[00:00:00] So anyway, here you go. Here's your speaker, enjoy. (Applause)
BALINT SEEBER: Good morning. Thank you all very much for coming out on what I understand is an early DEF CON morning. I would very much like to show you my slides, but as you can see there might be a little bit of a technical glitch. And I would really, honestly, love to get started, but it's kind of crucial to have the slides. So, I thought maybe we could try the reverse and do a bit of Q&A. (Laughter)
BALINT SEEBER: How many people are into radio? All right, cool. How many people have-- who knows what a software defined radio is? Okay. And how many people have actually played around with one? How many people own one? How many people have a USRP? How many people have a Realtek TV dongle? And who knows GNU Radio? Excellent. That's very encouraging. Applause already. (Applause)
BALINT SEEBER: If I-- if you pardon the debugging across the room. Do you know where you are actually receiving the signal from my laptop?
[00:01:46] (Off microphone)
BALINT SEEBER: Would it be possible to temporarily connect one projector or something?
It's actually the multiplexer back there.
BALINT SEEBER: All right.
Yeah, it's-- no, keep on going. By the way, the Q&A. Time has passed. We used to have a Q&A where we'd get together, go to a room to a Q&A. There's one big mess of Q&A room back there. And if this gentleman wants to take beers and shots and whatever and talk to him at the bar, that's a Q&A area. So, this year the Q&A area is pretty much going to be handled out in the hallway or wherever else that you deem necessary. So, at the end of the talk I'll-- (Off microphone)
BALINT SEEBER: I'm okay with that. (Laughter)
So, why don't you get this guy up and running.
BALINT SEEBER: Well, I guess I should also add that my name is Balint Seeber. As you might gather, I'm not originally from around these parts. I moved to the States about the middle of last year. I had been sort of mucking around with software defined radio in my own time.
[00:02:57] I had been working on a Ph.D., but unfortunately for that, through a friend I discovered what software radio was about and I let the Ph.D. slide. (Applause) I would like to show you the things I did during that time. Since then-- go?
Keep on talking.
BALINT SEEBER: I joined Ettus Research, so I'm an applications engineer there, and I guess one bonus is I get to play around with cool, new toys. One of which I would like to sort of show you today.
Did you want to check the-- change it down.
Okay, 1024.
BALINT SEEBER: I have a laptop, did you want me to try that one?
You can, won't hurt.
BALINT SEEBER: Okay. (Laughter) Any more questions? (Laughter)
AUDIENCE MEMBER: What's your drink of choice?
BALINT SEEBER: I'm actually not much of a drinker, you know?
AUDIENCE MEMBER: You will be after this?
BALINT SEEBER: I was thinking that might be the case. I guess, I don't know, do any of you recognize this, or anything like it?
[00:04:28] It's a FasTrak tag that you normally affix to your car; it gets scanned when you go through the toll booths. This is an antenna that you can read these with, and I figured-- I can't remember how I came across it, but I came across-- I don't know if you've seen, there was a Black Hat talk that dealt with opening these up and reversing and decompiling the firmware, and that was nice, and you go into the chip and extract the software. But I figured I would implement the radio side of it, so I just did it over two nights last week. Simply, it will read the ID, as it's not an encrypted protocol, out of one of these tags; you hold it up there and it will read it out. I would have nice images to demonstrate that later on, but I guess I can hand wave in the meantime! I'm kinda giving you the summary of the entire thing. How are we doing back there? (Laughter) This is not quite the start that I was expecting. Is anybody doing any cool projects in SDR at the moment? I had a question there?
AUDIENCE MEMBER: You mentioned the--
BALINT SEEBER: Yes, I do. Let me grab one. (Applause) I carry one around! Thank you! All right, then.
[00:06:10] So thanks for coming! Just wanted to tell you a little bit about me: otherwise obsessed with electronics and wireless. I think this is in kindergarten or first grade, I don't know what the hell I was making, but it was a contained part of an old tape deck and it had a blinking light with a VU meter; that was cool for me. Contraptions, trying to build it. This is on top of a park back in Sydney with a friend of mine. We put together a long wire antenna because we were trying to pick up the Cherry Ripe numbers station that was broadcasting out of Guam, run by MI6, I believe, and we tried a couple of successive weekends and then realized that the station had been shut down. (Laughter) It was fun to get the images. My journey into software radio shaped the talk. How I originally got into decoding systems with hospital pager systems, one of my favorites, tracking airplanes, and looking at how you can decode something that you know nothing about, in this case coming down from satellites, with a little bit of direction and FasTrak.
[00:07:31] Just to do a recap for those of you that aren't that experienced: the idea behind radio is that you have a carrier wave, a single frequency, and if you were to view it like this on a graph with time going from left to right, you would see your sine wave with the amplitude on the y axis, and the idea is you have information, whether it be voice, digital bits-- can you hear me okay? Is this a good distance?
AUDIENCE MEMBER: Yes!
BALINT SEEBER: It goes into a modulator and you mix that with the carrier, which puts it up to the frequency that you want to transmit it at, so if you want to transmit FM radio then you would dial that in on the radio at the radio station, put in your music, and out comes the music on that frequency. So the simplest modulation is on-off keying, where you turn on and off the carrier wave, and the simplest form of this is Morse code-- can you tell me what that means?
AUDIENCE MEMBER: DEF CON.
BALINT SEEBER: DEF CON, correct! Which then goes to more complicated stuff, OFDM, and it's used in a whole host of those we use pretty much every day.
[00:08:50] So you have your carrier at the top, the signal just below it, and depending on the modulation you use you either get a wave-- you can see how the carrier's amplitude is meshed with that of the signal-- or the frequency, much later version, the carrier maintains the same amplitude but the frequency changes with the change in the signal. So that's the basic difference in simple modulation schemes. Here is an example of a spectrum; this is a recording that I made of an automated broadcast from an airport regarding the state of the runways. I don't have any audio. Can I have the laptop audio pack? (Away from mic)
BALINT SEEBER: Thank you. So this is amplitude modulated: you have a carrier in the middle and on the side you have identical sidebands that contain the voice information.
[00:10:02] So the modulation will define what it will look like on that spectrum, so you are looking at AM signals, so that's symmetric with the carrier, and FM, you have the notion of the carrier but because it's been modulated and the frequency is moving around based upon the signal it looks different, and finally you have a digital modulation scheme, C4FM.
AUDIENCE MEMBER: (Away from mic)
BALINT SEEBER: Yeah. Of course that's not legal! (Laughter) I'll come back to more of that kind of thing later! Does anyone know about P25? It's a digital voice standard used by first responders all around the world, here in America and in Australia and other various places.
AUDIENCE MEMBER: (Away from mic)
BALINT SEEBER: It's maximum. So because it's digital modulation, this is sort of a variant, but it contains four states, and because this is moving through quickly you get a different look to it on the spectrum. What I'm trying to emphasize to you is that originally there is sort of hardware, and the simple hardware like crystal sets that were used, and it was made up with very simple components. The point was that they're all sort of fixed, a fixed personality.
[00:11:28] Nowadays they're more complicated, with microchips and this other equipment; they're also fixed personality. So it's like a black box, you can't get in there and change it, it's not reconfigurable. Here we have a satellite modem, and keep this picture in mind because I will come back to that. The journey begins. I had this set up on my balcony back in Sydney and I heard a mysterious signal, which will not play now. I'll do it manually. (Tone) Anybody recognize what that is? (Laughter) At the time I wasn't sure what it was, and I had tried to demod it with free software out there available, but none of it worked. There we go! (Laughter) And this was my setup at the time. I inherited these radios from my grandfather, a scanner and other receivers, and I interfaced it with that board there to a 286 and had it running and would stream it downstairs, and this was my simple setup to control the radio remotely. I thought I would try looking at the signal, and once again we have the signal in the time domain, and if you look in the frequency domain you can see the two distinct levels coming out.
[00:12:58] This introduces the idea, just like in data transfer, that you have the preamble and the payload. So you can see the preamble is important because it establishes the data transmission, so that the receiver can lock on to it, so it's a repeating pattern of ones and zeros, and then you have the payload after that. Because it's two-level FSK you can draw the line through the middle and slice it: anything above will be 1, anything below 0, so you have 1's and 0's. Great, now what? The idea is to turn it into information. This took, on and off, five years for me to actually figure out, and in the process I ended up writing this bit of software that would take in this raw data and you could play around with ways of line coding and so forth.
[00:13:51] I look at it every so often and come back to it, and it just happened that I was reading Wikipedia and there was an article in there that mentioned these specific sync words, and I thought, hang on, I've seen them before, and you can see in the window they match up, and it turned out to be POCSAG. But it was weird, because what I had tried previously hadn't decoded, so this was an example of security through obscurity, because I changed the implementation, but it turned out to be the pages for the hospital network back in Sydney. We confirmed this: I have a friend that works in the hospitals there and he called his friend and said, can you send a page out, and you can see what that test page is there, the one that's legible. Bringing it up on this map that I created, it was actually part of the hospital. You can see we identified the frequency. Once you have a look at where that site radio-wise is linked to, you can see it's connected to all the other hospitals in the area. So I let my decoder run for a little while and it turned out to be some seriously sensitive information. (Laughter) And then finally-- (Laughter) (Applause) That was for one of the secure systems, I believe. A side note, I just showed you that map.
[00:15:28] This is a more indirect call to the FCC to be open about the data that they supposedly don't update on their website, but the Australian government has been good and strict about maintaining all this data in one place. So my mashup also has these map overlays, and this is a visualization of every registered radio transmitter in Australia and the links between them, so you can see where the population concentrations are, because that's where the radio sites are. And also I derived radiation information, so these are mobile cell towers in my neighborhood, and if you look at various cell towers there you have these sharp lines coming out and they're the microwave point-to-point links between the towers.
AUDIENCE MEMBER: (Away from mic)
BALINT SEEBER: The government's database that I sort of imported contains the information. It's quite rough but it looks pretty, I guess. Somebody posted it at one stage and it was interesting to track what sites were popular. Not sure that you can read that, but they're all the Echelon sites in Australia, so a station at Geraldton, and they're all covered with the radars, that's Pine Gap, there is a bit of joint U.S./Australian action going on there, I think.
[00:16:58] The first day I launched the site I had visits from the U.S. Department of Justice, federal parliament, and my state's Attorney General's department. I have no idea how they happened upon it so quickly, but-- (Laughter) People trying to get in and hack the site and scrape everything out, and it's mostly coming from a couple of IPs in Bolivia, so I banned the entire country! (Laughter) That was my journey to decoding things. Let's move on to aviation now. I have in the past liked to take a GPS receiver with me and stick it to the window, and what is the politically correct way of--
AUDIENCE MEMBER: Flight attendant!
BALINT SEEBER: Flight attendant-- I'm old fashioned-- and she says, is that off? And I said, of course it is, it's just got the display off. But it's cool because as you take off into the air you get interesting stats about how fast you're going and how high you are. Maybe it's me "geeking out" but I like the numbers. Once you get back home you can plug it into a GPS visualizer and Google Earth and you get a trail of where you've been. This was last year when I was going to Houston. These are screenshots from the GPS receiver.
[00:18:22] But if you're in the airplane and you're enjoying your ride, how do the skies remain safe and planes get around? I would like to tell you a little bit about primary and secondary radar. You've seen these big rotating radars at airports, and it's part of the ATC radar being consistent. The primary is the big one on the bottom and the secondary is the one at the top. The primary is the traditional radar, where it sends out a pulse and listens for returns off metallic objects, because planes are flying tin cans. The range is limited by the radar equation. What's interesting, though, is that with the secondary system, the top is directional radio, so that will actually broadcast and ping the transponders, which are active on the airplane, and ping back themselves, so that requires an active system whereas the primary does not, and because it's an active system and the transponder replies you have only second modal loss there, and this is crucial because if you're sitting in front of the scope and you have the big line going around you wouldn't be able to ID individual planes, but with the secondary system you would have those anonymous blips now coded with the squawk code that would have been assigned when they would have taken to the skies in the first place.
[00:19:49] How does the transponder system work? This is a basic one here, and there are different modes. A will reply with a squawk code, so when you take off you will get a code like that one, and then every time your transponder is interrogated it will send back a pulse. There is another one, which is C, and that will reply with the code and the current altitude, which gives air traffic control more information about the airspace. The cool one is Mode S. Who has heard of Mode S? All right, so Mode S is another system that runs on top of this, and there is something that runs on top of that, which is ADS-B, which means the planes don't need to be interrogated; they will continually broadcast this information out. Also part of that system is ACAS and TCAS, and the interesting thing is part of the secondary system and Mode S is not part of it, but it shares the same frequency, which would reduce cost, but now the problem is there are so many planes in the sky that the channel is becoming congested. I think Frankfurt has this problem the most, due simply to the amount of planes in the sky there. What does ADS-B send out?
[00:21:20] It's constantly sending out a plane's position, heading, altitude, vertical rate, squawk code, quite a lot of things; those are the main ones. If ATC has antennas on the ground there can be transactions between ATC and the plane purely through the system. So ATC might send out a broadcast, which is called the "all call", and all planes reply with the downlink frame that identifies the craft by its ID, much like a MAC address. Each airframe address is assigned to a single airplane. Then there is also ACAS and TCAS, where the planes respond to one another, and this can be used to augment collision avoidance. If they're traveling too close, in one cockpit you may hear the automated voice say "traffic", and if they get really close there might be a "pull up" and the other to do an avoidance maneuver, and this is called a resolution advisory, but there have been terrible incidents in the past where the pilots have not followed the RAs and the planes have collided. The one I'm told of in the past is the tragic one over Germany: there was a Russian flight with a lot of school children and they collided and they all died, and one of the fathers went and killed the controller. So you've got to pay attention to the resolution advisories!
[00:22:58] (Laughter) I'd like to put big props out to Brad and Nick; they presented last year on looking into the vulnerabilities of NextGen, which employs all this stuff, and I don't know whether Brad is here, but if you're here it would be great to catch up. The interesting thing is, according to the 747, they have 31 radios, so localities of things, and that makes me happy! (Laughter) When I was flying over here I took another photo of an aircraft like the one I was on and you can see there are a number of bumps coming out, and don't quote me, because I mapped it from a 747, I think it's roughly right, but you've got the antenna, the transponder, high gain satellite communications on the top, low gain VHF, in the tail you have an HF antenna, and on the bottom VHF things and radar, altimeter and the marker and measurement equipment, too. Now with Mode S, how is that encoded in the air? I showed you before what frequency shift might look like, but this is called pulse position modulation, which is technically AM, but they send out pulses at precise times, and when those pulses exist in a certain manner it might mean a 1 or a 0.
[00:24:42] With Mode S there is a preamble sequence, and the pulses have to be in most positions, and it indicates it is a Mode S packet, and that's used to distinguish it from Mode A, and the payload is determined by the position of the chips. So this is Manchester encoded, and you can see the chips, and one will relate to being a 1 and one to 0, and then the entire payload can be 56 or 112 bits long. With pulse position modulation at those rates, a pulse lasts an incredibly short amount of time. Now what this means is that you have to sample at a minimum of 2 megahertz, and it requires a bit of computing grunt to deal with that data rate, and ideally you want to sample fast so you can correct for any time errors. So you wouldn't be able to do this with your plain old radio, so this is where Software Defined Radio comes in, and this is where I got into it, and this is my first play around with SDR, because it's the perfect platform for this. SDR moves what was previously fixed in hardware, that sort of unconfigurable hardware, into the software domain. Remember we had that simple crystal radio set? The expression of AM demodulation in code is simply the magnitude of a complex vector. It's elegant and simple.
[00:26:29] FM is more complicated but as elegant. So on the receive side, instead of having everything done in hardware, all you do is you pick the carrier frequency you want to listen to, mix it with your incoming signal, and all the rest you end up doing in software. So the purpose of SDR is to turn those values into digital and supply the computer with the stream that you can process. So the continuous turns into discrete. Again you have your wave, the converter to take it into the number stream, and the converter going back the other way if you're going to transmit a signal. Naturally you're going to transmit legally, because you have a license to transmit in that band. This is what I started playing with first, this is with the USRP1. It is sort of, I guess, one of the first if not the first low cost SDR, you hook it up by USB, depending on the daughterboard you've got you had an amazing range and the bandwidth is incredible. This is one that came out later, and the bandwidth here was narrow because cleverly they put an audio card in there, because the left channel would be the I channel and the right channel would be the Q channel, and it would appear as an audio card.
[00:27:59] But you needed to have the software running on top of that to demodulate whatever you wanted to listen to. And then, of course, there is the Realtek one, anybody used it under Windows and ran it? I guess most people use it on Linux? But for the price, it's pretty cool. I don't know if you're looking into the history, but one of the modes in which it operates is that it can demodulate normal analog FM, and it was figured out that it's streaming 8 bit samples to the computer, and the community swarmed and figured out how to make that available to the mainstream. Now, this thing here, this is not an official announcement, so I haven't put any text up there. Pretty excited about this. This is going to be very soon the new USB 3 radio. It has quite a frequency range, 50 megahertz, 56 megahertz of continuous bandwidth, it's pretty sweet, and I've been having adventures with it around the Bay Area that I'll tell you about in a little bit. The point is you can hook it up to your computer and run the radio, and it has a GUI front end where you can describe the flow graph that would do modulation and demodulation in the graphic environment.
[00:29:32] This here is a demodulator for AM, you can see that the USRP starts with the left hand side, you have an FFT so you can see graphically what your signal looks like, an AM demodulator, and it goes out to your sound card, so it's simple. Here if you run a waterfall over 8 megahertz, this is part of the 2G GSM band, and you can see the channels and the traffic channels there. Then this is a pretty cool example of what you can do with this. This is actually 56 megahertz, so what you're looking at in the middle are two wifi channels plus extra space on the side, so you could decode two wifi channels. Over the years computers have become faster and smaller, so it's cool how fast it's come to enable you to suck up bandwidth. This is another example, another program, sorry, let me go back. There we go, so I was talking about pagers back in Sydney, this is an example of pagers in the states, uses FLEX, this is the FLEX version of the paging system, and this is running in a program called Baudline, you can zoom right in there.
[00:31:06] I don't know if you can see, but the line where the cursor is, that's a single frequency that pager transmissions are sent on, and you know how we saw the two levels of the pager I showed you in Sydney, this has four levels, and you can zoom down, and if you don't know the properties of the signal you can use this analysis to figure out at a basic level what modulation they're using, this is four level FSK. I'm sure you're aware of smart meters and how they have a mesh network in the megahertz ISM band, you can see how quickly and short the bursts are coming from the meters, but you can use Baudline to zoom in on that, and you might not be able to tell what they are because the bursts are so short, but if you zoom in you can see a phase shift keyed one, the blurry one, on the left, and to the right of that there are narrow ones, and although they're weak and only appear for a short period of time you can still have a look and identify that they're two level frequency shift keyed transmissions as well. Let's say you wanted to discover patterns or repeating components to a signal that otherwise looks like noise, like, for example, anything CDMA.
[00:32:22] The examples here are that we would be listening to the GPS constellation or CDMA from the mobile phone network, for example. There is a sink called the fast autocorrelation sink, and what it does is trickery to determine whether FFTs are repeating in a signal. With CDMA you have signals that are sharing frequency space, divided by what code they use. Here there is a distinct line that appears on the 10 millisecond grid line, and it's mostly black, but there is a green line that appears up there, and that is the 10 millisecond repeating common pilot channel, and you can take a signal that you don't know about and put it in here and, oh, it must be CDMA. If you look at the constellation, it's all noise, there is no apparent signal like we saw before with the pager, for instance, because the signal is coming from the constellation, which is very, very far away and the signal is weak, however, there is CDMA in there and there is a repeating pattern there as well, and it's able to draw out the 1 millisecond repeating code in the GPS signal.
[00:33:52] So some pretty powerful tools that you can download and start using for free. TETRA is another land mobile radio digital standard, and it has a characteristic repeating pattern at 14 milliseconds on an idle channel. The cool thing is you can take it out and about, I've put this in a used Bosch case of an electronic drill because I didn't have a case, and these are my amateur friends back in Sydney, we set up a long wire and tried to listen to the world, and you can pretty much capture the entire radio band, which is what you're looking at there. It's not quiet, but if you wanted to use this you can capture it and more, and you can demodulate hams or weather fax transmissions or clandestine military codes and so on. These are hams chatting in an allocated channel, and you can have Morse Code and all sorts of interesting things, and if you don't like that, you can... the video was supposed to start playing there.
[00:35:17] This is Sutro Tower in San Francisco, and RDS is a popular carrier, and that's the base spectrum that you get, and you have the decoder printing out all the information including traffic, the state of traffic on the highways there, which is something that I'm very interested in, and there you can see the demodulated FM, so on the left hand side you have the mono audio, the backward compatible with nonstereo receivers, which is 19 kilohertz, and then you can create the left and right channels and listen to the stereo audio, and you can see the subcarrier which encodes this information. Now it peeves me that the location codes are not given to you, and if you buy a car, that location system comes with it, and I have been looking into one way of finding out this information, if you have any ideas, please, come and find me afterward. But if you want to do the reverse, if you want to make your own FM radio station and transmit your own information, you can do that. I had my little iPod Nano with the FM radio in it that decodes, and it's printing out a string that was preprinted out.
[00:37:04] I can't remember who, I'm sorry to say, but there was somebody that tested RDS injection into a navigation display in a car, and it was saying there was a terrorist threat of frogs falling from the sky or something. (Laughter.) But if you like scanning around you can do that, too, I have a list of frequencies down the bottom, it steps through each one, there is a squelch block that monitors the channel, and as soon as it goes quiet it goes to the next channel, but the beauty of Software Defined Radio is you don't have to look at a channel, one single one at a time, there is a list I created that you can give it a spin and it will indicate the channels that have become active, and you have one sound card so the green one becomes the active one and the black ones are simultaneously active, so this is voice, but you might be listening to data codes and want to decode them all, or if you're listening to one trunked channel you can record all of them. SDR is cool because there is an Open Source project to set up your own base station.
[00:38:22] I've done it once before, I set it up using this and I had my phone here and people can text me, but I thought it might be distracting, plus late last night I was trying to find a "free" channel and the spectrum is so unbelievably crowded that I gave up. (Laughter.) It's cool because it comes with a soft switch, for example, I log on with my mobile phone and I can dial the outside world, and I allocated a number with our main office switch and I'm able to receive calls, and it goes through using SIP over the network. So it had a big, popular debut at Burning Man, and there was a bit of computation to be done, so they put the laptop on an ice pack. (Laughter.) Another cool thing you can do is there are blocks for decoding OFDM version wifi, so I put it up, I set the gain and the frequency, and I made it so it will pass it through to Wireshark, and you can see the frames coming from the AP, so this is just as if you had a dedicated wireless card running in monitor mode, except that it's being done through an SDR, and in that picture in picture there, another laptop is connecting to the network and you can see the association frame coming through and data frames coming through there, you can see the colored ones.
[00:39:55] Then actually last week a colleague of mine thought he would bring in his fancy antenna and we would receive pictures sent down from weather satellites, so they orbit the earth and then take photos and send them down, and you have to track them manually, but the B200, this guy is hanging out by the USB cable, and you get these pictures. You see the interference there, because doing the tracking manually you can't see it, so we were guesstimating where it would be and I guess we missed a spot! (Laughter.) But it's cool, this is the west coast up here, in fact United States, and this is a big cloud formation, these pictures are taken with different sensors and you can combine them into these false images, to get an idea of what's happening, this is sea temperature and there is a thermal one, and they happen all the time, and you can get a program to tell you when the next pass will be and decode that.
[00:40:50] Another one, if you're looking for positional stuff on the water, most large or medium size marine vessels contain their own version of transponders, so I went to the Bay in San Francisco and the boat came around and there were three boats with that large cargo ship, and they're all, you know, sending out their information, and I guess the thing to bear in mind during all of this is it's all unencrypted, it's a shared resource, anybody can do anything with it. It's only our legal system with jurisdiction that dictates, apparently, how we're supposed to transmit or not within those frequencies, so security is obviously a very, very big point that hasn't been addressed in a lot of these systems. So radio astronomy, tracking people with their mobile phones through shopping malls and so on. Let's come back to aviation, there is radar turning, Moffett Air Force Base in the Bay Area, and every time it points toward the camera there is a massive spike because it's directly in line with the pulse that is coming out. On the left hand side you can see the other spikes coming out. It reflects off large buildings, so the radar signal is hitting those buildings and hitting back into the radio.
[00:42:24] The other thing is I couldn't figure out why I was seeing two peaks here, this is showing the time in between the initial bang that is sent out, the initial pulse that is sent out by the radar, and this is called the pulse repetition frequency, and I couldn't figure out why there were two, usually there is only one. Before I had an SDR that went up this high, who knows the ubiquitous 4C, to 11K wifi cards, yeah? It's got in the chipset a radar detection capability, so I was using that to characterize the weather radar nearby, but here there were two, and I did a little bit of research, and these radars, apart from monitoring aircraft, can be made to monitor weather, and in this mode there were papers written about how they can be used to monitor reflectivity and moisture in the air. That was kinda cool. On the waterfall display this is what Mode S transponders look like. You can see the wave, the payload and the FM, and what does that look like? All those dots represent a frame, and if you run it realtime you would see that. The amplitudes are different all the time because you're seeing different planes that are different distances away from your receiver. Once you've done the decoding, what's next?
[00:43:57] This is a project I've been working on now and then, who has seen "Sneakers"? Thought so. One of my favorite bits in the film, I'm not going to do an American accent, but the diagnostics, what's in the black box, and you can see on the screen a simple picture of the Bay Area with air traffic control and planes, and I put together my own system that does it, that's San Francisco airport right there, and I left it running and these are the planes that fly in and out of the area, San Francisco, San Jose and Oakland, so they leave trails behind and you can see the flight paths. This is the rainbow effect, this is a bad transponder on an aircraft that is transmitting false information, and you can see how SFO is actually right in the center there, and the color code indicates altitude, so the yellow is just before it's about to land. This is the airport there with the various runways, obviously we all know there was a bit of an accident down there recently. I went up on top of a car park nearby, this is the runway and I had the 800 receiving, and you can see the parallel approaches, and this is about to turn red once the wheels hit the tarmac, and they will scoot across the screen as they taxi into the terminal.
[00:45:35] So landings are cool, take offs are kinda cool, too. Especially if you're just sitting there, you can see the planes at the holding point waiting to take off. I think this is a Virgin flight. There it goes. Again, it's kinda neat, we have the GPS, watching the velocities increase, and eventually when the nose wheel lifts up, it turns green and off it goes into the sky. Wouldn't it be cool if you could do it in 3D as well? That's the same plane now streaming in Google Earth through the internet. (Laughter.) You can see planes in the background landing at Oakland there. That's the Bay Area there. Wouldn't it also be cool if you could actually have a virtual cockpit mode so that you can be in the seat of the pilot, imagine what it would be like taking off into the sky! (Laughter.) (Applause.) So this is actually running permanently on my web site for Sydney, Australia, and I've just set this up recently for the Bay Area as well. So if you would like to sort of help out with this project I would love to hear from you.
[00:47:03] This was actually when I had one of these tucked away in the seat pocket in front of me without an antenna, and I was receiving the transponder from 10 meters below my butt, and it's a bit of a hard landing, but it's kinda cool, because as you taxi in you can see the burnt out fuselage of planes. I don't know what Google Earth tried to do there! (Laughter.) You know how it does the terrain exaggeration, they must have automatic mechanisms to determine terrain elevation, but it's weird when you're flying through like that. If you do it in Google Earth, you get the same effect, here the trails don't persist so it doesn't get as crowded, but you can kinda get a sense when there is a lot of traffic, and you can see how it didn't come in on the direct path there, around the ocean it does loops, see that loop there, that's when ATC is backed up and I'm guessing they're asking the planes to hold for a single loop to give them breathing room before they vector them in. So what's this one? Oh, yeah, this is when the police came out! (Laughter.) Hello there. Are you really watching airplanes? BALINT SEEBER: I am. Do you have ID on you? BALINT SEEBER: Die.
[00:48:30] Is it for school or something? (Laughter.) BALINT SEEBER: It wasn't quite for school, but she was very nice about it. That's not the first time that I've had encounters with the cops, but usually they're pretty good. So the software runs in a couple of different stages, this is the desktop application that does the tracking, you have the decoding and then do the tracking. This is the main runway at Sydney, you can see the trails and the planes left behind, I have to thank my dear friend, Matt Robert, he has worked on OP25 and I was using his USRP1 remotely, and we would go up to the park and test it out there because the airport was within visible distance. We went up a couple more times, progressively taking more equipment, and we were excited because that gray plane there isn't actually a plane, it's a vehicle equipped with a transponder, it's on a perimeter road, and now they're all equipped and you can see all the vehicles moving around, and I need to change the icon to something more like a car, but we were happy that evening, we had quite a bit of equipment up there as well.
[00:49:45] But you see interesting things, that was the Queen when she came to visit, the call sign is RGL1, Regal 1, and I was in San Francisco and I saw that, I don't know what that was about. And this is when I, without permission, moved my equipment to the roof of the apartment block and had everything stuffed in this box, I had gigabit ethernet in a box sprayed the same color as the building. (Laughter.) And you can extract information about the distribution of the strengths of the packets coming in, and you build up these graphs to tell you how well your decoder is doing, this is a graph of signal strength versus distance, and you can see the way that it drops off. This is altitude versus distance, because I live close to the airport they all come to a single point in the bottom left, but you can see out to the right where the planes will descend to. And you can see them coming out on the right hand side there, but on the other axis. This one is Sydney, now, Australia has a greater roll out of ADS-B.
[00:51:05] In addition to listening to their messages, see how the balloons are popping out, these are ACARS messages, and there is another rainbow effect, but the text messages can be between the cockpit, air traffic control, messages back to Rolls-Royce, I saw once a rowdy person had been on the plane and they asked for an escort, and most of it is clear text. AUDIENCE MEMBER: (Away from mic.) BALINT SEEBER: Generally no. Once again this is looking down at Sydney airport, and you can see when a message is sent it deposits a little marker behind, and most of the messages occur at the airport, it's the way that diagnostic systems work, and I've mentioned that already. I listened to the two primary frequencies back home and I'm set that up here as well, but this is how the message is printed out, so the frequency, the content, the flight ID and registration, and so on. What does it sound like, that's an ACARS message, there.
(Hissing noise) And this is decoding the main channels in the Bay Area, and that can be fed into the main system to put spatially on the map where the aircraft was when it transmitted that information, so it's an interesting sort of diagnostic tool for airplane operations I guess, or if you like to be a plane spotter. So you can see a whole bunch of engineering messages, which have the H1 label, were delivered as it was coming in to land or passing through the airport. This is sped up; you see a big blue dot, and I'll explain that, but you can see the dots appearing as they take off, which is when the plane sends out a lot of information as it ascends into the sky. So here are examples; this is a running joke. I see, probably just because I'm hypersensitive to it now, I see ACARS messages regarding blocked toilets on aircraft. So here we have one toilet that's inoperative, and I'm guessing LAV hard means it's failed, and because I see them all the time I thought I would make an Easter egg in Google Earth. (Laughter.) Unfortunately I think the waypoint that's been highlighted there is Prawn. Now they send out flight paths over ACARS using waypoints, and actually it will draw in the flight paths that the planes should fly through.
I'm only receiving a small portion, but you would expect the plane to fly through to Asia and Perth, and also there are nice things: I don't know why these planes appear in Google Earth as models, maybe Qantas is paying Google Earth, I don't know. You saw I put all that stuff up on the roof without asking, and there was a message that several tradespeople installed things on the roof, and it was just little old me, which is kind of a tin can thing, and they made a big fuss about it. But two nights before I left for the States I said "stuff them", I put everything in a box; this was the night before I was supposed to get on the plane, installing it. This is as I was taking off in the plane, I took a photo of the site, and with a little Realtek dongle over here, I didn't have internet so I didn't have maps and so forth, but it was cool to pick up where the plane was. That's more recently in LA; you can get good range when you're nice and high, and this is more recently when I'm setting up new antennas.
Instead of Mode S you can use HF, and we were able to receive HF transmissions, which work on a slightly different system, extending all the way, as you can see there, into China and India, so with HF you have far greater propagation, so the range is incredible. So that's more or less aviation. Remember it's all unencrypted, so you can spoof, jam, all that kind of stuff, and I will talk more about that later.
AUDIENCE MEMBER: (Away from mic.)
BALINT SEEBER: I haven't looked into this.
AUDIENCE MEMBER: (Away from mic.)
BALINT SEEBER: The question was there is another part of this called TIS-B, that is broadcast over the same mechanism and that's used to augment information that pilots can see, but it's a "next step" in the protocol and isn't widespread, but various sites are bringing it online, but I haven't looked at that myself.
AUDIENCE MEMBER: (Away from mic.)
BALINT SEEBER: I haven't done that, but that's actually good for potentially doing multilateration, in the absence of Mode S and maybe ADS-B.
Moving on, this is a blind spot here, and you have no idea what you're doing, and I was looking at satellites, going to a friend's place and hooking my USRP up to his set top box connected to a satellite, and there were two things to consider. You've got the purpose and the payload, so we can have comms, amateur radio satellites, and the intelligent ones and the dumb ones. The intelligent ones you communicate with from the ground and instruct them to do things, or there are the dumb ones that relay information, and it's like a big RF megaphone, so you send up your million TV channels and it beams them back down to the ground so everyone with satellite TV can watch without having cable run. The satellite is just like that; it operates in these ranges and it's used for television with other interesting things, and I thought, well, let's have a look at what's going on there.
These are the publicly available frequencies, how the transponders are broken up, the uplink power control frequencies, and this is a constant power signal that comes down to inform the ground of how much power it should send back up, depending on the amount of moisture in the atmosphere, cloud cover and so on; they have to change the amount of power on the ground so that the signal ends up hitting the satellite, and that has security implications, too. This is the earth station where they send the signals up. If you look on the map it contains the TV, media agencies; if you look at the photo they took inside you can, with a bit of research, remember that modem I showed you at the beginning, that rack is full of them, so you can look at the manual. They have various other sort of more or less well known antenna satellite control systems, so what do you need to decode these signals? You need a satellite, a dish, you need a set top box, some sort of down converter and an SDR. If you're going to look at narrow band stuff you have to get a down converter that has high stability.
Usually the ones for satellite TV are cheap because they can drift, but that's okay because the TV signals are broadband, and it's not the case with narrow band stuff. If you do a search for the satellite, the manufacturer of the transponder lists them and you can look up what kind of modulation would be used. This is telemetry analysis coming down, and this is actually zooming into the telemetry signals and you can do visualization. I didn't look much further from this, but who can tell me what these shapes indicate?
AUDIENCE MEMBER: Counters.
BALINT SEEBER: Exactly. You can see something going on there and that might be a starting point, and there are other narrow band streams coming down, and you pick one and lock on to it and try and decode it. The problem is, because you're going in blind, when you initially send out the signal you have to specify these parameters, so if you are differentially encoding them, doing error correction, you don't have any idea. So doing it in reverse you have to go through all the permutations, and it can make your head explode.
So if you don't know, basically you try the most common ones, try and automate and script it, and the idea is that you can sort of use some hints along the way to determine how successful you're being. So most satellite signals are phase shift keyed, which means instead of changing the frequency they change the phase for each 1 and 0 that's sent through, each symbol, technically, and you need to determine the order being used, and the symbol rate, how quickly they're sending the data through. And I saw these transmissions and I thought I would pick one of those, and you can multiply or raise the signal itself to a power, raise it to the fourth power, and as soon as you get the peaks, it's indicative of the fact that you've hit the right order of modulation, so this was order 4. So we have QPSK, which means in each symbol transmitted through there are two binary bits. Also we need to find out how quickly they're being sent through, and you can do this using what's called stationary analysis, and you multiply the signal by a lagged version of itself, and that will reveal components, and it turns out to be 9600 baud.
And it's error corrected, and without figuring out what the convolutional decoders are you're going to be left with noise, so the idea is you go through all of them until you find the error rate from the decoder drops to 0. So if it's designed to decode convolutional codes, there is a metric count that it keeps inside, and when you hit the parameters that will drop to 0 or close to, and that's the hint that you've been able to identify the parameters. So you can see here, that drops to 0, which means I've got the right code. This is a flow graph that emulates that process. Going through the permutations, it's cool because it's Open Source and you can extend it any way you wish, and instead of me trying all the buttons out I made a model that would go through each permutation and find where it was locked, and I could proceed with the next stage. So you have 1's and 0's again; it looks like there is structure in there, or not, but it looks like it's probably been scrambled, which is a common thing to do to sort of whiten the data in case there are any repeating patterns, to keep it as pseudorandom as you can on an RF link.
I found a couple of popular ones, and it turns out it's still not quite right, so it's probably differentially encoded, and if you decode it you can see repeating patterns and headers and payloads. So now you have that structure and you can go through and search for the repeating patterns, and I discovered this pattern that would be established, and the preamble would indicate what looked like packets, and it turned out to be ancient character oriented packet assembly. So you have synchronization, CRC at the end, and a number of fixed length messages within these packets coming down from this satellite, and each contains an ID, and I wrote a parser for that, and I plotted the pattern between each successive transmission and what it looks like: header, you have varying codes, and basically they, and I thought, hmmm, what could that be? Well I have no idea, but if you graph them they look pretty!
(Laughter.)
So I thought they're probably some sort of measurement, maybe that's proceeding in time; if you plot XY they might move around like this, they might be telemetry being uploaded. I am sad that I wasn't able to record more data because I only recorded 2 minutes' worth, but if you record it for a week or a month you could graph this and see how it would change related to the time of day, and if it's human activity or a phenomenon. This is a downlink, and I think people are using a part of a shared satellite spectrum there. This is one I could not figure out; you see a hump there, there might be a modulated signal there, I was running all sorts of tricks, nothing came out of it, and in the end I found the satellite frequency allocation for a U.S. satellite, and it turns out they put white noise channels through the satellites to do presumably RF measurement and testing, so there is nothing encoded there, it's purely white noise.
(Laughter.)
AUDIENCE MEMBER: (Away from mic.)
BALINT SEEBER: Well, if it was a one-time pad then it would be digital, so there would be a digital artifact there. But this was well and truly, as far as I could tell anyway, white.
Back coming down to earth again, signals to earth, it's well documented and you can run an analysis that runs at 2400 baud, which is indicative of the baud rate again, and if you run the correlation it matches exactly with the detected frame lengths, and if you have a blind signal and you have a database you can look at them and ID them, and if you create the radio you can see the 8 points coming out on the constellation there that encode the data. DRM is a cool digital mode for HF that sends near CD quality audio over HF, and you can get incredible distances and have nice digital audio coming out on the other side. It's OFDM; this is code that I put together from a paper and you can obviously create pretty plots, but looking at the peaks will tell you information about the OFDM parameters, so symbol duration and so on.
Then what's kinda cool is that it matches up with the class B encoding in DRM, because there are different classes, A through E I think, that are used for protection classes depending on how far you want to send a signal or how good you want the quality of your audio to be, so it's a good way of figuring things out. Instead of writing that code though, I realized I could write a simple flow graph and run the autocorrelation; you see a peak coming out there, change the lag amount, remember there is a lag, you set that as the lag and you see these additional peaks coming out of the additional FFT, and that matches up with the exact values that we got through the other way of doing it. That's the sort of simple techniques you can use with Open Source software to figure out what an unknown signal is. Let's talk about FasTrak. I told you what it was already, during the pre-introduction. But the interesting point is these tags do not actively transmit back. What happens is the toll reader will transmit an interrogation and it will keep a carrier, basically an unmodulated carrier, hitting the FasTrak tag, and the microcontroller will change the load on the internal antenna.
What that means is that the internal antenna will take a little bit of that energy; then when it modulates a 1, say, and then a 0, it won't actually absorb that energy and it will be reflected back to the original tag reader. So it's kinda weird that you have the situation where you might have these antennas, pointed down, and these are both transmitting and receiving at the same frequency at the same time. I had not actually played around with this before, but it's neat and it makes some things easier because you're using the single signal; you don't have to worry about transmitting back, it takes more power from the FasTrak tag because these contain lithium batteries, and you don't have to worry about synchronization because you don't have two different clocks that are running in different clock domains. So apart from the antennas at the toll reading booth there are antennas that sit on the highway that give useful traffic information, and I thought, well, I will go along and see what I pick up. So that's the antenna, and that is the spectrum coming out on the laptop, and that is the pulse coming from the system, so I recorded that and had a look at it.
This is actually on the side of the Golden Gate Bridge, on the toll booths, and I realized that I parked in, like, the authority's reserved parking spot, but I was very quick! So I nestled myself in this bus stop and was pointing at the toll to see what I could find. This is the trick, this is the really cool key that makes it all happen. It's this device here that I managed to find on eBay, and this will circulate around to a port, and the transmit energy from the interrogation transmitter would go to 1, then 2, and go out the antenna. Anything coming back up from the antenna will come in and exit 3 and go to the receive side of your radio. Anything coming from the receive side doesn't matter because it won't be transmitting, but this is my test set up there; you have the circulator connected there and the tag leaning up against the cup. This is the interrogation signal, and looking at what's coming back in from the antenna.
Circulators aren't perfect, if you don't have a matched antenna, for example, but here on the left hand side there are lines jumping up and down; this is the payload identifying with an ID who the interrogator is, and sure enough it uses the exact same modulation, pulse modulation, and then you have a slightly wavy line emanating out, imagine that was flat. This is the constant carrier that should be backscatter modulated by the tag. You can see if I flip between the lines there is additional activity, weak but definitely something there, and then my toll tag has come up. So that's the response. If you use the good ol' Wayback Machine you can find the department of transport's machine, and this is the preamble, and when it detects a peak in the filter, meaning that a backscatter modulated response is being sent by the tag, it activates here, and once again we were talking about slicing the signal, we're slicing the top. 1 is at the top, 0 at the bottom, and binary out, and we have a payload that we can check for validity, and then, completely unencrypted, you have the tag ID. And the flow graph is relatively simple.
(Laughter.)
BALINT SEEBER: Okay, I hid all the gruesome stuff, but, you know, I like big flow graphs. You can do them hierarchical as well, and I get crap all the time that I should be using it, but I never do. I recommend the Black Hat talk that was given by Nate Lawson; I used quite a bit of that talk as an inspiration. Okay, let's cover direction finding quickly. Up to now we have been talking about the contents of signals, trying to figure out what's inside. This is more about where they're coming from, which can be used as a bit of a key as to what's going on or where somebody is. It was originally radio navigation, radar; it can be emergency, intelligence, trying to find someone that might be lost, and it was used in World War I, World War II, along the British coastline; they were trying to find U-boats, and apart from sort of VHF and UHF signals you could have incredibly large arrays like the ones here in Germany. Those are cars that are parked in the parking lot at the bottom of the image, so that is a huge installation, and this is used to pinpoint transmissions from all over the globe that are transmitted on HF or long wave around the globe.
Now you have the fox hunt, where the transmitters are hidden in the forest and they have to try and find it. It's a highly directional antenna, so you can pinpoint where the signal is coming from, and that's a crazy, serious German ham! (Laughter.) The first thing I played around with was pseudo-Doppler direction finding, and the idea is you use the Doppler effect to cause a shift in the radio wave, and then exploit that to figure out where the signal is actually coming from. So I'm showing the Doppler effect. As you move an object this changes the waves. What you can do is have, and you can see my highly technical and refined wave passing through the center of the circle. The vertical line there on the circumference is the antenna. So the idea is you rotate the antenna through the wave, thereby compressing it in frequency, and as you come out the other way, through D back to A, it's moving in the opposite direction and you expand the wave, and you end up with a Doppler shift, and that will change the frequency slightly of your signal. The cool thing about it is FM, frequency modulation, relies on this fact. It will change your carrier wave in frequency, depending upon the signal.
So what you're doing is adding an extra tone, adding a bit of modulation. So this works well with ham signals, and it means that you can use any old FM radio or SDR to do determination of a direction. So the problem is that once you take everything into account, here we have the signal transduction, you would have to do it at a fast rate that would be physically impossible. (Laughter.) So what do you do instead? Electronically you have a fixed array that doesn't move, but you switch in between them electronically using an antenna switch. What it means is instead of having continuous motion you do those discrete steps and end up with the same response, and you can filter that a little bit to end up with the motion. This is your classic homemade RDF. It's a box you would hook up to an FM receiver, and the LEDs would indicate the direction the transmission was coming from, and this is the internal component or system diagram.
The stuff in green is all clocked together, which means that it's synchronous, and it means that certain frequencies are introduced into this signal and you need to focus in on the one to figure out the direction. This is the circuit diagram for reference, and you're going to look maybe a little bit weird driving around with all of this stuff hanging out of your roof, but hey, that's exactly what I did! (Laughter.) I got an SDR, and I used mapping software, and I got the Dopplermobile happening, so I made an antenna there. If you recall this diagram, all that is done in software, and all that is what remains after doing all this in software. So this is what you use to transport windows with; I cut out the tin, put elements on top, put it into an antenna switch that I got as a free sample from an RF company, and ran it through so the clock that was controlling the SDR was controlling the antenna switch, and the beauty about that is the frequency that you get out that reaches the computer is synced to the rate at which the antennas are rotating, so you can narrow in on one that is guaranteed to be the signal of interest, the Doppler tone that you can determine the phase from to determine direction.
1139 01:19:48,751 --> 01:19:53,250 This is the receiver, I had two laptops in the car, one doing the tracking, 1140 01:19:53,250 --> 01:19:57,834 one doing the mapping, flow graph, I won't go into details but you've got 1141 01:19:57,834 --> 01:20:01,375 the source coming in, you generate your reference sine wave 1142 01:20:01,375 --> 01:20:05,584 and the Doppler tone you extract from your incoming RF and the trick 1143 01:20:05,584 --> 01:20:09,334 is that you compare the phase between your reference sine wave 1144 01:20:09,334 --> 01:20:12,999 and the sine wave that comes in from the Doppler signal and 1145 01:20:12,999 --> 01:20:15,999 the difference between those phases will give you 1146 01:20:15,999 --> 01:20:19,250 the direction of your signal, that's the trick so it's 1147 01:20:19,250 --> 01:20:22,999 a phase comparison with a known reference. 1148 01:20:22,999 --> 01:20:26,083 So if you look at the FFT of your incoming signal you see how 1149 01:20:26,083 --> 01:20:28,375 you have the peak there? 1150 01:20:28,375 --> 01:20:29,667 That's the Doppler tone. 1151 01:20:29,999 --> 01:20:33,125 So you take a reference, which might be the blue one and 1152 01:20:33,125 --> 01:20:35,999 the green one is the Doppler tone that you've been 1153 01:20:35,999 --> 01:20:39,876 able to filter out and determine the phase there and that literally 1154 01:20:39,876 --> 01:20:43,250 is your direction of arrival of your signal. 1155 01:20:43,834 --> 01:20:48,999 So I thought we would test it, we picked a big tower, drive around, 1156 01:20:48,999 --> 01:20:53,167 X marks the spot for reference and every time I drive 1157 01:20:53,167 --> 01:20:56,250 around and stop and take a measurement, 1158 01:20:56,250 --> 01:21:01,751 after a while it ends up roughly matching up on the red. 1159 01:21:01,751 --> 01:21:04,083 The thing is you have to be careful because RF 1160 01:21:04,083 --> 01:21:07,417 is black magic through and through. 
1161 01:21:07,542 --> 01:21:10,876 The area highlighted in green was actually when I was 1162 01:21:10,876 --> 01:21:14,542 coming down from a hill into sort of a lower portion 1163 01:21:14,542 --> 01:21:17,999 before another hill and the RF waves would bounce 1164 01:21:17,999 --> 01:21:22,542 off the back of the hill behind me and creep up sneakily on top 1165 01:21:22,542 --> 01:21:26,999 of my array on top of the car so the direction was behind me, 1166 01:21:26,999 --> 01:21:31,999 because that's where the main wave front was coming from. 1167 01:21:31,999 --> 01:21:34,584 As soon as I came over the next hill, I ended up having 1168 01:21:34,584 --> 01:21:37,999 the direction coming from directly in front of me which was 1169 01:21:37,999 --> 01:21:40,999 the correct one because there were no obstructions so 1170 01:21:40,999 --> 01:21:43,834 reflections are important to deal with and to filter 1171 01:21:43,834 --> 01:21:46,250 out from your measurements. 1172 01:21:46,667 --> 01:21:50,209 So I repeated it again, this time in Mountain View, 1173 01:21:50,209 --> 01:21:53,626 that's where work formerly was and you may know 1174 01:21:53,626 --> 01:21:57,999 of a big company based there and they have cars with all sorts 1175 01:21:57,999 --> 01:22:01,999 of stuff attached to their roof so I thought I would pay 1176 01:22:01,999 --> 01:22:05,375 them a visit with a car with stuff attached 1177 01:22:05,375 --> 01:22:09,999 to its roof (Laughter.) So I went through a drive down Shoreline, 1178 01:22:09,999 --> 01:22:13,792 through Google trying to pinpoint this particular 1179 01:22:13,792 --> 01:22:15,999 radio transmission. 1180 01:22:16,083 --> 01:22:18,167 That's the Doppler approach. 1181 01:22:18,167 --> 01:22:20,542 It has drawbacks, it's okay. 
1182 01:22:21,083 --> 01:22:24,999 But you can use the four antennas again and 1183 01:22:24,999 --> 01:22:30,918 instead of doing this phase comparison you can get down and dirty 1184 01:22:30,918 --> 01:22:35,083 with math and one of the popular algorithms, 1185 01:22:35,083 --> 01:22:41,209 and you use a model and you have an array manifold which models your 1186 01:22:41,209 --> 01:22:47,375 antenna set up and the peaks will give you the direction of arrival, 1187 01:22:47,375 --> 01:22:52,417 so you can imagine those points there on the X axis, and 1188 01:22:52,417 --> 01:22:57,709 as your wave front comes in they will all hit each antenna 1189 01:22:57,709 --> 01:23:03,542 at a slightly different point in time, and then you can determine 1190 01:23:03,542 --> 01:23:07,125 the phase difference between the signals, 1191 01:23:07,125 --> 01:23:11,999 and you can durf I didn't say durf, did I? 1192 01:23:12,626 --> 01:23:13,999 (Laughing). 1193 01:23:14,584 --> 01:23:18,792 Maybe I've been talking too long, you can determine what? 1194 01:23:20,250 --> 01:23:21,999 This is pretty good! 1195 01:23:21,999 --> 01:23:23,167 (Laughter.) Thanks. 1196 01:23:23,167 --> 01:23:28,999 (Laughter.) BALINT SEEBER: You're welcome. 1197 01:23:29,083 --> 01:23:32,876 So this is finding that array response. 
1198 01:23:33,083 --> 01:23:36,709 Here I think I had just four antennas in a row, you tell 1199 01:23:36,709 --> 01:23:41,999 the model that you have four antennas in a row, you express it as a matrix 1200 01:23:41,999 --> 01:23:45,751 and it will go through 360 degrees and simulate what 1201 01:23:45,751 --> 01:23:48,918 the array response would be and when you get 1202 01:23:48,918 --> 01:23:51,999 the incoming signal you run that through each 1203 01:23:51,999 --> 01:23:57,083 of the particular degrees and that goes from 0 to 360 across the bottom 1204 01:23:57,083 --> 01:24:01,125 and you have the peak that matches the array response and 1205 01:24:01,125 --> 01:24:04,125 the advantage is you get higher resolution 1206 01:24:04,125 --> 01:24:08,501 but you need as many radios as antennas now. 1207 01:24:10,667 --> 01:24:14,918 This is sort of a higher end SDR that research has 1208 01:24:14,918 --> 01:24:18,999 that is called a quad radio but I had fun with it, 1209 01:24:18,999 --> 01:24:24,542 you get those missile launchers, and the idea is it acquires you 1210 01:24:24,542 --> 01:24:32,083 and locks on so if you look closely, I move the radio around it will track it. 1211 01:24:37,334 --> 01:24:39,334 (Laughter.) Wait for it! 1212 01:24:45,626 --> 01:24:46,417 I said "fire!" 1213 01:24:46,417 --> 01:24:50,417 But there was no audio, maybe it was turned down. 1214 01:24:50,417 --> 01:24:53,667 I said "fire" and when it detects that it shoots you! 1215 01:24:55,083 --> 01:24:59,083 (Laughter.) So I set it up there again. 1216 01:24:59,209 --> 01:25:03,083 This is not the cheapest SDR but I checked in the boot 1217 01:25:03,083 --> 01:25:07,375 with a big SLA battery to keep it powered while I was driving 1218 01:25:07,375 --> 01:25:11,250 around so here just to Testing BALINT SEEBER: You 1219 01:25:11,250 --> 01:25:16,999 can see as I walk around the car the compass tracking my movement. 1220 01:25:17,125 --> 01:25:19,876 Testing, testing. 
1221 01:25:19,999 --> 01:25:24,999 BALINT SEEBER: So if I go for a little drive here, 1222 01:25:24,999 --> 01:25:31,999 then once again I have repeated that route through Google's campus 1223 01:25:31,999 --> 01:25:39,999 but I picked some other frequency and I guess it's keeping good track of it, 1224 01:25:39,999 --> 01:25:46,999 except for the down below, but it will reflect that just as it would 1225 01:25:46,999 --> 01:25:52,501 from the primary direction and this is the radio and 1226 01:25:52,501 --> 01:25:57,542 if you have another set up you might connect two 1227 01:25:57,542 --> 01:26:01,918 of these together with a single reference 1228 01:26:01,918 --> 01:26:07,167 and you can create the same sort of thing. 1229 01:26:07,626 --> 01:26:12,209 All right, if you're going to be driving around like this, have 1230 01:26:12,209 --> 01:26:17,209 an amateur radio license, I had antenna structural redundancy 1231 01:26:17,209 --> 01:26:22,167 that I had a string, I can't drive more than 40 miles an hour 1232 01:26:22,167 --> 01:26:27,083 because I get serious vibrations and it's scary. 1233 01:26:27,334 --> 01:26:29,999 It's good to be clean shaven, I guess! 1234 01:26:30,417 --> 01:26:35,375 And if you have any radios that are used by the police like the Motorola, 1235 01:26:35,375 --> 01:26:38,999 it's good to hide them because unfortunately or some 1236 01:26:38,999 --> 01:26:43,125 of them don't know they can be used as legitimate ham radios so 1237 01:26:43,125 --> 01:26:48,209 they get suspicious when they see what are you listening to? 1238 01:26:48,209 --> 01:26:49,209 The cops? 1239 01:26:49,667 --> 01:26:50,667 What's going on? 1240 01:26:50,667 --> 01:26:55,083 And because I had the wires coming in through the window I couldn't open 1241 01:26:55,083 --> 01:26:59,584 the door so you have to turn around and disconnect the wires 1242 01:26:59,584 --> 01:27:02,751 in the back, take it from me! 1243 01:27:03,209 --> 01:27:06,125 (Laughter.) 
So more security stuff. 1244 01:27:06,125 --> 01:27:09,167 Do not try this wherever you are. 1245 01:27:09,167 --> 01:27:12,834 So pagers, like a doctor, I will read the first bit, and then you can read 1246 01:27:12,834 --> 01:27:14,501 the next bit. 1247 01:27:16,375 --> 01:27:19,709 Is your arch nemesis in the hospital? 1248 01:27:19,709 --> 01:27:23,167 "(Laughter.)" Need to distract security? 1249 01:27:23,167 --> 01:27:27,792 "All these were sent out I can't quite remember now 1250 01:27:27,792 --> 01:27:33,959 but it had to do with rotation of guards or shift changes. 1251 01:27:33,999 --> 01:27:39,584 So in Mode S" Do you want to reach cruising altitude quicker? 1252 01:27:39,584 --> 01:27:45,999 "(Laughter.) So as I said, all these things, they're all unencrypted, 1253 01:27:45,999 --> 01:27:50,834 it's illegal to transmit but the protocols are there, 1254 01:27:50,834 --> 01:27:56,334 and you can implement it with these sorts of tools." 1255 01:27:56,334 --> 01:28:01,292 Do you think the pilot made the wrong choice in deciding to land? 1256 01:28:01,292 --> 01:28:05,667 "(Laughter.)" Did you want to display a message 1257 01:28:05,667 --> 01:28:08,083 on everyone's radar screen? 1258 01:28:08,083 --> 01:28:11,876 "You know there is ASCII art. 1259 01:28:11,876 --> 01:28:12,667 If you send out enough transponders 1260 01:28:12,667 --> 01:28:14,584 with different IDs, then you could probably 1261 01:28:14,584 --> 01:28:16,250 spell something. 1262 01:28:18,459 --> 01:28:22,584 This is ACARS now, So this is the text messaging from the aircraft." 1263 01:28:22,584 --> 01:28:24,834 Do you not want to fly on a particular aircraft? 1264 01:28:24,834 --> 01:28:28,167 "These things are automatically sent. 1265 01:28:28,459 --> 01:28:34,667 They are incredibly complex and thorough in their self checks. 1266 01:28:34,751 --> 01:28:38,834 It's interesting to see the reports they send." 1267 01:28:38,834 --> 01:28:45,999 Was the flight you were on a little bumpy? 
1268 01:28:45,999 --> 01:28:47,083 " 1269 01:28:47,083 --> 01:28:51,999 Do you want to message the cockpit privately?" 1270 01:28:51,999 --> 01:29:00,999 There are 4 assigned labels that address the cockpit printers. 1271 01:29:00,999 --> 01:29:05,334 I doubt they print anymore but the message might be set. 1272 01:29:10,709 --> 01:29:13,709 The uplink power control controls the amount of power sent 1273 01:29:13,709 --> 01:29:15,709 up by the ground, and it's usually kept 1274 01:29:15,709 --> 01:29:18,667 at a minimum because it's very costly. 1275 01:29:26,209 --> 01:29:28,792 Depends on the weather, as we established. 1276 01:29:29,083 --> 01:29:31,999 Heavy rain, costs more. 1277 01:29:33,999 --> 01:29:41,125 You can turn your signal a little bit higher than yours 1278 01:29:41,125 --> 01:29:48,999 and it actually says a malfunctioning uplink control system 1279 01:29:48,999 --> 01:29:54,999 can damage a satellite wave amplifier. 1280 01:29:56,999 --> 01:30:01,125 This is the signal from earth and sends it back down. 1281 01:30:01,459 --> 01:30:06,542 If you end up sending a higher signal than what it can take, 1282 01:30:06,542 --> 01:30:08,959 it could bust. 1283 01:30:11,501 --> 01:30:15,209 You can hot wire a complete transponder. 1284 01:30:19,626 --> 01:30:23,999 But you need serious equipment to do that. 1285 01:30:23,999 --> 01:30:26,999 FastTrak, you don't want to pay another toll in your life ... 1286 01:30:40,999 --> 01:30:43,999 You want traffic management to think there is some kind 1287 01:30:43,999 --> 01:30:45,999 of issue happening. 1288 01:30:47,542 --> 01:30:50,167 You could just stand there. 1289 01:30:50,167 --> 01:30:55,999 Do you want to keep tabs on someone? 1290 01:30:56,918 --> 01:31:02,918 Set up a reader and see if they drive past. 1291 01:31:03,626 --> 01:31:09,459 You drive up the highway, and you can be read. 
1292 01:31:47,834 --> 01:31:49,999 You can get an amateur radio license 1293 01:31:49,999 --> 01:31:54,959 and do experimental stuff there but elsewhere it's not a good idea. 1294 01:31:56,751 --> 01:31:58,459 Thank you very much. 1295 01:32:09,876 --> 01:32:14,501 (Applause.) If you would like to know more information, 1296 01:32:14,501 --> 01:32:20,626 I put a lot of stuff on my Wiki, my main web site, documents, projects, 1297 01:32:20,626 --> 01:32:25,709 a lot of the things like direction finding and stuff I keep 1298 01:32:25,709 --> 01:32:30,999 on my GitHub, and if you want to email me, there are my emails 1299 01:32:30,999 --> 01:32:33,751 and Twitter handle. 1300 01:32:34,083 --> 01:32:41,417 AUDIENCE MEMBER: (Away from mic.) BALINT SEEBER: I sent 1301 01:32:41,417 --> 01:32:45,375 a huge deck to DEF CON. 1302 01:32:50,125 --> 01:32:53,501 The deck that I showed you today has been significantly upgraded 1303 01:32:53,501 --> 01:32:58,083 but in time I'll post those as well as the videos and things like that. 1304 01:32:58,584 --> 01:33:00,083 AUDIENCE MEMBER: Thank you. 1305 01:33:00,083 --> 01:33:01,501 BALINT SEEBER: If you have questions come and find me 1306 01:33:01,501 --> 01:33:03,083 and talk to me.