Software defined radio talks from Defcon 23

Defcon is a yearly conference that focuses on computer security and hacking. In recent years it has included a “Wireless Village” track with talks about all things wireless. This year several of the talks related to software defined radio in some way. Some of these have now been uploaded to YouTube, and below we present the ones we have found; let us know if we missed any interesting ones.

Balint Seeber – SIGINT & Blind Signal Analysis w/ GNU Radio & SDR

The workshop will cover many common techniques used to reverse engineer the physical layer of a wireless communications system:

– Blind signal analysis on signals re-broadcast from a satellite transponder: modulation type, order, symbol rate, error correction, scrambling, differential coding, visualization

– Applying auto-correlation to interesting signals on the HF band: RADAR, OFDM, symbol timing

– Frequency hopping: wide-band, real-time spectrum visualization

All with GNU Radio!

DEF CON 23 - Wireless Village - Balint Seeber - SIGINT & Blind Signal Analysis w/ GNU Radio & SDR

Tim Oshea – GNU Radio Tools for Radio Wrangling/Spectrum Domination

An overview of modern tools available in GNU Radio and the greater GNU Radio ecosystem for building, testing, inspecting and playing with radio system physical layers in gory detail.

DEF CON 23 - Wireless Village - Tim Oshea - GNU Radio Tools for Radio Wrangling/Spectrum Domination

Michael Calabro – Software Defined Radio Performance Trades & Tweaks

This workshop is targeted at new and experienced software defined radio (SDR) operators, developers, and enthusiasts seeking a better end-to-end system understanding, and anyone looking to maximize their SDR’s performance. Commercially available SDRs (e.g. USRPs, RTL-SDRs, BladeRFs, etc) are commonly used to fuzz wireless interfaces, deploy private cellular infrastructure, conduct spectrum surveys, and otherwise interact with a wide variety of custom and commercial devices. This workshop focuses on the key parameters and performance drivers in SDR setup and operation that elevate these common platforms to the level of fidelity required to interact seamlessly with commercial devices and networks.

The workshop will begin by surveying different SDR hardware architectures and summarizing the performance tradespaces of several SDR applications (e.g. collection/survey/transmit). Then the workshop will break down into three main content focuses:

Understanding SDR Hardware: Breakdown common RF frontend and receiver architectures. Identify and derive key performance parameters, and when they will bound performance. Topics covered will include: Noise figure calculation, internal amplification, Frequency selectivity, external RF chains, and noise sources.

Understanding SDR Platform Objectives: Collection, transmission, surveying, and other applications, each present unique challenges to SDRs and will be limited by different dimensions of SDR processing and/or setup configuration. Topics covered include: real-time processing, host buffering, sampling, guard-intervals, framework selection (GRC vs REDHAWK vs MATLAB vs custom), and frequency and time domain signal representation.

Optimizing and Improving Performance: Now that the hardware and platform trade space have been characterized, how do attendees meet and exceed the performance requirements of their application? We will present specific examples for several common platforms (RTL-SDR and USRP). Topics covered will include clock selection, ADC dynamic range, FPGA/SoC offloading, RFIC configuration, CIC filters, sampling, DC biases, antenna selection & pointing, host buffering / processing, and cost-performance trades.

DEF CON 23 - Wireless Village - Michael Calabro - Software Defined Radio Performance Trades & Tweaks

Karl Koscher – DSP for SDR

The barrier to entry in software-defined radio is now almost non-existent. Wide band, receive-only hardware can be obtained for as little as $10, and tools like gqrx and SDR# make it extremely easy to get started listening to signals. However, there is a steep learning curve graduating from an SDR script kiddie to developing your own SDR tools. In this talk, I’ll cover the basic theory behind software-defined radios, digital signal processing, and digital communication, including I/Q samples, FIR filters, timing and carrier recovery, and more.

DEF CON 23 - Wireless Village - Karl Koscher - DSP for SDR

In addition to these Wireless Village talks there was also an interesting talk by Samy Kamkar in which he explains how he uses SDR in his vehicle security research.

Samy Kamkar – Drive it like you Hacked it: New Attacks and Tools to Wireles

Gary Numan said it best. Cars. They’re everywhere. You can hardly drive down a busy freeway without seeing one. But what about their security?

In this talk I’ll reveal new research and real attacks in the area of wirelessly controlled gates, garages, and cars. Many cars are now controlled from mobile devices over GSM, while even more can be unlocked and ignitions started from wireless keyfobs over RF. All of these are subject to attack with low-cost tools (such as RTL-SDR, GNU Radio, HackRF, Arduino, and even a Mattel toy).

We will investigate how these features work, and of course, how they can be exploited. I will be releasing new tools and vulnerabilities in this area, such as key-space reduction attacks on fixed-codes, advanced “code grabbers” using RF attacks on encrypted and rolling codes, and how to protect yourself against such issues.

By the end of this talk you’ll understand not only how vehicles and the wirelessly-controlled physical access protecting them can be exploited, but also learn about various tools for car and RF research, as well as how to use and build your own inexpensive devices for such investigation.

Ladies and gentlemen, start your engines. And other people’s engines.

Samy Kamkar is a security researcher, best known for creating The MySpace Worm, one of the fastest spreading viruses of all time. He (attempts to) illustrate terrifying vulnerabilities with playfulness, and his exploits have been branded:

“Controversial”, -The Wall Street Journal
“Horrific”, -The New York Times
“Now I want to fill my USB ports up with cement”, -Gizmodo

He’s demonstrated usurping typical hardware for surreptitious means such as with KeySweeper, turning a standard USB wall charger into a covert, wireless keyboard sniffer, and SkyJack, a custom drone which takes over any other nearby drones allowing them to be controlled as a massive zombie swarm. He’s exposed issues around privacy, such as by developing the Evercookie which appeared in a top-secret NSA document revealed by Edward Snowden, exemplifying techniques used by governments and corporations for clandestine web tracking, and has discovered and released research around the illicit GPS and location tracking performed by Apple, Google and Microsoft mobile devices. He continues to produce new research and tools for the public as open source and open hardware.

DEF CON 23 - Samy Kamkar - Drive it like you Hacked it: New Attacks and Tools to Wireles

An online Software Defined Radio training course

We’ve recently found what looks to be a new online video based course that uses the RTL-SDR to teach basic software defined radio topics. The course is not free, it is priced at $29.99, but the first three videos are free. Judging from the first three videos the content appears to be quite basic, but is presented in a very clear way that may be useful for beginners. Currently the lessons include:

  1. Course Overview 

    Welcome to the exciting world of Software Defined Radio. In this video, we’ll discuss what SDR is, and why it’s such a hot button topic right now.

  2. Setting up the environment

    In this module, we’ll setup our environment for development. If you’re already very comfortable with Ubuntu, you might want to just follow the guide below.

  3. Browsing the spectrum 

    In this module, we’ll cut our teeth on gqrx, and learn a little about the radio spectrum.

  4. Signals Intelligence

    In this module, we’ll learn how to find transmissions in the frequency domain, and capture them to disk for offline analysis.

  5. Modulations

    In this module, we’ll learn how to identify two types of basic digital transmissions, and talk a little about the history of radio.

  6. Demodulation – Part 1

    In this module, we’ll practice capturing signals in the wild, identifying the modulation, and demodulating the signal with GNU Radio.

  7. Demodulation – Part 2

    In this module, we’ll learn about clock recovery. And we’ll pull out packets from the garage door remote.

It also appears that they plan to have some live classes in the future.

We note that there are also alternative SDR training courses available such as Michael Ossmann’s lessons at greatscottgadgets.com/sdr.


rtl_power_fftw: An improved version of rtl_power designed for radio astronomy

As the RTL-SDR’s maximum usable bandwidth is about 2.8 MHz, programs like rtl_power were written to scan over wider bandwidths by quickly hopping between different swaths of the frequency spectrum and then stitching the data together.

A new, improved version of rtl_power called rtl_power_fftw has recently been developed and released. It is designed for radio astronomy use, but also overcomes several issues general users may encounter with rtl_power. One of the authors, Klemen, wrote in to us with this information:

I would like to tell you about a program we have been developing at Astronomical Society Vega – Ljubljana, namely one for measuring power spectra with RTL dongles.

It addresses several shortcomings of the rtl_power program shipped with librtlsdr. The most notable is that it uses a much faster FFT algorithm (from the fftw3 library) and separate threads for acquiring data and FFT processing. This means that even the lowly Raspberry Pi is capable of processing spectra of sizes up to ~1024 bins in real time (no slower than data acquisition). This enables the user to sample the spectrum continuously and more efficiently.

The other benefit is the output format: data is presented in a gnuplot-friendly way, so plotting is simple, and no data is mangled to create the illusion that spectral hopping is not needed: the FFT of each frequency hop is output separately, and the user can make an informed decision on how to process the data – the program stays out of this, to preserve the accuracy of the gathered data.

The program was developed for use in radio astronomy where all these things matter. Code is available on Github:

https://github.com/AD-Vega/rtl-power-fftw
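Since the program leaves the stitching of the per-hop spectra to the user, here is one way to make that decision explicitly. This is an added example written for this page, not part of rtl_power_fftw, and the text layout it parses is an assumption made for the example ('#' comment lines, then "frequency_hz power_db" rows, hops separated by a blank line); check the program's actual output format before pointing this at it. The policy shown trims the outermost bins of each hop, where the dongle's anti-alias filter is assumed to roll off, and averages whatever overlap remains in linear power rather than in dB.

```python
# Added example, not part of rtl_power_fftw: one way to post-process per-hop
# spectra of the kind the author describes, where each frequency hop's FFT is
# written out separately and the stitching is left to the user. The text format
# parsed here is an ASSUMPTION for the example ('#' comment lines, then
# "frequency_hz power_db" rows, hops separated by a blank line); check the real
# program's output before pointing this at it. The stitching policy shown trims
# the outermost bins of each hop, where the tuner's anti-alias filter rolls off
# (assumed), and averages any remaining overlap in linear power, not in dB.
import math

# Constructed sample: two hops with overlapping bins and a 10 dB step between them.
SAMPLE_OUTPUT = "\n".join(
    ["# hop 1"] + [f"{f} -50.0" for f in range(0, 10)] + [""] +
    ["# hop 2"] + [f"{f} -40.0" for f in range(6, 16)] + [""]
)


def parse_hops(text: str) -> list:
    """Return a list of hops, each a list of (freq_hz, power_db), split on blank lines."""
    hops, current = [], []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            if current:
                hops.append(current)
            current = []
            continue
        if line.startswith("#"):
            continue
        f, p = line.split()
        current.append((float(f), float(p)))
    if current:
        hops.append(current)
    return hops


def db_to_lin(db: float) -> float:
    return 10 ** (db / 10)


def lin_to_db(lin: float) -> float:
    return 10 * math.log10(lin)


def stitch(hops: list, trim_bins: int = 1) -> list:
    """Trim edge bins of each hop, average overlaps in linear power, return sorted (f, dB)."""
    acc = {}
    for hop in hops:
        kept = hop[trim_bins:len(hop) - trim_bins] if trim_bins else hop
        for f, p in kept:
            acc.setdefault(f, []).append(db_to_lin(p))
    return [(f, lin_to_db(sum(v) / len(v))) for f, v in sorted(acc.items())]


def overlap_bins(hops: list) -> list:
    """Frequencies that appear in more than one hop; a quick sanity check on the hop plan."""
    counts = {}
    for hop in hops:
        for f, _ in hop:
            counts[f] = counts.get(f, 0) + 1
    return sorted(f for f, c in counts.items() if c > 1)


if __name__ == "__main__":
    hops = parse_hops(SAMPLE_OUTPUT)
    print("overlapping bins:", overlap_bins(hops))
    for f, p in stitch(hops):
        print(f"{f:8.0f} Hz  {p:7.2f} dB")
```

Averaging in dB instead of linear power would bias the overlap bins low (the mean of -50 and -40 dB is -45 dB, whereas the mean power is about -42.6 dB), which is the sort of quiet error that matters when the spectra are meant for measurement rather than for a pretty waterfall.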

New Mini RTL-SDR Dongle Available from Nooelec

The Nooelec store has recently come out with a new small RTL-SDR model called the Nano 2, which appears to be an improved version of the old tiny square dongles. The new ones are sized at 24mm x 21mm x 8mm and come in a new plastic case with vent holes to prevent overheating. They also come with the newer R820T2 tuner chip. This appears to be a good improvement over the older models, which were reported to have overheating and thermal frequency drift issues.

These small dongles look to be great for embedded or mobile phone applications that have space restrictions.

The new dongle is currently selling for $24.95 USD + $1.99 shipping.

The Nano 2 with vent holes in the case.
The Nano 2 circuit.

Hak5: Reverse Engineering Radio Protocols with SDR and the Yardstick One

Over on YouTube the popular security and hacking themed channel Hak5 has created two videos together with Mike Ossmann (creator of the HackRF and Yardstick One) that give a good introduction to reverse engineering unknown radio protocols. In the videos they show how to use an SDR such as the RTL-SDR or HackRF to capture the radio signal first, and then how to use the Yardstick One to reverse engineer and recreate it. Using this process they reverse engineer the radio protocol of a wireless liquor cabinet lock.

The Yardstick One is a computer controlled sub-1 GHz wireless transceiver built around a TI CC1111 radio chip, not an SDR. The chip’s hardware modem handles the common modulations (OOK/ASK, FSK and relatives) directly, and the device is driven from Python through RfCat, which lowers the learning barrier for reverse engineering and replaying signals.

Mike Ossmann has also been slowly releasing very detailed video tutorials about DSP and radio related topics. If you are interested in reverse engineering radio signals it is a very helpful series to watch.

Radio Hacking: Reverse Engineering Protocols Part 1 - Hak5 1913

Radio Hacking: Reverse Engineering Protocols Part 2 - Hak5 1914
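The two halves of the process the videos walk through, capturing an on/off keyed signal and then recreating it, can be worked on a constructed capture. The block below is an added example written for this page, not code from the Hak5 episodes or from Mike Ossmann. The modulation parameters are hypothetical (pulse-width modulation with a 400 µs unit, '1' = two units on then one off, '0' = one unit on then two off, MSB first, ten units of silence between repeats, and an envelope sampled at 100 kS/s); a real remote will differ, and finding those numbers is the reverse engineering step the videos demonstrate.

```python
# Added example, not code from the Hak5 episode or from Mike Ossmann: the two
# steps the video walks through, worked on a constructed capture. First the
# envelope of an OOK (on/off keyed) transmission is turned into a table of pulse
# widths and decoded to bits; then the bits are re-encoded into the raw symbol
# bytes a transmitter such as the Yardstick One would send. The modulation is
# HYPOTHETICAL: pulse-width modulation with a 400 us unit, '1' = 2 units high +
# 1 unit low, '0' = 1 unit high + 2 units low, MSB first, 10 units of silence
# between repeats of the frame.

SAMPLE_RATE = 100_000                          # envelope sample rate, S/s (assumed)
UNIT_US = 400                                  # one PWM unit, microseconds (assumed)
UNIT = SAMPLE_RATE * UNIT_US // 1_000_000      # 40 samples per unit
GAP_UNITS = 10


def encode(bits: str) -> str:
    """Bits -> string of unit symbols ('1' carrier on, '0' carrier off) for one frame."""
    body = "".join("110" if b == "1" else "100" for b in bits)
    return body + "0" * GAP_UNITS


def symbols_to_bytes(symbols: str) -> bytes:
    """Pack unit symbols MSB first into bytes (zero padded): raw OOK at 1/UNIT_US baud."""
    padded = symbols + "0" * (-len(symbols) % 8)
    return bytes(int(padded[i:i + 8], 2) for i in range(0, len(padded), 8))


def symbols_to_envelope(symbols: str, amplitude: float = 0.8, noise: float = 0.05) -> list:
    """Constructed 'capture': per-sample envelope with small deterministic jitter."""
    env = []
    for i, s in enumerate(symbols):
        for j in range(UNIT):
            jitter = noise * (((i * 7 + j * 13) % 11) / 11.0 - 0.5)
            env.append((amplitude if s == "1" else 0.0) + jitter)
    return env


def runs(envelope: list) -> list:
    """Threshold at mid-scale and return (level, length_in_samples) runs."""
    threshold = (max(envelope) + min(envelope)) / 2
    out = []
    for x in envelope:
        level = 1 if x > threshold else 0
        if out and out[-1][0] == level:
            out[-1][1] += 1
        else:
            out.append([level, 1])
    return [(lvl, n) for lvl, n in out]


def pulse_table_us(envelope: list) -> list:
    """What you would read off a waterfall or scope: (level, width in microseconds)."""
    return [(lvl, n * 1_000_000 / SAMPLE_RATE) for lvl, n in runs(envelope)]


def decode(envelope: list) -> list:
    """Decode every frame in the envelope; returns a list of bit strings."""
    r = runs(envelope)
    unit = min(n for _, n in r)            # shortest run is one PWM unit
    frames, bits = [], []
    for lvl, n in r:
        units = round(n / unit)
        if lvl == 1:
            bits.append("1" if units >= 2 else "0")
        elif units >= GAP_UNITS // 2:      # a long silence ends the frame
            if bits:
                frames.append("".join(bits))
            bits = []
    if bits:
        frames.append("".join(bits))
    return frames


if __name__ == "__main__":
    capture = symbols_to_envelope(encode("101100111010") * 2)   # two repeats, as a keyfob sends
    print(pulse_table_us(capture)[:6])
    print(decode(capture))
    print(symbols_to_bytes(encode(decode(capture)[0])).hex())
```

The pulse table is the artefact to compare against what the video shows on the waterfall: once the unit width and the two pulse shapes are known, the decoder and the re-encoder are a few lines each, and the packed bytes are what a raw-OOK transmitter is handed at a symbol rate of 1/UNIT_US.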

Using the RTL-SDR as a Panadapter for a Kenwood TS-570D

Over on YouTube user SA6 HAM has uploaded a video showing how to modify a Kenwood TS-570D so that an RTL-SDR dongle can be connected to its first IF stage in order to create a low cost panadapter. A panadapter is a device that allows you to visually view RF signals with an FFT or waterfall display on a regular analogue hardware radio. Some radios have IF output ports on the case, but older radios tend to need internal modification to expose the IF as a port.

In the video SA6 HAM opens up his Kenwood TS-570D radio and shows exactly where to connect the RTL-SDR dongle’s antenna connector on the inside.

Kenwood TS-570D Panadapter modification with an 820T2 RTL SDR dongle

ARM Radio: A Cheap SDR built out of an ARM Processor and not much more

A software defined radio can in principle be made out of little more than a microprocessor with an onboard ADC and some DSP code. This is exactly what Alberto di Bene (I2PHD) achieved by connecting an antenna directly to the onboard 12-bit ADC of an STM32F429 Discovery board.

To make it work as an SDR he wrote code for the board’s ARM processor that processes the ADC samples into a radio signal, demodulates it and then turns it into audio via the board’s DAC and speaker. The radio can tune from 8 kHz up to about 900 kHz.

The only extra hardware in Alberto’s system is a low pass filter for anti-aliasing and impedance transformation, and a reconstruction filter between the DAC and the speaker. He also used the board’s LCD screen to implement a full GUI tuning system.

A PDF document detailing his work can be downloaded here.

ARM Radio and its GUI interface.
The ARM Radio with the low pass filter and reconstruction filter shown.
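The receive chain described here, and the I/Q samples, FIR filters and demodulation that Karl Koscher’s DSP for SDR talk above covers, can be shown end to end in a few dozen lines. The block below is an added example written for this page, not code from Alberto di Bene’s ARM Radio or from the talk. It constructs a 12-bit ADC record of a directly sampled AM carrier, mixes it to complex baseband with a numerically controlled oscillator, low-pass filters with a windowed-sinc FIR, decimates and envelope-detects. The parameters (1.8 MS/s sampling, a station on 600 kHz carrying a 1 kHz tone at 50% modulation) are illustration values assumed for the example, not the ARM Radio’s.

```python
# Added example, not code from Alberto di Bene's ARM Radio or from Karl Koscher's
# talk: the receive chain both of them describe, in plain Python on a constructed
# ADC record. An AM carrier is sampled directly (no mixer in front of the ADC),
# mixed to baseband with a numerically controlled oscillator to obtain I/Q samples,
# low-pass filtered with a windowed-sinc FIR, decimated, and envelope-detected.
# ASSUMED parameters: 12-bit ADC at 1.8 MS/s, a station on 600 kHz carrying a
# 1 kHz tone at 50% modulation; these are illustration values, not the ARM Radio's.
import cmath
import math

FS = 1_800_000         # ADC sample rate, Hz (assumed)
FC = 600_000           # carrier of the constructed station, Hz
AUDIO = 1_000          # modulating tone, Hz
DECIM = 36             # 1.8 MS/s / 36 = 50 kS/s after the FIR
TAPS = 64
ADC_MID = 2048         # mid-scale bias of a 12-bit unipolar ADC


def adc_samples(n: int, mod_index: float = 0.5, amplitude: int = 1200) -> list:
    """Constructed 12-bit ADC record: biased AM carrier, never clipping (248..3848)."""
    out = []
    for k in range(n):
        t = k / FS
        am = (1 + mod_index * math.sin(2 * math.pi * AUDIO * t)) * math.cos(2 * math.pi * FC * t)
        out.append(int(round(ADC_MID + amplitude * am)))
    return out


def lowpass_taps(cutoff_hz: float, n: int = TAPS) -> list:
    """Hamming-windowed sinc low-pass FIR, normalised to unity gain at DC."""
    fc = cutoff_hz / FS
    m = n - 1
    taps = []
    for i in range(n):
        x = i - m / 2
        h = 2 * fc if x == 0 else math.sin(2 * math.pi * fc * x) / (math.pi * x)
        w = 0.54 - 0.46 * math.cos(2 * math.pi * i / m)
        taps.append(h * w)
    s = sum(taps)
    return [t / s for t in taps]


def ddc(samples: list, tune_hz: float, cutoff_hz: float = 10_000) -> list:
    """Digital down-converter: NCO mix to complex baseband, FIR low-pass, decimate by DECIM."""
    taps = lowpass_taps(cutoff_hz)
    mixed = [(s - ADC_MID) * cmath.exp(-2j * math.pi * tune_hz * k / FS)
             for k, s in enumerate(samples)]
    iq = []
    # The filter is only evaluated at the outputs that survive decimation.
    for start in range(0, len(mixed) - TAPS + 1, DECIM):
        acc = 0j
        for i in range(TAPS):
            acc += taps[i] * mixed[start + i]
        iq.append(acc)
    return iq


def am_demod(iq: list) -> list:
    """Envelope detector: |I + jQ| with the carrier's DC component removed."""
    mags = [abs(z) for z in iq]
    dc = sum(mags) / len(mags)
    return [m - dc for m in mags]


def tone_estimate_hz(audio: list, rate: float) -> float:
    """Rough pitch estimate from zero crossings (two per cycle)."""
    crossings = sum(1 for a, b in zip(audio, audio[1:]) if (a < 0) != (b < 0))
    return crossings / 2 * rate / len(audio)


def receive(n_samples: int = 36_000) -> list:
    """Whole chain on a 20 ms constructed record; returns audio at FS / DECIM."""
    return am_demod(ddc(adc_samples(n_samples), FC))


if __name__ == "__main__":
    audio = receive()
    print(len(audio), "audio samples at", FS // DECIM, "S/s")
    print("recovered tone ~", round(tone_estimate_hz(audio, FS / DECIM)), "Hz")
```

Two points carry over directly to the hardware build: the anti-alias low pass in front of the ADC is what keeps energy above FS/2 from folding onto the wanted station, which no amount of DSP can undo afterwards, and evaluating the FIR only at the decimated output positions is the trick that lets a small microcontroller keep up with the ADC.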

Raspberry Pi Docker Images for ADS-B and ACARS with the RTL-SDR

Docker is a Linux based platform that packages an application together with all of its dependencies into a self contained “container” image. Because the image is preconfigured, a container started from it works as soon as it is run, with no further configuration needed on the host.

Over on his blog SysRun has been developing an ADS-B ready docker image for use with the RTL-SDR on a Raspberry Pi embedded computer. His post shows how he prepared and built the docker image on the Pi and how to run the docker image.

In addition he has also uploaded another post showing how to prepare, build and run an ACARS decoding based docker image on the Raspberry Pi.

In the future SysRun also hopes to upload an AIS Docker tutorial.

Raspberry Pi + Docker + RTL-SDR