Exposing Dinosaur Phone Insecurity With Software Defined Radio

Long before everyone had a smartphone or two, the implementation of a telephone was much stranger than today. Most telephones had real, physical buttons. Even more bizarrely, these phones were connected to other phones through physical wires. Weird, right? These were called “landlines”, a technology that shuffled off this mortal coil three or four years ago.

It gets even more bizarre. Some phones were wireless — just like your smartphone — but they couldn’t get a signal more than a few hundred feet away from your house for some reason. These were ‘cordless telephones’. [Corrosive] has been working on deconstructing the security behind these cordless phones for a few years now and found these cordless phones aren’t secure at all.

The phone in question for this exploit is a standard 5.8 GHz cordless phone from Vtech. Conventional wisdom says these phones are reasonably secure — at least more so than the cordless phones from the 80s and 90s — because very few people have a duplex microwave transceiver sitting around. The HackRF is just that, and it only costs $300. This was bound to happen eventually.

This is really just an exploration of the radio system inside these cordless phones. After taking a HackRF to a cordless phone, [Corrosive] found the phone technically didn’t operate in the 5.8 GHz band. Control signals, such as pairing a handset to a base station, happened at 900 MHz. Here, a simple replay attack is enough to get the handset to ring. It gets worse: simply by looking at the 5.8 GHz band with a HackRF, [Corrosive] found an FM-modulated voice channel when the handset was on. That’s right: this phone transmits your voice without any encryption whatsoever.

This isn’t the first time [Corrosive] found a complete lack of security in cordless phones. A while ago, he was exploring the DECT 6.0 standard, a European cordless phone standard for PBX and VOIP. There was no security here, either. It would be chilling if landlines existed anymore.


A Tube AM Transmitter In A Soup Can

A standard early electronics project or kit has for many years been the construction of a small broadcast transmitter with enough power to reach the immediate area, but no further. These days that will almost certainly mean an FM broadcast band transmitter, but in earlier decades it might instead have been for the AM broadcast band.

The construction of a small AM transmitter presents some interesting problems for an electronic designer. It is extremely easy to make an AM transmitter with a single transistor or tube, but it is rather more difficult to make a good one. The modulation has to be linear across the whole amplitude range, and its effect must not pull the frequency of the oscillator and cause FM distortion.

It’s a task [Joe Sousa] has tackled, with his one-tube AM transmitter in a Campbell’s soup can. His write-up of the transmitter contains a full description of the problems he faced, and how his design overcomes them. His oscillator is a cathode follower, with the tube biased in class A mode to ensure as undistorted a sine wave oscillation as possible. Modulation is provided through the suppressor grid of the pentode tube he’s using.

The completed transmitter is mounted inside the iconic soup can, with the mains transformer mounted on a removable bottom plate. There is a provision for both loop and wire antennas to be connected.

It is probable that this transmitter falls under the so-called “Part 15” rules for unlicensed low-power broadcasting in the USA; however, it should be borne in mind that not every territory has this provision. If you build this transmitter, make sure you’re not going to attract the interest of your local equivalent of the FCC.

This article should have whetted your appetite for tiny broadcast transmitters. How about comparing the one here with a full-sized model?

Thanks [2ftg] for the tip.

If The I And Q Of Software Defined Radio Are Your Nemesis, Read On

For those of us whose interests lie in radio, encountering our first software defined radio must have universally seemed like a miracle. Here is a surprisingly simple device, essentially a clever mixer and a set of analogue-to-digital or digital-to-analogue converters, that can move all the complex and tricky-to-set-up parts of a traditional radio into a computer, in which all signal processing can be done using software.

A quadrature mixer. Jugandi (Public domain).

When your curiosity gets the better of you and you start to peer into the workings of a software defined radio though, you encounter something you won’t have seen before in a traditional radio. There are two mixers fed by two local oscillators on the same frequency but with a 90 degree phase shift, and in a receiver the resulting mixer products are fed into two separate ADCs. You encounter the letters I and Q in relation to these two signal paths, and wonder what on earth all that means.
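The point of the second mixer is easiest to see in software, so here is an added example (not from the original article) that simulates both arrangements on a constructed carrier: one mixer alone cannot tell a signal 5 kHz above the local oscillator from one 5 kHz below it, while the I and Q pair keeps the sign of the offset. The sample rate, LO frequency and tone offsets are made-up values chosen for the simulation.

```python
import math, cmath

FS = 1_000_000      # sample rate in Hz (constructed value)
F_LO = 100_000      # local oscillator frequency in Hz (constructed value)
N = 4000            # 4 ms of samples

def rf_tone(f_rf, n=N, fs=FS):
    """Constructed stand-in for the antenna signal: a pure carrier at f_rf."""
    return [math.cos(2 * math.pi * f_rf * k / fs) for k in range(n)]

def lowpass(x, width=50):
    """Moving-average low-pass that removes the sum-frequency mixer product.
    Only outputs with a fully populated window are returned."""
    acc = sum(x[:width])
    out = [acc / width]
    for k in range(width, len(x)):
        acc += x[k] - x[k - width]
        out.append(acc / width)
    return out

def real_mix(x, f_lo=F_LO, fs=FS):
    """A single mixer: multiply by cos(LO) only, i.e. the I path on its own."""
    return lowpass([s * math.cos(2 * math.pi * f_lo * k / fs) for k, s in enumerate(x)])

def quadrature_mix(x, f_lo=F_LO, fs=FS):
    """Two mixers driven by LOs 90 degrees apart: I = x*cos, Q = -x*sin.
    Packed as complex I + jQ, which is what an SDR hands to the software."""
    i = lowpass([s * math.cos(2 * math.pi * f_lo * k / fs) for k, s in enumerate(x)])
    q = lowpass([-s * math.sin(2 * math.pi * f_lo * k / fs) for k, s in enumerate(x)])
    return [complex(a, b) for a, b in zip(i, q)]

def baseband_frequency(z, fs=FS):
    """Signed frequency in Hz from the rotation direction of the I/Q phasor."""
    rot = sum(z[k + 1] * z[k].conjugate() for k in range(len(z) - 1))
    return cmath.phase(rot) * fs / (2 * math.pi)

def max_abs_diff(a, b):
    return max(abs(u - v) for u, v in zip(a, b))

if __name__ == "__main__":
    above = rf_tone(F_LO + 5000)   # 5 kHz above the LO
    below = rf_tone(F_LO - 5000)   # 5 kHz below the LO
    # One mixer cannot tell them apart: the filtered I outputs are the same.
    print("I-only difference:", max_abs_diff(real_mix(above), real_mix(below)))
    # With both I and Q the sign of the offset survives.
    print("I/Q frequency, above:", baseband_frequency(quadrature_mix(above)))
    print("I/Q frequency, below:", baseband_frequency(quadrature_mix(below)))
```

The I-only difference comes out as a small filter residue, while the I/Q estimates are close to +5000 Hz and -5000 Hz respectively.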


Hackaday Prize Entry: A Femtocell Repeater

For a Hackaday Prize entry, [TegwynTwmffat] is building a cell phone signal repeater. This sort of device is commercially available, but the options are either expensive or, as with some units available for $30 on DealExtreme, obviously noncompliant with RF regulations. This project intends to create a cost-effective, hackable device that works properly and conforms to the right regulations.

The core of this system is a LimeSDR transceiver. This is a board we’ve seen before, and it has a few interesting features. Basically, the core of the LimeSDR is a programmable RF transceiver with coverage from 100 kHz to 3.8 GHz. There’s also on-chip signal processing and USB 3.0 bandwidth to get the signals to and from a computer.

Right now, [TegwynTwmffat]’s focus is getting his LimeSDR up and working and figuring out how to set up a few radio blocks to do what is needed. There’s a great update to the project that showcases Pothos, and so far [Tegwyn] has a full-duplex repeater working. This is great work, and really showcases the capabilities of what software-defined radio can do.

A Full Stack GPS Receiver

The usual way of adding GPS capabilities to a project is grabbing an off-the-shelf GPS module, plugging it into a UART, and reading the stream of NMEA sentences coming out of a serial port. Depending on how much you spend on a GPS module, this is fine: the best modules out there start up quickly, and a lot of them recognize the logical AND in ITAR regulations.

For [Mike], grabbing an off-the-shelf module is out of the question. He’s building his own GPS receiver from the ground up using a bit of hardware and FPGA hacking. Already he’s getting good results, and he doesn’t have to futz around with those messy, ‘don’t build ballistic missiles’ laws.

The hardware for this build includes a Kiwi SDR ‘cape’ for the BeagleBone and a Digilent Nexys 2 FPGA board. The SDR board captures raw 1-bit samples taken at 16.268 MHz, and requires a full minute’s worth of data to be captured. That’s at least 120 megabytes of data for the FPGA to sort through.

The software for this project first acquires the GPS signal by finding the approximate frequency and phase. The software then locks on to the carrier, figures out the phase, and receives the 50 bps ‘NAV’ message that’s required to find a position solution for the antenna’s location. The first version of this software was exceptionally slow, taking over 6 hours to process 200 seconds of data. Now, [Mike] has improved the channel tracking code and made it 300 times faster. That’s real-time processing of GPS data, using commodity off-the-shelf hardware. All the software is available on the Gits, making this a project that can very easily be replicated by anyone. We would expect the US State Department or DOD to pay [Mike] a visit shortly.
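To make the acquisition step concrete, here is an added example (not [Mike]’s code) of the code-phase half of that search: it generates the public L1 C/A Gold code for a satellite, builds a constructed 1-bit sample block in which that code is buried in noise at an unknown shift, and correlates against every one of the 1023 possible code phases to find it. Two simplifications are assumed: one sample per chip rather than the 16.268 MHz stream, and a carrier already removed, so the Doppler (frequency) search is left out; the noise level and delay are made-up values.

```python
import random

# G2 phase-selector taps for the first five GPS satellites, from the public
# ICD-GPS-200 C/A code table; the same generator scheme covers every PRN.
G2_TAPS = {1: (2, 6), 2: (3, 7), 3: (4, 8), 4: (5, 9), 5: (1, 9)}

def ca_code(prn):
    """1023-chip L1 C/A Gold code for `prn`, as +1 (chip 0) / -1 (chip 1)."""
    g1, g2 = [1] * 10, [1] * 10           # both 10-stage LFSRs start all-ones
    t1, t2 = G2_TAPS[prn]
    chips = []
    for _ in range(1023):
        chips.append(1 - 2 * (g1[9] ^ g2[t1 - 1] ^ g2[t2 - 1]))
        fb1 = g1[2] ^ g1[9]                                   # taps 3, 10
        fb2 = g2[1] ^ g2[2] ^ g2[5] ^ g2[7] ^ g2[8] ^ g2[9]   # taps 2,3,6,8,9,10
        g1, g2 = [fb1] + g1[:9], [fb2] + g2[:9]
    return chips

def one_bit_samples(prn, delay, noise_sigma=2.0, seed=1):
    """Constructed front-end output: one code period of `prn` shifted by `delay`
    chips, buried in Gaussian noise and hard-limited to +1/-1 like a 1-bit ADC."""
    rng, code = random.Random(seed), ca_code(prn)
    return [1 if code[(i - delay) % 1023] + rng.gauss(0, noise_sigma) >= 0 else -1
            for i in range(1023)]

def circular_correlation(samples, code):
    """Correlate the block against every cyclic shift of the code."""
    ext = samples + samples                  # avoids a modulo in the inner loop
    return [sum(ext[k + d] * code[k] for k in range(1023)) for d in range(1023)]

def acquire(samples, prns):
    """Search candidate PRNs and all code phases; return (prn, code_phase, peak/rms).
    A satellite that is not present scores close to the noise floor."""
    best = None
    for prn in prns:
        corr = circular_correlation(samples, ca_code(prn))
        peak = max(corr)
        phase = corr.index(peak)
        rms = (sum(c * c for k, c in enumerate(corr) if k != phase) / 1022) ** 0.5
        if best is None or peak / rms > best[2]:
            best = (prn, phase, peak / rms)
    return best

if __name__ == "__main__":
    rx = one_bit_samples(prn=1, delay=317)   # constructed: PRN 1 at code phase 317
    print("acquired (prn, code phase, peak/rms):", acquire(rx, [1, 2, 3]))
```

Even with the signal well below the noise (hard-limited, unit amplitude against a noise sigma of 2), the correlation peak for the right PRN stands roughly an order of magnitude above the other bins, which is why 1-bit sampling is good enough for GPS.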

Of course, this isn’t the first time someone has built a GPS receiver from scratch. A few years ago, less than 1-meter accuracy was possible with an FPGA and a homebrew RF board.

A Remotely Tuned Magnetic Loop Antenna

If you are a radio amateur, you may be familiar with the magnetic loop antenna. It’s different from most conventional wire antennas, taking the form of a tuned circuit with a very large single-turn coil and a tuning capacitor. Magnetic loops have the advantage of extreme selectivity and good directionality, but the danger of a high voltage induced across that tuning capacitor and the annoyance of needing to retune every time there is a frequency change.

[Oleg Borisov, RL5D] has a magnetic loop, and soon tired of the constant retuning. His solution is an elegant one: he’s made a remote retuning setup using a stepper motor, an Arduino, and a Bluetooth module (translated here). The stepper is connected to the capacitor via a short flexible coupling, and tuning is performed with the help of a custom Android app. We’d be interested to know what the effect of a high RF field is on these components, but he doesn’t report any problems so it must be working.

He’s posted a video of the unit in operation, which we’ve placed below the break. If you’ve ever had to constantly retune a magnetic loop you will appreciate the convenience.


Phase Modulation With An FPGA

There are two radio modulation schemes everyone should know. Amplitude modulation changes the amplitude — or ‘volume’, if you will — of a carrier frequency and turns all radio into channels owned and operated by a church. Frequency modulation changes the pitch of a carrier frequency and is completely run by Clear Channel. Amateur radio operators are familiar with dozens of other modulation schemes, but there’s one hardly anyone touches. Phase modulation is weird and almost unheard of, but that doesn’t mean you can’t implement it on an FPGA. [nckm] is transmitting audio using phase modulation on an FPGA (Russian, here’s the Google Translatrix).

This hardware is just an Altera MAX10 board, with a single input used for serial data of the audio to be transmitted, and two outputs, each connected to a few bits of wire for a quarter-wave antenna. No, there’s no output filter or anything else except for a few bits of wire. It’s an experiment, chillax.

The Verilog for this project receives an audio signal as serial data in mono, 22050 BPS, 8-bit unsigned samples. These samples are fed into a dynamic PLL with phase shift in the FPGA. Shifting the phases also changes the frequency, so [nckm] can receive this audio signal with the FM transmitter on his phone.

Is this really phase modulation if it’s being received by an FM radio? Eh, maybe. PM and FM are closely related, but certainly distinguishable as modulation schemes in their own right. You can grab [nckm]’s code over on the gits, or check out the video demo below.
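The relationship the paragraph above hints at is worth seeing in numbers, so here is an added example (not [nckm]’s Verilog) that models both modulators at complex baseband and runs each through an FM discriminator. Because an FM receiver recovers the rate of change of phase, a phase-modulated tone comes out with an amplitude proportional to its pitch (the audio is differentiated, a 6 dB/octave treble tilt), whereas true FM, which integrates the audio into the phase, comes out flat. The input format follows the write-up (mono, 22050 samples/s, 8-bit unsigned); the tone frequencies and deviation constants are made-up values.

```python
import math, cmath

FS = 22050   # sample rate from the write-up: mono, 22050 samples/s

def audio_tone(freq, n=2205, amplitude=100):
    """Constructed input stream: 8-bit unsigned samples (silence = 128) of a sine."""
    return [int(round(128 + amplitude * math.sin(2 * math.pi * freq * k / FS)))
            for k in range(n)]

def phase_modulate(samples, rad_per_lsb=0.01):
    """PM at complex baseband: the carrier phase is set directly by each sample,
    which is what a phase-shifting PLL does to the RF carrier."""
    return [cmath.exp(1j * rad_per_lsb * (s - 128)) for s in samples]

def frequency_modulate(samples, hz_per_lsb=10.0):
    """FM at complex baseband: each sample sets the frequency, so the phase is
    the running sum (integral) of the samples."""
    phase, out = 0.0, []
    for s in samples:
        phase += 2 * math.pi * hz_per_lsb * (s - 128) / FS
        out.append(cmath.exp(1j * phase))
    return out

def fm_discriminate(iq):
    """What an FM receiver recovers: phase change per sample, scaled to Hz."""
    return [cmath.phase(iq[k] * iq[k - 1].conjugate()) * FS / (2 * math.pi)
            for k in range(1, len(iq))]

def recovered_peak(modulator, tone_hz):
    """Peak frequency deviation (Hz) an FM receiver sees for a given test tone."""
    return max(fm_discriminate(modulator(audio_tone(tone_hz))))

if __name__ == "__main__":
    for hz in (500, 1000):
        print(f"{hz} Hz tone: PM -> {recovered_peak(phase_modulate, hz):.0f} Hz,"
              f" FM -> {recovered_peak(frequency_modulate, hz):.0f} Hz deviation")
```

Doubling the tone frequency roughly doubles what the FM receiver hears from the PM transmitter, while the FM transmitter gives the same deviation for both tones; the small scatter in the PM figures is the 8-bit rounding of the samples showing up after differentiation.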
