Decoding Satellite-based Text Messages with RTL-SDR and Hacked GPS Antenna

[Carl] just found a yet another use for the RTL-SDR. He’s been decoding Inmarsat STD-C EGC messages with it. Inmarsat is a British satellite telecommunications company. They provide communications all over the world to places that do not have a reliable terrestrial communications network. STD-C is a text message communications channel used mostly by maritime operators. This channel contains Enhanced Group Call (EGC) messages which include information such as search and rescue, coast guard, weather, and more.

Not much equipment is required for this, just the RTL-SDR dongle, an antenna, a computer, and the cables to hook them all up together. Once all of the gear was collected, [Carl] used an Android app called Satellite AR to locate his nearest Inmarsat satellite. Since these satellites are geostationary, he won’t have to move his antenna once it’s pointed in the right direction.

Hacked GPS antenna

As far as antennas go, [Carl] recommends a dish or helix antenna. If you don’t want to fork over the money for something that fancy, he also explains how you can modify a $10 GPS antenna to work for this purpose. He admits that it’s not the best antenna for this, but it will get the job done. A typical GPS antenna will be tuned for 1575 MHz and will contain a band pass filter that prevents the antenna from picking up signals 1-2 MHz away from that frequency.

To remove the filter, the plastic case must first be removed. Then a metal reflector needs to be removed from the bottom of the antenna using a soldering iron. The actual antenna circuit is hiding under the reflector. The filter is typically the largest component on the board. After desoldering, the IN and OUT pads are bridged together. The whole thing can then be put back together for use with this project.

Once everything was hooked up and the antenna was pointed in the right place, the audio output from the dongle was piped into the SDR# tuner software. After tuning to the correct frequency and setting all of the audio parameters, the audio was then decoded with another program called tdma-demo.exe. If everything is tuned just right, the software will be able to decode the audio signal and it will start to display messages. [Carl] posted some interesting examples including a couple of pirate warnings.

If you can’t get enough RTL-SDR hacks, be sure to check out some of the others we’ve featured in the past. And don’t forget to send in links to your own hacking!

DEF CON: The Proxy for ProxyHam

Two weeks ago, news broke of an incredible abuse of power from the National Security Agency. A DEF CON talk was cancelled, and speculation raged that information was not free. This was the ProxyHam, a device that puts you miles away from any agency hunting down your IP address.

Of course, as with just about every DEF CON talk picked up by the press, ProxyHam is an ill-conceived, terrible idea. You can replicate it with parts bought from newegg, and despite using a highly directional antenna the FCC – or any other government agency – can still track you down.

In lieu of a talk on using off-the-shelf networking hardware in the way it was intended, [Dave Maynor] and [Robert Graham] of Errata Security gave a talk at DEF CON that is the proxy to the ProxyHam. They completely debunked the outrageous speculation surrounding the cancellation of the DEF CON talk and managed to introduce a new version of Internet over radio that is actually useful for the security-minded individual.

The ‘debunking’ part of the Errata Security talk was exactly what anyone would expect; the talk was probably cancelled because the creator of ProxyHam exceeded radiated power limits, the FCC caught him, or simply because of ‘advice from counsel’. No big deal; someone was doing something illegal – encryption over ISM bands – and the things you would expect to happen in fact happened.

In the last two weeks, the guys replicated the ProxyHam build, but found a few major shortcomings. Even with a highly directional antenna, interested parties could still track you down. This led the guys at Errata Security to make this system better. They managed to do it in two weeks.

The Errata Security system relies on JT65A – a radio mode made for very weak signals – to hide signals underneath the noise floor. By multiplexing data across multiple channels, this system has about the same bandwidth as a 56 kbps modem from 1999. It’s not much, but it is possible to use this proxy for ProxyHam over 20 miles away from where you’re stealing WiFi from. That’s far better than ProxyHam could ever manage, and all the transmissions stay below the noise floor. The FCC and similarly equipped agencies might be able to find you, but no one with a $20 SDR dongle will.

There are no releases yet, but Errata Security plans to make the software that allows these multiplexed transmissions available soon, and hopes to have a Raspberry Pi-based hardware solution for this technique coming shortly. It’s a radio proxy solution that’s actually somewhat secure, and won’t immediately draw the ire of the FCC.

Saving an Alarm System Remote and $100

[Simon] has been using his home alarm system for over six years now. The system originally came with a small RF remote control, but after years of use and abuse it was finally falling apart. After searching for replacement parts online, he found that his alarm system is the “old” model and remotes are no longer available for purchase. The new system had similar RF remotes, but supposedly they were not compatible. He decided to dig in and fix his remote himself.

He cracked open the remote’s case and found an 8-pin chip labeled HCS300. This chip handles all of the remote’s functions, including reading the buttons, flashing the LED, and providing encoded output to the 433MHz transmitter. The HCS300 also uses KeeLoq technology to protect the data transmission with a rolling code. [Simon] did some research online and found that the new alarm system’s remotes also use the same KeeLoq technology. On a hunch, he went ahead and ordered two of the newer model remotes.

He tried pairing them up with his receiver, but of course it couldn’t be that simple. After opening up the new remote he found that it also used the HCS300 chip. That was a good sign. The manufacturer states that each remote is programmed with a secret 64-bit manufacturer’s code. This acts as the encryption key, so [Simon] would have to somehow crack the key on his original chip and re-program the new chip with the old key. Or he could take the simpler path and swap chips.
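To make concrete why the shared key is the only thing that matters here, the following is an added example (my own code, not [Simon]’s and not the HCS300 datasheet’s format). It implements the publicly described KeeLoq block cipher (32-bit block, 64-bit key, 528 rounds, NLF truth table 0x3A5C742E) and a receiver-side rolling-code check. The key, discrimination value and counter values are constructed for the demo, and the 16-bit/16-bit plaintext split is a simplification: a real HCS300 derives the device key from the manufacturer code plus serial number and packs button and overflow bits into the hop code, which this example leaves out.

```python
"""KeeLoq rolling-code round trip: encoder and receiver-side counter window.

Added illustration after the public description of the KeeLoq block cipher
(32-bit block, 64-bit key, 528 rounds, NLF truth table 0x3A5C742E).
Key, discrimination and counter values are constructed; the 16-bit/16-bit
plaintext layout is a simplification of the real HCS300 hop-code format.
"""

NLF = 0x3A5C742E        # 5-input non-linear function stored as a 32-entry truth table
ROUNDS = 528
MASK32 = 0xFFFFFFFF


def _bit(x: int, n: int) -> int:
    return (x >> n) & 1


def keeloq_encrypt(block: int, key: int) -> int:
    """Encoder side: encrypt one 32-bit block under a 64-bit key."""
    x = block & MASK32
    for r in range(ROUNDS):
        idx = (_bit(x, 31) << 4) | (_bit(x, 26) << 3) | (_bit(x, 20) << 2) | (_bit(x, 9) << 1) | _bit(x, 1)
        fb = _bit(NLF, idx) ^ _bit(key, r % 64) ^ _bit(x, 16) ^ _bit(x, 0)
        x = (x >> 1) | (fb << 31)      # shift right, feed the new bit in at the top
    return x


def keeloq_decrypt(block: int, key: int) -> int:
    """Receiver side: inverse of keeloq_encrypt (rounds and key bits walked backwards)."""
    x = block & MASK32
    for r in range(ROUNDS):
        idx = (_bit(x, 30) << 4) | (_bit(x, 25) << 3) | (_bit(x, 19) << 2) | (_bit(x, 8) << 1) | _bit(x, 0)
        fb = _bit(NLF, idx) ^ _bit(key, (15 - r) % 64) ^ _bit(x, 31) ^ _bit(x, 15)
        x = ((x << 1) & MASK32) | fb
    return x


def encode_hop(key: int, discrimination: int, counter: int) -> int:
    """Build the encrypted 'hop' word a remote would send (simplified layout, see docstring)."""
    plain = ((discrimination & 0xFFFF) << 16) | (counter & 0xFFFF)
    return keeloq_encrypt(plain, key)


class Receiver:
    """Validates hop words: correct key (via discrimination match) and a fresh counter."""

    def __init__(self, key: int, discrimination: int, last_counter: int, window: int = 16):
        self.key = key
        self.discrimination = discrimination
        self.last_counter = last_counter & 0xFFFF
        self.window = window

    def accept(self, hop: int) -> bool:
        plain = keeloq_decrypt(hop, self.key)
        disc, counter = plain >> 16, plain & 0xFFFF
        if disc != self.discrimination:
            return False                      # wrong key or wrong transmitter: decrypts to garbage
        delta = (counter - self.last_counter) & 0xFFFF
        if not 1 <= delta <= self.window:
            return False                      # replayed/stale (delta 0 or huge) or too far ahead
        self.last_counter = counter           # resynchronise, so the same word can never be replayed
        return True


# Constructed demo values (not from any real remote).
KEY = 0x0123456789ABCDEF
OTHER_KEY = 0xFEDCBA9876543210
DISC = 0x02A5


def demo() -> dict:
    rx = Receiver(KEY, DISC, last_counter=100)
    hop = encode_hop(KEY, DISC, 101)
    return {
        "round_trip": keeloq_decrypt(keeloq_encrypt(0x12345678, KEY), KEY) == 0x12345678,
        "fresh": rx.accept(hop),                                  # counter 101 follows 100: accepted
        "replay": rx.accept(hop),                                 # same word again: rejected
        "too_far": rx.accept(encode_hop(KEY, DISC, 201)),         # far outside the window: rejected
        "wrong_key": Receiver(OTHER_KEY, DISC, 100).accept(hop),  # different key: rejected
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:>10}: {result}")
```

The receiver never compares counters in the clear: it decrypts with its own key and only then looks at the discrimination field and counter, so a remote holding a different key fails at the first check. That is the situation [Simon] hit with the new remotes, and why moving the original chip (and with it the key) was enough.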

A hot air gun made short work of the de-soldering and soon enough the chips were in place. Unfortunately, the chips have different pinouts, so [Simon] had to cut a few traces and fix them with jumper wire. With the case back together and the buttons in place, he gave it a test. It worked. Who needs to upgrade their entire alarm system when you can just hack the remote?

Hackaday Links: July 19, 2015

Everybody needs an external USB drive at some time or another. If you’re looking for something with the nerd cred you so desperately need, build a 5 1/4″ half height external drive. That’s a mod to an old Quantum Bigfoot drive, and also serves as a pretty good teardown video for this piece of old tech.

The Wouxun KG-UV2D and KG-UV3D are pretty good radios, but a lot of amateur radio operators have found these little handheld radios eventually wear out. The faulty part is always a 24C64 Flash chip, and [Shane] is here to show you the repair.

Last year there was a hackathon to build a breast pump that doesn’t suck in both the literal and figurative sense. The winner of the hackathon created a compression-based pump that is completely different from the traditional suction-based mechanism. Now they’re ready for clinical trials, and that means money. A lot of money. For that, they’re turning to Kickstarter.

What you really need is head mounted controls for Battlefield 4. According to [outgoingbot] it’s a hacked Dualshock 4 controller taped to a bike helmet. The helmet-mounted controller has a few leads going to another Dualshock 4 controller with analog sticks. This video starts off by showing the setup.

[Jan] built a modeling MIDI synth around a tiny 8-pin ARM microcontroller. Despite the low part count, it sounds pretty good. Now he’s turned his attention to the Arduino. This is a much harder programming problem, but it’s still possible to build a good synth with no DAC or PWM.

Transmitting MIDI Signals With XBEE

What do you do when you want to rock out on your keytar without the constraints of cables and wires? You make your own wireless keytar of course! In order to get the job done, [kr1st0f] built a logic translator circuit. This allows him to transmit MIDI signals directly from a MIDI keyboard to a remote system using XBEE.

[kr1st0f] started with a MIDI keyboard that had the old style MIDI interface with a 5 pin DIN connector. Many new keyboards only have a USB interface, and that would have complicated things. The main circuit uses an optoisolator and a logic converter to get the job done. The MIDI signals are converted from the standard 5V logic to 3.3V in order to work with the XBEE.

The XBEE itself also needed to be configured in order for this circuit to work properly. MIDI signals operate at a rate of 31,250 bits per second. The XBEE, on the other hand, works by default at 9,600 bps. [kr1st0f] first had to reconfigure the XBEE to run at the MIDI bit rate. He did this by connecting to the XBEE over a serial interface and using a series of AT commands. He also had to configure proper ID numbers into the XBEE modules. When all is said and done, his new transmitter circuit can transmit the MIDI signals wirelessly to a receiver circuit which is hooked up to a computer.

Dewalt Radio Repair

We’re suckers for repair videos and this Dewalt worksite radio repair (YouTube Link) from Hackaday alum [Todd Harrison] is no exception. Like a detective story, we’re always trying to guess who did it.

In his first video [Todd] traced the issue down to a faulty 6 volt regulator which was pushing out 8 volts. He fixed that by hacking an LM317 into the circuit to replace the original non-adjustable part. That helped, but after a few days the radio failed again. So here he traces out the voltages to find the second culprit. Along the way, we get to see some of the nicer features of his Fluke 87 and 289 meters, and he puzzles over some of the design decisions in the radio’s construction before identifying the final issue.

We won’t spoil the surprise, but find out how Todd solves this riddle, wrapped in a mystery, inside an enigma in the video below!


Retrotechtacular: The Omega Navigational System

In 1971, the United States Navy launched the Omega navigational system for submarines and surface ships. The system used radio frequencies and phase difference calculations to determine global position. A network of eight very low frequency (VLF) transmitter sites spread around the globe made up the system, which required the cooperation of six other nations.

Omega’s fix accuracy was somewhere between one and two nautical miles. Her eight transmitter stations were positioned around the Earth such that any single point on the planet could receive a usable signal from at least five stations. All of the transmitters were synchronized to a Cesium clock and emitted signals on a time-shared schedule.

A ship’s receiving equipment performed navigation by comparing the phase difference between detected signals. This calculation was based around “lanes” that served to divvy up the distance between stations into equal divisions. A grid of these lanes, formed by eight stations’ worth of overlapping signals, provided intersecting lines of position (LOP) that gave the sailor his fix.

In order for the lane numbers to have meaning, the sailor has to dial in his starting lane number in port based on the maps. He would then select the pair of stations nearest him, which were designated with the letters A to H. He would consult the skywave correction tables and make small adjustments for atmospheric conditions and other variances. Finally, he would set his lane number manually and set sail.
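The lane arithmetic described above, as an added worked example (my own code, not from the article or from any Omega documentation): it assumes a flat plane with two constructed station positions, ignores the skywave corrections, and takes the wavelength from Omega’s 10.2 kHz basic navigation frequency, a figure the article does not give. It shows why the starting lane number had to be dialed in before sailing: the phase comparator only ever sees the fractional lane, so a wrong starting lane is carried through the whole passage as a constant offset.

```python
"""Phase-difference lanes, Omega style, on a flat plane.

Added illustration, not from the article and not from Omega documentation.
Two constructed station positions on a flat plane replace the real spherical
geometry, and skywave corrections are ignored. The wavelength assumes Omega's
10.2 kHz basic navigation frequency, which the article does not state.
"""
import math

WAVELENGTH_KM = 299792.458 / 10200.0      # c / 10.2 kHz, about 29.4 km

# Constructed station coordinates in km (real stations were thousands of km apart).
STATION_A = (0.0, 0.0)
STATION_B = (1000.0, 0.0)


def _dist(p, q):
    return math.hypot(p[0] - q[0], p[1] - q[1])


def lane_coordinate(pos, sta_a=STATION_A, sta_b=STATION_B, wavelength=WAVELENGTH_KM):
    """(d_A - d_B) / lambda. Integer part = lane number, fractional part = phase difference
    in cycles. Every integer value is one hyperbolic line of position (LOP)."""
    return (_dist(pos, sta_a) - _dist(pos, sta_b)) / wavelength


def measured_phase(pos, **kw):
    """What the phase comparator can actually see: the fractional lane only, in [0, 1)."""
    return lane_coordinate(pos, **kw) % 1.0


def starting_lane(pos, **kw):
    """The lane number the navigator must dial in from the chart before sailing."""
    return math.floor(lane_coordinate(pos, **kw))


def lane_width_on_baseline_km(wavelength=WAVELENGTH_KM):
    """On the line joining the stations, 1 km of travel changes d_A - d_B by 2 km,
    so one lane is lambda / 2 wide there (wider off the baseline)."""
    return wavelength / 2.0


class LaneCounter:
    """Keeps the lane number by counting phase wraps; only right if the start lane was right."""

    def __init__(self, start_lane, first_phase):
        self.lane = start_lane
        self.prev = first_phase

    def update(self, phase):
        delta = phase - self.prev
        if delta > 0.5:          # 0.01 -> 0.99: coordinate went down through an integer
            self.lane -= 1
        elif delta < -0.5:       # 0.99 -> 0.01: coordinate went up through an integer
            self.lane += 1
        self.prev = phase
        return self.lane + phase


def track(start, end, steps, dialed_start_lane):
    """Sail a straight leg in `steps` equal pieces (each must be well under half a lane).
    Returns (true_coordinate, counted_coordinate) pairs for every fix after departure."""
    counter = LaneCounter(dialed_start_lane, measured_phase(start))
    fixes = []
    for i in range(1, steps + 1):
        pos = (start[0] + (end[0] - start[0]) * i / steps,
               start[1] + (end[1] - start[1]) * i / steps)
        fixes.append((lane_coordinate(pos), counter.update(measured_phase(pos))))
    return fixes


if __name__ == "__main__":
    leg = ((300.0, 200.0), (700.0, 200.0))   # constructed 400 km leg, 1 km per fix
    right = track(*leg, 400, starting_lane(leg[0]))
    wrong = track(*leg, 400, starting_lane(leg[0]) + 2)
    print(f"lane width on baseline: {lane_width_on_baseline_km():.1f} km")
    print(f"end of leg: true {right[-1][0]:+.3f}, counted {right[-1][1]:+.3f}")
    print(f"same leg with start lane off by two: counted {wrong[-1][1]:+.3f}")
```

The counter only ever adds or subtracts whole lanes when the phase wraps, so it can keep the lane number through a passage but never establish it; that is the job of the chart and the dial in port. Fixes also have to be taken often enough that the phase never moves more than half a cycle between readings, otherwise a wrap is missed and the lane count slips, which is the same failure a wrong starting lane produces.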
