Sniffing PH Sensor RF Signals For Feedback Re: Your Esophagus

For about a week [Justin] had a wireless acidity level sensor in his esophagus and a pager-looking RF receiver in his pocket. So he naturally decided to use an RTL-SDR dongle to sniff the signals coming out of him. As most of our Hackaday readers know, these cheap RTL2832U-based DVB-T receivers are very handy when it comes to listening to anything between 50MHz and 1800MHz. [Justin] actually did a great job at listing all the things these receivers can be used for (aircraft traffic monitoring, weather images download, electric meter reading, pacemaker monitoring…).

After some Googling he managed to find his Bravo pH sensor user’s guide and therefore discovered its main frequency and modulation scheme (433.92MHz / ASK). [Justin] then used gqrx and Audacity to manually decode the packets before writing a browser-based tool which uses an audio file. Finally, a few additional hours of thinking allowed him to extract his dear esophagus’ pH value.

Build Your Own Radio Clock Transmitter

Deep in the Colorado foothills, there are two radio transmitters that control the time on millions of clocks all across North America. It’s WWVB, the NIST time signal radio station that sends the time from several atomic clocks over the airwaves to radio controlled clocks across the continent. You might think replicating a 70 kW, multi-million dollar radio transmitter to set your own clock might be out of reach, but with a single ATtiny45, just about everything is possible.

Even though WWVB has enough power to set clocks in LA, New York, and the far reaches of Canada, even a pitifully underpowered transmitter – such as a microcontroller with a long wire attached to a pin PWMing at 60kHz – will be more than enough to overpower the official signal and set a custom time on a WWVB-controlled clock. This signal must be modulated, of course, and the most common radio controlled clocks use an extremely simple amplitude modulation that can be easily replicated by changing the duty cycle of the carrier. After that, it’s a simple matter of encoding the time signal.

The end result of this build is an extremely small one-chip device that can change the time of any remote-controlled clock. We can guess this would be useful if your radio controlled clock isn’t receiving a signal for some reason, but the fact that April 1st is just a few days away gives us a much, much better idea.

Radar Imaging In Your Garage: Synthetic Aperture Radar

Learn why you were pulled over, quantify the stealthiness of your favorite model aircraft, or see what various household items look like at 10 GHz. In this post we will describe the basics of Synthetic Aperture Radar (SAR) imaging, beginning with a historical perspective, showing the state of the art, and describing what can be done in your garage laboratory. Let's image with microwaves!

Hacking Rolling Code Keyfobs

Most keyfobs out there that open cars, garage doors, and gates use a rolling code for security. This works by transmitting a different key every time you press the button. If the keys line up, the signal is considered legitimate and the door opens.

[Spencer] took a look into hacking rolling code keyfobs using low cost software-defined radio equipment. There are two parts to this attack. The first involves jamming the frequency the keyfob transmits on while recording using an RTL-SDR dongle. The jamming signal prevents the receiver from acknowledging the request, but it can be filtered out using GNU Radio to recover the key.

Since the receiver hasn’t seen this key yet, it will still be valid. By replaying the key, the receiver can be tricked. To pull off the replay, GNU Radio was used to demodulate the amplitude shift keying (ASK) signal used by the transmitter. This was played out of a computer sound card into an ASK transmitter module, which sent out a valid key.

ISEE-3: We Get Signal

Out in the depths of space, more than 100 times the distance from the Earth to the moon, there’s a lonely spacecraft gracefully spinning towards an August encounter with our planet. It’s ICE/ISEE-3, a probe long-forgotten by official space agencies. Now, the team dedicated to repurposing this satellite has made contact with this probe using a 20-meter satellite dish in Germany.

When we first heard about the planned communication by volunteers, no one was certain the probe was still alive. It shouldn’t be a surprise this satellite was still functioning; it was launched in 1978, and most of the instruments were still functioning in 2008. Still, this is the first time amateurs – not NASA – have received a signal from the probe.

ICEteam, the group of volunteers dedicated to reviving this spacecraft, used the huge dish at Bochum observatory to detect the 5 Watt carrier signal coming from the spacecraft. That’s all the probe is sending out right now – no data was received – but this is a huge accomplishment and the first step towards directing ICE/ISEE-3 into an orbit around one of the Earth-Sun Lagrange points.

Side note: Looking at the ephemeris data (target -111) I *think* ICE/ISEE-3 will be above the night side of Earth at closest approach. Can anyone confirm that, and does that mean a future mission at L2?

Video from the ICEteam below.

Hacking Radio Controlled Outlets

It’s no surprise that there are a lot of devices out there that use simple RF communication with minimal security. To explore this, [Gordon] took a look at attacking radio controlled outlets.

He started off with a CC1111 evaluation kit, which supports the RFCat RF attack tool set. RFCat lets you interact with the CC1111 using a Python interface. After flashing the CC1111 with the RFCat firmware, the device was ready to use. Next up, [Gordon] goes into detail about replaying amplitude shift keying messages using the RFCat. He used an Arduino and the rc-switch library to generate signals that are compatible with the outlets.

In order to work with the outlets, the signal had to be sniffed. This was done using RTL-SDR and a low-cost TV tuner dongle. By exporting the sniffed signal and analyzing it, the modulation could be determined. The final step was writing a Python script to replay the messages using the RFCat.

The hack is a good combination of software defined radio techniques, ending with a successful attack. Watch a video of the replay attack after the break.

TDOA (Time Difference Of Arrival) Directional Antenna

We have posted articles in the past on directional antennas, such as the Yagi antennas used for transmitter hunting, otherwise known as fox hunting. Those types of antennas and reception suffer from one major drawback: as you get close to the transmitter the S meter will go full scale, at which point the transmitted signal appears to be coming from all directions. To correct for this problem you need to use clever signal attenuators or change to a poor receiving antenna, as well as tuning off frequency, effectively making your receiver hard of hearing so that only the direct path to the transmitter is loudest.

There is another popular type of antenna that you can build yourself called a TDOA, which stands for Time Difference of Arrival. [Byon Garrabrant N6BG] shared a short video tutorial on the functionality of his home built TDOA antenna. Effectively this is an active antenna that uses a 555 chip or, in [Byon’s] case, a PIC chip to quickly shift between two receiving dipole antennas at either end of a shortened yardstick. In his explanation you learn that as the antenna ends move closer to or farther from the source, a 640 Hz generated audio tone will go from loud to very soft as the antennas become equidistant from the source. This type of directional reception is not affected by signal strength. This means you can be very close to a powerful transmitter and it will still function as a good directional antenna.

The current circuit diagram, BOM and source code are all available on [Byon’s] TDOA page.

[Byon] used a programmable PIC instead of the 555 for his design because he wants to add a few more modifications, such as feeding back the audio output to the PIC in order to programmatically turn on a left or right LED indicating the direction of the transmitter. Furthermore, he plans on adding a third antenna in a triangular configuration to programmatically control a circle of 6 LEDs indicating the exact direction of the signal. When he finishes the final modifications he can drive around with the antenna array on his vehicle and the circle of LEDs inside indicating the exact direction to navigate.

We look forward to seeing the rest of the development which might even become a kit someday. You can watch [Byon’s] TDOA video after the break.
