Roundup of Software Defined Radios

New software defined radio (SDRs) products are popping up every few months these days so we thought we’d compile a list of some of the most popular ones as there are a few people looking to upgrade from an RTL-SDR.

For each SDR we compare the cost, frequency range, ADC resolution, maximum instantaneous bandwidth, whether or not it can TX and if it has any pre selectors built in. Here is a quick guide to what some of these metrics mean.

Frequency Range: The range of frequencies the SDR can tune to.
ADC Resolution: Higher is better. More resolution means more dynamic range, less signal imaging, a lower noise floor, more sensitivity when strong signals are present and better ability to discern weak signals.
Instantaneous Bandwidth: The size of the real time RF chunk available.
RX/TX: Can the radio receive and/or transmit.
Preselectors: Analogue filters on the front end to help reduce out of band interference and imaging.

General Use Software Defined Radios

We define general use SDRs as ones with a wide frequency range and with no focus on any specific frequency band.

R820T RTL2832U a.k.a RTL-SDR

rtlsdr-2

Cost: $10 – 22 USD
Frequency Range: approx. 24 MHz – 1766 MHz
ADC Resolution: 8 Bits
Max Bandwidth: 3.2 MHz / 2.4 or 2.8 MHz max stable.
TX/RX: RX Only
Preselectors: None

The RTL-SDR is still the best ‘bang for your buck’ software defined radio out there. While it was never designed to be used as a general purpose SDR in the first place, its performance is still surprisingly good. If you’re on a budget or are just starting out with SDR or radio this is the one to get. (Link)

Continue reading

Using an RTL-SDR as a Cheap Entropy Source

One of the many uses of the RTL-SDR is as a random number generator for generating entropy. Entropy is needed in computing for many application such as in encryption and security.

Noel Bourke has written an article on his blog about using the RTL-SDR as an entropy source on Linux. Noel uses RTL-Entropy and shows how to set up Linux to use the RTL-SDR as the entropy source for /dev/random.

Receiving NTSC Analogue TV with GNU Radio and an RTL-SDR

Over on GitHub user kik has uploaded a tutorial and code showing how to decode NTSC analogue TV in GNU Radio and an RTL-SDR. The tutorial is in Japanese, but Google translate should be good enough to understand the text. Kik shows us what GNU radio blocks to use and provides the python code needed to display the images on a simulated scope.

If you just want to receive analogue TV signals, try TVSharp.

gnuradiontsc
GNU Radio Decoding NTSC and showing images on a Scope

HackRF Initial Review

The HackRF One is a new software defined radio that has recently been shipped out to Kickstarter funders. It is a transmit and receive capable SDR with 8-Bit ADC, 10 MHz to 6 GHz operating range and up to 20 MHz of bandwidth. It can now be preordered for $299 USD. We just received ours from backing the Kickstarter and here’s a brief review of the product. We didn’t do any quantitative testing and this is just a first impressions review. So far we’ve only tested receive on Windows SDR#.

Unboxing

Inside the box is the HackRF unit in a quality protective plastic casing, a telescopic antenna and a USB cable. We show an RTL-SDR next to the HackRF for size comparison.

HackRF + Telescopic Antenna + USB Cable + Box (RTL-SDR Dongle Shown for Size Comparison)
HackRF + Telescopic Antenna + USB Cable + Box (RTL-SDR Dongle Shown for Size Comparison)
Back of the box
Back of the box

Continue reading

Reverse Engineering Wireless Wall Outlets And Automatically Cloning OOK Signals

Wireless wall outlets are electrical outlets that can be turned on or off by a wireless remote. Fabien is an experimenter who was looking for a way to control the power of his home devices from a remote location using HTTP. He thought of building his own from scratch, but quickly realized that the device would need to be certified for insurance purposes. Instead he bought a cheap commercially made certified wireless wall outlet and reverse engineered the protocol using an RTL-SDR.

To do that he used the existing OOK-Decoder software available on GitHub. From the analysis provided by OOK-Decoder, Fabien was able to successfully reimplement the transmission using an AVR microcontroller and 433 MHz transceiver circuit from Sparkfun.

After being successful with this, Fabien decided to take the project a step further and create the OOKLONE – a device that could automatically clone any 433.92 MHz OOK signal and replay it. The video below shows the OOKLONE in action.

Videos from DEFCON 22 Wireless Village Talks

Another security and hacking conference that recently finished is Defcon 2014. During this conference there was a “Wireless Village” were there were talks discussing all things related to radio frequency. During this conference there were many talks related to Software Defined Radio.

A list of all talks at the Defcon Wireless Village 2014 can be found on this page. The most interesting talks that we found related to SDR are shown below.

Hacking the Wireless World with Software Defined Radio

Presented by Balint Seeber, SDR Evangelist as Ettus Research. Balint presented a similar talk at Black Hat and the slides to go along with that can be found here.

Ever wanted to spoof a restaurant’s pager system? How about use an airport’s Primary Surveillance RADAR to build your own bistatic RADAR system and track moving objects? What sorts of RF transactions take place in RFID systems, such as toll booths, building security and vehicular keyless entry? Then there’s ‘printing’ steganographic images onto the radio spectrum…

Wireless systems, and their radio signals, are everywhere: consumer, corporate, government, amateur – widely deployed and often vulnerable. If you have ever wondered what sort of information is buzzing around you, this talk will introduce how you can dominate the RF spectrum by ‘blindly’ analysing any signal, and then begin reverse engineering it from the physical layer up. I will demonstrate how these techniques can be applied to dissect and hack RF communications systems, such as those above, using open source software and cheap radio hardware. In addition, I’ll show how long-term radio data gathering can be used to crack poorly-implemented encryption schemes, such as the Radio Data Service’s Traffic Message Channel. If you have any SDR equipment, bring it along!

14 Hacking theWireless world with software defined radio 2 0

So ya wanna get into SDR?

Not explained through erotic interpretive dance, though could be, this presentation will cover the essentials for getting into the software defined radio hobby. Hardware requirements, distributed nodes, architecture designs, tips/tricks, random projects and common mistakes will be explained. This will be a technical talk that will be open for harassment, jokes, interaction and presented in a way that everyone will be able to take something away from it; wait, this is Vegas… but we’re hackers…

01 so you want to sdr

SDR Tricks with HackRF

HackRF and some other Software Defined Radio platforms can be used in creative ways. I’ll show methods, including a dirty trick or two, for using HackRF outside the advertised frequency range. I’ll also show how the HackRF design lends itself to use as an oscilloscope or function generator suitable for many hardware hacking tasks.

18 SDR Tricks with the hackrf

PortaPack: Is that a HackRF in your Pocket?

The PortaPack H1 transforms the HackRF One software-defined radio into a hand-held radio exploration tool. Spectrum analysis, monitoring and logging, and demodulation and injection of simpler digital modes will be demonstrated by Jared Boone, a HackRF project contributor.

16 Porta pack is that a hackrf in your pocket

PHYs, MACs, and SDRs

The talk will touch on a variety of topics and projects that have been under development including YateBTS, PHYs, MACs, and GNURadio modules. The talk will deal with GSM/LTE/WiFi protocol stacks.

17 PHYs MACs and SDRs

SDR Unicorns

A panel with SDR Gurus Michael Ossmann, Balint Seeber and Robert Ghilduta.

Black Hat Software Defined Radio Talks

Black Hat, a large conference about information security related topics has recently finished and videos of some of the talks given have now been uploaded to YouTube. This year we have found three talks related to Software Defined Radio.

Breaking the Security of Physical Devices by Silvio Cesare

We posted about Silvio’s successful attempt at breaking into a car wirelessly earlier this month and now here is his presentation.

In this talk, I look at a number of household or common devices and things, including a popular model car and physical security measures such as home alarm systems. I then proceed to break the security of those devices. The keyless entry of a 2004/2005 popular make and widely used car is shown to be breakable with predictable rolling codes.

The actual analysis involved not only mathematics and software defined radio, but the building of a button pushing robot to press the keyless entry to capture data sets that enable the mathematical analysis.

Software defined radio is not only used in the kelyess entry attack, but in simple eavesdropping attacks against 40mhz analog baby monitors. But that’s an easy attack. A more concering set of attacks are against home alarm systems. Practically all home alarm systems that had an RF remote to enable and disable the system were shown to used fixed codes. This meant that a replay attack could disable the alarm.

I built an Arduino and Raspberry Pi based device for less than $50 dollars that could be trained to capture and replay those codes to defeat the alarms. I also show that by physically tampering with a home alarm system by connecting a device programmer, the eeprom data off the alarm’s microcontroller can be read. This means that an attacker can read the secret passcode that disables or enables the alarm.

In summary, these attacks are simple but effective in physical devices that are common in today’s world. I will talk about ways of mitigating these attacks, which essentially comes down to avoiding the bad and buying the good. But how do you know what’s the difference? Come to this talk to find out.

Breaking the Security of Physical Devices by Silvio Cesare

Bringing Software Defined Radio to the Penetration Testing Community

Online slides.

“The large adoption of wireless devices goes further than WiFi (smartmeters, wearable devices, Internet of Things, etc.).

The developers of these new types of devices may not have a deep security background and it can lead to security and privacy issues when the solution is stressed.

However, to assess those types of devices, the only solution would be a dedicated hardware component with an appropriate radio interface for each one of them.

That is why we developed an easy-to-use wireless monitor/injector tool based on Software Defined Radio using GNU Radio and the well-known scapy framework.

In this talk, we will introduce this tool we developed for a wide range of wireless security assessments: the main goal of our tool is to provide effective penetration testing capabilities for security auditors with little to no knowledge of radio communications.”

Bringing Software Defined Radio to the Penetration Testing Community

AIS Exposed. Understanding Vulnerabilities and Attacks 2.0

Attacking AIS using software defined radio.

AIS Exposed. Understanding Vulnerabilities and Attacks 2.0 by Marco Balduzzi

RTL-SDR Software Radio with CTypes

Thomas Winningham, author of the rtl_fm_python web application for the RTL-SDR has given a talk at the PyOhio 2014 conference. In Thomas’ presentation he gives an overview of the RTL-SDR dongle and then goes on to discuss his RTL-SDR Python library and software.

If you are interested in developing your own software for the RTL-SDR this talk may be of interest to you as he discusses several aspects of the code used in his RTL-SDR library.

Software Radio with CTypes

XiOne – A RTL2832U based Portable Software Defined Radio: Indigogo Funding Campaign

A new funding campaign for an RTL2832U based software defined radio has gone up on Indiegogo. The new SDR is called the XiOne and is intended to be the first SDR that is easy to use with smartphones and open to the maker community.

With its 100 kHz to 1.7 GHz receiving range, the XiOne has a similar tuning range to the standard RTL-SDR dongles when an upconverter or the direct sampling mod is used. What makes the XiOne different is that it will have a built in MIPS processor, an internal rechargeable battery for portability and it will connect directly through WiFi to a smart device. They are also developing SDR GUI software for mobile devices including decoders for things like ADS-B, AIS and NOAA Satellites.

The IndieGoGo backer price for a XiOne is $179 USD, but if you act fast there are 100 units available at the promotional price of $139 USD. At the moment they have a working prototype with completed firmware, portable Java based SDR GUI, iPhone demodulation software, a MacOS ADS-B receiver, an iPad AIS receiver and an iPad spectrum analyzer. The fundraiser is to help them begin serial production.

There is a Reddit thread discussing the project here.

XiOne Prototype Internals
XiOne Prototype Internals
XiOne Casing
XiOne Casing

Hak5: ToorCamp Finale And More Fun With SDR

In this episode of Hak5 amongst other things presenter Shannon explores yet another SDR GUI alternative at around the 14 minute mark. This time she shows SDR-RADIO which is an RTL-SDR compatible alternative to SDR# and HDSDR. She shows how to install SDR-RADIO and how to use it. If you are interested in SDR-RADIO we also have installation instructions available on our Quickstart Guide.

ToorCamp Finale And More Fun With SDR, Hak5 1625