Last week I was looking for new targets to test WHID Elite’s Radio Hacking capabilities and suddenly I found an interesting one: an Electrocuting Cock Ring. Yes, you read it correctly (what can’t you find on Amazon…).
Long story short… yesterday the new toy arrived home and guess what? No rolling code, no MSK/FSK/GMSK or other exotic modulations… just a classic 433 MHz Amplitude Shift Keying (ASK) modulation with On-Off Keying (OOK). Which, translated for the non-RF folks, means it is easy to:
First of all, I followed the usual reverse engineering approach I use when investigating new RF devices and turned on the winning combination: LimeSDR/RTL-SDR + URH. (Disclaimer: since I was focusing on the RF side, I started with the RF analysis. Had it not led to any low-hanging fruit, I would have moved on to the hardware reverse engineering approach: tear-down, BoM enumeration and fingerprinting, FCC ID hunting, etc. Luckily for my scarce spare time, I didn’t need it.)
As you can see, the center frequency is around 433 MHz, which is a standard frequency for commercial consumer-grade RF devices.
From the spectrogram we can clearly see that the modulation is ASK, despite some harmonics on the side (most likely caused by the low-cost transmitter used by the manufacturer).
Now we need to decode the packets, see if we are really dealing with ASK and confirm the sub-modulation type (i.e. OOK, as I assume).
As you can see, URH successfully managed to decode the packets (with minor tweaking of the Error Tolerance and Bit Length parameters).
Now that we have the binary sequence, we can clearly see the duty cycle of this RF device, where a:
No preambles. No ACK packet from the receiving unit. Just a simple broadcast packet, always repeating itself. Which allows us to eliminate the rolling-code assumption.
With all these
Now we are ready to give it a try with the standalone firmware of WHID Elite and see if it is able to decode them too.
As expected, WHID Elite sniffs and decodes the packets perfectly. In the image above you can see the two types of packets:
As you can easily spot, the decimal distance between the two types of packets is just a matter of a few integers. Which means we can easily fuzz, and thus exhaust, the space between them with the main WHID Elite firmware.
Therefore, no more text to read; enjoy the audio/video 🙂
Keep an eye on my Twitter https://twitter.com/WHID_Injector: soon I will be running a GIVEAWAY of a full set of WHID Elite!
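As an added illustration (my code, not the author’s or WHID Elite’s), here is a minimal OOK bit-slicer in Python with the two parameters the post tweaks in URH, bit length and error tolerance, followed by the two checks a defender would run on the decoded packets: whether consecutive packets repeat unchanged (fixed code, no rolling code) and how far apart the two command codes sit. The envelope samples and the 8-bit command codes are constructed, and the tolerance semantics are my assumption rather than URH’s documented behaviour.

```python
# Added example (not the author's code): an OOK bit-slicer with the two knobs the
# post tunes in URH, a bit length (samples per symbol) and an error tolerance, plus
# two checks on the decoded packets. The envelope and packet values are constructed.
BIT_LEN = 4  # samples per symbol in the constructed envelope

def make_envelope(bits: str, bit_len: int = BIT_LEN, noise: float = 0.05) -> list:
    """Build a constructed amplitude envelope: carrier burst for '1', silence for '0'."""
    env = []
    for i, b in enumerate(bits):
        level = 1.0 if b == "1" else 0.0
        # small deterministic ripple so the threshold decision is not trivial
        env.extend(level + noise * (-1) ** (i + k) for k in range(bit_len))
    return env

def ook_decode(env: list, bit_len: int = BIT_LEN, threshold: float = 0.5,
               tolerance: int = 0) -> str:
    """Slice the envelope into symbols of bit_len samples and decide each one.
    `tolerance` is how many samples per symbol may disagree with the decision
    before the symbol is flagged '?' (my reading of what an error tolerance does;
    URH's exact semantics are not claimed here)."""
    out = []
    for start in range(0, len(env) - bit_len + 1, bit_len):
        highs = sum(1 for s in env[start:start + bit_len] if s > threshold)
        if highs >= bit_len - tolerance:
            out.append("1")
        elif highs <= tolerance:
            out.append("0")
        else:
            out.append("?")  # timing slip or noise burst inside this symbol
    return "".join(out)

def is_fixed_code(packets: list) -> bool:
    """Rolling-code devices change the payload on every transmission; a device that
    repeats the identical packet (as observed in the post) uses a fixed code, so a
    captured packet stays valid and the link offers no replay protection."""
    return len(set(packets)) == 1

def decimal_distance(a: str, b: str) -> int:
    """Gap between two decoded command codes read as integers; a small gap means
    the two commands sit next to each other in a tiny command space."""
    return abs(int(a, 2) - int(b, 2))

if __name__ == "__main__":
    cmd_a, cmd_b = "10110011", "10110110"   # constructed 8-bit command codes
    decoded = ook_decode(make_envelope(cmd_a))
    print(decoded, is_fixed_code([decoded] * 3), decimal_distance(cmd_a, cmd_b))
```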
About the author: Luca Bongiorni
Luca is wo