SDR WCTF

The purpose of this section is to help you train at home to be able to compete in the Wireless Village’s SDR CTF Challenges. The notes here should be able to give you the broad strokes needed to be able to identify flags, meta data and other components used within the challenges.

If you plan on experimenting at home, please ensure you are properly licensed from the FCC and are operating safely and legally! This is important; if you choose the wrong frequency to experiment within you can have an adverse effect on the safety of yourself and other individuals around you. Get your ticket, get legal and be safe.

Download our most favorite of Linux distributions, Pentoo from http://www.pentoo.ch

For testing at home, you can use a RaspberryPi with PiFM installed for most of these challenges. Otherwise, you’ll need a BladeRF or HackRF to complete the more specific challenges; I don’t have any intention of making a how-to for those challenges as of yet.

Lesson 1 – Establish Your Baseline

Software : rtl_power

Procedure : From your hotel room, conduct a broad frequency sweep from approximately 30MHz to 1.7GHz.

rtl_power -f 30M:1.7G:1M -i 5m -1 base_survey1.csv

From the conference floor, repeat the same survey.

rtl_power -f 30M:1.7G:1M -i 5m -1 base_survey2.csv

From the competition space, repeat the same survey.

rtl_power -f 30M:1.7G:1M -i 5m -1 wctf.csv

Create a graph that overlays the lines of each csv so that you can identify transmissions and voids.

Pre-game : From Step 1, create a script that will conduct multiple sweeps and average them. Identify the valleys and write a script that will “scan” the valleys looking for strong spurious signals.

Cheating : Look into a program called freqwatch, available at https://github.com/covertcodes/freqwatch

Lesson 2 – Establish Your Offset

Software : GQRX

Procedure : We will be providing a known and calibrated signal source at a specific frequency. Tune to that frequency throughout the day as you may have a shift as your equipment warms up.

Pre-game : At home, tune to a known signal source such as a National Weather Service transmitter (162.400MHz 162.425MHz 162.450MHz 162.475MHz 162.500MHz 162.525MHz 162.550MHz)

Cheating : Nope, not going to help anyone with this one.

Lesson 3 – Morse Code

Software : GQRX, Audacity

Procedure : Record the audio as a wav file and in AM mode. Open it in Audacity and look at the waveform over time; you should be able to identify dots and dits.

Pre-game : At home, tune to a known HAM radio repeater tower. About every 10 minutes or so, they’ll transmit their tower ID and other information in Morse code.

Cheating : morse2txt

Test File :  Click here to test decoding this Morse code message.

The text should say “WHAT ARE THE IMMORTAL WORDS OF SOCRATES I DRANK WHAT”

Audio File

Lesson 4 – AFSK

Software : rtl_fm, minimodem

Procedure : Once you’ve identified a potential AFSK transmission, attempt to demodulate it with a command similar to below:

rtl_fm -f 146.0M -M wbfm -s 200000 -r 48000 -o 6 | sox -traw -r48k -es -b16 -c1 -V1 - -twav - | minimodem --rx -8 1200

rtl_fm : Configure the frequency with “-f”, the mode with “-M”, samples per second with “-s”, the audio rate with “-r” and your oversampling rate with “-o”. Read the manual and help file to understand what these options (and others) mean.

sox : You’re going to be receiving a raw audio stream, sample it at 48k, conduct some other transforms and then convert it into a wav file.

minimodem : Finally, take in this wav file, sample it at 1200 baud and expect ASCII text with “-8”. Read the manpage and help file to better understand the other options within minimodem.

Pre-game : At home, use a RaspberryPi and PiFM to transmit the wav file linked below. Or if you’re not licensed, use sox to read that wav file into minimodem.

Cheating : Not many options for this.

Test File :  Click here to test decoding the AFSK message.

pi2.wav

Once decoded, you should see the following image:

val-kilmer-and-kelly-lebrock-pi2-final

Please, explore this image some more in a HEX editor; you might find some more things hidden within 🙂

If you dont have the means to transmit, and just want to test your command-fu, you can run:

minimodem -r -f pi2.wav -8 1200 > out.jpg

Lesson 5 – RDS

Software : GQRX, GNURadio Compantion (gr-rds)

Procedure : Examine the FM carrier frequency to determine if there is an offset (sub-carrier).  If you think you’ve found one, download gr-rds from https://github.com/bastibl/gr-rds.

Test this with your local FM radio stations.

Cheating : Watch these videos:

Lesson 6 – Numbers Station

Software : rtl_fm, minimodem, fldigi

Procedure : Once you’ve identified a potential AFSK transmission, attempt to demodulate it with a command similar to below:

rtl_fm -f 146.0M -M wbfm -s 200000 -r 48000 -o 6 | sox -traw -r48k -es -b16 -c1 -V1 - -twav - | minimodem --rx -8 1200

rtl_fm : Configure the frequency with “-f”, the mode with “-M”, samples per second with “-s”, the audio rate with “-r” and your oversampling rate with “-o”. Read the manual and help file to understand what these options (and others) mean.

sox : You’re going to be receiving a raw audio stream, sample it at 48k, conduct some other transforms and then convert it into a wav file.

minimodem : Finally, take in this wav file, sample it at 1200 baud and expect ASCII text with “-8”. Read the manpage and help file to better understand the other options within minimodem.

There can be other transmission types as well, such that THOR8. For this, you’ll have to experiment with fldigi which is available at http://www.w1hkj.com/Fldigi.html.

Once you’ve decoded the file, start experimenting with the file. Is it compressed? Encrypted? Dive in deep.

Pre-game : At home, use a RaspberryPi and PiFM to transmit the wav file linked below. Or if you’re not licensed, use sox to read that wav file into minimodem.

Test File :  Click below to test decoding the different messages. Try the encryption keys of HINT, SHAKEN, AREYOUASPY.

THOR8

Audio File

QPSK256

Audio File

AFSK

Audio File

Lesson 7 – ASK / OOK

Software : GQRX, baudline, audacity

Procedure : Once you’ve identified a potential ASK/OOK transmission, attempt to demodulate it by saving the audio to a wav file in AM mode and opening the recording in audacity.

Otherwise, you can record the file using rtl_fm and piping it with baudline.

rtl_fm -f 89000000 -M raw -s 1000000 -g 0 - | baudline -stdin -samplerate
1000000 -quadrature -flipcomplex -channels 2 -format le16

rtl_fm : Configure the frequency with “-f”, samples per second with “-s”, and the tuner gain with “-g”  Read the manual and help file to understand what these options (and others) mean.

baudline : It is reading from standard input, matching the sample rate, setting the IQ matching for quadrature, flipping the complex numbers (because of rtl_fm), and setting for two input channels.  Familiarize yourself with baudline in more detail if you can.

Pre-game : At home, use a RaspberryPi and PiFM to transmit the wav file linked below. Or if you’re not licensed, use sox to read that wav file into minimodem.

Lesson 8 – DVB-T

Software : GQRX, VLC

Procedure : Once you’ve identified a potential DVB-T transmission, count how wide the transmission is; this will be your hint for the bandwidth setting in VLC. Otherwise, you can just go by trial and error. Never the less, the command is below:

vlc dvb://frequency=730000000:bandwidth=6

Lesson 9 – POCSAG

Software : rtl_sdr, GNURadio Companion, gr-mixalot, gr-pocsag

Procedure : Once you’ve identified a potential POCSAG transmission, attempt to demodulate it with GNURadio Companion by following the documentation provided for the module of your choice.

Lesson 10 – MotoTurbo

Software : rtl_fm, minimodem

Procedure : Once you’ve identified a potential AFSK transmission, attempt to demodulate it with a command similar to below:

mkfifo /tmp/pipe
env LD_PRELOAD=/usr/lib64/pulseaudio/libpulsedsp.so dsd -i /tmp/pipe -n -w out.wav

Tip of the hat to our student from DerbyCon 2014 for providing the detail hints within Pentoo.

https://code.google.com/p/pentoo/issues/detail?id=296

Lession 11 – SSTV

Software : GQRX, qsstv

Procedure : Record the audio as a wav file and in FM mode. Figure out the mode by trying different options.

Pre-game : At home, use a RaspberryPi and PiFM to transmit the wav file linked below. Or if you’re not licensed, either use the test file below or identify known HAM radio frequencies where SSTV is commonly transmitted.

Cheating : qsstv

Test File :  Click below to test decoding this SSTV image. You should see something similar to the below image:

Audio File

bman

Software Defined Radio Knowledge Base