Last week we posted about Micheal Ossmann and Schuyler St. Leger's talk on Pseudo-Doppler direction finding with the HackRF. The talk was streamed live from Schmoocon 18, but there doesn't seem to be an recorded version of the talk available as of yet. However, Hackaday have written up a decent summary of their talk.
In their direction finding experiments they use the 'Opera Cake' add-on board for the HackRF, which is essentially an antenna switcher board. It allows you to connect multiple antennas to it, and choose which antenna you want to listen to. By connecting several of the same type of antennas to the Opera Cake and spacing them out in a square, pseudo-doppler measurements can be taken by quickly switching between each antenna. During the presentation they were able to demonstrate their setup by finding the direction of the microphone used in the talk.
If/when the talk is released for viewing we will be sure to post it on the blog for those who are interested.
Over on YouTube a video titled “Hunting Rogue WiFi Devices using the HackRF SDR” has been uploaded. The talk is given by Mike Davis at the OWASP (Open Web Application Security Project) Cape Town. The talk’s abstract reads:
Rogue WiFi Access Points are a serious security risk for today’s connected society. Devices such as the Hak5 Pineapple, ESP8266-based ‘throwies’, or someone with the right WiFi card and software can be used to intercept users’ traffic and grab all of their credentials. Finding these rogue devices is a very difficult thing to achieve without specialised equipment. In this talk Mike will discuss the work he has been doing over the past year, to use the HackRF SDR as a RF Direction-finding device, with the goal of hunting down various malicious RF devices, including car remote jammers.
The talk starts off with the basics, explaining what the problems with WiFi devices are, what the HackRF and SDR is, and then goes on to explain some direction finding methods that Mike has been using.
Hunting rogue WiFi devices using the HackRF SDR – Part 1 of 2
Hunting rogue WiFi devices using the HackRF SDR – Part 2 of 2
Over on YouTube user Tatu Peltola has uploaded a video showing his RTL-SDR based phase correlative direction finder in action. This set up uses three RTL-SDR dongles and three antennas to measure phase differences and thus determine the direction towards a signal source. All three RTL-SDR’s must be coherent, meaning that all three of their 28.8 MHz clock signals must come from the same source.
In the video Tatu walks around the three antennas with a handheld radio. An arrow on a laptop screen points in the direction of the transmitter.
A known problem with RTL-SDR’s is that even with the clock sources synchronized there is still an unknown cause of additional phase shift. To solve this problem Tatu writes:
Each rtl-sdr is fed from the same reference clock to make their phase shift remain constant. They still have unknown phase shifts and sampling time differences relative to each other. This is calibrated by disconnecting them from antennas and connecting every receiver to the same noise source. Cross correlation of the noise gives their time and phase differences so that it can be corrected.
Over on Reddit, user tautology2 has linked to his project which is software that can create a heatmap of signal strengths. His software uses the data that is output from RTLSDR Scanner which is a program that will collect signal strength data over any desired bandwidth and at the same time also record GPS coordinates using an external GPS receiver. RTLSDR Scanner can also create a heatmap by itself, but tautology2’s heatmap is much clearer and has good web controls for choosing the heatmap signal frequency.
The RTLSDR scanner software has been updated and now supports connection to an external GPS receiver. With a GPS receiver attached to a laptop, the RTL-SDR can be used to make signal strength maps by driving around in a car and monitoring the radio spectrum with RTLSDR Scanner running. The signal strength map can then be viewed in Google Earth, a GIS program or any image viewer.
After checking for local causes of interference and finding nothing, they decided that the interferer must be coming from further away. To find the location of the jamming signal they did some radio direction finding. This involved driving around with Yagi and magnetic loop antennas and RTL-SDR and USRP N200 SDRs and then measuring the signal strength at various points.
For the software they used a custom GNURadio block which calculated the power spectra using the FFTW C library, and averaged the results to disk. They then post processed the data to calculated the RFI power, and correlated the data with GPS coordinates recorded on his phone.
After all the data was processed, they discovered that the interference originated from an FM radio tower which had a faulty FSK telemetry link. They notified the engineer responsible who then replaced the link and the interference disappeared.