Tagged: IoT

Video on Hacking 433 MHz Devices with an RTL-SDR and Raspberry Pi

Over on YouTube, Andreas Spiess has uploaded a video showing how to use an RTL-SDR to reverse engineer 433 MHz ISM band devices such as Internet of Things (IoT) and home automation sensors and actuators.

Andreas decided to do this because he has a 433 MHz remote controlled outdoor awning which he wants to retract automatically when the wind speed gets too high. To do this he wanted to use a wireless 433 MHz ISM band weather station with a wind speed sensor. Unfortunately he discovered that the weather station uses a proprietary protocol that cannot talk to the awning, which in turn has its own proprietary protocol.

Andreas' solution is to use an RTL-SDR and a Raspberry Pi running the rtl_433 decoder software to receive the weather station data. rtl_433 already contained a decoder for his weather station, so no further reverse engineering was needed there. The decoded data is then published over MQTT, a lightweight publish/subscribe messaging protocol that runs over TCP/IP and is widely used by IoT devices. The MQTT messages are read by Node-RED, a flow-based programming environment for IoT devices.

The awning was a different story: unlike the weather station, rtl_433 had no decoder for it, so Andreas had to reverse engineer its remote control signal from scratch using the Universal Radio Hacker (URH) software. Using the recovered pulse timings and bit patterns, he then uses an ESP32 processor/WiFi chip and a cheap 433 MHz transmitter module to clone the awning's remote control signals. The ESP32 subscribes over WiFi to the MQTT messages sent from the Raspberry Pi, so with a little bit of logic in Node-RED the weather station can now control the awning.
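The pipeline above has three software pieces: read the decoded weather report, decide when to act, and drive a transmitter with the cloned signal. The following Python is an added example written for this page, not Andreas' code or the rtl_433/Node-RED flow from the video. The rtl_433 JSON line, its field names, the wind thresholds and the PWM pulse widths are all assumptions; a real remote's widths are whatever URH's analysis reports.

```python
import json

# Constructed sample in the shape of an `rtl_433 -F json` line. The model name and
# the wind field name are assumptions; real decoders use their own field names.
SAMPLE_RTL433_LINE = ('{"time":"2018-06-01 12:00:00","model":"ExampleWeatherStation",'
                      '"id":42,"wind_avg_km_h":31.5,"battery_ok":1}')


def wind_from_rtl433(line, field="wind_avg_km_h"):
    """Return the wind speed from one rtl_433 JSON line, or None if it is not a report."""
    try:
        msg = json.loads(line)
    except ValueError:
        return None
    return msg.get(field) if isinstance(msg, dict) else None


class AwningController:
    """Retract/extend decision with hysteresis: two thresholds, so gusts hovering
    around a single limit do not make the awning cycle in and out."""

    def __init__(self, retract_above=30.0, extend_below=20.0):
        self.retract_above = retract_above
        self.extend_below = extend_below
        self.retracted = False

    def update(self, wind_kmh):
        """Return "RETRACT", "EXTEND" or None for a new wind reading."""
        if wind_kmh is None:
            return None
        if not self.retracted and wind_kmh > self.retract_above:
            self.retracted = True
            return "RETRACT"
        if self.retracted and wind_kmh < self.extend_below:
            self.retracted = False
            return "EXTEND"
        return None


# OOK/PWM line code of the kind many 433 MHz remotes use: a '1' is a long high then a
# short low, a '0' a short high then a long low, and a long low gap ends the frame.
# These pulse widths are assumptions for the example, not measured from any real remote.
SHORT_US, LONG_US, SYNC_US = 350, 1050, 10000


def encode_pwm(bits):
    """Turn a bit string into the (level, microseconds) sequence a transmitter pin drives."""
    pulses = []
    for b in bits:
        if b == "1":
            pulses += [(1, LONG_US), (0, SHORT_US)]
        elif b == "0":
            pulses += [(1, SHORT_US), (0, LONG_US)]
        else:
            raise ValueError("bits must contain only '0' and '1'")
    pulses += [(1, SHORT_US), (0, SYNC_US)]          # trailing sync pulse and gap
    return pulses


def decode_pwm(pulses, tolerance=0.3):
    """Inverse of encode_pwm: classify each high/low pair by width and stop at the sync gap.
    tolerance is the fractional timing error accepted, since captured pulses jitter."""
    def near(measured, nominal):
        return abs(measured - nominal) <= tolerance * nominal

    bits = []
    for i in range(0, len(pulses) - 1, 2):
        (lvl_hi, hi), (lvl_lo, lo) = pulses[i], pulses[i + 1]
        if lvl_hi != 1 or lvl_lo != 0:
            raise ValueError("expected alternating high/low pulses")
        if near(lo, SYNC_US):
            break                                    # end of frame
        if near(hi, LONG_US) and near(lo, SHORT_US):
            bits.append("1")
        elif near(hi, SHORT_US) and near(lo, LONG_US):
            bits.append("0")
        else:
            raise ValueError(f"pulse pair ({hi}, {lo}) us matches neither symbol")
    return "".join(bits)


if __name__ == "__main__":
    ctl = AwningController()
    print(ctl.update(wind_from_rtl433(SAMPLE_RTL433_LINE)))
    frame = "101100111000"
    print(decode_pwm(encode_pwm(frame)) == frame)
```

On the ESP32 the list that encode_pwm returns is what the transmitter GPIO is toggled with, and decode_pwm is the check you run against a capture of your own transmission to confirm the clone matches the original before trusting it with the awning.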

How to Hack your 433 MHz Devices with a Raspberry and a RTL-SDR Dongle (Weather Station)

The LimeSDR Mini Grove Starter Kit

The LimeSDR team has partnered with Seeed Studio to develop a low cost SDR starter kit for learning SDR basics and experimenting with IoT applications. The kit costs US$249 and includes a LimeSDR Mini and the Grove Starter Kit. The Grove kit is a set of sensors such as temperature, sound, light, ultrasonic, touch and rotary, together with output components like a buzzer, an LCD screen and LEDs. It also includes the GrovePi+, a board that lets you interface the Grove modules with a Raspberry Pi. Adding a LimeSDR Mini and the Grove kit to a Raspberry Pi allows for easy wireless and IoT experimentation. To make it even easier the LimeSDR team have created a ScratchRadio extension that supports the LimeSDR and Grove kit combination. ScratchRadio is a kid-friendly visual programming environment.

The kit packages a LimeSDR Mini with antennas optimised for 433/868/915 MHz unlicensed bands, plus a GrovePi+ and selection of incredibly useful Grove sensors and outputs, many of which are supported by a Scratch extension. When combined with our ScratchRadio extension, this will allow the creation of simple and fun applications that integrate SDR capabilities and peripheral I/O.

Of course, use is not limited to Scratch and educational environments, and we’ll also be putting together examples that demonstrate how the kit can be used to develop applications that integrate with existing off-the-shelf systems, such as wireless thermostats and remote controls.

Kit Contents

  • 1 x LimeSDR Mini
  • 2 x Antennas optimised for 433/868/915MHz unlicensed bands use
  • 1 x Acrylic base plate
  • 1 x Short USB extension
  • 1 x GrovePi+
  • 1 x Grove - Ultrasonic Ranger
  • 1 x Grove - Temp&Humi Sensor
  • 1 x Grove - Temperature Sensor
  • 1 x Grove - Rotary Angle Sensor
  • 1 x Grove - Button
  • 1 x Grove - Light Sensor v1.2
  • 1 x Grove - 3-Axis Digital Accelerometer (±1.5 g)
  • 1 x Grove - Relay
  • 1 x Grove - Sound Sensor
  • 1 x Grove - LCD RGB Backlight
  • 1 x Grove - Buzzer
  • 1 x Grove - Red LED
  • 1 x Grove - LED Bar 2.0
  • 1 x Grove - Touch Sensor
  • 1 x Grove - Piezo Vibration Sensor

Just add your own Raspberry Pi, power supply, and microSD card!

The kit costs US$249 and is currently available for preorder on the LimeSDR Mini CrowdSupply page.

The Grove Starter Kit with LimeSDR.

Identifying Issues that can be used to Disable IoT Alarms

Seekintoo cybersecurity researcher Dayton Pidhirney has been investigating security flaws in wireless IoT (Internet of Things) alarm systems and has identified six issues that can be used to bypass or disable an alarm. Five of them attack the RF side of the device and one goes through the conventional IP network.

In his post he specifically attacks the iSmartAlarm (ISM), an IoT home alarm system that comes with several sensors and is controlled from a smartphone app. The unit uses the Texas Instruments CC1110 RF SoC running the SimpliciTI low-power radio network protocol. Dayton notes that most of the attacks are not specific to a single manufacturer and could be applied to other IoT devices as well.

Using a variety of hardware including a logic analyzer, a Yardstick One, a GoodFET, RFCat and a USRP B210 software defined radio, together with software including GNU Radio, GQRX, Baudline and Audacity, Dayton was able to attack the alarm in the following ways:

  • Brute-force attack on the alarm system device source addresses.
  • Remotely clone authenticated devices used to interact with the alarm system security features.
  • Decryption of authenticated devices' radio communications, allowing remote attackers to craft packets that send arbitrary commands to the alarm system.
  • RF Jamming.
  • Assisted replay attack.

The post goes into deep detail on the methods he used to reverse engineer the device and is a great tutorial for anyone wanting to get into wireless IoT security research.
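Three of the issues listed (brute-forcing source addresses, cloning an authenticated device, and replaying recorded frames) share one root cause: a receiver that trusts a frame because of where it claims to come from. The simulation below is an added example written for this page, not Dayton's code and not a description of the iSmartAlarm or SimpliciTI frame format. The frame layout, address, key and command values are constructed; the point is the contrast between a receiver that checks only the source address and one that checks a per-device MAC and a strictly increasing counter.

```python
import hmac
import hashlib
import struct

# Hypothetical frame layout for this example (assumption, not iSmartAlarm's format):
#   4-byte source address | 4-byte counter | 1-byte command | 8-byte truncated HMAC-SHA256
FRAME_LEN = 4 + 4 + 1 + 8
CMD_DISARM = 0x10


def mac_for(key, body):
    return hmac.new(key, body, hashlib.sha256).digest()[:8]


class Sensor:
    """An authenticated device: shares a per-device key with the base station, never reuses a counter."""
    def __init__(self, addr, key):
        self.addr, self.key, self.counter = addr, key, 0

    def frame(self, cmd):
        self.counter += 1
        body = struct.pack(">IIB", self.addr, self.counter, cmd)
        return body + mac_for(self.key, body)


class LegacyBaseStation:
    """Accepts any frame whose source address is enrolled: knowing or guessing the address is enough."""
    def __init__(self, enrolled):
        self.enrolled = set(enrolled)

    def accept(self, frame):
        if len(frame) != FRAME_LEN:
            return "malformed"
        addr, _ctr, cmd = struct.unpack(">IIB", frame[:9])
        return f"ok cmd={cmd:#x}" if addr in self.enrolled else "unknown address"


class HardenedBaseStation:
    """Checks a per-device MAC and a strictly increasing counter before acting on a command."""
    def __init__(self, keys):
        self.keys = dict(keys)          # addr -> key, established at pairing time
        self.last_counter = {}

    def accept(self, frame):
        if len(frame) != FRAME_LEN:
            return "malformed"
        body, mac = frame[:9], frame[9:]
        addr, ctr, cmd = struct.unpack(">IIB", body)
        key = self.keys.get(addr)
        if key is None:
            return "unknown address"
        if not hmac.compare_digest(mac, mac_for(key, body)):
            return "bad mac"            # cloned address without the key, or a tampered frame
        if ctr <= self.last_counter.get(addr, 0):
            return "replay"             # same or older counter: a recorded frame played back
        self.last_counter[addr] = ctr
        return f"ok cmd={cmd:#x}"


def brute_force_address(station, cmd, max_addr):
    """Sweep source addresses with an unauthenticated frame, as an attacker without a key would.
    Returns (address, attempts) on success or (None, attempts) if nothing was accepted."""
    for addr in range(max_addr):
        frame = struct.pack(">IIB", addr, 1, cmd) + bytes(8)
        if station.accept(frame).startswith("ok"):
            return addr, addr + 1
    return None, max_addr


def simulate():
    """Run replay, clone and address brute-force against both receivers and return the verdicts."""
    addr, key = 0x00001234, b"per-device-key-from-pairing"       # constructed values
    sensor = Sensor(addr, key)
    legacy = LegacyBaseStation([addr])
    hardened = HardenedBaseStation({addr: key})
    captured = sensor.frame(CMD_DISARM)                           # attacker records one genuine disarm
    cloned = struct.pack(">IIB", addr, 99, CMD_DISARM) + bytes(8)  # right address, no key
    return {
        "legacy_genuine":   legacy.accept(captured),
        "legacy_replay":    legacy.accept(captured),
        "legacy_clone":     legacy.accept(cloned),
        "legacy_brute":     brute_force_address(legacy, CMD_DISARM, 0x2000)[0],
        "hardened_genuine": hardened.accept(captured),
        "hardened_replay":  hardened.accept(captured),
        "hardened_clone":   hardened.accept(cloned),
        "hardened_brute":   brute_force_address(hardened, CMD_DISARM, 0x2000)[0],
        "hardened_fresh":   hardened.accept(sensor.frame(CMD_DISARM)),
    }


if __name__ == "__main__":
    for name, verdict in simulate().items():
        print(f"{name:18s} {verdict}")
```

RF jamming and the "assisted" replay (jam the genuine frame, then replay it later) are not modelled here: the counter check defeats a plain replay but not a frame that the base station never saw, which is why the counter must be paired with a MAC and why the sixth, network-side issue still needs its own fix.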

The iSmartAlarm IoT wireless alarm system

Reverse Engineering Honeywell 345 MHz Home Automation Sensors with an RTL-SDR

OpenHAB is an open source home automation software program which is designed to interface and manage all the various sensors and systems in an automated house. One problem however, is that many wireless sensors and actuators utilize a proprietary communications protocol that is not supported by OpenHAB.

In his home, Dan Englender had several Honeywell 5800 series 345 MHz wireless security door sensors, all of which interface using a proprietary protocol that is not yet implemented in OpenHAB. In order to get around this, Dan decided to reverse engineer the protocol and implement a decoder into OpenHAB himself. 

Dan's four-part write-up covers the RF capture and demodulation, the protocol reverse engineering and the implementation in OpenHAB. First he looked up the frequency and bandwidth of the signal in the FCC filing information on fcc.io. Then he captured some packets from a door sensor using his RTL-SDR and GNU Radio, and wrote a short Python program to decode the protocol and pass the door open/closed state to OpenHAB. In the future he hopes to optimize the decoder so that it can comfortably run on a Raspberry Pi, as the GNU Radio script uses quite a bit of computing power.
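The step between "GNU Radio has demodulated the burst" and "here is the sensor's serial and status" is a line-code decoder, and Manchester is the line code most such sensors use. The Python below is an added example for this page, not decode345 or any code from Dan's write-up, and it does not claim to match the Honeywell 5800 frame: the sync word, the 24-bit payload length and the use of the IEEE 802.3 bit convention are assumptions. It takes hard-sliced samples (the 0/1 stream after GNU Radio's demodulation and threshold), finds bursts separated by idle, repairs the half-bit that merges into the idle level at either edge, and decodes.

```python
SYNC = "1111111111111110"   # constructed sync word (15 ones then a zero); real sensors define their own


def manchester_encode(bits):
    """IEEE 802.3 convention: '1' is a low half-bit then a high one, '0' the reverse."""
    out = []
    for b in bits:
        out += [0, 1] if b == "1" else [1, 0]
    return out


def to_samples(halfbits, spb, lead=40, tail=40):
    """Expand half-bit levels into a hard-sliced sample stream with idle low on both sides
    (constructed test input). spb = samples per half-bit = sample_rate / (2 * bit_rate)."""
    return [0] * lead + [lvl for lvl in halfbits for _ in range(spb)] + [0] * tail


def run_lengths(samples):
    """[(level, count), ...] of consecutive identical samples."""
    runs = []
    for s in samples:
        if runs and runs[-1][0] == s:
            runs[-1][1] += 1
        else:
            runs.append([s, 1])
    return [(lvl, n) for lvl, n in runs]


def split_bursts(samples, spb):
    """Quantise run lengths to half-bit units. Manchester never holds a level longer than two
    half-bits, so a longer run is idle and closes the current burst. Each burst is returned with
    the idle level before and after it, because a half-bit at either edge merges into the idle."""
    bursts, cur, pre = [], [], 0
    for lvl, n in run_lengths(samples):
        k = round(n / spb)
        if k == 0:
            continue                     # sub-half-bit glitch, ignore
        if k > 2:
            if cur:
                bursts.append((pre, cur, lvl))
                cur = []
            pre = lvl
            continue
        cur += [lvl] * k
    if cur:
        bursts.append((pre, cur, 0))     # stream ended mid-burst; assume idle low follows
    return bursts


def decode_burst(pre, halfbits, post):
    """Try the burst as-is and with the idle level re-attached at either edge; return the first
    variant that is valid Manchester throughout (every pair is 01 or 10), else None."""
    for cand in (halfbits, [pre] + halfbits, halfbits + [post], [pre] + halfbits + [post]):
        if len(cand) % 2:
            continue
        bits = []
        for i in range(0, len(cand), 2):
            pair = (cand[i], cand[i + 1])
            if pair == (0, 1):
                bits.append("1")
            elif pair == (1, 0):
                bits.append("0")
            else:
                break
        else:
            return "".join(bits)
    return None


def extract_payloads(samples, spb, sync=SYNC, nbits=24):
    """Receive chain: sliced samples -> bursts -> bits -> payload following the sync word, as hex."""
    found = []
    for pre, hb, post in split_bursts(samples, spb):
        bits = decode_burst(pre, hb, post)
        if bits is None:
            continue
        at = bits.find(sync)
        if at < 0 or len(bits) < at + len(sync) + nbits:
            continue
        payload = bits[at + len(sync):at + len(sync) + nbits]
        found.append(f"{int(payload, 2):0{nbits // 4}x}")
    return found


if __name__ == "__main__":
    stream = to_samples(manchester_encode(SYNC + "000010101111000010101011"), 5)
    print(extract_payloads(stream, 5))
```

The sync word is what makes the decode unambiguous: a long run of identical bits decodes validly at both pair alignments, but a sync containing a transition only decodes at the right one, so searching for it also fixes the alignment.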

The final project is called decode345 and the code is available over on his GitHub.

Honeywell 345 MHz Door Sensor
Custom Door Sensor Status in OpenHAB

[Also seen on Hackaday]


CNxROOT Two Posts: How to Build an RTL-SDR Server with OpenWRT, Creating a GSM BaseStation with OpenBTS and a USRP

Recently security researcher cnxroot wrote in to let us know about two of his posts that may be of interest to readers. The posts are written in Chinese, so please use Google Translate to read them in English; the translation is serviceable.

The first post shows how to run the RTL-SDR on a router running OpenWRT. OpenWRT is a Linux firmware/OS that can be installed on many compatible routers and extends their features. Since it is Linux, the RTL-SDR drivers can be installed on it and rtl_tcp can be run, turning the router into a remote RTL-SDR server. Note that rtl_tcp performs no authentication: anyone who can reach its port can retune the dongle and pull the raw sample stream, so keep the server on a trusted LAN, firewall the port, or reach it through an SSH tunnel rather than exposing it to the internet.
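The rtl_tcp wire protocol is small enough to show in full, which also makes clear why the server needs protecting. The client below is an added example for this page, not cnxroot's code or part of rtl_tcp itself; it follows the format used by rtl_tcp.c (a 12-byte greeting of "RTL0", tuner type and gain count as big-endian uint32, then an unsigned 8-bit I/Q stream, with 5-byte commands of opcode plus big-endian parameter from the client). The FakeRtlTcpServer and the sample bytes it returns are constructed so the exchange runs offline over a socketpair.

```python
import socket
import struct
import threading

MAGIC = b"RTL0"
TUNER_NAMES = {0: "UNKNOWN", 1: "E4000", 2: "FC0012", 3: "FC0013", 4: "FC2580", 5: "R820T", 6: "R828D"}
# Opcodes from rtl_tcp.c; each command is 1 byte of opcode followed by a 4-byte big-endian parameter.
CMD_SET_FREQ, CMD_SET_SAMPLE_RATE, CMD_SET_GAIN_MODE, CMD_SET_GAIN, CMD_SET_AGC_MODE = 0x01, 0x02, 0x03, 0x04, 0x08


def pack_cmd(cmd, param):
    return struct.pack(">BI", cmd, param)


def parse_header(data):
    """Decode the 12-byte greeting the server sends immediately after accept()."""
    if len(data) != 12 or data[:4] != MAGIC:
        raise ValueError("not an rtl_tcp greeting")
    tuner_type, gain_count = struct.unpack(">II", data[4:])
    return {"tuner": TUNER_NAMES.get(tuner_type, f"type {tuner_type}"), "gain_count": gain_count}


def parse_cmds(buf):
    """Server-side view: split a command byte stream into (opcode, param) tuples, return the partial tail."""
    cmds = []
    while len(buf) >= 5:
        cmds.append(struct.unpack(">BI", buf[:5]))
        buf = buf[5:]
    return cmds, buf


def iq_to_complex(raw):
    """The stream is interleaved unsigned 8-bit I,Q; centre on zero and scale to [-1, 1]."""
    return [complex((raw[i] - 127.5) / 127.5, (raw[i + 1] - 127.5) / 127.5)
            for i in range(0, len(raw) - 1, 2)]


def recv_exact(sock, n):
    data = b""
    while len(data) < n:
        chunk = sock.recv(n - len(data))
        if not chunk:
            raise ConnectionError("peer closed during header")
        data += chunk
    return data


class FakeRtlTcpServer(threading.Thread):
    """Offline stand-in for rtl_tcp: greets, records every command, then streams a few constructed samples.
    Like the real server it accepts commands from whoever connects, with no authentication at all."""
    def __init__(self, sock, tuner_type=5, gain_count=29):
        super().__init__(daemon=True)
        self.sock = sock
        self.greeting = MAGIC + struct.pack(">II", tuner_type, gain_count)
        self.received = []

    def run(self):
        self.sock.sendall(self.greeting)
        buf = b""
        while True:
            chunk = self.sock.recv(4096)
            if not chunk:                    # client finished sending commands
                break
            cmds, buf = parse_cmds(buf + chunk)
            self.received.extend(cmds)
        self.sock.sendall(bytes([0x7F, 0x80, 0xFF, 0x00, 0x00, 0xFF, 0x7F, 0x80]))  # constructed I/Q bytes
        self.sock.close()


def tune_and_read(sock, freq_hz, sample_rate, gain_tenths_db):
    """Client side: read the greeting, push tuning commands, collect samples until the server closes."""
    hdr = parse_header(recv_exact(sock, 12))
    for cmd, param in ((CMD_SET_SAMPLE_RATE, sample_rate), (CMD_SET_FREQ, freq_hz),
                       (CMD_SET_GAIN_MODE, 1), (CMD_SET_GAIN, gain_tenths_db)):
        sock.sendall(pack_cmd(cmd, param))
    sock.shutdown(socket.SHUT_WR)
    raw = b""
    while True:
        chunk = sock.recv(4096)
        if not chunk:
            break
        raw += chunk
    sock.close()
    return hdr, iq_to_complex(raw)


def demo():
    """Run the full exchange in-process and return (header, samples, commands the server saw)."""
    client_end, server_end = socket.socketpair()
    server = FakeRtlTcpServer(server_end)
    server.start()
    hdr, samples = tune_and_read(client_end, 433_920_000, 1_024_000, 280)  # 433.92 MHz, 1.024 MS/s, 28.0 dB
    server.join()
    return hdr, samples, server.received


if __name__ == "__main__":
    print(demo())
```

Against a real server replace the socketpair with `socket.create_connection((host, 1234))`; everything else is unchanged. The same five bytes that retune your dongle can be sent by anyone else who reaches the port, which is the whole of the access-control story for rtl_tcp.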

The second post is more advanced. It is about creating a rogue GSM base station with a USRP SDR and intercepting IoT devices that connect over GSM/GPRS. The post shows how to set up OpenBTS, which can be used to create the base station. Keep in mind that a base station, even a fake one, transmits on licensed spectrum, so this is only legitimate inside a shielded enclosure or with the appropriate licence.

RTL-SDR running on an internet router with OpenWRT.

LimeSDR CrowdFunding Closing in Four Days: 80% Funded

The LimeSDR is a new transmit capable software defined radio with a 100 kHz – 3.8 GHz frequency range, 12-bit ADC and 61.44 MHz bandwidth which is currently seeking crowdfunding. At the time of this post there are about four days left to reach the $500k goal, and it is only 80% funded. To try and reach their funding goal they have released another batch of discounted units which cost only $249 USD. After the crowdfunding campaign the price will rise to $289/$299 USD. If the LimeSDR is not funded in time, they write that the project will unfortunately be put on hold and its future may be uncertain. We believe that this product is shaping up to be a very good TX/RX capable SDR, in the same class as the HackRF and bladeRF but better overall and for the same or even lower price.

Recently they also released some new updates that show off some LimeSDR features. In a post previously featured on our blog beta tester Alexandru showed how he was able to get the LimeSDR to transmit DVB-S2 HDTV. In later updates they showed how the LimeSDR can be used to:

The LimeSDR Board

SoDeRa: An upcoming low cost app-enabled open-source 100 kHz to 3.8 GHz SDR Transceiver

A new software defined radio called SoDeRa (SOftware DEfined RAdio) is currently under joint development by companies Canonical (the company behind the Ubuntu OS) and Lime Micro. SoDeRa is based on the new Lime Microsystems LMS7002M Transceiver chip which has a 100 kHz – 3.8 GHz range. The transceiver chip interfaces with an Altera Cyclone IV FPGA with 256 MB of RAM and a USB3 controller, and the whole radio will have 4x TX outputs and 6x RX inputs.

SoDeRa Block Diagram

The people behind this SDR are currently marketing SoDeRa as "the Arduino of the Telecom and Radio Engineer". It appears to be designed mainly for implementing IoT and other radio communications protocols, but it could also find excellent use in the hobby and amateur market. Interestingly, the developers also plan an app store which would allow you to essentially download a radio and instantly configure the SoDeRa for a desired protocol or application. They write:

This is the first time that a revolutionary device for which we are organising a joint crowd-funding campaign with Lime Microsystems is made public. The #SoDeRa is the cheapest software defined radio you can buy. The #SoDeRa will have an app store and will be able to provide any type of (bi-directional) radio communication going from LTE, Lora, WiFi, GPS, Bluetooth, radar, radio-controlled toys/robots/drone, digital radio, digital TV to even MRI scanners, satellite and air traffic communications by just installing an app. The #SoDeRa is the Arduino of the Telecom and Radio Engineer.

The VP of IoT at Canonical also writes:

The SoDeRa is powerful enough to be a full MiMo LTE base station with long range coverage, provided you add the right antenna. You can via apps put other wireless communication protocols like LoRaWAN, Bluetooth, Zigbee, Z-Wave, GPS, Galileo, Airspace protocols, radar, MRI scanning RF, TV/Radio, any toy/robot/drone control, White Space, etc. But most importantly because of its price and ease of adding more protocols, the SoDeRa will enable anybody to define competing wireless communication protocols and put them into Github. Developers don’t like closed standards like LTE or complex standards like Bluetooth & Zigbee. The future will allow developers to compete against corporations and standardization bodies if they think current standards can be improved upon. The Internet has shown that this dynamic brought us easier standards through adoption like JSON and Yaml vs XML and EDI. Wireless, RF and telecom engineers never had an Arduino like the electronics engineers. The SoDeRa will plug this hole.

Development on SoDeRa is working towards a trend in radio systems where all radio devices are software defined, allowing for futuristic features like advanced spectrum control and the ability to change protocols on the fly. They write:

Including #SoDeRa in any type of smart device will greatly reduce the cost of deploying a mobile base station network because by open sourcing the hardware design it will become commodity. By including software defined radio in lots of devices, often with a completely different purpose, will allow these devices to become a smart cell via installing an extra app. In the future, support for software defined radio will likely be embedded directly in Intel and ARM chips. The foundational steps are already happening. This will likely reshape the telecom industry. Not only from a cost perspective but also from a perspective of who runs the network. Telecom operators that don’t deliver value will see their monopoly positions being put in danger. As soon as spectrum can be licensed on a per hour basis, just like any other resource in the cloud, any type of ad-hoc network can be setup. The question is not if but when. Open sourcing and crowdfunding will make that “when” be sooner than later. Smart operators that align with the innovators will win because they will get the app revenue, enormous cost reductions, sell surplus spectrum by the hour and lots of innovation. Other operators that don’t move or try to stop it will be disrupted. What do you want to be?

At first glance SoDeRa sounds like it will be an expensive device, but on their official website they are currently running a survey asking people what they would be willing to pay, and the lowest price given is $50 – $99. This makes it seem likely that in the future with enough volume SoDeRa could be sold at very low cost and become very popular.

I am willing to pay for 1 unit

  • $50 – $99 (lead time 9 months)
  • $100 – $199 (lead time 6 months)
  • $200 – $299 (lead time 3 months)
  • $300 – $399 (lead time 2 months)
  • $400 – $500 (lead time 1 month)

It sounds like the team behind SoDeRa are gearing up for a crowd funding campaign so we will be keeping an eye on this SDR.

Thanks to RTL-SDR.com reader Serdar (TA3AS) for submitting news about SoDeRa to us.

The SoDeRa SDR
The SoDeRa PCB

Broadcasting Analogue NTSC TV with a $7 ESP8266

The ESP8266 is a $7 WiFi module that can be used to give any microcontroller access to a WiFi network. It is designed for building Internet of Things (IoT) devices and has various features, such as the ability to host its own web applications. The ESP8266 also has an I2S output with DMA support. By hooking up this I2S output pin to a short wire, YouTuber CNLohr has demonstrated that he is able to use the ESP to broadcast full colour NTSC TV. This works in a similar way to PiTX (rpitx) on the Raspberry Pi, by toggling the pin fast enough that the bitstream itself forms the modulated RF signal. CNLohr's code not only broadcasts colour NTSC, but also provides a full web interface for controlling it.

In the first video CNLohr shows off his initial work at getting the NTSC output working and in the second video he shows color working. Later in the second video he also uses an RTL-SDR to check on the NTSC spectrum that is being output.

Broadcasting Analog TV on an ESP8266!

Broadcasting COLOR Channel 3 on an ESP