Wireless hacking 20120126

Posted on 26-Jun-2015



Description

A talk on how to connect proprietary devices to your network by working out their protocols with low-cost tools.

Transcript of Wireless hacking 20120126

OSHUG #15 Hacking Commodity Wireless

Paul Tanner @paul_tanner

slideshare.net/paul_tanner

Background

● Why make what you can buy?

● Proprietary tech but with benefits

● Very limited documentation

● Not easy without sophisticated tools

● Let's mess around

Approach

● Observe the protocol

● Extend the documentation

● Deduce the protocol

● Code and test

● Transmitter (easy)

● Receiver (hard)

● Iterate (potentially forever :)

Nah! El-cheapo version

● Some of these devices use 433 MHz signalling

● In which case an audio recording of the receiver output is enough

● PC or Mac + software, e.g. Audacity

● Otherwise start saving up
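As an added example (not part of the talk), the PC-side half of the sound-card route above: a Python script that takes a mono 16-bit recording of the receiver's data pin, as Audacity would export it, and turns it into a list of pulse widths in microseconds. The sample rate, the two thresholds and the constructed test recording are assumptions; the WAV loader uses only the standard library.

```python
"""Sound-card recording of a 433 MHz receiver's data pin -> pulse widths.

Added example, not from the talk.  Assumes the receiver's digital output was
fed into the line input and recorded as mono 16-bit PCM (Audacity can export
that).  The thresholds and rate are assumptions; the recording used below is
constructed in code rather than loaded from a file.
"""
import array
import random
import wave

SAMPLE_RATE = 44100      # Hz, a standard sound-card rate (assumed)
HIGH_THRESH = 8000       # Schmitt-trigger thresholds on 16-bit samples;
LOW_THRESH = -8000       # pick them from the waveform in Audacity (assumed)


def load_wav_mono16(path):
    """Read a mono 16-bit PCM WAV into a list of ints plus its sample rate."""
    with wave.open(path, "rb") as w:
        if w.getnchannels() != 1 or w.getsampwidth() != 2:
            raise ValueError("expected mono 16-bit PCM")
        pcm = array.array("h")   # native-endian int16; WAV data is little-endian
        pcm.frombytes(w.readframes(w.getnframes()))
        return list(pcm), w.getframerate()


def samples_to_pulses(samples, rate=SAMPLE_RATE):
    """Schmitt trigger plus edge timing: PCM samples -> [(level, width_us), ...].

    Two thresholds (hysteresis) stop noise around zero from producing a burst
    of false edges: the level only flips once the far threshold is crossed.
    """
    level = 1 if samples[0] > 0 else 0
    pulses, run = [], 0
    for s in samples:
        if level == 0 and s > HIGH_THRESH:
            new = 1
        elif level == 1 and s < LOW_THRESH:
            new = 0
        else:
            new = level
        if new != level:
            pulses.append((level, round(run * 1_000_000 / rate)))
            level, run = new, 0
        run += 1
    pulses.append((level, round(run * 1_000_000 / rate)))
    return pulses


def synth_recording(pulses, rate=SAMPLE_RATE, amplitude=20000, noise=6000, seed=7):
    """Constructed recording: render (level, width_us) pulses as noisy PCM."""
    rng = random.Random(seed)
    out = []
    for level, width_us in pulses:
        n = round(width_us * rate / 1_000_000)
        value = amplitude if level else -amplitude
        out.extend(value + rng.randint(-noise, noise) for _ in range(n))
    return out


if __name__ == "__main__":
    # Constructed pulse train: long gap, a few pulses, long gap.
    demo = [(0, 5000), (1, 500), (0, 1000), (1, 1000), (0, 500), (1, 500), (0, 5000)]
    print(samples_to_pulses(synth_recording(demo)))
```

At 44.1 kHz one sample is about 23 µs, so widths come out to within roughly one sample of the true value, which is fine for telling a 500 µs pulse from a 1000 µs one. One caveat: a sound-card line input is AC-coupled, so a level held for a long time sags back towards zero; the two-threshold detector tolerates some sag, but for very long gaps check the edges in the Audacity waveform rather than trusting the absolute level.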

RF-to-audio etc

● Arduino shield makes for convenient mounting

● Receiver has digital output and no embedded protocol

● Transmitter likewise

● Alternatives available

● Could add switches to power down when not in use

Some Results

Somewhat inconsistent snapshots, but you get the idea

Get Measurements

● A simple program can capture pulse widths

● Inevitably there's noise – shielding?

● Triggering needed for infrequent transmissions

● Then add decoder

Magic happens here

● Look for clues, e.g. blogs

● Expect e.g. Manchester encoding

● Expect redundancy, e.g. checksums

● Hope for inspiration

● Test and iterate
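Putting the last two slides together, as an added example that is not the talk's own code: the decoder side for pulse widths captured by the simple program, with the noise filtering and frame triggering mentioned above, followed by Manchester decoding and a checksum check. The frame layout, half-bit period, checksum scheme and Manchester polarity are assumptions standing in for whatever the real device uses; the transmitter-side encoder (the easy direction) is included to generate constructed test input, and a fake noisy capture shows the decoder surviving jitter and a glitch.

```python
"""Pulse widths -> bytes for a 433 MHz OOK device (the "then add decoder" step).

Added example, not code from the talk.  Everything about the frame is an
assumption made for illustration:
  gap   : a low of at least SYNC_US separates frames (used for triggering)
  start : one fixed 1 bit, so a frame always begins with a high chip
  data  : two bytes, MSB first, then one byte that is the XOR of the two
  coding: Manchester, bit 1 = high,low   bit 0 = low,high   (T_US per chip)
"""
import random

T_US = 500          # half-bit period ("chip") in microseconds (assumed)
GLITCH_US = 100     # pulses shorter than this are treated as receiver noise
SYNC_US = 5 * T_US  # a low at least this long is an inter-frame gap


def xor_checksum(data):
    """Assumed redundancy scheme: XOR of all data bytes."""
    c = 0
    for b in data:
        c ^= b
    return c


def merge_runs(pulses, min_width=0):
    """Drop pulses shorter than min_width and merge same-level neighbours.

    On the transmit side this turns chips into pulses; on the receive side
    it removes noise spikes that would otherwise split one pulse in two.
    """
    out = []
    for level, width in pulses:
        if width < min_width:
            continue
        if out and out[-1][0] == level:
            out[-1] = (level, out[-1][1] + width)
        else:
            out.append((level, width))
    return out


def encode(data, checksum=None):
    """Transmitter side: bytes -> (level, width_us) pulses, framing included."""
    if checksum is None:
        checksum = xor_checksum(data)
    bits = [1]                                   # fixed start bit
    for byte in list(data) + [checksum]:
        bits.extend((byte >> i) & 1 for i in range(7, -1, -1))
    chips = []
    for b in bits:
        chips += [(1, T_US), (0, T_US)] if b else [(0, T_US), (1, T_US)]
    gap = [(0, 2 * SYNC_US)]
    return merge_runs(gap + chips + gap)


def split_frames(pulses):
    """Triggering: cut the capture into frames at the long low gaps."""
    frames, current = [], []
    for level, width in pulses:
        if level == 0 and width >= SYNC_US:
            if current:
                frames.append(current)
            current = []
        else:
            current.append((level, width))
    if current:
        frames.append(current)
    return frames


def frame_to_bits(frame):
    """Quantise pulses to chips, then pair chips into Manchester bits."""
    chips = []
    for level, width in frame:
        n = round(width / T_US)
        if n == 0:
            raise ValueError(f"pulse of {width} us is shorter than a chip")
        chips.extend([level] * n)
    if len(chips) % 2:
        chips.append(0)  # a final low chip is swallowed by the inter-frame gap
    bits = []
    for a, b in zip(chips[0::2], chips[1::2]):
        if a == b:
            raise ValueError("not Manchester: two equal chips in one bit cell")
        bits.append(1 if a == 1 else 0)
    return bits


def decode(pulses):
    """Receive path: deglitch, frame, decode, drop start bit, verify XOR."""
    results = []
    for frame in split_frames(merge_runs(pulses, GLITCH_US)):
        try:
            bits = frame_to_bits(frame)
        except ValueError:
            continue                              # corrupt frame, wait for a repeat
        if len(bits) != 1 + 3 * 8 or bits[0] != 1:
            continue                              # wrong length or no start bit
        payload = bits[1:]
        data = [int("".join(map(str, payload[i:i + 8])), 2) for i in range(0, 24, 8)]
        if xor_checksum(data[:2]) == data[2]:
            results.append(bytes(data[:2]))
    return results


def noisy_capture(pulses, seed=1):
    """Constructed receiver output: timing jitter plus one glitch in pulse 5."""
    rng = random.Random(seed)
    out = []
    for i, (level, width) in enumerate(pulses):
        width += rng.randint(-60, 60)
        if i == 5:   # split this pulse with a 40 us spike of the opposite level
            half = width // 2
            out += [(level, half), (1 - level, 40), (level, width - half)]
        else:
            out.append((level, width))
    return out


if __name__ == "__main__":
    print(decode(noisy_capture(encode(b"\xa5\x3c"))))
```

Remotes usually repeat a frame several times per button press, so rejecting anything with a bad length or checksum and waiting for the next copy is cheaper than trying to repair it; that is also why devices that transmit infrequently (sensors rather than remotes) are the hard case.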

Conclusion

● It can be done

● Most successful with output devices

● Very hard with devices that send infrequently

● Online help limited but does exist