This course teaches you the principles of reverse engineering digital RF signals. I will guide you through the process of capturing mystery signals and then breaking them down to recover the digital data they contain. Then you’ll learn how to determine the function of each portion of this digital data and use this knowledge to build a transmitter capable of compromising the original system.
As with my first two SDR courses, I will continue to teach using gnuradio, and we will employ it for hands-on projects that illustrate each reverse engineering concept. This is not a lecture-based course, but one built on numerous projects.
You’ll learn the steps required to reverse engineer simple RF systems. This includes capturing, demodulating, synchronizing and decoding the signals to recover the digital data being transmitted. You’ll further learn how to determine the function of each bit of the digital data being sent, which will in turn enable you to build transmitters that mimic the function of the original system. You’ll also get a good deal of practice using these techniques on a variety of mystery signals.
You should be familiar with using gnuradio for building analog and digital radios, both transmitters and receivers, using OOK and FSK. You can acquire these SDR skills by taking my first two classes or by learning them on your own.
Additionally, we will be using Python to do some basic data processing. Familiarity with Python will be helpful for this portion of the course (1-2 hours), but it is not required.
You will not need to bring anything to the class. You will use our laptops and SDR hardware.
My brother and I co-authored the Field Expedient SDR book series and have taught SDR to students who possessed widely varying degrees of proficiency. Based on these experiences, we believe that it takes four days of training for a newcomer to become proficient building analog and digital radios with gnuradio and SDR. It then takes another two days to learn the basics of reverse engineering RF signals.
This course comprises the last two days of that sequence, and is for those who have taken my first two courses or have self-taught the basics of analog and digital SDR.
As with my book series, this class avoids highly mathematical engineering lectures and focuses on teaching through a number of practical, hands-on exercises. We won’t just talk about reverse engineering, we’ll actually reverse a number of different signals and physical systems. One of the most important factors in developing reverse engineering effectiveness is practice – and you’ll get plenty of that.
We start with a simple, but broad set of projects, covering all of the major steps in the reverse engineering process: capturing, demodulating, decoding, ID-ing payload function and building a takeover transmitter. Throughout the rest of the course, we tackle problems that increase the complexity of one or more of these steps.
We’ll also use some rudimentary Python code to streamline our gnuradio flowgraph as well as analyze large payload sets to determine the function of each payload bit.
Finally, we’ll work through some projects related to key practical reverse engineering issues such as capturing intermittent signals, reducing the size of large IQ files and implementing capture-replay exploits.
- Class goals and methods
- Reverse Engineering from 10,000 feet
- Finding signals – The Simple Case
- Capturing Raw IQ Data
- Project – Finding and Capturing the Mystery Fob Transmission
- Determining the Modulation Scheme
- Review of On-Off-Keying
- Project – Reversing the Fob’s Modulation
- Review of NRZ Encoding
- Project – Reversing the Fob’s Encoding
- Tips for Reversing Simple Protocols
- Project – Reversing the Fob’s Bit Function
- Methods for Building Baseband Waveforms
- Setting Baseband Timing Using Standardized Variables
- Review of OOK Transmission
- Project – Transmitting Fob Takeover Signal
- Recap of Reverse Engineering Steps
- Reversing Protocols with Incomplete Information
- Project – Reversing Fan Controller Modulation
- Project – Reversing Fan Controller Encoding
- Project – Reversing Fan Controller Bit Function
- Project – Build Fan Controller Takeover Transmitter
- Reversing Bits with Incomplete Information
- Project – Modify Fan Controller to Takeover Second Fan
- Review of FSK
- Project – Reversing FSK Signal
- Review of GFSK
- GFSK Quirks
- Project – Reversing GFSK Signal
- Modular Radio Design
- Clock Synchronization
- Review of Standard Symbol Timing Variables
- Preamble Detection
- Project – Identifying and Tagging Preambles
- Correlate Access Code – Tagged Stream – Fixed Length Block
- Project – Detecting Preambles and Extracting Raw Payloads
- Repacking Bits and Using PDUs for Simple Output
- Python and Reverse Engineering
- Project – Processing Raw Payloads
- Payload Encodings
- Decoding Payloads with Python
- Project – Identify Payload Encoding and Decode with Python
- Determining Bit Function – Less Simple Protocols
- Statistical Analysis of Payloads
- Likely Statistical Properties by Payload Type
- Project – Statistical Analysis of Bulk Payloads
- Error Checking
- Parity Bits and Arithmetic Checksums
- Project – Simple Error Checking
- Python CRC Library
- Project – Python Loops and List Processing
- Project – Bulk CRC Checking
- Break for Lunch
- Practical Reverse Engineering Issues
- Capturing Intermittent Transmissions
- Project – Capturing Intermittent Transmissions
- File Size Reduction – Frequency
- File Size Reduction – Time
- Project – Reducing the Size of a Huge IQ File
- Capture-Replay Exploits
- How Capture-Replay Exploits Work
- Project – Capture Replay with Simple Remote Controlled System
- Rolling Codes
- Capture-Replay with Man-In-The-Middle Exploit
- The FCC database
- Final Project – Full Reversing of Tire Pressure Management Sensors
Note that the syllabus above may change slightly based on the needs and interests of any particular class of students.