Michael Ossmann Pulls DSSS Out of Nowhere

[Michael Ossmann] spoke on Friday to a packed house in the wireless hacking village at DEF CON 25. There’s still a day and a half of talks remaining but it will be hard for anything to unseat his Reverse Engineering Direct Sequence Spread Spectrum (DSSS) talk as my favorite of the con.

DSSS is a technique used to transmit reliable data where low signal strength and high noise are likely. It’s used in GPS communications where the signal received from a satellite is often far too small for you to detect visually on a waterfall display. Yet we know that data is being received and decoded by every cell phone on the planet. It is also used for WiFi management packets, ZigBee, and found in proprietary systems especially any dealing with satellite communications.

[Michael] really pulled a rabbit out of a hat with his demos which detected the DSSS signal parameters in what appeared to be nothing but noise. You can see below the signal with and without noise; the latter is completely indiscernible as a signal at all to the eye, but can be detected using his techniques.

Detecting DSSS with Simple Math

[Michael] mentioned simple math tricks, and he wasn’t kidding. It’s easy to assume that someone as experienced in RF as he would have a different definition of ‘simple’ than we would. But truly, he’s using multiplication and subtraction to do an awful lot.

DSSS transmits binary values as a set called a chip. The chip for digital 1 might be 11100010010 with the digital 0 being the inverse of that. You can see this in the slide at the top of this article. Normal DSSS decoding compares the signal to expected values, using a correlation algorithm that multiplies the two and gives a score. If the score is high enough, 11 in this example, then a bit has been detected.

To reverse engineer this it is necessary to center on the correct frequency and then detect the chip encoding. GNU radio is the tool of choice for processing a DSSS capture from a SPOT Connect module designed to push simple messages to a satellite communication network. The first math trick is to multiply the signal by itself and then look at spectrum analysis to see if there is a noticeable spike indicating the center of the frequency. This can then be adjusted with an offset and smaller spikes on either side will be observed.

When visualized in a constellation view you begin to observe a center and two opposite clusters. The next math trick is to square the signal (multiply it by itself) and it will join those opposite clusters onto one side. What this accomplishes is a strong periodic component (the cycle from the center to the cluster and back again) which reveals the chip rate.

Detecting symbols within the chip is another math trick. Subtract each successive value in the signal from the last and you will mostly end up with zero (high signal minus high signal is zero, etc). But every time the signal spikes you’re looking at a transition point and the visualization begins to look like logic traced out on an oscilloscope. This technique can deal with small amounts of noise but becomes more robust with a bit of filtering.

This sort of exploration of the signal is both fun and interesting. But if you want to actually get some work done you need a tool. [Michael] built his own in the form of a python script that cobbles up a .cfile and spits out the frequency offset, chip rate, chip sequence length, and decoded chip sequence.

Running his sample file through with increasing levels of noise added, the script was rock solid on detecting the parameters of the signal. Interestingly, it is even measuring the 3 parts per million difference between the transmitter and receiver clocks in the detected chip rate value. What isn’t rock solid is the actual bit information, which begins to degrade as the noise is increased. But just establishing the parameters of the protocol being used is the biggest part of the battle and this is a dependable solution for doing that quickly and automatically.

You can give the script a try. It is part of [Michael’s] Clock Recovery repo. This talk was recorded and you should add it to your reminder list for after the con when talks begin to be published. To hold you over until then, we suggest you take a look at his RF Design workshop from the 2015 Hackaday Superconference.

Baofeng Handy Talkie Meets GNU Radio

There was a time when just about every ham had a pricey VHF or UHF transceiver in their vehicle or on their belt. It was great to talk to friends while driving. You could even make phone calls from anywhere thanks to automatic phone patches. In 1980 cell phones were uncommon, so making a call from your car was sure to get attention.

Today, ham radio gear isn’t as pricey thanks to a flood of imports from companies like Baofeng, Jingtong, and Anytone. While a handheld transceiver is more of an impulse buy, you don’t hear as much chat and phone calls, thanks to the widespread adoption of cell phones. Maybe that’s why [Bastian] had bought a cheap Baofeng radio but never used it.

He was working on a traffic light project and wanted to send an RF signal when the light changes. He realized the Baofeng radio was cheap and cheerful solution. He only needed a way to have the PC generate an audio signal to feed the radio. His answer was to design a UDP packet to audio flow graph in GNU Radio. GNU Radio then feeds the Baofeng. The radio’s built-in VOX function handles transmit switching. You can see a video demonstration, below.

Continue reading “Baofeng Handy Talkie Meets GNU Radio”

GSM Sniffing on a Budget with Multi-RTL

If you want to eavesdrop on GSM phone conversations or data, it pays to have deep pockets, because you’re going to need to listen to a wide frequency range. Or, you can just use two cheap RTL-SDR units and some clever syncing software. [Piotr Krysik] presented his work on budget GSM hacking at Camp++ in August 2016, and the video of the presentation just came online now (embedded below). The punchline is a method of listening to both the uplink and downlink channels for a pittance.

[Piotr] knows his GSM phone tech, studying it by day and hacking on a GnuRadio GSM decoder by night. His presentation bears this out, and is a great overview of GSM hacking from 2007 to the present. The impetus for Multi-RTL comes out of this work as well. Although it was possible to hack into a cheap phone or use a single RTL-SDR to receive GSM signals, eavesdropping on both the uplink and downlink channels was still out of reach, because it required more bandwidth than the cheap RTL-SDR had. More like the bandwidth of two cheap RTL-SDR modules.

Getting two RTL-SDR modules to operate in phase is as easy as desoldering a crystal from one and slaving it to the other. Aligning the two absolutely in time required a very sweet hack. It turns out that the absolute timing is retained after a frequency switch, so both RTL-SDRs switch to the same channel, lock together on a single signal, and then switch back off, one to the uplink frequency and the other to the downlink. Multi-RTL is a GnuRadio source that takes care of this for you. Bam! Hundreds or thousands of dollar’s worth of gear replaced by commodity hardware you can buy anywhere for less than a fancy dinner. That’s a great hack, and a great presentation.
Continue reading “GSM Sniffing on a Budget with Multi-RTL”

Shmoocon 2017: Software Defined Radio for Terahertz Frequencies

Before Bluetooth, before the Internet of Things, and before network-connected everything, infrared was king. In the 90s, personal organizers, keyboards, Furbys, and critical infrastructure was built on infrared. Some of these devices are still around, hiding in plain sight. This means there’s a lot of opportunities for some very fun exploits. This was the focus of [Mike Ossmann] and [Dominic Spill]’s talk at this year’s Shmoocon, Exploring The Infrared World. What’s the hook? Using software-defined radio with terahertz frequencies.

[Dominic]’s infrared detector
Infrared communication hasn’t improved since the days of IrDA ports on laptops, and this means the hardware required to talk to these devices is exceptionally simple. The only thing you need is an IR phototransistor and a 4.7k resistor. This is enough to read signals, but overkill is the name of the game here leading to the development of the Gladiolus GreatFET neighbor. This add-on board for the GreatFET is effectively a software defined IR transceiver capable of playing with IrDA, 20 to 60 kHz IR remote control systems, and other less wholesome applications.

Demos are a necessity, but the world seems to have passed over IR in the last decade. That doesn’t mean there still aren’t interesting targets. A week before Shmoocon, [Mike Ossmann] put out the call on Twitter for a traffic light and the associated hardware. Yes, police cars and ambulances use infrared signaling to turn traffic lights green. You shouldn’t. You can, but you shouldn’t.

What was the takeaway from this talk? IR still exists, apparently. Yes, you can use it to send documents directly from your PalmPilot to a laser printer without any wires whatsoever. One of the more interesting applications for IR is an in-car wireless headphone unit that sends something almost, but not quite, like pulse coded audio over infrared. The demo that drew the most applause was an infrared device that changed traffic lights to green. The information to do that is freely available on the web, but you seriously don’t want to attempt that in the wild.

Emulating A Remote Control Ceiling Fan Transmitter In An FPGA

[Joel] has a remote control ceiling fan. It’s nothing special, the controller has a low-power 350MHz transmitter and a Holtek encoder to send commands by keying the transmitter’s output. Desiring something a little better, he set about reverse engineering the device’s protocol and implementing it on a Lattice iCE40 FPGA.

To decode the device’s packets he reached for his RTL-SDR receiver and took a look at it in software. GQRX confirmed the presence of the carrier and allowed him to record a raw I/Q file, which he could then supply to Inspectrum to analyse the packet structure. He found it to be a simple on-off keying scheme, with bits expressed through differing pulse widths. He was then able to create a Gnu Radio project to read and decode them in real time.

Emulating the transmitter was then a fairly straightforward process of generating a 350MHz clock using the on-board PLL and gating it with his generated data stream to provide modulation. The result was able to control his fan with a short wire antenna, indeed he was worried that it might also be doing so for other similar fans in his apartment complex. You can take a look at his source code on GitHub if you would like to try something similar.

It’s worth pointing out that a transmitter like this will radiate a significant amount of harmonics at multiples of its base frequency, and thus without a filter on its output is likely to cause interference. It will also be breaking all the rules set out by whoever the spectrum regulator is where you live, despite its low power. However it’s an interesting project to read, with its reverse engineering and slightly novel use of an FPGA.

Wireless remote hacking seems to be a favorite pastime here in the Hackaday community. We’ve had 2.4GHz hacks and plenty of wireless mains outlet hacks.

Hackaday Dictionary: Ultrasonic Communications

Say you’ve got a neat gadget you are building. You need to send data to it, but you want to keep it simple. You could add a WiFi interface, but that sucks up power. Bluetooth Low Energy uses less power, but it can get complicated, and it’s overkill if you are just looking to send a small amount of data. If your device has a microphone, there is another way that you might not have considered: ultrasonic communications. Continue reading “Hackaday Dictionary: Ultrasonic Communications”

GNU Radio Drives Oscilloscope

These days we are spoiled with a lot of cheap test equipment. However, you can do a lot of measurements with nothing more than an oscilloscope. Add something like a signal generator and you can do even more. One classic technique for frequency measurement, for example, is using a scope to display a Lissajous pattern. [Franz Schaefer] has a video showing how to generate these useful curves with GNU Radio.

As we pointed out earlier, GNU Radio doesn’t have to be about radio–it is really just a Python-based signal processing laboratory. [Franz] uses GNU Radio Companion to create blocks which in turn create the patterns on an old analog scope.

Continue reading “GNU Radio Drives Oscilloscope”