A few weeks ago in Finland, [Oona] discovered a radio data stream centered around 76 kHz in an FM broadcast, and she recently managed to decode it. This 16,000 bps stream uses level-controlled minimum-shift keying (L-MSK), whose detection can be quite tricky to implement. She therefore decoded the stream by treating the received signal as non-coherent binary FSK, which as a side effect increased the bit error probability. [Oona] then understood that the stream she was getting was the data broadcast by Helsinki buses to the nearby bus stop timetable displays. She even got lucky when she observed a display stuck in the middle of its bootup sequence, displaying a version string. This revealed that the system is called IBus and is made by the Swedish company Axentia. However, their website didn’t provide the specs for their proprietary protocol. After many hours of sniffing and coding, [Oona] successfully implemented the five-layer protocol stack in Perl and can now read the arrival times of the nearby buses from her apartment.
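The demodulation shortcut described above can be reproduced on a synthetic signal. The following is an added example, not [Oona]'s Perl code: it treats an MSK signal as non-coherent binary FSK and shows where the extra bit errors come from. It assumes plain MSK without the level control, tones at 76 kHz ± 4 kHz with a 1 on the upper tone, a 256 kHz sample rate and known bit timing.

```python
import cmath
import math
import random

FS = 256_000          # sample rate in Hz (assumption, gives 16 samples per bit)
BITRATE = 16_000      # bit rate stated in the article
FC = 76_000           # subcarrier centre stated in the article
DEV = BITRATE / 4     # MSK modulation index 0.5 -> tones at FC +/- 4 kHz
SPB = FS // BITRATE   # samples per bit

def msk_modulate(bits):
    """Continuous-phase FSK with h = 0.5: 1 -> FC+DEV, 0 -> FC-DEV (mapping assumed)."""
    phase, out = 0.0, []
    for b in bits:
        step = 2 * math.pi * (FC + (DEV if b else -DEV)) / FS
        for _ in range(SPB):
            out.append(math.cos(phase))
            phase += step
    return out

def tone_energy(chunk, freq):
    """Magnitude of the correlation with a complex tone; carrier phase is ignored."""
    acc = sum(s * cmath.exp(-2j * math.pi * freq * n / FS) for n, s in enumerate(chunk))
    return abs(acc)

def demod_noncoherent(samples):
    """Per bit period, pick whichever tone holds more energy (bit timing assumed known)."""
    bits = []
    for i in range(0, len(samples) - SPB + 1, SPB):
        chunk = samples[i:i + SPB]
        bits.append(1 if tone_energy(chunk, FC + DEV) > tone_energy(chunk, FC - DEV) else 0)
    return bits

def bit_errors(n_bits, noise_sigma, seed=1):
    """Send constructed random bits through additive Gaussian noise and count errors."""
    rng = random.Random(seed)
    tx = [rng.getrandbits(1) for _ in range(n_bits)]
    rx = [s + rng.gauss(0, noise_sigma) for s in msk_modulate(tx)]
    return sum(a != b for a, b in zip(tx, demod_noncoherent(rx)))

def leakage():
    """Energy a pure FC+DEV bit leaks into the FC-DEV correlator, relative to its own."""
    chunk = msk_modulate([1])
    return tone_energy(chunk, FC - DEV) / tone_energy(chunk, FC + DEV)

if __name__ == "__main__":
    print("leakage into the wrong tone:", round(leakage(), 2))
    print("errors in 500 bits at sigma=1.0:", bit_errors(500, 1.0))
```

MSK spaces its tones by half the bit rate, which is orthogonal only for a phase-aware detector. The energy detector sees roughly 2/π of each bit in the wrong correlator, so it needs a higher signal-to-noise ratio for the same error rate.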
63 thoughts on “Sniffing Data From Radio-Controlled Bus Stop Displays”
I’m surprised it operates at such a low frequency; 76KHz is longwave. I wonder why it’s like that. Also, I wonder how hard it would be to spoof the signal to display wrong times (or zombie warnings). Not that I’d actually want to do it, but it would probably be easy enough.
It’s not 76KHz RF, it’s 76KHz modulated on top of the broadcast FM.
Ahh, that makes a *lot* more sense.
Come on, admit it! You’d love to troll the passengers and prove your hacking skills…
The data stream is transmitted on a 76 kHz carrier which is added to the normal audio stream that is broadcast on the broadcast FM band (88-108 MHz).
Similar to the way TDS is transmitted on a sideband of a commercial FM station (I believe the author has also decoded TDS)
thanks for clearing that up vpoko :)
(I meant baobrien…)
Why is Sweden mentioned even though she is from Finland?
I don’t think there’s a ‘Helsinky’ in Finland, I might call my friend in Helsinki / Helsingfors to see if he’s ever heard of it.
agreed. i was just about to post something similar regarding the city’s name. go to google and start typing “H..e..l..s..i..n..” and it’ll automatically finish it with the correct spelling..”Helsinki”.. I’d assume any software they’re writing this blog in would have some form of spell check too… oh well. at least we are here to correct, lol.
The next step would obviously be to transmit signals and take over the displays. The list of possible pranks is endless (and most of which can be done without disrupting Sweden’s public transport system).
*Nothing* can be done without disrupting Sweden’s public transport system, it runs on quantum logic: Three leaves on the tracks will cause the doors to fall off “Snapptoget” or something, somewhere will ;-) Snow is expected -> drivers will fail to turn up -> huge delays, even when the actual snow does not arrive, the expectation is enough to cause the effect.
Finland, not Sweden. Helsinki, not Helsinky. However, Axentia really is Swedish :)
Oona is from Finland. The company which has supplied the displays is Swedish.
why would anyone want to read the communications to the display?
unless the bus service uses the display to charge the bus rate like a taxi and by tampering with the signal to change the rate to get cheap or free rates
So if you’re in your apartment, 5 minutes away from the bus stop, and you get a notification that the bus arrives in 8 minutes, you know that you need to leave within 3 minutes to make it.
Because display shows arrival time based on realtime GPS position of bus. Sometimes bus could be late or early so you can’t trust premade timetables. For some reason this data is not available online, but only on those displays.
Yeah, Why isn’t this data freely available online and via text message? Crazy…
Well, if you usually take the bus and you live near the stop it’d be nice to know when it will be actually arriving.
“Because you can.” I think it’s pretty cool to “discover” a signal piggybacking on another, and reverse engineering its purpose. It’s like a crime novel to me….
you could display obligatory PENIS or ZOMBIE ATTACK on the bus stop LCD
It’s a nice challenge as well – the modulation used is not conventional at all.
Helsinki is in Finland. I would have been very surprised if the signal was picked up from Sweden all across the nordic sea :-)
In Sweden? Helsinki is the capital of Finland even though the system may have been designed by our neighbors.
Would be using this if the bus stop were closer to my apartment, thankfully the real-time online tracking system is on its way.
The town is Helsinki, and the country is Finland :)
Not that it´d make a big difference but from the article: “Oona Räisänen
A self-taught signals & electronics hacker from _Helsinki, Finland_. Fond of mysteries, codes and ciphers, and vintage tech.
( FI != SE )
“A self-taught signals & electronics hacker from Helsinki, Finland.”
I think someone was thinking helsinki-syndrome like the anchorman in Die Hard.
FYI it is spelled Helsinki and it is in Finland :)
thanks for the update guys… got mistaken by the Swedish company
Helsinki is in Finland, not Sweden. Just a small ‘joggraffy’ correction.
That’s a fantastic RE job.
BTW, minor detail, is this in Finland or Sweden? Do bus stop signs in other Scandinavian and European countries work similarly?
The box looks a lot like the ones that are in bus shelters around Aalborg, Denmark. But often the timetable displayed is the same as the printed sign. So my guess would be that the GPS system is not incorporated yet.
Does she even ride the bus?
Since the signal is on top of an FM broadcast could she make an app for a cellphone with an FM radio? Nice to know when the bus is coming when you’re waiting in the coffee shop during the Helsinki winter.
no, signal is out of band, but you could make SDR app and plug in RTLSDR into your phone
Actually, it could be done. There is an Android app called “FM TwoO” that, with an Android phone/tablet with FM tuner capability, can tune in FM stations to listen to *and* decode RDS data (which is transmitted on a 57 KHz subcarrier on an FM station’s main carrier, just like the 76 KHz subcarrier of an existing FM station that the bus data is transmitted on), as well as custom data sent in the RDS RT field (known as RT+). An app like FMTwoO could be re-written to decode the bus data instead….
Hey! I’ve always wondered how these systems work. Could anybody into the topic lead me to a few links to start researching?
Here’s a pretty detailed (google translated) article about how the Axentia system works in Stockholm: http://translate.google.com/translate?sl=auto&tl=en&js=n&prev=_t&hl=en&ie=UTF-8&u=http%3A%2F%2Fwww.idg.se%2F2.1085%2F1.528860%2Fnar-kommer-bussen–stadje-granskar-sl-s-teknik%2F
This is an awesome hack no matter the origins!
That is just some incredible work. It shows true talent.
Amazing. It certainly seems much better than the BusTime system that the MTA fabricated here. And it works strangely here, even sporadically. There are only a few locations in the City where it is even shown.
Anyone else find it hilarious how so many people are throwing themselves into the comments without reading them to point out the Finland/Sweden mistake? 47 minutes from the first to the last mention of it. Don’t you realise you look pretty silly pointing something out almost an hour after it has already been done?
Yes. (Idiot blog mechanism first it wants to log in and do it via G+ then it wants via the blog mechanism. Someone needs to make up its mind for it.)
I don’t think it matters which one you connect to neutral.
Apparently, people who know the difference between Sweden and Finland don’t like to read comments prior to posting. I saw that this post got 40 comments and was curious if it had sparked a discussion… nope. Just people repeating the same thing. Bummer.
And I blame the commenting system where it takes ages before the comment actually appears on the page. When I (and I guess other Swedes/Finns) commented about the FI != SE detail, there were but 5 comments visible in the thread.
So this is riding in 88-108 MHz broadcast band? I thought you needed a broadcast permit to use that frequency range. Hmmm …
It’s a city government. I have no idea what the law in Finland is, but they probably have some kind of statutory provision or licensing for governmental use. Whatever the details, chances are this isn’t bus schedules by pirate radio.
It looks like they’re riding on a local commercial station.
this, just like the traffic TMC (using RDS) is done in cooperation with FM radio station. Basically company pays radio station for ability to inject their signal on top of Audio.
Radio station has all the permits and transmitting equipment.
A long time ago I did something similar by transmitting slow morse using a subaudible tone on a transmitted audio signal…it worked pretty well. I also piggybacked a slow data signal by playing with the timing of another data transmission stream…the very slight timing variations had no effect on the main stream and could be decoded very easily.
A similar use for using slight timing variations was engineered back in the 80’s and built into fax and modem boards so they could transmit a covert 2nd stream of data.
I just want to know which software she’s using to generate that waterfall display. I’ve been using SDRsharp, but I’ve been having a hard time producing useful data like that with it (lack of expertise, mostly).
Trying to figure that out too, SpecLab maybe?
she said Audacity, after filtering and downsampling it out of SDR stream
I’m pretty sure the waterfall display is Baudline.
Her mention of Audacity is about the top 2/3 of the picture shown on this page.
In her blog, she regularly uses Baudline.
Interesting! I believe Transport for London are using iBus to provide location and timetable info. There was a recent documentary which had some info about how it works. The buses have all got GPS transmitters which report to a central control room. This info goes into a real time scheduling system which is iBus. Some of this info is then sent out to the bus stop displays. Would it make sense to use a low-frequency connection to send to the displays? More robust?
During the last year the schedule info has also become available by SMS. Each bus stop has a small plate with a number. If you text this to a number which is also shown, you get an immediate reply with the buses expected in the next 20-30 minutes. It has also become available online, and there is an app for SmartPhones!
I live in Kingston in SW London and since I am retired and have a Bus Pass, I regularly use buses. The Timetable displays are very useful to work out which route I can take.
ALL YOUR BUS ARE BELONG TO US
There was a Swedish article about this system in Stockholm, at least I think it is the same system (same company at least).
So for those that read Swedish they can read more here http://techworld.idg.se/2.2524/1.528860/nar-kommer-bussen–stadje-granskar-sl-s-teknik
The IBus system used in London uses GPRS to relay the GPS data and other information from the buses to a central system which calculates predicted times to a certain stop and if a bus is running ahead of schedule or behind. This is then sent out via GPRS again to each Countdown sign at the bus stops. Every bus sends a message every 30 seconds unless an emergency situation occurs.
The system is backed up by a PMR MPT radio system for use if the bus loses GPRS connectivity and for voice communication between the controllers and drivers.
Other older systems tend to use PMR radio to send data to the stops and from the buses to the central system, it’s all very low baud rate unencrypted data with basic checksums.