Oliver’s GNU Radio program can now combine four RTL-SDR dongles and pipe the combined output through a FIFO into GQRX. With four dongles the combined bandwidth comes to 8.4 MHz. He also writes that it is even possible to listen to analog signals that fall in the overlapping areas between dongles.
Four RTL-SDRs producing a total of 8.4 MHz of bandwidth in GQRX.
Some more SDR and RF related talks from Defcon 23. See our previous posts [1][2] for the other talks we have already covered.
Colby Moore – Spread Spectrum Satcom Hacking
Recently there have been several highly publicized talks about satellite hacking. However, most only touch on the theoretical rather than demonstrate actual vulnerabilities and real world attack scenarios. This talk will demystify some of the technologies behind satellite communications and do what no one has done before – take the audience step-by-step from reverse engineering to exploitation of the GlobalStar simplex satcom protocol and demonstrate a full blown signals intelligence collection and spoofing capability. I will also demonstrate how an attacker might simulate critical conditions in satellite connected SCADA systems.
In recent years, Globalstar has gained popularity with the introduction of its consumer focused SPOT asset-tracking solutions. During the session, I’ll deconstruct the transmitters used in these (and commercial) solutions and reveal design and implementation flaws that result in the ability to intercept, spoof, falsify, and intelligently jam communications. Due to design tradeoffs these vulnerabilities are realistically unpatchable and put millions of devices, critical infrastructure, emergency services, and high value assets at risk.
DEF CON 23 - Colby Moore - Spread Spectrum Satcom Hacking
DaKahuna and satanklawz – Introduction to SDR and the Wireless Village
In many circumstances, we all have to wear different hats when pursuing hobbies, jobs and research. This session will discuss the exploration and use of software defined radio from two perspectives; that of a security researcher and Ham Radio operator. We will cover common uses and abuses of hardware to make them work like transceivers that the Ham crowd is used to, as well as extending the same hardware for other research applications. Additionally we will highlight some of the applications of this knowledge for use at The Wireless Village! Come and join this interactive session; audience participation is encouraged.
DEF CON 23 - DaKahuna and satanklawz - Introduction to SDR and the Wireless Village
Lin Huang and Qing Yang – Low cost GPS simulator: GPS spoofing by SDR
It is known that the GPS L1 signal is unencrypted, so that someone can produce or replay a fake GPS signal to make GPS receivers get wrong positioning results. Many companies provide commercial GPS emulators, which can be used for GPS spoofing, but the commercial emulators are quite expensive, or at least not free. Now we have found that by integrating some open source projects related to GPS we can produce a GPS signal through SDR tools, e.g. USRP / bladeRF. This makes the attack cost very low. It may influence all civilian-use GPS chipsets. In this presentation, the basic GPS system principle, signal structure, and mathematical models of pseudo-range and the Doppler effect will be introduced. The useful open source projects on the Internet will be shared with attendees.
DEF CON 23 - Lin Huang and Qing Yang - Low cost GPS simulator: GPS spoofing by SDR
Over on his blog Andrew has posted a good writeup in which he measures the QRM (interference) produced by a PLT (power line transmission) device. PLTs are also known as ethernet/internet over powerline devices: they plug into an electricity socket and use the household mains wiring to create a computer network, eliminating the need for ethernet cables or WiFi. However, many hams and radio hobbyists dislike these devices because they believe they can cause a significant amount of radio interference, especially on HF.
In his investigation Andrew bought a pair of Netgear Powerline 500 PLTs. He plugged them in and started streaming a movie over the powerline network connection to cause maximum radiation. Then, using his Funcube dongle and SDR#, he scanned the ham bands to see whether the devices introduced any noise.
In his results Andrew writes that he barely saw any interference caused by these devices. Some interference was noticed at 17 meters and 12 meters, but he notes that the amateur portion was left relatively unaffected. Many hams believe these devices can completely wipe out HF, but it seems that this is untrue, at least for this particular PLT model.
Back in November 2015 we posted about the ARM Radio, a minimalist direct sampling software defined radio that runs almost entirely on the ARM processor of an STM32F429 discovery board. It can tune from about 8 kHz up to 900 kHz, which covers the VLF, LF and part of the MF bands.
Now over on YouTube amateur radio hobbyist W9RAN has uploaded a video in which he demonstrates an ARM Radio that he built. He shows the radio in operation, clearly receiving some NDBs and some AM broadcast stations.
The author of hamradioscience.com has posted a review of the SDRplay RSP software defined radio. The SDRplay is a $150 USD SDR that can be considered the next step up from the RTL-SDR dongle. We consider it somewhat of a competitor to the Airspy SDR ($199 USD).
The review goes over the marketed specs, what you get in the box, software, support and its real world performance. The review is positive and the author concludes:
At the $150 price point there just isn’t much to complain about. The SDRplay represents an excellent value in a low cost wideband SDR receiver. If you are currently considering getting involved with SDR radio, or want to trade up from the RTL dongle world, then the SDRplay should definitely be on your short list.
If you are interested in mid level SDRs like the SDRplay then keep an eye out for our own review on RTL-SDR.com coming out in the next few weeks. We will be doing an in depth review and comparison of the Airspy, SDRplay and HackRF.
The maximum usable and stable bandwidth of an RTL-SDR is about 2.4 MHz. To get a larger bandwidth it is possible to combine two or more dongles, although doing so comes with a big limitation: since the sample clocks and signal phases of separate dongles are not synchronised, a single wideband signal that spans the seam between two dongles cannot be coherently decoded this way. Combining dongles is still useful for visualizing a wider spectrum in an FFT plot, or for decoding several separate narrowband signals that each fall entirely within one dongle’s bandwidth. Although creating a wideband FFT plot with multiple dongles is fairly simple, we haven’t seen much software do this before.
Now RTL-SDR.com reader Oliver has written in to show us the GNU Radio script he’s been using to combine the bandwidths of two RTL-SDR dongles into a 4.4 MHz FFT display. The script can produce either a combined 4.4 MHz spectrum with no centre dip, or a 4.8 MHz spectrum that shows a dip at the centre caused by the roll-off at each dongle’s band edges. Oliver writes:
I simply took two RTL-SDR dongles at their maximum bandwidth of 2.4 MHz, resampled the signals to 4.8 MHz, then shifted the first signal down by 1 MHz, the other one 1 MHz up, added them together, divided the combined signal by 2 and finally fed it into a FFT plot.
At first, I tried shifting the signals by 1.2 MHz to get the full 4.8 MHz, but I realized that I had a notch in the center, so I reduced the frequency shift until I had no notch anymore.
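Oliver’s recipe, rebuilt here as an added NumPy example on constructed data (this is not his GNU Radio script): two simulated 2.4 MHz dongle captures are resampled to 4.8 MHz, shifted down and up by the chosen amount, summed, halved and FFT’d. The dongle model, including its band-edge roll-off (assumed flat to ±1.0 MHz and falling to zero at ±1.2 MHz), the tone frequencies and the noise level are all assumptions; it also runs the ±1.2 MHz shift he tried first, which reproduces the centre notch, and the ±1.0 MHz shift that removes it. Requires numpy.

```python
import numpy as np

# Constructed parameters for this example (not values from Oliver's script).
FS_DONGLE = 2.4e6      # usable sample rate of one RTL-SDR
FS_OUT = 4.8e6         # rate both streams are resampled to before combining
N_DONGLE = 2400        # samples per dongle block -> 1 kHz FFT bins
N_OUT = N_DONGLE * 2   # 4800 samples at 4.8 MHz -> still 1 kHz bins

# Assumed model of the tuner's anti-alias filter: flat out to +/-1.0 MHz, then
# a linear roll-off to zero at the +/-1.2 MHz band edge.  The real filter shape
# differs, but any roll-off near the edge produces the centre notch described.
ROLLOFF_FLAT_HZ = 1.0e6
ROLLOFF_STOP_HZ = 1.2e6


def edge_gain(freqs_hz):
    """Gain of the assumed band-edge roll-off at each baseband frequency."""
    a = np.abs(freqs_hz)
    return np.clip((ROLLOFF_STOP_HZ - a) / (ROLLOFF_STOP_HZ - ROLLOFF_FLAT_HZ), 0.0, 1.0)


def simulate_dongle(tune_offset_hz, tone_offsets_hz, seed=0):
    """Constructed stand-in for one RTL-SDR capture.

    tune_offset_hz:  where this dongle is tuned, relative to the centre of the
                     combined spectrum (negative = tuned below the centre).
    tone_offsets_hz: CW tones present on air, relative to that same centre.
    Returns N_DONGLE complex baseband samples at FS_DONGLE, with tones outside
    the +/-1.2 MHz passband dropped, the roll-off applied, and a little noise.
    """
    rng = np.random.default_rng(seed)
    t = np.arange(N_DONGLE) / FS_DONGLE
    x = np.zeros(N_DONGLE, dtype=complex)
    for f in tone_offsets_hz:
        bb = f - tune_offset_hz              # tone as seen by this dongle
        if abs(bb) < FS_DONGLE / 2:
            x += np.exp(2j * np.pi * bb * t)
    x += 0.01 * (rng.standard_normal(N_DONGLE) + 1j * rng.standard_normal(N_DONGLE))
    X = np.fft.fft(x)                        # apply the roll-off in the frequency domain
    X *= edge_gain(np.fft.fftfreq(N_DONGLE, 1.0 / FS_DONGLE))
    return np.fft.ifft(X)


def resample_2x(x):
    """Interpolate a 2.4 MHz block to 4.8 MHz by zero-padding its spectrum
    (the ideal lowpass interpolation that an FIR resampler approximates)."""
    n = len(x)
    X = np.fft.fft(x)
    Y = np.zeros(2 * n, dtype=complex)
    Y[: n // 2] = X[: n // 2]
    Y[-n // 2 :] = X[-n // 2 :]
    return 2.0 * np.fft.ifft(Y)              # x2 keeps the time-domain amplitude


def combine_two_dongles(low_block, high_block, shift_hz):
    """Resample both to 4.8 MHz, shift the low-tuned dongle down and the
    high-tuned one up by shift_hz, add, and divide by two."""
    t = np.arange(N_OUT) / FS_OUT
    low = resample_2x(low_block) * np.exp(-2j * np.pi * shift_hz * t)
    high = resample_2x(high_block) * np.exp(+2j * np.pi * shift_hz * t)
    return (low + high) / 2.0


def power_db(x):
    """FFT power in dB, bins ordered from -FS_OUT/2 to +FS_OUT/2 in 1 kHz steps."""
    X = np.fft.fftshift(np.fft.fft(x))
    return 20.0 * np.log10(np.abs(X) + 1e-12)


def bin_of(freq_hz):
    """Index into power_db() output for a frequency relative to the combined centre."""
    return int(round(freq_hz / (FS_OUT / N_OUT))) + N_OUT // 2


def wideband_spectrum(tone_offsets_hz, shift_hz):
    """Tune one dongle shift_hz below the centre and one shift_hz above it,
    then combine them and return the power spectrum of the result."""
    low = simulate_dongle(-shift_hz, tone_offsets_hz, seed=1)
    high = simulate_dongle(+shift_hz, tone_offsets_hz, seed=2)
    return power_db(combine_two_dongles(low, high, shift_hz))


# Constructed on-air scene: six tones spread across +/-2 MHz around the centre.
TONES_HZ = [-2.0e6, -1.5e6, -0.3e6, 0.0, 0.7e6, 1.9e6]

if __name__ == "__main__":
    for shift in (1.0e6, 1.2e6):
        spec = wideband_spectrum(TONES_HZ, shift)
        print(f"shift +/-{shift / 1e6:.1f} MHz: tone at centre {spec[bin_of(0.0)]:6.1f} dB, "
              f"median bin {np.median(spec):6.1f} dB")
```

With the ±1.0 MHz shift every tone, including the one at the seam, shows up well above the noise, because the 0.4 MHz overlap lets each dongle cover the other’s roll-off region. With the ±1.2 MHz shift the two roll-offs meet at the centre with nothing to cover them, and the centre tone disappears into the noise.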
I walked out to my car from Bunnings, and there was a new HSV Maloo parked in front of me with the owner staring at his key fob and shaking his head.
I said “let me guess, car won’t open?” and he said yeah, and he’d been trying for about 5 minutes. I said that I’d had the same thing happen to me a few months back in the same spot, and then went to open my car.
Nothing. No beep, door stayed locked. Looked around and there was another couple trying to get into their car as well (late model C Class).
It took about 5 minutes of me trying the door every 20 seconds or so before it opened. HSV owner was still there when I left. The only thing he and I could think of causing it was the mobile phone tower in front of Aldi.
After reading the post, user u/riumplus decided to go out to the same spot with his Funcube dongle SDR to see if there was any interference that might explain the issues. He found no such interference. However, when he pressed the wireless entry button on his own keyfob he noticed reflections of the main transmission coming from the building’s walls. He wrote:
Toorcon is a yearly conference that focuses on information security related topics. At the 2015 Toorcon conference Michael Ossmann (inventor of the HackRF SDR) gave an interesting talk about reverse engineering wireless systems using software defined radio.
Back in November Michael gave a quick tutorial on reverse engineering in an edition of the YouTube web series Hak5. Now his full conference talk has been released on his website. In the talk he uses a HackRF and a YARD Stick One to show how to reverse engineer a wireless cabinet lock.