Sunday, July 4, 2010

Reversing an RF Clicker

by Travis Goodspeed <travis at radiantmachines.com>
concerning the Turning Point ResponseCard RF,
having FCC ID R4WRCRF01,
patented as USA 7,330,716.


Turning Point Clicker

In this article, I describe in detail the methods by which I have reverse engineered the TurningPoint ResponseCard RF, casually known among students as a "Clicker". This 2.4GHz radio transceiver is used in undergraduate university classrooms for automated roll-call and in-class quizzing or voting. By dumping and analyzing its firmware, one can determine the radio protocol necessary to intercept and forge packets, as well as to build a custom base station. The radio hardware that I have used is a reprogrammed Next HOPE Badge running the GoodFET firmware.

A follow-up article will likely describe the writing of replacement firmware, but that can be easily enough discovered by an enterprising reader. My purpose instead is to provide the information necessary to build compatible products, as well as to teach the technique of reverse engineering these products to find such information when none is available.

Disassembly


The Clicker's keypad is attached only with adhesive, and it can be pulled off after lifting an edge with a knife blade. Beneath the keypad, there are four screws holding the board in place, plus a fifth from the rear of the device. If you are lucky, these will be small Phillips screws, but the unlucky will find tri-wing "Nintendo" screws. I was lucky to have one of each type, but those with neither a Phillips-screwed Clicker nor a tri-wing screwdriver can buy one or try one of these tricks.
Devil Screws

In either case, it isn't strictly necessary to open your clicker, as test-points for dumping and replacing its firmware are accessible from the battery compartment. Further, the radio communications are accessible with no hardware access whatsoever.

Hardware


The Clicker is built upon a Nordic nRF24E1 chip, which combines an 8051 microcontroller with an nRF2401 radio transceiver. Although the two cores have been combined into a single package, the 8051 core speaks to the radio through a few bit-field registers and an internal SPI bus, which is shared with the external SPI bus.

As the nRF24E1 lacks internal non-volatile storage, a CAT25C32 (pdf) SPI EEPROM is used for program and configuration storage. Within the microcontroller, there is a masked ROM bootloader from 8000h to 81FFh that loads executable code from the EEPROM into executable RAM from 0000h to 0FFFh.

Hacked Clicker Board

Dumping Firmware


At the base of the circuit board's primary side, there are test points for the SPI EEPROM. As the default firmware only uses the SPI bus when buttons are pressed, this EEPROM may be dumped at any point after the device has booted. The test points are as follows, which should be matched to those of equivalent names in the GoodFET SPI Table. They were determined by use of a continuity tester.
Test Point    Signal
T4            MISO
T5            SCK
T6            MOSI
T3            !CS
T1            VCC
GND           GND


In order to dump the firmware, I quickly wrote a GoodFET client for the 25C32 using its datasheet. A read is performed by sending {0x02, AL, AH, 0} as a SPI transaction, with the result coming back as the fourth byte. Doing it this way with the GoodFET's SPI driver is slower than having C code within the GoodFET dump the whole ROM, but it's fast enough for a dump and takes very little code.
Quick and Dirty 25C32 Driver

From this point, I dumped the firmware with 'goodfet.spi25c dump image.hex', converted the Intel Hex file to binary, and popped it open in Emacs/hexl. The result looks something like the following, whose format is described in the nRF24E1 datasheet. The opening passage is {u8 config, u8 entry offset, u8 blockcount}. Here {0x0B, 0x07, 0x0B} means that executable code begins at byte 0x07, and that the total image length is 0x0B*256==2,816 bytes. (Additional space within the SPI ROM is unused and left as 0xFF.)
Clicker ROM

To produce an image suitable for a disassembler, I cut the bytes before 0x07 to make an image beginning with {0x02, 0x0A, 0xB7, ...}. The extra bytes in this region are the serial number and default frequency, but we'll get back to that later.
Clicker Dev Kit

Firmware Analysis


As the firmware is only three kilobytes, it doesn't take terribly long to reverse engineer. First, the Special Function Registers (SFR) which are defined on pages 79 and 81 of the nRF24E1 datasheet are fed to the disassembler.

(I'm using IDA Pro here, but any 8051 disassembler with a decent text editor could suffice. All of the following function labels are from my imagination, while Special Function Registers (SFRs) come from the nRF24E1 datasheet.)

For example, "MOV 0xA0, #0x80" is rather opaque, but "MOV RADIO, #0x80" makes it clear that the immediate value 0x80 is being placed into the RADIO register. Page 89 of the datasheet will then explain that the high bit of the radio register is power control, so this instruction is powering up the radio for use. Similarly, "SETB RADIO.3" is setting the fourth bit of the RADIO register, which the datasheet describes as raising the CS signal.

Once the SFR addresses are known, it becomes useful to search for them in order to identify the I/O routines. In the nRF24E1, the radio is accessed across a SPI bus, so a good first step is to identify the SPI routine. The function containing this code will always include a MOV involving the SPI_DATA register.
SPIRXTX for 8051

Having this, a list of cross-references quickly shows that while few functions call the SPIRXTX function, each calls it many times. This is because the author has chosen to repeatedly call that function with immediate values, rather than to dump an array of bytes with a for(){} loop.
Functions calling SPIRXTX

While the disassembler can automatically identify the function entry points in the table above, it is not capable of giving them English names or descriptions. To understand how this is done, it is necessary to read the datasheets of the SPI devices.

The SPI EEPROM chip, a CAT25C32, is used by dropping the !CS line then writing an opcode byte followed by its parameters or results. Opcodes include WREN/WRDI for write protection, RDSR/WRSR for accessing a status register, and READ/WRITE for reading and writing bytes. A WRITE may only be performed when the external !WP pin is low and the software write protect has been disabled by opcode. A transaction begins when !CS drops low and ends when it drops high.

To identify the function which reads a byte from the 25C32, a few things can be safely assumed: (1) The function will begin by dropping some I/O pin (!CS). (2) The function will then broadcast the READ opcode, 0x03. (3) It will then broadcast a sixteen bit parameter; that is, DPL followed by DPH. (4) Finally, it will return the result of a fourth SPIRXTX call. In pseudocode, that would be something like
u8 SPIROMPEEK(u16 ADR){
  /* !CS is dropped low before the transaction and raised after it. */
  SPIRXTX(0x03);        /* READ opcode */
  SPIRXTX(ADR & 0xFF);  /* ADRL (DPL) */
  SPIRXTX(ADR >> 8);    /* ADRH (DPH) */
  return SPIRXTX(0x00); /* a dummy byte clocks the result out */
}


Sure enough, one of the few functions calling SPIRXTX does exactly this. The constant pushing and popping of the parameters is a quirk of the compiler, which might possibly allow it to be identified. From the code below, it is clear that P0.0 is the !CS line of the CAT25C32.
SPIROMPEEK

The SPIROMPOKE function looks similar, except that two transactions are performed. First the WREN (0x06) opcode is sent to enable writing, then WRITE (0x02) is used to perform the actual write.

The other SPI operations concern the nRF2401 radio core, which behaves differently from the EEPROM. Rather than transactions being an opcode followed by parameters, there is only a single SPI register that must be completely written during a transaction. A second register, selected by the CE line, contains the packets.

The configuration is set by one big register, sent MSBit first. If fewer than the needed bytes are sent, the value is right-aligned into the lower bytes of the register. That is, the last byte sent is always (CHAN<<1)|RXMODE and the second to last always describes the radio configuration.
nRF2401 Config Register

Searching around a bit yields the RADIOWRCONFIG function, the tail of which is below. It can be seen from the code that the 0x1A IRAM byte holds the channel number. That is, if 0x20 is stored at 0x1A, the radio will be configured to 2,432 MHz. The other configuration bytes reveal that the MAC addresses are 24 bits, the checksum is 16 bits, and the device broadcasts at maximum power sourced from a 16MHz crystal. (That the configured crystal is identical to the one on the board is very important. Some enterprising coders will lie to a chip about its crystal in order to access an unsupported radio frequency.)
Clicker RF Config

At this point, what still remains before traffic can be sniffed is to find the target address to which packets are broadcast, as well as the frequency. We'll start with the address, because that's a bit easier.

The TXPACKET function involves a lot of PUSH and POP instructions, but it otherwise looks very similar to the RADIOWRCONFIG function, in that a series of bytes are written in order with repeated function calls to SPIRXTX. In pseudocode, this function becomes the following. From the radio documentation and configuration, it is clear that the first three bytes will be the target MAC address. From the RADIOWRCONFIG() function, it is equally clear that the three bytes at 0x1B are the receiving MAC address of the unit. (The parameter of the function happens to be the button press, as can be determined by tracking the keyboard I/O routines or viewing a few packets.)
void TXPACKET(u8 button){
  RADIOHOP();           //set channel from the byte at IRAM 0x1A

  //Target MAC address, IRAM 0x1E..0x20 (IRAM[n] is internal RAM byte n)
  SPIRXTX(IRAM[0x1E]);
  SPIRXTX(IRAM[0x1F]);
  SPIRXTX(IRAM[0x20]);

  //Source MAC address, IRAM 0x1B..0x1D
  SPIRXTX(IRAM[0x1B]);
  SPIRXTX(IRAM[0x1C]);
  SPIRXTX(IRAM[0x1D]);

  //Data value: the button pressed
  SPIRXTX(button);
}

The radio itself will append a 16-bit CRC; therefore, the full packet then becomes {u24 tmac, u24 smac, u8 button}.

To determine the value of the target MAC address, just grep the disassembly for "mov" and one of 0x1E, 0x1F, 0x20. The relevant instructions are as follows, setting the target MAC address to 0x123456. (In 8051 notation, the first instruction moves the immediate constant #0x12 into byte 0x1E of IRAM.)
mov 0x1E, #0x12
mov 0x1F, #0x34
mov 0x20, #0x56
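As an added example, not code from this article or from the GoodFET project, here is a Python encoder and decoder for the seven-byte payload described above, {u24 tmac, u24 smac, u8 button}, together with the channel byte of the nRF2401 configuration register. It assumes addresses go over the air most-significant byte first, as TXPACKET writes IRAM 0x1E before 0x20, and that the receiving radio has already verified and stripped the CRC; the sample packet is constructed.

```python
PAYLOAD_LEN = 7              # {u24 tmac, u24 smac, u8 button}; CRC-16 is added by the radio
BASE_STATION_MAC = 0x123456  # the immediates the firmware moves into IRAM 0x1E..0x20

def pack_mac(mac):
    """24-bit address as three bytes, most-significant byte first, which is
    the order TXPACKET clocks IRAM 0x1E, 0x1F, 0x20 out over SPI (assumed)."""
    if not 0 <= mac <= 0xFFFFFF:
        raise ValueError("MAC must fit in 24 bits")
    return mac.to_bytes(3, "big")

def build_payload(tmac, smac, button):
    """The seven bytes the firmware hands the nRF2401 for one keypress."""
    key = str(button).encode("ascii")
    if len(key) != 1:
        raise ValueError("button is a single ASCII character")
    return pack_mac(tmac) + pack_mac(smac) + key

def parse_payload(raw):
    """Decode a received payload (CRC already checked and stripped by the
    receiving radio) into (tmac, smac, button)."""
    if len(raw) != PAYLOAD_LEN:
        raise ValueError("expected %d payload bytes, got %d" % (PAYLOAD_LEN, len(raw)))
    tmac = int.from_bytes(raw[0:3], "big")
    smac = int.from_bytes(raw[3:6], "big")
    return tmac, smac, chr(raw[6])

def describe(raw):
    """One log line per vote, flagging payloads not aimed at the base station."""
    tmac, smac, button = parse_payload(raw)
    note = "" if tmac == BASE_STATION_MAC else " (unexpected target)"
    return "unit %06X -> %06X pressed %s%s" % (smac, tmac, button, note)

def config_tail(chan, rxmode):
    """Final byte of the nRF2401 configuration register: (CHAN<<1)|RXMODE."""
    if not 0 <= chan <= 0x7F:
        raise ValueError("channel must fit in 7 bits")
    return (chan << 1) | (1 if rxmode else 0)

def decode_config_tail(byte):
    """Inverse of config_tail: (chan, rxmode, centre frequency in MHz)."""
    chan, rxmode = byte >> 1, byte & 1
    return chan, rxmode, 2400 + chan

# Constructed sample: key "5" (0x35) pressed on unit 1F8760, addressed to
# the 0x123456 base station.
SAMPLE = bytes.fromhex("123456" "1F8760" "35")
```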


At this point, it would be possible to scan each channel for a few seconds, listening for packets sent to that address, but it's classier to find the value by static analysis. Acting on the hunch that the configuration is held in EEPROM and looking for references to the SPIROMPEEK() function, the READIDFREQ() function can be found. As can be seen in the fragment below, EEPROM[6] holds the channel number while the MAC address is at EEPROM[3,4,5].
Clicker Config

As the EEPROM begins with "0b 07 0b 15 79 1b 29", it's clear that the MAC address of the unit from which it came is 0x15791B and that it is broadcasting on 2400+0x29=2441MHz. This can be double-checked by the serial number "15791B" being printed on the label.
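As an added example (my own Python, not the goodfet.spi25c client or the Clicker firmware), the following parses a raw EEPROM dump the way the boot ROM and READIDFREQ() read it: the three-byte header, the unit's MAC and channel, and the executable slice for a disassembler. It assumes a 4 KiB CAT25C32 dump with the image length counted from the start of the EEPROM; the sample dump is constructed from the header bytes quoted above.

```python
MAC_OFF, CHAN_OFF = 3, 6   # EEPROM[3..5] = unit MAC, EEPROM[6] = channel
EEPROM_SIZE = 4096         # CAT25C32 is 32 kbit

def parse_boot_header(eeprom):
    """Return (config, entry_offset, image_len) from {u8 config, u8 entry, u8 blockcount}."""
    if len(eeprom) < 3:
        raise ValueError("dump too short for a boot header")
    config, entry, blocks = eeprom[0], eeprom[1], eeprom[2]
    return config, entry, blocks * 256

def unit_identity(eeprom):
    """(mac, channel, frequency_mhz) as the factory stored them."""
    if len(eeprom) < CHAN_OFF + 1:
        raise ValueError("dump too short for ID/frequency bytes")
    mac = int.from_bytes(eeprom[MAC_OFF:MAC_OFF + 3], "big")
    chan = eeprom[CHAN_OFF]
    return mac, chan, 2400 + chan

def serial_label(mac):
    """The serial printed on the sticker is the MAC in upper-case hex."""
    return "%06X" % mac

def executable_image(eeprom):
    """Slice the code the bootloader copies into RAM at 0000h: from the entry
    offset up to blockcount*256 (assumed to be measured from EEPROM byte 0)."""
    _, entry, image_len = parse_boot_header(eeprom)
    if entry > image_len or image_len > len(eeprom):
        raise ValueError("header inconsistent with dump length")
    return bytes(eeprom[entry:image_len])

def unused_tail_erased(eeprom):
    """True when everything past the image is still erased (0xFF)."""
    _, _, image_len = parse_boot_header(eeprom)
    return all(b == 0xFF for b in eeprom[image_len:])

def sample_dump():
    """Constructed dump: the quoted header "0b 07 0b 15 79 1b 29", the
    LJMP (02 0A B7) at the entry offset, zero filler, and 0xFF past the image."""
    head = bytes.fromhex("0b070b15791b29")
    image_len = 0x0B * 256
    code = bytes.fromhex("020ab7") + bytes(image_len - len(head) - 3)
    return head + code + bytes([0xFF]) * (EEPROM_SIZE - image_len)
```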

Implementation


Knowing the modulation scheme, target address, and packet contents, it becomes possible to sniff traffic from a Clicker. This is performed by use of the GoodFET firmware on a Next Hope badge, my prior tutorial for which describes the process of packet sniffing.

The NHBadge board contains an nRF24L01+ radio, which differs dramatically from the nRF2401 in terms of how it is configured. Still, the radios are sufficiently compatible. The following hack of the goodfet.nrf client allows packets to be sniffed from the air with proper checksumming.
Sniffing TurningPoint Traffic

Sure enough, here are some packets of the 5 button being pressed on unit 1F8760. The keypress is the final byte in ASCII.
Clicker Sniffing

Response Codes



Now that it is clear how to receive and recognize button presses, it becomes necessary to reverse engineer the response codes which might be sent from the access point. Without hearing a reply of at least an ACK, the Clicker will continue to broadcast each message more than three hundred times. This takes more than ten seconds, during which all other key presses are ignored.

The broadcast loop within the MAIN() function would look a little like this in C.
u8 reply = 0;
for(count = 0; count < MAXCOUNT && !reply; count++){
  TXPACKET(button);   //rebroadcast the keypress
  reply = RADIORX();  //nonzero once the base station answers
}
switch(reply){...}    //act on the response code


This region is easy enough to find, but there's another command mode. An easier target is the channel hopping routine, which constantly broadcasts 0x3F while incrementing the channel, sticking with the last one on which a reply of 0x18 was received. Channels 1 through 83 are attempted; that is, 2,401 MHz to 2,483 MHz in 1 MHz steps.
Clicker SYN/ACK

Checking this code within the MAIN() function reveals that its effect is to blink the green LED (P1.1) six times, exiting the broadcast loop. Other commands include 0x04 (LED Off), 0x06 (LED Green), 0x15 (LED Red), 0x11 (Blink Green), 0x14 (Blink Red), and 0x18 (Blink Green, Channel Lock). All undefined opcodes set the red LED.

Conclusions


By sniffing traffic within a classroom, it is possible to watch votes as they are being cast by students. Similarly, packets could be broadcast by a reprogrammed Clicker or NHBadge to make a student in virtual attendance, automatically voting with the majority so as to gain perfect attendance and a solid C quiz average. Where instant feedback is available, this might even allow for a solid A quiz average. Without taking advantage of the masked-ROM option of the nRF24E1, the code cannot be even slightly protected from extraction and reverse engineering.

Less adventurous users can jam the network by running 'goodfet.nrf carrier 2441000000' to hold a carrier wave on the channel. The only attempt at a frequency change is made when pressing the GO button, at which point the new channel can be discovered and similarly jammed.

Since performing this work, it has come to my attention that a USRP plugin for doing this to the competing 900MHz iClicker product is available as http://gr-clicker.sourceforge.net/. Additionally, the infrared Clicker units were broken with a little tool called Survey Says. I have ordered more sophisticated Clicker models from CPS and Turning Point, and proper descriptions of them will soon follow.
