Saturday, April 19, 2014

Baby Monitor and WiFi HackRF Collection

After breaking out my HackRF to check my DNT900 radio I thought it would be interesting to check out a system I wasn't very familiar with.

I own a couple Motorola Baby Monitors. They advertise as using FHSS, but this time in the 2.4 GHz range (vice my DNT900 that utilize the 900 MHz ISM band.)

Looking around the 2.4 - 2.5 GHz freq range with the HackRF using GQRX I could see there was alot of frequency contention (activity), so isolating the baby camera (& monitor handsets) could be a challenge. In a successful attempt to find some radio silence I powered off my cordless phone, WiFi (IEEE 802.11g) router, put all mobile phones in airplane mode.

Attaching an antenna for the wrong frequency band (co-locating the monitors near the HackRF) further eliminated interference from neighbors 2.4 GHz emissions. 

I also spent some time experimenting with the handset and monitors to see the RF activity in the various audio and video modes. 

Some observations: 
  • Sending audio and video (default) keeps these radios very active.
  • They only send data when the monitor is tuned to them. (I believe) which is interesting, since this may be a way to see if anyone else is snooping on your monitor. If you can set up a passive RF monitor like hack-rf or rtl-sdr.
  • I do not know if they can send to more then one monitor at a time.
  • Cameras and monitors are uniquely paired. (But like anything with security, if someone has access, that is trivial to establish.)
  • The radios use the entire range utilized by WiFi, Bluetooth and countless other commercial products available. (So they are a potential source for degrading WiFi, and from their activity levels I'd be shocked if that is not happening.) 
  • The data bursts are short (< 1-4 ms), and more narrowband than WiFi.

Below is a 20MHz collection via hackrf_transfer as follows:

hackrf_transfer -a 0 -r 2417MHz_motorola_hackrf_20MHz_20MS_8bit.iq -f 2417000000 -s 20000000

Since this is only 20MHz of the possible ~60 MHz the radios use not all data from this ~1 sec timeslice is shown.



And Motorola waveform zoomed (in time):





Look close (on the 1st image showing the larger time scale and you may see two, since two baby monitors in use. Thinking the other just announces its presence when not tuned to (for the scan option.)

Since the manual for these devices focuses on what parents need to know, and not those curious about how it works, alittle FCC database research was needed.

Here is the site for that:

The camera and monitor and manual all had FCC Id's listed (as do most legal equipment). For unknown reason, directly plugging that information in did not work.  I ended up just using the Grantee code (first 3 letters), and providing a frequency range.  That narrowed it down to 10 items easily reviewed.  Clicking "Display Grant" gives more summary information to find the device of interest.

Looks like Binatone Electrons actually makes the radio itself (not Motorola), and they are a big supplier to Motorola, as well as a wide range of other products that require some form of radio.

For example, Camera Unit FCC Grant:




It does seem for this equipment the manufacture requested confidentiality, which didn't seem to be honored (best I can tell.) But I'll at least not re-post anything from their reports and let you do your own exploring. Test Report being the most interesting for those wishing to understand the system in more detail.

Or maybe the internal photos to learn about the device without cracking one open

Finally, for comparison purposes. Here is a collection at the same frequency & Bandwidth that just shows alittle bit of WiFi activity, but baby monitor turned off.  (Off-tuned for WiFi, but I think it still is clear they are very different waveforms.)


And WiFi (IEEE 802.11g) waveform zoomed (in time):



Finally, here is the sample  of the Motorola Baby Monitor transmission if you want to take a look yourself:

2417MHz_motorola_hackrf_20MHz_20MS_8bit.iq

(To view in Baudline, decompression off, Initial byte 2, sample rate 20000000, channel 2 quadrature, 8 bit linear, unsigned) NOTE: these collects from older HackRF firmware, latest firmware creates signed 

No comments:

Post a Comment