How to Reverse Engineer, Sniff & Fuzz Vulnerable RF Adult Toys with WHID Elite
As you may know, I am close to release WHID Elite. And as pedantic hardware developer I wanna be sure everything works, even the smallest details. Last week I was looking for new targets to test WHID Elite’s Radio Hacking capabilities and suddenly I found an interesting one: an Electrocuting Cock Ring. Yes, you read it correctly (What you cannot find on Amazon…).
Long-story short… Yesterday arrived home the new toy and guess what? No Rolling-Code, No MSK/FSK/GMSK or other strange modulations… Just a classic 433MHZ Amplitude Shifting Key modulation with On-Off Key. Which translated for the non-RF folks… easy to:
And of course… Fuzz.
First of all, I have followed the usual Reverse Engineering approach I use for investigating new RF devices and turned on the winning combination LimeSDR/RTL-SDR + URH. (Disclaimer: since I was focusing on the RF side, I started with the RF analysis. If it wouldn’t have lead to any low-hanging fruit result, I would have started the HW Reverse Engineering approach: tear-down, BoM enumeration and fingerprinting, FCC ID hunting, etc. Luckily for my scarce spare time, I didn’t need it.) As you can see the center Frequency is around 433MHz, which is a standard frequency for commercial consumer-grade RF devices.
From the Spectrogram we can clearly see that the modulation is ASK, despite some harmonics on the side (caused by the low-cost transmitter used by the manufacturer most-likely). Now we need to decode the packets and see if we are really dealing with ASK and eventually confirm the sub-modulation type (i.e. OOK, in my assumption).
As you can see, URH successfully managed to decode the packets (with minor tweaking of the Error Tolerance and Bit Length parameters). Now that we have the binary sequence, we clearly see the duty-cycle of this RF device, where a:
1 is encoded as 1110
0 is encoded as 1000
No preambles. No ACK packet from the receiving unit. Just a simple broadcast packet. Always repeating itself. Which allows us to eliminate the Rolling-Code assumption. With all these data we can finally compose the packet that is transmitted to trigger the Vibration mode:
Now we are ready to give it a try with the Standalone Firmware of WHID Elite and see if it is able to decode them too.
As assumed, WHID Elite can perfectly sniff and decode the packets. In the image above you can see the two types of packets:
14656516 Vibration Mode
14656520 Electroshock Mode
As you can easily spot the decimal distance between the two types of packets is just matter of few integers. Which means, we can easily fuzz and thus exhaust the space between them with the main WHID Elite Firmware. Therefore no more text to read, enjoy the audio/video :)
Keep an eye on my Twitter https://twitter.com/WHID_Injector soon I will make GIVEAWAY for a full set of WHID Elite!
For sake of information though, the internal TX is a SYN470R. According to its datasheet: is a single chip ASK/OOK (ON-OFF Keyed) RF receiver IC. Which once again confirms the whole RF analysis.