Broadcast Signal Intrusion with RPi Zero and an old rusty Guitar String
by German Namestnikov
Today we will talk about the radio. It has been nearly a year since I bought my RTL-SDR dongle to have some fun in my spare time.
Public stations, citizen band radio and even emergency services - it was a very interesting journey into the world of SDR, especially in big cities like Moscow, where you cannot find an empty slot on your band because everything is filled with speech, digital signals, Soviet military secrets and more.
But when you are listening to someone, you probably want to answer them, don't you? RTL-SDR is a good toy that can fascinate you for months, but it becomes useless when you decide to send your own signals into the radio space.
More powerful devices like HackRF and BladeRF can be used for both receiving and transmitting, but they may be too expensive for just toys.
The good news here is that every Raspberry Pi device can be used to transmit FM signals within the 1-250 MHz range without any additional hardware!
This is not such a wide range, but it includes the HF (High Frequency) and VHF (Very High Frequency) bands of the radio spectrum. These bands are used in many areas, from citizen band radio and broadcasting to air traffic control and emergency services, so we can still have some fun inside this range.
How is it possible?
As I said before, every RPi can be used to send FM radio signals. This is possible because it has a 500 MHz General Purpose Clock source (GPCLK with PLLD) available onboard.
Clock sources like PLLD are used for a feature named Spread-Spectrum Clock Generation (SSCG). As far as I know, SSCG is actively used for Electromagnetic Interference (EMI) reduction in modern synchronous digital systems. So, in theory, you can find GPCLK interfaces
OK, we have a clock source with a 500 MHz frequency. What's next? How can we send our FM signals within the 1-250 MHz range?
There is a simple equation that lets us get the required frequency on the GPCLK pin from the source clock. The output GPCLK frequency is the product of the original PLL (PLLD in our case) frequency and a multiplication factor.
Fortunately, we can set this multiplication factor for each clock source programmatically, and therefore we control the GPCLK output frequency.
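As an added example (not code from the post or from PiFmAdv), here is the arithmetic behind that multiplication factor. In the BCM283x general-purpose clock divider the factor is realised as 1 / (DIVI + DIVF/4096), a 12-bit integer part plus a 12-bit fractional part; the example assumes DIVI must be at least 2 in fractional mode, which is what gives the 250 MHz ceiling the post quotes for a 500 MHz PLLD.

```python
# Added example: derive the GPCLK divider for a target frequency from the
# 500 MHz PLLD source and show how close the hardware can actually get.
# The DIVI/DIVF layout is the BCM283x clock manager's; the DIVI >= 2 floor
# is an assumption (fractional/MASH mode), matching the post's 250 MHz limit.

PLLD_HZ = 500_000_000          # source clock stated in the post
FRAC_STEPS = 4096              # DIVF resolution: 12 fractional bits
DIVI_MIN, DIVI_MAX = 2, 4095   # integer divider range (assumed floor of 2)


def divider_for(target_hz: float) -> tuple[int, int]:
    """Return (DIVI, DIVF) that brings the GPCLK output closest to target_hz."""
    ratio = PLLD_HZ / target_hz             # ideal, real-valued divisor
    divi = int(ratio)
    divf = round((ratio - divi) * FRAC_STEPS)
    if divf == FRAC_STEPS:                  # rounding carried into the integer part
        divi, divf = divi + 1, 0
    if not DIVI_MIN <= divi <= DIVI_MAX:
        raise ValueError(f"{target_hz / 1e6:.3f} MHz is outside the reachable range")
    return divi, divf


def output_hz(divi: int, divf: int) -> float:
    """Actual output: PLLD frequency times the factor 1 / (DIVI + DIVF/4096)."""
    return PLLD_HZ * (1 / (divi + divf / FRAC_STEPS))


def frequency_error_hz(target_hz: float) -> float:
    """Residual offset between the requested frequency and the nearest setting."""
    return output_hz(*divider_for(target_hz)) - target_hz


if __name__ == "__main__":
    for mhz in (27.0, 100.1, 250.0):
        divi, divf = divider_for(mhz * 1e6)
        print(f"{mhz:7.3f} MHz -> DIVI={divi:4d} DIVF={divf:4d} "
              f"error={frequency_error_hz(mhz * 1e6):+.1f} Hz")
```

For the 27.0 MHz test frequency used later in the post the nearest setting lands about 50 Hz low, well inside a receiver's capture range; a few kHz of deviation on the same fractional divider is what carries the audio.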
There are a lot of projects implementing this technique. As far as I know, PiFM was the first one. For my current experiments, I use PiFmAdv. It is well documented. The single problem I faced was caused by my inattention - I didn't change the gpu_freq parameter in the /boot/config.txt file.
Now we can generate an FM signal, but without a proper antenna we limit our signal range to ~10 cm. Not so impressive :D
The good news here is that we can use a simple wire for this purpose. I saw a lot of posts on the Internet where people used antennas made of several solderless wires connected to the GPIO GPCLK pins.
At this stage, I remembered how "great" it was to catch FM radio broadcasts in my amplifier while playing electric guitar, and decided to use my old rusty G-string as the antenna for this RPi FM project.
No multiple connectors, just a plain piece of wire powered by a bit of heavy metal magic :D
In the real world, antenna theory and design is "rocket science". If you really want to send long-range FM signals with your RPi, you should learn it and build your antenna according to the required wavelength (we are still working in the VHF and HF bands), power budget and other parameters. But for a couple of simple tests, a piece of string or wire works perfectly.
There are not so many bands where we can legally test our RPi FM radio station, but there are some where you can check your FM transmitter. For initial checks, I used the Citizen Band around 27 MHz.
This is easy, just run something like this in your RPi bash shell:
# sudo ./pi_fm_adv --audio sound.wav --freq 27.0
Broadcast Signal Intrusion
Legal Note: Such activities are illegal in most countries. Don’t do it, be a good boy.
Let's have some fun and check whether the RPi allows us to intrude on a broadcast radio signal. "Together with my friend, we performed broadcast signal intrusion against the radio receiver inside his car" - that is what I would say if we had really done it :D
Here is a video of how it could have been:
You can see that the RPi Zero completely replaces the original signal. Even with an antenna limited in length, it remains extremely powerful. A nice way to listen only to the music you like in your Uber :D
As you can see, the built-in ability of your RPi to transmit FM is an amazing thing! You can use it perfectly legally, transmitting signals on open frequencies.
But if you are interested in using your device in Red Teaming operations, it is still useful because of its ability to intrude on broadcast signals. How would your company's employees act if the radio told them to leave the office and keep their PCs unlocked?
Just take a powerful antenna with you and enjoy it!
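What the video shows is the FM capture effect: the receiver locks onto whichever carrier is strongest, so a nearby transmitter wins over the distant station. From the defending side, the same effect is visible as a sudden jump in received power on the monitored channel. The following is an added example, not part of the original post, of that check run over a constructed log of signal-strength readings; the log format, the frequency and the 20 dB threshold are all assumptions.

```python
# Added example: flag a monitored broadcast channel being overridden by a
# close-range carrier.  Input is a constructed RSSI log (format assumed);
# an alert fires when a reading jumps well above the recent baseline.
import re
import statistics

# Constructed sample: a station steady near -72 dBm, then a strong
# carrier appearing on the same frequency at 12:00:04.
SAMPLE_LOG = """\
12:00:00 freq=100.1MHz rssi=-72
12:00:01 freq=100.1MHz rssi=-73
12:00:02 freq=100.1MHz rssi=-71
12:00:03 freq=100.1MHz rssi=-72
12:00:04 freq=100.1MHz rssi=-40
12:00:05 freq=100.1MHz rssi=-39
this line is garbage and must be skipped
12:00:06 freq=100.1MHz rssi=-41
"""

LINE_RE = re.compile(r"^(\S+) freq=(\S+) rssi=(-?\d+)$")


def parse_log(text: str):
    """Yield (timestamp, frequency, rssi_dbm) tuples, skipping malformed lines."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group(1), m.group(2), int(m.group(3))


def find_carrier_override(text: str, window: int = 3, jump_db: int = 20):
    """Return (timestamp, freq, rssi) for readings at least jump_db above the
    median of the previous `window` readings on the same frequency.
    The baseline is frozen while an alert is active so the intruding
    carrier cannot become the new normal."""
    history: dict[str, list[int]] = {}   # frequency -> recent baseline readings
    alerts = []
    for ts, freq, rssi in parse_log(text):
        recent = history.setdefault(freq, [])
        if len(recent) >= window and rssi - statistics.median(recent) >= jump_db:
            alerts.append((ts, freq, rssi))
            continue                     # do not poison the baseline
        recent.append(rssi)
        if len(recent) > window:
            recent.pop(0)
    return alerts


if __name__ == "__main__":
    for ts, freq, rssi in find_carrier_override(SAMPLE_LOG):
        print(f"{ts} {freq}: carrier override suspected, rssi={rssi} dBm")
```

A real monitor would feed this from an RTL-SDR power sweep on the frequencies staff actually listen to; the point is that an intrusion of this kind is loud and easy to spot if anyone is looking.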
About the Author
Hello! My name is German Namestnikov.
I like computer & network security, malware analysis and other such things, so here I will write some stories and share my experience.
Actually, I don't really think that anybody will read this stuff. But it seems that blogging is a great way to contribute to the IT Security community that has helped me a lot.
If you have anything to say, just drop me a line! Any feedback will be appreciated.
The article has been originally published at: https://illegalbytes.com/2019-07-01/rpi-broadcast-signal-intrusion/