Hacking the Internet of Things: Decoding LoRa

Getting software-defined radio (SDR) tools into the hands of the community has been great for the development and decoding of previously-cryptic, if not encrypted, radio signals the world over. As soon as there’s a new protocol or modulation method, it’s in everyone’s sights. A lot of people have been working on LoRa, and [bertrik] at RevSpace in The Hague has done some work of his own, and put together an amazing summary of the state of the art.

LoRa is a new(ish) modulation scheme for low-power radios. It’s patented, so there’s some information about it available. But it’s also proprietary, meaning that you need a license to produce a radio that uses the encoding. In keeping with today’s buzzwords, LoRa is marketed as a wide area network for the internet of things. HopeRF makes a LoRa module that’s fairly affordable, and naturally [bertrik] has already written an Arduino library for using it.

So with a LoRa radio in hand, and a $15 RTL-SDR dongle connected to a laptop, [bertrik] got some captures, converted the FM-modulated chirps down to audio, and did a bunch of hand analysis. He confirmed that an existing plugins for sdrangelove did (mostly) what they should, and he wrote it all up, complete with a fantastic set of links.

There’s more work to be done, so if you’re interested in hacking on LoRa, or just having a look under the hood of this new modulation scheme, you’ve now got a great starting place.

SDR Pan Adapter

Ham radio operators have a long history of using pan adapters to visualize an entire range of the radio spectrum. Traditionally, an adapter was essentially a spectrum analyzer that shows a trace where the X-axis is the frequency, and the Y-axis shows the signal strength at any particular frequency. You can quickly find either busy frequencies or empty frequencies at a glance.

Although the pan adapter has been around since the 1930’s, they aren’t as common as you’d think with regular analog radios. However, if you’ve used an SDR (Software Defined Radio), a spectrum display is par for the course. [Mehdi Asgari] did what a lot of hams have been doing lately: he married an SDR and his traditional receiver to provide a great pan adapter with very little effort.

Continue reading “SDR Pan Adapter”

Low Parts Count ARM SDR

[Alberto di Bene] wanted to build an SDR for relatively low frequencies. Usually, you’d start with some front end to get the radio frequency signal down where you can work with it. But [Alberto] practically just fed an antenna into an STM32F429 Discovery board and did all the radio processing in the onboard ARM chip.

There is a little more to it than that, but only a little. If you open the PDF file on [Alberto’s] site, you’ll see there is a simple front end filter (a transformer, along with a few capacitors and inductors). This low pass filter prevents high frequencies from reaching the ARM processor’s analog to digital converter. In addition, a capacitor and a couple of resistors ensure the converter only sees positive voltages.

The CPU digitizes the incoming signal and processes it, demodulating several different types of radio transmission. The recovered audio is sent through the onboard digital to analog converter.

In addition to an input filter, the output also needs a filter to prevent high frequencies from reaching the speaker. Unlike the input filter, this one is a bit more complicated. The inductors needed for a passive filter were too large to be practical, so the output filter is an active one with a few transistors. The only other external circuitry is the power supply for the Discovery board.

The document does a great job of explaining the rationale behind the design choices and how the whole system works. It also includes simulations of both analog and digital filters used in the design.

This is really bare metal SDR and reading the code is educational. However, if you want to start with something simpler, consider GNU Radio and either an SDRPlay or a cheap RTL-SDR dongle.

 

Your First GNU Radio Receiver with SDRPlay

Although GRC (the GNU Radio Companion) uses the word radio, it is really a graphical tool for building DSP applications. In the last post, I showed you how you could experiment with it just by using a sound card (or even less). However, who can resist the lure of building an actual radio by dragging blocks around on a computer screen?

For this post and the accompanying video, I used an SDRPlay. This little black box has an antenna jack on one end and a USB port on the other. You can ask it to give you data about a certain area of the RF spectrum and it will send complex (IQ) data out in a form that GRC (or other DSP tools) can process.

The SDRPlay is a great deal (about $150) but if you don’t want to invest in one there are other options. Some are about the same price (like the HackRF or AirSpy) and have different features. However, you can also use cheap TV dongles, with some limitations. The repurposed dongles are not as sensitive and won’t work at lower frequencies without some external help. On the other hand, they are dirt cheap, so you can overlook a few little wrinkles. You just can’t expect the performance you’ll get out of a more expensive SDR box. Some people add amplifiers and converters to overcome these problems, but at some point it would be more cost effective to just spring for a more expensive converter.

Continue reading “Your First GNU Radio Receiver with SDRPlay”

Getting Started with GNU Radio

Software Defined Radio (SDR)–the ability to process radio signals using software instead of electronics–is undeniably fascinating. However, there is a big gap from being able to use off-the-shelf SDR software and writing your own. After all, SDRs require lots of digital signal processing (DSP) at high speeds.

Not many people could build a modern PC from scratch, but nearly anyone can get a motherboard, some I/O cards, a power supply, and a case and put together a custom system. That’s the idea behind GNU Radio and SDR. GNU Radio provides a wealth of Python functions that you can use to create sophisticated SDR application (or, indeed, any DSP application).

If Python is still not up your alley (or even if it is), there’s an even easier way to use GNU Radio: The GNU Radio Companion (GRC). This is a mostly graphical approach, allowing you to thread together modules graphically and build simple GUIs to control you new radio.

Even though you usually think of GRC as being about radios, it is actually a good framework for building any kind of DSP application, and that’s what I’ll show you in the video below. GRC has a signal generator block and interfaces to your sound card. It even has the ability to read and write data to the file system, so you can use it to do many DSP applications or simulations with no additional hardware.

UPDATE: Don’t miss the follow-up post that uses SDRPlay to build a GNU Radio based receiver.

Continue reading “Getting Started with GNU Radio”

RPiTX Turns Rasberry Pi into Versatile Radio Transmitter

Since the discovery that some USB TV tuner dongles could be used to monitor radio waves across a huge amount of spectrum, the software-defined radio world has exploded with interest. The one limiting factor, though, has been that the dongles can only receive signals; they can’t transmit them. [Evariste Okcestbon, F5OEO] (if that is his real name! Ok c’est bon = Ok this is good) has written some software that will get you transmitting using SDR with only a Raspberry Pi and a wire.

There have been projects in the past that use a Pi to broadcast radio (PiFM), but this new software (RPiTX) takes it a couple steps further. Using just an appropriately-sized wire connected to one of the GPIO pins, the Raspberry Pi is capable of broadcasting using FM, AM, SSB, SSTV, or FSQ signals. This greatly increases the potential of this simple computer-turned-transmitter and anyone should be able to get a lot of use out of it. In the video demo below the break, [Evariste] records a wireless doorbell signal and then re-transmits it using just the Rasbperry Pi.

The RPiTX code is available on GitHub if you want to try it out. And it should go without saying that you will most likely need an amateur radio license of some sort to use most of these features, depending on your locale. If you don’t have a ham radio license yet, you don’t need one to listen if you want to get started in the world of SDR. But a ham license isn’t hard to get and at this point it shouldn’t take much convincing for you to get transmitting.

Continue reading “RPiTX Turns Rasberry Pi into Versatile Radio Transmitter”

How To Control Siri Through Headphone Wires

Last week saw the revelation that you can control Siri and Google Now from a distance, using high power transmitters and software defined radios. Is this a risk? No, it’s security theatre, the fine art of performing an impractical technical achievement while disclosing these technical vulnerabilities to the media to pad a CV. Like most security vulnerabilities it is very, very cool and enough details have surfaced that this build can be replicated.

The original research paper, published by researchers [Chaouki Kasmi] and [Jose Lopes Esteves] attacks the latest and greatest thing to come to smartphones, voice commands. iPhones and Androids and Windows Phones come with Siri and Google Now and Cortana, and all of these voice services can place phone calls, post something to social media, or launch an application. The trick to this hack is sending audio to the microphone without being heard.

googleThe ubiquitous Apple earbuds have a single wire for a microphone input, and this is the attack vector used by the researchers. With a 50 Watt VHF power amplifier (available for under $100, if you know where to look), a software defined radio with Tx capability ($300), and a highly directional antenna (free clothes hangers with your dry cleaning), a specially crafted radio message can be transmitted to the headphone wire, picked up through the audio in of the phone, and understood by Siri, Cortana, or Google Now.

There is of course a difference between a security vulnerability and a practical and safe security vulnerability. Yes, for under $400 and the right know-how, anyone could perform this technological feat on any cell phone. This feat comes at the cost of discovery; because of the way the earbud cable is arranged, the most efficient frequency varies between 80 and 108 MHz. This means a successful attack would sweep through the band at various frequencies; not exactly precision work. The power required for this attack is also intense – about 25-30 V/m, about the limit for human safety. But in the world of security theatre, someone with a backpack, carrying around a long Yagi antenna, pointing it at people, and having FM radios cut out is expected.

Of course, the countermeasures to this attack are simple: don’t use Siri or Google Now. Leaving Siri enabled on a lock screen is a security risk, and most Androids disable Google Now on the lock screen by default. Of course, any decent set of headphones would have shielding in the cable, making inducing a current in the microphone wire even harder. The researchers are at the limits of what is acceptable for human safety with the stock Apple earbuds. Anything more would be seriously, seriously dumb.