If you live in a city, you’re constantly swimming in a thick soup of radio-frequency energy. FM radio stations put out hundreds of kilowatts each into the air. Students at the University of Washington, [Anran Wang] and [Vikram Iyer], asked themselves if they could harness this background radiation to transmit their own FM radio station, if only locally. The answer was an amazing yes.
The trailer video, embedded below, demos a couple of potential applications, but the paper (PDF) has more detail for the interested. Basically, they turn on and off an absorbing antenna at a frequency that’s picked so that it modulates a strong FM signal up to another adjacent channel. Frequency-modulating this backscatter carrier frequency adds audio (or data) to the product station.
One of the cooler tricks that they pull off with this system is to inject a second (stereo) channel into a mono FM station. Since FM radio is broadcast as a mono signal, with a left-minus-right signal sent alongside, they can make a two-channel stereo station by recreating the stereo pilot carrier and then adding in their own difference channel. Pretty slick. Of course, they could send data using this technique as well.
Why do this? A small radio station using backscatter doesn’t have to spend its power budget on the carrier. Instead, the device can operate on microwatts. Granted, it’s only for a few feet in any given direction, but the station broadcasts to existing FM radios, rather than requiring the purchase of an RFID reader or similar device. It’s a great hack that piggybacks on existing infrastructure in two ways. If this seems vaguely familiar, here’s a similar idea out of the very same lab that’s pulling off essentially the same trick indoors with WiFi signals.
So who’s up for local reflected pirate radio stations?
[Dan Englender] was working on implementing a home automation and security system, and while his house was teeming with sensors, they used a proprietary protocol which was not supported by the open source system he was trying to implement. The problem with home automation and security systems is the lack of standardization – or rather, the large number of (often incompatible) standards used to ensure consumers get tied in to one specific system. He has shared the result of his efforts at getting the two to talk to each other via his project decode345.
The result enabled him to receive signals from Honeywell’s 5800 series of wireless products and interface them with OpenHAB — a vendor and technology agnostic open source automation software. OpenHAB offers “bindings” that allow a wide variety of systems and hardware to be integrated. Unfortunately for [Dan], this exhaustive list does not yet include support for the (not very popular) 345MHz protocol used by the Honeywell 5800 system, hence his project. Continue reading “Using SDR to Take Control of Your Home Security System”→
If you want to eavesdrop on GSM phone conversations or data, it pays to have deep pockets, because you’re going to need to listen to a wide frequency range. Or, you can just use two cheap RTL-SDR units and some clever syncing software. [Piotr Krysik] presented his work on budget GSM hacking at Camp++ in August 2016, and the video of the presentation just came online now (embedded below). The punchline is a method of listening to both the uplink and downlink channels for a pittance.
[Piotr] knows his GSM phone tech, studying it by day and hacking on a GnuRadio GSM decoder by night. His presentation bears this out, and is a great overview of GSM hacking from 2007 to the present. The impetus for Multi-RTL comes out of this work as well. Although it was possible to hack into a cheap phone or use a single RTL-SDR to receive GSM signals, eavesdropping on both the uplink and downlink channels was still out of reach, because it required more bandwidth than the cheap RTL-SDR had. More like the bandwidth of two cheap RTL-SDR modules.
Getting two RTL-SDR modules to operate in phase is as easy as desoldering a crystal from one and slaving it to the other. Aligning the two absolutely in time required a very sweet hack. It turns out that the absolute timing is retained after a frequency switch, so both RTL-SDRs switch to the same channel, lock together on a single signal, and then switch back off, one to the uplink frequency and the other to the downlink. Multi-RTL is a GnuRadio source that takes care of this for you. Bam! Hundreds or thousands of dollar’s worth of gear replaced by commodity hardware you can buy anywhere for less than a fancy dinner. That’s a great hack, and a great presentation. Continue reading “GSM Sniffing on a Budget with Multi-RTL”→
Most old-school remote controlled cars broadcast their controls on 27 MHz. Some software-defined radio (SDR) units will go that low. The rest, as we hardware folks like to say, is a simple matter of coding.
So kudos to [watson] for actually doing the coding. His monster drift project starts with the basics — sine and cosine waves of the right frequency — and combines them in just the right durations to spit out to an SDR, in this case a HackRF. Watch the smile on his face as he hits the enter key and the car pulls off an epic office-table 180 (video embedded below).
[Chris D] noticed that the excellent software defined radio (SDR) software gqrx will run on the Raspberry Pi now. So he married a Raspberry Pi 3, a touchscreen, an RTL-SDR dongle, and an upconverter to make a very nice receiver setup. You can see the receiver in action below.
The video is a little light on build details, but there is a shot of the setup with the pieces labeled, and you should be able to figure it out from there. Of course, gqrx works with lots of different SDR devices so you might have to make adjustments depending on what you use (for example, many of the supported dongles won’t need the upconverter that [Chris] uses).
Building a software defined radio (SDR) involves many trades offs. But one of the most fundamental is should you use an FPGA or a CPU to do the processing. Of course, if you are piping data to a PC, the answer is probably a CPU. But if you are doing the whole system, it is a vexing choice. The FPGA can handle lots of data all at one time but is somewhat more difficult to develop and modify. CPUs using software are flexible–especially for coding user interfaces, networking connections, and the like) but don’t always have enough horsepower to cope with signal processing tasks (and, yes, it depends on the CPU).
[Eric Brombaugh] sidestepped that trade off. He used a board with both an ARM processor and an ICE FPGA at the heart of his SDR design. He uses three custom boards: one is the CPU/FPGA board, another is a 10-bit converter that can sample at 40 MSPS (sufficient to decode to 20 MHz), and an I2S DAC to produce audio. Each board has its own page linked from the main project.
Before Bluetooth, before the Internet of Things, and before network-connected everything, infrared was king. In the 90s, personal organizers, keyboards, Furbys, and critical infrastructure was built on infrared. Some of these devices are still around, hiding in plain sight. This means there’s a lot of opportunities for some very fun exploits. This was the focus of [Mike Ossmann] and [Dominic Spill]’s talk at this year’s Shmoocon, Exploring The Infrared World. What’s the hook? Using software-defined radio with terahertz frequencies.
Infrared communication hasn’t improved since the days of IrDA ports on laptops, and this means the hardware required to talk to these devices is exceptionally simple. The only thing you need is an IR phototransistor and a 4.7k resistor. This is enough to read signals, but overkill is the name of the game here leading to the development of the Gladiolus GreatFET neighbor. This add-on board for the GreatFET is effectively a software defined IR transceiver capable of playing with IrDA, 20 to 60 kHz IR remote control systems, and other less wholesome applications.
Demos are a necessity, but the world seems to have passed over IR in the last decade. That doesn’t mean there still aren’t interesting targets. A week before Shmoocon, [Mike Ossmann] put out the call on Twitter for a traffic light and the associated hardware. Yes, police cars and ambulances use infrared signaling to turn traffic lights green. You shouldn’t. You can, but you shouldn’t.
What was the takeaway from this talk? IR still exists, apparently. Yes, you can use it to send documents directly from your PalmPilot to a laser printer without any wires whatsoever. One of the more interesting applications for IR is an in-car wireless headphone unit that sends something almost, but not quite, like pulse coded audio over infrared. The demo that drew the most applause was an infrared device that changed traffic lights to green. The information to do that is freely available on the web, but you seriously don’t want to attempt that in the wild.