Foo-Manroot first explains how easily capture and replay a signal with the HackRF. If the signal is simple without any security like rolling codes then a simple replay attack like this will allow the HackRF to control the device quite easily. In the next section he goes on to explain how to actually analyze and synthesize the packets yourself using Python and GNU Radio. Finally he also shows that a brute force attack can be applied once you know how to synthesize the signal. Brute forcing runs over every possible packet combination in a short time and this can be pretty fast for simple protocols like those used in wireless remote controls. His post also includes all the GNU Radio files required so it is easy for someone to replicate his work easily.
If you are interested in controlling simple OOK devices like a wireless powerplug with replay attacks then we have a tutorial for doing this with a simple RTL-SDR and Raspberry Pi running RpiTX which might be useful for those who don't have a HackRF.
In this talk Samy Kamkar shares the exciting details on researching closed systems & creating attack tools to (demonstrate) wirelessly unlocking and starting cars with low-cost tools, home made PCBs, RFID/RF/SDR & more. He describes how to investigate an unknown system, especially when dealing with chips with no public datasheets and undisclosed protocols. Learn how vehicles communicate with keyfobs (LF & UHF), and ultimately how a device would work that can automatically detect the makes/models of keyfobs nearby. Once the keyfobs have been detected, an attacker could choose a vehicle and the device can wirelessly unlock & start the ignition. Like Tinder, but for cars.
Over on his blog "ele y ciencia" has written up two very useful blog posts - one on how to decode AFSK signals from scratch and the other on how to reverse engineer any unknown digital signal. The blog is written entirely in Spanish, but Google translate does a decent enough job at getting the message across (in Chrome right click anywhere on the page and select Translate to English or use the Google translate webpage).
The first post is about decoding an AFSK protocol and explains that you need to record the signal with an RTL-SDR or other SDR, apply a low pass filter to obtain the signal envelope and then apply thresholding with the known baud rate to obtain the demodulated digital signal. The tutorial is high level and just explains the process, but doesn't show how to do it in any software. Later on in the post he goes on to show how he reverse engineered a train-land radiotelephone system and a TCM3105 modem chip which utilizes a FSK system.
In the second post he shows how to decode any unknown digital signal using just an RTL-SDR and Audacity. He starts off with finding and recording an unknown digital signal with an RTL-SDR and then reverse engineers it in a sort of manual fashion without using any tools like Universal Radio Hacker. The post goes through the full details and steps that he took, and in the end he gets data out of the signal discovering that it is data from a Fleet Management System used in his country for monitoring data such as speed and engine data from commercial vehicles like trucks and buses.
The two posts are very detailed and could be an excellent reference for those interested in reverse engineering some unknown digital signals in your area.
Over on YouTube a talk from the author of DSpectrum has been uploaded from his talk during the 13th Cyberspectrum Melbourne meetup. In his talk he goes through the full process of reverse engineering a wireless alarm system in DSpectrumGUI. DSpectrum is a reverse engineering tool that aims to make it trivial to demodulate digital RF transmissions using data captured from SDRs like an RTL-SDR or HackRF.
In the video he shows how to create a project, import a capture and create an overlay on Inspectrum and bring the waveform back into DSpectrum. DSpectrum was then able to automatically detect that the encoding used was PWM and convert it into a bit string. Then by importing multiple captures from various buttons on the alarm he shows how easy it is to see the differences in the bit strings from within DSpectrum. From these differences he uses DSpectrum to help identify what the function of each byte of the bitstring is. Finally he shows how to perform a replay attack with RFcat or similar hardware using the data gathered.
This is a really good talk to watch if you’re interested in getting started with reverse engineering simple digital signals, like those from ISM band devices.
Cyberspectrum Melbourne #13: Introduction to DSpectrum for reverse engineering signals
DSpectrum is a reverse engineering tool that aims to make it trivial to demodulate digital RF transmissions. It is built on top of the Inspectrum tool which makes it easy to visualize and manually turn a captured digital RF waveform into a string of bits for later analysis by providing a draggable visual overlay that helps with determining various digital signal properties. DSpectrum added features to Inspectrum like automatically converting the waveform into a binary string with thresholding. RF .wav files for these tools can be captured by any capable radio, such as an RTL-SDR or HackRF.
The write up first shows the reception of the signal from the wireless controller, and then moves on to show how to receive it in GNU Radio and obtain a time domain graph of the digital signal. From the pulses it is simple to visually work out the binary string. Next an instruction decoder is created in GNU Radio which automatically obtains the binary string from the signal directly. Then once the codes for back, forward, left and right were obtained it was possible to write another GNU Radio program to transmit these codes to the RC toy tank from the HackRF.
After noting down the FCC ID printed on the device, they determined that the operating frequency was 315 MHz. They discovered from the documentation that each wireless DX device is encoded with a unique code that is precoded at the factory. Only remotes with the correct code programmed in can open the door.
The first attack they tried was a simple replay attack. They used a HackRF to record the signal, and then play it back again. This worked perfectly first time.
Next they decided to take this further and reverse engineer the protocol and see if a brute force attack could be applied. By doing some logic analysis on the circuit, they were able to figure out how to iterate over the entire key space. It turns out that the lock can be brute forced in at most 14.5 hours, or 7.25 hours on average.
The Universal Radio Hacker is a software for investigating unknown wireless protocols. Features include
hardware interfaces for common Software Defined Radios
easy demodulation of signals
assigning participants to keep overview of your data
customizable decodings to crack even sophisticated
encodings like CC1101 data whitening
assign labels to reveal the logic of the protocol
fuzzing component to find security leaks
modulation support to inject the data back into the system
Inspectrum and Waveconverter are two similar programs for analyzing digital signals, however Universal Radio Hacker seems to be the most advanced.
Johannes has also uploaded four tutorial videos to YouTube which show the software in action. In the videos he uses Universal Radio Hacker to reverse engineer a wirelessly controlled power socket, and then in the last video he uses the software to transmit the reverse engineered signals via a HackRF.