Hello, I'm Nick, Exploiting Leamer. I've been doing IT for a long time. I've been coming to DEFCON for a long time. It's awesome to see, so this is going to sound weird. It's awesome to see people that were born when I first came to DEFCON, that are coming to DEFCON now. And I feel old. Playing with electronics and stuff forever, playing with SDR for a while. I've been a ham for about 20 years. So I like radios. I like listening to stuff and monitoring and seeing what fun I can hear.

So how many radios do we have on aircraft? A lot. We've got various systems for communication, telemetry systems, either just one-way or two-way ping response, navigation, all kinds of stuff, and then, of course, on commercial aircraft, much in the way of passenger entertainment.

So let's start with the easy ones, voice communication. Aircraft always need to talk to air traffic control, ground traffic, each other. So there is VHF, which is typically used kind of close in; depending on the altitude of the aircraft, you can have about 100 miles or so of range, plus or minus, et cetera. And hang on. There we go. Spacebar wasn't working. The VHF voice comms are all AM, which is just amplitude modulation. It's very simple, has a carrier and two side lobes. The nifty thing about AM is, from the control tower's perspective, whoever is the closer aircraft is going to be louder. Actually, it will receive as louder in their receivers because the amplitude of that signal is going to be higher than anything else that's far away. If you have aircraft talking over each other, you can actually hear that there is doubling going on, instead of with FM, where your receiver will capture a closer signal that is within a certain number of dB. I can't remember off the top of my head. Anyway, with AM, you'll hear this fun squealing sound, which is the phase difference between the carriers of the two transmitters. But you can also hear the voices mixing somewhat.
And that's going to be at 118 to 137 megahertz. AM being entirely analog, no encryption, no integrity checks, no authentication, et cetera, which you will see as a theme throughout this talk. And it's approach, departure, en route, et cetera. Oh, yes, there are also the automated weather reports from the ground, so pilots can tune in and hear what's going on nearby.

There is also HF for trans-oceanic flights, that uses single sideband, which suppresses the carrier and one of the side lobes. It's more energy efficient, and that actually gives you an easier time hearing pilots talking over each other, because you don't have that carrier phase interaction. So that's 2.8 to 25 megahertz or so. That also has weather reports. There we go, I thought I had another thing. Weather reports, air traffic, et cetera. The fun thing about HF is it is entirely dependent on solar weather, so if there are any sunspots, solar flares, et cetera, where we are in the solar cycle, and the time of day and the frequency you're using, where the transmit and receive stations are, because at different times of day the ionosphere will be doing different things, and different signals will bounce off it in different ways. So it's not nearly as predictable and predictable. I'll stick with that. I'm sorry, I am super out of it. So bear with me. So that's pretty much it for voice.

Let's go on to data, where there is even more fun stuff. There's the VHF data link, which, again, is just on those same VHF channels. There we go, that's what I was looking for. Eight-state differential phase shift keying modulation. It carries ACARS, which we'll get to shortly. There is also the HF data link, which is on the same frequencies as the HF voice communications. Much lower bit rate, maxes out at 1,800 bits per second. Where's the VHF data link? I think it was 30 or so kilobits per second. This uses a variety of phase shift modulations, either two-, four-, or eight-way. Also carries ACARS.
And then as for ACARS, it is the Aircraft Communications Addressing and Reporting System. It has telemetry status of various systems in the aircraft. Sometimes it'll carry position information. Also communications between ground controllers and the aircraft and ground controllers. I should be eating space more often. CPDLC is the Controller Pilot Data Link Communications. It's basically cockpit-to-ground SMS used in commercial aircraft. They'll use it to get route clearances and such through their controllers and check in and do some various messaging en route. I'm saying, hey, I'd like to descend to flight level whatever, can I do that? Cool, yay.

For position telemetry, sorry, we have a variety of systems. So the Mode S transponder is the kind of predecessor to ADS-B. It's in use by the secondary surveillance radar systems. So air traffic control, think of those big spinning radar dishes. For the most part, all those are doing is sending out a 1 gigahertz ping, and then they get back a slightly higher 1 gigahertz response at 1090 megahertz. And that includes the aircraft transponder ID, squawk code, and altitude. It's a pretty limited subset of data. And then just through the spinning radar dish sending out that ping, it says, OK, the dish was pointing in this direction, it took this long for the response to come back, so I know that the aircraft is on that heading, and I know it's that far away because I can calculate based on the speed of light.

Then ADS-B is the one that everyone's having fun with these days. It's a pulse position modulation signal and carries a lot more stuff: the transponder ID, squawk code, flight or tail number, altitude, speed, heading, location, climb rate, altitude. So that's essentially just the aircraft transmitting constantly: this is where I am, this is what I'm doing, et cetera, et cetera. ADS-B is automated dependent surveillance broadcast. So it's constantly broadcasting. It's automated. It's doing it whenever once.
And it is a dependent surveillance system. So air traffic control depends on the aircraft actually sending this, which is the dependent part. Whereas the Mode S transponder is, I guess, a semi-independent system. And then primary surveillance or primary radar systems are really just: I send out a ping, I get a response, I see there's something there, something on that heading. And that's all I know.

Renderman is doing some ADS-B receiver workshops, or was, I don't know what the schedule is for that. If you had a chance to go to that, if they've happened, or if they haven't happened, see if you can get a chance to go to those, build your own ADS-B receiver, see what's in the air. It's pretty cool. Renderman also has a bunch of talks on ADS-B and the terribleness within. Again, unencrypted, unauthenticated. That one is super easy to just throw anything into the air and make stuff appear on people's screens. So it's not so great.

There is also the Universal Access Transceiver, which is a 978 megahertz system that is in the US only. It's utilized for general aviation craft that fly under 18,000 feet. So commercial aircraft, even though they, if they're in that zero to 18,000 foot window, they fly above 18,000 feet eventually, so they stick to ADS-B. The reason this is set up is just because of the sheer amount of general aviation traffic in the US. And ADS-B doesn't have any sort of carrier sense, so they are just constantly squawking and easily talk over each other in crowded areas. So as an incentive to get general aviation pilots to spend a bunch of money on these systems, the FAA said, okay, let's put some nifty stuff in here. So in addition to the transponder sending their telemetry data out, they can also receive from ground stations weather, NOTAMs, TFRs, other en route data.
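The Mode S / ADS-B frames the talk describes can be picked apart with a few lines of code, and doing so makes the "unauthenticated" point concrete: the only integrity mechanism in a 1090 MHz extended squitter is a 24-bit CRC, which catches channel noise and nothing else. The following is an added example, not code from the talk or from Renderman's workshops. It parses one 112-bit DF17 frame (the sample hex is a widely published real-world capture: ICAO 4840D6, callsign KLM1023); the helper names, the bit-flip noise simulation and the field layout comments are this example's own.

```python
# Added example (not part of the talk): parse one 112-bit Mode S Extended Squitter
# (ADS-B, downlink format 17) as received on 1090 MHz and run its 24-bit parity check.
# The sample frame below is a widely published real-world capture (ICAO 4840D6, callsign
# KLM1023); the helper names and the bit-flip test are constructed for this example.
from typing import Any, Dict

MODES_GENERATOR = 0x1FFF409  # 25-bit Mode S parity polynomial (ICAO Annex 10), MSB first

# 6-bit character set used in aircraft identification messages (type codes 1-4)
CALLSIGN_CHARS = (
    "#ABCDEFGHIJKLMNOPQRSTUVWXYZ" + "#" * 5 + " " + "#" * 15 + "0123456789" + "#" * 6
)


def hex_to_bits(msg_hex: str) -> str:
    """Hex string -> bit string, keeping leading zeros."""
    return bin(int(msg_hex, 16))[2:].zfill(len(msg_hex) * 4)


def modes_remainder(msg_hex: str) -> int:
    """Long-divide the whole frame (data + parity) by the Mode S generator.
    A clean DF17 frame leaves a zero remainder."""
    reg = 0
    for bit in hex_to_bits(msg_hex):
        reg = (reg << 1) | int(bit)
        if reg & 0x1000000:          # a 1 shifted into bit 24: subtract the generator
            reg ^= MODES_GENERATOR
    return reg


def decode_callsign(me_bits: str) -> str:
    """Eight 6-bit characters follow the 8-bit TC/category field of the ME block."""
    chars = [CALLSIGN_CHARS[int(me_bits[8 + 6 * i: 14 + 6 * i], 2)] for i in range(8)]
    return "".join(chars).strip()


def parse_extended_squitter(msg_hex: str) -> Dict[str, Any]:
    """Split a DF17 frame into its fields and report whether parity checks out."""
    bits = hex_to_bits(msg_hex)
    if len(bits) != 112:
        raise ValueError("expected a 112-bit extended squitter")
    me = bits[32:88]                 # 56-bit message (ME) field
    frame: Dict[str, Any] = {
        "df": int(bits[0:5], 2),     # downlink format, 17 for ADS-B
        "ca": int(bits[5:8], 2),     # transponder capability
        "icao": f"{int(bits[8:32], 2):06X}",
        "tc": int(me[0:5], 2),       # type code of the ME payload
        "parity_ok": modes_remainder(msg_hex) == 0,
    }
    if frame["df"] == 17 and 1 <= frame["tc"] <= 4:
        frame["callsign"] = decode_callsign(me)
    return frame


def flip_bit(msg_hex: str, bit_index: int) -> str:
    """Simulate one bit of RF noise: toggle bit `bit_index` (0 = first transmitted bit)."""
    nbits = len(msg_hex) * 4
    value = int(msg_hex, 16) ^ (1 << (nbits - 1 - bit_index))
    return f"{value:0{len(msg_hex)}X}"


SAMPLE = "8D4840D6202CC371C32CE0576098"   # published capture, see lead-in

if __name__ == "__main__":
    clean = parse_extended_squitter(SAMPLE)
    noisy = parse_extended_squitter(flip_bit(SAMPLE, 40))
    print("clean:", clean)   # parity_ok True, callsign KLM1023
    print("noisy:", noisy)   # parity_ok False: the CRC catches channel noise
```

The remainder check is what a receiver like the ones built in the workshops uses to discard corrupted frames. Note what it does not do: a frame that was assembled correctly by any transmitter passes the same check, because nothing in the format binds the content to the aircraft it claims to come from. That is why, on the receiving side, cross-checking broadcast positions against an independent source such as the primary radar the talk describes is the meaningful defence.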
And there's also a system that will, once a ground station receives a UAT packet from something in the area, start retransmitting ADS-B stuff that it receives that is in the vicinity of that aircraft. So it gets the benefit of seeing all of the ADS-B stuff, even though it's not on that frequency. And then also SiriusXM, really. They have an aircraft service that also gives pilots NOTAMs and TFRs, et cetera, weather data. Their selling point, according to their website, is that it's higher resolution stuff and you get it more frequently. I haven't looked to confirm that, but I don't know how much is just marketing BS or not. So, but you also get music from their 180 channels of, you know, whatever.

And then there's also data communications and telemetry systems. Inmarsat is one that is commonly seen in the news after the Malaysia Air flight disappearance. So the Aero service carries, I'll get there, carries ACARS data, and it's actually pretty easy to receive the ground station to aircraft transmissions. You just need a tiny patch antenna for about 1.6 gigahertz, circular polarized, an amplifier will help, and then an SDR will let you pull that down. To get the other direction, which is aircraft to ground, you need an eight-foot or so dish to receive C-band transmissions. So it goes one way and then the other, and that translation happens in the satellite itself. So that one is the more interesting one if you want to see aircraft location data off of the satellite. There's also, within that signal, there's ADS-C, which is sort of a pub/sub model. The ground station will send up a signal and say, hey, I would like this data from you, and then the aircraft will say, okay, here, I'll send it to you now, and start beaconing it, and that will include a variety of different things, not just location. It will also have, you can subscribe to other aircraft telemetry systems and get a bunch of data, engine state, whatever. There's also digital voice.
That one will make use of the AMBE codec or LPC, which are just digital voice codecs, easy to find decoders for those. And then there's also Swift 64, which is, this one's fun, it's actually ISDN. So, for the old telecom people, yay.

Navigation, satellites: GPS, GLONASS, BeiDou, Galileo, et cetera. This is magical relativistic atomic space clock pixie dust. This works by every satellite carrying an atomic clock that is corrected for general relativistic differences, where the higher you get from the Earth, the faster your clock runs. You can do some fun experiments. If you have a couple of nice caesium time sources, you can set one down on the ground and then go up to like a 5,000 foot mountaintop and then come back down, and the one that was on the mountaintop will be a little bit faster. You know, great, great outing for the kids. Anyway, so the satellites have that corrected signal, they send out just the time beacon basically, and your receiver gets that. It sees the difference in time on each of the received signals. It has its own internal almanac that is transmitted by the satellites that tells it where the satellites are at any given time in the sky. And so from that, it can calculate, okay, satellites are supposed to be here, I'm getting a time of this and this and this and this, I must be here. And yeah, that's how that fun magic pixie dust works.

One that is, yeah, anyway, VOR, VHF omnidirectional ranging, is a beacon system, 108 to 118 megahertz, encodes the station ID, other data. And there are two systems. There's the conventional VOR, which has a single or one omnidirectional carrier signal and then a secondary signal that's transmitted from a phased-array antenna, and it has a phase delay of its signal in relation to the carrier signal that changes across the entire rotation of that antenna.
So if you are, so if you get the main signal and then the secondary signal is 90 degrees out of phase with the first one, that means you're on a bearing of 90 degrees from that beacon. At 270 degrees out of phase, you're 270 degrees from that beacon. And that's, yeah, that just tells you basically where you are in relation to the beacon, where zero degrees is gonna be north. And then there's also the Doppler VOR, which has an array of antennas that are spread much further apart. And those are, you rotate the carrier signal through those, either mechanically or electrically. The mechanical one is literally just like a servo with a piece of coax that kind of spins around and vaguely goes next to the feed lines of all the other antennas. So it kind of, as it starts to couple with one, it'll slowly stop coupling with another, goes around, gives you a nice constant rotation instead of a stepped rotation. Electronically, you can do that with just RF switches. And then from the redshift and blueshift of the signal as it rotates towards you and then away from you, you can tell at what point it is on center. And basically when the, so yeah. So as it is at this point and it's coming towards you, that's gonna be the maximum blueshift. And then it's going to hit a point where it's going to stop blueshifting and start redshifting away from you. Which is to say the frequency as it approaches you is gonna be a little bit higher. As it leaves you, it's gonna be a little bit lower. And then from there, you can tell, okay, I am on this bearing from it.

DMA, sorry, DME, Distance Measuring Equipment, is UHF, microwave-ish. It is literally just ping response. You send out a signal and say, hey, and the station receives it. It waits a set amount of time, which I think is typically 50 microseconds. Then it sends you the response back. And thanks to the wonders of knowing the constant speed of light, you can figure out how far away you are from it.
The DME system, I'm playing with DOS computers at home, so DMA settings are stuck in my mind. Don't ask me why. It has to do a bit of math to understand where you are in relation to it from a ground distance perspective, because if you're up in the air here and the station is here, the distance is going to be this section of a triangle. And fortunately, you also know your altitude, which is this section of the triangle. So then you can easily solve for this section: a squared plus b squared equals c squared. Pythagoras helps us know where we are. TACAN is a military VOR/DME system. It can be co-located with civilian systems to provide DME service for civil aircraft. But the VOR stuff is not available for civil use.

Navigation, the ILS. That previous talk, if you were here for that, was fantastic for a guide on how ILS works. So basically you have two transponders, one VHF, one UHF. They send out two signals, one to the left of the runway, one to the right, one kind of low, one kind of high, and those are modulated at either 90 or 150 hertz. And from the relative signal power of those two signals, you can tell if you are to one side or the other or on centerline, laterally and vertically, coming into your glideslope.

As far as passenger entertainment goes, you have all of your fun internet services. Inmarsat provides the Swift Broadband service. There's Viasat and Gogo. Gogo has some satellite service, but I believe most of it is actually ground-based. So they have ground stations that talk directly to the aircraft instead of through a satellite. Benefit of that, less ping time. Admiral Grace Hopper has this great little thing that she did, which was, she carried around a nanosecond with her. Just a piece of wire that was precisely one nanosecond long in terms of the speed of light. She would, when other generals would ask her why it takes so long to get stuff from a satellite back, she'd say, well, there are a lot of these between here and the satellite.
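The VOR and DME arithmetic from the navigation part of the talk is small enough to write out in full, which also shows where the two sanity checks live (a reply that arrives before the station's fixed delay could have elapsed, and a "height" that exceeds the slant range). This is an added example, not code from the talk: the 50 microsecond reply delay is the figure the speaker quotes, the speed-of-light constant is standard, and the sample round-trip timings, heights and phase readings are constructed for illustration.

```python
# Added example (not part of the talk): the DME arithmetic the speaker walks through
# (round-trip time minus the station's fixed reply delay, halved, scaled by c, then
# Pythagoras to turn slant range into ground distance) and the conventional-VOR
# phase-difference-to-radial relation. The 50 us reply delay is the figure quoted in
# the talk; the sample measurements in __main__ are constructed.
import math

C_M_PER_S = 299_792_458.0    # speed of light
DME_REPLY_DELAY_S = 50e-6     # ground station holds its reply for a fixed time
M_PER_NM = 1852.0             # metres per nautical mile


def dme_slant_range_m(round_trip_s: float) -> float:
    """One-way propagation time is (round trip - fixed reply delay) / 2."""
    one_way_s = (round_trip_s - DME_REPLY_DELAY_S) / 2.0
    if one_way_s < 0:
        raise ValueError("round trip shorter than the reply delay: not a valid reply")
    return one_way_s * C_M_PER_S


def ground_distance_m(slant_range_m: float, height_above_station_m: float) -> float:
    """Slant range is the hypotenuse, height is one leg; solve for the other leg."""
    if height_above_station_m > slant_range_m:
        raise ValueError("height exceeds slant range: inconsistent measurement")
    return math.sqrt(slant_range_m ** 2 - height_above_station_m ** 2)


def simulate_dme_round_trip_s(slant_range_m: float) -> float:
    """Constructed 'measurement': the time an airborne interrogator would see."""
    return 2.0 * slant_range_m / C_M_PER_S + DME_REPLY_DELAY_S


def vor_radial_deg(reference_phase_deg: float, variable_phase_deg: float) -> float:
    """Conventional VOR: the variable signal's phase lag behind the reference
    signal equals the magnetic radial, 0 being north (as the talk describes)."""
    return (variable_phase_deg - reference_phase_deg) % 360.0


def m_to_nm(metres: float) -> float:
    return metres / M_PER_NM


if __name__ == "__main__":
    # constructed scenario: 5 km slant range, 3 km above the station
    round_trip = simulate_dme_round_trip_s(5000.0)
    slant = dme_slant_range_m(round_trip)
    ground = ground_distance_m(slant, 3000.0)
    print(f"round trip {round_trip * 1e6:.2f} us -> slant {slant:.1f} m, "
          f"ground {ground:.1f} m ({m_to_nm(ground):.2f} NM)")
    print(f"radial for 90 deg phase lag: {vor_radial_deg(0.0, 90.0):.0f}")
```

Without the altitude correction the DME readout is the hypotenuse, so an aircraft directly over the station still reads its height as "distance"; the `ground_distance_m` check rejects the impossible case rather than returning a complex number.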
The geosynchronous ones are 25,000 miles up, 20 to 20, 22,000, thank you. So yeah, it takes a bit. So yes, those are all the fun passenger hand-made systems.

So that was my fun, super-fast, big run through all of the aircraft radio systems. I am going to put this up online. I'll show you the links in a minute. I also have information on how to receive all of these things if you want to. It's a lot of really cool stuff. For those that do have ADS-B receive stations or want to set them up, I highly encourage you, if you're in the US, to get a second SDR dongle and set it up for 978 megahertz, because there's a lot more cool stuff there. Low-level, general aviation stuff that you are not going to see from just ADS-B transponders. So that is very nifty stuff. Anyway, after that, Chappelle, does anybody have any questions? Yes, I'm sorry, say that again. Okay, okay, I'll make a note. Any more? Okay, how much more time do you have? How much more time? Oh, you have more time. Okay, I'm going to do a quick spiel on ADS-B and UAT systems then, on how to optimize your system for RF performance.

So high gain antennas on these systems actually can hurt you in some cases, especially for UAT. The higher the gain of an antenna goes, the lower the receive lobes are vertically. So with UAT stuff, there's a lot of low-level things flying pretty close to you, above you, and your antennas are just really not going to get that if it's a super high gain antenna. That can help you for ADS-B stuff, if you're looking for things far off. But again, as commercial aircraft overfly you, you're just not going to see stuff straight up. Locating your receiver next to the antenna is the best thing you can do. You can also use an inline low-noise amplifier at your antenna and have your receiver located a little further away. Feed line matters: the thinner the feed line, usually the higher the loss per foot or meter of the feed line, especially at those higher frequencies.
If you can manage to run it and you want to, you can use LMR-400, which is nearly half an inch in diameter, but it's pretty low loss at those microwave frequencies. Excuse me. Filters are good, filtering before your amplifier. You probably want to do that if you have a lot of really high-level local RF stuff, so you don't overload your amplifier. However, having the filter before the amplifier means that you increase the overall noise floor of your system, because the filter is going to introduce some loss. And so the signal that you're receiving is going to drop down a little. The noise floor is pretty constant here, and then your LNA is just going to kind of raise everything up like that. So the signal itself in relation to the noise floor is not gonna be, the ratio is not gonna be right. The signal-to-noise ratio is gonna be worse. Let's see, what else. Yeah, FlightAware sells 1090 and 978 megahertz antennas. They sell a 1090 filter. Uputronics sells 1090 and 978 megahertz filtered amplifiers. I actually have a reel of 100 978 megahertz SAW filters that I forgot to bring with me. They're in my room, so I can grab those and bring them back, if anybody has really good soldering skills to solder a QFN three by three and a half millimeter surface mount device. So anyway, that's it. Thanks.
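The receiver-placement and filter-ordering advice at the end of the talk is exactly what the Friis cascade formula quantifies: every stage's noise contribution is divided by the gain in front of it, so a lossy filter or coax run ahead of the LNA costs you nearly its full loss in signal-to-noise ratio, while the same loss after the LNA costs almost nothing. The following is an added example, not material from the talk or from any vendor mentioned in it; the stage figures (1 dB filter loss, a 1 dB noise figure / 20 dB gain LNA, 3 dB of coax, a 6 dB noise figure SDR) are constructed round numbers, not measurements of any product.

```python
# Added example (not part of the talk): a Friis cascade calculation that puts numbers on
# the speaker's points about receiver placement and filter-before-LNA ordering. Stage
# figures (1 dB filter loss, 1 dB / 20 dB LNA, 3 dB of coax, 6 dB receiver NF) are
# constructed, not measured values for any product mentioned in the talk.
import math
from typing import Dict, List, Tuple

Stage = Tuple[float, float]   # (noise figure in dB, gain in dB)


def db_to_linear(db: float) -> float:
    return 10.0 ** (db / 10.0)


def linear_to_db(x: float) -> float:
    return 10.0 * math.log10(x)


def passive(loss_db: float) -> Stage:
    """A passive loss (filter, coax) has a noise figure equal to its loss and
    a gain of minus that loss."""
    return (loss_db, -loss_db)


def active(nf_db: float, gain_db: float) -> Stage:
    return (nf_db, gain_db)


def cascade_noise_figure_db(stages: List[Stage]) -> float:
    """Friis: F = F1 + (F2 - 1)/G1 + (F3 - 1)/(G1*G2) + ...  (all linear terms)."""
    total_f = 0.0
    gain_so_far = 1.0
    for i, (nf_db, gain_db) in enumerate(stages):
        f = db_to_linear(nf_db)
        total_f += f if i == 0 else (f - 1.0) / gain_so_far
        gain_so_far *= db_to_linear(gain_db)
    return linear_to_db(total_f)


def snr_penalty_db(chain: List[Stage], reference: List[Stage]) -> float:
    """Extra SNR lost by `chain` relative to `reference` for the same antenna and signal."""
    return cascade_noise_figure_db(chain) - cascade_noise_figure_db(reference)


# constructed stage values
FILTER = passive(1.0)          # SAW/cavity filter insertion loss
LNA = active(1.0, 20.0)        # low-noise amplifier at the antenna
COAX_RUN = passive(3.0)        # a long, thin feed line to the receiver
SDR = active(6.0, 0.0)         # the SDR dongle's own front end

CHAINS: Dict[str, List[Stage]] = {
    "SDR at far end of coax, no LNA": [COAX_RUN, SDR],
    "LNA at antenna, filter after it": [LNA, FILTER, COAX_RUN, SDR],
    "filter at antenna, then LNA": [FILTER, LNA, COAX_RUN, SDR],
}

if __name__ == "__main__":
    for name, chain in CHAINS.items():
        print(f"{name:34s} system NF = {cascade_noise_figure_db(chain):.2f} dB")
    penalty = snr_penalty_db(CHAINS["filter at antenna, then LNA"],
                             CHAINS["LNA at antenna, filter after it"])
    print(f"filter-first costs {penalty:.2f} dB of SNR")   # about 0.93 dB here
```

With these numbers the coax-only chain sits at 9 dB, putting the LNA at the antenna brings it to about 1.3 dB, and moving the filter in front of the LNA gives back about 0.9 dB of that, which is the trade the speaker describes: you pay most of the filter's loss in SNR, and accept it only when strong local transmitters would otherwise overload the amplifier.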