These are little snippets of my personal life :)


So today I had a little bit of time to check out Pytacle. I knew from the beginning that it is alpha-quality software, but I still had some expectations. Many times people in the open-source community “advertise” their software as “alpha, as-is, no guarantees” and then it turns out that the code is pretty functional and does the stuff it is supposed to do. Very humble folks, really appealing.

However, with Pytacle this was different: it promised a lot (“It automates the task of sniffing GSM frames of the air, extracting the key exchange, feeding kraken with the key material and finally decode/decrypt the voice data.”) but it failed to achieve anything like that. First of all I looked at the code, which was surprisingly simple compared to the feature list (for example GSM Analyzer tries to do around 2/3 of the stuff Pytacle promises and it has a large codebase consisting of many classes and files). Although I would never judge a program based on the size of its source code (that would truly be horrible), I was still getting skeptical of the single .py file containing mostly GUI definitions.

So after reviewing the source code I discovered some things:
1. It tries to script together the procedure already known to GSM hackers (capture stuff, then run it through, crack the key, decode the conversation), so you still need to have all the tools, but Pytacle tries to figure out a way for you to run them.
2. Sadly it doesn’t do this very well. It has hardcoded magic numbers in it (“0B” always for Configuration, “06 3f” for Immediate Assignment) which do not seem to perform well (or to be honest: at all) in my environment.

I actually tried changing the configuration to 0C, which is the way mobile carriers operate in my country, and fed Pytacle a file with 5 different Immediate Assignments. It told me “No immediate assignments found, sorry…” and it exited.

So, to come to a conclusion: I really appreciate the effort David put into this script, but right now it is useless. It goes through the whole GSM cracking procedure, but it naturally lacks the human intelligence currently needed to distinguish between different Immediate Assignments, cell configurations etc. so it’s almost always destined to fail on you. It is possible to create such input files (basically cleaning out junk from a real-world file, or run a test-network and capture its traffic) which it can interpret and work on, but that is not going to help someone who would like to try stuff on a real network.

My Camp0 presentation

In case you missed Camp0 or dnet’s tweet about it, here is my Camp0 presentation video. It is not perfect at all, it has some inaccuracies in it, and the demo effect kicks in hard, but in my defence I need to say that I was preparing to get this done for Hacktivity (2 weeks after Camp0), so this is a semi-finished thing.
I still hope you like it 😉

How to handle if the car you manufacture catches on fire and your company starts going down rather quickly? – by Elon Musk

I am quite a fan of Tesla cars. They show a quite probable future, which I think is a good direction. Actually I really like what Elon Musk does in general.
So when all the newspapers today were filled with the story of a Model S catching on fire and burning out, I was quite certain we would hear from Elon, especially because the story had a horrifying twist in it: the firemen didn’t have any training about how to handle such a situation.

As a side note I would like to mention that the Hungarian firemen just recently received special training from Toyota and Nissan about handling fires which involve electric/hybrid cars.

But to cut to the point I just received the following email from Tesla, signed by Elon Musk himself:

October 4, 2013
About the Model S fire
By Elon Musk, Chairman, Product Architect & CEO


Earlier this week, a Model S traveling at highway speed struck a large metal object, causing significant damage to the vehicle. A curved section that fell off a semi-trailer was recovered from the roadway near where the accident occurred and, according to the road crew that was on the scene, appears to be the culprit. The geometry of the object caused a powerful lever action as it went under the car, punching upward and impaling the Model S with a peak force on the order of 25 tons. Only a force of this magnitude would be strong enough to punch a 3 inch diameter hole through the quarter inch armor plate protecting the base of the vehicle. The Model S owner was nonetheless able to exit the highway as instructed by the onboard alert system, bring the car to a stop and depart the vehicle without injury. A fire caused by the impact began in the front battery module – the battery pack has a total of 16 modules – but was contained to the front section of the car by internal firewalls within the pack. Vents built into the battery pack directed the flames down towards the road and away from the vehicle. When the fire department arrived, they observed standard procedure, which was to gain access to the source of the fire by puncturing holes in the top of the battery’s protective metal plate and applying water. For the Model S lithium-ion battery, it was correct to apply water (vs. dry chemical extinguisher), but not to puncture the metal firewall, as the newly created holes allowed the flames to then vent upwards into the front trunk section of the Model S. Nonetheless, a combination of water followed by dry chemical extinguisher quickly brought the fire to an end.

It is important to note that the fire in the battery was contained to a small section near the front by the internal firewalls built into the pack structure. At no point did fire enter the passenger compartment.

Had a conventional gasoline car encountered the same object on the highway, the result could have been far worse. A typical gasoline car only has a thin metal sheet protecting the underbody, leaving it vulnerable to destruction of the fuel supply lines or fuel tank, which causes a pool of gasoline to form and often burn the entire car to the ground. In contrast, the combustion energy of our battery pack is only about 10% of the energy contained in a gasoline tank and is divided into 16 modules with firewalls in between. As a consequence, the effective combustion potential is only about 1% that of the fuel in a comparable gasoline sedan.

The nationwide driving statistics make this very clear: there are 150,000 car fires per year according to the National Fire Protection Association, and Americans drive about 3 trillion miles per year according to the Department of Transportation. That equates to 1 vehicle fire for every 20 million miles driven, compared to 1 fire in over 100 million miles for Tesla. This means you are 5 times more likely to experience a fire in a conventional gasoline car than a Tesla!

For consumers concerned about fire risk, there should be absolutely zero doubt that it is safer to power a car with a battery than a large tank of highly flammable liquid.

— Elon


Below is our email correspondence with the Model S owner that experienced the fire, reprinted with his permission:

From: robert Carlson
Sent: Thursday, October 03, 2013 12:53 PM
To: Jerome Guillen
Subject: carlson 0389

Mr. Guillen,

Thanks for the support. I completely agree with the assessment to date. I guess you can test for everything, but some other celestial bullet comes along and challenges your design. I agree that the car performed very well under such an extreme test. The batteries went through a controlled burn which the internet images really exaggerates. Anyway, I am still a big fan of your car and look forward to getting back into one. Justin offered a white loaner–thanks. I am also an investor and have to say that the response I am observing is really supportive of the future for electric vehicles. I was thinking this was bound to happen, just not to me. But now it is out there and probably gets a sigh of relief as a test and risk issue-this “doomsday” event has now been tested, and the design and engineering works.

rob carlson


On Oct 3, 2013, at 12:29 PM, Jerome Guillen wrote:

Dear Mr. Carlson: I am the VP of sales and service for Tesla, reporting directly to Elon Musk, Tesla’s CEO.

I am sorry to hear that you experienced a collision in your Model S 2 days ago. We are happy that the Model S performed in such a way that you were not injured in the accident and that nobody else was hurt.

I believe you have been in contact with Justin Samson, our service manager, since the accident. We are following this case extremely closely and we have sent a team of experts to review your vehicle. All indications are that your Model S drove over large, oddly-shaped metal object which impacted the leading edge of the vehicle’s undercarriage and rotated into the underside of the vehicle (“pole vault” effect). This is a highly uncommon occurrence.

Based on our review thus far, we believe that the Model S performed as designed by limiting the resulting fire to the affected zones only. Given the significant intensity of the impact, which managed to pierce the 1/4 inch bottom plate (something that is extremely hard to do), the Model S energy containment functions operated correctly. In particular, the top cover of the battery provided a strong barrier and there was no apparent propagation of the fire into the cabin. This ensured cabin integrity and occupant safety, which remains our most important goal.

We very much appreciate your support, patience and understanding while we proceed with the investigation. Justin keeps me closely informed. Please feel free to contact me directly, if you have any question or concern.

Best regards,
Jerome Guillen | VP, WW sales and service

All right, what do we have? Facts which seem to be legit – check; a little bit of background from a guy who actually designed and engineered the car – check; excerpts from a quite probable email conversation between Tesla and the customer – check. I think this is a perfect way to handle such a situation.

Well done Mr Musk, well done.

My little joy of the day

Today the extra 4 GB of RAM for my laptop arrived. Unfortunately the ageing Windows installation plus the many virtual machines, not to mention Firefox and Flash Player and the Eclipse running in the background, were able to eat up the 4 GB of RAM altogether. So I made use of the free slot and bought another 4 GB, and now I have a comfortable 8 to work with.

The joy, however, is not that I put in the memory and it worked immediately (and memtest shows it as perfect so far), but taking the machine apart: this HP machine is nicely put together. You can simply feel that when I bought it, it was meant to be a premium machine. Disassembly from the start: the battery cover pops off with a single motion and the battery and the HDD can be swapped instantly. After that, by undoing 5 small Phillips screws and with one firm slide, we can release the other half of the bottom plate. It is good that you have to slide it too, like the side panels of desktop machines back in the day, because that is why the 5 small screws are enough to hold the cover firmly, even now at 3 years old.

After that the machine lies open in front of us, every component visible, easily accessible and serviceable:


Note the asymmetric fan blades, 2 years before Apple!

I am still in love with those Chinese cables….

I just bought some really old data cables for my Nokia 3410 and I must tell you they suck really bad. Let me tell you a little bit about the background:

I am currently really into everything that is security & GSM, therefore I thought it would be great to have a data cable which I can use with my old Nokia 3410 to enable the so called “Network Monitor” mode. In this mode the phone shows you a lot of useful information like the frequency it is using (ARFCN) or the current temporary ID of the SIM card (TMSI).
So, as a normal user would do I went to my friend Google and asked him about this cable. He quickly showed me some results which were quite funny: some Hungarian webshops still have these cables in stock! I was quite happy because the price was really low and I thought it would be great to buy from a shop and not from some random person.

So the cables came like two days later, and I tried to connect them to my phone. None of the cables seemed to fit. I was really angry, and thought about calling the shop telling them they are selling junk (which wouldn’t be surprising at all sadly) but then I found an archive website that shows you how to connect the cable properly.
The secret is quite easy once you know it: you need to get rid of the nice soft protecting foam that is glued all around the pins of the cable (who would have thought…). After that I connected the phone to my computer and I was able to turn on the Network Monitor – yeah, let’s all be happy.

But how is this related to poor quality Chinese cables?

Let me finish the story:
As time went on I wanted to get more information out of the phone and I already found the tool for this, naturally it is part of the Osmocom-family, it is called dct3-gsmtap. It can use the serial connection to your phone to actually capture GSM and SIM-card data and then forward it to Wireshark for later analysis. Sweet, just what I wanted to try out.
I installed it, tried to run it, and it says something like “no answer from the phone”. What the ****? I just communicated with the phone, and turned on the Network Monitor!

So I went back to Google and tried to research this, and finally found the cause:
Apparently for Nokia phones you can have 2 kinds of cables: one is called MBUS (M2BUS), the other one is called FBUS. They differ in speed, baud rate and also capabilities. MBUS is an older, simpler implementation of a serial line – it only uses GND and MBUS_PIN (data pin) to communicate. It is slow and not really useful, which is why Nokia decided to introduce FBUS, which uses GND, RX_PIN and TX_PIN, so it is a lot faster and a more reliable serial connection.
Guess which connection is supported by pretty much all of the tools available. Yes, FBUS.
Guess what kind of cable I have? Yes, MBUS. Sweet…

But I didn’t stop there. I wanted to see if there were truly only 2 pins connected in my cable, or what was going on (because the interface facing the phone actually has all 4 pins). It turned out that I do have 4 pins connected, but if I trace the whole cable, one of the magic plastic boxes on the cable (you know, those little plastic boxes that are on some cables for noise-cancelling or something like that) has all 4 wires coming in and only 2 wires going out.
So, I have an awesome cable which has all of its capabilities limited because some retard thought ‘yeah, why don’t we cut these two wires right at the middle of the cable?’.


Fortunately Google is still my friend and I found a random guy on the Internet who is Hungarian and has one perfectly fine FBUS cable for Nokia 3310/3410 which he is willing to sell. Ironic.

How to ‘bing’ something?

I just came across Samy Kamkar’s great DEFCON 18 talk – How I met your girlfriend? – again, and I really liked when he explained how to ‘bing’ something, so here is that part of his presentation in a separate video:

Dat feeling…

…when you didn’t do anything special, moreover what you did is lame and simple, but still the whole thing just breaks right in front of your eyes 🙂

Gotta love hacking! 😉