Archive for the 'Android' Category

Don’t Touch Me There

Dec 09 2012 Published under Android, Defcon, Hardware, News

This week, Reza Hussein published his awesome research into hacking the TouchTunes jukebox remote. (UPDATE: Reza has been asked to take it down.) This is a project I’ve worked on for way too long, and in some ways I feel relieved that someone could do what I failed to complete. What’s pretty funny to note is that Reza and I both attended Defcon and have been hacking on this for a while. I presented at Skytalks on the subject at this last Defcon 20, although my talk was split between the mobile app and the remote. It’s also funny that our tools are so similar: Saleae Logic Analyzer, Arduino PoC, DigiKey to source the parts. We even like similar coffee tables.

So, I’ve decided to stop being a pussy and publish everything, since it really doesn’t matter any more and you might as well look at Reza’s research. You can find the information related to the mobile app here (which I’ve already disclosed to the vendor, and they’ve since updated it) and the details about the remote here. I’ve included part of my code for the mobile app, which no one has seen before, although I’ve taken out the dangerous bits. Sorry. It’s very easy to figure out where to fill in the blanks if you actually care. I’ve also included all the screenshots I have of the remote.

BackStory

This project started a long time ago when I wanted to get some practice on mobile apps and a bartender friend of mine showed me the new mobile app that hooked into his jukebox. The TouchTunes jukebox was a fun target since it seemed like some VP at the company said “We should have a mobile app!” and a developer went “Oh shit!”

I got bored of this and looked for other attack vectors, like the remote. This was pretty interesting because it was an RF remote, unlike other jukeboxes that are IR. This gave me an opportunity to get into some RF hacking and hardware hacking. The problem with this was that it was a _lot_ of fun to get into, and I don’t want to think about how many hours were spent on it. I didn’t know anything about radio or reversing circuits, so everything was new and shiny to me. Intrepidus Group has an annual meeting in Cancun where they like to do a friendly “Hack of the Year” competition. It’s a hilarious time to present projects you’ve been working on, so even though it was in kind of a rough state, I submitted this. At this point I was able to do most of the mobile hacks and a little bit of the remote stuff. At least enough to show that I was using a ham radio rig to try and play the signals.

BSidesDetroit

Fast forward to Kyle Kretes hitting me up for a presentation for his BSides in Detroit. I thought the TouchTunes stuff was pretty entertaining to present, especially when I added in my favorite song to play on jukeboxes. So a friend of mine and I go to Detroit and @SecJames fuels my presentation with 8am Tequila. All goes well.

Defcon Skytalks

A few months later, @rossja goads me into submitting my presentation to Defcon Skytalks, which I do mostly because I expect to be filtered out. I surprisingly get selected and bring in @JustBill to help me, since he has a background in all things related to radio. Arriving in Vegas and getting a Skytalk badge, we find that the badge made by PyroDon operates on 434MHz, basically the exact same as the remotes. So we furiously hack on these badges to turn them into what we called a “Juke-Box-B-Dong” – an ode to the 303 organizers. We didn’t have the tools necessary to get into it, but we did write code that would theoretically work once we were able to flash it onto the PIC.

Today

Four months from Defcon, six from BSides Detroit, 11 months from the Intrepidus Group annual meeting, and a long ass time since I started poking at the project, I’ve put the project down, and Reza has published research that goes the next mile: a tool that will give you free credits and brute-force the remote control PIN, all in a tiny package. It’s perfect, except I would have added a volume down option as well. :) I’m still hoping to learn how to program that PIC for the Juke-Box-B-Dong, as it would be a cool feature to give to my 303 friends. Other research priorities at the moment, though.

Defcon Skytalk: Jukebox Jacking

Jul 19 2012 Published under Android, Defcon, News

Late next week, JustBill and I will be presenting at Defcon/303 Skytalks in Las Vegas. The presentation, Jukebox Jacking, is a project I’ve been working on for longer than I want to admit. The short version is that I’ve been messing around with a jukebox in my spare time as a weird side project. It started out as just a mobile hacking project and then turned into RF and hardware hacking. Here’s the link: https://skytalks.info/talks.html#8

The good portion of this talk is that I think it’s funny how deep we went into this thing. The infosec person in me feels a bit guilty, because a few of the things I did have no remediation path. There’s nothing they can do besides replacing the entire jukebox. Their original design was based on the thought that “Nobody would ever try this.” Sorry. :/

The talk is on Sunday at 10am. Yes, that DOES suck, but I think it’s actually the correct slot for this talk. I’m not pretending that this is brilliant technical material, nor is it interesting to everyone out there. Hopefully the takeaways are that if you’ve ever wondered how this jukebox works, now you do; if you’ve wanted to get into RF and hardware hacking, these are some tools that could help; and if you want to get started with mobile hacking, this is how to do it.

I’ll be updating this page with the presentation and details of the project later.

UPDATE: changed link to project details.


AXMLParsePY: Native Python Library for Android XML Parsing

Feb 05 2012 Published under Android, AXMLParsePY, Manitree

I think it was less than a week after I announced my little Android Manifest auditor tool, Manitree, that Anthony Desnos, the developer of Androguard, sent me a message in the tone of “hey, why didn’t you use Androguard for that?” If nothing else, why didn’t I use Androguard’s native AXML converter?

Androguard is this immense Android app analysis project. If you take a look at the first page, you may get overwhelmed pretty quickly. I hope Anthony doesn’t take this the wrong way, because it’s an impressive tool when I’ve seen it working, and it’s great for all kinds of things besides malware analysis. For instance, it can analyze apks, diff binary apps, visualize the flow of an app between classes — fun stuff. But for my dinky project, most of the work was focused on the AndroidManifest.xml file, and the simplest feature was the most impressive to me: a native python Android XML file format converter. As of writing this, I’ve not seen anyone else do this publicly.

Mandatory technical background: the AndroidManifest.xml file is stored in a format called the Android XML format, or AXML. This is an optimized binary format and not a lot of fun to look through, so tools like AXMLPrinter, AXMLPrinter2, aapt, and apktool convert these files back to the standard XML they were originally written in. The format was designed to link to the resources.arsc file without duplicating data: for instance, instead of repeating a string value over and over in the manifest, the value lives in resources.arsc, and what you’ll actually see in the binary is a reference to its location in that file.

For the reason above, this weekend a few of us started to extract Androguard’s AXML code into a separate project that aims to be a native python library for parsing AXML files. It’s up on github and still in progress, but the goal is that it can be useful as a standalone python module without having to import all of Androguard. https://github.com/antitree/AxmlParserPY
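To make the binary-format point above concrete, here is an added example (mine, not code from Androguard or AxmlParserPY) that parses the string pool chunk at the heart of an AXML file and decodes an attribute value as either a pool index or a resources.arsc reference. It builds its own constructed UTF-16LE string pool as input, handles only the default UTF-16 pool, and bounds-checks the header so a truncated or forged chunk size fails cleanly instead of reading past the buffer.

```python
import struct
from itertools import accumulate

RES_STRING_POOL_TYPE = 0x0001          # chunk type of a ResStringPool
UTF8_FLAG = 0x100                      # pool flag: strings are UTF-8, not UTF-16LE
TYPE_REFERENCE, TYPE_STRING, TYPE_INT_BOOLEAN = 0x01, 0x03, 0x12  # Res_value dataType

def build_string_pool(strings):
    """Constructed sample input: a UTF-16LE ResStringPool chunk, not one from a real APK."""
    entries = [struct.pack("<H", len(u) // 2) + u + b"\x00\x00"   # uint16 length, chars, NUL
               for u in (s.encode("utf-16-le") for s in strings)]
    offsets = list(accumulate((len(e) for e in entries), initial=0))[:-1]
    body = b"".join(entries)
    body += b"\x00" * (-len(body) % 4)                 # chunks are 4-byte aligned
    header_size = 28
    strings_start = header_size + 4 * len(strings)     # offset table sits after the header
    header = struct.pack("<HHIIIIII", RES_STRING_POOL_TYPE, header_size,
                         strings_start + len(body), len(strings), 0, 0,
                         strings_start, 0)
    return header + b"".join(struct.pack("<I", o) for o in offsets) + body

def parse_string_pool(data):
    """Return the strings of the ResStringPool chunk that starts at data[0]."""
    (ctype, hsize, csize, count, _styles, flags,
     sstart, _style_start) = struct.unpack_from("<HHIIIIII", data, 0)
    if ctype != RES_STRING_POOL_TYPE:
        raise ValueError("not a string pool chunk: 0x%04x" % ctype)
    if flags & UTF8_FLAG:
        raise NotImplementedError("UTF-8 pools use a different length encoding")
    if csize > len(data):
        raise ValueError("chunk size exceeds buffer (truncated or forged header)")
    offsets = struct.unpack_from("<%dI" % count, data, hsize)
    out = []
    for off in offsets:
        p = sstart + off
        n = struct.unpack_from("<H", data, p)[0]       # length in UTF-16 code units
        if p + 2 + 2 * n > csize:
            raise ValueError("string runs past the chunk end")
        out.append(data[p + 2:p + 2 + 2 * n].decode("utf-16-le"))
    return out

def decode_attr_value(strings, dtype, data):
    # Decode one attribute's Res_value the way a printer such as aapt would show it.
    if dtype == TYPE_STRING:
        return strings[data]                   # data = index into the AXML string pool
    if dtype == TYPE_REFERENCE:
        return "@0x%08x" % data                # resource id, resolved via resources.arsc
    if dtype == TYPE_INT_BOOLEAN:
        return data != 0
    raise ValueError("unhandled value type 0x%02x" % dtype)
```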

Here’s a quick example that takes in AndroidManifest.xml in binary format and spits it out in xml: