Search results for: Rpitx

The RadioInstigator: A $150 Signals Intelligence Platform Consisting of a Raspberry Pi, RPiTX, 2.4 GHz Crazyradio and an RTL-SDR

Circle City Con is a yearly conference that focuses on information security talks. At this year's conference Josh Conway presented an interesting talk titled "SigInt for the Masses Building and Using a Signals Intelligence Platform for Less than $150". Josh's talk introduces his "RadioInstigator" hardware, which is a combination of a Raspberry Pi, CrazyRadio and an RTL-SDR all packaged into a 3D printed enclosure with an LCD screen. The idea behind the RadioInstigator is to create a portable and low cost Signals Intelligence (SIGINT) device that can be used to investigate and manipulate the security of radio signals.

The RadioInstigator makes use of the RPiTX software, which allows a Raspberry Pi to transmit an arbitrary radio signal from 5 kHz up to 1500 MHz without the use of any additional transmitting hardware - just connect an antenna directly to a GPIO pin. Connected to the Pi is a CrazyRadio, which is an nRF24LU1+ based radio that can be used to receive and transmit at 2.4 GHz. And of course there is an RTL-SDR for receiving every other signal. Josh has made the plans for the RadioInstigator fully open source over on GitLab.

In his talk Josh introduces the RadioInstigator, then goes on to discuss other SDR hardware, antenna concepts and the software installed on the RadioInstigator, such as RPiTX, GNU Radio, Universal Radio Hacker, Salamandra, TempestSDR and more.

[First seen on Hackaday]

Track 3 07 SigInt for the Masses Building and Using a Signals Intelligence Platform for Less than 15

Creating Smart Home Automation Devices with Wireless Power Plugs, an RTL-SDR and RPiTX

Over on his YouTube channel ModernHam has created a video showing him using an RTL-SDR and Raspberry Pi with RPiTX to record and replay the signal generated by the remote of a wireless power plug. A wireless power plug allows you to turn an AC wall outlet on/off remotely via a remote control. Controlling them with a Raspberry Pi can be a simple way to add home automation. One example ModernHam gives is that he hopes to use RPiTX and the wireless power plugs to create a smart coffee pot that will automatically turn on at 7 am, and turn off at 9 am.

In the past we have created a similar tutorial here, but new updates to RPiTX now make this process much easier and more reliable, and ModernHam's video shows the new procedure. The new process is simply to look up the FCC-registered frequency of the remote control transmitter, record an IQ file of the transmissions for the ON and OFF buttons, and then use the RPiTX sendiq command to replay the signal. You can then use simple Linux shell scripts to create automation.

Replay Attack with Remote Plugs for Home Automation with the Raspberry PI

Using an RTL-SDR and RPiTX to Unlock a Car with a Replay Attack

Over on YouTube user ModernHam has uploaded a video showing how to perform a replay attack on a car key fob using a Raspberry Pi running RPiTX and an RTL-SDR. A replay attack consists of recording an RF signal, and then simply replaying it again with a transmit capable radio. RPiTX is a program that can turn a Raspberry Pi into a general purpose RF transmitter without the need for any additional hardware.

The process is to record a raw IQ file with the RTL-SDR, and then use RPiTX V2's "sendiq" command to transmit the exact same signal again whenever you want. With this setup he's able to unlock his 2006 Toyota Camry at will with RPiTX.

We note that this sort of simple replay attack will only work on older model cars that do not use rolling code security. Rolling code security works by ensuring that each unlock transmission can only be accepted once, so a recording of it is rejected when replayed. However, modern rolling code security systems are still susceptible to 'rolljam' style attacks.
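To make the difference between the two kinds of key fob concrete, here is an added example (not code from the video or from RPiTX) that models both receivers in a few lines of Python. The fixed-code receiver compares the incoming frame against one static secret, so a captured frame is accepted every time it is presented. The rolling-code receiver checks a MAC over a monotonically increasing counter and only accepts counters above the last one it saw, within a small look-ahead window to tolerate button presses made out of range. The key, the frame layout, the HMAC construction and the window size are all constructed for this illustration and do not describe any real vehicle's protocol.

```python
import hashlib
import hmac

# Constructed shared secret for the illustration only; a real fob and car
# would each hold a per-device key provisioned at the factory.
KEY = b"example-shared-key-not-a-real-device"

# How many counter values ahead of the last accepted one the receiver will
# tolerate (presses made while out of range of the car). Constructed value.
WINDOW = 16


def make_frame(counter: int) -> bytes:
    """Fob side: 4-byte big-endian counter followed by a truncated HMAC tag."""
    ctr = counter.to_bytes(4, "big")
    tag = hmac.new(KEY, ctr, hashlib.sha256).digest()[:8]
    return ctr + tag


class FixedCodeReceiver:
    """Older scheme: the frame *is* the secret, so any recording of it works."""

    def __init__(self, code: bytes) -> None:
        self.code = code

    def accept(self, frame: bytes) -> bool:
        return hmac.compare_digest(frame, self.code)


class RollingCodeReceiver:
    """Rolling scheme: a frame is valid once, and only if it moves the counter forward."""

    def __init__(self) -> None:
        self.last_counter = -1  # nothing accepted yet

    def accept(self, frame: bytes) -> bool:
        if len(frame) != 12:
            return False
        ctr_bytes, tag = frame[:4], frame[4:]
        expected = hmac.new(KEY, ctr_bytes, hashlib.sha256).digest()[:8]
        # Authenticate first so a forged counter cannot move the window.
        if not hmac.compare_digest(tag, expected):
            return False
        ctr = int.from_bytes(ctr_bytes, "big")
        # Reject anything at or below the last accepted value (a replay) and
        # anything too far ahead (would need a resynchronisation procedure).
        if not (self.last_counter < ctr <= self.last_counter + WINDOW):
            return False
        self.last_counter = ctr
        return True


def demo():
    """Run both receivers against a captured frame; returns the acceptance decisions."""
    fixed = FixedCodeReceiver(b"fixed-code-secret")
    captured = b"fixed-code-secret"            # what an RTL-SDR recording would hold
    fixed_results = (fixed.accept(captured), fixed.accept(captured))  # replay succeeds

    rolling = RollingCodeReceiver()
    first = make_frame(1)
    rolling_results = (
        rolling.accept(first),                    # genuine press: accepted
        rolling.accept(first),                    # same bytes again: replay rejected
        rolling.accept(make_frame(5)),            # a few missed presses: inside window
        rolling.accept(make_frame(3)),            # stale counter: rejected
        rolling.accept(make_frame(5 + WINDOW + 1)),  # beyond window: rejected
        rolling.accept(make_frame(6)[:4] + b"\x00" * 8),  # bad tag: rejected
    )
    return fixed_results, rolling_results


if __name__ == "__main__":
    print(demo())
```

The look-ahead window is the trade-off that the 'rolljam' remark above refers to: a receiver has to tolerate presses it never heard, and that tolerance is what a jam-and-capture attack abuses. Narrowing the window, binding the counter to a timestamp or challenge, or requiring a second factor for high-value actions are the usual mitigations.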

In the video below ModernHam goes through the process from the beginning, showing how to install the RTL-SDR drivers and RPiTX. Near the end of the video he shows the replay attack in action.

Unlock Cars with a Raspberry Pi And SDR - Replay attack

Video Tutorial and Overview of RPiTX Version 2

Over on YouTube, the channel Tech Minds has uploaded a video that shows how to install and use RPiTX version 2. RPiTX is software for the Raspberry Pi which can turn it into a 5 kHz to 1500 MHz transmitter capable of transmitting any arbitrary signal. RPiTX requires no additional hardware, but a filter is required for transmitting with any power or gain. Back in November RPiTX was updated to version 2, which brought with it a new GUI and improved spectral purity.

In his video Tech Minds goes over the installation of RPiTX, and then goes on to demonstrate it in action with an RTL-SDR and SDRuno used as the receiver. He shows the several TX modes available, such as the tone/chirp generator, spectrum painter, FM with RDS, SSB and FreeDV.

Raspberry Pi Transmitter with RPITX Version 2

RPiTX v2 Released: Easily Record and Replay with RTL-SDR and a Raspberry Pi

RPiTX is software for the Raspberry Pi which can turn it into a 5 kHz to 1500 MHz transmitter capable of transmitting any arbitrary signal. In order to transmit, the software does not require any additional hardware apart from a wire plugged into a GPIO pin on the expansion header. It works by modulating the GPIO pin with square waves in such a way that the desired signal is generated. However, although additional hardware isn't required, if RPiTX is to be used in any actual application a band-pass filter is highly recommended in order to remove the harmonics, which could otherwise interfere with and jam other radio systems.

Earlier this month RPiTX was upgraded to version 2. One of the changes is a new GUI for testing the various transmission modes. Currently it is possible to transmit a chirp, FM with RDS, USB, SSTV, Opera, Pocsag and FreeDV. There is also a spectrum painter which allows you to display an image on an SDR's waterfall.

The RPiTX V2 GUI
Painting an Image on a SDR Waterfall Display with RPiTX v2

The RPiTX v2 update also makes recording a signal with an RTL-SDR and replaying that signal with RPiTX significantly easier. Previously it was necessary to go through a number of preprocessing steps (as described in our previous tutorial) in order to get a transmittable file, but now RPiTX is capable of transmitting a recorded IQ file directly. This makes copying things like 433 MHz ISM band remotes significantly easier. One application might be to use RPiTX as an internet connected home automation tool which could control all your wireless devices.

Finally, another application of the RPiTX and RTL-SDR combination is a live RF relay. The software is able to receive a signal at one frequency from the RTL-SDR, and then re-transmit it at another frequency in real time. It is also capable of live transmodulation, where it receives an FM radio station, demodulates it, and then remodulates it as SSB to transmit on another frequency.

The RPiTX V2 RTL-SDR Menu
RPiTX v2 re-transmitting a broadcast FM signal live at 434 MHz.

Testing the RTL-SDR V3 Direct Sampling Mode for use in a 2-FSK RPiTX Modem

Over on his blog, Rowetel has been testing our RTL-SDR Blog V3 in order to possibly use it as a cheap FSK receiver for his RPiTX 2-FSK modem project. His post details some measurements that he's done in order to determine the lower HF band performance of the RTL-SDR V3 running in direct sampling mode, and its viability for use in his 2-FSK modem system.

In the first test he uses RPiTX to generate a 2-FSK signal, which is then received and decoded by an RTL-SDR V3 connected to an attenuator and laptop. The Bit Error Rate (BER) is then measured while the attenuation is increased until the decoder fails. With this test he found an MDS (minimum detectable signal) somewhere between -115 dBm and -125 dBm, and a maximum input power of -30 dBm before clipping.

In another test he measures the RTL-SDR's ability to withstand a blocking CW signal. The results show that even with a 65 dB stronger signal just 7 kHz away, the 2-FSK modem system was able to continue working.

Finally he concludes:

So I figure for the lower HF bands this receiver's performance is OK – the ADC quantisation noise isn't likely to impact performance and the strong signal performance is good enough. An overload of -30dBm (S9+40dB) is also acceptable given the use case is remote communications where there is unlikely to be any nearby transmitters in the input filter passband.

Test Setup

Using RPiTX as a 2FSK Transmitter

Over on his blog, Rowetel has been experimenting with 2FSK transmissions and the new v2beta branch of RPiTX. RPiTX is a piece of software for the Raspberry Pi that enables it to transmit RF signals via a GPIO pin, with no other hardware required.

In his tests he's been creating 100 bit/s 2FSK test frames, transmitting them at 7.177 MHz, and receiving and decoding them on another PC with a hardware radio. The results show that the transmission is working perfectly, with only minor artefacts caused by RPiTX. Rowetel also notes that the narrow band spectral purity of the RPiTX output is remarkably clean. The only concern is the wide band harmonics, which can easily be removed with filtering.

This shows that RPiTX could easily be used as a transmitter for amateur radio purposes, assuming proper external filtering is applied. Rowetel also mentions that he hopes that cheap radio technologies like RPiTX could one day be used to help reduce the cost and difficulty in covering the 'last 100 miles' of communications in the developing world.

RPiTX 2FSK spectrum analyzer measurement showing good narrow band spectral purity.

CrowPi: Raspberry Pi Experimenters Kit Review (With RTL-SDR and RPiTX Tests)

CrowPi is a Raspberry Pi all-in-one experimenters kit that is currently crowdfunding on Kickstarter. The idea behind CrowPi is to combine a touchscreen, various sensors, actuators and interfaces into a clutter-free kit mounted on a PCB in an easy to carry hard shell case. It's mostly intended to be used in STEM learning environments, however it could also be used for rapid prototyping of Raspberry Pi based ideas, or simply as a portable computer.

The CrowPi

The kit has 4 days left on Kickstarter and has already met its minimum goal. Pledging $1,169 HKD (~USD $150) gets you the basic kit, which does not include a Raspberry Pi. Higher pledge levels (up to US$250) get you models that include a Raspberry Pi as well as extras such as a 5V power supply, earphones, heatsinks, keyboards, game controllers etc. Shipping of the units is expected to commence in July.

Elecrow, the Shenzhen based company behind CrowPi, kindly sent us a free kit for an honest review. While not directly related to RTL-SDR or RF, we thought that there might be several applications that would make the CrowPi kit useful for prototyping some simple low cost RF based ideas. For example:

  • Prototyping IoT based modules that use the RTL-SDR as a receiver. For example, receiving a 433 MHz ISM signal and writing the received information to the LCD/LED array or activating the relay.
  • Similarly, using FL2K-SDR or RPiTX to transmit a signal when a sensor is activated, or to transmit telemetry from that sensor (e.g. distance data from the ultrasonic sensor, humidity levels from the DH11 sensor, or light levels from the light sensor).
  • Using an RTL-SDR to prototype an ADS-B plane tracking camera using the two servo module interfaces.

To get an idea of what's packed into the CrowPi, the kit includes the following modules:

Everything that came with our CrowPi Demo Kit (Except the Raspberry Pi)

  • 1920 x 1080 Capable HDMI 7" Touch Screen
  • LCD Module
  • 8x8 Matrix LED
  • Breadboard
  • 4 character 7-seg LED
  • Vibration motor
  • Light Sensor
  • Buzzer
  • Sound Sensor
  • Motion Sensor
  • Ultrasonic Sensor
  • Servo Interface
  • Step Motor Interface
  • UART
  • Tilt Sensor
  • IR Sensor
  • Touch Sensor
  • DH11 Humidity Sensor
  • Relay
  • Matrix of buttons
  • RFID Module

With our kit we also received:

  • 2x GPIO Flex Cables
  • 1x Stepper Motor
  • 1x Servo
  • 1x Charger
  • 1x IR diode
  • 1x NFC Tag
  • 1x Mini HDMI for the Raspberry Pi Zero
  • 1x IR Remote control

Setup, Initial Testing and Thoughts

Setup: Setup was simple and consisted of downloading their customized Raspberry Pi image onto an SD card, connecting the Raspberry Pi to the HDMI, USB and GPIO pins, and then powering it up using the power jack on the CrowPi Board. A user manual is available for download.

Initial Testing: CrowPi provides a set of lessons that show how to use each of the modules on the board. All modules also have Python code examples that are ready to run as soon as you boot up. Immediately after booting up we were able to run their demo code, which allowed us to test all the various sensors, print text to the LCD module, activate the 7-seg display, and actuate a servo and stepper motor.

The tutorials are easy to understand and provide a good basic rundown of the sensors. You will need to have some basic Python skills to understand the Python code, however.

Thoughts: The CrowPi is sturdily built, and is definitely easy to use. The touch screen is bright and clear. It is capable of running in 1080P mode, but is a bit too small and hard on the eyes to use at this resolution, so we kept the screen in 720P mode. In order to use the Raspberry Pi, you'll need to plug in a USB keyboard and mouse, which are not included in the basic kit. A wireless keyboard/mouse combo is ideal. There appear to be speaker holes next to the monitor, but it seems that our demo model is the basic model, which does not include built-in speakers. The kit is impressive looking and appears to be priced reasonably for what you get.

RTL-SDR and RF Testing

Unfortunately, when it came to running the RTL-SDR we instantly ran into a problem. With the one 5V 3A power supply running the Pi, HDMI screen and modules, it seems that there just isn't enough power budget left over to run the RTL-SDR, which draws about 270 - 290 mA. The RTL-SDR connects fine, but when trying to run GQRX the Pi 3 shuts down. To get around this problem we had to connect a second power supply directly to the Raspberry Pi 3's input. After doing this the board and kit ran smoothly with the RTL-SDR. Using a powered USB hub would also work.

RPiTX is software for the Raspberry Pi that allows you to transmit RF signals directly via PIN12 or PIN7 of the GPIO header. On CrowPi, PIN12 is already connected to the buzzer and PIN7 is connected to the humidity sensor. Using PIN12 causes the buzzer to sound, so we tried PIN7. Even though it's connected to the humidity sensor, the sensor doesn't seem to mind the GPIO bit flipping going on. The traces within the board and cable radiate sufficiently to transmit signals strongly enough to use within a room, so no external antenna is needed. Use of PIN7 can be selected in RPiTX by using the "-c 1" flag.

Using our Replay Attacks with an RTL-SDR, Raspberry Pi and RPiTX tutorial, we copied the signal from the remote control of a 433 MHz alarm/door bell, and used RPiTX to replay the signal. Then, by modifying some of the supplied CrowPi Python code, we were able to get the doorbell to sound on a touch of the touch sensor, on activation of the sound sensor, and on activation of the RFID sensor. We could see the CrowPi being used as a general tool for learning how to prototype simple IoT or home automation devices. The video below shows a brief demonstration.

It would have been nice if these RPiTX GPIO pins had been left exposed rather than connected to a sensor, but the developers of the board had probably not heard of RPiTX, as the goal is a more general classroom application.

CrowPi Demo

Conclusion

If you're looking to get kids or STEM students/hobbyists interested in what Raspberry Pis can do, then this kit couldn't make it simpler. The single board and briefcase design makes the whole thing very tidy and portable, and the kit looks and feels sturdy and professional. If you know a kid interested in electronics, then this kit would make a great present.

You could probably purchase all the components cheaper individually, but at the end of the day an all-in-one kit just makes sense as it is a lot tidier, and much easier to get up and running quickly.

For RF experiments, it's possible to use the RTL-SDR with the minor annoyance of having to connect two power supplies or use a powered USB hub. RPiTX also functions fine on the device and can be used to transmit an RF signal on activation of any one of the sensor modules. This could easily be used to prototype simple home automation or IoT ideas.