Category: Digital Signals

Creating a Multicarrier Base Station Transceiver For DMR, YSF, M17 and more with MMDVM and LimeSDR

Thank you to Adrian, creator of the QRadioLink software for writing in and sharing with us his post about how he uses a LimeSDR as an Multi Mode Digital Voice Modem (MMDVM) for various modes including DMR, YSF and M17. 

A MMDVM is usually a computing device running multiple radios, each of which is used for a separate channel with it's own filters and power amplifier hardware. Each channel can run a separate protocol if desired. 

However in order to save on radio hardware, Adrian wanted to use his LimeSDR as the radio hardware in his MMDVM system. The LimeSDR is a transceiver which has enough bandwidth to implement several channels just by itself. To do this Adrian uses his MMDVM-SDR software.

His implementation runs multiple instances of MMDVM-SDR, one instance for each channel. Then a GNU Radio flowgraph with LimeSDR block connects to each of these instances, transferring data between GNU Radio and MMDVM-SDR via ZeroMQ or TCP sockets. The bulk of Adrian's post explains the architecture in detail. Adrian writes:

The setup can transmit 7 digital carriers in 200 kHz occupied spectrum, and each radio channel can be assigned to a different mode or digital voice network as configured in MMDVMHost.

This is based on the work of Jonathan Naylor G4KLX and Rakesh Peter (r4d10n).

Adrian also notes that this is still a work in progress and there are still several limitations including high latency and issues with filtering, overload and poor channel rejection. 

Multi-Channel MMVDM LimeSDR Architecture Overview

DragonOS: Decoding Train Telemetry with SoftEOT and RTL-SDR

Over on his YouTube channel Aaron who created and maintains the DragonOS SDR Linux distribution, has uploaded a video demonstrating how to use an RTL-SDR and SoftEOT/PyEOT to decode North American wireless train telemetry.

HOT (Head of Train), EOT (End of Train) and DPU (Distributed Power Unit) telemetry is sent from various parts of a train and contains information about things like voltages, brake line pressure and to monitor for accidental separation of the train.

In his video Aaron uses his DragonOS Linux distribution, SDR++ with an RTL-SDR Blog V4 dongle and the SoftEOT and SoftDPU decoders. SoftEOT and SoftDPU are both Windows programs, however Aaron shows how to use WINE to run them in Windows. Later he shows how to use an alterative decoder called PyEOT which is based on GNU Radio.

DragonOS FocalX Decoding Train Telemetry w/ SoftEOT/PyEOT (RTLSDR V4, WINE AppImage, GR 3.10)

Encryption on the TETRA Protocol has been broken

TETRA (Terrestrial Trunked Radio) is a digital voice and text radio communications protocol often used by authorities and industry in European and many countries other than the USA. A major advantage to a digital communications protocol like TETRA is it's ability to be secured via encryption.

Recently the security researchers at Midnight Blue in the Netherlands have discovered a collection of five vulnerabilities collectively called "TETRA:BURST" and most of the five vulnerabilities apply to almost every TETRA network in the world. These two most critical vulnerabilities allow TETRA to be easily decrypted or attacked by consumer hardware.

The first critical vulnerability is designated CVE-2022-24401 is described as decryption oracle attack.

The Air Interface Encryption (AIE) keystream generator relies on the network time, which is publicly broadcast in an unauthenticated manner. This allows for decryption oracle attacks.

The second vulnerability CVE-2022-24402 notes that a backdoor has been built into TEA1 encrypted TETRA, which allows for a very easy brute force decryption.

The TEA1 algorithm has a backdoor that reduces the original 80-bit key to a key size which is trivially brute-forceable on consumer hardware in minutes.

Midnight Blue are due to release more technical details about the vulnerabilities on August 9 during the BlackHat security conference. Due to the sensitivity of the findings, the team have also held back on their findings for over 1.5 years, notifying as many affected parties as possible, and releasing recommended mitigations. It's unclear at the moment how many TETRA providers have implemented mitigations already.

For more detail about the possible implications the team write:

The issues of most immediate concern, especially to law enforcement and military users, are the decryption oracle and malleability attacks (CVE-2022-24401 and CVE-2022-24404) which allow for interception and malicious message injection against all non-E2EE protected traffic regardless of which TEA cipher is used. This could allow high-end adversaries to intercept or manipulate law enforcement and military radio communications.

The second issue of immediate concern, especially for critical infrastructure operators who do not use national emergency services TETRA networks, is the TEA1 backdoor (CVE-2022-24402) which constitutes a full break of the cipher, allowing for interception or manipulation of radio traffic. By exploiting this issue, attackers can not only intercept radio communications of private security services at harbors, airports, and railways but can also inject data traffic used for monitoring and control of industrial equipment. As an example, electrical substations can wrap telecontrol protocols in encrypted TETRA to have SCADA systems communicate with Remote Terminal Units (RTUs) over a Wide-area Network (WAN). Decrypting this traffic and injecting malicious traffic allows an attacker to potentially perform dangerous actions such as opening circuit breakers in electrical substations or manipulate railway signalling messages.

The deanonymization issue (CVE-2022-24403) is primarily relevant in a counter-intelligence context, where it enables low-cost monitoring of TETRA users and their movements in order to allow a state or criminal adversary to avoid covert observation or serve as an early warning of impending intervention by special forces.

Finally, the DCK pinning attack (CVE-2022-24400) does not allow for a full MitM attack but does allow for uplink interception as well as access to post-authentication protocol functionality.

Below is a demonstration of the TEA1 CVE-2022-24402 attack on TETRA, and if you are interested the Midnight Blue YouTube channel also contains a video demonstration for the CVE-2022-24401 decryption oracle attack.

Demo: TETRA TEA1 backdoor vulnerability (CVE-2022-24402)

Currently, it is possible to decode unencrypted TETRA using an RTL-SDR with software like TETRA-Kit, SDR# TETRA Plugin, WinTelive, and Telive. In the video the research team appear to use Telive as part of their work.

We also note that in the past we've run several stories about Dejan Ornig, a Slovenian researcher who was almost jailed because of his research into TETRA. Dejan's research was much simpler, as he simply discovered that many Police radios in his country had authentication turned off, when it should have been on.

TETRA Decoding (with telive on Linux)
TETRA Decoding (with telive on Linux)

Video showing Flipper Zero Smoking a Smart Meter may be Fake

A few days ago we posted a YouTube video by Peter Fairlie which shows him using a Flipper Zero to turn a smart meter on and off, eventually causing the smart meter to destroy itself by releasing the magic smoke.

The video has rightly gone viral as this could have serious implications for the security of the residential electricity infrastructure in America. However there has however been some skepticism from smart meter hacking expert "Hash", and over on his YouTube channel RECESSIM he has talked about his suspicions in his latest Reverse Engineering News episode.

In Peters video the description reads "Flipper Zero's attack on a new meter location results in the sudden destruction of the Smart Meter. Something clearly overloaded and caused the meter to self destruct. This might have been caused by switching the meter off and on under a heavy load.", and so it appears he is talking about Flipper Zero directly controlling a smart meter service disconnect feature wirelessly via some sort of RF interface.

However, Hash is an expert in hacking smart meters having done many experiments and videos on his channel about the topic. He raises suspicion on this video with the biggest point being that the Ameren meter brand and model number featured in the video actually does not have any ability to be switched on and off wirelessly. Hash instead believes that the smart meter may instead be connected to a custom wireless relay system created by Peter which is not shown in the video.

Secondly, Hash was able to track down Peters address via GPS coordinates Peter accidentally released in another video. This shows him in Ontario, Canada, outside of the Ameren meter service area, which is for Illinois and Missouri only. Hash speculates that the Ameren meter was purchased on eBay for his experiments.

So while the meter breaking and smoking may be real, other Ameren meters should be safe as the only reason it was able to be controlled wirelessly and insecurely was due to it being connected to a custom wireless relay system. 

It's not clear if Peter set out to purposely mislead to gain notoriety, or if its simply an experiment that he did not explain very well. Peters YouTube channel is full of other legitimate looking Flipper Zero and RF hacking videos so it's possible that it's just a case of Peter not explaining the full experiment that he was doing correctly.

(In the video below Hash talks about the Flipper Zero Meter story at timestamp 4:31)

Flipper Zero Kills Smart Meter?? - Reverse Engineering News - June 13th 2023

Flipper Zero Self Destructs an Electricity Smart Meter

Flipper Zero is an affordable handheld RF device for pentesters and hackers. It is not based on SDR technology, however it uses a CC1101 chip, a digitally controlled RX/TX radio that is capable of demodulating and modulating many common digital modulations such as OOK/ASK/FSK/GFSK/MSK at frequencies below 1 GHz. 

We've posted about the Flipper Zero a few times before on this blog, especially given that it is now a famously known device, having found popularity on TikTok and having been reviewed by famous Tech YouTubers like Linus Tech Tips

Recently a video on YouTube by Peter Fairlie has shown the destructive power of the Flipper Zero. In the video it appears that Peter was using the Flipper Zero to wirelessly turn the power meter on and off, which also controlled the power to a large AC unit. Eventually switching the meter on and off while under a heavy load resulted in the meter self destructing and releasing the magic smoke.

Reverse Engineering a Wirelessly Controlled Adjustable Bed with a HackRF and Logic Analyzer

Over on his blog Chris Laplante has written up a post showing how he was able to reverse engineer his wirelessly controlled adjustable "TEMPUR-Contour Elite Breeze" bed. Originally the bed did have an Android App for smartphone control, however it was never updated since 2014 and so it no longer works on his modern Google Pixel device. So in order to have it controllable by his home automation system Chris decided to reverse engineer the wireless signal used by the bed's remote control. 

He first searched the FCC filing, finding that it transmitted in the ISM band at 433.050 to 434.790 MHz. Then using his HackRF he was able to capture the signal and determine that it used Gaussian frequency shift keying (GFSK) modulation.

The GFSK signal from the Tempur Pedic wireless remote control.

While the HackRF got him this far, he decided to follow a new line of investigation next, instead now using a logic analyzer to probe the SPI bus which talks to an Si4431 RF transceiver on the remote control. From this he was able to determine the important properties of the signal such as the frequency, data rate, frequency deviation, channel mapping and packet structure.

With all this information Chris was in the end able to create a product called "Tempur Bridge" that he is now selling on Tindie. It consists of an ESP32 WiFi connected microcontroller and a Si4463 RF transceiver chip. With his product Chris is now able to control his bed through a WiFi connection in Home Assistant.

Chris's TemperBridge product for WiFi control of a Tempur Pedic adjustable bed.

[This story was also seen on Hackaday]

Maverick-603 Project Suspended Indefinitely

Back in December 2022 we posted about the Maverick-603 which was at that stage Crowd Funding on Crowd Supply.

It was to be a US$149 FT8 receiver based on an open source RF chip design, capable of acquiring signals between 7 MHz and 70 MHz (technically 1 MHz to 100 MHz). Shipments were expected to begin in April 2023.

Unfortunately the Maverick team just released today that the project will be suspended indefinitely due to logistical issues. Backers of the project will receive a full refund.

The Maverick-603 project has been indefinitely suspended due to unforeseen logistical obstacles. No funds have yet been spent and all backers will receive full refunds. If you backed this project, your refund will be issued within the next week to the credit card you originally used. If your credit card is no longer valid, please contact Crowd Supply support before midnight UTC on Friday, April 28, 2023 to arrange your refund. If the Maverick-603 project is revived, we will post another update. Thank you for your support and patience.

The Maverick-603 FT8 Receiver
The Maverick-603 FT8 Receiver

Receiving TPMS Tire Pressure Data from a Mazda CX 5 with an RTL-SDR

Over on YouTube Robert from the Robert Research Radios channel has uplaoded a video showing how he has been using an RTL-SDR and rtl_433 to measure his Mazda CX5's wireless tire pressure sensors. The Mazda CX5 comes with TPMS tire pressure sensors in each tire, however when there is a low pressure warning, it does not actually tell you which tire in particular is low.

Robert used his RTL-SDR, rtl_433 and a custom script to read the wireless TPMS data coming from his tires and then matched the ID from each reading to the correct tire.

To go along with the video, Robert has uploaded a blog post explaining his setup and script.