Shmoocon 2017: A Simple Tool For Reverse Engineering RF

Anyone can hack a radio, but that doesn’t mean it’s easy: there’s a lot of mechanics that go into formatting a signal before you can decode the ones and zeros.

At his Shmoocon talk, [Paul Clark] introduced a great new tool for RF Reverse Engineering. It’s called WaveConverter, and it is possibly the single most interesting tool we’ve seen in radio in a long time.

If you wanted to hack an RF system — read the data from a tire pressure monitor, a car’s key fob, a garage door opener, or a signal from a home security system’s sensor — you’ll be doing the same thing for each attack. The first step is to capture the signal, probably with a software defined radio. Take this data into GNU Radio, and you’ll have to figure out the modulation, the framing, the encoding, extract the data, and finally figure out what the ones and zeros mean. Only that last part, figuring out what the ones and zeros actually do, is the real hack. Everything before that is just a highly advanced form of data entry and manipulation.

[Paul]’s WaveConverter is the tool built for this data manipulation. Take WaveConverter, input an IQ file of the relevant radio sample you’d like to reverse engineer, and you have all the tools to turn a radio signal into ones and zeros at your disposal. Everything from determining the preamble of a signal, figuring out the encoding, to determining CRC checksums is right there.

All of this is great for reverse engineering a single radio protocol, but it gets even better. Once you’re able to decode a signal in WaveConverter, it’s set up to decode every other signal from that device. You can save your settings, too, which means this might be the beginnings of an open source library of protocol analyzers. If someone on the Internet has already decoded the signals from the keyfob of a 1995 Ford Taurus, they could share those settings to allow you to decode the same keyfob. This is the very beginnings of something very, very cool.

The Github repo for WaveConverter includes a few sample IQ files, and you can try it out for yourself right now. [Paul] admits there are a few problems with the app, but most of those are UI changes he has in mind. If you know your way around programming GUIs, [Paul] would appreciate your input.

Garage Door Opener Logs to Google Drive

A garage door opener is a pretty classic hack around these parts. IR, Bluetooth, WiFi, smartphone controlled, web interfaces — we’ve seen it all. But if you want to keep track of people going in and out, you need some way of logging what’s happening. You could go ahead and roll up your own SQL-based solution, tied into a custom web page. But there’s an easier way; you can build a garage door opener that logs events to Google Drive.

[WhiskeyTangoHotel] was looking for an ESP8266 project, and a garage door opener seemed just the ticket. It’s simple enough to code up, and control over WiFi comes in handy. Interfacing with the garage door was simple enough — the existing opener uses a simple push button, which is easily controlled by wiring up a relay to do the job. Logging is as simple as having the ESP8266 send requests to IFTTT, which is set up to make posts to a Google Sheet with status updates.

The project is fairly basic, but there’s room for expansion. By using separate Maker Channel triggers on IFTTT, different users of the garage door could be tracked. It would also be easy to add some limit switches or other sensors to detect the door’s position, so it can be determined whether the door was opened or closed.

There’s always another take on the garage door opener — check out this hack that opens the garage door in response to flashing headlights.

Innocent TV Imprisoned Behind Mirror

After following along with all the Magic Mirror builds, [Troy Denton] finally caved in and started building one for his girlfriend for Christmas. These popular builds are all pretty much bespoke, and this one is no different.

His victim TV didn’t have the ability to be switched on and off by the Raspberry Pi using HDMI/CEC, so he came up with an alternative. He got a couple of opto-isolators and soldered one to the on/off button on the TV’s control board. The Pi didn’t know whether it was switching the TV on or off; it just knew it was toggling it. To solve this, [Troy Denton] connected another opto-isolator to the TV’s power LED, this one wired the other way around. When the TV is turned on, the Pi now detects it.

The enclosure is fabbed from 2×4 lumber, and the mirror is one-way acrylic, which runs somewhere in the $75-100 range for this 27-9/16″x15-1/2″ application. The top and bottom rails include lines of holes to encourage airflow to keep things cool. The face plate is picture framing, which makes it easy to mount the mirror. An ultrasonic range finder finishes off the build: when someone stands in front of this magic mirror, the Pi senses it and turns the monitor on.

Included in [Troy]’s post are the Python code and shell scripts he wrote, as well as a bunch of pictures of the build process. We’ve seen Magic Mirror builds before, including some small ones. They’re a cool addition to the house and a fairly simple build.

Fixing Bugs In A 37 Year Old Apple II Game

Emulators are a great way to reminisce about games and software from yesteryear. [Jorj Bauer] found himself doing just that back in 2002, when they decided to boot up Three Mile Island for the Apple II. It played well enough, but for some reason, crashed instantly if you happened to press the ‘7’ key. This was a problem — the game takes hours to play, and ‘7’ is the key for saving and restoring your progress. In 2002, [Jorj] was content to put up with this. But finally, enough was enough – [Jorj] set out to fix the bug in Three Mile Island once and for all.

The project is written up in three parts — the history of how [Jorj] came to play Three Mile Island and learn about Apple IIs in the first place, the problem with the game, and finally the approach to finding a solution. After first discovering the problem, [Jorj] searched online to see if it was just a bad disk image causing the problem. But every copy they found was the same. There was nothing left for it to be but a problem in the binary.


Shmoocon 2017: So You Want To Hack RF

Far too much stuff is wireless these days. Home security systems have dozens of radios for door and window sensors, thermostats aren’t just a wire to the furnace anymore, and we are annoyed when we can’t start our cars from across a parking lot. This is a golden era for anyone who wants to hack RF. This year at Shmoocon, [Marc Newlin] and [Matt Knight] of Bastille Networks gave an overview of how to get into hacking RF. These are guys who know a few things about hacking RF; [Marc] is responsible for MouseJack and KeySniffer, and [Matt] reverse engineered the LoRa PHY.

In their talk, [Marc] and [Matt] outlined five steps to reverse engineering any RF signal. First, characterize the channel. Determine the modulation. Determine the symbol rate. Synchronize a receiver against the data. Finally, extract the symbols, or get the ones and zeros out of the analog soup.

From [Marc] and [Matt]’s experience, most of this process doesn’t require a radio, software or otherwise. Open source intelligence or information from regulatory databases can be a treasure trove of information regarding the operating frequency of the device, the modulation, and even the bit rate. The pertinent example from the talk was the FCC ID for a Z-wave module. A simple search revealed the frequency of the device. Since the stated symbol rate was twice the stated data rate, the device obviously used Manchester encoding. These sorts of insights become obvious once you know what you’re looking for.
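The symbol-rate inference above, and the preamble and CRC steps WaveConverter automates, can be shown end to end on a constructed bit stream. This is an added example, not code from the talk or from WaveConverter; the 16-chip preamble, the 3-byte payload and the choice of CRC-8 (poly 0x07) are assumptions for illustration and are not Z-Wave’s real framing.

```python
def infer_line_code(symbol_rate: float, data_rate: float) -> str:
    """The talk's rule of thumb: symbol rate == 2 x data rate => Manchester."""
    ratio = symbol_rate / data_rate
    return {2.0: "manchester", 1.0: "nrz"}.get(ratio, "unknown")

def manchester_encode(bits: str) -> str:
    """IEEE 802.3 convention: bit 1 -> chips '01', bit 0 -> chips '10'."""
    return "".join("01" if b == "1" else "10" for b in bits)

def manchester_decode(chips: str) -> str:
    """Inverse of manchester_encode. '00'/'11' never occur in valid
    Manchester and usually mean the receiver lost chip alignment."""
    if len(chips) % 2:
        raise ValueError("odd chip count")
    out = []
    for i in range(0, len(chips), 2):
        pair = chips[i:i + 2]
        if pair not in ("01", "10"):
            raise ValueError(f"invalid Manchester pair {pair!r} at chip {i}")
        out.append("1" if pair == "01" else "0")
    return "".join(out)

def crc8(data: bytes, poly: int = 0x07) -> int:
    """CRC-8, poly 0x07, init 0, unreflected: a common first guess for a frame's trailing byte."""
    crc = 0
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = ((crc << 1) ^ poly) & 0xFF if crc & 0x80 else (crc << 1) & 0xFF
    return crc

def extract_frame(bits: str, preamble: str, payload_len: int):
    """Find the preamble, slice payload_len bytes plus one CRC byte after
    it, and report (payload, crc_ok). Returns None if no full frame."""
    start = bits.find(preamble)
    if start < 0:
        return None
    body = bits[start + len(preamble):][:8 * (payload_len + 1)]
    if len(body) < 8 * (payload_len + 1):
        return None
    raw = int(body, 2).to_bytes(payload_len + 1, "big")
    return raw[:-1], raw[-1] == crc8(raw[:-1])

# Constructed sample: an assumed 16-chip preamble (not Z-Wave's real one),
# a 3-byte payload and its CRC-8, Manchester-encoded behind a few idle chips.
PREAMBLE = "10101010" * 2
PAYLOAD = b"\x01\x02\x03"
FRAME_BITS = PREAMBLE + "".join(f"{b:08b}" for b in PAYLOAD + bytes([crc8(PAYLOAD)]))
CHIPS = "01" * 3 + manchester_encode(FRAME_BITS)
```

Running `extract_frame(manchester_decode(CHIPS), PREAMBLE, 3)` recovers the payload with a passing checksum; flipping one payload bit makes the CRC check fail, and a misaligned chip stream raises on the first `00`/`11` pair.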

In their demo, [Marc] and [Matt] went through the entire process of firing up GNU Radio, running a Z-wave decoder and receiving Z-wave frames. All of this was done with a minimum of hardware and required zero understanding of what radio actually is, imaginary numbers, or anything else a ham license will hopefully teach you. It’s a great introduction to RF hacking, and shows anyone how to do it.

Heavy Lift Electromagnet from Microwave Oven Transformers

It’s OK, you can admit it — from the time you first saw those huge electromagnetic cranes in scrap yards you’ve wanted to have one. While it may not fling around a car, parts donated from scrapped microwaves can let you build your own electromagnetic lifting device and make that dream finally come true.

We recently watched [MakeItExtreme] turn a couple of microwave oven transformers into a somewhat ill-advised wall-climbing rig. It looks like that may have been the inspiration for this build, and the finished product appears to be a tad more useful this time. The frames of three MOTs are cut open to remove the secondary coils and leave the cores exposed as poles for the future magnets. A shallow dish is fabricated out of steel and the magnets are welded in place.

With the primaries wired together, the magnets are epoxy potted, the business end is faced off cleanly, and the whole thing put to the test. [MakeItExtreme] doesn’t go into control details in the video below, but the website mentions the magnet being powered off a 24V 15A power supply with battery backup in case of mains failure.

They’ve lifted 200kg so far, and it looks like a pretty cool addition to a shop already packed with other builds, like their MOT spot welder and a propane tank sandblaster.


Motorized Camera Dolly Rolls With the Changes

Over the last semester, Cornell student [Ope Oladipo] had the chance to combine two of his passions: engineering and photography. He and teammates [Sacheth Hegde] and [Jason Zhang] used their time in [Bruce Land]’s class to build a motorized camera dolly for shooting time-lapse sequences.

The camera, in this case the one from an iPhone 6, is mounted to an off-the-shelf robot chassis that tools around on a pair of DC motors. The camera mount uses a stepper motor to get just the right shot. A PIC32 on board the ‘bot takes Bluetooth commands from an iOS app that the team built. The dolly works two ways: it can be controlled manually in free mode, or it can follow a predetermined path at a set speed for a specified time in programmed mode.

Our favorite part of the build? The camera’s view is fed to a smart watch where [Ope] and his team can take still pictures using the watch-side interface. Check it out after the break, and stick around for a short time-lapse demo. We’ve featured a couple of dolly builds over the years. Here’s a more traditional dolly that rides a pair of malleable tubes.
