As we use our computers, to watch YouTube videos of trucks hitting bridges, to have a Zoom call with our mothers, or even for some of us to write Hackaday articles, we’re unknowingly sharing a lot of what we are doing with the world. The RF emissions from our monitors, keyboards, and other peripherals can be harvested and reconstructed to give a third party a view into your work, and potentially have access to all your darkest secrets. It’s a technique with origins in Government agencies that would no doubt prefer to remain anonymous, but for a while now it has been available to all through the magic of software defined radio. Now it has reached the popular GNU Radio platform, with [Federico La Rocca]’s gr-tempest package.
He describes it as a re-implementation of [Martin Marinov]’s TempestSDR, which has a reputation as not being for the faint-hearted. The current version requires GNU Radio 3.7, but he promises a 3.8-compatible version in the works. A YouTube video that we’ve placed below the break has a range of examples running, though there seems to be little information on the type of antenna employed. Perhaps a log-periodic design would be most appropriate.
Many of the SDR projects we see use a cheap USB dongle. They are great, but sometimes you want more and — especially — sometimes you want to transmit. The Analog Devices ADALM-Pluto SDR is easily available for $200 and sometimes as low as $100 and it both transmits and receives using an Analog AD9363 and a Zynq FPGA. Although you normally use the device to pipe IQ signals to a host computer, you can run SDR applications on the device itself. That requires you to dig into the Zynq tools, which is fun but a topic for another time. In this post, I’m going to show you how you can use GNU Radio to make a simple Morse code beacon in the 2m ham band.
I’ve had one on my bench for quite a while and I’ve played with it a bit. There are several ways to use it with GNU Radio and it seems to work very well. You have to hack it to get the frequency range down a bit. Sure, it might not be “to spec” once you broaden the frequency range, but it seems to work fine. Instead of working from 325 MHz to 3,800 MHz with a 20 MHz bandwidth, the hacked device transceives 70 MHz to 6,000 MHz with 56 MHz bandwidth. It is a simple hack you only have to do once. It tells the device that it has a slightly better chip onboard and our guess is the chips are the same but sorted by performance. So while the specs might be a little off, you probably won’t notice.
As a writer, I have long harboured a dream that one day an editor will buy me a top-of-the-range audio analyser, and I can set up an audio test lab and write pieces debunking the spurious claims made by audiophiles, HiFi journalists, and the high-end audio industry about the quality of their products. Does that amp really lend an incisive sibilance to the broader soundstage, and can we back that up with some measurable figures rather than purple prose?
An Audio Playground You Didn’t Know You Had
Sadly Hackaday is not an audio magazine, and if Mike bought me an Audio Precision he’d have to satisfy all the other writers’ test equipment desires too, and who knows where that would end! So there will be no Hackaday audio lab — for now. But that doesn’t mean I can’t play around with audio analysis.
Last month we carried a write-up of a Supercon talk from Kate Temkin and Michael Ossmann, in which they reminded us that we have a cracking general purpose DSP playground right under our noses; GNU Radio isn’t just for radio. Once I’d seen the talk my audio analysis horizons were opened up considerably. Maybe that audio analyser wouldn’t be mine, but I could do some of the same job with GNU Radio.
It’s important to stress at this point that anything I can do on my bench will not remotely approach the quality of a professional audio analyser. But even if I can’t measure infinitesimal differences between very high-end audio circuitry, I can still measure enough to tell a good audio product from a bad one.
For most people, a software defined radio is a device. An RTL-SDR dongle perhaps, or the HackRF that a popular multi-tool for working in the radio frequency realm. But as they explain, the SDR hardware can be considered merely as the analogue front end, being just the minimal analogue circuitry coupled with a digitiser. The real software-defined part comes — as you might expect — in the software
Kate and Mike introduce GNU Radio Companion — the graphical UI for GNU Radio — as their tool of choice and praise it’s use as a general purpose digital signal processing system whether or not that includes radio. Taking their own Great Scott Gadgets GreatFET One USB hackers toolkit peripheral as an input device they demonstrate this by analysing the output from a light sensor. Instantly they can analyse the mains frequency in a frequency-domain plot, and the pulse frequency of the LEDs. But their bag of tricks goes much deeper, exploring multiple “atypical use cases” that unlock a whole new world through creative digital signal processing (DSP).
Have you ever found yourself in a crowded restaurant on a Saturday night, holding onto one of those little gadgets that blinks and vibrates when it’s your turn to be seated? Next time, bust out the HackRF and follow along with [Tony Tiger] as he shows how it can be used to easily fire them off. Of course, there won’t actually be a table ready when you triumphantly show your blinking pager to the staff; but there’s only so much an SDR can do.
Even if you aren’t looking to jump the line at your favorite dining establishment, the video that [Tony] has put together serves as an excellent practical example of using software defined radio (SDR) to examine and ultimately replicate a wireless communications protocol. The same techniques demonstrated here could be applied to any number of devices out in the wild with little to no modification. Granted these “restaurant pagers” aren’t exactly high security devices to begin with, but you’d be horrified surprised how many other devices out there take a similarly cavalier attitude towards security.
[Tony] starts by using inspectrum to examine the Frequency-shift keying (FSK) modulation used by the 467.750 Mhz devices, and from there, uses Universal Radio Hacker to capture the actual binary data being sent over the air. Between studying the transmissions and the information he found online, he was eventually able to piece together the packet structure used by the restaurant’s base station.
Finally, he wrote a Python script which generates packets based on which pager he wants to set off. If he’s feeling particularly mischievous, he can even set them all off at once. The script outputs a binary file which is then loaded into GNU Radio for transmission via the HackRF. [Tony] says he’s not quite ready to release his script yet, but he gives enough information in the video that the intrepid hacker could probably get their own version up and running by the time he gets it posted up to GitHub anyway.
There were plenty of great talks at this year’s Supercon, but we really liked the title of Dominic Spill’s talk: Ridiculous Radios. Let’s face it, it is one thing to make a radio or a computer or a drone the way you are supposed to. It is another thing altogether to make one out of things you shouldn’t be using. That’s [Dominic’s] approach. In a quick 30 minutes, he shows you two receivers and two transmitters. What makes them ridiculous? Consider one of the receivers. It is a software defined radio (SDR). How many bits should an SDR have? How about one bit? Ridiculous? Then you are getting the idea.
Dominic is pretty adept at taking a normal microcontroller and bending it to do strange RF things and the results are really entertaining. The breadboard SDR, for example, is a microcontroller with three components: an antenna, a diode, and a resistor. That’s it. If you missed the talk at Supercon, you can see the newly published video below, along with more highlights from Dominic’s talk.
Hackaday regular [befinitiv] wrote into the tip line to let us know about a hack you might enjoy, wireless UART output from a bare STM32 microcontroller. Desiring the full printf debugging experience, but constrained both by available space and expense, [befinitiv] was inspired to improvise by a similar hack that used the STM32 to send Morse code over standard FM frequencies.
In this case, [befinitiv]’s solution is both more useful and slightly more legal, as the software uses the 27 MHz ISM band to blast out ASK modulated serial data through a simple wire antenna attached to one of the microcontroller’s pins. The broadcast can then be picked up by an RTL-SDR receiver and interpreted back into a stream of data by GNU Radio.
The software for the STM32 and the GNU Radio Companion graph are both available on Bitbucket. The blog post goes into some detail explaining how the transmitter works and what all the GNU Radio components are doing to claw the serial data back from the ether.