Tagged: rtl-sdr

Using RTL_433 to Decode SimpliSafe Home Security Systems

SimpliSafe is an American DIY home security system company that claims over 2 million customers. Their system relies on 433/315 MHz ISM band wireless radio communications between its various sensors, control panels and remote controls. Back in 2016 we already posted about research from Dr. Andrew Zonenberg and Michael Ossmann, who showed that the SimpliSafe wireless communications are unencrypted and can easily be intercepted, decoded, and spoofed. SimpliSafe responded to those concerns by downplaying them and stating that sophisticated hardware would be required.

However, Adam of simpleorsecure.net has now disclosed a security advisory and written a blog post discussing how easy it is to decode SimpliSafe wireless communications with an RTL-SDR and the rtl_433 software. He has also released slides from a recent talk that cover his entire process and findings.

Adam began with some initial manual RF analysis with an RTL-SDR, and later worked with rtl_433 developer Christian Zuckschwerdt to add PiWM demodulation capability, PiWM being the modulation used by SimpliSafe systems. Adam is now able to decode the serial numbers, PIN codes, and status codes transmitted by SimpliSafe sensors and keypads in real time with just an RTL-SDR.

This is very concerning: not only could a burglar easily learn the alarm disarm PIN code, but they could also profile your behavior to find an optimal time to break in. For example, if you arm your alarm before bed and disarm it in the morning, your sleep schedule is being broadcast. It is also possible to determine whether a particular door or window has been left open. With a tuned Yagi antenna Adam was able to receive signals from 200+ feet (60 m) in free space, and 115 feet (35 m) through walls.

In addition to the lack of encryption, Adam also discovered that the SimpliSafe system is susceptible to jamming attacks, and that the tamper detection system can be easily compromised. Adam has disclosed all concerns and findings to SimpliSafe, who are aware of the problems. They assure him that next generation systems will not suffer from these flaws. Unfortunately for current generation owners, the hardware will eventually need to be replaced, as there is no over-the-air update capability.

An RTL-SDR and SimpliSafe KeyPad

A Lightweight Meteor M2 Demodulator

Over on GitHub dbdexter-dev has released a new lightweight and open source Meteor M2 demodulator. Meteor M2 is a Russian weather satellite that transmits images down in the digital LRPT format. This provides much higher resolution images compared to the NOAA APT signals. With an RTL-SDR, appropriate satellite antenna and decoding software it is possible to receive these images.

This new lightweight demodulator may be especially useful for single board PCs like the Raspberry Pi. Previously, GNU Radio based demodulators have been used on Linux, and GNU Radio isn't exactly a lightweight piece of software. To use the software you first need to record an IQ file of the Meteor M2 LRPT signal, downsample the IQ file to 140 kHz (if required), then pass it into the demodulator. This will spit out an 8-bit soft-QPSK file, which can be used with LRPTofflinedecoder (now known as M2_LRPT_Decoder) on Windows or meteor_decoder on Linux to generate an image.

An Example LRPT Image Received with an RTL-SDR from Meteor M2.

Chasing Cubesats on a $25 Budget with an RTL-SDR and Homemade Antenna

Cubesats are small shoebox-sized satellites that are usually designed by universities or amateur radio organizations for basic space experiments or amateur radio communications. Typically they have an orbital lifespan of only 3-6 months.

Cubesats typically transmit signals at around 435 MHz, and they are powerful enough to be received with a simple homemade antenna and an RTL-SDR. To help with this, Thomas N1SPY has created a YouTube video where he shows exactly how to construct a cheap eggbeater antenna made out of a few pieces of copper wire and an SO-239 UHF connector. Later in the video he demonstrates some Cubesats being received with his antenna, an RTL-SDR and the SDR-Console V3 software.

2018: Thomas N1SPY chases mini satellites on a budget

Tzumi MagicTV WiFi TV Tuner Device contains an RTL-SDR, OpenWRT board and Battery for only $13

The Tzumi MagicTV is a device that allows users in the USA to watch TV on an Android phone via free over the air digital ATSC signals. It receives and decodes TV on the device, then streams the decoded TV to an Android phone via a WiFi connection.

Over on Reddit user meowTheKat has alerted everyone to the fact that 'Tzumi MagicTV' devices contain not only an R828D RTL-SDR inside them, but also an AR9331 OpenWRT board and a 3000 mAh battery pack. This means that the device could potentially be used as a portable RTL-SDR server over a WiFi connection without any additional required hardware. And right now is a particularly good time for this discovery to come out, as the device is reportedly selling at a clearance sale price of only $13 at Walmarts across the USA.

OpenWRT is custom open source firmware that is intended to be installed on compatible internet routers. It extends the functionality and stability of many routers. Since OpenWRT is based on Linux, it is possible to use the RTL-SDR on routers running OpenWRT and we have several previous posts about people doing this.

Currently meowTheKat reports that the MagicTV is indeed running OpenWRT, and that SSH is available. The SSH password is unknown, but a colleague of his is currently working on cracking it. Once cracked, it should become possible to install RTL-SDR software on the device. However, there is no word yet on whether the front end has additional filtering specifically for TV signals. If there is additional filtering, those circuits would need to be removed to restore wideband tuning to the RTL-SDR.

Update: From discussion on the Reddit thread it appears that the tuner chip used is not an R828D as first thought, but instead a MXL603/608. This tuner is currently not supported in the RTL-SDR code, but support could probably be added by a developer.

Update 2: Unfortunately it seems that this won't end up going anywhere. In the librtlsdr GitHub issues forum Hoernchen commented:

The tuner is connected to a demod ic, which is connected to the TS input of the rtl2832p, so code is not going to fix the fact that the device is unusable without quite a bit of tricky soldering to reroute the tuner output to the rtl.

The "Tzumi MagicTv" contains an RTL-SDR, OpenWRT Board and Battery Pack.

QuestaSDR Android App now with Remote Network Streaming: RTL-SDR, Airspy, SDRplay Supported

Back in April we posted about QuestaSDR, which had just released the Android version of its SDR software. Recently QuestaSDR programmer 'hOne' wrote in and noted that a new update has enabled remote streaming in QuestaSDR.

To get set up, just run the Windows version of QuestaSDR on a PC and open the "SDR Server" app. Once the server is running, you can connect to it via the Android version of QuestaSDR over a network connection. The server supports the RTL-SDR, Airspy and any ExtIO compatible device such as SDRplay units. As far as we're aware, this is the only Android app that currently supports streaming from non-rtl_tcp-compatible units such as the Airspy and SDRplay.

hOne has been able to run an Airspy at the maximum bandwidth of 10 MSPS through his network connection. He also notes that you can now zoom into the IF spectrum in detail by using the new "IF Spectrum" plugin.

hOne also notes that the streaming feature is currently in beta, and any bugs/suggestions or feedback are welcome.

QuestaSDR Streaming over a network connection with an Airspy
AirSpy windows server, android client LAN Remote

YouTube Talk: Investigating RF Controls with RTL-SDR

During the SANS Pen Test HackFest held back in 2017, Katie Knowles, a security consultant at MWR Infosecurity, gave a very informative talk on how an RTL-SDR can be used to investigate RF signals. The video has recently been uploaded to YouTube and is shown below. In the talk she goes over how to reverse engineer and understand simple RF protocols, like those used by common RF remote controls found in the home. She then goes on to talk about the basics of software like GNU Radio and rtl_433. The talk blurb reads:

Cranes, trains, theme park rides, sirens, and …ceiling fans? Modern RF protocols have made secure wireless communications easier to implement, but there’s still a horde of simpler RF control systems in the wireless world around us.

Lucky for us, the onset of affordable Software Defined Radios (SDRs) means that exploring these devices is easier than ever! In this talk, Katie examines capturing and understanding basic RF control signals from a common household controller with the affordable RTL-SDR so you can start your own investigations.

With a little knowledge of these protocols we can better explain what makes them risky to the environments we assess, practice thinking in the offensive mindset, and have some fun examining the signals around us.

Slides available here.

Signal Safari: Investigating RF Controls with RTL-SDR – SANS Pen Test HackFest 2017

Video Demonstrating C-Band AERO Aircraft Tracking

AERO is essentially the satellite based version of aircraft ACARS. AERO's L-band signals contain short ground to air messages with things like weather reports and flight plans. The C-band signals are the air to ground portion of AERO and are more difficult to receive, as they require an LNB and a large dish. However, they are much more interesting as they contain flight position data, like ADS-B.

Over on YouTube Tomasz Haddad has uploaded a video of C-band AERO being received from the Inmarsat 3 F2 (Atlantic Ocean Region East, AOR-E, 15W) satellite. He uses a 1.80 m motorized satellite dish with a Kaonsat KS-N201G C-band LNB, a Prof 7301 PCI satellite card (to power the LNB) and an RTL-SDR V3. The C-band LNB translates the high C-band frequencies down to L-band, which is receivable with an RTL-SDR. He notes that the LNB drifts quite a lot as it is not frequency stabilized.

With the signals received by his setup he's able to use the JAERO decoding software together with Virtual Radar Server to plot aircraft positions. The plotted aircraft are mostly in the middle of the ocean or in remote areas, which is where C-band AERO is normally used due to the lack of ground ADS-B stations.

Inmarsat 3 F2 15W C Band AERO Reception Using Jaero And Virtual Radar

Creating a Linear Transponder with an RTL-SDR, HackRF and Raspberry Pi

A linear transponder is essentially a repeater that works on a range of frequencies instead of a fixed frequency. For example, a normal repeater may receive at 145 MHz and repeat the signal at 435 MHz. A linear transponder, however, receives a wider bandwidth and adds a set frequency offset to everything it receives. For example, a linear transponder that receives from 145 to 145.5 MHz might receive a signal at 145.2 MHz and translate it up to 435.2 MHz, while another signal received at 145.4 MHz would be translated up to 435.4 MHz. Hence the received frequency maps linearly to the transmitted frequency.

Over on his blog ZR6AIC has shown that it is possible to create a linear transponder using an RTL-SDR for receiving, a Raspberry Pi for processing the signal, and a HackRF for re-transmitting the signal. 2M and 70cm band bandpass filters are also used. For software he uses a GNU Radio flowgraph that simply moves the IQ data from the RTL-SDR to the HackRF.
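As an added example (not ZR6AIC's flowgraph or code), here is a pure-Python model of why passing the IQ samples straight through gives a linear translation: the 2M bandpass filter decides what reaches the receiver, each carrier lands in the baseband at its offset from the RX centre, and re-radiating the unchanged samples around the TX centre moves the whole passband by one fixed offset. The RX/TX centre frequencies, the 1 MSPS rate and the 500 kHz passband are assumptions chosen to match the figures in the text, and the IQ capture is constructed, not recorded.

```python
import cmath
import math

# Constructed parameters for the example; assumptions, not ZR6AIC's settings.
RX_CENTER_HZ = 145_250_000   # RTL-SDR tuned to the middle of the 145.0-145.5 MHz uplink range
TX_CENTER_HZ = 435_250_000   # HackRF tuned to the matching 70cm centre, i.e. a +290 MHz shift
SAMPLE_RATE_HZ = 1_000_000   # IQ rate of the simulated capture
N_SAMPLES = 500              # 500 samples at 1 MSPS -> 2 kHz DFT bins
PASSBAND_HZ = 500_000        # width let through by the 2M bandpass filter ahead of the RTL-SDR

def in_passband(rf_hz):
    """Model the 2M bandpass filter: only 145.0-145.5 MHz reaches the receiver."""
    half = PASSBAND_HZ // 2
    return RX_CENTER_HZ - half <= rf_hz <= RX_CENTER_HZ + half

def synth_iq(uplink_hz):
    """Constructed baseband capture: one unit-amplitude complex tone per uplink
    carrier, placed at (carrier - RX centre) Hz, as the RTL-SDR would deliver it."""
    iq = [0j] * N_SAMPLES
    for f in uplink_hz:
        w = 2 * math.pi * (f - RX_CENTER_HZ) / SAMPLE_RATE_HZ
        for n in range(N_SAMPLES):
            iq[n] += cmath.exp(1j * w * n)
    return iq

def baseband_peaks(iq, threshold=0.5):
    """Plain O(N^2) DFT (no numpy needed); return the offsets in Hz of every bin
    whose normalised magnitude exceeds the threshold. Bins above N/2 are negative offsets."""
    n = len(iq)
    bin_hz = SAMPLE_RATE_HZ / n
    peaks = []
    for k in range(n):
        x = sum(iq[t] * cmath.exp(-2j * math.pi * k * t / n) for t in range(n))
        if abs(x) / n > threshold:
            peaks.append(round((k if k < n / 2 else k - n) * bin_hz))
    return sorted(peaks)

def transponder(uplink_hz):
    """Filter, capture, pass the IQ through untouched, and re-radiate around the TX
    centre: each carrier keeps its offset, so the whole passband shifts by
    TX_CENTER_HZ - RX_CENTER_HZ (145.2 -> 435.2 MHz, 145.4 -> 435.4 MHz)."""
    accepted = [f for f in uplink_hz if in_passband(f)]
    iq = synth_iq(accepted)          # the GNU Radio flowgraph just forwards these samples
    return [TX_CENTER_HZ + off for off in baseband_peaks(iq)]

if __name__ == "__main__":
    print(transponder([145_200_000, 145_400_000, 146_000_000]))
```

The 146.0 MHz carrier in the sample input falls outside the modelled 2M filter and is dropped, while the two in-band carriers come out exactly 290 MHz higher.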

In the video below he demonstrates the linear transponder in action with two handheld radios.

A Linear Transponder made with HackRF, Raspberry Pi and RTL-SDR.
Building a Linear Transponder with Gnu Radio, rtl dongle and hackRF module.