
Hacking the Wireless World with Software Defined Radio 2.0
Balint Seeber (Applications Specialist & SDR Evangelist)
balint@ettus.com
balint@spench.net
@spenchdotnet

ISEE-3
International Sun/Earth Explorer 3
- Launched: August 12, 1978
- Heliocentric orbit
- Study interaction between solar wind and Earth's magnetic field

ISEE-3
- Renamed ICE: International Cometary Explorer
- First spacecraft in halo orbit at an Earth-Sun L1 (Lagrange point)
- First spacecraft to pass through tail of a comet (Giacobini-Zinner)

Old Telemetry Screen

Overview
- Restaurant Pagers
- RDS-TMC
- Primary Surveillance RADAR
- RFID
- ISEE-3
- 50 MHz BW
- GSM BCCH & Traffic

Dialplan
- 101: Registration (text back 4 to 10 digit number to register)
- 411: Info
- 600: Echo Test
- 777: Time
- 778: ANI
- 2103: Me

400 MHz Band
50 MHz / 250 MHz (200 Msps, 120 MHz RF BW)

Spectrum Monitoring
Spot the Antennas
Spot the USRPs
Stitched FFTs

USRP B200 & B210
- USB 3.0 (bus powered!)
- 56 MHz bandwidth
- 70 MHz - 6 GHz
- 2x2 MIMO

Restaurant Pagers
Hacking the Wireless World with #sdr @spenchdotnet

Your food is ready?
- Pagers inform waiting customer they can collect their order
- Assuming their order is ready
- Order & collection rate should be ~same
- Unless everyone is paged at once

Step 1: Frequency
Either:
- Find frequency label on the device
- Find FCC ID on device and check online
- Scan spectrum in likely ranges (e.g. 450-470 MHz)

Step 1: Frequency
- Note how often transitions occur (no long runs of 0 or 1).
- Implies line encoding is in use (helps clock recovery at receiver).

Flowgraph
Step 2: Channel Selection
Step 3: FSK Deviation
Step 4: Quadrature Demod
Step 5: Baud Rate
Step 5: Clock Recovery
Step 6: Line Encoding
Manchester Encoding
Manchester Violation
Step 7: Compare Changing Bits
Step 8: Finding the ID
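Steps 6 to 8 above, as an added example that is not from the talk: Manchester decoding that treats a violation as the sync mark, then a bit-wise diff of captures for two pagers to locate the pager-number field. The packet layout (8-bit header 0xB2, 8-bit pager number, 8-bit XOR checksum) and the chip convention are constructed assumptions, not the real pager format.

```python
# Constructed packet layout for this example (not a real pager format): 8-bit header,
# 8-bit pager number, 8-bit XOR checksum, preceded by a Manchester violation as sync mark.
HEADER = 0xB2

def manchester_encode(bits):
    """Chip pairs: '1' -> '01', '0' -> '10' (one of the two common conventions; assumed here)."""
    return "".join("01" if b == "1" else "10" for b in bits)

def manchester_decode(chips):
    """Return (bits, violation positions). '00'/'11' is not a valid pair; instead of
    failing we record its bit index, since pager systems use violations as sync marks."""
    bits, violations = [], []
    for i in range(0, len(chips) - 1, 2):
        pair = chips[i:i + 2]
        if pair in ("01", "10"):
            bits.append("1" if pair == "01" else "0")
        else:
            bits.append("?")
            violations.append(i // 2)
    return "".join(bits), violations

def packet_chips(pager_number):
    """Constructed on-air chip stream: violation sync, then the Manchester-coded payload."""
    payload = f"{HEADER:08b}{pager_number:08b}{HEADER ^ pager_number:08b}"
    return "11" + manchester_encode(payload)

def payload_after_sync(chips):
    """Keep only the bits that follow the last violation (the frame body)."""
    bits, violations = manchester_decode(chips)
    return bits[violations[-1] + 1:] if violations else bits

def changing_bit_positions(payloads):
    """Step 7: bit positions that differ between captures of different pagers."""
    n = min(len(p) for p in payloads)
    return [i for i in range(n) if len({p[i] for p in payloads}) > 1]

def changing_bytes(payloads):
    """Step 8: byte positions touched by changing bits; the first is the candidate
    pager number, the one after it changes only because the checksum depends on it."""
    return sorted({i // 8 for i in changing_bit_positions(payloads)})
```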
Modulator
Reverse the decoding process:
1. Construct packet
   a) Preamble (wake up receiver)
   b) Magic header (sync & system ID)
   c) Pager number
   d) Checksum
2. Interpolate (choose samples per bit)
3. Frequency modulate
4. Apply pulse shaping filter (ideally)
5. Resample for transmitter

Modulator Output
Remote Control
Slider

POCSAG
- Other restaurant pager systems adopt a standard
- Decode with gr-pocsag
- Modified to end frame decoding when squelch closes

POCSAG Decode

POCSAG Frames
----
[00] Address: 001dc168 function: 00000000
[01] (001dc168) Data: 05[5] 0c[ ] 03[3] 03[3] 03[3]
[02] (001dc168) Idle
=== SQUELCHED (residue: 5) ===
----
[00] (ffffffff) Idle
[01] (ffffffff) Idle
[02] (ffffffff) Idle
[03] (ffffffff) Idle
[04] (ffffffff) Idle
[05] (ffffffff) Idle
[06] Address: 001dc15b function: 00000000
[07] (001dc15b) Data: 05[5] 0c[ ] 03[3] 03[3] 03[3]
[08] (001dc15b) Idle
=== SQUELCHED (residue: 5) ===
----
[00] (ffffffff) Idle
[01] (ffffffff) Idle
[02] (ffffffff) Idle
[03] (ffffffff) Idle
[04] (ffffffff) Idle
[05] (ffffffff) Idle
[06] Address: 001dc15b function: 00000000
[07] (001dc15b) Data: 05[5] 0c[ ] 03[3] 03[3] 03[3]
[08] (001dc15b) Idle
=== SQUELCHED (residue: 5) ===

POCSAG Frame
----
[00] (ffffffff) Idle
[01] (ffffffff) Idle
[02] (ffffffff) Idle
[03] (ffffffff) Idle
[04] (ffffffff) Idle
[05] (ffffffff) Idle
[06] Address: 001dc15b function: 00000000
[07] (001dc15b) Data: 05[5] 0c[ ] 03[3] 03[3] 03[3]
[08] (001dc15b) Idle
=== SQUELCHED (residue: 5) ===
Annotation: 5b = 01011011 (last byte of address 001dc15b)

Pager Frame Construction
- Preamble
- SYNC
- Address: System & Pager
  - Schedule address to appear in correct slot
  - Pad with IDLEs beforehand
- Pager action
- Trailing IDLE
- Apply BCH(31,21) ECC to each slot
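The slot scheduling and BCH(31,21) step above, as an added example that is not from the talk or from gr-pocsag: build and validate POCSAG codewords, and check that an address lands in the frame the dump shows (001dc15b in codeword [06], 001dc168 in [00], because the low three address bits select the frame). The generator polynomial 0x769 and the idle codeword 0x7A89C197 are the POCSAG standard's values; the numeric nibble order is assumed to be the order gr-pocsag prints.

```python
BCH_POLY = 0x769             # x^10+x^9+x^8+x^6+x^5+x^3+1, POCSAG's BCH(31,21) generator
IDLE_CODEWORD = 0x7A89C197   # standard POCSAG idle codeword
NUMERIC = "0123456789*U -]["  # POCSAG numeric character set for nibble values 0x0..0xF

def bch_syndrome(word31):
    """Remainder of a 31-bit word divided by the generator over GF(2); 0 for a valid codeword."""
    reg = word31
    for i in range(30, 9, -1):
        if reg >> i & 1:
            reg ^= BCH_POLY << (i - 10)
    return reg & 0x3FF

def make_codeword(msg21):
    """21 information bits (type bit + 20 data bits) -> 32-bit codeword: BCH bits, even parity."""
    cw31 = (msg21 << 10) | bch_syndrome(msg21 << 10)
    return (cw31 << 1) | (bin(cw31).count("1") & 1)

def codeword_ok(cw32):
    """What a decoder checks on every slot: even parity and a zero BCH syndrome."""
    return bin(cw32).count("1") % 2 == 0 and bch_syndrome(cw32 >> 1) == 0

def address_codeword(address21, function=0):
    """Only the upper 18 address bits are sent; the low 3 bits select the frame (slot pair)."""
    return make_codeword(((address21 >> 3) << 2) | (function & 3))

def slot_of(address21):
    """Index of the frame's first codeword within the 16-codeword batch."""
    return 2 * (address21 & 7)

def address_from_codeword(cw32, slot):
    """Rebuild the full 21-bit address from the codeword and the slot it arrived in."""
    return (((cw32 >> 13) & 0x3FFFF) << 3) | (slot // 2)

def decode_numeric(data20):
    """20 data bits of a numeric message codeword as five nibbles (gr-pocsag's printed order)."""
    return "".join(NUMERIC[(data20 >> s) & 0xF] for s in (16, 12, 8, 4, 0))

def build_batch(address21, function, message_words):
    """Schedule the address in its own frame, IDLE-padded before and after (sync word not included).
    message_words: 20-bit data fields; must fit in the slots remaining after the address."""
    batch = [IDLE_CODEWORD] * 16
    first = slot_of(address21)
    batch[first] = address_codeword(address21, function)
    for i, data20 in enumerate(message_words, start=first + 1):
        batch[i] = make_codeword((1 << 20) | data20)  # type bit set = message codeword
    return batch
```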
POCSAG Modulator

ZigBee
- Roles reversed: pager unit transmits
- Pager unit has integrated RFID reader
- RFID chip stuck on underside of each table
- Placing pager unit on table transmits pager number and table number
- 2.4 GHz ISM band
- Decode with gr-ieee802-15-4

ZigBee Transceiver
Decoded ZigBee
Decoded Pager
- Pagers: 38 = 0x26, 54 = 0x36
- Table: 36 = 0x24

Hostage Pager
- Pagers get angry when system broadcast (beacon) is not heard within timeout
- Flash & vibrate until they are returned within range
- Take a pager hostage by broadcasting beacon

RDS-TMC
FM Broadcast Band

Radio Data Service
- Subcarrier on commercial FM stations
- Not audible (filtered out)
- BPSK @ 1187.5 bps
- Listen & decode with gr-rds

Stereo FM with RDS: Receiver

Radio Data Service
Traffic Message Channel
- Type 8A RDS group message
- Compact representation via lookup table:
  - Event
  - Location
  - Duration
- Examples:
  - Congestion
  - Accidents
  - Roadwork

Traffic Message Channel
Encrypted Location Codes
- Location codes: 16 bit for a given geographical area
- Encryption keys: 16 bit
- Schedule: one randomly chosen each day from 31 standard keys
- Receiver update: Key ID broadcast constantly

Daily Key ID

Patterns
- Always three unique temperature reports
  - Key: Event ID
  - Value: Location
- Group of three Event IDs always the same
- Encrypted Location IDs always the same for given Enc ID
- Event IDs identical for period of days/weeks
  - Can vary after some time, but hidden (unobserved) value is always the same

Temperatures

Patterns (table)
Days:                       day 1                   day 2                   day 3                   day 4
Key ID (random each day):   K1                      K2                      K2                      K3
Group Period:               P1                      P1                      P2                      P2
Hidden Plain Location:
  L1                        evt(P1,L1):enc(K1,L1)   evt(P1,L1):enc(K2,L1)   evt(P2,L1):enc(K2,L1)   evt(P2,L1):enc(K3,L1)
  L2                        evt(P1,L2):enc(K1,L2)   evt(P1,L2):enc(K2,L2)   evt(P2,L2):enc(K2,L2)   evt(P2,L2):enc(K3,L2)
  L3                        evt(P1,L3):enc(K1,L3)   evt(P1,L3):enc(K2,L3)   evt(P2,L3):enc(K2,L3)   evt(P2,L3):enc(K3,L3)

Transmitted over the air:
  Event = evt(period, plain location)
  Location = enc(key of the day, plain location)

Security Analysis
- 16 bit is very short
- Identical group of location codes are broadcast on a daily basis
  - Unknown but reused plaintext
- Singular events can be correlated from a trusted source
  - Known plaintext

Singular Event from Trusted Source

Input Data (Key ID x Plain Location)
          L1           L2           L3
K1        enc(K1, L1)  enc(K1, L2)  enc(K1, L3)
K2        enc(K2, L1)  enc(K2, L2)  enc(K2, L3)
K3        enc(K3, L1)  enc(K3, L2)  enc(K3, L3)
K4        enc(K4, L1)  enc(K4, L2)  enc(K4, L3)
K5        enc(K5, L1)  enc(K5, L2)  enc(K5, L3)

1. Bootstrap: find all possible plain locations & keys that result in enc(K1, L1)
2. Given those keys, find all possible plain locations recorded with that Key K1 (i.e. L2, L3)
   Remember pool of possible plain locations for each L & pool of possible keys for K
3. For each remaining K, repeat, maintaining pool of possible keys for each K:
   Find all possible keys given pool of possible plain locations for each L
   Repeat, filtering pools until only one match remains
   Remove item from pool when enc(K, L) ≠ input data

Algorithm
- Possible Plain Location Pools (one per L1, L2, L3) and Possible Key Pools (one per K1..K5); pool diagram
- Iterate & Filter over the Input Data table above
- Despite 16 bits, many potential keys/plain locations are generated at the start due to nature of enc(K, L)

Results
- Convergence expedited by addition of singular events
  - vehicle fire(s)
  - flooding
  - object(s) on roadway {something that does not necessarily block the road or part of it}
- Even though multiple keys exist for a Key ID, with enough data plain location search yields one match!

Aviation RADAR
ATCRBS, PSR & SSR
- Air Traffic Control Radar Beacon System
- Primary Surveillance Radar
- Secondary Surveillance Radar

Primary:
- Traditional RADAR
- Paints skins and listens for return
- Identifies and tracks primary targets, while ignoring ground clutter
- Range limited by RADAR equation (1/d^4)

Secondary:
- Directional radio
- Requires transponder
- Interrogates transponders, which reply with squawk code, altitude, etc.
- Increased range (1/d^2)

Primary Surveillance RADAR
- Transmits a bang (the main pulse)
- Listens for returns (echoes)
Bang

The Modes (SSR)
- A: reply with squawk code
- C: reply with altitude
- S: enables Automatic Dependent Surveillance-Broadcast (ADS-B), and the Aircraft/Traffic Collision Avoidance System (ACAS/TCAS)
- Mode S not part of ATCRBS, but uses same radio hardware (same frequencies)
- Increasing problem of channel congestion

ADS-B
- Position
- Heading
- Altitude
- Vertical rate
- Flight ID
- Squawk code

A Typical 747 has 31 radios
- 2x 400 W voice HF
- 3x 25 W voice/data VHF
- 2x 100 W 9 GHz RADARs
- 2x GPS, 1.5 GHz 60 W voice/data SATCOM
- 2x 75 MHz marker beacons
- 3x VHF LOC localiser
- 3x UHF glideslope
- 2x LF ADF automatic direction finder
- 2x VOR VHF omnidirectional range
- 2x 1 GHz 600 W transponders
- 2x 1 GHz 700 W DME distance measuring equipment
- 3x 500 mW 4.3 GHz radar altimeters
- 3x 406 MHz EPIRB
(antenna diagram labels: TCAS, SATCOM high gain / low gain, VHF, Xpndr, HF, DME, ADF, EPIRB, VHF Marker, RADAR Altimeter)

Mode S Response Encoding
- Data block is created & bits control position of pulses sent by transmitter
- Early chip / Late chip
- Used to differentiate against other Modes
- Pulse Position Modulation (AM)

Pulse Position Modulation
- Pulse lasts 0.0000005 seconds (0.5 µs)
- Need to sample signal at a minimum of 2 MHz (assuming you start sampling at precisely the right moment and stay synchronised)
- Requires high bandwidth hardware and increased processing power
- Ideally, oversample to increase accuracy

Mode S Frame
Mode S Response: AM signal

Primary Surveillance RADAR
Moffett Field ASR-9
Primary Surveillance RADAR
Dual PRF Mode: Weather
Bang / RADAR Returns
Magnitude Histogram
Above Noise Floor
Pulse Length Histogram
Pulse Envelope
Strong Pulse Separation
PRF Histogram
Strong Pulses vs. Time
Strong Pulses vs. Time (zoomed)
Pulse Power vs. Time
Pulse Power vs. Time (zoomed)
Distance Between Pulses
Pulse and echo power over time

Raw RADAR Return Plot
- Each scan line is synchronised to an emitted pulse
- Scan line is amplitude of samples over time (also range of the return)

Virtual RADAR Scope
RADAR
LAS ASR-9
Distortion Map
- Angle / Distance / 2D Offset
- Monostatic
- Bistatic
- Multipath
ATSC
PN511
Correlation Peaks

RFID
FasTrak
- Traffic toll tag
- Contains your ID
- Interrogation signal in 900 MHz ISM band
  - Wake up signal activates tag
  - Pulse Position Modulated payload
- Tag replies with backscatter modulation
  - Reflects transmitter's RF energy (tiny amount)
  - Modulates reflection with Frequency Shift Keying

Interrogation Signal
(annotated capture: Wake up, Preamble, Payload, Backscatter carrier)
Wake Up / Preamble
Interrogation Payload
Backscatter Carrier

RF Circulation
(circulator diagram: TX on port 1, ANT on port 2, RX on port 3)
Interrogation Signal
Received Signal: Interrogation, CW, Response

Title 21 Specification
Preamble Detection
Matched Preamble Filter Response
Slicer Time!
Sample bits

Reading a Tag Outside
Frequency domain Amplitude (LF)
Time domain Amplitude (LF)
Frequency domain Amplitude (UHF)
Time domain Amplitude (UHF)
baudline Dual FFT: LF / UHF
GNU Radio + baudline

Building Security Badge Auth
Time domain Amplitude: Reader / Badge

ISEE-3 Reboot Project
Delta-V Limit
Arecibo Radio Observatory
Fun
View from above
Ionospheric heaters
Still a good start
Weak Signal / Low RBW
numpy & matplotlib
After Improving Pointing: ~45 dB C/N
Moving peak below due to Doppler shift
Verifying Transmitted Signal: B200 receiving leakage from dish
Moment of First Contact
Happy Dance
Dual Channel Recording
Raw Captured Baseband
PLL tracking carrier
PLL Lock
Propulsion System
Telemetry: 16 bps
Telemetry: 64 bps
Telemetry: 512 bps
Telemetry: 2048 bps
Telemetry During Thruster Firing
No Thrust
Hydrazine Propulsion System
New Orbit

www.spacecraftforall.com
#cyberspectrum
http://wiki.spench.net/wiki/RF
http://spench.net/
GitHub: balint256
balint@spench.net
balint@ettus.com
@spenchdotnet

Other Applications
Blind Signal Analysis
What you need
- Dish + LNB + power injector + USRP + GNU Radio (set top box with LNB thru)
D1 TLM1: 12243.25 MHz
(annotated spectrum: mirror of RHS*, constant carrier power*, TLM sidebands, constant subcarrier, 1PPS)
Beacon with Phase Modulation* (PM): 1PPS and two telemetry streams (sidebands)

Visualisation
Let's try one
- Feed entire baseband spectrum into GR
- Perform channel selection to isolate stream of interest (create new baseband centred on stream)

Frame analysis
- Header: SYN SYN SYN (EBCDIC)
- Character oriented encoding: SOH, STX, ETX
- CRC (CCITT-16)
- Numbers of fixed length messages
- Each contains an ID

Unpack & find patterns
- 8 bit signed
- 16 bit signed
- Message header BCD
#
0001 [20 049 200] (1/1) ff 18 80 70 01 24 e9 ae ed 26 1a 07 31 90 19 fa 00 00 03 02 00 72 e9 2e
0034 [20 051 161] (1/1) ff 18 80 70 01 24 e9 c7 ed 24 1a 07 31 90 19 fa 00 00 03 02 00 72 e9 2d
0067 [20 053 121] (1/1) ff 18 80 70 01 24 e9 d9 ed 2c 1a 07 31 90 19 fa 00 00 03 02 00 71 e9 2d
0101 [20 055 082] (1/1) ff 18 80 70 01 24 e9 ee ed 2f 1a 07 31 90 19 fa 00 00 03 02 00 71 e9 2d
0134 [20 057 043] (1/1) ff 18 80 70 01 24 e9 ff ed 36 1a 07 31 90 19 fa 00 00 03 03 00 72 e9 2e
0167 [20 059 004] (1/1) ff 18 80 70 01 24 ea 10 ed 40 1a 07 31 90 19 fa 00 00 03 02 00 72 e9 2d
0200 [20 060 221] (1/1) ff 18 80 70 01 24 ea 24 ed 43 1a 07 31 90 19 fa 00 00 03 02 00 73 e9 2d
0233 [20 062 182] (1/1) ff 18 80 70 01 24 ea 3b ed 44 1a 07 31 90 19 fa 00 00 03 02 00 72 e9 2d
0266 [20 064 142] (1/1) ff 18 80 70 01 24 ea 4d ed 4c 1a 07 31 90 19 fa 00 00 03 03 00 74 e9 2c
0299 [20 066 103] (1/1) ff 18 80 70 01 24 ea 62 ed 4f 1a 07 31 90 19 fa 00 00 03 03 00 71 e9 2c
0332 [20 068 064] (1/1) ff 18 80 70 01 24 ea 75 ed 54 1a 07 31 90 19 fa 00 00 03 04 00 70 e9 2c
0365 [20 070 025] (1/1) ff 18 80 70 01 24 ea 80 ed 62 1a 07 31 90 19 fa 00 00 03 03 00 6d e9 2d
0398 [20 071 242] (1/1) ff 18 80 70 01 24 ea 98 ed 64 1a 07 31 90 19 fa 00 00 03 02 00 6b e9 2d
0431 [20 073 203] (1/1) ff 18 80 70 01 24 ea a7 ed 6e 1a 08 31 90 19 fa 00 00 03 00 00 6c e9 2d
0464 [20 075 164] (1/1) ff 18 80 70 01 24 ea bc ed 71 1a 08 31 90 19 fa 00 00 03 00 00 6c e9 2d
0497 [20 077 125] (1/1) ff 18 80 70 01 24 ea cf ed 76 1a 08 31 90 19 fa 00 00 02 99 00 6d e9 2d
0530 [20 079 086] (1/1) ff 18 80 70 01 24 ea e8 ed 76 1a 08 31 90 19 fa 00 00 03 00 00 6b e9 2b
0563 [20 081 047] (1/1) ff 18 80 70 01 24 ea f7 ed 80 1a 08 31 90 19 fa 00 00 03 01 00 69 e9 2b
0596 [20 083 008] (1/1) ff 18 80 70 01 24 eb 06 ed 8a 1a 08 31 90 19 fa 00 00 03 01 00 66 e9 2b
0630 [20 084 225] (1/1) ff 18 80 70 01 24 eb 1b ed 8e 1a 08 31 90 19 fa 00 00 03 01 00 67 e9 2b
0663 [20 086 187] (1/1) ff 18 80 70 01 24 eb 30 ed 92 1a 08 31 90 19 fa 00 00 03 01 00 6a e9 2c
0696 [20 088 148] (1/1) ff 18 80 70 01 24 eb 45 ed 95 1a 08 31 90 19 fa 00 00 03 01 00 70 e9 2c
0729 [20 090 109] (1/1) ff 18 80 70 01 24 eb 59 ed 99 1a 08 31 90 19 fa 00 00 03 03 00 73 e9 2c
0762 [20 092 069] (1/1) ff 18 80 70 01 24 eb 6b ed a1 1a 08 31 90 19 fa 00 00 03 03 00 75 e9 2b
0795 [20 094 030] (1/1) ff 18 80 70 01 24 eb 7b ed a9 1a 08 31 90 19 fa 00 00 03 03 00 76 e9 2b
0828 [20 095 247] (1/1) ff 18 80 70 01 24 eb 8e ed af 1a 08 31 90 19 fa 00 00 03 03 00 75 e9 2b
0861 [20 097 208] (1/1) ff 18 80 70 01 24 eb a2 ed b3 1a 08 31 90 19 fa 00 00 03 02 00 74 e9 2b
0894 [20 099 169] (1/1) ff 18 80 70 01 24 eb b7 ed b6 1a 08 31 90 19 fa 00 00 03 03 00 72 e9 2b
0927 [20 101 130] (1/1) ff 18 80 70 01 24 eb ca ed bd 1a 08 31 90 19 fa 00 00 03 03 00 71 e9 2b
0960 [20 103 091] (1/1) ff 18 80 70 01 24 eb da ed c4 1a 08 31 90 19 fa 00 00 03 03 00 70 e9 2b
0993 [20 105 052] (1/1) ff 18 80 70 01 24 eb ef ed c9 1a 08 31 90 19 fa 00 00 03 03 00 70 e9 2b
1026 [20 107 013] (1/1) ff 18 80 70 01 24 ec 03 ed cd 1a 08 31 90 19 fa 00 00 03 03 00 71 e9 2b
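The unpack & find patterns step above, as an added example that is not from the talk: a pattern finder run over eight of the frames from the dump, reporting which byte columns never change and which 16-bit field climbs monotonically (a counter or timestamp candidate), with the 8-bit and 16-bit signed views the slide mentions. Only the dump lines are from the page; the field interpretations are assumptions.

```python
import struct

# Sample input: eight frames copied from the dump above (constructed subset, not all frames).
DUMP = """\
0001 [20 049 200] (1/1) ff 18 80 70 01 24 e9 ae ed 26 1a 07 31 90 19 fa 00 00 03 02 00 72 e9 2e
0034 [20 051 161] (1/1) ff 18 80 70 01 24 e9 c7 ed 24 1a 07 31 90 19 fa 00 00 03 02 00 72 e9 2d
0067 [20 053 121] (1/1) ff 18 80 70 01 24 e9 d9 ed 2c 1a 07 31 90 19 fa 00 00 03 02 00 71 e9 2d
0101 [20 055 082] (1/1) ff 18 80 70 01 24 e9 ee ed 2f 1a 07 31 90 19 fa 00 00 03 02 00 71 e9 2d
0134 [20 057 043] (1/1) ff 18 80 70 01 24 e9 ff ed 36 1a 07 31 90 19 fa 00 00 03 03 00 72 e9 2e
0167 [20 059 004] (1/1) ff 18 80 70 01 24 ea 10 ed 40 1a 07 31 90 19 fa 00 00 03 02 00 72 e9 2d
0200 [20 060 221] (1/1) ff 18 80 70 01 24 ea 24 ed 43 1a 07 31 90 19 fa 00 00 03 02 00 73 e9 2d
0233 [20 062 182] (1/1) ff 18 80 70 01 24 ea 3b ed 44 1a 07 31 90 19 fa 00 00 03 02 00 72 e9 2d
"""

def parse_frames(dump):
    """One bytes object per line: everything after the '(1/1) ' marker is the frame payload."""
    frames = []
    for line in dump.splitlines():
        if line.strip():
            hexpart = line.split(") ", 1)[1]
            frames.append(bytes.fromhex(hexpart.replace(" ", "")))
    return frames

def constant_columns(frames):
    """Byte offsets whose value never changes: header, sync and padding candidates."""
    n = min(len(f) for f in frames)
    return [i for i in range(n) if len({f[i] for f in frames}) == 1]

def unpack_column(frames, offset, fmt):
    """View one offset across all frames with a struct format, e.g. '>b' (8-bit signed),
    '>h' (16-bit signed) or '>H' (16-bit unsigned); assumes big-endian fields."""
    return [struct.unpack_from(fmt, f, offset)[0] for f in frames]

def increasing_fields(frames, fmt=">H"):
    """Offsets where the unpacked values strictly increase from frame to frame:
    candidates for a frame counter or a timestamp."""
    size = struct.calcsize(fmt)
    n = min(len(f) for f in frames)
    hits = []
    for off in range(n - size + 1):
        vals = unpack_column(frames, off, fmt)
        if all(b > a for a, b in zip(vals, vals[1:])):
            hits.append(off)
    return hits
```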
Graphing the Data
(plots of the unpacked fields against frame index; only axis ticks survived extraction)
Software Defined Radio Direction Finding
SDR Direction Finding
Two WiFi channels, and then some
FLEX Pagers & Baudline
900 MHz ISM Smart Meters
3G WCDMA: signature of UMTS is repeating data in CPICH at 10 ms intervals
No apparent signal
1 ms
Cyclic 1023 bit code @ 1.023 MHz chip rate
gnss-sdr: Decoding L1
Ettus HQ
TETRA
- Repeating idle pattern
- Frequency correction burst
The Entire HAM Band
OpenBTS
- Open source 2G GSM stack
- Asterisk softswitch (PBX)
- VoIP backhaul
802.11a/g/p (OFDM) Decoding
Automatic Picture Transmission
Automatic Identification System