So anyway, here you go, here's your speaker. Enjoy. Good morning. Thank you all very much for coming out for what I understand is an early DEF CON morning. I would very much like to show you my slides, but as we can see, I think it might be a little bit of a technical glitch, and I would really honestly love to get started, but it's kind of crucial to have the slide. Maybe we could try the reverse and do a bit of Q&A. How many people are into radio? All right, cool. Who knows what a software-defined radio is? And how many people have actually played around with one? And how many people own one? How many people have a USRP? How many people have a Realtek TV dongle? Cool. And who knows GNU Radio? Excellent. It's very encouraging. Applause already. Pardon me, debugging across the room. Do you know whether you are actually receiving the signal from my laptop? Would it be possible to temporarily connect one projector or something? It's actually the multiplexer back there. Keep on going. By the way, the Q&A, times past, we used to have a Q&A where we'd get together and we'd go to the room to a Q&A. There's one big massive Q&A room back there, and if this gentleman over here wants to take beers and shots and whatever they talk to him at the bar, that's a good Q&A area. So this year the Q&A is pretty much going to be handled out in the hallway or wherever else that y'all need necessary. So at the end of the talk, we'll have to... I'm okay with that. Well, I guess I should also add that my name is Balint Seeber. As you might gather, I'm not originally from around these parts. I moved to the States about the middle of last year. I had been sort of mucking around with Software Defined Radio in my own time. I had been working on a PhD, but unfortunately for that, through a friend, I discovered what Software Defined Radio was about and I just let the PhD slide. And I'd like to show you some of the things I did during that time. 
Since then, I actually joined Ettus Research, so I'm an applications engineer there, and I guess one little bonus is that I get to play around with some cool new toys, one of which I'd like to sort of show you today. Do you want to check the... Yeah, no, that's the right range. Yeah, change it down to 1040. I mean, I haven't had a laptop. Do you want me to try that one? Yeah, it won't hurt, but don't... Any more questions? What's my... I'm actually not much of a drinker, you know. You will be after this. I was thinking that might be the case. I guess... I don't know... Do any of you recognize this or anything like it? It's a FasTrak tag that you normally affix to your car. It gets scanned when you go through the toll booths. This is a nice antenna that you can actually read these with. And I figured... I can't quite remember how I came across it, but I came across... I don't know if you've seen... There was a Black Hat talk in 2008 that actually dealt with opening these up and reversing, decompiling the firmware. And that was quite a common vector where you go into the chip and extract the software. But I figured that I would try and implement the radio side of it. And so I just did it over two nights last week, but very simply it will read the ID, as it's not an encrypted protocol, out of one of these tags. You just hold it up there and it'll read it out. I would have some nice images to demonstrate that a little later on. But I guess I can sort of hand wave in the meantime. I don't know, I'm kind of giving you the summary of the entire thing. I don't know how are we doing back there. This is not quite the start that I was expecting. Is anybody doing any cool projects in SDR at the moment? Oh, I had a question there. Yes, I did. Okay, well, let me grab one. I carry one around with me. Thank you. All right then. So thanks for coming. Just wanted to tell you a little bit about me. I've always been obsessed with electronics and wireless. 
I think this is in the kindergarten or first grade. I don't know what the hell I was making, but it contained part of an old tape deck coming out the side there. It had a blinking light with a VU meter. That was really cool for me. But contraptions. Now obviously I'm trying to actually build it. This is on the top of a park back in Sydney with a friend of mine. We put together a very long wire antenna there because we were trying to pick up the Cherry Ripe numbers station that was supposedly broadcasting out of Guam. That was run by MI6, I believe. Unfortunately, we tried a couple of successive weekends and then realized that actually the station had already been shut down. So it was still fun to get the images, I guess. So I'll rush through the overview then. I'll do a little bit of basic RF 101. My journey into software defined radio to sort of shape the talk. How I originally got into sort of decoding RF systems with hospital pager systems. One of my favorites, tracking aeroplanes. And then looking at how you can actually decode data that you know nothing about, in this case coming down from satellites. A bit of direction finding and a little bit of FasTrak. So just to do a quick recap for those of you that aren't that experienced. The idea behind radio is that you have a carrier wave. This is of a particular single frequency. And if you were to view it like this on a graph with time going from left to right, you would see your sine wave and the amplitude obviously on the y-axis. And the idea is that you have your information, whether it be voice, for example, or digital bits. Can you hear me okay, by the way, is this good distance? It goes into a modulator and then you mix, which is that sort of circle with the x, you mix that with the carrier which puts it up to the frequency that you want to transmit at. So if you want to transmit FM radio, then you would dial that in on your radio. 
At the radio station, put in your music and then out comes the music on that particular frequency. So the simplest kind of modulation is called on-off keying, which is literally where you turn on and off the carrier wave. And the simplest example of this is Morse code. Anyone good with the Morse code? Can you tell me what that means? DEF CON, correct. And then it goes all the way up to the more complex stuff, which is pretty much used in all the modern digital modulations. So OFDM and it's used in a whole host of ones that we use pretty much every day. So if we look at AM and FM in the time domain, you have your carrier up the very top. You have your signal just below it. And then depending on what modulation you use, you either get an AM modulated wave and you can see how the carrier's amplitude is now sort of matched with that of the signal or with the frequency modulated version, the carrier maintains the same amplitude, but the instantaneous frequency changes with the change in the signal. So that's kind of a sort of basic difference in some simple modulation schemes. So here's an example of a spectrum. This is a recording that I made of an automated broadcast from an airport regarding the state of the runways. I don't have any audio. Can I have the laptop audio back? How is it? With parallel runway operations in progress. Thank you. Independent departures in progress. So this is actually amplitude modulated. You have a carrier in the middle and then either side you have identical side bands that contain this voice. So the modulation will define what it will look like on that sort of spectrum. So we're looking at an AM signal, so that's symmetric about the carrier there. FM, you have the notion of a carrier, but actually because it's being frequency modulated and the frequency is moving around all the time based upon the signal, it looks a little bit different. And finally you have a digital modulation scheme, C4FM. Yeah, but of course that's not legal. 
I'll come back to more of that kind of thing later. Does anybody know about project P25? I was about to say Pentium 25. P25, yes. So it's a digital voice standard that's used by first responders all around the world, both in America and in Australia and various other places. And it's maximum. And so because it's digital modulation, this one actually is sort of an FM variant but it contains four states and because data is moving through it very quickly, you get this sort of different look to it on the spectrum. So what I'm trying to emphasize to you is that originally there's sort of hardware and there's simple hardware like crystal sets that were used and it was made up of very simple components. What I noticed was that they're all sort of fixed, fixed personality. Nowadays they're more complicated, but our phones have microchips in them and these other equipment also are fixed personalities. So it's like a black box implementation. You can't get in there, you can't change it. It's not reconfigurable. Here we have an example of a satellite modem that's used to actually send data up into a satellite. And keep that picture in mind because I'll come back to that. So the journey begins. I had this set up on my balcony back in Sydney and I heard this mysterious signal which will not play now but I'll do it manually. Does anybody recognize what that is? At the time I wasn't exactly sure what it was and I had actually tried to demod it with free software out there that's available but none of it worked. So that's the time. And this was my setup at the time. I had inherited these radios from my grandfather, a scanner, and other receivers and I interfaced it with that little board there to my 286 and had a network card running Minix and that would stream audio downstairs and I could control the radios remotely. So this was my sort of simple setup to do that. 
So I figured, well, I'll try looking at the signal and once again here we have a signal in the time domain and then if you look at it in the frequency domain you can see these two distinct levels coming out. And this introduces the idea just like in data transfer that you have the preamble and you have the payload. So you can see the preamble is very important because it establishes for bursty data the transmission so that the receiver can lock onto it. So there's that repeating pattern of ones and zeros. And then you have the payload after that. Because it's two level FSK you can simply draw a line through the middle and slice. Anything above it will be one, anything below it will be zero. And so that's what I started doing there. That's a visualization of that particular data stream. So you've got ones and zeros, great. Now what? Well, the idea is to turn it into information. This took on and off five years for me to actually figure out. And in the process I actually ended up writing this little bit of software that would take in this raw data and you can play around with different ways of, you know, line encoding and so forth. And, you know, I'd look at it every so often and come back to it. And then it just happened that I was reading Wikipedia and there was an article in there that mentioned these specific sync words. And I thought, well, hang on, I've seen them before. And I just happened to have the offset correct in this window and you can see that they match up. And so it turned out to be POCSAG. But it was weird because the software that I had tried previously hadn't been able to decode it. So I guess this was an example of security through obscurity because they changed their implementation slightly. But it turned out to be the pages for the hospital network back in Sydney. And so we confirmed this. I have a friend that works in the hospitals there and he called his friend and said, can you send a page out? And you can see what that test page is there. 
The only one that's legible. But bringing it up on this map that I created, it was actually part of the hospitals. You can see, I mean, I identified the frequency. So once you actually have a look at where that site radio-wise is linked to, you can see that it's connected to all of the other sort of hospitals in the area. So I let my decoder run for a little while. And it turned out to be some seriously sensitive information. And then finally... So that was for one of the secure systems, I believe. Anyway, a side note, I just show you that map. This is sort of more of an indirect call to the FCC to be more open about all the data they supposedly don't update on their website. But the Australian government has been very, very good and strict about maintaining all of this data in one place. So my mash-up also has these map overlays and this is a visualization of every single registered radio transmitter in Australia and all of the links between them. So you can see where the population concentrations obviously are because that's where all the radio sites are. And also I derive sort of radiation information. So these are mobile cell towers in my neighborhood. And if you look at various cell towers, there you have these sort of very sharp lines coming out and they're actually the microwave point-to-point links between the towers and the omnis are just sort of the panels. The government's database that I sort of imported contains information about the antennas and the orientation, power and so forth. So it's quite rough, but you know, it still looks pretty, I guess. And somebody posted it to Reddit at one stage and it was very interesting to track what sites were popular. Not sure whether you can read that, but one is basically they're all the Echelon sites in Australia. So there's an Earth station at Geraldton and Kojarena, I think. And as you can see, they're all covered with the radomes. But these were pretty popular. That's Pine Gap. 
There's a bit of joint U.S.-Australian action going on there, I think. And the very first day that I launched the site, I had visits from the U.S. Department of Justice, Federal Parliament and my state's Attorney General's Department. I have no idea how they happened upon it so quickly, but... I don't know. The other thing was I think people try and get in and hack the site and scrape everything up. They've been coming from a couple of IP addresses in Bolivia, so I just banned the entire country. So that was sort of my journey to decoding things. But let's move on to aviation now. I have in the past generally liked to take a GPS receiver with me and sticky-tack it to the window. And then when the... What's the politically correct way of saying it now? Stewardess or flight attendant? I'm old fashioned. They come up and say, is that off? I nod and say, of course it's off. Actually, it's just got the display off. But it's kind of cool because as you take off into the air, you get some pretty interesting stats about how fast you're going and how high you actually are. I don't know, maybe it's just me geeking out, but I like the numbers. And then once you get back home, you can plug it into GPS Visualizer and then into Google Earth and you get a pretty color-coded trail of where you've actually been. This was last year when I was going to Houston. And this was just screenshots from the GPS receiver. But if you're in the airplane and you're enjoying your ride, how do the skies remain safe from collisions? How do the planes get around? I'd like to tell you a little bit about primary radar and secondary radar. So you've probably seen these big rotating radars at airports. And it's part of the ATC radar beacon system. So the primary is the big one down the bottom there and the secondary is the one at the top. 
So the primary is the traditional radar where it sends out an enormously powerful pulse and then listens for returns of metallic objects because of course planes are just flying tin cans. And the range that was limited by the radar equation, so you have fourth-order loss. What's interesting though is that with the secondary system, the top is actually directional radio. And so that will actually broadcast and ping the transponders which are active on the aeroplanes which then reply back themselves. So that requires an active system whereas the primary does not. And because it's an active system and the transponder replies, you only have second order loss there. So you can get out further. But this is quite crucial because if you're sitting in front of an old-fashioned radar scope, you have the big line going around. You wouldn't be able to ID individual planes. But with the secondary system augmenting that, you would actually have those anonymous blips now coded with the squawk code that would have been assigned when they would have taken to the skies in the first place. So how does the transponder system actually work? This is a basic transponder here. And there are different modes. A will simply reply with the squawk code. So when you take off, ATC will give you a squawk code like that one. And then every time your transponder is interrogated, it will send back some pulses that ID that particular code. There's another one which is C. And that will reply with the code and the current altitude, which obviously gives air traffic control more information about the airspace. And then the cool one is Mode S. Who's heard about Mode S and ADS-B and things like this? All right. So Mode S is another system that runs on top of this. And there's another cool thing that runs on top of that, which is ADS-B, which stands for Automatic Dependent Surveillance-Broadcast, which means that the planes don't need to be interrogated. 
They will just continually broadcast this information out. And also part of that system is ACAS and TCAS, which are for collision avoidance. But the interesting thing is that A and C are part of the secondary surveillance system. And Mode S is not technically part of it, but it shares the same frequency, which obviously would reduce cost. But now the problem is that there are so many planes in the sky that the channel is becoming increasingly congested. I think Frankfurt has this problem the most, due just simply to the amount of planes in the sky there. So how does ADS-B, what does ADS-B send out rather? It's constantly sending out a plane's position, heading, altitude, vertical rate, flight ID, squawk code. So quite a lot of things, plus more, but they're the main ones. So if ATC has its antennas on the ground, then there can be transactions between ATC and the plane purely through the system. So ATC might send out a broadcast, which is called the all call, and then all the planes will reply with the downlink frame that identifies the craft by its ID, much like a MAC address. Each airframe address is assigned to a single aeroplane. And then there's also ACAS and TCAS, where the planes will actually communicate with one another. One might send an altitude request to one, and then it'll respond, and this can be used to augment collision avoidance. Obviously, if they're traveling a little bit too close, then in one cockpit you might hear the automated voice say traffic, and then if they get really close, then there might be a pull-off and the other one to do an avoidance maneuver. This is technically called a resolution advisory. But there have been terrible incidents in the past where pilots have not followed the RAs, and actually the planes have collided. The one I've told in the past is the tragic one, I think, over Germany. 
There was a Russian flight with a lot of school children, and they collided, and they all died, and then one of the fathers actually went and killed the controller. So you've got to pay attention to the resolution advisories. I'd like to put big props out to Brad and Nick. They presented last year on looking into the vulnerabilities of NextGen, which is the FAA's sort of title for their next generation system that sort of employs all this sort of stuff, and I don't know whether Brad's actually here, but if he's here, it'd be great to catch up. So the interesting thing is that a typical 747, this is according to a ham friend that actually is a 747 pilot, has 31 radios. So lots of different things there, and of course that makes it pretty heavy. When I was flying over here, I took a photo of another Virgin aircraft just like the one I was on, and you can see that across the top of the aircraft there, there are a number of sort of bumps coming up. Don't quote me on these ones, because I've sort of mapped it from a 747. It's roughly right, but you've got a TCAS antenna, the transponder, you've got high gain satellite communications on the top, you've got a low gain VHF. In the tail, you've actually got an HF antenna as well, and on the bottom you've got various VHF things, and then you can't see them, but there's the radar altimeter and the marker and direction finding measurement equipment too. Now, with Mode S, how is that actually encoded in the air? I showed you before what a POCSAG signal might look like, which is frequency shift keying, but this is actually something called pulse position modulation, which is technically AM, but they send up pulses at very precise times, and when those pulses exist in a certain manner, then it might mean a 1 or a 0. 
So with Mode S, there's a particular preamble sequence, and the pulses have to be in exactly those positions, and that indicates that it is in fact a Mode S packet, and then that's also used to distinguish it from Mode A and Mode C, and then the actual payload then is determined by the positioning of what's called chips. So this is Manchester encoded, but you have an early chip and a late chip, and you can see that one will relate to being a 1, and the other one will relate to being a 0, and then the entire payload can be 56 or 112 bits long. So with Pulse Position Modulation at those sorts of rates, a pulse lasts an incredibly short amount of time. Now what this means is that you have to sample at a very minimum of 2 MHz, and that's assuming that you're going to synchronize throughout the entire payload, and it requires a bit of computing grunt to actually deal with that kind of data rate, and ideally you want to sample faster so that you can correct for any timing errors. So you wouldn't be able to do this with your plain old radio, and so this is where software defined radio comes in, and this is where I kind of got into it, and this is my sort of first play around with SDR, because it's the perfect platform for this. So the idea is that SDR moves what was previously fixed in hardware, that sort of unconfigurable hardware, into the software domain. So remember we had that simple crystal radio set. The expression of the AM demodulation in code, or maths in this case, is simply the magnitude of a complex vector. It's incredibly elegant and simple. FM is a little bit more complicated but similarly as elegant. So the idea is that it's completely reconfigurable now. So on the receive side, instead of having everything done in hardware, all you do is you pick the carrier frequency you want to listen to, mix it with your incoming signal, and then all the rest you end up doing in software. 
So the purpose of the SDR is simply to turn those analog values into digital and then supply the computer with the digital stream that you can process. So the continuous is then turned into discrete and quantized. Again, you have your wave that should look familiar, an analog to digital converter to take it from the continuous into your number stream and the digital to analog converter going back the other way if you're going to transmit a signal. Naturally you're going to transmit legally because you have a license to transmit in that band. But this is what I started playing with first. This is the USRP-1. It is sort of, I guess, one of the first, if not the first, sort of low-cost SDR. You hook it up by USB. And then with the old daughter board you got, you had a pretty amazing range to play with and the bandwidth was pretty incredible as well. This is a FUNcube Dongle that came out a little while later. The range was pretty good, but unfortunately the actual bandwidth that you could sample was very narrow because cleverly they put an audio card in there. So the left channel would be the I channel and the right channel would be the Q channel and you wouldn't need to install any drivers because it would just appear as an audio card. But of course you would try to listen to it. You would need to have the software running on top of that to demodulate whatever you want to listen to. And then of course there's a Realtek one. I don't know if anybody has used it under Windows with HDSDR or WinRad or the like. Yeah, a couple of people. I guess most people have used it under Linux. But for the price, it's pretty cool. I don't know if you're looking at the history, but one of the modes under which it operates is that it can demodulate normal analog FM. And a guy called Antti Palosaari happened to figure out that it's actually streaming 8-bit samples to the computer and the whole community sort of swarmed and figured out how to make that available to the mainstream. 
Now this thing here, this is not an official announcement. So I haven't put any text up there. But I'm pretty excited about this. This is going to be very soon. Ettus Research's new USB3 radio. It has quite a frequency range, 50 MHz to 6 gig, 56 MHz instantaneous bandwidth, bus-powered 2x2 MIMO. It's pretty sweet. And I've been having adventures with it around the Bay Area that I'll tell you about in a little bit. But the point is you can hook all of these things up to your computer and run GNU Radio. And it has a very nice GUI front end where you can describe your flow graph that will do some demodulation or modulation in this sort of graphical environment. So this one here is actually a very simple demodulator for AM. You can see there that the USRP starts with the left-hand side. You have an FFT, so you can actually see graphically what your signal looks like. You have an AM demodulator and it goes out to your sound card. So it's a pretty simple thing. And here if you run a waterfall over 8 MHz, this is actually part of the 2G GSM band and you can see the broadcast control channels as well as some bursty traffic channels there. And then this is a pretty cool example of what you can do with this. There's actually 56 MHz. So what you're looking at in the middle there are two Wi-Fi channels plus extra space on the side. So you could simultaneously decode two Wi-Fi channels, for example. Over the years I guess components have become faster and smaller so it's pretty incredible how far technology has come in I guess quite a short period of time to enable you to sort of suck up that amount of bandwidth. This is another example, another program. Sorry, let me go back a little bit. There we go. So I was talking about pagers back in Sydney. This is an example of pagers in the States. It uses FLEX, who's heard about the FLEX protocol? So this is the FLEX version of the pager system and this is running a program I love called Baudline. It does FFTs very, very quickly. 
You can zoom right in there. And so I don't know if you can see, but the line where the cursor is, that's actually a single frequency that pager transmissions are sent on and I was able to zoom right in. And you know how before we saw the two levels of the pager one I showed you back in Sydney, this one actually has four levels, and if you don't know the properties of a signal, you can use this kind of analysis to figure out at the very basic level what kind of modulation they're using. So this is actually four level FSK. And then I'm sure you're all aware of smart meters and how they have a mesh network, often in the 900 MHz ISM band. You can see there how quickly and how short the bursts are coming from the meters. But you can use Baudline then to once again zoom in on that and you might not be able to originally tell what they are because the burst is so short, but if you zoom in, you can see that there's probably some sort of phase shift keyed one there, the sort of blurrier one, the wider one in the middle, and on the left and on the right of that, there are the narrow ones. And although they're quite weak and they only appear for a very short period of time, you can still have a look and identify that they're two level frequency shift keyed transmissions as well. Now let's say you wanted to discover patterns or repeating periodic components to a signal that otherwise just looks like noise, like for example anything CDMA. So the examples here are that we would be listening to the GPS constellation or CDMA from the mobile phone network, for example. And there's a sink called the Fast Auto-Correlation Sink. And what it does is it does some trickery with some FFTs to very quickly determine whether there's some sort of repeating underlying component within a signal. So with CDMA, you have a whole bunch of signals that share the same frequency space but divided by what code they use. 
And so here, I don't know whether you can see, but there's a very distinct line that appears on the 10 millisecond grid line. So it's mostly black, but there's the green line that appears up there. And that's characteristic of the 10 millisecond repeating common pilot channel information in CDMA. So you could get a signal that you didn't know about, put it in here, see the peak and think, oh, it must be CDMA. And this is really interesting too because if you listen to the GPS constellation, if you look at the FFT, it's all just noise. There's no apparent signal like we saw before with the pagers for instance because the signal is coming from the constellation which is very, very far away. The signal that arrives at our receiver is very weak. However, there's CDMA in there and there's a repeating pattern in there as well. And amazingly, doing this little bit of math is able to draw out the one millisecond repeating cyclic code in the GPS signal. So some pretty powerful tools that you can just download and start using for free. TETRA is another sort of land mobile radio digital standard and it has this characteristic repeating pattern at about 14 milliseconds on an idle channel. So the cool thing is that you can take a USRP out and about. I put this in this old used Bosch case for some electric drill I had I think because I didn't get mine in the case. These are my amateur radio friends back in Sydney. Again, we set up a long wire and tried to listen to the world. The amazing thing here is that with SDR you can pretty much capture the entire amateur radio band which is what you're looking at there. That's 25 megahertz so it's not quite, but if you wanted to use this or something you could capture it and more. You can zoom right down there to demodulate hams or weather fax transmissions or clandestine military codes and so on. These are just a bunch of hams chatting in their allocated channel. 
You can have digital modes like RTTY and Morse code and Hellschreiber and all sorts of interesting things. And if you don't like that then you can, the video was supposed to start playing there. You can just demodulate your local stereo FM station. But the cool thing is this is Sutro Tower in San Francisco. The cool thing is that often modern radio stations also have data transmitted as a subcarrier and RDS is one of the more popular ones. You can see there that's the baseband spectrum that you get. You have the decoder running in the background that's printing out all of the RDS information including traffic, the state of traffic on the highways there which is something that I'm very interested in. And then there you can see actually the demodulated FM so on the very left hand side you have the mono audio so that's backward compatible with non-stereo receivers. You have the pilot tone which is 19 kHz and then you have the left minus right which is the stereo difference channel so that your receiver can then recreate the left and right channels independently and you can listen to stereo audio. And then further along the last kind of peak there is the RDS subcarrier which encodes this information. Now one thing that really peeves me is that the location codes for the traffic information are not public in this country. Many European countries have made them public but it's just a 16 bit code that I need to find some segment of the highway. And of course if you buy a car with an inbuilt navigation system that comes with it but I don't know if you have any tips on that. I've been looking into one way of finding out this information; if you have any ideas then please come and find me afterwards. But if you want to do the reverse, if you want to make your own FM radio station, transmit stereo audio and transmit your own RDS information, you can do that. 
There's a GNU Radio flow graph that does it, and I had my little iPod Nano with the FM radio in it that decodes RDS, and I was just transmitting it there, and just above the frequency display it's printing out some string that was pre-programmed in the RDS XML definition. So you can do that too, and I think there were... I can't remember who, I'm sorry to say, but there was somebody that tested sort of RDS injection, and they had a navigation display in a car and it was saying there was a terrorist threat or frogs falling from the sky or something, really. But if you like just scanning around, if you had a normal scanner, you can do that too with GNU Radio. I have a list of frequencies down the bottom there; it just steps through each one. There's a squelch block that monitors the channel, and as soon as it goes quiet it goes to the next channel. But the beauty about software defined radio is that you don't only have to look at a single channel at a time. Here, this is a flow graph that I put together with this multi-channel decoder block that I created, where you give it a list of frequencies and it will spin up that many decoders. So if you look closely, every time there's a vertical line it indicates that one of the channels has become active, but of course you only have one sound card to listen to it: the green one becomes the active one, and the blue one, the black ones rather, are simultaneously active. So this was just voice, but you might be listening to data transmissions and want to be able to decode them all at the same time, or if you're listening to some trunked channel you can record all of them.
SDR is also really cool because there's a free open source project to set up your very own 2G GSM base station. I would have done that now; I've done it once before during the talk, where I set it up using this, and I have my little phone here, and then people can sort of text me. But I thought it might be a bit distracting, plus late last night I was trying to find a free channel and the spectrum here is so unbelievably crowded that I just gave up. But it's kind of cool, because it comes with the soft switch, so for example I've set this up where I log on with my mobile phone and then I can dial the outside world, and I allocated a number with our actual main office switch, and then I was able to receive calls when they dialed that extension, and it all just goes through using SIP over the network. So it's kind of cool, and it had a very big sort of popular debut at Burning Man, and you can see that there was a bit of computation to be done, so they put their laptop on an ice pack.
Another cool thing you can do: actually now there are GNU Radio blocks for decoding 802.11a, or rather the OFDM version of Wi-Fi. So I put this AP up unsecured at 5 gig. There's a little flow graph there; you set the gain and the frequency, and then I made it so that it would pipe the data through to Wireshark, and you can see there the beacon frames coming from the AP. So this is just as if you had a dedicated wireless card running in monitor mode, except that it's just being done through an SDR. And in that picture-in-picture there, another laptop is connecting to the network, and you'll see the association frame coming through and then data frames coming through there; you can see the coloured ones.
And then actually last week a colleague of mine thought he'd bring in his fancy antenna, and we were trying to see pictures which are sent down from weather satellites. So they orbit the Earth, take photos and then send them down, and you have to track them manually because they're low Earth orbit. But the B200, this guy's just hanging there by the USB cable, and then you get these sort of pictures, and you see that interference there: doing the tracking manually, you can't see it, so we're just kind of guesstimating where it would be, and I guess we missed a spot. But it's kind of cool, because this is actually the west coast up here of the United States, and some big cloud formations. These pictures are taken with different sensors, and you can combine them into sort of these false colour images to get an idea of what's happening. This is, like, I think sea temperature, and there's another thermal one, and they're happening all the time; you can just get a program to tell you and decode that.
Another one: if you're looking for positional stuff on the water, most large or medium sized marine vessels now contain their own version of transponders. So I went over to the bay in San Francisco, and so that boat there just came around, and you can see the kind of trail there, and there are those other three boats with that very large cargo ship, and they're all, you know, sending out their information. And I guess the thing to bear in mind during all of this is it's all unencrypted. The thing about RF is that it's a shared channel; it's like a human resource, anybody can do anything with it. It's only, you know, our legal system with jurisdiction that dictates apparently how we're supposed to transmit or not within those frequencies. So security is obviously a very, very big point that hasn't been addressed in a lot of these systems. So it's been used in radio astronomy, passive radar, tracking people with their mobile phones through shopping malls and so on.
But let's come back to aviation, and we were talking about that radar. There's a radar turning right there; this is the radar at Moffett Air Force Base in the Bay Area. You can see that every time it points toward the camera, where I have the radio, there's a massive spike, because of course the radio is directly in line with the big pulse that's coming out. What's also kind of cool is that on the left hand side there are various other small spikes coming out; they're actually reflections off large buildings, so the radar signal's hitting those buildings and then hitting back into the radio. And the other thing is that I couldn't figure out why I was seeing two peaks here. This is showing the time in between the initial bang that's sent out, the initial pulse that's sent out by the radar, and this is called the pulse repetition frequency, and I couldn't figure out why there were two; usually there's only one. Before I had an SDR that went up this high, I actually... who knows the Ubiquiti SR4C 802.11a WiFi cards? I sort of mucked around with the drivers a little bit; it's got in the chipset a radar detection capability, so I was using that to try and characterize the weather radar nearby, but I only saw a single peak. But here there were two, and I did a little bit of research, and actually these radars, apart from monitoring aircraft, can also be made to monitor weather, and in this dual PRF mode there were some papers written about how they can be used to sort of monitor reflectivity and moisture in the air. That was kind of cool.
So this is on the waterfall display, anyway, what transponder, Mode S transponders, look like coming from aircraft, just sort of come full circle now. If you look at it after demodulating in AM, then you can see we have the preamble at the front and then the payload after that. And what does that actually look like? All those dots represent a frame, and if you would run it at real time you would see something like that, and the amplitudes are obviously different all the time because you're receiving it from planes that are all sorts of distances away from your receiver. So once you've done all that decoding, what's next? Well, this is a little project I've been working on now and then. Who's seen Sneakers? Yeah, thought so. One of my favorite bits in the film; I'm not going to do an American accent, but "I'll get the diagnostics, what's in the little black book." And you can see there on the screen is actually a very sort of simple picture of the bay area with air traffic control and planes, and I kind of put together my own system that does it. That's San Francisco Airport right there, and I just left it running, and these are the planes that fly in and out of the area, San Francisco, San Jose and Oakland, and so they leave nice trails behind, and it's kind of cool then because you can see what the flight paths are. Now this is what I call the rainbow effect. This is actually a bad transponder on an aircraft that's reporting false position information, and you get nice sort of floral pictures like that, a floral motif. But you can see how SFO is actually right in the center there, and the color code is altitude, so the yellow is just before it's about to land, and this is the airport there with the various runways. Obviously we all know that there was a bit of an accident down there recently, but I sort of went up the top of a car park nearby. This is one runway, and I had the B200 there receiving, and I happened to catch these two planes coming in with a parallel approach. You can see that one just touched down as it turned from green to red, and that one's about to turn red as well, so it just hit the tarmac, and then they will scoot across the screen as they taxi back to the terminal. So landing is cool; takeoff is kind of cool too, especially if you're just sitting there. You can see all the planes at the holding point waiting to sort of take off. I think this is a Virgin flight; there it goes, and it's again kind of neat. Remember I had the GPS here, and it does increase eventually when the nose wheel lifts up, turns green and off it goes into the sky. But wouldn't it be cool if you could do it in 3D as well? So that's the same plane now streaming in Google Earth through the internet. You can see planes there in the background landing at Oakland; that's the bay area there. And wouldn't it also be cool if you could actually have a virtual cockpit mode, so that you could be in the seat of the pilot and imagine what it would be like taking off into the sky? So this is actually running permanently on my website for Sydney, Australia, and I've just set this up recently for the bay area as well, so if you'd like to sort of help out with this project I'd love to hear from you. But this was actually when I had one of these tucked away in the seat pocket in front of me without an antenna, and I was receiving the transponder from probably 10 meters below my butt. And this is a bit of a hard landing, but it's kind of cool, because as you taxi in you can see what looks to be the burnt out fuselages of planes. I don't know what Google Earth tried to do there; you know how it does the terrain exaggeration, and they must have some sort of automatic mechanism to determine terrain elevation data, but it's kind of a bit weird when you fly through a plane like that. And then, so if you do it in Google Earth, then you get the same sort of effect. Here the trails don't persist, so it doesn't get as crowded, but you can kind of get a sense when there's a lot of traffic, and you can see how it didn't come in on the direct path there; around the ocean it kind of does loops, and see, there was that loop there. That's when ATC is backed up a little bit, and I'm guessing they're asking the planes to hold for a single loop just to give them a bit of breathing room before they vector them in. So what's this one? Oh yeah, this is when the police came out. Hello. Dan. Good, thanks, and you? Are you really watching airplanes? I am really watching airplanes. That's pretty cool. Do you have any idea? I do, yes. Is it for, like, school or something?
It wasn't quite for school, but I have to say she was very, very nice about it, and that's not the first time that I've had encounters with the cops, but usually they're pretty good. So the software runs in a couple of different stages. This is the desktop application that sort of does the tracking; you've got the decoder that supplies the raw frames, and then you take those frames and actually do the tracking. This is the main runway in Sydney; you can see the trails the planes have left behind. When I initially got into this, I have to thank my friend back in Australia, Matt Robert; he's worked on OP25. But we went up... I initially was using his USRP1 remotely, and then we would go up to the park and test it out there, because the airport would just be within visible distance there in the lights. We went up a couple more times, progressively taking more equipment. We were quite excited this time because that grey plane there isn't actually a plane; it's a vehicle equipped with a transponder. You can see it's on the perimeter road. The airport has equipped every single one of its cars with transponders, so if you look you can see these little vehicles moving around, and I actually need to change the icon now to something more like a car. But we were very happy that evening; we had quite a bit of equipment up there as well. But you see interesting things, like that was the Queen when she came to visit; the call sign is REGL1, Regal 1. And then you see some weird things, like I was in San Francisco and I saw that; I don't know what that was about. So this is when I, without permission, moved all of my equipment to the roof of the apartment block, and I had everything stuffed in this sort of box. I had gigabit ethernet and power running down inside of the building, which I had sprayed the same colour as the building just to make it invisible. And the software, because you're using SDR, this is the cool thing, because you can get at the very lowest level of the signal, you can extract information about the distribution of the strengths of the packets coming in and build up these sort of graphs to tell you how well your decoder is doing. This is a graph of signal strength versus distance, and you can see the way that it drops off. This is altitude versus distance, and because I live close to the airport they also come to a single point at the bottom left, but you can see the standard flight altitudes out to the right that the planes will eventually ascend to. And this is a weird one: this is strength versus altitude, and then you can see the standard flight paths coming out on the right hand side there, but on the other axis. This one is Sydney. Now Australia actually has a greater rollout of ADS-B. In addition to listening to those messages, you see how those balloons are popping up? These are ACARS messages, and ACARS is a system that is like text messaging for aircraft. There's another rainbow effect. But the text messages can be between the cockpit, air traffic control, which might send vibration reports back to Rolls Royce. I saw once that there had been a rowdy passenger on the plane and they had asked for the federal police to come to the next airport to escort the person off the plane. All sorts of messages; most of it is clear text. And this is again... pardon? Generally, no. This is once again looking down at Sydney airport, and you can see when a message is actually sent it deposits a little sort of marker behind, and most messages actually occur at the airport; it's just the way the sort of diagnostic systems work. So I've mentioned it already, but I listened to the two primary frequencies back home, and I'm sort of setting that up here as well, but this is how the messages sort of printed out: so the frequency, the content, the flight ID, registration and so on. What does it actually sound like? There's an ACARS message there. And once again the cool thing with SDR is that this is actually decoding all the three main channels here in the bay area simultaneously, so whenever it receives one you can see that it'll just scroll on the side there, and that can be fed into the main system to put spatially on the map where the aircraft was when it transmitted that information. So it's also a very interesting sort of diagnostic tool for airline operations, I guess, or if you'd just like to be a plane spotter. So you can see a whole bunch of engineering messages, which have the H1 label, were delivered as it was coming in to land or passed through the airport. Again, this is sort of sped up. You saw a big blue dot there, and I'll explain that, but you can see all the dots appearing as they take off, which is when the plane sends out a whole lot of information as it ascends into the sky. So here are some examples. This is kind of a running joke, I see, probably just because I'm hypersensitive to it now: all I see are ACARS messages regarding blocked toilets on aircraft. So here we have one toilet that's inoperative, and I'm guessing "lav hard" means the lavatory has failed with a hard failure mode. So the galley's flooded, and lav hard, and because I see them all the time I thought, well, I'll make an Easter egg in Google Earth, and unfortunately I think the waypoint that's been highlighted there is PRAWN. The other thing is that they actually send out flight paths over ACARS using waypoints, and I have a database of the waypoints, so it actually will then draw the flight paths that the planes should fly through. I'm only receiving this small portion, but you would expect the plane to fly through to Asia and to Perth. And also sometimes you see nice things where, I don't know why, these planes appear in Google Earth as models; maybe Qantas is paying Google, I don't know. I'm on top of the cockpit, which is kind of neat. And then we talked about the traffic, so you saw that I put all that stuff up on the roof without asking. The strata sent this message to everybody saying that several tradespeople had installed satellite dishes on the roof; so it was just me that installed my home built VHF antenna and Mode S antenna, which is basically the top of a tin can or the timer or things sticking out, I don't know what else about it. But two nights before I left to move to the States, I said stuff them, I put everything in a box like this. This was the night before I was supposed to be on the plane, installing it at a height. This is as I was taking off in the plane; I took a photo of where the actual site was. And this is with a little Realtek dongle on the flight over here, tracking my plane. Obviously I didn't have the Internet, so I didn't have maps imagery. So that's more recently in LA; you can get some good range, obviously, when you're nice and high. And some more recently, when I'm setting up the new antennas. Instead of doing only Mode S, though, you can use HF, and we were able to receive the HF transmissions, which work in a slightly different system, extending all the way, as you can see there, into China and India. So obviously with HF you have far greater propagation; that is pretty incredible. So that's more or less aviation. Remember it's all unencrypted, so you can spoof, you can jam, you can do all that kind of stuff, and I'll talk a little bit more about that later. Am I doing that? I haven't actually looked into that. The question was, there's another part of this called TIS-B, traffic information, that's also broadcast over the same sort of mechanism, and that's used to augment the information that pilots can see, but it's sort of a next step of the protocol and isn't really widespread, but various sites are sort of bringing it online. But no, I haven't looked at that myself, I haven't done that, but that's actually good for potentially doing multilateration in the absence of Mode S and ADS-B.
So moving on to the next one: this is blind signal analysis. So this is where you have no idea what you're actually dealing with. So I was looking at satellites, happened to go over to a friend's place and hook my USRP up to his set top box that was connected to a satellite, and there are two types, mainly two sorts of things to consider: you've got the purpose and the payload. So you can have comms; there were weather satellites, military satellites, amateur radio satellites; there were the lowest orbit ones, geostationary ones; and there are the intelligent ones and the dumb ones. So the intelligent ones, actually you communicate with them from the ground and instruct them to do things, or there are the dumb ones that just relay information, and it's like a big RF megaphone. So you have a big dish that sends up your million satellite TV channels and then it broadcasts it back down from spot beams to the ground, so that everyone with a little satellite TV antenna can watch TV and have a cable run. Now the Optus D1 satellite is just like that. It operates in these ranges; it's sort of bandwidth; it's mainly used for television with some other interesting narrow band things, and I thought, well, let's have a look at what's going on there. These are the publicly available frequencies: how the transponders are broken up, what the telemetry frequencies are, what the uplink power control frequencies are. And this is quite important, because uplink power control is a constant power signal that comes down to inform the ground of how much power it should send back up, because depending upon the amount of moisture in the atmosphere, sort of how much cloud cover and so on, you have to change the amount of transmit power on the ground so that the signal ends up hitting the satellite, and that has security implications too. So this is actually some publicly available images. This is the earth station where they send the signals up; the map contains all the sort of TV media agencies. If you look at the photo that they took inside, you can, with a bit of research, recognize... remember that motor I showed you at the beginning? That rack is full of them. So you can look at the manual; they have some various other sort of more or less well known antenna satellite control systems. So what do you need to actually decode these sorts of signals? You need a satellite, you need a dish or some sort of down converter, and an SDR. If you're going to be looking at narrow band stuff you have to get a down converter that has very high stability; usually the ones for satellite TV are very cheap because they can drift quite a bit, but that's okay because the satellite TV signals are very broadband. It's not the case for the narrow band stuff. If you actually do a search for the satellite, it happens that the manufacturer of the transponder lists the satellites that the transponder is on board, and then you can look at what kind of modulation would be used for the telemetry downlink. This is actually one of the telemetry signals coming off that satellite. You have the telemetry sidebands, you've got one pulse per second tones, you've got a constant subcarrier, and this is actually zooming into those telemetry signals. You can demodulate that with GNU Radio and then you can do some visualizations. I didn't look much further than this, but it's kind of cool when you create these raster plots. You can tell me what these sort of triangular shapes indicate. Counters, exactly. So you can see that there's something going on there, and that might be a starting point, but there are a lot of other narrow band streams coming down from that satellite. So the idea is that you sort of pick one, lock onto it and try and decode it. The problem is that because you're going in blind, when you initially send out the signal you have to specify all these parameters, so if you're multiplying signals together, if you're differentially encoding them, if you're doing error correction, modulation and so on; you don't have any idea. So then doing it in reverse you have to go through all the permutations, and it can make your head explode if you do the most wrong bad. So if you don't know, basically you try the most common ones, you try and automate it and try and script it, and the idea is that you can sort of use some hints along the way to determine how successful you're being.
So most satellite signal is phase shift keyed, which means that instead of changing the frequency they change the phase for sort of each one and zero that's sent through, each symbol technically, and so you need to determine what kind of modulation, or what sort of order, is being used for the phase shift keying, the symbol rate, how quickly they're sending it through, and you can do this, and you can do it quite easily. So I saw these transmissions, I thought, okay, we'll pick one of those, and then what you do is you can multiply, or rather raise the signal itself to a power, so you just, like, square it or put it to the fourth power, and as soon as you get these peaks on the FFT it actually is indicative of the fact that you've hit the right order of the modulation. So this was actually order four, so we actually have QPSK, which means that in each symbol that's transmitted through this phase shift keyed stream there are two binary bits. Also we need to find out how quickly they're being sent through, and so you can do this in simple, what's called cyclostationary analysis, where you multiply the signal by a lagged version of itself, and that will reveal any sort of periodic components, and here it turns out to be a good old 9600 baud. Also it's forward error corrected, and without figuring out what the convolutional decoder parameters are you're going to be left with noise. So the idea is that you go through all of them, and then until you find that the error rate from the actual Viterbi decoder drops to zero. So a Viterbi decoder is designed to decode convolutional codes, but there's this metric, this sort of special count that it keeps inside, and when you actually hit the right parameters that will drop to zero, very close to, and that's the hint that you've been able to identify the right parameters. So you can see there that drops to zero, which means that I've got the right, you know, code rate and so on. This is a flow graph that kind of emulates that process, but going through the permutations is going to be... it's cool because it's open source, you can extend it any way you wish, and instead of me having to click on all of those buttons and try everything out, I made a little block that actually went through them automatically, and then it would go through each permutation, and then it would find that it was locked, and it would just lock onto that, and then I could proceed with the next stage. So I've got now ones and zeros again. Looks like there's a lot of structure in there; not. But, like, it's been probably scrambled, which is a common thing to do to sort of whiten the data in case there's sort of any repeating patterns; you want to keep it as pseudo-random as you possibly can to send over an RF link. But once you find a good descrambler, I just tried a couple of popular ones, turns out that it's still not quite right because you have long runs of ones and zeros, so it's probably differentially encoded. So if you differentially decode it, it looks much better; you can see what appears to be repeating patterns and headers and payloads. So now you've got that structure, you can go through the individual bits and search for these repeating patterns, and I discovered this sequence would be repeating all the time, so it's probably going to be some sort of preamble. And then once I would look at the preamble, I was able to find what looked like packets, and it turned out to be some ancient character oriented packet assembly. So you have the synchronization bytes, start of header, start of text, end of text, CRC at the end, and then a number of fixed length messages within these packets coming down from the satellite, and each contains this ID. So then I wrote a parser for that, and it would parse them out and group them by ID, and then I discovered these sort of patterns between each successive transmission, and what looked like a header: you would have varying numbers encoded as 16-bit signed integers, 8-bit signed and BCD, and I thought, hmm, what could that possibly be?
Well, I have no idea, but if you graph them they look pretty. So I thought they are probably some sort of measurement, maybe, that's proceeding with time. If you plot the x and y then they might move around like this; there might be some sort of telemetry from various sensors placed around the country that are all being uplinked from remote locations to be collected at one central spot. I really am sad that I wasn't able to record more data, because I only recorded 2 minutes' worth, but if you would record it for, say, a week or a month, you could then graph this and see how it would change with the time of day, so if it's related to human activity or some sort of natural phenomenon. So more data is always the key. This is a sort of TDMA downlink, so I think people with remote satellite terminals are using this sort of shared part of the satellite spectrum there. This was another one that I just could not figure out. It looked like there was something there; you can see that hump there; there might be a signal modulated in there. Scratching my head, I was running all of these sorts of tricks, nothing came out of it, and in the end I found some satellite frequency allocation for a US satellite, and it turns out they actually put white noise channels through the satellites to do presumably some sort of RF measurement and testing. So there's actually nothing encoded there; it's just purely white noise. So something to bear... pardon?
Well, if it was one-time then it would be digital, so there would still be some sort of digital artifact there, but this was well and truly, well, as far as I can tell anyway, white noise.
Coming back down to earth again, terrestrial signals in HF. STANAG is a military mode and it's well documented. You can run the similar sort of analysis; that runs at 2400 baud; you can see that peak coming out there, which is indicative of the baud rate. Again, if you run the far sort of correlation then it matches exactly with the spec in terms of detecting the frame lengths, and so this is a way, once again, if you have a blind signal and you have a database of known parameters, you can sort of look at them and ID them. It's actually 8PSK this time, so a change in the PSK phase will encode three bits, and if you create the demod in GNU Radio you can see the eight sort of points coming out on the constellation there that encode the data. DRM is a really cool digital mode for HF that sends near CD quality, I think it's near CD audio, over HF, so you can get incredible distances but then have really nice digital audio coming out the other side, and it's OFDM like we mentioned before. This is MATLAB code that I put together from a paper, and you can obviously create some pretty plots, but looking at the peaks will tell you information about the OFDM parameters, so symbol durations and so on. And then what's kind of cool is that it matches up exactly with class B encoding DRM, because there are different classes, A through E I think, that are used for different protection classes depending upon how far you want to send the signal or how good you want the quality of the audio to be. So once again it's a good way of sort of figuring things out. Instead of running MATLAB code, though, I just realized it was easy to create the simple flow graph in GNU Radio where you run the autocorrelation again of this OFDM signal; you see a peak coming out there; you change the lag amount, remember with cyclostationary analysis there's a lag, you set that as a lag and then you see these additional peaks coming out of the additional FFT, and again that matches up with those exact values that we got through the other way of doing it. So that's sort of some simple techniques you can use with open source software to try and figure out what a signal is.
Let's talk about FasTrak a little bit. I've showed you what it looks like; I've sort of told you about all this already during our pre-introduction, but the interesting point here, the last one, is that these tags actually do not actively transmit back. What happens is the toll reader will transmit an interrogation, and then it will keep a carrier wave, basically an unmodulated carrier, hitting the FasTrak tag, and then the microcontroller inside will actually change the load on the internal antenna, and what that means is that the internal antenna will kind of take a little bit of that energy, and then when it modulates a one, say, and then a zero, it won't actually absorb that energy and it will be reflected back to the original tag reader. So it's kind of weird that you have the situation where you might have these sort of antennas pointed down and these are both transmitting and receiving at the same frequency at the same time. I hadn't actually kind of played around with this before, but it's pretty neat, and it makes some things easier, because you're using the single signal you don't have to worry about kind of transmitting back; it takes more power from the FasTrak tag because these just contain long circadian batteries; and also then you don't have to worry about synchronization, because you don't have two different clocks that are running in different clock domains. So apart from actually having antennas at the toll reading booths, there are antennas that sit on street lamps and signposts on the highway, and apparently they're useful for 511 traffic information. And so I thought, well, I'll go along and see what I pick up. So that's the antenna, 3200 there, and I've got the spectrum coming out on the laptop, and that is actually the constant interrogation pulse coming from the system. So I recorded that and had a look at it. This is actually on the side of the Golden Gate Bridge at the toll booths. I went there, and I only realized afterwards that I actually parked in the authority's reserved parking spot, but I was very quick, and so I kind of pulled myself in this bust off and was pointing the Yagi at the toll tags just to see what I could find. But this is the trick, this is the really cool key that makes it all happen: it's this little device here that I managed to find on eBay, and it's all about magnets. So it's called a circulator, and the idea is that you can send RF energy in one port, it will circulate around to the next port and not continue around to any subsequent port. So the transmit energy from the interrogation transmitter would go in one, go to two, and then go out on the antenna; anything coming back up the antenna, i.e. anything reflected from, say, a toll tag, will come into two and then exit three and go to the receive side of your radio; anything coming from the receive side doesn't matter, because the receive side won't be transmitting. But this was one little test set up there: you've got the circulator connected to the Yagi that's being kindly supported by that stuffed monkey, and the tag leant up against the cup. So this is the signal that's being transmitted out as the interrogation signal, and then this is looking at what's coming back in from the antenna. Now circulators aren't perfect; they won't be able to suppress all of the energy sent through, so there will inevitably be some that's passed on to another port, if you don't have a matched antenna for example. But here on the very left hand side you can see there are those lines jumping up and down; this is the payload of the interrogation, so it's identifying with an ID who the interrogator is, and funnily enough it uses exactly the same modulation as Mode S: it's pulse position modulation, and
then after that you kind of have that slightly wavy line emanating out just imagine that was flat this is the constant carrier that should be backscutter modulated by the tag and so what happens is when I hold the tag up you can see now something has happened there on that line if I flip between them you can see that there is some additional activity very weak but there's definitely something there past that interrogation and then my toll tag has come up so that's the response if you use the good old way back machine you can find the department of transports spec on this and then you can implement it so this screen shows when the preamble is found in the response and there's this peak from the tuned filter for that preamble and when it detects a peak in the filter meaning that backscutter modulated response has been sent by tag it activates the decoder here and then once again we were talking about slicing the pager signal once again we're slicing the response so the top is one, zero is at the bottom and then we get binary art and we have a payload that we can then CRC check for validity and then again, completely unencrypted you have the tag ID and the flow graph is relatively simple there's a transmit chain in there or we'll see ok well I hit all of the really gruesome stuff but you know I like big flow graphs you can do them hierarchically as well there's a cool feature where you can encapsulate stuff and I get crap about it all the time but I never do I just like having it all flat and if you want to look into it more I highly recommend that black hat talk that was given I used quite a bit of that as inspiration in reference by Nate Lawson of Rootlabs ok so let's cover direction finding quickly we have direction so up till now we've been talking about the contents of signals trying to figure out what's actually inside them this is more about where they're coming from which can also be used as a bit of a key as to what's going on where somebody is it was 
originally used for radio navigation before radar it can be used for signals intelligence emergency aid you could find somebody lost somewhere with an emergency beacon, wildlife tracking obviously and reconnaissance and believe it or not it is actually a sport too so it was used in World War I and II the white stations along the British coastline the U-boats and that was quite a successful use of the technology they're much more primitive than what we can do now but still pretty cool and apart from just sort of VHF and UHF signals that we would normally use you can have some incredibly large arrays like the one here in Germany you can see for size comparison those are cars that are parked in the parking lot at the bottom of the image so that is an absolutely huge installation and this is used to to pinpoint transmissions from all over the globe that are transmitted on HF or long wave now in terms of the sport you actually have amateurs going out with Yagis and they have these little fox hunts where the transmitters are hidden in the forest or something and they have to try and find it so it's a highly directional antenna so that you can pinpoint where the signal is coming from and that's a crazy serious German ham so the first way that we played around with was called pseudo-doppler direction finding and the idea is that you use a Doppler effect to cause a perturbation in the radio waves and then exploit that to figure out where the signal is actually coming from so I'm sure you all know what the Doppler effect is as you move an object it changes the waves but what you can do is you can actually have you can see my highly technical and refined wave passing through the center of the circle the vertical line there on the circumference is actually the antenna so the idea would be that you rotate the antenna from point A around point B through to point C through the wave they're by compressing it in frequency and then as you come out the other way through D back to A 
it's moving the opposite direction and so you expand the wave a little bit so you end up with this Doppler shift that you can see there in the bottom diagram and that will change the frequency slightly of your signal and then FM frequency modulation relies on this very effect it will change your carrier wave in frequency depending upon the signal so what you're doing is you're just adding an extra tone adding an extra bit of modulation so this works really well with FM signals and it means that you can just use any old FM radio or SDR to do the determination of the direction so the problem is that once you take everything into account for a single gratuitous transition you would have to rotate that antenna at a ridiculously fast rate that would be physically impossible so what do you do instead well you do it electronically you have a fixed array of antennas that don't move but you actually switch in between them electronically using an antenna switch and what it means is that instead of having that continuous motion you do those discrete steps with the same sort of response and you can filter that a little bit to emulate the original continuous motion so this is kind of your classic homemade RDF it was a little box, you would hook it up to an existing FM receiver and the LEDs would then indicate the direction that the transmission was coming from and this is sort of the internal component or system diagram and the stuffing green is all clocked together which means that it's all synchronous which will mean that a certain frequency is introduced into this original signal and you need to focus in on that one frequency to figure out the direction this is the circuit diagram just for reference and then of course you're going to look like maybe a little bit weird driving around with all this stuff hanging out of your roof but hey that's exactly what I did so I went colour, I got an SDR and I wrote a bit of mapping software and I got the dark mobile happening so I made 
my home main antenna array there so if we recall this little diagram all that is done in software all that is what remains after doing all the rest in software so these are suction caps that you use to transport windows with I cut out the tin soldered some sort of tuned elements on top put it into the Santina switch that I got as a free sample from an RF company and then I applied the FPGA code that ran in the USRP-1 so that the clock that was controlling the actual SDR was also controlling the antenna switch and the beauty about that is that the frequency then that you get out that reaches the computer is exactly synced to the rate at which the antennas are rotating so you can narrow in on one specific FFT bin that is guaranteed to be the signal of interest the Doppler tone that you can then determine the phase from to determine your direction so this is the receiver I had two laptops in the car one doing the tracking one doing the mapping the flow graph I won't go into the details there but you've got the source coming in you generate your reference sine wave and then the Doppler tone you also extract from your incoming RF and what the trick is that you compare the phase between your reference sine wave and the sine wave that comes in from the Doppler signal the difference between those phases will actually give you the direction of your signal that's the trick so it's a phase comparison with a known reference wave so if you look at the FFT of your incoming signal you see how you have that peak there that's the Doppler tone and so what you do is you take a reference which might be the blue one I think and the green one is your Doppler tone that you've been able to filter out and then you determine the phase there and that literally is one of your signal so I thought we've got to test it we'll pick an obvious source like that big tower we'll look up a frequency that is at that tower, drive around X marks the spot for reference and every time we drive around stop 
we take a measurement and then after a while it kind of ends up sort of roughly matching up on the red the thing is you have to be really careful because RF is black magic through and through that area highlighted in green and then you come down from a hill into sort of a lower portion before another hill and the RF waves would bounce off the back of the hill behind me and creep up sneakily on my array on top of the car and so the direction that was reported by the system was actually behind me because that's where the wave front the main wave front was coming from and as soon as I came over the next hill I ended up having a black run because there was no obstructions so reflections are very important to deal with and to filter out from your measurements so I repeated it again this time in Mountain View that's where work formally was and you might know of a big company that is based in Mountain View and they have cars with all sorts of stuff attached to their roof so I thought I would pay them a visit with a car with stuff attached to its roof so I went for a drive down shoreline through Google trying to find pinpoint this particular radio transmission so that's the Doppler approach it has some drawbacks, it's okay but what you can do is you can actually use all the four antennas again and then instead of doing this kind of phase comparison you can get nitty-gritty down dirty with some serious math and one of the popular algorithms is called multiple signal classification music and the idea is that models incoming waves are sinusoids and then I won't go into math here but you have an array response that you compute from your array manifold which models your antenna setup and then the peaks there will determine the direction of arrival so you can imagine those points there on the x-axis of where the antennas are and as your wave front comes in they will all hit each antenna at a slightly different point in time and then you can determine that phase difference 
between each individual signal you can you can derp the phase turns I didn't say derp did I maybe I've been talking too long you can determine derp what this is pretty good you're welcome so this is finding that array response here I have I think I had just four antennas in a row you tell the model that you have four antennas in a row you just express it as a matrix and then what it does it'll go through 360 degrees and simulate what the array response would be and then when you get the incoming signal you run that through each particular degree and then so that goes from 0 to 360 across the bottom and then you have that peak that matches the exact array response the advantage is that you get much higher resolution but you need as many radios as antennas now before we only need one radio for four antennas this is a sort of higher end SDR that Edis Research has it's called the quad radio but I had a little bit of fun with it you know how you can get those nerf style USB missile launches so the idea here is that it acquires you and then locks on so if you look closely when I move the radio around it'll track it wait for it there was no fire but there was no audio maybe it was turned down I said fire and when it detects that it shoots you so I set it up there again you know this is not the cheapest SDR but I just chucked it in a boot with a big SLA battery to keep it powered while I was driving around and so here just to do a calibration test you can see that as I walk around so if I go for a little drive here then once again I've repeated that route through Google's campus but you know I pick some other frequency and I guess it's kind of keeping pretty good track of it except for there down below but you know as I said those arrows creeping because of reflections if you're an urban area with no line of sight to your transmitter then it'll reflect off other buildings like the reflections from that primary surveillance radar as well and this is the Gunnu radio block 
that you can download and if you have some sort of other setup where you might connect two of these together with a single reference you can create this sort of thing alright please checklist if you're going to be driving around like this make sure you have your radio paper amateur radio license helps I had some antenna structural redundancy by having a string that I put through each of the suction caps just in case one would fly off I can't really drive more than 40 miles an hour because then I get some serious vibrations in the tin it's kind of kind of scary it's good to be clean shaven I guess and if you have any radios that are in fact used by the police like the Motorola XTS radios it's always good to hide them because unfortunately many of them or some of them don't know that they can be used as legitimate ham radios so they get very suspicious when you see what are you listening to listening to the cops or what's going on and then because I had all these wires coming in I couldn't actually open the door because it was coming in through the window so if you sort of turn around and just try and disconnect all the wires in the back it looks a bit sus so take it from me alright so more security stuff do not try this wherever you are so with pages if you don't like a doctor I'll read the first bit and then here's your arch nemesis in hospital you need to distract security so these automated alerts were sent out I can't quite remember now but it was something to do with rotation of guards or shift changes something like that so in mode S do you want to reach cruising altitude a little quicker so as I said with all of these things they're all unencrypted it's illegal to transmit but all the protocols are there you can implement it with these sorts of tools do you think the pilot made the wrong choice in deciding to land do you want to display a message on everyone's radar screen you know there's ASCII art if you send out enough transponders with different IDs then 
you could probably spell something so this is ACARS now so this is the text messaging from the aircraft do you not want to fly on a particular aircraft so these things are automatically sent by the avionic systems they're incredibly complex and they're in their self-checks and it's really interesting to see the sort of reports that they send out was the flight that you were on a little bumpy RR's Rolls Royce do you want to message the cockpit privately so in the spec if I recall correctly there are four assigned labels that address the four supposed cockpit printers but I would be pretty certain that a message might be displayed on one of the displays so for satellites as I was saying there's that uplink power control that controls the amount of power that is sent up by the ground station so it's usually kept at a minimum because it costs a lot of power to send up kilowatts usually if the sky is clear you can just send a few watts and it's much cheaper for the part of the transmitter heavy rain and a few kilowatts cost more you want to keep the cost down so what you can do is you can turn your signal a little bit higher than theirs and it actually says this in the satellite manual that damn it I can't read it sorry a malfunctioning uplink power control system can interfere with other services and even damage a satellite traveling wave tube amplifier this is the fancy amplifier in the RF megaphone that amplifies the weak signal from Earth and sends it back down if you end up sending a higher power signal than what the amplifier can take it will probably bust and it's very unlikely they'll be able to go up and fix it so you can it's possible therefore to wipe out one of the complete transponders using that but you know you need some pretty serious equipment to do that so fast track you don't want to pay a toll again in your life you know this only goes over a short distance but if you potentially hooked up a 900 megahertz amplifier you could go over and over pass and 
then interrogate everyone in the past underneath you you want traffic management to think there's some sort of auto stampede happening on the highway can you just stand there and then basically respond with everyone everyone's tag do you want to keep tabs on someone just you know set up your reader wherever you want and see if they drive past privacy concerns I mean that's the thing right, you drive up the highway it says in fine print in the fast track thing that you will be read at other locations for other purposes like traffic monitoring and so on but I don't think anybody really knows that and how long do I keep the data for what's their retention policy with all that's been going on lately does it get aggregated into other databases probably so don't forget that you know if you ever get bored say if you get bored at the baseball there's always SDR to keep you company so yeah most important thing is be legal and be safe only transmit in the bands that you can you'll have mobile phones you automatically get a license to transmit in the cell bands you can get an amateur radio license and transmit in the amateur bands and do experimental stuff there but elsewhere is not a good idea so thank you very much and if you'd like to know any more information I put a lot of IRR stuff on my wiki my main websites and documents, my main projects a lot of things like the direction finding and additional blocks for new radio and stuff I keep on my github I'll be pushing the fast track stuff and if you want to email me personally or at my work address then my emails and my twitter handle yeah I sent a huge deck to Defcon so it should be on the CD I have an older version of these on my wiki the deck that I showed you today has been significantly upgraded but in time I'll post those as well as the videos and things like that and yeah if you have any questions please come and find me and talk to me
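As an added illustration of the pseudo-Doppler direction finding described in the talk (this is not the speaker's flow graph or GNU Radio code), the simulation below switches a 4-element circular array in step with the sample clock, FM-demodulates the result, reads the Doppler tone out of the one bin locked to the switching rate, calibrates the phase against a transmitter at a known bearing, and then shows the reflection failure mode where a stronger echo from behind drags the reported bearing. Array size, radius, dwell time, carrier offset and noise level are constructed assumptions; the captures are synthetic.

```python
import cmath
import math
import random

N_ANT = 4          # elements in the switched circular array (assumed)
DWELL = 16         # samples the switch spends on each element (assumed)
CYCLES = 64        # full switching cycles in one capture (assumed)
RADIUS_WL = 0.125  # array radius in wavelengths, lambda/8 (assumed)
TONE = 0.05        # carrier offset from the tuned centre, cycles/sample


def synth_capture(bearing_deg, noise=0.01, seed=1):
    """Constructed baseband capture of an unmodulated carrier arriving from
    bearing_deg, as seen through the antenna switch stepping around the
    circle.  The element nearest the source sees the wavefront first, so its
    phase leads by (2*pi*r/lambda) * cos(theta_k - bearing)."""
    rng = random.Random(seed)
    phi = math.radians(bearing_deg)
    amp = 2 * math.pi * RADIUS_WL
    out = []
    for n in range(N_ANT * DWELL * CYCLES):
        k = (n // DWELL) % N_ANT                       # element selected now
        psi = amp * math.cos(2 * math.pi * k / N_ANT - phi)
        s = cmath.exp(1j * (2 * math.pi * TONE * n + psi))
        out.append(s + complex(rng.gauss(0, noise), rng.gauss(0, noise)))
    return out


def add_reflection(direct, reflected, direct_gain, reflected_gain):
    """Superpose two captures, e.g. a weak direct path plus a strong echo."""
    return [direct_gain * a + reflected_gain * b for a, b in zip(direct, reflected)]


def fm_demod(samples):
    """Quadrature FM discriminator: phase step between adjacent samples.
    The antenna switching shows up here as the Doppler tone."""
    return [cmath.phase(b * a.conjugate()) for a, b in zip(samples, samples[1:])]


def doppler_tone_phase(samples):
    """Phase of the demodulated Doppler tone in the single FFT bin that is
    locked to the switching rate (switch and SDR share one clock)."""
    demod = fm_demod(samples)
    period = N_ANT * DWELL
    usable = (len(demod) // period) * period  # whole cycles, so the DC term cancels
    w = -2j * math.pi / period
    acc = 0j
    for idx in range(usable):
        acc += demod[idx] * cmath.exp(w * (idx + 1))  # demod[idx] is the step into sample idx+1
    return cmath.phase(acc)


def calibration_offset(samples, known_bearing_deg):
    """Learn the constant phase offset of the whole chain from a transmitter
    whose bearing is known (the 'big tower' drive-around)."""
    return known_bearing_deg + math.degrees(doppler_tone_phase(samples))


def estimate_bearing(samples, offset_deg):
    """Bearing is the calibrated difference between the reference phase
    and the measured Doppler-tone phase, wrapped to 0..360 degrees."""
    return (offset_deg - math.degrees(doppler_tone_phase(samples))) % 360.0


def bearing_error(estimate_deg, truth_deg):
    """Smallest signed angular difference, in degrees."""
    return (estimate_deg - truth_deg + 180.0) % 360.0 - 180.0


if __name__ == "__main__":
    offset = calibration_offset(synth_capture(0.0), 0.0)
    for truth in (30.0, 200.0, 330.0):
        print(truth, round(estimate_bearing(synth_capture(truth, seed=7), offset), 1))
    # Failure mode from the talk: a strong echo from behind drags the answer.
    mixed = add_reflection(synth_capture(30.0, seed=3), synth_capture(210.0, seed=4), 0.3, 1.0)
    print("multipath:", round(estimate_bearing(mixed, offset), 1))
```

The multipath case reports roughly 210 degrees, the direction of the echo, not the 30 degrees of the real source, which is why a single bearing taken in a valley or an urban canyon should be cross-checked from a second position.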