A Geek’s Revenge For Loud Neighbors

It seems [Kevin] has particularly bad luck with neighbors. His first apartment had upstairs neighbors who were apparently a dance troupe specializing in tap. His second apartment was a town house, which had a TV mounted on the opposite wall blaring American Idol with someone singing along very loudly. The people next to [Kevin]’s third apartment liked music, usually with a lot of bass, and frequently at seven in the morning. This happened every day until [Kevin] found a solution (Patreon, but only people who have adblock disabled may complain).

In a hangover-induced rage that began with thumping bass at 7AM on a Sunday, [Kevin] tore through his box of electronic scrap for every capacitor and inductor in his collection. An EMP was the only way to find any amount of peace in his life, and the electronics in his own apartment would be sacrificed for the greater good. In his fury, [Kevin] saw a Yaesu handheld radio sitting on his desk. Maybe, just maybe, if he pressed the transmit button on the right frequency, the speakers would click. The results turned out even better than expected.

With a car mount antenna pointed directly at the neighbor’s stereo, [Kevin] could transmit on a specific, obscure frequency and silence the speakers. How? At seven in the morning on a Sunday, you don’t ask questions. That’s a matter for when you tell everyone on the Internet.

Needless to say, using a radio to kill your neighbor’s electronics is illegal, and it might be a good idea for [Kevin] to take any references to this escapade off of the Internet. It would be an even better idea to not put his call sign online in the future.

That said, this is a wonderful tale of revenge. It’s not an uncommon occurrence, either. Wikihow, Yahoo Answers and Quora – the web pages ‘normies’ use for the questions troubling their soul – are sometimes unbelievably literate when it comes to unintentional electromagnetic interference, and some of the answers correctly point out grounding a stereo and putting a few ferrite beads on the speaker cables is the way to go. Getting this answer relies entirely on asking the right question, something I suspect 90% of the population is completely incapable of doing.

While [Kevin]’s tale is a grin-inducing two-minute read, you shouldn’t, under any circumstances, do anything like this. Polluting the airwaves is much worse than polluting your neighbor’s eardrums: one violates municipal noise codes, the other breaks federal law. It’s a good story, but don’t do it yourself.

Editor’s Note: Soon after publishing our article [Kevin] took down his post and sent us an email. He realized that what he had done wasn’t a good idea. People make mistakes and sometimes do things without thinking. But talking about why this was a bad idea is one way to help educate more people about responsible behavior. Knowing you shouldn’t do something even though you know how is one paving stone on the path to wisdom.
–Mike Szczys

Hacking the Internet of Things: Decoding LoRa

Getting software-defined radio (SDR) tools into the hands of the community has been great for the development and decoding of previously-cryptic, if not encrypted, radio signals the world over. As soon as there’s a new protocol or modulation method, it’s in everyone’s sights. A lot of people have been working on LoRa, and [bertrik] at RevSpace in The Hague has done some work of his own, and put together an amazing summary of the state of the art.

LoRa is a new(ish) modulation scheme for low-power radios. It’s patented, so there’s some information about it available. But it’s also proprietary, meaning that you need a license to produce a radio that uses the encoding. In keeping with today’s buzzwords, LoRa is marketed as a wide area network for the internet of things. HopeRF makes a LoRa module that’s fairly affordable, and naturally [bertrik] has already written an Arduino library for using it.

So with a LoRa radio in hand, and a $15 RTL-SDR dongle connected to a laptop, [bertrik] got some captures, converted the FM-modulated chirps down to audio, and did a bunch of hand analysis. He confirmed that an existing plugin for sdrangelove did (mostly) what it should, and he wrote it all up, complete with a fantastic set of links.
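The chirp-and-dechirp step that the hand analysis above rests on is short enough to show in code. What follows is an added example, not [bertrik]’s library or the sdrangelove plugin: a baseband model of LoRa’s chirp spread spectrum at one complex sample per chip, with the spreading factor, the symbol values and the noise level chosen here purely for illustration. It skips everything above the chip layer (preamble and sync-word detection, carrier-offset correction, Gray mapping, interleaving, Hamming FEC and whitening), so what it shows is the core trick: a symbol value becomes a cyclic shift of the base up-chirp, and multiplying the received symbol by the conjugate of that base chirp collapses the shift into a single DFT bin, which is why the modulation survives well below the noise floor.

```python
import cmath
import math
import random

SF = 7              # spreading factor: each symbol carries SF bits (chosen for the example)
N = 1 << SF         # chips per symbol, sampled once per chip


def base_upchirp(n=N):
    """Baseband LoRa up-chirp, one sample per chip.

    The phase grows quadratically, so the instantaneous frequency sweeps
    linearly across the whole bandwidth over one symbol.  For even n this
    sequence is periodic in n, which is what makes the cyclic shift in
    modulate() well defined.
    """
    return [cmath.exp(1j * math.pi * k * k / n) for k in range(n)]


def modulate(symbols, n=N):
    """Map each symbol value 0..n-1 onto a cyclically shifted up-chirp."""
    base = base_upchirp(n)
    out = []
    for s in symbols:
        if not 0 <= s < n:
            raise ValueError("symbol %d does not fit in SF=%d" % (s, n.bit_length() - 1))
        out.extend(base[(k + s) % n] for k in range(n))
    return out


def _dft(x):
    # Plain O(n^2) DFT so the example has no dependency beyond the standard library.
    n = len(x)
    return [sum(x[k] * cmath.exp(-2j * math.pi * k * m / n) for k in range(n))
            for m in range(n)]


def demodulate(samples, n=N):
    """Dechirp each symbol with the conjugate base chirp and pick the strongest bin.

    seg[k] * conj(base[k]) reduces to exp(j*2*pi*k*s/n) times a constant, so the
    DFT of the product peaks at bin s, the transmitted symbol.
    """
    conj = [c.conjugate() for c in base_upchirp(n)]
    symbols = []
    for start in range(0, len(samples) - n + 1, n):
        dechirped = [a * b for a, b in zip(samples[start:start + n], conj)]
        spectrum = _dft(dechirped)
        symbols.append(max(range(n), key=lambda m: abs(spectrum[m])))
    return symbols


def add_noise(samples, sigma, seed=1):
    """Add complex Gaussian noise (constructed, seeded so the run is repeatable)."""
    rng = random.Random(seed)
    return [s + complex(rng.gauss(0, sigma), rng.gauss(0, sigma)) for s in samples]


if __name__ == "__main__":
    tx = [0, 1, 37, 127]
    print("clean:", demodulate(modulate(tx)))
    # sigma=0.7 per component puts each sample at roughly 0 dB SNR; the
    # dechirp+DFT still recovers the symbols because of the 2**SF processing gain.
    print("noisy:", demodulate(add_noise(modulate(tx), 0.7)))
```

Raising SF doubles the samples per symbol and adds 3 dB of processing gain per step, which is the knob LoRa turns to trade data rate for range; with real captures you would first need to find the preamble (a run of unshifted up-chirps) to align symbol boundaries before this dechirp makes sense.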

There’s more work to be done, so if you’re interested in hacking on LoRa, or just having a look under the hood of this new modulation scheme, you’ve now got a great starting place.

Shmoocon 2016: Reverse Engineering Cheap Chinese Radio Firmware

Every once in a great while, a piece of radio gear catches the attention of a prolific hardware guru and is reverse engineered. A few years ago, it was the RTL-SDR, and since then, software defined radios became the next big thing. Last weekend at Shmoocon, [Travis Goodspeed] presented his reverse engineering of the Tytera MD380 digital handheld radio. The hack has since been published in PoC||GTFO 0x10 (56MB PDF, mirrored) with all the gory details that turn a $140 radio into the first hardware scanner for digital mobile radio.

The Tytera MD-380 digital radio

The Tytera MD380 is a fairly basic radio with two main chips: an STM32F405 with a megabyte of Flash and 192k of RAM, and an HR C5000 baseband. The STM32 has both JTAG and a ROM bootloader, but both of these are locked down by the chip’s read-out protection (RDP). Getting around the RDP is the very definition of a jailbreak, and thanks to a few forgetful or lazy Chinese engineers, it is most certainly possible.

The STM32 in the radio implements a USB Device Firmware Upgrade (DFU), probably because of some example code from ST. Dumping the memory from the standard DFU protocol just repeated the same binary string, but with a little bit of coaxing and investigating the terrible Windows-only official client application, [Travis] was able to find non-standard DFU commands, write a custom DFU client, and read and write the ‘codeplug’, an SPI Flash chip that stores radio settings, frequencies, and talk groups.

Further efforts to dump all the firmware on the radio were a success, and with that began the actual reverse engineering of the radio. It runs an ARM port of MicroC/OS-II, a real-time embedded operating system. That OS is very well documented, so with slightly more effort new functions and patches can be written.

In Digital Mobile Radio, audio is sent through either a public talk group or a private contact. The radio is usually set to only one talk group, so it’s not really possible to listen in on other talk groups without changing settings. A patch for promiscuous mode – a mode that puts all talk groups through the speaker – is just a matter of setting one conditional branch (a BNE) in the firmware to a NOP.
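The one-instruction promiscuous-mode patch is a good excuse to show what “turn a conditional branch into a NOP” means at the byte level on this chip. The STM32F405 is a Cortex-M4 running Thumb-2 code, where a 16-bit conditional branch is encoded as 1101 cccc iiiiiiii (condition 0001 is BNE, the immediate is a signed halfword count relative to PC+4) and the 16-bit NOP is 0xBF00. The script below is an added example and is not [Travis]’s tooling: the firmware bytes and the offset are constructed stand-ins, not the MD380’s image or its real patch location (those are in the PoC||GTFO write-up). What it adds over a blind two-byte overwrite is the check a practitioner wants before flashing: it decodes the halfword to confirm it really is a BNE and reports where the branch would have gone, so a stale or miscalculated offset fails loudly instead of silently corrupting some other instruction.

```python
import struct

THUMB_NOP = 0xBF00       # 16-bit Thumb-2 NOP (T1 encoding)
COND_NE = 0b0001         # condition code used by BNE


def decode_cond_branch(halfword):
    """Decode a 16-bit Thumb B<cond> (T1 encoding: 1101 cccc iiiiiiii).

    Returns (cond, byte_offset) or None if the halfword is not a conditional
    branch.  cond 1110 is the permanently undefined instruction and 1111 is
    SVC, so those bit patterns are excluded.
    """
    if halfword >> 12 != 0b1101:
        return None
    cond = (halfword >> 8) & 0xF
    if cond >= 0b1110:
        return None
    imm8 = halfword & 0xFF
    if imm8 & 0x80:                      # sign-extend the 8-bit immediate
        imm8 -= 0x100
    return cond, imm8 * 2                # immediate counts halfwords


def branch_target(offset, byte_offset):
    """Thumb reads PC as the address of the branch plus 4."""
    return offset + 4 + byte_offset


def patch_bne_to_nop(firmware, offset):
    """Return (patched_image, old_branch_target) with the BNE at offset NOPed.

    Refuses to write unless the halfword at offset decodes as BNE, so a wrong
    offset cannot clobber an unrelated instruction.
    """
    fw = bytearray(firmware)
    (halfword,) = struct.unpack_from("<H", fw, offset)
    decoded = decode_cond_branch(halfword)
    if decoded is None or decoded[0] != COND_NE:
        raise ValueError("no BNE at 0x%x (found 0x%04x)" % (offset, halfword))
    struct.pack_into("<H", fw, offset, THUMB_NOP)
    return bytes(fw), branch_target(offset, decoded[1])


# Constructed stand-in for a firmware fragment (not MD380 bytes): compare the
# received talk group with the configured one and skip the audio path if they
# differ.  The BNE at offset 2 targets offset 6 (2 + 4 + 0), jumping over bx lr.
SAMPLE_FIRMWARE = struct.pack("<HHHH",
    0x4288,     # cmp r0, r1
    0xD100,     # bne  -> offset 6
    0x4770,     # bx lr
    0xBF00,     # nop
)
BNE_OFFSET = 2

if __name__ == "__main__":
    patched, target = patch_bne_to_nop(SAMPLE_FIRMWARE, BNE_OFFSET)
    print("BNE at 0x%x used to jump to 0x%x" % (BNE_OFFSET, target))
    print("before:", SAMPLE_FIRMWARE.hex(), "after:", patched.hex())
```

On a real image the same decode step is worth running against the 32-bit Thumb-2 branch forms as well (0xF000-prefixed B.W and the 0xF3xx conditional variants), since a compiler is free to pick either encoding and a 16-bit NOP written over half of a 32-bit instruction is exactly the kind of corruption this check is meant to catch.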

The Tytera MD-380 ships with a terrible Windows app used for programming the radio

With the help of [DD4CR] and [W7PCH], the entire radio has been reverse engineered with rewritten firmware that works with the official tools, the first attempts at scratch-built firmware built around FreeRTOS, and the beginnings of a very active development community for a $140 radio. [Travis] is looking for people who can add support for P25, D-Star, System Fusion, a proper scanner, or the ability to send and receive DMR frames over USB. All these things are possible, making this one of the most exciting radio hacks in recent memory.

Before [Travis] presented this hack at the Shmoocon fire talks, intuition guided me to look up this radio on Amazon. It was $140 with Prime, and the top vendor had 18 in stock. Immediately after the talk – 20 minutes later – the same vendor had 14 in stock. [Travis] sold four radios to members of the audience, and there weren’t that many people in attendance. Two hours later, the same vendor had four in stock. If you’re looking for the best hardware hack of the con, this is the one.

Decoding data hiding in Star Trek IV

1986: The US and Russia signed arms agreements, Argentina won the world cup, and Star Trek IV: The Voyage Home hit the theaters. Trekkies and the general public alike enjoyed the film. Some astute hams, though, noticed a strange phenomenon about halfway through the film. During a pivotal scene, Scotty attempts to beam Chekov and Uhura off the Enterprise, but has trouble with interference. The interference can be heard over the ubiquitous Star Trek comm link. To many it may sound like random radio noise. To the trained ear of [Harold Price, NK6K], though, it sounded a heck of a lot like packet radio transmissions.

By 1989, the film was out on VHS and laser disc. With high quality audio available, [Harold] challenged his friend [Bob McGwier, N4HY] to decode the signal. [Bob] used the best computer he had available: His brain. He also had a bit of help from a Cray 2 supercomputer.

[Bob] didn’t own his own Cray 2 of course, this particular computer was property of the National Security Agency (NSA). He received permission to test Frequency Shift Keyed (FSK) decoder algorithms. Can you guess what his test dataset was?

The signal required a lot of cleanup: the original receiver was tuned 900 Hz below the transmission frequency, and there was a ton of noise. To make matters worse, Scotty kept speaking over the audio. Thankfully, AX.25 is a forgiving protocol. [Bob] persevered and was able to obtain some usable data. The signal turned out to be [Bill Harrigill, WA8ZCN] sending a Receive Ready (RR) packet to N6AEZ on 20 meters. An RR packet indicates that [Bill]’s station had received all previous packets and was ready for more. [Bob] called [Bill], who was able to verify that it was probably him transmitting in 1985 or 1986, around the time the sound editors would have been looking for effects.
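The RR frame that fell out of [Bob]’s decode is about the smallest thing AX.25 ever sends, so it is a good place to show what the protocol actually puts on the air. The code below is an added example, not [Bob]’s decoder: it builds an RR supervisory frame from WA8ZCN to N6AEZ with a constructed N(R) value (the real sequence number is not in the write-up), then parses it back, including the CRC-16/X-25 frame check sequence that lets a receiver reject frames mangled by noise or by a chief engineer talking over them. It handles the modulo-8 control field only; HDLC flags, bit stuffing and the FSK layer underneath are out of scope.

```python
import struct

CRC_POLY_REFLECTED = 0x8408   # CRC-16/X-25: poly 0x1021 reflected, init and xorout 0xFFFF
S_TYPES = {0: "RR", 1: "RNR", 2: "REJ", 3: "SREJ"}


def crc16_x25(data):
    """HDLC/AX.25 frame check sequence (CRC-16/X-25)."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ CRC_POLY_REFLECTED if crc & 1 else crc >> 1
    return crc ^ 0xFFFF


def encode_address(callsign, ssid=0, last=False, c_bit=0):
    """One 7-byte AX.25 address: six callsign chars shifted left 1 bit, then the SSID byte."""
    call = callsign.upper().ljust(6)
    if len(call) != 6:
        raise ValueError("callsign longer than 6 characters")
    field = bytes(ord(ch) << 1 for ch in call)
    # SSID byte: C/H bit 7, reserved bits 6-5 set, SSID in bits 4-1, extension bit 0
    # (extension bit = 1 marks the last address in the chain).
    ssid_byte = (c_bit << 7) | 0x60 | ((ssid & 0x0F) << 1) | (1 if last else 0)
    return field + bytes([ssid_byte])


def build_rr(dest, src, nr, pf=0):
    """Receive Ready S-frame: 'I have every I-frame below N(R), send more.'"""
    # Modulo-8 S-frame control byte: N(R) bits 7-5, P/F bit 4, SS bits 3-2 (00 = RR), bits 1-0 = 01.
    control = ((nr & 7) << 5) | ((pf & 1) << 4) | 0x01
    body = encode_address(dest) + encode_address(src, last=True) + bytes([control])
    return body + struct.pack("<H", crc16_x25(body))


def decode_address(field):
    callsign = "".join(chr(b >> 1) for b in field[:6]).rstrip()
    ssid = (field[6] >> 1) & 0x0F
    return callsign, ssid, bool(field[6] & 1)


def parse_frame(frame):
    """Parse an AX.25 frame (flags and bit stuffing already stripped)."""
    if len(frame) < 17:
        raise ValueError("too short for two addresses, a control byte and the FCS")
    body, fcs = frame[:-2], struct.unpack("<H", frame[-2:])[0]
    addresses, pos = [], 0
    while True:
        if pos + 7 > len(body):
            raise ValueError("address chain runs off the end of the frame")
        call, ssid, last = decode_address(body[pos:pos + 7])
        addresses.append((call, ssid))
        pos += 7
        if last:
            break
    control = body[pos]
    if control & 1 == 0:
        kind, nr = "I", control >> 5
    elif control & 3 == 1:
        kind, nr = S_TYPES[(control >> 2) & 3], control >> 5
    else:
        kind, nr = "U", None
    return {
        "dest": addresses[0], "src": addresses[1], "digipeaters": addresses[2:],
        "type": kind, "nr": nr, "pf": (control >> 4) & 1,
        "fcs_ok": crc16_x25(body) == fcs,
    }


if __name__ == "__main__":
    frame = build_rr("N6AEZ", "WA8ZCN", nr=3)     # N(R)=3 is a constructed value
    print(frame.hex())
    print(parse_frame(frame))
```

A real decoder working from a demodulated bitstream would hunt for the 0x7E flag, strip the stuffed zero bits, and only then hand bytes to parse_frame; the FCS check is what tells it whether the bits recovered between two flags are worth anything, which is the same judgment [Bob] had to make by hand.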

That’s a pretty amazing accomplishment, especially considering it was 1989. Today, we carry supercomputers around in our pockets. The Cray 2 is roughly equivalent to an iPhone 4 in processing power. Modern laptop and desktop machines easily outclass Seymour Cray’s machine. We also have software like GNU Radio, which is designed to decode data. Our challenge to you, the best readers in the world, is to replicate [Bob McGwier’s] work, and share your results.

Weightless IoT Hardware Virtually Unavailable

It has been over 2 years since we last mentioned the Weightless SIG and their claims of an IoT open standard chip with a 10 year battery life and 10km wireless range, all at a jaw dropping price of $2 per chip. There was a planned production run of the 3rd gen chips, which I suspect either went to beta testers or never made it into production, since we didn’t hear anything else for years.

Recently, a company called nwave began producing dev-kits using the Weightless Technology which you can see in the banner image up top. Although the hardware exists it is a very small run and only available to members of the development team. If you happened to be on the Weightless mailing list when the Weightless-N SDK was announced there was an offer to get a “free” development board to the first 100 development members. I use bunny ears on free because in order to become a member of the developer team you have to pay a yearly fee of £900. Don’t abrasively “pffffft” just yet: if you happened to be one of the first 100 there was an offer for developers that came up with a product and submitted it back for certification to get their £900 refunded to them. It’s not the best deal going, but the incentive to follow through with a product is an interesting take.

Continue reading “Weightless IoT Hardware Virtually Unavailable”

SDR Pan Adapter

Ham radio operators have a long history of using pan adapters to visualize an entire range of the radio spectrum. Traditionally, an adapter was essentially a spectrum analyzer that shows a trace where the X-axis is the frequency, and the Y-axis shows the signal strength at any particular frequency. You can quickly find either busy frequencies or empty frequencies at a glance.

Although the pan adapter has been around since the 1930s, they aren’t as common as you’d think with regular analog radios. However, if you’ve used an SDR (Software Defined Radio), a spectrum display is par for the course. [Mehdi Asgari] did what a lot of hams have been doing lately: he married an SDR and his traditional receiver to provide a great pan adapter with very little effort.

Continue reading “SDR Pan Adapter”

Alfred P. Morgan: A Generation’s Radio Hacker

I was surfing the web looking for interesting projects the other day when I ran into [SkyKing’s] exquisite transistor demodulator radio builds. He mentioned that they were “Alfred P. Morgan-style” and that brought back a flood of memories about a man who introduced a whole generation to electronics and radio.

[Morgan] was born in 1889 and in the early part of the twentieth century, he was excited to build and fly an airplane. Apparently, there wasn’t a successful flight. However, he eventually succeeded and wrote his first book: “How to Build a 20-foot Bi-Plane Glider.” In 1910, he and a partner formed the Adams Morgan company to distribute radio construction kits. We probably wouldn’t remember [Morgan] for his airplanes, but we do recognize him for his work with radio.

By 1913, he published a book “The Boy Electrician” which covered the fundamentals of electricity and magnetism (at a time when these subjects were far more mysterious than they are today). [Morgan] predicted the hacker in the preface to the 1947 edition. After describing how a boy was frustrated that his model train automated to the point that he had nothing actually to do, [Morgan] observed:

The prime instinct of almost any boy at play is to make and to create. He will make things of such materials as he has at hand, and use the whole force of dream and fancy to create something out of nothing.

Of course, we know this applies to girls too, but [Morgan] wrote this in 1913, so you have to fill in the blanks. I think we can all identify with that sentiment, though.

Continue reading “Alfred P. Morgan: A Generation’s Radio Hacker”