Code 300 32 Sdr Download

Posted by admin

TempestSDR is a nice tool which can be used to eavesdrop on computer monitors using the electromagnetic (EM) emissions caused by them. While this concept is not new, cheap software defined radio (SDR) hardware has made performing this attack much easier. I was struggling to get the tool up and running on Ubuntu Linux for a while and ended up without a result. Finally, I moved to the Windows platform and tried it there. Luckily, things went smoothly and I got the TempestSDR tool running with both RTL-SDR and HackRF hardware.

(1) Download SDR# from here.
(2) Extract the ZIP archive, and then inside it, double-click on the install-rtlsdr.bat file.

A CMD prompt will start and download some files. It will exit automatically.
(3) Now double-click on the SDRSharp.exe tool and it will open the window. You can select the 'RTL-SDR (USB)' option for the source.
(4) Keep scrolling while looking for a signal whose peaks vary when I make any change on the screen of the computer, such as maximizing / minimizing windows, etc. If there is a strong signal whose amplitude changes when a window is maximized, there is a good chance that it is an emission from the monitor. Note down such frequencies.
(6) In the very first makefile, remove the following line:
    @$(MAKE) -C TSDRPluginMirics/ all MIRICSHOME=$(MIRICSHOME)
(7) Because there are spaces in the path to the Java installation directory, the TempestSDR tool has difficulties running the makefile.

Therefore, let's copy the Java installation folder to a new place which does not have spaces in the path. I copied the 'C:\Program Files (x86)\Java' folder to the 'C:\Java' location.
(8) Now go into the TempestSDR folder from the CMD prompt and run the following command.
    make all JAVAHOME=C:\Java\jdk1.8.0_151
If the compilation completes successfully, we are good to go.

Running the TempestSDR software:
(1) Connect either the RTL-SDR dongle or the HackRF device to a USB port of the computer.
(2) Go to the JavaGUI folder in the TempestSDR source code directory.

There should be a jar file which we need to run.
    java -jar JTempestSDR.jar
(3) From the File menu, select the 'Load ExtIO source' option. Then browse to the installation directory of the HDSDR software where you copied the ExtIO DLL driver for either RTL-SDR or HackRF. Select that DLL file.
(4) Select the resolution and refresh rate of the monitor being eavesdropped. Then, select the frequency of the EM emanation which we manually found using the SDR# software.


Click 'Start' and we are good to go.

In this entry I'll discuss using it to decode digital signals (this example on fixed remote signals often used for garages / gates) so that they can be replayed/brute forced with something like the RFCat project (based on TI's CC1111EMK module). This has probably been done to death already but I figured since I struggled with it maybe this will help someone else do it a lot quicker (and mostly because I think it's cool).

    d.setFreq(403550000)              # Set my frequency to the gate remote
    d.setMdmModulation(MOD_ASK_OOK)   # Set my modulation to the right mode
    d.makePktFLEN(4)                  # Set my packet length to 4 as I am sending 4 bytes
    d.setMdmDRate(4800)               # Baud rate
    d.setMaxPower()                   # Power much?
    for i in range(0, 15):
        d.RFxmit('\xDE\xAD\xBE\xEF')  # Send this a few times as I want to clearly see my signal

Taking a quick squiz at the above HDSDR output you can see that a) my garage remote is not at 403.55 and b) my RFCat is not there either!

This is for a number of reasons but primarily because the RTL-SDR that I have isn't that precise (you can configure it to correct the offset). But in this case I don't really need that; I merely need to keep changing the frequency until I have both at the same point.

    Decimal key: 1203
    Binary (NON PWM) key: 0b1
    Binary (PWM) key: 0b

At this stage I could take that binary and convert it to a byte string (\x0E\x63\x9C\xC7\x31\x8E\x73\x18) and send it out with the above example and record it again with HDSDR.
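The "decimal key to byte string" step above, as an added example that is not code from the original post: the 5-bit pulse symbols and the four idle lead-in bits are inferred from the post's own byte string, so the mapping is an assumption rather than the remote's documented format, and the decoder rejects any pulse pattern outside that alphabet (the keyspace function makes the risk explicit: a 12-bit fixed code has only 4096 values and nothing in the frame changes between presses).

```python
# Added example (not from the original post): the PWM framing behind the post's
# byte string. The mapping below (DIP bit 0 -> wide pulse 11100, DIP bit 1 ->
# narrow pulse 11000, four leading idle bits) is inferred from the post's own
# values, not from an encoder datasheet, so treat it as an assumption.
WIDE = "11100"    # symbol sent for a 0 in the DIP-switch code (assumed)
NARROW = "11000"  # symbol sent for a 1 in the DIP-switch code (assumed)
LEAD_IN = "0000"  # idle bits that pad the frame to a whole number of bytes
SYM = 5           # bits per PWM symbol


def pwm_encode(code: int, nbits: int = 12) -> bytes:
    """Turn a fixed DIP-switch code into the PWM bit stream the remote sends."""
    bits = LEAD_IN
    for i in range(nbits - 1, -1, -1):            # most significant bit first
        bits += NARROW if (code >> i) & 1 else WIDE
    return int(bits, 2).to_bytes(len(bits) // 8, "big")


def pwm_decode(frame: bytes, nbits: int = 12) -> int:
    """Recover the DIP-switch code from a captured frame; raise on a bad symbol."""
    bits = "".join(f"{b:08b}" for b in frame)
    if not bits.startswith(LEAD_IN):
        raise ValueError("frame does not start with the idle lead-in")
    code = 0
    for k in range(nbits):
        start = len(LEAD_IN) + SYM * k
        sym = bits[start:start + SYM]
        if sym == NARROW:
            code = (code << 1) | 1
        elif sym == WIDE:
            code <<= 1
        else:
            raise ValueError(f"unexpected pulse pattern {sym!r} at symbol {k}")
    return code


def keyspace(nbits: int = 12) -> int:
    """Number of distinct codes a fixed-code remote of this width can use."""
    return 1 << nbits


if __name__ == "__main__":
    captured = bytes.fromhex("0E639CC7318E7318")  # byte string from the post
    print(pwm_decode(captured))      # 1203, the post's decimal key
    print(pwm_encode(1203).hex())    # 0e639cc7318e7318
    print(keyspace())                # 4096: no per-press variation, so a capture replays
```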

So to do this once more I opened RFCat and ran:

    d.setFreq(403492750)
    d.setMdmModulation(MOD_ASK_OOK)
    d.makePktFLEN(8)
    d.setMdmDRate(4800)
    d.setMaxPower()
    for i in range(0, 5):
        d.RFxmit('\x0E\x63\x9C\xC7\x31\x8E\x73\x18')

Now that I had the recording I opened it in Audacity. I also have the original signal so I could compare the two of them (to get another track in Audacity just use File > Import > Audio). As you can see, all's not well in paradise at this stage. For starters there is a series of data that's clearly not mine at the beginning, and the gate remote seems to be arching upwards whilst my signal is arching downwards. The first part of the signal is actually the preamble and sync word which, for all intents and purposes, I equate to something like a packet header that describes what the data will be. It's commonly found throughout RF, but for the remotes I am looking to spoof it is not necessary.

Luckily, At1as has an option to simply turn this off, so using the same code but adding d.setMdmSyncMode(0) will turn off sync words and preamble. So if you re-record the remote and compare now you will see the following: Fantastic! So now we have two signals that are almost correct; the only difference is that the original remote signal (bottom) has a leading 0 (not sure where I am missing one) and it starts from a high (1).


Michael Ossmann explained this as "There is a carrier transmitted between each sequence. So the transmitter is never in the off (low) state except during a symbol.", and what I had to do for that was simply pad the beginning and the end with '\xff\xff'. So from doing that (for all intents and purposes just using d.makePktFLEN(12) and sending '\xFF\xFF\x0E\x63\x9C\xC7\x31\x8E\x73\x18\xFF\xFF') I now get the following: Bazinga! The two signals look the same :) Next was to go down to the garages to attempt to open them with this. The first few tries I got absolutely nothing until someone asked how many times I was sending the signal and I said 5 (which seemed okay to me), but it appears I need to send it about 20-25 times before the garage opens. The range on the device was impressive however and I could do it a lot further away than I anticipated (I could open it from the gate of my complex which is around 20m or so to the garage). So of course I wanted to take this a little further, first being able to simply cook up a python script I could execute to simulate the button press; that came out something like this.

    #!/usr/bin/env python
    import sys
    import time
    from rflib import *
    from struct import *

    d = RfCat()
    keyLen = 0
    baudRate = 4800

    def ConfigureD(d):
        d.setMdmModulation(MOD_ASK_OOK)   # OOK, as the remote uses
        d.setFreq(403493000)
        d.makePktFLEN(keyLen)
        d.setMdmSyncMode(0)               # no preamble / sync word
        d.setMdmDRate(baudRate)

    #!/usr/bin/env python
    import sys
    import time
    import bitstring
    from rflib import *
    from struct import *

    d = RfCat()
    keyLen = 0
    fixedLen = 13
    baudRate = 4800
    codes = []   # placeholder: the list of codes is cut off on this page

    def ConfigureD(d):
        d.setMdmModulation(MOD_ASK_OOK)
        d.setFreq(403493000)
        d.makePktFLEN(fixedLen)
        d.setMdmSyncMode(0)
        d.setMdmDRate(baudRate)
        d.setMaxPower()

    print('Generating keys.')

I must admit I'm a bit preoccupied and couldn't read through the entire thing.

Mstrt, Thanks for the comment. So with regards to what I did, rather than just replaying the signal I wanted to figure out how it worked so that I could not only replay it but also attack other codes in a similar range. There are a few questions I have about rolling codes: firstly, how implemented are they, are they common for entry gates? I briefly looked at mine earlier and it just seems to be a much longer code, 64 bits, with a preamble at the beginning. When holding down the button on the remote I don't see it changing freq at all, so I don't think it is code hopping. For an alarm system I have access to I see it changing frequency (only every few seconds, about 5) between presses (not when holding it down) but it doesn't look like it is changing code; it's a very basic system and I was wondering if you know how those are generally implemented. -AM.

That script I linked to is actually command-line only. GNURadio Companion is probably the GUI you're thinking of. It's basically like using Visio, but it generates python when you compile/run. So you could use it on a headless box over ssh, but I would definitely prefer to be on or very near the actual box and have a GUI. There are some other tools that launch GUI interfaces (e.g., multimode or gqrx).

Yes, I haven't had much luck with a virtualized box either. It works, it just drops a lot of data at every sample rate (as shown by rtl-test).

Alex, Thanks for the updates :) Yeah, when I mentioned GNURadio I did mean GRC :) I've seen it and played briefly but not enough to warrant me writing a post on it. Basically just stuck to what I could do for now. WRT the reflashing, I was only testing at 403 and 433 MHz, so I am not sure on the entire range, but the workshop at Blackhat seemed to indicate that it can do almost everything from 300-928 MHz. I honestly don't know, I'd recommend speaking to the rfcat project guys about it :) Cheers, Andrew.

Hey Andrew, I work in security, and am conducting a proof of concept at my work based on record and play back of our cafeteria's vibrating "unipage" paging system.

Each pager is uniquely paged but they are all on the same frequency. I have recorded the signal on 450.3750 MHz.

The signal does not show clear zeros and ones like your images. What would the process be to just replay the signal without manipulating it or understanding it?

Is there a way to hand the wav file to an app that replays the signal through the CC1111EMK? Sorry if the question doesn't make sense, this layer is totally new to me. Thanks, Adam.

Adam, Glad to see you are tinkering away, that project sounds AWESOME! So I had a quick look at the unipage site and found this document: (I just google dorked it with "frequency site:unipage.com.au") So having a look at that document it appears that it's 450.3 as you said; it uses FM modulation and POCSAG paging, so it's not exactly the same as mine, but you can get SDR#, Virtual Audio Cable and PDW to try and decode them. Once you have that you will have to try to get it to work with the CC1111EMK. I'm not sure how to do it, but you could easily test at home! Cheers, Andrew.

Hi Andrew, Great post, this has really helped me. I am working on a similar project.

I have examined my signal in great depth and it made me wonder if all remote signals follow a similar convention. My signal always starts with a long low (a pilot stream), one high (a sync bit) and then the code as set by the DIP switches on my remote. However, when I examined your signal I noticed that your signal does not follow the same convention. In contrast, your signal seems to start with a long high (perhaps a pilot stream) and there doesn't appear to be a sync bit, just the 12 bits as set by your DIP switches. I think this difference might be down to the encoder chip that the remote uses. My remote uses a HT12E chip. I was wondering if you might be able to tell me what chip yours uses?


You have a picture of the upside of your remote showing DIP switches; is there a chip visible on the reverse side with a part name on it? I would be very interested to know if our encoder chips are the same.

Found this page as it was mentioned on an old hak5 episode. They also had an episode where Michael Ossmann used osmocom_fft / inspectrum to decode a wireless cabinet lock! But as a total beginner, I find it a bit confusing, all the hardware and software products. For example, are HDSDR and SDR Sharp both used for the same purpose/hardware? Would any of those $20 dongles (i.e. RTL2382U adc/usb with E4000 tuner?) work equally with that software? I know rfcat runs on TI's wireless transceiver chip (cc1111) (ex. $150 yardstick), but can it do anything the hackrf or limesdr couldn't do? What about the ubertooth one (CC2591/CC2400)?

Could a general purpose SDR (usrp b210, sdrplay) run the same software (wireshark/kismet) and do the same thing? For example, I'd love to try gnuradio to do ATSC decoding, or do a GSM station (openbts?), or reverse engineer the RF protocol on a ceiling fan, or hack a 433MHz remote control, or decode a Kambrook Power Point Controller, bluetooth, key fobs, etc, etc! Any thoughts on the Airspy-r2 or the PantronX Titus II SDR?
