Cracking GSM With RTL-SDR For Thirty Dollars

Theoretically, GSM has been broken since 2003, but the limitations of hardware at the time meant cell phone calls and texts were secure from the prying ears of digital eavesdroppers and all but the most secret government agencies. Since then, the costs of hardware have gone down, two terabytes of rainbow tables have been published, and all the techniques and knowledge required to listen in on cell phone calls have been available. The only thing missing was the hardware. Now, with a super low-cost USB TV tuner turned software defined radio, [domi] has put together a tutorial for cracking GSM with thirty dollars in hardware.

Previous endeavours to listen in and decrypt GSM signals used fairly expensive software defined radios – USRP systems that cost a few thousand dollars a piece. Since the advent of RTL-SDR, the price of software defined radios has come down to about $30 on eBay, giving anyone with a Paypal account the ability to listen in on GSM calls and sniff text messages.

The process of cracking GSM first involves getting the TMSI – Temporary Mobile Subscriber Identifier – a unique ID for each phone in a certain cell. This is done by sending a silent SMS that will send back an acknowledgement that an SMS has been received on the victim’s phone, but won’t give the victim any indication of receiving a message.

From there, the attacker listens to the GSM signals in the cell, receiving bursts attached to a TMSI, and cracking the encrypted stream using 1.6 TB of rainbow tables.

[domi] put up a four-part tutorial series (part 1 above; part 2, part 3, and part 4) that goes over the theory and the actual procedure of cracking text messages and voice calls with a simple USB TV tuner. There are a few limitations; the attacker must be in the same cell as the victim, and it looks like real-time voice decoding isn’t yet possible. Cracking GSM for $30, though, that’s good enough for us.

SSTV Beacon Based On A Raspberry Pi

The Budapest hackerspace did some joint work with a local ham radio club and created an SSTV beacon housed inside a CCTV case that takes an image of its environment and transmits it using slow-scan television over ham bands.

As the title says, the build uses a Raspberry Pi to process the image taken from its camera and then transmits it over the air using a Ricofunk UHF transceiver with a main frequency of 433.425MHz. On the software side, PySSTV is used to convert images to frequency/time tuples, UNIXSSTV then creates the actual audio file and finally sox plays it. To avoid screwing up the Raspberry SD card, every part of the filesystem is either mounted in read-only mode (things like /home and /usr) or uses a ramdisk (things like /tmp and logs).

The plans, schematics and source code are available, so they hope that other hackerspaces will join the ranks!

Homebuilt Ultra Wideband Impulse Radar


[Dr. Gregory Charvat] tipped us off to a video demonstration of his ultra-wideband impulse radar he built using some of his existing radar gear and a few bits purchased off eBay. The homebuilt radar system worked well in his backyard but not much is covered about the build. [Greg] is promising a new book on practical approaches to developing and using small radar devices titled “Small and Short Range Radar Systems”. He told us that the draft is finished and covers radar systems like doppler, linear FM, synthetic aperture, phased array and also UWB impulse radar. It sounds like an interesting book, which can be pre-ordered on Amazon, and will include schematics and bill of materials so you too could build a UWB impulse radar or other small radar systems. Some of the advantages of a UWB impulse radar system are that it produces sub-nanosecond pulses good for tracking moving objects as well as imaging stationary objects. Such radar technology can even image buried objects like metallic and nonmetallic landmines.

Join us after the break for a little background on [Dr. Gregory Charvat] and to watch his demonstration video.


An Atmega328-based Radioteletype XY Scope Display

[Jack] tipped us about a Crossed Bananas Display (CBD) he just designed. A CBD is a tuning aid for frequency-shift keyed (FSK) modes and is basically an oscilloscope in X-Y mode. At one time, radioteletype operators used binary FSK to transmit text over radio waves. In this scheme, the “1” is called the mark frequency and the “0” is called the space frequency. If both frequencies were perfectly tuned (correct phase) the resulting display would look like the one shown above, explaining the origin of the “crossed banana” name.

The build is based on an ATmega328 and a 1.8″ ST7735R display which has a 128×160 resolution. The MC33204PG operational amplifier is used in conjunction with a potentiometer to scale the input into the microcontroller ADC’s range. Another potentiometer sets the refresh rate of the graph. The whole project is enclosed in a painted cast-aluminium bud box and all the sources for this project can be found here.

Guest Rant: Ham Radio — Hackers’ Paradise

Editor’s Note: This is a guest post written by [Bill Meara]

The suits at Hack-a-Day reached out to SolderSmoke HQ and asked me to send in a few words about why their readers should take a fresh look at ham radio. Here goes:

First, realize that today’s ham radio represents a tremendous opportunity for technical exploration and adventure. How about building a station (and software) that will allow you to communicate by bouncing digital signals off the moon? How about developing a new modulation scheme to send packets not down the fiber optic network, but around the world via the ionosphere, or via ham radio’s fleet of satellites? How about bouncing your packets off the trails left by meteors? This is not your grandfather’s ham radio.

You can meet some amazing people in this hobby: Using a very hacked-together radio station (my antenna was made from scrap lumber and copper refrigerator tubing) I’ve spoken to astronaut hams on space stations. Our “low power, slow signal” group includes a ham named Joe Taylor. Joe is a radio astronomer who won the Nobel Prize for Physics. He’s now putting his software skills to use in the development of below-the-noise receiving systems for ham radio. Join me after the break for more on the topic.

Visually Tune Your HF Antenna Using An Oscilloscope And Signal Generator

Lots of readers are into toying around with RF and ham radios. One thing that is always of concern is tuning the antenna. New equipment is never cheap, so whenever another option comes along that uses existing test gear it gets our attention. [Alan Wolke] aka [w2aew] covers a process he uses to tune his HF antenna using a signal generator and oscilloscope.

The process is more of a teaching aid than a practical replacement for commercial equipment, mostly because proper signal generators and oscilloscopes are large items and sometimes not available or affordable. That said, if you do have such test gear you only need build a simple breakout board containing a form of Wheatstone bridge where the unknown Rx is the antenna. Two oscilloscope probes are connected across the bridge balance nodes. Some special care needs to be taken matching probe cable length and 50 ohm input impedance to the oscilloscope. A couple of 1K probe coupling resistors are also needed to prevent affecting the impedance at the hookup points. Once the selected signal is injected you can adjust an antenna tuner until the two voltage waveforms match on the oscilloscope, indicating your antenna network is tuned to 50 ohm impedance with no reactance.
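To show why the two waveforms only line up at 50 ohms with no reactance, here is an added worked example (not code from [Alan Wolke]’s video). It assumes the bridge topology described above: three 50 ohm reference arms, the antenna as the fourth arm, the generator driving the top of the bridge, and the 1K probe coupling resistors treated as non-loading. The sample antenna impedances are constructed for illustration.

```python
import cmath
import math

# Assumed bridge: three 50 ohm reference arms, antenna is the fourth arm.
R_REF = 50.0


def bridge_nodes(z_ant, v_gen=1.0 + 0j, r_ref=R_REF):
    """Phasor voltages (v_a, v_b) at the two balance nodes the probes sit on.

    Left divider  (r_ref over r_ref): v_a = v_gen / 2, a fixed reference.
    Right divider (r_ref over z_ant): v_b = v_gen * z_ant / (r_ref + z_ant).
    Probe loading through the 1K coupling resistors is ignored (assumption).
    """
    v_a = v_gen * r_ref / (r_ref + r_ref)
    v_b = v_gen * z_ant / (r_ref + z_ant)
    return v_a, v_b


def mismatch(z_ant):
    """Return (|v_b|/|v_a|, phase of v_b relative to v_a in degrees).

    Equal amplitude and zero phase is what 'waveforms match' means on the scope.
    """
    v_a, v_b = bridge_nodes(z_ant)
    ratio = abs(v_b) / abs(v_a)
    phase_deg = math.degrees(cmath.phase(v_b) - cmath.phase(v_a))
    return ratio, phase_deg


def reactance_kind(z_ant, tol_deg=0.5):
    """Classify the residual reactance from the sign of the phase shift."""
    _, phase_deg = mismatch(z_ant)
    if phase_deg > tol_deg:
        return "inductive"
    if phase_deg < -tol_deg:
        return "capacitive"
    return "resistive"


def is_matched(z_ant, amp_tol=0.02, phase_tol_deg=1.0):
    """True when both amplitude and phase agree within the given tolerances."""
    ratio, phase_deg = mismatch(z_ant)
    return abs(ratio - 1.0) <= amp_tol and abs(phase_deg) <= phase_tol_deg


# Constructed sample antenna impedances (ohms) to exercise the bridge.
SAMPLE_LOADS = {
    "matched 50 ohm": 50 + 0j,
    "100 ohm resistive": 100 + 0j,
    "50 + j50 (inductive)": 50 + 50j,
    "50 - j50 (capacitive)": 50 - 50j,
}

if __name__ == "__main__":
    for name, z in SAMPLE_LOADS.items():
        ratio, phase_deg = mismatch(z)
        print(f"{name:24s} |Vb|/|Va|={ratio:.3f} phase={phase_deg:+7.2f} deg "
              f"{reactance_kind(z):10s} matched={is_matched(z)}")
```

Running it shows the purely resistive 100 ohm load changes only the amplitude, while the reactive loads also shift the phase of the second trace, which is the inductive/capacitive cue described below.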

Being able to tune your antenna visually can really help you understand what is going on in the tuning process; matching not only input impedance but also phase shift indicating inductive or capacitive reactance. Join us after the break to see the video and for information on what’s presented in the second part of [Alan’s] presentation.


Aux-in On A 30 Year Old Boombox


[Michael] just sent us this nice example of some good ol’ fashioned radio hacking.

He originally received the radio from his grandmother, and while he doesn’t listen to the radio much, he felt he couldn’t just let it go to waste. So like any good hacker he cracked open the case and took a look inside.

The beauty of radios from the ’80s is the simplicity of it all. They typically have single layer PCBs and nice big components, which makes it so much easier to tinker with.

He used a bench power supply to bypass the main transformer for safety’s sake, and began probing the various points. The cassette’s audio output was the easiest to find, but unfortunately it required the play button to be activated. Not wanting to lose functionality (or have an annoying rattling cassette mechanism), he continued probing and eventually found similar wires coming from the radio part of the PCB. Upon further probing he discovered he could trick the radio band button so that the radio would be off, but the output could still be used. After that it was just a matter of wiring, soldering, and adding an auxiliary plug to the case.

We’ve covered lots of auxiliary port hacks in the past, but this one is a great example of saving old technology from the dump.

[Thanks Michael!]