How To Hack Radio Frequency With Your Phone
In our first part on software-defined radio and signals intelligence, we learned how to set up a radio listening station to find and decode hidden radio signals, just like the hackers who triggered the emergency siren system in Dallas, Texas, probably did. Now that we can hear in the radio spectrum, it's time to explore the possibilities of broadcasting in a radio-connected world.
So how did the hackers in Dallas broadcast the code they found to control the sirens, and why? Was it a distraction to divert attention from their real goal, a test of a foreign government probing American infrastructure, or were they engaging in the time-honored American pastime of being annoying?
Whatever their goal, the attack was done by rebroadcasting a series of codes in the emergency band around 900 MHz to trigger a series of repeaters to scare the crap out of some Texans. Did they need thousands of dollars of sophisticated equipment to do so? Probably not. In fact, we can take over some radio systems without knowing any codes at all just by being closer to our target.
This tutorial will show you a technique to use this effect to hack civilian FM radio bands and play your social engineering payload. Maybe you don't like the music a radio station in a particular business or vehicle is playing and you'd like to play your own. Maybe you'd like to play a message to get your target to do something you want them to. Whatever the goal, all you need to rebroadcast signals in the radio spectrum is a $35 Raspberry Pi and a piece of wire for an antenna.
The Pi as a Software-Defined Radio Transmitter for Hacking
The Raspberry Pi, with the addition of some free software, is capable of pulsing power on one of its general purpose input-output (GPIO) pins to transmit on any civilian FM radio frequency from around 87.5 MHz to 108 MHz. Without a wire, the range is only a foot or two. We'll focus on using this ability to insert our messages into the most common type of radio signals everybody has access to. FM radios exist in almost every car and in many businesses and homes. The ability to broadcast directly to them gives us a powerful way of speaking to someone anonymously, seemingly from a trusted source.
Hobbyists have embraced the Pi FM radio hack by adding a wire as an antenna for streaming music, short-range communications, and even as an FM modem for exchanging data between devices. Applications like rpitx can even transmit slow-scan TV images via FM. This hack is fun and useful for creating a signal with an intentionally limited range, and through some testing, I've found the signal is just powerful enough to overpower FM stations at close range.

Overpowering a station, also known as "broadcast signal intrusion," has the effect of hijacking the signal and allowing you to insert messages, songs, programming, or other seemingly legitimate information or news to support social engineering strategies. Signal hijacking on the Pi is particularly useful against businesses playing FM radio or vehicle radio systems and can help you to influence a target's beliefs or actions by posing as a media outlet.
Why a Raspberry Pi Works Well for This
The fact that you can get started broadcasting in the radio spectrum with only a wire is incredibly useful to anyone interested in radio projects or software-defined radio, but how does it work?
The Pi's GPIO pins allow it to connect to peripherals, but in this case, pin number 4 can be pulsed using the Pi's clock so that it acts as a square wave oscillator. While this works, there are a number of issues that must be considered as a result of the way the Pi creates the transmission. These issues mean increasing the power also increases the likelihood of causing chaos in the radio frequency and getting caught by the FCC, which means that, without additional filters, this tool is for surgical strikes only.

The biggest issue in using a Pi is the square wave oscillator used to generate the signal, which generates harmonics that can interfere with frequencies beyond those you're intending to broadcast on. In fact, these harmonics can go pretty far out of band into restricted frequencies, meaning boosting the power on a Pi FM transmitter without applying a filter will interfere with all kinds of radio signals around you.
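The same harmonics make an unfiltered transmitter of this kind easy to spot from a monitoring receiver. The sketch below is an added example, not code from the article or from PiFmRds: it assumes an ideal 50% duty-cycle square wave (odd harmonics only, the n-th one 20·log10(n) dB below the fundamental) and flags FM-band carriers in a spectrum peak list whose odd harmonics also show up. The peak list, function names and tolerances are constructed for illustration.

```python
import math

FM_BAND_MHZ = (87.5, 108.0)  # broadcast band the article transmits in

def expected_harmonics(f0_mhz, max_mhz=1000.0):
    """Odd harmonics of an ideal 50%-duty square wave at f0_mhz.
    The n-th harmonic's amplitude is 1/n of the fundamental, i.e. -20*log10(n) dBc."""
    out, n = [], 3
    while n * f0_mhz <= max_mhz:
        out.append((n, round(n * f0_mhz, 3), round(-20 * math.log10(n), 2)))
        n += 2
    return out

def find_square_wave_sources(peaks, tol_mhz=0.05, level_tol_db=6.0, min_hits=2):
    """peaks: [(freq_mhz, power_dbm)] from a wideband sweep.
    Returns [(f0_mhz, hits)] for FM-band carriers with >= min_hits matching odd harmonics.
    Tolerances are assumed values; real antennas and front ends are not flat."""
    flagged = []
    for f0, p0 in peaks:
        if not FM_BAND_MHZ[0] <= f0 <= FM_BAND_MHZ[1]:
            continue
        hits = 0
        for _, fn, dbc in expected_harmonics(f0):
            # A hit needs a peak at the harmonic frequency at roughly the expected level.
            if any(abs(f - fn) <= tol_mhz and abs((p - p0) - dbc) <= level_tol_db
                   for f, p in peaks):
                hits += 1
        if hits >= min_hits:
            flagged.append((f0, hits))
    return flagged

# Constructed sweep: a filtered station at 98.1 MHz, an unfiltered square-wave
# carrier at 107.9 MHz with its 3rd/5th/7th harmonics, and one unrelated peak.
SAMPLE_PEAKS = [
    (98.1, -25.0), (107.9, -30.0), (162.55, -50.0),
    (323.7, -40.0), (539.5, -44.5), (755.3, -47.0),
]

if __name__ == "__main__":
    for f0, hits in find_square_wave_sources(SAMPLE_PEAKS):
        print(f"{f0} MHz: {hits} odd harmonics present, likely unfiltered square-wave source")
```

A licensed station's transmitter is filtered, so its carrier appears in the sweep without the 3f, 5f and 7f companions; that absence is what separates it from the flagged carrier.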
The History of Broadcast Signal Intrusions
A broadcast signal intrusion is the hijacking of a radio or television signal to play another message over the official programming, and it is relatively simple to pull off against radio stations.
While more advanced techniques involve splicing the message into the broadcast by breaking into the receiver site, all that is really needed is an FM transmitter capable of overpowering the legitimate broadcast signal to the target antenna. If your target is just one antenna, the Raspberry Pi can easily accomplish a surgical application of a broadcast intrusion.
Historically, broadcast signal intrusions have been employed by hackers wanting to get their message out to the public, although few, if any, attempted to hide the fact that the station had been hijacked. Motives range from political protests to trolling and jamming of the Playboy Network for religious reasons. While most hackers perpetrating large-scale broadcast intrusions were caught, one of the most notorious and strangest incidents remains unsolved.
Perhaps the best-documented incident of intentional signal intrusion was the Max Headroom incident in Chicago. In 1987, the WGN and WTTW TV stations were hijacked during an episode of Dr. Who to play a slow-scan message featuring a man in a Max Headroom mask rambling and screaming, calling the radio station operators "nerds," and eventually being spanked by a woman in a French maid outfit with a flyswatter.
The clip ran for about 90 seconds and only got more confusing as engineers were helpless to regain control, making national news and leading to FBI involvement in the case. Despite the attention, no one is sure who the Max Headroom hacker was or what the purpose of his bizarre and brazen takeover of WGN was supposed to achieve beyond trolling tens of thousands of people.
It's believed this hack was achieved without physical access to the stations and instead used sophisticated radio transmitters to overpower the legitimate signal that was repeated to a larger broadcasting antenna. If you're a fan of the Mr. Robot series, #fsociety used this hack many times to get their video communications on the airwaves of major TV networks.
Surgical Signal Intrusions for Social Engineering
By overpowering the legitimate signal with ours, we are presented with two options: perform a denial of service attack or try to impersonate legitimate traffic on the channel. Both of these options, by the way, are illegal in most countries due to the fact that we are jamming a legitimate radio broadcast.
In a DOS attack, we can flood an FM radio channel used for communication with a signal that prevents the legitimate transmission from being heard and makes no attempt to pretend to be the real transmission. In the second attack, we craft a message designed to be perceived as legitimate and insert it into programming to provoke a response. This can be as simple as a report of heavy traffic on a certain throughway requiring a different route, or as elaborate as playing a SIGALERT emergency alert describing the subject's car as the vehicle of a manhunt suspect.
Because of the trust placed in the media and the surreptitious nature of the hijacking, a subject is unlikely to know the signal has been hijacked unless the start or end of the transmission switch seems out of place.
Step 1: Hardware & Software Requirements
To begin broadcasting, we don't need much. A Raspberry Pi 2 or 3 will both work, and the wire can be sourced from cords or whatever you have around. I used both stranded and solid core copper wire and both worked fine, although solid core was better.
Here's all the hardware and software that you'll need for this guide:
- a piece of wire around three feet long for an antenna
- a fully updated Raspberry Pi 2/3
- knowledge of which frequency you're trying to jam (or a $20 RTL-SDR dongle to find it yourself)
- a source .wav file
- make and libsndfile1-dev
- PiFmRds from GitHub
To start, let's take care of the software requirements by running apt-get update and apt-get upgrade. Once our version of Kali is updated and upgraded, we can install dependencies by running the following in a terminal window.
apt-get install make libsndfile1-dev
Step 2: Download & Configure PiFmRds
Connect your Pi to an HDMI display or SSH into it from your laptop. To clone PiFmRds, type the following four lines into a terminal window. Remember to run make clean, as versions for different Raspberry Pis are not compatible with each other.
git clone https://github.com/ChristopheJacquet/PiFmRds.git
cd PiFmRds/src
make clean
make
The make step prints the compiler commands as it builds:
gcc -Wall -std=gnu99 -c -g -O3 -march=armv7-a -mtune=arm1176jzf-s -mfloat-abi=hard -mfpu=vfp -ffast-math -DRASPI=2 rds.c
gcc -Wall -std=gnu99 -c -g -O3 -march=armv7-a -mtune=arm1176jzf-s -mfloat-abi=hard -mfpu=vfp -ffast-math -DRASPI=2 waveforms.c
gcc -Wall -std=gnu99 -c -g -O3 -march=armv7-a -mtune=arm1176jzf-s -mfloat-abi=hard -mfpu=vfp -ffast-math -DRASPI=2 pi_fm_rds.c
gcc -Wall -std=gnu99 -c -g -O3 -march=armv7-a -mtune=arm1176jzf-s -mfloat-abi=hard -mfpu=vfp -ffast-math -DRASPI=2 fm_mpx.c
gcc -Wall -std=gnu99 -c -g -O3 -march=armv7-a -mtune=arm1176jzf-s -mfloat-abi=hard -mfpu=vfp -ffast-math -DRASPI=2 control_pipe.c
gcc -Wall -std=gnu99 -c -g -O3 -march=armv7-a -mtune=arm1176jzf-s -mfloat-abi=hard -mfpu=vfp -ffast-math -DRASPI=2 mailbox.c
gcc -o pi_fm_rds rds.o waveforms.o mailbox.o pi_fm_rds.o fm_mpx.o control_pipe.o -lm -lsndfile
Step 3: Test Your First Transmission
That should be it! After navigating to the PiFmRds/src folder, you should be able to test PiFmRds by running:
sudo ./pi_fm_rds -freq 107.0 -audio sound.wav
This will start a test radio transmission on the frequency 100.1. Since we haven't yet attached our wire antenna, we can't expect it to transmit anything, right?
Turns out, even just the GPIO pin is capable of short range transmission. Here, I can see a test broadcast from several feet away even without attaching an antenna.

You should use the GPIO pin to test your messages whenever possible to avoid interfering with other frequencies unnecessarily. While good for testing, the pin alone cannot overpower a station. Once you've confirmed you're transmitting, let's try hijacking a signal.
Step 4: Add an Antenna to Enable Signal Hijacking
Now that we know we're transmitting, let's up the power. Attach a piece of wire (solid gauge or stranded will do) to the fourth GPIO pin (see diagram to figure out which that is).

You can use the insulation around the wire to keep it snug on the pin if you work the pin between the insulation and the copper inside the wire. Here is how I attached some solid core wire:

With this setup, the range is dramatically improved. I can receive the radio transmission all over the building, including on floors above and below me.

Step 5: Load a WAV File & Overpower an FM Signal
Now that we've boosted the power, we can expect to be able to hijack any radio station when we're within about twenty to thirty feet of the transmitter. Identify the station you want to hijack and note the frequency in megahertz. For this example, we will assume the station we are transmitting against is 107.9 MHz.
On your Pi with the antenna attached, run the following in terminal to target and hijack 107.9 and play the audio file sound.wav.
sudo ./pi_fm_rds -freq 107.9 -audio sound.wav
You should hear the audio demo break into the legitimate transmission.

Put any WAV file in the PiFmRds/src folder and change the name in the command above to play your own custom message.
Final Warning
While the methods described are extremely easy and effective, intentionally jamming a legitimate broadcast is illegal in the US, and most likely elsewhere. While the likelihood of being detected doing so on a small scale is low, increasing the power or operating in out-of-band frequencies can get you in trouble and interfere with military, police, and first responder radio signals.
The range of this device is short, and by experimenting with a radio to estimate the range, you can vary the length of wire to adjust the range. In addition, playing messages that could alarm or frighten people deliberately is a great way to get in trouble too. While funny, my incoming North Korean nuclear missile example (in the video above) could cause panic, thus is best used in a lab setting only.
Use common sense when deciding on the message you want to transmit and keep in mind it is likely the subject will actually believe it.
As always, thanks for reading, and make sure to keep an eye on Null Byte for more hacking tutorials. You can ask me questions here or @sadmin2001 on Twitter or Instagram.
Source: https://null-byte.wonderhowto.com/how-to/hack-radio-frequencies-hijacking-fm-radio-with-raspberry-pi-wire-0177007/
Posted by: gallmanheatted.blogspot.com