Our next speaker literally hacked the planet. So please give a warm welcome to Karl Koscher. Hello, DEF CON. I am Karl Koscher, otherwise known online as SuperSat. This is a collaboration with another member of the ShadyTel cabal, Andrew Green, who unfortunately couldn't make it to DEF CON this year. And we're going to be talking about Hack the Hemisphere! All right. So this was done as a project under the ShadyTel organization. And ShadyTel sort of started out as a Twitter parody account, but now occasionally provides real service at events like ToorCamp. And as part of our commitment to always be in your business, we're constantly looking to improve our revenue streams by expanding into exciting new areas such as offering triple play packages, including TV service. So this is a talk about how we explored offering TV service and legally broadcast hacker content to all of North America and a little bit beyond, a tiny bit of Russia, using an end-of-life geostationary satellite, and how you can set up your own event broadcast too. So to explain what an unprecedented opportunity we had, we first need to talk about some satellite basics. So when you think about satellites orbiting the Earth, you might picture something like this. But in reality these are only low-Earth orbit satellites. And these satellites can't really be used for broadcast communications. Because they're constantly going around the Earth, they're not in a fixed position in the sky. And for broadcast communications, you really want to be able to have a dish pointed at a particular point in the sky. And so if you were going to do 24-7 communications with low-Earth orbit satellites, you would need a whole constellation of satellites. And until recently that wasn't really feasible. And so sorry, Starlink, but LEO isn't cool. You know what's cool? GEO. All right. So what's GEO? So that's short for geostationary Earth orbit, making sure the animation works here. So Elon's there. We're out here.
So basically this animation is showing that the position of the satellite follows exactly the rotation of the Earth. But where are we going to get a geostationary satellite? Well, somewhat unfortunately, but fortunately for us, satellites have limited lifespans. And there are a bunch of reasons for this. So you can't get into quite perfect orbit and stay perfectly in sync. So you need a little bit of fuel to do some station keeping and fine tune your position. There are batteries on board. Batteries obviously wear out. There's space debris that might just blow a hole through your satellite. There's radiation that might cause bit flips or single event upsets or things like that. And so satellites are engineered for a specific lifespan. And once they are at their end of life, they are moved into what's known as the graveyard orbit, which is just beyond GEO. They don't de-orbit it back to Earth because that actually takes a lot more fuel than just pushing it a bit further out into space where they can bump into each other. And so this leads us to this unprecedented opportunity that we had to use one of these end-of-life satellites. So this is Anik F1R. It was launched in 2005 with a design life of 15 years. So if you do the math, it's basically dead or beyond the end of its design life. This is the coverage map of Anik F1R. It's a Canadian satellite supporting Canadian broadcasters with excellent polar coverage. I've been told that satellite services can't be offered in Canada without covering the entire country. So that might be why back in like the late 90s, early 2000s, pirating DirecTV or Dish Network was kind of in a gray area. Anyway, coverage extends beyond the southern U.S. border, reaches Hawaii, and covers a little bit of Russia. All right. So how did we actually get on this bird? So to go into detail about how we actually sent a broadcast from this satellite, we need to first talk a little bit about how these broadcast satellite transponders work.
And they're basically dumb analog systems, or sometimes they're called bent pipes. So they basically receive some signal from Earth, do some band-pass filtering on it, translate that frequency, amplify it using a linear amplifier, and then send it straight back to Earth. And so the fun thing about this is that it sends any RF signal it receives back to Earth as is. There's no demodulation, there's no authentication, there's no nothing. It's just analog in, frequency translation, analog out. And the fun thing is that, so on these satellites, these transponders will have a bandwidth of like 36 megahertz or 27 megahertz, but you can actually pack multiple users into a single transponder. The only issue with that is the uplink power: all the users of that uplink or that transponder have to be at approximately the same power. Because you can overload these transponders and basically push them into clipping where you get distortion. You know distortion from like electric guitars where it's intentional, but basically that just splatters your frequency all over the spectrum. And so if you send a signal that is too powerful, you will actually cause interference with other users on that transponder. So this is the Anik F1R transponder configuration. There are 24 C-band transponders that are 36 megahertz each. In North America, TV channels use 6 megahertz of bandwidth so it can theoretically support 6 different channels there. There are also 32 Ku-band transponders at 27 megahertz each. And what's interesting here is that the frequencies of these transponders actually overlap. And the way that they're able to do that is by doing different polarization. So one transponder is horizontally polarized and one's vertically polarized, where basically you can get some frequency reuse essentially for free as long as the uplink and downlink dishes are configured correctly. So with Anik F1R, these transponders were sold for the lifetime of the satellite.
And then companies would buy a particular transponder allocation and then sublease that out to different companies, either in time or frequency or both. And as it turned out, we had someone who had one of these subleases. Let's see. Yep. All right. Cool. So since we had one of these transponder leases, we also had a license to uplink at this unnamed facility. And they had moved off of Anik F1R because it was already end of life. So they were using alternate services or alternate satellites, also some IPTV services for their broadcasts. But they still had the lease. They still had the license for the uplink. And they wanted to make sure that this satellite or this link still worked in case they needed a backup. And what happened is Hurricane Ida came and hit this dish and knocked it out of position. And so they weren't receiving any signal. And so they wanted to have a way of testing this dish. Turns out it didn't work because the receiver, the antenna, the low-noise block was corroded to hell and back. Just a quick note on what an LNB is. That stands for low-noise block. It's an integrated antenna and low-noise amplifier. So basically it's at the focal point of the dish where there's an antenna. And then it has a specially designed amplifier to minimize the amount of noise it injects into the signal. So we replaced the LNB and we started getting some kind of signal. But then there was the problem of the hurricane knocking the dish out of position. And so we weren't quite lined up in the right direction. But as it turns out, we didn't need to use the usual method. So there's this peaking up method where you have these test tools where you get the signal strength and you adjust the dish a little bit and you hone it in to get it perfectly placed. Turns out that was not necessary. All we did is move the satellite dish back to where the rust marks were. So that worked.
So at this point we were locked on to a different transponder, one that was still active and had not been vacated. And so then it was time to test out the transponder that we actually had a lease on. So once we'd verified that the satellite was still there, we needed to test the uplink facility using the existing commercial equipment in there. So the way that basically works is they take in a video source, it goes into a DVB-S encoder into a BUC, which is a combined upconverter and amplifier, which takes it from about 1.2 gigahertz up to 6 gigahertz, which is the uplink frequency for this satellite. And then that gets sent out to the dish. So this is what it looks like on a spectrum analyzer. So there is a downlink on C-band. It's at about 3.8 gigahertz. So our transponder slot is about there. When we turn on the amplifier, we get a carrier there. And then when we turn on modulation, we get a nice wide 6 megahertz signal. And we received that test signal back without any problem. It was just the right power level. It was about the same as everyone else. Right amount of occupied bandwidth. So we basically just verified that everything was hunky dory there. But that wasn't the end of our story. So we wanted to do some custom content. And unfortunately at this uplink facility, we had this DVB-S encoder, which was this Tandberg unit, which accepts this input known as ASI. And ASI is basically an MPEG-2 transport stream over a BNC connector that is 270 megabits serial. It's very weird. It's kind of designed to be compatible, at least electrically compatible, with another video standard called SDI for doing digital video. But there was really no easy way to generate this ASI signal. I was lucky enough to be gifted a prototype of one of the Great Scott Gadgets, LUNA, which is this USB multi-tool that they're coming out with. Unfortunately, the chip shortage has delayed that a bit.
But the idea there was to go from a USB interface to ASI out of one of the coax ports that you could add on there, with an FPGA. So it was designed to do this serialization and deserialization. Unfortunately, that's a lot of work. Also, maybe this encoder is old and we want to do something more modern. We also thought about buying a dedicated ASI interface card. Eventually we did later. But the problem with those is that ASI is kind of an old enough standard that you can only find them as PCI cards. And so that was a pain in the ass to implement. So we decided to bypass this Tandberg unit with something of our own. And it turns out that is very easy to do. So there is a DVB-S2 encoder example in GNU Radio using some of the gr-dtv blocks in there. And this DVB-S2 sample takes an MPEG-2 transport stream in at a very precise bit rate that I will talk about in a minute, and generates a DVB-S2 signal with the desired modulation parameters. And then we just fed that into a HackRF which sends it out on an L-band frequency. So it's like 1.335 gigahertz, which the HackRF can easily do. And then once it goes out there, it looks the same as the output from the Tandberg unit into the BUC, which upconverts it and amplifies it and sends it to the satellite. So I mean, this is the sample graph in GNU Radio Companion. We didn't do anything in this. It just sort of worked as is. I guess we did change the sink from like a USRP to a HackRF and the source from like a file to like a TCP socket. But it is basically pretty easy to do. So we got a test stream up and running pretty quickly with a HackRF and a commercial IRD, which is an integrated receiver decoder. So an off-the-shelf satellite TV set top box connected via coax in the lab.
Unfortunately, what these IRDs do is they send out power via the coax, or they send out a DC bias to power the LNB, and they actually change their voltage to change the polarization between horizontal and vertical or things like that. So we were sending 13 to 18 volts into the HackRF front end and, you know, that just blew it up immediately. And so we were able to bypass it with a sketchy amp shown on the right here where we basically bypass the final amplifier stage of the HackRF, which is kind of notorious for being very, very delicate. So be careful when you're doing that. So we successfully replayed a test transport stream into a commercial receiver decoder box. There's a spectrum analyzer. This is one of the test videos from this site W6RZ.net. The bitrate wasn't perfect, but we got basically some choppy MTV video on there. But now the question was how do we generate our own MPEG-2 transport streams? So to talk about that, well, let's talk about what these MPEG-2 transport streams are in the first place. So they are designed to carry multiple programs or channels over a continuous stream. They're basically used everywhere. People might hear MPEG-2 and think, oh, well, that's dated and we're on like MP4 or MP5 or whatnot. But no, MPEG-2 transport streams are still used pervasively. They're used in over-the-air TV with both DVB in the rest of the world and ATSC in North America. There is cable TV. There is satellite broadcast. And even your cable modem uses MPEG-2 transport streams. They actually take, well, except for DOCSIS 3.1, which does something else. But basically they take ethernet packets and they chunk it up into different MPEG-2 transport stream packets and just send it as another video channel, which is very weird. Anyway, so what MPEG-2 transport streams do is they take these different elementary streams or ESs and they mux them together and they assign a program ID or packet ID to each one.
And then there is some metadata which says, okay, a channel consists of this ES of the video and maybe two audio tracks. And in fact, you can actually do a program with multiple video tracks. Some DVDs used it to change like the perspective of a certain scene. It is not a popular feature. But basically MPEG-2 transport streams are codec agnostic. Originally you could do the MPEG-2 standard video codec, H.262, but now you can do H.264, H.265. You can do AC3, which is an audio codec, all sorts of different audio codecs. The problem with MPEG-2 transport streams is that they are designed to be transmitted at extremely specific bit rates. And I'm talking like down to several decimal digits of precision. And the reason for that is that bit rate is derived from the modulation parameters of how you are transmitting the signal. So I'll show some demos or some diagrams of different ways of modulating signals. But you can have like a different number of bits per symbol that gets sent. You can change the number of symbols per second. You can change the amount of bandwidth that you're sending your stream over. You can also add a bunch of error correction. And one simple way to think about this error correction, at least the very simple Reed-Solomon error correction, is you can sort of represent data as a degree n minus one polynomial. And then if you have more than n points, you can precisely recover what the original polynomial was. So you basically just add some redundant data there. That's kind of an old way of doing error correction. There are some newer advanced forms that can take advantage of what's known as soft decoding. I'll show an example of that on the next screen. Where basically you're not sure if something is a zero or one, but it's more likely to be a zero. So you kind of use that to tune for, or to do, some advanced error correction. And then you're going to have some variable bit rate content coming in to your muxer.
And so you need to actually pad that out with some null packets to keep the bit stream constant. And you know a lot of this is beyond the scope of this talk. So if you want to know more, you can search for it. Let's see. So I want to quickly talk about constellation diagrams because this relates to the different modulation schemes that I was talking about on the previous slide. And so at a very high level, when you send a symbol over DVB-S, you could send not just a single bit, but multiple bits. And without getting too much into the weeds, when you add more bits, they are sort of closer together. And so when you receive a symbol and it's not perfectly on one of these constellation points, well, the more constellation points there are, the more uncertainty there is. And so basically the simpler the modulation scheme is, the easier it is to receive. One thing that I will note here is that these diagrams on the top are a phase shift scheme where you basically change the phase of the carrier signal that you're sending. But since it's sort of on a unit circle, the amplitude of the signal is constant. And so you don't actually need a linear amplifier for that. The schemes on the bottom, some of the QAM schemes or APSK schemes, do need linear amplifiers. All right, so this is a depiction of what an MPEG-2 transport stream looks like when you play it in one of these test tools. So you can see a bunch of metadata there. So there's the program table that defines various channels and then each channel or program says these are all the associated video streams and things like that. All right, so this is basically what the complete broadcast chain looked like. So what we do is we take in some RTMP sources, real time media protocol or something like that, and that's generated by OBS, for example. And I'll get into how we did that in a second. We ingest those multiple RTMP streams into a program called Flussonic.
Flussonic basically just altered the PIDs of the RTMP stream so that we could have multiple streams together. And then we sent this into a program called TSDuck which was actually mentioned yesterday in one of the satellite talks. And basically that would mux all these different streams together into a very precise bit rate. Then we send it into GNU Radio either over a TCP socket or a UNIX pipe or something like that. And then it goes out the HackRF, goes through the upconverter and out to the dish. All right, so we used OBS, Open Broadcast Studio, to generate these RTMP data sources. I pointed this at a server running Nginx that basically just provided a sink for this and then on the uplink side they could connect to my Nginx server and pull down the same MPEG-2 transport stream. Yeah, went over this. All right, so now that we have something that might work, what do we actually put on this satellite? So why don't we do an entire conference? So this satellite was expected to be sent into the graveyard orbit in November 2021. And ToorCamp was happening in October 2021. So we approached them and we actually got permission to restream the entirety of ToorCon San Diego that they were selling virtual passes for at 50 bucks. But if you had a dish and you were to put it up, you could get it for free. So this is what the OBS side looked like. So we logged into the content site with the browser embedded in OBS. We had some cool intermission content between talks and during the night we would like play hacker movies. Andrew also allocated, so because we can multiplex multiple programs onto the same transmission and we had extra bandwidth, we added more content on there. So the second video channel was more movies. The fifth channel was actually tied to a phone conference bridge. So there was a number that you could call and just have your voice broadcast to, well, North America and beyond.
There were plans to include a numbers station in this as part of a long running ARG called OTP22. Unfortunately one of the creators behind that unexpectedly passed away before we could do this. So we weren't able to do that. So this is a look at us testing our custom hacker transmission on there. There's the upconverter. There's lots of cables there. On that screen there's the upconverter status. On that screen we have the output of this Cisco decoder box. And when we tune into the channel, oh, yep, there we go. All right, we've got WarGames on there. Pulling that off the satellite, we can change channels to get different things on there. Unfortunately, I think the only thing that's on there is audio and I said there wasn't any audio in these videos, so oops. Anyway, that's showing. Oh, and we had this fun little ShadyTel bug on our videos there that was done with an OBS overlay. Let's see, here's another test going between different channels on this decoder box. So we had this great movie Antitrust on, which is very lulzy. Then let's see, we can probably, I think we were going to switch channels and show, eh, whatever. All right, so how were people supposed to be able to receive this? So we sent out this very vague tweet from the ShadyTel account with this giant C-band dish just saying soon. And really the reason why you need this large of a dish is because the wavelengths of C-band are relatively large compared to Ku-band, so 3 gigahertz or like 3.8 gigahertz versus like 11 or 12. So we did some rough figures to figure out if people actually needed one of these C-band dishes. So a little back of the envelope math, we figured there was about 37 decibels of gain in this C-band dish. If you got this 8 foot C-band dish, if you went down to 3, you went from 37 to 29. If you find one of those free repurposed DirecTV dishes, you get somewhere between 23 and 26. So, you know, this is the proper way to actually receive the C-band signals.
But we were curious if you could actually repurpose one of these other satellite dishes, like a DirecTV dish or a Dish Network dish, to pull these things in here. Unfortunately, the satellite went away before we could fully test this. So caution, there's some speculation below. If this was at ShmooCon, I'd encourage you to throw ShmooBalls at me if there are some errors in this slide. So this is somewhat speculative. So we got about a 16 decibel carrier-to-noise ratio at the transmitter site. And that was way up in Canada, like northern Canada. So in the continental US, you should probably get a better signal because it's more overhead. So going from one of those nice C-band dishes down to a DirecTV dish would lose us about 14 decibels of signal. So that would give us a carrier-to-noise ratio of about 2. But luckily, we control the modulation parameters. So we can add more error correction. We can lower the bit rate. We can basically make this signal as easy as possible to receive. There's some stats on the various carrier-to-noise ratio requirements to receive various modulation schemes with different error correction overheads. So like if you did QPSK with like one fourth error correction, so you send like four symbols for every symbol that you actually want to send, you can actually send something below the noise floor and pick it up. And yeah, so if you do that at five megasymbols per second with pilots, you get about 2.4 megabits per second with about 4 dB of link margin there. So it's not going to be like perfectly receivable all the time. There will be some noise that will knock it offline, but it won't basically work. And I just looked at what the DEF CON documentary was at 1080p encoded with the H.265 codec; that averages about 1.6 megabits per second.
Now I'm kind of cheating here because that's the average and in practice it's a variable bit rate, so you would occasionally go over that 2.4 megabit per second, but you can set your encoding parameters to make sure you're always under that limit. All right. So we looked into doing this before the satellite got de-orbited or sent off to the graveyard orbit. Turns out you can buy these. So our plan was to repurpose some of these old dishes, not that one. It's too bent. Don't use that one. We could get these new C-band LNBs. This was like 42 bucks for the top of the end model off of Amazon. You could get one as low as 29 bucks depending on the quality. Unfortunately, you can't really do this anymore as of January because these are designed to pick up the old satellite C-band signals and the FCC just reallocated some of that for 5G. So you need a new LNB to basically filter those out. Otherwise, you're just going to have this antenna be bombarded with 5G noise. Unfortunately, these aren't sold anymore. Maybe they'll come out with better ones now. The second hurdle was that these DirecTV dishes have these custom LNB mounts. I got a friend to 3D print an adapter for that. That was kind of lulzy. It was held together like a little clamp. All right. So where do you get? So that's the antenna. Where do you get the receiver box? Well, Amazon of course. This is a decoder box that runs Linux, supports H.264, H.265, is networkable, sits on the Wi-Fi, probably hackable. The firmware is in the clear, not encrypted. It's 31 bucks. So that actually worked well at least with some local tests. This was our initial attempt at putting up a dish. It kind of looks like the LNB there is not pointed at the right part of the dish. There is also, it's missing what's known as a conical scalar, which basically blinds part of the LNB so it doesn't pick up background radiation from beyond the dish.
And we didn't really have any good idea of exactly where the focal point of this dish was. So I did this kind of hacky thing where I just added a bunch of reflective tape to the dish and had a distant light source to determine the focal point and basically adjusted the LNB to be right at that focal point. Unfortunately, I went home and we left this out and the sun came out and I guess we found the focal point because we melted the plastic of the LNB. So there's a proper way to do this, which is to actually go to one of these lovely satellite TV sites and you can get one of these Ku-band dishes and actually convert them to receiving C-band. So like one of these costs, I don't know, like $150 or maybe up to $250. Basically, it gets you a larger dish, gets you known parameters like where the focal point is. I was talking about this with someone recently and they said, oh, yeah, you did a mini-BUD. I'm like, what's a mini-BUD? And it turns out a mini-BUD is modifying one of these Ku-band dishes to receive C-band transmissions. And so we got, you know, about 5 to 10 dB of carrier-to-noise off of one of these dishes that a friend brought over. If you actually want to do a proper C-band dish size, well, you can always go over to China and Alibaba and there's one for, I don't know, $150 or something like that. Once again, you need new LNBs because the FCC reallocated a bunch of those frequencies for 5G. And of course, well, all of this is moot now because the satellite's gone into life. But you might still be able to do this for your own events. So for, you know, for what we did, you need a very large dish. You need a way to upconvert that to 6 GHz. Apparently the amplifier wasn't actually that powerful. The total power out of it was about 15 watts. There was a lot of gain in the antenna. Of course, you need permission to do this, like a transponder lease or an STA or something like that. You could do this with Ku-band satellites.
Those uplink frequencies are more like 14 and a half GHz. So you need some more esoteric components and apparently you need a higher power amplifier. So maybe it's a bit more difficult to do there. But there are a lot of Ku-band satellite parts available on eBay because they're used for a lot of things, like Internet access and, I don't know, like news gathering with those TV trucks and stuff like that. All right. So how feasible is this for some, all right, yeah. All right. What if you don't want to do something with a satellite? So almost nothing in this talk is actually specific to satellites. So there's a variation on DVB called DVB-T, which is used for terrestrial broadcast. And as it turns out, almost everyone at a hacker con has a DVB-T receiver. It's one of those RTL-SDR dongles. That's what they were originally designed for. They have silicon to actually demodulate these DVB-T terrestrial TV signals. So you need to change some of the modulation parameters in GNU Radio and use the DVB-T version instead of DVB-S. But basically the rest of the chain is about the same. You still need to like amplify the signal to get it beyond a couple of feet or something like that. You could use some amateur TV amplifiers. Those are for like NTSC; they are linear amplifiers. They will work just fine for DVB-T as well. I found this lovely Russian LTE amp and it turns out that some Russian cellular frequencies overlap with some ham radio frequencies in the US. So theoretically you could use one of these devices and by applying proper filtering and monitoring what you're sending out, you could probably set this up. So this is what it looks like. It's basically RF in and a lot of RF out and a lot of RF porn there. So the final thing you need to do this is permission, of course. So one creative way of interpreting the amateur radio rules is that normally you can't send broadcasts over the amateur service.
They need to be either two-way communications or seeking two-way communications. But there is a special carve out for information bulletins directed only to amateur operators consisting solely of subject matter of direct interest to the amateur service, like this talk. I could have broadcast this talk live. Unfortunately I couldn't test that in time, so never mind about that. The other way to do it is to get a special temporary authority from the FCC for testing in unused TV white space or actually any frequency that's unused. So ShadyTel actually got an STA from the FCC to run a GSM network at ToorCamp. Basically you apply to the FCC and you say here's this test that I want to do, and here's what we said: the purpose of this test will be to verify the functionality of an open source GSM network design in an outdoor test range, blah, blah, blah, blah. You could do something similar if you were at a hacker camp or Burning Man or something like that. So what's all this good for? So with a large enough audience these broadcasts are a very efficient use of bandwidth. So like DEF CON TV could be done over this and then if you're like in your hotel room trying to pull it up on Twitch or whatnot and you're not getting a good signal, well, you can just pull it over the air because it's broadcast. Also the range for these, depending on your power level and what you're allowed to do, can be significantly larger. Works if the internet is down. So if there are geopolitical conflicts maybe the internet gets cut. Maybe some sources of information are being censored. So like the EU decided to ban RT and so you can't actually get RT from like your cable company in the EU, but you can pull it directly off the satellite. But you know in some places where reception, some places still, especially some countries, regulate the reception of TV signals like that. So just be careful with that. And so that's the end of my talk.
I am Karl, SuperSat online, from ShadyTel Labs, and we are always in your business. Thank you.
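The talk says the transport-stream bit rate is dictated, to many decimal places, by the modulation parameters, and quotes QPSK rate 1/4 at 5 megasymbols per second with pilots giving about 2.4 Mbit/s and about 4 dB of margin on a repurposed small dish. The following is an added example (not code from the talk or from ShadyTel) that reproduces those numbers from the DVB-S2 normal-frame structure in ETSI EN 302 307; the dish gains and the 16 dB C/N are the talk's figures, and treating the quoted C/N as Es/N0 is an assumption.

```python
"""DVB-S2 payload bit rate and link-margin estimate (added example).

Reproduces the talk's back-of-the-envelope numbers: QPSK, rate 1/4,
5 Msym/s with pilots -> about 2.4 Mbit/s, and about 4 dB of margin once
the C/N drops from 16 dB (8 ft C-band dish) to about 2 dB (DirecTV dish).
"""
from fractions import Fraction

FECFRAME_BITS = 64800          # normal FECFRAME (LDPC codeword length)
PLHEADER_SYMBOLS = 90          # SOF + PLS code, sent as pi/2-BPSK
BBHEADER_BITS = 80             # header at the front of every BBFRAME
SLOT_SYMBOLS = 90
PILOT_SYMBOLS = 36             # one pilot block after every 16 slots

BITS_PER_SYMBOL = {"QPSK": 2, "8PSK": 3, "16APSK": 4, "32APSK": 5}

# K_bch = uncoded bits per FECFRAME for normal frames (EN 302 307 Table 5a).
K_BCH = {
    Fraction(1, 4): 16008, Fraction(1, 3): 21408, Fraction(2, 5): 25728,
    Fraction(1, 2): 32208, Fraction(3, 5): 38688, Fraction(2, 3): 43040,
    Fraction(3, 4): 48408, Fraction(4, 5): 51648, Fraction(5, 6): 53840,
    Fraction(8, 9): 58192, Fraction(9, 10): 58320,
}

# Ideal Es/N0 (dB) for quasi-error-free QPSK reception (EN 302 307 Table 13).
REQUIRED_ESN0_DB_QPSK = {
    Fraction(1, 4): -2.35, Fraction(1, 3): -1.24, Fraction(2, 5): -0.30,
    Fraction(1, 2): 1.00, Fraction(3, 5): 2.23, Fraction(2, 3): 3.10,
    Fraction(3, 4): 4.03, Fraction(4, 5): 4.68, Fraction(5, 6): 5.18,
    Fraction(8, 9): 6.20, Fraction(9, 10): 6.42,
}


def symbols_per_plframe(modulation, pilots):
    """Channel symbols in one PLFRAME: header + data slots + pilot blocks."""
    data_symbols = FECFRAME_BITS // BITS_PER_SYMBOL[modulation]
    slots = data_symbols // SLOT_SYMBOLS
    # A pilot block follows every 16th slot, but never the final slot.
    pilot_blocks = (slots - 1) // 16 if pilots else 0
    return PLHEADER_SYMBOLS + data_symbols + pilot_blocks * PILOT_SYMBOLS


def ts_bitrate(symbol_rate, modulation, code_rate, pilots=True):
    """Transport-stream bit rate (bit/s) the mux must deliver for these
    modulation parameters. This is the exact rate the muxer (TSDuck in the
    talk) has to hit; the many decimal digits come from this ratio."""
    payload_bits = K_BCH[Fraction(code_rate)] - BBHEADER_BITS
    return symbol_rate * payload_bits / symbols_per_plframe(modulation, pilots)


def null_packets_per_second(symbol_rate, modulation, code_rate, content_bps,
                            pilots=True):
    """Number of 188-byte null packets (PID 0x1FFF) per second the muxer must
    insert to pad variable-rate content up to the constant channel rate."""
    spare = ts_bitrate(symbol_rate, modulation, code_rate, pilots) - content_bps
    if spare < 0:
        raise ValueError("content exceeds channel rate; lower the encoder rate")
    return spare / (188 * 8)


def dish_downgrade_cn_db(cn_db_reference, gain_reference_db, gain_new_db):
    """C/N after swapping dishes: the antenna-gain difference maps straight
    onto C/N (same LNB noise figure and satellite EIRP assumed)."""
    return cn_db_reference - (gain_reference_db - gain_new_db)


def link_margin_db(cn_db, code_rate):
    """Margin over the ideal QPSK threshold. Assumption: the talk's C/N is
    measured in a noise bandwidth equal to the symbol rate, so C/N ~ Es/N0."""
    return cn_db - REQUIRED_ESN0_DB_QPSK[Fraction(code_rate)]


if __name__ == "__main__":
    rate = ts_bitrate(5_000_000, "QPSK", "1/4", pilots=True)
    print(f"QPSK 1/4 @ 5 Msym/s with pilots: {rate:,.3f} bit/s")
    cn = dish_downgrade_cn_db(16.0, 37.0, 23.0)   # 8 ft C-band dish -> DirecTV dish
    print(f"C/N on the small dish: {cn:.1f} dB, "
          f"margin {link_margin_db(cn, '1/4'):.2f} dB over the QPSK 1/4 threshold")
    # The talk's 1.6 Mbit/s H.265 average leaves this much null-packet padding:
    pad = null_packets_per_second(5_000_000, "QPSK", "1/4", 1_600_000)
    print(f"null packets/s needed to hold the channel rate: {pad:.0f}")
```

Feeding `ts_bitrate()` a different symbol rate or code rate shows how the mux rate, and thus the padding budget, moves with each modulation parameter the talk lists.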