Category: Digital Signals

WaveConverter: An Open Source RF Reverse Engineering Tool

During the Schmoocon 2017 conference presenter Paul Clark introduced a new open source Linux tool called WaveConverter which he’s been working on for reverse engineering RF signals. Paul writes:

WaveConverter is a tool that helps you extract digital data from RF transmissions that have been captured via Software Defined Radio (SDR). After the user defines the modulation parameters, framing and encoding, WaveConverter will process a stored I-Q file and extract the data from any transmissions that match this definition. Using programmable timing tolerances and glitch filters, WaveConverter is able to extract data from signals that would otherwise appear corrupted.

This software will make the process of reverse engineering signals easier and more error-proof. Because WaveConverter includes the ability to store and retrieve signal protocols (modulation + encoding parameters), we have been generating a database of protocols that we can quickly use to iteratively attack unknown signals.

This tool should be very useful for reverse engineering digital signals, such as those found in keyfobs, wireless doorbells, wireless temperature sensors and any other simple RF device. Simply use an SDR device like an RTL-SDR to capture a sample of the signal of interest, then open it up in WaveConverter to first analyze the signal and determine its properties, and then to automatically demodulate any subsequent signal into a binary string. For more information the documentation can be found here (pdf).

WaveConverter seems to be quite similar in purpose to Inspectrum and DSpectrum which are two Linux tools that are also designed for reverse engineering digital signals.

WaveConverter Screenshot
[First seen on Hackaday]


The PandwaRF RF Analysis Tool

Recently we heard about the PandwaRF Portable Analyzer (previously known as the GollumRF). This is not an SDR, but can probably be described as a programmable and computer controlled radio. It appears to be based on the Yardstick One design by Michael Ossmann, the creator of the HackRF. Both the Yardstick One and PandwaRF are based on the CC1111 sub-1 GHz RF transceiver chip. These types of pseudo-SDRs can be very useful for reverse engineering, analyzing and experimenting with simple digital signals.

For example it could be used to capture data from any ASK/OOK/MSK/2-FSK/GFSK modulated signal in the 300 – 928 MHz band. You can then easily analyze the data, and then retransmit the same or a modified signal. The same could be done with a TX capable SDR like the HackRF, but doing so tends to require a lot more work.

The difference between the Yardstick One and PandwaRF appears to be mainly in the connection interface. The PandwaRF is essentially the Yardstick One with Bluetooth LE connectivity and an Android/iOS smartphone app. USB connectivity for Linux still exists. It also has an internal battery, whereas the Yardstick One does not. They wrote a post comparing the RTL-SDR, Yardstick One and PandwaRF here.

The device seems to be new, as it just started shipping in November and the first batch is still being sold. It costs 145 euros and appears to originate from the EU. There is also a ‘mini’ version on pre-order which also costs 145 euros. In comparison the Yardstick One costs about $99 – $145 USD depending on the shop you choose.

The PandwaRF
PandwaRF Android App

Receiving the Recently Launched BY70-1 Satellite

BY70-1 is a Chinese amateur CubeSat which was launched on December 29, 2016. It is expected to stay in orbit for only 1 – 2 months due to a partial launch failure that released the satellite into an incorrect orbit. The purpose of the satellite is education in schools and amateur radio use. The receivable signals include an FM repeater and a BPSK telemetry beacon, both of which can be received at 436.2 MHz. The telemetry beacon is interesting because it also transmits images from an on-board visible light camera. These signals can easily be received with an RTL-SDR or other SDR with an appropriate antenna.

Over on his blog Daniel Estévez has been posting about decoding these telemetry images. He’s been using telemetry data collected by other listeners, and the gr-satellites GNU Radio decoder, which is capable of decoding the telemetry beacons of many amateur radio satellites. So far the decoded images haven’t been great: they’re mostly black with nothing really discernible. Hopefully future decodes will show better images.

If you want to track the satellite and attempt a decode, the Satellite AR Android app has the satellite in its database.

Not many people seem to have gotten telemetry decodes or images yet, but below we show an image decoded by @bg2bhc on Twitter.

BY70-1 Image Decoded by @bg2bhc

Wireless Analysis of 868 MHz Traffic with an RTL-SDR and the Traffic Detective Software

The Fraunhofer Institute for Integrated Circuits IIS has developed an Android app that allows you to analyze wireless traffic at 868 MHz using an RTL-SDR dongle. In Europe, many wireless IoT, metering and home automation radio standards operate in the 868 MHz band, including ZigBee, M-Bus, KNX RF, EnOcean Radio Protocol and s-net.

The software can automatically detect and recognize the wireless protocol being received. It can then be used to catalog what protocols are operating in a network, what frequency they are on and how active they are. That information can then be used for frequency and spectrum planning for new network setups. It can also be used for error diagnosis, intrusion detection and detection of interference.

The Traffic Detective Tool

The promotional pamphlet (pdf) reads:

Numerous applications like smart metering, home automation, building automation, demand side management, ambient assisted living and industrial automation require reliable and cost effective technologies for wireless data transmission. For this purpose the license-free European 868 MHz Short Range Device (SRD) frequency band is prevalently used. Many different and incompatible communication standards and RF-protocols simultaneously occupy this part of the frequency spectrum. Possible negative effects could be interferences, over-occupancy, data collisions and as a result data loss. Special attention must be paid whenever wireless sensor networks are planned or operated. Therefore, network specialists need powerful and flexible tools that provide insights into the wireless data traffic for network planning, operation, fault detection and error diagnosis. The Traffic Detective is such a tool which is easy to use and does not need any knowledge of the different network protocols.

The 868 MHz Traffic Detective is a software-based solution with a user-friendly graphical user interface for monitoring wireless data traffic. A cost-effective and commercially available DVBT USB stick based on a Realtek RTL2832U receiver chip can be used as an analog frontend. In addition to a PC-based implementation, the monitoring software is also available as an app for Android-based mobile devices.

The researchers behind the software have also released an academic paper describing the technology used in the system.

Unfortunately it seems that the app is not actually available for public download yet as we could not see any download links, or find it on Google Play. If you are interested in the app your best bet may be to contact the researchers by email directly.

Reverse Engineering Traffic Lights with an RTL-SDR Part 2

Back in September 2015 we made a post about how Bastian Bloessl was able to use his RTL-SDR dongle to reverse engineer and decode the signals coming from portable wirelessly synchronized traffic lights which are commonly set up around road construction zones.

Recently Bastian noticed that a new set of wireless traffic lights had been set up at his University, so he got to work on trying to reverse engineer those. He found that these new lights use the same frequency band, but work using a different modulation and frame format scheme.

The reverse engineered wireless traffic lights.

To reverse engineer these new lights he made a recording of the signals in GQRX and then opened them up in Inspectrum, which is a very nice tool for helping to reverse engineer digital signals. Thanks to Inspectrum he was easily able to extract the preamble and decode the data in GNU Radio.

Bastian has also uploaded a video that shows him reverse engineering the binary frame format in the Vim text editor which may be useful for those wishing to understand how it’s done.

https://www.youtube.com/watch?v=pupXnI2Hf4E

Once the frame format was reverse engineered, he was able to use the program he created last year which allows him to view the status of the lights remotely in real time.

Reverse Engineering and Reading Data from a Wireless Temperature Meter: Tutorial + Code

On GitHub user spenmcgee has uploaded a write up and Python software that decodes data from a LaCrosse TX29 wireless temperature meter. Spenmcgee’s write up goes into excellent detail about how he actually wrote the program and reverse engineered the transmitter.

First he explains how he used Python to extract the data from the RTL-SDR I/Q samples. From those samples he calculates the amplitude (envelope) of the signal and plots it on a graph, which shows the digital on/off keying directly. He then decimates the signal to reduce the number of samples and works out how to detect the preamble, the data bits and the packet repetitions. Then, to decode the signal, he explains how he does clock recovery, convolution and thresholding, and also the importance and meaning of each of those steps.
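The pipeline described above (magnitude from I/Q, decimation, a short box convolution as a glitch filter, thresholding, then clock recovery from the preamble edges) in stand-alone Python. This is an added example, not spenmcgee’s code and not the TX29’s real frame layout: the I/Q samples are constructed inside the script from a made-up OOK burst with a 1010… preamble, and the sample rate, symbol rate, decimation factor and payload are all assumptions chosen to keep the arithmetic easy to follow. No numpy is used so it runs anywhere.

```python
import math
import random

SAMPLE_RATE = 250_000   # assumption: samples per second of the constructed capture
SYMBOL_RATE = 5_000     # assumption: OOK symbol rate -> 50 raw samples per symbol
DECIM = 5               # assumption: decimation factor -> 10 samples per symbol after decimation
PREAMBLE = [1, 0] * 8   # 16 alternating bits, a common OOK sync pattern
PAYLOAD = [1, 0, 1, 1, 0, 0, 1, 0, 0, 1, 1, 1, 0, 1, 0, 0]  # constructed 16-bit payload


def make_iq(bits, sps, seed=1):
    """Construct complex I/Q samples for one OOK burst with silence either side."""
    rng = random.Random(seed)
    noise = lambda: complex(rng.gauss(0, 0.05), rng.gauss(0, 0.05))
    samples = [noise() for _ in range(3 * sps)]          # leading silence
    phase = 0.0
    for b in bits:
        for _ in range(sps):
            phase += 0.1                                 # small carrier offset; magnitude ignores it
            amp = 1.0 if b else 0.0
            samples.append(complex(amp * math.cos(phase), amp * math.sin(phase)) + noise())
    samples += [noise() for _ in range(3 * sps)]         # trailing silence
    return samples


def magnitude(iq):
    """Envelope: sqrt(I^2 + Q^2) per sample, which is what abs() computes on complex."""
    return [abs(s) for s in iq]


def decimate(x, factor):
    """Average non-overlapping blocks: fewer samples and a little noise reduction."""
    return [sum(x[i:i + factor]) / factor for i in range(0, len(x) - factor + 1, factor)]


def moving_average(x, width):
    """Box-filter convolution; a single-sample spike cannot cross the threshold after it."""
    out, acc = [], 0.0
    for i, v in enumerate(x):
        acc += v
        if i >= width:
            acc -= x[i - width]
        out.append(acc / min(i + 1, width))
    return out


def threshold(x):
    """Slice to 0/1 at the midpoint between the quietest and loudest level seen."""
    mid = (min(x) + max(x)) / 2
    return [1 if v > mid else 0 for v in x]


def transitions(sliced):
    return [i for i in range(1, len(sliced)) if sliced[i] != sliced[i - 1]]


def recover_clock(sliced, preamble_len):
    """Clock recovery: a 1010... preamble has one edge per symbol, so the median
    gap between its edges is the symbol period in (decimated) samples."""
    edges = transitions(sliced)
    if len(edges) < preamble_len:
        raise ValueError("no preamble found")
    gaps = sorted(edges[i + 1] - edges[i] for i in range(preamble_len - 1))
    return edges[0], gaps[len(gaps) // 2]   # (burst start, samples per symbol)


def demodulate(iq, decim, preamble, n_payload):
    """Full chain: envelope -> decimate -> glitch filter -> slice -> clock -> bits."""
    env = moving_average(decimate(magnitude(iq), decim), 3)
    sliced = threshold(env)
    start, sps = recover_clock(sliced, len(preamble))
    n = len(preamble) + n_payload
    bits = [sliced[int(start + (k + 0.5) * sps)] for k in range(n)]   # sample mid-symbol
    if bits[:len(preamble)] != preamble:
        raise ValueError("preamble mismatch: %r" % bits[:len(preamble)])
    return bits[len(preamble):]


def demo():
    iq = make_iq(PREAMBLE + PAYLOAD, SAMPLE_RATE // SYMBOL_RATE)
    iq[20] = complex(3.0, 0.0)   # constructed glitch in the leading silence; the box filter absorbs it
    return demodulate(iq, DECIM, PREAMBLE, len(PAYLOAD))


if __name__ == "__main__":
    print("".join(map(str, demo())))
```

The mid-symbol sampling point is what makes the clock recovery matter: if the estimated period is off by even a few percent, later bits drift toward the symbol edges and flip, which is exactly the failure mode a real capture at an unknown symbol rate shows.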

If you’re new to reverse engineering signals and don’t have a DSP background, then spenmcgee’s write up is an excellent starting point. It’s written in a way that even a layman should be able to understand with a little effort. If you have a LaCrosse TX29 wireless temperature meter that you just want to decode, then his code will also be of use.

Bits detected from the RTL-SDR data.

Wintelive: Tutorial and Updates to the Windows Telive TETRA Decoder Implementation

Earlier this month we posted about “cURLy bOi”’s release of his Windows port of telive. Telive is a popular TETRA decoder created by SQ5BPF which until recently only ran on Linux systems. TETRA is a digital voice radio system used in many countries outside the USA.

Now cURLy bOi has just updated his software adding new Windows GUI features and simplifying the install process. The software and text install instructions can be downloaded from his web server, and the code can be found on GitHub.

In order to show the new features and how to use the software cURLy bOi has also created a tutorial video up on YouTube, which is shown below.

https://www.youtube.com/watch?v=OTKn1UwYMBI

Experimenting with Broadcast FM RDS (TMC, RT+) and SCA Audio

A typical broadcast FM station can sometimes contain “hidden” subcarriers embedded within the main signal. The subcarriers contain data or audio services.

An example of a data subcarrier hidden within broadcast FM is the “Traffic Message Channel” (TMC). The TMC contains traffic data, and is used on GPS devices that advertise as having live traffic capabilities. TMC data is encrypted so that it can be sold, but is very easily broken. Another data service is RDS-RT+ data which transmits song information, for radios that can display it.

An example of a voice subcarrier (SCA/ACS) might be niche radio stations, such as ethnic stations, elevator music, music for doctors’ offices etc. Usually a specialized radio is required to receive an SCA channel. In a previous post we showed how a user was able to receive SCA on Windows.

Over on his blog Gough Lui has been investigating the broadcast FM subcarriers in his home town of Sydney, Australia. In his post he looks at TMC, RDS-RT+ and SCA subcarriers and explains a bit about what they are and how they work. He also goes on to receive and decode the subcarriers with an RTL-SDR, gr-rds and GNU Radio. While Gough doesn’t bother to decrypt the TMC service, he can still see when an event occurs and what the event was; without decryption he just doesn’t know the event’s location. For SCA he wrote a GNU Radio program to extract the audio subcarrier and was able to decode audio from a local Indian station for migrants.

SCA GNU Radio Decoder