Gold Cables Really Do Work The Best

As a writer, I have long harboured a dream that one day an editor will buy me a top-of-the-range audio analyser, and I can set up an audio test lab and write pieces debunking the spurious claims made by audiophiles, HiFi journalists, and the high-end audio industry about the quality of their products. Does that amp really lend an incisive sibilance to the broader soundstage, and can we back that up with some measurable figures rather than purple prose?

An Audio Playground You Didn’t Know You Had

An Audio Precision APx525 audio analyser. Bradp723 (CC-BY-SA 3.0)

Sadly Hackaday is not an audio magazine, and if Mike bought me an Audio Precision he’d have to satisfy all the other writers’ test equipment desires too, and who knows where that would end! So there will be no Hackaday audio lab — for now. But that doesn’t mean I can’t play around with audio analysis.

Last month we carried a write-up of a Supercon talk from Kate Temkin and Michael Ossmann, in which they reminded us that we have a cracking general purpose DSP playground right under our noses; GNU Radio isn’t just for radio. Once I’d seen the talk my audio analysis horizons were opened up considerably. Maybe that audio analyser wouldn’t be mine, but I could do some of the same job with GNU Radio.

It’s important to stress at this point that anything I can do on my bench will not remotely approach the quality of a professional audio analyser. But even if I can’t measure infinitesimal differences between very high-end audio circuitry, I can still measure enough to tell a good audio product from a bad one.


Software Defined Everything With Mike Ossmann And Kate Temkin

Software defined radio has become a staple of the RF tinkerer, but it’s likely that very few of us have ever taken our software defined toolchain outside the bounds of radio. It’s an area explored by Mike Ossmann and Kate Temkin in their newly published Supercon talk as they use GNU Radio to do some things that you might find unexpected.

For most people, a software defined radio is a device. An RTL-SDR dongle perhaps, or the HackRF that is a popular multi-tool for working in the radio frequency realm. But as they explain, the SDR hardware can be considered merely as the analogue front end, being just the minimal analogue circuitry coupled with a digitiser. The real software-defined part comes — as you might expect — in the software.

Kate and Mike introduce GNU Radio Companion — the graphical UI for GNU Radio — as their tool of choice and praise its use as a general purpose digital signal processing system whether or not that includes radio. Taking their own Great Scott Gadgets GreatFET One USB hacker’s toolkit peripheral as an input device, they demonstrate this by analysing the output from a light sensor. Instantly they can analyse the mains frequency in a frequency-domain plot, and the pulse frequency of the LEDs. But their bag of tricks goes much deeper, exploring multiple “atypical use cases” that unlock a whole new world through creative digital signal processing (DSP).


Your Table Is Ready, Courtesy Of HackRF

Have you ever found yourself in a crowded restaurant on a Saturday night, holding onto one of those little gadgets that blinks and vibrates when it’s your turn to be seated? Next time, bust out the HackRF and follow along with [Tony Tiger] as he shows how it can be used to easily fire them off. Of course, there won’t actually be a table ready when you triumphantly show your blinking pager to the staff; but there’s only so much an SDR can do.

Even if you aren’t looking to jump the line at your favorite dining establishment, the video that [Tony] has put together serves as an excellent practical example of using software defined radio (SDR) to examine and ultimately replicate a wireless communications protocol. The same techniques demonstrated here could be applied to any number of devices out in the wild with little to no modification. Granted, these “restaurant pagers” aren’t exactly high security devices to begin with, but you’d be surprised how many other devices out there take a similarly cavalier attitude towards security.

[Tony] starts by using inspectrum to examine the frequency-shift keying (FSK) modulation used by the 467.750 MHz devices, and from there, uses Universal Radio Hacker to capture the actual binary data being sent over the air. Between studying the transmissions and the information he found online, he was eventually able to piece together the packet structure used by the restaurant’s base station.

Finally, he wrote a Python script which generates packets based on which pager he wants to set off. If he’s feeling particularly mischievous, he can even set them all off at once. The script outputs a binary file which is then loaded into GNU Radio for transmission via the HackRF. [Tony] says he’s not quite ready to release his script yet, but he gives enough information in the video that the intrepid hacker could probably get their own version up and running by the time he gets it posted up to GitHub anyway.

We saw some very similar techniques demonstrated at the recent WOPR Summit security conference, so once you’re done hacking the local restaurants, you can take these same lessons and apply them to the rest of the Internet of Things. If you’re wondering, it’s even easier to eavesdrop on the non-restaurant pagers.


Radio Gets Ridiculous

There were plenty of great talks at this year’s Supercon, but we really liked the title of Dominic Spill’s talk: Ridiculous Radios. Let’s face it, it is one thing to make a radio or a computer or a drone the way you are supposed to. It is another thing altogether to make one out of things you shouldn’t be using. That’s [Dominic’s] approach. In a quick 30 minutes, he shows you two receivers and two transmitters. What makes them ridiculous? Consider one of the receivers. It is a software defined radio (SDR). How many bits should an SDR have? How about one bit? Ridiculous? Then you are getting the idea.

Dominic is pretty adept at taking a normal microcontroller and bending it to do strange RF things and the results are really entertaining. The breadboard SDR, for example, is a microcontroller with three components: an antenna, a diode, and a resistor. That’s it. If you missed the talk at Supercon, you can see the newly published video below, along with more highlights from Dominic’s talk.


Short Length Of Wire Turns STM32 Microcontroller Into Good-enough Wireless UART Blaster

Hackaday regular [befinitiv] wrote in to the tip line to let us know about a hack you might enjoy: wireless UART output from a bare STM32 microcontroller. Desiring the full printf debugging experience, but constrained both by available space and expense, [befinitiv] was inspired to improvise by a similar hack that used the STM32 to send Morse code over standard FM frequencies.

In this case, [befinitiv]’s solution is both more useful and slightly more legal, as the software uses the 27 MHz ISM band to blast out ASK-modulated serial data through a simple wire antenna attached to one of the microcontroller’s pins. The broadcast can then be picked up by an RTL-SDR receiver and interpreted back into a stream of data by GNU Radio.

The software for the STM32 and the GNU Radio Companion graph are both available on Bitbucket. The blog post goes into some detail explaining how the transmitter works and what all the GNU Radio components are doing to claw the serial data back from the ether.

[cover image cc by-sa licensed by Adam Greig, randomskk on Flickr]

Michael Ossmann Pulls DSSS Out Of Nowhere

[Michael Ossmann] spoke on Friday to a packed house in the wireless hacking village at DEF CON 25. There’s still a day and a half of talks remaining but it will be hard for anything to unseat his Reverse Engineering Direct Sequence Spread Spectrum (DSSS) talk as my favorite of the con.

DSSS is a technique used to transmit reliable data where low signal strength and high noise are likely. It’s used in GPS communications, where the signal received from a satellite is often far too small for you to detect visually on a waterfall display. Yet we know that data is being received and decoded by every cell phone on the planet. It is also used for WiFi management packets and ZigBee, and is found in proprietary systems, especially those dealing with satellite communications.

[Michael] really pulled a rabbit out of a hat with his demos, which detected the DSSS signal parameters in what appeared to be nothing but noise. Below you can see the signal with and without noise; the latter is completely indiscernible as a signal at all to the eye, but can be detected using his techniques.

Detecting DSSS with Simple Math

[Michael] mentioned simple math tricks, and he wasn’t kidding. It’s easy to assume that someone as experienced in RF as he would have a different definition of ‘simple’ than we would. But truly, he’s using multiplication and subtraction to do an awful lot.

DSSS transmits binary values as a set called a chip. The chip for digital 1 might be 11100010010 with the digital 0 being the inverse of that. You can see this in the slide at the top of this article. Normal DSSS decoding compares the signal to expected values, using a correlation algorithm that multiplies the two and gives a score. If the score is high enough, 11 in this example, then a bit has been detected.

To reverse engineer this it is necessary to center on the correct frequency and then detect the chip encoding. GNU Radio is the tool of choice for processing a DSSS capture from a SPOT Connect module designed to push simple messages to a satellite communication network. The first math trick is to multiply the signal by itself and then look at a spectrum analysis to see if there is a noticeable spike indicating the center frequency. This can then be adjusted with an offset, and smaller spikes on either side will be observed.

When visualized in a constellation view you begin to observe a center and two opposite clusters. The next math trick is to square the signal (multiply it by itself) and it will join those opposite clusters onto one side. What this accomplishes is a strong periodic component (the cycle from the center to the cluster and back again) which reveals the chip rate.

Detecting symbols within the chip is another math trick. Subtract each successive value in the signal from the last and you will mostly end up with zero (high signal minus high signal is zero, etc). But every time the signal spikes you’re looking at a transition point and the visualization begins to look like logic traced out on an oscilloscope. This technique can deal with small amounts of noise but becomes more robust with a bit of filtering.

This sort of exploration of the signal is both fun and interesting. But if you want to actually get some work done you need a tool. [Michael] built his own in the form of a Python script that chews through a .cfile and spits out the frequency offset, chip rate, chip sequence length, and decoded chip sequence.
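As an added illustration of the three tricks described above (squaring to find the carrier offset, differencing to find the chip period, and correlation to recover bits), here is a small pure-Python simulation written for this page; it is not Michael’s script. It assumes a normalised sample rate, an assumed 4 samples per chip, a zero carrier phase, and a constructed 11-chip sequence taken from the example above.

```python
import cmath
import math
import random

# Constructed example: the 11-chip sequence quoted above, sent as-is for a 1 bit and
# inverted for a 0 bit. Samples per chip, the carrier offset and a zero carrier phase
# are assumptions; the sample rate is normalised to 1 (frequencies in cycles/sample).
CHIP = [1, 1, 1, 0, 0, 0, 1, 0, 0, 1, 0]
REF = [1.0 if c else -1.0 for c in CHIP]
SPC = 4  # samples per chip (assumed)

def spread(bits):
    """Bits -> +/-1 chip stream: 1 sends CHIP, 0 sends its inverse."""
    return [r if b else -r for b in bits for r in REF]

def modulate(chips, f_off, noise=0.0, seed=1):
    """Hold each chip for SPC samples on a carrier at f_off, plus Gaussian noise."""
    rng = random.Random(seed)
    return [v * cmath.exp(2j * math.pi * f_off * n)
            + complex(rng.gauss(0, noise), rng.gauss(0, noise))
            for n, v in enumerate(c for c in chips for _ in range(SPC))]

def baseband(x, f_off):  # remove a known offset, keep the in-phase (real) part
    return [(v * cmath.exp(-2j * math.pi * f_off * n)).real for n, v in enumerate(x)]

def dft_peak_freq(x):
    """Naive DFT; frequency (cycles/sample, in (-0.5, 0.5]) of the strongest bin."""
    N = len(x)
    mags = [abs(sum(x[n] * cmath.exp(-2j * math.pi * k * n / N) for n in range(N)))
            for k in range(N)]
    k = mags.index(max(mags))
    return (k - N if k > N // 2 else k) / N

def find_offset(x):
    """Trick 1: squaring cancels the +/-1 flips and leaves a tone at 2*f_off."""
    return dft_peak_freq([v * v for v in x]) / 2  # the +0.5 ambiguity is not resolved

def find_chip_period(x, f_off):
    """Trick 2: sample differences are ~0 except at chip edges; min edge gap = chip period."""
    r = baseband(x, f_off)
    edges = [n for n in range(1, len(r)) if abs(r[n] - r[n - 1]) > 1.0]
    return min((b - a for a, b in zip(edges, edges[1:])), default=0)

def despread(x, f_off, spc):
    """Correlate each 11-chip window with REF: score near +11 -> 1, near -11 -> 0."""
    r = baseband(x, f_off)
    chips = [sum(r[i:i + spc]) / spc for i in range(0, len(r), spc)]
    scores = [sum(a * b for a, b in zip(chips[i:i + len(REF)], REF))
              for i in range(0, len(chips) - len(REF) + 1, len(REF))]
    return [1 if s > 0 else 0 for s in scores], scores
```

With `rx = modulate(spread(bits), 1 / 32, noise=0.1)` and `f = find_offset(rx)`, calling `despread(rx, f, find_chip_period(rx, f))` recovers `bits` with correlation scores within a fraction of ±11. On real captures the 180° phase ambiguity of BPSK and the clock error between transmitter and receiver mentioned below would still have to be handled.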

Running his sample file through with increasing levels of noise added, the script was rock solid on detecting the parameters of the signal. Interestingly, it is even measuring the 3 parts per million difference between the transmitter and receiver clocks in the detected chip rate value. What isn’t rock solid is the actual bit information, which begins to degrade as the noise is increased. But just establishing the parameters of the protocol being used is the biggest part of the battle and this is a dependable solution for doing that quickly and automatically.

You can give the script a try. It is part of [Michael’s] Clock Recovery repo. This talk was recorded and you should add it to your reminder list for after the con when talks begin to be published. To hold you over until then, we suggest you take a look at his RF Design workshop from the 2015 Hackaday Superconference.

Baofeng Handy Talkie Meets GNU Radio

There was a time when just about every ham had a pricey VHF or UHF transceiver in their vehicle or on their belt. It was great to talk to friends while driving. You could even make phone calls from anywhere thanks to automatic phone patches. In 1980 cell phones were uncommon, so making a call from your car was sure to get attention.

Today, ham radio gear isn’t as pricey thanks to a flood of imports from companies like Baofeng, Jingtong, and Anytone. While a handheld transceiver is more of an impulse buy, you don’t hear as much chat and phone calls, thanks to the widespread adoption of cell phones. Maybe that’s why [Bastian] had bought a cheap Baofeng radio but never used it.

He was working on a traffic light project and wanted to send an RF signal when the light changes. He realized the Baofeng radio was a cheap and cheerful solution. He only needed a way to have the PC generate an audio signal to feed the radio. His answer was to design a UDP packet to audio flow graph in GNU Radio. GNU Radio then feeds the Baofeng. The radio’s built-in VOX function handles transmit switching. You can see a video demonstration below.
