Wireless Door Bell 433 MHz ASK Signal Analysis with a HackRF
Paul Rascagneres, an RF experimenter has recently uploaded a document detailing his efforts at reverse engineering a wireless doorbell (pdf file) with a 433 MHz Amplitude Shift Keyed (ASK) signal with his HackRF software defined radio. The HackRF is a SDR similar to the RTL-SDR, but with a wider available bandwidth and transmit capabilities.
To reverse engineer the doorbell, Paul used GNU Radio with the Complex to Mag decoder block to receive and demodulate the ASK signal. Once demodulated he was able to visually see the binary modulated waveform, and manually obtain the serial bit stream. From there he went on to create a GNU Radio program that can automatically obtain the binary strings from the ASK waveform.
In order to replay the signal, Paul found that the simplest way was to use the hackrf_transfer program, which simply records a signal, and then replays it via the HackRF transmitter on demand. With this method Paul was able to ring his doorbell via the HackRF.
Paul also confirmed his SDR results with an Arduino and 433 MHz transceiver. He then took it a step further and used the Arduino to create a system that could automatically receive and replay signals at 433 MHz and 315 MHz.
My replay attacks on wireless devices such as a doorbell, https://www.youtube.com/watch?v=AcH6VGdqCio
Really awesome reverse engineering. I’d like to get to ring a doorbell via the HackRF.