Michael Ossmann Pulls DSSS Out of Nowhere

[Michael Ossmann] spoke on Friday to a packed house in the wireless hacking village at DEF CON 25. There’s still a day and a half of talks remaining but it will be hard for anything to unseat his Reverse Engineering Direct Sequence Spread Spectrum (DSSS) talk as my favorite of the con.

DSSS is a technique used to transmit reliable data where low signal strength and high noise are likely. It’s used in GPS communications where the signal received from a satellite is often far too small for you to detect visually on a waterfall display. Yet we know that data is being received and decoded by every cell phone on the planet. It is also used for WiFi management packets and ZigBee, and it turns up in proprietary systems, especially those dealing with satellite communications.

[Michael] really pulled a rabbit out of a hat with his demos which detected the DSSS signal parameters in what appeared to be nothing but noise. You can see below the signal with and without noise; the latter is completely indiscernible as a signal at all to the eye, but can be detected using his techniques.

Detecting DSSS with Simple Math

[Michael] mentioned simple math tricks, and he wasn’t kidding. It’s easy to assume that someone as experienced in RF as he would have a different definition of ‘simple’ than we would. But truly, he’s using multiplication and subtraction to do an awful lot.

DSSS transmits each binary value as a fixed sequence of chips. The chip sequence for digital 1 might be 11100010010, with the digital 0 being the inverse of that. You can see this in the slide at the top of this article. Normal DSSS decoding compares the signal to expected values, using a correlation algorithm that multiplies the two and gives a score. If the score is high enough, 11 in this example, then a bit has been detected.

To reverse engineer this it is necessary to center on the correct frequency and then detect the chip encoding. GNU Radio is the tool of choice for processing a DSSS capture from a SPOT Connect module designed to push simple messages to a satellite communication network. The first math trick is to multiply the signal by itself and then look at the spectrum to see if there is a noticeable spike indicating the center frequency. This can then be adjusted with an offset, and smaller spikes on either side will be observed.

When visualized in a constellation view you begin to observe a center and two opposite clusters. The next math trick is to square the signal (multiply it by itself) and it will join those opposite clusters onto one side. What this accomplishes is a strong periodic component (the cycle from the center to the cluster and back again) which reveals the chip rate.

Detecting symbols within the chip sequence is another math trick. Subtract each successive value in the signal from the previous one and you will mostly end up with zero (high signal minus high signal is zero, etc.). But every time the signal spikes you’re looking at a transition point, and the visualization begins to look like logic traced out on an oscilloscope. This technique can deal with small amounts of noise but becomes more robust with a bit of filtering.
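As an added illustration (not code from the talk or from [Michael’s] own script), here is a small pure-Python model of two of those tricks on a constructed baseband DSSS burst using the 11-chip sequence from the slide: differencing to find chip edges and recover the chip period, and correlation against the known sequence to decode the bits once the parameters are known. The oversampling factor, noise level and data bits are assumptions for the demo; carrier recovery by squaring is not modelled.

```python
import random
from statistics import mode

CODE = [1, 1, 1, 0, 0, 0, 1, 0, 0, 1, 0]   # 11-chip sequence from the slide; a 0 bit sends its inverse
SPC = 4                                     # samples per chip (assumed oversampling factor)

def spread(bits, spc=SPC):
    """Spread data bits into +/-1 chips, each held for spc samples (baseband DSSS)."""
    out = []
    for b in bits:
        for c in CODE:
            out += [1.0 if c == b else -1.0] * spc   # b=1 -> sequence, b=0 -> inverted sequence
    return out

def add_noise(samples, sigma, seed=7):
    """Constructed Gaussian noise so the demo runs offline and is repeatable."""
    rng = random.Random(seed)
    return [s + rng.gauss(0.0, sigma) for s in samples]

def chip_edges(samples, threshold=1.0):
    """Differencing trick: x[n]-x[n-1] is ~0 inside a chip and ~+/-2 at a transition."""
    return [n for n in range(1, len(samples)) if abs(samples[n] - samples[n - 1]) > threshold]

def chip_period(edges):
    """Most common spacing between detected edges = samples per chip (i.e. the chip rate)."""
    return mode([b - a for a, b in zip(edges, edges[1:])])

def correlate(samples, start, spc):
    """Score one sequence-length window against the +/-1 sequence: +11*spc ideal for a 1, -11*spc for a 0."""
    return sum(samples[start + i * spc + k] * (1.0 if CODE[i] else -1.0)
               for i in range(len(CODE)) for k in range(spc))

def despread(samples, spc):
    """Normal DSSS decoding: one bit per window, decided by the sign of the correlation score."""
    window = len(CODE) * spc
    return [1 if correlate(samples, n * window, spc) > 0 else 0
            for n in range(len(samples) // window)]

if __name__ == "__main__":
    bits = [1, 0, 1, 1, 0, 0, 1, 0]           # assumed payload
    clean = spread(bits)
    noisy = add_noise(clean, sigma=1.0)       # chips are no longer visible by eye at this level
    print("chip period (samples):", chip_period(chip_edges(clean)))
    print("decoded:", despread(noisy, SPC), "matches" if despread(noisy, SPC) == bits else "differs")
```

With a raw threshold the edge detector only tolerates light noise, which is exactly why the talk adds filtering; the correlation decoder, summing over the whole 44-sample window, keeps working well past the point where the chips vanish from view.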

This sort of exploration of the signal is both fun and interesting. But if you want to actually get some work done you need a tool. [Michael] built his own in the form of a Python script that ingests a .cfile and spits out the frequency offset, chip rate, chip sequence length, and decoded chip sequence.

Running his sample file through with increasing levels of noise added, the script was rock solid on detecting the parameters of the signal. Interestingly, it is even measuring the 3 parts per million difference between the transmitter and receiver clocks in the detected chip rate value. What isn’t rock solid is the actual bit information, which begins to degrade as the noise is increased. But just establishing the parameters of the protocol being used is the biggest part of the battle and this is a dependable solution for doing that quickly and automatically.

You can give the script a try. It is part of [Michael’s] Clock Recovery repo. This talk was recorded and you should add it to your reminder list for after the con when talks begin to be published. To hold you over until then, we suggest you take a look at his RF Design workshop from the 2015 Hackaday Superconference.

OpenEMS Makes Electromagnetic Field Solving… Merely Difficult

To ordinary people electronics is electronics. However, we know that the guy you want wiring your industrial furnace isn’t the guy you want designing a CPU. Neither of those guys are likely to be the ones you want building an instrumentation amplifier. However, one of the darkest arts of the electronic sects is dealing with electromagnetic fields. Not only is it a rare specialty, but it requires a lot of high-powered math. Enter OpenEMS, a free and open electromagnetic field solver.

We would like to tell you that OpenEMS makes doing things like antenna analysis easy. But that’s like saying Microsoft Word makes it easy to write a novel. In one sense, yes, but you still need to know what you are doing. In fairness, though, the project does provide a good set of tutorials, ranging from a simple waveguide to a sophisticated phased array of patch antennas. Our advice? Start with the waveguide and work your way up from there.

The software uses Octave or MATLAB for scripting, plotting, and support. You can download it for Windows or Linux.

If you want to start with something more intuitive for electromagnetic field visualization, this might help. If you prefer your models more concrete and less abstract, perhaps you should work at Lincoln Lab.

Rapidly Prototyping RF Filters

RF filters are really just a handful of strategically placed inductors and capacitors. Yes, you can make a 1 GHz filter out of through-hole components, but the leads on the parts turn into inductors at those frequencies, completely ruining the expected results in a design.

The solution to this is microstrip antennas, or carefully arranged tracks and pads on a PCB. Anyone can build one of these with Eagle or KiCad, but that means waiting for an order from a board house to verify your design. [VK2SEB] has a better idea for prototyping PCB filters: use copper tape on blank FR4 sheets.

The first, and simplest, filter demonstrated is a simple bandstop filter. This is really just a piece of fiberglass with copper laminated to one side. Two RF connectors are soldered to the edges and a strip of copper tape strung between them. Somewhere around the middle of this copper tape, [VK2SEB] put another strip of copper tape in a ‘T’ configuration. This is the simplest bandstop filter you can make, and the beauty of this construction is that it can be tuned with a razor blade.

Of course, a filter can only be built with copper tape if you can design it, and for that [SEB] is turning to software. The Qucs project is a software tool for designing and simulating these microstrip filters, and after inputting the correct parameters, [SEB] got a nice diagram of what the filter should look like. A bit of taping, razor blading, and soldering and [SEB] had a working filter connected to a spectrum analyzer. Did it work? To a limited extent; the PCB material probably wasn’t right, and board houses are more accurate than a razor blade, but [SEB] did manage to create a 10 GHz filter out of fiberglass and copper tape.

You can check out the video for this experiment below.


Smart Gun Beaten by Dumb Magnets

[Plore], a hacker with an interest in safe cracking, read a vehemently anti-smart-gun thread in 2015. With the words “Could you imagine what the guys at DEF CON could do with this?” [Plore] knew what he had to do: hack some smart guns. Watch the video below the break.

Armed with the Armatix IP1, [Plore] started with one of the oldest tricks in the book: an RF relay attack. The Armatix IP1 is designed to fire only when a corresponding watch is nearby, indicating that a trusted individual is the one holding the gun. However, by using a custom-built $20 amplifier to extend the range of the watch, [Plore] is able to fire the gun from more than ten feet away, which is more than enough distance to be dangerous and certainly more than the few inches the manufacturers intended.

Not stopping there, [Plore] went to the other extreme, creating what he calls an “electromagnetic compatibility tester” (in other words, a jammer) that jams the signal from the watch, effectively preventing a legitimate gun owner from firing their gun at 10 to 20 feet!

Not one to call it quits, [Plore] realised that the gun prevented illicit firing with a simple metal pin which it moved out of the way once it sensed the watch nearby. However, this metal just happened to be ferrous, and you know what that means: [Plore], with the help of some strong magnets, was able to move the pin without any electrical trickery.

Now, we’ve already covered the many hurdles that smart guns face, and this specific investigation of the state of smart gun technology doesn’t make the picture look any brighter. We’re aware that hindsight is always 20/20, so let us know in the comments how you would fix the problems with the Armatix IP1.

Robot: Do My Bidding!

Remote control robots are nothing new. Using Bluetooth isn’t all that unusual, either. What [SayantanM4] did was make a Bluetooth robot that accepts voice commands via his phone. The robot itself isn’t very remarkable. An Arduino and an HC05 module make up most of the electronics. A standard motor driver runs the two wheels.

The Arduino doesn’t usually do much voice processing, and the trick is–of course–in the phone application. BT Voice Control for Arduino is a free download that simply sends strings to a host computer via Bluetooth. If you say “Hello” into your phone, the robot receives *Hello# and that string could be processed by any computer that can receive Bluetooth data.


ISM Communications for Arduino

If you want to wirelessly communicate between devices, WiFi and Bluetooth are obvious choices. But there’s also the ISM (industrial, scientific, and medical) band that you can use. There are inexpensive modules like the SX1278 that can handle this for you using LoRa modulation, but they haven’t been handy to use with an Arduino. [Jan] noticed the same thing and set out to build a shield that allows an Arduino to communicate using LoRa. You can find the design data on GitHub. [Jan] calls it the LoRenz shield.

According to [Jan], the boards cost about $20 to $30 each to make, and most of that cost was in having PC boards shipped. LoRa lets you trade data rate for bandwidth, but typical data rates are fairly modest. As for range, that depends on a lot of factors, too, but we’ve seen ranges quoted in terms of miles.

Depending on where you live, there may be legal restrictions on how you use a radio like the SX1278. You should understand your local laws before you buy into using the ISM bands. We aren’t sure it would be wise, but the board can coexist with three other similar shields. So you could get four radios going on one Arduino if you had to and could manage the power, RF, and other issues involved. The breakout board the module uses has an antenna connector, so depending on your local laws, you could get a good bit of range out of one of these.

[Jan] promises a post on the library that makes it all work shortly, but you can find the code on GitHub now. If you look at the code in the examples directory, it seems pretty easy. You’d have to sling some software, but the SX1278 can support other modes in addition to LoRa, including FSK and other data modulation techniques.

We’ve seen other LoRa shields, but not many. If you are interested in other wireless technologies, we’ve talked about them quite a bit. If you want a basic introduction to LoRa, [Andreas Spiess’] video below is a good place to start.


ESP to Wireshark

Everyone’s favorite packet sniffing tool, Wireshark, has been around for almost two decades now. It’s one of the most popular network analysis tools available, partially due to it being free and open source. Its popularity guaranteed that it would eventually be paired with the ESP32/8266, the rising star of the wireless hardware world, and [spacehuhn] has finally brought these two tools together to sniff WiFi packets.

The library that [spacehuhn] created uses the ESP chip to save Pcap files (the default Wireshark filetype) onto an SD card or send the data over a serial connection. The program runs once every 30 seconds, creating a new Pcap file each time. There are many example scripts for the various hardware you might be using, and since this is written for the ESP platform it’s also Arduino compatible. [spacehuhn] has written this as a proof-of-concept, so there are some rough edges still, but this looks very promising as a network analysis tool.

[spacehuhn] is no stranger to wireless networks, either. His YouTube channel is full of interesting videos of him exploring various exploits and testing other pieces of hardware. He’s also been featured here before for using an ESP8266 as a WiFi jammer.
