Tagged: bluetooth

WarDragon: Real-Time Drone Remote ID Tracking with Snifflee, TAR1090 and ATAK

Over on YouTube Aaron, creator of DragonOS and the WarDragon kit has uploaded a video showing how he was able to detect drone Remote ID with a Bluetooth dongle and plot it on a TAK map. Remote ID is an RF system regulated in many countries that broadcasts drone information, including GPS position, often over Bluetooth Long Range or Wi-Fi. Note that the Bluetooth dongle is not an SDR, but this story may still be interesting for many readers.

The setup uses Sniffle, which is an open-source Bluetooth sniffer program for TI CC1352/CC26x2 based Bluetooth hardware. Sniffle passes sniffed data packets into SniffleToTak which is open-source software that relays the drone ID packets into a TAK server, which can then be viewed in TAK software like ATAK.

Aaron tests the setup with his DJI drone flying nearby, and shows that the drone is successfully detected and plotted on the TAK map. He also plots the positions of nearby aircraft received via a second ADS-B receiver to show that drones and aircraft can be plotted on the same map.

WarDragon Enhancing Drone Remote ID Real-Time Tracking + ADS-B w/ ATAK (TAR1090, Sniffle) Part 3

A Low Cost 2.4 GHz Downconverter from off the Shelf Dev Boards

Over on GitHub Ian Wraith has released his design and microcontroller code for a low cost 2.4 GHz downconverter circuit. A downconverter is a hardware device that shifts the signals that it receives into a lower frequency band. This is useful in the case of RTL-SDRs and Airspy SDRs, as their maximum frequency range is only 1.7 GHz. Ian's 2.4 GHz downconverter reduces those 2.4 GHz signals down to 1 GHz, which can then be received with his Airspy.

Rather than designing a circuit from scratch, Ian's design makes use of several very cheap Chinese evaluation/development boards that he found on eBay. It costs of a mixer board, oscillator board, and an STM32 development board for controlling the oscillator board via SPI. The whole set of hardware cost him less than £30 (~37 USD).

After spending some time working through the difficulties in programming the SPI interface on the STM32 board, he was able to get the downconverter circuit fully working. He notes that he's been able to receive WiFi, Zigbee, Bluetooth and ISM band signals at 2.4 GHz, as well as 3G and 4G cellular signals at 2.6 GHz.

Ian Wraith's Downconverter consisting of three off the shelf cheap Chinese eBay boards.
Ian Wraith's Downconverter consisting of three off the shelf cheap Chinese eBay boards.

Upcoming Book “Inside Radio: An Attack and Defense Guide”

Unicorn team are information security researchers who often also dabble with wireless security research. Recently they have been promoting their upcoming text book titled "Inside Radio: An Attack and Defense Guide".

Judging from the blurb and released contents the book will be an excellent introduction to anyone interested in today's wireless security issues. They cover topics such as RFID, Bluetooh, ZigBee, GSM, LTE and GPS. In regards to SDRs, the book specifically covers SDRs like the RTL-SDR, HackRF, bladeRF and LimeSDR and their role in wireless security research. They also probably reference and show how to use those SDRs in the  chapters about replay attacks, ADS-B security risks, and GSM security.

The book is yet to be released and is currently available for pre-order on Amazon or Springer for US$59.99. The expected release date is May 9, 2018, and copies will also be for sale at the HITB SECCONF 2018 conference during 9 - 13 April in Amsterdam.

The blurb and released contents are pasted below. See their promo page for the full contents list:

This book discusses the security issues in a wide range of wireless devices and systems, such as RFID, Bluetooth, ZigBee, GSM, LTE, and GPS. It collects the findings of recent research by the UnicornTeam at 360 Technology, and reviews the state-of-the-art literature on wireless security. The book also offers detailed case studies and theoretical treatments – specifically it lists numerous laboratory procedures, results, plots, commands and screenshots from real-world experiments. It is a valuable reference guide for practitioners and researchers who want to learn more about the advanced research findings and use the off-the-shelf tools to explore the wireless world.

Authors:
Qing YANG is the founder of UnicornTeam & the head of the Radio Security Research Department at 360 Technology. He has vast experience in information security area. He has presented at Black Hat, DEFCON, CanSecWest, HITB, Ruxcon, POC, XCon, China ISC etc.

Lin HUANG is a senior wireless security researcher and SDR technology expert at 360 Technology. Her interests include security issues in wireless communication, especially cellular network security. She was a speaker at Black Hat, DEFCON, and HITB security conferences. She is 360 Technology’s 3GPP SA3 delegate.

This book is a joint effort by the entire UnicornTeam, including Qiren GU, Jun LI, Haoqi SHAN, Yingtao ZENG, and Wanqiao ZHANG etc.

 

Spectral Fusion with Sparrow-WiFi: SDR meets WiFi, Bluetooth, and drones in one new tool

Thanks to Mike (ghostop14) for submitting another interesting article this time about his work with spectral fusion on the WiFi and Bluetooth bands. In the article Mike describes his new Sparrow-WiFi tool, which is a tool that allows you to visualize the WiFi and Bluetooth signal spaces all in one spectral display. The hardware consists of a WiFi and Bluetooth dongle as well as optionally an SDR like the HackRF. The software displays all data simultaneously on the same display, so you can easily tell if there is some channel clashes occurring, or if there is some other source of interference. In Addition Sparrow-WiFi also works remotely and even with a Raspberry Pi mounted on a drone.

From the article he writes:

Thinking about the 2.4 and 5 GHz bands, my biggest issues with traditional wifi tools were always that apps such as inSSIDer which are great on the Windows side didn’t have a nice polished Linux GUI equivalent so I’d have to run a Windows system or virtual machine to visualize the signal space. On the flip side, some of the great Linux-only capabilities didn’t have a nice polished integrated UI and I’d have a lot of textual data, some of which the Windows tools didn’t provide, but it was harder to visualize. Then there’s the fact that wifi tools can’t “see” Bluetooth (and vice versa), and SDR historically didn’t have enough instantaneous bandwidth to show the whole 2.4 GHz or 5 GHz spectrum at one time. And, did I mention the tools don’t integrate or talk to each other so I can’t get a “single pane of glass” perspective of all the different ways to look at the same RF space simultaneously? It would be great if I could get one single view of the most common protocols and see the actual spectrum all in one place at the same time.

Now enter the era of the Internet-of-Things, new SDR receivers, and even drones and my old wifi tools seem to have been left a bit behind. Why do I say that? I can’t “see” all of the chatter from wireless networks, Bluetooth, ZigBee, NEST devices, remotes, etc. scattered all over my wireless bands in one view. Sure, I can run 3 or 4 tools independently to find the signals and try to see what they are, but it becomes tough to get a single integrated perspective. Especially when I can’t see my RF spectrum overlaid on top of the wifi SSID’s and Bluetooth advertisements to sort out what may be related to a a signal I know about and what may be something else. Ultimately, it means that I can’t clearly explain why I have poor wifi connections in one area versus another even though I may not have overlapping channels (I know, use 5 GHz and sparrow-wifi supports that too). The reason for this is simple; current tools don’t have true spectral awareness based on the most common possibilities in one integrated solution.

Now, let’s ask even harder questions. What if I want to step up my wifi “wardriving” and start “warflying”? Or, what if I need a mobile platform that can be sent into an area on a rover? Can I bring the same spectral awareness in a small enough platform to fly for example as an under-350-gram payload complete with power, wifi, spectral scans, and even pull GPS for anything we see? And, can I interact with it remotely for real-time visibility or have it work autonomously? Okay, now you’re just asking a lot. These were all goals of a new tool I just released called “Sparrow-wifi” which is now available on GitHub (https://github.com/ghostop14/sparrow-wifi.git). Sparrow-wifi has been purpose-built from the ground up to be the next generation 2.4 GHz and 5 GHz spectral awareness and visualization tool. At its most basic, it provides a more comprehensive GUI-based replacement for tools like inSSIDer and linssid and runs specifically on Linux. In its most comprehensive use cases, Sparrow-wifi integrates wifi, software- defined radio (HackRF), advanced Bluetooth tools (traditional and Ubertooth), GPS via gpsd, and drone/rover operations using a lightweight remote agent and GPS using the Mavlink protocol in one solution.

Sparrow-Wifi Spectral Fusion. Wifi & Bluetooth dongle data + Live spectrum from a HackRF.
Sparrow-Wifi Spectral Fusion. Wifi & Bluetooth dongle data + Live spectrum from a HackRF.

A full list of the possible scenarios that Sparrow-WiFi was designed for is pasted bleow.

  • Basic wifi SSID identification.
  • Wifi source hunt - Switch from normal to hunt mode to get multiple samples per second and use the telemetry windows to track a wifi source.
  • 2.4 GHz and 5 GHz spectrum view - Overlay spectrums from Ubertooth (2.4 GHz) or HackRF (2.4 GHz and 5 GHz) in real time on top of the wifi spectrum (invaluable in poor connectivity troubleshooting when overlapping wifi doesn't seem to be the cause).
  • Bluetooth identification - LE advertisement listening with standard Bluetooth, full promiscuous mode in LE and classic Bluetooth with Ubertooth.
  • Bluetooth source hunt - Track LE advertisement sources or iBeacons with the telemetry window.
  • iBeacon advertisement - Advertise your own iBeacons.
  • Remote operations - An agent is included that provides all of the GUI functionality via a remote agent the GUI can talk to.
  • Drone/Rover operations - The agent can be run on systems such as a Raspberry Pi and flown on a drone (it’s made several flights on a Solo 3DR), or attached to a rover in either GUI-controlled or autonomous scan/record modes. And yes, the spectrum output works over this connection as well.
  • The remote agent is HTTP JSON-based so it can be integrated with other applications
  • Import/Export - Ability to import and export to/from CSV and JSON for easy integration and revisualization. You can also just run 'iw dev <interface> scan' and save it to a file and import that as well.
  • Produce Google maps when GPS coordinates are available for both discovered SSID's / Bluetooth devices or to plot the wifi telemetry over time.
Sparrow WiFi running on a Raspberry Pi on a drone
Sparrow WiFi running on a Raspberry Pi on a drone

Sniffing and Decoding NRF24L01+ and Bluetooth LE Packets with the RTL-SDR

Omri Iluz wrote in to us to let us know about his recent project which involves sniffing and decoding wireless packets at 2.4 GHz from NRF24L01+ and Bluetooth Low Energy (BTLE) transceivers. The NRF24L01+ is a popular wireless transceiver which is used in many common devices such as keyboards, mice, remote controls, toys and appliances.

Since 2.4 GHz is out of any of the RTL-SDR’s receivable range, Omri used a cheap downconverter which he was able to buy from China using Aliexpress. The downconverter converts the 2.4 GHz signal into a lower frequency at around 400 MHz which is in the receivable range of the RTL-SDR.

He was then able to use his NRF24-BTLE-Decoder software that he developed to convert the received data from the NRF24L01+ transceiver into a decoded packet by simply piping the output of RTL_FM into his program.

Since the NRF24L01+ uses hardware similar to the Bluetooth Low Energy (BTLE) protocol, Omri was able to modify his code to be able to also decode BTLE packets.

2.4GHz NRF24 packet received on the RTL-SDR from a Logitech mouse using a downconverter
2.4GHz packet received on the RTL-SDR + downconverter from a Logitech mouse
decodednrf
Decoded NRF24 Packets