ARDUINO: HYGROMETER FOR SENSING SOIL MOISTURE - Layout for this exercise:
- The goal of this exercise is to build an Arduino circuit able to detect moisture levels, for instance it could be used for a pot of plants. - The circuit will trigger a couple of alarms (buzzer sound and red LED) whenever the moisture level is under a moisture threshold specified at the Arduino sketch. - There are several moisture sensor available in the market, for instance the HL-69, YL-69, FC-28, ..., all of them compatible with the Arduino board. - A moisture sensor consists of two parts: a prong sensor and a controller. - On one side the controller is directly connected to the sensor, on the other side it is connected to the Arduino board:
AO (Analog Output) -> A0
DO (Digital Output) -> not used
GND (Ground) -> GND
VCC -> +5 V
- Code:
- Let's analyze the code. - First of all, the readings are taken from the analog A0 pin connected to the controller: - Because the range of digital conversion at the analog input A0 is from 0 to 1023, let's calibrate the reading so that 0 corresponds to 100% and 1023 to 0% of moisture: - When moisture is below 20% the two alarms are triggered: a buzzer produces a sound of 2000 Hz and a red LED blinks:
- Also, the serial ouput prints the moisture level on the screen every 2 seconds, whenever a new reading is made. In this picture the % of moisture varies abruptly when the sensor detects water:
- Testing the circuit, when the sensor is touching dry soil the buzzer beeps and the red LED blinks. However, if water is added to the soil both the beep and red light stop. Also, a message is printed through the serial monitor displaying the increase in humidity level:
- Layout for this exercise: 1 - Introduction - The goal of this exercise is to trigger 3 alarms when a temperature threshold is exceeded. - For that purpose an Arduino microcontroller is connected to 4 electronic devices: a) TMP36: precision temperature sensor that measures the temperature of the environment b) red LED: blinks when the temperature goes above a limit c) serial monitor: prints messages on the serial terminal d) buzzer or piezo element: beeps when the temperature goes above a limit 2 - Code - This is the code used in this exercise: 3 - Analysis of the code - The temperature sensor is connected to the input analog A0 pin which converts the voltage output of the sensor to digital values, and finally translating into Farenheit degrees:
- Setting a temperature threshold, three events happen if the threshold is exceeded: a) a beep of 2000 Hz and 500 ms:
b) a red LED blinks:
c) a warning message is printed at the serial monitor:
- The serial monitor is initialized to 9600 bauds: - The series of Farenheit temperatures is normally displayed at the monitor, until a warning message (WARNING, VERY HOT !!) is triggered when the temperature goes above 100.00 F:
4 - Testing the circuit - In this video it can be checked how the 3 alarms (red LED, buzzer beep and monitor message) go off when a hot air jet from a hair dryer is blown over the circuit, increasing the temperature above 100 F:
ARDUINO: PIEZOELECTRIC BUZZER PLAYING JINGLE BELLS 1 - Introduction - A buzzer is an electromechanical component that can be used to make noise or even play music. - Inside the buzzer there is a coil of wire and a small magnet. When current flows through the coil it becomes magnetized and pulls towards the magnet creating a tiny "click". When the click is played thousands of times per second tones are created. - The Arduino has a built-in command called tone() which clicks the buzzer at a certain frequency. - Frequencies used in this exercise and their corresponding notes: x (g for a lower octave) = 196 Hz y (a for a lower octave) = 220 Hz c = 261 Hz d = 293 Hz e = 329 Hz f = 349 Hz g = 392 Hz a = 440 Hz 2 - Layout schematics - The buzzer has two pins, one positive (marked by a "+" symbol) and the other negative. - In this example the positive pin is connected to Arduino digital pin 9 (optionally through a resistor of 330 Ohms), and the negative pin is connected to GND.
3 - Running the Arduino sketch - The code used in this Arduino sketch:
- Running the code over the circuit (the resistor of the previous schematics has been removed to obtain louder sound from the buzzer):
ARDUINO: SERVO AND DC SPINNING MOTORS 1 - Servomotor - Layout for this exercise: - The goal of this exercise is to make rotate a servo motor back and forth through the full range of motion, what is 180 degrees. - A servo motor include feedback circuitry that allows it to be commanded to specific positions, what makes it very useful in robotics. - The servo has got 3 wires that can be connected with jumper wires: black goes to ground, red goes to 5 V and yellow goes to the Arduino 6 digital pin.
- Code: - Let's analysis the code. - First of all the servo library is included, so that all servo functions can be easily accessed. Also, a servo object called "s" is defined: - Now, the servo object is attached to the Arduino 6 digital pin: - The movement goes from 0 to 180 degrees: - The first rotation takes 100 ms delay between each move, stepping 1 degree: - 1 second of delay between the two rotations: - The second rotation is faster because there is just 20 milliseconds between each move: - Testing the circuit:
2 - DC Spinning Motor - Layout for this exercise:
- The goal of this exercise is to connect a DC motor to an Arduino circuit so that the motor starts spinning and accelerating up to a maximum speed and then decelerates until stopping. - Two electronic components are used: a) Transistor: it helps to run the DC motor, because the motor needs more current (even 100 or 250 mA) than provided by the Arduino pins (40 mA). The transistor has 3 pins (Collector: connected to the motor, Base: connected to the resistor, Emitter: connected to GND). b) Diode: when the motor is spinning and suddenly turned off, the magnetic field inside it collapses, generating a voltage spike that can damage the transistor. To prevent this, a diode is used, diverting the voltage spike away from the transistor. The diode has 2 pins (Cathode: connected to 5 V, Anode: connected to the transistor) - Code: - Let's analyse the code. - The 10 pin is assigned as the motorPin and oputput mode. Also, the serial monitor is initialized with 9600 bauds, inviting the user to enter a speed inside the 0 to 255 interval:
- The analogWrite() function pulses the motorPin using the PWM(Pulse Width Modulation) technique, varying the width of the pulse from 0% to 100%. - The motor accelerates with 10 milliseconds delay between each move: - Same thing for the decelerating process: - Once uploaded the sketch to the board the user enters the rotation speed through the serial monitor interface:
- Testing the circuit:
HACKING THE KANKUN SMART PLUG - Layout for this exercise:
- In this exercise we will use a Phyton script written by 0x00string. It is available here: https://github.com/0x00string/kankuncontroller/blob/master/kkeps_controller.py - The Python script allows to control the Kankun Smart Plug form a computer connected to the same network (OK_SP3) created by the plug. - The script takes advantage of the AES key used by Kankun and discovered in the previous post. - Let's open the script kkeps_controller.py:
- For the purpose of hacking the plug we need its MAC address: - That MAC address must be introduced into the script as the variable RMAC: - The usage of the script requires the parameter -a --action:
- Now, lets use kkeps_controller.py with -a on: - The red light goes on and the connected lamp turns on:
- Using kkeps_controller.py with -a off: - The red light goes off and the connected lamp turns off:
- Let's go to the application smartwifi.apk: - Unzipping the application:
- Updating the internal database of Ubuntu: - Locating the native ARM code of the application (shared object library libNDK_03.so) inside the unzipped folder:
- Determining the type of the file, it is an ARM architecture intended application:
- Reading the headers, we also notice that it uses little endian format:
2 - Using the "strings" command to find the hardcoded key - One of the problems of hardcoding a key and storing it as a string is that it can be easily discovered. - For instance, applying the command strings over the shared object library libNDK_03.so several strings starting with AES are discovered, giving us a hint that the AES encryption is used. For instance, aes_set_key or aes_encrypt: ... ...
- Redirecting the output of the command strings to a text file:
- Now, using a Python script we can detect up to four strings starting with AES inside the text file, meaning that the AES algorithm encryption is very probably used:
- The AES algorithm uses three possible different key lengths: 128, 192 and 256 bits (16, 24 and 32 Bytes). https://en.wikipedia.org/wiki/Advanced_Encryption_Standard - So, the possible AES keys must be of either 16, 24, or 32 Bytes length. Let's use a Python script for finding strings of those sizes (plus 1, because in the text file the strings end up with a return line character). - First, let's suppose that the key is of 256 bits (32 Bytes = 33 characters including the last return line). Two strings of that length are discovered. The first one is just a system string, so the second one could be a good candidate to be the AES key:
- Using the same Python scripts for sizes of 16 Bytes and 24 Bytes, the result is that all the discovered strings are system strings, so we can conclude that the 32 Bytes key discovered before is being used (fdsl;mewrjope4...) - An attacker could use this key to intercept the communication between the Kankun Smart Plug and a wirelessly connected device (as we will do in the next post).
3 - Disassembling and analyzing with IDA - Now, let's disassemble the application with IDA, using its evaluation version for Linux: - Once extracted to Ubuntu:
- Launching IDA with ./idaq:
- Selecting libNDK_03.so: - The processor to be set is ARM Little-endian: - Going to the function aes_set_key: - Searching for strings:
- Again, the same string than before is discovered: - However, let's explore in a deeper way the application.
- The Java Native Interface (JNI) is a programming framework that enables Java code running in a Java Virtual Machine (JVM) to call and be called by[1] native applications (programs specific to a hardware and operating system platform) and libraries written in other languages such as C, C++ and assembly. https://en.wikipedia.org/wiki/Java_Native_Interface - Going to the package of the application (hangzhou, see previous posts), let's find everything related with the pattern 'jni', using the command grep (-i = ignore case distinctions, -R = recursively, -n = line numbering): - Disassembling with IDA the encoding function Java_hangzhou_kankun_WifiJniC_encode: - At address 0x000039B8 there is a function called EncryptData: - Clicking the function EncryptData, IDA opens its code: - Because we are dealing with ARM assembly language, it is important to remember that R0, R1, R2, R3 are the registers where the parameters are loaded before calling a subroutine. - Checking the content of R3, IDA offers the option of calculating it directly, just clicking over the instruction: - So, 0x3E96 is the content of R3 at this point: - Then, PC (Program Counter, next instruction to be fetched, in this case 0x384E) is loaded over R3, and finally adding 0x28: - Eventually, the content of R3 will be 0x3E96 + 0x384E + 0x28:
- The result of the sum is 0x770C:
- Jumping to 0x770C, the AES key is again discovered there:
- Now, let's explore the function aes_set_key:
- The signature of the function indicates that 3 parameters are passed. The first is the AES context (loaded into R0), the second is the AES key itself (loaded into R1), and the third is the size of the AES key (loaded into R2):
- Let's see what happens with the size of the AES key, examining the final content of R2. - The initial value loaded into R2 is (0x80 = 128). However, the instruction LSLS (Logical Shift Left) shifts 1 bit to the left, meaning multiplying by 2:
- From 0x80 (128 decimal) to 0x100 (256 decimal):
- The LSLS bitwise operation just shift the bits one position to the left. From the binary 10000000 (128 decimal) to 100000000 (256 decimal)
- Again, we can conclude that the AES key size used by the Kakun Smart Plug is of 256 bits.
