Hello Factoria Labs readers! As you may know, Black Hat USA happened earlier this month in Las Vegas. As well as teaching an in-person SDR class, I was also honored to present a hands-on project at the Arsenal Labs – we had a great turnout, as you can see from the picture.
Black Hat 2022 – Arsenal Labs
My project was an end-to-end, RF reversal of a simple garage door protocol. Although the signal produced by the garage door remote was not terribly complicated, the project provided a full view of the reversing process, including:
scanning for the remote’s signal
capturing the signal to disk
tuning and demodulating to produce a digital baseband waveform
identifying the framing and encoding of the baseband waveform and then extracting the bits
building a simple transmitter to implement the reversed protocol
building a more complex transmitter to implement brute force attacks
If you caught my presentation and wanted to look at starter and solution projects, it’s all at:
All of these scripts build from source and install the resulting libraries and executables to a local target directory. One of the popular out-of-tree (OOT) add-ons to GNU Radio is fosphor. It’s a really neat visualization tool that allows you to much better see what’s going on in the frequency domain. It essentially combines a frequency plot with a waterfall plot. It’s an invaluable tool for exploring the RF spectrum.
In this example, you’re looking at an LTE channel in the center of the plot, and you can actually make out some of the traffic running through the frequency and time multiplexing. Note the increased detail relative to a simple frequency plot of the same swath of spectrum:
Great stuff, right? There’s just one catch to all this – foshpor relies on OpenCL, which usually relies on your system’s GPU. This makes installing gr-fosphor a little more complicated than your typical OOT module. We’ve had an install script available for Intel GPUs for a while, but our Nvidia GPU script was less well tested. Well, we’ve finally had an opportunity to do that testing and update the install script, so if you’ve got an NVidia-based Ubuntu 20.04 system, I encourage to to check it out!
Install GNU Radio from source (this takes 15-30 minutes depending on your system):
cd ~/install/grc-install/install_scripts
sudo ./grc_from_source.sh
Open a new terminal window (THIS IS IMPORTANT! You need the environment variables the script above creates to proceed) and install gr-fosphor:
cd ~/install/grc-install/install_scripts/fosphor
sudo -E ./fosphor_nvidia_gpu.sh
At this point, you can test that fosphor was correctly installed by plugging in your Ettus B2XX SDR (if you have one) and executing the following flowgraph:
(when the execution window comes up, you may need to stretch it to increase the window size to reveal the fosphor visualization)
If you have a different SDR, you’ll need to install support for that and swap out the USRP Source in the flowgraph for the appropriate SDR source (we do have install scripts for HackRF, Lime and Pluto as well).
If you have the latest NVidia drivers, fosphor should work. If however, you encounter an error, it is likely caused by an older GPU driver version. You can check and fix this by hitting the “Windows” key and typing “additional drivers”
Then click on the Additional Drivers icon. You should then see the driver options for your GPU:
If you don’t have the latest driver version selected (460 in the case of the image above), then select the latest version, apply changes and reboot.
If this helps, please let us know in the comments below. Good luck!
It’s been a long-time goal of ours to put our SDR training online in an on-demand format, so that people around the world could learn SDR at any time. That’s finally started happening! Our first class is online, and we’re working on the second right now. After that, are more to come.
We broke up our content into chunks roughly one day in length, though they will likely run a bit longer than that. Our first course, for example, has over 7 hours of video. Given the time it will take you to work through the projects, this will be more than a day for nearly everyone.
While the on-demand format is new, the material is very similar to what we’ve been teaching for years to private customers and at conferences such as BlackHat and the Wild West Hackin’ Fest. The main difference is that a few of the hardware projects required some changes so you can complete them in a virtual setting. We’ll do these projects in a simulation mode, but we’ll demonstrate all of the things you’ll need to do to make them work in the real world. We’ve also simplified the process of getting GNU Radio running on your system by providing you with a virtual machine containing all of the software and project files you’ll need.
We will also be offering a new in-person class consisting almost entirely of hardware projects, as a companion to these online classes. The companion class will provide hand-on training with SDR hardware and live signals, while the online classes will allow you to do most of your training at your own pace. Stay tuned for details on that.
We hope the chance to learn SDR in a more flexible (and distanced) way is useful to you. If so, please check us out!
As some of you have noted, the installation instructions for gnuradio and HackRF contained in our Field Expedient SDR series no longer work. To remedy this I’ve created a set of installation scripts that automate nearly all of the steps required, updated for newer versions of gnuradio/uhd/osmosdr and supporting the Ubuntu 18.04 LTS.
The scripts install from specific releases and commits of the source code, so they should be much more stable than previous iterations of the instructions.
TLDR
On an Ubuntu 18.04 installation perform the following:
Open a new terminal (Ctl+Alt+t) and type: sudo apt -y install git mkdir -p install cd install git clone https://github.com/paulgclark/grc-install cd grc-install/install_scripts sudo ./grc_from_source.sh (This will install both gnuradio and the UHD drivers. It will take between 0.5 to 1.5 hours.)
Open a new terminal and type: cd install/grc-install/install_scripts ./hackrf_from_source.sh (This will install the hackrf tools and the osmocom blocks. It will take only a few minutes.)
Open a third terminal and start gnuradio companion with: gnuradio-companion
Depending on the hardware you have available, you can open the following flowgraphs inside gnuradio-companion to test your setup: ~/install/grc-install/grc/hackrf-test/fm_receiver_hardware.grc ~/install/grc-install/grc/uhd-test/fm_receiver_hardware.grc
Installing gnuradio 3.8
By default the gnuradio install script installs version 3.7.13.5, the latest release before 3.8. If you want to try out the new version, simply type: sudo ./grc_from_source.sh 3.8
Note that the osmocom team hasn’t yet updated the blocks used for interfacing with the HackRF such that they work with version 3.8 of gnuradio. I’ve instead used Igor Freire‘s fork of their repository (actually, it’s his fork of Mickey Vänskä‘s fork of the osmocom repo). Thanks to both Igor and Mickey!
Installation Scheme
One of the big benefits of the PyBOMBS scheme we originally used in the book was the fact that it installs everything to a target directory under your home directory, rather than doing a global install to root-owned directories. The environment is then loaded with a simple call to a setup_env.sh script generated by the install process (which is automatically added to your ~/.bashrc).
This means if something goes wrong, you can just rm -r the target directory and delete a single line from your .bashrc file. You can then start over without worrying about the previous install polluting your environment.
I’ve preserved this scheme in the new scripts as well. By default the scripts will use the following directory for the target: ~/install/sdr
If you want to use a different target, simply run the script with the new target directory as the second argument. If installing 3.7 this would be: sudo ./grc_from_source.sh 3.7 ~/install2
For 3.8, it would be sudo ./grc_from_source.sh 3.8 ~/install2
This installation flow also allows you to easily keep multiple versions of gnuradio on disk. You simply install 3.7 to one target directory and 3.8 to another. You then enable the setup_env.sh file corresponding to the one you want to use at any given moment.
Conclusion
I’ve tested these scripts on numerous laptops and believe I’ve worked out all the issues with both Ettus and HackRF hardware. If you do have an issue, please let me know on GitHub or via email.
Hello readers! Until now, our schedule has only allowed time for SDR training at customer sites or at conferences such as Black Hat and the Wild West Hackinfest. After many requests, we’re finally able to offer an open class, where individual students can sign up and learn the ins and outs of Software Defined Radio.
As always, these are small class sizes full of intensive, hands-on learning. They’ll be held in the greater Seattle area (the suburb of Kirkland to be specific) from the 5th to the 8th of November. First will be our Intro to SDR class, then our Intermediate Digital class. If there’s enough demand, we’ll add on our Reverse Engineering and Python+gnuradio classes (email us if you’re interested).
You can register here, and if you sign up on or before the 3rd of October, you’ll get a discounted rate.
If you have any questions about the classes, please contact me at paul<at>factorialabs.com.
As I’ve mentioned, I’m teaching two SDR classes at Black Hat this August: an Introductory and an Intermediate class. Well, the latter has just sold out! The Introductory class still has a few seats left, though.
Thanks for your interest, and looking forward to seeing many of you in Vegas!
Just wanted to let you know that I’ll doing a webcast with the fine folks at Black Hills InfoSec next Thursday. I’ll be talking about a frequency hopping SDR system I built using Python and the gnuradio API. It was intended as a proof-of-concept RF exfiltration system, but you could use the framework for any number of things.
The host transmits requests for data downstream to the exfil device, along with the frequency at which the information should be sent back. The concept is fairly straightforward, but it’s not always clear how build these types of systems with gnuradio. Specifically, there are a number of complications to getting payload data out of gnuradio flowgraphs and into Python code where you can act on that data. I’ll show you how I did this, as well as some best practices for building code-only gnuradio systems (i.e. without using the gnuradio-companion GUI).
The webcast will be next Thursday (11-Apr) at 2pm EST aka 11am PDT. You can register here.
If you want more information about how to build radio applications with gnuradio, I do have a class that you might be interested in. Please contact me if you’d like more information.
I believe it takes 4 days to learn the basics of software defined radio, even if you’ve never done a single radio-related thing in your life. Less than a week.
If you lay that solid foundation in SDR and gnuradio, you’ll be far more effective in your future endeavors, whether that’s:
scanning for and intercepting signals
reverse engineering transmissions
building your own programmable RF systems for exfiltration
Join us this August at Black Hat to get started with SDR. We have a two-day introductory class that’s perfect for beginners. You don’t need to know a thing, and you don’t need to bring a thing. You’ll use our laptops and SDR hardware. No pre-class installation homework, just show up and sit down. You’ll learn the basics of gnuradio, RF theory and SDR operation – which will enable you to build analog transmitters and receivers.
You can then move on to our Intermediate Digital SDR class, where we’ll work through all the stuff you need to build digital radios:
OOK, FSK, GFSK and PSK modulation
handling preambles, payload encodings and CRCs
clock synchronization!
and much more
If you’ve already spent some time with SDR and know the basics of gnuradio, you can jump straight to the intermediate class. Feel free to contact us if you have any questions about this. We can also chat about our advanced classes in reverse engineering or gnuradio application development.
After learning to build analog and digital radios, a number of our customers had the perfectly reasonable question: “What next?” Over the last year, we’ve developed two additional SDR courses that provide an answer.
The first course focuses on reverse engineering RF devices with SDR, with a host of practical exercises and real hardware to attack.
The second shows you how to build SDR-based radio applications, focusing on the especially tricky part of programmatically extracting data from gnuradio flowgraph objects. Getting data out of flowgraphs is a problem that stymies a number of folks, but I’ll save you a ton of time by showing you powerful methods to get this done cleanly.
As with our previous courses, we first taught them to carefully chosen lead customers. Now, after numerous improvements and tweaks, they’re ready for primetime.
You can contact us at paul@factorialabs.com if you’d like to arrange a private training for your organization. We are also planning on two public training sessions this year: one in the greater DC area and a second in Seattle.
Yesterday, I had the privilege of giving a talk about a project I’d been working on to the Wild West Hackinfest in Deadwood, SD. Over the last year or two I’d been wanting to build a clean radio communication system using SDR and gnuradio. There were a number of not-so-obvious things I’d learned over the years, and I thought releasing some code that implemented such a system could help out folks that may have been struggling with some of the same things that I did.
The project I settled on was an RF exfiltration system, with a host laptop sending commands to a headless Raspberry Pi 3 B+. The twist, however, was that each time the host requested data, it also told the xfil box how to send the data: what frequency, modulation scheme, preamble, etc. The goal was to be able to communicate in a manner that was as flexible as possible, even capable of changing the RF parameters with each transmission.
The code is still at “proof-of-concept maturity” but it should help you see how to get digital payloads from external Python code into a flowgraph (on transmit) and vice versa (on receive). You can see it all here:
I’m incredibly grateful to John Strand and all the folks who made the conference happen. It’s an awesome event with great people both running and attending. If you haven’t been, you should definitely go in 2019.
PS There was a camera running, so I’ll provide an update post when the video is posted.
