Showing the HF Interference Problem from Ethernet over Powerline Devices

Over on our YouTube channel we’ve uploaded a new video that shows how bad the interference from Ethernet over Power devices can be. Ethernet over Power, Powerline Networking, Powerline Communications or ‘HomePlug’ is a technology that allows you to use any of your household power outlets as an internet Ethernet port, completely eliminating the need for runs of Ethernet cabling. They are capable of high speeds and can be used anywhere in the house assuming the two plugs are on the same power circuit.

Unfortunately these devices tend to wipe out almost the entire HF spectrum for anyone listening nearby. As household powerline cables are not shielded for RF emissions they radiate in the HF spectrum quite heavily. In the video we demonstrate what the HF spectrum looks like with one of these devices used in the house. The particular device used was a TP-Link brand adapter, and a WellBrook Magnetic Loop antenna was used outdoors, with the null facing the house. An Airspy R2 with SpyVerter was used to view the spectrum.

The video shows that even when the network is idling there are several brief bursts of noise all over the spectrum. Then when a file is downloaded almost the entire spectrum is completely wiped out.

Interestingly, the video shows that the amateur radio frequencies appear to be carefully notched out and remain relatively clean. Most manufacturers of these devices appear to have worked with the ARRL to please ham radio enthusiasts, but SWLers will likely be in trouble if any of these devices are used in their house or a neighbor's house.

An Update on the PatronX Titus II

Back in September 2016 we posted about the PatronX Titus II portable software defined radio which appears to currently be on its way to beginning production. It is a portable Android tablet based SDR, which we speculate is using similar chips to the SDRplay RSP with its 100 kHz to 2 GHz tuning range. The price goal is set to be under $100 USD.

Currently it is available for ‘pre-order’ on the HFCC website, although what they call a pre-order is actually just an expression of interest, and no payment is required.

Today over on the SWLing post blog we’ve seen an update. They write:

As you can imagine the response to Titus has almost been overwhelming! Pre-orders far exceeded our imagination and excitement from broadcasters has been very loud. DRM and digital broadcasting seems to be reinvigorated with Titus in 2017. I think we really broke the price barrier that most everyone has been dreaming of and provided the flexibility that has held back the cause.

As posted on

‘Update on availability received from PantronX: “We have been overwhelmed with the response to Titus with orders and requests – coupled with an early Chinese New Year that the pre-production date has slipped a bit. Please be patient as we work with our suppliers and add more functions.” ‘

We are doing all we can to push – Chinese New Year is a crazy time – the factories are shut down for 3 to 4 weeks and as you can imagine the stress prior to and the performance after.

Hopefully in the next couple of weeks our website will undergo a much needed update. So much to do – but we are making good headway.

The Titus II Portable SDR

The PandwaRF RF Analysis Tool

Recently we heard about the PandwaRF Portable Analyzer (previously known as the GollumRF). This is not an SDR, but can probably be described as a programmable and computer controlled radio. It appears to be based on the Yardstick One design by Michael Ossmann, the creator of the HackRF. Both the Yardstick One and PandwaRF are based on the CC1111 sub-1 GHz RF transceiver chip. These types of pseudo-SDRs can be very useful for reverse engineering, analyzing and experimenting with simple digital signals.

For example, it could be used to capture data from any ASK/OOK/MSK/2-FSK/GFSK modulated signal in the 300 – 928 MHz band. You can then easily analyze the data and retransmit the same or a modified signal. The same could be done with a TX capable SDR like the HackRF, but doing so tends to require a lot more work.

The difference between the Yardstick One and PandwaRF appears to be mainly in the connection interface. The PandwaRF is essentially the Yardstick One with Bluetooth LE connectivity and an Android/iOS smartphone app. USB connectivity for Linux still exists. It also has an internal battery, whereas the Yardstick One does not. They wrote a post comparing the RTL-SDR, Yardstick One and PandwaRF here.

The device seems to be new, as it only started shipping in November and the first batch is still being sold. It costs 145 euros and appears to originate from the EU. There is also a ‘mini’ version on pre-order which also costs 145 euros. In comparison, the Yardstick One costs about $99 – $145 USD depending on the shop you choose.

The PandwaRF
PandwaRF Android App

Building an SDR Transmitter using GPIO Pins on an FPGA

Recently a reader named Jon wrote in and wanted to share his project called FPGA-TX. FPGA-TX is software that provides low-cost SDR transmit capabilities on an FPGA. It works in a similar way to RPiTX, which simply turns a GPIO pin on and off very quickly in such a way that it generates the desired AM/FM/SSB transmission. These methods are crude and require external analog filtering, but can be used for creating almost any sort of RF transmission at a wide range of frequencies extremely cheaply. These sorts of cheap transmitters are great companions to low cost SDR dongles like the RTL-SDR.

Jon’s project runs on FPGA boards and currently supports the Digilent Nexys 4 and Digilent CMOD A7 ($75) FPGA boards. An FPGA is an integrated circuit that can be easily reconfigured to implement various different digital circuits.

FPGA-TX can transmit at frequencies of up to 400 MHz and currently supports AM, FM, LSB, USB, Wideband FM and Wideband FM Stereo transmission modes. It runs on Linux. The FPGA transmitter has been tested together with an amplifier and filter. It can also interface with a GPS unit for clock calibration.
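To show why a single on/off pin can carry an AM signal, and why the text says external analog filtering is still required, here is an added simulation (not code from FPGA-TX or RPiTX). It feeds a constructed AM-modulated carrier through a first-order sigma-delta modulator to obtain a 0/1 pin-state stream, then uses a Goertzel filter to measure how much energy that 1-bit stream has at the carrier, at the AM sideband, and in empty bins. The clock rate, carrier and tone frequencies are arbitrary values chosen for the simulation.

```python
import math

# Simulation parameters (constructed for this example; not FPGA-TX's real clocks)
FS = 1_000_000   # pin toggle rate in Hz (one bit per clock cycle)
FC = 50_000      # carrier frequency in Hz
FM = 1_000       # audio tone in Hz
N = 10_000       # simulated samples; FC and FM land on exact DFT bins


def am_signal(n=N, fs=FS, fc=FC, fm=FM, depth=0.5, scale=0.8):
    """Constructed input: AM carrier fc modulated by a tone fm, peak |x| <= scale."""
    out = []
    for i in range(n):
        t = i / fs
        env = (1.0 + depth * math.sin(2 * math.pi * fm * t)) / (1.0 + depth)
        out.append(scale * env * math.cos(2 * math.pi * fc * t))
    return out


def sigma_delta_1bit(samples):
    """First-order sigma-delta modulator producing a 0/1 pin-state sequence.

    The integrator accumulates (input - last output level); the pin is driven
    high when the accumulated error is non-negative.  The local average of the
    pin stream follows the input, while quantisation noise is pushed towards
    fs/2, which is what the external analog filter after the pin removes.
    """
    bits = []
    acc = 0.0
    fb = -1.0          # last output level as +/-1 (pin starts low)
    for x in samples:
        acc += x - fb
        bit = 1 if acc >= 0.0 else 0
        fb = 1.0 if bit else -1.0
        bits.append(bit)
    return bits


def goertzel_power(samples, fs, f_target):
    """Normalised power |X[k]|^2 / N^2 at the DFT bin nearest f_target.

    For a cosine of amplitude A sitting exactly on a bin this returns A^2 / 4.
    """
    n = len(samples)
    k = round(f_target * n / fs)
    coeff = 2.0 * math.cos(2.0 * math.pi * k / n)
    s1 = s2 = 0.0
    for x in samples:
        s0 = x + coeff * s1 - s2
        s2, s1 = s1, s0
    power = s1 * s1 + s2 * s2 - coeff * s1 * s2
    return power / (n * n)


def mean_bin_power(levels, fs, freqs):
    """Average normalised power over several bins (smooths per-bin noise)."""
    return sum(goertzel_power(levels, fs, f) for f in freqs) / len(freqs)


def analyse_gpio_stream(bits, fs=FS, fc=FC, fm=FM):
    """Map pin states to +/-1 levels and measure carrier, sideband and noise bins."""
    levels = [1.0 if b else -1.0 for b in bits]
    return {
        "carrier": goertzel_power(levels, fs, fc),
        "sideband": goertzel_power(levels, fs, fc + fm),  # AM upper sideband
        # empty bins close to the carrier: sigma-delta noise is low here
        "near_noise": mean_bin_power(levels, fs, [fc + k * fm for k in (3, 4, 5)]),
        # bins near fs/2, avoiding carrier harmonics: shaped noise piles up here
        "far_noise": mean_bin_power(levels, fs, [f * fs for f in (0.405, 0.425, 0.445, 0.465, 0.485)]),
    }


def demo():
    """Run the whole chain on the constructed AM input."""
    return analyse_gpio_stream(sigma_delta_1bit(am_signal()))


if __name__ == "__main__":
    for name, p in demo().items():
        print(f"{name:>10}: {p:.3e}")
```

Running it shows the carrier and its 1 kHz sideband standing far above the bins beside them, while the bins near half the toggle rate carry the quantisation noise that the modulator has pushed out of band; that high-frequency noise is what an off-chip low-pass or band-pass filter has to remove before the signal reaches an amplifier or antenna.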

An FPGA Based Transmitter. In the photo: FPGA, Amplifier, Filter, Attenuator, TX/RX Switch.
The FPGA-TX Ubuntu Interface.

Talks from the 33rd Chaos Computer Club Conference

Videos from the 33rd Chaos Communication Congress [33c3] of the Chaos Computer Club have recently been uploaded to YouTube. This is a yearly European conference with a theme on hacking. This year several SDR and RF related talks were presented, and below is a sampling of our favorites. See their YouTube channel for more interesting talks.

Reverse Engineering Outernet

Outernet is a company whose goal is to ease worldwide access to internet contents by broadcasting files through geostationary satellites. Currently, they broadcast an L-band signal from 3 Inmarsat satellites, giving them almost worldwide coverage. The bitrate of the signal is 2kbps (or 20MB of content per day), and they use the signal to broadcast Wikipedia pages, weather information and other information of public interest.

Most of the software used for Outernet is open source, but the key parts of their receiver are closed source and the protocols and specifications of the signal used are secret. I think this is contrary to the goal of providing free worldwide access to internet contents. Therefore, I have worked to reverse engineer the protocols and build an open source receiver. I have been able to reverse engineer most of the protocols, and a functional open source receiver is now available.

In this talk, I’ll explain which modulation, coding and framing is used for the Outernet L-band signal, what are the ad-hoc network and transport layer used, how the file broadcasting system works, and some of the tools and techniques I have used to do reverse engineering.

PDF slides available [here].

Intercoms Hacking

To break into a building, several methods have already been discussed, such as trying to find the code paths of a digicode, clone RFID cards, use some social engineering attacks, or the use of archaic methods like lockpicking a door lock or breaking a window.

New methods are now possible with recent intercoms. Indeed, these intercoms are used to call the tenants to access the building. But little study has been performed on how these boxes communicate to request and grant access to the building.

In the past, they were connected with wires directly to apartments. Now, these are more practical and allow residents to open doors not only from their classic door phone, but also to forward calls to their home or mobile phone. Private houses are now equipped with these new devices and it's common to find these “connected” intercoms on recent and renovated buildings.

In this short paper we introduce the intercoms and focus on one particular device that is commonly installed in buildings today. Then we present our analysis of an interesting attack vector, which already has its own history. After this analysis, we present our environment to test the intercoms, and show some practical attacks that could be performed on these devices. During this talk, the evolution of our mobile lab and some advances on 3G intercom and M2M intercom attacks will also be presented.

Building a high throughput low-latency PCIe based SDR

Software Defined Radios (SDRs) have become a mainstream tool for wireless engineers and security researchers, and there are plenty of them available on the market. Most if not all SDRs in the affordable price range use USB2/USB3 as a transport because of implementation simplicity. While being so popular, USB has limited bandwidth, high latency and is not really suitable for embedded applications. PCIe/miniPCIe is the only widespread bus which is embedded friendly, low latency and high bandwidth at the same time. But implementing PCIe/miniPCIe is not for the faint of heart – you have to write your own FPGA code, write your own Linux kernel driver and ensure compatibility with different chipsets, each with its own quirks. In this talk we will look at the requirements for a high performance SDR like XTRX, how this leads to certain design decisions, and share pitfalls and gotchas we encountered (and solved).

We’ve been working with SDRs since 2008 and building our own SDRs since 2011, focusing on embedded systems and mobile base stations. We created the ClockTamer configurable clock source and the UmTRX SDR, and built a complete base station (UmSITE) to run OpenBTS and later Osmocom GSM stacks. This year we’ve started working on a new tiny high-performance SDR called XTRX which fits into the miniPCIe form-factor and uses PCIe for I/Q sample transfer.

We will talk about when to use PCIe and when not to, and why we chose it for XTRX; FPGA implementation of PCIe with optimization for low latency and high throughput; the Linux kernel driver for this PCIe device; integration with various SDR platforms; and all the various issues we encountered and how you can avoid them.

Designing a Remote SDR Station

Over on his blog w5fcx has posted an article that explains how he’s managed to set up a remote software defined radio based ham radio station. The article is more focused on high end ham equipment for RX and TX use, but similar principles could apply to an RX-only station with SDRs like the RTL-SDR/Airspy/SDRplay.

He writes that he uses a VPN to remotely connect to his home computer and makes use of the SmartSDR app for Flex SDR radios, which is available for iOS and Windows. Many of the apps he uses, such as his antenna rotator software, are also controlled over the VPN via remote COM port software. He also notes the requirement for an internet controllable AC power supply in case TX needs to be shut down, and a UPS for continuous power. For the actual radio side he uses a FlexRadio SDR, an Elecraft amplifier and tuner, an antenna rotator and a Spiderbeam Yagi antenna.

The article explains in detail much of the equipment and software that he uses and is an excellent read for those wanting to get started in designing a remotely accessible SDR station.

Remote SDR Station Components

Decapping the R820T and RTL2832U Chips

Over on YouTube the electronupdate channel has posted a video showing the decapping of the R820T and RTL2832U chips. Decapping is the process of removing the plastic packaging on integrated circuit chips, thus exposing the internal circuits printed on the silicon die for viewing. In the video he shows microscope images of each of the decapped chips and explains a bit about what each part of the chip does.

Over on his blog he’s also posted the full decapped images of the R820T and RTL2832U for viewing.

The decapped R820T tuner die.

Remapping a Keyboard Volume Wheel for Knob Tuning in HDSDR

Earlier in the month we showed a post where Mile Kokotov hacked together a $3 SDR frequency tuning knob out of a mouse and cheap rotary encoder.

Now over on YouTube user m khanfar shows us another cheap solution. Instead of using a hacked mouse, m khanfar uses the volume wheel on his keyboard. Some keyboards, but not all, have these extra multimedia buttons and controls. He simply uses a multimedia keyboard remapping program called MKey to map the volume wheel to a scroll wheel.