Back at home he pulled up the FCC filing for the device, which revealed that it is OOK-PWM modulated and operates at 433.92 MHz. The rest of the filing noted that the implant transmits a 59-bit data packet every 12 seconds, and contained a nice breakdown of the packet structure, which made decoding straightforward.
With all the information about the device's wireless transmissions now known, James grabbed his RTL-SDR and fired up SDR# to confirm that the signal was indeed transmitting every 12 seconds at 433.92 MHz. Next he was able to decode the data from the device by inputting the protocol information learned from the FCC filing into an rtl_433 command line string.
After a bit of further work James discovered that the pH data was actually two readings in one data string. At this stage he finally had the pH reading, however it was represented as an 8-bit ADC reading with a value between 0 and 255. James plotted the relationship between the 8-bit raw ADC reading and the pH value shown on the official Medtronic receiver. With this he was able to determine a linear relationship between the ADC reading and the real pH reading, but notes that a more accurate calibration curve may be required for actual medical use.
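The calibration step described above, as an added example (not James's code, and not anything from Medtronic): a least-squares straight-line fit from raw 8-bit ADC readings to the pH shown on a reference receiver, plus the residual check you would use to decide whether a straight line is good enough. The sample points are constructed for illustration, not measurements from the device.

```python
# Added example: fit pH = slope * adc + intercept from (adc, reference pH) pairs.
# The points below are constructed and deliberately lie on a straight line; real
# captures would be noisier and the residual check then becomes the useful part.
from typing import List, Tuple

Point = Tuple[int, float]  # (raw 8-bit ADC value, pH read off the reference receiver)

SAMPLE_POINTS: List[Point] = [  # constructed values, not device data
    (40, 1.6), (80, 3.2), (120, 4.8), (160, 6.4), (200, 8.0), (240, 9.6),
]


def fit_linear(points: List[Point]) -> Tuple[float, float]:
    """Ordinary least-squares fit; returns (slope, intercept)."""
    n = len(points)
    sx = sum(x for x, _ in points)
    sy = sum(y for _, y in points)
    sxx = sum(x * x for x, _ in points)
    sxy = sum(x * y for x, y in points)
    denom = n * sxx - sx * sx
    if denom == 0:
        raise ValueError("need at least two distinct ADC values to fit a line")
    slope = (n * sxy - sx * sy) / denom
    intercept = (sy - slope * sx) / n
    return slope, intercept


def max_residual(points: List[Point], slope: float, intercept: float) -> float:
    """Largest |measured - predicted| pH; large values mean a line is not enough."""
    return max(abs(y - (slope * x + intercept)) for x, y in points)


def adc_to_ph(raw: int, slope: float, intercept: float) -> float:
    """Convert one raw reading, rejecting values outside the 8-bit range."""
    if not 0 <= raw <= 255:
        raise ValueError(f"raw ADC value {raw} is outside 0..255")
    return slope * raw + intercept


if __name__ == "__main__":
    m, c = fit_linear(SAMPLE_POINTS)
    print(f"pH = {m:.4f} * adc + {c:.4f}; worst residual {max_residual(SAMPLE_POINTS, m, c):.4f}")
    print(f"adc 100 -> pH {adc_to_ph(100, m, c):.2f}")
```

Because the constructed points are exactly linear the residual comes out at zero; on a real plot a residual that grows towards the ends of the ADC range is the sign that the calibration curve James mentions is needed.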
Over on YouTube Adam Łoboda has uploaded a video showing the full steps that he's taken to reverse engineer and clone a wireless garage door key using an RTL-SDR and Arduino.
He starts by using the Universal Radio Hacker software to record a copy of the wireless signal generated by the garage key. Using the software he can then analyze the signal, and determine the preamble data, payload data and pulse width which he can then input into some Arduino code. The Arduino can then generate an identical signal, and transmit it via a cheap FS1000A 433 MHz RF module. Finally, at the end of the video Adam shows the cloned Arduino based garage key working as expected.
hacking & clonning my garage key with URH ( Universal radio Hacker ) and ARDUINO DIGISPARK + FS1000A
The CC1101 is a popular RF silicon chip as it can handle many common digital modulation modes such as OOK/ASK, FSK, GFSK, and MSK within its hardware. It is not a software defined radio, but rather a hardware radio that can be easily software controlled. Over the years we've seen the CC1101 and its cousin the CC1111 with embedded microcontroller used in several pentesting/RF reverse engineering tools such as the Flipper Zero, Yard Stick One and PandwaRF.
There is now a new open source CC1101 implementation called the "Evil Crow RF". This hardware marries two CC1101 modules with an ESP32 WiFi and Bluetooth microcontroller. It is capable of operating in the 300 MHz - 348 MHz, 387 MHz - 464 MHz and 779 MHz - 928 MHz bands. As it has two CC1101 modules it can receive or transmit on two different frequencies at the same time.
The firmware running on the ESP32 allows you to control the device via a simple web interface. Currently built in are interfaces for receiving, transmitting and brute forcing.
The device hardware is completely open source so anyone can build it. The creators are also selling a ready to use version on Aliexpress, although at the time of this post it appears to be out of stock.
Over on Twitter creator @JoelSernaMoreno has uploaded a short video of it working.
Over on YouTube "River's Educational Channel" has uploaded a video showing how he was able to reverse engineer the wireless control signal from his ceiling fan remote, and use that information to create a new transmitter controlled via his smart home's Raspberry Pi.
In the video River uses an RTL-SDR and the Spektrum software to initially identify the remote's frequency, before moving on to record the signal in Universal Radio Hacker (URH). He then goes on to reverse engineer the signal and determine the binary control string for each button on the ceiling fan's remote control.
In part 2, which is yet to be released, River will show how to transmit this signal via his Raspberry Pi 3B in order to integrate it with his smart home.
Hacking My Ceiling Fan Radio Signal With a $15 USB TV Tuner (RTL2832U)
To begin the investigation stdw first opened the case and looked for a serial UART port. After finding one he connected the UART up to a Raspberry Pi and was almost immediately able to connect to the device's terminal. From the information displayed during the boot process, stdw was able to determine that the modem was running the eCos operating system on a Broadcom BCM3383 SoC. Unfortunately after receiving that information the UART connection is dropped, preventing any further terminal investigation.
To get around this issue, stdw decided to dump the flash memory via an SPI memory chip he saw on the board. Again using the Raspberry Pi he was able to connect via SPI and use the flashrom tool to read the memory. Next using a tool called bcm2-utils, stdw was able to parse and actually modify the configuration information stored in the flash memory. With this he was able to modify the configuration so that the serial connection did not drop after boot.
With terminal access gained, stdw was now able to reverse engineer the firmware, and after a lot of searching eventually find a console command which would perform a bandpower measurement for a given frequency range. He found that IQ data for this scan was stored in a buffer which he could then stream out via a TCP connection. With the IQ data finally available on another PC he was then able to use Python libraries to compute an FFT and actually visualize the scanned spectrum. Some further investigation yielded actually demodulated FM audio, and the realization that the usable bandwidth is 7.5 MHz.
Unfortunately there were some limitations. There is only enough RAM to store less than a second of data at a time at maximum bandwidth and precision, which meant that a lot of data needed to be dropped in between captures. Further investigation yielded methods to reduce the sample rate down to 464 kHz, which meant that only 12% of the data was ever dropped - enough to stream a wideband FM radio signal.
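The FFT step in stdw's write-up, as an added example that is not stdw's code: a small pure-Python radix-2 FFT over complex IQ samples, a centred power spectrum, and a peak finder that reports where the strongest carrier sits. The 464 kHz sample rate is the figure quoted above; the IQ input is a constructed test tone rather than anything captured from the modem.

```python
# Added example: power spectrum of a complex IQ buffer and the strongest offset.
# No numpy, so it runs anywhere; for real captures you would swap fft() for
# numpy.fft.fft and keep the rest.
import cmath
import math
from typing import List, Tuple

SAMPLE_RATE_HZ = 464_000   # reduced rate mentioned in the write-up


def fft(x: List[complex]) -> List[complex]:
    """Recursive radix-2 FFT; the input length must be a power of two."""
    n = len(x)
    if n == 1:
        return [complex(x[0])]
    if n & (n - 1):
        raise ValueError("FFT length must be a power of two")
    even = fft(x[0::2])
    odd = fft(x[1::2])
    out = [0j] * n
    for k in range(n // 2):
        twiddle = cmath.exp(-2j * math.pi * k / n) * odd[k]
        out[k] = even[k] + twiddle
        out[k + n // 2] = even[k] - twiddle
    return out


def power_spectrum_db(iq: List[complex], sample_rate_hz: float) -> List[Tuple[float, float]]:
    """(frequency offset in Hz, power in dB) pairs running from -fs/2 to +fs/2.

    Complex IQ keeps negative and positive offsets apart, which is why the
    usable bandwidth of a complex stream equals its sample rate.
    """
    n = len(iq)
    spectrum = fft(iq)
    half = n // 2
    shifted = spectrum[half:] + spectrum[:half]     # fftshift: put DC in the middle
    result = []
    for k, value in enumerate(shifted):
        freq = (k - half) * sample_rate_hz / n
        power = 20 * math.log10(abs(value) / n + 1e-12)   # small floor avoids log(0)
        result.append((freq, power))
    return result


def strongest_offset_hz(iq: List[complex], sample_rate_hz: float) -> float:
    """Offset of the strongest bin, i.e. where the dominant carrier is."""
    return max(power_spectrum_db(iq, sample_rate_hz), key=lambda fp: fp[1])[0]


def bin_width_hz(n_samples: int, sample_rate_hz: float) -> float:
    """Frequency resolution of an n-point FFT at this sample rate."""
    return sample_rate_hz / n_samples


def constructed_tone(offset_hz: float, sample_rate_hz: float, n: int) -> List[complex]:
    """Constructed input: a pure complex exponential at the given offset."""
    return [cmath.exp(2j * math.pi * offset_hz * k / sample_rate_hz) for k in range(n)]


if __name__ == "__main__":
    iq = constructed_tone(-100_000, SAMPLE_RATE_HZ, 1024)
    print(f"peak near {strongest_offset_hz(iq, SAMPLE_RATE_HZ):.0f} Hz "
          f"(bin width {bin_width_hz(1024, SAMPLE_RATE_HZ):.1f} Hz)")
```

A tone that does not land exactly on a bin centre still peaks in the nearest bin, so the reported offset is only ever accurate to within one bin width; use a longer FFT when you need finer resolution.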
If you wanted to try investigating the modem yourself, the Motorola MB7220 is available second hand on eBay for prices ranging between US$15 - US$40, and new on Amazon for $46.99. Although the usability of the modem for any real SDR applications may not be great, further investigation may yield better results. And if not, following along with the process stdw took looks to be a great reverse engineering learning experience. Other modems that use similar Broadcom chips may also be worth investigating.
Twitter user @d0tslash was watching news helicopter footage of the BLM protests on the 28th of May when he heard something that sounded like an RF telemetry feed in the background audio on the helicopter's video feed. Having seen a previous success at decoding similar helicopter telemetry, he contacted his friend proto17, who proceeded to reverse engineer and figure out how to decode the telemetry, in the end discovering that it was providing location data for the helicopter.
Finally he used some clever terminal tricks and a Python script to discover the bit pattern and convert the bits into ASCII characters which reveals the helicopter coordinates. The coordinates decoded indicate that the helicopter was indeed circling the protest area.
We looked into the news helicopters in use during the protests and found that Denver news stations all share one helicopter with registration N6UX. Plugging that into adsbexchange.com and looking at the helicopter ADS-B history on the 28th gives a good match to proto17's decoded data.
The ZIFON YT-500 is a pan-tilt tripod designed for mounting small cameras and smart phones. It also comes with an RF based 433 MHz wireless remote control that allows you to remotely control the positioning.
To do this he first used an RTL-SDR and SDR# to record the signals generated by each button press of the remote. He then opened the audio files in Audacity, which allowed him to inspect the signal's structure and determine some important information such as the preamble + payload timing and the ON/OFF pattern.
Knowing this information he was then able to use an Arduino with a 433 MHz transmitter connected to replicate the signal exactly. His post contains the sample code that he used.
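The decoding step that recurs through the posts above (the OOK-PWM implant packet, the garage key, the ceiling fan remote and this ZIFON remote) is the same in each case: read pulse and gap widths off a trace, classify each pair as a short/long symbol, and pack the resulting bits into bytes. Here is that step as an added example; it is not code from any of the posts or authors, and the 400 µs / 1200 µs timing, the sync pulse and the sample capture are all constructed rather than taken from a real device.

```python
# Added example: decode PWM-style OOK pulse timings (as measured in Audacity or
# URH) into bits and bytes. Timing constants are constructed, not device values.
from typing import List, Tuple

Pulse = Tuple[int, int]     # (high duration, low duration) in microseconds

SHORT_US = 400              # constructed short symbol width
LONG_US = 1200              # constructed long symbol width
SYNC_US = 3 * LONG_US       # constructed preamble: one long high then one long low
TOLERANCE = 0.25            # accept +/-25% jitter around each nominal width


def matches(width_us: int, nominal_us: int) -> bool:
    """True when a measured width is within TOLERANCE of the nominal width."""
    return abs(width_us - nominal_us) <= nominal_us * TOLERANCE


def strip_preamble(pulses: List[Pulse]) -> List[Pulse]:
    """Drop the sync pair; refuse captures that do not start with one."""
    if not pulses or not (matches(pulses[0][0], SYNC_US) and matches(pulses[0][1], SYNC_US)):
        raise ValueError("capture does not begin with the expected sync pulse")
    return pulses[1:]


def pwm_to_bits(pulses: List[Pulse], long_high_is_one: bool = True) -> List[int]:
    """Map each (high, low) pair to one bit; reject pairs that fit neither symbol.

    Which polarity means '1' is a per-device choice, hence the flag.
    """
    bits = []
    for i, (high, low) in enumerate(pulses):
        if matches(high, LONG_US) and matches(low, SHORT_US):
            bits.append(1 if long_high_is_one else 0)
        elif matches(high, SHORT_US) and matches(low, LONG_US):
            bits.append(0 if long_high_is_one else 1)
        else:
            raise ValueError(f"pulse {i}: ({high} us, {low} us) is not a valid PWM symbol")
    return bits


def bits_to_bytes(bits: List[int], msb_first: bool = True) -> bytes:
    """Pack bits into bytes; a trailing partial byte is zero-padded."""
    out = bytearray()
    for i in range(0, len(bits), 8):
        chunk = bits[i:i + 8]
        chunk = chunk + [0] * (8 - len(chunk))
        if not msb_first:
            chunk.reverse()
        value = 0
        for b in chunk:
            value = (value << 1) | b
        out.append(value)
    return bytes(out)


def decode_frame(pulses: List[Pulse]) -> bytes:
    """Full pipeline: sync check, symbol classification, byte packing."""
    return bits_to_bytes(pwm_to_bits(strip_preamble(pulses)))


# Constructed capture encoding the bytes 0xA5 0x3C with jitter on every pulse.
SAMPLE_CAPTURE: List[Pulse] = [
    (3620, 3580),
    (1180, 420), (410, 1230), (1210, 390), (390, 1190),
    (420, 1210), (1190, 410), (400, 1200), (1220, 380),
    (395, 1215), (410, 1180), (1205, 405), (1195, 395),
    (1230, 410), (1185, 420), (405, 1205), (415, 1190),
]

if __name__ == "__main__":
    print(decode_frame(SAMPLE_CAPTURE).hex())   # a53c
```

The two things most often got wrong when turning a trace into bytes are the polarity (which symbol is a one) and the bit order within a byte, so both are parameters here; if the decoded bytes look like nonsense, try the other setting of each before assuming the protocol is more complicated than it is. Rejecting any pair that fits neither symbol, rather than guessing, is what keeps a noisy capture from silently producing a plausible-looking but wrong payload.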
Over on YouTube Black Hills Information Security (aka Paul Clark) has uploaded a one hour long presentation that shows how to use a software defined radio to reverse engineer digital signals using GNU Radio.
One of the most common uses of Software Defined Radio in the InfoSec world is to take apart a radio signal and extract its underlying digital data. The resulting information is often used to build a transmitter that can compromise the original system. In this webcast, you'll walk through a live demo that illustrates the basic steps in the RF reverse engineering process, including:
- tuning
- demodulation
- decoding
- determining bit function
- building your own transmitter
- and much, much more!