Sniffing Data From Radio-Controlled Bus Stop Displays

A few weeks ago in Finland [Oona] discovered a radio data stream centered around 76KHz in a FM broadcast and she recently managed to decode it. This 16,000bps stream uses level-controlled minimum-shift keying (L-MSK) which detection can be quite tricky to implement. She therefore decoded the stream by treating the received signal as non-coherent binary FSK, which as a side effect increased the bit error probability. [Oona] then understood that the stream she was getting was the data broadcast by Helsinky buses to the nearby bus stop timetable displays. She even got lucky when she observed a display stuck in the middle of its bootup sequence, displaying a version string. This revealed that the system is called IBus and made by the Swedish company Axentia. However their website didn’t provide the specs for their proprietary protocol. After many hours of sniffing and coding, [Oona] successfully implemented the five layer protocol stack in Perl and can now read the arrival times of the nearby buses from her apartment.

63 thoughts on “Sniffing Data From Radio-Controlled Bus Stop Displays

  1. I’m surprised it operates at such a low frequency; 76KHz is longwave. I wonder why it’s like that. Also, I wonder how hard it would be to spoof the signal to display wrong times (or zombie warnings). Not that I’d actually want to do it, but it would probably be easy enough.

      1. agreed. i was just about to post something similar regarding the city’s name. go to google and start typing “H..e..l..s..i..n..” and it’ll automatically finish it with the correct spelling..”Helsinki”.. I’d assume any software they’re writing this blog in would have some form of spell check too… oh well. at least we are here to correct, lol.

  2. The next step would obviously be to transmit signals and take over the displays. The list of possible pranks is endless (and most of which can be done without disruption Sweden’s public transport system).

    1. *Nothing* can be done without disrupting Sweden’s public the transport system, it runs on quantum logic: Three leaves on the tracks will cause the doors to fall off “Snapptoget” or something, somewhere will ;-) Snow is expected -> drivers will fail to turn up -> huge delays, even when the actual snow does not arrive, the expectation is enough to cause the effect.

  3. why would anyone want to read the communications to the display?
    unless the bus service uses the display to charge the bus rate like a taxi and by tampering with the signal to change the rate to get cheap or free rates

    1. So if you’re in your apartment, 5 minutes away from the bus stop, and you get a notification that the bus arrives in 8 minutes, you know that you need to leave within 3 minutes to make it.

    2. Because display shows arrival time based on realtime GPS position of bus. Sometimes bus could be late or early so you can’t trust premade timetables. For some reason this data is not available online, but only on those displays.

  4. In Sweden? Helsinki is the capital of Finland even though the system may have been designed by our neighbors.
    Would be using this if the bus stop were closer to my apartment, thankfully the real-time online tracking system is on its way.

  5. Not that it´d make a big difference but from the article: “Oona Räisänen
    A self-taught signals & electronics hacker from _Helsinki, Finland_. Fond of mysteries, codes and ciphers, and vintage tech.
    ( FI != SE )

    1. The boks looks a lot like the ones that are in bus shelters around Aalborg, Denmark. But often the timetable displayed is the same as the printed sign. So my gues would be that the GPS system is not incorporrated yet.

  6. Since the signal is on top of an FM broadcast could she make an app for a cellphone with an FM radio? Nice to know when the bus is coming when your waiting in the coffee shop during the Helsinki winter.

    1. Actually, it could be done. There is an Android app called “FM TwoO” that, with a Android phone/tablet with FM tuner capability, tune in FM stations to listen to *and* decode RDS data (which is transmitted at a 57 KHz subcarrier on an FM station’s main carrier, just like how the 76 KHz subcarrier of an existing FM station the bus data is transmitted on), as well as custom data sent in the RDS RT field (known as RT+). An app like FMTwoO could be re-written to decode the bus data instead….

  7. Anyone else find it hilarious how so many people are throwing themselves into the comments without reading them to point out the Finland/Sweden mistake? 47 minutes from the first to the last mention of it. Don’t you realise you look pretty silly pointing something out almost an hour after it has already been done?

    1. Apparently, people who know the difference between sweden and Finland don’t like to read comments prior posting. I saw that this post got 40 comments and was curious if it had a sparked discussion going on… nope. Just people repeating the same thing. Bummer.

      1. And I blame the commenting system where it takes ages before the comment actually appears on the page. When I (and I guess other swedes/finns) commented about FI != SE detail, there were but 5 comments visible in the thread.

    1. It’s a city government. I have no idea what the law in Finland is, but they probably have some kind of statutory provision or licensing for governmental use. Whatever the details, chances are this isn’t bus schedules by pirate radio.

    2. this, just like the traffic TMC (using RDS) is done in cooperation with FM radio station. Basically company pays radio station for ability to inject their signal on top of Audio.

      Radio station has all the permits and transmitting equipment.

    3. A long time ago I did something similar by transmitting slow morse using a subaudible tone on a transmitted audio signal…it worked pretty well. I also piggybacked a slow data signal by playing with the timing of another data transmission stream…the very slight timing variations had no effect on the main stream and could be decoded very easily.

      A similar use for using slight timing variations was engineered back in the 80’s and built into fax and modem boards so they could transmit a covert 2nd stream of data.

  8. I just want to know which software she’s using to generate that waterfall display. I’ve been using SDRsharp, but I’ve been having a hard time producing useful data like that with it (lack of expertise, mostly).

  9. Interesting! I believe Transport for London are using iBus to provide location and timetable info. There was a recent documentary which had some info about how it works. The buses have all got GPS tranmitters which report to a central control room. This info goes into a real time scheduling system which is iBus. Some of this info is then sent out to the bus stop displays. Would it make sense to use a low-frequency connection to send to the displays? More robust?

    During the last year the schedule info has also become available by SMS. Each bus stop has a small plate with a number. If you text this to a number which is also shown, you get an immediate reply with the buses expected in the next 20-30 minutes. It has also become available online, and there is an app for SmartPhones!

    I live in Kingston in SW London and since I am retired and have a Bus Pass, I regularly us buses. The Timetable displays are very useful to work out which route I can take.

  10. The IBus system used in London uses GPRS to relay the GPS data and other information from the buses to a central system which calculates predicted times to a certain stop and if a bus is running ahead of schedule or behind. This is then sent out via GPRS again to each Countdown sign at the bus stops. Every bus sends a message every 30 seconds unless an emergency situation occours.

    The system is backed up a PMR MPT radio system for use if the bus loses GPRS connectivity and for voice communication between the controllers and drivers.

    Other older systems then to use PMR radio to send data to the stops and from the buses to the central system, its all very low baud rate unencrypted data with basic checksums.

Leave a Reply

Please be kind and respectful to help make the comments section excellent. (Comment Policy)

This site uses Akismet to reduce spam. Learn how your comment data is processed.