https:/.../30c3-5588-en-de-My_journey_into_FM-RDS_h264-iprod.mp4
-
0:10 - 0:16Herald: Alright, well thank you for your
patience and now we are starting our talk: -
0:16 - 0:21"My journey into FM-RDS"
- radio data system by Oona Räisänen. -
0:21 - 0:28Please give her a warm round of applause!
applause -
0:28 - 0:35Oona: Thank you!
Sorry I brought my MacBook Pro. -
0:35 - 0:41My name is Oona, I'm a signals hacker
and electronics hobbyist -
0:41 - 0:44and I do this thing only for hobby.
-
0:44 - 0:52And let's see my slides here. Some of you may
-
0:52 - 0:56remember my blog or have read it.
-
0:56 - 1:01And you may have seen this one,
-
1:01 - 1:10that I also made - the dialup diagram.
-
1:10 - 1:14This talk is not about that, just to give you some context.
-
1:14 - 1:19Okay, so, into the story:
-
1:19 - 1:22One night in 2007 I was listening to my radio
-
1:22 - 1:29just an FM channel and some music going on.
-
1:29 - 1:33And I was looking at the spectrum of course
-
1:33 - 1:39on my PC while doing that. And I noticed,
-
1:39 - 1:42I see the audio, that's normal, then above
-
1:42 - 1:47the audio, at about 19 kHz something weird
-
1:47 - 1:51is going on. There is a persistent sinusoidal tone.
-
1:51 - 1:55And something, looking like sidebands,
-
1:55 - 1:59on both sides of it. And I wanted to find out,
-
1:59 - 2:07what could it be up there? Actually I have
-
2:07 - 2:16some audio on my other computer:
-
2:16 - 2:24[Audio: rds-mixdown.wav]
This is just a radio channel played, -
2:24 - 2:27and I'm shifting the frequencies down to here,
-
2:27 - 2:31what it sounds like up there.
-
2:41 - 2:44Now at the moment it just sounds like a very piercing
[Sounds from the radio] -
2:44 - 2:48tone of 19 kHz. That's the tone,
-
2:48 - 2:51and I'm not actually hearing just yet
-
2:51 - 2:56what's around it. Let's turn it down a bit further.
-
3:04 - 3:07Now this is one of these sidebands that you
-
3:07 - 3:10are seeing there.
-
3:10 - 3:14I'm also now filtering out the music
-
3:14 - 3:17to make it clearer.
-
3:20 - 3:22It sounds very periodic.
-
3:22 - 3:26So it means it could be data of some kind.
-
3:26 - 3:30And it also brings up the memories of modem sounds.
-
3:30 - 3:33So, I started to investigate this matter
-
3:33 - 3:35a bit further.
-
3:39 - 3:47I knew already that in the FM signal there
-
3:47 - 3:59is the RDS data, that is used to send to car
-
3:59 - 4:03radios the station name and the program currently
-
4:03 - 4:07running on it and also some other information
-
4:07 - 4:12like alternate frequencies [AF on the slide]
-
4:12 - 4:14that this channel is broadcasted on,
-
4:14 - 4:19CT which is clock time, and something else,
-
4:19 - 4:21information about other programs
-
4:21 - 4:26and other frequencies and the program type,
-
4:26 - 4:30radio text, traffic announcements,
-
4:30 - 4:35and something called TMC or Traffic Message Channel.
-
4:35 - 4:41So I thought, could this be it? So I downloaded
-
4:41 - 4:43the 200 page RDS Standard,
-
4:43 - 4:48or RBDS, as it's called in the United States
-
4:48 - 4:52and started to do some analysis. Actually I
-
4:52 - 4:55spent nights reading this,
-
4:55 - 4:57and many times I fell asleep reading it.
-
4:57 - 5:00laughter
If you suffer from insomnia, -
5:00 - 5:05I suggest you read something like this.
-
5:05 - 5:10And, what I found - well it was very well documented,
-
5:10 - 5:13the protocol, there was for example this diagram
-
5:13 - 5:16about an example receiver for RDS.
-
5:16 - 5:18There's all the parts out there:
-
5:18 - 5:24The FM signal is coming in, the audio is taken out,
-
5:24 - 5:28and we are mixing it with some frequencies
-
5:28 - 5:30to get out the RDS signal
-
5:30 - 5:39and all that stuff. So, well using this information
-
5:39 - 5:43I wrote a decoder in Perl. Everything must
-
5:43 - 5:49be in Perl. clapping Thank you.
-
5:49 - 5:52And I came up with this. It's showing a lot
-
5:52 - 5:56of the information going on on the frequency.
-
5:56 - 5:59And what's special about this is that it's only
-
5:59 - 6:03decoded from the signal you were hearing on
-
6:03 - 6:08the 19 kHz band. And it turns out this is actually
-
6:08 - 6:10an error in the working of my radio.
-
6:10 - 6:14Because I dropped it on the floor when I was moving,
-
6:14 - 6:18and it started behaving weirdly. And I - it
-
6:18 - 6:20was then when I got this weird signal on
-
6:20 - 6:23the 19 kHz band. And it turns out that
-
6:23 - 6:26the stereo decoder in my radio has somehow
-
6:26 - 6:33started not to filter anymore the stereo signal,
-
6:33 - 6:39which is near the RDS signal. So this is actually
-
6:39 - 6:41being decoded from the audio, from the line
-
6:41 - 6:45out of my radio. Nothing else was involved
-
6:45 - 6:50in this. But then, well, it's a bit noisy,
-
6:50 - 6:54it's near the 16 bit quantisation noise limit
-
6:54 - 6:58of my soundcard. So I was thinking of better
-
6:58 - 7:02ways to decode it with less noise.
-
7:02 - 7:04And I started to look at my radio -
-
7:04 - 7:06the schematics of my radio
-
7:06 - 7:08and I found there is actually a decoder circuit
-
7:08 - 7:12for RDS that it uses to display the data on
-
7:12 - 7:14the screen, just the station name
-
7:14 - 7:18and updates its clock. And unlike in today's
-
7:18 - 7:21receivers the RDS chip is actually on its own
-
7:21 - 7:25chip and it's not a one-chip-wonder receiver.
-
7:25 - 7:32So I found the 4 pins that I needed for data,
-
7:32 - 7:36clock signal and ground and just a quality bit,
-
7:36 - 7:41that I'm not actually using. And I did some
-
7:41 - 7:44ugly soldering work because I didn't want to
-
7:44 - 7:51remove the RF shielding from this chip to hook
-
7:51 - 7:58some cords to the decoder chip.
-
7:58 - 8:02And then I used my soundcard to sample that.
-
8:02 - 8:05Because it happens that the voltages that soundcard
-
8:05 - 8:08is using are very close to the logic voltages
-
8:08 - 8:17of [?] Voltages of ICs in the 1 to 3.3 volt range.
-
8:17 - 8:21So I actually used a sound card to sample
-
8:21 - 8:27the logic coming out of there. And it's 1 kbaud
-
8:27 - 8:34so it's not even very fast. And this is what
-
8:34 - 8:38I was getting - at first. Well,
-
8:38 - 8:42it looks like some bits, kind of.
-
8:42 - 8:44Then after some filtering
-
8:44 - 8:47and resoldering this is what I got.
-
8:47 - 8:51Red is the left channel in the soundcard that
-
8:51 - 8:54I hooked up in the clock signal output.
-
8:54 - 8:59And green is what I hooked up to the data signal.
-
8:59 - 9:03And it's very clear that the data can be decoded
-
9:03 - 9:08with no errors from this.
-
9:08 - 9:17Afterwards I also made a Raspberry Pi version of all this,
-
9:17 - 9:20so the Perl code is actually running on my
-
9:20 - 9:23Raspberry Pi and displaying it on a little
-
9:23 - 9:30LCD next to it. But then - okay this is fun,
-
9:30 - 9:33I can actually see more than
my radio is displaying there. -
9:33 - 9:37I can see the radio text, I can see a numerical
-
9:37 - 9:41code for each station so I can log the stations
-
9:41 - 9:45and I only need to decode the number to know
-
9:45 - 9:49what I'm listening to. But there was something
-
9:49 - 9:54more on the frequency. I was getting an application -
-
9:54 - 9:58some application running there that I didn't
-
9:58 - 10:03recognize right away, but reading the standard
-
10:03 - 10:07it became apparent that this TMC that is used
-
10:07 - 10:12in these car navigators to just send information
-
10:12 - 10:15about traffic jams and construction works
-
10:15 - 10:19and things like that. And of course,
-
10:19 - 10:26for the fun, I had to see what's going on there.
-
10:26 - 10:30Now it turns out that in Finland the RDS signal
-
10:30 - 10:35is encrypted, for reasons of commercial stuff.
-
10:35 - 10:38I mean it's a business model, they encrypt
-
10:38 - 10:41the signal and they sell the encryption keys
-
10:41 - 10:45along with these navigator devices
-
10:45 - 10:47and what they tell about the encryption in
-
10:47 - 10:50the standard - they actually tell everything
-
10:50 - 10:55about except the keys there. But one sentence
-
10:55 - 10:58especially caught my mind there:
-
10:58 - 11:02"The encryption is only light, but was adjust
-
11:02 - 11:04to be adequate to deter other than the most
-
11:04 - 11:14determined hacker."
laughter, clapping -
11:14 - 11:20Yeah, and obviously for hacker this is like an challenge
-
11:20 - 11:24laughter
so I got to work. It was textually documented, -
11:24 - 11:27there was no encryption diagrams
-
11:27 - 11:29or anything like that, but this is what I came
-
11:29 - 11:35up with: It's a pretty simple cipher.
-
11:35 - 11:39The location is a 16 bit database reference
-
11:39 - 11:42to a database of locations that can be obtained
-
11:42 - 11:48from the manufacturer of the navigators.
-
11:48 - 11:53The keyspace is 16 bits, and different parts
-
11:53 - 11:57of the key are used to like parameters for
-
11:57 - 12:00the different operations in this cipher.
-
12:00 - 12:05It's an easy enough cipher
to be used on paper also -
12:05 - 12:13so when cryptanalyzing it I made some tests
-
12:13 - 12:17on paper. So, how do I begin? I checked I can't
-
12:17 - 12:21just brute force it - knowing nothing about
-
12:21 - 12:25the transmission. So I
made some assumptions: -
12:25 - 12:29The bandwidth is very low,
several hundred baud, -
12:29 - 12:34so it must be some kind of
filtering with this locations. -
12:34 - 12:36I was thinking, it could be
that they are sending -
12:36 - 12:40only the locations - I mean only the announcements
-
12:40 - 12:43that are near the transmitter like 100 miles
-
12:43 - 12:47range or something. I looked
at the location database, -
12:47 - 12:50that I by the way obtained by telling
-
12:50 - 12:52the manufacturers that I'm an engineer
-
12:52 - 12:54and I want to do some tests
-
12:54 - 12:57and maybe some development
of RDS-TMC-Software -
12:57 - 13:05- and now I have the database.
So I started mapping, -
13:05 - 13:11actually listening to the announcements.
-
13:11 - 13:15I took one announcement and I figured
-
13:15 - 13:17one announcement is used for several days in
-
13:17 - 13:19an row - actually several weeks,
-
13:19 - 13:21because when there
are roadworks on it -
13:21 - 13:24could last for months, weeks or something.
-
13:24 - 13:30So, one day, I get the announcements
-
13:30 - 13:33and I get the key-ID, which they are sending
-
13:33 - 13:36in cleartext - that's how they signal which
-
13:36 - 13:39key is in use today, because it's a changing
-
13:39 - 13:43key scheme and there is a different key for
-
13:43 - 13:49every day. And then they send
the encrypted location. -
13:49 - 13:53So I listened for several weeks in a row,
-
13:53 - 13:56documenting the encryption key id
-
13:56 - 14:01and the location and then I just bruteforced
-
14:01 - 14:05through the whole vast 16 bit keyspace to find
-
14:05 - 14:11all the keys that decrypt into locations that
-
14:11 - 14:17are near the transmitter. And eventually I
-
14:17 - 14:21came up with all the keys. And here they are -
-
14:21 - 14:24and because wouldn't want
to get into any more -
14:24 - 14:30trouble with this, well,
yeah, I ended up finding -
14:30 - 14:34all the keys. And here is a prototype receiver
-
14:34 - 14:40I wrote. It's receiving the messages
-
14:40 - 14:47and showing a little map of the announcements.
-
14:47 - 14:51So then I published this in a blog,
-
14:51 - 14:56and I got an interesting reply from someone
-
14:56 - 15:01who is involved in developing this:
-
15:01 - 15:04"Sad to request, but can you take this offline?
-
15:04 - 15:19It is kind of our service you hacked."
laughing, applause -
15:19 - 15:20I had promised in
-
15:20 - 15:24the beginning of my blog post, that if anyone
-
15:24 - 15:26of the involved parties requests to take this
-
15:26 - 15:28offline I will take it offline. But of course,
-
15:28 - 15:32there are, well, my definitions of an involved
-
15:32 - 15:40party are quite strict. And I replied by requesting
-
15:40 - 15:44just the same message, but signed with their
-
15:44 - 15:48cryptographic signature and preferably I could
-
15:48 - 15:53fetch their public key from under their company domain.
-
15:53 - 15:56And they never replied, so the blog post is
-
15:56 - 16:07still on.
laughing, applause -
16:07 - 16:09And actually while this conversation was going on,
-
16:09 - 16:12it was of course being copied around
-
16:12 - 16:16the world, in cryptome also, so there was no
-
16:16 - 16:18point in replying anymore. So yeah,
-
16:18 - 16:26this is the first part of my adventure into RDS-Subcarriers.
-
16:26 - 16:29Then I heard an rumour when presenting about this:
-
16:29 - 16:33That the Bus-Stop-Displays in Helsinki also
-
16:33 - 16:40receive their data about the next buses on the RDS-Signal.
-
16:40 - 16:44So I started to look a bit more in the applications,
-
16:44 - 16:46but there was nothing in the application list
-
16:46 - 16:53about bus stops or anything else than TMC.
-
16:53 - 16:59For reference these are the displays I am talking about.
-
16:59 - 17:02So they are displaying the busnumber
-
17:02 - 17:05and the minutes and where it is going
-
17:05 - 17:08and it's updating live. And these are battery-operated
-
17:08 - 17:11and they are not connected to anything by wire.
-
17:11 - 17:14So there must be some kind of a radio protocol.
-
17:14 - 17:18But yeah, this was a nice clue.
-
17:18 - 17:21So I started googling about this - there was
-
17:21 - 17:23not very much information about it,
-
17:23 - 17:27except for the Finnish communication authorities
-
17:27 - 17:31internal magazine. They were telling about
-
17:31 - 17:36all kinds of - sorry about my Finnish text
-
17:36 - 17:40of course - they were telling about all kinds
-
17:40 - 17:42of everyday radio signals,
-
17:42 - 17:45and they confirmed my guess, that it's being
-
17:45 - 17:49transmitted on the FM radio and they even told
-
17:49 - 17:51the channel, but that's all they told.
-
17:51 - 17:54They were just telling it's being transmitted
-
17:54 - 17:57on "YLE 1" frequencies. No protocol.
-
17:57 - 18:03Nothing about RDS. So I fired up my other radio,
-
18:03 - 18:07which can do a larger spectrum. Which is of
-
18:07 - 18:11course the Realtek RTL-SDR packaged in an aluminium
-
18:11 - 18:20tin here. applause
-
18:20 - 18:31So I demodulated the "YLE 1" station signal on a bigger bandwidth.
-
18:31 - 18:34And here is what I saw. On the left is
-
18:34 - 18:43the audio, here is the obnoxious tone you just heard.
-
18:43 - 18:47Here is the stereo separation signal that tells
-
18:47 - 18:49the relation of the left channel
-
18:49 - 18:53and the right channel. Here is RDS where it
-
18:53 - 18:57actually should be, but for some reason it
-
18:57 - 19:01was aliased to around the pilot tone in my
-
19:01 - 19:06older radio. And this fourth harmonic of
-
19:06 - 19:10the pilot tone contains obviously some data,
-
19:10 - 19:13on a very wide bandwidth compared to
-
19:13 - 19:17the RDS.
-
19:17 - 19:22What could it be and
how could I ever find out? Well, -
19:22 - 19:26it's centered around 76 kHz on the demodulated signal,
-
19:26 - 19:32the composite signal. So I started by googling
-
19:32 - 19:37for 76 kHz, and I found something called DARC
-
19:37 - 19:41or "Data Radio Channel". It's not to be confused
-
19:41 - 19:45with RDS which is the Radio Data System of course.
-
19:45 - 19:49These are very imaginative names.
-
19:49 - 19:51I found out that it is a very much more complex
-
19:51 - 20:00modulation scheme. It uses QPSK which is a
-
20:00 - 20:04four phase modulation scheme. Well I'm not
-
20:04 - 20:07a engineer, I'm not an DSP specialist,
-
20:07 - 20:12I am a DSP hacker, but I don't know much about
-
20:12 - 20:18demodulating QPSK. So I decided to treat it
-
20:18 - 20:21as an FSK signal, because that is possible
-
20:21 - 20:30with QPSK. It is suboptimal, but it works -
-
20:30 - 20:38I can get the data out. The upper part is
-
20:38 - 20:42the DARC signal filtered. Here is the DARC
-
20:42 - 20:48signal using two band-pass filters that are
-
20:48 - 20:53on 76+4 and 76-4 and superimposed in red
-
20:53 - 21:00and blue, like an FSK. And here is just blue
-
21:00 - 21:03minus red, or the other way around,
-
21:03 - 21:15which is actually binary data. So I had to
-
21:15 - 21:17treat the error correction
-
21:17 - 21:20and error detection, and it was very complicated.
-
21:20 - 21:25And I had to write general CRC subroutine in
-
21:25 - 21:31Perl because I had to deal with such large
-
21:31 - 21:34numbers that I couldn't use just integers -
-
21:34 - 21:38I had to actually use string magic.
-
21:38 - 21:41So I'm actually concatenating strings of ones
-
21:41 - 21:44and zeroes. And using this kind of general
-
21:44 - 21:51CRC routine for calculating the error correction
-
21:51 - 21:57and detection. So, this is DARC
-
21:57 - 21:59and I actually getting packets out,
-
21:59 - 22:02but I have no idea what the packets mean.
-
22:02 - 22:05So I started looking for any human readable
-
22:05 - 22:08data out of there, because there is no documentation
-
22:08 - 22:17about this. For example, this was one type
-
22:17 - 22:23of packet that I've found: RUSKEASUO BRUKAKÄRR,
-
22:23 - 22:26that means something for Finns - that's a place
-
22:26 - 22:33in Helsinki, where the bus 23N happens to go.
-
22:33 - 22:36So I figured this could be a packet telling
-
22:36 - 22:42something about, just generally about buses.
-
22:42 - 22:46And actually I went so far as to label all
-
22:46 - 22:50the fields in the end, because I collected
-
22:50 - 22:53so many of them. And I found out,
-
22:53 - 22:57the system is sending one of these packets
-
22:57 - 23:02to every display once a day. So it's updating
-
23:02 - 23:05the information about all possible buses that
-
23:05 - 23:11are passing this bus stop today.
-
23:11 - 23:14It's using such low bandwidth that updating
-
23:14 - 23:18all the displays takes one day.
-
23:18 - 23:21Then I found another type of packet,
-
23:21 - 23:28with no actual strings. But I found definite
-
23:28 - 23:33references to the above packet. And I found
-
23:33 - 23:36this is the packet used to update the minutes
-
23:36 - 23:38information in these displays. It's being sent
-
23:38 - 23:47very fast, 3 times per minute, to every display.
-
23:47 - 23:55It contains minutes for 8 buses per packet,
-
23:55 - 24:00and information about whether they are actually
-
24:00 - 24:05GPS located or if it's a guess based on time tables.
-
24:08 - 24:13And I used all this information, I had a functional goal:
-
24:13 - 24:18to build my own display, because the tram stop
-
24:18 - 24:20is 200 metres from my house,
-
24:20 - 24:27and I want to know when the tram is actually coming.
-
24:27 - 24:30Because this information is actually
-
24:30 - 24:35the GPS located information. So this is what
-
24:35 - 24:45I built
applause -
24:45 - 24:51It's just a basic HD77480 display
-
24:51 - 24:54controlled by a Raspberry Pi,
-
24:54 - 24:59decoding the signal from the RTL-SDR. For some
-
24:59 - 25:03reasons I blogged about it
-
25:03 - 25:04and it became very popular in Finland,
-
25:04 - 25:08in Helsinki especially, and there was an news
-
25:08 - 25:15article about it. And a representant of
-
25:15 - 25:17the bus company was saying that "OK,
-
25:17 - 25:20she can decode the signal, but transmitting
-
25:20 - 25:27will be difficult. "
laughter -
25:27 - 25:32I haven't actually done it yet.
But he was saying that -
25:32 - 25:35it's difficult because you have to shout louder
-
25:35 - 25:37than everyone else on the frequency.
-
25:37 - 25:41And even then it becomes mangled, because
-
25:41 - 25:45it becomes a mix of those two signals.
-
25:45 - 25:48I don't think he really knew
what he was talking about, -
25:48 - 25:52because there is something called the FM capture effect.
-
25:52 - 25:57That if you send stronger than another FM transmission
-
25:57 - 26:00on the same frequency, only the stronger signal
-
26:00 - 26:08becomes captured and the weaker
becomes actually attenuated. -
26:08 - 26:13That is a very useful phenomenon. Right now
-
26:13 - 26:18I am actually in the process of making my own
-
26:18 - 26:30display updater.
laughter, applause -
26:30 - 26:33Possibly for showing all kinds of funny stuff on
-
26:33 - 26:37the displays. Someone at the bus company actually
-
26:37 - 26:41donated one of those displays to me after this,
-
26:41 - 26:44so I have something to test it on.
-
26:44 - 26:47Because obviously I'm not going to transmit
-
26:47 - 26:52any high-power signals with this ever.
-
26:52 - 26:54But right now, I'm building it.
-
26:54 - 26:56The only problem that I'm having right now
-
26:56 - 27:00is that my soundcard that I am using to generate
-
27:00 - 27:05the signal fully digitally of course is too slow.
-
27:05 - 27:09The DARC signal is 76 kHz, so I need at least
-
27:09 - 27:13162 kHz soundcard, I mean DAC,
-
27:13 - 27:18to create my analogue signal. I only have a
-
27:18 - 27:23 96 kHz soundcard right now, so I only can generate
-
27:23 - 27:28the stereo signal. Perhaps in the future,
-
27:28 - 27:32that will be the next project. Thank you.
-
27:32 - 27:48applause
-
27:48 - 27:50Herald: Well, thank you very much, Oona,
-
27:50 - 27:53I think we're all impressed with hacking a radio,
-
27:53 - 27:56I never thought about this opportunity.
-
27:56 - 27:58Now we have time for questions from
-
27:58 - 28:00the room. If you want to ask questions,
-
28:00 - 28:03could you please line up at the microphones
-
28:03 - 28:07right here. In the mean time, let me ask our
-
28:07 - 28:09signal angel if he has a question from
-
28:09 - 28:12the internet. Could you tell us please?
Signal Angel: Yeah, -
28:12 - 28:14so the internet wants to know: Is there any
-
28:14 - 28:17open hardware radio receiver that you can recommend
-
28:17 - 28:20for tinkering at home?
Oona: Yeah, -
28:20 - 28:25the RTL-SDR is a very good
piece of hardware to start with -
28:25 - 28:28I think I have one of those with me right now,
-
28:28 - 28:31I mean the one I showed with the Hello Kitty
-
28:31 - 28:35tin around it. I've using a tin to attenuate
-
28:35 - 28:39any local interference. But it's just a DVB
-
28:39 - 28:47digital tv stick some wise guy on the internet
-
28:47 - 28:50found to be possible to hack
-
28:50 - 28:58and tune to any frequency from 30 to 1.700 MHz
-
28:58 - 29:02And it's very useful. Doesn't go higher
-
29:02 - 29:04than that, doesn't go lower than that,
-
29:04 - 29:08but it is a good start.
Herald: Okay. Questions from -
29:08 - 29:13the room?
Mic: I've just a bit of input on -
29:13 - 29:17the transmitter thing. There is a project that
-
29:17 - 29:21uses the Raspberry Pi DMA controller,
-
29:21 - 29:23where you can use to send signals at about
-
29:23 - 29:28140 MHz on the GPIO pins, so maybe that could
-
29:28 - 29:31be used.
Oona: Ooh, thanks for the [?] That will -
29:31 - 29:34be very useful. I've been thinking about
-
29:34 - 29:37the GPIO but it's unfiltered of course.
-
29:37 - 29:42Mic: The raw DMA controller output gets dumped on
-
29:42 - 29:47one of the GPIO pins. As far as I know it's
-
29:47 - 29:50good enough to transmit FM stereo audio.
-
29:50 - 29:54Oona: Okay, yeah. It would be worthwhile testing
-
29:54 - 29:57with RDS first maybe. Thank you for
-
29:57 - 30:00the tip, yeah, it's very useful.
Herald: So maybe we -
30:00 - 30:02could buy them at the next congress,
-
30:02 - 30:04right? laughter
Oona: Could be, -
30:04 - 30:10could be. Herald: Go ahead please.
Mic: Thanks for the interesting talk, -
30:10 - 30:18I've two questions. You said that you can decode Q-PSK as FSK by
-
30:18 - 30:22a simple trick. How much less quality do you
-
30:22 - 30:25get? 3 dB, 6 dB, what is it?
Oona: I'm not sure -
30:25 - 30:29about the details, but well it just crossed
-
30:29 - 30:34my mind that you can do it. It's actually MSK
-
30:34 - 30:38but it's a sort of an Q-PSK signal.
-
30:38 - 30:41So it's a minimum shift keying. And essentially
-
30:41 - 30:47it's being generated in the transmitter as FSK,
-
30:47 - 30:51but that's a special form of FSK,
-
30:51 - 30:53so that's why it can be decoded as FSK.
-
30:53 - 30:56Mic: Okay, and a brief second question: In
-
30:56 - 30:59the picture where you took the signal from
-
30:59 - 31:02your digital radio, it was a Sangean ATS 909
-
31:02 - 31:09or what radio you used? I've got one of those
-
31:09 - 31:11and I was wondering if I could pick up
-
31:11 - 31:16the signals in there as well. [...]
-
31:16 - 31:20Oona: The Radio is a Sangean ATS 909,
-
31:20 - 31:23I've modified it a bit, you can take a look
-
31:23 - 31:26if you want.
Herald: Any other question from -
31:26 - 31:29the internet? Oh, our signal angel has nothing,
-
31:29 - 31:33then let's go ahead right here please.
-
31:33 - 31:35Mic: Have you considered what [...]
-
31:35 - 31:39going to be beyond transmitting the signal.
-
31:39 - 31:42What are you going to be next challenges you're
-
31:42 - 31:44taking out? Are you going to look at other
-
31:44 - 31:47wireless services that are around there in
-
31:47 - 31:51terms of utilities, because traditionally there
-
31:51 - 31:52are many.
Oona: There are many, yeah, -
31:52 - 31:57it's an very interesting world. And I'm actually
-
31:57 - 31:59listening to several signals at the moment
-
31:59 - 32:04in my home right now.
Mic: Mind telling us a little -
32:04 - 32:07glimpse?
Oona: There is the local taxi company -
32:07 - 32:12that is using the frequency range from 40 to
-
32:12 - 32:1770 MHz, they send information about next clients
-
32:17 - 32:22and also locating all their cabs,
-
32:22 - 32:26and I'm trying to decode what it's about.
-
32:26 - 32:31Perhaps I'll make a map of all their cars. -
-
32:31 - 32:33Of course there is also TETRA.
-
32:33 - 32:36Not many people know that TETRA is not encrypted,
-
32:36 - 32:38it's usually encrypted, but not always.
-
32:38 - 32:42And many applications in TETRA are in clear text.
-
32:42 - 32:46You can listen to it, if you really want to.
-
32:46 - 32:53Mic: Which sort of teases me now to ask a question:
-
32:53 - 32:56What's the legal situation for you in Finland
-
32:56 - 32:59when it comes to decoding such transmissions
-
32:59 - 33:01when they are not encrypted.
Herald: You have -
33:01 - 33:03the right to remain silent.
Mic: Yeah, -
33:03 - 33:06you don't have to answer that
Oona: Well, -
33:06 - 33:09I believe that it's legal to decode them.
-
33:09 - 33:19I don't care if it's not laughter
applause -
33:19 - 33:22Yeah, of course, actually making an FM transmitter would be illegal
-
33:22 - 33:29if it's an high enough power.
-
33:29 - 33:32Herald: Okay, over there. Let's go, please?
Mic: Could you -
33:32 - 33:37maybe elaborate a bit about the bus stop packet contents,
-
33:37 - 33:38so currently they are not encrypted,
-
33:38 - 33:42is there any signature to verify it's an legit
-
33:42 - 33:45packet?
Oona: No they aren't using any encryption -
33:45 - 33:49or signature overhead, because it's so an low-banded channel.
-
33:49 - 33:53So you can spoof it. I guess it should be trivial.
-
33:53 - 33:55Actually there are some types of packets that
-
33:55 - 33:59I don't know the meaning of. But they are non changing,
-
33:59 - 34:02so they obviously can't be anything [?]
-
34:02 - 34:08or anything like that.
Herald: Okay, go ahead please. -
34:08 - 34:11Mic: I wanted to add some information on
-
34:11 - 34:14the situation in Germany: We have two types
-
34:14 - 34:16of radio stations, the public radio stations
-
34:16 - 34:21broadcast RDS that are unencrypted, so if you
-
34:21 - 34:25get the RDS data, you can get the raw location codes.
-
34:25 - 34:30And the TMC messages are usually sent by private
-
34:30 - 34:34radio stations. The fun thing is,
-
34:34 - 34:38that you get both the unencrypted location
-
34:38 - 34:41codes and encrypted location codes.
-
34:41 - 34:43So if you listen to two radio stations in
-
34:43 - 34:47the same area, you can actually cross-correlate
-
34:47 - 34:51these and try to figure out the key.
-
34:51 - 34:52And the other thing I wanted to say:
-
34:52 - 34:56If somebody is just interested in RDS,
-
34:56 - 34:59there are relatively cheap USB sticks that
-
34:59 - 35:01will do all the decoding for you. -
-
35:01 - 35:09Oona: Yeah, FM Radio sticks.
-
35:09 - 35:15Mic: Is there any book you can recommend
in getting started for processing -
35:15 - 35:17of digital radio transmissions.
Oona: Well, -
35:17 - 35:21I've read a few chapters of the - I don't know
-
35:21 - 35:24the name actually - but the DSP [?] guided
-
35:24 - 35:28commerce[?] - The engineers guide to DSP,
-
35:28 - 35:33It's a blue book, that's all I know.
-
35:33 - 35:39It's freely available online, try it with Google.
-
35:39 - 35:46Mic: Thank you.
Herald: Any more questions, -
35:46 - 35:51or from the internet? Nothing right there.
-
35:51 - 35:52Well, Oona, thank you very much.
-
35:52 - 35:54That was a very interesting talk,
-
35:54 - 35:56and we look forward having you next year
-
35:56 - 35:58with more signals.
-
35:58 - 36:02Applause
-
36:02 - 36:12subtitles created by c3subtitles.de
- Title:
- Video Language:
- English
- Duration:
- 36:11