Reverse Engineering a Different Kind of Bus

Radio enthusiasts have a long history of eavesdropping on non-broadcast stations: police, fire, and public transportation frequencies, for example. These days, though, a lot of interesting communications are digital. When [bastibl] wanted to read data displayed on bus stop signs, he turned to software defined radio. He used gr-fosphor to monitor the radio spectrum as buses drove by and discovered a strong signal near 151 MHz (see photo below).

That, however, was just the start. Using a variety of tools, he figured out the modulation scheme, how the data framing worked, and even the error correction scheme. Armed with all the information, he built a GNU Radio receiver to pick up the data. A little number crunching and programming, and [bastibl] was able to recover data about individual buses, including their position and schedule.

A little programming, and you wind up with live bus maps. Granted, if you don’t live in Paderborn, Germany, this might not be directly useful to you. But it was a detective story worthy of a radio version of CSI.

Apparently having an SDR is more fun if you have some native detective skills. It isn’t hard to get started with the basics, though.

19 thoughts on “Reverse Engineering a Different Kind of Bus”

    1. As someone who worked on these systems: don’t. While you might be able to confuse the system a bit, you are transmitting on a frequency that you are not allowed to use. A single transmission will most likely be disregarded as a fluke; repeated use will result in cops at your door, as it’s not that hard to pinpoint the source of your signal.

      1. Thank you for pointing that out. I was already about to write that this is a true hack but bordering on the illegal. In order to use these frequencies you would have to register with the Bundesnetzagentur (Betriebsfunk). I doubt that anyone would care about receiving and decoding the messages, but transmitting would be stupid and illegal.
        Oh, and may I point out that you have to pay fees for using these frequencies…

        1. I don’t think anyone cares if you receive the data. After all, there is no attempt made in obfuscating or hiding anything.
          Some codes, however, are reserved for police, fire and ambulance vehicles, which in some places can influence traffic lights as well. So it’s a perfect way to get the cops at your door.

          1. Many years ago, the underground competitor to Hackaday, “fromtheshadows.com” (now defunct), had a lot of fun with such a device operated by a masked guy, switching traffic lights in the Bay Area.

      2. On the subject of locating: just use a portable transmitter next to an official one. That way it’s triangulated to the original transmitter and they will think they made a mistake in their trace.
        And seeing it transmits in bursts, it would be possible to get through in the pauses.

        But actually, yeah don’t mess up a non-harmful system for no reason. If you want to mess up things there are legitimate targets, nasty grey-illegal tracking done by cities and governments and such which they should not be doing.

  1. Please note two things:
    – The blog already points to windytan and the guys from CCC Munich.
    – DARC, i.e., the technology that windytan and CCC Munich are using is totally different and is used to transmit different data. In that sense, it’s not just the very same thing. With DARC you are usually only transmitting when a bus arrives, but no coordinates and stuff.
