DragonOS: Installing Crocodile Hunter For Detecting Fake 4G Cell Sites

A few days ago we posted about two SDR related DEFCON talks which were recently released. One of the talks was about detecting fake 4G base stations with a bladeRF SDR and a tool they created called "Crocodile Hunter". It is currently compatible with the bladeRF x40 and USRP B200. The talk summary is posted below as it nicely summarizes what fake 4G base stations are and what Crocodile Hunter can do.

4G based IMSI catchers such as the Hailstorm are becoming more popular with governments and law enforcement around the world, as well as spies, and even criminals. Until now IMSI catcher detection has focused on 2G IMSI catchers such as the Stingray which are quickly falling out of favor.

In this talk we will tell you how 4G IMSI Catchers might work to the best of our knowledge, and what they can and can't do. We demonstrate a brand new software project to detect fake 4G base stations, with open source software and relatively cheap hardware. And finally we will present a comprehensive plan to dramatically limit the capabilities of IMSI catchers (with the long term goal of making them useless once and for all).

The Crocodile Hunter software is apparently a little difficult to install and get running, so Aaron, who runs the DragonOS YouTube tutorial channel, has uploaded a video documenting how to install and configure the software. The tutorial assumes that you are running the latest DragonOS image, which already includes a lot of the prerequisite software, and in his example he uses a USRP B205mini-i SDR.

DragonOS DEF CON 28 Crocodile Hunter Setup (DragonOS LTS PublicR4, srsLTE, USRP B205mini-i)

TechMinds: OpenWebRX Feature Overview And Raspberry Pi Setup

Over on YouTube TechMinds has posted his latest video which shows an overview of the features available in OpenWebRX, and also how to set it up on a Raspberry Pi. OpenWebRX is software which allows you to access your SDR remotely via the internet or local network through a web browser. All major SDRs are supported including RTL-SDRs. The software includes a waterfall display, all the standard demodulators, as well as several digital decoders for DMR, YSF, NXDN, D-Star, POCSAG, APRS, FT8, FT4, WSPR, JT65 and JT9.

In the video TechMinds first demonstrates OpenWebRX in action, showing reception of HF SSB amateur radio signals, decoding FT8 and plotting received grids on a map, decoding and plotting APRS on a map and decoding YSF/DSTAR/DMR digital voice. After this demonstration he goes on to show how to set up the OpenWebRX server on a Raspberry Pi via the installation image.

OpenWebRX Feature Overview And Raspberry Pi Setup

Sanchez: Create False Colour Images from GOES/Himawari/GK-2A Infrared

With an RTL-SDR, an appropriate satellite antenna and LNA it is possible to receive visible light images from geostationary satellites such as GOES/Himawari and GK-2A. However, in a 24 hour cycle there will only be one or two images that show the Earth fully illuminated by the sun. For the rest of the day, part or all of the Earth will be dark, with not even clouds visible. To get around this the satellites also use an Infrared (IR) camera which can see clouds at all times. However, these images are greyscale and not very visually appealing.

To fix this aesthetic issue there is now a recently released multiplatform tool called "Sanchez" which will combine a high resolution underlay image with the greyscale IR image in order to create a more beautiful image. The software is command line based and can run on a batch of collected images.

False colour satellite images made by Sanchez

Testing the Electrosense Up/Downconverter Expansion Board For 0 – 6 GHz

The Electrosense network is an open source project aiming to deploy radio spectrum sensors worldwide. The idea is to help analyze and understand radio spectrum usage across the globe. Each sensor consists of an RTL-SDR, Raspberry Pi and an optional downconverter to receive the higher bands. If you're interested, we wrote an overview of the project in a previous post.

Recently we received a sample of their Up/Downconverter expansion board which is used to expand the frequency range of the RTL-SDR to 0 MHz to 6 GHz. The converter board is entirely open source with the design files available on GitHub. The team note that they are also working on a V2 version which will be cheaper and smaller. The schematic and firmware for the V2 are also available right now, but it is still under early testing and may change.

The board is not for sale, however you can apply to be considered for a free unit if you want to host your own Electrosense node and meet their criteria. If you do not, you can still produce the board yourself. The team mention that the design is easily hand soldered, but there are a few difficult LGA components like the PLL, crystals and mixer which require a heat gun to solder. At the same time they also note that it is possible to get PCB manufacture and SMT assembly done for you for dirt cheap by PCB prototype companies like JLC PCB.

The Expansion Up/Downconverter Board

The converter board has 4 SMA input ports (only 3 are used) and one output port which connects to the RTL-SDR. The first input port is for the HF antenna input. This input connects to the circuit which converts 0 - 30 MHz into a higher frequency which can be received by the RTL-SDR. The second port is simply a pass through for the standard 24 MHz - 1.766 GHz range of a normal SDR. The third port is unused, and the fourth port connects the antenna to the downconverter circuit which allows us to receive from 1.766 GHz to 6 GHz.

The Electrosense Converter Board

MySondy: Radiosonde Tracking Firmware for a TTGO ESP32 LORA Board

A radiosonde is a small sensor and radio package normally attached to a weather balloon. Meteorological agencies around the world typically launch two balloons a day from several locations to gather data for weather prediction. We have featured radiosondes several times on this blog as it is easy to use an RTL-SDR and computer to receive and decode their signals, which can be used to hunt down the fallen sonde, or to receive the weather telemetry data.

Recently RTL-SDR.COM reader António submitted a link to an interesting project called "MySondy" which is created by Mirko Dalmonte (IZ4PNN). MySondy is custom firmware for TTGO Lora32 433 MHz boards which allows them to be turned into a radiosonde tracker. A TTGO is a cheap ~US$20 LoRa32 IoT dev board with an onboard WiFi + Bluetooth enabled ESP32 microcontroller and OLED display. Some of the slightly higher priced units come with a built in GPS receiver as well. With the custom firmware it is capable of receiving and decoding common radiosonde protocols such as RS41, M10, RS92 and DFM.

A TTGO ESP32 LoRa Board
A TTGO running MySondy firmware enclosed in a 3D Printed Case

There are also Android apps called MySondy Go and MySondy FINDER which connect to the TTGO via Bluetooth. The app plots the location of the radiosonde on a map, allowing you to easily follow and track down the balloon. You can also go to mysondy.altervista.org to see public MySondy stations. Clicking on a blinking dot will connect you with the MySondy server, allowing you to see tracked sondes.

MySondy Web Interface

The firmware and software appear to be fairly new, so there isn't much information about this that we could find just yet. Also we note that all manuals and information about the project are written in Italian, except for a French magazine article (pdf) that António sent us to upload.

We note that these TTGO ESP32 LoRa boards are quite interesting by themselves, with other custom firmware available to do things like create a Paxcounter which counts the number of mobile devices in an area via WiFi and Bluetooth signals, and the ability to use them as a GPS enabled Mesh network based text message radio.

Defcon 2020 Online Talks: Satellite Eavesdropping & Detecting Fake 4G Base Stations

DEFCON 2020 was held online this year and the talks were released a few days ago on their website and on YouTube. If you weren't already aware, Defcon is a major yearly conference all about information security, and some of the talks deal with wireless and SDR topics. We found two very interesting SDR and wireless related talks that we have highlighted below. The first talk investigates using commercial satellite TV receivers to eavesdrop on satellite internet communications. The second discusses using a bladeRF or USRP to detect fake 4G cellphone base stations. Slides for these talks are available on the Defcon Media server under the presentations folder.

DEF CON Safe Mode - James Pavur - Whispers Among the Stars

Space is changing. The number of satellites in orbit will increase from around 2,000 today to more than 15,000 by 2030. This briefing provides a practical look at the considerations an attacker may take when targeting satellite broadband communications networks. Using $300 of widely available home television equipment I show that it is possible to intercept deeply sensitive data transmitted on satellite links by some of the world's largest organizations.

The talk follows a series of case studies looking at satellite communications affecting three domains: air, land, and sea. From home satellite broadband customers, to wind farms, to oil tankers and aircraft, I show how satellite eavesdroppers can threaten privacy and communications security. Beyond eavesdropping, I also discuss how, under certain conditions, this inexpensive hardware can be used to hijack active sessions over the satellite link.

The talk concludes by presenting new open source tools we have developed to help researchers seeking to improve satellite communications security and individual satellite customers looking to encrypt their traffic.

The talk assumes no background in satellite communications or cryptography but will be most interesting to researchers interested in tackling further unsolved security challenges in outer space.

DEF CON Safe Mode - Cooper Quintin - Detecting Fake 4G Base Stations in Real Time

4G based IMSI catchers such as the Hailstorm are becoming more popular with governments and law enforcement around the world, as well as spies, and even criminals. Until now IMSI catcher detection has focused on 2G IMSI catchers such as the Stingray which are quickly falling out of favor.

In this talk we will tell you how 4G IMSI Catchers might work to the best of our knowledge, and what they can and can't do. We demonstrate a brand new software project to detect fake 4G base stations, with open source software and relatively cheap hardware. And finally we will present a comprehensive plan to dramatically limit the capabilities of IMSI catchers (with the long term goal of making them useless once and for all).

GitHub: https://github.com/EFForg/crocodilehunter

TechMinds: Using Public Online SDRs without SDR Hardware

This week's video on the TechMinds channel explores the various online web SDRs that are available to access for free. Accessing these online SDRs does not require any hardware apart from a PC and internet connection, although of course you are then receiving signals from a different location to yourself.

In the video he shows how to access the SDR# Spy Server Network which mostly consists of Airspy and RTL-SDR units, the SDR-Console V3 Server network which consists of a wide array of different SDRs, the browser based WebSDR network which is mostly soundcard based SDRs but also RTL-SDR and other SDRs, and finally the KiwiSDR network which is made up of KiwiSDRs.

Using Software Defined Radio Without SDR Hardware - WebSDR

SignalsEverywhere: Setting up a Broadcastify Feed with SDRTrunk

In her last video Sarah from the SignalsEverywhere YouTube channel showed us how to set up SDRTrunk for reception of digital P25 Police and other services with two RTL-SDR dongles. In this week's episode Sarah shows us how to set up Broadcastify with SDRTrunk. Broadcastify is an online service that allows you to stream audio from your SDR or scanner radio to their website for anyone to listen to. We note that sharing audio or some talkgroups may not be legal in all countries so please do your research first.

In the video Sarah shows the full setup process involving setting up a Broadcastify account, creating an alias list, adding talkgroups to share and finally setting up the Icecast server for streaming to the Broadcastify servers.

SDRTrunk Broadcastify Feed Tutorial