Drone Hacking Part 1: Dumping Firmware and Bruteforcing ECC
neodyme.ioGreat work.
Seems like a typo when covering inversion. They claim parity(0) = 0 but still use the equation with != from before.
It's nice to see that they, like me, subscribe to "an hour of experimenting can save 5 minutes of reading the documentation." Of course what people often fail to realize is that until you've found the answer, you often don't realize what the documentation was saying, such as the 16-bit thing. Management may ask "was that not in the manual?" But it's more nebulous than that.
I bet you that one hour was full of excitement, where’s the fun in reading the documentation :P
Another great to look at it is possibly as a TDD approach vs analyzing the problem at a deeper level.
For anyone else who got a little too excited at the title, ECC here is error correction codes, not elliptic curve crypto.
Very cool writeup, thanks for digging into all those data sheets and sharing it with us! I feel like the hands-on electronics stuff has always been a little bit inaccessible to me, but posts like these always make me a little more excited to start doing little projects myself. So thanks for posting.
Thanks very much for this awesome write up! It’s detailed labor-of-love work like this that helps others (like me!) make great jumps in learning. So appreciated.
Fantastic and inspiring write up, big thanks!
Here is to hoping someone will do something similar for DRM'ed BOSCH ebike motors.
Be the change you want to see in the world.
We do it at https://infinite-battery.com :) our battery is compatible with Gen2/Gen3/Gen4 (we haven't yet tested on smart systems though)
I started doing some research over the holidays and the smart system seems to be designed to prevent reversing - fuses blown both ways, so didn't even manage to read the firmware, and communication with the client software relies on what seems to be decent encryption. And from the design of the hardware bypasses it seems that the firmware does not trust its own peripheries. Good design, no doubt - will try to take it apart when i switch bikes and won't mind bricking my unit.
> Here is to hoping someone will do something similar for DRM'ed BOSCH ebike motors.
Please not. Bike thieves are already annoying as they are (a ring in the rural city I live in managed to steal over 400 k€ worth of bikes in a matter of months, in my case they only stole the control unit), and so are people modding their bikes to run (way) faster than the legal limit, leading to more and more calls for them being banned off of normal bike tracks.
[1] https://www.idowa.de/regionen/landshut/landkreis-landshut/se...
I am not interested in either, I just want to have control over the hardware I purchased with my own money.
As for thieves, they apparently have ways of bypassing bosch drm via hardware - bosch bikes get stolen all the time. As for speed unlocks, they are trivially possible with hardware bypasses. I doubt open source firmware would do harm.
Is people stealing bikes and parts a technological problem or a people problem?
you could compare with apple locking down iphones and parts, which I understand significantly reduced theft
I seriously doubt any kind of DRM is going to dissuade bike thieves. It hasn't really worked for phones has it?
It has. Yes people still steal iPhones but not even close to levels pre-Activation Lock.
If you can't fence the product then there's no motivation to steal it in the first place.
Naturally, this is why we should add GPS and a network connection to every device in existence. /s
> If you can't fence the product then there's no motivation to steal it in the first place.
Couple of big problems with this thought:
* You have to know you can't fence it. Do you think bike thieves are following exactly which e-bike models have DRM, whether it has been broken etc? I doubt it.
* It assumes that the DRM is so amazing that nobody figures out how to defeat it.
So it might be true, but it also might not.
Fun read! How long does the script take to run? I’m curious if you would have noticed any performance increase if you wrote it in C++.
What a beautiful write-up! This is such a lovely resource for anyone who ever has the curiosity of "I'm interested in getting a firmware dump".
Damn, I really enjoyed reading this. Great writeup!
Drane Hacking next: bypassing Radio Electronic Warfare.
Dead Reckoning + Physical Media + Return to Base
What a laugher, of course it is not like that. Especially funny sounds the return to base function.
Multi-frequency communication, a lot of retranslators making you to be able to fly inside of caves, refusing to use Starlink in the areas having a bleeding-edge anti-starlink antennas deployed. Or just receiving Netflix-grade picture from the optical cable while reducing to zero anything emitting radio-signals.
And as usual... something that looks like it uses Linux, but has absolutely zero Google search results on how to obtain the GPL sources.
We desperately need some large ass legal fund that takes the GPL violators to court.
If they use unmodified Linux, then they only have to provide (a link to) the source code to that kernel on request. No source code is required for proprietary add-ons, unless they are kernel modifications.
The GPL also does not state that the source code should be easy to find. In the early days, one had to write a letter, send it by mail, in hopes of getting a tape or CD-ROM with the source code. For which you then had to pay as well.
What could be the potential risk of not being compliant to the software license at hand e.g. let us say we would sue a GPL violator?
There have been several trials, all of them won, I think
Now do DJI next
Bruteforcing ecc is the Services may subject to the contrary. My vision of brutforcing is droning below sea levels, .