Category: Applications

Rdio Scanner: A Web Based UI for Trunk Recorder

Trunk Recorder is an RTL-SDR compatible open source Linux app that records calls from Trunked P25 and SmartNet digital voice radio systems which are commonly used by Police and other emergency services in the USA. It can be used to set up a system that allows you to listen to previous calls at your leisure, however it does not have any UI for easy browsing.

Recently Chrystian Huot wrote in and wanted to share his new program called "Rdio Scanner", which is a nice looking UI for Trunk Recorder. Rdio Scanner uses the files generated by Trunk Recorder to create a web based interface that looks like a real hardware scanner radio. Some of the features include:

  • Built to act as a real police radio scanner
  • Listen to live calls queued to listen
  • Hold a single system or a single talkgroup
  • Select talkgroups to listen to when live feed is enabled
  • Search past calls stored in the database
  • Just upload Trunk Recorder files with Curl
Rdio Scanner Interface Screenshots

Meteor M2 is Currently Experiencing Orientation Issues

Russian weather satellite Meteor M2 is a popular reception target for RTL-SDR radio enthusiasts, as it allows you to receive high resolution images of the Earth. However, it currently appears to be exhibiting orientation issues, causing off-center and skewed images and sometimes poor or no reception. Russian blog "aboutspacejornal" writes that the orientation of the satellite can sometimes be restored, presumably by a reset command from Earth, but that shortly afterwards it goes back into uncontrolled rotation.

These sorts of off-axis images were commonly received from the older decommissioned Meteor-M1 satellite, which woke up from the dead in 2015. The resurrection was speculated to be from the batteries shorting out, allowing power to directly flow from the solar panels while in full sunlight. These days Meteor-M1 is no longer transmitting.

Meteor M2 proving the curvature of the earth due to its orientation issues. Image source aboutspacejornal.

Hopefully Meteor-M2 can be fixed, but if not, Meteor M2-2 is due to be launched on July 5 which should also have an LRPT signal that can be received easily with an RTL-SDR. Hopefully the launch is more successful than the November 2017 launch of Meteor M2-1 which unfortunately was a complete loss as it failed to separate from the rocket.

Hak5: Hacking Ford Key Fobs with a HackRF and Portapack

This week's episode of Hak5 (an information security themed YouTube channel) features Dale Wooden (@TB69RR) who joins hosts Shannon and Darren to demonstrate a zero day vulnerability against Ford keyless entry/ignition. More details about the vulnerability will be presented at this year's DEF CON 27 conference, which is due to be held on August 8 - 11.

In the video Dale first demonstrates how he uses a HackRF with Portapack to capture and then replay the signal from a Ford vehicle's keyfob. The result is that the original keyfob no longer functions, locking the owner out from the car. After performing a second process with another keyfob, Dale is now able to fully replicate a keyfob, and unlock the car from his HackRF.

Dale explains that unlike the well known jam-and-replay methods, his method requires no jamming, and instead uses a vulnerability to trick the car into resetting the rolling code counter back to zero, allowing him to capture rolling codes that are always valid. Dale also notes that he could use any RX capable SDR like an RTL-SDR to automatically capture signals from over 100m away.

The vulnerability has been disclosed to Ford, and the full details and code to do the attack will only be released at DEF CON 27, giving Ford enough time to fix the vulnerability. It is known to affect 2019 Ford F-150 Raptors, Mustangs and 2017 Ford Expeditions, but other models are also likely to be vulnerable.

The video is split into three parts. In part 1 Dale demonstrates the vulnerability on a real vehicle and in part 2 he explains the story behind his discovery, how he responsibly disclosed the vulnerability to Ford and how to reset the keyfob yourself. Finally in part 3 Darren interviews Dale about his experiences in the RF security field.

Dale's discovery has also been written up in an article by The Parallax which explains the exploit in more detail.

Hacking Ford Key Fobs Pt. 1 - SDR Attacks with @TB69RR - Hak5 2523 [Cyber Security Education]

Hacking Ford Key Fobs Pt. 2 - SDR Attacks with @TB69RR - Hak5 2524 [Cyber Security Education]

Hacking Ford Key Fobs Pt. 3 - SDR Attacks with @TB69RR - Hak5 2525 [Cyber Security Education]

Using a Software Defined Radio to Send Fake Presidential Alerts over LTE

Modern cell phones in the USA are all required to support the Wireless Emergency Alert (WEA) program, which allows citizens to receive urgent messages like AMBER (child abduction) alerts, severe weather warnings and Presidential Alerts.

In January 2018 an incoming missile alert was accidentally issued to residents in Hawaii, resulting in panic and disruption. More recently an unblockable Presidential Alert test message was sent to all US phones. These events have prompted researchers at the University of Colorado Boulder to investigate concerns over how this alert system could be hacked, potentially allowing bad actors to cause mass panic on demand (SciHub Paper).

Their research showed that four low cost USRP or bladeRF TX capable software defined radios (SDR) with 1 watt output power each, combined with open source LTE base station software could be used to send a fake Presidential Alert to a stadium of 50,000 people (note that this was only simulated - real world tests were performed responsibly in a controlled environment). The attack works by creating a fake and malicious LTE cell tower on the SDR that nearby cell phones connect to. Once connected an alert can easily be crafted and sent to all connected phones. There is no way to verify that an alert is legitimate.

Spoofed Presidential Alerts Received on a Galaxy S8 and iPhone X.

SignalsEverywhere: Decoding Inmarsat EGC and AERO ACARS

In his latest video Corrosive from the SignalsEverywhere YouTube channel discusses Inmarsat LES EGC and AERO ACARS decoding. Inmarsat is a satellite provider that has multiple geosynchronous satellites that can be received from almost anywhere in the world at around 1.5 GHz with an RTL-SDR and appropriate antenna + LNA. Inmarsat EGC and AERO are two channels on Inmarsat satellites that can easily be decoded.

The Enhanced Group Call (EGC) messages typically contain text information such as search and rescue (SAR) and coast guard messages as well as news, weather and incident reports. AERO messages on the other hand are a form of satellite ACARS, and typically contain short messages from aircraft. More interestingly with a bit of work compiling audio decoders, it is also possible to listen in to AERO C-Channel conversations, which is an emergency phone call service available on some aircraft.

In his video Corrosive gives an overview and demonstration of EGC and AERO reception.

Inmarsat LES EGC and AERO ACARS Decoding

A LimeSDR Mini Based Es’Hail-2 DATV Ground Station Uplink

Daniel Estévez has posted on the LimeSDR Mini CrowdSupply blog about his ground-station build for the Es'Hail-2 satellite. Es'Hail-2 is the first geostationary satellite with amateur radio transponders on board. The LimeSDR Mini is a $159 RX/TX capable SDR with 10 MHz to 3.5 GHz frequency range.

The Es'Hail-2 satellite is positioned at 25.5°E which is over Africa. Its reception footprint covers Africa, Europe, the Middle East, India, eastern Brazil and the west half of Russia/Asia. There are two amateur transponders on the satellite. One is a narrow band linear transponder which uplinks from 2400.050 - 2400.300 MHz and downlinks from 10489.550 - 10489.800 MHz. Another is a wide band digital transponder for digital amateur TV (DATV) which uplinks from 2401.500 - 2409.500 MHz and downlinks from 10491.000 - 10499.000 MHz.

Daniel's ground station uses a LimeSDR Mini running on a Beaglebone Black. A 2.4 GHz WiFi parabolic grid antenna is used to transmit to the satellite's digital amateur TV uplink. In order to generate enough power for the uplink transmission a GALI-84 amplifier chip is cascaded with a 100W power amplifier. All the electronics are enclosed in a watertight box and placed outside.

A LimeSDR Mini Based Es'Hail-2 DATV Uplink Ground Station

Reverse Engineering and Controlling a Wireless Doorbell with an RTL-SDR and Arduino

Thank you to Shreyas Ubale for submitting his blog post about reverse engineering a wireless doorbell, and then performing a replay attack. Shreyas had purchased a wireless doorbell set containing one button transmitter and two bell receivers. However, his situation required two transmitters, one for visitors at the door, and one to be used by family within his house.

In order to create a second transmitter he decided to reverse engineer the doorbell's wireless signal, and use that information to create an Arduino based transmitter. His process involves first using an RTL-SDR to determine the transmission frequency, then using the rtl_433 software to capture the raw waveform, which he then analyzes manually using Audacity. Once the binary string, length and pulse width are known he is able to program an Arduino connected to a 433 MHz transmitter to replicate the signal.

In future posts Shreyas hopes to explore other ways to transmit the signal, and eventually design a simple but configurable 433 MHz push button that supports RF, WiFi, and can support the IFTTT web service.

If you're interested, check out some of our previous posts that highlight many other successful reverse engineering experiments with RF devices and SDR.

Doorbell Signal Analysis in Audacity. Captured with an RTL-SDR.

Tracking and Recovering A NWS Weather Balloon & Radiosonde with an RTL-SDR

Over on YouTube OLHZN High Altitude Balloons has posted a very entertaining video showing how to use an RTL-SDR and small grid dish antenna to track and recover a fallen weather balloon and its radiosonde. OLHZN writes:

The US National Weather Service (#NWS) launches over 200 weather balloons every day carrying an LMS-6 #radiosonde / rawinsonde made by Lockheed Martin to an altitude of over 100,000 ft. and you can track & follow the flights from home and even find the landing site and pick them up! This is a fun #DIY project that you can do yourself from home and I'll show you how to do it here along with some tips so you can go find yourself a weather balloon & radiosonde!

How to track & recover a NWS weather balloon & radiosonde 🎈🎈 Ham Radio DIY