Using a Software Defined Radio to Send Fake Presidential Alerts over LTE

Modern cell phones in the USA are all required to support the Wireless Emergency Alert (WEA) program, which allows citizens to receive urgent messages like AMBER (child abduction) alerts, severe weather warnings and Presidential Alerts.

In January 2018 an incoming missile alert was accidentally issued to residents in Hawaii, resulting in panic and disruption. More recently an unblockable Presidential Alert test message was sent to all US phones. These events have prompted researchers at the University of Colorado Boulder to investigate concerns over how this alert system could be hacked, potentially allowing bad actors to cause mass panic on demand (SciHub Paper).

Their research showed that four low cost USRP or bladeRF TX capable software defined radios (SDRs) with 1 watt output power each, combined with open source LTE base station software, could be used to send a fake Presidential Alert to a stadium of 50,000 people (note that this was only simulated - real world tests were performed responsibly in a controlled environment). The attack works by creating a fake and malicious LTE cell tower on the SDR that nearby cell phones connect to. Once connected, an alert can easily be crafted and sent to all connected phones. There is no way for a phone to verify that an alert is legitimate.

Spoofed Presidential Alerts Received on a Galaxy S8 and iPhone X.

SignalsEverywhere: Decoding Inmarsat EGC and AERO ACARS

In his latest video Corrosive from the SignalsEverywhere YouTube channel discusses Inmarsat LES EGC and AERO ACARS decoding. Inmarsat is a satellite provider that operates multiple geosynchronous satellites which can be received from almost anywhere in the world at around 1.5 GHz with an RTL-SDR and an appropriate antenna + LNA. Inmarsat EGC and AERO are two channels on Inmarsat satellites that can easily be decoded.

The Enhanced Group Call (EGC) messages typically contain text information such as search and rescue (SAR) and coast guard messages, as well as news, weather and incident reports. AERO messages on the other hand are a form of satellite ACARS, and typically contain short messages from aircraft. More interestingly, with a bit of work compiling audio decoders, it is also possible to listen in to AERO C-Channel conversations, which is an emergency phone call service available on some aircraft.

In his video Corrosive gives an overview and demonstration of EGC and AERO reception.

Inmarsat LES EGC and AERO ACARS Decoding

A LimeSDR Mini Based Es’Hail-2 DATV Ground Station Uplink

Daniel Estévez has posted on the LimeSDR Mini CrowdSupply blog about his ground-station build for the Es'Hail-2 satellite. Es'Hail-2 is the first geostationary satellite with amateur radio transponders on board. The LimeSDR Mini is a $159 RX/TX capable SDR with 10 MHz to 3.5 GHz frequency range.

The Es'Hail-2 satellite is positioned at 25.5°E, which is over Africa. Its reception footprint covers Africa, Europe, the Middle East, India, eastern Brazil and the western half of Russia/Asia. There are two amateur transponders on the satellite. One is a narrow band linear transponder which uplinks from 2400.050 - 2400.300 MHz and downlinks from 10489.550 - 10489.800 MHz. The other is a wide band digital transponder for digital amateur TV (DATV) which uplinks from 2401.500 - 2409.500 MHz and downlinks from 10491.000 - 10499.000 MHz.

Daniel's ground station uses a LimeSDR Mini running on a Beaglebone Black. A 2.4 GHz WiFi parabolic grid antenna is used to transmit to the satellite's digital amateur TV uplink. In order to generate enough power for the uplink transmission a GALI-84 amplifier chip is cascaded with a 100W power amplifier. All the electronics are enclosed in a watertight box and placed outside.

A LimeSDR Mini Based Es'Hail-2 DATV Uplink Ground Station

Reverse Engineering and Controlling a Wireless Doorbell with an RTL-SDR and Arduino

Thank you to Shreyas Ubale for submitting his blog post about reverse engineering a wireless doorbell, and then performing a replay attack. Shreyas had purchased a wireless doorbell set containing one button transmitter and two bell receivers. However, his situation required two transmitters, one for visitors at the door, and one to be used by family within his house.

In order to create a second transmitter he decided to reverse engineer the doorbell's wireless signal, and use that information to create an Arduino based transmitter. His process involves first using an RTL-SDR to determine the transmission frequency, then using the rtl_433 software to capture the raw waveform, which he then analyzes manually in Audacity. Once the binary string, its length and the pulse width are known, he is able to program an Arduino connected to a 433 MHz transmitter to replicate the signal. The replay works because the doorbell uses a fixed code: every button press sends the same bits, so anything that can reproduce them is accepted.
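The analysis step described above (measuring pulse widths in a captured waveform and turning them into a binary string) is the part that is easy to get wrong by eye. The following is an added example, not code from Shreyas's post: a small pulse-width-modulated OOK decoder that runs over an envelope built inline by encode_pwm(), so it works offline. The sample rate, the short/long/gap timings and the frame gap are assumed values chosen for the example, not the doorbell's real parameters; the security point it illustrates is that a fixed-code transmitter produces identical frames on every press, which is exactly what makes a replay possible and is what is_fixed_code() reports.

```python
"""Added example: decode a PWM-encoded OOK burst such as a 433 MHz fixed-code
doorbell sends. The capture is constructed inline by encode_pwm(); a real one
would come from rtl_433 or an Audacity export. All timing constants below are
assumed values for the example, not measured from any particular doorbell."""

SAMPLE_RATE = 250_000   # envelope samples per second (assumed)
SHORT_US = 300          # short "on" pulse in microseconds, encodes a 0 (assumed)
LONG_US = 900           # long "on" pulse, encodes a 1 (assumed)
GAP_US = 300            # "off" period between pulses (assumed)
FRAME_GAP_US = 9_000    # long silence that terminates a frame (assumed)
THRESHOLD = 0.5         # envelope level above which the carrier counts as on


def us_to_samples(us):
    """Convert a duration in microseconds to a whole number of samples."""
    return int(round(us * SAMPLE_RATE / 1_000_000))


def encode_pwm(bits):
    """Build a constructed envelope (floats in 0..1) for a bit string.
    '1' -> long high pulse, '0' -> short high pulse, each followed by a gap,
    and a long low gap after the last bit to mark the end of the frame."""
    env = []
    for b in bits:
        high = LONG_US if b == "1" else SHORT_US
        env += [1.0] * us_to_samples(high)
        env += [0.0] * us_to_samples(GAP_US)
    env += [0.0] * us_to_samples(FRAME_GAP_US)
    return env


def runs(env):
    """Collapse the envelope into (level, duration_us) runs: this is the
    'measure the pulse widths' step normally done with the cursor in Audacity."""
    out = []
    cur = env[0] > THRESHOLD
    n = 0
    for s in env:
        lvl = s > THRESHOLD
        if lvl == cur:
            n += 1
        else:
            out.append((cur, n * 1_000_000 / SAMPLE_RATE))
            cur, n = lvl, 1
    out.append((cur, n * 1_000_000 / SAMPLE_RATE))
    return out


def decode_pwm(env):
    """Return a list of decoded frames (bit strings). A high run longer than
    the midpoint between SHORT_US and LONG_US is a 1, otherwise a 0; a low run
    longer than half of FRAME_GAP_US ends the current frame."""
    frames, bits = [], []
    midpoint = (SHORT_US + LONG_US) / 2
    for level, dur in runs(env):
        if level:
            bits.append("1" if dur > midpoint else "0")
        elif dur > FRAME_GAP_US / 2 and bits:
            frames.append("".join(bits))
            bits = []
    if bits:
        frames.append("".join(bits))
    return frames


def is_fixed_code(frames):
    """True when every captured frame carries the same bits, i.e. the device
    has no rolling code and a recorded burst would be accepted again."""
    return len(frames) > 1 and all(f == frames[0] for f in frames)


if __name__ == "__main__":
    code = "110100101011"  # constructed 12-bit code, not a real doorbell's
    capture = encode_pwm(code) + encode_pwm(code)  # two presses of the button
    decoded = decode_pwm(capture)
    print("frames:", decoded)
    print("fixed code (replayable):", is_fixed_code(decoded))
```

When applying this to a real capture, THRESHOLD and the timing constants have to be read off the waveform first; rtl_433's analyzer mode prints pulse-width histograms that give the short and long values directly, and the midpoint rule in decode_pwm() is tolerant of a few tens of microseconds of jitter around them.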

In future posts Shreyas hopes to explore other ways to transmit the signal, and eventually design a simple but configurable 433 MHz push button that supports RF and WiFi and can work with the IFTTT web service.

If you're interested, check out some of our previous posts that highlight many other successful reverse engineering experiments with RF devices and SDR.

Doorbell Signal Analysis in Audacity. Captured with an RTL-SDR.

Tracking and Recovering A NWS Weather Balloon & Radiosonde with an RTL-SDR

Over on YouTube OLHZN High Altitude Balloons has posted a very entertaining video showing how to use an RTL-SDR and small grid dish antenna to track and recover a fallen weather balloon and its radiosonde. OLHZN writes:

The US National Weather Service (#NWS) launches over 200 weather balloons every day carrying an LMS-6 #radiosonde / rawinsonde made by Lockheed Martin to an altitude of over 100,000 ft. and you can track & follow the flights from home and even find the landing site and pick them up! This is a fun #DIY project that you can do yourself from home and I'll show you how to do it here along with some tips so you can go find yourself a weather balloon & radiosonde!

How to track & recover a NWS weather balloon & radiosonde 🎈🎈 DIY

An RTL-SDR and Pi 3 Based Ground Station for Simulated CubeSats

CubeSats are small and light satellites that can these days be built and launched into orbit by almost anyone with a small budget of roughly $40,000. They are a great way for schools and other organizations to get into a space based technology project. A "simulated" CubeSat is one that is not designed to be really launched into space, and is made from low cost hardware. The idea is that simulated CubeSats can be used as tools to help demystify the inner workings of satellites to the public and help CubeSat builders get experience and competence before building the real thing.

A Simulated CubeSat made from a Solar Panel board, Pi Zero, UPS and Transceiver.

A team from AMSAT has been working on creating open source CubeSat simulator hardware and software. In order to demonstrate the RF capabilities of the simulator a ground station simulator is also required. Recently the team uploaded instructions on creating a Raspberry Pi and RTL-SDR based ground station.

If you're interested in the CubeSat simulator hardware itself, there was a presentation held back in 2018 that may be of interest to you. According to the presentation somewhere between 30% - 50% of CubeSats fail as soon as they're deployed, so building competence with simulated hardware is a good goal.

2018 AMSAT William A. Tynan W3XO Memorial Space Symposium - Saturday Sessions

Decoding FT8 with an RTL-SDR Blog V3 in Direct Sampling Mode

Over on YouTube user ModernHam has uploaded a useful tutorial showing how to use our RTL-SDR Blog V3 dongles for FT8 monitoring. The RTL-SDR Blog V3 has a built in direct sampling circuit which allows for reception of HF signals without the need for any upconverter. FT8 is an amateur radio weak signal digital communications mode which can be received all around the world even with low transmit power.

In his setup he uses SDR# and Virtual Audio Cable to pipe audio to the WSJT-X decoder. His video goes through all the steps and the settings that need to be configured, and then shows a demo of some signals being received. ModernHam also has another video, uploaded a few days earlier, which is a more general introduction to FT8 decoding.

If you're interested we uploaded a tutorial last year that shows how to set up a Raspberry Pi 3 based FT8 decoding station with a V3 dongle.

Decoding FT8 with a RTL-SDR (Software defined Radio)

The RadioInstigator: A $150 Signals Intelligence Platform Consisting of a Raspberry Pi, RPiTX, 2.4 GHz Crazyradio and an RTL-SDR

Circle City Con is a yearly conference that focuses on information security talks. At this year's conference Josh Conway presented an interesting talk titled "SigInt for the Masses Building and Using a Signals Intelligence Platform for Less than $150". Josh's talk introduces his "RadioInstigator" hardware, which is a combination of a Raspberry Pi, CrazyRadio and an RTL-SDR all packaged into a 3D printed enclosure with an LCD screen. The idea behind the RadioInstigator is to create a portable and low cost Signals Intelligence (SIGINT) device that can be used to investigate and manipulate the security of radio signals.

The RadioInstigator makes use of the RPiTX software, which allows a Raspberry Pi to transmit an arbitrary radio signal from 5 kHz up to 1500 MHz without the use of any additional transmitting hardware - just connect an antenna directly to a GPIO pin. Connected to the Pi is a CrazyRadio, which is an nRF24LU1+ based radio that can be used to receive and transmit on 2.4 GHz. And of course there is an RTL-SDR for receiving every other signal. Josh has made the plans for the RadioInstigator fully open source over on GitLab.

In his talk Josh introduces the RadioInstigator, then goes on to discuss other SDR hardware, antenna concepts and the software installed on the RadioInstigator, such as RPiTX, GNU Radio, Universal Radio Hacker, Salamandra, TempestSDR and more.

Track 3 07 SigInt for the Masses Building and Using a Signals Intelligence Platform for Less than 15