[Texane] is developing a system to monitor his garage door from his apartment. Being seven floors apart, running wires between the door and apartment wasn’t an option, so he turned to a wireless solution. Testing this wireless hardware in an apartment is no problem, but testing it in situ is a little more difficult. For that, he turned to software defined radio with an RTLSDR dongle.
The hardware for this project is based around a TI Stellaris board and a PTR8000 radio module. All the code for this project was written from scratch (Github here), making it questionable if the code worked on the first try. To test his code, [Texane] picked up one of those USB TV tuner dongles based around the RTL2832U chipset. This allowed him to monitor the frequencies around 433MHz for the packets his hardware should be sending.
After that, the only thing left to do was to write a frame decoder for his radio module. Luckily, the datasheet for the module made this task easy.
[Texane] has a frame decoder for the NRF905 radio module available in his Git. It’s not quite ready for serious applications, but for testing a simple radio link it’s more than enough.
Theoretically, GSM has been broken since 2003, but the limitations of hardware at the time meant cell phone calls and texts were secure from the prying ears of digital eavesdroppers and all but the most secret government agencies. Since then, the costs of hardware have gone down, two terabytes of rainbow tables have been published, and all the techniques and knowledge required to listen in on cell phone calls have been available. The only thing missing was the hardware. Now, with a super low-cost USB TV tuner come software defined radio, [domi] has put together a tutorial for cracking GSM with thirty dollars in hardware.
Previous endeavours to listen in and decrypt GSM signals used fairly expensive software defined radios – USRP systems that cost a few thousand dollars a piece. Since the advent of RTL-SDR, the price of software defined radios has come down to about $30 on eBay, giving anyone with a Paypal account the ability to listen in on GSM calls and sniff text messages.
The process of cracking GSM first involves getting the TMSI – Temporary Mobile Subscriber Identifier – a unique ID for each phone in a certain cell. This is done by sending a silent SMS that will send back and acknowledgement an SMS has been received on the victim’s phone, but won’t give the victim any indication of receiving a message.
From there, the attacker listens to the GSM signals in the cell, receiving bursts attached to a TMSI, and cracking the encrypted stream using 1.6 TB of rainbow tables.
[domi] put up a four-part tutorial series (part 1 above; part 2, part 3, and part 4) that goes over the theory and the actual procedure of cracking text messages and voice calls with a simple USB TV tuner. There are a few limitations; the attacker must be in the same cell as the victim, and it looks like real-time voice decoding isn’t yet possible. Cracking GSM for $30, though, that’s good enough for us.
Up on Kickstarter, [Michael Ossmann] is launching the HackRF, an inordinately cheap, exceedingly capable software defined radio tool that’s small enough to lose in your laptop bag.
The HackRF was the subject of a lot of interest last time it was on Hackaday – the ability to receive up to 6GHz allows the HackRF to do a lot of very interesting things, including listening in on Bluetooth, WiFi, and 4G networks. Also, the ability to transmit on these frequencies means a lot of very interesting, and quite possibly slightly evil applications are open to anyone with a HackRF. Like the RTL-SDR dongles, the HackRF works with GNU Radio out of the box, meaning all those cool SDR hacks we’ve seen so far will work with this new, more powerful board.
Compared to the USB TV tuner cards that were so popular a year ago, the HackRF has 10 times the bandwidth, is able to receive up to 6GHz, and is also able to transmit. It’s only half-duplex, so to receive and transmit simultaneously you’ll need two HackRFs, or maybe wait for a hardware revision that will hopefully come sooner rather than later.
Below you can check out [Michael]’s presentation at Toorcon where the HackRF was unleashed to the world.
Continue reading “HackRF, or playing from 30 MHz to 6 GHz”
Last summer in the heyday of software defined radio via USB TV tuners we asked hackaday readers a question: Is anyone using everyone’s favorite method of SDR for radio astronomy? It took nearly a year, but finally there’s an awesome project to turn a USB TV tuner into a radio telescope. It’s from the fruitful mind of [Marcus Leech] (PDF warning), and is good enough to detect the rotation of the galaxy with a three-foot satellite dish.
News of [Marcus]’ work comes to us from [Carl] over at RTL-SDR.com who has been keeping tabs on the advances of building a radio telescope in a backyard. He’s been collecting a lot of interesting tidbits including this gif showing an arm of the galaxy entering and leaving [Marcus]’ telescope’s field of view over the course of a few hours.
Not only can [Marcus]’ telescope record continium measurements – basically, a single-pixel camera sensitive to only one frequency – it can also produce spectral plots of the sky. Combine the ability to measure multiple frequencies at the same time with the Doppler effect, and [Marcus] can measure the rotation of the galaxy with a USB TV tuner. That’s just awesome in our humble opinion.
If you already have an RTL-SDR TV tuner and a largish satellite dish, [Marcus]’ project should be fairly inexpensive to replicate; the feed assembly is made out of a coffee can, the amplifiers are repurposed satellite television equipment, and all the software – [Marcus]’ own simple_ra tool for GNU Radio – is open source. Of course with a 3 foot diameter dish, it will be impossible to replicate the data from huge radio telescopes. Still, it’s an impressive piece of work that leaves us searching craigslist for an old C-band dish.
Last year’s big hack was software-defined radio; a small USB TV tuner that could listen in on radio broadcasts anywhere between 64 and 1200 MHz. This year, it’s all about the Raspberry Pi, so it’s surprising we’re only just now seeing a mashup of these two pieces of hardware. [Corq] is using a Raspi and RTLSDR TV tuner to listen in on aircraft transponders, and getting a whole bunch of data from aircraft flying overhead.
Even though the ADS-B decoder [Corq] is using is written for OS X, he’s reading the data coming from the USB TV tuner over the network with a program called Dump1090. This program allows [Corq] to attach his SDR to a Raspbery Pi and put it somewhere the antenna will get good reception – an attic, or an outdoor weatherproof case – and stream data to his desktop over a WiFi or network connection.
With a USB TV tuner and a Raspberry Pi, [Corq] is able read the tail numbers, altitude, latitude, longitude, speed, heading, and even the type of aircraft currently flying over his house. That’s cool enough, but the fact that he can effectively do this over the Internet makes it a brilliant hardware mashup.
Illegal, yet impressive
Want a soda? Just grab a robot, shove it in a vending machine, and grab yourself one. This video is incredibly French, but it looks like we’ve got a custom-built robot made out of old printers and other miscellaneous motors and gears here. It’s actually pretty impressive when you consider 16 ounce cans weigh a pound.
Okay, we got a lot of emails on our tip line for this one. It’s a group buy for a programmable oscillator over on Tindie. Why is this cool? Well, this chip (an SI570) is used in a lot of software defined radio designs. Also, it’s incredibly hard to come by if you’re not ordering thousands of these at a time. Here’s a datasheet, now show us some builds with this oscillator.
Chiptune/keygen music anywhere
[Huan] has a co-loco’d Raspi and wanted a media server that is available anywhere, on any device. What he came up with is a service that streams chiptune music from your favorite keygens. You can access it with Chrome (no, we’re not linking directly to a Raspberry Pi), and it’s extremely efficient – his RAM usage didn’t increase a bit.
Take it on an airplane. Or mail it.
[Alex]’s hackerspace just had a series of lightning talks, where people with 45-minute long presentations try to condense their talk into 10 minutes. Of course the hackerspace needed some way to keep everything on schedule. A simple countdown timer was too boring, so they went with a fake, Hollywood-style bomb. No, it doesn’t explode, but it still looks really, really fake. That’s a good thing.
Printers have speakers now?
[ddrboxman] thought his reprap needed a nice ‘print finished’ notification. After adding a piezo to his electronics board, he whipped up a firmware hack that plays those old Nokia ringtones. The ringtones play over Gcode, so it’s possible to have audible warnings and notifications. Now if it could only play Snake.
The cheap software defined radio platforms that can be built out of a USB TV tuner aren’t getting much love on the Hackaday tip line of late. Thankfully, [Adam] sent in a great guide to cracking sub-GHz wireless protocols wide open, and ringing doorbells, opening cars, and potentially setting houses on fire in the process.
The first wireless hack [Adam] managed to whip up is figuring out how a wireless doorbell transmitter communicates with its receiver. [Adam] connected a FUNcube software defined radio dongle (although any one of the many USB TV tuner dongles we’ve seen would also work) and used GNU Radio to send the radio signals received to a WAV file. When looking at this audio file in Audacity, [Adam] saw the tell-tale signs of digital data, leaving with a string of 1s and 0s that would trigger his wireless doorbell.
The FUNcube dongle doesn’t have the ability to transmit, though, so [Adam] needed a more capable software defined radio to emulate the inner workings of a doorbell transmitter. He found one in the Ettus Research USRP, a software designed radio that’s doing a good job of keeping [Balint], Hackaday SDR extraordinaire, very busy. By sending the data [Adam] decoded with the FUNcube dongle over the USRP, he was able to trigger his wireless doorbell using nothing but a few hundred dollars of radio equipment and software ingenuity.
Doorbells are a low-stakes game, so [Adam] decided to step things up a little and unlock his son’s car by capturing and replaying the signals from a key fob remote. Modern cars use a rolling code for their keyless entry, so that entire endeavour is just a party trick. Other RF-enabled appliances, such as a remote-controlled mains outlet, are a much larger threat to home and office security, but still one [Adam] managed to crack wide open.