Tagged: reverse engineering

Reverse engineering a wireless thermostat with an RTL-SDR

When Tom Taylor's home heating boiler was replaced, the builders also replaced the old wired rotary thermostat with a digital wireless one. That sounds like an upgrade, but Tom soon found that the thermostat's UI was terrible and its buttons horrible to press, to the point that he preferred to shiver rather than use it. So Tom decided to see if there was a smarter way to control the heating.

Investigating the thermostat, Tom found that the wireless unit transmits in the unlicensed 433 MHz band and sends only two commands, on and off. Using his RTL-SDR and the CubicSDR software on his Mac he could see the short blip of the thermostat signal. He then recorded the on and off transmissions and opened the files in Audacity, a free audio editor, where he could compare the waveforms of the two commands.

From his analysis he discovered that each transmission consists of a preamble followed by the on or off command, which is sent twice, presumably so that the boiler still receives a valid copy if one is corrupted by interference. Tom also discovered that the command bits are encoded with pulse width modulation: the width of each pulse, not the gap between pulses, carries the bit value.

With this knowledge Tom was able to use a cheap 433 MHz transmitter module together with an Arduino and a short sketch to reproduce identical on and off transmissions that control the boiler. Tom writes that his next steps are to create a heating schedule based on his family's shared calendar, build a thermostat control loop, and create a web-connected interface with a Raspberry Pi.

The 433 MHz thermostat on/off signal detected with an RTL-SDR in the CubicSDR software

Reverse engineering a public parking electronic display to play Tetris

Recently we received an email from RTL-SDR.com reader @Ivoidwarranties about his latest project, which involved using a HackRF to reverse engineer the RF protocol used by a public parking electronic display. Once reverse engineered, @Ivoidwarranties used an XR-2206 monolithic function generator, a hybrid RF amplifier and an Arduino to build a device that overrides the public parking display and plays a game of Tetris on it.

We don’t have any details on the HackRF reverse engineering side of things, but he has uploaded a video to YouTube showing the hack in action.

Real hacking of public parking electronic display

Reverse Engineering Wireless Mobile Traffic Lights with an RTL-SDR

When roadworks suddenly appeared on Bastian Bloessl's girlfriend's street, the workers put up a set of automated wireless traffic lights to control the flow of traffic during the works. Seeing these lights, Bastian grabbed his RTL-SDR dongle and set to work reverse engineering the status telemetry the lights transmit.

Wireless traffic lights reverse engineered with an RTL-SDR

Bastian discovered two signals at around 170 MHz, one for each pair of lights. By analyzing the recording in Baudline and Audacity he found that the signal was AFSK at 1200 baud (AFSK1200), with the two tones at 1200 Hz and 2400 Hz. He then wrote a simple GNU Radio program that outputs the frame bits. After some analysis he was able to make sense of the frame structure and build a simple web interface that visualizes the data as virtual traffic lights on his PC. The YouTube video below shows the signal and his RTL-SDR decoding software in action.
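The bit-recovery step of that pipeline, as an added example (not Bastian's GNU Radio flowgraph): each bit period of the recorded audio is correlated against both tones in quadrature, so the decision does not depend on the phase the tone happens to start with, and a crude clock recovery picks the sampling phase with the largest decision margin. The tone frequencies are the ones reported above; the audio sample rate, which tone represents a 1, and the constructed test pattern fed through `afsk_modulate` are assumptions. It stops at bits and does not attempt the frame structure Bastian worked out.

```python
"""AFSK demodulator for a 1200 baud, 1200/2400 Hz signal (added example)."""
import numpy as np

FS = 48_000                      # assumed audio sample rate, Hz
BAUD = 1200
MARK_HZ, SPACE_HZ = 1200, 2400   # tones from the post; MARK = '1' is an assumption
SPB = FS // BAUD                 # samples per bit (40)


def afsk_modulate(bits, fs=FS, noise=0.1, seed=0) -> np.ndarray:
    """Constructed continuous-phase AFSK audio for `bits`, plus white noise (test input only)."""
    rng = np.random.default_rng(seed)
    freqs = np.repeat([MARK_HZ if b else SPACE_HZ for b in bits], SPB)
    phase = 2 * np.pi * np.cumsum(freqs) / fs      # phase stays continuous across tone changes
    return np.sin(phase) + noise * rng.standard_normal(len(phase))


def tone_energy(audio: np.ndarray, hz: float, fs=FS) -> np.ndarray:
    """Sliding one-bit-period correlation against a tone; I^2 + Q^2 makes it phase-independent."""
    n = np.arange(SPB)
    ref_i = np.cos(2 * np.pi * hz * n / fs)
    ref_q = np.sin(2 * np.pi * hz * n / fs)
    ci = np.convolve(audio, ref_i[::-1], mode="valid")
    cq = np.convolve(audio, ref_q[::-1], mode="valid")
    return ci ** 2 + cq ** 2


def afsk_demodulate(audio: np.ndarray, fs=FS):
    """Decide MARK vs SPACE for every bit period after choosing the best sampling phase."""
    audio = np.concatenate([audio, np.zeros(SPB - 1)])   # so every phase yields one decision per bit
    diff = tone_energy(audio, MARK_HZ, fs) - tone_energy(audio, SPACE_HZ, fs)
    # crude clock recovery: the correct phase maximises the average decision margin
    best = max(range(SPB), key=lambda p: np.abs(diff[p::SPB]).mean())
    return [int(d > 0) for d in diff[best::SPB]]


if __name__ == "__main__":
    pattern = [1, 0, 1, 1, 0, 0, 1, 0]
    print(afsk_demodulate(afsk_modulate(pattern)))       # prints [1, 0, 1, 1, 0, 0, 1, 0]
```

Over one bit period a 1200 Hz tone completes exactly one cycle and a 2400 Hz tone two, so the two references are orthogonal and the energy difference is a clean decision statistic; on a real capture you would still need to find the frame start, as Bastian did, before the bits mean anything.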

The telemetry appears to be sent unencrypted. The control signals were not examined; we would assume they are encrypted, but that remains unverified.

Traffic Lights + GNU Radio + RTL SDR

Reverse Engineering a Vintage Wireless Keypad with an RTL-SDR

Over on his blog, Veghead has posted about how he reverse engineered a wireless alarm panel keypad from 1986 with an RTL-SDR dongle. His goal was to eventually hook the keypad up to a modern alarm system.

By first looking at the old FCC label on the keypad, Veghead discovered that the device transmitted between 319 MHz and 340 MHz. He then used his RTL-SDR dongle to take a recording of the transmitted signals, before opening them up in Audacity – a free audio processing program.

By analyzing the waveform in Audacity, Veghead discovered that the keypad uses simple on-off keying (OOK). Although the signal's frequency drifted a lot (probably due to aged components), he was able to write a decoder, which he called cletus, that converts the recorded complex I/Q samples into a real magnitude signal (the magnitude is unaffected by the carrier wandering within the capture bandwidth, which is why the drift does not matter) and then runs a state machine that turns the waveform into 1s and 0s. Finally the program prints the button that was pressed to the terminal.
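Tom's thermostat decoder and Veghead's cletus follow the same recipe, so here is one worked version of it, added for this page rather than taken from either project: reduce the complex I/Q capture to a real magnitude envelope, threshold it, run-length encode the highs and lows, and run a state machine over the high pulses that labels each one as the preamble, a long (1) or a short (0) PWM pulse, finally checking that the command appears twice as Tom observed. The sample rate, the pulse widths, the "preamble then two copies" layout and the test frame are all assumptions; `synth_frame` exists only to construct input, and it deliberately offsets the carrier by 7 kHz to show why taking the magnitude sidesteps frequency drift.

```python
"""OOK pulse slicer with a PWM symbol state machine (added example)."""
import numpy as np

FS = 250_000                   # assumed sample rate, Hz
PREAMBLE_US = 3000             # assumed preamble pulse width
LONG_US, SHORT_US = 900, 300   # assumed PWM pulse widths for '1' and '0'
GAP_US = 300                   # assumed low time between pulses


def envelope(iq) -> np.ndarray:
    """Complex I/Q -> real magnitude; a carrier offset only rotates the phase."""
    return np.abs(iq)


def slice_runs(env: np.ndarray, threshold=None):
    """Threshold the envelope and return a list of (is_high, length_in_samples)."""
    if threshold is None:
        threshold = 0.5 * (env.max() + env.min())
    hi = env > threshold
    edges = np.flatnonzero(np.diff(hi.astype(np.int8))) + 1
    starts = np.concatenate(([0], edges))
    ends = np.concatenate((edges, [len(hi)]))
    return [(bool(hi[s]), int(e - s)) for s, e in zip(starts, ends)]


def classify_pulses(runs, fs=FS, tol=0.3):
    """Map each high run to 'P' (preamble), '1', '0' or '?' (unexpected width)."""
    def near(n, us):
        return abs(n / fs * 1e6 - us) <= tol * us
    out = []
    for is_high, n in runs:
        if not is_high:
            continue                       # in PWM the gaps carry no data
        if near(n, PREAMBLE_US):
            out.append("P")
        elif near(n, LONG_US):
            out.append("1")
        elif near(n, SHORT_US):
            out.append("0")
        else:
            out.append("?")
    return "".join(out)


def decode_frame(iq):
    """Return the command bits, or None if the frame is malformed or the two copies disagree."""
    symbols = classify_pulses(slice_runs(envelope(iq)))
    if not symbols.startswith("P") or "?" in symbols:
        return None
    payload = symbols[1:]
    half = len(payload) // 2
    if len(payload) % 2 or payload[:half] != payload[half:]:
        return None
    return payload[:half]


def synth_frame(bits: str, fs=FS, noise=0.05, seed=1) -> np.ndarray:
    """Constructed I/Q for one frame (preamble, then `bits` twice) on an off-centre carrier."""
    rng = np.random.default_rng(seed)
    n = lambda us: int(fs * us / 1e6)
    parts = [np.zeros(n(500)), np.ones(n(PREAMBLE_US)), np.zeros(n(GAP_US))]
    for b in bits * 2:
        parts += [np.ones(n(LONG_US if b == "1" else SHORT_US)), np.zeros(n(GAP_US))]
    parts.append(np.zeros(n(500)))
    env = np.concatenate(parts)
    t = np.arange(len(env)) / fs
    carrier = np.exp(2j * np.pi * 7_000 * t)           # 7 kHz off the tuned centre
    return env * carrier + noise * (rng.standard_normal(len(env)) + 1j * rng.standard_normal(len(env)))


if __name__ == "__main__":
    print(decode_frame(synth_frame("10110")))          # prints 10110
```

On a real capture you would feed `decode_frame` the I/Q array read from the recording (for example `np.fromfile(path, np.complex64)` for a GQRX/CubicSDR float recording) and tune the width constants to what Audacity shows; the symbol string is also exactly the timing table an Arduino transmitter needs to reproduce the frame.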

Vintage wireless alarm keypad reverse engineered with an RTL-SDR

Reverse Engineering Bus Telemetry Data with an RTL-SDR

Bastian recently wrote in to us at RTL-SDR.com to let us know that he has been working on reverse engineering the bus telemetry system used in his hometown of Paderborn, Germany. Bus telemetry is often used to update the live signs at bus stops that show, based on GPS data, how long passengers have to wait for the next bus.

Bus sign: Wireless bus telemetry updates this sign.

A similar reverse engineering of bus telemetry was performed earlier by Oona Räisänen in Helsinki, Finland. Oona found that Helsinki's bus telemetry was transmitted as a DARC subcarrier embedded in regular broadcast FM radio. In many countries bus telemetry runs over GSM or TETRA instead, which are encrypted and would be very difficult to decode.

In Paderborn, however, a different protocol is used. Bastian found it by noticing that some very strong signals appeared on his spectrum display at 150.9 MHz whenever a bus drove past his flat.

After recording the signal in GQRX, Bastian analyzed it in Audacity and discovered that each data bit is encoded by the presence or absence of a half sine wave. Having found the encoding, he was able to determine the bit rate and build a decoder in GNU Radio. His post goes into further detail about the concepts used in his GNU Radio program, such as frame detection, bit stuffing and error detection.

Finally, with his decoder written, he was able to extract lots of data from each packet, such as the bus ID, line, bus stop, distance from the last stop, delay, position and even the orientation of the bus. Bastian has also uploaded a video showing everything in action, which we have embedded below.
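To make frame detection, bit stuffing and error detection concrete, here is an added example that shows both ends of such a link. It is not Bastian's flowgraph, and it is not the Paderborn framing, which the post does not spell out: the transmitter side sends a 1 as one half-sine pulse and a 0 as silence, as the post describes, while the HDLC-style 0x7E flag, the five-ones stuffing rule, the CRC-16/X.25 and the samples-per-bit figure are assumptions chosen for the illustration. The receiver matched-filters against the half-sine, recovers the bit clock, locates flag-delimited spans, removes the stuffed zeros and verifies the CRC.

```python
"""Frame detection, bit stuffing and CRC over a half-sine bit encoding (added example)."""
import numpy as np

SPB = 16                                          # assumed samples per bit
FLAG = [0, 1, 1, 1, 1, 1, 1, 0]                   # assumed frame delimiter (HDLC 0x7E)
TEMPLATE = np.sin(np.pi * np.arange(SPB) / SPB)   # one half-sine pulse


def crc16_x25(data: bytes) -> int:
    """CRC-16/X.25: reflected poly 0x8408, init 0xFFFF, final xor 0xFFFF (check value 0x906E)."""
    crc = 0xFFFF
    for b in data:
        crc ^= b
        for _ in range(8):
            crc = (crc >> 1) ^ 0x8408 if crc & 1 else crc >> 1
    return crc ^ 0xFFFF


def bytes_to_bits(data: bytes):
    return [(b >> i) & 1 for b in data for i in range(8)]          # LSB first


def bits_to_bytes(bits):
    return bytes(sum(bits[i + j] << j for j in range(8)) for i in range(0, len(bits) - 7, 8))


def stuff(bits):
    """Insert a 0 after five consecutive 1s so the payload can never contain FLAG."""
    out, ones = [], 0
    for b in bits:
        out.append(b)
        ones = ones + 1 if b else 0
        if ones == 5:
            out.append(0)
            ones = 0
    return out


def destuff(bits):
    """Drop the 0 that follows five 1s; six 1s inside a frame means a bit error."""
    out, ones = [], 0
    for b in bits:
        if ones == 5:
            ones = 0
            if b:
                raise ValueError("six consecutive ones inside a frame")
            continue
        out.append(b)
        ones = ones + 1 if b else 0
    return out


def encode_frame(payload: bytes):
    """FLAG + stuffed(payload + CRC little-endian) + FLAG."""
    crc = crc16_x25(payload)
    return FLAG + stuff(bytes_to_bits(payload + bytes([crc & 0xFF, crc >> 8]))) + FLAG


def modulate(bits, noise=0.1, seed=0) -> np.ndarray:
    """Constructed channel: half-sine for 1, silence for 0, idle padding, white noise."""
    rng = np.random.default_rng(seed)
    pad = np.zeros(3 * SPB)
    sig = np.concatenate([pad] + [TEMPLATE if b else np.zeros(SPB) for b in bits] + [pad])
    return sig + noise * rng.standard_normal(len(sig))


def demodulate(sig: np.ndarray):
    """Matched filter against the half-sine, pick the bit phase with most energy, then slice."""
    mf = np.convolve(sig, TEMPLATE[::-1], mode="valid")
    best = max(range(SPB), key=lambda p: np.sum(mf[p::SPB] ** 2))
    samples = mf[best::SPB]
    return [int(s > 0.5 * samples.max()) for s in samples]


def find_frames(bits):
    """Return [(payload, crc_ok)] for every FLAG...FLAG span that destuffs cleanly."""
    n = len(FLAG)
    idx = [k for k in range(len(bits) - n + 1) if bits[k:k + n] == FLAG]
    frames = []
    for a, b in zip(idx, idx[1:]):
        try:
            data = bits_to_bytes(destuff(bits[a + n:b]))
        except ValueError:
            continue
        if len(data) < 3:
            continue
        payload, rx_crc = data[:-2], data[-2] | (data[-1] << 8)
        frames.append((payload, crc16_x25(payload) == rx_crc))
    return frames


def decode_capture(sig: np.ndarray):
    return find_frames(demodulate(sig))
```

The CRC is what lets the decoder discard the corrupted packets a noisy capture of passing buses will produce; a single flipped bit inside the frame is always caught, and `decode_capture` reports it as `crc_ok == False` rather than silently logging a wrong bus position.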

Bus position heatmap from data obtained via the RTL-SDR

Wireless Door Bell 433 MHz ASK Signal Analysis with a HackRF

Paul Rascagneres, an RF experimenter, has recently uploaded a document (pdf file) detailing his efforts at reverse engineering a wireless doorbell that uses a 433 MHz amplitude shift keyed (ASK) signal, using his HackRF software defined radio. The HackRF is an SDR similar to the RTL-SDR but with a wider available bandwidth and transmit capability.

To reverse engineer the doorbell, Paul used GNU Radio with the Complex to Mag block, which takes the magnitude of the I/Q samples, to demodulate the ASK signal. Once demodulated he could see the binary waveform directly and read off the serial bit stream by hand. From there he went on to create a GNU Radio program that automatically extracts the binary strings from the ASK waveform.

To replay the signal, Paul found that the simplest way was the hackrf_transfer program, which records a signal to a file and then retransmits it through the HackRF on demand. With this method Paul was able to ring his doorbell from the HackRF.

Paul also confirmed his SDR results with an Arduino and a 433 MHz transceiver module. He then took it a step further and used the Arduino to build a system that automatically receives and replays signals at 433 MHz and 315 MHz.

Decoding an ASK modulated bitstream.

Reverse Engineering a Radio Weather Station with an RTL-SDR

On his blog Josef Gajdysek has posted about using an RTL-SDR to reverse engineer the radio protocol used by his home weather station. Josef's weather station is an ISM band device transmitting at 433 MHz. First he opened GQRX, tuned to the station's transmit frequency of 433.6 MHz and recorded some audio in AM mode. Josef initially assumed that the device would use on-off keying (OOK) to encode its data. However, when he opened the recording in Audacity and looked at its waveform he found that the weather station instead uses differential pulse position modulation, in which the spacing between successive pulses determines whether a bit is a 1 or a 0.

Differential Pulse Position Modulation in Audacity

To decode this, Josef wrote a Python script that measures the spacing between pulses and converts the pulse train into a binary string. By decoding and analyzing the captured packets he was then able to isolate the checksum, temperature, channel and status flags. With all that known he could write a real-time decoder that takes its input from rtl_fm. The Python script can be downloaded from his post.
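The gap-measurement step, as an added example rather than Josef's script: the decoder takes AM-demodulated samples of the kind `rtl_fm -M am` produces, finds rising edges, measures edge-to-edge spacing and classifies each spacing as a 0 or a 1, splitting packets wherever a long sync spacing occurs. The sample rate, the timings, the "packet sent twice" framing and the 32-bit layout with its byte-sum checksum are assumptions made for this example and are not the layout Josef documented; `build_packet` and `synth` are the constructed transmitter side used to produce test input.

```python
"""Differential pulse-position (pulse-gap) decoder for a 433 MHz sensor (added example)."""
import numpy as np

FS = 24_000                    # assumed demodulated audio rate, Hz
PULSE_US = 500                 # assumed pulse width
ZERO_US, ONE_US = 1000, 2000   # assumed edge-to-edge spacing for '0' and '1'
SYNC_US = 4000                 # assumed: a spacing at least this long ends a packet


def rising_edges(samples: np.ndarray, threshold=None) -> np.ndarray:
    """Sample indices where the envelope crosses the threshold upward."""
    if threshold is None:
        threshold = 0.5 * (samples.max() + samples.min())
    hi = samples > threshold
    return np.flatnonzero(hi[1:] & ~hi[:-1]) + 1


def spacings_to_packets(edges: np.ndarray, fs=FS, tol=0.25):
    """Classify each pulse spacing; a sync-length spacing ends a packet, a bad one discards it."""
    packets, cur = [], []
    for us in np.diff(edges) / fs * 1e6:
        if abs(us - ZERO_US) <= tol * ZERO_US:
            cur.append(0)
        elif abs(us - ONE_US) <= tol * ONE_US:
            cur.append(1)
        else:
            if cur and us >= SYNC_US:
                packets.append(cur)        # clean end of a packet
            cur = []                       # otherwise a glitch: drop the partial packet
    if cur:
        packets.append(cur)
    return packets


def build_packet(ident, channel, flags, temp_c):
    """Constructed 32-bit packet: id[8] channel[2] flags[2] temp[12, signed tenths] checksum[8]."""
    raw_t = int(round(temp_c * 10)) & 0xFFF
    b0 = ident & 0xFF
    b1 = ((channel & 3) << 6) | ((flags & 3) << 4) | (raw_t >> 8)
    b2 = raw_t & 0xFF
    b3 = (b0 + b1 + b2) & 0xFF
    val = (b0 << 24) | (b1 << 16) | (b2 << 8) | b3
    return [(val >> (31 - i)) & 1 for i in range(32)]


def parse_packet(bits):
    """Validate the checksum and unpack the assumed layout; None on any failure."""
    if len(bits) != 32:
        return None
    b = [int("".join(map(str, bits[i:i + 8])), 2) for i in range(0, 32, 8)]
    if (b[0] + b[1] + b[2]) & 0xFF != b[3]:
        return None
    raw_t = ((b[1] & 0x0F) << 8) | b[2]
    if raw_t & 0x800:
        raw_t -= 0x1000                    # 12-bit two's complement
    return {"id": b[0], "channel": (b[1] >> 6) + 1,
            "battery_low": bool(b[1] & 0x20), "temp_c": raw_t / 10}


def synth(bits, repeats=2, fs=FS, noise=0.05, seed=0) -> np.ndarray:
    """Constructed AM envelope: each bit is a pulse followed by a '0'- or '1'-length spacing."""
    rng = np.random.default_rng(seed)
    n = lambda us: int(fs * us / 1e6)
    parts = [np.zeros(n(SYNC_US))]
    for _ in range(repeats):
        for b in bits:
            parts += [np.ones(n(PULSE_US)), np.zeros(n(ONE_US if b else ZERO_US) - n(PULSE_US))]
        parts += [np.ones(n(PULSE_US)), np.zeros(n(2 * SYNC_US))]   # closing pulse, inter-packet gap
    env = np.concatenate(parts)
    return env + noise * rng.standard_normal(len(env))


def decode(samples: np.ndarray):
    """Full pipeline; identical repeats collapse to one record."""
    seen = []
    for pkt in spacings_to_packets(rising_edges(samples)):
        rec = parse_packet(pkt)
        if rec is not None and rec not in seen:
            seen.append(rec)
    return seen
```

Note that n bits need n+1 pulses, because every bit lives in a spacing rather than in a pulse; the closing pulse is easy to forget when you hand-count bits in Audacity. The tolerance window and the "drop the partial packet" branch matter in practice, since a burst of interference produces spacings that match neither symbol.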

The weather station transmitter.

Decoding Oregon Scientific Weatherstation Messages using Gnuradio

Recently a reader of rtl-sdr.com, DO2BJK, wrote in to let us know about his project using GNU Radio to decode Oregon Scientific V1 and V2 weather station messages. To receive the messages, which are sent in the 433 MHz ISM band, DO2BJK used a USRP B210, but he writes that other SDRs such as an RTL-SDR or HackRF will also work. To decode the signal, DO2BJK took the usual steps of recording it and looking at the audio waveform in Audacity. From the waveform he was able to determine the bit string and identify the preamble, sync and data parts of a packet. He then used GNU Radio and wrote a Python program that receives the signal, automatically detects the preamble and extracts the temperature data. His code is available on GitHub at https://github.com/bkerler/OregonDecoder/.
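An added example of the preamble/sync/data split, not DO2BJK's decoder: the input is the hard-sliced Manchester chip stream you get after OOK demodulation (one chip per half bit). The structure follows the commonly documented Oregon Scientific v2.1 layout: a preamble of 1 bits, a 0xA sync nibble, then LSB-first nibbles (sensor ID, channel, rolling code, flags, temperature as BCD tenths/units/tens, sign) closed by a nibble-sum checksum. Treat that layout, the Manchester polarity, the minimum preamble length and the constructed `build_message` transmitter as assumptions to verify against your own captures.

```python
"""Preamble/sync detection and nibble extraction from a Manchester chip stream (added example)."""

PREAMBLE_MIN = 12         # assumed minimum run of '1' bits before the sync nibble
SYNC = [0, 1, 0, 1]       # 0xA sent LSB first
ONE = (1, 0)              # assumed Manchester chip pair for a '1'; a '0' is the reverse


def manchester_decode(chips, one=ONE):
    """Pair chips two at a time; return bits, or None at the first invalid pair."""
    zero = (one[1], one[0])
    bits = []
    for a, b in zip(chips[0::2], chips[1::2]):
        if (a, b) == one:
            bits.append(1)
        elif (a, b) == zero:
            bits.append(0)
        else:
            return None
    return bits


def manchester_decode_any_phase(chips):
    """Chip alignment is unknown after slicing; the wrong alignment fails at the first bit change."""
    for offset in (0, 1):
        bits = manchester_decode(chips[offset:])
        if bits is not None:
            return bits
    return None


def find_payload(bits):
    """Skip the preamble run of 1s, require SYNC, return the following LSB-first nibbles."""
    i = 0
    while i < len(bits) and bits[i] == 1:
        i += 1
    if i < PREAMBLE_MIN or bits[i:i + 4] != SYNC:
        return None
    data = bits[i + 4:]
    return [sum(b << k for k, b in enumerate(data[j:j + 4])) for j in range(0, len(data) - 3, 4)]


def parse_temperature(nibbles):
    """Assumed layout: id[0:4] ch[4] roll[5:7] flags[7] tenths[8] units[9] tens[10] sign[11] csum[12:14]."""
    if len(nibbles) < 14:
        return None
    csum = sum(nibbles[:12]) & 0xFF
    if nibbles[12] != csum & 0xF or nibbles[13] != csum >> 4:
        return None
    temp = (nibbles[10] * 100 + nibbles[9] * 10 + nibbles[8]) / 10
    return {"sensor_id": "".join(f"{n:X}" for n in nibbles[:4]),
            "channel": nibbles[4],
            "rolling_code": nibbles[5] | (nibbles[6] << 4),
            "battery_low": bool(nibbles[7] & 0x4),
            "temp_c": -temp if nibbles[11] else temp}


def decode_message(chips):
    """Chips -> bits -> nibbles -> reading; None if any stage rejects the message."""
    bits = manchester_decode_any_phase(chips)
    nibbles = find_payload(bits) if bits is not None else None
    return parse_temperature(nibbles) if nibbles is not None else None


def build_message(sensor="1D20", channel=1, rolling=0x3C, flags=0, temp_c=23.4):
    """Constructed transmitter side: chip stream for one message (test input only)."""
    tenths = int(round(abs(temp_c) * 10))
    nibbles = [int(c, 16) for c in sensor] + [channel, rolling & 0xF, rolling >> 4, flags,
               tenths % 10, tenths // 10 % 10, tenths // 100 % 10, 1 if temp_c < 0 else 0]
    csum = sum(nibbles) & 0xFF
    nibbles += [csum & 0xF, csum >> 4]
    bits = [1] * 16 + SYNC + [(n >> k) & 1 for n in nibbles for k in range(4)]
    return [c for b in bits for c in (ONE if b else (ONE[1], ONE[0]))]
```

Trying both chip alignments is what makes the preamble useful: a run of identical bits decodes cleanly under either alignment, and it is the first bit change at the sync nibble that exposes the wrong one, so a decoder that starts slicing mid-preamble still locks on. The checksum check rejects a message with a single swapped bit, which is the failure mode a marginal 433 MHz capture produces most often.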

Bit string signal interpretation