Swag Bag Lab

Way West 2021 Swag Bag Lab

Welcome to the Swag Bag Lab page for the 2021 Wild West Hackin’ Fest – Way West Conference. This year’s Swag Bag Lab includes an introduction to software-defined radio (SDR) along with a scavenger hunt. There’s both an in-person and virtual scavenger hunt; if you’re in person, you can do both, if you’d like.

In addition to the Swag Bag Lab found on this page, we have an introduction lab for all attendees to get you familiar with some of the tools and hardware used for the Swag Bag Lab. This introduction lab might be helpful if you are new to software-defined radio (SDR) or have never used GQRX, an SDR application. You can find the introduction lab here: https://wildwesthackinfest.com/way-west/intro-to-sdr/.

Note: We will reuse the software below for the Deadwood 2021 Wild West Hackin’ Fest Swag Bag Lab. So be sure to hang on to it (and don’t lose it) if you are planning on attending that conference.

Disclaimer

Any time you transmit a radio signal, be sure you are following the laws and regulations that apply to your location. Like the air we all breathe, the radio spectrum is a shared resource, so it’s important to be careful how you use it.

The rules and penalties for violation are handled in the US by the FCC, in Canada by the ISED, and in other countries by similar agencies. The rules are generally easy to find and understand. Enforcement tends to be strict. Some Amateur Radio operators make a game of finding and reporting violators, so don’t think nobody will notice.

Specifically for this lab, do not modify the transmitter module by amplifying the transmitted signal (whether by an amplifier circuit or by attaching a frequency-matched wire antenna that may be too effective). If you can receive your transmitted signal from more than about 200 feet away, you may be in violation. See https://docs.fcc.gov/public/attachments/DOC-297510A1.pdf for the details of the FCC rule.

If you keep the transmitter and receiver within about a foot or two of each other during the lab, you won’t need an antenna at all on the transmitter.

When transmitting any data, be sure you don’t accidentally break any laws by illegally transmitting on regulated frequencies. In the US, there are some frequencies that are illegal to even listen to, such as the parts of the 800 MHz and 900 MHz bands still used for cordless telephones. Learn the rules and you’ll be fine. One great way to learn the rules is to pass the licensing exam as an Amateur Radio Operator. The ARRL has guides and more information about how to do that at http://www.arrl.org/getting-licensed.

Introduction

The intent of this lab is to offer an introduction to software-defined radio (SDR) and some of the tools available for forensic analysis of radio frequency (RF) signals. Additionally, it provides an opportunity to present participants with the hardware that we use in some of our on-site conference hardware labs. Participants can revisit the lab in the comfort of their homes as well as use the hardware for future SDR labs and events.

Objectives for this Lab

  • Set up an FM Transmitter module to provide a “live” audio signal to capture using software-defined radio hardware and software
  • Perform a basic setup of the GQRX SDR application
  • Introduce a few tools available to dissect and evaluate captured demodulated signals

FM Transmitter and Audio Player hardware assembly instructions

Locate the following items in the swag bag:

  • (1) FM Transmitter (w/ LCD display) module
  • (1) Audio Player (w/ microSD holder) module
  • (1) MicroSD card (might already be inserted into the Audio Player)
  • (2) MicroUSB power cables (Audio player and FM Transmitter)
  • (1) 2-slot USB wall plug
  • (1) 3.5mm stereo audio cable
  • (1) Nooelec RTL-SDR receiver dongle w/antenna

You can see the parts included in Swag Bag Lab below:

Assembly instructions: (reference Figure 1)

  • Step 1: Insert the microSD card into the microSD holder of the Audio Player module (if not already inserted).
  • Step 2: Attach one end of 3.5mm audio cable to the (black) line-out connector of the Audio Player module and the other end to the line-in connector of the FM Transmitter module. Be sure that both ends are tightly seated.
  • Step 3: Use a micro-USB cable to connect the Audio Player module to one of the open slots of the 2-slot USB wall plug.
  • Step 4: Use the other microUSB power cable to connect the FM Transmitter to the remaining open slot of the 2-slot USB wall plug.
  • Step 5: Plug the 2-slot USB wall plug into an available wall outlet to power both modules. Keep the FM Transmitter module within a foot or so of the Nooelec RTL-SDR receiver dongle during the lab.

Hardware power up:

Upon powering up, the FM Transmitter will illuminate and display “HI” and then immediately display its default frequency; also, a red LED on the Audio Player module will blink indicating the audio file on the microSD is playing on a loop.

The audio file (mp3) stored on the microSD card has been carefully crafted with two seconds of silence appended to the end of the file. This lets the Audio Player loop the file continuously while leaving a two-second break between sessions. You can verify the file against the following SHA1 digest:

SHA1(WWHF.mp3)= 013cf859e0991424506dd4102614d24b75d295d8

Note: A quick check that the hardware is working is to tune an ordinary FM radio to the frequency displayed on the FM Transmitter module. If you hear the demodulated audio, the hardware is working as expected.

If no audio is heard, recheck the steps above, ensure there is a programmed microSD installed in the Audio Player, ensure all cable connections are secure, ensure the FM Transmitter display is illuminated and displaying a clear frequency, ensure the radio is tuned to this frequency, and ensure the red LED is blinking on the Audio Player module.

Important: You can adjust the transmitting frequency up or down by pressing the FRE+ or FRE- buttons on the FM Transmitter module. You should locate a frequency that is not busy with local radio station broadcasts in your area, which can interfere with your transmission.

Software-Defined Radio (SDR) Setup

If you downloaded the live USB from the link included in the Intro to SDR lab at https://wildwesthackinfest.com/way-west/intro-to-sdr/, then you do not need to conduct the following steps to install the software.

Note: Testing of this Swag Bag Lab was conducted using the following software:

  • Ubuntu 18.04.5 LTS (available from http://releases.ubuntu.com/18.04/)
  • GQRX version 2.9
    • GQRX 2.8 and 2.12 are known to NOT WORK for this lab.
    • GQRX 2.12 is the default version on Ubuntu 20.04.
  • Audacity version 2.2.1

Install GQRX software

sudo apt update

sudo apt install gqrx-sdr

IMPORTANT: The lab requires GQRX version 2.9.

Attach the Nooelec RTL-SDR dongle to an available USB slot on the PC.
Ensure an antenna is attached to the Nooelec RTL-SDR dongle.

Run gqrx

Please refer to the Intro to SDR link (https://wildwesthackinfest.com/way-west/intro-to-sdr/) for screenshots and further information for the below instructions if needed.

gqrx -e    (the -e flag prompts you to select your SDR hardware as GQRX starts up)

  • Ensure the device is set to the RTL-SDR dongle and click OK.
  • Click on the Receiver options tab.
  • Adjust the frequency setting to match your FM transmitting frequency (GQRX takes the frequency in Hz, so 89.1 MHz = 89 100 000 for this example).
  • Zero out any offset value (Note: The offset displayed below is the fine-tuning adjustment required for our locale).
  • Select Mode “WFM (stereo)” (wideband, FM, stereo).
  • Set AGC (automatic gain control) to Fast.
  • Click the “Play” button.

Note: You will likely need to make a slight adjustment to get centered on the actual FM transmission. Simply left-click in the center of the signal peak (as shown below). The red line will move to this position. The screenshot below shows that the received signal is at 89.115 MHz (whereas the transmit frequency indicated on the FM module was 89.1 MHz; this minor offset is normal). Alternately, you can fine-tune the frequency by changing the digits in the upper right-hand corner.

Recording and saving the demodulated audio signal

Listen to the audio signal and watch the waterfall. When the audio signal cycle completes, there will be a two-second silence in the signal; nothing will be heard, and the waterfall will show a constant signal level. During this silence, click the REC (Record) button at the bottom right of the display one time and monitor another full cycle of the audio signal session. When the silence occurs again, click the REC button again to stop the recording.

GQRX saves this recorded sample using the following naming convention: gqrx_date_time_frequency.wav

For example: gqrx_20210328_184039_89115000.wav was recorded on March 28, 2021, at 18:40:39 local time while tuned to 89.115 MHz.

At this point, we can power down the FM Transmitter / Audio Player hardware. Clicking the Play button from the “Audio” tab (see below) will replay the captured audio signal and display the GQRX-generated filename. There will be no waterfall running during the replay.

Locate the saved GQRX .wav audio file and make note of its folder location.

Install Audacity

sudo apt update

sudo apt install audacity

Open Audacity

Click File -> Import -> Audio and locate your saved GQRX .wav file.

After the file loads, make two selections from the drop-down menu by clicking the upside-down triangle as indicated in the image below.

The “Waveform (dB)” view makes the on and off pulses in the signal more prominent. The “Split Stereo Track” item allows you to work with the two channels independently.

Click the Solo button for the left channel.

When we click the Solo button and then click Play, we can hear what appears to be Morse code. From the screenshot above, we can clearly see the dots and dashes making up the audio we hear when soloing on each channel (left and right). The screenshot also shows us that the left and right channels appear to have two distinctively different patterns.

NOTE: If you do not see different patterns between the left and right audio, it could be that you are running the wrong version of GQRX, or that the receiver was set to “WFM (mono)”, “Narrow FM”, or another non-stereo setting when the recording was made. GQRX 2.12 will also record in mono, even when the transmitted signal is stereo, if the signal-to-noise ratio is too low. Most FM radios do this automatically as well.

At this point, we could use Audacity to save the left and right channels as two separate .wav files for further analysis; however, there is also a cool Linux command line tool that will do this for us quickly and efficiently. FFmpeg is a collection of libraries and tools to process multimedia content such as audio, video, subtitles, and related metadata.

Install FFmpeg

sudo apt update

sudo apt install ffmpeg

Note: Testing of this lab was conducted using FFmpeg 3.4.8 (the Ubuntu 18.04 package). The -map_channel option used below has since been deprecated in newer FFmpeg releases in favor of the channelsplit filter, so on a current distribution expect a deprecation warning or use the filter instead.

Split channels into separate left/right audio files

ffmpeg -i gqrx_20210521_155306_89115000.wav -map_channel 0.0.0 left.wav -map_channel 0.0.1 right.wav

Based upon our analysis of the data in Audacity, we can see that each channel carries on-off keying (OOK), the simplest form of amplitude-shift keying (ASK): a single audio tone that is switched on and off. Morse code sent as continuous wave (CW) is exactly this kind of OOK. Note that here the keying is applied to the audio tone inside the FM transmitter’s baseband, not to the RF carrier itself, which is why we first demodulate the signal with WFM and then look at the amplitude of the recording. We can therefore conclude that we have two distinct Morse code messages, one on the left channel and one on the right channel.

A quick search online can provide us with an abundance of information pertaining to Morse code decoding. There are plenty of sites displaying Morse code charts, images, and software applications for decoding and encoding Morse code. For example, you can learn more about Morse code here: https://en.wikipedia.org/wiki/Morse_code.

With the help of any one of these sites, we could manually decode our data fairly easily. But there’s an even faster way. A quick Google search of “Online Morse code decoder” provides us with https://morsecode.world/international/translator.html, where we can input the dots (“.”) and dashes (“-”), and the tool will output the corresponding alphanumeric text.
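The classification described above (shortest burst is a dot, a burst about three times as long is a dash, gaps of one, three and seven dot lengths separate elements, letters and words) can also be done offline. The script below is an added example, not code from the lab page: it reads a 16-bit PCM stereo WAV such as GQRX writes, builds a crude RMS envelope per channel, thresholds it into on/off runs, derives the dot length from the shortest “on” run, and maps the resulting dots and dashes through the International Morse table. The 5 ms envelope block, the 30%-of-peak threshold and the sample messages “SOS” and “WAY WEST” used to build the constructed test input are all assumptions for the example, not values from the lab.

```python
"""Decode on-off-keyed Morse audio from a stereo WAV (one message per channel).

Added example, not code from the original lab. Assumes a 16-bit PCM WAV as
written by GQRX, a single audio tone keyed on/off per channel, and that the
shortest 'on' burst in a channel is one dot. Envelope levels below 30% of the
channel's peak are treated as 'off' (an assumed threshold; tune for noisy input).
"""
import io
import math
import struct
import sys
import wave

MORSE = {
    ".-": "A", "-...": "B", "-.-.": "C", "-..": "D", ".": "E", "..-.": "F",
    "--.": "G", "....": "H", "..": "I", ".---": "J", "-.-": "K", ".-..": "L",
    "--": "M", "-.": "N", "---": "O", ".--.": "P", "--.-": "Q", ".-.": "R",
    "...": "S", "-": "T", "..-": "U", "...-": "V", ".--": "W", "-..-": "X",
    "-.--": "Y", "--..": "Z", "-----": "0", ".----": "1", "..---": "2",
    "...--": "3", "....-": "4", ".....": "5", "-....": "6", "--...": "7",
    "---..": "8", "----.": "9",
}
MORSE_INV = {v: k for k, v in MORSE.items()}


def read_wav_channels(src):
    """Return (sample_rate, [channel0_samples, channel1_samples, ...])."""
    with wave.open(src, "rb") as w:
        nch, width, rate = w.getnchannels(), w.getsampwidth(), w.getframerate()
        frames = w.readframes(w.getnframes())
    if width != 2:
        raise ValueError("expected 16-bit PCM, got %d-byte samples" % width)
    samples = struct.unpack("<%dh" % (len(frames) // 2), frames)
    return rate, [samples[i::nch] for i in range(nch)]


def envelope(samples, rate, block_ms=5):
    """RMS level of consecutive block_ms windows: a crude amplitude envelope."""
    n = max(1, rate * block_ms // 1000)
    return [math.sqrt(sum(s * s for s in samples[i:i + n]) / n)
            for i in range(0, len(samples) - n + 1, n)]


def to_runs(env, threshold):
    """Collapse the envelope into alternating [is_on, length_in_blocks] runs."""
    runs = []
    for level in env:
        on = level > threshold
        if runs and runs[-1][0] == on:
            runs[-1][1] += 1
        else:
            runs.append([on, 1])
    return runs


def runs_to_morse(runs):
    """Classify runs against the dot unit: 1 dot, 3 dash/letter gap, 7 word gap."""
    ons = [length for on, length in runs if on]
    if not ons:
        return ""
    dot = min(ons)  # assumption: the shortest burst is a clean dot, not a glitch
    out = []
    for on, length in runs:
        if on:
            out.append("." if length < 2 * dot else "-")
        elif length >= 5 * dot:
            out.append(" / ")   # word gap (nominally 7 dots)
        elif length >= 2 * dot:
            out.append(" ")     # letter gap (nominally 3 dots)
        # gaps of about one dot separate elements within a character
    return "".join(out).strip(" /")


def morse_to_text(code):
    """'... --- ... / -.-. --.-' -> 'SOS CQ'; unknown symbols become '?'."""
    words = ["".join(MORSE.get(sym, "?") for sym in word.split())
             for word in code.split("/")]
    return " ".join(w for w in words if w)


def decode_wav(src):
    """Decode every channel of a WAV path or file object; one string per channel."""
    rate, channels = read_wav_channels(src)
    texts = []
    for samples in channels:
        env = envelope(samples, rate)
        peak = max(env, default=0)
        runs = to_runs(env, 0.3 * peak) if peak else []
        texts.append(morse_to_text(runs_to_morse(runs)))
    return texts


def synth_stereo_wav(left_text, right_text, rate=8000, dot_ms=60, tone_hz=700):
    """Constructed test input: two keyed tones with a 2 s lead-in silence, as WAV bytes."""
    def keyed(text):
        pcm = [0] * (2 * rate)
        unit = rate * dot_ms // 1000
        tone = [int(12000 * math.sin(2 * math.pi * tone_hz * i / rate)) for i in range(3 * unit)]
        for wi, word in enumerate(text.upper().split()):
            if wi:
                pcm += [0] * (7 * unit)
            for ci, ch in enumerate(word):
                if ci:
                    pcm += [0] * (3 * unit)
                for ei, el in enumerate(MORSE_INV[ch]):
                    if ei:
                        pcm += [0] * unit
                    pcm += tone[:unit] if el == "." else tone[:3 * unit]
        return pcm + [0] * rate
    left, right = keyed(left_text), keyed(right_text)
    n = max(len(left), len(right))
    left += [0] * (n - len(left))
    right += [0] * (n - len(right))
    interleaved = [v for pair in zip(left, right) for v in pair]
    buf = io.BytesIO()
    with wave.open(buf, "wb") as w:
        w.setnchannels(2)
        w.setsampwidth(2)
        w.setframerate(rate)
        w.writeframes(struct.pack("<%dh" % len(interleaved), *interleaved))
    buf.seek(0)
    return buf


if __name__ == "__main__":
    # Usage: python morse_wav.py gqrx_..._89115000.wav   (or left.wav / right.wav)
    src = sys.argv[1] if len(sys.argv) > 1 else synth_stereo_wav("SOS", "WAY WEST")
    for idx, text in enumerate(decode_wav(src)):
        print("channel %d: %s" % (idx, text))
```

Because it decodes every channel of the file, the script can be pointed straight at the GQRX recording without first splitting it with FFmpeg. On a real capture the dot estimate comes from the shortest burst, so a noise spike that crosses the threshold will shrink the unit and turn everything into dashes; if that happens, raise the threshold factor or lengthen the envelope block before trusting the output.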

Conclusion

To complete this Swag Bag Lab, you will need to decode the embedded messages using the aforementioned tools and hardware. One decoded message will provide a 32-character hexadecimal value. When you discover the value, append it to the following URL: https://labs.wwhf.fun/. The URL should read https://labs.wwhf.fun/HEX-VALUE, where “HEX-VALUE” is the hex value that you discovered. The other decoded message will provide you with an AES ECB cipher key that you will need after you navigate to your newly appended URL.

When you arrive at your newly formed URL, you will need to discover the secret message embedded within the page.

IMPORTANT: Please do not perform resource-intensive attacks against the web pages (e.g., running content discovery or brute-force attacks). This is considered out of scope.

Good luck!!

After the Wild West Hackin’ Fest Deadwood 2021 conference in September, we will post a solution file for both conferences.

Problems or questions? Check out the Appendix below or post a question in the #swag-bag-lab channel in the conference Discord server.

Appendix

Troubleshooting Section

Problem:                      No red blinking LED on Audio Player module when powered up
Possible cause:           MicroSD card missing, corrupt, or not fully seated
Possible cause:           Defective microUSB power cable
Fix:                              Download file for MicroSD card at https://labs.wwhf.fun/SBL.mp3

Problem:                      Stereo waveform appears as mono waveform in Audacity
Possible cause:           Use of a GQRX version that is NOT 2.9
Possible cause:           Transmitter too far from SDR dongle (signal to noise ratio too low)
Possible cause:           GQRX not tuned to the center frequency during recording

Problem:                      No signal visible in GQRX
Possible cause:           GQRX not set to use correct SDR hardware
Possible cause:           GQRX “Play” button not activated
Possible cause:           Loose 3.5mm patch cable between Audio Player and FM transmitter
Possible cause:           GQRX not tuned to same frequency as shown on FM transmitter

Problem:                     Sound from GQRX is garbled or otherwise unclear
Possible cause:           Receiver not set to “WFM (Wideband FM)”
Possible cause:           GQRX not tuned to center frequency of transmitter
Possible cause:           Interference from other radio sources in the area

If you are not using the live USB and GQRX does not play from your RTL-SDR (no active waterfall and no sound), try the following.

1. Open a terminal and confirm you’re in your home directory. This is the preferred convention and will be assumed throughout this text.

2. Update your distribution.
sudo apt-get update

3. Install the tools needed to retrieve (git), compile (cmake) and build (build-essential).
sudo apt-get install git
sudo apt-get install cmake
sudo apt-get install build-essential

4. Install libusb-1.0-0-dev which is a C library that provides generic access to USB devices.
sudo apt-get install libusb-1.0-0-dev

5. Retrieve, compile and install the RTL2832U Osmocom drivers from source.
git clone git://git.osmocom.org/rtl-sdr.git
cd rtl-sdr/
mkdir build
cd build
cmake ../ -DINSTALL_UDEV_RULES=ON
make
sudo make install
sudo ldconfig
sudo cp ../rtl-sdr.rules /etc/udev/rules.d/

6. Blacklist the default driver that is automatically loaded for using the dongle as a TV device as it doesn’t work for SDR purposes and clashes with the new Osmocom drivers we just installed.
A. Open your /etc/modprobe.d folder as an administrator.
B. Create a new file ‘blacklist-rtl.conf’ and add this one line: blacklist dvb_usb_rtl28xxu
C. Save the file, close the editor and restart the machine.
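The six steps above can be collected into one script that is safe to rerun, which is handy when a build fails halfway or when you are not sure whether the blacklist was ever applied. The script below is an added example, not part of the lab page: it performs the same package install, clone, build and blacklist steps, and adds a check that the kernel’s DVB driver is not still holding the dongle. It assumes a Debian/Ubuntu system with apt and sudo, uses the clone URL given above, and takes the lsmod text as an argument so the conflict check can be exercised on canned output.

```shell
#!/bin/sh
# Added example (not from the lab page): the appendix's RTL-SDR driver steps as an
# idempotent script, plus a check that the kernel DVB driver is not claiming the dongle.
# Assumes Debian/Ubuntu with apt and sudo; the clone URL is the one the lab gives.
set -eu

RTL_MODULE="dvb_usb_rtl28xxu"
BLACKLIST_FILE="/etc/modprobe.d/blacklist-rtl.conf"

# Return 0 if the conflicting DVB module appears in lsmod-style text ($1).
dvb_module_loaded() {
    printf '%s\n' "$1" | awk -v m="$RTL_MODULE" '$1 == m { found = 1 } END { exit !found }'
}

# Return 0 if modprobe.d file content ($1) already has an active blacklist line.
blacklist_present() {
    printf '%s\n' "$1" | grep -Eq "^[[:space:]]*blacklist[[:space:]]+$RTL_MODULE([[:space:]]|\$)"
}

install_build_deps() {
    sudo apt-get update
    sudo apt-get install -y git cmake build-essential libusb-1.0-0-dev
}

build_rtlsdr() {
    cd "$HOME"
    [ -d rtl-sdr ] || git clone git://git.osmocom.org/rtl-sdr.git
    mkdir -p rtl-sdr/build
    cd rtl-sdr/build
    cmake ../ -DINSTALL_UDEV_RULES=ON
    make
    sudo make install
    sudo ldconfig
    sudo cp ../rtl-sdr.rules /etc/udev/rules.d/
}

blacklist_dvb() {
    existing=""
    if [ -f "$BLACKLIST_FILE" ]; then
        existing=$(cat "$BLACKLIST_FILE")
    fi
    if blacklist_present "$existing"; then
        echo "$BLACKLIST_FILE already blacklists $RTL_MODULE"
    else
        printf 'blacklist %s\n' "$RTL_MODULE" | sudo tee -a "$BLACKLIST_FILE" >/dev/null
    fi
    # Unload it now so the dongle is usable without waiting for a reboot.
    if dvb_module_loaded "$(lsmod)"; then
        sudo modprobe -r "$RTL_MODULE"
    fi
}

check() {
    if dvb_module_loaded "$(lsmod)"; then
        echo "WARNING: $RTL_MODULE is loaded; GQRX cannot open the dongle until it is removed"
        return 1
    fi
    echo "OK: $RTL_MODULE is not loaded"
}

case "${1:-}" in
    install) install_build_deps; build_rtlsdr; blacklist_dvb ;;
    check)   check ;;
    *)       echo "usage: $0 install|check" >&2 ;;
esac
```

Run it as `sh rtlsdr-setup.sh install` once, then `sh rtlsdr-setup.sh check` after replugging the dongle; a WARNING means the blacklist did not take effect (for example, the file was written but the module was already loaded and the machine was not rebooted).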