Tagged: reverse engineering

Digital Ding Dong Ditch – Hacking wireless doorbells with Arduino and RTL-SDR

Over on YouTube, user Samy Kamkar has uploaded a video showing how he used an RTL-SDR to copy his friend's wireless doorbell signal and then prank him by replaying it with an Arduino and a 433 MHz transmitter. The video walks through the entire reverse engineering process: recording the doorbell signal with the RTL-SDR, analyzing and understanding the signal, and finally programming the Arduino to replicate it. If you don't like video explanations, Samy has also written up the same material on his website.

Digital Ding Dong Ditch Prank - hacking wireless doorbells w/Arduino and RTL-SDR

Reverse Engineering a Wireless Alarm with the HackRF

Wireless alarms consist of multiple devices, such as sensors and detectors, which all communicate with a central control box via RF signals. Blogger "fun over ip" wanted to understand the design and security measures of his Verisure wireless alarm, so he reverse engineered the system.

First, he took his HackRF software defined radio and monitored the 433 MHz and 868 MHz ISM bands while pressing keys on the alarm's remote control. In the 868 MHz band he found a corresponding signal with two spikes in the RF spectrum, indicating that it was likely a 2-FSK (frequency shift keyed) signal.

Next he created a GNU Radio program to demodulate the 2-FSK signal into a binary sequence. He then used Audacity to view and analyze that sequence, decoding it into 0s and 1s and determining the sync word (or access code). With further analysis he also determined the symbol rate and the number of samples per symbol. With all this information gathered, he was able to expand his GNU Radio program to automatically detect and decode packets sent by the various wireless devices connected to the alarm system.

His post goes into good detail about the steps he took and is a great aid in understanding how to reverse engineer wireless protocols.

Decoding Wireless Alarms

Blindly Reverse Engineering a Wireless Protocol

Hackaday has brought to attention a document written by Rory O'Hare which describes the journey Rory took in trying to decode an unknown 433 MHz signal received with his SDR dongle.

If you are interested in manually decoding unknown signals, this write up is worth reading, as it covers his entire journey, including the failures he encountered along the way. In short, he records some packets with his SDR dongle, works out their bit patterns by hand, and then looks for correlations between the packets in an attempt to discover their structure. In the end his efforts succeed: he discovers that he is receiving transmissions from a temperature sensor and is able to decode the temperature readings.

Discovering Correlations in the Received Packets

Using an RTL-SDR to help open a Gated Community

Tomasz lives in a gated community, but as he doesn't own a car he wasn't given a gate remote control. This made it difficult for friends with cars to visit him. So he decided to use an RTL-SDR to receive, capture and analyze the gate signal, which is transmitted at 433 MHz, and then copy the signal for use with his own homemade transmitter.

First Tomasz used his RTL-SDR with SDR# to capture a few sound files of the gate remote, which transmits at 433 MHz. Then he viewed the waveforms in Audacity, a free audio editing program. Just by looking at the waveform he was able to determine that the signal was On-Off Keying (OOK) modulated and that every frame of the transmission was identical, meaning that the remote sends a fixed code with no security scheme.

Next he wrote down the transmission parameters he had learned from his analysis and built a simple 433 MHz transmitter, which he connected to a microcontroller. After programming the microcontroller to send the copied signal he was able to open the gate.

433 MHz Gate Remote Received on the RTL-SDR

Reverse Engineering a RF Controlled Ceiling Fan with the RTL-SDR

Using an RTL-SDR, Clayton Smith was able to reverse engineer his remote controlled ceiling fan. To do this he first used his bladeRF to determine that the remote control was transmitting at 303.747 MHz. He then used a simple GNU Radio flow graph with the RTL-SDR to plot the amplitude of the signal over time, which suggested that the signal was using on-off keying. From the plot he was able to visually determine the bit pattern sent by each button on the ceiling fan remote.

Next he used his bladeRF and another GNU Radio flowgraph to replicate and transmit the bit pattern, which allowed him to control the ceiling fan from his PC.

Clayton notes that all this reverse engineering was done in half an hour, demonstrating the power of software defined radio.

Ceiling Fan Bit Pattern Recovered with an RTL-SDR and GNU Radio

Reverse Engineering Radio Controlled Power Outlets with Help from the RTL-SDR

Radio controlled power outlets are mains outlets that can be switched on or off with a wireless remote. Over on the blog leetupload.com the author has written an article showing how he reverse engineered the outlets' radio protocol.

The author used an RTL-SDR and SDR# to listen to the outlets' wireless AM transmissions at 434 MHz. He recorded the signal audio and then used Audacity to view the waveform. By analyzing the audio output he discovered that the signal was a Non-Return-to-Zero (NRZ), pulse width modulated (PWM), Amplitude Shift Keying / On-Off Keying (ASK/OOK) signal.
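The waveform analysis described here and in the gate remote post above (threshold the OOK envelope, measure pulse widths, read off bits, and check whether every frame repeats) can be automated. This is an added example, not code from any of the linked write-ups; the PWM scheme (long pulse = 1, short pulse = 0, long low gap between frames) and the sample counts are constructed assumptions, not measurements from the page.

```python
SPS = 4  # constructed: envelope samples per PWM symbol slot

def pwm_ook_encode(bits, sps=SPS, gap=8):
    """Constructed test envelope: '1' -> long high + short low,
    '0' -> short high + long low; frame ends with a long low gap."""
    env = []
    for b in bits:
        high, low = (3, 1) if b == "1" else (1, 3)
        env += [1.0] * (high * sps) + [0.0] * (low * sps)
    return env + [0.0] * (gap * sps)

def run_lengths(env, threshold=0.5):
    """Threshold the amplitude envelope and return (level, length) runs."""
    levels = [1 if x > threshold else 0 for x in env]
    runs, start = [], 0
    for i in range(1, len(levels) + 1):
        if i == len(levels) or levels[i] != levels[start]:
            runs.append((levels[start], i - start))
            start = i
    return runs

def decode_frames(env, threshold=0.5):
    """Turn each high pulse into one bit by its width and split frames at
    low runs longer than any pulse (the inter-frame gap)."""
    runs = run_lengths(env, threshold)
    highs = [n for lvl, n in runs if lvl == 1]
    if not highs:
        return []
    cut = (min(highs) + max(highs)) / 2  # midpoint between short and long pulse
    gap = 2 * max(highs)                  # any low run longer than this is a frame gap
    frames, cur = [], ""
    for lvl, n in runs:
        if lvl == 1:
            cur += "1" if n > cut else "0"
        elif n > gap and cur:
            frames.append(cur)
            cur = ""
    if cur:
        frames.append(cur)
    return frames

def is_fixed_code(frames):
    """True when every captured frame is identical: a fixed code, i.e. the
    'no security scheme' observation from the gate remote analysis."""
    return len(frames) > 1 and len(set(frames)) == 1
```

A frame made entirely of one bit value cannot be classified by the midpoint rule, since there is only one pulse width to compare against; a real decoder needs a known symbol timing for that case.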

Later he was also able to use the RFCat USB dongle to transmit an on/off signal from his computer. RFCat is a USB dongle capable of transmitting on 433 MHz.

RTL-SDR Software Radio used to Reverse Engineer the Wireless Power Outlet
RTL-SDR RTL2832U Software Radio Audio output Analyzed in Audacity for Reverse Engineering a Wireless Power Outlet
Remote Control Outlet Replay With RFCat

Source: Hackaday

Reverse Engineering Radio Controlled Bus Stop Displays

Over on her blog www.windytan.com, Oona has shown how she reverse engineered a radio controlled bus stop display using a receiver such as the RTL-SDR. Radio bus stop displays are used by bus services to show GPS enhanced bus timetables and expected arrival times.

Oona discovered that the bus displays in her area use Data Radio Channel (DARC) encoding. After finding that no DARC decoder existed online, she implemented the full five layer DARC protocol stack in Perl and was left with data packets containing some human readable strings, such as the names of bus terminal stations. With some extra work she was also able to extract expected waiting times and bus numbers.

Bus Terminal Packet

Receiving and Decoding Tire Pressure Monitor Systems using an RTL-SDR

Tire Pressure Monitoring Systems (TPMS) consist of sensors that measure the tire pressures on a vehicle and wirelessly transmit the data to a monitoring computer, which alerts the driver when a tire pressure is incorrect.

At the ToorCon conference, Jared Boone gave a talk showing how he used an RTL-SDR and a GNU Radio program he developed to reverse engineer the TPMS wireless protocol and read the data that is sent. Jared also notes that TPMS is a potential security risk, as it could be used to track cars. The talk has been uploaded to YouTube and is shown below.

Reversing Tire Pressure Monitors with a Software-Defined Radio