Reverse Engineering An Obsolete Security System

[Veghead] recently went to a surplus warehouse filled with VHS editing studios, IBM keyboards, electronic paraphernalia from 40 years ago, and a lot of useless crap. His haul included a wooden keypad from an old alarm system that exuded 1980s futurism, and he figured it would be cool to hook this up to an alarm system from 2015. How did he do that? With software defined radio.

After pulling apart the alarm panel, [Veghead] found only a single-sided board with a 9V battery connector. There were no screw terminals for an alarm loop, meaning this entire system was wireless – an impressive achievement for mid-80s hardware. A quick search of the FCC website showed this alarm panel was registered on two bands, 319 MHz and 340 MHz, well within the range of an RTL-SDR USB TV tuner dongle.

After capturing some of the raw data and playing it back in Audacity, [Veghead] found a simple OOK protocol that sends two identical binary patterns for each key. A simple program takes the raw bit patterns for each key press and codes them into a map for each of the twelve buttons.

Although the radio still works, [Veghead] found the waveforms captured by his RTL-SDR were an abomination to RF. All the components in this security system are more than 30 years old at this point, and surely some of the components must be out of spec by now. Still, [Veghead] was able to get the thing working again, a testament to the usefulness of a $20 USB TV tuner.

Thanks [Jose] for sending this one in.

Decoding Satellite-based Text Messages with RTL-SDR and Hacked GPS Antenna

[Carl] just found yet another use for the RTL-SDR. He’s been decoding Inmarsat STD-C EGC messages with it. Inmarsat is a British satellite telecommunications company. They provide communications all over the world to places that do not have a reliable terrestrial communications network. STD-C is a text message communications channel used mostly by maritime operators. This channel contains Enhanced Group Call (EGC) messages which include information such as search and rescue, coast guard, weather, and more.

Not much equipment is required for this, just the RTL-SDR dongle, an antenna, a computer, and the cables to hook them all up together. Once all of the gear was collected, [Carl] used an Android app called Satellite AR to locate his nearest Inmarsat satellite. Since these satellites are geostationary, he won’t have to move his antenna once it’s pointed in the right direction.

Hacked GPS antenna

As far as antennas go, [Carl] recommends a dish or helix antenna. If you don’t want to fork over the money for something that fancy, he also explains how you can modify a $10 GPS antenna to work for this purpose. He admits that it’s not the best antenna for this, but it will get the job done. A typical GPS antenna will be tuned for 1575 MHz and will contain a band pass filter that prevents the antenna from picking up signals 1-2 MHz away from that frequency.

To remove the filter, the plastic case must first be removed. Then a metal reflector needs to be removed from the bottom of the antenna using a soldering iron. The actual antenna circuit is hiding under the reflector. The filter is typically the largest component on the board. After desoldering, the IN and OUT pads are bridged together. The whole thing can then be put back together for use with this project.

Once everything was hooked up and the antenna was pointed in the right place, the audio output from the dongle was piped into the SDR# tuner software. After tuning to the correct frequency and setting all of the audio parameters, the audio was then decoded with another program called tdma-demo.exe. If everything is tuned just right, the software will be able to decode the audio signal and it will start to display messages. [Carl] posted some interesting examples including a couple of pirate warnings.

If you can’t get enough RTL-SDR hacks, be sure to check out some of the others we’ve featured in the past. And don’t forget to send in links to your own hacking!

Hackaday Links: Summer, 2015

[Elia] was experimenting with LNAs and RTL-SDR dongles. If you’re receiving very weak signals with one of these software defined radio dongles, you generally need an LNA to boost the signal. You can power an LNA through one of these dongles. You’ll need to remove a few diodes, and that means no ESD protection, and you might push the current consumption above the 500 mA a USB port provides. It does, however, work.

We’ve seen people open up ICs with nitric acid, and look inside them with x-rays. How about a simpler approach? [steelcityelectronics] opened up a big power transistor with nothing but a file. The die is actually very small – just 1.8×1.8 mm, and the emitter bond wire doesn’t even look like it’ll handle 10A.

Gigantic Connect Four. That’s what the Lansing Makers Network built for an Ann Arbor Maker Faire this year. It’s your standard Connect Four game, scaled up to eight feet tall and eight feet wide. The disks are foam insulation with magnets; an extension rod (with a magnet at the end) allows anyone to push the disks down the slots.

[Richard Sloan] of fame has a buddy running a Kickstarter right now. It’s a lanyard with a phone charger cable inside.

Facebook is well-known for the scientific literacy of its members. Here’s a perpetual motion machine. Comment gold here, people.

Here’s some Hackaday Prize business: We’re giving away stuff to people who use Atmel, Freescale, Microchip, and TI parts in their projects. This means we need to know you’re using these parts in your projects. Here’s how you let us know. Also, participate in the community voting rounds. Here are the video instructions on how to do that.

Measuring Filters and VSWR With RTL-SDR

Once again the ubiquitous USB TV tuner dongle has proved itself more than capable of doing far more than just receiving broadcast TV. Over on the RTL-SDR blog, there’s a tutorial covering the measurement of filter characteristics using a cheap eBay noise source and an RTL-SDR dongle.

For this tutorial, the key piece of equipment is a BG7TBL noise source, acquired from the usual online retailers. With a few connectors, a filter can be plugged in between this noise source and the RTL-SDR dongle. With the hardware out of the way, the only thing remaining is the software. That’s just rtl_power and this wonderful GUI. The tutorial uses a cheap FM filter, and the resulting plot shows a clear dip between 50 and 150 MHz. Of course this isn’t very accurate on its own; there’s no comparison to the noise source and dongle without any attenuation. That’s just a simple matter of saving some scans as .csv files and plugging the numbers into Excel.

The same hardware can be used to determine the VSWR of an antenna by replacing the filter with a directional coupler: put the coupler between the noise source and the dongle and measure the attenuation across the range of the dongle. Repeat with the antenna connected, and jump back into Excel.
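The baseline subtraction and VSWR arithmetic described in the two paragraphs above, as an added Python example (not the RTL-SDR blog’s own code); the rtl_power CSV rows and dB values are constructed, and the -3 dB stop-band threshold is an assumption.

```python
"""Turn rtl_power scans into filter loss and antenna VSWR.

Added example, not code from the RTL-SDR blog tutorial. Assumes rtl_power's CSV
layout (date, time, low Hz, high Hz, step Hz, samples, then one dB per bin) and,
for VSWR, that the reference scan was taken with the coupler's antenna port open.
"""
import csv
import io

def parse_rtl_power(text: str) -> dict[int, float]:
    """Return {bin centre in Hz: dB}, averaging bins that recur across sweeps."""
    acc: dict[int, list[float]] = {}
    for row in csv.reader(io.StringIO(text)):
        if len(row) < 7:
            continue                      # blank or malformed line
        low, step = float(row[2]), float(row[4])
        for i, val in enumerate(row[6:]):
            centre = int(low + step * i + step / 2)
            acc.setdefault(centre, []).append(float(val))
    return {f: sum(v) / len(v) for f, v in acc.items()}

def relative_to_baseline(baseline: dict[int, float], scan: dict[int, float]) -> dict[int, float]:
    """dB relative to the noise source seen directly; negative values are loss. With the
    open-port coupler scan as BASELINE and the antenna scan as SCAN, return loss is minus this."""
    return {f: scan[f] - baseline[f] for f in baseline if f in scan}

def stopband(loss: dict[int, float], level_db: float = -3.0) -> tuple[int, int]:
    """Lowest and highest bin centres attenuated by at least -LEVEL_DB: the filter's dip."""
    rejected = sorted(f for f, db in loss.items() if db <= level_db)
    if not rejected:
        raise ValueError("no bin is attenuated by %.1f dB" % -level_db)
    return rejected[0], rejected[-1]

def vswr(return_loss_db: float) -> float:
    """|Gamma| = 10^(-RL/20); VSWR = (1 + |Gamma|) / (1 - |Gamma|), infinite at 0 dB."""
    gamma = 10 ** (-return_loss_db / 20)
    return float("inf") if gamma >= 1 else (1 + gamma) / (1 - gamma)

def _scan_row(low_hz: int, step_hz: int, values: list[float]) -> str:
    """Constructed rtl_power-style CSV row for the demo data below (not a real capture)."""
    cells = ["2015-07-01", "12:00:00", str(low_hz), str(low_hz + step_hz * len(values)),
             "%.2f" % step_hz, "100"] + ["%.2f" % v for v in values]
    return ", ".join(cells) + "\n"

# Constructed scans: 30 to 200 MHz in 10 MHz bins, noise source flat at -20 dB,
# FM band-stop filter taking 30 dB out of the 50 to 150 MHz region.
BINS = list(range(30_000_000, 200_000_000, 10_000_000))
BASELINE = parse_rtl_power(_scan_row(BINS[0], 10_000_000, [-20.0] * len(BINS)))
FILTERED = parse_rtl_power(_scan_row(BINS[0], 10_000_000, [-50.0 if 50e6 <= f < 150e6 else -20.0 for f in BINS]))
```

`stopband(relative_to_baseline(BASELINE, FILTERED))` gives the filter’s dip edges, and `vswr(open_db - antenna_db)` for a bin gives the antenna’s VSWR there.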

Using librtlsdr Over TCP

[Texane] built a low-cost software defined radio rig which could be remotely controlled. This allows the hardware to be placed outside for better reception, while being controlled from any PC that can connect over TCP. To do this, he created a fork of librtlsdr, the library used to turn cheap TV tuners into software defined radios.

The official release of rtl-sdr includes the rtl_tcp utility, which is meant for this purpose. Unfortunately, not all of the SDR tools for Linux support this. By modifying the library itself, remote devices interact with software in the same way as local devices. This means that any software that supports librtlsdr should work.

The outdoor rig contains a BeagleBone Black and the SDR hardware, sealed up in a weather-resistant box. This connects to [Texane]’s home network over Ethernet, and allows SDR utilities to be run elsewhere.

This feature is quite experimental, but the source for the fork is provided for those who want to build the code and try it out.

Over-engineering Ding Dong Ditch

One day, [Samy]’s best friend [Matt] mentioned he had a wireless doorbell. Astonishing. Even more amazing is the fact that anyone can buy a software defined radio for $20, a small radio module from eBay for $4, and a GSM breakout board for $40. Connect these pieces together, and you have a device that can ring [Matt]’s doorbell from anywhere on the planet. Yes, it’s the ultimate over-engineered ding dong ditch, and a great example of how far you can take practical jokes if you know which end of a soldering iron to pick up.

Simply knowing [Matt] has a wireless doorbell is not enough; [Samy] needed to know the frequency, the modulation scheme, and what the doorbell was sending. Some of this information can be found by looking up the FCC ID, but [Samy] found a better way. When [Matt] was out of his house, [Samy] simply rang the doorbell a bunch of times while looking at the waterfall plot with an RTL-SDR TV tuner. There are a few frequencies that tiny, cheap remote controls commonly use – 315 MHz, 433 MHz, and 900 MHz. Eventually, [Samy] found the frequency the doorbell was transmitting on – 433.8 MHz.

After capturing the radio signal from the doorbell, [Samy] looked at the audio waveform in Audacity. It looked like this doorbell used On-Off Keying, or just turning the radio on for a binary ‘1’ and off for a binary ‘0’. In Audacity, everything the doorbell transmits becomes crystal clear, and with a $4 434 MHz transmitter from SparkFun, [Samy] can replicate the output of the doorbell.
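The alarm keypad earlier on this page and this doorbell are decoded the same way: slice the captured envelope into symbol periods, threshold each one, and check that the two copies of the code agree before trusting it. This is an added Python example of that decoding step, not code from either post; SAMPLES_PER_BIT, CODE_BITS and the envelope values are assumptions.

```python
"""Decode On-Off-Keyed key presses captured with an RTL-SDR into bit patterns.

Added example, not code from either Hackaday post. Assumes the capture is already a
rectified amplitude envelope (one float per sample, as exported from Audacity) and
that each key press is sent as two identical copies of a fixed code word.
"""
from typing import Dict, List, Optional

SAMPLES_PER_BIT = 8   # assumption: audio sample rate divided by the remote's symbol rate
CODE_BITS = 12        # assumption: length of one copy of the code word

def envelope_to_bits(envelope: List[float], threshold: float = 0.5) -> List[int]:
    """Average each symbol period and threshold it: carrier on is 1, off is 0."""
    bits = []
    for i in range(0, len(envelope) - SAMPLES_PER_BIT + 1, SAMPLES_PER_BIT):
        period = envelope[i:i + SAMPLES_PER_BIT]
        bits.append(1 if sum(period) / SAMPLES_PER_BIT > threshold else 0)
    return bits

def decode_keypress(envelope: List[float]) -> Optional[str]:
    """Return the code word as a bit string only when both transmitted copies agree."""
    bits = envelope_to_bits(envelope)
    if len(bits) < 2 * CODE_BITS:
        return None                          # truncated capture
    first, second = bits[:CODE_BITS], bits[CODE_BITS:2 * CODE_BITS]
    if first != second:
        return None                          # noisy capture: the repeat disagrees
    return "".join(str(b) for b in first)

def build_key_map(captures: Dict[str, List[float]]) -> Dict[str, str]:
    """Map each keypad label to its code word; refuse repeats that differ or codes that collide."""
    key_map: Dict[str, str] = {}
    for label, env in captures.items():
        code = decode_keypress(env)
        if code is None:
            raise ValueError("key %r: repeats disagree, capture it again" % label)
        if code in key_map.values():
            raise ValueError("key %r: same code as another key" % label)
        key_map[label] = code
    return key_map

def make_envelope(code: str, repeats: int = 2, on: float = 0.9, off: float = 0.1) -> List[float]:
    """Constructed test input: the envelope a remote would produce when sending CODE."""
    env: List[float] = []
    for bit in code * repeats:
        env.extend([on if bit == "1" else off] * SAMPLES_PER_BIT)
    return env
```

Because the code word is fixed and repeated verbatim on every press, the map built here is all a receiver needs to recognise each key, which is exactly why these remotes offer no protection against a recorded transmission.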

For the rest of the build, [Samy] is using a mini GSM cellular breakout board from Adafruit. This module listens for any text message containing the word ‘doorbell’ and sends a signal to an Arduino. The Arduino then sends out the doorbell code with the transmitter. It’s evil, and extraordinarily over-engineered.

Right now, the ding dong ditch project is set up somewhere across the street from [Matt]’s house. The device reportedly works great, and hopefully hasn’t been abused too much. Video below.


RTL SDR As A Spectrum Analyzer

RTL-SDR, the USB TV tuner turned software-defined radio, is an amazing device, capable of listening to nearly anything from 25 MHz to 1750 MHz, fits in your pocket, and costs about $20. Even more astonishing is that it’s also a kinda-okay spectrum analyzer. [Kerry D. Wong] tested out one of these USB TV tuners, and the results are exactly what you would expect: it lacks a little precision, and sampling bandwidth is only a tiny bit terrible, but it does work.

A stock USB TV tuner doesn’t come with a connector that would normally be used for spectrum analysis. A BNC connector can be easily attached, as can a terminator to match the 75Ω impedance of the SDR. This isn’t really necessary; the frequencies being measured are low enough that you can get away without one.

As far as software goes, [Kerry] first pulled out the usual suspects of the SDR world; rtlsdr-scanner distorted the measured spectrum, as did a lot of other SDR receivers. Gqrx SDR was the first one that worked well, but the king of this repurposing of USB TV tuners was OSMOCOM. There’s a huge number of tools for spectrum analysis right out of the box with this package.

How did the RTL SDR fare as a spectrum analyzer? Feeding in some signals from a signal generator, [Kerry] discovered the LO in the RTL SDR was off by a hair. Also, OSMOCOM only measures amplitude in relative dB, not the dBm found in every other spectrum analyzer ever made. By measuring a known 0 dBm signal, the displayed values can be shifted up or down by the right offset.

So, does it work? Yes, it does. If, for some reason, you need a spectrum analyzer now, can you use this? Yep. Pretty cool.