
Notes and links in PDF comments on each slide

All Your RFz Are Belong to Me:
Hacking the Wireless World with Software Defined Radio
Balint Seeber
balint@spench.net
@spenchdotnet

Applications Engineer
balint@ettus.com

Overview
RF 101
The journey into Software Defined Radio
Hospital pager systems
Tracking planes
Decoding satellite downlink traffic
Direction Finding

The Electromagnetic Spectrum
Electromagnetism: one of four universal forces
Radio waves exist due to energy being propagated at a particular frequency
Can create and receive radio waves using electronics

Transmitting Data
Radio (carrier) wave must be modulated to convey information
(plot: amplitude vs. time)
OOK (On-Off Keying): presence/absence of a signal
COFDM (Coded Orthogonal Frequency Division Multiplexing): WiFi, DVB, DAB, WiMAX, UWB, 4G, ADSL, PLC

Transmitting Data
(block diagram labels: Information, Modulator, RF Hardware, Carrier)

AM & FM: In the Time Domain
Analog or digital information
Constant amplitude
Constant frequency
(plot axis: time)

In the Frequency Domain
Amplitude for each frequency
(plot axis: frequency)

Modulation
Modulation technique defines how the signal will look on the spectrum
(plots of the Carrier, AM, FM and C4FM against time and frequency)

Hardware
Crystal set receiver
Powerful AM transmissions
More advanced hardware to handle increasingly complex modulation schemes: FM, stereo FM, microwave, digital

Modulation in Hardware
MOdulation and DEModulation traditionally performed in hardware
Black box implementation
Not reconfigurable

Modern digital hardware allows more flexibility
Radyne Comstream DMD15 Satellite Modem

The journey begins

Genesis of RFMap

GSM + Gammu + Wireshark

Field Test Mode
<1983>MDI:d2m/RSSI_RESULTSt=0afenr=73:D83:
0000b1b10065aba3b1a0a0a69da180a480808080808080aa

Geolocation with GSM

RF NetMapper

Determine accuracy by comparing to ground truth: where are the base stations?

ACMA RadCom Web Interface

Enter RFMap

The RFMap web interface

All sites, point-to-point links & elevation data

Registered TX Sites

NASA SRTM Elevation Data

Site details: frequency assignments

Antenna radiation pattern*

Antenna Radiation Envelope

Radiation Heatmap

Amateur Radio Operators (HAMs)

Most popular sites

Defence & ECHELON

Joint Space Defence Research

Upset ADIRU of QF68/71/72 & JQ7?

Sidenote

Bolivia

The Mystery Signal
Rate at which messages were transmitted varied throughout the day: correlates with increased daytime activity.
Received RF signal -> audio sampled by sound card -> streamed across network

Step One: Look at the signal
Radio is already set to receive NFM (narrowband frequency modulated signal)

Signal in the time domain (voltage vs. time): preamble, payload

Signal in the frequency domain (intensity of frequency bins vs. time)

IT'S SLICER TIME!

Frequency analysis (FFT) of signal: two frequencies of interest

Audio Data Decoder: payload, preamble, untrained, running state of decoder

Step Two: FFT of 2FSK -> Bitstream
Lock on two frequencies (Frequency Shift Keying)
Sample intensity of each at regular interval (baud rate)
Pick which is the strongest: low = 0 bit, high = 1 bit

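Step Two as an added worked example (not code from the talk): a continuous-phase 2-FSK burst is constructed the way a sound-card capture of the pager channel would look, the bit boundary is found by trying every sample offset, and each bit period is sliced by comparing the power at the two tones. The 1200/2200 Hz tones, 1200 baud, the 48 kHz sound-card rate and the SNR are assumptions; the real pager system has its own.

```python
import cmath
import math
import random

# Constructed test-signal parameters (assumptions; the talk does not give the pager's tones).
FS = 48000          # sound-card sample rate, Hz
F_LOW = 1200.0      # tone that carries a 0 bit, Hz
F_HIGH = 2200.0     # tone that carries a 1 bit, Hz
BAUD = 1200         # bits per second -> FS // BAUD = 40 samples per bit
SPB = FS // BAUD


def make_2fsk(bits, snr_db=12.0, lead=10, tail=10, seed=1):
    """Constructed continuous-phase 2-FSK audio burst with white noise and a short
    noise-only lead-in and tail, as a sound-card capture of a pager burst would have."""
    rng = random.Random(seed)
    sigma = 10 ** (-snr_db / 20) / math.sqrt(2)   # noise std. dev. for a unit-amplitude tone
    out = [rng.gauss(0, sigma) for _ in range(lead)]
    phase = 0.0
    for b in bits:
        f = F_HIGH if b else F_LOW
        for _ in range(SPB):
            out.append(math.cos(phase) + rng.gauss(0, sigma))
            phase += 2 * math.pi * f / FS
    out += [rng.gauss(0, sigma) for _ in range(tail)]
    return out


def tone_power(chunk, f):
    """Power of one bit period at frequency f: a single-bin DFT (the slide's FFT,
    evaluated only at the two frequencies of interest)."""
    step = cmath.exp(-2j * math.pi * f / FS)
    acc, z = 0j, 1 + 0j
    for s in chunk:
        acc += s * z
        z *= step
    return abs(acc) ** 2


def best_alignment(samples):
    """Find the bit boundary: the sample offset at which the two tone powers differ most,
    summed over all bit periods (the 'stay synchronised' part of the slide)."""
    best, best_score = 0, -1.0
    for off in range(SPB):
        score = 0.0
        for i in range(off, len(samples) - SPB + 1, SPB):
            chunk = samples[i:i + SPB]
            score += abs(tone_power(chunk, F_HIGH) - tone_power(chunk, F_LOW))
        if score > best_score:
            best, best_score = off, score
    return best


def decode_2fsk(samples, start):
    """Slice the burst into bit periods from `start`, measure both tones in each and
    pick the stronger one: low tone = 0, high tone = 1."""
    bits = []
    for i in range(start, len(samples) - SPB + 1, SPB):
        chunk = samples[i:i + SPB]
        bits.append(1 if tone_power(chunk, F_HIGH) > tone_power(chunk, F_LOW) else 0)
    return bits
```

The alignment search is what keeps a real decoder locked: a half-bit offset makes every chunk straddle two bits and the tone contrast collapses, so the offset with the largest summed contrast is the bit boundary.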
Step Three: Data -> Information
The most difficult part, so try all combinations

Wikipedia says:

POCSAG!
Post Office Code Standardization Advisory Group
Standard decoding software didn't work
Key: recognisable sequence of bits when idle
Look for known codewords / repeated bit strings

Hospital Pager Systems
High power, better penetration than mobiles
Personnel carry small pagers, each with ID mapped to Radio Identity Code
Mostly numeric pages with phone extension
Sent via software on any computer at hospital
Address to multiple recipients, automatically sent to each once
Delivery not guaranteed

Frequencies
Shared frequency: 148.1375 MHz (standard)
Private systems in 800/900 MHz band: non-standard FSK ignored by decoders

Testing

On RFMap

Sydney West Area Health Service

Hospital ID Postfix
Gosford
North Shore
Prince of Wales: 38, etc.

Sensitive Information

Aviation Mapper

Image by Oscar De Lellis

10706 ft
590 km/h

YSSY -> YMML

ATCRBS, PSR & SSR
Air Traffic Control Radar Beacon System
Primary Surveillance Radar
Secondary Surveillance Radar
Primary:
Traditional RADAR
Paints skins and listens for return
Identifies and tracks primary targets, while ignoring ground clutter
Range limited by RADAR equation (1/d^4)

Secondary:
Directional radio
Requires transponder
Interrogates transponders, which reply with squawk code, altitude, etc.
Increased range (1/d^2)

The Modes (SSR)
A: reply with squawk code
C: reply with altitude
S: enables Automatic Dependent Surveillance-Broadcast (ADS-B), and the Aircraft/Traffic Collision Avoidance System (ACAS/TCAS)
Mode S not part of ATCRBS, but uses same radio hardware (same frequencies)
Increasing problem of channel congestion

ADS-B: position, heading, altitude, vertical rate, flight ID, squawk code

ATC
Uplink: All-call / Altitude request
Downlink: Airframe ID / Altitude response (air to ground)
Mode S TX/RX: linked to ATC (can be at airport, or remote)

ACAS/TCAS
TRAFFIC / PULL UP
Altitude request
Altitude response (air to air)

Mode S sites
Uplink: 1.03 GHz
Downlink: 1.09 GHz

Response Encoding
Data block is created & bits control position of pulses sent by transmitter
Late chip / Early chip
Used to differentiate against other Modes
Pulse Position Modulation (AM)

Pulse Position Modulation
Pulse lasts 0.0000005 seconds (0.5 µs)
Need to sample signal at a minimum of 2 MHz (assuming you start sampling at precisely the right moment and stay synchronised)
Requires high bandwidth hardware and increased processing power
Ideally, oversample to increase accuracy

Enter Software Defined Radio

SDR: Digitise the baseband
Hardware is sophisticated, but purpose is simple: capture a chunk of the RF spectrum and stream it to your computer
Computer is responsible for doing something useful with baseband data
Instead of designing RF hardware, write it in software!
Increased complexity/bandwidth requires more CPU power (pretty cheap)

Software Defined Radio
Hardware -> software representation
Completely reconfigurable
Only RF front end kept as hardware
I + Q
2
(block diagram labels: Carrier, RF Hardware, Baseband demodulator, Software, Information)

Continuous process -> discrete & quantised
Digital sampling produces voltage levels:
7, 9, 11, 12, 13, 14, 14, 15, 15, 15, 14, 14, 13, 12, 10, 9, 7, ...
DAC
ADC

Sampling
Nyquist-Shannon Sampling Theorem: sample at twice the highest required frequency
Avoid aliasing of signal
Analog to Digital Converter (RX)
Digital to Analog Converter (TX)
ADC/DAC rate determines bandwidth*

Reception
RF front end downconverts signal to baseband
Zero-IF receiver
Sample & quantise baseband signal
Simple approach would be to sample voltage level (amplitude): sound card

Real vs. Analytic Signals
Real signal: amplitude for each sample, one real number
Analytic signal: amplitude and phase, real and imaginary components (negative frequency), encodes more information

Quadrature Modulation
Analytic signals can be sampled by having two ADCs
Baseband must first be separated into quadrature components (real and imaginary parts)
Mix baseband with: in-phase local oscillator (I channel), quadrature-phase LO (Q channel)

Sample Rate
Analytic signal has two components: I & Q samples per sample time
Negative frequency -> double the bandwidth
Re-apply Shannon's sampling theorem: sampling rate directly determines bandwidth
Produce a stream of complex samples (I/Q sample pairs) at sample rate

SDR (De)modulation
Complex stream passed through mathematical functions and state machines

The Universal Software Radio Peripheral (USRP1)
Sample rate = bandwidth: 0.25 - 16 MHz
With WBX daughterboard: RX/TX 50 MHz - 2.2 GHz

The FUNcube Dongle

RTL

Host Software
Receive/transmit baseband samples
Analyse & display
(De)modulate
Encode/decode (extract information)
Well-known platforms/programs: LabVIEW, MATLAB Simulink
Open source? No.

GNU Radio
Open source signal processing toolkit
Dataflow paradigm: signals flow from sources to sinks; intermediary blocks operate on signals
Sources & sinks: USRP, sound card, file, network
Visualisation: FFT, waterfall, scope
Signal types: complex, float, integers
Filters: traditional building blocks used in analog and digital RF hardware
Completely extensible (Python: high level, C++: grunt)

GNU Radio Companion

2G GSM Waterfall: 8 MHz wide (8 Msps); traffic channel; broadcast control channel

CDMA Detection with GRC: 2.1 GHz 3G, 850 MHz NextG, L1 GPS
Visualise intensity of frequency components over time
Visualise instantaneous frequency spectrum
Find repeating patterns buried within a signal

3G WCDMA: signature of UMTS is repeating data in CPICH at 10 ms intervals

No apparent signal

1 ms

Cyclic 1023-bit code @ 1.023 MHz chip rate

TETRA: repeating idle pattern; frequency correction burst

TETRA: π/4 DQPSK

USRP out and about

Amateur Digital Modes

The Entire HAM Band

Stereo FM with RDS: Receiver

Stereo FM with RDS: Transmitter

Sequential Scanning

Parallel Decoding
Parallel Decoding: 1
Parallel Decoding: N

OpenBTS
Open source 2G GSM stack
Asterisk softswitch (PBX)
VoIP backhaul

802.11a/g/p decoding
10/20 MHz OFDM
gr-ieee802-11
BPSK & QPSK

Other Applications of SDR
Radio astronomy
Passive radar
DVB-S decoder
Tracking pedestrian foot traffic in shopping malls
Much more

Mode S Waterfall

Time Domain: preamble, frame

Data bits from early/late chips

Starting Points
gr-air by Eric Cottrell
Separates processing into several different GR blocks which detect/decode:
1. Pulses
2. Mode S preamble
3. Frame length
4. PPM chips/bits

gr-air-modes by Nick Foster
Less complex (fewer steps) -> better performance
Less overhead by using PMTs instead of passing state structs as samples through GR runtime

Mode S Response: AM signal (preamble, payload)

Decoder visualisation

Mode S Decoder Structure
Pulse detect -> Preamble detect -> Frame length detect -> PPM demod -> ...,0,1,... -> Frame parser -> Error correction -> Sanity check

Mode S Frame Types
Several Downlink Formats (DF)
Short/long frames (56/112 bits)
Contains Airframe Address (AA): 24-bit transponder address allocated by ICAO
Appended CRC: normal mode (syndrome = 0); address-overlaid mode (syndrome = AA)
DF11: All-call; 5/20: Identity (squawk code); 0/4/16/20: Altitude

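The Mode S slides above (Response Encoding, Pulse Position Modulation, the decoder structure and the frame/CRC types) as an added worked example; it is not the talk's code nor gr-air or gr-air-modes. Chip amplitudes at the 2 MHz minimum rate are checked for the preamble, sliced into early/late chips, the frame length is taken from the downlink format, and the 24-bit parity is recomputed to obtain the syndrome: 0 in normal mode, the airframe address in address-overlaid mode. The preamble pulse positions and the CRC polynomial are the published Mode S values rather than something on the slides; the airframe address 0xABCDEF and the message bits are constructed placeholders.

```python
# Mode S downlink reply as the talk describes it: each 1 us bit is a pulse in either the
# first 0.5 us (early chip, a 1) or the second 0.5 us (late chip, a 0); a 24-bit CRC is
# appended, optionally XORed with the 24-bit airframe address ("address overlaid").
CHIP_RATE_HZ = 2_000_000                     # one sample per chip: the slide's 2 MHz minimum
PREAMBLE_PULSES_US = (0.0, 1.0, 3.5, 4.5)    # published Mode S preamble; data starts at 8 us
GENERATOR = 0x1FFF409                        # published Mode S CRC polynomial, x^24 term included


def crc24(data, nbits):
    """GF(2) remainder of data(x) * x^24 modulo the generator: the parity field."""
    reg = data << 24
    for i in range(nbits + 23, 23, -1):
        if (reg >> i) & 1:
            reg ^= GENERATOR << (i - 24)
    return reg & 0xFFFFFF


def build_reply(data, nbits, overlay_address=None):
    """Append the parity; in address-overlaid mode XOR the airframe address into it."""
    parity = crc24(data, nbits - 24)
    if overlay_address is not None:
        parity ^= overlay_address
    return (data << 24) | parity


def syndrome(frame, nbits):
    """Recomputed parity XOR received parity field: 0 for a clean normal-mode frame, the
    airframe address for an address-overlaid frame, anything else means bit errors."""
    return crc24(frame >> 24, nbits - 24) ^ (frame & 0xFFFFFF)


def ppm_modulate(frame, nbits):
    """Chip amplitudes at CHIP_RATE_HZ: the four preamble pulses, then two chips per bit."""
    chips = [0.0] * 16
    for us in PREAMBLE_PULSES_US:
        chips[int(us * 2)] = 1.0
    for i in range(nbits - 1, -1, -1):
        chips += [1.0, 0.0] if (frame >> i) & 1 else [0.0, 1.0]
    return chips


def preamble_present(chips):
    """Preamble detect: every pulse position must beat every quiet chip in the 8 us window."""
    pulses = [int(us * 2) for us in PREAMBLE_PULSES_US]
    on = [chips[i] for i in pulses]
    off = [chips[i] for i in range(16) if i not in pulses]
    return min(on) > max(off)


def ppm_demod(chips, nbits, start=16):
    """PPM demod: early chip stronger than late chip -> 1, otherwise 0."""
    frame = 0
    for i in range(nbits):
        early, late = chips[start + 2 * i], chips[start + 2 * i + 1]
        frame = (frame << 1) | (1 if early > late else 0)
    return frame


def decode_reply(chips):
    """Preamble detect -> frame length from the downlink format -> PPM demod -> CRC check."""
    if not preamble_present(chips):
        return None
    df = ppm_demod(chips, 5)            # the first five bits are the downlink format
    nbits = 112 if df >= 16 else 56     # DF 16 and above use the long frame
    frame = ppm_demod(chips, nbits)
    return df, nbits, frame, syndrome(frame, nbits)
```

A decoder that sees a non-zero syndrome on a DF11 all-call reply treats it as the overlaid airframe address rather than an error, which is how the talk's tracker learns addresses; on a DF17 squitter the same non-zero value means the frame is corrupt.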
ADS-B: Extended Squitter
Several ES types (DF17):
Standard: position, altitude, heading, vertical rate, flight ID, transponder code
System information
Aircraft capabilities/status (e.g. autopilot enabled)
Aircraft intent
Traffic information
TCAS resolution advisories (Pull up!)

Making use of ADS-B data

Aviation Mapper
Connects to Mode S decoder server
Tracks & plots airframes, collects statistics
Provides state server for web streaming
Live, smooth web streaming in

Modez Mk I

Modez Mk II point 5

Modez Mk III

Ground vehicle with Mode S! (inspecting perimeter?)

Next Level Modez

BorIP
Allows USRP1 and computer to be separated by LAN
Control radio via TCP
Stream baseband via UDP
Seamless drop-in for GR
If it can't find a local device, try remote
Everything just works (USRP Source, GR, etc)

Antenna to Google Earth
Capture & Control (USRP) -> BorIP -> Mode S Decoder (GR) -> TCP Server -> Tracking (AvMap) -> JSON Server -> Web App -> HTTP Gateway -> AJAX -> Web Client (Google Earth)

Modez Evolution
Goal is to increase SNR
Increase gain: tuned antenna
Drop noise floor: front-end filter (GSM is nearby) & optimal sample rate to avoid artifacts (spurs)

Signal Strength Distribution
Evaluate how well decoder is doing

SNR vs. Gain
Make use of fixed (ground) transponders
Noise floor
Change USRP/WBX gain

Strength vs. Distance

Altitude vs. Distance
Helps to live close to the airport

Strength vs. Altitude

ACARS
Aircraft Communication and Reporting System
Text messaging for aircraft
Wide reaching network: VHF ground stations, HF data link, SATCOM
Manual and automated messages between:
Cockpit, ATC, airline ops & airport ground staff
Avionics/engines, airline maintenance & equipment (engine) manufacturers

Streaming
Listening to primary & secondary frequencies
Decoded, combined, JSONified & served

AM ACARS burst

Examples
Time: 2011-11-16 09:12:24.073000
Station: Home
Frequency: 131.55 MHz
Mode: s (uplink, LCN: 19)
Address: 9M-MPO
Ack: NAK
Label: 31: Airline Defined Message
Block: W
S
1. TOILET CC1-INOP
2. ROW 30-31 DEFG-CARPET FLOOR VERY WET
2. GALLEY 3-CART LIFT FLOODED

Examples
Time: 2011-11-16 09:49:00.255000
Station: Home
Frequency: 131.45 MHz
Mode: 2 (either)
Address: VN-A375
Ack: NAK
Label: H1: System and engineering data (downlink)
Block: 4
Message #: C12A
Flight ID: VN0773
#CFB.1/MPF/ANVN-A375/FIHVN773
/DM111115224900NOV1514042244PFR1/DAVVTS/DSYSSY/FR383141VSC
1,,,,,,,LAV 37,HARD,140505;237346CIDS1 1,,,,,,,DEU A
(200RH2),HARD,140505;383141VSC
1,,,,,,,LAV 53,HARD,174906;

Examples
Time: 2011-11-16 09:49:06.844000
Station: Home
Frequency: 131.45 MHz
Mode: 2 (either)
Address: VN-A375
Ack: NAK
Label: H1: System and engineering data (downlink)
Block: 5
Message #: C12B
Flight ID: VN0773
#CFB383141VSC
1,,,,,,,LAV 61,HARD,202806;344137WXR2
1,,,,,,,WXR MOUNTING TRAY (5SQ),INTERMITTENT,203506,EOR

HFDL
PC-HFDL

What about no ADS-B?
No position reports
Signal is high bandwidth
Multiple remote USRPs can be sync'd with GPSDO
Perform multilateration on non-ADS-B (plain old Mode S)
Calculate position from TDOA

Blind Signal Analysis

Recap
Lots of different types of satellites
Variables:
Purpose: comms, weather, MIL, amateur
Payload: transponders, cameras/sensors
Orbit: Low Earth Orbit, geostationary (geosync)
Frequencies: uplink, downlink, beacon, command
Two categories:
Intelligent: communication with onboard systems
Dumb: relay information with linear transponders

Wide area rebroadcast
RF megaphone (e.g. satellite TV)
Single dish sends beam on uplink to satellite
Linear transponder shifts raw RF to downlink frequency, retransmitted via spot beams
Cover any entire country
Linear transponders are dumb: rebroadcast anything onto coverage area

TT&C and UPC
Telemetry, Tracking and Command
Need to be able to send commands to satellite:
Change payload configuration
Multiplexing
Switch between redundant systems
Orbit
Check on health of satellite/payload: beacon + telemetry
Measure effect of weather (combat rain fade): Uplink Power Control
Turn up transmitter power (keep at min. = save $$$)

Optus D1
24 Ku-band transponders
Multiplexed spot beams service Aus and NZ
Uplink: 14.0 - 14.5 GHz
Downlink: 12.25 - 12.75 GHz
Bandwidth: 54 MHz
Mainly TV (wideband DVB-S): ABC, SBS, Se7en, Nin9, Sky NZ
Some other (narrowband) things

FNA Beam Coverage

Effective Isotropic Radiated Power (EIRP)

D1 Channel Frequencies: Uplink, Downlink

Optus Earth Station, Belrose, Sydney

Spot the satellite modem

Radyne Comstream Satellite Modem DMD15
Redundant System Controller
Digital Tracking Receiver
C1 UPC
Antenna Control System

What you need
Dish + LNB + power injector + USRP + GNU Radio (set-top box with LNB thru)
Low Noise Block downconverter
Subtract 11.3 GHz from downlink frequency: 950 - 1450 MHz

D1 TLM1: 12243.25 MHz
Mirror of RHS*
Constant carrier power*; TLM sidebands; constant subcarrier; 1PPS
Beacon with Phase Modulation* (PM): 1PPS and two telemetry streams (sidebands)

Visualisation

PSK Debug Output

Data Streams
All sorts of continuous streams of varying bandwidth
Streams created by manipulating raw data to optimise for transmission over long distance
Receiver must be able to lock on and decode

Modulation: pick your parameters
Support multiple data streams, drop and insert
Encode changes in data (receiver can be non-coherent)
Make data appear random (increase entropy of structured data)
Create signal suitable for uplink
Turn binary into symbols for baseband RF (0/1 -> combinations of waves)
Protect integrity of data (corruption from noise on channel)

Demodulation: easy when you know
Are there multiple streams? How are they multiplexed?
Is it differential, or what defines a 0/1?
Possible to determine if it is scrambled (calculate stats), but what is the scrambler? Is it additive or multiplicative? How is it synchronised?
What is the modulation? Symbol rate? Require coherence? What is the phase difference? Need to conjugate complex plane?
Which FEC(s) is used? Is it a concatenated code? What is the code rate? What is the block size? How is it synchronised?

If you don't know
Try the most common/default options (RTFMM):
Modulation: Phase Shift Keying (BPSK, QPSK)
Convolutional code: NASA, K=7 (Voyager Probe)
Scrambler: IESS803 (Intelsat Business Service)
Still need to try each combination of: differential decoding, synchronisation offset, symbol mapping
Best option is to try every permutation automatically
Assuming decent SNR, low Bit Error Rate is an indicator you're heading the right way!

Aside: PSK, Symbols & Bits
PSK uses changes in phase of a signal (carrier) to convey data
Demodulator detects phase changes and outputs symbols
Order of PSK determines # bits in 1 symbol
Many bits/symbol thanks to imaginary numbers (I/Q)
Raw bit rate = symbol rate x (# bits/symbol)
Binary PSK (BPSK): 1 bit/symbol
Quaternary PSK (QPSK): 2 bits/symbol
8PSK: 3 bits/symbol, etc

Determining modulation & rate
Assuming PSK, easy to determine:
Modulation order: multiply the signal by itself
Symbol rate: multiply the signal by a lagged version of itself (cyclostationary analysis)
Only a few GR blocks required to do this

Let's try one
Feed entire baseband spectrum into GR
Perform channel selection to isolate stream of interest (create new baseband centred on stream)

Determine PSK order
Start at 2 and go up
Stop when spike appears
QPSK: 2 bits/symbol

Determine Symbol Rate
Find first peak
9.6 kHz = 9600 symbols/sec

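The two blind measurements above as an added worked example (not the talk's GNU Radio flowgraph), on a constructed M-PSK baseband: raising the signal to the m-th power collapses the spectrum to a single line once m equals the PSK order, and multiplying the signal by a one-sample-lagged copy of itself produces spectral lines at multiples of the symbol rate. The 76.8 ksps channel rate, 8 samples per symbol (so 9600 symbols/s, the rate found on the slides) and the 1200 Hz residual carrier offset are assumptions.

```python
import cmath
import math
import random

# Constructed channelised baseband (assumptions): 76.8 ksps with 8 samples per symbol, i.e.
# the 9600 symbols/s found in the talk, and a 1200 Hz carrier offset left after channel selection.
FS = 76800
SPS = 8
F_OFF = 1200.0
N = 1024   # analysis length; a power of two for the FFT below


def make_psk(order, nsamples=N, seed=3):
    """Constant-envelope M-PSK with rectangular symbols and a residual carrier offset."""
    rng = random.Random(seed)
    out, sym_phase = [], 0.0
    for n in range(nsamples):
        if n % SPS == 0:
            sym_phase = 2 * math.pi * rng.randrange(order) / order
        out.append(cmath.exp(1j * (2 * math.pi * F_OFF * n / FS + sym_phase)))
    return out


def fft(x):
    """Radix-2 decimation-in-time FFT; len(x) must be a power of two."""
    n = len(x)
    if n == 1:
        return [x[0]]
    even, odd = fft(x[0::2]), fft(x[1::2])
    out = [0j] * n
    for k in range(n // 2):
        t = cmath.exp(-2j * math.pi * k / n) * odd[k]
        out[k], out[k + n // 2] = even[k] + t, even[k] - t
    return out


def psk_order(x, max_order=8, threshold=0.5):
    """Multiply the signal by itself: x**m wipes out the modulation once m equals the PSK
    order, leaving one spectral line at m times the carrier offset. Start at 2 and go up;
    stop when a single bin holds more than `threshold` of the energy (the slide's spike)."""
    for m in range(2, max_order + 1):
        energy = [abs(v) ** 2 for v in fft([v ** m for v in x])]
        if max(energy) / sum(energy) > threshold:
            return m
    return None


def symbol_rate(x, lag=1):
    """Multiply the signal by a lagged copy of itself (circular wrap keeps the length a power
    of two): the phase jumps at symbol boundaries make the product cyclostationary, so its
    spectrum carries lines at multiples of the symbol rate. Return the first one above DC."""
    n = len(x)
    y = [x[i] * x[(i - lag) % n].conjugate() for i in range(n)]
    energy = [abs(v) ** 2 for v in fft(y)]
    limit = 0.25 * max(energy[1:n // 2 + 1])     # half the strongest line's amplitude
    for k in range(1, n // 2 + 1):
        if energy[k] > limit:
            return FS * k / n
    return None
```

On a real capture the lines are rarely exactly on an FFT bin, so a longer capture or a finer grid is needed before the energy-fraction test is meaningful; the constructed offsets here were chosen to land on bins so the mechanism is visible.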
Try synchronisation & FEC
FEC Rate:
Not differential
No phase shift (depends on when you switch on receiver)

Find Precise Symbol Rate

Creating Auto-FEC:
sample_rate: 800000
ber_threshold: 2048
ber_smoothing: 0.01
ber_duration: 8192
ber_sample_decimation: 1
settling_period: 4096
pre_lock_duration: 8192

Auto-FEC

De-puncturer relative rate: 1.000000

==> Using throttle at sample rate: 800000
==> Using lock throttle rate: 50000
Auto-FEC thread started: Thread-1
Skipping initial samples while MPSK receiver locks: 4096
Reached excess BER limit: 11437.1352901 , locked: False , current puncture matrix: 0 , total samples received: 12289
Applying lock value: 0
Beginning search...
Applying rotation: 1j
Reached excess BER limit: 11870.4144919 , locked: False , current puncture matrix: 0 , total samples received: 24586
Applying rotation: 1
Applying conjugation: 0
Locking current XForm

=========================================================

FEC locked: 1/2

=========================================================
Applying lock value: 1

Demodulated & error corrected
Symbol rate = 9600 symbols/sec
Pre-FEC raw bit rate = 19200 bits/sec
Post-FEC raw bit rate = 9600 bits/sec (rate 1/2)
Visualise data: look for additional clues
Differential encoding
Scrambling
Structure

QPSK Phase Debug

Visualisation
Raw data (0: black, 1: white)

Descrambling time!

Descrambled
Better, but long runs of 0s and 1s (not ideal)

Differential decoding time!

Diff. decoded & descrambled
Structured, asynchronous packets of data!

Repeating structure

Pattern Search
Search for repeating strings of bits
Try to find frame header
Clue: sudden increase in # of occurrences
Preceding 1s are just part of idle stream when no data is being sent

Frame analysis
Header: SYN SYN SYN (EBCDIC)
Character-oriented encoding: SOH, STX, ETX, CRC (CCITT-16)
Numbers of fixed-length messages; each contains an ID

Unpack & find patterns
(field annotations on the slide: 8-bit signed, 16-bit signed, message header, BCD)

#    [hh mmm sss] (1/1) bytes (columns in the order they were extracted)
0001 [20 049 200] (1/1) ff 18 80 70 01 24 e9 ae ed 26 1a 07 31 90 19 fa 00 00 03 02 00 72 e9 2e
0034 [20 051 161] (1/1) ff 18 80 70 01 24 e9 c7 ed 24 1a 07 31 90 19 fa 00 00 03 02 00 72 e9 2d
0067 [20 053 121] (1/1) ff 18 80 70 01 24 e9 d9 ed 2c 1a 07 31 90 19 fa 00 00 03 02 00 71 e9 2d
0101 [20 055 082] (1/1) ff 18 80 70 01 24 e9 ee ed 2f 1a 07 31 90 19 fa 00 00 03 02 00 71 e9 2d
0134 [20 057 043] (1/1) ff 18 80 70 01 24 e9 ff ed 36 1a 07 31 90 19 fa 00 00 03 03 00 72 e9 2e
0167 [20 059 004] (1/1) ff 18 80 70 01 24 ea 10 ed 40 1a 07 31 90 19 fa 00 00 03 02 00 72 e9 2d
0200 [20 060 221] (1/1) ff 18 80 70 01 24 ea 24 ed 43 1a 07 31 90 19 fa 00 00 03 02 00 73 e9 2d
0233 [20 062 182] (1/1) ff 18 80 70 01 24 ea 3b ed 44 1a 07 31 90 19 fa 00 00 03 02 00 72 e9 2d
0266 [20 064 142] (1/1) ff 18 80 70 01 24 ea 4d ed 4c 1a 07 31 90 19 fa 00 00 03 03 00 74 e9 2c
0299 [20 066 103] (1/1) ff 18 80 70 01 24 ea 62 ed 4f 1a 07 31 90 19 fa 00 00 03 03 00 71 e9 2c
0332 [20 068 064] (1/1) ff 18 80 70 01 24 ea 75 ed 54 1a 07 31 90 19 fa 00 00 03 04 00 70 e9 2c
0365 [20 070 025] (1/1) ff 18 80 70 01 24 ea 80 ed 62 1a 07 31 90 19 fa 00 00 03 03 00 6d e9 2d
0398 [20 071 242] (1/1) ff 18 80 70 01 24 ea 98 ed 64 1a 07 31 90 19 fa 00 00 03 02 00 6b e9 2d
0431 [20 073 203] (1/1) ff 18 80 70 01 24 ea a7 ed 6e 1a 08 31 90 19 fa 00 00 03 00 00 6c e9 2d
0464 [20 075 164] (1/1) ff 18 80 70 01 24 ea bc ed 71 1a 08 31 90 19 fa 00 00 03 00 00 6c e9 2d
0497 [20 077 125] (1/1) ff 18 80 70 01 24 ea cf ed 76 1a 08 31 90 19 fa 00 00 02 99 00 6d e9 2d
0530 [20 079 086] (1/1) ff 18 80 70 01 24 ea e8 ed 76 1a 08 31 90 19 fa 00 00 03 00 00 6b e9 2b
0563 [20 081 047] (1/1) ff 18 80 70 01 24 ea f7 ed 80 1a 08 31 90 19 fa 00 00 03 01 00 69 e9 2b
0596 [20 083 008] (1/1) ff 18 80 70 01 24 eb 06 ed 8a 1a 08 31 90 19 fa 00 00 03 01 00 66 e9 2b
0630 [20 084 225] (1/1) ff 18 80 70 01 24 eb 1b ed 8e 1a 08 31 90 19 fa 00 00 03 01 00 67 e9 2b
0663 [20 086 187] (1/1) ff 18 80 70 01 24 eb 30 ed 92 1a 08 31 90 19 fa 00 00 03 01 00 6a e9 2c
0696 [20 088 148] (1/1) ff 18 80 70 01 24 eb 45 ed 95 1a 08 31 90 19 fa 00 00 03 01 00 70 e9 2c
0729 [20 090 109] (1/1) ff 18 80 70 01 24 eb 59 ed 99 1a 08 31 90 19 fa 00 00 03 03 00 73 e9 2c
0762 [20 092 069] (1/1) ff 18 80 70 01 24 eb 6b ed a1 1a 08 31 90 19 fa 00 00 03 03 00 75 e9 2b
0795 [20 094 030] (1/1) ff 18 80 70 01 24 eb 7b ed a9 1a 08 31 90 19 fa 00 00 03 03 00 76 e9 2b
0828 [20 095 247] (1/1) ff 18 80 70 01 24 eb 8e ed af 1a 08 31 90 19 fa 00 00 03 03 00 75 e9 2b
0861 [20 097 208] (1/1) ff 18 80 70 01 24 eb a2 ed b3 1a 08 31 90 19 fa 00 00 03 02 00 74 e9 2b
0894 [20 099 169] (1/1) ff 18 80 70 01 24 eb b7 ed b6 1a 08 31 90 19 fa 00 00 03 03 00 72 e9 2b
0927 [20 101 130] (1/1) ff 18 80 70 01 24 eb ca ed bd 1a 08 31 90 19 fa 00 00 03 03 00 71 e9 2b
0960 [20 103 091] (1/1) ff 18 80 70 01 24 eb da ed c4 1a 08 31 90 19 fa 00 00 03 03 00 70 e9 2b
0993 [20 105 052] (1/1) ff 18 80 70 01 24 eb ef ed c9 1a 08 31 90 19 fa 00 00 03 03 00 70 e9 2b
1026 [20 107 013] (1/1) ff 18 80 70 01 24 ec 03 ed cd 1a 08 31 90 19 fa 00 00 03 03 00 71 e9 2b

Graphing the Data
(plots of the unpacked fields against message number; only the axis ticks survived extraction: y ranges 1540-1660, 920-980 and 0-120 against x 0-35)

Graphing the Data
(plots of the unpacked fields against message number; only the axis ticks survived extraction: y ranges 4275-4320, 11.5-14.5, 138-156 and 1350-1700 against x 0-35)

STANAG 4285
2400 baud
80 (preamble) + 4x32 (data) + 3x16 (channel probe) @ 2400 bps = 106.66 ms

Digital Radio Mondiale

Cyclic Autocorrelation Function
Han, Sohn & Moung, "A Blind OFDM Detection and Identification Method Based on Cyclostationarity for Cognitive Radio Application"
Total symbol periodicity
Unguarded symbol time

Unguarded Symbol Time: 21.33 ms
Total Symbol Duration: ~37.48 Hz = 26.6 ms

Top-down DRM Symmetry

DRM Class B
Modulation property: Value
Unguarded symbol time: 21.33 ms
Subcarrier spacing: 46 7/8 Hz (= 1/(21.33 ms))
Guard interval: 5.33 ms
Total symbol duration: 26.66 ms
Guard interval ratio: 1/4
Symbols per frame: 15
Unguarded symbol time in samples: (1 Msps/50) x 21.33 ms = 426.6

DUFF DUFF
Software Defined Radio Direction Finding

DF Usage
Radionavigation: predecessor to RADAR
SIGINT
Emergency aid: avalanche rescue
Wildlife tracking
Reconnaissance
Trajectory tracking
Sport?!
Rotatable loop antenna

History
WWI & II
Y stations along the British coastline
Find bearing to U-boats in Atlantic
U-Adcock system: four 10 m high vertical aerials around hut
DF goniometer (angle measurement) & radio

DF for HF
HF: 3-30 MHz
Long wavelengths -> large distances
HF/DF = HUFF DUFF!
Used for SIGINT
Large installations: AN/FLR-9 array near Augsburg, Germany

Amateur RDF
Foxhunts
Competitor on 2 meter band
ARDF course
Highly directional Yagi antenna
Crazy serious German HAM

(Pseudo) Doppler DF
Exploit Doppler shifting of radio waves caused by motion of an antenna
Measure the shift in detected signal
Determine direction of transmission

Recap: Doppler Effect

Aside: Siren Misconception
...the observed frequency increases as the object approaches an observer and then decreases only as the object passes the observer.
Higher sound pressure levels make for a small decrease in perceived pitch in low frequency sounds, and for a small increase in perceived pitch for high frequency sounds.

A Swan

Doppler Effect

Cosmological Redshift
Expansion of space, not motion of radiating object!

Frequency Modulation 101
Main transmission frequency (e.g. 105.7 MHz)
Analog or digital information to be transmitted
Frequency modulation changes the carrier's frequency
Moves the carrier slightly left/right of its original position on frequency plot

Physically Rotated Antenna
Joseph Moell, Transmitter Hunting: Radio Direction Finding Simplified, 1987 (McGraw-Hill)

Doppler Shift
Doppler shift of received signal used to calculate angle of transmitter
Easy with an FM radio!
Frequency Modulation: shifts the centre (carrier) frequency about based on the original modulating signal
Doppler shift just moves it around some more
FM receiver detects Doppler as an extra tone!
Extra tone: sine wave
http://silcom.com/~pelican2/PicoDopp/ABOUT_DOPP.html

Mechanical Rotation Rate
Doppler equation relates: Doppler shift, radius of antenna, angular velocity (rotation rate), frequency of signal
For a small antenna setup tuned to 2 m wavelength (~150 MHz), requires: 38600 RPM (~643 rot/sec)

Pseudo Doppler
Array of fixed antennas
Switch electronically between them
Simulate physical rotation

Electronically Rotated Antenna

Homemade RDF
Roanoke Doppler
Four antennas
Control box
Plug in any standard FM radio
LEDs indicate direction
Joseph Moell, Transmitter Hunting: Radio Direction Finding Simplified, 1987 (McGraw-Hill)

Block Diagram

Circuit Diagram

Mobile Roanoke

Time to go colour

Software Defined RDF
Do it in software!
Software Defined RDF
Antenna Array
Antenna Switch

FPGA Modification
Use USRP clock to control antenna array
Map sample counter's bits to unused GPIO

Modification Bonuses
Using FPGA clock ensures antenna switching is in lockstep with samples arriving at host
Same clock domain -> host side just works
Use host-generated sine wave as reference
FPGA's sample counter begins at zero for each stream start
Calibrate array orientation just once

Receiver

Processing & Display

Switching affecting spectrum

Signal Processing

Tricks
Only need to know:
1. Sample rate (FPGA clock / decimation)
2. Which bit of sample counter is MSB of switch
(64 MHz / 256) = 250 ksps
31st and 32nd bits used
250k / 32 = 7.8125 kHz tone
For Xlate decim 5 & 1024 FFT bins, tone sits in bin 7812.5 / ((250 ksps / 5) / 1024) = 160 exactly

Magic of SDR
FM (quadrature) demodulation: multiply current signal sample by complex conjugate of previous one and find the argument (angle)
for (int i = 0; i < noutput_items; i++) {
    // phase difference between this sample and the previous one (in[i-1] comes from the block's history)
    gr_complex product = in[i] * conj(in[i-1]);
    // the angle of that difference is the instantaneous frequency, scaled by the demod gain
    out[i] = d_gain * arg(product);
}

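The whole software-defined pseudo-Doppler chain of the preceding slides as an added worked example, not the talk's code: two bits of the sample counter select one of four antennas, the received baseband is FM-demodulated with the conjugate-multiply-and-argument operation above, the result is correlated against the host-generated reference at the switching rate (250k/32 = 7812.5 Hz, the slide's numbers), and a one-off calibration against a transmitter at a known bearing fixes the array orientation. The received signal is constructed (an FM carrier with residual offset and an audio tone, seen through the array); the array radius, which counter bits drive the switch, and the audio parameters are assumptions.

```python
import cmath
import math

# Numbers from the talk's "Tricks" slide: 64 MHz / 256 = 250 ksps at the host; the switch
# steps through four antennas from the sample counter, giving a 250k/32 = 7812.5 Hz tone.
FS = 250_000
N_ANT = 4
SAMPLES_PER_ANT = 8
SAMPLES_PER_ROT = N_ANT * SAMPLES_PER_ANT
TONE_HZ = FS / SAMPLES_PER_ROT
ARRAY_RADIUS_WL = 0.15   # array radius in wavelengths (assumed: about 0.3 m on the 2 m band)


def antenna_index(n):
    """Antenna selected at sample n: two bits of the sample counter drive the switch (which
    bits is an assumption; the talk maps counter bits to spare GPIO on the USRP FPGA)."""
    return (n >> 3) & (N_ANT - 1)


def simulate_rx(bearing_deg, n_rot=100, f_offset=1000.0, f_audio=800.0, audio_dev=2.0):
    """Constructed baseband seen through the switched array: an FM carrier (residual offset
    f_offset, audio tone f_audio) plus, per sample, the phase of a far-field wave arriving
    from bearing_deg at the currently selected antenna's position on the circle."""
    theta = math.radians(bearing_deg)
    out = []
    for n in range(n_rot * SAMPLES_PER_ROT):
        t = n / FS
        k = antenna_index(n)
        ant_phase = 2 * math.pi * ARRAY_RADIUS_WL * math.cos(theta - 2 * math.pi * k / N_ANT)
        fm_phase = 2 * math.pi * f_offset * t + audio_dev * math.sin(2 * math.pi * f_audio * t)
        out.append(cmath.exp(1j * (fm_phase + ant_phase)))
    return out


def quad_demod(iq, gain=1.0):
    """The slide's FM demodulator: angle of x[n] * conj(x[n-1])."""
    return [gain * cmath.phase(iq[n] * iq[n - 1].conjugate()) for n in range(1, len(iq))]


def tone_phase(audio):
    """Correlate the demodulated audio with the host-generated reference at the switching
    rate over whole rotations: the carrier offset and the audio average out, and the phase
    of what remains moves one-for-one with the bearing (plus a fixed array offset)."""
    m = (len(audio) // SAMPLES_PER_ROT) * SAMPLES_PER_ROT
    acc = sum(audio[n] * cmath.exp(-2j * math.pi * n / SAMPLES_PER_ROT) for n in range(m))
    return cmath.phase(acc)


def calibrate(known_bearing_deg=0.0):
    """One-off array-orientation calibration against a transmitter at a known bearing:
    the measured tone phase equals the negative bearing plus this constant."""
    measured = tone_phase(quad_demod(simulate_rx(known_bearing_deg)))
    return measured + math.radians(known_bearing_deg)


def estimate_bearing(iq, cal):
    """Bearing in degrees, 0..360, from a captured I/Q stream and the calibration constant."""
    return math.degrees(cal - tone_phase(quad_demod(iq))) % 360.0


def tone_bin(decim=5, nfft=1024):
    """The slide's sanity check: after decimating the 250 ksps stream by 5 and taking a
    1024-point FFT, the switching tone sits in bin 7812.5 / ((250k/5)/1024) = 160."""
    return TONE_HZ / ((FS / decim) / nfft)
```

Because the switch is driven from the same counter that numbers the samples, the reference the host generates is in lockstep with the data and the calibration constant survives across runs, which is exactly the "same clock domain, calibrate once" benefit the Modification Bonuses slide claims. Multipath, the complication the later slides describe, adds a second wavefront with its own phase and shows up here as a bearing that drifts with position.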
Doppler sine wave
Frequency plot (FFT) of FM demodulated signal

Doppler sine wave
Pure Doppler sine wave after filtering
Reference
Measured

Find a target

Telstra Tower on Council St

Known Transmitter

Start

Drive

Direction Measurement

Complications
Line Of Sight: beware of reflections; descending into valley
Reflections in urban areas: multiple wavefronts will confuse FM detector (Doppler)

Complications: Coogee

Line of sight

Listen: Multipath
Multiple reflections confusing FM detector
DC
Phase (range)
Strength
Inch forward until audio clears up

Done

Closer to (my new) home

Method 2: Superresolution algorithms
Simultaneously receive multiple streams
One stream per antenna -> antenna array
Apply a mathematical model:
Linear (far field) wavefront approaching antenna array
Model/calibrate for antenna response

MUSIC: MUltiple SIgnal Classification
Sample signal at each antenna (assuming sinusoids)
Maths (sample correlation matrix, eigenvector decomposition, orthogonal signal/noise subspaces)
Search through array response to find peak -> DOA

Wavefront impinging on antenna array

Find maximal array response

Advantages
Much higher resolution, assuming model is correct & system is calibrated
Detect & process multiple signals of interest simultaneously!
However... you need more (coherent) radios.

GNU Radio MUSIC DOA block

Calibration
Use shared Local Oscillator
Inject shared tone in each channel
Calculate per-channel phase differences w.r.t. reference channel
Apply corrections
Periodically recalibrate

Flowgraph

Police Checklist
Car's rego paper
Amateur Radio licence
Antenna structural redundancy
Dress code
Clean shaven
Hide Motorola XTS radios
Avoid turning around and trying to desperately disconnect antennas

Gedanken: TX

DO NOT TRY THIS AT WHEREVER!

Gedanken: Pagers
Don't like a doctor/nurse? Send them on many a wild goose chase
Is your arch nemesis in hospital? Tell them to remove the other ********
Need to distract security? Issue an automated alert

Gedanken: Mode S
Want to reach cruising altitude a little quicker? Put a plane heading towards you (at a slightly lower altitude)
Think the pilot made the wrong choice in deciding to land? Put a plane on the runway
Want to display a message on everyone's radar screen? Spell one using aircraft marker art

Gedanken: ACARS
Don't want to fly on a particular aircraft? Send a severe fault report
Was the flight a little bumpy? Send an engine performance report to RR with large vibration values
Need to message the cockpit privately? Address the message to cockpit printer #1

Gedanken: Satellite
Uplink power is generally kept at the minimum level to save money
Depends on the weather: clear sky: a few W; heavy rain: a few kW
Turn yours up to (theirs + 1)
A malfunctioning UPC system can interfere with other services and even damage a satellite Travelling Wave Tube Amplifier

Remember: be legal and be.

http://wiki.spench.net/wiki/RF
http://spench.net/

balint@spench.net

@spenchdotnet
