Derpcon 2020 Talk: Breaking into the World of Software Defined Radio

Derpcon is a COVID-19 inspired information security conference that was held virtually between April 30 and May 1, 2020. Recently the talks have been uploaded to their YouTube channel. One interesting SDR talk we've seen was by Kelly Albrink and is titled "Ham Hacks: Breaking into the World of Software Defined Radio". The talk starts by giving a very clear introduction to software defined radio, and then moves on to a more complex topic where Kelly shows how to analyze and reverse engineer digital signals using a HackRF and Universal Radio Hacker.

RF Signals are basically magic. They unlock our cars, power our phones, and transmit our memes. You’re probably familiar with Wifi and Bluetooth, but what happens when you encounter a more obscure radio protocol? If you’re a hacker who has always been too afraid of RF protocols to try getting into SDRs, or you have a HackRF collecting dust in your closet, this talk will show you the ropes. This content is for penetration testers and security researchers to introduce you to finding, capturing, and reverse engineering RF signals. I’ll cover the basics of RF so you’re familiar with the terminology and concepts needed to navigate the wireless world. We’ll compare SDR hardware from the $20 RTLSDR all the way up to the higher end radios, so you get the equipment that you need without wasting money. I’ll introduce some of the software you’ll need to interact with and analyze RF signals. And then we’ll tie it all together with a step by step demonstration of locating, capturing, and reverse engineering a car key fob signal.

Ham Hacks: Breaking into the World of Software Defined Radio - Kelly Albrink

TechMinds: Performing the Frequency Expansion and CPU Core Mod on the PlutoSDR

The PlutoSDR is a low cost RX/TX capable SDR with up to 56 MHz of bandwidth and a 70 MHz to 6 GHz frequency range. It is typically priced at US$149. By default the PlutoSDR ships with a tuning range of 325 – 3800 MHz and a bandwidth of 20 MHz. However, a simple software hack allows you to expand this tuning range to 70 MHz – 6 GHz with a maximum bandwidth of 56 MHz.

This is possible presumably because the AD9363 SDR transceiver chip used in the PlutoSDR is nearly identical to the more expensive AD9364, which has the higher specs. The software hack tricks the PlutoSDR firmware into believing that the AD9363 is an AD9364. Mileage may vary, as we speculate that the AD9363 might be produced on lower grade silicon or could be failed AD9364 chips with lower performance at the edge frequencies. But so far most users have reported acceptable performance.

TechMinds' video shows how to apply the hack, which is a simple matter of opening a terminal connection to the SDR and running a few commands. He also shows how to enable an extra CPU core on the processor. Finally he demonstrates that it's possible to transmit in the extended tuning range via SDRangel.

ADALM PLUTO Frequency Expansion Modification Plus CPU Cores

Decoding 5GHz NTSC Video from Drones with a HackRF, DragonOS and SigDigger

Over on his YouTube channel Aaron has uploaded a video showing how we can use SigDigger to decode analog NTSC video from a drone camera, which is transmitted at 5.7 GHz. SigDigger is a rapidly evolving SDR program for Linux and macOS that has a lot of built in functionality for inspecting signals in more depth. Although not specifically designed for it, the Symbol Stream viewer in SigDigger can be used to display NTSC analog video. Aaron writes:

For the most part, the older an analog modulation is, the easier it is to get basic results when decoding. TV receivers were rather dumb back in the day, basically fast fax machines glued to an off-band FM radio receiver. Receiver circuits were also slow, and the signal had lots of invisible blank spaces in the borders so that the cheapest TVs could switch to the next line in time. The invention of Teletext leveraged those blanks in order to carry digital information, and color information was embedded as an additional narrowband signal in the gaps in the spectrum. With this in mind I wanted to take a look at decoding analog video transmissions from drones. While some drones have moved to more effective digital compression and channel transmission technologies allowing for high definition video, there are still drones using RC-like communications, and the FPV video link is pure FM-modulated NTSC.

Searching the internet provided few results on how I could go about using low cost equipment, such as the HackRF One, to decode drone feeds. After an extensive search I decided to start looking at Linux based software defined radio applications I was already familiar with. By chance I happened to be working with SigDigger, a free digital signal analyzer. It has been discussed on RTL-SDR.com and more recently on Signal Lounge (https://signal-lounge.com/2020/05/05/sigdigger-for-signal-analysis/). It is also included in my own creation, DragonOS (https://sourceforge.net/projects/dragonos-lts/).

After a brief email exchange with the developer it was brought to my attention that visualizing analog video transmission is possible in SigDigger (although with no color information, of course). Since SigDigger supports the HackRF and the HackRF provides coverage in the 5 GHz band, it was now possible for me to try to decode a 5 GHz drone video feed. I've documented the process and my results on my YouTube channel. I should point out that this is currently a side feature of SigDigger and currently lacks synchronization. The symbol view area I used in the video is not made for this. It is meant to display symbols and symbol patterns which, due to its behavior, can incidentally show the contents of analog TV and weather faxes with lots of manual adjustments.

While the SigDigger developer makes mention of plans to include an embedded generic analog TV viewer and possibly add the ability to automatically sync video, there’s currently no timeframe on when that might become available.

SigDigger Decoding NTSC Video from a Drone Camera
DragonOS LTS SigDigger demodulating a 5 GHz analog video/FPV drone link (HackRF One, SigDigger)

We note that if you're interested in PAL/NTSC decoding, there is also the excellent TVSharp plugin for SDR# available.

Tutorial on Using xrit-rx to Receive Weather Images from Geostationary Satellite GK-2A

Over on his website VKSDR has recently released a tutorial about his Linux based xrit-rx software, which allows RTL-SDR and other SDR owners to receive weather images from the geostationary satellite known as GEO-KOMPSAT-2A (GK-2A). GK-2A is a Korean satellite, hence it is positioned over the Asia-Pacific region, covering Asia, Eastern Russia, Australia and New Zealand.

To receive images from GK-2A you'll need an RTL-SDR, 2.4 GHz WiFi grid antenna and an L-band LNA. We have an earlier tutorial about receiving GK-2A and GOES geostationary L-band satellites that goes into more detail about the hardware required. 

VKSDR's xrit-rx software decodes the Low Rate Information Transmission (LRIT) signal from GK-2A, which provides a 64 kbps data stream and full disk images of the earth every 10 minutes. His tutorial explains the various image types that are transmitted, shows a few example images, and shows that some smooth animations can be created with the 144 images received over a day. The rest of the tutorial goes into the software setup, and explains the installation and configuration procedure.

We note that the latest version of xrit-rx now also comes with a nice web based dashboard that allows you to view the latest image, as well as the upcoming image schedule.

Full Disk Images Received from GK-2A via xrit-rx

The new web based dashboard for xrit-rx

ARM Radio Code Ported to Free Toolchain

Several years ago in 2015 we posted about the "ARM Radio" by Alberto I2PHD, which is a minimalist SDR implementation based on the ARM processor on the STM32F429 Discovery board. It was implemented with nothing more than a basic low pass front end, a reconstruction filter for the audio output and some DSP code. With its low cost ADC it's only able to tune from 8 kHz to 900 kHz, but this is enough to get broadcast AM signals and NDBs. While it may not have the best specs, it's an excellent learning project for SDR DSP and microcontroller programming, and the code is completely open source, although a non-free toolchain is required.

Recently Alberto Garlassi wrote in and wanted to share a re-implementation of the code on a free toolchain. He writes:

Unfortunately the author used the Keil MDK toolchain; this means that it is not possible to change the code without paying for a license. The free version is limited to 32K and this is not enough.

I ported it to the free (don't know how much, certainly GCC + Eclipse) System Workbench; now it is easy for everybody to start where I2PHD left off.

I did this several years ago and in the meantime ST and ARM changed many things in their tools and libraries, but it still works ok, I checked.

The complete project is on GitHub; it should be a matter of downloading the IDE and the libraries and pressing the debug icon. I'm in touch with Alberto Di Bene I2PHD, he has no objections and told me he's happy about this.

GNU Radio TEMPEST Implementation Now Available

TEMPEST refers to a technique that is used to eavesdrop on electronic equipment via their unintentional radio emissions (as well as via sounds and vibrations). All electronics emit some sort of unintentional RF signals, and by capturing and processing those signals some data can be recovered. For example the unintentional signals from a computer screen can be captured, and converted back into a live image of what the screen is displaying.

Until recently we have relied on an open source program by Martin Marinov called TempestSDR, which has allowed RTL-SDR and other SDR owners to perform interesting TEMPEST experiments with computer and TV monitors. We have a tutorial and demo on TempestSDR available in a previous post of ours. However, TempestSDR has always been a little difficult to set up and use.

More recently a GNU Radio re-implementation of TempestSDR called gr-tempest has been released. Currently the implementation requires the older GNU Radio 3.7, but they note that a 3.8 compatible version is on the way.

The GNU Radio implementation is a good starting point for further experimentation, and we hope to see more developments in the future. They request that the GitHub repo be starred as it will help them get funding for future work on the project.

The creators have also released a video, shown below, that demonstrates the code with some recorded data. They have also released the recorded data, with links available on GitHub. It's not clear which SDR they used, but we assume they used a wide bandwidth SDR as the recovered image is quite clear.
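The NTSC display in SigDigger's symbol view (described earlier on this page) and the monitor reconstruction in gr-tempest share one core step: a 1-D stream of demodulated samples is folded into rows at the line period, and successive frames are integrated so that static picture content grows out of the noise. The following is an added example, not code from SigDigger, gr-tempest or TempestSDR; it uses a constructed 4x6 picture rasterised with noise, estimates the frame period by autocorrelation (the way TEMPEST tools search for the refresh rate), then folds, integrates and thresholds. It assumes the line period is an integer number of samples; real captures are resampled to make that true.

```python
import random

# Constructed 4x6 test picture (not real RF data): 1 = bright, 0 = dark.
PICTURE = [[1, 1, 0, 0, 1, 0], [0, 1, 1, 0, 0, 1],
           [1, 0, 0, 1, 1, 0], [0, 0, 1, 1, 0, 1]]

def rasterise(image, blank, frames, noise, seed=1):
    """Constructed sample stream: each row becomes one scan line of len(row)+blank
    samples (blanking at 0), repeated `frames` times, plus Gaussian noise."""
    rng = random.Random(seed)
    stream = []
    for _ in range(frames):
        for row in image:
            for v in list(row) + [0.0] * blank:
                stream.append(v + rng.gauss(0.0, noise))
    return stream

def frame_period(stream, lo, hi):
    """Lag in [lo, hi] with the largest autocorrelation. A raster repeats exactly
    once per frame, so the frame period wins; in a real capture lo/hi bracket
    sample_rate / expected_refresh_rate (how TEMPEST tools find the refresh rate)."""
    mean = sum(stream) / len(stream)
    x = [v - mean for v in stream]
    scores = {}
    for lag in range(lo, hi + 1):
        n = len(x) - lag
        scores[lag] = sum(x[i] * x[i + lag] for i in range(n)) / n
    return max(scores, key=scores.get)

def fold(stream, line_len):
    """Cut the stream into rows of line_len samples; the partial tail is dropped."""
    return [stream[i:i + line_len]
            for i in range(0, len(stream) - line_len + 1, line_len)]

def integrate_frames(rows, lines_per_frame):
    """Average each line over successive frames: static picture content adds up
    while independent noise averages down (frame integration)."""
    frames = len(rows) // lines_per_frame
    out = []
    for line in range(lines_per_frame):
        same = [rows[f * lines_per_frame + line] for f in range(frames)]
        out.append([sum(col) / frames for col in zip(*same)])
    return out

def recover(stream, width, lines_per_frame, lo, hi):
    """Frame period -> integer line length (assumed exact here; real captures are
    resampled to make it so) -> fold -> integrate -> threshold active pixels."""
    line_len = frame_period(stream, lo, hi) // lines_per_frame
    frame = integrate_frames(fold(stream, line_len), lines_per_frame)
    return line_len, [[int(v > 0.5) for v in row[:width]] for row in frame]
```

Folding at a wrong line length makes the picture skew diagonally, which is exactly the manual adjustment Aaron describes having to make in the symbol view.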

Examples using gr-tempest

GR-TEMPEST: GNU Radio TEMPEST Implementation

Black Hat USA 2020 will be a Virtual Event

Black Hat is a yearly conference about information security related topics. Whilst not as common as at RF focused conferences, there are often talks related to software defined radio and RF in general. For example, recently they have uploaded videos of talks from their 2018 event, and one talk titled "Screaming Channels: When Electromagnetic Side Channels Meet Radio Transceivers" shows how a HackRF SDR can be used to help break the cryptography of Bluetooth AES encryption via RF noise unintentionally emitted by components in the transmitter.

Due to the current global pandemic, the conference organizers have decided that the 2020 conference to be held in Las Vegas during August 1-6 will instead be held virtually. They write:

MAY 8, 2020
We have been continuously reviewing the best ways to serve the information security community over the past few months as the global health situation continues to develop. While we will not be meeting in person, we are moving forward with a plan to transform Black Hat USA into an all-virtual event in order to best serve our community.

We're inspired to adapt Black Hat USA in a virtual format that will be available to our entire global community. Our team is working hard to deliver the same level of high-quality Briefings, Trainings and Business Hall programs that Black Hat attendees have come to expect every year.

We believe in the power of gathering our community to share, inspire, and strengthen our industry and are committed to providing that opportunity in August. We look forward to sharing more information about Black Hat’s virtual event soon.

Steve Wylie, Black Hat General Manager

We note that the GNU Radio conference, which will be held on September 14, will also be held virtually.

Tech Minds: Upgrading to the latest Airspy R2/Mini Firmware

Over on YouTube Tech Minds has uploaded his latest video that shows how to easily update the firmware on Airspy R2 and Mini units. The Airspy R2 ($169) and Airspy Mini ($99) are two software defined radios that can be considered a step up from an RTL-SDR in terms of performance and price. Recently the Airspy developer updated the firmware, and we show the changelog below.

This release improves the overall phase noise, tuning accuracy, dynamic range and spur responses.

What changed:

  • More accurate R820T/2 tuning.
  • Fast R820T/2 register update by only sending the actual changes. Useful for fast scanning.
  • The R820T/2 reference clock is now fed directly from the 25 MHz TCXO. No noise contribution from PLL_A at all when using the internal TCXO.
  • The MCU and ADC reference clock is now using PLL_B of Si5351 in Integer mode with power of two dividers.
  • EXT_CLK now feeds PLL_A for the R820T/2 and PLL_B for the LPC4370 with optimal Integer Mode and power of two dividers.
  • Drive level reduced to 2mA per clock. This significantly reduces the spurs.

Tech Minds' YouTube video shows us how to check the current firmware installed, how to download the latest firmware, and finally how to actually flash the new firmware.

AIRSPY R2 & MINI Software Defined Radio Firmware Update Procedure