Skip to content

Dude, where is my car? (Geofencing) - Part 3

Posted by sqall on
In 2018 I started a project to be able to track my car in real time. Additionally, my idea was to use it as a car alarm system. I went through different iterations until I had a working system with which I was satisfied. This is the third part of a blog post series that describes how to track your car in real time and how to use it as a car alarm system.



The Current State of Affairs

I am now able to track my car in real-time and since I use an end-to-end encrypted GPS tracking service (ChasR), I am still able to protect my privacy. However, my goal was to build a car alarm system. At the moment, I need a hint or gut feeling that my car was stolen so I would check its location. This is obviously not a good alarm system. I have to build something that monitors the location of my car and then alerts me if something is off.

The Idea: Geofencing

The question is: how do I detect that my car is moved by someone that is not supposed to move it? Well, my first idea was to make an on/off switch for the car alarm system. However, I am pretty sure I would forget switching it on or off quite often (or my wife would) and thus would get a lot of false-positive alert messages which would in time lead to alarm fatigue.

My next thought was that my car usually drives around only in my town and the neighboring towns. A thief stealing my car would certainly not staying in town. How about monitoring if the car moves outside of these usual areas? Well, obviously I am not the first one who thought about it. This technique is called geofencing and I thought it is worth pursuing.

Here is an example to make it more visual (I used the following website to create the image). Let us say I live in Berlin and usually only drive around in center, west and south Berlin. Then I could use the following two geofences to determine that my car was stolen or not. If the car resides inside the geofences, everything is fine. If it goes outside, I get a notification.



However, since I use an end-to-end encrypted GPS tracking system, I am not able to integrate the monitoring mechanism into the GPS tracking system itself (no, I will not go down the rabbit hole called "homomorphic encryption"). Hence, the only viable solution is to have a small service running at home that periodically fetches the current location of my car from the GPS tracking service and then processes it. If my car is outside the geofence, this service has to notify me about it and then I can check and react accordingly.

The Implementation

For this to work, I needed to implement a small service that fetches the GPS data, processes it and sends me a notification. Sounds easy enough. However, I am lazy and do not want to build everything from ground up myself (yes, even if I built the whole end-to-end encrypted GPS tracking system because nothing like this existed). So I thought I could integrate this service into an existing monitoring system. I settled to integrate it into AlertR, because it has a modular build and already offers me notification capabilities (ok, this is quite a bad example of "I am lazy and do not want to do everything myself" because I am also the author of AlertR :/ ). I also added a tutorial to the AlertR wiki to set up the monitoring service. After I installed everything needed for the monitoring service on an old Raspberry Pi 2, every time my car leaves the geofence I get a push notification on my phone:



Furthermore, choosing AlertR gives me additional interesting possibilities. I could also use the geofencing for some kind of home automation. For example, I could check if the car gets parked in front of my house and then turn on the thermostats in winter.

Android (LineageOS 15.1) Execute Script on Start Up

Posted by sqall on
For a project I am currently working on I needed my old mobile phone (a Nexus 5X) to start a script directly after start up. I already did it for a Motorola Moto G 2014 running LineageOS 16. However, the hardware broke down because of old age. So I needed to do all the same for my next old mobile phone. Unfortunately, the steps I took on LineageOS 16 did not work for LineageOS 15.1 which is the only available for the Nexus 5X. Hence, here is a description how to do it on LineageOS 15.1.


Installing LineageOS 15.1

The first step is to install LineageOS 15.1 onto your mobile phone. I will not describe how this is done, because the LineageOS website has really good tutorials for this (here for the Nexus 5X). I used this to flash my mobile phone. Additionally, please install the LineageOS SU Addon to get root permissions on the phone. When everything is working, we can start our changes to the operating system.


Execute Script on Start Up

As I said, I tested a lot of different methods I found on the Internet. The one that worked for me is a combination of this forum thread and that forum thread. In a short description, we have to change the init.rc in the boot image to enable the init.d process to execute start scripts. However, for this we have to reflash the mobile phone. I tried to change the file directly via adb (getting write permissions to the file and editing it directly). However, after each reboot it changes back to the original file. So, we have to change it in the boot image itself.

Normally, I work on Linux. However, since there is a Windows tool that does all the packing and repacking (and I actually do not care about the Android image internals), I used Windows for this part. The steps we have to do are the following:


  1. Download Android Image Kitchen. I used version 3.5.

  2. Unzip our LineageOS file (the lineage-15.1-20200107-nightly-bullhead-signed.zip) and copy the boot.img into the Android Image Kitchen directory (next to unpackimg.bat and repackimg.bat).

  3. Open a command line in Windows into this directory and execute:



    4. unpackimg.bat boot.img
     


  4. Go into the directory ramdisk and edit the file init.rc. I would suggest to use Notepad++ for this, since the normal Windows editor could fuck up the charset (e.g., by using \r\n instead of \n).

  5. Go to the end of the file and add the following to enable init.d:



  6. Find the section that starts with on charger and change it to the following:



    7. #[...]

    service init_d /system/bin/sh /system/bin/sysinit
        user root
        group root
        disabled
        oneshot
        seclabel u:r:sudaemon:s0

    on property:sys.boot_completed=1 && property:sys.logbootcomplete=1
        start init_d
     


  7. Repack the image by open a command line into the Android Image Kitchen directory and execute repackimg.bat. You should now have a file that is called image-new.img. This is our new boot image.

  8. Copy the image-new.img to your phone (I used adb push for this, however, SD card also works).

  9. Start TWRP on your phone (you used it to flash your LineageOS onto your phone, so do the same steps to go into the recovery mode which uses TWRP).

  10. In TWRP, go to install, switch to install image and then select the image-new.img file you copied to your phone. Select the boot partition and swipe to install it. In short, do install -> install image -> select image-new.img -> select boot partition -> swipe to install.

  11. Reboot.

  12. Done.

  13. Now you can go into the directory /system/etc/init.d and create scripts that are executed on start up.



After this, the mobile phone should boot up as normally. If you want to check if your changes are now on the phone, you can use adb for it. Do the following if you want to check:


  1. Turn on the developer options on your mobile phone.

  2. Allow USB debugging.

  3. Allow adb to have root access.

  4. Use the command adb root on your computer to restart adb with root access.

  5. Use the command adb shell to get a shell on the phone.

  6. Output the file init.rc file via cat init.rc and see if your changes are there.



To give an example, I add a script that loops and checks if the mobile phone is charged. If it is not charged for more than 5 seconds, it shuts down the mobile phone. The following has to be done:


  1. Go to the directory /system/etc/init.d and execute:



    2. touch 99batteryshutdown
     


  2. Execute the following commands to give the correct permissions:



    3. chgrp shell 99batteryshutdown
    chmod 755 99batteryshutdown
     


  3. Place the following content into the file:


    #!/system/bin/sh

    # Start script in background
    /system/bin/batteryshutdown.sh &
     


  4. Now go to directory /system/bin and create the file batteryshutdown.sh with the correct permissions:



    5. touch batteryshutdown.sh
    chmod 755 batteryshutdown.sh
     


  5. Place the following content into the script file:


    #!/system/bin/sh

    CTR=0
    while true; do
        STATUS=$(cat /sys/class/power_supply/battery/status)

        # Observed states: Charging, Discharging, Full
        if [ $STATUS == "Discharging" ]; then
            let CTR=CTR+1
        else
            CTR=0
        fi

        # Tested: when on battery mode, after around 20 seconds the process
        # does not wake up from sleep until charger is plugged in again
        # or mobile phone is used by user.
        if [ $CTR -gt 1 ]; then
            # On Lineage 15 with 'su -c', the command returns
            # CANNOT LINK EXECUTABLE "su": cannot locate symbol
            svc power shutdown
            # On Lineage 16 without the 'su -c', the command returns just 'Killed'
            # (perhaps SELinux settings).
            #su -c 'svc power shutdown'
        fi

        sleep 5
    done
     



With this script, around 10 seconds after the charger has been removed from the mobile phone it gets shutdown. Please note, that the Android operating system optimizes the processes for the battery usage. This means as soon as the phone runs on battery, processes get suspended when the system goes to sleep. You can see my observations in the comments of the script above. Hopefully, this helps some of you to not spend hours on testing.

Thermostat Controlling System with Raspberry Pis

Posted by sqall on
TL;DR

I built a thermostat controlling system because we regularly forgot to turn off the heating when opening the window in the same room. The system turns off the heating in the room when the window is opened and turns it on again after the window is closed again. And since I was at it, I also added the feature to control each thermostat in the apartment with the mobile phone.


Introduction

The problem my family had was this: when ventilating the room in the morning (or when needed) more often we forgot to turn off the heating. And if it is cold outside, this is a really bad habit. Not only for the costs of the energy that is wasted, but in regards to our global heating crisis this definitely has to stop. We tried different stuff to get rid of this bad habit, however, this did not work for long. After a while, when your head is back in the "So, what is my TODO-list for today?"-mode in the morning, we forgot the heating again. So, a more clever solution is needed.


Planing

When planing this, I had to consider the network and things I already had installed at home. In every room in my apartment I have a Raspberry Pi running connected to the network. Additionally, I already have magnetic switches on each window as part of the alarm system. The switches are connected to the Raspberry Pis. Hence, I only need thermostats that can communicate with the Raspberry Pis. Since version 3 of the Pi has Bluetooth built-in, I searched for Bluetooth LE compatible thermostats which I can talk to. The only thermostats fitting this requirement were the Eqiva Bluetooth Smart Thermostats (model 141771E0). Furthermore, there is a Python library which can communicate with these thermostats. This makes life way easier. For all Raspberry Pis below version 3, I just bought a USB Bluetooth adapter.



So, the overall hardware requirements for this project were:


  • Raspberry Pi (lower than version 3 additional Bluetooth USB adapter)

  • Eqiva Bluetooth Smart Thermostats (model 141771E0)

  • Magnetic switches for each window



However, hardware alone does not help us much. We need software which glues together everything. Since I run an AlertR setup at home, it was an obvious choice to hijack this environment to control the thermostats. The AlertR infrastructure already monitors and communicates every sensor state in the apartment so I can use it to transfer the temperature of the thermostats. AlertR was not directly built for this purpose, however, its design allows us to easily integrate the thermostats into it. On a high-level, the infrastructure we want to build looks like the following:




Local Thermostat Controlling

Before we can start integrating the thermostats in the AlertR infrastructure, we have to build something that is able to talk to the thermostats. I implemented a small service that communicates with the thermostats (if we want to be fancy we can call it "micro service" ;-) ). This service takes commands via a local FIFO file such as changing the temperature or reacting to an open window. We can easily instrument this with AlertR by executing local scripts that write into this FIFO file on triggered events. However, somehow this service has to tell AlertR about the current state of the thermostat (such as temperature or battery state). For this, AlertR offers the possibility to take sensor readings via a local FIFO file. In short, the AlertR infrastructure and the thermostat service communicate with each other via FIFO files on the local host.


Infrastructure Design

AlertR groups events into AlertLevels. The setup we want to create has actually two types of events we have to react on: window open/close and set temperature. The AlertR infrastructure design looks like the following:



On first glance, this seems really complicated. But it is not. Let us go through it step by step.

First, we start with the window open/close event. The window sensor (top left in the image) gives the AlertR sensor client running on the Raspberry Pi the signal that the window was opened/closed. This sensor transmits the information to the AlertR server. The window open/close event is part of AlertLevel1 which then triggers the event. It is transmitted to the AlertR executer client which then writes into the FIFO file of the thermostat service that the window was opened/closed. The thermostat service then turns off/on the heating by setting the temperature accordingly. This is everything we need to react to an window open/close event.



Before we start to look into how the temperature is controlled, let us take a look at how the temperature of the thermostat is processed by AlertR. The thermostat service reads periodically the temperature from the thermostat and writes this information into a FIFO file of an AlertR sensor (bottom left in the image). This information is transfered to the AlertR server which stores it. AlertR uses manager clients to control it. One of these manager clients keeps a copy of the system data in a database to share it with external components. For example, a website can read this data and display it. In this case, a small website shows the temperatures of the thermostats.

Now let us take a look how the temperature is controlled. Since this website shows the current temperature of the thermostats, it is the best place to give the user the possibility to control the temperature. When the user changes the temperature, the website writes this new value into a FIFO file of an AlertR sensor (bottom right in the image). This sensor is part of AlertLevel2 which triggers an event. This set temperature event is transmitted to the AlertR executer client which then writes the new temperature into the FIFO file of the thermostat service. The thermostat service then sets the new temperature on the thermostat.


Website

It would be cooler if the website for the thermostat is easily controllable by a mobile phone. So I wrote the website with this goal in mind. Next to the thermostat data it also shows the data of separated temperature sensors which I have placed in the rooms as well as local weather data.


Source Code

If you are interested in building something similar, the source code for AlertR is available as Github repository. Since the code for the website and the thermostat service is rather specific for my needs, I did not publish it (though everything is configurable). However, if anyone is interested in it, just contact me. I am happy to share the code.


Security Concerns

One big problem remaining is the security of the thermostats. When you are using the official App for the thermostats, you have to pair your mobile phone with the thermostats by entering a PIN code that is displayed on the thermostats. However, it seems that this is just for show. Because when you are using the Python library, you can just access it without any pairing. And this is not just a read-only access, you can set any configuration available. Meaning everyone in Bluetooth LE distance can change settings on your thermostats. This is really bad and the reason I hesitated to build this. However, the attacker capability is as follows:


  • An attacker has to be in near distance (50-100m away) to access your thermostats,

  • and the attacker can only change the temperature in your rooms.



If an attacker changes the temperature in your rooms you will notice it after a while (since you either start sweating or it is getting too cold). Meaning no big harm is done here. However, this is still an annoying issue. One way I thought about to tackle this issue is to use the thermostat service as an intrusion detection system (IDS). The thermostat service can monitor the values of the thermostat and notify the user if they are changing unreasonable. Then the user can react accordingly. It can also act as an intrusion prevention system (IPS) by restoring the thermostat state to the intended state. Overall, this is an interesting topic since most IoT devices have security issues which will not be patched and you have to cope with it (the same problem exists for medical devices and is part of current security research).

Dude, where is my car? (Android Edition) - Part 2

Posted by sqall on
A year ago I started a project to be able to track my car in real time. Additionally, my idea was to use it as a car alarm system. I went through different iterations until I had a working system with which I was satisfied. This is the second part of a blog post series that describes how to track your car in real time and how to use it as a car alarm system.



The Problem: SD Card

The Raspberry Pi built into my car worked great. I got real-time location information about my car and was happy. However, after around half a year it stopped working sporadically. And then more often until it completely stopped. I hooked up the Raspberry Pi to a display and saw the problem: the SD card. Since the Raspberry Pi was directly connected to the power my car engine provided, it got power as soon as I started the car and lost it as soon as I turned off the engine. Because of all these abrupt power losses, the SD card was more heavily used than normally. Since it is a flash memory with only a certain number of read/write accesses, it died pretty early.

Now the easiest would be to just replace the SD card wit a new one. However, then I would run into this problem again. And since I am no hardware tinkerer, my skills in building a battery in front of the Raspberry Pi to provide it with enough power for a normal shutdown are limited. Furthermore, the Raspberry Pi needs some kind of signal that it should shutdown which means designing some kind of circuit for this. Also the Raspberry Pi has to start up again as soon as the engine starts. So, I was at a loss here first.


The Solution: Old Mobile Phone

I was thinking about the hardware problem I had and came to the realization: a mobile phone has exactly the hardware I need. Come to think of it, I do not know why I did not think about this in the first place. I need a GPS receiver for the GPS tracking. A mobile phone has one build in. I need a GSM/UMTS modem to transfer the data. A mobile phone has one build in. Now I need a battery to compensate abrupt power loss. A mobile phone has one build in. So, it has actually all the hardware I need and additionally needs less space. So I would call it a win-win situation. And since almost anyone has some old mobile phone lying around, there is no shortage on supply.

However, for this to work the mobile phone has to do two things it normally does not:


  1. Turn on as soon as it gets power from a power supply, and

  2. shutdown as soon as the power supply is turned off.



Since these are things I have to change in the operating system, I decided to give LineageOS a try. This Android based operating system gives me total access to the operating system and supports a wide range of mobile phones. I had an old mobile phone at home (a Motorola Moto G 2014) and started to tinker with it. After some searching in the Internet and some tinkering the mobile phone did what I wanted. I wrote two separated articles on how to modify your mobile phone for this:


  1. Android (LineageOS 15.1 and 16) Auto Boot on Charging

  2. Android (LineageOS 16) Shutdown when Power Supply Turned off

  3. Android (LineageOS 15.1) Shutdown when Power Supply Turned off



After that, the only missing piece was an Android App that gathers the GPS locations and transfers these to the server (basically the logger App for ChasR was missing). The source code for the Android logger is available on Github and it can be directly installed via Google Play. The App has to be configured to start automatically (just a checkbox in the App itself) and the power management of Android has to allow running the ChasR Logger in the background. This is just a setting in the power management options of Android one has to set. After that, everything works like a charm. The final setup in the car looked like this:



Again, I was able to track my car in real time either on my browser at home or via an Android App on my mobile phone:




Postscript

This setup runs now for over 3 months without any problems. The only shortcoming I could find so far is the long boot up time the mobile phone needs (around 40 seconds). I am thinking about trying to build a ChasR logger for a microcontroller. There are some controller boards that have exactly the hardware build in that I need for this. Then it should almost instantly track the GPS location. However, I never build something with a microcontroller. So it will be a steep learning curve for me :-)

The additional cool part about having written the logger Android App is that if car manufacturers should start shipping Android to their cars in the future, one can use this App directly in the car. Since a car will by then also have a GPS receiver and GSM/UMTS modem build in, it should work without any problems.

Dude, where is my car? (Raspberry Pi Edition) - Part 1

Posted by sqall on
A year ago I started a project to be able to track my car in real time. Additionally, my idea was to use it as a car alarm system. I went through different iterations until I had a working system with which I was satisfied. This is the first part of a blog post series that describes how to track your car in real time and how to use it as a car alarm system.



The Beginning: GPS Tracking System

The first idea I had was to put a Raspberry Pi into my car that gathers the GPS data and submits it to a server. So I started to look into GPS tracking systems usable with Linux. Unfortunately, all GPS tracking systems I found where either in a way that I had to host them myself by using MQTT or they were only available as a service. The self-hosting suited me fine, but the MQTT part not. Why not? Because I have to open a port to the Internet for a MQTT server which I do not know the code quality of. Being a security enthusiast, I would rather have the GPS tracking system using HTTPS via a standard web server which I know is tested a millionfold. The GPS tracking as a service would also be fine for me as long as it gives me access to the data via an API. Unfortunately, the data is stored unencrypted (no end-to-end encryption) by the services and therefore do not protect my privacy (I do not want some provider to know where my car is all the time). Also, some other GPS tracking services did not have an API to fetch the stored data.

So, I started to develop an end-to-end encrypted GPS tracking system myself, called ChasR. The complete source code is available on Github if you want to host it yourself or you can just use it as a service (since the data is stored encrypted, your privacy is protected).


The Raspberry Pi

In order to install the GPS tracking into my car, I bought a Raspberry Pi (version 1), a USB GPS receiver and an UMTS modem. Obviously, the GPS receiver is used to gather the current location. The UMTS modem is necessary so the Raspberry Pi can transfer the GPS location data to the server. With the help of the Linux client for ChasR, the Raspberry Pi is able to do that. An early test setup looked like this:



To not drain the battery of my car, I connected the Raspberry Pi to the ignition of my car. Meaning, every time I started the engine of my car, the Raspberry Pi got powered up. However, I had a problem. Every time I turned off the engine of my car, the Raspberry Pi lost also power. First I thought I do not care. However, the temporary files stored locally by the ChasR logger were corrupted by this. Therefore, I added code to the client that syncs the filesystem each time a file is touched by the logger. As a result, the loss of power did not corrupt the temporary files anymore.

Finally, I was able to track my car in real time either on my browser at home or via an Android App on my mobile phone: