Hacking A Solar Inverter RF Interface

One of the main advantages of cheap wireless modules is that they get used in consumer electronics, so if you know what’s being used you can build your own compatible hardware. While investigating the RF interface used in a series of cheap “smart” solar inverters, [Aaron Christophel] created an Arduino library to receive inverter telemetry using a $2 RF module. See the demonstration after the break.

[Aaron] bought the inverter and the ~40 euro USB “Data Box” that allows the user to wirelessly monitor the status of the inverter. Upon opening the two units, he found that they used LC12S 2.4 GHz modules, which create a wireless UART link. With a bit of reverse engineering, he was able to figure out the settings for the RF modules and the serial commands required to request the status of the inverter. He doesn’t delve into the possible security implications, but there doesn’t appear to be any form of encryption in the link. It should be possible for anyone with a module to sniff the messages, extract the ID of the inverter, and hijack the link. Just knowing the status of the inverter shouldn’t be all that dangerous, but he doesn’t mention what other commands can be sent to the module. Any others could have more severe implications.

Sniffing the wireless signal flashing through the air around us is a regular topic here on Hackaday. From testing the security of WiFi networks with an ESP32 to monitoring SpaceX launches with an SDR, the possibilities are infinite.


Touch Anything And Everything

Powering IoT devices is often a question of batteries or mains power, but in rare exceptions to this rule there is no power supply (PDF Warning). At the University of Wisconsin-Madison and the University of California, San Diego, researchers have gone the extra mile to make advanced backscatter devices, and these new tags don’t need the discrete components we have seen in previous versions. They are calling it LiveTag, and it doesn’t need anything aside from a layer of foil printed or etched on a flexible ceramic-PTFE laminate. PTFE is mostly seen in the RF sector as a substrate for circuit boards.

We have seen some of the wild creations with WiFi backscatter that range from dials to pushbuttons. RF backscatter works by modulating the RF signals in which we are continuously swimming. Those radio waves power the device and disrupt the ambient signals, and that disruption can be detected by a receiver. With a BOM that looks like a statement more than a list, integration with many devices becomes a cost-effective reality. Do not, however, broadcast important data, because you cannot expect much security from backscatter.

[Via IEEE Spectrum]

Classroom Gadget Turned Arduino Compatible

Cheap second-hand hardware is usually a fertile ground for hacking, and by the looks of this project, the digital classroom aids that were all the rage a few years back are no exception. [is0-mick] writes in to tell us how he managed to hack one of these devices, a SMART Response XE, into an Arduboy-compatible game system. As it turns out, this particular gadget is powered by an ATmega128RFA, which is essentially an Arduino-compatible AVR microcontroller with a 2.4 GHz RF transceiver tacked on. This makes it an extremely interesting platform for hacking, especially since they are going for as little as $3 USD on eBay.

There’s no USB-Serial converter built into the SMART Response XE, so you’ll need to provide your own external programmer to flash the device. But luckily there’s a labeled ISP connector right on the board which makes it pretty straightforward to get everything wired up.

Of course, getting the hardware working was slightly more complicated than just flashing an Arduino Sketch onto the thing. [is0-mick] has provided his bootloader and modified libraries to get the device’s QWERTY keyboard and ST7586S controlled 384×160 LCD working.

Playing games is fun, but when his friend [en4rab] sent him the SMART Response XE to fiddle with, the goal was actually to turn them into cheap 2.4 GHz analyzers similar to what was done with the IM-ME. It seems they’re well on their way, and [is0-mick] invites anyone who might be interested in filling in some of the blanks on the RF side to get involved.


Reverse Engineering Quadcopter Protocols

Necessity is the mother of invention, but cheap crap from China is the mother of reverse engineering. [Michael] found a very, very cheap toy quadcopter in his local shop, and issued a challenge to himself. He would reverse engineer this quadcopter’s radio protocol. His four-post series of exploits covers finding the right frequency for the radio, figuring out the protocol, and building his own remote for this cheap toy.

[Michael] was already familiar with the capabilities of these cheap toys after reading a Hackaday post, and the 75-page, four-language manual cleared a few things up for him. The ‘Quadro-Copter’ operated on 2.4 GHz, but the manual did not give any further information. [Michael] didn’t know what channel the toy was receiving on, what data rate it used, or what the header for the transmission was. SDR would be a good tool for figuring this out, but thanks to Travis Goodspeed, there’s a really neat trick that will put a 2.4 GHz nRF24L01+ radio into promiscuous mode, allowing [Michael] to read the transmissions between the transmitter and quadcopter. This code is available on [Michael]’s GitHub.

A needle in an electromagnetic haystack was found and [Michael] could listen in on the quadcopter commands. The next step was interpreting the ones and zeros, and with the help of a small breakout board and soldering directly to the SPI bus on the transmitter, [Michael] was able to do just that. By going through the nRF24 documentation, he was able to suss out the pairing protocol and read the stream of bytes that commanded the quadcopter.

What [Michael] was left with is a series of eight bytes sent in a continuous stream from the transmitter to the toy. These bytes contained the throttle, yaw, pitch, roll, and a ‘flip’ setting, along with three bytes of ‘counters’ that didn’t seem to do anything. With that info in hand, [Michael] took an Arduino Nano, an nRF24L01+ transceiver, and a Wii nunchuck to build his own transmitter. If you’re looking for a ‘how to reverse engineer’ guide, it generally doesn’t get better than this.

You can check out a video of [Michael] flying his Wiimoted quadcopter below.


Reading 2.4GHz Transmitters With An Arduino

There are a lot of cheap quadcopter kits out there, sold ready to fly with a transmitter and battery for right around $50 USD. One of the more popular of these micro quads is the V2X2 series. They are, unfortunately, not compatible with any other radio protocol out there, but [Alexandre] has managed to use the transmitter included with his V202 quad to send data to an Arduino.

Like most quads, the transmitter that came with [Alexandre]’s V202 operates on 2.4 GHz. Listening in on that band required a little bit of hardware, in this case a Nordic Semiconductor nRF24L01+. Attached to this chip is a regular ol’ Arduino running a bit of code that includes [Alexandre]’s V202 library.

Right now, the build can detect if the quad is bound or not, and read the current position of the throttle, yaw, pitch, and roll, as well as all the associated trims. It’s just the beginnings of [Alexandre]’s project, but his eventual goal is to build an Arduino bot based on the code, complete with RC servos. Not bad for a transmitter that will be utterly useless when the microquad eventually breaks.


Viewing CCTV On Every Street Corner

2.4 GHz video transmitters are everywhere these days, in many, many products ranging from baby monitors to CCTV setups. Surprisingly, most owners of these video devices don’t realize they’re transmitting an unencrypted video signal, a belief [Benjamin] hopes to rectify.

[Ben]’s project started with him driving around cities recording unencrypted 2.4 GHz video feeds. His idea has since expanded to include building metal boxes with an LCD display and attaching them to light poles. Think of it as education via technology; most people don’t know these devices are receivable by everybody, and showing them that it is possible is the first step in learning.

If you’re looking for something a little more creepy than a metal box attached to a lamp-post, [Ben] is also the brains behind the Surveillance Video Entertainment Network, an installation (also in van form) that exposes unencrypted 2.4 GHz video transmissions in cities around the world.

You can check out a few intercepted surveillance videos after the break.


PCB Trace Antenna

If you’re working on a device that includes RF wireless, [Colin’s] Guide to PCB Trace Antenna Design might clear some headaches when sending off for PCBs. While it is directed at devices transmitting at 2.4 GHz, the techniques and recommended equipment (read: espresso, Smith charts and network analyzers) should work for almost any frequency. While trace antennas aren’t as easy to implement as a measured wire, the space benefits make up for the difficulty. Unless you don’t mind how large your project is; did someone say cantenna?