The write up first shows the reception of the signal from the wireless controller, and then moves on to show how to receive it in GNU Radio and obtain a time domain graph of the digital signal. From the pulses it is simple to visually work out the binary string. Next an instruction decoder is created in GNU Radio which automatically obtains the binary string from the signal directly. Then once the codes for back, forward, left and right were obtained it was possible to write another GNU Radio program to transmit these codes to the RC toy tank from the HackRF.
After noting down the FCC ID printed on the device, they determined that the operating frequency was 315 MHz. They discovered from the documentation that each wireless DX device is encoded with a unique code that is precoded at the factory. Only remotes with the correct code programmed in can open the door.
The first attack they tried was a simple replay attack. They used a HackRF to record the signal, and then play it back again. This worked perfectly first time.
Next they decided to take this further and reverse engineer the protocol and see if a brute force attack could be applied. By doing some logic analysis on the circuit, they were able to figure out how to iterate over the entire key space. It turns out that the lock can be brute forced in at most 14.5 hours, or 7.25 hours on average.
The Universal Radio Hacker is a software for investigating unknown wireless protocols. Features include
hardware interfaces for common Software Defined Radios
easy demodulation of signals
assigning participants to keep overview of your data
customizable decodings to crack even sophisticated
encodings like CC1101 data whitening
assign labels to reveal the logic of the protocol
fuzzing component to find security leaks
modulation support to inject the data back into the system
Inspectrum and Waveconverter are two similar programs for analyzing digital signals, however Universal Radio Hacker seems to be the most advanced.
Johannes has also uploaded four tutorial videos to YouTube which show the software in action. In the videos he uses Universal Radio Hacker to reverse engineer a wirelessly controlled power socket, and then in the last video he uses the software to transmit the reverse engineered signals via a HackRF.
OpenHAB is an open source home automation software program which is designed to interface and manage all the various sensors and systems in an automated house. One problem however, is that many wireless sensors and actuators utilize a proprietary communications protocol that is not supported by OpenHAB.
In his home, Dan Englender had several Honeywell 5800 series 345 MHz wireless security door sensors, all of which interface using a proprietary protocol that is not yet implemented in OpenHAB. In order to get around this, Dan decided to reverse engineer the protocol and implement a decoder into OpenHAB himself.
The existing thermostat wireless receiver is a Danfoss RX2. In order to reverse engineer the protocol Andy opened up an older that one he had and saw that it used an Infineon TDA5210 RF receiver chip. Armed with this part number he was able to look up the datasheet and determine the operating frequency. Then by using an RTL-SDR he captured some packets while pressing buttons on the thermostat transmitter and piped the audio file into audacity, where he was able to clearly see the digital waveform.
Andy then wrote a Python program using the ‘wave’ library, which allowed him to easily read binary values for a .wav file. With his code he was able to extract the data from the signal and determine the preamble, sync word, thermostat ID and the instruction code (on/off/learn).
In a future post Andy hopes to show us how he’ll use an RF69 module with an Arduino to actually control the thermostat using the reverse engineered packet knowledge.
WaveConverter is a tool that helps you extract digital data from RF transmissions that have been captured via Software Defined Radio (SDR). After the user defines the modulation parameters, framing and encoding, WaveConverter will process a stored I-Q file and extract the data from any transmissions that match this definition. Using programmable timing tolerances and glitch filters, WaveConverter is able to extract data from signals that would otherwise appear corrupted.
This software will make the process of reverse engineering signals easier and more error-proof. Because WaveConverter includes the ability to store and retrieve signal protocols (modulation + encoding parameters), we have been generating a database of protocols that we can quickly use to iteratively attack unknown signals.
This tool should be very useful for reverse engineering digital signals, such as those found in keyfobs, wireless doorbells, wireless temperature sensors and any other simple RF device. Simply use an SDR device like an RTL-SDR to capture a sample of the signal of interest and then open it up in WaveConverter to first easily analyze the signal and determine it’s properties, then to automatically demodulate any subsequent signal into a binary string. For more information the documentation can be found here (pdf).
WaveConverter seems to be quite similar in purpose to Inspectrum and DSpectrum which are two Linux tools that are also designed for reverse engineering digital signals.
Erhard E. has been experimenting with capturing, analyzing, reverse engineering and then transmitting new ASK/OOK signals with his RTL-SDR and Raspberry Pi running RPiTX. Erhard has written a very informative guide/tutorial (pdf) that explains how he did it for wireless doorbell and for remote control toy cars. RPiTX is software for the Raspberry Pi which allows it to transmit almost any signal via modulation of a GPIO pin. RPiTX related posts have been featured on this blog several times in the past.
First Erhard records a copy of the doorbell signal using his RTL-SDR and then views the waveform in Audacity. He then writes that you’ll need to find the waveform characteristics either manually using Audacity, or by using the rtl_433 decoder. In the tutorial he uses rtl_433 which automatically gives his the pulse width, gap width and pulse period.
Next in order to actually generate the signal using RPiTX he uses the waveform characteristics that he found out and manually creates a .ft hex file that describes the signal to be generated. Then using using the rpitx command, the .ft file can be transmitted.
Later in the tutorial he also shows how he performed the same reverse engineering process with a cheap RC car toy (forward/reverse commands only), which uses OOK encoding on the wireless controller.
Back in September 2015 we made a post about how Bastian Bloessl was able to use his RTL-SDR dongle to reverse engineer and decode the signals coming from portable wirelessly synchronized traffic lights which are commonly set up around road construction zones.
To reverse engineer these new lights he made a recording of the signals in GQRX and then opened them up in Inspectrum, which is a very nice tool for helping to reverse engineer digital signals. Thanks to Inspectrum he was easily able to extract the preamble and decode the data in GNU Radio.
Bastian has also uploaded a video that shows him reverse engineering the binary frame format in the Vim text editor which may be useful for those wishing to understand how it’s done.