Using SDR to Take Control of Your Home Security System

[Dan Englender] was working on implementing a home automation and security system, and while his house was teeming with sensors, they used a proprietary protocol which was not supported by the open source system he was trying to implement. The problem with home automation and security systems is the lack of standardization – or rather, the large number of (often incompatible) standards used to ensure consumers get tied in to one specific system. He has shared the result of his efforts at getting the two to talk to each other via his project decode345.

The result enabled him to receive signals from Honeywell’s 5800 series of wireless products and interface them with OpenHAB — a vendor and technology agnostic open source automation software. OpenHAB offers “bindings” that allow a wide variety of systems and hardware to be integrated. Unfortunately for [Dan], this exhaustive list does not yet include support for the (not very popular) 345MHz protocol used by the Honeywell 5800 system, hence his project.

GSM Sniffing on a Budget with Multi-RTL

If you want to eavesdrop on GSM phone conversations or data, it pays to have deep pockets, because you’re going to need to listen to a wide frequency range. Or, you can just use two cheap RTL-SDR units and some clever syncing software. [Piotr Krysik] presented his work on budget GSM hacking at Camp++ in August 2016, and the video of the presentation just came online now (embedded below). The punchline is a method of listening to both the uplink and downlink channels for a pittance.

[Piotr] knows his GSM phone tech, studying it by day and hacking on a GnuRadio GSM decoder by night. His presentation bears this out, and is a great overview of GSM hacking from 2007 to the present. The impetus for Multi-RTL comes out of this work as well. Although it was possible to hack into a cheap phone or use a single RTL-SDR to receive GSM signals, eavesdropping on both the uplink and downlink channels was still out of reach, because it required more bandwidth than the cheap RTL-SDR had. More like the bandwidth of two cheap RTL-SDR modules.

Getting two RTL-SDR modules to operate in phase is as easy as desoldering a crystal from one and slaving it to the other. Aligning the two absolutely in time required a very sweet hack. It turns out that the absolute timing is retained after a frequency switch, so both RTL-SDRs switch to the same channel, lock together on a single signal, and then switch back off, one to the uplink frequency and the other to the downlink. Multi-RTL is a GnuRadio source that takes care of this for you. Bam! Hundreds or thousands of dollars’ worth of gear replaced by commodity hardware you can buy anywhere for less than a fancy dinner. That’s a great hack, and a great presentation.

An Amateur Radio Repeater Using An RTL-SDR And A Raspberry Pi

An amateur radio repeater used to be a complex assemblage of equipment that would easily fill a 19″ rack. There would be a receiver and a separate transmitter, usually repurposed from commercial units, a home-made logic unit with a microprocessor to keep an eye on everything, and a hefty set of filters to stop the transmitter output swamping the receiver. Then there would have been an array of power supply units to provide continued working during power outages, probably with an associated bank of lead-acid cells.

More recent repeaters have been commercial repeater units. The big radio manufacturers have spotted a market in amateur radio, and particularly as they have each pursued their own digital standards there has been something of an effort to provide repeater equipment to drive sales of digital transceivers.

But what if you fancy setting up a simple repeater and you have neither a shed full of old radios nor a hotline to the sales department of a large Japanese manufacturer? If you are [Anton Janovsky, ZR6AIC], you make your own low-powered repeater using an RTL-SDR, a low-pass filter, and a Raspberry Pi.

[Anton]’s repeater is a clever chain of pipes: rtl_sdr doing the receiving, csdr demodulating, and [F5OEO]’s rpitx doing the transmitting. As far as we can see it doesn’t have a toneburst detector or CTCSS to control its transmission, so it is on air full-time. We suspect that may be a feature that will be implemented in due course.

With only a 10 mW output this repeater is more of a toy than a useful device, and we’d suggest any licensed amateur wanting to have a go should read the small print in their licence schedule before doing so. But it’s a neat usage of a Pi and an RTL stick, and with luck it’ll inspire others in the same vein.

We’ve touched on the Pi as a transmitter before, from a straightforward broadcast FM unit to crossing continents with WSPR, and even transmitting digital TV in another [F5OEO] hack.

The Tiny Radio Telescope

Radio telescopes are one of the more high-profile pieces of scientific apparatus. There is an excitement to stories of radio astronomers of old probing the mysteries of the Universe on winter nights in frigid cabins atop massive parabolas, even if nowadays their somewhat more fortunate successors do the same work from the comfort of their labs using telescopes that may be on the other side of the world.

You might think if you look at the Arecibo Observatory, Lovell Telescope, or other famous pieces of apparatus, that this is Big Science, out of reach for mere mortals such as yourself without billion-dollar research programs. Maybe [Paul Scott] and [Allen Versfeld]’s Tiny Radio Telescope project will change that view.

The NRAO published a radio telescope design a few years ago for use mainly as an educational tool, the Itty Bitty Telescope. It used a satellite TV dish and LNB feeding a signal meter as a simple telescope to detect the Sun, and black body radiation from the surrounding objects. It’s a simple design for kids to get their heads around, and [Scott] and [Allen] have set out to turn it into something more useful with an RTL-SDR instead of a signal meter and a motorised mount for automated observations.

This is one of those projects on Hackaday.io that move slowly but you know will eventually deliver on their promise. With a 1m dish and a consumer LNB it’s never going to make a discovery that will rock the world, but that’s not the point. It may be science that the astrophysicists moved on from decades ago, but it’s still quite an achievement that the radio sky can be imaged using such mundane equipment.

We’ve featured backyard radio astronomy before a few times, from this UHF school science project to another satellite TV based telescope. Keep them coming!

A thank you to Southgate ARC for the prod.

Emulating A Remote Control Ceiling Fan Transmitter In An FPGA

[Joel] has a remote control ceiling fan. It’s nothing special: the controller has a low-power 350MHz transmitter and a Holtek encoder to send commands by keying the transmitter’s output. Desiring something a little better, he set about reverse engineering the device’s protocol and implementing it on a Lattice iCE40 FPGA.

To decode the device’s packets he reached for his RTL-SDR receiver and took a look at it in software. GQRX confirmed the presence of the carrier and allowed him to record a raw I/Q file, which he could then supply to Inspectrum to analyse the packet structure. He found it to be a simple on-off keying scheme, with bits expressed through differing pulse widths. He was then able to create a Gnu Radio project to read and decode them in real time.
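The pulse-width decoding described above, as an added example that is not [Joel]’s code: a small Python decoder that takes a demodulated envelope (one magnitude per sample, as you would get from the I/Q recording), finds the “on” pulses, splits repeated packets at long gaps, and maps short and long pulses to bits. The pulse widths, the 0/1 mapping, the gap length and the stimulus built by `encode()` are constructed assumptions, not values measured from the fan remote.

```python
# Added example (not from the original article): decode on-off-keyed packets
# whose bits are carried by pulse width. Input is the demodulated envelope,
# one value per sample; every width below is a sample count and is assumed.

SHORT = 20   # samples: a short pulse encodes a 0 (assumed)
LONG = 60    # samples: a long pulse encodes a 1 (assumed)
SPACE = 20   # samples of silence between pulses inside a packet (assumed)
GAP = 300    # samples of silence between repeated packets (assumed)


def find_pulses(envelope, threshold=0.5):
    """Return (start_index, width) for every run of samples at or above threshold."""
    pulses = []
    start = None
    for i, v in enumerate(envelope):
        if v >= threshold and start is None:
            start = i
        elif v < threshold and start is not None:
            pulses.append((start, i - start))
            start = None
    if start is not None:                        # pulse still high at end of capture
        pulses.append((start, len(envelope) - start))
    return pulses


def split_packets(pulses, gap=GAP):
    """Group pulses into packets; silence longer than gap between two pulses ends one."""
    packets, current = [], []
    for i, (start, width) in enumerate(pulses):
        current.append((start, width))
        if i + 1 < len(pulses):
            next_start = pulses[i + 1][0]
            if next_start - (start + width) > gap:
                packets.append(current)
                current = []
    if current:
        packets.append(current)
    return packets


def pulses_to_bits(pulses, short=SHORT, long=LONG, tolerance=0.3):
    """Map each pulse width to a bit; a width matching neither symbol is an error,
    not silently rounded, so a corrupted capture is rejected rather than misdecoded."""
    bits = []
    for start, width in pulses:
        if abs(width - short) <= tolerance * short:
            bits.append("0")
        elif abs(width - long) <= tolerance * long:
            bits.append("1")
        else:
            raise ValueError(f"pulse of {width} samples at {start} matches neither symbol")
    return "".join(bits)


def decode(envelope, gap=GAP):
    """Full pipeline: envelope -> pulses -> packets -> one bit string per packet."""
    return [pulses_to_bits(p) for p in split_packets(find_pulses(envelope), gap)]


def encode(bits, repeats=2):
    """Constructed test stimulus: an envelope carrying `bits`, repeated like a remote does."""
    env = []
    for _ in range(repeats):
        for b in bits:
            env += [1.0] * (LONG if b == "1" else SHORT) + [0.0] * SPACE
        env += [0.0] * GAP
    return env


if __name__ == "__main__":
    print(decode(encode("1011000110")))   # two copies of the same packet
```

Real captures have ringing and noise on the envelope, so the threshold should sit between the observed high and low levels rather than at a fixed 0.5, and widths should be measured from a few clean packets before `SHORT` and `LONG` are pinned down; the strict tolerance check then tells you when a recording does not fit the model instead of producing plausible-looking garbage.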

Emulating the transmitter was then a fairly straightforward process of generating a 350MHz clock using the on-board PLL and gating it with his generated data stream to provide modulation. The result was able to control his fan with a short wire antenna; indeed he was worried that it might also be doing so for other similar fans in his apartment complex. You can take a look at his source code on GitHub if you would like to try something similar.

It’s worth pointing out that a transmitter like this will radiate a significant amount of harmonics at multiples of its base frequency, and thus without a filter on its output is likely to cause interference. It will also be breaking all the rules set out by whoever the spectrum regulator is where you live, despite its low power. However, it’s an interesting project to read, with its reverse engineering and slightly novel use of an FPGA.

Wireless remote hacking seems to be a favorite pastime here in the Hackaday community. We’ve had 2.4GHz hacks and plenty of wireless mains outlet hacks.

The Terrible Devices Of The Internet Of Wrongs

Last week was Bsides London, and [Steve Lord] was able to give a talk about the devices that could pass for either a terrible, poorly planned, ill-conceived Internet of Things Kickstarter, or something straight out of the NSA toolkit. [Steve] built the Internet of Wrongs, devices that shouldn’t exist, but thanks to all this electronic stuff, do.


Identify Your Devices by Their Unintentional Radiation

RFID was supposed to revolutionize asset tracking, replacing the barcode everywhere. Or at least that was the prediction once tags got under five cents apiece. They still cost seven to fifteen cents, even in bulk, and the barcode is still sitting pretty. [Chouchang (Jack) Yang] and [Alanson Sample] of Disney Research hope to change that.

Instead of tagging every electronic device, they use whatever electromagnetic emissions the device currently produces when it’s powered up. What’s surprising is not that they can tell an iPhone from a toy lightsaber, but that they can tell the toy lightsabers apart. But apparently there’s enough manufacturing and tolerance differences from piece to piece that they appear unique most of the time.

The paper (PDF) goes through the details and procedure. The coolest bit? The sensor they use is an RTL-SDR unit with the radio-mixer front end removed and replaced with a simple transformer. This lets them feed baseband (tuning from 0 to 28.8 MHz) straight into the ADC and on to the computer which does the heavy math. Sawing off the frontend of a TV tuner is a hack, for those of you out there with empty bingo cards.

If you like statistics, you’ll want to read the paper for details about exactly how they do the classification of objects, but the overview is that they first figure out what type of device they’re “hearing” and then focus on which particular one it is. The measure that they use ends up being essentially a normalized correlation.

While we’re not sure how well this will scale to thousands of devices, they get remarkably good results (around 95%) for picking one device out of five. The method won’t be robust to overclocking or underclocking of the device’s CPU, so we’re concerned about temperature and battery-voltage effects. But it’s a novel idea, and one that’s ripe for the hacker-rebuild. And for the price of an RTL-SDR, and with no additional per-tag outlay as with an RFID system, it’s pretty neat.
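A worked illustration of the two-stage normalized-correlation classifier sketched above, written for this page rather than taken from the Disney Research paper: each fingerprint is a constructed spectrum (peak bins fixed per device type, peak amplitudes varying per unit, standing in for the unit-to-unit manufacturing differences), a sample is matched first to the closest device type and then to the closest unit of that type, and a best score below a threshold is reported as unknown rather than forced onto the nearest entry. The bin positions, amplitudes, receiver gain and offset, and the rejection threshold are all assumptions.

```python
import math

# Added example (not from the paper): two-stage device identification by
# normalized correlation of emission spectra. All fingerprints are constructed.
BINS = 64
TYPE_PEAKS = {"phone": (5, 20, 40), "lightsaber": (10, 30, 50)}   # assumed bins per type
UNIT_AMPS = {                                                       # assumed amplitudes per unit
    "phone": {"P1": (1.0, 0.6, 0.3), "P2": (0.5, 1.0, 0.4), "P3": (0.7, 0.7, 1.0)},
    "lightsaber": {"L1": (1.0, 0.3, 0.6), "L2": (0.4, 1.0, 0.5)},
}


def fingerprint(dtype, amps, floor=0.05):
    """Constructed spectrum: a flat noise floor plus this type's peaks at this unit's levels."""
    spec = [floor] * BINS
    for b, a in zip(TYPE_PEAKS[dtype], amps):
        spec[b] = a
    return spec


LIBRARY = {t: {u: fingerprint(t, a) for u, a in units.items()}
           for t, units in UNIT_AMPS.items()}


def observe(dtype, unit, gain=2.0, offset=0.1):
    """Constructed observation of a known unit, rescaled, offset and lightly
    perturbed, so the classifier must ignore receiver gain and DC offset."""
    base = LIBRARY[dtype][unit]
    return [gain * v + offset + 0.01 * ((i * 7) % 5 - 2) for i, v in enumerate(base)]


def normalized_correlation(a, b):
    """Pearson correlation of two equal-length spectra: 1.0 means identical shape
    regardless of gain or offset; 0.0 when either input is flat (no information)."""
    n = len(a)
    ma, mb = sum(a) / n, sum(b) / n
    num = sum((x - ma) * (y - mb) for x, y in zip(a, b))
    da = math.sqrt(sum((x - ma) ** 2 for x in a))
    db = math.sqrt(sum((y - mb) ** 2 for y in b))
    if da == 0.0 or db == 0.0:
        return 0.0
    return num / (da * db)


def mean_fingerprint(units):
    """Per-type template: bin-wise mean of that type's unit fingerprints."""
    fps = list(units.values())
    return [sum(col) / len(fps) for col in zip(*fps)]


def classify(sample, library=LIBRARY, reject_below=0.9):
    """Stage 1: the device type whose mean fingerprint correlates best.
    Stage 2: the unit of that type that correlates best.
    Returns (type, unit, score), or ('unknown', None, score) under the threshold."""
    type_scores = {t: normalized_correlation(sample, mean_fingerprint(u))
                   for t, u in library.items()}
    best_type = max(type_scores, key=type_scores.get)
    unit_scores = {u: normalized_correlation(sample, fp)
                   for u, fp in library[best_type].items()}
    best_unit = max(unit_scores, key=unit_scores.get)
    score = unit_scores[best_unit]
    if score < reject_below:
        return ("unknown", None, score)
    return (best_type, best_unit, score)


if __name__ == "__main__":
    for t, units in UNIT_AMPS.items():
        for u in units:
            print(t, u, "->", classify(observe(t, u)))
    print("flat input ->", classify([0.05] * BINS))
```

The rejection threshold is the part a deployment would have to tune: with only a handful of units per type, as here, the wrong units of the same type still score well above zero, and the robustness concerns above (clock drift, temperature, battery voltage) show up as the correct unit’s score sliding down toward those impostor scores rather than as an outright misclassification.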

Thanks [Static] for the tip! Via Engadget.