background preloader

Reverse engineering

Facebook Twitter

Reverse engineering (433.92 X10) Reverse engineering wireless pro studio lighting. Décodage des protocoles Oregon Scientific sur Arduino (1/3) Reverse Engineering Wireless Pro Studio Lighting. Introduction At Zoetrope we always want to make sure our photos look as good as possible, this means ensuring the lighting is perfect for every shot.

Reverse Engineering Wireless Pro Studio Lighting

We currently use a number of Lencarta UltraPro 300 studio strobes to light our photos but in some cases, the power of the flashes needs to be adjusted on the fly to improve the lighting on a particular object. Fortunately, there's a wireless remote which works with our flashes to adjust their power (amongst other things). Since we try to automate as much as possible, we decided to see if we could reverse engineer the remote and control the flashes from our hardware. The remote allows a number of parameters to be adjusted, and individual flash heads can be adjusted by setting the ID and Group to match those displayed on the head itself. The Radio First thing's first. Click and drag image to rotate in 3D The chip surrounded by passives sprouting a PCB antenna turned out to be the famous nRF24L01+. SPI Protocol Analysing The Protocol Commands. Reverse engineering a wireless burglar alarm. Hacking wireless radiator valves with GNU Radio. Decoding radio-controlled bus stop displays.

Oona Räisänen (a/k/a Windytan) is a self-taught signals and electronics hacker from Helsinki, Finland, who is fascinated by mysteries, codes and ciphers, and vintage tech.

Decoding radio-controlled bus stop displays

She’s previously written regarding the use of digital transmissions carried on FM broadcast subcarriers as a means of supplying data to digital information signs used at bus stops. Her research revealed that these remote controlled transit signs are on a system called IBus made by the Swedish company Axentia. The signals use a proprietary protocol known as Data Radio Channel or DARC. Her efforts have thusfar revealed that the data is sent “using a 16,000 bps data stream that uses level-controlled minimum-shift keying (L-MSK), which can be thought of as a kind of offset-quadrature phase-shift keying (O-QPSK) where consecutive bits are sent alternating between the in-phase and quadrature channels.”

It appears that some of the decoded data is human readable, containing a list of terminal stations and similar data. Reverse engineering a wireless soil moisture sensor. Reverse engineering the RF protocol on a Kambrook Power Point Controller - BeyondLogic. 433MHz remote control “power point controllers” are becoming more prevalent at bargain basement prices.

Reverse engineering the RF protocol on a Kambrook Power Point Controller - BeyondLogic

These units consist of a single power point adapter and a radio frequency (RF) remote control allowing the device plugged into the power point adapter to be turned on and off remotely from distances up to approximately 30 meters. By hacking and replaying the 433MHz protocol, these cheap adapters can be safely controlled by a microcontroller system such as an Arduino. Being radio frequency, there is no physical connection to potentially lethal mains voltages and having passed the mandatory compliance checks there should be no threat to safety or from fire. To demonstrate just how cheap these adapters are, you can pick up a three pack complete with remote control (Pictured above) from your local Bunnings Hardware store for $29.90 AUD. If $29.90 breaks the bank, a single outlet without remote control costs just $8.98 AUD.

The remote control consists of 10 buttons and a slider switch. » Reverse engineering a wireless burglar alarm, part 1. After Adam’s recent post on reverse engineering a wireless doorbell, I thought I would take you through a similar process, but with a different system.

» Reverse engineering a wireless burglar alarm, part 1

This is a Response SL2 wireless burglar alarm system, purchased from Amazon in late 2011. They seem fairly popular and well-reviewed. We start our research without even touching the alarm, by using google. Their product page: Operates on the 868MHz frequency with 20 Bit ID code and 1 million unique codes for added security So we already have a hint to where to look in the spectrum. Notice that a number of keywords haven’t been used here: NarrowbandFHSSSpread spectrumRolling codeKeeLoqEncryptedBi-directional It’s likely that if the alarm used any of these, they would be making it known.

(As an aside, Friedland did initially tell me the SL series of alarms used rolling code – being a bit free and loose with specs seems to be common in the alarm world…) Let’s start off looking at this as if we couldn’t access any of the components. Library for RF remote switches. @Morphor: I don't have a clue why it doesn't work.

Library for RF remote switches

If you happen to have a second arduino, you could use show_received_code to verify that the arduino-synthesized code is identical to the real remote.An digital oscilloscope or data logger is quite handy in this kind of situations, as you can monitor the actual inputs and outputs of the transmitter and receiver. @DARRELL: have a look at the Retransmitter-example, which simply retransmits a (recognized) received code.

For transmission you don't need special interrupts, other than the one Arduino uses for delay(). But that one is standard anyway. Relevant code sniplet, based on the example: #include <RemoteSwitch.h>...unsigned long code; code = receivedCode;code |= (unsigned long)period << 23;code |= 3L << 20;RemoteSwitch::sendTelegram(code,11); This will transmit a signal on pin 11, where receivedCode and period are the values you've already found. @Marlar: "device", "address" etc are arbitrary terms used by the remotes themselves.

Obviously a Major Malfunction...: You can ring my bell! Adventures in sub-GHz RF land... Dammit!

Obviously a Major Malfunction...: You can ring my bell! Adventures in sub-GHz RF land...

Now that song is stuck in my head and will be going around and around for the next three days... Thanks, Anita Ward! (and apologies if it's now stuck in yours too! :) But she's right: you can ring my bell. Speaking of hell, what the hell am I talking about???