GOMX-3 is a CubeSat with several payloads. One of them is a software defined radio configured to receive ADS-B signals sent by commercial aircraft. The idea is that a satellite can monitor aircraft over oceans and other places where there is no radar coverage. ADS-B transmits the aircraft’s ID, its position, altitude, and intent.
The problem is that ADS-B has a short range (about 80 nautical miles). GOMX-1 proved that the signals can be captured from orbit. GOMX-3 has more capability: the satellite has a helical antenna and an FPGA.
In the old days, if you wanted to listen to police, fire, or other two-way radio users, you didn’t need much more than a simple receiver. Today, you are more likely to need something a little more exotic thanks to the adoption of trunked radio systems. To pick up the control channels and all the threads of a talk group conversation, you might need a wide bandwidth receiver.
[Luke Berndt] found he needed 6 MHz to monitor the stations he wanted to hear. This is easily in the reach of dedicated software defined radios (SDR). However, [Luke] wanted to use cheap RTL-SDRs and their bandwidth is about 2 MHz. The obvious hacker solution? Use three of them!
If you haven’t looked at a trunked system before, it essentially allows a large number of users to share a relatively small number of channels. When someone wants to talk, they move to an unused channel just for that transmission. Suppose Alice asks Bob a question that happens to be on channel 12. Bob’s reply might be on channel 4. A follow-up from Alice could be on channel 3.
In practice, this means that the signal isn’t difficult to decode. It is just difficult to find (and to follow as it jumps around). This is an excellent job for multiple SDRs, and the approach even reduces the burden on the CPU, which doesn’t have to decode signals that aren’t part of the conversation being followed.
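To make the bandwidth arithmetic concrete, here is an added example (not [Luke]’s trunk-recorder code) that plans how many 2 MHz dongles a set of trunked channels needs and then routes each control-channel grant for one talk group to the dongle that can hear it. The 2 MHz usable bandwidth, the channel list and the grants are constructed sample values; a real system’s channel plan and grant decoding come from its control channel.

```python
"""Plan a bank of narrow SDR dongles to cover a wider trunked system and route
control-channel grants to the dongle that can hear each voice channel.
Added example; not the trunk-recorder project's own code."""

DONGLE_BW_HZ = 2_000_000   # usable bandwidth of one cheap RTL-SDR dongle (assumption)

# Constructed sample: six voice channels of a trunked system spanning about 6 MHz.
SYSTEM_CHANNELS_HZ = [
    853_100_000, 851_012_500, 856_900_000, 852_300_000, 854_600_000, 851_500_000,
]


def plan_dongles(channels_hz, bw_hz=DONGLE_BW_HZ):
    """Greedy left-to-right covering: sort the channels, open a window at the lowest
    channel not yet covered, and put every channel within bw_hz of it in that window.
    Returns one centre frequency per dongle. For fixed-width windows this greedy
    choice uses the minimum number of dongles."""
    centres = []
    remaining = sorted(channels_hz)
    while remaining:
        lo = remaining[0]
        group = [f for f in remaining if f - lo <= bw_hz]
        centres.append((lo + group[-1]) // 2)   # centre the window on its span
        remaining = remaining[len(group):]
    return centres


def route(freq_hz, centres, bw_hz=DONGLE_BW_HZ):
    """Return (dongle_index, offset_from_centre_hz) for the dongle whose window
    contains freq_hz, or None if no dongle can hear it."""
    for i, c in enumerate(centres):
        if abs(freq_hz - c) <= bw_hz // 2:
            return i, freq_hz - c
    return None


def follow_talkgroup(grants, talkgroup, centres, bw_hz=DONGLE_BW_HZ):
    """grants: control-channel grants as (talkgroup, voice_channel_hz) in the order
    they were decoded. Returns, for the chosen talkgroup only, the dongle and
    offset to tune for each transmission; unreachable channels come back as None."""
    return [route(f, centres, bw_hz) for tg, f in grants if tg == talkgroup]


# Constructed sample grants: Alice asks on one channel, Bob answers on another,
# and one grant belongs to a different talkgroup that the recorder should ignore.
SAMPLE_GRANTS = [
    (1001, 852_300_000),
    (2002, 856_900_000),
    (1001, 853_100_000),
    (1001, 851_500_000),
]

if __name__ == "__main__":
    centres = plan_dongles(SYSTEM_CHANNELS_HZ)
    print("dongles needed:", len(centres), ["%.4f MHz" % (c / 1e6) for c in centres])
    for hop in follow_talkgroup(SAMPLE_GRANTS, 1001, centres):
        print("tune dongle %d, offset %+d Hz" % hop)
```

With the sample channel list the planner lands on three dongles, matching the article; the offset returned by `route` is the frequency the software has to shift within that dongle’s 2 MHz capture to pull out one transmission, which is why the CPU only ever decodes the channel the conversation is currently on.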
[Luke] includes source code and also notes how to change the serial numbers of the dongles since each has to be unique. We have seen so many great projects with the RTL-SDR that it is hard to choose our favorite. It is especially great knowing that the dongle was only meant to receive television, and all these projects are hacks in the best sense of the word.
Every once in a great while, a piece of radio gear catches the attention of a prolific hardware guru and is reverse engineered. A few years ago, it was the RTL-SDR, and since then, software defined radios became the next big thing. Last weekend at Shmoocon, [Travis Goodspeed] presented his reverse engineering of the Tytera MD380 digital handheld radio. The hack has since been published in PoC||GTFO 0x10 (56MB PDF, mirrored) with all the gory details that turn a $140 radio into the first hardware scanner for digital mobile radio.
The Tytera MD380 is a fairly basic radio with two main chips: an STM32F405 with a megabyte of Flash and 192k of RAM, and an HR C5000 baseband. The STM32 has both JTAG and a ROM bootloader, but both of these are protected by the Readout Device Protection (RDP). Getting around the RDP is the very definition of a jailbreak, and thanks to a few forgetful or lazy Chinese engineers, it is most certainly possible.
The STM32 in the radio implements a USB Device Firmware Upgrade (DFU), probably because of some example code from ST. Dumping the memory from the standard DFU protocol just repeated the same binary string, but with a little bit of coaxing and investigating the terrible Windows-only official client application, [Travis] was able to find non-standard DFU commands, write a custom DFU client, and read and write the ‘codeplug’, an SPI Flash chip that stores radio settings, frequencies, and talk groups.
Further efforts to dump all the firmware on the radio were a success, and with that began the actual reverse engineering of the radio. It runs an ARM port of MicroC/OS-II, a real-time embedded operating system. This OS is very well documented, so with slightly more effort new functions and patches can be written.
In Digital Mobile Radio, audio is sent through either a public talk group or a private contact. The radio is usually set to only one talk group, and so it’s not really possible to listen in on other talk groups without changing settings. A patch for promiscuous mode – a mode that puts all talk groups through the speaker – is just setting one JNE in the firmware to a NOP.
With the help of [DD4CR] and [W7PCH], the entire radio has been reverse engineered with rewritten firmware that works with the official tools, the first attempts of scratch-built firmware built around FreeRTOS, and the beginnings of a very active development community for a $140 radio. [Travis] is looking for people who can add support for P25, D-Star, System Fusion, a proper scanner, or the ability to send and receive DMR frames over USB. All these things are possible, making this one of the most exciting radio hacks in recent memory.
Before [Travis] presented this hack at the Shmoocon fire talks, intuition guided me to look up this radio on Amazon. It was $140 with Prime, and the top vendor had 18 in stock. Immediately after the talk – 20 minutes later – the same vendor had 14 in stock. [Travis] sold four radios to members of the audience, and there weren’t that many people in attendance. Two hours later, the same vendor had four in stock. If you’re looking for the best hardware hack of the con, this is the one.
Although GRC (the GNU Radio Companion) uses the word radio, it is really a graphical tool for building DSP applications. In the last post, I showed you how you could experiment with it just by using a sound card (or even less). However, who can resist the lure of building an actual radio by dragging blocks around on a computer screen?
For this post and the accompanying video, I used an SDRPlay. This little black box has an antenna jack on one end and a USB port on the other. You can ask it to give you data about a certain area of the RF spectrum and it will send complex (IQ) data out in a form that GRC (or other DSP tools) can process.
The SDRPlay is a great deal (about $150) but if you don’t want to invest in one there are other options. Some are about the same price (like the HackRF or AirSpy) and have different features. However, you can also use cheap TV dongles, with some limitations. The repurposed dongles are not as sensitive and won’t work at lower frequencies without some external help. On the other hand, they are dirt cheap, so you can overlook a few little wrinkles. You just can’t expect the performance you’ll get out of a more expensive SDR box. Some people add amplifiers and converters to overcome these problems, but at some point it would be more cost effective to just spring for a more expensive converter.
Software Defined Radio (SDR), the ability to process radio signals using software instead of electronics, is undeniably fascinating. However, there is a big gap between being able to use off-the-shelf SDR software and writing your own. After all, SDRs require lots of digital signal processing (DSP) at high speeds.
Not many people could build a modern PC from scratch, but nearly anyone can get a motherboard, some I/O cards, a power supply, and a case and put together a custom system. That’s the idea behind GNU Radio and SDR. GNU Radio provides a wealth of Python functions that you can use to create sophisticated SDR applications (or, indeed, any DSP application).
If Python is still not up your alley (or even if it is), there’s an even easier way to use GNU Radio: The GNU Radio Companion (GRC). This is a mostly graphical approach, allowing you to thread together modules graphically and build simple GUIs to control your new radio.
Even though you usually think of GRC as being about radios, it is actually a good framework for building any kind of DSP application, and that’s what I’ll show you in the video below. GRC has a signal generator block and interfaces to your sound card. It even has the ability to read and write data to the file system, so you can use it to do many DSP applications or simulations with no additional hardware.
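The same no-hardware idea in plain Python, as an added example that is not GNU Radio’s code or the video’s flowgraph: a tone is FM-modulated into complex IQ samples, written out in the raw format GRC’s File Sink uses for complex samples (interleaved native float32 I,Q pairs), read back, and demodulated the way the Quadrature Demod block does it (angle of x[n]·conj(x[n-1])). The 48 kHz rate and 5 kHz deviation are assumptions chosen for the simulation.

```python
"""Pure-Python model of a GRC FM flowgraph with no radio attached:
tone -> FM modulator -> complex IQ -> file (GRC File Sink format) -> quadrature
demod -> tone again. Added example; not GNU Radio code."""
import cmath
import math
import os
import struct
import tempfile

SAMPLE_RATE = 48_000   # audio-rate simulation, like running GRC on a sound card
DEVIATION_HZ = 5_000   # peak FM deviation used by the modulator (assumption)


def tone(freq_hz, n, sample_rate=SAMPLE_RATE):
    """A real-valued sine, standing in for GRC's Signal Source block."""
    return [math.sin(2 * math.pi * freq_hz * i / sample_rate) for i in range(n)]


def fm_modulate(audio, deviation_hz=DEVIATION_HZ, sample_rate=SAMPLE_RATE):
    """Frequency-modulate audio onto a complex baseband carrier: the phase advances
    by 2*pi*deviation*audio/fs per sample, so instantaneous frequency follows audio."""
    phase, iq = 0.0, []
    for a in audio:
        phase += 2 * math.pi * deviation_hz * a / sample_rate
        iq.append(cmath.exp(1j * phase))
    return iq


def quadrature_demod(iq, deviation_hz=DEVIATION_HZ, sample_rate=SAMPLE_RATE):
    """Same idea as GRC's Quadrature Demod block: the angle of x[n]*conj(x[n-1]) is
    the per-sample phase step (instantaneous frequency); scale it back to audio."""
    gain = sample_rate / (2 * math.pi * deviation_hz)
    out, prev = [], 1 + 0j        # phase reference of 0 before the first sample
    for x in iq:
        out.append(cmath.phase(x * prev.conjugate()) * gain)
        prev = x
    return out


def write_iq_file(iq, path):
    """GRC's File Sink stores complex samples as interleaved native float32 I,Q."""
    with open(path, "wb") as f:
        for x in iq:
            f.write(struct.pack("ff", x.real, x.imag))


def read_iq_file(path):
    """Inverse of write_iq_file; what GRC's File Source (complex) would read."""
    with open(path, "rb") as f:
        raw = f.read()
    floats = struct.unpack("%df" % (len(raw) // 4), raw)
    return [complex(i, q) for i, q in zip(floats[0::2], floats[1::2])]


def dominant_frequency(samples, sample_rate=SAMPLE_RATE):
    """Brute-force DFT peak search (a GRC FFT sink would show the same peak)."""
    n = len(samples)
    best_k, best_mag = 0, 0.0
    for k in range(1, n // 2):
        acc = sum(s * cmath.exp(-2j * math.pi * k * i / n) for i, s in enumerate(samples))
        if abs(acc) > best_mag:
            best_k, best_mag = k, abs(acc)
    return best_k * sample_rate / n


def run_flowgraph(tone_hz=1_000, n=480):
    """Run the whole chain and return (recovered tone frequency, worst-case
    per-sample error) so the result can be checked without looking at a plot."""
    audio = tone(tone_hz, n)
    iq = fm_modulate(audio)
    with tempfile.NamedTemporaryFile(suffix=".iq", delete=False) as tmp:
        path = tmp.name
    try:
        write_iq_file(iq, path)
        recovered = quadrature_demod(read_iq_file(path))
    finally:
        os.remove(path)
    worst = max(abs(r - a) for r, a in zip(recovered, audio))
    return dominant_frequency(recovered), worst


if __name__ == "__main__":
    freq, err = run_flowgraph()
    print("recovered tone: %.1f Hz, worst sample error %.2e" % (freq, err))
```

Because the per-sample phase step stays well below π at this deviation, the demodulator recovers the audio almost exactly (the only error is float32 rounding from the file); pushing the deviation up until the step wraps is the quickest way to see why GRC flowgraphs need the sample rate and deviation to match.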
Since the discovery that some USB TV tuner dongles could be used to monitor radio waves across a huge amount of spectrum, the software-defined radio world has exploded with interest. The one limiting factor, though, has been that the dongles can only receive signals; they can’t transmit them. [Evariste Okcestbon, F5OEO] (if that is his real name! Ok c’est bon = Ok this is good) has written some software that will get you transmitting using SDR with only a Raspberry Pi and a wire.
There have been projects in the past that use a Pi to broadcast radio (PiFM), but this new software (RPiTX) takes it a couple of steps further. Using just an appropriately-sized wire connected to one of the GPIO pins, the Raspberry Pi is capable of broadcasting using FM, AM, SSB, SSTV, or FSQ signals. This greatly increases the potential of this simple computer-turned-transmitter, and anyone should be able to get a lot of use out of it. In the video demo below the break, [Evariste] records a wireless doorbell signal and then re-transmits it using just the Raspberry Pi.
The RPiTX code is available on GitHub if you want to try it out. And it should go without saying that you will most likely need an amateur radio license of some sort to use most of these features, depending on your locale. If you don’t have a ham radio license yet, you don’t need one to listen if you want to get started in the world of SDR. But a ham license isn’t hard to get and at this point it shouldn’t take much convincing for you to get transmitting.
One thing has stayed with the James Bond movie franchise through the decades: Mr. Bond always has the most wonderful of gadgets. Be it handheld, car-based, or otherwise, there’s always something to thrill that is mostly believable.
The biggest problem with all of those gadgets is that they mark Commander Bond as an obvious spy. “So Mr. Bond, I see you have a book with many random five character groups. Nothing suspicious about that at all!” And we all know that import/export specialists often carry exploding cufflinks or briefcases full of unknown electronics in hidden compartments.
Just as steganography hides data in plain sight, the best spy gadgets are the ones that don’t seem to be a spy gadget. It is no wonder some old weapons are little more than sticks or farm implements. You can tell a peasant he can’t have a sword, but it is hard to ban sticks.
Imagine you were a cold war era spy living in a hostile country with a cover job at Universal Exports. Would you rather get caught with a sophisticated encryption machine or an ordinary consumer radio? I’m guessing you went with the radio. You aren’t the only one. That was one of the presumed purposes of the mysterious shortwave broadcasts known as numbers stations. These were very common during the cold war, but there are still a few of them operating.