Explaining the Dallas Siren Hack

If you’ve been paying attention to the news then you might have heard of the recent Dallas tornado siren hack. Earlier in the month a hacker took control of 156 tornado warning sirens placed all around the city of Dallas, Texas in the United States. The sirens are activated via an RF control signal; the hacker transmitted that control signal, activating all the sirens and causing a city-wide false alarm. The attack could have been performed with a transmit-capable software defined radio like the HackRF, or with any other transmit-capable radio such as a handheld radio.

Bastille is a wireless security firm which specializes in RF, SDR and IoT. Over on their blog, employee Balint Seeber has uploaded a video and blog post that discusses some possibilities on how the hacker may have activated the sirens.

In the blog post and video Balint first discusses the difference between a single frequency network and a repeater network. In a single frequency network one powerful transmitter up on a hill is used to activate all the sirens, whereas in a repeater network several dispersed transmitters repeat the signal over a wide area.

He then discusses the difference between analog and digital command transmission systems. In an analog system a simple series of tones might be used to activate the sirens. In that case the hacker could simply listen for the tones when the sirens are activated during the monthly test, record them, and replay them later. In a digital system an encrypted packet of data is used instead of tones. Depending on how the encryption is implemented, this could prevent a replay attack.
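As an added example (not from Bastille’s post, and not the Dallas system’s real protocol), here is what a digital siren command with a freshness counter looks like when implemented: the receiver accepts a command only if its HMAC tag verifies and its counter is newer than any it has seen, so a recorded monthly-test packet is refused when it is replayed. The packet layout, key and command values are all constructed for illustration.

```python
import hashlib
import hmac
import struct

# Constructed packet format for illustration only (not the Dallas system's real protocol):
# 1-byte command | 4-byte big-endian sequence counter | 32-byte HMAC-SHA256 tag.
# Assumption: the controller and every siren share KEY, provisioned out of band.
KEY = b"example-shared-key-not-real"
CMD_ACTIVATE = 0x01
BODY_LEN, TAG_LEN = 5, 32

def build_command(key: bytes, cmd: int, seq: int) -> bytes:
    """Controller side: bind the command to a fresh counter value and tag it."""
    body = struct.pack(">BI", cmd, seq)
    return body + hmac.new(key, body, hashlib.sha256).digest()

class Siren:
    """Receiver side: act only on packets that verify AND carry a counter newer than any seen."""

    def __init__(self, key: bytes):
        self.key = key
        self.last_seq = -1  # highest counter accepted so far (persisted in a real unit)
        self.activations = 0

    def receive(self, packet: bytes) -> str:
        if len(packet) != BODY_LEN + TAG_LEN:
            return "rejected: bad length"
        body, tag = packet[:BODY_LEN], packet[BODY_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return "rejected: bad tag"  # forged or modified packet
        cmd, seq = struct.unpack(">BI", body)
        if seq <= self.last_seq:
            return "rejected: replay"  # a recorded packet re-sent later lands here
        self.last_seq = seq
        if cmd == CMD_ACTIVATE:
            self.activations += 1
            return "activated"
        return "accepted"

def demo():
    # Monthly test is accepted once; the same bytes replayed are refused; editing the counter fails the tag.
    siren = Siren(KEY)
    monthly_test = build_command(KEY, CMD_ACTIVATE, seq=100)
    first = siren.receive(monthly_test)
    replay = siren.receive(monthly_test)
    edited = bytearray(monthly_test)
    edited[BODY_LEN - 1] ^= 0xFF  # bump the counter without knowing the key
    forged = siren.receive(bytes(edited))
    return first, replay, forged, siren.activations
```

Encryption alone does not give this property: a ciphertext with no counter or nonce can be recorded and re-sent just like a tone sequence, which is the "depending on how the encryption is implemented" caveat above.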

SpyServer 2.0 Released: More Efficient Streaming for Airspy and RTL-SDR

Back in March the team behind the Airspy SDR and SDRSharp software released the SpyServer, a piece of software that allows you to stream radio data from a remote Airspy receiver over a network. Then later in April they added full support for the RTL-SDR dongle as well.

This Easter the Airspy team have released SpyServer 2.0, which improves the streaming efficiency significantly (changelog). Now the full 8 MHz bandwidth of the Airspy should be easily streamable over an internet connection. With SpyServer 1.0 it was difficult to make use of the full bandwidth of the Airspy because the network data usage was very high, since it was streaming the full raw IQ data for the sampling rate/bandwidth selected. In SpyServer 2.0 the server does not stream the full raw data, and instead only streams the wideband FFT data (for displaying the waterfall and FFT graph), and the raw data from the currently selected IF bandwidth. Of course the full IQ data can still be streamed if desired by selecting the ‘Use full IQ’ checkbox.

This new efficiency means that WFM uses only about 1.3 MB/s, and narrow band modes like NFM/AM/SSB only use about 120 kB/s of network data, which is easily achievable over a local network or the internet. This data usage is almost independent of the sampling rate/bandwidth selected, so you can stream the full 8 MHz offered by the Airspy without trouble. Normally streaming the full raw data for 8 MHz would use about 40 MB/s, which is difficult to achieve over a local network and impossible over the internet.

We tested the new SpyServer over our local network and were able to stream the full 8 MHz of the Airspy with no problems. With the RTL-SDR we were also able to stream 2.4 MHz without issue. WFM and NFM modes worked clearly and no skips or significant lag were noticed over a local WiFi N connection. Hopefully in the future SpyServer will be developed further to enable compressed audio streaming as well, for even lower network data usage.

SpyServer WFM Reception. About 1.3 MB/s network usage.
SpyServer NFM Reception. About 120 kB/s network usage.

Some Operational Notes:

  • To run SpyServer on Windows simply double click on spyserver.exe. On Linux extract “spyserver_linux_x86” and the config file, and then run “sudo chmod +x spyserver_linux_x86”. Then run it with “./spyserver_linux_x86”.
  • Connect to it on the remote PC in SDR# using the server’s IP address, which can be found by typing “ipconfig /all” in the Windows command prompt, or “ifconfig” on Linux.
  • To select between using the Airspy and RTL-SDR for the SpyServer you will need to edit the spyserver.config file with a text editor and edit the “device_type” string.
  • SpyServer runs on Windows/Linux as well as on small embedded computers such as Raspberry Pis and Odroids. Download the Raspberry Pi and Odroid servers separately from SDR# at http://airspy.com/download.
  • SpyServer is NOT compatible with software that expects an rtl_tcp server such as SDRTouch.

We have also seen Lucas Teske of the OpenSatellite project use the SpyServer for streaming a GOES16 downlink over a network connection with an Odroid C2. He writes that soon the OpenSatellite project software will directly support SpyServer.

Comparing Two LNA’s for HRIT/LRIT (GOES) Reception

Over on his blog Lucas Teske has been comparing the LNA4ALL and an SPF5189 LNA from eBay on HRIT/LRIT reception from GOES satellites. SPF5189 LNAs can be found on eBay for less than $8 USD with free shipping from China, whereas the LNA4ALL costs 27 Euros shipped from Croatia. GOES is a geosynchronous orbit weather satellite which requires a satellite dish or other high gain antenna to receive. It downlinks at about 1.7 GHz, which means that a high quality LNA with a low noise figure and good PCB design is needed for reception.

In his post Lucas mentions that he saw a review on eBay stating that the SPF5189 did not work at L-band. He found that odd, as all of his SPF5189 LNAs seemed to work just fine for L-band reception. So he ran a benchmark comparing the SPF5189 to the PSA5043+ based LNA4ALL, which is known to work well on L-band.

From his comparisons he found that the SPF5189 does indeed work well on L-band, and is comparable to the LNA4ALL. He concludes that the reviewer must have received a bad unit, or didn’t know what he was doing.

Lucas also makes an important note regarding the PCB design of these LNAs. Even though the SPF5189 and PSA5043 chips have similar specs, with LNAs the design of the PCB is crucial, as a poor design can significantly degrade performance. With the LNA4ALL you can be sure that the design is good, although the SPF5189 LNAs currently on eBay look to be designed okay as well. With some eBay sellers, though, there is no guarantee that you will receive a good board. We note that we have seen some really poor designs for PSA5043 LNAs out there as well.

The eBay SPF5189 LNA vs the LNA4ALL from 9A4QV

SDRplay RSP1 & RSP2 Now Support ADS-B Decoding on the Raspberry Pi 2 & 3

Over on the official SDRplay blog, head of marketing Jon has announced that the RSP1 & RSP2 are now compatible with their dump1090 ADS-B decoder for the Raspberry Pi 2 & 3. They write:

ADS-B for both RSP1 and RSP2 now available for the Raspberry Pi 2 & 3 – you can get the software from downloads – http://www.sdrplay.com/downloads

If you are an RSP2 user, make sure you use Antenna Port B.

The SDRplay RSP2

Italian Language RTL-SDR Book Now Available

For our Italian readers – recently we received a submission from Marco Cardelli (IZ5IOW) who wanted to let us know that he and his friend Andrea Possemato (IZ5TLU) have published a book in the Italian language about the RTL-SDR. He writes:

The main goal is to introduce the “newbie” to this interesting world of digital radios, demonstrating that SDR is not an expensive technology. Both authors also wrote one of the first books about Raspberry Pi in Italian. All books are available in on-line stores, or from the publisher: http://www.sanditlibri.it/sdr-rtl.html

For any other information, please use the contact forms published on Marco Cardelli’s website: http://www.marcocardelli.info.

The book costs 9,90€. We haven’t purchased the book ourselves as we cannot read Italian, so if you decide to purchase it please leave a review in the comments section to inform others of its quality.

The Italian RTL-SDR Book Cover

New Cross Country Wireless HF Preselector

A new reasonably priced 5-band HF preselector has been released by the company Cross Country Wireless, and it looks perfect for use with SDRs. The price is 56.95 GBP, which right now is about $72 USD. They write:

This can be used to provide additional front end selectivity for HF and medium wave receivers protecting the receiver from strong out of band transmissions, wideband noise and other transmitters on multi-station field days.

As the sunspot cycle declines and more listening is done on the lower HF bands with long wire antennas and strong NVIS signals then the HF Preselector is an ideal accessory to aid receiver performance.

It is invaluable when using simple conventional superhet or SDR receivers such as RTL-SDR dongles with upconverters or SDRPlay with large HF antennas.

It is an ideal tool to reduce ADC overload on the Icom IC-7300 with the new second receiver socket modification kit.

It can also be used with other transceivers that have sockets for a separate receiver input and receive antenna output.

It also covers the medium wave broadcast band for MW DXers.

The Preselector is a passive high Q design that does not use an additional amplifier or require external power.

  • Frequency tuning range: 0.5 to 52 MHz in five bands
  • Input impedance: 50 ohms
  • Output impedance: 50 ohms
  • Bypass option on switch
  • Galvanic isolation between input and output
  • Insertion loss: 2 dB
  • Selectivity: See HP network analyser plots below
  • Connectors: BNC female (RF in 50 ohms), BNC female (RF out)
  • Tough polycarbonate case
  • CCW Z Match
    Overall dimensions: 125 mm (L) x 85 mm (W) x 55 mm (H)
  • Weight: 192 g
The Cross Country Wireless HF Preselector

Titus II SDR Updates

Over on the swling.com blog we’ve seen news of an update regarding the PantronX Titus II SDR. The last update we had was in January. Swling.com contributor Richard Langley writes:

There was a segment on the latest episode of AWR’s Wavescan (9 April 2017) about the Titus II DRM receiver recorded during the recent HFCC meeting in Jordan. In it, it was stated that the shipment of the first 1500 units was expected at the end of March or by the first half of April. It included some discussion of added shielding to prevent digital noise and of the high sensitivity of the receiver compared to other DRM units.

Head over to the swling.com post to listen to the Wavescan podcast announcement.

The Titus II is an Android tablet + SDR combination that is due to be released in the near future. Its main purpose is reception of Digital Radio Mondiale (DRM), a digital broadcasting standard used on the HF frequencies which partly replaces standard shortwave AM radio. The Titus II hopes to be one of the first low cost receiver solutions for this market, and as a wideband SDR it should work for many other applications too. From the advertised frequency range of 100 kHz – 2 GHz we speculate that it will be using the Mirics SDR chipset, which is the same chipset as used in the SDRplay. The target price is under $100 USD.

The Titus II Portable SDR

Reverse Engineering and Controlling an RC Toy Tank with a HackRF and GNU Radio

Last year during a Russian wireless ‘capture the flag’ (CTF) competition one of the goals was to reverse engineer a remote controlled toy tank, and then to control it with a HackRF. One of the Russian CTF teams has posted a thorough write up on the reverse engineering process that was used on the toy tank (the link is in Russian, but Google Translate works okay).

The write up first shows the reception of the signal from the wireless controller, and then moves on to show how to receive it in GNU Radio and obtain a time domain graph of the digital signal. From the pulses it is simple to visually work out the binary string. Next an instruction decoder is created in GNU Radio which automatically obtains the binary string from the signal directly. Then, once the codes for back, forward, left and right were obtained, it was possible to write another GNU Radio program to transmit these codes to the RC toy tank from the HackRF.
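The pulse-width step of that decoder, as an added example in plain Python rather than GNU Radio (this is not the CTF team’s code, and the OOK scheme, pulse lengths and command words are constructed for the demo, not the toy’s real encoding): the sampled waveform is collapsed into run lengths, each carrier pulse is classified as a long or short pulse to recover the bit string, and the bit string is looked up against a codebook of known commands.

```python
from itertools import groupby

# Constructed OOK scheme for this demo (not the toy's real encoding, which the write-up
# recovers from the captured waveform): a '1' bit is a long carrier pulse, a '0' bit a
# short one, and every pulse is followed by a short gap. Samples are 1 (carrier) or 0.
SHORT = 4   # samples in a short pulse / gap
LONG = 12   # samples in a long pulse
THRESHOLD = (SHORT + LONG) // 2


def run_lengths(samples):
    """Collapse the waveform into (level, length) runs: the pulse widths one reads off a time-domain plot."""
    return [(level, len(list(run))) for level, run in groupby(samples)]


def decode_bits(samples):
    """Classify each high run by width to recover the transmitted bit string."""
    return "".join("1" if length >= THRESHOLD else "0"
                   for level, length in run_lengths(samples) if level == 1)


def identify(samples, codebook):
    """Instruction decoder: map a recovered bit string to a known command name, or None."""
    bits = decode_bits(samples)
    return next((name for name, word in codebook.items() if word == bits), None)


def encode_bits(bits):
    """Constructed transmitter model, used only to build test waveforms."""
    out = []
    for b in bits:
        out += [1] * (LONG if b == "1" else SHORT) + [0] * SHORT
    return out


# Hypothetical command words (constructed, not the tank's real codes).
CODEBOOK = {"forward": "10110010", "back": "10110001", "left": "10110100", "right": "10111000"}


def demo():
    # A capture of 'left' surrounded by idle time, and a word that matches no known command.
    capture = [0] * 20 + encode_bits(CODEBOOK["left"]) + [0] * 20
    unknown = encode_bits("11111111")
    return decode_bits(capture), identify(capture, CODEBOOK), identify(unknown, CODEBOOK)
```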

HackRF used to control an RC toy tank