A Lesson in Blind Reverse Engineering – Signals Intelligence

[Image: spreadsheet of binary data]

In a fit of desperation, I turned to data mining tools and algorithms, but stepped back from the horror of that unspeakable knowledge before my mind was shattered. That way madness lies.

–[Rory O'hare]

Wise words. Wise words, indeed. Who among us hasn’t sat staring into the abyss of seemingly endless data without the slightest clue as to what it means, or even how to go about figuring out what it means? To literally feel the brain damage seeping in as you start to see ‘ones’ and ‘zeros’ reach out to you from everyday electronic devices, like some ghost in the wires. But do not fear, wise hacker! For we have good news to report! [Rory O'hare] has dived into this very abyss and has emerged successful.

While others were out and about playing games and doing whatever non-hackers do to entertain themselves, [Rory O'hare] decided to reach out and grab some random wireless signals for a little fun and excitement. And what he found was not just a strong, repeating signal at 433 MHz. Not just a signal that oozed with evidence of ASK (amplitude-shift keying). What he found was a challenge, a mystery that was begging to be solved. A way to test his skill set. Could he reverse engineer a signal by looking at the signal alone? Read on, and find out.
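As an added example (not part of Rory's write-up or this post), here is a small decoder for the kind of ASK/OOK signal described above: it thresholds the amplitude envelope, recovers the bit period from a preamble run of 1s (the sync block one commenter below compares to a floppy controller's PLL), and slices the Manchester-coded bits. The Manchester convention, the preamble length and the sample stream are assumptions constructed for this example.

```python
# Manchester-coded ASK/OOK bitstream: clock recovery from a preamble of 1s.
# Added example, not from the original post. The envelope samples are
# constructed; the bit convention (1 = low->high, 0 = high->low), the
# preamble length and the idle-low assumption are choices made here.
from statistics import median

PREAMBLE = [1] * 8   # a run of 1s gives a steady square wave the receiver can lock to


def encode(bits, spb):
    """Manchester-encode bits as an amplitude envelope with spb samples per bit."""
    half = spb // 2
    out = []
    for b in bits:
        first, second = (0.0, 1.0) if b else (1.0, 0.0)
        out += [first] * half + [second] * half
    return [0.0] * spb + out + [0.0] * spb   # carrier off (idle low) before and after


def slice_levels(samples):
    """Threshold the envelope at the midpoint between its min and max."""
    thr = (min(samples) + max(samples)) / 2
    return [1 if s > thr else 0 for s in samples]


def decode(samples):
    """Recover the bit period from the preamble, then slice the bits.

    Returns (samples_per_bit, bits); bits include the preamble.
    Assumes the frame starts with a 1 bit and there is no clock drift."""
    levels = slice_levels(samples)
    edges = [i for i in range(1, len(levels)) if levels[i] != levels[i - 1]]
    if len(edges) < 3:
        return 0, []
    gaps = [b - a for a, b in zip(edges, edges[1:])]
    # During the all-1s preamble every edge is half a bit apart, so the median
    # of the first few gaps is a robust estimate of the half-bit period.
    half = int(median(gaps[:len(PREAMBLE)]))
    spb = 2 * half
    # A 1 bit is low then high, so from idle-low the first edge is the mid-bit
    # transition of the first preamble bit; bit boundaries follow every spb samples.
    pos = edges[0] - half
    bits = []
    while pos + spb <= len(levels):
        first = levels[pos + half // 2]            # quarter-bit sample
        second = levels[pos + half + half // 2]    # three-quarter-bit sample
        if first == second:                        # no mid-bit transition: frame over
            break
        bits.append(1 if (first, second) == (0, 1) else 0)
        pos += spb
    return spb, bits
```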


20 thoughts on “A Lesson in Blind Reverse Engineering – Signals Intelligence”

      1. I think I’ve seen something like that once, it was way too bright. Back into the hole then…

        Also, really good article. I was wondering if I could hack the frequency of my neighbor’s wireless doorbell.

    1. Unfortunately for my social skills I fall into the latter.
      Posting this message I have stepped into the deep end of social interaction.
      Please update me if we are any closer to total idiocracy.. :/

  1. The encoding method is the same as used by floppy disk drives. A block of 1’s lets the PLL in the controller chip sync to the data.

  2. Windytan (http://www.windytan.com/) likes to do stuff like this as well. She’ll just pick up some signal and think “oooh, what’s this?” and then figure it all out.
    She’s been featured here a couple of times at least. If you’ve seen that dialup modem connection breakdown graphic, that was her.

    SIGINT is all sorts of fun stuff, wish I had the time to devote to learning something like that.

    1. In reading Rory’s document I see that he does credit Oona for inspiration due to her similar signal work.
      Looking forward to reading what he’s done here, looks plenty interesting.

  3. Okay, you got me. I will try that too, I will try to find some cool signals with my SDR and try to figure it out. The pdf that the guy wrote was really motivating. I need to do that.

  4. @Bill Sweatman – You’ve got to be kidding us right? Data-Mining? The 1st thing in DM is to pre-format or index the data so it can be easily searched. If you don’t have some sort of standardized search method you may miss a lot of hits. That part becomes mind-numbing trying to make sure the data conforms to your search method or maybe vice versa.

    So you found a SIGINT signal at 433 MHz huh? Well guess what, all you’ve found was those remote temperature transmitters for home weather displays. The FCC allows this frequency for low powered home telemetry gadgets. You’re picking up your neighbors’ (or your own) home gadget trying to phone home.

    If you really want to do something try SIGINT on POCSAG signals in cities where interesting stuff happens. You’d be surprised who’s still using it. You’ll need POCSAG decoder software for your PC soundcard.

    If you want some real SIGINT fun try capturing some old voice pagers still in use today (very rare). They invariably give out their callback telephone number (i.e. “Harry please call me back at 202-555-1212 right away!”). Try calling back before Harry does (to busy out the line) and say “Did you page me?” they say “No who is this?” you say “You must have paged me by accident… what number did you dial?” – the rest is academic… (social engineering at its worst? VERY TEMPORARY FREE PAGING?)

  5. If you really want a challenge, decode the C&C channel communication of geosynchronous satellites. Or better yet, write an ISS telemetry decoder.

  6. Seriously, why are there always people on posts putting the people down? I think this guy documented his work really well, even his mistakes, which are sometimes the most important part of a project! We can all learn from this post.

    Everyone starts somewhere, people don’t just jump straight into reverse engineering military grade encryptions!

    Rant off

  7. I’m not sure what’s up with all the comments here. He did a pretty nice job coming from nowhere, and he documented it properly. This actually made me want to grab my SDR stick again, and figure out some more.

    I’d really like to thank you for this document and the time you spent on it. Educating yourself and the community is great, no matter the level. People like me (who btw have an engineering degree and had wireless technologies) still learn stuff.

    1. “I’m not sure what’s up with all the comments here.”

      We’re preventing instability. Negative feedback’s a dirty job, but someone’s gotta do it.

      1. What a crock of ish. I applaud the guy too.. Now get to work on decoding QAM modulation so we can all hack cell phones easier!! >:)
