Tagged: reverse engineering

Reverse Engineering and Controlling a Wireless Doorbell with an RTL-SDR and Arduino

Thank you to Shreyas Ubale for submitting his blog post about reverse engineering a wireless doorbell, and then performing a replay attack. Shreyas had purchased a wireless doorbell set containing one button transmitter and two bell receivers. However, his situation required two transmitters, one for visitors at the door, and one to be used by family within his house.

In order to create a second transmitter he decided to reverse engineer the doorbells wireless signal, and use that information to create an Arduino based transmitter. His process involves first using an RTL-SDR to determine the transmission frequency, then using the rtl_433 software to capture the raw waveform which he then analyzes manually using Audacity. Once the binary string, length and pulse width is known he is able to program an Arduino connected to a 433 MHz transmitter to replicate the signal.

In future posts Shreyas hopes to explore other ways to transmit the signal, and eventually design a simple but configurable 433 MHz push button that supports RF, WiFi, and can support the IFTTT web service.

If you're interested, check out some of our previous posts that highlight many other successful reverse engineering experiments with RF devices and SDR.

Doorbell Signal Analysis in Audacity. Captured with an RTL-SDR.
Doorbell Signal Analysis in Audacity. Captured with an RTL-SDR.

Using a HackRF to Reverse Engineer and Control Restaurant Pagers

Several years ago back in 2013 and 2014 we uploaded two posts showing how it was possible to use an SDR to listen in to restaurant pagers and collect data from them, and also to spoof their signal and activate them on demand. If you were unaware, restaurant pagers (aka burger pagers), are small RF controlled discs that some restaurants hand out to customers who are waiting for food. When the food is ready, the pager is remotely activated by the staff, and then flashes and buzzes, letting the customer know that their order can be picked up.

Over on YouTube user Tony Tiger has uploaded a video that shows an overview on how to reverse engineer the signal coming from a particular brand of restaurant pagers. The tools he uses include a HackRF SDR and the Inspectrum and Universal Radio Hacker software packages. If you're interested in reverse engineering signals, this is a good overview. Later in the video he shows a GNU Radio and Python program that he's created to control the pagers.

Hacking Restaurant Pagers with HackRF

Reverse Engineering Wireless Blinds with an RTL-SDR and Controlling them with Amazon Alexa

Amazon Alexa is a smart speaker that can be programmed to control home automation devices via voice commands. For example, Stuart Hinson wanted to be able to control his wirelessly controlled blinds simply by verbally asking Alexa to close or open them. Stuart's blinds could already be controlled via a 433 MHz remote control, so he decided to replicate the control signals on an ESP8266 with 433 MHz transmitter, and interface that with Alexa. The ESP8266 is a cheap and small WiFi capable microchip which many people are using to create IoT devices.

Fortunately replicating the signal was quite easily as all he had to do was record the signal from the remote control with his RTL-SDR, and use the Universal Radio Hacker software to determine the binary bit string and modulation details. Once he had these details, he was able to program the ESP8266 to replicate the signal and transmit it via the 433 MHz transmitter. The remaining steps were all related to setting up an HTTP interface that Alexa could interface with.

If you're interested, we've also previously posted about another Alexa + RTL-SDR mashup which allows Alexa to read out ADS-B information about aircraft flying in your vicinity.

[First seen on Hackaday]

The ESP8266 with 433 MHz Transmitter
The ESP8266 with 433 MHz Transmitter

Using RTL_433 to Decode SimpliSafe Home Security Systems

SimpliSafe is an American DIY home security system company that claims over 2 million customers. Their system relies on 433/315 MHz ISM band wireless radio communications between its various sensors, control panels and remote controls. Back in 2016 we already posted about research from Dr. Andrew Zonenberg and Micheal Ossmann who showed that the SimpliSafe wireless communications are unencrypted, and can easily be intercepted, decoded, and spoofed. SimpliSafe responded to those concerns by downplaying them and mentioning that sophisticated hardware was required.

However, now Adam of simpleorsecure.net has recently disclosed a security advisory and a blog post discussing how easy it is to decode SimpliSafe wireless communications with an RTL-SDR and the rtl_433 software. He also also released slides from a recent talk that he did that go over his entire process and findings.

Adam began with some initial manual RF analysis with an RTL-SDR, and then later worked with rtl_433 dev Christian Zuckschwerd to add PiWM demodulation capability, which is the modulation used by SimpliSafe systems. Now Adam is able to easily decode the serial number, pin codes, and status codes transmitted by SimpliSafe sensors and key pads in real time with just an RTL-SDR.

This is very concerning as not only could a burglar easily learn the alarm disarm pincode, but they could also profile your behavior to find an optimal time to break in. For example if you arm your alarm before bed, and disarm in the morning your sleep schedule is being broadcast. It is also possible to determine if a particular door or window has been left open. With a tuned Yagi antenna Adam was able to receive signals from 200+ feet (60m) in free space, and 115 feet (35m) through walls.

In addition to the lack of encryption, Adam also discovered that the SimpliSafe system was susceptible to jamming attacks, and that the tamper detection system can be easily compromised. Adam has disclosed all concerns and findings to SimpliSafe who are aware of the problems. They assure him that next generation systems will not suffer from these flaws. But unfortunately for current generation owners, the hardware will need to be eventually replaced as there is no over the air update capability. 

An RTL-SDR and SimpliSafe KeyPad
An RTL-SDR and SimpliSafe KeyPad

Reverse Engineering Weather Station RF Signals with an RTL-SDR

Johannes Smit wanted to be able to view the live data from his SWR WH2303 weather station and send it to a database. Whilst the weather data acquisition software that he paid for worked well, he thought that there must be a cheaper and more fun way to grab the data. But unfortunately the manufacturers would not respond to his request for the RF protocol specifications. So Johannes decided to reverse engineer the protocol using his RTL-SDR instead.

Johannes has submitted to us a document that very nicely details his every step taken when reverse engineering the weather station (Google docs document). He starts by confirming the signal frequency in GQRX, and then attempting to see is the rtl_433 could already recognise the signal. Whilst rtl_433 saw something, it was unable to decode the packet properly.

Next he fired up Universal Radio Hacker (URH) and captured a sample of the weather station signal. Using URH he was able to determine the modulation type (FSK) and the bit length parameter (150us). Johannes' next step was to open the weather station, find the RF chip, look up the RF chip information on the web and find the spec sheet. From the spec sheet and internet forum searches he was able to determine the properties of the packet including the sync word and preamble. With this data he was able to determine the packet structure.

Finally he captured a packet and recorded the exact data shown on the weather station at the time of the packet. With this he was able to search the binary data string for the data shown on the weather station, indicating the location of a particular piece of data within the string.

Johannes' tutorial shows just how powerful tools like Universal Radio Hacker can be, and his tutorial is an excellent start for those looking at reverse engineering any of their own local RF protocols.

The binary packet data in Universal Radio Hacker.
The binary packet data in Universal Radio Hacker.

Reverse Engineering or Brute Forcing Wireless Powerplug Remote Controls with a HackRF One

Over on his blog "Foo-Manroot" has created a post where he shows us how he can control a wirelessly controlled powerplug with his HackRF. These power plugs can be used to turn electrically devices on or off remotely, and their wireless protocol is often simple On-Off Keying (OOK) with little to no security.

Foo-Manroot first explains how easily capture and replay a signal with the HackRF. If the signal is simple without any security like rolling codes then a simple replay attack like this will allow the HackRF to control the device quite easily. In the next section he goes on to explain how to actually analyze and synthesize the packets yourself using Python and GNU Radio. Finally he also shows that a brute force attack can be applied once you know how to synthesize the signal. Brute forcing runs over every possible packet combination in a short time and this can be pretty fast for simple protocols like those used in wireless remote controls. His post also includes all the GNU Radio files required so it is easy for someone to replicate his work easily.

If you are interested in controlling simple OOK devices like a wireless powerplug with replay attacks then we have a tutorial for doing this with a simple RTL-SDR and Raspberry Pi running RpiTX which might be useful for those who don't have a HackRF.

HackRF Controlling the Wireless Power Outlet by Brute Forcing Packets
HackRF Controlling the Wireless Power Outlet by Brute Forcing Packets

 

Reverse Engineering for a Secure Future: Talk by Samy Kamkar

During the Hackaday superconference held during November 2017, Samy Kamkar presented a talk on how he reverse engineers devices, and in particular passive entry and start systems in vehicles. In the talk he also explains what tools he uses which includes SDRs like the HackRF One and RTL-SDR dongle and explains the methodology that he takes when looking at how to reverse engineer any new device. Samy is most famous for writing the Samy MySpace computer worm and also popularizing the "RollJam" wireless car door vulnerability. The talk blurb reads:

In this talk Samy Kamkar shares the exciting details on researching closed systems & creating attack tools to (demonstrate) wirelessly unlocking and starting cars with low-cost tools, home made PCBs, RFID/RF/SDR & more. He describes how to investigate an unknown system, especially when dealing with chips with no public datasheets and undisclosed protocols. Learn how vehicles communicate with keyfobs (LF & UHF), and ultimately how a device would work that can automatically detect the makes/models of keyfobs nearby. Once the keyfobs have been detected, an attacker could choose a vehicle and the device can wirelessly unlock & start the ignition. Like Tinder, but for cars.

Samy Kamkar: Creating Vehicle Reconnaissance & Attack Tools -- Hackaday Superconference 2017

Unknown Signal Reverse Engineering and Decoding AFSK Signals Tutorial

Over on his blog "ele y ciencia" has written up two very useful blog posts - one on how to decode AFSK signals from scratch and the other on how to reverse engineer any unknown digital signal. The blog is written entirely in Spanish, but Google translate does a decent enough job at getting the message across (in Chrome right click anywhere on the page and select Translate to English or use the Google translate webpage).

The first post is about decoding an AFSK protocol and explains that you need to record the signal with an RTL-SDR or other SDR, apply a low pass filter to obtain the signal envelope and then apply thresholding with the known baud rate to obtain the demodulated digital signal. The tutorial is high level and just explains the process, but doesn't show how to do it in any software. Later on in the post he goes on to show how he reverse engineered a train-land radiotelephone system and a TCM3105 modem chip which utilizes a FSK system.

In the second post he shows how to decode any unknown digital signal using just an RTL-SDR and Audacity. He starts off with finding and recording an unknown digital signal with an RTL-SDR and then reverse engineers it in a sort of manual fashion without using any tools like Universal Radio Hacker. The post goes through the full details and steps that he took, and in the end he gets data out of the signal discovering that it is data from a Fleet Management System used in his country for monitoring data such as speed and engine data from commercial vehicles like trucks and buses.

The two posts are very detailed and could be an excellent reference for those interested in reverse engineering some unknown digital signals in your area.

Decoding an Unknown "Fleet Management" signal from scratch.
Decoding an Unknown "Fleet Management" signal from scratch.