Over on YouTube user Andreas Spiess has uploaded a video showing how to use an RTL-SDR to reverse engineer 433 MHz ISM band devices such as Internet of Things (IoT)/home automation sensors and actuators.
Andreas decided to do this because he has a remotely controlled, motor-actuated outdoor awning, and he wants it to retract automatically when the wind speed gets too high. To do this he wanted to use a wireless 433 MHz ISM band weather station with a wind speed sensor. Unfortunately he discovered that the weather station uses a proprietary protocol that can't talk to his awning, which in turn has its own proprietary protocol.
Andreas' solution is to use an RTL-SDR and a Raspberry Pi running the rtl_433 decoder software to receive the weather station data. rtl_433 already contained a decoder for his weather station, so no further reverse engineering was required on that side. The decoded data is then converted into MQTT messages; MQTT is a lightweight publish/subscribe messaging protocol running over TCP/IP that is widely used for IoT devices. The MQTT messages are then read by Node-RED, a flowgraph based programming environment for IoT devices.
Unlike the weather station, the awning had no existing decoder in rtl_433, so Andreas had to reverse engineer its remote control signal from scratch using the Universal Radio Hacker software. Using the reverse engineered signal information, Andreas then uses an ESP32 processor/WiFi chip and a cheap 433 MHz transmitter to implement a clone of the awning's remote control signals. The ESP32 is programmed to understand the MQTT data sent from the Raspberry Pi via WiFi, so now the weather station can control the awning with a little bit of logic code in Node-RED.
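The glue logic between the rtl_433 output and the awning command is the part most people end up writing themselves, so here is an added example of it (not Andreas' code and not part of rtl_433 or Node-RED). It assumes rtl_433 has been started with JSON output (`rtl_433 -F json`), consumes those lines, filters on the weather station's reported `id`, and applies a hysteresis threshold to the gust field before emitting the MQTT topic and payload that would be published; the sample lines, the field name `wind_max_km_h`, the sensor id 42 and the topic `home/awning/cmd` are all constructed for the example.

```python
import json

# Constructed rtl_433-style JSON lines (one decoded packet per line). The field names follow
# rtl_433's conventions but every value below is made up for this example; the last line with
# id 99 stands in for a neighbour's sensor on the same band, and one line is deliberately broken.
SAMPLE_RTL433_LINES = [
    '{"time":"2019-01-01 12:00:00","model":"Example-Weather","id":42,"wind_avg_km_h":12.5,"wind_max_km_h":18.0}',
    '{"time":"2019-01-01 12:00:30","model":"Example-Weather","id":42,"wind_avg_km_h":31.0,"wind_max_km_h":44.0}',
    '{"time":"2019-01-01 12:01:00","model":"Example-Weather","id":42,"wind_avg_km_h":22.0,"wind_max_km_h":27.0}',
    '{"time":"2019-01-01 12:01:30","model":"Example-Weather","id":42,"wind_avg_km_h":8.0,"wind_max_km_h":10.0}',
    'this line is not JSON and must be ignored',
    '{"time":"2019-01-01 12:02:00","model":"Example-Weather","id":99,"wind_avg_km_h":90.0,"wind_max_km_h":99.0}',
]


def parse_rtl433_line(line):
    """Return the decoded packet as a dict, or None for anything that is not a JSON object."""
    try:
        obj = json.loads(line)
    except ValueError:
        return None
    return obj if isinstance(obj, dict) else None


class AwningController:
    """Turn gust readings into RETRACT/EXTEND commands with hysteresis.

    Retract as soon as a gust exceeds retract_above; only extend again once gusts have
    dropped below extend_below, so a gusty afternoon does not make the awning flap.
    """

    def __init__(self, sensor_id, retract_above=30.0, extend_below=20.0,
                 topic="home/awning/cmd"):
        self.sensor_id = sensor_id
        self.retract_above = retract_above
        self.extend_below = extend_below
        self.topic = topic
        self.retracted = False

    def handle(self, packet):
        """Return (topic, payload) to publish, or None when nothing should change."""
        # Ignore undecodable lines and packets from other sensors. Note that the sensor id is a
        # plain, unauthenticated field in the 433 MHz packet: this filter avoids accidental
        # cross-talk with a neighbour's station, it is not a defence against deliberate spoofing.
        if packet is None or packet.get("id") != self.sensor_id:
            return None
        gust = packet.get("wind_max_km_h")
        if gust is None:
            return None
        if not self.retracted and gust > self.retract_above:
            self.retracted = True
            return (self.topic, "RETRACT")
        if self.retracted and gust < self.extend_below:
            self.retracted = False
            return (self.topic, "EXTEND")
        return None


def run_pipeline(lines, controller):
    """Feed rtl_433 output lines through the controller and collect the MQTT messages to send."""
    messages = []
    for line in lines:
        msg = controller.handle(parse_rtl433_line(line))
        if msg is not None:
            messages.append(msg)
    return messages


if __name__ == "__main__":
    # In a real deployment the lines would come from `rtl_433 -F json` on stdin and each
    # message would be handed to an MQTT client (e.g. paho-mqtt) or to Node-RED.
    for topic, payload in run_pipeline(SAMPLE_RTL433_LINES, AwningController(sensor_id=42)):
        print(topic, payload)
```

The practical point of the hysteresis and the id filter is that both the sensor and the awning speak unauthenticated, broadcast protocols: the controller should be robust to noise and to other transmitters on the band, and the only command it can issue on its own initiative is the safe one (retract).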
How to Hack your 433 MHz Devices with a Raspberry and a RTL-SDR Dongle (Weather Station)
LimeSDR have partnered with Seeed Studio to develop a low cost SDR starter kit for learning SDR basics and experimenting with IoT applications. The kit costs US$249 and includes a LimeSDR Mini and the Grove Starter Kit. The Grove kit is simply a set of various sensors such as temperature, sound, light, ultrasonic, touch, rotary as well as interface components like buzzers, an LCD screen, and LEDs. It also includes the GrovePi+ which is a board that allows you to easily interface the Grove sensors with a Raspberry Pi. Adding a LimeSDR Mini as well as the Grove kit to a Raspberry Pi could allow for easy wireless and IoT experimentation. To make it even easier the LimeSDR team have created a ScratchRadio extension that supports the LimeSDR and Grove kit combination. ScratchRadio is a kid friendly visual programming environment.
The kit packages a LimeSDR Mini with antennas optimised for 433/868/915 MHz unlicensed bands, plus a GrovePi+ and selection of incredibly useful Grove sensors and outputs, many of which are supported by a Scratch extension. When combined with our ScratchRadio extension, this will allow the creation of simple and fun applications that integrate SDR capabilities and peripheral I/O.
Of course, use is not limited to Scratch and educational environments, and we’ll also be putting together examples that demonstrate how the kit can be used to develop applications that integrate with existing off-the-shelf systems, such as wireless thermostats and remote controls.
1 x LimeSDR Mini
2 x Antennas optimised for use in the 433/868/915 MHz unlicensed bands
1 x Acrylic base plate
1 x Short USB extension
1 x GrovePi+
1 x Grove - Ultrasonic Ranger
1 x Grove - Temp&Humi Sensor
1 x Grove - Temperature Sensor
1 x Grove - Rotary Angle Sensor
1 x Grove - Button
1 x Grove - Light Sensor v1.2
1 x Grove - 3-Axis Digital Accelerometer (±1.5 g)
1 x Grove - Relay
1 x Grove - Sound Sensor
1 x Grove - LCD RGB Backlight
1 x Grove - Buzzer
1 x Grove - Red LED
1 x Grove - LED Bar 2.0
1 x Grove - Touch Sensor
1 x Grove - Piezo Vibration Sensor
Just add your own Raspberry Pi, power supply, and microSD card!
The kit costs US$249 and is currently available for preorder on the LimeSDR Mini CrowdSupply page.
In his post he specifically attacks the iSmartAlarm (ISM). This is an IoT home alarm system that comes with several sensors and can be controlled via an app on your smartphone. The unit uses the Texas Instruments CC1110 RF SoC, which implements the SimpliciTI low-power radio network protocol. Dayton notes that the majority of the attacks are not specific to a single manufacturer and could be applied to other IoT devices as well.
Using a variety of hardware including a logic analyzer, Yardstick One, GoodFET, RFCat and USRP B210 software defined radio, and several pieces of software including GNU Radio, GQRX, Baudline and Audacity, Dayton was able to attack the alarm in the following ways:
Brute-force attack on the alarm system device source addresses.
Remotely clone authenticated devices used to interact with the alarm system security features.
Decryption of authenticated devices radio communications, allowing remote attackers to craft packets used to send arbitrary commands to the alarm system.
Assisted replay attack.
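Two of the attack classes listed above, source-address brute forcing and replay, leave recognisable traces in the traffic that a monitoring receiver (for example an RTL-SDR feeding a decoder) can see. The following added example, which is not from Dayton's post and is not tied to the iSmartAlarm or SimpliciTI specifically, runs two simple heuristics over a constructed frame log: a burst of never-before-seen source addresses inside a short window, and an exact repeat of a previously seen (source, payload) pair. The frame tuples, addresses and payloads are made up; the replay heuristic assumes the protocol carries a per-frame counter or nonce in the payload, so that an exact byte-for-byte duplicate from a legitimate sensor does not occur.

```python
from collections import deque

# Constructed receiver log: (timestamp in seconds, source address, payload as hex).
# "A1" and "B2" play legitimate sensors; the burst of F0..F4 imitates an address sweep and the
# repeated ("A1", "02ab") frame imitates a replayed capture. None of this is real traffic.
SAMPLE_FRAMES = [
    (0.0, "A1", "01aa"),
    (5.0, "A1", "02ab"),
    (10.0, "B2", "01cc"),
    (20.0, "A1", "02ab"),
    (30.0, "F0", "00"),
    (30.1, "F1", "00"),
    (30.2, "F2", "00"),
    (30.3, "F3", "00"),
    (30.4, "F4", "00"),
]


def analyse_frames(frames, window_s=10.0, new_addr_threshold=5):
    """Flag replayed frames and bursts of new source addresses.

    Returns {"replays": [(ts, src, payload), ...], "bruteforce": [window_start_ts, ...]}.
    A brute-force alert is raised once per burst, at the moment the count of first-seen
    addresses inside the sliding window reaches new_addr_threshold.
    """
    seen_pairs = set()      # every (src, payload) observed so far
    known_addrs = set()     # every source address observed so far
    recent_new = deque()    # timestamps at which a new address was first seen, within the window
    replays = []
    bruteforce = []

    for ts, src, payload in sorted(frames):
        key = (src, payload)
        if key in seen_pairs:
            # Exact duplicate of an earlier frame: with a counter/nonce in the payload a
            # legitimate sensor never produces this, so treat it as a replay.
            replays.append((ts, src, payload))
        seen_pairs.add(key)

        if src not in known_addrs:
            known_addrs.add(src)
            recent_new.append(ts)
            # Drop first-seen timestamps that have fallen out of the sliding window.
            while recent_new and ts - recent_new[0] > window_s:
                recent_new.popleft()
            # Alert on the crossing only, so one burst yields one alert.
            if len(recent_new) == new_addr_threshold:
                bruteforce.append(recent_new[0])

    return {"replays": replays, "bruteforce": bruteforce}


if __name__ == "__main__":
    report = analyse_frames(SAMPLE_FRAMES)
    for ts, src, payload in report["replays"]:
        print(f"possible replay at t={ts}: src={src} payload={payload}")
    for start in report["bruteforce"]:
        print(f"possible source-address brute force starting at t={start}")
```

Thresholds like five new addresses in ten seconds are deliberately loose for illustration; on a real installation they should be derived from how many devices are paired and how often they normally transmit, and the replay check is only meaningful if the protocol actually varies its frames.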
The post goes into deep detail on the methods he used to reverse engineer the device and is a great tutorial for anyone wanting to get into wireless IoT security research.
OpenHAB is an open source home automation software program which is designed to interface and manage all the various sensors and systems in an automated house. One problem however, is that many wireless sensors and actuators utilize a proprietary communications protocol that is not supported by OpenHAB.
In his home, Dan Englender had several Honeywell 5800 series 345 MHz wireless security door sensors, all of which interface using a proprietary protocol that is not yet implemented in OpenHAB. In order to get around this, Dan decided to reverse engineer the protocol and implement a decoder into OpenHAB himself.
Recently security researcher cnxroot wrote in to let us know about two of his posts that may be of interest to readers. The posts are written in Chinese, so please use Google Translate to read them in English – it translates okay to some extent.
The first post shows us how to run the RTL-SDR on an OpenWRT capable router. OpenWRT is a Linux firmware/OS that can be installed on several compatible router devices and extends the usefulness and features of the router. Since it runs Linux, the RTL-SDR drivers can be installed onto it and rtl_tcp can then be run, providing a remote RTL-SDR over the network.
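rtl_tcp's wire protocol is small and worth knowing when you put a dongle on a router: the server sends a 12-byte greeting (the magic `RTL0`, then the tuner type and tuner gain count as big-endian 32-bit integers) and afterwards streams raw 8-bit I/Q samples, while the client sends 5-byte commands (one command byte plus a big-endian 32-bit parameter). The following added example is not from cnxroot's post or from rtl_tcp itself; it builds the tune/sample-rate/gain commands, parses the greeting and, when given a host on the command line, connects and reads a few samples. The command codes and the tuner enum values come from librtlsdr/rtl_tcp; the host name and the 433.92 MHz / 1.024 Msps settings are just example values.

```python
import socket
import struct
import sys

# rtl_tcp command bytes (from rtl_tcp's protocol; the full set is longer).
SET_FREQUENCY = 0x01
SET_SAMPLE_RATE = 0x02
SET_GAIN_MODE = 0x03   # 0 = automatic, 1 = manual
SET_GAIN = 0x04        # tenths of a dB when in manual mode

# Tuner type values as reported in the greeting (librtlsdr's rtlsdr_tuner enum).
TUNER_NAMES = {0: "UNKNOWN", 1: "E4000", 2: "FC0012", 3: "FC0013",
               4: "FC2580", 5: "R820T", 6: "R828D"}

GREETING_LEN = 12


def build_command(cmd, value):
    """One rtl_tcp command: a command byte followed by a big-endian uint32 parameter."""
    return struct.pack(">BI", cmd, value)


def tune_commands(freq_hz, sample_rate_hz, gain_tenths_db=None):
    """The command sequence a client sends right after the greeting to set up a session."""
    cmds = [build_command(SET_SAMPLE_RATE, sample_rate_hz),
            build_command(SET_FREQUENCY, freq_hz)]
    if gain_tenths_db is None:
        cmds.append(build_command(SET_GAIN_MODE, 0))
    else:
        cmds.append(build_command(SET_GAIN_MODE, 1))
        cmds.append(build_command(SET_GAIN, gain_tenths_db))
    return cmds


def parse_greeting(data):
    """Decode the 12-byte greeting into (tuner_name, gain_count); reject anything else."""
    if len(data) < GREETING_LEN or data[:4] != b"RTL0":
        raise ValueError("not an rtl_tcp greeting")
    tuner_type, gain_count = struct.unpack(">II", data[4:GREETING_LEN])
    return TUNER_NAMES.get(tuner_type, f"type {tuner_type}"), gain_count


def recv_exact(sock, n):
    """Read exactly n bytes from a stream socket (recv may return short reads)."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("rtl_tcp closed the connection")
        buf += chunk
    return buf


def open_session(host, port=1234, freq_hz=433_920_000, sample_rate_hz=1_024_000):
    """Connect to rtl_tcp, configure the dongle and return (socket, tuner_name, gain_count)."""
    sock = socket.create_connection((host, port), timeout=5)
    tuner, gains = parse_greeting(recv_exact(sock, GREETING_LEN))
    for cmd in tune_commands(freq_hz, sample_rate_hz):
        sock.sendall(cmd)
    return sock, tuner, gains


if __name__ == "__main__":
    # Usage: python rtl_tcp_client.py <router-ip> ; reads one block of I/Q samples and exits.
    if len(sys.argv) == 2:
        s, tuner, gains = open_session(sys.argv[1])
        print(f"connected: tuner={tuner}, {gains} gain steps")
        iq = recv_exact(s, 4096)   # interleaved unsigned 8-bit I,Q pairs
        print(f"got {len(iq) // 2} I/Q samples, first pair = ({iq[0]}, {iq[1]})")
        s.close()
    else:
        print("pass the rtl_tcp host as the only argument")
```

One caveat for the router use case: rtl_tcp has no authentication and no encryption, and any client that can reach the port can retune the dongle and pull the sample stream, so bind it to the LAN side of the router or reach it through an SSH tunnel or VPN rather than exposing port 1234 to the internet.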
The LimeSDR is a new transmit capable software defined radio with a 100 kHz – 3.8 GHz frequency range, 12-bit ADC and 61.44 MHz bandwidth which is currently seeking crowdfunding. At the time of this post there are about four days left to reach the $500k goal, and it is only 80% funded. To try and reach their funding goal they have released another batch of discounted units which cost only $249 USD. After the crowd funding campaign the price will rise to $289/$299 USD. If the LimeSDR is not funded in time, they write that the project will unfortunately be put on hold and its future may be uncertain. We believe that this product is shaping up to be a very good TX/RX capable SDR, like the HackRF and bladeRF, but much better overall and for the same or even lower price.
Recently they also released some new updates that show off some LimeSDR features. In a post previously featured on our blog beta tester Alexandru showed how he was able to get the LimeSDR to transmit DVB-S2 HDTV. In later updates they showed how the LimeSDR can be used to:
Create a Vector Network Analyzer. With the help of a directional coupler the LimeSDR can also be turned into a Vector Network Analyzer to measure parameters such as gain, insertion loss, return loss and VSWR.
Build a remote radio head. By mounting the LimeSDR near the antenna and streaming the data back over an IP link, coax feed losses can be eliminated.
The people behind this SDR are currently marketing SoDeRa as “the Arduino of the Telecom and Radio Engineer”. It appears to be designed mainly to implement IoT and other radio communications protocols, but it also sounds like it could find excellent use in the hobby and amateur market as well as have benefits for the average person. Interestingly, the developers also plan to implement an app store which would allow you to essentially download a radio and instantly configure the SoDeRa SDR for any desired protocol or application. They write:
This is the first time that a revolutionary device for which we are organising a joint crowd-funding campaign with Lime Microsystems is made public. The #SoDeRa is the cheapest software defined radio you can buy. The #SoDeRa will have an app store and will be able to provide any type of (bi-directional) radio communication going from LTE, Lora, WiFi, GPS, Bluetooth, radar, radio-controlled toys/robots/drone, digital radio, digital TV to even MRI scanners, satellite and air traffic communications by just installing an app. The #SoDeRa is the Arduino of the Telecom and Radio Engineer.
The SoDeRa is powerful enough to be a full MiMo LTE base station with long range coverage, provided you add the right antenna. You can via apps put other wireless communication protocols like LoRaWAN, Bluetooth, Zigbee, Z-Wave, GPS, Galileo, Airspace protocols, radar, MRI scanning RF, TV/Radio, any toy/robot/drone control, White Space, etc. But most importantly because of its price and ease of adding more protocols, the SoDeRa will enable anybody to define competing wireless communication protocols and put them into Github. Developers don’t like closed standards like LTE or complex standards like Bluetooth & Zigbee. The future will allow developers to compete against corporations and standardization bodies if they think current standards can be improved upon. The Internet has shown that this dynamic brought us easier standards through adoption like JSON and Yaml vs XML and EDI. Wireless, RF and telecom engineers never had an Arduino like the electronics engineers. The SoDeRa will plug this hole.
Development on SoDeRa is working towards a trend in radio systems where all radio devices are software defined, allowing for futuristic features like advanced spectrum control and the ability to change protocols on the fly. They write:
Including #SoDeRa in any type of smart device will greatly reduce the cost of deploying a mobile base station network because by open sourcing the hardware design it will become commodity. By including software defined radio in lots of devices, often with a completely different purpose, will allow these devices to become a smart cell via installing an extra app. In the future, support for software defined radio will likely be embedded directly in Intel and ARM chips. The foundational steps are already happening. This will likely reshape the telecom industry. Not only from a cost perspective but also from a perspective of who runs the network. Telecom operators that don’t deliver value will see their monopoly positions being put in danger. As soon as spectrum can be licensed on a per hour basis, just like any other resource in the cloud, any type of ad-hoc network can be setup. The question is not if but when. Open sourcing and crowdfunding will make that “when” be sooner than later. Smart operators that align with the innovators will win because they will get the app revenue, enormous cost reductions, sell surplus spectrum by the hour and lots of innovation. Other operators that don’t move or try to stop it will be disrupted. What do you want to be?
At first glance SoDeRa sounds like it will be an expensive device, but on their official website they are currently running a survey asking people what they would be willing to pay, and the lowest price given is $50 – $99. This makes it seem likely that in the future with enough volume SoDeRa could be sold at very low cost and become very popular.
I am willing to pay for 1 unit
$50 – $99 (lead time 9 months)
$100 – $199 (lead time 6 months)
$200 – $299 (lead time 3 months)
$300 – $399 (lead time 2 months)
$400 – $500 (lead time 1 month)
It sounds like the team behind SoDeRa are gearing up for a crowd funding campaign so we will be keeping an eye on this SDR.
Thanks to RTL-SDR.com reader Serdar (TA3AS) for submitting news about SoDeRa to us.
The ESP8266 is a $7 WiFi module that can be used to give any microcontroller access to a WiFi network. It is designed for creating Internet of Things (IoT) devices and has various features such as its ability to host its own web applications. The ESP8266 also has an I2S output with DMA support. By hooking up this I2S output pin to a short wire, YouTuber CNLohr has demonstrated that he is able to use the ESP to broadcast full color NTSC TV. This works in a similar way to how PiTX works, by using the pin to modulate a radio signal. CNLohr's code not only broadcasts color NTSC, but also provides a full web interface for controlling it.
In the first video CNLohr shows off his initial work at getting the NTSC output working and in the second video he shows color working. Later in the second video he also uses an RTL-SDR to check on the NTSC spectrum that is being output.