Category: Digital Signals

Gypsum: A Software-Defined GPS Receiver written in Python + A Writeup on How it Was Made

Thank you to RTL-SDR.COM reader Lee. who found a recently released program called "gypsum" which enables an RTL-SDR or HackRF to be used as a GPS Receiver when combined with a GPS antenna. Phillip Tennen, the author of Gypsum notes that Gypsum can obtain a fix within 60 seconds from a cold start and that it has no dependencies apart from numpy. We want to note that it appears that Gpysum has no live decoding ability yet, as it works from pre-recorded GNU Radio IQ files.

In the past, we've shown in a tutorial how GPS can be received and decoded with GNSS-SDRLIB and RTKLIB on Windows. The new Gypsum software should work on Linux and MacOS too.

What's more, Phillip has written an incredible 4-part writeup on how Gypsum was implemented from scratch. In the write-up, Phillip introduces GPS and explains how it can even work with such weak signals that appear below the thermal noise floor. He then goes on to explain how the detected signal is decoded and turned into positional information, and how challenging it was to propagate the accurate timing information that calculating a solution requires. The write-up is presented with clear visualizations to help readers intuitively gain an understanding of the advanced concepts involved.

Gypsum GPS Satellite Tracking Dashboard GUI
Gypsum GPS Satellite Tracking Dashboard GUI

Using a LimeNET Micro to Implement an Amateur Radio DMR Tier III Trunked Radio Base Station

Thank you to Adrian Musceac (author of QRadioLink) for submitting his article about how he implemented an amateur radio DMR Tier III Trunked Radio Base Station with a LimeNet-Micro software-defined radio. DMR Tier III is a digital voice trunked radio system that employs Time Division Multiple Access (TDMA) technology. Tier III is largely based on Tier II, but adds trunking abilities which enable efficient channel access and resource allocation.

The LimeNET Micro is a software defined radio based on the LimeSDR, but it has some upgraded specifications such as an embedded Raspberry Pi Compute Module 3+ that make it easier to deploy as a base station.

Adrian writes:

The Tier III extension (trunked radio) to the DMR standard is defined and specified by the European Telecommunications Standards Insititute (ETSI) in the TS 102 361-4 document.

The project uses LimeNet-Micro, LimeSDR-mini or Ettus USRP hardware to set up  such a base station for experimental and amateur radio digital voice communications purposes. The core components of this project are MMDVM, MMDVMHost (both under the form of forks supporting communication via ZeroMQ and pseudo-TTY), GNU Radio, DMRGateway, QRadioLink and the DMR trunked radio controller GUI.

Since DMR trunked radio is not very well known and used in the amateur radio world, I hope this will bring some new information to amateurs interested in these digital voice communication technologies. All code used is available as free and open source software (FOSS). A demo of the project used with real world amateur radio communications can be found on the page.

DMR Tier III system software architecture
DMR Tier III system software architecture

RTL433 Plugin for SDRSharp Updated

Back in 2021 we posted about a SDR# plugin that allowed you to interface with rtl_433 from within SDR#. RTL433 (rtl_433) is a commonly used RTL-SDR command line program that provides decoders for a wide range of 433.92 MHz, 868 MHz, 315 MHz, 345 MHz, and 915 MHz ISM band devices. Examples of such devices include weather stations, alarm sensors, utility monitors, tire pressure monitors and more.

Recently there have been a few updates to the plugin after a years hiatus which probably meant that the older version was not compatible with newer versions of SDR#. But there are also several bugfixes and minor changes made to the plugin too which can be read about on the GitHub Readme.

To download the plugin we recommend clicking on the green <>Code button on the GitHub page and choosing Download Zip. You can then browse to the install/ folder. Copy the three .dll files into the Plugins folder in your SDR# directory. Then open SDR#, go to the main hamburger menu -> plugins -> RTL_433.

RTL433 Plugin for SDR# Updated
RTL433 Plugin for SDR# Updated

A Low Cost P25 Police Scanner with RTL-SDR, Raspberry Pi 5 and SDRTrunk

Thank you to Mike for writing in and sharing with us his video detailing how he makes use of a Raspberry Pi 5, touch LCD Screen and RTL-SDR to create a portable and low cost P25 police scanner. Mike notes that the cost of his system is $250, which is a lot cheaper than a comparable $600 P25 scanner. 

Here is my latest weekend project; a Raspberry Pi 5 with an RTL-SDR dongle running SDRTrunk software. It is configured to listen to the local LAPD channels and runs great! The chip gets a bit hot so I think I need to add a fan.

Building a $600 P25 Police Scanner for $250!!! (SDR-Pi)

Creating a Multicarrier Base Station Transceiver For DMR, YSF, M17 and more with MMDVM and LimeSDR

Thank you to Adrian, creator of the QRadioLink software for writing in and sharing with us his post about how he uses a LimeSDR as an Multi Mode Digital Voice Modem (MMDVM) for various modes including DMR, YSF and M17. 

A MMDVM is usually a computing device running multiple radios, each of which is used for a separate channel with it's own filters and power amplifier hardware. Each channel can run a separate protocol if desired. 

However in order to save on radio hardware, Adrian wanted to use his LimeSDR as the radio hardware in his MMDVM system. The LimeSDR is a transceiver which has enough bandwidth to implement several channels just by itself. To do this Adrian uses his MMDVM-SDR software.

His implementation runs multiple instances of MMDVM-SDR, one instance for each channel. Then a GNU Radio flowgraph with LimeSDR block connects to each of these instances, transferring data between GNU Radio and MMDVM-SDR via ZeroMQ or TCP sockets. The bulk of Adrian's post explains the architecture in detail. Adrian writes:

The setup can transmit 7 digital carriers in 200 kHz occupied spectrum, and each radio channel can be assigned to a different mode or digital voice network as configured in MMDVMHost.

This is based on the work of Jonathan Naylor G4KLX and Rakesh Peter (r4d10n).

Adrian also notes that this is still a work in progress and there are still several limitations including high latency and issues with filtering, overload and poor channel rejection. 

Multi-Channel MMVDM LimeSDR Architecture Overview

DragonOS: Decoding Train Telemetry with SoftEOT and RTL-SDR

Over on his YouTube channel Aaron who created and maintains the DragonOS SDR Linux distribution, has uploaded a video demonstrating how to use an RTL-SDR and SoftEOT/PyEOT to decode North American wireless train telemetry.

HOT (Head of Train), EOT (End of Train) and DPU (Distributed Power Unit) telemetry is sent from various parts of a train and contains information about things like voltages, brake line pressure and to monitor for accidental separation of the train.

In his video Aaron uses his DragonOS Linux distribution, SDR++ with an RTL-SDR Blog V4 dongle and the SoftEOT and SoftDPU decoders. SoftEOT and SoftDPU are both Windows programs, however Aaron shows how to use WINE to run them in Windows. Later he shows how to use an alterative decoder called PyEOT which is based on GNU Radio.

DragonOS FocalX Decoding Train Telemetry w/ SoftEOT/PyEOT (RTLSDR V4, WINE AppImage, GR 3.10)

Encryption on the TETRA Protocol has been broken

TETRA (Terrestrial Trunked Radio) is a digital voice and text radio communications protocol often used by authorities and industry in European and many countries other than the USA. A major advantage to a digital communications protocol like TETRA is it's ability to be secured via encryption.

Recently the security researchers at Midnight Blue in the Netherlands have discovered a collection of five vulnerabilities collectively called "TETRA:BURST" and most of the five vulnerabilities apply to almost every TETRA network in the world. These two most critical vulnerabilities allow TETRA to be easily decrypted or attacked by consumer hardware.

The first critical vulnerability is designated CVE-2022-24401 is described as decryption oracle attack.

The Air Interface Encryption (AIE) keystream generator relies on the network time, which is publicly broadcast in an unauthenticated manner. This allows for decryption oracle attacks.

The second vulnerability CVE-2022-24402 notes that a backdoor has been built into TEA1 encrypted TETRA, which allows for a very easy brute force decryption.

The TEA1 algorithm has a backdoor that reduces the original 80-bit key to a key size which is trivially brute-forceable on consumer hardware in minutes.

Midnight Blue are due to release more technical details about the vulnerabilities on August 9 during the BlackHat security conference. Due to the sensitivity of the findings, the team have also held back on their findings for over 1.5 years, notifying as many affected parties as possible, and releasing recommended mitigations. It's unclear at the moment how many TETRA providers have implemented mitigations already.

For more detail about the possible implications the team write:

The issues of most immediate concern, especially to law enforcement and military users, are the decryption oracle and malleability attacks (CVE-2022-24401 and CVE-2022-24404) which allow for interception and malicious message injection against all non-E2EE protected traffic regardless of which TEA cipher is used. This could allow high-end adversaries to intercept or manipulate law enforcement and military radio communications.

The second issue of immediate concern, especially for critical infrastructure operators who do not use national emergency services TETRA networks, is the TEA1 backdoor (CVE-2022-24402) which constitutes a full break of the cipher, allowing for interception or manipulation of radio traffic. By exploiting this issue, attackers can not only intercept radio communications of private security services at harbors, airports, and railways but can also inject data traffic used for monitoring and control of industrial equipment. As an example, electrical substations can wrap telecontrol protocols in encrypted TETRA to have SCADA systems communicate with Remote Terminal Units (RTUs) over a Wide-area Network (WAN). Decrypting this traffic and injecting malicious traffic allows an attacker to potentially perform dangerous actions such as opening circuit breakers in electrical substations or manipulate railway signalling messages.

The deanonymization issue (CVE-2022-24403) is primarily relevant in a counter-intelligence context, where it enables low-cost monitoring of TETRA users and their movements in order to allow a state or criminal adversary to avoid covert observation or serve as an early warning of impending intervention by special forces.

Finally, the DCK pinning attack (CVE-2022-24400) does not allow for a full MitM attack but does allow for uplink interception as well as access to post-authentication protocol functionality.

Below is a demonstration of the TEA1 CVE-2022-24402 attack on TETRA, and if you are interested the Midnight Blue YouTube channel also contains a video demonstration for the CVE-2022-24401 decryption oracle attack.

Demo: TETRA TEA1 backdoor vulnerability (CVE-2022-24402)

Currently, it is possible to decode unencrypted TETRA using an RTL-SDR with software like TETRA-Kit, SDR# TETRA Plugin, WinTelive, and Telive. In the video the research team appear to use Telive as part of their work.

We also note that in the past we've run several stories about Dejan Ornig, a Slovenian researcher who was almost jailed because of his research into TETRA. Dejan's research was much simpler, as he simply discovered that many Police radios in his country had authentication turned off, when it should have been on.

TETRA Decoding (with telive on Linux)
TETRA Decoding (with telive on Linux)

Video showing Flipper Zero Smoking a Smart Meter may be Fake

A few days ago we posted a YouTube video by Peter Fairlie which shows him using a Flipper Zero to turn a smart meter on and off, eventually causing the smart meter to destroy itself by releasing the magic smoke.

The video has rightly gone viral as this could have serious implications for the security of the residential electricity infrastructure in America. However there has however been some skepticism from smart meter hacking expert "Hash", and over on his YouTube channel RECESSIM he has talked about his suspicions in his latest Reverse Engineering News episode.

In Peters video the description reads "Flipper Zero's attack on a new meter location results in the sudden destruction of the Smart Meter. Something clearly overloaded and caused the meter to self destruct. This might have been caused by switching the meter off and on under a heavy load.", and so it appears he is talking about Flipper Zero directly controlling a smart meter service disconnect feature wirelessly via some sort of RF interface.

However, Hash is an expert in hacking smart meters having done many experiments and videos on his channel about the topic. He raises suspicion on this video with the biggest point being that the Ameren meter brand and model number featured in the video actually does not have any ability to be switched on and off wirelessly. Hash instead believes that the smart meter may instead be connected to a custom wireless relay system created by Peter which is not shown in the video.

Secondly, Hash was able to track down Peters address via GPS coordinates Peter accidentally released in another video. This shows him in Ontario, Canada, outside of the Ameren meter service area, which is for Illinois and Missouri only. Hash speculates that the Ameren meter was purchased on eBay for his experiments.

So while the meter breaking and smoking may be real, other Ameren meters should be safe as the only reason it was able to be controlled wirelessly and insecurely was due to it being connected to a custom wireless relay system. 

It's not clear if Peter set out to purposely mislead to gain notoriety, or if its simply an experiment that he did not explain very well. Peters YouTube channel is full of other legitimate looking Flipper Zero and RF hacking videos so it's possible that it's just a case of Peter not explaining the full experiment that he was doing correctly.

(In the video below Hash talks about the Flipper Zero Meter story at timestamp 4:31)

Flipper Zero Kills Smart Meter?? - Reverse Engineering News - June 13th 2023