
Hacking the Wireless World with Software Defined Radio 2.0
Balint Seeber (Applications Specialist & SDR Evangelist)

balint@ettus.com
balint@spench.net
@spenchdotnet

ISEE-3
International Sun/Earth Explorer 3
Launched: August 12, 1978
Heliocentric orbit
Study interaction between solar wind and Earth's magnetic field

ISEE-3
Renamed ICE: International Cometary Explorer
First spacecraft in halo orbit at an Earth-Sun L1 (Lagrange point)
First spacecraft to pass through tail of a comet (Giacobini-Zinner)

Old Telemetry Screen

Overview

Restaurant Pagers
RDS-TMC
Primary Surveillance RADAR
RFID
ISEE-3

50 MHz BW

GSM BCCH & Traffic

Dialplan
101 Registration
Text back 4 to 10 digit number to register

411 Info
600 Echo Test
777 Time
778 ANI
2103 Me

400 MHz Band

50 MHz to 250 MHz (200 Msps, 120 MHz RF BW)

Spectrum Monitoring

Spot the Antennas

Spot the Antennas

Spot the Antennas

Spot the USRPs

Stitched FFTs

Stitched FFTs

USRP B200 & B210
USB 3.0 (bus powered!)
56 MHz bandwidth
70 MHz to 6 GHz
2x2 MIMO

Restaurant Pagers

Hacking the Wireless World with #sdr

@spenchdotnet

Your food is ready?
Pagers inform waiting customer they can collect their order
Assuming their order is ready

Order & collection rate should be ~same
Unless everyone is paged at once

Step 1: Frequency
Either:
Find frequency label on the device
Find FCC ID on device and check online
Scan spectrum in likely ranges (e.g. 450-470 MHz)

Step 1: Frequency

Step 1: Frequency
Note how often transitions occur (no long runs of 0 or 1).
Implies line encoding is in use (helps clock recovery at receiver).

Flowgraph

Step 2: Channel Selection

Step 3: FSK Deviation

Step 4: Quadrature Demod

Step 5: Baud Rate

Step 5: Clock Recovery

Step 6: Line Encoding

Manchester Encoding

Manchester Violation

Step 7: Compare Changing Bits

Step 8: Finding the ID
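Steps 5 and 6 (clock recovery, then undoing the line encoding) leave a chip stream to decode. The block below is an added example, not code from the talk: it decodes Manchester chips, treats a violation (a chip pair with no mid-bit transition) as a frame delimiter, and uses the violation count to pick the correct half-bit phase of the recovered clock. The IEEE 802.3 polarity, the function names and the sample chip stream are my assumptions.

```python
# Manchester line decoding after clock recovery (added example, not from the talk).
# One data bit = two chips with a mid-bit transition. Polarity assumed here is the
# IEEE 802.3 convention: 0 -> chips (1, 0), 1 -> chips (0, 1). A chip pair without
# a transition (0,0 or 1,1) is a Manchester violation: it can never be data, so a
# transmitter can use it as a delimiter and a receiver to spot a mis-phased clock.
ZERO, ONE = (1, 0), (0, 1)

def manchester_encode(bits):
    """Bits -> chips (two per bit)."""
    return [c for b in bits for c in (ONE if b else ZERO)]

def manchester_decode(chips):
    """Chips -> symbols: 0/1 for data pairs, 'V' for a violation pair."""
    symbols = []
    for i in range(0, len(chips) - 1, 2):
        pair = (chips[i], chips[i + 1])
        symbols.append("V" if pair[0] == pair[1] else int(pair == ONE))
    return symbols

def split_frames(symbols):
    """Split the symbol stream on violations; empty segments are dropped."""
    frames, current = [], []
    for s in symbols + ["V"]:
        if s != "V":
            current.append(s)
        elif current:
            frames.append(current)
            current = []
    return frames

def decode_best_phase(chips):
    """The recovered clock may be off by half a bit: decode at both chip
    alignments and keep the one with fewer violations (an alternating 1010...
    preamble decodes cleanly in phase and as all violations out of phase).
    Returns (phase, frames)."""
    best = None
    for phase in (0, 1):
        symbols = manchester_decode(chips[phase:])
        n_viol = symbols.count("V")
        if best is None or n_viol < best[0]:
            best = (n_viol, phase, split_frames(symbols))
    return best[1], best[2]

# Constructed sample: alternating preamble, one deliberate violation as the
# delimiter, then an 8-bit payload; a stray leading chip mimics a mis-phased clock.
PREAMBLE, PAYLOAD = [1, 0] * 4, [1, 1, 0, 1, 0, 0, 1, 0]
SAMPLE_CHIPS = manchester_encode(PREAMBLE) + [1, 1] + manchester_encode(PAYLOAD)
MISPHASED_CHIPS = [0] + SAMPLE_CHIPS
```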

Modulator
Reverse the decoding process:
1. Construct packet
   a) Preamble (wake up receiver)
   b) Magic header (sync & system ID)
   c) Pager number
   d) Checksum
2. Interpolate (choose samples per bit)
3. Frequency modulate
4. Apply pulse shaping filter (ideally)
5. Resample for transmitter

Modulator

Modulator Output

Modulator

Remote Control

Slider

POCSAG
Other restaurant pager systems adopt a standard
Decode with gr-pocsag
Modified to end frame decoding when squelch closes

POCSAG Decode

POCSAG Frames
---[00] Address: 001dc168 function: 00000000
[01] (001dc168) Data: 05[5] 0c[ ] 03[3] 03[3] 03[3]
[02] (001dc168) Idle
=== SQUELCHED (residue: 5) ===
---[00] (ffffffff) Idle
[01] (ffffffff) Idle
[02] (ffffffff) Idle
[03] (ffffffff) Idle
[04] (ffffffff) Idle
[05] (ffffffff) Idle
[06] Address: 001dc15b function: 00000000
[07] (001dc15b) Data: 05[5] 0c[ ] 03[3] 03[3] 03[3]
[08] (001dc15b) Idle
=== SQUELCHED (residue: 5) ===
---[00] (ffffffff) Idle
[01] (ffffffff) Idle
[02] (ffffffff) Idle
[03] (ffffffff) Idle
[04] (ffffffff) Idle
[05] (ffffffff) Idle
[06] Address: 001dc15b function: 00000000
[07] (001dc15b) Data: 05[5] 0c[ ] 03[3] 03[3] 03[3]
[08] (001dc15b) Idle
=== SQUELCHED (residue: 5) ===

POCSAG Frame
---[00] (ffffffff) Idle
[01] (ffffffff) Idle
5b=01011011
[02] (ffffffff) Idle
[03] (ffffffff) Idle
[04] (ffffffff) Idle
[05] (ffffffff) Idle
[06] Address: 001dc15b function: 00000000
[07] (001dc15b) Data: 05[5] 0c[ ] 03[3] 03[3] 03[3]
[08] (001dc15b) Idle
=== SQUELCHED (residue: 5) ===

Pager Frame Construction
Preamble
SYNC
Address: System & Pager
Schedule address to appear in correct slot
Pad with IDLEs beforehand

Pager action
Trailing IDLE
Apply BCH(31,21) ECC to each slot
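As an added example (not the talk's gr-pocsag code or its modulator), the following builds one POCSAG batch exactly as the slide lists it and parses it back: the sync codeword, the address scheduled into the frame given by its low three bits, the numeric message, IDLE padding, and BCH(31,21) plus even parity on every 32-bit codeword. The sample reproduces the capture above (address 0x1dc15b, function 0, numeric "5 333"); the generator polynomial and the sync/idle constants are the standard POCSAG values, and the function names are mine.

```python
# POCSAG batch construction and decoding (added example, not from the talk).
# Codeword (32 bits) = 21 data bits | 10 BCH(31,21) check bits | 1 even-parity bit.
# Address codeword: bit 31 = 0, 18 address bits (address >> 3), 2 function bits; the
# low 3 address bits select the frame (2 codewords each, 8 per batch) it must occupy.
# Message codeword: bit 31 = 1, 20 payload bits = five 4-bit numeric digits.
BCH_POLY = 0x769                 # g(x) = x^10 + x^9 + x^8 + x^6 + x^5 + x^3 + 1
SYNC, IDLE = 0x7CD215D8, 0x7A89C197
NUMERIC = "0123456789*U -)("     # numeric alphabet; digit 0xC is a space

def bch_codeword(data21):
    """Append the 10 BCH check bits (data * x^10 mod g) and the even-parity bit."""
    v = data21 << 10
    for i in range(20, -1, -1):     # polynomial long division over GF(2)
        if v & (1 << (i + 10)):
            v ^= BCH_POLY << i
    cw = (data21 << 11) | ((v & 0x3FF) << 1)
    return cw | (bin(cw).count("1") & 1)

def codeword_ok(cw):
    """True if a received 32-bit codeword passes the BCH and parity checks."""
    return bch_codeword(cw >> 11) == cw

def address_codeword(address, function):
    return bch_codeword(((address >> 3) << 2) | (function & 3))

def numeric_codewords(text):
    digits = [NUMERIC.index(c) for c in text]
    digits += [0xC] * (-len(digits) % 5)          # pad last word with spaces
    return [bch_codeword((1 << 20) | int("".join(f"{d:04b}" for d in digits[i:i + 5]), 2))
            for i in range(0, len(digits), 5)]

def build_batch(address, function, text):
    """SYNC + 16 codewords: IDLEs up to the address's frame, address, message, IDLEs."""
    words = [IDLE] * (2 * (address & 7)) + [address_codeword(address, function)]
    words += numeric_codewords(text)
    return [SYNC] + words + [IDLE] * (16 - len(words))

def parse_batch(words):
    """Return [(address, function, numeric text)] for every page in one batch."""
    if words[0] != SYNC or not all(codeword_ok(w) for w in words):
        raise ValueError("bad sync word or BCH/parity failure")
    pages, page = [], None
    for i, cw in enumerate(words[1:]):
        if cw == IDLE:
            continue
        if cw >> 31 == 0:              # address: low 3 bits come from the frame index
            page = [(((cw >> 13) & 0x3FFFF) << 3) | (i // 2), (cw >> 11) & 3, ""]
            pages.append(page)
        elif page is not None:         # message: five numeric digits, MSB first
            page[2] += "".join(NUMERIC[(cw >> s) & 0xF] for s in (27, 23, 19, 15, 11))
    return [tuple(p) for p in pages]
```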

POCSAG Modulator

ZigBee
Roles reversed: pager unit transmits
Pager unit has integrated RFID reader
RFID chip stuck on underside of each table
Placing pager unit on table transmits pager number and table number
2.4 GHz ISM band
Decode with gr-ieee802-15-4

ZigBee Transceiver

Decoded ZigBee

Decoded Pager
Pagers:
38 = 0x26
54 = 0x36
Table:
36 = 0x24

Hostage Pager
Pagers get angry when system broadcast (beacon) is not heard within timeout
Flash & vibrate until they are returned within range

Take a pager hostage by broadcasting beacon

RDS-TMC


FM Broadcast Band

FM Broadcast Band

Radio Data Service

Subcarrier on commercial FM stations
Not audible (filtered out)
BPSK @ 1187.5 bps
Listen & decode with gr-rds

Stereo FM with RDS: Receiver

Radio Data Service

Traffic Message Channel
Type 8A RDS group message
Compact representation via lookup table:
Event
Location
Duration

Examples:
Congestion
Accidents
Roadwork

Traffic Message Channel

Traffic Message Channel

Encrypted Location Codes
Location codes: 16 bit for a given geographical area
Encryption keys: 16 bit
Schedule: One randomly chosen each day from 31 standard keys
Receiver update: Key ID broadcast constantly

Daily Key ID

Patterns
Always three unique temperature reports
Key: Event ID
Value: Location

Group of three Event IDs always the same
Encrypted Location IDs always the same for given Enc ID
Event IDs identical for period of days/weeks
Can vary after some time, but hidden (unobserved) value is always the same

Temperatures

Patterns

Days                       Day 1                   Day 2                   Day 3                   Day 4
Key ID (random each day)   K1                      K2                      K2                      K3
Group Period               P1                      P1                      P2                      P2
L1                         evt(P1,L1):enc(K1, L1)  evt(P1,L1):enc(K2, L1)  evt(P2,L1):enc(K2, L1)  evt(P2,L1):enc(K3, L1)
L2                         evt(P1,L2):enc(K1, L2)  evt(P1,L2):enc(K2, L2)  evt(P2,L2):enc(K2, L2)  evt(P2,L2):enc(K3, L2)
L3                         evt(P1,L3):enc(K1, L3)  evt(P1,L3):enc(K2, L3)  evt(P2,L3):enc(K2, L3)  evt(P2,L3):enc(K3, L3)

Hidden Plain Location

Transmitted over the air:
Event    = evt(period, plain location)
Location = enc(key of the day, plain location)

Security Analysis
16 bit is very short
Identical group of location codes are broadcast on a daily basis
Unknown but reused plaintext

Singular events can be correlated from a trusted source
Known plaintext

Singular Event from Trusted Source

Input Data

               Plain Location
Key ID         L1           L2           L3
K1             enc(K1, L1)  enc(K1, L2)  enc(K1, L3)
K2             enc(K2, L1)  enc(K2, L2)  enc(K2, L3)
K3             enc(K3, L1)  enc(K3, L2)  enc(K3, L3)
K4             enc(K4, L1)  enc(K4, L2)  enc(K4, L3)
K5             enc(K5, L1)  enc(K5, L2)  enc(K5, L3)

1. Bootstrap: find all possible plain locations & keys that result in enc(K1, L1)
2. Given those keys, find all possible plain locations recorded with that Key K1 (i.e. L2, L3)
   Remember pool of possible plain locations for each L & pool of possible keys for K
3. For each remaining K, repeat, maintaining pool of possible keys for each K:
   Find all possible keys given pool of possible plain locations for each L
   Repeat, filtering pools until only one match remains
   Remove item from pool when enc(K, L) does not match input data

Algorithm
[Diagram: the Input Data table of enc(K, L) values (Key IDs K1..K5 against plain locations L1..L3) annotated with a Possible Plain Location Pool for each L and a Possible Key Pool for each K; the pools are iterated and filtered until they shrink to single candidates]
Despite 16 bits, many potential keys/plain locations are generated at the start due to nature of enc(K, L)

Results

Results
Convergence expedited by addition of singular events
vehicle fire(s)
flooding
object(s) on roadway {something that does not necessarily block the road or part of it}

Even though multiple keys exist for a Key ID, with enough data plain location search yields one match!

Aviation RADAR


ATCRBS, PSR & SSR
Air Traffic Control Radar Beacon System
Primary Surveillance Radar
Secondary Surveillance Radar
Primary:
Traditional RADAR
Paints skins and listens for return
Identifies and tracks primary targets, while ignoring ground clutter
Range limited by RADAR equation (1/d^4)

ATCRBS, PSR & SSR
Air Traffic Control Radar Beacon System
Primary Surveillance Radar
Secondary Surveillance Radar
Secondary:
Directional radio
Requires transponder
Interrogates transponders, which reply with squawk code, altitude, etc.
Increased range (1/d^2)

Primary Surveillance RADAR
Transmits a bang (the main pulse)
Listens for returns (echoes)

Bang

The Modes
SSR:
A: reply with squawk code
C: reply with altitude
S: enables Automatic Dependent Surveillance-Broadcast (ADS-B), and the Aircraft/Traffic Collision Avoidance System (ACAS/TCAS)

The Modes
SSR:
A: reply with squawk code
C: reply with altitude
S: enables Automatic Dependent Surveillance-Broadcast (ADS-B), and the Aircraft/Traffic Collision Avoidance System (ACAS/TCAS)
Mode S not part of ATCRBS, but uses same radio hardware (same frequencies)
Increasing problem of channel congestion

ADS-B
Position
Heading
Altitude
Vertical rate
Flight ID
Squawk code

A Typical 747 has 31 radios
2x 400 W voice HF
3x 25 W voice/data VHF
2x 100 W 9 GHz RADARs
2x GPS, 1.5 GHz 60 W voice/data SATCOM
2x 75 MHz marker beacons
3x VHF LOC localiser
3x UHF glideslope
2x LF ADF automatic direction finder
2x VOR VHF omnidirectional range
2x 1 GHz 600 W transponders
2x 1 GHz 700 W DME distance measuring equipment
3x 500 mW 4.3 GHz radar altimeters
3x 406 MHz EPIRB

[Diagram: antenna positions on the airframe: TCAS, transponder, high-gain and low-gain SATCOM, VHF, HF, DME, ADF, EPIRB, marker beacon, RADAR altimeter]

Mode S Response Encoding
Data block is created & bits control position of pulses sent by transmitter

Early chip
Late chip
Used to differentiate against other Modes

Pulse Position Modulation (AM)

Pulse Position Modulation
Pulse lasts 0.0000005 seconds (0.5 µs)
Need to sample signal at a minimum of 2 MHz (assuming you start sampling at precisely the right moment and stay synchronised)
Requires high bandwidth hardware and increased processing power
Ideally, oversample to increase accuracy
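As an added example (not from the talk), here is a Mode S pulse-position demodulator that works on an amplitude envelope with the preamble and bit timings of the Mode S reply format (preamble pulses at 0, 1.0, 3.5 and 4.5 µs, data from 8 µs, early chip = 1, late chip = 0). The envelope is constructed in code; running it at the 2 MHz minimum and at 4x oversampling with an unknown start offset shows why a preamble search plus oversampling is needed. Function names and the sample payload are mine.

```python
# Mode S pulse-position demodulation (added example, not from the talk).
# Reply format timing: preamble pulses at 0, 1.0, 3.5 and 4.5 us (0.5 us wide), data
# block from 8.0 us, one 1 us slot per bit with the 0.5 us pulse in the early chip
# for a 1 and in the late chip for a 0. The envelope is a plain list of amplitudes.
PREAMBLE_US = (0.0, 1.0, 3.5, 4.5)
QUIET_US = (0.5, 1.5, 2.0, 3.0, 4.0, 5.0)    # preamble slots that must stay empty
DATA_START_US, CHIP_US = 8.0, 0.5

def chip_energy(env, fs_hz, s0, t_us):
    """Sum of the envelope over the 0.5 us chip starting t_us after sample s0."""
    spc = fs_hz * CHIP_US / 1e6                # samples per chip: 1.0 at 2 MHz
    a = s0 + int(round(t_us / CHIP_US * spc))
    return sum(env[a:a + int(round(spc))])

def mode_s_envelope(bits, fs_hz, start_sample=0, tail=8):
    """Constructed ideal AM envelope (1.0 inside a pulse, 0.0 elsewhere) of one reply."""
    spc = fs_hz * CHIP_US / 1e6
    env = [0.0] * (start_sample + int((DATA_START_US + len(bits)) / CHIP_US * spc) + tail)
    pulses = list(PREAMBLE_US) + [DATA_START_US + i + (0.0 if b else CHIP_US)
                                  for i, b in enumerate(bits)]
    for t in pulses:
        a = start_sample + int(round(t / CHIP_US * spc))
        for k in range(a, a + int(round(spc))):
            env[k] = 1.0
    return env

def find_preamble(env, fs_hz):
    """Slide the preamble template over the envelope: pulse slots add energy, quiet
    slots subtract it. Returns (best_start_sample, score)."""
    best = (0, float("-inf"))
    for s0 in range(len(env)):
        score = (sum(chip_energy(env, fs_hz, s0, t) for t in PREAMBLE_US)
                 - sum(chip_energy(env, fs_hz, s0, t) for t in QUIET_US))
        if score > best[1]:
            best = (s0, score)
    return best

def decode_ppm(env, fs_hz, s0, nbits):
    """Early vs. late chip energy per bit slot -> bit. Returns (bits, n_ambiguous);
    an ambiguous slot (equal energy) means sampling is too coarse or misaligned."""
    bits, ambiguous = [], 0
    for i in range(nbits):
        early = chip_energy(env, fs_hz, s0, DATA_START_US + i)
        late = chip_energy(env, fs_hz, s0, DATA_START_US + i + CHIP_US)
        ambiguous += int(early == late)
        bits.append(1 if early > late else 0)
    return bits, ambiguous

SAMPLE_BITS = [1, 0, 1, 1, 0, 0, 1, 0, 0, 1, 1, 1, 0, 1, 0, 0]   # constructed payload
```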

Mode S Frame

Mode S Response: AM signal

Primary Surveillance RADAR

Moffett Field ASR-9

Primary Surveillance RADAR

Primary Surveillance RADAR

Primary Surveillance RADAR

Dual PRF Mode: Weather

Bang

RADAR Returns

Magnitude Histogram

Magnitude Histogram

Above Noise Floor

Above Noise Floor

Pulse Length Histogram

Pulse Envelope

Pulse Envelope

Pulse Envelope

Strong Pulse Separation

PRF Histogram

Strong Pulses vs. Time

Strong Pulses vs. Time (zoomed)

Pulse Power vs. Time

Pulse Power vs. Time (zoomed)

Distance Between Pulses

Pulse and echo power over time

Raw RADAR Return Plot
Each scan line is synchronised to an emitted pulse
Scan line is amplitude of samples over time (also range of the return)

Virtual RADAR Scope

RADAR

LAS ASR-9

Bistatic

Monostatic

Distortion Map
[Diagram: angle vs. distance, 2D offset]

Multipath


ATSC

PN511

Correlation Peaks

RFID


FasTrak
Traffic toll tag
Contains your ID

Interrogation signal in 900 MHz ISM band
Wake-up signal activates tag
Pulse Position Modulated payload

Tag replies with backscatter modulation
Reflects transmitter's RF energy (tiny amount)
Modulates reflection with Frequency Shift Keying

Interrogation Signal
[Plot annotated: wake-up, preamble, payload, backscatter carrier]

Wake Up / Preamble

Interrogation Payload

Backscatter Carrier

RF Circulation
[Diagram: circulator ports: TX, RX, ANT]

Interrogation Signal

Received Signal
[Plots annotated: interrogation, CW, response]

Title 21 Specification

Preamble Detection

Preamble Detection

Matched Preamble Filter Response

Slicer Time!

Sample bits

Reading a Tag Outside

Frequency domain Amplitude (LF)

Time domain Amplitude (LF)

Time domain Amplitude (LF)

Frequency domain Amplitude (UHF)

Time domain Amplitude (UHF)

baudline Dual FFT

LF
UHF

GNU Radio + baudline

GNU Radio + baudline

Building Security Badge Auth

Time domain Amplitude

Time domain Amplitude

Reader / Badge

Time domain Amplitude

Reader

Badge

ISEE-3 Reboot Project


Delta-V Limit

Arecibo Radio Observatory

Fun

View from above

Ionospheric heaters

Still a good start

Weak Signal, Low RBW

numpy & matplotlib

After Improving Pointing
~45 dB C/N
Moving peak below due to Doppler shift

Verifying Transmitted Signal

B200 receiving leakage from dish

Moment of First Contact

Happy Dance

Dual Channel Recording

Raw Captured Baseband

PLL tracking carrier

PLL Lock

Propulsion System

Telemetry: 16 bps

Telemetry: 64 bps

Telemetry: 512 bps

Telemetry: 2048 bps

Telemetry During Thruster Firing

No Thrust

Hydrazine Propulsion System

New Orbit

www.spacecraftforall.com

#cyberspectrum

http://wiki.spench.net/wiki/RF
http://spench.net/
GitHub:balint256

balint@spench.net
balint@ettus.com

@spenchdotnet

Other Applications


Blind Signal Analysis

What you need
Dish + LNB + power injector + USRP + GNU Radio
(set top box with LNB thru)

D1 TLM1: 12243.25 MHz
[Spectrum plot annotated: mirror of RHS*, constant carrier power*, TLM sidebands, constant subcarrier, 1PPS]
Beacon with Phase Modulation* (PM): 1PPS and two telemetry streams (sidebands)

Visualisation

Let's try one

Feed entire baseband spectrum into GR
Perform channel selection to isolate stream of interest (create new baseband centred on stream)

Frame analysis
Header
SYN SYN SYN (EBCDIC)

Character oriented encoding:
SOH
STX
ETX
CRC (CCITT-16)

Number of fixed length messages
Each contains an ID

Unpack & find patterns
8 bit signed
16 bit signed
Message header
BCD
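Added example, not the talk's own decoder: a parser for the character-oriented framing listed under "Frame analysis" (EBCDIC SYN SYN SYN, SOH header, STX body, ETX, CRC-CCITT-16) that locates frames in a byte stream, verifies the CRC and splits the body into fixed-length messages whose first byte is taken as the ID. The header and message lengths, the CRC parameters (poly 0x1021, init 0xFFFF, computed over SOH..ETX), the absence of byte stuffing and the sample bytes are assumptions, since the slides do not give them.

```python
# Character-oriented (BISYNC-style) telemetry framing parser (added example, not
# the talk's decoder). Frame assumed: SYN SYN SYN | SOH header | STX body | ETX | CRC16.
# EBCDIC controls: SYN = 0x32, SOH = 0x01, STX = 0x02, ETX = 0x03. No byte stuffing is
# assumed, so ETX must not occur inside the body. CRC-CCITT (poly 0x1021, init 0xFFFF,
# over SOH..ETX) and the header/message lengths are assumptions.
SYN, SOH, STX, ETX = 0x32, 0x01, 0x02, 0x03
HEADER_LEN, MSG_LEN = 2, 4            # assumed: 2-byte header, 4-byte fixed messages

def crc16_ccitt(data, init=0xFFFF):
    crc = init
    for byte in data:
        crc ^= byte << 8
        for _ in range(8):
            crc = ((crc << 1) ^ 0x1021) & 0xFFFF if crc & 0x8000 else (crc << 1) & 0xFFFF
    return crc

def build_frame(header, messages):
    """Constructed frame, used only to make the sample stream below."""
    body = bytes([SOH]) + header + bytes([STX]) + b"".join(messages) + bytes([ETX])
    return bytes([SYN] * 3) + body + crc16_ccitt(body).to_bytes(2, "big")

def parse_frames(stream):
    """Return [(header, [messages], crc_ok)] for each SYN SYN SYN-delimited frame."""
    frames, i = [], 0
    while (i := stream.find(bytes([SYN] * 3), i)) != -1:
        start = i + 3
        if start >= len(stream) or stream[start] != SOH:
            i += 1                          # SYN run without a header: keep scanning
            continue
        end = stream.find(bytes([ETX]), start)
        if end == -1 or end + 3 > len(stream):
            break                           # truncated frame at end of stream
        body = stream[start:end + 1]
        crc_ok = int.from_bytes(stream[end + 1:end + 3], "big") == crc16_ccitt(body)
        payload = body[2 + HEADER_LEN:-1]   # after SOH + header + STX, before ETX
        msgs = [payload[k:k + MSG_LEN] for k in range(0, len(payload), MSG_LEN)]
        frames.append((body[1:1 + HEADER_LEN], msgs, crc_ok))
        i = end + 3
    return frames

def message_ids(frames):
    """First byte of each fixed-length message (assumed to carry the message ID),
    taken only from frames whose CRC verified."""
    return [m[0] for _, msgs, ok in frames if ok for m in msgs]

# Constructed sample stream: two good frames around one with a corrupted CRC byte.
GOOD1 = build_frame(b"\x00\x01", [b"\x10\x00\x7f\x01", b"\x11\xff\x80\x04"])
GOOD2 = build_frame(b"\x00\x02", [b"\x10\x00\x7e\x05"])
BAD = GOOD2[:-1] + bytes([GOOD2[-1] ^ 0xFF])
SAMPLE_STREAM = GOOD1 + BAD + GOOD2
```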


Graphing the Data
[Plots of the unpacked telemetry fields against message number; axis tick values omitted]
Software Defined Radio Direction Finding

SDR Direction Finding

Two WiFi channels, and then some

FLEX Pagers & Baudline

900 MHz ISM Smart Meters

3G WCDMA
Signature of UMTS: repeating data in CPICH at 10 ms intervals

No apparent signal

1 ms

Cyclic 1023-bit code @ 1.023 MHz chip rate

gnss-sdr: Decoding L1
Ettus HQ

TETRA

Repeating idle pattern

Frequency correction burst

The Entire HAM Band

OpenBTS
Open source 2G GSM stack
Asterisk softswitch (PBX)
VoIP backhaul

802.11a/g/p (OFDM) Decoding

Automatic Picture Transmission

Automatic Identification System
