
All right, well thanks everyone for coming out. I think we're gonna get started here. My name is John, this is David. We're gonna be kind of co-presenting tonight. A little bit later, I'll be walking around and helping people while he presents and then when we're done with the presentation side of things, I assume you can walk around and help out as well. So first of all, I wanna start off and thank our sponsor, Tech Systems. Tech Systems is a recruiting company in the area. We have Ryan right here, raise your hand, Ryan. These are gonna have to cut out a little bit early, so if you need to get in contact with them though, I have some cards. I just wanted to let you know about a couple opportunities
that they have right now. They have three security job openings right now that they're trying to fill. One is a Linux admin, Citrix admin, and then they have a more senior position that's gonna be focusing on scene. I believe that's one focused. The companies that they're working with contain PPG, AHN, PNC, Westinghouse, Erie Insurance, Highmark, they have job openings at all of those companies right now. They also have some non-security job openings if anybody's interested in that, project management, some stuff, and a lot of other things.
Robit? Hey guys, you have a seat. So big thanks to them for helping support this. They gave me the funds so I was able to purchase some of these RTL-SDRs and hand them out here, make it a little bit easier for you guys. Maybe next month I'll buy a couple beers on them. So big thanks to them. And again, if you wanna talk to Ryan or get ahold of Ryan or anyone from that team, if you're interested in these job openings, you can either get ahold of him directly before he leaves or get ahold of me, I can put you in contact with him and give you his card. So, this is Steel City Information Security. If you're not here for
Steel City Information Security, you're in the wrong place. But welcome. So we're a group, we meet, I see a lot of new faces here tonight, which is really great. We meet every month, and we do three different types of events. Tonight is what's considered the hands-on lab. Of course, what we do, we also do presentations and networking events. So next month, we'll have a networking event, and then we'll start quarter two, 2016, on a new topic, we're gonna be doing car hacking. So we have a couple of really smart researchers in the area that are going to be presenting. And then, so that goes for that entire quarter. There'll be a hands-on lab regarding it,
a networking event, and a presentation. And then for quarter three of this year, we're going to be doing some short-range wireless stuff. So semi-related to what we're doing tonight, but like NFC, RFID, iBeacon, Eddystone, you know, those sorts of things. I actually put something on Twitter the other day trying to get devices to play with, and I had multiple companies say, hey, we'll send you stuff for free. So I think it would be really good. I actually bought a Proxmark, I bought multiple RFID reading and writing boxes, some Teensys, some Pis. I bought all kinds of stuff thanks to the dollars that I get from our sponsors. And so I'll be able to have that for the lab and we'll be able to get
hands on and I'll set up a couple different stations. I think it would be really cool. And then the last quarter of the year we take off. So everyone's busy with holidays, it's cold, I'll give you guys the flexibility. If you guys are interested in doing something, let me know. Maybe we'll be doing a networking event or something. So we are here to talk about software-defined radios. So just a little bit of prep before I hand it over to David and he's gonna handle the technical part of tonight. Hey, how you doing? Do you have a seat? So we're going to be dealing mostly with the RTL-SDR. I see a couple people around, I see a HackRF, I know you had an
AirSpy. Those should work for the lab, but we really focus this around the RTL-SDR just to kind of make it simple and accessible to pretty much everybody. These devices are like $15 if you don't get an antenna, $25, $30 if you get the two different antennas, which is kind of nice. So this is the newer version. So if you have this one, you have the newer version. It just came out at like the middle of January. And this is the older one, so this is the first batch that I ordered until I bought all the ones that they had available and they were sold out for a little bit. They actually are almost sold out
of the new ones again too. So if you're interested in getting one, buy it soon. Or buy it off me, I have a couple. So yeah, so it essentially started out as a TV tuner, and a couple guys found out that it's, that you're able to kind of adjust it to listen to the different airwaves. And people have kind of almost manipulated that into a legit SDR. But there are nicer SDRs available, like the HackRF, the AirSpy, the B200, B210s, the USRPs. A lot more expensive, though. You're going to be talking about at least a couple hundred bucks if you go up to the next level. But those are able to do things like transmit or receive. Some can transmit and receive. Some
can do that. They can do MIMO, they can do two transmits and receives at the same time. They can connect to external clocks. You get a lot of nice gadgets when you pay a little bit more money for that. So there are two options on how to approach the lab for tonight. You can either download and open the VM, that's a QR code that actually goes to the VM, it doesn't download anything nasty on your computer, I swear. Or you can go to that Google link up there, that'll do the pretty much same thing, you just click download. Like I mentioned earlier, you can grab the Wi-Fi, SSIDs, PackPigsberg, PackPGH, and the password is sealantad. The other option, and slightly less preferred
option, but functional, is to clone the repo for tonight. I set up a tag specifically for tonight, so you can go directly to the exact commit, if I update it, that command will always go to exactly what we did tonight. And then you can just run the Kickstarter script. Two warnings there, one, that's gonna modify your machine, add a bunch of stuff, and in two different cases, it could actually do a hard reset of a Git repo that's cloned locally. Like if you already had PyBOMBS or you already had MyRepo on there, it would reset it to the correct version. So that might be unintended, depending on how you're using the machine. And it also takes about two plus hours to do. So there's a lot of compiling
and building and installing. It takes a long time to do it. So if you can download the VM, you'll probably be faster even on the internet speed that we have here. You'll probably get the VM faster than you can actually build this thing. Because you also have to download a bunch of packages from the internet to do that as well. So I'm gonna turn it over to Dave for a little more technical side of this. All right, thanks. I grabbed the F. So when I say modulation demodulation, probably everyone in the room knows what I'm talking about. Like, okay. So generally, we have a radio signal. We have the original signal that you want to transmit. And then if you want to have a carrier
frequency that you're sort of mapping that onto. In one case, you may have amplitude modulation. So if that's our original signal there on the top, if you use amplitude modulation to sort of add the envelope to it, look there in the middle. You also have frequency modulation. So you can see as the signal goes low, the frequency goes down because the waves get longer. And if the signal goes up, the frequency goes up and the waves get closer together. So when we talk about radio, this is what we're talking about. So the radio spectrum is somewhere almost from DC, like 3 kilohertz, to about 300 gigahertz. So that's about where infrared begins. Obviously, sound waves are not necessarily RF, right? Those sort of things. We're talking about
microwaves, so like your microwave ovens operate in that. They go from very low frequency waves to extremely high frequency waves. It's regulated, so the International Regulation Committee is like the ITU. They specify international regulations that generally have to do with international communication. So if I'm on a ship and I'm gonna broadcast where I am or radio navigation signals with other countries, that's sort of what they And they sort of map off things for radio astronomy, those sorts of things. They sort of map those off, those pieces of the spectrum. Here in the U.S., it's the FCC for civilians and for the federal government. Or sorry, the NTIA is for the federal government. The state and local is
the FCC. So the FCC regulates the television broadcast, the radio. They regulate the radio broadcast, that sort of stuff. Just a quick aside on transmission, you probably want to make sure that you're within the FCC regs before you start transmitting, just to make sure that you're not interfering with something important. If you don't know anything about transmission, you probably shouldn't be transmitting. It behooves you to look up whether or not the frequencies you're transmitting, the power you're transmitting on, you're allowed to be that legally. And also, even reception could be tricky if you're receiving things like cell phone calls or something that people have a reasonable expectation of privacy to, you know, or you're decrypting stuff, right? So you want to be cognizant of that.
I'm not a lawyer. If you're doing this for real, for serious, you probably want to go consult someone that's more qualified. Yep, and so these are the ITU regions. We're in region two, which you can't even see, but it's the left side. Okay, so what is a software-defined radio and how does it work? So the general layout for a software-defined radio is it's a lot like an analog to digital converter that just accepts lots of samples over your antenna. So on the left side here we have our modulated signal. It's got AM modulation coming in through our antenna. It has some hardware filtering so it will actually do some channelization of the frequency you're looking for. It can massage the signal in hardware before it even gets
to your computer. It also will do some amplification. So a lot of SDRs will have front end RF amplification so that you can amplify a signal before it comes into your computer. Then it goes to something that's akin to a giant analog digital converter that's controlled by a user controlled clock that sort of works as your local oscillator for your target frequency that you're trying to demodulate. And then it sends the I and Q samples, which are two samples that come out which include phase and amplitude information, sends those to your computer. So if you look at an SDR, it will say it has these many samples per second at this rate, and it can communicate on these frequencies. The particular radios, the RTL-SDR,
I think is, it goes down to 20 megahertz or something like that. It's like 20 or 30 megahertz, then it goes up to 1700, something like that. I think there's a gap in there too, 1700 megahertz. They sell SDRs that go from almost DC to about 6 gigahertz now, which is a pretty broad spectrum. I think Ettus has one that actually does 100 megahertz of, or 100 mega samples per second. So you can basically sniff the entire 2.4 gigahertz ISM bandwidth goes from 2,400 megahertz to 2,500 megahertz with one device, right? Assuming your computer can eat your samples fast enough, and then assuming you can do something productive with the samples once you get them. So that's pretty cool. So the first thing we're going to do, moving on
to the hands-on part, is we're going to open up GQRX in our VM. So if you open the VM and you open a terminal, and you just say GQRX. It's going to come up with something like this.
Does everybody have that up and running?
And I think it should actually be pre-configured for the RTL-SDR. So you can actually go to this memory-looking stick thing, and it will show you the configuration options for your SDR. So you can select the input rate. We have 1.8 megahertz or mega samples per second on this guy, which is fine. And then when you want to start, you go up here to this power option, and you begin to see spectrum. And you should have a waterfall plot too. I actually have my RTL-SDR plugged in and connected to this long antenna here, which is probably not the best for 27 megahertz. Although we do have some interesting stuff going on at 27 megahertz. But you can go up
to, say, 88 to 108 is FM band. So you can start looking at radio stations. You can see you've got one that's here at 96.9.
So does everybody kind of have that up and going? Yeah? Anybody have any problems?
If everyone's having an issue, you can just raise your hand. I have to go over and tell you. Yeah, John's here. OK, so if you go up to the FM bands, you can see the actual FM signal for the radio is actually moving left and right. So you can see it wobbling back and forth. And that's because it's FM radio, so it's frequency modulated. So you can actually see the x-axis here is the frequency of it. And so you can see the power is going back and forth, which sort of indicates there's some sort of signal there that the frequency is changing with time. So that generally tells you it's frequency modulated. You can also see these sidebands here. Let's
see. So you can see the HD radio signals there on the side. So you can tell that those aren't necessarily FM because they're not moving around. And it's kind of hard to see, but you can actually see there are yellow dots going in there, which really indicates that it's binary data and not necessarily FM-modulated audio. So that's how HD radio gets to your machine. All right. Let me turn on my speakers here.
OK, cool thing you can do with GQRX also is demodulate the signal. So if I come over here,
and I kind of go over to 96.1, just sort of the center of this guy. And then I go over to mode, and you can change the demod. So you can see you've got a lot of options for demodulation. So that would be AM if you had an SDR that went down the kilohertz range, or AM. You can go to wide FM mono. So
you can sort of hear that, right? OK. So it demodulates the FM. There's also stereo.
And let's see. There's also some narrowband FM, AM. And raw IQ. So that's sort of like, I think raw IQ is more for like, if you want to listen, sort of like in contact or something. And I think a lot of ham radio operators can actually do that. And they can tell the sort of modulation there is just by listening to the raw IQ signal, which is pretty neat. So we've got a few things. You can actually add favorites down here in the bottom of GQRX. And it turns out there's a weather station for everyone, basically, in the US. And so our closest one is 162 megahertz.
So if you buy a weather radio or something like that, this is how it knows when there's alerts. Or something that plays a tone, actually, when there's severe weather and sort of tells you weather updates. So that's how those work, if you're wondering how those all-weather radios work. I kind of want to solve, just kind of play around a little bit and kind of look around the spectrum. So start maybe like 62, kind of work your way up.
So has everyone played with GQRX before? I sort of preach to the choir here. There's also, if you keep looking, I think there's the emergency bands like police and stuff and fire would be on, I want to say, 300 something megahertz. Is it 450? OK. You can actually look that up. And one cool thing you can do with SDR is you can actually build a GNU Radio flow graph and actually demodulate, say, all of them at the same time. Whereas there's a lot of scanners, you can only do one channel. With GNU Radio, you can actually listen to a broad swath and then demodulate all of them at the same time, assuming you have the CPU cycles to do that. OK, so does anybody have any questions
about GQRX before we go further? Yes, we'll let this work. SHANNON SKIPPER- We've got to work. OK, great. If there weren't, just do that. OK, cool. Thanks, Ron. SHANNON SKIPPER- OK, the next thing we're going to show is an ADS-B receiver. So how many people have heard of ADS-B before? Yeah, so that's like the emissions that planes give out. It's Mode S, that actually transmit their GPS all the time. So if you look at FlightRadar24, many of those plane tracking apps, they actually have a network of receivers throughout the country that actually check and track planes. And it's interesting because they'll do things like track planes that go down or if there's a plane crash or something like that. They'll
be the first to know. And so reporters and stuff will call the FlightRadar24 people. An interesting article I read recently said that sometimes the government asks them to remove planes from there. So that's interesting stuff. So let's kind of explore that. So there's a command called modes GUI. Modes underscore GUI. I'm sorry.
And if you just do modes GUI, you can run that back.
OK, for this, we need a shorter antenna because it uses 1090 megahertz. So you can kind of take your large telescopic antenna and push it down. But actually, I think this might be a little long, actually. I'm going to switch to my smaller telescopic antenna. Here we go. So I think for 1090, you can look up online. In fact, I'll do that. I wonder if I can put this in there.
You want this up right now? There we go. OK. 5.15
inches, please. Yeah. I actually have a ruler here. So here, I can show you the site. So you just check out.
Just Google antenna length.
The first one is actually pretty good.
So you can say 1090, which is ADS-B. Say calculate, and then it tells you your whip antenna, which is effectively what a telescopic antenna is, and the actual half wavelength that you need. So 5.15 inches, which if you bought the kit, is kind of the small one, sort of, I don't know, yay, yay big.
Does everybody got that set up? All right, so let's go back to modes.
And you wanna configure this, so we have an RTL-SDR which is compatible with the OsmoCom driver. So you wanna select the OsmoCom driver here. And then threshold,
I generally have good experiences with using 9, but it depends on sort of where you are and what, like are you on top of a building, are you outside, what sort of amplification do you have for your antenna, so we sort of have to play with this. So let's try it out. We're going to leave the gain at 50 since we're kind of indoors. So we're going to boost the gain a lot because our antenna's not really amplified. There's a lot of videos online of people making crazy ADS-B antennas that are super high amplification and then they kind of put them outside of their house, and they listen to planes all day, I guess, which is cool. So I like using the pulse match filtering.
And then I think I have Pittsburgh in for the latitude and longitude. So we can hit start. And you can see that we're receiving, you should see reports per second come up in the lower right-hand corner. We're not getting that many. Usually you get more than that. But you can actually see the live data if you go over to the Live Data tab. You can see type 0, type 5. We're getting some no handler messages, which actually usually means that your gain is up a little bit too high and you're getting some erroneous packets. So we can back off on the gain a little bit. So I'm not too optimistic that we'll get to see any planes down here in this
basement type thing. But sometimes if you wait long enough, you'll see visible aircrafts in this left side. That'll be their identifier.
So, is anyone seeing any planes? Maybe people closer to the door? Or the outside, maybe? I don't have a display, but I, like, plus three, just dropped the two aircraft. Aircraft? Okay. So you went over to the, uh... I'm not on that. I'm on something else. Are you on, like, Flight Radar 24? Mm-hmm.
an app downloading. All right, let's see here. Usually you can pick up one or two. So you're actually receiving messages from planes, but not all of them contain their location information, right? So you'll see them pinging each other, but you've got to kind of wait until you get a message containing their GPS coordinates, and then it can plot it and actually look at their altitude, their heading. Well, it's kind of unfortunate we're not getting any in here tonight. I'm getting something that says DLH441. OK. So if you click on it in this list on the left, and then maybe you go to dashboard, it should tell you the bearing and the range of the plane and its heading, that sort of stuff. That sounds like a
real call sign. Can
you go back to the set? Oh, yeah, sure. This is more important. So you want the Osmocom 24. I'm going to actually try it again. I'm going to back off on my gain a little bit and maybe increase my threshold.
There's a bug in Modes GUI, actually, though. If you change the settings, it actually breaks it. So I have to go back and restart the application.
Fun fact about mode of security.
And you run that in W script again. And go do the whole thing. And just go and do the updates and see if you're in the . And it says, hey, just do .
So you can see we're receiving a lot more reports per second, but I'm guessing they're probably bogus. If they go over here, live data, it's probably going to say no handler for a bunch of messages. Right. So I think I backed off too much on my threshold. But we may actually be able to see an aircraft that resolves.
There we go. It says one. Usually it resolves the call sign faster than that. Yeah, I guess it's because we're in the world and it's not doing super awesome. Oh, yeah? Really, we should all just go outside. Or I should just carry my laptop over by a window. But when you get home, check out Modes GUI. It's really cool, especially if you can have a hill or you live on a hill or you have an unobstructed view of the sky. It works pretty well. And it's pretty neat because you can see planes. I've seen planes all the way up to like Erie and really far away actually from my apartment's window. And not using any crazy location or anything like that. And like I said, you can
get a premium account at, I forget which website it is, for actually feeding them this data. So if you leave it running on a Raspberry Pi or something like that and you just feed them the data continuously, they'll give you a free premium account or something like that. And you're doing your service to everyone that wants to know where the plane is. OK, so are there any questions about modes GUI?
As kind of abysmal as our performance has been tonight.
OK, let's move on. So that was sort of fun demos of stuff you can do. GQRX, like I said, is your go-to spectrum analyzer when you don't know what's around. And you can look at it and see what sort of signals are around. But once you kind of find one, you're gonna want to start actually analyzing it with the GNU Radio Companion. Actually gonna switch to mirroring real quick so I don't have to keep craning my head around.
So run GNU Radio Companion, you type GNU Radio Companion.
And I already have some stuff in here, which will usually be greeted with
this sort of blank flow graph with a variable called samp rate and QT GUI. So what we're actually going to do is create sort of that waterfall plot and that spectrum analyzer in GNU Radio first as sort of a first pass. Has everybody got GNU Radio open? You're staring at a blank flow graph? OK. So this guy, we're going to double click this top block thing. We're going to select WX GUI instead of QT, because most of the widgets we're going to use are going to use the WX options instead of QT. Oh, OK. So on the right here, you have all the blocks you can use. So these are all the blocks that you can select. And generally, we want to select our sources first. And our source,
in this case, is going to be an RTL-SDR source. So you can go down to the list and say RTL-SDR source and drag it in. And you get a new block. Or a quick shortcut is you can hit Control F, and you can just type into the window there, so if I say RTL, SDR, it comes right up. You don't have to sort of dig around in the menus.
Okay. Hopefully everybody can see that okay.
Okay, so we're gonna change our sample rate. We're gonna use two mega samples per second. So we're gonna say, you double click the sample rate, say two e to the sixth, which is two million.
So if we double click our RTL-SDR source, we will see that our sample rate reflects this variable, which is samp rate, and it's set for two million. Set our frequency. It's set for 100 megahertz right now, sort of like we did in GQRX. That's fine, or you can set it for, what is it, 89.5. There's a couple radio stations around there. So we're going to say OK. And then we're actually going to add our graphical widgets. So if you Control-F, you get over there to the search, and then type in FFT. What we want is the instrumentation panel. WX and WX GUI FFT sink. So the GUI FFT sink. So if you double click that, or you can drag it, it adds it to your flow
graph. Where did we set your samp rate? You didn't set it in the source? Yeah, so I set it in this variable called samp rate. That just makes it convenient so that when we use, in the future, we can just set it for samp rate. And then we don't have to worry about that. So most of the widgets actually default to samp rate being a variable in the widget. So you don't even have to type it in. Right. So what you should have now is your RTL-SDR source. We set our channel to be 89 megahertz. Really, you could make a variable for that if you wanted to, for your frequency. And then we have a GUI FFT sink. Does everybody kind of wish so far?
So if you click the out of RTL-SDR source, and then you click the in for the GUI FFT sink, it connects them. So now you have a flow graph that's directional. So the samples are going to be flowing from the RTL-SDR source to our WX GUI FFT sink.
OK, I'm actually going to also set the baseband frequency for the GUI FFT sink there on the right to be our frequency, which is 89 megahertz, 89e to the six. I really should just make a variable.
Okay, we'll save it. Let's see. Save it as SDR, and we'll save it as fm.grc.
Okay, so then you can go ahead and execute your flow graph.
And you should see, oh right, I have my short dinky antenna on, so as you can see I don't have super awesome power on this radio station. So I'm gonna switch back really quick to my FM antenna.
which should help significantly more reception of FM.
Right. So as you can see, our power went up to about negative 20. And it's not linear, right? It's dB. So that's significantly better. You can also see our noise threshold is actually kind of up to about negative 70, which is kind of high also. But so this looks very similar to GQRX. So what you can do in this case is we've kind of located our signal, 89.3. And we say, OK, this is the one we want to modulate. And you can see in the FFT plot that it's there. You can do some cool stuff, like you can turn on averaging, which probably helps not make it so spastic so you can see the signal
better. You can also turn on peak hold, which actually holds the peak for the signal, which can be very useful if you have very bursty communications. If you're actually studying something that transmits for a very short amount of time, but it's very powerful, the actual peak hold will be very useful to actually see that frequency. Because sometimes you may be looking at the spectrum. You may not know where the actual signal is. But once you see that peak, you'll be able to see, OK, that's where it is. So we have actually, with this averaging and the peak hold, we have a pretty good idea of the spectrum around 89.3 megahertz.
You can change the averaging. You can turn this down, where it's a lot of averaging, or you can turn it up. So everybody's got the FFT plot up. And we're looking at a radio station or something.
Are there any questions so far? OK. So what we can do next is So what you may want to do once you've sort of isolated your signal is actually dump it to a file so that you can analyze it without having to worry about pushing a button or whatever it is that causes RF to go. So in the case of say this garage door opener, I don't want to sit by the antenna and push the button every time I analyze it to an actual RF. So what we're going to do is we're going to add another block. So we're going to go up here and we're going to say we're going to add a file sink. So if you type in file,
you should see all the file operators you can. But we want file sink. So
we're going to drag that over. And then we can actually connect that up. So you can see we have two sinks. And it's OK if they're both connected at the same time. What's going to happen is we're just going to get the FFT plot. And it's going to dump the RF to a file at the same time. Some of you are in VMs, so let me know if the CPU pegs out for doing some of this. So actually rendering the FFT and dumping the stuff to disk might actually get kind of hairy in a VM. OK, so if you double click the file sink, you can go to your file picker. And I'm going to go to my SDR directory and just
save it as something. So save it as fmcap. I like raw as an extension, but you can save it as whatever you like. If you're a photographer, you might not want to do that. OK. So that's all we have to do. We say OK.
So now when we run the flow graph, it's actually going to dump all of those samples straight to our file. Now the file format for GNU Radio Companion is just straight dumping floats to the disk. Like there's no header, there's no metadata, which actually I don't really like. I wish that there were some sort of format. Generally, you have to tell, actually, you know what? I'm going to do this. I'm going to rename it, because what you want to do when you're capturing things is actually include the frequency that you captured and the sample rate, because later you're going to forget these things, and it's not included in the metadata. So I'm going to say 89 megahertz. get two mega samples per second.
So later, if I forget what frequency it was or what the rate was, I can do that. OK. So if we run or execute our flow graph with the play button,
we should see the FFT plot. But it's also logging all of that stuff to disk also. Is that working for you guys? Working out? OK. You might want to hit stop pretty quick because it's really disk intensive. Each of these samples is 64. Yes? I'm looking the play button to light up. OK. Do you have the red circle-y flow graph error thing? Yeah. So click this red flow graph thing. This? Yeah. And what does it say?
Generate blocks in this mode. Oh, okay. So you need to go to the top block over here in the upper left, double click that, and then you need to change it from QT GUI to WX GUI. Right. In the top left. This. Yep. Double click that guy. Not that far. Oh, not that far. Sorry. Go back. Yeah. Okay. The options block. Okay.
Yeah, and then drop that down. I don't know why it defaults to QT GUI. Most of the cool analysis tools are WX GUI. There's a lot of quirks with GNU Radio that you can only find out when you kind of throw yourself at them and you fail and then you figure it out. So hopefully I can transition some of this to you guys tonight so that it won't be so bizarre when you encounter this. But always the first thing I do when I create a new flow graph is switch to WX GUI. Okay, so.
I guess you can go look at the file, but we should have all of our samples. So what we're going to do is we're going to look at those in the FFT sink as if it were coming from the RTL-SDR. So what you can do is hit D on a block and it disables it. So what we're going to do is disable our file sink and we're going to click on our RTL-SDR and then hit D and that disables our RTL-SDR. So
and then we're going to add a file source. So if you search for file again, so Control F and then file, you should see file source up here. So if you double click that or you can drag it over, you'll see this file source. So we're gonna select, we're gonna double click that, go up and select our file that we, it was in SDR and then it was,
So you notice that it's 213 megabytes for that small time that we sampled. So this is important when you're actually doing capturing to limit the sample rate, if you can, and limit the sample time that you're actually sampling so that you get the smallest capture possible. Because these things can blow up really quickly. Especially if you have a really awesome SDR like the HackRF One or the Ettus, like B200 or 210 or whatever, and they have a lot of bandwidth. So you can actually sample at 30 mega samples per second if you want, but that is huge and it blows up tremendously. Okay, so say okay, and we should have this file source. You can also set the repeat. I'm gonna
leave it on yes, but if you're dumping something out the file you probably don't want to have repeat on because it will keep dumping. OK, so one tricky thing that you need when you're actually reading from a file source is something called a throttle. So if you do a Control-F and you go to throttle, you can add that to our flow graph. Hopefully you guys can read this text.
OK, so the thing about a file source is it's not naturally limited in its rates of samples. It tries to read samples from the file as fast as it can. Now this might be what you want if you're actually reading a sample and trying to get, say, a code out of the RF as fast as possible. And you don't care about playing it in real time. You just want to scan it through your flow graph and actually get all the information out as quickly as possible. But if you actually want to replay it at speed, you need this thing called a throttle. And usually you're going to set it to your sample rate. So we
know that we sampled this at two mega samples per second. So we're going to set our sample rate at, well, we're going to set the samp rate, which is 2 million. So we're going to connect the out from the file source to our throttle. And we're going to connect our throttle to our FFT sink again.
And then we can go ahead and execute this flow graph. And there we go.
This is a long-winded exercise to prove that you can actually dump to a file and then read in from a file, and actually it looks the same as if you read it straight from the RTL-SDR lab. This is not an efficient mechanism for recording FM radio. Do you have a question right here? Yeah. How fast is the computer you're using? This one is a dual-core Pentium. I'm sorry. It's a dual-core core. 4600, it's dual core, it's a dual-core mobile processor, so it's got 16 meg, or 16 gigs of RAM, but I don't think it requires that much RAM to do this. Really it's CPU bound. A lot of the stuff you're going to do, like especially when we
get into demodulation, that's going to require a lot of CPU power because for every sample that's coming in it's going to have to do some mathematical operation. And so when you're talking about two million samples per second, and you're doing something with each one of those samples, that can get really CPU intensive real quick, especially if it's something complex, right? Okay. So I think we have that. Okay, we're gonna do a real quick FM demodulation here.
So, we're gonna leave this. We're going to do a
So if you do FM, you'll see that there are several types of FM modulation.
One is called Wideband FM Receive.
So we're gonna select that. Now one thing we may want to do is actually back down our sample rate from two million per second to something more reasonable so that our FM demodulator isn't working with every single sample. So we may want to divide that. And that's called decimation. When you actually say, I have 10 samples come in and I only want, say, five of them to come out, I've decimated by two. So I've divided it by two. So if you search for decimation, let's see. Actually, we can use a rational resampler. There's several types of decimating filters here. We're going to use one called a rational resampler. It's under the resamplers. So you double click
that guy, bring it over here. That resolution is pretty terrible, so my flow graph is going to get kind of full. OK.
So a rational resampler can do decimation or interpolation. Interpolation is the opposite of decimation. So if I have one sample and I want to make 10 samples come out, I can interpolate it by 10. If I have 10 and I want 1 to come out, I can decimate by 10. So dividing and multiplying. That's all you really need to know about rational resamplers. So we're actually going to, let's see, it's 2. Let's decimate by 4.
which means that for each sample that comes in, each four samples that come in, only the one's gonna come out. So that's gonna equal a 500k roundabout sampling rate when we're done.
Okay. So we're gonna connect that to our FM receiver. So this is really the FM demodulator. And that's the nice part about GNU radio is you don't have to write everything from scratch. There's lots of blocks for demodulating lots of different protocols. So if I want to import an FM receiver, I can just do that. And there's automatically block written. So it's pretty convenient. Our quadrature rate is going to be our sample rate divided by our decimation. So it's sort of the rate that's coming into this FM receiver. So we have our sample rate, which is 2 million. So we're going to say SAMP rate. And then we decimated by 4.
I'm going to go ahead and say 4, but you could have a variable that's decimation. So then that ends up being 500k that's coming into our receiver. For audio decimation, that's going to divide your quadrature signal into your audio. So I know that the sound card rate is 48 kilohertz, so I want to get kind of close to that when I'm actually demodulating this. So I can say the audio decimation is 10, which will mean that it's 500k divided by 10, which is 50k, which is pretty close to 48k. We're about to make it exactly 48k. So after that, we're going to resample again. So if you get another rational resampler up. Sorry, am I going too fast? Is
everybody with me? Is everybody bored because they've done FM modulation before? We'll get to some cooler stuff here in just a second. How much time do I have, John? 8.30? Is that the... Midnight, no problem. Midnight. Duh. Thought you guys would want to stay. Okay. Anyway, this will be over quick. This is just a basic FM demodulation. So we've got this. So we've got 50K coming out. So we're going to want to connect these two, except... So what comes out of an FM demodulator is actually audio. Audio is not a complex signal. So the I and Q that's coming in from our... source is actually a complex signal. It involves I and Q. And what comes out of the audio is actually we
just want the amplitude for your sound card. So long story short, it means that this is actually colorblind. What color is this? Orange. So this orange means float. And this is blue, I guess, which is a complex in signal. So the problem is this is orange, and this is blue, which doesn't match. So if you double click this, you can actually go in and change the type to be float. So it's a floating point instead of complex.
So now we can connect these and everything's copacetic. OK, so we have 50K coming out and we want 48. What we can do is do a 48 and then a 50 for interpolation and decimation. You can consider that, so 50K comes in. For the sake of argument, we can say we divide it by 50 and we multiply it by 48, which gives us 48 kilohertz. Internally, I believe the rational resampler actually does the division for you and figures out the correct ratio. You can type any numbers in here. In fact, I failed to mention this, all of these are just Python. So you can type almost any valid Python in any one of these fields and you can execute it and evaluate it. This is
cool and interesting for security folks because any GNU Radio Companion file you download from the internet, understand that you're just running Python that this person gave you. It's not some sort of PDF that never executes code. We all know PDFs don't execute code. Of course not. They shouldn't. But anyway,
understand that this is all Python and anything can happen here. OK, so we've got this. So now we have a 48 kilohertz sample that we're going to actually play with our sound card. So if you do this and you say audio,
you can get an audio sink. So we add our audio sink, and then we connect these to each other. And the samp rate is not samp rate. The samp rate is actually 48 kilohertz, because that's what our sound card outputs. It's not two mega samples per second. OK, so we connect. Oh, that's pretty terrible. Let's see if I can shift. OK, so assuming this works, you should have the play button. And you don't have the red flow graph errors button. If you do, you can click that. And then it will tell you something that may be cryptic, or it may actually help you fix the problems that you have with the flow graph. If anybody's got that, John is happy
to help you out with that situation. All right, I hear something. It doesn't necessarily sound like music.
Oh, right. Ha. So we are, OK, so it's not music. And the answer to why it's not music is because we have a center frequency here, and that's where it's trying to demodulate. So it's actually trying to demodulate our center frequency. We actually have an offset here for where the actual radio is. And we can fix that, actually.
Let's see. I'm going to delete this file sink just to get it out of the way and RTL-SDR source so that it's clearer for you guys. Right. So the reason that happens is because 89 is not the actual radio station. What is it? It's 89.3? Is that what it is? Yeah. 89.3. OK. So what we need to do is we can actually offset it if we find
a waveform generator.
Actually, just to save time, let's delete the file source. And we're going to add our OsmoCom source back. If you don't already have it, you can just enable it if you already have it. And we're going to connect that to this. And we're going to change the frequency to be 89.3, just so we can move on from the FM demodulation. What you can do is actually multiply a cosine wave by your original file that will actually shift the center of the frequency when we come to 89.3. We're going to get sued.
Anyone else got it? I heard some static. The problem is I think VMware player, the sound card emulation is not very good. It's like it might actually be kind of bad. And you would see a lot of U's down here. So actually, oh, you can't even see that. In the lower left in the log, you'll see a bunch of U's if you have an under run, which generally means the SDR is trying to send samples to your flow graph faster than your flow graph can process them. All right. So anyway, we've created an extremely expensive FM radio so far. And that's fun, but you can go buy one of those for pretty cheap. And you don't need to use hundreds of dollars worth of equipment to
do that. How easy is it to connect my phone to my computer, though? Yeah. Well, you have a microphone, don't you? Yeah. No, I agree. So this is sort of just an example of kind of capturing and replaying stuff.
But let's move on to analyzing maybe like a mystery signal or something that you have laying around. So what we're going to analyze tonight is this garage door opener that I have. Actually, so let's do kind of an exercise. There's no FCC ID on this. So I live in an apartment building, and they handed this to me when I moved in. And it looks like it's from the early 80s possibly or something like that. It's possibly the same battery. It's probably like one of those Rayovac batteries from like the 1980s or something. Nine volts, it's in here. But I have no idea. It doesn't have an FCC ID on it. So I need to actually figure out what it does. So it's actually called multicode is
what was written on this thing that I kind of pried off. So can someone Google multicode and try to figure out what frequency it operates at?
Incorrect.
It's around 300? Yeah, it's around 300. So my sort of
algorithm here, so if it has an FCC ID, you can go to FCC.io.
And you can type in an FCC ID.
one right here. So J in ZCU 0014.
Almost every modern wireless device has an FCC ID. And generally you can look it up and the first thing that hits you in the face is the frequency.
So this is the wireless receiver for the presenter. Although I think Logitech uses this for all sorts of their keyboards, presenters, mice, or a universal receiver for them. I don't think it's encrypted or anything like that. 300 megahertz. 300 megahertz. Yeah, that's right. So this one's 2.474, but it goes from 24.05 to 24.74. So that's in the highest, the 2.4 gigahertz ISM band. But yeah, if you Google multicode, you find out that it's actually about 300 megahertz. So the first thing you do in that case is load up GQRX. And you can go to 300 megahertz.
My antenna is probably not set up for 300 megahertz, but that's fine. This thing, I can hold it right by the antenna. So even if it's not a very good antenna, you can see it. So, go to 300 megahertz. I'm gonna turn off my demodulation.
Okay, we've actually got a few interesting signals at, you know, 290 something. So I'm gonna push the button. You can see that this thing is definitely doing something, right? You can actually see it's a pretty terrible transmitter, actually, because it has some harmonics there at like 299 and somewhere above 300. Really, it's trying to transmit at 300. You can see from the waterfall also the power. And it didn't look like it was necessarily doing any sort of frequency modulation. It looks like it's drifting. But that doesn't necessarily indicate that it's doing frequency modulation. It could just be not a great transmitter. So we've seen it. So we've opened up GQRX, and we've seen the signal
that we want to analyze. So the next step is going back to GNU Radio Companion and actually starting to do an analysis of this thing. So we're going to go back to GNU Radio Companion. I think I closed it.
I already have a flow graph called Caption. But really, all you need is an OsmoCom source. And then we're going to use our FFT sink. We're going to look at it.
I have a frequency variable here. You can make one. So if you go to Samp Rate, and you hit Control-C, and then Control-V, you can paste variables. So that's sort of how I do new variables, if you want to have a frequency or something. OK.
So let's change our frequency from 1090 to 300.
And then we have our sample rate at 1.8 million. You can use 1.8 or 2. It's not a real big deal which one you use for this guy. Our RF gain is actually set. So for the RTL-SDR, you have several gain settings. You have the RF gain, which is sort of like the front end. You have the IF gain, which is the intermediate frequency, and then the BB gain, which is your baseband. We can actually set this to something pretty low. So I'm going to set it to 10. This really doesn't matter, but you really want to make sure you don't set it too high so that you're not blowing up the graph since you're not actually
seeing the data that you want. You want the data to be in a nice signal-to-noise ratio. You want it to be above the noise, but you don't want it to be so high above the noise that you max out and you're not going to be able to modulate it. OK, so you have your source, your FFT sink. We set our frequency to 300 megahertz. Let's go.
OK, so this is live.
I forgot to set the frequency for my FFT plot. Understand that 0 is 300 megahertz, right? So can you guys actually see it when I push this? Yeah. Yep. OK, do we want to try a collective capture here? Do you think we can do that? I'm going to at least capture it. Actually, you guys should have this in your VM already. So we don't have to go through that exercise of some sort of orchestrating a capture situation. There should be a file in the VM. Let's see, if we go to a file source. And then it's going to be different. It's going to be on the desktop under lab. Under lab. And then desktop, lab, labs, and multicode. Multicode with a
capital M. And then there's going to be a file. So I don't have the same directory layout, sorry, on my machine. But it's going to be called, I think it's going to be called multicode 300 megahertz. Yeah. 2M. Yep, 2M. So select that guy. And that's going to be our source, right?
So what do we need here that I forgot that you always need when you have a file source? Throttle. So it would have, I mean, you can try it. It's going to send samples at my FFT sink as fast as possible. So it's not real time. It's like running through the FFT as quickly as it can. And it's going to max out my CPU. Hopefully I can stop this before it gets out of hand. OK, there we go.
OK, trying that in a VM may not be a good idea.
OK, so we have our throttle at our sample rate. Oh, we need to change our sample rate because you can see from the file name it was sampled at 2 mega samples per second. So 2e to the 6 for our sample rate variable. And then that should change our throttle. And then we have our FFT sample. I'm going to go ahead and change the baseband frequency on my FFT sink. So we can see that it's .
Is everybody with me? Are we? Yeah, sorry. So we have our file source. It's got our file. We have our throttle. It's two mega samples per second. And then we have our FFT sink. That's going to be what we're going to use to look at it. So yeah.
So if you play that,
see something very similar to the live capture we just did. I actually captured this with my Ettus B200, and I think it has a lower noise floor, so you can't actually see the noise floor in this graph. You have to lower the, in fact let's do that. So if you close out of this and you change the reference level, so the reference level is zero, you can change it to negative 20 and alters the reference level.
Sorry, that's the ref level, dB. Then we look at this again, so we can actually see the noise floor now. It was at 100 before, now it's at a negative 120. So we can actually see the noise floor, and we can see our signal here. And we can see it just moving around. It's a horrible transmitter. But we can see that it looks like the strongest part of it is at about 300.1 megahertz. So that's actually probably where our signal lies. And it doesn't look like it's frequency modulated. So what we can do is actually look at it in something called the WXGUI scope, which is going to be the next tool that we use. So
if you search for the scope, you should see this WXGUI scope. Double click it, you can add it to your flow graph.
Ah, the scope sink, yeah. And then if we hit play on that guy,
we should see something that looks like an oscilloscope. I don't really have room for both of these on my screen. So I'm actually going to disable my FFT sink. And then we're going to run this back. And you should see something that looks like this. Now, this is not a very useful plot right now. But you should see silence. And then you see some waves. And then it looks like noise. So what we're going to do is we're going to turn off auto range. So it's auto ranging the signal for the range here, the counts, which is sort of the power level. So we're going to plus the counts per div, which is actually sort
of like an oscilloscope. We're going to increase the range here for this. So it's at 200 micro right now. So we want it to be bigger than that. So if you hit plus over here on the counts per div, you can see that this is sort of the noise. And then something's happening, right? Something that looks less like noise and more like signal.
And if you keep adding it, you begin to see something that looks like this. So there's sort of silence. And then there's transmission. Does everybody see that? OK. So this is our first hint that we have two phases here. We have the silence phase, and then we have some transmission. The two plots that you see are the I and Q components of the signal. So that's why you see two of them, because there's two samples coming in. So we can also do the seconds per div, just like in an oscilloscope. I don't know how many folks have used oscilloscopes before, but it's just like that. So you just up your seconds per division. And then you should see it start to look
more like this, right? So we're setting, you know, these are milliseconds now instead of microseconds. I don't know if the VMs you guys are using can handle this. It could be that it gets really slow trying to do this flow graph. But you begin to see these bursts, right? So can everybody see these bursts? Looks kind of like they're short and long. You can also let it stop at any point, and it shows you sort of this. So I'm going to keep zooming out just a little bit further. I'm going to run again, see if I can catch one here.
OK, you can also use this T offset, which moves you around inside of the scope once you stop it, once you hit the stop button. OK. So we have something that sort of kind of looks like long, short, long, short, long, short, long, long. It's hard to tell because there's two sort of channels here. But I'm getting the impression that it doesn't look like the amplitude is being modulated because they all seem to have the same sort of envelope, right? It seems like it's more like pulse, on off kind of stuff. So you see silence and then you see on and you see off and you see on off. So what we're going to do to make this easier to see is we're going to
do something called complex to mag. So complex to mag. It's in your type converters.
And so we're going to delete the connection between the throttle and the scope sink. We're actually going to connect this complex to mag in between them.
As you can see, we have a type mismatch here between our complex mag and our GUI scope sink. So we're going to go into our GUI scope sink and actually change that from complex to float.
OK. So what have we done when we said complex to mag? We've actually taken the I and Q signals, and we've actually squared them, and actually taken the magnitude of those values, which actually just gives us the envelope for the amplitude of the signal. So it's sort of like power. So it just gives us how much power is in the signal in a given time, sort of collapsed it into one dimension of how much is going on. So we want to know when the signal is on or off. So we only want to care about when it's on. So when it has high amplitude, it's going to go up. When it's low, when there's silence, it's going
to go down. So we sort of collapsed all that into one dimension. And you'll see how this is useful.
OK, so you can see we have one channel because we sort of collapsed everything in one dimension. You can get rid of our auto range again and sort of start doing our seconds per division and our counts per division. So you plus on both of those. Really counts is what you want to do, until you begin to see something that looks like this. And there's silence, and then it starts transmitting again. Does everybody sort of see that? So we've actually got the magnitude of this signal. So we have these
sorts of long, short, long, short. The pattern that we saw before when we had the waves, the sort of long, short, would sort of collapse it down into, OK, what kind of magnitude is in these waves? And we have this.
I'm going to keep stepping out our seconds per division so that we keep seeing more and more of the signal. Let's see if I can make this bigger slightly. OK. There we go.
It's kind of finicky sometimes. But so clearly, we have sort of a long, short pattern of on-off, right? And this is called on-off keying. So it sort of means there's nothing, and it's on, and it's off. I will tell you that these multicodes have 10 single bit positions on them. So that's how you set the code. It's either up or down. Up is a 1. Down is a 0. And so there's 10 codes, or 10 switches you flip on here. And that's how your garage door opener knows that you're trying to open your garage and not your friend's garage, and how your buddy can't just open your garage door, sort of, until he buys a software-defined radio. So we know that there's 10 things we
care about here. So we have 1, 2, 3, 4, 5, 6, 7, 8, 9, 10. And it really is that simple in this case. One of these represents a 1, and one represents a 0. So this one actually has short is 0, long is a 1 for the encoding scheme that they're using. And it's really that simple. So you don't need some fancy demodulator to actually get the bits out of the signal. You can just look at it in the scope, and it actually shows you the bits. And I can verify that it is what? 1, 0, 1, 0, 1, 0, 1, 1, 0, 1.
And so all you have to do, I know you can't transmit with an RTL-SDR, but you can pick up these multi-codes off of Amazon and then set the code to this. And then voila, you can open the garage door. Samy, the Samy worm guy, actually has a really awesome garage door opener brute force thing that's way more effective. This is not like state of the art security, but it is sort of how you analyze a signal that you've never seen before.
OK, so before we finish, I want to tell you how I demodulated this. And there's a Python script in the same multicode directory that will actually take in a file of these and then actually output the code in binary, like 1, 0, 1, 0, whatever. And you can do clock reconstruction to try to actually figure out where the clock is for these guys.
What you can also do is if you change this marker to dot large, you can actually see the raw samples in the signal. So each one of these dots is actually literally one sample from the SDR. So what you can do is you can literally write Python to count them. So it says, OK, there's 10 here, and let's say there's 30 here. Well, OK, if I receive the signal where it went up and it rose to high, we'll define high as being above maybe 0.002 or something like that. Then you count it. You say, OK, if it's between 28 and 32, because sometimes the SDR won't be perfect, and God knows this transmitter is not perfect. So there's a little bit of slop in it. But you can count
that, and you can say, OK, if I received 30 highs in a row, that's a 1. And if I received maybe 10, maybe 8 to 12, that's a 0. And you can actually do that and actually get the code out. Now, it's kind of finicky based on your amplitude, or sorry, your gain that you set. But it works pretty well for demodulating stuff. And there's some simple Python in there. I don't necessarily think we have time to go over it right now. But it's in the VM. So if you want to take a look at it, feel free to take a look at it. Because everything you can do in GNU Radio Companion, you can actually do in Python without having to use
the GUI at all, which allows you to do lots of things like count, where you can't really do that as much in a graphical flow graph. OK, that's about all I had. Do you guys have any questions?
Yes, sir? I was messing around with some different signal types in there before. I'm trying to do some conversions. And I get really confused with like, I know for the ones that we need to change the signal type, we just popped into the module and dropped down the type. But not all of them were that apparent. Is there any mapping of color to the type of signal that it's supposed to be? Yeah. Oh, you mean like in the documentation? Yeah. Good question. There probably is. I only have really dealt with float and complex. You could probably do something like this type converter and just drag all of them over and see what color they are. So this is a complex to imaginary, I guess. So imaginary has a
color. I can't help you out with what color it is. But in complex to real, just kind of look at them. Yeah, I would say you generally don't need to convert the type unless you're doing something like complex and you're doing a type conversion. Or you're doing something like your demodulation with your wideband or your FM demodulator and actually converts the type. I think I was doing something with pager signals. And it was giving me purple. I'm going to do it purple. What's purple? I can't remember. It's like a lot more time ago. Right. So what you can do is go look at the Python or the C++ API, and they'll actually have the input and output types written in the code. So you can check that
out if you know the module that we're using. Yeah, it goes. That would help you out. Anything else? So guys, yeah, feel free to explore. It's pretty awesome. You can see what's around. And if you have any desire to check out, my mom has like wireless candles, like they're candles that you can turn on in the remote. And those are 2.4 gigahertz. But you know, there's a lot of stuff that's 300 megahertz, 27 megahertz. I had a keyboard that I really wanted to demo and I'm almost done demodulating it. But it's those 27 megahertz old keyboards with like the big receivers. Most of them are 2.4 gigahertz nowadays. But the older ones were 27 megahertz. And I'm kind of
working on demodulating those. So you know, it's pretty cool. And understand you can also transmit, right? I mean, if you have not the RTL-SDR, but if you have maybe a HackRF, you can also transmit. And that really opens the door for attackers to kind of attack. So if you're doing an analysis or a pen test of a system, you have to understand that attackers are going to have this sort of technology in the near term future. And stuff like GNU Radio makes it really easy for them to actually build something to sort of attack your infrastructure or just to listen to your infrastructure. If you have a pager system that you use, say, at
a hospital or something, and someone's actually sniffing all of that, that could be bad. And you'd want to know about that. So if you're doing defense for them, you could build something and then show it to the company and then try to get it fixed. But a lot of this stuff is hardware, so it's going to take longer than a simple patch. The 27 megahertz keyboard, do you have to be pretty close to the sniffing? You have to be pretty close, yeah. You could probably design some sort of 27 megahertz Yagi or some sort of thing or that could actually detect it from further away. But those you have to be pretty close, yeah. The actual range on the keyboards
themselves is not that good. Yeah, it's horrible. 2.4 gigahertz is way better. Yes, sir? What's the antenna sizes? Once GUI, you use a short 5-inch one. For this, it's FM radio and other stuff that's full on. Yep. So generally, the general algorithm is the lower the frequency, the larger the antenna you need. So you'll notice that 2.4 gigahertz antennas are pretty short. and say the FM antennas are very large. But like I said, you can just Google antenna size for a whip antenna, and it'll tell you the correct size for the telescopic antenna. There's all sorts of antenna sizes, and you can buy a Yagi off the internet. And generally, they'll trade off an omnidirectional capacity for targeted. So if you actually want to listen to something
in a specific direction, you can get a better DB game for that, but you won't be able to see stuff behind you. or something like that. All right. Thank you guys so much. Yes? I just wanted to contribute one thing. So as you know, I've been trying to do something that turns out is exactly the same as your broadsoral. Oh, really? It's the next same coding and everything. You can have the Python. Well, yeah. No, the scope cloud is an excellent for me. But there was a tool that I came across. It was a lot of help just beforehand. And I just saw that it gave the same output, just in binary. There's a tool called RTL underscore 443, which is focused on
decoding, transmissions from a lot of wireless weather stations or wireless doorbells and that kind of stuff. RETO MEIER- RTL443. RETO MEIER- RTL443. But you can set it to whatever frequency you want. So it's not just 443. RETO MEIER- Right. Yeah. I mean, this is 350 megahertz. RETO MEIER- OK. RETO MEIER- And it has an analyzer that's actually really useful figuring out what kind of encoding is being done and actually spew hex for what bits are in particular. I'll just use one now. Oh, cool. Yeah, there's actually a cool tool that I was using when doing this called the binary slicer. And what the binary slicer does is it will actually, everything that's above 0, it will convert to a 1 for that sample.
And everything that's below 0 will convert to a 0. So when you have a signal that's like this, where it's sort of a square wave kind of thing, you can actually shift it downward. And then you can say all 1's for everything above, and then all 0's for everything below. You can dump that to a file and then just count things as opposed to actually doing it. So it's actually pretty neat. And there's a lot of stuff. GNU Radio is not wonderfully documented, and I'm sorry. But Michael Ossmann's tutorial series is excellent. And so I would watch all of them. And it's great, especially his explanation of I and Q and that sort of thing. It takes a long time for
that to sort of sink in and how complex signals work. But he gives a good explanation. Thank you guys. Okay, so just a couple quick things. So I wanted to say thank you, Hack Pittsburgh, for hosting us here tonight. They actually are having an event I think tomorrow night, almost along these lines. It's like an intro to Python class. So if anybody here who hasn't done Python in the past and is interested in getting into it, do you know what time that starts? 7:30. 7:30, 7:30 p.m. tomorrow right here. You can get your Instagram Python on. And from what I hear, they may be doing more than one, so they may get progressively more advanced with
that. So if you want to get into Python, that might be a good opportunity to do that. And again, thank you, Hack Pittsburgh, for hosting us here. We do almost all of our hands-on labs here. So our next event is the second Thursday of next month. That's kind of a recurring theme, second Thursday in the evening. It's just a networking event, so we're going to go grab a couple beers, Penn Brewery. So all the information is on the website if you guys want to come out and hang out and talk. It's just mostly a social event. And then, like I said, next quarter we're gonna be doing automotive security, so there's gonna be two researchers
from local security companies that have done research in that area, and there'll be more information about that on the website. If anybody else wants an RTL SDR, I have a couple left, just a couple. If you want a second one or you know somebody wants one or whatever, or I can just hang around with them. Just let me know after this event or if you decide at the next event you want one, I go to pretty much all of my own events. So I can bring it then as well because they're 30 bucks each. So maybe even discounted now that I have a couple left there, maybe 20 bucks, 20 bucks. So that's pretty much it. Thanks for coming out, everyone. I'll see you
guys on the hero's. Yes.