The Roflocator: My Journey into Product Development


I want to use this page to document my thought and build process for the Roflocator. I developed this device because I once lost my quadcopter over an interstate and somehow found it in a parking lot across the highway by guessing its trajectory. I figured there would be a market for a locator that does not rely on a pay-as-you-go model, as the GSM GPS locators do.

Breadboard Version

My first rendition, shown in the pictures below, used a full Arduino Uno board and a 433MHz radio that sent the GPS coordinates to a second Arduino, which displayed them on an LCD screen. At this stage I had not given much thought to the range limits of the cheap 433MHz radios. After testing it in the field, I quickly learned that this would not work (I could only walk down … Continue reading

The Roflocator – Now Taking Pre-Orders


Note: For international orders, please contact me for the exact cost of shipping.

Customization:
- w/ 9V Battery Cable: $75.00 USD
- w/ LiPo Battery Cable: $75.00 USD
- w/ GPS Case: $80.00 USD

Have you ever lost your quadcopter? Do you lack the means of tracking it? The Roflocator is the solution. This device tracks your quadcopter and continually reports its current coordinates. It is simple to install, cost effective, and easy to use.

How does it work?

The Roflocator has two transceivers that can exchange data over a large range. One sits on the quadcopter while the other is kept on your person. Once the GPS has a fix with enough satellites (typically under 10 seconds in optimal conditions), the transceiver on the quadcopter begins to beacon the coordinates specifically to your transceiver. The coordinates are then displayed on the LCD screen and you … Continue reading

How to Mount a Nexus 7 Tablet

I wanted to mount a Nexus 7 tablet in my vehicle after seeing posts on the idea. Could be fun, right? Well, here are some things to consider:
- Tablets are not made for this environment: a lithium-ion battery is only rated to operate up to around 130F, and the cabin of a parked vehicle can reach extreme temperatures, certainly above 130F.
- Yes, it can be stolen. So can my stereo.
- Keeping it docked 24/7 introduces a charging issue. I will address this later.

Benefits:
- Large screen
- Navigation synced with Google Maps
- Streaming music and all audio via Bluetooth
- Pandora
- The Internets
- Torque (OBD2 information streamed in real time)
- Potential for streaming a reverse backup camera

Here is what you will need:
- Nexus 7 tablet
- 2-part epoxy
- Shower door catches
- 10' micro USB 2.0 cable
- Round sticky feet
- Tablet case (any will honestly do)
- Some battery pack with fast input, such as … Continue reading

Analyze and Crack GSM Downlink with a USRP


A fairly well documented article has already been written about this for RTL-SDRs. But what about the USRP folks out there? Even the sample capture files the article points to are RTL-SDR specific. The easy response would be to suck it up and buy an RTL-SDR dongle. You would be mistaken: an RTL-SDR tops out at roughly 1.7GHz, and not every location has GSM on a band below that. The 850MHz band (the one AT&T and T-Mobile use for GSM) carries CDMA in some locations, leaving GSM only on the 1.9GHz PCS band, out of the dongle's reach. This can be a bit frustrating. Well, look no further than here. Fire up your USRP (read: HackRF, BladeRF, USRP, etc.), follow the RTL-SDR directions here, and stop at the point where they ask you to load their cfile for testing. From here on out, follow these directions:

1. Find out where GSM is transmitting on a non-hopping frequency. For me, this is 1.9826GHz.
2. Determine the gain necessary to receive GSM correctly. This depends … Continue reading
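Once you have spotted a carrier in the waterfall you will want its ARFCN, and before buying hardware you will want to know which bands a receiver can reach at all. The following is an added example (my code, not the post's) that does both with the standard GSM band plans; the only assumption is the ~1.7GHz receiver ceiling taken from the remark about RTL-SDRs above.

```python
"""GSM ARFCN <-> downlink frequency, in kHz so the arithmetic stays exact."""

CHANNEL_KHZ = 200  # GSM carrier spacing in every band

# band: (first ARFCN, last ARFCN, downlink frequency of the first ARFCN in kHz)
BANDS = {
    "GSM850":  (128, 251, 869_200),     # 869.2 + 0.2*(n-128) MHz
    "PGSM900": (0, 124, 935_000),       # 935.0 + 0.2*n MHz
    "EGSM900": (975, 1023, 925_200),    # 925.2 + 0.2*(n-975) MHz
    "DCS1800": (512, 885, 1_805_200),   # 1805.2 + 0.2*(n-512) MHz
    "PCS1900": (512, 810, 1_930_200),   # 1930.2 + 0.2*(n-512) MHz
}


def arfcn_to_downlink_khz(arfcn, band):
    """Downlink (BTS -> phone) centre frequency of an ARFCN in the given band."""
    lo, hi, base = BANDS[band]
    if not lo <= arfcn <= hi:
        raise ValueError(f"ARFCN {arfcn} is outside {band} ({lo}-{hi})")
    return base + CHANNEL_KHZ * (arfcn - lo)


def downlink_khz_to_arfcn(freq_khz, band):
    """Nearest ARFCN to a downlink frequency, plus the offset (kHz) from its centre.

    ARFCNs 512-810 exist in both DCS1800 and PCS1900, so the band must be given;
    the carrier frequency you see in the waterfall tells you which one applies.
    """
    lo, hi, base = BANDS[band]
    arfcn = lo + round((freq_khz - base) / CHANNEL_KHZ)
    if not lo <= arfcn <= hi:
        raise ValueError(f"{freq_khz} kHz is not inside the {band} downlink range")
    return arfcn, freq_khz - arfcn_to_downlink_khz(arfcn, band)


def bands_within(max_khz):
    """Bands whose entire downlink range sits below a receiver's upper tuning limit."""
    return [band for band, (lo, hi, base) in BANDS.items()
            if base + CHANNEL_KHZ * (hi - lo) <= max_khz]


if __name__ == "__main__":
    # The carrier from the post, 1.9826 GHz, is PCS1900 ARFCN 774.
    print(downlink_khz_to_arfcn(1_982_600, "PCS1900"))
    # Assumed RTL-SDR ceiling of ~1.7 GHz: both 1.8/1.9 GHz bands are out of reach.
    print(bands_within(1_700_000))
```

Feed the ARFCN (or the centre frequency it resolves to) to whatever decoder you use; a non-zero offset from `downlink_khz_to_arfcn` is a hint that your SDR's frequency correction is off.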

GNU Radio Companion: Blind Replay Attack with a USRP


Replay attacks are probably the most rewarding tests to perform with a software defined radio: instant gratification (that is, if it works). There is no need to know the modulation, baud rate or deviation. The frequency, on the other hand, you definitely need to know. The post I submitted a while back on replaying a wireless outlet switch took a bit of work. That is not always necessary, especially if your end goal is a simple replay rather than crafting custom packets. In that post I was able to replay the signal for the wireless outlet switch and execute a simple "on" and "off" command (replaying the same command while the device is off turns it on, and vice versa). With the power of a USRP (if you can manage to buy one and make it work stably with GNU Radio, good for you), one is … Continue reading

X Gon’ Give it to Ya: Transmitting FM Radio Over the Air Waves


Who out there misses all of the dog barking, grunting, and terms of endearment toward women provided by our beloved DMX? Something tells me that he is missed on our radio waves. With this brief entry, I will quickly breeze through how you can broadcast DMX one more time in your neighborhood (if your country allows it, of course; this experiment was done at very low output power). I'm still learning how to use GNU Radio Companion (GRC), but I thought it would be useful to share this with the community, those who want a bit of instant gratification with their newly acquired [HackRF, BladeRF, Ettus, etc.] and freshly compiled GRC on their *nix VM. Below is a screenshot of my GRC setup, followed by the GRC file. The file source (as you can see in the screenshot below) had to be down-sampled at a rate of … Continue reading
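The flowgraph itself is cut off above, so here is an added example (my code, not the post's) of the two things the graph has to get right before the sink: the rational resampling of the audio file to the radio's sample rate, and the frequency modulation that turns audio into complex baseband. The rates (44.1 kHz audio, 2 MHz radio) and the 75 kHz broadcast-FM deviation are assumptions; the linear-interpolation resampler stands in for GRC's Rational Resampler block and does no anti-alias filtering, which is fine for seeing the numbers but not for a clean transmission.

```python
"""Wideband FM in pure Python: rational resampling plus frequency modulation."""
import cmath
import math
from math import gcd

AUDIO_RATE = 44_100       # assumed rate of the source audio file
RADIO_RATE = 2_000_000    # assumed SDR sample rate
DEVIATION_HZ = 75_000     # broadcast-FM peak deviation for a full-scale input


def rational_resample_ratio(in_rate, out_rate):
    """Reduced (interpolation, decimation) pair, as a GRC Rational Resampler wants it."""
    g = gcd(in_rate, out_rate)
    return out_rate // g, in_rate // g


def resample_linear(samples, in_rate, out_rate):
    """Resample by linear interpolation (no anti-alias filter; demo only)."""
    n_out = len(samples) * out_rate // in_rate
    out = []
    for k in range(n_out):
        pos = k * in_rate / out_rate
        i = int(pos)
        frac = pos - i
        a = samples[i]
        b = samples[i + 1] if i + 1 < len(samples) else a
        out.append(a + (b - a) * frac)
    return out


def fm_modulate(samples, sample_rate, deviation_hz):
    """Map real samples in [-1, 1] to unit-magnitude complex baseband (FM)."""
    sensitivity = 2 * math.pi * deviation_hz / sample_rate   # rad/sample per unit input
    phase = 0.0
    iq = []
    for x in samples:
        phase = (phase + sensitivity * x) % (2 * math.pi)   # wrap so the float never grows
        iq.append(cmath.exp(1j * phase))
    return iq


def instantaneous_freq_hz(iq, sample_rate):
    """Quadrature demod: frequency (Hz) from the phase step between adjacent samples."""
    return [cmath.phase(b * a.conjugate()) * sample_rate / (2 * math.pi)
            for a, b in zip(iq, iq[1:])]


def tone(freq_hz, amplitude, sample_rate, n):
    """Constructed test input: a sine tone."""
    return [amplitude * math.sin(2 * math.pi * freq_hz * k / sample_rate) for k in range(n)]


if __name__ == "__main__":
    interp, decim = rational_resample_ratio(AUDIO_RATE, RADIO_RATE)
    print(f"Rational Resampler: interpolation={interp} decimation={decim}")
    audio = tone(1_000, 0.5, AUDIO_RATE, AUDIO_RATE // 10)       # 100 ms at half scale
    baseband = fm_modulate(resample_linear(audio, AUDIO_RATE, RADIO_RATE),
                           RADIO_RATE, DEVIATION_HZ)
    peak = max(abs(f) for f in instantaneous_freq_hz(baseband, RADIO_RATE))
    print(f"peak deviation ~ {peak:.0f} Hz (expected ~{0.5 * DEVIATION_HZ:.0f})")
```

The interpolation/decimation pair is what you type into the Rational Resampler block, and the demodulated peak is the sanity check: half-scale audio should swing the carrier by half the configured deviation, so if your sink sounds distorted, check that the audio never exceeds full scale before the modulator.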

Replay Attack: Remote Control Outlets and RFCat

In my previous post, I discussed the possibility of controlling one of those handy remote-controlled outlets. Well, I got hold of one and decided to put my previous post to the test. I've even included a video, along with the code that I used. What more could you ask for? In the video, I attach my monitor to the remote-controlled outlet switch and use my RFCat device, flashed as described two posts back, to send a custom packet of data on 433.925MHz to the device. As you can see, the same signal is sent each time, toggling the device on and off via its relay. To better understand what is going on in this code, refer to the previous post I have mentioned numerous times already.

    #!/usr/bin/env python
    import sys
    import time
    from rflib import *
    from struct import *
    import argparse
    import pprint
    import bitstring

    keyLen = …

Continue reading

Non-Return-to-Zero ASK/OOK Signal Replay


Radios have been around for a long time; security has only recently become a consideration in this realm. Consequently, safeguards such as integrity checks (CRCs), encryption, etc. are not always present in a transmitted radio signal, and a CRC on its own only catches corruption, not a replayed frame. The tutorial below walks through the replay of an ASK/OOK modulated signal that is non-return-to-zero (NRZ) encoded. The 433.925MHz band is used by many of the devices around us, from wireless doorbells to garage door openers, so it is fairly active in our daily lives. The replay we will cover targets the wireless RC switches common in European households. They can be controlled wirelessly to turn on and off any electrical device plugged into them. Naturally, this is an interesting device to investigate. Below is a picture of the device mentioned. In short, the signal is NRZ encoded as it is sent to … Continue reading
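Both the RFCat post above (whose script is cut off after its imports) and this NRZ/OOK post come down to the same step: turning the on/off pattern you read off a capture into a byte string the radio keys out bit for bit. The following is an added example of that step (my code, not the author's script). The symbol shapes ('1000' for a logical 0, '1110' for a logical 1, i.e. a short or long on-pulse per symbol), the 24-bit code, the 400 µs chip width and the trailing gap are constructed placeholders; read the real values off your own capture. The rflib calls (setFreq, setMdmModulation, setMdmDRate, setMdmSyncMode, setMaxPower, makePktFLEN, RFxmit) are the library's own and are imported lazily, so the packing and decoding helpers run without a dongle plugged in.

```python
"""Pack an NRZ/OOK symbol stream into bytes for a raw RFCat transmission."""

# Assumed symbol shapes: each logical bit is four OOK chips (1 = carrier on, 0 = off).
# A short-high/long-high scheme like this is common on 433 MHz outlet switches,
# but measure yours: both the chip width and the shapes vary between makers.
SYMBOLS = {"0": "1000", "1": "1110"}
CHIP_S = 400e-6          # assumed width of one chip (the shortest on-pulse) in seconds
FREQ_HZ = 433_925_000    # the band used in the post
GAP_CHIPS = 32           # assumed silent gap that separates repeats of the frame


def chip_rate(chip_s=CHIP_S):
    """Baud rate to program into the radio so one transmitted bit lasts one chip."""
    return round(1 / chip_s)


def frame_bits(code, symbols=SYMBOLS, gap_chips=GAP_CHIPS):
    """Logical code (string of '0'/'1') -> chip string, with the inter-frame gap."""
    return "".join(symbols[c] for c in code) + "0" * gap_chips


def decode_frame(chips, symbols=SYMBOLS):
    """Inverse of frame_bits: recover the logical code from a captured chip string.

    Stops at the first all-off symbol slot (the gap). An unknown shape raises,
    which is the right failure when the capture is noisy or the scheme differs.
    """
    inverse = {shape: bit for bit, shape in symbols.items()}
    width = len(next(iter(symbols.values())))
    code = []
    for i in range(0, len(chips) - width + 1, width):
        chunk = chips[i:i + width]
        if chunk == "0" * width:
            break
        code.append(inverse[chunk])
    return "".join(code)


def pack_bits(chips):
    """Chip string -> bytes, MSB first, zero-padded (padding is just more 'off' time)."""
    chips += "0" * (-len(chips) % 8)
    return bytes(int(chips[i:i + 8], 2) for i in range(0, len(chips), 8))


def unpack_bits(data):
    """bytes -> chip string, in the order the radio will key them."""
    return "".join(f"{byte:08b}" for byte in data)


def transmit(frame, repeats=10, freq_hz=FREQ_HZ, baud=None):
    """Key the frame out of an RFCat dongle as a raw OOK bit stream."""
    from rflib import RfCat, MOD_ASK_OOK   # imported here so the rest works without a dongle
    d = RfCat()
    d.setFreq(freq_hz)
    d.setMdmModulation(MOD_ASK_OOK)
    d.setMdmDRate(baud or chip_rate())
    d.setMdmSyncMode(0)            # no preamble/sync word: bytes go out exactly as packed
    d.setMaxPower()
    d.makePktFLEN(len(frame))      # fixed-length packets of exactly this frame
    d.RFxmit(frame, repeat=repeats)


if __name__ == "__main__":
    import sys
    CODE = "010101010101010110101010"     # constructed 24-bit code, not a real device's
    frame = pack_bits(frame_bits(CODE))
    print(f"{len(frame)} bytes at {chip_rate()} baud:", frame.hex())
    assert decode_frame(unpack_bits(frame)) == CODE   # round trip before keying the radio
    if "--tx" in sys.argv:
        transmit(frame)
```

The round trip through `decode_frame` is worth keeping: if the chip string you pasted from the capture does not decode cleanly, the radio will still happily key it, and you will spend the afternoon blaming the antenna.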

You know how to send my signal — Setting up RFCat from scratch


What is RFCat?

RFCat is a firmware/Python-client combination written by "atlas". It takes the once-limited TI CC1111EMK and broadens its abilities. The GrrCon page (where you can buy one for $110 pre-flashed and ready to use out of the box) describes RFCat as:

"Signed, flashed RfCat USB Radio Dongle (based on Chipcon CC1111EMK-868-900), making the opacity of proprietary protocols into transparency and capacity for attack. Capable of transmitting/receiving/snooping/spectrum analysis on frequencies between 300-928MHz and more (officially 315, 433, 868, 915MHz ranges, but we've seen more than that) using modulations 2FSK, GFSK, MSK, ASK, and OOK and baud rates 0 – 250kbaud"

Why would I use this?

Good question. If you are a Software Defined Radio enthusiast like me, this is an excellent tool for testing the robustness of radio protocols on various embedded devices. Since this hardware transceiver has the modulation, etc. taken care … Continue reading

BlackBerry Acknowledgement


I received an acknowledgement from BlackBerry for my finding from a few months back. Hooray! BlackBerry Security Collaborations – US