Tagged: reverse engineering

Reverse Engineering a Wirelessly Controlled Adjustable Bed with a HackRF and Logic Analyzer

Over on his blog Chris Laplante has written up a post showing how he was able to reverse engineer his wirelessly controlled "TEMPUR-Contour Elite Breeze" adjustable bed. The bed originally came with an Android app for smartphone control, but the app has not been updated since 2014 and no longer works on his modern Google Pixel. So in order to have the bed controllable from his home automation system, Chris decided to reverse engineer the wireless signal used by the bed's remote control.

He first looked up the FCC filing, which showed that the remote transmits in the ISM band between 433.050 and 434.790 MHz. Then, using his HackRF, he captured the signal and determined that it uses Gaussian frequency shift keying (GFSK) modulation.

The GFSK signal from the Tempur Pedic wireless remote control.

While the HackRF got him this far, he then switched to a different approach: using a logic analyzer to probe the SPI bus between the remote's microcontroller and its Si4431 RF transceiver. Because the transceiver's configuration registers are written over that bus in the clear, the capture gave him the important properties of the signal directly, such as the frequency, data rate, frequency deviation, channel mapping and packet structure.
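To show what a logic-analyzer capture of that SPI bus actually yields, here is an added example (not Chris's code, and not the Tempur remote's real register values) that walks a list of captured Si443x write transactions, rebuilds the register map, and derives the carrier frequency, hop channel, data rate, deviation and modulation type using the formulas from the public Si443x datasheet. The capture bytes are constructed for illustration.

```python
"""Decode Si443x (Si4431) SPI register writes captured on a logic analyzer.

Added example, not from the original post. The SPI bytes below are
constructed for illustration: they are NOT the Tempur remote's real
settings. Register addresses, bit fields and formulas follow the public
Si443x datasheet; the derived values are what a logic-analyzer capture
of the remote's SPI bus lets you recover.
"""

# Constructed capture: each transaction is the MOSI bytes seen while
# nSEL was low. First byte: bit 7 = write flag, bits 6..0 = register
# address; further bytes go to consecutive (burst) addresses.
CAPTURE = [
    bytes([0x80 | 0x70, 0x0C]),              # 0x70: Modulation Mode Control 1
    bytes([0x80 | 0x71, 0x23]),              # 0x71: Modulation Mode Control 2
    bytes([0x80 | 0x72, 0x20]),              # 0x72: Frequency Deviation
    bytes([0x80 | 0x6E, 0x0A, 0x3D]),        # 0x6E/0x6F: TX Data Rate (burst)
    bytes([0x80 | 0x75, 0x53, 0x62, 0x00]),  # 0x75..0x77: band, carrier (burst)
    bytes([0x80 | 0x79, 0x05]),              # 0x79: Frequency Hopping Channel
    bytes([0x80 | 0x7A, 0x0A]),              # 0x7A: Frequency Hopping Step Size
    bytes([0x00 | 0x03]),                    # a read of a status register, ignored
]

MODTYP = {0: "unmodulated", 1: "OOK", 2: "FSK", 3: "GFSK"}


def decode_writes(transactions):
    """Return a {register: value} map from write transactions (burst-aware)."""
    regs = {}
    for tx in transactions:
        if not tx or not tx[0] & 0x80:
            continue                      # reads do not change the register map
        addr = tx[0] & 0x7F
        for offset, value in enumerate(tx[1:]):
            regs[addr + offset] = value   # burst write auto-increments the address
    return regs


def rf_parameters(regs):
    """Derive the RF settings from the Si443x register map (datasheet formulas)."""
    band = regs[0x75]
    hbsel = (band >> 5) & 1
    fb = band & 0x1F
    fc = (regs[0x76] << 8) | regs[0x77]
    carrier_hz = 10_000_000 * (hbsel + 1) * (fb + 24 + fc / 64000)

    fhch = regs.get(0x79, 0)
    fhs = regs.get(0x7A, 0)
    channel_hz = carrier_hz + fhch * fhs * 10_000    # nominal + channel * step * 10 kHz

    txdr = (regs[0x6E] << 8) | regs[0x6F]
    scale = (regs[0x70] >> 5) & 1                    # txdtrtscale: set for rates < 30 kbps
    data_rate_bps = 1_000_000 * txdr / (2 ** (21 if scale else 16))

    fd = ((regs[0x71] >> 2) & 1) << 8 | regs[0x72]   # fd[8] lives in reg 0x71 bit 2
    deviation_hz = 625 * fd

    return {
        "modulation": MODTYP[regs[0x71] & 0x03],
        "carrier_hz": carrier_hz,
        "channel_hz": channel_hz,
        "data_rate_bps": data_rate_bps,
        "deviation_hz": deviation_hz,
        "manchester": bool(regs[0x70] & 0x02),
        "whitening": bool(regs[0x70] & 0x01),
    }


if __name__ == "__main__":
    for key, val in rf_parameters(decode_writes(CAPTURE)).items():
        print(f"{key:>14}: {val}")
```

With the constructed bytes this decodes to GFSK at 433.920 MHz (hop channel 5 with a 100 kHz step lands on 434.420 MHz), roughly 40 kbps and 20 kHz deviation; the same walk over a real capture gives you the numbers to type into a HackRF or Si4463 configuration without demodulating anything over the air.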

With all this information Chris was in the end able to create a product called "Tempur Bridge", which he is now selling on Tindie. It consists of an ESP32 WiFi microcontroller and a Si4463 RF transceiver chip, and lets him control his bed over WiFi from Home Assistant.

Chris's Tempur Bridge product for WiFi control of a Tempur Pedic adjustable bed.

[This story was also seen on Hackaday]

Hacking Beepers at a Fish & Chip Shop with an RTL-SDR and HackRF

Over on YouTube Paul from "Tall Paul Tech" has uploaded a video showing how he was able to reverse engineer the wireless protocol used by a simple restaurant beeper (aka 'burger pager') notification system that is used to let customers know when their food is ready.

By reading the label on the base unit, Paul found that the beeper system transmits at 433 MHz. He then recorded its transmissions with an RTL-SDR and, using Inspectrum, determined the bit string and the symbol period.

From there he used a GNU Radio flowgraph to replicate the signal, allowing him to use a HackRF to set off the beepers on demand.

In the past we've posted similar stories [1][2][3].

Hacking A Fish & Chip Shop

Controlling a Toy RC Car with a HackRF

Over on his blog Radoslav has written a post showing how he used a HackRF to wirelessly control a toy RC car, by reverse engineering its control protocol and generating the control signals from a C++ program.

Having already written the rf-car HackRF RC car control software on GitHub a few years ago, Radoslav was easily able to adapt it to a new RC car that his daughter received. The process was to look up the FCC data on the car, which showed that it operates at 2.4 GHz with GFSK modulation, then use the Inspectrum signal analysis tool to determine the bit strings used for each control. Finally, using his C++ interface to the HackRF, he implemented the new bit strings and GFSK modulation.
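The step "implement the bit string and GFSK modulation" is the same one the Tempur remote above needs, so here is an added, pure-Python example of it (not code from Radoslav's rf-car project or from the Tempur post): it Gaussian-filters an NRZ bit stream, integrates it into phase to produce complex IQ samples, then recovers the bits with a phase-difference discriminator. The 8 samples per symbol, BT = 0.5, modulation index 1.0, packet bytes and the simulated receiver offset are illustrative choices, not either device's parameters.

```python
"""GFSK-modulate a bit string to IQ samples and recover it with a frequency
discriminator. Added example (pure Python, no numpy), not code from the
rf-car project or the Tempur post; sps, BT, h, the packet bytes and the
carrier offset below are illustrative, not either device's values."""
import cmath
import math


def gaussian_taps(bt, sps, span=3):
    """Gaussian pulse-shaping filter (BT = bandwidth x bit time), sps samples/symbol."""
    sigma = math.sqrt(math.log(2)) / (2 * math.pi * bt)   # std-dev in symbols
    half = span * sps
    taps = [math.exp(-0.5 * (k / sps / sigma) ** 2) for k in range(-half, half + 1)]
    total = sum(taps)
    return [t / total for t in taps]


def gfsk_modulate(bits, sps=8, bt=0.5, h=1.0):
    """Return complex baseband samples; h = 2 * deviation / data_rate."""
    nrz = []
    for b in bits:
        nrz.extend([1.0 if b else -1.0] * sps)            # NRZ at the sample rate
    taps = gaussian_taps(bt, sps)
    pad = len(taps) // 2
    padded = [0.0] * pad + nrz + [0.0] * pad
    freq = [sum(t * padded[i + k] for k, t in enumerate(taps)) for i in range(len(nrz))]
    phase, iq = 0.0, []
    for f in freq:
        phase += math.pi * h * f / sps                    # integrate frequency -> phase
        iq.append(cmath.exp(1j * phase))
    return iq


def apply_carrier_offset(iq, rad_per_sample):
    """Simulate a receiver tuned slightly off the transmitter (crystal error)."""
    return [s * cmath.exp(1j * rad_per_sample * i) for i, s in enumerate(iq)]


def gfsk_demodulate(iq, sps, nbits, remove_dc=True):
    """Discriminator (phase difference of consecutive samples) + integrate-and-dump."""
    disc = [cmath.phase(iq[i] * iq[i - 1].conjugate()) for i in range(1, len(iq))]
    if remove_dc:
        # A constant carrier offset shows up as a DC term in the discriminator.
        # Subtracting the mean assumes a roughly balanced bit pattern, which the
        # usual 0xAA/0x55 preambles give you.
        mean = sum(disc) / len(disc)
        disc = [d - mean for d in disc]
    return [1 if sum(disc[i * sps:(i + 1) * sps]) > 0 else 0 for i in range(nbits)]


def bytes_to_bits(data):
    """MSB-first bit list."""
    return [(byte >> (7 - i)) & 1 for byte in data for i in range(8)]


# Constructed packet: 0xAA preamble, 0x2DD4 sync word, two payload bytes.
PACKET = bytes([0xAA, 0x2D, 0xD4, 0x13, 0x37])


def roundtrip(data=PACKET, sps=8, offset=0.3):
    """Modulate, add a carrier offset (radians per sample), demodulate."""
    bits = bytes_to_bits(data)
    iq = apply_carrier_offset(gfsk_modulate(bits, sps=sps), offset)
    return gfsk_demodulate(iq, sps, len(bits))


if __name__ == "__main__":
    print("ok" if roundtrip() == bytes_to_bits(PACKET) else "bit errors")
```

The IQ list from gfsk_modulate is what you would hand to a HackRF transmit sink (after scaling to its 8-bit sample format); the offset simulation is there because a HackRF and a toy remote never agree on frequency exactly, and a discriminator that does not remove that DC term slices wrongly once the offset approaches the deviation.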

The video below demonstrates Radoslav controlling the RC car with the keyboard on his laptop.

Controlling 2.4GHz FSK car with HackRF

In the past we've posted about another project that also used a HackRF and computer to control an RC drift car, and another project that used the RPiTX software to control an RC toy car with GNU Radio and a Raspberry Pi.

[Project also seen on Hackaday]

Reverse Engineering a 30 Year Old Wireless Garage Door Opener with a HackRF and GNU Radio

At his childhood home Maxwell Dulin discovered that the garage door was controlled by a 30 year old system, the "Sears Craftsman 139.53708 Garage Door Remote". Being interested in SDRs, Maxwell decided to see if he could reverse engineer the remote using his HackRF.

His first step was to find the frequency, which he located at 390 MHz. He then analyzed the signal in Inspectrum, identifying the OOK modulation and working his way towards the binary control strings. One thing that helped was the bank of nine DIP switches on the remote that set the 9-bit security code for a specific door: flipping switches let him control the transmitted bits and so determine which bits of the frame carry the security code. With this and a bit of GNU Radio code he was able to recreate the signal and transmit it with his HackRF.

Finally, Maxwell wanted to see how vulnerable this door is to a brute force attack that simply transmits every possible security code. From his calculations, brute forcing the entire 9-bit search space (512 codes) would take only 104 minutes to open any garage door using this opener.

GNU Radio replaces a 30 year old garage door remote

Hacking a La Crosse Weather Station with an RTL-SDR, PlutoSDR and Universal Radio Hacker

Thank you to Ryan K for submitting his latest blog post, in which he gives an in-depth explanation of how he reverse engineered his La Crosse weather station using an RTL-SDR, PlutoSDR and the Universal Radio Hacker (URH) software.

The La Crosse weather station system consists of an LCD base station and various wireless sensors. Ryan first found that the devices use the 915 MHz band from the details printed on the device itself. His next step was to open Universal Radio Hacker and use one of his SDRs to record a packet; URH then let him convert that recording into bits for packet analysis. The rest of his post goes into detail on how he set the symbol rate, discovered the preamble and reverse engineered the CRC.
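Reverse engineering the CRC is the step that stops most spoofing attempts, so here is an added example of the usual approach (not Ryan's code as written): given a few captured packets, search every polynomial, initial value and output XOR of a non-reflected CRC-8 and keep the parameter sets under which each packet's trailing byte checks out. The three packets are constructed here, with their CRC computed using polynomial 0x31 and init 0x00 that the search then has to rediscover; they are not real La Crosse frames.

```python
"""Recover the parameters of an unknown CRC-8 from captured packets. Added
example, not Ryan K's method as written; the packets are constructed here
(payload bytes plus a trailing CRC computed with polynomial 0x31 and init
0x00, which the search has to rediscover) and are not real La Crosse frames."""


def crc8(data, poly, init=0x00, xorout=0x00):
    """Non-reflected, MSB-first CRC-8, the form most small sensor MCUs implement."""
    crc = init
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = ((crc << 1) ^ poly) & 0xFF if crc & 0x80 else (crc << 1) & 0xFF
    return crc ^ xorout


def find_crc8_parameters(packets):
    """Return every (poly, init, xorout) under which each packet's last byte
    is the CRC of the bytes before it. Capture packets of different lengths:
    with equal-length packets only, one init/xorout pair can masquerade as
    another and the search reports two equally valid answers."""
    hits = []
    for poly in range(1, 256, 2):            # usable polynomials have the x^0 term
        for init in range(256):
            for xorout in (0x00, 0xFF):
                if all(crc8(p[:-1], poly, init, xorout) == p[-1] for p in packets):
                    hits.append((poly, init, xorout))
    return hits


def make_packet(payload, poly=0x31, init=0x00):
    """Constructed 'captured' packet: payload followed by its CRC byte."""
    return bytes(payload) + bytes([crc8(payload, poly, init)])


# Three constructed captures of different lengths (sensor-style payloads).
PACKETS = [
    make_packet(b"\x9a\x5b\x6c\x02"),
    make_packet(b"\x9a\x5b\x70\x01\x3c"),
    make_packet(b"\x9a\x5b\x6d\xff"),
]


def recovered():
    """The parameter sets consistent with all three captures."""
    return find_crc8_parameters(PACKETS)


if __name__ == "__main__":
    for poly, init, xorout in recovered():
        print(f"poly=0x{poly:02X} init=0x{init:02X} xorout=0x{xorout:02X}")
```

The search space is small enough (128 polynomials x 256 inits x 2 output masks) that pure Python finishes in about a second; if nothing matches, the next things to vary are bit reflection and whether the CRC covers a preamble or ID byte you excluded.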

The next step was to generate a spoofed packet in URH and transmit it with the PlutoSDR. This let him set the base station display to any temperature he specified, but he ran into a problem where only the first packet sent after power up was received. Eventually he discovered that the system sets a randomized interval for each transmitter at startup, and data arriving outside that interval is ignored.

Ryan's post explains his whole thought process and progress in detail, so it is an excellent study for anyone looking to get into reverse engineering wireless signals.

Reverse Engineering a La Crosse Weather Station with a PlutoSDR and RTL-SDR

Receiving pH Readings from a Wireless Medical Implant with RTL-SDR

Over on Hackaday we've learned about an interesting investigation by James Wu, who was recently implanted with a stomach pH (acidity) monitoring device called the "Medtronic Bravo Reflux Capsule". While inspecting the patient demo capsule, James noticed that the device transmits data wirelessly via a very small low power transmitter, and in particular spotted a telltale "433" printed on one of its components, indicating that it uses the 433 MHz ISM band.

Back at home he pulled up the FCC filing for the device, which revealed that it is OOK-PWM modulated and operates at 433.92 MHz. The filing also noted that the implant transmits a 59-bit data packet every 12 seconds, and contained a breakdown of the packet structure, making decoding straightforward.

With the device's wireless transmissions now documented, James grabbed his RTL-SDR and fired up SDR# to confirm that the signal was indeed present at 433.92 MHz every 12 seconds. He then decoded the data by entering the protocol parameters from the FCC filing into an rtl_433 flex decoder command line.

After a bit of further work James found that the packet actually carries two pH readings. At this stage he had the pH reading, but only as a raw 8-bit ADC value between 0 and 255. James plotted the raw ADC reading against the pH value shown on the official Medtronic receiver and found a linear relationship between the two, but notes that a more accurate calibration curve may be required for actual medical use.
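To make the decoding chain concrete, here is an added example (not James's code and not rtl_433) that does what a flex decoder does with OOK-PWM: split a pulse list into frames at long gaps, classify each high pulse as a short (0) or long (1) within a tolerance, keep only frames of exactly 59 bits, pull out two 8-bit ADC fields, and fit the linear ADC-to-pH calibration by least squares. The pulse widths, field offsets, jittered pulse list and (ADC, pH) pairs are all constructed for illustration; the capsule's real timings and layout are in its FCC filing.

```python
"""Classify OOK-PWM pulses into bits, split repeated frames, and calibrate an
8-bit ADC field to pH. Added example, not James Wu's code and not rtl_433;
the pulse widths, 59-bit layout, field offsets and (ADC, pH) calibration
pairs are constructed for illustration and are not the Bravo capsule's
real parameters (those are in its FCC filing)."""

# Constructed timing model (microseconds): a short high pulse is a 0, a long
# high pulse is a 1, and a low gap longer than RESET_US ends a frame.
SHORT_US, LONG_US, RESET_US = 250, 500, 2000
TOLERANCE = 0.30          # +/-30 % width tolerance, as a flex decoder would use
FRAME_BITS = 59           # the page: a 59-bit packet every 12 seconds
ADC_FIELDS = (8, 16)      # hypothetical offsets of the two 8-bit readings


def split_frames(pulses, reset_us=RESET_US):
    """pulses: [(high_us, low_us)] -> list of frames, split at long low gaps."""
    frames, current = [], []
    for high, low in pulses:
        current.append((high, low))
        if low > reset_us:
            frames.append(current)
            current = []
    if current:
        frames.append(current)
    return frames


def pwm_bits(frame, short_us=SHORT_US, long_us=LONG_US, tol=TOLERANCE):
    """Classify each high pulse by width; returns None if any pulse is unclassifiable."""
    bits = []
    for high, _ in frame:
        if abs(high - short_us) <= tol * short_us:
            bits.append(0)
        elif abs(high - long_us) <= tol * long_us:
            bits.append(1)
        else:
            return None                     # glitch or noise: drop the frame
    return bits


def field(bits, offset, width=8):
    """MSB-first integer from bits[offset:offset+width]."""
    value = 0
    for b in bits[offset:offset + width]:
        value = (value << 1) | b
    return value


def fit_linear(pairs):
    """Ordinary least squares y = slope*x + intercept over (x, y) pairs."""
    n = len(pairs)
    sx = sum(x for x, _ in pairs)
    sy = sum(y for _, y in pairs)
    sxx = sum(x * x for x, _ in pairs)
    sxy = sum(x * y for x, y in pairs)
    slope = (n * sxy - sx * sy) / (n * sxx - sx * sx)
    return slope, (sy - slope * sx) / n


def decode_ph(pulses, calibration):
    """Return [(adc_a, ph_a, adc_b, ph_b)] for each well-formed 59-bit frame."""
    slope, intercept = fit_linear(calibration)
    out = []
    for frame in split_frames(pulses):
        bits = pwm_bits(frame)
        if bits is None or len(bits) != FRAME_BITS:
            continue                        # wrong length: not one of our packets
        a, b = (field(bits, off) for off in ADC_FIELDS)
        out.append((a, round(slope * a + intercept, 3), b, round(slope * b + intercept, 3)))
    return out


# Constructed data: two identical 59-bit frames with timing jitter, plus a
# truncated third frame; fields are an 8-bit ID, reading A = 120, reading B = 128.
FRAME = [int(c) for c in "10110010" "01111000" "10000000" + "0" * 35]


def jittered(bits, last_gap_us):
    """Turn a bit list into a pulse list with a little deterministic jitter."""
    pulses = [((LONG_US if b else SHORT_US) + (i % 4) * 15, SHORT_US + (i % 2) * 10)
              for i, b in enumerate(bits)]
    pulses[-1] = (pulses[-1][0], last_gap_us)
    return pulses


PULSES = jittered(FRAME, 12_000_000) + jittered(FRAME, 12_000_000) + jittered(FRAME[:20], 5000)
# Constructed (raw ADC, pH shown on the official receiver) pairs.
CALIBRATION = [(40, 1.0), (80, 2.5), (120, 4.0), (160, 5.5), (200, 7.0)]

if __name__ == "__main__":
    for reading in decode_ph(PULSES, CALIBRATION):
        print(reading)
```

The same classification is what rtl_433's flex decoder does from a spec such as `-X "n=capsule,m=OOK_PWM,s=250,l=500,r=2000,bits=59"` (placeholder timings); doing it by hand is useful when you need to reject malformed frames explicitly or, as here, when the interesting part is the calibration applied after decoding.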

Decoding pH readings from a stomach implant with an RTL-SDR

If you're interested in wireless medical devices, in the past we've seen how SDRs could be used to not only receive data coming from Minimed Insulin pumps, but to maliciously control them with a HackRF too. We've also seen that data could possibly be received from implanted heart defibrillators as well.

Cloning A Garage Key with RTL-SDR, Universal Radio Hacker and an Arduino

Over on YouTube Adam Łoboda has uploaded a video showing the full steps that he's taken to reverse engineer and clone a wireless garage door key using an RTL-SDR and Arduino.

He starts by using the Universal Radio Hacker software to record the wireless signal generated by the garage key. In URH he then analyzes the signal and determines the preamble, payload and pulse width, which he enters into some Arduino code. The Arduino then generates an identical signal and transmits it via a cheap FS1000A 433 MHz RF module. At the end of the video Adam shows the cloned Arduino-based garage key working as expected. A straight replay like this only works because the key sends a fixed code; a rolling-code remote would reject the repeated frame.
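The preamble, payload and pulse width from URH become a list of carrier on/off durations, which is what the Arduino sketch bit-bangs to the FS1000A, the GNU Radio flowgraph in the Craftsman garage door post above modulates, and the beeper replay above does from a HackRF. Here is an added example (not Adam's sketch, and not Maxwell Dulin's flowgraph) that builds that schedule for plain OOK, repeats it with inter-frame gaps as most remotes do, and, for the garage door case, enumerates every DIP-switch code and sizes the brute force. The preamble, payload, code offset, symbol period, repeat count and wait time are constructed placeholders.

```python
"""Build the carrier on/off schedule a cloned OOK remote must replay, and
size a DIP-switch brute force. Added example, not Adam Łoboda's Arduino
sketch or Maxwell Dulin's GNU Radio flowgraph; the preamble, payload,
code offset, symbol period, repeat count and gaps are constructed
placeholders for the values URH or Inspectrum give you for a real remote."""

# Constructed frame layout: 8-bit preamble, then a 12-bit payload whose
# bits 2..10 hold the 9-bit DIP-switch code (hypothetical offset).
PREAMBLE = [1, 0, 1, 0, 1, 0, 1, 0]
PAYLOAD = [1, 1] + [0] * 9 + [1]
CODE_OFFSET, CODE_BITS = 2, 9
SYMBOL_US = 400             # one symbol period, the "pulse width" URH reports
REPEATS, FRAME_GAP_US = 3, 4000
DOOR_WAIT_US = 2_000_000    # placeholder: how long to wait for the door to react


def merge_runs(schedule):
    """Collapse consecutive entries with the same level into one longer pulse."""
    merged = []
    for level, us in schedule:
        if merged and merged[-1][0] == level:
            merged[-1] = (level, merged[-1][1] + us)
        else:
            merged.append((level, us))
    return merged


def ook_frame(bits, symbol_us=SYMBOL_US):
    """Plain OOK: a 1 bit is carrier on, a 0 bit carrier off, for one symbol period."""
    return merge_runs([(b, symbol_us) for b in bits])


def transmission(payload, repeats=REPEATS, gap_us=FRAME_GAP_US):
    """The (level, microseconds) list an Arduino pin or HackRF envelope replays for one press."""
    frame = ook_frame(PREAMBLE + payload)
    schedule = []
    for i in range(repeats):
        schedule.extend(frame)
        if i < repeats - 1:
            schedule.append((0, gap_us))     # idle between repeated frames
    return merge_runs(schedule)


def duration_us(schedule):
    return sum(us for _, us in schedule)


def with_code(payload, code):
    """Return the payload with the DIP-switch code bits substituted (MSB first)."""
    bits = [(code >> (CODE_BITS - 1 - i)) & 1 for i in range(CODE_BITS)]
    out = list(payload)
    out[CODE_OFFSET:CODE_OFFSET + CODE_BITS] = bits
    return out


def brute_force_plan():
    """Yield (code, schedule) for every DIP-switch setting."""
    for code in range(2 ** CODE_BITS):
        yield code, transmission(with_code(PAYLOAD, code))


def brute_force_minutes(door_wait_us=DOOR_WAIT_US):
    """Total time to try every code: transmission plus the wait for the door, per code."""
    per_code_us = duration_us(transmission(PAYLOAD)) + door_wait_us
    return 2 ** CODE_BITS * per_code_us / 60e6


if __name__ == "__main__":
    print(ook_frame([1, 1, 0, 0, 0, 1], 100))     # [(1, 200), (0, 300), (1, 100)]
    print(f"{brute_force_minutes():.1f} minutes for all {2 ** CODE_BITS} codes")
```

The merged run list is the form a bit-banging loop wants (digitalWrite of the level, then delayMicroseconds of the duration); the brute-force figure is dominated by the per-code wait for the door, which is why a 9-bit space of only 512 codes still takes on the order of an hour or two rather than seconds.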

hacking & clonning my garage key with URH ( Universal radio Hacker ) and ARDUINO DIGISPARK + FS1000A

Evil Crow RF: An Open Source CC1101 Based Device for Pentesting

The CC1101 is a popular RF chip because it handles many common digital modulation modes such as OOK/ASK, FSK, GFSK and MSK in hardware. It is not a software defined radio, but rather a hardware radio that can easily be controlled from software. Over the years we've seen the CC1101 and its cousin the CC1111 (which adds an embedded microcontroller) used in several pentesting and RF reverse engineering tools such as the Flipper Zero, Yard Stick One and PandwaRF.

There is now a new open source CC1101 implementation called the "Evil Crow RF". This hardware marries two CC1101 modules with an ESP32 WiFi and Bluetooth microcontroller. It is capable of operating in the 300 MHz - 348 MHz, 387 MHz - 464 MHz and 779 MHz - 928 MHz bands. As it has two CC1101 modules it can receive or transmit on two different frequencies at the same time. 

The firmware running on the ESP32 allows you to control the device via a simple web interface. Currently built in are interfaces for receiving, transmitting and brute forcing.

The device hardware is completely open source so anyone can build it, and the creators are also selling a ready-to-use version on AliExpress, although at the time of this post it appears to be out of stock.

Over on Twitter creator @JoelSernaMoreno has uploaded a short video of it working.

The Evil Crow RF Open Source CC1101 Based Radio