Sniffing Data from Radio-Controlled Bus Stop Displays

A few weeks ago in Finland, [Oona] discovered a radio data stream centered around 76 kHz in an FM broadcast, and she recently managed to decode it. This 16,000 bps stream uses level-controlled minimum-shift keying (L-MSK), whose detection can be quite tricky to implement. She therefore decoded the stream by treating the received signal as non-coherent binary FSK, which as a side effect increased the bit error probability. [Oona] then understood that the stream she was getting was the data broadcast by Helsinki buses to the nearby bus stop timetable displays. She even got lucky when she observed a display stuck in the middle of its bootup sequence, displaying a version string. This revealed that the system is called IBus and made by the Swedish company Axentia. However, their website didn’t provide the specs for their proprietary protocol. After many hours of sniffing and coding, [Oona] successfully implemented the five-layer protocol stack in Perl and can now read the arrival times of the nearby buses from her apartment.
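An added example (not [Oona]'s Perl code): a non-coherent binary FSK detector run over a constructed MSK-style signal, showing why the shortcut described above decodes the bits yet gives up error margin. The tone spacing (76 ± 4 kHz, i.e. modulation index 0.5), the 384 kHz sample rate and already-known bit boundaries are assumptions, not values from the page.

```python
import math

BIT_RATE = 16_000        # bit/s, from the article
F_CENTER = 76_000        # Hz subcarrier, from the article
F_DEV = BIT_RATE / 4     # assumption: MSK modulation index 0.5, tones at 76 +/- 4 kHz
FS = 384_000             # assumption: sample rate, 24 samples per bit
SPB = FS // BIT_RATE     # samples per bit

def modulate(bits, dev=F_DEV):
    """Constructed test signal: continuous-phase FSK around F_CENTER."""
    phase, out = 0.0, []
    for b in bits:
        step = 2 * math.pi * (F_CENTER + (dev if b else -dev)) / FS
        for _ in range(SPB):
            out.append(math.cos(phase))
            phase += step
    return out

def tone_energy(chunk, freq):
    """Quadrature correlator: energy at freq, independent of carrier phase."""
    w = 2 * math.pi * freq / FS
    i = sum(s * math.cos(w * n) for n, s in enumerate(chunk))
    q = sum(s * math.sin(w * n) for n, s in enumerate(chunk))
    return i * i + q * q

def demodulate(samples, dev=F_DEV):
    """Non-coherent binary FSK: per bit period, pick the tone with more energy."""
    bits = []
    for k in range(0, len(samples) - SPB + 1, SPB):
        chunk = samples[k:k + SPB]
        mark = tone_energy(chunk, F_CENTER + dev)
        space = tone_energy(chunk, F_CENTER - dev)
        bits.append(1 if mark > space else 0)
    return bits

def leakage(dev):
    """Share of a '1' bit's energy that also shows up in the '0' detector."""
    chunk = modulate([1], dev)
    return tone_energy(chunk, F_CENTER - dev) / tone_energy(chunk, F_CENTER + dev)

if __name__ == "__main__":
    sent = [1, 0, 1, 1, 0, 0, 1, 0]   # constructed bit pattern
    print(demodulate(modulate(sent)) == sent)
    print(round(leakage(F_DEV), 2), round(leakage(BIT_RATE / 2), 3))
```

At MSK's half-bit-rate tone spacing, roughly 40% of a bit's energy lands in the wrong detector, while tones spaced a full bit rate apart leak almost nothing. That lost decision margin is the increased bit error probability of treating MSK as non-coherent FSK.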

Comments

  1. vpoko says:

    I’m surprised it operates at such a low frequency; 76KHz is longwave. I wonder why it’s like that. Also, I wonder how hard it would be to spoof the signal to display wrong times (or zombie warnings). Not that I’d actually want to do it, but it would probably be easy enough.

  2. ajr_ says:

    Why is Sweden mentioned even though she is from Finland?

    • John U says:

      I don’t think there’s a ‘Helsinky’ in Finland, I might call my friend in Helsinki / Helsingfors to see if he’s ever heard of it.

      • cHRIS says:

        agreed. i was just about to post something similar regarding the city’s name. go to google and start typing “H..e..l..s..i..n..” and it’ll automatically finish it with the correct spelling..”Helsinki”.. I’d assume any software they’re writing this blog in would have some form of spell check too… oh well. at least we are here to correct, lol.

  3. gijsbertpeijs says:

    The next step would obviously be to transmit signals and take over the displays. The list of possible pranks is endless (and most of which can be done without disrupting Sweden’s public transport system).

    • fajensen says:

      *Nothing* can be done without disrupting Sweden’s public transport system, it runs on quantum logic: Three leaves on the tracks will cause the doors to fall off “Snapptoget” or something, somewhere will ;-) Snow is expected -> drivers will fail to turn up -> huge delays, even when the actual snow does not arrive, the expectation is enough to cause the effect.

  4. Timo Virkkala says:

    Finland, not Sweden. Helsinki, not Helsinky. However, Axentia really is Swedish :)

  5. Psod says:

    Oona is from Finland. The company which has supplied the displays is Swedish.

  6. ejonesss says:

    why would anyone want to read the communications to the display?
    unless the bus service uses the display to charge the bus rate like a taxi and by tampering with the signal to change the rate to get cheap or free rates

  7. swedish non-chef says:

    Helsinki is in Finland. I would have been very surprised if the signal was picked up from Sweden all across the nordic sea :-)

  8. Pawni says:

    In Sweden? Helsinki is the capital of Finland even though the system may have been designed by our neighbors.
    Would be using this if the bus stop were closer to my apartment, thankfully the real-time online tracking system is on its way.

  9. tinppaviiva says:

    The town is Helsinki, and the country is Finland :)

  10. Oona4TehWin! says:

    Not that it’d make a big difference but from the article: “Oona Räisänen
    A self-taught signals & electronics hacker from _Helsinki, Finland_. Fond of mysteries, codes and ciphers, and vintage tech.”
    ( FI != SE )

  11. S says:

    Sweden?
    “A self-taught signals & electronics hacker from Helsinki, Finland.”

  12. Elias says:

    FYI it is spelled Helsinki and it is in Finland :)

  13. Helsinki is in Finland, not Sweden. Just a small ‘joggraffy’ correction.

  14. wretch says:

    That’s a fantastic RE job.

    BTW, minor detail, is this in Finland or Sweden? Do bus stop signs in other Scandinavian and European countries work similarly?

    • Ivan says:

      The box looks a lot like the ones that are in bus shelters around Aalborg, Denmark. But often the timetable displayed is the same as the printed sign. So my guess would be that the GPS system is not incorporated yet.

  15. Anybodysguess says:

    Does she even ride the bus?

  16. Hirudinea says:

    Since the signal is on top of an FM broadcast could she make an app for a cellphone with an FM radio? Nice to know when the bus is coming when you’re waiting in the coffee shop during the Helsinki winter.

    • rasz says:

      no, signal is out of band, but you could make SDR app and plug in RTLSDR into your phone

    • Ryan says:

      Actually, it could be done. There is an Android app called “FM TwoO” that, with an Android phone/tablet with FM tuner capability, can tune in FM stations to listen to *and* decode RDS data (which is transmitted at a 57 KHz subcarrier on an FM station’s main carrier, just like how the 76 KHz subcarrier of an existing FM station the bus data is transmitted on), as well as custom data sent in the RDS RT field (known as RT+). An app like FMTwoO could be re-written to decode the bus data instead….

  17. Hey! I’ve always wondered how these systems work. Anybody into the topic could lead me a few links to start researching?

  18. strider_mt2k says:

    This is an awesome hack no matter the origins!
    That is just some incredible work. It shows true talent.

  19. Gregg Levine says:

    Amazing. It certainly seems much better than the BusTime system that the MTA fabricated here. And it works strangely here, even sporadically. There are only a few locations in the City where it is even shown.

  20. sneakypoo says:

    Anyone else find it hilarious how so many people are throwing themselves into the comments without reading them to point out the Finland/Sweden mistake? 47 minutes from the first to the last mention of it. Don’t you realise you look pretty silly pointing something out almost an hour after it has already been done?

    • gregg4 says:

      Yes. (Idiot blog mechanism first it wants to log in and do it via G+ then it wants via the blog mechanism. Someone needs to make up its mind for it.)

    • Indyaner says:

      Apparently, people who know the difference between Sweden and Finland don’t like to read comments prior to posting. I saw that this post got 40 comments and was curious if it had a sparked discussion going on… nope. Just people repeating the same thing. Bummer.

      • Oona4TehWin! says:

        And I blame the commenting system where it takes ages before the comment actually appears on the page. When I (and I guess other Swedes/Finns) commented about FI != SE detail, there were but 5 comments visible in the thread.

  21. Miroslav says:

    So this is riding in 88-108 MHz broadcast band? I thought you needed a broadcast permit to use that frequency range. Hmmm …

    • vpoko says:

      It’s a city government. I have no idea what the law in Finland is, but they probably have some kind of statutory provision or licensing for governmental use. Whatever the details, chances are this isn’t bus schedules by pirate radio.

    • baobrien says:

      It looks like they’re riding on a local commercial station.

    • rasz says:

      this, just like the traffic TMC (using RDS) is done in cooperation with FM radio station. Basically company pays radio station for ability to inject their signal on top of Audio.

      Radio station has all the permits and transmitting equipment.

    • bobfeg says:

      A long time ago I did something similar by transmitting slow morse using a subaudible tone on a transmitted audio signal…it worked pretty well. I also piggybacked a slow data signal by playing with the timing of another data transmission stream…the very slight timing variations had no effect on the main stream and could be decoded very easily.

      A similar use for using slight timing variations was engineered back in the 80’s and built into fax and modem boards so they could transmit a covert 2nd stream of data.

  22. DainBramage1991 says:

    I just want to know which software she’s using to generate that waterfall display. I’ve been using SDRsharp, but I’ve been having a hard time producing useful data like that with it (lack of expertise, mostly).

  23. Interesting! I believe Transport for London are using iBus to provide location and timetable info. There was a recent documentary which had some info about how it works. The buses have all got GPS transmitters which report to a central control room. This info goes into a real time scheduling system which is iBus. Some of this info is then sent out to the bus stop displays. Would it make sense to use a low-frequency connection to send to the displays? More robust?

    During the last year the schedule info has also become available by SMS. Each bus stop has a small plate with a number. If you text this to a number which is also shown, you get an immediate reply with the buses expected in the next 20-30 minutes. It has also become available online, and there is an app for SmartPhones!

    I live in Kingston in SW London and since I am retired and have a Bus Pass, I regularly use buses. The Timetable displays are very useful to work out which route I can take.

  24. parko says:

    ALL YOUR BUS ARE BELONG TO US

  25. There was a Swedish article about this system in Stockholm, at least I think it is the same system (same company at least).

    So for those that read Swedish they can read more here http://techworld.idg.se/2.2524/1.528860/nar-kommer-bussen–stadje-granskar-sl-s-teknik

  26. iommi says:

    The IBus system used in London uses GPRS to relay the GPS data and other information from the buses to a central system which calculates predicted times to a certain stop and if a bus is running ahead of schedule or behind. This is then sent out via GPRS again to each Countdown sign at the bus stops. Every bus sends a message every 30 seconds unless an emergency situation occurs.

    The system is backed up by a PMR MPT radio system for use if the bus loses GPRS connectivity and for voice communication between the controllers and drivers.

    Other older systems tend to use PMR radio to send data to the stops and from the buses to the central system, it’s all very low baud rate unencrypted data with basic checksums.
