From vacuum cleaner hacking to weather station reverse engineering


[Spock] wanted to do a little reverse engineering of his Miele brand remote control vacuum cleaner, so he broke out his DVB-T SDR dongle to use as a spectrum analyser. Sure enough, he found a 433.83 MHz signal that his vacuum cleaner remote control was using, but to his surprise he also found a stray QAM256 signal where he expected an ASK-only one.

After a little detective work, [Spock] eventually tracked it down to a cheap weather station he had forgotten about. The protocol for the weather station was too compelling for him to go back to his vacuum cleaner, though. After downloading the rc-switch Arduino library and making a quick stop at his local radio shack to get a 433.92 MHz radio receiver to decode the signal, he reverse engineered the weather station so he could digitally record the temperature output. The Arduino rc-switch library proved unable to decode the signal, but some Python work helped him get to the bottom of it.

With software defined radio becoming more accessible and commonplace, hacks like these are a nice reminder of just how wired our houses are becoming.

Verifying A Wireless Protocol With RTLSDR


[Texane] is developing a system to monitor his garage door from his apartment. Being seven floors apart, running wires between the door and apartment wasn’t an option, so he turned to a wireless solution. Testing this wireless hardware in an apartment is no problem, but testing it in situ is a little more difficult. For that, he turned to software defined radio with an RTLSDR dongle.

The hardware for this project is based around a TI Stellaris board and a PTR8000 radio module. All the code for this project was written from scratch (Github here), making it questionable whether the code would work on the first try. To test his code, [Texane] picked up one of those USB TV tuner dongles based around the RTL2832U chipset. This allowed him to monitor the frequencies around 433 MHz for the packets his hardware should be sending.

After that, the only thing left to do was to write a frame decoder for his radio module. Luckily, the datasheet for the module made this task easy.

[Texane] has a frame decoder for the NRF905 radio module available in his Git. It’s not quite ready for serious applications, but for testing a simple radio link it’s more than enough.

Build a Cheap Airplane ADS-B Radio Receiving Tracking Station


Do you have commercial or general aviation flying over or near your home? Would you like to know more about these airplanes: identity, heading, speed, altitude and maybe GPS data, along with even more information? Well then [Rich Osgood] has just the project for you, and it's not that expensive to set up. [Rick] demonstrates using one of the cheap European-style USB TV tuner dongles, usable as an SDR (software defined radio) and available for under $30, to listen in on the Automatic Dependent Surveillance-Broadcast (ADS-B) signals regularly transmitted by these aircraft on 1090 MHz (mode "S") or 978 MHz (mode "UAT").

He steps us through configuring the radio to use a better antenna for improved reception, then walks through detailed software installation and setup to control the radio receiver as well as pushing the final decoded data to mapping software. This looks like a fascinating and fun project if you live near commercial airways. You won't need a license for this hack because you're only listening and not transmitting, plus these are open channels which are legal to receive.
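To show what the decoding software is doing with the 1090 MHz mode "S" signals mentioned above, here is an added example (not code from [Rick]'s setup or from any of the tools he uses) that parses one raw ADS-B extended squitter into the aircraft identity it carries and runs the Mode S parity check. It assumes the 28-hex-digit message format that common receivers emit and uses the widely circulated sample message `8D4840D6202CC371C32CE0576098` as input.

```python
# Added example: decode one ADS-B Mode S extended squitter (DF17)
# identification message, as handed to mapping software by a 1090 MHz
# receiver. Input format assumed: 28 hex digits = 112 bits.
GENERATOR = 0xFFF409  # Mode S CRC-24 generator polynomial
# 6-bit character set used by identification (type code 1-4) messages
CHARSET = "#ABCDEFGHIJKLMNOPQRSTUVWXYZ#####_###############0123456789######"


def crc24(msg_hex):
    """Remainder of the whole message; 0 means the parity check passed.
    This detects bit errors only: ADS-B is unauthenticated, so a passing
    CRC says nothing about whether the sender is the aircraft it claims."""
    n = len(msg_hex) * 4
    bits = int(msg_hex, 16)
    for i in range(n - 24):
        if bits & (1 << (n - 1 - i)):
            bits ^= GENERATOR << (n - 25 - i)
    return bits & 0xFFFFFF


def parse_identification(msg_hex):
    """Return downlink format, ICAO address, type code, callsign and CRC
    status, or None if this is not a DF17 identification message."""
    msg_hex = msg_hex.strip().upper()
    if len(msg_hex) != 28 or any(c not in "0123456789ABCDEF" for c in msg_hex):
        return None
    df = int(msg_hex[0:2], 16) >> 3       # first 5 bits: downlink format
    icao = msg_hex[2:8]                   # 24-bit ICAO aircraft address
    me = int(msg_hex[8:22], 16)           # 56-bit message extension field
    tc = me >> 51                         # first 5 bits of ME: type code
    if df != 17 or not 1 <= tc <= 4:
        return None
    chars = []
    for k in range(8):                    # eight 6-bit chars after TC+CA
        idx = (me >> (42 - 6 * k)) & 0x3F
        chars.append(CHARSET[idx])
    return {
        "df": df,
        "icao": icao,
        "tc": tc,
        "callsign": "".join(chars).rstrip("_#"),
        "crc_ok": crc24(msg_hex) == 0,
    }


if __name__ == "__main__":
    print(parse_identification("8D4840D6202CC371C32CE0576098"))
```

A mapping front end would keep a table keyed by the ICAO address and attach positions and velocities from later messages of other type codes; only messages with `crc_ok` set should be admitted.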

There are some frequencies you are not legally allowed to eavesdrop on: private communications on residential wireless telephones and cellular frequencies, to name just a few (Code of Federal Regulations Title 47, Part 15.9). So remember that you do have to be careful and stay within legal frequencies even if your equipment is not restricted from such reception. Also note that just because you have a legal right to intercept conversations or data on some frequencies, it could still be illegal to publicly share the intercepted content or any details on the reception or decoding (just saying for the record).

We wonder if [Rick] could partner with [G. Eric Rogers] to upgrade [Eric's] motorized telescope airplane tracking system to extrapolate the radio telemetry data into vector data so his Arduino can track without relying on a video feed. That merger might just get them both on a short TSA list.

Join us after the break for some extra informational links and to watch the video on setup, installation and usage of this cheap airplane tracking rig.


Cracking GSM with RTL-SDR for Thirty Dollars


Theoretically, GSM has been broken since 2003, but the limitations of hardware at the time meant cell phone calls and texts were secure from the prying ears of digital eavesdroppers and all but the most secret government agencies. Since then, the cost of hardware has gone down, two terabytes of rainbow tables have been published, and all the techniques and knowledge required to listen in on cell phone calls have been available. The only thing missing was the hardware. Now, with a super low-cost USB TV tuner turned software defined radio, [domi] has put together a tutorial for cracking GSM with thirty dollars in hardware.

Previous endeavours to listen in and decrypt GSM signals used fairly expensive software defined radios, USRP systems that cost a few thousand dollars apiece. Since the advent of RTL-SDR, the price of software defined radios has come down to about $30 on eBay, giving anyone with a Paypal account the ability to listen in on GSM calls and sniff text messages.

The process of cracking GSM first involves getting the TMSI (Temporary Mobile Subscriber Identifier), a unique ID for each phone in a certain cell. This is done by sending a silent SMS, which causes the victim's phone to send back an acknowledgement that an SMS has been received but gives the victim no indication of having received a message.

From there, the attacker listens to the GSM signals in the cell, receives the bursts attached to that TMSI, and cracks the encrypted stream using 1.6 TB of rainbow tables.

[domi] put up a four-part tutorial series (part 1 above; part 2, part 3, and part 4) that goes over the theory and the actual procedure of cracking text messages and voice calls with a simple USB TV tuner. There are a few limitations: the attacker must be in the same cell as the victim, and it looks like real-time voice decoding isn't yet possible. Cracking GSM for $30, though, is good enough for us.

An RTL-SDR Spectrum Analyzer


With the combination of small, powerful, pocketable computers and cheap, off-the-shelf software defined radio receivers, it was only a matter of time before someone built a homebrew spectrum analyzer from these ingredients. This great build is the project of [Stephen Ong], and he's even released all the software so you can build it on your own.

The two main components of this build are a BeagleBone Black and its 7″ Touchscreen cape. The BeagleBone is running Angstrom Linux, a blazingly fast Linux distro for small embedded devices. The radio hardware consists of only a USB TV tuner supported by RTL-SDR. In his demo video, [Stephen] shows off his project and by all accounts it is remarkable, with a UI better than most desktop-oriented SDR software suites.

You can grab the BeagleBone image [Stephen] is using over on his blog, but for the more enterprising reader he's also put the source of his ViewRF software up on GitHub.

A Comparison of Hacker Friendly SDRs


In the market for a software defined radio? [Taylor Killian] wrote a comprehensive comparison of several models that are within the price range of amateurs and hobbyists.

You can get started with SDR using a $20 TV tuner card, but there are a lot of limitations. These cards only work as receivers, are limited to a small chunk of the radio spectrum, and have limited bandwidth and sample rates. The new SDRs on the market, including the bladeRF, HackRF, and USRP offerings, are purpose built for SDR experimentation. You might want an SDR to set up a cellular base station at Burning Man, scan Police and Fire radio channels, or track ships.

[Taylor] breaks down the various specifications of each radio, and discusses the components used in each SDR in depth. In the end, the choice depends on what you want to do and how much you’re willing to spend. This breakdown should help you choose a hacker friendly SDR.

HackRF, or playing from 30 MHz to 6 GHz


Up on Kickstarter, [Michael Ossmann] is launching the HackRF, an inordinately cheap, exceedingly capable software defined radio tool that’s small enough to lose in your laptop bag.

The HackRF was the subject of a lot of interest last time it was on Hackaday: the ability to receive up to 6 GHz allows the HackRF to do a lot of very interesting things, including listening in on Bluetooth, WiFi, and 4G networks. Also, the ability to transmit on these frequencies means a lot of very interesting, and quite possibly slightly evil, applications are open to anyone with a HackRF. Like the RTL-SDR dongles, the HackRF works with GNU Radio out of the box, meaning all those cool SDR hacks we've seen so far will work with this new, more powerful board.

Compared to the USB TV tuner cards that were so popular a year ago, the HackRF has 10 times the bandwidth, is able to receive up to 6 GHz, and is also able to transmit. It's only half-duplex, so to receive and transmit simultaneously you'll need two HackRFs, or maybe wait for a hardware revision that will hopefully come sooner rather than later.

Below you can check out [Michael]'s presentation at Toorcon where the HackRF was unleashed to the world.
