
Cyber dolphin. How Flipper was created

Although hacking and penetration testing are associated with sitting at a computer, they are by no means limited to it: some devices and wireless networks can only be reached in person. At such moments you think: if only there were a hacker multitool that was always at hand and let you work in the field! And while some are dreaming, others are building just such a device and preparing to produce it in series. This miracle device is called Flipper.

While there are at least portable devices for intercepting Wi-Fi, working with hardware in the field currently looks like this. You take a laptop, a suitable debug board with firmware for every occasion, several antennas, adapters, expansion cards and an external battery for autonomy. And don’t forget the whole heap of wires to connect all of the above. Add an organizer for storing small items and homemade cases to protect fragile components while on the move. Sound familiar?

For information on what tools are useful when working with hardware, read the article Hacker’s Suitcase 2020.

Pavel Zhovner, a geek, nerd and praying mantis (as he describes himself in his profile on Habrahabr), is all too familiar with this situation. While organizing a CTF competition at ZeroNights 2018 in St. Petersburg, he developed from scratch a kind of vending machine with a cash register that worked on RFID cards. He then solved the problem of unreliable board mounting radically: he encased the board, components and all, in an even layer of transparent epoxy resin. It was his first experience of creating his own gadgets, and it fanned his passion for such homemade products.

Later, another event important to the history of Flipper happened. Security researchers turned their attention to Apple’s file sharing protocol (AirDrop) and became interested in its security. An open source implementation called OpenDrop appeared, and it became possible to send files to iPhones from any device, not just Apple gadgets. A Raspberry Pi is enough to start sending pictures to all passers-by on their iPhones, provided that they have allowed reception “from everyone.”

Prior to iOS 13, when you AirDropped a picture, a preview of it was shown on the phone screen before the recipient pressed “accept” or “reject.” I made a device from a Raspberry Pi Zero W with a battery that sent out such pictures, and my friend wrote a Telegram bot, @AirTrollBot, to generate a picture on the fly with a caption and the desired aspect ratio. Often the phone is called “Sveta’s iPhone” or “Julia’s iPhone”, which I used, addressing the owners of the devices by name right in the picture.

I just sat in the subway and sometimes saw ten people at once. I bombarded everyone with personalized pictures. Through this thing, I met a bunch of people and went on express dates on the way from the subway to work. The bot can add a Telegram nickname to the picture, and many guessed to write to me. Well, boys can be anonymously sent different jokes. For example, you see that this is Vadim’s phone, and you send him “Vadim is a sucker!” Then you watch him look around in bewilderment. Very funny.

Flipper developer interview

However, the Raspberry Pi has no display of its own, so it is not clear what is happening on the device; the bare PCB tears pocket linings and is very easy to damage, and 3D-printed cases look pathetic and are inconvenient to use. Every time you try to assemble something suitable from ready-made modules and components, you get a shapeless “sandwich” of circuit boards that falls apart at the slightest sneeze.

The pwnagotchi project gave a push in the right direction. This adorable virtual pet feeds on the handshakes that wireless clients exchange when they establish a new connection. In active mode, collecting the packets containing the WPA key hashes is accompanied by deauthentication of clients and forced disconnection to speed up the process. And don’t let the good looks of the digital animal fool you: inside, it works with neural networks with long short-term memory (LSTM) and deep reinforcement learning. All this helps the device flexibly tune the optimal parameters for intercepting and analyzing network traffic.

However, Flipper is not inspired by Tamagotchi alone. Old-timers will surely remember the Cybiko personal communicator, which in the early 2000s let its owners create dynamic wireless networks on their own. Various add-on modules opened up new possibilities, such as MP3 playback and SmartMedia card reading. Together with a solid (for its time) library of programs and games, this helped create a community of enthusiastic users around the device.

This is how the main features of the future device were formed: a universal pocket tool for a hacker exploring wireless networks. A maximally open project, so that everyone can modify the gadget to suit their needs. And a cute tamagotchi that gives the thing individuality.

Appearance

It took the Flipper team a long time to find the right shape and design the case. Firstly, it was important to create a complete design that would stand out from other hacking devices (some of which are available only as a bare PCB with components). Secondly, the device had to be compact, durable and convenient all at once, so that it can be used on the go.

Finally, the case had to accommodate all the internal antennas for the wireless interfaces (more on them later) as well as several connectors. This turned out to be no easy task: the set of available peripherals changed several times, and the size and shape of the PCB also went through more than one iteration. All of this had to be taken into account every time, and the body itself adapted accordingly.

As you have probably already noticed, Flipper has an unusual design. The mascot of the project (and the character of the Tamagotchi) is the cyber dolphin. It is both a reference to the story “Johnny Mnemonic” by William Gibson (the iconic author of the cyberpunk genre, if you are not aware) and a nod to the natural curiosity of dolphins and their sonar, which lets them perceive the world around them using waves. By the way, it is the shape of the fin (a flipper) that is played out in the curves of the body.

The stylish appearance of Flipper is the work of the guys from the DesignHeroes industrial design studio, whom Pavel Zhovner met at the Neuron hackspace. They already had extensive experience in designing and manufacturing housings for electronic devices from a wide variety of materials. It was they who helped with sketches of the future product, 3D models and the first printed prototypes.

Screen

Pavel Zhovner considers the screen one of the key components of the future device and is ready to spend hours telling anyone about the advantages and disadvantages of different technologies. It is not surprising that he approached the choice of screen for Flipper with great care. For battery-powered portable devices, the power consumption of the display backlight matters a great deal: if it consumes too much, it greatly reduces battery life.

The most economical screens are E Ink, and the aforementioned pwnagotchi uses just such a screen. Alas, they have a slow refresh rate (about a second), and even trivial navigation through menu tabs can take a long time. If you resort to partial updates, without redrawing the entire contents of the frame, a visible trace of the previous image remains on the screen (so-called image ghosting).

As a result, the good old graphic LCD with a resolution of 128 x 64 pixels and a diagonal of 1.4 inches was chosen for Flipper. The monochrome image has good contrast, so it can be seen even in bright sun outdoors, and the low power consumption (about 400 μA without backlight) allows the display to show current information at all times.

Of course, the best option for a hacker device would be a screen based on Sharp memory technology, which allows the picture to be refreshed only once every few seconds in standby mode while sending the rest of the device entirely to sleep; the image itself does not go anywhere. These displays are used in modern smartwatches and fitness bracelets. However, they are still prohibitively expensive (about $20), which does not fit into Flipper’s budget.

Processor selection

The choice of chip is a defining moment, and many parameters of the future device depend on it.

Raspberry Pi

The Flipper project was originally built around the cheap ($10) Raspberry Pi Zero W single-board computer. Released in 2017, this microcomputer combined a single-core ARM processor, 512 MB of RAM, GPIO pins, USB, and Wi-Fi and Bluetooth wireless interfaces. A friendly community of amateurs and professionals formed around the device. Against the background of these advantages, its low performance and overheating problems seemed bearable.

And when enthusiasts found a way to enable monitor mode with packet injection on the Wi-Fi adapter (the nexmon patches), the Kali developers got involved and announced official support for the “raspberry” in their Linux builds. As a result, through joint efforts, it turned out to be an almost ideal tool for a hacker and pentester. All that was missing was circuitry for battery power, a sleep mode, and some peripherals to work with the remaining wireless options.

As conceived by the authors of Flipper, a separate low-power microcontroller was to be responsible for all of this, working alongside the RPi central processor. This would allow the microcontroller to stay on constantly for the simplest attack scenarios, and the CPU to be brought in for really serious things.

However, the “Raspberry” later had to be abandoned altogether. It turned out that none of the Raspberry Pi Zero suppliers were ready to sell lots of thousands of units at once. From the outside, it looks like this: an extremely cheap single-board computer is produced in factories and distributed among large distributors, but only a few units reach “the people”. It seems that the “raspberry” (or at least its budget version) is sold at a price close to cost, only paying for itself rather than aiming to make a profit. For industrial and mainstream use, the Raspberry Pi Foundation website recommends the Compute Module. But it costs completely different money: $40.

i.MX6

When it turned out that the Raspberry was not an option, the Flipper team made the difficult decision to build the device virtually from scratch, based on an existing SoC (System-on-Chip). The choice was limited by the fact that not all manufacturers are ready to work with a small company purchasing only a few thousand chips.

The search produced a new basis for Flipper: the i.MX6 ULZ. This is a stripped-down version of the single-core Cortex-A7 processor, without a video core and some interfaces. In terms of performance it is on par with the “raspberry”, but the i.MX6 wins significantly in energy efficiency.

Unfortunately, the Flipper developers have not yet been able to find an equally successful alternative Wi-Fi adapter. The candidate has serious requirements: support modern wireless network standards, work in the 2.4 GHz and 5 GHz bands, and allow monitor mode to be unlocked with third-party patches. And it must still be quite cheap in large quantities (less than $10). If you have a suitable module in mind, feel free to write to the guys on the forum.

STM32

While the part of the project associated with the “large” components, the processor and wireless adapter, stalled, the rest of the circuit with its supporting components and microcontroller was implemented step by step in code and hardware. Here the basis was the STM32L412 microcontroller with a clock frequency of 80 MHz, 128 KB of flash and 40 KB of RAM. Compared to the well-known F4 series, these microcontrollers appeared relatively recently, but have already gained popularity for their low power consumption and a good set of modern peripherals.

In Flipper, the microcontroller does not just respond to button presses in order to relay them to the central processor: it is the microcontroller that drives the low-speed wireless interfaces and the screen. Moreover, the tamagotchi dolphin that lives in the device also runs on the microcontroller, so that it is always ready to respond to its owner’s call. Seeing all this in action, the Flipper team asked themselves: why is this not a full-fledged device in its own right?

This is how Flipper Zero was born.

Flipper Zero

The first device that Pavel Zhovner and his team will present to the world is the Flipper Zero, the microcontroller-based version of Flipper. The version with a full-fledged computer and Wi-Fi module will be called Flipper One, and so far it exists only in plans.

433 MHz

Several chips are responsible for wireless communication in the device. One of them, the Texas Instruments CC1101, lets Flipper operate at 433 MHz with several modulation types at once: 2FSK, 4FSK, GFSK and MSK. Mostly the simplest devices work at this frequency: sensors, doorbells, barriers and the like.

As a rule, one of the common exchange protocols is used: KeeLoq, CAME or DoorHan. The analyzer built into Flipper will tell you exactly what you are dealing with at a given moment. And even if the exact protocol could not be determined, the device can always at least repeat a previously recorded transmission.

Finally, like most Tamagotchi, Flipper is able to communicate with others of its kind on this frequency. You will be able to play and interact with other owners of the gadget nearby.

RFID

The next wireless interface is aimed at RFID access cards such as the EM-4100. They have a primitive storage format, so with Flipper you can easily read, copy and emulate existing cards. If desired, the card ID that was read can be sent to another Flipper.
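To make “primitive storage format” concrete, here is an added example, written for this edit and not code from the Flipper project or the original article: an encoder and decoder for the public EM4100 64-bit frame layout (9 header ones, ten nibbles each followed by an even parity bit, four column parity bits, a stop bit), plus the Manchester layer the tag uses on its carrier. The Manchester polarity convention (“1” sent as “10”) is an assumption, as is the sample card ID; both are marked in the code.

```python
# Added example (not Flipper project code): EM4100 frame encode/decode.
# The point it demonstrates: the 40-bit ID is broadcast in clear, repeated
# endlessly, and the only integrity mechanism is parity. There is no secret,
# so a reader that validates parity has everything an emulator needs.

HEADER = "1" * 9   # nine leading ones mark the start of a frame
FRAME_BITS = 64    # 9 header + 10 x (4 data + 1 parity) + 4 column parity + 1 stop


def _even_parity(bits: str) -> str:
    """Return the bit that makes the number of ones in `bits` plus itself even."""
    return "1" if bits.count("1") % 2 else "0"


def encode_em4100(card_id: int) -> str:
    """Build the 64-bit frame for a 40-bit card ID (10 nibbles, MSB first)."""
    if not 0 <= card_id < (1 << 40):
        raise ValueError("EM4100 IDs are 40 bits wide")
    nibbles = [format((card_id >> (36 - 4 * i)) & 0xF, "04b") for i in range(10)]
    rows = "".join(n + _even_parity(n) for n in nibbles)   # each nibble + row parity
    # one parity bit per bit column, computed over all ten nibbles
    cols = "".join(_even_parity("".join(n[c] for n in nibbles)) for c in range(4))
    return HEADER + rows + cols + "0"                      # trailing stop bit is 0


def decode_em4100(frame: str) -> int:
    """Check framing and every parity bit, then return the 40-bit ID."""
    if len(frame) != FRAME_BITS or set(frame) - {"0", "1"}:
        raise ValueError("frame must be 64 bits of '0'/'1'")
    if not frame.startswith(HEADER) or frame[-1] != "0":
        raise ValueError("bad header or stop bit")
    nibbles = []
    for row in range(10):
        chunk = frame[9 + 5 * row: 14 + 5 * row]
        data, parity = chunk[:4], chunk[4]
        if _even_parity(data) != parity:
            raise ValueError(f"row {row} parity error")
        nibbles.append(data)
    for col in range(4):
        if _even_parity("".join(n[col] for n in nibbles)) != frame[59 + col]:
            raise ValueError(f"column {col} parity error")
    return int("".join(nibbles), 2)


def is_valid_frame(frame: str) -> bool:
    """True when the frame passes framing and all parity checks."""
    try:
        decode_em4100(frame)
        return True
    except ValueError:
        return False


def manchester_encode(bits: str) -> str:
    """Manchester-code a bit string. Polarity ('1' -> '10', '0' -> '01') is an
    assumption; the opposite convention is equally common."""
    return "".join("10" if b == "1" else "01" for b in bits)


def manchester_decode(symbols: str) -> str:
    """Inverse of manchester_encode. A '00' or '11' pair is illegal and means
    the decoder is half a bit out of phase with the tag's clock."""
    if len(symbols) % 2:
        raise ValueError("odd number of half-bit symbols")
    out = []
    for i in range(0, len(symbols), 2):
        pair = symbols[i: i + 2]
        if pair == "10":
            out.append("1")
        elif pair == "01":
            out.append("0")
        else:
            raise ValueError(f"illegal Manchester pair {pair!r} at symbol {i}")
    return "".join(out)


def find_card_id(stream: str) -> int:
    """A tag repeats its frame forever, so a capture usually starts mid-frame.
    Slide a 64-bit window over the stream treated cyclically and return the
    first window that decodes cleanly."""
    if len(stream) < FRAME_BITS:
        raise ValueError("need at least one full frame")
    cyclic = stream + stream
    for offset in range(len(stream)):
        try:
            return decode_em4100(cyclic[offset: offset + FRAME_BITS])
        except ValueError:
            continue
    raise ValueError("no valid EM4100 frame in stream")


def recover_id(symbols: str) -> int:
    """Recover the ID from raw Manchester half-bits of unknown phase by trying
    both alignments before searching for a frame."""
    last_error = None
    for phase in (0, 1):
        chunk = symbols[phase:]
        chunk = chunk[: len(chunk) - len(chunk) % 2]   # drop a dangling half-bit
        try:
            return find_card_id(manchester_decode(chunk))
        except ValueError as exc:
            last_error = exc
    raise ValueError(f"could not recover an ID: {last_error}")


if __name__ == "__main__":
    SAMPLE_ID = 0x0A12345678            # constructed sample, not a real card
    frame = encode_em4100(SAMPLE_ID)
    capture = manchester_encode(frame * 2)[33:]   # simulated mid-frame, odd-phase capture
    print(frame)
    print(hex(recover_id(capture)))
```

The round trip above is exactly what a reader and an emulator do in opposite directions; the only thing a decoder can reject is a parity error, which is why cloning such a card is a copy operation rather than an attack on any secret, and why access systems relying on EM4100 alone should be treated as identifying rather than authenticating the holder.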

Infrared port

You won’t find an infrared port in modern gadgets, but there is still a lot of equipment in the world that works with this type of signal: televisions, air conditioners, audio systems. Flipper’s memory contains basic commands for controlling the most common models of such devices. At the same time, it is very simple to teach the device to work with your own equipment: just bring the original remote control and press the necessary buttons in sequence. Flipper will remember the new combinations and play them back on your command.
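The article does not say which IR protocol the learning step decodes, so the following added example (written for this edit, not Flipper project code) assumes NEC, one of the most common consumer-remote protocols: a 9 ms lead mark and 4.5 ms space, then 32 bits sent LSB first as address, inverted address, command, inverted command, where a bit is a 562 µs mark followed by a 562 µs (0) or 1687 µs (1) space. It shows the learn-and-replay flow on a list of mark/space durations in microseconds, with tolerance for timing jitter and the inverted-byte check that lets a learner reject a corrupted capture. The sample address and command are constructed.

```python
# Added example (not Flipper project code): learning an IR button in NEC
# format from raw mark/space timings and regenerating clean timings on replay.
# NEC is an assumption; the page names no protocol. Nominal NEC timings in µs.

NEC_LEAD_MARK, NEC_LEAD_SPACE = 9000, 4500
NEC_BIT_MARK = 562
NEC_ZERO_SPACE, NEC_ONE_SPACE = 562, 1687
TOLERANCE = 0.25          # accept +/-25 % jitter around each nominal duration
NEC_FRAME_LEN = 2 + 32 * 2 + 1   # lead pair, 32 mark/space pairs, final stop mark


def _near(measured: float, nominal: int) -> bool:
    return abs(measured - nominal) <= nominal * TOLERANCE


def nec_encode(address: int, command: int) -> list:
    """Mark/space durations for one NEC frame: lead pulse, then address,
    ~address, command, ~command (each LSB first), then a stop mark."""
    payload = [address & 0xFF, ~address & 0xFF, command & 0xFF, ~command & 0xFF]
    timings = [NEC_LEAD_MARK, NEC_LEAD_SPACE]
    for byte in payload:
        for bit in range(8):
            timings.append(NEC_BIT_MARK)
            timings.append(NEC_ONE_SPACE if (byte >> bit) & 1 else NEC_ZERO_SPACE)
    timings.append(NEC_BIT_MARK)
    return timings


def nec_decode(timings) -> tuple:
    """Parse a captured timing list into (address, command). Raises ValueError
    on bad framing, an unclassifiable pulse, or an inverted-byte mismatch."""
    if len(timings) != NEC_FRAME_LEN:
        raise ValueError(f"expected {NEC_FRAME_LEN} durations, got {len(timings)}")
    if not (_near(timings[0], NEC_LEAD_MARK) and _near(timings[1], NEC_LEAD_SPACE)):
        raise ValueError("lead pulse not NEC")
    bits = []
    for i in range(32):
        mark, space = timings[2 + 2 * i], timings[3 + 2 * i]
        if not _near(mark, NEC_BIT_MARK):
            raise ValueError(f"bit {i}: bad mark {mark}")
        if _near(space, NEC_ONE_SPACE):
            bits.append(1)
        elif _near(space, NEC_ZERO_SPACE):
            bits.append(0)
        else:
            raise ValueError(f"bit {i}: bad space {space}")
    # reassemble four bytes, LSB first within each byte
    fields = [sum(bits[8 * k + b] << b for b in range(8)) for k in range(4)]
    address, inv_address, command, inv_command = fields
    if inv_address != (~address & 0xFF) or inv_command != (~command & 0xFF):
        raise ValueError("inverted-byte check failed (corrupted capture)")
    return address, command


def is_nec_frame(timings) -> bool:
    try:
        nec_decode(timings)
        return True
    except ValueError:
        return False


class LearnedRemote:
    """Learn mode: decode each captured button once, store only the
    (address, command) pair, and regenerate nominal timings on replay, so a
    jittery capture is not replayed jitter and all."""

    def __init__(self):
        self._codes = {}

    def learn(self, button: str, captured_timings) -> tuple:
        code = nec_decode(captured_timings)
        self._codes[button] = code
        return code

    def replay(self, button: str) -> list:
        address, command = self._codes[button]
        return nec_encode(address, command)


if __name__ == "__main__":
    # Constructed capture: nominal frame for address 0x20, command 0x1A,
    # with marks 10 % short and spaces 10 % long to imitate receiver jitter.
    clean = nec_encode(0x20, 0x1A)
    captured = [t * (1.1 if i % 2 else 0.9) for i, t in enumerate(clean)]
    remote = LearnedRemote()
    print(remote.learn("power", captured))
    print(remote.replay("power") == clean)
```

Storing the decoded pair rather than the raw durations is the useful design choice here: replay is then byte-exact regardless of how noisy the original capture was, and the inverted-byte check gives the learner a cheap way to tell a genuine button press from a spurious pulse train.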

GPIO pins

For those who like lower-level interaction with hardware, the Flipper developers brought the microcontroller’s GPIO pins directly out to one of the side faces. In addition to power and basic digital signals, a variety of peripherals are available on them: ADC, SPI, UART, I2C, PWM and much more. Thus you can connect other components to the device and expand Flipper’s capabilities. It is not yet clear, though, whether a concept of expansion boards like those for Arduino or Raspberry Pi will be developed, since the device is positioned as a complete product.

USB-C

Initially, the RPi Zero-based Flipper had many connectors on the case: several USB ports, Micro HDMI and a memory card slot. In the STM32 version, only one USB port was left, for charging and reprogramming (the corresponding bootloader is already flashed on the microcontroller itself). In 2020, Type-C is finally starting to look almost like a standard, so if you already have a power supply for the Raspberry Pi 4, you can charge Flipper with it too.

However, something else is much more important: the STM32L412 microcontroller can work as a USB device, so with suitable Flipper firmware it can appear to a connected computer as a HID device, a flash drive or a COM port (though hardly all at once, of course).

Crowdfunding

Today Flipper still exists in prototype form. Until mid-spring, new working versions were regularly produced in China and sent to the developers in Russia. However, the coronavirus made its own adjustments, and the authors had to revise many of their deadlines.


Written by Admin
