During the Hackaday Superconference held in November 2017, Samy Kamkar presented a talk on how he reverse engineers devices, in particular passive entry and start systems in vehicles. In the talk he also explains what tools he uses, which include SDRs like the HackRF One and RTL-SDR dongle, and the methodology that he follows when reverse engineering any new device. Samy is most famous for writing the Samy MySpace computer worm and also for popularizing the "RollJam" wireless car door vulnerability. The talk blurb reads:
In this talk Samy Kamkar shares the exciting details on researching closed systems & creating attack tools to (demonstrate) wirelessly unlocking and starting cars with low-cost tools, home made PCBs, RFID/RF/SDR & more. He describes how to investigate an unknown system, especially when dealing with chips with no public datasheets and undisclosed protocols. Learn how vehicles communicate with keyfobs (LF & UHF), and ultimately how a device would work that can automatically detect the makes/models of keyfobs nearby. Once the keyfobs have been detected, an attacker could choose a vehicle and the device can wirelessly unlock & start the ignition. Like Tinder, but for cars.
Over on his blog "Foo-Manroot" has created a post where he shows how he can control a wirelessly controlled power plug with his HackRF. These power plugs can be used to turn electrical devices on or off remotely, and their wireless protocol is often simple On-Off Keying (OOK) with little to no security.
Foo-Manroot first explains how to easily capture and replay a signal with the HackRF. If the signal is simple and has no security such as rolling codes, then a simple replay attack like this will allow the HackRF to control the device quite easily. In the next section he goes on to explain how to actually analyze and synthesize the packets yourself using Python and GNU Radio. Finally he also shows that a brute force attack can be applied once you know how to synthesize the signal. Brute forcing runs over every possible packet combination, and this can be pretty fast for simple protocols like those used in wireless remote controls. His post also includes all the GNU Radio files required, so it is easy for someone to replicate his work.
If you are interested in controlling simple OOK devices like a wireless powerplug with replay attacks then we have a tutorial for doing this with a simple RTL-SDR and Raspberry Pi running RpiTX which might be useful for those who don't have a HackRF.
HackRF Controlling the Wireless Power Outlet by Brute Forcing Packets
Michael Ossmann @michaelossmann (famous for creating the HackRF SDR and various other projects) and Schuyler St. Leger @DocProfSky (a very talented young man) will soon be presenting their "Pseudo-Doppler Redux" talk at the ShmooCon 2018 conference at 3:30pm EST. The talk is available for all to watch live on Livestream.
Michael Ossmann and Schuyler St. Leger demonstrate their new take on Pseudo-Doppler direction finding techniques, using SDR to enhance direction finding capabilities.
Schuyler's Poster on Pseudo Doppler from GNU Radio Con 17.
Last week we posted about Michael Ossmann and Schuyler St. Leger's talk on Pseudo-Doppler direction finding with the HackRF. The talk was streamed live from ShmooCon 18, but there doesn't seem to be a recorded version of the talk available as of yet. However, Hackaday have written up a decent summary of their talk.
In their direction finding experiments they use the 'Opera Cake' add-on board for the HackRF, which is essentially an antenna switcher board. It allows you to connect multiple antennas to it, and choose which antenna you want to listen to. By connecting several of the same type of antennas to the Opera Cake and spacing them out in a square, pseudo-doppler measurements can be taken by quickly switching between each antenna. During the presentation they were able to demonstrate their setup by finding the direction of the microphone used in the talk.
If/when the talk is released for viewing we will be sure to post it on the blog for those who are interested.
OperaCake running with four antennas
Schuyler's Poster on Pseudo Doppler from GNU Radio Con 17.
Judging from the blurb and released contents the book will be an excellent introduction to anyone interested in today's wireless security issues. They cover topics such as RFID, Bluetooth, ZigBee, GSM, LTE and GPS. In regards to SDRs, the book specifically covers SDRs like the RTL-SDR, HackRF, bladeRF and LimeSDR and their role in wireless security research. They also probably reference and show how to use those SDRs in the chapters about replay attacks, ADS-B security risks, and GSM security.
The book is yet to be released and is currently available for pre-order on Amazon or Springer for US$59.99. The expected release date is May 9, 2018, and copies will also be for sale at the HITB SECCONF 2018 conference during 9 - 13 April in Amsterdam.
The blurb and released contents are pasted below. See their promo page for the full contents list:
This book discusses the security issues in a wide range of wireless devices and systems, such as RFID, Bluetooth, ZigBee, GSM, LTE, and GPS. It collects the findings of recent research by the UnicornTeam at 360 Technology, and reviews the state-of-the-art literature on wireless security. The book also offers detailed case studies and theoretical treatments – specifically it lists numerous laboratory procedures, results, plots, commands and screenshots from real-world experiments. It is a valuable reference guide for practitioners and researchers who want to learn more about the advanced research findings and use the off-the-shelf tools to explore the wireless world.
Authors:
Qing YANG is the founder of UnicornTeam & the head of the Radio Security Research Department at 360 Technology. He has vast experience in information security area. He has presented at Black Hat, DEFCON, CanSecWest, HITB, Ruxcon, POC, XCon, China ISC etc.
Lin HUANG is a senior wireless security researcher and SDR technology expert at 360 Technology. Her interests include security issues in wireless communication, especially cellular network security. She was a speaker at Black Hat, DEFCON, and HITB security conferences. She is 360 Technology’s 3GPP SA3 delegate.
This book is a joint effort by the entire UnicornTeam, including Qiren GU, Jun LI, Haoqi SHAN, Yingtao ZENG, and Wanqiao ZHANG etc.
Over on his YouTube channel user Andy Clarke has uploaded a video where he demonstrates his HackRF being used as a wideband spectrum analyzer with the HackRF Spectrum Analyzer software. About a year ago the HackRF team released a new firmware update which enabled the HackRF to sweep through the frequency spectrum at a rate of up to 8 GHz per second. This allowed the HackRF to be used as a wideband spectrum analyzer which is able to display an arbitrarily large swath of spectrum. Shortly after the firmware update a spectrum analyzer program by 'pavsa' was released on GitHub.
In the video Andy demonstrates the HackRF being used to view the WiFi band and show a 2.4 GHz WiFi connection between a drone and its controller. He also shows it working with a handheld radio and the uplink of his mobile phone. Andy hopes to use the HackRF to avoid losing his drones due to interference.
The Noise Figure (NF) is an important metric for low noise amplifiers and SDRs. It's a measure of how much components in the signal chain degrade the SNR of a signal, so a low noise figure metric indicates a more sensitive receiver. The Noise Figure of a radio system is almost entirely determined by the very first amplifier in the signal chain (the one closest to the antenna), which is why it can be very beneficial to have a low NF LNA placed right at the antenna.
It’s a GNU Octave script called nf_from_stdio.m that accepts a sample stream from stdio. It assumes the signal contains a sine wave test tone from a calibrated signal generator, and noise from the receiver under test. By sampling the test tone it can establish the gain of the receiver, and by sampling the noise spectrum an estimate of the noise power.
As expected, Rowetel found that the overall noise figure was significantly reduced with the LNA in place, with the Airspy's measuring a noise figure of 1.7/2.2 dB, and the HackRF measuring at 3.4 dB. Without the LNA in place, the Airspy's had a noise figure of 7/7.9 dB, whilst the HackRF measured at 11.1 dB.
Some very interesting sources of noise figure degradation were discovered during Rowetel's tests. For example the Airspy measured a NF 1 dB worse when used on a different USB port, and using a USB extension cable with ferrites helped too. He also found that loose connectors could make the NF a few dB worse, and even the position of the SDR and other equipment on his desk had an effect.
The LA Times recently ran a story that discussed how vulnerable GPS is to malicious spoofing. This has been well known for a number of years now, with researchers having been successful at diverting an 80-million dollar yacht off its intended course 5 years ago. We've also seen GPS spoofing performed with low cost TX capable SDRs like the HackRF. For example we've seen researchers use GPS spoofing to cheat at "Pokemon Go", an augmented reality smartphone game, and to bypass drone no-fly restrictions.
The article in the LA Times also discusses how a group of researchers at Aerospace Corp. are testing GPS alternatives and/or augmentations that improve resilience against spoofing. The system being developed is called 'Sextant', and its basic idea is to use other sources of information to help in determining a location.
Other sources of information include signal sources like radio, TV and cell tower signals. It also includes taking data from other localization signals like LORAN (a long range HF based hyperbolic navigation system), and GPS augmentation satellites such as the Japanese QZSS, which is a system used to improve GPS operation in areas with dense tall buildings, such as in many of Japan's cities. More advanced Sextant algorithms will possibly also incorporate accelerometer/inertial data, and even a visual sensor that uses scenery to determine location.
Most likely a key component of Sextant will be the use of a software defined radio, and from the photos in the article the team appear to be testing Sextant with a simple HackRF SDR. While we're unsure of the commercial/military nature of the software, and although probably unlikely, hopefully in the future we'll see some open source software released which will allow anyone to test Sextant's localization features with a HackRF or similar SDR.
The PortaPack is a US$220 add-on for the HackRF software defined radio (HackRF + PortaPack + Accessory Amazon bundle) which allows you to go portable with the HackRF and a battery pack. It features a small touchscreen LCD and an iPod like control wheel that is used to control custom HackRF firmware which includes an audio receiver, several built in digital decoders and transmitters too. With the PortaPack no PC is required to receive or transmit with the HackRF.
Of course as you are fixed to custom firmware, it's not possible to run any software that has already been developed for Windows or Linux systems in the past. The official firmware created by the PortaPack developer Jared Boone has several decoders and transmitters built into it, but the third party 'Havoc' firmware by 'furrtek' is really what you'll want to use with it since it contains many more decoders and transmit options.
As of the time of this post the currently available decoders and transmit options can be seen in the screenshots below. The ones in green are almost fully implemented, the ones in yellow are working with some features missing, and the ones in grey are planned to be implemented in the future. Note that for the transmitter options, there are some there that could really land you in trouble with the law so be very careful to exercise caution and only transmit what you are legally allowed to.
Some screenshots from the HackRF Portapack Havoc Firmware
More Havoc firmware screenshots from the GitHub page.
Although the PortaPack was released several years ago we never did a review on it as the firmware was not developed very far beyond listening to audio and implementing a few transmitters. But over time the Havoc firmware, as well as the official firmware, have been developed further, opening up many new interesting applications for the PortaPack.
Doing a replay attack on a wireless keyfob using the PortaPack.
Testing the PortaPack with the Havoc Firmware
Capture and Replay
One of the best things about the PortaPack is that it makes capture and replay of wireless signals like those from ISM band remote controls extremely easy. To create a capture we just need to enter the "Capture" menu, set the frequency of the remote key, press the red 'R' Record button and then press the key on the remote. Then stop the recording to save it to the SD Card.
Now you can go into the Replay menu, select the file that you just recorded and hit play. The exact same signal will be transmitted over the air, effectively replacing your remote key.
We tested this using a simple remote alarm system and it worked flawlessly first time. The video below shows how easy the whole process is.
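As an added illustration (not code from the original posts or from the Havoc firmware), the Python sketch below models why the capture and replay described above, and in the earlier power plug post, works against fixed-code remotes and fails against a receiver that checks a rolling counter protected by a MAC. The packet layout, key, window size, the 12-bit/50 ms sizing figures and all class and function names are assumptions made for the example.

```python
import hashlib
import hmac
import struct

TAG_LEN = 4   # assumed truncated-MAC length for this sketch
WINDOW = 16   # assumed number of missed presses the receiver tolerates


class FixedCodeReceiver:
    """Models a simple OOK remote: every button press sends the same packet."""

    def __init__(self, code: bytes):
        self.code = code

    def accept(self, packet: bytes) -> bool:
        return hmac.compare_digest(packet, self.code)


def make_packet(key: bytes, counter: int) -> bytes:
    """Hypothetical rolling packet: 32-bit counter followed by a truncated HMAC."""
    ctr = struct.pack(">I", counter)
    tag = hmac.new(key, ctr, hashlib.sha256).digest()[:TAG_LEN]
    return ctr + tag


class RollingCodeFob:
    def __init__(self, key: bytes):
        self.key = key
        self.counter = 0

    def press(self) -> bytes:
        self.counter += 1
        return make_packet(self.key, self.counter)


class RollingCodeReceiver:
    def __init__(self, key: bytes, window: int = WINDOW):
        self.key = key
        self.window = window
        self.last = 0  # highest counter accepted so far

    def accept(self, packet: bytes) -> bool:
        if len(packet) != 4 + TAG_LEN:
            return False
        (counter,) = struct.unpack(">I", packet[:4])
        # Authenticate the packet first, then enforce freshness.
        if not hmac.compare_digest(packet, make_packet(self.key, counter)):
            return False
        if not (self.last < counter <= self.last + self.window):
            return False  # already used (replay) or too far ahead
        self.last = counter
        return True


def exhaustive_search_seconds(bits: int, seconds_per_packet: float) -> float:
    """Worst-case time to send every value of a `bits`-wide code field."""
    return (2 ** bits) * seconds_per_packet


def demo() -> dict:
    results = {}

    # Constructed fixed code; "recorded" stands for the capture saved to SD card.
    fixed = FixedCodeReceiver(bytes.fromhex("a5c3f0"))
    recorded = bytes.fromhex("a5c3f0")
    results["fixed_first"] = fixed.accept(recorded)
    results["fixed_replay"] = fixed.accept(recorded)  # same bytes work forever

    key = bytes(range(16))  # constructed demo key shared by fob and receiver
    fob, rx = RollingCodeFob(key), RollingCodeReceiver(key)
    first = fob.press()
    results["rolling_first"] = rx.accept(first)
    results["rolling_replay"] = rx.accept(first)  # counter no longer fresh

    for _ in range(3):
        fob.press()  # button pressed while out of range of the receiver
    results["rolling_after_missed"] = rx.accept(fob.press())

    # A fresh counter without the key: the tag check fails.
    forged = struct.pack(">I", 6) + b"\x00" * TAG_LEN
    results["rolling_forged"] = rx.accept(forged)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
    print("12-bit fixed code, 50 ms per packet:",
          exhaustive_search_seconds(12, 0.05), "seconds")
```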
PortaPack Microphone Transmitter
Microphone TX
Using the 3.5mm audio jack the Portapack can also be used as a standard Push to Talk or voice activated walkie talkie radio. With a microphone plugged into the audio jack simply hold down the right button to push to talk. If required you can also enable multiple CTCSS tone options, as well as tones that look like they enable transmission to wireless headphones.
PortaPack SSTV Transmitter
Other Transmitters
We also briefly tried transmitting with the SSTV feature and we were easily able to receive the transmitted image on a PC using an RTL-SDR and SSTV decoding software. Other ham modes available for transmitting include APRS and Morse code.
There is also a generic OOK transmitter which can be programmed with custom data. This mode might be useful for experimenting with simple keyfobs, or things like home automation switches.
What might be disturbing to some is that there are also numerous transmit modes implemented that are illegal in most countries and could get you into huge trouble. One obvious one is the signal jammer. To test the jammer we connected the PortaPack to a dummy load to prevent the signal from travelling more than a few centimeters away, and placed an RTL-SDR with antenna nearby. With that it was easy to see the jamming signal as shown in the image below.
Jamming with the PortaPack
There are also more niche troubling transmitters implemented such as the NTTworks burger pager transmitter, which presumably activates some of those small pagers that you receive at some restaurants to tell you when the food is ready. There is also a Keyfob transmitter which looks like it might possibly be able to lock and unlock certain models of older flawed Subaru vehicles. Then there's a BHT Xy/EP transmitter which we think might be able to turn on and off street lights in some European countries, and the implementation of TEDI/LCR which is possibly used for French electronic street signs. Also troubling is the implementation of an ADS-B and POCSAG transmitter.
If you are experimenting with the PortaPack and the aptly named 'Havoc' firmware be very careful not to activate these modes unless you have some legit purpose as they could indeed cause some serious trouble, possibly even landing you in jail.
Receivers
By connecting speakers to the Portapack's 3.5mm audio jack we were easily able to listen in on standard NFM and WFM audio signals. The displayed bandwidth is only as wide as the signals are, so it can be a bit hard to explore the frequency bands if you don't already know the frequencies, so we'd recommend having a frequency list handy first.
Receiving WFM and NFM audio with the PortaPack.
We also tested ADS-B reception with our ADS-B LNA. The bias tee on the HackRF can be easily enabled on the PortaPack by selecting the inductor and lightning symbol on the top right. With the bias tee enabled we were able to receive aircraft.
Conclusion
The PortaPack is a very handy partner to the HackRF. It allows you to experiment with, record, listen, decode and transmit RF signals out in the field, without the need for any computer. You do need to be responsible and careful with the device though, as there is the huge potential of getting in trouble with it if you start transmitting illegal things.
The biggest use that we see for the PortaPack is for testing capture and replay attacks, and perhaps for capturing IQ data out in the field, for later analysis back in the lab on a computer. But many of the receivers and transmitters implemented can be fun to play around with too.
Over on the Wireless LAN Professional Podcast Keith and Blake Krone discuss the HackRF, PortaPack and the Havoc firmware in episode 138. The HackRF is a US$299 transmit capable SDR which has been very popular in the past as it was one of the first affordable TX capable SDRs to hit the market. The PortaPack is a US$220 add on which allows you to go portable with the HackRF. And finally Havoc is a third party firmware for the HackRF+PortaPack which enables multiple RX and TX capable features.
Over on YouTube Tech Minds has uploaded a new video where he shows how he can use his HackRF SDR with the SDRAngel software to easily transmit voice to a local ham radio repeater. If you are unfamiliar with ham radio, a ham repeater is simply a radio station that receives voice or other signals on a certain ham radio frequency, and re-transmits the signal with stronger power on another frequency. This allows communications to be receivable over a much larger distance.
SDRAngel is a very nice piece of SDR software that has controls for TX capable SDR's like the HackRF. In the video Tech Minds shows the HackRF being used as a transmitter, with it transmitting to a repeater at 145.137 MHz. An RTL-SDR is then used to listen to the repeater output at 145.737 MHz. With this set up he is able to contact a friend via the repeater easily.
It doesn't appear that Tech Minds is using any sort of external amplifier, so this shows that the HackRF is powerful enough to hit local repeaters just by itself.
A linear transponder is essentially a repeater that works on a range of frequencies instead of a fixed frequency. For example, a normal repeater may receive at 145 MHz, and repeat the signal at 435 MHz. However, a linear transponder would receive a wider bandwidth, and add a set frequency offset to the received signal. For example a signal received by a linear transponder that receives from 145 - 145.5 MHz, may receive a signal at 145.2 MHz and it would translate that up to 435.2 MHz. Another signal received at 145.4 MHz would translate up to 435.4 MHz. Hence the received frequency linearly translates to the transmitted frequency.
Over on YouTube The Thought Emporium channel has been working on creating a "WiFi Camera" over the past few weeks. The idea is to essentially create a small radio telescope that can "see" WiFi signals, by generating a heatmap of WiFi signal strength. This is done with a directional helical 2.4 GHz antenna and motorized rotator that incrementally steps the antenna through various angles. After each movement step a HackRF and Python script is used to measure WiFi signal strength for a brief moment, and then the rotator moves onto the next angle. The helical antenna and rotator that they created are made out of PVC pipe plastic and wood, and are designed to be built by anyone with basic workshop tools like a bandsaw.
The final results show that they've been able to successfully generate heatmaps that can be overlaid on top of a photo. The areas that show higher signal strength correlate with areas on the photo where WiFi routers are placed, so the results appear to be accurate. In the future they hope to expand this idea and create a skyward pointing radio telescope for generating images of the galactic hydrogen line, and of satellites.
The Thought Emporium's WiFi Heatmap Building Scan Results
The videos are split into three parts. The first two videos show the build process of the antennas and rotator, whilst the third video shows the final results.
DIY Radio Telescope Version 2: Wifi vision - Part 1
DIY Radio Telescope V2: Wifi Vision - Part 2
Building a Camera That Can See Wifi | Radio Telescope V2 - Part 3 SUCCESS!
Recently we've found that there are now cloned units of SDRplay RSP1 and Airspy R2 units appearing on Aliexpress and eBay. (We won't link them here to avoid improving the Google ranking of the clone listings). This post is just a warning and reminder that these are not official products of SDRplay or Airspy, and as such you would not receive any support if something went wrong with them. The performance and long term software support of the clones also isn't known. Buying clones also damages the original developers' abilities to bring out exciting new products like we've seen so far constantly with Airspy and SDRplay.
SDRplay
We've been in contact with SDRplay for a statement and they believe that the unit is a clone of the older and now discontinued RSP1, and not the RSP1A, despite the listings advertising RSP1A features such as additional filtering. SDRplay note from the pictures of the circuit board that the cloned unit's circuit board looks like an RSP1, and that the listing description is probably just blindly copied directly from the official RSP1A description.
Currently given that the price of the cloned RSP1 is $139, which is higher than the $109 cost of an original and newer model RSP1A, we don't see many taking up the offer.
Airspy
The Airspy R2 has also recently been cloned and now appears on Aliexpress with the lowest price being US$139 without any metal enclosure. Given that the price of an original Airspy R2 with metal enclosure is US$169, we again don't see many taking up the offer of the clone with such a small price difference.
HackRF
The HackRF is a different story in respect to clones. The HackRF design and circuits are open source, so unlike the closed source designs of the SDRplay and Airspy, in a way HackRF clones are actually encouraged and are legal. For some time now it's been possible to find cloned HackRF's on Aliexpress for only US$120 at the lowest, and from $150 - $200 including antennas and TCXO upgrades. This is quite a saving on the $299+ cost of the original HackRF. Reports from buyers indicate that the HackRF clones are actually decent and work well. The advantage of buying the original version is that you support Michael Ossmann, the creator of the HackRF, and may potentially get a better performing unit.
We've also seen clones of the HackRF Portapack on Aliexpress, which is an add-on for the HackRF that allows you to go portable. The clones go for $139 vs $220 for the original. No word yet on the quality.
RTL-SDR V3
We also note that recently there have been several green color RTL-SDRs released on the market with some being advertised as "RTL-SDR Blog V3" units. These are not our units, and are not even actual clones of the V3. These green units appear to just be standard RTL-SDRs without any real improvements apart from a TCXO. Some listings even advertise the V3's bias tee and HF features, but they are not implemented. Real V3 units come in a silver enclosure branded with RTL-SDR.COM.
Final Words
If you know how China works, you'll understand that it's highly unlikely that there is any legal recourse for SDRplay and Airspy to remove these products from sale. Once a product is popular it is almost a given that it will be cloned. It's possible that the clones might be able to be gimped via blacklisting official software, but that the companies would implement this is a stretch, and would probably be easy to get around. In the end while not ethical in a business fairness sense, these clones may be good for the consumer as they force the original designers to lower their prices and improve added value services.
If readers are interested in a comparison between the clones and original units, please let us know as we may consider an article on it.
Researchers at Virginia Tech, the University of Electronic Science and Technology of China and Microsoft recently released a paper discussing how they were able to perform a GPS spoofing attack that was able to divert drivers to a wrong destination (pdf) without being noticed. The hardware they used to perform the attack was low cost and made from off the shelf hardware. It consisted of a Raspberry Pi 3, HackRF SDR, small whip antenna and a mobile battery pack, together forming a total cost of only $225. The HackRF is a transmit capable SDR.
The idea is to use the HackRF to create a fake GPS signal that causes Google Maps running on an Android phone to believe that its current location is different. They use a clever algorithm that ensures that the spoofed GPS location remains consistent with the actual physical road networks, to avoid the driver noticing that anything is wrong.
The attack is limited in that it relies on the driver paying attention only to the turn by turn directions, and not looking closely at the map, or having knowledge of the roads already. For example, spoofing to a nearby location on another road can make the GPS give the wrong 'left/right' audio direction. However, in their real world tests they were able to show that 95% of test subjects followed the spoofed navigation to an incorrect destination.
In past posts we've seen the HackRF and other transmit capable SDRs used to spoof GPS in other situations too. For example some players of the once popular Pokemon Go augmented reality game were cheating by using a HackRF to spoof GPS. Others have used GPS spoofing to bypass drone no-fly restrictions, and divert a superyacht. It is also believed that the Iranian government used GPS spoofing to safely divert and capture an American stealth drone back in 2011.
Recently Ars Technica ran a story about how during this August's Black Hat security conference, researchers Billy Rios and Jonathan Butts revealed that a HackRF software defined radio could be used to withhold a scheduled dose of insulin from a Medtronic Insulin Pump. An insulin pump is a device that attaches to the body of a diabetic person and delivers short bursts of insulin throughout the day. The Medtronic Insulin Pump has a wireless remote control function that can be exploited with the HackRF. About the exploit MiniMed wrote in response:
In May 2018, an external security researcher notified Medtronic of a potential security vulnerability with the MiniMed™ Paradigm™ family of insulin pumps and corresponding remote controller. We assessed the vulnerability and today issued an advisory, which was reviewed and approved by the FDA, ICS-CERT and Whitescope.
This vulnerability impacts only the subset of users who use a remote controller to deliver the Easy Bolus™ to their insulin pump. In the advisory, as well as through notifications to healthcare professionals and patients, we communicate some precautions that users of the remote controller can take to minimize risk and protect the security of their pump.
As part of our commitment to customer safety and device security, Medtronic is working closely with industry regulators and researchers to anticipate and respond to potential risks. In addition to our ongoing work with the security community, Medtronic has already taken several concrete actions to enhance device security and will continue to make significant investments to improve device security protection.
In addition to this wireless hack they also revealed issues with Medtronic's pacemaker, where they found that they could hack it via compromised programming hardware, and cause it to deliver incorrect shock treatments.
Earlier in the year we also posted about how an RTL-SDR could be used to sniff RF data packets from a Minimed Insulin pump using the rtlmm software, and back in 2016 we posted how data could be sniffed from an implanted defibrillator.
Thanks to Tony C who wrote in and wanted to share a method that he's found to listen to multiple DMR digital voice channels in Linux. DSD+ is a Windows program that can be used to decode DMR. Although it is made for Windows, it is possible to use it in Linux via the emulator known as Wine, and pipe the digital audio to it from GQRX. In the quote below, DSD+ "FL" is short for "Fast Lane" which is DSD+'s paid beta service that you can join to get newer code with more features. Tony writes:
I believe that can bridge the gap between using Linux with the ease of use programs of Windows. As I am sure we both can attest that setting up trunk tracking / anything SDR is not as easy on Linux as it is on Windows. For example, DSDplus FL makes it extremely easy to identify/decode DMR networks. There are similar things that can be done on Linux, but as I stated, it isn’t as easy to set up.
So the method that I set up and have been using successfully, using Ubuntu and a HackRF, setting up DSDplus 2.98 on Wine, that gets audio piped from GQRX using a virtual sink as outlined in https://www.hagensieker.com/wordpress/2018/04/29/dsd-in-ubuntu-18-04/. It was a great blog, but I felt that it was incomplete when trying to get all the voice traffic passed on a network, as it only works on 1 channel at a time.
So I found the control channel for the network and created 5 bookmarks in GQRX and gave them the tag “DMR”. From there I downloaded gqrx scanner https://github.com/neural75/gqrx-scanner and followed the install and setup instructions. From there I activated the scanner and GQRX will cycle through the frequencies and when voice traffic is passed, it will stop, and DSDPLUS via Wine will decode and record the audio.
[The screenshot] example was for P25, but it has worked in connect+ as well, the only thing is that you cannot bookmark the control channel. I know other options exist out there such as SDRtrunk / op25 which I have used, but I believe this provides a good alternative to those who have used Windows and are comfortable with the ease of use of dsdplus FL but want to be on the Linux OS.
Netxing's idea was to use an FM transmitter connected to a computer to transmit known magnetic stripe card data via FM to the Portapack. The Portapack then receives and outputs this as FM audio to an electromagnet connected to the audio out jack, allowing it to activate the magnetic card reader.
Using this method it could be possible to make a payment by transmitting card data remotely over an FM signal. We're not sure why you'd want to do this, but it is an interesting experiment regardless.
Airspy is currently running a 15% Black Friday sale over on the manufacturer's website iead.cc, and on their US distributor airspy.us. The coupon code is BF2018.
This results in an Airspy Mini costing only $84.15, an Airspy HF+ costing $169.15, an Airspy R2 costing $143.65 and a SpyVerter costing $41.65. This is the cheapest we've seen these products to date.
Over on Ham Radio Outlet, the RSP2 is currently reduced by $20, taking it down to a price of only $149.95. The RSP2 Pro is also reduced down to $192.95. Other SDRplay products, and products on their website appear to be not discounted.
HackRF
Over on SparkFun the original HackRF is 20% off, resulting in a price of only $239.96. It's still double the price of an Aliexpress clone, but it is an original unit. In the UK ML&S are also selling it for 15% off at £219.95. This is the cheapest price we've seen an original HackRF sold for.
Elad FDM S2
At the higher end of the SDR spectrum, we see that the Elad FDM-S2 is currently reduced by $51, resulting in a sale price of $529.
Most of these sales are expected to run until Monday, or until stocks run out.
Have you found any other great SDR deals? Let us know in the comments.
Over on YouTube SignalsEverywhere (aka Corrosive) has uploaded a new video where he shows a demonstration of him listening in to a DECT digital cordless phone with his HackRF.
DECT is an acronym for 'Digital Enhanced Cordless Telecommunications', and is the wireless standard used by modern digital cordless phones as well as some digital baby monitors. In most countries DECT communications take place at 1880 - 1900 MHz, and in the USA at 1920 - 1930 MHz. Some modern cordless phones now use encryption on their DECT signal, but many older models do not, and most baby monitors do not either. However, DECT encryption is known to be weak, and can be broken with some effort.
In his video Corrosive uses gr-dect2, a GNU Radio based program that can decode unencrypted DECT signals. In the video he shows it decoding a DECT call from his cordless phone in real time.
Demonstration Listening to DECT Phone Call with a HackRF SDR