Carriers Everywhere

I’m very proud to join the GNU Radio core developers to work mainly on runtime related issues.

Looks like, with this, I have unlocked several new buttons on GitHub. I will try to use them with care :-) And, of course, give my best to make GNU Radio even better than it is today.

I just received the reviews of my application for the EDGE Fellowship, which would allow me to spend two years at Linda Doyle’s research group at the CONNECT centre, associated with Trinity College Dublin.

The peer-reviews of my proposal were quite positive and I made it to the final round. The next step is a 30 minutes interview in person or via Skype.

Keep you fingers crossed :-)

When playing around with wireless mobile traffic lights, I also thought about options to transmit on the VHF and UHF bands. I remembered that I bought a Baofeng that I never actually used. Turns out, this radio is exactly what I was looking for, as it

  • supports RX/TX on 136-174MHz and 400-520MHz
  • is cheap (25 EUR)
  • is portable

Furthermore, it has a line-in for an external microphone, which allows connecting the radio to the PC. There is quite some information available on how to do that properly. (I plugged it directly into the PC and it worked, but maybe it was plain luck that I didn’t fry my sound card. Most people recommend decoupling the circuits.)

To disable push-to-talk and automatically transmit when a signal is sent from the PC, you have to enable the VOX option.

As a proof-of-concept, I created a web GUI that allowed me to toggle the traffic lights in the browser. In response, the web server sent UDP frames to a GNU Radio flow graph, which created an audio signal.

Overall, the process looked as follows:
Browser → Web Server → UDP → GNU Radio → Audio Sink → Line-out → Baofeng

I just came back from some very nice days in Brussels. On Thursday and Friday, I joined the DARPA SDR Hackfest, which was all about characterization and detection of incidental interference sources. Unfortunately, I was one day late and missed the discussion and teaming phase. I, therefore, did not contribute to the actual hacking, but, nevertheless, had some very nice days.

It was a great get-together and DARPA was an fantastic host. For the hackfest, they booked the top floor of The Hotel, where we had an awesome view over Brussels.

On Saturday, there was a very dense and interesting program in the SDR DevRoom of FOSDEM 2017. During the whole day, people were queuing in front of the door. I also gave a short talk about me playing around with mobile wireless traffic lights.

Apart from that, I was very proud to be invited to the SDR panel on Which are the top 3 challenges for free software radio?. I don’t know if I had much to contribute, since the other panelists were so much more experienced than me. They were Francois Quitin (Prof. in Brussels), Ben Hilburn (Head of GNU Radio), and Tom Rondeau (DARPA Program Manager). Anyhow, I’m very grateful for this awesome experience.

Recently, I came across Mathy Vanhoef’s amazing work on advanced WiFi attacks. He modified the firmware of off-the-shell WiFi cards from Atheros to implement constant and reactive jamming.

Fortunately, Mathy released the code under an Open Source license and even prepared a VM with everything pre-installed. The firmware modifications are compatible with three different types of WiFi cards, two out of which are available on Amazon and Ebay. Of all things, the only card that supports both the 2.4GHz band and the 5GHz band seems to be very hard to get.

To implement reactive jamming he had to use a little trick: The WiFi card consists of a transceiver chip and micro controller. When the transceiver receives a frame it writes it to memory that is shared with the micro controller. For reactive jamming, firmware of the micro controller is changed to busy wait for decoded data from the transceiver.

Once the first bytes are decoded, the firmware matches fields like the frame type or the MAC address to predefined patterns. If the frame is supposed to be jammed, the firmware aborts reception and triggers transmission of an interfering frame, jamming the signal.

Of course, there is some delay between detection of the frame to sending the jam signal. And, in fact, it turns out to be too high to jam, for example, acknowledgment frames (ACKs). Anyhow, I found it pretty amazing that it is possible in the first place. Furthermore, if you have fixed sized frames, it is possible to work around the limitation by detecting the data frame and delaying the jam signal until the ACK is sent. That worked surprisingly well.

Mathy Vanhoef and Frank Piessens, “Advanced Wi-Fi Attacks Using Commodity Hardware,” Proceedings of 30th Annual Computer Security Applications Conference, New Orleans, LA, December 2014, pp. 256-265. [DOI, BibTeX, Details…]

Recently, I helped a colleague to get a basic Visible Light Communications (VLC) experiment up and running. I was really surprised how straightforward that went.

We used two Ettus Research N210 with LFTX/LFRX daughterboards, an off-the-shelf photo diode and a custom LED driver that converts the output voltage to a corresponding current.

I tried my GNU Radio IEEE 802.15.4 transceiver and my car key fob transceiver. Both worked out of the box. To be honest, I’m not completely sure why O-QPSK worked – but hey, not my department :-)

Just to be clear, every time the LED switches on, it transmits a whole frame. For IEEE 802.15.4 that was a chip rate of 2Mcps with a data rate of 250kbps.

During the last year, I was happy to serve as the Publication Chair of IEEE VNC 2016. Since everything is done now, I wanted to write down some notes and anecdotes.

  • The most interesting part, for me, was to have a look behind the curtain, i.e., being in the loop when the General Chairs and the TPC discussed the conference. Now, I have at least a bit of an idea how a conference is organized.

  • It was really fun to work close with people I didn’t know too good before. It was very productive and, I think, I learned a lot about professional communication.

  • VNC uses EDAS, a popular conference management system. It was great to unlock some more menus and get a better understanding of how it works. I only knew it from the perspective of an author.

    However, I found the role of a publication chair to be extremely restrictive. In fact, I didn’t have the required permissions to do many of the things that people considered to be my job.

  • VNC is sponsored and co-organized by IEEE, but that doesn’t have anything to do with the proceedings. Conference organization and publications seem to be two separate things. That means, the conference has still to be registered for potential inclusion in IEEE Xplore. This is done by submitting a Conference Publication Form to apply for a Letter of Acquisition.

    read more

Today, I visited the German Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik) to present some ideas for IEEE 802.11p device fingerprinting and discuss potential privacy issues in Vehicular Ad Hoc Networks.

It was a really nice and constructive meeting. Let’s see if we can use GNU Radio and my WiFi Transceiver to extract some physical layer features from typical devices.

Let’s talk about GNU Radio’s build system, because it seems to get more and more cluttered over time. If things don’t work, people just add stuff until it finally compiles – on Ubuntu. And maybe some other distros.

Let’s, for example, look at the includes:


LOG4CXX_INCLUDE_DIRS is never defined. So some lines below someone made another attempt:


It’s not added to the above list (where it would be obvious that something goes wrong), but added as a new statement. OK. At least, we managed to included log4cpp in UHD. Makes a lot of sense, because UHD uses log4cpp, right?

Nope. UHD uses GNU Radio runtime, which in turn uses log4cpp.

Woot?!?! But it already included ${GNURADIO_RUNTIME_INLCUDE_DIRS}.

Yes, but that’s basically just another name for gnuradio-runtime/include, i.e., the definition is not really helpful and doesn’t provide dependency tracking whatsoever.

read more

Yay! My FOSDEM talk was just accepted. In February, I will talk about Receiving Wireless Mobile Traffic Lights. The preliminary abstract reads like:

Wireless mobile traffic lights are often used to secure construction sites when roads are partially blocked. Some day, when a pair of them was placed close to our home, I set off to explore how they are working. In this talk, I will describe how I used a cheap RTL-SDR together with GQRX, Inspectrum, and GNU Radio to reverse engineer the modulation and frame format of different types of wireless traffic lights. With some patience, I could also make some sense out of the bits. In particular, I was able to extract the signal state and display it in a web interface, mirroring the traffic light. A closer look at the frame format and the apparent absence of any authentication might leave one with a bit of a worrying impression regarding the security of those systems.

The days before FOSDEM, there will also be a Hackfest sponsored by DARPA. Hope to see you in Brussels.