Welcome. I'm going to get up here and talk a little bit about some research I've been doing on LTE emissions. Not so much looking at protocol or data, but just what can we see flying around in the air, and I'm going to do it with RTL-SDRs. A couple of people have made this talk happen. This story happened a few years ago: Melissa Elliott did a talk at DEF CON 21 on crazy stuff in the noise floor that she was exploring with RTL-SDRs, and when I saw that talk, that inspired me to take up that research on what fun bits of data are flying around there. Also, Erin, if you're here, I'd love to talk to you and shake your hand. This guy has done a tremendous amount of research on fixing a lot of the clock drift problems when you're trying to synchronize RTL-SDRs. I used everything that he did to get to where this talk is.

So we're going to go down this road. It's going to wind to a lot of different places. Start with a little bit of history on direction finding and radio exploitation, just straight RF out. Why do we care? I'm going to give you a quick primer on time of arrival direction finding. Then I'm going to talk about why the RTL-SDR is a terrible radio. And then go over some of the processes I'm using to do direction finding with RTLs.

So here we are. We have a boat in the water that's really hard to see. You're in 1940, Battle of the Atlantic, World War II. How do we find the U-boats? They have these antenna masts on the top that occasionally, when they pop out of the water, emit signals. Those signals are coded messages, encrypted messages, but they are still RF emissions. Anyone can pick them up. You don't have to be able to decrypt them to put up your antenna and receive that data. So then we get a whole lot of these guys. They put cans on their heads and they turn a whole bunch of knobs and try to figure out what the position of that signal is through a few different kinds of techniques, using very expensive, very large equipment.
The wavelengths on these transmissions were huge. So to do direction finding you needed like national infrastructure, or at least real estate to park lots and lots of antennas. Today we have this guy. He's on the Wikipedia page for fox hunting, which has become the modern approach to direction finding. It's a really fun thing if you haven't gotten into it, where somebody goes and puts a radio out in a state park and you get your antenna and your headphones and you go and try and find it. And I guess you need a trendy headband.

So it's going to get a little technical. This is how direction finding happens with time of arrival. The principle here, like the main piece of math that's going to happen, is we're going to have two antennas (or two antennae) that are going to receive the same signal, and then we're going to compare the time difference of that signal arriving at the antennas to get a line of bearing to the transmitter. So basically what happens is the transmitter fires off a signal. This is obviously something where you have to have a really bursty or discrete signal. If it's always transmitting you can't catch the time of arrival as easily. Receiver A has a timestamp for when the signal hits. Receiver B then has a slightly later timestamp, and we have, let's see, an identical signal, or the same signal, traveling at the same speed through a constant atmosphere. So a lot of assumptions here to arrive at two known positions. Based on the distance between the receivers and the time of arrival, or rather the difference in the time of arrival, you can create a hyperbola that shows all the possible locations of the transmitter. We don't care about modeling the actual hyperbola; I just want to know what the asymptotes are. So if you dig back into your high school trig, if you just take the cosine of that angle of attack, or that line of bearing, it's going to be the time of arrival divided by the distance between the two points.
So using that we can draw two possible lines that this transmitter can be on. If you only have two receivers you're always going to have two different places to guess and go look for it. So how do we solve that problem and get to a position? This is classic triangulation. When people are saying "I'm going to triangulate your signal": three antennas, a little bit of trigonometry, and we get a shape that looks like this, where we have three receivers and they're all getting time of arrival measurements. We're going to take those same cosines of the angles to get six lines. Three of the lines are going to diverge off into space; hopefully three of the lines are going to converge. If you've got clock drift in your radios, if you have really terrible RTL-SDRs that you're using as your receivers, sometimes all six lines diverge and you just have to wait for everything to sync up.

So we've talked about the history of direction finding and I've given you a little bit on the math that's behind time of arrival. How many of you guys have heard of an RTL-SDR? Awesome. Okay. They're cheap. That's something that I really like about playing with them, especially if I need three of them. I'm not going to go out and get three bladeRFs to do a pet time of arrival project on a couple of weekends. It's a lot of budget for an entry-level exercise. But the RTL-SDRs, I was like, alright, they're like $16 on the internet, so how bad can they be? I'm using the E4000s because I was interested in tracking LTE signals and I had to get up into the higher band. If you buy a brand new RTL-SDR, like just straight off of Amazon, it's a newer chip that doesn't tune all the way up to LTE 1900, which is what we have here in Las Vegas. So for this project with newer radios you've got to find a place where they're using the 800 band LTE. This is the E4000 on the right. On the left is the stock terrible antenna that comes with the E4000.
But that stock terrible antenna and the E4000 are able to pick up clean ADS-B signals, which is what's coming off the airplanes to air traffic control to show their heading and position and flight identifiers, that kind of information. If you go on Reddit and you get in the RTL-SDR community and say "I want to pick up ADS-B," everyone's going to tell you you've got to get a better antenna and you've got to run wires out to your house and get it high up in the air and throw away the antenna that comes with your chip. Don't do any of that. Just use the stock antenna when you're getting started playing. It lowers that initial investment and it works. This was live data, actually from here this morning. Yeah, it's not garbage. It's terrible, but it's not garbage. So if you want to get started it will work.

So this is my disclaimer. I am not a radio guy by trade. I've definitely done a lot of analysis of pre-collected signals, but digital signal processing is not my formal education. So I'm about to do a lot of terrible things. Let's do direction finding with the RTL-SDR. So we said before that we need to have three antennas to do position direction finding. So I'm just going to buy three of these $16 things, hook them all up to my PC, and this is just going to work, right? There's my RTL-SDR. I'm going to replace each of the transmitters in my original diagram, or sorry, each of the receivers, with RTLs. And it's just going to work. It's not going to work. One of the major problems with these is the oscillator is extremely sensitive to temperature. If you have like a fan blowing near your computer and you have two RTLs sitting next to each other and one is getting the fan more directly than the other, your center frequencies can start to drift very quickly, which breaks time of arrival. There are also issues with the clock.
Because they're coming in over USB, if you try to sync two of these devices on the system with the CPU, there's bus lag from the USB, there's clock drift across the devices, and the temperature-sensitive oscillator is just going to break down all your calculations. You're going to attempt to geolocate something and it's going to tell you that it's 25,000 miles away and it doesn't make any sense. So what do we do about clock synchronization? This is where his work came in. He had spent a lot of time trying to solve this problem. Turns out that the reference on the RTLs that have come out has a pin that you can use for a clock in. So all you've got to do is crack open your $16 radio and solder the clock out from one of them onto the other two, and now suddenly you're using the same system clock for all three devices. You're not trying to sync on the CPU and you can actually do a little bit of direction finding if you get a good signal. And there's a rig with three RTLs sharing a single clock.

So like I said before, it doesn't make the RTL a great radio. It's still bad, but with a little bit of clock sync and math and good signals, and that's what I'll get into next, what kind of signals does this work with? You can go and direction find devices using a couple of RTLs, three RTLs. Bursty digital comms. This is where it works and this is where we get into why I chose LTE. When I was surveying the space around where I live there are a lot of LTE uplinks and I thought, hey, that would be really cool if I could use my triangulation technique to track all the cell phones. And some of them are cars and some of them are other devices, but basically I'm assuming if it's LTE and it's uplink and I can receive it, it's probably a phone. GSM is also good. It's pretty wide. It's not as loud. It's closer to the noise floor and the RTLs really struggle with that, because everything looks like noise on one with the stock antenna. CB radio is pretty good too, just because it's super loud.
You get a very clear signal when you're trying to play with this. Walkie-talkies are the same way. There are a lot of construction guys around us that I've been able to put very precise dots on, where they're sitting in their yellow iron. One of the other things that's kind of exciting: this is a signal that I collected in the U.S., and you'll see that it's in the 900 uplink. Well, maybe you can see. There's some numbers right there. That's not a licensed band for GSM in the U.S.; that's a European channel. So this was a signal that I was interested in geolocating, because obviously somebody is using a system that either is completely undocumented or they shouldn't be. And because the width of the signal is fairly wide, unlike kind of the walkie-talkie and CB stuff that gets very narrow, if the clocks drift on the RTLs or the oscillators drift and my center frequencies get off, my time of arrival is still the same. I'm going to show that if I have one RTL where the true center frequency is slightly to the left of where I'm trying to tune it and another slightly to the right, I'm still going to get the same time of arrival. So that's why LTE is easy to track with three RTLs.

And that's my research so far. I'm going to be hanging out at the wireless village tomorrow. If anybody wants to see this thing fly, my Kibana box does not plug into a VGA. So I'm not going to show it live in here, but yeah. Thanks for coming out.
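The time-of-arrival geometry from earlier in the talk, worked through in Python as an added example (not the speaker's code): two receivers give cos(theta) = c * dt / baseline and the two asymptote directions, three receivers give six rays of which only one combination converges, and a clock offset on one receiver pushes |cos| past 1 so the rays cannot be drawn at all, which is the failure mode the shared-clock mod fixes. The receiver grid, transmitter position and the 3 microsecond clock error are constructed values.

```python
import math
from itertools import combinations, product

C = 299_792_458.0  # speed of light, m/s

def tdoa_bearings(rx_a, rx_b, t_a, t_b):
    # The talk's rule: cos(theta) = c * (t_a - t_b) / baseline, theta from the A->B line.
    # Returns (baseline midpoint, two asymptote directions) or None when |cos| > 1.
    dx, dy = rx_b[0] - rx_a[0], rx_b[1] - rx_a[1]
    baseline = math.hypot(dx, dy)
    cos_t = C * (t_a - t_b) / baseline
    if abs(cos_t) > 1.0:
        return None  # time difference larger than the baseline allows: clocks are off
    sin_t = math.sqrt(1.0 - cos_t * cos_t)
    ux, uy = dx / baseline, dy / baseline
    mid = ((rx_a[0] + rx_b[0]) / 2, (rx_a[1] + rx_b[1]) / 2)
    plus = (ux * cos_t - uy * sin_t, ux * sin_t + uy * cos_t)   # baseline rotated +theta
    minus = (ux * cos_t + uy * sin_t, uy * cos_t - ux * sin_t)  # baseline rotated -theta
    return mid, (plus, minus)

def ray_intersection(p1, d1, p2, d2):
    # Intersection of two rays; None if parallel or if it lies behind either origin.
    cross = d1[0] * d2[1] - d1[1] * d2[0]
    if abs(cross) < 1e-12:
        return None
    wx, wy = p2[0] - p1[0], p2[1] - p1[1]
    s, t = (wx * d2[1] - wy * d2[0]) / cross, (wx * d1[1] - wy * d1[0]) / cross
    if s <= 0 or t <= 0:
        return None  # these two "diverge off into space"
    return p1[0] + s * d1[0], p1[1] + s * d1[1]
def triangulate(receivers, arrivals):
    # Six asymptotes from three pairs; keep the one-per-pair choice whose three
    # intersections sit closest together. Returns (centroid, spread in m) or None.
    rays = []
    for i, j in combinations(range(len(receivers)), 2):
        res = tdoa_bearings(receivers[i], receivers[j], arrivals[i], arrivals[j])
        if res is None:
            return None
        rays.append([(res[0], d) for d in res[1]])
    best = None
    for choice in product(*rays):
        pts = [ray_intersection(*r1, *r2) for r1, r2 in combinations(choice, 2)]
        if None not in pts:
            spread = max(math.dist(p, q) for p, q in combinations(pts, 2))
            if best is None or spread < best[1]:
                best = (tuple(sum(c) / len(pts) for c in zip(*pts)), spread)
    return best
def simulate_arrivals(tx, receivers, clock_offsets=(0.0, 0.0, 0.0)):
    # Ideal arrival times (distance / c) plus a constructed per-receiver clock error.
    return [math.dist(tx, rx) / C + off for rx, off in zip(receivers, clock_offsets)]

RECEIVERS = [(0.0, 0.0), (1000.0, 0.0), (0.0, 1000.0)]  # constructed 1 km grid, metres
TX = (6000.0, 8000.0)                                   # constructed transmitter, 10 km out
```

With a 1 km baseline the asymptote shortcut lands within a few hundred metres of TX at 10 km, while a 3 microsecond offset on one receiver (900 m of apparent path difference) makes `triangulate` give up entirely.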