Software Defined Radio
Project SDR
Begin using SDR software with sound cards. Then purchase "super sound card" kits. Move up to FPGA-based kits that enable simulating GPS satellites, cell phone towers, RFID tag read/write, Bluetooth scanners, Wi-Fi (ad hoc), XBee, tire pressure sensor receivers, etc.
Conceive
The diagram shows how a tire pressure monitoring system (TPMS) normally functions:
In newer cars with the TPMS pre-installed, the engine control unit (ECU) sends an activation transmission at 125 kHz to the TPMS sensor in the tire. After-market TPMS tend to be activated by the rotation of the tire once it reaches about 20-25 mph[1]. (An alternative method of activating the TPMS is simply to stick a magnet to it[2].) The tire sensor then transmits (normally at 315 MHz for American cars and 433 MHz for European cars) a packet containing:
- Preamble
- Sensor ID (normally 32 bit, but can be 28 bit or higher)
- Pressure
- Temperature
- Flags (this is the only part that causes warning lights to come on in the vehicle)
- Checksums
Security Risks/Starting Points
- Spoofing: The biggest security flaw that can be taken advantage of is the complete lack of encryption for these transmissions. Because every packet that validates goes directly to the ECU, this leaves the gates wide open for spoofing attacks, as the students from the University of South Carolina and Rutgers showed at the USENIX conference in 2010.
- Tracking: Any vehicle with TPMS can be tracked by recording its 4-5 distinct sensor IDs (which are not encrypted) and then recording the times at which they appear at different locations. (Note about tracking vehicles on the move: because the sensor only transmits once per minute, an activation transmission would have to be sent out in advance, timed according to the transmission time and the vehicle's speed.)
The number of cars on the road susceptible to TPMS hacking is increasing due to the passing of the TREAD Act, which required all American cars manufactured after 2008 to include TPMS.
Design
Materials
- Tire Pressure Monitoring System (specs to the right)
- The Universal Software Radio Peripheral (USRP) with GNU Radio would be the optimal device to send transmissions, seeing as "Its sampling and synthesis bandwidth is a thousand times that of PC sound cards, which enables wideband operation" [w:Software-defined_radio#SDR_Projects], but they cost between $650 and $1,700
- Low Noise Amplifier (if the range of transmission needs to be increased) ~$100
- Frequency Mixer (depending on how signals are being generated)
- Computer
For Surveillance
A setup like the one shown in the diagram can be used to record sensor IDs, tire pressure, and all the other information contained in the data packets. The design basically swaps in an SDR to send and receive transmissions instead of the ECU. First, the SDR sends the 125 kHz activation signal to the tire sensor. Next, the tire sensor sends a data packet to the SDR, which displays it on the computer. The Low Noise Amplifier (yellow box in the diagram) is not always necessary, but the students from USC and Rutgers found that it increased the receiver's range from 10 to 40 meters.[3] After capturing the RF transmission, the modulation scheme, encoding scheme, and message format must all be determined. The Rutgers team determined the modulation scheme to be ASK (amplitude-shift keying) and the encoding scheme to be Manchester.
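The packet fields listed under Conceive and the ASK/Manchester scheme identified above, worked through as an added Python example (not code from the original project or the Rutgers study): it Manchester-decodes a constructed capture into sensor ID, pressure, temperature, flags and checksum, and adds the receiver-side check an ECU would need, since the page notes the ECU currently acts on every packet that validates. The field layout, the 8-bit additive checksum and the sample values are assumptions made for this example, not a real vendor format.

```python
from dataclasses import dataclass

@dataclass
class TpmsFrame:
    sensor_id: int
    pressure: int
    temperature: int
    flags: int
    checksum: int
    checksum_ok: bool

def manchester_decode(chips: str) -> str:
    """Turn Manchester chips into bits ('01' -> 1, '10' -> 0, IEEE 802.3 sense).
    An odd chip count or a '00'/'11' pair indicates a demodulation error."""
    if len(chips) % 2:
        raise ValueError("odd number of chips")
    table = {"01": "1", "10": "0"}
    try:
        return "".join(table[chips[i:i + 2]] for i in range(0, len(chips), 2))
    except KeyError as exc:
        raise ValueError(f"invalid Manchester pair {exc}") from None

def parse_frame(bits: str) -> TpmsFrame:
    """Split 64 payload bits (preamble already stripped) into the fields listed
    on the page. The layout (32-bit ID, 8-bit pressure, temperature, flags,
    checksum) and the 8-bit additive checksum are assumptions for this example."""
    if len(bits) != 64:
        raise ValueError("expected 64 payload bits")
    payload = int(bits, 2).to_bytes(8, "big")
    expected = sum(payload[:7]) & 0xFF
    return TpmsFrame(
        sensor_id=int.from_bytes(payload[:4], "big"),
        pressure=payload[4], temperature=payload[5], flags=payload[6],
        checksum=payload[7], checksum_ok=payload[7] == expected,
    )

def ecu_decision(frame: TpmsFrame, paired_ids: set) -> str:
    """Receiver-side check: a checksum only detects corruption, so a frame must
    also carry an ID paired to this vehicle before its flags are acted on."""
    if not frame.checksum_ok:
        return "reject: checksum mismatch"
    if frame.sensor_id not in paired_ids:
        return "reject: unknown sensor id"
    return "accept"

# Constructed sample capture: ID 0x12345678, 32 psi, 25 C, no flags, checksum 0x4D.
SAMPLE_BYTES = bytes([0x12, 0x34, 0x56, 0x78, 32, 25, 0x00, 0x4D])
SAMPLE_CHIPS = "".join("01" if b == "1" else "10"
                       for b in format(int.from_bytes(SAMPLE_BYTES, "big"), "064b"))
```

The paired-ID check is a mitigation, not a fix: without authentication a recorded frame from a paired sensor still validates, which is why the page calls the lack of encryption the biggest flaw.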
For Transmitting
The message being sent must go through a packet generator, which is based on the information gained from the surveillance step. After the message has been formatted, modulated, and encoded properly, it is transmitted using the SDR. In the Rutgers study, GNU Radio and a USRP were used as the SDR, and the frequency mixer was needed because separate daughterboards were used to generate the tone and to generate the data.
Implement
Problem SDR
Develop and demonstrate the ability to use tools that monitor and simulate all sorts of wireless communication.
Starting Point
Continue working on the tire pressure monitoring system.
Outline of project
- Get the wireless tire pressure monitoring system to work.
- Intercept and interpret the wireless signal.
Fake Tire Creation
Use PVC pipe large enough to insert the pressure transmitter.
Photos (captions only; images not reproduced): Digital Caliper with Sensor; Drill Used; Fake Tire Drill Hole; Sensor in Fake Tire; Pipe Used; Complete Fake Tire.
Why was the previous design scrapped? Where is the documentation of what went wrong?
Powering on Receiver
Photos (captions only; images not reproduced): Exposed Power Adapter; not working.
The transmitter comes with a car adapter power cable. Instead of using this, wires were connected to the adapter so that it could be connected to a 12-volt battery or other supply. (Photo: Car Adapter)
This did not work with multiple power supplies, so the power cable adapter was removed, exposing the inner cables. This was done in case the fuse or other wiring was faulty.
This still did not fix the transmitter. It still will not power on.
The next step is to try a new power cable. If this does not work, the transmitter will be modified so that direct power can be supplied to it.
Powering on Transmitter
The transmitter was modified by removing the car adapter and connecting the internal wires to a power supply: red and green wires to positive, black wire to negative. The transmitter now powers on.
Photo (caption only): connection to power on.
Sensor to Transmitter
The fake tire is complete and was tested at 60-80 psi. The transmitter and sensor do not communicate. The TPMS states that it operates at 0-77 psi. This method seems flawed and is not working.
Photo (caption only): power on.
If the sensor is grey, it contains a G-sensor (accelerometer). To put it into working mode it is not enough to inflate to the configured pressure (14.5 psi); the sensor also needs to be rotated at some minimum speed.
Let's look at the state graph here: http://avtoprofi.ru/images/carax/Carax_TPMS_CRX-1001_dopnew_m.png
GNU Radio
Must be run on Ubuntu. GNU Radio running in an Ubuntu virtual machine does not reach a functional level of performance; it must be run in a native Ubuntu environment.
Immediate next steps
- Possible new starting points
- Keep trying the fake tire.
- Try a magnetic pulse to simulate the 'wake-up' frequency.
- Try simulating the RPM of a car at 20 mph.