Emulating A Remote Control Ceiling Fan Transmitter In An FPGA

July 4, 2016 by Jenny List 7 Comments

[Joel] has a remote control ceiling fan. It’s nothing special, the controller has a low-power 350MHz transmitter and a Holtek encoder to send commands by keying the transmitter’s output. Desiring something a little better, he set about reverse engineering the device’s protocol and implementing it on a Lattice iCE40 FPGA.

To decode the device’s packets he reached for his RTL-SDR receiver and took a look at it in software. GQRX confirmed the presence of the carrier and allowed him to record a raw I/Q file, which he could then supply to Inspectrum to analyse the packet structure. He found it to be a simple on-off keying scheme, with bits expressed through differing pulse widths. He was then able to create a Gnu Radio project to read and decode them in real time.

Emulating the transmitter was then a fairly straightforward process of generating a 350MHz clock using the on-board PLL and gating it with his generated data stream to provide modulation. The result was able to control his fan with a short wire antenna, indeed he was worried that it might also be doing so for other similar fans in his apartment complex. You can take a look at his source code on GitHub if you would like to try something similar.

It’s worth pointing out that a transmitter like this will radiate a significant amount of harmonics at multiples of its base frequency, and thus without a filter on its output is likely to cause interference. It will also be breaking all the rules set out by whoever the spectrum regulator is where you live, despite its low power. However it’s an interesting project to read, with its reverse engineering and slightly novel use of an FPGA.

Wireless remote hacking seems to be a favorite pastime here in the Hackaday community. We’ve had 2.4GHz hacks and plenty of wireless mains outlet hacks.

The Terrible Devices Of The Internet Of Wrongs

June 15, 2016 by Brian Benchoff 22 Comments

Last week was Bsides London, and [Steve Lord] was able to give a talk about the devices that could pass for either a terrible, poorly planned, ill-conceived Internet of Things Kickstarter, or something straight out of the NSA toolkit. [Steve] built the Internet of Wrongs, devices that shouldn’t exist, but thanks to all this electronic stuff, does.

Continue reading “The Terrible Devices Of The Internet Of Wrongs” →

Identify Your Devices By Their Unintentional Radiation

May 22, 2016 by Elliot Williams 46 Comments

RFID was supposed to revolutionize asset tracking, replacing the barcode everywhere. Or at least that was the prediction once tags got under five cents apiece. They still cost seven to fifteen cents, even in bulk, and the barcode is still sitting pretty. [Chouchang (Jack) Yang] and [Alanson Sample] of Disney Research hope to change that.

Instead of tagging every electronic device, they use whatever electromagnetic emissions the device currently produces when it’s powered up. What’s surprising is not that they can tell an iPhone from a toy lightsaber, but that they can tell the toy lightsabers apart. But apparently there’s enough manufacturing and tolerance differences from piece to piece that they appear unique most of the time.

The paper (PDF) goes through the details and procedure. The coolest bit? The sensor they use is an RTL-SDR unit with the radio-mixer front end removed and replaced with a simple transformer. This lets them feed baseband (tuning from 0 to 28.8 MHz) straight into the ~~DAC~~ ADC and on to the computer which does the heavy math. Sawing off the frontend of a TV tuner is a hack, for those of you out there with empty bingo cards.

If you like statistics, you’ll want to read the paper for details about how they exactly do the classification of objects, but the overview is that they first start by figuring out what type of device they’re “hearing” and then focusing on which particular one it is. The measure that they use ends up being essentially a normalized correlation.

While we’re not sure how well this will scale to thousands of devices, they get remarkably good results (around 95%) for picking one device out of five. The method won’t be robust to overclocking or underclocking of the device’s CPU, so we’re concerned about temperature and battery-voltage effects. But it’s a novel idea, and one that’s ripe for the hacker-rebuild. And for the price of an RTL-SDR, and with no additional per-tag outlay as with an RFID system, it’s pretty neat.

Thanks [Static] for the tip! Via Engadget.

$25 Satellite Tracker Boasts “Usefulness Optional”

May 19, 2016 by Donald Papp 54 Comments

[Paul] is very up-front about the realities of his $25 Satellite Tracker, which aims a tape measure yagi antenna at a satellite of choice and keeps it tracking the satellite as it moves overhead. Does it work? Yes! Is it cheap? Of course! Is it useful? Well… did we mention it works and it’s cheap?

When [Paul] found himself wanting to see how cheaply he could make a satellite tracker he already had an RTL-SDR (which we have seen used for satellite communication before) and a yagi antenna made out of a tape measure, but wanted some way to automatically point the antenna at a satellite as it moved across the sky. He also wanted to see just how economically it could be done. Turns out that with some parts from China and code from SatNOGS (open-source satellite tracking network project and winner of the 2014 Hackaday Prize) you have most of what you need! A few modifications were still needed, and [Paul] describes them all in detail.

So is a $25 Satellite Tracker useful? As [Paul] says, “Probably not.” He explains, “Most people want satellite trackers so that they can put them outside and then control the antenna from inside, which someone probably can’t do with mine unless they live in a really nice place or build a radome. […] Driving somewhere, setting it up correctly (which involves reprogramming the Arduino for every satellite), and then sitting around is pretty much the opposite of useful.”

It might not be the most practical but it works, it’s cool, he learned a lot, and he wrote up the entire process for others to learn from or duplicate. If that’s not useful, we don’t know what is.

Satellite tracking is the focus of some interesting projects. We’ve even seen a project that points out satellite positions by shining a laser into the sky.

Improving The RTL-SDR

March 28, 2016 by Al Williams 29 Comments

The RTL-SDR dongle is a real workhorse for radio hacking. However, the 28.8 MHz oscillator onboard isn’t as stable as you might wish. It is fine for a lot of applications and, considering the price, you shouldn’t complain. However, there are some cases where you need a more stable reference frequency.

[Craig] wanted a stable solution and immediately thought of a TCXO (Temperature Compensated “Xtal” Oscillator). The problem is, finding these at 28.8 MHz is difficult and, if you can find them, they are relatively expensive. He decided to make an alternate oscillator using an easier-to-find 19.2 MHz crystal.

Continue reading “Improving The RTL-SDR” →

Triple Threat RTL-SDR System Reads Trunked Radio

March 7, 2016 by Al Williams 20 Comments

In the old days, if you wanted to listen to police, fire, or other two-way radio users, you didn’t need much more than a simple receiver. Today, you are more likely to need something a little more exotic thanks to the adoption of trunked radio systems. To pick up the control channels and all the threads of a talk group conversation, you might need a wide bandwidth receiver.

[Luke Berndt] found he needed 6 MHz to monitor the stations he wanted to hear. This is easily in the reach of dedicated software defined radios (SDR). However, [Luke] wanted to use cheap RTL-SDRs and their bandwidth is about 2 MHz. The obvious hacker solution? Use three of them!

If you haven’t looked at a trunked system before, it essentially allows a large number of users to share a relatively small number of channels. When someone wants to talk, they move to an unused channel just for that transmission. Suppose Alice asks Bob a question that happens to be on channel 12. Bob’s reply might be on channel 4. A follow up from Alice could be on channel 3.

In practice, this means that receiving the signal isn’t difficult to decode. It is just difficult to find (and follow as it jumps around). This is an excellent job for multiple SDRs and the approach even reduces the burden on the CPU, which doesn’t have to decode signals that aren’t essential to the conversation.

[Luke] includes source code and also notes how to change the serial numbers of the dongles since each has to be unique. We have seen so many great projects with the RTL-SDR that it is hard to choose our favorite. It is especially great knowing that the dongle was only meant to receive television, and all these projects are hacks in the best sense of the word.

Thanks [WA5RRior] for the tip.

Hacking The Internet Of Things: Decoding LoRa

January 31, 2016 by Elliot Williams 20 Comments

Getting software-defined radio (SDR) tools into the hands of the community has been great for the development and decoding of previously-cryptic, if not encrypted, radio signals the world over. As soon as there’s a new protocol or modulation method, it’s in everyone’s sights. A lot of people have been working on LoRa, and [bertrik] at RevSpace in The Hague has done some work of his own, and put together an amazing summary of the state of the art.

LoRa is a new(ish) modulation scheme for low-power radios. It’s patented, so there’s some information about it available. But it’s also proprietary, meaning that you need a license to produce a radio that uses the encoding. In keeping with today’s buzzwords, LoRa is marketed as a wide area network for the internet of things. HopeRF makes a LoRa module that’s fairly affordable, and naturally [bertrik] has already written an Arduino library for using it.

So with a LoRa radio in hand, and a $15 RTL-SDR dongle connected to a laptop, [bertrik] got some captures, converted the FM-modulated chirps down to audio, and did a bunch of hand analysis. He confirmed that an existing plugins for sdrangelove did (mostly) what they should, and he wrote it all up, complete with a fantastic set of links.

There’s more work to be done, so if you’re interested in hacking on LoRa, or just having a look under the hood of this new modulation scheme, you’ve now got a great starting place.