[Balint] has a bit of history in dealing with software defined radios and cheap USB TV tuners turned into what would have been very expensive hardware a few years ago. Now [Balint] is finally posting a few really great GNU Radio tutorials, aimed at getting software defined radio beginners up and running with some of the coolest hardware around today.
[Balint] is well-known around these parts for being the first person to create a GNU Radio source block for the implausibly inexpensive USB TV tuners, allowing anyone with $20 and enough patience to wait for a package from China to listen in on everything from 22 to 2200 MHz. There’s a lot of interesting stuff happening in that band, including the ACARS messages between airliners and traffic control, something that allowed [Balint] to play air traffic controller with a minimal amount of hardware.
Right now the tutorials are geared towards the absolute beginner, starting at the beginning with getting GNU Radio up and running. From there the tutorials continue to receiving FM radio, and with a small hardware investment, even transmitting over multiple frequencies.
It’s not much of an understatement to say software defined radio is one of the most versatile and fun projects out there. [Balint] even demonstrated triggering restaurant pagers with a simple SDR project, a fun project that is sure to annoy his coworkers.
Continue reading “[Balint]’s GNU Radio Tutorials”
Most keyfobs out there that open cars, garage doors, and gates use a rolling code for security. This works by transmitting a different key every time you press the button. If the keys line up, the signal is considered legitimate and the door opens.
[Spencer] took a look into hacking rolling code keyfobs using low cost software-defined radio equipment. There are two parts to this attack. The first involves jamming the frequency the keyfob transmits on while recording using an RTL-SDR dongle. The jamming signal prevents the receiver from acknowledging the request, but it can be filtered out using GNU Radio to recover the key.
Since the receiver hasn’t seen this key yet, it will still be valid. By replaying the key, the receiver can be tricked. To pull off the replay, GNU Radio was used to demodulate the amplitude shift keying (ASK) signal used by the transmitter. This was played out of a computer sound card into an ASK transmitter module, which sent out a valid key.
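To make the receiver-side logic concrete, here is an added example (not code from the post or from [Spencer]) that models a rolling code receiver with a look-ahead window; the HMAC-based code derivation and the window size are assumptions standing in for whatever a real keyfob uses. It shows why an already-consumed code is rejected, and why a captured-but-unseen code only stays valid until the receiver sees a newer one.

```python
import hmac
import hashlib

WINDOW = 16  # assumed: how many future counter values the receiver will accept


def make_code(key: bytes, counter: int) -> bytes:
    """Transmitter side: derive the 32-bit code for this counter value (assumed scheme)."""
    return hmac.new(key, counter.to_bytes(4, "big"), hashlib.sha256).digest()[:4]


class Receiver:
    """Receiver side: accepts a code only if it lies just ahead of the last one seen."""

    def __init__(self, key: bytes):
        self.key = key
        self.last = 0  # highest counter value accepted so far

    def accept(self, code: bytes) -> bool:
        for counter in range(self.last + 1, self.last + WINDOW + 1):
            if hmac.compare_digest(make_code(self.key, counter), code):
                self.last = counter  # resync: every code at or below this is now dead
                return True
        return False


def demo() -> dict:
    """Walk through the cases a defender cares about; returns each outcome by name."""
    key = b"constructed-demo-key"  # constructed sample key
    rx = Receiver(key)
    results = {}
    c1 = make_code(key, 1)
    results["first_press"] = rx.accept(c1)             # fresh code: accepted
    results["replay_used"] = rx.accept(c1)             # same code again: rejected
    c2 = make_code(key, 2)                             # press the receiver never heard
    c3 = make_code(key, 3)
    results["later_press"] = rx.accept(c3)             # window skips over the missed c2
    results["stale_after_resync"] = rx.accept(c2)      # c2 is now behind the counter
    results["far_ahead"] = rx.accept(make_code(key, 3 + WINDOW + 5))  # outside window
    return results


if __name__ == "__main__":
    print(demo())
```

The "stale_after_resync" case is the property the attack above has to defeat: a captured code is only useful while the receiver has not yet seen anything newer.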
It’s no surprise that there are a lot of devices out there that use simple RF communication with minimal security. To explore this, [Gordon] took a look at attacking radio controlled outlets.
He started off with a CC1111 evaluation kit, which supports the RFCat RF attack tool set. RFCat lets you interact with the CC1111 using a Python interface. After flashing the CC1111 with the RFCat firmware, the device was ready to use. Next up, [Gordon] goes into detail about replaying amplitude shift keying messages using the RFCat. He used an Arduino and the rc-switch library to generate signals that are compatible with the outlets.
In order to work with the outlets, the signal had to be sniffed. This was done using RTL-SDR and a low-cost TV tuner dongle. By exporting the sniffed signal and analyzing it, the modulation could be determined. The final step was writing a Python script to replay the messages using the RFCat.
The hack is a good combination of software defined radio techniques, ending with a successful attack. Watch a video of the replay attack after the break.
Continue reading “Hacking Radio Controlled Outlets”
[BeMasher] was dissatisfied with the cost of other solutions to read his smart meter, so he made a project to read it himself using an rtl-sdr dongle.
Using his hacking and reverse engineering skills along with a $20 RTL-SDR dongle, [BeMasher] wrote rtlamr to automatically detect and report the consumption information reported by smart meters within range. Though designed for his Itron C1SR, [BeMasher] claims that any electronic receiver transmitter (ERT) capable smart meter should work.
[BeMasher]’s Itron C1SR smart meter broadcasts both interval data and standard consumption in the 915 MHz ISM band using a Manchester encoded, frequency hopping spread spectrum protocol. [BeMasher] used the RTL-SDR dongle to do the signal capture and analysed the resulting signal in software afterwards. [BeMasher] did a great job of going through the theory and implementation of analysing the resulting data capture, so be sure to check it out for an in-depth analysis.
If the RTL-SDR dongles are too limited for your taste, you might want to check out some hacker friendly SDRs with a little more punch.
[Spock] wanted to do a little reverse engineering of his Miele brand remote control vacuum cleaner, so he broke out his DVB-T SDR dongle to use as a spectrum analyser. Sure enough, he found a 433.83 MHz signal that his vacuum cleaner remote control was using, but to his surprise, he found a stray QAM256 signal when he expected an ASK only one.
After a little detective work, [Spock] eventually tracked it down to a cheap weather station he had forgotten about. The protocol for the weather station was too compelling for him to go back to his vacuum cleaner, though. After downloading an rc-switch Arduino library and making a quick stop at his local radio shack to get a 433.92 radio receiver to decode the signal, he reverse engineered the weather station so he could digitally record the temperature output. The Arduino rc-switch library proved unable to decode the signal, but some Python work helped him get to the bottom of it.
With software defined radio becoming more accessible and commonplace, hacks like these are a nice reminder of just how wired our houses are becoming.
[Texane] is developing a system to monitor his garage door from his apartment. Being seven floors apart, running wires between the door and apartment wasn’t an option, so he turned to a wireless solution. Testing this wireless hardware in an apartment is no problem, but testing it in situ is a little more difficult. For that, he turned to software defined radio with an RTL-SDR dongle.
The hardware for this project is based around a TI Stellaris board and a PTR8000 radio module. All the code for this project was written from scratch (available on GitHub), making it questionable whether the code would work on the first try. To test his code, [Texane] picked up one of those USB TV tuner dongles based around the RTL2832U chipset. This allowed him to monitor the frequencies around 433 MHz for the packets his hardware should be sending.
After that, the only thing left to do was to write a frame decoder for his radio module. Luckily, the datasheet for the module made this task easy.
[Texane] has a frame decoder for the NRF905 radio module available in his Git. It’s not quite ready for serious applications, but for testing a simple radio link it’s more than enough.
Do you have commercial or general aviation flying over your home or near your home? Would you like to know more about these airplanes: identity, heading, speed, altitude and maybe GPS data along with even more information? Well then [Rich Osgood] has just the project for you and it’s not that expensive to set up. [Rick] demonstrates using a cheap European-style USB TV tuner dongle as an SDR (software defined radio) that you can get for under $30 to listen in on the Automatic Dependent Surveillance-Broadcast (ADS-B) 1090 MHz mode “S” or 978 MHz mode “UAT” signals being regularly transmitted from these aircraft.
He steps us through configuring the radio to use a better antenna for improved reception then walks through detailed software installation and set up to control the radio receiver as well as pushing the final decoded data to mapping software. This looks like a fascinating and fun project if you live near commercial airways. You won’t need a license for this hack because you’re only listening and not transmitting, plus these are open channels which are legal to receive.
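What the decoding software is actually doing with those 1090 MHz Mode S frames, as an added example that is not part of the original post or of [Rick]’s setup: it parses a 112-bit extended squitter, verifies the 24-bit parity field with the Mode S CRC polynomial, and pulls out the aircraft address and callsign. The sample frame body is the widely published "KLM1023" identification example; the parity field is computed here rather than copied.

```python
GENERATOR = 0x1FFF409  # Mode S CRC polynomial: x^24 + x^23 + ... + x^10 + x^3 + 1
# 6-bit callsign alphabet used in identification messages ('#' marks unused codes)
CALLSIGN_CHARS = ("#ABCDEFGHIJKLMNOPQRSTUVWXYZ" + "#" * 5 + " " + "#" * 15
                  + "0123456789" + "#" * 6)


def mode_s_remainder(frame_hex: str) -> int:
    """CRC remainder over the whole frame; 0 means the parity field checks out."""
    bits = int(frame_hex, 16)
    nbits = len(frame_hex) * 4
    for i in range(nbits - 1, 23, -1):  # long division over GF(2), MSB first
        if bits >> i & 1:
            bits ^= GENERATOR << (i - 24)
    return bits & 0xFFFFFF


def append_parity(body_hex: str) -> str:
    """Build a full frame from an 88-bit body by appending its 24-bit parity."""
    return body_hex + "%06X" % mode_s_remainder(body_hex + "000000")


def decode_adsb(frame_hex: str) -> dict:
    """Return the header fields of a DF17 frame plus the callsign for type codes 1-4."""
    if len(frame_hex) != 28:
        raise ValueError("expected a 112-bit (28 hex digit) extended squitter")
    if mode_s_remainder(frame_hex) != 0:
        raise ValueError("parity check failed: corrupted or non-DF17 frame")
    first = int(frame_hex[:2], 16)
    info = {
        "df": first >> 3,                 # downlink format (17 = ADS-B)
        "ca": first & 0x7,                # transponder capability
        "icao": frame_hex[2:8].upper(),   # 24-bit aircraft address
    }
    if info["df"] != 17:
        raise ValueError("not an ADS-B extended squitter")
    me = int(frame_hex[8:22], 16)         # 56-bit message field
    info["tc"] = me >> 51                 # type code, top 5 bits of ME
    if 1 <= info["tc"] <= 4:              # aircraft identification message
        chars = [CALLSIGN_CHARS[(me >> (42 - 6 * k)) & 0x3F] for k in range(8)]
        info["callsign"] = "".join(chars).strip()
    return info


SAMPLE_BODY = "8D4840D6202CC371C32CE0"  # published example body (DF17, KLM1023)

if __name__ == "__main__":
    print(decode_adsb(append_parity(SAMPLE_BODY)))
```

Anything that fails the parity check is dropped before it reaches the map, which is the first line of defence against noise and malformed frames in a receive-only setup like this one.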
There are some frequencies you are not legally allowed to eavesdrop on—private communications for residential wireless telephones and cellular frequencies to name just a few (Code of Federal Regulations Title 47, Part 15.9). So remember you do have to be careful and stay within legal frequencies even if your equipment is not restricted from such reception. Also note that just because you have a legal right to intercept conversations or data on some frequencies it could be illegal to publicly share the intercepted content or any details on the reception or decoding (just saying for the record).
We wonder if [Rick] could partner with [G. Eric Rogers] to upgrade [Eric’s] motorized telescope airplane tracking system to extrapolate the radio telemetry data into vector data so his Arduino can track without relying on a video feed. That merger might just get them both on a short TSA list.
Join us after the break for some extra informational links and to watch the video on setup, installation and usage of this cheap airplane tracking rig.
Continue reading “Build a Cheap Airplane ADS-B Radio Receiving Tracking Station”