Back at it with the SDR

My latest SDR project is a simple idea: a universal handicap door opening fob. The idea came to me one day, watching a lady in a wheelchair struggle to open the handicap door. She had to wheel up to the door, hit the button, wheel back, and then wheel forward through the door. On top of that, it took a good 10-20 seconds in the Wisconsin cold to wait for the door to open.

After witnessing this, every time I went through a building entrance, I imagined how someone with a physical disability might interact with the doors. And every time I noticed something that would make entry a whole ordeal. It's something that I feel engineers, building architects, whoever, just hadn't thought about.

After about a week of making these observations, I started to notice the button placement: many times the box was affixed to the side of a brick wall. That got me thinking, "Do they really drill and run a cord through a block of concrete??" It dawned on me that the button is actually a wireless transmitter, with a receiver at the door!

So I broke out my RTL-SDR module and started recording. I used the SDR# software to record the transmissions of 12 transmitters all around the EMS and Physics buildings. I found that the signal was On/Off keyed (OOK), which is pretty standard and easy to work with.

The transmitters themselves are centered around 434 MHz, just like a car fob or garage opener. I found the frequency on the FCC website, which hosts the certification documents for every FCC-compliant wireless transceiver sold in the US. The transmitter's filing contains the output power, the frequency, and other details that are useful for reverse engineering.

[Figure: two of the recorded transmission signals]

So, with SDR#, I was able to record the demodulated audio of the transmitted signal, i.e. the envelope stripped from the carrier wave. Since it is On/Off keyed, the signal resembles binary. Making sense of 12 different signals by eye would have been very inconvenient, so I wrote a Matlab script to decode them, found here: https://pastebin.com/3Ncfwamh

//11// 330C30C30C061980CC30C30C30C066 186033000
//02// 330C30C30C066186030CC301986186 186033000

//09// 61980C330C061980CC301866186186 186033000
//03// CC30C30186603301980CC30C061866 186033000
//07// C1980C1983018330198301980CC0660C066033000
//08// 1866030CC3018660330C066030C330 1866033000

//05// 904104101208202410410120820820809000

//01// 6FBEFBEFEFB7F7DF7DBEFBFBEFBEFB7F6FFF
//06// 6FBEFBEFEFBEDF7F7DBEFEDF7DF7DF7F6FFF
//10// 37DF7DF7F7DF6FEFBEDF7DFDBEFBFB7F6FFF

So here are the different signals decoded into hex. Using these, I was able to re-transmit the data with my HackRF SDR transceiver, and transmitting each one opened the corresponding door remotely. I am also working on finding a general pattern. Each different model seems to have a different transmission protocol: there seems to be a preamble identifying the model, a unique identifier, and then another section that seems to transmit the model again.
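To see what those hex dumps actually encode, here is an added Python example (not the post's Matlab script) that unpacks the //11// and //02// captures into pulse and gap widths and pulls out the fields the two frames share. For //11// every carrier-on run is exactly two samples wide and the gaps between pulses take only three widths, so the data rides in pulse spacing; the identical prefix and suffix of the two captures are the model-wide fields described above, and because nothing in such a frame changes from press to press, a single capture is a complete, replayable credential, which is exactly the risk a rolling-code fob avoids.

```python
# Added example, not the post's Matlab script: unpack the packed-hex envelope
# captures shown above and inspect their pulse timing and shared fields.
import re
from itertools import groupby

# Two captures copied verbatim from the post (transmitters //11// and //02//).
CAPTURE_11 = "330C30C30C061980CC30C30C30C066 186033000"
CAPTURE_02 = "330C30C30C066186030CC301986186 186033000"


def hex_digits(capture: str) -> str:
    """Strip whitespace so the dump is one run of hex digits."""
    return re.sub(r"\s+", "", capture).upper()


def hex_to_bits(capture: str) -> str:
    """Unpack the hex dump into the sampled OOK envelope, one character per
    sample, most significant bit first ('1' = carrier on, '0' = carrier off)."""
    return "".join(format(int(d, 16), "04b") for d in hex_digits(capture))


def run_lengths(bits: str) -> list[tuple[str, int]]:
    """Collapse the envelope into (level, width in samples) runs."""
    return [(level, sum(1 for _ in run)) for level, run in groupby(bits)]


def pulse_and_gap_widths(capture: str) -> tuple[list[int], list[int]]:
    """Widths of every carrier-on run, and of every off run that lies between
    two pulses (leading and trailing silence are not gaps and are dropped)."""
    runs = run_lengths(hex_to_bits(capture))
    on_idx = [i for i, (level, _) in enumerate(runs) if level == "1"]
    if not on_idx:
        return [], []
    pulses = [runs[i][1] for i in on_idx]
    gaps = [w for level, w in runs[on_idx[0]:on_idx[-1] + 1] if level == "0"]
    return pulses, gaps


def shared_ends(a: str, b: str) -> tuple[str, str]:
    """Longest common prefix and suffix of two captures: the fixed fields a
    model repeats in every frame, as opposed to the per-transmitter part."""
    a, b = hex_digits(a), hex_digits(b)
    pre = next((i for i, (x, y) in enumerate(zip(a, b)) if x != y), min(len(a), len(b)))
    suf = next((i for i, (x, y) in enumerate(zip(a[::-1], b[::-1])) if x != y), min(len(a), len(b)))
    return a[:pre], a[len(a) - suf:]


if __name__ == "__main__":
    pulses, gaps = pulse_and_gap_widths(CAPTURE_11)
    print("pulse widths:", sorted(set(pulses)), "gap widths:", sorted(set(gaps)))
    print("shared prefix/suffix of //11// and //02//:", shared_ends(CAPTURE_11, CAPTURE_02))
```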

My next steps are to build a schematic with a half-duplex transceiver IC, a microcontroller, and some sort of EEPROM chip to record and store transmissions. This way, any models I don't have access to yet will still be able to be opened by the fob I create.

I feel like this will greatly benefit those with physical disabilities, allowing them to go through the door without having to wait outside while it opens. I imagine this would greatly improve the quality of life for these individuals.
