Tagged: hackrf

Exploring Vulnerabilities in Tire Pressure Monitoring Systems (TPMS) with a HackRF

Over on YouTube the channel "Lead Cyber Solutions" has uploaded a video presentation for the Cyber Skills Competition. In the video Christopher Flatley, James Pak and Thomas Vaccaro discuss a man-in-the-middle attack that can be performed on vehicle Tire Pressure Monitoring Systems (TPMS) with a transmit capable SDR such as a HackRF.

A TPMS system consists of small battery powered wireless sensors placed on a vehicles wheels which automatically monitor tire pressure. An LCD basestation usually exists on the dashboard of the car indicating live tire pressure. Most modern cars come with this feature, and it is simple to retrofit an older car with an aftermarket TPMS system.

The idea behind the vulnerability is that a HackRF can be used to reverse engineer the TMPS signal, and then re-transmit a new fake signal that causes the base station to read the tire pressure as low. This can set off an alarm in the car and possibly cause someone to pull over. More alarmingly, they discuss how tractors have automatic tire inflation systems which work using similar sensors. A false low pressure reading could cause the tractor tires to over inflate and be damaged.

In the past we have also posted about Jared Boon's work on TPMS where he shows how privacy could be breached by monitoring and tracking TPMS identifiers.

Spectral Fusion with Sparrow-WiFi: SDR meets WiFi, Bluetooth, and drones in one new tool

Thanks to Mike (ghostop14) for submitting another interesting article this time about his work with spectral fusion on the WiFi and Bluetooth bands. In the article Mike describes his new Sparrow-WiFi tool, which is a tool that allows you to visualize the WiFi and Bluetooth signal spaces all in one spectral display. The hardware consists of a WiFi and Bluetooth dongle as well as optionally an SDR like the HackRF. The software displays all data simultaneously on the same display, so you can easily tell if there is some channel clashes occurring, or if there is some other source of interference. In Addition Sparrow-WiFi also works remotely and even with a Raspberry Pi mounted on a drone.

From the article he writes:

Thinking about the 2.4 and 5 GHz bands, my biggest issues with traditional wifi tools were always that apps such as inSSIDer which are great on the Windows side didn’t have a nice polished Linux GUI equivalent so I’d have to run a Windows system or virtual machine to visualize the signal space. On the flip side, some of the great Linux-only capabilities didn’t have a nice polished integrated UI and I’d have a lot of textual data, some of which the Windows tools didn’t provide, but it was harder to visualize. Then there’s the fact that wifi tools can’t “see” Bluetooth (and vice versa), and SDR historically didn’t have enough instantaneous bandwidth to show the whole 2.4 GHz or 5 GHz spectrum at one time. And, did I mention the tools don’t integrate or talk to each other so I can’t get a “single pane of glass” perspective of all the different ways to look at the same RF space simultaneously? It would be great if I could get one single view of the most common protocols and see the actual spectrum all in one place at the same time.

Now enter the era of the Internet-of-Things, new SDR receivers, and even drones and my old wifi tools seem to have been left a bit behind. Why do I say that? I can’t “see” all of the chatter from wireless networks, Bluetooth, ZigBee, NEST devices, remotes, etc. scattered all over my wireless bands in one view. Sure, I can run 3 or 4 tools independently to find the signals and try to see what they are, but it becomes tough to get a single integrated perspective. Especially when I can’t see my RF spectrum overlaid on top of the wifi SSID’s and Bluetooth advertisements to sort out what may be related to a a signal I know about and what may be something else. Ultimately, it means that I can’t clearly explain why I have poor wifi connections in one area versus another even though I may not have overlapping channels (I know, use 5 GHz and sparrow-wifi supports that too). The reason for this is simple; current tools don’t have true spectral awareness based on the most common possibilities in one integrated solution.

Now, let’s ask even harder questions. What if I want to step up my wifi “wardriving” and start “warflying”? Or, what if I need a mobile platform that can be sent into an area on a rover? Can I bring the same spectral awareness in a small enough platform to fly for example as an under-350-gram payload complete with power, wifi, spectral scans, and even pull GPS for anything we see? And, can I interact with it remotely for real-time visibility or have it work autonomously? Okay, now you’re just asking a lot. These were all goals of a new tool I just released called “Sparrow-wifi” which is now available on GitHub (https://github.com/ghostop14/sparrow-wifi.git). Sparrow-wifi has been purpose-built from the ground up to be the next generation 2.4 GHz and 5 GHz spectral awareness and visualization tool. At its most basic, it provides a more comprehensive GUI-based replacement for tools like inSSIDer and linssid and runs specifically on Linux. In its most comprehensive use cases, Sparrow-wifi integrates wifi, software- defined radio (HackRF), advanced Bluetooth tools (traditional and Ubertooth), GPS via gpsd, and drone/rover operations using a lightweight remote agent and GPS using the Mavlink protocol in one solution.

Sparrow-Wifi Spectral Fusion. Wifi & Bluetooth dongle data + Live spectrum from a HackRF.
Sparrow-Wifi Spectral Fusion. Wifi & Bluetooth dongle data + Live spectrum from a HackRF.

A full list of the possible scenarios that Sparrow-WiFi was designed for is pasted bleow.

  • Basic wifi SSID identification.
  • Wifi source hunt - Switch from normal to hunt mode to get multiple samples per second and use the telemetry windows to track a wifi source.
  • 2.4 GHz and 5 GHz spectrum view - Overlay spectrums from Ubertooth (2.4 GHz) or HackRF (2.4 GHz and 5 GHz) in real time on top of the wifi spectrum (invaluable in poor connectivity troubleshooting when overlapping wifi doesn't seem to be the cause).
  • Bluetooth identification - LE advertisement listening with standard Bluetooth, full promiscuous mode in LE and classic Bluetooth with Ubertooth.
  • Bluetooth source hunt - Track LE advertisement sources or iBeacons with the telemetry window.
  • iBeacon advertisement - Advertise your own iBeacons.
  • Remote operations - An agent is included that provides all of the GUI functionality via a remote agent the GUI can talk to.
  • Drone/Rover operations - The agent can be run on systems such as a Raspberry Pi and flown on a drone (it’s made several flights on a Solo 3DR), or attached to a rover in either GUI-controlled or autonomous scan/record modes. And yes, the spectrum output works over this connection as well.
  • The remote agent is HTTP JSON-based so it can be integrated with other applications
  • Import/Export - Ability to import and export to/from CSV and JSON for easy integration and revisualization. You can also just run 'iw dev <interface> scan' and save it to a file and import that as well.
  • Produce Google maps when GPS coordinates are available for both discovered SSID's / Bluetooth devices or to plot the wifi telemetry over time.
Sparrow WiFi running on a Raspberry Pi on a drone
Sparrow WiFi running on a Raspberry Pi on a drone

EOD Robots now packing USRP and HackRF Software Defined Radios

Thanks to the team of Robotics company Servosila for sharing the following press release with us which describes how their new EOD robot makes use of SDR technologies for electronic warfare.

We also wrote back to them and asked for a bit more information on the SDRs used. They wrote that there are two SDR options available for the EOD robot. Option one uses the Ettus Research USRP B205mini-i, and option two uses the HackRF One. This provides a good trade off between cost and functionality.

Servosila introduces Mobile Robots equipped with Software Defined Radio (SDR) payloads

Servosila introduces a new member of the family of Servosila “Engineer” robots, a UGV called “Radio Engineer”. This new variant of the well-known backpack-transportable robot features a Software Defined Radio (SDR) payload module integrated into the robotic vehicle.

“Several of our key customers had asked us to enable an Electronic Warfare (EW) or Cognitive Radio applications in our robots”, – says a spokesman for the company, “By integrating a Software Defined Radio (SDR) module into our robotic platforms we cater to both requirements. Radio spectrum analysis, radio signal detection, jamming, and radio relay are important features for EOD robots such as ours. Servosila continues to serve the customers by pushing the boundaries of what their Servosila robots can do. Our partners in the research world and academia shall also greatly benefit from the new functionality that gives them more means of achieving their research goals.”

Coupling a programmable mobile robot with a software-defined radio creates a powerful platform for developing innovative applications that mix mobility and artificial intelligence with modern radio technologies. The new robotic radio applications include localized frequency hopping pattern analysis, OFDM waveform recognition, outdoor signal triangulation, cognitive mesh networking, automatic area search for radio emitters, passive or active mobile robotic radars, mobile base stations, mobile radio scanners, and many others.

A rotating head of the robot with mounts for external antennae acts as a pan-and-tilt device thus enabling various scanning and tracking applications. The neck of the robotic head is equipped with a pair of highly accurate Servosila-made servos with a pointing precision of 3.0 angular minutes. This means that the robot can point its antennae with an unprecedented accuracy.

Researchers and academia can benefit from the platform’s support for GnuRadio, an open source software framework for developing SDR applications. An on-board Intel i7 computer capable of executing OpenCL code, is internally connected to the SDR payload module. This makes it possible to execute most existing GnuRadio applications directly on the robot’s on-board computer. Other sensors of the robot such as a GPS sensor, an IMU or a thermal vision camera contribute into sensor fusion algorithms.

Since Servosila “Engineer” mobile robots are primarily designed for outdoor use, the SDR module is fully enclosed into a hardened body of the robot which provides protection in case of dust, rain, snow or impacts with obstacles while the robot is on the move. The robot and its SDR payload module are both powered by an on-board battery thus making the entire robotic radio platform independent of external power supplies.

Servosila plans to start shipping the SDR-equipped robots to international customers in October, 2017.

Web: https://www.servosila.com
YouTube: https://www.youtube.com/user/servosila/videos

About the Company
Servosila is a robotics technology company that designs, produces and markets a range of mobile robots, robotic arms, servo drives, harmonic reduction gears, robotic control systems as well as software packages that make the robots intelligent. Servosila provides consulting, training and operations support services to various customers around the world. The company markets its products and services directly or through a network of partners who provide tailored and localized services that meet specific procurement, support or operational needs.

Servosila EOD Robot
Servosila EOD Robot

SDR Academy Talks: RPiTX TX for the Masses, Transmitter Localization with TDOA, HackRF as a Signal Generator and more

Over on YouTube the Software Defined Radio Academy channel has uploaded some new interesting SDR related conference talks, some of which may be of interest to readers. Some of our favorites are posted below. Other new interesting talks from channel include:

  • Derek Kozel, AG6PO, Ettus: Hardware Accelerated SDR: Using FPGAs for DSP (Link)
  • Mario Lorenz, DL5MLO: Across the Solar System – using SDRs for real long-distance communication (Link)
  • Andras Retzler, HA7ILM: Demodulators from scratch: BPSK31 and RTTY (Link)
  • Gerald Youngblood, K5SDR (President of FlexRadio): Direct Sampling and Benefits of the Architecture (Link)
  • Dr. Selmeczi Janos, HA5FT: A new lightweight data flow system (Link)
  • Chris Dindas, DG8DP: Standalone SDR-TRX, Highend – Lowcost – Homebrew (Link)
  • Erwin Rauh, DL1FY: Charly25 – SDR Transceiver Project – Community Development (Link)
  • Črt Valentinčič, S56GYC, Red Pitaya: HamLab (Link)

Evariste Courjaud, F5OEO: Rpitx : Raspberry Pi SDR transmitter for the masses

Low cost RTL-SDR democratize access to SDR reception, but is there an equivalent low cost solution for transmission : Rpitx is a software running on Raspberry Pi which use only GPIO to transmit HF. This presentation describes how to use it as a SDR sink but also describes details of how it is implemented using PLL available on the Raspberry Pi board. Warnings and limits of this simple SDR are also provided before going “on air”. Last paragraph shows what are potential evolutions of this system : low cost DAC and third party software integration.

Stefan Scholl, DC9ST: Introduction and Experiments on Transmitter Localization with TDOA

Time-Difference-of-Arrival (TDOA) is a well-known technique to localize transmitters using several distributed receivers. A TDOA system measures the arrival time of the received signal at the different receivers and calculates the transmitter’s position from the delays. The talk first introduces the basics of TDOA localization. It shows how to measure signal delay with correlation and how to determine the position using multilateration. It also covers further aspects and challenges, like the impact of signal bandwidth and errors in delay measurement, receiver placement and synchronization as well as the requirements on the network infrastructure. Furthermore, an experimental TDOA system consisting of three receivers is presented, that has been setup to localize signals in the city of Kaiserslautern, Germany. The three receivers are simple low-cost devices, each built from a Raspberry PI and a RTL/DVB-USB-Stick. They are connected via internet to a master PC, which performs the complete signal processing. The results demonstrate, that even with a simple system and non-ideal receiver placement, localization works remarkably well.

Frank Riedel, DJ3FR: The HackRF One as a Signal Generator

The usability and performance of the HackRF One SDR experimental platform as a signal generator up to 6 GHz is examined by means of an HPIB driven measurement system. The effective circuit of the HackRF One used in the CW TX mode is described and its components are linked to the parameters of the command line tool ‘hackrf_transfer’. The frequency accuracy of the HackRF One is measured against a frequency standard, output signal levels and spurious emissions are determined using a spectrum analyzer.

Video Tutorials: Setting up an RTL-SDR and HackRF with SDR-Console V3, Using the HackRF to find your Cellphone Signal and more

Over on his YouTube channel user Corrosive has uploaded a set of videos that show how to install and get started with an RTL-SDR or HackRF with SDR-Console V3.  The video series starts from the very beginning with installing the drivers via zadig, and then goes on to show how to download, install and use SDR-Console V3.

In one of his later videos Corrosive also shows how to optimally configure the settings in SDR-Console V3 and SDR# for optimal reception and viewing.

In a newer video he also shows how he uses the HackRF as a spectrum analyzer to find his cellphone signal. Regarding this video, Corrosive wrote in to us and said the following:

For a while now I’ve been trying to find the frequency of my cell phone, looking frequencies up online and trying to find an app that would tell me my current frequency. None of these things seem to work and scanning the band manually I always came up dry because I wasn’t 100% sure where I needed to look.

Further videos on his channel also show how to receive ADSB data with an RTL-SDR and Android phone, and how he repurposed a rabbit ears antenna into a V-dipole antenna for receiving Satcom pirates.

Corrosive has done a good job putting out SDR and radio related videos over the past couple of weeks so it may be a channel to subscribe to if you are interested in this type of content.

Receiving NOAA 19 HRPT with a HackRF, LNA4All and Cooking Pot Antenna

Over on his YouTube channel Adam 9A4QV has uploaded a video that shows him receiving the NOAA 19 HRPT signal at 1698 MHz with his HackRF, LNA4ALL and the simple circularly polarized cooking pot antenna that we saw in his last videos.

HRPT stands for High Resolution Picture Transmission and is a digital protocol that is used on some satellites to transmit much higher resolution weather images when compared to the APT signal that most people are familiar with receiving. The HRPT signal is available on NOAA19, which also transmits APT. However, unlike APT which is at 137 MHz, HRPT is at 1698 MHz, and is typically a much weaker signal requiring a higher gain motorized tracking antenna.

However in the video Adam shows that a simple cooking pot antenna used indoors is enough to receive the signal (weakly). The signal is probably not strong enough to achieve a decoded image, but perhaps some tweaks might improve the result.

Over on his Reddit thread about the video Adam mentions that a 90cm dish, with a proper feed and two LNA4ALLs should be able to receive the HRPT signal easily. User devnulling also gives some very useful comments on how the software side could be set up if you were able to achieve a high enough SNR.

GNU Radio has HRPT blocks in the main tree (gr-noaa) that work well for decoding and then David Taylor has HRPT reader which will generate an image from the decode GR output. http://www.satsignal.eu/software/hrpt.htm

http://usa-satcom.com has a paid HRPT decoder that runs on windows that has some improvements for lower SNR locking and works very well.

– devnulling

On a previous post we showed @uhf_satcom‘s HRPT results where he used a motorized tracking L-band antenna and HackRF to receive the signal. Some HRPT image examples can be found in that post.

Testing the HackRF and Portapack with an LNA4ALL

Over on YouTube Adam 9A4QV has been testing out his HackRF and Portapack with his LNA4ALL. The LNA4ALL is able to be powered inline via the bias tee on the HackRF. In the first video Adam shows that the HackRF and LNA4ALL is capable of receiving L-band satellites easily. The antenna he uses is a homemade circularly polarized antenna with a cooking pot being used as the reflector.

In the second video Adam shows the HackRF, Portapack and LNA4ALL receiving a telemetry signal on 442 MHz.

Finally in the last video Adam shows himself making a full QSO contact using the HackRF, Portapack and LNA4ALL. The software he uses on the Portapack is Furtek’s ‘Havoc’ firmware which has microphone to TX functionality. The LNA4ALL is able to work in transmit mode without trouble. Adam has written instructions for modifying the LNA4ALL so that it can transmit and use the HackRF’s bias tee power at the same time over on his website lna4all.blogspot.com.

Precisely Synchronizing Multiple HackRFs

Recently Marco Bartolucci & José A. del Peral-Rosado wrote in and wanted to let us know about their work in creating multiple precisely synchronized HackRF’s. They plan to use the synchronized HackRFs for solving at a low cost some interesting navigation problems which are described in detail in their academic paper (IEEE link). The abstract of the paper reads:

This paper describes a new method for the synchronisation of multiple low-cost open source software-defined radios (SDR). This solution enables the use of low-cost SDRs in interesting navigation applications, such as hybrid positioning algorithms, interference localisation, and cooperative positioning among others. Time synchronisation is achieved thanks to a time pulse that can be generated either by one of the SDRs or by an external source, such as a GNSS receiver providing 1PPS signal. Experimental results show that the proposed method effectively reduces the synchronisation offset between multiple SDRs, to less than one sampling period.

In simple terms, hybrid positioning is the process of using multiple signals such as WiFi, Bluetooth and cell phone signals etc together to get an accurate position of the receiver. By using several sources localization accuracy can be improved, but to do this each receiver much be precisely synchronized to the same clock source.

The system they created uses a 1PPS GNSS based time source connected to the SYNC_IN inputs on both HackRFs. The synchronization code is run in hardware on the HackRF’s onboard CPLD (complex programmable logic device). Furthermore they also write the following regarding the system and code which has been adopted into the HackRF repository:

A new time synchronization feature has been recently adopted in the HackRF official repository thanks to the collaboration between SPCOMNAV group, Università di Bologna, and the European Space Agency (ESA).

This contribution allows any user to precisely synchronize multiple HackRF devices below 50 ns, by means of a minor hardware modification and the firmware update. 

More information about the driver updates and instructions for use can be found in this Git pull request. The team also write that their work was presented at the NAVITEC 2016 conference.

HackRF Synchronization with a 1PPS GNSS Reference.
HackRF Synchronization with a 1PPS GNSS Reference.