
A hacker's primer on RF

This article I found in PHRACK magazine made me laugh (published in 1996), and is an interesting point of view on Radio Frequency... It is also an excellent primer on the workings of RF. I wouldn't screw around with people the way he talks about, though.




        The Beginners Guide to RF hacking

                by Ph0n-E of BLA & DOC


     Airphones suck.   I'm on yet another long plane ride to some
wacky event.  I've tried dialing into my favorite isp using this lame GTE
airphone, $15 per call no matter how long you "talk".  In big letters it
says 14.4k data rate, only after several attempts I see the very fine
print, 2400 baud throughput.  What kind of crap is that?  A 14.4 modem that
can only do 2400?  It might be the fact they use antiquated 900MHz AM
transmissions.  The ATT skyphones that are now appearing use Inmarsat
technology, but those are $10/minute.  Anyway they suck, and I have an
hour or so before they start showing Mission Impossible so I guess I'll
write this Phrack article Route has been bugging me about.

   There are a bunch of people who I've helped get into radio stuff, five
people bought handheld radios @ DefCon...  So I'm going to run down some
basics to help everyone get started.  As a disclaimer, I knew nothing about
RF and radios two years ago.  My background is filmmaking, RF stuff is just
for phun.

   So why the hell would you want to screw around with radio gear?  Isn't it
only for old geezers and wanna be rentacops?  Didn't CB go out with Smokey
& the Bandit?  

Some cool things you can do:

   Fast-food drive thrus can be very entertaining, usually the order taker
is on one frequency and the drivethru speaker is on another.  So you can
park down the block and tell that fat pig that she exceeds the weight
limit and McDonalds no longer serves to Fatchix.  Or when granny pulls up
to order those tasty mcnuggets, blast over her and tell the nice MCD slave
you want 30 happy meals for your trip to the orphanage.  If you're lucky
enough to have two fast food palaces close to each other you can link them
together and sit back and enjoy the confusion.

   You've always wanted a HERF gun, well your radio doubles as a small
scale version.  RF energy does strange and unpredictable things to 
electronic gear, especially computers.  The guy in front of me on the plane
was playing some lame game on his windowz laptop which was making some very 
annoying cutey noises.  He refused to wear headphones, he said "they mushed 
his hair...".  Somehow my radio accidentally keyed up directly under his
seat, there was this agonizing cutey death noise and then all kinds of cool
graphics appeared on his screen, major crash.  He's still trying to get it
to reboot.

   Of course there are the ever popular cordless phones.  The new ones work
on 900MHz, but 90% of the phones out there work in the 49MHz band.  You can
easily modify the right ham radio or just use a commercial low band radio
to annoy everyone.  Scanning phone calls is OK, but now you can talk back,
add sound effects, etc...  That hot babe down the street is talking to
her big goony boyfriend, it seems only fair that you should let her know
about his gay boyfriend.  Endless hours of torture.

   You can also just rap with your other hacker pals (especially useful at
cons). Packet radio, which allows you up to 9600 baud wireless net
connections, it's really endless in its utility.

How to get started:

   Well you're supposed to get this thing called a HAM license.  You take 
this test given by some grampa, and then you get your very own call sign.
If you're up to that, go for it.  One thing though, use a P.O. box for your
address as the feds think of HAMs as wackos, and are first on the list when
searching for terrorists.  Keep in mind that most fun radio things are 
blatantly illegal anyway, but you're used to that sort of thing, right?

   If you are familiar with scanners, newer ones can receive over a very
large range of frequencies, some range from 0 to 2.6 GHz.  You are not going
to be able to buy a radio that will transmit over that entire spectrum.  There
are military radios that are designed to sweep large frequency ranges for
jamming, bomb detonation, etc. - but you won't find one at your local radio
shack.

A very primitive look at how the spectrum is broken down into sections:

  0 - 30MHz (HF)  Mostly HAM stuff, short-wave, CB.
 30 - 80MHz (lowband)  Police, business, cordless phones, HAM
 80 - 108MHz (FM radio)  You know, like tunes and stuff
110 - 122MHz (Aircraft band) You are clear for landing on runway 2600
136 - 174MHz (VHF)  HAM, business, police
200 - 230MHz Marine, HAM
410 - 470MHz (UHF)  HAM, business
470 - 512MHz T-band, business, police
800MHz cell, trunking, business
900MHz trunking, spread spectrum devices, pagers
1GHz+ (microwave) satellite, TV trucks, datalinks

   Something to remember, the lower the frequency the farther the radio waves
travel, and the higher the frequency the more directional the waves are.

   A good place to start is with a dual band handheld.  Acquire a Yaesu
FT-50.  This radio is pretty amazing, it's very small, black and looks cool.
More importantly it can easily be modded.  You see this is a HAM radio, it's
designed to transmit on HAM bands, but by removing a resistor and solder
joint, and then doing a little keypad trick you have a radio that transmits
all over the VHF/UHF bands.  It can transmit approximately 120-232MHz and
315-509MHz (varies from radio to radio), and will receive from 76MHz to about
1GHz (that's 1000MHz lamer!), and yes that *includes* cell phones.  You also
want to get the FTT-12 keypad which adds PL capabilities and other cool stuff
including audio sampling.  So you get a killer radio, scanner, and red box all
in one! Yaesu recently got some heat for this radio so they changed the eprom
on newer radios, but they can be modified as well, so no worries.

   Now for some radio basics.  There are several different modulation schemes,
SSB - Single Side Band, AM - Amplitude Modulation, FM - Frequency Modulation,
etc.  The most common type above HF communications is NFM, or Narrow band 
Frequency Modulation.

There are three basic ways communication works:

Simplex - The Transmit and Receive frequencies are the same, used for short
distance communications.

Repeater - The Transmit and Receive frequencies are offset, or even on
different bands.

Trunking - A bunch of different companies or groups within a company share
multiple repeaters.  If you're listening to a frequency with a scanner and
one time it's your local Police and the next it's your garbage man, the fire
dept... - that's trunking.  Similar to cell phones you get bits and pieces 
of conversations as calls are handed off among repeater sites.

   Their radios are programmed for specific "talk groups", so the police only
hear police, and not bruno calling into base about some weasel kid he found
rummaging through his dumpsters.  There are three manufacturers - Motorola,
Ericsson (GE), and EF Johnson.  EFJ uses LTR which sends sub-audible codes 
along with each transmission, the other systems use a dedicated control 
channel system similar to cell phones.  Hacking trunk systems is an entire 
article in itself, but as should be obvious, take out the control channel 
and the entire system crashes (in most cases).

   OK so you got your new radio, you tune around and you find some security
goons at the movie theater down the street.  They are total losers so you
start busting on them.  You can hear them, but why can't they hear you?
The answer-- SubAudible Tones.  These are tones that are constantly
transmitted with your voice transmission - supposedly subaudible, but if
you listen closely you can hear them.  Without the tone you don't break
their squelch (they don't hear you.)  These tones are used to keep nearby
users from interfering with each other and to keep bozos like you from
messing with them.  There are two types, CTCSS Continuous Tone-Coded Squelch
System (otherwise known as PL or Privacy Line by Motorola) or DCS Digital
Coded Squelch (DPL - Digital Privacy Line).  If you listened to me and got
that FT-50 you will be styling because it's the only modable dual band that
does both.  So now you need to find their code, first try PL because it's
more common.  There is a mode in which the radio will scan for tones for
you, but it's slow and a pain.  The easiest thing to do is turn on Tone
Squelch, you will see the busy light on your radio turn on when they are
talking but you won't hear them.  Go into the PL tone select mode and tune
through the different tones while the busy light remains on, as soon as you
hear them again you have the right tone, set it and bust away!  If you
don't find a PL that works move on to DPL.  There is one other squelch
setting which uses DTMF tone bursts to open the squelch, but it's rarely
used, and when it is used it's mostly for paging and individuals.
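Added example (editor's code, not part of the Phrack article or anything its author wrote): a receiver-side model of the tone squelch the paragraph above describes. The constructed "received audio" mixes a 1 kHz voice-band component, a little noise and a low-level sub-audible tone; a Goertzel detector measures the energy at each tone of the standard EIA/TIA CTCSS table, tone-search mode reports the tone that stands out from the rest of the table, and the squelch only unmutes when that tone equals the one programmed into the radio. The sample rate, signal levels, noise level and the 10:1 detection ratio are assumptions chosen for the demonstration, not values from the article.

```python
import math
import random

# Standard EIA/TIA CTCSS ("PL") tone table, in Hz.
CTCSS_TONES = [67.0, 69.3, 71.9, 74.4, 77.0, 79.7, 82.5, 85.4, 88.5, 91.5, 94.8,
               97.4, 100.0, 103.5, 107.2, 110.9, 114.8, 118.8, 123.0, 127.3,
               131.8, 136.5, 141.3, 146.2, 151.4, 156.7, 162.2, 167.9, 173.8,
               179.9, 186.2, 192.8, 203.5, 210.7, 218.1, 225.7, 233.6, 241.8, 250.3]


def goertzel_power(samples, fs, freq):
    """Energy of `samples` at one frequency (Goertzel algorithm); a single
    narrow filter is cheaper than an FFT when only a few bins are needed."""
    coeff = 2.0 * math.cos(2.0 * math.pi * freq / fs)
    s1 = s2 = 0.0
    for x in samples:
        s0 = x + coeff * s1 - s2
        s2, s1 = s1, s0
    return s1 * s1 + s2 * s2 - coeff * s1 * s2


def detect_ctcss(samples, fs, min_ratio=10.0):
    """Tone-search mode: return the CTCSS tone carried by the audio, or None
    when no single table tone stands out (the best must beat the runner-up by
    `min_ratio`, an assumed threshold, so plain noise does not look like a tone)."""
    powers = {tone: goertzel_power(samples, fs, tone) for tone in CTCSS_TONES}
    ranked = sorted(powers, key=powers.get, reverse=True)
    best, runner_up = ranked[0], ranked[1]
    if powers[runner_up] <= 0.0 or powers[best] / powers[runner_up] < min_ratio:
        return None
    return best


def squelch_open(samples, fs, programmed_tone):
    """Tone squelch: unmute only when the tone on the air matches the one
    programmed into the radio; any other tone (or no tone) stays muted."""
    return detect_ctcss(samples, fs) == programmed_tone


def make_transmission(fs, seconds, tone_hz, seed=1):
    """Constructed received audio (not a real capture): a 1 kHz 'voice'
    component, low-level noise and, unless tone_hz is None, a sub-audible
    tone at 0.15 of the voice amplitude."""
    rng = random.Random(seed)
    out = []
    for n in range(int(fs * seconds)):
        t = n / fs
        x = math.sin(2 * math.pi * 1000.0 * t) + rng.gauss(0.0, 0.1)
        if tone_hz is not None:
            x += 0.15 * math.sin(2 * math.pi * tone_hz * t)
        out.append(x)
    return out


if __name__ == "__main__":
    FS = 8000  # assumed audio sample rate
    rx = make_transmission(FS, 1.0, 100.0)
    print("tone search:", detect_ctcss(rx, FS))                  # 100.0
    print("radio on 100.0 Hz opens:", squelch_open(rx, FS, 100.0))  # True
    print("radio on 103.5 Hz opens:", squelch_open(rx, FS, 103.5))  # False
    print("no tone present:", detect_ctcss(make_transmission(FS, 1.0, None), FS))  # None
```

One second of audio at 8 kHz gives the detector 1 Hz of resolution, which is enough to separate neighbouring table tones a few hertz apart; a real radio's tone search is slow for the same reason, since every candidate tone needs a comparable listening window before it can be ruled in or out.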

   Now you find yourself at Defcon, you hear DT is being harassed by
security for taking out some slot machines with a HERF gun, so you figure
it's your hacker responsibility to fight back.  You manage to find a
security freq, you get their PL, but their signal is very weak, and only
some of them can hear your vicious jokes about their moms.  What's up?  They
are using a repeater.  A handheld radio only puts out so much power,
usually the max is about 5 watts.  That's pretty much all you want radiating
that close to your skull (think brain tumor).  So a repeater is a radio that
receives the transmissions from the handhelds on freq A and then
retransmits it with a ton more watts on freq B.  So you need to program
your radio to receive on one channel and transmit on another.  Usually
repeaters follow a standard rule of 5.0MHz on UHF and .6MHz on VHF, and
they can either be positive or negative offsets.  Most radios have an
auto-repeater mode which will automatically do the offset for you or you
need to place the TX and RX freqs in the two different VCOs.  Government
organizations and people who are likely targets for hacks (Shadow Traffic
news copter live feeds) use nonstandard offsets so you will just need to
tune around.

   Some ham radios have an interesting feature called crossband repeat.
You're hanging out at Taco Bell munching your Nachos Supreme listening to the
drive thru freq on your radio.  You notice the Jack in the Box across the
street, tuning around you discover that TacoHell is on VHF (say 156.40) and
Jack in the Crack is on UHF (say 464.40).  You program the two freqs into
your radio and put it in xband repeat mode.  Now when someone places their
order at Taco they hear it at Jacks, and when they place their order at
Jacks they hear it at Taco.  When the radio receives something on 156.40 it
retransmits it on 464.40, and when it receives something on 464.40 it
retransmits it on 156.40.

"...I want Nachos, gimme Nachos..."  
"...Sorry we don't have Nachos at Jack's..." 
"...Huh? I'm at Taco Bell..."
Get it?  Unfortunately the FT-50 does not do xband repeat, that's the only 
feature it's lacking.

   Damn it, all this RF hacking is fun, but how do I make free phone calls?
Well you can, sort of.  Many commercial and amateur repeaters have a
feature called an autopatch or phonepatch.  This is a box that connects the
radio system to a phone line so that you can place and receive calls.  Keep
in mind that calls are heard by everyone who has their radio on! The
autopatch feature is usually protected by a DTMF code.  Monitor the input
freq of the repeater; when someone places a call you will hear their DTMF
digits - if you're super elite you can tell what they are by just hearing
them, but us normal people who have lives put the FT-50 in DTMF decode mode
and snag the codez...  If your radio doesn't do DTMF decode, record the audio
and decode it later with your soundblaster warez.  Most of the time they
will block long-distance calls, and 911 calls.  Usually there is a way
around that, but this is not a phreaking article.  Often the repeaters are
remote configurable, the operator can change various functions in the field
by using a DTMF code.  Again, scan for that code and you too can take
control of the repeater.  What you can do varies greatly from machine to
machine, sometimes you can turn on long-distance calls, program speed-dials,
even change the freq of the repeater.

   What about cordless phones, can't I just dial out on someone's line?
Sort of.  You used to be able to take a Sony cordless phone which did
autoscanning (looked for an available channel), drive down the block with
the phone on until it locked on to your neighbor's cordless and you got a
dial tone.  Now cordless phones have a subaudible security tone just like PL
tones on radios so it doesn't work anymore.  There are a bunch of tones and
they vary by phone manufacturer, so it's easier to make your free calls other
ways.

   But as I mentioned before you can screw with people, not with your FT-50
though.  Cordless phones fall very close to the 6 meter (50MHz) HAM band and
the lowband commercial radio frequencies.  There are 25 channels with the
base transmitting 43-47MHz and the handset from 48-50MHz.  What you want to
do is program a radio to receive on the base freqs and transmit on the
handset freqs.  The phones put out a few milliwatts of power (very little).
On this freq you need a fairly big antenna, handhelds just don't cut it - 
think magmount and mobile.  There are HAM radios like the Kenwood TM-742A 
which can be modified for the cordless band, however I have not found a 
radio which works really well receiving the very low power signals the 
phones are putting out.   So, I say go commercial!  The Motorola 
Radius/Maxtrac line is a good choice.  They have 32 channels and put out 
a cool 65watts so your audio comes blasting out of their phones.  Now 
the sucko part, commercial radios are not designed to be field 
programmable.  There are numerous reasons for this, mainly they just want 
Joe rentalcop to know he is on "Channel A" , not 464.500.  Some radios are 
programmed via EPROMs, but modern Motorola radios are programmed via a
computer.  You can become pals with some guy at your local radio shop and 
have him program it for you.  If you want to do it yourself you will need
a RIB (Radio Interface Box) with the appropriate cable for the radio, and
some software.  Cloned RIB boxes are sold all the time in rec.radio.swap 
and at HAM swap meets.  The software is a little more difficult, Motorola 
is very active in going after people who sell or distribute their software
(eh, M0t?) They want you to lease it from them for a few zillion dollars.
Be cautious, but you can sometimes find mot warez on web sites, or at HAM
shows.   The RIB is the same for most radios, just different software, you
want Radius or MaxTrac LabTools.  It has built in help, so you should be 
able to figure it out.  Ok so you got your lowband radio, snag a 6 meter 
mag mount antenna, preferably with gain, and start driving around.  Put 
the radio in scan mode and you will find an endless number of phone calls
to break into.  Get a DTMF mic for extra fun, as you're scanning around listen
for people just picking up the phone to make a call.  You'll hear a dial tone,
if you start dialing first since you have infinitely more power than the 
cordless handset you will overpower them and your call will go through.  
It's great listening to them explain to the 411 operator that their phone is
possessed by demons who keep dialing 411.  Another trick is to monitor the 
base frequency and listen for a weird digital ringing sound - these are tones
that make the handset ring.  Sample these with a laptop or a yakbak or
whatever and play them back on the BASE frequency (note, not the normal
handset freq) and you will make their phones ring.  Usually the sample won't
be perfect so it will ring all wacko.   Keep in mind this tone varies from
phone to phone, so what works on one phone won't work on another.

   Besides just scanning around how do you find freqs?  OptoElectronics
makes cool gizmos called near-field monitors.  They sample the RF noise
floor and when they see spikes above that they lock on to them.  So you
stick the Scout in your pocket, when someone transmits near you, the scout
reads out their frequency.  The Explorer is their more advanced model which
will also demodulate the audio and decode PL/DPL/DTMF tones.  There are
also several companies that offer CDs of the FCC database.  You can search
by freq, company name, location, etc.  Pretty handy if you're looking for a
particular freq.  Percon has cool CDs that will also do mapping.  Before
you buy anything check the scanware web site, they are now giving away
their freq databases for major areas.

  OK radioboy, you're hacking repeaters, you're causing all the cordless
phones in your neighborhood to ring at midnight, and no one can place 
orders at your local drivethrus.  Until one day, when the FCC and FBI 
bust down your door.  How do you avoid that??  OK, first of all don't 
hack from home.  Inspired people can eventually track you down.  How?
Direction Finding and RF Fingerprinting.  DF gear is basically a 
wideband antenna and a specialized receiver gizmo to measure signal 
strength and direction.  More advanced units connect into GPS units for 
precise positioning and into laptops for plotting locations and advance 
analysis functions such as multipath negations (canceling out reflected 
signals.)  RF fingerprinting is the idea that each individual radio has
specific characteristics based on subtle defects in the manufacture of the 
VCO and AMP sections in the radio.  You sample a waveform of the radio and
now theoretically you can tell it apart from other radios.  Doesn't really 
work though-- too many variables.  Temperature, battery voltage, age, 
weather conditions and many other factors all affect the waveform.
Theoretically you could have a computer scanning around looking for a 
particular radio, it might work on some days. Be aware that fingerprinting
is out there, but I wouldn't worry about it *too* much.  On the other hand
DF gear in knowledgeable hands does work.  Piss off the right bunch of HAMS 
and they will be more than happy to hop in their Winnebago and drive all
over town looking for you.  If you don't stay in the same spot or if you're 
in an area with a bunch of metal surfaces (reflections) it can be very very 
hard to find you.  Hack wisely, although the FCC has had major cutbacks 
there are certain instances in which they will take immediate action.  They 
are not going to come after you for encouraging Burger King patrons to become 
vegetarians, but if you decide to become an air-traffic controller for a day
expect every federal agency you know of (and some you don't) to come looking 
for your ass.
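Added example (editor's code, not from the Phrack article): the direction-finding fix the paragraph above describes, including the reflection problem it mentions. Several DF stations on a flat local grid each report a compass bearing (degrees clockwise from north) toward an interfering transmitter; the code finds the point that is closest, in the least-squares sense, to every line of bearing, and when one bearing disagrees badly with the others (a multipath reflection off a metal surface, or simply a bad reading) that bearing is dropped and the fix recomputed. Station positions, the bearings, and the 300 m rejection threshold are all constructed for the demonstration.

```python
import math

# Constructed scenario (not real stations): four DF stations on a flat local
# grid in metres, each with the bearing it reported. The transmitter was placed
# at (1000, 1500) when the bearings were made up; station D's bearing is a
# constructed reflection and points well away from the true direction.
STATIONS = {
    "A": ((0.0, 0.0), 33.7),
    "B": ((3000.0, 0.0), 306.9),
    "C": ((0.0, 3000.0), 146.3),
    "D": ((3000.0, 3000.0), 290.0),  # reflected signal, not the true bearing
}


def _normal(bearing_deg):
    """Unit vector perpendicular to a line of bearing (north = +y, east = +x)."""
    th = math.radians(bearing_deg)
    return (math.cos(th), -math.sin(th))


def fix_position(stations):
    """Point minimising the sum of squared perpendicular distances to every
    station's line of bearing (solves the 2x2 normal equations directly)."""
    sxx = sxy = syy = bx = by = 0.0
    for (sx, sy), brg in stations.values():
        nx, ny = _normal(brg)
        c = nx * sx + ny * sy  # signed offset of this line from the origin
        sxx += nx * nx
        sxy += nx * ny
        syy += ny * ny
        bx += nx * c
        by += ny * c
    det = sxx * syy - sxy * sxy
    if abs(det) < 1e-9:
        raise ValueError("bearings are (nearly) parallel: no usable fix")
    x = (syy * bx - sxy * by) / det
    y = (sxx * by - sxy * bx) / det
    return (x, y)


def residuals(stations, fix):
    """Perpendicular distance in metres from the fix to each bearing line;
    a line that passes far from the fix is a bearing the others disagree with."""
    out = {}
    for name, ((sx, sy), brg) in stations.items():
        nx, ny = _normal(brg)
        out[name] = abs(nx * (fix[0] - sx) + ny * (fix[1] - sy))
    return out


def locate(stations, max_residual_m=300.0):
    """Fit, drop the worst-fitting bearing if it misses the fix by more than
    the (assumed) threshold, and refit until the remaining bearings agree.
    Returns (fix, list of rejected station names)."""
    remaining = dict(stations)
    rejected = []
    while True:
        fix = fix_position(remaining)
        res = residuals(remaining, fix)
        worst = max(res, key=res.get)
        if res[worst] <= max_residual_m or len(remaining) <= 2:
            return fix, rejected
        rejected.append(worst)
        del remaining[worst]


if __name__ == "__main__":
    naive = fix_position(STATIONS)
    print("fix using every bearing: (%.0f, %.0f)" % naive)
    fix, dropped = locate(STATIONS)
    print("fix after rejecting %s: (%.0f, %.0f)" % (dropped, *fix))
```

With all four bearings the fix lands roughly 900 m north of the true position, because the reflected bearing drags the least-squares point toward its line; the residual check singles that bearing out (it misses the fix by over a kilometre while the others miss by a few hundred metres at most), and the refit with the three consistent bearings returns to within a few metres of (1000, 1500). This is the simplest form of the "multipath negation" the paragraph mentions; real DF software does the same thing with many more bearings and with the GPS positions of moving stations.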

   My plane is landing so that's all for now,  next time - advanced RF hacking,
mobile data terminals, van eck, encryption, etc.

EOF
                                ----<>----
  KF6UJS - PO BOX 292 - MT EDEN CA 94557-0292   © 1999 KF6UJS - All Rights Reserved.