Hacking Radio Controlled Outlets

Decoding NRZ ASK

It’s no surprise that there’s a lot of devices out of there that use simple RF communication with minimal security. To explore this, [Gordon] took a look at attacking radio controlled outlets.

He started off with a CC1111 evaluation kit, which supports the RFCat RF attack tool set. RFCat lets you interact with the CC1111 using a Python interface. After flashing the CC1111 with the RFCat firmware, the device was ready to use. Next up, [Gordon] goes into detail about replaying amplitude shift keying messages using the RFCat. He used an Arduino and the rc-switch library to generate signals that are compatible with the outlets.

In order to work with the outlets, the signal had to be sniffed. This was done using RTL-SDR and a low-cost TV tuner dongle. By exporting the sniffed signal and analyzing it, the modulation could be determined. The final step was writing a Python script to replay the messages using the RFCat.

The hack is a good combination of software defined radio techniques, ending with a successful attack. Watch a video of the replay attack after the break.

[Read more...]

Verifying A Wireless Protocol With RTLSDR

rtlsdr_nrf905_rtlizer

[Texane] is developing a system to monitor his garage door from his apartment. Being seven floors apart, running wires between the door and apartment wasn’t an option, so he turned to a wireless solution. Testing this wireless hardware in an apartment is no problem, but testing it in situ is a little more difficult. For that, he turned to software defined radio with an RTLSDR dongle.

The hardware for this project is based around a TI Stellaris board and a PTR8000 radio module. All the code for this project was written from scratch (Github here), making it questionable if the code worked on the first try. To test his code, [Texane] picked up one of those USB TV tuner dongles based around the RTL2832U chipset. This allowed him to monitor the frequencies around 433MHz for the packets his hardware should be sending.

After that, the only thing left to do was to write a frame decoder for his radio module. Luckily, the datasheet for the module made this task easy.

[Texane] has a frame decoder for the NRF905 radio module available in his Git. It’s not quite ready for serious applications, but for testing a simple radio link it’s more than enough.

Cracking GSM with RTL-SDR for Thirty Dollars

GSM

Theoretically, GSM has been broken since 2003, but the limitations of hardware at the time meant cell phone calls and texts were secure from the prying ears of digital eavesdroppers and all but the most secret government agencies. Since then, the costs of hardware have gone down, two terabytes of rainbow tables have been published, and all the techniques and knowledge required to listen in on cell phone calls have been available. The only thing missing was the hardware. Now, with a super low-cost USB TV tuner come software defined radio, [domi] has put together a tutorial for cracking GSM with thirty dollars in hardware.

Previous endeavours to listen in and decrypt GSM signals used fairly expensive software defined radios – USRP systems that cost a few thousand dollars a piece. Since the advent of RTL-SDR, the price of software defined radios has come down to about $30 on eBay, giving anyone with a Paypal account the ability to listen in on GSM calls and sniff text messages.

The process of cracking GSM first involves getting the TMSI – Temporary Mobile Subscriber Identifier – a unique ID for each phone in a certain cell. This is done by sending a silent SMS that will send back and acknowledgement an SMS has been received on the victim’s phone, but won’t give the victim any indication of   receiving a message.

From there, the attacker listens to the GSM signals in the cell, receiving bursts attached to a TMSI, and cracking the encrypted stream using 1.6 TB of rainbow tables.

[domi] put up a four-part tutorial series (part 1 above; part 2, part 3, and part 4) that goes over the theory and the actual procedure of cracking text messages and voice calls with a simple USB TV tuner. There are a few limitations; the attacker must be in the same cell as the victim, and it looks like real-time voice decoding isn’t yet possible. Cracking GSM for $30, though, that’s good enough for us.

HackRF, or playing from 30 MHz to 6 GHz

hackrf

Up on Kickstarter, [Michael Ossmann] is launching the HackRF, an inordinately cheap, exceedingly capable software defined radio tool that’s small enough to lose in your laptop bag.

The HackRF was the subject of a lot of interest last time it was on Hackaday – the ability to receive up to 6GHz allows the HackRF to do a lot of very interesting things, including listening in on Bluetooth, WiFi, and 4G networks. Also, the ability to transmit on these frequencies means a lot of very interesting, and quite possibly slightly evil applications are open to anyone with a HackRF. Like the RTL-SDR dongles, the HackRF works with GNU Radio out of the box, meaning all those cool SDR hacks we’ve seen so far will work with this new, more powerful board.

Compared to the USB TV tuner cards that were so popular a year ago, the HackRF has 10 times the bandwidth, is able to receive up to 6GHz, and is also able to transmit. It’s only half-duplex, so to receive and transmit simultaneously you’ll need two HackRFs, or maybe wait for a hardware revision that will hopefully come sooner rather than later.

Below you can check out [Michael]‘s presentation at Toorcon where the HackRF was unleashed to the world.

[Read more...]

Detecting galactic rotation with software defined radio

dish

Last summer in the heyday of software defined radio via USB TV tuners we asked hackaday readers a question: Is anyone using everyone’s favorite method of SDR for radio astronomy? It took nearly a year, but finally there’s an awesome project to turn a USB TV tuner into a radio telescope. It’s from the fruitful mind of [Marcus Leech] (PDF warning), and is good enough to detect the rotation of the galaxy with a three-foot satellite dish.

News of [Marcus]‘ work comes to us from [Carl] over at RTL-SDR.com who has been keeping tabs on the advances of building a radio telescope in a backyard. He’s been collecting a lot of interesting tidbits including this gif showing an arm of the galaxy entering and leaving [Marcus]‘ telescope’s field of view over the course of a few hours.

Not only can [Marcus]‘ telescope record continium measurements – basically, a single-pixel camera sensitive to only one frequency – it can also produce spectral plots of the sky. Combine the ability to measure multiple frequencies at the same time with the Doppler effect, and [Marcus] can measure the rotation of the galaxy with a USB TV tuner. That’s just awesome in our humble opinion.

If you already have an RTL-SDR TV tuner and a largish satellite dish, [Marcus]‘ project should be fairly inexpensive to replicate; the feed assembly is made out of a coffee can, the amplifiers are repurposed satellite television equipment, and all the software – [Marcus]‘ own simple_ra tool for GNU Radio – is open source. Of course with a 3 foot diameter dish, it will be impossible to replicate the data from huge radio telescopes. Still, it’s an impressive piece of work that leaves us searching craigslist for an old C-band dish.

Listening to aircraft transponders with a Raspberry Pi

flight

Last year’s big hack was software-defined radio; a small USB TV tuner that could listen in on radio broadcasts anywhere between 64 and 1200 MHz. This year, it’s all about the Raspberry Pi, so it’s surprising we’re only just now seeing a mashup of these two pieces of hardware. [Corq] is using a Raspi and RTLSDR TV tuner to listen in on aircraft transponders, and getting a whole bunch of data from aircraft flying overhead.

Even though the ADS-B decoder [Corq] is using is written for OS X, he’s reading the data coming from the USB TV tuner over the network with a program called Dump1090. This program allows [Corq] to attach his SDR to a Raspbery Pi and put it somewhere the antenna will get good reception – an attic, or an outdoor weatherproof case – and stream data to his desktop over a WiFi or network connection.

With a USB TV tuner and a Raspberry Pi, [Corq] is able read the tail numbers, altitude, latitude, longitude, speed, heading, and even the type of aircraft currently flying over his house. That’s cool enough, but the fact that he can effectively do this over the Internet makes it a brilliant hardware mashup.

Hackaday Links: March 25, 2013

Illegal, yet impressive

cans

Want a soda? Just grab a robot, shove it in a vending machine, and grab yourself one. This video is incredibly French, but it looks like we’ve got a custom-built robot made out of old printers and other miscellaneous motors and gears here. It’s actually pretty impressive when you consider 16 ounce cans weigh a pound.

UNOBTANIUM

chip

Okay, we got a lot of emails on our tip line for this one. It’s a group buy for a programmable oscillator over on Tindie. Why is this cool? Well, this chip (an SI570) is used in a lot of software defined radio designs. Also, it’s incredibly hard to come by if you’re not ordering thousands of these at a time. Here’s a datasheet, now show us some builds with this oscillator.

Chiptune/keygen music anywhere

keygen

[Huan] has a co-loco’d Raspi and wanted a media server that is available anywhere, on any device. What he came up with is a service that streams chiptune music from your favorite keygens. You can access it with Chrome (no, we’re not linking directly to a Raspberry Pi), and it’s extremely efficient – his RAM usage didn’t increase a bit.

Take it on an airplane. Or mail it.

bomb

[Alex]‘s hackerspace just had a series of lightning talks, where people with 45-minute long presentations try to condense their talk into 10 minutes. Of course the hackerspace needed some way to keep everything on schedule. A simple countdown timer was too boring, so they went with a fake, Hollywood-style bomb. No, it doesn’t explode, but it still looks really, really fake. That’s a good thing.

Printers have speakers now?

nokia

[ddrboxman] thought his reprap needed a nice ‘print finished’ notification. After adding a piezo to his electronics board, he whipped up a firmware hack that plays those old Nokia ringtones. The ringtones play over Gcode, so it’s possible to have audible warnings and notifications. Now if it could only play Snake.

Follow

Get every new post delivered to your Inbox.

Join 92,165 other followers