Hacking my lights with a Software Defined Radio – RTL-SDR Explained!
I’m gonna hack my lights to come on with a single button press in home assistant, instead of a physical remote, using THIS! This little thing is an RTL-SDR, or software-defined-radio, and it’s one of the coolest nerdy gadgets you can buy with your pocket money. This specific one is a clone of the “official” RTL-SDR project, which itself is based on the AirSpy. These were originally digital TV tuners – a way to watch TV on a computer without needing a big set-top box – but the Realtek chip inside was quickly found to be a rather powerful bit of kit.
See, most radio-frequency chips are hard-coded to run at a specific frequency, or at least within very limited bands. The WiFi radio in your phone ONLY operates at 2.4GHz or 5GHz, give or take a few megahertz anyway. The little radio in my lighting remote runs in the very common 433MHz band, again give or take a few kilohertz, and you’d be surprised how much of our everyday wireless tech actually runs at one of those lower frequencies. Car key fobs and TPMS sensors, for a start, but also things like RF and TV remotes (if they aren’t infrared based anyway), air conditioning remotes, temperature sensors, FM radio, and so, so much more. It’s all invisible to us, unless you have one of these bad boys.
It’s actually pretty easy to use too: you’ll need a program called Zadig to install the WinUSB driver, then you can use a program called SDR# to start listening to the airwaves. You will need to tune into a specific frequency; for FM radio in the UK that’s between 88 and 108 MHz, and for remotes it might be around 300 MHz, 433 MHz or 868 MHz. There’s actually a pretty easy way to find out what the device you want to listen to is using: go to the FCC’s database website and search for the device or manufacturer. In my case that’s GODOX, and the 2ABYNRC-A5, where you can see it’s listed as using 433.92MHz. So now I can tune to that frequency and start listening. Pressing the on button immediately shows a spike, and a code. Switching the lights off shows a different code. Being able to see this is really cool, and you’ll want to have a play around with it: listen to some radio stations, try out all the RF stuff in your house, it’s a lot of nerdy fun.
Of course, if you want to make use of this new tool, you’ll need a few extra steps. These dongles can’t transmit at all, and even if they could, with SDR# you aren’t recording anything you can replay. Instead I’d recommend a different bit of software called Universal Radio Hacker. You’ll need to know as close to an exact frequency as possible, which is why I used SDR# to pin it down to 433.879MHz on the channel I’m using, then you can record a signal. Once it starts recording, trigger a signal, then hit stop, save it, and open it in the main window. You can then see the bytecode of the signal: in my case, to turn the lights off, it’s the same signal repeated 5 times, with about 30 milliseconds between each.
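What URH is doing when it turns that recording into a bit pattern is worth seeing in code. The script below is an added example, not the video’s code and not anything from URH or rpitx: it takes an on-off-keyed amplitude envelope, slices it into high and low runs, cuts it into repeats wherever there is a long silence, and classifies each high pulse as short or long to recover the bits. The envelope is constructed inside the script (a made-up 16-bit code, assumed 400/1200 µs pulse widths, an assumed 250 kS/s capture rate and the roughly 30 ms gap mentioned above), so it runs without a dongle; on a real capture you would feed in the magnitude of the IQ samples instead.

```python
"""Added example (not from the video, URH or rpitx): decode an on-off keyed
(OOK) envelope into bit frames and inter-frame gaps, the analysis URH does on
a 433 MHz remote capture. The sample envelope is constructed here, not a real
recording; the code, pulse widths and sample rate are assumptions."""

SAMPLE_RATE = 250_000          # assumed capture rate in samples/second
SHORT_US, LONG_US = 400, 1200  # assumed PWM pulse widths for the remote
FRAME_GAP_MS = 30              # the video reports ~30 ms between repeats
CODE = "1011000100111010"      # constructed 16-bit code, not the real remote's


def us_to_samples(us):
    return int(us * SAMPLE_RATE / 1_000_000)


def encode_pwm(bits, repeats, gap_ms):
    """Build a constructed amplitude envelope: '0' = short high + long low,
    '1' = long high + short low; repeats separated by gap_ms of silence."""
    hi, lo = 0.8, 0.1
    env = [lo] * us_to_samples(2000)          # 2 ms leading silence
    for r in range(repeats):
        for b in bits:
            on, off = (LONG_US, SHORT_US) if b == "1" else (SHORT_US, LONG_US)
            env += [hi] * us_to_samples(on) + [lo] * us_to_samples(off)
        if r < repeats - 1:
            env += [lo] * us_to_samples(gap_ms * 1000)
    env += [lo] * us_to_samples(2000)         # 2 ms trailing silence
    return env


def run_lengths(envelope, threshold=0.45):
    """Turn the envelope into (level, duration_in_samples) runs."""
    runs = []
    level, count = envelope[0] > threshold, 0
    for s in envelope:
        cur = s > threshold
        if cur == level:
            count += 1
        else:
            runs.append((int(level), count))
            level, count = cur, 1
    runs.append((int(level), count))
    return runs


def split_frames(runs, min_gap_ms=5):
    """Cut the run list into frames wherever a low run is long enough to be
    an inter-frame gap; return the frames and the gap lengths in ms. The
    measured gap includes the trailing low of the last bit, as it would in
    a real capture."""
    gap_samples = us_to_samples(min_gap_ms * 1000)
    frames, gaps, cur = [], [], []
    for level, n in runs:
        if level == 0 and n >= gap_samples:
            if cur:
                frames.append(cur)
                gaps.append(n * 1000 / SAMPLE_RATE)
                cur = []
        else:
            cur.append((level, n))
    if cur:
        frames.append(cur)
    return frames, gaps


def decode_pwm(frame):
    """Classify each high pulse as short ('0') or long ('1')."""
    mid = us_to_samples((SHORT_US + LONG_US) // 2)
    return "".join("1" if n > mid else "0" for level, n in frame if level == 1)


def analyse(envelope):
    """Return the decoded repeats, the gaps between them and the shortest
    pulse seen (the timing unit a replay tool is configured with)."""
    frames, gaps = split_frames(run_lengths(envelope))
    shortest = min(n for f in frames for level, n in f if level == 1)
    return {
        "codes": [decode_pwm(f) for f in frames],
        "gaps_ms": [round(g, 1) for g in gaps],
        "unit_us": shortest * 1_000_000 // SAMPLE_RATE,
    }


if __name__ == "__main__":
    print(analyse(encode_pwm(CODE, repeats=5, gap_ms=FRAME_GAP_MS)))
```

The three things it reports (the bit string, the spacing between repeats and the shortest pulse) are the same three things URH shows you and that you later have to type into a replay tool. When a decode of real data comes out wrong, the usual culprits are the amplitude threshold and the assumed pulse widths, which is why URH has you tune those by hand.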
Once you’ve got the code you need to broadcast, this is where I need to give you a bit of a disclaimer. The square-wave carrier we will be generating is not a single pure tone: a square wave is really a stack of sine waves that all add together to give you a complex wave. The key word here is “harmonics”, and basically that means you get repeated spikes at multiples of the fundamental frequency, which in this case is 433.879MHz. Now the harmonic peaks aren’t as strong, but you should always use a low pass filter when broadcasting to cull these higher frequencies out, and you should also check your local laws to see if you’re even allowed to broadcast on your given frequency.
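To put numbers on that, here is an added example (not from the video or from rpitx) that numerically works out the Fourier series of a square-wave carrier and lists where each harmonic lands and how strong it is relative to the fundamental, using the 433.879 MHz channel quoted above. The duty cycle is a parameter because a carrier bit-banged out of a GPIO pin is rarely an exact 50 % square wave, and any asymmetry brings in the even harmonics as well.

```python
"""Added example (not from the video or rpitx): harmonic content of a
square-wave carrier, computed by numerically integrating its Fourier
coefficients over one period. The channel frequency is the one quoted in
the text; the duty cycle is an input."""
import math

FUNDAMENTAL_MHZ = 433.879  # the channel the text tunes to


def square_wave(t, duty=0.5):
    """One period of a square carrier, t in [0, 1): +1 while high, -1 while low."""
    return 1.0 if (t % 1.0) < duty else -1.0


def harmonic_amplitude(n, duty=0.5, samples=4096):
    """Magnitude of the n-th Fourier coefficient (sqrt(a_n^2 + b_n^2)),
    integrated with the midpoint rule over one period."""
    a = b = 0.0
    for k in range(samples):
        t = (k + 0.5) / samples
        v = square_wave(t, duty)
        a += v * math.cos(2 * math.pi * n * t)
        b += v * math.sin(2 * math.pi * n * t)
    a *= 2 / samples
    b *= 2 / samples
    return math.hypot(a, b)


def harmonic_table(duty=0.5, max_n=7):
    """Rows of (n, frequency in MHz, level in dB relative to the fundamental).
    A harmonic that is numerically absent gets None instead of a level."""
    fund = harmonic_amplitude(1, duty)
    rows = []
    for n in range(1, max_n + 1):
        amp = harmonic_amplitude(n, duty)
        level_db = None if amp < 1e-6 * fund else round(20 * math.log10(amp / fund), 1)
        rows.append((n, round(n * FUNDAMENTAL_MHZ, 3), level_db))
    return rows


if __name__ == "__main__":
    for duty in (0.5, 0.3):
        print(f"duty cycle {duty:.0%}")
        for n, f_mhz, db in harmonic_table(duty):
            print(f"  {n}x  {f_mhz:9.3f} MHz  {'absent' if db is None else f'{db:+.1f} dB'}")
```

For a perfect 50 % square wave the odd harmonics sit at 3x, 5x and 7x the fundamental (roughly 1.3, 2.2 and 3.0 GHz here), only about 9.5, 14 and 17 dB below it, which is why a bare wire on a GPIO pin sprays energy well above 1 GHz unless a low-pass filter is in the way. Drop the duty cycle to 30 % and the 2x harmonic at about 868 MHz appears only a few dB down.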
Right, disclaimer done, let me show you the coolest thing here. It turns out that a Raspberry Pi and a very clever bit of software called rpitx can bit-bang a GPIO pin into a freaking radio transmitter! You just hook up a single bit of wire to act as an antenna on GPIO 4 and it will actually transmit with enough power to reach a few metres, enough to control your electronics in the same room. Again, you should use a low pass filter on this, but for local testing a wire will suffice. Now rpitx can actually do the signal capturing itself: if you plug the SDR into the Pi and run rtl_sdr with the frequency you want and give it a file name, it can capture whatever signal you want, save it to an IQ file, and then you can broadcast that. For me that didn’t work reliably, but it might for you, so feel free to give it a try. I’ll be using the sendook command instead: you set the frequency (in my case I also had to tweak the timings), set how many times to repeat with -r, then paste the bytecode from URH and hit enter, and as if by magic my lights turn off!
Turning the lights on is actually a little more complicated as there are two different codes, but I’ll get that working too. All that leaves us to do is integrate that into Home Assistant. Thanks to an excellent guide on GitHub, which will be linked in the description alongside a link to the SDR dongle and the other guides and software I’m talking about here, it’s actually pretty easy. You basically just have Home Assistant SSH into the Pi and run the command, and that’s it. It doesn’t technically know what state the switch is in, which isn’t amazing, but it works and that’s enough for me!
Having access to a software defined radio is really cool. Being able to reverse engineer and remake stuff like this remote is something I absolutely love. It’s an incredibly versatile tool, and I was genuinely blown away by the ability to bodge a radio out of a pi and a single wire. This is why I love open source projects, and considering these dongles are only £30 or so, it’s something I’d highly recommend you pick up and have a play with. Just try not to get into too much trouble, yeah?