Tagged: reverse engineering

WaveConverter: An Open Source RF Reverse Engineering Tool

During the Schmoocon 2017 conference presenter Paul Clark introduced a new open source Linux tool called WaveConverter which he’s been working on for reverse engineering RF signals. Paul writes:

WaveConverter is a tool that helps you extract digital data from RF transmissions that have been captured via Software Defined Radio (SDR). After the user defines the modulation parameters, framing and encoding, WaveConverter will process a stored I-Q file and extract the data from any transmissions that match this definition. Using programmable timing tolerances and glitch filters, WaveConverter is able to extract data from signals that would otherwise appear corrupted.

This software will make the process of reverse engineering signals easier and more error-proof. Because WaveConverter includes the ability to store and retrieve signal protocols (modulation + encoding parameters), we have been generating a database of protocols that we can quickly use to iteratively attack unknown signals.

This tool should be very useful for reverse engineering digital signals, such as those found in keyfobs, wireless doorbells, wireless temperature sensors and any other simple RF device. Simply use an SDR device like an RTL-SDR to capture a sample of the signal of interest and then open it up in WaveConverter to first easily analyze the signal and determine it’s properties, then to automatically demodulate any subsequent signal into a binary string. For more information the documentation can be found here (pdf).

WaveConverter seems to be quite similar in purpose to Inspectrum and DSpectrum which are two Linux tools that are also designed for reverse engineering digital signals.

WaveConverter Screenshot
WaveConverter Screenshot
[First seen on Hackaday]


A Guide to Using RPiTX and an RTL-SDR to Reverse Engineer and Control ASK/OOK Devices

Erhard E. has been experimenting with capturing, analyzing, reverse engineering and then transmitting new ASK/OOK signals with his RTL-SDR and Raspberry Pi running RPiTX. Erhard has written a very informative guide/tutorial (pdf) that explains how he did it for wireless doorbell and for remote control toy cars. RPiTX is software for the Raspberry Pi which allows it to transmit almost any signal via modulation of a GPIO pin. RPiTX related posts have been featured on this blog several times in the past.

First Erhard records a copy of the doorbell signal using his RTL-SDR and then views the waveform in Audacity. He then writes that you’ll need to find the waveform characteristics either manually using Audacity, or by using the rtl_433 decoder. In the tutorial he uses rtl_433 which automatically gives his the pulse width, gap width and pulse period.

Next in order to actually generate the signal using RPiTX he uses the waveform characteristics that he found out and manually creates a .ft hex file that describes the signal to be generated. Then using using the rpitx command, the .ft file can be transmitted.

Later in the tutorial he also shows how he performed the same reverse engineering process with a cheap RC car toy (forward/reverse commands only), which uses OOK encoding on the wireless controller.

The tutorial can be downloaded in PDF form here.

Showing the Pulse Width, Gap Width and Symbol Period of a signal in Audacity.
Showing the Pulse Width, Gap Width and Symbol Period of a signal in Audacity.

Reverse Engineering Traffic Lights with an RTL-SDR Part 2

Back in September 2015 we made a post about how Bastian Bloessl was able to use his RTL-SDR dongle to reverse engineer and decode the signals coming from portable wirelessly synchronized traffic lights which are commonly set up around road construction zones.

Recently Bastian noticed that a new set of wireless traffic lights had been set up at his University, so he got to work on trying to reverse engineer those. He found that these new lights use the same frequency band, but work using a different modulation and frame format scheme.

The reverse engineered wireless traffic lights.
The reverse engineered wireless traffic lights.

To reverse engineer these new lights he made a recording of the signals in GQRX and then opened them up in Inspectrum, which is a very nice tool for helping to reverse engineer digital signals. Thanks to Inspectrum he was easily able to extract the preamble and decode the data in GNU Radio.

Bastian has also uploaded a video that shows him reverse engineering the binary frame format in the Vim text editor which may be useful for those wishing to understand how it’s done.


Once the frame format was reverse engineered, he was able to use the program he created last year which allows him to view the status of the lights remotely in real time.

Reverse Engineering and Reading Data from a Wireless Temperature Meter: Tutorial + Code

On GitHub user spenmcgee has uploaded a write up and Python software that decodes data from a Lacross TX29 wireless temperature meter. Spenmcgee’s write up goes into excellent detail about how he actually wrote the program and reversed engineered the transmitter.

First he explains how he used Python to extract the data from the RTL-SDR I/Q samples. From those samples he calculates the amplitude data, and plots it on a graph which shows the digital signal. He then decimates the signal to reduce the number of samples and figures out how to detect the preamble, data bits and packet repetitions. Then to decode the signal he explains how he does clock recovery, convolution and thresholding, and also the importance and meaning of those steps.

If you’re new to reverse engineering signals and don’t have a DSP background, then spenmcgee’s write up is an excellent starting point. It’s written in a way that even a layman should be able to understand with a little effort. If you have a Lacross TX29 wireless temperature meter that you just want to decode, then his code will also be of use.

Bits detected from the RTL-SDR data.
Bits detected from the RTL-SDR data.

Reverse Engineering the Outernet Signal

Outernet is a satellite based file delivery service. Currently they’re beta testing their service and they are using RTL-SDR’s as the receiver. In previous posts we’ve seen that they’re now regularly transmitting weather updates, wikipedia files and more files like images and books. Over time the service is becoming more and more useful. If you’re interested in receiving their service we have a tutorial available here.

While most of the Outernet software is open sourced, the signal protocol itself is closed source, which ties you into needing to use the official Outernet software. Over on his blog, Daniel Estévez has been working on reverse engineering the Outernet signal with the goal of publishing the results and building a fully open source receiver.

So far he’s managed to fully reverse engineer the modulation, coding and framing. He’s also been able to build a GNU Radio program that receives the Outernet frames and a Python program called free-outernet which does the decoding. His post goes into greater details on how he reverse engineered the signal and what his finding are.

The Outernet Concept
The Outernet Concept

Reverse Engineering Digital RF Signals the Easy Way with DSpectrum

Recently nullwolf (T.J. Acton) wrote in to let us know about a very useful wrapper for Inspectrum that he has created, called DSpectrum. Inspectrum is a Linux/Mac based tool that makes it very easy to extract a binary string from a digital transmission which can be recorded with any SDR like an RTL-SDR. DSpectrum builds on Inspectrum and further automates the reverse engineering process. He writes:

The wrapper [DSpectrum] assesses the amplitude measurements, or frequency shifts, that are reported by Inspectrum. The wrapper uses the average of the provided values as a threshold. When a cell’s value falls below the threshold, the wrapper determines that the value is a binary ‘0’, and when it is above the threshold, it records the value as a ‘1’. It then returns this raw binary data as output, in addition to the binary’s hex and ascii translations.

Another two features were included: the semi-automatic comparison of two portions of a transmission in the same file, and the semi-automatic comparison of two signals in separate files.

Nullwolf notes that with DSpectrum the time taken for him to reverse engineer signals has dropped from 1 hour down to 5 minutes in some cases.

A comparison of two binary signals in DSpectrum
A comparison of two binary signals in DSpectrum

Performing a Replay Attack on a Wireless Doorbell with a USRP SDR

A replay attack consists of recording a signal, and then simply replaying it back at the same frequency at a later time. To do this a receive and transmit capable software defined radio like a USRP/HackRF/bladeRF can be used.

Over on his blog, the admin of the dxwxr group has posted a tutorial showing how he performs a replay attack on a simple wireless doorbell using a USRP, GNURadio and the audio editor Audacity. This is a very simple process and is a great tutorial for those looking to get started in reverse engineering signals. First he determines the frequency of the doorbell which turned out be be around 315 MHz. Then using GNURadio he records the signal emitted by the doorbell remote and opens up the audio file in Audacity. He then isolates a section of the signal and saves it as a raw aiff file. Finally, he uses GNURadio to transmit the isolated signal via the USRP.

Captured wireless doorbell signal.
Captured wireless doorbell signal.

Using a Yardstick One, HackRF and Inspectrum to Decode and Duplicate an OOK Signal

Over on his YouTube channel user Gareth has uploaded a video that shows a full tutorial on quickly decoding an On Off Keyed (OOK) signal with a HackRF (or RTL-SDR) and the Inspectrum software. Once decoded he then shows how to use a Yardstick One to duplicate the signal.

Inspectrum is a Linux based program that allows you to easily determine various parameters of a digital modulated signal by positioning an overlay over the waveform of a signal recorded with an SDR. Basically Gareth’s process is to first extract signal level values using Inspectrum, then secondly use a simple Python program to turn these values into binary bits, which gives him the data packet. He is then finally able to write another quick Python program to interface with the Yardstick One and retransmit the string.

The Yardstick One is a multipurpose radio (not a SDR) for transmitting modulated signals like OOK.