Thank you to Double A again for submitting a new video where he shows how to use a new SDR# plugin called "SCATuner" to listen to an SCA audio subcarrier embedded within a broadcast FM signal.
SCA short for Subsidiary communications authority, is a separate audio channel hidden within a broadcast FM signal. SCA is typically used for niche radio programs, elevator music, music for doctors offices, and niche services such as reading for the visually impaired. In the past you needed a special hardware SCA radio to receive these channels, however receiving these channels with an SDR is relatively simple. Not all broadcast FM stations will have an SCA service, but the video shown below explains how to find one.
In previous posts Double A and others have shown how to receive these SCA Subcarriers using two instances of SDR#. However, this new plugin makes the task much simpler one click job.
Double A's video goes over how to install and use the plugin, explains SCA and demonstrates it in action decoding a radio reading service for the blind.
SDR# Plugin for Tuning an FM SCA Subcarrier (Radio Reading Service for the Blind) (with RTL-SDR USB)
Over on YouTube Double A Labs has posted a new video demonstrating how to use an RTL-SDR and Android device to receive broadcast FM stations, and to decode any associated RDS data.
In the video Double A uses the SDR Touch Android app and the Advanced RDS function to show the RDS information. He goes on to explain the various pieces of information RDS data provides including clock time, active RDS groups and alternative frequencies.
Tune broadcast FM radio and decode Radio Data System (RDS) information using your Android phone and an RTL-SDR USB (see parts list below). RDS can include station identification, song name, the current time for a receiver to sync its clock, alternative frequencies the same program is on, and more!
Tuning FM Radio & Decoding RDS Data on ANDROID using RTL-SDR USB
Back in September 2021 we posted about Manahiyo's software that allows the RF spectrum and related graphs to be viewed in virtual reality, using a VR headset and an RTL-SDR. Back then the software was only demonstrated on YouTube, but not released.
A few days ago Manahiyo released the VR software on GitHub. The software requires a Oculus/Meta Quest2 VR headset, and the it is able to run directly on the headset's computing hardware. This makes it possible to have the RTL-SDR attached to the headset itself.
Over on his YouTube channel Frugal Radio, Rob has uploaded a new video whilst on holiday travelling through the USA. In the video he shows what sort of scanner radios, antennas and SDR gear he carries with him on his travels. His gear includes a Uniden SDS-100 scanner, a BCD325 scanner, a Radio-Tone RT4 internet network radio and of course an RTL-SDR Blog V3 and laptop.
He goes on to demonstrate the hardware in action from his Hotel room, decoding local digital audio.
A peek in Frugal's Travel Bag : SDR & Scanner gear on the road
A few months ago University student Ayyappan Rajesh and HackingIntoYourHeart reported cybersecurity vulnerability CVE-2022-27254. This vulnerability demonstrates how unsecure the remote keyless locking system on various Honda vehicles is, and how it is easily subject to very simple wireless replay attacks. A replay attack is when a wireless signal such as a door unlock signal is recorded, and then played back at a later time with a device like a HackRF SDR.
Most car manufacturers implement rolling code security on their wireless keyfobs which makes replay attacks significantly more difficult to implement. However, it appears that Honda Civic models (LX, EX, EX-L, Touring, Si, Type R) from years 2016-2020 come with zero rolling code security:
This is a proof of concept for CVE-2022-27254, wherein the remote keyless system on various Honda vehicles send the same, unencrypted RF signal for each door-open, door-close, boot-open and remote start(if applicable). This allows for an attacker to eavesdrop on the request and conduct a replay attack.
In the videos on the GitHub demonstration page they show a laptop with GNU Radio flowgraph and a HackRF SDR being used to turn the engine of a Honda civic on, and to lock and unlock doors.
Various news agencies reported on the story, with "The Record" and bleepingcomputer contacting Honda for comment. Honda spokesperson Chris Martin replied that it “is not a new discovery” and “doesn’t merit any further reporting.” further noting that "legacy technology utilized by multiple automakers” may be vulnerable to “determined and very technologically sophisticated thieves.”. Martin went on to further note that Honda has no plans to update their vehicles to fix this vulnerability at this time.
Laptop and HackRF used to turn on a Honda Civic Engine via simple Replay Attack.
In the past we've seen similar car hacks, but they have mostly been more advanced techniques aimed at getting around rolling code security, and have been difficult to actually implement in the field by real criminals. This Honda vulnerability means that opening a Honda Civic could be an extremely simple task achievable by almost anyone with a laptop and HackRF. It's possible that a HackRF and laptop is not even required. A simple RTL-SDR, and Raspberry Pi with the free RPiTX software may be enough to perform this attack for under $100.
Recording the "unlock" command from the target and replaying (this works on most if not all of Honda's produced FOBs) will allow me to unlock the vehicle whenever I'd like to, and it doesn't stop there at all On top of being able to start the vehicle's ENGINEWhenever I wished through recording the "remote start", it seems possible to actually (through Honda's "Smart Key" which uses FSK) demodulate any command, edit it, and retransmit in order to make the target vehicle do whatever you wish.
Tech YouTuber Lon.TV has recently uploaded a video demonstrating how to identify and decode various digital transmissions with an RTL-SDR dongle. In the video he explains how to use VB Cable to pipe audio from SDR# into various decoders, and then goes on to show DMR, APRS, POCSAG, L-Band AERO, FT8, and JS8/JS8CALL all being decoded via an RTL-SDR Blog V3 dongle.
Software Defined Radio Part 2 - Decoding Digital Transmissions with an RTL-SDR USB Radio
Over on his blog Radoslav has created a post showing how he has used a HackRF to wirelessly control a toy RC car by reverse engineering the wireless control protocol, and generating the control signals in a C++ program.
Having already created the rf-car HackRF RC car control software on GitHub a few years ago, Radoslav was easily able to modify it for a new RC car that his daughter received. The process was to simply look up the FCC data on it, finding that it operated with 2.4 GHz and used GFSK modulation. He then used the Inspectrum signal analysis tool to determine the bit strings used to control the car. Finally using, his C++ interface to the HackRF he implemented the new bit string and GFSK modulation.
The video below demonstrates Radoslav controlling the RC car with the keyboard on his laptop.
Thanks to all who submitted, we recently received some interesting tip offs about the Netflix TV Show Yakamoz S-245 featuring a scene with various hobbyist SDR and ham radio programs clearly visible. Yakamoz S-245 is a show about a submarine research mission, and the scene appears to depict military intelligence specialists using the programs.
