Reversing Tire Pressure Monitors with a Software-Defined Radio

32,793 views

Jared Boone

Comments: 35
@petergamache5368 9 months ago
Hello from the future! In ten years, this video has aged like wine. Regarding 23:30 - yes, we're there! HackRF Portapack with Mayhem firmware has a TPMS decoder that's pretty much flawless. For stationary use, a Raspberry Pi Zero W + cheap RTL-SDR dongle can get you a working receiver for under $50 hardware investment. Add a Pi camera pointed at your driveway (and the 'motion' package) and you should be able to correlate TPMS serial numbers with a photo of the vehicle!
@carpenterfamily6198 7 years ago
Great talk and good job responding to comments!
@samykamkar 7 years ago
Woot Jared rocks
@JediHagrid 8 years ago
Just bought an SDR and got GNU Radio set up on my Kali Linux laptop. Can't wait to mess around with this stuff.
@KandiKlover 9 years ago
haha imagine spoofing the signal to make someone think their tires are gonna explode
@aaronnpny 11 years ago
Great job! I thought about doing this, although I don't think I would have gotten as far as you did. One good way to get these for free is to go to your local tire shop. I was able to get 4 or 5 for free. They were happy to give me them and were perplexed as to why I would want them. The batteries of course are the main things that go bad in these, so you will find that carefully removing the epoxy, you will be able to see if the battery was the problem and replace it. You could probably hack something for the tire pressure and temperature sensor parts of the circuit so you wouldn't have to put it back into a tire to test it. Keep up the good work.
@earfeast 11 years ago
aaronnpny Thanks! I have talked to a local tire shop, and had a similar experience. They were a bit puzzled, but when I explained what I was up to, they thought it was interesting. One gentleman was going to put some aside for me, I need to go back and check in and see if he's got any for me. The batteries are usually soldered-on lithium coin cells. It's trivial to cut off a bad battery and either replace it or hook up a separate power supply. I look forward to experimenting when I get a few in-hand.
@elafargue 11 years ago
Check out "reveng" for CRC attacks, works really well too. Nice job!
@mapleleaf4ever 8 years ago
Yes! I was hoping someone had done this. I'm trying to figure a small Arduino-sized transmitter to spoof the ECU and turn off that frigging light when I've got my winter tires on.
@sharebrained 8 years ago
You're not the first Northerner who I've heard complain about this. There's likely a business opportunity here. :-) With all the Arduino shields out there, somebody has to be producing one that has a TI CC1110 on it, which is (almost) what is used on the Yard Stick One. If you had that shield, you should be able to generate any of the myriad TPMS variants I've seen that occur in the 315 and 434MHz ISM bands.
@brianborell4469 5 years ago
Or you could just avoid breaking the law and losing functionality by putting cloned sensors in your winter wheels. Any Firestone store should be able to do this for you. Or you can DIY it. kzbin.info/www/bejne/hGfTZ6uMabWffsU
@mdevidograndpacificlumbera1539 5 years ago
@brianborell4469 "breaking the Law" LOL!
@AN-kg4ei 5 years ago
@sharebrained There's a UK company that designed a TX (www.tpmsbypass.com) used to spoof sensors (but I'd bet it's just as easy to stick them in a pressurized cylinder to shut the light off). I have an Autel scanner that disables some systems but not others - I think the PCM locks the input for control on some.
@SteveJones172pilot 11 years ago
This was a great presentation. I'm wondering if these transmitters could just be hidden somewhere in a car (maybe toss one in the glovebox of each of my cars) so that I could have something like a Raspberry Pi monitoring when each car comes and goes? Is there one particular manufacturer that you've found that DOES transmit, even occasionally, when there's no movement? Even if it was once every 5 minutes or so, it would probably suit my "car inventory" purposes to know which cars are in the driveway at any particular time?
@sharebrained 11 years ago
I haven't found any yet. The one transmission I see regularly at my house, in the 315MHz band, turned out to be a temperature and humidity remote sensor. You could certainly build beacon devices like what you describe, from parts available at SparkFun or Adafruit. There might also be "mote" devices out there that would do the job. You might also be able to appropriate something like a weather station remote sensor (like the one I've seen transmitting in my neighborhood) and just stick it in your car... :-)
@SteveJones172pilot 11 years ago
Jared Boone Yeah.. I guess I'm "trying too hard" to take advantage of all your hard work.. Maybe when I get a car new enough to have the TPMS it would make sense to use that, but until then, it really is easier just to put something more generic in for this purpose! Thanks again - I learned a lot from the techniques you explained - the software out there these days is really incredible!
@brianborell4469 5 years ago
TPMS sensors have a reed switch. They don't transmit until the wheels are rotating @ 20mph or so. This is to conserve battery life. The sensors run on a non-replaceable coin cell similar to a 2032.
@MindsEyeVisualGuitarMethods 5 years ago
Can one use a cheap $10 RF signal detector to just check for the signals, in an attempt to pinpoint the one with a dead battery?
@sharebrained 5 years ago
I would imagine so, if the signal detector is sensitive in the 315 - 434 MHz range. From a few inches away, it should be obvious you're seeing a transmission from the tire you're nearest. Be sure to leave your mobile phone far away when you do the tests. Also be aware that some TPMS transmitters only transmit when the wheel is turning, which could complicate things.
@MindsEyeVisualGuitarMethods 5 years ago
I thought about the rotation/activation hurdle... I think a good hard spin by hand with the wheel jacked up should get it up to speed.. I'll see if that will work... On another note, I have a hand held inductive amplifier, where I can "Hear" EMF... Is this essentially doing the same thing?
@gginnj 6 years ago
Does anyone know if the aftermarket screw-on transmitters work on the same frequency/packet layout as the internal tire transmitters?
@sharebrained 5 years ago
There's no reason to assume either way. If you have an FCC ID for one of these aftermarket devices, you could look it up on FCC.io and see if it's made by a vendor that makes OEM transmitters. If so, that's a good indication they might be compatible. But it's still no guarantee.
@unijabnx2000 9 years ago
If I got the Yard Stick One, would that be equivalent to the hardware you used to capture the data?
@sharebrained 9 years ago
+unijabnx2000 It's not equivalent hardware. The YardStick One is more like the actual receiver hardware in a car. So it's entirely suitable, and might even do a better job than my SDR approach -- for *one* flavor of TPMS device at a time. The YardStick One can't receive multiple modulations and frequencies simultaneously, so you would need several of them to capture the various TPMS flavors. The SDR technique allows a single receiving device to demodulate and decode several flavors at once, given enough computing power. Regardless, you'd need two SDR receivers to cover the two TPMS spectrum bands -- 315MHz and 433.92MHz.
@unijabnx2000 9 years ago
+Jared Boone I thought the YardStick One was indeed an SDR. At least it was introduced that way in the Hak5 video. But I wasn't aware that it wouldn't listen to a wide spectrum of frequencies concurrently.
@sharebrained 9 years ago
+unijabnx2000 It's not an SDR, if you define an SDR as a device which captures a chunk of RF spectrum and performs demodulation and decoding on general-purpose hardware like a microprocessor and/or FPGA. I think most people would agree with that definition. The YS1 is built around a TI/ChipCon CC1111, which has complete demodulation and decoding hardware in-chip for various flavors of ASK and FSK. It's definitely very *configurable*. But last time I checked, there is no direct access to the I/Q RX or TX streams, which would prevent you from using it as an SDR, as defined above. For all the gory details: www.ti.com/product/cc1110-cc1111
@MeanHacker 6 years ago
Is there any way to retrieve the sensor ID using the jboone/tpms source files on GitHub? Can someone point me to a tutorial?
@daveb5041 6 years ago
*But did you learn how much air is in your tires? Wouldn't it be easier to just take one of those little pressure gauges and measure at the valve stem?*
@brianborell4469 5 years ago
It was determined by a joint research group of the DOT and the IIHS that Americans can't reliably maintain their tire pressures. Therefore Congress added TPMS to the FMVSS regulations.
@lezbriddon 10 years ago
Why do the ones on eBay and dx.com say 433.920MHz? Not 315MHz?
@KandiKlover 9 years ago
lez briddon It's both, 315 in America, 433 in Europe.
@qcorporation1234 11 years ago
good talk...
@BHMadMan 6 years ago
Hi Jared, Do you still have access to your email on GitHub? Brian
@sharebrained 5 years ago
I do, but I'm notoriously bad at following up. Too many projects and responsibilities... Try me again, if it's not too late?
@kalanadesilva9425 5 years ago
Hi, I am an electrical engineering student, and I am trying to do the same experiment. If anyone can help, I really appreciate it. I get the TPMS signal to my HackRF but I do not know how to get the ID of the tire. How would I get the ID for the tire? Do I have to demodulate the signal I received? Thank you