Tapping Data From Radio-Controlled Bus Stop Displays

jones_supa writes "A couple of weeks ago hacker Oona Räisänen told about finding a 16 kbps data stream on FM broadcast frequencies, and her suspicion was that it's being used by the public transit display system in Helsinki, Finland. Now it's time to find out the truth. She had the opportunity to observe a display stuck in the middle of its bootup sequence, displaying a version string. This revealed that the system is called IBus and it's made by the Swedish company Axentia. Sure enough, their website talks about DARC and how it requires no return channel, making it possible to use battery-powered displays in remote areas. Other than that, there are no public specs for the proprietary protocol. So she implemented the five-layer DARC protocol stack in Perl and was left with a stream of fully error-corrected packets on top of Layer 5, separated into hundreds of subchannels. Some of these contained human-readable strings with names of terminal stations. They seemed like an easy starting point for reverse engineering..."

wow, thanks Timothy

[Anonymous Coward]

An interesting article on Slashdot... that's amazing... it's like ARM chips running windows... well, ok... we thought that was going to be amazing... :P

Re:

[davester666]

Well, she is about to be arrested for releasing technology that can help terrorists with an attack.

Re: wow, thanks Timothy

[BESTouff]

She's in Europe. Have no fear (for her).

Re:

[gl4ss]

Should she be a Bond villain or one of Bond's squeezes?

why not both? that maximizes the screen time(watch the movies and you'll agree).

Re:

[PPH]

Now, Oona is cute, a hacker and is into Kung Fu.

[Sigh] And all US culture can produce is the Kardashians.

The roots of hacking

[Anonymous Coward]

This, my friends, is true hacking. While this sort of stuff has become less common over the years, it is people such as this that provide real value to the community in terms of improving security for the masses. I wish that I had more time (and equipment...and hand't forgotten so many of my skills) as there are a few projects like this that I'd like to dig into. For instance, I have a home security/automation system out at my farm. I am fully cognizant that the security provided by it is a joke, as any

Re:

[AK Marc]

It's all security through obscurity. Everything is security through obscurity (for differing definitions of obscurity). The lock on my house works because nobody "knows" the key, other than me, and I don't even know it because it's a physical token I don't understand. But if someone took an impression of the key, they they could gain access because the obscurity was lifted. Encryption works because your keys are obscured/hidden. So yes, likely your security system is grossly insecure, but won't be hacke

Re:

[diamondmagic]

You're blurring the definition of security and obscurity, which is already well defined. Obscurity refers to the logic of the system. Your system must be secure even if an attacker knows everything about how it works, because there is a separate part, the secret key, that is completely arbitrary and assumed to be kept secure. A key is only secret, arbitrary data; a cipher is only well-known logic; security though obscurity by definition means mixing your secret data with your public logic, a bad idea.

The bi

Re:

[AK Marc]

A home invader shouldn't be able to break into my house even if they know everything about my lock and door, what matters is that they don't have the key (which has no mechanical components - it's not part of the system until I want to unlock the door).

But your key is nothing but obscurity. I had a car. It was 30 years old (a classic). The keys I had for it were wearing out, and became more tempermental. So I looked for a way to get original keys cut. I called the dealer, and they said "no, can't be done" (yes, they knew I was a legitimate owner of the car). So I ended up emailing a picture of the key to an Australian company, who cut a key to the factory spec, not a duplicate of the ancient, worn keys. Worked much better. Soon after, my glove-box

Re:

[AK Marc]

So I'm always right, and always of a different opinion than you, so you find me annoying, but never can argue any specific points. Oh, and an A/C. Got it. Go ask momma to send more cheetos down, I think you are getting withdrawal again.

Re:

[diamondmagic]

If someone is using your VIN to make keys after, then the key isn't an arbitrary secret.

If someone has a picture of your key, then they know your secret outright, even if it is arbitrary.

What you describe is no better than me copying your passwords off a Post-It note you left on your monitor.

A proper key is not "obscurity" -- it is secret! No, those are not the same things, a key has no logic to obscure. This discussion is no longer at the point were we can employ layman's definitions and continue to talk s

Re:

[AK Marc]

The process of using a VIN to obtain your "Secret" is obscurity. Your secret isn't. It's stored openly at the manufacturer. It's available for $100 and a 1-week wait. How is that "secret"?

Obscurity: the state of being unknown, inconspicuous, or unimportant. Your "secret" is a "secret" because it's unknown, inconspicuous, or unimportant. What was the complaint again?

See, this is kinda what I meant

[50000BTU_barbecue]

when I said you don't need an oscilloscope anymore. Probably a SDR receiver that goes to a PC. What possible interest is there in looking at the raw RF at the antenna, which you won't see with an oscilloscope anyways (because I don't know any scopes with nV/cm settings yet), or the countless undocumented signals inside the receiver, which you won't access anyways because it's all on one chip?

You're better off just finding what's already done and buy it. I myself have looked at the FM band on my old analog spectrum analyzer to look for SCA signals. http://en.wikipedia.org/wiki/Subsidiary_Communications_Authority [wikipedia.org]

It's all wonderful fun, but when you can do the same with a 15$ USB receiver and some software, it all starts to look rather silly, no?

Re:

[50000BTU_barbecue]

1) That's exactly my point. Who needs an oscilloscope for that?

2) Did you miss the part where I said " I myself have looked at the FM band on my old analog spectrum analyzer ". I bolded the important part for you.

Re:See, this is kinda what I meant

[Desler]

when I said you don't need an oscilloscope anymore. Probably a SDR receiver that goes to a PC.

At what stage in this project would an oscilloscope have been needed anyway? Yes, she used an SDR for scanning radio frequencies.

What possible interest is there in looking at the raw RF at the antenna, which you won't see with an oscilloscope anyways (because I don't know any scopes with nV/cm settings yet), or the countless undocumented signals inside the receiver, which you won't access anyways because it's all on one chip?

What is all on one chip? How is this rambling statement even applicable to this article?

It's all wonderful fun, but when you can do the same with a 15$ USB receiver and some software, it all starts to look rather silly, no?

You can decode these IBus messages with a $15 USB receiver? Link please?

Re:

[Anonymous Coward]

You can decode these IBus messages with a $15 USB receiver? Link please?

OsmoSDR [osmocom.org]

Re:

[HarrySquatter]

On what planet does 180 Euro [sysmocom.de] translate into 15 USD?

Re:

[Anonymous Coward]

On what planet does 180 Euro [sysmocom.de] translate into 15 USD?

I'm poster of that link OsmoSDR, not anyone you have been discussing above or ever earlier. I genuinely have no idea what you are smoking, and how did you ended up referring to that sysmocom.de site and $180, device.

The blog refers to RTL-SDR which probably cheapest SDR you can get, even though since it was discovered that some DVB-T USB sticks can be used as SDR's, compatible can be hard to find these days any more as models have changed and what's still left usually have been priced higher obviously becau

FYI $10,- RTL-SDR available, link below

[Anonymous Coward]

Right, this RTL-SDR is sold at $10.

http://www.hamradioscience.com/10-ads-b-receiver-rtl2832u-r820t/

ps. I'm the guy who linked that OsmoSDR.

Re:

[ArchieBunker]

Its the RTL-SDR project. A Linux developer discovered that a digital TV receiver chip made by Realtek (used in $15 dongles) had the ability to receive the raw sampled RF data. The bandwidth is nearly 3Mhz so that means you can view a HUGE chunk of the RF spectrum at once and decode the signals via software. AM/FM/USB/LSB you name it. Dongles based on the R820T tuner receiver from 22Mhz to 1600Mhz! Pipe the output into some digital speech decoder programs and you have a police scanner that would normal cost

Now if only it could TRANSMIT. B-)

[Ungrounded Lightning]

Its the RTL-SDR project. A Linux developer discovered that a digital TV receiver chip made by Realtek (used in $15 dongles) had the ability to receive the raw sampled RF data. The bandwidth is nearly 3Mhz so that means you can view a HUGE chunk of the RF spectrum at once and decode the signals via software.

Now if only it could transmit.

Or if it could also convert digital signals into I/Q and we could feed that into the Rx mixer of the block downconverter, run backward. Then two $11 - $15 dongles, one of th

Re:

[Muad'Dave]

The dongle receivers are typically I/Q receivers.

Re:

[Ungrounded Lightning]

The dongle receivers are typically I/Q receivers.

Yes, I understand that. I guess I phrased it ambiguously.

What I meant is "convert data from the USB to I/Q OUTPUT, i.e. do the TRANSMIT side of a transceiver, too, not convert the receive side to I/Q from something else.

Then we need a local oscillator and mixer to boost it back UP to the desired frequency band (which might be done with the companion block downconverter chip if the appropriate signals are accessible or if it is actually also a transciever chi

Re:

[Muad'Dave]

Gotcha. Regulatory issues aside, there are chips that do I/Q upconverting [analog.com]. I've always wanted to get one and play with it. They're actually becoming commodity [hackaday.com] hardware [kickstarter.com], potentially illegal as they may be.

Re:

[dlgeek]

www.amazon.com/gp/product/B00C37AZXK is $11 with free 2-day shipping for prime members (US). It's a cheap DV-B TV dongle using a chipset that has a "debug mode" where it spits out the raw RF data, and wide ranging tuning chip that makes it usable as a general purpose SDR reciever (known as an RTL-SDR). Windy's mentioned using one on her blog in many of her other posts.

I just got one this week, and it's been awesome to play with. Check out rtlsdr.org for more information about how to set it up, and rtl-sd

Re:

[50000BTU_barbecue]

Go to eBay and do some shopping. The point is you play with electronics these days by reverse-engineering existing products and using software to re-purpose things. Which is my point. You don't need an oscilloscope to be working in electronics on a hobby level anymore.

What is all on one chip? Um, the SDR receiver is certainly NOT a sprawling set of discrete LC filters and transistors, is it?

Just another example of why an oscilloscope is not the "must have" instrument it once was.

Is that rambling and inco

Re:

[PPH]

How exactly is one supposed to gain knowledge if one never actually explores things?

Ask on Slashdot.

Re:

[50000BTU_barbecue]

I don't think you understood what I was saying. I was saying that having a spectrum analyzer, which has always been an expensive and complex instrument, is silly when all you wanted to do can be done with a 15$ dongle.

I have to ask: am I that unclear? I have the feeling I am.

Re:

[fizzer06]

Yes, SCA. http://www.fcc.gov/encyclopedia/broadcast-radio-subcarriers-or-subsidiary-communications-authority-sca/ [fcc.gov]

Re:

[NoMaster]

[See, this is kinda what I meant] when I said you don't need an oscilloscope anymore.

And, if you only consider the tiny sub-set of 'electronics' that is 'dicking around writing software for pre-built toys', you were right.

Fortunately, real electronics engineers and technicians are designing and building those toys for you. And, even more fortunately, they know when oscilloscopes are still useful.

Re:

[Agripa]

Oscilloscopes make very handy back end modulation analyzers when combined with a demodulator and would also be used in designing the demodulator itself. The common RF applications I see them used for are broadband envelope measurement and broadband RMS measurement where they can often be used to calibrate other instruments.

If you are buying turnkey solutions, then obviously an oscilloscope is of less use since even if you used it to diagnose a problem, you will be reliant on the vendor to fix it. Not ever

Encryption

[sunderland56]

Pity she couldn't break the text encryption - then she could have displayed the station names in English, instead of nonsense strings.

Re:Encryption

[Desler]

For anyone who is not an aspie they would have recognized that the GP's post is this new thing called a "joke". Maybe your side of the world hasn't yet been informed of their invention?

Re:

[rubycodez]

"Finnish"?? hah, what a silly name. is that what your imaginery fish friends spoke in your childhood?

Re:

[PPH]

It takes a long time to learn as well. Which is why everyone is Russian.

Re:

[rubycodez]

not everyone is Russian, some are real Slovene

Re:

[AK Marc]

Finnish? He never even starrted.

Re:

[MotorMachineMercenar]

As a Finn, I'm offended at your jingoism. How could anyone not understand this: http://www.youtube.com/watch?v=4om1rQKPijI [youtube.com]

Re:

[Deadstick]

Likewise the Denver light rail system...just a timetable expressed in a crude multiple-bulb display.

(Supposedly) Broken for only some buses

[Ungrounded Lightning]

One of the cited article talks about the system having two cases:
  - The buses with the tracking hardware are displayed based on the tracking.
  - the buses without the tracking hardware are displayed based on the schedule.

Now maybe the line you're on has buses without tracking. (Or maybe the tracking system doesn't work and it's all a crock.) But the anecdote that your particular line is just showing an automated schedule doesn't show that all others are doing the same.

A live map also available

[jones_supa]

As a sidenote, HSL has also set up a live map [wspgroup.fi] of the Helsinki trams buzzing around.

Developer community and open data

[tuukkah]

Cool reverse engineering indeed! For those who want it easier, the Helsinki Region Transport Authority HSL offers the arrival time predictions through a service called "Omat lähdöt", which has an open API too. However, the textual messages are not available so that's new. As the post mentions, the predictions are based on the GPS locations sent by the busses, which are not available to third parties (unlike the locations of the metro, trams and trains). For more information about the HSL Developer Community and open data at HSL, see dev.hsl.fi [dev.hsl.fi].

Any existing apps that give the same info?

[grimJester]

I'd like an app that shows the arrival predictions for the stop(s) nearest my current location.

Recieve only, do not transmit.

[VortexCortex]

That which can be received unsecured, can be broadcast as such. Only a matter of time now before the displays feature zombie attack warnings.

Re:

[foobar bazbot]

Not necessarily. Instead of script kiddie packages this requires actual electronics knowledge. No one apart Oona bothers these days.

No, not necessarily, but given that it's in the FM broadcast band, it sounds quite likely that it can be spoofed with an unmodified FM transmitter and a script generating an appropriate audio signal.

Of course in the grand /. tradition, I haven't RTFA yet, and they could be using a modulation scheme that can't be emulated with FM (IMO unlikely, as it's probably some flavor of FSK or PSK), or too wide a modulation range, and even if it's all doable off-the-shelf, range will be quite limited without at least a

Re:

[foobar bazbot]

Ignore above, I just RTFAed.

Turns out it's not a separate FM signal as I assumed, but an extra subcarrier (beyond the stereo and RDS signals) in an existing FM signal. This does indeed require electronics skills to generate, though it wouldn't be very hard to add in to a kit transmitter like the mpx-96 [northcountryradio.com] we built in my advanced electronics lab.

What is this magick you speak of?

[Applehu Akbar]

This couldn't happen in America because we don't have your fancy-dancy electronic bus annunciators. We believe that standing on a street corner in the rain builds character. Apparently, it also opens up new venues for hacking.

An article about the subject

[Cee]

There's an excellent article [google.com] about how the signs work in Stockholm with some technical details.