Okay. So, hi, and welcome to my talk. It's about a small side project that I worked on, but I had a lot of fun doing it, and I think it's a very simple application of GNU Radio and SDR in general, and it's something very accessible. I did it with hardware for 35 euros, so maybe it gives you an idea of what you can look at and what's out there, where you can start playing with software-defined radio.

A bit about me: I'm Bastian and I work a lot with software-defined radio, a bit at university where I mainly work on Wi-Fi stuff, but also on sensor networking stuff, where we had a project where we actually put sensor nodes on bats, so that was fun. In my free time, I play around with different technologies, a bit with RDS, and try to receive what's out there.

Okay. So, these days a lot of people are actually talking about smart cities, smart power grids, smart lights, smart everything, and smart often means networked and embedded systems, and networked often means wireless. But actually today I thought, let's do the absolute opposite. Let's look at the absolute dumbest thing you could ever do. In fact, when we at university have the course on embedded systems, the kind of Hello World application is always: let's turn an LED on and off, and basically that's what I want to look at today. So, let's turn some LEDs on and off.

So, in Germany, we have some wireless traffic lights. There was a post on Hackaday about what I am just showing, and then I read the comments, and it was a discussion like, what the hell is he talking about, and then somebody explained that they seemingly have these wireless traffic lights in Europe. So I don't know if they just are not there in the US or whatever, but yeah, so it's about mobile traffic lights.
And I just wanted to give a very brief shout-out to my friends from Internetwache, because they just by chance found the same traffic lights in the GSM network. So they are usually scanning around on the internet and found that these wireless traffic lights actually have a GSM uplink. So, for monitoring and configuration and stuff like that, they are actually online, so they were able to log in and do some stuff. This was covered in the news last year. And just very recently, Mike Ossmann and Dominic Spill triggered some traffic lights with infrared.

So, today we want to look at this big antenna, and as you might guess, that doesn't look like GSM, so for the GSM uplink they maybe didn't put this on the traffic light. So, yeah, I was looking into this, and one friend of mine said, whenever he's close to this traffic light, his DAB, his digital audio radio, just stops working. So I thought, okay, let's look around in that area, and actually that's a band which is kind of regionally allocated. So it's kind of land mobile radio; I'm not sure how the translation is, in German it's Betriebsfunk, and usually you have some FM modulation there.

So, I used the RTL-SDR dongle that we've already seen today a lot, and I think all of you know it, and just started GQRX, and indeed there was a very strong signal when I was close to the traffic light. Okay, and usually on these bands they are FM modulated, and I just tried it, and yeah, these signals look good, which came out of there.

And my normal workflow when doing these things is, there's now really some great tooling. So we have GQRX, where you have seen I could easily see the signal and filter the signal, and then I just did some recording to a wave file and then loaded the wave file in Inspectrum. I will, in a minute, show you the tool, and Inspectrum is really nice if you just wanna get the signal parameters, see how it is modulated, bits per second, and stuff like that.
And then after I know the signal parameters, I just do some simple decoding in GNU Radio. So, let's first look at Inspectrum. So, this is how the wave file loaded in Inspectrum looks like. If there's no transmission with FM, then we have just some noise here, and then here you can see the traffic lights. So, there are always slots of one second, and in between we have six transmissions. So, the fact that they look a bit different basically tells you that there seems to be a different SNR. So, these are actually one traffic light and one is the other traffic light. So, it's not just one sending and the other only receiving, but they are sending back and forth, to assert that the other traffic light is still there.

And they are sending different types of frames. So, basically we have some ones that are slightly longer, which we will later see is the kind of master, which tells the other one what to show. And the other one is basically just reporting back, or at some points it's also telling the master that there is, for example, a car. Some mobile traffic lights actually have cameras to detect if there's a car ahead, so they can maybe preempt the signal and give you priority and not always follow a strict schedule.

Okay, so this is a very, very rough, so zoomed-out version of the signal. So, let's have a bit closer look. So, this is also in Inspectrum still. It allows you to look at the signal and also have an overlay that helps you in finding the bit boundaries. And with this it was pretty obvious, if you zoomed in, that there's some FSK modulation inside there, and the bit rate was 100 bit per second. So, this is always one bit, and it's alternating between 1,200 and 1,800 hertz. So, you either have a complete cycle or one and a half cycles in there. So, this was basically the most important thing about the signal, and with this I kind of manually decoded the preamble.
Maybe, I think, Inspectrum also has some possibility to decode the signal, but I just manually wrote down the preamble, because this is then what I needed in GNU Radio. And so, with all knowing this, I can basically come up with a simple GNU Radio flow graph to decode this thing. Actually, now I'm still claiming that, oh, and then it's so simple and I'm just doing that step, but I think that this is the step that might be the most challenging for several people. But the message is that maybe this is the most stupid way to decode the signal, but it's just what I kind of came up with. And basically here in the last step it just looks for the preamble, and then I have one custom block which is also just one line of code. It's just, whenever it finds the preamble, it's just outputting, I guess, 200 bits or something like that.

So, I end up with a lot of bits on my console, and I just piped it into a file and wanted to have a look at how to decode, how to make some sense out of the bits. And I played a bit around in vim, and because I like the workflow so much I thought I'd make a very, very brief video. So actually this is two and a half minutes of reverse engineering, and it's now at twice the speed. So you have two frame formats. Okay, now it's just selected one. If you scroll up and down, you see very, very easily the boundaries where there's some information in there, and basically what's in the frame is, so now we get rid of that. If we now scroll up and down, we already see some patterns in there, and then I just split it. And from this it has some kind of timer, or it seems to be a timer that's counting upwards whenever a new complete cycle begins. And then here I just found something which changes from time to time, and this turned out to be actually the phases of the traffic light. And in the beginning I had some repeating pattern, so I thought, okay, this seems to be the same thing if both show the same. Hopefully it's two times red.
And then it started from there to make some sense out of it. So with this I then had at least an idea of how the signal could look, and I created some easy interface. So for the web browser, I mean, in GNU Radio we already had it in the file. I have some very shitty web GUI which was reading the file and then just showing the actual state of the traffic light in a web browser. And then of course I had to go outside, and I hope you didn't drink too much beer, because it's really shaky here. It was really cold. So I had two different types of traffic light. This one was directly in front of our university, and so this was really convenient to work with, except that it was in the night and pretty cold. And then there was another one, where I also have a video on my website if you wanna give it a try, but here it was just with a lighter, which is just much easier to see that it's kind of following the traffic light.

Okay, so that was the: I actually can receive it. And whenever, actually I was pretty happy with that, and it was already kind of good enough, but whenever I showed it to someone, the obvious question was... Yeah. And I thought, okay, at least I should kind of include it in the talk a bit and say a word about it. Okay, I thought about, okay, how can I transmit? I have one of those, but I'm very sure that it doesn't allow me to transmit out of the amateur radio bands. So maybe it can receive there, but transmitting is limited. I looked on eBay; you can of course buy lots of these land mobile radios, or however they are actually called, but they are a bit expensive, a bit over 100 euros usually. Then I remembered that at some point I bought this incredibly cheap, shitty device from China and never actually used it, and it turns out with this 25 euro it's kind of very nice, because it's cheap and it's portable, and even in the listing on Amazon it was 172 megahertz. If you play around with it, yeah. Yeah, it turns out that can actually work, or at least I wanted to give it a try.
Good, what can you do? There is the obvious way, like going beside the traffic light and just screaming into the radio, and then you're basically jamming, disrupting the communication, but it's pretty boring because it's always possible. But when I had that on my blog, there was immediately somebody who wrote me that he tried that, obviously, or for whatever reason he knew that when you just jam it, it's just flashing orange, which makes a lot of sense, because this is the kind of fallback solution.

What else can you do? So the actual question is like, could you spoof transmissions, meaning you could generate the signals yourself so that the traffic light would accept it, so that you can actually trigger the traffic light? This is what most people seem to be interested in, but as I said, most of them have cameras, and you should not mess around, and also with the GSM uplink they probably know if you're doing some shitty stuff with it. So I thought, but still I wanted to see if there is at least some proof of concept I can come up with, that maybe you could further investigate.

So okay, I did another GUI, but this time obviously I wanted to trigger it. Then I again had a GNU Radio flow graph where I was generating the signal that I just showed you, and this time it was just really playing with GNU Radio blocks, so there's nothing where I had to code it. Basically I have two signal sources which produce the 1,200 hertz signal and the 1,800 hertz signal, and then I have some logic with the bits which is kind of turning one on and off. That's a high-level overview of the thing. So what this then does is, this time it's not connected to SDR or software-defined radio stuff, but this time it's just outputting the signal into an audio sink. And then it was kind of, no risk, no fun: I could just connect the line out of my PC directly to the radio. Actually, when you look online, they don't recommend doing that, so I used a USB audio card, because I was hoping maybe then
just the USB version is broken and not directly my PC, but at least for me it worked. Actually you should decouple them, I guess, but I'm not really good at circuits and stuff like that. Okay, so the thing is, if you enable VOX, so I guess all the amateur radio folks know it, you can switch between push-to-talk and that the radio just turns on whenever there is some signal. So I enabled VOX on the radio, connected it to the line in of the microphone, and yeah, there you basically then have your transceiver. And I just have a very brief demo of the setup on my desk at university. So you see I have another GUI here, then there is GNU Radio stuff going on, and it's then connected to the handheld radio here, and on the other side there is the other GNU Radio receiver that I just showed you, that was working with the normal traffic light. So it's the same frequency, the very same thing, everything's the same, so I was really generating a signal just as the traffic light.

So yeah, so much for the, you can also maybe transmit, at least in general. So yeah, that's just from my side. I hope, yeah, you find it a bit of a fun application, and also I'm now motivated to play a bit around with these cheap technologies that are out there. Okay, thanks. Is it half? Oh, I'm sorry, actually I thought it's way too much content, so now I was rushing through the slides, I'm sorry. Yeah, so if you have any questions?

Do you know if anyone would try it? No, especially from the internet, if you try it, ask me. If he knows that anyone would try it, if he knows that anyone would try it. Yeah, so usually, exactly, so that's usually what happens, that if somebody does it, then, hey, I've done that five years ago or something like that. But actually, seriously, nobody wrote me, so I wouldn't know if anybody... I also tried different, yeah, I got emails from other guys who were looking into that, but none of them were actually transmitting something. Yeah, what? Yeah, this is the anechoic chamber of our university. What?
I'm using another frequency, there was another... All this has metalized windows where nothing gets out. It's a Faraday cage, exactly, yes. So there seems to be, the configuration always seems to be that the one is kind of the main, the kind of master of the communication, and the other is just kind of reporting back periodically, so that the master actually knows that what he was transmitting actually was received, so not that the master turns green and the other doesn't. Yeah, and also on this frequency you don't have to space them that close, because you're actually on one hundred seventy megahertz, you get some range.

Yeah, so I don't know that particular tool, but, so if I already tried, if I tried another tool that was recently released at ShmooCon, which is called airwave, I guess? Oh, how did you say, WaveConverter? Yeah, I don't know that particular tool. But today in the morning we had a panel where we said about, it's sometimes really hard to get started with GNU Radio, and then when I had another look at my slides: okay, now I say, from, I have all signal parameters, I know the preamble, and now I just have to build the GNU Radio receiver. And then this is when I realized that this will be the tricky part for most of the people, so that they really come from this. Because loading it in Inspectrum is pretty straightforward, I would say, and then also having some high-level overview, but then from that to the transmitter, that might be the part where people drop off. Yeah, and but maybe this is something where you maybe could come up with some default standard solution, where you maybe can just plug in different values, like one for on-off keying, one generic one, one for FM and stuff like that. There are some out there, but they are kind of distributed. Also you don't even need the parameters. Okay, so these wave converters, I should have a look at it and see. Yes. No, because I think it's, because so it is really kind of really straightforward, and I think it also doesn't make a lot of
sense. I had to look at two different traffic lights, they all are slightly different, also they might have different configurations, so most likely that wouldn't work out of the box either way, so you have to do some slight adaptations. But the main point is actually that this is something very straightforward, you can just have a look at it, and also it shouldn't, it shouldn't be just, I just download, compile and run a thing, I guess. Yeah, yeah, you can just, yeah, the ones at university, they actually rent them, and it looks like then the company is doing the monitoring of the traffic light and also most likely the configuration stuff, everything remotely, and you just put them there.

Yeah, reverse engineering. Yeah, so when I look back, actually then mainly I was always doing something with traffic, even if I actually didn't think about it. So what my other projects were: I received telemetry from buses, so I had an OpenStreetMap where you could see the buses in Paderborn driving around, and I had a presentation two years ago with RDS TMC, so this is the digital subcarrier on FM broadcast, data, so there's also some traffic information modulated on there, so your GPS device gets it from the FM broadcast stations. And also I have a project which is available, this is decoding my car key fob, for example, then you get the 64-bit rolling code out of it, and yeah, stuff like that. So there's tons of these very, very low-hanging fruits out there where you can have some fun playing around with.

Yeah, so usually when you are close to it, then it should be very dominant and clear that it's there. I mean, if you have absolutely no idea about the band, so with this I really had an idea, and also if I wouldn't have known that it kind of interferes with the DAB audio stuff, then I would have started there. So if you know or have a rough idea about the frequency allocation, there are some spots to look, but yeah, in general, if you just use GQRX and scroll through the band, I guess you should see it very dominant. For example,
with the buses, also I had no clue where they are, but when one drove by me very close, it was just bam, so you couldn't miss it. Yeah, but for these small distances you don't even have to pull it out. Oh yeah, yeah, so this is a half lambda, half, yeah. So what was it, two meter band, one meter antenna, I don't know. Okay, thanks.
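As an added illustration, not code from the talk or from the speaker's flow graphs, this self-contained Python script walks through the receive side the speaker describes: two-tone FSK at 100 bit/s switching between 1,200 and 1,800 Hz, demodulated by correlating each symbol against both tones, then a preamble search that emits the bits that follow (the "one line" custom block). The 48 kHz sample rate, the 0 -> 1,200 Hz / 1 -> 1,800 Hz mapping, the preamble, the frame length and the noise level are constructed placeholders; the talk does not give the real preamble or frame format.

```python
import math
import random

# Signal parameters from the talk: 100 bit/s, tones at 1,200 and 1,800 Hz.
BAUD = 100
SPACE_HZ, MARK_HZ = 1200, 1800      # assumed mapping: 0 -> 1,200 Hz, 1 -> 1,800 Hz
SAMPLE_RATE = 48_000                # assumed audio rate of the recorded wave file
SPS = SAMPLE_RATE // BAUD           # samples per symbol (480)
# Constructed placeholder; the traffic light's real preamble is not given here.
PREAMBLE = [1, 0, 1, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0]
FRAME_BITS = 32                     # bits emitted after the preamble (talk: ~200)

def modulate(bits, rng=None, noise_sigma=0.0):
    """Continuous-phase two-tone FSK, like the two-signal-source flow graph."""
    out, phase = [], 0.0
    for b in bits:
        step = 2 * math.pi * (MARK_HZ if b else SPACE_HZ) / SAMPLE_RATE
        for _ in range(SPS):
            noise = rng.gauss(0.0, noise_sigma) if rng else 0.0
            out.append(math.sin(phase) + noise)
            phase += step
    return out

def demodulate(samples):
    """Non-coherent FSK detector: per symbol, pick the tone with more energy.
    Assumes symbol-aligned input; 1,200 and 1,800 Hz are orthogonal over one
    480-sample symbol (12 and 18 full cycles), so the correlators do not leak."""
    bits = []
    for start in range(0, len(samples) - SPS + 1, SPS):
        window = samples[start:start + SPS]
        energy = {}
        for f in (SPACE_HZ, MARK_HZ):
            w = 2 * math.pi * f / SAMPLE_RATE
            i = sum(x * math.cos(w * n) for n, x in enumerate(window))
            q = sum(x * math.sin(w * n) for n, x in enumerate(window))
            energy[f] = i * i + q * q
        bits.append(1 if energy[MARK_HZ] > energy[SPACE_HZ] else 0)
    return bits

def extract_frame(bits, preamble=PREAMBLE, n=FRAME_BITS):
    """The 'one line' custom block: after the preamble, emit the next n bits."""
    for i in range(len(bits) - len(preamble) - n + 1):
        if bits[i:i + len(preamble)] == preamble:
            return bits[i + len(preamble):i + len(preamble) + n]
    return None

def demo(seed=1):
    """Round trip on constructed data: idle noise, then one noisy frame."""
    rng = random.Random(seed)
    payload = [rng.randint(0, 1) for _ in range(FRAME_BITS)]
    audio = [rng.gauss(0.0, 0.3) for _ in range(3 * SPS)]        # idle noise
    audio += modulate(PREAMBLE + payload, rng, noise_sigma=0.3)  # noisy frame
    return payload, extract_frame(demodulate(audio))
```

The idle-noise symbols decode to arbitrary bits, which is why the preamble search, not the demodulator, decides where a frame starts; a sub-symbol timing offset is not handled here and would need a clock recovery block in a real receiver.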