Over on his YouTube channel ModernHam has created a video showing him using an RTL-SDR and Raspberry Pi with RPiTX to record and replay the signal generated by the remote of a wireless power plug. A wireless power plug allows you to turn an AC wall outlet on/of remotely via a remote control. Controlling them with a Raspberry Pi can be a simple way to add home automation. One example ModernHam gives is that he hopes to use RPiTX and the wireless power plugs to create a smart coffee pot that will automatically turn on at 7 am, and turn off at 9 am.
In the past we have created a similar tutorial here, but new updates to RPiTX now make this process much easier and more reliable and ModernHam's video shows the new procedure. The new process is simply to look up the FCC frequency of the remote control transmitter, record an IQ file of the transmissions for the ON and OFF buttons, and then use the RPiTX sendiq command to replay the signal. You can then use simple Linux shell scripts to create automation.
Replay Attack with Remote Plugs for Home Automation with the Raspberry PI
Over on YouTube user ModernHam has uploaded a video showing how to perform a replay attack on a car key fob using a Raspberry Pi running RPiTX and an RTL-SDR. A replay attack consists of recording an RF signal, and then simply replaying it again with a transmit capable radio. RPiTX is a program that can turn a Raspberry Pi into a general purpose RF transmitter without the need for any additional hardware.
The process is to record a raw IQ file with the RTL-SDR, and then use RPiTX V2's "sendiq" command to transmit the exact same signal again whenever you want. With this set up he's able to unlock his 2006 Toyota Camry at will with RPiTX.
We note that this sort of simple replay attack will only work on older model cars that do not use rolling code security. Rolling code security works by ensuring that an unlock transmission can only be utilized once, rendering replays ineffective. However, modern rolling code security systems are still susceptible to 'rolljam' style attacks.
In the video below ModernHam goes through the process from the beginning, showing how to install the RTL-SDR drivers and RPiTX. Near the end of the video he shows the replay attack in action.
Unlock Cars with a Raspberry Pi And SDR - Replay attack
Over on YouTube channel Tech Minds has uploaded a video that shows how to install and use RPiTX version 2. RPiTX is software for the Raspberry Pi which can turn it into a 5 kHz to 1500 MHz transmitter which can transmit any arbitrary signal. RPiTX requires no additional hardware, but a filter is required for transmitting with any power or gain. Back in November RPiTX was updated to version 2 which brought with it a new GUI, and improved spectral purity.
In his video Tech Minds goes over the installation of RPiTX, and then goes on to demonstrate it in action with an RTL-SDR and SDRUno used as the receiver. He shows the several TX modes available such as the tone/chirp generator, spectrum painter FM with RDS, SSB and FreeDV.
RPiTX is software for the Raspberry Pi which can turn it into a 5 kHz to 1500 MHz transmitter which can transmit any arbitrary signal. In order to transmit the software does not require any additional hardware apart from a wire plugged into a GPIO pin on the expansion header. It works by modulating the GPIO pin with square waves in such a way that the desired signal is generated. However, although additional hardware isn't required, if RPiTX is to be used in any actual application a band-pass filter is highly recommended in order to remove any harmonics which could interfere and jam other radio systems.
Earlier this month RPiTX was upgraded to version 2. One of the changes is a new GUI for testing the various transmission modes. Currently it is possible to transmit a chirp, FM with RDS, USB, SSTV, Opera, Pocsag, SSTV, Freedv. There is also a spectrum painter which allows you to display an image on a SDR's waterfall.
The RPiTX v2 update also makes recording a signal with an RTL-SDR, and replaying that signal with RPiTX significantly easier. Previously it was necessary to go through a bunch of preprocessing steps (as described in our previous tutorial) in order to get a transmittable file, but now RPiTX is capable of transmitting a recorded IQ file directly. This makes copying things like 433 MHz ISM band remotes significantly easier. One application might be to use RPiTX as an internet connected home automation tool which could control all your wireless devices.
Finally, another application of the RPiTX and RTL-SDR combination is a live RF relay. The software is able to receive a signal at one frequency from the RTL-SDR, and then re-transmit it at another frequency in real time. Additionally, it is also capable of live transmodulation, where it receives an FM radio station, demodulates and then remodulates it as SSB to transmit on another frequency.
In the first test he uses RPiTX to generate a 2-FSK signal, which is then received and decoded by a RTL-SDR V3 connected to an attenuator and laptop. The Bit Error Rate (BER) is then measured while the attenuation is increased until the decoder fails. With this test he found a MDS somewhere between -115 dBm and -125 dBm, and a maximum input power of -30 dBm before clipping.
In another test he measures the RTL-SDR's ability to withstand a blocking CW signal. The results show that even with a 65 dB stronger signal just 7 kHz away, the 2-FSK modem system was able to continue working.
Finally he concludes:
So I figure for the lower HF bands this receivers performance is OK – the ADC quantisation noise isn’t likely to impact performance and the strong signal performance is good enough. An overload of -30dBm (S9+40dB) is also acceptable given the use case is remote communications where there is unlikely to be any nearby transmitters in the input filter passband.
In his tests he's been creating 100bit/s 2FSK test frames, transmitting them at 7.177 MHz, and receiving and decoding them on another PC with a hardware radio. The results show that the transmission is working perfectly, with only minor artefacts caused by RPiTX. Rowetel also notes that the narrow band spectral purity of the RPiTX output is remarkably clean. The only worry is the wide band harmonics which can easily be removed with filtering.
This shows that RPiTX could easily be used as a transmitter for amateur radio purposes, assuming proper external filtering is applied. Rowetel also mentions that he hopes that cheap radio technologies like RPiTX could one day be used to help reduce the cost and difficulty in covering the 'last 100 miles' of communications in the developing world.
RPiTX is software that enables the Raspberry Pi to transmit any modulated signal over a wide range of frequencies using just a single GPIO pin. However, the transmission contains multiple harmonics and thus requires sufficient filtering in order to transmit legally within the 2M ham band. To solve this ZR6AIC uses a 2M Raspberry Pi Hat kit which he designed and created that contains two low pass filters as well at the option for an additional power amplifier.
The rest of ZR5AIC's post explains how his HAB telemetry system combines the Raspberry Pi 3, RPiTX 2M Hat, RTL-SDR, a GPS unit, battery, temperature sensor and optional camera into a full HAB transmitting system. He also explains the software and terminal commands that he uses which allows him to transmit via RPiTX a CW beacon and GPS and temperature sensor APRS telemetry data with the Direwolf software. Full instructions on setting up the alsa-loopback audio routing is also provided.
The attacker utilises a device with full-duplex RF capabilities (simultaneous transmit and receive) to produce a jamming signal, in order to prevent the car from receiving the valid code from the key fob. This is possible as RKEs are often designed with a receive band that is wider than the bandwidth of the key fob signal (refer Figure 3, right). The device simultaneously intercepts the rolling code by using a tighter receive band, and stores it for later use. When the user presses the key fob again, the device captures the second code, and transmits the first code, so that the user’s required action is performed (lock or unlock) (Kamkar, 2015). This results in the attacker possessing the next valid rolling code, providing them with access to the vehicle. The process can be repeated indefinitely by placing the device in the vicinity of the car. Note that if the user unlocks the car using the mechanical key after the first try, the second code capture is not required, and the first code can be used to unlock the vehicle.
In his demonstrating the attack he uses the RTL-SDR to initially find the frequency that they keyfob operates at and to analyze the signal and determine some of it's properties. He then uses a Raspberry Pi running RPiTX to generate a jamming signal, and the YardStick One to capture and replay the car keyfob signal.