the dongle developed by Marcel, with a USB-A plug on one end and an SMD antenna on the other

Hackaday Prize 2022: House Ventilation Reverse-Engineered And Automated

[Marcel] thought – what if he had more control over his house ventilation system? You could add some nifty features, such as automatically ventilating your house in the mornings when everyone’s away, only creating noise when nobody’s around to hear it. Sadly, most ventilation systems are not automation-friendly at all – he was lucky, however, as his system came with a wireless remote. [Marcel] reverse-engineered this remote, created a USB dongle speaking the same protocol, and tied it into his Home Assistant setup!

The remote in question is the Orcon R15, with an Atmel MCU talking to a CC1101 chip through SPI. He sniffed the SPI communications when pressing different buttons, figured out the protocol by comparing the recordings, and built a test setup with a spare Arduino and CC1101 module. It worked, and he set out to design a separate dongle, using an ATmega32U4. The dongle looks pretty neat, and fits a Hammond enclosure – what’s not to like?

Then he set out to develop the firmware, and didn’t disappoint on that front either. His code doesn’t just imitate the original remote perfectly in terms of control, it also has a user-friendly pairing flow, keeps track of the system’s current state, and still lets the original remote be used in parallel. Eagle files for the PCB are available on the project page, with the code and a PDF schematic available in the GitHub repo. This entire journey is described on the Hackaday.io page, and we would recommend you check it out for all the insights it provides!

Ventilation systems don’t tend to be designed for automation, and it’s endearing to see hackers working on conquering this frontier. The last time we saw a ventilation system hack, it had the additional challenge of being landlord-friendly, and we think the hacker nailed it!

The Evil Crow Is Ready To Cause Some RF Mayhem

There’s no doubt that the RTL-SDR project has made radio hacking more accessible than ever, but there’s only so far you can go with a repurposed TV tuner. Obviously the biggest shortcoming is the fact that you can only listen to signals, and not transmit them. If you’re ready to reach out and touch someone, but don’t necessarily want to spend the money on something like the HackRF, the Evil Crow RF might be your ideal next step.

This Creative Commons licensed board combines two CC1101 radio transceivers and an ESP32 in one handy package. The radios give you access to frequencies between 300 and 928 MHz (with some gaps), and the fact that there are two of them means you can listen on one frequency while transmitting on another, opening up interesting possibilities for relaying signals. With the standard firmware you connect to a web interface running on the ESP32 to configure basic reception and transmission options, but there’s also a more advanced RFQuack firmware that allows you to control the hardware via Python running on the host computer.

Using the Evil Crow RF without a computer.

One particularly nice feature is the series of buttons located down the side of the Evil Crow RF. Since the device is compatible with the Arduino IDE, you can easily modify the firmware to assign various functions or actions to the buttons.

In a demonstration by lead developer [Joel Serna], the physical buttons are used to trigger a replay attack while the device is plugged into a standard USB power bank. There’s a lot of potential there for covert operation, which makes sense, as the device was designed with pentesters in mind.

As an open source project you’re free to spin up your own build of the Evil Crow RF, but those looking for a more turn-key experience can order an assembled board from AliExpress for $27 USD. This approach to hardware manufacturing seems to be getting popular among the open source crowd, with the Open-SmartWatch offering a similar option.

[Thanks to DJ Biohazard for the tip.]

TI EZ430-Chronos Turned Medical Alert Wearable

Long before the current smartwatch craze, Texas Instruments released the eZ430-Chronos. Even by 2010s standards, it was pretty clunky. Its simple LCD display and handful of buttons also limited what kind of “smart” tasks it could realistically perform. But it did have one thing going for it: its SDK allowed users to create a custom firmware tailored to their exact specifications.

It’s been nearly a decade since we’ve seen anyone dust off the eZ430-Chronos, but that didn’t stop [ogdento] from turning one into a custom alert device for a sick family member. A simple two-button procedure on the watch will fire off emails and text messages to a pre-defined list of contacts, all without involving a third party or having to pay for a service contract. Perhaps most importantly, the relatively energy-efficient eZ430 doesn’t need to be recharged weekly or even daily as would be the case for a modern smartwatch.

To make the device as simple as possible, [ogdento] went through the source code for the stock firmware and commented out every function beyond the ability to show the time. With the watch’s menu stripped down to the minimum, a new alert function was introduced that can send out a message using the device’s 915 MHz CC1101 radio.

Messages and recipients can easily be modified.

The display even shows “HELP” next to the appropriate button so there’s no confusion. A second button press is required to send the alert, and there’s even a provision for canceling it should the button be pressed accidentally.

On the receiving side, [ogdento] is using a Raspberry Pi with its own CC1101 radio plugged into the USB port. When the Python scripts running on the Pi pick up the transmission coming from the eZ430, they start working through a list of recipients to send messages to. A quick look at the source code shows it would be easy to provide your own contact list should you want to put together your own version of this system.

We’ve seen custom alert hardware before, but like [ogdento] points out, using the eZ430-Chronos provides a considerable advantage in that it’s a turn-key platform. It’s comfortable to wear, reliable, and fairly rugged. While some would argue against trusting independently developed code for such a vital task, at least the hardware is a solved problem.

A Spectrum Analyzer For The Smart Response XE

Remember the Girl Tech IM-me? It was a hot-pink clearance rack toy that suddenly became one of the hottest commodities in the hacking world when it was discovered it could be used for all sorts of radio frequency shenanigans. Now they go for triple digits on eBay, if you can even find one. Well, we’re probably about to see the same thing happen to the Smart Response XE.

Thanks to the work of a hacker named [ea], this cheap educational gadget is finally starting to live up to the potential we saw in it back when a teardown revealed it was powered by an Arduino-compatible ATmega128RF chip. With a big screen, a decent QWERTY keyboard, and integrated wireless hardware, it seemed obvious that the Smart Response XE was poised to be the next must-have repurposed piece of kit.

Though as it turns out, [ea] isn’t using the device’s built-in wireless hardware. Step one in this exceptionally well documented and photographed project is to tack a CC1101 transceiver module to the SPI pins on the ATmega128RF. Then with the appropriate firmware loaded up, that nice big screen will show you what’s happening on the 300 MHz, 400 MHz and 900 MHz bands.

But the fun doesn’t stop there. With the CC1101-modified Smart Response XE, there’s a whole new world of radio hacks you can pull off. As a proof of concept, [ea] has also included a POCSAG pager decoder. Granted the RTL-SDR has already made pulling pager messages out of the air pretty easy, but there’s something to be said for being able to do it on something so small and unassuming.

If you can’t tell, we’re exceptionally interested in seeing what the community can do with the Smart Response XE. At the time of this writing, the going rate on eBay for a good condition unit looks to be about $10 USD, plus the $3 or so for the CC1101 module. But the prices went through the roof when we first posted about it, so get them cheap while you still can.

[Thanks to bburky for the tip.]

Using SDR To Take Control Of Your Home Security System

[Dan Englender] was working on implementing a home automation and security system, and while his house was teeming with sensors, they used a proprietary protocol which was not supported by the open source system he was trying to implement. The problem with home automation and security systems is the lack of standardization – or rather, the large number of (often incompatible) standards used to ensure consumers get tied in to one specific system. He has shared the result of his efforts at getting the two to talk to each other via his project decode345.

The result enabled him to receive signals from Honeywell’s 5800 series of wireless products and interface them with OpenHAB — a vendor and technology agnostic open source automation software. OpenHAB offers “bindings” that allow a wide variety of systems and hardware to be integrated. Unfortunately for [Dan], this exhaustive list does not yet include support for the (not very popular) 345MHz protocol used by the Honeywell 5800 system, hence his project.