Shmoocon 2016: Reverse Engineering Cheap Chinese Radio Firmware

Every once in a great while, a piece of radio gear catches the attention of a prolific hardware guru and is reverse engineered. A few years ago, it was the RTL-SDR, and since then, software defined radios became the next big thing. Last weekend at Shmoocon, [Travis Goodspeed] presented his reverse engineering of the Tytera MD380 digital handheld radio. The hack has since been published in PoC||GTFO 0x10 (56MB PDF, mirrored) with all the gory details that turn a $140 radio into the first hardware scanner for digital mobile radio.

The Tytera MD-380 digital radio

The Tytera MD380 is a fairly basic radio with two main chips: an STM32F405 with a megabyte of Flash and 192k of RAM, and an HR C5000 baseband. The STM32 has both JTAG and a ROM bootloader, but both of these are protected by the Readout Device Protection (RDP). Getting around the RDP is the very definition of a jailbreak, and thanks to a few forgetful or lazy Chinese engineers, it is most certainly possible.

The STM32 in the radio implements a USB Device Firmware Upgrade (DFU), probably because of some example code from ST. Dumping the memory from the standard DFU protocol just repeated the same binary string, but with a little bit of coaxing and investigating the terrible Windows-only official client application, [Travis] was able to find non-standard DFU commands, write a custom DFU client, and read and write the ‘codeplug’, an SPI Flash chip that stores radio settings, frequencies, and talk groups.

Further efforts to dump all the firmware on the radio were a success, and with that began the actual reverse engineering of the radio. It runs an ARM port of MicroC/OS-II, a real-time embedded operating system. This OS is very well documented, so with slightly more effort new functions and patches can be written.

In Digital Mobile Radio, audio is sent through either a public talk group or a private contact. The radio is usually set to only one talk group, and so it’s not really possible to listen in on other talk groups without changing settings. A patch for promiscuous mode – a mode that puts all talk groups through the speaker – is just setting one JNE in the firmware to a NOP.

The Tytera MD-380 ships with a terrible Windows app used for programming the radio

With the help of [DD4CR] and [W7PCH], the entire radio has been reverse engineered, with rewritten firmware that works with the official tools, the first attempts at scratch-built firmware built around FreeRTOS, and the beginnings of a very active development community for a $140 radio. [Travis] is looking for people who can add support for P25, D-Star, System Fusion, a proper scanner, or the ability to send and receive DMR frames over USB. All these things are possible, making this one of the most exciting radio hacks in recent memory.

Before [Travis] presented this hack at the Shmoocon fire talks, intuition guided me to look up this radio on Amazon. It was $140 with Prime, and the top vendor had 18 in stock. Immediately after the talk – 20 minutes later – the same vendor had 14 in stock. [Travis] sold four radios to members of the audience, and there weren’t that many people in attendance. Two hours later, the same vendor had four in stock. If you’re looking for the best hardware hack of the con, this is the one.

Ham Radio Public Service Activities – Rewarding And Useful

“Hi! I’m Rud, Kilo Five Romeo Uniform Delta.” That’s me introducing myself at a ham meeting. Ham radio operators kid that we don’t have last names, we have call signs.

Becoming an Amateur Radio Operator (ARO), our more formal name, is not difficult and opens a world of interesting activities, including hacking. As with anything new, becoming actively involved with an existing club can be daunting. The other hams at a meeting are catching up with their buddies and often seem uninterested in the new guy standing nearby. Some groups will invite new members to stand and introduce themselves early in the meeting, which helps break the ice.

Regardless of how anyone else acts at the meeting, there is one ham who is always looking for someone new – the ham who manages public service events, where amateur radio operators help establish communications for large public gatherings. These can be local bike rides, walks, or runs; I’ve even seen hams working an art show. In the nomenclature adopted since 9/11, these are “planned incidents” in contrast to “unplanned incidents” like hurricanes, tornadoes, forest fires, snow storms, and other natural or man-made disasters. Working planned incidents is training for unplanned incidents when that need arises. The basic activities for AROs are the same.

Here in Houston there are two very big events that enlist hundreds of hams. The big one in January is the Houston Marathon. The other large event is the Houston to Austin Multiple Sclerosis 150 (MS 150) mile bike ride in April. That event starts on Saturday morning, takes a break mid-way on Saturday evening, and finally wraps up late on Sunday evening. Starting in the fall there are warm-up events for the Marathon, and in the late winter bike rides to prepare riders for the MS-150. There are also other marathons, Iron Man races, walks, runs, and races throughout the year. Wherever you are, there are probably events nearby, and they can always make use of your radio capability.



Decoding Data Hiding In Star Trek IV

1986: The US and Russia signed arms agreements, Argentina won the World Cup, and Star Trek IV: The Voyage Home hit the theaters. Trekkies and the general public alike enjoyed the film. Some astute hams, though, noticed a strange phenomenon about halfway through the film. During a pivotal scene, Scotty attempts to beam Chekov and Uhura off the Enterprise, but has trouble with interference. The interference can be heard over the ubiquitous Star Trek comm link. To many it may sound like random radio noise. To the trained ear of [Harold Price, NK6K], though, it sounded a heck of a lot like packet radio transmissions.

By 1989, the film was out on VHS and laser disc. With high quality audio available, [Harold] challenged his friend [Bob McGwier, N4HY] to decode the signal. [Bob] used the best computer he had available: His brain. He also had a bit of help from a Cray 2 supercomputer.

[Bob] didn’t own his own Cray 2 of course, this particular computer was property of the National Security Agency (NSA). He received permission to test Frequency Shift Keyed (FSK) decoder algorithms. Can you guess what his test dataset was?

The signal required a lot of cleanup: The original receiver was tuned 900 Hz below the transmission frequency. There also was a ton of noise. To make matters worse, Scotty kept speaking over the audio. Thankfully, AX.25 is a forgiving protocol. [Bob] persevered and was able to obtain some usable data. The signal turned out to be [Bill Harrigill, WA8ZCN] sending a Receive Ready (RR) packet to N6AEZ on 20 meters. An RR packet indicates that [Bill’s] station had received all previous packets and was ready for more. [Bob] called [Bill], who was able to verify that it was probably him transmitting in 1985 or 1986, around the time the sound editors would have been looking for effects.
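As an added example (not code from the post or from [Bob]'s decoder), here is what the recovered frame looks like at the AX.25 link layer: the address field encoding and the supervisory control byte that marks it as Receive Ready. The callsigns are the article's; the N(R) value and SSIDs are constructed, and the HDLC flags, bit-stuffing and FCS that surround a real frame on the air are left out.

```python
# Added example: encode and parse an AX.25 RR supervisory frame.
# Callsigns from the article; N(R)/SSID values are constructed.

def encode_address(callsign: str, ssid: int, last: bool) -> bytes:
    """AX.25 address: 6 chars space-padded, each shifted left one bit, then
    an SSID byte 011SSSS0; the low 'extension' bit is 1 on the last address."""
    padded = callsign.upper().ljust(6)[:6]
    shifted = bytes((ord(c) << 1) & 0xFF for c in padded)
    return shifted + bytes([0x60 | ((ssid & 0x0F) << 1) | int(last)])

def decode_address(block: bytes):
    call = "".join(chr(b >> 1) for b in block[:6]).strip()
    return call, (block[6] >> 1) & 0x0F, bool(block[6] & 0x01)

def build_rr_frame(dest: str, src: str, nr: int) -> bytes:
    # S-frame control byte: N(R) in bits 7..5, P/F in bit 4,
    # SS in bits 3..2 (00 = RR), bits 1..0 = 01 mark a supervisory frame.
    control = ((nr & 0x07) << 5) | 0x01
    return (encode_address(dest, 0, False)
            + encode_address(src, 0, True)
            + bytes([control]))

def parse_frame(frame: bytes) -> dict:
    """Return who sent what to whom. RR with N(R)=n acknowledges every
    I-frame numbered below n and says the sender is ready for more."""
    dest, _, _ = decode_address(frame[0:7])
    src, _, last = decode_address(frame[7:14])
    if not last:
        raise ValueError("digipeater path present; not handled in this example")
    control = frame[14]
    if control & 0x03 != 0x01:
        raise ValueError("not a supervisory frame")
    s_type = {0: "RR", 1: "RNR", 2: "REJ"}.get((control >> 2) & 0x03, "SREJ")
    return {"from": src, "to": dest, "type": s_type,
            "nr": control >> 5, "poll_final": bool(control & 0x10)}

if __name__ == "__main__":
    frame = build_rr_frame("N6AEZ", "WA8ZCN", 5)
    print(frame.hex(), parse_frame(frame))
```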

That’s a pretty amazing accomplishment, especially considering it was 1989. Today, we carry supercomputers around in our pockets. The Cray 2 is roughly equivalent to an iPhone 4 in processing power. Modern laptop and desktop machines easily outclass Seymour Cray’s machine. We also have software like GNU Radio, which is designed to decode data. Our challenge to you, the best readers in the world, is to replicate [Bob McGwier’s] work, and share your results.

FM 101 And Transmitter Build With Afroman

One of our favorite purveyors of electronics knowledge is at it again. This time, [Afroman] explains how frequency modulation works while building up a short-range FM transmitter on a board he has available at OSH Park.

The design is based on a MAX2606 voltage-controlled oscillator (VCO) chip that can do 70-150MHz. [Afroman] sets it up to oscillate at about 100MHz using a 390nH inductor. He also put a potentiometer voltage divider on the 2606’s tuning pin. Voltage changes issued through the pot alter the transmitting frequency in small increments, making it easy to dial in a suitable channel for your broadcast. Add an electret mic and about a meter’s worth of solid-core wire and you have yourself an FM transmitter that is good for around 20 meters.

There are plenty of ways to build a small FM transmitter that allow for some experimentation and don’t involve placing SMD components. We covered a build last summer that uses a couple of 3904s and rides a 9V connector salvaged from a dead battery. The downside is that transistor-based transmitters tend to be less frequency-stable than a VCO chip.


Free Cell Data Transfer With Slowest Morse Code Ever

Readers of a certain age will remember the payphone trick of letting the phone ring once and then hanging up to get your quarter back. This technique was used with a pre-planned call time to let someone know you made it or you were okay without accruing the cost of a telephone call. As long as nobody answered you didn’t have to pay for the call, and that continues to be the case with some pay-per-minute cellphone plans.

This is the concept behind [Antonio Ospite’s] ringtone data transfer project called SaveMySugar. Don’t judge him, this work has been ongoing for around ten years and started back when cellphone minutes were a concern. We’re just excited to see that he got the excruciatingly slow thing to work.

Those wanting to dig down to the nitty-gritty of the protocol (and you should be one of them) will want to read through the main project page. The system works by dialing the cellphone, letting it ring once, then hanging up. The time between redials determines a Morse code dot, dash, or separation between characters. Because you can’t precisely determine how long each connection attempt will take, [Antonio] built ‘noise’ measurement into the system to normalize variations. The resulting data transfer works quite well. He was able to transfer the word “CODEX” in just six minutes and thirty seconds. But it is automatic, so what do you care? See the edge-of-your-seat action play out in the video below.
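To make the timing channel concrete, here is an added receiver-side decoder (not [Antonio]'s code) for the scheme described above: each gap between single rings is read as a dot, a dash or a letter gap, after a calibration step that absorbs the fixed call-setup delay. The preamble, the 1/3/7 unit ratios, the nearest-match classifier and the sample ring timestamps are all assumptions constructed for the example; the real protocol's figures differ.

```python
# Added example, not SaveMySugar's own code. Decodes a list of ring
# arrival times into text. Preamble, ratios and timestamps are assumptions.
from statistics import median

MORSE = {".-": "A", "-...": "B", "-.-.": "C", "-..": "D", ".": "E", "..-.": "F",
         "--.": "G", "....": "H", "..": "I", ".---": "J", "-.-": "K", ".-..": "L",
         "--": "M", "-.": "N", "---": "O", ".--.": "P", "--.-": "Q", ".-.": "R",
         "...": "S", "-": "T", "..-": "U", "...-": "V", ".--": "W", "-..-": "X",
         "-.--": "Y", "--..": "Z"}

# Gap length in units; every gap also carries the fixed dial-and-ring delay.
UNITS = {".": 1, "-": 3, " ": 7}
PREAMBLE = [".", "-", ".", "-"]   # assumed: known gaps sent first, for calibration

def calibrate(preamble_gaps):
    """Estimate the fixed delay and the unit from the preamble:
    dot = delay + u and dash = delay + 3u, so u = (dash - dot) / 2.
    This stands in for the 'noise' measurement; how the real one works is
    not shown on the page."""
    dots = median([g for g, s in zip(preamble_gaps, PREAMBLE) if s == "."])
    dashes = median([g for g, s in zip(preamble_gaps, PREAMBLE) if s == "-"])
    unit = (dashes - dots) / 2
    return dots - unit, unit

def classify(gap, delay, unit):
    # Nearest expected gap length wins, which tolerates jitter in call setup.
    return min(UNITS, key=lambda s: abs(gap - (delay + UNITS[s] * unit)))

def decode_rings(ring_times):
    gaps = [b - a for a, b in zip(ring_times, ring_times[1:])]
    delay, unit = calibrate(gaps[:len(PREAMBLE)])
    symbols = "".join(classify(g, delay, unit) for g in gaps[len(PREAMBLE):])
    return "".join(MORSE.get(letter, "?") for letter in symbols.split(" ") if letter)

# Constructed: seconds at which each single ring arrived (delay ~12 s, unit ~4 s,
# with a little jitter): the preamble followed by the word CODEX.
SAMPLE_RINGS = [0.0, 16.4, 40.1, 56.0, 80.5, 104.7, 121.5, 144.8, 160.4, 201.3,
                225.3, 250.4, 273.8, 313.0, 337.7, 353.8, 369.1, 410.1, 427.0,
                465.8, 489.7, 505.9, 522.9, 547.3]

if __name__ == "__main__":
    print(decode_rings(SAMPLE_RINGS))
```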

If you can’t stomach that baud, here’s a faster Morse code data transmitter but it doesn’t use the phone.


Get Your Amateur Radio License Already!

We run a lot of posts on amateur radio here at Hackaday, and a majority of our writers and editors* are licensed hams. Why? Because playing around with radio electronics is fun, and because having a license makes a lot more experimentation legal. (*We’re sure you have good reasons for slacking, Szczys.)

So let’s say that you want to get your “ticket” (and you live in the USA). It’s easy: just study for an exam or two, and take them. How to study? We’re glad you asked, because we just found this incredibly long video that’ll prep you for the exam.

At six and a half hours, we’ll admit that we haven’t watched the whole thing, but what we did see looks great. Admittedly, we were a little bit unnerved by [John (KD65CY)]’s overdone enthusiasm. But the content is fundamental, broad-ranging, and relevant. Heck, even a bit entertaining.

Even if you’re not interested in taking the exam, but are just interested in some radio basics, it’s worth looking. If you give it a shot, and like what you see, let us know in the comments what timestamps you found interesting.

The other “secret” about the amateur radio exams is that all of the questions and their answers are drawn from a publicly available pool of questions. This means that you can just cram the right answers, pass the exam, and you’ll have your grey cells back good as new in no time. To help you along your path, here are all the current Technician questions with only the correct answer for each. (And here is the Python script that generated them.) Read through this, take a couple of practice exams, and you’ll be ready to go.

In our experience, the Technician exam is easy enough that it’s probably worth your while to study up for the General exam as well. You have to take the former before the latter, but there’s nothing stopping you from taking them all in one sitting. (General gets you a lot more international shortwave frequencies, so it’s at least worth a shot.)

But don’t let that slow you down. Just getting the Tech license is easily worth studying up for a couple of hours or so. You have no excuses now. Go do it!


Art For Planespotters

We don’t know art, but we know what we like. And this gizmo by [Johan Kanflo] is right up our alley.

First, [Johan] gutted an old Macintosh Classic computer and stuffed a Raspberry Pi inside. Now this is not really a new idea, but [Johan] did a very nice job with the monitor and his attention to detail shows in the rebuilt floppy-drive eject mechanism. He gives it back that characteristic “schlurp” noise.

Then he outfitted the Raspberry Pi with an RTL dongle running dump1090 software to listen to the ADS-B radio signals. The data extracted from the SDR is piped off to an MQTT server with all sorts of data about the airplanes overhead. Another script subscribes to the MQTT topic and figures out which is the closest and runs an image search for the plane type in question, publishing the results back to another MQTT topic. One final script subscribes to this last topic and displays the relevant images on the screen. Pshwew!

The end result is a Macintosh Classic that’s continually updated with whatever planes are closest to being overhead. We’re not at all sure if this is fine art, or part of the useful arts, or maybe even none of the above. But we really like the nice case job and think that using MQTT as a back-end for coordinating multiple concurrent Python scripts (on the same computer) is pretty cool.