Course 3 – Basic Reverse Engineering

Summary

This course teaches you the principles of reverse engineering digital RF signals. I will guide you through the process of capturing mystery signals and then breaking them down to recover the digital data they contain. Then you’ll learn how to determine the function of each portion of this digital data and use this knowledge to build a transmitter capable of compromising the original system.

As with my first two SDR courses, I will continue to teach using gnuradio, and we will employ it for hands-on projects that illustrate each reverse engineering concept. This is not a lecture-based course, but one built on numerous projects.

Course Result

You’ll learn the steps required to reverse engineer simple RF systems. This includes capturing, demodulating, synchronizing and decoding the signals to recover the digital data being transmitted. You’ll further learn how to determine the function of each bit of the digital data being sent, which will in turn enable you to build transmitters that mimic the function of the original system. You’ll also get a good deal of practice using these techniques on a variety of mystery signals.

Prerequisites

You should be familiar with using gnuradio for building analog and digital radios, both transmitters and receivers, using OOK and FSK. You can acquire these SDR skills by taking my first two classes or by learning them on your own.

Additionally, we will be using Python to do some basic data processing. Familiarity with Python will be helpful for this portion of the course (1-2 hours), but it is not required.

You will not need to bring anything to the class. You will use our laptops and SDR hardware.

Description

My brother and I co-authored the Field Expedient SDR book series and have taught SDR to students who possessed widely varying degrees of proficiency. Based on these experiences, we believe that it takes four days of training for a newcomer to become proficient building analog and digital radios with gnuradio and SDR. It then takes another two days to learn the basics of reverse engineering RF signals.

This course comprises the last two days of that sequence, and is for those who have taken my first two courses or have self-taught the basics of analog and digital SDR.

As with my book series, this class avoids highly mathematical engineering lectures and focuses on teaching through a number of practical, hands-on exercises. We won’t just talk about reverse engineering, we’ll actually reverse a number of different signals and physical systems. One of the most important factors in developing reverse engineering effectiveness is practice – and you’ll get plenty of that.

We start with a simple but broad set of projects, covering all of the major steps in the reverse engineering process: capturing, demodulating, decoding, identifying payload function and building a takeover transmitter. Throughout the rest of the course, we tackle problems that increase the complexity of one or more of these steps.

We’ll also use some rudimentary Python code to streamline our gnuradio flowgraph as well as analyze large payload sets to determine the function of each payload bit.

Finally, we’ll work through some projects related to key practical reverse engineering issues such as capturing intermittent signals, reducing the size of large IQ files and implementing capture-replay exploits.
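The bulk payload analysis mentioned above (and in the Day 2 statistical-analysis and error-checking sessions) can be illustrated with a short Python example; this is an added example, not course material, and the 24-bit fob format, the fob ID 0xA5 and the captures it generates are all constructed here:

```python
"""Per-bit statistics over a set of captured payloads to guess each bit's
function. The 24-bit layout, the fob ID and the capture set are constructed
for this example (hypothetical format, not a real product)."""
from typing import Dict, List

def build_payload(ident: int, counter: int, button: int) -> str:
    """Hypothetical fob format: 8-bit fixed ID | 8-bit counter | 4-bit button
    | 4-bit checksum (XOR of the five preceding nibbles)."""
    nibbles = [ident >> 4, ident & 0xF, counter >> 4, counter & 0xF, button]
    check = 0
    for n in nibbles:
        check ^= n
    word = (ident << 16) | (counter << 8) | (button << 4) | check
    return format(word, "024b")

# Constructed capture: one fob (ID 0xA5) pressed 8 times, two different buttons.
PAYLOADS = [build_payload(0xA5, 0x30 + i, 0x1 if i % 4 else 0x2) for i in range(8)]

def bit_stats(payloads: List[str]) -> List[Dict[str, float]]:
    """For every bit position: fraction of captures in which the bit is 1, and
    fraction of consecutive captures in which the bit changes value."""
    n = len(payloads)
    stats = []
    for pos in range(len(payloads[0])):
        column = [p[pos] for p in payloads]
        ones = column.count("1") / n
        toggles = sum(a != b for a, b in zip(column, column[1:])) / (n - 1)
        stats.append({"ones": ones, "toggles": toggles})
    return stats

def classify(stats: List[Dict[str, float]]) -> List[str]:
    """Heuristic labels: constant bits are usually ID or preamble; a bit that
    flips on every capture is a counter LSB; rarely-set bits look like button
    flags; anything else needs more captures or a checksum hypothesis test."""
    labels = []
    for s in stats:
        if s["ones"] in (0.0, 1.0):
            labels.append("constant")
        elif s["toggles"] >= 0.9:
            labels.append("counter-lsb")
        elif s["ones"] <= 0.3 or s["ones"] >= 0.7:
            labels.append("sparse/flag")
        else:
            labels.append("varying")
    return labels

def checksum_holds(payload: str) -> bool:
    """Test the hypothesis that the last nibble is the XOR of all the others."""
    nibbles = [int(payload[i:i + 4], 2) for i in range(0, len(payload), 4)]
    x = 0
    for n in nibbles[:-1]:
        x ^= n
    return x == nibbles[-1]
```

Note that the heuristic mislabels some checksum bits as flags on only eight captures; the checksum hypothesis test, not the per-bit statistics, is what settles their function.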

Outline

Day 1
  1. Class goals and methods
  2. Reverse Engineering from 10,000 feet
  3. Finding signals – The Simple Case
  4. Capturing Raw IQ Data
  5. Project – Finding and Capturing the Mystery Fob Transmission
  6. Determining the Modulation Scheme
  7. Review of On-Off Keying
  8. Project – Reversing the Fob’s Modulation
  9. Review of NRZ Encoding
  10. Project – Reversing the Fob’s Encoding
  11. Tips for Reversing Simple Protocols
  12. Project – Reversing the Fob’s Bit Function
  13. Methods for Building Baseband Waveforms
  14. Setting Baseband Timing Using Standardized Variables
  15. Review of OOK Transmission
  16. Project – Transmitting Fob Takeover Signal
  17. Recap of Reverse Engineering Steps
  18. Reversing Protocols with Incomplete Information
  19. Project – Reversing Fan Controller Modulation
  20. Project – Reversing Fan Controller Encoding
  21. Project – Reversing Fan Controller Bit Function
  22. Project – Build Fan Controller Takeover Transmitter
  23. Lunch
  24. Reversing Bits with Incomplete Information
  25. Project – Modify Fan Controller to Takeover Second Fan
  26. Review of FSK
  27. Project – Reversing FSK Signal
  28. Review of GFSK
  29. GFSK Quirks
  30. Project – Reversing GFSK Signal
  31. Modular Radio Design
  32. Clock Synchronization
  33. Review of Standard Symbol Timing Variables
  34. Preamble Detection
  35. Project – Identifying and Tagging Preambles
  36. Correlate Access Code – Tagged Stream – Fixed Length Block
  37. Project – Detecting Preambles and Extracting Raw Payloads
  38. Repacking Bits and Using PDUs for Simple Output
Day 2
  1. Python and Reverse Engineering
  2. Project – Processing Raw Payloads
  3. Payload Encodings
  4. Decoding Payloads with Python
  5. Project – Identify Payload Encoding and Decode with Python
  6. Determining Bit Function – Less Simple Protocols
  7. Statistical Analysis of Payloads
  8. Likely Statistical Properties by Payload Type
  9. Project – Statistical Analysis of Bulk Payloads
  10. Error Checking
  11. Parity Bits and Arithmetic Checksums
  12. Project – Simple Error Checking
  13. CRCs
  14. Python CRC Library
  15. Project – Python Loops and List Processing
  16. Project – Bulk CRC Checking
  17. Break for Lunch
  18. Practical Reverse Engineering Issues
  19. Capturing Intermittent Transmissions
  20. Project – Capturing Intermittent Transmissions
  21. File Size Reduction – Frequency
  22. File Size Reduction – Time
  23. Project – Reducing the Size of a Huge IQ File
  24. Capture-Replay Exploits
  25. How Capture-Replay Exploits Work
  26. Project – Capture-Replay with Simple Remote Controlled System
  27. Rolling Codes
  28. Capture-Replay with Man-In-The-Middle Exploit
  29. The FCC database
  30. Recap

Note that the syllabus above may change slightly based on the needs and interests of any particular class of students.