Today, I released gr-keyfob, a GNU Radio out of tree module to decode and re-encode some wireless key fobs from Hella.
These keys are usually used in Audis, VWs, and Skodas, but not the brand new ones with a passive entry system.
I will give a short talk at the SDR Academy, co-located with HAM RADIO, where I describe the workflow and the tools I used to build a receiver.
To see what’s inside, I bought one on eBay and cracked it open.
Here are some photos at different stages of the disassembly process.
  
Finally, our replacement units from Cohda Wireless arrived. 
Last year, we found that the MAC layer of the MK2 series devices had some bugs and did not behave in a standard-compliant way.
Cohda promised to send us some MK5 devices and today, 13 months later, they arrived.
Looking forward to testing them.
  
I just came home from IEEE ICC 2015 in London where I presented our paper Protocol Design for Ultra-Low Power Wake-Up Systems for Tracking Bats in the Wild.
  
Cool, I just got my poster for the SRIF workshop at ACM MobiCom accepted.
The introduction reads:
These days the Internet of Things is about to become part of our everyday lives. Already today we are surrounded by a vast amount of simple low data rate wireless systems. The applications for those systems are manifold and include weather stations, sensors in industrial automation, car key fobs, and alarm systems. Most recently, car and plane manufacturers started replacing wired sensors with wireless systems to save cabling and, thus, weight and fuel. Typically, frame-based single carrier systems are used. These rely on a preamble for synchronizing to the signal followed by a Start of Frame Delimiter (SFD) and the actual data. Due to short frame sizes, the preamble introduces considerable overhead regarding energy consumption and wireless channel occupancy. Using the IEEE 802.15.4 O-QPSK PHY as an example, the minimal preamble length is the equivalent of 4 B compared to an ACK size of 5 B or a maximum frame size of 127 B. Another example is a Binary Offset Carrier (BOC) transceiver that we developed in the BATS project [1]. In this project we work towards equipping bats with tiny 2 g sensor motes that send 12 B frames, which can be used for combined data transmission and ranging. Since each frame includes a preamble of 2 B, the overhead is significant. To avoid this overhead we propose mSync (from mirror sync), a frame format and decoding strategy that does not rely on preamble symbols, as it uses the data symbols instead.
See you in Paris!
        
I was hiking, when suddenly:
  
I was just invited to serve as a TPC Member of IEEE Vehicular Networking Conference (VNC) 2015.
I’m very excited as it’s the first time that I’m in any conference committee :-)
Really looking forward!
        
Currently, I’m in Hong Kong to present my demo Power Matters: Automatic Gain Control for a Software Defined Radio IEEE 802.11a/g/p Receiver at IEEE INFOCOM’15.
I took a projector with me to provide a good view of the outputs that visualize the WiFi signal at different stages of the decoding process.
The demo was set up on a small floor between the rooms where the technical sessions were held.
So I think it gained some good visibility, especially during the coffee break.
      
During the last week, I worked on the GNU Radio WiFi transceiver gr-ieee802-11 and implemented some features that were on my todo list for quite some time.
Since the performance is really good now, I wanted to share my excitement and give some details about the changes.
Interface for Channel Estimation Algorithms
The initial version only came with a proof-of-concept channel estimation algorithm, which interpolated linearly based on the comb pilots.
This algorithm is especially bad when using an N210 with a sampling rate of 20 MHz, as for IEEE 802.11a channels. The problem is that at this sampling rate the N210 has an uncompensated filter and the spectral shape is sinc-like.
Linear interpolation obviously fails in this case.
Since I assume that channel estimation is the part most people want to play with, I implemented a generic interface where people can plug in their own algorithms.
Of course, it’s now also possible to use the long training sequence to get an initial estimate of the channel.
LMS Estimator
Having this generic interface, I implemented the LMS estimator as a first simple algorithm.
With LMS the performance increased considerably.
However, I also kept the linear interpolator to show how the algorithms can be changed on the fly.
To give an idea of the receiver’s current state, I made a small video in my office, where I receive frames from an Atheros card.
In the video I change the modulation and the channel bandwidth.
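To make the two points above concrete (a pluggable estimator interface, and why linear interpolation between the four comb pilots breaks down on a sinc-shaped, delayed channel while a long-training-sequence estimate does not), here is an added example in Python. It is not gr-ieee802-11 code: the subcarrier layout (52 used subcarriers, pilots at -21, -7, 7, 21) follows IEEE 802.11a, but the channel response, the training-symbol signs and the data bits are constructed, and the LMS estimator mentioned above is not reproduced here.

```python
"""Pluggable channel estimators for a 52-subcarrier OFDM receiver.

Added example, not code from gr-ieee802-11. The subcarrier layout (52 used
subcarriers, pilots at -21, -7, 7, 21) follows IEEE 802.11a; the channel
response, the training-symbol signs and the data bits are constructed here.
"""
import cmath
import math
import random

USED = [k for k in range((-26), 27) if k != 0]        # 52 used subcarriers, no DC
PILOTS = [-21, -7, 7, 21]
PILOT_VALUES = {-21: 1.0, -7: 1.0, 7: 1.0, 21: -1.0}  # pilot signs, per-symbol polarity ignored

# Constructed +-1 training symbol on every used subcarrier (the real 802.11a
# long training sequence has the same form, with different signs).
LTS = {k: 1.0 if (k * 7) % 3 else -1.0 for k in USED}


def constructed_channel(delay=1.5, width=30.0):
    """Sinc-like magnitude roll-off (an uncompensated front-end filter) times a
    phase ramp from a residual timing offset of `delay` samples. Constructed."""
    h = {}
    for k in USED:
        x = math.pi * k / width
        h[k] = (math.sin(x) / x) * cmath.exp(-2j * math.pi * k * delay / 64)
    return h


def add_noise(sym, sigma, rng):
    """Add circular Gaussian noise with standard deviation sigma per component."""
    return {k: v + complex(rng.gauss(0, sigma), rng.gauss(0, sigma))
            for k, v in sym.items()}


class PilotLinearEstimator:
    """The proof-of-concept approach: H at the four pilots, straight lines between
    them, extrapolated past the outer pilots to the band edges."""

    def estimate(self, rx_lts, rx_symbol):
        hp = {p: rx_symbol[p] / PILOT_VALUES[p] for p in PILOTS}

        def interp(k):
            a, b = PILOTS[0], PILOTS[1]
            for lo, hi in zip(PILOTS, PILOTS[1:]):
                if k >= lo:
                    a, b = lo, hi
            t = (k - a) / (b - a)            # t outside [0, 1] extrapolates
            return hp[a] + t * (hp[b] - hp[a])

        return {k: interp(k) for k in USED}


class LtsEstimator:
    """One complex tap per subcarrier from the known long training symbol."""

    def estimate(self, rx_lts, rx_symbol):
        return {k: rx_lts[k] / LTS[k] for k in USED}


# The plug-in point: any object with estimate(rx_lts, rx_symbol) -> {k: H_k}.
ESTIMATORS = {"linear": PilotLinearEstimator(), "lts": LtsEstimator()}


def mse(est, true):
    return sum(abs(est[k] - true[k]) ** 2 for k in USED) / len(USED)


def compare(sigma=0.05, seed=1):
    """Mean squared estimation error of each plugged-in estimator on one frame."""
    rng = random.Random(seed)
    h = constructed_channel()
    rx_lts = add_noise({k: h[k] * LTS[k] for k in USED}, sigma, rng)
    data = {k: PILOT_VALUES.get(k, rng.choice([1.0, -1.0])) for k in USED}
    rx_sym = add_noise({k: h[k] * data[k] for k in USED}, sigma, rng)
    return {name: mse(e.estimate(rx_lts, rx_sym), h) for name, e in ESTIMATORS.items()}


if __name__ == "__main__":
    for name, err in compare().items():
        print(f"{name:7s} MSE = {err:.4f}")
```

The linear estimator loses most where the phase ramp makes the true response rotate between pilots: a straight line between two complex pilot estimates cuts the chord, so the magnitude in the middle of each segment is underestimated, on top of the sinc roll-off it cannot follow at the band edges. The LTS estimate costs nothing but the training symbol the preamble already carries.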
  
Long Frames
Andre Puschmann from Ilmenau worked on the maximum frame size.
The transceiver had some strange limitations, mainly because the buffers of GNU Radio’s Tagged Stream blocks were not adjusted properly.
Andre figured this out and now we can send and receive 1500 byte frames with any modulation. Very cool!
Short Frames
Initially, the receiver blindly copied a fixed number of samples into the flow graph once a frame was detected.
This caused problems with very short frames sent right after one another, as for example with RTS/CTS.
In the current version, the synchronization block always looks for new frames and marks their start with a tag so that subsequent blocks can decode them.
I hope you give the new version a try and let me know how it works for you.
Have fun!
        
Cool! I just got a talk for the Software Defined Radio Academy at HAMRADIO accepted.
HAMRADIO is a rather large annual amateur radio exhibition at Friedrichshafen in Germany.
Since more and more hams are interested in Software Defined Radio (SDR), there will be a sub-conference about SDR this year — the Software Defined Radio Academy.
According to my understanding, the idea is to have a mix of introductory and hands-on lessons as well as some more research-oriented talks.
I applied for a talk about reverse engineering digital wireless signals.
Following is the abstract I submitted when applying for the talk.
      
Today, David presented our paper The Scrambler Attack: A Robust Physical Layer Attack on Location Privacy in Vehicular Networks at IEEE ICNC’15 in Anaheim, Canada.
In the paper we use the initial scrambler value as a feature to identify vehicles even though they might use pseudonyms or other potentially privacy preserving mechanisms.
What we did
According to the IEEE 802.11p standard, each data frame is scrambled by a pseudo-random sequence generated by a Linear Feedback Shift Register (LFSR).
The LFSR is seeded by a random value that is transmitted at the very beginning of each frame, allowing the receiver to reproduce the scrambling sequence and, thus, to descramble the bits.
With regard to seeding the LFSR, the standard states in Section 18.3.5.5 that
When transmitting, the initial state of the scrambler shall be set to a pseudo random nonzero state.
Reading this, we were curious how these pseudo random states are implemented in practice on real hardware.
Since normal WiFi cards don’t expose this information when receiving frames, we used our GNU Radio WiFi transceiver to log the initial scrambler states while decoding the frame.
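As an added illustration of the mechanism the paper builds on (this is example code, not the paper’s tooling or gr-ieee802-11’s scrambler block): the 802.11 scrambler is the 7-bit LFSR with polynomial x^7 + x^4 + 1, and because the SERVICE field starts every PSDU with seven zero bits, the first seven scrambled bits are the LFSR output itself. Every receiver has to recover the initial state from them to descramble at all, which is exactly why the seed is observable. The frame bits below are constructed; the all-ones reference sequence is the one the standard uses to illustrate the scrambler.

```python
"""IEEE 802.11 data scrambler (S(x) = x^7 + x^4 + 1) and initial-state recovery.

Added example, not code from the paper or from gr-ieee802-11. The LFSR follows
the standard; the frame bits used below are constructed.
"""


def _step(state):
    """One LFSR step: return (output bit, next 7-bit state)."""
    fb = ((state >> 6) ^ (state >> 3)) & 1          # taps x^7 and x^4
    return fb, ((state << 1) & 0x7E) | fb


def scramble(bits, seed):
    """XOR `bits` with the LFSR sequence started from the 7-bit `seed`.
    Descrambling is the same operation with the same seed."""
    if not 1 <= seed <= 0x7F:
        # an all-zero state would produce an all-zero sequence, so the
        # standard requires a nonzero initial state
        raise ValueError("initial scrambler state must be nonzero and fit in 7 bits")
    state, out = seed, []
    for b in bits:
        fb, state = _step(state)
        out.append(b ^ fb)
    return out


def scrambler_sequence(seed, n):
    """The raw LFSR output, i.e. scramble() applied to n zero bits."""
    return scramble([0] * n, seed)


def _unstep(state):
    """Inverse of _step: the bit shifted out is recovered from the feedback bit."""
    s6 = (state & 1) ^ ((state >> 4) & 1)
    return (s6 << 6) | (state >> 1)


def recover_seed(scrambled):
    """Recover the transmitter's initial state from the first 7 scrambled bits.

    The SERVICE field starts every 802.11a/g/p PSDU with 7 zero bits, so the
    first 7 scrambled bits equal the LFSR output. After 7 steps the LFSR state
    consists exactly of those 7 output bits; running it backwards 7 steps gives
    the initial state, which the receiver then uses to descramble the rest.
    """
    state = 0
    for b in scrambled[:7]:
        state = ((state << 1) & 0x7E) | b
    for _ in range(7):
        state = _unstep(state)
    return state


if __name__ == "__main__":
    # constructed frame: 7 zero SERVICE bits followed by a few payload bits
    frame = [0] * 7 + [1, 0, 1, 1, 0, 0, 1, 0]
    tx = scramble(frame, 0x5D)
    seed = recover_seed(tx)
    print("scrambled:", tx, "seed seen by the receiver:", hex(seed))
    print("descrambled matches:", scramble(tx, seed) == frame)
```

The reverse step works because each forward step discards only the oldest bit s6 and appends the feedback bit fb = s6 XOR s3, so s6 can be read back from fb and the surviving s3. A receiver that logs the recovered value per frame, as the GNU Radio transceiver does here, sees directly how "pseudo random" a given chipset's seeds really are.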