Welcome to Russells-World

Alarm System


After taking some inspiration from dragorn's blog post on identifying and recording his car's keyfob, I decided to poke around at some of the wireless items in the house. The most promising was a few wireless sensors that I have on the alarm system.

Tools Needed

  1. HackRF One or RTL-SDR
  2. hackrf_transfer
  3. http://www.fcc.gov
  4. Baudline
  5. GQRX/SDR#

    Let's get it on

Firstly, start with the manual of the device. In my case, it is here: http://www.smarthomeusa.com/Products/60-362N/manuals/60-362N–instructions.pdf. Within the manual, there are a few important tidbits of info: the FCC-ID, the IC ID, and of course, the frequency.
Recon... recon... recon... It was quite difficult in finding the device in the FCC database, but the Canadian database's entry was precise and provided a date. That was what made it very easy to then identify the transmitter's filings, which can be viewed here: https://apps.fcc.gov/oetcf/eas/reports/ViewExhibitReport.cfm?mode=Exhibits&Reque%20stTimeout=500&calledFromFrame=N&application_id=735155&fcc_id=B4Z-914E-DWS.
These documents provided some additional intelligence about the transmitter, especially some info regarding how long it transmits for and an example transmission. Time to break out GQRX. INSERT GQRX PIC HERE
As you can see, once we tune to 321.5MHz, upon opening and closing doors, there's a blip at 319.5MHz! Huzzah! Next step is to consult dragorn's guide mentioned above to record the signal for later demodulation. Enter the command below to record some transmissions:

hackrf_transfer -r alarm.iq -f 321500000 -s 800

As noted by dragorn, the next tool that we'll use, baudline, has a limit of 50 MB per file. As such, we must chop the files up. You can either do this manually or via script, but to illustrate what it is we'll script, here's the manual method:

dd if=alarm.iq of=alarm-1.iq bs=1M count=50
dd if=alarm.iq of=alarm-2.iq bs=1M count=50 skip=50
dd if=alarm.iq of=alarm-3.iq bs=1M count=50 skip=100

See what's going on? We're just looping through the file making 50MB chunks. Easy. Now, continue in dragorns instructions by firing up baudline and opening the files. Take note in the settings you'll need. As dragorn states:

The magic settings here are:

"custom" sample rate of 8M (since we captured at 8MHz / 8M samples wide). If you captured at another rate, like 20MHz, put 20000000 here.

"channels" are 2, since hackrf logs I and Q data. Since we're logging IQ, turn on the "quadrature" checkbox, and since HackRF logs differently than baudline expects, turn on "flip complex".

Finally, since HackRF logs unsigned 8bit samples, click "8 bit linear (unsigned)".

Start opening the files, one by one, and you should eventually see some waveforms. Scroll in, and there they are! INSERT SCREENSHOT HEREAll nice and OOK like. As you can see, there is a clear bit stream there and it matches up to the previous info we saw from the FCC filings.

In over my head

Yup, the title says it all. I went on to using GnuRadio in an attempt to convert the file into a waveform that clearly would display 1's and 0's, and even output it to a file. Unfortunately, it wasn't as easy; the file would be mostly 0's until the waveform, where I would have 0's, 1's and 2's. Not fun. Time to consult the experts.

Dragorn was in town, and helped poke at the files with me; he confirmed where I was and made sure I was on the right path. He suggested I consult the other Mike.

The community already knows how amazing Mike Ossman is, how friendly, and supportive he is no matter what your skill level. I hearby demand that his name change to Mike Awesoman, as it more accurately reflects his character. So, I reached out to him via email and IRC, and was provided this advice from him (amongst a whole lot more): mossmann: The best way to nerd snipe me is to send me a waveform.. Noted.

Anyways, Mike shared some info and tradecraft regarding working with unknown signals and transmitters. Firstly, he converted the bitstream just by looking at the pictures (sigh). For the first one, he decoded it as:

00 11111111 ff
01 01010101 55
02 01010101 55
03 01010101 55
04 00101001 29
05 00100101 25
06 00100101 25
07 01010100 54
08 10100100 a4
09 10100101 a5
0a 00101010 2a
0b 01010010 52
0c 10010010 92
0d 10010010 92
0e 10010101 95
0f 01001010 4a
10 01010010 52
11 10111100 bc
12 10101001 a9

You can clearly see this similar bitstream in the screenshots. 0x00 I've nicknamed as being the morning fart. 0x01, 0x02 and 0x03 are the preambles. Data is 0x04 through 0x12. The next important thing to do is compare multiple packets from different transmitters against one another. The great thing about the alarm system is that it gives us three identifiers about the transmitters: a "TX ID", a "DL" ID and a "H ID". If you notice above, I've annotated those identifiers for each bitstream that was captured.

Thank You

I'd like to extend a warm, hearty and, eventually, beer supplemented thank you to dragorn and Mike Ossmann. Gents, you're great friends; thank you for you help, training and patience.