Cyberspectrum Sydney 0x01 Introduction to SDR

Cyberspectrum SydneyTRÈS ACTON (NULLWOLF) | 0X01 INTRODUCTION TO SDR

CYBERSPECTRUM SYDNEY – 0X01 INTRO TO SDR

SPONSORSHIPHuge thank you to our sponsor Privasec!

For providing us with our venues, our initial set of technical gear, pizzas, and refreshments!


WHO IS THIS GUY?▸ Senior Security Consultant & Researcher @ Privasec▸ Passionate about Physical Security, Social Engineering, and

Software Defined Radio▸ SDR Projects & Hobbies:

▸ DSpectrum / DSpectrumGUI (available on GitHub: @tresacton)▸ Automating tedious tasks▸ Creating SDR challenges▸ Reverse Engineering all the RF devices I can get my hands on▸ Scanning the air-waves for ‘easter-eggs’


WHAT’S ALL THIS ABOUT..?▸ SDR / RF Community▸ Exchanging ideas, theories, experiences▸ Educating ourselves and others▸ Exploring the possibilities


WHY “CYBERSPECTRUM”?▸ Originally founded in San Francisco by Balint Seeber ▸ Founded in Melbourne by Pam (@0xsh_) ▸ Founded in Sydney by Très Acton (@nullwolf / @tresacton)

▸ Unified name helps establish a sense of global community▸ Potential for collaboration in future▸ Live streaming between meetups


WHAT IS SDR?▸ SDR == Software Defined Radio▸ Software driven▸ Transmitting / Receiving signals over the air, via your PC


SDR / RF IN THE REAL WORLD▸ Remote Keyless Entry (for vehicles, garages, etc)▸ Airplane monitoring▸ Communications (ham radio, walkie talkies, etc)▸ Controlling Un-manned Aerial Vehicles (UAVs / Drones)▸ Controlling or monitoring medical implants (e.g. pacemakers)▸ Traffic control appliances▸ Home & Office automation▸ Wireless alarm systems▸ Tyre Pressure Monitoring Systems


SDR / RF IN THE REAL WORLD▸ Doorbells▸ Pagers (yes, people still use these)▸ AM & FM radio▸ Digital TV▸ Weather Stations▸ Satellite Imaging▸ Earth to Space Communication▸ Access Control Systems▸ Christmas Decorations


HARDWARE (CORE)Name Mode Frequency

RangePrice S/

CRTL-SDR (R820T) RX Only ~ 25Mhz –

1750Mhz$20 USD 5

RTL-SDR (R820T2) RX Only ~ 25Mhz – 1750Mhz

$30 USD 5

RTL-SDR (E4000) RX Only ~ 55Mhz – 2300Mhz

$40 USD 5

Yard Stick One RX / TX (half duplex)

300Mhz – 928Mhz $100 USD 4

HackRF One RX / TX (half duplex)

1Mhz – 6Ghz $300 USD 3

HackRF Portapack RX / TX (half duplex)

1Mhz – 6Ghz $500 USD 3.5

Lime SDR RX / TX (full duplex) 100Khz – 3.8Ghz $300 USD 5?Blade RF RX / TX (full duplex) 300Mhz – 3.8Ghz $420 USD 3USRP RX / TX (full duplex) 70Mhz – 6Ghz $5,000

USD?

▸ The Yard Stick One is in blue because unlike everything else in the table… it’s technically not an SDR. It’s a wireless transceiver on a USB dongle. More on that topic after the next slide.


SOFTWARE

view spectrum

view waterfall

capture signals

visualise signals

analyse signals

replay attacks

automated decoding

listen to signals

pretty much anything

Linux / Mac

Windows

Any Platform*

RTL-SDR

HackRF

HackRF Portapack

Osmocom FFT x x x x x x xOsmocom FFT – Foshphor x x x x x x x xInspectrum x x n/

a n/an/an/aDspectrum / Dspectrum GUI x x n/

a n/an/an/aGQRX x x x x x x xSDR# x x x x x x x xRTL433 x x x HackRF Tools x x x x xHackRF Portapack x x x x xAudacity x x n/

a n/an/an/aGNU Radio Companion x x x x x x x x x x x x x x


ABOUT THE RTL-SDR▸ Some very smart people

took a deeper look at DVB-T tuners

▸ Found that they supported a larger range than necessary for Digital TV

▸ Interest in SDR started Skyrocketing as a result of affordable equipment


ABOUT THE IM-ME▸ Marketed as an instant

messaging toy for young girls

▸ Pretty nifty▸ Again… some very

clever people took a closer look and realised that…


ABOUT THE IM-ME▸ The firmware could be reprogrammed with

GoodFET


ABOUT THE IM-ME▸ This all led to the creation of a piece of software called

RFCat, and the creation of the Yardstick One


YARDSTICK ONE▸ GoodFET Programmable – just like the IM-ME… but you don’t really

need to▸ Works with RFCat – just like the IM-ME▸ Pretty handy for a dual SDR & Integrated Transceiver approach to

reverse engineering▸ Very easy to transmit signals via RFCat


… AND?▸ That’s all well and good… but…


WHAT CAN I ACTUALLY DO WITH SDR?▸ We’ll touch on some examples of things you can do

as a beginner to SDR▸ We’ll be covering all of these in some workshops in

future meetups – so it’ll be good to bring your PC and some gear along

▸ The short answer is: whatever you want to do! xD


SMART UTILITIES▸ [insert elevator pitch for an interconnected world

here]▸ Electricity companies are slowly transforming utility

meters▸ They can take readings via SDR/RF, instead of doing

it all manually▸ HackRF Portapack has a built-in module for this▸ Privacy implications?


REVERSE ALL THE THINGS!▸ The easiest device

I’ve ever reverse engineered:


REVERSE ALL THE THINGS!▸ The TL;DR version of

“how I hacked the doorbell”

▸ Remarkably simple

▸ The modulation here is Pulse-Width Modulation (PWM) 99/33


REVERSE ALL THE THINGS!▸ This device has a

series of dip-switches in the remote

▸ Their configuration determines the doorbell sound played

▸ Their configuration must affect the transmitted signal for this to work


REVERSE ALL THE THINGS!▸ Yup. It does

reliably change the signal.

▸ Mapped all the changes.

▸ Can now write a little code, and use a YardStick One (or Arduino) to control the doorbell from a PC


REVERSE ALL THE THINGS!▸ The toughest device I’ve ever reverse engineered:


REVERSE ALL THE THINGS!▸ The “TL;DR version of how I hacked the weather

station”▸ A whole lot of basic math, binary, logic, trial and

error, offsets, and conversions to translate the raw bits into human readable data.

▸ It was surprisingly complicated▸ Still a little bit of data towards the end of each

transmission that is yet to be reversed. ▸ Might be a CRC… but I’m yet to prove it…


FUN WITH ADS-B▸ ADS-B == Automatic Dependent Surveillance

Broadcast▸ Airplanes pull their current location from satalites▸ They then broadcast this data, over the radio

spectrum, to facilitate tracking▸ It’s entirely unencrypted▸ You can listen in, and even map flights in real time


FUN WITH ADS-B▸ ADS-B == Automatic Dependent Surveillance

Broadcast▸ Airplanes pull their current location from satalites▸ They then broadcast this data, over the radio

spectrum, to facilitate tracking▸ It’s entirely unencrypted▸ You can listen in, and even map flights in real time▸ Broadcasting your own flights is illegal..!


FUN WITH ADS-B$ git clone https://github.com/antirez/dump1090 && cd dump1090 && make

$ ./dump1090 --quiet --net --phase-enhance --net-http-port 8080


FUN WITH ADS-B“Dark Flight” tracking


UPCOMING MEETUPS▸ December (bring your PC & RTL-SDR):

▸ Install-fest!▸ The first half-hour will be dedicated to helping everyone

get up and running if they’re experiencing issues setting up their environment ▸ Please note that I am not all that familiar with Windows

based SDR environments – but perhaps someone else can help out with this…

▸ Decoding POCSAG Pager Messages▸ Signal Identification & Demodulation


SOCIAL MEDIA▸ Twitter: @sdr_sydney

▸ Slack: sdr_australia▸ Send a message to our

Twitter profile for an invite


NEED GEAR?▸ I’ve procured a bunch of:

▸ RTL-SDR dongles (w/ R820T Tuner)▸ Persistent USB drives (which I have pre-loaded with

Parrot OS & some popular SDR tools)They are up for grabs at cost, or you can buy your own online if you prefer.RTL-SDR Dongle: $2532GB Preconfigured Linux USB: $15

Date post:	17-Feb-2017
Category:	Technology
Upload:	sdrsydney
View:	258 times
Download:	0 times

Cyberspectrum Sydney 0x01 Introduction to SDR

Technology