Okay. Hi. Thank you all for being here. Yeah. I'm Bastian Blössl, and I'm currently at Trinity College Dublin, where I work with vehicular networking, and some of these vehicles use Wi-Fi or Wi-Fi-like technology to communicate with each other. So, I looked a bit into these topics and also use software-defined radio as one of the main tools for my research. So, I have a computer science background, so I don't know much about all this fancy coding stuff. So, what I usually do is I build some out-of-tree modules with GNU Radio, and usually they implement some particular technologies. So, I, for example, have a GNU Radio wireless LAN transceiver, or I also have a ZigBee transceiver, or 802.15.4 actually, because ZigBee is a brand name for the whole stack. So, if you are interested in this stuff, there's a website where you at least have some pointers to more information, so what it can do. And, yeah, so actually, this whole talk was a bit motivated because I had these different tools for digital communications, and people were often asking me, like, okay, how do I now use it, or what can I do with it? Because GNU Radio usually focuses on the physical layer part of the game, and so people wanted to see how an external application can use GNU Radio from the outside to send data or do some security-related stuff or all that kind of things. So, these questions about how to interact with GNU Radio also came up a bit on GitHub, and so I thought I'd give a bit of an overview. So the goal is to give a bit of an overview about what you can do with GNU Radio. So, and all these examples, they should, so as I said, I just talk about how to interact with GNU Radio, and it's pretty independent, actually, if it's now a ZigBee transceiver or a Wi-Fi transceiver or Bluetooth or LoRa or whatever; it's more like the interface between GNU Radio and the outside world that I wanna focus on. Yeah, so ZigBee is the base for these technologies, but that's not so important.
This is just some buzzword, because I have the feeling that not a lot of people know what 802.15.4 is, but a lot of people have heard about ZigBee, for example. Okay, and something that I put in because I've seen that now the Pluto has been handed out and there are a lot of people now looking into the topic is, if you wanna try GNU Radio or if you wanna try my modules or whatever, then what I did is I worked on a virtual machine image for GNU Radio that I pre-configured, and I, for example, used it a lot in workshops or at university, because it's pretty cool to get started. So if you now have a device and you just wanna play around with GNU Radio, or actually with a lot of SDR applications, you can download the virtual machine and just use it. And yeah, it comes with a lot of stuff pre-installed. So there is GNU Radio, there is Gqrx, which is very nice. Also GNU Radio-based decoders, for example, for FM, AM or also FM RDS. So some modes where you can use your SDR, or you have the spectrum analyzer Fosphor, which is very popular, where all these nice images are from, where you can just scroll through the spectrum, see different technologies. Or you have Inspectrum, which you can, for example, use for reverse engineering and stuff, and a link to the GNU Radio wiki. So I think if you, for example, don't have a Linux system or just wanna start something and play with it, then that might be an interesting option. What I, for example, so currently it comes with RTL-SDR, UHD and HackRF drivers pre-installed, because those are the devices that I had access to, but now since I heard I get a Pluto, it will support Pluto from next week. And then you hopefully can just, so also, for example, for UHD, everything is downloaded, so you don't need internet and stuff like that. So, and then this is how it looks like when it's running, and it comes also with a bit of a development environment. So, for example, you have editors, compilers and everything.
It uses PyBOMBS, everything is installed, so even the object files are still in there, so you can go change something and it should be pretty quick to re-compile. One thing that I think is particularly interesting is it uses kind of a staged build with Packer. So Packer is just a tool that lets you kind of programmatically create a virtual machine. And what I did is, you start basically from scratch. I start Ubuntu-based, but then I still define how everything should be installed. So it's kind of a bit opinionated. You know, you've seen, I've used GNOME, for example. So you start with Ubuntu, then I have another layer which uses the virtual machine, the Ubuntu one, and just installs the SDR apps. And this is basically what you can download. But the cool thing is, for example, if you are working at university, or if you wanna give a course, or if you are interested in a particular technology that I didn't cover, is that you can just add another layer on top of it and use this as the base image. And for example, only install now some amateur radio software. Or if you are at university and giving a course, you can just use this as a base and re-brand it and maybe add, so have another desktop image, or for example, add a link to the university course so that the students just have to click there and get all the instructions and stuff like that. And yeah, that's a bit the idea. And then when you have all these kinds of environments set up, and hopefully then it's easy to use because it's just importing a virtual machine appliance and starting it up, then what I'm planning to do, but this is currently only a placeholder, is when 3.8 is out, I thought like having some tutorials out there which use the virtual machine, and then there are supposed to be some small modules, like how do I do a replay attack? How do I decode FM, for example? So that you have some instructions that fit to this environment. But I don't know how far I will get with them.
At least I plan to kind of do some of this stuff that I did as workshops also as modules there, based on the VM image, so that you can really just follow through it in the very same environment without going through a lot of hassle. Okay, so when you have this virtual machine or whatever, okay, we can actually go back to the initial topic. It's an easy way to play, for example, with some digital technologies. And what you get when you install GNU Radio and, for example, my out-of-tree modules is you usually get mainly the PHY. So I usually always say you only get a physical layer. And then usually there's also a MAC block. So for example, I have a Wi-Fi block that is called MAC. And this is where people get a bit irritated, because it's not doing any CSMA and stuff like that, because that wouldn't work really well in GNU Radio on a normal PC, because this is where you have to have very strict timings, where you have to sense the channel and access it. So this is not gonna happen. Usually the MAC, in my case and in other modules, only adds the bare minimum, a header, to it. So that another Wi-Fi card then sees this as a regular Wi-Fi data frame, for example. And decodes it. So basically this is what the GNU Radio module is doing. So the main contribution is the PHY and not the MAC. So then people wonder, okay, what do I wanna do with it? Because it says Wi-Fi transceiver, and then they ask me, okay, and how can I send a Wi-Fi beacon? And I said, it's not really connected to the network stack. So the question is, what can you do? And I hope in the talk I have some, let's say, ideas of how you can interface GNU Radio, not only for this Wi-Fi stuff. So how can you send data? How can I interact with another commercial device, for example? Okay, and so this is what you get when you have the Wi-Fi transceiver you downloaded. You have the physical layer. This is actually where all the interesting stuff happens about signal processing.
But so this is what this talk is not really focusing on. In this case I have the PHY just connected to itself. So it's a loopback interface to send frames and then decode them itself, for example. And this is the MAC block which I just mentioned, which doesn't have anything to do with CSMA. It's just adding a static, constant header that I put here, so you can say, okay, it's a Wi-Fi data frame for this BSS with this source and this destination MAC. And because the GNU Radio example is supposed to be self-contained, what I did is I just generate some hello world string messages, and then they get wrapped in the Wi-Fi frame. So this is what's happening there. So if you would look in Wireshark, and I hope we do this later a bit, you would only see, okay, so the physical header is extracted by the wireless LAN card, so we don't see that. Actually, the physical layer header just tells the receiver, hey, there are 500 bytes following and they are encoded with QPSK, rate one half, or something like that. And this is the MAC header, which is just a MAC data frame, and then there's the string hello world in there. So this is what you get in there. And then here I feed it to Wireshark, just so that we can easily see what's happening with the frames. Here I have a short video that is supposed to give an idea of how this looks, and hopefully, so if everything works, I'm a bit worried about my CPU, we can send Wi-Fi frames wirelessly, but we'll see in the demo later. So what's happening here is that you start it up, and then it's just constantly sending Wi-Fi frames with hello world in there. So you can decode them with Wireshark; they are valid frames. But here is the question: okay, now I have some static setup and that is not really helpful. Okay, it's an example in GNU Radio, but now, okay, where to go from here?
And one of the things you could, for example, do, which is an easy extension to that, is you can say, okay, I have a static message in there; you can use the GNU Radio Socket PDU block, which opens a network socket for you, and this is then kind of your gateway into GNU Radio. So you can have, for example, any external application that sends UDP packets there, and whatever is in the UDP packet then gets wrapped in a Wi-Fi frame and sent out through your SDR, for example. So this is, for example, it can be a bit interactive. What you can, for example, do, I don't know if maybe you already heard about netcat, which is a console program that opens a connection where you can just type something, and each line is then sent as a UDP frame. So for example, if you're into amateur radio, let's say, and you have, let's say, an RTTY physical layer and wanna just type some text and send that out through your radio, then this would, for example, be the easiest interface: just connect to GNU Radio with your program, and then every line you type is then forwarded into the flow graph and could be sent out. So this is one of the easiest ways to connect, or here on the bottom I have an example in Python. So the only thing is just to show you that it is really, really easy to kind of set something up and then have something that you can do programmatically, because if you're in the Python world and know how to get in and out of GNU Radio, then you can do all your external logic from somewhere else and create your frames, see what you received, and so on and so forth. So this is a simple example. I also have this here as a video so that you might have an idea of how this looks. Again, here it's not really interesting that it's Wi-Fi; it's just any physical layer that you can interface, and here at the bottom now I can type hello world.
So on two lines, so for every line it created a Wi-Fi frame, and then the payload is hello and world, and here on the bottom I just have a Python script that's just iterating and sending and sending stuff again. So this is already, I guess, quite nice to extend the radio with something, connect something external to it. Then I have some other ideas, so it's getting a bit more complex, because the first thing that people think about when we do networking is, okay, we wanna connect to the network stack, so the TCP/IP stack of Linux, for example, and that's also supported by GNU Radio. There was this old script, like tunnel.py I think it was called, that I only heard bad things about, but now there's this nice TUN/TAP PDU block, and with this it's really easy to connect to the Linux network stack. You need a bit of a script. I have that as part of my Wi-Fi module, because you need some commands, okay, to set up IP and stuff like that, but it's really doable. So here what it's doing, it's again just getting some, so I didn't tell you what a TAP device is. A TAP device is just a virtual Wi-Fi interface, so it looks like it would be just an Ethernet card to the PC, and it feeds data in there, but you can then get them in user space. So basically I also have a very short example of that one. So for example, if you use the ping command, the ping command will send this ICMP packet to your virtual network device, and the virtual network device is connected into GNU Radio with this TUN/TAP block, and then here I'm pinging something, and then you can see that these ping ICMP packets get through the Wi-Fi transceiver and then can be decoded with Wireshark. So here it's loopback, but over the air it will just work the very same way, so there is no kind of simplification or shortcut in there. It's really kind of then sending out a valid ICMP request, for example. So this is already a bit more complicated, but you also get a lot of benefit, because if you have IP then you can do basically everything.
Okay, so the next stage in it's getting complex is something that I wanted to include because I think it's very interesting, but this is kind of a Wi-Fi thing only. So when you look at the Linux kernel, then it looks roughly like that. You have your user space application, like your browser. It's sending data through the network stack, and then if you have a Wi-Fi device, then you have, for Wi-Fi, the MAC layer and a configuration layer, like in which Wi-Fi network am I, and then they interface with the driver, and then the driver uses the card to send it out, basically. So this is what's happening with a real Wi-Fi card in your laptop. Now what you could do is you could use a virtual Wi-Fi interface, and this is something that the Linux kernel already includes, because there is the mac80211_hwsim module; when they implemented the wireless access points, or hostapd for example, they had a virtual interface that really shows up in your PC as a Wi-Fi card. So you can set channels, you can open an access point, all that kind of stuff, and this is then rather easy, or hopefully, to extend so that the virtual Wi-Fi device is now not just looping back but just uses GNU Radio, and then you could have GNU Radio connected to this. So there was a guy who was doing that, but then unfortunately he had like some issues with open source licensing and whatever, so the implementation that's already there cannot be shared or whatever. So it's a bit unfortunate. So then with this configuration, I just wanted to add it. I don't know if it's so interesting, but it's really nice, so you see that the SDR could actually be integrated really nicely as a real Wi-Fi device in that case.
Okay, so then there was another thing that was also mentioned, that came up on GitHub, because usually what I knew some months ago is that, yeah, when you wanna create some MAC headers, for example, this is a really tedious and annoying process, and here I just have an example that shows you the way you don't wanna do anything. Like, if you just, for example, in this case it's just a simple Ethernet frame, when you wanna create it in Python it's already complicated. You have to look up the exact patterns and bits and have to care about network byte order and all that kind of stuff. So this is really something annoying, and this is also the reason why I have the MAC block only as one static frame that I once programmed, and it's put just in front of every packet, and I don't do anything more, because implementing, for example, wireless LAN headers, like everything, like the management frames, beacon frames, deauth frames, QoS frames and all that kind of stuff, you would have to do a lot of this complicated stuff, and that's why I didn't look into this any further. But some guy then asked, can I connect Scapy to your wireless LAN transceiver, for example, and this is actually, to be honest, I didn't know about it, so I also had to look it up, and it turns out, so Scapy is a really nice library, and one thing it can do particularly well is crafting packets. It's like a bit of a domain-specific language that allows you to just create all types of network packets very easily, and I thought the easiest way to see this is to look at an example. For example, we have now an Ethernet frame and we just set some of the values we want, and then this would be the whole Ethernet frame, which was there in this complicated struct earlier, and then you could, for example, add an IP on top of that, followed by UDP, and the payload for UDP is hello world, so then you have your whole packet in there, and this is just one line of code, basically. So this simplifies a lot, and for example, I have this example a
bit more in detail. It also shows advanced features that we don't really need, but it tells you how comprehensive it is. Like, for example, here we have the destination, there are two things, so it will create one IP frame to GNU Radio, one IP frame to the bulk. Here we have something in parentheses, which means it's kind of creating a frame with TTL 1, TTL 2, TTL 3 and so on and so forth, and then it basically does everything for you. And I think this is really nice, because what it means is that instead of sending just some data payload through a UDP port, you can have this kind of one-liner and create, for example, also Wi-Fi or ZigBee frames and then send really more complicated frames very easily out through the radio. And one question here is, why do you wanna do that? I mean, one reason for this is because we can, and the other is it has some minor advantages, because, so let's say you already have a Wi-Fi card, so you can send out anything with your Wi-Fi card, so that's not the problem. But depending on what you wanna do, I've seen that some drivers then start to mangle the frames, or if you wanna send some invalid frames on purpose, let's say, then some drivers try to fix something for you, or if you want, for example, some time-stamping in the driver and stuff like that. And this is something you get around by using an SDR, because the SDR doesn't know about anything; the physical layer doesn't know about this stuff, and it will just send out the frame, guaranteed, as it is, so it won't touch it or anything. So this is one of the advantages, I think. And another one is, as I said, for example, wireless LAN is also used for vehicular networking, and then it is a bit harder to get a prototype for this technology, because it has a different bandwidth and is sending on a different channel, and then you can pay a lot of money, or you can use, for example, the SDR. With the SDR you can tune wherever with any bandwidth you want, so this is, for example, one reason. And then you can also do it with ZigBee. I also
think that it's pretty accessible doing it with a software-defined radio, yeah, and so in that case it's really easier, in my opinion. Also, if you already have an SDR, and most of you now have an SDR, then you can just use it and play a bit with ZigBee devices, because then it doesn't cost you anything, because, for example, some KillerBee or whatever alternatives are there, some USB devices for the PC, some of them at least cost quite some money. Okay, so that's it. How does that look like? So we got rid of this strange MAC block and now can feed something into the Wi-Fi receiver directly, for example, and then we would connect Scapy here. It sends a valid Wi-Fi frame through UDP, and then we can send it out. So to give you just some ideas of stuff you could do: you have a one-liner that gives you a Wi-Fi beacon frame with a certain SSID that is broadcasting, or something else you can do is you can fuzz some packets, and fuzzing just means that you just try to fill in the data randomly, basically, and then you can see if the driver reacts to packets that are not standard compliant or just unusual or whatever, and can see whether it crashes, whether it works or whatever. So if you want to, for example, fuzz this beacon, you just wrap it in fuzz, and for every parameter that's not explicitly set by you, it will, yeah, then just insert whatever. And another thing is for deauth; this was the guy who was asking on GitHub, he wanted to de-authenticate some wireless LAN devices, so you can create a de-authentication frame, for example. It's also just a one-liner. And another one that's fortunately also supported by Scapy is, if you have, for example, ZigBee devices, in my case I have to have one of these devices at home, the smart meter, and it also has ZigBee, so you can, for example, so this is just a sniff of what the device was communicating, and then the cool thing here is, okay, I have some sample data, I know its PAN ID and its rough configuration, and then I can just create some .15.4 frames myself and send them out
through the SDR and see how the device reacts. And since I already got the dump, I can, for example, fill in the destination PAN ID, which is something like the SSID of Wi-Fi, or I can also fuzz the device and stuff like that. And now I'm running a bit out of time, but maybe it works fast. So here, that's the virtual machine that I was talking about. Oh no, it's freezing. This is my whole laptop freezing. No, very sad. Okay, yeah, so actually what I wanted to show is the live demo with sending some frames. What's going on here? Yeah, VirtualBox doesn't like it, yeah, I'm sorry. So yeah, what I actually wanted to show is just, yeah, just this live, where I have the script and can send it with the HackRF to the Wi-Fi card in monitor mode and see that everything looks also like it's supposed to be over the air, and that really kind of these two lines basically are enough to really then send valid ZigBee frames with GNU Radio and valid Wi-Fi frames, fuzzing Wi-Fi, fuzzing ZigBee and this kind of stuff. But yeah, I think, yeah, so then, yeah, okay, yeah, then let us ask questions. Do you have any questions?

Yeah, you're forced foreign GR stuff on, do you have a recommendation what kind of resources you need and what kind of USB hardware your laptop should have?

So with VirtualBox you really need the extension pack for USB, but then you get USB 2, 3; that works really well for me. So I didn't have any problems with connecting a B210 through VirtualBox.

So the USB controller is not a problem?
No, for me it, I don't have a big sample, so I just have three devices, and for them it works, so I can't tell more. But yeah, and then with hardware it's just about installing more, so because GNU Radio has this PyBOMBS installer, it's just about adding new hardware drivers, for example for the Pluto.

Yeah, that's what you showed for stake, yeah. So I think some people want to use it for pen testing?

So, for example, for ZigBee I think it's quite interesting, because there is not too much hardware going around. I mean, there are some ZigBee USB devices, for example, that you can use, but I think it's really pretty easy, or I found it easier, to do with the SDR. I mean, I ordered a ZigBee device; I have to see how it works. And yeah, and then it has some minor benefits depending on what you want to do, so sometimes, as I said, the wireless LAN driver kind of touches the frames, does something to it, but you get that with the drawback of lots of complexity; it's much more complex to do it with the SDR than if you just use aircrack or whatever to do it with the wireless LAN chip. So it's more complicated. We need to switch over, so thank you very much. Thanks, thanks very much.
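The talk describes two things worth seeing side by side: the "tedious" way of building a frame by hand in Python (looking up field layouts and worrying about network byte order, which is what Scapy's `Ether()/IP()/UDP()/"hello world"` one-liner hides), and the Socket PDU block as the UDP gateway into a GNU Radio flow graph. The following is an added example and not code from the talk or from the speaker's modules. It hand-crafts an Ethernet/IPv4/UDP frame with `struct`, including the RFC 791 header checksum, parses it back so a received frame can be checked field by field, and hands the raw bytes to a Socket PDU block configured as `UDP_SERVER`. The MAC and IP addresses and the port 52001 are constructed sample values, not defaults of any project.

```python
"""
Hand-crafted Ethernet II / IPv4 / UDP frame for a GNU Radio Socket PDU block.
Added example, not part of the talk or of gr-ieee802-11. All addresses and
the port number below are constructed sample values.
"""
import socket
import struct

ETHERTYPE_IPV4 = 0x0800
IPPROTO_UDP = 17


def mac_bytes(mac: str) -> bytes:
    """'aa:bb:cc:dd:ee:ff' -> 6 raw bytes (the on-the-wire form)."""
    parts = mac.split(":")
    if len(parts) != 6:
        raise ValueError(f"bad MAC address: {mac}")
    return bytes(int(p, 16) for p in parts)


def ipv4_checksum(header: bytes) -> int:
    """RFC 791: one's complement of the one's-complement sum of all 16-bit words.
    Verifying a received header with this function yields 0 when it is intact."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:  # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_udp_frame(src_mac, dst_mac, src_ip, dst_ip, src_port, dst_port, payload: bytes) -> bytes:
    """Ethernet II + IPv4 + UDP; '!' in every struct format forces network byte order."""
    udp_len = 8 + len(payload)
    # UDP checksum 0 means "not computed", which IPv4 permits (RFC 768).
    udp = struct.pack("!HHHH", src_port, dst_port, udp_len, 0) + payload

    total_len = 20 + udp_len
    ver_ihl = (4 << 4) | 5  # IPv4, header length 5 x 32-bit words
    # version/IHL, DSCP/ECN, total length, identification, flags+fragment offset (DF set),
    # TTL, protocol, header checksum (0 while computing), source, destination
    ip_no_csum = struct.pack("!BBHHHBBH4s4s", ver_ihl, 0, total_len, 0x1234, 0x4000,
                             64, IPPROTO_UDP, 0,
                             socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    csum = ipv4_checksum(ip_no_csum)
    ip = ip_no_csum[:10] + struct.pack("!H", csum) + ip_no_csum[12:]

    eth = mac_bytes(dst_mac) + mac_bytes(src_mac) + struct.pack("!H", ETHERTYPE_IPV4)
    return eth + ip + udp


def parse_frame(frame: bytes) -> dict:
    """Decode the three headers again, e.g. for a frame a receiving flow graph handed back."""
    if len(frame) < 14 + 20 + 8:
        raise ValueError("frame too short for Ethernet + IPv4 + UDP")
    dst, src = frame[:6], frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    ihl = (frame[14] & 0x0F) * 4
    ip = frame[14:14 + ihl]
    total_len = struct.unpack("!H", ip[2:4])[0]
    udp = frame[14 + ihl:14 + total_len]
    src_port, dst_port, udp_len, _ = struct.unpack("!HHHH", udp[:8])
    return {
        "src_mac": ":".join(f"{b:02x}" for b in src),
        "dst_mac": ":".join(f"{b:02x}" for b in dst),
        "ethertype": ethertype,
        "ip_checksum_ok": ipv4_checksum(ip) == 0,
        "src_ip": socket.inet_ntoa(ip[12:16]),
        "dst_ip": socket.inet_ntoa(ip[16:20]),
        "protocol": ip[9],
        "src_port": src_port,
        "dst_port": dst_port,
        "payload": udp[8:udp_len],
    }


def send_to_socket_pdu(frame: bytes, host: str = "127.0.0.1", port: int = 52001) -> int:
    """One UDP datagram = one PDU for a Socket PDU block in UDP_SERVER mode.
    host/port are assumptions; set them to the block's parameters. Returns bytes sent."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        return sock.sendto(frame, (host, port))


if __name__ == "__main__":
    frame = build_udp_frame("02:00:00:00:00:01", "02:00:00:00:00:02",
                            "10.0.0.1", "10.0.0.2", 40000, 52001, b"hello world")
    print(frame.hex())
    print(parse_frame(frame))
    # send_to_socket_pdu(frame)  # uncomment with a flow graph listening on 127.0.0.1:52001
```

Every field in `build_udp_frame` is something Scapy fills in for you (and recomputes when you change a layer), which is the point the talk makes; the hand-built version is useful when you want to know exactly which bytes leave the SDR, or to check frames coming back out of a receiving flow graph with `parse_frame`.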