Tagged: usrp

Notes on Observing Pulsars with an SDR from CCERA

A pulsar is a rotating neutron star that emits a beam of electromagnetic radiation. If this beam points towards the earth, it can then be observed with a large dish or directional antenna and a software defined radio. In the past we've posted a few times about Pulsars, and how the HawkRAO amateur radio telescope run by Steve Olney in Australia has observed Pulsar "Glitches" with his RTL-SDR based radio telescope.

Over in Canada, Marcus Leech has also set up a Pulsar radio telescope at the Canadian Centre for Experimental Radio Astronomy (CCERA). Marcus has been featured several times on this blog for his various amateur radio experiments involving SDRs like the RTL-SDR. In one of his latest memos Marcus documents his Pulsar observing capabilities at CCERA (pdf). His memo describes what Pulsars are and how observations are performed, explaining important concepts for observation like de-dispersion and epoch folding.

The rest of the memo shows the antenna dish and feed, the SDR hardware which is a USRP B210 SDR, the reference clock which is a laboratory 0.01PPB rubidium atomic clock and the GNU Radio software created called "stupid_simple_pulsar". The software DSP process is then explained in greater detail. If you're thinking about getting involved in more advanced amateur radio astronomy this document is a good starting point.

Dish Antenna + Feed used for receiving Pulsars

Setting up a GSM Basestation in minutes with a USRP and DragonOS

DragonOS is a ready to use Linux OS image that includes many SDR programs preinstalled and ready to use. The creator Aaron also runs a YouTube channel that has multiple tutorial videos demonstrating software built into DragonOS.

In a recent video Aaron shows how you can set up a GSM basestation within minutes by using the latest DragonOS version together with a USRP b205mini-i software defined radio. As the required software (osmo-BTS, osmo-bts, osmo-bts-trx) is all preinstalled, setting up the basestation is a simple matter of opening three terminal windows and running a few commands. We note that this latest DragonOS version is due to be released this Thursday.

In a previous video Aaron also shows a more detailed setup procedure showing how all the software was installed.

DragonOS Focal Running a GSM network in minutes (osmo-bts, osmo-bsc, osmo-bts-trx, USRP b205mini-i)

Tracking Wild Bats with SDRs – Featured in Science Magazine

Recently research from Tel-Aviv University by Sivan Toledo et al. involving the use of USRP SDRs to track wild bats was published in Science.  The Journal Science (aka Science Magazine) is one of the world's top peer reviewed academic journals.

Sivan and his collaborators developed inexpensive 434 MHz band tracking tags for bats that emit radio pings every few seconds. These pings do not contain any location data, however the location is accurately tracked by several USRP SDRs with high accuracy GPSDO oscillators set up around the target tracking area. A radio direction finding technique known as "time difference of arrival" or TDoA is used to pinpoint the location of each tag. Sivan writes:

A wildlife tracking system called ATLAS, developed by Sivan Toledo from Tel-Aviv University in collaboration with Ran Nathan from the Hebrew university, enabled a science breakthrough reported in an article in Science that was published yesterday.

The system uses miniature tracking tags that transmit radio pings in the 434 MHz bands and SDR receivers (Ettus USRP N200 or B200). Software processes the samples from receivers to detect the pings and to estimate their time of arrival. The overall system is a "reverse-GPS" system, in the sense that the principles and math are similar to GPS, but the role of transmitters and receivers is reversed. A youtube video explains how the system works. SDR-RTL dongles can certainly detect the pings, but their oscillators are not stable enough to accurately localize the tags.

The system has been used to track 172 wild bats (in batches, some consisting of 60 simultaneously-tagged bats). The results showed that bats can make novel shortcuts, which indicates that they navigate using a cognitive map, like humans. The system, and other ATLAS systems in the Netherlands, England, Germany, and Israel are also tracking many different animals, mostly small birds and bats.

The video below shows the bats being tracked on a map accelerated to 100x.

434 MHz Tracking Devices that Attach to Wild Bats
434 MHz Tracking Devices that Attach to Wild Bats

The Science article itself is mostly about the discoveries on bat behaviour that were made by the system. However the YouTube video embedded below explains a bit more about how the technical radio side works. 

A Technical Overview of the ATLAS Wildlife Tracking System

A Comprehensive Lab Comparison between Multiple Software Defined Radios

Librespace, who are the people behind the open hardware/source SatNOGS satellite ground station project have recently released a comprehensive paper (pdf) that compares multiple software defined radios available on the market in a realistic laboratory based signal environment. The testing was performed by Alexandru Csete (@csete) who is the programmer behind GQRX and Gpredict and Sheila Christiansen (@astro_sheila) who is a Space Systems Engineer at Alexandru's company AC Satcom. Their goal was to evaluate multiple SDRs for use in SatNOGS ground stations and other satellite receiving applications. 

The SDRs tested include the RTL-SDR Blog V3, Airspy Mini, SDRplay RSPduo, LimeSDR Mini, BladeRF 2.0 Micro, Ettus USRP B210 and the PlutoSDR. In their tests they measure the noise figure, dynamic range, RX/TX spectral purity, TX power output and transmitter modulation error ratio of each SDR in various satellite bands from VHF to C-band.

The paper is an excellent read, however the results are summarized below. In terms of noise figure, the SDRplay RSPduo with it's built in LNA performed the best, with all other SDRs apart from the LimeSDR being similar. The LimeSDR had the worst noise figure by a large margin.

In terms of dynamic range, the graphs below show the maximum input power of a blocking signal that the receivers can tolerate vs. different noise figures at 437 MHz. They write that this gives a good indication of which devices have the highest dynamic range at any given noise figure. The results show that when the blocking signal is at the smallest 5 kHz spacing the RSPduo has poorest dynamic range by a significant margin, but improves significantly at the 100 kHz and 1 MHz spacings. The other SDRs all varied in performance between the different blocking signal separation spacings.

Overall the PlutoSDR seems to perform quite well, with the LimeSDR performing rather poorly in most tests among other problems like the NF being sensitive to touching the enclosure, and the matching network suspected as being broken on both their test units. The owner of Airspy noted that performance may look poor in these tests as the testers used non-optimized Linux drivers, instead of the optimized Windows drivers and software, so there is no oversampling, HDR or IF Filtering enabled. The RSPduo performs very well in most tests, but very poorly in the 5 kHz spacing test.

The rest of the paper covers the TX parameters, and we highly recommend going through and comparing the individual result graphs from each SDR test if you want more information and results from tests at different frequencies. The code and recorded data can also be found on the projects Gitlab page at https://gitlab.com/librespacefoundation/sdrmakerspace/sdreval.

Exploring the Limits of General Purpose SDR Devices

Back in August 2019 the Chaos Communication Camp was held in Germany. This is a 5 day conference that covers a variety of hacker topics, sometimes including SDR. At the conference Osmocom developer Harald Welte (aka @LaF0rge) presented a talk titled "The Limits of General Purpose SDR devices". The talk explains how general purpose TX capable SDRs like HackRFs and LimeSDRs have their limitations when it comes to implementing advanced communications systems like cellular base stations.

If you prefer, the talk can be watched directly on the CCC website instead of YouTube.

Why an SDR board like a USRP or LimeSDR is not a cellular base station

It's tempting to buy a SDR device like a LimeSDR or USRP family member in the expectation of operating any wireless communications system out there from pure software. In reality, however, the SDR board is really only one building block. Know the limitations and constraints of your SDR board and what you need around it to build a proper transceiver.

For many years, there's an expectation that general purpose SDR devices like the Ettus USRP families, HackRF, bladeRF, LimeSDR, etc. can implement virtually any wireless system.

While that is true in principle, it is equally important to understand the limitations and constraints.

People with deep understanding of SDR and/or wireless communications systems will likely know all of those. However, SDRs are increasingly used by software developers and IT security experts. They often acquire an SDR board without understanding that this SDR board is only one building block, but by far not enough to e.g. operate a cellular base station. After investing a lot of time, some discover that they're unable to get it to work at all, or at the very least unable to get it to work reliably. This can easily lead to frustration on both the user side, as well as on the side of the authors of software used with those SDRs.

The talk will particularly focus on using General Purpose SDRs in the context of cellular technologies from GSM to LTE. It will cover aspects such as band filters, channel filters, clock stability, harmonics as well as Rx and Tx power level calibration.

The talk contains the essence of a decade of witnessing struggling SDR users (not only) with running Osmocom software with them. Let's share that with the next generation of SDR users, to prevent them falling into the same traps.

The Limits of General Purpose SDR devices

Using a Software Defined Radio to Send Fake Presidential Alerts over LTE

Modern cell phones in the USA are all required to support the Wireless Emergency Alert (WEA) program, which allows citizens to receive urgent messages like AMBER (child abduction) alerts, severe weather warnings and Presidential Alerts.

In January 2018 an incoming missile alert was accidentally issued to residents in Hawaii, resulting in panic and disruption. More recently an unblockable Presidential Alert test message was sent to all US phones. These events have prompted researchers at the University of Colorado Boulder to investigate concerns over how this alert system could be hacked, potentially allowing bad actors to cause mass panic on demand (SciHub Paper).

Their research showed that four low cost USRP or bladeRF TX capable software defined radios (SDR) with 1 watt output power each, combined with open source LTE base station software could be used to send a fake Presidential Alert to a stadium of 50,000 people (note that this was only simulated - real world tests were performed responsibly in a controlled environment). The attack works by creating a fake and malicious LTE cell tower on the SDR that nearby cell phones connect to. Once connected an alert can easily be crafted and sent to all connected phones. There is no way to verify that an alert is legitimate.

Spoofed Presidential Alerts Received on a Galaxy S8 and iPhone X.
Spoofed Presidential Alerts Received on a Galaxy S8 and iPhone X.

Spoofing Aircraft Instrument Landing Systems with an SDR

Recently Arstechnica ran an in depth story about how a $600 USRP software defined radio could be used to trick an aircraft that is making use of the Instrument Landing System (ILS). ILS is a radio based system that has been used as far back as 1938 and earlier. It's a very simple system consisting of an array of transmitter antennas at the end of a runway and a radio receiver in the aircraft. Depending on the horizontal and vertical position of the aircraft, the ILS system can help the pilot to center the aircraft on the runway, and descend at the correct rate. Although it is an old technology, it is still in use to this day as a key instrument to help pilots land especially when optical visibility is poor such as at night or during bad weather/fog.

Researchers from Northeastern University in Boston have pointed out in their latest research that due to their age, ILS systems are inherently insecure and can easily be spoofed by anyone with a TX capable radio. Such a spoofing attack could be used to cause a plane to land incorrectly. In the past ILS failures involving distorted signals have already caused near catastrophic incidents.

However, to carry out the attack the attacker would require a fairly strong power amplifier and directional antenna lined up with the runway. Also as most airports monitor for interference the attack would probably be discovered. They write that the attack could also be carried out from within the aircraft, but the requirements for a strong signal and thus large power amplifier and directional antenna would still be required, making the operation too suspicious to carry out onboard.

Wireless Attacks on Aircraft Landing Systems

USRP SDRs used to Break 3G to 5G Mobile Phone Security

According to researchers at the International Association for Cryptologic Research it is possible to snoop on 3G to 5G mobile users using a fake base station created by an SDR. It has been well known for several years now that 2G mobile phone security has been broken, but 3G to 5G remained secure. However, the researchers have now determined that lack of randomness and the use of XOR operations used in the Authentication and Key Agreement (AKA) cryptographic algorithm's sequence numbering (SQN) allows them to beat the encryption.

In their research they used a USRP B210 SDR which costs about US$1300, but it's likely that cheaper TX/RX capable SDRs such as the US$299 LimeSDR could also be used. In their testing they used a laptop, but note that a cheap Raspberry Pi could replace it too.

Theregister.co.uk writes:

"We show that partly learning SQN leads to a new class of privacy attacks," the researchers wrote, and although the attacker needs to start with a fake base station, the attack can continue "even when subscribers move away from the attack area."

Though the attack is limited to subscriber activity monitoring – number of calls, SMSs, location, and so on – rather than snooping on the contents of calls, the researchers believe it's worse than previous AKA issues like StingRay, because those are only effective only when the user is within reach of a fake base station.

The full paper is available here in pdf form.

Tools used including a laptop, USRP B210 and a sim card reader.
Tools used including a laptop, USRP B210 and a sim card reader.