The Booths Of Hamvention

Hamvention was last weekend in Dayton, Ohio. Last weekend was also the Bay Area Maker Faire, and if you want tens of thousands of people who actually make stuff there’s really only one place to be. Bonus: you can also check out the US Air Force Museum at Wright-Patterson AFB. The ‘Space’ hangar was closed, so that’ll be another trip next year.

The biggest draw for Hamvention is the swap meet. Every year, thousands of cars pull up, set up a few tables and tents, and hawk their wares. Everything from radios from the 1920s to computers from the 1980s can be found at the swap meet. This post is not about the swap meet; I still have several hundred pictures to go through, organize, label, and upload. Instead, this post is about the booths of Hamvention. Everything imaginable could be found at Hamvention, from the usual ARRL folks, to the preppers selling expired MREs, and even a few heroes of Open Hardware.

SatNOGS

The elevation axis of a SatNOGS ground station

In 2014, Hackaday did something spectacular. We launched The Hackaday Prize, and gave everyone the opportunity to build Open Hardware with the chance to get paid for the same. The first grand prize winner of the Hackaday Prize was SatNOGS, a global network of satellite ground stations.

SatNOGS was founded after the realization that there are hundreds of cubesats and other amateur satellites being dumped into Low Earth Orbit. Most of these cubesats are from universities, with a few from high schools around the world. Getting data from these satellites requires a ground station, and if each cubesat only has one ground station, that satellite is only usable for a few minutes each day when it passes over home base.

SatNOGS is the solution to this problem. It’s a relatively simple device – just a few antennas mounted to a motorized platform, and connected to the Internet with a Raspberry Pi or BeagleBone. By connecting antennas around the globe to the Internet, the SatNOGS team can schedule observations for each individual ground station. This means more data and better science for every amateur cubesat.

While most of the SatNOGS team is busy with the Libre Space Foundation, the not-for-profit founded with Hackaday Prize money, there was enough cash to send a few SatNOGS enthusiasts out to Hamvention. [Corey], aka KB9JHU, from Bloomington, Indiana and SatNOGS station number two brought the team out. He’s been running his station for a while, and there are a few takeaways from his experiences in operating a 3D printed, robotic antenna for a few years. Printing parts in PLA works, surprisingly. There really isn’t much degradation of the 3D printed gears. Weatherproofing is relatively easy, but bug-proofing is not. There was talk of bees before I phased out of the conversation after realizing I don’t know if I’m allergic to bees. There are more SatNOGS stations coming online, and there should be reasonable coverage over most population centers by the time the Libre Space Foundation puts their satellite into orbit.

SDR Wizardry From Colorado

Electronic wizard and SDR hipster [Michael Ossmann] was at Hamvention, showing off the latest of his SDR goodies.

The PortaPack for the HackRF One

[Ossmann] is famous around these parts for the HackRF One, a software defined radio that’s good from 1 MHz to 6 GHz. Everything you could ever want is in this band, and the HackRF One transmits, too. He and his buddies were showing off the PortaPack, a ‘shield’, for lack of a better term, for the HackRF One that allows for portable control of the SDR. It’s a display, an old iPod scroll wheel thingy, and a shell to protect everything.

Sometimes you don’t need a good SDR that goes all the way into GHz territory, and for that [Ossmann] has the YARD Stick One. It’s a sub-1 GHz transceiver based on the same radio circuit as the IM-Me. For the booth demo, the Great Scott Gadgets crew connected a bicycle pump to an MDF box with an acrylic lid. Pop in a tire pressure monitor, and you have an excellent demo for receiving sub-GHz wireless transmissions.

$25 Satellite Tracker Boasts “Usefulness Optional”

[Paul] is very up-front about the realities of his $25 Satellite Tracker, which aims a tape measure yagi antenna at a satellite of choice and keeps it tracking the satellite as it moves overhead. Does it work? Yes! Is it cheap? Of course! Is it useful? Well… did we mention it works and it’s cheap?

When [Paul] found himself wanting to see how cheaply he could make a satellite tracker he already had an RTL-SDR (which we have seen used for satellite communication before) and a yagi antenna made out of a tape measure, but wanted some way to automatically point the antenna at a satellite as it moved across the sky. He also wanted to see just how economically it could be done. Turns out that with some parts from China and code from SatNOGS (open-source satellite tracking network project and winner of the 2014 Hackaday Prize) you have most of what you need! A few modifications were still needed, and [Paul] describes them all in detail.

So is a $25 Satellite Tracker useful? As [Paul] says, “Probably not.” He explains, “Most people want satellite trackers so that they can put them outside and then control the antenna from inside, which someone probably can’t do with mine unless they live in a really nice place or build a radome. […] Driving somewhere, setting it up correctly (which involves reprogramming the Arduino for every satellite), and then sitting around is pretty much the opposite of useful.”

It might not be the most practical but it works, it’s cool, he learned a lot, and he wrote up the entire process for others to learn from or duplicate. If that’s not useful, we don’t know what is.

Satellite tracking is the focus of some interesting projects. We’ve even seen a project that points out satellite positions by shining a laser into the sky.

Software Defined Radio App Store

Software defined radios (SDRs) can–in theory–do almost anything you need a radio to do. Voice? Data? Frequency hopping? Trunking? No problem, you just write the correct software, and you are in.

That’s the problem, though. You need to know how to write the software. LimeSDR is an open source SDR with a crowdfunding campaign. By itself, that’s not anything special. There are plenty of SDR devices available. What makes LimeSDR interesting is that it is using Snappy Ubuntu Core as a sort of app store. Developers can make code available, and end-users can easily download and install that code.


Build Your Own GSM Base Station For Fun And Profit

Over the last few years, news that police, military, and intelligence organizations use portable cellular phone surveillance devices – colloquially known as the ‘Stingray’ – has gotten out, despite their best efforts to keep a lid on the practice. There are legitimate privacy and legal concerns, but there’s also some fun tech in mobile cell-phone stations.

Off-the-shelf Stingray devices cost somewhere between $16,000 and $125,000, far too rich for a poor hacker’s pocketbook. Of course, what the government can do for $100,000, anyone else can do for five hundred. Here’s how you build your own Stingray using off the shelf hardware.

[Simone] has been playing around with a brand new BladeRF x40, a USB 3.0 software defined radio that operates in full duplex. It costs $420. This, combined with two rubber duck antennas, a Raspberry Pi 3, and a USB power bank is all the hardware you need. Software is a little trickier, but [Simone] has all the instructions.

Of course, if you want to look at the less legitimate applications of this hardware, [Simone]’s build is only good at receiving/tapping/intercepting unencrypted GSM traffic. It’s great if you want to set up a few base stations at Burning Man and hand out SIM cards like ecstasy, but GSM has encryption. You won’t be able to decrypt every GSM signal this system can see without a little bit of work. One caveat worth knowing: in GSM the network side picks the cipher mode, so a handset that has camped on a rogue base station uses whatever that base station tells it to, including no encryption at all (A5/0), and most phones give the user no visible indication that this has happened.

Luckily, GSM is horribly, horribly broken. At CCCamp in 2007, [Steve Schear] and [David Hulton] started building a rainbow table for the A5 cipher used on a GSM network between the handset and tower. GSM cracking is open source, and there are flaws in GPRS, the method GSM networks use to relay data transmissions to handsets. In case you haven’t noticed, GSM is completely broken.

Thanks [Justin] for the tip.

SDR Cape for BeagleBone

In the old days if you wanted to listen to shortwave you had to turn a dial. Later, you might have been able to tap in a frequency with a keypad. With modern software-defined radio (and the right hardware) you can just listen to the entire high-frequency spectrum at one time. That’s the idea behind KiwiSDR, an open source daughterboard (ok, cape) for the BeagleBone.

The front end covers 10 kHz to 30 MHz and has a 14-bit ADC sampling at 65 MHz. There is a Xilinx Artix-7 A35 FPGA onboard and a GPS, too. The design is open source and on GitHub.

The interface uses the OpenWebRX project for a powerful HTML5 interface. You can see a video of its operation below or, if you can get one of the four available slots, you can listen online. From a network point of view, the demo station in Canada worked best for us. However, there are also stations in New Zealand and Sweden.


RF Hacking: How-To Bypass Rolling Codes

The RF signal transmitted from a modern key fob and received by the associated vehicle is only used once. If the vehicle sees the same code again it rejects the command. However, there is a loophole in those carefully chosen words: the code must be received by the vehicle’s computer before it can be added to the list of spent codes. [AndrewMohawk] goes through the process of intercepting a code sent from a key fob transmitter and preventing the vehicle from receiving it in a thorough post to his blog. You can see this attack working in his studio quality reenactment video after the break.

[Andrew] uses the YARD Stick One (YS1), a sub-GHz wireless tool that is controlled from a computer. The YS1 runs the RfCat firmware and is driven from RfCat’s interactive Python shell on the host, which acts as the controller for the wireless transceiver.

This system is not without its problems. Different frequencies are often used for different commands, and [Andrew]’s scripts are designed to work with On-Off Keying (OOK), leaving them useless against a system that uses Frequency-Shift Keying (FSK). There is also the issue of rendering a target key fob non-functional, but you’ll have to pop over to [Andrew]’s blog to read more about that.


Breaking SimpliSafe Security Systems With Software Defined Radio

The SimpliSafe home security system is two basic components, a keyboard and a base station. Sensors such as smoke detectors, switches, and motion sensors can be added to this system, all without a wired installation. Yes, this security system is completely wireless. Yes, you can still buy a software defined radio for ten dollars. Yes, the device has both “simple” and “safe” in its name. We all know where this is going, right?

Last week, [Andrew Zonenberg] at IOActive published a security vulnerability for the SimpliSafe wireless home security system. As you would expect from an off-the-shelf, wireless, DIY security system, the keypad and base station use standard 433 MHz and 315 MHz ISM band transmitters and receivers. [Dr. Zonenberg]’s attack on the system didn’t use SDR; instead, test points on the transmitters were tapped and messages between the keypad and base station were received in cleartext. When the correct PIN is entered on the keypad, the keypad sends a ‘PIN entered’ packet to the base station. Replaying this packet with a 433 MHz transmitter will disable the security system.

[Michael Ossmann] took this one step further with a software defined radio. [Ossmann] used a HackRF One to monitor the transmissions from the keypad and turned to a cheap USB SDR dongle to capture packets. Replaying keypad transmissions was easy, but with a little bit more work new attacks can be found. The system can be commanded to enter test mode even when the system is armed, bypassing notifications to the owner.

It’s a hilarious failure of wireless security, especially given the fact that this exploit can be performed by anyone with $100 in equipment. With a little more effort, an attacker can execute a PIN replay from a mile away. Sadly, failures of security of this magnitude are becoming increasingly common. There will assuredly be more attacks of this kind in the future, at least until hardware manufacturers start taking the security (of their security products) seriously.
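The two attacks above are the same idea applied to two different receivers: SimpliSafe accepts the same cleartext ‘PIN entered’ packet every time it hears it, while a rolling-code vehicle only accepts each code once, which is why [AndrewMohawk] has to jam the fob, capture two codes, and replay the first. The toy model below is an added example written for this page; it is not code from either post, from IOActive, or from [Andrew]. The packet layout (a counter plus a truncated HMAC), the shared key, the 16-code resync window and the ‘PIN:’ packet format are all constructed assumptions chosen to mirror the behaviour the posts describe, not any real product’s protocol. It also shows two edge cases the rolling-code post mentions only in passing: the attacker’s kept code goes stale as soon as the owner uses the fob again, and jamming more presses than the window leaves the fob ahead of the vehicle and non-functional until it is resynced.

```python
import hashlib
import hmac

KEY = b"constructed-demo-key"   # shared fob/vehicle secret (assumption)
WINDOW = 16                      # resync window, KeeLoq-style (assumption)


class FixedCodeBase:
    """SimpliSafe-style base station: the same cleartext packet disarms it
    every time it is heard, so a single recording is enough."""

    def __init__(self, pin: str) -> None:
        self.expected = b"PIN:" + pin.encode()   # constructed packet format
        self.armed = True

    def receive(self, packet: bytes) -> bool:
        if packet == self.expected:
            self.armed = False
            return True
        return False


def rolling_packet(key: bytes, counter: int) -> bytes:
    """Fob packet: 4-byte counter followed by an 8-byte MAC over it."""
    ctr = counter.to_bytes(4, "big")
    return ctr + hmac.new(key, ctr, hashlib.sha256).digest()[:8]


class Fob:
    """Key fob: every press advances the counter, even if nobody hears it."""

    def __init__(self, key: bytes) -> None:
        self.key, self.counter = key, 0

    def press(self) -> bytes:
        self.counter += 1
        return rolling_packet(self.key, self.counter)


class Vehicle:
    """Accepts a packet only if the MAC verifies and the counter is ahead of
    the last accepted one by 1..WINDOW; a seen or stale counter is rejected."""

    def __init__(self, key: bytes) -> None:
        self.key, self.last = key, 0

    def receive(self, packet: bytes) -> bool:
        ctr, mac = packet[:4], packet[4:]
        counter = int.from_bytes(ctr, "big")
        if not hmac.compare_digest(mac, rolling_packet(self.key, counter)[4:]):
            return False
        if not self.last < counter <= self.last + WINDOW:
            return False
        self.last = counter
        return True


def fixed_code_replay() -> bool:
    """Record one disarm off the keypad link, let the owner re-arm, replay."""
    base = FixedCodeBase("1234")
    captured = b"PIN:1234"          # what a sniffer on the keypad link sees
    base.receive(captured)
    base.armed = True               # owner re-arms the system
    return base.receive(captured) and not base.armed


def naive_replay() -> bool:
    """Replaying a rolling code the vehicle has already consumed fails."""
    fob, car = Fob(KEY), Vehicle(KEY)
    p = fob.press()
    car.receive(p)
    return car.receive(p)


def jam_and_replay() -> tuple:
    """The bypass: jam and capture two presses, replay the first so the
    owner gets in, keep the second. Returns (replay_of_c1_accepted,
    kept_c2_accepted_before_the_owner_presses_again)."""
    fob, car = Fob(KEY), Vehicle(KEY)
    c1 = fob.press()                # jammed: the vehicle never hears it
    c2 = fob.press()                # jammed again; attacker replays c1
    first = car.receive(c1)
    later = car.receive(c2)         # attacker's kept code is still fresh
    return first, later


def kept_code_goes_stale() -> bool:
    """Once the owner presses the fob again, the kept code is behind the
    vehicle's counter and is rejected."""
    fob, car = Fob(KEY), Vehicle(KEY)
    c1 = fob.press()
    c2 = fob.press()
    car.receive(c1)                 # attacker's replay of c1
    car.receive(fob.press())        # owner's next, un-jammed press (c3)
    return car.receive(c2)


def fob_desynced_by_jamming() -> bool:
    """Jam more presses than the window and the fob is so far ahead that
    even a genuine press is rejected until it is resynced."""
    fob, car = Fob(KEY), Vehicle(KEY)
    for _ in range(WINDOW):         # all jammed, none reach the vehicle
        fob.press()
    return car.receive(fob.press())  # counter WINDOW+1 is outside the window
```

The contrast is the whole point: the fixed-code base station falls to a recording, the rolling-code receiver does not, and the jam-and-replay trick only buys the attacker one spare code that expires the moment the owner uses the fob again. A real receiver would also carry a wider ‘resync’ window that needs two consecutive presses, which is the part that makes a jammed fob recoverable instead of bricked; that detail is omitted here.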