A Spicy Regenerative Receiver

We recently posted a three-part series about using LTSpice to simulate electronic circuits (one, two, three). You might have found yourself wondering: Can you really simulate practical designs with the program? This quick analysis of [QRP Gaijin’s] minimalist regenerative receiver says “yes”.


Google Is Building A 100kW Radio Transmitter At A Spaceport And No One Knows Why

You can find the funniest things in public government documents. There’s always ample evidence your local congress critter is working against the interests of their constituency, nation, and industry controlled by the commission they’re chairperson of. Rarely, though, do you find something surprising, and rarer still does it portend some sort of experiments conducted by Google at a spaceport in New Mexico.

In a publication released last week, Google asked the FCC to treat some information relating to radio experiments as confidential. These experiments involve highly directional (and therefore high effective radiated power) transmissions at 2.5 GHz, 5.8 GHz, 24 GHz, 71-76 GHz, and 81-86 GHz. These experiments will take place at Spaceport America, a 12,000 foot runway in the middle of New Mexico occasionally used by SpaceX, Virgin Galactic, and now Google.

For the most part, this document only tells the FCC that Google won’t be causing harmful interference in their radio experiments. There are few other details, save for what bands and transmitters Google will be using and an experimental radio license call sign (WI9XZE) that doesn’t show up in the FCC database.

Of the few details listed in the documents, one thing does pop out as exceptionally odd: a 70-80 GHz transmitter with an effective radiated power (ERP) of 96,411 W. That’s close enough to 100 kilowatts to call it as such. This is the maximum effective radiated power of the highest power FM stations in the US, but radio stations are omnidirectional, whereas Google is using very high gain antennas with a beam width of less than half a degree. The actual power output of this transmitter is a mere half watt.
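To see how half a watt turns into a six-figure ERP, here is a small worked calculation added for this article (not from the FCC filing or from Google). The only inputs taken from the text are the 96,411 W ERP and the 0.5 W transmitter output; the antenna-gain and beamwidth relationships are the standard textbook ones, and the beamwidth estimate is the idealised 4π-steradian approximation, which real antennas only approach.

```python
import math

# Added example: ERP arithmetic for the 70-80 GHz transmitter in the article.
# Inputs from the article: ERP = 96,411 W, transmitter output = 0.5 W.

DIPOLE_GAIN_DBI = 2.15            # ERP is referenced to a half-wave dipole (2.15 dBi)
SQUARE_DEGREES_IN_SPHERE = 41253  # 4*pi steradians expressed in square degrees


def to_db(ratio):
    """Power ratio -> decibels."""
    return 10.0 * math.log10(ratio)


def from_db(db):
    """Decibels -> power ratio."""
    return 10.0 ** (db / 10.0)


def erp_watts(tx_power_w, antenna_gain_dbd):
    """ERP = transmitter power multiplied by antenna gain relative to a dipole."""
    return tx_power_w * from_db(antenna_gain_dbd)


def antenna_gain_dbd(tx_power_w, erp_w):
    """Antenna gain (dBd) implied by a transmitter power and a published ERP."""
    return to_db(erp_w / tx_power_w)


def gain_dbi_from_beamwidth(h_deg, v_deg):
    """Idealised directivity of a pencil beam: whole sphere / beam solid angle.
    Real antennas fall somewhat below this figure (sidelobes, ohmic losses)."""
    return to_db(SQUARE_DEGREES_IN_SPHERE / (h_deg * v_deg))


def beamwidth_from_gain_dbi(gain_dbi):
    """Inverse of the above for a symmetric (circular) beam, in degrees."""
    return math.sqrt(SQUARE_DEGREES_IN_SPHERE / from_db(gain_dbi))


def analyse(tx_power_w=0.5, erp_w=96411.0):
    """Work the article's two numbers back to antenna gain and beamwidth."""
    gain_dbd = antenna_gain_dbd(tx_power_w, erp_w)
    gain_dbi = gain_dbd + DIPOLE_GAIN_DBI
    return {
        "gain_dbd": gain_dbd,
        "gain_dbi": gain_dbi,
        "implied_beamwidth_deg": beamwidth_from_gain_dbi(gain_dbi),
        # cross-check: a 0.5 x 0.5 degree beam alone is already past 50 dBi
        "gain_dbi_for_half_degree_beam": gain_dbi_from_beamwidth(0.5, 0.5),
    }


if __name__ == "__main__":
    for key, value in analyse().items():
        print(f"{key:32s} {value:8.2f}")
```

The implied gain is about 52.9 dBd (55 dBi), which for an ideal circular beam corresponds to roughly 0.36 degrees, consistent with the "less than half a degree" in the filing and with the point that a very narrow beam, not a big transmitter, is what produces the headline number.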

The best guess for what Google is doing out in the New Mexico desert is Project Skybender, a project to use millimeter waves to bring faster Internet to everyone. There aren’t many details, but there is a lot of speculation ranging from application in low Earth orbit to something with Google Loon.

Retrotechtacular: Transmission Lines

This great old video (embedded below the break) from Tektronix in the mid-60s covers a topic that seems to confuse folks more than it should — transmission lines. We found it on Paul Carbone’s blog, a great site for aficionados of old analog scopes in its own right.

As with many of these older videos, the pacing is a bit slow by today’s standards, but the quality of the material eventually presented more than makes it worth the effort to rein in your ADHD. For a preview, you can skip to the end where they do a review of all the material.

They start off at 5:31 with a pulse travelling down a wire pair, and take a very real-world approach to figuring out the characteristic impedance of the line: if the pulse was created by a battery of 9V, how much current is flowing? If the DC resistance of the wire is zero then there should be an infinite current by Ohm’s law, and that’s clearly not happening. This motivates the standard analysis where you break the wire down into distributed inductance and capacitance.

Of course they do the experiment where you inject a pulse into a long loop of coaxial cable and play around with the termination at the other end of the line. They also measure the velocity factor of the line. Our only gripe is that they don’t tap the line in different places to demonstrate standing waves. The good news is that we’ve got YouTube (and [w3aew]) for that.
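The two experiments in the video (the 9 V step and the loop of coax with different terminations) reduce to a handful of formulas, collected here as an added example that is not from the Tektronix film or from Paul Carbone’s blog. The coax dimensions and dielectric constant are constructed values chosen to land near 50 ohms; the lossless-line formulas themselves are standard.

```python
import math

# Added example: characteristic impedance, launch current, velocity factor and
# far-end reflections for a lossless coaxial line. Cable dimensions below are
# constructed sample values, not measurements of a real cable.

C0 = 299_792_458.0  # speed of light in vacuum, m/s


def coax_impedance(inner_d_mm, dielectric_d_mm, eps_r):
    """Z0 of an ideal coax: (1/2pi) * sqrt(mu0/eps0)/sqrt(eps_r) * ln(D/d) ohms."""
    return 59.96 / math.sqrt(eps_r) * math.log(dielectric_d_mm / inner_d_mm)


def velocity_factor(eps_r):
    """Fraction of c at which a pulse travels in the dielectric."""
    return 1.0 / math.sqrt(eps_r)


def launch_current(step_volts, z0):
    """The video's question: a 9 V step into a line draws V/Z0, not V/R_dc,
    because the distributed L and C present a real impedance to the step."""
    return step_volts / z0


def reflection_coefficient(z_load, z0):
    """Voltage reflection coefficient at the far end.
    z_load=None (or infinity) means an open circuit; 0 means a short."""
    if z_load is None or math.isinf(z_load):
        return 1.0  # open: the step comes back at full amplitude, same polarity
    return (z_load - z0) / (z_load + z0)


def echo(step_volts, z0, z_load, length_m, eps_r):
    """Amplitude and arrival time of the first reflection seen at the sending end."""
    round_trip_s = 2.0 * length_m / (C0 * velocity_factor(eps_r))
    return {
        "reflected_volts": step_volts * reflection_coefficient(z_load, z0),
        "round_trip_ns": round_trip_s * 1e9,
    }


if __name__ == "__main__":
    z0 = coax_impedance(0.9, 3.19, 2.3)  # constructed: ~50 ohm polyethylene coax
    print(f"Z0 = {z0:.1f} ohm, 9 V step draws {launch_current(9.0, z0):.3f} A")
    for name, load in (("open", None), ("short", 0.0), ("matched", z0), ("100 ohm", 100.0)):
        e = echo(9.0, z0, load, 100.0, 2.3)
        print(f"{name:8s} reflection {e['reflected_volts']:+6.2f} V "
              f"after {e['round_trip_ns']:.0f} ns")
```

The matched case returns zero, which is exactly why the video spends so long swapping termination resistors: the one that produces no echo is the one equal to Z0.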

If you’ve got 23 minutes to spare, and are curious about transmission lines or just enjoy the soothing voice of a trained radio announcer reading out values of various termination resistors, this old gem is just the ticket. Enjoy!


A Geek’s Revenge For Loud Neighbors

It seems [Kevin] has particularly bad luck with neighbors. His first apartment had upstairs neighbors who were apparently a dance troupe specializing in tap. His second apartment was a town house, which had a TV mounted on the opposite wall blaring American Idol with someone singing along very loudly. The people next to [Kevin]’s third apartment liked music, usually with a lot of bass, and frequently at seven in the morning. This happened every day until [Kevin] found a solution (Patreon, but only people who have adblock disabled may complain).

In a hangover-induced rage that began with thumping bass at 7AM on a Sunday, [Kevin] tore through his box of electronic scrap for every capacitor and inductor in his collection. An EMP was the only way to find any amount of peace in his life, and the electronics in his own apartment would be sacrificed for the greater good. In his fury, [Kevin] saw a Yaesu handheld radio sitting on his desk. Maybe, just maybe, if he pressed the transmit button on the right frequency, the speakers would click. The results turned out even better than expected.

With a car mount antenna pointed directly at the neighbor’s stereo, [Kevin] could transmit on a specific, obscure frequency and silence the speakers. How? At seven in the morning on a Sunday, you don’t ask questions. That’s a matter for when you tell everyone on the Internet.

Needless to say, using a radio to kill your neighbor’s electronics is illegal, and it might be a good idea for [Kevin] to take any references to this escapade off of the Internet. It would be an even better idea to not put his call sign online in the future.

That said, this is a wonderful tale of revenge. It’s not an uncommon occurrence, either. Wikihow, Yahoo Answers and Quora – the web pages ‘normies’ use for the questions troubling their soul – are sometimes unbelievably literate when it comes to unintentional electromagnetic interference, and some of the answers correctly point out grounding a stereo and putting a few ferrite beads on the speaker cables is the way to go. Getting this answer relies entirely on asking the right question, something I suspect 90% of the population is completely incapable of doing.

While [Kevin]’s tale is a grin-inducing two-minute read, you shouldn’t, under any circumstances, do anything like this. Polluting the airwaves is much worse than polluting your neighbor’s eardrums; one of them violates municipal noise codes and the other is breaking federal law. It’s a good story, but don’t do it yourself.

Editor’s Note: Soon after publishing our article [Kevin] took down his post and sent us an email. He realized that what he had done wasn’t a good idea. People make mistakes and sometimes do things without thinking. But talking about why this was a bad idea is one way to help educate more people about responsible behavior. Knowing you shouldn’t do something even though you know how is one paving stone on the path to wisdom.
–Mike Szczys

Hacking the Internet of Things: Decoding LoRa

Getting software-defined radio (SDR) tools into the hands of the community has been great for the development and decoding of previously-cryptic, if not encrypted, radio signals the world over. As soon as there’s a new protocol or modulation method, it’s in everyone’s sights. A lot of people have been working on LoRa, and [bertrik] at RevSpace in The Hague has done some work of his own, and put together an amazing summary of the state of the art.

LoRa is a new(ish) modulation scheme for low-power radios. It’s patented, so there’s some information about it available. But it’s also proprietary, meaning that you need a license to produce a radio that uses the encoding. In keeping with today’s buzzwords, LoRa is marketed as a wide area network for the internet of things. HopeRF makes a LoRa module that’s fairly affordable, and naturally [bertrik] has already written an Arduino library for using it.

So with a LoRa radio in hand, and a $15 RTL-SDR dongle connected to a laptop, [bertrik] got some captures, converted the FM-modulated chirps down to audio, and did a bunch of hand analysis. He confirmed that an existing plugin for sdrangelove did (mostly) what it should, and he wrote it all up, complete with a fantastic set of links.
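The chirps [bertrik] was looking at are the core of LoRa’s chirp spread spectrum: each symbol is the base up-chirp cyclically shifted by the symbol value, and a receiver recovers the value by multiplying with the conjugate base chirp (dechirping) and finding the resulting tone. The following is an added textbook model of that one step, written for this post; it is not [bertrik]’s code, not the sdrangelove plugin, and it deliberately leaves out everything else in the real PHY (preamble, header, whitening, interleaving, forward error correction). The spreading factor, symbols and noise level are constructed test values.

```python
import cmath
import math
import random

# Added example: minimal LoRa-style chirp spread spectrum modulator/demodulator.
# Sampled once per chip, so a symbol of spreading factor SF is 2**SF samples.


def base_chirp(sf):
    """One symbol of the up-chirp; instantaneous frequency sweeps 0 -> bandwidth."""
    n = 1 << sf
    return [cmath.exp(1j * math.pi * i * i / n) for i in range(n)]


def modulate(symbol, sf):
    """Symbol value = cyclic shift of the base chirp, in chips."""
    chirp = base_chirp(sf)
    n = len(chirp)
    return [chirp[(i + symbol) % n] for i in range(n)]


def demodulate(samples, sf):
    """Dechirp (multiply by the conjugate base chirp) so the shift collapses to a
    single tone, then return the strongest DFT bin, which is the symbol value."""
    chirp = base_chirp(sf)
    n = len(chirp)
    dechirped = [s * c.conjugate() for s, c in zip(samples, chirp)]
    best_bin, best_mag = 0, -1.0
    for k in range(n):
        acc = sum(d * cmath.exp(-2j * math.pi * k * i / n)
                  for i, d in enumerate(dechirped))
        if abs(acc) > best_mag:
            best_bin, best_mag = k, abs(acc)
    return best_bin


def add_noise(samples, sigma, seed=1):
    """Constructed additive white Gaussian noise with a fixed seed."""
    rng = random.Random(seed)
    return [s + complex(rng.gauss(0.0, sigma), rng.gauss(0.0, sigma)) for s in samples]


def roundtrip(symbols, sf=7, sigma=0.5):
    """Modulate, add noise, demodulate; returns the recovered symbol list."""
    return [demodulate(add_noise(modulate(s, sf), sigma, seed=i), sf)
            for i, s in enumerate(symbols)]


if __name__ == "__main__":
    sent = [0, 1, 42, 127]
    print("sent     ", sent)
    print("recovered", roundtrip(sent))
```

With SF7 the symbol is 128 chips, the dechirped tone integrates to an amplitude of 128 in its bin while the noise contributes only around 8, which is the processing gain that lets LoRa work well below the noise floor and is also why the chirps are so easy to spot on an RTL-SDR waterfall.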

There’s more work to be done, so if you’re interested in hacking on LoRa, or just having a look under the hood of this new modulation scheme, you’ve now got a great starting place.

Shmoocon 2016: Reverse Engineering Cheap Chinese Radio Firmware

Every once in a great while, a piece of radio gear catches the attention of a prolific hardware guru and is reverse engineered. A few years ago, it was the RTL-SDR, and since then, software defined radios became the next big thing. Last weekend at Shmoocon, [Travis Goodspeed] presented his reverse engineering of the Tytera MD380 digital handheld radio. The hack has since been published in PoC||GTFO 0x10 (56MB PDF, mirrored) with all the gory details that turn a $140 radio into the first hardware scanner for digital mobile radio.

The Tytera MD-380 digital radio

The Tytera MD380 is a fairly basic radio with two main chips: an STM32F405 with a megabyte of Flash and 192k of RAM, and an HR C5000 baseband. The STM32 has both JTAG and a ROM bootloader, but both of these are protected by the Read-out Protection (RDP). Getting around the RDP is the very definition of a jailbreak, and thanks to a few forgetful or lazy Chinese engineers, it is most certainly possible.

The STM32 in the radio implements a USB Device Firmware Upgrade (DFU), probably because of some example code from ST. Dumping the memory from the standard DFU protocol just repeated the same binary string, but with a little bit of coaxing and investigating the terrible Windows-only official client application, [Travis] was able to find non-standard DFU commands, write a custom DFU client, and read and write the ‘codeplug’, an SPI Flash chip that stores radio settings, frequencies, and talk groups.

Further efforts to dump all the firmware on the radio were a success, and with that began the actual reverse engineering of the radio. It runs an ARM port of MicroC/OS-II, a real-time embedded operating system. Because this OS is very well documented, new functions and patches can be written with only slightly more effort.

In Digital Mobile Radio, audio is sent through either a public talk group or a private contact. The radio is usually set to only one talk group, and so it’s not really possible to listen in on other talk groups without changing settings. A patch for promiscuous mode – a mode that puts all talk groups through the speaker – is just setting one JNE in the firmware to a NOP.

The Tytera MD-380 ships with a terrible Windows app used for programming the radio

With the help of [DD4CR] and [W7PCH], the entire radio has been reverse engineered with rewritten firmware that works with the official tools, the first attempts of scratch-built firmware built around FreeRTOS, and the beginnings of a very active development community for a $140 radio. [Travis] is looking for people who can add support for P25, D-Star, System Fusion, a proper scanner, or the ability to send and receive DMR frames over USB. All these things are possible, making this one of the most exciting radio hacks in recent memory.

Before [Travis] presented this hack at the Shmoocon fire talks, intuition guided me to look up this radio on Amazon. It was $140 with Prime, and the top vendor had 18 in stock. Immediately after the talk – 20 minutes later – the same vendor had 14 in stock. [Travis] sold four radios to members of the audience, and there weren’t that many people in attendance. Two hours later, the same vendor had four in stock. If you’re looking for the best hardware hack of the con, this is the one.

Decoding data hiding in Star Trek IV

1986: The US and Russia signed arms agreements, Argentina won the world cup, and Star Trek IV: The Voyage Home hit the theaters. Trekkies and the general public alike enjoyed the film. Some astute hams though, noticed a strange phenomenon about halfway through the film. During a pivotal scene, Scotty attempts to beam Chekov and Uhura off the Enterprise, but has trouble with interference. The interference can be heard over the ubiquitous Star Trek comm link. To many it may sound like random radio noise. To the trained ear of [Harold Price, NK6K] though, it sounded a heck of a lot like packet radio transmissions.

By 1989, the film was out on VHS and laser disc. With high quality audio available, [Harold] challenged his friend [Bob McGwier, N4HY] to decode the signal. [Bob] used the best computer he had available: His brain. He also had a bit of help from a Cray 2 supercomputer.

[Bob] didn’t own his own Cray 2 of course, this particular computer was property of the National Security Agency (NSA). He received permission to test Frequency Shift Keyed (FSK) decoder algorithms. Can you guess what his test dataset was?

The signal required a lot of cleanup: The original receiver was tuned 900 Hz below the transmission frequency. There also was a ton of noise. To make matters worse, Scotty kept speaking over the audio. Thankfully, AX.25 is a forgiving protocol. [Bob] persevered and was able to obtain some usable data. The signal turned out to be [Bill Harrigill, WA8ZCN] sending a Receive Ready (RR) packet to N6AEZ on 20 meters. An RR packet indicates that [Bill’s] station had received all previous packets and was ready for more. [Bob] called [Bill], who was able to verify that it was probably him transmitting in 1985 or 1986, around the time the sound editors would have been looking for effects.
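Once the bits were recovered, what [Bob] was holding was a short AX.25 supervisory frame: two 7-byte address fields, one control byte and a two-byte FCS. The following added example (not from [Bob]’s work, and not a decoder for the film audio) builds such an RR frame from WA8ZCN to N6AEZ and parses it back, so you can see what the RR control byte and the address encoding look like on the wire. The callsigns come from the article; the sequence number N(R)=3 and the corrupted-frame test are constructed. The FCS is the standard CRC-16/X.25 used by AX.25, appended low byte first as software TNCs do.

```python
import struct

# Added example: build and parse an AX.25 supervisory (S) frame.
# S-frame control byte:  N(R) in bits 7-5, P/F in bit 4, S type in bits 3-2, 01 in bits 1-0.
S_FRAME_TYPES = {0: "RR", 1: "RNR", 2: "REJ", 3: "SREJ"}


def crc16_x25(data):
    """CRC-16/X.25 (the AX.25 FCS): reflected poly 0x8408, init 0xFFFF, xor-out 0xFFFF."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0x8408 if crc & 1 else crc >> 1
    return crc ^ 0xFFFF


def encode_address(callsign, ssid=0, last=False):
    """7-byte address: six ASCII characters (space padded) shifted left one bit,
    then the SSID byte. Bit 0 of the SSID byte marks the end of the address field."""
    field = bytes(ch << 1 for ch in callsign.ljust(6).encode("ascii"))
    ssid_byte = 0x60 | ((ssid & 0x0F) << 1) | (1 if last else 0)
    return field + bytes([ssid_byte])


def decode_address(field):
    callsign = bytes(b >> 1 for b in field[:6]).decode("ascii").strip()
    return callsign, (field[6] >> 1) & 0x0F, bool(field[6] & 0x01)


def build_rr_frame(dest, src, nr, poll=False):
    """Receive Ready: 'I have everything up to N(R)-1, send me more.'"""
    control = ((nr & 0x07) << 5) | (int(poll) << 4) | 0x01
    body = encode_address(dest) + encode_address(src, last=True) + bytes([control])
    return body + struct.pack("<H", crc16_x25(body))


def decode_frame(frame):
    """Parse addresses, classify the control field and verify the FCS."""
    if len(frame) < 17:  # two addresses + control + FCS is the minimum
        raise ValueError("frame too short for AX.25")
    body, fcs = frame[:-2], struct.unpack("<H", frame[-2:])[0]
    addrs, pos = [], 0
    while True:
        if pos + 7 > len(body):
            raise ValueError("address field never terminated")
        call, ssid, last = decode_address(body[pos:pos + 7])
        addrs.append(f"{call}-{ssid}" if ssid else call)
        pos += 7
        if last:
            break
    control = body[pos]
    if control & 0x01 == 0:
        kind, nr = "I", control >> 5
    elif control & 0x03 == 0x01:
        kind, nr = S_FRAME_TYPES[(control >> 2) & 0x03], control >> 5
    else:
        kind, nr = "U", None  # unnumbered frames carry no N(R)
    return {"dest": addrs[0], "src": addrs[1], "digipeaters": addrs[2:],
            "type": kind, "nr": nr, "poll_final": bool(control & 0x10),
            "fcs_ok": fcs == crc16_x25(body)}


if __name__ == "__main__":
    frame = build_rr_frame("N6AEZ", "WA8ZCN", nr=3)
    print(frame.hex(" "))
    print(decode_frame(frame))
```

The "forgiving" part [Bob] relied on is visible here: an S-frame has no payload, so a 17-byte frame with a recognisable address pattern is about the smallest, most redundant thing AX.25 ever puts on the air, and even with the FCS failing on a noisy copy the shifted-ASCII callsigns are still readable.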

That’s a pretty amazing accomplishment, especially considering it was 1989. Today, we carry supercomputers around in our pockets. The Cray 2 is roughly equivalent to an iPhone 4 in processing power. Modern laptop and desktop machines easily outclass Seymour Cray’s machine. We also have software like GNU Radio, which is designed to decode data. Our challenge to you, the best readers in the world, is to replicate [Bob McGwier’s] work, and share your results.