Play along with NSA: The RAFTER unintentional radio emissions how-to.


Revelations of the secret techniques and procedures of the intelligence services are not new. Long before Snowden, the written accounts of former spies brought to light the most secret surveillance means. These include Philip Agee (CIA) and Peter Wright (MI5). The latter is the more similar to Snowden, since before his counterintelligence work he built his career as an MI5 scientific officer attached to the Marconi Company.

Peter Wright is noted for writing the controversial book Spycatcher: The Candid Autobiography of a Senior Intelligence Officer. Spycatcher was part memoir, part exposé of what Wright claimed were serious institutional failings in MI5, and of his subsequent investigations into those.

According to Wright, he was either responsible for, or intimately involved in, the development at MI5/GCHQ of several advanced signals intelligence techniques that were later shared with their NSA counterparts, for example:

  • SATYR (MI5/CIA): forensic examination of The Thing, also known as the Great Seal bug, one of the first covert listening devices (or "bugs") to use passive retroreflector techniques to transmit an audio signal. It was concealed inside a gift given by the Soviets to the US Ambassador in Moscow. Wright's reverse engineering led to the development of a similar British system codenamed SATYR, used by the British, Americans, Canadians and Australians.

  • SPECIAL FACILITY (MI5): an electronic device deployed by MI5, installed in a telephone to enable it to transmit the sounds in the room whilst on-hook.


  • ENGULF (MI5): acoustic "TEMPEST" cryptanalysis—recording the sound of the settings of Egyptian Hagelin cipher machines allowed later decryption.


  • STOCKADE (MI5/GCHQ): analysis of compromising emanations from French cipher machine cables in 1960. Broadband radio detection on the cables picked up the original plaintext alongside the low-grade cipher sequence. Surprisingly, faint traces of the high-grade cipher could sometimes be read from the same cable, and comparing them with the signal fed into the cable gave a path to that cipher's plaintext as well. From 1960 to 1963 MI5 and GCHQ could read cipher traffic to and from the French Embassy in London.


  • RAFTER (MI5): remote detection of passive radio receivers. First used to prove beyond any doubt that the Russians were listening to the radio frequencies of the MI5 Watchers (officers of MI5's A Branch charged with visual surveillance and identification of persons presenting a security risk).


By using RAFTER Wright could also detect which broadcasts from Moscow to illegal agents in the field were being monitored. The programme eventually expanded into airborne operations, where receivers were detected from planes above London, giving the general area in which mobile ground detection could begin. This was done by flooding the vicinity with vans, which at best could pinpoint buildings or blocks.

Replicating the RAFTER technique today is practically child's play, as recently published by the rtl-sdr.com blog. Léo Poughon, a high school student, and his friend Thomas Daniel, with the help of an amateur radio operator near Toulouse (F6GUS), tried to do the same thing RAFTER did: listen to the unintentional electromagnetic emissions coming from a widely used consumer superhet receiver.

Unintentional radio emissions were also the subject of security researcher Melissa Elliott's talk "Noise Floor: Exploring the world of unintentional radio emissions" at the DEF CON security conference.

Any superheterodyne receiver (almost all consumer radios are of the superhet design, e.g. for listening to FM broadcast) leaks some unintentional radiation from its local oscillator and mixer. Anybody with a suitable receiver (for example any RTL-SDR based dongle) can receive these emissions. By design, in most FM radios the local oscillator (which is what the user actually tunes) runs at the frequency the listener wants to receive plus 10.7 MHz. So if somebody in the close neighbourhood is listening to a broadcast at 100 MHz, you will be able to "receive" their local oscillator at 110.7 MHz.

Léo also found that the LO frequency isn't stable: most of the time the frequency of the local oscillator "follows" what the superhet receiver demodulates. So by listening to the radio's local oscillator with GQRX and a $15 RTL-SDR dongle, demodulating it with "narrow FM" demodulation and suitable parameters, he could hear on the PC (obviously with poorer quality) what the radio receiver was tuned to.

In theory this technique can also be used against radio transceivers such as those used by police, EMS, taxis, etc., as the receiver part of these also often has an IF of 10.7 MHz, but better design and electronic shielding can make their unintentional emissions more difficult to detect.

With the RTL-SDR stock antenna Léo Poughon could hear a cheap radio a dozen meters away, but with a homemade, very low quality discone antenna he could receive one in another building, 60 meters away from the antenna. So using this technique you could (more or less, depending on the parameters cited above) know what a radio receiver in the neighbourhood was listening to, using only a cheap RTL-SDR receiver.
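As an added example (not from the original post nor from Léo's work), the Python below does the LO arithmetic described above in both directions: the LO frequency a radio runs at for a given station, and the stations a leaked LO seen in an SDR capture could correspond to. It assumes the 87.5-108 MHz FM band and the 10.7 MHz IF, and also handles low-side injection (LO = station minus IF), which the post does not mention.

```python
"""Map a superhet receiver's leaked local-oscillator (LO) frequency back to the
station it is tuned to, and vice versa (added example, not the blog's code)."""

FM_BAND_MHZ = (87.5, 108.0)  # assumption: FM broadcast band limits (Europe)
FM_IF_MHZ = 10.7             # intermediate frequency of most consumer FM sets


def lo_for_station(station_mhz, if_mhz=FM_IF_MHZ, high_side=True):
    """LO frequency a superhet runs at to receive `station_mhz`.
    Consumer FM sets almost always use high-side injection (LO = RF + IF),
    the case the post describes; low-side injection (LO = RF - IF) also exists."""
    return round(station_mhz + if_mhz if high_side else station_mhz - if_mhz, 3)


def stations_for_lo(lo_mhz, if_mhz=FM_IF_MHZ, band=FM_BAND_MHZ):
    """All stations a leaked LO at `lo_mhz` could belong to, as
    (station_mhz, injection) pairs whose station lies inside `band`.
    An emission that maps into the band under neither rule is not an FM LO."""
    low, high = band
    candidates = []
    for injection, station in (("high-side", lo_mhz - if_mhz),
                               ("low-side", lo_mhz + if_mhz)):
        if low <= station <= high:
            candidates.append((round(station, 3), injection))
    return candidates


def lo_candidates_in_capture(peaks_mhz, if_mhz=FM_IF_MHZ, band=FM_BAND_MHZ):
    """Keep only the peaks of an SDR sweep that are explainable as an FM
    receiver's LO and map each to its possible stations. Note that LOs of
    stations below (band_top - IF) fall inside the broadcast band itself, so a
    peak there may be a real station rather than a leaking LO."""
    result = {}
    for peak in peaks_mhz:
        candidates = stations_for_lo(peak, if_mhz, band)
        if candidates:
            result[peak] = candidates
    return result


if __name__ == "__main__":
    # constructed sample: peak frequencies an RTL-SDR sweep of 95-120 MHz might show
    peaks = [110.7, 118.6, 97.0, 99.5, 115.0]
    print(lo_for_station(100.0))  # the post's example: 110.7 MHz
    for lo_freq, cands in lo_candidates_in_capture(peaks).items():
        print(lo_freq, "MHz LO ->", cands)
```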

How to do analog scanning with the MD380 digital radio.

In the previous post on the cheap digital walkie-talkie Tytera/TYT/Retevis MD380 we managed to turn it into a DMR digital scanner using the jailbreak firmware.

In this post we will focus on analog scanning. Analog systems are still used by public safety in small cities and rural areas. The FRS/GMRS frequencies used by small companies, security, hotels, etc. are also analog. "Scan" lets your radio run through your preset memory channels, stopping on any channel that is active, so you do not have to wait on an empty frequency while the next channel is where all the action is.


The nice thing about the MD380 is that you can program all the frequencies using your PC, then set the top button as a scan button. When you press scan, it scans all the frequencies; if you press the button again it sits on your manually selected channel. YouTube user Radiosification recently created a scan programming guide on how to set up scanning and enable it on your radio. This guide should work for the Beihaidao, TYT and Retevis MD-380 clones.


I am using it right now as a fire department scanner. I create a zone, then create 11 receive-only channels and program the DPL tones for the channels. Add the channels to the zone and a scan group. The audio is punchy and very nice and clear. This is so much nicer than typical scanner audio.

P25 digital voice decoding with the GNU Radio OP25 project.

Just as TV went digital some years ago, the FCC wants public safety agencies to gradually migrate to digital radio systems as well. A great many cities, counties and states in the U.S. and Canada now use digital public safety radio systems. The most common digital protocol, or format, is called APCO Project 25 Digital Voice Modulation, often referred to simply as APCO-25 or P25. Digital protocols like APCO-25 may be used with either conventional or trunked radio systems. Before the RTL-SDR, ~$400 Uniden or RadioShack scanners were typically used to monitor P25 radio systems. Nowadays an inexpensive SDR (software defined radio) can be used to receive police, fire, federal and other digital radio transmissions.

Recently YouTube user Rob Fissel uploaded a video showing a comparison between a cheap RTL-SDR receiver using the GNU Radio APCO-25 software decoder (the OP25 project) and an old-school Uniden BCD996T.

While both setups can be used to decode P25 Phase 1 LSM signals, OP25 does a better job at decoding a weak signal and producing voice, whereas the Uniden BCD996T doesn't even manage to hear the control channel.

Cheap RTL-SDR dongles with software like DSD+ can also be used, but OP25 can decode more systems, show you low-level information, decrypt encrypted traffic when the key is known, and log traffic to disk for later analysis.

Even if there are no P25 signals around you, an SDR dongle can be used to receive analog signals from walkie-talkies used by businesses (MURS/GMRS) up to air traffic controllers.

ESA offering prizes for the first reports of CubeSat radio reception

Arianespace's Soyuz is scheduled to launch a multi-mission satellite payload. Designated Flight VS14 in Arianespace's launcher family numbering system, the medium-lift Soyuz carries a mixed payload of the Sentinel-1B C-band radar observation platform, a trio of "Fly Your Satellite!" technology demonstrator CubeSats, and the Microscope scientific satellite.

The three "Fly Your Satellite!" CubeSats are to be released in the mission's second deployment phase, with a perigee of 453 km and an apogee of 665 km. Fly Your Satellite! is an ESA initiative that offers European university students practical experience in the key phases of a challenging, real satellite project.

To celebrate the upcoming Fly Your Satellite! launch into low Earth orbit, ESA's Education Office is challenging radio amateurs to listen out for the tiny satellites. The first three radio amateurs to send a recorded signal from either AAUSAT4, E-st@r-II or OUFTI-1 will receive a prize from ESA's Education Office. UPDATE: On the night of 24 April Arianespace halted the Guiana Space Center launch countdown for Soyuz Flight VS14 due to an anomaly that occurred during the final chronology. A new launch date will be announced after the results of an initial analysis. At the time of writing, the ESA challenge page still says the 24th.

Even if you don't win a prize, you could earn a nice "QSL card" from the European Space Agency. A QSL card is a written confirmation of radio communication between two amateur radio stations, or of one-way reception of a signal from an AM radio, FM radio, television or shortwave broadcasting station. A typical QSL card is the same size and made from the same material as a typical postcard, and most are sent through the mail as such.

The Fly Your Satellite! CubeSats will transmit in the ham radio bands:

  • AAUSAT4: downlink frequency 437.425 MHz

  • E-st@r-II: downlink frequency 437.485 MHz

  • OUFTI-1: downlink frequency 145.980 MHz

Listening to satellites is now easy thanks to cheap SDR dongles. You could even receive digital satellite weather images from Russian satellites. It's pretty amazing that a $20 dongle, which is ordinarily limited to about 30-40 miles depending on your terrain, can hear a clear signal coming from a tiny satellite orbiting over a hundred miles overhead. Many of the satellites aren't much bigger than a milk bottle.

The trick is line of sight. With most radio signals you have to be able to "see" the transmitter (the exception is short-wave signals, which bounce off the ionosphere, and other over-the-horizon phenomena). But if the satellite is above you, you have a perfect line of sight, and even the cheap supplied antenna can catch the signal from the more powerful satellites. To know when a satellite will be above you, the N2YO website has real-time tracking of many different satellites.

In this video PY4ZBZ shows communications with the FO-29 amateur satellite using his RTL-SDR. Fuji-OSCAR-29 is an amateur radio satellite that allows voice communication via single sideband, with a voice downlink frequency of 435.8 MHz and an uplink frequency of 145.9 MHz. PY4ZBZ shows how the RTL-SDR was used as the satellite receiver, while a conventional FT857 radio with a 4-element VHF Yagi was used to transmit on the satellite uplink.

Ethernet-connected remote WiFi sniffing station with an ESP8266 module

There was a guy on reddit (/u/cnlohr) who recently built and documented a small remote WiFi sniffing station using a cheap ESP8266 module.

The ESP8266 is a low-cost WiFi chip with a full TCP/IP stack and microcontroller capability, produced by the Shanghai-based Chinese manufacturer Espressif Systems. The chip first came to the attention of Western makers in 2014 when Espressif released an SDK that allowed the chip itself to be programmed, removing the need for a separate microcontroller. The Arduino-compatible firmware for the ESP8266 makes accessing low-level WiFi functionality easy.

cnlohr's video shows that you can use ESPthernet to turn an ESP8266 into a remote Wireshark WiFi sniffing station: the ESP essentially runs as a monitor-mode WiFi adapter over Ethernet.

cnlohr has also developed the ESP8266 Ethernet driver. It uses only two pins on the ESP, the I2S pins, but does provide Ethernet, which will prove useful for further experimenting. So to get started, here is your shopping list:

SDR Radio Academy: reverse engineering a wireless car key fob.

Today DARC made the recordings of the last Software Defined Radio Academy (SDRA) available online.

Last year the Deutscher Amateur Radio Club (DARC e.V.) decided to host an SDR sub-conference alongside its annual main event, HAMRADIO. The Software Defined Radio Academy has the goals of attracting radio amateurs to modern radio technology and showing paths into SDR. Bastian Bloessl (DD1BBL) talked about reverse engineering wireless systems, using a wireless car key fob as an example. Bastian used open source tools like gqrx, Audacity and baudline along with an SDR receiver. Nowadays SDR receivers can be found for as low as $14 shipped. We have previously posted an introductory how-to on a DIY radio scanner with RTL-SDR.

Also be sure to check out the other videos from the Software Defined Radio Academy: Marcus Mueller's introduction to GNU Radio and the reverse engineering talk from the guys from CCC Munich, who found public transportation signals on a digital subcarrier of FM broadcast radio.

EMI shielding an RTL-SDR dongle.

One problem with the cheap RTL-SDR dongles is that they come in an unshielded plastic enclosure. This means that nearby strong interfering signals can pass through the enclosure and cause interference, making any filtering done at the antenna less effective. Recently MelihKarakelle wrote a blog entry about how he has been experimenting with a simple fix that involves shielding his RTL-SDR with adhesive copper tape. EMI shielding tape is very cheap, really useful for RF equipment, and solderable. He simply wraps the plastic enclosure with conductive copper tape, making sure that electrical contact is made between the copper shielding and the RTL's ground (e.g. making sure the USB and SMA ports make electrical contact with the copper tape).


After shielding the RTL-SDR, he tested the shielding's effectiveness by using the shielded dongle with no antenna connected to try to pick up interfering tones. The results clearly show that the shielded RTL does not pick up the interfering signals.

Review & teardown of a cheap GPS jammer

Generally, "jammers", which are also commonly called signal blockers, GPS jammers, cell phone jammers, WiFi jammers, etc., are radio frequency transmitters designed to block, jam or otherwise interfere with radio communications.

A jammer can block radio communications on devices that operate on given radio frequencies within its range (i.e. within a certain distance of the jammer) by emitting a noise-modulated radio carrier. A GPS jammer generates interference at 1575.42 MHz to prevent your GPS unit from receiving correct positioning signals. A GPS jammer is typically small, self-contained and battery-powered, and transmits over a small radius. Though illegal to use, these low-tech devices can be bought on the internet for as little as $25. Since they can block devices that record a vehicle's movements, they are popular with truck drivers who don't want an electronic spy in their cabs. They can also block GPS-based road tolls that are levied via an on-board receiver. GPS jamming technology will also disable the autopilot in drones, to protect individuals' privacy.

In the US, federal law prohibits the sale or use of a transmitter (e.g. a jammer) designed to block, jam or interfere with wireless communications. For this reason some jammer retailers now label jammers as "signal generator kits" so they slip through customs, and the purchaser is then solely responsible for ensuring that operation complies with the applicable laws. One of these "GPS signal generator kits" is the DealExtreme QH-1 Professional GPS Signal Generator Module. I've always wondered what's inside these jammers, given their cost, so I purchased one "signal generator module", put it under test with RF laboratory equipment, disassembled it and photographed it for all to enjoy.

The PCB is labelled NBC-Q101A\A101B\QH2. All components except the LEDs are surface mount, with a few integrated circuits used throughout the design. A pair of NE555 and NE556 timers generate a low-frequency noise signal that is fed to a Murata MQK301-1528 voltage-controlled oscillator (VCO). These Murata VCOs are normally used as the first LO in wireless local loop equipment and have a 1466.0-1590.0 MHz frequency range. The VCO output is then amplified by an unidentified RF transistor, a semiconductor device used to amplify radio waves.

You can compare this jammer design with the one previously published in the Phrack hacker magazine on how to make a low-cost GPS jammer. The Phrack design uses a different noise generator, made from a diode and an LM386 audio amplifier, and a PLL oscillator instead of a VCO.


We ran spectral tests on the QH-1 module, and this simple design surprisingly has almost no excessive spurious emissions or harmonics outside the GPS L1 signal it jams. So this jammer will not disable your cellphone or WiFi, only your GPS receiver.


After measuring the output power with lab equipment and considering the supplied quarter-wave antenna, the estimated range of this unit is 15-30 meters in the open. When GPS receivers are used in urban canyons with tall buildings, shadowing and multipath effects result in poor GPS signal reception, and the jammer's range can reach hundreds of meters at street level.
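As an added example (not the blog's own measurement code), this Python reproduces the spectral checks described above on a constructed analyzer sweep: it reports the in-band power at L1, the harmonic levels relative to the carrier, and any out-of-band spur, which is what decides whether a unit could also disturb cellular or WiFi bands. The -40 dBc spur limit, the 1 MHz analysis window and the sample bins are assumptions.

```python
"""Spectral checks of the kind the teardown describes, run on a constructed
analyzer sweep (added example, not the blog's measurement code)."""
import math

GPS_L1_MHZ = 1575.42   # the GPS L1 carrier the QH-1 module jams
WINDOW_MHZ = 1.0       # assumed analysis window around a carrier


def band_power_dbm(spectrum, center_mhz, half_width_mhz=WINDOW_MHZ):
    """Power sum (dBm) of all bins within center +/- half_width; -inf if none."""
    linear = [10 ** (p / 10) for f, p in spectrum if abs(f - center_mhz) <= half_width_mhz]
    return 10 * math.log10(sum(linear)) if linear else float("-inf")


def analyze_jammer_spectrum(spectrum, noise_floor_dbm=-100.0, spur_limit_dbc=-40.0):
    """Report L1 in-band power, 2nd/3rd harmonic levels relative to the carrier
    (dBc), and any out-of-band bin louder than carrier + spur_limit_dbc.
    spectrum: list of (frequency_MHz, power_dBm) bins from an analyzer sweep."""
    carrier = band_power_dbm(spectrum, GPS_L1_MHZ)
    harmonics = {n: round(band_power_dbm(spectrum, n * GPS_L1_MHZ) - carrier, 1)
                 for n in (2, 3)}
    spurs = sorted(f for f, p in spectrum
                   if abs(f - GPS_L1_MHZ) > WINDOW_MHZ and p > carrier + spur_limit_dbc)
    return {
        "l1_power_dbm": round(carrier, 2),
        "l1_jammed": carrier > noise_floor_dbm + 20,  # 20 dB over the floor: assumed threshold
        "harmonics_dbc": harmonics,
        "spurs_mhz": spurs,
        "clean": not spurs,  # "no excessive spurious emissions", as the teardown puts it
    }


def constructed_sweep(extra_bins=()):
    """A constructed sweep resembling the QH-1 result: flat -100 dBm floor, the
    carrier spread over a few bins at -25 dBm, and weak 2nd/3rd harmonics."""
    floor = [(f, -100.0) for f in (900.0, 1200.0, 1800.0, 1900.0, 2437.0, 2800.0, 5000.0)]
    carrier = [(f, -25.0) for f in (1574.5, 1575.0, 1575.42, 1575.9, 1576.3)]
    harmonics = [(2 * GPS_L1_MHZ, -75.0), (3 * GPS_L1_MHZ, -90.0)]
    return floor + carrier + harmonics + list(extra_bins)


if __name__ == "__main__":
    print(analyze_jammer_spectrum(constructed_sweep()))
    # a hypothetical leaky unit: a -50 dBm spur on WiFi channel 6 (2437 MHz)
    print(analyze_jammer_spectrum(constructed_sweep([(2437.0, -50.0)])))
```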

It must be noted again that the use of jammers is not only unethical but also illegal and potentially dangerous. In one case, a New Jersey driver used a powerful jamming device to disable the tracking device in his work truck. He was working on a job inside Newark Liberty International Airport when his jamming signal interrupted air traffic control. An FCC investigator was able to locate the jammer using radio monitoring equipment and prove that it was causing interference. The offending driver was fined.

Warwalking WiFi networks with an ESP8266 IoT module

The term wardriving generally covers the practice of discovering and mapping the wireless networks available in a particular area. Useful statistics are gathered from this activity, including statistics on the encryption used in the discovered networks. Wardriving does not include the unethical activity of unauthorised connection to WiFi networks (encrypted or unencrypted).

Warwalking, or warjogging, is similar to wardriving but is done on foot rather than from a moving vehicle. Today you could just use a wardriving app on your smartphone, but with inexpensive ESP8266-based modules you can make yourself a much smaller device that fits in the palm of your hand, thanks to Ray Burnette.

The ESP8266 is a low-cost WiFi chip with a full TCP/IP stack and microcontroller capability, produced by the Shanghai-based Chinese manufacturer Espressif Systems. The chip first came to the attention of Western makers in 2014 when Espressif released an SDK that allowed the chip itself to be programmed, removing the need for a separate microcontroller. The Arduino-compatible firmware for the ESP8266 makes accessing the WiFi functionality easy, along with controlling inexpensive OLED displays. The combination of the two plus a power supply rounds off the device, which scans for open networks and displays their SSIDs, for example:

Furthermore, Ray has also documented a basic framework for Arduino-compatible WiFi projects using the ESP8266, which will prove useful for further experimenting. So to get started, head over to the Warwalking project on hackster.io. And if you're interested in making your own version, here is your shopping list:

Ray took this project a step further and put it all into a small 2x AA plastic battery case that has a little switch. To make room for the ESP8266, he uses a single 3.3V LiFePO4 "AA" rechargeable cell, which leaves 50% of the interior space free.

Originally Ray's code "latched" onto the open access point and requested an IP address just to prove the WiFi was truly open; but various laws govern connecting anonymously to private WiFi networks, so the project was changed to simply identify their presence. Galvanizado!

Android EAS NOAA Weather Alert Decoder

The National Oceanic and Atmospheric Administration is responsible for broadcasting the signals used in weather radios. Transmitting from more than 1,000 antennas across the United States and its territories, each National Weather Service office operates its own radio station that sends out updated weather information on a constant loop, interrupting regular programming when it issues an urgent alert such as a severe weather watch or warning. NOAA Weather Radio broadcasts around 162 MHz can generally be heard within 50 miles of the nearest NOAA Weather Radio station/transmitter. The seven frequencies on which they operate are collectively known as the "weather band", and devices that pick up these frequencies are widely available at a pretty reasonable cost. When programmed properly, modern weather radios are able to sound a loud tone and play audio from the radio station in time for the computerized voice to read the alert out loud. This is accomplished through a neat technology called SAME, or Specific Area Message Encoding.

The number of weather apps available for smartphones grows by the day, but only a handful of them are worth your trust. Even if you have a smartphone app that you swear by for hazardous weather alerts, having a physical weather radio is a great idea. You can't always rely on smartphone apps to alert you promptly: a weak cell network or WiFi signal can mean a significant delay between the time the alert is issued and the time the app pushes it to your phone. Keith Conger recently published an Android app that lets you listen directly to weather radio and decode the SAME message packets.

The Weather Radio and EAS Alert Reader app (Play Store download) uses rtl_fm to demodulate FM from a supported rtl_sdr device and multimon-ng to decode EAS messages. This will only work in the United States and Canada.

Requires:

  • A supported rtl_sdr device, like this $12 RTL-SDR Dongle

  • Android device and OTG Cable

  • Root access

  • busybox installed

Current Features:

  • Listen to weather radio in the US/Canada.

  • Decode EAS Alerts US/Canada

  • Selectable Pre-defined Frequencies

  • Alert Notifications

  • Widget to display alerts

  • Option to unmute audio when an alert is received

  • FIPS and CLC Location Code Databases

  • Event Code Database

  • No internet connection required
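As an added example (not code from Keith Conger's app), the Python below parses the SAME headers that multimon-ng's EAS decoder prints, including the location codes an app matches against its FIPS database to decide whether an alert applies to you. The sample line and its "EAS: " prefix are constructed/assumed, the code tables are small subsets, and the year is an argument because SAME headers do not carry one.

```python
"""Parser for SAME/EAS headers as emitted by multimon-ng's EAS decoder
(added example; not code from the Weather Radio and EAS Alert Reader app)."""
import re
from datetime import datetime, timedelta, timezone

# Constructed sample line; the "EAS: " prefix is what multimon-ng is assumed to print.
SAMPLE_LINE = "EAS: ZCZC-WXR-RWT-020103-020209+0030-1051700-KGRR/NWS-"

# SAME header layout: ZCZC-ORG-EEE-PSSCCC[-PSSCCC...]+TTTT-JJJHHMM-LLLLLLLL-
HEADER_RE = re.compile(
    r"ZCZC-(?P<org>[A-Z]{3})-(?P<event>[A-Z]{3})"
    r"-(?P<locs>\d{6}(?:-\d{6})*)"
    r"\+(?P<purge>\d{4})-(?P<issued>\d{7})-(?P<sender>[A-Z0-9/ ]{8})-"
)

# Small subsets of the code tables; the app ships full event and FIPS databases.
ORIGINATORS = {"WXR": "National Weather Service", "CIV": "Civil authorities",
               "EAS": "Broadcast station or cable system", "PEP": "Primary Entry Point"}
EVENT_CODES = {"RWT": "Required Weekly Test", "RMT": "Required Monthly Test",
               "TOR": "Tornado Warning", "SVR": "Severe Thunderstorm Warning"}


def parse_location(code):
    """PSSCCC: P = county portion (0 = whole county), SS = state FIPS, CCC = county FIPS."""
    return {"portion": int(code[0]), "state": code[1:3], "county": code[3:6]}


def parse_same(line, year=2016):
    """Return a dict for a header line, {"end_of_message": True} for the NNNN
    end marker, or None for anything else. SAME carries no year, so it is an
    argument (assumed 2016 here, the year of this post)."""
    if "NNNN" in line:
        return {"end_of_message": True}
    m = HEADER_RE.search(line)
    if not m:
        return None
    issued, purge = m.group("issued"), m.group("purge")
    jday, hh, mm = int(issued[:3]), int(issued[3:5]), int(issued[5:])   # JJJHHMM, UTC
    start = datetime(year, 1, 1, tzinfo=timezone.utc) + timedelta(days=jday - 1, hours=hh, minutes=mm)
    expires = start + timedelta(hours=int(purge[:2]), minutes=int(purge[2:]))  # TTTT = HHMM
    return {
        "originator": m.group("org"),
        "originator_name": ORIGINATORS.get(m.group("org"), "unknown"),
        "event": m.group("event"),
        "event_name": EVENT_CODES.get(m.group("event"), "unknown"),
        "locations": [parse_location(c) for c in m.group("locs").split("-")],
        "issued": start,
        "expires": expires,
        "sender": m.group("sender").strip(),
    }


def affects(alert, state_fips, county_fips):
    """True if the alert lists the given county (any portion); this is the check
    that decides whether to raise the notification or unmute the audio."""
    return any(loc["state"] == state_fips and loc["county"] == county_fips
               for loc in alert.get("locations", []))


if __name__ == "__main__":
    alert = parse_same(SAMPLE_LINE)
    print(alert["event_name"], "from", alert["sender"], "valid until", alert["expires"].isoformat())
    print("affects state 20 / county 103:", affects(alert, "20", "103"))
```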