Over on her YouTube channel, SignalsEverywhere, Sarah has uploaded a new video showing how she uses a PlutoSDR, HackRF and mixer to transmit DVB-S digital amateur TV to a standard satellite set top box. In this video the idea is to get a little more range by using the PlutoSDR to transmit in the 70cm band, then upconverting that to the 23cm band right at the satellite receiver. Transmitting at the lower frequency yields a higher power output from the PlutoSDR and less cable loss. The mixer consists of a passive mixer chip and a HackRF is used as the mixer LO signal source as a temporary test solution.
Digital TV Transmitter 70cm ATV to 23cm Satellite Receiver Using a Mixer/Upconverter
OpenWiFi is a Linux mac80211 compatible full-stack IEEE802.11/Wi-Fi design based on an FPGA and SDR (Software Defined Radio). It aims to be the first fully open source implementation of the entire WiFi stack. While the current design does not provide any feature benefits over commercial closed source chips, it is beneficial from an education standpoint, and also from a security standpoint, as open source FPGA code can be audited to verify that it contains no backdoors. The SDRs used in the project are typically not ones seen on this blog as they mostly exist on research dev boards optimized for the 2.4 GHz band.
Recently the FOSDEM 2020 conference talks from February 2020 have been released on YouTube and a talk titled Opensource "Wi-Fi chip design" and Linux drivers by Xianjun Jiao was uploaded. The talk explains OpenWiFi in detail, and why or why not you might want to use it.
Individuals, SMEs, opensource communities and big companies have shown big interest in the openwifi project. They also asked many questions, such as MIMO support, CSI information support, roadmap and opensource license consideration. One new interesting message, which was not expected before, is that: People are willing to pay more for a WiFi chip not because the chip’s performance is better but just because they can check the chip silicon source code (Verilog/VHDL/C) on github if they have privacy/security concerns. So far, no commercial WiFi chip discloses its silicon source code. After the FOSDEM, the project has reached 545 stars on github.
RTLion is a software framework for RTL-SDR dongles that currently supports various features such as a power spectrum plot and frequency scanning. The software can run on a Raspberry Pi 3 and all features are intended to be accessed via an easy to use web browser interface, or via an Android app. The software can also be run with Docker, making it useful for IoT applications.
Over on YouTube M Khanfar has uploaded a comprehensive tutorial video explaining how to setup and run the RTLion server software on a Linux computer. He goes on to demonstrate and explain how to use the server via the web interface and also via the RTLion Android app.
The KerberosSDR is our 4-channel phase coherent capable RTL-SDR unit that we previously successfully crowdfunded back in 2018. With a 4-channel phase coherent RTL-SDR interesting applications like radio direction finding, passive radar and beam forming become possible. It can also be used as 4 separate RTL-SDRs for multichannel monitoring.
In one of our latest tests we've been able to track a weather balloon radiosonde via the direction finding ability of KerberosSDR. These balloons are launched twice daily by meteorological agencies around the world, and the radiosonde carried by the balloon transmits an RS-41 signal continuously throughout its flight, sending back telemetry such as weather information and GPS coordinates. The KerberosSDR tracks the bearing towards the balloon using only the raw signal - it does not decode it. Having the actual GPS location from the RS41 data allows us to compare and confirm that the KerberosSDR is indeed tracking the bearing of the balloon.
In this test we used the excellent 4-element dipole array made by Arrow Antennas. In particular we used the 406 MHz element version as the RS-41 signal is broadcast at 403 MHz. The antenna array is mounted on the roof, and the KerberosSDR is in the attic connected to a Raspberry Pi 4. Our KerberosSDR Android app is used to plot the bearings. A separate RTL-SDR running on the video recording PC is connected to its own antenna and is used to receive and decode the RS41 signal. The free software RS41 Tracker is used to decode and map the balloon for location confirmation.
We are currently using the latest beta code in development (unreleased at the time of this post - it will be released within 1 to 2 months) which handles non-continuous intermittent signals better.
Arrow Antennas 4-Element Dipole Array Mounted on Roof
The short video below shows a timelapse of the RS41 decoder tracking a balloon which circled the south of our KerberosSDR. The red line indicates the zero degree direction of the antenna array, while the blue line indicates the estimated direction of the balloon determined via the MUSIC radio direction finding technique.
The GPS balloon map from RS41 Tracker is overlaid on top of the KerberosSDR Android app map for clarity via video editing. We can see that it mostly tracks the balloon to within a few degrees. When the blue bearing line diverges, this is due to the balloon's line of sight path to the antennas being obscured by terrain, buildings or trees. When this is the case, a multipath signal reflecting off surrounding hills tends to become dominant.
In the second short video below the weather balloon tracked northwards. Towards the north, north west and north east we have antenna obstructions in the form of rising terrain, houses and hills, so the overall accuracy is poorer. However, it still tracks within a few degrees most of the time.
Finally the YouTube video below shows the same as the above, but in the second half includes the full screen including the KerberosSDR DoA graphs and SDR# waterfall showing signal strength.
KerberosSDR Tracking a Weather Balloon Radiosonde with Radio Direction Finding
In the future we hope to test with two or more KerberosSDR units producing multiple bearing lines on RDFMapper, hopefully resulting in cross points that can be used to estimate the actual location of the balloon.
Over on his YouTube channel "saveitforparts" has been working on creating a handheld scanner/sensor box on a budget. This is a simple and fun build which is attempting to create something like a real life Star Trek scifi tricorder that you might imagine taking with you to analyze systems on another planet. The box embeds a Raspberry Pi, USB hub, battery pack, RTL-SDR and thermal camera inside. In the video he shows how everything fits into the box and gives a quick demo of the RTL-SDR and thermal camera in action. In the future he plans to add more sensors as well.
Handheld Scanning Device with Raspberry Pi - Part 2
Ars Technica recently ran a story about how University researchers have been able to eavesdrop on LTE mobile phone calls using a USRP B210 software defined radio running the Airscope software. The technique exploits a flaw in how some LTE base stations handle their keystream. A keystream is a stream of pseudorandom data that is XORed with the actual voice data to produce the encrypted data; it must never be used for more than one message.
It turns out that many LTE base stations reuse the same keystream when two calls are made within a single radio connection. An attacker can record an encrypted conversation and then immediately call the victim after that conversation ends. Because the attacker knows the plaintext of their own call, they can XOR it with the recorded ciphertext to recover the keystream, and as that keystream is identical to the one used for the first conversation, the first conversation can now be decrypted.
The ReVoLTE attacks exploit the reuse of the same keystream for two subsequent calls within one radio connection. This weakness is caused by an implementation flaw of the base station (eNodeB). In order to determine how widespread the security gap was, we tested a number of randomly selected radio cells mainly across Germany but also other countries. The security gap affected 12 out of 15 base stations.
The ReVoLTE attack aims to eavesdrop on the call between Alice and Bob. We will name this call the target or first call. To perform the attack, the attacker sniffs the encrypted radio traffic of Alice within the cell of a vulnerable base station. Shortly after the first call ends, the attacker calls Alice and engages her in a conversation. We name this the second call, or keystream call. For this call, the attacker sniffs the encrypted radio traffic of Alice and records the unencrypted sound (known plaintext).
For decrypting the target call, the attacker must now compute the following: First, the attacker xors the known plaintext (recorded at the attacker's phone) with the ciphertext of the keystream call. Thus, the attacker computes the keystream of the keystream call. Due to the vulnerable base station, this keystream is the same as for the target (first) call. In a second step, the attacker decrypts the first call by xoring the keystream with the first call's ciphertext. It is important to note that the attacker has to engage the victim in a longer conversation. The longer he/she talked to the victim, the more content of the previous communication he/she can decrypt. For example, if the attacker and victim spoke for five minutes, the attacker could later decode five minutes of the previous conversation.
The ReVoLTE Attack
Demonstration of the ReVoLTE attack in a commercial LTE network.
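The keystream-reuse weakness described above is the classic "two-time pad" failure of any stream cipher, and it is easiest to understand by running it. The following is an added illustration, not code from the ReVoLTE researchers or from this blog: the cipher is a stand-in (SHA-256 in counter mode) rather than LTE's real EEA algorithms, and the session key and the two "calls" are constructed byte strings. It models both a flawed base station that reuses the keystream for a second call on the same radio connection and a correct one that derives a fresh keystream per call, and shows that the known second call unmasks exactly as many bytes of the first call as it is long, which is why the researchers note that a longer second conversation exposes more of the first.

```python
import hashlib

# Constructed demo material; none of this is real LTE key or call data.
SESSION_KEY = b"constructed-session-key-for-demo"
TARGET_CALL = b"Alice to Bob: the contract signing moves to Friday at nine."
KEYSTREAM_CALL = b"Alice: sorry, who is calling? The line is bad."


def keystream(key: bytes, call_counter: int, length: int) -> bytes:
    """Expand (key, call_counter) into `length` pseudorandom bytes.

    Stand-in for the radio bearer cipher. A correct base station feeds a
    fresh per-call counter into the cipher; the flawed one reuses it, so
    the same key material yields the same keystream twice.
    """
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hashlib.sha256(
            key + call_counter.to_bytes(4, "big") + block.to_bytes(4, "big")
        ).digest()
        block += 1
    return bytes(out[:length])


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt_call(plaintext: bytes, call_counter: int) -> bytes:
    return xor(plaintext, keystream(SESSION_KEY, call_counter, len(plaintext)))


def recover_target_call(target_ct: bytes, keystream_ct: bytes, known_pt: bytes) -> bytes:
    """Combine the two sniffed ciphertexts with the known second-call plaintext.

    ciphertext XOR plaintext gives back the keystream of the second call;
    XORing that into the first call's ciphertext yields its plaintext only if
    the base station reused the keystream. Output is bounded by the length of
    the known plaintext, i.e. by how long the second call lasted.
    """
    n = min(len(known_pt), len(keystream_ct), len(target_ct))
    ks = xor(keystream_ct[:n], known_pt[:n])
    return xor(target_ct[:n], ks)


def simulate(base_station_reuses_keystream: bool):
    """Return (recovered_bytes, matches_target) for a flawed or a correct eNodeB."""
    target_ct = encrypt_call(TARGET_CALL, call_counter=1)
    second_counter = 1 if base_station_reuses_keystream else 2
    keystream_ct = encrypt_call(KEYSTREAM_CALL, call_counter=second_counter)
    recovered = recover_target_call(target_ct, keystream_ct, KEYSTREAM_CALL)
    return recovered, recovered == TARGET_CALL[: len(recovered)]


if __name__ == "__main__":
    for reuse in (True, False):
        rec, ok = simulate(reuse)
        print(f"keystream reused={reuse}: {len(rec)} bytes recovered, "
              f"matches first call={ok}: {rec!r}")
```

With the flawed base station the recovered bytes are the opening of the first call, truncated at the length of the second call; with a per-call counter the same computation yields noise. The fix on the network side is exactly that second branch: the cipher input must change for every call on a radio connection, which is what the ReVoLTE authors report the affected eNodeBs fail to do.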
A few days ago we posted about two SDR related DEFCON talks which were recently released. One of the talks was about detecting fake 4G base stations with a bladeRF SDR and a tool they created called "Crocodile Hunter". It is currently compatible with the bladeRF x40 and USRP B200. The talk summary is posted below as it nicely summarizes what fake 4G base stations are and what Crocodile Hunter can do.
4G based IMSI catchers such as the Hailstorm are becoming more popular with governments and law enforcement around the world, as well as spies, and even criminals. Until now IMSI catcher detection has focused on 2G IMSI catchers such as the Stingray which are quickly falling out of favor.
In this talk we will tell you how 4G IMSI Catchers might work to the best of our knowledge, and what they can and can't do. We demonstrate a brand new software project to detect fake 4G base stations, with open source software and relatively cheap hardware. And finally we will present a comprehensive plan to dramatically limit the capabilities of IMSI catchers (with the long term goal of making them useless once and for all).
The Crocodile Hunter software is apparently a little difficult to install and get running, so Aaron, who runs the DragonOS YouTube tutorial channel, has uploaded a video documenting how to install and configure the software. The tutorial assumes that you are running the latest DragonOS image, which already includes a lot of the prerequisite software, and in his example he uses a USRP B205mini-i SDR.
Over on YouTube TechMinds has posted his latest video which shows an overview of the features available in OpenWebRX, and also how to set it up on a Raspberry Pi. OpenWebRX is software which allows you to access your SDR remotely via the internet or local network through a web browser. All major SDRs are supported including RTL-SDRs. The software includes a waterfall display, all the standard demodulators, as well as several digital decoders for DMR, YSF, NXDN, D-Star, POCSAG, APRS, FT8, FT4, WSPR, JT65 and JT9.
In the video TechMinds first demonstrates OpenWebRX in action, showing reception of HF SSB amateur radio signals, decoding FT8 and plotting received grids on a map, decoding and plotting APRS on a map and decoding YSF/DSTAR/DMR digital voice. After this demonstration he goes on to show how to set up the OpenWebRX server on a Raspberry Pi via the installation image.