Shmoocon 2017: Software Defined Radio for Terahertz Frequencies

Before Bluetooth, before the Internet of Things, and before network-connected everything, infrared was king. In the 90s, personal organizers, keyboards, Furbys, and critical infrastructure was built on infrared. Some of these devices are still around, hiding in plain sight. This means there’s a lot of opportunities for some very fun exploits. This was the focus of [Mike Ossmann] and [Dominic Spill]’s talk at this year’s Shmoocon, Exploring The Infrared World. What’s the hook? Using software-defined radio with terahertz frequencies.

irtra
[Dominic]’s infrared detector
Infrared communication hasn’t improved since the days of IrDA ports on laptops, and this means the hardware required to talk to these devices is exceptionally simple. The only thing you need is an IR phototransistor and a 4.7k resistor. This is enough to read signals, but overkill is the name of the game here leading to the development of the Gladiolus GreatFET neighbor. This add-on board for the GreatFET is effectively a software defined IR transceiver capable of playing with IrDA, 20 to 60 kHz IR remote control systems, and other less wholesome applications.

Demos are a necessity, but the world seems to have passed over IR in the last decade. That doesn’t mean there still aren’t interesting targets. A week before Shmoocon, [Mike Ossmann] put out the call on Twitter for a traffic light and the associated hardware. Yes, police cars and ambulances use infrared signaling to turn traffic lights green. You shouldn’t. You can, but you shouldn’t.

What was the takeaway from this talk? IR still exists, apparently. Yes, you can use it to send documents directly from your PalmPilot to a laser printer without any wires whatsoever. One of the more interesting applications for IR is an in-car wireless headphone unit that sends something almost, but not quite, like pulse coded audio over infrared. The demo that drew the most applause was an infrared device that changed traffic lights to green. The information to do that is freely available on the web, but you seriously don’t want to attempt that in the wild.

Shmoocon 2017: A Simple Tool For Reverse Engineering RF

Anyone can hack a radio, but that doesn’t mean it’s easy: there’s a lot of mechanics that go into formatting a signal before you can decode the ones and zeros.

At his Shmoocon talk, [Paul Clark] introduced a great new tool for RF Reverse Engineering. It’s called WaveConverter, and it is possibly the single most interesting tool we’ve seen in radio in a long time.

If you wanted to hack an RF system — read the data from a tire pressure monitor, a car’s key fob, a garage door opener, or a signal from a home security system’s sensor — you’ll be doing the same thing for each attack. The first is to capture the signal, probably with a software defined radio. Take this data into GNU Radio, and you’ll have to figure out the modulation, the framing, the encoding, extract the data, and finally figure out what the ones and zeros mean. Only that last part, figuring out what the ones and zeros actually do, is the real hack. Everything before that is just a highly advanced form of data entry and manipulation.

[Paul]’s WaveConverter is the tool built for this data manipulation. Take WaveConverter, input an IQ file of the relevant radio sample you’d like to reverse engineer, and you have all the tools to turn a radio signal into ones and zeros at your disposal. Everything from determining the preamble of a signal, figuring out the encoding, to determining CRC checksums is right there.

All of this is great for reverse engineering a single radio protocol, but it gets even better. Once you’re able to decode a signal in WaveConverter, it’s set up to decode every other signal from that device. You can save your settings, too, which means this might be the beginnings of an open source library of protocol analyzers. If someone on the Internet has already decoded the signals from the keyfob of a 1995 Ford Taurus, they could share those settings to allow you to decode the same keyfob. This is the very beginnings of something very, very cool.

The Github repo for WaveConverter includes a few sample IQ files, and you can try it out for yourself right now. [Paul] admits there are a few problems with the app, but most of those are UI changes he has in mind. If you know your way around programming GUIs, [Paul] would appreciate your input.

Shmoocon 2017: So You Want To Hack RF

Far too much stuff is wireless these days. Home security systems have dozens of radios for door and window sensors, thermostats aren’t just a wire to the furnace anymore, and we are annoyed when we can’t start our cars from across a parking lot. This is a golden era for anyone who wants to hack RF. This year at Shmoocon, [Marc Newlin] and [Matt Knight] of Bastille Networks gave an overview of how to get into hacking RF. These are guys who know a few things about hacking RF; [Marc] is responsible for MouseJack and KeySniffer, and [Matt] reverse engineered the LoRa PHY.

In their talk, [Marc] and [Matt] outlined five steps to reverse engineering any RF signal. First, characterize the channel. Determine the modulation. Determine the symbol rate. Synchronize a receiver against the data. Finally, extract the symbols, or get the ones and zeros out of the analog soup.

From [Marc] and [Matt]’s experience, most of this process doesn’t require a radio, software or otherwise. Open source intelligence or information from regulatory databases can be a treasure trove of information regarding the operating frequency of the device, the modulation, and even the bit rate. The pertinent example from the talk was the FCC ID for a Z-wave module. A simple search revealed the frequency of the device. Since the stated symbol rate was twice the stated data rate, the device obviously used Manchester encoding. These sorts of insights become obvious once you know what you’re looking for.

In their demo, [Marc] and [Matt] went through the entire process of firing up GNU Radio, running a Z-wave decoder and receiving Z-wave frames. All of this was done with a minimum of hardware and required zero understanding of what radio actually is, imaginary numbers, or anything else a ham license will hopefully teach you. It’s a great introduction to RF hacking, and shows anyone how to do it.

Portable Classroom Upgrade: Smaller, Cheaper, Faster

[Eric] at MkMe Lab has a dream: to build a cheap, portable system that provides the electronic infrastructure needed to educate kids anywhere in the world. He’s been working on the system for quite a while, and has recently managed to shrink the suitcase-sized system down to a cheaper, smaller form-factor.

The last time we discussed [Eric]’s EduCase project was as part of his Hackaday Prize 2016 entry. There was a lot of skepticism from our readers on the goals of the project, but whatever you think of [Eric]’s motivation, the fact remains that the build is pretty cool. The previous version of the EduCase relied on a Ku-band downlink to receive content from Outernet, and as such needed to stuff a large antenna into the box. That dictated a case in the carry-on luggage size range. The current EduCase is a much slimmed-down affair that relies on an L-band link from the Inmarsat satellites, with a much smaller patch antenna. A low-noise amp and SDR receiver complete the downlink, and a Raspberry Pi provides the UI. [Eric]’s build is just a prototype at this point, but we’re looking forward to seeing everything stuffed into that small Pelican case.

Yes, Outernet is curated content, and so it’s not at all the same experience as the web. But for the right use case, this little package might just do the job. And with a BOM that rings up at $100, the price is right for experimenting.

Continue reading “Portable Classroom Upgrade: Smaller, Cheaper, Faster”

Five-Watt SDR Transceiver for Hams

The availability of cheap SDR hardware created a flourishing ecosystem for SDR software, but a lot of the hardware driving the revolution was still “cheap”. In the last few years, we’ve seen quality gear replacing the TV dongles in many setups, and down-converters designed for them to allow them to work on the ham bands.

But something that’s purpose-built might be a better option if ham radio, particularly the shortwave portion thereof, is your goal. First off, you might want to transmit, which none of the TV dongles allow. Then, you might want a bit of power. Finally, if you’re serious about short-wave, you care more about the audio quality than you do immense bandwidth, so you’re going to want some good filters on the receiving end to help you pull the signal out of all the noise.

rs-hfiq_block_diagram_featuredThe RS-HFIQ 5 W SDR transceiver might be for you. It’s up on Kickstarter right now, and it’s worth looking at if you want a fully open source (schematics, firmware, and software) shortwave SDR rig. It’s also compatible with various open frontends.

The single-board radio isn’t really a full SDR in our mind — it demodulates the radio signal and sends a 96 kHz IQ signal across to your computer’s soundcard where it gets sampled and fully decoded. The advantage of this is that purpose-built audio rate DACs have comparatively high resolution for the money, but the disadvantage is that you’re limited to 96 kHz of spectrum into the computer. That’s great for voice and code transmissions, but won’t cut it for high-bandwidth data or frequency hopping applications. But that’s a reasonable design tradeoff for a shortwave.

Still, an SDR like this is a far cry from how simple a shortwave radio can be. But if you’re looking to build up your own SDR-based shortwave setup, and you’d like to hack on the controls more than on the radio itself, this looks like a good start.

Cache Shortwave Signals for Later with this SDR Spectrum Grabber

Shortwave listening has always been a mainly nocturnal hobby. To get the real DX, one had to wait for favorable ionospheric conditions after sunset and spend hours twisting knobs while straining to pick voices from half a planet away out of the noise. But who has time for that in today’s world? And what of the poor city-dwelling SWL, with antenna limitations and often elevated noise floor in the urban jungle?
Continue reading “Cache Shortwave Signals for Later with this SDR Spectrum Grabber”

Building A LoRa PHY With SDR

The Internet of Things is terrible when it’s your toaster. The real fun happens when you have hundreds or thousands of sensors sending data back to a base station every day. That requires low power, and that means LPWAN, the Low Power Wide Area Network.

There are a lot of options for LPWAN, but few are a perfect fit. LoRa is one of the rare exceptions, offering years of operation on a single AA cell, and range measured in miles. Layers two and three of LoRa are available as public documentation, but until now layer one has been patented and proprietary. At the GNU Radio Conference, [Matt Knight] gave a talk on reverse engineering the LoRa PHY with a software defined radio. Now, LoRa is open to everyone, and anyone can decode the chirps transmitted from these tiny, low power devices.

Continue reading “Building A LoRa PHY With SDR”