## Monday, 1 September 2014

### Coil Winding

One of the big improvements in the new design was increasing the sample volume. This means that large coils are needed. I decided to use 20 AWG wire for the pre-polarization coil, and 30 AWG wire for the T/R coil.

The left spool is about 3000 ft of 30 AWG, and the right spool is about 300 ft of 20 AWG. This wire was wound onto ABS plastic piping like this.

The pre-polarization coil was wound onto a 4'' ABS pipe, and the T/R coil was wound onto a 3'' ABS pipe. To keep the coil from spreading out along the length of the pipe, I used a threaded female fitting like this on the end of each pipe.

They are kept on the ends of the pipe by some ABS cement.

I am a patient guy, but thousands of feet of wire needs to be wound around this pipe. The solution was to construct a makeshift coil winder. I took threaded ABS caps.

And I drilled a hole down the middle such that it could be placed on threaded rod like this.

Since the cap is threaded, I was easily able to thread the coil form assembly onto the threaded rod as well. The result looks something like this.

I added a washer and bolt on each end. This immobilized the coil form on the threaded rod. Next I needed something on which this form could spin. I used a power drill on one end.

And on the other end I used a piece of copper pipe attached to a piece of wood with some plastic (Basically use whatever you have laying around).

To automate the turning of the coil, I hooked up the power drill to the 5V line on my DIY power supply breakout board.

I then tied some rope around the power drill trigger so that whenever current is delivered to the drill, it turns. But that alone is not what I wanted; I wanted an easy way to control the coil winder. The solution was to create this foot pedal out of some scrap plastic and a pushbutton switch.

So we have a way of turning the coil, but where does the spool go? I mounted a hand drill sideways using a vice. I placed a rod in the hand drill. I wrapped a bunch of layers of tape around the rod, and the feeder was born!

The next problem to be solved was: how do I keep tension in the wire that is being fed? The solution was to use a friction-based tension system. And by that I mean two pairs of garden gloves and a few hand tools :) The finger of each glove is wrapped around the wire, and then the vice grips are clamped on top to provide pressure on the wire. The result is that it is difficult to move the wire through the glove.

It took a few tries to master the art of coil winding, but the last coil I was able to wind in a matter of minutes!

### New Coil Design

Humbucking Configuration

One of the biggest problems in a system like this is noise. To cut down on noise, I will actually have two identical pairs of coils arranged in a humbucking configuration.

The idea is that you have two identical coils, one wound clockwise and the other wound counterclockwise. When you connect them together, any external EMI that is induced in Coil A is cancelled by the EMI that is induced in Coil B. This is great, but then how do we get the sample signal? The trick is to only put a sample in one of the coils. This would technically mean that I only need one pre-polarization coil and two T/R coils. However, the pre-polarization coil provides a certain level of EMI shielding to the sample coil, therefore we need a second pre-polarization coil to create the exact same environment for the bucking coil.

Pre-polarization Coils

Each pre-polarization coil was wound on 4'' ABS. I do not recommend ABS as it is a very expensive material compared to some of the PVC variants. I could probably go back and redo the entire build for half the price if I were to use cheap PVC instead.

The coil is actually two layers that will be connected in parallel; this keeps the resistance of the coil low, meaning that we can get higher currents at low voltages. The highest voltage that I have on my power supplies is 12V. The resistance of each layer of the coil is 2.1 Ohms. This means that we can expect a maximum current of:

I = V / R
I = 12V / 2.1 Ohms
I = 5.714 Amps

This is good, because the maximum current that 20 AWG wire can handle is about 7-11 Amps. In practice, I get about 4.6 Amps and the coil gets warm after a minute. However, the maximum current that the power supply can provide is 9 Amps on the 12V rail, and with both layers in parallel the coil would draw twice the per-layer current (about 11.4 Amps), which exceeds the specifications of the power supply. I could instead run the coil off of the 5V rail as follows:

I = V / R
I = 5V / 2.1 Ohms
I = 2.38 Amps

In practice I get a current of about 2.17 Amps, and the coil does not heat up as fast, or as much.

What magnitude of a magnetic field do we get from each layer?

B = μ0 N I / L

B = (4 * 3.1415926535 * 10 ^ -7 T / Amp m) * 167 Turns * 2.17 Amps / 0.1524 m

B = 2.988 mT

There are two layers, so we can expect double the magnetic field.

B = 5.976 mT

This isn't that great, but if we want to scale up, we could buy a better power supply, move to the 12V rail, and add two more layers. This would bring the total field strength up to:

B = 28.69 mT (Future Improvement)
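The current and field calculations above, carried through as an added Python example that is not from the original post. The long-solenoid formula, the 2.1 Ohm per-layer resistance, 167 turns, 0.1524 m length, the 9 A rating of the 12V rail and the 7-11 A range for 20 AWG are the post's figures; the `rail_budget` check, which sums the parallel layer currents against the rail rating, and `scaled_field_mt`, which reproduces the future-improvement figure by scaling the measured 5V field to 12V and four layers, are assumptions of mine about how those numbers were arrived at.

```python
import math

MU0 = 4 * math.pi * 1e-7        # T*m/A, permeability of free space

# Per-layer figures for the pre-polarization coil, taken from the post.
LAYER_RESISTANCE_OHM = 2.1
LAYER_TURNS = 167
COIL_LENGTH_M = 0.1524          # 6 inches


def layer_current_a(voltage_v, resistance_ohm=LAYER_RESISTANCE_OHM):
    """Ohm's law: current through one layer driven straight from a supply rail."""
    return voltage_v / resistance_ohm


def solenoid_field_mt(turns, current_a, length_m):
    """Long-solenoid approximation B = mu0 * N * I / L, returned in millitesla."""
    return MU0 * turns * current_a / length_m * 1e3


def rail_budget(voltage_v, layers, rail_limit_a, wire_limit_a,
                resistance_ohm=LAYER_RESISTANCE_OHM):
    """Layers are wired in parallel, so the rail supplies the sum of the layer currents.

    Returns (per_layer_a, total_a, ok): ok is False if either the wire's ampacity
    (per layer) or the rail's rating (total) would be exceeded.
    Assumption: the layers are identical and driven directly from the rail.
    """
    per_layer = layer_current_a(voltage_v, resistance_ohm)
    total = per_layer * layers
    return per_layer, total, (per_layer <= wire_limit_a and total <= rail_limit_a)


def scaled_field_mt(measured_layer_mt, v_measured, v_new, layers):
    """Scale a per-layer field measured at one rail voltage to another voltage and
    layer count; for a resistive coil I, and hence B, is proportional to V.
    Assumption: this is how the post's 'future improvement' figure was obtained."""
    return measured_layer_mt * (v_new / v_measured) * layers


if __name__ == "__main__":
    for v in (12, 5):
        i = layer_current_a(v)
        print(f"{v} V: {i:.3f} A per layer -> "
              f"{2 * solenoid_field_mt(LAYER_TURNS, i, COIL_LENGTH_M):.3f} mT for two layers")
    print("12 V rail, two layers:", rail_budget(12, 2, rail_limit_a=9, wire_limit_a=7))
    print("12 V, four layers (scaled from measured 5 V field): %.2f mT"
          % scaled_field_mt(2.988, 5, 12, 4))
```

Running it reproduces the post's 5.714 A and 2.38 A per layer, the 2.988 mT per layer at the measured 2.17 A, and the 28.69 mT future figure; `rail_budget` is the check that shows why the 12V rail is out: two parallel layers at 5.7 A each draw about 11.4 A against a 9 A rating, even though a single layer would be fine.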

Here is the first layer of the coil.

Here is the finished coil, wrapped in electrical tape. This picture shows my digital callipers that I use religiously.

The length of the pre-polarization coil is 6 inches.

Each T/R coil is wound on a 3'' diameter section of ABS. The length of the T/R coil is about 4.38 inches. I made the T/R coil shorter because there are fringe effects towards the ends of the solenoid. The pre-polarization coil, on the other hand, only provides the Bp field, which does not have to be too homogeneous.

In order for the humbucking configuration to do its job, each of the T/R coils must be identical. I have used my multimeter to ensure that both coils have the exact same resistance.

## Summary

Last month, in the midst of procrastinating for exams, I thought to myself... What does the world need? And then it came to me... A Twitter-enabled microwave!

For the impatient, here is a video of it in action.

Here is a demo Twitter account that I used to test the app:

## Details

Almost every microwave makes a beep sound when you press its buttons. Also, when the microwave is finished cooking, it usually beeps 2-5 times. The idea behind the app is that by listening to the beeps of the microwave, it can then infer what is going on within the microwave.

All of the work of the app is done within the frequency domain. When the app first boots up, it asks you to record the sound of your microwave beep. Then, the application performs an FFT on that beep to determine what its characteristic frequency is. The app is then constantly performing an FFT on the input audio, looking for the target beep frequency.

When you put your food in the microwave, you press a few buttons to input the time, and the last button that you press is start. So if I am going to cook something for five minutes, I will press 5-0-0-start. Then five minutes after pressing start, the microwave will beep to indicate that it has completed cooking the food. All the app has to do is measure the length of time between the start beep and the first finish beep. From this it can determine how long the food was cooking for.

When you press the first button on the microwave, in this case five, the app takes a photo of you and your food. When the app decides that you are finished cooking the food, it posts the picture to Twitter along with how long your food has been cooking for.
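The beep-detection scheme described above, as an added Python example that is not the app's own code. It replaces the library FFT with a plain DFT for the reference beep and a Goertzel single-bin filter for the streaming frames so that it runs with the standard library only; the 8 kHz sample rate, the 1500 Hz beep, the detection threshold, the rule that the last beep before a long silence is the start press, and the audio itself are constructed assumptions.

```python
import math
import random

# Assumed parameters for this example (not from the original app).
SAMPLE_RATE = 8000      # samples per second
FRAME = 256             # samples per analysis frame (32 ms at 8 kHz)
BEEP_HZ = 1500.0        # tone of the constructed microwave beep
BEEP_LEN_S = 0.10       # duration of each constructed beep
LONG_GAP_S = 3.0        # a silence longer than this separates key presses from finish beeps


def synth_beeps(onsets_s, total_s, rate=SAMPLE_RATE, tone_hz=BEEP_HZ, seed=1):
    """Constructed test audio: low-level noise with a short tone burst at each onset time."""
    rng = random.Random(seed)
    audio = [0.02 * rng.uniform(-1.0, 1.0) for _ in range(int(total_s * rate))]
    for t0 in onsets_s:
        for i in range(int(t0 * rate), min(int((t0 + BEEP_LEN_S) * rate), len(audio))):
            audio[i] += 0.5 * math.sin(2.0 * math.pi * tone_hz * i / rate)
    return audio


def dominant_frequency(frame, rate=SAMPLE_RATE):
    """Plain DFT of one frame; returns the frequency of the strongest bin.
    This is the 'record your beep, find its characteristic frequency' step."""
    n = len(frame)
    best_bin, best_power = 0, -1.0
    for k in range(1, n // 2):
        re = im = 0.0
        for t, x in enumerate(frame):
            ang = 2.0 * math.pi * k * t / n
            re += x * math.cos(ang)
            im -= x * math.sin(ang)
        power = re * re + im * im
        if power > best_power:
            best_bin, best_power = k, power
    return best_bin * rate / n


def tone_power(frame, target_hz, rate=SAMPLE_RATE):
    """Goertzel recurrence: power of the single DFT bin nearest target_hz.
    Cheaper than a full FFT per frame when only one frequency matters."""
    n = len(frame)
    k = round(n * target_hz / rate)
    coeff = 2.0 * math.cos(2.0 * math.pi * k / n)
    s1 = s2 = 0.0
    for x in frame:
        s0 = x + coeff * s1 - s2
        s2, s1 = s1, s0
    return s1 * s1 + s2 * s2 - coeff * s1 * s2


def beep_onsets(audio, target_hz, rate=SAMPLE_RATE, frame=FRAME, threshold=None):
    """Times (s) at which the target tone goes from absent to present, frame by frame."""
    if threshold is None:
        # a tenth of the power of one full frame of the constructed 0.5-amplitude tone
        threshold = 0.1 * (0.5 * frame / 2.0) ** 2
    onsets, active = [], False
    for start in range(0, len(audio) - frame + 1, frame):
        present = tone_power(audio[start:start + frame], target_hz, rate) > threshold
        if present and not active:
            onsets.append(start / rate)
        active = present
    return onsets


def cook_time_s(onsets, long_gap=LONG_GAP_S):
    """The last beep before the first long silence is the 'start' press; the next
    beep is the first 'finish' beep. Returns their separation, or None if not found."""
    for a, b in zip(onsets, onsets[1:]):
        if b - a > long_gap:
            return b - a
    return None


def run_demo():
    """Constructed 5-0-0-start press sequence, then three finish beeps about 6 s later."""
    audio = synth_beeps([0.512, 1.024, 1.536, 2.048, 8.192, 8.704, 9.216], total_s=10.0)
    first = int(0.512 * SAMPLE_RATE)
    target = dominant_frequency(audio[first:first + FRAME])   # "record your beep" step
    onsets = beep_onsets(audio, target)
    return target, onsets, cook_time_s(onsets)


if __name__ == "__main__":
    print(run_demo())
```

The frame-by-frame approach gives onset times with 32 ms resolution, which is plenty for a cooking timer; the real app would add a debounce for beeps that straddle a frame boundary and would read the threshold from the recorded reference rather than from a known amplitude.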

## Saturday, 14 June 2014

### Simple NMR Part 2

I had recently provided an overview of my Simple NMR project here. Since then, I have been busy prototyping and writing software for the project.

I am keeping all of the source code and PCB designs for my project on GitHub under the name SimpleNMR.

The current design is destined for failure as it is significantly under-engineered in many ways. The purpose of this phase is really to master CAD PCB design and fabrication, as well as to learn about dealing with the sources of noise in the system.

Here are the latest developments on each of the components.

Field

It is very important to know the strength and direction of the Earth's magnetic field in your location. Luckily, this data is provided by The National Geophysical Data Center. Today in Ottawa, the magnetic field strength was measured to be 54.4275 uT. From this data we can compute the Larmor frequency using the gyromagnetic ratio for hydrogen nuclei.

gamma = 42.5774806 MHz / T
B0 = 54.4275 uT
f = gamma * B0
f = (42.5774806 MHz / T) * (54.4275 uT)
f = 2.31739 kHz

Most smart phones have a built-in compass nowadays. They also have the ability to measure the exact magnetic field strength. The iPhone app "Teslameter" was used to align the coil along the axis of the Earth's magnetic field and to compute the correct Larmor frequency to use.

Transmit/Receive Coil (T/R coil) and Polarizing Coil

T/R Coil

60m of 30-gauge copper wire was used, purchased from The Source. The wire was simply left on the spool and used as is. The receive coil should be tuned with a capacitor; however, I did not do this, as I would need a 250 nF capacitor. The next version of the instrument will be tuned with a capacitor.
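The Larmor calculation from the Field section and the 250 nF tuning capacitor mentioned for the T/R coil, worked as an added Python example that is not part of the original post. The gyromagnetic ratio, the Ottawa field value and the 250 nF figure are the post's; the LC resonance relation and the `implied_inductance_h` helper, which back-computes the coil inductance that the 250 nF value implies, are my additions.

```python
import math

# From the post: proton gyromagnetic ratio (gamma / 2*pi) and the Ottawa field reading.
GAMMA_H_HZ_PER_T = 42.5774806e6
B0_OTTAWA_T = 54.4275e-6
# From the post: the tuning capacitor the T/R coil would need.
TUNING_CAP_F = 250e-9


def larmor_hz(b0_tesla, gamma_hz_per_t=GAMMA_H_HZ_PER_T):
    """f = gamma * B0 (gamma is already divided by 2*pi, so the result is in Hz)."""
    return gamma_hz_per_t * b0_tesla


def tuning_capacitance_f(inductance_h, f_hz):
    """LC resonance: C = 1 / ((2*pi*f)^2 * L).
    Assumption: the receive coil is tuned as a simple LC tank at the Larmor frequency."""
    return 1.0 / ((2.0 * math.pi * f_hz) ** 2 * inductance_h)


def implied_inductance_h(capacitance_f, f_hz):
    """Inverse of the above: the coil inductance at which a given capacitor resonates at f."""
    return 1.0 / ((2.0 * math.pi * f_hz) ** 2 * capacitance_f)


if __name__ == "__main__":
    f0 = larmor_hz(B0_OTTAWA_T)
    L = implied_inductance_h(TUNING_CAP_F, f0)
    print(f"Larmor frequency in Ottawa: {f0 / 1e3:.5f} kHz")
    print(f"250 nF resonates there with a coil of about {L * 1e3:.1f} mH")
    print(f"round trip: {tuning_capacitance_f(L, f0) * 1e9:.1f} nF")
```

The round trip reproduces the post's 2.31739 kHz and shows that a 250 nF tuning capacitor corresponds to a coil inductance of roughly 19 mH; measuring the coil's inductance directly and plugging it into `tuning_capacitance_f` is the way to pick the capacitor for the next version.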

The red and green wires coming off of the coil belong to the T/R coil. The entire coil was glued with generous amounts of hot glue to the base (A piece of rubber).

Polarization Coil

A polarization pulse will be generated to enhance the signal strength. 12m of 22-gauge copper wire was used. The polarization coil was wound atop the T/R coil spool. This coil is hooked up to the black and white wires attached to the coil in the above figure.

Failures:

• The sample volume on this coil is only about 8mL. This is not nearly large enough to get a signal from. The signal to noise ratio is proportional to the sample volume. Next time I plan to use a 500mL sample volume. Go big or go home!

Power Supply

All of the electronics will be powered by an ATX power supply from an old computer. I have built a box that connects to the standard ATX connector and breaks it out into each of the voltages using binding posts.

Failures:

• It can only provide 0.8A on the -12V rail. This could be a problem as I increase the power of the transmitting amplifier. I could just go and buy a new power supply, however it is hard to find PC power supplies with a large current rating on their -12V rail. Most are about 1A.

Relay Board

The polarization coil will be turned on and off through a relay. The T/R coil will be switched between transmit and receive mode by way of another relay.

This was the relay board that I designed in KiCad.

Failures:

• When I got it back from the fab house (http://smart-prototyping.com) I found that the pin headers didn't quite fit into the holes on the board. The problem was that the fab house can only drill circular holes, while I had designed the board using oval/rectangular holes. The solution was to use the vice and force it.
• This board suffered from poor labelling; there is a power pin header on the right-middle. Any guess which one is ground and which one is positive?
• Mechanical relays were used on this board, and they are very noisy (in an EMI sense). I will be using reed type relays for the T/R switch next time.
• The relays used were rated at 3 Amps, and I was pushing 9 Amps through the relay for the polarization coil. They worked just fine, however this is bad practice. Next time I will use two low current relays for the transmit/receive switch, and then a high current relay for the polarization coil.
• The relays were only type SPDT, which meant that the transmitter and receiver had to have a common ground. This was a terrible idea, as there was enough noise coming through the ground to the receiver to saturate the receiving amplifier during the transmit phase. Next time I will use DPDT relays, or perhaps more SPDT relays.
• While the transmit and receive process is happening, the polarization coil should really be grounded. Also, there should be a short period of time after the transmit process where the receive coil is grounded to allow the ringing to stop.

Transmit Electronics

The transmit signal will leave the sound card of the PC and go to a LF411 operational amplifier. The output of the amplifier will go to the relay and then to the T/R coil. Here is the transmitter board that I designed in KiCad. I had this board manufactured by OSH Park (https://oshpark.com).

Failures:

• This board is really low power; there is only one stage and it is about 670 mW. Next time I will probably move to multiple stages, and perhaps a higher power op amp.
• There is no adjustment on the gain because I made an incorrect connection in my schematic. The solution was to put a wire across the board (Seen on the bottom right) where the pot would have gone.

The received signal will leave the T/R coil and go through the relay, then to the LF1115 operational amplifier where the signal will be amplified tens of thousands of times. The output of this amplifier will go to a PC's sound card. Here is the receiver board that I designed in KiCad.

Failures:

• The pin headers on the board are poorly labeled. This was because I was trying to cram everything onto the smallest possible board. I will never do this again; it is more important to have a clear design than a cheap design. It ended up not being so cheap either: I fried a $6 op amp due to bad labels.
• It has a gain of about 50,000, which is only adjustable to about 55,000. It would be nice to be able to adjust the gain in software. The pot is large and is very good at picking up EMI as well.
• Right now I connect to the T/R coil using pin headers. In the next revision, I would like to use some sort of coax to keep the noise down.
• It would probably be a good idea to have some sort of enclosure around this amplifier.

Software

I am using the MSP430 microcontroller to control the relay board. Right now the MSP430 simply listens for commands from the serial connection and does what it is told. I have written a simple C program that runs on the MSP430; however, it just turns the chip into a serial-to-parallel converter. I chose the MSP430 because it costs only $4.99, shipping included, USB cable included, on-board serial connection included.

On the other side of the serial connection is a C++ program which controls the entire experiment. I am using GNURadio for all of the pulse generation and digital signal processing. Right now timing is not a big deal. In the future, I may need to rethink my software design so that it can time the pulses more accurately. There are some options.

- Move the project to the raspberry pi
- Create a custom USB device, add a 23942342902342342334-Bit ADC to it, and a respectable micro controller
- Move more of the software onto a micro controller

Shielding

Originally I thought that it would be a good idea to use a large pot to shield the experiment from EMI. This turned out to be a bad idea, because the pot was capable of causing inhomogeneity in the magnetic field. I am going to leave shielding out of the next design and focus on filtering out noise using either hardware or software, or by going to a remote location.

The polarization coil that I will be using in the next design is significantly larger than the previous, it should be able to provide a significant amount of shielding on its own.

I have no doubt that I will return shielding to the design some day.

## Wednesday, 16 April 2014

### Simple NMR Part 1

This post will outline the absolutely most basic NMR that will be built.

Field

The Earth's magnetic field will be used. Alignment with the field will be done with a compass.

60m of 30-gauge copper wire will be used, purchased from The Source. The wire will simply be left on the spool and used as is. The receive coil will be tuned with a capacitor.

Polarizing Coil

A polarization pulse will be generated to enhance the signal strength. 12m of 22-gauge copper wire will be used. The polarization coil will be wound atop the T/R coil spool.

Control Electronics

All of the electronics will be powered by an ATX power supply from an old computer. The polarization coil will be turned on and off through a relay. The T/R coil will be switched between transmit and receive mode by way of another relay. Both relays will be controlled by an MSP430 microcontroller and some switching transistors. The MSP430 will be controlled by a PC through a serial connection.

In the Earth's magnetic field, the Larmor frequency is expected to be ~2kHz. This makes a PC's sound card the perfect device to record data.

The transmit signal will leave the sound card of the PC and go to a LF411 operational amplifier. The output of the amplifier will go to the relay and then to the T/R coil.

The received signal will leave the T/R coil and go through the relay, then to the LF1115 operational amplifier where the signal will be amplified tens of thousands of times. The output of this amplifier will go to a PC's sound card.

Software

GNU Radio will be used as a function/pulse generator and for interpreting the received signal. The relays will be controlled by a C++ program on the PC side. On the MSP430 side of life, I will write a C program that runs on the MSP430 using the open toolchain.

Shielding

The coil of the experiment will be shielded by a large pot that is usually used for cooking corn. The relays should probably be kept away from the amplifiers and the amplifiers should also be shielded.

## Saturday, 15 March 2014

### Jam Intercept and Replay Attack against Rolling Code Key Fob Entry Systems using RTL-SDR

For the past 6 months I have been developing a proof of concept attack against rolling code key fob entry systems. Some examples of affected systems would be the key fob you use to unlock your car.

Or the key fob you use to disarm your home security system.

Or even open the garage door.

The oscillators used in these key fobs are typically low cost, meaning that they may not operate at exactly their design frequency throughout the full temperature range. For this reason, the receiver in the car or home security system is designed to accept signals within a certain pass band. The trick of the attack is for the adversary to jam at some frequency within the receiver's passband, but not too close to the frequency of the remote.

If you jam in this manner, when the victim presses the unlock button on their key fob, nothing will happen because the receiver is being jammed by an adversary. The adversary can then use an SDR such as the RTL-SDR to record the whole transaction.

The following GNU Radio flow graph could be used in conjunction with the RTL-SDR.

GNURadio makes it easy to filter out the jamming signal and obtain the authorized remote signal.

The signal obtained is the Nth rolling code, and it is still valid because the receiver has not yet received the Nth rolling code. Therefore the adversary can replay the signal at a later time and unlock the car. But how does one replay the signal on the cheap?

The system that was constructed looks as follows from a high level.

The signal in this case was ASK (Amplitude Shift Keying) encoded data which was decoded using GNU Radio's "AM Demod" block as follows.

The demodulated signal was then played back through the audio interface of the computer.

The signal was then fed into a LM386 op amp to bring the signal from line level (~1V), up to TTL (~3V). The TTL signal was then fed into an ASK RF module operating at the same frequency as the authorized remote. The schematic for the constructed circuit follows.

And the final product was soldered onto some prototyping board.

The board here is powered by USB, and has a switch on the back right portion of the board. This switch allows you to put the board in either "Jamming" mode or "Signal Replay" mode. In "Jamming" mode, the RF module will continuously transmit bogus data at the carrier frequency. In "Signal Replay" mode, it will transmit the data provided through the audio jack as an ASK encoded signal at the carrier frequency. A 315 MHz ASK module was used, but this module is inexpensive and could easily be swapped out for, say, a 400 MHz FSK module. A list of the parts used in its construction follows.

Does this system actually work? Frighteningly, yes it does. I was able to test this attack against two economy cars and one van, all of which use rolling code security.

The attack was successful against all three rolling code secured automobiles. I will finish this post by describing a scenario that is of far greater concern.

In a rolling code garage door system, imagine the following sequence of events. The victim presses the button on the RF remote to initiate the closing of the garage door. The adversary jams and intercepts the signal. The garage door therefore does not close. The victim presses the button on the RF remote again. The adversary jams and intercepts the signal again, but then replays the first signal he/she intercepted. The garage door closes, and the victim leaves the area assuming that their garage door is secure. The adversary then replays the second signal he/she intercepted and the garage door opens again.
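The receiver-side view of the two scenarios above (the held-back Nth code, and the garage door sequence), as an added Python model that is not part of the original post and corresponds to no particular vendor's scheme. It models a code as nothing more than its counter value and a receiver that accepts only counters ahead of the last one it acted on, within a resync window. That is enough to show what the counter check does reject (a code the receiver has already consumed) and what it cannot tell apart (a code the receiver never saw because it was jammed, which from its point of view is indistinguishable from a fresh press).

```python
class CounterWindowReceiver:
    """Toy rolling-code receiver (hypothetical; not any vendor's scheme).

    A code is modelled as just its counter value. A code is accepted only if the
    counter is ahead of the last accepted one and within a resync window; that is
    the check that makes a straight replay of an already-used code fail.
    """

    def __init__(self, window=16):
        self.last_accepted = 0
        self.window = window

    def accept(self, counter):
        """True if the receiver would act on this code; updates its state if so."""
        if self.last_accepted < counter <= self.last_accepted + self.window:
            self.last_accepted = counter
            return True
        return False


class Fob:
    """Toy transmitter: each press emits the next counter value."""

    def __init__(self):
        self.counter = 0

    def press(self):
        self.counter += 1
        return self.counter


def garage_door_scenario():
    """The garage door sequence from the post, seen from the receiver.
    Returns a list of (event, accepted) pairs in order."""
    fob, door = Fob(), CounterWindowReceiver()
    log = [("normal press, receiver in sync", door.accept(fob.press()))]

    # First press is jammed: the receiver never sees this code, but it was recorded.
    held_first = fob.press()
    # Second press is jammed and recorded as well; the first code is replayed instead.
    held_second = fob.press()
    log.append(("replay of first code (door closes)", door.accept(held_first)))
    # Later, the second recorded code is replayed: still ahead of the receiver's counter.
    log.append(("replay of second code (door opens)", door.accept(held_second)))
    # Replaying an already-consumed code is the one case the counter check rejects.
    log.append(("second code replayed again", door.accept(held_second)))
    return log


if __name__ == "__main__":
    for event, accepted in garage_door_scenario():
        print(f"{'ACCEPT' if accepted else 'REJECT'}: {event}")
```

Only the last entry in the log is rejected. The two replays before it are accepted because the receiver has no information beyond the counter, so a delayed code and a fresh one look identical to it; any defence against this sequence has to come from something other than the counter check, which the post does not go into.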