Reverse Engineering Linear DX Wireless Door Locks

Employees at the network security company Duo recently had their interest piqued when they discovered that their office's keycard-based door system had a wireless remote which reception used to unlock and lock the door. The device was a DX model magnetic lock made by Linear.

After noting down the FCC ID printed on the device, they determined that the operating frequency was 315 MHz. They learned from the documentation that each wireless DX device is encoded with a unique code that is pre-coded at the factory. Only remotes with the correct code programmed in can open the door.

The first attack they tried was a simple replay attack. They used a HackRF to record the signal and then played it back again. This worked perfectly the first time.

Next they decided to take this further, reverse engineer the protocol and see whether a brute force attack could be applied. By doing some logic analysis on the circuit, they were able to figure out how to iterate over the entire key space. It turns out that the lock can be brute-forced in at most 14.5 hours, or 7.25 hours on average.

The Linear DX Wireless Door Lock

Video Tutorial: Transmitting Signals with a Raspberry Pi

Over on YouTube Crazy Danish Hacker, who earlier brought us an excellent video tutorial series on GSM sniffing, has now uploaded a two part series that shows how to transmit signals with a Raspberry Pi and the PiFM and RPiTX software. We've featured RPiTX several times on this blog before as a cheap TX complement to the RTL-SDR. The software allows you to modulate a GPIO pin on your Raspberry Pi in such a way that it produces AM, FM, SSB and other radio signals at a frequency of your choice.

Crazy Danish Hacker's tutorial shows us how to set up RPiTX, starting from installing Raspbian and enabling SSH, then installing the software and actually transmitting something. Some useful tips for getting around common problems are also presented.

Transmit Radio Signals w/ Raspberry Pi (1/2) - Software Defined Radio Series #24

Transmit Radio Signals w/ Raspberry Pi (2/2) - Software Defined Radio Series #25

An RTL-SDR Based Wireless Backscatter Soil Moisture Sensor Network

Recently researcher Spyros Daskalakis wrote in to us and wanted to share his Master's thesis research, which is titled 'Environmental Scatter Radio Sensors with RF Energy Harvesting'. The research involved creating a low cost, low power (200 microwatt) and yet long range (up to 250 m) sensor network for monitoring soil moisture on farms. An RTL-SDR dongle is used to receive data from the sensors and MATLAB is used to decode the data.

One interesting innovation is that the sensors transmit data via a backscatter technique which is similar to how RFID tags are read. A carrier emitter is placed in the center of a cluster of sensors and the sensors receive RF bursts from it. The sensor antenna acts as a carrier reflector, and information is modulated onto the reflected signal by changing the antenna-load reflection coefficients according to the sensor reading. This method allows the sensors to only require extremely small amounts of power from a button battery or solar panel in order to transmit at distances of up to 250m. Spyros also proposes using wireless RF energy harvesting techniques which could harvest the electricity needed to power the circuit directly from the carrier emitters or powerful local FM stations.

Spyros’ thesis is available here, and a research paper here.

Backscatter Sensors and RTL-SDR (left). Received backscatter spectrum (right).

Technical University of Crete - Backscatter Radio Sensor Network Demo

Airspy HF+: An upcoming low cost yet high performance HF SDR

Over on the Airspy Yahoo forums and Twitter we’ve seen news of an upcoming new product from the developers of the Airspy SDR. The new product is called the Airspy HF+ and will be a low cost, yet extremely high performance HF specialty radio.

Preliminary specs:

  • HF coverage between DC .. 31 MHz
  • VHF coverage between 60 .. 260 MHz
  • -138 dBm MDS
  • -142 dBm MDS at 500Hz bandwidth in VHF
  • +26 dBm IIP3 on HF at maximum gain
  • +13 dBm IIP3 on VHF at maximum gain
  • 110 dB dynamic range in HF
  • 95 dB dynamic range in VHF
  • 120 dB Image Rejection
  • Very low phase noise PLL (-110 dBc/Hz @ 1kHz separation @ 100 MHz)
  • +10 dBm Maximum RF input
  • Wide Band RF filter bank
  • Tracking RF filters
  • Sharp IF filters
  • Smart AGC with real time optimization of the gain distribution
  • All RF inputs are matched to 50 ohms
  • 2 x High Dynamic Range Sigma Delta ADCs @ 36 MSPS
  • 600 kHz alias and image free output
  • 18 bit DDC
  • 0.5 ppm high precision, low phase noise clock
  • 4 x Programmable GPIO’s
  • No drivers required! 100% Plug-and-play on Windows Vista, Seven, 8, 8.1 and 10
  • Industrial Operating Temperature: -45°C to 85°C

Basically, this addresses the lack of affordable and good performing receivers for HF and VHF.
Target price < $200

As with all Airspy products the SDR focuses on achieving extremely high dynamic range. From the specs it seems that the dynamic range and image rejection will be high enough that even extremely strong broadcast AM or FM stations will not require any filtering or attenuation. They are also confident enough to say that no gain sliders will ever need to be adjusted to avoid overload.

For SWLers and MW DXers this seems like the ideal SDR as it should perform as well as high end SDRs like the Perseus, RFSpace and Elad SDRs, but at a fraction of the price.

The product is still in development and no release date has been offered yet, but judging from the Twitter feed the prototype is already working.

Searching for giga-Jansky fast radio bursts from the Milky Way with a global array of low-cost radio receivers (RTL-SDRs)

A few days ago a University research paper titled “Searching for giga-Jansky fast radio bursts from the Milky Way with a global array of low-cost radio receivers” was uploaded to the Cornell University Library. In this paper authors Dan Maoz of Tel-Aviv University and Abraham Loeb of Harvard suggest that citizen science enabled mobile phones and RTL-SDR dongles placed around the world could be used to detect fast radio bursts (FRBs) originating from within our own galaxy. The abstract reads:

If fast radio bursts (FRBs) originate from galaxies at cosmological distances, then their all-sky rate implies that the Milky Way may host an FRB on average once every 30-1500 years. If FRBs repeat for decades or centuries, a local FRB could be active now. A typical Galactic FRB would produce a millisecond radio pulse with ~1 GHz flux density of ~3E10 Jy, comparable to the radio flux levels and frequencies of cellular communication devices (cell phones, Wi-Fi, GPS). We propose to search for Galactic FRBs using a global array of low-cost radio receivers. One possibility is to use the ~1GHz communication channel in cellular phones through a Citizens-Science downloadable application. Participating phones would continuously listen for and record candidate FRBs and would periodically upload information to a central data processing website, which correlates the incoming data from all participants, to identify the signature of a real, globe-encompassing, FRB from an astronomical distance. Triangulation of the GPS-based pulse arrival times reported from different locations will provide the FRB sky position, potentially to arc-second accuracy. Pulse arrival times from phones operating at diverse frequencies, or from an on-device de-dispersion search, will yield the dispersion measure (DM) which will indicate the FRB source distance within the Galaxy. A variant of this approach would be to use the built-in ~100 MHz FM-radio receivers present in cell phones for an FRB search at lower frequencies. Alternatively, numerous "software-defined radio" (SDR) devices, costing ~$10 US each, could be plugged into USB ports of personal computers around the world (particularly in radio quiet regions) to establish the global network of receivers.

'Fast radio bursts' or FRBs are very brief pulses of extremely strong radio waves with the transmit power of 500 million suns, though by the time they reach the Earth they can only be picked up by radio telescopes. Radio astronomers have so far been mystified by the cause of these FRBs, and research has been hampered by the fact that the source of FRBs is notoriously difficult to pinpoint: they are unpredictable, and their energy appears to originate from all over the sky rather than from a single point. Many scientists think that most FRBs must originate from outside our galaxy, and in 2016 one was finally pinpointed as coming from a dwarf galaxy 2.5 billion light years from Earth. But from the rate at which FRBs are seen, the authors of the paper speculate that our Milky Way galaxy could host its own local FRB event once every 30 – 1500 years.

If an FRB occurs within our own galaxy, they speculate that the received power could be strong enough to be detected by consumer-level mobile phones or RTL-SDR radios, meaning that no large radio telescope dish is required for detection. By continuously monitoring for FRBs on mobile phones and/or RTL-SDRs spread around the world, a local FRB source could one day be pinpointed thanks to the high resolving power of multiple widely separated detectors.
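The abstract's two ingredients, frequency-dependent arrival times and a de-dispersion search over trial DMs, carried through in Python as an added example (not the paper's or the blog's code). It assumes the standard cold-plasma dispersion constant, which the post does not state, and the receiver frequencies and arrival times are constructed sample data:

```python
# Dispersion arithmetic for a Galactic FRB search over receivers at
# different frequencies (added example; sample data is constructed).

# Standard pulsar dispersion constant e^2/(2*pi*m_e*c), in s * MHz^2 * pc^-1 * cm^3.
# Assumption: this value is not on the page, it is the textbook constant.
K_DM = 4.148808e3


def dispersion_delay_s(dm: float, f_lo_mhz: float, f_hi_mhz: float) -> float:
    """Seconds by which the pulse at f_lo arrives after the pulse at f_hi."""
    if f_lo_mhz <= 0 or f_hi_mhz <= 0:
        raise ValueError("frequencies must be positive")
    return K_DM * dm * (f_lo_mhz ** -2 - f_hi_mhz ** -2)


def dm_from_arrival_times(delay_s: float, f_lo_mhz: float, f_hi_mhz: float) -> float:
    """Invert: two receivers at different frequencies report GPS-stamped arrival
    times; the measured delay between them yields the dispersion measure."""
    span = f_lo_mhz ** -2 - f_hi_mhz ** -2
    if span <= 0:
        raise ValueError("f_lo must be below f_hi")
    return delay_s / (K_DM * span)


def dedisperse_search(arrivals, dm_grid):
    """Brute-force de-dispersion: pick the trial DM under which every receiver
    implies the same infinite-frequency emission time. arrivals is a list of
    (frequency_mhz, arrival_time_s) pairs from different receivers."""
    best_dm, best_spread = None, None
    for dm in dm_grid:
        t0s = [t - K_DM * dm * f ** -2 for f, t in arrivals]
        spread = max(t0s) - min(t0s)
        if best_spread is None or spread < best_spread:
            best_dm, best_spread = dm, spread
    return best_dm, best_spread


# Constructed receivers: an FM-band phone radio, two cellular-band phones and an
# RTL-SDR, all seeing one burst emitted at t = 0 with a true DM of 30 pc/cm^3.
TRUE_DM = 30.0
SAMPLE_ARRIVALS = [(f, K_DM * TRUE_DM * f ** -2) for f in (100.0, 900.0, 1000.0, 1800.0)]


def demo():
    dm, spread = dedisperse_search(SAMPLE_ARRIVALS, [d / 2 for d in range(0, 201)])
    return dm, spread, dispersion_delay_s(50.0, 100.0, 1000.0)


if __name__ == "__main__":
    print(demo())
```

The FM-band receiver is what makes the DM well constrained: at 100 MHz the delay relative to 1 GHz runs to tens of seconds, whereas within the cellular band it is tens of milliseconds.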

[Also discussed at cfa.harvard.edu/news/2017-07]

The Very Large Array in Mexico was used to pinpoint an FRB in 2016.
Illustration of an FRB. Certain frequencies arrive faster than others.

Soft66IP: Network Connected RTL-SDR with rtl_tcp

Previously from JA7TDO, an RTL-SDR builder in Japan, we'd seen the Soft66RTL and Soft66Q, which are both modified RTL-SDR units that are also capable of receiving HF. To receive HF the Soft66RTL used an upconverter circuit, and the newer Soft66Q uses an implementation of the direct sampling mod. Both units come with a preselection filter for the HF bands.

Now JA7TDO has come out with a new modified RTL-SDR which he calls the Soft66IP. The Soft66IP appears to have the same specifications as the Soft66Q except without the additional preselection filter. Instead, its defining feature is that it is built together with what we assume is a Linux-enabled wireless router, or some other networked single board PC. This allows you to easily get set up with rtl_tcp for streaming the radio over your network, or the internet. It seems that the unit comes preloaded with the rtl_tcp software, making it almost plug and play. JA7TDO advertises the features as:

  • RTL-SDR based
  • 3kHz to 1.7GHz (15MHz to 24MHz is over sampling)
  • 10/100Mbps Ethernet
  • DHCP
  • Wifi(option)
  • cheap price

Streaming the radio over a network can be advantageous as it allows you to place the unit near the antenna, avoiding long coax or USB cable runs. But rtl_tcp is quite bandwidth heavy, so it can have trouble streaming at higher sample rates. However, whatever single board PC is used on the Soft66IP may also be capable of running other, more efficient streaming software such as OpenWebRX, or more specialized applications such as networked ADS-B decoders.
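To make the bandwidth point concrete and show what a networked rtl_tcp unit actually exposes, here is an added example (not JA7TDO's or the rtl_tcp project's code) that encodes the rtl_tcp wire format: the 12-byte greeting the server sends, the 5-byte client commands, and the raw 8-bit I/Q stream rate. The greeting bytes and link speeds below are constructed sample values.

```python
# rtl_tcp protocol helpers and stream-rate arithmetic (added example).
import struct

RTL_TCP_MAGIC = b"RTL0"
# Tuner type codes carried in the greeting header.
TUNER_NAMES = {0: "UNKNOWN", 1: "E4000", 2: "FC0012", 3: "FC0013",
               4: "FC2580", 5: "R820T", 6: "R828D"}
# Client command opcodes: one byte, followed by a 32-bit big-endian parameter.
CMD_SET_FREQ, CMD_SET_SAMPLE_RATE, CMD_SET_GAIN_MODE, CMD_SET_GAIN = 1, 2, 3, 4


def parse_greeting(data: bytes) -> dict:
    """Parse the header rtl_tcp sends to every client on connect:
    4-byte magic "RTL0", uint32 tuner type, uint32 gain count (network order)."""
    if len(data) < 12:
        raise ValueError("need 12 header bytes, got %d" % len(data))
    magic, tuner_type, gain_count = struct.unpack("!4sII", data[:12])
    if magic != RTL_TCP_MAGIC:
        raise ValueError("peer is not an rtl_tcp server (magic %r)" % magic)
    return {"tuner": TUNER_NAMES.get(tuner_type, "UNKNOWN"),
            "gain_count": gain_count}


def build_command(opcode: int, param: int) -> bytes:
    """Encode one client command. The protocol has no authentication field:
    any client that can reach the port may retune or reconfigure the dongle."""
    return struct.pack("!BI", opcode, param & 0xFFFFFFFF)


def stream_rate_mbps(sample_rate_hz: int) -> float:
    """rtl_tcp streams uncompressed 8-bit I plus 8-bit Q per sample."""
    return sample_rate_hz * 16 / 1e6


def max_sample_rate_for_link(link_mbps: float, utilisation: float = 0.8) -> int:
    """Largest sample rate whose stream fits a link at the given utilisation."""
    return int(link_mbps * utilisation * 1e6 / 16)


# Constructed greeting: an R820T tuner advertising 29 gain steps.
SAMPLE_GREETING = RTL_TCP_MAGIC + struct.pack("!II", 5, 29)

if __name__ == "__main__":
    print(parse_greeting(SAMPLE_GREETING))
    print(build_command(CMD_SET_FREQ, 100_000_000).hex())
    for link in (10, 100):  # the Soft66IP's 10/100 Mbps Ethernet
        print(link, "Mbps link ->", max_sample_rate_for_link(link), "samples/s")
```

At the common 2.4 MSPS setting the stream is 38.4 Mbit/s, which a 10 Mbps link cannot carry at all; and because the commands are unauthenticated, a unit streaming "over the internet" belongs behind a VPN or firewall rule rather than on an open port.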

JA7TDO is selling the Soft66IP for a pre-order price of $80 USD which includes worldwide shipping. Shipping starts on March 1. After the pre-order phase the price may rise to $96 USD.

The Soft66IP, networked RTL-SDR.

Reverse Engineering Signals with the Universal Radio Hacker Software

Thanks to RTL-SDR.com reader M Kizan, who notified us about a Python-based digital signal reverse engineering program called 'Universal Radio Hacker', developed by Johannes Pohl. The software supports hardware interfaces for SDRs such as the RTL-SDR and HackRF and runs on Windows, MacOS and Linux.

The Universal Radio Hacker is a software for investigating unknown wireless protocols. Features include

  • hardware interfaces for common Software Defined Radios
  • easy demodulation of signals
  • assigning participants to keep overview of your data
  • customizable decodings to crack even sophisticated encodings like CC1101 data whitening
  • assign labels to reveal the logic of the protocol
  • fuzzing component to find security leaks
  • modulation support to inject the data back into the system

Inspectrum and Waveconverter are two similar programs for analyzing digital signals; however, Universal Radio Hacker seems to be the most advanced.
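The CC1101 data whitening named in the feature list is a good illustration of why a "customizable decoding" stage matters: a captured burst looks like noise until the whitening is undone. Here is an added Python example (not URH's own code) that implements the CC1101 PN9 whitening and applies it to a constructed packet:

```python
# CC1101-style data whitening / de-whitening (added example).
# The radio XORs each payload bit with a PN9 keystream produced by a 9-bit
# LFSR (polynomial x^9 + x^5 + 1) seeded with all ones. XOR is its own
# inverse, so one routine both whitens and de-whitens.

PN9_SEED = 0x1FF


def pn9_sequence(nbytes: int, seed: int = PN9_SEED) -> bytes:
    """First nbytes of the PN9 keystream; the LSB of each byte is emitted first."""
    state = seed & 0x1FF
    out = bytearray()
    for _ in range(nbytes):
        b = 0
        for i in range(8):
            b |= (state & 1) << i              # register bit 0 is the output bit
            fb = (state ^ (state >> 5)) & 1    # feedback taps for x^9 + x^5 + 1
            state = (state >> 1) | (fb << 8)   # shift right, feedback enters bit 8
        out.append(b)
    return bytes(out)


def whiten(data: bytes) -> bytes:
    """XOR the payload with the PN9 keystream, restarting the LFSR per packet."""
    return bytes(d ^ p for d, p in zip(data, pn9_sequence(len(data))))


dewhiten = whiten  # same operation; the name documents intent


# Constructed packet: length byte, a 3-byte device id and a 2-byte reading.
SAMPLE_PACKET = bytes([0x05, 0x12, 0x34, 0x56, 0x01, 0xF4])
# What an analyst sees on the air before a whitening decoding is applied.
CAPTURED_WHITENED = whiten(SAMPLE_PACKET)


def decode_capture(captured: bytes) -> dict:
    """Undo whitening and pull out the fields of the constructed packet layout."""
    plain = dewhiten(captured)
    return {"length": plain[0], "device_id": plain[1:4].hex(),
            "reading": int.from_bytes(plain[4:6], "big")}


if __name__ == "__main__":
    print("keystream:", pn9_sequence(4).hex())
    print("on air:   ", CAPTURED_WHITENED.hex())
    print("decoded:  ", decode_capture(CAPTURED_WHITENED))
```

Whitening is a spectral-shaping measure, not encryption: anyone with the LFSR definition recovers the payload, which is why a tool like URH can offer it as a built-in decoding.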

Johannes has also uploaded four tutorial videos to YouTube which show the software in action. In the videos he uses Universal Radio Hacker to reverse engineer a wirelessly controlled power socket, and then in the last video he uses the software to transmit the reverse engineered signals via a HackRF.

Universal Radio Hacker - 01: Record a signal

Listening to February 2017 HAARP Experiments with an HF Capable SDR

This year at the end of February HAARP (High Frequency Active Auroral Research Program) scientists are planning to run several experiments that involve transmission. HAARP is a high power ionospheric research radio transmitter in Alaska which typically transmits in the 2.7 – 10 MHz frequency region. The transmissions are powerful enough to create artificial auroras in the sky. Due to a lack of funding HAARP research was shut down in May 2013, and the facility was later handed to the University of Alaska Fairbanks (UAF) in 2015.

UAF plans to activate HAARP again at the end of February, so it would be interesting to receive the waveforms with an HF capable SDR such as the RTL-SDR v3, or with an upconverter like the SpyVerter. Under some conditions the signal could propagate all over the world. The researchers are also interested in reception reports from listeners, and they plan to post updates closer to the dates of transmission. The full press release reads:

The University of Alaska Fairbanks Geophysical Institute is planning its first research campaign at the High Frequency Active Auroral Research Program facility in Gakona.

The High Frequency Active Auroral Research Program facility near Gakona includes a 40-acre grid of towers to conduct research on the ionosphere. The facility was built and operated by the U.S. Air Force until August 2015, when ownership was transferred to UAF’s Geophysical Institute.

At the end of February, scientists will use the HAARP research instrument to conduct multiple experiments, including a study of atmospheric effects on satellite-to-ground communications, optical measurements of artificial airglow and over-the-horizon radar experiments.

Members of the public can follow one of the experiments in real time. Chris Fallen, assistant research professor in space physics, will be conducting National Science Foundation-funded research to create an “artificial aurora” that can be photographed with a sensitive camera. Observers throughout Alaska will have an opportunity to photograph the phenomenon, which is sometimes created over HAARP during certain types of transmissions.

Under the right conditions, people can also listen to HAARP radio transmissions from virtually anywhere in the world using an inexpensive shortwave radio. Exact frequencies of the transmission will not be known until shortly before the experiment begins, so follow @UAFGI on Twitter for an announcement.

For more details on the dates and times of Fallen’s experiments, as well as information on how to observe, visit https://sites.google.com/alaska.edu/gakonahaarpoon/. Information is also available at the HAARP website, the UAF http://gi.alaska.edu/haarp-0 and the official UAF HAARP Facebook page, https://www.facebook.com/UAFHAARP/.

Operation of the HAARP research facility, including the world’s most capable high-power, high-frequency transmitter for study of the ionosphere, was transferred from the U.S. Air Force to UAF in August 2015.

On their Google sites page they write how to participate:

Anybody who wants to participate and follow HAARP experiments should follow the official and unofficial announcements linked at the top of this page. There are two main ways to participate in the campaign: by listening to the radio transmissions from HAARP itself or by photographing artificial auroras created by HAARP. Amateur (Ham) radio operators can also use temporary ionosphere irregularities created by HAARP to open new propagation modes for their own transmissions.

A shortwave radio and knowledge of the time and frequency of the HAARP transmissions provides opportunities to “listen in” since the radio wave energy often (but not always) propagates very large distances, sometimes worldwide! Shortwave radios capable of receiving frequencies in the same range that HAARP can transmit, between approximately 2.7 and 10 MHz (2700 and 10,000 kHz) allow anyone to hear HAARP transmissions provided long-distance radio propagation conditions are sufficient and the radio is tuned to one of the frequencies where HAARP is transmitting. Ham radio operators also have an opportunity to reflect (or “bounce”) their own transmissions, typically in the HF, VHF or UHF bands, off ionosphere irregularities created above HAARP during high-power experiments. This creates propagation modes that would normally only be possible during certain space weather events such as aurora.

The video below shows one of the last scheduled HAARP transmissions from when it was still under the control of the US Air Force.

Oddity Station, HAARP, multiple waveforms and frequencies, June 04, 2014

[First seen on swling.com]