RTL-SDR brought cheap and ubiquitous Software Defined Radio (SDR) to the masses, opening up whole swaths of the RF spectrum which were simply unavailable to the average hacker previously. Because the RTL-SDR supported devices were designed as TV tuners, they had no capability to transmit. For the price they are still an absolutely fantastic deal, and deserve to be in any modern hacker’s toolkit, but sometimes you want to reach out and touch someone.
Now you can. At OsmoDevCon [Steve Markgraf] released osmo-fl2k, a tool which allows transmit-only SDR through cheap USB 3.0 to VGA adapters based on the Fresco Logic FL2000 chip. Available through the usual overseas suppliers for as little as $5 USD, these devices can be used unmodified to transmit low-power FM, DAB, DVB-T, GSM, UMTS and GPS signals.
In a demonstration on the project page, one of these USB VGA adapters is used to broadcast a GSM cellular network which is picked up by the adjacent cell phones. Another example shows how it can be used to broadcast FM radio. A GitHub repository has been set up which includes more examples. The signals transmitted from the FL2000 chip are obviously quite weak, but the next step will logically be the hardware modifications necessary to boost transmission to more useful levels.
To say this is a big deal is something of an understatement. For a few bucks, you’ll be able to get a device to spoof cellular networks and GPS signals. This was possible before, of course, but took SDR hardware that was generally outside the budget of the casual experimenter. If you bought a HackRF or an Ettus Research rig, you were probably responsible enough not to get into trouble with it, but that’s not necessarily the case anymore. As exciting as this technology is, we would be wise to approach it with caution. In an increasingly automated world, GPS spoofing can have some pretty bad results.
As things like this become more widespread, security of online transactions becomes impossible for the average user. Will people stop using online services and go back to face to face transactions – is the openness of the internet the very thing that will kill it?
I’m not sure why you’d identify this as the mechanism that breaks transaction security.
In non-doomed systems the authentication and encryption have treated the network connection as untrusted and potentially hostile for ages now; and any implementation that doesn’t is toast the minute it hits an open wifi hotspot.
I suppose this makes grabbing SMS ‘two factor’ jokes slightly easier (at least for systems that will accept being downgraded to one of the old, vulnerable, cell standards, which is a bad idea though a common one); but those have always been bad practice and vulnerable via SS7 if not other means.
People already ignore much more serious threats to the integrity of a transaction to buy stuff online, this seems unlikely to deter them.
I couldn’t agree more than I do.
I don’t see this as THE mechanism to “break” the internet but another mechanism to further reduce trust. Are we happy to continually chase our tails or just accept that we are just pawns in some global game… what we have is not ours to keep
You’re saying you could perhaps intercept someone’s SMSes with this? How so? Doesn’t the network only transmit an SMS from the cell tower the destination phone is logged on to? So you’d have to be in the same (nowadays quite small) physical area. And you’d need to spoof both the phone and the mast. Or would you log on to any old tower, impersonating the victim’s phone?
Sounds hard. Unless I’ve not understood it fully, which is pretty likely, so please tell more if there is more.
Anyway neat bit of hardware. If radio goes fully cognitive though, this probably won’t matter, EVERYONE will have full SDR. Cracks involving SDR might even hurry cognitive radio up a bit.
Backing up what Fuzzyfuzzyfungus said:
https://www.schneier.com/blog/archives/2018/04/subverting_back.html
The internet is already tapped. Fortunately the heavy-hitters of the internet are pushing for encryption as default for everything.
I don’t think the world is ready to pack up and go home, but we are in for a world of new wireless exploit discoveries for systems that operate in this device’s extensive freq range. Good time for researchers and repair technicians to replace all this insecure shit.
Honestly I could run secure transactions through unencrypted email if I wanted to. The physical layer network is not normally trustworthy, especially if it is wireless, and most reasonable protocols don’t make too many assumptions about a link that can’t be authenticated.
Until the classic Alice and Bob model presented by R.S.A. the industry was generally ignorant about the importance and capabilities of cryptographic protocols and authentication. Avoiding the man-in-the-middle attack has been a thing for about 40 years now. Even if we don’t always get it implemented right :-)
Anyone know of a dongle that has the correct chip in?
“Anyone know of a dongle that has the correct chip in?”
I’ve bet my “about five bucks” on this one -> https://www.ebay.co.uk/itm/USB-3-0-to-VGA-Multi-display-Adapter-Converter-External-Video-Graphic-Cards-ED/132205650482?ssPageName=STRK%3AMEBIDX%3AIT&_trksid=p2057872.m2749.l2649
… based on nothing more than the description, price, and pictures.
I could of course be wrong. If so, you will still have an extra head for your laptop, so don’t come back to me to complain.
This one should. The linked rar with driver files exe shows as fl2000
https://www.aliexpress.com/item/-/32806848832.html
I recently bought this one so that I could have a 3rd screen. I can confirm it is an FL2000.
https://www.ebay.co.uk/itm/3-0-USB-to-VGA-Display-Cable-Video-Graphic-Adapter-For-Windows-7-8-10/132414331526?ssPageName=STRK%3AMEBIDX%3AIT&_trksid=p2060353.m2749.l2649
You guys are awesome, thanks for the links.
Is this a quirk of this particular interface, or is it “the nature of the beast” due to a VGA interface requiring 3 high-speed DACs to produce high resolution graphics?
Perhaps a little of both.
Some of both. Any implementation of VGA requires the pretty-impressive-for-the-money DACs; but ‘smarter’ implementations are more likely to include (normally helpful) features like framebuffers and automatic handling of vertical and horizontal blanking intervals that reduce your control over the output of the DACs. It will likely be as good or better for VGA, and with less effort on the software side (in this case, it looks like the fancy Displaylink stuff can handle markedly higher resolutions at equivalent bandwidth; and is actually somewhat useful on USB2, while the FL2000 just sneaks 1920×1080 in on USB3); but if you are trying to generate a signal that doesn’t have horizontal and vertical blanks dumber is better, since the hardware won’t even notice that you are blatantly violating the expectations of VGA in order to get what you want.
From a quick read, this chipset is useful because it doesn’t have a local framebuffer, and streams direct from the host over USB (with associated problems…). It also allows VGA configs without H/V pulses, so can effectively spew a high speed raw datastream from host out the DACs.
I always wondered if the Pi DPI parallel video interface allowed a 0 length blanking period, it seemed perfect for pumping data out at high speed, but this, this is even better!
8MB SPI chip on the pcb suggests FL2000DX to be programmable with a micro-controller inside :o Imagine what treasures lie there.
Wonder if it’s possible to wiggle H/V sync IO at 150MHz too. There is also provision for one more digital IO with missing Q3 on the board.
Universal triple >100 MS/s DAC at $5 is INSANE. Holy shit, $5 10MHz signal generators for everyone!
Are there any more chips like this in the wild? FX2LP was pretty revolutionary in its day, started out in USB 2.0 HDD enclosures, Cameras, digital tuners, ended up enabling low cost logic analyzer revolution.
I know of one more, quite old by now design from 2011, genesyslogic GL3220 used in multiple USB 3.0 multi card readers, capable of >100MB/s 8bit parallel transfers over its built-in UDMA7 CF interface. Available in $15 readers. Internally 8051.
If I have understood correctly that SPI flash is for the drivers.
So that you don’t need to ship a CD with the dongle.
Still interesting, as is the VGA I2C interface.
I do expect tons of interesting projects to rise from this.
Yes, I found this out an hour later while reading sources :(
still 3x 8bit (at least in theory) >100MHz DACs!
Can’t wait for some tests with a fast scope (jitter and actual number of bits).
Found an adapter entirely missing the SPI flash, now I’m 100% certain there is no firmware there :(
http://g01.a.alicdn.com/kf/HTB1PdQzJVXXXXXFXXXXq6xXFXXXd/202425401/HTB1PdQzJVXXXXXFXXXXq6xXFXXXd.jpg
http://g01.a.alicdn.com/kf/HTB1JNT7JVXXXXbSXVXXq6xXFXXXh/202425401/HTB1JNT7JVXXXXbSXVXXq6xXFXXXh.jpg
My guess is a delta sigma modulator. Because there is mention of the fundamental frequency, 3rd, 5th, 7th, 9th harmonics, this would suggest to me that it is high speed on/off switching which is in effect generating square waves and all their associated harmonics.
https://www.allaboutcircuits.com/uploads/articles/SineAndSquareHarmonicsThumb.jpg
At these speeds, that’s pretty unlikely. They probably just brute-forced it with 3 8-bit flash DACs.
Any DAC will generate harmonics without a reconstruction filter, although they’re usually Nyquist aliases rather than harmonics of the generated frequency.
I was thinking that as well until they explicitly mentioned 3rd, 5th and 7th harmonics. Well it will be easy enough to see with an actual device, create a carrier at 100MHz and check signal power at various frequencies. If the 3rd harmonic is ~9.5 dB down from the fundamental, the 5th harmonic is ~14dB down from the fundamental, the 7th is ~17dB down from the fundamental and the 9th is ~19dB down it would imply fast switching.
Nice.. nest time that noisy reaper drone flies over the house and wakes up the cat, its getting planted straight into the local sewage farm. ;¬)
/s/nest/next – … Actually on reflection, I might keep the reaper drone, I’m sure there must be a few useful bits and pieces in it.
Likely the poor schmuck who’s flying a 182 in slow circles around your city (while watching movies on his iPad), at least until the FAA approves UAVs in class B/C airspace.
https://www.buzzfeed.com/peteraldhous/spies-in-the-skies?utm_term=.gtNWzW1B6#.tik0D0mz5
Anyone got a link to the datasheet? A custom PCB with SMA connectors and amplifiers in is my future
Datasheet for the Fresco Logic FL2000
“Datasheet for the Fresco Logic FL2000”
I’ve not found the FL2000 datasheet yet, but this might also be of interest -> https://github.com/FrescoLogic/FL2000
Not much on the company web site…
Marketing blurb -> http://www.frescologic.com/product/single/fl2000
Support -> https://support.frescologic.com/portal/home
I’ll do some more digging.
“Anyone got a link to the datasheet? A custom PCB with SMA connectors and amplifiers in is my future”
For initial prototyping, or if the datasheet is not available, you could of course treat the FL2000 dongle as a “module”: remove the VGA and USB connectors and solder it piggy back style to your custom board.
It’s probably going to follow the same evolutionary path as the RTL-SDR.
I’m not so sure. I imagine that in a lot of jurisdictions it would be very difficult to sell something that could broadcast on restricted frequencies.
So you also want to control the sale of transistors, ferrite rods and magnet wire? This chip is not intended to broadcast. The reason the companies often keep the datasheet secret is first to avoid opening their know how (trade secrets) and often to avoid too many support calls from hobbyists.
Honestly you could probably use the connector as-is. VGA signals are 75ohm and with a small matching pad you could easily break out the red+gnd signals to a 50ohm sma connector. That’s what I’m planning on doing anyway.
Why not use the 75 ohm signals directly? All the digi TV coax is 75 ohm (lower losses and cheaper than 50 ohm coax here), dipoles are better matched to 75 ohms, BNCs are readily available for 75 ohms as well. In fact, most of my radio stuff is 75 ohms, because the power handling is not an issue for me.
Of course you can do that, if it fits your equipment. Probably even the mismatch is acceptable, if you use your 50 Ohm equipment. The 15pin sub D connector is not impedance controlled anyway.
The boxy one seems to match this model:
https://www.aliexpress.com/item/2colors-1080P-USB-3-0-to-VGA-Multi-Display-Video-Graphic-External-Cable-Adapter-Wire-for/32750625943.html
So are we entering an era of homebrewed “Stingray” systems – this could get ugly.
Qui decipit spoofers?
Those have been reality for more than a decade.
And this is just a transmitter without any return channel.
I’m unsure if it is even possible to make a GSM basestation with one of these and rtl-sdr.
That has not been possible even with two HackRFs and those are built to be SDR transceivers.
So the title is a bit clickbaity even if technically true.
You can basically force the phone to use the lower frequencies with this one, you don’t need to be listening with this device. Most phones are happy to fall back to lower freq which you can more easily listen/talk on with a piece of different gear.
Does anybody know what the effective frequency range of this chip is?
I’m thinking of using it simply as a frequency generator, maybe with some additional functions like wobbling, comb generation, etc.
“Does anybody know what the effective frequency range of this chip is?
I’m thinking of using it simply as a frequency generator, maybe with some additional functions like wobbling, comb generation, etc.”
“A typical 1920×1080@60 Hz requires 1920 * 1080 * 24bpp * 60 = 373,248,000 bytes/sec of traffic over the USB bus.”
So we can be sure that the bandwidth is of that order of magnitude, i.e. 373.248MHz; however since you can spoof cell phones, it must be greater than that, or at least there is some clever trickery going on that makes it appear to be greater than that.
For more info, you will need to read the article linked above.
I didn’t find what I was looking for at first, but this presentation shows how it’s done:
http://people.osmocom.org/steve-m/fl2k_slides/osmo-fl2k.html#(1)
The basic frequency is 150MHz, and things like GSM, GPS, DVB-T use the harmonics.
fl2k_tcp streams samples from e.g. GnuRadio, so this can be used to transmit arbitrary waveforms.
Nice!
There are even plans to synchronize it with a rtl-sdr, to get an ultra cheap SDR transceiver.
Well you get harmonics and as it’s a DAC, you also get aliases at higher frequencies.
The GPS spoofing example is done with harmonics.
DVB VHF or UHF ?
btw: last year STM produced an STB with 2-way communication with a satellite: i.e. satellite sends (ip?) packets to the transponder on the actual satellite; they used the usual digital to analog converter and added an RF amplification stage instead of the RGB interface, kind of similar to what has been done here
i.e. STB* sends …
So looks like it is finally time where we can brew up a nice all in one poor ham full SDR; a preamp to an RTL and linear output from the FL with some good bandpass filtering.
We can start by prototyping it at low power with our Linux laptops but should quickly move to a cool does everything big handheld run by a capable ARM SCB with USB-3.0.
Imagine bringing well beyond the capabilities of those schmancy >$20K unobtanium Harris military radios into our hands for under $100!
Probably want some FPGAs to get fast encoding/decoding, change FPGA modes on the fly to change modes because we can with that tech.
It’s really going to cost you a good bit more than $5, because you need a fast enough computer to do the job (plus it needs USB-C, though that’s becoming available on cheap laptops by now. My work laptop doesn’t have USB-C yet or I’d have to get one of these.)
Duh, cancel that – USB3 will do it even without USB-C. Now I have to go buy one, instead of just using the VGA connector on the docking station :-)
Slightly twisted interpretation of what makes a responsible citizen, but then many will have been conditioned to agree.
responsible citizens do what they want so long as they do not restrict the freedom of others
How many people immediately ordered one after reading the original article, I certainly did.
One? I ordered fifty! There will be profit to be made here, for sure!
What is the point of this if you can only intercept outgoing calls/texts? There is no way to intercept incoming calls/texts, so this is pretty much useless, because even if your target is making a call it won’t connect him to the people he is calling.
This is just for show.
It’s not the call but the connection. Once you have the phone connecting, not making a call, just network traffic, a new attack vector has just been opened.
GPS spoofing…
I live near a river, could be very funny
This is kind of exciting but… I wonder how practical it is.
Is it likely that one could build a diy filter to bring the harmonics and other spurious signals down low enough to be legal? Could it be done for little enough money and effort that it is worth it over just getting a purpose-made SDR chip?
I don’t know about part15 or other services but here in the US for the ham bands that means that all spurious signals must be 43 dB down from the desired one if the desired signal is below 30MHz. From 30MHz up to 225MHz it’s 60 dB and above that it’s 40 dB. If I remember right, I might be just a little off.
It should not be too difficult to design some “band select” filters to bring down the unwanted harmonics. Frequency multiplication was done long before the invention of PLL synthesizers by generation of harmonics (often 2nd or 3rd) and filtering.
I once built an oscillator for something like 2.3GHz with several multiplication stages, even the crystal was running at the 5th or 7th overtone because the fundamental of a crystal is hardly possible above 30MHz. But tuning this device was very difficult. There were transistor stages between the tuned circuits, or better: the LC circuits were part of the amplifiers to make them resonant. And anything interacted with anything due to parasitic capacitances of the transistors.
From a quick read of the project, I’m thinking it could even be matched up with 3 different matching networks to filter the signal to a specific set of bands, with one on the Red, one on the Green, and one on the Blue. All being bands of choice, then have the signal amplified. I’m wondering if there could even be a little control signal put out on any of pins 12-13 to enable even more possibilities with a small microcontroller… I see there’s already a +5V signal that could be purposed as an enable line for other logic, so there isn’t noise activating an amplified circuit when the computer isn’t connected.
We have I2C, and drivers for it, so communication with an external micro is a piece of cake.
Can somebody explain to me what will be the use of this one since it is transmit only? Are there any projects that this can be used? I’m interested in this stuff but I’m a beginner. Regards
Some limited uses are transmit only, but it could easily be paired with one of the RX only SDR projects for a full (or half) duplex solution. Basically like the old days. Originally, there were no transceivers, just discrete transmitters and receivers. To switch back and forth, you’d literally switch the antenna between the two, and bring up the power on the transmitter when you want to transmit.
There’s plenty of one-way protocols of interest. GPS spoofing is arguably the biggest one, probably some interesting applications of DVB-T as well. But ideally this would be paired with an RTL-SDR device to get two way SDR for easily a 10th of what the HackRF costs (and that was already very cheap compared to what was already on the market).
Is usability and performance going to be amazing? Probably not. But at those kind of prices, people will put up with some fiddling.
Transmit RF signals that can: open car garage, turn on lights remotely, or just simply sending audio from your ipod to your car FM radio?
It would be interesting to know at which distance the FM transmission can work.
Can anyone who reproduced it tell?
Very short range, but amplifiers are cheap
People seem to be very interested in the spoofing LTE part, but… What about making completely open-source phones that use this + the RTL-SDR chips (RTL2832U)?
Instead of using it to fool the phones of others, it could be used to keep one’s own phone (including the one in the car (e.g. OnSt*r)) or a hidden tracking device, from sending out updates on your position.
“Just because you’re paranoid, doesn’t mean someone isn’t out to get you!”
B^)
How hard would it be to use this to run XY arcade monitors?
How hard would it be to use this to run an XY arcade monitor?
Maybe you’re looking for something like this
https://trmm.net/V.st
Anyone know how the following parameters translate to 95MHz FM?
fl2k_fm - -s 130e6 -c 35e6 -i 44100
When I try different sample rate, the main output frequency is different and is not 95MHz any more.
130 adc clock, 35 carrier
I got that. But how does that translate to the 95MHz that I can tune the radio to? Say I want to transmit on 108MHz, what do I change? Thanks
Ah, 130-35 = 95?
yes, and I think on top of that you get reflected signal at 165MHz + at all the harmonics, so 390, 640, 910 etc…
Steve Markgraf gave a talk with slightly more detail, a slide at 18:30 covers this
https://www.youtube.com/watch?v=VRvLVjLQSaw
Thanks very much Ras. I think I understand it now. Best regards
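As an added example (my own script, not code from the osmo-fl2k project), here is the arithmetic from this thread worked through: the DAC is modelled as a zero-order-hold converter at sample rate fs, so a baseband carrier fc shows up at every image k*fs ± fc with sinc roll-off, and the script also solves the reverse question (which -c value puts an image on 108 MHz). The FM band edges used for filtering are an assumption.

```python
"""Where a baseband carrier set with 'fl2k_fm - -s 130e6 -c 35e6' ends up.

Added example, not osmo-fl2k code.  Model: zero-order-hold DAC at sample
rate fs; a carrier fc appears at fc and at every image k*fs +/- fc, each
attenuated by the sinc roll-off of the hold.  FM band edges are assumed.
"""
import math

FM_BAND_HZ = (87.5e6, 108e6)   # assumed broadcast FM band


def zoh_loss_db(f_hz, fs_hz):
    """Zero-order-hold (sinc) attenuation of a DAC image at f_hz, in dB."""
    x = f_hz / fs_hz
    if x == 0:
        return 0.0
    mag = abs(math.sin(math.pi * x) / (math.pi * x))
    return -math.inf if mag == 0 else 20 * math.log10(mag)


def dac_images(fs_hz, fc_hz, fmax_hz):
    """All images of baseband carrier fc up to fmax: [(f_hz, loss_db), ...]."""
    images = []
    k = 0
    while k * fs_hz - fc_hz <= fmax_hz:
        for f in (k * fs_hz - fc_hz, k * fs_hz + fc_hz):
            if 0 < f <= fmax_hz:
                images.append((f, zoh_loss_db(f, fs_hz)))
        k += 1
    return sorted(set(images))


def baseband_for_target(fs_hz, target_hz):
    """Baseband carrier (-c value) whose nearest DAC image lands on target_hz.

    Returns (fc_hz, k) with target = k*fs +/- fc.  A target on a multiple of
    fs is rejected: the hold response has a null there.
    """
    k = round(target_hz / fs_hz)
    fc = abs(target_hz - k * fs_hz)
    if fc == 0:
        raise ValueError("target sits on a DAC clock harmonic null")
    return fc, k


def fm_band_hits(fs_hz, fc_hz):
    """Images that fall inside the (assumed) FM broadcast band."""
    lo, hi = FM_BAND_HZ
    return [(f, db) for f, db in dac_images(fs_hz, fc_hz, 1e9) if lo <= f <= hi]


if __name__ == "__main__":
    fs, fc = 130e6, 35e6        # the fl2k_fm parameters quoted in the thread
    for f, db in dac_images(fs, fc, 500e6):
        print(f"{f / 1e6:7.1f} MHz  {db:6.1f} dB")
    print("in FM band:", [f / 1e6 for f, _ in fm_band_hits(fs, fc)])
    print("for 108 MHz use -c", baseband_for_target(fs, 108e6)[0] / 1e6, "MHz")
```

The 95 MHz line is the first image (130 - 35), and the table shows why it is usable while the 35 MHz baseband carrier and the 165 MHz image (130 + 35) are also radiated unless filtered.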
Some cheap “blue” no-brand dongles don’t have USB 3.0 traces:
http://tinyhack.com/2018/05/05/fixing-osmo-fl2k-dongle-that-only-works-in-usb-2-0/
Maiwo KCB003 dongle contains the FL2K chip and has USB 3.0 ($15)
https://www.gearbest.com/cables-connectors/pp_1238337.html?wid=1433363&lkid=13956227
Source: https://hackernoon.com/osmo-fl2k-a-15-dtv-transmitter-fm-radio-hijack-and-gps-spoofing-device-68ac08ba7d76
This one is confirmed to be compatible: https://www.aliexpress.com/item/USB-3-0-to-VGA-Multi-display-Adapter-Converter-External-Video-Graphic-Card-for-Win-7/32839690586.html
Picture of the PCB: https://i.imgur.com/NhuQh6H.jpg
Carl at RTL-SDR Blog told me they are solving filtering and some other problems to bring us nice cheap RTL-FL2k transceiver. That’d be great because it gives another boost to ham community around the globe.
I don’t understand how nobody yet mentioned tempest for eliza:
https://hackaday.com/2005/12/25/tempest-for-eliza/
http://www.erikyyy.de/tempest/