Category: LimeSDR

Fissure: An Open Source RF Reverse Engineering Framework

FISSURE (Frequency Independent SDR-Based Signal Understanding and Reverse Engineering) is a recently released open source framework that runs on Linux, and includes a whole suite of previously existing software that is useful for analyzing and reverse engineering RF signals. On top of that it includes a custom GUI with a bunch of custom software that ties everything together in a full reverse engineering process.

Recently the developers spoke at this year's Defcon conference, and the talk video is supplied at the end of this post. In their talk they explain the purpose of FISSURE, before going on to demonstrate it being used to reverse engineer a wireless X10 doorbell. FISSURE makes analyzing the signal easy, starting with spectrum analysis to find the signal, then signal recording, signal cropping, signal replay, crafting packets and crafting attacks.

News and developments about FISSURE can also be seen on their Twitter.

FISSURE is an open-source RF and reverse engineering framework designed for all skill levels with hooks for signal detection and classification, protocol discovery, attack execution, IQ manipulation, vulnerability analysis, automation, and AI/ML. The framework was built to promote the rapid integration of software modules, radios, protocols, signal data, scripts, flow graphs, reference material, and third-party tools. FISSURE is a workflow enabler that keeps software in one location and allows teams to effortlessly get up to speed while sharing the same proven baseline configuration for specific Linux distributions.

The framework and tools included with FISSURE are designed to detect the presence of RF energy, understand the characteristics of a signal, collect and analyze samples, develop transmit and/or injection techniques, and craft custom payloads or messages. FISSURE contains a growing library of protocol and signal information to assist in identification, packet crafting, and fuzzing. Online archive capabilities exist to download signal files and build playlists to simulate traffic and test systems.

The friendly Python codebase and user interface allows beginners to quickly learn about popular tools and techniques involving RF and reverse engineering. Educators in cybersecurity and engineering can take advantage of the built-in material or utilize the framework to demonstrate their own real-world applications. Developers and researchers can use FISSURE for their daily tasks or to expose their cutting-edge solutions to a wider audience. As awareness and usage of FISSURE grows in the community, so will the extent of its capabilities and the breadth of the technology it encompasses.

FISSURE RF Framework - Griffiss Institute & AIS Monthly Lecture + Education Series

LimeSDR 2.0 Mini Now Crowdfunding, Standard LimeSDR Discontinued

Back in March we posted about the LimeSDR Mini 1.0 becoming end of life due to component shortages, and that a slightly upgraded LimeSDR Mini 2.0 was being planned. The LimeSDR Mini 2.0 has just been released for preorder over on the CrowdSupply crowdfunding website with a price of US$399 + shipping. The first 1000 units are expected to be ready within 14 weeks, with subsequent batches out at 32 weeks.

The new pricing is at quite a premium over the original LimeSDR Mini, which released in 2017 for US$139, and the standard LimeSDR, which released in 2016 for US$249. However, we of course must take into account the extreme inflation of electronic parts pricing that has occurred over the past few years.

Lime Micro have also noted that the standard LimeSDR has now been discontinued due to the same supply shortages. The standard LimeSDR had 2x2 RX/TX channels and was capable of a bandwidth of up to 61.44 MHz. In comparison, both versions of the LimeSDR Mini are a 1x1 channel product with 40 MHz of bandwidth.

The LimeSDR Mini 2.0 is almost identical to the LimeSDR Mini 1.0, both still making use of the LMS7002 RF transceiver as the main chip and using the same overall design. The only change is an upgrade to the FPGA, which replaces the Intel MAX 10 16k logic gate FPGA with a significantly more capable Lattice ECP5 44k logic gate FPGA.

Given the new pricing, people on the lookout for a new hacker/research/experimenter SDR in this price range might want to consider this brief comparison to find the SDR best suited to their needs:

  • LimeSDR Mini 2.0 - US$399
    1x1 channels, 40 MHz bandwidth, 10 MHz to 3.5 GHz, 12-bits.

  • HackRF One - US$330 (~$150 clones)
    1x1 channels (half-duplex), 20 MHz bandwidth, 1 MHz to 6 GHz, 8-bits.

  • PlutoSDR - US$229.18
    1x1 channels, 20 MHz bandwidth, 325 MHz to 3.8 GHz, 12-bits.

  • bladeRF 2.0 Micro xA4 - US$540
    2x2 channels, 61.44 MHz bandwidth, 47 MHz to 6 GHz, 12-bits.

The LimeSDR Mini 2.0

Running GR-GSM and IMSI Catcher on a Raspberry Pi 4 with Dragon OS

DragonOS is a ready-to-use Ubuntu Linux image that comes preinstalled with multiple SDR software packages. The creator Aaron also runs a YouTube channel showing how to use the various packages installed.

In his latest video Aaron tests his Pi64 image with GR-GSM and IMSI Catcher running with the GNU Radio 3.10 platform on a Raspberry Pi 4. He tests operation with an RTL-SDR and LimeSDR.

GR-GSM is a GNU Radio based program capable of receiving and analyzing mobile GSM data. We note that it cannot decode actual messages without additional information about the encryption key, but it can be interesting to investigate the metadata. GSM is mostly outdated these days, but it is still used in some areas by some older phones and devices. IMSI Catcher is a script that records all GSM 'IMSI' numbers detected from the mobile tower, which can be used to uniquely identify devices.

Short video setting up and testing GR-GSM on DragonOS Pi64 w/ GNU Radio 3.10 and the RTL-SDR. The current DragonOS Pi64 build has GNU Radio 3.8 and all the necessary tools to accomplish what's shown in this video. If you'd like to test the build shown in this video, it's temporarily available here until I finish and put it on Source Forge.

https://drive.google.com/drive/u/1/fo...

A LimeSDR and DragonOS Focal's Osmo-NITB-Scripts were used to create the GSM900 lab environment. The RTL-SDR was able to see and decode the GSM900 network and, although only briefly shown in the video, the IMSI Catcher script works.

Here's the fork used for this video and for testing. There's also a pull request on the main GR-GSM repo for this code to be added.

https://github.com/bkerler/gr-gsm

DragonOS Pi64 Testing GR-GSM + IMSI Catcher w/ GNU Radio 3.10 (RTLSDR, Pi4, LimeSDR, OSMO-NITB)

Lightweight Windows Software uSDR Updated to Version 1.5.0

Since 2021 we've posted about Viol Tailor's "uSDR" (microSDR) software a couple of times. uSDR is a lightweight general purpose multimode program for Windows that supports the RTL-SDR, Airspy, BladeRF, HackRF and LimeSDR radios. The software can be downloaded from SourceForge.

Viol notes that recently the project has been updated to V1.5.0 which brings the following new features and changes.

  • lock device frequency on zoom option
  • keep waterfall history – a very great option, do not lose any rare signals
  • advanced passband IQ recorder
  • passband IQ TCP server for remote processing, C/C++ client source examples included
  • advanced audio player, auto selectable sample rate, separate left/right channels
  • CTCSS decoder
  • markers import option, convenient for merging markers
  • Ctrl+Shift+Drag Up/Down – change spectrum magnitude offset
  • Ctrl+Shift+Mouse Wheel – change spectrum magnitude range (vertical zoom)
  • Ctrl+Mouse Hover – highlight nearest marker
  • Ctrl+Double Click – tune to highlighted nearest marker
  • band plan visualization, simple text format
  • frontend interface improvements
  • GUI improvements
  • spectrum and waterfall popup menus improvements
  • a lot of bug fixes

uSDR aka microSDR. A lightweight SDR receiver program for Windows.

SignalsEverywhere: Setting up and using SDR++ Server

On this week's SignalsEverywhere episode, Sarah demonstrates and shows us how to use the SDR++ Server, which was released as a beta earlier this year. SDR++ Server is similar to software like rtl_tcp and Spyserver, as it allows us to connect to a remote networked SDR like an RTL-SDR. Compared to rtl_tcp and Spyserver, however, SDR++ Server has a huge advantage in that it is compatible with almost any SDR, and enables the full range of control options for RTL-SDRs.

In the video Sarah shows us how to activate the SDR++ server module and how to connect to a remote RTL-SDR running the SDR++ server on a Raspberry Pi. She goes on to show how to connect to other SDRs running on the Raspberry Pi as well, such as the SDRplay RSP Duo, LimeSDR, Airspy R2 and Airspy HF+ Discovery. Finally she goes on to show how to set up the server on Windows and a Raspberry Pi.

SDR++ Server | Remote RTL-SDR SDRPlay LimeSDR AirSpy and More! | Raspberry Pi and Windows Setup Tut

LimeSDR Mini 1.0 End of Life, and LimeSDR Mini 2.0 to be Released

The LimeSDR Mini is a sub $200 RX and TX capable SDR with 12-bit ADC, 10 MHz to 3.5 GHz tuning range and up to 40 MHz of live bandwidth.

Due to supply chain difficulties sourcing the FPGA used on the LimeSDR Mini, an End of Life statement for the original LimeSDR Mini has now been released. However, the silver lining is that at the same time as this announcement Lime Microsystems have announced their plans to release the LimeSDR Mini 2.0.

Between the LimeSDR Mini 1.0 and the 2.0, there appear to be no major changes apart from the Intel Max 10 FPGA with 16k logic gates being replaced by the larger Lattice ECP5 FPGA with 44k logic gates. Lime Micro notes:

Not only is the ECP5 more readily available than the Intel MAX10 FPGA used in the previous design, but it has an extensive set of open source tools and a great community of developers.

The LimeSDR Mini 2.0 is currently in 'coming soon' status on CrowdSupply, and you can subscribe there to get updates on when it is released.

The LimeSDR Mini 2.0

Receiving X-Band Images from the Arktika-M1 Arctic Monitoring Satellite

Recently on Twitter @arvedviehweger (Arved) has tweeted that he has successfully received images from the Russian Arctic monitoring satellite known as ARKTIKA-M1, via its X-band downlink at 7865 MHz. We've reached out to Arved and he's provided the following information on his setup and how he's receiving and decoding the images.

The Arktika-M1 satellite is a Russian weather satellite which operates in an HEO orbit. It was launched in February 2021 and has downlinks on multiple bands. The main payload downlink for the imagery is on 7865 MHz (which is also known as the lower X-Band). The satellite only transmits imagery on the X-Band at the moment; it is currently unknown whether it will ever transmit any image data on L-Band.

For amateur reception that means having access to X-Band RF gear. It usually consists of a low noise pre-amplifier and a downconverter to convert 7865 MHz down to a lower frequency for easier reception with a high bandwidth SDR such as the LimeSDR, a USRP etc.

In my personal setup I use a surplus pre-amplifier made by MITEQ (around 36dB of gain, 1dB NF), my own self-made DK5AV compact X-Band downconverter and a LimeSDR-USB.

The L-Band gear is mounted on top (helix and the pre-amp behind it) and the X-Band gear is right below. From left to right you can see the feed, the downconverter (silver box) and the LNA (mounted to a heatsink and a fan). Recording is done with a LimeSDR-USB running at a sample rate of 50 MSPS. The satellite transmits every 15 minutes once it reaches its apogee; each transmission, including the idle period, lasts for about 10 minutes. Some pictures of the idle transmission and the actual data transmission can be found in this Tweet [noting that Idle = more spikes, actual data looks weaker]:

Depending on the geographical location a rather large satellite dish is also required for Arktika-M1. Reception reports all over Europe clearly show that the satellite has a beamed antenna (similar to ELEKTRO-L2).

In my setup I can get away with a 2.4m prime focus dish (made by Channel Master) in North Eastern Germany. It produces around 9 - 10 dB of SNR in the demod of @aang254's excellent SatDump software. Anything above 5 dB will usually result in a decode, but since the satellite does not have any FEC you will need more than that for a clean picture. (Image of SNR in SatDump)

SDRAngel Features Overview: ADS-B, APT, DVB-S, DAB+, AIS, VOR, APRS, and many more built-in apps

SDRAngel is a general purpose software defined radio program that is compatible with most SDRs including the RTL-SDR. We've posted about it several times before on the blog, however we did not realize how much progress has occurred with developing various built in plugins and decoders for it.

Thanks to Jon for writing in and sharing with us a demonstration video that the SDRAngel team have released on their YouTube channel. From the video we can see that SDRAngel now comes stock with a whole host of built-in decoders and apps for various radio applications, making it close to an all-in-one SDR platform. The built-in applications include:

  • ADS-B Decoder: Decodes aircraft ADS-B data and plots aircraft positions on a map
  • NOAA APT Decoder: Decodes NOAA weather satellite images (in black and white only)
  • DVB-S: Decodes and plays Digital TV DVB-S and DVB-S2 video
  • AIS: Decodes marine AIS data and plots vessel positions on a map
  • VOR: Decodes VOR aircraft navigational beacons, and plots bearing lines on a map, allowing you to determine your receiver's position.
  • DAB+: Decodes and plays DAB digital audio signals
  • Radio Astronomy Hydrogen Line: With an appropriate radio telescope connected to the SDR, integrates and displays the Hydrogen Line FFT with various settings, and a map of the galaxy showing where your dish is pointing. Can also control a dish rotator.
  • Radio Astronomy Solar Observations: Similar to the Hydrogen line app, allows you to make solar measurements.
  • Broadcast FM: Decoding and playback. Includes RDS decoding.
  • Noise Figure Measurements: Together with a noise source you can measure the noise figure of an SDR.
  • Airband Voice: Receive multiple Airband channels simultaneously
  • Graves Radar Tracker: For Europeans, track a satellite and watch for reflections in the spectrum from the French Graves space radar.
  • Radio Clocks: Receive and decode accurate time from radio clocks such as MSF, DCF77, TDF and WWVB.
  • APRS: Decode APRS data, and plot APRS locations and moving APRS enabled vehicles on a map with speed plot.
  • Pagers: Decode POCSAG pagers
  • APRS/AX.25 Satellite: Decode APRS messages from the ISS and NO-84 satellites, via the built-in decoder and satellite tracker.
  • Channel Analyzer: Analyze signals in the frequency and time domains
  • QSO Digital and Analog Voice: Decode digital and analog voice. Digital voice is handled by the built-in DSD demodulator, and includes DMR, dPMR and D-Star.
  • Beacons: Monitor propagation via amateur radio beacons, and plot them on a map.

We note that the video doesn't show several additional features, such as an analog TV decoder, the SDRAngel "ChirpChat" text mode, a FreeDV decoder and several others.