Tagged: reverse engineering

YouTube Talk: Introduction to DSpectrum for Reverse Engineering Signals

Over on YouTube a talk from the author of DSpectrum has been uploaded from his talk during the 13th Cyberspectrum Melbourne meetup. In his talk he goes through the full process of reverse engineering a wireless alarm system in DSpectrumGUI. DSpectrum is a reverse engineering tool that aims to make it trivial to demodulate digital RF transmissions using data captured from SDRs like an RTL-SDR or HackRF.

In the video he shows how to create a project, import a capture and create an overlay on Inspectrum and bring the waveform back into DSpectrum. DSpectrum was then able to automatically detect that the encoding used was PWM and convert it into a bit string. Then by importing multiple captures from various buttons on the alarm he shows how easy it is to see the differences in the bit strings from within DSpectrum. From these differences he uses DSpectrum to help identify what the function of each byte of the bitstring is. Finally he shows how to perform a replay attack with RFcat or similar hardware using the data gathered.

This is a really good talk to watch if you’re interested in getting started with reverse engineering simple digital signals, like those from ISM band devices.

Signal Reverse Engineering Tool DSpectrum Upgraded to DSpectrumGUI

DSpectrum is a reverse engineering tool that aims to make it trivial to demodulate digital RF transmissions. It is built on top of the Inspectrum tool which makes it easy to visualize and manually turn a captured digital RF waveform into a string of bits for later analysis by providing a draggable visual overlay that helps with determining various digital signal properties. DSpectrum added features to Inspectrum like automatically converting the waveform into a binary string with thresholding. RF .wav files for these tools can be captured by any capable radio, such as an RTL-SDR or HackRF.

DSpectrum has recently been depreciated in favor of the new DSpectrumGUI which builds on the success of DSpectrum by providing a full interactive GUI that helps with the reverse engineering workflow. Some interesting new features include things like automatic analysis of the binary to determine the modulation and encoding types, the ability to submit/download reverse engineering worksheet templates to/from the community and binary generation for transmitting with a RFCat.

A similar tool is Universal Radio Hacker.

DSpectrumGUI
DSpectrumGUI

Reverse Engineering and Controlling an RC Toy Tank with a HackRF and GNU Radio

Last year during a Russian wireless ‘capture the flag’ (CTF) competition one of the goals was to reverse engineer a remote controlled toy tank, and then to control it with a HackRF. One of the Russian CTF teams has posted a thorough write up on the reverse engineering process that was used on the toy tank (the link is in Russian, but Google Translate works okay).

The write up first shows the reception of the signal from the wireless controller, and then moves on to show how to receive it in GNU Radio and obtain a time domain graph of the digital signal. From the pulses it is simple to visually work out the binary string. Next an instruction decoder is created in GNU Radio which automatically obtains the binary string from the signal directly. Then once the codes for back, forward, left and right were obtained it was possible to write another GNU Radio program to transmit these codes to the RC toy tank from the HackRF.

HackRF used to control an RC toy tank
HackRF used to control an RC toy tank

Reverse Engineering Linear DX Wireless Door Locks

Employees at the network data security company Duo recently had their interest piqued when they discovered that their office’s keycard based door system had a wireless remote which was used by reception to unlock and lock the door. The device was a DX model magnetic lock created by Linear.

After noting down the FCC ID printed on the device, they determined that the operating frequency was 315 MHz. They discovered from the documentation that each wireless DX device is encoded with a unique code that is precoded at the factory. Only remotes with the correct code programmed in can open the door.

The first attack they tried was a simple replay attack. They used a HackRF to record the signal, and then play it back again. This worked perfectly first time.

Next they decided to take this further and reverse engineer the protocol and see if a brute force attack could be applied. By doing some logic analysis on the circuit, they were able to figure out how to iterate over the entire key space. It turns out that the lock can be brute forced in at most 14.5 hours, or 7.25 hours on average.

The Linear DX Wireless Door Lock
The Linear DX Wireless Door Lock

Reverse Engineering Signals with the Universal Radio Hacker Software

Thanks to RTL-SDR.com reader M Kizan who notified us about a Python based digital signal reverse engineering software program called ‘Universal Radio Hacker’ which is developed by Johannes Pohl. The software supports hardware interfaces for SDRs such as the RTL-SDR and HackRF and can be run on Windows, MacOS and Linux.

The Universal Radio Hacker is a software for investigating unknown wireless protocols. Features include

  • hardware interfaces for common Software Defined Radios
  • easy demodulation of signals
  • assigning participants to keep overview of your data
  • customizable decodings to crack even sophisticated
  • encodings like CC1101 data whitening
  • assign labels to reveal the logic of the protocol
  • fuzzing component to find security leaks
  • modulation support to inject the data back into the system

Inspectrum and Waveconverter are two similar programs for analyzing digital signals, however Universal Radio Hacker seems to be the most advanced.

Johannes has also uploaded four tutorial videos to YouTube which show the software in action. In the videos he uses Universal Radio Hacker to reverse engineer a wirelessly controlled power socket, and then in the last video he uses the software to transmit the reverse engineered signals via a HackRF.

Reverse Engineering Honeywell 345 MHz Home Automation Sensors with an RTL-SDR

OpenHAB is an open source home automation software program which is designed to interface and manage all the various sensors and systems in an automated house. One problem however, is that many wireless sensors and actuators utilize a proprietary communications protocol that is not supported by OpenHAB.

In his home, Dan Englender had several Honeywell 5800 series 345 MHz wireless security door sensors, all of which interface using a proprietary protocol that is not yet implemented in OpenHAB. In order to get around this, Dan decided to reverse engineer the protocol and implement a decoder into OpenHAB himself. 

Dan’s four part write up covers the RF capture & demodulation, protocol reverse engineering and implementation into OpenHAB. First he looked up the frequency and bandwidth of the signal via the FCC filing information on fcc.io. Then he captured some packets from a door sensor using his RTL-SDR and GNU Radio, and then wrote a short Python program to decode the protocol and transmit the door open/closed information to OpenHAB. In the future he hopes to optimize the decoder so that it can comfortably run on a Raspberry Pi as the GNU Radio script uses quite a bit of computing power.

The final project is called decode345 and the code is available over on his GitHub.

Honeywell 345 MHz Door Sensor
Honeywell 345 MHz Door Sensor
Custom Door Sensor Status in OpenHAB
Custom Door Sensor Status in OpenHAB
[Also seen on Hackaday]

 

Hacking a Danfoss Wireless Thermostat with an RTL-SDR

Over on his blog Andy writes how he wanted a smart way to control his central heating system with a Raspberry Pi and Arduino microcontroller. He discovered that if he could reverse engineer his existing wireless thermostat then he would have an easy way to control the boiler in his house and with that a smart controller could be made. By reverse engineering the thermostat he also avoids the need to rig up his own control system.

The existing thermostat wireless receiver is a Danfoss RX2. In order to reverse engineer the protocol Andy opened up an older that one he had and saw that it used an Infineon TDA5210 RF receiver chip. Armed with this part number he was able to look up the datasheet and determine the operating frequency. Then by using an RTL-SDR he captured some packets while pressing buttons on the thermostat transmitter and piped the audio file into audacity, where he was able to clearly see the digital waveform.

Andy then wrote a Python program using the ‘wave’ library, which allowed him to easily read binary values for a .wav file. With his code he was able to extract the data from the signal and determine the preamble, sync word, thermostat ID and the instruction code (on/off/learn).

In a future post Andy hopes to show us how he’ll use an RF69 module with an Arduino to actually control the thermostat using the reverse engineered packet knowledge.

Danfoss Wireless Thermostat and a Received Binary Waveform in Audacity
Danfoss Wireless Thermostat and a Received Binary Waveform in Audacity

WaveConverter: An Open Source RF Reverse Engineering Tool

During the Schmoocon 2017 conference presenter Paul Clark introduced a new open source Linux tool called WaveConverter which he’s been working on for reverse engineering RF signals. Paul writes:

WaveConverter is a tool that helps you extract digital data from RF transmissions that have been captured via Software Defined Radio (SDR). After the user defines the modulation parameters, framing and encoding, WaveConverter will process a stored I-Q file and extract the data from any transmissions that match this definition. Using programmable timing tolerances and glitch filters, WaveConverter is able to extract data from signals that would otherwise appear corrupted.

This software will make the process of reverse engineering signals easier and more error-proof. Because WaveConverter includes the ability to store and retrieve signal protocols (modulation + encoding parameters), we have been generating a database of protocols that we can quickly use to iteratively attack unknown signals.

This tool should be very useful for reverse engineering digital signals, such as those found in keyfobs, wireless doorbells, wireless temperature sensors and any other simple RF device. Simply use an SDR device like an RTL-SDR to capture a sample of the signal of interest and then open it up in WaveConverter to first easily analyze the signal and determine it’s properties, then to automatically demodulate any subsequent signal into a binary string. For more information the documentation can be found here (pdf).

WaveConverter seems to be quite similar in purpose to Inspectrum and DSpectrum which are two Linux tools that are also designed for reverse engineering digital signals.

WaveConverter Screenshot
WaveConverter Screenshot
[First seen on Hackaday]