Wednesday, January 20, 2016

Hacking the Z-Wave Protocol with a Hack-RF

More cool stuff for home automation and hacking:

I've been doing a lot with using rtl_433 and an rtl-sdr to receive temperature and humidity sensors, outdoor weather stations, and security system sensors (aka contacts).

So, I've been wondering about receiving and decoding home automation RF protocols like Z-Wave, Insteon, Zigbee which aren't terribly open.  The other day I saw this article on the blog, "Hacking the Z-Wave Protocol with a Hack-RF", about a Shmoocon talk.  Exactly what I've been waiting for.  I have a HackRF in that I haven't been doing much with ... yet.

I assumed it would be possible to receive Z-Wave with an RTL-SDR.   There are a number of USB Z-Wave sticks that are starting to get popular.  Many home automation controllers that have one of the protocols implemented are fairly expensive and somewhat closed.

So I'm excited to see this, quoting the post

Z-wave is a wireless protocol that is used often in applications like smart home and industrial automation. It essentially allows various wireless nodes to connect and talk to one another within your house, using 900 MHz wireless technology. Some common examples of Z-wave node products might be wireless controlled lights, door locks, thermostats and other security devices like motion detectors.

Recently at Shmoocon 2016 (a yearly hacking and security themed conference), presenters Joseph Hall and Ben Ramsey showed how they were able to use a HackRF software defined radio and some GNU Radio based software to not only sniff Z-wave packets, but to also control Z-wave devices. What’s also interesting is that they found that encryption on z-wave devices was rarely enabled, except for five out of nine door locks that they tested where it was enabled by default.

See the full story at Hackaday and have a look at their code on GitHub.
Unfortunately it looks like their stuff requires two HackRFs, one for transmitting and one for receiving. I unfortunately, only have one HackRF. There has been some work to enable better T/R (Transmit/Receive) switching into the HackRF libraries. I've seen the commits go by but haven't looked into them much yet.

Things are getting interesting, stay tuned for more...


Reverse Engineering Cheap Chinese Radio Firmware TyTera MD-380 (Shmoocon 2016 via Hackaday)

Cool Stuff:

For those who are interested in the intersection of microcontrollers, hacking, and radio, an interesting deep dive into the firmware of one of the Chinese DMR/mototrbo ($140) radios, the Tytera MD380.

Unlike the cheap analog Chinese radios (Wouxun, Baofeng) which can only be programmed once, this radio supports a firmware upgrade.  The bit that is interesting for people who aren't deep into digital electronics is that this hack produced a version of the firmware that turns the MD380 into the first (hardware) DMR scanner.  N2NOV has been pointing out the gap, that no scanners cover DMR for a while now.

Note: this exploration/hack is at the experimental stage, so I wouldn't consider this ready/usable/applicable to anyone but those that want to experiment and are willing to risk bricking their radio or worse.

I couldn't resist, so I ordered a Tytera MD-380 this morning. More details to come.  So now my To Do list includes, learning about DMR/MotoTRBO, programming NYC area DMR amateur radio repeaters, and finding/joining communities that are covering alternative firmware development for the MD-380.

Out of the box, this radio is supposed to allow field programming (aka front panel programming) of DMR talkgroups.

Travis GoodSpeed's github repo, has a package of command-line Python tools for the MD380. Looks like enough for reading and writing the radio on Linux and Mac OS.  Also there is the beginnings of a CHiRP driver for the MD380. It doesn't read/write the radio but can be used for maintaining the analog channels and banks.

Also, hack-a-day, has had some good radio articles lately that aren't that deep into digital electronics for a wider audience.

You might recognize the name Travis Goodspeed from other projects like the GoodFET, an open source JTAG adapter inspired by Dangerous Prototype's Bus Pirate.


Friday, January 15, 2016

More Yaesu VX-8 GPS implementation details.

4Z7DTF left a comment on my post "Another Yaesu VX-8DR external GPS with an Arduino/..." to let me know about his VX-8 Arduino GPS project on github.

There have been a number of projects that use either an Arduino or bare ATtmega microcontroller to turn the GPS module's NMEA sentences back into the a format the brain dead parser built into the VX-8's firmware can handle.

He has done some additional testing, actually fuzzing, showing the VX-8's parser does no error checking what so ever. 

Also, another interesting bit, in his work, he noted there is no need for the communication to be bi-directional. I don't know what, if anything the VX-8 tries to send to the GPS module, but it appears to be unnecessary. 

What is interesting about that is the microcontroller then really only needs a single serial port.  Most of the other projects are bi-directional using a software UART emulation for the second port.   So it might be possible to implement this project with something much smaller and even lower power.   It would be interesting to see if this can be done with the ATTiny85, using something like the Adafruit 3.3V trinket.  That is supposed to draw around 9 milliAmps at 8 Mhz, but 3 mA of that is just for the green power LED!  The ATTiny has no built in UART, so it would be all software serial. 

Thursday, January 14, 2016

Raspberry Pi (RPi) and Amateur Radio Resources

Here are a few resources you might find helpful for Linux and radio on PCs or RPis.
  • Ham radio software on CentOS Linux
  • Getting Started with Packet Radio
  • Raspberry Pi APRS and Packet Radio
  • APRS beginner's guide
  • Amateur Radio and Linux: Opening Doors without Windows

Raspberry Pi for Ham Radio Yahoo Group - a fairly active Yahoo Group. Yahoo Group Description:
This is a place for Amateur Radio Ops to discuss the Raspberry Pi and how it can be applied to Ham Radio.  This is a moderated Group. Please keep posts civil and on topic. (Any discussion of the RPi is welcome)

Info on Intel's AMT with an open source client.

Found this blog entry"Everything you need to know about Intel AMT and the Intel NUC with Ubuntu" on Dustin Kirkland's blog. AMT is vaguely related to IPMI, but is somewhat Intel proprietary. The key bit of info is there is a package available for Ubuntu, amtterm, that has a command, amttool that can be used for remote management of systems with AMT built-in (Intel VPro) and enabled.

Automate Cygwin package installation, search for packages from the command line, grep the list of installed packges.

Stumbled across two things for improving life when dealing with Cygwin.  (Cygwin is a port of Unix-like GNU tools for Windows.)

First, the standard Cygwin-setup utility takes command line arguments that will avoid all of the prompts, so you can have a single command to update a system without having to do a lot of clicking.   See this blog post from Cody Dunne.

Put this in a batch file, run it as administrator:

cd C:\cygwin
wget -N
setup-x86.exe --no-desktop --no-shortcuts --no-startmenu --quiet-mode
Or if you are typing it by hand:
setup-x86 -nNdq
Second, there is a nice command link apt-get like utility, called apt-cyg. It's a neat, simple bash script. Nothing to really install. Provides command like search, and text access to the list of installed packages. apt-cyg is in Stephen Jungel's github repo.

Note: the key data is in the setup INI files stored in cygwin-pkgs/mirror-name/x86/setup.ini.

Hope this helps,