While driving to work I have seen the advertisement of a Fireworks Festival that’s going to happen in the city. And, as usual, my curiosity brought me to one question: “How they trigger the fireworks?”
Back when I was a contractor I have worked for a company which the main business was demolition with explosives. To give you an idea…
And guess what? They were using a similar method to trigger remotely the charges. But let’s continue this topic later. Now let’s focus on the RF Blasting System.
A quick search on internet returned many products related to the topic. On Amazon I managed to find one for an acceptable price.
Though, before spending 300+ EUR I have asked the seller to send me the manual. And that’s where the challenge started.
While reading it, the sentence #5 hit my curiosity: looks like they are declaring the RF system is using Rolling Code and the likelihood of a potential threat actor to take over the control is pretty low…. “but also maybe appear”. WTF :D
Long-story short… it arrived home the new toy and guess what? No Rolling-Code, No MSK/FSK/GMSK or other strange modulations… Yet another classic 433MHZ Amplitude Shifting Key modulation with On-Off Key. Which translated for the non-RF folks… easy to:
- And of course… Bruteforce.
First of all, I have followed the usual Reverse Engineering approach I use for investigating new RF devices and turned on the winning combination LimeSDR/RTL-SDR + URH. (Disclaimer: since I was focusing on the RF side, I started with the RF analysis. If it wouldn’t have lead to any low-hanging fruit result, I would have started the HW Reverse Engineering approach: tear-down, BoM enumeration and fingerprinting, FCC ID hunting, etc. Luckily for my scarce spare time, I didn’t need it.)
As you can see the center Frequency is around 433MHz, which is a standard frequency for commercial consumer-grade RF devices.
From the Spectrogram we can clearly see that the modulation is ASK.
Now we need to decode the packets and see if we are really dealing with ASK and eventually confirm the sub-modulation type (i.e. OOK, in my assumption).
As you can see, URH successfully managed to decode the packets (with minor tweaking of the Error Tolerance and Bit Length parameters).
Now that we have the binary sequence, we clearly see the duty-cycle of this RF device, where a:
- 1 is encoded as 1110
- 0 is encoded as 1000
No preambles. No ACK packet from the receiving unit. Just a simple broadcast packet. Always repeating itself. Which allows us to eliminate the Rolling-Code assumption. The vendor lied! OR “maybe” not! :D
With all these data we can finally compose the packet that is transmitted to trigger the 1st charge on Area 01:
Now we are ready to give it a try with the Standalone Firmware of WHID Elite and see if it is able to decode them too.
As assumed, WHID Elite can perfectly sniff and decode the packets. In the image above you can see the bit sequences for triggering all charges of Area 01 (the default one of this RF Blasting System), other Areas and the FireAll and RapidFire commands.
- 15532481 Area01 Charge1
- 15532482 Area01 Charge2
- 15532483 Area01 Charge3
- 15532238 All Fire
As you can easily spot the decimal distance between the packets is just matter of few integers. Which means, we can easily bruteforce and thus exhaust the space between them with the main WHID Elite Firmware.
Therefore no more text to read, enjoy the audio/video PoC!
Keep also an eye on my Twitter https://twitter.com/WHID_Injector soon I will make GIVEAWAY for a full set of WHID Elite!
P.S. This is just the beginning. Since ASK/OOK without Rolling Code is not satisfactory enough from challenge point of view… I already started looking for other RF Blasting Systems. As little Teaser, here below some cool stuff I have found. Stay tuned folks!
Yes, you read it right! Is using Bluetooth Low Energy! (I can already smell fun times)!
This is so far my favorite! In the FCC application they left public even the Schematics! :D
As you can see, FCC database is full of these RF Blasting Systems. And space from low frequency (i.e. 40MHz), passing through 160MHz until Bluetooth Low Energy.
I will try my best to find some used ones at an affordable price (since I am doing it in my spare time and without any external funding). If it happens you have one or you know someone that could borrow me for some radio analysis… I owe you a beer and a WHID Elite. ;)