Exfiltrate data with a covert shortwave packet radio. – Part 1

Disclaimer: It is the reader’s responsibility to ensure that they obey all applicable laws in their area. Please operate within FCC guidelines.

This post’s goal is to examine the benefits and limitations of current minimalist Raspberry Pi transmitter projects, where the only RF hardware is the GPIO clock output. Two such projects are WsprryPi (sends WSPR beacons by driving the clock on GPIO4) and rpitx (supports several modulation schemes).

WsprryPi

First we test the capabilities of WsprryPi. Build it from source:

git clone https://github.com/JamesP6000/WsprryPi
cd WsprryPi
make

I soldered Pin 7 (GPIO4, the clock output WsprryPi drives) to the antenna feed and Pin 9 (ground) to my antenna’s ground plate.

I decided to use the antenna from this IC-22S VHF transceiver. The transceiver is rated for the 2m band, so I set up for transmitting around 144 MHz.

./wspr -n -r KG5VIG EL00 30 144490500

Detected Raspberry Pi version 2/3
WSPR packet contents:
Callsign: KG5VIG
Locator: EL00
Power: 30 dBm
Requested TX frequencies:
144.490500 MHz
Extra options:
NTP will be used to periodically calibrate the transmission frequency
Transmissions will continue forever until stopped with CTRL-C

Ready to transmit (setup complete)…
Desired center frequency for WSPR transmission: 144.490500 MHz
Transmitting immediately (not waiting for WSPR window)
Obtained new ppm value: -3.30473
TX started at: UTC 2018-02-13 14:08:20.439

But after much searching, no signal was seen on the waterfall. The HackRF was also used to try to catch a signal, but once again the WSPR packet was never seen.

Finally I decided to try a lower frequency, 7.0401 MHz (the 40m WSPR transmit frequency). A much cleaner signal was isolated. Since the RTL-SDR won’t tune below about 24 MHz without a direct-sampling modification, the HackRF was used instead.

Zooming in, the peak appears around -54 dBm.

 

Increasing the TX frequency into the 20m band gave a stronger signal.

The clearest transmissions from the Pi came on the 6m band (~50 MHz); this can be attributed to my lengthening the overall antenna during the soldering. At 50.294 MHz the signal could easily be picked up by the RTL-SDR from several yards away.
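For reference, this is what actually goes on the air for the packet in the run above. The block below is an added example, not WsprryPi’s own code: a Python re-implementation of the standard WSPR source encoding (28-bit callsign, 15-bit locator, 7-bit power, rate-1/2 K=32 convolutional code, bit-reversal interleave, sync merge) using the callsign, locator and power from the run. The function names are my own; the sync vector and generator polynomials are the ones from the WSPR specification.

```python
# Added example: WSPR source encoding in Python (not WsprryPi's code).
# Callsign/locator/power below are the ones from the run above.

# 162-bit sync vector from the WSPR specification. Each channel symbol
# carries one sync bit (LSB) and one data bit (next bit up).
SYNC = [
    1,1,0,0,0,0,0,0,1,0,0,0,1,1,1,0,0,0,1,0,0,1,0,1,1,1,1,0,0,0,
    0,0,0,0,1,0,0,1,0,1,0,0,0,0,0,0,1,0,1,1,0,0,1,1,0,1,0,0,0,1,
    1,0,1,0,0,0,0,1,1,0,1,0,1,0,1,0,1,0,0,1,0,0,1,0,1,1,0,0,0,1,
    1,0,1,0,1,0,0,0,1,0,0,0,0,0,1,0,0,1,0,0,1,1,1,0,1,1,0,0,1,1,
    0,1,0,0,0,1,1,1,0,0,0,0,0,1,0,1,0,0,1,1,0,0,0,0,0,0,0,1,1,0,
    1,0,1,1,0,0,0,1,1,0,0,0,
]

TONE_SPACING_HZ = 12000.0 / 8192   # 1.4648 Hz between the four FSK tones
SYMBOL_SECONDS = 8192.0 / 12000    # 0.6827 s per channel symbol


def _char_value(c: str) -> int:
    """WSPR alphabet: '0'-'9' -> 0-9, 'A'-'Z' -> 10-35, ' ' -> 36."""
    if c.isdigit():
        return ord(c) - ord("0")
    if c == " ":
        return 36
    return ord(c) - ord("A") + 10


def pack_callsign(call: str) -> int:
    """Pack a standard callsign into 28 bits (the spec's 'packcall')."""
    call = call.upper()
    # The third character must be a digit; shorter prefixes get a leading space.
    if not call[2:3].isdigit():
        call = " " + call
    call = call.ljust(6)
    if len(call) != 6 or not call[2].isdigit():
        raise ValueError("not a standard WSPR callsign: %r" % call)
    n = _char_value(call[0])                 # digit, letter or space
    n = n * 36 + _char_value(call[1])        # digit or letter
    n = n * 10 + _char_value(call[2])        # digit
    for c in call[3:]:                       # letter or space: A-Z -> 0-25, ' ' -> 26
        n = n * 27 + _char_value(c) - 10
    return n


def pack_locator_power(grid: str, dbm: int) -> int:
    """Pack a 4-character Maidenhead locator and power in dBm into 22 bits."""
    grid = grid.upper()
    lon = 179 - 10 * (ord(grid[0]) - ord("A")) - (ord(grid[2]) - ord("0"))
    lat = 10 * (ord(grid[1]) - ord("A")) + (ord(grid[3]) - ord("0"))
    m = lon * 180 + lat                      # 15 bits of locator
    return m * 128 + dbm + 64                # 7 bits of power, offset by 64


def _parity(x: int) -> int:
    return bin(x).count("1") & 1


def encode_wspr(call: str, grid: str, dbm: int) -> list:
    """Return the 162 channel symbols (values 0-3) transmitted for this beacon."""
    n1 = pack_callsign(call)
    n2 = pack_locator_power(grid, dbm)
    # 50 message bits, MSB first, zero-padded to 81 bits for the K=32 encoder.
    msg = (n1 << 22) | n2
    bits = [(msg >> (49 - i)) & 1 for i in range(50)] + [0] * 31
    # Rate-1/2 convolutional code, constraint length 32, polynomials from the spec.
    reg = 0
    coded = []
    for b in bits:
        reg = ((reg << 1) | b) & 0xFFFFFFFF
        coded.append(_parity(reg & 0xF2D05351))
        coded.append(_parity(reg & 0xE4613C47))
    assert len(coded) == 162
    # Interleave: walk i = 0..255, bit-reverse it, and drop the next coded bit
    # into that position whenever the reversed index is below 162.
    data = [0] * 162
    p = 0
    for i in range(256):
        j = int("{:08b}".format(i)[::-1], 2)
        if j < 162:
            data[j] = coded[p]
            p += 1
    # Channel symbol = sync bit + 2 * data bit.
    return [SYNC[i] + 2 * data[i] for i in range(162)]


def tone_frequencies(center_hz: float, symbols: list) -> list:
    """Absolute RF frequency of each symbol's tone around the center frequency."""
    return [center_hz + (s - 1.5) * TONE_SPACING_HZ for s in symbols]


def transmission_seconds(symbols: list) -> float:
    return len(symbols) * SYMBOL_SECONDS


if __name__ == "__main__":
    syms = encode_wspr("KG5VIG", "EL00", 30)
    print("symbols:", "".join(str(s) for s in syms))
    print("TX length: %.1f s for 50 payload bits" % transmission_seconds(syms))
```

The numbers worth noticing for the exfiltration use case: a WSPR transmission carries 50 bits of payload, takes about 110.6 seconds, and occupies roughly 6 Hz of bandwidth, so the channel is very narrow and very slow (under half a bit per second) but decodable at very low signal-to-noise ratio by any WSPR receiver.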

 

rpitx

git clone https://github.com/F5OEO/rpitx
cd rpitx
./install.sh

At this point a jumper wire leading nowhere was placed on pin 12 to act as a crude antenna.

This configuration is meant to eliminate the need for a large antenna (since the goal is a covert device).

Below is the waterfall graph for the SSTV signal in Baudline.

I also tried removing the wire and transmitting with the bare GPIO pin as the antenna. This time the signal was strongest in the 2m band (~144 MHz), strong enough for the RTL-SDR to receive SSTV (Martin 1 mode) from the adjacent room (RX amplifier enabled).

The purpose of part one was just to demonstrate (as others have before) that the Raspberry Pi 3 can act as an HF or VHF radio transmitter without any modifications or extra parts. One caveat: what the GPIO pin emits is an unfiltered square wave, so the signal also appears at odd multiples of the chosen frequency (the third harmonic is only about 10 dB down), and anything beyond bench testing needs a low-pass filter on the output. In part 2 we will use this technique to exfiltrate internal network data over a covert out-of-band channel. Our goal will be to receive information from the Pi from several miles away.

Afterwards we will discuss implementing this technique on other embedded devices, such as network printers and IoT devices, through their GPIO pins.

 

References:
1. https://www.rtl-sdr.com/raspberry-pirate-radio-fm-transmitter/
2. https://www.rtl-sdr.com/transmitting-data-raspberry-pi-rtl-sdr/
3. https://www.rtl-sdr.com/tag/pitx/
4. https://github.com/F5OEO/rpitx
5. https://www.rtl-sdr.com/transmitting-fm-am-ssb-sstv-and-fsq-with-just-a-raspberry-pi/
6. http://wsprnet.org/drupal/
7. http://pavel-demin.github.io/red-pitaya-notes/sdr-transceiver-wspr/
