Reverse Engineering a Missile Launcher Toy's Interface

nitro writes "A fairly in-depth technical report by the security researchers at TippingPoint was released on how to reverse engineer the proprietary protocol for controlling a USB missile-launching toy system. They develop an iPhone application to control the device. 'The hardware is coupled with a simple GUI controller written in Delphi (MissileLauncher.exe) and a USB Human Interface Device (HID) interface written in C++ (USBHID.dll). The toys lost their allure within minutes of harassing my team with a barrage of soft missile shots. That same night I thought I would be able to extend the fun factor by coding up a programmatic interface to the launchers in Python. ... One interesting thing is that we have a lot more granular control of the turret movement now than we did with the original GUI. I wrote two simple loops to count the number of possible horizontal and vertical ticks and the results were 947 horizontal and 91 vertical versus 54 and 10 from the original GUI respectively. Granular control allows you to slowly and quietly reposition the turret for stealthy attacks.'"

Comment removed

[account_deleted]

Comment removed based on user account deletion

Re:

[Chih]

Iran already has styro nukes. We can't let this tech get into the hands of the terrorists. We'll have to confiscate all models under the guise of national security. Now all you guys have to do is slashdot the site.

Re:

[skiphoppotamus]

isn't iran's new satellite called Nerf I?

Re:

[mc1138]

If only when we had gone into Iraq we thought to raid the coffee counters for any Weapons of Mass Flotation.

Re:

[John Hasler]

The US munitions regulations that Zimmermann was arguing with were repealed many years ago.

Re:DIADS

[Tiger4]

Not such a joke. Look up DIADS, Digital integrated Air Defense (amazingly, not in Wikipedia!). This guy has just hacked the rudiments of Fire Control system. Which is approximately half of a DIADS. The other half being the radar and sensor integration. Which is handled by the many Open projects on sonar and video camera applications. Put them all together, and Our Sandbox Conquering Overlords will have all the tools they need to take them to Playground Domination.

Re:

[GaryOlson]

You are just an alarmist. Counting ticks on microcontrollers is a basic part of any modern CNC(computer numerical control) manufacturing system. Are you saying this software [linuxcnc.org] is a modified air defense software platform?

Re:

[amori]

Wonder if our missile defense system can handle this ?

Comment removed

[account_deleted]

Comment removed based on user account deletion

Good work.

[curtinparloe]

Now you need to incorporate webcam target recognition and create an automated firing application.

You could call it "Skynet".

Re:Good work.

[drinkypoo]

Actually, this seems like an almost ideal platform for sentry gun research. It's small, cheap, relatively harmless, can be operated in an office environment, and is probably wildly inaccurate which means that if you can make this work, actually shooting targets with some kind of accurate weapon will be trivial. I'd very much like a sentry gun that would squirt the @#$%@#@ deer with water (at least) when they come to eat the plants on the front porch.

Re:Good work.

[diskis]

Why go for the complex solution?
A motion sensor connected to a air horn should do the trick.

Re:Good work.

[drinkypoo]

That sounds fantastic. I'd love to jump out of bed at 3 am wondering where the iceberg is. And I won't need to squirt the deer with water, either; I just sleep on the porch, and when I fucking piss myself I can hose them down, too.

Re:

[Dunbal]

I'd love to jump out of bed at 3 am wondering where the iceberg is.

      Thanks to global warming, there are no icebergs anymore. Oh, wait-

Re:Good work.

[Anonymous Coward]

I'd love to jump out of bed at 3 am wondering where the iceberg is.

      Thanks to global warming, there are no icebergs anymore. Oh, wait-

Shit, an iceberg got him!

Re:

[im_thatoneguy]

Wouldn't an ultrasonic loud speaker be more effective and less likely to miss?

Or perhaps a pop up scarecrow.

Problem is deer are usually smart enough to figure out what is and is not dangerous. If they get squired a few times they'll just assume they're setting off your sprinkler system. And I've seen deer walk right through sprinklers without a care in the world.

Re:

[wisty]

Who says the squirt gun has to use water?

Re:

[glittalogik]

I recommend tiger urine.

Squirting deer...

[Firethorn]

It also depends on how hungry a deer is and the relative quality of the food. A stuffed deer can afford to be very, very skittish. One that hasn't eaten it's fill in a couple days/weeks is going to start taking chances - including eating the plants off your back porch, especially if they're tasty to the deer.

That's why we need hunters to actually reduce the deer population. If all everybody does is scare them off, eventually there will be so many deer that the non-scary food sources are exhausted and the

Re:Squirting deer...

[Sir_Lewk]

Personally, I don't see why we need any more justification for shooting deer than how damn good they taste. :)

Re:

[BoothbyTCD]

What we need is wolves. Unfortunately we can't have those though.

Re:

[Tycho]

Perhaps pepper spray sprayed a wide arc would work. Or maybe one could lob miniature tear gas canisters at the deer. Or just use VX nerve gas on them, those deer really do deserve it. If disposing of deer carcasses in order to avoid uncomfortable questions from game wardens, or even disposing of dead wardens is an issue, gas the deer with either Chlorine Trifluoride or Hydrogen Fluoride from lawn sprinklers. The deer will wander off, but will die in a couple of hours. Seal your house well and spraypain

Re:

[Anonymous Coward]

Those are already commercially available. Search for motion-activated sprinkler.

Re:Good work.

[Ihmhi]

Aren't there more than a few "Paintball turrets" floating around on the 'net that basically do this already? I recall seeing one that was already for sale as a package.

I'd love to have one of these to get rid of the animals that poop in my backyard. Better biodegradable paint than cat shit.

And with a little hacking into an alarm system and replacing paintballs with ball bearings...

"Get the HELL out of my house! You have FIVE seconds to comply. FIVE. FOUR. ONE." *bam* *bam* *bam*

Re:

[Cowmonaut]

Wasn't that in a movie with a robot?

Re:

[Jerry Smith]

Wasn't that in a movie with a robot?

sigh Robocop.
Motiondetection, bionic arms, waving aluminium foil: wouldn't that scare the animals away?

Re:

[Ihmhi]

Yes, but it'd be boring when I put the video up on YouTube.

And as for a counter to home invasion, what do you expect me to do? Hook up a bunch of cardboard cutouts to a model train set?

Re:

[attackc0de]

Increase your venison consumption. Studies show that increased hunting decreases deer trying to each your porch plants. Some good recipes to get you started: http://allrecipes.com/Recipes/Meat-and-Poultry/Game-Meats/Venison/Main.aspx [allrecipes.com] :P

Re:

[drinkypoo]

Do you have any idea what it costs to get hunting licenses in California? It's cheaper to buy meat.

Re:

[Hanyin]

What kind of geek are you? Just make a project [xkcd.com] out of it ;-)

Re:

[DerekLyons]

http://www.aimergard.com/Products.aspx [aimergard.com]

Re:

[mmontour]

I'd very much like a sentry gun that would squirt the @#$%@#@ deer with water (at least) when they come to eat the plants on the front porch.

You can get something like that here [contech-inc.com], although it's just a simple motion sensor rather than an active tracking platform.

Re:

[mweather]

I'd very much like a sentry gun that would squirt the @#$%@#@ deer with water (at least) when they come to eat the plants on the front porch.

Like this? [contech-inc.com]

Re:

[Tubal-Cain]

Surely your laser isn't so busy keeping squirrels off the bird feeder that it doesn't have time to shoot the occasional deer near the porch.

Re:

[Kozz]

Go buy yourself a cheap, bulk container of cayenne pepper. Sprinkle liberally on plants. That may deter the deer as well as rabbits, etc).

Re:Good work.

[Cyberax]

I recommend landmines. Just don't forget where you put them :)

Re:

[swb]

Your solution is called a compound bow.

Totally silent and you will solve the problem.

Re:

[mk_is_here]

And knocking it down the speaker attached from it should say "I don't hate you".

Re:

[enFi]

You mean the automatic pellet turret [slashdot.org]?

Done that

[Space cowboy]

Get a 'Striker' laser-target-enabled missile launcher ($40, I think). Then get a webcam or IP-enabled camera (I got one of these from Ebay for ~$70).

Use the camera to detect motion and generate a centroid of motion; use the (high-intensity of red) laser-spot to detect where the missile is pointed (again from the camera image), and move the missile to make the centroid and laser-spot coincident.

It's actually pretty trivial, but it looks pretty cool to have people walk into the office and have two missile-launchers automatically track them.

I also have the think-geek big-red-button [thinkgeek.com] box, which I modified to allow the button to control a USB port. Now I can fire the (auto-targetting :) missiles by hitting the big-red-button :)

It's actually only slightly harder to get the system to track two independent targets... The next step is to build in target-recognition by accessing the company's person-directory (we all have pictures)... Don't shoot the VP. Only directors and below are valid targets :)

Simon

Re:

[Space cowboy]

I've lost count of the number of times I've been asked that.... Hmmm....

For the record: not related to Simon T. Perhaps there's something in the name-thing though [grin] ...

Simon.

Cops and Robbers or Global Armageddon ?

[mc1138]

Seriously, what kid wants to play a cop when they can play Leader of a Rouge nation bent on sending missiles against their uh, playmates? Attach a diaper to it and you have a playful way to play "Biological Warfare"

Re:

[paulmac84]

Leader of a Rouge nation

Our kids want to play at being Communists? Or worse Canadians?

Mein Gott, who will think of the children?

Re:Cops and Robbers or Global Armageddon ?

[drinkypoo]

I was thinking of some joke a little more limp-wristed, which is what I always thought when I saw some kid talking about "Rouge Squadron". They fly the pink X-Wings, right?

Re:

[mc1138]

No no, just Pink highlights...

Re:Cops and Robbers or Global Armageddon ?

[cleatsupkeep]

I was thinking of some joke a little more limp-wristed, which is what I always thought when I saw some kid talking about "Rouge Squadron". They fly the pink X-Wings, right?

Pink 5 standing by... And FABULOUS

Re:

[mc1138]

Blame Canada... Seriously though, I always mix up those two words...

Re:

[H0p313ss]

Our kids want to play at being Communists? Or worse Canadians?

Nous sommes plutot mauve que rouge voyons.

Re:

[Jarik C-Bol]

i was more concerned that they wanted to play as nations made up of makeup for the cheeks... Rouge is not Rogue. still.

What happens next....

[SGDarkKnight]

Nigan: He does fit the profile perfectly. He's intelligent, but an under-achiever; alienated from his parents; has few friends. Classic case for recruitment by the Soviets.

Arthur Cabot: Now what does this say about the state of our country, hmm? I mean have you got any insight as to why a bright boy like this would jeopardize the lives of millions.
[the General rolls his eyes]

Nigan: No sir. He says he does this sort of thing for fun.

Arthur Cabot: What!

Re:

[iluvcapra]

God damn it John I want answers and I want 'em now!

Re:Python?

[Clueless Moron]

His python code is here [tippingpoint.com]. It implements a HTTP web server (as well as a command line and direct socket server mode) that directly invokes a DLL to control the unit. And so in the video he can control the thing using the web browser in his cellphone.

All the code is only 283 lines and easy to understand. I don't see anything awkward about it.

In what way exactly would Lua be better at doing that?

Re:

[wisty]

283 lines for a web-based missile control system? I wonder how that compares to the average defense project.

Re:

[mobby_6kl]

Yeah, but this is Python. I'm sure they could cut at least 280 lines if they only used perl. As for the defense projects, I'm convinced they're all just a bunch of shell scripts.

Re:Python?

[Jurily]

Oblig. [xkcd.com]

Re:

[Anonymous Coward]

283 lines... plus the Python runtime, including modules to implement the HTTP server.

...plus the various C libraries, video drivers, operating system, etc. Wtf? The point is that 283 lines of new code makes for a web controlled nerfgun where previously there was none.

You can't neglect the overhead of the runtime when you deploy something like this.

Yes, you can.

It's running on his desktop PC, which already has python on it. Just like my PC, which also has java, perl and various other languages sitting around. As far as he's concerned, an extra 9k of python script is all it took to make his pet project happen. And if I had one of those USB nerfguns, that same extra 9

Re:

[TheRaven64]

283 lines seems a bit too much. The pymissile package, which provides a Python interface to this kind of missile launcher, was released back in 2006. Connecting this up to a web interface shouldn't be more than a dozen lines. Unless you're going to 'reverse engineer' it by using a random proprietary DLL to interface with the missile launcher instead of the well-documented USB control interface...

Re:

[TheRaven64]

Actually, in this case, it's easier in Python. Just install the pymissile package on your OS of choice (I saw the USB missile launcher was imported into OpenBSD a few releases ago, and I'm fairly sure Linux and Net/FreeBSD have similar drivers). After doing this, you have a Python interface to your USB missile launcher without having to write a single line of code.

Reverse engineering is fun and all, but I can't help think that it's a bit more of a challenge when you aren't reverse engineering something

Re:

[Lennie]

That was my thought exactly.

Pft.

[Spatial]

No wireless. Less ammunition than an AH-64. Lame.

Rememer Robot Wars?

[anorlunda]

Oh wow. I was one of the enthusiastic fans of Muse Software's Robot Wars for the Apple ][ [mobygames.com]. It sounds to me like Soulskill has invented a way to re-create Robot Wars in a more real and more fun way.

Here's a description of the original game.

Create code for a robot using the provided programing language, limited to 256 lines of code. Test your robot on the test bench by examining the code line by line and determining whether the bot performs as intended. Then put your finished robot in the arena with up to four other bots, set the number of battles, and watch them fight it out in a top-down view. Computer Gaming world had annual contests for several years in which readers could send their bots on disk to participate in the match, with results and prizes reported in the magazine.

Re:

[Anonymous Coward]

I thought I was the only one that loved this game.

Re:

[kramulous]

Me and a work mate have a battle every couple of months with Robocode [sourceforge.net]. Winner gets bragging rights.

It is as difficult or as easy as you want to make it. There are also world wide comps with 256 byte codes. Makes you also brush up on your high school trig. Awesome fun.

Re:

[Rich0]

Sounds like this game [wikipedia.org] which I loved as a kid.

It is really a timeless concept - it could probably be successful if it were launched again on a more modern platform.

Re:

[Anonymous Coward]

Looks like someone did launch it again on a more modern platform... :)

http://www.mindrover.com/ [mindrover.com]

Re:

[Rich0]

I've tried it - haven't been impressed. It is a bit limited, and I don't like the fact that it doesn't really allow for procedural programming. It is more of a stimulus-response feedback loop design.

Re:

[Thelasko]

It sounds to me like Soulskill has invented a way to re-create Robot Wars in a more real and more fun way.

I was thinking of getting two launchers and recreating Scorched Earth. [wikipedia.org] To each his own.

iPhone this. iPhone that

[Anonymous Coward]

I don't Phone anyone so I stopped reading at "iPhone"

Cheap Toys

[Anonymous Coward]

I watch Woot on pretty much a daily basis and as a result I frequently end up purchasing toys that I really don't need. Most recently I picked up this silly pair of USB Missile Launchers for just under 40$ shipped.

Presumably this is how the guy ended up with an iPhone.

Hiring?

[Anonymous Coward]

It must be fun to reverse engineer toys at a computer security company and get paid.

Hello? Hak5

[Anonymous Coward]

Hak5 [hak5.org] did this a while back. They also did a few videos about it [hak5.org]. The code [cynox.ch] has been around for a while.

You can even control it yourself from the web [hakhouse.com], if it's not Slashdotted, over at the Hak House [hakhouse.com].

*Warning!*

[Anachragnome]

timestamp:Feb. 14 2009 14:47:32
sender:DOD
return: false

THIS THREAD HAS BEEN LOCKED BY THE UNITED STATES DEPARTMENT OF DEFENSE.stop
UNITED STATES LAW DOES NOT REQUIRE DISCLOSURE FOR THIS ACTION, AS SAID DISCLOSURE MAY BE A THREAT TO NATIONAL SECURITY.stop
REFER ALL ENQUIRIES REGARDING THIS ACTION TO:stop
http://www.defenselinks.mil/faq/comment.html [defenselinks.mil] stop

end

How about:

[caincarter]

If you really wanted to be slick, you'd use the webcam to capture where the projectile landed. Then create an algorithm to adjust the targeting system based on previous attacks.

Alternatively

[phoebe]

You can just download the developers guide from the manufacturer: http://www.dreamcheeky.com/dream/forum/viewtopic.php?f=13&t=102 [dreamcheeky.com]

Re:

[TheRaven64]

The first thing a good developer does when confronted with a new problem is ask 'is there an appropriately-licensed library I can use to solve this?' The answer in this case would be 'yes, pymissile is BSD licensed'. Unfortunately, it's difficult to write an article explaining how great you are for buying some off-the-shelf hardware and used some off-the-shelf software to control it.

For continuos integration servers!

[ciryon]

I am seriously considering to hook up one of these USB Missile Launchers to our continuos integration server at work. When someone checks in code that doesn't compile or breaks tests the launcher targets the offending developer (using pre-determined login aiming mapping) and fires a couple of rounds at him. That'll certainly increase code quality!

I need help

[duckInferno]

Wouldn't it be so awesome if Iran developed an Intercontinental Ballistic Nerf Missile?

One day the US gets an ICBM alert and they're going oh shit oh shit oh shit! Then it lands on the White House lawn and smashes a garden gnome or something. And then President Amjsnfsjfmed from Iran calls up Obama and tells him to look outside onto the front lawn, giggling, so Obama looks out, sees the nerf missile, replies with "ahhhhh you little terrorists!" with a big smile and maybe pointing a finger fonz-style.

Re:Hacking somethign that did not need a hack.

[woolpert]

These have been "hacked" for years now. I had one running under linux in my cubicle 4 years ago using a webcam for auto targeting coworkers.

The code. Put up or shut up, AC.

Re:Hacking somethign that did not need a hack.

[kostmo]

It's true. http://code.google.com/p/pyrocket/wiki/RelatedWork [google.com] I hacked the thing about a year ago and started this google code project [googlecode.com]. You will be able to apt-get this package in Ubuntu Jaunty.

Re:

[james2vegas]

lots of reinventing the wheel I see. http://web.archive.org/web/20060820072349/http://scott.weston.id.au/software/pymissile-20060126/ [archive.org] http://code.google.com/p/pyrocket/ [google.com] and now this article.

Re:

[TheRaven64]

Reimplementing a BSD licensed package (pymissile) with a more restrictive license (GPLv3)? The Free Software Foundation must be so proud of you...

Re:

[kostmo]

They're complimentary packages, actually, in the hardware that they support. Besides, where does the FSF endorse BSD over GPL?

Re:

[kostmo]

Hmm.. maybe I deserve a *whoosh*

Re:

[vux984]

If we're going to argue about the meaning of the word...

When something is granular, it is made up of chunks.

When something is granular it is made of granules, or 'grains'. Typically something granular is made of numerous grains that form a larger unit.

When something is more granular, the chunks are larger, it has more of the characteristics of being grainy.

That doesn't really follow. The characteristic of being granular is that it has granules or grains. "More granular" is actually ambiguous.

It could mean:

Re:

[pz]

More granular control is ambiguous.

No, it is not. It means that the quanta of control are larger.

More granular means more grain like (not more grains), which means the grains are more evident. Because they are ... LARGER. You are making exactly the same mistake as the OP: more granular does not mean there are more grains, but it is more grain-like. For a fixed parameter range more granular means the quanta are larger, and higher resolution means they are smaller.

Granular and continuous are antonyms.

Re:

[vux984]

No, it is not. It means that the quanta of control are larger.

That's one meaning. Its not the only one.

More granular means more grain like (not more grains)

No. "granular" doesn't mean "grain like". So "more granular" doesn't mean "more 'grain like'"

Granular means "made up of grains"; so "more granular" means "more 'made up of grains'" and that's ambiguous. The more could refer to the number of grains, or it could refer to to more pronounced grains.

Same goes for "spikey". If I tell my stylist I want my hair

Re:

[Hurricane78]

Nah. Haskell for high level stuff, Python for scripting, and Assembler instead of C.

Of course, written to disk with the butterfly-effect technique.

Re:

[2.7182]

Oh yeah how do you like Haskell? I know some ML and OCaml, and I've been looking for a functional language to switch to from C/C++. I can't bring myself to switch to a programming language named after a cigarette brand. How is the Haskell support? Is there a decent compiler?