Monday, 2 April 2018

Hacking Wifi into a Twingo from '98

Almost everyone has seen the Corsa advert... And I felt like... this could happen to me. I am the proud owner of an old Renault Twingo from '98, which consumes more OIL than petrol (maybe a new hack, on the motor?). Obviously, my Twingo didn't have those fancy modern things like Wifi. But... the car was already quite modern at the time. It had a remote key (infrared key), electronically controlled mirrors, motor-controlled windows and WFS, also called an immobilizer.
So... What is the immo...bi..liser?
It is a fancy thing that was made mandatory in cars in the year 1998. What does it do? It blocks the car so that it can't move if the keys "don't activate the car"; the car doesn't start... That is the idea.
In my case, one of the keys I had got broken. The key was OK, but the infrared circuit didn't work anymore.
I had a problem. If the other key got lost or broke down, I wouldn't be able to start the car anymore.
My first attempt was to try to replicate the code of the infrared emitter. That didn't work so well... It seemed like they had put rolling encryption in the key.
So... what do I do if I can't attack my car from the front? Well... I attack it from behind.

I had seen on the internet that some people were selling a microprocessor that somehow made the car believe it had received the code. But they were selling the microprocessor for 70€.

I knew there was somewhere I could attack and make the car believe it had the code, but I didn't know where. And I didn't have enough tools to find it out. So I bought it. When I got it, I got the instructions to install it... They wanted me to desolder an EEPROM, write a byte 0x00 at file 66, and solder it back onto the board computer... WTF? They were selling it like something that you would just connect and it would work, without any problems. Obviously, I gave it back and asked for a refund. The plan I had had been a waste of time, because I had bought something that was too complicated for what I wanted, it was risky, and the instructions didn't match what I wanted to do.
I kept searching on the internet, and found out that someone had identified the cable that carried the signal from one of the peripherals to the main computer (I already knew that one of the 20 cables had to carry the signal, but I didn't know which one). I took one Arduino Pro Nano(??) and made a program whose function was to send over serial the time since the last falling edge.

So with the help of first the Arduino, and then an oscilloscope my father had lying there (and didn't tell me about until I explained to him what I was doing), I got a signal that looked something like this:
The signal of the car
So, in every project there is a fail, and this project wasn't an exception to the rule. As I didn't want to desolder the cables that were hanging from the receiver, I decided to keep driving with the cables hanging. I went down to a city near where I lived to buy groceries. When I came back and wanted to start the car again to go back to my house, the car didn't want to start. Why?
Well, if you connect a microchip without powering it properly, just using ground and the signal cable, the port registers won't put the pin in a state where it doesn't interfere with the signal. Let's say the signal cable was pulled to ground. And without a way to power the Arduino, there was no way the signal would get to the computer board of the car and start it.

The next thing I decided to do was probably the dumbest thing to do. I took a pair of metal scissors I had in the car and cut the cables that connected the Arduino to the receiver. While doing it, I made a short circuit between the 12V line and the microprocessor. A lot of smoke came out, some fuses burned, and a trace of the PCB almost disappeared.
As you can see, a trace is almost burned out.
Anyway, I had a bit of luck, because the car decided to start again. So the microchip wasn't burned, and the most important things still worked fine. I went back home, and I already had a signal I could hardcode somewhere and push over the same cable. I decided to hardcode it into an ATtiny85 and test it over a week, to see if it gave any problems. After a week passed and I saw it didn't give any problems, I decided to put it on an ESP8266 I had lying around.
Before you all see the next pictures, I have to tell you that I made this in my summer holidays, in the house of my grandmother. In Germany. I live in Spain. I didn't have proper tools, resistors, a protoboard... I literally had a bare ESP8266, a soldering iron, one Arduino Nano, one ATtiny85, one ISP programmer and one serial programmer. I had to get components from somewhere, and the only place I could get them was from an old TV receiver.
First I made the ESP8266 connections.
Front ESP12E. See the reset button and the GPIO0 programming button?
If you zoom in, you can barely see the 0402 SMD resistors I saved from the TV receiver. Yep... I soldered that.

So the next part was to make something that would still let me use my old keys to open and start the car, and wouldn't interfere with the signal made by the car. The easiest solution? One multiplexer. Did I have multiplexers? NOPE. But I had one TV receiver. Searching, I found 3 quad NAND chips. I made one Karnaugh diagram to see how I could make one multiplexer from 4 NANDs. The result?
See for yourself:


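As an added example (not code or a schematic from the post), this is the 2:1 multiplexer that a Karnaugh map of Y = S'A + SB gives when built from exactly four NAND gates, checked in Python against the multiplexer truth table. The signal roles A (receiver output), B (ESP8266 output) and S (select) are assumed names, since the post does not give the pin wiring.

```python
# Added example, not the original post's code: the 2:1 multiplexer built from
# four NAND gates, as the Karnaugh map reduces it, checked against a reference.
# Assumed signal roles: A = receiver output, B = ESP8266 output, S = select
# (S=0 passes A, S=1 passes B); the real wiring and pin names are not on the page.

from itertools import product

def nand(x: int, y: int) -> int:
    """One 2-input NAND gate on logic levels 0/1."""
    return 0 if (x and y) else 1

def mux_from_nands(a: int, b: int, s: int) -> int:
    """Y = S'A + SB, implemented with exactly four NAND gates.
    The consensus term AB is left out; it only matters for glitch-free
    switching of S while A and B are both high, not for the static table."""
    not_s = nand(s, s)            # gate 1: a NAND with tied inputs acts as NOT
    pass_a = nand(a, not_s)       # gate 2: low only when A=1 and S=0
    pass_b = nand(b, s)           # gate 3: low only when B=1 and S=1
    return nand(pass_a, pass_b)   # gate 4: NAND of the two terms is their OR

def reference_mux(a: int, b: int, s: int) -> int:
    """Behavioural definition of a 2:1 multiplexer."""
    return b if s else a

def truth_table() -> list:
    """All eight input combinations with the NAND-built output."""
    return [(a, b, s, mux_from_nands(a, b, s))
            for a, b, s in product((0, 1), repeat=3)]

def verify() -> bool:
    """True if the NAND network matches the reference on every input."""
    return all(y == reference_mux(a, b, s) for a, b, s, y in truth_table())

if __name__ == "__main__":
    print(" A B S | Y")
    for a, b, s, y in truth_table():
        print(f" {a} {b} {s} | {y}")
    print("matches reference:", verify())
```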
I forgot to mention, they were also SMD chips. I superglued them to a little sheet of aluminum so they wouldn't move while I was soldering them. I decided to make two multiplexers, because I also wanted to control a LED that was connected to the signal panel.
It was time to put it all together and start putting it in the car. I decided to put the NAND gates into a blob of silicone. I would have preferred epoxy, but I didn't have any at hand. I think it was a very bad idea, because when I tested it, the multiplexer for the LED only half worked as I wanted: it did cut the signal of the receiver, but didn't pass the signal of the ESP8266. I couldn't repair it anymore because it was behind a blob of silicone, but I didn't care that much. It was just a LED after all.

The final result:


I made a sweet webpage to open the car and let it start, or stop it from starting, tested it, and it worked quite well. I made space in the plastic cover that previously held the receiver circuit and put everything in there together. I guess I was lucky that while squeezing everything inside the tiny space I had there, nothing broke down.
Later, in Spain, I changed the regulator from a linear regulator to a switching regulator, which brought the 100mA the system wasted down to 18mA.

Now that I had two keys that worked perfectly, one with any phone and the Wifi password, and another normal key, I cut the key and put it into a screwdriver. Just to make it more... hacker-friendly? Or for the lols...
Yeah, I drive with that key.

A few months later, I lost my keys, so I guess this hack saved my car from being useless, because I still drive it with the screwdriver.



Friday, 30 December 2016

Raspberry Pi Zero OTG Ethernet. Not working? Solved

So I am working right now on a project, and a week ago I decided I would make it with a Raspberry Pi. I had 2 Raspberry Pis lying around in my house, a Raspberry Pi B revision 1 (the first Raspberry Pi B) and a Raspberry Pi Zero. I decided to use the Raspberry Pi Zero because I wanted my project not to cost too much (5€ isn't that much, or is it?) and I knew I could program it over USB OTG, even if I hadn't tested it before. There are plenty of guides to set up the Raspberry Pi Zero OTG as an Ethernet connection, so I followed one of those.
So the first thing I did was to install the latest version of Raspbian on the microSD card of my Raspberry Pi Zero. I just formatted the microSD card with SDFormatter and then wrote the latest Raspbian image with Win32DiskImager. After installing it, I opened the boot partition of the SD card, opened the file CONFIG.TXT and added at the very bottom dtoverlay=dwc2.

Then I closed it and opened the file CMDLINE.TXT and added, after rootwait with just one space, the command modules-load=dwc2,g_ether. I would recommend adding it with Notepad++.
This way you can see you aren't adding a new line. It is very important not to add a new line. The command must be separated with just one space.
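As an added example (not from the post), the two boot-partition edits above done from Python, with a check for the rule the post stresses: cmdline.txt has to stay a single line, with the new option exactly one space after rootwait. The sample file contents are constructed to look like a default Raspbian boot partition, and the boot mount path passed to apply_to_boot is whatever your SD card shows up as.

```python
# Added example, not the original post's code: the two boot-partition edits the
# post describes, with the check it stresses (cmdline.txt must stay one line,
# the option exactly one space after rootwait). Sample contents are constructed.
from pathlib import Path

CONFIG_LINE = "dtoverlay=dwc2"
CMDLINE_OPTION = "modules-load=dwc2,g_ether"
# Constructed samples shaped like a default Raspbian boot partition.
SAMPLE_CONFIG = "# For more options see /boot/overlays/README\ngpu_mem=64\n"
SAMPLE_CMDLINE = ("console=serial0,115200 console=tty1 root=/dev/mmcblk0p2 "
                  "rootfstype=ext4 fsck.repair=yes rootwait\n")

def patched_config(text: str) -> str:
    """Append dtoverlay=dwc2 as the very last line of config.txt (idempotent)."""
    if CONFIG_LINE in text.splitlines():
        return text
    return text + ("" if text.endswith("\n") or not text else "\n") + CONFIG_LINE + "\n"

def patched_cmdline(text: str) -> str:
    """Insert the option right after rootwait, one space apart, on the one line."""
    line = text.rstrip("\r\n")
    tail = text[len(line):]                 # keep the original line ending, if any
    if "\n" in line or "\r" in line:
        raise ValueError("cmdline.txt must be a single line")
    params = line.split()
    if CMDLINE_OPTION in params:
        return text                         # already patched, change nothing
    if "rootwait" not in params:
        raise ValueError("rootwait not found in cmdline.txt")
    params.insert(params.index("rootwait") + 1, CMDLINE_OPTION)
    return " ".join(params) + tail

def cmdline_is_valid(text: str) -> bool:
    """True only if the file is one line and the option directly follows rootwait."""
    line = text.rstrip("\r\n")
    if "\n" in line or "\r" in line:
        return False
    params = line.split()
    i = params.index("rootwait") if "rootwait" in params else -1
    return i >= 0 and params[i + 1:i + 2] == [CMDLINE_OPTION]

def apply_to_boot(boot: Path) -> bool:
    """Patch config.txt and cmdline.txt in place; bytes I/O avoids the newline
    translation a text-mode write would do on Windows."""
    for name, patch in (("config.txt", patched_config), ("cmdline.txt", patched_cmdline)):
        path = boot / name
        path.write_bytes(patch(path.read_bytes().decode()).encode())
    return cmdline_is_valid((boot / "cmdline.txt").read_bytes().decode())
```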

So after this I have read that you must create in the boot folder a folder named SSH so the connection to your computer works. Well... I think that is just witchcraft... I don't think it works that way. I mean... I tested it out and it didn't work for me. At last I bought an OTG keyboard cable and a mini-HDMI cable to enable SSH. That didn't work either. But I found the reason. Anyway... after enabling SSH via console with the raspi-config command on my television, I saw that in the boot partition of the SD card there was no SSH file or folder. Test my way first; if it works, fine. If my way doesn't work, then test the other way. If it still doesn't work, then go buy an OTG cable for a keyboard and a mini-HDMI cable.

So, let's continue. After modifying config.txt and cmdline.txt, install Bonjour, iTunes or QuickTime on Windows, then put the microSD in the Raspberry Pi Zero and connect the USB OTG port of the Raspberry Pi Zero to your computer. Before you do this, you should open the Device Manager on your computer.
Sorry, it is in Spanish
So now we have to see if the Raspberry connects to the computer as a serial port or as an Ethernet device. In my case it was connecting as a serial port, but I didn't know it and couldn't find information about it.
If it connects as an RNDIS device, you should be able to connect via PuTTY to raspberrypi.local. Anyway, let's continue.
As you can see, my laptop doesn't know it is actually an Ethernet device. But don't worry...
There is a solution, even if you can't find it on the internet. First download this file: RPI OTG DRIVER and unzip it.
Then right-click on the serial device and click the first option. It will open something like this:
Click what I have marked with the blue pencil, and browse to the file that you unzipped before.
And press Next. Windows will install the driver, and now it should appear in the Device Manager as an RNDIS device.
Now open PuTTY and try to connect to raspberrypi.local. If it connects, GREAT; if it doesn't, maybe you have to enable SSH.


Monday, 14 November 2016

Digispark, reset disable

A few weeks ago I bought some Chinese Digisparks, 3 for 6 bucks. Everything worked fine and I started playing with them. But there was a problem. I couldn't get a signal out of PB5, and the analog converter ADC0 on PB5 couldn't go under 2.45V, because the ATtiny85 would reset.
It seems that Chinese Digisparks don't have the reset fuse disabled. So I started searching for a way to set the fuses right. This is what I got:
First we need to install ArduinoISP on an Arduino Uno, or similar. You can get ArduinoISP from the examples.
Arduino ISP program
Now you will need to connect the Arduino to the Digispark, with this configuration:
GND-->GND
5v-->5v
10-->p5
11-->p0
12-->p1
13-->p2 
And you will need to connect a 10uF capacitor between the reset pin of the Arduino and ground.
The next step is to install AVRDUDESS.
Now you have to open it and set everything as it is in the image below.
AVRDUDESS
Now you have to press "Detect" first, and if it recognises the ATtiny85, then you have to press the first Read in the "Fuses & lock bits" box. You will get 3 hexadecimal values.
Then you have to take these values and put them in this Calculator. Select attiny85 as the AVR, and put the values in their places.

Later you have to press the bit 7 RSTDISBL, and put it to high, and recalculate.
 
New hexadecimal values will appear. You have to copy them into the AVRDUDESS console and press Write. After that your fake Digispark will become a real Digispark. Just try it, loading a blink program on PB5.
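As an added example (not from the post), this shows in Python what the RSTDISBL change actually does to the high fuse byte, and a check worth doing on the three values before pressing Write. AVR fuse bits are active-low (0 means programmed), so enabling RSTDISBL in the calculator clears bit 7 of the high fuse; the fuse values in the code are constructed, read your own board's first.

```python
# Added example, not the original post's code: what the RSTDISBL change does to
# the ATtiny85 high fuse, and a check worth doing before pressing Write. AVR fuse
# bits are active-low (0 = programmed), so enabling RSTDISBL clears bit 7.
# The fuse values used below are constructed; read your own board's first.

RSTDISBL_BIT = 7   # high fuse bit 7: turn the RESET pin into plain PB5
SPIEN_BIT = 5      # high fuse bit 5: SPI (ISP) programming enable

def fuse_is_programmed(fuse: int, bit: int) -> bool:
    """A fuse bit reading 0 means 'programmed' (the feature is enabled)."""
    return (fuse >> bit) & 1 == 0

def program_rstdisbl(hfuse: int) -> int:
    """Return the high fuse byte with RSTDISBL programmed; unchanged if already set."""
    if not 0 <= hfuse <= 0xFF:
        raise ValueError("high fuse must be one byte")
    return hfuse & ~(1 << RSTDISBL_BIT) & 0xFF

def describe_change(hfuse_before: int) -> dict:
    """Summarise the write: only bit 7 changes, and ISP access is lost afterwards
    (the Arduino-as-ISP setup can no longer reach the chip; any further fuse change
    needs a high-voltage serial programmer, while the Digispark USB bootloader
    keeps accepting sketches)."""
    after = program_rstdisbl(hfuse_before)
    return {
        "before": f"0x{hfuse_before:02X}",
        "after": f"0x{after:02X}",
        "bits_changed": bin(hfuse_before ^ after).count("1"),
        "spien_still_programmed": fuse_is_programmed(after, SPIEN_BIT),
        "isp_possible_after": not fuse_is_programmed(after, RSTDISBL_BIT),
    }

if __name__ == "__main__":
    # Constructed: 0xDD is a high fuse with reset still enabled and SPIEN set.
    print(describe_change(0xDD))
```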