A Honda car behind a gate, with its turn signals shown blinking as it's being unlocked by a portable device implementing the hack in question. Text under the car says "Rolling Pwned".

Unlock Any (Honda) Car

Honda cars have been found to be severely vulnerable to a newly published Rolling PWN attack, letting you remotely open the car doors or even start the engine. So far it’s only been proven on Hondas, but ten out of ten models that [kevin2600] tested were vulnerable, leading him to conclude that all Honda vehicles on the market can probably be opened in this way. We simply don’t know yet if it affects other vendors, but in principle it could. This vulnerability has been assigned CVE-2021-46145.

[kevin2600] goes in depth on the implications of the attack but doesn’t publish many details. [Wesley Li], who discovered the same flaw independently, goes into more technical detail. The hack appears to replay a series of previously valid codes, which resets the internal PRNG counter to an older state and allows the attacker to reuse the known prior keys. Thus, it requires some eavesdropping on previous keyfob-car communication, but this should be easy to set up with a cheap SDR and an SBC of your choice.
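To make the counter rollback concrete, here is an added toy model (not code from the researchers or from any Honda firmware) of a receiver that resynchronizes on a run of stale codes, next to one whose counter only moves forward. The HMAC-based code derivation, the window sizes, the key and the three-in-a-row resync rule are all assumptions chosen for illustration.

```python
import hashlib
import hmac

KEY = b"constructed-demo-key"  # constructed secret for this toy model only

def code_for(counter):
    # Fob side: one-time code derived from a shared key and a counter (assumed scheme).
    return hmac.new(KEY, counter.to_bytes(4, "big"), hashlib.sha256).digest()[:4]

class Receiver:
    def __init__(self, lookahead=16, resync_run=None):
        self.counter = 0              # highest counter accepted so far
        self.lookahead = lookahead    # forward window for missed button presses
        self.resync_run = resync_run  # stale codes in a row that force a resync; None = never
        self.run = []                 # consecutive stale counters seen so far

    def _find(self, code, lo, hi):
        return next((c for c in range(lo, hi)
                     if hmac.compare_digest(code, code_for(c))), None)

    def receive(self, code):
        fresh = self._find(code, self.counter + 1, self.counter + 1 + self.lookahead)
        if fresh is not None:         # normal path: counter only moves forward
            self.counter, self.run = fresh, []
            return True
        stale = self._find(code, 1, self.counter + 1)
        if self.resync_run is None or stale is None:
            self.run = []
            return False              # unknown code, or hardened receiver: reject
        # Flawed path: a run of consecutive stale codes rolls the counter back.
        self.run = self.run + [stale] if self.run and stale == self.run[-1] + 1 else [stale]
        if len(self.run) < self.resync_run:
            return False
        self.counter, self.run = stale, []
        return True

def replay_outcome(resync_run):
    rx = Receiver(resync_run=resync_run)
    captured = [code_for(c) for c in range(1, 6)]   # presses 1..5, recorded earlier
    for code in captured + [code_for(c) for c in range(6, 11)]:
        assert rx.receive(code)                     # legitimate use moves counter to 10
    return [rx.receive(code) for code in captured], rx.counter

if __name__ == "__main__":
    print("resync on stale run:", replay_outcome(3))
    print("monotonic counter:  ", replay_outcome(None))
```

In the flawed receiver the third stale code rolls the counter back from 10 to 3, after which the remaining old codes look fresh again; the monotonic receiver rejects all five and stays at 10.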

If you have one of the models affected, that’s bad news, because Honda probably won’t respond anyway. The researcher contacted Honda customer support weeks ago, and hasn’t received a reply yet. Why customer support? Because Honda doesn’t have a security department to submit such an issue to. And even if they did, just a few months ago, Honda said they will not be doing any kind of mitigation for “car unlock” vulnerabilities.

As it stands, all these Honda cars affected might just be out there for the taking. This is not the first time Honda has been found botching a rolling code implementation – in fact, it’s the second time this year. Perhaps this string of vulnerabilities is just karma for Honda striking down all those replacement part 3D models, but one thing is for sure – they had better create a proper department for handling security issues.

Shielding A Cheap RTL-SDR Stick

Even though not every Hackaday reader is likely to be a radio enthusiast, it’s a fair guess that many of you will have experimented with an RTL-SDR USB dongle by now. These super-cheap devices are intended for digital TV reception and contain an RTL2832 chip, which, with the proper software, can be pushed into service as a general purpose software defined radio receiver. For around $10 USD they’re fantastic value and a lot of fun to play with, even if they’re not the best radio ever. How to improve the lackluster performance? One of the easiest and cheapest ways is simply to shield it from RF noise, which [Alan R] has done with something as mundane as a tubular fizzy orange tablet container.

This is probably one of the simpler hacks you’ll see on this site, as all it involves is making an appropriate hole in the end of the tube and shielding the whole with some aluminium foil sticky tape. But the benefits can be seen immediately in the form of reduced FM broadcast band interference, something that plagues the cheaper dongles.

Perhaps the value in this hack, aside from how easy it is on a cheap dongle, is that it serves to remind us of some of the benefits of paying a little extra for a better quality device. If you’d like to know more about RTL-SDR improvements, it’s a topic we covered in detail back in 2019 when we looked at seven years of RTL-hackery.

Homebrew Radio Telescope Bags Pulsar

When one mulls the possibility of detecting pulsars, to the degree that one does, thoughts turn to large dish antennas and rack upon rack of sensitive receivers, filters, and digital signal processors. But there’s more than one way to catch the regular radio bursts from these celestial beacons, and if you know what you’re doing, a small satellite dish and an RTL-SDR dongle will suffice.

Granted, [Job Geheniau] has had a lot of experience exploring the radio universe. His website has a long list of observations and accomplishments achieved using his “JRT”, or “Job’s Radio Telescope.” The instrument looks like a homebrewer’s dream, with a 1.9-m satellite TV dish and precision azimuth-elevation rotator. Behind the feedhorn are a pair of low-noise amplifiers and bandpass filters to massage the 1,420 MHz signal that’s commonly used for radio astronomy, plus a Nooelec Smart SDR dongle and an Airspy Mini. Everything is run via remote control, as the interference is much lower with the antenna situated at his family’s farm, 50 km distant from his home in The Hague.

As for the pulsar, bloodlessly named PSR B0329+54, it’s a 5-million-year-old neutron star located in the constellation of Camelopardalis, about 3,500 light-years away. It’s a well-characterized pulsar and pulses at a regular 0.71452 seconds, but it’s generally observed with much, much larger antennas. [Job]’s write-up of the observation contains a lot of detail on the methods and software he used, and while the data is far from clear to the casual observer, it sure seems like he bagged it.

We’ve seen quite a few DIY radio astronomy projects before, both large and small, but this one really impresses with what it accomplished.

[via RTL-SDR.com]

VR Spectrum Analyzer

At one point or another, we’ve probably all wished we had a VR headset that would allow us to fly around our designs. While not quite the same thing, [manahiyo831] has something that might even be better: a VR spectrum analyzer. You can get an idea of what it looks like in the video below, although that is actually from an earlier version.

The video shows a remote PC using an RTL dongle to pick up signals. The newer version runs on the Quest 2 headset, so you can simply attach the dongle to the headset. Sure, you’d look like a space cadet with this on, but — honestly — if you are willing to be seen in the headset, it isn’t that much more hardware.

What we’d really like to see, though, is a directional antenna so you could see the signals in the direction you were looking. Now that would be something. As it is, this is undeniably cool, but we aren’t sure what its real utility is.

What other VR test gear would you like to see? A Tron-like logic analyzer? A function generator that lets you draw waveforms in the air? A headset oscilloscope? Or maybe just a giant workbench in VR?

A spectrum analyzer is a natural project for an SDR. Or things that have SDRs in them.

Hacking Toy RC Cars With The HackRF One

The origin story for many who’d call themselves a member of the hacker community usually starts with taking things apart as a child just to see how they worked. For [Radoslav], that trend doesn’t seem to have slowed down, and he’s continued taking toys apart. Although since it’s his daughter’s little radio controlled car, he stuck to a non-destructive teardown. The result? He’s able to control the car with his laptop through a HackRF One SDR transceiver as shown in the video below the break.

[Radoslav] is no stranger to reverse engineering embedded devices, IoT gadgets, and probably more. So he started with what information was publicly available about the radio control interface in use. Many electronic devices sold in the US must be certified by the FCC (Federal Communications Commission) and prominently display their ID number, and this toy was no exception. The FCC database gave [Radoslav] enough information to know that the communication protocol is modulated with GFSK, a type of Frequency Shift Keying.

He fired up his favorite radio signal analysis tool and got to work on the protocol itself. Along the way he found that communication between the car and controller is bidirectional but also very easy to get around. The result is that he can drive the car around with his laptop. It’s definitely a cool hack, but for this one, the journey was surely the goal, not the destination.

If hacking on RC cars really gets your wheels turning, you might like this little RC car that can drive on the ceiling. Or if you’re feeling a bit hungry, check out how you can use the HackRF to nab a table at your local restaurant.

Just In Case You Want To Charge Your Neighbor’s Tesla

Tesla vehicles have a charging port that is under a cover that only opens on command from a charging station. Well, maybe not only. [IfNotPike] reports that he was able to replay the 315MHz signal using a software defined radio and pop the port open on any Tesla he happened to be near.

Apparently, opening the charging port isn’t the end of the world since there isn’t much you can do with the charging port other than charging the car. At least, that we know of. If history shows anything, it is that anything you can get to will be exploited eventually.

The cluster of HackRFs described in the article, boards on top of each other, plugged into two 1x4 RF power splitters that are in turn plugged into a 1x2 RF power splitter. An LNA is connected to the input of the final splitter, and a cable goes off the frame from there.

A Gang Of HackRFs Makes For A Wideband SDR

[Oleg Kutkov] decided to build a wideband SDR – for satellite communication research and monitoring, you know, the usual. He decided on a battery of HackRF boards – eight of them in all, in fact. Two 1×4 and one 1×2 RF splitters and an LNA on their combined RF input made for a good start to the project, and from there, it only got more complex.

HackRF boards can be synchronized with a separate clock source, but you can’t just pull a single clock line to all of them in a star configuration. Thus, he’s built a clock distribution and amplifier board, with 4 ns propagation delay at 1 PPS, and only 10 ns delay at 10 MHz. Then, he integrated that board with the HackRF setup, adding a case, wiring up a purpose-built cable and dealing with the reflections that occurred.

HackRF boards are USB 2.0 and able to generate a stream of data up to 320 MB/s, and there’d be no viable way to aggregate eight 2.0 links into one. To solve that, he’s used eight separate PCI-E to USB 3.0 cards, each of them with one HackRF plugged in, all connected to an AMD Ryzen 9-powered PC through PCI-E risers we typically see used for mining purposes. To tie it all together, he created a gnuradio flowgraph and patched the osmocom source block to enable the external clock synchronization mechanisms he decided to use.

Each HackRF is connected to its own PCIe USB card.

In the end, [Oleg] shows us some promising results – two DVB-S transceivers visible on the waterfall display of the spectrum capture. The work is not over here, to be clear – he’s run into a few roadblocks. The gnuradio flowgraph doesn’t lend itself well to multi-threading, even on a Ryzen 9 machine, and [Oleg] pledged to rewrite the capture mechanisms in C++, where they can be nicely allocated to separate physical CPU cores, something gnuradio is apparently not quite good at.

More importantly, the spectrum captured is not continuous, and [Oleg] questions whether it can be demodulated properly. He had to resort to frequency overlaps due to upsampling, and he’s not quite sure how to compensate for that. Overall frequency stability is also in question. However, from here, it seems like most of the work towards building a wideband receiver is done!

[Oleg] is typically seen on Twitter, lately doing some heavy tinkering with Starlink – as Kyiv, the city he’s currently in, is under bombardment by the Russian Armed Forces. We can only respect and appreciate the dedication. In January, we covered his work on a USA-imported Tesla LTE modem replacement to fix LTE band incompatibilities in Ukraine, and his blog is a treasure trove of experiments that we are yet to properly comb through, from astrophysics and satellite work to RS485 networks and Linux driver writing.