Using an RTL-SDR and RPiTX to Defeat the Rolling Code Scheme used on Some Subaru Cars

Over on GitHub Tom Wimmenhove has been experimenting with the car keyfob on his Subaru car, and has discovered that the rolling code scheme it uses is very weak and can therefore be easily exploited.

Most modern vehicles use some form of rolling code security on their wireless keyfobs to prevent unauthorized replay attacks. When the car owner presses a button on the keyfob, a unique rolling code is sent to the car. If it matches one of the codes currently stored in the car, the car will unlock and then invalidate that code so it can never be used again, thus preventing a replay attack. On the next press the keyfob sends a new code. In most designs when a code is used up, a new code is added to the list of valid codes via a random number generator based on a secure algorithm only known (presumably) to the engineers.

Essentially Tom found that instead of producing a randomly generated rolling code, the Subaru keyfob simply increments the rolling code number on each press. This allows an attacker to perform a second key press simply by recording an initial real key press, decoding the packet, incrementing the decoded rolling code by one, then re-transmitting. It also means that the attacker could continually raise the rolling code value on the car himself, which would eventually make the real keyfob useless, as the codes on the keyfob would be outdated and no longer fall in the same number range as the car expects.

The entire exploit was found on a super low budget. Tom used only an RTL-SDR and a Raspberry Pi. Receiving is handled by the RTL-SDR, while the transmit side is handled by RPiTX, which is software that allows the Raspberry Pi to transmit RF signals directly from a GPIO pin without the need for any additional transmitting hardware. Tom writes that the exploit probably affects the 2006 Subaru Baja, 2005 - 2010 Subaru Forester, 2004 - 2011 Subaru Impreza, 2005 - 2010 Subaru Legacy and the 2005 - 2010 Subaru Outback. Tom also writes that various dealers and spokespeople have contacted him stating that the exploit probably only affects US models. If you have one of the affected models and are worried, the only way to stay safe is to simply not use wireless entry on the keyfob, at least until/if Subaru fixes the issue with a recall, although so far no statement from Subaru has been released.
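As an added illustration (not Tom's code or anything from his repository), here is a small Python model of the two fob designs the post contrasts: a car-side receiver that accepts codes within a forward window and burns used ones, fed first by a counter-only fob and then by a fob whose codes are a keyed HMAC of the counter. The window size, key and HMAC construction are assumptions for the model, not details of the Subaru system.

```python
import hmac
import hashlib

WINDOW = 16  # assumed: counter steps ahead of the last accepted press that the car still accepts

class Receiver:
    """Car side: accepts a code inside a forward window, then burns it and all
    earlier codes, so a plain replay of a captured code is rejected."""
    def __init__(self, code_for, window=WINDOW):
        self.code_for = code_for  # maps a press counter to the code the fob sends for it
        self.window, self.last = window, 0

    def submit(self, code):
        for n in range(self.last + 1, self.last + self.window + 1):
            if code == self.code_for(n):
                self.last = n     # this code and all earlier ones are now invalid
                return True
        return False

def sequential_code(n):
    """The weak design from the post: the transmitted code is just the press counter."""
    return n

def keyed_code(key):
    """Keyed design (assumed here, not the Subaru scheme): code = truncated HMAC(key, counter);
    an observed code gives no way to compute the next one without the key."""
    return lambda n: hmac.new(key, n.to_bytes(4, "big"), hashlib.sha256).digest()[:4]

def demo_sequential():
    car = Receiver(sequential_code)
    seen = sequential_code(1)            # first real press, as captured off the air
    car.submit(seen)
    replay_ok = car.submit(seen)         # replay of the captured code: rejected
    predicted_ok = car.submit(seen + 1)  # captured code + 1: accepted without the fob
    for i in range(2, WINDOW + 2):       # keep advancing the car past the fob's counter
        car.submit(seen + i)
    fob_ok = car.submit(sequential_code(2))  # the fob's own second press is now outside the window
    return replay_ok, predicted_ok, fob_ok

def demo_keyed():
    code_for = keyed_code(b"constructed demo key, not a real one")
    car = Receiver(code_for)
    seen = code_for(1)                   # first real press, as captured off the air
    car.submit(seen)
    guess = (int.from_bytes(seen, "big") + 1).to_bytes(4, "big")  # same +1 trick on a keyed code
    return car.submit(guess), car.submit(code_for(2))
```

With the counter-only fob the model returns (False, True, False): replay is blocked, but a predicted code is accepted and the real fob ends up locked out; with keyed codes it returns (False, True).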

Tom has also uploaded a demonstration video to YouTube which is shown below.

[Also seen on Hackaday, Bleeping Computer and The Register]


Subaru fobrob exploit

Building your Own Cell Phone Network with a Raspberry Pi and BladeRF

As part of their senior project Matthew May & Brendan Harlow of Champlain College worked on a project that involved creating their own software defined radio based portable cell phone network. If you're interested, their setup is nicely documented on their project page. Basically it consists of a bladeRF software defined radio and a Raspberry Pi running the YateBTS base station software. This is nothing new in terms of work done before, but the clear documentation makes it a good starting point for anyone looking at building their own SDR based cell basestation.

A custom cell basestation may be useful for those in remote areas without commercial cell phone reception, during disasters or even just to create a type of secondary network in your home.

[Also seen on Hackaday and Motherboard]

A cell phone connected to their custom network

Testing a 16x RTL-SDR V3 WebSDR System for the Satcom Band

Over on Twitter Denis (@uhfsatcom) has recently been teasing us with photos of his 16 dongle RTL-SDR V3 setup. The system looks like it's designed to be a satcom band WebSDR receiver.

The satcom band is around 240 - 270 MHz and mostly consists of various military satellites that act as simple repeaters which are often hijacked by pirates. WebSDR is a piece of software that allows for online web streaming of SDR radios. Users from all over the world can listen in if made public. Denis has also uploaded a short video showing a test of 8 dongles running and receiving the satcom band on his WebSDR system.

We look forward to hearing more updates on this project!

8 rtlsdr websdr test

SpyServer Updated: Very Efficient Network Usage with 8-Bit PCM Mode

Over the last month SDRSharp's SpyServer has been updated several times. SpyServer is a streaming server for SDR# which allows you to use Airspy and RTL-SDR radios remotely over a network connection.

The updates brought improvements such as IQ PCM compression at various bit depths including an efficient 8-bit mode, removing the DC spike residual in the 8-bit streaming mode, and recently improving the 8-bit mode to work like lossy compression for strong signals.

We tested the new 8-bit PCM streaming mode and found it to be extremely efficient with network usage. When streaming at 2 MHz with an RTL-SDR, a WFM signal on the older SpyServer versions used to use about 1.2 MB/s without any compression modes, and now with 8-bit compression active it only uses 322 KB/s. An NFM signal used to require 120 KB/s, and now requires only about 38 KB/s. No DC spike is present and no degradation in reception quality is noticeable unless the signal requires over 70 dB of dynamic range, which is unlikely for most signals.

If you've had trouble with SpyServer or rtl_tcp not working well on your slow network connection, then the new updated SpyServer may be the solution for you.

Prog, the author of SDR# and SpyServer, writes about the update on the Airspy group:

This new development allows you to stream large signals over 8bit and reduce the network bandwidth.

The server will try to pack the useful signals into whatever bit depth you select ensuring optimal SNR for the transport. No manual scaling required.

SpyServer with 8-Bit PCM IQ Compression

Airspy HF+ Real World Performance Examples by the Author of GQRX up on YouTube & Twitter

Alexander Csete (OZ9AEC) is the programmer behind the popular GQRX software. Recently Alexander has received a review sample of the upcoming Airspy HF+ and has been uploading videos showing it in action to his YouTube channel.

The Airspy HF+ is a soon to be released low cost (expected price $149 USD) yet high performance HF/VHF receiver designed for DXing with exceptional performance in the presence of strong overloading signals. If you are interested we also have our own review of the HF+ available here.

In the video below Alexander demonstrates the HF+ on SSB and CW modes in his GQRX software. See his YouTube channel for the rest of the videos. Currently there are about 7 videos demonstrating the HF+ on his channel.

Over on his Twitter account @csete Alex has also been uploading several images of the HF+ in action, as well as some screenshots of it being compared against the RFSpace Cloud-IQ, which is a $629 USD SDR. So far his impressions of the HF+ seem very positive.

Testing the Airspy HF+ with Gqrx, then a pirate comes by...

RadioForEveryone New Posts: Antenna Weatherproofing, NooElec Nano 3 Review, ADS-B Antenna Shootout

Over on his blog 'Radio for Everyone' author Akos has uploaded three new posts. The first shows how to cheaply weatherproof antenna connections by wrapping electrical/plumbing tape around the connection. He shows an example with the FlightAware ADS-B antenna.

The second post is a review of the relatively new NooElec Nano 3, which is a small form factor RTL-SDR that comes with a TCXO and metal case. Akos shows how the form factor is good for using it with mobile phones. Akos opens the unit up and shows us how the unit is sandwiched inside the metal case with two thermal pads for improved heat dissipation. Later in the review he also discusses the MCX connector, TCXO and heat.

The third post compares three commercially sold antennas for ADS-B reception. The compared antennas are the FlightAware ($45) and Jetvision ($90) ADS-B antennas as well as our RTL-SDR Blog general purpose dipole ($10). The results show that the Jetvision antenna performs the best, followed by the FlightAware and then the dipole. However, we note that Akos has used the dipole incorrectly, as he did not orient it as a vertical dipole.

Radio For Everyone: Nano 3 Size Comparison

LimeSDR Mini Updates: Demonstrations with Universal Radio Hacker, LattePanda, PothosSDR and GNU Radio

Over on their CrowdSupply crowdfunding site LimeSDR have been releasing several short tutorials and demonstrations showing their new LimeSDR Mini in action. The latest update shows a short tutorial on using the LimeSDR Mini together with Universal Radio Hacker (URH) to reverse engineer a 433 MHz remote control.

Other previous updates include showing how to use the LimeSDR Mini and Wireshark to analyze WiFi signals, using it with a LattePanda mini computer, creating an FM demodulator in PothosSDR and decoding a 433 MHz keyfob in GNU Radio.

The LimeSDR Mini is a smaller and cheaper version of their LimeSDR which has slightly reduced specifications. The main changes are the slightly restricted frequency range of 10 MHz – 3.5 GHz, and half the maximum bandwidth at 30.72 MHz. The mini also only has 1×1 TX/RX channels.

Recently the LimeSDR was released for crowdfunding on crowdsupply.com and has already raised $165,000 of its $100,000 threshold with 12 days remaining. Currently you can back the project for $139 with shipping expected on Dec 31.

LimeSDR Mini Renderings

RSP1 Metal Enclosure Price Reduced to $29.95

Recently we’ve reduced the price of our RSP1 Metal Enclosure upgrade kit from $39.95 down to $29.95 USD. You can purchase the kit from our store. The kit comes with:

  • 1x Metal Enclosure
  • 1x Carry case
  • 1x BCFM Filter with SMA Male to Male Adapter
  • 1x Accessory set including rubber feet, screws, grounding post.

On Amazon USA there are fewer than 16 units left, and fewer than 85 shipped from China from our store. We won't be restocking this item for a few months, so please get in quick if you are interested.

We brought out this kit back in March, and instructions for using the kit can be found in this post.

The RSP1 metal case kit