One announcement from our friends from VOC here. Please, as this is the radio talk, please switch off all radios that you should have in your hands. Please switch them off. We have interference with our microphones here and we cannot start the talk. So please switch them off just as a matter of safety.

Before we start, the usual announcements: be nice to the people of Zigeli. We want to be welcomed here again. Take away your trash. Save water wherever you can, except when drinking it; drink more water. Lower the noise for midnight. We are more than 4,000 guests, 180 villages, 1,000 active angels, thousands of hours already worked.

One more announcement. You will see a phone number on the slides for the translation. If you want a translation on DECT, you must dial 8012-8012, not the number that is displayed on the slides, as this is wrong. So it goes.

Welcome to our speakers. We will also have a special guest. We all got these famous radio devices and many of us are keen to get more of them. We will have a talk that will last approximately 45 minutes. Thereafter we will have 15 minutes of Q&A and then I will announce a special procedure regarding all of us who want to get their radio. We will have a special procedure that ensures that everyone gets one and that we don't have accidents or manslaughter when going to the point of access. All right. Welcome to Sec, RFguy and Schneider from CCC Munich.

Thank you. All right, thanks a lot. Thanks a lot. As many of you might guess, we have been under an immense amount of pressure the last week, so please forgive us if we forget what our slides contain and what we're talking about. We have prepared this presentation today, like a few hours ago. Okay. Many of you, I guess, were at the CCC camp four years ago in Finowfurt, and at this camp we had, I guess, the first large-scale rollout of an electronic name badge at a CCC conference. It was the r0ket and was actually also done by a team of the CCC Munich.
And I think many people had a lot of fun with it and we still see that thing around on international conferences when we travel the world. Every now and then someone has one around their neck and that's really great, because the goal of the r0ket was to have a conference badge which gives people the opportunity to play with microcontrollers, play with embedded systems and still use it after the conference. That's why we did put on a rechargeable battery and a nice display, so you can play with it and have some fun afterwards.

Now, four years later, we're here and there's another badge. But the fact that there's another badge isn't just a given. I mean, one year ago we were thinking about, hey, shall we do something for camp again, an electronic name badge? Yeah, probably, but not a r0ket again, not the same thing again, because we would turn in a circle and do the same thing again and again. We wanted to raise the bar a little bit higher still and have something which has an actual use still after the conference, and harvest the opportunity we have to do something like that at the camp. And we were thinking about different stuff but none of it was really that good. We didn't think that we could come up with a concept which really satisfies us, also in learning something and producing a badge which is useful.

But thankfully, at the same time, Sec and me, we were working on the Iridium satellite stuff and we came in contact with SDR. And so we got into that in the beginning of 2014 and worked our way to receiving some satellite data in summer of 2014, and we got hooked. We really thought that SDR is a thing that everyone should play with and it's not actually that hard to do anything with it. And we came to the idea that maybe it would be a nice thing to have an SDR in the form of a camp badge, which sounded interesting but is also a huge challenge. I mean, it's high-frequency stuff and all that black magic which is involved.
So we started looking around: hey, maybe there are designs which are open source or which are at least somehow accessible and not that complicated, and do something with them. And what we came up with is, okay, so there's the HackRF, and I guess the most prominent member of the HackRF team is Mike Ossmann, and it's open source, which makes it very accessible, but it's also a quite complex design with lots of parts, lots of also expensive parts, and huge capability though on the other hand. Then you have these RTL-SDR sticks. They're simple in terms of circuitry but also very limited in terms of frequency range, and you can't transmit with them. And back around in 2014 there was also the portable SDR on Kickstarter. I think it can also transmit but it's limited to, I think, the lower part of the spectrum, and us as to-be satellite hackers wanted something which can also go on to higher frequencies so we can play with satellites using the badge.

So we had a look at the different designs and we also reached out to the members of our local hackerspace about what kind of contacts they have to chip vendors, because obviously that stuff is expensive and you have to get support from the chip vendors to somehow donate parts. And we realized, okay, we have a very good contact to Maxim, which is a chip vendor, and NXP, which is another chip vendor, and the HackRF is actually using lots of chips from them, or at least we can replace some of the chips on the HackRF by parts from Maxim, for example.
So we contacted them and it took some time, but we got very positive feedback from both of them, and so we continued onwards and started to modify the HackRF design a little bit to make it into a badge. And of course that's only possible because the HackRF design is open source and it's accessible and you can look at the schematics, you can look at the artwork of the PCB, and you're actually free to manufacture it, modify it, do something new with it, and that's what we wanted to do. And now actually Mike Ossmann is here; he came to camp after he heard about the radio badge, and he's one of the core members of the HackRF team and I think he wants to talk to you for a few minutes.

I think it's on, oh, it's definitely on. Thank you so much, thanks guys. This is HackRF One and it was something that I spent years of my life working on. When I first learned software defined radio some years ago, I started using it for wireless security research and I immediately had the thought that more people in the hacker community need to know about this kind of tool and how to use software defined radio for all kinds of wireless security research and experimentation and just developing new radio systems; the sky's the limit, literally. And early on I started trying to give talks at conferences and I started developing a training program, and to this day I still teach very often a two-day, very intense course on SDR that I teach at information security conferences, and I try to help people in our community learn more about SDR and how to use the power of such a flexible radio system for whatever you wanna do. And at some point I started working on the HackRF project, and one of the big motivators for me was to have a platform to use for my class and to have a platform that people could use to teach themselves how to use software defined radio and how to do creative things with radio that people have never done before. And I made it open source hardware; I make everything that I do open source
whether it's hardware or software or the content. Like, I'm currently producing a video series that is based on my two-day class and I'm putting it online under an open content license, and everything I do is open source. And I wanna tell one little story before I hand it back over to these guys. When I designed HackRF I was able to get some funding to work on the project early on, and a big part of that funding was a beta run, and does anybody out here have a HackRF Jawbreaker? Nobody? A few? There's a hand? A couple. HackRF Jawbreaker was the beta board of the HackRF project. It predated HackRF One but it's very similar, and the original concept for HackRF Jawbreaker was that we would make several hundred of them and give them away at ToorCamp, the US hacker camp. And I was so excited about giving away hundreds of these to a bunch of hackers in a field and see what they could do with them, and then that didn't happen because the project fell behind schedule, and I was so disappointed that we didn't get to distribute all the beta boards to a whole bunch of people who are all present in the same place and talk about SDR and see what people could do with them. And now, years later, thanks to the fact that everything I've done has been open source, this team has been able to take the design and provide you with the radio badge, which is an amazing adaptation, and I couldn't be happier. I am so excited to actually be here when my dream is realized, that we are giving now not just hundreds but thousands of hackers an SDR platform in a field, and I can't wait to see what you all come up with. And before I hand it over, I just wanna say, because I brought too many of these and they're really heavy, I have Throwing Star LAN Tap business cards and I have a lot of them, so if you see me tonight or anytime through the weekend be sure you grab one of these from me so I have less to carry in my backpack back with me to the airport. Thanks guys.
Thanks Mike, we're really happy to distribute that stuff. And now comes the part where we actually wanna thank someone, and that's the CCC, for supporting us and covering the remaining cost of what was left after we got an enormous amount of donated parts from the chip vendors: lots of RF parts from Maxim, the main CPU from NXP, some transformers and coils from Coilcraft, and Infineon is providing the RF switches on the badges. I mean, it's at least, for example, 60,000 RF switches, which is quite a number.

Now, we are a team in Munich who has done the r0ket badge, so we have a little bit of experience in doing larger runs of electronics, or with large I mean like a few thousand, which for some people is like nothing but for us it's a lot. And I wanna talk a little bit about the timeline. So last summer we thought about the project, and it took us until winter that we started talking to people about it, and then it took another like one or two months for people to make decisions about if they wanna support us or not. Which led to an insane timeline, which led to the fact that on Saturday our transporter was leaving from Munich and on Friday everything was finished. I mean, the last PCBs were falling out of the factory. It was like just in time; it was a very stressful time, but we somehow managed it. I'm still not sure how, but it worked.

So we on the way had all obviously some fails in the prototypes, and we were running so fast that almost any failure at the first prototype would have stopped the whole project right there, because we wouldn't have any time to spend a second prototype before the production starts. But the thing was, the first prototypes came back and nothing worked, nothing at all, and after debugging for like two hours we realized, hey, looks like the pinout in that EAGLE symbol, which is our design program for the PCB, has a problem.
There are a few pins swapped, and we didn't know why and what, but in the end we realized, okay, if we drill a 0.25 millimeter hole at the right point of the PCB by hand, through to the other side, on the backside of the PCB of the chip, we can open up a connection and make it work. And thankfully that worked and the first prototype started working somehow, which was almost a miracle. So some advice: read the latest version of the data sheet, because for some reason NXP decided in February 2015, hey, maybe there's a problem in our data sheet, we have to swap some pins in there, but they didn't update the library in EAGLE and we just used that, so we had to redo that. But yeah, word of advice: look at the latest version of your data sheets.

Now, after the first prototypes worked, we had to do a lot of modifications on them, and time was so critical that we had to send off that PCB to the fab house which was going to produce them, and the lead time was around four weeks and we didn't have any time anymore for a second prototype. So we shipped them off, they were going to be manufactured; the same time we started to do another prototype though, still to verify the layout and make sure that we don't populate bad stuff. Of course the second prototypes didn't work either. Now there's a special part in the design and it connects these two big blue ground planes; this is one ground plane, this is one ground plane, and there's a little piece of copper in the middle of the PCB, you can't see it, it's inside the PCB, which connects these two parts.
Now in the prototypes they were missing; somehow the board house managed to delete it from the data set, and we were going crazy. We were thinking that we have to fix four and a half thousand PCBs to make this thing work. It was quite a stressful night, and I was in the US at that point, driving in the car, having a phone conference with Germany and trying to figure out what's going on, almost going nuts, but it turned out it's a problem with the prototypes, not with the final PCB, so everything well. Now therefore some advice: start earlier than us. It led to crazy stunts to get this thing going, and the lead times for PCBs and components can be really long and you get pressed hard to make this thing happen. We had to resort to like over same day shipments of prototypes starts to squeeze out one or two days to get the fab house happy with the deadlines. It was not good; the stress level, it peaked above any sustainable limit.

Then another thing. Now, okay, everything worked, first prototypes somehow worked, we shipped off the PCBs to the manufacturer, did some second type round prototypes, and then the manufacturer of the second prototype says, hey, by the way, your pads for the small components are way too big, you need to change that to get this thing done. What? But the first one didn't, and now you, what's going on? And we realized, okay, our layout tool has wrong footprints for the small components there, and you can see that in the picture; in the final board now we had to reorder some components in the bigger layout package. Therefore some advice: check all your footprints, every single footprint, even if you think it's so simple that it can't be wrong and your CAD package has it right. Probably it doesn't, and that's what happened to us.

Now that was a little overview. I took part in basically every little aspect of the project and managing stuff, but RFguy knows the RF parts of our hardware in and out, so he is going to take over and explain a little bit about the hardware. Yes.
So first one, as far as the idea for me, so I know to make a HackRF it's easy to lay out, you make a very similar design. First one, I use another layout tool than Mike does, so I have put the complete schematic at new, and also we use another controller to ask any space or we need a controller. First one, we try to use the same controller as the HackRF, and he told us, yeah, you can get this controller if you're end of this year, something like this, we don't have how many in stock. And then we ask, yeah, we can have another controller, and now we have four, three, three, three, this 180 pins. So first of them, we have more I/O pins, so thus we make additional parts. You don't use only a software defined radio, although we like to have a badge, so you need a display. Was also very nice to get ones; this reassembled uses Nokia 6100 displays from a shiny factory. Was Schneider tried to get them when we get prototypes; was also a very interesting story to get this display. By the way, we have the same five buttons like the r0ket on this part, and also other controller have two USB ports, so maybe this is also a nice part, so we add an additional USB port.

This is our schematic of our radio badge. We look at the components from the HackRF and see there's a chip that's have inside a mixer and a voltage controlled oscillator and a PLL. This is, think, very expensive; this I mean is about 60 dollars, so the chip are cost, and we have this very nice apart from Maxim's. You have also a Fouse CEO PLL by controller, so he tried to use this, and also I tried to find a mixer; this have a very wide frequency range, this is from Linear, they have about one megahertz, about six gigahertz. So we redesigned with another people, this is called next called Feldwig, we this meet together, we designed a completely RF card in you. We look over sides what you can get, so we have exchange a low noise amplifiers to a Maxim type, we have exchange RF switches, also we need the transformers. You have all the look; this transformers is on USB three
transformer, was also very works very nice in the application here. So you start the layout, and then, when I think, this is the layout with an 100 pin BGA; to try to lay out this is the pain, absolutely. The first one say, okay, layout is easy, I make many layouts also in my job, and say it's no problem overall to make a layout at this, and so we done. Okay, it tried to make six weeks as one was three months aligned to get this very nice design as far where we hope now we got finally get this finished.

A second thing was, so the second prototype, see, ask our supplier, I can make a second run of prototype? Oh yes, we are on holiday. And within three days I get a new manufacturer; many thanks to them that you get this prototype very fast. Or many thanks to them, they say, okay, you have a problem with your footprints, this is not zero four or three or two, so this is a zero three six is a zero three. All done, it's a very nice design, cost me a lot of time, but it's working. We think we have some errors inside; we have now 40, 4500 developers try to play with the device.

And here's a basic error specs. So we have RX and TX range about 50 megahertz to four gigahertz. We have started, okay, we make a final measurement of this so we get a very nice spec to you, but the time running absolutely out. I'm here on the campsite August two to get the camp running; many thanks to people from Munich, they get this project to run without me. You have an eight bit ADC, this is the same, and DAC; this is about 40 dB dynamic range, and the maximum output power depends on the frequency range, is about five to 10 dBm. We have some a little harmonics problem from the PLL at frequency above 2.7 gigahertz, and yes, you have to do with our measurement and with an inverted inverse IQ demodulation, so maybe we can shift out some harmonics. So onboard antenna is hope fuel each unit; it doesn't measure and met at the moment at around 2.5 gigahertz. We'll do it here at the camp; we make a measurement on the antenna and this will be around
2.5 gigahertz. What is easy come out and standard SMA connector and move a resistor, and we also make an antenna workshop that is not terminated at the moment. So I give to Sec; he makes something with usage and about GNU Radio, and we make a live demonstration here as I many times our team hope to check.

Okay, I'm more the software guy, so I'm talking about the software. The badge has basically two modes. The one is the camp application, which starts when you turn it on when you get it the first time. It's quite similar to the r0ket firmware; actually we did reuse quite a bit of code. It can display your nick, you can choose your font and animation, same as with the r0ket. Also we have now a color display, so you can choose the color. You can also display graphics; there are scripts in the git repository to convert any image to the format that this thing needs. We are working on a web app so you don't have to do it yourself, but it's not finished yet; unfortunately we were running out of time a bit.

The second thing is, you can use it as an SDR. That's the main thing; you want to play with all the frequency stuff, have fun with it. To get into the bootloader menu, hold the joystick to the left while you turn it on, then you get a selection of the applications on the badge. One is the camp and the other one is the hackrf firmware. There are two versions on it, hackrf and hackrf old. The device identifies over USB with a unique ID and we got a new one, but if you have GNU Radio installed from your Linux distribution it is too old to know about this, so it won't work with that ID. So we have the hackrf old, which fakes and says "I am a HackRF One", and so all the tools work with it, but maybe in a few months the other one will start to work properly.

Yeah, we have two little demos prepared. One is like radio transmission and receiving, so you just put your badge into the hackrf mode, which I already did, and then you use a standard GNU Radio Companion FM receiver. So Schneider, do you want to show the
other side of the setup?

Okay, as you can see, as you can maybe here, move this up. Alright, so what we have here is just a Raspberry Pi and it's attached to this radio here, and we're just looping a file of music from a Raspberry Pi onto the radio and we're using the integrated antenna, and it's right now running at 2.495 GHz and we're declaring this a scientific experiment, so therefore it's in ISM, no problem.

And some little advice: don't forget, when you use to play with a SDR, when you use a frequency from 2.3 to 2.7, you use a lot of little power than this mixer, so for experiment it's a very nice idea.

Okay, yes, and the radio on Sec's side is receiving the same signal. It's an analog FM signal and he's demodulating it on his PC right now.

This is one of the things that you can do, and the other thing is just, you can do like nearly every protocol if you know what to do. So we have this remote-controlled power plug, and you can of course, if you know the sequence it sends, you can even turn it on. In fact it's just a five-bit address and, I think, four bits for the four different power sockets and one bit for if you want to turn it on or off. It's a really simple protocol, and of course it's not documented very well, but you can also listen to it and just press the buttons on the remote control you get when you buy those, and it's really easy to figure out. So that concludes our live demo, and can we have the slides back?
Thank you. Now it's the call for your participation. We kind of, as you heard from Schneider, ran nearly out of time and produced those at the last minute, and also the software is working but not very full-featured. We would be very happy if any of you wants to contribute or play with it, so if you do something nice with it, just send us a pull request on GitHub and we will gladly merge them. Some easy things to do is like, you can write loadables and nick animations for the camp firmware. There's these optional RGB LEDs on the badge that you can populate yourself; there's still no ready-made software to turn them on besides some test pattern, I think. Or you could write some games; at least with the r0ket people did that. You can also modify the firmware itself. We planned to, that's why there are two more holes, we planned you should be able to keep your badge this way, but someone needs to write software to turn the display. And there is some potential to make this badge save power by powering down the CPU when it's not needed that much; then your battery would last even longer, if anyone wants to look in this.

The other part is with the SDR stuff. As this badge has a display and a battery, you can do SDR stuff on the badge. We did not have time to do this. We have a branch in our Git repository which is called Porta, which tries to do FM decode, but we didn't quite finish; it doesn't really work. If anyone is knowledgeable enough and wants to take over or continue, there is a thing called PortaPack, which is an add-on module for the HackRF which contains a display to plug into the HackRF, which then makes it like a more improved version of our badge. You can probably steal code from them and implement it on our badge. So there is FM receive, transmit, spectrogram, badge to badge communication, or even like video streaming to the thing. You can do like 25 frames per second on this display; you just need to get the data to the badge somehow.

After this talk, after the Q&A, we are going to give
out the radio badges to those who did not get them yesterday. We will have a person next to the exit, which will be the start of the line, so there's no point in racing to our village right now, because if you arrive early you will just get sent away. Follow this person and you will be fine. If you receive it, please read the included instructions on assembling it. Check the wiki if you have any problems; if you find any problems that are not documented, go ahead and edit the wiki, it's a wiki.

Tomorrow we will start with something we call the SDR scavenger hunt, because we want everyone to actually use this thing. We've prepared a few challenges where you need to use it and solve some problems or find some stuff. We will use our Twitter account to get updates to you. There are really easy challenges at the beginning so everyone can join up. If you are scared, team up with someone, and use of search engines is heavily encouraged; you don't have to reinvent the wheel every time. The starting location will be at our village. You need a radio and some SDR-capable device like your laptop or an Android with a USB On-The-Go adapter. The end of the challenge will be on day 4 after dark and the winner will receive some prize.

And also on day 4 at 9pm there will be the radio meet-up. If you do any cool software modification or hardware modification, we will give out prizes to the coolest of them, and we will also make a photo session so we can document all the cool hardware modifications that people make.

And last but not least, we have to spread out the thanks, because people from the Munich CCC really helped out in assembling all the things, getting the stuff here in time, and a lot of angels helped in flashing them so they all have software on them and you can just turn them on, two days ago, and a lot of other friends helped out here and there. You know who you are; if you hadn't helped us it would not have happened. Thank you.

Thank you all very much for the thundering applause. You have really
deserved it. Thank you very much for this nice, kind and good effort to bring us further in our mission. Before I do more announcements on the radio handover procedure, we want to have about a quarter of an hour Q&A. We have two microphones on the top of the aisles here. My guess is we will be able to take two or three questions from each mic, so if you want to ask questions please queue up in front of the two microphones now. I see people arriving. Okay, we have the first question here.

Hi, my question is just: in your estimation, is it possible to turn the badge into a DECT phone?

I think so. We don't know enough about the protocol really, and you have to always remember that the badge is half duplex, so it can either send or receive at a certain time, and you have a certain bandwidth limit of 20 megahertz, but I don't think that DECT will use that much unless it's frequency hopping. So it really depends on the specifics of the protocol and I don't think we're qualified at the moment to answer this question definitely. So that's the challenge for the Congress then, I guess.

So in general, I mean, you have a headset port on the badge; it has support for Apple-style headsets, so you have a microphone and some audio output. If you can manage to get the protocol done, you can certainly send or receive DECT calls.

Okay, next question here.

Okay, thank you for all the work, really nice. I got one and it's very cool, and now I'm really interested in where I can find Scott. I want to help him with the luggage, you know.

Sorry, I didn't get that.

Okay, where can I find Scott? I'm really interested in one of the HackRFs.

Mike Ossmann?
Yes.

Sorry, I don't know if he's down now. Okay, so maybe have a DECT phone, you call him. Okay, okay, ah, there he is.

So yes, when everybody's waiting in line to get their badge tonight, I'm gonna go walk along the line and hand everybody who's waiting some swag, so everybody gets something.

Okay, so we have solved that problem, thank you. Next question.

Hi, I appreciate your very well-made SDR badge and I'm interested in how software-defined radio will proliferate in consumer and professional electronics over the course of, in the future, like what possible applications.

You don't understand you.

What possible future applications of SDR and consumer electronics do you see?

Yes, many of currently devices that you use using SDR; just in a cellular phone have a multi-protocol chip that was a real SDR, so software-defined radios and many applications will be every more like you can switch radio communication just by a software update, will be the future and most of our devices.

To interject, I think in the end software-defined radio will take over most of the radio stuff, but from a hacker viewpoint you can play with everything you see, and that's what interested us the most, not the commercial applications.

Hi. Go, next question.

Thank you for making this device and giving it to camp attendees. My first question is, I imagine making this device into an approach sensor of sorts. Is it capable of doing radar-like stuff or measuring approach and outputting those values to a computer or another device?

And one point is that this device probably does not have the output power to actually do some radar-like stuff, and the second thing is, I'm not sure, I think the fact that it's half-duplex will make it very hard to do. You would probably need two devices to do something like radar was it, but we have not experimented in that direction, so I'm not really qualified to answer this.

That's also saying the lost
you have don't have a clock input design, you have to make a hardware modification. You have a clock output, so you need a small hardware modification to synchronize two of the radio badges, so we will publish this in near future.

I have to interject: some of the badges have a clock input.

Yes, we have a really problem to get the clock generator. We have three different versions of this chip on the badges, so we have a lucky F1 is half an clock input.

Okay, next question.

Hi, do you have any idea how the HackRF One compares to the badge in terms of low-frequency applications, like for example thirty megahertz RFID is nothing?

Okay, there the HackRF is most likely much better than our device, because first of all our RF switches are specified from a hundred megahertz upwards, and also the low noise amplifiers are specified from forty megahertz upwards, and also the transformers are more starting at a hundred, so I'm pretty sure that the HackRF will have a better performance if you go lower in frequency.

Yeah, even beyond this, switch to stop other at four gigahertz, even the power, the low noise amplifiers also only four gigahertz. You may be working up for a gigahertz, but you have just try it as a hacking device.

Okay, thank you.

Okay, this is probably a million ways wrong, but could you technically hook up an ESP8266 chip, it's a two dollar wifi serial module, and communicate with our computer with this, maybe send the video you were talking before, because this chip can handle up to 320 kilobit second audio streaming. Maybe you can figure something out with video or other commands. What do you think?

It's extremely hard to understand the what, I'm sorry.

ESP8266 wifi chip, two dollars. Connect to it, you can stream 320 kilobit second audio; maybe you can stream your video for the board or some other cool things.

You can certainly hook up such a chip to the radio.
I don't see any problem doing that. I'm not sure if it's the point of adding another radio to the radio to stream something, but you, I mean, at that point it's basically a display driver.

So most geeks only have one badge at a time.

That's true. Oh, so that's a good point. So many of you get a badge and maybe even after the camp you don't have an immediate use for that, but if you're part of a hackerspace I'm pretty sure people will come up with the use for these things. So we would suggest that you share the radios with your fellow geeks and come up with projects. Maybe you need two of them, but rather have them do something and work on a project than them sitting in your drawer. That would be really great.

Last question.

I wonder if it's probably also possible to watch TV with it, like receive DVB-T?

Yes, it's already done, as some people told me. Yes, already receive DVB-T with GNU Radio.

Okay, another thing: when we go outside and you get to grab your radio badge, please have your entrance tickets ready. You need your ticket again as you get your wristband, and your wristband, to get your radio. Only one wristband, one ticket, one radio. Thank you very, very much.