Category: gnuradio

Setting up RTL-SDR on Raspberry Pi 3

This post presents the RTL-SDR setup on Raspberry Pi 3 with Raspbian.

RTL-SDR on Raspberry Pi 3

Setting up the environment

Open the terminal, then:

pi@raspberrypi:~ $ sudo apt-get install gnuradio % takes some time to install all packages

pi@raspberrypi:~ $ gnuradio-companion % if gnuradio-companion opens, everything is ok

Installing RTL-SDR and gr-osmosdr packages

pi@raspberrypi:~ $ sudo apt-get install rtl-sdr gr-osmosdr

After successfully installing the packages, plug the RTL-SDR into a USB port of the Raspberry Pi 3, then list the USB devices connected to it:

pi@raspberrypi:~ $ lsusb

Look for Realtek device (RTL), in my case “Realtek Semiconductor Corp. RTL2838 DVB-T”:

lsusb on Raspberry Pi 3

Now it is time to check if RTL-SDR is working:

pi@raspberrypi:~ $ rtl_test

rtl_test on Raspberry Pi 3

In my case it worked the first time on Raspberry Pi 3, but there is a known issue (on Ubuntu) related to a driver conflict (the kernel loads the digital TV driver, dvb_usb_rtl28xxu); if this is your case, do the following:

pi@raspberrypi:~ $ sudo rmmod dvb_usb_rtl28xxu % to make this fix permanent, add dvb_usb_rtl28xxu to the modprobe blacklist

and try again:

pi@raspberrypi:~ $ rtl_test

Testing time :)

Install GQRX through apt-get:

pi@raspberrypi:~ $ sudo apt-get install gqrx-sdr

Then run GQRX:

pi@raspberrypi:~ $ gqrx

If you are not asked to select an I/O device, go to “File” > “I/O Devices” and select Realtek RTL-SDR. Now click the “Power” button: you should hear noise and see the live FFT graph (top) and the live waterfall graph (bottom).

Pay attention:

Due to the processing limitations of the Raspberry Pi, you have to reduce the sample rate in GQRX to avoid crashes. To do so, go to “File” > “I/O Devices” > “Sample Rate”, or edit /home/pi/.config/gqrx/default.conf.

RTL-SDR is known to work at up to 2.4 Msps on Raspberry Pi 3 and up to 1.44 Msps on Raspberry Pi 2.

In most cases you can reduce the CPU load further by reducing the window size, sample rate, FFT rate and FFT size (try 2048 at 10-15 Hz). If you are only interested in the FFT, set Mode to “Demod Off”, which greatly reduces the CPU load.

GQRX on Raspberry Pi 3

Given GQRX's limitations on Raspberry Pi, another option is QTCSDR on GitHub, which also allows TX through GPIO 18 (rpitx); for now we only check the RX function:

  • git clone https://github.com/ha7ilm/qtcsdr
  • cd qtcsdr
  • ./rpi-install.sh
  • ./rpi-test.sh

If rpi-test.sh succeeds, type qtcsdr on the command line.

pi@raspberrypi:~ $ qtcsdr

qtcsdr on Raspberry Pi 3

Congratulations, your RTL-SDR is working on Raspberry Pi 3! Now you can use available SDR tools on Raspberry Pi 3.


Replay Attack – Doorbell

Recently I bought a low-cost wireless doorbell, so I decided to analyze the RF communication and reproduce a replay attack.

To accomplish the attack I used an Ettus USRP2 N210 SDR (Software Defined Radio), a Voye wireless doorbell and GNU Radio.

The replay attack (also called a playback attack) is a simple and very interesting attack: it works by recording a signal and then rebroadcasting it, which succeeds here because the doorbell uses a “fixed code” signal to activate the chime.

(Ettus USRP2 N210 SDR)


(Voye wireless doorbell)

GNU Radio

GNU Radio Companion (GRC) is a graphical tool for creating signal flow graphs and generating flow-graph source code.

More info: http://gnuradio.org/redmine/projects/gnuradio/wiki/GNURadioCompanion

Identifying the signal

Doorbells usually operate at 433 MHz (Europe) or 315 MHz (America). We first looked at 433 MHz to find the signal but nothing was found; analyzing 315 MHz, we found the signal from the doorbell transmitter.

We used GQRX to clearly identify the frequency:


(GQRX – identify the frequency)

Capturing the signal

We recorded the signal from the doorbell transmitter in GNU Radio into a raw file.

We use a sample rate of 2e6 (2 Msps), and this value must be used in every step.


(flow-graph capturing the signal)

Opening this up in Audacity, we can see groups of pulses making up a single button press, and we can identify it as an OOK (On-Off Keying) signal.


(Audacity – Raw File)

Zooming in on a button press, we can see that it is made up of similar-looking groups.


(Audacity – Raw File – Zoom in)

Isolating the signal

Now we export this slice of the signal (4 sequences):


(Audacity – Isolating the signal)

Notice that we exported 4 sequences because the receiver has an error rate and needs to receive more than one packet of bits.
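As an added example, not part of the original post or of GNU Radio, the following Python decodes a pulse-width OOK capture stored as interleaved float32 I/Q (the layout a GNU Radio complex file sink writes) at the post's 2 Msps, splits it into the repeated frames and recovers the fixed code word by majority vote, which is the same redundancy the receiver relies on. The pulse widths, the '0'/'1' encoding, the 10 ms inter-frame gap, the amplitude and the synthetic burst are assumptions, since the post does not document the doorbell's bit format.

```python
from array import array
from itertools import groupby

SAMPLE_RATE = 2_000_000       # 2 Msps, the rate the post uses for every step
SHORT_US, LONG_US = 250, 750  # assumed pulse widths of the remote's PWM-OOK symbols
GAP_US = 10_000               # assumed silent gap between the repeated frames

def us_to_samples(us):
    return SAMPLE_RATE * us // 1_000_000

def ook_modulate(bits, repeats=4, amp=0.7):
    """Constructed test input: a baseband OOK burst as interleaved float32 I/Q, the
    layout a GNU Radio complex file sink writes. Assumed symbol encoding:
    '0' = short high + long low, '1' = long high + short low; the frame repeats."""
    iq = []
    for _ in range(repeats):
        for b in bits:
            hi, lo = (LONG_US, SHORT_US) if b == "1" else (SHORT_US, LONG_US)
            iq += [amp, 0.0] * us_to_samples(hi) + [0.0, 0.0] * us_to_samples(lo)
        iq += [0.0, 0.0] * us_to_samples(GAP_US)
    return array("f", iq).tobytes()

def envelope(raw):
    """Magnitude of every complex sample in a raw interleaved float32 I/Q buffer."""
    vals = array("f", raw)
    return [(i * i + q * q) ** 0.5 for i, q in zip(vals[0::2], vals[1::2])]

def ook_demodulate(raw):
    """Return one bit string per frame found in the capture."""
    env = envelope(raw)
    threshold = max(env, default=0.0) / 2               # halfway between on and off
    # run-length encode the sliced envelope into (is_high, sample_count) pairs
    runs = [(high, len(list(g))) for high, g in groupby(s > threshold for s in env)]
    mid = us_to_samples((SHORT_US + LONG_US) // 2)     # separates short from long pulses
    frame_gap = us_to_samples(2 * LONG_US)             # silence longer than any symbol
    frames, bits = [], ""
    for high, n in runs:
        if high:
            bits += "1" if n > mid else "0"
        elif n > frame_gap and bits:
            frames.append(bits)
            bits = ""
    return frames + ([bits] if bits else [])

def fixed_code_from_capture(raw):
    """Majority vote over the repeated frames, roughly what the receiver does; every
    press yields the same word, and that is what makes a recorded burst replayable."""
    frames = ook_demodulate(raw)
    return (max(set(frames), key=frames.count) if frames else None), len(frames)
```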

We export using the following configuration:


(Audacity – Export Configuration)

Transmitting the signal

Finally, the last step was to create a flow graph to transmit the isolated raw signal.


(flow-graph transmitting the signal)

After executing it, the doorbell rings…

Video of replay attack: