Recently we received an email from RTL-SDR.com reader @Ivoidwarranties about his latest project which involved using a HackRF to reverse engineer the RF protocol used by a public parking electronic display. Once reverse engineered @Ivoidwarranties used a XR-2206 monolithic function generator, hybrid RF amplifier and an Arduino to create a device that overrides the public parking display and plays a game of Tetris on it.

We don’t have any details on the HackRF reverse engineering side of things, but he has uploaded a video to YouTube showing the hack in action.

The post Reverse engineering a public parking electronic display to play Tetris appeared first on rtl-sdr.com.

When Tom Taylors home heating boiler was replaced the builders also replaced the old wired rotary thermostat with a digital wireless one. It sounds good, but Tom soon discovered that the thermostat UI was terrible and that the buttons were horrible to press, making him prefer to shiver in the cold. So Tom decided to see if there was a smarter way to control the heating.

When Tom investigated the thermostat, he discovered that the wireless unit transmitted in the unlicensed 433 MHz band and that the thermostat only transmitted two commands, turn on or turn off. By using his RTL-SDR and the CubicSDR software on his Mac he was able to detect the short blip of the thermostat wireless signal. Next he recorded the on and off signals and opened the sound files in Audacity, an audio processing software tool. In Audacity he was able to compare the sound waveforms of the on and off signals.

From his analysis he discovered that each signal consisted of a preamble and then an on or off command which is repeated twice, presumably to reduce the likelihood of interference. Tom also discovered that the commands were encoded with pulse width modulation.

From this knowledge Tom was then able to use a cheap 433 MHz transmitter together with an Arduino microcontroller board and a short script to create identical on or off transmissions that control the boiler. Tom writes that his next steps are now to create a heating schedule based on his families shared calender, make a thermostat control loop and create a web connected interface with a Raspberry Pi.

The post Reverse engineering a wireless thermostat with an RTL-SDR appeared first on rtl-sdr.com.

Over on YouTube the popular security and hacking themed channel Hak5 have created two videos together with Mike Ossmann (creator of the HackRF and Yardstick One) that give a good introduction and overview on reverse engineering unknown radio protocols. In the video they show how to use a SDR like the RTL-SDR or HackRF to initially capture the radio signal, and then how to use the Yardstick One to reverse engineer and recreate the signal. Using this process they reverse engineer the radio protocol for a wireless liquor cabinet lock.

The Yardstick One is a computer controlled wireless transceiver (but it is not an SDR). The Yardstick One understands many radio protocols by default and can be programmed in Python, lowering the learning barrier for reverse engineering signals.

Mike Ossmann has also been slowly releasing very detailed video tutorials about DSP and radio related topics. If you are interested in reverse engineering radio signals it is a very helpful series to watch.

The post Hak5: Reverse Engineering Radio Protocols with SDR and the Yardstick One appeared first on rtl-sdr.com.

Toorcon is a yearly conference that focusus on information security related topics. At the 2015 Toorcon conference Micheal Ossmann (inventor of the HackRF SDR) gave an interesting talk about reverse engineering wireless systems using software defined radio.

Back in November Micheal gave a bit of a quick tutorial on reverse engineering in a November edition of the YouTube web series Hak5. Now his full conference talk has been released over on his website. In his talk he uses a HackRF and a Yardstick One to show how to reverse engineer a wireless cabinet lock.

The video can be viewed below or over on Micheal’s site greatscottgadgets.

The post Talk by Micheal Ossmann at Toorcon 2015: Rapid Radio Reversing appeared first on rtl-sdr.com.

The Nest thermostat is a smart thermostat that learns your schedule and automatically adjusts the heat in your house for optimal energy savings.  Tristan didn’t want to buy a Nest, but wanted to replicate the Nest thermostat’s functionality by using an Arduino to automatically regulate his apartments central heating boiler. To do this he needed to find a way to turn the heating on and off programatically.

Fortunately Tristan’s current thermostat is wireless, so he decided to use his RTL-SDR to sniff the data it sends to try and find the on and off signals. By using SDR# he was able to discover the radio traffic stream in the ISM band at 433 MHz. After simply recording the signal audio, he passed the audio file into Audacity to analyze the messages. He discovered that the ON and OFF signals were on-off key (OOK) modulated, and he was able to discover the binary control string and pulse timings.

With this information at hand, Tristan was then able to use a cheap 433 MHz radio transmitter together with his Arduino to replicate the ON/OFF boiler control signals. In the future Tristan plans to add a temperature sensor and web interface to monitor everything.

In the past we’ve also posted about a similar project by Tom Taylor where he reverse engineers his thermostat with an RTL-SDR and controls it with an Arduino.

The post Building a NEST Thermostat with Arduino and an RTL-SDR appeared first on rtl-sdr.com.

SimpliSafe is a home security system that relies on wireless radio communications between its various sensors and control panels. They claim that their system is installed in over 300,000 homes in North America. Unfortunately for SimpliSafe, earlier this week Dr. Andrew Zonenberg of IOActive Labs published an article showing how easy it is for an attacker to remotely disable their system. By using a logic analyser he was able to fairly easily reverse engineer enough of the protocol to discover which packets were the “PIN entered” packets. He then created a small electronic device out of a microcontroller that would passively listen for the PIN entered packet, save the packet into RAM, and then replay it on demand, disarming the alarm.

A few days later Micheal Ossmann (wireless security researcher and creator of the HackRF SDR and YardStick One) decided to have a go at this himself, using a YARD Stick One and a HackRF SDR. First he used the HackRF to record some packets to analyze the transmission. From the analysis he determined that the protocol was an Amplitude Shift Keying (ASK) encoded signal. With this and some other information he got from the recorded signal, he could then use his Yardstick One to instantly decode the raw symbols transmitted by the keypad and perform a replay attack if he wanted to.

Next, instead of doing a capture and replay attack like Andrew did, Micheal decided to take it further and actually decode the packets. This took him a few hours but it turned out to not be too difficult. Now he is able to recover the actual PIN number entered by a home owner from a distance without having to do any transmitting. With the right antenna someone could be gathering 100’s of PINs over a distance of many miles. Also, an expensive radio is not required, Micheal notes that the gathering of PIN numbers could just as easily be done on a cheap $10-$20 RTL-SDR dongle.

Micheal notes that the SimpliSafe alarm seems to lack even the most basic cryptographic protection, and that this is a problem that is seen all too often in wireless alarm systems. Rightly so, Micheal and Andrew are not publishing their code, although it seems that anyone with some basic knowledge could repeat their results.

The post Reverse Engineering the SimpliSafe Wireless Burglar Alarm appeared first on rtl-sdr.com.

Back in 2014 the author of boredhackerblog.blogspot.com did a final year project for his wireless security class on hacking home alarm systems. His presentation was titled “How we broke into your house”. In his research the author used both an RTL-SDR and a simple RFcat wireless transmitter and performs a simple replay attack on a cheap $50 alarm system. His process for reverse engineering the alarm was essentially:

1. Look up the device frequency and listen to it with an RTL-SDR and SDR#.
2. Record the signal and visually study the waveform in Audacity.
3. Look up system part info and determine encoding type (e.g. ASK/OOK)
4. Determine the bit string and baud rate.
5. Program the RFcat to send the same disarm binary string.

Once again research like this shows that cheap home alarm systems have literally zero protections against wireless attacks. In a previous post we also showed how the popular Simplisafe wireless alarm system could be disarmed in a somewhat similar way.

The post Hacking Alarm Systems with an RTL-SDR and RFcat appeared first on rtl-sdr.com.

Inspectrum is a Linux and OSX based tool that can be used for analysing captured signals. It is compatible with the IQ files generated from SDRs, such as the RTL-SDR or HackRF.

Over on YouTube user Mike has uploaded a video that demo’s the latest version of Inspectrum. He shows how the tool can be used to quickly browse the waveforms in a captured signal and how it can be used to determine various digital binary signal properties through an overlay that can be dragged to match the bit frequency of the captured signal.

This program looks like it is shaping up to be a very useful tool for those interested in reverse engineering digital signals. The Inspectrum code and installation procedure can be found at https://github.com/miek/inspectrum.

The post Inspectrum: A New Tool for Analysing Captured Signals appeared first on rtl-sdr.com.

Over on Hackaday a team are attempting to reverse engineer the RF data logging portion of an implanted cardiac defibrillator (ICD) as their Hackaday prize entry. An ICD defibrillator works by monitoring heart condition and automatically applying gentle shocks to put the heart back into a stable rhythm if an abnormal rhythm is detected. Modern implanted defibrillators log heart data and transmit the log daily to a base station, which is then forwarded to the doctor for analysis.

Unfortunately patients who are interested in taking a more active approach to their health (such as one member of the team who herself has an implanted defibrillator) do not get to see this data. The team are hoping to use an RTL-SDR to sniff this data which is transmitted in the 402 – 405 MHz ISM band, and then implement a decoder. So far they have successfully been able to capture some signals, and are working on decoding them into data.

By reverse engineering the signal they hope to draw attention to the fact that healthcare providers are not providing real time body data to the patient, preventing them from making their own informed decisions about their health. They write:

It’s all about making informed decisions. A patient knowing about arrhytmias episodes that occured to him/her has the power to change his lifestyle accordingly, by deducing the factors that have influenced his recent attacks and eliminating them – i.e. observing his/her heart condition according to his/her sleep schedule, work rhythm, food choices and participation in sports. As for now, the patients can only hope to get some information on ICD-prevented arrhytmias on scheduled appointments with their doctor, which often occur once a year or even less often. This eliminates any possibility of making informed choices by using patient’s lifestyle data for future arrhythmia episode prevention.

The post Sniffing Data from an Implanted Heart Defibrillator appeared first on rtl-sdr.com.

PHDays (Positive Hack Days) is a yearly forum with a focus on ethical hacking and security. During this years forum which took place in June, the organizers set up a competition where the goal was to “steal” or take control of a Syma X8C quadcopter drone. The drone runs on the nRF24L01 module, which from previous posts we have seen can easily be sniffed and decoded with an RTL-SDR or other SDR.

To reverse engineer the drones wireless communications system the teams used software defined radios like the HackRF and BladeRF, and also an alternative method involving just using an Arduino and nRF24L01+ receiver chip. Once the signal was received, they used GNU Radio to decode the signal into packets of data. After analyzing the data they found that the data bytes were easily reverse engineered and then were able to transmit their own data packets to control the drone. The post goes into further detail on the specifics of the reverse engineering.

The post Stealing a Drone with Software Defined Radio appeared first on rtl-sdr.com.

After listening to dock workers with his RTL-SDR for a few days, RTL-SDR.com reader Eoin decided that he wanted to try a more practical experiment. He decided to see if he could reverse engineering the wireless protocol on his garage door opener. Upon opening his remote he discovered a bunch of DIP switches, which are presumably used to program the remote to a particular garage door. Eoin’s next step was to determine at what frequency the garage door opener was transmitting at. He made an assumption that it would be in the 433 MHz unlicenced ISM band as this is where many handheld remotes transmit at. He was right, and found the signal.

His next step was then to record the signal audio in Audacity. From the audio waveform he could see a square wave which looked just like binary bits. By manually eyballing the waveform and translating the high/low squarewave into bits he was able to get the binary data. He then confirmed this data with the dipswitch positions and discovered that a 010 binary code matched with the UP position on the dip switch and 011 matched with the DOWN position.

Having decoded the signal manually fairly easily, Eoin decided his next challenge would be to automate the whole decoding in GNU Radio. In the end he was successful and managed to create a program that automatically determines the position of the DIP switches from the signal. His post goes into detail about his algorithm and GNU Radio program.

The post Decoding a Garage Door Opener with an RTL-SDR appeared first on rtl-sdr.com.

Over on his YouTube channel user Gareth has uploaded a video that shows a full tutorial on quickly decoding an On Off Keyed (OOK) signal with a HackRF (or RTL-SDR) and the Inspectrum software. Once decoded he then shows how to use a Yardstick One to duplicate the signal.

Inspectrum is a Linux based program that allows you to easily determine various parameters of a digital modulated signal by positioning an overlay over the waveform of a signal recorded with an SDR. Basically Gareth’s process is to first extract signal level values using Inspectrum, then secondly use a simple Python program to turn these values into binary bits, which gives him the data packet. He is then finally able to write another quick Python program to interface with the Yardstick One and retransmit the string.

The Yardstick One is a multipurpose radio (not a SDR) for transmitting modulated signals like OOK.

The post Using a Yardstick One, HackRF and Inspectrum to Decode and Duplicate an OOK Signal appeared first on rtl-sdr.com.

A replay attack consists of recording a signal, and then simply replaying it back at the same frequency at a later time. To do this a receive and transmit capable software defined radio like a USRP/HackRF/bladeRF can be used.

Over on his blog, the admin of the dxwxr group has posted a tutorial showing how he performs a replay attack on a simple wireless doorbell using a USRP, GNURadio and the audio editor Audacity. This is a very simple process and is a great tutorial for those looking to get started in reverse engineering signals. First he determines the frequency of the doorbell which turned out be be around 315 MHz. Then using GNURadio he records the signal emitted by the doorbell remote and opens up the audio file in Audacity. He then isolates a section of the signal and saves it as a raw aiff file. Finally, he uses GNURadio to transmit the isolated signal via the USRP.

The post Performing a Replay Attack on a Wireless Doorbell with a USRP SDR appeared first on rtl-sdr.com.

Recently nullwolf (T.J. Acton) wrote in to let us know about a very useful wrapper for Inspectrum that he has created, called DSpectrum. Inspectrum is a Linux based tool that makes it very easy to extract a binary string from a digital transmission which can be recorded with any SDR like an RTL-SDR. DSpectrum builds on Inspectrum and further automates the reverse engineering process. He writes:

The wrapper [DSpectrum] assesses the amplitude measurements, or frequency shifts, that are reported by Inspectrum. The wrapper uses the average of the provided values as a threshold. When a cell’s value falls below the threshold, the wrapper determines that the value is a binary ‘0’, and when it is above the threshold, it records the value as a ‘1’. It then returns this raw binary data as output, in addition to the binary’s hex and ascii translations.

…

Another two features were included: the semi-automatic comparison of two portions of a transmission in the same file, and the semi-automatic comparison of two signals in separate files.

Nullwolf notes that with DSpectrum the time taken for him to reverse engineer signals has dropped from 1 hour down to 5 minutes in some cases.

The post Reverse Engineering Digital RF Signals the Easy Way with DSpectrum appeared first on rtl-sdr.com.

Outernet is a satellite based file delivery service. Currently they’re beta testing their service and they are using RTL-SDR’s as the receiver. In previous posts we’ve seen that they’re now regularly transmitting weather updates, wikipedia files and more files like images and books. Over time the service is becoming more and more useful. If you’re interested in receiving their service we have a tutorial available here.

While most of the Outernet software is open sourced, the signal protocol itself is closed source, which ties you into needing to use the official Outernet software. Over on his blog, Daniel Estévez has been working on reverse engineering the Outernet signal with the goal of publishing the results and building a fully open source receiver.

So far he’s managed to fully reverse engineer the modulation, coding and framing. He’s also been able to build a GNU Radio program that receives the Outernet frames and a Python program called free-outernet which does the decoding. His post goes into greater details on how he reverse engineered the signal and what his finding are.

The post Reverse Engineering the Outernet Signal appeared first on rtl-sdr.com.

On GitHub user spenmcgee has uploaded a write up and Python software that decodes data from a Lacross TX29 wireless temperature meter. Spenmcgee’s write up goes into excellent detail about how he actually wrote the program and reversed engineered the transmitter.

First he explains how he used Python to extract the data from the RTL-SDR I/Q samples. From those samples he calculates the amplitude data, and plots it on a graph which shows the digital signal. He then decimates the signal to reduce the number of samples and figures out how to detect the preamble, data bits and packet repetitions. Then to decode the signal he explains how he does clock recovery, convolution and thresholding, and also the importance and meaning of those steps.

If you’re new to reverse engineering signals and don’t have a DSP background, then spenmcgee’s write up is an excellent starting point. It’s written in a way that even a layman should be able to understand with a little effort. If you have a Lacross TX29 wireless temperature meter that you just want to decode, then his code will also be of use.

The post Reverse Engineering and Reading Data from a Wireless Temperature Meter: Tutorial + Code appeared first on rtl-sdr.com.

Back in September 2015 we made a post about how Bastian Bloessl was able to use his RTL-SDR dongle to reverse engineer and decode the signals coming from portable wirelessly synchronized traffic lights which are commonly set up around road construction zones.

Recently Bastian noticed that a new set of wireless traffic lights had been set up at his University, so he got to work on trying to reverse engineer those. He found that these new lights use the same frequency band, but work using a different modulation and frame format scheme.

To reverse engineer these new lights he made a recording of the signals in GQRX and then opened them up in Inspectrum, which is a very nice tool for helping to reverse engineer digital signals. Thanks to Inspectrum he was easily able to extract the preamble and decode the data in GNU Radio.

Bastian has also uploaded a video that shows him reverse engineering the binary frame format in the Vim text editor which may be useful for those wishing to understand how it’s done.

Once the frame format was reverse engineered, he was able to use the program he created last year which allows him to view the status of the lights remotely in real time.

The post Reverse Engineering Traffic Lights with an RTL-SDR Part 2 appeared first on rtl-sdr.com.

Erhard E. has been experimenting with capturing, analyzing, reverse engineering and then transmitting new ASK/OOK signals with his RTL-SDR and Raspberry Pi running RPiTX. Erhard has written a very informative guide/tutorial (pdf) that explains how he did it for wireless doorbell and for remote control toy cars. RPiTX is software for the Raspberry Pi which allows it to transmit almost any signal via modulation of a GPIO pin. RPiTX related posts have been featured on this blog several times in the past.

First Erhard records a copy of the doorbell signal using his RTL-SDR and then views the waveform in Audacity. He then writes that you’ll need to find the waveform characteristics either manually using Audacity, or by using the rtl_433 decoder. In the tutorial he uses rtl_433 which automatically gives his the pulse width, gap width and pulse period.

Next in order to actually generate the signal using RPiTX he uses the waveform characteristics that he found out and manually creates a .ft hex file that describes the signal to be generated. Then using using the rpitx command, the .ft file can be transmitted.

Later in the tutorial he also shows how he performed the same reverse engineering process with a cheap RC car toy (forward/reverse commands only), which uses OOK encoding on the wireless controller.

The tutorial can be downloaded in PDF form here.

The post A Guide to Using RPiTX and an RTL-SDR to Reverse Engineer and Control ASK/OOK Devices appeared first on rtl-sdr.com.

During the Schmoocon 2017 conference presenter Paul Clark introduced a new open source Linux tool called WaveConverter which he’s been working on for reverse engineering RF signals. Paul writes:

WaveConverter is a tool that helps you extract digital data from RF transmissions that have been captured via Software Defined Radio (SDR). After the user defines the modulation parameters, framing and encoding, WaveConverter will process a stored I-Q file and extract the data from any transmissions that match this definition. Using programmable timing tolerances and glitch filters, WaveConverter is able to extract data from signals that would otherwise appear corrupted.

This software will make the process of reverse engineering signals easier and more error-proof. Because WaveConverter includes the ability to store and retrieve signal protocols (modulation + encoding parameters), we have been generating a database of protocols that we can quickly use to iteratively attack unknown signals.

This tool should be very useful for reverse engineering digital signals, such as those found in keyfobs, wireless doorbells, wireless temperature sensors and any other simple RF device. Simply use an SDR device like an RTL-SDR to capture a sample of the signal of interest and then open it up in WaveConverter to first easily analyze the signal and determine it’s properties, then to automatically demodulate any subsequent signal into a binary string. For more information the documentation can be found here (pdf).

WaveConverter seems to be quite similar in purpose to Inspectrum and DSpectrum which are two Linux tools that are also designed for reverse engineering digital signals.

The post WaveConverter: An Open Source RF Reverse Engineering Tool appeared first on rtl-sdr.com.

Over on his blog Andy writes how he wanted a smart way to control his central heating system with a Raspberry Pi and Arduino microcontroller. He discovered that if he could reverse engineer his existing wireless thermostat then he would have an easy way to control the boiler in his house and with that a smart controller could be made. By reverse engineering the thermostat he also avoids the need to rig up his own control system.

The existing thermostat wireless receiver is a Danfoss RX2. In order to reverse engineer the protocol Andy opened up an older that one he had and saw that it used an Infineon TDA5210 RF receiver chip. Armed with this part number he was able to look up the datasheet and determine the operating frequency. Then by using an RTL-SDR he captured some packets while pressing buttons on the thermostat transmitter and piped the audio file into audacity, where he was able to clearly see the digital waveform.

Andy then wrote a Python program using the ‘wave’ library, which allowed him to easily read binary values for a .wav file. With his code he was able to extract the data from the signal and determine the preamble, sync word, thermostat ID and the instruction code (on/off/learn).

In a future post Andy hopes to show us how he’ll use an RF69 module with an Arduino to actually control the thermostat using the reverse engineered packet knowledge.

The post Hacking a Danfoss Wireless Thermostat with an RTL-SDR appeared first on rtl-sdr.com.