Tagged: reverse engineering

Decoding Radio Telemetry Heard on News Helicopter Video Footage with GNU Radio

Twitter user @d0tslash was watching news helicopter footage of the BLM protests on the 28th of May when he heard something that sounded like an RF telemetry feed in the background audio on the helicopter's video feed. Having seen this previous success at decoding similar helicopter telemetry, he contacted his friend proto17 who proceeded to reverse engineer and figure out how to decode the telemetry, in the end discovering that it was providing location data for the helicopter.

Over on GitHub proto17 has documented the complete process that he took in reverse engineering the telemetry. He first explored the audio in Baudline discovering that there was a 1200 Hz wide FSK signal. Next he used GNU Radio to further analyze the signal, discovering it's baud rate, resampling the signal and then using a GFSK block to demodulate the signal into 1's and 0's.

Finally he used some clever terminal tricks and a Python script to discover the bit pattern and convert the bits into ASCII characters which reveals the helicopter coordinates. The coordinates decoded indicate that the helicopter was indeed circling the protest area.

We looked into the news helicopters in use during the protests and found that Denver news stations all share one helicopter with registration N6UX. Plugging that into adsbexchange.com and looking at the helicopter ADS-B history on the 28th gives a good match to proto17's decoded data. 

News helicopter telemetry audio vs ADS-B history
News helicopter telemetry audio vs ADS-B history

Reverse Engineering and Controlling a Pan-Tilt Camera Servo with an RTL-SDR and Arduino

The ZIFON YT-500 is a pan-tilt tripod designed for mounting small cameras and smart phones. It also comes with an RF based 433 MHz wireless remote control that allows you to remotely control the positioning.

However, Konstantin Dorohov wanted to be able to control the camera positioning from his PC rather than through the remote control, so he set out to reverse engineer and clone the 433 MHz wireless control signal.

To do this he first used an RTL-SDR and SDR# to record the signals generated by each button press of the remote. He then opens the audio files in Audacity which allows him to inspect the signal's structure and determine some important information such as the preamble + payload timing and ON/OFF pattern. 

Knowing this information he was then able to use an Arduino with a 433 MHz transmitter connected to replicate the signal exactly. His post contains the sample code that he used.

Reverse Engineering the Pan/Tilt Servo with an RTL-SDR, and replicating the signal with an Arduino.
Reverse Engineering the Pan/Tilt Servo with an RTL-SDR, and replicating the signal with an Arduino.

YouTube Video: Reverse Engineering with SDR

Over on YouTube Black Hills Information Security (aka Paul Clark) has uploaded a one hour long presentation that shows how to use a software defined radio to reverse engineer digital signals using GNU Radio.

One of the most common uses of Software Defined Radio in the InfoSec world is to take apart a radio signal and extract its underlying digital data. The resulting information is often used to build a transmitter that can compromise the original system. In this webcast, you'll walk through a live demo that illustrates the basic steps in the RF reverse engineering process, including:

- tuning
- demodulation
- decoding
- determining bit function
- building your own transmitter
- and much, much more!

Reverse Engineering with SDR

SigDigger: A Graphical Digital Signal Analyzer for Linux

Recently a new open source Linux based SDR application called SigDigger was released by programmer BatchDrake (Gonzalo J. Carracedo). It is based on his own DSP libraries called Sigutils and Suscan which can take advantage of multi-core CPUs. SigDigger also makes use of the SoapySDR interface, so it is compatible with almost all software defined radios including the RTL-SDR.

SigDigger Screenshot
SigDigger Screenshot

Like other general purpose SDR applications, SigDigger has your typical AM/FM/LSB/USB demodulation and audio playback features. However, it also has some key additional features that make it worth taking a look at if you're interested in reverse engineering, or taking a closer look at digital signals. The features include:

  • Both realtime and replay analysis modes
  • Analog audio playback (AM, FM, LSB and USB)
  • Baseband recording (full spectrum and per-channel)
  • Per-device gain presents
  • Dynamic spectrum browsing
  • ASK, FSK and PSK inspection
  • Gradient-descent SNR calculation
  • Different spectrum sources (cyclostarionary analysis, signal power…)
  • Symbol recording and visualization
  • Transition analysis

Planned features already implemented and just waiting to be exposed to the UI:

  • Parameter estimation (baudrate, constellation order…)
  • Fast symbol autocorrelation analysis
  • Automatic calculation of scrambling polynomials
  • Symbol stream codecs

Possible future features coming soon:

  • Symbol tagging (correspondence between symbols and groups of bits)
  • Automatic symbol tagging guessing
  • Automatic convolutional code detection
  • Viterbi decoding

We note that while the UI looks like GQRX, it is not based on GQRX at all. Rather BatchDrake just liked the minimal UI of GQRX. Also unlike GQRX, SigDigger is not based on GNU Radio, so it may be a bit more efficient and lightweight.

Below we've embedded a video that BatchDrake uploaded his YouTube channel which demonstrates SigDigger being used to inspect a PSK channel.

Using SigDigger to inspect a PSK channel

This software looks great, and we think it deserves some serious attention and testing, so check it out on the GitHub. Binary releases are also available, although BatchDrake notes that they are minimally tested, for x64 Linux only, and preferably for Debian-like distros. Alternatively, it can be installed from source, after installing the Sigutils and Suscan DSP library dependencies.

Reverse Engineering and Controlling a Wireless Doorbell with an RTL-SDR and Arduino

Thank you to Shreyas Ubale for submitting his blog post about reverse engineering a wireless doorbell, and then performing a replay attack. Shreyas had purchased a wireless doorbell set containing one button transmitter and two bell receivers. However, his situation required two transmitters, one for visitors at the door, and one to be used by family within his house.

In order to create a second transmitter he decided to reverse engineer the doorbells wireless signal, and use that information to create an Arduino based transmitter. His process involves first using an RTL-SDR to determine the transmission frequency, then using the rtl_433 software to capture the raw waveform which he then analyzes manually using Audacity. Once the binary string, length and pulse width is known he is able to program an Arduino connected to a 433 MHz transmitter to replicate the signal.

In future posts Shreyas hopes to explore other ways to transmit the signal, and eventually design a simple but configurable 433 MHz push button that supports RF, WiFi, and can support the IFTTT web service.

If you're interested, check out some of our previous posts that highlight many other successful reverse engineering experiments with RF devices and SDR.

Doorbell Signal Analysis in Audacity. Captured with an RTL-SDR.
Doorbell Signal Analysis in Audacity. Captured with an RTL-SDR.

Using a HackRF to Reverse Engineer and Control Restaurant Pagers

Several years ago back in 2013 and 2014 we uploaded two posts showing how it was possible to use an SDR to listen in to restaurant pagers and collect data from them, and also to spoof their signal and activate them on demand. If you were unaware, restaurant pagers (aka burger pagers), are small RF controlled discs that some restaurants hand out to customers who are waiting for food. When the food is ready, the pager is remotely activated by the staff, and then flashes and buzzes, letting the customer know that their order can be picked up.

Over on YouTube user Tony Tiger has uploaded a video that shows an overview on how to reverse engineer the signal coming from a particular brand of restaurant pagers. The tools he uses include a HackRF SDR and the Inspectrum and Universal Radio Hacker software packages. If you're interested in reverse engineering signals, this is a good overview. Later in the video he shows a GNU Radio and Python program that he's created to control the pagers.

Hacking Restaurant Pagers with HackRF

Reverse Engineering Wireless Blinds with an RTL-SDR and Controlling them with Amazon Alexa

Amazon Alexa is a smart speaker that can be programmed to control home automation devices via voice commands. For example, Stuart Hinson wanted to be able to control his wirelessly controlled blinds simply by verbally asking Alexa to close or open them. Stuart's blinds could already be controlled via a 433 MHz remote control, so he decided to replicate the control signals on an ESP8266 with 433 MHz transmitter, and interface that with Alexa. The ESP8266 is a cheap and small WiFi capable microchip which many people are using to create IoT devices.

Fortunately replicating the signal was quite easily as all he had to do was record the signal from the remote control with his RTL-SDR, and use the Universal Radio Hacker software to determine the binary bit string and modulation details. Once he had these details, he was able to program the ESP8266 to replicate the signal and transmit it via the 433 MHz transmitter. The remaining steps were all related to setting up an HTTP interface that Alexa could interface with.

If you're interested, we've also previously posted about another Alexa + RTL-SDR mashup which allows Alexa to read out ADS-B information about aircraft flying in your vicinity.

[First seen on Hackaday]

The ESP8266 with 433 MHz Transmitter
The ESP8266 with 433 MHz Transmitter

Using RTL_433 to Decode SimpliSafe Home Security Systems

SimpliSafe is an American DIY home security system company that claims over 2 million customers. Their system relies on 433/315 MHz ISM band wireless radio communications between its various sensors, control panels and remote controls. Back in 2016 we already posted about research from Dr. Andrew Zonenberg and Micheal Ossmann who showed that the SimpliSafe wireless communications are unencrypted, and can easily be intercepted, decoded, and spoofed. SimpliSafe responded to those concerns by downplaying them and mentioning that sophisticated hardware was required.

However, now Adam of simpleorsecure.net has recently disclosed a security advisory and a blog post discussing how easy it is to decode SimpliSafe wireless communications with an RTL-SDR and the rtl_433 software. He also also released slides from a recent talk that he did that go over his entire process and findings.

Adam began with some initial manual RF analysis with an RTL-SDR, and then later worked with rtl_433 dev Christian Zuckschwerd to add PiWM demodulation capability, which is the modulation used by SimpliSafe systems. Now Adam is able to easily decode the serial number, pin codes, and status codes transmitted by SimpliSafe sensors and key pads in real time with just an RTL-SDR.

This is very concerning as not only could a burglar easily learn the alarm disarm pincode, but they could also profile your behavior to find an optimal time to break in. For example if you arm your alarm before bed, and disarm in the morning your sleep schedule is being broadcast. It is also possible to determine if a particular door or window has been left open. With a tuned Yagi antenna Adam was able to receive signals from 200+ feet (60m) in free space, and 115 feet (35m) through walls.

In addition to the lack of encryption, Adam also discovered that the SimpliSafe system was susceptible to jamming attacks, and that the tamper detection system can be easily compromised. Adam has disclosed all concerns and findings to SimpliSafe who are aware of the problems. They assure him that next generation systems will not suffer from these flaws. But unfortunately for current generation owners, the hardware will need to be eventually replaced as there is no over the air update capability. 

An RTL-SDR and SimpliSafe KeyPad
An RTL-SDR and SimpliSafe KeyPad