Category: Digital Signals

Investigating Problems with the Tesla HomeLink RF Signal with a HackRF and GNU Radio

Tesla vehicles have a feature where they can copy and mimic a garage door remote via a built in transmitter on the car itself. This frees you from having to carry around a garage door key fob, and you can simply open your garage door by pressing a button on the car's LCD screen.

However, some people have reportedly been having a little trouble with this feature as in some cases the garage door would begin opening, and then suddenly stop opening as if the keyfob button had been pressed twice.

Over on YouTube CWNE88 decided to investigate this problem using his HackRF and GNU Radio. From a simple waterfall he was able to determine that the Tesla actually transmits the mimic'd garage door signal for a full two seconds.

As a keypress from the original keyfob would typically result in a much shorter transmission, CWNE88 believes that the long two second transmission could in some cases be seen as two transmissions by the garage door, resulting in an open, and then close command being detected. 

Tesla HomeLink RF Signal

Tutorial on Performing a Replay Attack with a HackRF and Universal Radio Hacker

Over on YouTube channel Tech Minds has uploaded a short tutorial video that shows how to perform a replay attack with a HackRF and the Universal Radio Hacker software. A replay attack is when you record a control signal from a keyfob or other transmitter, and replay that signal using your recording and a TX capable radio. This allows you to take control of a wireless device without the original keyfob/transmitter. This is easy to do with simple wireless devices like doorbells, but not so easy with any system with rolling codes or more advanced security like most car key fobs.

In the video Tech Minds uses the Universal Radio Hacker software to record a signal from a wireless doorbell, save the recording, replay it with the HackRF, and also analyze it.

Universal Radio Hacker - Replay Attack With HackRF

Dash Mounted ADS-B With an RTL-SDR Blog V3

Reddit user [Bobcalamarie] recently [posted] about how he uses his car dash mounted Android tablet along with an RTL-SDR Blog V3 and a magnetic mount antenna while sitting in traffic to track aircraft overhead.

We’ve seen something similar to this once before when [Signals Everywhere] uploaded a video showing off ADS-B reception (among other things) to a dash-mounted Windows tablet and an Android head unit.

The software used by Bobcalamarie is the Android [Avare ADS-B] software which can be found in the Google Play Store. However, other applications exist for Windows, Linux, and other operating systems as well. Some software such as [Virtual Radar Server] even allows you to set-up alerts for specific types of aircraft. Which while we wouldn’t condone it, it might come in handy for someone in traffic.

What would you do if you had an SDR installed in your vehicle? We would love to hear what you have to say in the comments below.

Dash Mounted ADS-B Reception

Using a LimeSDR and RTL-SDR to Transfer a Text File Over the Air

Over on his blog nuclearrambo has been working on a project that uses a LimeSDR and RTL-SDR to transfer a small CSV text file over the air.

The transmitting side consists of a GNU Radio flowchart that encodes the text file into a binary string, modulates that binary string with Binary Phase Shift Keying (BPSK), and then transmits it using the LimeSDR.

The receiving side uses an RTL-SDR, and is based on another GNU Radio flowgraph that uses a polyphase clock sync block to synchronize the sampling time, a costas loop for fine frequency correction, an LMS DD equalizer block to compensate for multipath effects, and finally demodulation blocks that recover the bits and text file from the BPSK signal.

His results showed that he can almost recover the entire file except for the first few bytes of data which is always lost since it takes time for the clock sync and costas loop block to converge. The post goes into further detail about what each of the blocks do and some of the signal theory math behind everything. The GNU Radio GRC file is also provided if you want to try it out yourself.

LimeSDR Transmitting a CSV file to a RTL-SDR with BPSK modulation.
LimeSDR Transmitting a CSV file to a RTL-SDR with BPSK modulation.

An Introduction to Pagers with the HackRF PortaPack and an RTL-SDR

Over on YouTube user HackedExistence has uploaded a video explaining how POCSAG pager signals work, and he also shows some experiments that he's been performing with his HackRF PortaPack and an old pager.

The Portapack is an add on for the HackRF SDR that allows the HackRF to be used without the need for a PC. If you're interested in the past we reviewed the PortaPack with the Havok Firmware, which enables many TX features such as POCSAG transmissions.

POCSAG is a common RF protocol used by pagers. Pagers have been under the scrutiny of information security experts for some time now as it is common for hospital pagers to spew out unencrypted patient data [1][2][3] into the air for anyone with a radio and computer to decode.

In the video HackedExistence first shows that he can easily transmit to his pager with the HackRF PortaPack and view the signals on the spectrum with an RTL-SDR. Later in the video he explains the different types of pager signals that you might encounter on the spectrum, and goes on to dissect and explain how the POCSAG protocol works.

Intro to Pagers - POCSAG with HackRF

SignalsEverywhere: Decoding HD Radio with an RTL-SDR

Corrosive (KR0SIV) from the SignalsEverywhere YouTube channel has uploaded a new video that explains and shows HD radio being decoded with an RTL-SDR.

If you are in the USA, you might recognize HD (Hybrid Digital) Radio (aka NRSC-5) signals as the rectangular looking bars on the frequency spectrum that surround common broadcast FM radio signals. These signals only exist in the USA and they carry digital audio data which can be received by special HD Radio receivers. Back in June 2017 we posted about how [Theori] was able to piece together a full HD Radio software audio decoder that works in real time. Later developments saw additional data such as traffic data and weather info extracted from HD Radio too.

Corrosive's video also shows a comparison between analog and HD Radio audio. We note that the "HD" doesn't stand for high definition, so audio quality is not really better than the analog stream. He also notes that the HD Radio data stream can contain multiple audio channels, and often they are not the same as the analog station it surrounds. One example he shows is a Simulcast AM radio station being rebroadcast via HD Radio.

HD Radio RTL-SDR Decoding vs Analog Radio

Decoding the ARES Train Protocol with an RTL-SDR

Over on YouTube user JellyImages has uploaded a video demonstrating his Windows based ARESrcvr software. ARES is a railway control communications protocol used by some trains in the USA. His code connects to an RTL-SDR dongle, and demodulates the ARES protocol, providing decoded packets to ATSCMon via UDP on localhost.

ATSCMon allows you to view train telemetry data, and see on a rail map where that control indication came from. It appears that ATSCMon actually already supports ARES decoding via audio piping, but the decoder by JellyImages is a cleaner solution that doesn't require audio piping. In the past we've posted about one other YouTube user whose uploaded videos on using ATSCMon to monitor trains [Post 1][Post 2].

JellyImages also notes that his software only supports the ARES protocol which is used mostly around former Burlington Northern (BN) territory in the USA.

Introducing ARESrcvr

YouTube Video: Reverse Engineering with SDR

Over on YouTube Black Hills Information Security (aka Paul Clark) has uploaded a one hour long presentation that shows how to use a software defined radio to reverse engineer digital signals using GNU Radio.

One of the most common uses of Software Defined Radio in the InfoSec world is to take apart a radio signal and extract its underlying digital data. The resulting information is often used to build a transmitter that can compromise the original system. In this webcast, you'll walk through a live demo that illustrates the basic steps in the RF reverse engineering process, including:

- tuning
- demodulation
- decoding
- determining bit function
- building your own transmitter
- and much, much more!

Reverse Engineering with SDR