Dmitry 🌻 Janushkevich
Apr 12, 2022, 19 tweets
Alright, you wanted me to do it, so here goes.
A real quick and dirty tutorial on how to use #Universal #Radio #Hacker or #URH to do something useful.
You can find the tool here: github.com/jopohl/urh
It's a bit flaky at times, but it appears to support capture and replay on most hardware out in the field today, which is GREAT.
The tool comes in useful when you're confronted with a radio link and want to find out the details (modulation, bitrate, etc) when those aren't made public by the manufacturer. It's also handy when you just have a signal and no device in hand.
In my area, we have quite a lot of activity in the "IoT" bands. Here's what goes on around 433.925MHz. Remember energy at a particular freq is plotted horizontally while time flows (falls?) vertically.
Quite a few blips of energy there! But what do they mean? Who knows!
This is what URH may help us to investigate.
First and foremost, you can record right from URH, very handy. Lots of knobs to twiddle! They also provided a button to start over if the signal you wanted was not recorded for whatever reason -- most of them come at intervals.
Signal power is shown live when recording.
With any luck, you got your signal saved on your disk. It also gets added for the analysis -- this is what it looked like for me, about a minute of noise and blips. The tool tries to guesstimate the noise level for you (in red) but this often needs adjustment.
That's more like it. Most of the noise is within the red while the signal blips stick out.
The noise level influences what the software takes as "signal" -- if the level is above, then it's processed. Which is exactly what we want.
As I have NO CLUE whatsoever as to what I'll be looking at, I just picked the thickest blip, which is probably the lowest bit rate too. Let's zoom in on that one.
Clearly, this is composed of three distinct elements: short pulse, long pulse, and a pause. So maybe this is a simple modulation scheme like on-off keying (OOK)? But it's a tad hard on the eyes, let's tweak things a bit.
Setting modulation to ASK (here the same as OOK) and switching the signal view from "analog" to "demodulated" we get this image. The pattern is a bit more distinct; this view also shows in color what would be taken as 1 and 0, and that threshold is adjustable.
Conveniently enough, you can also zoom in more and measure the features via click-and-drag selection method; selection is highlighted. The program reports how many samples got selected as well as converting that into a time interval.
After extremely precise measurement, I got the short pulse of 487us, the long pulse of 1463us, and the pause of 982us!
Completely useless at this point, but if the short pulse is 1 unit long, then the long pulse is 3 units and the pause is 2 units. Not random at all.
Setting the "samples/symbol" to our measured 487us and enabling the "show signal" thing, we get the "bits!" 1001001001001001001001110010011100111...
Of course, they are not real bits. At least, it's not what the device probably thinks it transmits. Why's that? Because there is too much redundancy. More likely than not, the device actually encodes a "0" as a short pulse + pause, and a "1" as a long pulse + pause.
But you can work around that using the analysis features the software provides! Specifically, decoding -- it is quite configurable. Switching to the "analysis" tab, here are our ASK messages (there are two identical copies).
You can configure the decoding via the Edit -> Decoding menu and dialog box, and then apply the custom decoding via the "decoding" drop-down in the tab (where it says Non Return To Zero now).
Rummaging in the options, the "morse" base function fits well. Add it and test:
Oh wow, it did replace 100 with 0 and 11100 with 1, as expected! There is a chance it will actually work. Remember to "save as" your new decoding method and then apply:
Boom! Done. We figured out how to go from noise in the air to ones and zeros. We can go ahead and collect a few hundred of these and see if we can figure out what the bits mean! Maybe. Possibly.
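A worked version of the last steps, added here and not part of the thread or of URH itself: it quantises pulse timings as measured in URH to the 487us unit and applies the same 100 -> 0 / 11100 -> 1 rule as the custom "morse" decoding. The (is_high, duration_us) pulse-list input format is an assumption.

```python
"""Added example, not from the thread or from URH: replays the decoding step
by hand. Pulse timings as measured in URH are quantised to the 487us unit and
run through the same "100 -> 0, 11100 -> 1" rule as the custom "morse"
decoding. The (is_high, duration_us) input format is an assumption."""
from typing import List, Tuple

UNIT_US = 487.0     # short pulse from the thread; one URH symbol per unit
TOLERANCE = 0.3     # a pulse must be within 30% of a whole number of units

Pulse = Tuple[bool, float]  # (is_high, duration_us)


def quantise(duration_us: float, unit_us: float = UNIT_US) -> int:
    """How many units a pulse lasts; reject timings not close to a multiple."""
    units = duration_us / unit_us
    n = round(units)
    if n < 1 or abs(units - n) > TOLERANCE:
        raise ValueError(f"{duration_us}us is not a clean multiple of {unit_us}us")
    return n


def pulses_to_symbols(pulses: List[Pulse], unit_us: float = UNIT_US) -> str:
    """Raw 1/0 symbol stream, as URH shows it with samples/symbol set to one unit."""
    return "".join(("1" if high else "0") * quantise(d, unit_us) for high, d in pulses)


def morse_decode(symbols: str) -> str:
    """Short pulse + pause (100) is a 0, long pulse + pause (11100) is a 1."""
    bits, i = [], 0
    while i < len(symbols):
        if symbols.startswith("11100", i):
            bits.append("1")
            i += 5
        elif symbols.startswith("100", i):
            bits.append("0")
            i += 3
        else:  # anything else means a mis-measured pulse or a truncated capture
            raise ValueError(f"unexpected pattern at symbol {i}: {symbols[i:i + 5]!r}")
    return "".join(bits)


# Constructed sample: the measured 487/1463/982us pulses arranged to spell 0,0,1,0,1
SAMPLE_PULSES: List[Pulse] = [
    (True, 487), (False, 982), (True, 487), (False, 982), (True, 1463), (False, 982),
    (True, 487), (False, 982), (True, 1463), (False, 982),
]

if __name__ == "__main__":
    raw = pulses_to_symbols(SAMPLE_PULSES)
    print(raw, "->", morse_decode(raw))  # 1001001110010011100 -> 00101
```

Feeding the thread's own symbol string into morse_decode gives 0000000101 for the part shown, which is the same reduction URH reports once the custom decoding is applied.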