How To Run A First-Generation Cell Phone Network

Retro tech is cool. Retro tech that works is even cooler. When we can see technology working, hold it in our hand, and use it as though we’ve been transported back in time, that’s when we feel truly connected to history. To help others create small time anomalies of their own, [Dmitrii Eliuseev] put together a quick how-to for creating your own Advanced Mobile Phone System (AMPS) network, which can bring some of the classic cellular heroes of yesterday back to life.

Few readers will be surprised to learn that this project is built on software defined radio (SDR) and the Osmocom-Analog project, which we’ve seen before used to create a more modern GSM network at EMF Camp. Past projects were based on LimeSDR, but here we see that USRP is just as easily supported. [Dmitrii] also provides a brief history of AMPS, including some of the reasons it persisted so long, until 2007! The system features a very large coverage area with relatively few towers and has surprisingly good audio quality. He also discusses its disadvantages, primarily that anyone with a scanner and the right know-how could tune to the analog voice frequencies and eavesdrop on conversations. That alone, we must admit, is a pretty strong case for retiring the system.

The article does note that there may be legal issues with running your own cell network, so be sure to check your local regulations. [Dmitrii] also points out that AMPS is robust enough to work short-range with a dummy load instead of an antenna, which may help avoid regulatory issues. That being said, SDRs have opened up so many possibilities for what hackers can do with old wireless protocols. You can even go back to the time when pagers were king. Alternatively, if wired is more your thing, we can always recommend becoming your own dial-up ISP.


ESP8266 Adds WiFi To A 433 MHz Weather Station

There’s no shortage of cheap weather stations on the market that pull in data from several wireless sensors running in the 433 to 900 MHz range and present you with a slick little desktop display, but that’s usually where the flow of information stops. Looking to bridge the gap and bring all that local climate data onto the Internet, [Jonathan Diamond] decided to reverse engineer how his weather station worked.

The first phase of this project involved an RTL-SDR receiver, GNURadio, and a sprinkling of Python. [Jonathan] was able to lock onto the signal and piece together the data packets that reported variables such as temperature, wind speed, and rainfall. Each one of these was a small puzzle in itself, and in the end, there are still a few bits which he hasn’t quite figured out. But he at least had enough to move on to the next step.

Tapping into the radio module.

Now at this point, he could have pulled the data right out of the air with his RTL-SDR. But looking to push his skills to the next level, [Jonathan] decided to open up the base station and isolate its receiver. Since he had already decoded the packets on the RF side, he knew exactly what he was looking for with his oscilloscope and logic analyzer. Once he was tapped into the feed coming from the radio, the final step was writing some code for the ESP8266 that could listen on the line, interpret the data packets, and push the resulting variables out over the network.

In this case, [Jonathan] decided to funnel all the data into Weather Underground by way of the Personal Weather Station API. This not only let him view the data through their web interface and smartphone application, but brought their hyperlocal forecasting technology into the mix at no extra charge. If you’re not interested in sharing your info with the public, it would be a trivial matter to change the firmware so the data is published to a local MQTT broker, or whatever else floats your proverbial boat.

If you’re really lucky, your own weather station may already have an ESP8266 onboard and be dumping all its collected data to the serial port. But if not, projects like this one that break down how to reverse engineer a wireless signal can be a great source of inspiration and guidance should you decide to try and crack the code.

Historical Hackers: Emergency Antennas Launched By Kite

Your airplane has crashed at sea. You are perched in a lifeboat and you need to call for help. Today you might reach for a satellite phone, but in World War II you would more likely turn a crank on a special survival radio.

These radios originated in Germany but were soon copied by the British and the United States. In addition to just being a bit of history, we can learn a few lessons from these radios. The designers clearly thought about the challenges stranded personnel would face and came up with novel solutions. For example, how do you loft a 300-foot wire up to use as an antenna? Would you believe a kite or even a balloon?


The Russian Woodpecker: Official Bird Of The Cold War Nests In Giant Antenna

On July 4th, 1976, as Americans celebrated the country’s bicentennial with beer and bottle rockets, a strong signal began disrupting shortwave, maritime, aeronautical, and telecommunications signals all over the world. The signal was a rapid 10 Hz tapping that sounded like a woodpecker or a helicopter thup-thupping on the roof. It had a wide bandwidth of 40 kHz and sometimes exceeded 10 MW.

This was during the Cold War, and plenty of people rushed to the conclusion that it was some sort of Soviet mind control scheme or weather control experiment. But amateur radio operators traced the mysterious signal to an over-the-horizon radar antenna near Chernobyl, Ukraine (then part of the USSR) and they named it the Russian Woodpecker. Here’s a clip of the sound.

The frequency-hopping Woodpecker signal was so strong that it made communication impossible on certain channels and could even be heard across telephone lines when conditions were right. Several countries filed official complaints with the USSR through the UN, but there was no stopping the Russian Woodpecker. Russia wouldn’t even own up to the signal’s existence, which has since been traced to an immense antenna structure that is nearly half a mile long and at 490 feet, stands slightly taller than the Great Pyramid at Giza.

This imposing steel structure stands within the irradiated forest near Pripyat, an idyllic town founded in 1970 to house the Chernobyl nuclear plant workers. Pictured above is the transmitter, also known as Duga-1, Chernobyl-2, or Duga-3 depending on who you ask. Located 30 miles northeast of Chernobyl, on old Soviet maps the area is simply labeled Boy Scout Camp. Today, it’s all within the Chernobyl Exclusion Zone.

It was such a secret that the government denied its existence, yet it was being heard all over the world. What was this mammoth installation used for?


Calibrating A VNA The Proper Way

Those of us who have bought cheap TinyVNA devices for our RF experimentation will be used to the calibration procedure involving short-circuit, 50 Ω, and open terminations, followed by a direct connection between ports. We do this with a kit of parts supplied with the device, and it makes it ready for our measurements. What we may not fully appreciate at the level of owning such a basic instrument though, is that the calibration process for much higher-quality instruments requires parts made to a much higher specification than the cheap ones from our TinyVNA. Building a set of these high-quality parts is a path that [James Wilson] has taken, and in doing so he presents a fascinating discussion of VNA calibration and the construction of standard RF transmission line components.
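The short/open/load calibration described above, as an added worked example (not code from the article or from [James Wilson]'s build): it solves the one-port three-term error model from three standards, then shows on constructed numbers how a standard whose true reflection coefficient differs from what the kit claims it to be degrades every corrected measurement afterwards. The instrument error terms and the kit values are assumptions made up for the demonstration.

```python
# One-port SOL (short-open-load) VNA calibration. Added example, not code from
# the article or from [James Wilson]. Three-term error model of a reflection
# port: gm = e00 + e01e10*ga/(1 - e11*ga), ga = true reflection, gm = raw reading.
import cmath
from typing import List, Sequence, Tuple

def _det3(m: Sequence[Sequence[complex]]) -> complex:
    return (m[0][0] * (m[1][1] * m[2][2] - m[1][2] * m[2][1])
            - m[0][1] * (m[1][0] * m[2][2] - m[1][2] * m[2][0])
            + m[0][2] * (m[1][0] * m[2][1] - m[1][1] * m[2][0]))

def _solve3(m, b) -> List[complex]:
    """Cramer's rule for the 3x3 complex system m @ x = b."""
    d, out = _det3(m), []
    for col in range(3):
        mc = [list(row) for row in m]
        for r in range(3):
            mc[r][col] = b[r]
        out.append(_det3(mc) / d)
    return out

def solve_error_terms(standards: Sequence[Tuple[complex, complex]]):
    """standards: three (ga as defined by the cal kit, gm as measured) pairs.
    As gm = e00 + e11*ga*gm + c*ga the model is linear in (e00, e11, c), c = e01e10 - e00*e11."""
    e00, e11, c = _solve3([[1, ga * gm, ga] for ga, gm in standards],
                          [gm for _, gm in standards])
    return e00, e11, c + e00 * e11

def correct(gm: complex, terms) -> complex:
    """Apply solved error terms (e00, e11, e01e10) to a raw DUT reading."""
    e00, e11, e01e10 = terms
    return (gm - e00) / (e01e10 + e11 * (gm - e00))

def raw_measure(ga: complex, terms) -> complex:
    """Simulated uncorrected port: what the instrument reports for a true ga."""
    e00, e11, e01e10 = terms
    return e00 + e01e10 * ga / (1 - e11 * ga)

# Constructed error terms of an imaginary instrument (not from the article).
TRUE_TERMS = (0.03 - 0.01j, 0.08 + 0.04j, 0.92 - 0.05j)
# Constructed true values of a cal kit at a high frequency: the open shows a
# fringing-capacitance phase shift, the short and load are slightly imperfect.
KIT_ACTUAL = {"short": -0.995 + 0.01j, "open": cmath.exp(-0.2j), "load": 0.005j}
KIT_IDEAL = {"short": -1, "open": 1, "load": 0}  # what a cheap kit "promises"

def calibration_error(dut_ga: complex, definitions: dict) -> float:
    """Residual DUT error after calibrating with `definitions` for a kit whose true values are KIT_ACTUAL."""
    stds = [(definitions[k], raw_measure(KIT_ACTUAL[k], TRUE_TERMS))
            for k in ("short", "open", "load")]
    return abs(correct(raw_measure(dut_ga, TRUE_TERMS),
                       solve_error_terms(stds)) - dut_ga)
```

Calibrating with the kit's true values recovers the DUT exactly; describing the same kit with ideal textbook values leaves an error of several percent on a 0.5 reflection, which is why the quality of the standards, not just the VNA, sets the accuracy.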

We particularly like the way that after constructing his short, load and open circuit terminations using high-quality SMA sockets, he put a custom brass fitting 3D printed by Shapeways on the end of each to make them easier to handle while preserving their RF integrity. If we’d bought a set of terminations looking like these ones as commercial products we would be happy with their quality, but the real test lay in their performance. Thanks to a friend he was able to get them tested on instruments with much heftier price tags, and found them to be not far short of the simulation and certainly acceptable within his 3 GHz range.

Curious about VNAs at the affordable end of the spectrum? We took a look at the TinyVNA, which while it is something of a toy is still good enough for lower frequency measurements.

Finally An Inexpensive Route To Digital Radio Listening

An inexorable trend over the last decade or more has been the exodus of AM radio stations from the low frequency and HF broadcast bands. The bandwidth and thus audio quality at these frequencies puts them at a disadvantage against FM and internet streamed services, and the long-distance advantage of HF has been reduced by easy online access to overseas content. The world has largely moved on from these early-20th-century technologies, leaving them ever more a niche service.

Happily for medium- and long-wave enthusiasts there is a solution to their decline, in the form of DRM, or Digital Radio Mondiale, a digital scheme that delivers cleaner audio and a range of other services in the same space as a standard-sized AM channel. DRM receivers are somewhat rare and usually not cheap though, so news of an Android app DRM receiver from Starwaves is very interesting indeed.

DRM uses a licensed encoding scheme from the Fraunhofer Institute, and this product follows on from a line of hardware DRM receivers that Starwaves has developed using their technology. It uses the Android device as a front-end for any of a number of SDR receivers, including the popular RTL-SDR series. It supports the VHF variant of DRM, though we’re guessing that since the best chance of finding a DRM channel for experimentation is on HF, an RTL-SDR with the HF modification will be required. We think it’s an interesting development because the growth of DRM is a chicken-and-egg situation where there must be enough receivers in the wild for broadcasters to consider it viable.

The Evil Crow Is Ready To Cause Some RF Mayhem

There’s no doubt that the RTL-SDR project has made radio hacking more accessible than ever, but there’s only so far you can go with a repurposed TV tuner. Obviously the biggest shortcoming is the fact that you can only listen to signals, and not transmit them. If you’re ready to reach out and touch someone, but don’t necessarily want to spend the money on something like the HackRF, the Evil Crow RF might be your ideal next step.

This Creative Commons licensed board combines two CC1101 radio transceivers and an ESP32 in one handy package. The radios give you access to frequencies between 300 and 928 MHz (with some gaps), and the fact that there are two of them means you can listen on one frequency while transmitting on another, opening up interesting possibilities for relaying signals. With the standard firmware you connect to a web interface running on the ESP32 to configure basic reception and transmission options, but there’s also a more advanced RFQuack firmware that allows you to control the hardware via Python running on the host computer.

Using the Evil Crow RF without a computer.

One particularly nice feature is the series of buttons located down the side of the Evil Crow RF. Since the device is compatible with the Arduino IDE, you can easily modify the firmware to assign various functions or actions to the buttons.

In a demonstration by lead developer [Joel Serna], the physical buttons are used to trigger a replay attack while the device is plugged into a standard USB power bank. There’s a lot of potential there for covert operation, which makes sense, as the device was designed with pentesters in mind.

As an open source project you’re free to spin up your own build of the Evil Crow RF, but those looking for a more turn-key experience can order an assembled board from AliExpress for $27 USD. This approach to hardware manufacturing seems to be getting popular among the open source crowd, with the Open-SmartWatch offering a similar option.

[Thanks to DJ Biohazard for the tip.]