Accidental Satellite Hijacks Can Rebroadcast Cell Towers

A lot of us will use satellite communications without thinking much about the satellite itself. It’s tempting to imagine that up there in orbit is a communications hub and distribution node of breathtaking complexity and ingenuity, but it might come as a surprise to some people that most communications satellites are simple transponders. They listen on one frequency band, and shift what they hear to another upon which they rebroadcast it.

This simplicity is not without weakness: the phenomenon of satellite hijacking, for example, has a history stretching back decades. In the 1980s there were stories abroad of illicit trans-Atlantic serial links nestling as unobtrusive single carriers among the broad swathe of a broadcast satellite TX carrier.

Just sometimes, this phenomenon happens unintentionally. Our attention was drawn to a piece by [Harald Welte] on the unintended rebroadcast of GSM base station traffic over a satellite transponder, and of particular interest is the presentation from a conference in 2012 that it links to. The engineers show how they identified their interference as GSM by its timing frames, and then how they narrowed down its source to Nigeria. This didn’t give them the uplink in question though; for that they had to make a downconverter from an LNB, the output of which they coupled to an aged Nokia mobile phone with a wire antenna placed into an RF connector. The Nokia was able to decode the cell tower identification data, allowing them to home in on the culprit.

There was no fault on the part of the GSM operator; instead, an unterminated port on the uplink equipment was enough to pick up the GSM signal and introduce it into the transponder as a parasitic signal for the whole of Europe and Africa to hear. Meanwhile the tale of how the engineers identified it contains enough detective work and outright hardware hacking that we’re sure the Hackaday readership will find it of interest.

If satellite hacks interest you, how about reading our thread of posts on the recapture of ISEE-3, or maybe you’d like to listen for a lost satellite from the 1960s.

Thanks [Kia] for the tip.

Military Satellite Goes Civilian

Space may be the final frontier, but that doesn’t mean we all get to explore it. Except, perhaps, by radio, as the US Air Force has just demobbed a satellite and handed it over to the public to use. FalconSAT-3 was built and used by students at the US Air Force Academy (USAFA) as part of their training, then launched into orbit in 2007. It’s still going 10 years later, but the USAFA is building and launching more satellites, so they don’t need FalconSAT-3. Rather than trash it, they have turned off the military bits and are allowing radio amateurs to use it.


Cuban Embassy Attacks and The Microwave Auditory Effect

If you’ve been paying attention to the news, you may have seen a series of articles coming out about US staffers in Cuba. It seems that 21 staffers have suffered a bizarre array of injuries ranging from hearing loss to dizziness to concussion-like traumatic brain injuries. Some staffers have reported hearing incapacitating sounds in the embassy and in their hotel rooms. The reports range from clicking to grinding, humming, or even blaring sounds. One staffer described being awoken to a horrifically loud sound, only to have it disappear as soon as he moved away from his bed. When he got back into bed, the mysterious sound came back.

Cuba has denied any wrongdoing. However, the US has already started to take action – expelling two Cuban diplomats from the US in May. The question though is what exactly could have caused these injuries. The press has gone wild with theories of sonic weaponry, hidden bugs, and electronic devices, poisons, you name it. Even Julian Assange has weighed in, stating “The diversity of symptoms suggests that this is a pathogen combined with paranoia in an isolated diplomatic corps.”

So what’s going on? Bizarre accidents? Cloak and dagger gone awry? Mass hysteria among the US state department, or something else entirely?

Cheap, Full-Duplex Software Defined Radio With The LimeSDR

A few years ago, we saw the rise of software-defined radios with the HackRF One and the extraordinarily popular RTL-SDR USB TV tuner dongle. It’s been a few years, and technology is on a never-ending upwards crawl to smaller, cheaper, and more powerful widgets. Now, some of that innovation is making it to the world of software-defined radio. The LimeSDR Mini is out, and it’s the cheapest and most capable software defined radio yet. It’s available through a Crowd Supply campaign, with units shipping around the beginning of next year.

The specs for the LimeSDR Mini are quite good, even when compared to kilobuck units from Ettus Research. The frequency range for the LimeSDR Mini is 10 MHz – 3.5 GHz, bandwidth is 30.72 MHz, with a 12-bit sample depth and 30.72 MSPS sample rate. The interface is USB 3.0 (the connector is male, and soldered to the board, but USB extension cables exist), and the LimeSDR is full duplex. That last bit is huge — the RTL-SDR can’t transmit at all, and even the HackRF is only half duplex. This enormous capability is thanks to the field programmable RF transceiver found in all of the LimeSDR boards. We first saw these a year or so ago, and now these boards are heading into the hands of hackers. Someone’s even building a femtocell out of a Lime board.

The major selling point for the LimeSDR is, of course, the price. The ‘early bird’ rewards for the Crowd Supply campaign disappeared quickly at $99, but there are still plenty available at $139. This is very inexpensive and very fun — on the Crowd Supply page, you can see a demo of a LimeSDR Mini set up as an LTE base station, streaming video between two mobile phones. These are the golden days of hobbyist SDR.

An Unconference Badge That’s Never Gonna Give You Up

When your publication is about to hold a major event on your side of the world, and there will be a bring-a-hack, you abruptly realise that you have to do just that. Bring a hack. With the Hackaday London Unconference in the works this was the problem I faced, and I’d run out of time to put together an amazing PCB with beautiful artwork and software-driven functionality to amuse and delight other attendees. It was time to come up with something that would gain me a few Brownie points while remaining within the time I had at my disposal alongside my Hackaday work.

Since I am a radio enthusiast at heart, I came up with the idea of a badge that the curious would identify as an FM transmitter before tuning a portable radio to the frequency on its display and listening to what it was sending. The joke would be of course that they would end up listening to a chiptune version of [Rick Astley]’s “Never gonna give you up”, so yes, it was going to be a radio Rickroll.

The badge internals.

I evaluated a few options, and ended up with a Raspberry Pi Zero as an MP3 player through its PWM lines, feeding through a simple RC low-pass filter into a commercial super-low-power FM transmitter module of the type you can legally use with an iPod or similar to listen on a car radio. To give it a little bit of individuality I gave the module an antenna, a fractal design made from a quarter wavelength of galvanised fence wire with a cut-off pin from a broken British mains plug as a terminal. The whole I enclosed in a surplus 8mm video cassette case with holes Dremeled for cables, with the FM module using its own little cell and the Pi powered from a mobile phone booster battery clipped to its back. This probably gave me a transmitted field strength above what it should have been, but the power of those modules is so low that I am guessing the sin against the radio spectrum must have been minor.

At the event, a lot of people were intrigued by the badge, and a few of them were even Rickrolled by it. But for me the most interesting aspect lay not in the badge itself but in its components. First I looked at making a PCB with MP3 and radio chips, but decided against it when the budget edged towards £20 ($27). Then I looked at a Raspberry Pi running PiFM as an all-in-one solution with a little display HAT, but yet again ran out of budget. An MP3 module, Arduino clone, and display similarly became too expensive. Displays, surprisingly, are dear. So my cheapest option became a consumer FM module at £2.50 ($3.37) which already had an LCD display, and a little £5 ($6.74) computer running Linux that was far more powerful than the job in hand demanded. These economics would have been markedly different had I been manufacturing a million badges, but made a mockery of the notion that the simplest MCU and MP3 module would also be the cheapest.

Rickrolling never gets old, it seems, but evidently it has. Its heyday in Hackaday projects like this prank IR repeater seems to have been in 2012.

Hybrid Technique Breaks Backscatter Distance Barrier

Low cost, long range, or low power — when it comes to wireless connectivity, historically you’ve only been able to pick two. But a group at the University of Washington appears to have made a breakthrough in backscatter communications that allows reliable data transfer over 2.8 kilometers using only microwatts, and for pennies apiece.

For those unfamiliar with backscatter, it’s a very cool technology that modulates data onto RF energy incident from some local source, like an FM broadcast station or nearby WiFi router. Since the backscatter device doesn’t need to power local oscillators or other hungry components, it has negligible power requirements. Traditionally, though, that has given backscatter devices a range of a few hundred meters at most. The UW team, led by [Shyamnath Gollakota], describe a new backscatter technique (PDF link) that blows away previous records. By combining the spread-spectrum modulation of LoRa with the switched attenuation of incident RF energy that forms the basis for backscatter, the UW team was able to cover 2800 meters for under 10 microwatts. What’s more, with printable batteries or cheap button cells, the backscatter tags can be made for as little as 10 cents apiece. The possibilities for cheap agricultural sensors, ultracompact and low power wearable sensors, or even just deploy-and-forget IoT devices are endless.

We’ve covered backscatter before, both for agricultural uses and for pirate broadcasting stations. Backscatter has also seen more cloak and dagger duty.


A Fully Featured, Fifty Dollar QRP Radio

QRP radio operators try to get maximum range out of minimal power. This term comes from the QRP Q-code, which means “reduce power.” For years, people have built some very low-cost radios for this purpose. Perhaps the best known QRP kit is the Pixie, which can be found for less than $3 on eBay.

The QCX is a new DIY QRP radio kit from QRP Labs. Unlike the Pixie, it has a long list of features. The QCX operates on the 80, 60, 40, 30, 20, or 17 meter bands at up to 5W output power. The display provides tuning information, an S-meter, and a CW decoder. An on-board microswitch functions as a basic Morse key, and external Iambic or straight keys are also supported. An optional GPS can be used as a frequency reference.

The radio is based around the Silicon Labs Si5351A Clock Generator, a PLL chip with three clock outputs ranging from 2.5 kHz to 200 MHz. The system is controlled by an Atmel ATmega328P.

Demand for the kit has been quite high, and unfortunately you’ll have to wait for one. However, you can put down your $49 and learn Morse code while waiting for it to ship. While the project does not appear to be open source, the assembly instructions [PDF warning] provide a full schematic.