Reverse Engineering The Nintendo Wavebird

Readers who were firmly on Team Nintendo in the early 2000’s or so can tell you that there was no accessory cooler for the Nintendo GameCube than the WaveBird. Previous attempts at wireless game controllers had generally either been sketchy third-party accessories or based around IR, and in both cases the end result was that the thing barely worked. The WaveBird on the other hand was not only an official product by Nintendo, but used 2.4 GHz to communicate with the system. Some concessions had to be made with the WaveBird; it lacked rumble, was a bit heavier than the stock controllers, and required a receiver “dongle”, but on the whole the WaveBird represented the shape of things to come for game controllers.

Finding the center frequency for the WaveBird

Given the immense popularity of the WaveBird, [Sam Edwards] was somewhat surprised to find very little information on how the controller actually worked. Looking for a project he could use his HackRF on, [Sam] decided to see if he could figure out how his beloved WaveBird communicated with the GameCube. This moment of curiosity on his part spawned an awesome 8 part series of guides that show the step by step process he used to unlock the wireless protocol of this venerable controller.

Even if you’ve never seen a GameCube or its somewhat pudgy wireless controller, you’re going to want to read through the incredible amount of information [Sam] has compiled in his GitHub repository for this project.

Starting with defining what a signal is to begin with, [Sam] walks the reader through Fourier transforms, the different types of modulation, decoding packets, and making sense of error correction. In the end, [Sam] presents a final summation of the wireless protocol, as well as a simple Python tool that lets the HackRF impersonate a WaveBird and send button presses and stick inputs to an unmodified GameCube.

This amount of work is usually reserved for those looking to create their own controllers from the ground up, so we appreciate the effort [Sam] has gone through to come up with something that can be used on stock hardware. His research could have very interesting applications in the world of “tool-assisted speedruns” or even automating mindless stat-grinding.

Bluetooth Gun Safe Cracked By Researchers

Believe it or not, there are quite a few people out there who have purchased gun safes that can be remotely unlocked by Bluetooth. Now we can understand why somebody might think this was a good idea: the convenience of being able to hit a button on your phone and have your weapon available in the heat of the moment is arguably a big selling point for people who are purchasing something like this for home defense. But those with a more technical mind will likely wonder whether the inherent risks of having your firearm (or other valuables) protected by a protocol that often relies on security by obscurity outweigh the convenience of not needing to enter a combination on the keypad.

Well, you can wonder no more, as researchers at [Two Six Labs] have recently published a detailed document on how they managed to remotely unlock the Vaultek VT20i with nothing more exotic than an Ubertooth. In the end, even the Ubertooth wasn’t actually required, as this particular device turned out to be riddled with security issues.

[Two Six Labs] has not publicly released the complete source code of the software demonstrated in their YouTube video for very obvious reasons, but the page on their site does go into fantastic detail on how they uncovered the multiple vulnerabilities that allowed them to write it. Even if you’re not the kind of person who would ever need a gun safe, the information contained in their documentation about analyzing Bluetooth communications is fascinating reading.

It was discovered that the PIN for the safe was actually being transmitted by the accompanying smartphone application in plain-text, which would be bad enough normally. But after further analysis, it became clear that the safe wasn’t even bothering to check the PIN code anyway.

Scripting app interactions with ADB and Python

For extra style points, [Two Six Labs] also show a way to brute force the PIN using the Vaultek Android application by writing a Python script that punches in codes sequentially until it hits on the right one; the developers didn’t even bother to put in limits on failed attempts.

For a device that is ostensibly designed to contain a deadly weapon, the security flaws the team at [Two Six Labs] discovered are absolutely inexcusable. But there is a positive outcome, as the manufacturer has vowed to update the vulnerable safes and make a better effort in the future to more rigorously design and test their Bluetooth implementation. This is the goal of responsible disclosure, and we’re encouraged to see the manufacturer doing the right thing.

The security concerns of Bluetooth controlled locks are well known, so it’s a bit disappointing that devices like this are still slipping through the cracks. We suggest you remain skeptical of any security device utilizing Bluetooth until the industry starts taking things a little more seriously.


Spice Up Your Dice With Bluetooth

There’s no shortage of projects that replace your regular board game dice with an electronic version of them, bringing digital features into the real world. [Jean] however goes the other way around and brings the real world into the digital one with his Bluetooth equipped electronic dice.

These dice are built around a Simblee module that houses the Bluetooth LE stack and antenna along with an ARM Cortex-M0 on a single chip. Adding an accelerometer for side detection and a bunch of LEDs to indicate the detected side, [Jean] put it all on a flex PCB wrapped around the battery, and into a 3D printed case that is just slightly bigger than your standard die.

While they’ll work as simple LED lighted replacement for your regular dice as-is, their biggest value is obviously the added Bluetooth functionality. In his project introduction video placed after the break, [Jean] shows a proof-of-concept game of Yahtzee displaying the thrown dice values on his mobile phone. Taking it further, he also demonstrates scenarios to map special purposes and custom behavior to selected dice and talks about his additional ideas for the future.

After seeing the inside of the die, it seems evident that getting a Bluetooth powered D20 will unfortunately remain a dream for another while — unless, of course, you take this giant one as inspiration for the dimensions.


Bluetooth Speaker In A Bag

[VanTourist] — irked by what he sees as complicated project videos — has demonstrated that you can build a high quality, multi-function Bluetooth speaker inside three hours.

Using simple hand tools — primarily a crimper, wire stripper, razor cutter and some glue — he’s packed this repurposed GoPro accessory bag with quite a bit of tech. The main components are a Bluetooth amplifier with a spiffy knob, and a pair of 15W speakers, but he’s also added a 1W LED flashlight, 1A and 2.1A charging ports, a battery charge monitor display, and pilot cover toggle switches for style points. Despite all that crammed into the bag, there’s still a bit of room left to pack in a few possessions! You can check out the build pictures here, or the video after the break.


A Wireless Webcam Without A Cumbersome Cloud Service

After a friend bought a nannycam that required the use of a cloud service to make the device useful, [Martin Caarels] thought to himself — as he puts it — “I can probably do this with a Raspberry Pi!”

Altogether, [Caarels] gathered together a 4000mAh battery, a Raspberry Pi 3 with a micro SD card for storage, a Logitech c270 webcam, and the critical component to bind this project together: an elastic band. Once he had downloaded and set up Raspbian Stretch Lite on the SD card, he popped it into the Pi and connected it to the network via a cable. From there, he had to ssh into the Pi to get its IP so he could have it hop onto the WiFi.

Now that he effectively had a wireless webcam, it was time to turn it into a proper security camera.


Measuring HF Signal Speeds In A DIY Coaxial Collinear Antenna

Air Traffic Controllers use Automatic Dependent Surveillance-Broadcast (ADS-B) as an alternative to secondary radar to track aircraft. ADS-B messages are transmitted by the aircraft on 1090 MHz and contain information such as GPS position, pressure, altitude, and callsign, among other things; they can be decoded using any of a number of software tools.

[Mike Field] lives near an airport, and decided he wanted to peek into the tracking signals for fun. He turned to an RTL-based TV Dongle. Since the stock antenna was not cutting it, he decided to make one specifically for the 1090 MHz signal. His design is based on Coaxial Collinear Antenna for ADS-B Receiver by [Dusan Balara] which uses pieces of the coaxial cable cut to the right length. There are a number of calculations involved in determining the size of the cable, however, the hack in this design is the way he uses a USB based oscilloscope to measure the speed of RF waves inside the line in question.

We reached out to [Mike], and this is what he had to say. The idea is to use a cable of half the size of the wavelength which is calculated as

λ = c / f

For the best reception, the sections of coax need to be half a wavelength long – but it is the wavelength of the signal inside the coax that matters, and that is shorter than the wavelength in free space. As this was a generic cable he had no idea of the dielectric that separates the core from the shield, so the ‘velocity factor’ could be anything depending on the exact composition.

To determine the speed of the signal in the cable, his approach omits the more expensive equipment. A length of coax acts as a stub – any energy that is sent into the cable reaches the far end of the transmission line and is then reflected back to the source. When the cable is a quarter of a wavelength long, the reflected signal arrives back at the start of the signal 180 degrees out of phase – in a perfect world it would completely null out the input signal.
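The calculation the two measurements feed into, as an added example (not [Mike Field]’s or [Dusan Balara]’s code): derive the cable’s velocity factor either from the echo delay of a pulse on a known length of coax, or from the frequency at which that stub nulls the input, then scale the free-space wavelength at 1090 MHz to get the lengths to cut. The 1.00 m cable, 10.1 ns echo and 49.466 MHz null are constructed sample values.

```python
"""Velocity-factor and element-length calculator for a coaxial collinear antenna.
Added example, not code from the article; all measurements below are constructed."""
from dataclasses import dataclass

C = 299_792_458.0  # speed of light in free space, m/s
ADSB_HZ = 1090e6   # ADS-B downlink frequency named in the article


def velocity_from_round_trip(cable_length_m: float, round_trip_s: float) -> float:
    """Pulse method: a step sent into an open-ended stub is reflected from the far
    end, so the echo delay seen on the scope covers twice the cable length."""
    if cable_length_m <= 0 or round_trip_s <= 0:
        raise ValueError("length and delay must be positive")
    return 2.0 * cable_length_m / round_trip_s


def velocity_from_quarter_wave_null(cable_length_m: float, null_hz: float) -> float:
    """Null method from the article: the reflection comes back 180 degrees out of
    phase when the stub is a quarter wavelength long, so lambda_cable = 4 * L there."""
    if cable_length_m <= 0 or null_hz <= 0:
        raise ValueError("length and frequency must be positive")
    return 4.0 * cable_length_m * null_hz


def velocity_factor(v_m_per_s: float) -> float:
    """Ratio of in-cable speed to c; anything outside (0, 1] means a bad measurement."""
    vf = v_m_per_s / C
    if not 0.0 < vf <= 1.0:
        raise ValueError(f"implausible velocity factor {vf:.3f}: check the measurement")
    return vf


@dataclass
class ElementLengths:
    free_space_wavelength_m: float
    cable_wavelength_m: float
    half_wave_section_m: float
    quarter_wave_stub_m: float


def element_lengths(vf: float, f_hz: float = ADSB_HZ) -> ElementLengths:
    """lambda = c / f in free space; inside the coax the wave is slower, so every
    section is scaled by the velocity factor before cutting."""
    lam0 = C / f_hz
    lam = lam0 * vf
    return ElementLengths(lam0, lam, lam / 2.0, lam / 4.0)


if __name__ == "__main__":
    # Constructed measurement: 1.00 m of unknown coax, echo seen 10.1 ns after the step.
    vf = velocity_factor(velocity_from_round_trip(1.00, 10.1e-9))
    el = element_lengths(vf)
    print(f"velocity factor {vf:.3f}; cut half-wave sections to {el.half_wave_section_m * 1000:.1f} mm")
```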

Minimizing ESP8266 Battery Drain

[Alex Jensen] wanted to build a battery-powered weather station, using an ESP8266 breakout board to connect to WiFi. However, [Alex]’s research revealed that the ESP chip uses around 70mA per hour when the radio is on — meaning that he’d have to change batteries a lot more than he wanted to. He really wanted a low power rig such that he’d only have to change batteries every 2 years on a pair of AAs.

The two considerations would be, how often does the ESP get powered up for data transmissions — and how often the weather station’s ATtiny85 takes sensor readings. Waking up the ESP from sleep mode takes about 16mA — plus, once awake it takes about 3 seconds to reconnect, precious time at 70mA. However, by using a static IP address he was able to pare that down to half a second, with one more second to do the actual data transmission. In addition to the hourly WiFi connection, the Tiny85 must be powered, though its relatively modest 1.5mA per hour doesn’t amount to much, even with the chip awake for 36 hours during the year. All told, the various components came to around 500 mAh per year, so using a pair of AA batteries should keep the rig going for years.
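The budgeting described above, as an added example (not [Alex Jensen]’s code): each phase of the duty cycle is turned into mAh per year and summed, which also shows how much the static IP saves compared with a 3 s DHCP reconnect. The article’s 70 mA, 1.5 mA, 0.5 s / 3 s / 1 s and 36 h figures are used as given; the 20 µA sleep current, the omitted wake-up duration and the 2500 mAh AA capacity are constructed placeholders.

```python
"""Yearly energy budget for a duty-cycled ESP8266 + ATtiny85 sensor node.
Added example, not the article's code; sleep current and AA capacity are placeholders."""
from dataclasses import dataclass
from typing import List

HOURS_PER_YEAR = 365 * 24


@dataclass
class Phase:
    name: str
    current_ma: float
    seconds_per_event: float
    events_per_year: float

    def mah_per_year(self) -> float:
        # mA * s / 3600 -> mAh, times the number of times the phase runs in a year
        return self.current_ma * self.seconds_per_event * self.events_per_year / 3600.0


def yearly_budget_mah(phases: List[Phase]) -> float:
    return sum(p.mah_per_year() for p in phases)


def battery_life_years(capacity_mah: float, phases: List[Phase], usable_fraction: float = 0.8) -> float:
    """Usable fraction accounts for the cell voltage sagging below the regulator's minimum."""
    return capacity_mah * usable_fraction / yearly_budget_mah(phases)


def esp_node(static_ip: bool, sleep_ma: float = 0.02) -> List[Phase]:
    """Hourly WiFi report; the article's 16 mA wake-up figure has no duration, so it is not modelled."""
    reconnect_s = 0.5 if static_ip else 3.0  # article: ~3 s with DHCP, ~0.5 s with a static IP
    return [
        Phase("esp wifi reconnect", 70.0, reconnect_s, HOURS_PER_YEAR),
        Phase("esp data transmit", 70.0, 1.0, HOURS_PER_YEAR),
        Phase("attiny85 awake", 1.5, 3600.0, 36),
        Phase("deep sleep (constructed placeholder)", sleep_ma, 3600.0, HOURS_PER_YEAR),
    ]


if __name__ == "__main__":
    for label, phases in (("static IP", esp_node(True)), ("DHCP", esp_node(False))):
        mah = yearly_budget_mah(phases)
        years = battery_life_years(2500.0, phases)  # constructed 2xAA capacity
        print(f"{label:9s}: {mah:6.1f} mAh/year, ~{years:.1f} years on a pair of AAs")
```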

We’re intrigued by stories of hackers eking out every last drop of power to make their projects work. We’ve posted about the ESP’s low-power mode before, and what can be more low-power than a watch running off a coin cell?