Tagged: usrp

Fissure: An Open Source RF Reverse Engineering Framework

FISSURE (Frequency Independent SDR-Based Signal Understanding and Reverse Engineering) is a recently released open source framework that runs on Linux, and includes a whole suite of previously existing software that is useful for analyzing and reverse engineering RF signals. On top of that it includes a custom GUI with a bunch of custom software that ties everything together in a full reverse engineering process.

Recently the developers spoke at this years Defcon conference, and the talk video is supplied at the end of this post. In their talk they explain the purpose of FISSURE, before going on to demonstrate it being used to reverse engineer a wireless X10 doorbell. FISSURE makes analyzing the signal easy, starting with spectrum analysis to find the signal, then signal recording, signal cropping, signal replay, crafting packets and crafting attacks.

News and developments about FISSURE can also be seen on their Twitter.

FISSURE is an open-source RF and reverse engineering framework designed for all skill levels with hooks for signal detection and classification, protocol discovery, attack execution, IQ manipulation, vulnerability analysis, automation, and AI/ML. The framework was built to promote the rapid integration of software modules, radios, protocols, signal data, scripts, flow graphs, reference material, and third-party tools. FISSURE is a workflow enabler that keeps software in one location and allows teams to effortlessly get up to speed while sharing the same proven baseline configuration for specific Linux distributions.

The framework and tools included with FISSURE are designed to detect the presence of RF energy, understand the characteristics of a signal, collect and analyze samples, develop transmit and/or injection techniques, and craft custom payloads or messages. FISSURE contains a growing library of protocol and signal information to assist in identification, packet crafting, and fuzzing. Online archive capabilities exist to download signal files and build playlists to simulate traffic and test systems.

The friendly Python codebase and user interface allows beginners to quickly learn about popular tools and techniques involving RF and reverse engineering. Educators in cybersecurity and engineering can take advantage of the built-in material or utilize the framework to demonstrate their own real-world applications. Developers and researchers can use FISSURE for their daily tasks or to expose their cutting-edge solutions to a wider audience. As awareness and usage of FISSURE grows in the community, so will the extent of its capabilities and the breadth of the technology it encompasses.

FISSURE RF Framework - Griffiss Institute & AIS Monthly Lecture + Education Series

Remoticon 2021: Smart Meter Hacking Talk

Remoticon 2021 was an online conference held in November 2021 and videos of presentations have recently been uploaded to the Hackaday YouTube channel this month. One very interesting talk was the presentation by Hash Salehi (RECESSIM) on reverse engineering electricity smart meters that are used to remotely monitor and bill home electricity usage in some neighborhoods.

In the past we've posted about Hash (RECESSIM)'s series on smart meter hacking a few times before. In this latest talk Hash summarizes his smart meter hacking experience, talking about how he went from reverse engineering the firmware, to using an SDR to capture and decode information from all the smart meters in his neighborhood, and finally to determining how to actually transmit data to his own smart meter network.

Hackaday have also posted a full writeup on his talk. This is a very in depth reverse engineering project so it is a great talk to learn from.

Remoticon 2021 // Hash Salehi Outsmarts His Smart Meter

Decoding and Logging GPS Coordinates From Wireless Smart Meters

Back in April we posted about "Hash's" RECESSIM YouTube series on hacking electricity smart meters using a software defined radio. Recently his series continues with a video on decoding and logging the GPS coordinates sent by the smart meters used in his area. Using a car, SDR and laptop he was able to drive down the freeway collecting smart meter data as he travelled, decode the data, and plot it on a map. In his video Hash explains why there is GPS data in the signal, and how he was able to reverse engineer and determine the GPS data.

Smart Meter Hacking - Decoding GPS Coordinates

Reverse Engineering Wireless Mesh Smart Meters with Software Defined Radio

Over on YouTube channel RECESSIM has uploaded a three part series on reverse engineering smart utility meters. In many locations wireless mesh smart electricity meters are installed in houses allowing for completely wireless monitoring. These mesh network devices pass the wireless data from meter to meter until the data reaches a router that is typically placed on a neighborhood power pole.

In the first video Recessim explains how a smart meter mesh network works, and demonstrates signal reception in the 900 MHz band with a USRP B200 software defined radio.

In the second video he demonstrates how he can see meter ID and power outage information from Oncor meters, explains his GNU Radio flowgraph setup and goes on to explain how he reverse engineered the data packets.

Finally in the third video he performs a few teardowns of smart meters he found on eBay, and shows his reverse engineering setup with a faraday cage. More videos are likely to be on the way, so you might want to consider subscribing to his channel for updates. Recessim is also diligently recording all the information he's discovered about the meters on his Wiki.

Playlist: Smart Meter Hacking

Notes on Observing Pulsars with an SDR from CCERA

A pulsar is a rotating neutron star that emits a beam of electromagnetic radiation. If this beam points towards the earth, it can then be observed with a large dish or directional antenna and a software defined radio. In the past we've posted a few times about Pulsars, and how the HawkRAO amateur radio telescope run by Steve Olney in Australia has observed Pulsar "Glitches" with his RTL-SDR based radio telescope.

Over in Canada, Marcus Leech has also set up a Pulsar radio telescope at the Canadian Centre for Experimental Radio Astronomy (CCERA). Marcus has been featured several times on this blog for his various amateur radio experiments involving SDRs like the RTL-SDR. In one of his latest memos Marcus documents his Pulsar observing capabilities at CCERA (pdf). His memo describes what Pulsars are and how observations are performed, explaining important concepts for observation like de-dispersion and epoch folding.

The rest of the memo shows the antenna dish and feed, the SDR hardware which is a USRP B210 SDR, the reference clock which is a laboratory 0.01PPB rubidium atomic clock and the GNU Radio software created called "stupid_simple_pulsar". The software DSP process is then explained in greater detail. If you're thinking about getting involved in more advanced amateur radio astronomy this document is a good starting point.

Dish Antenna + Feed used for receiving Pulsars

Setting up a GSM Basestation in minutes with a USRP and DragonOS

DragonOS is a ready to use Linux OS image that includes many SDR programs preinstalled and ready to use. The creator Aaron also runs a YouTube channel that has multiple tutorial videos demonstrating software built into DragonOS.

In a recent video Aaron shows how you can set up a GSM basestation within minutes by using the latest DragonOS version together with a USRP b205mini-i software defined radio. As the required software (osmo-BTS, osmo-bts, osmo-bts-trx) is all preinstalled, setting up the basestation is a simple matter of opening three terminal windows and running a few commands. We note that this latest DragonOS version is due to be released this Thursday.

In a previous video Aaron also shows a more detailed setup procedure showing how all the software was installed.

DragonOS Focal Running a GSM network in minutes (osmo-bts, osmo-bsc, osmo-bts-trx, USRP b205mini-i)

Tracking Wild Bats with SDRs – Featured in Science Magazine

Recently research from Tel-Aviv University by Sivan Toledo et al. involving the use of USRP SDRs to track wild bats was published in Science.  The Journal Science (aka Science Magazine) is one of the world's top peer reviewed academic journals.

Sivan and his collaborators developed inexpensive 434 MHz band tracking tags for bats that emit radio pings every few seconds. These pings do not contain any location data, however the location is accurately tracked by several USRP SDRs with high accuracy GPSDO oscillators set up around the target tracking area. A radio direction finding technique known as "time difference of arrival" or TDoA is used to pinpoint the location of each tag. Sivan writes:

A wildlife tracking system called ATLAS, developed by Sivan Toledo from Tel-Aviv University in collaboration with Ran Nathan from the Hebrew university, enabled a science breakthrough reported in an article in Science that was published yesterday.

The system uses miniature tracking tags that transmit radio pings in the 434 MHz bands and SDR receivers (Ettus USRP N200 or B200). Software processes the samples from receivers to detect the pings and to estimate their time of arrival. The overall system is a "reverse-GPS" system, in the sense that the principles and math are similar to GPS, but the role of transmitters and receivers is reversed. A youtube video explains how the system works. SDR-RTL dongles can certainly detect the pings, but their oscillators are not stable enough to accurately localize the tags.

The system has been used to track 172 wild bats (in batches, some consisting of 60 simultaneously-tagged bats). The results showed that bats can make novel shortcuts, which indicates that they navigate using a cognitive map, like humans. The system, and other ATLAS systems in the Netherlands, England, Germany, and Israel are also tracking many different animals, mostly small birds and bats.

The video below shows the bats being tracked on a map accelerated to 100x.

434 MHz Tracking Devices that Attach to Wild Bats
434 MHz Tracking Devices that Attach to Wild Bats

The Science article itself is mostly about the discoveries on bat behaviour that were made by the system. However the YouTube video embedded below explains a bit more about how the technical radio side works. 

A Technical Overview of the ATLAS Wildlife Tracking System

A Comprehensive Lab Comparison between Multiple Software Defined Radios

Librespace, who are the people behind the open hardware/source SatNOGS satellite ground station project have recently released a comprehensive paper (pdf) that compares multiple software defined radios available on the market in a realistic laboratory based signal environment. The testing was performed by Alexandru Csete (@csete) who is the programmer behind GQRX and Gpredict and Sheila Christiansen (@astro_sheila) who is a Space Systems Engineer at Alexandru's company AC Satcom. Their goal was to evaluate multiple SDRs for use in SatNOGS ground stations and other satellite receiving applications. 

The SDRs tested include the RTL-SDR Blog V3, Airspy Mini, SDRplay RSPduo, LimeSDR Mini, BladeRF 2.0 Micro, Ettus USRP B210 and the PlutoSDR. In their tests they measure the noise figure, dynamic range, RX/TX spectral purity, TX power output and transmitter modulation error ratio of each SDR in various satellite bands from VHF to C-band.

The paper is an excellent read, however the results are summarized below. In terms of noise figure, the SDRplay RSPduo with it's built in LNA performed the best, with all other SDRs apart from the LimeSDR being similar. The LimeSDR had the worst noise figure by a large margin.

In terms of dynamic range, the graphs below show the maximum input power of a blocking signal that the receivers can tolerate vs. different noise figures at 437 MHz. They write that this gives a good indication of which devices have the highest dynamic range at any given noise figure. The results show that when the blocking signal is at the smallest 5 kHz spacing the RSPduo has poorest dynamic range by a significant margin, but improves significantly at the 100 kHz and 1 MHz spacings. The other SDRs all varied in performance between the different blocking signal separation spacings.

Overall the PlutoSDR seems to perform quite well, with the LimeSDR performing rather poorly in most tests among other problems like the NF being sensitive to touching the enclosure, and the matching network suspected as being broken on both their test units. The owner of Airspy noted that performance may look poor in these tests as the testers used non-optimized Linux drivers, instead of the optimized Windows drivers and software, so there is no oversampling, HDR or IF Filtering enabled. The RSPduo performs very well in most tests, but very poorly in the 5 kHz spacing test.

The rest of the paper covers the TX parameters, and we highly recommend going through and comparing the individual result graphs from each SDR test if you want more information and results from tests at different frequencies. The code and recorded data can also be found on the projects Gitlab page at https://gitlab.com/librespacefoundation/sdrmakerspace/sdreval.