Presented at REcon 2024:

The PowerG protocol for wireless security systems is proprietary and has no public specification or tooling for analysis. We will present our work on reverse engineering PowerG to understand the protocol, assess its security claims, and identify protocol-level issues. We will also release tooling for capturing PowerG packets with SDRs such as the HackRF, as well as decrypting and analyzing PowerG packets.

We reverse engineered firmware for a PowerG modem based on the CC13x0 chip and TI RTOS.

With this firmware we were able to determine how PowerG RF packets are transmitted, how the protocol’s channel hopping works, how different PowerG packet encryption modes work, the header format for RF packets, and the content of several RF message types.

Using a HackRF and GNU Radio, we are able to capture and decode PowerG GFSK transmissions across all 50 of its channels.

For example, we have reversed the pairing process between a PowerG panel and sensor device, and can read the content of all the relevant packets.