Spoofing Cell Networks with a USB to VGA Adapter

RTL-SDR brought cheap and ubiquitous Software Defined Radio (SDR) to the masses, opening up whole swaths of the RF spectrum which were simply unavailable to the average hacker previously. Because the RTL-SDR supported devices were designed as TV tuners, they had no capability to transmit. For the price they are still an absolutely fantastic deal, and deserve to be in any modern hacker’s toolkit, but sometimes you want to reach out and touch someone.

GSM network broadcast from a VGA adapter

Now you can. At OsmoDevCon [Steve Markgraf] released osmo-fl2k, a tool which allows transmit-only SDR through cheap USB 3.0 to VGA adapters based on the Fresco Logic FL2000 chip. Available through the usual overseas suppliers for as little as $5 USD, these devices can be used unmodified to transmit low-power FM, DAB, DVB-T, GSM, UMTS and GPS signals.

In a demonstration on the project page, one of these USB VGA adapters is used to broadcast a GSM cellular network which is picked up by the adjacent cell phones. Another example shows how it can be used to broadcast FM radio. A GitHub repository has been set up which includes more examples. The signals transmitted from the FL2000 chip are obviously quite weak, but the next step will logically be the hardware modifications necessary to boost transmission to more useful levels.

To say this is a big deal is something of an understatement. For a few bucks, you’ll be able to get a device to spoof cellular networks and GPS signals. This was possible before, of course, but took SDR hardware that was generally outside the budget of the casual experimenter. If you bought a HackRF or an Ettus Research rig, you were probably responsible enough not to get into trouble with it, but that’s not necessarily the case anymore. As exciting as this technology is, we would be wise to approach it with caution. In an increasingly automated world, GPS spoofing can have some pretty bad results.

Art Eavesdrops on Life and Pagers

Before cell phones, pagers were the way to communicate on the go. At first, they were almost a status symbol. Eventually, they became the mark of someone who couldn’t or wouldn’t carry a cell phone. However, apparently, there are still some users that clutch their pagers with a death grip, including medical professionals. In an art project called HolyPager, [Brannon Dorsey] intercepted all the pager messages in a city and printed them on a few old-style roll printers. The results were a little surprising. You can check out the video below.

Almost all the pages were medical and many of them had sensitive information. From a technical standpoint, [Brannon’s] page doesn’t shed much light, but an article about the project says that it and other art projects that show the hidden world of radio waves are using our old friend the RTL-SDR dongle.

Pagers use a protocol — POCSAG — that predates our modern (and well-founded) obsession with privacy and security. That isn’t surprising, although the idea that private medical data is flying through the air like this is. Decoding POCSAG isn’t hard. GNU Radio, for example, can easily handle the task.

We’ve looked at pager hacking in the past. You can even run your own pager network, but don’t blame us if you get fined.

Tiny Transmitter Tracks Targets

It is a staple of spy movies. The hero — or sometimes the bad guy — sticks a device never any bigger than an Alka Seltzer to a vehicle or a person and then tracks it anywhere it goes in the world. Real world physics makes it hard to imagine a device like that for a lot of reasons. Tiny power supplies mean tiny lifetime and low power. Tiny antennas and low power probably add up to short range. However, [Tom’s] Hackaday.io project may be as close as you can get to a James Bond-style tracker. You can see a video of the device, below.

The little transmitter is smaller than a thumbnail — not counting the antenna and the battery — and draws very little current (180 uA). As you might expect, the range is not great, but [Tom] says with a Yagi and an RTL-SDR he can track the transmitter on 915 MHz for about 400 meters.

Read Home Power Meters With RTL-SDR

[k-roy] hates electricity. Especially the kind that can be lethal if you’re not careful. Annoyed by the constant advertisements for the popular Sense Home Energy monitors (which must be installed in the main breaker box by an electrician), [k-roy] set out to find a cheaper and easier way. He wondered how the power company monitored his meter, and guessed correctly that it must be transmitting the information wirelessly. Maybe he could just listen in?

Using a cheap RTL-SDR, it didn’t take long for [k-roy] to tap into this transmission and stumble across the power readings for his entire neighborhood using a simple command:

~/gocode/bin/rtlamr -msgtype=idm --format=json -msgtype=scm+

Ironically, the hardest part wasn’t snooping on everyone’s power and water usage patterns in the neighborhood, it was trying to figure out which meter was his. In the end, he was able to make some nice graphical layouts of the data with PHP.

We’ve seen some righteous power meter hacks in our time, but this one stands out for its simplicity and elegance. Be sure to check out [k-roy’s] blog for more details, and [rtlamr’s] github for the program used to read the meters.

Thanks to [Jasper J] for the tip!

Grabbing Weather and Traffic Overlays from iHeartRadio

When the older of us think of radio, we think of dialing in an FM or AM station. Giant broadcast towers strewn throughout the countryside radiated electromagnetic waves modulated with music, talk and sports across our great land. Youngsters out there might be surprised that such primitive technology still exists. Though the static of an untuned AM receiver might be equivalent to the dial tone of a 56K modem, it’s still a major part of our society.

Like all technology, radio has transitioned to faster and better ways of sending information. Today we have digital radio stations – one of the most popular being iHeartRadio. And because it’s digital, it can also send along info other than audio, such as weather and traffic information.

The guys over at [KYDronePilot] have made use of this to display real-time weather and traffic maps with an SDR and a little Python. They’re new to Python, so be sure to check out their GitHub, grab a copy of the code, and let them know if you see room for improvement.

This hack is based on recent work decoding the digital data, which is worth checking out if you’re interested in SDR, DSP, or any other radio-related acronyms.

Neural Network Learns SDR Ham Radio

Identifying ham radio signals used to be easy. Beeps were Morse code, voice was AM unless it sounded like Donald Duck in which case it was sideband. But there are dozens of modes in common use now including TV, digital data, digital voice, FM, and more coming on line every day. [Randaller] used CUDA to build a neural network that can interface with an RTL-SDR dongle and classify the signals it hears. Since it is a neural network, it isn’t so much programmed to do it as it is trained. The proof of concept has training to distinguish FM, SECAM, and TETRA. However, you can train it to recognize other modulation schemes if you want to invest the time into it.

Slinky Walks Down Stairs and Picks up 80m Band

Originally intended as a way to stabilize sensitive instruments on ships during World War II, the Slinky is quite simply a helical spring with an unusually good sales pitch. But as millions of children have found out since the 1940’s, once you roll your Slinky down the stairs a few times, you’ve basically hit the wall in terms of entertainment value. So what if we told you there was yet another use for this classic toy that was also fun for a girl and a boy?

As it turns out, a cheap expandable metal coil just so happens to make for a pretty good antenna if you hook it up right. [Blake Hughes] recently took on this project and provided some detailed pictures and information for anyone else looking to hook a couple of Slinkies to their radio. [Blake] reports excellent results when paired to his RTL-SDR setup, but of course this will work with whatever kind of gear you might be using at these frequencies.

Before anyone gets out the pitchforks, admittedly this isn’t exactly a new idea. There are a few other write-ups online about people using a Slinky as a cheap antenna, such as this detailed analysis from a few years ago by [Frank Dörenberg]. There’s even rumors that soldiers used a Slinky from back home as a makeshift antenna during the Vietnam War. So this is something of an old school ham trick revived for the new generation of SDR enthusiasts.

Anyway, the setup is pretty simple. You simply solder the RF jack of your choice to two stretched out Slinkies: one to the center of the jack and one to the outside. Then run a rope through them and stretch them out in opposite directions. The rope is required because the Slinky isn’t going to be strong enough when expanded to keep from lying on the ground.

One thing to keep in mind with a Slinky antenna is that these things are not exactly rated for outside use. Without some kind of treatment (like a spray on acrylic lacquer), they’ll quickly corrode and fail. Though a better idea might simply be to think of this as a temporary antenna that you put away when you’re done with it. Thanks to the fact that the Slinky doesn’t get deformed even when stretching it out to maximum length, that’s relatively easy to accomplish.

If you’re looking for a good RTL-SDR to go along with your new Slinky antenna, check out this roundup of some of the options that are on the market as of 2017. You’ll probably need an upconverter to get down to the 80m band, so you might as well build that while you’re at it.