Inspectrum is a Linux and OSX based tool that can be used for analysing captured signals. It is compatible with the IQ files generated from SDRs, such as the RTL-SDR or HackRF.
Over on YouTube user Mike has uploaded a video that demos the latest version of Inspectrum. He shows how the tool can be used to quickly browse the waveforms in a captured signal and how it can be used to determine various digital binary signal properties through an overlay that can be dragged to match the bit frequency of the captured signal.
This program looks like it is shaping up to be a very useful tool for those interested in reverse engineering digital signals. The Inspectrum code and installation procedure can be found at https://github.com/miek/inspectrum.
If you were to try to simply spot a GPS signal at 1.575 GHz in the spectrum on a waterfall in a program like SDR# you would probably fail to see anything. This is because GPS signals are very weak, and operate below the thermal noise floor. Only through clever processing algorithms can the actual signal be recovered.
With real data passed through the fast autocorrelation block he is able to observe GPS signal peaks that occur every millisecond. E.p. explains the reason for this:
Why every millisecond? The coarse/acquisition code for GPS (C/A) has a period of 1023 chips which are transmitted at a rate of 1.023 MBit/s. This results in a period of 1 millisecond. BAM!
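To see where the 1 ms spacing comes from, here is an added example (not code from the original post or from e.p.'s GNU Radio flowgraph) that generates the C/A Gold code for one satellite with the two standard 10-stage shift registers and autocorrelates a repeated copy of it. The G2 tap table is the published IS-GPS-200 one, truncated to the first four PRNs for brevity; everything else is constructed here.

```python
CHIP_RATE_HZ = 1.023e6   # C/A chipping rate
CODE_LENGTH = 1023       # chips per code period (1 ms at the rate above)

# G2 output taps (1-based register stages) for PRN 1..4, from IS-GPS-200.
G2_TAPS = {1: (2, 6), 2: (3, 7), 3: (4, 8), 4: (5, 9)}

def ca_code(prn):
    """Return the 1023-chip C/A code for `prn` as a list of 0/1 chips."""
    t1, t2 = G2_TAPS[prn]
    g1, g2 = [1] * 10, [1] * 10              # both registers start all-ones
    chips = []
    for _ in range(CODE_LENGTH):
        chips.append(g1[9] ^ g2[t1 - 1] ^ g2[t2 - 1])
        fb1 = g1[2] ^ g1[9]                                  # G1: 1+x^3+x^10
        fb2 = g2[1] ^ g2[2] ^ g2[5] ^ g2[7] ^ g2[8] ^ g2[9]  # G2: 1+x^2+x^3+x^6+x^8+x^9+x^10
        g1, g2 = [fb1] + g1[:9], [fb2] + g2[:9]
    return chips

def first_chips_octal(prn, n=10):
    """First `n` chips as an octal string; the published value for PRN 1 is 1440."""
    bits = "".join(str(c) for c in ca_code(prn)[:n])
    return oct(int(bits, 2))[2:]

def bipolar(chips):
    return [1 if c else -1 for c in chips]

def max_sidelobe(prn):
    """Largest |circular autocorrelation| at any non-zero lag (Gold code bound: 65)."""
    s = bipolar(ca_code(prn))
    doubled = s + s
    return max(abs(sum(a * b for a, b in zip(s, doubled[lag:lag + CODE_LENGTH])))
               for lag in range(1, CODE_LENGTH))

def autocorr_peaks(prn, periods=2, max_lag=1300, threshold=0.9):
    """Lags at which the overlap-normalised linear autocorrelation of `periods`
    repeated code periods exceeds `threshold`: the code lines up with itself
    only at multiples of 1023 chips."""
    s = bipolar(ca_code(prn)) * periods
    peaks = []
    for lag in range(max_lag + 1):
        overlap = len(s) - lag
        if sum(a * b for a, b in zip(s, s[lag:])) / overlap > threshold:
            peaks.append(lag)
    return peaks

def lag_to_ms(lag):
    """Convert a lag in chips to milliseconds at the C/A chip rate."""
    return lag / CHIP_RATE_HZ * 1e3

if __name__ == "__main__":
    print(first_chips_octal(1), max_sidelobe(1), autocorr_peaks(1), lag_to_ms(1023))
```

The peak list comes out as [0, 1023], and 1023 chips at 1.023 Mchip/s is exactly 1.0 ms, which is the spacing seen in the autocorrelation output. The sidelobes stay at or below 65/1023, which is why the peaks remain visible even though each individual chip is buried in noise.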
Luke uses his own Trunk Recorder software and writes that he has modified it to support multiple SDRs. His software has the following description:
Trunk Recorder is able to record the calls on a trunked radio system. It uses 1 or more Software Defined Radios (SDRs) to do so. The SDRs capture large swaths of RF and then use software to process what was received. GNURadio is used to do this processing and provides lots of convenient RF blocks that can be pieced together to do complex RF processing. Right now it can only record one Trunked System at a time.
Trunk Recorder currently supports the following:
P25 & SmartNet Trunking Systems
SDRs that use the OsmoSDR source (HackRF, RTL TV dongles, BladeRF, and more)
Ettus USRP
P25 Phase 1 & Analog voice
Luke also mentions that using three RTL-SDRs like this seems to be more efficient on the CPU than using a single SDR that has 8 MHz of bandwidth, due to the amount of downsampling that needs to be done on larger bandwidth SDRs.
When I was using a single SDR, each Recorder had to take in the full 8 MHz and pull out the small 12.5 kHz that was interesting. The end result is that I could only record about 3 channels at once before the CPU got overloaded. Since that control channel was going at the same time, that was the equivalent of about 32 MHz of bandwidth to process.
With the RTL-SDR, each Recorder only has to look at 2 MHz, which puts a lot lighter load on the CPU. Roughly speaking, having 3 Recorders active, plus the control channel would mean that only a total of 8 MHz was being processed. As you can see, this means that it scales much more efficiently.
Using three RTL-SDRs to monitor a 6 MHz trunking system.
Look up the device frequency and listen to it with an RTL-SDR and SDR#.
Record the signal and visually study the waveform in Audacity.
Look up system part info and determine encoding type (e.g. ASK/OOK)
Determine the bit string and baud rate.
Program the RFcat to send the same disarm binary string.
Once again research like this shows that cheap home alarm systems have literally zero protections against wireless attacks. In a previous post we also showed how the popular Simplisafe wireless alarm system could be disarmed in a somewhat similar way.
$50 home alarm system broken by an RTL-SDR and RFcat.
AIS Share is an app for Android that allows you to turn an Android device into an AIS receiver by using an RTL-SDR. AIS stands for Automatic Identification System and is used by ships to broadcast their GPS locations, to help avoid collisions and aid with rescues. An RTL-SDR with the right software can be used to receive and decode these signals, and plot ship positions on a map.
AIS Share is a dual channel decoder that outputs decoded NMEA messages via UDP, so that plotting software like OpenCPN can be used to display the ships on a map. AIS Share previously existed in another form known as rtl_ais_android, which we posted about before, but this version of AIS Share is a newly updated and improved version that now includes a very nice GUI. The app costs about $2 and is available on the Google Play store, but there is a demo available that will work up until 1000 messages are received. You will need an RTL-SDR and a USB OTG cable to run the app.
In the future the author writes that he’d like to update the app to support things like the ability to change more dongle settings like bandwidth/sample rate and add the possibility of using the internal phone/tablet GPS. He is also open to any community suggestions.
AIS Share Receiver on the sailboat in a waterproof case.
The back of the Android Tablet, showing the RTL-SDR and the antenna connection.
The AIS Share main screen GUI.
https://www.youtube.com/watch?v=ApGk8P82THs (Unfortunately the video has been removed)
The ESP8266 is a $7 WiFi module that can be used to give any microcontroller access to a WiFi network. It is designed for creating Internet of Things (IoT) devices and has various features such as its ability to host its own web applications. The ESP8266 also has an I2S output with DMA support. By hooking up this I2S output pin to a short wire, YouTuber CNLohr has demonstrated that he is able to use the ESP to broadcast full color NTSC TV. This works in a similar way to how PiTX works, by using the pin to modulate a radio signal. CNLohr's code not only broadcasts color NTSC, but also provides a full web interface for controlling it.
In the first video CNLohr shows off his initial work at getting the NTSC output working and in the second video he shows color working. Later in the second video he also uses an RTL-SDR to check on the NTSC spectrum that is being output.
A while back we posted about Samy Kamkar's popular "RollJam" device, which was a $32 home made device that was able to defeat rolling code based wireless security systems such as those used on modern cars.
Wireless security researcher Andrew Macpherson became interested in RollJam and has now written up a post showing how to create a similar device using the YardStickOne and RFcat wireless tools. In his post Andrew shows how he automates the replay attack side of things using a Python script and two RFcat devices. He also fully explains how rolling codes work and how to attack them using the CodeGrabbing/RollJam technique. Andrew explains the RollJam technique as follows:
Target parks their car, gets out the car
Attacker launches a jammer that prevents the car from receiving the code from the remote
Target presses the remote, car does NOT lock and the attacker obtains the first keypress
Target presses the remote a second time and the attacker obtains the second keypress
Attacker then sends the first key press to lock the car, car locks as per normal
Target assumes all is well and carries on about their day
Attacker then sends the second keypress to the car, unlocking it
Profit.
Target returns to the vehicle and remote works as per normal
In the video below Andrew uses an SDR to help demonstrate the RollJam attack.
6. jam and replay rolling code rolljam codegrabbing
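To make the rolling-code behaviour behind the sequence above concrete, here is an added model (not code from Andrew Macpherson's post or the RollJam project) of the counter-window check that such receivers perform, run through the quoted steps. The window size and counter values are assumed; the model shows only which frames the receiver accepts, not any radio handling.

```python
WINDOW = 16   # how far ahead of the last accepted counter the receiver will resync

class Receiver:
    """Car side: a code is accepted only if its counter is ahead of the last
    accepted one by at most WINDOW. A counter already acted on is rejected."""
    def __init__(self):
        self.last_counter = 0
        self.accepted = []                # counters acted upon, in order

    def hear(self, counter, jammed=False):
        if jammed:                        # jammer on: the frame is never decoded
            return "not received"
        if self.last_counter < counter <= self.last_counter + WINDOW:
            self.last_counter = counter
            self.accepted.append(counter)
            return "accepted"
        return "rejected"

class Remote:
    """Key fob: every press transmits the next counter value."""
    def __init__(self):
        self.counter = 0

    def press(self):
        self.counter += 1
        return self.counter

def plain_replay():
    """Why rolling codes exist at all: a frame the car has already acted on is useless."""
    car, fob = Receiver(), Remote()
    code = fob.press()
    return car.hear(code), car.hear(code)        # ('accepted', 'rejected')

def rolljam_sequence():
    """The quoted steps in order, returning what the car did at each one."""
    car, fob = Receiver(), Remote()
    code_a = fob.press()                         # press 1, jammed: car never sees it
    r1 = car.hear(code_a, jammed=True)
    code_b = fob.press()                         # press 2, jammed as well
    r2 = car.hear(code_b, jammed=True)
    r3 = car.hear(code_a)                        # code A forwarded: car locks as normal
    r4 = car.hear(code_b)                        # code B later: never seen, inside the
                                                 # window, so the car accepts it
    r5 = car.hear(fob.press())                   # owner's next press resyncs normally
    r6 = car.hear(code_b)                        # B a second time is now rejected
    return [r1, r2, r3, r4, r5, r6]
```

The point for a defender is that the scheme only checks that a counter is new, never that it is recent: a captured but undelivered code stays valid until the receiver has seen a later one.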
DSD+ (Digital Speech Decoder+) is a popular Windows tool that can be used together with an RTL-SDR to decode digital speech signals such as P25 and DMR. There is unfortunately no version for OSX.
However, recently on YouTube user Matthew Miller has uploaded a video showing DSD+ running with CubicSDR on OSX. To do this he used a utility called "Wine Skin" which creates a wrapper that allows Windows software to run on a Mac computer running OSX. This means that DSD+ can be run directly on OSX without the need to use a virtual machine with Windows installed on it.