Tagged: bladerf

DragonOS: BladeRF-wiphy Demonstration

Recently we posted about bladeRF-wiphy which is open source code that can turn a bladeRF software defined radio into a software defined WiFi access point. The bladeRF 2.0 is a relatively low cost SDR which costs $420 for the low end version. It is capable of both transmit and receive (2x2 MIMO) with a 47 MHz to 6 GHz frequency range and 61.44 MHz sampling rate.

Over on YouTube Aaron who created DragonOS has uploaded a video demonstrating bladeRF-wiphy in action. He writes:

This video demonstrates Nuand’s new open source 802.11 modem/FPGA available for the bladeRFxA9. Everything will be Pre included in DragonOS Focal to setup an open AP and hopefully whatever’s required for use within Kismet.

Minor configuration is needed for the open AP, while Kismet integration should be pretty straight forward.

This is an awesome addition to the bladeRF and I look forward to seeing what else is possible with this new open source 802.11 compatible modem!

DragonOS Focal BladeRF-wiphy w/ Open Wi-Fi AP and Splash page (bladeRFxA9)

bladeRF-wiphy: Open Source WiFi Access Point on a BladeRF

Back in August 2020 we posted about OpenWiFi , an open source implementation of the full IEEE802.11/Wi-Fi stack for FPGA and SDR combo board. Recently the team at Nuand have released their own WiFi implementation called "bladeRF-wiphy" for their bladeRF 2.0 software defined radio. The code is implemented in VHDL, which runs directly on the bladeRF's on board micro xA9 FPGA.

The bladeRF-wiphy project is an open-source IEEE 802.11 compatible software defined radio VHDL modem. The modem is able to modulate and demodulate 802.11 packets (the protocol WiFi is based on), and run directly on the bladeRF 2.0 micro xA9’s FPGA.

The bladeRF-wiphy coupled with Linux mac80211 allows the bladeRF 2.0 micro xA9 to become a software defined radio 802.11 access point! 802.11 packets (PDUs) are modulated and demodulated directly on the FPGA, so only 802.11 packets are transferred between the FPGA and libbladeRF.

Defcon 2020 Online Talks: Satellite Eavesdropping & Detecting Fake 4G Base Stations

DEFCON 2020 was held online this year in and the talks were released a few days ago on their website and on YouTube. If you weren't already aware Defcon is a major yearly conference all about information security, and some of the talks deal with wireless and SDR topics. We found two very interesting SDR and wireless related talks that we have highlighted below. The first talk investigates using commercial satellite TV receivers to eavesdrop on satellite internet communications. The second discusses using a bladeRF or USRP to detect fake 4G cellphone basestations. Slides for these talks are available on the Defcon Media server under the presentations folder.

DEF CON Safe Mode - James Pavur - Whispers Among the Stars

Space is changing. The number of satellites in orbit will increase from around 2,000 today to more than 15,000 by 2030. This briefing provides a practical look at the considerations an attacker may take when targeting satellite broadband communications networks. Using $300 of widely available home television equipment I show that it is possible to intercept deeply sensitive data transmitted on satellite links by some of the world's largest organizations.

The talk follows a series of case studies looking at satellite communications affecting three domains: air, land, and sea. From home satellite broadband customers, to wind farms, to oil tankers and aircraft, I show how satellite eavesdroppers can threaten privacy and communications security. Beyond eavesdropping, I also discuss how, under certain conditions, this inexpensive hardware can be used to hijack active sessions over the satellite link.

The talk concludes by presenting new open source tools we have developed to help researchers seeking to improve satellite communications security and individual satellite customers looking to encrypt their traffic.

The talk assumes no background in satellite communications or cryptography but will be most interesting to researchers interested in tackling further unsolved security challenges in outer space.

DEF CON Safe Mode - James Pavur - Whispers Among the Stars

DEF CON Safe Mode - Cooper Quintin - Detecting Fake 4G Base Stations in Real Time

4G based IMSI catchers such as the Hailstorm are becoming more popular with governments and law enforcement around the world, as well as spies, and even criminals. Until now IMSI catcher detection has focused on 2G IMSI catchers such as the Stingray which are quickly falling out of favor.

In this talk we will tell you how 4G IMSI Catchers might work to the best of our knowledge, and what they can and can't do. We demonstrate a brand new software project to detect fake 4G base stations, with open source software and relatively cheap hardware. And finally we will present a comprehensive plan to dramatically limit the capabilities of IMSI catchers (with the long term goal of making them useless once and for all).

GitHub: https://github.com/EFForg/crocodilehunter

DEF CON Safe Mode - Cooper Quintin - Detecting Fake 4G Base Stations in Real Time

DragonOS Updated: Now with OP25 Installed and many new YouTube Tutorials

Last month we posted about Aaron's "DragonOS" project, which is a ready to install Linux ISO aimed to make getting started with SDR software easy by providing several programs preinstalled, as well as providing multiple video tutorials. Recently he's updated the build, this time basing it on Lubuntu 18.04 allowing for Legacy and UEFI support, along with disk encryption. The OS supports RTL-SDRs as well as the HackRF and bladeRF and probably supports most other SDRs via the SoapySDR interface.

In terms of software he's also added OP25 and bladeRF support. Other programs pre-installed include rtl_433, Universal Radio Hacker, GNU Radio, Aircrack-ng, GQRX, Kalibrate, hackrf, wireshare, gr-gsm, rtl-sdr, HackRF, IMSI-catcher, Zenmap, inspectrum, qspectrumanalyzer, LTE-Cell-Scanner, CubicSDR, Limesuite, ShinySDR, SDRAngel, SDRTrunk, Kismet, BladeRF.

His DragonOS YouTube tutorial channel is also growing fast, with several tutorials showing you how to use DragonOS to perform tasks like listen to trunked mobile radios, use QSpectrumAnalyzer with a HackRF, receive NOAA APT weather satellite images, retrieve cellular network information via a rooted Samsung Galaxy S5, create a ShinySDR server with rtl_433 and how to capture and replay with a HackRF.

DragonOS running CubicSDR
DragonOS running CubicSDR

A Comprehensive Lab Comparison between Multiple Software Defined Radios

Librespace, who are the people behind the open hardware/source SatNOGS satellite ground station project have recently released a comprehensive paper (pdf) that compares multiple software defined radios available on the market in a realistic laboratory based signal environment. The testing was performed by Alexandru Csete (@csete) who is the programmer behind GQRX and Gpredict and Sheila Christiansen (@astro_sheila) who is a Space Systems Engineer at Alexandru's company AC Satcom. Their goal was to evaluate multiple SDRs for use in SatNOGS ground stations and other satellite receiving applications. 

The SDRs tested include the RTL-SDR Blog V3, Airspy Mini, SDRplay RSPduo, LimeSDR Mini, BladeRF 2.0 Micro, Ettus USRP B210 and the PlutoSDR. In their tests they measure the noise figure, dynamic range, RX/TX spectral purity, TX power output and transmitter modulation error ratio of each SDR in various satellite bands from VHF to C-band.

The paper is an excellent read, however the results are summarized below. In terms of noise figure, the SDRplay RSPduo with it's built in LNA performed the best, with all other SDRs apart from the LimeSDR being similar. The LimeSDR had the worst noise figure by a large margin.

In terms of dynamic range, the graphs below show the maximum input power of a blocking signal that the receivers can tolerate vs. different noise figures at 437 MHz. They write that this gives a good indication of which devices have the highest dynamic range at any given noise figure. The results show that when the blocking signal is at the smallest 5 kHz spacing the RSPduo has poorest dynamic range by a significant margin, but improves significantly at the 100 kHz and 1 MHz spacings. The other SDRs all varied in performance between the different blocking signal separation spacings.

Overall the PlutoSDR seems to perform quite well, with the LimeSDR performing rather poorly in most tests among other problems like the NF being sensitive to touching the enclosure, and the matching network suspected as being broken on both their test units. The owner of Airspy noted that performance may look poor in these tests as the testers used non-optimized Linux drivers, instead of the optimized Windows drivers and software, so there is no oversampling, HDR or IF Filtering enabled. The RSPduo performs very well in most tests, but very poorly in the 5 kHz spacing test.

The rest of the paper covers the TX parameters, and we highly recommend going through and comparing the individual result graphs from each SDR test if you want more information and results from tests at different frequencies. The code and recorded data can also be found on the projects Gitlab page at https://gitlab.com/librespacefoundation/sdrmakerspace/sdreval.

RTL-SDR and HackRF Used in Mr. Robot – A TV Drama About Hacking

A few readers have written in to let us know the role SDRs played in the last season of "Mr. Robot". The show which is available on Amazon Prime is about "Mr. Robot", a young cyber-security engineer by day and a vigilante hacker by night. The show has actual cyber security experts on the team, so whilst still embellished for drama, the hacks performed in the show are fairly accurate, at least when compared to other TV shows.

Spoilers of the technical SDR hacks performed in the show are described below, but no story is revealed.

In the recently aired season 4 episode 9, a character uses a smartphone running an SSH connection to connect to a HackRF running on a Raspberry Pi. The HackRF is then used to jam a garage door keyfob operating at 315 MHz, thus preventing people from leaving a parking lot. 

Shortly after she can be seen using the HackRF again with Simple IMSI Catcher. Presumably they were running a fake cellphone basestation as they use the IMSI information to try and determine someones phone number which leads to being able to hack their text messages. The SDR used in the fake basestation appears to have been a bladeRF.

HackRF Used on Mr Robot
HackRF Used on Mr Robot

In season 4 episode 4 GQRX and Audacity can be seen on screen being used to monitor a wiretap via rtl_tcp and an E4000 RTL-SDR dongle.

E4000 RTL-SDR Being used for Wiretap Monitoring
E4000 RTL-SDR Being used for Wiretap Monitoring

Did we miss any other instances of SDRs being used in the show? Or have you seen SDRs in use on other TV shows? Let us know in the comments.

Exploring the Limits of General Purpose SDR Devices

Back in August 2019 the Chaos Communication Camp was held in Germany. This is a 5 day conference that covers a variety of hacker topics, sometimes including SDR. At the conference Osmocom developer Harald Welte (aka @LaF0rge) presented a talk titled "The Limits of General Purpose SDR devices". The talk explains how general purpose TX capable SDRs like HackRFs and LimeSDRs have their limitations when it comes to implementing advanced communications systems like cellular base stations.

If you prefer, the talk can be watched directly on the CCC website instead of YouTube.

Why an SDR board like a USRP or LimeSDR is not a cellular base station

It's tempting to buy a SDR device like a LimeSDR or USRP family member in the expectation of operating any wireless communications system out there from pure software. In reality, however, the SDR board is really only one building block. Know the limitations and constraints of your SDR board and what you need around it to build a proper transceiver.

For many years, there's an expectation that general purpose SDR devices like the Ettus USRP families, HackRF, bladeRF, LimeSDR, etc. can implement virtually any wireless system.

While that is true in principle, it is equally important to understand the limitations and constraints.

People with deep understanding of SDR and/or wireless communications systems will likely know all of those. However, SDRs are increasingly used by software developers and IT security experts. They often acquire an SDR board without understanding that this SDR board is only one building block, but by far not enough to e.g. operate a cellular base station. After investing a lot of time, some discover that they're unable to get it to work at all, or at the very least unable to get it to work reliably. This can easily lead to frustration on both the user side, as well as on the side of the authors of software used with those SDRs.

The talk will particularly focus on using General Purpose SDRs in the context of cellular technologies from GSM to LTE. It will cover aspects such as band filters, channel filters, clock stability, harmonics as well as Rx and Tx power level calibration.

The talk contains the essence of a decade of witnessing struggling SDR users (not only) with running Osmocom software with them. Let's share that with the next generation of SDR users, to prevent them falling into the same traps.

The Limits of General Purpose SDR devices

Running a Tesla Model 3 on Autopilot off the Road with GPS Spoofing

Regulus is a company that deals with sensor security issues. In one of their latest experiments they've performed GPS spoofing with several SDRs to show how easy it is to divert a Tesla Model 3 driving on autopilot away from it's intended path. Autopilot is Tesla's semi-autonomous driving feature, which allows the car to decide it's own turns and lane changes using information from the car's cameras, Google Maps and it's Global Navigation Satellite System (GNSS) sensors. Previously drivers had to confirm upcoming lane changes manually, but a recent update allows this confirmation to be waived.

The Regulus researchers noted that the Tesla is highly dependent on GNSS reliability, and thus were able to use an SDR to spoof GNSS signals causing the Model 3 to perform dangerous maneuvers like "extreme deceleration and acceleration, rapid lane changing suggestions, unnecessary signaling, multiple attempts to exit the highway at incorrect locations and extreme driving instability". Regarding exiting at the wrong location they write:

Although the car was a few miles away from the planned exit when the spoofing attack began, the car reacted as if the exit was just 500 feet away— slowing down from 60 MPH to 24 KPH, activating the right turn signal, and making a right turn off the main road into the emergency pit stop. During the sudden turn the driver was with his hands on his lap since he was not prepared for this turn to happen so fast and by the time he grabbed the wheel and regained manual control, it was too late to attempt to maneuver back to the highway safely.

In addition, they also tested spoofing on a Model S and found there to be a link between the car's navigation system and the automatically adjustable air suspension system. It appears that the Tesla adjusts it's suspension depending on the type of road it's on which is recorded in it's map database.

In their work they used a ADALM PLUTO SDR ($150) for their jamming tests, and a bladeRF SDR ($400) for their spoofing tests. Their photos also show a HackRF.

Regulus are also advertising that they are hosting a Webinar on July 11, 2019 at 09:00PM Jerusalen time. During the webinar they plan to talk about their Tesla 3 spoofing work and release previously unseen footage.

GPS/GNSS spoofing is not a new technique. In the past we've posted several times about it, including stories about using GPS spoofing to cheat at Pokémon Go, misdirect drivers using Google Maps for navigation, and even a story about how the Russian government uses GPS spoofing extensively.

Some SDR tools used to spoof the Tesla Model 3.
Some SDR tools used to spoof the Tesla Model 3.