Hacking Polar Loop - Part 2 (2016-03-17)<h2>
USB Communication</h2>
<div>
Please read the first <a href="http://rm2084.blogspot.com/2015/11/hacking-polar-loop.html">post</a> first.</div>
Code can be found on <a href="https://github.com/rsc-dev/loophole">GitHub</a>.<br />
<div>
<br /></div>
<div>
Polar Loop is recognized as a USB HID device. As described in the previous post, it uses only one report:</div>
<ul>
<li>Report Type: Output</li>
<li>Report ID: 1</li>
<li>Report Length: 64</li>
</ul>
<div>
It is request-response communication. Each response is a raw byte array of length 64 (similar to the input report). Communication is not encrypted.</div>
<div>
<br /></div>
<div>
Still, the communication looks like binary data with some human-readable strings. Most of them seem to be paths:</div>
<div>
<ul>
<li>/</li>
<li>/DEVICE.BPB</li>
<li>/U/UDB.BPB</li>
<li>etc.</li>
</ul>
<div>
This information was enough to guess that Polar Loop stores its data in a serialized form.</div>
<div>
BPB...PB...Protocol Buffers...<a href="https://developers.google.com/protocol-buffers/">Google Protocol Buffers</a> :)</div>
<div>
<br /></div>
<h3>
Google Protocol Buffers (PB)</h3>
"Protocol buffers are a language-neutral, platform-neutral extensible mechanism for serializing structured data."</div>
<div>
<br /></div>
<div>
Unfortunately, serialized data is not self-describing. Endpoints, however, have to know how to serialize/deserialize the data. The PB compiler is used to generate language-specific code from plain proto files. Code generated by the PB compiler includes the compiled proto file.<br />
<br />
Thesis: if Polar is using PB, its applications must include the compiled PB code.<br />
<br />
After a few tries, I knew what it should look like. Each compiled proto file string must contain the '.proto' substring. Not too much to search for.<br />
<br />
First, I checked Polar FlowSync - fail. Hooking network traffic confirmed that Polar Flow is just passing data retrieved via USB to a remote location. It means the PB code is included in the server applications.<br />
<br />
Second try - the Android application, Polar Flow. Success! I found more than 50 compiled proto file descriptors.<br />
<br />
<h3>
Pbd</h3>
</div>
Pbd is a Python module to disassemble serialized Protocol Buffers descriptors. It was created specifically for this project. Right now it is more popular than Loophole ;)<br />
<div>
<br /></div>
<div>
You can find code on <a href="https://github.com/rsc-dev/pbd">GitHub</a>.<br />
<div>
<br /></div>
</div>
<div>
At this point I had plain proto files!</div>
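As an added example (not code from Loophole or Pbd), here is a minimal Python reader for the protobuf wire format that does the two things described above: it locates candidate compiled descriptors in a binary blob by the '.proto' substring, and it disassembles a serialized FileDescriptorProto back into file name, package, message names and fields. All function names are mine, the descriptor bytes are constructed inline, and the field numbers follow google/protobuf/descriptor.proto.

```python
# Added example, not Loophole or Pbd code: minimal protobuf wire-format reader that
# finds compiled descriptors via '.proto' and disassembles a FileDescriptorProto.
def read_varint(buf, pos):  # base-128 varint at pos -> (value, new_pos)
    value, shift = 0, 0
    while buf[pos] & 0x80:
        value |= (buf[pos] & 0x7F) << shift
        shift, pos = shift + 7, pos + 1
    return value | (buf[pos] << shift), pos + 1
def read_fields(buf):  # yield (field_number, value) for each field of one message
    pos = 0
    while pos < len(buf):
        key, pos = read_varint(buf, pos)
        num, wire_type = key >> 3, key & 7
        if wire_type == 0:                      # varint
            val, pos = read_varint(buf, pos)
        elif wire_type == 2:                    # length-delimited (string/bytes/message)
            n, pos = read_varint(buf, pos)
            val, pos = buf[pos:pos + n], pos + n
        else:                                   # fixed32/fixed64 never occur in descriptors
            raise ValueError("unexpected wire type %d at %d" % (wire_type, pos))
        yield num, val
def find_descriptor_offsets(blob):
    # candidate starts: tag 0x0A (field 1 = name), one-byte length n, then a name
    # ending in '.proto'; these are only hints, confirm each by parsing it
    hits, end = [], 0
    while (start := blob.find(b".proto", end)) != -1:
        end = start + 6
        hits += [end - n - 2 for n in range(6, 128) if end - n - 2 >= 0
                 and blob[end - n - 2] == 0x0A and blob[end - n - 1] == n]
    return hits
def disassemble(desc):  # FileDescriptorProto bytes -> name, package, messages, fields
    info = {"name": None, "package": "", "messages": []}
    for num, val in read_fields(desc):
        if num == 1: info["name"] = val.decode()
        elif num == 2: info["package"] = val.decode()
        elif num == 4:                          # message_type: DescriptorProto
            msg = {"name": None, "fields": []}
            for mnum, mval in read_fields(val):
                if mnum == 1: msg["name"] = mval.decode()
                elif mnum == 2:                 # field: FieldDescriptorProto
                    fd = dict(read_fields(mval))  # 1 = name, 3 = number, 5 = type
                    msg["fields"].append((fd[1].decode(), fd[3], fd[5]))
            info["messages"].append(msg)
    return info
# Constructed sample: device.proto, package polar, message Device { uint32 version = 1;
# string name = 2; } (TYPE_UINT32 = 13, TYPE_STRING = 9), embedded at offset 6 of BLOB.
def _ld(num, payload): return bytes([num << 3 | 2, len(payload)]) + payload  # payload < 128
def _vi(num, value): return bytes([num << 3, value])                         # value < 128
DEVICE_MSG = (_ld(1, b"Device") + _ld(2, _ld(1, b"version") + _vi(3, 1) + _vi(5, 13))
              + _ld(2, _ld(1, b"name") + _vi(3, 2) + _vi(5, 9)))
DESCRIPTOR = _ld(1, b"device.proto") + _ld(2, b"polar") + _ld(4, DEVICE_MSG)
BLOB = b"JUNK\x00\xff" + DESCRIPTOR + b"\x00more junk"
```

In a real scan the descriptor's total length comes from whatever embeds it (for example the string constant in generated code), so slice the blob to that length before calling disassemble.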
Hacking Polar Loop - Part 1 (2015-11-12)<br />
This is the first post in a series about hacking the Polar Loop activity tracker.<br />
<br />
Code can be found on <a href="https://github.com/rsc-dev/loophole">GitHub</a>.<br />
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://icdn4.digitaltrends.com/image/polar-loop-activity-monitor-band-iphone-ios-1500x1000.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://icdn4.digitaltrends.com/image/polar-loop-activity-monitor-band-iphone-ios-1500x1000.jpg" height="213" width="320" /></a></div>
<br />
<br />
<h2>
Introduction</h2>
Polar Loop is an activity tracker from <a href="http://www.polar.com/">Polar Electro</a>. Basically, it is a wristband that monitors your activity (movement). Since I bought one, I was curious how it works.<br />
<br />
After a few months of usage, I decided it was time to hack it. So, let's go.<br />
<br />
<h2>
Gathering info</h2>
The Polar environment contains:<br />
<div>
<ol>
<li>Device (Polar Loop)</li>
<li>Polar Web application (Polar Flow)</li>
<li>Windows sync application (Polar FlowSync)</li>
<li>Mobile application</li>
</ol>
<h2>
Device</h2>
</div>
Polar Loop uses BLE (Bluetooth Low Energy; Bluetooth Smart). That means it had to be certified by the FCC (Federal Communications Commission), so a set of documents is publicly available.<br />
I used the great FCC document search engine <a href="http://fcc.io/">https://fcc.io/</a>.<br />
<div>
FCC ID for Polar Loop is <a href="https://fcc.io/INW0C">INW0C</a>.<br />
<div>
<br /></div>
<div>
The most interesting one is <a href="https://apps.fcc.gov/eas/GetApplicationAttachment.html?id=2040898">Internal Photos</a>.<br />
Now I knew what was inside: <br />
<br />
<ul>
<li><a href="http://www.st.com/web/catalog/mmc/FM141/SC1544/SS1374/LN1041/PF251638?sc=internet/mcu/product/251638.jsp">STM32L151QCH6</a> - ultra-low-power ARM Cortex-M3 MCU, 256 KB Flash, 32 MHz CPU, USB</li>
<li><a href="http://www.ti.com/product/CC2541">CC2541</a> - SimpleLink Bluetooth Smart and Proprietary Wireless MCU</li>
<li><a href="http://ams.com/eng/Products/Lighting-Management/LED-Driver-ICs/AS1130">AS1130</a> - LED driver IC</li>
<li><a href="http://www.alldatasheet.net/view.jsp?Searchword=25PX16VG%20Datasheet">25PX16VG</a> - serial Flash memory</li>
<li>Y434 NS01 - ??? (let me know in the comments if you know what it is)</li>
</ul>
<div>
<br /></div>
<h2>
Attack vector</h2>
<div>
There are three ways to access the device:</div>
<div>
<ol>
<li>Button - highly unlikely to hack it via a single button (tried anyway ;p)</li>
<li>Bluetooth Smart - skipped.</li>
<li>USB - Winner!</li>
</ol>
<div>
I focused on USB. Polar Loop is recognized as a <a href="https://en.wikipedia.org/wiki/USB_human_interface_device_class">USB HID device</a>. Obviously, it is the best place to start.</div>
</div>
<div>
<br /></div>
<h2>
USB communication</h2>
<div>
A quick USB HID class intro: USB HID drivers are included in most modern operating systems. </div>
<div>
The device describes how it will communicate. Communication is realized using reports, and a device can handle more than one report.</div>
<div>
Polar Loop uses only one report:</div>
<div>
<ul>
<li>Report Type: Output</li>
<li>Report ID: 1</li>
<li>Report Length: 64</li>
</ul>
<div>
It means the device accepts a raw byte array of size 64.</div>
</div>
<div>
Initial investigation was done using USBlyzer and Wireshark.</div>
</div>
<div>
<br /></div>
<br />
More soon...<br />
<br /></div>