After taking some inspiration from dragorn's blog post on identifying and recording his car's keyfob, I decided to poke around at some of the wireless items in the house. The most promising were a few wireless sensors that I have on the alarm system.
As noted by dragorn, the next tool we'll use, baudline, has a limit of 50 MB per file. As such, we must chop the files up. You can do this manually or via a script, but to illustrate what the script will do, here's the manual method:
See what's going on? We're just looping through the file making 50 MB chunks. Easy. Now, continue with dragorn's instructions by firing up baudline and opening the files. Take note of the settings you'll need. As dragorn states:
The magic settings here are:
"custom" sample rate of 8M (since we captured at 8MHz / 8M samples wide). If you captured at another rate, like 20MHz, put 20000000 here.
"channels" are 2, since hackrf logs I and Q data. Since we're logging IQ, turn on the "quadrature" checkbox, and since HackRF logs differently than baudline expects, turn on "flip complex".
Finally, since HackRF logs unsigned 8bit samples, click "8 bit linear (unsigned)".
Start opening the files one by one, and you should eventually see some waveforms. Scroll in, and there they are!
[screenshot]
All nice and OOK-like. As you can see, there is a clear bit stream there, and it matches up with the information we saw earlier in the FCC filings.
In over my head
Yup, the title says it all. I went on to use GNU Radio in an attempt to convert the file into a waveform that would clearly display 1's and 0's, and even output it to a file. Unfortunately, it wasn't that easy: the file would be mostly 0's until the waveform, where I would have 0's, 1's and 2's. Not fun. Time to consult the experts.
Dragorn was in town, and helped poke at the files with me; he confirmed where I was and made sure I was on the right path. He suggested I consult the other Mike.
The community already knows how amazing Mike Ossmann is, and how friendly and supportive he is no matter what your skill level. I hereby demand that his name be changed to Mike Awesoman, as it more accurately reflects his character. So, I reached out to him via email and IRC, and was provided this advice from him (amongst a whole lot more): mossmann: The best way to nerd snipe me is to send me a waveform.. Noted.
Anyways, Mike shared some info and tradecraft regarding working with unknown signals and transmitters. Firstly, he converted the bitstream just by looking at the pictures (sigh). For the first one, he decoded it as:
You can clearly see this same bitstream in the screenshots. 0x00 I've nicknamed the morning fart. 0x01, 0x02 and 0x03 are the preambles. Data is 0x04 through 0x12. The next important thing to do is compare multiple packets from different transmitters against one another. The great thing about the alarm system is that it gives us three identifiers for the transmitters: a "TX ID", a "DL" ID and an "H ID". If you look above, I've annotated those identifiers for each bitstream that was captured.
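The two chores above, chopping a capture into baudline-sized pieces without splitting an I/Q pair, and turning the OOK waveform into the 0x.. bytes Mike read off the screenshots, as an added example that is not code from this post or from dragorn or Mike. It treats the file as the interleaved unsigned 8-bit I/Q the post describes (centred on 128), and the burst it decodes is synthesised in the block, not a real capture; `samples_per_symbol` is an assumed value you would measure in baudline from the symbol width at your capture rate.

```python
import math

BYTES_PER_SAMPLE = 2                    # one 8-bit I byte followed by one 8-bit Q byte
CHUNK_BYTES = 50 * 1024 * 1024          # baudline's per-file limit noted above

def chunk_ranges(file_size, chunk_bytes=CHUNK_BYTES):
    """(offset, length) pairs covering a capture, each cut on a whole I/Q sample so a
    chunk never starts with a stray Q byte (that would swap I and Q for the whole chunk)."""
    step = chunk_bytes - (chunk_bytes % BYTES_PER_SAMPLE)
    return [(off, min(step, file_size - off)) for off in range(0, file_size, step)]

def iq_magnitude(raw):
    """Interleaved unsigned 8-bit I,Q (centred on 128, as the post describes) -> |I+jQ| per sample."""
    return [math.hypot(raw[i] - 128, raw[i + 1] - 128) for i in range(0, len(raw) - 1, 2)]

def ook_symbols(raw, samples_per_symbol, threshold=None):
    """Envelope-detect OOK: mean |IQ| over each symbol period, sliced against a threshold
    (default: midpoint between the quietest and loudest symbol). Returns 0/1 per symbol."""
    mag = iq_magnitude(raw)
    sps = samples_per_symbol
    energy = [sum(mag[k * sps:(k + 1) * sps]) / sps for k in range(len(mag) // sps)]
    if threshold is None:
        threshold = (min(energy) + max(energy)) / 2
    return [1 if e > threshold else 0 for e in energy]

def bits_to_hex(bits):
    """Pack MSB-first bits into bytes, rendered like the 0x.. values in the post."""
    return " ".join(f"0x{int(''.join(map(str, bits[i:i + 8])), 2):02x}"
                    for i in range(0, len(bits) - 7, 8))

def make_ook_burst(bits, samples_per_symbol, amplitude=100, cycles_per_sample=0.05):
    """Constructed test input (not a real capture): unsigned 8-bit I/Q with a carrier
    slightly off-centre for each 1 symbol and only the DC offset (128,128) for each 0."""
    raw, n = bytearray(), 0
    for b in bits:
        for _ in range(samples_per_symbol):
            a = amplitude if b else 0
            raw += bytes((int(128 + a * math.cos(2 * math.pi * cycles_per_sample * n)),
                          int(128 + a * math.sin(2 * math.pi * cycles_per_sample * n))))
            n += 1
    return bytes(raw)

if __name__ == "__main__":
    pattern = [1, 0, 1, 0, 1, 0, 1, 0, 0, 0, 0, 1, 0, 0, 1, 0]   # constructed: 0xaa 0x12
    burst = make_ook_burst(pattern, samples_per_symbol=80)
    print(bits_to_hex(ook_symbols(burst, 80)))                   # -> 0xaa 0x12
    print(chunk_ranges(3 * CHUNK_BYTES + 1234)[:2])
```

On a real file, pass each `chunk_ranges` slice through `ook_symbols` and watch for a run of identical bytes at the start of each burst, which is where the preamble bytes the post labels 0x01 to 0x03 should line up.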
I'd like to extend a warm, hearty and, eventually, beer-supplemented thank you to dragorn and Mike Ossmann. Gents, you're great friends; thank you for your help, training and patience.
Ⓒ 1997- Russell Handorf. All other copyrights and trademarks are the property of their respective owners.