Shmoocon 2017: Dig Out Your Old Brick Phone

The 90s were a wonderful time for portable communications devices. Cell phones had mass, real buttons, and thick batteries – everything you want in next year’s flagship phone. Unfortunately, Zach Morris’ phone hasn’t been able to find a tower for the last decade, but that doesn’t mean these phones are dead. This weekend at Shmoocon, [Brandon Creighton] brought these phones back to life. The Motorola DynaTAC lives again.

[Brandon] has a history of building ad-hoc cell phone networks. A few years ago, he was part of Ninja Tel, the group that set up their own cell phone network at DEF CON. That was a GSM network, and brickphones are so much cooler, so for the last few months he’s set his sights on building out a 1G network. All the code is up on GitHub, and the hardware requirements for building a 1G tower are pretty light; you can roll your own 1G network for about $400.

The first step in building a 1G network, properly referred to as an AMPS network, is simply reading the documentation. The entire spec is only 136 pages; it’s simple enough for a single person to wrap their head around, and the concept of a ‘call’ really doesn’t exist. AMPS looks more like a trunking system, and the voice channels are just FM. All of this info was translated into GNU Radio blocks, and [Brandon] could place a call to an old Motorola flip phone.

As far as hardware is concerned, AMPS is pretty lightweight when compared to the capabilities of modern SDR hardware. The live demo setup used an Ettus Research USRP N210, but this is overkill. These phones operate around 824-849 MHz with minimal bandwidth, so a base station could easily be assembled from a single HackRF and an RTL-SDR dongle.

Yes, the phones are old, but there is one great bonus concerning AMPS. Nobody is really using these frequencies anymore in the US. That’s not to say building your own unlicensed 1G tower in the US is legally permissible, but if nobody reports you, you can probably get away with it.

Shmoocon 2017: A Simple Tool For Reverse Engineering RF

Anyone can hack a radio, but that doesn’t mean it’s easy: there’s a lot of mechanics that go into formatting a signal before you can decode the ones and zeros.

At his Shmoocon talk, [Paul Clark] introduced a great new tool for RF Reverse Engineering. It’s called WaveConverter, and it is possibly the single most interesting tool we’ve seen in radio in a long time.

If you wanted to hack an RF system — read the data from a tire pressure monitor, a car’s key fob, a garage door opener, or a signal from a home security system’s sensor — you’ll be doing the same thing for each attack. The first step is to capture the signal, probably with a software defined radio. Take this data into GNU Radio, and you’ll have to figure out the modulation, the framing, the encoding, extract the data, and finally figure out what the ones and zeros mean. Only that last part, figuring out what the ones and zeros actually do, is the real hack. Everything before that is just a highly advanced form of data entry and manipulation.

[Paul]’s WaveConverter is the tool built for this data manipulation. Take WaveConverter, input an IQ file of the relevant radio sample you’d like to reverse engineer, and you have all the tools to turn a radio signal into ones and zeros at your disposal. Everything from determining the preamble of a signal, figuring out the encoding, to determining CRC checksums is right there.

All of this is great for reverse engineering a single radio protocol, but it gets even better. Once you’re able to decode a signal in WaveConverter, it’s set up to decode every other signal from that device. You can save your settings, too, which means this might be the beginnings of an open source library of protocol analyzers. If someone on the Internet has already decoded the signals from the keyfob of a 1995 Ford Taurus, they could share those settings to allow you to decode the same keyfob. This is the very beginnings of something very, very cool.

The Github repo for WaveConverter includes a few sample IQ files, and you can try it out for yourself right now. [Paul] admits there are a few problems with the app, but most of those are UI changes he has in mind. If you know your way around programming GUIs, [Paul] would appreciate your input.

Shmoocon 2017: So You Want To Hack RF

Far too much stuff is wireless these days. Home security systems have dozens of radios for door and window sensors, thermostats aren’t just a wire to the furnace anymore, and we are annoyed when we can’t start our cars from across a parking lot. This is a golden era for anyone who wants to hack RF. This year at Shmoocon, [Marc Newlin] and [Matt Knight] of Bastille Networks gave an overview of how to get into hacking RF. These are guys who know a few things about hacking RF; [Marc] is responsible for MouseJack and KeySniffer, and [Matt] reverse engineered the LoRa PHY.

In their talk, [Marc] and [Matt] outlined five steps to reverse engineering any RF signal. First, characterize the channel. Determine the modulation. Determine the symbol rate. Synchronize a receiver against the data. Finally, extract the symbols, or get the ones and zeros out of the analog soup.

From [Marc] and [Matt]’s experience, most of this process doesn’t require a radio, software or otherwise. Open source intelligence or information from regulatory databases can be a treasure trove of information regarding the operating frequency of the device, the modulation, and even the bit rate. The pertinent example from the talk was the FCC ID for a Z-wave module. A simple search revealed the frequency of the device. Since the stated symbol rate was twice the stated data rate, the device obviously used Manchester encoding. These sorts of insights become obvious once you know what you’re looking for.

In their demo, [Marc] and [Matt] went through the entire process of firing up GNU Radio, running a Z-wave decoder and receiving Z-wave frames. All of this was done with a minimum of hardware and required zero understanding of what radio actually is, imaginary numbers, or anything else a ham license will hopefully teach you. It’s a great introduction to RF hacking, and shows anyone how to do it.
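The five steps above, and the capture-to-bits pipeline described in the WaveConverter write-up, as an added Python example that is not part of either talk or project. It works on a constructed, already hard-sliced 0/1 sample stream (what a demodulator hands over after step 2), so it covers steps 3 to 5: it takes the shortest pulse as one symbol period to estimate the symbol rate, checks for the Manchester signature the talk mentions (only two pulse widths, the longer exactly twice the shorter, so the bit rate is half the symbol rate), aligns a sampling grid to the first edge and tries both bit phases to synchronise, then extracts the payload following a sync word. The sample rate, frame bytes and the IEEE 802.3 Manchester convention (data 1 = low then high) are all assumptions made for the example; real devices often use the inverse convention, which just swaps `ONE` and `ZERO`.

```python
"""Steps 3-5 of the RF reverse-engineering flow on a constructed capture.

Assumed convention: IEEE 802.3 Manchester, where a data 1 is a low->high
half-bit pair and a data 0 is high->low.  Swap ONE/ZERO for the inverse.
"""
from itertools import groupby

ONE = (0, 1)   # half-bit symbol pair for a data 1
ZERO = (1, 0)  # half-bit symbol pair for a data 0

# Constructed frame layout; these bytes belong to no real protocol.
PREAMBLE = bytes([0xAA, 0xAA])             # 1010...: one transition per bit
SYNC = bytes([0x2D, 0xD4])                 # marks where the payload starts
PAYLOAD = bytes([0xDE, 0xAD, 0xBE, 0xEF])  # what we want to recover

def bytes_to_bits(data):
    return [(byte >> (7 - i)) & 1 for byte in data for i in range(8)]

def bits_to_bytes(bits):
    whole = len(bits) - len(bits) % 8
    return bytes(int("".join(map(str, bits[i:i + 8])), 2) for i in range(0, whole, 8))

def manchester_encode(bits):
    """Two half-bit symbols per data bit, so symbol rate = 2 x bit rate."""
    symbols = []
    for b in bits:
        symbols.extend(ONE if b else ZERO)
    return symbols

def build_capture(sample_rate, symbol_rate, idle_samples=37):
    """Hard-sliced 0/1 samples as a demodulator would emit them (constructed):
    idle low, the Manchester frame, idle low again."""
    spp = sample_rate // symbol_rate          # samples per half-bit symbol
    samples = [0] * idle_samples
    for s in manchester_encode(bytes_to_bits(PREAMBLE + SYNC + PAYLOAD)):
        samples.extend([s] * spp)
    return samples + [0] * idle_samples

def run_lengths(samples):
    """(level, length) for every run of identical samples."""
    return [(level, sum(1 for _ in g)) for level, g in groupby(samples)]

def slice_symbols(samples, spp, offset):
    """One hard decision at the centre of each symbol on a grid starting at offset."""
    return [samples[i] for i in range(offset + spp // 2, len(samples), spp)]

def manchester_decode(symbols):
    """Pair up symbols; None marks idle or a mis-phased pairing."""
    pairs = zip(symbols[0::2], symbols[1::2])
    return [1 if p == ONE else 0 if p == ZERO else None for p in pairs]

def find_pattern(bits, pattern):
    n = len(pattern)
    return next((i for i in range(len(bits) - n + 1) if bits[i:i + n] == pattern), None)

def recover_frame(samples, sample_rate):
    runs = run_lengths(samples)
    interior = [length for _, length in runs[1:-1]]   # drop leading/trailing idle
    spp = min(interior)                                # step 3: shortest pulse = one symbol
    symbol_rate = sample_rate // spp
    # Manchester signature: only two pulse widths, the longer exactly twice the
    # shorter.  A stated symbol rate of twice the data rate says the same thing.
    is_manchester = all(length in (spp, 2 * spp) for length in interior)
    grid_start = runs[0][1] % spp                      # step 4: align grid to first edge
    sync_bits = bytes_to_bits(SYNC)
    for phase in (0, 1):                               # which symbol starts a bit is unknown
        bits = manchester_decode(slice_symbols(samples, spp, grid_start + phase * spp))
        idx = find_pattern(bits, sync_bits)
        if idx is None:
            continue                                   # wrong phase: sync never decodes cleanly
        payload_bits = []
        for b in bits[idx + len(sync_bits):]:          # step 5: bits until the idle tail
            if b is None:
                break
            payload_bits.append(b)
        return {"symbol_rate": symbol_rate, "bit_rate": symbol_rate // 2,
                "manchester": is_manchester, "payload": bits_to_bytes(payload_bits)}
    return None

if __name__ == "__main__":
    capture = build_capture(sample_rate=2_000_000, symbol_rate=40_000)
    print(recover_frame(capture, 2_000_000))
```

The phase search is the interesting part: with the wrong pairing, a Manchester stream decodes to a valid bit only where two consecutive data bits are equal and to an invalid pair everywhere else, so a sync word with any transitions in it can only be found on the correct phase. On a real capture the shortest-pulse estimate needs a tolerance for glitches and clock drift; the constructed stream here is ideal.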

Pumping Up An Antenna From A Stream Of Sea Water

Our Hackaday readership represent a huge breadth of engineering experience and knowledge, and we get a significant number of our story tips from you. For instance, today we are indebted to [sonofthunderboanerges] for delivering us a tip in the comment stream of one of our posts, detailing an antenna created by coupling RF into a jet of sea water created with a pump. It’s a few years old so we’re presenting it as an object of interest rather than as a news story, but it remains a no less fascinating project for that.

The antenna relies on the conductivity of sea water to view a jet of water as simply another conductor to which RF can be coupled. The jet is simply adjusted by altering the flow rate until it is a quarter wavelength long at the desired frequency, at which point it is a good analogue of a metal whip antenna. The RF is coupled at the base by a ferrite cored transformer that clips around the nozzle ejecting the water, and a bandwidth from 2 MHz to 400 MHz is claimed. If you work with RF you will probably wince at the sight of salt water coming near the RF connector, as we did.

The advantage of the system is that it allows antennas of multiple frequencies to be created at very short notice and using very little space or weight when not in use. The creator of the antenna at the US Navy’s SPAWAR technology organization points to its obvious application on Navy warships. Whether or not the sailors are using these antennas now isn’t clear, but one thing’s for certain, the idea hasn’t gone away. Early last year Popular Mechanics reported on a similar project under way courtesy of Mitsubishi, in Japan.


Anatomy Of A Digital Broadcast Radio System

What does a Hackaday writer do when a couple of days after Christmas she’s having a beer or two with a long-term friend from her university days who’s made a career in the technical side of digital broadcasting? Pick his brains about the transmission scheme and write it all down of course, for behind the consumer’s shiny digital radio lies a wealth of interesting technology to try to squeeze the most from the available resources.

In the UK, our digital broadcast radio uses a system called DAB, for Digital Audio Broadcasting. There are a variety of standards used around the world for digital radio, and it’s fair to say that DAB as one of the older ones is not necessarily the best in today’s marketplace. This aside there is still a lot to be learned from its transmission scheme, and from how some of its shortcomings were addressed in later standards.

Did a Russian Physicist Invent Radio?

It is said that “success has many fathers, but failure is an orphan.” Given the world-changing success of radio in the late 19th and early 20th centuries, it’s no wonder that so many scientists, physicists, and engineers have been credited with its invention. The fact that electromagnetic radiation is a natural phenomenon that no one can reasonably claim to have invented sometimes seems lost in the shuffle to claim the prize.

But it was exactly through the study of natural phenomena that one of the earliest pioneers in radio research came to have a reasonable claim to at least be the inventor of the radio receiver, well before anyone had learned how to reliably produce electromagnetic waves. This is the story of how a Russian physicist harnessed the power of lightning and became one of the many fathers of radio.


The Poynting Vector Antenna

Radio amateurs are inventive people, and though not all of them choose to follow it there is a healthy culture of building radio equipment among them. In particular the field of antennas is where you’ll find a lot of their work, because the barrier to entry can be as low as the cost of a reel of wire.

Over the years a number of innovative antenna designs have come from radio amateurs’ experimentation, and it’s one of the more recent we’d like to share with you today following a [Southgate ARC] story about a book describing its theory (Here’s an Amazon link to the book itself). The Poynting Vector antenna has been one of those novel designs on the fringes for a while now; it has been variously described as the “Super-T”, or the “flute”. Its party piece is tiny dimensions, a fraction of the size of a conventional dipole, and it achieves that by the interaction between a magnetic field across the plates of a capacitor in a tuned circuit and the electric field between a very short pair of dipole radiators. The trade-off is that it has an extremely high Q and thus a narrow bandwidth, and since its feeder can become part of its resonant circuit it is notoriously difficult to match to a transmitter. [Alan MacDonald, VE3TET] and [Paul Birke, VE3PVB] have a detailed page on the development of their Poynting antenna which takes the reader through the details of its theory and the development of their practical version.

In the roof space above the room in which this is being written there hangs a traditional dipole for the 20m amateur band. Though it is a very effective antenna given that it is made from a couple of pieces of wire and a ferrite core, it takes most of the length of the space, and as we’re sure Hackaday readers with callsigns will agree, a relatively tiny alternative is always very welcome.

If antennas are a mystery to you then we’d suggest you read an introduction to antenna basics to get you started.