Reverse Engineering with SDR

This webcast was originally published on September 11th, 2019.

In this video, Paul Clark discusses the process of reverse engineering using Software Defined Radio (SDR) technology. The presentation covers the essentials of SDR and how it can be utilized in reverse engineering projects, showcasing the steps involved through a practical example. Viewers gain insights into the technical flow of reverse engineering RF signals, including signal capturing, demodulation, and decoding techniques.

  • SDR (Software Defined Radio) allows for the capture and manipulation of RF signals, facilitating iterative reverse engineering processes.
  • The webinar demonstrates a complete reverse engineering workflow using SDR, from signal discovery to demodulation and decoding.
  • Building custom SDR applications can significantly enhance the analysis and reverse engineering of RF signals.

Transcript

Paul Clark

All right, welcome everyone. This is basically a reverse engineering with SDR presentation. I’m going to spend the next 30, 40 minutes going over kind of an example reverse engineering project.

It’ll be a little bit on the simple side, but hopefully you’ll get something out of it. And I’m going to start off just briefly talking about who I am. I’ve done this on webcasts in the past, so I’m not going to labor that point.

For those of you who have heard it before, I’m going to give a brief talk about why SDR helps in this reverse engineering process, which again, I want to focus on more of the doing in this middle step.

And kind of the third and fourth steps are kind of going to be melded together. I’m going to go through the reverse engineering flow, but rather than just talk about it, I’m going to show inside of GNU Radio what each step looks like.

So then we’ll have time for Q&A at the end, I think. But definitely, Jason is going to feel free to interrupt me as well along the way.

So feel free to ask questions. I’m not going to get shaken or anything by going in and out of question and presentation mode. So this is like I say, the proof that I am an engineer.

Indeed, the thing that I do primarily is consult, teach, and publish books about SDR. You’ll see there’s a dot, dot, dot when it comes to the Field Expedient SDR series.

We are at three volumes right now. We promised a fourth volume a number of years ago and I’ve rewritten that a couple times. We are much closer to getting that out.

So my apologies for those who have been waiting. It is not an empty promise. You will see the book. It’s just a lot of things are conspiring to delay it.

But there’s also a, I hate to get all George R.R. Martin, but I’m thinking about a fifth book and it’s starting to crowd that out a little bit. I’m going to try to keep that from happening.

But I am seeing a fifth book materializing on really how to build good GNU Radio applications and kind of the missing pieces that people really stumble over in trying to do that.

So, if you have any questions about anything you see today, want to talk to me, you can always go to my website, factorialabs.com, where you can get contact links, you can read about what we do.

I’ve got a GitHub as well, which will have some projects on it. I will upload the projects that we worked on today to GitHub, so you’ll be able to see those as well. And just the instruction piece of things.

The Wild West Hackin’ Fest has been a great success every year, in my view. But in 2017, there was some training, and there’s going to be some training again this year. And I’m doing SDR training.

Just got done with some Black Hat training, and I should say 2019, but I also do a lot of private and public training. That’s enough about me. You’re here for the SDR portion, for the reverse engineering flow.

And so, for those of you who haven’t had a chance to read up about SDRs, what they are, what they do, how they help: kind of an oversimplified explanation of SDR is that it’s a way of getting radio signals into your computer.

And, I mean, here’s a physical SDR right here, just so you can see it. It’s connected here via USB to the computer.

USB 3 in this case, and it’s got an antenna, can have multiple antennas because this one has multiple ports. But essentially what’s going on here is this box is allowing us to convert the RF energy, the RF signals, into a form that the computer can use.

It’s also able to reverse that by generating signals mathematically on the computer and then transmitting them through the SDR hardware as well.

So why this is important: there are three major benefits. The first two, field-programmable RF and rapid prototyping, we won’t get into, but the reverse engineering aspect is that it’s really crucial to have the ability to work with your signals, not in a live sense, and you’ll see in the next slide, but to be able to capture signals on the disk and then be able to iteratively attack them, iteratively attempt to demodulate, decode, and otherwise get at the digital data that is contained within those signals.

And so it’s not always clear why SDRs are so crucial and why this ability to capture signals on a disk is so important.

But hopefully, by the end of this, you’ll have kind of a little bit more of an experiential explanation for that, but just in terms of the PowerPoint picture explanation.

Imagine that you have some kind of signal that you’re trying to reverse. Maybe some sort of, if you imagine a situation where you’ve got coded transmissions back in the forties, individuals trying to reverse or break down those signals, they’ve got to work with those live.

Essentially, they have to propose a way to receive those signals, implement them, wait for the signal to come in, and it either works or it doesn’t. And if it doesn’t, that signal is gone.

When you’re dealing with an SDR, you’re able to capture the signal, any noise or any other signals that might be in the vicinity, just in case you’re mistaken about exactly where it’s located or exactly how much bandwidth it takes up.

And then once you’ve got it on disk, you can try things indefinitely. Really, capturing live RF is fundamentally, I think, the most powerful feature of SDR with respect to reverse engineering.

So without getting off into the weeds, I want to show us as much as I can about the actual process of doing this as opposed to marching through PowerPoint slides.

These are the six things that, in general, you’re going to be doing with reverse engineering. First, you’re going to have to find a signal. You’re going to have to tune to it.

We’ll go through that. Then demodulation. That’s kind of the RF version of getting a waveform out of the radio wave.

Then we’re going to, in this case, this will be much simpler in our project, but you’re going to have to find a way to synchronize to the clock, which is a whole ball of wax that I’m going to punt for another day, but I’ll talk about it a tiny bit. Then deframing, essentially figuring out the preamble, if you’re familiar with that term, and then knowing what comes after, and then verifying error correction, which we won’t do today because our system is simple enough.

It doesn’t include that, but we’ll talk about it just a bit. And then mapping bits to functions, figuring out once you’ve actually got data bits, what do they do?

Depending on the situation, that can be the hardest step of all. But it also may be a step that you’re familiar with from having reverse engineered non-RF devices.

So maybe easier, maybe harder. Depends on your perspective. So, first of all, before you can reverse any kind of signal, you have to find it.

You have to know generally what frequency. When I talk about finding it, it’s kind of a two dimensional thing. You need to be able to find it with respect to frequency.

It could be transmitting at all sorts of different frequencies. And until you can detect it, you aren’t going to know. And then it may transmit at all sorts of different timing, right?

Some signals may just transmit constantly. Those are much easier to find. Some may transmit intermittently, but at a regular interval.

For example, the FLEX paging systems that have been attached to a lot of utility systems, kind of just to send the meter readings off to the utility companies, for example, those aren’t transmitting all the time, but they do transmit regularly, which makes them a little easier to find.

In the case of the fob, that’s not a situation where you can expect the button presses and thereby the radio signals to come at any given time.

It’s completely irregular. So in some cases those can be the hardest ones to find. So that’s the search space. We got to figure out where the signal is in frequency when it happens in time.

And then that type of operation is really just, it’s kind of like a hunt, for example. You can make that hunt easier, sort of reduce the number of places that signal might be hiding by thinking about what kind of device it is, what kind of characteristics it has.

And if it’s something where ahead of time you’re trying to find a car key fob, or in this case just a remote control of another type, then you can actually go online and try to do searches via the FCC’s website or whatnot to narrow the solution space and figure out more about where that signal might be hiding.

And then once you’ve gotten your best guesses out of the way, you’ve got to do something like this, which is build a scanner.

What you’re looking at here is one of the simplest GNU Radio flow graphs. And I won’t talk a lot about GNU Radio and how to use it. I want you to primarily understand though that GNU Radio is a way to get SDR data into the computer.

Manipulate that data mathematically such that we can visualize what kinds of radio operations are going on and how to break down those transmissions to get data out of them.

So in this particular case, we have a block called a USRP Source, which is nothing more than an interface to the physical hardware SDR.

And then on the other side I have something called a Frequency Sink. And what this does is it provides a graphical display of the signal energy, with an x-axis equal to frequency.

Now you’ll see in a second. I’ll talk about that File Sink in just a moment. But if I run this flow graph, what we’re looking at here is the current RF energy in my lab between 312.5.

So if I were to press a button here, for example, you’ll see a little spike comes up. Now that spike isn’t always easy to see, so what I can do is select this max hold button and then restart it.

The max hold provides kind of an outline of the highest value that’s gone through there. And then if I hit this spike, or rather if I hit this button here, you can see that we get this spike coming up.

And if I hover my mouse over there, I can see that I’ve got a 315.023 event happening. 315.023 MHz.

Now, I don’t want to dwell on this, I won’t have time to go into every last aspect of these major steps, but the main thing to take away from this is two things really.

One, I know the frequency the signal is transmitting at, and I have a rough estimate of the bandwidth, how wide the signal is in terms of frequency.

Just by looking here, 315.055 and 315.985, I can get a real rough, kind of eyeball estimate that maybe I’m dealing with 60 kilohertz of bandwidth there.

That’s actually an overestimate, but we’ll get into that. If you meet me at Hackin’ Fest, we can get into any of the deep details on any of this stuff.

The reason that I’ve got this File Sink grayed out is this is a way for me to take the data from the SDR and dump it into this file.

I’ve already done that, so I’m not going to do that again right now. But, well, I guess I can, there’s no reason I can’t. If I, well, that was different.

My screen just got a lot smaller. Hopefully it is still visible. I’m running VNC to a Linux machine here, so every once in a while it does something a little squirrely.

So anyhow, if I run, and I’ll just change the file just in case. If I run this flow graph now, what’s going to happen is all of the RF energy that I see on this plot is being dumped to a file.

That means these button presses are going to the file as well as all of the other RF energy that’s not anywhere near the region of that button push.

Can be interesting if you’re curious about other extraneous things that might be going on. But what’s happened now is I have an ability to recreate on disk, without any hardware now, the RF signals generated by these buttons, or by the buttons that I happened to press while that was on, to be more accurate.

So that’s essentially what scanning and finding the signal is all about. I’m going to go back to the keynote at this point and get to the next step, which is tuning.

One way to think about tuning is that it is isolating the signal that you want and throwing away all of the stuff that you don’t want. When we were looking at that frequency plot before, for example, I’m just going to disable this because captured files get really big, really fast and I don’t want to fill up my disk.

But when I press this button, I can see that I’ve got a signal in the vicinity of 315.

And there’s a whole lot of space to the left and to the right that does not contain my signal. All this stuff is essentially noise. It’s not essentially noise.

It is noise. It’s noise due to just the RF environment in here. It’s noise due to the imperfection of the analog and mixed signal components on the SDR.

So we can think of, and if I go back to the max hold here and press a button just so we can have that nice picture.

You can think of tuning as essentially creating a little window like this and preserving everything in that window and then getting rid of everything on either side.

That means we need to know two things to create that. We need to know the frequency, the center of where that window is going to be. And then we need to know how wide that window is going to be, which is essentially the channel width of the tuner that we’re going to create.

Now we have the ability to very quickly and easily create tuners inside of GNU Radio with a block called the frequency translating FIR filter. That does a lot of things.

And I don’t want to go off into the weeds and do a dissertation on how to invoke the taps function. It’s also one of the better documented and better explained blocks online.

Jason Blanchard

Is a smaller spike around 313 significant?

Paul Clark

It is. What happens when you have really low quality electronics and you just get harmonics and random junk? It gets thrown out, but I haven’t played with it a lot. You might be able to find all of the information in the main signal from that.

But yeah, it’s definitely generated by this though. So whoever asked, good eye. Cool. So what I want you to see from this particular flow graph is, look at that, all of that stuff just totally appeared.

All right, so here’s what I want you to see from this flow graph. I am taking information from the file source. And this is just, actually, I can use the file we just captured just to make sure you guys know I’m not cheating here.

This is going to take information from the file that we just captured. The throttle is kind of a bookkeeping thing that we don’t have to get into right now.

First of all, before I do anything, I’m just going to run it into a Frequency Sink just to show you that I’m getting the same thing that I got before.

See that spike? And I’ll put the max hold on just in case. Sometimes, see how the, I’m pointing at the screen like you guys can see me. You see the spike that appears here is the same spike, at the same location, that occurred previously when we were looking at the signals live.

I do have a recreation of the original waveform, which is good, or of the original RF environment. Tuning now becomes a matter of running it through this tuning block here.

Like I said, frequency translating FIR filter. It works in a couple different ways, but essentially it recenters the frequency data at a particular point that you tell it.

And then you are able to do a filter, a filtering operation that removes all of the noise and non useful data on either side of the channel that you’re interested in.

I don’t want to get too deeply into every aspect of this block, but I do want to point out that this frequency variable up here, or this QT GUI Entry, is how I am choosing the center of this tuning channel.

And then the channel width is really just how wide that’s going to be. So I’m attempting to get data at 315 plus 21.

Then I’m trying to get the information centered there, 50k wide. Now if you’ve spent any time working with sample rates and decimation and all that business, you can also tell that I’m reducing the sample rate here to 100 kHz because once I’m looking at a 50 kHz bandwidth signal, I no longer need to oversample as badly as the 4 million samples per second on the input.

If that doesn’t make sense, don’t worry about it.

Jason Blanchard

Christian wanted to know: so if we want to replicate that signal, will we always be based on the highest spike? If so, how can we be sure that we are getting the right signal and not another that could cause noise on our records?

Paul Clark

Well, you don’t, I mean, in a case, in a laboratory environment where you’ve got the ability, oh, there’s a Linux-side thing.

Interesting. Sorry. Trying to multitask here. But when you are in a laboratory environment and you’re essentially taking a signal and just shoving it down the SDR’s throat, you can be pretty sure of when the spikes that you see on the frequency plot are corresponding to the signal that you’re interested in.

If you’ve got a situation where you’re just scanning and monitoring and you don’t know exactly when the signal in question is being generated, then you’ve got to just essentially experiment with it and try to see whether or not you’re getting what you expect or getting something of interest.

I don’t know if that was helpful, but it’s really a trial and error thing.

Jason Blanchard

Sure. What hardware would you suggest for someone starting to dabble in SDR?

Paul Clark

Dabbling? Well, if you’ve got an employer who will spring for one of these, I would definitely recommend these Ettus boards. But they’re also, unfortunately, about $750. So I know that’s not going to be your kind of price point where the average dabbler wants to start.

If it’s their own money, you kind of have some trade-offs. If you really want to just spend a few bucks, you can get an RTL-SDR dongle for about 25 or 30, and you can only receive with those.

You’re gonna have a really high noise floor, but you can get some stuff done. You can play around with things, look at some signals. If you want to go to the point where you’re gonna take over some things, actually transmit some signals, you have a choice.

There’s a little bit of a fork in the road there. If you want something that’s just gonna work, you probably want to get a HackRF, which is gonna be around 300. If you are willing to struggle with some drivers a little bit, not a lot.

I think it’s gotten a lot better. The LimeSDR is a lot cheaper. It’s a pretty high-performing part. It’s just I’ve generally had more trouble getting it working than the HackRF, which is pretty seamless.

Jason Blanchard

Yeah, we had a couple of questions about the HackRF and someone about the LimeSDR side. I feel like you covered that.

Paul Clark

Okay.

Jason Blanchard

And then someone said, what was the $700 device again?

Paul Clark

Oh, this is an Ettus B200 mini. So there are a couple of, the Ettus folks have been doing SDR forever. They are currently owned by National, but there’s still kind of a company within that, or an organization within National Instruments.

And this device is nice because it’s small. The case is pretty sturdy. I’ve never broken one, and I have 16 of them.

I actually use them to teach my classes, and I used to use HackRFs. I decided to move to these six months or so ago, or a few months ago.

And they have multiple ports, so you’ve got two received ports, or one of the ports can be a transmit port, so you can actually do full duplex operation, which is transmitting at the same time you’re receiving, which can be helpful in certain kind of exploits.

But, yeah, highly recommended. But definitely it’s not as cheap as some folks would like, I’m sure. Not as cheap as I would like, honestly. But yeah.

All right, so I think VNC is back. My apologies for that hiccup. But what I was trying to show was, and I’m kind of reticent to stretch that window again because VNC really didn’t like it.

But what you can see here is in the bottom, I had the spike come up, which you can see on the max hold.

And you see it comes up around 315.02. And then the other side of the tuner has a, it’s now centered at 315.02, which hopefully is what we want.

And then you’ll see that the spike is, I like to say, making it through the tuner. The tuner is essentially a gate that is letting only a very small range of frequencies through and getting rid of everything else.

My apologies. That should be in do-not-disturb mode. The upper portion of this display is showing us that we have gotten rid of most of the extraneous noise.

The regions of frequency that we aren’t interested in are no longer there. And we can see the effects of the filter as this noise just sort of tails off on either side. So now I’ve got a situation where on the other side of the tuner, I’ve got much more of my signal relative to the noise than I did before, which is going to be helpful when it comes to the next step.

And that tuning stage, that’s done for analog radios, it’s done for digital radios. That’s going to be done for just about every radio under the sun, which is why in my classes I really do like to focus on some analog techniques before we get into digital stuff.

So, tuning: we found the signal, we’ve tuned to it. Next question is, how do we convert that signal into something digital, something that we can recognize as ones and zeros?

There’s usually a couple stages to that, and I like to think of it from a reverse engineering perspective of you’ve just got one of those gag gifts at Christmas that has like ten boxes and they’re all wrapped up, one within another.

You really essentially are kind of undoing what was done on the transmit side. The transmitter has taken some bits and encoded it in some way and modulated it in some way, sent it out at a particular frequency.

And so the tuner kind of unwraps one stage of that. And then we’re going to build a demodulator that’s going to unwrap sort of the rf part of it. Then we’re going to not build a decoder, but we’ll decode the signal, in this case just by eyesight, and then we’ll work through the rest of it.

But it’s really just kind of a continual peeling back of layers until we can get at those nice juicy bits in the middle. So the next stage of that unwrapping is to demodulate the signal, to take that signal that we’ve tuned and isolated and then get something that won’t be ones and zeros per se, but it will be something that looks digital coming out of it.

And so I’m going to use the same flow graph here because I’ve built kind of the receiver all in one flow graph, and I’m just sort of progressively revealing stages of it here.

But I’m using this Complex to Mag block. There are a couple different things that a person might do to generate a digital signal, in terms of the modulation schemes.

And the modulation schemes you’re going to run into are typically going to be things like on off keying or frequency shift keying or variations of those two.

It’s not impossible to run into a phase-shift-keyed system, but the systems that typically employ phase shift keying, or PSK, are oftentimes more complicated systems that you can attack with SDRs, but you’re typically not going to attack by building stuff from scratch.

You’re typically going to find, software online, whether it’s, GSM or LTE, sort of, tools that will run with your SDR, but they’re typically more complicated than flow graphs you’re going to put together yourself, if that makes sense.

What I want to show you is what happens when I take this signal and run it through this Complex to Mag block.

And all that’s doing is it’s performing a mathematical operation. It’s saying that I have some sort of signal coming in and it is a signal that is complex valued.

And I am going to, talking about signals being complex or not, that gets into a whole mathematical thing that we probably don’t want to talk about right now.

But what I’m going to show you is I’m going to zoom in because you probably can’t see anything yet. But if I zoom in like this, you see that tiny little signal.

This is sort of a raw digital waveform. It hasn’t been cleaned up. So if we look at it, we’re going to see little jagged pieces on it, top and bottom.

But this is showing us that we’ve got something coming in that we’re able to convert from that complex RF waveform to kind of a simple magnitude.

And that simple magnitude essentially traces out what looks like a kind of a digital waveform. And when I say digital looking, what I mean is that it’s got regular timing to it and that it, I’m probably not going to be able to do a stop exactly on it, but I’ll capture it in a minute.

The point though is it’s got regular timing and it mostly goes between two different values, a zero value and a higher value. In this case, that higher value is about, I don’t know, 0.002.

What I want to do is clean that up to where it looks like a nice zero to one valued digital waveform. And I’m going to do that by running it through this add constant followed by a binary slicer.

All this does is it adds a value to every sample coming through. So you can envision that waveform we were just looking at. If I am, for example, if I change this threshold value to put the insert on, that’s great.

To 0.01, all that’s going to do is subtract 0.001 from that waveform and then on the other side you’ll just be able to see that it’s shifted the whole waveform down.

It’s just a simple mathematical operation. And okay, there it is.

All I did was shift it around so it’s centered around zero. Now this binary slicer, all that does is take signals less than zero and make them zero, signals greater than zero and make them one.

It’s just a way to kind of create a binary waveform that’s much cleaner. And so I can show you what that looks like by, oh, I shouldn’t have clicked and dragged for some reason.

Clicking and dragging on that breaks the VNC connection. So let me see if we have any questions again while I am fixing this.

Sure.

Jason Blanchard

This one you may be able to answer, may not be able to answer. Is it true that in some countries the use of SDR is considered illegal, even if it’s just a receiver, like an RTL-SDR?

Paul Clark

I am not aware of that. So typically where it becomes legal or illegal has to do with licensing, and licensing has to do with a couple things.

It has to do with where you’re operating, what you’re doing, and primarily whether or not you’re transmitting.

So it is true. VNC viewer, the primary issue is going to be whether or not you are transmitting and then at what frequencies and what powers you’re transmitting.

So I haven’t heard of receive-mode-only SDR as being illegal anywhere. That doesn’t, I mean, they’re not, I just haven’t heard of that. They’re definitely not illegal in the US for using in receive mode.

Only if you’re using them in transmit mode, then you get into some interesting questions. And I want to start out, that picture was me in a Starfleet uniform, not as a JAG officer, but as an engineer. So I know relatively little about the law.

I’ve looked at the FCC regs, and I’m comfortable enough with respect to how I understand them for my own use. I don’t want to get anyone else in trouble, though, and so I would consult them yourself and verify.

But what typically, if you don’t have any kind of license, no amateur radio license or other commercial license to use a particular set of bandwidth, then you should be looking at the ISM band, the industrial, scientific and medical band, and there is license-free usage of that band if and only if you follow a few guidelines.

And those have to do with transmitting at sufficiently low power, making sure that you’re within the range of frequencies allowed, and transmitting with a sufficiently low duty cycle. And that just means you’re not transmitting all the time.

You’re, for lack of a better word, you’re sending out blips periodically. So familiarize yourself with those, and the laws governing those, whatever country you happen to be in.

And that’s probably as much guidance as I can safely give you, but I would be interested to hear if there’s a country where SDRs are expressly prohibited, especially in a receive-only mode.

That would be interesting.

Jason Blanchard

Everything back up and running.

Paul Clark

Yeah.

Jason Blanchard

All right, we’ll save some questions for the end then.

Paul Clark

So what I’m going to do, I’m actually going to operate this on the other monitor. So what’s going on now is I’ve run through this kind of threshold detector and created a set of signals that are much cleaner.

They’re all going from zero to one. And if you look, the timing is very regular. I’m getting kind of a unit timing where the signal is low for a unit time and then it’s high.

And if I were to actually measure this, and I know because this is actually a critical thing that we’re going to talk about in a second, this 420 or so microsecond number just keeps repeating.

This is 420 microseconds, roughly. This is 420. This is about three times that. Very close to three times that. So everything we see here is some multiple of 420 microseconds.

These are all big giveaways that we’re dealing with some kind of digital signal. And so the next thing we need to do is essentially skip a step, because we’re going to deal with a signal that’s straightforward enough that we’re not going to have to do a formal clock synchronization process, which is good because I usually have to spend a couple hours talking about how to do clock synchronization properly.

And it’s not an easy block to use. It involves pulse shaping filters and a lot of fun stuff that we’re going to skip past because my assertion is that we can take this signal apart and figure out what the bits do without resorting to that.

The next stage though, is going to be, well, where does a particular transmission, we have this nice digital waveform, but where does a particular transmission start and end? Fortunately for this signal, we can see these nice dead spaces between each clump of digital pulses.

What we’re going to want to look for is what kinds of sequences do we see that are common between all of the different button presses? That won’t necessarily be the framing, the preambles, the tails, but it should give us an idea of what the signals are supposed to start with and maybe if they’re supposed to end with a common pattern.

So that’s really what we’re doing with this framing step, is figuring out what do the signals start and end with because that’s typically going to be how these signals are put together. In fact, you’re almost never going to run into a signal without a preamble, which is really just some pattern at the beginning of the waveform that tells you, hey, I’m starting something new.

And so let’s look at, and this time we’re going to look at a live version of the waveform, and I’m going to press different buttons here.

And so that’s one button, there’s another button. And I don’t know if you can tell, but some parts of the waveform are changing.

The beginning is not. And if we were to, and this is a point where honestly, the easiest thing to do sometimes is just to, do a screen cap and print it out and then just start scribbling on the piece of paper.

But if we were to do that, what we would find is that there’s actually eight pairs of short pulses and long pulses that start every one of these transmissions, no matter which one of the four buttons I press on here.

So that is really all there is to detecting the framing of the preamble: figure out what common pattern is starting all of your different waveforms.

In this case, it’s that eight pairs of short long that we just saw. To go back here now.

And I know, this is a pretty simple system. And so I’m going through it, and I’m going through it at a pretty quick pace. The next step though is to figure out, okay, now that I’ve got the starting point of my transmission, the data that comes after it, how do I convert that into ones and zeros?

And you might just think, well, I’ll take all of those, highs and lows that I saw and just say, well, here’s a zero and that’s a longer high period. So I’ll just say that’s three ones, for example.

And you could do that oftentimes. In fact, most of the time what you’re going to find with these RF six systems though, is that they are encoding the data in some way, that they are using a scheme that essentially takes a pattern and that pattern represents a one or a zero.

And those patterns most often fall into a subset of a Manchester encoding or a PWM encoding, a pulse width modulated encoding, where a couple of different periods of this sort of short unit timing period are grouped together to make up a single zero or one.

And so in the case of PWM, which I’m just going to shortcut and tell you that this particular signal that we’re looking at is PWM. What you’re looking at is perhaps a longer pulse correlates to a zero and a shorter pulse correlates to a one.

Or it could be the other way. You don’t know. You kind of. Sometimes when you’re working with these systems, you either have to just try it both ways or sometimes it doesn’t even matter as long as you do your bookkeeping.

Right. So in this particular instance where we’ve got our zeros and ones, I am going to go back and rerun this and just show you again that my zeros.

And this is my definition, because I don’t have the spec that the engineer used to build this. So I’ve just got to go with something. My definition is that something that starts with a short pulse and then has four, or has a period of, sort of a long, low period after it.

I’m going to call that a zero. And I’m going to call this thing that starts with a high pulse and ends with that little short, low period. I’m going to call that a one. So what that means is I’ve got a data bit that goes from here to here.

I’ve got a data bit that goes from here to here. I’ve got a data bit that goes from here to here. I’ve got specifically a one, a zero, a one, a zero. So this is what I’m seeing is a lot of alternating ones and zeros.

In fact, you can see that the preamble is essentially a bunch of alternating shorts and longs, which we could express as a bunch of zeros and ones together.

So I’m still pressing the button. The next step in this process is to really make sense of things. We’ve got a bunch of ones and zeros.

We’re able, and we could, if we had the time, to just take those pieces of paper and scribble down all the ones and zeros and figure out what every bit that was sent from every button is.

And then we could just have a nice bit string that corresponds to each button on here. We can do something a little simpler as well, though, in this case.

But as a general form, this is sort of the art portion of the art and science of reverse engineering. This is where you need to essentially look for patterns and look for commonalities and try to trace them over to the given functionality that you’re observing in the real world that’s corresponding to those individual transmissions and then just try to figure out what’s that bit they’re doing.

And what about that one over there and do multiple bits? Do they work together to create certain behaviors? And so this is something that on a larger project could take you months.

On a shorter project, hopefully not. On this project, it will take even less. So what I want to do though is rather than do this more disciplined, print out four sheets of paper with four different button presses on it.

I’m going to kind of shortcut that a little bit and I just want you to see what happens as I press the A button. Notice how despite all this alternating stuff at the beginning, I do have a bunch of lows and then a couple of long periods and then a zero at the end.

And I’m just going to start calling the short pulse a zero and the long pulse a one. What I have is a bunch of zeros and a couple ones and then a zero at the end. If I press the B button, what you can see is I’ve still got the same number of zeros and ones, but the two ones just move to the left.

If I press the C button, they actually move to the left again, and then the D button, they move to the left again. It turns out that there is a technique in digital engineering called one-hot encoding, where essentially you send four pieces of data and if you want one of the four items to be enabled, then you just simply turn on the corresponding bit.

This is something similar to that, only it’s using two bits at a time. You could call it two-hot encoding, but essentially what that means is if you want to light up the A button, you turn both of these to ones and you leave the rest of them to zero.

If you want to light up the B button, you shift over and turn those two on, and then the C button is those two and the D button is those two.

That’s the sort of the quick and dirty explanation for what the bits do in this particular system. Like I said, this is a very simple system, but it’s the same flow for a more complicated system.

It’s just going to be more involved and a lot more painstaking and time consuming. Now, sometimes you want to stop there because you’re just interested in what data is coming out of the system.

In this case, I just want to take it over. I want to get into a situation where I don’t need this anymore and I can generate my own signals from my SDR to take over this device directly.

So do I even have this thing on? Let’s see. Okay, so I don’t even know if I showed this thing working. I should have done that earlier. But all this does is every time I press a button here, this board that I built turns on an LED corresponding to the button.

So the A button turns on this light at the far, my right, the B button goes over, C button goes over next, and then the D button goes over there.

So, and interestingly enough, once you turn a light on, you actually can’t turn it off again. Like no combination of buttons or no button press or no multiple button presses at the same time will actually make the lights all go off.

It’s an interesting sort of characteristic. You just have to turn the power off. But we’ll actually see how that’s important in a second here. The last thing we’re going to do is build a transmitter to take over the system without needing the fob.

There’s a bunch of ways you can build transmitters that do this kind of thing. Probably the most elegant involves a Python GNU radio companion connection that’s beyond the scope of what we’re doing here today.

But you can actually do quite a bit of Python inside of GNU radio. If you remember your list and tuple operations in Python, you can actually string them together and multiply them to stretch them out and concatenate them with pluses.

There’s a lot of cool things you can do that allow you to build transmitters reasonably powerfully inside of GNU radio, especially for a system like this where we don’t need to do a whole lot.

You can see I’ve built a transmitter here that involves the creation of data. So these vector sources are simply lists or tuples of bits.

This repeat block creates the timing such that each one of those bits occupies 420 microseconds of time. This right here is essentially taking a sine wave and gating it on or off.

I haven’t really talked about what on off keying is, but essentially it’s a sine wave that either is on when you want to signal a one or it’s off when you want to signal a zero. And so this is essentially the transmit modulation.

And then I’m just sending it out to a USRP sink which basically tells the SDR to send that data. And that’s about it.

This is a relatively simple protocol and a relatively simple RF system. What I’ve done with all these variables here is I’ve created building blocks and then I’ve built my digital waveform out of them. You can see I’ve created a variable called one that has a 1110: that’s a long high followed by a short low.

That’s simply the PWM waveform that corresponds to a digital one in my assertion. And then a zero has the short high followed by the longer low period.

And so then I can sort of string them together. You might have remembered that I said earlier that the preamble was simply eight alternating zeros and ones. So Python list manipulation lets me just create that with an eight times zero plus one, concatenating those lists and multiplying it by eight.

And then with the various payloads here I can. Now I’m just going to take this and put it off to the side, not touching it at all.

I won’t try to hang it on there. So just using this, I’m going to turn this on. And just by running this flow graph you can see that button A here is set.

If I run the flow graph and I might have to boost the gain because right now the RF gain is at zero, but I’ll just kind of boost the RF gain up. And once I get to a certain point that light comes on because I’ve now been transmitting the signal corresponding to the A button.

Now I can do that with any of these other buttons by disabling. Oh, that’s interesting how it does that. Disabling the A button, for example, and enabling the C button and then rerunning and then boosting it again.

Now I’m turning on the C button. What’s interesting though is because I have access to the protocol. Now at the most basic level, you recall how the pair of ones would shift along trying to denote whether or not I was pressing button A, B, C or D.

What if I just turn all of those off and make them all zero? And that’s what I do down here in this all off state is I just create.

And in this all off state, the payloads are just all zeros. They’re all those short pulses, they’re all PWM instances of zeros.

And so if I run this, I probably should have just hard coded the RF gain. But if I do this now, I can actually do things that the little key fob won’t even let me do, which, for example, just turns all the lights off.

Or if I want to go and do the very last thing, I can turn off and on any combination of lights now simultaneously, as opposed to the limitations inherent in the fob itself.

So there you can see I got all the lights going off at once. Now that, I know, is sort of a simple demonstration, but hopefully you can see the basic flow.

Ultimately any RF device that you’re going to reverse engineer is going to follow those basic steps. You’re going to have to find some way to locate the signal in time and frequency, you’re going to have to tune it, you’re going to demodulate it, figure out the preamble, how the packets start and stop, figure out the encoding and then figure out what the bits do.

I believe, let me go back here. I believe that that is it. So with my technical glitches I went probably a couple minutes longer than I wanted to, but there is at least still some time for some questions.

Like I said, I gave this information at the beginning or at my website. I do have a Twitter account, there’s not a ton of activity, but I do post every so often. There’s the intro class at the hack invest in October, doing some open classes in Seattle if you’re in the area and are interested.

But that’s pretty much it. Anyone have any questions about all of that?

Jason Blanchard

Sure, we got a couple. How do you detect an encrypted signal?

Paul Clark

How do you detect an encrypted, so if I understand that, that’s probably, how do you determine if the signal that you’ve got is encrypted? And the best way to do that is to get a lot of different copies of that signal, or not copies, but a lot of different transmissions from a given signal, and then run some statistical analysis on that.

Most encryption algorithms will produce a set of data that looks pseudo random. So mathematically what that means is the encrypted bits, over many, many different transmissions, are going to look like they’re on half the time or off half the time.

That is, encrypted data fields typically have what I would call a 50% bit probability. So if you have 1000 transmissions and then you just write some code to analyze what the probability of that bit being a one or a zero is, you’ll probably see something close to 50 for an encrypted field.

What’s tough though is CRCs also have a pseudo random capability. So if you have some error correction and a CRC is involved, you could also see a 50% kind of situation.

So again trial and error.

Jason Blanchard

What exactly is modulation?

Paul Clark

Well, modulation, exactly, is the modification of some physical characteristic to convey information.

So specifically what that means is, in the case that I showed you, for example, the, you can see the.

Now, I’m going to need a time sync for this. Let me just do this. Actually, this only takes a second.

If I were to, to drop this down here and just look at the output of my tuned signal, what I am going to see, hopefully, let’s see, it should be here.

I might have to zoom in to see it is these sinusoidal waveforms.

And I’m sorry to give people bad flashbacks to trigonometry, but these nice smooth up and down waveforms are kind of coming and going. In the simplest form, which is going to be this on off keying that we’re looking here, the modulation is going to take the form of changing the amplitude or modulating the amplitude such that it’s either on some value, let’s say one or off zero.

So you’re modulating the amplitude of that waveform. By amplitude, I just mean the size of it. Bigger waveforms in an amplitude modulation system or bigger input signals create a bigger output sinusoid, smaller input signals create a smaller output sinusoid.

And in the case of a digital signal, you just have the big and the non existent. And so you see, you either have the sine wave, sort of like the carrier with some caveats or nothing.

So that’s what modulation is here. There are other types of modulations where instead you change the frequency instead of the size of the waveform. And so the squiggles get faster or more compacted or stretched out, more slow, more low frequency.

So that’s. Yeah, the 25 sentence modulation description, if that helps. Next?

Jason Blanchard

Let’s see. Are there any devices you’d recommend to start with for basic analysis? In your example, it’s been the key fob plus receiver.

Paul Clark

Yeah, I mean, start with what you’ve got lying around. I would say that if you play around with your car key fob, you’re going to see some, it’s not quite encryption, but it’s similar.

You’re going to see some rolling codes that make it hard to do every last, to really be able to tear it apart completely and then generate any kind of arbitrary unlock sequence for a car, that’s more of a complex problem than people realize.

But, just getting to the point where you can get a digital waveform from your car key fob is usually a fun task. Other things that you might do is you got little wireless weather stations in houses.

Those often use sort of open, fairly simple protocols that you can capture with SDR and play around with. And you’ll see examples of that online.

You can get into a little bit more complicated things like the FLEX pagers or the POCSAG pagers, whether it’s the restaurant coasters or the utility stuff on the side of your house, that’s going to require either using code that somebody’s put together for SDR.

So it’s less of what we did today and more of using open source code to do the work. Tire pressure monitor stuff is fun.

If you want to sit by the side of the road and build a system that scans the 315 or so megahertz signals coming off of TPM signals and see if you can fingerprint cars and whatnot, that could be fun.

Yeah, that’s a trickier one just because you’re not as close and those things only transmit every 30 seconds or so. But if enough cars are going through, you’ll get something.

Jason Blanchard

For the signal source. Does it have to be cosine or could it be constant or sine?

Paul Clark

It can’t be constant, but it could be sine, cosine, sine. In an amplitude modulated signal, phase doesn’t really matter that much. And a cosine and a sine are just 90 degrees shifted from each other.

Again, sorry for the trigonometry flashbacks, but that’s kind of a really, a key point though is that all that’s going on in that GNU radio flow graph is a bunch of math operations. So it’s just this really cool fact that you can, we have so much ridiculous horsepower on our desktops now, almost every cycle of which just is not used because computers are almost never pushed to their limits anymore.

But we can just use them as a really overpowered DSP chip essentially. And we’re able to do all this cool stuff and it keeps getting easier every year.

Jason Blanchard

So we’re pretty much out of time. But I have one last question. Can you recommend any tutorial guides on how to get started with GNU radio where one will build something like you showed us with the LED board?

Paul Clark

Well, building the LED board, I mean this is just something I got the fob off Adafruit. And I just kind of, I mean this is very simple. It’s just LEDs wired to the receiver board.

And that’s what Adafruit sends you is they send you a receiver board and they send you a fob. And then I just had to wire up the rest of it, which is just a power supply and resistors and LEDs.

In terms of getting started with GNU radio, there are a lot of tutorials out there that will get you through building an FM radio transmitter or receiver.

I mean, and that’s good because it lets you see the basic components of a software based receiver. It shows you the tuner, it shows you the demodulator.

It shows you how to mess with sample rates a little bit. That’s a good thing. Sometimes people get stuck after that because they don’t know how to go further. I mean, I do have three books out there.

I don’t want to. That’s not the only route. But the reason I wrote those books is because people kept getting stuck after that FM radio tutorial and they didn’t have anywhere to go. And it was either stay there and not go any further or take this huge leap off into the crazy complex world of constellation modulators and just high end stuff that takes a lot of time to figure out.

So I don’t, I don’t know of a great resource to bridge those gaps. That is why I wrote those books. But there’s probably more out there every year.

It’s just, it’s slow going.

Jason Blanchard

All right, Paul, any final words as we end today?

Paul Clark

Not that I can think of. Sorry about the VNC, folks, but, yeah, I hope it was helpful and hopefully people are interested in playing around with radio stuff.

Yep. Thank you all.

Jason Blanchard

And we appreciate you showing up. We try to do, a lot of times we do the regular hacking and things, but we love when Paul can come on and talk about SDR and when other people can come on and talk about their specialties too.

So thank you Paul, and thank you all for joining us today.

Paul Clark

All right, thanks everybody.