Security Affairs
Pegasus Used Against MEP Investigating Pegasus, Citizen Lab Finds|JADEPUFFER: First End-to-End AI-Driven Ransomware Operation|The Anatomy of a Shadow AI Supply-Chain Breach: Lessons from the 2026 Vercel Incident|Law enforcememt operation disrupted Malicious Residential Proxy Networks NetNut|Government and Healthcare Are the Weakest Links in Global Email Security|Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|Pegasus Used Against MEP Investigating Pegasus, Citizen Lab Finds|JADEPUFFER: First End-to-End AI-Driven Ransomware Operation|The Anatomy of a Shadow AI Supply-Chain Breach: Lessons from the 2026 Vercel Incident|Law enforcememt operation disrupted Malicious Residential Proxy Networks NetNut|Government and Healthcare Are the Weakest Links in Global Email Security|Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|
Advertisement

Ad Placeholder

Full Width × 90

Breaking News

How to Reverse Engineer, Sniff & Bruteforce Vulnerable RF Adult Toys with WHID Elite

Expert Luca Bongiorni was looking for new targets to test WHID Elite’s Radio Hacking capabilities and found an interesting one: Electrocuting Cock Ring Last week I was looking for new targets to test WHID Elite’s Radio Hacking capabilities and suddenly I found an interesting one: an Electrocuting Cock Ring. Yes, you read it correctly (What you cannot find […]

Adult Toys WHID Elite

Expert Luca Bongiorni was looking for new targets to test WHID Elite’s Radio Hacking capabilities and found an interesting one: Electrocuting Cock Ring

Last week I was looking for new targets to test WHID Elite’s Radio Hacking capabilities and suddenly I found an interesting one: an Electrocuting Cock Ring. Yes, you read it correctly (What you cannot find on Amazon…).

Adult Toys WHID Elite

Long-story short… Yesterday arrived home the new toy and guess what? No Rolling-Code, No MSK/FSK/GMSK or other strange modulations… Just a classic 433MHZ Amplitude Shifting Key modulation with On-Off Key. Which translated for the non-RF folks… easy to:

  • Sniff
  • Replay
  • And of course… Fuzz.

First of all, I have followed the usual Reverse Engineering approach I use for investigating new RF devices and turned on the winning combination LimeSDR/RTL-SDR + URH. (Disclaimer: since I was focusing on the RF side, I started with the RF analysis. If it wouldn’t have lead to any low-hanging fruit result, I would have started the HW Reverse Engineering approach: tear-down, BoM enumeration and fingerprinting, FCC ID hunting, etc. Luckily for my scarce spare time, I didn’t need it.)

As you can see the center Frequency is around 433MHz, which is a standard frequency for commercial consumer-grade RF devices.

From the Spectrogram we can clearly see that the modulation is ASK, despite some harmonics on the side (caused by the low-cost transmitter used by the manufacturer most-likely).

Now we need to decode the packets and see if we are really dealing with ASK and eventually confirm the sub-modulation type (i.e. OOK, in my assumption).

Adult Toys WHID Elite

As you can see, URH successfully managed to decode the packets (with minor tweaking of the Error Tolerance and Bit Length parameters).

Now that we have the binary sequence, we clearly see the duty-cycle of this RF device, where a:

  • 1 is encoded as 1110
  • 0 is encoded as 1000

No preambles. No ACK packet from the receiving unit. Just a simple broadcast packet. Always repeating itself. Which allows us to eliminate the Rolling-Code assumption.

With all these data we can finally compose the packet that is transmitted to trigger the Vibration mode:

Adult Toys WHID Elite

Now we are ready to give it a try with the Standalone Firmware of WHID Elite and see if it is able to decode them too.

As assumed, WHID Elite can perfectly sniff and decode the packets. In the image above you can see the two types of packets:

  • 14656516 Vibration Mode
  • 14656520 Electroshock Mode

As you can easily spot the decimal distance between the two types of packets is just matter of few integers. Which means, we can easily fuzz and thus exhaust the space between them with the main WHID Elite Firmware.

Therefore no more text to read, enjoy the audio/video 🙂

Keep an eye on my Twitter https://twitter.com/WHID_Injector soon I will make GIVEAWAY for a full set of WHID Elite!

For sake of information though, the internal TX is a SYN470R. According to its datasheetis a single chip ASK/OOK (ON-OFF Keyed) RF receiver IC. Which once again confirms the whole RF analysis.

About the author: Luca Bongiorni

Luca is working as Principal Offensive Security Engineer and in his spare time is involved in InfoSec where the main fields of research are: Radio Networks, Hardware Reverse Engineering, Hardware Hacking, Internet of Things and Physical Security. He also loves to share his knowledge and present some cool projects at security conferences around the globe. At the moment is focusing his researches on bypassing biometric access control systems, ICS Security and Air-Gapped Environments.

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – Adult Toys, WHID Elite)

[adrotate banner=”5″]

[adrotate banner=”13″]