Motivated by a recent issue on GitHub, I looked into using Scapy with my GNU Radio WLAN Transceiver.

Scapy is a Python packet manipulation tool that can be interesting for penetration testing. It can, for example, be used to create deauth frames or frames with random payload to fuzz a WLAN stack. Using Scapy in combination with the GNU Radio WLAN transceiver can be interesting since you can be sure that the frame is sent as is, i.e., that no chip/firmware/driver is mangling the payload.

To use Scapy, I extended the transmit flow graph with a Socket PDU block that is attached directly to the PHY.

In Python world, I use Scapy to create a WLAN beacon. Some fields are defined, some are set randomly by the Scapy’s fuzz function. (The CRC function is a very ugly hack…)

I just talked about hacking vehicular networks at Hackaday Uncon in Dublin, a meeting of the hacker/maker community. I enjoyed many presentations today – it’s really amazing what people are working on. My favorite talks were about a self-made electric motor bike and the security of smart meters.

I presented OpenC2X, a full Open Source communication stack for IEEE 802.11p, i.e., WLAN for cars. It was recently ported to OpenWrt, allowing it to run on a 30EUR AP. This makes it accessible for everyone. Think of it as a WiFi Pineapple for vehicular networks.

Here, you can see a TP-Link WDR3600 AP transmitting at 5.9GHz with 10MHz bandwidth. You can checkout the code on GitHub.

I just came back from a nice week in Paris and Lyon, where I was talking about GNU Radio and research on wireless. The meeting in Paris focused on SDR-driven research projects from both industry and academia. It explicitly invited researchers who typically work on higher layers, showing them what SDRs are and how they could fit in their projects. I was allowed to give an introductory talk.

For me, it was the first time that I could talk about a more general topic, i.e., not about a paper or project. This new experience turned out to be really fun, as I could add some anecdotes, making the whole thing a bit more personal.

I didn’t know a lot of French researchers, so it was also a great opportunity to get to know people that work on interesting projects.


The next day, I gave a seminar talk at the CITI Lab, which is part of INSA Lyon. Leonardo Cardoso was so kind to show me around in their lab. For students interested in SDR and wireless, this must be paradise. They have many well-equipped labs and the everybody is very supportive when it comes to GNU Radio and fun wireless projects.

Fortunately, I could stay a day longer and attend Jean-Michel Friedt’s talk on his passive radar experiments with GNU Radio and RTL-SDRs. It’s amazing what’s possible with 10EUR SDRs.


The guys in Lyon have fantastic labs, but their real baby is the CorteXlab. It is a completely RF-shielded room with 38 SDRs and PCs mounted at the ceiling. The effort that they put into this room is enormous.

Looking at the door, it is immediately clear that they are serious with shielding this room :-) With this, they created a truly controlled environment that allows reproducible experiments. And the best: CorteXlab is open for researchers. So if you ever wanted to do larger experiments, this is your testbed.


It was my first time in Lyon, so I was happy that I had some spare time to walk around in the city.

I’ll serve on the TPC of the 2018 IEEE 88th Vehicular Technology Conference, which will be held on 27–30 August 2018 in Chicago (VTC2018-Fall).

While preparing a bring-your-own-device hands-on SDR session, I thought a bit about the different options to provide students with a live environment.

In the end, I came up with (I admit) a bit of an over-engineered solution. I use packer to programmatically create a VM that provides a nice environment. It comes with GNU Radio, Fosphor, GQRX, and some of my modules, supports many SDRs, and is completely ready for offline use (for example, the UHD images are already downloaded). The readme in its GitHub repository has a more comprehensive list of the features.

The actual benefit, however, is that packer can just be re-run to get an updated version of the VM. Furthermore, it can be easily branded, extended, and customized for particular courses. For example, for my session at WLPC, I added some PFDs and specialized software. With packer, this can be made in an extension of the base image. This way, I don’t have to rerun everything from scratch. It also integrates well with git, where I can create a dedicated branch for the event (see the wlpc branch in the repository). When the VM is ready, it is exported as an OVA appliance that can be imported in VirtualBox and VMWare, and easily be converted for Parallels.

While this is already pretty good, a VM is not always the ideal solution. Some people just want a native environment; some have problems with getting high samples rates into the VM (yes, VirtualBox USB drivers, I’m looking at you); some have performance issues when rendering applications like GQRX inside the VM; and it goes on and on. I ran into all kinds of problems when testing the VM on different systems.

I, therefore, created a script that converts the VM in a live environment that can be booted from a USB drive. (See the script in the repository.) While that was more or less straightforward, I had the impression to open Pandora’s box when I looking into the boot process. (Legacy boot, UEFI boot, secure boot, etc. etc., …)

I ended up, creating a USB stick that uses an old DOS MBR (i.e., not GPT) that supports legacy boot and UEFI. Furthermore, I wanted to support persistence for the live environment. And I wanted to have an additional data partition that contains the VM. The three partitions can be created with something like:

Future me: beware of adapting /dev/sda to the device of the USB stick!

sudo sfdisk /dev/sda << EOF

sudo mkfs.vfat -F32 -n EFI /dev/sda1
sudo mkfs.ext4 -O ^has_journal -L casper-rw /dev/sda2
sudo mkfs.exfat -n data /dev/sda3

For the data partition, I used exFAT since it supports large files (which is great, since I wanted to copy VMs) and is natively supported by macOS and Windows. For Linux, there are fuse drivers (apt install exfat-fuse) that might already be installed on most systems.

In fact, I didn’t just want to boot my ISO, but also support the official GNU Radio live image (and potentially other ISOs). Fortunately, Grub2 supports mulit-boot ISOs where the boot menu allows to choose between different live images. This can be set up with:

sudo mount -t vfat /dev/sda1 /mnt -o uid=1000,gid=1000,umask=022
rm -rf /mnt/boot /mnt/EFI
mkdir -p /mnt/boot/grub
cp <path>/grub.cfg /mnt/boot/grub/

sudo grub-install --removable --target=x86_64-efi --no-uefi-secure-boot --boot-directory=/mnt/boot --efi-directory=/mnt /dev/sda
sudo grub-install --target=i386-pc --boot-directory=/mnt/boot --recheck /dev/sda

I disabled secure boot since it caused problems to on some laptops. Also it doesn’t provide any benefit and can be disabled on any PC. When copying the ISOs to /mnt/iso/, i.e., /iso/ on the UEFI partition, the grub.cfg looks something like

insmod part_msdos
insmod fat
insmod all_video


menuentry 'Instant GNU Radio' {
        set isofile="/iso/instant-gnuradio.iso"
        loopback loop $isofile
        linux (loop)/casper/vmlinuz boot=casper persistent iso-scan/filename=$isofile liveimg noprompt noeject --
        initrd (loop)/casper/initrd.img

menuentry 'GNU Radio Live SDR' {
        set isofile="/iso/ubuntu-16.04.2-desktop-amd64-gnuradio-3.7.11.iso"
        loopback loop $isofile
        linux (loop)/casper/vmlinuz.efi boot=casper iso-scan/filename=$isofile liveimg noeject nomodeset --
        initrd (loop)/casper/initrd.lz

Giving this stick to the students, they have the choice to

  • boot with legacy BIOS
  • boot with UEFI
  • import the VM into (VirtualBox, VMWare, or whatever)

In the session, that worked quite well.

I just came back from the Wireless LAN Professionals Conference (WLPC), where I gave two 90-minutes hands-on sessions on SDR and WLAN. I haven’t been at an industry conference before, so it was an interesting experience that gave me a new perspective on wireless.

Also, it was the first time that I taught a bring-your-own-device session on SDR. I was really worried that people might have problems setting up their environment. So I spent quite a lot of time creating a VM and a bootable live environment, but that’s a topic for another post.

In the end, everything went well and we had GNU Radio, Fosphor, GQRX, and friends running on all laptops.

my SDR Deep Dive session

In the session, we decoded FM radio, RDS (a digital subcarrier on FM Radio), and, of course, WLAN.

We also made experiments with Dynamic Frequency Selection (DFS), where we were emulating radar signals and chased an access point through the spectrum.

As an instructor, I was allowed to participate in a three-day Boot Camp. I selected the one about Python, where Jake (@jsnyder81) and Ryan (@radzima) were teaching us about lots of interesting stuff including virtual envs, REST APIs, and some Kismet goodness. In this session, we were using mini-PCs and APs from Mist. It was the first time that I was playing around with professional APs. Sadly, I couldn’t bring it back to Ireland as I was worried about customs.

hardware more hardware

The main conference was single-track with about 300 participants, so there were more than enough interesting people to meet. Apart from the normal conference program, there were also community events. I enjoyed the whiskey and podcast evening. (Even though memories are slightly blurred ;-))

main conference room whiskey session