I have a problem. If I go to a swap meet, or even a particularly well stocked yard sale, I feel compelled to buy something. Especially if that something happens to be an oddball piece of electronics. While on the whole I’m a man of few vices, I simply can’t walk away from a good deal; doubly so if it has a bunch of buttons, LEDs, and antennas on it.
Which is exactly how I came into the possession of a Catel CPT300 restaurant paging system for just $20 a few months ago. I do not, as you may have guessed, operate a restaurant. In fact, as many of my meals take the form of military rations eaten in front of my computer, I’m about as far away from a restaurateur as is humanly possible. But I was so enamored with the rows of little plastic pagers neatly lined up in their combination charging dock and base station that I had to have it.
The man selling it swore the system worked perfectly. Even more so after he plugged it in and it didn’t do anything. But appearances can be deceiving, and his assurance that all the pagers needed was a good charge before they’d burst back to life seemed reasonable enough to me. Of course, it hardly mattered. The regular Hackaday reader at this point knows the fate of the CPT300 was to be the same whether or not it worked.
Incidentally, those cute little pagers would not burst back to life with a good charge. They may well have burst into something, but we’ll get to that in a moment. For now, let’s take a look at a gadget that most of us have used at one time or another, but few have had the opportunity to dissect.
If you wanted to name a few things that hackers love, you couldn’t go wrong by listing off vintage console controllers, the ESP system-on-chip platform, and pocket tools for signal capture and analysis. Combine all of these, and you get the ESP32Thang.
At its heart, the ESP32Thang is based around a simple concept – take an ESP32, wire up a bunch of interesting sensors and modules, add an LCD, and cram it all in a NES controller which helpfully provides some buttons for input. [Mighty Breadboard] shows off the device’s basic functionality by using an RFM69HW module to allow the recording and replay of simple OOK signals on the 433 MHz band. This is a band typically used by all sorts of unlicensed radio gear – think home IoT devices, wireless doorbells and the like. If you want to debug these systems when you’re out and about, this is the tool for you.
This is a fairly straightforward build at the lower end of complexity, but it gets the job done with style. The next natural step up is a Raspberry Pi with a full software defined radio attached, built into a Nintendo DS. If you build one, be sure to let us know. This project might serve as some inspiration.
With the wide availability of SPI and I2C modules these days, combined with the ease of programming provided by the Arduino environment, this is a project that just about any hacker could tackle after passing the blinking LED stage. The fact that integrating such hardware is so simple these days is truly a testament to the fact that we are standing on the shoulders of giants.
Most wireless OEM hardware traditionally uses 433MHz OOK modules to exchange information. The encoding and encryption of this data stream are left as a task for the embedded software designer. In most cases, the system can be hacked using a replay attack where an RF packet is recorded and replayed to emulate a valid user. [Gilad Fride] hacked his parking gate using this technique but decided to go the extra mile of connecting it to the internet.
He used an RTL-SDR dongle and ook-decoder by [jimstudt] to sniff out the gate code, and this code was tested using an Arduino. The final implementation was done around an Onion Omega, which talks directly to the RF transmitter module using the fast-gpio binary. Internet connectivity was achieved using the Onion Cloud API, which is used to trigger the execution of code, thereby sending the gate opening signal.
[Gilad Fride] uses the IFTTT Do button to provide a GUI and he demonstrates this in action using an iPhone in the video below. The project can be extended to open garage doors or turn off the lights of your room over the internet.
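The replay weakness described above exists because a fixed-code frame never changes between transmissions. As an added example (not code from the original post or from [Gilad Fride]'s project), this sketch contrasts a fixed-code receiver with one that checks a counter plus a truncated HMAC; the frame layout, key, window size and class names are all assumptions made for illustration.

```python
import hashlib
import hmac
import struct

TAG_LEN = 8   # truncated MAC length in bytes (assumed)
WINDOW = 16   # how far past the last counter a frame may be (assumed)

class FixedCodeReceiver:
    """Fixed-code scheme: any frame equal to the stored code is accepted."""
    def __init__(self, code: bytes):
        self.code = code

    def accept(self, frame: bytes) -> bool:
        return hmac.compare_digest(frame, self.code)

def make_frame(key: bytes, counter: int) -> bytes:
    """Transmitter side: 32-bit counter followed by a truncated HMAC over it."""
    body = struct.pack(">I", counter)
    return body + hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]

class CounterMacReceiver:
    """Accepts a frame only if its MAC verifies and its counter is fresh."""
    def __init__(self, key: bytes, last_counter: int = 0):
        self.key = key
        self.last = last_counter  # must persist across power cycles in practice

    def accept(self, frame: bytes) -> bool:
        if len(frame) != 4 + TAG_LEN:
            return False
        body, tag = frame[:4], frame[4:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):
            return False  # forged or corrupted frame
        (counter,) = struct.unpack(">I", body)
        if not (self.last < counter <= self.last + WINDOW):
            return False  # already-seen (replayed) or implausibly far ahead
        self.last = counter
        return True

def demo() -> dict:
    key = b"constructed-demo-key"     # constructed sample key
    code = b"\xa5\x5a\x3c"            # constructed sample fixed code
    fixed, rolling = FixedCodeReceiver(code), CounterMacReceiver(key)
    frame = make_frame(key, 1)        # one legitimate button press
    return {
        "fixed_first": fixed.accept(code),
        "fixed_replay": fixed.accept(code),      # same bytes work again
        "rolling_first": rolling.accept(frame),
        "rolling_replay": rolling.accept(frame), # same bytes are now stale
        "rolling_next": rolling.accept(make_frame(key, 2)),
    }
```
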
[Nick Touran] wanted to make two Raspberry Pis communicate wirelessly. There are lots of options, but [Nick] used a LASER and a photoresistor, along with Morse code. If you don’t find Morse code fancy enough, you could always refer to it as OOK (on/off keying). The circuit uses a common LASER module and an ordinary photoresistor that varies in resistance based on light. A resistor forms a voltage divider with the photoresistor and an external A/D reads the resulting voltage.
The circuit works, but we couldn’t help but notice a few items. Not all photoresistors are equally sensitive to the same light wavelengths, so for the maximum range you’d want to pick a particular photoresistor. While the analog to digital converter is certainly workable, we couldn’t help but wonder if you couldn’t set up the divider to use the inherent threshold of the Raspberry Pi’s input pins for a simpler circuit. Of course, if you used the same technique with an Arduino, you could use the built-in A/D converter, and the A/D converter is probably easier to get working.
One day, [Samy]’s best friend [Matt] mentioned he had a wireless doorbell. Astonishing. Even more amazing is the fact that anyone can buy a software defined radio for $20, a small radio module from eBay for $4, and a GSM breakout board for $40. Connect these pieces together, and you have a device that can ring [Matt]’s doorbell from anywhere on the planet. Yes, it’s the ultimate over-engineered ding dong ditch, and a great example of how far you can take practical jokes if you know which end of a soldering iron to pick up.
Simply knowing [Matt] has a wireless doorbell is not enough; [Samy] needed to know the frequency, the modulation scheme, and what the doorbell was sending. Some of this information can be found by looking up the FCC ID, but [Samy] found a better way. When [Matt] was out of his house, [Samy] simply rang the doorbell a bunch of times while looking at the waterfall plot with an RTL-SDR TV tuner. There are a few common frequencies tiny, cheap remote controls will commonly use – 315 MHz, 433 MHz, and 900 MHz. Eventually, [Samy] found the frequency the doorbell was transmitting at – 433.8 MHz.
After capturing the radio signal from the doorbell, [Samy] looked at the audio waveform in Audacity. It looked like this doorbell used On-Off Keying, or just turning the radio on for a binary ‘1’ and off for a binary ‘0’. In Audacity, everything the doorbell transmits becomes crystal clear, and with a $4 434 MHz transmitter from SparkFun, [Samy] can replicate the output of the doorbell.
For the rest of the build, [Samy] is using a mini GSM cellular breakout board from Adafruit. This module listens for any text message containing the word ‘doorbell’ and sends a signal to an Arduino. The Arduino then sends out the doorbell code with the transmitter. It’s evil, and extraordinarily over-engineered.
Right now, the ding dong ditch project is set up somewhere across the street from [Matt]’s house. The device reportedly works great, and hopefully hasn’t been abused too much. Video below.
The first generation of The Internet Of Things™ and Home Automation devices are out in the wild, and if there’s one question we can ask it’s, “why hasn’t anyone built a simple cracking device for them?” Never fear, because [texane] has your back with his cheap 433MHz OOK frame cloner.
A surprising number of the IoT and Home Automation devices on the market today use 433MHz radios, and for simplicity’s sake, most of them use OOK encoding. [Texane]’s entry for THP is a simple device with two buttons: one to record OOK frames, and a second to play them back.
Yes, this project can be replicated with fancy software defined radios, but [Texane]’s OOKlone costs an order of magnitude less than the (actually very awesome) HackRF SDR. He says he can build it for less than $20, and with further refinements to the project it could serve as a record and play swiss army knife for anything around 433MHz. Video demo of the device in action below.