Tagged: TPMS

Receiving TPMS Tire Pressure Data from a Mazda CX 5 with an RTL-SDR

Over on YouTube Robert from the Robert Research Radios channel has uplaoded a video showing how he has been using an RTL-SDR and rtl_433 to measure his Mazda CX5's wireless tire pressure sensors. The Mazda CX5 comes with TPMS tire pressure sensors in each tire, however when there is a low pressure warning, it does not actually tell you which tire in particular is low.

Robert used his RTL-SDR, rtl_433 and a custom script to read the wireless TPMS data coming from his tires and then matched the ID from each reading to the correct tire.

To go along with the video, Robert has uploaded a blog post explaining his setup and script.

RTLSDR Mazda CX 5 TPMS

Testing Tire Pressure Monitoring System Sensors with RTL-SDR and rtl_433

Thank you to Ross for writing in and sharing with an articles that he's written about testing Tire Pressure Monitoring System (TPMS) sensors using an RTL-SDR and the rtl_433 decoder.

TPMS is a system installed on many modern cars (or retrofitted on older cars) that wirelessly monitors the tire pressure on vehicles in order to provide dashboard information that can improve safety and fuel economy. TPMS system typically transmit on license free bands, such as 315 MHz which can easily be received with an RTL-SDR.

Ross owns a 2008 Toyota Tacoma which has a built in TPMS system. Unfortunately he found that one of his sensors was broken as the TPMS warning light was consistently on, despite knowing that his tire pressure was correct.

Instead of purchasing an expensive TPMS diagnostic tool, Ross broke out his RTL-SDR and fired up rtl_433 which already contains a ready to use TPMS decoder. From the data received, Ross was able to determine that only three sensors were transmitting. Ross then goes on to use the RSSI signal power strength measurements provided by the rtl_433 output, while moving the antenna next to each wheel to determine exactly which wheel had the faulty sensor.

Ross's post goes into further details about his setup and the data he received from the sensors. He also created a follow up post, describing a bash script he wrote to automate the process.

TPMS Data Received

Using an RTL-SDR to Monitor A Tire Pressure Sensor used in Home Brewing

Over on YouTube Andreas Spiess has been helping his friend create a pressure monitoring system for his home brew beer bottles. In order to do this, Andreas uses an externally mounted after market wireless tire pressure sensor whose data can be received with an RTL-SDR and the rtl_433 decoder software. Modern vehicle tires contain a TPMS (tire pressure monitoring system) sensor, which keeps track of tire pressure, temperature and acceleration. The data is wirelessly transmitted via 433 or 315 MHz to the cars dashboard and computer for safety monitoring.

In the first video Andreas discusses tire pressure monitors and how they could be used for other non-tire applications, talks a bit about the wireless protocol used, and how to reverse engineer it. He notes that the author of rtl_433 was able to implement his particular tire pressure sensor brand's protocol into the rtl_433 database, so now anyone can decode them. Finally in this video he also shows that he can easily spoof a flat tire signal using a HackRF and GNU Radio which might cause a modern high end car to refuse to move.

The second video shows how to continuously monitor that TPMS data for the home brew set up. Andreas uses an RTL-SDR and Raspberry Pi running rtl_433, which outputs it's data into Mosquitto, Node-Red, InfluxDB and the Grafana. These programs help to read, manage, log and graph the data. The rtl_433 program is also monitored by Supervisord which automatically restarts rtl_433 if the program crashes.

If you are interested, there is a related video that was uploaded in between the two shown below which shows how he created a 3D printed cap to mount the valve and tire pressure sensor on the beer bottles.

#261 Measure Pressure Remotely (including TPMS Hacking / Attack) for Beer Brewing

#270 Safely Monitor and Alarm with Supervisord and Telegram

Exploring Vulnerabilities in Tire Pressure Monitoring Systems (TPMS) with a HackRF

Over on YouTube the channel "Lead Cyber Solutions" has uploaded a video presentation for the Cyber Skills Competition. In the video Christopher Flatley, James Pak and Thomas Vaccaro discuss a man-in-the-middle attack that can be performed on vehicle Tire Pressure Monitoring Systems (TPMS) with a transmit capable SDR such as a HackRF.

A TPMS system consists of small battery powered wireless sensors placed on a vehicles wheels which automatically monitor tire pressure. An LCD basestation usually exists on the dashboard of the car indicating live tire pressure. Most modern cars come with this feature, and it is simple to retrofit an older car with an aftermarket TPMS system.

The idea behind the vulnerability is that a HackRF can be used to reverse engineer the TMPS signal, and then re-transmit a new fake signal that causes the base station to read the tire pressure as low. This can set off an alarm in the car and possibly cause someone to pull over. More alarmingly, they discuss how tractors have automatic tire inflation systems which work using similar sensors. A false low pressure reading could cause the tractor tires to over inflate and be damaged.

Vulnerabilities in Vehicle TPMS (Exploit & Hacking)

In the past we have also posted about Jared Boon's work on TPMS where he shows how privacy could be breached by monitoring and tracking TPMS identifiers.

Receiving and Decoding Tire Pressure Monitor Systems using an RTL-SDR

Tire Pressure Monitoring Systems (TPMS) are comprised of sensors that are designed to measure the tire pressures on a vehicle and then wirelessly transmit the data to a monitoring computer, which will then alert the driver when the tire pressure is incorrectly set.

At the Toorcon conference, Jared Boon has given a talk showing how he used an RTL-SDR and a GNU Radio program that he developed to reverse engineer the TPMS wireless protocol, and read the data that is sent. Jarod also notes that TPMS is potentially a security risk that could be used to track cars. The talk has been uploaded to YouTube and is shown below.

Reversing Tire Pressure Monitors with a Software-Defined Radio