This is more simple than that. They’re sending a malicious payload to the target numbers which causes the pager to heat up the battery and explode. Nothing manufacturing related.
I would love to see a detailed technical explanation for how this would be possible.
I design battery-powered electronics for a living and I can’t think of any design that would let a battery explode with the violence these did, let alone on command. Unless it were deliberate.
Best I can get is figuring out a way to reuse some pins on the uc to isolate two or three caps to use as voltage pumps and then dump the whole thing at once into the battery.
I somehow suspect Electroboom is going to get a lot of new viewers in the next few days
Reading a bit more into it, seems all of them were Motorola Apollo Gold pagers (I stand corrected), so they had to have exploited the li-on charging pins to either create a loop causing thermal runaway, or spam different voltage discharging signals via their payload. Regardless, it’s a truly impressive exploit.
The newer gapollo ALA25v6 by Apollo is in Farsi and I am having trouble translating from pdf, but I found an older one for the ala25v4 in English here:
Here’s your detailed tech possible explanation with citations:
Pagers known used in the attack were Apollo Gold AP-700, AP-900 and AP-924, which all use the same ALA25 programmable logic chip.
If you google the Gold Apollo AL-A25 Programming Manual and look for battery gauge inputs, you can see it is possible to program the voltage ranges.
By setting the battery gauge level-high to an invalid selection that is also greater than the low level it creates a bridge between the anode and cathode, resulting in thermal runaway which will in fact cause the battery to overload and explode due to the increased temperatures.
We’ve done this using similar batteries on battery backed write cache controllers sitting in a nema-3 enclosure just to see what the tolerances are.
Being in IT and having worked on asics, breadboard design, lsf, dgx and others for a storage chip design company, it’s not exactly rocket science to overload a small battery so much it heats up above 140’'F/60’C that it combusts.
This is more simple than that. They’re sending a malicious payload to the target numbers which causes the pager to heat up the battery and explode. Nothing manufacturing related.
I would love to see a detailed technical explanation for how this would be possible.
I design battery-powered electronics for a living and I can’t think of any design that would let a battery explode with the violence these did, let alone on command. Unless it were deliberate.
Best I can get is figuring out a way to reuse some pins on the uc to isolate two or three caps to use as voltage pumps and then dump the whole thing at once into the battery.
I somehow suspect Electroboom is going to get a lot of new viewers in the next few days
Reading a bit more into it, seems all of them were
MotorolaApollo Gold pagers (I stand corrected), so they had to have exploited the li-on charging pins to either create a loop causing thermal runaway, or spam different voltage discharging signals via their payload. Regardless, it’s a truly impressive exploit.You must have read that wrong - this was clearly committed by Israeli super spy Moty Rola.
Seriously though - they were all from a single Iranian supplier, not Motorola (at least according to every source I can find)
Yeah, news still coming in, hard to make sense of it all. I am now seeing models in the attack as being: Apollo Gold AP-700, AP-900 and AR-924.
Ap-900 Battery electrical specs: 10-30VDC or 8-18VAC Input 3-40VDC/25VAC Standby <10mA Active <100mA Tolerance -10’C ~ +50’C
Ah. So the G_Apollo AL-A25 logic chip used in these models is programmable and unlocked by default lol.
Programmable chip responsible:
GAPOLLO AL-A25_6 RA5794.1 chip = AP-900 and AR-924 models
Do you have a datasheet link for that chip? I get results for a different pager module when I include “AL-A25_6” and zero results with only “RA5794.1”
The original is down now or being flooded:
https://www.apollopagers.com/support/al-a25-gold-pc-programming-manual/
The newer gapollo ALA25v6 by Apollo is in Farsi and I am having trouble translating from pdf, but I found an older one for the ala25v4 in English here:
https://www.manualslib.com/manual/1198103/Gold-Apollo-Al-A25.html?page=23&term=voltage&selected=1#manual
Here’s your detailed tech possible explanation with citations:
Pagers known used in the attack were Apollo Gold AP-700, AP-900 and AP-924, which all use the same ALA25 programmable logic chip.
If you google the Gold Apollo AL-A25 Programming Manual and look for battery gauge inputs, you can see it is possible to program the voltage ranges.
By setting the battery gauge level-high to an invalid selection that is also greater than the low level it creates a bridge between the anode and cathode, resulting in thermal runaway which will in fact cause the battery to overload and explode due to the increased temperatures.
We’ve done this using similar batteries on battery backed write cache controllers sitting in a nema-3 enclosure just to see what the tolerances are.
Edit Citations:
https://www.mitsubishicritical.com/resources/blog/thermal-runaway/
https://www.apollopagers.com/support/al-a25-gold-pc-programming-manual/
https://www.manualslib.com/manual/1198103/Gold-Apollo-Al-A25.html?page=23&term=voltage&selected=1#manual
Programmable chip responsible:
GAPOLLO AL-A25_6 RA5794.1 chip = AP-900 and AR-924 models
Being in IT and having worked on asics, breadboard design, lsf, dgx and others for a storage chip design company, it’s not exactly rocket science to overload a small battery so much it heats up above 140’'F/60’C that it combusts.
Here’s the initial report:
https://www.lbcgroup.tv/news/lebanon-news/796406/understanding-the-pager-and-how-it-can-explode/en