
System Bus Radio: Transmits AM radio on computers without transmitting hardware - yarapavan
https://github.com/fulldecent/system-bus-radio
======
kabdib
I debugged a boot issue on the Apple Newton this way. The latest flash image
was a brick on production hardware (no available LEDs, GPIOs, etc.) but not on
development hardware. But I _could_ flash a new OS image.

So I wrote some small loops that did different stuff on the bus (so that they
sounded different) and salted the boot path with them, then listened in on my
portable AM radio. Found the problem inside of an hour by moving the loops
further down the path.

There were probably other ways to do this (could have coaxed a hardware tech
in the lab to solder in a GPIO), but this way was more fun. :-)

~~~
phyzome
Reminds me of the CHDK hackers trying to dump firmware off a Canon camera.
They could get the altered firmware to activate and could read memory and
control an LED, so... they blinked the firmware out through the LED, and read
it with a ball mouse's optical sensor attached to a microphone cord. :-)

~~~
nyreed
I half-remember reading that someone dumped the firmware of an older iPod by
listening to hard disk noises.

Thinking back this doesn't make much sense.

EDIT: I was maybe ⅓ right
[https://web.archive.org/web/20070613032334/http://www.ipodli...](https://web.archive.org/web/20070613032334/http://www.ipodlinux.org/stories/piezo/)

------
cestith
Back a couple of decades, my alphabetic pager was going off but the messages
were gibberish. It turned out the CPU in the PC I'd been asked to look at was
a Pentium running at 150 MHz. I'd set my pager directly on top of the case,
and the nominal frequency for it was 150.5 MHz, frequency modulated.

The lines in the motherboard can be used as antennae and the CPU pins can
produce a clock pulse and modulate it. There used to be a parallel port audio
device for PCs which was mainly just different resistors. The driver for it
just timed pulses to the different pins.

This software just shows a bit of a novel implementation to modulate the
motherboard bus itself in an ordered way to produce a signal with useful data
in it. I imagine FM may be easier to pull off cleanly than AM, actually.

This shows that an air gap has to be pretty large, and should probably be
backed up by a Faraday cage if your data is that sensitive.

I don't suspect this will be used to get grandma's credit card number from her
home desktop considering the logistics of the actual attack. Source code to
something really important, military data, diplomatic dispatches, or something
else of really high value would be the only sensible targets in a closed area.
However, a university lab, Internet cafe, coffee shop, or public library might
be easy enough. Most of the machines there will be on the network, and that's
an easier way to exfiltrate. The main advantage of this in the common
attacker's toolkit is it won't be seen by a host-based firewall. DNS, DHCP, or
lots of other ways could be used to exfiltrate through most firewalls though.

This sort of thing is a great novelty for most of the computer-using world.
It's kind of scary for people who are actually in need of an air gap, but I
don't think it's unforeseen.

~~~
gtufano
Years ago I was in the same building during the installation of a "NATO
standard" (whatever that means) environment suitable for developing sensitive
software, and the air gap was indeed pretty large, the entire 2 rooms were air
gapped from the building (at 4th floor), enclosed in a Faraday cage and with
special precautions (out of my clearance level) for electricity going in. It
was very quiet inside (even cell phone did not have any signal, of course).

~~~
netsharc
Hopefully cellphones weren't allowed? Otherwise it would be interesting to
hack the phone to go to "record AM signals" if there's no cell/wifi/FM/GPS
signals (if it were on a plane it would still see GPS signals). Or maybe to
announce its presence using ultrasonic, so if there's also compromised
machines/CPUs/hypervisor environments inside the secured environment, it would
detect the "Hello" and start uploading data to it. Later when the phone user
reconnects to the cell network, it can upload your secret data..

~~~
gtufano
Of course they were forbidden, as was every unauthorized device. The
physical security was tight. I only entered it during construction, before the
certification (I was in a manager role in the building).

------
dsign
People had fanciful minds. They had expected the civilization to end in bio-
warfare, or atomic bombs, or a blazing meteorite impact.

No such luck. The end of the civilization came, rather anticlimactically, when
the humans discovered that side effects and timing attacks made any form of
cyber-security a joke. Their computers screeched to a halt bogged down by
nightmarish security patches.

By then, it was already too late to go back and live off the land.

~~~
kibwen
This code is more fun and interesting than scary. The only way this could be
used maliciously would be in the one-in-a-million environment where arbitrary
code execution is possible but exfiltration is difficult and where the
attacker has physical proximity to the machine. The other 999,999 times, if
you have ACE then it's much simpler to just exfiltrate via the network or USB
or etc.

~~~
Eduard
Scenario: broadcasting out passwords and PINs

~~~
exikyut
Solution: Bluetooth transceiver silicon is <5mm square when packaged

------
Tomte
If you're ever near Stuttgart, Germany, go and visit the university's computer
museum!

[http://computermuseum.informatik.uni-stuttgart.de/](http://computermuseum.informatik.uni-stuttgart.de/)

Klemens usually feeds punched cards into one of his treasures and puts a radio
on top. Playing music.

So much to see!

[http://computermuseum.informatik.uni-stuttgart.de/cm003.html](http://computermuseum.informatik.uni-stuttgart.de/cm003.html)

Including real core memory.

~~~
Fwirt
Living Computer Museums are fascinating.

Anyone who's in Seattle for any length of time owes it to themselves to check
out the Living Computer Museum: [http://www.livingcomputers.org/Discover/At-The-Museum/Vintag...](http://www.livingcomputers.org/Discover/At-The-Museum/VintageComputers.aspx)

In addition to the working Alto, MITS Altair, etc. they have a dedicated cold
room for working vintage mainframes. You can even request an account on one of
'em so you can remotely telnet in. You're also openly invited to interact with
just about any of the microcomputers they have up and running that day.

That's just a small part of their collection. Neat stuff.

~~~
barbs
Also quite good is the Centre For Computing History in Cambridge.

[http://www.computinghistory.org.uk/](http://www.computinghistory.org.uk/)

------
qubex
This is so well-known there's even an _oeuvre_ appropriately titled “IBM 1401:
A User’s Manual” by Icelandic neoclassical composer Jóhann Jóhannsson that
involves recording the noises made on a radio by running different code on an
old mainframe.

[https://pitchfork.com/reviews/albums/9583-ibm-1401-a-users-m...](https://pitchfork.com/reviews/albums/9583-ibm-1401-a-users-manual/)

------
em3rgent0rdr
Alternative air gap bypasses:

badBIOS Sound: [https://arstechnica.com/information-technology/2013/10/meet-...](https://arstechnica.com/information-technology/2013/10/meet-badbios-the-mysterious-mac-and-pc-malware-that-jumps-airgaps/)

Acoustical Mesh Network: [https://arstechnica.com/information-technology/2013/12/scien...](https://arstechnica.com/information-technology/2013/12/scientist-developed-malware-covertly-jumps-air-gaps-using-inaudible-sound/)

Disk Drive Sound: [https://arstechnica.com/information-technology/2016/08/new-a...](https://arstechnica.com/information-technology/2016/08/new-air-gap-jumper-covertly-transmits-data-in-hard-drive-sounds/)

Surveillance Cameras: [https://arstechnica.com/information-technology/2017/09/attac...](https://arstechnica.com/information-technology/2017/09/attackers-can-use-surveillance-cameras-to-grab-data-from-air-gapped-networks/)

------
anfractuosity
I wrote a program based on that:

[https://github.com/anfractuosity/musicplayer](https://github.com/anfractuosity/musicplayer)

Which plays .wav files (example with Taylor Swift) to a nearby radio

[https://www.youtube.com/watch?v=xSj5skknXWg&feature=youtu.be](https://www.youtube.com/watch?v=xSj5skknXWg&feature=youtu.be)

------
ravenstine
That's pretty damned clever.

In a far less sophisticated way, I was able to achieve audio transmission
without any extra hardware except for a ~6 foot aux audio cable. This was back
when I was maybe 14 years old and I was already building RF circuits with
crystal oscillators and such. Learning that audio is sampled at specific
frequencies, I was then led to wonder if the same principles could be used to
send and receive audio through proximal electromagnetism (since electrical
currents generate fields). While this is obvious to any adult with basic knowledge of
science, it was quite novel for me to discover that my boom box radio, when
set to auxiliary mode, could slightly pick up audio passing through an open-
ended cable from my sound card. What I really didn't expect was that by upping
the volume further, I could send a clear signal across several feet. Clearly,
this wasn't just the force of magnetism but there was some radio activity
happening. I never figured out what was going on, although I hypothesized that
the transistors in the microphone input hardware of the boom box were
configured in a way that was behaving like a transistor radio.

I would love to understand what was really happening there.

~~~
digi_owl
AM is basically an audio signal applied to a carrier wave, while FM is a
whole different beast. Meaning that AM is quite similar to what passes down a
speaker wire.

I am not a professional, but my impression is that AUX mode basically just
passes the input audio signal directly to the speakers.

I am not quite sure what you mean by an open-ended cable though, nor which end
of the setup you upped the volume on (I suspect the PC).

~~~
ravenstine
Actually, you're correct since there's no one frequency that's being
modulated. It must have been AM.

By open-ended cable, I meant that there was an audio cable coming out of my
sound card but connected to nothing on the other end. That's how I remember
it, anyway. Actually, I think I increased the volume output on my PC as well
as the volume on my receiver.

------
c-smile
Quite old trick actually.

During the Cold War, in the USSR, an American spy device was discovered that
had been placed on the street outside the wall of a mainframe computer
installation, near the drum printers
([https://en.wikipedia.org/wiki/Printer_(computing)#/media/Fil...](https://en.wikipedia.org/wiki/Printer_\(computing\)#/media/File:Drum-printer.jpg)).
The device was recording signals from them and retransmitting the recording in
compressed form to a satellite.

~~~
xenadu02
Do you have a link to more information about this?

~~~
c-smile
We were told about this by our lecturer at university (USSR). The course was
"data protection / security" ("Защита данных" in Russian).

The device was disguised as a can of "Килька черноморская в томате" (canned
fish: Black Sea sprat in tomato) and was transmitting short narrow beams
upstream on a schedule.

~~~
shabble
maybe something more like
[https://en.wikipedia.org/wiki/Acoustic_cryptanalysis](https://en.wikipedia.org/wiki/Acoustic_cryptanalysis)
?

I suppose it could be capturing EM emissions from the printers rather than
acoustic, but that would make it fundamentally more like the other TEMPEST
hacks as a way to exploit _unintentional_ emissions, rather than as a sneaky
covert channel where you have control over the computer equipment, but don't
have access to external interfaces to offload your stolen data.

Unless I'm misunderstanding some part of your description, anyway.

~~~
TeMPOraL
With the printers and mainframes of old being _big_ , couldn't it be just
recording vibrations of the wall?

------
BuildTheRobots
There's also PiFM[1] which (iirc) modulates one of the GPIO pins fast enough
on a Pi to produce an FM radio signal.

It's fun to play with, and is a great hack, but please don't try and use it
for anything or any length of time; it puts out a tonne of horrible harmonics
all over the radio spectrum.

[1] [https://github.com/rm-hull/pifm](https://github.com/rm-hull/pifm)

~~~
j_s
Or take the rails completely off (5 KHz-500 MHz // FM,AM,SSB,SSTV,FSQ):
[https://github.com/F5OEO/rpitx](https://github.com/F5OEO/rpitx)

 _I have a „Hörmann“ garage door opener. For a long time, I have wanted to use my
phone instead of the original sender. Therefore, I thought to run a Raspberry Pi
and send the signal from there._

 _I recorded the signal with HackRF One as .wav; the problem here is that
HackRF records with a sampling rate much higher than 48kHz (by default it is
10MHz!). So one has to downsample the recorded file, which I did with Matlab
(downsample(signal, „fs_of_record /fs_for_rpitx“)). The resulting .wav signal
is now sent at 433MHz (either my garage door listens there too, or the 2nd
harmonic works?!)_

src:
[https://github.com/F5OEO/rpitx/issues/50](https://github.com/F5OEO/rpitx/issues/50)

~~~
cadr
For a really good time, I suggest
[https://github.com/JamesP6000/WsprryPi](https://github.com/JamesP6000/WsprryPi)
- it is super fun to run a signal into a long wire and see it picked up around
the world!

(You do need an amateur radio license for this, but in the USA at least the
technician one is very easy to get.)

~~~
j_s
For the semi-serious there is a pre-made filter "temporarily unavailable"
(2018-01-15) for purchase: Raspberry Pi QRP TX Shield for WSPR |
[https://www.tapr.org/kits_20M-wspr-pi.html](https://www.tapr.org/kits_20M-wspr-pi.html)

 _the harmonics are filtered by a LPF, and the broadband noise is filtered by
a BPF [...] a buffer amp is provided for isolation. This also provides a boost
to the TX signal_

And this project ties in an RTL-SDR for receiving:
[https://github.com/ha7ilm/qtcsdr](https://github.com/ha7ilm/qtcsdr)
mentioning _AM /NFM/WFM/LSB/USB [...] although NFM/WFM works as expected, the
AM/SSB modes need a much higher level of filtering_

~~~
sgtpepper
Building your own LPF is surprisingly easy and educational!

~~~
cadr
Specifically, I would recommend searching for "W3NQN CWAZ" filter. Look at
[http://www.kitsandparts.com/](http://www.kitsandparts.com/) for the toroids.

------
komali2
I love how this person linked their amazon wishlist as their "project tip
jar." That's a fun idea. We kind of get a sense of their personality as well
through it - they obviously like tea, for example.

------
joshwa
System Bus Radio (github.com) 499 points by sssilver 687 days ago

[https://news.ycombinator.com/item?id=11203951](https://news.ycombinator.com/item?id=11203951)

------
neolefty
Does anyone know a way to _receive_ these signals without installing extra
hardware? Then we need a name for it. DarkFi?

~~~
j_s
[http://microbit.org/guide/features/#light](http://microbit.org/guide/features/#light)

 _reversing the LEDs of the screen to become an input, the LED screen works as
a basic light sensor_

(only the very tiniest bit related, for the BBC micro:bit)

------
AlexVranas
If I were to run this on a VM, would the host machine start transmitting AM,
or would the hypervisor ruin the mechanism in which this works?

I rent a VPS at a nearby datacenter, and I could maybe ask for a tour. It
would be interesting if I could pick up these signals from their server racks
by running the code on my VM.

~~~
exikyut
I thought about this for a minute, and my theory is that it wouldn't, because
the hypervisor wasn't based on an RTOS. If it was RTOS-based, and the
hypervisor needed to use a known constant amount of time for its own
housekeeping, you _might_ be able to find a frequency multiple that worked.

But as things are, I don't THINK so, due to indeterminate scheduling. The
likelihood is very low. (Translation: I really do want this to work because it
would be cool :P - but the VM world has already been turned upside down this
year....)

If you have a spare machine lying around you could maybe spin up the same VM
software on that and see if anything interesting happens. After establishing
very very good radio transmissions off the bare metal (and finding all
potential frequencies etc), of course.

The other good question is what sort of transmission frequency would be used
by the hardware your VPS is running on. That would be fun to find out about...

------
JetSpiegel
I remember this from a few years back, but apparently this was ported to JS.

[https://fulldecent.github.io/system-bus-radio/](https://fulldecent.github.io/system-bus-radio/)

------
ChuckMcM
Always a fun side effect that can be the catalyst for people becoming more
interested in radio! I ported code written for the Altair 8800 that did this
to my Cromemco S-100 system in high school, the MIT AI lab had a 'tunes'
program on their KL-10 that could play music on a nearby radio. I even
intentionally used this effect in my easter egg locator beacon system (the PIC
chips can output their 1 MHz clock to a pin and it is easy to modulate it from
there).

It will be a sad time when the AM bands are discontinued or moved to digital
modes (where this technique will no longer work).

------
fernly
Live demo at the Computer History Museum, of an IBM 1401 playing music via AM
radio bus emissions.

[https://www.youtube.com/watch?v=EPk8MVEmiTI](https://www.youtube.com/watch?v=EPk8MVEmiTI)

You can see the 1401 demo'd on Wednesdays and Saturdays -- although they don't
do this in the regular demo, just read cards and print on the line printer.

------
davidgerard
I used to play BASIC games on my Dick Smith System 80 (a TRS-80 clone) with a
radio next to it tuned to no station, for sound effects.

------
ferongr
It works for me, on a desktop enclosed in a metal case, using a small handheld
radio with an internal AM antenna. Interesting.

------
handelaar
See also (about ten years ago):
[https://bellard.org/dvbt/](https://bellard.org/dvbt/) \- digital television
broadcasting from a VGA card

------
aatishnn
I stumbled upon this a long time ago:
[http://www.erikyyy.de/tempest/](http://www.erikyyy.de/tempest/)

Uses the monitor to generate an AM signal.

------
TomV1971
Tangentially related: the singing Commodore 64 floppy drive.

[https://m.youtube.com/watch?v=5gnMgmlKi_o](https://m.youtube.com/watch?v=5gnMgmlKi_o)

~~~
beamatronic
I remember that! I believe it did some small amount of damage to the drive.
Head needed to be realigned or such.

~~~
vidarh
You're right. It works because there's no protection against trying to send
the drive head past where it's meant to be able to go, because nobody expected
anyone would try to repeatedly ask it to move out of bounds, and the vibration
can easily get the head out of alignment.

------
nsxwolf
Didn't work for me on a 2013 Mac Pro or a 2015 MacBook Pro. I have a handheld
and I tried multiple antenna positions.

------
jim_lawless
This sounds like a modern-day equivalent of the classic "Fool on the Hill"
played on the AM radio sitting on top of an Altair 8800 ( recreated in the
video below ):

[https://www.youtube.com/watch?v=1FDigtF0dRQ](https://www.youtube.com/watch?v=1FDigtF0dRQ)

------
braythwayt
In the 1970s, I read about people doing this at MIT or some such, on real
computers. Our high school had a Nova 1220 minicomputer, but we had no access
to assembly for it, so all I could do was write programs in BASIC.

After a bit of experimentation, I was able to produce two or three distinct
tones of discordant buzzing with loops.

Computer music!

~~~
godelmachine
I think you are referring to "Fool on the Hill" being played on that Altair
8800, which cunningly made use of the radio frequency interference/static
controlled by the timing loops of the program - created by Steve Dompier.

Bill Gates was confounded and astounded, and described it as, "the best demo
program I've seen for the Altair…". He could not figure out how the computer
could broadcast to the radio.

You can read more about it here =>
[https://en.wikipedia.org/wiki/Open_Letter_to_Hobbyists](https://en.wikipedia.org/wiki/Open_Letter_to_Hobbyists)

~~~
braythwayt
I seem to recall reading about this running on minicomputers or mainframes, as
described in another reply, and I also think this predated the Altair, as I
first became smitten with computers around 1972.

Here's a video of a minicomputer generating AM radio music in 1971:

[https://www.youtube.com/watch?v=akvSE5Z474c&lc=D5Mdy7u7Cxwsk...](https://www.youtube.com/watch?v=akvSE5Z474c&lc=D5Mdy7u7CxwskML7wm06K0-_TEHfmrxPlonoX60N9Ho)

~~~
univacky
I think that computer was built in 1971; the video mentions that the software
used is Richard Wilson's player, which was written in 1975 (the DECUS entry is
dated 2/11/1976).

------
Blackthorn
Only half related, but it's kind of neat that we've used such a relatively
simple standard of radio for so long. Modern modulation schemes are so
complicated that they require dedicated functionality just to interpret.
Wasn't always like that.

------
randyrand
I don't understand it. What determines the carrier frequency of the computer?
How does he change the amplitude of the signal?

~~~
anfractuosity
The signal appears on many different frequencies, so afaik they must be
harmonics, I'm curious as to what is defining the base carrier frequency too
as the code itself doesn't determine that really.

Edit: I just saw lovelearning's explanation -
[https://news.ycombinator.com/item?id=16168969](https://news.ycombinator.com/item?id=16168969)

"In this case, the copper traces connecting CPU to RAM on that particular
computer are emitting EM radiation at a frequency of 1580 kHz."

I think 1580kHz could just be one of the harmonics.

I'm curious what defines the carrier, if it's a factor of the length of copper
on the memory bus, clock frequencies etc?

------
lubujackson
Now if we could just have AM receivers in all our phones!

------
baq
side channel information leak for two, please

~~~
samfisher83
This is how you debug hardware. You put an oscilloscope on the bus and you
decode the bytes. This is what people have been doing since the advent of the
computer.

~~~
baq
'on the bus' is quite a bit different from '1 meter of drywall away' though...

~~~
samfisher83
Maxwell's laws say a time-varying electric field will radiate, so maybe make
sure people can't get near the computer.

~~~
tibbon
MacBook Pro Lead Edition - blocks EM radiation. Weighs 50 lbs!

------
dvaita99
Can someone do an ELI5 on this project? Tried to read but couldn't get
further.

~~~
lovelearning
Here's one.

This sentence from the linked paper is informative - "When data is exchanged
between the CPU and the RAM, radio waves are emitted from the bus's long
parallel circuits."

For some background:

Digital circuits like computer motherboards have components called oscillators
that switch voltage on and off a number of times every second. This is what
"clock speeds" refers to - 2.8 GHz CPU clock speed means voltage to CPU is
being switched on and off 2.8x10^9 times per second.

All components like the processors, IO buses, RAM modules, etc. synchronize
their actions to the rise and falls in these voltage levels. It's a way of
synchronizing their actions.

One consequence of switching voltage on and off is that electrical fields
build up and collapse (voltage is a measure of the electrical field), and
cause magnetic fields to build up and collapse. We lay people call
"oscillating electromagnetic fields" as "radio waves". This is the origin of
radio waves from motherboards.

The missing link for transmission is that like any radio transmission, it
requires an "antenna" \- that is a conductor of some length. There are
conductors on a circuit board in the form of copper traces through which
current passes. These start acting like antennas.

In this case, the copper traces connecting CPU to RAM on that particular
computer are emitting EM radiation at a frequency of 1580 kHz.

So far, all there is is some EM radiation with certain frequency and an
antenna to transmit it. This is just the "carrier wave". But for transmitting
useful information, some kind of modulation is necessary to encode data over
that carrier wave. This project uses an SSE2 CPU instruction called MOVNTDQ or
_mm_stream_si128 to write to memory, with the data to be transmitted encoded
as sequences of 1s and 0s with certain frequency (rate) and for a certain time
period. This act of writing at a certain rate for some time period results
in switching on and off of voltages on the traces between CPU and RAM which in
turn creates modulated EM radiation.

TBH, I didn't understand the details of how this project modulates the binary
data over a square wave and how it gets treated as amplitude modulation by a
regular radio receiver, and I request another ELI5 from somebody else to
explain it to me :)

~~~
randyrand
First realize the amplitude modulation in this radio is very crude. Unlike
normal radio which has many amplitudes, this radio only has 2. On and off.
Tone or no tone. This radio has no control over the exact amplitude.

Due to this limitation, this radio can only transfer a single tone at a time.
Music must be monophonic.

To transfer a 60 Hz tone we just switch between the on and off state at 60 Hz.
The On state will be at some random amplitude that we can't control.

What are these states? In the On state, we write to a memory address
repeatedly very very fast (as fast as the computer allows). And in the off
state we sleep.

~~~
anfractuosity
Despite the fact you can only modulate the carrier on/off, you can still also
output normal music with speech etc using pulse density modulation -

[https://news.ycombinator.com/item?id=16168317](https://news.ycombinator.com/item?id=16168317)

Which I don't think is monophonic, but I could be wrong?

~~~
randyrand
How does a pulse density modulated audio signal sound to the human ear?

You may be right if that YouTube clip is any indication. Neat!
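The on/off keying that randyrand describes, and the pulse-density trick anfractuosity points to, written out as an added C example. This is not code from the system-bus-radio repository; the function names, the scratch-buffer size and the slot length are this example's own choices. The "on" state follows lovelearning's summary of the project: it floods the CPU-to-RAM bus with non-temporal stores (`_mm_stream_si128`, i.e. MOVNTDQ), which bypass the cache so the traffic actually reaches the memory bus instead of being absorbed by L1/L2; the "off" state simply sleeps. Whether a receiver hears anything, and on which frequency, depends on the particular board's traces and clocks, which is why the thread reports it working on one machine and not another.

```c
/* Added example, not code from the system-bus-radio project.
 * (1) On/off keying of the CPU-to-RAM bus at an audio-rate square wave.
 * (2) A first-order pulse-density modulator so the same on/off keying
 *     can carry sampled audio rather than one monophonic tone.
 * Assumptions: POSIX clock_gettime/nanosleep; SSE2 for MOVNTDQ, with a
 * plain volatile store as a fallback so the file compiles elsewhere. */
#define _POSIX_C_SOURCE 200809L
#include <stdint.h>
#include <stddef.h>
#include <time.h>

#if defined(__SSE2__)
#include <emmintrin.h>
#endif

/* Buffer the "on" state hammers. 16-byte aligned for _mm_stream_si128. */
static _Alignas(16) int16_t scratch[1024];

/* Half period (ns) of the keying square wave for a tone at freq_hz. */
uint64_t half_period_ns(unsigned freq_hz) {
    return 1000000000ULL / (2ULL * freq_hz);
}

static uint64_t now_ns(void) {
    struct timespec ts;
    clock_gettime(CLOCK_MONOTONIC, &ts);
    return (uint64_t)ts.tv_sec * 1000000000ULL + (uint64_t)ts.tv_nsec;
}

/* "On": stream stores to RAM as fast as possible for ns nanoseconds.
 * Non-temporal stores bypass the cache, so each one is real bus traffic. */
static void bus_on(uint64_t ns) {
    uint64_t end = now_ns() + ns;
#if defined(__SSE2__)
    __m128i v = _mm_set1_epi16(0x5555);
#endif
    do {
        for (size_t i = 0; i < sizeof scratch / 16; i++) {
#if defined(__SSE2__)
            _mm_stream_si128((__m128i *)(scratch + i * 8), v);  /* MOVNTDQ */
#else
            *(volatile int16_t *)(scratch + i * 8) = 0x5555;    /* fallback */
#endif
        }
    } while (now_ns() < end);
}

/* "Off": no bus traffic from this thread for ns nanoseconds. */
static void bus_off(uint64_t ns) {
    struct timespec req = { (time_t)(ns / 1000000000ULL),
                            (long)(ns % 1000000000ULL) };
    nanosleep(&req, NULL);
}

/* Key the bus at freq_hz for duration_ms: one crude monophonic tone. */
void emit_tone(unsigned freq_hz, unsigned duration_ms) {
    uint64_t half = half_period_ns(freq_hz);
    uint64_t end = now_ns() + (uint64_t)duration_ms * 1000000ULL;
    while (now_ns() < end) {
        bus_on(half);
        bus_off(half);
    }
}

/* First-order pulse-density modulator. density[i] in [0,1] is the
 * fraction of slots that should be "on"; writes one bit per slot to out
 * and returns how many slots came out "on". */
size_t pdm_encode(const double *density, size_t n, uint8_t *out) {
    double acc = 0.0;
    size_t ones = 0;
    for (size_t i = 0; i < n; i++) {
        acc += density[i];
        if (acc >= 1.0) { out[i] = 1; acc -= 1.0; ones++; }
        else            { out[i] = 0; }
    }
    return ones;
}

/* Map a signed audio sample in [-1,1] onto a keying density in [0,1]. */
double sample_to_density(double sample) {
    if (sample > 1.0) sample = 1.0;
    if (sample < -1.0) sample = -1.0;
    return (sample + 1.0) / 2.0;
}

/* Number of "on" slots a constant density produces over n slots (n <= 256). */
size_t pdm_constant_ones(double density, size_t n) {
    double d[256];
    uint8_t o[256];
    if (n > 256) n = 256;
    for (size_t i = 0; i < n; i++) d[i] = density;
    return pdm_encode(d, n, o);
}

/* Play a PDM bit stream: each slot lasts slot_ns; 1 = bus on, 0 = bus off. */
void emit_pdm(const uint8_t *bits, size_t n, uint64_t slot_ns) {
    for (size_t i = 0; i < n; i++) {
        if (bits[i]) bus_on(slot_ns); else bus_off(slot_ns);
    }
}
```

`emit_tone(440, 2000)` keys the bus on and off 440 times a second for two seconds, which is the single-tone case randyrand describes. For audio, run each sample through `sample_to_density`, feed the result to `pdm_encode`, and play the bits with `emit_pdm` at a slot length well above the audio bandwidth (tens of microseconds); the receiver's AM detector and the listener's ear low-pass the dense/sparse pulse pattern back into the waveform. Timing jitter from the OS scheduler shows up directly as noise, which is the same reason exikyut doubts it would survive a hypervisor.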

