0:00:09.930,0:00:15.840
Herald: Alright, well thank you for your patience, and now we are starting our talk:
0:00:15.840,0:00:21.040
"My journey into FM-RDS" - Radio Data System, by Oona Räisänen.
0:00:21.040,0:00:27.850
Please give her a warm round of applause! [applause]
0:00:27.850,0:00:34.510
Oona: Thank you! Sorry, I brought my MacBook Pro.
0:00:34.510,0:00:40.570
My name is Oona, I'm a signals hacker and electronics hobbyist
0:00:40.570,0:00:44.200
and I do this thing only as a hobby.
0:00:44.200,0:00:52.500
And let's see my slides here. Some of you may
0:00:52.500,0:00:55.520
remember my blog or have read it.
0:00:55.520,0:01:00.990
And you may have seen this one,
0:01:00.990,0:01:09.840
that I also made - the dialup diagram.
0:01:09.840,0:01:14.440
This talk is not about that, just to give you some context.
0:01:14.440,0:01:18.710
Okay, so, into the story:
0:01:18.710,0:01:22.250
One night in 2007 I was listening to my radio
0:01:22.250,0:01:28.680
just an FM channel and some music going on.
0:01:28.680,0:01:32.810
And I was looking at the spectrum of course
0:01:32.810,0:01:38.810
on my PC while doing that. And I noticed,
0:01:38.810,0:01:42.250
I see the audio, that's normal, then above
0:01:42.250,0:01:46.630
the audio, at about 19 kHz something weird
0:01:46.630,0:01:51.490
is going on. There is a persistent sinusoidal tone.
0:01:51.490,0:01:54.850
And something, looking like sidebands,
0:01:54.850,0:01:58.690
on both sides of it. And I wanted to find out,
0:01:58.690,0:02:06.900
what could it be up there? Actually I have
0:02:06.900,0:02:15.510
some audio on my other computer:
0:02:15.510,0:02:23.970
[Audio: rds-mixdown.wav] This is just a radio channel played,
0:02:23.970,0:02:26.610
and I'm shifting the frequencies down to here,
0:02:26.610,0:02:31.200
what it sounds like up there.
0:02:41.130,0:02:44.190
Now at the moment it just sounds like a very piercing [Sounds from the radio]
0:02:44.190,0:02:47.920
tone of 19 kHz. That's the tone,
0:02:47.920,0:02:50.670
and I'm not actually hearing just yet
0:02:50.670,0:02:56.390
what's around it. Let's turn it down a bit further.
0:03:04.460,0:03:07.030
Now this is one of those sidebands that you
0:03:07.030,0:03:10.230
are seeing there.
0:03:10.230,0:03:13.663
I'm also now filtering out the music
0:03:13.663,0:03:16.589
to make it clearer.
0:03:20.289,0:03:22.360
It sounds very periodic.
0:03:22.360,0:03:25.607
So it means it could be data of some kind.
0:03:25.607,0:03:29.568
And it also brings up the memories of modem sounds.
0:03:29.568,0:03:33.398
So, I started to investigate this matter
0:03:33.398,0:03:35.128
a bit further.
0:03:39.248,0:03:47.480
I knew already that in the FM signal there
0:03:47.480,0:03:58.620
is the RDS data, that is used to send to car
0:03:58.620,0:04:03.420
radios the station name and the program currently
0:04:03.420,0:04:07.210
running on it and also some other information
0:04:07.210,0:04:12.410
like alternate frequencies [AF on the slide]
0:04:12.410,0:04:14.230
that this channel is broadcast on,
0:04:14.230,0:04:18.850
CT which is clock time, and something else,
0:04:18.850,0:04:20.970
information about other programs
0:04:20.970,0:04:25.730
and other frequencies and the program type,
0:04:25.730,0:04:29.840
radio text, traffic announcements,
0:04:29.840,0:04:34.546
and something called TMC or Traffic Message Channel.
0:04:34.546,0:04:40.830
So I thought, could this be it? So I downloaded
0:04:40.830,0:04:43.360
the 200 page RDS Standard,
0:04:43.360,0:04:47.840
or RBDS, as it's called in the United States
0:04:47.840,0:04:51.980
and started to do some analysis. Actually I
0:04:51.980,0:04:54.870
spent nights reading this,
0:04:54.870,0:04:56.540
and many times I fell asleep reading it.
0:04:56.540,0:05:00.380
[laughter] If you suffer from insomnia,
0:05:00.380,0:05:04.960
I suggest you read something like this.
0:05:04.960,0:05:10.270
And, what I found - well it was very well documented,
0:05:10.270,0:05:13.040
the protocol, there was for example this diagram
0:05:13.040,0:05:15.840
about an example receiver for RDS.
0:05:15.840,0:05:18.216
There's all the parts out there:
0:05:18.216,0:05:23.720
The FM signal is coming in, the audio is taken out,
0:05:23.720,0:05:27.720
and we are mixing it with some frequencies
0:05:27.720,0:05:30.500
to get out the RDS signal
0:05:30.500,0:05:38.830
and all that stuff. So, well using this information
0:05:38.830,0:05:42.770
I wrote a decoder in Perl. Everything must
0:05:42.770,0:05:49.495
be in Perl. [clapping] Thank you.
0:05:49.495,0:05:52.480
And I came up with this. It's showing a lot
0:05:52.480,0:05:55.729
of the information going on on the frequency.
0:05:55.729,0:05:58.520
And what's special about this is that it's only
0:05:58.520,0:06:02.840
decoded from the signal you were hearing on
0:06:02.840,0:06:07.990
the 19 kHz band. And it turns out this is actually
0:06:07.990,0:06:09.750
an error in the working of my radio.
0:06:09.750,0:06:13.999
Because I dropped it on the floor when I was moving,
0:06:13.999,0:06:17.840
and it started behaving weirdly. And I - it
0:06:17.840,0:06:19.730
was then when I got this weird signal on
0:06:19.730,0:06:22.890
the 19 kHz band. And it turns out that
0:06:22.890,0:06:26.310
the stereo decoder in my radio has somehow
0:06:26.310,0:06:33.170
started not to filter the stereo signal anymore,
0:06:33.170,0:06:38.800
which is near the RDS signal. So this is actually
0:06:38.800,0:06:41.280
being decoded from the audio, from the line
0:06:41.280,0:06:45.360
out of my radio. Nothing else was involved
0:06:45.360,0:06:49.830
in this. But then, well, it's a bit noisy,
0:06:49.830,0:06:54.420
it's near the 16 bit quantisation noise limit
0:06:54.420,0:06:57.750
of my soundcard. So I was thinking of better
0:06:57.750,0:07:01.520
ways to decode it with less noise.
0:07:01.520,0:07:03.820
And I started to look at my radio -
0:07:03.820,0:07:05.570
the schematics of my radio
0:07:05.570,0:07:08.140
and I found there is actually a decoder circuit
0:07:08.140,0:07:11.610
for RDS that it uses to display the data on
0:07:11.610,0:07:13.970
the screen, just the station name
0:07:13.970,0:07:18.230
and updates its clock. And unlike in today's
0:07:18.230,0:07:20.730
receivers the RDS chip is actually on its own
0:07:20.730,0:07:25.260
chip and it's not a one-chip-wonder receiver.
0:07:25.260,0:07:31.580
So I found the 4 pins that I needed for data,
0:07:31.580,0:07:35.840
clock signal and ground and just a quality bit,
0:07:35.840,0:07:41.430
that I'm not actually using. And I did some
0:07:41.430,0:07:43.820
ugly soldering work because I didn't want to
0:07:43.820,0:07:50.630
remove the RF shielding from this chip to hook
0:07:50.630,0:07:57.621
some cords to the decoder chip.
0:07:57.621,0:08:01.750
And then I used my soundcard to sample that.
0:08:01.750,0:08:05.140
Because it happens that the voltages that soundcard
0:08:05.140,0:08:07.830
is using are very close to the logic voltages
0:08:07.830,0:08:17.050
of [?] voltages of ICs in the 1 to 3.3 volt range.
0:08:17.050,0:08:20.830
So I actually used a sound card to sample
0:08:20.830,0:08:27.240
the logic coming out of there. And it's 1 kbaud
0:08:27.240,0:08:33.850
so it's not even very fast. And this is what
0:08:33.850,0:08:38.159
I was getting - at first. Well,
0:08:38.159,0:08:41.519
it looks like some bits, kind of.
0:08:41.519,0:08:43.610
Then after some filtering
0:08:43.610,0:08:47.180
and resoldering this is what I got.
0:08:47.180,0:08:50.950
Red is the left channel in the soundcard that
0:08:50.950,0:08:54.380
I hooked up in the clock signal output.
0:08:54.380,0:08:58.840
And green is what I hooked up to the data signal.
0:08:58.840,0:09:02.548
And it's very clear that the data can be decoded
0:09:02.548,0:09:07.650
with no errors from this.
0:09:07.650,0:09:17.140
Afterwards I also made a Raspberry Pi version of all this,
0:09:17.140,0:09:19.860
so the Perl code is actually running on my
0:09:19.860,0:09:22.590
Raspberry Pi and displaying it on a little
0:09:22.590,0:09:29.580
LCD next to it. But then - okay this is fun,
0:09:29.580,0:09:32.850
I can actually see more than my radio is displaying there.
0:09:32.850,0:09:36.550
I can see the radio text, I can see a numerical
0:09:36.550,0:09:40.850
code for each station so I can log the stations
0:09:40.850,0:09:45.340
and I only need to decode the number to know
0:09:45.340,0:09:48.840
what I'm listening to. But there was something
0:09:48.840,0:09:53.780
more on the frequency. I was getting an application -
0:09:53.780,0:09:58.480
some application running there that I didn't
0:09:58.480,0:10:03.230
recognize right away, but reading the standard
0:10:03.230,0:10:07.090
it became apparent that this was TMC, which is used
0:10:07.090,0:10:12.500
in these car navigators to just send information
0:10:12.500,0:10:15.350
about traffic jams and construction works
0:10:15.350,0:10:18.650
and things like that. And of course,
0:10:18.650,0:10:26.230
for the fun, I had to see what's going on there.
0:10:26.230,0:10:29.550
Now it turns out that in Finland the RDS signal
0:10:29.550,0:10:34.610
is encrypted, for reasons of commercial stuff.
0:10:34.610,0:10:38.500
I mean it's a business model, they encrypt
0:10:38.500,0:10:41.480
the signal and they sell the encryption keys
0:10:41.480,0:10:45.170
along with these navigator devices
0:10:45.170,0:10:47.040
and what they tell about the encryption in
0:10:47.040,0:10:49.510
the standard - they actually tell everything
0:10:49.510,0:10:55.260
about except the keys there. But one sentence
0:10:55.260,0:10:58.270
especially caught my mind there:
0:10:58.270,0:11:01.990
"The encryption is only light, but was adjusted
0:11:01.990,0:11:04.280
to be adequate to deter other than the most
0:11:04.280,0:11:14.314
determined hacker." [laughter, clapping]
0:11:14.314,0:11:19.644
Yeah, and obviously for a hacker this is like a challenge
0:11:19.644,0:11:23.770
[laughter] so I got to work. It was textually documented,
0:11:23.770,0:11:26.950
there were no encryption diagrams
0:11:26.950,0:11:29.020
or anything like that, but this is what I came
0:11:29.020,0:11:35.099
up with: It's a pretty simple cipher.
0:11:35.099,0:11:38.570
The location is a 16 bit database reference
0:11:38.570,0:11:42.400
to a database of locations that can be obtained
0:11:42.400,0:11:47.804
from the manufacturer of the navigators.
0:11:47.804,0:11:52.940
The keyspace is 16 bits, and different parts
0:11:52.940,0:11:57.230
of the key are used as, like, parameters for
0:11:57.230,0:11:59.990
the different operations in this cipher.
0:11:59.990,0:12:04.660
It's an easy enough cipher to be used on paper also
0:12:04.660,0:12:12.510
so when cryptanalyzing it I made some tests
0:12:12.510,0:12:17.390
on paper. So, how do I begin? I checked I can't
0:12:17.390,0:12:20.860
just brute force it - knowing nothing about
0:12:20.860,0:12:24.765
the transmission. So I made some assumptions:
0:12:24.765,0:12:28.520
The bandwidth is very low, several hundred baud,
0:12:28.520,0:12:33.530
so there must be some kind of filtering with these locations.
0:12:33.530,0:12:36.120
I was thinking, it could be that they are sending
0:12:36.120,0:12:39.950
only the locations - I mean only the announcements
0:12:39.950,0:12:42.930
that are near the transmitter like 100 miles
0:12:42.930,0:12:47.350
range or something. I looked at the location database,
0:12:47.350,0:12:49.690
that I by the way obtained by telling
0:12:49.690,0:12:52.000
the manufacturers that I'm an engineer
0:12:52.000,0:12:54.160
and I want to do some tests
0:12:54.160,0:12:57.340
and maybe some development of RDS-TMC software
0:12:57.340,0:13:05.050
- and now I have the database. So I started mapping,
0:13:05.050,0:13:10.714
actually listening to the announcements.
0:13:10.714,0:13:14.950
I took one announcement and I figured
0:13:14.950,0:13:17.390
one announcement is used for several days in
0:13:17.390,0:13:19.030
a row - actually several weeks,
0:13:19.030,0:13:21.060
because when there are roadworks on it
0:13:21.060,0:13:24.390
could last for months, weeks or something.
0:13:24.390,0:13:29.890
So, one day, I get the announcements
0:13:29.890,0:13:33.080
and I get the key-ID, which they are sending
0:13:33.080,0:13:36.370
in cleartext - that's how they signal which
0:13:36.370,0:13:38.740
key is in use today, because it's a changing
0:13:38.740,0:13:42.520
key scheme and there is a different key for
0:13:42.520,0:13:49.000
every day. And then they send the encrypted location.
0:13:49.000,0:13:52.890
So I listened for several weeks in a row,
0:13:52.890,0:13:56.490
documenting the encryption key id
0:13:56.490,0:14:00.930
and the location and then I just brute-forced
0:14:00.930,0:14:05.220
through the whole vast 16 bit keyspace to find
0:14:05.220,0:14:11.480
all the keys that decrypt into locations that
0:14:11.480,0:14:17.150
are near the transmitter. And eventually I
0:14:17.150,0:14:21.230
came up with all the keys. And here they are -
0:14:21.230,0:14:24.240
and because I wouldn't want to get into any more
0:14:24.240,0:14:30.440
trouble with this, well, yeah, I ended up finding
0:14:30.440,0:14:34.430
all the keys. And here is a prototype receiver
0:14:34.430,0:14:40.160
I wrote. It's receiving the messages
0:14:40.160,0:14:46.666
and showing a little map of the announcements.
0:14:46.666,0:14:51.012
So then I published this in a blog,
0:14:51.012,0:14:55.670
and I got an interesting reply from someone
0:14:55.670,0:15:01.447
who is involved in developing this:
0:15:01.447,0:15:04.460
"Sad to request, but can you take this offline?
0:15:04.460,0:15:18.882
It is kind of our service you hacked." [laughing, applause]
0:15:18.882,0:15:19.970
I had promised in
0:15:19.970,0:15:23.670
the beginning of my blog post, that if anyone
0:15:23.670,0:15:25.620
of the involved parties requests to take this
0:15:25.620,0:15:28.340
offline I will take it offline. But of course,
0:15:28.340,0:15:31.940
there are, well, my definitions of an involved
0:15:31.940,0:15:39.580
party are quite strict. And I replied by requesting
0:15:39.580,0:15:43.680
just the same message, but signed with their
0:15:43.680,0:15:47.700
cryptographic signature and preferably I could
0:15:47.700,0:15:52.560
fetch their public key from under their company domain.
0:15:52.560,0:15:55.860
And they never replied, so the blog post is
0:15:55.860,0:16:06.975
still on. [laughing, applause]
0:16:06.975,0:16:09.280
And actually while this conversation was going on,
0:16:09.280,0:16:11.900
it was of course being copied around
0:16:11.900,0:16:15.740
the world, on Cryptome also, so there was no
0:16:15.740,0:16:18.120
point in replying anymore. So yeah,
0:16:18.120,0:16:25.580
this is the first part of my adventure into RDS-Subcarriers.
0:16:25.580,0:16:29.160
Then I heard a rumour when presenting about this:
0:16:29.160,0:16:32.950
That the bus stop displays in Helsinki also
0:16:32.950,0:16:40.474
receive their data about the next buses on the RDS signal.
0:16:40.474,0:16:43.600
So I started to look a bit more in the applications,
0:16:43.600,0:16:46.480
but there was nothing in the application list
0:16:46.480,0:16:52.760
about bus stops or anything else than TMC.
0:16:52.760,0:16:58.840
For reference these are the displays I am talking about.
0:16:58.840,0:17:02.090
So they are displaying the bus number
0:17:02.090,0:17:04.510
and the minutes and where it is going
0:17:04.510,0:17:07.589
and it's updating live. And these are battery-operated
0:17:07.589,0:17:11.445
and they are not connected to anything by wire.
0:17:11.445,0:17:13.608
So there must be some kind of a radio protocol.
0:17:13.608,0:17:17.770
But yeah, this was a nice clue.
0:17:17.770,0:17:20.600
So I started googling about this - there was
0:17:20.600,0:17:22.770
not very much information about it,
0:17:22.770,0:17:26.700
except for the Finnish communication authority's
0:17:26.700,0:17:31.180
internal magazine. They were telling about
0:17:31.180,0:17:35.780
all kinds of - sorry about my Finnish text
0:17:35.780,0:17:39.660
of course - they were telling about all kinds
0:17:39.660,0:17:42.090
of everyday radio signals,
0:17:42.090,0:17:45.230
and they confirmed my guess, that it's being
0:17:45.230,0:17:48.900
transmitted on the FM radio and they even told
0:17:48.900,0:17:50.970
the channel, but that's all they told.
0:17:50.970,0:17:53.820
They were just telling it's being transmitted
0:17:53.820,0:17:57.200
on "YLE 1" frequencies. No protocol.
0:17:57.200,0:18:02.850
Nothing about RDS. So I fired up my other radio,
0:18:02.850,0:18:06.570
which can do a larger spectrum. Which is of
0:18:06.570,0:18:11.050
course the Realtek RTL-SDR packaged in an aluminium
0:18:11.050,0:18:20.093
tin here. [applause]
0:18:20.093,0:18:30.803
So I demodulated the "YLE 1" station signal on a bigger bandwidth.
0:18:30.803,0:18:34.020
And here is what I saw. On the left is
0:18:34.020,0:18:43.315
the audio, here is the obnoxious tone you just heard.
0:18:43.315,0:18:47.020
Here is the stereo separation signal that tells
0:18:47.020,0:18:49.380
the relation of the left channel
0:18:49.380,0:18:53.230
and the right channel. Here is RDS where it
0:18:53.230,0:18:56.800
actually should be, but for some reason it
0:18:56.800,0:19:00.760
was aliased to around the pilot tone in my
0:19:00.760,0:19:06.090
older radio. And this fourth harmonic of
0:19:06.090,0:19:10.090
the pilot tone contains obviously some data,
0:19:10.090,0:19:12.890
on a very wide bandwidth compared to
0:19:12.890,0:19:16.850
the RDS.
0:19:16.850,0:19:22.280
What could it be and how could I ever find out? Well,
0:19:22.280,0:19:26.250
it's centered around 76 kHz on the demodulated signal,
0:19:26.250,0:19:31.500
the composite signal. So I started by googling
0:19:31.500,0:19:36.710
for 76 kHz, and I found something called DARC
0:19:36.710,0:19:40.660
or "Data Radio Channel". It's not to be confused
0:19:40.660,0:19:44.850
with RDS which is the Radio Data System of course.
0:19:44.850,0:19:48.528
These are very imaginative names.
0:19:48.528,0:19:51.450
I found out that it is a very much more complex
0:19:51.450,0:19:59.960
modulation scheme. It uses QPSK which is a
0:19:59.960,0:20:04.500
four phase modulation scheme. Well I'm not
0:20:04.500,0:20:07.380
an engineer, I'm not a DSP specialist,
0:20:07.380,0:20:12.490
I am a DSP hacker, but I don't know much about
0:20:12.490,0:20:17.730
demodulating QPSK. So I decided to treat it
0:20:17.730,0:20:20.980
as an FSK signal, because that is possible
0:20:20.980,0:20:30.020
with QPSK. It is suboptimal, but it works -
0:20:30.020,0:20:37.610
I can get the data out. The upper part is
0:20:37.610,0:20:42.350
the DARC signal filtered. Here is the DARC
0:20:42.350,0:20:47.750
signal using two band-pass filters that are
0:20:47.750,0:20:53.380
on 76+4 and 76-4 and superimposed in red
0:20:53.380,0:20:59.600
and blue, like an FSK. And here is just blue
0:20:59.600,0:21:02.770
minus red, or the other way around,
0:21:02.770,0:21:14.990
which is actually binary data. So I had to
0:21:14.990,0:21:16.680
treat the error correction
0:21:16.680,0:21:19.550
and error detection, and it was very complicated.
0:21:19.550,0:21:24.700
And I had to write a general CRC subroutine in
0:21:24.700,0:21:30.940
Perl because I had to deal with such large
0:21:30.940,0:21:34.260
numbers that I couldn't use just integers -
0:21:34.260,0:21:37.550
I had to actually use string magic.
0:21:37.550,0:21:40.920
So I'm actually concatenating strings of ones
0:21:40.920,0:21:44.180
and zeroes. And using this kind of general
0:21:44.180,0:21:50.570
CRC routine for calculating the error correction
0:21:50.570,0:21:56.570
and detection. So, this is DARC
0:21:56.570,0:21:58.830
and I'm actually getting packets out,
0:21:58.830,0:22:02.107
but I have no idea what the packets mean.
0:22:02.107,0:22:05.020
So I started looking for any human readable
0:22:05.020,0:22:08.020
data out of there, because there is no documentation
0:22:08.020,0:22:17.290
about this. For example, this was one type
0:22:17.290,0:22:22.640
of packet that I've found: RUSKEASUO BRUNAKÄRR,
0:22:22.640,0:22:26.400
that means something for Finns - that's a place
0:22:26.400,0:22:32.730
in Helsinki, where the bus 23N happens to go.
0:22:32.730,0:22:36.010
So I figured this could be a packet telling
0:22:36.010,0:22:42.317
something about, just generally about buses.
0:22:42.317,0:22:46.020
And actually I went so far as to label all
0:22:46.020,0:22:49.980
the fields in the end, because I collected
0:22:49.980,0:22:52.660
so many of them. And I found out,
0:22:52.660,0:22:57.420
the system is sending one of these packets
0:22:57.420,0:23:01.710
to every display once a day. So it's updating
0:23:01.710,0:23:05.190
the information about all possible buses that
0:23:05.190,0:23:11.427
are passing this bus stop today.
0:23:11.427,0:23:13.930
It's using such low bandwidth that updating
0:23:13.930,0:23:18.338
all the displays takes one day.
0:23:18.338,0:23:20.920
Then I found another type of packet,
0:23:20.920,0:23:27.800
with no actual strings. But I found definite
0:23:27.800,0:23:33.200
references to the above packet. And I found
0:23:33.200,0:23:35.750
this is the packet used to update the minutes
0:23:35.750,0:23:38.440
information in these displays. It's being sent
0:23:38.440,0:23:47.210
very fast, 3 times per minute, to every display.
0:23:47.210,0:23:55.450
It contains minutes for 8 buses per packet,
0:23:55.450,0:24:00.480
and information about whether they are actually
0:24:00.480,0:24:05.320
GPS located or if it's a guess based on time tables.
0:24:08.110,0:24:13.340
And I used all this information, I had a functional goal:
0:24:13.340,0:24:18.010
to build my own display, because the tram stop
0:24:18.010,0:24:19.830
is 200 metres from my house,
0:24:19.830,0:24:27.200
and I want to know when the tram is actually coming.
0:24:27.200,0:24:29.740
Because this information is actually
0:24:29.740,0:24:34.810
the GPS located information. So this is what
0:24:34.810,0:24:45.331
I built [applause]
0:24:45.331,0:24:51.306
It's just a basic HD44780 display
0:24:51.306,0:24:53.560
controlled by a Raspberry Pi,
0:24:53.560,0:24:59.280
decoding the signal from the RTL-SDR. For some
0:24:59.280,0:25:02.560
reason I blogged about it
0:25:02.560,0:25:04.300
and it became very popular in Finland,
0:25:04.300,0:25:07.980
in Helsinki especially, and there was a news
0:25:07.980,0:25:14.550
article about it. And a representative of
0:25:14.550,0:25:16.830
the bus company was saying that "OK,
0:25:16.830,0:25:19.690
she can decode the signal, but transmitting
0:25:19.690,0:25:27.250
will be difficult." [laughter]
0:25:27.250,0:25:31.570
I haven't actually done it yet. But he was saying that
0:25:31.570,0:25:34.830
it's difficult because you have to shout louder
0:25:34.830,0:25:37.080
than everyone else on the frequency.
0:25:37.080,0:25:41.290
And even then it becomes mangled, because
0:25:41.290,0:25:44.990
it becomes a mix of those two signals.
0:25:44.990,0:25:47.880
I don't think he really knew what he was talking about,
0:25:47.880,0:25:52.050
because there is something called the FM capture effect.
0:25:52.050,0:25:56.890
That if you send stronger than another FM transmission
0:25:56.890,0:26:00.020
on the same frequency, only the stronger signal
0:26:00.020,0:26:07.877
becomes captured and the weaker becomes actually attenuated.
0:26:07.877,0:26:13.380
That is a very useful phenomenon. Right now
0:26:13.380,0:26:18.220
I am actually in the process of making my own
0:26:18.220,0:26:30.500
display updater. [laughter, applause]
0:26:30.500,0:26:33.080
Possibly for showing all kinds of funny stuff on
0:26:33.080,0:26:37.320
the displays. Someone at the bus company actually
0:26:37.320,0:26:41.390
donated one of those displays to me after this,
0:26:41.390,0:26:44.160
so I have something to test it on.
0:26:44.160,0:26:46.640
Because obviously I'm not going to transmit
0:26:46.640,0:26:52.460
any high-power signals with this ever.
0:26:52.460,0:26:53.990
But right now, I'm building it.
0:26:53.990,0:26:56.060
The only problem that I'm having right now
0:26:56.060,0:26:59.510
is that my soundcard that I am using to generate
0:26:59.510,0:27:04.510
the signal fully digitally of course is too slow.
0:27:04.510,0:27:09.040
The DARC signal is 76 kHz, so I need at least a
0:27:09.040,0:27:12.920
162 kHz soundcard, I mean DAC,
0:27:12.920,0:27:18.400
to create my analogue signal. I only have a
0:27:18.400,0:27:22.930
96 kHz soundcard right now, so I can only generate
0:27:22.930,0:27:27.910
the stereo signal. Perhaps in the future,
0:27:27.910,0:27:31.970
that will be the next project. Thank you.
0:27:31.970,0:27:47.880
[applause]
0:27:47.880,0:27:50.200
Herald: Well, thank you very much, Oona,
0:27:50.200,0:27:52.970
I think we're all impressed with hacking a radio,
0:27:52.970,0:27:55.940
I never thought about this opportunity.
0:27:55.940,0:27:58.110
Now we have time for questions from
0:27:58.110,0:27:59.780
the room. If you want to ask questions,
0:27:59.780,0:28:02.900
could you please line up at the microphones
0:28:02.900,0:28:07.380
right here. In the mean time, let me ask our
0:28:07.380,0:28:09.310
signal angel if he has a question from
0:28:09.310,0:28:11.840
the internet. Could you tell us please? Signal Angel: Yeah,
0:28:11.840,0:28:14.300
so the internet wants to know: Is there any
0:28:14.300,0:28:16.950
open hardware radio receiver that you can recommend
0:28:16.950,0:28:19.590
for tinkering at home? Oona: Yeah,
0:28:19.590,0:28:25.300
the RTL-SDR is a very good piece of hardware to start with
0:28:25.300,0:28:28.270
I think I have one of those with me right now,
0:28:28.270,0:28:31.110
I mean the one I showed with the Hello Kitty
0:28:31.110,0:28:35.070
tin around it. I'm using a tin to attenuate
0:28:35.070,0:28:38.590
any local interference. But it's just a DVB
0:28:38.590,0:28:47.400
digital tv stick some wise guy on the internet
0:28:47.400,0:28:49.930
found to be possible to hack
0:28:49.930,0:28:58.090
and tune to any frequency from 30 to 1700 MHz
0:28:58.090,0:29:01.690
And it's very useful. Doesn't go higher
0:29:01.690,0:29:03.800
than that, doesn't go lower than that,
0:29:03.800,0:29:07.750
but it is a good start. Herald: Okay. Questions from
0:29:07.750,0:29:13.030
the room? Mic: I've just a bit of input on
0:29:13.030,0:29:17.270
the transmitter thing. There is a project that
0:29:17.270,0:29:21.190
uses the Raspberry Pi DMA controller,
0:29:21.190,0:29:23.370
which you can use to send signals at about
0:29:23.370,0:29:28.320
140 MHz on the GPIO pins, so maybe that could
0:29:28.320,0:29:31.060
be used. Oona: Ooh, thanks for the [?] That will
0:29:31.060,0:29:33.660
be very useful. I've been thinking about
0:29:33.660,0:29:36.640
the GPIO but it's unfiltered of course.
0:29:36.640,0:29:42.150
Mic: The raw DMA controller output gets dumped on
0:29:42.150,0:29:47.340
one of the GPIO pins. As far as I know it's
0:29:47.340,0:29:50.490
good enough to transmit FM stereo audio.
0:29:50.490,0:29:53.960
Oona: Okay, yeah. It would be worthwhile testing
0:29:53.960,0:29:56.850
with RDS first maybe. Thank you for
0:29:56.850,0:30:00.270
the tip, yeah, it's very useful. Herald: So maybe we
0:30:00.270,0:30:02.220
could buy them at the next congress,
0:30:02.220,0:30:03.600
right? [laughter] Oona: Could be,
0:30:03.600,0:30:09.730
could be. Herald: Go ahead please. Mic: Thanks for the interesting talk,
0:30:09.730,0:30:18.120
I have two questions. You said that you can decode QPSK as FSK by
0:30:18.120,0:30:21.700
a simple trick. How much less quality do you
0:30:21.700,0:30:25.270
get? 3 dB, 6 dB, what is it? Oona: I'm not sure
0:30:25.270,0:30:28.720
about the details, but well it just crossed
0:30:28.720,0:30:34.140
my mind that you can do it. It's actually MSK
0:30:34.140,0:30:37.690
but it's a sort of a QPSK signal.
0:30:37.690,0:30:41.240
So it's minimum shift keying. And essentially
0:30:41.240,0:30:46.570
it's being generated in the transmitter as FSK,
0:30:46.570,0:30:50.580
but that's a special form of FSK,
0:30:50.580,0:30:53.390
so that's why it can be decoded as FSK.
0:30:53.390,0:30:55.500
Mic: Okay, and a brief second question: In
0:30:55.500,0:30:58.630
the picture where you took the signal from
0:30:58.630,0:31:01.530
your digital radio, it was a Sangean ATS 909
0:31:01.530,0:31:09.390
or what radio you used? I've got one of those
0:31:09.390,0:31:11.290
and I was wondering if I could pick up
0:31:11.290,0:31:15.700
the signals in there as well. [...]
0:31:15.700,0:31:19.660
Oona: The Radio is a Sangean ATS 909,
0:31:19.660,0:31:22.530
I've modified it a bit, you can take a look
0:31:22.530,0:31:26.500
if you want. Herald: Any other question from
0:31:26.500,0:31:29.270
the internet? Oh, our signal angel has nothing,
0:31:29.270,0:31:32.630
then let's go ahead right here please.
0:31:32.630,0:31:35.030
Mic: Have you considered what [...]
0:31:35.030,0:31:38.550
going to be beyond transmitting the signal.
0:31:38.550,0:31:41.960
What are you going to be next challenges you're
0:31:41.960,0:31:44.160
taking out? Are you going to look at other
0:31:44.160,0:31:47.360
wireless services that are around there in
0:31:47.360,0:31:50.690
terms of utilities, because traditionally there
0:31:50.690,0:31:52.030
are many. Oona: There are many, yeah,
0:31:52.030,0:31:56.750
it's a very interesting world. And I'm actually
0:31:56.750,0:31:58.970
listening to several signals at the moment
0:31:58.970,0:32:04.240
in my home right now. Mic: Mind telling us a little
0:32:04.240,0:32:07.290
glimpse? Oona: There is the local taxi company
0:32:07.290,0:32:11.800
that is using the frequency range from 40 to
0:32:11.800,0:32:17.430
70 MHz, they send information about next clients
0:32:17.430,0:32:22.120
and also locating all their cabs,
0:32:22.120,0:32:25.540
and I'm trying to decode what it's about.
0:32:25.540,0:32:30.590
Perhaps I'll make a map of all their cars. -
0:32:30.590,0:32:32.740
Of course there is also TETRA.
0:32:32.740,0:32:35.980
Not many people know that TETRA is not encrypted,
0:32:35.980,0:32:38.020
it's usually encrypted, but not always.
0:32:38.020,0:32:42.480
And many applications in TETRA are in clear text.
0:32:42.480,0:32:46.210
You can listen to it, if you really want to.
0:32:46.210,0:32:52.660
Mic: Which sort of teases me now to ask a question:
0:32:52.660,0:32:55.990
What's the legal situation for you in Finland
0:32:55.990,0:32:59.150
when it comes to decoding such transmissions
0:32:59.150,0:33:01.170
when they are not encrypted. Herald: You have
0:33:01.170,0:33:03.200
the right to remain silent. Mic: Yeah,
0:33:03.200,0:33:06.470
you don't have to answer that. Oona: Well,
0:33:06.470,0:33:09.470
I believe that it's legal to decode them.
0:33:09.470,0:33:19.060
I don't care if it's not. [laughter, applause]
0:33:19.060,0:33:21.920
Yeah, of course, actually making an FM transmitter would be illegal
0:33:21.920,0:33:28.600
if it's a high enough power.
0:33:28.600,0:33:32.440
Herald: Okay, over there. Let's go, please? Mic: Could you
0:33:32.440,0:33:36.520
maybe elaborate a bit about the bus stop packet contents,
0:33:36.520,0:33:38.250
so currently they are not encrypted,
0:33:38.250,0:33:42.380
is there any signature to verify it's a legit
0:33:42.380,0:33:45.160
packet? Oona: No, they aren't using any encryption
0:33:45.160,0:33:48.560
or signature overhead, because it's such a low-bandwidth channel.
0:33:48.560,0:33:53.140
So you can spoof it. I guess it should be trivial.
0:33:53.140,0:33:55.220
Actually there are some types of packets that
0:33:55.220,0:33:58.590
I don't know the meaning of. But they are non changing,
0:33:58.590,0:34:01.890
so they obviously can't be anything [?]
0:34:01.890,0:34:07.740
or anything like that. Herald: Okay, go ahead please.
0:34:07.740,0:34:10.699
Mic: I wanted to add some information on
0:34:10.699,0:34:13.980
the situation in Germany: We have two types
0:34:13.980,0:34:16.159
of radio stations, the public radio stations
0:34:16.159,0:34:20.949
broadcast RDS that are unencrypted, so if you
0:34:20.949,0:34:25.110
get the RDS data, you can get the raw location codes.
0:34:25.110,0:34:30.470
And the TMC messages are usually sent by private
0:34:30.470,0:34:34.100
radio stations. The fun thing is,
0:34:34.100,0:34:37.740
that you get both the unencrypted location
0:34:37.740,0:34:40.550
codes and encrypted location codes.
0:34:40.550,0:34:42.580
So if you listen to two radio stations in
0:34:42.580,0:34:46.920
the same area, you can actually cross-correlate
0:34:46.920,0:34:50.719
these and try to figure out the key.
0:34:50.719,0:34:52.480
And the other thing I wanted to say:
0:34:52.480,0:34:55.719
If somebody is just interested in RDS,
0:34:55.719,0:34:59.480
there are relatively cheap usb sticks that
0:34:59.480,0:35:01.290
will do all the decoding for you. -
0:35:01.290,0:35:09.010
Oona: Yeah, FM Radio sticks.
0:35:09.010,0:35:14.950
Mic: Is there any book you can recommend for getting started with processing
0:35:14.950,0:35:17.110
of digital radio transmissions? Oona: Well,
0:35:17.110,0:35:21.380
I've read a few chapters of the - I don't know
0:35:21.380,0:35:23.990
the name actually - but the DSP [?] guided
0:35:23.990,0:35:28.160
commerce[?] - The Engineer's Guide to DSP,
0:35:28.160,0:35:33.410
It's a blue book, that's all I know.
0:35:33.410,0:35:39.020
It's freely available online, try it with Google.
0:35:39.020,0:35:46.280
Mic: Thank you. Herald: Any more questions,
0:35:46.280,0:35:50.565
or from the internet? Nothing right there.
0:35:50.565,0:35:52.170
Well, Oona, thank you very much.
0:35:52.170,0:35:54.229
That was a very interesting talk,
0:35:54.229,0:35:56.188
and we look forward to having you next year
0:35:56.188,0:35:57.728
with more signals.
0:35:57.728,0:36:02.124
[Applause]
0:36:02.124,0:36:11.722
subtitles created by c3subtitles.de