
IoT Radio Communication Attack – Part 3

This is part 3 of a series titled “IoT – Radio Communication Attack”. I hope you have read part one and part two; if you haven’t, please go through them first. I hope you have installed the GNU Radio Companion (hereafter GRC) software on your laptop. Also, if you wish, you can use Pentoo OS as mentioned in the last post.

What we will learn

– In this post I will explain how to build an FM radio receiver with GRC and an RTL-SDR. This is the groundwork for the radio communication attacks in the coming parts: the same blocks that decode a broadcast station decode an IoT device’s transmissions.

What is GRC – GNU Radio is an open source software development toolkit that provides signal processing blocks for building software-defined radios; GRC (GNU Radio Companion) is its graphical front end, in which you build a flowgraph by wiring those blocks together. More information can be found here – https://wiki.gnuradio.org/index.php/What_is_GNU_Radio%3F and for guided tutorials see – https://wiki.gnuradio.org/index.php/Guided_Tutorials .


It looks like this (screenshot of the GRC window) –

As seen above, it contains 3 main components –

– Workspace – the middle area, where blocks such as Options and Variable are placed.
– Blocks – the panel on the right, listing block categories such as OFDM, WX GUI Notebook, FFT and Graphical Sinks.
– Messages – the panel at the bottom, showing text such as “Welcome to GNU Radio Companion…”.
Overview of FM signal demodulation – Suppose you want to listen to FM on your mobile. You launch the FM app, tune it to a specific channel and listen to a song.

But what’s going on in the background?

Your mobile phone has a receiver that picks up the FM signal. The received signal is modulated: the audio has been impressed on a carrier, and it must be demodulated first to get the audio back. People often compare this to decrypting encrypted data, but note the difference: modulation hides nothing, and anyone with a receiver can demodulate it. Once demodulated, the audio is passed to the audio chip for playback. An audio chip does not accept audio at an arbitrary sample rate. The standard supported sample rates are 16 kHz, 22.05 kHz, 24 kHz, 32 kHz, 44.1 kHz and 48 kHz. So after demodulation the audio must be brought to one of these sample rates before it is passed to the audio chip. If it is not, the audio device refuses to open at that rate and the player simply reports an error (in GRC, the Audio Sink block fails). So the signal obtained after demodulation must end up at one of the sample rates mentioned above. I hope the song playback process is clear.

Plug the RTL-SDR into one of the USB ports. To check that it has been detected, run the rtl_test command (installed with the rtl-sdr tools). If you see output like the one shown below, starting with “Found 1 device(s):” and the tuner type, the RTL-SDR has been detected and is ready to use.

Press Ctrl+C to stop the test.

Now start GRC using “gnuradio-companion” command as shown below –

GRC GUI is shown below

By default it has 2 blocks – Options and Variable. In Options, Generate Options is set to QT GUI, and in the Variable block the Id is samp_rate and the Value is 32k, i.e. 32000. It’s like declaring a variable in a programming language as a=20, where “a” is the id and 20 is the value. In our case, samp_rate is the variable and 32000 is its value. Double click on the samp_rate variable and change the value to 1.5M, i.e. 1,500,000 (you can type 1.5e6). The RTL-SDR samples reliably at up to about 2.4M samples per second, so 1.5M is a safe choice.

Double click on the Options block and change Generate Options to WX GUI as shown below. (WX GUI exists only in GNU Radio 3.7; it was removed in 3.8. On a newer install, leave QT GUI selected and use the QT GUI versions of any sink blocks; the rest of this post is unchanged.)

To add a block, click the search icon (the magnifying glass) and type the block name. Locate the RTL-SDR Source block and drag it into the workspace. If there is no RTL-SDR Source in your GRC, it is because the block comes from the gr-osmosdr package, which is installed separately (on Debian/Ubuntu: apt install gr-osmosdr, then restart GRC). Alternatively, use Pentoo OS, which ships with all of the above already installed.

So we have the RTL-SDR source to the workspace as shown below –

You may be wondering why we need the RTL-SDR Source block. The RTL-SDR dongle digitizes everything around the tuned frequency, including the FM station, and the RTL-SDR Source block is how those samples enter the flowgraph. It is the only block in this flowgraph that talks to hardware; everything after it is software.

Double click on the RTL-SDR source block and you should see the following values ​​as shown below –

93.5 is the FM station frequency in MHz; the Ch0: Frequency field takes Hz, so enter 93.5e6 (93,500,000). 93.5 FM works fine in my country; set it to a station that broadcasts where you are. The Sample Rate field is set to the samp_rate variable, which we already set to 1.5M, i.e. 1,500,000, so the RTL-SDR delivers 1.5M samples per second.

Similarly, add the other blocks and connect them into the flowgraph with the values shown in the screenshot below –
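The same flowgraph written as the Python script that GRC generates behind the scenes, with a rate-plan check to run before starting it. This is an added example, not code from the original post: the block parameters are the values given in this post, while the Low Pass cutoff (75 kHz, half the decimated rate), the RF gain (20 dB) and the osmosdr device string are assumptions.

```python
"""Added example: the post's GRC flowgraph as the Python that GRC generates,
plus a rate-plan check to run before starting it. Values marked
'assumption' are not from the post."""

SAMP_RATE = 1_500_000      # samp_rate variable (1.5M)
CENTER_FREQ = 93.5e6       # 93.5 MHz, the station used in the post
LPF_CUTOFF = 75e3          # assumption: half the decimated rate, the most the Low Pass may keep
LPF_TRANSITION = 10e3      # transition width from the post
LPF_DECIM = 10             # Low Pass decimation
AUDIO_DECIM = 10           # WBFM Receive audio decimation
INTERP, DECIM = 48, 15     # Rational Resampler interpolation / decimation
AUDIO_SINK_RATES = (16000, 22050, 24000, 32000, 44100, 48000)  # rates the post lists as supported


def check_rate_plan(samp_rate=SAMP_RATE, lpf_cutoff=LPF_CUTOFF, lpf_decim=LPF_DECIM,
                    audio_decim=AUDIO_DECIM, interp=INTERP, decim=DECIM):
    """Return the sample rate entering each block, raising ValueError on the
    mistakes that make a GRC FM flowgraph silent or garbled: a decimation
    that is not a whole number, a Low Pass cutoff that would alias after
    decimation, and a sink rate the sound card refuses."""
    if samp_rate % lpf_decim:
        raise ValueError("samp_rate %d is not a multiple of Low Pass decimation %d" % (samp_rate, lpf_decim))
    quad_rate = samp_rate // lpf_decim
    if lpf_cutoff > quad_rate / 2:
        raise ValueError("Low Pass cutoff %g Hz exceeds half the decimated rate (%g Hz): aliasing"
                         % (lpf_cutoff, quad_rate / 2))
    if quad_rate % audio_decim:
        raise ValueError("quadrature rate %d is not a multiple of audio decimation %d" % (quad_rate, audio_decim))
    audio_rate = quad_rate // audio_decim
    if (audio_rate * interp) % decim:
        raise ValueError("Rational Resampler %d/%d gives a non-integer rate from %d" % (interp, decim, audio_rate))
    sink_rate = audio_rate * interp // decim
    if sink_rate not in AUDIO_SINK_RATES:
        raise ValueError("Audio Sink rate %d is not one the sound card accepts %s" % (sink_rate, AUDIO_SINK_RATES))
    return {"rtl_sdr_source": samp_rate, "low_pass": samp_rate, "wbfm_receive": quad_rate,
            "rational_resampler": audio_rate, "audio_sink": sink_rate}


def rate_plan_error(**overrides):
    """Same check, but returns the error text instead of raising (None if the plan is fine)."""
    try:
        check_rate_plan(**overrides)
    except ValueError as exc:
        return str(exc)
    return None


def build_receiver(rtl_args="numchan=1 rtl=0", rf_gain_db=20):
    """Assemble the flowgraph with the GNU Radio API. gnuradio and gr-osmosdr are
    imported inside the function so the rate check above also works on a machine
    without them; rtl_args and rf_gain_db (20 dB) are assumptions."""
    from gnuradio import analog, audio, gr
    from gnuradio import filter as grfilter
    from gnuradio.filter import firdes
    import osmosdr

    rates = check_rate_plan()
    tb = gr.top_block()
    src = osmosdr.source(args=rtl_args)               # RTL-SDR Source
    src.set_sample_rate(rates["rtl_sdr_source"])
    src.set_center_freq(CENTER_FREQ)
    src.set_gain(rf_gain_db)
    lpf = grfilter.fir_filter_ccf(                    # Low Pass, decimation 10
        LPF_DECIM, firdes.low_pass(1.0, rates["low_pass"], LPF_CUTOFF, LPF_TRANSITION))
    demod = analog.wbfm_rcv(quad_rate=rates["wbfm_receive"], audio_decimation=AUDIO_DECIM)
    resamp = grfilter.rational_resampler_fff(interpolation=INTERP, decimation=DECIM)
    sink = audio.sink(rates["audio_sink"])            # Audio Sink at 48 kHz
    tb.connect(src, lpf, demod, resamp, sink)
    return tb


if __name__ == "__main__":
    tb = build_receiver()
    tb.start()
    input("Receiving %.1f MHz, press Enter to stop\n" % (CENTER_FREQ / 1e6))
    tb.stop()
    tb.wait()
```

Run the script on a machine with GNU Radio and gr-osmosdr installed and the dongle plugged in; check_rate_plan() runs first and refuses configurations such as a resampler of 48/16 (45 kHz, which the sound card will not open) or a Low Pass cutoff above 75 kHz (which aliases after the decimation by 10).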

Let’s look at the role of each block and understand how it processes the signal.

Low Pass – The RTL-SDR Source produces complex (I/Q) samples at 1.5M samples per second. Every block downstream would have to process that rate, which costs CPU for no benefit, since one FM station occupies only about 200 kHz of that 1.5 MHz. So the sample rate is reduced: the output is passed through a low-pass filter that keeps only the band around the tuned station, and with a decimation of 10 only every 10th filtered sample is kept. Two words come up constantly here: decimation means lowering the sample rate by an integer factor (keep one sample in N), and interpolation means raising it (insert N-1 new samples between each pair). Decimating 1.5M by 10 gives an output rate of 150,000 samples per second. The transition width of 10k, i.e. 10,000 Hz, sets how sharply the filter rolls off from passband to stopband; a narrower transition needs more filter taps and therefore more CPU. The filtering before decimation is not optional: with complex samples the usable bandwidth equals the sample rate, so anything beyond ±75 kHz that is not filtered out would alias back into the channel after decimation. The cutoff frequency must therefore be at or below 75 kHz.

WBFM Receive – This block does the actual demodulation. Its Quadrature rate is the sample rate of the signal it receives from the Low Pass, i.e. 150,000. It measures the phase advance between consecutive samples, which is proportional to the instantaneous frequency and therefore to the audio, and then low-pass filters and decimates the result. With an Audio decimation of 10, the output rate is 150000/10 = 15,000 samples per second, i.e. 15k. That is what would go to the audio chip next. Two caveats on these numbers: a quadrature rate of 150 kHz can represent at most ±75 kHz of frequency swing, which is exactly the peak deviation of broadcast FM, so loud passages sit right at the edge (250k to 500k is more comfortable), and a 15k audio rate can only carry audio up to 7.5 kHz, so the result is intelligible rather than hi-fi.

Rational Resampler – The audio chip, as mentioned above, accepts only specific sample rates, and 15k is not one of them. We will feed it 48k, i.e. 48000, so the 15,000 samples per second from WBFM Receive must be converted to 48,000. This is done with the Rational Resampler, set to an interpolation of 48 and a decimation of 15: it interpolates by 48 (raising the rate to 720,000), low-pass filters to remove the images that interpolation creates, and then keeps every 15th sample. The output rate is 15000 × 48 / 15 = 48,000, i.e. 48k. (The arithmetic is easiest to see as 15000/15 = 1000, then 1000 × 48 = 48000; the block itself interpolates first so that no information is lost.)

Audio Sink – This block plays the audio. The 48k output of the Rational Resampler is fed to the Audio Sink, whose Sample Rate parameter must be set to 48000 to match, and the song is played through the laptop’s sound card.
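To see what each of the four blocks actually computes, here is the same chain done by hand in pure Python, with the post’s rates (1.5M → 150k → 15k → 48k). This is an added example and not code from the post or from GNU Radio: the input is a constructed I/Q capture (one station carrying a 1 kHz tone at 50 kHz deviation, plus an unmodulated neighbour 400 kHz away), the filters are simple windowed-sinc FIRs standing in for firdes.low_pass, and the tap counts and cutoffs are choices made for this example.

```python
"""Added example: the Low Pass, WBFM Receive and Rational Resampler blocks of the
GRC FM receiver done by hand in pure Python, at the rates the post uses.
The input is a constructed I/Q signal, not an RTL-SDR recording."""
import cmath
import math

RF_RATE = 1_500_000                         # samp_rate (RTL-SDR Source output)
LPF_DECIM = 10                              # Low Pass decimation
QUAD_RATE = RF_RATE // LPF_DECIM            # 150 kHz into WBFM Receive
AUDIO_DECIM = 10                            # WBFM Receive audio decimation
AUDIO_RATE = QUAD_RATE // AUDIO_DECIM       # 15 kHz out of WBFM Receive
INTERP, DECIM = 48, 15                      # Rational Resampler
SINK_RATE = AUDIO_RATE * INTERP // DECIM    # 48 kHz into Audio Sink
MAX_DEV = 75_000                            # wbfm_rcv scales its output for 75 kHz peak deviation


def make_fm_iq(tone_hz=1000, deviation=50_000, seconds=0.02, interferer_hz=400_000):
    """Constructed baseband I/Q: one FM station carrying a single tone, plus an
    unmodulated carrier 400 kHz away (a neighbouring station) that the Low Pass
    must remove before decimation, or it would alias into our channel."""
    phase = 0.0
    iq = []
    for i in range(int(RF_RATE * seconds)):
        t = i / RF_RATE
        # FM: instantaneous frequency = deviation * audio(t); integrate it to get phase
        phase += 2 * math.pi * deviation * math.sin(2 * math.pi * tone_hz * t) / RF_RATE
        iq.append(cmath.exp(1j * phase) + 0.5 * cmath.exp(2j * math.pi * interferer_hz * t))
    return iq


def low_pass_taps(rate, cutoff, ntaps):
    """Hamming-windowed sinc low-pass with unity DC gain (stand-in for firdes.low_pass)."""
    mid = (ntaps - 1) / 2
    taps = []
    for i in range(ntaps):
        n = i - mid
        sinc = 2 * cutoff / rate if n == 0 else math.sin(2 * math.pi * cutoff * n / rate) / (math.pi * n)
        taps.append(sinc * (0.54 - 0.46 * math.cos(2 * math.pi * i / (ntaps - 1))))
    total = sum(taps)
    return [t / total for t in taps]


def fir_decimate(x, taps, decim):
    """FIR filter that computes only every decim-th output sample,
    which is exactly what a Low Pass block with Decimation=decim does."""
    out = []
    for n in range(len(taps) - 1, len(x), decim):
        out.append(sum(t * x[n - k] for k, t in enumerate(taps)))
    return out


def quadrature_demod(x, quad_rate, max_dev=MAX_DEV):
    """The core of WBFM Receive: the phase advance between consecutive samples is
    proportional to the instantaneous frequency, i.e. to the audio. quad_rate must be
    at least 2*max_dev, otherwise the phase step can exceed pi and wrap."""
    gain = quad_rate / (2 * math.pi * max_dev)
    return [gain * cmath.phase(x[n] * x[n - 1].conjugate()) for n in range(1, len(x))]


def rational_resample(x, in_rate, interp, decim):
    """Rational Resampler: zero-stuff by interp, low-pass at the raised rate,
    keep every decim-th sample. Output rate = in_rate * interp / decim."""
    out_rate = in_rate * interp / decim
    taps = [interp * t for t in low_pass_taps(in_rate * interp, min(in_rate, out_rate) / 2, 8 * interp)]
    out = []
    for m in range(len(x) * interp // decim):
        p = m * decim                      # position in the zero-stuffed stream
        acc = 0.0
        for k, t in enumerate(taps):
            i = p - k
            if i < 0:
                break
            if i % interp == 0:            # only the original samples are non-zero
                acc += t * x[i // interp]
        out.append(acc)
    return out


def fm_receive(iq):
    """Run the chain in GRC block order and return audio at SINK_RATE."""
    # Low Pass: cutoff at half the decimated rate so nothing aliases, then decimate by 10
    baseband = fir_decimate(iq, low_pass_taps(RF_RATE, QUAD_RATE / 2, 151), LPF_DECIM)
    # WBFM Receive: quadrature demod, then audio low-pass and decimate by 10
    demod = quadrature_demod(baseband, QUAD_RATE)
    audio_15k = fir_decimate(demod, low_pass_taps(QUAD_RATE, 0.8 * AUDIO_RATE / 2, 101), AUDIO_DECIM)
    # Rational Resampler 48/15: 15 kHz -> 48 kHz, the rate the Audio Sink is set to
    return rational_resample(audio_15k, AUDIO_RATE, INTERP, DECIM)


def dominant_frequency(samples, rate, step_hz=100, max_hz=5000):
    """Brute-force single-bin DFT scan: the frequency carrying the most energy."""
    best_f, best_mag = 0, -1.0
    for f in range(step_hz, max_hz + 1, step_hz):
        w = -2j * math.pi * f / rate
        mag = abs(sum(s * cmath.exp(w * n) for n, s in enumerate(samples)))
        if mag > best_mag:
            best_f, best_mag = f, mag
    return best_f


def peak_amplitude(samples, skip=50):
    """Peak of the audio after dropping the filter start-up and tail transients."""
    return max(abs(s) for s in samples[skip:-skip])


if __name__ == "__main__":
    audio = fm_receive(make_fm_iq())
    print("rates: %d -> %d -> %d -> %d" % (RF_RATE, QUAD_RATE, AUDIO_RATE, SINK_RATE))
    print("recovered tone: %d Hz, peak %.3f (50k/75k = 0.667 expected)"
          % (dominant_frequency(audio, SINK_RATE), peak_amplitude(audio)))
```

The recovered audio is the 1 kHz tone at amplitude 50k/75k, the same scaling wbfm_rcv applies, and the neighbouring carrier leaves no trace because the Low Pass removed it before the decimation could fold it into the channel. Remove the low-pass (replace the first fir_decimate with iq[::10]) and the interferer aliases to 50 kHz inside the channel and corrupts the demodulated audio; that is the failure the filter-before-decimate rule prevents.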

So this is how an FM signal is demodulated in GRC. It also gives an idea of what happens in the background when you play a station in GQRX. I hope this is clear; if you have any doubt please comment.

Now you are aware of digital signal processing and its concepts, in the next section I will explain how to analyze radio communication using some real IoT devices.

Stay tuned.

