If you own one of the ubiquitous RTL-SDR software defined radio receivers derived from a USB digital TV receiver, one of the first things you may have done with it was to snoop on wide frequency bands using the waterfall view present in most SDR software. Since the VHF and UHF bands the RTL covers are sometimes a little devoid of signals, chances are you homed in upon one of the ISM bands used by plenty of inexpensive wireless devices for all sorts of mundane control tasks. Unless you reside in the depths of the wilderness, ISM band sniffing will show a continuous procession of chirps: short bursts of digital data. It is surprising how many radio-controlled devices you weren't aware were in your surroundings.
Some of these devices, such as car security keys, are protected by rolling encryption schemes to deter would-be attackers. But many of the more harmless devices simply send a command in the open without the barest of encryption. The folks at RTL-SDR.com put up a guide to recording these open data bursts on a Raspberry Pi and playing them back by transmitting them from the Pi itself.
It's not the most refined of attacks, because all it does is take the recorded file and retransmit it with the [F5OEO] RPiTX software. But they do demonstrate it in action with a wireless light bulb, a doorbell, a wireless relay, and a remote-controlled switched socket. Since the data in question is transmitted as OOK (on-off keying), the RPiTX AM mode stands in for the transmitter.
You can see it in action in the video below the break. Now, have you investigated the ISM band chirps in your locality?
This isn't the first OOK packet cloning project we've brought you; perhaps you'd like instead to study the data the packets contain.
Thanks [Carl] for the tip.
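To make concrete what "transmitted as OOK" means, and why such devices can be read (and therefore cloned) with nothing more than a recording, here is a small envelope decoder. It is an added example written for this page; it is not code from the original post, from RTL-SDR.com's guide, or from RPiTX. It assumes a constructed pulse-width scheme (a 0 is a short carrier burst followed by a long gap, a 1 the reverse, packets separated by silence) with made-up timings; real remotes use their own timings and framing, so treat the constants as illustrative. The input is a list of envelope magnitudes such as you would get by taking the absolute value of RTL-SDR IQ samples; here the "capture" is synthesised inline so the script runs offline.

```python
"""OOK (on-off keying) bit recovery from a magnitude envelope.

Added example, not code from the original post, RTL-SDR.com or RPiTX.
Assumptions (constructed for this example, not a spec for any device):
every bit is a carrier burst followed by a gap; a 0 is short-on/long-off,
a 1 is long-on/short-off; packets are separated by a long silence.
"""
import random

SAMPLE_RATE = 250_000   # envelope samples per second (constructed)
SHORT_US = 400          # constructed short pulse width, microseconds
LONG_US = 1200          # constructed long pulse width, microseconds
GAP_US = 10_000         # constructed inter-packet silence, microseconds


def _samples(us):
    """Convert a duration in microseconds to a sample count."""
    return round(us * SAMPLE_RATE / 1_000_000)


def encode_ook(bits, seed=1, noise=0.05):
    """Constructed 'capture': envelope samples for one packet plus noise.

    Only used to fabricate test input; a real capture comes from the SDR.
    """
    env = [0.0] * _samples(GAP_US)                 # leading silence
    for b in bits:
        on, off = (LONG_US, SHORT_US) if b else (SHORT_US, LONG_US)
        env += [1.0] * _samples(on)                # carrier on
        env += [0.0] * _samples(off)               # carrier off
    env += [0.0] * _samples(GAP_US)                # trailing silence
    rng = random.Random(seed)                      # deterministic noise
    return [x + rng.gauss(0.0, noise) for x in env]


def run_lengths(levels):
    """Collapse a boolean sequence into (level, run_length) pairs."""
    runs = []
    for lvl in levels:
        if runs and runs[-1][0] == lvl:
            runs[-1][1] += 1
        else:
            runs.append([lvl, 1])
    return [(lvl, n) for lvl, n in runs]


def decode_ook(samples, threshold=None):
    """Slice an envelope into packets of bits.

    Returns a list of packets, each a list of 0/1. There is no key to
    recover: the command is fully determined by pulse timings, which is
    exactly why a recorded burst can simply be played back.
    """
    if threshold is None:
        # Midpoint between the noise floor and the carrier level.
        threshold = (min(samples) + max(samples)) / 2
    runs = run_lengths([s > threshold for s in samples])
    mid = (_samples(SHORT_US) + _samples(LONG_US)) / 2   # short/long split
    gap = _samples(GAP_US) / 2                           # silence => end of packet
    packets, current = [], []
    for lvl, n in runs:
        if lvl:
            current.append(1 if n > mid else 0)          # long burst => 1
        elif n > gap and current:
            packets.append(current)                      # packet boundary
            current = []
    if current:
        packets.append(current)
    return packets


if __name__ == "__main__":
    cmd_on = [1, 0, 1, 1, 0, 0, 1, 0]                    # constructed payload
    capture = encode_ook(cmd_on)
    print("decoded packets:", decode_ook(capture))
```

A capture of several button presses decodes to several identical packets, which is the tell-tale sign of a fixed-code device: if the bits never change between presses, nothing protects the command beyond the obscurity of its timings.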
Cool! I’m thinking: Cheap home automation system using whatever device you want to control. Not just a single brand of outlets, but everything on 433MHz…
lol, just as I'm reading this I'm watching the last tutorial from Great Scott Gadgets on the HackRF, all about capturing and replaying a signal.
I built one of these to listen and 'IoT' anything on the 433 MHz band near me -> https://www.hackster.io/markushaack/smart-home-433mhz-rf-mqtt-gateway-with-some-extras-bbb1ca
Expanded it with a wifi sniffer (MAC proximity) and bluetooth. Ran out of pins to add a 315 MHz radio though… Next iteration perhaps.
Now I can see who rang my doorbell via a push message when I’m not home.
That sounds insanely cool. Can you share how you did this? I love to learn.
Um, this has been covered before, somewhere, probably here? RPiTX has been around for a while.
I’m really surprised the ham police squad hasn’t come and kicked down the door to this post with all the “buh-but the square waves and harmonics! – SPURIOUS EMISSIONS- WHAT ABOUT THE CHILDREN!!!!?” yet.
Having actually used RPiTX in a controlled environment, I was actually surprised at how clean the output was, at least with only the GPIO pin itself acting as the antenna. There was nothing above the noise floor, up or down in frequency, that we saw that would register on an SA or on anything outside of an LNA-amplified receiver sitting right on top of the thing, and most of it was actually just noise from the Pi itself (control test without the RPiTX code installed). Now, if you were to couple the GPIO to any kind of amplification or a wire antenna of the right wavelength without filtering, I'm sure you would get the spurs.
The claim that it won't work beyond a few cm without some kind of antenna attached is not true, at least not in a "clean" environment. An old Radio Shack police scanner used for more of a "real world" test would unsquelch and read loud and clear from a good 20 ft. away on frequency, but on any adjacent frequencies or expected harmonic frequencies there was nothing. Again, this was using no kind of antenna but the GPIO pin itself, and at a frequency that wouldn't match that little antenna!
This was using an audio file transmitting NFM; none of the other modes were tested, so you may get a different result using a digital mode like OOK.