Caleb Madrigal

Programming, Hacking, Math, and Art

 

Digital Radio Signal Generation

Recently, I was curious if I could generate a digital radio signal from scratch just using math, and use that signal to control this radio-controlled outlet that I have.

Here's the Github source: https://github.com/calebmadrigal/radio-hacking-scripts/blob/master/radio_signal_generation.ipynb

Generating radio signals

I want to be able to generate modulated digital signals such as this one...

original radio signal

original radio signal

This is a binary signal coded with On-off keying (also known as Amplitude-shift keying).

I'm taking the long pulses to mean "1" and the short pulses to mean "0", so this signal is transmitting the digital code, "0110100010000000".

In [2]:
# Imports and boilerplate to make graphs look better
%matplotlib inline
import matplotlib.pyplot as plt
import numpy as np
import scipy
import wave
from ...

Hackers are the new lawyers

Hackers are the new Lawyers are the new Knights.

Back in the feudal days, Lords had Knights to protect them and their possessions from enemies (or to attack their neighbors and plunder their wealth).

In the business world today, lawyers are much like the knights of old. Companies can attack each other with the law, and lawyers are both the attacker and defenders.

In the increasingly computerized world, business are hacking each other to steal their Intellectual Property, understand their strategy, and sometimes, take them down all together (like what happened to HBGary, though that wasn't caused by another company). Today, these tactics are employed mostly by Chinese companies hacking competitors in other countries, but as multinational corporations continue to grow in power, this tactic might become ...

HackRF Replay Attack Jeep

I've recently been getting into Software-defined Radio (SDR), mostly using a HackRF - a radio tranceiver capable of operating from 1MHz to 6GHz (which is a huge range).

One of the most simple (and most interesting attacks) which can be done with SDR is what's called a Replay Attack. It works by simply recording a signal, and then rebroadcasting it. I was able to use this attack to lock and unlock my Jeep Patriot (2006) with my computer. Here's how...

First I recorded the "unlock" and "lock" signals from my keyless entry remote using this "flowgraph" in Gnu Radio Companion:

Record flowgraph

A couple things to note about this flow graph:

  • The frequency is 315 MHz (the frequency at which pretty much all keyless entry)
  • It records at ...

Editing radio signals with Audacity

You can capture radio signals with Software-defined Radios (SDR), such as the HackRF. Gnu Radio is the main software I use for receiving and transmitting radio signals, but I've found Audacity, a program meant primarily for editing sound files, to be a great program for viewing and editing radio signals.

So I had these remote-controlled outlets (which I bought at Home Depot):

Remote-controlled outlets

And I wanted to see what their wireless communication looked like...

So first I recorded the signals of the different outlets with this Gnu Radio Companion flowgraph:

Record flowgraph

A few things to note about this flowgraph:

  • It records at around 315 MHz, the frequency at which the remote transmits (which I found by looking up it's FCC ID code online)
  • It records 2 million samples ...

HackRF Setup OSX 2016

These are some pretty raw notes I took while installing the software for using a HackRF on OSX. This is the software I installed:

  • Gnu Radio (which comes with Gnu Radio Companion)
  • Osmocom Gnu Radio Blocks
  • gqrx

Gnu Radio Installation

Installed gnuradio via Homebrew

brew update

brew tap robotastic/homebrew-hackrf
brew install gnuradio --with-qt

brew install hackrf
brew install --HEAD rtlsdr
brew link --overwrite rtlsdr

This got GNU Radio and GNU Radio Companion installed, but then I needed to install the Osmocom Gnu Radio Blocks so that Gnu Radio could communicate with the HackRF.

Installing Osmocom Gnu Radio Blocks

This didn't work:

brew install --HEAD gr-osmosdr

Build with directions here: http://sdr.osmocom.org/trac/wiki/GrOsmoSDR

Had to add this to /Users/caleb/Documents/gnu_radio/repos ...

Raspberry Pi Home Security System

3 Years ago (2013), I built my own home security/automation system with a Raspberry Pi. Here's what it looks like:

Raspberry Pi Home Security System

What it does

  • Allows controlling a couple outlets via a mobile web app
  • Alarm system enabled/disabled via mobile web app
  • If alarm enabled, magnetic door sensor would trigger siren and turn on outlets

Hardware used

  • Raspberry Pi - $35
    • Edimax EW-7811Un 150Mbps 11n Wi-Fi USB Adapter - $10
  • Off-the-shelf remote controlled outlet kit - $20
  • Off-the-shelf wireless magnetic door sensor/outlet - $25
  • Car siren - $8
  • Breadboard, transistors, photoresistor, resistors, wires, soldering iron

Total cost of parts: ~$115

Software used

I wrote the controller software in Python (with ZeroMQ, Flask, Rpi.GPIO, and jQuery Mobile): https://github.com/calebmadrigal/rpi-home-automation.

It's made of up 3 components:

DNS Tunneling with Iodine

DNS Tunneling can be useful for getting out of a very restrictive corporate firewall (since almost nobody blocks DNS).

DNS Tunneling works by encoding IP protocol inside of DNS packets. Iodine is a cross-platform implementation of DNS Tunneling. This mini-guide will walk through the process of setting up a DNS Tunnel with Iodine.

Prerequisite: You will need a server with public IP and domain name

Setup DNS Tunnel

Setup DNS Records

Add 2 DNS records to your domain's DNS system:

* `A record`: tunnelhost -> your ip (maps tunnelhost.yourdomain.com to your server's ip)
* `NS record`: tunnel -> tunnelhost.yourdomain.com

Example:

DNS Setup

So now for me:

* `tunnelhost.calebmadrigal.com` now points to `104.236.122.169`
* `tunnel.calebmadrigal.com` now points to `tunnelhost.calebmadrigal.com`
    - **This is the ...

How to SSH Tunnel

When to use an SSH Tunnel?

An SSH Tunnel is perfect for the following scenarios:

  • You want to get to a website that a corporate network is blocking.
  • You want to encrypt the network traffic for a non-encrypted protocol.

What is an SSH Tunnel?

An SSH Tunnel is where you tell your local SSH Client to forward your local computer's traffic to a specified SSH Server (over the encrypted SSH protocol). The SSH Server will then act as a proxy for all requests you make on your local computer.

SSH Tunnel

How to set up an SSH Tunnel

There are 2 steps to set up an SSH Tunnel, and they both happen on your local computer (no configuration is needed on the SSH server which will be acting as ...