I'm really big on teaching software-defined radio to people in the hacker community, and I think that today having kind of an SDR-first approach makes a lot of sense: you can get software-defined radio tools for very low cost and get started playing around and exploring the radio spectrum and learning about radio technology from a software standpoint first, and then learn about hardware if that interests you. Whereas back in 1983, when I was a kid, I would start to work on electronics, and the first radio I ever built was a crystal radio. That was a little kit that was super simple, really very few components, but very unsophisticated and not really able to interface with the modern radio systems that are more interesting maybe for kids to play with today.

So I wanted to figure out a way for people today to breadboard a very simple radio with few components, and one of the things that we thought of is that there are these high-speed microcontrollers that are readily available to people, and a lot of them have an analog-to-digital converter built in. So putting this into the 1983 fictional perspective: what if we're able to reprogram the microcontroller, or repurpose the microcontroller, from some legitimate piece of equipment, something we're allowed to have? Can we take a general-purpose microcontroller that has a little analog-to-digital converter in it and build a radio receiver out of it? We should be able to, in theory, take anything with an ADC and build some kind of a software-defined radio out of it that we can use for general receiving purposes.

So I came up with this breadboard SDR idea: what's the smallest, simplest thing that we can make out of a microcontroller with an ADC and as few components as possible? And we have this circuit that we're about to demo that has actually one diode and one resistor, and we have it plugged into a GreatFET, which is a hardware platform that
we've been working on for a while. It's kind of our preferred platform for doing general microcontroller things, and we're using it in a number of these projects, but really all that matters is that it's some microcontroller that has an ADC. In this case it has an ADC and also has a USB port, so we can stream samples from that analog-to-digital converter over to the computer that I'm demoing from. Really simple: there's an antenna, which is just a piece of wire, plugged into a diode, and there's a clock signal.

Now, this is the tricky part: we're using this diode as a mixer. It's a single-diode mixer, and I wanted to pick up a signal that's at a very high frequency compared to the things that I was able to pick up when I was a kid. I want to be able to pick up things like Dominic's car keys or this handheld radio, things that are transmitting at hundreds of megahertz in some cases, and we should be able to do that if we have a way to mix, or translate the frequency, shift the frequency that comes in on the antenna down to a low frequency that the analog-to-digital converter can tune to or can pick up. And so we're doing that by mixing the signal between a clock and this antenna, which is just a piece of wire, and the clock is actually being generated by a clock generator on the microcontroller itself. This is pretty common: almost every microcontroller has some method for generating an internal clock, because it has to clock its CPU or its peripherals, and most of them will allow you to attach that to an output pin and bring that out. We'll show you a bit more of that in a minute, but right now we're bringing it out, feeding it back into the diode along with our signal, and then tapping it with an ADC.
And Dominic is fond of pointing out the fact that when I first put this circuit together and I was testing it, I was like, well, you know, it transmits as much as it receives. But it does receive. So it's messy, it's not a really clean design, but it does the job of showing you what the minimal circuit is that you need to build a mixer, which accomplishes this problem of shifting the frequency.

So I'm going to do a little demo here. I'm going to actually receive a signal. There we go. Everybody's radio speaks Mandarin, right? I'm just going to do a little narrowband FM transmission. One of the drawbacks of this design is that it has terrible performance in terms of receive sensitivity, but that doesn't really matter if you're transmitting from a fairly high-powered device nearby, and so you can still demonstrate a functional mixing circuit with a single diode as long as you have a relatively high signal strength nearby. So I'm going to do a little capture here, where I'm just streaming samples from the analog-to-digital converter on that GreatFET, and then once it's up and running I'm going to do a little test transmission. "Here we are testing from on stage, breadboard SDR, this is AD0NR." And you really should have an amateur radio license to do stuff like this. I highly recommend it; there are ham exams going on here at DEF CON. And then I'm going to bring up a little flow graph in GNU Radio. I don't have time to go into it in detail, but I'm taking this file that I just captured over the air and I'm going to see if I can recover audio from it, and in software I should be able to do this.

Can anyone else say that other than this? I think you could turn the volume up on your laptop. I could turn the volume up on my laptop. I could also actually use the capture file I just made instead of the capture file I did earlier, because that's kind of cheating, right? Let's see if the new capture file actually works.
We probably should have told speaker ops that we needed audio output. And now we needed audio output for... I can make a fool of myself once. Thank you very much. Sorry. That was our demo. So yeah, when you build a radio in software you really don't need much hardware, and that's one of the cool things about software-defined radio technology: you can actually use the power of software to overcome deficiencies in your hardware, so you can demonstrate working circuits with extremely few components. All right.

So, Mike, what happened when we started the research for this is we divided up our ideas, and Mike took the receivers, and I, being the one without an amateur radio license, took the transmitters. Yeah, like a pro. So you won't be surprised to find we stuck to bands where we could transmit, or I had Mike with me whenever I tested these things. But our scenario is that we've got inside an air-gapped network. We have an ally inside. We want to build a transmitter, but we can't just carry a radio in there. Big Brother probably wouldn't like HackRF, so it's unlikely we can carry it into the building. I really wish I'd reread 1984 before this, so I could get my references right. But we couldn't carry it into the Ministry, and so what can we do with a microcontroller we find inside?

Now, previously we were talking about those clock signals, the clock signal that we were using to mix with the incoming transmission on the breadboard SDR. And as we said, it transmits as much as it receives. Well, what if we intentionally try and transmit and see if it receives as much as it transmits? So a few people have done this before. Fontana was an interesting idea where you toggle a GPIO pin very quickly. Raspberry Pi FM does a similar thing: it toggles a GPIO pin quickly and adjusts the frequency of that.
And Mike Walters, actually, using GreatFET, previously did on-off keying, and so he would take that clock signal that we're using as a mixer and he'd just turn it on and off very quickly, and he would generate on-off keyed data. And so we wanted to one-up him a little bit, because he's a friend of ours. And so we wanted to look at FSK data, frequency-shift-keyed things. And so what we did is we grabbed a GreatFET and, instead of having that mixer come back into the system, we just stick a wire on it. And I very carefully tuned this antenna by reaching into a box of jumper wires, pulling out one that was kind of short, and sticking it in the pin header and hoping that would work. And it kind of does. Like, if your radio is as rough as this, the antenna is not going to make the difference.

So what we want to do is frequency-shift-keyed data, and we have two options here. One is we can take those clock generators and we can very rapidly try and reconfigure them, and that's what Raspberry Pi FM does, but we can get it to make very clean jumps back and forward between our two frequencies that we needed. And we actually had, inside GreatFET, we happen to have multiple clock generators. There are three in there. There's one for audio, one for the CPU and one for USB. So if we just resign ourselves to the fact that we don't get to use two of those things, and specifically we need the CPU, so we just don't use USB and the audio, we can repurpose both of those clock generators. So what we do is we set one to 315 megahertz, we set one to 315.1, and then the SCU here is a system control unit. All it does is decide which functions of the processor get connected to which output pins on the GreatFET. So all I do is I say this clock pin will be connected to this output pin.
And then when I want to change to the other frequency, I just reconfigure the SCU and switch which clock signal is going out, and that's much, much quicker than waiting for a clock generator, a PLL, to settle. And it is that simple. All we do is load the FSK data into the firmware. I do it over USB, but I've killed my USB by repurposing its clock. So I build a one-time firmware, load it onto the device, and it immediately just repeatedly transmits my FSK signal. And so it's a super simple piece of... oh, you need to tab out, yeah. That's right, videos don't work in PDF. So it's a super simple piece of code.

We captured a signal. We actually used a HackRF to capture the signal, and then we pulled the bits out using inspectrum, loaded it into the GreatFET and then retransmitted it. Now, we have a demo target for this, but it was kind of large and DEF CON were not super enthusiastic about us bringing it on stage, so this is a video demo. I don't know why they didn't want us to bring our demo car. So I'm just pausing it for a moment. So yeah, the first thing you saw was me hit a key on my keyboard, and that was just loading my single-purpose firmware into the GreatFET. And then you probably want to watch the bottom, bottom in the middle to the left. Watch my lights. There they go. And we unlocked my car.

So it turns out cars use rolling codes. So to get this working correctly, what we had to do was run up and down the road to get out of range of the car, capture a key press with the HackRF, decode it, copy the bits over to the GreatFET, run back up the road, try it. And the first time we tried it, we thought there's no way this works first time. So I just ran it and I went, oh, I unlocked the car. And Mike's like, I hadn't started recording yet. And so we both grab all our equipment and run back down the road. We work opposite a dog park.
So there's just a bunch of puppies following us as we went up and down. The most fun. And interestingly, the target device, the actual key fob that we captured a signal from, has pretty tight frequency deviation, plus or minus 25 kilohertz. And we had a little bit of difficulty with configuring the clock generators exactly how we wanted. And we said, well, hey, maybe this way will work and we don't have to go through the trouble of going to the more complicated configuration we were thinking about. Let's just try it this way and see what happens. And it turns out, yes, we actually had twice the frequency deviation and a considerable offset from the original target device's center frequency. And it still worked. We were within the receive filter of the target device and we were able to replay those signals... well, replay them. We were able to synthesize new signals from the captured signal that we had captured from the real original key fob.

Right. And part of that is just power as well. As you saw in the video, I was sat with the GreatFET on the, I was going to say bonnet of my car, hood of my car. And so I was, you know, that far away from the receiver, which is in the dash. So I'm so close to it that the power level I was transmitting at is probably going to go through the filter pretty well. Right. The closer you are, the more you can get away with in terms of being off frequency or being out of the passband of the filter of the receiver. There's nothing particularly subtle or delicate about any of these radios. So if it's like a radio and it's like a radio, it's a radio. And that's kind of a big part of the point of what we're doing today: trying to show that you can build radio circuits out of just about anything.

Our next scenario is this idea that maybe you're not allowed to even have analog-to-digital converters. In our first SDR receiver, I repurposed a microcontroller that had an analog-to-digital converter in it.
And an analog-to-digital converter is generally considered to be the core of any software-defined radio. And I wanted to see if we could build a software-defined radio receiver without an analog-to-digital converter. Specifically, can we use a GPIO input, a general-purpose digital input? So it's just a pin on a microcontroller that detects whether there's a high voltage or a low voltage. And that's it. It only has one bit of dynamic range. And we can kind of think of a GPIO pin as being a one-bit ADC. And if we do, are we able to actually build a functional software-defined radio out of it?

And back to kind of a real, real motivation of this too: when we did the previous demo with a car, we captured a signal with a HackRF. And we kind of said, well, maybe that's cheating a little bit. Maybe we should actually have a demo in which we can build a radio and use it to capture the key press on the car key. And that's how we could, you know, find the code that we need to transmit. It would be nice to be able to do that without having something like a HackRF. So if you've got a HackRF, you don't need to build a PLL-switching FSK transmitter. You just use the HackRF. Right. Like, like motivating the...

So, but another, you know, getting back to this fictional idea that analog-to-digital converters are restricted. If you think that's far-fetched in any way, here's something from ITAR that tells us about today: export controls on analog-to-digital converters in this country. And you can see that, if you look on the right-hand side of the page, 10-bit ADCs are restricted at a certain speed and 12-bit ADCs are restricted at a certain speed and so forth. And you'll notice that there is no restriction for 1-bit ADCs. So 1-bit ADCs are totally allowed at any speed, which is pretty... until tomorrow. 1-bit ADCs are allowed by ITAR at any speed.
So we should be able to implement a 1-bit ADC, and, you know, if you restrict GPIO inputs, you restrict all digital electronics. So if any digital electronics work, we should be able to improvise an ADC out of a GPIO pin. That's our thinking.

So we've made a GPIO pin receiver, and unfortunately one of the drawbacks of making a GPIO pin receiver is that we need a fairly strong signal that we pump into it. And so we actually decided to salvage an analog radio from something that's readily available, like a telescreen, for example. And so I made this little circuit that's using a TV tuner, and this is an old analog TV tuner, like you might pull out of a VCR. We had VCRs in 1983. And so this is not a digital receiver at all. This is just an analog radio tuner that shifts the frequency of a television signal down to a frequency that a television is able to decode, in an analog or digital way. And I connected this to a GreatFET, and I'm using a GPIO pin on the GreatFET to read the input from that tuner, that analog input. And I was able to do this with just one additional component. So I have the tuner and I have the GreatFET, and I have one capacitor in there.

And this is a circuit diagram. You can see we're picking up a 315 megahertz signal from Dominic's car key, and using this TV tuner that we can salvage out of some other equipment, like a telescreen, that's getting converted down to about 44 megahertz. We need this one capacitor so that we can AC-couple it to the GPIO input on the GreatFET. And the first time I made this work, I actually had a voltage divider there, so I had two additional resistors in the design to bias that GPIO pin. And there are a number of tricks going on in this design. One of them is that we need to bias that GPIO pin. And the reason for that is, if you give the GPIO pin a voltage near zero volts, it detects that as low.
And if you give it a voltage that's near 3.3 volts, which is its power supply level, it detects that as high. But somewhere in between zero and 3.3 volts there is this threshold where you can twiddle the voltage by a small amount and flip that bit. But finding that threshold is a little bit of tricky business. And so the first time I did it, I played with different resistors to make a little voltage divider to bias it so that that pin would be at about the threshold that it needed to be. But then I realized I could eliminate those two resistors from the design just by using the digital-to-analog converter that's built into the microcontroller, and use that to produce an arbitrary DC voltage that I use to bias that GPIO pin. And not only does that remove two resistors from the design, but it also gives me a flexible way to tune in software and find just the right threshold. Because that threshold may change over time, it may change with temperature, it may change from one microcontroller to another. It's not guaranteed by the datasheet to be at any particular voltage level. And so it's handy to be able to control that from software and dynamically find that particular threshold that I need.

Now, another trick that we're using in this, and this is fundamental to the concept of using a one-bit ADC, is that we're oversampling and decimating. What does that mean? Oversampling means we're using a sample rate that is faster than you might expect that you need. And we're decimating, which means we're reducing the sample rate. We're throwing out some samples, but we're doing it in an intelligent way. So here's a little simulation where I have 16 random samples in this stem plot. The first one is zero, the second one is one, and so forth. They're all one-bit samples. I just have 16 random values. The first step in oversampling and decimating is to then combine some of those samples and reduce the sample rate.
And ideally we use some kind of a good-quality low-pass filter, but as a crude example, let's just say we average adjacent samples together. So those first two samples, zero and one, we combine those two samples into one sample that has a value that's the average of those two, so it has a value of 0.5. And I'm going to do that with every pair of samples. If I do that, then I turn my sample stream into this in the digital domain. Instead of having zeros and ones, now I have zeros and ones and one-halves, but I have half as many samples. But I've added more dynamic range. There's more nuance to the vertical scale. And I can keep going. I can do this again. I can combine two of these samples. And now I have only four samples left out of those original 16. But each one has several different values it could take on, not just a zero or one. So we're adding dynamic range by trading our excess sample rate. So the faster we can sample, the more ability we have to actually gain dynamic range, and we gain a bit of dynamic range every time we divide the sample rate in half. And that allows us to take a low-dynamic-range ADC and turn it into a high-dynamic-range ADC at a lower speed, in software. Which means ultimately we should be able to make things work with a one-bit ADC like a GPIO pin.

Now, interestingly, Dominic, I think, was the first person to point out that not only are we oversampling in this demo, but we are also undersampling. That may be hard to wrap your head around, but we are in fact sampling at a sample rate that is lower than that 44 megahertz output of the TV tuner. We're sampling currently at 20 million samples per second, which is quite a bit lower than the 44 megahertz intermediate frequency that we have from that TV tuner. And it turns out that that works fine. We were thinking we could crank up our speed and actually sample that GPIO pin faster than that, but it turned out we didn't need to.
So we actually ended up with a demo where we're simultaneously oversampling and undersampling. I think that's pretty cool. So let's do our demo. All right. I'm going to try and move this thing without dropping it. Good luck. Yeah. There you have it. All right. All right. These demos... I've broken wires in these demos at least twice in the last 24 hours. So, you know, we'll see how this goes.

We have my favorite antenna, which is just a piece of wire stuck into the coax connector on the end of the TV tuner. And I'm going to, let's see, I have to tune the tuner, which was a little bit of configuration. There's a little I2C bus on the tuner. And so we have the GreatFET actually commanding it to tune to a certain frequency, which I just did. And then, what is the other command I do? I don't know. Logic analyzer. Logic. That's the one I want. We're using this logic analyzer command, which actually takes the state of multiple GPIO pins and throws them into this named pipe right now. But all the other GPIO pins that it talks to are unconnected, so they're all just at zero. And I'm going to run that while I turn on a GNU Radio flow graph to actually process that information.

And so now what you can see here are the one-bit samples, that top plot that's moving rapidly left to right. Those are just one-bit samples. See, everything's a zero or one? And then Dominic is pressing the button, there he goes, on his key fob. And you can see that we're seeing a signal down here in our waterfall plot. And if you look at just the one-bit samples, it's kind of hard to see that there's anything different going on. But if you look at the decimated samples, this is after we've downsampled and combined samples together with a filter that allows us to create more dynamic range. Now as he's pushing the button, you can see that sinusoidal stuff; it looks like a real radio signal that we should be able to analyze.
And in fact, if we run it through an FSK demodulator... I just stopped this really quick. And you can see in this, the left-hand side of the screen here, you can clearly see the bits that are being transmitted. So sometimes it's low and sometimes it's high. And when the frequency is low, it's transmitting a zero, and when the frequency is high, it's transmitting a one, or something like that, the other way around perhaps. But we can clearly see the digital bits that are being transmitted, sufficient to decode it. And we've now taken a one-capacitor circuit and used it to interface our general-purpose microcontroller with a salvaged radio tuner and repurposed it. So instead of just being a TV tuner, it now is able to help us in software demodulate and decode arbitrary radio signals, including the digital signal from Dominic's key fob. All right.

So moving on, yeah. So sometime, a number of people have asked us recently... we did some work earlier in the year and towards the end of last year, I guess, on direction finding. And a number of people are very interested in being able to track down the source of a radio transmitter. This is amateur radio enthusiasts who want to find people who are interfering with their radios, people who are broadcasting illegally and so on and so forth. And we're saying here that Big Brother has deployed a pseudo-Doppler technique to do direction finding to track down illegal transmitters. And we have managed to somehow, given that we built it, steal one of these direction finding rigs. And can we do anything nefarious with it in a way that subverts what the authorities are attempting to do? So, spoiler: yes.

So pseudo-Doppler direction finding is... do you know who we haven't got on this slide? And he's sat in the front row, it's Balan. Oh yeah. That's because that's where I first learned about pseudo-Doppler. So I'm sorry about that. Bouncy also did some work maybe 10 years ago on this. Yeah. Well, he's cited in the talk that is on.
There you go. Yeah. If you watch the talk that we're citing, you'll see the citation of his talk, and then that's all fine. Apparently. So what you do is you have a set of antennas, and they're spatially separated from each other, and you want to rotate very quickly between them. And using that rotation, what you see is a shift in the phase of the incoming signal, and that gives you some information about which direction it's coming from as you change between them. I'm not going to go into the depth of how that works now, because that's about as much of it as I really understand, and also you can look up those two talks that are referenced. But what you need for this is some hardware to rapidly switch antennas. So we built some.

Now, this is called Opera Cake. It connects to both HackRF and GreatFET, and it can be controlled from firmware. So you can do various things with it. One is you can do pseudo-Doppler by attaching a number of antennas and very rapidly switching between those antennas. You can also do things like have an input and output attached and switch in different kinds of filters, or other things, loop back between the two sides, and just changing between different antennas based on which frequency you're receiving and things like that. That's what we usually use it for. But in our scenario, Big Brother is using it to find where we're transmitting from, and in doing so what they're looking for is our transmission, and then they're inducing, or they're looking for, a phase shift as they switch antennas. And so if we're able to somehow inject a phase shift, then that will be a phase shift that they don't expect and therefore can't compensate for, if it's, for example, pseudorandom.

Now, I was going to explain phase shift. That's what I'm going to do. Okay. I was trying to work out what all of these slides were in. So when we talk about phase shift, what we talk about is, if you think of a wave. So this one, this slide.
If you think about it... I drew this in my hotel room because I wanted to better explain this concept, and I'm not sure it's worked. But if you think about a wave traveling down a coax cable, the one I've carefully drawn on the paper. If you think about it traveling down, and you cut off the cable so that it's exposed and becomes a transmitting antenna. The difference in length between these two cables gives us a different section of that wave at the same time. If you inject the same wave into both of these cables simultaneously, what you'll get at the antennas is a slightly different wave based on the length of the cable and the speed at which the signal propagates down them. So these are sometimes referred to as delay lines. So phase shift is that difference in where we are in the cycle of the wave relative to another wave.

So in this instance, what we're doing is we're taking those two cables and we're switching from a shorter cable to a longer cable, with our standard radio input signal coming in. And that's the signal from some arbitrary radio. It doesn't have to be... we're not generating it. We're not creating a specific radio here. What we've got is a radio that we're allowed to transmit with, or that we are transmitting with, and we are adding this phase shift on top at the end to try and make it hidden from direction finding. And the radio we've chosen is a four-dollar Bluetooth dongle that I got from eBay. And we just cracked the thing open, and as you can see here, we attached a coax cable so that we can hook it up to our radio system. And it's actually on the table at the front. You can get a look at it later. This took three attempts. A couple of tries. Yeah. This one, I think I did a really good soldering job on it. You can see in the lower right-hand corner, you can't see it behind the cable, but I've nicely cut the original antenna trace and then I've soldered the wire onto it. And then afterwards it didn't work, and we're like, why doesn't it work?
And if you look closely, really closely, where the mouse is right now, you can see I melted the corner of it. Yeah, somehow I just destroyed it; a chunk of it is missing. And so then we went on to round two, which survived long enough for us to work on this in the lab and then did not survive the journey to Vegas. And so thank you to... the third one stayed up. Yeah, thank you to the Badgler folk who at nine o'clock this morning soldered me another one with their very precise machinery.

And I want to point out that this isn't one of these sophisticated modern Bluetooth chips that knows how to do Bluetooth and FM radio and Wi-Fi and Bluetooth Low Energy and all kinds of different protocols. This is a 10-year-old chip or more that we were hacking on in the early days of Bluetooth hacking, and the reason we used it was because... what was it, your first open source contribution? Yeah, one of the pieces of code I'm going to run in a minute in the demo. It was my first ever open source contribution, which was to enable the radio test modes in these dongles. And when we were coming up with this project, Mike was like, do you have any 2.4 gigahertz hardware kicking around that we can hack on, just kind of open to draw? And I was like, these, because they're so cheap and so I have loads of them hanging around. So that's why we picked this thing, because it's pretty hackable and things like that.

So what we're doing is we're taking the signal that comes out of this, and we're using a direction finding technique to try and locate it, and then we're going to enable our delay lines and switch back and forward between two different lengths of cable, and that will produce a phase shift in the output that does not affect the signal. It makes no difference to our signal going through, but it does affect the ability to direction-find it. I'm not sure I'd say it does not affect our signal, but it depends on the modulation of your original waveform.
But, for example, if it's amplitude modulation, you should be able to just layer on arbitrary changes to the phase without actually affecting your ability to communicate. So I'm going to play you a video demo of this one, and that's going to be the direction finding demo. Okay, so this is... I'm going to pause it a few times. This is just a demo we took on the table in our lab.

So this is my direction finding setup here, and you can see I've got four different 2.4 gigahertz antennas that are vertical, and to support them structurally we are using a pint glass. Like, everybody needs a glass full of antennas from time to time. And then this is my direction finding rig, like I talked about with Schuyler at ShmooCon this year. So I have the Opera Cake with a HackRF, and I'm using some software on my laptop to run some direction finding, and I'm not finding anything right now. There isn't anything transmitting, but Dominic over here is about to start transmitting with his Bluetooth dongle, which you can see plugged into the USB cable, that little blue blob plugged into the USB extender. That's actually a little tiny USB-to-Bluetooth adapter, and that's plugged into his Opera Cake. His Opera Cake has four different wires in it. I think you're only using two of them, but they're four different lengths of cable, and he has the ability, from software, to control which cable is switched into the path between the Bluetooth dongle and the external antenna. So initially, you can press play. So initially what we're gonna do is start transmitting from the Bluetooth dongle, and we're gonna leave the path static. So if you pause now, you can see we've got a pretty reasonable... this is a polar, thank you, a polar plot, and so you can see we've got a pretty reasonable direction from our antenna array to where this thing's transmitting.
That blue dot is up to the right of the center of that plot, and so that's indicating the direction of the transmitter that it's seeing. I'm gonna un-pause it here. And so what I do is I run a script that just slowly switches back and forth between two paths, just creating a little phase shift once in a while, and I mean once in a while like every couple of milliseconds, and you can see this becomes sporadic. We have such a wide range; our bearing to our transmitter has gone from being very narrow to being somewhere around 50% of the direction that we're looking in. And so that phase shift means that it's now much more difficult to locate the transmitter than it previously was. So we're able to subvert our own pseudo-Doppler direction finding code using our own pseudo-Doppler direction finding hardware and other code that we wrote. So I'm gonna call that a win. Okay, since we can introduce those phase shifts, we thought as a final demo, in the last couple of minutes that we have left, what we'd try and do is a phase shift keyed transmission. So what we're gonna do is transmit something that is phase shift keyed, not by having a radio that transmits phase shift keyed, but we're gonna have a clock source and then we're going to change the phase using the delay lines on the Opera Cake board. So this is a picture of those delay lines. I like to call this the swamp thing. So I'm just running it again from GreatFET because it's the microcontroller board I have around, and it uses GPIO pins to rapidly switch which antenna path.
Now I'm gonna do something that's BPSK, so binary PSK, so I actually only need two of those four paths that I'm using, but essentially what I do is I switch both sides simultaneously and switch in those various lengths, and those lengths are off by half a wavelength from each other, so half a wavelength, or a multiple of half a wavelength, at the frequency that we're using. Now because we're using a Bluetooth dongle to feed this, our frequency is 2.4 gigahertz, and we have a little 2.4 gigahertz band-pass filter in between the Opera Cake and the antenna, and that's actually one of the nice things about using the 2.4 gigahertz band for this kind of a demo: you can get readily available, low cost and highly effective filters. This technique causes a lot of spectral splatter. It really is not being a very good neighbor on the spectrum, so if we're able to filter the output from it before it goes over the air, that helps us be a better neighbor on the spectrum. And one of the things we're trying to do here is show that we could take one type of radio transmitter and then layer another modulation on top of it to have a covert channel. Regardless of what the modulation of the original system is, we should be able to, in some cases actually, still use the original system, the original modulation, and then also add this covert channel on top of it that acts like some other type of radio device. If you're looking up these papers, I highly recommend you Google them rather than clicking on the links on our slides, because we've put the same link for two different papers here. Oh yeah, how about that? Whoops. I just noticed some people taking pictures of the slides with the URLs. I'll try to fix that before we hand our slides to the speaker ops. Oops.
Okay, so when we add in the phase shift, we're able to then capture it with another radio and look at it in Inspectrum, and so this is how we work out whether or not our transmitter is working. Inspectrum lets us do a phase plot at the bottom here, so at the bottom of the screen what you can see is the phase shifts being created, and they're at very regular intervals because I have a timer firing on the device and it fires at regular intervals, and we see a very quick phase jump. We're almost out of time. Yeah, I'm only running the demo. Are you running it already? I am running the demo. Okay, so we are actually now transmitting a binary phase shift keyed signal in the 2.4 gigahertz band, and we were like, what target device could we use that uses 2.4 gigahertz and has binary phase shift keying or QPSK, and we said, hey, Wi-Fi. So why not; the front couple of rows, anywhere near about here, you might be able to pick up a Wi-Fi beacon that we're transmitting, and it says "is this revolting enough for you", I believe, is the network SSID. I'd be really interested if anyone can receive it, because I can't receive it on my phone here, but I could when I ran this in my hotel room mere hours ago. It turns out doing 2.4 gigahertz Wi-Fi demos at a con is still as bad an idea as it was when we first started doing this. Yeah, but you know, we're not transmitting at a particularly high power and there are a lot of different Wi-Fi networks in here that your phone or your laptop can see, but probably some of you, especially those who are sitting close, can actually pick up this Wi-Fi beacon right now and actually see it. Yeah, this tends to work somewhat better if you're using an iPhone, apparently. Interestingly, we've just had better luck with it this morning for people receiving on an iPhone, but I'm guessing no one can receive it, which is incredibly disappointing to me, but it is definitely running.
Yeah, get it as close as you can to the transmitter and see if you can pick up a network. Yeah, I don't see it on my phone; I see a lot of other networks around, so that's potentially why, but I'll happily run this maybe somewhere that's a little bit more RF silent for people to try it out later. But yeah, essentially what we can do is we can take a radio test mode that transmits just a pure carrier wave into this device, we can do binary phase shift keying, and I really do promise, if you do binary phase shift keying at 11 megabits you get a one megabit DSSS transmission out, and that can be crafted to be a Wi-Fi beacon, and you should be able to pick this up on your phone. So thank you to all these folks whose work we have built upon, and most of this stuff is built on hardware designs that are in the GreatFET repo or the HackRF repo; that's where the Opera Cake lives. Find us on Twitter, and we will take questions in the hallway off yonder in a couple of minutes. Thank you very much. Thank you.