Category: Other

Building an SDR Transmitter using GPIO Pins on an FPGA

Recently an RTL-SDR.com reader named Jon wrote in to share his project called FPGA-TX. FPGA-TX is software that provides low-cost SDR transmit capabilities on an FPGA. It works in a similar way to RPiTX: the GPIO pins are toggled on and off very quickly, in such a way that the resulting square wave carries the desired AM/FM/SSB transmission. These methods are crude and require external analog filtering, since the raw square wave on the pin is rich in harmonics, but they can be used to create almost any sort of RF transmission over a wide range of frequencies extremely cheaply. Such cheap transmitters are great companions to low-cost SDR dongles like the RTL-SDR.

Jon’s project currently supports the Digilent Nexys 4 and Digilent CMOD A7 ($75) FPGA boards. An FPGA is an integrated circuit that can be easily reconfigured to implement various digital circuits.

FPGA-TX can transmit at frequencies of up to 400 MHz and currently supports AM, FM, LSB, USB, Wideband FM and Wideband FM Stereo transmission modes. The host software runs on Linux. The FPGA transmitter has been tested together with an external amplifier and filter, and it can also interface with a GPS unit for clock calibration.

An FPGA Based Transmitter. In the photo: FPGA, Amplifier, Filter, Attenuator, TX/RX Switch.
The FPGA-TX Ubuntu Interface.
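To make the "toggle a pin very quickly" idea concrete, here is an added behavioural model of a 1-bit GPIO transmitter. It is not code from FPGA-TX or RPiTX; the accumulator width and the 400 MHz pin clock are assumptions chosen for the illustration. A phase accumulator (NCO) is advanced every clock by a tuning word and the pin is driven by its most significant bit, so the pin outputs a square wave whose fundamental sits at the wanted carrier; FM is nothing more than changing the tuning word every sample. The DFT helpers then show why the pin must be followed by an analog filter: the odd harmonics of the square wave are only about 9 dB and 13 dB below the carrier.

```python
# Added example, not code from FPGA-TX or RPiTX: a behavioural model of a
# 1-bit "GPIO transmitter" built from a phase accumulator, plus a DFT check
# of where the energy on the pin actually lands.
import cmath
import math

ACC_BITS = 32          # accumulator width; an assumption, not a figure from the page
GPIO_CLOCK_HZ = 400e6  # assumed toggle clock of the FPGA output pin


def one_bit_fm(carrier_hz, n_samples, audio=None, deviation_hz=0.0,
               clock_hz=GPIO_CLOCK_HZ, acc_bits=ACC_BITS):
    """Return a list of n_samples GPIO levels (0/1).

    audio: optional per-sample modulating values in [-1, 1]; deviation_hz is
    the peak frequency deviation they produce (None / 0 gives a plain carrier).
    """
    if audio is None:
        audio = [0.0] * n_samples
    mask = (1 << acc_bits) - 1
    words_per_hz = (1 << acc_bits) / clock_hz   # tuning word that yields 1 Hz
    phase = 0
    levels = []
    for a in list(audio)[:n_samples]:
        inst_hz = carrier_hz + deviation_hz * a
        word = int(round(inst_hz * words_per_hz)) & mask
        levels.append(phase >> (acc_bits - 1))   # MSB of the phase drives the pin
        phase = (phase + word) & mask            # accumulator wraps, as in hardware
    return levels


def magnitude_spectrum(levels):
    """|DFT| of the pin waveform mapped to -1/+1, for bins 0..N//2.

    Plain O(N^2) DFT so the example has no dependencies; keep N small.
    """
    n = len(levels)
    x = [2.0 * v - 1.0 for v in levels]
    twiddle = [cmath.exp(-2j * math.pi * i / n) for i in range(n)]
    mags = []
    for k in range(n // 2 + 1):
        acc = 0j
        for i, xi in enumerate(x):
            acc += xi * twiddle[(k * i) % n]
        mags.append(abs(acc))
    return mags


def dominant_frequency(levels, clock_hz=GPIO_CLOCK_HZ):
    """Frequency in Hz of the strongest non-DC bin."""
    mags = magnitude_spectrum(levels)
    k = max(range(1, len(mags)), key=mags.__getitem__)
    return k * clock_hz / len(levels)


def harmonic_db(levels, carrier_hz, k, clock_hz=GPIO_CLOCK_HZ):
    """Level of harmonic k relative to the fundamental, in dB.

    Exact only when carrier_hz falls on a DFT bin and k*carrier_hz stays below
    clock_hz/2; above that the harmonic aliases back into the band, which is
    one more reason the real hardware needs a filter after the pin.
    """
    mags = magnitude_spectrum(levels)
    bin_hz = clock_hz / len(levels)
    fund = mags[int(round(carrier_hz / bin_hz))]
    harm = mags[int(round(k * carrier_hz / bin_hz))]
    return 20 * math.log10(harm / fund) if harm > 0 else float("-inf")


if __name__ == "__main__":
    n = 512
    cw = one_bit_fm(25e6, n)   # 25 MHz = clock/16: exactly 16 clocks per cycle
    print("carrier seen at %.2f MHz" % (dominant_frequency(cw) / 1e6))
    for k in (2, 3, 5):
        print("harmonic %d: %.1f dB relative to the carrier" % (k, harmonic_db(cw, 25e6, k)))
    # Constructed modulating tone, far faster than real audio so the FM path
    # does something visible within 512 samples.
    tone = [math.sin(2 * math.pi * i * 5e6 / GPIO_CLOCK_HZ) for i in range(n)]
    fm = one_bit_fm(25e6, n, audio=tone, deviation_hz=75e3)
    print("FM carrier still near %.2f MHz" % (dominant_frequency(fm) / 1e6))
```

Two things the model makes visible that the description alone does not: the second harmonic cancels (a 50% duty square wave has no even harmonics) while the third and fifth do not, which fixes the minimum stopband the external filter must provide; and when the carrier is not an exact fraction of the pin clock the accumulator output is no longer strictly periodic, so phase-truncation spurs appear around the carrier. Real designs dither or use a finer clock to push those spurs down.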

Talks from the 33rd Chaos Computer Club Conference

Videos from the 33rd Chaos Communication Congress (33c3), the yearly hacking conference of the Chaos Computer Club held in Europe, have recently been uploaded to YouTube. This year several SDR and RF related talks were presented, and below is a sampling of our favourites. See their YouTube channel for more interesting talks.

Reverse Engineering Outernet

Outernet is a company whose goal is to ease worldwide access to internet contents by broadcasting files through geostationary satellites. Currently, they broadcast an L-band signal from 3 Inmarsat satellites, giving them almost worldwide coverage. The bitrate of the signal is 2kbps (or 20MB of content per day), and they use the signal to broadcast Wikipedia pages, weather information and other information of public interest.

Most of the software used for Outernet is open source, but the key parts of their receiver are closed source and the protocols and specifications of the signal used are secret. I think this is contrary to the goal of providing free worldwide access to internet contents. Therefore, I have worked to reverse engineer the protocols and build an open source receiver. I have been able to reverse engineer most of the protocols, and a functional open source receiver is now available.

In this talk, I’ll explain which modulation, coding and framing are used for the Outernet L-band signal, what the ad-hoc network and transport layers used are, how the file broadcasting system works, and some of the tools and techniques I have used for reverse engineering.

PDF slides available [here].

Intercoms Hacking

To break into a building, several methods have already been discussed, such as trying to find the code paths of a digicode, cloning RFID cards, using social engineering attacks, or using archaic methods like lockpicking a door lock or breaking a window.

New methods are now possible with recent intercoms. These intercoms are used to call the tenants in order to access the building, but little study has been performed on how these boxes communicate to request and grant access to the building.

In the past, they were connected with wires directly to apartments. Now, they are more practical and allow residents to open doors not only from their classic door phone, but also to forward calls to their home or mobile phone. Private houses are now equipped with these new devices and it’s common to find these “connected” intercoms in recent and renovated buildings.

In this short paper we introduce intercoms and focus on one particular device that is commonly installed in buildings today. Then we present our analysis of an interesting attack vector, which already has its own history. After this analysis, we present our environment for testing the intercoms, and show some practical attacks that could be performed on these devices. During this talk, the evolution of our mobile lab and some advances on 3G intercom and M2M intercom attacks will also be presented.

Building a high throughput low-latency PCIe based SDR

Software Defined Radios (SDRs) have become a mainstream tool for wireless engineers and security researchers, and there are plenty of them available on the market. Most if not all SDRs in the affordable price range use USB2/USB3 as a transport because of implementation simplicity. While being so popular, USB has limited bandwidth, high latency and is not really suitable for embedded applications. PCIe/miniPCIe is the only widespread bus which is embedded friendly, low latency and high bandwidth at the same time. But implementing PCIe/miniPCIe is not for the faint of heart – you have to write your own FPGA code, write your own Linux kernel driver and ensure compatibility with different chipsets, each with its own quirks. In this talk we will look at the requirements for a high performance SDR like XTRX, how these lead to certain design decisions, and share the pitfalls and gotchas we encountered (and solved).

We’ve been working with SDRs since 2008 and building our own SDRs since 2011, focusing on embedded systems and mobile base stations. We created the ClockTamer configurable clock source and the UmTRX SDR, and built a complete base station (UmSITE) to run OpenBTS and later Osmocom GSM stacks. This year we’ve started working on a new tiny high-performance SDR called XTRX, which fits into the miniPCIe form factor and uses PCIe for I/Q sample transfer.

We will talk about when to use PCIe and when not to use it, and why we chose it for XTRX; the FPGA implementation of PCIe with optimization for low latency and high throughput; the Linux kernel driver for this PCIe device; integration with various SDR platforms; and all the various issues we encountered and how you can avoid them.

Designing a Remote SDR Station

Over on his blog w5fcx has posted an article that explains how he has set up a remote software defined radio based ham radio station. The article is focused on high end ham equipment for RX and TX use, but similar principles apply to a receive-only station built around SDRs like the RTL-SDR/Airspy/SDRplay.

He writes that he uses a VPN to connect remotely to his home computer, and makes use of the SmartSDR app for Flex SDR radios, which is available for iOS and Windows. Many of the other applications he uses, such as his antenna rotator software, are also controlled over the VPN via remote COM port software. Routing every control channel through the VPN, rather than exposing the individual rig and rotator control ports to the internet, is the right pattern, since those protocols carry no authentication of their own. He also notes the need for an internet-controllable AC power supply so that TX can be shut down if something goes wrong, and a UPS for continuous power. For the radio side he uses a FlexRadio SDR, an Elecraft amplifier and tuner, an antenna rotator and a Spiderbeam Yagi antenna.

The article explains in detail much of the equipment and software that he uses, and is an excellent read for those wanting to get started on designing a remotely accessible SDR station.

Remote SDR Station Components

Decapping the R820T and RTL2832U Chips

Over on YouTube the electronupdate channel has posted a video showing the decapping of the R820T and RTL2832U chips. Decapping is the process of removing the plastic packaging from an integrated circuit, exposing the internal circuits on the silicon die for viewing. In the video he shows microscope images of each of the decapped chips and explains a bit about what each part of the chip does.

Over on his blog he’s also posted the full decapped images of the R820T and RTL2832U for viewing.

The decapped R820T tuner die.
SOFTWARE DEFINED RADIO TEARDOWN: R820/RTL2832U DECAP

Remapping a Keyboard Volume Wheel for Knob Tuning in HDSDR

Earlier in the month we showed a post where Mile Kokotov hacked together a $3 SDR frequency tuning knob out of a mouse and a cheap rotary encoder.

Now over on YouTube, user m khanfar shows us another cheap solution. Instead of a hacked mouse, he uses the volume wheel on his keyboard. Some (but not all) keyboards have these extra multimedia buttons and controls. He simply uses a multimedia keyboard remapping program called MKey to map the volume wheel to a scroll wheel, which HDSDR interprets as tuning.

(HDSDR controller Tuning Knob)-Turn your keyboard volume scrolling button to Tuning Knob

GQRX-Ghostbox: Electronic Voice Phenomenon Paranormal Research Tool

With perfect Halloween timing, SDR enthusiast and ghost hunter Doug Haber has released his RTL-SDR compatible software called “gqrx-ghostbox”. This software supposedly turns your RTL-SDR into an electronic voice phenomenon (EVP) tool, a.k.a. a “Ghost Box”. Douglas explains what a Ghost Box is in the following blurb:

A ghost box is a device sometimes used by paranormal researchers to talk to spirits, the dead, disembodied entities, shape shifting lizard people, and other intra-dimensional fauna.

Some ghost boxes have electronics that give them distinct properties, and others are effectively radio scanners. This tool is of the radio scanning style.

Many examples of ghost box usage can be found on youtube. Generally, it involves asking questions and then listening for a response. Some people believe a medium or trance state is necessary in order for it to work. If you search for “ghost box” or “spirit box”, you will find information on different usage styles.

We’re not 100% sure whether this is a late April Fools’ joke or a serious tool, but the code is real (it appears simply to use GQRX to step through frequencies), and at least these days, when almost everything possible has already been tried with an RTL-SDR, this is something new!

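Since the tool is described as a radio-scanning style ghost box driven by GQRX, here is an added example of what that scanning loop looks like when GQRX is driven over its rigctld-style remote control port. This is not code from gqrx-ghostbox or from gqrx; it assumes gqrx's documented remote control commands (`F <hz>` to retune, `f` to read the frequency, `M <mode> [passband]`, and `l STRENGTH` for the signal level in dBFS, with `RPRT 0` acknowledging set commands) and the default TCP port 7356. The channel list and the `FakeGqrx` stand-in are constructed so the logic runs offline.

```python
# Added example, not code from gqrx-ghostbox or gqrx: a small scanner that
# drives gqrx through its remote control port, with an injectable transport
# so the scan logic can be exercised against a fake receiver.
import socket


class GqrxClient:
    """Thin wrapper over gqrx remote control commands."""

    def __init__(self, transport):
        self._send = transport  # callable: command line (no newline) -> reply line

    def _ok(self, cmd):
        reply = self._send(cmd).strip()
        if reply != "RPRT 0":
            raise RuntimeError("gqrx rejected %r: %r" % (cmd, reply))

    def set_frequency(self, hz):
        self._ok("F %d" % int(hz))

    def get_frequency(self):
        return int(self._send("f").strip())

    def set_mode(self, mode, passband_hz=None):
        cmd = "M %s" % mode if passband_hz is None else "M %s %d" % (mode, passband_hz)
        self._ok(cmd)

    def signal_strength(self):
        """Signal level in dBFS as reported by gqrx."""
        return float(self._send("l STRENGTH").strip())


def tcp_transport(host="127.0.0.1", port=7356, timeout=2.0):
    """Connect to a running gqrx and return a send(cmd) -> reply callable."""
    sock = socket.create_connection((host, port), timeout=timeout)
    rw = sock.makefile("rw", encoding="ascii", newline="\n")

    def send(cmd):
        rw.write(cmd + "\n")
        rw.flush()
        return rw.readline()

    return send


def scan(client, frequencies, threshold_dbfs, on_hit=None):
    """Retune to each frequency in turn; return [(hz, dbfs)] for those above threshold."""
    hits = []
    for hz in frequencies:
        client.set_frequency(hz)
        level = client.signal_strength()
        if level > threshold_dbfs:
            hits.append((hz, level))
            if on_hit is not None:
                on_hit(hz, level)
    return hits


class FakeGqrx:
    """Constructed stand-in for gqrx's remote control port, for offline runs."""

    def __init__(self, strengths, noise_floor_dbfs=-90.0):
        self.strengths = strengths  # {hz: dbfs} for the busy channels
        self.noise_floor = noise_floor_dbfs
        self.frequency = 0
        self.log = []

    def __call__(self, cmd):
        self.log.append(cmd)
        parts = cmd.split()
        if parts[0] == "F":
            self.frequency = int(parts[1])
            return "RPRT 0\n"
        if parts[0] == "f":
            return "%d\n" % self.frequency
        if parts[0] == "M":
            return "RPRT 0\n"
        if cmd == "l STRENGTH":
            return "%.1f\n" % self.strengths.get(self.frequency, self.noise_floor)
        return "RPRT 1\n"  # gqrx's generic error reply


if __name__ == "__main__":
    # Constructed 2 m band channel plan; swap FakeGqrx(...) for tcp_transport()
    # to drive a real gqrx with remote control enabled.
    fake = FakeGqrx({145_500_000: -35.0, 146_525_000: -52.5})
    client = GqrxClient(fake)
    client.set_mode("FM", 10000)
    channels = range(145_000_000, 147_000_000, 25_000)
    for hz, level in scan(client, channels, threshold_dbfs=-60.0):
        print("%.3f MHz  %.1f dBFS" % (hz / 1e6, level))
```

One practical caveat before leaving this running on a shack PC: the gqrx remote control port carries no authentication, so anyone who can reach it can retune the receiver and change its settings. Keep it bound to localhost (or restricted to the allowed hosts gqrx lets you configure) rather than exposing it on a LAN or, worse, through a port forward.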

KiwiSDR Soon to Accept General Orders

Back in April 2016 the KiwiSDR was successfully funded on Kickstarter. Since then almost all the rewards have been mailed out and the number of worldwide receivers available on sdr.hu has increased. KiwiSDR is an SDR cape (add-on board) for the BeagleBone Black/Green embedded computer which covers 0 – 30 MHz with 30 MHz of bandwidth. Its main purpose is to be used as a web based remote receiver which can be publicly accessed by many users at once.

Over on the Kickstarter updates page we see news that Seeed Studio is taking over the production and distribution of the KiwiSDR, and soon you’ll be able to order the KiwiSDR cape directly from their online Bazaar. Seeed Studio is the same company that produces several other capes for the BeagleBone, and they also produce the BeagleBone Green which is needed to run the KiwiSDR. They write:

We are very pleased to announce an agreement for Seeed Studio to take over production and distribution of the KiwiSDR going forward. What does this mean? Until now Seeed only had a contract with us to produce the Kickstarter rewards and pre-orders. Now Seeed will add the KiwiSDR to their family of BeagleBone capes they manufacture and distribute. Very soon you’ll be able to order the KiwiSDR directly from Seeed’s online Bazaar, pay directly with a credit card or Paypal and use their shipping system.

For us, and you as Kiwi owners, this is a very positive development. It means soon we’ll be able to devote the majority of our time to software development and providing you support. And as you probably know there is a large list of bugs, feature requests, extensions, distributed experiments and educational material we’d like to be working on instead of worrying about shipping and manufacturing issues. Improving the software is the best way to differentiate ourselves in a crowded SDR marketplace.

We would appreciate it if you would continue to purchase from us until our stock is depleted. Seeed has already manufactured a significant number of units alongside our prior build and will be able to meet the demand immediately. We thank everyone at Seeed for their fantastic effort in making KiwiSDR a reality.


YouTube Tutorial about using the BladeRF for Several Experiments

On YouTube, user CrazyDanishHacker has been uploading some tutorial videos showing how to perform several experiments with the BladeRF. Some of the things he shows are GPS spoofing, broadcasting digital TV, getting 124 MHz of bandwidth, using spectrum painter, and how to use the BladeRF on Windows 10, Kali Linux and Ubuntu.

You might remember CrazyDanishHacker from our previous post where we posted about his in depth YouTube tutorial on GSM sniffing and cracking. That series now appears to be complete ending on episode #16 of his software defined radio series. The BladeRF tutorials start on episode #17.

The bladeRF is a $420 software defined radio which is capable of transmit and receive. It uses a LimeMicro LMS6002D chip, which has a 12-bit ADC and a tuning range of 300 MHz – 3.8 GHz. Along with the HackRF, we eventually expect it to be superseded by the upcoming LimeSDR.

BladeRF + SDR# on Windows 10 - Software Defined Radio Series #17