Over on YouTube a talk from the author of DSpectrum has been uploaded from his talk during the 13th Cyberspectrum Melbourne meetup. In his talk he goes through the full process of reverse engineering a wireless alarm system in DSpectrumGUI. DSpectrum is a reverse engineering tool that aims to make it trivial to demodulate digital RF transmissions using data captured from SDRs like an RTL-SDR or HackRF.
In the video he shows how to create a project, import a capture and create an overlay on Inspectrum and bring the waveform back into DSpectrum. DSpectrum was then able to automatically detect that the encoding used was PWM and convert it into a bit string. Then by importing multiple captures from various buttons on the alarm he shows how easy it is to see the differences in the bit strings from within DSpectrum. From these differences he uses DSpectrum to help identify what the function of each byte of the bitstring is. Finally he shows how to perform a replay attack with RFcat or similar hardware using the data gathered.
This is a really good talk to watch if you’re interested in getting started with reverse engineering simple digital signals, like those from ISM band devices.
Cyberspectrum Melbourne #13: Introduction to DSpectrum for reverse engineering signals
DSpectrum is a reverse engineering tool that aims to make it trivial to demodulate digital RF transmissions. It is built on top of the Inspectrum tool which makes it easy to visualize and manually turn a captured digital RF waveform into a string of bits for later analysis by providing a draggable visual overlay that helps with determining various digital signal properties. DSpectrum added features to Inspectrum like automatically converting the waveform into a binary string with thresholding. RF .wav files for these tools can be captured by any capable radio, such as an RTL-SDR or HackRF.
WaveConverter is a tool that helps you extract digital data from RF transmissions that have been captured via Software Defined Radio (SDR). After the user defines the modulation parameters, framing and encoding, WaveConverter will process a stored I-Q file and extract the data from any transmissions that match this definition. Using programmable timing tolerances and glitch filters, WaveConverter is able to extract data from signals that would otherwise appear corrupted.
This software will make the process of reverse engineering signals easier and more error-proof. Because WaveConverter includes the ability to store and retrieve signal protocols (modulation + encoding parameters), we have been generating a database of protocols that we can quickly use to iteratively attack unknown signals.
This tool should be very useful for reverse engineering digital signals, such as those found in keyfobs, wireless doorbells, wireless temperature sensors and any other simple RF device. Simply use an SDR device like an RTL-SDR to capture a sample of the signal of interest and then open it up in WaveConverter to first easily analyze the signal and determine it’s properties, then to automatically demodulate any subsequent signal into a binary string. For more information the documentation can be found here (pdf).
WaveConverter seems to be quite similar in purpose to Inspectrum and DSpectrum which are two Linux tools that are also designed for reverse engineering digital signals.
Recently nullwolf (T.J. Acton) wrote in to let us know about a very useful wrapper for Inspectrum that he has created, called DSpectrum. Inspectrum is a Linux/Mac based tool that makes it very easy to extract a binary string from a digital transmission which can be recorded with any SDR like an RTL-SDR. DSpectrum builds on Inspectrum and further automates the reverse engineering process. He writes:
The wrapper [DSpectrum] assesses the amplitude measurements, or frequency shifts, that are reported by Inspectrum. The wrapper uses the average of the provided values as a threshold. When a cell’s value falls below the threshold, the wrapper determines that the value is a binary ‘0’, and when it is above the threshold, it records the value as a ‘1’. It then returns this raw binary data as output, in addition to the binary’s hex and ascii translations.
Another two features were included: the semi-automatic comparison of two portions of a transmission in the same file, and the semi-automatic comparison of two signals in separate files.
Nullwolf notes that with DSpectrum the time taken for him to reverse engineer signals has dropped from 1 hour down to 5 minutes in some cases.