A Video Demonstration on Cracking a GSM Capture File

Over on YouTube Rob VK8FOES has been uploading some fairly comprehensive demonstrations and tutorials showing how to crack a GSM capture file which can be recorded with any SDR.

It's well known now that GSM (aka 2G) communications are insecure, as the encryption has been breakable on a standard PC for a long time. For this reason GSM is now mostly phased out; however, in many regions the GSM system is still operational in a reduced capacity due to legacy users, who are mostly industrial.

In his video Rob makes use of the open-source Airprobe GSM decoder tool, as well as the open-source Kraken tool (not to be confused with KrakenSDR), which is a brute force password cracking tool.

We want to note that doing this is only legal if it is your own communication that has been recorded, or you have permission from the communicating parties.

My GSM cracking content has been getting quite a lot of attention lately. Previous videos of mine relating to this topic were only boring screen recordings with no real explanation on what steps are required to crack the A5/1 stream cipher and decrypt GSM traffic by obtaining the Kc value.

I was bored one day and decided to present a live-style workflow of how hackers and security researchers 'crack' 2G cellular communications in real-time. Be warned that if you don't have an interest in cryptography or cellular network security, you might find this video rather boring.

The GSM capture file used in this video, to my knowledge, has never been publicly cracked before. 'capture_941.8M_112.cfile' was recorded and uploaded with permission by the owner of the data themselves as a decoding example for testing Airprobe.

I make a few mistakes in the video that I can't be bothered editing out. But they are not critical, just myself misreading a number at the 10 minute mark somewhere, and saying the wrong name of a software tool at 17 minutes.

Additionally, I am not a GSM technology engineer, nor a cryptography expert. I do my best to explain these concepts in a simple and easy to understand way. But due to my limited knowledge of these subjects, it's possible that some of this information may be incorrect or lacking context.

However, this video will still allow you to crack a real GSM capture file if you are able to follow along with my flip-flopping style of presentation. Haha. But please, only replicate this tutorial on GSM data that originated from YOUR OWN mobile phone. Do not attempt to decrypt private telecommunications from any other cellular subscriber, EVER.

Video Demonstrating Hydrogen Line Detection with an RTL-SDR and WiFi Dish

Back in January 2020 we posted a tutorial showing how it's possible to detect and measure the galactic Hydrogen line using a simple 2.4 GHz WiFi dish, RTL-SDR Blog V3 and a filtered LNA. Since then many people have used the same setup with great results.

Over on YouTube, user stoppi is one such person who has followed the steps from our tutorial, and he has uploaded a video showing his setup and results. If you're thinking of getting started with Hydrogen Line reception, his video slide show tutorial would be a good complementary overview to go along with our text tutorial.

Detection of the galactic hydrogen - the 21 cm radiation - Wasserstoffstrahlung der Milchstrasse

TechMinds: Receiving and Decoding Packets from the GreenCube Cubesat Digipeater

GreenCube is a CubeSat by the Sapienza University of Rome, and it is designed to demonstrate an autonomous biological laboratory for cultivating plants onboard a CubeSat.

While this is an interesting mission in itself, for amateur radio operators there is another interesting facet to the satellite. Unlike most CubeSats, which are launched into Low Earth Orbit (LEO), GreenCube was launched higher into Medium Earth Orbit (MEO), which provides a larger radio reception footprint over the Earth. The satellite also contains a digital repeater (digipeater) at 435.310 MHz, which allows amateur radio operators to transmit digital radio packets up and have the satellite repeat the packet back over a wide footprint on Earth.

In his latest video, Matt from the TechMinds YouTube channel shows us how to receive and decode the packets from the GreenCube digipeater. In his demonstration Matt uses an SDRplay RSPdx as the receiver, SDR++ as the receiver software, SoundModem as the packet decoder, GreenCube Terminal for displaying the messages, and Gpredict for tracking the satellite and compensating for the Doppler effect. He also notes that while a directional antenna on a motorized tracker is recommended, he was still able to receive packets with his omnidirectional terrestrial antennas without much issue.

RECEIVING AND DECODING GREENCUBE CUBESAT

Building an OpenWebRX Server with an RTL-SDR Blog V3 for HF Monitoring

Thank you to Ramadhan (YD1RUH), who has put together a brief set of commands showing how to quickly get set up with OpenWebRX and an RTL-SDR Blog V3. OpenWebRX is a web based SDR program that allows users to use their SDR over a network or internet connection. It is compatible with several SDRs, including the RTL-SDR.

The installation is based on Ubuntu and uses Docker for the install. He also shows how to set up the OpenWebRX configuration file so that it will use the Q-branch direct sampling mode of RTL-SDR Blog V3 dongles for HF reception.

A demonstration of the result can be seen on Ramadhan's public OpenWebRX page. You can select between the various enabled HF bands in the lower left.

OpenWebRX HF reception running on an RTL-SDR Blog V3 dongle.

uSDR: A TX/RX 300-3700 MHz, 30.72 MSPS Capable SDR with M.2 Interface and Web Browser Control

Over on Crowd Supply a new SDR called "uSDR", created by Wavelet SDR, has been announced (not to be confused with the uSDR software). uSDR is a tiny SDR that interfaces via an M.2 slot on a PC/laptop motherboard. Typically M.2 slots are used to connect solid-state drives (SSDs), but they can also be used for adding expansion cards. Alternatively, a simple M.2 to USB adapter could be used to convert it into dongle form.

The uSDR is advertised as being a duplex TX & RX capable SDR, with a frequency range of 300-3700 MHz and a sampling rate of up to 30.72 Msps. It also has a 0.5 PPM TCXO. To keep its tiny form factor, it uses small MHF4 antenna connectors.

The device appears to be based on the AMD Xilinx ARTIX-7 FPGA and the LimeMicro LMS6002 transceiver IC.

One interesting differentiating feature of the uSDR is that it is designed to be operated via its web interface, which can be accessed through Chrome. It makes use of WebUSB technology, which allows Chrome to connect directly to USB devices. This should help eliminate installation and compatibility issues, and allow the SDR to easily be used over a network. Apart from the web interface, it is also compatible with SoapySDR and GNU Radio. Sergey, one of the creators of uSDR, wrote:

During development we focused on ease of use, thus it supports WebUSB interface. Meaning you can view Spectrogram, record or playback IQ data, do some signal analysis and even share your device over the internet to get others access to it. And all this doesn’t require any software or specific drivers and works in Linux/Windows/Mac OS/Android and more. One can even extend these applications and run their own.

The device is single channel covering a range ~230MHz-3.7GHz for TX / RX and we’re making it affordable. Last but not least you still can use this device with SoapySDR as a regular SDR.

The project is currently in its early stages, with crowdfunding expected to begin soon. Pricing is still unknown; however, Sergey did mention that it will be affordable. Subscribe for announcements via their Crowd Supply page.

uSDR: A tiny, single-sided M.2 SDR board that you can operate easily using your web browser
uSDR web platform. FM Receiver showcase

RFinder P10 – An Android Tablet with a built in Two Way Radio and RTL-SDR

Recently we came across a company called RFinder / AndroidDMR, a shop selling custom made two way radios and Android tablets with built in radio hardware. One of their new tablets, currently on pre-order, is being advertised with a built in RTL-SDR. The pre-order status notes that they should be shipping in less than a month's time.

The "RFinder Android Radio 10 Inch Tablet - 136-174mhz, 400-490mhz DMR/FM - Embedded RTL-SDR" can be pre-ordered for $1,499.95 USD + shipping. It is a ruggedized 10 inch Android tablet with a built in two way 4W VHF/UHF DMR/FM radio as well as an additional built in RTL-SDR. In terms of computing hardware, it comes with an octa-core 2.3 GHz CPU, 4GB RAM and 64GB ROM, and it supports cellular connectivity.

In their manual they share the following slide showing the built in RTL-SDR running the RF Analyzer Android app.

Various reviews of the RFinder P10 have been showing up on YouTube. Here is one review by Ham Radio 2.0 where the RFinder P10 is demonstrated at the Huntsville Hamfest.

New RFinder P10 Tablet with Dual Band DMR and RTL-SDR Receiver - Huntsville Hamfest

Bouncing LoRa Signals off the Moon with a HackRF

One part of the amateur radio hobby is 'EME', or Earth-Moon-Earth. The idea is to bounce radio signals off the surface of the moon, and have them received over a vast distance. Typically weak signal amateur radio modulation schemes such as JT65 are used due to their ability to be decoded even with the very weak signals that come back from the moon bounce.

Recently a group of students from the College of New Jersey has been attempting to bounce signals off the moon using the LoRa modulation scheme. LoRa is a modulation scheme designed for use with IoT devices; however, it also performs well when signals are weak, so it is a good candidate for moon bounce.

The students are using a HackRF and the SDRangel software, with the signal being transmitted in the amateur radio bands at 1296 MHz. The antenna hardware consists of a 1296 MHz feedhorn attached to an 8-meter dish. They hope that the use of LoRa modulation can reduce the power requirements for EME.

The main goal of this project is to establish Earth-Moon-Earth communication with LoRa modulated signals. There are three main goals that this project is trying to accomplish: to reflect a signal off the Moon and receive it back here in New Jersey; to transmit a signal from here in New Jersey, bounce it off of the Moon, and then receive the signal on a dish located in Alaska; and our final goal for this project, to establish two way communication between New Jersey and Alaska.

Our initial approach to this project is to use SDRAngel to modulate and demodulate our signal. SDRAngel is a free, open-source software that we can use to transmit and receive signals via SDR (Software Defined Radio).

Our modulation technique, LoRa, uses Chirp Spread Spectrum modulation that allows for low power, long range transmissions at the cost of a low data rate.

The peripheral of choice for this project is the HackRF One, a SDR peripheral that allows us to send and receive signals.

This story was also presented on Hackaday.

Bouncing LoRa Signals Off the Moon - TCF 2023, track 5, TCNJ student presentations

IQEngine: A Web-Based Toolkit for Sharing and Analyzing RF IQ Recordings

Thank you to Marc for submitting news of his new project called IQEngine. IQEngine is a free open source web project that allows users to upload IQ recordings of various signals, and share them. The idea is to over time build up a huge database of signals based on IQ data which may be useful for identifying unknown signals, testing decoders and training machine learning databases.

IQ data is essentially the raw radio data from a software defined radio before any demodulation or decoding is done. By recording IQ data, any demodulation method can be applied to it later. However, IQ data on its own does not contain any metadata about the signal itself. To solve this, IQEngine uses the Signal Metadata Format (SigMF), which allows information about the IQ recording (such as sample rate, center frequency and annotations) to be encapsulated alongside the IQ recording itself.
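To show what SigMF actually adds on top of raw IQ samples, here is an added example (not IQEngine's or the SigMF project's own code) that writes a constructed cf32 recording together with its SigMF JSON sidecar, including one annotation, and reads the pair back. The sample values, the 941.8 MHz center frequency and the annotation label are constructed for the demo.

```python
"""Minimal SigMF writer/reader (added example, not IQEngine code)."""
import json
import struct
import tempfile
from pathlib import Path

def write_sigmf(base, iq, sample_rate, center_freq, annotations):
    """Write iq (list of complex) as little-endian cf32 plus a SigMF meta file."""
    data_path = Path(f"{base}.sigmf-data")
    meta_path = Path(f"{base}.sigmf-meta")
    with data_path.open("wb") as f:
        for s in iq:
            f.write(struct.pack("<ff", s.real, s.imag))  # I then Q, float32 LE
    meta = {
        "global": {"core:datatype": "cf32_le",   # what the raw file lacks:
                   "core:sample_rate": sample_rate,  # sample type and rate
                   "core:version": "1.0.0"},
        # captures: where in the sample stream the tuner was set to which RF
        "captures": [{"core:sample_start": 0, "core:frequency": center_freq}],
        # annotations: labelled time/frequency boxes, as IQEngine displays them
        "annotations": annotations,
    }
    meta_path.write_text(json.dumps(meta, indent=2))
    return data_path, meta_path

def read_sigmf(base):
    """Read the pair back; returns (meta dict, list of complex samples)."""
    meta = json.loads(Path(f"{base}.sigmf-meta").read_text())
    if meta["global"]["core:datatype"] != "cf32_le":
        raise ValueError("only cf32_le is handled in this example")
    raw = Path(f"{base}.sigmf-data").read_bytes()
    n = len(raw) // 8                      # 8 bytes per complex sample
    flat = struct.unpack(f"<{2 * n}f", raw[:8 * n])
    return meta, [complex(flat[i], flat[i + 1]) for i in range(0, 2 * n, 2)]

def annotation_freq_range(meta, idx):
    """Absolute RF edges (Hz) of annotation idx, as SigMF stores them."""
    a = meta["annotations"][idx]
    return a["core:freq_lower_edge"], a["core:freq_upper_edge"]

def demo(workdir=None):
    """Round-trip a constructed 100-sample recording with one annotation."""
    base = str(Path(workdir or tempfile.mkdtemp()) / "demo")
    iq = [complex(i / 10, -i / 10) for i in range(100)]   # constructed samples
    ann = [{"core:sample_start": 10, "core:sample_count": 40,
            "core:freq_lower_edge": 941.7e6, "core:freq_upper_edge": 941.9e6,
            "core:label": "constructed burst"}]           # constructed label
    write_sigmf(base, iq, 2.4e6, 941.8e6, ann)
    return read_sigmf(base)
```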

The IQEngine web interface includes an easy way to rapidly view and analyze huge IQ recordings, and allows users to annotate them too. At the moment the project is still in the early stages and looking for interested contributors to the FOSS project.

Marc writes:

We're hoping for it to become like a SigIDWiki on steroids, where people can share and learn about different signals using an interactive spectrogram (inspired by Inspectrum), all in the browser so that there's nothing to install. We are putting a lot of emphasis on education and ease-of-use.

There will also be plugins that allow for running signal detection/classification implementations on the signal recordings, to facilitate RFML research, although these plugins could also be used for demod/decoding/etc.

The tool builds off the SigMF standard for metadata, and it works with binary IQ files.

There's a canonical instance of the site hosted at www.iqengine.org, the source code can be found at https://github.com/iqengine/iqengine and we have a Discord (https://discord.com/invite/k7C8kp3b76).

Right now we're mainly looking for more folks to help out with early development, it's really fun working on a FOSS project in the early stages because there are so many design decisions to be made and anyone has potential to step in and make huge contributions and impact the direction the project goes. The code is mostly javascript and python. Anyone interested can join the discord or email [email protected].

IQEngine Display Cellular Downlinks with Annotations