Kate Temkin
18 Nov, 13 tweets, 5 min read
okay; now that we have that remote black-box RE'd; let's cheat a little, and open the remote up! ^_^
The remote's PCB is ultra-simple-- it's literally:

- a single EV1527 control IC
- four buttons
- four diodes
- a crystal
- a switching FET
- an LED
- a PCB antenna

We can guess a lot of this by looking; but it turns out we don't have to-- we can pretty easily grab a schematic!
If we take a moment to look up the part number on the main SO-8 IC, we'll find that it's an EV1527 "OTP Encoder", manufactured by Silvan Chip Electronics.

Looking just a bit further, we can find a short data brief, which happens to contain the schematic for a reference design!
This reference design matches our PCB pretty much exactly; the only minor difference being the 'encapsulation' of the resonating passives used in the transmit circuit in the nice little tin can that is X1.

We now have a very good idea of the circuit we're looking at!
This data brief also gives us a pretty good idea of how this device works: it reads the digital values of four pins, prefixes them with a "chip ID", and then repeatedly sends them out as RF signaling.

The data format we discovered earlier is spelled out right there, for us!
We also get a pretty good idea of how this chip is intended to be used: at some point, each transmitter IC has a unique 20-bit ID "burned in" to it; which uniquely pairs this remote with our lamp.

Ostensibly, at some point, the lamp is also programmed with the ID of its remote.
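As an added example (not code from the thread, from Silvan Chip, or from GSG), here is a small encoder and decoder for the frame the data brief describes: the 20 ID bits first, then the 4 input bits, retransmitted while a button is held. The pulse shapes (a 0 is 1 unit high then 3 low, a 1 is 3 high then 1 low) and the 1-high/31-low sync are from the EV1527 data sheet; the 350 µs unit, the MSB-first bit order within each field, the jitter helper and the sample ID are assumptions made here for illustration.

```python
"""EV1527-style on-air frame: encode (ID + 4 data bits -> PWM pulses) and decode.

Added example, not code from the thread, from Silvan Chip or from GSG.
The 20-bit ID + 4 data bit layout is what the thread describes; the pulse
shapes come from the EV1527 data sheet (a '0' is 1 unit high + 3 units low,
a '1' is 3 high + 1 low, and each frame starts with a sync of 1 high + 31
low). The unit length is set by the chip's oscillator resistor; UNIT_US is
an ASSUMED value. Sending each field MSB first is a convention chosen here.
"""
import random
from dataclasses import dataclass
from typing import List, Tuple

UNIT_US = 350                  # assumed clock period; the real one depends on R_osc
FRAME_PULSES = 2 + 2 * 24      # sync high/low, then 24 bits of high/low pairs

# A pulse train is a list of (level, duration_us) pairs, the shape you get
# from a logic analyzer on the encoder's data-out pin or from an OOK demodulator.
Pulse = Tuple[int, int]


@dataclass(frozen=True)
class Frame:
    chip_id: int   # 20-bit ID programmed into the encoder at manufacture
    data: int      # 4-bit state of the four button inputs

    def __post_init__(self) -> None:
        if not 0 <= self.chip_id < (1 << 20):
            raise ValueError("chip_id must fit in 20 bits")
        if not 0 <= self.data < (1 << 4):
            raise ValueError("data must fit in 4 bits")

    def bits(self) -> List[int]:
        """24 code bits: the 20 ID bits first, then the 4 data bits."""
        id_bits = [(self.chip_id >> (19 - i)) & 1 for i in range(20)]
        data_bits = [(self.data >> (3 - i)) & 1 for i in range(4)]
        return id_bits + data_bits


def encode(frame: Frame, unit_us: int = UNIT_US) -> List[Pulse]:
    """One frame: sync pulse, then each bit as a (high, low) PWM pair."""
    pulses: List[Pulse] = [(1, unit_us), (0, 31 * unit_us)]
    for bit in frame.bits():
        high, low = (3, 1) if bit else (1, 3)
        pulses.append((1, high * unit_us))
        pulses.append((0, low * unit_us))
    return pulses


def encode_burst(frame: Frame, repeats: int, unit_us: int = UNIT_US) -> List[Pulse]:
    """The encoder retransmits the frame for as long as a button is held."""
    return [p for _ in range(repeats) for p in encode(frame, unit_us)]


def decode(pulses: List[Pulse], tolerance: float = 0.35) -> Frame:
    """Recover ID and data from exactly one frame's pulses.

    The unit is measured from the sync high rather than hard-coded, so the
    decoder works for any oscillator resistor; `tolerance` is the fraction of
    timing error accepted on the sync low and on each bit period.
    """
    if len(pulses) < FRAME_PULSES:
        raise ValueError("too short for a sync plus 24 bits")
    (lvl_h, sync_high), (lvl_l, sync_low) = pulses[0], pulses[1]
    if (lvl_h, lvl_l) != (1, 0):
        raise ValueError("frame must start with a high sync pulse then low")
    unit = sync_high
    if abs(sync_low - 31 * unit) > tolerance * 31 * unit:
        raise ValueError("sync low is not ~31 units long")
    bits: List[int] = []
    for i in range(24):
        (lh, high), (ll, low) = pulses[2 + 2 * i], pulses[3 + 2 * i]
        if (lh, ll) != (1, 0):
            raise ValueError(f"bit {i}: expected a high then a low pulse")
        if abs((high + low) - 4 * unit) > tolerance * 4 * unit:
            raise ValueError(f"bit {i}: period is not ~4 units")
        bits.append(1 if high > low else 0)     # 3:1 is a one, 1:3 is a zero
    value = int("".join(map(str, bits)), 2)
    return Frame(chip_id=value >> 4, data=value & 0xF)


def decode_burst(pulses: List[Pulse]) -> List[Frame]:
    """Split a repeated transmission into whole frames and decode each one."""
    return [decode(pulses[i:i + FRAME_PULSES])
            for i in range(0, len(pulses) - FRAME_PULSES + 1, FRAME_PULSES)]


def jitter(pulses: List[Pulse], fraction: float, seed: int = 1) -> List[Pulse]:
    """Perturb every duration by up to +/- fraction, standing in for a noisy capture."""
    rng = random.Random(seed)
    return [(lvl, int(round(d * (1 + rng.uniform(-fraction, fraction)))))
            for lvl, d in pulses]


if __name__ == "__main__":
    # Constructed sample: an assumed ID of 0x5A3C1 with the third button pressed.
    f = Frame(chip_id=0x5A3C1, data=0b0100)
    burst = encode_burst(f, repeats=3)
    print(decode_burst(jitter(burst, 0.10)))
```

Measuring the unit from the sync pulse instead of hard-coding it is the detail that matters in practice: different remotes (and the same remote at different temperatures) run their oscillators at noticeably different rates, and a decoder keyed to a fixed microsecond value will silently miss frames.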
This is the same type of IC used in lots of little things with fobs -- most commonly in garage door openers.

In fact, with a teensy bit of searching, we can actually find a vendor for this exact remote, just waiting to be paired with a product!
This brings us to perhaps the most amusing fact about this particular lamp: it's vulnerable to an unmodified version of the OpenSesame attack [samy.pl/opensesame/], as implemented here by @samykamkar.
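As an added example (not Samy Kamkar's OpenSesame code and not from the thread), here is the idea behind OpenSesame in runnable form: a De Bruijn sequence that contains every n-bit code as a window, clocked into a toy receiver that compares its shift register after every bit instead of waiting for a fresh frame. The receiver model and the code widths used are assumptions made here; the thread does not say what this lamp's receiver checks or how wide its code is.

```python
"""OpenSesame-style De Bruijn brute force against a fixed-code receiver.

Added example, not Samy Kamkar's OpenSesame code and not anything from the
thread. OpenSesame's observation: many fixed-code receivers clock received
bits through a shift register and compare it with the stored code after
every bit, never requiring the transmitter to start a fresh frame. Against
such a receiver each n-bit code only has to appear as some window of the
bit stream, and a De Bruijn sequence B(2, n) contains every n-bit window
exactly once, so all 2**n codes cost 2**n + n - 1 bits instead of n * 2**n.
The receiver below is a simplified model chosen here, and the code widths
are illustrative (the widths OpenSesame was published against).
"""
from typing import List, Optional


def de_bruijn(n: int, k: int = 2) -> List[int]:
    """Cyclic De Bruijn sequence B(k, n) via the standard Lyndon-word construction."""
    a = [0] * (k * n)
    seq: List[int] = []

    def db(t: int, p: int) -> None:
        if t > n:
            if n % p == 0:
                seq.extend(a[1:p + 1])
            return
        a[t] = a[t - p]
        db(t + 1, p)
        for j in range(a[t - p] + 1, k):
            a[t] = j
            db(t + 1, t)

    db(1, 1)
    return seq


def attack_stream(n: int) -> List[int]:
    """Linear bit stream holding every n-bit window: B(2, n) plus its first n-1 bits."""
    seq = de_bruijn(n)
    return seq + seq[:n - 1]


class ShiftRegisterReceiver:
    """Toy fixed-code receiver that checks its n-bit shift register after every bit."""

    def __init__(self, code: int, n: int) -> None:
        if not 0 <= code < (1 << n):
            raise ValueError("code does not fit in n bits")
        self.code, self.n = code, n
        self.reg = 0
        self.bits_seen = 0
        self.opened_at: Optional[int] = None   # bit count at which it first matched

    def clock_in(self, bit: int) -> None:
        self.reg = ((self.reg << 1) | bit) & ((1 << self.n) - 1)
        self.bits_seen += 1
        if self.opened_at is None and self.bits_seen >= self.n and self.reg == self.code:
            self.opened_at = self.bits_seen


def bits_until_open(n: int, code: int) -> Optional[int]:
    """Bits of the De Bruijn stream sent before a receiver holding `code` opens."""
    rx = ShiftRegisterReceiver(code, n)
    for bit in attack_stream(n):
        rx.clock_in(bit)
        if rx.opened_at is not None:
            return rx.opened_at
    return None


def naive_cost(n: int) -> int:
    """Bits needed if every code has to be sent as its own complete n-bit frame."""
    return n * (1 << n)


def covers_all_codes(n: int) -> bool:
    """Exhaustively confirm the stream opens a receiver for every possible code."""
    return all(bits_until_open(n, c) is not None for c in range(1 << n))


if __name__ == "__main__":
    for n in (8, 10, 12):
        print(f"{n}-bit codes: {len(attack_stream(n))} bits via De Bruijn, "
              f"{naive_cost(n)} bits sending each code as its own frame")
```

The defensive reading of the same code: a receiver that clears its register (or requires a sync pulse) between candidate codes forces the attacker back to `naive_cost(n)`, and a rolling code removes the fixed target altogether. `covers_all_codes` is the check a practitioner wants before relying on the shortcut: it proves the stream really does contain every code, not just most of them.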

The layers of amusement here grow deeper, though:
This whole bit of post-RE 'poking' came about after I suggested to @michaelossmann that it might be neat for us (@GSGlabs) to blog a "lamp security" exploration.

Ironically, with a little surface-level poking, I quickly found that this lamp was just another OpenSesame target...
... an attack that had been initially implemented as part of @michaelossmann's work on reversing the behavior of his RF garage door opener.

Instead of yet another novel target to explore, we wound up with exactly the behaviors we've seen before -- but this time, in lamp form.
You might be tempted to take away some kind of infosec-y message about the Sisyphean progress of security, or how vulnerable everything is...

...but tbh, I think everything here has worked pretty much as it should. Risk acceptance is as much a part of security as mitigation.
In the end, I think the real message is that reverse engineering these things can be a lot more approachable than you think-- and chances are, the thing you're looking at really isn't that different from a lot of the things folks have worked to understand before. ^_^
In any case, I'm going to put this aside until a second lamp comes in a couple of days; at which point we can play a bit more with treating lamps like garage doors. :)
