Video Tutorial: Using Universal Radio Hacker, an RTL-SDR and a Microcontroller to Clone 433 MHz Remotes

Over on YouTube, user hubmartin has uploaded a video showing how to use an RTL-SDR and the Universal Radio Hacker (URH) software to reverse engineer and clone a 433 MHz remote control. URH is used to extract the modulation type and the symbol (pulse) timing of the signal, as well as the binary/hex code it carries.

To clone the signal, hubmartin then uses a cheap IoT microcontroller board with a push button and a 433 MHz transmitter module attached. A short C program loads the microcontroller with the extracted timing and bit pattern and keys the transmitter on a button press. In his example the cloned remote controls a wireless power plug and a motorized projector screen.
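As an added illustration of the two halves of that workflow (example code written for this page, not hubmartin's code or URH's), the following Python turns a squared-up OOK envelope into a bit string by taking the shortest high pulse as the symbol length, the way URH's ASK decoding does, and then turns the recovered bits into the on/off timing list that the microcontroller firmware would key the transmitter with. The sample rate, the 350 µs base pulse and the 24-bit PT2262-style PWM code are all constructed for the demonstration:

```python
from itertools import groupby

SAMPLE_RATE = 1_000_000   # 1 MS/s, a typical RTL-SDR recording rate for 433 MHz remotes
SYMBOL_SAMPLES = 350      # 350 us base pulse at 1 MS/s (constructed value)
# Constructed 24-bit address/data word of a PT2262/EV1527-style remote.
CODE = "101001110001011010001101"
# PWM line code used by those chips: '0' -> short high, long low; '1' -> long high, short low.
# Sampled at the base pulse width that is "1000" / "1110", followed by one sync pulse.
RAW_BITS = "".join("1110" if b == "1" else "1000" for b in CODE) + "1"


def runs(seq):
    """Collapse a sequence into (value, run_length) pairs."""
    return [(v, len(list(g))) for v, g in groupby(seq)]


def decode_ook(envelope, sample_rate, symbol_samples=None):
    """Recover the raw bit string from a 0/1 OOK envelope.

    As URH does for ASK, the symbol length is taken from the shortest high pulse
    unless given, every run is rounded to a whole number of symbols (which absorbs
    a few percent of pulse-width jitter), and silence before and after the burst
    is dropped. Returns (bits, symbol_length_in_us).
    """
    r = runs(envelope)
    while r and r[0][0] == 0:
        r.pop(0)
    while r and r[-1][0] == 0:
        r.pop()
    if not r:
        return "", 0.0
    if symbol_samples is None:
        symbol_samples = min(n for lvl, n in r if lvl == 1)
    bits = "".join(str(lvl) * max(1, round(n / symbol_samples)) for lvl, n in r)
    return bits, symbol_samples * 1e6 / sample_rate


def bits_to_hex(bits):
    """Pack the bit string MSB-first into hex, zero-padding the last byte (URH's hex view)."""
    padded = bits + "0" * (-len(bits) % 8)
    return "".join(f"{int(padded[i:i + 8], 2):02x}" for i in range(0, len(padded), 8))


def tx_schedule(bits, symbol_us, gap_us=10000):
    """Turn bits into the (level, microseconds) list a microcontroller keys the transmitter with."""
    sched = [(int(lvl), n * symbol_us) for lvl, n in runs(bits)]
    sched.append((0, gap_us))  # inter-frame silence before the next repeat
    return sched


def encode_ook(bits, symbol_samples, silence=20):
    """Inverse of decode_ook; used here only to build the constructed test envelope."""
    env = [0] * silence
    for b in bits:
        env += [int(b)] * symbol_samples
    return env + [0] * silence


def demo():
    envelope = encode_ook(RAW_BITS, SYMBOL_SAMPLES)   # stands in for a thresholded capture
    bits, symbol_us = decode_ook(envelope, SAMPLE_RATE)
    return bits, symbol_us, bits_to_hex(bits), tx_schedule(bits, symbol_us)


if __name__ == "__main__":
    bits, symbol_us, hexcode, sched = demo()
    print(f"symbol {symbol_us:.0f} us, {len(bits)} bits, hex {hexcode}")
    print("first pulses:", sched[:4])
```

On a real capture the envelope comes from thresholding the magnitude of the IQ samples rather than from `encode_ook`, and pulse widths jitter by a few percent, which is what the rounding in `decode_ook` is there for. Before trusting the hex, check that several presses of the same button decode to an identical bit string; a remote whose code changes every press is using a rolling code and cannot be cloned by replaying one capture.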

Universal Radio Hacker SDR Tutorial on 433 MHz radio plugs

SDR# TETRA Plugin Now Available At RTL-SDR.RU

Vasilli has recently released the SDR# TETRA plugin on his website RTL-SDR.RU (note that the site is in Russian, but can be translated with the Google Translate option in the top right of the page). Previously it was only available via ever-changing forum links, so it's good to see that the latest version now has a permanent home. This plugin allows you to listen to unencrypted TETRA digital voice via SDR#, without needing to set up the complicated GNU Radio based receivers that were necessary in the past.

The features include (translated from Russian):

  • Receives base station (BS) signals with 25 kHz channel bandwidth and π/4-DQPSK modulation;
  • Automatic adjustment of the reception frequency;
  • Displays information about the BS;
  • Displays the ISSI and GSSI of subscribers on the channels (open channels only);
  • Displays network signalling exchanges (open channels only);
  • Lets you listen to channels with manual or automatic channel selection (open channels only);
  • Lets you filter and assign listening priority to specified groups (GSSI);
  • Displays location messages (short message format only)

The features not yet implemented are:

  • Listening to or correctly displaying any encrypted (encoded) traffic on a network;
  • Display of SDS type 4 (short messages);
  • Recording audio from the channels (menu added, but does not work);

We also note that as discussed in a previous post there is a companion program for this plugin called TETRA Trunk Tracker.

SDR# TETRA Decoder Plugin

Industrial Machines like Cranes, Excavators Can Easily be Hacked with Software Defined Radios

Recently, the RF research team at Trend Micro released a very nicely illustrated report, a technical paper and several videos demonstrating how they were able to take control of building cranes, excavators, scrapers and other large industrial machines with a bladeRF software defined radio. Trend Micro is a well known security company, best known for its antivirus products.

Trend Micro writes that the root of the problem is that the remote controllers of these large industrial machines rely on proprietary RF protocols instead of modern, standardized secure protocols. It turns out that many of these proprietary command formats have little or no security in place: commands are neither authenticated nor protected against replay, which is why a recorded command can simply be played back or altered.

A Forbes article about the research explains:

Five different kinds of attack were tested. They included: a replay attack, command injection, e-stop abuse, malicious re-pairing and malicious reprogramming. The replay attack sees the attackers simply record commands and send them again when they want. Command injection sees the hacker intercept and modify a command. E-stop abuse brings about an emergency stop, while malicious re-pairing sees a cloned controller take over the functions of the legitimate one. And malicious reprogramming places a permanent vulnerability at the heart of the controller so it can always be manipulated.

So straightforward were the first four types of attack, they could be carried out within minutes on a construction site and with minimal cost. The hackers only required PCs, the (free) code and RF equipment costing anywhere between $100 and $500. To deal with some of the idiosyncrasies of the building site tech, they developed their own bespoke hardware and software to streamline the attacks, called RFQuack.

Trend Micro responsibly notified the manufacturers of these vulnerabilities, and government-level advisories (1, 2) and patches have been rolled out over the last year. However, the Forbes article states that some vulnerabilities remain unpatched to this day. Tellingly, Forbes writes that for some of these vendors the very idea of patching their system was new to them, with the firmware version of some controllers still reading 0.00A.
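To make the first two attack classes concrete, here is an added example written for this page (it is not Trend Micro's RFQuack code and not any vendor's real protocol) of a toy crane-command link in Python. The "plain" variant models a controller whose frames carry only a public CRC, so a frame recorded with an SDR can be replayed verbatim and a modified opcode is accepted once the CRC is recomputed. The "secure" variant adds a monotonic counter and a truncated HMAC-SHA256 under a key shared at pairing time, which rejects both the replay and the tampered frame. The opcodes, the frame layout and the key are all constructed for this example:

```python
import hashlib
import hmac
import struct
import zlib

# Opcodes for a hypothetical crane controller (constructed for this example).
CMD_HOIST_UP, CMD_HOIST_DOWN, CMD_ESTOP = 0x01, 0x02, 0xFF
SYNC = 0xA5


# --- Vulnerable link: sync + opcode + CRC-32; nothing secret, nothing fresh ---
def build_plain_frame(cmd):
    body = struct.pack(">BB", SYNC, cmd)
    return body + struct.pack(">I", zlib.crc32(body))


class PlainReceiver:
    def __init__(self):
        self.executed = []  # opcodes the machine actually acted on

    def receive(self, frame):
        body, crc = frame[:-4], struct.unpack(">I", frame[-4:])[0]
        if body[0] != SYNC or zlib.crc32(body) != crc:
            return False
        self.executed.append(body[1])
        return True


def inject_command(frame, new_cmd):
    """Attacker step: patch the opcode in a captured frame and fix up the public CRC."""
    body = bytearray(frame[:-4])
    body[1] = new_cmd
    return bytes(body) + struct.pack(">I", zlib.crc32(bytes(body)))


# --- Hardened link: monotonic counter for freshness, truncated HMAC-SHA256 for authenticity ---
class SecureTransmitter:
    def __init__(self, key):
        self.key, self.counter = key, 0

    def build_frame(self, cmd):
        self.counter += 1
        body = struct.pack(">BBI", SYNC, cmd, self.counter)
        tag = hmac.new(self.key, body, hashlib.sha256).digest()[:8]
        return body + tag


class SecureReceiver:
    def __init__(self, key):
        self.key, self.last_counter, self.executed = key, 0, []

    def receive(self, frame):
        body, tag = frame[:-8], frame[-8:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()[:8]
        if not hmac.compare_digest(tag, expected):
            return False  # forged or tampered frame: MAC does not verify
        sync, cmd, counter = struct.unpack(">BBI", body)
        if sync != SYNC or counter <= self.last_counter:
            return False  # replayed (or reordered) frame: counter is not fresh
        self.last_counter = counter
        self.executed.append(cmd)
        return True


def demo():
    """Run the replay and injection attacks against both links; returns the outcomes."""
    plain_rx = PlainReceiver()
    captured = build_plain_frame(CMD_HOIST_UP)  # what the attacker's SDR recorded
    outcome = {
        "plain_legit": plain_rx.receive(captured),
        "plain_replay": plain_rx.receive(captured),
        "plain_inject": plain_rx.receive(inject_command(captured, CMD_HOIST_DOWN)),
        "plain_forged_estop": plain_rx.receive(build_plain_frame(CMD_ESTOP)),
    }
    key = bytes.fromhex("00112233445566778899aabbccddeeff")  # pairing key (constructed)
    tx, secure_rx = SecureTransmitter(key), SecureReceiver(key)
    good = tx.build_frame(CMD_HOIST_UP)
    tampered = bytearray(good)
    tampered[1] = CMD_HOIST_DOWN  # attacker flips the opcode but cannot recompute the MAC
    outcome.update({
        "secure_legit": secure_rx.receive(good),
        "secure_replay": secure_rx.receive(good),
        "secure_inject": secure_rx.receive(bytes(tampered)),
        "secure_next": secure_rx.receive(tx.build_frame(CMD_HOIST_DOWN)),
    })
    return outcome, plain_rx.executed, secure_rx.executed


if __name__ == "__main__":
    for name, accepted in demo()[0].items():
        print(f"{name:20s} accepted={accepted}")
```

Two practical points follow from the hardened design: the receiver must persist `last_counter` across power cycles, otherwise every reboot reopens the replay window, and the pairing key must be unique per transmitter/receiver pair, because a key shared across a whole product line would let a cloned controller pair just as easily as the legitimate one.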

Videos of the team taking control of a model crane, a real crane and an excavator are shown below. They use bladeRF 2.0 SDRs, which are relatively low cost TX/RX capable software defined radios. We also recommend taking a look at Trend Micro's web article, which very nicely illustrates several RF attack vectors that apply to many other RF devices as well.

In the past we've also posted about similar serious RF attacks on infrastructure and machines that reveal the vulnerability of, and disregard for, wireless security in everyday systems. These include taking control of city disaster warning sirens, GPS spoofing of car navigation systems, hacking the wireless door systems of cars, and revealing hospital pager privacy breaches.

Trend Micro Illustrates Replay Attacks
Crane hacking Pt 1

Crane hacking Pt 2

More Talks from GNURadio Con 2018

Last week we posted about some videos of talks from the 2018 GNU Radio Conference which had been released on YouTube. This week a few more videos have been released and we show a small selection below. The full collection of videos can be found on their YouTube channel.

RF Ranging with LoRa Leveraging RTL-SDRs and GNU Radio

Wil Myrick discusses the use of RTL-SDRs and GNU Radio to create a low cost LoRa RF ranging prototype, to aid in the localization of IoT transmitters.

GRCon18 - RF Ranging with LoRa Leveraging RTL SDRs and GNU Radio

Using GNU Radio and Red Pitaya for Citizen Science

Robert W McGwier discusses the use of Red Pitaya SDRs and GNU Radio for use in citizen science ionosphere measurement experiments.

GRCon18 - Using GNU Radio and Red Pitaya for Citizen Science

SETI Breakthrough Listen

Steve Croft discusses the Search for Extraterrestrial Intelligence (SETI) project and how software defined radio is being used in the search.

GRCon18 - SETI Breakthrough Listen

Using a LimeSDR / PlutoSDR to Transmit Digital Amateur Television with DATV Express

Over on YouTube Corrosive from channel SignalsEverywhere has uploaded a new video in his series on Digital Amateur Television (DATV). The new video shows us how to use a transmit capable SDR like a LimeSDR or PlutoSDR to transmit DATV with a free Windows program called DATV Express.

In the video he explains the various transmit and video encoding settings, and then demonstrates the signal being received in SDRAngel with an RTL-SDR (which he explained in his previous video).

DATV DVB-S Transmitter With a LimeSDR or Pluto SDR and DATV Express

Es’hail-2 Transponder Tests + Narrow Band Web Stream

Es'hail 2 was launched last November and is the first geostationary satellite to carry an amateur radio transponder. The satellite is positioned at 25.5°E, over Africa. Its reception footprint covers Africa, Europe, the Middle East, India, eastern Brazil and the western half of Russia/Asia.

Although the satellite was launched last year, turning on the amateur transponders has been slow because the satellite's commercial systems have higher priority for testing and commissioning. However, within the last day the Es'hail 2 team have begun testing the amateur transponder, and the test signal has been successfully received by several enthusiasts (just check out the Twitter feed). There also appears to have already been a suspected pirate CW signal transmitting "WELCOME DE ES2HAIL". Uplinking to the satellite is not wanted at this stage, and on the AMSAT forums one of the engineers writes:

Before the IOT starts there will be a TRR (test readiness review) in front of the customer. All the test plans and test specifications will be reviewed. When the test is done there will be a TRB (test readiness board). In the TRB they have to show/present all the measurement results (e.g. in-band performance like gain flatness, group delay and so on) and compare these results with the specification in the contract. Each unwanted signal makes the measurement difficult and needs to be explained or leads to a so-called NCR (non conformance report).

The IOT will be done in shifts/night shifts, and with unwanted signals (if not explainable) some measurements need to start again and again, which in addition leads to a delay for the handover and operation of the satellite.

Maybe that helps to understand why it is really important to have only the IOT uplink signal.

To measure the pattern of each antenna the satellite will be moved east/west by the propulsion system of the DS2000 bus and the signal level is measured by the IOT station on the ground (some cuts).

The commercial beacon can maybe be switched from the LEOP omni antenna to the on-station antenna when the satellite is placed in its final slot. This should be the reason for the change in the commercial Ku band beacon signal level over the last days.

If you are interested in receiving Es'hail 2 but live outside the footprint, or don't have a receiver, you can use Zoltan's OpenWebRX live stream of the narrow band portion of the Es'hail 2 downlink. At the moment the beacon doesn't appear to be transmitting, but we expect it to be on and off over the next few days. His setup uses an RTL-SDR V3, an Inverto LNB, a 90 cm dish, a DIY bias tee and a Raspberry Pi 3.

He also recorded the pirate's CW transmission, shown in the video below.

Es'hail-2 live, CW signal 2019.01.17.

Es-hail 2 test transmission

RadarBox24 Specialty ADS-B RTL-SDR Reduced to $9.95 + Shipping

RadarBox24.com is a flight data aggregation service similar to sites like FlightAware.com and FlightRadar24.com. They aggregate ADS-B aircraft data obtained from (mostly) volunteer RTL-SDR based feeders based all over the world and use this to power their flight tracking map and flight information database.

Last year RadarBox24 came out with a specialty ADS-B RTL-SDR dongle. This is a custom RTL-SDR which contains a built in 1090 MHz tuned amplifier and filter. We have not tested this dongle yet, but we expect that the design and performance would be very similar to the FlightAware ADS-B dongles. A network analyzer report from RB24 is provided here.

These dongles can only receive 1090 MHz, and do so better than a standard RTL-SDR because of the built-in LNA and filter. The LNA lowers the overall noise figure of the receiver, giving greater sensitivity, while the filter rejects strong out-of-band signals that would otherwise overload and desensitize the tuner. The result is greater reception range and more flights tracked. Please note that because of the filtering these dongles cannot be used as wideband general purpose RTL-SDRs.

Recently in an attempt to gather more volunteer contributors, RadarBox24 has decided to sell their ADS-B dongles at a loss, pricing them at only US$9.95 + shipping (or on Amazon USA with Prime). Shipping appears to be anywhere from US$5-$8 depending where you are in the world, and shipping does not increase with two or more dongles being ordered.

ADS-B data can easily be shared with RadarBox24 via their Raspberry Pi image, and RadarBox24 write that if you share data with their site you will receive the following benefits:

  • Free Business Account while sharing (worth $39.95 /mo). This allows you to access RAW and historic flight data as well as enabling other features such as more advanced data filtering, and a weather layer.
  • Strong and enthusiastic Community on Whatsapp
  • Track your own station's flights in real-time not only on website but also on RadarBox apps
RadarBox ADS-B RTL-SDR Dongle

Video Showing How to Decode Meteor M2 with an SDRPlay in Windows

Thanks to "Lolo sdr" for submitting his videos showing his process for receiving and decoding Meteor M2 weather satellite images in Windows with an SDRplay and SDR-Console V3. Since the SDRplay is not supported by SDR#, it is not possible to use Vasilli's excellent Meteor Demodulator plugin (site in Russian, please use the Google Translate option) directly, as it is only available for SDR#.

Lolo's method gets around this limitation by first recording an IQ file of the satellite pass in SDR-Console V3, then opening that IQ file in SDR# via the Fileplayer plugin, which is also by Vasilli and available here. The process is a bit of extra work and the image isn't live, but it comes out clearly in the end.

The videos are shown below, and subtitles are available in English, French and Italian via the YouTube player options.

Receive and decode the Meteor M2 satellite with SDRplay, part 1 of 2: recording the pass, with subtitles.

Receive and decode the Meteor M2 satellite with SDRplay, part 2 of 2: decoding the image and correction.