The purpose of this section is to help you train at home to be able to compete in the Wireless Village’s SDR CTF Challenges. The notes here should give you the broad strokes needed to identify flags, metadata and other components used within the challenges.
If you plan on experimenting at home, please ensure you are properly licensed from the FCC and are operating safely and legally! This is important; if you choose the wrong frequency to experiment within you can have an adverse effect on the safety of yourself and other individuals around you. Get your ticket, get legal and be safe.
Download our most favorite of Linux distributions, Pentoo from http://www.pentoo.ch
For testing at home, you can use a Raspberry Pi with PiFM installed for most of these challenges. Otherwise, you’ll need a BladeRF or HackRF to complete the more specific challenges; I don’t have any intention of making a how-to for those challenges as of yet.
Lesson 1 – Establish Your Baseline
Software : rtl_power
Procedure : From your hotel room, conduct a broad frequency sweep from approximately 30MHz to 1.7GHz.
rtl_power -f 30M:1.7G:1M -i 5m -1 base_survey1.csv
From the conference floor, repeat the same survey.
rtl_power -f 30M:1.7G:1M -i 5m -1 base_survey2.csv
From the competition space, repeat the same survey.
rtl_power -f 30M:1.7G:1M -i 5m -1 wctf.csv
Create a graph that overlays the lines of each csv so that you can identify transmissions and voids.
Pre-game : From Step 1, create a script that will conduct multiple sweeps and average them. Identify the valleys and write a script that will “scan” the valleys looking for strong spurious signals.
Cheating : Look into a program called freqwatch, available at https://github.com/covertcodes/freqwatch
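The pre-game task above (average several sweeps, find the valleys, then watch those valleys for anything new) can be done with a short script over the CSV that rtl_power writes. The following is an added example, not part of the original notes or of rtl_power itself; the three sweeps are constructed inline in rtl_power's column layout (date, time, Hz low, Hz high, Hz step, sample count, then one dB value per bin), and the 6 dB valley margin and 10 dB rise threshold are assumptions you would tune against your own survey files.

```python
"""Average rtl_power sweeps, find quiet valleys, and flag new signals in them."""
from statistics import mean, median

# Constructed rtl_power-style CSV: two rows per sweep, three 1 MHz bins per row
# (146/147/148 MHz and 149/150/151 MHz). Strong carriers sit at 146 and 151 MHz.
SWEEP_1 = """\
2014-10-10, 08:00:00, 146000000, 149000000, 1000000, 5, -25.1, -60.2, -61.0
2014-10-10, 08:00:00, 149000000, 152000000, 1000000, 5, -59.8, -58.9, -30.4
"""
SWEEP_2 = """\
2014-10-10, 08:05:00, 146000000, 149000000, 1000000, 5, -24.9, -59.8, -61.4
2014-10-10, 08:05:00, 149000000, 152000000, 1000000, 5, -60.2, -59.1, -29.6
"""
# Constructed later sweep from the competition space: a new carrier at 150 MHz.
COMPETITION = """\
2014-10-10, 12:00:00, 146000000, 149000000, 1000000, 5, -25.0, -60.0, -61.2
2014-10-10, 12:00:00, 149000000, 152000000, 1000000, 5, -60.0, -35.0, -30.0
"""


def parse_rtl_power(csv_text):
    """Return {frequency_hz: dB} for one sweep; repeated bins (hops) are averaged."""
    bins = {}
    for line in csv_text.splitlines():
        fields = [f.strip() for f in line.split(",")]
        if len(fields) < 7:
            continue
        low, step = int(fields[2]), int(fields[4])
        for i, db in enumerate(fields[6:]):
            bins.setdefault(low + i * step, []).append(float(db))
    return {f: mean(v) for f, v in bins.items()}


def average_sweeps(csv_texts):
    """Bin-by-bin mean across several sweeps; returns sorted [(freq_hz, dB), ...]."""
    acc = {}
    for text in csv_texts:
        for freq, db in parse_rtl_power(text).items():
            acc.setdefault(freq, []).append(db)
    return sorted((f, mean(v)) for f, v in acc.items())


def find_valleys(baseline, margin_db=6.0):
    """Group contiguous bins within margin_db of the median level (the noise floor)
    into (start_hz, end_hz) ranges: the quiet spectrum worth watching."""
    floor = median(db for _, db in baseline)
    valleys, start, last = [], None, None
    for freq, db in baseline:
        if db <= floor + margin_db:
            if start is None:
                start = freq
            last = freq
        elif start is not None:
            valleys.append((start, last))
            start = None
    if start is not None:
        valleys.append((start, last))
    return valleys


def scan_valleys(baseline, valleys, new_sweep_text, rise_db=10.0):
    """Flag bins inside a valley whose level in a fresh sweep rose by rise_db or
    more over the averaged baseline: candidate spurious transmitters."""
    base = dict(baseline)
    fresh = parse_rtl_power(new_sweep_text)
    hits = []
    for start, end in valleys:
        for freq in sorted(fresh):
            if freq in base and start <= freq <= end and fresh[freq] - base[freq] >= rise_db:
                hits.append((freq, round(fresh[freq] - base[freq], 1)))
    return hits


if __name__ == "__main__":
    baseline = average_sweeps([SWEEP_1, SWEEP_2])
    valleys = find_valleys(baseline)
    print("valleys:", valleys)
    print("new signals:", scan_valleys(baseline, valleys, COMPETITION))
```

Feed it your real files by reading base_survey1.csv and base_survey2.csv into average_sweeps and wctf.csv into scan_valleys; with 1 MHz bins the valley list is coarse, so re-run rtl_power with a finer step over each valley before trusting a hit.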
Lesson 2 – Establish Your Offset
Software : GQRX
Procedure : We will be providing a known and calibrated signal source at a specific frequency. Tune to that frequency throughout the day as you may have a shift as your equipment warms up.
Pre-game : At home, tune to a known signal source such as a National Weather Service transmitter (162.400MHz, 162.425MHz, 162.450MHz, 162.475MHz, 162.500MHz, 162.525MHz, 162.550MHz).
Cheating : Nope, not going to help anyone with this one.
Lesson 3 – Morse Code
Software : GQRX, Audacity
Procedure : Record the audio as a wav file in AM mode. Open it in Audacity and look at the waveform over time; you should be able to identify the dots and dashes.
Pre-game : At home, tune to a known HAM radio repeater. Roughly every 10 minutes, it will transmit its ID and other information in Morse code.
Cheating : morse2txt
Test File : Click here to test decoding this Morse code message.
The text should say “WHAT ARE THE IMMORTAL WORDS OF SOCRATES I DRANK WHAT”
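Reading the dots and dashes off the waveform is a timing job: measure how long the tone is on and off, call the shortest "on" a dit, and everything else follows. The script below is an added example (not from the original notes or from morse2txt) that does exactly that on a keyed tone it synthesizes itself; the 8 kHz rate, 700 Hz sidetone and 60 ms dit are constructed values, and the envelope is a simple block RMS rather than the filtering a real decoder would use.

```python
"""Decode an on/off-keyed (Morse) audio recording by measuring tone run lengths."""
import math

MORSE = {  # International Morse, letters and digits
    "A": ".-", "B": "-...", "C": "-.-.", "D": "-..", "E": ".", "F": "..-.", "G": "--.",
    "H": "....", "I": "..", "J": ".---", "K": "-.-", "L": ".-..", "M": "--", "N": "-.",
    "O": "---", "P": ".--.", "Q": "--.-", "R": ".-.", "S": "...", "T": "-", "U": "..-",
    "V": "...-", "W": ".--", "X": "-..-", "Y": "-.--", "Z": "--..", "0": "-----",
    "1": ".----", "2": "..---", "3": "...--", "4": "....-", "5": ".....", "6": "-....",
    "7": "--...", "8": "---..", "9": "----.",
}
FROM_MORSE = {v: k for k, v in MORSE.items()}

RATE = 8000       # samples per second of the constructed audio
TONE_HZ = 700     # constructed sidetone frequency
DIT = 0.06        # seconds per dit; dah = 3 dits, gaps are 1/3/7 dits


def key_message(text):
    """Constructed test input: the keyed tone for `text` as float samples in [-1, 1]."""
    samples = []

    def tone(seconds):
        n = round(seconds * RATE)
        samples.extend(math.sin(2 * math.pi * TONE_HZ * i / RATE) for i in range(n))

    def gap(seconds):
        samples.extend([0.0] * round(seconds * RATE))

    for word in text.split():
        for letter in word:
            for sym in MORSE[letter]:
                tone(DIT if sym == "." else 3 * DIT)
                gap(DIT)
            gap(2 * DIT)    # 3 dits in total between letters
        gap(4 * DIT)        # 7 dits in total between words
    return samples


def envelope(samples, block=RATE // 200):
    """Block RMS over 5 ms blocks: a cheap envelope detector, the numeric version of
    eyeballing the waveform in Audacity."""
    return [math.sqrt(sum(s * s for s in samples[i:i + block]) / block)
            for i in range(0, len(samples) - block + 1, block)]


def runs(env, threshold=0.25):
    """Collapse the block envelope into [key_down, length_in_blocks] runs."""
    out = []
    for level in env:
        down = level > threshold
        if out and out[-1][0] == down:
            out[-1][1] += 1
        else:
            out.append([down, 1])
    return out


def decode(samples):
    """Classify runs by length relative to the shortest key-down run (the dit) and
    translate the resulting dots/dashes through the Morse table."""
    rl = runs(envelope(samples))
    unit = min(length for down, length in rl if down)   # real audio: use a histogram
    words, letters, symbol = [], [], ""
    for down, length in rl:
        units = round(length / unit)
        if down:
            symbol += "." if units < 2 else "-"
            continue
        if units >= 2 and symbol:      # a 3-unit gap ends a letter
            letters.append(FROM_MORSE.get(symbol, "?"))
            symbol = ""
        if units >= 5 and letters:     # a 7-unit gap ends a word
            words.append("".join(letters))
            letters = []
    if symbol:
        letters.append(FROM_MORSE.get(symbol, "?"))
    if letters:
        words.append("".join(letters))
    return " ".join(words)


if __name__ == "__main__":
    print(decode(key_message("WHAT ARE THE IMMORTAL WORDS OF SOCRATES I DRANK WHAT")))
```

To run it on a real Audacity recording, export mono 16-bit PCM, read the samples with the wave module and scale them to floats, then pass them to decode; you will usually need to raise the threshold above the noise floor and to estimate the dit from the run-length histogram rather than the single shortest run.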
Lesson 4 – AFSK
Software : rtl_fm, minimodem
Procedure : Once you’ve identified a potential AFSK transmission, attempt to demodulate it with a command similar to below:
rtl_fm -f 146.0M -M wbfm -s 200000 -r 48000 -o 6 | sox -traw -r48k -es -b16 -c1 -V1 - -twav - | minimodem --rx -8 1200
rtl_fm : Configure the frequency with “-f”, the mode with “-M”, samples per second with “-s”, the audio rate with “-r” and your oversampling rate with “-o”. Read the manual and help file to understand what these options (and others) mean.
sox : You’re going to be receiving a raw audio stream, sample it at 48k, conduct some other transforms and then convert it into a wav file.
minimodem : Finally, take in this wav file, sample it at 1200 baud and expect ASCII text with “-8”. Read the manpage and help file to better understand the other options within minimodem.
Pre-game : At home, use a Raspberry Pi and PiFM to transmit the wav file linked below. Or if you’re not licensed, use sox to read that wav file into minimodem.
Cheating : Not many options for this.
Test File : Click here to test decoding the AFSK message.
Once decoded, you should see the following image:
Please, explore this image some more in a HEX editor; you might find some more things hidden within 🙂
If you don’t have the means to transmit, and just want to test your command-fu, you can run:
minimodem -r -f pi2.wav -8 1200 > out.jpg
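The hex-editor hint above comes down to two places where a JPEG can carry extra data without the picture looking any different: comment (COM) segments inside the marker structure, and bytes appended after the End Of Image marker, where every viewer stops reading. The script below is an added example, not part of the original notes, that walks the marker segments and checks the trailer; the sample file it builds is a constructed stub (SOI, APP0, a COM segment, a fake scan, EOI and an appended blob that merely starts with the ZIP magic), not a real decodable image.

```python
"""Look for data hidden in a JPEG: comment segments and bytes after the EOI marker."""
import re
import struct

SOI, EOI = b"\xff\xd8", b"\xff\xd9"
SOS, COM = 0xDA, 0xFE
STANDALONE = {0xD8, 0xD9, 0x01} | set(range(0xD0, 0xD8))   # markers without a length field


def segments(data):
    """Walk the JPEG marker segments up to Start Of Scan; yields (marker, payload)."""
    if not data.startswith(SOI):
        raise ValueError("not a JPEG (missing SOI)")
    pos = 2
    while pos + 4 <= len(data) and data[pos] == 0xFF:
        marker = data[pos + 1]
        if marker in STANDALONE:
            pos += 2
            continue
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])   # length counts itself
        yield marker, data[pos + 4:pos + 2 + length]
        pos += 2 + length
        if marker == SOS:          # entropy-coded data follows; stop the structured walk
            return


def trailer(data):
    """Bytes after the last EOI marker: a JPEG should end at FFD9, so anything after is appended."""
    idx = data.rfind(EOI)
    return b"" if idx < 0 else data[idx + 2:]


def strings(data, min_len=6):
    """Printable ASCII runs, what a `strings` pass in a hex editor would show."""
    return [m.group().decode() for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data)]


def sniff(data):
    """Guess a blob's container from its magic bytes (first step before unpacking it)."""
    for magic, name in ((b"\xff\xd8\xff", "jpeg"), (b"\x89PNG", "png"),
                        (b"PK\x03\x04", "zip"), (b"\x1f\x8b", "gzip"), (b"%PDF", "pdf")):
        if data.startswith(magic):
            return name
    return "unknown"


def inspect(data):
    """Summarize comment segments plus the type and readable strings of any trailer."""
    comments = [payload.decode("latin-1") for marker, payload in segments(data) if marker == COM]
    tail = trailer(data)
    return {"comments": comments, "trailer_type": sniff(tail), "trailer_strings": strings(tail)}


def build_sample():
    """Constructed JPEG-like stub with a comment and a ZIP-looking trailer (not a real image)."""
    def seg(marker, payload):
        return bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload

    app0 = b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    body = SOI + seg(0xE0, app0) + seg(COM, b"hidden in COM segment") + seg(SOS, b"\x00" * 16)
    appended = b"PK\x03\x04" + b"\x14\x00\x00\x00\x00\x00" + b"constructed_payload.txt"
    return body + b"\x12\x34" + EOI + appended


if __name__ == "__main__":
    print(inspect(build_sample()))
```

Run inspect on the bytes of out.jpg; a non-empty trailer_type other than "unknown" is the cue to carve the trailer to its own file and open it with the matching tool, and a COM payload is worth reading even when it is not printable.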
Lesson 5 – RDS
Software : GQRX, GNURadio Companion (gr-rds)
Procedure : Examine the FM carrier frequency to determine if there is an offset (sub-carrier). If you think you’ve found one, download gr-rds from https://github.com/bastibl/gr-rds.
Test this with your local FM radio stations.
Cheating : Watch these videos:
Lesson 6 – Numbers Station
Software : rtl_fm, minimodem, fldigi
Procedure : Once you’ve identified a potential AFSK transmission, attempt to demodulate it with the same pipeline as in Lesson 4:
rtl_fm -f 146.0M -M wbfm -s 200000 -r 48000 -o 6 | sox -traw -r48k -es -b16 -c1 -V1 - -twav - | minimodem --rx -8 1200
The rtl_fm, sox and minimodem options are explained under Lesson 4.
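The pipeline used in Lesson 4 and again here hands minimodem a 48 kHz wav and asks it for 1200 baud, 8-bit characters. To make clear what that last stage actually decides, the following is an added example (not from the original notes and not minimodem's code) of a Bell 202 style AFSK modem in plain Python: 1200 Hz mark and 2200 Hz space tones, 8N1 serial framing, and a per-bit tone-energy comparison. The 48000/1200 = 40 samples per bit follow from the pipeline; the assumption that the stream is already bit-aligned is the example's, since a real modem (minimodem included) also recovers the bit clock.

```python
"""A Bell 202 style AFSK 1200 modem in plain Python, end to end on a constructed signal."""
import math

RATE = 48_000              # matches sox -r48k
BAUD = 1200                # matches minimodem ... 1200
MARK, SPACE = 1200, 2200   # Bell 202 tones: mark carries a 1, space a 0
SPS = RATE // BAUD         # 40 samples per bit


def frame_bytes(data, idle_bits=8):
    """8N1 serial framing (what minimodem -8 expects): idle mark, then per byte a 0
    start bit, eight data bits LSB first and a 1 stop bit."""
    bits = [1] * idle_bits
    for byte in data:
        bits += [0] + [(byte >> k) & 1 for k in range(8)] + [1]
    return bits + [1] * idle_bits


def modulate(bits):
    """Constructed test input: phase-continuous FSK audio, one float sample per value."""
    samples, phase = [], 0.0
    for bit in bits:
        step = 2 * math.pi * (MARK if bit else SPACE) / RATE
        for _ in range(SPS):
            samples.append(math.sin(phase))
            phase += step
    return samples


def tone_energy(window, freq):
    """Energy of `window` at `freq`: a quadrature correlator, so the signal phase
    at the start of the bit does not matter."""
    i = sum(s * math.cos(2 * math.pi * freq * n / RATE) for n, s in enumerate(window))
    q = sum(s * math.sin(2 * math.pi * freq * n / RATE) for n, s in enumerate(window))
    return i * i + q * q


def demodulate(samples, sps=SPS):
    """Decide each bit by which tone carries more energy over the bit period.
    Assumes a bit-aligned stream; real modems also recover the bit clock."""
    bits = []
    for start in range(0, len(samples) - sps + 1, sps):
        window = samples[start:start + sps]
        bits.append(1 if tone_energy(window, MARK) > tone_energy(window, SPACE) else 0)
    return bits


def deframe(bits):
    """Hunt for start bits, collect 8 data bits LSB first and require the stop bit;
    a bad stop bit is a framing error, so resync one bit later."""
    out, i = bytearray(), 0
    while i + 10 <= len(bits):
        if bits[i] == 1 or bits[i + 9] != 1:
            i += 1
            continue
        out.append(sum(b << k for k, b in enumerate(bits[i + 1:i + 9])))
        i += 10
    return bytes(out)


if __name__ == "__main__":
    audio = modulate(frame_bytes(b"AFSK test"))
    print(deframe(demodulate(audio)))
```

Because each bit period holds exactly one cycle of the mark tone and a non-integer number of space cycles, the two energies separate by a wide margin on a clean signal; on a real recording the same decision still works per bit, but the window start has to come from a clock recovered off the bit transitions.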
There can be other transmission types as well, such as THOR8. For this, you’ll have to experiment with fldigi, which is available at http://www.w1hkj.com/Fldigi.html.
Once you’ve decoded the file, start experimenting with the file. Is it compressed? Encrypted? Dive in deep.
Pre-game : At home, use a Raspberry Pi and PiFM to transmit the wav file linked below. Or if you’re not licensed, use sox to read that wav file into minimodem.
Test File : Click below to test decoding the different messages. Try the encryption keys of HINT, SHAKEN, AREYOUASPY.
THOR8
QPSK256
AFSK
Lesson 7 – ASK / OOK
Software : GQRX, baudline, Audacity
Procedure : Once you’ve identified a potential ASK/OOK transmission, attempt to demodulate it by saving the audio to a wav file in AM mode and opening the recording in Audacity.
Otherwise, you can record the signal using rtl_fm and pipe it into baudline.
rtl_fm -f 89000000 -M raw -s 1000000 -g 0 - | baudline -stdin -samplerate 1000000 -quadrature -flipcomplex -channels 2
rtl_fm : Configure the frequency with “-f”, samples per second with “-s”, and the tuner gain with “-g”. Read the manual and help file to understand what these options (and others) mean.
baudline : It is reading from standard input, matching the sample rate, setting the IQ matching for quadrature, flipping the complex numbers (because of rtl_fm), and setting for two input channels. Familiarize yourself with baudline in more detail if you can.
Pre-game : At home, use a Raspberry Pi and PiFM to transmit the wav file linked below. Or if you’re not licensed, use sox to read that wav file into minimodem.
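What baudline does with the quadrature and flip-complex settings is treat rtl_fm's raw output as I/Q pairs, and the envelope of an ASK/OOK signal is simply the magnitude of each pair, which does not change if the carrier is off-centre or the complex stream is conjugated. The script below is an added example (not from the original notes, rtl_fm or baudline) that slices OOK bits from such a stream; it assumes rtl_fm -M raw writes 16-bit little-endian interleaved I,Q samples, and the 10 kbaud rate, 25 kHz carrier offset and one-symbol start marker are constructed values for the test signal.

```python
"""Recover ASK/OOK bits from the raw I/Q stream rtl_fm writes in -M raw mode."""
import math
import struct

RATE = 1_000_000     # sample rate given to rtl_fm with -s
BAUD = 10_000        # constructed OOK symbol rate -> 100 samples per symbol
SPS = RATE // BAUD


def encode(text):
    """Constructed framing: a few quiet symbols, one start symbol (so the first
    rising edge marks the symbol clock), then each byte MSB first."""
    bits = [0] * 4 + [1]
    for byte in text.encode():
        bits += [(byte >> k) & 1 for k in range(7, -1, -1)]
    return bits


def make_iq(bits, offset_hz=25_000, amplitude=8000):
    """Constructed input: int16 little-endian interleaved I,Q pairs (the layout
    assumed for rtl_fm -M raw) of an OOK carrier offset_hz away from centre."""
    out = bytearray()
    n = 0
    for bit in bits:
        for _ in range(SPS):
            phase = 2 * math.pi * offset_hz * n / RATE
            out += struct.pack("<hh", int(amplitude * bit * math.cos(phase)),
                               int(amplitude * bit * math.sin(phase)))
            n += 1
    return bytes(out)


def magnitude(raw):
    """|I + jQ| per sample: the ASK/OOK envelope, independent of carrier offset and
    of whether the complex stream was flipped (conjugated)."""
    count = len(raw) // 4
    return [math.hypot(i, q) for i, q in struct.iter_unpack("<hh", raw[:count * 4])]


def slice_bits(env, sps=SPS):
    """Threshold halfway between quiet and loud, align the symbol clock to the first
    rising edge, then sample each symbol at its centre."""
    threshold = (max(env) + min(env)) / 2
    start = next(i for i, m in enumerate(env) if m > threshold)
    return [1 if env[c] > threshold else 0 for c in range(start + sps // 2, len(env), sps)]


def bits_to_bytes(bits):
    """Pack MSB-first bits into bytes, dropping a trailing partial byte."""
    return bytes(int("".join(map(str, bits[i:i + 8])), 2) for i in range(0, len(bits) - 7, 8))


def ook_decode(raw, sps=SPS):
    """Envelope -> symbol slicing -> bytes; bits[0] is the start symbol and is dropped."""
    bits = slice_bits(magnitude(raw), sps)
    return bits_to_bytes(bits[1:])


if __name__ == "__main__":
    print(ook_decode(make_iq(encode("OOK"))))
```

With a real capture, replace make_iq with the bytes read from rtl_fm's output file, set SPS from the symbol width you measured in baudline, and expect to add a low-pass on the envelope before thresholding, since the constructed signal has no noise.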
Lesson 8 – DVB-T
Software : GQRX, VLC
Procedure : Once you’ve identified a potential DVB-T transmission, count how wide the transmission is; this will be your hint for the bandwidth setting in VLC. Otherwise, you can just go by trial and error. Nevertheless, the command is below:
vlc dvb://frequency=730000000:bandwidth=6
Lesson 9 – POCSAG
Software : rtl_sdr, GNURadio Companion, gr-mixalot, gr-pocsag
Procedure : Once you’ve identified a potential POCSAG transmission, attempt to demodulate it with GNURadio Companion by following the documentation provided for the module of your choice.
Lesson 10 – MOTOTRBO
Software : rtl_fm, minimodem
Procedure : Once you’ve identified a potential AFSK transmission, attempt to demodulate it with a command similar to below:
Tip of the hat to our student from DerbyCon 2014 for providing the detailed hints within Pentoo.
https://code.google.com/p/pentoo/issues/detail?id=296
Lesson 11 – SSTV
Software : GQRX, qsstv
Procedure : Record the audio as a wav file in FM mode. Figure out the mode by trying different options.
Pre-game : At home, use a Raspberry Pi and PiFM to transmit the wav file linked below. Or if you’re not licensed, either use the test file below or identify known HAM radio frequencies where SSTV is commonly transmitted.
Cheating : qsstv
Test File : Click below to test decoding this SSTV image. You should see something similar to the below image: