Derpcon is a COVID-19 inspired information security conference that was held virtually between April 30 - May 1 2020. Recently the talks have been uploaded to their YouTube channel. One interesting SDR talk we've seen was by Kelly Albrink and it is titled "Ham Hacks: Breaking into the World of Software Defined Radio". The talk starts by giving a very clear introduction to software defined radio, and then moves on to more a complex topic where Kelly shows how to analyze and reverse engineer digital signals using a HackRF and Universal Radio Hacker.
RF Signals are basically magic. They unlock our cars, power our phones, and transmit our memes. You’re probably familiar with Wifi and Bluetooth, but what happens when you encounter a more obscure radio protocol? If you’re a hacker who has always been too afraid of RF protocols to try getting into SDRs, or you have a HackRF collecting dust in your closet, this talk will show you the ropes. This content is for penetration testers and security researchers to introduce you to finding, capturing, and reverse engineering RF signals. I’ll cover the basics of RF so you’re familiar with the terminology and concepts needed to navigate the wireless world. We’ll compare SDR hardware from the $20 RTLSDR all the way up to the higher end radios, so you get the equipment that you need without wasting money. I’ll introduce some of the software you’ll need to interact with and analyze RF signals. And then we’ll tie it all together with a step by step demonstration of locating, capturing, and reverse engineering a car key fob signal.
Ham Hacks: Breaking into the World of Software Defined Radio - Kelly Albrink
Over on his YouTube channel Aaron has uploaded a video showing how we can SigDigger to decode analog NTSC video from a drone camera which is transmitted at 5.7 GHz. SigDigger is a rapidly evolving SDR program for Linux and MacOS that has a lot of built in functionality for inspecting signals in more depth. Although not specifically designed for it, the Symbol Stream viewer in SigDigger can be used to display NTSC Analog Video. Aaron writes:
For the most part, the older an analog modulation is, the easier it is to get basic results when decoding. TV receivers were rather dumb back in the day, basically fast fax machines glued to an off-band FM radio receiver. Receiver circuits were also slow, and the signal had lots of invisible blank spaces in the borders so that the cheapest TVs could switch to the next line in time. The invention of Teletext leveraged those blanks in order to carry digital information and color information was embedded as an additional narrowband signal in the gaps in the spectrum.With this in mind I wanted to take a look at decoding analog video transmissions from drones. While some drones have moved to more effective digital compression and channel transmission technologies allowing for high definition video, there’s still drones using RC-like communications and the FPV video link is pure FM-modulated NTSC.
Searching the internet provided few results on how I could go about using low cost equipment, such as the HackRF One, to decode drone feeds. After an extensive search I decided to start looking at Linux based software defined radio applications I was already familiar with. By chance I happened to be working with SigDigger, a free digital signal analyzer. It has been discussed on RTL-SDR.com and more recently on Signal Lounge (https://signal-lounge.com/2020/05/05/sigdigger-for-signal-analysis/). It is also included in my own creation, DragonOS (https://sourceforge.net/projects/dragonos-lts/)
After a brief email exchange with the developer it was brought to my attention that visualizing analog video transmission is possible in SigDigger (although with no color information, of course). Since SigDigger supports the HackRF and the HackRF provides coverage in the 5ghz band, it was now possible for me to try to decode a 5ghz drone video feed. I’ve documented the process and my results on my YouTube channel. I should point out that this is currently a side feature of SigDigger and currently lacks synchronization. The symbol view area I used in the video is not made for this. It is meant to display symbols and symbols patterns which, due to its behavior, can incidentally show the contents of analog TV and weather faxes with lots of manual adjustments.
While the SigDigger developer makes mention of plans to include an embedded generic analog TV viewer and possibly add the ability to automatically sync video, there’s currently no timeframe on when that might become available.
DragonOS LTS SigDigger demodulating a 5 GHz analog video/FPV drone link (HackRF One, SigDigger)
We note that if you're interested in PAL/NTSC decoding, there is also the excellent TVSharp plugin for SDR# available.
Over on YouTube TechMinds has uploaded a video where he explores the QT-DAB software (formerly known as SDR-J), which is a program capable of decoding Digital Audio Broadcast (DAB) signals. QT-DAB is compatible with several SDRs including the RTL-SDR, HackRF, Airspy and SDRplay units.
DAB stands for Digital Audio Broadcast and is a digital broadcast radio signal that is available in many countries outside of the USA. The digital signal encodes several radio stations, and it is considered a modern alternative or future replacement for standard analog broadcast FM.
In the video TechMinds explains how to download, install and use the software on a Windows machine. He goes on to demonstrate some DAB decoding in action with various SDRs and then shows how to connect QT-DAB to a remote RTL-SDR via rtl_tcp.
DAB Radio Decoder For SDR (RTL_SDR - HACKRF - AIRSPY)
Thank you to Aaron for submitting news about his latest project called "DragonOS" which he's been working on while in COVID-19 lock down. DragonOS is a Debian Linux based operating system which comes with many open source software defined radio programs pre-installed. It supports SDRs like the RTL-SDR, HackRF and LimeSDR.
Aaron's video below shows how to set up DragonOS in a VirtualBox, and he has two other videos on his channel showing how to set up ADS-B reception with Kismet, and how to run GR-RDS in GNURadio. He aims to continue with more tutorial videos that make use of the software installed on DragonOS in the near future.
Over on YouTube user kwon lee has uploaded a video demonstrating a replay attack against a parking barrier arm. The tools he uses are a HackRF and Portapack running the Havok firmware. A replay attack involves recording a control signal with the HackRF+Portapack, and then replaying it later with the transmit function of the HackRF. If no wireless security mechanism like rolling-codes are used, simply replaying the signal will result in the transmission being accepted by the controller receiver.
As he has access to the remote control he records the transmission that is sent when the open button is pressed on the remote. Later once outside he shows how transmitting with the HackRF+Portapack results in the barrier arm opening.
This reminds us of a previous post where we noted how a HackRF was used to jam a garage door keyfob to prevent people from leaving in the TV show "Mr. Robot".
RF Replay Attack _ Parking-Breaker with HackRFone+Portapack+havoc
At the Hackaday Supercon Michael Ossmann & Kate Temkin presented a talk called "Software-Defined Everything" where they demonstrated some applications of the "GreatFET One" interface board. Michael Ossmann is best known for creating the HackRF software defined radio which is a highly versatile and low cost open hardware/software SDR transceiver. His company Great Scott Gadgets also employs Kate Temkin who is the lead software developer who worked on their latest product called the GreatFET One.
The GreatFET One is a multi-purpose digital interface board that plugs into a PC via USB. It contains multiple digital IO pins, supports SPI, I2C, UART and JTAG serial protocols, can do logic analysis, and also has a built in ADC and DAC.
In the talk Michael and Kate show how a simple light sensor can be plugged into the GreatFET's ADC, allowing the sensor's data to be digitized and processed in GNU Radio. This results in a software defined light sensor. By analyzing the light data in the frequency domain via an FFT graph they're able to determine the refresh rate of the ceiling lights.
Later they also show how GreatFET can be combined with i2C sensors and GNU Radio to do creative things like use an accelerometer as a microphone for a guitar pickup, with audio effects like guitar clipping controlled by GNU Radio blocks.
Michael Ossmann & Kate Temkin - Software-Defined Everything
Over on YouTube SignalsEverywhere has just uploaded his latest video about using a HackRF and Airspy R2/Mini to explore the signals coming out of an internet cable modem's coax cable. In the video he performs a wideband scan with his Airspy R2 and the SpectrumSpy software which shows not only his, but the downstream signals from other users in his neighborhood on the cable network too.
Next using his HackRF with Spectrum Analyzer and the hackrf_sweep fast sweeping software, he was able to determine the uplink portion of his cable modem. By running an internet speed test in the background he was also able to visualize the increased cable data activity on the spectrum waterfall display.
The Secret Signals Hiding In Your Cable Modem | SDR Used to Sniff Cable Internet Modem Coax
A ground penetrating radar (GPR) is a system that uses RF pulses between 10 to 2.6 GHz to image up to a few meters below the ground. A typical GPR system consists of a transmitting radio and antenna that generates the radar pulse aimed towards the ground, and a receiving radio that receives the reflected pulse.
GPR is typically used for detecting buried objects, determining transitions in ground material and detecting voids and cracks. For example, in construction it can be used to determine rebar locations in concrete, and in the military it can be used to detect non-metallic landmines and hidden underground areas.
Their system uses a step-frequency continuous waveform (SFCW) signal which scans over multiple frequencies over time, and the software was written in GNU Radio. In their tests they were able to detect a dry block of sand buried 6 cm below the ground, and a wet block 20 cm below.