reverse engineering outernet
play

Reverse Engineering Outernet Daniel Estvez 27 December 2016 33rd - PowerPoint PPT Presentation

Sep 07, 2023 •218 likes •673 views

Reverse Engineering Outernet Daniel Estvez 27 December 2016 33rd Chaos Communication Congress, Hamburg Daniel Estvez Reverse Engineering Outernet 33C3 1 / 40 Brief info about speaker Currently finishing a PhD in pure Mathematics Also

  1. Reverse Engineering Outernet Daniel Estévez 27 December 2016 33rd Chaos Communication Congress, Hamburg Daniel Estévez Reverse Engineering Outernet 33C3 1 / 40

  2. Brief info about speaker Currently finishing a PhD in pure Mathematics Also have a background in Computer Science Amateur Radio operator since 2.5 years. Callsign: EA4GPZ / M0HXM Started decoding Amateur satellites a year ago. Daniel Estévez Reverse Engineering Outernet 33C3 2 / 40

  3. Outline What is Outernet? 1 From RF to bits (or frames) 2 From frames to files 3 Some other fun stuff we can do now 4 Daniel Estévez Reverse Engineering Outernet 33C3 3 / 40

  4. Outline What is Outernet? 1 From RF to bits (or frames) 2 From frames to files 3 Some other fun stuff we can do now 4 Daniel Estévez Reverse Engineering Outernet 33C3 4 / 40

  5. What is Outernet? Startup company with goal of easing worldwide Internet access by broadcasting content from satellites Started broadcasting on Ku-band DTH satellites using DVB-S Ku-band no longer in use Currently broadcasts on L-band (around 1.5GHz) through 3 Inmarsat satellites (Americas, Europe/Africa, Asia/Pacific) Almost worldwide coverage Daniel Estévez Reverse Engineering Outernet 33C3 5 / 40

  6. Receiving equipment Hardware: L-band antenna. Tipically a patch antenna, can also use a dish LNA (preamplifier) RTL-SDR dongle Single board ARM computer: C.H.I.P . or Raspberry Pi 3 Outernet sells a kit with these items Software: rxOS: A Linux image for ARM that does everything for you Most of the software is open-source Key parts of the receiver are closed-source binary only GPL libraries ( librtlsdr and libmirisdr ) are used in the closed-source receiver. Possible GPL violation The protocols, modulation and format of the signal are secret Daniel Estévez Reverse Engineering Outernet 33C3 6 / 40

  7. Receiving equipment Hardware: L-band antenna. Tipically a patch antenna, can also use a dish LNA (preamplifier) RTL-SDR dongle Single board ARM computer: C.H.I.P . or Raspberry Pi 3 Outernet sells a kit with these items Software: rxOS: A Linux image for ARM that does everything for you Most of the software is open-source Key parts of the receiver are closed-source binary only GPL libraries ( librtlsdr and libmirisdr ) are used in the closed-source receiver. Possible GPL violation The protocols, modulation and format of the signal are secret Daniel Estévez Reverse Engineering Outernet 33C3 6 / 40

  8. Why reverse engineer Outernet? A secret protocol and closed-source software don’t serve well the goal of easing worldwide Internet access Amateur Radio operators started playing with Outernet. Closed-source and secret protocols detrimental for Amateur Radio Things I knew before starting: RF goes in, files come out. About 2kbps bitrate or 20MB of content per day outernet-linux-lband closed-source software (Older version for Linux x86_64. Now everything is for ARM): sdr100-1.0.4 , SDR receiver for RTL-SDR; ondd-2.2.0 , does everything else IQ recordings by Scott Chapman K4KDR Daniel Estévez Reverse Engineering Outernet 33C3 7 / 40

  9. Outline What is Outernet? 1 From RF to bits (or frames) 2 From frames to files 3 Some other fun stuff we can do now 4 Daniel Estévez Reverse Engineering Outernet 33C3 8 / 40

  10. Waterfall in Linrad Daniel Estévez Reverse Engineering Outernet 33C3 9 / 40

  11. Modulation 4.8kHz wide Looks like a hump in the noise floor “Any sufficiently advanced communication scheme is indistinguishable from noise” — Phil Karn KA9Q. We suspect PSK modulation. BPSK and QPSK are good candidates We use GNU Radio for signal processing. First step: find out PSK order and baudrate Daniel Estévez Reverse Engineering Outernet 33C3 10 / 40

  12. Modulation 4.8kHz wide Looks like a hump in the noise floor “Any sufficiently advanced communication scheme is indistinguishable from noise” — Phil Karn KA9Q. We suspect PSK modulation. BPSK and QPSK are good candidates We use GNU Radio for signal processing. First step: find out PSK order and baudrate Daniel Estévez Reverse Engineering Outernet 33C3 10 / 40

  13. Reading from IQ wav file in GNU Radio Daniel Estévez Reverse Engineering Outernet 33C3 11 / 40

  14. PSK order Raise the signal to integer powers Power 2 of the signal has DC spike ⇒ BPSK For QPSK, we would need to go to 4th power Daniel Estévez Reverse Engineering Outernet 33C3 12 / 40

  15. Baudrate Cyclostationary analysis Baudrate is 4200baud Daniel Estévez Reverse Engineering Outernet 33C3 13 / 40

  16. BPSK demodulation Daniel Estévez Reverse Engineering Outernet 33C3 14 / 40

  17. Coding Baudrate is 4200baud but bitrate is only about 2kbps We suspect r = 1 / 2 FEC in use Most popular choice: r = 1 / 2 , k = 7 convolutional code with CCSDS polynomials We use Balint Seeber’s AutoFEC to find FEC parameters Standard CCSDS convolutional code, but with the two polynomials swapped We use GNU Radio Viterbi decoder to decode FEC Daniel Estévez Reverse Engineering Outernet 33C3 15 / 40

  18. Coding Baudrate is 4200baud but bitrate is only about 2kbps We suspect r = 1 / 2 FEC in use Most popular choice: r = 1 / 2 , k = 7 convolutional code with CCSDS polynomials We use Balint Seeber’s AutoFEC to find FEC parameters Standard CCSDS convolutional code, but with the two polynomials swapped We use GNU Radio Viterbi decoder to decode FEC Daniel Estévez Reverse Engineering Outernet 33C3 15 / 40

  19. Viterbi decoding Output looks random ⇒ we need a descrambler Daniel Estévez Reverse Engineering Outernet 33C3 16 / 40

  20. Descrambler The most popular descramblers I knew of didn’t work Reverse engineer the assembler code for the descrambler in sdr100 Daniel Estévez Reverse Engineering Outernet 33C3 17 / 40

  21. IESS-308 scrambler It turns out the scrambler is the IESS-308, very popular in GEO satellite comms, but unheard of in Amateur LEO satellites Daniel Estévez Reverse Engineering Outernet 33C3 18 / 40

  22. Descrambling Now we can see some structure in the output Daniel Estévez Reverse Engineering Outernet 33C3 19 / 40

  23. Framing Several functions in the sdr100 binary have “HDLC” in them We suspect HDLC framing We use the HDLC deframer from gr-kiss (there’s also a stock deframer in GNU Radio) Daniel Estévez Reverse Engineering Outernet 33C3 20 / 40

  24. HDLC deframing Daniel Estévez Reverse Engineering Outernet 33C3 21 / 40

  25. Outline What is Outernet? 1 From RF to bits (or frames) 2 From frames to files 3 Some other fun stuff we can do now 4 Daniel Estévez Reverse Engineering Outernet 33C3 22 / 40

  26. Reverse engineering frames Techniques used: Look at hex dumps of the frames ondd usually gets frames from sdr100 via Unix socket. Inject frames into ondd and see what happens Outernet uses custom network protocols ⇒ I get to name them as I like! Daniel Estévez Reverse Engineering Outernet 33C3 23 / 40

  27. A typical frame 0000: ff ff ff ff ff ff 00 30 18 c1 dc a8 8f ff 01 04 0010: 3c 02 00 00 18 00 01 00 00 00 08 11 10 e5 21 4b 0020: 48 2c e0 77 00 86 4d 14 06 3c 24 f7 30 e7 19 4c 0030: ed 60 d4 44 94 6a 4a 18 34 ad b2 b5 92 01 b7 87 0040: 06 ba 80 61 a5 87 06 80 f6 04 12 f6 d9 12 13 02 0050: 64 0b 68 94 21 36 01 ab af 01 50 d0 13 4b dc b6 0060: 92 90 6b f4 76 27 73 3d 91 f5 84 3d 75 d9 77 90 0070: d2 74 15 49 66 e5 9a 57 df df 72 28 32 48 97 ed 0080: 9a 46 6e 68 8e 72 b3 54 5f 52 ce f6 f5 de c1 fd 0090: e4 e6 f8 a2 bd bb bb 65 cf 9e d0 ed 80 1e ad 8c 00a0: 0c b8 59 28 41 cf 27 d3 cf a9 9e 28 06 8e c0 c8 00b0: 42 7a bd ea da ae 7e 41 ee 24 c2 f9 28 b7 35 f6 00c0: 8b 12 13 23 1f fb 0d 3e 32 49 b9 75 4b 31 d3 29 00d0: 11 c1 48 a2 3b d4 8b 40 e6 2c 69 02 59 f2 f8 c8 00e0: d2 ea aa ce 63 57 ed f7 25 42 8e 9b 21 d4 64 07 00f0: 89 59 d0 47 d6 7b c7 3c c7 11 2c 91 d3 ca b1 52 0100: ea ba be e3 00 39 fb be 6a 02 52 e3 8f ac ba 30 0110: b7 d1 c2 3f Daniel Estévez Reverse Engineering Outernet 33C3 24 / 40

  28. A typical frame 0000: ff ff ff ff ff ff 00 30 18 c1 dc a8 8f ff 01 04 0010: 3c 02 00 00 18 00 01 00 00 00 08 11 10 e5 21 4b 0020: 48 2c e0 77 00 86 4d 14 06 3c 24 f7 30 e7 19 4c 0030: ed 60 d4 44 94 6a 4a 18 34 ad b2 b5 92 01 b7 87 Ethernet frame: 0040: 06 ba 80 61 a5 87 06 80 f6 04 12 f6 d9 12 13 02 Broadcast 0050: 64 0b 68 94 21 36 01 ab af 01 50 d0 13 4b dc b6 destination 0060: 92 90 6b f4 76 27 73 3d 91 f5 84 3d 75 d9 77 90 Source MAC 0070: d2 74 15 49 66 e5 9a 57 df df 72 28 32 48 97 ed 0080: 9a 46 6e 68 8e 72 b3 54 5f 52 ce f6 f5 de c1 fd Custom ethertype 0090: e4 e6 f8 a2 bd bb bb 65 cf 9e d0 ed 80 1e ad 8c Length: 276 bytes ⇒ 00a0: 0c b8 59 28 41 cf 27 d3 cf a9 9e 28 06 8e c0 c8 aprox. 1 second over 00b0: 42 7a bd ea da ae 7e 41 ee 24 c2 f9 28 b7 35 f6 the air (this is 00c0: 8b 12 13 23 1f fb 0d 3e 32 49 b9 75 4b 31 d3 29 00d0: 11 c1 48 a2 3b d4 8b 40 e6 2c 69 02 59 f2 f8 c8 Outernet’s MTU) 00e0: d2 ea aa ce 63 57 ed f7 25 42 8e 9b 21 d4 64 07 00f0: 89 59 d0 47 d6 7b c7 3c c7 11 2c 91 d3 ca b1 52 0100: ea ba be e3 00 39 fb be 6a 02 52 e3 8f ac ba 30 0110: b7 d1 c2 3f Daniel Estévez Reverse Engineering Outernet 33C3 25 / 40

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Reverse Engineering CS 166 Armen Boursalian 30 Apr 2018 Reverse Engineering Take a

Reverse Engineering CS 166 Armen Boursalian 30 Apr 2018 Reverse Engineering Take a

Reverse Engineering CS 166 Armen Boursalian 30 Apr 2018 Reverse Engineering Take a product, understand how it works Usually limited to certain aspects, not full systems Need to know a little bit about a lot of topics to gain

636 views • 11 slides
Reverse Engineering TCP/ IP Reverse Engineering TCP/ IP Steven Low EAS, Caltech Joint work

Reverse Engineering TCP/ IP Reverse Engineering TCP/ IP Steven Low EAS, Caltech Joint work

Reverse Engineering TCP/ IP Reverse Engineering TCP/ IP Steven Low EAS, Caltech Joint work with: Li J W Li, J. Wang, Pongsajapan, Tan, Tang, M. Wang P j T T M W Outline Background Layering as optimization decomposition L

932 views • 47 slides
Next-Generation Debuggers For Reverse Engineering For Reverse Engineering The ERESI team

Next-Generation Debuggers For Reverse Engineering For Reverse Engineering The ERESI team

Next-Generation Debuggers For Reverse Engineering For Reverse Engineering The ERESI team eresi@asgardlabs.org This presentation is about .. The Embedded ERESI debugger : e2dbg The Embedded ERESI tracer : etrace The ERESI reverse

849 views • 47 slides
CS 166: Information Security Reverse Engineering & Digital Rights Management Prof. Tom

CS 166: Information Security Reverse Engineering & Digital Rights Management Prof. Tom

CS 166: Information Security Reverse Engineering & Digital Rights Management Prof. Tom Austin San Jos State University SRE Software Reverse Engineering Also known as Reverse Code Engineering (RCE) Or simply reversing

1.04k views • 80 slides
Reverse Engineering MAC: A Non-Cooperative Game Model Jianwei Huang Information Engineering The

Reverse Engineering MAC: A Non-Cooperative Game Model Jianwei Huang Information Engineering The

Reverse Engineering MAC: A Non-Cooperative Game Model Jianwei Huang Information Engineering The Chinese University of Hong Kong Joint work with J.-W. Lee, A. Tang, M. Chiang and A. R. Canderbank J. Huang (CUHK) Reverse Engineering MAC Nov.

605 views • 38 slides
Reverse Engineering Closed, heterogeneous platforms and the defenders dilemma Looking back at

Reverse Engineering Closed, heterogeneous platforms and the defenders dilemma Looking back at

Reverse Engineering Closed, heterogeneous platforms and the defenders dilemma Looking back at the last 20 years of RE and looking ahead at the next few SSTIC 2018 -- Thomas Dullien (Halvar Flake) Progress in Reverse Engineering 2010

941 views • 64 slides
Cryptanalysis, Reverse-Engineering and Design of Symmetric Cryptographic Algorithms Lo Perrin

Cryptanalysis, Reverse-Engineering and Design of Symmetric Cryptographic Algorithms Lo Perrin

Cryptanalysis, Reverse-Engineering and Design of Symmetric Cryptographic Algorithms Lo Perrin SnT, University of Luxembourg April 25, 2017 PhD Defence Introduction On S-Box Reverse-Engineering On Lightweight Cryptography Conclusion

1.76k views • 137 slides
The Outernet A novel satellite communication relay constellation Increased number of CubeSat

The Outernet A novel satellite communication relay constellation Increased number of CubeSat

The Outernet A novel satellite communication relay constellation Increased number of CubeSat Launches Most using UHF/VHF frequencies Why a similar groundstation for each? Introduction Concept/Proposition Altitude of 900km

1.08k views • 19 slides
Reverse engineering basics @KirilsSolovjovs on twitter Mg.sc.comp. Kirils Solovjovs

Reverse engineering basics @KirilsSolovjovs on twitter Mg.sc.comp. Kirils Solovjovs

Reverse engineering basics @KirilsSolovjovs on twitter Mg.sc.comp. Kirils Solovjovs http://kirils.org for more Possible Security Reverse engineering? www.indiamart.com Contents Hardware architecture Processors and machine language

536 views • 25 slides
Understanding human speech recognition: Reverse-engineering the engineering solution using

Understanding human speech recognition: Reverse-engineering the engineering solution using

Cai Wingfield CSLB, Department of Psychology Workshop on Neurocomputation: From Brains to Machines University of Cambridge 25 November 2015 Understanding human speech recognition: Reverse-engineering the engineering solution using EMEG

196 views • 18 slides
Reverse Engineering CAPTCHAs Abram Hindle, Micheal W. Godfrey, Richard C. Holt Software

Reverse Engineering CAPTCHAs Abram Hindle, Micheal W. Godfrey, Richard C. Holt Software

Reverse Engineering CAPTCHAs WCRE 2008 Reverse Engineering CAPTCHAs Abram Hindle, Micheal W. Godfrey, Richard C. Holt Software Architecture Group David R. Cheriton School of Computer Science University of Waterloo Canada

726 views • 57 slides
Reverse engineering AT32UC3As JTAG Introduction Overview LSE Summer Week 2014 TAP

Reverse engineering AT32UC3As JTAG Introduction Overview LSE Summer Week 2014 TAP

Reverse engineering AT32UC3As JTAG Pierre Surply Reverse engineering AT32UC3As JTAG Introduction Overview LSE Summer Week 2014 TAP Controller Scan Chain Pierre Surply Boundary Scan UC3 JTAG EPITA 2016 Reverse engineering Jul

968 views • 72 slides
Reverse Engineering Dr. Vadim Zaytsev aka @grammarware UvA, MSc SE, 9 November 2015 Roadmap

Reverse Engineering Dr. Vadim Zaytsev aka @grammarware UvA, MSc SE, 9 November 2015 Roadmap

Reverse Engineering Dr. Vadim Zaytsev aka @grammarware UvA, MSc SE, 9 November 2015 Roadmap W44 Introduction V.Zaytsev W45 Metaprogramming J.Vinju W46 Reverse Engineering V.Zaytsev W47 Software Analytics M.Bruntink W48 Clone

751 views • 31 slides
Reverse Engineering DSP Code GameCube DSP Analyzing GCN DSP code Pierre Bourdon Conclusion

Reverse Engineering DSP Code GameCube DSP Analyzing GCN DSP code Pierre Bourdon Conclusion

Reverse Engineering DSP Code Pierre Bourdon Introduction DSP Reverse Engineering DSP Code GameCube DSP Analyzing GCN DSP code Pierre Bourdon Conclusion delroth@lse.epita.fr http://lse.epita.fr February 12, 2013 Context Reverse

856 views • 18 slides
Introduction .NET Reverse Engineering Eric DePree Introduction to .NET Programs written for

Introduction .NET Reverse Engineering Eric DePree Introduction to .NET Programs written for

Introduction .NET Reverse Engineering Eric DePree Introduction to .NET Programs written for .NET are easy to reverse engineer. This is not in any way a fault in the design of .NET; it is simply a reality of modern, intermediate-compiled

132 views • 10 slides
Explaining the Boom-Bust Cycle in the U.S. Housing Market: A Reverse-Engineering Approach

Explaining the Boom-Bust Cycle in the U.S. Housing Market: A Reverse-Engineering Approach

Overview Evidence Model Calibration Quantitative Results Reverse Engineered Shocks Conclusion Extras Explaining the Boom-Bust Cycle in the U.S. Housing Market: A Reverse-Engineering Approach Paolo Gelain Kevin J. Lansing Gisle J.

717 views • 50 slides
Analyse and binary transformation Guillaume Bouffard Analyse and binary transformation Guillaume

Analyse and binary transformation Guillaume Bouffard Analyse and binary transformation Guillaume

Analyse and binary transformation Guillaume Bouffard Analyse and binary transformation Guillaume Bouffard Outline 1 Introduction Profiling step 2 Translation step 3 Binary Modification 4 Proof Of Concept 5 Conclusion 6 2 / 19

779 views • 40 slides
Good Times with a Pile of GPUs Elizabeth Baumel About me Unity - DOTS Team Disbelief -

Good Times with a Pile of GPUs Elizabeth Baumel About me Unity - DOTS Team Disbelief -

Good Times with a Pile of GPUs Elizabeth Baumel About me Unity - DOTS Team Disbelief - Unreal games Gears of War 4 - D3D12 multi-GPU support on UWP Other, more exotic D3D12 multi-GPU stuff Sony - PS4 graphics dev support

744 views • 49 slides
REIMAGINING THE POLICE SCANNER IN THE ERA OF THE SDR Taking scanning to the next level using

REIMAGINING THE POLICE SCANNER IN THE ERA OF THE SDR Taking scanning to the next level using

REIMAGINING THE POLICE SCANNER IN THE ERA OF THE SDR Taking scanning to the next level using distributed RTLSDR receivers & open source software PRESENTED BY GAVIN ROZZI Cyberspectrum #23 @ DEF CON 2018 August 9th, 2018 SDR HAS THE

985 views • 22 slides
Lazy-Mode RF OSINT and Reverse Engineering Marc Newlin | @marcnewlin | TROOPERS18 $(whoami)

Lazy-Mode RF OSINT and Reverse Engineering Marc Newlin | @marcnewlin | TROOPERS18 $(whoami)

Lazy-Mode RF OSINT and Reverse Engineering Marc Newlin | @marcnewlin | TROOPERS18 $(whoami) Red Team @ Snap Former Wireless Security Researcher @ Bastille Networks Wireless CVEs in products from 21 vendors Radios

755 views • 64 slides
(01204423) Sensor Node Programming II (UART and Radio) Chaiporn Jaikaeo chaiporn.j@ku.ac.th

(01204423) Sensor Node Programming II (UART and Radio) Chaiporn Jaikaeo chaiporn.j@ku.ac.th

Network Kernel Architectures and Implementation (01204423) Sensor Node Programming II (UART and Radio) Chaiporn Jaikaeo chaiporn.j@ku.ac.th Department of Computer Engineering Kasetsart University Outline UART communication Single-hop

410 views • 19 slides
Chapter 1 Welcome to Linux Dr. Marjan Trutschl marjan.trutschl@lsus.edu Louisiana State

Chapter 1 Welcome to Linux Dr. Marjan Trutschl marjan.trutschl@lsus.edu Louisiana State

Chapter 1 Welcome to Linux Dr. Marjan Trutschl marjan.trutschl@lsus.edu Louisiana State University, Shreveport, LA 71115 Introducing Shells History of UNIX and GNU-Linux Heritage of Linux: UNIX What Is So Good About Linux? Overview

336 views • 15 slides
RUNNING SvSAN ON THE NEW CISCO ISR 4461 AND UCS E-SERIES With Craig Collier and Ian McLaughlin

RUNNING SvSAN ON THE NEW CISCO ISR 4461 AND UCS E-SERIES With Craig Collier and Ian McLaughlin

RUNNING SvSAN ON THE NEW CISCO ISR 4461 AND UCS E-SERIES With Craig Collier and Ian McLaughlin Hosted by Kelynn Renals MAKING THE COMPLEX SIMPLE CONFIDENTIAL ENTERPRISES FACE DIFFICULTIES IN EDGE DEPLOYMENT 2 CONFIDENTIAL CISCO AND STORMAGIC

366 views • 8 slides
FMC (Fixed Mobile Convergence) Wh t Ab What About Security? t S it ? Vancouver June 2008

FMC (Fixed Mobile Convergence) Wh t Ab What About Security? t S it ? Vancouver June 2008

FMC (Fixed Mobile Convergence) Wh t Ab What About Security? t S it ? Vancouver June 2008 Vancouver June 2008 Franck Veysset, Orange Labs Firstname.lastname at orange-ftgroup dot com research & development Agenda Introduction

463 views • 30 slides

More recommend