Classifying Crystals With An SDR Dongle

When it comes to radio frequency oscillators, crystal controlled is the way to go when you want frequency precision. But not every slab of quartz in a tiny silver case is created equal, so crystals need to be characterized before using them. That’s generally a job for an oscilloscope, but if you’re clever, an SDR dongle can make a dandy crystal checker too.

The back story on [OM0ET]’s little hack is interesting, and one we hope to follow up on. The Slovakian ham is building what looks to be a pretty sophisticated homebrew single-sideband transceiver for the HF bands. Needed for such a rig are good intermediate frequency (IF) filters, which require matched sets of crystals. He wanted a quick and easy way to go through his collection of crystals and get a precise reading of the resonant frequency, so he turned to his cheap little RTL-SDR dongle. Plugged into a PC with SDRSharp running, the dongle’s antenna input is connected to the output of a simple one-transistor crystal oscillator. No schematics are given, but a look at the layout in the video below suggests it’s just a Colpitts oscillator. With the crystal under test plugged in, the oscillator produces a huge spike on the SDRSharp spectrum analyzer display, and [OM0ET] can quickly determine the center frequency. We’d suggest an attenuator to change the clipped plateau into a sharper peak, but other than that it worked like a charm, and he even found a few dud crystals with it.

Fascinated by the electromechanics of quartz crystals? We are too, which is why [Jenny]’s crystal oscillator primer is a good first stop for the curious.


DRM Workarounds Save Arcade Cabinet

DRM has become a four-letter word of late, with even media companies themselves abandoning the practice because of how ineffective it was. DRM wasn’t invented in the early 2000s for music, though. It’s been a practice on virtually everything where software is involved, including arcade cabinets. This is a problem for people who restore arcade machines, and [mon] has taken a swing at unraveling the DRM for a specific type of Konami cabinet.

The game in question, Reflec Beat, is a rhythm-based game released in 2010, and the security is pretty modern. Since the game comes with an HDD, a replacement drive can be ordered with a security dongle which acts to decrypt some of the contents on the HDD, including the game file and some other information. It’s not over yet, though. [mon] still needs to fuss with Windows DLL files and a few levels of decryption and filename obfuscation before getting the cabinet functional again.

The writeup on this cabinet is very detailed, and if you’re used to restoring older games, it’s a bit of a different animal to deal with than the embedded hardware security that older cabinets typically have. If you’ve ever wanted to own one of these more modern games, or you’re interested in security, be sure to check out the documentation on the project page. If your tastes are more Capcom and less Konami, check out an article on their security system in general, or one on de-suiciding boards with failing backup batteries.

A TEMPEST In A Dongle

If a couple of generations of spy movies have taught us anything, it’s that secret agents get the best toys. And although it may not be as cool as a radar-equipped Aston Martin or a wire-flying rig for impossible vault heists, this DIY TEMPEST system lets you snoop on computers using secondary RF emissions.

If the term TEMPEST sounds familiar, it’s because we’ve covered it before. [Elliot Williams] gave an introduction to the many modalities that fall under the TEMPEST umbrella, the US National Security Agency’s catch-all codename for bridging air gaps by monitoring the unintended RF, light, or even audio emissions of computers. And more recently, [Brian Benchoff] discussed a TEMPEST hack that avoided the need for thousands of dollars of RF gear, reducing the rig down to an SDR dongle and a simple antenna. There’s even an app for that now: TempestSDR, a multiplatform Java app that lets you screen scrape a monitor based on its RF signature. Trouble is, getting the app running on Windows machines has been a challenge, but RTL-SDR.com reader [flatfishfly] solved some of the major problems and kindly shared the magic. The video below shows TempestSDR results; it’s clear that high-contrast images are easiest to snoop on, but it shows that a $20 dongle and some open-source software can bridge an air gap. Makes you wonder what’s possible with deeper pockets.

RF sniffing is only one of many ways to exfiltrate data from an air-gapped system. From power cords to security cameras, there seems to be no end to the ways to breach systems.


Fail Of The Week: Tracking Meteors With Weather Radio

It’s not hard to detect meteors: go outside on a clear night in a dark place and you’re bound to see one eventually. But visible light detection is limiting, and knowing that meteors leave a trail of ions means radio detection is possible. That’s what’s behind this attempt to map meteor trails using broadcast signals, which so far hasn’t yielded great results.

Passing jet’s Doppler signature

The fact that meteor trails reflect radio signals is well-known; hams use “meteor bounce” to make long-distance contacts all the time. And using commercial FM broadcast signals to map meteor activity isn’t new, either — we’ve covered the “forward scattering” technique before. The technique requires tuning into a frequency used by a distant station but not a local one and waiting for a passing meteor to bounce the distant signal back to your SDR dongle. Capturing the waterfall display for later analysis should show characteristic patterns and give you an idea of where and when the meteor passed.

[Dave Venne] is an amateur astronomer who turns his eyes and ears to the heavens just to see what he can find. [Dave]’s problem is that the commercial FM band in the Minneapolis area that he calls home is crowded, to say the least. He hit upon the idea of using the National Weather Service weather radio broadcasts at around 160 MHz as a substitute. Sadly, all he managed to capture were passing airplanes with their characteristic Doppler shift; pretty cool in its own right, but not the desired result.

The comments in the RTL-SDR.com post on [Dave]’s attempt had a few ideas on where this went wrong and how to improve it, including the intriguing idea of using 60-meter ham band propagation beacons. Now it’s Hackaday’s turn: any ideas on how to fix [Dave]’s problem? Sound off in the comments below.

Cheap WiFi Devices Are Hardware Hacker Gold

Cheap consumer WiFi devices are great for at least three reasons. First, they almost all run an embedded Linux distribution. Second, they’re cheap. If you’re going to break a couple devices in the process of breaking into the things, it’s nice to be able to do so without financial fears. And third, they’re often produced on such low margins that security is an expense that the manufacturers just can’t stomach — meaning they’re often trivially easy to get into.

Case in point: [q3k] sent in this hack of a tiny WiFi-enabled SD card reader device that he and his compatriots [emeryth] and [informatic] worked out with the help of some early work by [Benjamin Henrion]. The device in question is USB bus-powered, and sports an SD card reader and an AR9331 WiFi SOC inside. It’s intended to supply wireless SD card support to a cell phone that doesn’t have enough on-board storage.

The hack begins with [Benjamin] finding a telnet prompt on port 11880 and simply logging in as root, with the same password that’s used across all Zsun devices: zsun1188. It’s like they want you to get in. (If you speak Chinese, you’ll recognize the numbers as being a sound-alike for “want to get rich”. So we’ve got the company name and a cliché pun. This is basically the Chinese equivalent of “password1234”.) Along the way, [Benjamin] also notes that the device executes arbitrary code typed into its web interface. Configure it to use the ESSID “reboot”, for instance, and the device reboots. Oh my!

From here [q3k] and co. took over and ported OpenWRT to the device and documented where its serial port and GPIOs are broken out on the physical board. But that’s not all. They’ve also documented how and where to attach a wired Ethernet adapter, should you want to put this thing on a non-wireless network, or use it as a bridge, or whatever. In short, it’s a tiny WiFi router and Linux box in a package that’s about the size of a (Euro coin | US quarter) and costs less than a good dinner out. Just add USB power and you’re good to go.

Nice hack!

RPiTX Turns Raspberry Pi Into Versatile Radio Transmitter

Since the discovery that some USB TV tuner dongles could be used to monitor radio waves across a huge amount of spectrum, the software-defined radio world has exploded with interest. The one limiting factor, though, has been that the dongles can only receive signals; they can’t transmit them. [Evariste Okcestbon, F5OEO] (if that is his real name! Ok c’est bon = Ok this is good) has written some software that will get you transmitting using SDR with only a Raspberry Pi and a wire.

There have been projects in the past that use a Pi to broadcast radio (PiFM), but this new software (RPiTX) takes it a couple steps further. Using just an appropriately-sized wire connected to one of the GPIO pins, the Raspberry Pi is capable of broadcasting using FM, AM, SSB, SSTV, or FSQ signals. This greatly increases the potential of this simple computer-turned-transmitter and anyone should be able to get a lot of use out of it. In the video demo below the break, [Evariste] records a wireless doorbell signal and then re-transmits it using just the Raspberry Pi.

The RPiTX code is available on GitHub if you want to try it out. And it should go without saying that you will most likely need an amateur radio license of some sort to use most of these features, depending on your locale. If you don’t have a ham radio license yet, you don’t need one to listen if you want to get started in the world of SDR. But a ham license isn’t hard to get and at this point it shouldn’t take much convincing for you to get transmitting.


Measuring Filters And VSWR With RTL-SDR

Once again the ubiquitous USB TV tuner dongle has proved itself more than capable of doing far more than just receiving broadcast TV. Over on the RTL-SDR blog, there’s a tutorial covering the measurement of filter characteristics using a cheap eBay noise source and an RTL-SDR dongle.

For this tutorial, the key piece of equipment is a BG7TBL noise source, acquired from the usual online retailers. With a few connectors, a filter can be plugged in between this noise source and the RTL-SDR dongle. With the hardware out of the way, the only thing remaining is the software. That’s just rtl_power and this wonderful GUI. The tutorial is using a cheap FM filter, and the resulting plot shows a clear dip between 50 and 150 MHz. Of course this isn’t very accurate; there’s no comparison to the noise source and dongle without any attenuation. That’s just a simple matter of saving some scans as .csv files and plugging some numbers in Excel.

The same hardware can be used to determine the VSWR of an antenna, replacing the filter with a directional coupler; just put the coupler between the noise source and the dongle, and measure the attenuation through the range of the dongle. Repeat with the antenna connected, and jump back into Excel.
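
The spreadsheet step for both measurements above can also be scripted. The following is an added example, not code from the tutorial or from Hackaday: it parses rtl_power CSV rows, averages repeated sweeps, and subtracts a scan taken with the device in line from a reference scan. The sample rows are constructed, and it assumes that for the VSWR case the coupler scan without the antenna is the reference, so the difference is the return loss.

```python
import csv
import io
import math
from collections import defaultdict

# Constructed rtl_power-style rows (not real measurements). Columns:
# date, time, Hz low, Hz high, Hz step, samples, then one dB value per bin.
REFERENCE = """\
2024-01-01, 12:00:00, 50000000, 150000000, 50000000, 64, -20.0, -20.0
2024-01-01, 12:00:00, 150000000, 250000000, 50000000, 64, -21.0, -20.0
2024-01-01, 12:00:10, 50000000, 150000000, 50000000, 64, -20.0, -20.0
2024-01-01, 12:00:10, 150000000, 250000000, 50000000, 64, -21.0, -30.0
"""
WITH_DUT = """\
2024-01-01, 12:05:00, 50000000, 150000000, 50000000, 64, -21.0, -50.0
2024-01-01, 12:05:00, 150000000, 250000000, 50000000, 64, -31.0, -23.0
"""

def load_scan(text):
    """Return {bin start frequency in Hz: dB}, averaging repeated sweeps."""
    power = defaultdict(list)
    for row in csv.reader(io.StringIO(text), skipinitialspace=True):
        if len(row) < 7:
            continue  # blank or truncated line
        low, step = float(row[2]), float(row[4])
        for i, field in enumerate(row[6:]):
            value = float(field) if field.strip() else math.nan
            if math.isfinite(value):  # skip empty, nan and inf bins
                power[round(low + i * step)].append(10 ** (value / 10))
    # Average in linear power, then convert back to dB.
    return {f: 10 * math.log10(sum(p) / len(p)) for f, p in sorted(power.items())}

def loss_db(reference, measured):
    """Per-bin attenuation (dB) of `measured` relative to `reference`."""
    return {f: reference[f] - measured[f] for f in reference if f in measured}

def vswr(return_loss_db):
    """VSWR from return loss in dB; 0 dB or less means total reflection."""
    if return_loss_db <= 0:
        return math.inf
    gamma = 10 ** (-return_loss_db / 20)  # reflection coefficient magnitude
    return (1 + gamma) / (1 - gamma)

if __name__ == "__main__":
    for freq, db in loss_db(load_scan(REFERENCE), load_scan(WITH_DUT)).items():
        # For coupler scans the same difference is return loss, hence vswr(db).
        print(f"{freq / 1e6:5.0f} MHz  {db:5.1f} dB  VSWR {vswr(db):.2f}")
```

Sweeps are averaged as linear power rather than as dB values, so one noisy sweep does not skew a bin the way a plain spreadsheet average of the dB column would.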