Random projects

These are smaller projects, or ones which I didn't bother making a menu entry for.

Reading a smart card through a tamper evident bag

Many Hardware Security Modules (HSMs) use smart cards to store cryptographic material, export the Storage Master Key (SMK), application keys, and authenticate Security Officers and Crypto Officers.

 


These smartcards are often stored in Tamper Evident Bags (TEB) to provide a chain of custody and prove that no-one has read or otherwise tampered with the card. Unfortunately this is not secure; it's trivial to read the card through the TEB in a way that is almost undetectable.

If you need to mail a smart card, or store it in a safe, it should be placed in a hard-shell case, which should be sealed with tamper evident seals, and then placed in a TEB. My standard suggestion for this was to use (clear) PCMCIA card holders and foil tamper evident seals, but it is increasingly hard to find the clear PCMCIA card holders - the Pelican 0915 SD Memory Card Case or Pelican 1040 Micro Case both look like they might work (the SD Card case doesn't have a clear front, which is unfortunate).

This is surprisingly easy to do. I had done this in 2010, but since I deleted the writeup, I am redoing it here.

An HSM smart card is just a "standard" smart card and the contact layout is almost exactly the same as an 8-pin DIP (dual in-line package). I took a cheap USB smart card reader ($20 on Amazon), and removed it from its packaging.


I soldered a cheap 8-pin DIP socket onto the reader slide contacts (the "cheap" through-hole DIP sockets work better than the better quality milled ones, as the tips are sharper). Smart card readers have a switch which is activated when the card is inserted (bottom right of the second picture above) - I bridged across this with a small pushbutton, to allow me to activate it on demand.


The "points" of the DIP socket can now be placed outside the bag, just above the contacts. Pressing down and "wiggling" the reader will make the points pierce the bag, and make contact with the smart card, allowing the card to be read through the bag - these holes are tiny, and difficult to see, especially if done carefully and above the bag label.


If you know where to look, this attack is detectable - a better resourced attacker could easily replace the (large) 8 pin DIP with something like 7X Tungsten Cat Whisker Fine Probes. I only have much larger die probes (and only a small number of these), but even with these the plastic seems to self-heal after poking them through. 

In summary, don't just trust a tamper evident bag - they are primarily designed for protecting deposits, or chain-of-custody of evidence, not protecting something like a smart card. Instead, seal the smart card in a hard-shell case, place numbered and signed tamper evident seals on all sides of the case, and then place this entire set in a (numbered and signed) tamper evident bag.


I've put a video demonstrating reading the card here: https://www.youtube.com/watch?v=oMDpXdDU1G4&feature=youtu.be

Output:

Tue Mar 24 09:57:49 2020
Reader 0: Gemalto PC Twin Reader 00 00
Event number: 49
Card state: Card inserted,
ATR: 3B 2A 00 80 65 A2 01 02 01 31 72 D6 43
ATR: 3B 2A 00 80 65 A2 01 02 01 31 72 D6 43
+ TS = 3B --> Direct Convention
+ T0 = 2A, Y(1): 0010, K: 10 (historical bytes)
TB(1) = 00 --> VPP is not electrically connected
+ Historical bytes: 80 65 A2 01 02 01 31 72 D6 43
Category indicator byte: 80 (compact TLV data object)
Tag: 6, len: 5 (pre-issuing data)
Data: A2 01 02 01 31
Tag: 7, len: 2 (card capabilities)
Selection methods: D6
- DF selection by full DF name
- DF selection by partial DF name
- DF selection by file identifier
- Short EF identifier supported
- Record number supported
Data coding byte: 43
- Behaviour of write functions: write OR
- Value 'FF' for the first byte of BER-TLV tag fields: invalid
- Data unit in quartets: 8
Possibly identified card (using /usr/share/pcsc/smartcard_list.txt):
3B 2A 00 80 65 A2 01 02 01 31 72 D6 43
3B 2A 00 80 65 A2 01 .. .. .. 72 D6 43
Gemplus MPCOS EMV 4 Byte sectors
3B 2A 00 80 65 A2 01 02 01 31 72 D6 43
MPCOS-EMV 64K Functional Sample
THALES nShield Security World
THALES NCIPHER product line
Tue Mar 24 09:57:50 2020
Reader 0: Gemalto PC Twin Reader 00 00
Event number: 50
Card state: Card removed,
Tue Mar 24 09:57:51 2020
Reader 0: Gemalto PC Twin Reader 00 00
Event number: 51
Card state: Card inserted,
ATR: 3B 2A 00 80 65 A2 01 02 01 31 72 D6 43
ATR: 3B 2A 00 80 65 A2 01 02 01 31 72 D6 43
+ TS = 3B --> Direct Convention
+ T0 = 2A, Y(1): 0010, K: 10 (historical bytes)
TB(1) = 00 --> VPP is not electrically connected
+ Historical bytes: 80 65 A2 01 02 01 31 72 D6 43
Category indicator byte: 80 (compact TLV data object)
Tag: 6, len: 5 (pre-issuing data)
Data: A2 01 02 01 31
Tag: 7, len: 2 (card capabilities)
Selection methods: D6
- DF selection by full DF name
- DF selection by partial DF name
- DF selection by file identifier
- Short EF identifier supported
- Record number supported
Data coding byte: 43
- Behaviour of write functions: write OR
- Value 'FF' for the first byte of BER-TLV tag fields: invalid
- Data unit in quartets: 8
Possibly identified card (using /usr/share/pcsc/smartcard_list.txt):
3B 2A 00 80 65 A2 01 02 01 31 72 D6 43
3B 2A 00 80 65 A2 01 .. .. .. 72 D6 43
Gemplus MPCOS EMV 4 Byte sectors
3B 2A 00 80 65 A2 01 02 01 31 72 D6 43
MPCOS-EMV 64K Functional Sample
THALES nShield Security World
THALES NCIPHER product line
Tue Mar 24 09:57:51 2020
Reader 0: Gemalto PC Twin Reader 00 00
Event number: 52
Card state: Card removed
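
The ATR breakdown in the reader output above can be reproduced by hand. The following is an added example, not part of the original write-up: a small ISO/IEC 7816-3 ATR decoder run on the ATR shown above. The function names are illustrative, and the TCK check goes beyond this particular ATR, which offers only T=0 and so carries no checksum byte.

```python
from functools import reduce

SAMPLE_ATR = "3B 2A 00 80 65 A2 01 02 01 31 72 D6 43"  # ATR from the output above
# Meaning of the first card-capabilities byte (compact-TLV tag 7), bit 8 down to bit 1
SELECTION_METHODS = ["DF selection by full DF name", "DF selection by partial DF name",
    "DF selection by path", "DF selection by file identifier", "Implicit DF selection",
    "Short EF identifier supported", "Record number supported", "Record identifier supported"]

def parse_atr(atr_hex):  # decodes TS, T0, the interface-byte chain and historical bytes
    b = bytes.fromhex(atr_hex)
    if len(b) < 2 or b[0] not in (0x3B, 0x3F):
        raise ValueError("not an ISO/IEC 7816-3 ATR")
    iface, protocols = {}, set()
    y, k, pos, i = b[1] >> 4, b[1] & 0x0F, 2, 1     # Y(1) flags, K historical bytes
    while True:
        for bit, name in enumerate("ABCD"):          # Y(i) bits announce TA(i)..TD(i)
            if y & (1 << bit):
                if pos >= len(b):
                    raise ValueError("truncated interface bytes")
                iface[f"T{name}({i})"] = b[pos]
                pos += 1
        if not y & 0x8:                              # no TD(i): the chain ends here
            break
        protocols.add(iface[f"TD({i})"] & 0x0F)
        y, i = iface[f"TD({i})"] >> 4, i + 1
    # TCK follows only when a protocol other than T=0 is offered; T0..TCK XOR to 0
    end = pos + k + (1 if protocols - {0} else 0)
    if len(b) < end or (end > pos + k and reduce(lambda a, c: a ^ c, b[1:end])):
        raise ValueError("truncated ATR or bad TCK")
    return {"convention": "direct" if b[0] == 0x3B else "inverse",
            "interface": iface, "historical": b[pos:pos + k]}

def parse_compact_tlv(hist):  # historical bytes -> [(tag, value)] if category is 0x80
    items, pos = [], 1
    while hist[:1] == b"\x80" and pos < len(hist):
        tag, length = hist[pos] >> 4, hist[pos] & 0x0F
        if pos + 1 + length > len(hist):
            raise ValueError("truncated compact-TLV object")
        items.append((tag, hist[pos + 1:pos + 1 + length]))
        pos += 1 + length
    return items

def selection_methods(tlv):
    caps = dict(tlv).get(7) or b"\x00"
    return [text for n, text in enumerate(SELECTION_METHODS) if caps[0] & (0x80 >> n)]

if __name__ == "__main__":
    atr = parse_atr(SAMPLE_ATR)
    print(atr, selection_methods(parse_compact_tlv(atr["historical"])))
```
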

 

 

 

 

Westover P5000 scope: Making an awful device marginally less awful

I have a Westover Scientific P5000 fiber scope. I like the device itself, but the last time ThermoFisher released software for it was 2010, and it required Windows® XP or Vista Operating System (or, with much fighting, possibly Windows 2000). Based on the price of the device this is annoying, but ThermoFisher seems to often abandon their products.

Anyway, I haven't been able to find a nicer fiber-scope, and it was really annoying me that I could no longer use this one - it's basically just a camera and some funny optics, and so I decided to try and fix it (the other alternative was tidying my office, and that sounded like less fun...) I ended up swapping out the sensor and electronics for a cheap webcam module. Here is my build journey in case anyone else wants to do the same...


 

It uses Torx screws (for some reason the optics module uses security Torx).

Inside is an optics package, a small sensor board, and a larger video to USB board. Connecting the two boards together is a flat-flex cable. It uses the same cable that the Raspberry Pi camera module uses; I was initially excited, hoping that this might be a standard pinout, and I could just slap a Raspberry Pi in instead, but no such luck. I pulled out the electronics, and then took apart a Logitech webcam, hoping that I could replace the sensor module with the guts from the Logitech - this almost worked, but like the fiber scope the webcam has two boards, and the connector on the sensor board faces "forward", which would get in the way of the optics package. The connector seems to be 0.2mm pitch, and so it wasn't really feasible to desolder it and run new traces or move it to the back of the board.

Instead I found a small USB webcam module - ELP megapixel Super Mini 720p USB Camera Module with 120degree Lens and replaced the sensor and electronics with this. Unfortunately it did require carving away a little bit of the casing with a Dremel tool, and I got a bit impatient and cut all the way through, but it still looks and works well.

 

Picture of the optics module. It is basically a microscope, and a blue illumination LED, with a 45-degree beamsplitter to allow the LED to illuminate the front surface of the fiber. The LED sits in the front, and seems to be powered by ~3.3V.


 

The webcam module - this was $29USD from Amazon. The webcam module I chose has a 120 degree field of view, but this isn't really important, because I remove all of the optics and am only using the sensor. The module itself is on a (I'm guessing?) standard size PCB, but has "slots" to allow the outer part of the board to be removed.

Finding a handy 3.3V source to power the LED. There is a handy looking set of contacts (lower left), unfortunately they are GND and USB 5V. Probing around I found a handy 3.3V supply.

Snipping off the "break away" outer board. I'm assuming that both the outside and inside boards are a standard size.


Removing the original sensor mount from the sensor board. The adapter screws into the back of the optics package, and protects the sensor. I used a heat gun to heat up the mounting glue, and popped it off. After removing the lens assembly from the new webcam module, it slides nicely into this mount, and a dab of hotglue holds it nicely in position. The adapter has some slots to allow fine-tuning of the sensor position.


In order to make this particular webcam module fit, I had to trim the case slightly with a Dremel tool - I'm sure I could have found a smaller camera module (I considered using an endoscope, but that seemed like more trouble than I wanted to deal with). I got somewhat impatient / over-enthusiastic, and ground through the edge of the case, but a smaller board or a bit more patience should solve this. I also added some pennies to give the unit a slightly nicer heft. 

As it now contains a standard webcam, this now works perfectly on Linux and Apple macOS X devices without any sort of drivers.


 

Improving the Airconsole LE

I've long been a fan of the Airconsole portable Wifi / Bluetooth to Serial devices. They always work well, they connect to anything, and it is really nice to be able to have a console connection without having to balance your laptop on the edge of a rack / router / whatever.

 

They recently released the Airconsole LE - a portable, long battery life BLE based unit. Unfortunately it is much larger than it needs to be - and I mainly carry a console server for emergency use. If it takes up too much space in my bag, I won't carry it, and then it is of no use.

Don't get me wrong - Get Console / Airconsole are still awesome, this particular product of theirs could just be even better!


 

The huge majority of this size comes from the comically large RJ45 connector - I get that they built it ruggedly so that it would survive being knocked about / used as a handle for carrying switches around, etc, but this is taking it a bit far!!


 

I ended up disassembling it and using a Dremel tool to cut away the majority of the strain relief on the back of the connector.


 

I then printed a 3D case out of glow-in-the-dark filament. Partly this was because this was what was already loaded in my printer, but also so that it might be a little easier to find in the depths of my bag. It is now almost 1/2 as long, and much thinner and narrower as well (the new case slides completely inside the old one :-)

 


 

Fixing a Joule Sous Vide motor / seal

We have a Joule sous vide which recently developed an issue - the motor which drives the impeller started sounding like it was struggling, and then one day it just stopped in mid cook. 


We do not have particularly hard water, but I tried the standard "run it in a vinegar / water solution" - this made a tiny improvement, but not enough to make a useful difference. I looked some online, but wasn't able to find any repair instructions - there were a number of posts showing that bits are glued in, and so it cannot be disassembled easily. 

 Anyway, I was not happy throwing it away, so I decided to try fix it - this worked for me, it may or may not work for you as well. Obviously, do this at your own risk, I take no responsibility for, well, anything...

Firstly, get some thin silicone oil - I use "Super Lube 56104 Silicone Oil 100 CST" - you are looking for something thin, silicone grease won't work for this.

 

Flip the Joule over, and use some tape to block off the water outlet - I used Kapton tape because it was handy, and knew that the adhesive would survive the oil.

 

Remove the impeller - it has a small hole in it specifically for using a fork to pop the impeller off.

Image of impeller

Squirt a little bit of the oil in (another advantage of Kapton tape is that you can see the liquid level) - I filled it to around 1/2 way up the water exit hole. Now, leave it to sit for a few hours. Every now and then wiggle the shaft - it is remarkably stiff, and so can take a fair bit of force, but don't push too hard or you might bend it. Basically, you want to try get some of the oil to slide down the shaft so it lubricates the seal.

After a few hours I was getting impatient, and so I bent a paperclip into a small hook, chucked it in a drill, and used this to spin the impeller for a while. After I'd done this the shaft was noticeably easier to turn, so I flipped it over and tested it -- and it now runs like new...

 

 

Repairing a Haas Rotary Table controller

A friend of mine has a Haas 4th axis / rotary table, which he wants to drive from a Matsuura CNC mill. Unfortunately, no matter what parameters and options we tried, we were unable to talk to the Haas controller over the RS-232 port.

This is a fairly common device, and so I figured I'd provide some information on repairing it.

I recently ran into an issue with a "Datum PRS-50 Cesium Beam Primary Reference Source" which I couldn't talk to using any of my USB to Serial converters - after some debugging I figured out that this was because all the USB->Serial devices I tried seem to only output 0V to +8-10V, while the spec calls for -5-25V to +5-25V. This works for "modern" devices, but not for some older ones, and so I needed to use a machine with a "real" serial port for the PRS-50 (as a side note, if anyone knows of a USB to RS-232 which actually does full voltages, please let me know!). I figured that this might be the same issue with the Haas controller, and so tried with a desktop with a known good serial port, but this didn't help, and so I decided to dig a bit deeper.

Being made in 1995, this Haas controller is all through-hole DIP construction.

 

The controller has 2 serial ports, one Upstream (to the CNC machine / PC), and one Downstream (for daisy-chaining controllers). I opened it and first checked the connectivity from the serial port to all of the pins on the ribbon cable, and then to the rear of the board -- the IDF connector was slightly loose but seemed to make good enough connectivity. I then ran it on a workbench and hooked it up to an oscilloscope and traced the serial signal. The input goes through an MC1489P Quad Line EIA-232D Receiver, which then hands the signal off to an NEC PD71051 Serial Control Unit (which receives serial data streams and converts them into parallel data characters), which finally hands this to a Z80 series CPU. Return traffic (which only seems to come in response to "xP" commands) goes through the PD71051 and then an MC1488P Quad Line EIA-232D Driver.

Tracing the serial signal showed that it wasn't arriving at the PD71051. The obvious culprit here is the MC1489, and so I desoldered this and the MC1488, installed sockets (so future replacements are easier) and installed new ones.

[Photos: Removed MC1489; Removed chips; Fixed; Removed both; Socketed]

After testing this on the workbench and checking the signal with a scope I could now see the serial signal arriving at the MC1489P, but didn't bother hooking up a protocol analyzer to check the output - instead, I just sent an XP command, got back "01" as the response, buttoned it all up and tested it -- and now it works.