
DEF CON 27 SDR Talks: Antennas for Surveillance, Ford Keyfob Hack, Smart TV Wireless Side Channel Attack

Talks from this year's DEF CON 27 conference, which was held back in August, are now available on YouTube. DEF CON is a yearly conference that focuses on information security topics and often includes talks about SDRs and other wireless radio topics too. In particular we wanted to highlight the DEF CON 27 Wireless Village playlist, which contains numerous talks related to wireless, radio and SDRs.

Most talks from the Wireless Village relate to WiFi, but one talk with some very useful information that we really enjoyed was "Antennas for Surveillance" by Alex Zakhorov.

We will cover the various kinds of antennas available to optimize your SDR radio for different types of spectrum monitoring. We will also explain why RF filters are necessary on most SDRs and when Low Noise Amplifiers help, and when Low Noise Amplifiers hurt reception.

DEF CON 27 Wireless Village - Alex Zakhorov - Antennas for Surveillance

Another interesting talk was called "The Ford Hack Raptor Captor video" by Dale Wooden (Woody), where he shows how he used an RTL-SDR and HackRF to hack a Ford car key fob. If you're interested, we wrote about the Hak5 videos on this hack in a previous post.

This talk will show flaws with development of security protocols in new Ford key fobs. This will exploit several areas. The ability for a denial of service to the keyfob WITHOUT jamming. How to trick the vehicle into resetting its rolling code count. How to lock, unlock, start, stop, and open the trunk of Ford vehicles using a replay attack after resetting the rolling code count. How to find the master access code for Ford's keypad to bypass security. This talk will also demonstrate how to reset your key fobs if they are attacked by a deauth attack. We will also demonstrate a GNU Radio script to automate RF collection of Ford key fobs. As seen on HAK5 episodes 2523-2525.

DEF CON 27 Wireless Village - Woody - The Ford Hack Raptor Captor video

Outside of the Wireless Village there were also some interesting SDR topics, including this talk titled "SDR Against Smart TVs URL Channel Injection Attacks" by Pedro Cabrera Camara. If you're interested, we also wrote about Pedro's work in a previous post.

Software-defined-radio has revolutionized the state of the art in IoT security and especially one of the most widespread devices: Smart TV. This presentation will show in detail the HbbTV platform of Smart TV, to understand and demonstrate two attacks on these televisions using low cost SDR devices: TV channel and HbbTV server impersonation (channel and URL injection). This last attack will allow more sophisticated remote attacks: social engineering, keylogging, crypto-mining, and browser vulnerability assessment.

DEF CON 27 Conference - Pedro Cabrera Camara - SDR Against Smart TVs URL Channel Injection Attacks

New Magazine Reviews of the Airspy HF+ Discovery

Recently three new reviews of the Airspy HF+ Discovery have come out in various radio enthusiast magazines from around the world. All three reviews have been released for free in PDF form over on the Airspy reviews page. Unsurprisingly, each review praises the HF+ Discovery, as it's clearly a great radio.

The first review comes from the September Edition of "The Spectrum Monitor" and is written by Larry Van Horn (N5FPW).

“Most of the low-priced SDRs have never been preselected, mostly for cost reasons, and will suffer strong signal overload especially in high RF areas (urban/metro areas). Without exception, these devices usually have major problems with the antennas that radio hobbyists use. They overload very quickly, which makes serious reception on long, medium and shortwaves rather difficult. The HF+ Discovery is the big exception. Based on our testing, the Airspy HF+ Discovery has no equal at its price point. You will find world-class performance and an amazing piece of hardware wrapped up in a package smaller than a matchbox. The Airspy line has a very fine reputation in the radio hobby. In reviews published in Gayle Van Horn’s 2018 Global Radio Guide and the 2019 World Radio TV Handbook, the Airspy HF+ received high marks by the testers and a “Best Value” rating.”

The second review is by Nils Schiffhauer (DK8OK) and was published in the October 2019 edition of "Radio User". For German readers, Nils also published a similar review written in German for the December edition of "Radio-Kurier".

Just another SDR? Wait, this beast is different – not only in size and price but also in terms of its concept and performance. In common with some former models of AirSpy SDRs, the new AirSpy HF+ Discovery model (henceforth: ‘Discovery’) is a joint venture of Youssef Touil and his team at the Chinese ITEAD studio and ST Microelectronics. This smart team has already developed, for example, the ground-breaking AirSpy HF+, which is widely considered to be the top performer in its class. The Discovery continues this success story.

The Discovery shines with less noise, and, astonishingly, less crackle. In at least 80% of these difficult cases, intelligibility with the Discovery is clearly better. With very few stations, this receiver will even make the difference between understanding the identification of a station and not copying it. In August, I also tested the Discovery with the most ‘demanding’ band, the Very Low Frequency range (VLF). Here most SDRs – and certainly the majority of budget SDRs – reach their limits, lacking sensitivity and filling up the band with internally-generated signals. Thanks to a newly developed input section to start at even 500Hz, this receiver shows outstanding strong and clean signals from as far as the US Navy in Australia.

Covers from the Spectrum Monitor and Radio User Airspy HF+ Discovery Reviews

The SWLing Post Reviews the SDRplay RSPdx

Thomas from the SWLing blog has been playing around with the recently announced SDRplay RSPdx and has come out with a comprehensive review of the unit. In the review he also provides some comparison videos on real signals between the RSPdx and other SDRs like the WinRadio Excalibur and Airspy HF+ Discovery.

In the review Thomas notes that while having the advantage of being a wideband receiver, the predecessor to the SDRplay RSPdx (the SDRplay RSP2) was never able to compete with the similarly priced Airspy HF+ and Airspy HF+ Discovery units when it came to HF, MW and LW receiving performance.

But now, with its 0 to 2 MHz enhanced HDR mode activated, Thomas notes that the new RSPdx is majorly improved over the RSP2 in terms of sensitivity and selectivity on the medium wave bands. Thomas' tests also show substantial improvements in the shortwave bands.

The SDRplay RSPdx

Networked Radio Direction Finding with KerberosSDR and RDFMapper

We've just uploaded a short Python script to GitHub that allows radio direction bearings from a KerberosSDR to be used with the RDF Mapper software created by Jonathan Musther. RDF Mapper is a (~US$25) program that was initially written for the RDF42, a kit-based Doppler direction finding system. RDFMapper runs on Windows, MacOS and Linux.

KerberosSDR is our experimental 4-Tuner Coherent RTL-SDR product made in collaboration with Othernet. It can be used for applications such as radio direction finding and passive radar. Currently it's available for US$149 on the Othernet store.

The RDF Mapper software allows you to upload bearings from multiple devices distributed around a city to a public RDF server, and view all the bearings on any internet connected PC. This can allow you to quickly triangulate the location of a transmitter.
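As an added illustration of the triangulation step that RDF Mapper performs once several stationary units have reported their bearings (this is example code written for this post, not the script on GitHub nor anything from RDF Mapper), the block below takes a list of (lat, lon, bearing) fixes from distributed stations and computes the least-squares intersection of the bearing lines, plus each line's residual distance from the fix as a sanity check. The station and transmitter coordinates are constructed sample values; the equirectangular local projection is an assumption that is adequate over city-scale distances.

```python
import math

EARTH_RADIUS_M = 6_371_000.0  # mean Earth radius; fine for city-scale baselines


def to_local(lat, lon, lat0, lon0):
    """Equirectangular projection of (lat, lon) to (east, north) metres about (lat0, lon0)."""
    east = math.radians(lon - lon0) * EARTH_RADIUS_M * math.cos(math.radians(lat0))
    north = math.radians(lat - lat0) * EARTH_RADIUS_M
    return east, north


def to_latlon(east, north, lat0, lon0):
    """Inverse of to_local."""
    lat = lat0 + math.degrees(north / EARTH_RADIUS_M)
    lon = lon0 + math.degrees(east / (EARTH_RADIUS_M * math.cos(math.radians(lat0))))
    return lat, lon


def bearing_deg(station, target):
    """Compass bearing (0 = north, 90 = east) from station to target, both (lat, lon)."""
    e, n = to_local(target[0], target[1], station[0], station[1])
    return math.degrees(math.atan2(e, n)) % 360.0


def triangulate(fixes):
    """Least-squares intersection of bearing lines.

    fixes: list of (lat, lon, bearing_deg) from stationary stations.
    Minimises the sum of squared perpendicular distances from the fix to every
    bearing line by solving (sum_i N_i) x = sum_i N_i p_i, where N_i = I - d_i d_i^T.
    Returns (lat, lon).
    """
    if len(fixes) < 2:
        raise ValueError("at least two bearings are needed for a fix")
    lat0 = sum(f[0] for f in fixes) / len(fixes)
    lon0 = sum(f[1] for f in fixes) / len(fixes)
    a11 = a12 = a22 = b1 = b2 = 0.0
    for lat, lon, brg in fixes:
        px, py = to_local(lat, lon, lat0, lon0)
        dx, dy = math.sin(math.radians(brg)), math.cos(math.radians(brg))  # unit direction (east, north)
        n11, n12, n22 = 1.0 - dx * dx, -dx * dy, 1.0 - dy * dy           # projector onto the line normal
        a11 += n11
        a12 += n12
        a22 += n22
        b1 += n11 * px + n12 * py
        b2 += n12 * px + n22 * py
    det = a11 * a22 - a12 * a12
    if abs(det) < 1e-9:
        raise ValueError("bearings are (nearly) parallel; no unique fix")
    x = (a22 * b1 - a12 * b2) / det
    y = (a11 * b2 - a12 * b1) / det
    return to_latlon(x, y, lat0, lon0)


def residuals_m(fixes, fix):
    """Perpendicular distance (metres) from the fix to each bearing line; large values flag a bad bearing."""
    lat0, lon0 = fix
    out = []
    for lat, lon, brg in fixes:
        px, py = to_local(lat, lon, lat0, lon0)  # fix is the origin, so its coordinates are (0, 0)
        dx, dy = math.sin(math.radians(brg)), math.cos(math.radians(brg))
        out.append(abs(dx * (0.0 - py) - dy * (0.0 - px)))
    return out


# Constructed sample: a transmitter and three stations a few kilometres apart.
TRANSMITTER = (40.7128, -74.0060)
STATIONS = [(40.7000, -74.0200), (40.7300, -74.0200), (40.7000, -73.9900)]


def demo():
    fixes = [(s[0], s[1], bearing_deg(s, TRANSMITTER)) for s in STATIONS]
    fix = triangulate(fixes)
    return fix, residuals_m(fixes, fix)


if __name__ == "__main__":
    fix, res = demo()
    print("estimated fix:", fix)
    print("residuals (m):", [round(r, 1) for r in res])
```

With real bearings from several KerberosSDR units the residuals will not be near zero; a single line with a residual far above the others usually means that station's fixed direction offset or its lat/lon was entered wrongly, which is worth checking before trusting the plotted position.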

Normally you would use RDFMapper combined with an RDF42 to upload bearings, but we've written a simple script that can be used to upload bearings generated by a KerberosSDR onto the server. The RDFMapper software can then be used to visualize those bearings.

The script is based on Python, and can run directly on the Pi 3/4 or Tinkerboard that is running the KerberosSDR, or on another PC that can see the KerberosSDR bearing server if you prefer.

Instructions are available on the GitHub page. Simply set unique station names for each of your distributed units, and enter your lat/lon and fixed direction bearing. Then in the RDF Mapper software open the 'Web upload/download' tab and add the unique station ID name. All the other tabs for connecting to a GPS and serial port can be ignored, as those are used for the RDF42.

This script will only work for stationary KerberosSDR units as the lat/lon is fixed. If you want to try radio direction finding in a vehicle, we recommend using our Android App for a better experience. If there is interest, we may also add support for the Android app to upload to an RDFMapper server for mobile bearing uploads. 

Notes: RDFMapper runs in the system's default browser, and it needs to run in either Chrome or Firefox to work. IE does not work. It also appears that Jonathan processes orders manually, so we just want to note that there may be a delay between payment and receiving the software.

RDF Mapper Software. Plotting bearing data from networked units.

Preview: GNU Radio 3.8 Running on an Un-Rooted Android Smartphone

Over on Twitter and YouTube Bastian Bloessl (@bastibl) has been posting teaser shots and videos of GNU Radio 3.8 running on an un-rooted Android device. Unfortunately there doesn't seem to be any word yet on how he's been able to do this, but we guess that the details will all be released in due time, possibly on his blog.

GNU Radio is an open source digital signal processing (DSP) toolkit which is often used in cutting edge radio applications and research, and to implement decoders, demodulators and various other SDR algorithms.

GNU Radio 3.8 on un-rooted Android receiving FM w/ HackRF (take 2)

Comparing Four Wideband Magnetic Loop Antennas on HF with an SDRplay RSPduo

Over on YouTube the Scanner and Sdr Radio channel has uploaded a video comparing four different brands of HF wideband loop antennas using an SDRplay RSPduo. The loops he tested include the cheap Chinese MLA-30 (~$40), the Cross Country Wireless (CCW) loop ($70), the Bonito ML200 (~$442) and the Wellbrook 1530LN (~$305).

The MLA-30 was slightly modified, with the cheap coax removed and a BNC connector added. Each of the antennas used a wire loop with a diameter of approximately 1.6m, except for the Wellbrook, which has a fixed-size solid loop of 1m.

The tests compare each loop against the Wellbrook, which is used as the reference antenna. In each test he checks each HF band with real signals on the RSPduo and compares the SNR between the two antennas.

The results show that the two expensive antennas, the Bonito and Wellbrook, do generally perform the best with the lowest noise floors, but surprisingly the MLA-30 actually performs very well for its price point, even outperforming the Wellbrook reference on SNR in some bands. We note that some of the improvement may be due to the larger 1.6m loop size used on the MLA-30, compared to the 1m loop on the Wellbrook.

We also note that it can be hard to compare antennas in single tests, because the differences in antenna radiation patterns could be favorable for some signals and less so for others, depending on the location.

Comparing 4 magnetic loops for hf

TechMinds Reviews our RTL-SDR Blog L-Band Patch Antenna + Horn & Dish Mod

Over on YouTube the TechMinds channel has uploaded a review of our RTL-SDR Blog L-Band patch antenna, which we recently released. TechMinds tests the antenna on an STD-C Inmarsat channel with the Scytale-C decoder, and on various AERO ACARS transmissions with JAERO. Later in the video he also tests the patch antenna on Iridium reception using the Iridium Toolkit software. In all tests the patch is able to suitably receive the signal with either an RTL-SDR or Airspy SDR.

We also wanted to make a note about an additional tip regarding polarization that many people using the antenna seem to have missed. As Inmarsat signals are LHCP polarized, it is important not only to point the antenna towards the satellite, but also to rotate the antenna to match the polarization until maximum SNR is achieved. The rotation can make the difference between strong signals and nothing received at all.

RTL-SDR Active L-Band Patch Antenna For Inmarsat / Iridium / GPS

We've also recently seen a user, 'Bert', who needed to boost the signal strength as he was running the patch indoors at a location in northern Europe with poor reception of Inmarsat. To boost it he simply added a metal horn over the patch made from an old aluminum box, and also a back plate reflector. He notes that this improved his SNR on AERO 10500 from 8 - 9 dB, up to 12 - 14 dB. He also tested using the patch on a dish antenna, and found very good results too.

Aluminum Horn Added to L-Band Patch
L-Band Patch Antenna on Dish

cuSignal: Easy CUDA GPU Acceleration for SDR DSP and Other Applications

The RAPIDS cuSignal project is billed as an ecosystem that makes enabling CUDA GPU acceleration in Python easy. SciPy is a Python library that is filled with many useful digital signal processing (DSP) algorithms. The cuSignal documentation notes that in some cases you can directly port SciPy signal functions over to cuSignal, allowing you to leverage GPU acceleration.

In computing, most operations are performed on the CPU (central processing unit). However, GPUs (graphics processing units) have been gaining popularity for general computing as they can perform many more operations in parallel compared to CPUs. This can be used to significantly accelerate the DSP code that is commonly used with SDRs.

In particular, the developers have already created a notebook containing some examples of how cuSignal can be used with RTL-SDRs to accelerate an FFT graph. There are various other DSP examples in the list of notebooks too. According to the benchmarks in the notebooks, the GPU computation times are indeed much faster. In the benchmarks they appear to be using a high end NVIDIA P100 GPU, but other NVIDIA graphics cards should also show a good speedup.

The cuSignal code is based on CUDA, so for any GPU acceleration code to work you'll need to have an NVIDIA based GPU (like a graphics card) with a Maxwell or newer core.

We note that in the future we'll be investigating how this could be used to speed up the passive radar algorithms that are used in the KerberosSDR. It may also be useful for running DSP code quickly on a $99 NVIDIA Jetson Nano single board computer.

NVIDIA Tesla P100. A high end $3000+ GPU.

Creating An Automated Raspberry Pi and RTL-SDR Based NOAA Weather Satellite Station

The nootropicdesign blog has recently uploaded a comprehensive tutorial showing how to create an automated NOAA weather satellite ground station using an RTL-SDR V3 and a Raspberry Pi 3. The project also makes use of an Amazon S3 bucket, which is a cheap web storage platform that allows you to store and access the downloaded images.

The tutorial starts by showing you how to set up your Amazon AWS credentials and bucket on the Raspberry Pi, and how to host a simple webpage that can be accessed publicly. The second stage shows how to set up the RTL-SDR drivers and wxtoimg, which is used to decode the images. Finally, the third stage shows how to create the automation scripts that automatically schedule a decode and upload the images to the AWS bucket.

Flowgraph for an automated NOAA satellite weather image station.

Using an RTL-SDR and Speech To Text to Create Alerts on Specific Phrases

Atlassian Opsgenie engineer Fahri Yardımcı has recently written up an interesting post that details how he's using Opsgenie and Amazon Transcribe to automatically create alerts when specific voice phrases are mentioned on a radio channel. For example, if the words "blue team" are heard on the radio, the system can automatically issue an alert with the spoken words to members of the blue team in an organization. Amazon Transcribe is a cloud-based speech-to-text service and Opsgenie is a platform that is used for managing and delegating alerts from multiple IT or other computer systems.

The system works by using an RTL-SDR and the ham2mon software to scan, receive and record voice from multiple voice channels. Fahri notes that he modified ham2mon slightly in order to allow it to upload the .wav files to an AWS S3 bucket, which then triggers the Amazon Transcribe service to convert the voice into a text file.

To make an interesting use case, we have imagined this scenario: When we detect a phrase in predefined words, like “Help”, “Execute Order 66”, “North outpost is compromised”, “Eggs are boiled”, we want to create an alert in Opsgenie. Opsgenie can send notifications to users via various ways such as push notifications and calls.

Amazon Transcribe uses advanced machine learning methodologies to convert an audio stream to text. As mentioned before, ham2mon uploads the .wav files to S3 and a Lambda is triggered from S3 Events. Lambda calls the Transcribe API and, depending on the result, Lambda creates an Opsgenie Alert through the API.

Fahri writes that his system also filters out small files that may just be noise, and files with less than 3 seconds of voice. He's also added a custom vocabulary to Amazon Transcribe with words commonly heard on the radio, as this improves the transcription algorithm, especially in the presence of radio noise.

The rest of the post goes into further detail about the specific cloud services used and the flow of the system.
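The phrase-matching and filtering stage sits between the transcription result and the Opsgenie alert, and it is the part where false positives and misses are decided. The block below is an added example written for this post (not Fahri's code) of that stage: it takes Transcribe job output in the JSON layout Transcribe returns (`results.transcripts[0].transcript`), applies the two filters the post describes (drop files under 3 seconds of audio, drop recordings with no content), normalises the text, and matches the predefined phrases on word boundaries so that, for example, "helpful" does not trigger the "Help" rule. The recordings, their durations and the transcripts are constructed sample data; the alert dictionary shape is an assumption standing in for the real Opsgenie API call.

```python
import json
import re

# Watch phrases taken from the post; matching is case-insensitive and punctuation-insensitive.
WATCH_PHRASES = ["Help", "Execute Order 66", "North outpost is compromised", "Eggs are boiled"]
MIN_VOICE_SECONDS = 3.0  # the post drops recordings with less than 3 seconds of voice


def normalize(text):
    """Lowercase, replace punctuation with spaces and collapse whitespace."""
    text = re.sub(r"[^a-z0-9\s]", " ", text.lower())
    return " ".join(text.split())


def transcript_from_job(job_json):
    """Pull the plain transcript out of a Transcribe job result document."""
    doc = json.loads(job_json) if isinstance(job_json, str) else job_json
    transcripts = doc.get("results", {}).get("transcripts", [])
    return transcripts[0].get("transcript", "") if transcripts else ""


def find_phrases(transcript, phrases=WATCH_PHRASES):
    """Return the watch phrases present in the transcript, matched on whole words."""
    haystack = normalize(transcript)
    hits = []
    for phrase in phrases:
        pattern = r"\b" + re.escape(normalize(phrase)) + r"\b"
        if re.search(pattern, haystack):
            hits.append(phrase)
    return hits


def build_alert(recording):
    """Decide whether one recording should raise an alert.

    recording: {"file": str, "voice_seconds": float, "job": <Transcribe result JSON>}
    Returns an alert dict (assumed shape, not the Opsgenie API) or None when filtered out.
    """
    if recording["voice_seconds"] < MIN_VOICE_SECONDS:
        return None  # too short: most likely squelch noise, not speech
    transcript = transcript_from_job(recording["job"])
    if not normalize(transcript):
        return None  # Transcribe returned nothing usable
    hits = find_phrases(transcript)
    if not hits:
        return None
    return {
        "message": "Radio phrase detected: " + ", ".join(hits),
        "description": transcript,
        "source": recording["file"],
        "tags": hits,
    }


def process(recordings):
    """Run every recording through the filter and return the alerts to send."""
    return [a for a in (build_alert(r) for r in recordings) if a is not None]


def job(text):
    # Constructed helper: wraps text in the Transcribe result layout.
    return json.dumps({"results": {"transcripts": [{"transcript": text}]}})


# Constructed sample recordings covering noise, a hit, a near-miss and a plain transmission.
SAMPLE_RECORDINGS = [
    {"file": "ch1_0001.wav", "voice_seconds": 1.2, "job": job("Help")},
    {"file": "ch1_0002.wav", "voice_seconds": 7.5,
     "job": job("Unit two to base, the north outpost is compromised. Send backup.")},
    {"file": "ch2_0003.wav", "voice_seconds": 4.0, "job": job("That was very helpful, thanks.")},
    {"file": "ch2_0004.wav", "voice_seconds": 3.5, "job": job("Confirmed, eggs are boiled, Execute Order 66!")},
    {"file": "ch3_0005.wav", "voice_seconds": 5.0, "job": job("")},
]


if __name__ == "__main__":
    for alert in process(SAMPLE_RECORDINGS):
        print(json.dumps(alert))
```

The noise filter is a duration threshold rather than a volume check because Transcribe will happily return a short guess for a burst of static; the whole-word matching matters in the other direction, since radio chatter is full of near-miss words and a substring match on "help" would page people constantly.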

Flow Graph of the Radio to Transcription System
An example alert from Opsgenie when the phrase "red team" was heard.