Hacking Radio Controlled Outlets

Decoding NRZ ASK

It’s no surprise that there are a lot of devices out there that use simple RF communication with minimal security. To explore this, [Gordon] took a look at attacking radio controlled outlets.

He started off with a CC1111 evaluation kit, which supports the RFCat RF attack tool set. RFCat lets you interact with the CC1111 using a Python interface. After flashing the CC1111 with the RFCat firmware, the device was ready to use. Next up, [Gordon] goes into detail about replaying amplitude shift keying messages using the RFCat. He used an Arduino and the rc-switch library to generate signals that are compatible with the outlets.

In order to work with the outlets, the signal had to be sniffed. This was done using RTL-SDR and a low-cost TV tuner dongle. By exporting the sniffed signal and analyzing it, the modulation could be determined. The final step was writing a Python script to replay the messages using the RFCat.

The hack is a good combination of software defined radio techniques, ending with a successful attack. Watch a video of the replay attack after the break.
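As an added example (this is not [Gordon]'s script and not part of rc-switch or RFCat), here is a Python decoder for the kind of pulse-width ASK/OOK signal these outlets use. It assumes the rc-switch "protocol 1" timing (a 350 µs base pulse; a zero is one unit high and three low, a one is three high and one low, a sync pulse is one high and 31 low) and works on a constructed amplitude envelope; with a real capture the input would be the magnitude of the filtered IQ samples from the dongle.

```python
"""Decode an ASK/OOK envelope using rc-switch style pulse-width timing.

Added example: not [Gordon]'s script and not part of rc-switch. The timing
table is the rc-switch "protocol 1" layout (base pulse 350 us); the sample
envelope is constructed here so the decoder can run offline.
"""
from itertools import groupby

BASE_US = 350                # one timing unit, in microseconds
ZERO = (1, 3)                # '0' = 1 unit high, 3 units low
ONE = (3, 1)                 # '1' = 3 units high, 1 unit low
SYNC = (1, 31)               # sync = 1 unit high, 31 units low (ends a frame)


def unit_samples(sample_rate_hz):
    """Number of envelope samples in one timing unit."""
    return round(sample_rate_hz * BASE_US / 1e6)


def make_envelope(code, sample_rate_hz, repeats=3, idle=40):
    """Constructed test input: an amplitude envelope carrying `code`.

    Highs sit at 0.9 and lows at 0.05 so the decoder has to threshold.
    """
    u = unit_samples(sample_rate_hz)
    env = [0.05] * idle
    for _ in range(repeats):
        for bit in code:
            hi, lo = ONE if bit == "1" else ZERO
            env += [0.9] * (hi * u) + [0.05] * (lo * u)
        hi, lo = SYNC
        env += [0.9] * (hi * u) + [0.05] * (lo * u)
    return env


def run_lengths(samples, threshold=0.5):
    """Threshold the envelope and run-length encode it to (level, length)."""
    levels = [1 if s > threshold else 0 for s in samples]
    return [(lvl, sum(1 for _ in grp)) for lvl, grp in groupby(levels)]


def _near(measured, expected, tol):
    return abs(measured - expected) <= tol * expected


def decode_frames(samples, sample_rate_hz, threshold=0.5, tol=0.35):
    """Return one bit string per sync-terminated frame found in the envelope.

    A high/low pulse pair that matches neither symbol nor the sync gap is
    treated as noise and resets the frame being assembled.
    """
    u = unit_samples(sample_rate_hz)
    runs = run_lengths(samples, threshold)
    if runs and runs[0][0] == 0:          # skip idle time before the first pulse
        runs = runs[1:]
    frames, bits = [], []
    for i in range(0, len(runs) - 1, 2):
        (_, hi), (_, lo) = runs[i], runs[i + 1]
        hi_u, lo_u = hi / u, lo / u
        if _near(hi_u, ZERO[0], tol) and _near(lo_u, ZERO[1], tol):
            bits.append("0")
        elif _near(hi_u, ONE[0], tol) and _near(lo_u, ONE[1], tol):
            bits.append("1")
        elif _near(hi_u, SYNC[0], tol) and _near(lo_u, SYNC[1], tol):
            if bits:
                frames.append("".join(bits))
            bits = []
        else:                             # unrecognised timing: resynchronise
            bits = []
    return frames


if __name__ == "__main__":
    code = "101001000000011100010001"     # constructed 24-bit outlet code
    env = make_envelope(code, 20_000)
    print(decode_frames(env, 20_000))     # the code once per repeat
```

Measuring the high and low run lengths against a timing table like this is exactly how the modulation gets identified from an exported capture. It also makes the weakness visible: the outlet accepts any frame whose fixed code word matches, with no counter or challenge, which is why a recorded frame works when replayed and why rolling-code schemes exist.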


Using SDR to Read Your Smart Meter


[BeMasher] was dissatisfied with the cost of other solutions to read his smart meter, so he made a project to read it himself using an rtl-sdr dongle.

Using his hacking and reverse engineering skills along with a $20 RTL-SDR dongle, [BeMasher] wrote rtlamr to automatically detect and report the consumption information reported by smart meters within range. Though designed for his Itron C1SR, [BeMasher] claims that any electronic receiver transmitter (ERT) capable smart meter should work.

[BeMasher]’s Itron C1SR smart meter broadcasts both interval data and standard consumption in the 915MHz ISM band using a Manchester encoded, frequency hopping spread spectrum protocol. [BeMasher] used the RTL-SDR dongle to do the signal capture and analysed the resulting signal in software afterwards. [BeMasher] did a great job of going through the theory and implementation of analysing the resulting data capture, so be sure to check it for an in-depth analysis.
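The Manchester layer of that protocol is simple enough to show in full. The following is an added example and not code from rtlamr; it assumes the IEEE 802.3 chip convention (a data 1 is the chip pair `01`, a data 0 is `10`; other systems use the inverse, and which one a meter uses has to be confirmed from a capture) and runs on a constructed chip stream.

```python
"""Manchester line-code encoder/decoder with chip-phase recovery.

Added example, not code from rtlamr. Assumes the IEEE 802.3 convention
(data 1 -> chips '01', data 0 -> chips '10'); the chip stream is constructed.
"""

ENCODE = {"0": "10", "1": "01"}          # assumed convention, see docstring
DECODE = {chips: bit for bit, chips in ENCODE.items()}


def manchester_encode(bits):
    """Map each data bit to its two-chip symbol."""
    return "".join(ENCODE[b] for b in bits)


def manchester_decode(chips, offset):
    """Decode from a given chip offset; returns (bits, violations).

    '00' and '11' never occur inside a valid symbol, so each one is a code
    violation: the sign that the chip phase is wrong or the link is noisy.
    """
    bits, violations = [], 0
    for i in range(offset, len(chips) - 1, 2):
        pair = chips[i:i + 2]
        if pair in DECODE:
            bits.append(DECODE[pair])
        else:
            bits.append("?")
            violations += 1
    return "".join(bits), violations


def recover(chips):
    """Try both chip phases and keep the one with fewer violations.

    At the wrong phase every change of data bit lands on a '00' or '11'
    pair, so the violation count separates the two phases immediately.
    """
    return min((manchester_decode(chips, off) for off in (0, 1)),
               key=lambda result: result[1])


if __name__ == "__main__":
    data = "1101001010110010"
    stream = "1" + manchester_encode(data)   # a stray leading chip shifts the phase
    print(recover(stream))
```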

If the RTL-SDR dongles are too limited for your taste, you might want to check out some hacker friendly SDRs with a little more punch.

Sniffing and Decoding Bluetooth LE Advertising Packets and NRF24L01+ Comms. for under $30

[Omri] just documented his journey to sniff and decode the protocol used by the popular NRF24L01+ transceiver off the air for very cheap. As he was writing mesh network code and needed a way to monitor/debug the overall network performance, [Omri] decided to look for some RF hardware.

We’re sure that most of our readers are familiar with Software Defined Radio (SDR), which not so long ago became popular when some engineer discovered hidden registers inside the Realtek RTL2832U chip, allowing many DVB-T dongles to be converted into RF listening devices. Unfortunately for [Omri], most of them have a maximum listening frequency of 2.2GHz, while the NRF24L01+ emits at 2.4GHz. The solution? Buy a 2.2-2.4GHz antenna from Aliexpress with a low-noise block downconverter (LNB), used for a Multichannel Multipoint Distribution Service (MMDS). The LNB takes the 2.2-2.4GHz signal and downconverts it to around 400MHz, allowing any RTL-SDR-compatible DVB-T dongle to listen to the NRF communications. A program was then written to decode the RF signal and output the sniffed data in realtime.

Transmitting data with a Pi and RTL-SDR


Sometimes the best builds aren’t anything new, but rather combining two well-developed hacks. [Marc] was familiar with RTL-SDR, the $30 USB TV tuner cum software defined radio, but was surprised no one had yet combined this cheap radio dongle with the ability to transmit radio from a Raspberry Pi. [Marc] combined these two builds and came up with the cheapest portable radio modem for the Raspberry Pi.

Turning the Raspi into a transmitter isn’t really that hard; it only requires a 20cm wire inserted into a GPIO pin, then toggling this pin at about 100 MHz. This resulting signal can be picked up fifty meters away, and through walls, even.

[Marc] combined this radio transmitter with minimodem, a program that generates audio modem tones at the required baud rate. Data is encoded in this audio stream, sent over the air, and decoded again with an RTL-SDR dongle.

It’s nothing new, per se, but if you’re looking for a short-range, low-bandwidth wireless connection between a computer and a Raspberry Pi, this is most certainly the easiest and cheapest method.
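To show what the modem half of that chain actually does, here is an added example in Python; it is not minimodem's code and not [Marc]'s script. It assumes minimodem's Bell 202 tones (1200 Hz mark for a 1, 2200 Hz space for a 0, 1200 baud), a 48 kHz audio rate, and a receiver that already knows where the bit boundaries are (bit and byte sync is a separate problem that minimodem solves with start/stop bits). The noisy channel is constructed.

```python
"""AFSK modem in the style of minimodem's Bell 202 mode (1200 baud).

Added example: not minimodem's code and not [Marc]'s script. Assumes Bell 202
tones, 48 kHz audio, and known bit boundaries; the noise is constructed.
"""
import cmath
import math
import random

MARK_HZ, SPACE_HZ = 1200.0, 2200.0    # mark carries a 1, space carries a 0
BAUD = 1200
FS = 48_000
SAMPLES_PER_BIT = FS // BAUD          # 40 samples per bit


def bytes_to_bits(data):
    """LSB-first bits of each byte, the order minimodem sends them."""
    return [(byte >> i) & 1 for byte in data for i in range(8)]


def bits_to_bytes(bits):
    out = bytearray()
    for i in range(0, len(bits) - 7, 8):
        out.append(sum(b << k for k, b in enumerate(bits[i:i + 8])))
    return bytes(out)


def modulate(bits):
    """Continuous-phase FSK: the phase carries over from tone to tone."""
    phase, audio = 0.0, []
    for bit in bits:
        freq = MARK_HZ if bit else SPACE_HZ
        for _ in range(SAMPLES_PER_BIT):
            audio.append(math.sin(phase))
            phase += 2 * math.pi * freq / FS
    return audio


def tone_energy(window, freq):
    """Magnitude of the correlation of the window with a complex tone."""
    return abs(sum(x * cmath.exp(-2j * math.pi * freq * n / FS)
                   for n, x in enumerate(window)))


def demodulate(audio):
    """Non-coherent detection: per bit window, pick the stronger tone."""
    bits = []
    for start in range(0, len(audio) - SAMPLES_PER_BIT + 1, SAMPLES_PER_BIT):
        window = audio[start:start + SAMPLES_PER_BIT]
        mark, space = tone_energy(window, MARK_HZ), tone_energy(window, SPACE_HZ)
        bits.append(1 if mark > space else 0)
    return bits


def add_noise(audio, amplitude=0.3, seed=1):
    """Constructed channel impairment: deterministic uniform noise."""
    rng = random.Random(seed)
    return [x + rng.uniform(-amplitude, amplitude) for x in audio]


def loopback(data, noise=0.3):
    """Modulate, pass through the noisy 'channel', demodulate."""
    return bits_to_bytes(demodulate(add_noise(modulate(bytes_to_bits(data)), noise)))


if __name__ == "__main__":
    print(loopback(b"hello raspi"))
```

The same audio could be fed to the GPIO transmitter on one side and taken from the dongle's demodulated output on the other. Note that nothing in this link is authenticated or encrypted: anything within the fifty-metre range can both read and inject data, so any application on top of it needs its own integrity protection.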

Cracking GSM with RTL-SDR for Thirty Dollars


Theoretically, GSM has been broken since 2003, but the limitations of hardware at the time meant cell phone calls and texts were secure from the prying ears of digital eavesdroppers and all but the most secret government agencies. Since then, the costs of hardware have gone down, two terabytes of rainbow tables have been published, and all the techniques and knowledge required to listen in on cell phone calls have been available. The only thing missing was the hardware. Now, with a super low-cost USB TV tuner cum software defined radio, [domi] has put together a tutorial for cracking GSM with thirty dollars in hardware.

Previous endeavours to listen in and decrypt GSM signals used fairly expensive software defined radios – USRP systems that cost a few thousand dollars a piece. Since the advent of RTL-SDR, the price of software defined radios has come down to about $30 on eBay, giving anyone with a Paypal account the ability to listen in on GSM calls and sniff text messages.

The process of cracking GSM first involves getting the TMSI – Temporary Mobile Subscriber Identifier – a unique ID for each phone in a certain cell. This is done by sending a silent SMS that will send back an acknowledgement that an SMS has been received on the victim’s phone, but won’t give the victim any indication of receiving a message.

From there, the attacker listens to the GSM signals in the cell, receiving bursts attached to a TMSI, and cracking the encrypted stream using 1.6 TB of rainbow tables.

[domi] put up a four-part tutorial series (part 1 above; part 2, part 3, and part 4) that goes over the theory and the actual procedure of cracking text messages and voice calls with a simple USB TV tuner. There are a few limitations; the attacker must be in the same cell as the victim, and it looks like real-time voice decoding isn’t yet possible. Cracking GSM for $30, though, that’s good enough for us.

Detecting galactic rotation with software defined radio


Last summer in the heyday of software defined radio via USB TV tuners we asked Hackaday readers a question: Is anyone using everyone’s favorite method of SDR for radio astronomy? It took nearly a year, but finally there’s an awesome project to turn a USB TV tuner into a radio telescope. It’s from the fruitful mind of [Marcus Leech] (PDF warning), and is good enough to detect the rotation of the galaxy with a three-foot satellite dish.

News of [Marcus]’ work comes to us from [Carl] over at RTL-SDR.com who has been keeping tabs on the advances of building a radio telescope in a backyard. He’s been collecting a lot of interesting tidbits including this gif showing an arm of the galaxy entering and leaving [Marcus]’ telescope’s field of view over the course of a few hours.

Not only can [Marcus]’ telescope record continuum measurements – basically, a single-pixel camera sensitive to only one frequency – it can also produce spectral plots of the sky. Combine the ability to measure multiple frequencies at the same time with the Doppler effect, and [Marcus] can measure the rotation of the galaxy with a USB TV tuner. That’s just awesome in our humble opinion.

If you already have an RTL-SDR TV tuner and a largish satellite dish, [Marcus]’ project should be fairly inexpensive to replicate; the feed assembly is made out of a coffee can, the amplifiers are repurposed satellite television equipment, and all the software – [Marcus]’ own simple_ra tool for GNU Radio – is open source. Of course with a 3 foot diameter dish, it will be impossible to replicate the data from huge radio telescopes. Still, it’s an impressive piece of work that leaves us searching craigslist for an old C-band dish.

Tracking ships using software-defined radio (SDR)


When we first started hearing about software-defined radio hacks (which often use USB dongles that ring in at under $20) we didn’t fully grasp the scope of that flexibility. But now we’ve seen several real-life examples that drive the concept home. For instance, did you know that SDR can be used to track ships? Ships large and small are required by many countries to use an Automatic Identification System (AIS) transponder. The protocol was originally developed to prevent collisions on large ships, but when the cost of the hardware became affordable the system was also brought to smaller vessels.

[Carl] wrote in to share his project (which is linked above). Just like the police scanner project from April this makes use of RTL-SDR in the form of a TV tuner dongle. He uses the SDRSharp software along with a Yagi-UDA. The captured data is then decoded and plotted on a map using ShipPlotter.
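What ShipPlotter does with the demodulated data is verify and unpack NMEA `!AIVDM` sentences. The following is an added example and not ShipPlotter's or [Carl]'s code: it checks the NMEA checksum, unpacks the 6-bit ASCII payload and decodes the fields of a Class A position report (message types 1, 2 and 3) for the single-fragment case. The sentence used as input is a widely circulated AIS test vector, not a live capture.

```python
"""Verify and decode an AIS position report carried in an NMEA !AIVDM sentence.

Added example: not ShipPlotter's or [Carl]'s code. Handles single-fragment
sentences and message types 1, 2 and 3. SAMPLE is a published test vector.
"""

SAMPLE = "!AIVDM,1,1,,B,177KQJ5000G?tO`K>RA1wUbN0TKH,0*5C"


def nmea_checksum(sentence):
    """XOR of every byte between the leading '!' and the '*', as two hex digits."""
    body = sentence[1:sentence.index("*")]
    result = 0
    for ch in body:
        result ^= ord(ch)
    return f"{result:02X}"


def payload_to_bits(payload):
    """AIS 6-bit ASCII armouring: each character carries six bits."""
    bits = ""
    for ch in payload:
        value = ord(ch) - 48
        if value > 40:
            value -= 8
        bits += f"{value:06b}"
    return bits


def _uint(bits, start, length):
    return int(bits[start:start + length], 2)


def _sint(bits, start, length):
    """Two's-complement signed field."""
    value = _uint(bits, start, length)
    if bits[start] == "1":
        value -= 1 << length
    return value


def decode_position_report(sentence):
    """Return a dict for a type 1/2/3 report, or raise ValueError."""
    if not sentence.startswith("!AIVDM") or "*" not in sentence:
        raise ValueError("not an AIVDM sentence")
    expected = sentence[sentence.index("*") + 1:][:2]
    if nmea_checksum(sentence) != expected.upper():
        raise ValueError("NMEA checksum mismatch")
    fields = sentence.split(",")
    if fields[1] != "1" or fields[2] != "1":
        raise ValueError("multi-fragment sentences not handled here")
    bits = payload_to_bits(fields[5])
    msg_type = _uint(bits, 0, 6)
    if msg_type not in (1, 2, 3) or len(bits) < 168:
        raise ValueError(f"unsupported message type {msg_type}")
    return {
        "type": msg_type,
        "mmsi": _uint(bits, 8, 30),
        "nav_status": _uint(bits, 38, 4),
        "sog_knots": _uint(bits, 50, 10) / 10,      # 1023 means unavailable
        "lon": _sint(bits, 61, 28) / 600000,        # 181 means unavailable
        "lat": _sint(bits, 89, 27) / 600000,        # 91 means unavailable
        "cog_deg": _uint(bits, 116, 12) / 10,
        "heading_deg": _uint(bits, 128, 9),         # 511 means unavailable
    }


if __name__ == "__main__":
    print(decode_position_report(SAMPLE))
```

The checksum only catches corruption on the serial link between decoder and plotter; AIS itself carries no authentication, so a receiver has no way to tell a genuine transponder from any other transmitter on the channel, and positions decoded this way should be treated as unverified input.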
