Hello everyone. This presentation will be an update on what we did in the last half a year regarding Iridium. I mean, as many of you probably know, we have been sidetracked by some other shiny new toy, which means that we had a few months in the beginning of this year to actually continue working on Iridium and then kind of had to quit to get this other thing done. So therefore in this presentation I'll try to talk a bit more about the details we didn't talk about at Congress, and we have a few new things actually in terms of hardware and software.

Okay, so I'm going to skip quickly over the stuff we already covered at Congress. In general it's good. This talk is about the Iridium pager network. It was our main goal at the Congress to get some paging messages from Iridium decoded, and that worked kind of okay. We just dissected the pager and had a look at it, but really it was just special chips, nothing to find about them. One of them said Calypso, which is kind of what you expect in a GSM handset from somewhere in the 2000s, but it seems like the Calypso chip inside this device doesn't have much to do with the GSM Calypso. So that's kind of a dead end. Yeah, it's a Calypso and an Iridium satellite. Now the original idea about the Iridium network and why to look at it is it's a simplex system, and the Iridium satellite just sends data down to you. You don't have an uplink, at least for the pager messages. So the Iridium system doesn't really know where you are and it just has to kind of guess where you are. You have to give it a rough estimate maybe, which is interesting if you want to receive messages and don't want to be tracked at the same time. It's 66 active satellites in low Earth orbit, which makes it nice to receive them because they have a rather strong signal because they're quite near to us. Think about 600 kilometers. So with rather inexpensive equipment, you can already receive them, and we'll touch on that a little bit later in the presentation. Okay.
Frequency-wise it's around 1.6 gigahertz, slightly below GSM in the frequency spectrum. Sorry. Yeah, back at the Congress we told all of you, hey, this RF stuff, it's not that hard. It's really more kind of a myth that it's hard, and we just got into it, and we gave you the radios to basically dive into it also. So you're all satellite hackers by now. You have the equipment. Go have fun with it. Go have fun with our tool chain. And at the beginning we started with some RTL-SDRs; that doesn't work really well. We tried with a USRP, that worked a little bit better, but we still didn't get anything with the antenna we had. We bought really expensive stuff to get something going, and we spent like 200, 300 euros on things, and we went to the roof and got our first signals in the FFT, which is nice. Cool. There's something to decode, at least something to work on. And if you look at the waterfall, we have the SDR challenge up right now. I think the website was broken, but in general you're also looking for signals, for example in the waterfall. Anyone maybe who has taken part in that has seen these signals crawling through in the waterfall. And we have some very slow signals going on here. But in reality, they're quite fast. And even if you zoom in a lot, I mean, you only have like eight millisecond long signals and you have to spot them. That basically was what took us the most time. Here you have a packet. It's a preamble, just a carrier, just a pure tone in the signal. And that's quite nice because you can detect that easily, and you can just look at the power in the signal and detect the signal. And then a part in the packet comes which is unique. And we trigger on that in our tool chain to continue decoding the stuff. And here you can see a little bit of the modulation. So here you have BPSK, and you can see that the blue and the red line, they go together. And an RF signal you can decompose into two components to work with them easily.
And of course the two components can go differently or they can go together. If they go together, in this case, you can transmit less information, but it's easier to decode. So that's the unique word with Iridium. And later on the two go into different directions, and that's then, it contains a little bit more information. That's actually where the data section is located with Iridium. At the Congress, we showed you some setup, and we just took an RTL-SDR, stepped on a low-noise amplifier and got some antenna from Mouser, which is some electronics distributor, and put it onto a little metallic plate. And that kind of works okay. It's a lot of, you know, you have to get these components and you have to solder them together, and it's like a big setup. So we have improved that stuff a little bit. If you take an RTL-SDR and just modify it a little bit and take a GPS antenna, an active GPS antenna, it's the most cost-efficient setup you can have. We optimized the tool chain also a little bit. It's more efficient. Then you can actually run it on a Raspberry Pi. So if you take a Raspberry Pi version 2, put on an LCD display, add a battery and an RTL-SDR, you have your mobile pager system, pager receiver, right there. On our wiki, let's see. Can you switch to the web browser? This is the MuCCC wiki. And we have some comparisons of antennas, active versus passive, which you can get as commercial antennas, or how to modify GPS antennas. It's actually quite easy. You basically just remove a filter from a GPS antenna. You just open it and then basically... There's just a big filter in the middle. And if you remove this filter, your GPS antenna suddenly becomes an active Iridium antenna. And we have a slight modification on the RTL-SDR, which is also documented in the wiki. It's basically just adding a little bit of data. You can get your RTL-SDR to supply some power to the GPS antenna, and you get a very good signal out of that stuff.
So what you can build with just a little metal box, and you put the RTL stick in there and a modified GPS antenna, is this thing. It's just a very small Iridium receiver. You just put it in the wiki. It's basically just adding a small coil and adding an SMA connector on the side. It's just a very small Iridium receiver. You just plug it into your notebook or plug it into a Raspberry Pi, and it will give you a quite good signal to receive Iridium pager messages. So the system is mobile, and... Actually, did you skip that? And you just add a battery and you have a mobile receiver setup. And right at camp now, like an hour ago, we tested different options for receivers. So we had the RTL-SDR with the active antenna, and we had a rad1o badge with a passive Iridium antenna. So just take a rad1o badge, you solder on an SMA connector, and you get a passive antenna. It's just an off-the-shelf Iridium antenna. You can get them at Mouser or Digi-Key or something like that. You just screw this thing on, and you get a really nice reception. Actually, a quite good Iridium receiver. And even with the onboard PCB antenna here, you can just use that and still receive satellites, Iridium satellites, actually. And we tested it, we did let it run for half an hour, and with the PCB antenna, you get around 22% of all the packets that you can receive with a proper Iridium antenna. And if you just look, for example, for the Ring Alert channel, you get around 35% of the packets which are decodable, but you can also get with a quite good RTL-SDR or the nice Iridium patch antenna. And as the pager message channel is a little bit stronger, you get even like 50% of all the messages on the paging channel, just with your badge and the onboard antenna. So by now, you just load the software onto your PC, you attach the rad1o badge, and you can start receiving Iridium pager messages or other kinds of Iridium messages. So happy hacking with that.
And Sec later on is going to show you how to actually run the toolchain and get something out of that stuff. So I'll hand you over to Sec, and he's going to talk a little bit more about the software.

Yeah, about this picture, this is on a plane. You can, even with the mobile Raspberry Pi version and a battery, receive anywhere in the world. So we're now going to talk about the software. This is also a quick rehash from the Congress talk. We tried to find stuff about the Iridium information, and I think this slide is really, really great because it was on the internet without any... And it's marked as confidential, and it said an Iridium receiver is probably beyond the reach of all but the most determined adversaries. I kind of like this. If I read something like this, I think, hmm, maybe I can do it. Yeah, this is the first packets we received on Iridium, where you can see the frequency shift as the satellite goes over your head. And as it goes towards you, you see that higher frequency, and as it goes away from you, you see that lower frequency. And this is part of the reason why the Iridium slide talks about difficulty receiving, because when Iridium was built like 20 years ago, it was difficult to capture this, but with software-defined radio, you just say, okay, give me all the frequencies at once, and just in the received signal, search for the Iridium afterwards. The lines with less incline, which are less steep, are satellites that are not going directly over you, but like the plane next to you over the horizon. Hello. Yeah, this is when we were decoding stuff.
You do the DPSK or QPSK demodulation and get lots of bits, and you spend quite some time staring at it, and you see some areas where it's mostly one and mostly zero, but that didn't help us, and we spent quite a lot of time trying to find out how the information is encoded, and this was what last year took us, I think, three months to find out: a lot of documentation on the Internet we found spoke about a code with K = 7, rate 3/4 forward error correcting code, which was all wrong. And sending messages with different messages to ourselves, we finally found out at one point that it's not that code, but just de-scrambling, just put the bits in a different order, and then you started to see, in this case we sent ourselves a message consisting of piece, and you can kind of spot them at the bottom in the message, and there's some stuff in between, and that is supposedly a checksum, and the first checksum we tried, which fits the amount of bits it takes, is a BCH checksum, which needs a generator polynomial, which is, in this case, a 12-digit binary number, which you can just brute-force and skip all the math, and find out that, yes, indeed, this is a BCH checksum with 1897 as generator polynomial, and if you know what it's used, you find, we found one document on the Internet talking about this kind of checksum. So each 32 bits are divided into payload and checksum, and at the Congress we showed more about the bits, separate bits, but we are further on, and the final tool in our tool chain tries to decode these messages as much as possible.
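To make the checksum part concrete, here is an added worked example; it is not code from the talk or from the speakers' toolkit. It takes the generator polynomial the speaker names (1897 in decimal, i.e. 0b11101101001, degree 10) and the "32 bits = payload + checksum" split at face value, and assumes the layout 21 payload bits + 10 BCH check bits + 1 parity bit (the parity bit and the exact split are assumptions for the example, not something the talk states). It shows the GF(2) long division behind a BCH/CRC-style check, the systematic encode and verify, and the brute-force search over all degree-10 polynomials that the speaker describes as a way to recover the generator from a handful of known-good blocks without doing the algebra. The sample payloads are constructed.

```python
# Added example (not from the talk or the iridium-toolkit): BCH-style checksum
# over a 31-bit block with generator polynomial 1897, plus the brute-force
# generator search. Layout (assumed): 21 payload bits | 10 check bits | 1 parity.

GEN = 1897                          # generator polynomial from the talk, as an int
GEN_DEG = GEN.bit_length() - 1      # degree 10 -> 10 check bits
BLOCK_BITS = 31
PAYLOAD_BITS = BLOCK_BITS - GEN_DEG  # 21


def poly_mod(value: int, gen: int) -> int:
    """Remainder of value divided by gen over GF(2) (XOR long division)."""
    deg = gen.bit_length() - 1
    while value.bit_length() - 1 >= deg:
        shift = value.bit_length() - 1 - deg
        value ^= gen << shift       # subtract (== XOR) the aligned generator
    return value


def bch_encode(payload: int, gen: int = GEN) -> int:
    """Systematic encoding: payload followed by the remainder of payload*x^deg."""
    if not 0 <= payload < (1 << PAYLOAD_BITS):
        raise ValueError("payload must fit in %d bits" % PAYLOAD_BITS)
    deg = gen.bit_length() - 1
    shifted = payload << deg
    return shifted | poly_mod(shifted, gen)


def bch_check(block: int, gen: int = GEN) -> bool:
    """A valid codeword is divisible by the generator (remainder 0)."""
    return poly_mod(block, gen) == 0


def with_parity(block: int) -> int:
    """Append an even parity bit, giving the 32-bit word (parity is assumed)."""
    return (block << 1) | (bin(block).count("1") & 1)


def decode_word(word32: int, gen: int = GEN):
    """Return the 21-bit payload if BCH and parity both pass, else None."""
    if bin(word32).count("1") & 1:          # even parity over all 32 bits
        return None
    block = word32 >> 1
    if not bch_check(block, gen):
        return None
    return block >> GEN_DEG


def brute_force_generator(blocks, deg: int = GEN_DEG):
    """Every degree-`deg` polynomial that divides all known-good blocks.

    With a few diverse blocks only the true generator (plus possibly a few
    coincidental divisors) survives; this is the 'skip the math' approach.
    """
    return [cand for cand in range(1 << deg, 1 << (deg + 1))
            if all(poly_mod(b, cand) == 0 for b in blocks)]


# Constructed sample payloads (21-bit values), standing in for captured blocks.
SAMPLE_PAYLOADS = [0x1F3A5, 0x0ABCD, 0x15555, 0x0F0F0,
                   0x12345, 0x1EDCB, 0x00042, 0x1FFFF]


def demo():
    """Encode the samples, verify them, corrupt one, and recover the generator."""
    blocks = [bch_encode(p) for p in SAMPLE_PAYLOADS]
    corrupted = blocks[0] ^ (1 << 7)
    return {
        "all_valid": all(bch_check(b) for b in blocks),
        "corrupted_valid": bch_check(corrupted),
        "candidates": brute_force_generator(blocks),
        "roundtrip": decode_word(with_parity(blocks[4])),
    }


if __name__ == "__main__":
    for key, val in demo().items():
        print(key, val)
```

Because the generator has a non-zero constant term, no single-bit flip can leave a block divisible by it, so any one-bit error is caught; the brute-force search is only 1024 candidates times a few divisions per block, which is why guessing the polynomial from a few known-good words is cheap.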
These are the pager channel messages decoded. Like, the first line is statistics: at which time it was received, and with what confidence of our decoder, and at what frequency it received it, and then you see the LOK, which means the lead-out; the pager channel messages have a fixed bit string at the end of the message, which tells you that the packet is complete and you received it correctly and that it was okay. Then there is another fixed string, which tells you, okay, this is a message on the pager channel, and there's not much information in it, there's like the cell and the spot beam of the satellite that is actually sending it to you, and then there is an increasing number, which has to do with the latitude of the satellite, how high above the equator it is. We did not reverse the number back to the value, but it's not that interesting. The stuff we found out since Congress is we successfully decoded the Ring Alert channel, which is partly similar to what GSM does. Some people from OsmoCom helped us very much with that, and it contains all the usual information, so which satellite it is, which cell it is, the position where the satellite currently is, like latitude and longitude, and the altitude, but I don't know which unit this is in. The satellites also transmit in every other packet the position where its spot beam supposedly hits the Earth, so you could just use an Iridium receiver to know where on the Earth you are, because it sends you, hey, I think you are here if you receive this. And then this is a paging message which pages one Iridium phone with a TMSI of whatever and tells it, okay, I have a message for you, this phone, and then this phone, this is not for a pager, this is for a phone, and the phone connects back to the satellite, it says, okay, I'm here, I'm listening, give me your message, and then the satellite sends the message on a much narrower beam directly to the phone, so you will see lots of paging messages, but you will only see messages
for that phone if you're really close to it. And there's a not fully decoded other packet format which we call data frames, and the only thing we know is that there is a link control word which is quite similar to GSM, and we can decode and verify that the checksum is correct, and the rest is still bits that have not been decoded. We were trying to do that when we got sidetracked with the radio project, so why I skipped this? So you probably all want to do it yourself with your rad1o badge, and I'm going to give a quick overview of the software we wrote. Basically, you just record the signal in your raw recording, you detect where your signal is, you cut it out into pieces, mix it down to the baseband, try the BPSK/QPSK demodulation on it, get a bit stream, and then you need some parser/decoder to make sense of all those bits to get the messages you saw in the previous slide. Just recording depends on what kind of SDR you have; every SDR has some kind of command line utility to record streams. For the HackRF, for the rad1o, you use the hackrf_transfer tool; if you have an RTL-SDR, use that line; and the last thing is for USRP. We are all doing that to standard out in this case, because later on I'll show you the tool which just doesn't do it with temporary files, just does it in a pipe, so you just start it and at the end you get the messages that it just receives. The only interesting thing maybe is the USRP command line has a problem, because the USRP utility also writes some diagnostic messages to standard out and you need some file descriptor trickery to get rid of that. So the detector just searches the stream of samples from the SDR, it calculates a rough FFT each millisecond and tries to look at the FFT and says, okay, here is a signal, because the FFT is higher than the previous few samples. That code is all due to Schneider, and then it grabs that chunk of the signal and passes it on to the next utility.
It also is able to detect that there is more than one peak at the same time and grab that chunk multiple times, so if there are two iridium signals at the same time at different frequencies, it can decode it that way. This is the sample picture. In the upper picture in the waterfall you see there are multiple signals at the same time. That's probably because you can see multiple satellites at the same time. If your setup is sensitive enough, you can see neighboring satellites also. And then the next utility, which grabs that, modulates it to the baseband and does a filtering step, so you have the signal clear in the middle and the other signals are on a lower level, so it can be decoded. That's the second utility, which uses a fine-grained FFT to find the exact start of the signal, because the other utilities further on really like to start at the signal start and don't have any noise in front of it, and mixes it down to the baseband. It also does something, which is in theory not necessary, it rotates the phase of the signal, so the signal also always starts at the same point in the phase space, which is if you use proper code for the demodulation it would not matter, but since I wrote it quickly it's necessary at this point. The demodulator is a homegrown QPSK demodulator, which just looks at the signal and tries to decode the signals. It also outputs a confidence rating for each signal, for each symbol it decodes, so at the end it can say, okay I think 99% of those symbols are correct, which is a good value, and if it starts to drop below 80%, you can probably just forget it and throw it away. 
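The detector and mix-down stages just described, as an added illustration that is not code from the talk or from the speakers' toolchain. It works on a constructed complex (IQ) sample stream: a pure-Python DFT over each 1 ms window, a per-window noise floor taken as the median bin magnitude of the previous window (a simplification of "higher than the previous few samples"), burst start/end tracking per bin so that two simultaneous bursts on different frequencies are reported separately, and a final mix-down of a cut-out burst to baseband. The sample rate (64 kS/s, so 64 samples per millisecond), the burst positions and the threshold factor are assumptions chosen for the example, not values from the page.

```python
# Added example (not from the talk or the iridium-toolkit): burst detector on
# 1 ms windows, per-bin burst tracking, cut-out and mix-down to baseband.
import cmath
import math
import random

SAMPLE_RATE = 64_000                 # assumed: 64 samples per 1 ms window
WINDOW = SAMPLE_RATE // 1000         # 64
_TWIDDLE = [cmath.exp(-2j * math.pi * k / WINDOW) for k in range(WINDOW)]


def make_signal(bursts, total_ms=100, noise_amp=0.2, seed=1):
    """Constructed IQ stream: Gaussian noise plus tone bursts.

    bursts: list of (start_ms, end_ms, dft_bin, amplitude).
    """
    rng = random.Random(seed)
    iq = []
    for i in range(total_ms * WINDOW):
        s = complex(rng.gauss(0, noise_amp), rng.gauss(0, noise_amp))
        for start_ms, end_ms, k, amp in bursts:
            if start_ms * WINDOW <= i < end_ms * WINDOW:
                s += amp * cmath.exp(2j * math.pi * k * i / WINDOW)
        iq.append(s)
    return iq


def dft_mag(chunk):
    """Magnitude of each DFT bin of one window (naive O(n^2) DFT)."""
    n = len(chunk)
    return [abs(sum(x * _TWIDDLE[(k * i) % n] for i, x in enumerate(chunk)))
            for k in range(n)]


def median(values):
    s = sorted(values)
    return s[len(s) // 2]


def detect_bursts(iq, factor=8.0):
    """Return sorted (start_ms, end_ms, bin) for every burst above the floor.

    The noise floor is the median bin magnitude of the previous window; the
    first window is assumed to contain noise only.
    """
    n_windows = len(iq) // WINDOW
    floor = None
    active = {}                      # bin -> start window
    bursts = []
    for w in range(n_windows):
        mags = dft_mag(iq[w * WINDOW:(w + 1) * WINDOW])
        if floor is None:
            floor = median(mags)
        hot = {k for k, m in enumerate(mags) if m > factor * floor}
        for k in hot:
            active.setdefault(k, w)  # burst starts (or continues)
        for k in list(active):
            if k not in hot:         # burst ended in this window
                bursts.append((active.pop(k), w, k))
        floor = median(mags)
    for k, start in active.items():  # still active at end of stream
        bursts.append((start, n_windows, k))
    return sorted(bursts)


def cut_and_mix_down(iq, burst):
    """Cut the burst out of the stream and shift its tone to DC (baseband)."""
    start_ms, end_ms, k = burst
    first = start_ms * WINDOW
    return [x * cmath.exp(-2j * math.pi * k * i / WINDOW)
            for i, x in enumerate(iq[first:end_ms * WINDOW], start=first)]


def baseband_mean(samples):
    """|mean| of a mixed-down tone burst is close to its amplitude."""
    return abs(sum(samples) / len(samples))


# Constructed scenario: two overlapping bursts on different frequencies.
SAMPLE_BURSTS = [(30, 38, 12, 1.0), (34, 42, 40, 0.8)]


def demo():
    iq = make_signal(SAMPLE_BURSTS)
    found = detect_bursts(iq)
    means = [round(baseband_mean(cut_and_mix_down(iq, b)), 2) for b in found]
    return found, means


if __name__ == "__main__":
    print(demo())
```

The noise floor is re-estimated from the whole window rather than per bin so that one unlucky quiet bin does not trigger a false start, and a burst is closed on the first window in which its bin drops below the threshold, which is what hands the next stage a chunk with no leading noise.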
All these utilities together, you don't have to call them by hand, you use the script called multi-processing, and it requires also the center frequency and the rate at which you recorded the samples, and then you need to tell it which format the samples are in, because the HackRF, the RTL-SDR, and the USRP all use different types to represent the samples; the HackRF and RTL-SDR both use 8 bits, but one uses signed and one uses unsigned. That doesn't really matter, but you need to do it correctly. And that outputs the bitstream of each packet it decodes. You could just pipe it to the next utility, the parser, which tries to make sense of the bits, but in reality you might want to just write it to a file so you can look at the bits multiple times if you want to see, oh, there was an interesting message, I want to look at it again. Yeah, so that's the parser, which does whatever we know, decodes whatever we already know about the protocol. If you want to add something about the protocol, you need to do it there. It has some special modes like -o for output format message, which just parses the whole file for pager messages and tries to reassemble them, because they are transmitted in parts of up to three parts, and throws away all the others. There's also some statistics modes which tell you about the packet statistics and not decoding the rest. Yeah, so this is all the utilities. They're all in our GitHub repository. You can call them; the two command lines to start the recording and to start the multiprocessing that I just showed you will be in the readme file shortly after the talk, because I had to change something there. I will add them there and then you can just use your radio, plug it in, start this command line and see what you get here.
The timeline of our project was, we started about a year ago and it took us at least a month to find the signal in the FFT, so don't get, if you try to look at something in SDR, don't get discouraged too quickly if you can't even see the signal. We knew it had to be there and kept looking for it, and our main problem was that it was so short and the radio, the FFT, was too slow to reliably pick it up, and then we spent quite some time finding the encoding, and there was the talk. There was an OsmoCom meetup at the end of March where we met some really nice people from OsmoCom, and some of them helped us looking at more of the stuff. We spent quite some time trying to decode and disassemble a DSP chip which had parts of the Iridium firmware protocol implemented, and I can tell you, looking at DSP disassembly is no fun. There's some kind of out-of-order execution that drives you mad. And on May 1st some guy, what was his name? Dieter. Dieter? Yeah, Dieter. He bought a Racal test set somewhere, which is a test set to test Iridium handsets, and we had a nice evening, a nice day, playing with it, sending signals from an Iridium phone to the test set and back so we could get clean traces of the yard traffic, and then look at the test set what it was supposed to send to the handset so we could decode the protocol, just match it up and look for the point.
He also looked at the firmware image of this thing and got even more information about the checksums for us, which we are really grateful for; that helped the decode process really fall on. And I must admit, since then we have kind of lingered a bit because we were busy with the radio, which was totally secretly a project to get 4,500 Iridium receivers into the world.

We have some statistics about the pager messages, same as at the Congress. The only change: there was one guy in Germany who sent about 16% of all Iridium pager messages; they stopped, so if you now listen for pager messages you have to wait a bit longer, because the amount of messages dropped by his share, by 16%. Yeah, there's still more to do if anyone is interested in playing with it. There's still more of the protocol to understand, there's more services within the Iridium framework, like short burst data and RUDICS and some aircraft communication stuff, which we haven't even touched yet, so if anyone wants to join in, we would be grateful. There's still a lot to do. There's a... no, that's... I changed that slide, that's from Congress, I'm sorry. The SDR workshop: we do plan some kind of SDR workshop, maybe later today, but check the wiki for that. We have some equipment if you want to play with SDR stuff, like a network analyzer. All the code is on GitHub, check the link. There's still, there's a document called Iridium system specification which would answer a lot of our questions, but it's restricted and we could not find it. If anyone happens to come across this document, we still want it, and we will not ask questions, and we have our GPG keys down there if you want to send it to us. And that concludes my part of the talk, but we have a live demo. I want to just show you how easy it is to receive something, and I have my own badge with this Iridium antenna which Schneider bought. Where did you buy it?
Digi-Key. Some friendly person soldered an SMA connector to my badge for me because I did not have time to do it. And just a second, where is it? I probably need a bigger font. Why doesn't this work? Just use the command lines I showed you, like hackrf_transfer, I need to turn it on first, to get the samples and pipe it into there, and then we start it, and then hopefully the tent is not... and then you can get your own signals. So these are the first messages. These are not decoded, it's just the raw signals, and I'm just writing it into a file. We can use a second terminal window. Why doesn't the resizing work on this desktop? Really strange. I think we were at F, and that's... we can grab out any error messages, and these are whatever came down from the air, which are just pager message channels telling the pagers that everything is okay and probably that there are no messages, because you see all zeros, that no messages are there for any pagers currently going down. Did I have anything else? So this concludes our talk. Thank you. We have some time for questions. If you have any questions, now would be the time.

Okay, if you have any questions, go to the microphones, ask your questions.

Hello. Hello. Regarding finding very short signal bursts in the FFT, have you tried gr-fosphor?
No, I have been told that I should try it, but I did not. At the time we started I did not know about it, and at the moment I did not have the time to look into it, but I was told it was very good for that.

You should try it. You can see the carrier loading in LTE signals or stuff like that.

Yes, tnt did some very good work with gr-fosphor. It's a really great tool. Actually, we have to thank a lot the OsmoCom guys: tnt, Dieter, horiz0n and Steve. They are very helpful and a nice team, I have to say. I have to show you this nice antenna that horiz0n built, because Iridium is also circularly polarized; it's specially made for Iridium, and I think it looks really nice, and whoever was at the opening talk probably can think of a second use for this one. Some more questions? Your last chance to ask something. Be courageous, come to the microphone. About Iridium. Then I hope you all have fun with that. There is someone.

I have a very naive and trivial question, because I do not know much about this satellite network. So you told us there are 66 satellites up there. What is their date of, how many years they are supposed to exist, basically? How many could people use it in 10 years or 20 years, what you presented here?

At the current point, as far as I remember, most of the satellites are actually past their "we wanted to replace them" date, but as you maybe noticed, Iridium went bankrupt some time, a few years ago, and got bought by some other company, which is, as far as I can tell, the US Department of Defense, and they have been talking about Iridium NEXT quite a lot, which involves sending up new satellites to replace the failing ones, but as far as I can tell they still have not sent up any new satellites, but they are planning to replace them as they fail. So if you look at some rendering of the satellites you see, at least at one spot, there are two satellites really close to each other, which is because, as far as we know, both of the satellites have some kind of defect and they try to keep up the service by
having two half-functioning satellites next to each other. So they are running out of satellites and have to replace them. Did that answer your question?

Basically, yes. And so, legally, is it legal to use it? You told it's DoD in the end, but I mean, do they care if people use it?

We are not using it, we are just listening to it. You can go out and buy an Iridium phone and pay for it, use it as a normal satellite phone; that is of course legal. I'm not sure if that was your question.

Please make a new presentation with more interesting things at the Congress.

Right, we skipped over some of the stuff because we assumed that maybe you already know that.

Are you going to show even more stuff at the next Congress?

Yeah, we are planning to, as we leave the camp, but at least I am planning to look into more of the Iridium stuff, and if we find out more interesting stuff it will be presented at Congress, definitely.

Excellent. For Iridium NEXT, they have been talking about it for a long time, they are still talking about it, and yeah, we are still waiting for them to do anything about it. It looks like they are doing some marketing PR and they simply want people to believe it's going to arrive like next year, and next year, and next year, all the time. As for internet usage, you probably shouldn't spend too much time on it because it's really slow. Sorry, it's really slow and pretty much no one uses it. It's too slow to be used; you get like a few kilobits per second, so it's unusable for anything which is current.

Okay, it depends on your application. If you want something which doesn't have a, doesn't need a directional antenna to a specific point in the sky, works everywhere, then Iridium might be your choice. Or also, it depends on, there are bundling services where they bundle different channels together so you have a larger bandwidth, and I guess it's more a question of the business model at that point and how you sell the stuff.

Yeah, definitely. I simply meant that you might not see that many packets and you might be
unable to reverse engineer them, but it still might be interesting.

Yeah, definitely, if you can, there is data coming on. Oh, please, from the other side.

Hi guys, thank you for the great talk. This might be a little bit of a naive question because I don't know anything about it, but with the toolchain that you offer, is it possible to read the Iridium messages in clear text?

Yes, they are not encrypted.

Okay, so these are like these examples that you showed us in your live demo, these are just normal...

These are just maintenance messages or information to pagers. We did not show any page messages during this talk.

Okay, so basically I just have to wait a little bit more, like longer, so when a proper message occurs I can decode it, right?

Yes.

Okay, thanks guys.

Please. So now that you've distributed 4,000 Iridium receivers to all the people here, what is the mechanism by which we all set these up in our hackerspaces and you capture the majority of Iridium traffic for the whole planet? That's clearly the idea, right?

You basically need an antenna and radio with an SMA connector and some computer to run the stuff on. A Raspberry Pi 2 is just beefy enough to do it.

And are you going to be running something to collect all of these messages received from different locations?

I had put my email address on there. If you send me an email we can coordinate. We are really interested, but we have not built a central collection thing yet because the radios are quite new. We have one or two outposts, but those are running manually at the point.

Because with this many receivers distributed around the planet, surely we could receive at least a large fraction.

So if you plan to set up like a receiver at your hackerspace, totally send us an email and we will coordinate the passing of the data and see what interesting things emerge in different regions of the world.

Thank you. Please, from this side.

Hello, thank you very much. Now that we have all these badges that have a processor inside, have you thought of the idea of
integrating your code here? Is it possible, does it have the processing power?

That's a good question. So at that point you might be limited by the processing power on the badge to pick up the little signals in a complete spectrum. So what we do on the PC is number crunching the whole thing and just look at where is some activity and then just look at this part, look at this part. And obviously the original Iridium receivers or pagers, they track the satellites, they track their frequency, and they know exactly when to listen for them. So if you create an algorithm to do that, I'm pretty sure that the badge is powerful enough to be a stand-alone Iridium pager.

Thank you.

But not with the current tools. Please.

It's very clear that by the basis of the Iridium system they did not think about this being cracked at any point. Is there a realistic upgrade scenario for them that does not include replacing all hardware on earth?

The Iridium pager system is kind of discontinued. It's not that easy to get a new contract for an Iridium pager; they are kind of phasing it out. There is the short burst data stuff, it's much more complex, and I suspect there might be some encryption on it; we have not looked at it. And modern pagers, there are stand-alone things that do internet and paging stuff on it, and they use short burst data for everything, so they are migrating away from this. But there are still a lot of pagers out there, and I would still expect that any data transmitted over Iridium is unencrypted unless the handset or the mobile terminal you are using is special and actually does some encryption, but who knows.

Okay, thank you.

Can I interject something? If you want to play with your badges, please, if you look at the rad1o wiki you find the link to the contest, which encourages you to try different things on your radio and run around camp a little bit, maybe after the sun goes down. You just should all just look into it, that's really fun, I hope. Please.

I maybe can add a little bit of
information that might help answer some of the previous questions. Regarding service life: already behind their projected life cycles, and since it's a LEO system, not a GEO system, unfortunately you can't replace them one by one; we essentially have to replace the entire system. NEXT gen, as correctly pointed out before, is economically unfeasible at this point in time, at least there is no commercial business case, so the entire thing depends on whether the US DoD will fund it or not in the next, in the very near future, and at the moment it looks bad. Second, you had the question about altitude. From the numbers I've seen, that should be the altitude in kilometers above the WGS 84 idealized earth model, I think. I tried to plot this once and it did not completely match up, but I don't really remember; that should be around 780 kilometers. The numbers had greater variation than I expected them to, as the spears do of course fly higher or lower. Different topic, and the last one was about data. One of the previous guys here said correctly that hardly anyone uses the normal data service because it delivers only 2.4 kilobit per second. I just might add there are only two data services on the radios that are worth talking about at this point in time: the maritime version, where they use channel bundling to yield at least halfway acceptable data rates that you can use for anything if you have a continuous stream of data, and the other thing is of course SBD, short burst data, and that's really used for a lot of things, especially fleet tracking. That, I think, would be something really interesting to look into for future research. And about the aircraft traffic stuff, we have to talk.

So the thing is that, I mean, you have to start somewhere and get some idea on how this stuff works and how the protocol is working. We started with pager messages, I mean, they are really the simplest thing to get into, and they are quite strong, and the further you look into such a system as Iridium you get to know a little bit
about more of its details, and you start to make more sense of the stuff which made no sense before. So you have to slowly go forward and poke a little bit around to see where you go, and obviously the interest is in SBD for sure, and we will have to see where this will lead. So if your question seems to be answered...

So if no one else wants to ask something or have a comment on it, then I really would like to thank you guys for this excellent talk.