Call a Bike – Hack a Bike

 

Have a look inside the Call a Bike system. This Hack a Bike article is an interesting look into how the system was hacked.

"The whole board is dowsed in black silicone which had to be scraped off before we could continue exploring. Apart from the matchbox-sized logic board which incorporates an Atmel AT90S8535 (8-bit RISC Processor, 4×8 IO-Pins, 8KB flash, 512 bytes EEPROM and 512 bytes RAM), a few red, green and IR LEDs and an IR-receiver, the box also contains a few electrical components (motor, switches and a beeper). There is also a slope sensor, but it is never addressed in the code. With this simple setup, it became clear that the bike couldn’t possibly contain a device to track or locate us. We made a few pictures of it all, but then the hardware went into a corner for about two months before we managed to boot the bike. It took us a while to notice that the system had to be initialized by an IR-signal after booting. This discovery was more or less coincidence.

To transform a CallABike into a HackABike, we had to unscrew six screws on the inside of the box containing the display and plug the STK500 into the ISP-connector of the logic board. After that we started a script to read out the flash and the EEPROM area. The EEPROM is then again flashed with a reset counter and the code including our backdoor. To ensure that nobody could discover our tampering by reading out the firmware again, we set the lockbit. It took a practised hacker about 12 minutes to turn two CallABikes into two HackABikes at the same time. We flashed nearly 10% of the 1700 bikes which are distributed in the city of Berlin."

16 Comments


  1. Is this legal? Should hacked gadgets really be promoting this?


  2. This may be legal. Hacked gadgets really *should* be promoting this!


  3. Yes, this would surely be considered illegal, however the reverse engineering is the main reason this article is here.


  4. So, you’ve got a non-profit service that is losing money trying to provide a useful public service and you’re screwing with them. I think that makes you an ass.


  5. Those bikes need to be rented for 6 eurocents/min. They are not free and I suspect the “Die Bahn” does NOT lose money by providing this service…


  6. You “suspect” they don’t lose money?! Are you absolutely sure? 6 eurocents/min is awful cheap compared to the cost of going a few blocks by taxi cab or even a bus.

    “Currently the call a bike service is not financially self sustaining. However, it is not the goal of DB to make a profit of the service. It is rather aimed at a break-even and at the attraction of rail customers that use the call a bike service in a trip chain.”

    Maybe we don’t see a lot of other financially risky public services like this because we live in a world where too many people are real good at self-justifying their reasons for pissing on them.


  7. I don’t need this kind of information. Hacked Gadgets promoting this is wrong, you should pull this article. There are enough good and honest projects that you don’t need the taint of this on you.


  8. I was enjoying this article and the idea of looking into the inner workings of this hardware right up until the last sentence where the hackers mention that they flashed 10% of the bikes in the city. Hacking this stuff to satisfy curiosity and perhaps even to gain a little edge in your own home town is one thing. Damaging private property so that any old asshat can use it is another thing. I agree with the above posts. HackedGadgets should pull this article.


  9. I second the general sentiment. This should be taken off, or at least, harshly condemned by Alan.


  10. First of all the whole article is about 5 years old and in between the firmware should be updated, if the Rental company isn’t so stupid and did not read the hack. I know that this hack was in everyone’s mouth at this time.
    And what I’ve to say about those people who don’t like these postings here at Alan’s page:
    close your eyes, go to the cellar and cry as loud as you can or do anything. If Alan decides to take up the documents he can do it. I don’t see any reason not to do so, first of all here in Germany the CCC is more than a “bad Hacker”



  11. Hi lixy,

    Of course I don’t condone any type of hacking that will hurt a company’s profitability, however many of the readers here develop equipment such as this and this article may solidify the requirements for robust security in all types of devices.

    If the developers of the CVS devices had read more of these types of articles their camera equipment may have been less hacker friendly.
    http://www.maushammer.com/systems/cvscamcorder/


  12. It is pretty apparent that most of the people complaining about this post didn’t read the full article… vis-a-vis Alan’s response, which I agree with, a quote from the last paragraph of the full article:

    “Finally, we have to admit that the technical design of the Call A Bike is very good. . . . The only thing that was missed was to set the lockbits that prevent the firmware from being read. Our attack is probably worth the purchase price of a few dozen of these CallABikes, seeing the time and manpower that went into accomplishing it.”

    If you’re viewing them as only thieves and free-loaders, you’re entirely missing the point.

    Regardless, these types of systems are being rolled out in a lot of places, and anyone who is working on designing or updating any such systems has just received, nearly free of charge, thousands and thousands of dollars worth of security consultation. System security design is an iterative process, always has been, always will be.


  13. You guys don’t get it. It’s not about theft of service. It’s about being able to grab a bike and flee when the bombs start dropping. 😉


  14. #14: But think to pedal a little faster if it is an A-Bomb behind you

