He first searched the FCC filing, finding that it transmitted in the ISM band at 433.050 to 434.790 MHz. Then using his HackRF he was able to capture the signal and determine that it used Gaussian frequency shift keying (GFSK) modulation.
While the HackRF got him this far, he next followed a different line of investigation, using a logic analyzer to probe the SPI bus that talks to the Si4431 RF transceiver on the remote control. From this he was able to determine the important properties of the signal, such as the frequency, data rate, frequency deviation, channel mapping and packet structure.
With all this information Chris was in the end able to create a product called "Tempur Bridge" that he is now selling on Tindie. It consists of an ESP32 WiFi-connected microcontroller and a Si4463 RF transceiver chip. With his product Chris is now able to control his bed through a WiFi connection in Home Assistant.
Over on YouTube Paul from "Tall Paul Tech" has uploaded a video showing how he was able to reverse engineer the wireless protocol used by a simple restaurant beeper (aka 'burger pager') notification system that is used to let customers know when their food is ready.
By reading the label on the base unit, Paul found that the beeper system transmits at 433 MHz. He was then able to record its transmissions with an RTL-SDR. Then, using Inspectrum, he was able to determine the bit string and the symbol period.
From there he was able to use a GNU Radio program to replicate the signal, allowing him to use a HackRF to activate the beepers on demand.
In the past we've posted similar stories.
Having already created the rf-car HackRF RC car control software on GitHub a few years ago, Radoslav was easily able to modify it for a new RC car that his daughter received. The process was to simply look up the FCC data on it, finding that it operated at 2.4 GHz and used GFSK modulation. He then used the Inspectrum signal analysis tool to determine the bit strings used to control the car. Finally, using his C++ interface to the HackRF, he implemented the new bit string and GFSK modulation.
The video below demonstrates Radoslav controlling the RC car with the keyboard on his laptop.
His first step was to search for the frequency, which he found active at 390 MHz. He then moved on to analyzing the signal with Inspectrum, discovering the OOK modulation, then working his way towards the binary control strings. One thing that helped with his reverse engineering was the 9-bit DIP switch bank on the remote that configures the security code which opens a specific door: changing the switches let him control the transmitted bits and determine which bits carried the security code. With this and a bit of GNU Radio code he was able to recreate the signal and transmit it with his HackRF.
Finally, Maxwell wanted to see how vulnerable this door is to a brute force attack that simply transmits every possible security code. Through some calculations, he discovered that brute forcing every possible security code in the 9-bit search space would take only 104 minutes to open any garage using this opener.
The La Crosse weather station system consists of an LCD base station and various wireless sensors. Ryan first discovered that the devices used the 915 MHz frequency band via details written on the device itself. His next step was to open up Universal Radio Hacker and use one of his SDRs to record a packet. URH then allowed him to convert that data into bits for packet analysis. The rest of his post goes into detail on how he set the symbol rate, discovered the preamble and reverse engineered the CRC code.
The next step he took was to generate a spoofed packet with URH and transmit it with the PlutoSDR. This allowed him to set the base station display to any temperature that he specified. But he ran into a problem where only the first packet he sent after power up was received. Eventually he discovered that the system sets a randomized interval for each of the transmitters at startup, and data arriving outside of that interval is ignored.
Ryan's post explains his whole thought process and progress in detail, so it is an excellent study for anyone looking to get into reverse engineering wireless signals.
Back at home he pulled up the FCC filing for the device, which revealed that it is OOK-PWM modulated and operates at 433.92 MHz. The rest of the filing also noted that the implant transmits a 59-bit data packet every 12 seconds, and contained a nice breakdown of the packet structure, making decoding easy.
With all the information about the device's wireless transmissions now known, James grabbed his RTL-SDR and fired up SDR# to confirm that the signal was indeed transmitting every 12 seconds at 433.92 MHz. Next he was able to decode the data from the device by inputting the protocol information learned from the FCC filing into an rtl_433 command line string.
After a bit of further work James discovered that the pH data was actually two readings in one data string. At this stage he finally had the pH reading, however it was represented as an 8-bit ADC reading with a value between 0 and 255. James plotted the relationship between the 8-bit raw ADC reading and the pH value shown on the official Medtronic receiver. With this he was able to determine a linear relationship between the ADC reading and the real pH reading, but notes that a more accurate calibration curve may be required for actual medical use.
Over on YouTube Adam Łoboda has uploaded a video showing the full steps that he's taken to reverse engineer and clone a wireless garage door key using an RTL-SDR and Arduino.
He starts by using the Universal Radio Hacker software to record a copy of the wireless signal generated by the garage key. Using the software he can then analyze the signal and determine the preamble data, payload data and pulse width, which he can then input into some Arduino code. The Arduino can then generate an identical signal and transmit it via a cheap FS1000A 433 MHz RF module. Finally, at the end of the video Adam shows the cloned Arduino-based garage key working as expected.
hacking & clonning my garage key with URH ( Universal radio Hacker ) and ARDUINO DIGISPARK + FS1000A
The CC1101 is a popular RF silicon chip as it can handle many common digital modulation modes such as OOK/ASK, FSK, GFSK, and MSK within its hardware. It is not a software defined radio, but rather a hardware radio that can be easily software controlled. Over the years we've seen the CC1101 and its cousin the CC1111 (which has an embedded microcontroller) used in several pentesting/RF reverse engineering tools such as the Flipper Zero, Yard Stick One and PandwaRF.
There is now a new open source CC1101 implementation called the "Evil Crow RF". This hardware marries two CC1101 modules with an ESP32 WiFi and Bluetooth microcontroller. It is capable of operating in the 300 MHz - 348 MHz, 387 MHz - 464 MHz and 779 MHz - 928 MHz bands. As it has two CC1101 modules it can receive or transmit on two different frequencies at the same time.
The firmware running on the ESP32 allows you to control the device via a simple web interface. Currently built in are interfaces for receiving, transmitting and brute forcing.
The device hardware is completely open source so anyone can build it. The creators are also selling a ready to use version on Aliexpress, although at the time of this post it appears to be out of stock.
Over on Twitter creator @JoelSernaMoreno has uploaded a short video of it working.