NotPike

Everything posted by NotPike

  1. Here's a quick and dirty Python script I'm using to transmit my call sign over the Yard Stick One. I'm using MOD_ASK_OOK modulation to transmit Morse code in binary. Kinda redundant way to explain it, being that Morse code is binary lol. Basically a dash is interpreted as 011 and a dot will be seen as 01. See the example below.

         K        K        1              2             3            4
         -.-      -.-      .----          ..---         ...--        ....-
         01101011 01101011 01011011011011 0101011011011 010101011011 01010101011

     Old school tech but it works. Here's a converter if you want to find out what your call sign is in Morse code: https://cryptii.com/morsecode/binary

         #!/usr/bin/python2.7
         from rflib import *
         import time

         print("What Freq do you want to TX on? Ex. 925.2e6")
         freq = input("Freq: ")
         print("Time inbetween transmissions in sec? Ex. 600 = 10min")
         sec = input("Time: ")

         # Binary Morse of KK1234: dash = 011, dot = 01, spaces separate characters
         CALLSIGN_BITS = "01101011 01101011 01011011011011 0101011011011 010101011011 01010101011"

         def bits_to_bytes(bits):
             # RFxmit sends raw bytes, so the "0"/"1" text has to be packed into
             # real bits first (sending the text itself would key the ASCII codes
             # of '0', '1' and ' ', not the Morse pattern). Spaces become a short gap.
             bits = bits.replace(" ", "00")
             bits += "0" * (-len(bits) % 8)   # pad to a whole byte
             return "".join(chr(int(bits[i:i+8], 2)) for i in range(0, len(bits), 8))

         def callsign(f, t):
             d = RfCat()
             d.setFreq(f)
             d.setMdmModulation(MOD_ASK_OOK)
             d.setMdmDRate(250)
             d.setMaxPower()
             while True:
                 print("Transmitting callsign on " + str(f) + "Hz")
                 d.RFxmit(bits_to_bytes(CALLSIGN_BITS))
                 print("Hit Ctl-C to stop")
                 for i in range(t):   # Timer
                     time.sleep(1)

         callsign(freq, sec)
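The dash = 011 / dot = 01 scheme described in the post above, generalized to any call sign, as an added example. This is not code from the original post or from the rflib project; the function names (`morse`, `to_bits`, `pack`, `airtime_seconds`) are this example's own, and the Morse table is the standard international one. It regenerates the post's hand-typed KK1234 bit string, packs it into the raw bytes an OOK transmitter keys, and reports how long one ID burst occupies at the script's 250 baud, which is what you want to know when the ID has to go out every 10 minutes without stepping on the downlink.

```python
# Added example: build the "dash = 011, dot = 01" OOK bit string for any call sign.
MORSE = {
    "A": ".-", "B": "-...", "C": "-.-.", "D": "-..", "E": ".", "F": "..-.",
    "G": "--.", "H": "....", "I": "..", "J": ".---", "K": "-.-", "L": ".-..",
    "M": "--", "N": "-.", "O": "---", "P": ".--.", "Q": "--.-", "R": ".-.",
    "S": "...", "T": "-", "U": "..-", "V": "...-", "W": ".--", "X": "-..-",
    "Y": "-.--", "Z": "--..",
    "0": "-----", "1": ".----", "2": "..---", "3": "...--", "4": "....-",
    "5": ".....", "6": "-....", "7": "--...", "8": "---..", "9": "----.",
    "/": "-..-.",
}
DASH, DOT = "011", "01"   # the post's encoding: one "off" unit, then 2 or 1 "on" units


def morse(text):
    """Morse symbols for each character, space separated (e.g. 'K' -> '-.-')."""
    try:
        return " ".join(MORSE[c] for c in text.upper())
    except KeyError as exc:
        raise ValueError("no Morse symbol for %r" % exc.args[0])


def to_bits(text):
    """The post's OOK bit string: one group per character, groups space separated."""
    return " ".join(
        "".join(DASH if symbol == "-" else DOT for symbol in MORSE[c])
        for c in text.upper()
    )


def pack(bits, gap="00"):
    """Pack a "0"/"1" string into bytes for an OOK transmitter.

    Character separators become `gap` (silence); the frame is zero-padded to a
    whole number of bytes so nothing is truncated by a byte-oriented radio API.
    """
    raw = bits.replace(" ", gap)
    raw += "0" * (-len(raw) % 8)
    return bytes(int(raw[i:i + 8], 2) for i in range(0, len(raw), 8))


def airtime_seconds(bits, baud=250):
    """Seconds one packed frame occupies on air at the given symbol rate."""
    return len(pack(bits)) * 8 / baud


if __name__ == "__main__":
    sign = "KK1234"   # the call sign used in the post
    print(morse(sign))
    print(to_bits(sign))
    print("%d bytes, %.2f s on air" % (len(pack(to_bits(sign))), airtime_seconds(to_bits(sign))))
```

The packed bytes are what should be handed to a transmit call; the hand-typed string in the post is the readable form of the same bits, and `to_bits` lets you check the two agree before anything goes on air.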
  2. Ok! So here's what I found out so far.

     Yate and YateBTS is a software implementation of a GSM/GPRS radio access network that has the capability to convert GSM traffic to VoIP.

     GSM (Global System for Mobile Communications): in short, this is the technology being used to transmit and receive voice and text.

     GPRS (General Packet Radio Service) is a packet oriented mobile data service. This is how you get your Internet on a 2G or 3G cell network.

     GSM and GPRS are legacy now due to LTE (Long-Term Evolution) becoming the standard for all cell phones. It's old tech but it's still supported by most if not all modern cell phones.

     One advantage of GSM for the attacker is that you can set the base station to communicate everything in clear text. I like to think of this as being a downgrade attack, but TBH it was a struggle for me to make my cell authenticate with my base station. Seems like my phone preferred LTE over GSM, so go figure lol. I had to configure my phone manually to make it connect.

     Another advantage of configuring a base station to be unencrypted is that it keeps it legal for hams to broadcast on the 900 MHz ham band :3. You just need to have another radio running on the same band as your base station's downlink transmitting your call sign every 10 min in CW or RTTY. I'm using my Yard Stick One for that task.

     One limitation about using YateBTS is that any device that connects to the network will only exist in that network unless you configure outgoing SIP. When you connect to the base station your phone will be assigned a new phone number and will only be able to communicate with other devices on the network. Another downside about using a SIP service is that all outgoing calls will have a different phone number, which makes call backs difficult.

     For my transceiver I'm using a BladeRF X115. I love this thing, no complaints, it's been working like a dream! You can do the same with a USRP or LimeSDR (when they come out), you just need something that's full duplex. Below is a tutorial I used to install all the software needed to run the BladeRF.
     https://github.com/Nuand/bladeRF/wiki/Getting-Started%3A-Linux

     Installing Yate and YateBTS: I used the tutorial provided by Nuand (the company who makes the BladeRF).
     https://github.com/Nuand/bladeRF/wiki/Setting-up-Yate-and-YateBTS-with-the-bladeRF

     Last but not least, I used this tutorial to learn about the use and configuration of YateBTS. You have a choice of using a web UI or giving it commands through telnet. It also explains how to route your Internet traffic through YateBTS so your connected device will have GPRS capabilities. Kinda sad, but I got more satisfaction browsing the Internet through my own personal 3G network than seeing the web through fiber :/.
     https://blog.strcpy.info/2016/04/21/building-a-portable-gsm-bts-using-bladerf-raspberry-and-yatebts-the-definitive-guide/

     Future plans:
       • Find a SIP service so I can make phone calls and text messages outside of the local network.
       • Route the original phone numbers through SIP
       • Create personal SIM cards for my own network
       • ?????
       • Hack the Gibson

     This is barely scratching the surface of GSM poking. If you have any advice or questions about making a base station please let me know.

     Bonus points! Here's a paper about GSM surveillance that goes into greater detail about IMSI-catchers and using YateBTS to accomplish this.
     https://homepages.staff.os3.nl/~delaat/rp/2015-2016/p86/report.pdf
  3. I'm going to dive down the rabbit hole and make my own personal base station using a BladeRF and YateBTS. Has anyone else tried doing this?
     https://evilsocket.net/2016/03/31/how-to-build-your-own-rogue-gsm-bts-for-fun-and-profit/ (Not a good Tutorial)
     http://yatebts.com/
  4. Thanks! :3 The case and almost everything else I got was from Amazon. Here is a list of the parts I used.
       • https://www.amazon.com/gp/product/B00D5T2IHG/ref=oh_aui_detailpage_o02_s01?ie=UTF8&psc=1
       • https://www.amazon.com/gp/product/B0153R2A9I/ref=oh_aui_detailpage_o02_s00?ie=UTF8&psc=1
       • https://www.amazon.com/gp/product/B0129EBDS2/ref=oh_aui_detailpage_o04_s01?ie=UTF8&psc=1
       • https://www.amazon.com/gp/product/B00EDIQA1S/ref=oh_aui_detailpage_o04_s01?ie=UTF8&psc=1
       • https://www.amazon.com/gp/product/B01CD5VC92/ref=oh_aui_detailpage_o04_s01?ie=UTF8&psc=1
       • https://www.amazon.com/gp/product/B00ZQ4JQAA/ref=oh_aui_detailpage_o01_s01?ie=UTF8&psc=1
       • https://www.amazon.com/gp/product/B007POCIM2/ref=oh_aui_detailpage_o02_s01?ie=UTF8&psc=1
       • https://www.amazon.com/gp/product/B00CJG2ZYM/ref=oh_aui_detailpage_o04_s00?ie=UTF8&psc=1
       • https://www.amazon.com/gp/product/B01D0N79K2/ref=oh_aui_detailpage_o00_s00?ie=UTF8&psc=1
       • https://www.amazon.com/gp/product/B00VAIEAUM/ref=oh_aui_detailpage_o01_s00?ie=UTF8&psc=1
       • https://www.amazon.com/gp/product/B00XJDP12W/ref=oh_aui_detailpage_o01_s00?ie=UTF8&psc=1
  5. Also here's the screen shot of the source in question. I'm a newbie when it comes to determining wireless modulations but it looks like a form of OOK to me. Let me know if I'm wrong lol.

     Hard to say just from looking at a wave file. Can you upload an I/Q capture instead? I would recommend experimenting with different dip switch settings and comparing your captures against each other to see if you can find a pattern. For example, take a look at what it does with all the dip switches off vs. one of them on or all switches on. Not sure if you've seen this or not (might be great for the other guy who hasn't) but here's a video about reverse engineering transmitters.
     https://greatscottgadgets.com/sdr/8/

     Edit: I'm thinking Pulse-Code Modulation. https://en.wikipedia.org/wiki/Pulse-code_modulation
     Taking a stab, but it looks like 110101101110101101110101101101
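The "compare captures against each other" approach from the post above, as an added example that is not part of the original thread and uses no capture from the remote being discussed: a minimal pulse-width decoder for an OOK signal plus a helper that reports which bit positions differ between two decoded captures (for instance, all dip switches off vs. one switch on). The input is an amplitude envelope, one float per sample, which is what you get from |I+jQ| of an I/Q capture; the samples here are constructed by `synthesize`, and the function names are this example's own.

```python
# Added example: pulse-width (OOK/PWM) decoding of an amplitude envelope and
# a diff helper for comparing captures made under different switch settings.

def envelope_runs(samples, threshold=0.5):
    """Threshold the envelope and run-length encode it into (level, length) pairs."""
    runs = []
    for s in samples:
        level = 1 if s >= threshold else 0
        if runs and runs[-1][0] == level:
            runs[-1][1] += 1
        else:
            runs.append([level, 1])
    return [tuple(r) for r in runs]


def decode_pwm(samples, threshold=0.5, ratio=1.5):
    """Map each high pulse to a bit: wide pulse = 1, narrow pulse = 0.

    The narrow/wide cutoff is the midpoint between the narrowest and widest
    high pulse in the capture. If the widest pulse is less than `ratio` times
    the narrowest there is effectively only one pulse width, so this scheme
    does not apply and None is returned rather than a guess.
    """
    highs = [n for level, n in envelope_runs(samples, threshold) if level == 1]
    if not highs:
        return None
    narrow, wide = min(highs), max(highs)
    if wide < ratio * narrow:
        return None
    cutoff = (narrow + wide) / 2
    return "".join("1" if n > cutoff else "0" for n in highs)


def changed_positions(bits_a, bits_b):
    """Bit positions that differ between two decoded captures of equal length."""
    if bits_a is None or bits_b is None or len(bits_a) != len(bits_b):
        raise ValueError("captures must decode to bit strings of equal length")
    return [i for i, (a, b) in enumerate(zip(bits_a, bits_b)) if a != b]


def synthesize(bits, narrow=3, wide=6, gap=3, lead_gap=10):
    """Constructed envelope: 0 -> narrow pulse, 1 -> wide pulse, each followed by a gap."""
    out = [0.0] * lead_gap
    for b in bits:
        out += [1.0] * (wide if b == "1" else narrow)
        out += [0.0] * gap
    return out


if __name__ == "__main__":
    # Two constructed "captures" that differ in one switch position.
    off = decode_pwm(synthesize("10110"))
    on = decode_pwm(synthesize("10010"))
    print(off, on, "changed at", changed_positions(off, on))
```

On a real capture, set `threshold` to about half the peak envelope value and expect the pulse widths to cluster around two values (here 3 and 6 samples); if they cluster around three or more, the remote is not plain two-width PWM and the classification step needs more than one cutoff.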
  6. What's the FCC number for the remote you're trying to attack?
  7. For no real reason but to learn something new, I built a Raspberry Pi tablet with Kali and a couple of RTL-SDRs for radio monitoring. I'm naming this computer "Seirēn" because I think it's pretty and she's a killer lol. She's a work in progress, being that I need to see how it runs two RTLs, give it touch screen capabilities, give it sound, and paint the thing some dumb color like pink... More to come!
  8. Hi, the HackRF uses the osmocom Source block under the Sources tab to receive radio signals. If you want to transmit you will need to use the osmocom Sink under the Sinks tab. Mike Ossmann, the maker of the HackRF, made a few videos on how to use GRC with the HackRF if you want to learn more.
     https://greatscottgadgets.com/sdr/

     Also here's a tutorial on how to install GRC with the HackRF software if you want to run this on a bare metal Linux box. The live boot CD is great, but SDR takes up a lot of resources and you will get better performance on bare metal.
     https://mborgerson.com/getting-started-with-the-hackrf-one-on-ubuntu-14-04
  9. Just a thought, but you might be able to use up/down converters to shift over to another frequency band. Haven't seen it done before but it might be worth a try.
  10. Oh boy, ahh...
       • Black Hat Python
       • The Linux Command Line
       • The Hobbyist's Guide to the RTL-SDR
       • Practical Signal Processing
       • Mein Kampf
       • The Quran
       • The Count of Monte Cristo

     I have a bad habit of getting bored and then starting to read another book...
  11. That was one of the best READMEs I've ever read for open software. I found this when I was researching 802.11 modules for GNU Radio. I haven't given it a try yet, but you might be able to use this and change the frequencies.
     https://github.com/bastibl/gr-ieee802-11
  12. TBH I learned about finding your offset using Kal or comparing your signal to a known source after I bought the oscillator lol. (I'm dumb sometimes.) I got it anyway just to save myself the trouble in the future. The original writer of the GPS-SDR-SIM software stated that it can be done without the TCXO. I'll give it a try again and see if I can do this without the extra oscillator. :)
  13. Looks cool! I might consider this over getting a BladeRF, but I'll wait until it's successfully funded. Never played with radar before lol.
  14. -=UPDATE=-

     Success! I'm now a Bond villain! So here's what I did.

     I bought myself an external oscillator from eBay (link below) that advertised 0.5 PPM. No idea if it's actually 0.5 PPM, but I'll find out later when a buddy of mine lends me his frequency counter. This board attaches to the P22 GPIO header on the HackRF, making it act as the external clock. You can check the external clock by running...

         hackrf_si5351c -n 0 -r

     If it works, it will return "[ 0] -> 0x01". If no external clock is detected, it will return "[ 0] -> 0x51".

     To generate the signal file, I used a bit rate of 8 and downloaded an updated GPS broadcast ephemeris file (brdc1280.16n). You can download these files here.

         ./gps-sdr-sim -b 8 -e brdc1280.16n -l 40.712800,-74.005900,100

     To transmit:

         sudo hackrf_transfer -t gpssim.bin -f 1575420000 -s 2600000 -a 1 -x 0

     Being a good "citizen" I made a closed circuit with a USRP1 to use as my GPS receiver. I'm also using 51 dB worth of attenuators to keep the load from breaking the USRP1.

     eBay TCXO clock PPM 0.1-PPM 0.5 for hackrf one
  15. So, besides tricking the Sea Shadow from 007 Tomorrow Never Dies to sail into Chinese waters to obtain broadcasting rights in China... Has anyone else tried spoofing a GPS receiver? (BTW Mil GPS sats and receivers use encryption, which makes it a bit tricky to spoof; they can downgrade to a non-encrypted link, just in case you were wondering.)
     https://github.com/osqzss/gps-sdr-sim

     Currently I'm failing at this TBH. I'm using the HackRF as my SDR platform, and after doing some research I found that the oscillator has a tolerance of 20 PPM. This means while I'm transmitting at 1.57542 GHz my frequency deviates ±31508.4 Hz. This makes it a bit tricky finding the sweet spot to transmit on. I found that others had success with the HackRF when they added an external oscillator to set the timing to at least 1 PPM. While I wait for my oscillator to come in the mail I wanted to know if anyone else tried doing this.

     -=Disclaimer=- Don't be a jerk and keep it legal. Use a dead load or create a closed circuit to prevent interfering with others' GPS receivers.
  16. Yah, that was a good talk, I remember seeing that a while back. I just bought The Hobbyist's Guide to the RTL-SDR so I'm sifting through that book ATM.
  17. So... yah... The Maker/Hacker space that I'm a part of received a donation a while back of around $6K worth of Ettus Research SDR Peripherals and accompanying daughterboards... Like literally, these radios were sitting in a box for years now and no one wanted to play with them! Because I'm the resident subject matter expert on SDR for the club (which isn't saying much lol) I'm now responsible for these bad mama jamas. I'm sitting on 3 USRPs (1x USRP1, 2x USRP2s), 21x daughterboards with Tx/Rx frequency ranges of 1-2500 MHz, and a box full of accessories. The USRP2s and most of these daughterboards are legacy and there's no more support for them. I bet they can still do a thing.

     So my question to you guys is what fun "Activities" should I do with them? I'm trying to create a small demo to show off the capabilities to the club to create interest in SDR. My first thought was to build an OpenBTS base station on the ISM band, but the UHF daughterboards I'm working with (FLEX900) don't want to work. Another idea I had was to create an RX time share and host it on the club's website, but that might be a while before that's portable. I'm open to ideas.

     Here's the list of what we have.
       • 1X USRP1
       • 2X USRP2
       • 2X BasicTX 1-250MHz Tx
       • 3X TX Daughterboard 1-250MHz Tx
       • 2X FLEX2400 2400-2500MHz Tx/Rx
       • 2X FLEX400 400-500MHz Tx/Rx
       • 2X FLEX900 750-1050MHz Tx/Rx
       • 2X DBSRX 800-2400MHz Rx
       • 2X DBSRX-LF 800-2400MHz Rx
       • 3X RX Daughterboard 1-250MHz Rx
       • 2X BasicRX 1-250MHz Rx
       • 1X TV Tuner
  18. Cool! I'm learning Java on the fly now and I was curious. Is there an easy way to import the value of the IP address of 'br-lan'? I.e. like a global variable that's normal for OpenWrt systems. Or would you suggest I create a function to pull the IP address from the system or from the config file itself? Thanks!
  19. Okay, so I found some conflicts with some of the modules when I changed the Pineapple's IP. This is only a temp fix and I'll try to find a way to make the change with the system's IP address. (I don't know how to code in Java)

     DWall has the default IP address hard coded in /pineapple/modules/DWall/js/module.js. I just commented out what defined the WebSocket and copied it with the updated IP address.

         $scope.startWS = (function() {
             $scope.throbber = true;
             // $scope.ws = new WebSocket("ws://172.16.42.1:9999/");
             $scope.ws = new WebSocket("ws://10.0.0.1:9999/");
             $scope.ws.onerror = (function() {
                 $scope.ws.onclose = (function() {});
                 $scope.startWS();
                 // ... rest of the handler unchanged
             });
             // ... rest of startWS unchanged
         });

     If there's a better way please let me know. Hope this helps!
  20. Not sure if this is true or not, but it looks like the dhcp file under /etc/config makes a call for 'lan' which I assume is being called from the network file. I'm new to OpenWrt so I'm most likely wrong lol.

     -=dhcp=-

         config dhcp lan
             option interface lan
             option start 100
             option limit 150
             option leasetime 12h

     When I connected to the Pineapple, the DNS seemed to work just fine. I was able to browse the Internet without any problems. I'll test it more and see if I can find anything tomorrow.
  21. Hi, I didn't see any posts on how to change the WiFi Pineapple IP address on the forum. It took me a while to figure this out, so I wanted to make this quick how-to for those who don't know how.

     1.) Connect to your Pineapple via SSH (Secure Shell)

         ssh root@172.16.42.1

     2.) Edit the network file under /etc/config using vim or nano.

         nano /etc/config/network

     3.) Under config interface 'lan' edit option ipaddr, netmask, and gateway to your settings. (Make sure your ipaddr and gateway are in the same subnet)

         config interface 'lan'
             option ifname 'eth0'
             option type 'bridge'
             option proto 'static'
             option ipaddr '10.0.0.1'        #172.16.42.1 is default
             option netmask '255.255.255.0'
             option gateway '10.0.0.42'      #172.16.42.42 is default
             option dns '8.8.8.8, 8.8.4.4'

     4.) Save the file, reboot your WiFi Pineapple, and reconnect to it using your brand new IP address.

     Hope this helps! If there's a better way to do this please let me know. ^_^
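The "make sure your ipaddr and gateway are in the same subnet" check from the how-to above, and the question in the dhcp post about whether `option interface lan` refers to the network file's 'lan' section, as one added example. This is not code from the original posts or from OpenWrt: it is a small parser for UCI-style config text plus two sanity checks run before rebooting the Pineapple into a config that cannot be reached. The `SAMPLE_NETWORK` and `SAMPLE_DHCP` strings are constructed from the values in the posts, and the function names (`parse_uci`, `check_lan`, `check_dhcp`, `dns_servers`) are this example's own.

```python
# Added example: parse UCI config text and sanity-check a static 'lan' setup
# (ipaddr/netmask/gateway consistency) plus the DHCP pool that refers to it.
import ipaddress
import re
import shlex

# Constructed samples based on the values in the posts (not a real device dump).
SAMPLE_NETWORK = """\
config interface 'lan'
    option ifname 'eth0'
    option type 'bridge'
    option proto 'static'
    option ipaddr '10.0.0.1'        #172.16.42.1 is default
    option netmask '255.255.255.0'
    option gateway '10.0.0.42'      #172.16.42.42 is default
    option dns '8.8.8.8, 8.8.4.4'
"""

SAMPLE_DHCP = """\
config dhcp lan
    option interface lan
    option start 100
    option limit 150
    option leasetime 12h
"""


def parse_uci(text):
    """Parse UCI text into {section_name: {option: value, ".type": type}}.

    Handles 'config <type> [name]' headers, 'option k v' and 'list k v' (list
    values are collected into a Python list). Trailing '#' comments are dropped
    by shlex. Anonymous sections are named <type>_<index>.
    """
    sections, current, anon = {}, None, 0
    for line in text.splitlines():
        parts = shlex.split(line, comments=True)
        if not parts:
            continue
        if parts[0] == "config" and len(parts) >= 2:
            name = parts[2] if len(parts) > 2 else "%s_%d" % (parts[1], anon)
            anon += 1
            current = sections.setdefault(name, {".type": parts[1]})
        elif parts[0] == "option" and current is not None and len(parts) >= 3:
            current[parts[1]] = parts[2]
        elif parts[0] == "list" and current is not None and len(parts) >= 3:
            current.setdefault(parts[1], []).append(parts[2])
    return sections


def dns_servers(section):
    """Split the dns option (space or comma separated, or a UCI list) into addresses."""
    raw = section.get("dns", "")
    if isinstance(raw, list):
        raw = " ".join(raw)
    return [s for s in re.split(r"[,\s]+", raw) if s]


def check_lan(net, name="lan"):
    """Return a list of problems with a static interface section; [] means OK."""
    lan = net.get(name)
    if lan is None:
        return ["no interface section named '%s'" % name]
    problems = []
    if lan.get("proto") != "static":
        problems.append("proto is not 'static'")
    try:
        iface = ipaddress.IPv4Interface("%s/%s" % (lan["ipaddr"], lan["netmask"]))
    except (KeyError, ValueError) as exc:
        return problems + ["bad ipaddr/netmask: %s" % exc]
    gw = lan.get("gateway")
    if gw:
        try:
            gw_addr = ipaddress.IPv4Address(gw)
        except ValueError:
            problems.append("gateway '%s' is not an IPv4 address" % gw)
        else:
            if gw_addr not in iface.network:
                problems.append("gateway %s is outside %s" % (gw, iface.network))
            elif gw_addr == iface.ip:
                problems.append("gateway is the same as ipaddr")
    for server in dns_servers(lan):
        try:
            ipaddress.IPv4Address(server)
        except ValueError:
            problems.append("dns entry '%s' is not an IPv4 address" % server)
    return problems


def check_dhcp(net, dhcp):
    """Check that each dhcp section names a known interface and its pool fits the subnet."""
    problems = []
    for name, sec in dhcp.items():
        if sec.get(".type") != "dhcp" or "interface" not in sec:
            continue
        lan = net.get(sec["interface"])
        if lan is None or "ipaddr" not in lan or "netmask" not in lan:
            problems.append("dhcp '%s' refers to unknown or incomplete interface '%s'"
                            % (name, sec["interface"]))
            continue
        network = ipaddress.IPv4Interface("%s/%s" % (lan["ipaddr"], lan["netmask"])).network
        start, limit = int(sec.get("start", 100)), int(sec.get("limit", 150))
        first = network.network_address + start
        last = first + limit - 1
        if last >= network.broadcast_address:
            problems.append("dhcp '%s' pool %s-%s overflows %s" % (name, first, last, network))
    return problems


if __name__ == "__main__":
    net, dhcp = parse_uci(SAMPLE_NETWORK), parse_uci(SAMPLE_DHCP)
    print("lan problems:", check_lan(net) or "none")
    print("dhcp problems:", check_dhcp(net, dhcp) or "none")
```

Feeding the real `/etc/config/network` and `/etc/config/dhcp` contents to `parse_uci` instead of the samples gives the same checks on a live device; the gateway check is the one that catches the "reboot and lose the box" mistake the how-to warns about.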
  22. Hey, I'm NotPike, also known as Pike!
       • Favourite OS: Ubuntu
       • Sex: Male
       • Favourite book: Fahrenheit 451
       • Favourite author: Ray Bradbury
       • Favourite movie: The Matrix
       • Favourite Comedian: Bill Burr
       • Other hobbies: Gun Smithing, Shooting, Camping
       • Occupation: Tree Lord