
Intro to SDR and RF Signal Analysis - pentestercrab
https://www.elttam.com.au/blog/intro-sdr-and-rf-analysis/
======
forg0t_username
If you want to dabble for _cheap_ with SDR, the RTL-SDR [1] is a < $10 USB
receiver that works from 24 to 1766 MHz.

It allows you to listen to FM radio, decode most 433MHz devices (weather
stations) and car key signals, and even NOAA weather satellites [2] with a DIY
antenna [3].

[1] [https://osmocom.org/projects/sdr/wiki/rtl-sdr](https://osmocom.org/projects/sdr/wiki/rtl-sdr)

[2] [http://www.rtl-sdr.com/rtl-sdr-tutorial-receiving-noaa-weather-satellite-images/](http://www.rtl-sdr.com/rtl-sdr-tutorial-receiving-noaa-weather-satellite-images/)

[3] [http://tinhatranch.com/how-to-build-a-qfh-quadrifilar-helix-antenna-to-download-images-from-weather-satellites/](http://tinhatranch.com/how-to-build-a-qfh-quadrifilar-helix-antenna-to-download-images-from-weather-satellites/)

~~~
echelon
Can you suggest something that could be used to read or reprogram wireless
access cards, such as the HID Proxcard II? I want to clone my apartment's key
fob into a bracelet I can wear when I go jogging.

~~~
voltagex_
If you have an Android phone, grab a NFC reader app - this should at least
tell you if the card is able to be cloned.

~~~
gfv
Not all RFID cards are created the same. Most RFID cards that are some kind of
"smart" (i.e. contactless bank cards, subway tickets) conform to ISO/IEC 14443
standard that mandates the use of ~13.5MHz carrier to communicate between the
reader and the card. This is "the NFC" as your phone understands it.

Proximity cards used for door access usually have the 125kHz carrier
compatible with the EM-Marin EM4100. No cell phones I know of have an antenna
for this frequency range; therefore, no phone can read, clone or emulate an
EM-Marin proximity card.

Since the HID Proxcard II is a "value priced 125 kHz proximity card", you
cannot use a phone to read it.

~~~
crispyambulance
Assuming you could read signals to/from a key-fob/HID-card, isn't there some
encryption involved that would prevent merely repeating the signal to "clone"
a key-fob?

~~~
problems
You can't clone it as many do challenge response but you can relay it - check
out NFCgate for example.

This would allow you to say, hold one device to the reader and one against
someone's pocket to open a door.

Or to share an NFC transit pass between multiple people over the internet.

~~~
amenghra
Search for "distance bound protocol" if you want to read about current crypto
research to prevent relaying.

~~~
problems
There are some interesting attempts at these protocols but most of them rely
on multiple powered devices, not induction-powered smartcards, which inherently
adds delay, and not necessarily predictable delay.

No one has a proven system for doing this in today's smartcards to my
knowledge. Though there is some research which promises this may be possible
in the future.

Even those proximity car locks do a horrible job of distance bounding - many
of them do it off RF level which means an attacker merely needs an amplifier
to steal your car - and that offers an almost optimal situation for the
application. So I think we'll probably see it there before smart cards. Maybe
the timers necessary make this cost prohibitive though. I'm not in a position
to say one way or the other.
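As an added illustration of the "distance bounding" idea raised in the two comments above (this is example code, not something from the thread, from NFCgate, or from any card product): a simplified rapid-bit-exchange protocol in the style of Hancke and Kuhn, where the reader checks each response bit and its round-trip time. Everything numeric is constructed: the card's fixed 5 ns per-round latency, the 32 rounds, the relay delay. A real induction-powered card would not have a fixed latency, which is exactly the objection made above.

```python
"""Distance bounding sketch: correct response bits are not enough, each one
must also arrive within the round-trip time the air path allows.

Added example, not from the original thread or any product. Latencies,
round count and relay delay are constructed values for illustration.
"""
import hashlib
import hmac
import secrets

C_M_PER_NS = 0.299792458      # speed of light in metres per nanosecond
N_ROUNDS = 32                 # rapid single-bit challenge/response rounds
PROVER_DELAY_NS = 5.0         # constructed: card's fixed per-round response latency


def derive_registers(key, nonce_v, nonce_p, n=N_ROUNDS):
    """Both sides derive two n-bit response registers from a keyed PRF over the nonces."""
    digest = hmac.new(key, nonce_v + nonce_p, hashlib.sha256).digest()
    bits = "".join(f"{byte:08b}" for byte in digest)
    return bits[:n], bits[n:2 * n]


class Prover:
    """The card: after setup it sends exactly one register bit per rapid round."""
    def __init__(self, key):
        self.key = key
        self.r0 = self.r1 = None

    def setup(self, nonce_v):
        nonce_p = secrets.token_bytes(16)
        self.r0, self.r1 = derive_registers(self.key, nonce_v, nonce_p)
        return nonce_p

    def answer(self, i, challenge_bit):
        return (self.r1 if challenge_bit else self.r0)[i]


class Channel:
    """Direct RF path: round trip is twice the air distance plus the card's latency."""
    def __init__(self, prover, distance_m):
        self.prover, self.distance_m = prover, distance_m

    def setup(self, nonce_v):
        return self.prover.setup(nonce_v)

    def rapid_round(self, i, challenge_bit):
        rtt_ns = 2 * self.distance_m / C_M_PER_NS + PROVER_DELAY_NS
        return self.prover.answer(i, challenge_bit), rtt_ns


class RelayChannel(Channel):
    """Two attacker devices forward every round (one at the reader, one at the
    victim's pocket); forwarding adds latency to each round trip."""
    def __init__(self, prover, distance_m, relay_delay_ns):
        super().__init__(prover, distance_m)
        self.relay_delay_ns = relay_delay_ns

    def rapid_round(self, i, challenge_bit):
        bit, rtt_ns = super().rapid_round(i, challenge_bit)
        return bit, rtt_ns + self.relay_delay_ns


class Verifier:
    """The reader: accepts only if every bit is right AND every round trip is
    short enough for the card to be within max_distance_m."""
    def __init__(self, key, max_distance_m):
        self.key = key
        self.rtt_limit_ns = 2 * max_distance_m / C_M_PER_NS + PROVER_DELAY_NS

    def run(self, channel):
        nonce_v = secrets.token_bytes(16)
        nonce_p = channel.setup(nonce_v)
        r0, r1 = derive_registers(self.key, nonce_v, nonce_p)
        for i in range(N_ROUNDS):
            c = secrets.randbits(1)
            resp, rtt_ns = channel.rapid_round(i, c)
            if resp != (r1 if c else r0)[i]:
                return False          # wrong bit: not the key holder
            if rtt_ns > self.rtt_limit_ns:
                return False          # right bit, but too far away or relayed
        return True


def guess_success_probability(n=N_ROUNDS):
    """An attacker without the key can pre-ask the card one challenge per round
    and must guess the other register bit, so passes with probability (3/4)^n."""
    return 0.75 ** n


if __name__ == "__main__":
    key = secrets.token_bytes(16)
    reader = Verifier(key, max_distance_m=0.5)
    print("card at 10 cm:        ", reader.run(Channel(Prover(key), 0.1)))
    print("relayed, +500 ns/hop: ", reader.run(RelayChannel(Prover(key), 0.1, 500.0)))
    print("guessing attacker:     %.1e" % guess_success_probability())
```

The honest card at 10 cm needs about 0.7 ns of air time plus its 5 ns latency and passes; the relayed one returns the correct bits but each round arrives hundreds of nanoseconds late and is rejected. Note the margin the reader must resolve: 1 ns of timing slack corresponds to 15 cm of extra distance, which is why the comments above point at timer cost and unpredictable card latency as the obstacle.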

------
p00b
For what it's worth, Great Scott Gadgets (Michael Ossmann's group) put out a
great series of primers [1] on Software Defined Radio (SDR) and the
fundamentals of Digital Signal Processing (DSP) a while back, which are some of
the best I've seen out there to date.

[1] [https://greatscottgadgets.com/sdr/](https://greatscottgadgets.com/sdr/)

------
pentestercrab
For anyone interested in Software-defined radio (SDR) I can also highly
recommend the Cyberspectrum YouTube channel [1].

[1]
[https://www.youtube.com/playlist?list=PLPmwwVknVIiXGzKhtimTM...](https://www.youtube.com/playlist?list=PLPmwwVknVIiXGzKhtimTMjhcyppeRRsnE)

~~~
pentestercrab
There are also meetup groups in San Francisco [1] and Melbourne (Australia)
[2].

[1] [https://www.meetup.com/en-US/Cyberspectrum/](https://www.meetup.com/en-US/Cyberspectrum/)

[2] [https://www.meetup.com/en-US/Cyberspectrum-Melbourne/](https://www.meetup.com/en-US/Cyberspectrum-Melbourne/)

~~~
audi100quattro
Thanks for posting links to the videos and the meetup group, would've joined
it years ago if I'd known about it. Quick question, anything radar related in
the videos?

~~~
bigiain
Have you seen this: [http://www.rtl-sdr.com/passive-radar-dual-coherent-channel-rtl-sdr/](http://www.rtl-sdr.com/passive-radar-dual-coherent-channel-rtl-sdr/)

I can't find the link here right now, but there's some more recent work that's
doing that without needing the two clock-synced receivers too...

~~~
audi100quattro
Looking at [http://www.rtl-sdr.com/tag/passive-radar/](http://www.rtl-sdr.com/tag/passive-radar/)
and YouTube, it seems like some progress has been made. Not sure if any of the
code is open sourced in GNU Radio, Desktop SDR or
[http://www.rtl-sdr.com/big-list-rtl-sdr-supported-software/](http://www.rtl-sdr.com/big-list-rtl-sdr-supported-software/).
Will look into it more; it's been 2+ years since the last time.

------
j_s
This discussion from 6 months ago brought together a bunch of introductory
info and example applications:

[https://news.ycombinator.com/item?id=13101924](https://news.ycombinator.com/item?id=13101924)

------
wwkeyboard
If you want to see a lot of HF signals, field day is this weekend:
[http://www.arrl.org/field-day](http://www.arrl.org/field-day)

------
anonymous_iam
Anyone know the story behind why baudline hasn't been updated in seven years?
The site has promised a beta version with some highly desirable features for a
LONG time, but nothing. Also, since it's closed source, there's nothing we can
do but hope and wait (unless someone were to start an open source equivalent
project).

------
fellellor
Are there companies/sectors that look for candidates with these skills, or is
this more focused towards hackers and hobbyists?

~~~
femto
Virtually every professional radio is software defined to some extent these
days, so every company that designs radios wants signal processing and
information theory skills, more so if they are doing proprietary protocols
rather than implementing a standard. It's pretty well the same skill set,
whether you are designing or analysing systems. There is a surprising amount
of reverse engineering in building radio systems, as the big players (looking
at you, Motorola) often drop speed humps into their implementations to try and
break compatibility with the smaller players' products.

~~~
fellellor
Where can I read more about this?

It's always nice to see RF and Signal Processing stuff on HN.

~~~
femto
Best thing is to just jump in and do it. You don't even need hardware to start
with.

If you're seriously interested, download Octave (Matlab replacement) and write
a program from scratch to simulate a BPSK system and generate a "waterfall"
(bit error vs. noise) curve. Don't stop until you can get your curve to
perfectly match the one in a text book [1]. By doing this, you will learn
about modulation, demodulation and "Additive White Gaussian Noise" (AWGN)
channel models. If you can get the waterfall curve to match exactly, you will
also be covering concepts such as "energy per bit". A BPSK should be quite
doable for an amateur.

Once you have the BPSK simulation, try extending your simulation in different
directions and matching the textbook curves. The following challenges are
roughly in order of increasing difficulty:

1) Add a block code, such as Hamming or BCH.

2) Replace the simple AWGN channel model with a Rayleigh or Ricean model

3) Add a convolutional code (with Viterbi decoder)

4) Implement Orthogonal Frequency Division Multiplexing (OFDM)

5) Implement an LMS receiver

6) Implement a Low-Density Parity Check code (use the one from the WiFi
standard)

7) Implement a complete 802.11a simulation

8) Implement a complete DVB-T simulation

9) Implement a MIMO system, assuming perfect channel knowledge

10) Implement a MIMO system with channel estimation

Get to number 10, and you will know more about radio signal processing than
most engineers.

[1] e.g. "Lin and Costello" Error Control Coding or "Proakis" DSP
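As an added worked example (not from the original thread, the elttam post, or any textbook's code), here is the first exercise femto describes: a from-scratch BPSK-over-AWGN Monte Carlo simulation compared against the closed-form curve. It is written in pure Python with only the standard library rather than Octave so it runs anywhere; the Eb/N0 points, bit count and RNG seed are my own choices, and Eb is normalised to 1.

```python
"""BPSK over an AWGN channel: simulated BER against the textbook waterfall curve.

Added example, not from the original thread. Pure standard library; Eb = 1.
"""
import math
import random


def theoretical_ber(ebn0_db):
    """Textbook BPSK bit error probability:
    Pb = Q(sqrt(2 Eb/N0)) = 0.5 * erfc(sqrt(Eb/N0))."""
    ebn0 = 10 ** (ebn0_db / 10.0)
    return 0.5 * math.erfc(math.sqrt(ebn0))


def noise_sigma(ebn0_db, eb=1.0):
    """Standard deviation of the real-valued AWGN sample for a given Eb/N0.

    With a matched filter the symbol is +/-sqrt(Eb) and the noise sample has
    variance N0/2, so sigma = sqrt(N0/2) = sqrt(Eb / (2 * Eb/N0)). This
    "energy per bit" bookkeeping is what makes the simulation land on the
    textbook curve; get it wrong and the curve is shifted by 3 dB.
    """
    ebn0 = 10 ** (ebn0_db / 10.0)
    return math.sqrt(eb / (2.0 * ebn0))


def simulate_bpsk_ber(ebn0_db, n_bits=200_000, seed=1):
    """Send n_bits random bits as BPSK, add AWGN, hard-decide on the sign of
    the received sample and return the measured bit error rate."""
    rng = random.Random(seed)          # seeded so runs are reproducible
    sigma = noise_sigma(ebn0_db)
    errors = 0
    for _ in range(n_bits):
        bit = rng.getrandbits(1)
        symbol = 1.0 if bit else -1.0  # modulation: bit 1 -> +sqrt(Eb), 0 -> -sqrt(Eb)
        received = symbol + rng.gauss(0.0, sigma)   # AWGN channel
        decided = 1 if received >= 0.0 else 0       # demodulation: sign decision
        errors += decided != bit
    return errors / n_bits


def waterfall(ebn0_points=(0, 2, 4, 6, 8), n_bits=200_000, seed=1):
    """Return [(Eb/N0 in dB, simulated BER, theoretical BER), ...]."""
    return [(db, simulate_bpsk_ber(db, n_bits, seed), theoretical_ber(db))
            for db in ebn0_points]


if __name__ == "__main__":
    print("Eb/N0 dB   simulated    theory")
    for db, sim, theo in waterfall():
        print(f"{db:8.1f}   {sim:.3e}   {theo:.3e}")
```

At 0 dB both columns sit near 7.9e-2 and at 8 dB near 1.9e-4; the simulated value drifts from the formula at high Eb/N0 simply because 200,000 bits yield only a few dozen errors there, which is the usual reason to raise the bit count as the curve falls. Swapping in a Hamming encoder before the mapper (challenge 1 above) means dividing the symbol energy by the code rate before calling noise_sigma, so that the x-axis stays energy per information bit.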

------
wonderous
Beside HackRF One, I've been looking at LimeSDR.

Are there any other comparable options?

~~~
platz
I have a LimeSDR and although multiple channels is nice, the device/software
is a bit buggy and I wish I'd gotten a HackRF instead.

------
thinkMOAR
Great intro, and nice links in the comments, excellent!

