Reverse engineering a wireless burglar alarm, part 7

So, where were we? We’ve worked out how several components of the alarm use the CC1150 to send out signals, and now I want to emulate the signal and then play with it.

By far the easiest way to do this is to use the same CC1150 chip as in the authentic transmitters. I can be absolutely sure the 2-FSK modulation with ~50kHz deviation will be reproduced exactly. There are many other RF transmitter chips out there that can do this, but we know that these work and we already have the correct settings.

So, the first challenge is – where do I get a board with a CC1150 on it? Well, we have plenty of alarm sensors with neat little CC1150 daughterboards on them!

Door contact RF board

Door contact RF board

I chose a door contact as my victim – they are the cheapest and simplest sensors.

The daughterboard has an 8-pin interface, with a 0.1″ pitch pin header connecting the two. I need to desolder the board to use it. Desoldering pin headers is always a pain – you can’t desolder all 8 pins at a time. My technique now is:

  1. Chop the pin header along it’s length, separating the two boards. I have a nice pair of snips for this, but a Dremel with cut-off wheel can do it if they don’t fit.
  2. Chop the plastic spacer away from the pins, leaving you with just half the pins stuck in the board.
  3. Desolder the pins one at a time.
DSCF7845

The daughterboard

Now I have a small CC1150 board. I soldered a new pin header onto it, and a pin socket onto the rest of the door contact. This allows me to easily reconnect it to the door contact if I need to.

You’ll notice in the picture above that there is a small bridge wire. I desoldered and resoldered the CC1150 QLP package (just to see if I could) and burned a track in the process.

DSCF7846

Testing testing 1-2

Now we need to drive this board using something. There are a plethora of options available to me:

  • An Arduino board
  • A mbed board
  • A Bus Pirate
  • A GoodFET
  • A CC1110 development board (this would skip using the CC1150 board, as it has a built-in transceiver)
  • One of the Ciseco CC11xx boards (again, this would skip the CC1150 board)
  • Any of the other development boards I have lying around…

I decided I would use an Arduino board – specifically the Seeeduino Mega.

Why the Arduino? In reality, I’ve stopped using the Arduino environment and now use AVRGCC, so this is really just a nice little AVR development platform.

It won out over the mbed as I have had SPI issues with the mbed before.

The Bus Pirate and GoodFET are very similar, but require a host PC. I would like this standalone.

It seemed silly to implement this on a CC1110 chip, and I have had problems in implementing proprietary encoding schemes on it before.

Why the Mega? I find myself often using the extra pins and RAM as compared to the ATmega328p used in the Uno

So, now I have a RF board and something to control it. Next, I need to connect the two and write some code!

Reverse engineering a wireless burglar alarm, part 6

Last time, we looked at the data the door contact was sending out over the airwaves. We arrived at a simple encoding system where 0 = 100 and 1 = 110. This might not be entirely correct, but we are finding 48 bit long packets containing the same data each time.

Now we need to try and work out what these bits represent.

As we worked out in part 4, all of the automated packet control in the CC1150 has been bypassed. This means that the microprocessor must deal with everything. What is everything? What does a normal packet look like in a simple RF system?

There can be a number of components sent. In approximate order, from start to finish:

  • Pre-amble – generally a series of 10101010. The purpose of this is to make the receiver aware that a transmission is happening, adjust the gain as required, and synchronise clocks. The average value of this signal is partway between 1 and 0, which will mean the gain is appropriately set to receive both 1s and 0s.
  • Sync-word – sometimes a sync word is sent immediately after the pre-amble. This is similar to an address or ID, but often it is system wide.
  • Packet length – if the packet length is variable, then the receiving system needs to know how long the packet should be. Even if packet length appears fixed, the protocol may accommodate for variable length packets.
  • ID – each device must be uniquely identifiable. We already know this is 20 bits long i.e. just over 1 million unique IDs. Sometimes other data is encoded in the ID, such as sensor type or manufacturer. This effectively reduces the keyspace, and makes guessing IDs easier.
  • Data – this is the data such as triggered/not-triggered, sensor type, battery state, tamper state and so on.
  • Checksum – often a checksum is calculated on the other other bits, so that the receiver can detect errors (and sometimes even correct them). On simple uni-directional RF systems used for safety that retransmit huge numbers of times, checksums become less useful.

Working out which piece of the data is which involves careful prodding of multiple components and observation of changes. Let’s get going!

It’s quite time consuming running a logic trace, exporting the data, running it through my parser, and interpreting the results. I should really learn to write analyser plugins for the Saleae Logic software, but my last attempt never quite worked right.

all_of_the_things

First thing I notice – there is no variation from packet to packet. There is no rolling code used here.

Door contact 1

The contact only transmits RF when the button is released (tamper) or the magnet removed (door open). There is therefore no indication to the rest of the system that a fault condition has been removed or a door closed. There appears to be no low-battery signal sent either.

These are the two transmissions

001100001100100011000000010100000000000000010000 - DC1 t
001100001100100011000000010100000000000000100000 - DC1 a

Notice only a couple of bits vary (shown in red)

Door contact 2

001100001101000000010000010100000000000000010001 - DC2 t
001100001101000000010000010100000000000000100001 - DC2 a

Again, only a couple of bits vary – the same bits as with door contact 1.

Let’s compare door contact 1 and 2:

001100001100100011000000010100000000000000010000 - DC1 t
001100001101000000010000010100000000000000010001 - DC2 t

The first 4 bits are the same between the two sensors. Is this the pre-amble and sync?

We then have a few bits that differ. This could be part of the ID.

The last bit also differs (green). Notice how 10 bits are high in the first packet, and only 9 in the second. This could mean that the last bit is a parity bit, a very simple checksum.

PIR 1

001100011101111101100000010000000000000000010000 - PIR1 t
001100011101111101100000010000000000000000100000 - PIR1 a

14 bits are high in the PIR packet, supporting the last bit being a parity bit.

Let’s compare this with the door contacts

001100001100100011000000010100000000000000010000 - DC1 t
001100001101000000010000010100000000000000010001 - DC2 t
001100011101111101100000010000000000000000010000 - PIR1 t
001100011101111101100000010000000000000000100000 - PIR1 a

It now looks like the pre-amble is shorter and the ID a bit more certain.

PIR 2

001100011101111100110000010000000000000000010000 - PIR2 t
001100011101111100110000010000000000000000100000 - PIR2 a

Let’s compare this to the other PIR

001100011101111101100000010000000000000000010000 - PIR1 t
001100011101111100110000010000000000000000010000 - PIR2 t

Wow – only a couple of bits differ. They are almost sequential!

Panel

This component is much more complex, so let’s just look at the simplest trigger – the tamper switch.

000010000001000000000000011100000000001000000000 - KP t

Notice how 6 bits are high, and the last bit is 0. It really does look like parity.

Let’s compare with the others:

001100001100100011000000010100000000000000010000 - DC1 t
001100001101000000010000010100000000000000010001 - DC2 t
001100011101111101100000010000000000000000010000 - PIR1 t
001100011101111100110000010000000000000000010000 - PIR2 t
000010000001000000000000011100000000001000000000 - KP t

Now we have a lot more information. The pre-amble has got shorter. Somewhere in the middle it looks like we have data indicating the sensor type.

Summary

A typical packet:

001100011101111100110000010000000000000000010000

We have :

  • Packet start (not shown). The encoded bits 111000 are sent. This is on the short side for a pre-amble.
  • Yellow – this could be a continuation of the pre-amble, which would now be 111000100100 – still really quite short!
  • Red – 18 bits of ID. Not sure which end the other two bits are at. Or are they using the 2 bits of sensor type to make it up to 20 bits?
  • Blue – likely sensor type; 00 – PIR, 01 – door contact, 11 – panel.
  • Purple – status of various switches and alarms.
  • Green – a simple odd-parity checksum bit

I’ve now run out of components to test. We’ve gleaned a fair bit of information about the format of the packet, most importantly that no rolling code is in use.

Where next? I know the format of genuine packets, so I should be able to build a system to transmit these sniffed packets. We’ll test to see if the receiver can pick these packets up. Then we can start modifying the packets bit-by-bit to see how the receiver responds.



			

Reverse engineering a wireless burglar alarm, part 5

Last time we worked out that data was being transferred from the microprocessor to the CC1150 chip using synchronous serial mode at 6.5kBaud. This time, we are going to look at that data using the logic analyser and try to interpret it.

This is what our data looks like – channel 1 is data, channel 3 is a clock. The Saleae Logic software can help to interpret this as plain synchronous serial.

DC_data6_5k

You might notice that the software doesn’t have an option for synchronous serial – only asynchronous. It does however have “Simple Parallel”. This takes a number of channels and a clock. Serial is just parallel with a single channel, so that is what we will  use.

Another plus of the Saleae software is that you can use multiple analysers against the same channels i.e. on our MISO/GDO1 line we can have an SPI and simple parallel decoder running.

Now we have successfully decoded a series of pulses, and the software has conveniently added little dots to show the data bits:

syncdata

You might quickly notice that the pulses are either 1, 2 or 3 bits long. Never 4 or more. This is the case along the entire stream of data. 1 and 2 bit pulses are common, and 3 bit pulses are at the beginning, end and at regular intervals. We could guess that 1 bit = 0, 2 bits = 1, and 3 bits signifies the start and end of a packet? Seems sensible to me.

As an aside, it is fairly common for RF systems to encode data so that there are frequent transitions between 1 and 0. This is for a few reasons:

  • To try and keep the average value of the signal midway between 1 and 0, allowing automatic gain controls and DC filters to work correctly.
  • To make sure any clock recovery or synchronisation has frequent edges to work on.
  • Representing 1 bit of data as multiple bits can provide redundancy and error checking.

Manchester encoding is very common, but there are a lot of proprietary and ad-hoc schemes in use. I have seen infrared protocols used on AM OOK systems before now – they kind of meet the requirements and allow the use of existing chips and code.

The entire data burst lasts about 1.20s. At a data rate of 6.5kBaud, that is 7.8k symbols. I don’t fancy manually transcribing or interpreting that much data. There is a high probability that the data repeats to a certain extent, but it can be hard to see the boundaries on a logic trace. Automating this process makes more sense.

Looking back at the data, and my initial observations, I can see:

  • 111 is always followed by 000, and I can see this happens relatively infrequently but regularly
  • 1 is always followed by 00
  • 11 is always followed by 0

So, let’s make some arbitrary choices:

  • 111000 is the start/end of a packet
  • 100 is a 0
  • 110 is a 1

Where to from here then? Python! Let’s read the data in, and try to process it using these simple rules.

Why am I using Python? In recent years I have found it is by far the quickest way to get simple data processing tasks like this done. It seems naturally suited to arrays of data and is tolerant of idiocy. I use Pycharm as a cross-platform IDE – it’s really useful.

I’ve knocked up a very simple program to read in a Saleae logic file, and then interpret the data as above.

python

It’s getting like a Daily Mail article on hacking in here.

With the input from my trace, I get the following repeating pattern:

001100011101111101100000010000000000000000010000
001100011101111101100000010000000000000000010000
001100011101111101100000010000000000000000010000

No change at all from packet to packet, 48 bits long. This encodes to 150 bits long, and re-transmits about 50 times in the 1.2s burst (retransmission is a common technique to ensure the receiver hears the transmission, even in noisy environments).

We know from the documentation the system uses 20 bit IDs. Just a gut feeling, but I would expect the address to have a lot of entropy, so might assume that the first 20 bits are the address – 001100011101111101 – and the rest is data. There may be a pre-amble and sync word before the ID, meaning it might be shifted a bit further on. To confirm this, I will need to put the sensor into different states (triggered/not triggered,tamper/safe,battery low etc.) and compare to other sensors.

Is the system rolling code? We can’t really say at this stage – we need to grab more traffic. I’d expect the code to roll in 50 retransmits though. It’s not looking good.

What is interesting is that to see this data, I didn’t actually need to look at any RF at all. In fact, I don’t even need the comparatively expensive Saleae Logic – a Bus Pirate acting as a logic analyser would be able to do this.

Where to from here? Let’s start sniffing data from the other door contact and start changing their states. For next time 🙂

Reverse engineering a wireless burglar alarm, part 4

In the last part, we looked at sniffing the SPI traffic between the Elan microprocessor and CC1150 RF chip in a door contact from a Friedland Response alarm system. We worked out which pin was which, and interpreted some of the SPI traffic to check our assumptions were correct.

Part of my general philosophy when reverse engineering products is to just get a good idea of what is going on, rather than rigorously explore each and every avenue. Generally this will give you an overall picture of the system far quicker, and allow you to identify weak points to look at in more detail. So, on the whole, I never have a 100% confidence level in my assumptions.

Let’s look at some other aspects of the sniffed traffic.

First, let’s look right at the beginning of the signals immediately after the sensor is triggered.

DC_GDO

We have worked out what channel 0, 3, 4 and 5 do. So what is going on with channel 1? It has an approximate 135kHz clock signal for a short period. Why is this?

Let’s go and look at the datasheet once again. Page 37 – we can see that general purpose I/O pin GDO0 defaults to output a 125-146kHz clock output – the main oscillator frequency over 192. We have a 26MHz crystal, giving us 135.4kHz – exactly as observed.

Why then does it stop suddenly. Maybe one of the registers we set just prior to it turning off – 0x01 or 0x02 – control this pin?

IOCFG0, 0x02, controls GDO0. The lowest 6 bits select what GDO0 should output. What does 0x0C correspond to? Page 38, table 24, shows 0x0C as “Reserved – defined on the transceiver version” – what’s going on here then? Is it a mistake? We’ll come back to this later.

Again, this is something that is really key in reverse engineering – read the datasheets, and read the manuals. They are full of useful information.

Moving further through the SPI packets sent, we get to the end:

Time [s] Packet ID MOSI MISO
0.0041055 28 0x2D 0x0F
0.00417875 28 0x35 0x0F
0.00424825 29 0x2E 0x0F
0.0043215 29 0x09 0x0F
0.00438775 30 0x7E 0x0F
0.004463 30 0x00 0x0F
0.00451425 30 0x0B 0x0F
0.00456675 30 0x25 0x0F
0.0046195 30 0x68 0x0F
0.00467225 30 0x60 0x0F
0.004725 30 0x86 0x0F
0.0047775 30 0xCC 0x0F
0.00483075 30 0xC3 0x0F
0.0049125 31 0x35 0x0F
0.01802275 32 0x36 0x2F

Why is packet 30 so long? 9 bytes instead of 1 or 2 as per the previous strobe commands and register writes.

Address 0x7E doesn’t seem to come up directly in the datasheet. If we refer to Table 28 though, we see that if we want to write to 0x3E in burst mode, we need to add 0x40 onto the address. Burst mode allows us to write multiple values in one go without incrementing the address. 0x3E is the PATABLE or power table, allowing the power of the radio signal to be modulated.

table28

Let’s zoom right back out on the logic trace:

DC_rightout

The small white blocks are bursts of SPI traffic as we have looked at already. What about the huge white blocks – let’s zoom in to take a look at them.

DC_synchronous

That looks like synchronous serial data to me with a clock on channel 3 and data on channel 1. Let’s scroll backwards to examine the SPI transfer immediately prior to this to see how the CC1150 is being configured.

We’ll start from the beginning and manually interpret the commands (I might skip or gloss a few of the really unimportant ones)

  • Strobe command SRES – reset the chip
  • IOCFG1 – GDO1 output pin configuration – set to 0x0B – Set GDO1 to “Serial Clock. Synchronous to the data in synchronous serial mode.
  • IOCFG0 – GDO0 output pin configuration – set to 0x0C – Reserved in the datasheet as it is for the transceiver, CC1101, only. If we look there it means “Serial Synchronous Data Output. Used for synchronous serial mode” So far it looks like these are being setup for some kind of synchronous serial data transfer.
  • SYNC1, SYNC0 – sync word – set to 0xD391. The sync word is a bit pattern that receivers can look out for, in a way people listen out for their name. Oddly, 0xD391 is the default used in the TI software (SmartRF Studio) and code examples. Keeping it as default would likely cause problems in a busy environment (these chips are becoming very common), so this might indicate they are not using the packet control built into the chip.
  • PKTLEN – packet length – set to 0xFF. This is the maximum – 255 packets. It can mean one of three things – fixed packets 255 long, variable length packets up to 255 long, or don’t use the packet control at all. Another sign they might not be using packet control!
  • PKTCTRL0 – Packet automation control – set to 0x12. this is made up of a number of smaller settings:
    • WHITE_DATA – data whitening – set to off.
    • PKT_FORMAT – set to 0b01 –   “Serial Synchronous mode, data in on GDO0“.
    • CRC_EN – enable CRC – set to off.
    • LENGTH_CONFIG – set to 0b10 –  “Infinite packet length packets” – again, bypassing the built in packet control
  • ADDR – address – set to 0x00. This can be used to filter packets down.
  • CHANNR – channel number – set to 0x00. A neat feature of the CC11xx chips is being able to use a number of channels – offsets from the frequency. This can be used for frequency hopping spread spectrum. Not used here though.
  • FREQ2, FREQ1, FREQ0 – frequency control – set to 0x21656a. This equates to 868,299,865kHz. As the channel is set to 0x00, this will be the frequency used.
  • MDMCFG4, MDMCFG3 – modulator configuration, data rate – set to 0x87, 0xF8. This is calculated in a similar way to the frequency using an exponent and mantissa, and gives us 6.24847kBaud. If we look up to MISO/GDO1 in the screenshot above – the clock is showing as 6.25kHz. It’s all starting to come together.
  • MDMCFG2, MDMCFG1, MDMCFG0 – modulator configuration, various. We can see:
    • MOD_FORMAT – modulation – set to 0b000 – 2-FSK.
    • SYNC_MODE – synchronisation mode – set to 0b000 –  “No preamble/sync word”. This means that the system is not using any of the inbuilt packet control. The microprocessor must deal with pre-amble, sync word and so on.
    • NUM_PREAMBLE – number of preamble bytes sent. This is set to 4, but because the SYNC_MODE is set to use no preamble, it is ignored.
    • CHANSPC – channel spacing. If the system was using multiple channels, this decides how far apart they are. This system isn’t so we’ll ignore this.
  • MCSM1, MCSM0 – main radio control state machine config. I’m not going to look in here as it’s unlikely to change how the data is handled.
  • FREND0 – front end TX config. Going to skip this for now.
  • FSCAL4, FSCAL3, FSCAL2, FSCAL1, FSCAL0 – again, RF related and we can skip.
  • FSTEST, PTEST, TEST2, TEST1, TEST0 – various test settings. These are usually defaulted, not explained or shouldn’t be set. Let’s keep it that way.

Immediately after this, the STX strobe command is issued, along with setting IOCFG1 and IOCFG0 again. The SPI stops, GDO0 becomes a clock at 6.5kBaud, and MOSI starts showing data. I don’t know which direction this data and clock are going in, but we can have a good guess.

It looks like the CC1150 is in a mode where it will accept synchronous serial data, generating a clock for the microprocessor to use. Pre-amble, sync, packet length and other features are implemented in the microprocessor. This is an interesting revelation – a huge advantage of the CC11xx chips is the automated packet control, and it has been thrown aside.

Why would this be done? We can only speculate. Asynchronous serial mode is often used by devices when the CC1150 is interfaced to legacy microprocessors – you can just send it raw data and it only does the RF side of things. Ancient 434MHz systems using AM OOK modulation can be changed into narrowband 868MHz products using 2-FSK easily.

Synchronous serial is a bit different – the microprocessor needs to listen to a clock and clock data out. Whilst this is trivial to implement afresh, it doesn’t really fit in with the idea of supporting a legacy application. Maybe Friedland used to use another module that used a similar data exchange.

Decoding an RF packet in a microprocessor isn’t hugely challenging (VirtualWire on the Arduino is a nice example, well implemented), but I have seen numerous systems with quirks and bugs in the packet handling. It’s sometimes even possible to crash receivers using malformed packets.

Now we know how the CC1150 is accepting data – so now we need to try and interpret that data. Next time!

Reverse engineering a wireless burglar alarm, part 3

In part 1, we used some simple tools available to us to look at the modulation and frequency the Response alarms use (868MHz, 2-FSK)

In part 2, we opened the alarm up and looked at the main components in the system (TI CC11xx RF chips with various microprocessors).

Now we are going to try and look at the communication between the microprocessors and the TI CC1150 chips. They have an SPI serial interface, allowing the user to set various registers to control the rich and complex feature set.

I have a number of tools available to me that can sniff SPI. The cheapest is the Bus Pirate. This has an SPI sniffer interface along with a basic logic analyzer. It works well, 90% of the time. If timings are curious or the protocol deviates slightly from normal, it tends to fall over.

I also have an oscilloscope. It is hard work decoding serial though – it doesn’t have any built in protocol analysers.

So I go to my good old friend, the Saleae Logic 8-channel logic analyser. I have had this a number of years and it has rarely let me down. It’s simply brilliant for dealing with embedded systems, and the software is very easy to use and cross-platform.

I’m going to work with the door sensor initially – they are the cheapest and simplest sensors. I was planning on selling unopened sensors, and the PIRs fetch decent prices on ebay (as an aside, the provenance of alarm detectors on eBay is questionable – could this be an attack vector?).

The RF daughterboard has a 8 pin header. We need to work out which is ground, and then we can safely connect the Saleae Logic. We do this using a continuity tester between the battery connector and pins. It looks like pin 1 is ground.

multimeter

Another pin will be the supply, but at this stage, it doesn’t really matter which. I just need to confirm it is <5V to avoid damaging the logic analyser. I connect the board to the power supply and confirm that no voltages are higher than 3V, regulated down from the two CR2032 batteries.

Small wires are soldered to the pin header to make connecting the logic analyser easier.

logic

We then start the logic analyser with no triggering and press the test button on the contact.

DC_initial

Excellent – this looks very much like we have data!

I could at this stage buzz out the pins to the CC1150 chip to work out what the pins do, but the daughterboard is soldered down so the chip is hard to access. I’d rather just have a guess at the pins – we know it is SPI after all.

SPI requires the following pins:

  • CS – chip select, generally active low.
  • SCLK – the clock for the data.
  • MOSI – master out, slave in data.
  • MISO – master in, slave out data.

CS is nearly always going to be the slowest changing pin – let’s zoom in to the beginning of the trace and see what we have:

Chip Select

From this, I’d wager that CS is channel 0.

Now, to look at this trace, it would be easy to assume that channel 3 is a clock – look how regular it is! However, in SPI, because we are transferring at least 8-bits of data, we need at least 8 transitions each time CS is asserted. Channel 3 isn’t nearly fast enough.

What about channel 4 being the clock? The pulses look to short (and on some traces, they are very irregular as well!):

DC_clock2

But if we look a little closer, we can clearly see 8 pulses per CS. There is no requirement for the clock pulses to be regular and they also don’t need to have a 50% duty cycle.

The two other channels with changes are 3 and 5. One will be MOSI, the other MISO – we aren’t really bothered which right now as it won’t have any impact on decoding the data.

I’ll now set up the Saleae Logic’s protocol decoder for SPI on these channels. There are a number of configuration settings, let’s leave them on the defaults and see what happens – it will throw errors or produce obviously squiffy data if incorrect.

data_mmm_mmm

The little orange and green boxes represent decoded data – we just need to zoom in to see what that data is now. I can then export this as CSV to examine in an external program. We have no errors, so we can check if the decoding has worked by examining the packets against the datasheet.

Time [s] Packet ID MOSI MISO
0 0 0x30 0xFF
0.0001085 1 0x01 0xFF
0.00018025 1 0x0B 0xFF
0.00024925 2 0x02 0x0F
0.00032075 2 0x0C 0x0F
0.00038925 3 0x03 0x0F
0.0004615 3 0x07 0x0F
0.0005305 4 0x04 0x0F
0.0006025 4 0xD3 0x0F
0.00067225 5 0x05 0x0F
0.00074475 5 0x91 0x0F
0.00081325 6 0x06 0x0F
0.000886 6 0xFF 0x0F
0.00096775 7 0x08 0x0F
0.00103925 7 0x12 0x0F
0.00110775 8 0x09 0x0F
0.00118 8 0x00 0x0F
0.00124725 9 0x0A 0x0F
0.0013195 9 0x00 0x0F
0.001408 10 0x0D 0x0F
0.00148075 10 0x21 0x0F
0.00154925 11 0x0E 0x0F
0.001622 11 0x65 0x0F
0.0016915 12 0x0F 0x0F
0.00176475 12 0x6A 0x0F
0.00183425 13 0x10 0x0F
0.00190625 13 0x87 0x0F
0.00197525 14 0x11 0x0F
0.002048 14 0xF8 0x0F
0.0021175 15 0x12 0x0F
0.00218975 15 0x00 0x0F
0.00225725 16 0x13 0x0F
0.00232975 16 0x22 0x0F
0.00239825 17 0x14 0x0F
0.002471 17 0xF8 0x0F
0.0025405 18 0x15 0x0F
0.00261325 18 0x50 0x0F
0.00269225 19 0x17 0x0F
0.0027655 19 0x30 0x0F
0.002834 20 0x18 0x0F
0.002906 20 0x18 0x0F
0.00306925 21 0x22 0x0F
0.0031415 21 0x15 0x0F
0.0032105 22 0x23 0x0F
0.00328375 22 0xE9 0x0F
0.00335325 23 0x24 0x0F
0.0034255 23 0x2A 0x0F
0.0034945 24 0x25 0x0F
0.00356725 24 0x00 0x0F
0.0036345 25 0x26 0x0F
0.00370725 25 0x1F 0x0F
0.00379825 26 0x29 0x0F
0.003871 26 0x59 0x0F
0.0039405 27 0x2A 0x0F
0.00401325 27 0x7F 0x0F
0.0041055 28 0x2D 0x0F
0.00417875 28 0x35 0x0F
0.00424825 29 0x2E 0x0F
0.0043215 29 0x09 0x0F
0.00438775 30 0x7E 0x0F
0.004463 30 0x00 0x0F
0.00451425 30 0x0B 0x0F
0.00456675 30 0x25 0x0F
0.0046195 30 0x68 0x0F
0.00467225 30 0x60 0x0F
0.004725 30 0x86 0x0F
0.0047775 30 0xCC 0x0F
0.00483075 30 0xC3 0x0F
0.0049125 31 0x35 0x0F
0.01802275 32 0x36 0x2F

This is exactly what I would expect to see when a micro is controlling a CC1150. Let’s work out what is going on.

We are just going to lock at MOSI – the packets the microcontroller is sending to the CC1150.

The first packet is an 1 byte packet, where 0x30 is sent. If we search for 0x30 in the datasheet, we find out that there are a series of 1 byte packets called “strobe commands” on page 42, table 25 . They all trigger changes in the internal state machine. 0x30, SRES, reset – fairly obvious meaning!

strobes

Next we have a series of 2 byte packets. You can see the first byte of each packet is generally just incrementing one by one. Again, we look through the datasheet and on page 43, table 26, we have a list of the configuration registers. Notice how we skip some numbers – 0x0C, 0x0D – this is because they are only used for reception, not transmission, and the CC1150 is a transmitter only.

I could go through these one by one, explaining how they are configuring the radio. But let’s just look at the most important ones for now, referring to the datasheet.

FREQ2, FREQ1, FREQ0 are stored in 0x0D, 0x0E, 0x0F and are set to 0x21, 0x65, 0x6A respectively. From page 47 of the data sheet, we need to concatenate these (0x21656a) and then use a simple formula to work out the frequency. This gives a result of 868,299,865Hz – almost exactly as we measured.

freq

MDMCFG2, 0x12, contains modulator settings. Bits 6-4 are the modulation format – so let’s look at them. The value written to 0x12 is 0x00,  so bits 6-4 are 0b000. This corresponds to 2-FSK, as we observed before.

DEVIATN, 0x15, tells us the deviation settings (i.e. how far apart the two frequencies will be in 2-FSK). A simple formula is used. Bits 6-4 give us the exponent, and 2-0 give us the mantissa. 0x15 is set to 0x50, so the exponent is 0b101 and the mantissa 0b000. From this we get 50781.25Hz – again, this corresponds to our ~100kHz gap between the two peaks from part 1.

We are now confident that we the SPI traffic we are looking at is correct. Now we need to work out how data is being sent between the two. There are so many different ways this can be done using the CC1150, so we will need to drill into the settings and sniffed traffic in more detail – which we will do in the next part.

Reverse engineering a wireless burglar alarm, part 2

So we have some idea of the modulation and frequency used by the alarm from our initial investigations. That’s only part of the picture really – but at least we know this isn’t using frequency hopping or anything too challenging.

Where to go from here? We take it apart! I’m not even going to power anything up in this instalment – just see what the system is made up of.

The alarm consists of several components…

SL2 official image frrom allaboutelectrics.co.uk

  • A solar powered bell box on the outside wall, with flashing LEDs, PP3 and 6V sealed lead-acid batteries, and a tamper switch.
  • A keypad that mounts inside. This has 3 indicator LEDs, a tamper switch and is powered by a PP3 battery.
  • PIR detectors. These have a single red indicator LED, tamper switch and are powered by a PP3 battery.
  • Door contacts. These have a single red indicator LED, tamper switch, auxialliary contacts, and are powered by two CR2032 lithium batteries.

All use double sided PCBs, which appear well designed and are well made. Quality control stickers are on each board, as are small stickers on microcontrollers that look like firmware versions.

PIR

PIR

What do we see in here?

  • An Elan EM78P418N microprocessor (PDF datasheet). These are essentially Chinese PIC clones that have one-time programmable (OTP) ROM in them. Generally OTP ROM is cheaper than EEPROM. I don’t expect I would have much luck reading the code out as. It might have in-circuit debugging, but the documentation is poor and I have had no luck with other Elan micros.
  • An empty space for the crystal (X1), that indicates the Elan microprocessor is using an internal RC oscillator. This means that the microprocessor is not going to be doing anything requiring accurate timing, whether than be fast asynchronous protocols or waking at specific times. It does mean that at some point they considered using one – why would that be?
  • An empty space for an 8-pin device, U1. There aren’t many 8 pin devices in use these days, only really serial EEPROMS. Pins 1-4 are common and likely ground. The Elan microprocessor has no EEPROM. Optional EEPROMs are interesting – usually the microprocessor will check for the presence of the chip, then check for a “programmed” flag. If the EEPROM is not programmed, it will write the default values and set the “programmed” flag. I might be able to add an EEPROM and see what it could store.
  • A small RF daughterboard, with a TI CC1150 sub-1GHz transmitter (PDF datasheet) and 26MHz crystal. This is one of the CC11xx family – another well known member being the CC1110 SoC transceiver used in the GirlTech IM-ME. They are incredibly versatile and configurable. Importantly, we know that the PIR can only transmit, and not recieve. Many devices used a daughterboard for RF as I believe this can pass certification independent of the whole product and be easily re-used.
  • The rest of the components are the power supply or PIR detector.

Door Contact

DC

  • Another Elan EM78P418N microprocessor. It makes sense to use the same technology across the range if possible.
  • An empty space for a 8-pin SOIC again.
  • No empty space for a crystal – it was never a consideration to use an external crystal for this board.
  • The same RF daughterboard as in the PIR.
  • The coloured wires are my addition!

Keypad

CP

  • Yet another Elan EM78P418N microprocessor.
  • An 8-pin SOIC! HO18 08B1 – not much info on this. Pins 1-4 are grounded so I expect this to be a serial EEPROM.
  • No empty space for a crystal.
  • The same RF daughterboard again. This means the panel can only transmit, not receive. It is not aware of the state of other components,
  • The pin headers and wires are my additions.

Bell box

BB

  • An ATmega88 10MU122 microprocessor (PDF datasheet) – much more exciting (and much more familiar)! These use EEPROM and if the fuses are set right, I can read the EEPROM easily. I always find it interesting when products contain different processor architectures – maintaining two sets of code is an extra burden, so this choice is not made lightly.
  • A cylindrical can crystal with no markings – often these are 32.768kHz crystals for timekeeping. The ATmega88 has a internal RC oscillator which can be quite accurately calibrated, but nowhere near as accurate as an external crystal. Interesting how this is the only component with an external crystal.
  • No EEPROM or space for an EEPROM – probably because the ATmega88 has it built in unlike the Elan micros.
  • A 6-pin populated pin header – Atmel’s in-circuit programming connector is 6-pin. I wouldn’t ever expect anyone to open this and reprogram it though – so why is the header on there?
  • An RF daughterboard that is very similar – expect this time it is a CC1101 transceiver rather than just a transmitter. Interesting! This means that the only component of the alarm system that can receive and transmit is the bell box. This may have implications later.

Summary

So, for the RF side of things, all of the components are using the TI CC11xx chips. These support 2-FSK, fitting in with the findings in part 1. This is nice – I have worked with other systems using two or even three different RF frontends, and it makes things much more complex. We are also quite lucky – the CC11xx chips are very capable of frequency hopping spread spectrum at a high rate. We’re also lucky these aren’t the SoC versions as these have an AES encryption engine which makes strong encryption almost trivial.

Like Adam, I’d rather avoid RF. Luckily, the interface between the CC1101 and CC1150 is by SPI – I can simply sniff the connection between the RF daughterboard and microprocessor to see both the configuration and data. This is a privilege you don’t have if the CC1110 SoC is used – the transceiver and microprocessor are integrated with no easy way to access the config.

Next time, I will look at sniffing the SPI traffic between the microprocessors and RF boards.

Reverse engineering a wireless burglar alarm, part 1

After Adam’s recent post on reverse engineering a wireless doorbell, I thought I would take you through a similar process, but with a different system.

This is a Response SL2 wireless burglar alarm system, purchased from Amazon in late 2011. They seem fairly popular and well-reviewed.

We start our research without even touching the alarm, by using google. Their product page:

Operates on the 868MHz frequency with 20 Bit ID code and 1 million unique codes for added security

 So we already have a hint to where to look in the spectrum. Interesting how they say both “20 Bit ID code” and “1 million unique codes” – it is redundant information, but “20 Bit” sounds technical, so they probably add it for impact.

Notice that a number of keywords haven’t been used here:

  • Narrowband
  • FHSS
  • Spread spectrum
  • Rolling code
  • KeeLoq
  • Encrypted
  • Bi-directional

It’s likely that if the alarm used any of these, they would be making it known.

(As an aside, Friedland did initially tell me the SL series of alarms used rolling code – being a bit free and loose with specs seems to be common in the alarm world…)

DSCF7863

Let’s start off looking at this as if we couldn’t access any of the components. I’ll use my RF Explorer spectrum analyser to take a look at what is going on. The RF Explorer can be used standalone, but if you are next to a PC, the Windows client is really great and much quicker to use.

RF Explorer (wide)

I start by tuning it to 868MHz with a span of 5MHz. This will be wide enough to receive the transmission if it uses spread spectrum, multiple channels, or if the frequency is out. I trigger the alarm, and as you can see I end up with a broad peak at around 868.3MHz. Let’s go in further.

SL2 RF explorer2

Now I can see that I have two peaks, spaced about 100kHz apart. From this static image, you can’t clearly see what is happening over time – is this 2-FSK modulation (where data is encoded as two frequencies), or is it AM on two frequencies (rubbish frequency hopping spread spectrum)? The RF Explorer can’t really tell me – so it’s about time I whipped out my software defined radio

DSCF7865

Why did I start with the RF Explorer? The amplitude measurements are far more accurate and it can show me a much wider range (600MHz) of spectrum all in one go.

This is a TV tuner dongle. Some rather clever people worked out that it has a wideband RF frontend and can be tuned from about 25MHz to about 1750MHz, presenting us with a ~2.8Mbps baseband signal to work with. It is essentially the same as the FunCube used by Adam, but a lot cheaper. It does have some quirks and limitations though – it can be very deaf in certain areas and you see spurious signals due to the super-heterodyne design of the receiver.

SDR#

I can now see the signal from the alarm in a piece of software called SDR# – this not only shows me a spectrum analyser view (amplitude vs frequency), but also a waterfall diagram (frequency vs time). I can see that the two peaks are nearly continuous – I am likely dealing with 2-FSK modulation.

I can record the baseband signal and look at it in an audio editor as well:

Audacity screenshot

This clearly looks like data now.

At this moment, I have several options:

  • Use gnuradio to build a software receiver for 2-FSK. I will still be none the wiser to the protocol, and it will be receive only.
  • Crack open the alarm and take a further look…

Part two will show how I opened the alarm and started to work out what the system was doing….