Category: Digital Signals

Broadcasting Analogue NTSC TV with a $7 ESP8266

The ESP8266 is a $7 WiFi module that can be used to give any microcontroller access to a WiFi network. It is designed for creating Internet of Things (IoT) devices and has various features, such as its ability to host its own web applications. The ESP8266 also has an I2S output with DMA support. By hooking up this I2S output pin to a short wire, YouTuber CNLohr has demonstrated that he is able to use the ESP to broadcast full color NTSC TV. This works in a similar way to how PiTX works, by using the pin to modulate a radio signal. CNLohr's code not only broadcasts color NTSC, but also provides a full web interface for controlling it.

In the first video CNLohr shows off his initial work at getting the NTSC output working and in the second video he shows color working. Later in the second video he also uses an RTL-SDR to check on the NTSC spectrum that is being output.

Broadcasting Analog TV on an ESP8266!

Broadcasting COLOR Channel 3 on an ESP

Bypassing Rolling Code Systems – CodeGrabbing/RollJam

A while back we posted about Samy Kamkar's popular “RollJam” device, which was a $32 home-made device that was able to defeat rolling code based wireless security systems such as those used on modern cars.

Wireless security researcher Andrew Macpherson became interested in RollJam and has now written up a post showing how to create a similar device using the YardStickOne and RFcat wireless tools. In his post Andrew shows how he automates the replay attack side of things using a Python script and two RFcat devices. He also fully explains how rolling codes work and how to attack them using the CodeGrabbing/RollJam technique. Andrew explains the RollJam technique as follows:

  1. Target parks their car, gets out the car
  2. Attacker launches a jammer that prevents the car from receiving the code from the remote
  3. Target presses the remote, car does NOT lock and the attacker obtains the first keypress
  4. Target presses the remote a second time and the attacker obtains the second keypress
  5. Attacker then sends the first key press to lock the car, car locks as per normal
  6. Target assumes all is well and carries on about their day
  7. Attacker then sends the second keypress to the car, unlocking it
  8. Profit.
  9. Target returns to the vehicle and remote works as per normal

In the video below Andrew uses an SDR to help demonstrate the RollJam attack.

6. jam and replay rolling code rolljam codegrabbing

Showing how the RollJam attack works.

Decoding DMR on OSX using a RTL SDR and DSD Plus

DSD+ (Digital Speech Decoder+) is a popular Windows tool that can be used together with an RTL-SDR to decode digital speech signals such as P25 and DMR. There is unfortunately no version for OSX.

However, YouTube user Matthew Miller has recently uploaded a video showing DSD+ running with CubicSDR on OSX. To do this he used a utility called “Wine Skin”, which creates a wrapper that allows Windows software to run on a Mac computer running OSX. This means that DSD+ can be run directly on OSX without the need to use a virtual machine with Windows installed on it.

Decoding DMR on OSX using a RTL SDR and DSD Plus

Decoding the LoRa IoT Protocol with an RTL-SDR

The internet of things is set to become the next big thing in technology. The IoT consists of multiple networked devices, such as sensors and computers, connected in various ways such as via wireless communication protocols. LoRa is an abbreviation of “Long Range” and is one such wireless protocol that is being used in IoT devices.

[LoRa] is a radio modulation format that gives longer range than straight FSK modulation. This is achieved by a combination of methods: it uses a spread spectrum technique called Chirp Spread Spectrum (CSS) and it uses forward error coding (in combination with whitening and interleaving).

Over at the RevSpace hackerspace, a hardware hacker called bertrik has been working with his RTL-SDR to try and reverse engineer the LoRa protocol. His goal is to make it so that anyone can receive and decode LoRa signals without needing to purchase specific hardware that supports the modulation. The reverse engineering work is not yet finished, but bertrik has already determined many parts of the protocol by looking at the signals in Audacity. He also writes that there is currently a ready made LoRa decoder available for sdrangelove, a Linux based SDR receiver application similar to GQRX and SDR#.

You might also be interested in this previous article we posted about the Z-Wave wireless networking protocol being hacked with a HackRF.

LoRa signals received in the frequency spectrum.

Receiving AERO-H on L-Band with an RTL-SDR

Over on YouTube Adam Alicajic (9A4QV – creator of the LNA4ALL and upcoming MIX4ALL) has uploaded a video showing his reception of AERO-H signals from an Inmarsat satellite. A few days ago we posted about how the JAERO decoder had recently been updated to be able to decode these AERO-H signals. These signals contain various messages meant for airplanes, but also sometimes contain news messages.

In the video Adam uses a satellite dish antenna together with his MIX4ALL, an RTL-SDR dongle and the JAERO software. With decent reception he is able to easily decode the AERO-H messages.

Receiving AERO-H on L-band (Inmarsat AOR-W)

Hacking the Z-Wave Protocol with a HackRF

Z-wave is a wireless protocol that is often used in applications like smart home and industrial automation. It essentially allows various wireless nodes to connect and talk to one another within your house, using 900 MHz wireless technology. Some common examples of Z-wave node products are wirelessly controlled lights, door locks, thermostats and other security devices like motion detectors.

Recently at Shmoocon 2016 (a yearly hacking and security themed conference), presenters Joseph Hall and Ben Ramsey showed how they were able to use a HackRF software defined radio and some GNU Radio based software to not only sniff Z-wave packets, but to also control Z-wave devices. What’s also interesting is that they found that encryption on z-wave devices was rarely enabled, except for five out of nine door locks that they tested where it was enabled by default.

See the full story at Hackaday and have a look at their code on GitHub.

Presenters Joseph and Ben holding a HackRF and z-wave controlled light.

JAERO Updated: Now supports 10.5k Aero-H and Aero-H+

The JAERO decoder for AERO signals on Inmarsat satellites has recently been updated to version 1.03. This new version supports the decoding of 10.5k Aero-H and Aero-H+ signals. Jonti, the author of JAERO, writes that on these channels he's seeing significantly more traffic than on the narrowband signals, and that he was surprised to see that other non-aircraft messages, such as news, were broadcast on this 10.5k signal. Jonti writes about his experience in developing the 10.5k decoder and his experience with receiving the messages in this post.

AERO is a system similar to VHF ACARS, but instead of running over terrestrial VHF it uses an L-band Inmarsat satellite link. Our first post about the JAERO decoder explains a bit about AERO, and this previous tutorial about decoding Inmarsat EGC messages may help you get set up with decoding Inmarsat signals in general.

Jonti discovered that news updates are also broadcast on 10.5k AERO.
What the 10.5k signals look like compared to the 600 signals.

If you like Jonti’s apps, then please remember to donate a small amount to him so that he can continue to work on them. His PayPal donate button can be found at the bottom of his main page.

Building a NEST Thermostat with Arduino and an RTL-SDR

The Nest thermostat is a smart thermostat that learns your schedule and automatically adjusts the heat in your house for optimal energy savings. Tristan didn’t want to buy a Nest, but wanted to replicate the Nest thermostat’s functionality by using an Arduino to automatically regulate his apartment's central heating boiler. To do this he needed to find a way to turn the heating on and off programmatically.

Fortunately Tristan’s current thermostat is wireless, so he decided to use his RTL-SDR to sniff the data it sends and try to find the on and off signals. Using SDR# he was able to discover the radio traffic stream in the ISM band at 433 MHz. After simply recording the signal audio, he loaded the audio file into Audacity to analyze the messages. He discovered that the ON and OFF signals were on-off keying (OOK) modulated, and he was able to work out the binary control string and pulse timings.

With this information at hand, Tristan was then able to use a cheap 433 MHz radio transmitter together with his Arduino to replicate the ON/OFF boiler control signals. In the future Tristan plans to add a temperature sensor and web interface to monitor everything.
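To illustrate the OOK analysis step above (recovering a bit string from pulse widths in a recorded envelope), here is an added example written for this page; it is not Tristan's project code. The sample rate, pulse timings and command bit strings are hypothetical, since the page does not give them.

```python
"""Pulse-width OOK demodulation of a recorded thermostat control signal.

Constructed example: the thermostat's real timings and control strings are
not on the page, so the values below are invented for illustration.
"""
SAMPLE_RATE = 10_000   # samples per second of the demodulated envelope (assumed)
SHORT_PULSE = 0.0005   # 500 us carrier-on burst encodes a 0 bit (hypothetical)
LONG_PULSE = 0.0015    # 1500 us carrier-on burst encodes a 1 bit (hypothetical)
GAP = 0.0005           # 500 us carrier-off gap after every burst (hypothetical)

# Hypothetical control strings standing in for the real ones found in Audacity.
COMMANDS = {"10110010": "ON", "10110001": "OFF"}


def encode_ook(bits: str) -> list:
    """Render a bit string as an amplitude envelope (1.0 = carrier on)."""
    samples = []
    for bit in bits:
        burst = LONG_PULSE if bit == "1" else SHORT_PULSE
        samples += [1.0] * round(burst * SAMPLE_RATE)
        samples += [0.0] * round(GAP * SAMPLE_RATE)
    return samples


def decode_ook(samples, threshold: float = 0.5) -> str:
    """Recover bits by measuring the width of each carrier-on burst.

    Bursts shorter than half the short pulse are treated as noise glitches
    and dropped; the decision point between 0 and 1 sits halfway between
    the two nominal pulse widths.
    """
    decision = (SHORT_PULSE + LONG_PULSE) / 2 * SAMPLE_RATE
    min_run = SHORT_PULSE * SAMPLE_RATE / 2
    bits, run = [], 0
    for s in list(samples) + [0.0]:  # trailing 0 flushes the final burst
        if s > threshold:
            run += 1
        elif run:
            if run >= min_run:
                bits.append("1" if run > decision else "0")
            run = 0
    return "".join(bits)


def identify(bits: str):
    """Map a decoded bit string to a known command, or None if unknown."""
    return COMMANDS.get(bits)
```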

In the past we’ve also posted about a similar project by Tom Taylor where he reverse engineers his thermostat with an RTL-SDR and controls it with an Arduino.
