#1  06-04-2004, 16:55
phrontist (Proto-Engineer; AKA Bjorn Westergard; FRC #1418 Vae Victus; College Student; Falls Church, VA; joined Feb 2004)
Malicious RC Code?

An interesting thought just occurred to me. I was thinking about the VCU regional, all those microcontrollers with radio links sitting around, and the (obvious?) issue came to mind. Would it be possible for a program to replicate via radio link, perhaps through some clever buffer overflow? I'm guessing the answer is no, but it's worth looking into because:

1) It's technically interesting
2) You'd want to patch that before someone else has a similar thought

NOTE: Yes, I know this would be horrible, I don't advocate this kind of thing. Yada, Yada, Yada...
__________________

University of Kentucky - Radio Free Lexington

"I would rather have a really big success or a really spectacular crash and failure then live out the warm eventual death of mediocrity" - Dean Kamen

#2  06-04-2004, 16:56
Ryan M. (Programming User; FRC #1317 Digital Fusion; Programmer; Ohio; joined Jan 2004)
Re: Malicious RC Code?

Quote:
Originally Posted by phrontist
An interesting thought just occurred to me. I was thinking about the VCU regional, all those microcontrollers with radio links sitting around, and the (obvious?) issue came to mind. Would it be possible for a program to replicate via radio link, perhaps through some clever buffer overflow? I'm guessing the answer is no, but it's worth looking into because:

1) It's technically interesting
2) You'd want to patch that before someone else has a similar thought
I'm gonna find out now...

Thanks for the treasure hunt.

--EDIT--
Or maybe not replicate like a virus. Maybe you could just imitate the OI radio (with a stronger signal, so that you override the real one) and make it appear that the OI is missing, effectively disabling the RC.
#3  06-04-2004, 16:59
dez250 (no team; Upstate NY / Manchester, NH; joined Dec 2002)
Re: Malicious RC Code?

The FRC is designed to only download code via the prog port, though I bet there could be some way a program could be written to be able to download via radio link. Now the biggest issue is the manual control of a download. Prior to any code being able to be downloaded or stored into the memory, you must first manually press the program button; this activates the firmware for a download. So I do not know if it is possible to force a download via the radio link with people not knowing...
__________________
-Michael Dessingue
#4  06-04-2004, 17:00
phrontist (Proto-Engineer; AKA Bjorn Westergard; FRC #1418 Vae Victus; College Student; Falls Church, VA; joined Feb 2004)
Re: Malicious RC Code?

Man Texan! You're quick on the draw! I hadn't even fixed my spelling mistakes and, BAM!, you'd replied :-)

I'm on vacation right now, but I REALLY want to look at the code all of a sudden!

Must... find... loophole...
#5  06-04-2004, 17:02
phrontist (Proto-Engineer; AKA Bjorn Westergard; FRC #1418 Vae Victus; College Student; Falls Church, VA; joined Feb 2004)
Re: Malicious RC Code?

Quote:
Originally Posted by dez250
The FRC is designed to only download code via the prog port, though I bet there could be some way a program could be written to be able to download via radio link. Now the biggest issue is the manual control of a download. Prior to any code being able to be downloaded or stored into the memory, you must first manually press the program button; this activates the firmware for a download. So I do not know if it is possible to force a download via the radio link with people not knowing...
Ah, but you're missing the key idea here! You don't NEED to download the code! You just need to find a point in the code at which you can overflow a buffer, which would allow you to dump arbitrary machine code onto the stack. That's the idea anyway.
#6  06-04-2004, 17:03
Ryan M. (Programming User; FRC #1317 Digital Fusion; Programmer; Ohio; joined Jan 2004)
Re: Malicious RC Code?

Quote:
Originally Posted by phrontist
Ah, but you're missing the key idea here! You don't NEED to download the code! You just need to find a point in the code at which you can overflow a buffer, which would allow you to dump arbitrary machine code onto the stack. That's the idea anyway.
Plus, not all computers require you to press the prgm button. If you can find out why, you can overcome that.
#7  06-04-2004, 17:06
Bongle (Registered User; FRC #2702 REBotics; Mentor; Waterloo; joined Feb 2004)
Re: Malicious RC Code?

Quote:
Originally Posted by dez250
The FRC is designed to only download code via the prog port, though I bet there could be some way a program could be written to be able to download via radio link. Now the biggest issue is the manual control of a download. Prior to any code being able to be downloaded or stored into the memory, you must first manually press the program button; this activates the firmware for a download. So I do not know if it is possible to force a download via the radio link with people not knowing...
There was about a 50/50 split between times we had to press the program button and times when we didn't. Sometimes we'd just fire up the robot and IFI_LOADER and the program would go, and sometimes we'd have to hit the program button first. I think the bigger problem is that the RC has its radio channel set in hardware with the little switches, so you wouldn't be able to communicate with any other RCs.
#8  06-04-2004, 17:08
phrontist (Proto-Engineer; AKA Bjorn Westergard; FRC #1418 Vae Victus; College Student; Falls Church, VA; joined Feb 2004)
Re: Malicious RC Code?

Quote:
Originally Posted by Bongle
There was about a 50/50 split between times we had to press the program button and times when we didn't. Sometimes we'd just fire up the robot and IFI_LOADER and the program would go, and sometimes we'd have to hit the program button first. I think the bigger problem is that the RC has its radio channel set in hardware with the little switches, so you wouldn't be able to communicate with any other RCs.
Is that REALLY set in hardware? I was under the impression that it was under code control, and that the code simply set it according to those DIP switches. That would be really easy to abuse.
#9  06-04-2004, 17:09
Ryan M. (Programming User; FRC #1317 Digital Fusion; Programmer; Ohio; joined Jan 2004)
Re: Malicious RC Code?

Quote:
Originally Posted by Bongle
There was about a 50/50 split between times we had to press the program button and times when we didn't. Sometimes we'd just fire up the robot and IFI_LOADER and the program would go, and sometimes we'd have to hit the program button first. I think the bigger problem is that the RC has its radio channel set in hardware with the little switches, so you wouldn't be able to communicate with any other RCs.
But say you had a radio. You could set it to just scan all the channels that the radios could possibly be on. It isn't that many!
#10  06-04-2004, 17:12
phrontist (Proto-Engineer; AKA Bjorn Westergard; FRC #1418 Vae Victus; College Student; Falls Church, VA; joined Feb 2004)
Re: Malicious RC Code?

Quote:
Originally Posted by Texan
But say you had a radio. You could set it to just scan all the channels that the radios could possibly be on. It isn't that many!
Yeah, the possibility of being able to screw up the RCs via radio seems good, but it's really not THAT horrible. What would be far more interesting would be if it actually spread from controller to controller.
#11  06-04-2004, 17:16
phrontist (Proto-Engineer; AKA Bjorn Westergard; FRC #1418 Vae Victus; College Student; Falls Church, VA; joined Feb 2004)
Re: Malicious RC Code?

Quote:
Originally Posted by Innovation First
The new 2004 FRC Robot Controller (RC) takes the collected data from both the 2004 Operator Interface and the on-board sensors and then processes it using its internal microcontrollers. There are two Microchip 18F8520 PICmicro® microcontrollers inside the Robot Controller. The first is the Master processor, which handles radio communications, generates most of the PWM output signals, and oversees the general operations of the Robot Controller. The second microcontroller is the User processor, and is programmable by the user. The user's program takes the input data, determines what to do with the outputs to make the robot behave as desired, and sets the PWM and Relay outputs to the appropriate states.
It really comes down to the "Master Processor." Is that programmable? More importantly, is the code that drives it available?
#12  06-04-2004, 17:17
Venkatesh (Registered User; FRC #0030; USA; joined Jan 2003)
Re: Malicious RC Code?

Hello,

To actually program the robot controller is a slightly complicated task. The processors are PICs and don't lend themselves to easy programming. I would love to dissect one of these controllers to see how the programming circuit is wired.

This idea, to try and overrun a buffer in the RC to execute code, not a bad idea. It is a greater possibility. However think about the sequence for data from the radio. The PIC reads the output from the radio (very small packets) and splits it into even smaller packets. Fitting malicious code in tiny packets will be very difficult, at least.

I don't remember if the PIC is a Harvard or von Neumann (sp?) system. However if it cannot execute stuff from the data parts of the processor, overflows will be very hard indeed.

Good luck with your experimenting.

However, I will stay away from you at competition... =)

btw, the master processor is not normally programmable. And its code is not readily available. I have asked IFI before, and they have refused, citing the possibility of ignoring competition commands.
__________________
-- vs, me@acm.jhu.edu
Mentor, Team 1719, 2007
Team 30, 2002-2005
#13  06-04-2004, 17:27
phrontist (Proto-Engineer; AKA Bjorn Westergard; FRC #1418 Vae Victus; College Student; Falls Church, VA; joined Feb 2004)
Re: Malicious RC Code?

Quote:
Originally Posted by Venkatesh
btw, the master processor is not normally programmable. And its code is not readily available. I have asked IFI before, and they have refused, citing the possibility of ignoring competition commands.
I figured they wouldn't give that up, and that's probably a good thing. The question remains, however, whether the "proprietary radio system" could be reverse engineered. I'm (fairly) certain it's impossible to get the actual code from the microcontroller.
#14  06-04-2004, 18:20
Astronouth7303 (AKA Jamie Bliss; FRC #4967 That ONE Team; Mentor; Grand Rapids, MI; joined Jan 2004)
Re: Malicious RC Code?

Quote:
Originally Posted by dez250
The FRC is designed to only download code via the prog port, though I bet there could be some way a program could be written to be able to download via radio link. Now the biggest issue is the manual control of a download. Prior to any code being able to be downloaded or stored into the memory, you must first manually press the program button; this activates the firmware for a download. So I do not know if it is possible to force a download via the radio link with people not knowing...
That's only on some systems. In my case, if it doesn't work the first time it's having a bad day: try again. If it still doesn't work, check cables.
#15  06-04-2004, 18:41
Astronouth7303 (AKA Jamie Bliss; FRC #4967 That ONE Team; Mentor; Grand Rapids, MI; joined Jan 2004)
Re: Malicious RC Code?

Quote:
Originally Posted by Bongle
I think the bigger problem is that the RC has its radio channel set in hardware with the little switches, so you wouldn't be able to communicate with any other RCs.
That's on the OI. The Controller scans radio channels until it finds one with its Team number (which is set when you tether it). After that, it stays on that channel.
Quote:
Originally Posted by phrontist
It really comes down to the "Master Processor." Is that programmable? More importantly, is the code that drives it available?
It's as programmable as the user proc., but its code is on non-volatile RAM (Flash, EEPROM, etc.). The code that runs it is the firmware update. So if you can decompile it, find a loophole, and exploit it, you'll be able to make the first FIRST virus!
Quote:
Originally Posted by phrontist
I figured they wouldn't give that up, and thats probably a good thing. The question remains however, whether the "proprietary radio system," could be reverse engineered.
Yes. It's RS-422. You make a spy cable similar to the one found on BeyondLogic.org.
Quote:
Originally Posted by phrontist
I'm (fairly) certain it's impossible to get the actual code from the microcontroller.
From not For. Decompile the firmware and the libs.
Quote:
Originally Posted by Venkatesh
I don't remember if the PIC is a Harvard or von Neumann (sp?) system. However if it cannot execute stuff from the data parts of the processor, overflows will be very hard indeed.
Remember, the controllers themselves are from Microchip, not IFI. They are probably more forthcoming on info than IFI is.

Of course, the packets are continuous, so it delimits them. This nature makes it very difficult to create a buffer overflow.

And above all, if they catch you, you didn't hear it from me.
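The framing point made in posts #12 and #15 (radio data arrives as a continuous delimited stream that the master processor splits into small packets, so an overflow would need a receiver that copies without checking length) as an added example that is not code from this thread or from IFI: a byte-at-a-time framer for a delimiter-based stream that bounds every write. The start/end byte values and the 16-byte maximum payload are assumptions for illustration, not the real RC protocol; the receiver drops any frame longer than its buffer instead of overrunning it.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Assumed frame format for illustration only (not IFI's real protocol):
 * a start byte, up to MAX_PAYLOAD payload bytes, then an end byte.
 * Payload bytes are assumed never to equal either delimiter value. */
#define FRAME_START 0xFF
#define FRAME_END   0xFE
#define MAX_PAYLOAD 16

typedef struct {
    uint8_t buf[MAX_PAYLOAD]; /* fixed-size receive buffer, as on a small PIC */
    size_t  len;              /* payload bytes stored so far */
    int     in_frame;         /* 1 while between a start and an end byte */
    size_t  dropped;          /* frames abandoned for exceeding MAX_PAYLOAD */
} framer_t;

void framer_init(framer_t *f) { memset(f, 0, sizeof *f); }

/* Feed one byte from the continuous stream. Returns 1 when a complete frame is
 * ready in f->buf (length f->len), 0 otherwise. The length check is the point:
 * a byte that would land past the end of buf is never written; the frame is
 * dropped and the framer resynchronises on the next start byte. */
int framer_push(framer_t *f, uint8_t b) {
    if (b == FRAME_START) {          /* a start byte always resynchronises */
        f->len = 0;
        f->in_frame = 1;
        return 0;
    }
    if (!f->in_frame) return 0;      /* noise between frames is ignored */
    if (b == FRAME_END) {
        f->in_frame = 0;
        return 1;
    }
    if (f->len >= MAX_PAYLOAD) {     /* bound reached: drop, do not overrun */
        f->in_frame = 0;
        f->dropped++;
        return 0;
    }
    f->buf[f->len++] = b;
    return 0;
}

/* Run a whole stream through the framer; returns the number of complete frames. */
size_t framer_run(framer_t *f, const uint8_t *stream, size_t n) {
    size_t frames = 0;
    for (size_t i = 0; i < n; i++)
        if (framer_push(f, stream[i])) frames++;
    return frames;
}

/* Constructed sample stream: a 3-byte frame, a 20-byte frame that exceeds
 * MAX_PAYLOAD, then a 1-byte frame. */
static const uint8_t SAMPLE[] = {
    FRAME_START, 1, 2, 3, FRAME_END,
    FRAME_START, 'A','A','A','A','A','A','A','A','A','A',
                 'A','A','A','A','A','A','A','A','A','A', FRAME_END,
    FRAME_START, 9, FRAME_END
};

size_t demo_complete_frames(void) {  /* expected: 2 (the over-long one is dropped) */
    framer_t f; framer_init(&f);
    return framer_run(&f, SAMPLE, sizeof SAMPLE);
}

size_t demo_dropped_frames(void) {   /* expected: 1 */
    framer_t f; framer_init(&f);
    framer_run(&f, SAMPLE, sizeof SAMPLE);
    return f.dropped;
}
```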