Tagged: rtl-sdr

SignalsEverywhere: ADS-B Aircraft Tracking with RTL-SDR, dump1090 and Virtual Radar Server

Over on his YouTube channel Corrosive from the SignalsEverywhere YouTube channel has uploaded a tutorial that shows how to set up ADS-B aircraft tracking with an RTL-SDR, dump1090 and Virtual Radar Server. The decoder software is dump1090 which is a multiplatform command line tool, and Virtual Radar Server is a Windows and Linux compatible program that is used to display the data on Google maps.

ADS-B is used as a more accurate and modern replacement for traditional aircraft radar. Instead of relying on radar reflections, ADS-B simply transmits a radio signal containing plane data such as GPS location, speed, and identification codes. Other aircraft can use this data for collision avoidance, and ground control use it for traffic management. Setting up your own RTL-SDR based ADS-B receiver allows you to see and track on a map almost all the aircraft currently flying in your area.

ADS-B Receiver With RTL SDR | Tracking Aircraft In Real-time!

A Portable RTL-SDR Based ADS-B Receiver with Display and 3D Printed Enclosure

Over on Hackaday.io user nathan.matsuda has written about his RTL-SDR based hand held ADS-B aircraft receiver with display and 3D printed enclosure.

His initial idea was to create a flexible and open portable SDR device, however keeping the device open and built for general use meant increased complexity which quickly slowed his progress. Instead [Nathan] decided to focus on just ADS-B for his portable device as living near an airport he’d been interested in aircraft tracking since his first SDR arrived.

The device consists of a Raspberry Zero, RTL-SDR, 3.5″ IPS LCD and a battery pack for portability. For software he uses dump1090 with some custom code for the map plotting. Together with a 3D printed case and some buttons, the result is a very professional looking portable aircraft tracking device.

Hopefully Nathan will continue updating his project page so that others may replicate it on their own.

Raspberry Pi Zero and RTL-SDR Portable ADS-B Receiver
Raspberry Pi Zero and RTL-SDR Portable ADS-B Receiver

Next International Space Station SSTV Event on April 11 – 14

Thank you to Alex Happysat for writing in and letting us know about the next upcoming ISS SSTV event which will begin on 11 April at about 18:00 UTC and end on 14 April 2019 18:00 UTC. If you were unaware, the International Space Station (ISS) transmits SSTV images several times a year to commemorate special space related events. SSTV or Slow Scan Television is an amateur radio mode which is used to transmit small images over radio signals.

The images will be transmitted constantly at 145.8 MHz over the active period and they are expected to be in the PD-120 SSTV format. To receive the images you can use a simple RTL-SDR dongle and the MMSSTV software. A tuned satellite antenna like a QFH, turnstile, or tracking Yagi would be preferred, but many people have had good success before using simpler antennas like a V-Dipole. Software like Orbitron, GPredict, various Android apps or NASA's Spot the Station website can be used to determine where the ISS is and predict when it will be over your location.

Over on the ARISS SSTV blog, they write:

The next big event will be the ARISS SSTV event that starts Thursday, April 11 about 18:00 UTC and will be operational until about 18:00 UTC on Sunday, April 14. Since this event will run continuously for 72 hours, folks in the higher latitudes should have a pretty good chance to receive all 12 of the images. Operators in the mid latitudes should be able to get most of them depending on location. Good Luck and Enjoy!

Alex also mentions that for this and other ISS events AMSAT Argentina is handing out ARISS-SSTV Diplomas to amateur radio operators who receive, record and upload at least 15 images received from the ISS, in at least two different radio operation with a month or more in between then.

If you cannot set up a receiver, it is possible to use R4UAB's WebSDR which will be available directly at websdr.r4uab.ru. However, note that internet reception is not valid for the AMSAT Diploma. An example of WebSDR SSTV reception and decoding from a smaller ISS SSTV event held a few days ago is shown below.

ISS SSTV R4UAB WEBSDR 12.04.2016 14:00 UTC

Replicating A Rolljam Wireless Vehicle Entry Attack with a Yardstick One and RTL-SDR

Over on his hackaday.io blog, Gonçalo Nespral has written about his experiences in recreating Samy Kamkars now famous low cost rolljam attack. A rolljam attack allows an attacker break into a car by defeating the rolling code security offered by wireless keyfobs. Back at Defcon 2015, an information security conference, Samy Kamkar presented a method for creating a $32 Rolljam device that consisted of two 433 MHz transceiver modules controlled by an Arduino.

In his version, Gonçalo was able to recreate the attack using a Yardstick One and an RTL-SDR. The RTL-SDR receives the signal, whilst the Yardstick One performs the jamming and retransmit functions.

Actually using this attack in a real scenario would be difficult due to the need to properly jam and receive the keyfob signal, which could prove tricky in an uncontrolled environment. However, there have been reports of criminals entering high end cars with wireless devices before and this could be one such attack method in use.

The important thing to learn is to be suspicious if your car key fob doesn't work on the first press while you are definitely in range of the car. To mitigate the possibility of wireless keyfob attacks, always use a manual key and if you must use the wireless keyfob, only unlock the car when standing right next to it, so that the keyfob signal is strong enough to overcome the jammer. Although it is still plausible that an attacker could attach the rolljam device to the car itself for greater jamming power, and then retrieve it later.

[First seen on Hackaday]

How RollJam Works
How RollJam Works

RSA Conference Talks: IOT Hacking with SDR, Tracking Rogue RF Devices & Wireless Offense and Defense

RSA Conference is an information security event that was recently held on March 4 - 8 in San Francisco. The talks have been uploaded to YouTube and from what we see there are three interesting SDR/RF related talks that may be worth looking at, which we show below. The full list of videos can be found on their YouTube channel.

RF Exploitation: IoT and OT Hacking with Software-Defined Radio

Harshit Agrawal, Security Researcher, MIT Academy of Engineering, SPPU

Himanshu Mehta, Team Lead (Senior Threat Analysis Engineer), Symantec

Recent years have seen a flood of novel wireless exploits, from vulnerable medical devices to hacked OT devices, with exploitation moving beyond 802.11 and into more obscure standard and proprietary protocols. While other non-WiFi RF protocols remain a mystery to many security practitioners, exploiting them is easier than one might think. SDR is changing the game for both offense and defense.Learning Objectives:1: Become familiar with common security concerns and attack surfaces in a wireless communication system.2: Understand the ease and prevalence of wireless exploitation, with sophisticated examples.3: Learn to view IoT devices, security and privacy collectively.

RF Exploitation: IoT and OT Hacking with Software-Defined Radio

Hunting and Tracking Rogue Radio Frequency Devices

Eric Escobar, Principal Security Consultant, SecureWorks

Rogue radio frequencies pose a substantial and often overlooked threat to both organizations and targeted individuals. This talk will explore the dangers of rogue radio frequencies and highlight tactics, techniques and tools which can be used to identify and locate potential threats.Learning Objectives:1: Understand the major ways rogue wireless frequencies can impact an organization.2: Develop a basic understanding of how to locate a rogue wireless signal.3: Gain a conversational knowledge of ways to identify and track a wireless signal.Pre-Requisites:Basic understanding of security principles. Basic understanding of wireless communication. Basic understanding of computer networks.

Hunting and Tracking Rogue Radio Frequency Devices

Wireless Offense and Defense, Explained and Demonstrated!

Rick Farina, Senior Product Manager, WLAN Software Security, Aruba
Rick Mellendick, Chief Security Officer, Process Improvement Achievers LLC

This session will discuss the use of radio frequency, often overlooked for network enumeration and attack. The techniques to be discuss are used to identify authorized and unauthorized signals in an organization. Without understanding the offensive attacks an organization can’t perform effective defense. The talk will explain and demonstrate how to enumerate and gain access to resources through RF signals.Learning Objectives:1: Understand that wireless doesn’t just mean WiFi.2: Understand that the Bluetooth protocol can allow for direct attacks against phones, PCs and other devices.3: Learn that other RF attacks are very difficult to detect, and gain an understanding of what they look like.Pre-Requisites:The biggest prerequisite for our talk is an open mind and the ability to understand risk, and after the talk to better assess risk on your environment.

Wireless Offense and Defense, Explained and Demonstrated!

SignalsEverywhere: Using DSDPlus Fastlane for Listening to Phase 1 P25 Trunking

DSDPlus is a popular piece of software often used with RTL-SDR dongles to listen to unencrypted digital voice signals such as P25 and DMR. Digital voice is now commonly used by many Police and emergency services as well as business radio. DSDPlus fastlane is DSD's paid upgrade which allows subscribers to access to the latest releases of DSDPlus early.

Over on the SignalsEverywhere YouTube channel, Corrosive has uploaded a quick video guide that shows how to use DSDPlus Fastlane and two RTL-SDR dongles to set up a Phase 1 P25 voice decoder that automatically follows a P25 trunking channel. The basic process involves running two FMP instances which is a program in the DSDPlus suite that connects to the RTL-SDR's and receives the signal. One DSDPlus instance monitors the trunking channel, and this tunes the second FMP+DSD instance to the frequency currently active in the trunking system.

Corrosive also explains how people who are subscribed to RadioReference can download pre-populated data files that will allow the DSDPlus event log to display talkgroup information so that you can see who is talking to who.

Digital Radio Scanning With DSDPlus Setup Fastlane | Tracking Phase 1 P25 Trunking System Tutorial

Ghosts in the Air Glow HAARP Art Project: Transmitting Until March 28

The famous HAARP (High Frequency Active Auroral Research Program) antenna array will be transmitting again from March 25 - March 28, 2019. HAARP is an antenna array which is used to perform experiments on the Earth's ionosphere and thermosphere by transmitting HF RF energy into it. With an HF capable receiver like the RTL-SDR V3 it is often possible to receive these transmissions from some distance away. As HAARP only rarely transmits, it is an interesting signal to catch when it is transmitting.

HAARP (High Frequency Active Auroral Research Program)
HAARP (High Frequency Active Auroral Research Program)

The current set of experiments are being combined with an art project by artist Amanda Dawn Christie (@magnet_mountain). Amanda is an interdisciplinary artist working at Condordia University. On the project website she explains the project:

Ghosts in the Air Glow is an ionospheric transmission art project using the HAARP Ionospheric Research Instrument to play with the liminal boundaries of outer space.

Pairing air glow experiments in the ionosphere—false auroras creating soft, glowing spots in the sky—with SSTV images, audio and image signals articulated by artist Amanda Dawn Christie will be received and decoded via SDR (Software Defined Radio) equipment by amateur radio operators around the world, and streamed live online for audiences who do not have the equipment or expertise for reception.

She also talks about the project on a Concordia University article:

The first art transmission was sent earlier today, and if you missed it Amanda live streamed the signals being received on YouTube and the recording is available here. Future live streams will be available here. DK8OK has also posted about his reception on his blog.

Further transmissions are scheduled every day until March 28, and the transmissions schedule is available here. Each transmission consists of several 'movements', which consist of differing antenna array arrangements, frequencies being used, and signals being transmitted. If the text formatting of the movements is a bit difficult to read, Reddit user 
grink has formatted it into a nice table in his post. To follow the transmissions it would be also wise to follow Amanda on Twitter, where she is posting the most up to date transmission frequencies.

As to how the idea for this project came about, the Concordia University article writes:

The idea for the project came about when Christie met Christopher Fallen, the chief scientist at HAARP, at a hackers conference earlier this year. Fallen, who is an amateur radio operator, was intrigued by Christie’s proposition to use the IRI to create site-specific transmission art.

He agreed to open the facility to her, and when she gained backing from the Canada Council for the ArtsGhosts in the Air Glow officially became the first Canadian-funded project to take place at HAARP.

“Art and science are often seen as separate efforts but they actually share many of the same inspirations and techniques. I’m excited to see HAARP, a unique scientific instrument, used for a comparably unique artistic performance,” says Fallen.

“Amanda’s project will be a valuable contribution to the 50-year collection of scientific work in the field of ionosphere radio modification, and also to the brand new collection of artistic work using powerful high-frequency radio transmitters and the upper atmosphere — it’s art directed from the ground but created in space!”

Interdisciplinary artist Amanda Dawn Christie. Photo by Concordia University
Interdisciplinary artist Amanda Dawn Christie. Photo by Concordia University

If you prefer a video explanation of the project, YouTube user OfficialSWLchannel has prepared a video which is shown below.

HAARP tests and Ghost in the Air Glow from Amanda Dawn Christie

SigintOS: A Linux Distro for Signal Intelligence

Recently we've heard of a new Linux distribution called SigintOS becoming available for download. SigintOS is an Ubuntu based distribution with a number of built in signal intelligence applications for software defined radios such as RTL-SDRs and other TX capable SDRs like the HackRF, bladeRF and USRP radios.

The distro appears to be very well executed, with a built in GUI that grants easy access to the some common sigint tools like an FM and GPS transmitter, a jammer, a GSM base station search tool and an IMSI catcher. SigintOS also has various other preinstalled programs such as GNU Radio, gr-gsm, YatesBTS, wireshark and GQRX.

The OS also teases an LTE search and LTE decoder which to access requires that you get in contact with the creators, presumably for a licencing fee. Regarding an LTE IMSI catcher they write:

LTE IMSI Catcher is not myth!

Due to the nature of LTE base stations, the capture of IMSI numbers seems impossible. LTE stations use GUTI to communicate with users instead of IMSI. The GUTI contains the temporary IMSI number called T-IMSI. This allows the operator to find out who is at the corresponding LTE station who is authorized to query T-IMSI information.

Can the GUTI number be found?
Answer Yes!

How to find GUTI and T-IMSI numbers?
Can be found with the help of SigintOS …

For detailed information [email protected]

The image comes as a 2GB ISO file, and it's possible to run it in WMWare or VirtualBox.

SigintOS IMSI Catcher