software-defined radio

122 Articles

[Balint]’s GNU Radio Tutorials

April 22, 2014 by 15 Comments

Waterfall

[Balint] has a bit of history in dealing with software defined radios and cheap USB TV tuners turned into what would have been very expensive hardware a few years ago. Now [Balint] is finally posting a few really great GNU Radio tutorials, aimed at getting software defined radio beginners up and running with some of the coolest hardware around today.

[Balint] is well-known around these parts for being the first person to create a GNU Radio source block for the implausibly inexpensive USB TV tuners, allowing anyone with $20 and enough patience to wait for a package from China to listen in on everything from 22 to 2200 MHz. There’s a lot of interesting stuff happening in that band, including the ACARS messages between airliners and traffic control, something that allowed [Balint] to play air traffic controller with a minimal amount of hardware.

Right now the tutorials are geared towards the absolute beginner, starting at the beginning with getting GNU Radio up and running. From there the tutorials continue to receiving FM radio, and with a small hardware investment, even transmitting over multiple frequencies.

It’s not much of an understatement to say software defined radio is one of the most versatile and fun projects out there. [Balint] even demonstrated triggering restaurant pagers with a simple SDR project, a fun project that is sure to annoy his coworkers.

Continue reading “[Balint]’s GNU Radio Tutorials”

Hacking Radio Controlled Outlets

March 10, 2014 by 5 Comments

It’s no surprise that there’s a lot of devices out of there that use simple RF communication with minimal security. To explore this, [Gordon] took a look at attacking radio controlled outlets.

He started off with a CC1111 evaluation kit, which supports the RFCat RF attack tool set. RFCat lets you interact with the CC1111 using a Python interface. After flashing the CC1111 with the RFCat firmware, the device was ready to use. Next up, [Gordon] goes into detail about replaying amplitude shift keying messages using the RFCat. He used an Arduino and the rc-switch library to generate signals that are compatible with the outlets.

In order to work with the outlets, the signal had to be sniffed. This was done using RTL-SDR and a low-cost TV tuner dongle. By exporting the sniffed signal and analyzing it, the modulation could be determined. The final step was writing a Python script to replay the messages using the RFCat.

The hack is a good combination of software defined radio techniques, ending with a successful attack. Watch a video of the replay attack after the break.

Continue reading “Hacking Radio Controlled Outlets”

Verifying A Wireless Protocol With RTLSDR

January 31, 2014 by 1 Comment

rtlsdr_nrf905_rtlizer

[Texane] is developing a system to monitor his garage door from his apartment. Being seven floors apart, running wires between the door and apartment wasn’t an option, so he turned to a wireless solution. Testing this wireless hardware in an apartment is no problem, but testing it in situ is a little more difficult. For that, he turned to software defined radio with an RTLSDR dongle.

The hardware for this project is based around a TI Stellaris board and a PTR8000 radio module. All the code for this project was written from scratch (Github here), making it questionable if the code worked on the first try. To test his code, [Texane] picked up one of those USB TV tuner dongles based around the RTL2832U chipset. This allowed him to monitor the frequencies around 433MHz for the packets his hardware should be sending.

After that, the only thing left to do was to write a frame decoder for his radio module. Luckily, the datasheet for the module made this task easy.

[Texane] has a frame decoder for the NRF905 radio module available in his Git. It’s not quite ready for serious applications, but for testing a simple radio link it’s more than enough.

Cracking GSM With RTL-SDR For Thirty Dollars

October 22, 2013 by 60 Comments

Theoretically, GSM has been broken since 2003, but the limitations of hardware at the time meant cell phone calls and texts were secure from the prying ears of digital eavesdroppers and all but the most secret government agencies. Since then, the costs of hardware have gone down, two terabytes of rainbow tables have been published, and all the techniques and knowledge required to listen in on cell phone calls have been available. The only thing missing was the hardware. Now, with a super low-cost USB TV tuner come software defined radio, [domi] has put together a tutorial for cracking GSM with thirty dollars in hardware.

Previous endeavours to listen in and decrypt GSM signals used fairly expensive software defined radios – USRP systems that cost a few thousand dollars a piece. Since the advent of RTL-SDR, the price of software defined radios has come down to about $30 on eBay, giving anyone with a Paypal account the ability to listen in on GSM calls and sniff text messages.

The process of cracking GSM first involves getting the TMSI – Temporary Mobile Subscriber Identifier – a unique ID for each phone in a certain cell. This is done by sending a silent SMS that will send back and acknowledgement an SMS has been received on the victim’s phone, but won’t give the victim any indication of   receiving a message.

From there, the attacker listens to the GSM signals in the cell, receiving bursts attached to a TMSI, and cracking the encrypted stream using 1.6 TB of rainbow tables.

[domi] put up a four-part tutorial series (part 1 above; part 2, part 3, and part 4) that goes over the theory and the actual procedure of cracking text messages and voice calls with a simple USB TV tuner. There are a few limitations; the attacker must be in the same cell as the victim, and it looks like real-time voice decoding isn’t yet possible. Cracking GSM for $30, though, that’s good enough for us.

HackRF, Or Playing From 30 MHz To 6 GHz

August 1, 2013 by 49 Comments

Up on Kickstarter, [Michael Ossmann] is launching the HackRF, an inordinately cheap, exceedingly capable software defined radio tool that’s small enough to lose in your laptop bag.

The HackRF was the subject of a lot of interest last time it was on Hackaday – the ability to receive up to 6GHz allows the HackRF to do a lot of very interesting things, including listening in on Bluetooth, WiFi, and 4G networks. Also, the ability to transmit on these frequencies means a lot of very interesting, and quite possibly slightly evil applications are open to anyone with a HackRF. Like the RTL-SDR dongles, the HackRF works with GNU Radio out of the box, meaning all those cool SDR hacks we’ve seen so far will work with this new, more powerful board.

Compared to the USB TV tuner cards that were so popular a year ago, the HackRF has 10 times the bandwidth, is able to receive up to 6GHz, and is also able to transmit. It’s only half-duplex, so to receive and transmit simultaneously you’ll need two HackRFs, or maybe wait for a hardware revision that will hopefully come sooner rather than later.

Below you can check out [Michael]’s presentation at Toorcon where the HackRF was unleashed to the world.

Continue reading “HackRF, Or Playing From 30 MHz To 6 GHz”

Detecting Galactic Rotation With Software Defined Radio

May 26, 2013 by 27 Comments

Last summer in the heyday of software defined radio via USB TV tuners we asked hackaday readers a question: Is anyone using everyone’s favorite method of SDR for radio astronomy? It took nearly a year, but finally there’s an awesome project to turn a USB TV tuner into a radio telescope. It’s from the fruitful mind of [Marcus Leech] (PDF warning), and is good enough to detect the rotation of the galaxy with a three-foot satellite dish.

News of [Marcus]’ work comes to us from [Carl] over at RTL-SDR.com who has been keeping tabs on the advances of building a radio telescope in a backyard. He’s been collecting a lot of interesting tidbits including this gif showing an arm of the galaxy entering and leaving [Marcus]’ telescope’s field of view over the course of a few hours.

Not only can [Marcus]’ telescope record continium measurements – basically, a single-pixel camera sensitive to only one frequency – it can also produce spectral plots of the sky. Combine the ability to measure multiple frequencies at the same time with the Doppler effect, and [Marcus] can measure the rotation of the galaxy with a USB TV tuner. That’s just awesome in our humble opinion.

If you already have an RTL-SDR TV tuner and a largish satellite dish, [Marcus]’ project should be fairly inexpensive to replicate; the feed assembly is made out of a coffee can, the amplifiers are repurposed satellite television equipment, and all the software – [Marcus]’ own simple_ra tool for GNU Radio – is open source. Of course with a 3 foot diameter dish, it will be impossible to replicate the data from huge radio telescopes. Still, it’s an impressive piece of work that leaves us searching craigslist for an old C-band dish.

Listening To Aircraft Transponders With A Raspberry Pi

May 23, 2013 by 31 Comments

Last year’s big hack was software-defined radio; a small USB TV tuner that could listen in on radio broadcasts anywhere between 64 and 1200 MHz. This year, it’s all about the Raspberry Pi, so it’s surprising we’re only just now seeing a mashup of these two pieces of hardware. [Corq] is using a Raspi and RTLSDR TV tuner to listen in on aircraft transponders, and getting a whole bunch of data from aircraft flying overhead.

Even though the ADS-B decoder [Corq] is using is written for OS X, he’s reading the data coming from the USB TV tuner over the network with a program called Dump1090. This program allows [Corq] to attach his SDR to a Raspbery Pi and put it somewhere the antenna will get good reception – an attic, or an outdoor weatherproof case – and stream data to his desktop over a WiFi or network connection.

With a USB TV tuner and a Raspberry Pi, [Corq] is able read the tail numbers, altitude, latitude, longitude, speed, heading, and even the type of aircraft currently flying over his house. That’s cool enough, but the fact that he can effectively do this over the Internet makes it a brilliant hardware mashup.