Hacking Rolling Code Keyfobs

 

hacking-rolling-code

Most keyfobs out there that open cars, garage doors, and gates use a rolling code for security. This works by transmitting a different key every time you press the button. If the keys line up, the signal is considered legitimate and the door opens.

[Spencer] took a look into hacking rolling code keyfobs using low cost software-defined radio equipment. There’s two pars of this attack. The first involves jamming the frequency the keyfob transmits on while recording using a RTL-SDR dongle. The jamming signal prevents the receiver from acknowledging the request, but it can be filtered out using GNU Radio to recover the key.

Since the receiver hasn’t seen this key yet, it will still be valid. By replaying the key, the receiver can be tricked. To pull off the replay, GNU Radio was used to demodulate the amplitude shift keying (ASK) signal used by the transmitter. This was played out of a computer sound card into a ASK transmitter module, which sent out a valid key.

ISEE-3: We Get Signal

ISSE-3

Out in the depths of space, more than 100 times the distance from the Earth to the moon, there’s a lonely spacecraft gracefully spinning towards an August encounter with our planet. It’s ICE/ISEE-3, a probe long-forgotten by official space agencies. Now, the team dedicated to repurposing this satellite has made contact with this probe using a 20-meter satellite dish in Germany.

When we first heard about the planned communication by volunteers, no one was certain the probe was still alive. It shouldn’t be a surprise this satellite was still functioning; it was launched in 1978, and most of the instruments were still functioning in 2008. Still, this is the first time amateurs – not NASA – had received a signal from the probe

ICEteam, the group of volunteers dedicated to reviving this spacecraft used the huge dish at Boshum observatory to detect the 5 Watt carrier signal coming from the spacecraft. That’s all the probe is sending out right now – no data was received – but this is a huge accomplishment and the first step towards directing ICE/ISEE-3 into an orbit around one of the Earth-Sun Lagrange points.

Side note: Looking at the ephemeris data (target -111) I *think* ICE/ISEE-3 will be above the night side of Earth at closest approach. Can anyone confirm that, and does that mean a future mission at L2?

Video from the ICEteam below.

[Read more...]

Hacking Radio Controlled Outlets

Decoding NRZ ASK

It’s no surprise that there’s a lot of devices out of there that use simple RF communication with minimal security. To explore this, [Gordon] took a look at attacking radio controlled outlets.

He started off with a CC1111 evaluation kit, which supports the RFCat RF attack tool set. RFCat lets you interact with the CC1111 using a Python interface. After flashing the CC1111 with the RFCat firmware, the device was ready to use. Next up, [Gordon] goes into detail about replaying amplitude shift keying messages using the RFCat. He used an Arduino and the rc-switch library to generate signals that are compatible with the outlets.

In order to work with the outlets, the signal had to be sniffed. This was done using RTL-SDR and a low-cost TV tuner dongle. By exporting the sniffed signal and analyzing it, the modulation could be determined. The final step was writing a Python script to replay the messages using the RFCat.

The hack is a good combination of software defined radio techniques, ending with a successful attack. Watch a video of the replay attack after the break.

[Read more...]

TDOA (Time Difference of Arrival) Directional Antenna

tdoa-antenna-tutorial

We have posted articles in the past on directional antennas such as Yagi antennas used for transmitter hunting otherwise known as fox hunting. Those types of antennas and reception suffer from one major drawback, which is as you get close to the transmitter the S meter will go full scale. At which time the transmitted signal appears to be coming from all directions. To correct for this problem you need to use clever signal attenuators or change to a poor receiving antenna as well as tuning off frequency effectively making your receiver hard of hearing so that only the direct path to the transmitter is loudest.

There is another popular type of antenna that you can build yourself called a TDOA which stands for Time Difference of Arrival. [Byon Garrabrant N6BG]  shared a short video tutorial on the functionality of his home built TDOA antenna. Effectively this is an active antenna that uses a 555 chip or, in [Byon’s] case, a PIC chip to quickly shift between two receiving dipole antennas at either end of a shortened yardstick. In his explanation you learn that as the antenna ends move closer or farther from the source a 640 Hz generated audio tone will go from loud to very soft as the antennas become equal distance from the source. This type of directional reception is not affected by signal strength. This means you can be very close to a powerful transmitter and it will still function as a good directional antenna.

The current circuit diagram, BOM and source code are all available on [Byon’s] TDOA page.

The reason [Byon] used a programmable PIC instead of the 555 for his design is because he wants to add a few more modifications such as feeding back the audio output to the PIC in order to programmatically turn on a left or right LED indicating the direction of the transmitter. Furthermore, he plans on adding a third antenna in a triangular configuration to programmatically control a circle of 6 LEDs indicating the exact direction of the signal. When he finishes the final modifications he can drive around with the antenna array on his vehicle and the circle of LEDs inside indicating the exact direction to navigate.

We look forward to seeing the rest of the development which might even become a kit someday. You can watch [Byon’s] TDOA video after the break.

[Read more...]

Remote Control Anything With A PS3 Controller

back

When looking for a remote control for your next project, you might want to look in your living room. Wii controllers are a hacker’s favorite, but wagging an electronic wand around isn’t the greatest for remote control planes, cars, tanks, and multicopters. What you need for this is dual analog controls, something every playstation since the 90s has included.

[Marcel] created a replacement electronics board for the Sony DualShock 3 controller for just this purpose. With this board, an XBee, and an old controller, it’s easy to add dual analog control and a whole lot of buttons to any project using an XBee receiver.

The replacement board is based on the ATMega328p uC, includes a Lipo charge circuit and power supply, and inputs for the analog sticks and all the button boards inside the DualShock controller.

Yes, we have seen an earlier version of [Marcel]‘s project before, but this time he’s added a few new features – the rumble now works and thanks to multiple people unable or unwilling to spin a few boards, [Marcel] has put up an Indiegogo campaign.

Video below.
[Read more...]

Using SDR to Read Your Smart Meter

meter_read_wide

[BeMasher] was dissatisfied with the cost of other solutions to read his smart meter, so he made a project to read it himself using an rtl-sdr dongle.

Using his hacking and reverse engineering skills along with a $20 RTL-SDR dongle, [BeMasher] wrote rtlamr to automatically detect and report the consumption information reported by smart meters within range. Though designed for his Itron C1SR, [BeMasher] claims that any electronic receiver transmitter (ERT) capable smart meter should work.

[BeMasher]‘s Itron C1SR smart meter broadcasts both interval data and standard consumption in the 915MHz ISM band using a Manchester encoded, frequency hopping spread spectrum protocol. [BeMasher] used the RTL-SDR dongle to do the signal capture and analysed the resulting signal in software afterwards. [BeMasher] did a great job of going through the theory and implementation of analysing the resulting data capture, so be sure to check it for an in-depth analysis.

If the RTL-SDR dongles are too limited for you taste, you might want to check out some hacker friendly SDRs with a little more punch.

Guest Post: Try Radar for Your Next Project

greg_sar_radar

(photo taken by Matt Metts)

Sensors. The low-end stuff that we can get our hands on usually suffers from poor range, lack of sensitivity, and no way to characterize what the target is. But today we can use the good stuff that, until recently, was only available to military: radar. In this post we will discuss how radar works, commercially available small radar devices, and where to learn more to help make it easy to add radar to your next project. Reach out and sense something!
[Read more...]