM aandrew: I told him when he's settled I'm gonna take the two youngest boys and come visit him
09:34 AM WormFood: If you want some "serious experiences", then try moving overseas ;)
09:34 AM aandrew: yeah you know just a little bit about that don't you
09:35 AM WormFood: And for even more, move to some place not in north america, or europe (that's what I did)
09:35 AM aandrew: yep
09:35 AM WormFood: It was a real adventure, and a half.
09:35 AM aandrew: I think my comfort level extends to me divorcing and moving into a 5th wheel with a thousand trails membership
09:35 AM WormFood: I've gotten to travel all over China, and see places most foreigners never get to see.
09:36 AM WormFood: Ahhh, but pushing yourself outside of your comfort zone, is the best way to grow and experience the world.
09:36 AM aandrew: if I wasn't such a chickenshit for CCP I'd have come seen you when I was in hong kong
09:37 AM WormFood: Or, alternatively, I could have gone to HK to visit you (if I didn't need to be in another part of the country at that time).
09:38 AM WormFood: I used to walk to HK, from my 3rd apartment in Shenzhen, which was walking distance from the port, but no subway, so you have to take a bus into downtown HK.
09:39 AM WormFood: I have no intentions of ever going back to China. Their dictator 习近平 is a fuckin' lunatic. They banned Winnie the Pooh in China! How fucked up are they going to get, before they destroy their country, or get overthrown?
09:39 AM WormFood: I love the country and the people, but their shitty government is what is keeping me away.
09:41 AM WormFood: One thing I used to carry in my backpack, and came in really handy in a number of instances, is a towel. Not a full size towel, but something bigger than a hand towel.
09:41 AM aandrew: reflections of HHGTTG?
09:43 AM WormFood: I was thinking more South Park ;)
09:43 AM aandrew: hm I don't watch much of that
09:44 AM WormFood: But both come to mind, when talking about towels. But, yeah, HHGTTG was probably what inspired me to consider it. I actually put some thought into it, and didn't just pack it because of the book.
09:45 AM WormFood: I remember once, I rescued a kitten, after a big rain, and he was soaking wet, and I just whipped out my towel, and wrapped him up, and dried him off. If I didn't have a towel, it would have been a mess, and I had to help that kitten.
09:50 AM WormFood: And I presume, he has access to a credit card, in case of emergencies, right? I don't know how that works with most people. I have my mom's credit card, that she gave me for emergencies, and I've never been tempted to misuse it. But I suspect a lot of people might be tempted to use their emergency credit card for non-emergencies.
09:52 AM WormFood: One thing, that might be good, for emergencies, would be an HF radio. I mean, if he really is in the middle of nowhere, then VHF and UHF radios are unlikely to help him...not unless he has a repeater in a drone (there are projects for that). With HF, he could contact someone, to make a phone call to summon help.
11:14 AM aandrew: yeah that's why I was looking at the repeater maps
11:15 AM aandrew: the cell coverage is just not there in only about 300km total of the trip (broken up into two larger areas and a few smaller ones), and his plan is to hit relatively big cities and stick on the trans canada highway so he shouldn't be too far from help
11:15 AM aandrew: that's why I was looking at the ud-5r, it's cheap, 8W and should be able to hit a repeater should he really need it
11:16 AM aandrew: once he's there I'm assuming (should verify) the company is giving him equipment like sat phone and HF
11:16 AM aandrew: my dad has some nice ham equipment including car mount HF, I bet he could give him one for emergencies
11:17 AM aandrew: he's got a couple 2m radios too which would be perfect
11:28 AM aandrew: bah I mixed up 2m and 20m, lol
04:11 PM polprog: WormFood: wow that looks pretty fantastic (re: flex-3000)
04:14 PM aandrew: blah
04:14 PM aandrew: apparently I tested positive for covid, very very faint line, no symptoms, but that means I can't be on set with my son so scrambling to find someone to take him
04:14 PM aandrew: probably my dad
04:20 PM WormFood: That sucks aandrew. I hope you're able to kick it in the ass, and not have any lasting effects (we still don't know the long-term effects of covid)
04:46 PM aandrew: my breathing is absolutely clear, my nose and throat are fine, no fever, no joint pain, I haven't fucking got covid
04:47 PM WormFood: I hope not.
04:47 PM aandrew: this would be the first time I have it
04:47 PM WormFood: You know, for communications, you can probably pick up a high power (50 watts) 2m rig used, for cheap. I picked up an IC-2820H for $200 on CL last week.
04:48 PM WormFood: couple that with an NMO mag mount high-gain antenna, and that'd give him his best chance of getting into any repeaters.
04:49 PM WormFood: You'd probably be better off with a high gain single band antenna, than a lower gain dual band antenna, as UHF is not used much in that type of environment.
04:52 PM aandrew: yeah I think you're right
04:53 PM WormFood: Too bad you don't have d-star with gps. That could report to you his location in real time ;)
04:53 PM aandrew: :-)
04:53 PM WormFood: My friend does that. Tells people what call he's using for his GPS, so people can track where he is.
04:54 PM aandrew: I wonder how many d-star repeaters are up in that area
04:55 PM WormFood: Not sure. Probably not enough for it to give you the peace of mind you'd like to have.
04:56 PM polprog: I still have not unpacked my mmdvm
04:56 PM polprog: D: 2 years
04:56 PM WormFood: Why not?
04:56 PM polprog: no time
04:56 PM polprog: also i need to see if i can use it to monitor traffic
04:57 PM polprog: i dont want to build any repeaters or anything
04:57 PM WormFood: My flex 3000 spent most of its life in a box. I doubt it was out of its box more than a few months, and probably not used more than a few weeks.
04:57 PM polprog: heh, what are you gonna use it for?
04:57 PM WormFood: It's my radio, I talk on.
04:57 PM WormFood: It's a ham radio
04:58 PM polprog: oh
04:59 PM polprog: im mad cause someone was selling a baofeng-tier small base radio for 1/6 the shelf price
04:59 PM polprog: it was listed as "Does not turn on"
04:59 PM WormFood: It's just an SDR based radio, with no display. All the heavy lifting is done by the CPU in the computer.
04:59 PM WormFood: You didn't get it?
05:00 PM WormFood: or a scam?
05:00 PM polprog: i didnt buy it
05:00 PM polprog: i thought i'll wait
05:01 PM WormFood: Rarely have I regretted waiting, on buying something.
05:01 PM polprog: yea..
05:02 PM polprog: i wanted to get home
05:02 PM polprog: before i buy it
05:02 PM polprog: ehh
05:02 PM WormFood: I was looking at a motherboard on Ebay yesterday. Really good price. Starting bid of $27, but it has a make an offer open, so I was thinking to make an offer, just before the auction ended. Someone bid on it, with like 15 minutes left. My friend suggested I out bid him, but I said no.
05:02 PM polprog: i wanted it to be another receiver for my RF experiments when they come about
05:02 PM polprog: but i have a baofeng portable anyway and a few SDRs
05:02 PM WormFood: An hour or two later, I see the same guy, selling the same type motherboard, for the same price. I can put in my make-an-offer
05:02 PM polprog: so nothing lost, i just liked the form factor
05:03 PM WormFood: Yeah, if you don't need it, it's probably better to not get it.
05:03 PM WormFood: My feeling is, if you wait a little longer, an even better deal will roll around....only problem is, how long do you need to wait?
05:03 PM polprog: heh
05:04 PM polprog: something will come around
05:04 PM polprog: which reminds me to finish hacking/fixing the motorola radios
05:04 PM WormFood: I wasn't looking for either of the 2 radios I just got, but I got both of them, at a too-good-to-pass-up kinda deals.
05:04 PM WormFood: I have some Kenwood radios I need to hack.
05:05 PM WormFood: They're 450-470. Of course they'll tune into the ham bands, but not very far...but I can hit the 446 MHz simplex call freq.
05:06 PM WormFood: They make other models with lower frequency ranges, like 400-440 MHz, and I have the schematics, so I should be able to swap out a few caps, and retune the VCOs (there are 2 of 'em), to cover the whole ham band.
05:06 PM polprog: Hmm
05:06 PM WormFood: By the way, I'm a former radio tech. I used to fix 2-way radios for about 6-7 years.
05:07 PM polprog: I have one GP1200 that I bricked, so i need to rewrite its flash
05:07 PM polprog: There's also one where the fuse resistor cracked in half
05:07 PM WormFood: So, I feel right at home mucking around with the PLL and VCO circuits.
05:07 PM polprog: that makes two of them
05:07 PM polprog: ooo
05:07 PM polprog: thats cool!
05:07 PM polprog: i have a Motorola MC Micro that i mucked around with in the 446 range
05:08 PM polprog: i think little polprog screwed up the RX filters tho, some day i have to sit down with the current kit and fix it up for good
05:08 PM WormFood: For many people, the PLL works on FM...Fuckin' Magic...to be honest, I spent hours trying to understand how exactly PLLs work.
05:08 PM polprog: counter, divider, error signal to VCO
05:08 PM polprog: rinse and repeat :P
05:08 PM WormFood: And reference osc
05:08 PM polprog: yes
05:09 PM WormFood: I've hacked many a PLL in my day.
05:09 PM polprog: ive almost built one with a GAL
05:09 PM polprog: but it turned out that my oscillators just synced each other to themselves without the pll
05:09 PM polprog: i should redo it
05:10 PM polprog: (i used a simple HC14 oscillator and it was on the same breadboard, you can guess they like to synchronize)
05:10 PM WormFood: My very first microcontroller project (using a BS2), was to replace the 16-channel selector, eprom, and associated circuitry in a VHF business band radio, with a microcontroller and LCD display.
05:10 PM polprog: Now i could use my siggen for a ref osc
05:10 PM polprog: what's a BS2?
05:10 PM polprog: basic stamp?
05:10 PM WormFood: Basic Stamp
05:10 PM polprog: ah
05:10 PM polprog: woooow
05:10 PM WormFood: They're crappy, but I knew nothing about them at the time, but I knew I wanted to play around with them.
05:11 PM WormFood: I kinda pissed off one of my customers, when I told him I got it, because he wants to play with that stuff too, but doesn't have the technical skills (and doesn't want to invest the time to get those skills, it seems)...I thought it was funny.
05:12 PM WormFood: After the BS2, I got into AVRs, which was *the* MCU to use for hacking satellite TeeVee, back in the day.
05:12 PM polprog: :p i might have a card emulator with an avr
05:13 PM WormFood: Using the avr to convert the serial port speed to something the IRD can handle?
05:13 PM polprog: no, a shim shaped PCB that has smartcard contacts and emulates the pay tv card
05:13 PM WormFood: The smart card on the IRD runs at 4.5 MHz (or 4.0 for some older ones), so that comes out to something like 160k bps
05:14 PM polprog: one day old hacker friend just dumped his box of paytv hacker shit on me, as it was obsolete
05:14 PM WormFood: I have one of those. Uses an ATmega128
05:14 PM polprog: yes
05:14 PM WormFood: It's not entirely obsolete.
05:14 PM WormFood: I mean, it is, but not entirely useless.
05:14 PM polprog: I used it to play with my student ID card a bit so it is still useful
05:15 PM WormFood: I want to reuse the smart cards for a crypto/math co-processor for 8-bit machines....not sure if it's feasible, since it uses serial, but it may with the right interface.
05:15 PM polprog: i was thinking about that too
05:15 PM polprog: you can get programmable SIM card blanks from china
05:15 PM polprog: Just upload your key and ask it to RUN GSM ALGORITHM (thats the command name)
05:15 PM WormFood: Oh, by the way, there is a program, and probably the same one you were using, that would emulate the ROM3 smart card, and you just load up a normal EEPROM image into the AVR's EEPROM space.
05:15 PM polprog: i have a few, never got around to talking to them
05:16 PM polprog: i did not emulate any card, i dont have anything to plug the shim into
05:16 PM WormFood: No way to program it?
05:16 PM polprog: No use for a ROM3 card
05:16 PM WormFood: It should have another set of contacts, just like the contacts made for the smart card, but not in a position to actually contact anything, right?
05:17 PM WormFood: What satellite system?
05:17 PM polprog: I dont have a satellite TV system :D
05:17 PM polprog: the only smart card system i have is 1) my student ID, 2) my credit card
05:18 PM WormFood: There is a special programmer socket, that card plugs into, that has the additional connections, to make contact with those extra pins, so you can program it. My programmer uses a parallel port interface, which was common back in the day.
05:18 PM polprog: i guess i could try to make an emulator/logger shim that emulates a card and sees what the reader looks for
05:18 PM polprog: yeah
05:18 PM WormFood: I see. What satellite system was it for?
05:18 PM polprog: No idea :D
05:19 PM polprog: as i said, i completely missed that era (too young)
05:19 PM WormFood: That shim, as you call it, was originally designed to sit between a legit card and the receiver. It's called a "wedge", in satellite slang. It used to be, that when you subscribed, it set your expiration date for 30 years in the future, and that wedge would block the describe packets.
05:19 PM polprog: Ah right!
05:19 PM WormFood: So, without having access to the cards, that was used for a semi-legit system.
05:20 PM polprog: i know @philpem on twitter/mastodon does stuff with old payTV boxes
05:20 PM WormFood: BUT, that wedge/shim is powerful enough, that it can actually emulate the ST16CF54A smart card, used in the ROM2 and ROM3 smart card, from nagravision.
05:20 PM polprog: https://www.philpem.me.uk/hacktv/start
05:21 PM polprog: https://www.philpem.me.uk/hacktv/analogcable/start
05:21 PM WormFood: That card, is more or less a 68C05 CPU (the C indicates it has multiply, and some other feature) emulator...and I was friends with the dude that wrote that software, and he was kind enough to share the source code freely.
05:21 PM polprog: this is what i got most use out of, as its just a smartcard serial adapter
05:21 PM polprog: https://polprog.net/rozne1/ircjunk/various/iso7816/phoenix_funprog.jpg
05:22 PM polprog: I used this to initially read out my student ID (at least the part available w/o the crypto key)
05:22 PM polprog: .... i may or may not have an un-l00per...
05:22 PM polprog: but i dont think Gemalto IDPrime is vulnerable for attacks that simple
05:22 PM WormFood: An unlooper can be programmed to act like a phoenix interface.
05:22 PM polprog: oh
05:23 PM polprog: but as in re-flashed?
05:23 PM WormFood: But I doubt, if you were using it, that it'd be in a glitching mode.
05:23 PM WormFood: Yes
05:23 PM polprog: right
05:23 PM WormFood: I feel it's more likely you were using a phoenix interface.
05:24 PM polprog: this project culminated into this: https://polprog.net/rozne1/ircjunk/various/iso7816/feedlistener/feedlistener.png
05:24 PM polprog: which is a smart card power draw analyzer
05:24 PM WormFood: I now have a usb smart card interface, I picked up at Goodwill for $1, and it works with Linux. I plugged all my cards into it, and some program (forget the name), told me info about the card based on its ATR (it didn't actually probe the card for anything, just the ATR)
05:24 PM polprog: but i designed rev 3, saw that it works and then just put it away
05:24 PM polprog: yeah theres one, i forgot the name too
05:25 PM polprog: ive scripted these readers
05:25 PM polprog: pcsc-scan
05:26 PM WormFood: That's an interesting interface you have there. I've never seen one with both a 25 and 9 pin port. It appears the 25-pin port is for a parallel interface, for programming the AT90S8515 or AT90S2313 on the card....but why that AVR is on the board, I don't know.
05:27 PM polprog: its 2-in-1
05:27 PM polprog: the parport can be used to program pin compatible AVRs
05:27 PM WormFood: Oh, I see
05:27 PM polprog: or you can move the 8 jumpers to connect the card to the partport instead
05:27 PM WormFood: It's a programmer for AVRs too, in addition to a phoenix interface....clever...good idea actually.
05:27 PM polprog: I think it is for synchronous cards like SLE4442
05:27 PM polprog: 4442? SLE-something
05:28 PM polprog: payphone EEPROM cards and the like
05:28 PM WormFood: Not sure. With the AVR on there, it could be programmed to literally do anything.
05:28 PM polprog: hm, good point..
05:29 PM WormFood: Anyways, it's a very interesting design, and a good design for many people, as it can do multiple functions, that most people hacking smart cards need, but not all the time.
05:29 PM WormFood: I actually have a stack, of brand new phoenix interfaces.
05:29 PM polprog: i think its european or polish design
05:29 PM WormFood: Well, NOS
05:29 PM polprog: heh
05:29 PM polprog: I have 2 of them
05:29 PM WormFood: It could be.
05:30 PM WormFood: What do the smart cards you got look like? Any names or identifying logos? Also, what part of the world were these used in?
05:30 PM polprog: right i mirrored the site
05:30 PM polprog: https://polprog.net/rozne1/ircjunk/mir/www.ksw-funcard.civ.pl/FunCard/programatory_recy.htm
05:30 PM polprog: it was made by some polish guy
05:31 PM WormFood: Guys in europe have it easier than those of us in the us, as frequently in europe they use multiple decryption streams, and usually at any time, one of them has been cracked. (at least it was like that, back in the day)
05:31 PM polprog: for programming 90s8515 and 90s2313, and for interfacing synchronous cards
05:32 PM WormFood: The clock on it gives me a clue, that it's not the type that I worked on.
05:33 PM polprog: on the bottom or top part?
05:33 PM WormFood: That's the clock speed they used to read DirecTV cards, back in the day. The Dish Network guys would change the crystal from 3.57 to 3.68, to make the card operate at the correct speed.
05:33 PM WormFood: In the schematics. The crystal speed.
05:33 PM WormFood: not schematics...in his text, at the top of the page
05:34 PM polprog: I dont know but both of my interfaces have the standard-issued clock speed that makes the card talk at 9600 baud
05:34 PM WormFood: I saw that philpem stuff before. Very, very cool.
05:35 PM WormFood: It's only standard for some types of cards. For other types of cards, it will spit out the wrong bit rate.
05:35 PM polprog: he is very smart
05:35 PM polprog: yeah i've seen socketed crystals on these
05:35 PM WormFood: At 3.68, the cards I use, spit out an ATR at 9600, but communicate at 115.2k bps
05:35 PM polprog: or one Phoenix interface with USB and like, 6 different crystals that you set with a jumper
05:35 PM WormFood: I have at least one programmer, that is dual xtal, with a switch
05:35 PM polprog: eek
05:36 PM WormFood: I have seen others with more xtals, but I don't think I've ever seen 6 of 'em on a single board.
05:36 PM polprog: kind of a dead end of a design, the scene is dead anyway
05:37 PM WormFood: Yes...for hacking satellite TV....but still useful for communicating with smart cards. They're still in style.
05:37 PM polprog: i know a guy who knows a guy who used to work in nagra-kudelski
05:37 PM WormFood: Oh really? That's very cool. I'd love to chat with that guy.
05:37 PM polprog: Over here it all moved to RFID, the APDUs are similar but i havent seen anyone use the chip interface anymore, maybe except for credit cards
05:37 PM WormFood: I used to write software for those cards. The ROM2/3/10/11 mostly, but I also emulated the ROM101/102/103
05:38 PM polprog: i know Sebastien "F4GRX" used to work with smart cards too
05:38 PM WormFood: It was a lot of fun, back in the day.
05:39 PM polprog: I dont remember if i got that far but i need to see if my card returns a different error for when you try to read a nonexistent DF vs a DF you cannot read
05:39 PM WormFood: The very first program I ever wrote for a smart card, was a program that would allow me to order PPVs from the remote, never subtract money from my credit, get around the receiver's limit of 9 unpaid PPVs, and delete the PPV when it expired.
05:39 PM polprog: i've been collecting info about student ID cards, i know some of the common AIDs
05:39 PM polprog: i could scan them too
05:40 PM WormFood: When I was in China, I had an open source app, that would read the balance on my subway card, and show me the last 10 or so transactions on the card.
05:40 PM WormFood: Actually, that app would read a LOT of different subway/bus/metro cards.
05:40 PM polprog: There is one yes
05:41 PM polprog: for some cards the keys are public
05:41 PM polprog: for some are not
05:41 PM WormFood: I had a samsung note 2, and it would read the chip in my passport, but the Note 5 wouldn't do it.
05:41 PM polprog: Warsaw transit cards are the latter, tho the keys were leaked at some point
05:41 PM polprog: and its a vulnerable card anyway
05:41 PM WormFood: With enough time and effort, the keys can be cracked.
05:41 PM WormFood: Also, many cards are vulnerable to glitching.
05:42 PM polprog: i mean RFID
05:42 PM polprog: chip cards.. yeah id like to try
05:42 PM WormFood: That's how we'd break the security on the newer smart cards, by glitching them.
05:42 PM WormFood: Sadly, I don't think you can glitch an NFC card, without accessing the hardware.
05:42 PM polprog: but are the new-new ones still vulnerable to glitches?
05:42 PM WormFood: You'll probably need to pull the IC out, and power it from a non-rf source.
05:43 PM WormFood: I'm not sure, but I'd expect somewhere they are.
05:43 PM polprog: No, but the NFC ones had badly designed crypto engines and you could deduce the keys with enough challenge-response data
05:43 PM polprog: Mifare classic 1k is basically cracked, there is a script that uses off the shelf readers
05:43 PM WormFood: What I wanted to know, is why nobody tried to glitch the cards into issuer mode. If we could do that, we could access any card, no matter what the provider put on it.
05:43 PM polprog: leave it for 2h and it will crack the card
05:44 PM WormFood: Oh wow! That's awesome. I hadn't heard about that one yet.
05:45 PM polprog: it was ages ago :D
05:45 PM WormFood: Someone figured out, how to erase the OTP EEPROM bytes on the ST16CF54A (and probably the whole ST16CFxx family), so I could put a card into issuer mode, to play with.
05:45 PM WormFood: If you don't want the smart cards, I'll pay to ship 'em to me.
05:46 PM WormFood: I have a collection of smart cards...most for satellite tv.
05:46 PM WormFood: I have one card, that is solid white, except for the bar code/serial number...and it's a ROM3 :D Very hard to find card.
05:47 PM WormFood: And you'll appreciate this....I think....
05:47 PM polprog: one of the slides https://www.blackhat.com/docs/sp-14/materials/arsenal/sp-14-Almeida-Hacking-MIFARE-Classic-Cards-Slides.pdf
05:48 PM WormFood: So, they had the 1st generation of cards, we call it nagra1, and the first 2 versions were the ROM2 and ROM3...these were based on the ST16CF54A smart card. The next version was based on the ST19CF54 smart card, and was used in the ROM10 and ROM11
05:48 PM WormFood: They were planning on doing a card swap. Kill all first gen cards (rom2/3), and keep the new cards (rom10/11) online....but they never did that, because we hacked the rom10/11 cards before they could even start the card swap process.
05:49 PM polprog: hmm
05:49 PM WormFood: So, they introduced the nagra2 generation, starting with the rom101 card, which is based on the ST19CF54 card...the same IC used in the ROM10/11
05:50 PM polprog: I have some phone cards I could share my collection, but other than that.. old SIM cards
05:50 PM WormFood: They started a card swap, to kill all nagra1 (rom2/3/10/11), and keep only the new one....but before they could finish their card swap, we cracked the new cards.
05:50 PM polprog: i have the pic+eprom "Gold Card", and some nagravision TV card
05:50 PM WormFood: by then they had started the 2nd gen of nagra2, with the rom102 and rom103 cards, that were based on the ST19XLxx family.
05:51 PM polprog: i think the only TV card i have is one like this https://allegro.pl/oferta/cyfrowy-polsat-13493669048
05:51 PM WormFood: So, because they had to keep the ROM101 cards running, that they had just replaced, we were able to emulate the ROM101 (nagra2), on all of the older Nagra1 cards.
05:52 PM polprog: oooooh
05:52 PM polprog: https://allegro.pl/oferta/2-s-m-modul-bezpieczenstwa-rrr-13488305839
05:52 PM WormFood: This hack was private, and I told my friends to buy all the ROM10 cards they could find, for cheap. After they killed off Nagra1, prices dropped really fast on ebay, but a few months later, prices spiked as this new hack was made public.
05:53 PM WormFood: I had a blast hacking this stuff.
05:53 PM polprog: i didnt know you were involved
05:54 PM WormFood: Yeah. I did hardware and software hacks
05:54 PM polprog: thats pretty awesome
05:54 PM WormFood: Only had one good idea, for new attacks, and I didn't implement it, but someone else did, and it worked. Not really an attack per se, but I figured out how to decode more of the data stream
05:55 PM polprog: Perhaps i should get the unlo0per running on my cards...
05:55 PM WormFood: There is a tool, made just for glitching. I forget the name at the moment, but it's about $600, and I want one.
05:55 PM polprog: chipwhisperer?
05:55 PM WormFood: yes! That's it!
05:56 PM polprog: I was thinking about making one myself from some hv inverters
05:56 PM WormFood: I want so much to play with one of those, on my old smart cards.
05:56 PM polprog: as its basically that
05:56 PM polprog: oh yeah, you can take it to a lot of things :P
05:56 PM WormFood: Not if it does everything it claims to do.
05:56 PM WormFood: There are LOTS of different ways to glitch chips.
05:56 PM polprog: They put a lot of R&D into it
05:56 PM polprog: yeah
05:57 PM polprog: i think ill try with the unlooper first
05:57 PM WormFood: you have spikes, glitches, and noise, and you can apply those to the negative or positive on any inputs/outputs.
05:57 PM polprog: chipwhisperer is just for EMI glitches
05:57 PM WormFood: There is even a technique called "ground bounce"
05:57 PM WormFood: oh really, just EMI?
05:58 PM polprog: So they use it by applying the EMI spike at different places on the die
05:58 PM WormFood: How can they do that?
05:58 PM polprog: yeah the ones i saw were just emi
05:58 PM polprog: HV discharge through a small coil
05:58 PM WormFood: an EMI spike is just radio waves. The near field would cover the entire IC, I would expect.
05:58 PM WormFood: Are they really able to direct it to a specific area of the IC?
05:59 PM polprog: It makes a difference where you spike it
05:59 PM WormFood: Interesting.
05:59 PM polprog: they had a demo with a 3d printer used to move the coil around the chip and it would show vulnerable places on a heatmap
05:59 PM WormFood: I wonder how these old cards would handle that, and what it would allow me to do.
06:00 PM polprog: good question
06:00 PM WormFood: I have a big stack of looped cards, that I could repair, I think, with the right tools. Of course, I don't need the cards, but it's something I want to experiment with.
06:00 PM polprog: so another thing I was wondering about was that power draw analysis
06:00 PM WormFood: DPA
06:00 PM polprog: my rev3 of that board I showed you can detect different patterns for different cards
06:00 PM polprog: But I only did ATRs first
06:00 PM WormFood: That always seemed kinda suspect to me.
06:01 PM polprog: let me show you
06:01 PM WormFood: I totally understand how DPA works, but I feel like it would be of limited value. Not totally useless, but not totally useful on its own.
06:01 PM polprog: in theory you can guess the state of the register but I think it's more of an observation
06:02 PM polprog: if the system is not hardened against it you can for example see
06:02 PM polprog: that after N bytes of keycode or access code the circuit turns off
06:02 PM polprog: simple example but I think Dave Jones used that to guess the code to a supermarket electronic safe
06:04 PM WormFood: That would be very cool.
06:04 PM polprog: http://0x0.st/Ho7A.jpg
06:04 PM polprog: This is what i got so far
06:04 PM polprog: I built and perfected rev2
06:05 PM polprog: and then shelved the project
06:05 PM polprog: I need to get the analog part right. Too much noise
06:05 PM WormFood: I'm not sure if philpem is the same guy that made a DVB-S SDR transmitter. That was really cool. Had a satellite receiver with a little antenna in its coax port, displaying TeeVee he was broadcasting with his SDR
06:06 PM WormFood: That's some interesting stuff.
06:06 PM WormFood: DPA is a side channel attack, and I always found that type of stuff interesting.
06:07 PM polprog: Yes
06:08 PM WormFood: Funny story I just remembered....I had written a program, that was avoiding all the attacks thrown at us for months. Someone else, wanted a copy of the card I was using, so he unlocked it, and read the card, and was really pissed off to see the card was blank.
06:08 PM polprog: lol
06:08 PM WormFood: I had written the back door unlock routine, so it would erase the card before it unlocked it. If you wanted to be clever, and reset the card in the middle of an erase, the most you could get out of it is the code that erases the code.
06:09 PM WormFood: And I only left one tiny little thing behind, that could identify it as a hacked card. Something I had to change to make my hack work.
06:10 PM WormFood: And something I couldn't restore (safely), to original condition.
06:10 PM WormFood: I never released my self-erasing back door publicly.
06:11 PM polprog: :) good to leave something for yourself
06:11 PM WormFood: And they had a flaw in the back door unlock routine, that everyone used. It was supposed to be 256^8 but due to a timing attack, it became 256*8. I fixed that by XORing the password bytes, and checking at the end, to see if anything is a 1.
06:12 PM WormFood: I did a lot of cool stuff with satellite TeeVee back in the day. I miss how much fun I had exploring and hacking their system.
06:12 PM polprog: you made me want to go back to poking my student id
06:13 PM polprog: finish the command scanner
06:13 PM polprog: perhaps see if I can glitch it
06:13 PM WormFood: Oh yeah...for compiling software, most people would use a 6805 assembler, then someone wrote a tool that would convert the output of the assembler, into something our smart card programming software uses. But I took a 6805 assembler, and modified the hell out of it, and made it specific to our smart cards, and it output the right format.
06:13 PM polprog: gotta hit the hay
06:13 PM WormFood: I wouldn't doubt you could glitch it.
06:14 PM WormFood: I enjoyed the conversation. Chat later. Have a good night.
06:14 PM polprog: Thanks
06:14 PM polprog: See you around
06:15 PM WormFood: Good night
07:31 PM rue_mohr: :]
10:26 PM WormFood: I just got finished making my first 40 meter dipole antenna. All I have left to do, is make the insulators for the ends, tune it, and mount it somewhere.
10:26 PM rue_mohr: :]
10:26 PM WormFood: They're amazingly easy to make...those and 1/2 way ground planes.
10:26 PM WormFood: wave*
10:27 PM WormFood: I've made VHF antennas before. Those are easy to work with, because the elements are so short. My dipole is over 60 feet long
10:34 PM rue_mohr: me and RF do not get along
10:34 PM WormFood: Really? Did you get burned once?
10:35 PM rue_mohr: no, nothing RF works for me
10:35 PM WormFood: RF is some weird shit sometimes. It's very picky
10:47 PM rue_mohr: yep
10:47 PM rue_mohr: I didn't get past crystal radio