Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

Virtualizing a Fan Controller with GNU Radio - 845

Grant Hernandez Posted 3 Years Ago
  • The author has a fan whose remote-control signal they wanted to reverse engineer. Since they have fancy SDR equipment, this was a task they could take on. They use PyBOMBS, a package manager specifically for GNU Radio and related tools; it works much like virtualenv for Python, which is awesome.
  • Simply capturing and replaying the signal is easy. Looking at it in GQRX, you can clearly see it is a form of Amplitude Shift Keying. The author wrote a flowgraph in GNU Radio Companion (GRC) to read in the capture file, amplify it, then transmit it. The signal did not use a rolling code or anything fancy.
  • They reviewed the signal in Inspectrum, a spectrum analyzer, to decode the data by hand. From this view, they found that On-Off Keying (OOK) was being used.
  • Sending the data via OOK only requires a basic understanding of GNU Radio. The block diagram is quite small, but the baud rate is the important parameter to note. Additionally, they use a vector source (just an array of values) for the OOK signal. Finally, the sample rate is derived from the baud rate as well.
  • Demodulating is a totally different story in terms of complexity. The first magic block is Symbol Sync. It performs timing recovery on the incoming signal, since we do not know when a valid pulse begins or ends. Its parameters feel like black magic to the author and to me.
  • Next, Grant converts the complex samples to a float with an increased magnitude. Finally, they use a Binary Slicer block to produce a stream of unsigned chars for later processing. Before the binary slicer, a constant is subtracted from the value, which I assume sets the slicer's decision threshold.
  • Now, having the data as valid 0s and 1s is not enough. How do we know whether a string of inputs is valid or not? For this, the author grabbed an out-of-tree module to do some more heavy lifting. Essentially, the Sync and Create PDU block pattern-matches a particular bit sequence. If it is found, the byte stream is passed through to the final block.
  • The PDU part is counter-intuitive in GNU Radio. Most of the time, data flows bit by bit; in this case, we want a whole block (packet) at once. The final block is custom-written by the author: a small script that takes the raw 0s and 1s and decodes them according to his understanding of the encoding, where the bit pattern 100 represents a 0 and 110 represents a 1.
  • At this point, Grant can easily decode data on the fly, and reverse engineering the signal itself becomes simple. Comparing two remotes, he found that the first section was a remote ID, followed by a separator and then a command. These fields appeared quite redundant in terms of the number of bits used. They have further notes on GitHub.
  • Overall, a really awesome post with plenty of great diagrams and explanations of what was going on. I have always found GNU Radio hard to use, so this breakdown made my life a bunch easier.
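The receive chain described in these notes (threshold and slice to bits, match a sync pattern, map the 100/110 chips back to data bits) modelled in plain Python, as an added example that is not code from Grant Hernandez's post or his GitHub repo. The samples-per-symbol value, the threshold, the sync word and the sample stream are all constructed assumptions, and ideal symbol timing stands in for the Symbol Sync block.

```python
from typing import List, Optional

SAMPLES_PER_SYMBOL = 4  # assumed: sample_rate / baud_rate, as in the post
THRESHOLD = 0.5         # assumed: the constant subtracted before the binary slicer
SYNC = "1111"           # assumed sync pattern the Sync and Create PDU block matches


def make_samples(chips: List[int], sps: int = SAMPLES_PER_SYMBOL) -> List[float]:
    """Constructed stand-in for an SDR capture: each OOK chip becomes sps
    magnitude samples (carrier on ~0.9, carrier off ~0.1)."""
    return [0.9 if c else 0.1 for c in chips for _ in range(sps)]


def slice_bits(samples: List[float], sps: int = SAMPLES_PER_SYMBOL,
               threshold: float = THRESHOLD) -> List[int]:
    """Model of magnitude -> subtract threshold -> Binary Slicer.
    One decision per symbol, sampled at the centre of each symbol period."""
    return [1 if samples[i] - threshold > 0 else 0
            for i in range(sps // 2, len(samples), sps)]


def find_sync(bits: List[int], sync: str = SYNC) -> Optional[int]:
    """Index of the first bit after the sync word, or None if it never appears."""
    idx = "".join(map(str, bits)).find(sync)
    return None if idx < 0 else idx + len(sync)


def decode_symbols(bits: List[int]) -> List[int]:
    """The post's chip mapping: 100 -> data 0, 110 -> data 1.
    Any other 3-bit group ends the packet (idle line or noise)."""
    out = []
    for i in range(0, len(bits) - 2, 3):
        chip = tuple(bits[i:i + 3])
        if chip == (1, 0, 0):
            out.append(0)
        elif chip == (1, 1, 0):
            out.append(1)
        else:
            break
    return out


def encode_symbols(data_bits: List[int]) -> List[int]:
    """Inverse mapping, i.e. what the transmit flowgraph's vector source holds."""
    return [c for b in data_bits for c in ((1, 1, 0) if b else (1, 0, 0))]


def decode_packet(samples: List[float]) -> Optional[List[int]]:
    """Full chain: slice -> sync -> chip decode. None if no sync word was seen."""
    bits = slice_bits(samples)
    start = find_sync(bits)
    return None if start is None else decode_symbols(bits[start:])
```

Because every valid chip starts with 1 and contains at most two consecutive 1s, the assumed sync word 1111 can never occur inside the data field, which is what makes the pattern match unambiguous.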