SDR Toolkit Bends Weather Station To Hacker’s Whims

We probably don’t have to tell most Hackaday readers why the current wave of low-cost software defined radios (SDRs) are such a big deal for hackers looking to explore the wide world of wireless signals. But if you do need a refresher as to what kind of SDR hardware and software should be in your bag of tricks, then this fantastically detailed account from [RK] about how he hacked his La Crosse WS-9611U-IT weather station is a perfect example.

Looking to brush up his radio hacking skills, [RK] set out to use the ADALM-PLUTO software defined radio from Analog Devices to intercept signals between the La Crosse base station and its assorted wireless sensors. He notes that a $20 USD RTL-SDR dongle could do just as well if you only wanted to receive, but since his ultimate goal was to spoof a temperature sensor and introduce spurious data into the system, he needed an SDR that had transmit capabilities.

No matter your hardware, Universal Radio Hacker (URH) is the software that’s going to be doing the heavy lifting. In his write-up, [RK] walks the reader through every step required to find, capture, and eventually decode the transmissions coming from a TX29U wireless temperature sensor. While the specifics will naturally change a bit depending on the device you’re personally looking to listen in on, the general workflow is going to be more or less the same.

In the end, [RK] is not only able to receive the data coming from the wireless sensors, but he can transmit his own spoofed data that the weather station accepts as legitimate. Getting there took some extra effort, as he had to figure out the proper CRC algorithm being used. But as luck would have it, he found a Hackaday article from a couple years back that talked about doing exactly that, which help put him on the right path. Now he can make the little animated guy on the weather station’s screen don a winter coat in the middle of July. Check out the video below for a demonstration of this particular piece of radio prestidigitation.

Demodulating the waveform in Universal Radio Hacker.

While we often see the power of tools like URH brought up in talks, nothing quite beats following along with a step-by-step account of how somebody used software and hardware from the modern hacker’s toolkit to achieve their goals. If reading this post doesn’t make you want to finally pull the trigger on a cheap RTL-SDR and start cruising the airwaves, maybe nothing will.

9 thoughts on “SDR Toolkit Bends Weather Station To Hacker’s Whims

    1. If speaking the truth is wrong I don’t want to be right.

      Nothing wrong with the article it’s the title that I take issue with, using tools someone else created and calling that hacking is misleading and an insult to genuine hackers.

      1. That’s hardly being a script kiddie. He decoded a protocol and replayed it after understanding it.
        Script kiddies use ready made scripts which they barely adapt nor understand. Big difference.

  1. As an Rtl SDR dongle user, and a weather station user I don’t know what to think.
    I don’t think I would be very happy with erroneous data transmitted to my weather receiver! 🤔

  2. Thanks for the encouragement. These weather stations are available in many levels of complexity. Higher end versions put data into the cloud. For example, ACURITE.com Access is a receiver module with an Ethernet connection. While you can keep your data to yourself, once into the Cloud, Wunderground is a useful crowd sourcing destination.

Leave a Reply

Please be kind and respectful to help make the comments section excellent. (Comment Policy)

This site uses Akismet to reduce spam. Learn how your comment data is processed.