Hacking Radio Controlled Outlets

Decoding NRZ ASK

It’s no surprise that there are a lot of devices out there that use simple RF communication with minimal security. To explore this, [Gordon] took a look at attacking radio controlled outlets.

He started off with a CC1111 evaluation kit, which supports the RFCat RF attack tool set. RFCat lets you interact with the CC1111 using a Python interface. After flashing the CC1111 with the RFCat firmware, the device was ready to use. Next up, [Gordon] goes into detail about replaying amplitude shift keying messages using the RFCat. He used an Arduino and the rc-switch library to generate signals that are compatible with the outlets.

In order to work with the outlets, the signal had to be sniffed. This was done using RTL-SDR and a low-cost TV tuner dongle. By exporting the sniffed signal and analyzing it, the modulation could be determined. The final step was writing a Python script to replay the messages using the RFCat.
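As an added illustration of the analysis step, the following Python recovers the bit stream from an NRZ ASK (on/off keyed) amplitude envelope of the kind exported from an RTL-SDR capture. This is example code, not Gordon's; the sample rate, bit rate and the signal itself are assumed and constructed inline.

```python
"""Recover an NRZ ASK (on/off keyed) bit stream from an amplitude envelope.

Added example, not part of Gordon's write-up: the signal below is constructed
inline with an assumed sample rate and bit rate, standing in for an envelope
exported from an RTL-SDR capture."""

SAMPLE_RATE = 20_000        # samples per second (assumed)
BIT_RATE = 2_000            # symbols per second (assumed)
SAMPLES_PER_BIT = SAMPLE_RATE // BIT_RATE   # 10 samples per symbol

def ask_envelope(bits, high=0.8, low=0.05):
    """Constructed test signal: carrier amplitude high for a 1, low for a 0,
    with a little silence before and after the frame."""
    body = [high if b else low for b in bits for _ in range(SAMPLES_PER_BIT)]
    return [low] * 7 + body + [low] * 5

def estimate_samples_per_bit(on):
    """Symbol period estimated as the shortest run of equal samples between the
    first and last edge; leading/trailing silence is not a symbol and is ignored.
    If the frame has no isolated single bit the estimate is a multiple of the
    true period, so check it against the shortest pulse in the capture."""
    runs, run = [], 1
    for prev, cur in zip(on, on[1:]):
        if cur == prev:
            run += 1
        else:
            runs.append(run)
            run = 1
    runs.append(run)
    inner = runs[1:-1]
    return min(inner) if inner else len(on)

def decode_nrz_ask(samples, samples_per_bit=None):
    """Threshold at the midpoint of the envelope's range, align to the first
    rising edge, then sample each symbol at its centre (NRZ: one level per bit).
    Trailing silence longer than a symbol shows up as extra zeros."""
    if not samples:
        return []
    threshold = (max(samples) + min(samples)) / 2
    on = [s > threshold for s in samples]
    if True not in on:
        return []                     # no carrier at all
    if samples_per_bit is None:
        samples_per_bit = estimate_samples_per_bit(on)
    start = on.index(True)            # first rising edge = start of first 1
    centres = range(start + samples_per_bit // 2, len(on), samples_per_bit)
    return [1 if on[p] else 0 for p in centres]
```

Running the decoder over a capture of several button presses shows at once whether the outlet's code changes between presses; a fixed code is what makes the replay in the video possible.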

The hack is a good combination of software defined radio techniques, ending with a successful attack. Watch a video of the replay attack after the break.


Chipcon CC1110/CC1111 serial bootloader

[Joby Taffey] just rolled out a serial bootloader for the Chipcon CC1110/CC1111 processors. The project is called CCTL and aims to make prototyping with the Girltech IM-ME a bit less tedious. Up until now firmware for the device had to be pushed in with a GoodFET or a TI proprietary programmer, which was quite slow. This bootloader makes it possible to push your code via the chip’s serial port at 115200 baud. And the pretty pink pager isn’t the only device using these chips; to prove it, [Joby] sent this picture of all the electronics he has on hand running this architecture.

Once the 1KB CCTL bootloader has been flashed to the chip, a serial port or USB to Serial converter can be used as a programmer. [Joby] warns that the Chipcon processors are not 5V tolerant so you need to either use a 3V serial converter or add a level converter into the mix.

CCTL provides the features you’d expect from a bootloader. It uses the chip’s watchdog timer to guard against failure due to broken code, and there is an upgrade mode available at power up. Instructions for use are included in the GitHub repo linked at the top.