Tagged: reverse engineering

Receiving pH Readings from a Wireless Medical Implant with RTL-SDR

Over on Hackaday we've learned about an interesting investigation by James Wu who was recently implanted with a stomach pH (acidity) monitoring device called the "Medtronic Bravo Reflux Capsule". Whilst inspecting the patient demo capsule James noted that the device transmitted data wirelessly via a very small low power transmitter, in particular noticing a telltale "433" written on a component on the device, indicating that it uses the 433 MHz ISM band.

Back at home he pulled up the FCC filing for the device, which unveiled that it is OOK-PWM modulated, and operates at 433.92 MHz. The rest of the filing also had information noting that the implant transmits a 59-bit data packet every 12 seconds, and contained a nice breakdown of the packet structure, making it easy for decoding.

With all the information about the device's wireless transmissions now known, James grabbed his RTL-SDR and fired up SDR# to confirm that the signal was indeed transmitting every 12 seconds at 433.92 MHz. Next he was able to decode the data from the device by inputting the protocol information learned from the FCC filing into an rtl_433 command line string.

After a bit of further work James discovered that the pH data was actually two readings in one data string. At this stage he finally had the pH reading, however it was represented as an 8-bit ADC reading with a value between 0 to 255. James plotted the relationship between the 8-bit raw ADC reading, and the pH value shown on the official Medtronic receiver. With this he was able to determine a linear relationship between the ADC reading and real pH reading, but notes that there may be a more accurate calibration curve required for actual medical use.

Decoding pH readings from a stomach implant with an RTL-SDR

If you're interested in wireless medical devices, in the past we've seen how SDRs could be used to not only receive data coming from Minimed Insulin pumps, but to maliciously control them with a HackRF too. We've also seen that data could possibly be received from implanted heart defibrillators as well.

Cloning A Garage Key with RTL-SDR, Universal Radio Hacker and an Arduino

Over on YouTube Adam Łoboda has uploaded a video showing the full steps that he's taken to reverse engineer and clone a wireless garage door key using an RTL-SDR and Arduino.

He starts by using the Universal Radio Hacker software to record a copy of the wireless signal generated by the garage key. Using the software he can then analyze the signal, and determine the preamble data, payload data and pulse width which he can then input into some Arduino code. The Arduino can then generate an identical signal, and transmit it via a cheap FS1000A 433 MHz RF module. Finally, at the end of the video Adam shows the cloned Arduino based garage key working as expected. 

hacking & clonning my garage key with URH ( Universal radio Hacker ) and ARDUINO DIGISPARK + FS1000A

Evil Crow RF: An Open Source CC1101 Based Device for Pentesting

The CC1101 is a popular RF silicon chip as it can handle many common digital modulation modes such as OOK/ASK, FSK, GFSK, and MSK within it's hardware. It is not a software defined radio, but rather a hardware radio that can be easily software controlled. Over the years we've seen the CC1101 and it's cousin the CC1111 with embedded microcontroller used in several pentesting/RF reverse engineering tools such as the Flipper Zero, Yard Stick One and PandwaRF.

There is now a new open source CC1101 implementation called the "Evil Crow RF". This hardware marries two CC1101 modules with an ESP32 WiFi and Bluetooth microcontroller. It is capable of operating in the 300 MHz - 348 MHz, 387 MHz - 464 MHz and 779 MHz - 928 MHz bands. As it has two CC1101 modules it can receive or transmit on two different frequencies at the same time. 

The firmware running on the ESP32 allows you to control the device via a simple web interface. Currently built in are interfaces for receiving, transmitting and brute forcing.

The device hardware is completely is open source so anyone can build it, however the creators are selling a ready to use version on Aliexpress, however at the time of this post it appears to be out of stock.

Over on Twitter creator @JoelSernaMoreno has uploaded a short video of it working.

The Evil Crow RF Open Source CC1101 Based Radio

Hacking a Ceiling Fan Radio Control Signal with an RTL-SDR

Over on YouTube "River's Educational Channel" has uploaded a video showing how he was able to reverse engineer the wireless control signal from his ceiling fan remote, and use that information to create a new transmitter controlled via his smart home's Raspberry Pi.

In the video River uses an RTL-SDR and the Spektrum software to initially identify the remotes frequency, before moving on to record the signal in Universal Radio Hacker (URH). He then goes on to reverse engineer the signal and determine the binary control string for each button on the ceiling fan's remote control.

In part 2 which is yet to be released River will show how to transmit this signal via his Raspberry Pi 3B in order to integrate it with his smart home.

Hacking My Ceiling Fan Radio Signal With a $15 USB TV Tuner (RTL2832U)

Converting an Old Cable Modem into an SDR

Over on his github blog, user stdw has uploaded a comprehensive post explaining how he investigated and turned an old Motorola MB7220 cable modem that was sitting in his closet into a fully functional software defined radio.

To begin the investigation stdw first opened the case and looked for a serial UART port. After finding one he connected the UART up to a Raspberry Pi and was almost immediately able to connect to the device's terminal. From the information displayed during the boot process, stdw was able to determine that the modem was running the eCos operating system on a Broadcom BCM3383 SoC. Unfortunately after receiving that information the UART connection is dropped, preventing any further terminal investigation.

To get around this issue, stdw decided to dump the flash memory via an SPI memory chip he saw on the board. Again using the Raspberry Pi he was able to connect via SPI and use the flashrom tool to read the memory. Next using a tool called bcm2-utils, stdw was able to parse and actually modify the configuration information stored in the flash memory. With this he was able to modify the configuration so that the serial connection did not drop after boot. 

With terminal access gained, stdw was now able to reverse engineer the firmware, and after a lot of searching eventually find a console command which would perform a bandpower measurement for a given frequency range. He found that IQ data for this scan was stored in a buffer which he could then stream out via a TCP connection. With the IQ data finally available on another PC he was then able to use Python libraries to compute an FFT and actually visualize the scanned spectrum. Some further investigation yielded actually demodulated FM audio, and the realization that the usable bandwidth is 7.5 MHz.

Unfortunately there were some limitations. There is only enough RAM to store less than a second of data at a time at max bandwidth and precision, which meant that a lot of data needed to be dropped in between captures. Further investigation yielded methods to reduce the sample rate down to 464 kHz which meant that only 12% of data was ever dropped - enough to stream a wideband FM radio signal.

If you wanted to try investigating the modem yourself, the Motorola MB7220 is available second hand on eBay for prices ranging between US$15 - US$40, and new on Amazon for $46.99. Although the usability of the modem for any real SDR applications may not be great, further investigation may yield better results. And if not, following along with the process stdw took looks to be a great reverse engineering learning experience. Other modems that use similar Broadcom chips may also be worth investigating.

The Motorola MB7220 connected to a Raspberry Pi for reverse engineering

Decoding Radio Telemetry Heard on News Helicopter Video Footage with GNU Radio

Twitter user @d0tslash was watching news helicopter footage of the BLM protests on the 28th of May when he heard something that sounded like an RF telemetry feed in the background audio on the helicopter's video feed. Having seen this previous success at decoding similar helicopter telemetry, he contacted his friend proto17 who proceeded to reverse engineer and figure out how to decode the telemetry, in the end discovering that it was providing location data for the helicopter.

Over on GitHub proto17 has documented the complete process that he took in reverse engineering the telemetry. He first explored the audio in Baudline discovering that there was a 1200 Hz wide FSK signal. Next he used GNU Radio to further analyze the signal, discovering it's baud rate, resampling the signal and then using a GFSK block to demodulate the signal into 1's and 0's.

Finally he used some clever terminal tricks and a Python script to discover the bit pattern and convert the bits into ASCII characters which reveals the helicopter coordinates. The coordinates decoded indicate that the helicopter was indeed circling the protest area.

We looked into the news helicopters in use during the protests and found that Denver news stations all share one helicopter with registration N6UX. Plugging that into adsbexchange.com and looking at the helicopter ADS-B history on the 28th gives a good match to proto17's decoded data. 

News helicopter telemetry audio vs ADS-B history
News helicopter telemetry audio vs ADS-B history

Reverse Engineering and Controlling a Pan-Tilt Camera Servo with an RTL-SDR and Arduino

The ZIFON YT-500 is a pan-tilt tripod designed for mounting small cameras and smart phones. It also comes with an RF based 433 MHz wireless remote control that allows you to remotely control the positioning.

However, Konstantin Dorohov wanted to be able to control the camera positioning from his PC rather than through the remote control, so he set out to reverse engineer and clone the 433 MHz wireless control signal.

To do this he first used an RTL-SDR and SDR# to record the signals generated by each button press of the remote. He then opens the audio files in Audacity which allows him to inspect the signal's structure and determine some important information such as the preamble + payload timing and ON/OFF pattern. 

Knowing this information he was then able to use an Arduino with a 433 MHz transmitter connected to replicate the signal exactly. His post contains the sample code that he used.

Reverse Engineering the Pan/Tilt Servo with an RTL-SDR, and replicating the signal with an Arduino.
Reverse Engineering the Pan/Tilt Servo with an RTL-SDR, and replicating the signal with an Arduino.

YouTube Video: Reverse Engineering with SDR

Over on YouTube Black Hills Information Security (aka Paul Clark) has uploaded a one hour long presentation that shows how to use a software defined radio to reverse engineer digital signals using GNU Radio.

One of the most common uses of Software Defined Radio in the InfoSec world is to take apart a radio signal and extract its underlying digital data. The resulting information is often used to build a transmitter that can compromise the original system. In this webcast, you'll walk through a live demo that illustrates the basic steps in the RF reverse engineering process, including:

- tuning
- demodulation
- decoding
- determining bit function
- building your own transmitter
- and much, much more!

Reverse Engineering with SDR