SDR Sniffing Electric Gates

Most wireless OEM hardware traditionally uses 433 MHz OOK modules to exchange information. The encoding, and any encryption, of that data stream is left to the embedded software designer. In many cases the system can be defeated with a replay attack: an RF packet carrying a fixed code is recorded and retransmitted to impersonate a valid user (rolling-code systems exist precisely to resist this, which is why a static code matters). [Gilad Fride] hacked his parking gate using this technique but decided to go the extra mile of connecting it to the internet.

He used an RTL-SDR dongle and ook-decoder by [jimstudt] to sniff out the gate code, then verified the recovered code by retransmitting it from an Arduino. The final implementation was done around an Onion Omega, which drives the RF transmitter module directly using the fast-gpio binary. Internet connectivity comes from the Onion Cloud API, which triggers the code that sends the gate-opening signal.

[Gilad Fride] uses the IFTTT Do button to provide a GUI and he demonstrates this in action using an iPhone in the video below. The project can be extended to open garage doors or turn off the lights of your room over the internet.
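What the sniff-and-replay step actually involves for a fixed-code 433 MHz remote, as an added example written for this page (it is not [jimstudt]'s ook-decoder or [Gilad Fride]'s code): run-length encode the on/off envelope from the SDR, classify each high pulse and low gap as short or long, split frames on the sync gap, and turn the recovered bits back into the on/off timing list a GPIO-driven transmitter would toggle. The pulse-width scheme (short/long = 1:3, 31-unit sync gap, PT2262/EV1527 style) and the sample durations are assumptions for the example, not the gate's actual parameters; the captures are constructed inline.

```python
"""Fixed-code OOK remote: decode a captured on/off envelope into bits, and turn
bits back into the GPIO timing list a replay transmitter would drive.

Common 433 MHz keyfob encoders (PT2262/EV1527 family) send each bit as a high
pulse followed by a low gap: short-high/long-low for 0, long-high/short-low
for 1, with a frame terminated by a short pulse and a long sync gap. The
unit durations below are assumptions for this example, not the gate's values.
"""
from itertools import groupby

SHORT = 4              # envelope samples per short pulse (assumed)
LONG = 3 * SHORT       # long pulse: 3 units
SYNC_GAP = 31 * SHORT  # sync gap: 31 units


def encode_ook(bits):
    """Constructed transmitter: envelope samples (1 = carrier on) for one frame."""
    env = []
    for b in bits:
        high, low = (LONG, SHORT) if b else (SHORT, LONG)
        env += [1] * high + [0] * low
    return env + [1] * SHORT + [0] * SYNC_GAP


def pulses(env):
    """Run-length encode the envelope into (level, width) pairs."""
    return [(level, sum(1 for _ in run)) for level, run in groupby(env)]


def classify(width, tolerance=0.35):
    """Map a pulse width to 'short', 'long' or None (glitch/noise)."""
    if abs(width - SHORT) <= tolerance * SHORT:
        return "short"
    if abs(width - LONG) <= tolerance * LONG:
        return "long"
    return None


def decode_ook(env, tolerance=0.35):
    """Return every complete frame in the capture as a bit string."""
    runs = pulses(env)
    frames, bits, i = [], [], 0
    while i + 1 < len(runs):
        (high_level, high_w), (_, low_w) = runs[i], runs[i + 1]
        if high_level != 1:          # idle/noise: resync on the next high pulse
            i += 1
            continue
        if low_w >= 0.7 * SYNC_GAP:  # sync gap closes the frame
            if bits:
                frames.append("".join(bits))
            bits = []
        else:
            pair = (classify(high_w, tolerance), classify(low_w, tolerance))
            if pair == ("short", "long"):
                bits.append("0")
            elif pair == ("long", "short"):
                bits.append("1")
            else:
                bits = []            # glitch: discard the partial frame
        i += 2
    return frames


def replay_timings(bits, unit_us=350):
    """(on_us, off_us) pairs a GPIO transmitter toggles to replay `bits` once."""
    short_us, long_us, sync_us = unit_us, 3 * unit_us, 31 * unit_us
    timings = [(long_us, short_us) if b == "1" else (short_us, long_us) for b in bits]
    return timings + [(short_us, sync_us)]


if __name__ == "__main__":
    # Constructed capture: idle samples, then the same 8-bit code sent twice
    capture = [0] * 7 + encode_ook([1, 0, 1, 1, 0, 0, 1, 0]) * 2
    for frame in decode_ook(capture):
        print(frame, replay_timings(frame)[:3], "...")
```

The decoder tolerates idle time before the first frame and drops a frame on any pulse it cannot classify, which is what you want when a neighbour's remote shares the band. The replay side works only because every press sends the same bits; against a rolling-code remote the same capture is useless after the legitimate owner's next press.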

If you are looking to hack your home security system, look no further, as SDRs have been used to communicate with wireless products effectively in the past. We are hoping manufacturers take a hint and move from fixed codes to rolling codes or properly authenticated, replay-resistant protocols.  Continue reading “SDR Sniffing Electric Gates”

Measuring Gait Speed Passively to Diagnose Diseases

You may not realize it, but how fast a person walks is an important indicator of overall health. We all instinctively know that we lag noticeably when a cold or the flu hits, but monitoring gait speed can help diagnose a plethora of chronic diseases and conditions. Wearables like Fitbit would be one way to monitor gait speed, but the Computer Science and Artificial Intelligence Lab at MIT thinks there’s a better way:  a wireless appliance that measures gait speed passively.

CSAIL’s sensor, dubbed WiTrack (PDF), is a wall-mounted plaque that could be easily concealed as a picture or mirror. It sends out low-power RF signals between about 5 and 7 GHz to perform 3D motion tracking in real time. The WiTrack sensor has a resolution of about 8 cm at those frequencies. With their WiGait algorithms (PDF), the CSAIL team led by [Chen-Yu Hsu] is able to measure not only overall walking speed but also stride length. That turns out to be critical to predicting the onset of diseases such as Parkinson’s, which has a very characteristic shuffling gait in its early phase. Mobility impairments from other diseases, like ALS and multiple sclerosis, could also be identified.

WiTrack builds on [Hsu]’s previous work with through-wall RF tracking. It’s nice to see a novel technique coming closer to a useful product, and we’ll be watching to see where this one goes.

Continue reading “Measuring Gait Speed Passively to Diagnose Diseases”

4.4 GHz Frequency Synthesis Made Easy

How hard is it to create a synthesizer to generate frequencies between 35 MHz and 4.4 GHz? [OpenTechLab] noticed a rash of boards based on the ADF4351 that could do just that, priced at under $30. He decided to get one and try it out, and you can find his video results below.

At that price point, he didn’t expect much from it, but he did want to experiment with it to see if he could use it as an inexpensive piece of test gear. The video is quite comprehensive (and weighs in at nearly an hour and a half). It covers not just the device from a software and output perspective but also talks about the theory behind these devices.  [OpenTechLab] even sniffed the USB connection to find the protocol used to talk to the device. He wasn’t overly impressed with the performance of the board but was happy enough with the results at the price and he plans to make some projects with it.

Continue reading “4.4 GHz Frequency Synthesis Made Easy”

An Overview Of The Dreaded EMC Tests

There is one man whose hour-long sessions in my company give me days of stress and worry. He can be found in a soundless and windowless room deep in the bowels of an anonymous building in a town on the outskirts of London. You’ve probably driven past it or others like it worldwide, without being aware of the sinister instruments that lie within.

The man in question is sometimes there to please the demands of the State, but there’s nothing too scary about him. Instead he’s an engineer and expert in electromagnetic compatibility, and the windowless room is a metal-walled and RF-proof EMC lab lined with ferrite tiles and conductive foam spikes. I’m there with the friend on whose work I lend a hand from time to time, and we’re about to discover whether all our efforts have been in vain as the piece of equipment over which we’ve toiled faces a battery of RF-related tests. As before, when I’ve described working on products of this nature, the specifics are subject to NDAs, and in this case there is a strict no-cameras policy at the EMC lab, so yet again my apologies: any pictures and specifics will be generic.

There are two broadly different sets of tests which our equipment will face: RF radiation, and RF injection. In simple terms: what RF does it emit, and what happens when you push RF into it through its connectors and cables? We’ll look at each in turn as a broad overview pitched at those who’ve never seen inside an EMC lab. Sadly there simply isn’t enough space in a Hackaday article to cover every nuance.

Continue reading “An Overview Of The Dreaded EMC Tests”

LTSpice for Radio Amateurs (and Others)

We don’t think [VK4FFAB] did himself a favor by calling his seven-part LTSpice tutorial LTSpice for Radio Amateurs. Sure, the posts do focus on radio frequency analysis, but these days lots of people are involved in radio work that aren’t necessarily hams.

Either way, if you are interested in simulating RF amplifiers and filters, you ought to check these posts out. Of course, the first few cover simple things like voltage dividers just to get your feet wet. The final part even covers a double-balanced mixer with some transformers, so there’s quite a range of material.

Continue reading “LTSpice for Radio Amateurs (and Others)”

No-Etch: The Proof in the Bluetooth Pudding

In a previous episode of Hackaday, [Rich Olson] came up with a new no-etch circuit board fabrication method. And now, he’s put it to the test: building an nRF52 Bluetooth reference design, complete with video, embedded below.

The quick overview of [Rich]’s method: print out the circuit with a laser printer, bake a silver-containing glue onto the surface, repeat a few times to get thick traces, glue the paper to a substrate, and use low-temperature solder to put parts together. A potential drawback is the non-negligible resistance of the traces, but a lot of the time that doesn’t matter, and the nRF52 reference design proves it.

The one problem here may be the trace antenna. [Rich] reports that it sends out a weaker-than-expected signal. Any RF design folks want to speculate wildly about the cause?

Continue reading “No-Etch: The Proof in the Bluetooth Pudding”

Shmoocon 2017: So You Want To Hack RF

Far too much stuff is wireless these days. Home security systems have dozens of radios for door and window sensors, thermostats aren’t just a wire to the furnace anymore, and we are annoyed when we can’t start our cars from across a parking lot. This is a golden era for anyone who wants to hack RF. This year at Shmoocon, [Marc Newlin] and [Matt Knight] of Bastille Networks gave an overview of how to get into hacking RF. These are guys who know a few things about hacking RF; [Marc] is responsible for MouseJack and KeySniffer, and [Matt] reverse engineered the LoRa PHY.

In their talk, [Marc] and [Matt] outlined five steps to reverse engineering any RF signal. First, characterize the channel. Second, determine the modulation. Third, determine the symbol rate. Fourth, synchronize a receiver against the data. Finally, extract the symbols, or get the ones and zeros out of the analog soup.

From [Marc] and [Matt]’s experience, most of this process doesn’t require a radio, software or otherwise. Open source intelligence or information from regulatory databases can be a treasure trove of information regarding the operating frequency of the device, the modulation, and even the bit rate. The pertinent example from the talk was the FCC ID for a Z-wave module. A simple search revealed the frequency of the device. Since the stated symbol rate was twice the stated data rate, Manchester encoding (two symbols per bit, with a transition in the middle of every bit) was the obvious candidate. These sorts of insights become obvious once you know what you’re looking for.

In their demo, [Marc] and [Matt] went through the entire process of firing up GNU Radio, running a Z-wave decoder and receiving Z-wave frames. All of this was done with a minimum of hardware and required zero understanding of what radio actually is, imaginary numbers, or anything else a ham license will hopefully teach you. It’s a great introduction to RF hacking, and shows anyone how to do it.
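The last two steps of that recipe, synchronizing on symbol boundaries and then extracting bits, for a Manchester-coded stream like the Z-wave example, as an added example written for this page (it is not code from the talk or from the GNU Radio Z-wave decoder). Manchester gives you a free alignment check: a pair of equal symbols (00 or 11) is illegal, so the receiver tries both symbol offsets and keeps the one with fewer illegal pairs, then hunts for the frame sync word. The preamble, sync word and payload are constructed for the example, and both the IEEE 802.3 and G.E. Thomas conventions are covered because which one a given radio uses is something you have to find out.

```python
"""Synchronize and extract bits from a Manchester-coded symbol stream.

Manchester sends every bit as a transition, so the symbol rate is exactly
twice the bit rate (the ratio that gave the Z-wave module away). Each bit
maps to two symbols; the 00 and 11 pairs never occur in a correctly aligned
stream, which lets the receiver detect when it is half a bit out of phase.
"""

IEEE = {1: (0, 1), 0: (1, 0)}    # IEEE 802.3 convention: 1 = rising edge
THOMAS = {1: (1, 0), 0: (0, 1)}  # G.E. Thomas convention: the inverse


def manchester_encode(bits, table=IEEE):
    """Constructed transmitter side: one bit -> two symbols."""
    return [s for b in bits for s in table[b]]


def manchester_decode(symbols, table=IEEE):
    """Pair up symbols -> bits. Returns (bits, illegal_pairs)."""
    inverse = {pair: bit for bit, pair in table.items()}
    bits, illegal = [], 0
    for i in range(0, len(symbols) - 1, 2):
        pair = (symbols[i], symbols[i + 1])
        if pair in inverse:
            bits.append(inverse[pair])
        else:
            illegal += 1             # 00 or 11: no mid-bit transition
    return bits, illegal


def synchronize(symbols, table=IEEE):
    """Pick the symbol alignment (offset 0 or 1) with fewer illegal pairs."""
    candidates = []
    for offset in (0, 1):
        bits, illegal = manchester_decode(symbols[offset:], table)
        candidates.append((illegal, offset, bits))
    _, offset, bits = min(candidates)  # ties broken toward offset 0
    return offset, bits


def find_sync(bits, sync):
    """Index just past the first occurrence of `sync` in `bits`, or -1."""
    n = len(sync)
    for i in range(len(bits) - n + 1):
        if bits[i:i + n] == sync:
            return i + n
    return -1


def recover_payload(symbols, sync, table=IEEE):
    """Full receive chain: align, decode, locate the sync word, return what follows."""
    _, bits = synchronize(symbols, table)
    start = find_sync(bits, sync)
    return None if start < 0 else bits[start:]


# Constructed sample frame: alternating preamble, 8-bit sync word, 8-bit payload.
PREAMBLE = [1, 0] * 4
SYNC = [1, 1, 1, 1, 0, 0, 0, 0]
PAYLOAD = [1, 1, 0, 1, 0, 0, 1, 0]
# One stray leading symbol models a receiver that started mid-bit.
CAPTURE = [1] + manchester_encode(PREAMBLE + SYNC + PAYLOAD)

if __name__ == "__main__":
    offset, _ = synchronize(CAPTURE)
    print("alignment offset:", offset, "payload:", recover_payload(CAPTURE, SYNC))
```

The illegal-pair count is a weak discriminator on a pure alternating preamble (1010... encodes to a stream that also looks valid when shifted by one symbol), which is exactly why real protocols follow the preamble with a sync word that does not look like the preamble; the decoder above only commits to a frame once it has found that word.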