Monday, July 7, 2014

Cloning a parking-gate remote control signal with RTL-SDR and the TI eZ430 sports watch (eZ430-Chronos Watch)


Source: http://www.ontarioparking.com

Two students from Tel Aviv University, Ido Livneh and Gil Freidlin, used a software-defined radio dongle (RTL-SDR, Software Defined Radio) to receive and analyze the signal of a parking-gate remote control, decoded it, and copied the decoded code into a TI eZ430 sports watch. When a button on the watch is pressed, the watch transmits the same control signal as the gate remote, and the gate opens or closes just as easily as with the original remote.

The whole process breaks down into two steps:

The first step is to receive the remote's signal with the RTL-SDR dongle and the HDSDR (High Definition Software Defined Radio) program running on Windows, work out the code it carries from the recording, and then load that code into the TI eZ430 sports watch. The second step is to have the watch transmit that code whenever its button is pressed.

Signal decoding and copying stage

Looking at the remote's transmitter and receiver units and the encoder/decoder chips inside them, it is not hard to see that the job is only to recover the code that the transmitter chip emits; the receiving end can be ignored. Because the PT2260 is a fixed-code encoder (the same code word is sent on every press, with no rolling counter), a single clean recording of one press is all the attacker needs.
Remote transmitter (right) and receiver (left)
Close-up of the transmitter's encoder chip (right, PT2260 encoder) and the receiver's decoder chip (left, PT2272 decoder)

If you have read the post "[ Wireless-RF] 使用樹莓派模擬 HT12E 遙控器編碼晶片的編碼格式" ([Wireless-RF] Emulating the HT12E remote-control encoder chip's code format with a Raspberry Pi) on this blog, you will notice that both have the same end goal; the only differences are the transmitting and receiving hardware and the chip being cloned. The idea carries over directly.
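As an added example (it is not part of the original post and is not the Copy2GO analyze_signal.py script), the following Python 3 code reconstructs what the analysis stage has to do for a PT2260-family remote: take the demodulated on/off envelope of a recording, run-length encode it into pulses, recover the chip's clock period alpha from the shortest pulses, and read off the 12 tri-state symbols that precede the long sync gap. The pulse timings (4/12/124 clock periods) are from the PT2260 datasheet; the code word "0F1F0011F0F1", the 320 µs clock, the 48 kHz sample rate, the 0.5 threshold and the 8% timing jitter are constructed values for the demonstration. It also shows why the attack is cheap: the decoded word is the entire secret, and anything that can reproduce those pulse lengths can replay it.

```python
"""Recover a PT2260 fixed-code word from a recorded on/off-keyed envelope.

Added example for this post; it is not the Copy2GO analyze_signal.py. The
pulse timings come from the PT2260 datasheet; the code word, clock period,
sample rate, threshold and jitter below are constructed for the demo.
"""
import random

# PT2260 waveform in units of the chip clock period "alpha" (set by the
# remote's oscillator resistor, so it must be measured, not assumed):
#   '0' pulse : high 4a, low 12a       '1' pulse : high 12a, low 4a
#   code bit  : two pulses -> "00" = 0, "11" = 1, "01" = F (floating)
#   sync bit  : high 4a, low 124a, closes the 12-symbol code word
SHORT, LONG, SYNC_LOW = 4, 12, 124
SYMBOL_TO_PULSES = {"0": "00", "1": "11", "F": "01"}
PULSES_TO_SYMBOL = {v: k for k, v in SYMBOL_TO_PULSES.items()}


def pt2260_encode(code, alpha_us, repeats=1, jitter=0.0, seed=1):
    """Envelope of `code` as (level, duration_us) pulses, with optional timing jitter."""
    if len(code) != 12 or any(c not in SYMBOL_TO_PULSES for c in code):
        raise ValueError("a PT2260 code word is 12 tri-state symbols from 0/1/F")
    rng = random.Random(seed)  # seeded so the jittered capture is reproducible

    def dur(units):
        return units * alpha_us * (1 + rng.uniform(-jitter, jitter))

    pulses = []
    for _ in range(repeats):  # a held button repeats the word back to back
        for sym in code:
            for p in SYMBOL_TO_PULSES[sym]:
                hi, lo = (SHORT, LONG) if p == "0" else (LONG, SHORT)
                pulses += [(1, dur(hi)), (0, dur(lo))]
        pulses += [(1, dur(SHORT)), (0, dur(SYNC_LOW))]
    return pulses


def pulses_to_samples(pulses, sample_rate, high=0.9, low=0.1):
    """Render pulses as an amplitude trace; stands in for an HDSDR recording."""
    out = []
    for level, us in pulses:
        out += [high if level else low] * max(1, round(us * sample_rate / 1e6))
    return out


def samples_to_pulses(samples, sample_rate, threshold):
    """Threshold and run-length encode an amplitude trace into (level, duration_us)."""
    pulses, level, run = [], None, 0
    for s in samples:
        cur = 1 if s >= threshold else 0
        if cur == level:
            run += 1
            continue
        if level is not None:
            pulses.append((level, run * 1e6 / sample_rate))
        level, run = cur, 1
    if level is not None:
        pulses.append((level, run * 1e6 / sample_rate))
    return pulses


def pt2260_decode(pulses):
    """Return (code_words, alpha_us): every complete word found plus the recovered clock.

    Short/long is judged relative to the recovered alpha, so the remote's
    oscillator setting need not be known; frames with a malformed pair are dropped.
    """
    durations = sorted(d for _, d in pulses)
    if not durations:
        return [], None
    cluster = [d for d in durations if d < 2 * durations[0]]  # the 4a pulses
    alpha = cluster[len(cluster) // 2] / SHORT

    def klass(level, d):
        if level == 0 and d > SYNC_LOW / 2 * alpha:
            return "S"  # sync gap
        return "L" if d > (SHORT + LONG) / 2 * alpha else "s"

    words, frame = [], []
    for level, d in pulses:
        k = klass(level, d)
        if k != "S":
            frame.append((level, k))
            continue
        body = frame[:-1]  # strip the 4a high that leads into the sync gap
        if len(body) == 48 and frame[-1] == (1, "s"):
            symbols = ""
            for i in range(0, 48, 4):  # one symbol = hi, lo, hi, lo
                q = body[i:i + 4]
                levels_ok = [p[0] for p in q] == [1, 0, 1, 0]
                pairs_ok = q[0][1] != q[1][1] and q[2][1] != q[3][1]
                pair = "".join("0" if p[1] == "s" else "1" for p in (q[0], q[2]))
                symbols += PULSES_TO_SYMBOL.get(pair, "?") if levels_ok and pairs_ok else "?"
            if "?" not in symbols:
                words.append(symbols)
        frame = []
    return words, alpha


if __name__ == "__main__":
    code, alpha = "0F1F0011F0F1", 320.0  # constructed remote: code word and clock (us)
    capture = pulses_to_samples(pt2260_encode(code, alpha, repeats=3, jitter=0.08), 48000)
    print(pt2260_decode(samples_to_pulses(capture, 48000, 0.5)))
```

The decoder deliberately recovers alpha from the capture instead of taking it as a parameter: every remote has its own oscillator resistor, and the same measured alpha is exactly what a transmitter such as the watch firmware needs in order to reproduce the pulse lengths. A recording that starts in the middle of a word yields a short first frame, which the length check discards; the repeated words that follow decode normally.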

Signal transmission stage

For the hardware and software requirements, see the list below and download what you need from the links given in the text.

Hardware requirements:
  1. A standard PC running Windows.
  2. TI eZ430-Chronos watch kit, along with its RF access point and reprogramming dongle. It costs $58 (as of May 2014) directly from the TI e-store, or $99 from Amazon.
  3. RTL-SDR USB radio kit. We specifically used RTL2832+R820. It can be bought for about $10-$15 on eBay.
  4. The remote control that you wish to copy.

Software requirements:
  1. TI Chronos Control Center. It installs the drivers for the access point as well. Installing the third-party drivers on Windows 8 might be problematic. If so, follow these instructions to proceed.
  2. TI Code Composer Studio V5. Use this IDE to compile and upload the code to the watch platform. Watch this for good initial tips on working with the IDE. Alternatively, you can use the Control Center to update the code on the watch over the RF link without connecting it directly to the computer; this is slower and much more costly in terms of the watch's battery life.
  3. The code of our Chronos project. You can find it here.
  4. Helper Python scripts. You can find them here. They include:
    a. configure_chronos.py - our configuration tool, which connects to the watch through its RF access point.
    b. chronic.py - library needed for communication with the Chronos watch.
    c. analyze_signal.py - our analysis tool, which analyzes the original RF signal and outputs the configuration needed for the watch.
    d. gilido_params.txt - the parameters file output for our remote control. You don't need it, but it can be used as a reference.
  5. Be sure to be running Python 2.7. You also need to download the pyserial library. We recommend using the pip tool, which finds, downloads and installs the correct version of Python libraries.
  6. The HDSDR software and other necessary tools, as well as a practical "how to" guide, can be found here. A good and comprehensive installation guide can be found here. Elevated permissions are required for the installation process.
  7. You can visually analyze the WAV file outputs using the open-source Audacity platform, which we recommend. It is not needed to complete the task, but it is handy and it helped us in debugging. If you have access to a MATLAB environment, it can easily be done there as well.

The full document (23 pages) can be downloaded here: Copy2GO: Low cost copy lab for simple remote controls using TI-Chronos platform.pdf


For more detail on copying the signal onto the watch, refer to that document; everything is in there.


<< eZ430-Chronos-Watch series of posts on this shop blog >>
