Monthly Archives: December 2014
Translation Receiver (simultaneous interpretation receiver details).

Every seminar, someone takes a simultaneous interpretation receiver home. Last time, once again, several units went missing. The participant probably just thinks, "Oh, this looks interesting, let me take it home and have a look," but these receivers are actually very expensive: one unit costs about as much as a PC.

The event organizers have to pay for every unit that goes missing, and naturally that cost ends up in the operating costs and the participation fee. On top of that, the receiver is completely useless without the transmitting system it belongs to, and despite the high unit price no pawn shop will take one.

Personally I am waiting for the day when not a single unit goes missing, and as a step toward that I am posting information here about the simultaneous interpretation receivers that are commonly used. Basically they do not use some magic radio; they are infrared receivers. That is precisely why they are useless without the infrared distribution system at the source, so taking one home gets you nothing.

Every conference I have worked on, somebody decides to take home the translation receiver. At the last con I worked, once again somebody decided to take one home. OK, I can see the temptation: you paid for the con and there is a sexy piece of hardware, and you think "Hey, it's a security hacker con, this looks like fun, let me take it home."

However these devices are EXTREMELY expensive. If I told you how much they cost you would go "WTF?? I can buy a bunch of PCs for that price!!" Yes, they are that expensive. So for every one that gets lost during a con, the organizing body has to pay for it.

Did I mention they are INSANELY expensive?

Yes, so your fun time is going to cost the organizers, which feeds into the operating costs for the con and in the end into the ticket price. Also, without the base transmitter these receivers are useless; trust me, no pawn shop will buy them.

So rather than me yelling every time about not taking the receivers, I decided to put up this post listing documents for you to read to learn about them. It's an infrared receiver, not wireless, not radio, INFRARED, so without the infrared transmitter the receiver is useless.

I have also added a link to eBay; however the price listed there is not what the organizers pay, which is way more than the listed price.

DO NOT TAKE THE RECEIVER. IF YOU DO YOU ARE NOT A HACKER, YOU ARE JUST A JACKASS.

Here is my challenge to you:

  • If you build a working receiver with a Raspberry Pi or Arduino or whatever and prove to me it works, I will buy you a beer.

Product Information

Bosch Integrus System

[Image: screenshot of the Bosch Integrus product page]

Product Page: Bosch Integrus

Japanese Documents

LBB 4540 Pocket Receiver (datasheet, Japanese)

English Documents

Installation and operation manual (English)

User Manual (English)

Get one

eBay: Bosch Integrus

Raspberry Pi. Eth->Wlan connection

I needed to configure the network the reverse way from what others were doing: run a dhcpd server on eth0, then let the devices on eth0 reach the internet via the wlan interface. If you struggled with this, here is a simple script.

Prerequisites:

1. The wlan interface gets its IP via wpa_supplicant from the upstream network.
2. eth0 hands out DHCP leases to whatever is connected to the eth0 interface.

#!/bin/sh
# get the ip assigned by the upstream dhcpd server to the wlan interface (in my case wlan3)
MYIP="$(/sbin/ifconfig wlan3 | grep 'inet addr' | cut -d: -f2 | awk '{print $1}')"
[ -n "$MYIP" ] || { echo "wlan3 has no IPv4 address yet" >&2; exit 1; }

# start the dhcp server for the eth0 side; stop here if it fails to start
dhcpd || exit 1

IPT=/sbin/iptables
LOCAL_IFACE=eth0
INET_IFACE=wlan3
INET_ADDRESS=$MYIP

# the kernel only forwards packets between interfaces when told to
echo 1 > /proc/sys/net/ipv4/ip_forward

# clean out all the tables
$IPT -F INPUT
$IPT -F OUTPUT
$IPT -F FORWARD
$IPT -t nat -F

$IPT -t nat -P PREROUTING ACCEPT
$IPT -t nat -P POSTROUTING ACCEPT
$IPT -t nat -P OUTPUT ACCEPT

# drop forwarded traffic by default, so only the rules below let packets through
# (without this the ESTABLISHED,RELATED rule would not restrict anything)
$IPT -P FORWARD DROP

# Allow forwarding packets: anything from the eth0 side out, only replies back in
$IPT -A FORWARD -p ALL -i $LOCAL_IFACE -j ACCEPT
$IPT -A FORWARD -i $INET_IFACE -m state --state ESTABLISHED,RELATED -j ACCEPT

# Packet masquerading: rewrite the source of outgoing packets to the wlan address
$IPT -t nat -A POSTROUTING -o $INET_IFACE -j SNAT --to-source $INET_ADDRESS

Posted on December 8, 2014, 7:29 PM
Categories: MannaPi, stuff, WBDM
Point and shoot wifi scanner

So my adventures in Wifi land continue.

As seen in a previous post, I built the WBDM wifi pod. The pod is great, but I live in Tokyo, a highly urbanized city with wifi everywhere; it seems that everybody and their cat has their own wifi network. This poses an interesting challenge when you want to locate a specific AP and don't know its essid or bssid.

One of those times when too much wifi is a bad thing.

I needed something like an old skool frequency counter, you know the ones you see in old spy movies where you click a button and it shows the strongest frequency in the vicinity.

I needed a better solution to pinpoint a wifi spot. I realized that earlier this year I built a Wifi Pineapple Mark IV clone. If you don't know what a Wifi Pineapple is, head over to https://wifipineapple.com and check it out; basically it is a wifi pen testing kit in a box. The current version is Mark V, and Mark IV is the previous version.

The Mark V is a completely new platform and runs in a unique hardware environment.

However, the previous version, Mark IV, is based on an access point called the Alfa AP121U. It's a regular wifi access point, well, sort of. Getting this AP in Japan is nearly impossible, so I needed to find one online; there are vendors who sell it, but many of them will not ship to Japan.

So, time for eBay. Sure enough I found a vendor in Hong Kong that would send me one. So off I go: first I needed a burner credit card; thankfully my online bank gives me a debit/cc card number that is different from my regular cc number. I ordered it and waited, and the unit arrived in a couple of days. Now I needed to flash the ROM with the Pineapple ROM.

Step 1. Flash ROM.

Equipment needed:
1. Alfa AP121U. Make sure it's the U version, which has a USB port.
2. USB to TTL serial cable. Could also be the Alfa console board, but this cable is easier to get.
3. A computer with a tftp server running. I decided to use my Mac with TftpsServer, which is a graphical front end to the built-in tftp server of Mac OS X.

Connect the USB/TTL cable to the AP121U. You need to hook up TX, RX and GND to the cable. DO NOT CONNECT THE VDD, IT WILL BRICK YOUR AP.

USB to TTL serial cable connectors:
1 - Black:GND 
2 - Blue:CTS 
3 - Red:5V 
4 - Green:TXD 
5 - White:RXD 
6 - Yellow:RTS 

So you connect the cable's TXD to the AP121U's RXD and vice versa, and GND to GND.

[Image: connections (click to see actual image)]

OH YEA DID I MENTION: DO NOT CONNECT THE VDD!

Also connect an ethernet cable between the PoE/LAN port of the AP and your computer (the TFTP server), and set your computer's eth interface to 192.168.2.7 or something similar.

Now connect to the AP via the USB/TTL cable (115200 baud, 8 data bits, no parity, 1 stop bit, no flow control) and execute the following commands at the bootloader prompt:

setenv bootargs "board=ALFA console=ttyATH0,115200 rootfstype=squashfs,jffs2 noinitrd"
saveenv
tftp 0x80600000 kernel.bin
erase 0x9f650000 +0x190000
cp.b 0x80600000 0x9f650000 d695a
tftp 0x80600000 rootfs.bin
erase 0x9f050000 +0x600000
cp.b 0x80600000 0x9f050000 23d004
bootm 0x9f650000
reboot
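The lengths in the two cp.b lines (d695a and 23d004) are simply the byte sizes of the author's kernel.bin and rootfs.bin written in hex, so they differ for every image, and a wrong value writes a truncated or padded firmware. As an added check, not part of the original post, this Python helper derives those commands from the file sizes and refuses any image bigger than the region the matching erase line wipes; the RAM address, flash addresses and region sizes are taken from the commands above.

```python
import os

# Flash layout taken from the erase/cp.b commands above: (flash address, erased size in bytes)
RAM_LOAD_ADDR = 0x80600000
REGIONS = {
    "kernel": (0x9F650000, 0x190000),
    "rootfs": (0x9F050000, 0x600000),
}


def flash_commands(name, image_size):
    """Return the tftp/erase/cp.b lines for one image, or raise if it cannot fit.

    image_size is the byte length of the file that will be served over tftp.
    """
    flash_addr, region_size = REGIONS[name]
    if image_size <= 0:
        raise ValueError(f"{name}: empty image")
    if image_size > region_size:
        raise ValueError(
            f"{name}: image is {image_size} bytes but the erased region is only "
            f"{region_size} bytes"
        )
    # cp.b takes the byte count in hex without a 0x prefix, as in the commands above
    return [
        f"tftp 0x{RAM_LOAD_ADDR:x} {name}.bin",
        f"erase 0x{flash_addr:x} +0x{region_size:x}",
        f"cp.b 0x{RAM_LOAD_ADDR:x} 0x{flash_addr:x} {image_size:x}",
    ]


def flash_plan(kernel_size, rootfs_size):
    """Full command sequence for both images, kernel first as in the post."""
    return flash_commands("kernel", kernel_size) + flash_commands("rootfs", rootfs_size)


def flash_plan_from_files(kernel_path, rootfs_path):
    """Same, but measuring the actual files you are about to serve via tftp."""
    return flash_plan(os.path.getsize(kernel_path), os.path.getsize(rootfs_path))


if __name__ == "__main__":
    # The sizes from the post: 0xd695a and 0x23d004 bytes
    for line in flash_plan(0xD695A, 0x23D004):
        print(line)
```

The bootloader itself also records the byte count of the last tftp transfer in its filesize variable, which is the usual way to avoid typing the length by hand.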

Once you are inside, issue the passwd command to change the password, then start dropbear (/etc/init.d/dropbear start).
Now scp the firmware to /tmp inside the AP.

From your computer (the scp pushes the file to the AP) issue:

scp firmware.bin root@192.168.2.1:/tmp/
(192.168.2.1 is the IP of the AP121U)

then, on the AP, issue the system upgrade:

sysupgrade -n -v /tmp/firmware.bin

And now you have your own WIFI Pineapple Mark IV clone!!

[Image: We gotz zie pineapple]

Theoretically you can now build the rest; however, there is one caveat: the AP121U was never meant to host anything more complex than a basic operating system, and its internal flash is a whopping 8MB. So we need to give it a bigger storage space. I grabbed an 8GB thumb drive.

Here is a link to Darren’s post on formatting a drive to be used with the Pineapple:

https://forums.hak5.org/index.php?/topic/25882-how-to-enable-usb-mass-storage-with-swap-partition/

That's all on building the basics. In the Pineapple configuration you can set the WPS button to execute a script; I decided to use the WPS infusion because it adds a bit more scripting capability to the button.

[Image: WPS infusion config screen]

Initially I installed a kismet server to take the dump, but then I realized that it would be a bit of overkill for basic wardriving, especially since this build was more about locating an access point.

I also needed a way to tell, just by looking at the Pineapple, whether I was capturing or not, so I added the led control commands to the script.

If it is capturing, all leds light up; if not, just the power and wlan leds light up. The following is the actual script:

#!/bin/sh
#Custom Script 1
export LD_LIBRARY_PATH='/lib:/usr/lib:/usb/lib:/usb/usr/lib'
export PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usb/usr/bin:/usb/usr/sbin

# /tmp/kissing.touch marks a capture in progress; each button press toggles start/stop
if [ ! -f /tmp/kissing.touch ]; then
    # not capturing yet: put wlan0 in monitor mode and start a dump
    ifconfig wlan0 down
    ledcontrol lan off
    ledcontrol usb off
    ledcontrol wan off
    sleep 1    # give the interface a moment to settle ('wait' here did nothing: no background jobs)
    iwconfig wlan0 mode monitor
    sleep 1
    ifconfig wlan0 up
    sleep 1
    filename=$(date '+%d_%b_%Y_%H_%M_%S')
    mkdir -p /usb/tcpdump
    airodump-ng -c 1 -w /usb/tcpdump/$filename wlan0 >/dev/null 2>&1 &

    #above I'm suppressing all output of airodump-ng to the screen; captures are all written to a file with a date prefix
    touch /tmp/kissing.touch
    # I named the file kissing.touch cause initially I was using kismet server.
    ledcontrol lan on
    ledcontrol usb on
    ledcontrol wan on
else
    # already capturing: stop airodump-ng and clear the marker even if nothing was left to kill
    iwconfig wlan0 txpower 20
    pkill airodump-ng
    rm -f /tmp/kissing.touch
    ledcontrol lan off
    ledcontrol usb off
    ledcontrol wan off
fi
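Each capture above leaves a pcap plus the CSV summary airodump-ng writes beside it (the "-01.csv" file for the date-prefixed name). To get the frequency-counter feel, rank what was seen by signal strength so the AP the panel antenna is pointed at stands out; this Python helper is an added example, not code from the post or from the Pineapple, and the CSV below is constructed to match airodump-ng's column layout.

```python
import csv
import io

# Constructed sample in the layout airodump-ng writes to "<prefix>-01.csv" next to
# the capture. Power is in dBm; -1 means the driver reported no value.
SAMPLE_CSV = """\
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
00:11:22:33:44:55, 2014-12-03 13:40:01, 2014-12-03 13:41:10, 1, 54, WPA2, CCMP, PSK, -41, 120, 0, 0.0.0.0, 9, HomeNet-1,
66:77:88:99:AA:BB, 2014-12-03 13:40:03, 2014-12-03 13:41:09, 1, 54, OPN, , , -72, 35, 0, 0.0.0.0, 0, ,
CC:DD:EE:FF:00:11, 2014-12-03 13:40:05, 2014-12-03 13:40:05, 1, 54, WPA2, CCMP, PSK, -1, 1, 0, 0.0.0.0, 7, cafe-ap,

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
12:34:56:78:9A:BC, 2014-12-03 13:40:07, 2014-12-03 13:41:05, -55, 14, 00:11:22:33:44:55, HomeNet-1
"""


def parse_access_points(text):
    """Return the AP rows (dicts) from an airodump-ng CSV, ignoring the station table."""
    aps = []
    for row in csv.reader(io.StringIO(text), skipinitialspace=True):
        if not row or row[0] == "BSSID":
            continue  # blank separator line or the AP header
        if row[0] == "Station MAC":
            break  # the client table follows; only APs matter here
        try:
            power = int(row[8])
        except (IndexError, ValueError):
            continue  # malformed line, skip rather than crash mid-file
        aps.append({
            "bssid": row[0],
            "channel": row[3],
            "privacy": row[5],
            "power": power,
            "essid": row[13] if len(row) > 13 else "",
        })
    return aps


def strongest_first(aps):
    """Rank by signal: highest (least negative) dBm first; unknown (-1) always last."""
    return sorted(aps, key=lambda a: (a["power"] == -1, -a["power"]))


def strongest_ap(text):
    """The AP with the best signal in this dump, or None if the dump has none."""
    ranked = strongest_first(parse_access_points(text))
    return ranked[0] if ranked else None
```

Point the antenna a different way, press the button twice for a fresh dump, and compare the top entry between dumps.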

 

[Image: LEDs galore]

So now the AP is ready for deployment, but I still need a mobile power source. I love my Anker Astro Pro 2 batteries, but I wanted a narrower solution, so I picked up a RAVPower 158000mAh mobile battery, which has a 12V DC output, perfect for the Wifi Pineapple. The DC power cable that comes with the RAVPower battery also fits the Pineapple perfectly, so there is no need to hack together some zombie DC cable. Some industrial velcro binds the two together like they were meant for each other.

After some initial tests I realized that the omnidirectional antenna was still picking up way too much wifi AP noise, so digging through my box of "wifi shit I collected" I dug up an 8dBi wifi panel antenna. Now the setup is truly a point-and-shoot wifi scanner.

Compare the following: clearly the panel antenna reduces noise coming from the back of the device.

[Images: omni vs. panel antenna scan results (click to see larger image)]

 

The point and shoot wifi scanner:

[Image: the point-and-shoot wifi scanner]

 

It totally looks like I'm just texting on my smartphone... well, sort of...

 

[Image: texting]

Posted on December 3, 2014, 2:00 PM
Categories: stuff, WBDM