Mobile SIGINT Hacking On A Civilian’s Budget

Signals Intelligence (SIGINT) refers to performing electronic reconnaissance by eavesdropping on communications, and used to be the kind of thing that was only within the purview of the military or various three letter government agencies. But today, for better or for worse, the individual hacker is able to pull an incredible amount of information out of thin air with low-cost hardware and open source software. Now, thanks to [Josh Conway], all that capability can be harnessed with a slick all-in-one device: the RadioInstigator.

In his talk at the recent 2019 CircleCityCon, [Josh] (who also goes by the handle [CrankyLinuxUser]) presented the RadioInstigator as an affordable way to get into the world of wireless security research beyond the traditional WiFi and Bluetooth. None of the hardware inside the device is new exactly, it’s all stuff the hacking community has had access to for a while now, but this project brings them all together under one 3D printed “roof” as it were. The end result is a surprisingly practical looking device that can be used on the go to explore huge swaths of the RF spectrum at a cost of only around $150 USD.

So what has [Josh] packed into this wireless toybox? It will probably come as little surprise to find out that the star of the show is a Raspberry Pi 3 B+, combined with a touch screen display and portable keyboard so the user can interface with the various security tools installed.

To help the RadioInstigator surf the airwaves there’s an RTL-SDR and a 2.4 Ghz nRF24LU1+ “Crazyradio”, both broken out to external antenna connectors on the outside of the device. There’s even an external SMA connector hooked up to the Pi’s GPIO pin, which can be used for low-power transmissions from 5 KHz up to 1500 MHz with rpitx. Everything is powered by a beefy 10,000 mAh battery pack which should give you plenty of loiter time to perform your investigations.

[Josh] has also written several Bash scripts which will get a trove of radio hacking tools installed on the Pi automatically, either by pulling them in through the official repositories or downloading the source and compiling them. Getting the software environment into a known-good state can be a huge time sink, so even if you don’t build your own version of the RadioInstigator, his scripts are still worth checking out.

You can do some pretty incredible things with nothing more than a Pi and an RTL-SDR, but we can’t help but notice there’s still plenty of room inside the RadioInstigator for more gear. It could be the perfect home for a Mult-RTL setup, or maybe even a VGA adapter for spoofing cell networks.

Continue reading “Mobile SIGINT Hacking On A Civilian’s Budget”

Your Table Is Ready, Courtesy Of HackRF

Have you ever found yourself in a crowded restaurant on a Saturday night, holding onto one of those little gadgets that blinks and vibrates when it’s your turn to be seated? Next time, bust out the HackRF and follow along with [Tony Tiger] as he shows how it can be used to easily fire them off. Of course, there won’t actually be a table ready when you triumphantly show your blinking pager to the staff; but there’s only so much an SDR can do.

Even if you aren’t looking to jump the line at your favorite dining establishment, the video that [Tony] has put together serves as an excellent practical example of using software defined radio (SDR) to examine and ultimately replicate a wireless communications protocol. The same techniques demonstrated here could be applied to any number of devices out in the wild with little to no modification. Granted these “restaurant pagers” aren’t exactly high security devices to begin with, but you’d be horrified surprised how many other devices out there take a similarly cavalier attitude towards security.

[Tony] starts by using inspectrum to examine the Frequency-shift keying (FSK) modulation used by the 467.750 Mhz devices, and from there, uses Universal Radio Hacker to capture the actual binary data being sent over the air. Between studying the transmissions and the information he found online, he was eventually able to piece together the packet structure used by the restaurant’s base station.

Finally, he wrote a Python script which generates packets based on which pager he wants to set off. If he’s feeling particularly mischievous, he can even set them all off at once. The script outputs a binary file which is then loaded into GNU Radio for transmission via the HackRF. [Tony] says he’s not quite ready to release his script yet, but he gives enough information in the video that the intrepid hacker could probably get their own version up and running by the time he gets it posted up to GitHub anyway.

We saw some very similar techniques demonstrated at the recent WOPR Summit security conference, so once you’re done hacking the local restaurants, you can take these same lessons and apply them to the rest of the Internet of Things. If you’re wondering, it’s even easier to eavesdrop on the non-restaurant pagers.

Continue reading “Your Table Is Ready, Courtesy Of HackRF”

Solving The Final Part Of The IClicker Puzzle

The regular Hackaday reader might remember the iClicker from our previous coverage of the classroom quiz device, or perhaps you even had some first hand experience with it during your university days. A number of hackers have worked to reverse engineer the devices over the years, and on the whole, it’s a fairly well understood system. But there are still a few gaps in the hacker’s map of the iClicker, and for some folks, that just won’t do.

[Ammar Askar] took it upon himself to further the state of the art for iClicker hacking, and has put together a very detailed account on his blog. While most efforts have focused on documenting and eventually recreating how the student remotes send their responses to the teacher’s base station, he was curious about looking at the system from the other side. Specifically, he wanted to know how the base station was able to push teacher-supplied welcome messages to the student units, and how it informed the clients that their answers had been acknowledged.

He started by looking through the base station’s software update tool to find out where it was downloading the firmware files from, a trick we’ve seen used to great effect in the past. With the firmware in hand, [Ammar] disassembled the AVR code in IDA and got to work piecing together how the hardware works. He knew from previous group’s exploration of the hardware that the base station’s Semtech XE1203F radio is connected to the processor via SPI, so he started searching for code which was interacting with the SPI control registers.

This line of logic uncovered how the radio is configured over SPI, and ultimately where the data intended for transmission is stored in memory. He then moved over to running the firmware image in simavr. Just like Firmadyne allows you to run ARM or MIPS firmware with an attached debugger, this tool allowed [Ammar] to poke around in memory and do things such as simulate when student responses were coming in over the radio link.

At that point, all he had to do was capture the bytes being sent out and decode what they actually meant. This process was complicated slightly by the fact the system uses to use its own custom encoding rather than ASCII for the messages, but by that point, [Ammar] was too close to let something like that deter him. Nearly a decade after first hearing that hackers had started poking around inside of them, it looks like we can finally close the case on the iClicker.

Tracking Stolen Bikes With Narrowband IoT

For his entry into the 2019 Hackaday Prize, [Marin Vukosav] is working on an ambitious project to create a small GPS tracking device which utilizes Narrowband IoT (NB-IoT) for long range communications. Rather than using a GSM modem which would suck the batteries dry in short order, NB-IoT can theoretically maintain a connection within a 10 to 15 kilometer range while keeping the energy consumption low enough that the tracker could go up to a year before needing to be recharged.

At this point, the hardware is still in the proof of concept phase. [Marin] is using an Arduino with a GPS shield and a SIM7000 NB-IoT module to experiment with the concept, but ultimately says he wants to shrink the hardware down to the point it could fit inside of a bike light. Looking even farther ahead, he’d like to make deals with bike manufacturers so the module could be integrated into the frame itself, where a thief wouldn’t be able to access it at all.

Of course, nothing says this technology has to be limited to bikes. If [Marin] can get it small enough, and reach even half of his goal battery life, he’d have a very compelling product on his hands. Who wouldn’t want to add something like this to their long-range drone in case it gets lost?

There’s still a long way to go on this project, and it’s not all hardware. [Marin] will also have to create the software side of things, a site where you can register your tracker and be able to view its near real-time position on the map. It’s a lot of work, especially if you’re planning on turning it into a commercial product, and we’re very interested to follow along and see where the project goes throughout the year.

Perfecting The Open Source RC Controller

Over the last few months we’ve seen an influx of homebrew RC controllers come our way, and we’re certainly not complaining. While the prices of commercial RC transmitters are at an all-time low, and many of them can even run an open source firmware, there’s still nothing quite like building the thing yourself. How else are you going to get exactly what you want?

For this entry into the 2019 Hackaday Prize, [Vitor de Miranda Henrique] is working on his own version of the ultimate open source remote control. His design follows some of the trends we’ve already seen in terms of outward design and hardware expandability, but also branches off into some new territory with features such as dual integrated displays.

Why does your controller need two displays? The top 4.3 inch TFT is linked up to a 5.2 GHz video receiver, which makes it perfect for controlling vehicles in “first-person” view, such as drones. The lower screen is a 2.8 inch touch screen from Adafruit, which is intended to be used for navigating through menus and options once the firmware is fully fleshed out.

Powering the controller is a ESP32 and dual MCP23017 GPIO expanders to connect up to the array of input devices available to the user. The current iteration of the controller has ten switches, two encoders, some buttons, and a pair of scroll wheels for good measure. Oh, and of course there are a couple of joysticks in the mix as well. All the devices terminate at a custom PCB in the back of the controller which looks to make modifying and adding input devices simple and neat.

We’ve previously seen the Alpha V1, an open source controller with a fairly similar setup, albeit without the dual displays. If even that one is a bit more complex than you’d like, you can always just do it with an Arduino.

The Great Ohio Key Fob Mystery, Or “Honey, I Jammed The Neighborhood!”

Hack long enough and hard enough, and it’s a pretty safe bet that you’ll eventually cause unintentional RF emissions. Most of us will likely have our regulatory transgression go unnoticed. But for one unlucky hacker in Ohio, a simple project ended up with a knock at the door by local authorities and pointed questions to determine why key fobs and garage door remotes in his neighborhood and beyond had suddenly been rendered useless, and why his house seemed to be at the center of the disturbance.

Few of us want this level of scrutiny for our projects, so let’s take a more in-depth look at the Great Ohio Key Fob Mystery, along with a look at the Federal Communications Commission regulations that govern what you can and cannot do on the airwaves. As it turns out, it’s easy to break the law, and it’s easy to get caught.

Continue reading “The Great Ohio Key Fob Mystery, Or “Honey, I Jammed The Neighborhood!””

Open Hardware E-Ink Display Just Needs An Idea

Its taken awhile, but thanks to devices like the Amazon Kindle, the cost of e-ink displays are finally at the point where mere mortals such as us can actually start using them in our projects. Now we’ve just got to figure out how to utilize them properly. Sure you can just hook up an e-ink display to a Raspberry Pi to get started, but to truly realize the potential of the technology, you need hardware designed with it in mind.

To that end, [Mahesh Venkitachalam] has created Papyr, an open hardware wireless display built with the energy efficiency of e-ink in mind. This means not only offering support for low-energy communication protocols like BLE and Zigbee, but keeping the firmware as concise as possible. According to the documentation, the end result is that Papyr only draws 22 uA in its idle state.

So what do you do with this energy-sipping Bluetooth e-ink gadget? Well, that part is up to you. The obvious application is signage, but unless you’re operating a particularly well organized hackerspace, you probably don’t need wireless dynamic labels on your part bins (though please let us know if you actually do). More likely, you’d use Papyr as a general purpose display, showing sensor data or the status of your 3D printer.

The 1.54 inch 200×200 resolution e-ink panel is capable of showing red in addition to the standard grayscale, and the whole thing is powered by a Nordic nRF52840 SoC. Everything’s provided for you to build your own, but if you’d rather jump right in and get experimenting, you can buy the assembled version for $39 USD on Tindie.