NotPike

Ahh thank you! <3

Update V0.8! Faster Brute Forcing Added a Electronic Warfare Mode (tactical jamming) *Illegal don't use this, POC only* https://github.com/notpike/The-Fonz

No clue! Threw me for a loop when I first got the remote.

-=UPDATE=- V0.4 has been released. https://github.com/notpike/The-Fonz TX all commands as you would with the remote Passive PIN discovery Brute Force a command, loops threw all 256 PINs for a single command. Dank ass meme's! Booze, Chicks/Dudes and more!

Thank you :3

#Late20sProblems :3

V0.4 has been released! https://github.com/notpike/The-Fonz TX all commands as you would with the remote! Passive PIN discovery! Brute Force a command, loops threw all 256 PINs for a single command! Dank ass meme's! Booze, Chicks/Dudes and more! No piratical application but here's a script that uses the YSO (or any other CC1111 radio that uses RfCat) to emulate, brute force, and listen for the TouchTunes Jukebox remote transmissions. With this power you could skip songs, turn up/down the volume, or possibly add promotion credits for free songs. For research purposes only of course :D. -=Here's the quick and dirty on how I reversed this remote=- So… This project all started 2 years ago when my wife and I dropped $20 at the local gay bar to listen to some filthy Dubstep, rad ass EDM, and Beck. After inserting that Jackson, I realized my grand idea of saving money isn’t working out… (We spent $120 that night… $40 on the jukebox…) Next morning, hung over and sad, I made it my mission to figure out how to get free music out of this Jukebox. This is how I started, and here’s how I bumbled my way to to figure out an IoT Jukebox known as TouchTunes. -=Reading=- I would just say research but TBH what I did wasn’t that sexy. Armed with my skill of “Google Fu” I found various manuals about the device. I found some good information in these manuals and it gave me a few ideas on how to score free jams. http://productwarranty.touchtunes.com/download/attachments/655383/900475-001-Virtuo Installation and Setup Guide-Rev08.pdf?api=v2 http://productwarranty.touchtunes.com/download/attachments/1572899/900203-002-Dashboard User Guide-Rev00.pdf?version=1 http://www.touchtunes.com/media/marketing_resources/Remote_Control_Users_Guide_1.pdf -=I called random strangers and sat at a bar=- I made a few phone calls to random TouchTunes Techs who specialize in repairing these devices and got a lot of good info for them. I learned it was Linux box, everything is encrypted, It costs money to own the key, everything is locked down, and you need to own ~10 of them to get true admin rights. I wanted a way to experiment with a VM of the OS to figure out how it ticked. Because I don’t have $5000 laying around I’m kinda forced to black box this device. Thanks to a few local bars who had their IoT Juke box on the public WiFi, I was able to take a quick gander. Sadly the techs where right… It’s locked down... I’ll revisit this approach latter when I can save up for my own personal Jukebox lol. You can also add credits via the Internet BTW. Try to see if there’s a way to make the Jukebox believe I’m god and make it sing and dance. -=Three things I learned=- 1.) You can fill the queue with music to play with out paying for it. This was a marketing plan to make people more committed to pay for music if they made a queue first. 2.) If configured, the jukebox can be set up to receive “promotional credit”. Bar tenders and or managers can add to the balance so more music could be played. This is added by pressing the ‘P1’ button the wireless remote… 3.) There is a wireless remote! It, transmits on 433.92 MHz and it can be found for $50 on ebay! -=My plan of attack=- Add music to the queue Add promotion points Get free music! -=I spent money=- Because I’m cheap, I picked up a after market remote that works with all TouchTunes Jukebox’s Gen 2 and above. The plan was to reverse this remote with my Yard Stick One and HackRF and try to figure out how it works. The remote only has 256 PIN provabilities to keep neighboring bars from walking on each other so I could just hand jam all 256 PIN’s (000-255) to figure out which one they are using. 9 times out of 10, it was 000. So yah, nothing complex here. -=Reversing… Kinda…=- The first thing I did was find the FCC data, not a lot of useful info here but I at least figured out it existed. https://fccid.io/2AHXI-T1 I used a HackRF with the 'osmocom_fft' to monitor and record the wireless remotes transmissions. I then took a look of the raw IQ data with 'inspectrum' to see what I was dealing with. Below is what the On/Off command looks like with a 000 PIN. With this I know I'm working with ASK/OOK. The message in raw binary is... 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 0, 0, 0, 0, 0, 0, 0, 1, 0, 1, 0, 0, 0, 1, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 1, 0, 0, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 1, 0, 0, 1, 1, 1, 1, 1, 1, 1, 0, 0, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, In Hex it would be... FFFF00A2888A2AAAA8888AA2AA2220 I found this by right clicking and added an 'Amplitude Plot in 'inspectrum', moved the bar over the transmission, added a 'Threshold Plot', clicked 'Enable cursors' to count out how many symbols are being used (also tells you the Symbol Rate) and then right clicked to 'Extract Symbols' and the values where outputted in the terminal. -=RfCat=- At this point I switched from using an SDR to RfCat and the YSO. After figuring out the preamble was 1111111111111111 or FFFF in hex, Modulation (ASK/OOK), and symbol rate (~1766) I was able to create a script based off Michael Ossmann's work to help me record the data. https://github.com/mossmann/stealthlock/blob/master/sl.py After a lot of beer and recording every PIN possibility for the On/Off a few patterns emerged. If you want to look threw all my data you can check out the paste bin below but here's what I believe how the transmission is formated. ==Preamble== ==key== ==Mesage== ==?== ffff00a2888a2 aaaa 8888aa2aa22 20 I still no idea what the last 2 hex values are about (I noticed that their where 2 possible messages for each command depending on what PIN was. The last 2 where either 02 or 88... I couldn't figure out the pattern so I just hard coded when which command was used vs the other depending on what PIN in my final script) -=After that=- I expand the original script I used to record all the transmissions of the remote and added a passive PIN discovery feature to it. I then recorded all the message's (All the buttons) the remote would send (Both potabilities) and added the ability to determine which command was used. A week later I figured out how to TX the decoded values and I made a working TouchTunes remote for the YSO. And it's been tested. :D http://pastebin.com/Ue7UYAPg http://www.pressonproducts.com/t1-jukebox-remote-touchtunes-compatible/

Cool stuff Foxtrot! I'm trying to figure out something here. I'm trying to see if it's possible to TX a GPS-SDR-SIM bin file to spoof a GPS receiver using the Pineapple Nano. The problem I'm having is that when I TX the SD card (where the bin is located) becomes unreachable for a while and then it self correctors. Here's the HackRF log when I selected the "Repeat transmission" option. I shortened log because the, "Input file end reached. Rewind to beginning." repeated 100 or so times. call hackrf_sample_rate_set(2600000 Hz/2.600 MHz) call hackrf_baseband_filter_bandwidth_set(2500000 Hz/2.500 MHz) call hackrf_set_freq(1575420000 Hz/1575.420 MHz) Stop with Ctrl-C 5.2 MiB / 1.005 sec = 5.2 MiB/second 5.0 MiB / 1.000 sec = 5.0 MiB/second 5.2 MiB / 1.000 sec = 5.2 MiB/second 5.2 MiB / 1.000 sec = 5.2 MiB/second 5.2 MiB / 1.000 sec = 5.2 MiB/second 5.2 MiB / 1.000 sec = 5.2 MiB/second Input file end reached. Rewind to beginning. Input file end reached. Rewind to beginning. Input file end reached. Rewind to beginning. Input file end reached. Rewind to beginning. Input file end reached. Rewind to beginning. Input file end reached. Rewind to beginning. Input file end reached. Rewind to beginning. 5.2 MiB / 1.189 sec = 4.4 MiB/second 5.2 MiB / 1.005 sec = 5.2 MiB/second 5.0 MiB / 1.003 sec = 5.0 MiB/second 5.2 MiB / 1.000 sec = 5.2 MiB/second 5.2 MiB / 1.000 sec = 5.2 MiB/second 5.2 MiB / 1.000 sec = 5.2 MiB/second 5.2 MiB / 1.000 sec = 5.2 MiB/second The bin file should last for 300s but it stops after 6s. It isn't consistent either. Some times it will TX a little longer or a little shorter then 6sec. Also when I SSH into the pineapple to take a look at /SD, I can't see whats in the directory while the HackRF is TX the bin. I think this might be a power restraint issue with the Nano but I'm open to your thoughts. Now when I try to TX with out the "Repeat Transmission" option I get this error. call hackrf_sample_rate_set(2600000 Hz/2.600 MHz) call hackrf_baseband_filter_bandwidth_set(2500000 Hz/2.500 MHz) call hackrf_set_freq(1575420000 Hz/1575.420 MHz) Stop with Ctrl-C 0.8 MiB / 1.000 sec = 0.8 MiB/second Exiting... hackrf_is_streaming() result: HACKRF_ERROR_STREAMING_EXIT_CALLED (-1004) Total time: 1.00063 s hackrf_stop_tx() done hackrf_close() done hackrf_exit() done fclose(fd) done exit

So... Because Foxtrot ported the HackRF library's over to the Pineapple I think we can all guess what's going to happen next .

Cool!

TBH I learned about finding your offset using Kal or comparing your signal to a known source after I bought the oscillator lol. (I'm dumb some times). I got it anyway just to save myself the trouble in the future. The original writer of the GPS-SDR-SIM software stated that it can be done with out the TCXO. I'll give it a try again and see if I can do this with out the extra oscillator. :)

-=UPDATE=- Success! I'm now a Bond villain! So here's what I did. I bought myself an external oscillator from Ebay (link below) that advertised 0.5 PPM. No idea if it's actually 0.5 PPM but I'll find out latter when a buddy of mine lends me his frequency counter. This board attaches to the P22 GPIO header on the Hackrf making it act as the external clock. You can check the external clock by running... hackrf_si5351c -n 0 -r If it works, it will return "[ 0] -> 0x01" If no external clock is detected, it will return "[ 0] -> 0x51" To generate the signal file, I used a bit rate of 8 and download an updated GPS broadcast ephemeris file(brdc1280.16n). You can download these files here. ./gps-sdr-sim -b 8 -e brdc1280.16n -l 40.712800,-74.005900,100 To transmit. sudo hackrf_transfer -t gpssim.bin -f 1575420000 -s 2600000 -a 1 -x 0 Being a good "citizen" I made a closed circuit with an USRP1 to use as my GPS receiver. I'm also using 51db worth of attenuator's to keep the load from braking the USRP1. Ebay TCXO clock PPM 0.1-PPM 0.5 for hackrf one

So, besides tricking the Sea Shadow from 007 Tomorrow Never Dies to sail into Chinese waters to obtain broadcasting rights in China... Has anyone else tried spoofing a GPS reserver? (BTW Mil GPS sats and receivers use encryption which makes it a bit tricky to spoof, they can downgrade to a non encrypted link just in case you where woundering.) https://github.com/osqzss/gps-sdr-sim Currently I'm failing at this TBH. I'm using the Hackrf as my SDR platform and after doing some research I found that the oscillator has a torrence of 20 PPM. This means while I'm transmitting at 1.57542Ghz my frequency deviates +- 31508.4Hz. This makes it a bit tricky finding the sweet spot to transmit on. I found that others had success with the Hackrf when they added an external oscillator to set the timing to at least 1 PPM. While I wait for my oscillator to come in the mail I wanted to know if anyone else tried doing this. -=Disclaimer=- Don't be a jerk and keep it legal. Use a dead load or create a close circuit to prevent interfering with other's GPS receivers.

Cool! I'm learning Java on the fly now and I was curious. Is there an easy way to import the value of the IP address of 'br-lan'? IE like a global variable that's normal for OpenWrt systems. Or would you suggest I create a function to pull the IP address from the system or from the config file it's self? Thanks!

Okay, so I found some conflicts with some of the modules when I changed the Pineapple's IP. This is only a temp fix and I'll try to find a way to make change with the system's IP address. (I don't know how to code in Java) DWall has the default IP address hard coded in /pineapple/modules/DWall/js/module.js. I just commented out what defined the WebSocket and coped it with the updated IP address. $scope.startWS = (function() { $scope.throbber = true; // $scope.ws = new WebSocket("ws://172.16.42.1:9999/"); $scope.ws = new WebSocket("ws://10.0.0.1:9999/"); $scope.ws.onerror = (function() { $scope.ws.onclose = (function() {}); $scope.startWS(); If there's a better way please let me know. Hope this helps!