The audio codec specifications are not public and are thus not implemented here, so this code has very little use outside of being a good learning tool. But Phil does write that if anyone is able to figure out how to decode the codec, then this code may be a good starting point.
I wrote this because I wanted to learn about digital broadcasts. Despite the fact that the audio codec used is iBiquity’s proprietary HDC codec, I decided that writing a receiver that could decode the air interface would be a great learning experience.
iBiquity’s HDC codec is supposedly based upon some of the same technologies as HE-AAC codec so it may be possible for some audio codec gurus, given access to the raw HDC audio packets, to write a decoder for the codec.
The receiver is somewhat limited. It only decodes FM MP1 profile transmissions (which happens to include every IBOC FM transmitter in my area). It is also somewhat limited in the Layer 2 packet demultiplexing. It likely needs a strong signal in order to decode reasonably well. However, it is just enough to get access to the main program stream.
OpenHAB is an open source home automation software program which is designed to interface with and manage all the various sensors and systems in an automated house. One problem, however, is that many wireless sensors and actuators use a proprietary communications protocol that is not supported by OpenHAB.
In his home, Dan Englender had several Honeywell 5800 series 345 MHz wireless security door sensors, all of which interface using a proprietary protocol that is not yet implemented in OpenHAB. In order to get around this, Dan decided to reverse engineer the protocol and implement a decoder into OpenHAB himself.
Keith Maton (G6NHU) wrote in and wanted to share his new ready-to-go APRS RX iGate image for the Raspberry Pi. APRS stands for “Amateur Packet Reporting System”, and is a type of packet radio communications system used by Amateur Radio operators. They often use it to transmit short mail messages, weather sensor updates, vehicle tracking data and for various other purposes. An iGate allows APRS messages to be relayed all over the world via the internet, using a signal chain such as: RF->iGate RX->Internet->iGate TX->RF. To run an iGate you should be a radio amateur with a callsign. A global aggregation of APRS broadcasts received by iGates can be seen at aprs.fi.
An RTL-SDR can be used to receive APRS packets easily, and many amateur radio enthusiasts have been setting up APRS RX-only iGates using the “direwolf” decoding software. Keith’s image simplifies the process of installing and configuring the software significantly by providing a plug-and-play image that you just burn to an SD card and plug into your Raspberry Pi. His post also explains how to configure the iGate correctly.
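As an added example (not part of Keith’s post, his image, or the direwolf project), the script below shows what the RF side of an RX-only iGate has to do with each packet direwolf hands it: parse the TNC2 monitor line (SRC>DEST,PATH:INFO), apply the APRS-IS rule that packets carrying TCPIP, TCPXX, NOGATE or RFONLY in their path must not be gated to the internet, and decode an uncompressed position report for display. The sample packets, callsigns and coordinates are constructed; the gating markers are taken from the APRS-IS iGate guidelines.

```python
import re
from dataclasses import dataclass

# Constructed sample lines in TNC2 monitor format (SRC>DEST,PATH:INFO), the text
# form a TNC or direwolf logs. Callsigns and coordinates are made up.
SAMPLE_PACKETS = [
    "N0CALL-9>APRS,WIDE1-1,WIDE2-1:!4903.50N/07201.75W>Test car",
    "N0CALL-7>APRS,RFONLY:!4903.50N/07201.75W-do not gate",
    "N0CALL-1>APRS,TCPIP*:!4903.50N/07201.75W-came from the internet",
    "N0CALL>APRS,WIDE1-1:>status only, no position",
]


@dataclass
class AprsPacket:
    source: str
    destination: str
    path: list
    info: str


def parse_tnc2(line):
    """Split a TNC2 line into its AX.25 address fields and the APRS info field."""
    header, sep, info = line.partition(":")
    if not sep:
        raise ValueError("missing ':' between header and info field")
    source, sep, rest = header.partition(">")
    if not sep or not source:
        raise ValueError("missing '>' between source and destination")
    destination, *path = rest.split(",")
    return AprsPacket(source, destination, path, info)


# Path entries that mark a packet as not to be gated from RF to APRS-IS
# (APRS-IS iGate guidelines: TCPIP/TCPXX means it already came from the
# internet, NOGATE/RFONLY is the sender asking to stay on RF).
NO_GATE = {"TCPIP", "TCPXX", "NOGATE", "RFONLY"}


def should_gate(pkt):
    """Decide whether an RX-only iGate forwards this packet to the internet.
    A trailing '*' marks a digipeater hop already used, so strip it first."""
    return not any(hop.rstrip("*").upper() in NO_GATE for hop in pkt.path)


# Uncompressed position without timestamp: '!' or '=', then DDMM.mmN,
# symbol table character, DDDMM.mmW, symbol code character.
_POSITION = re.compile(
    r"^[!=](\d{2})(\d{2}\.\d{2})([NS])(.)(\d{3})(\d{2}\.\d{2})([EW])(.)")


def decode_position(info):
    """Return (lat, lon, symbol) in decimal degrees, or None for non-position data."""
    m = _POSITION.match(info)
    if not m:
        return None
    lat = int(m.group(1)) + float(m.group(2)) / 60
    lon = int(m.group(5)) + float(m.group(6)) / 60
    if m.group(3) == "S":
        lat = -lat
    if m.group(7) == "W":
        lon = -lon
    return round(lat, 5), round(lon, 5), m.group(4) + m.group(8)


def process(lines):
    """Per packet: parse, apply the gating rule, and extract the position."""
    out = []
    for line in lines:
        pkt = parse_tnc2(line)
        out.append({
            "source": pkt.source,
            "gate": should_gate(pkt),
            "position": decode_position(pkt.info),
        })
    return out


if __name__ == "__main__":
    for row in process(SAMPLE_PACKETS):
        print(row)
```

Run it as-is to see the four constructed packets classified; only the first and last would be forwarded to APRS-IS, and only the position packets yield coordinates.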
The existing thermostat wireless receiver is a Danfoss RX2. In order to reverse engineer the protocol, Andy opened up an older one that he had and saw that it used an Infineon TDA5210 RF receiver chip. Armed with this part number he was able to look up the datasheet and determine the operating frequency. Then, using an RTL-SDR, he captured some packets while pressing buttons on the thermostat transmitter and piped the audio file into Audacity, where he was able to clearly see the digital waveform.
Andy then wrote a Python program using the ‘wave’ library, which allowed him to easily read binary values from a .wav file. With his code he was able to extract the data from the signal and determine the preamble, sync word, thermostat ID and the instruction code (on/off/learn).
In a future post Andy hopes to show us how he’ll use an RF69 module with an Arduino to actually control the thermostat using the reverse engineered packet knowledge.
WaveConverter is a tool that helps you extract digital data from RF transmissions that have been captured via Software Defined Radio (SDR). After the user defines the modulation parameters, framing and encoding, WaveConverter will process a stored I-Q file and extract the data from any transmissions that match this definition. Using programmable timing tolerances and glitch filters, WaveConverter is able to extract data from signals that would otherwise appear corrupted.
This software will make the process of reverse engineering signals easier and more error-proof. Because WaveConverter includes the ability to store and retrieve signal protocols (modulation + encoding parameters), we have been generating a database of protocols that we can quickly use to iteratively attack unknown signals.
This tool should be very useful for reverse engineering digital signals, such as those found in keyfobs, wireless doorbells, wireless temperature sensors and any other simple RF device. Simply use an SDR device like an RTL-SDR to capture a sample of the signal of interest and then open it up in WaveConverter to first easily analyze the signal and determine its properties, then to automatically demodulate any subsequent signal into a binary string. For more information the documentation can be found here (pdf).
WaveConverter seems to be quite similar in purpose to Inspectrum and DSpectrum which are two Linux tools that are also designed for reverse engineering digital signals.
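Andy’s wave-library extraction above and WaveConverter’s timing tolerances and glitch filters are the same pipeline in miniature. The following Python script is an added example, not Andy’s code and not WaveConverter’s: it synthesizes a 16-bit mono WAV containing one on/off-keyed frame (preamble, sync word, ID, command) with optional noise spikes, reads it back with the standard `wave` module, collapses samples into level runs, drops runs shorter than a fraction of a bit (the glitch filter), converts the remaining runs to bits while rejecting any run that is not within a tolerance of a whole bit count (the timing tolerance), and finally locates the sync word to pull out the fields. The bit rate, sync word, field layout and thermostat values are invented for the demo and are not the Danfoss protocol.

```python
import io
import struct
import wave

# Demo frame layout (constructed, not any real thermostat protocol).
SAMPLE_RATE = 48000
BIT_SAMPLES = 48                 # 1 ms per bit -> 1000 baud NRZ on/off keying
PREAMBLE = "10101010" * 2        # alternating bits, lets a receiver settle
SYNC_WORD = "0010110111010100"   # 0x2DD4 marks where the payload starts
GLITCH_SAMPLES = 6               # level changes shorter than this are noise
TOLERANCE = 0.25                 # run must be within 25% of a whole bit count


def make_wav(thermostat_id, command, glitches=()):
    """Write one frame as a 16-bit mono WAV into memory. `glitches` lists sample
    offsets where a 3-sample spike is injected to imitate RF noise."""
    bits = PREAMBLE + SYNC_WORD + f"{thermostat_id:016b}" + f"{command:08b}"
    samples = [0] * (4 * BIT_SAMPLES)                 # idle before the frame
    for b in bits:
        samples += [20000 if b == "1" else 0] * BIT_SAMPLES
    samples += [0] * (4 * BIT_SAMPLES)                # idle after the frame
    for g in glitches:
        for i in range(g, g + 3):
            samples[i] = 0 if samples[i] else 20000   # flip the level briefly
    buf = io.BytesIO()
    with wave.open(buf, "wb") as w:
        w.setnchannels(1)
        w.setsampwidth(2)
        w.setframerate(SAMPLE_RATE)
        w.writeframes(struct.pack(f"<{len(samples)}h", *samples))
    return buf.getvalue()


def read_levels(wav_bytes, threshold=10000):
    """Read 16-bit mono samples with `wave` and threshold each one to 0/1."""
    with wave.open(io.BytesIO(wav_bytes), "rb") as w:
        if w.getnchannels() != 1 or w.getsampwidth() != 2:
            raise ValueError("expected 16-bit mono audio")
        raw = w.readframes(w.getnframes())
    samples = struct.unpack(f"<{len(raw) // 2}h", raw)
    return [1 if abs(s) > threshold else 0 for s in samples]


def run_lengths(levels):
    """Collapse per-sample levels into [level, length] runs."""
    runs = []
    for lv in levels:
        if runs and runs[-1][0] == lv:
            runs[-1][1] += 1
        else:
            runs.append([lv, 1])
    return runs


def glitch_filter(runs, min_len=GLITCH_SAMPLES):
    """Absorb any run shorter than min_len into its neighbours, then re-merge
    the two halves of the run the glitch had split."""
    out = []
    for lv, n in runs:
        if n < min_len and out:
            out[-1][1] += n
        elif out and out[-1][0] == lv:
            out[-1][1] += n
        else:
            out.append([lv, n])
    return out


def runs_to_bits(runs, bit_samples=BIT_SAMPLES, tol=TOLERANCE):
    """Turn runs into an NRZ bit string. Idle runs at either end are padded
    rather than measured; every other run must be close to a whole bit count."""
    bits = []
    last = len(runs) - 1
    for i, (lv, n) in enumerate(runs):
        if i in (0, last):
            bits.append(str(lv) * 8)
            continue
        count = n / bit_samples
        nearest = round(count)
        if nearest == 0 or abs(count - nearest) > tol:
            raise ValueError(f"run of {n} samples is not a clean bit multiple")
        bits.append(str(lv) * nearest)
    return "".join(bits)


def decode_frame(wav_bytes, filter_glitches=True):
    """Full pipeline: WAV -> levels -> runs -> (filter) -> bits -> fields."""
    runs = run_lengths(read_levels(wav_bytes))
    if filter_glitches:
        runs = glitch_filter(runs)
    bits = runs_to_bits(runs)
    start = bits.find(SYNC_WORD)
    if start < 0:
        raise ValueError("sync word not found")
    payload = bits[start + len(SYNC_WORD):start + len(SYNC_WORD) + 24]
    if len(payload) < 24:
        raise ValueError("frame truncated")
    return {"thermostat_id": int(payload[:16], 2), "command": int(payload[16:], 2)}


if __name__ == "__main__":
    noisy = make_wav(0x1A2B, 0x04, glitches=[50, 192 + 48 * 20 + 20])
    print(decode_frame(noisy))
```

The glitch filter is what makes the noisy capture decodable: without it, a 3-sample spike becomes a run that rounds to zero bits and the timing check rejects the frame, which is exactly the “corrupted” case WaveConverter’s filters are meant to rescue. On a real capture you would replace `make_wav` with the file from your SDR and tune `BIT_SAMPLES`, the threshold and the sync word to what you measured in Audacity.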
Recently we heard about the PandwaRF Portable Analyzer (previously known as the GollumRF). This is not an SDR, but can probably be described as a programmable and computer controlled radio. It appears to be based on the Yardstick One design by Michael Ossmann, the creator of the HackRF. Both the Yardstick One and PandwaRF are based on the CC1111 sub-1 GHz RF transceiver chip. These types of pseudo-SDRs can be very useful for reverse engineering, analyzing and experimenting with simple digital signals.
For example it could be used to capture data from any ASK/OOK/MSK/2-FSK/GFSK modulation in the 300 – 928 MHz band. You can then easily analyze the data, and then retransmit the same or a modified signal. The same could be done with a TX capable SDR like the HackRF, but doing so tends to require a lot more work.
The difference between the Yardstick One and PandwaRF appears to be mainly in the connection interface. The PandwaRF is essentially the Yardstick One with Bluetooth LE connectivity and an Android/iOS smartphone app. USB connectivity for Linux still exists. It also has an internal battery, whereas the Yardstick One does not. They wrote a post comparing the RTL-SDR, Yardstick One and PandwaRF here.
The device seems to be new, as it only started shipping in November and the first batch is still being sold. It costs 145 euros and appears to originate from the EU. There is also a ‘mini’ version on pre-order which also costs 145 euros. In comparison the Yardstick One costs about $99 – $145 USD depending on the shop you choose.
BY70-1 is a Chinese amateur CubeSat which was recently launched on December 29, 2016. It is expected to stay in orbit for only 1 – 2 months due to a partial launch failure that released the satellite into an incorrect orbit. The purpose of the satellite is education in schools and amateur radio use. The receivable signals include an FM repeater and a BPSK telemetry beacon, both of which can be received at 436.2 MHz. The telemetry beacon is interesting because it also transmits images from an on-board visible light camera. These signals can easily be received with an RTL-SDR or other SDR with an appropriate antenna.
Over on his blog Daniel Estévez has been posting about decoding these telemetry images. He’s been using telemetry data collected by other listeners, and the gr-satellites GNU Radio decoder, which is capable of decoding the telemetry beacons of many amateur radio satellites. So far the decoded images haven’t been great; they’re mostly black with nothing really discernible. Hopefully future decodes will show better images.
If you want to track the satellite and attempt a decode, the Satellite AR Android app has the satellite in its database.
Not many people seem to have gotten telemetry decodes or images yet, but below we show an image decoded by @bg2bhc on Twitter.