by Joe Grand
OpticSpy provides a platform to explore, evaluate, and experiment with optical data transmissions. It captures, amplifies, and converts optical signals into digital form that can be analyzed or decoded with a computer.
With OpticSpy, electronics hobbyists and hardware hackers can search for covert channels existing on modern devices, add optical data transfer functionality to a project, or capture and decode signals from remote controls and other consumer electronics that intentionally send information through light waves.
Video Presentation by Joe Grand (Author of OpticSpy)
- Here are some of the ways in which you can use OpticSpy:
- Search for optical covert channels that may exist in modern devices
- Add data exfiltration/transfer functionality into a project
- Capture/decode/demodulate IR signals from remote controls
- Discover Li-Fi networks or Visible Light Communication (VLC) systems
- Demonstrations and Example Code
The following demonstrations transmit printable ASCII data with NRZ (Non-Return-to-Zero) encoding to emulate a standard UART interface.
- Arduino w/ external LED
- Parallax Propeller-based Hackable Electronic Badge
- TP-Link TL-WR841N router
All OpticSpy design documentation (including schematics, PCB/Gerber plots, and bill-of-materials) and code for the above examples are available on my Optical Covert Channels project page.
- Additional Notes
OpticSpy is powered from the host computer’s USB port and uses an FTDI FT231X USB-to-Serial IC to provide the USB connectivity (drivers available directly from FTDI). When connected to a computer, OpticSpy will appear as a Virtual COM port and will have a COM port number automatically assigned to it. You can then use a terminal program (such as HyperTerminal, PuTTY, CoolTerm, minicom, or screen) to communicate with OpticSpy. Communication settings will vary depending on the type of optical transmission and encoding/modulation used.
In the event that the device sending optical data is using a different encoding or modulation scheme not supported by a standard terminal program, you can preempt the FT231X interface by connecting a logic analyzer, Arduino, or any other tool capable of processing raw digital signals to the OpticSpy’s TP5 (Comparator Output) test point.
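As an added example (not part of the original page or the OpticSpy project code), the Python below decodes NRZ UART frames from raw 0/1 samples such as a logic analyzer capture taken at TP5. It assumes 8N1 framing, LSB first, on an idle-high line; the function names and the `inverted` flag (mirroring the polarity switch) are illustrative, and `encode_uart` only builds constructed input for trying the decoder.

```python
# Added example: decode 8N1 NRZ UART bytes from raw logic-level samples,
# e.g. a logic analyzer capture of TP5 (Comparator Output).
# Assumptions (not from the page): 8 data bits, no parity, 1 stop bit,
# LSB first, line idles high unless `inverted` is set.

def encode_uart(data, samples_per_bit, inverted=False, idle_bits=3):
    """Build a constructed sample stream (test input only)."""
    bits = [1] * idle_bits
    for byte in data:
        bits += [0] + [(byte >> i) & 1 for i in range(8)] + [1]
    bits += [1] * idle_bits
    stream = [b for b in bits for _ in range(samples_per_bit)]
    return [1 - s for s in stream] if inverted else stream


def decode_uart(samples, sample_rate, baud, inverted=False):
    """Return (bytes, framing_errors) recovered from 0/1 samples."""
    if inverted:
        samples = [1 - s for s in samples]
    spb = sample_rate / baud  # samples per bit, may be fractional
    if spb < 3:
        raise ValueError("need at least 3 samples per bit")
    out, errors, i, n = bytearray(), 0, 1, len(samples)
    while i < n:
        # A start bit begins with a falling edge from idle (1) to 0.
        if not (samples[i - 1] == 1 and samples[i] == 0):
            i += 1
            continue
        # Sample every bit at its centre, measured from the falling edge.
        centres = [int(i + (k + 0.5) * spb) for k in range(10)]
        if centres[-1] >= n:
            break  # truncated frame at the end of the capture
        level = [samples[c] for c in centres]
        if level[0] != 0 or level[9] != 1:
            errors += 1  # glitch or bad stop bit: resync on the next edge
            i += 1
            continue
        out.append(sum(bit << k for k, bit in enumerate(level[1:9])))
        i = centres[9]  # resume the edge search inside the stop bit
    return bytes(out), errors
```

A non-zero error count alongside garbled output usually points to the wrong baud rate or polarity setting rather than a bad capture.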
- Key Features:
- Easily converts light transmissions into digital signals
- Gain and threshold adjustment via potentiometers for fine-tuning of a particular target
- Supports both visible and near IR light emissions
- On-board switch to select normal or inverted polarity data streams
- USB interface for direct connection to host computer
- Bandwidth and Range:
OpticSpy supports signals up to 800 kbps per the application note on which this design is based. I haven’t fully characterized the lower and upper speeds, but my experiments have ranged from 2400 to 115.2 kbps with no loss of data.
We’re using a Vishay Semiconductors BPW21R photodiode for the front end, which has an ideal spectral response from 420 to 675 nm. As opposed to typical photodiodes, which have a peak response for near IR, the BPW21R approximates the human eye, making it more suitable for visible light. It is still quite sensitive to IR, allowing us to support a wider range of wavelengths.
OpticSpy is designed for higher bandwidth at the expense of sensitivity. The brighter the transmitting signal, the better the receive range will be. For my visible light transmission experiments, I’ve achieved ~1 inch with Tomu, which has a very bright LED, and directly on the surface with a TP-Link router, which has a not-so-bright LED shining through a lightpipe.
For near IR signals, like those from a TV remote control, distance is greater. With the Parallax Hackable Electronic Badge, which has a 1608-sized IR LED, I’ve gotten to ~3 inches. Depending on the OpticSpy gain settings, you can also use it to filter out the IR carrier/modulation (typically 30-56 kHz), killing two birds (capture and demodulation) with one stone. This is due to the high gain of the amplifiers reducing the frequency response of the unit.