Project Logs

Collapse logs

• All your base are belong to us

  Henryk Plötz • 05/14/2015 at 15:27 • 8 comments

  So now that we have figured out all the puzzle pieces (do we?) we can go over to the last project phase and actually build something that extracts data from the sensor on its own initiative and feeds it into something with a purpose.

  Setting: Ubuntu 14.04 LTS, Linux 3.13.0-52-generic, Python 2.7.6. As we recall from one of the earliest logs we can initiate data transmission by issuing a HID SET_REPORT on the USB device. Luckily, Linux offers a very simple API to do just that by way of the hidraw device node we were using at the very beginning. Since we're not interested in any security (which the protocol doesn't offer anyway) we'll just use a static key.

  with file("/dev/hidraw0","a+b") as co2:
  	# Key retrieved from /dev/random, guaranteed to be random ;)
  	key = [0xc4, 0xc6, 0xc0, 0x92, 0x40, 0x23, 0xdc, 0x96]
  	co2.write( "\x00" + "".join(chr(e) for e in key) )
  	while True:
  		data = co2.read(8)
  		print " ".join("%02X" % e for e in data)
  

  If we run that code (after fixing permissions, we'll get to the part later) we get … nothing. Bummer.

  Read more »

• How are you, gentlemen

  Henryk Plötz • 04/26/2015 at 18:40 • 0 comments

  Now that I've had my breakthrough I can leisurely stroll around the rest of the code for completeness sake. This should show me how and what data is being sent to the device to initiate data reporting.

  Read more »

• It's you

  Henryk Plötz • 04/25/2015 at 01:01 • 0 comments

  Loading a new file into IDA for the second time was easier. Again, I had to prepare it with

  upx -d HIDApi.dll

  and this time all functions were already nicely labeled for me. And again I spent a lot of time being stupid, starting here:

  

  Read more »

• Main screen turn on

  Henryk Plötz • 04/25/2015 at 00:00 • 0 comments

  So, looking at the transmitted data wasn't that successful in figuring out the protocol. My normal approach now would be to 'spoof' the other side of the communication channel and see how the device under test changes behaviour. In this case I would've written a short piece of Python to send out this initial SET_REPORT packet and then vary contents and look at how the device responds differently. But that's some boring work I've done several times before with other devices, so I'd wanted to try something new and this would be the perfect chance. I've never reverse-engineered anything by looking at a disassembly, so let's dive in!

  Read more »

• What

  Henryk Plötz • 04/24/2015 at 22:13 • 0 comments

  In past projects I've had raging successes by just looking at the raw data, XORing stuff together, and maybe squinting my eyes a little. Spoiler: Not so this time. I'll walk you through the steps anyway.

  Read more »

• Somebody set up us the bomb

  Henryk Plötz • 04/17/2015 at 02:05 • 1 comment

  Luckily reverse engineering funky binary protocols is one of my specialities, so, let's see …

  Data seems to arrive in 8-byte packets always. Indeed, this appears to be a property of what they did with the HID spec (more on that in a moment). The timing between 8-byte packets is irregular. In each packet there seem to be two groups of 4 byte each. The second byte of each group is always the same.

  Getting more data by re-starting the Windows software makes things more confusing: The second byte of each group is still constant, but different now. It's numerically close though, so, time-based? This sucks.

  Read more »

• We get signal

  Henryk Plötz • 04/17/2015 at 01:27 • 0 comments

  Indeed, immediately after running the Windows software in a VM with the device connected I was getting a live data log of the CO₂ concentration! This screenshot shows me breathing into the vicinity of the sensor:

  

  Ok, time to disconnect the device from the virtual machine and look at the data on my Linux box. Since it's enumerated as a HID, there's /dev/hidrawX device node that would receive the raw data sent by the device.

  # hd < /dev/hidraw0
  00000000  be 9b 28 69 d0 a5 34 ba  cb 9b 90 68 4c a5 34 aa  |..(i..4....hL.4.|
  00000010  5f 9b 8e 68 de a5 34 c2  f3 9b b0 68 5c a5 34 82  |_..h..4....h\.4.|
  00000020  f2 9b b8 69 5c a5 34 8a  e2 9b c1 69 55 a5 34 3a  |...i\.4....iU.4:|
  00000030  52 9b c9 69 75 a5 34 d2  aa 9b 30 69 27 a5 34 42  |R..iu.4...0i'.4B|
  00000040  38 9b 20 69 89 a5 34 6a  8e 9b 28 69 d0 a5 34 ca  |8. i..4j..(i..4.|
  00000050  cb 9b 90 68 4c a5 34 aa  57 9b 8e 68 de a5 34 ba  |...hL.4.W..h..4.|
  00000060  fb 9b b0 68 5c a5 34 8a  fa 9b b8 69 5c a5 34 92  |...h\.4....i\.4.|
  00000070  35 9b 81 69 5d a5 34 52  d5 9b a9 69 72 a5 34 72  |5..i].4R...ir.4r|
  00000080  aa 9b 30 69 27 a5 34 42  00 9b 20 69 89 a5 34 72  |..0i'.4B.. i..4r|
  00000090  8e 9b 28 69 d0 a5 34 ca  c3 9b 90 68 4c a5 34 a2  |..(i..4....hL.4.|
  000000a0  57 9b 8e 68 de a5 34 ba  fb 9b b0 68 5c a5 34 8a  |W..h..4....h\.4.|
  000000b0  fa 9b b8 69 5c a5 34 92  12 9b c1 69 54 a5 34 2a  |...i\.4....iT.4*|

  Yeah \o/, there's data! Bummer, it's doesn't look at all like the protocol I was promised. But there does seem to be a structure to it, so there's hope, I guess.

• War was beginning

  Henryk Plötz • 04/17/2015 at 01:11 • 0 comments

  First thing I noticed after unpacking: While the included manual only talks about the USB connection in terms of providing power, the thing actually enumerates on the bus as a HID with vendor/product ID 04d9:a052.
  

  When researching this VID/PID combination, I found that the device appears to be sold in other markets, with different brand markings: http://habrahabr.ru/company/masterkit/blog/248403/. I don't speak any Russian, and Google Translate is rather weak here, but from the pictures it seems that someone was using an identically looking device to monitor some brewing process. And that there's software that reads the data from USB.

  Doing a Google image search for co2 meters and selecting a product photo that matches the physical appearance (with yet another different branding) lead me to this American company which had not only the Windows software to connect to the meter for download, but also a PDF documenting the protocol. Well, this should be a breeze …

View all 8 project logs