Remote ADS-B Install Listens In On All The Aircraft Transmissions With RTL-SDR Trio, Phones Home On Cellular

When installing almost any kind of radio gear, the three factors that matter most are the same as in real estate: location, location, location. An unobstructed location at the highest possible elevation gives the antenna the furthest radio horizon as well as the biggest bang for the installation buck. But remote installations create problems, too, particularly with maintenance, which can be a chore.

So when [tsimota] got a chance to relocate one of his Automatic Dependent Surveillance-Broadcast (ADS-B) receivers to a remote site, he made sure the remote gear was as bulletproof as possible. In a detailed write up with a ton of pictures, [tsimota] shows the impressive amount of effort he put into the build.

The system has a Raspberry Pi 3 with solid-state drive running the ADS-B software, a powered USB hub for three separate RTL-SDR dongles for various aircraft monitoring channels, a remote FlightAware dongle to monitor ADS-B, and both internal and external temperature sensors. Everything is snuggled into a weatherproof case that has filtered ventilation fans to keep things cool, and even sports a magnetic reed tamper switch to let him know if the box is opened. An LTE modem pipes the data back to the Internet, a GSM-controlled outlet allows remote reboots, and a UPS keeps the whole thing running if the power blips atop the 15-m building the system now lives on.

Nobody appreciates a quality remote installation as much as we do, and this is a great example of doing it right. Our only quibble would be the use of a breadboard for the sensors, but in a low-vibration location, it should work fine. If you’ve got the itch to build an ADS-B ground station but don’t want to jump in with both feet quite yet, this beginner’s guide from a few years back is a great place to start.

Non-Nefarious Raspberry Pi Only Looks Like A Hack

We’re going to warn you right up front that this is not a hack. Or at least that’s how it turned out after [LiveOverflow] did some digital forensics on a mysterious device found lurking in a college library. The path he took to come to the conclusion that nothing untoward was going on was interesting and informative, though, as is the ultimate purpose of the unknown artifacts.

As [LiveOverflow] tells us in the video below, he came upon a Reddit thread – of which we can now find no trace – describing a bunch of odd-looking devices stashed behind garbage cans, vending machines, and desks in a college library. [LiveOverflow] recognized the posted pictures as Raspberry Pi Zeroes with USB WiFi dongles attached; curiosity piqued, he reached out to the OP and offered to help solve the mystery.

The video below tells the tale of the forensic fun that ensued, including some questionable practices like sticking the device’s SD card into the finder’s PC. What looked very “hackerish” to the finder turned out to be quite innocuous after [LiveOverflow] went down a remote-diagnosis rabbit hole to discern the purpose of these devices. We won’t spoil the reveal, but suffice it to say they’re part of a pretty clever system with an entirely non-nefarious purpose.

We thought this was a fun infosec romp, and instructive on a couple of levels, not least of which is keeping in mind how “civilians” might see gear like this in the wild. Hardware and software that we deal with every day might look threatening to the general public. Maybe the university should spring for some labels describing the gear next time.

Classifying Crystals With An SDR Dongle

When it comes to radio frequency oscillators, crystal controlled is the way to go when you want frequency precision. But not every slab of quartz in a tiny silver case is created equal, so crystals need to be characterized before using them. That’s generally a job for an oscilloscope, but if you’re clever, an SDR dongle can make a dandy crystal checker too.

The back story on [OM0ET]’s little hack is interesting, and one we hope to follow up on. The Slovakian ham is building what looks to be a pretty sophisticated homebrew single-sideband transceiver for the HF bands. Needed for such a rig are good intermediate frequency (IF) filters, which require matched sets of crystals. He wanted a quick and easy way to go through his collection of crystals and get a precise reading of the resonant frequency, so he turned to his cheap little RTL-SDR dongle. Plugged into a PC with SDRSharp running, the dongle’s antenna input is connected to the output of a simple one-transistor crystal oscillator. No schematics are given, but a look at the layout in the video below suggests it’s just a Colpitts oscillator. With the crystal under test plugged in, the oscillator produces a huge spike on the SDRSharp spectrum analyzer display, and [OM0ET] can quickly determine the center frequency. We’d suggest an attenuator to change the clipped plateau into a sharper peak, but other than that it worked like a charm, and he even found a few dud crystals with it.

Fascinated by the electromechanics of quartz crystals? We are too, which is why [Jenny]’s crystal oscillator primer is a good first stop for the curious.

DRM Workarounds Save Arcade Cabinet

DRM has become a four-letter word of late, with even media companies themselves abandoning the practice because of how ineffective it was. DRM wasn’t invented in the early 2000s for music, though. It’s been a practice on virtually everything where software is involved, including arcade cabinets. This is a problem for people who restore arcade machines, and [mon] has taken a swing at unraveling the DRM for a specific type of Konami cabinet.

The game in question, Reflec Beat, is a rhythm-based game released in 2010, and the security is pretty modern. Since the game comes with a HDD, a replacement drive can be ordered with a security dongle which acts to decrypt some of the contents on the HDD, including the game file and some other information. It’s not over yet, though. [mon] still needs to fuss with Windows DLL files and a few levels of decryption and filename obfuscation before getting the cabinet functional again.

The writeup on this cabinet is very detailed, and if you’re used to restoring older games, it’s a bit of a different animal to deal with than the embedded hardware security that older cabinets typically have. If you’ve ever wanted to own one of these more modern games, or you’re interested in security, be sure to check out the documentation on the project page. If your tastes are more Capcom and less Konami, check out an article on their security system in general, or in de-suiciding boards with failing backup batteries.

A TEMPEST In A Dongle

If a couple of generations of spy movies have taught us anything, it’s that secret agents get the best toys. And although it may not be as cool as a radar-equipped Aston Martin or a wire-flying rig for impossible vault heists, this DIY TEMPEST system lets you snoop on computers using secondary RF emissions.

If the term TEMPEST sounds familiar, it’s because we’ve covered it before. [Elliot Williams] gave an introduction to the many modalities that fall under the TEMPEST umbrella, the US National Security Agency’s catch-all codename for bridging air gaps by monitoring the unintended RF, light, or even audio emissions of computers. And more recently, [Brian Benchoff] discussed a TEMPEST hack that avoided the need for thousands of dollars of RF gear, reducing the rig down to an SDR dongle and a simple antenna. There’s even an app for that now: TempestSDR, a multiplatform Java app that lets you screen scrape a monitor based on its RF signature. Trouble is, getting the app running on Windows machines has been a challenge, but RTL-SDR.com reader [flatfishfly] solved some of the major problems and kindly shared the magic. The video below shows TempestSDR results; it’s clear that high-contrast images are easiest to snoop on, but it shows that a $20 dongle and some open-source software can bridge an air gap. Makes you wonder what’s possible with deeper pockets.

RF sniffing is only one of many ways to exfiltrate data from an air-gapped system. From power cords to security cameras, there seems to be no end to the ways to breach systems.

Fail Of The Week: Tracking Meteors With Weather Radio

It’s not hard to detect meteors: go outside on a clear night in a dark place and you’re bound to see one eventually. But visible light detection is limiting, and knowing that meteors leave a trail of ions means radio detection is possible. That’s what’s behind this attempt to map meteor trails using broadcast signals, which so far hasn’t yielded great results.

Passing jet’s Doppler signature

The fact that meteor trails reflect radio signals is well-known; hams use “meteor bounce” to make long-distance contacts all the time. And using commercial FM broadcast signals to map meteor activity isn’t new, either — we’ve covered the “forward scattering” technique before. The technique requires tuning into a frequency used by a distant station but not a local one and waiting for a passing meteor to bounce the distant signal back to your SDR dongle. Capturing the waterfall display for later analysis should show characteristic patterns and give you an idea of where and when the meteor passed.

[Dave Venne] is an amateur astronomer who turns his eyes and ears to the heavens just to see what he can find. [Dave]’s problem is that the commercial FM band in the Minneapolis area that he calls home is crowded, to say the least. He hit upon the idea of using the National Weather Service weather radio broadcasts at around 160 MHz as a substitute. Sadly, all he managed to capture were passing airplanes with their characteristic Doppler shift; pretty cool in its own right, but not the desired result.

The comments in the RTL-SDR.com post on [Dave]’s attempt had a few ideas on where this went wrong and how to improve it, including the intriguing idea of using 60-meter ham band propagation beacons. Now it’s Hackaday’s turn: any ideas on how to fix [Dave]’s problem? Sound off in the comments below.

Cheap WiFi Devices Are Hardware Hacker Gold

Cheap consumer WiFi devices are great for at least three reasons. First, they almost all run an embedded Linux distribution. Second, they’re cheap. If you’re going to break a couple devices in the process of breaking into the things, it’s nice to be able to do so without financial fears. And third, they’re often produced on such low margins that security is an expense that the manufacturers just can’t stomach — meaning they’re often trivially easy to get into.

Case in point: [q3k] sent in this hack of a tiny WiFi-enabled SD card reader device that he and his compatriots [emeryth] and [informatic] worked out with the help of some early work by [Benjamin Henrion]. The device in question is USB bus-powered, and sports an SD card reader and an AR9331 WiFi SOC inside. It’s intended to supply wireless SD card support to a cell phone that doesn’t have enough on-board storage.

The hack begins with [Benjamin] finding a telnet prompt on port 11880 and simply logging in as root, with the same password that’s used across all Zsun devices: zsun1188. It’s like they want you to get in. (If you speak Chinese, you’ll recognize the numbers as being a sound-alike for “want to get rich”. So we’ve got the company name and a cliché pun. This is basically the Chinese equivalent of “password1234”.) Along the way, [Benjamin] also notes that the device executes arbitrary code typed into its web interface. Configure it to use the ESSID “reboot”, for instance, and the device reboots. Oh my!
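The ESSID-to-command behaviour described above is classic shell command injection. The following is an added illustration, not code from the Zsun firmware or from [q3k]’s project; it assumes the firmware pastes the ESSID into a shell command line, and uses `echo` as a stand-in for the wireless tool so it runs anywhere. The vulnerable handler sits beside a hardened one that validates the SSID and hands it to the tool as a single argv element, so no shell ever parses it.

```python
import subprocess

# Constructed stand-in for the wireless configuration tool (assumption: the
# real firmware invokes something like iwconfig through /bin/sh).
WIRELESS_TOOL = "echo"


def apply_essid_vulnerable(essid: str) -> str:
    """Concatenate the untrusted ESSID into a shell string: the bug class."""
    cmd = f"{WIRELESS_TOOL} wlan0 essid {essid}"
    # shell=True means ';', '$(...)', backticks etc. in the ESSID are interpreted
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def validate_essid(essid: str) -> str:
    """802.11 SSIDs are 1..32 bytes; additionally refuse control characters."""
    raw = essid.encode("utf-8")
    if not 1 <= len(raw) <= 32:
        raise ValueError("ESSID must be 1-32 bytes")
    if any(c < 0x20 or c == 0x7F for c in raw):
        raise ValueError("ESSID contains control characters")
    return essid


def apply_essid_hardened(essid: str) -> str:
    """Validate, then pass the ESSID as one argv element so no shell sees it."""
    essid = validate_essid(essid)
    argv = [WIRELESS_TOOL, "wlan0", "essid", essid]
    return subprocess.run(argv, capture_output=True, text=True).stdout


def was_injected(output: str) -> bool:
    """True when more than the single intended command line produced output."""
    return output.count("\n") != 1


if __name__ == "__main__":
    hostile = "x; echo INJECTED"          # constructed sample input
    print("vulnerable:", repr(apply_essid_vulnerable(hostile)))
    print("hardened:  ", repr(apply_essid_hardened(hostile)))
```

If the firmware instead writes the ESSID into a config file that a shell script later sources, the same argv discipline does not help; the value must then be quoted for that file format or, better, stored in a format the shell never evaluates.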

From here [q3k] and co. took over and ported OpenWRT to the device and documented where its serial port and GPIOs are broken out on the physical board. But that’s not all. They’ve also documented how and where to attach a wired Ethernet adapter, should you want to put this thing on a non-wireless network, or use it as a bridge, or whatever. In short, it’s a tiny WiFi router and Linux box in a package that’s about the size of a (Euro coin | US quarter) and costs less than a good dinner out. Just add USB power and you’re good to go.

Nice hack!