Decoding NRSC-5 with SDR to Get In Your Car

NRSC-5 is a high-definition radio standard, used primarily in the United States. It allows for digital and analog transmissions to share the original FM bandwidth allocations. Theori are a cybersecurity research startup in the US, and have set out to build a receiver that can capture and decode these signals for research purposes, and documented it online.

Their research began on the NRSC website, where the NRSC-5 standard is documented, however the team notes that the audio compression details are conspicuously missing. They then step through the physical layer, multiplexing layer, and finally the application layer, taking apart the standard piece by piece. This all culminates in the group’s development of an open-source receiver for NRSC-5 that works with RTL-SDR – perhaps the most ubiquitous SDR platform in the world. 

The group’s primary interest in NRSC-5 is its presence in cars as a part of in-car entertainment systems. As NRSC-5 allows data to be transmitted in various formats, the group suspects there may be security implications for vehicles that do not securely process this data — getting inside your car through the entertainment system by sending bad ID3 tags, for instance. We look forward to seeing results of this ongoing research.

[Thanks to Gary McMaster for the tip!]

Long Range Wireless Internet

While most of you reading this have broadband in your home, there are still vast areas with little access to the Internet. Ham radio operator [emmynet] found himself in just such a situation recently, and needed to get a wireless connection over 1 km from his home. WiFi wouldn’t get the job done, so he turned to a 433 MHz serial link instead. (Alternate link)

[emmynet] used an inexpensive telemetry kit that operates in a frequency that travels long distances much more easily than WiFi can travel. The key here isn’t in the hardware, however, but in the software. He went old-school, implemending peer-to-peer TCP/IP connection using SLIP — serial line Internet protocol. All of the commands to set up the link are available on his project page. With higher gain antennas than came with the telemetry kit, a range much greater than 1 km could be achieved as well.

[Editor’s note: This is how we all got Internet, over phone lines, back in the early Nineties. Also, you kids get off my lawn! But also, seriously, SLIP is a good tool to have in your toolbox, especially for low-power devices where WiFi would burn up your batteries.]

While it didn’t suit [emmynet]’s needs, it is possible to achieve extremely long range with WiFi itself. However this generally requires directional antennas with very high gain and might not be as reliable as a lower-frequency connection. On the other hand, a WiFi link will (in theory) get a greater throughput, so it all depends on what your needs are. Also, be aware that using these frequencies outside of their intended use might require an amateur radio license.

Continue reading “Long Range Wireless Internet”

CPLD-Based Synchronization of Multiple Software Defined Radios

Forgive the click bait headline, but the latest work from [Marco Bartolucci] and [José A. del Peral-Rosado] is really great. They’re using multiple HackRFs, synchronized together, with hybrid positioning algorithms to derive more precise localization accuracy. (PDF)

Like all SDRs, the HackRF can be used to solve positioning problems using WIFi, Bluetooth, 3G, 4G, and GNSS. Multiple receivers can also be used, but this requires synchronization for time-based or frequency-based ranging. [Bartolucci] and [Peral-Rosado] present a novel solution for synchronizing these HackRFs using a few convenient ports available on the board, a bit of CPLD hacking, and a GNSS receiver with a 1 pps output.

This is technically two hacks in one, the first being a sort of master and slave setup between two HackRFs. Using the Xilinx XC2C64A CPLD on board the HackRF, [Bartolucci] and [Peral-Rosado] effectively chain two devices together. The synchronization error is below one sampling period, and more than two HackRFs can be chained together with the SYNC_IN port of each connected together in parallel. Read more about it in their pull request to the HackRF codebase.

This simplest technique will not work if the HackRF receivers must be separated, which brings us to the second hack. [Bartolucci] and [Peral-Rosado] present another option in that case: using the 1 pps output of a GNNS receiver for the synchronization pulse. As long as both HackRFs can see the sky, they can act as one. Very cool!

Automotive Radar and the Doppler Effect

With more and more cars driving themselves, there is an increasing demand for precise environment aware sensors. From collision avoidance to smooth driving, environmental awareness is a must have for any self-driving cars. Enter automotive radar: cool, precise and relatively cheap. Thanks to a donated automotive radar module, [Shahriar] gifts us with a “tutorial, experiment and teardown.”

Before digging into the PCB, [Shahriar] explains the theory. With just enough math for the mathmagically inclined and not too much for the math adverse, [Shahriar] goes into the details of how automotive radar is different from normal stationary radar.

Only after a brief overview of the Doppler effect, [Shahriar] digs into the PCB which reveals three die-on-PCB ASICs responsible for generating and receiving 77GHz FMCW signals coupled to a 2D array of antennas. Moreover, [Shahriar] points out the several microwave components such as “rat-race couplers” and “branchline couplers.” Additionally, [Shahriar] shows off his cool PCB rulers from SV1AFN Design Lab that he uses as a reference for these microwave components. Finally, a physical embodiment of the Doppler effect radar is demonstrated with a pair of Vivaldi horn antennas and a copper sheet.

We really like how [Shahriar] structures his video: theory, followed by a teardown and then a physical experiment to drive his lesson home. If he didn’t already have a job, we’d say he might want to consider teaching. If the video after the break isn’t enough radar for the day, we’ve got you covered.

Continue reading “Automotive Radar and the Doppler Effect”

Hackaday Prize Entry: Sub Gigahertz RF

For all the press WiFi and Bluetooth-connected Internet of Things toasters get, there’s still a lot of fun to be had below one Gigahertz. For his Hackaday Prize entry, [Adam] is working on an open source, extensible 915 and 433 MHz radio designed for robotics, drones, weather balloons, and all the other fun projects that sub-Gigaherts radio enables.

The design of this radio module is based around the ADF7023 RF transceiver, a very capable and very cheap chip that transmits in the usual ISM bands. The rest of the circuit is an STM32 ARM Cortex M0+, with USB, UART, and SPI connectivity, with support for a battery for those mobile projects.

Of course, you can just go out and buy an ISM radio, but that’s not really the point of this project. [Adam] has come up with an excellent board here, all designed in KiCad, all while flexing his RF muscle. There are RF shields here, too, so it’s far more than just a design challenge, this is an assembly and sourcing problem as well. It’s a great project, and an excellent example of what we’re looking for in The Hackaday Prize.

Exposing Dinosaur Phone Insecurity With Software Defined Radio

Long before everyone had a smartphone or two, the implementation of a telephone was much stranger than today. Most telephones had real, physical buttons. Even more bizarrely, these phones were connected to other phones through physical wires. Weird, right? These were called “landlines”, a technology that shuffled off this mortal coil three or four years ago.

It gets even more bizarre. some phones were wireless — just like your smartphone — but they couldn’t get a signal more than a few hundred feet away from your house for some reason. These were ‘cordless telephones’. [Corrosive] has been working on deconstructing the security behind these cordless phones for a few years now and found these cordless phones aren’t secure at all.

The phone in question for this exploit is a standard 5.8 GHz cordless phone from Vtech. Conventional wisdom says these phones are reasonably secure — at least more so than the cordless phones from the 80s and 90s — because very few people have a duplex microwave transceiver sitting around. The HackRF is just that, and it only costs $300. This was bound to happen eventually.

This is really just an exploration of the radio system inside these cordless phones. After taking a HackRF to a cordless phone, [Corrosive] found the phone technically didn’t operate in the 5.8 GHz band. Control signals, such as pairing a handset to a base station, happened at 900 MHz. Here, a simple replay attack is enough to get the handset to ring. It gets worse: simply by looking at the 5.8 GHz band with a HackRF, [Corrosive] found an FM-modulated voice channel when the handset was on. That’s right: this phone transmits your voice without any encryption whatsoever.

This isn’t the first time [Corrosive] found a complete lack of security in cordless phones. A while ago, he was exploring the DECT 6.0 standard, a European cordless phone standard for PBX and VOIP. There was no security here, either. It would be chilling if landlines existed anymore.

Continue reading “Exposing Dinosaur Phone Insecurity With Software Defined Radio”

A Tube AM Transmitter In A Soup Can

A standard early electronics project or kit has for many years been the construction of a small broadcast transmitter with enough power to reach the immediate area, but no further. These days that will almost certainly mean an FM broadcast band transmitter, but in earlier decades it might also have been for the AM broadcast band instead.

The construction of a small AM transmitter presents some interesting problems for an electronic designer. It is extremely easy to make an AM transmitter with a single transistor or tube, but it is rather more difficult to make a good one. The modulation has to be linear across the whole amplitude range, and its effect must not pull the frequency of the oscillator and cause FM distortion.

It’s a task [Joe Sousa] has tackled, with his one tube AM transmitter in a Campbell’s soup can. His write-up of the transmitter contains a full description of the problems he faced, and how his design overcomes them. His oscillator is a cathode follower, with the tube biased in class A mode to ensure as undistorted a sine wave oscillation as possible. Modulation is provided through the suppressor grid of the pentode tube he’s using.

The completed transmitter is mounted inside the iconic soup can, with the mains transformer mounted on a removable bottom plate. There is a provision for both loop and wire antennas to be connected.

It is probable that this transmitter falls under the so-called “Part 15” rules for unlicenced low-power broadcasting in the USA, however it should be borne in mind that not every territory has this provision. If you build this transmitter, make sure you’re not going to attract the interest of your local equivalent of the FCC.

This article should have whetted your appetite for tiny broadcast transmitters. How about comparing the one here with a full-sized model?

Thanks [2ftg] for the tip.