Category: Other

Video Tutorial: Transmitting Signals with a Raspberry Pi

Over on YouTube Crazy Danish Hacker, who earlier brought us an excellent video tutorial series on GSM sniffing, has now uploaded a two part series that shows how to transmit signals with a Raspberry Pi and the PiFM and RPiTX software. We’ve featured RPiTX several times on this blog before as a cheap TX complement to the RTL-SDR. The software allows you to modulate a GPIO pin on your Raspberry Pi in such a way that it produces AM/FM/SSB etc radio signals at a frequency of choice.

Crazy Danish Hacker's tutorial shows us how to set up RPiTX, starting from installing Raspbian and enabling SSH, through installing the software, to actually transmitting something. Some useful tips for getting around common problems are also presented.

http://www.youtube.com/watch?v=mNCKwqKKxyQ
http://www.youtube.com/watch?v=9Vnu-Nl2cX4

A Visualization of Yearly Shortwave Activity with WebSDR

The WebSDR from the University of Twente, Netherlands, is a wideband HF SDR that is accessible from all over the world via the internet. It was first activated in 2008, making it the very first WebSDR ever. The creator of the service, Pieter-Tjerk de Boer PA3FWM, has recently made available spectrum image archives which show the HF band conditions over the last two years.

Intrigued by this data, London Shortwave decided to make a timelapse animation of this image data. The results are shown in the videos below, and London Shortwave adds:

The X axis represents the frequency and the Y axis is the time of day, starting at the top. Conventional wisdom about band behaviour can be easily confirmed by watching this video: the 60m, 49m and 41m bands are mostly active after dark, with the 60m and the 49m bands being generally busier during the winter months. The 31m band is most active around sunset, but carries on all night until a few hours after sunrise. The 25m band is active during sunrise and for a few hours afterwards, and around sunset during the winter months, but carries on all night during the summer. Peak activity on the 22m and 19m bands is also clustered bi-modally around the morning and the evening hours, though somewhat closer to the middle of the day than on the 31m and the 25m bands. The 16m band is mostly active during the daylight hours and the 13m band is quiet throughout the year except for the occasional ham contest.

http://www.youtube.com/watch?v=VioW3bQsq0M

http://www.youtube.com/watch?v=Op3uE-hy9Vo

Showing the HF Interference Problem from Ethernet over Powerline Devices

Over on our YouTube channel we’ve uploaded a new video that shows how bad the interference from Ethernet over Power devices can be. Ethernet over Power, Powerline Networking, Powerline Communications or ‘HomePlug’ is a technology that allows you to use any of your household power outlets as an internet Ethernet port, completely eliminating the need for runs of Ethernet cabling. They are capable of high speeds and can be used anywhere in the house assuming the two plugs are on the same power circuit.

Unfortunately these devices tend to wipe out almost the entire HF spectrum for anyone listening nearby. Household powerline cables are not shielded for RF emissions, so they radiate in the HF spectrum quite heavily. In the video we demonstrate what the HF spectrum looks like with one of these devices in use in the house. The particular device used was a TP-Link brand adapter, and a Wellbrook Magnetic Loop antenna was used outdoors, with the null facing the house. An Airspy R2 with SpyVerter was used to view the spectrum.

The video shows that even when the network is idling there are several brief bursts of noise all over the spectrum. Then when a file is downloaded almost the entire spectrum is completely wiped out.

Interestingly, the video shows that the amateur radio bands are carefully notched out and remain relatively clean. Most manufacturers of these devices appear to have worked with the ARRL to accommodate ham radio operators, but SWLers listening outside the amateur bands will likely be in trouble if one of these devices is used in their house or a neighbor's house.

http://www.youtube.com/watch?v=zMXRo5FKUIQ

An Update on the PantronX Titus II

Back in September 2016 we posted about the PantronX Titus II portable software defined radio, which now appears to be approaching production. It is a portable Android tablet based SDR, which we speculate is using chips similar to those in the SDRplay RSP, given its 100 kHz to 2 GHz tuning range. The price goal is set to be under $100 USD.

Currently it is available for ‘pre-order’ on the HFCC website, although what they call a pre-order is actually just an expression of interest, and no payment is required.

Today over on the SWLing Post blog we've seen an update. They write:

As you can imagine the response to Titus has almost been overwhelming! Pre-orders far exceeded our imagination and excitement from broadcasters has been very loud. DRM and digital broadcasting seems to be reinvigorated with Titus in 2017. I think we really broke the price barrier that most everyone has been dreaming of and provided the flexibility that has held back the cause.

As posted on http://hfcc.org/delivery/receivers.phtml

‘Update on availability received from PantronX: “We have been overwhelmed with the response to Titus with orders and request – coupled with an early Chinese New Year that the pre-production date has slipped a bit. Please be patient as we work with our suppliers and add more functions.” ‘

We are doing all we can to push – Chinese New Year is a crazy time – the factories are shut down for 3 to 4 weeks and as you can imagine the stress prior to and the performance after.

Hopefully in the next couple of weeks our http://titusradio.com/ website will undergo a much needed update. So much to do – but we are making good headway.

The Titus II Portable SDR

The PandwaRF RF Analysis Tool

Recently we heard about the PandwaRF Portable Analyzer (previously known as the GollumRF). This is not an SDR, but can probably be described as a programmable and computer controlled radio. It appears to be based on the YardStick One design by Michael Ossmann, the creator of the HackRF. Both the YardStick One and the PandwaRF are based on the CC1111 sub-1 GHz RF transceiver chip. These types of pseudo-SDRs can be very useful for reverse engineering, analyzing and experimenting with simple digital signals.

For example, it could be used to capture data from any ASK/OOK/MSK/2-FSK/GFSK modulated signal in the 300 - 928 MHz band. You can then easily analyze the data, and then retransmit the same or a modified signal. The same could be done with a TX capable SDR like the HackRF, but doing so tends to require a lot more work.

The difference between the YardStick One and the PandwaRF appears to be mainly in the connection interface. The PandwaRF is essentially a YardStick One with Bluetooth LE connectivity and an Android/iOS smartphone app. USB connectivity for Linux still exists. It also has an internal battery, whereas the YardStick One does not. They wrote a post comparing the RTL-SDR, YardStick One and PandwaRF here.

The device seems to be new, as it only started shipping in November and the first batch is still being sold. It costs 145 euros and appears to originate from the EU. There is also a 'mini' version on pre-order which also costs 145 euros. In comparison, the YardStick One costs about $99 - $145 USD depending on the shop you choose.
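The capture-analyze-retransmit workflow described above, as an added example that is not PandwaRF or YardStick One code: it assumes a generic pulse-width-coded OOK scheme of the kind used by many cheap sub-GHz remotes (an assumption, not a specific product), where a '0' is HIGH for one unit time T then LOW for 3T, a '1' is HIGH for 3T then LOW for T, and each frame ends in a long LOW sync gap. The "capture" is a constructed list of (level, duration in microseconds) pulses such as you would derive from the raw bytes a CC1111-class receiver hands you. The decoder estimates T from the capture itself, splits repeated frames at the sync gap, refuses pulses it cannot classify, and the frame can be edited before re-encoding for a modified retransmission.

```python
"""Decode and re-encode a pulse-width-coded OOK frame (added example, not PandwaRF code).

Assumed scheme: '0' = HIGH T, LOW 3T; '1' = HIGH 3T, LOW T; frame ends in a long
LOW sync gap. Durations are in microseconds and the capture is constructed.
"""
from typing import List, Tuple

Pulse = Tuple[int, int]               # (level 0/1, duration in microseconds)

UNIT_US = 400                         # assumed unit time T of the constructed remote
SYNC_UNITS = 31                       # assumed sync gap length, in units of T
JITTER = (-0.10, 0.08, -0.05, 0.10, 0.03)   # constructed receiver timing error pattern


def merge_runs(pulses: List[Pulse]) -> List[Pulse]:
    """Merge adjacent pulses of the same level, as an edge-timing capture would."""
    merged: List[Pulse] = []
    for lvl, dur in pulses:
        if merged and merged[-1][0] == lvl:
            merged[-1] = (lvl, merged[-1][1] + dur)
        else:
            merged.append((lvl, dur))
    return merged


def encode_pwm(bits: str, unit_us: int = UNIT_US) -> List[Pulse]:
    """Turn a bit string into the pulse train a transmitter would key."""
    pulses: List[Pulse] = []
    for b in bits:
        if b == "0":
            pulses += [(1, unit_us), (0, 3 * unit_us)]
        elif b == "1":
            pulses += [(1, 3 * unit_us), (0, unit_us)]
        else:
            raise ValueError(f"bit must be '0' or '1', got {b!r}")
    pulses.append((0, SYNC_UNITS * unit_us))          # trailing sync gap
    return merge_runs(pulses)


def estimate_unit_us(pulses: List[Pulse]) -> int:
    """Analysis step: the shortest HIGH pulse in a PWM capture is one unit T."""
    return min(dur for lvl, dur in pulses if lvl == 1)


def split_frames(pulses: List[Pulse], unit_us: int) -> List[List[Pulse]]:
    """Cut the capture at sync gaps (a LOW far longer than any symbol)."""
    frames: List[List[Pulse]] = []
    current: List[Pulse] = []
    for lvl, dur in pulses:
        if lvl == 0 and dur > 8 * unit_us:
            if current:
                frames.append(current)
                current = []
        else:
            current.append((lvl, dur))
    if current:
        frames.append(current)
    return frames


def decode_frame(frame: List[Pulse], unit_us: int, tolerance: float = 0.3) -> str:
    """Classify each HIGH pulse as ~1T ('0') or ~3T ('1'); refuse ambiguous pulses."""
    bits = []
    for lvl, dur in frame:
        if lvl != 1:
            continue                                  # LOW pulses only separate symbols
        ratio = dur / unit_us
        if abs(ratio - 1.0) <= tolerance:
            bits.append("0")
        elif abs(ratio - 3.0) <= 3 * tolerance:
            bits.append("1")
        else:
            raise ValueError(f"unclassifiable HIGH pulse of {dur} us ({ratio:.2f} units)")
    return "".join(bits)


def decode_capture(pulses: List[Pulse]) -> List[str]:
    """Full pipeline: estimate T, split repeated frames, decode each one."""
    unit = estimate_unit_us(pulses)
    return [decode_frame(f, unit) for f in split_frames(pulses, unit)]


def add_jitter(pulses: List[Pulse]) -> List[Pulse]:
    """Constructed timing error so the decoder is exercised on non-ideal durations."""
    return [(lvl, round(dur * (1 + JITTER[i % len(JITTER)])))
            for i, (lvl, dur) in enumerate(pulses)]


def set_field(bits: str, offset: int, value: str) -> str:
    """Replace a bit field before re-encoding: the 'modified signal' case."""
    if offset < 0 or offset + len(value) > len(bits):
        raise ValueError("field lies outside the frame")
    return bits[:offset] + value + bits[offset + len(value):]


if __name__ == "__main__":
    frame = "101101000011"                            # constructed 12-bit code
    capture = add_jitter(encode_pwm(frame) * 3)       # remotes repeat the frame
    print("unit estimate:", estimate_unit_us(capture), "us")
    print("decoded frames:", decode_capture(capture))
    modified = set_field(frame, 8, "1111")            # e.g. change a button field
    print("modified pulse train starts:", encode_pwm(modified)[:4])
```

The unit time is recovered from the capture rather than configured, because when you are reverse engineering a remote you do not know T in advance; the hard failure on an unclassifiable pulse is deliberate, since silently guessing a bit is how a replayed frame ends up subtly wrong.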

The PandwaRF
PandwaRF Android App

Building an SDR Transmitter using GPIO Pins on an FPGA

Recently an RTL-SDR.com reader named Jon wrote in and wanted to share his project called FPGA-TX. FPGA-TX is software that provides low-cost SDR transmit capabilities on an FPGA. It works in a similar way to RPiTX, which is by simply turning GPIO pins on and off very quickly in such a way that the pin generates any desired AM/FM/SSB transmission. These methods are crude and require external analog filtering, but can be used to create almost any sort of RF transmission over a wide range of frequencies extremely cheaply. These sorts of cheap transmitters are great companions to low cost SDR dongles like the RTL-SDR.

Jon’s project runs on FPGA boards and currently supports the Digilent Nexys 4 and Digilent CMOD A7 ($75) FPGA boards. An FPGA is an integrated circuit that can be easily reconfigured to implement various different digital circuits.

FPGA-TX can transmit at frequencies of up to 400 MHz and currently supports AM, FM, LSB, USB, Wideband FM and Wideband FM Stereo transmission modes. It runs on Linux. The FPGA transmitter has been tested combined with an amplifier and filter. It can also interface with a GPS unit for clock calibration.
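Why the GPIO-toggling approach used by both RPiTX (above) and FPGA-TX needs external analog filtering, as an added example that is not code from either project: a pin switched between two logic levels is a square wave, and a square wave carries strong odd harmonics of the carrier. The code below models an ideal 50% duty pin (logic-high level, record length and carrier period are constructed values), measures each harmonic against the fundamental with a single-bin DFT, and maps the harmonics onto the frequencies an output filter would have to suppress for a chosen carrier.

```python
"""Harmonic content of a GPIO-toggled carrier (added example, not RPiTX/FPGA-TX code).

The pin is modelled as an ideal square wave; values below are constructed.
"""
import cmath
import math
from typing import Dict, List, Tuple

PIN_HIGH_V = 3.3      # assumed GPIO logic-high level in volts; low is 0 V
N_SAMPLES = 4096      # DFT record length, chosen so the carrier period divides it
PERIOD = 128          # samples per carrier cycle -> carrier sits in DFT bin N/PERIOD


def gpio_carrier(n_samples: int = N_SAMPLES, period: int = PERIOD) -> List[float]:
    """Ideal 50% duty pin toggle: the raw 'carrier' these transmitters produce."""
    half = period // 2
    return [PIN_HIGH_V if (n % period) < half else 0.0 for n in range(n_samples)]


def dft_bin(samples: List[float], k: int) -> float:
    """Magnitude of DFT bin k, computed directly (O(N) per bin, no numpy needed)."""
    n = len(samples)
    acc = sum(x * cmath.exp(-2j * math.pi * k * i / n) for i, x in enumerate(samples))
    return abs(acc)


def harmonic_levels_db(samples: List[float], period: int, max_harmonic: int = 7) -> Dict[int, float]:
    """Level of harmonics 2..max_harmonic relative to the fundamental, in dB.

    Harmonics that fall at or above Nyquist are skipped; a harmonic with no
    energy (ideal even harmonics) is reported as -inf.
    """
    n = len(samples)
    fund_bin = n // period
    fund = dft_bin(samples, fund_bin)
    levels: Dict[int, float] = {}
    for h in range(2, max_harmonic + 1):
        k = h * fund_bin
        if k >= n // 2:
            break
        mag = dft_bin(samples, k)
        levels[h] = 20 * math.log10(mag / fund) if mag > 1e-9 * fund else float("-inf")
    return levels


def harmonics_hz(carrier_hz: float, levels: Dict[int, float]) -> Dict[int, Tuple[float, float]]:
    """Where each harmonic lands for a given carrier: (frequency in Hz, level in dB)."""
    return {h: (h * carrier_hz, db) for h, db in levels.items()}


if __name__ == "__main__":
    levels = harmonic_levels_db(gpio_carrier(), PERIOD)
    for h, (freq, db) in harmonics_hz(100e6, levels).items():   # 100 MHz carrier, constructed
        print(f"harmonic {h}: {freq/1e6:7.1f} MHz  {db:7.2f} dBc")
```

For a 50% duty square wave the 3rd and 5th harmonics come out near -9.5 dBc and -14 dBc, which is far above what spurious emission limits allow, so the low-pass filter between the pin and the antenna is not optional; the even harmonics only vanish because the duty cycle is exactly 50%, and any asymmetry in the pin drive brings them back.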

An FPGA Based Transmitter. In the photo: FPGA, Amplifier, Filter, Attenuator, TX/RX Switch.
The FPGA-TX Ubuntu Interface.

Talks from the 33rd Chaos Computer Club Conference

Videos from the 33rd Chaos Communication Congress [33c3] of the Chaos Computer Club have recently been uploaded to YouTube. This is a yearly European hacking conference. This year several SDR and RF related talks were presented, and below is a sampling of our favorites. See their YouTube channel for more interesting talks.

Reverse Engineering Outernet

Outernet is a company whose goal is to ease worldwide access to internet contents by broadcasting files through geostationary satellites. Most of the software used for Outernet is open source, but the key parts of their receiver are closed source and the protocols and specifications of the signal used are secret. I have been able to reverse engineer most of the protocols, and a functional open source receiver is now available.

Outernet is a company whose goal is to ease worldwide access to internet contents by broadcasting files through geostationary satellites. Currently, they broadcast an L-band signal from 3 Inmarsat satellites, giving them almost worldwide coverage. The bitrate of the signal is 2kbps (or 20MB of content per day), and they use the signal to broadcast Wikipedia pages, weather information and other information of public interest.

Most of the software used for Outernet is open source, but the key parts of their receiver are closed source and the protocols and specifications of the signal used are secret. I think this is contrary to the goal of providing free worldwide access to internet contents. Therefore, I have worked to reverse engineer the protocols and build an open source receiver. I have been able to reverse engineer most of the protocols, and a functional open source receiver is now available.

In this talk, I’ll explain which modulation, coding and framing is used for the Outernet L-band signal, what are the ad-hoc network and transport layer used, how the file broadcasting system works, and some of the tools and techniques I have used to do reverse engineering.

PDF slides available [here].

https://www.youtube.com/watch?v=gPxdah4zAOg

Intercoms Hacking

To break into a building, several methods have already been discussed, such as trying to find the code of a digicode, cloning RFID cards, using social engineering attacks, or using archaic methods like lockpicking a door lock or breaking a window.

New methods are now possible with recent intercoms. Indeed, these intercoms are used to call the tenants to access the building. But little study has been performed on how these boxes communicate to request and grant access to the building.

In the past, they were connected with wires directly to apartments. Now, these are more practical and allow residents to open doors not only from their classic door phone, but also to forward calls to their home or mobile phone. Private houses are now equipped with these new devices and it's common to find these "connected" intercoms in recent and renovated buildings.

In this short paper we introduce the intercoms and focus on one particular device that is commonly installed in buildings today. Then we present our analysis of an interesting attack vector, which already has its own history. After this analysis, we present our environment to test the intercoms, and show some practical attacks that could be performed on these devices. During this talk, the evolution of our mobile lab and some advances on 3G intercom and M2M intercom attacks will also be presented.

https://www.youtube.com/watch?v=pGq4raWvDtQ

Building a high throughput low-latency PCIe based SDR

Software Defined Radios (SDRs) became a mainstream tool for wireless engineers and security researchers and there are plenty of them available on the market. Most if not all SDRs in the affordable price range are using USB2/USB3 as a transport, because of implementation simplicity. While being so popular, USB has limited bandwidth, high latency and is not really suitable for embedded applications. PCIe/miniPCIe is the only widespread bus which is embedded friendly, low latency and high bandwidth at the same time. But implementing PCIe/miniPCIe is not for the faint of heart: you have to write your own FPGA code, write your own Linux kernel driver and ensure compatibility with different chipsets, each with its own quirks. In this talk we will look at the requirements for a high performance SDR like XTRX, how this leads to certain design decisions, and share pitfalls and gotchas we encountered (and solved).

We've been working with SDRs since 2008 and building our own SDRs since 2011, focusing on embedded systems and mobile base stations. We created the ClockTamer configurable clock source and the UmTRX SDR and built a complete base station (UmSITE) to run OpenBTS and later Osmocom GSM stacks. This year we've started working on a new tiny high-performance SDR called XTRX which fits into the miniPCIe form-factor and uses PCIe for the I/Q sample transfer.

We will talk about when to use PCIe and when not to use PCIe and why we chose it for XTRX; FPGA implementation of PCIe with optimization for low latency and high throughput; the Linux kernel driver for this PCIe device; integration with various SDR platforms; and all the various issues we encountered and how you can avoid them.

https://www.youtube.com/watch?v=uf1EQOgBoEE

Designing a Remote SDR Station

Over on his blog w5fcx has posted an article that explains how he's managed to set up a remote software defined radio based ham radio station. The article is more focused on high end ham equipment for RX and TX use, but similar principles could apply to an RX-only station with SDRs like the RTL-SDR/Airspy/SDRplay.

He writes how he uses a VPN to remotely connect to his home computer and makes use of the SmartSDR app for Flex SDR radios, which is available for iOS and Windows. Many of the other applications he uses, such as his antenna rotator software, are also controlled over the VPN via remote COM port software. He also notes the requirement for an internet controllable AC power supply, so that TX can be shut down remotely if needed, and a UPS for continuous power. For the actual radio side he uses a FlexRadio SDR, an Elecraft amplifier and tuner, an antenna rotator and a Spiderbeam Yagi antenna.

The article explains in detail much of the equipment and software that he uses and is an excellent read for those wanting to get started in designing a remotely accessible SDR station.

Remote SDR Station Components