-
Herald: Alright, well thank you for your
patience and now we are starting our talk:
-
"My journey into FM-RDS"
- radio data system by Oona Räisänen.
-
Please give her a warm round of applause!
applause
-
Oona: Thank you!
Sorry I brought my MacBook Pro.
-
My name is Oona I'm a signals hacker
and electronics hobbyist
-
and I do this thing only for hobby.
-
And let's see my slides here. Some of you may
-
remember my blog or have read it.
-
And you may have seen this one,
-
that I also made - the dialup diagram.
-
This talk is not about that, just to give you some context.
-
Okay, so, into the story:
-
One night in 2007 I was listening to my radio
-
just an FM channel and some music going on.
-
And I was looking at the spectrum of course
-
on my PC while doing that. And I noticed,
-
I see the audio, that's normal, then above
-
the audio, at about 19 kHz something weird
-
is going on. There is a persistent sinusoidal tone.
-
And something, looking like sidebands,
-
on both sides of it. And I wanted to find out,
-
what could it be up there? Actually I have
-
some audio on my other computer:
-
[Audio: rds-mixdown.wav]
This is just a radio channel played,
-
and I'm shifting the frequencies down to here,
-
what it sounds like up there.
-
Now at the moment it just sounds like a very piercing
[Sounds from the radio]
-
tone of 19 kHz. That's the tone,
-
and I'm not actually hearing just yet
-
whats around it. Let's turn it down a bit further.
-
Now this is one of this sidebands that you
-
are seeing there.
-
I'm also now filtering out the music
-
to make it clearer.
-
It sounds very periodic.
-
So it means it could be data of some kind.
-
And it also brings up the memories of modem sounds.
-
So, I started to investigate this matter
-
a bit further.
-
I knew already that in the FM signal there
-
is the RDS data, that is used to send to car
-
radios the station name and the program currently
-
running on it and also some other information
-
like alternate frequencies [AF on the slide]
-
that this channel is broadcasted on,
-
CT which is clock time, and something else,
-
information about other programs
-
and other frequencies and the program type,
-
radio text, traffic announcements,
-
and something called TMC or Traffic Message Channel.
-
So I thought, could this be it? So I downloaded
-
the 200 page RDS Standard,
-
or RDBS, as its called in the United States
-
and started to do some analysis. Actually I
-
spent nights reading this,
-
and many times I fell asleep reading it.
-
laughter
If you suffer from insomnia,
-
I suggest you read something like this.
-
And, what I found - well it was very well documented,
-
the protocol, there was for example this diagram
-
about an example receiver for RDS.
-
There's all the parts out there:
-
The FM signal is coming in, the audio is taken out,
-
and we are mixing it with some frequencies
-
to get out the RDS signal
-
and all that stuff. So, well using this information
-
I wrote a decoder in Perl. Everything must
-
be in perl clapping Thank you.
-
And I came up with this. Its showing a lot
-
of the information going on on the frequency.
-
And whats special about this is that it's only
-
decoded from the signal you were hearing on
-
the 19 kHz band. And it turns out this is actually
-
an error in the working of my radio.
-
Because I dropped it on the floor when I was moving,
-
and it started behaving weirdly. And I - it
-
was then when i got this weird signal on
-
the 19 kHz band. And it turns out that
-
the stereo decoder in my radio has somehow
-
started not to filter anymore the stereo signal,
-
which is near the RDS signal. So this is actually
-
being decoded from the audio, from the line
-
out of my radio. Nothing else was involved
-
in this. But then, well, its a bit noisy,
-
its near the 16 bit quantisation noise limit
-
of my soundcard. So I was thinking of better
-
ways to decode it with less noise.
-
And I started to look at my radio -
-
the schematics of my radio
-
and I found there is actually a decoder circuit
-
for RDS that it uses to display the data on
-
the screen, just the station name
-
and updates its clock. And unlike in todays
-
receivers the RDS chip is actually on its own
-
chip and its not a one-chip-wonder receiver.
-
So I found the 4 pins that I needed for data,
-
clock signal and ground and just a quality bit,
-
that I'm not actually using. And I did some
-
ugly soldering work because I didn't want to
-
remove the RF shielding from this chip to hook
-
some cords to the decoder chip.
-
And then I used my soundcard to sample that.
-
Because it happens that the voltages that soundcard
-
is using are very close to the logic voltages
-
of [?] Voltages of ICs in the 1 to 3.3 volt range.
-
So I actually used a sound card to sample
-
the logic coming out of there. And its 1 kbaud
-
so its not even very fast. And this is what
-
I was getting - at first. Well,
-
it looks like some bits, kind of.
-
Then after some filtering
-
and resoldering this is what i got.
-
Red is the left channel in the soundcard that
-
I hooked up in the clock signal output.
-
And green is what I hooked up to the data signal.
-
And its very clear that the data can be decoded
-
with no errors from this.
-
Afterwards I also made a raspberry pi version of all this,
-
so the perl code is actually running on my
-
raspberry pi and displaying it on an little
-
lcd next to it. But then - okay this is fun,
-
I can actually see more than
my radio is displaying there.
-
I can see the radio text, I can see a numerical
-
code for each station so I can log the stations
-
and I only need to decode the number to know
-
what I'm listening to. But there was something
-
more on the frequency. I was getting an application -
-
some application running there that I didn't
-
recognize right away, but reading the standard
-
it became apparent that this TMC that is used
-
in these car navigators to just send information
-
about traffic jams and construction works
-
and things like that. And of course,
-
for the fun, I had to see whats going on there.
-
Now it turns out that in Finland the RDS signal
-
is encrypted, for reasons of commercial stuff.
-
I mean its a business model, they encrypt
-
the signal and they sell the encryption keys
-
along with these navigator devices
-
and what they tell about the encryption in
-
the standard - they actually tell everything
-
about except the keys there. But one sentence
-
especially caught my mind there:
-
The encryption is only light, but was adjust
-
to be adequate to deter other than the most
-
determined hacker."
laughterclapping
-
Yeah, and obviously for hacker this is like an challenge
-
laughter
so I got to work. It was textually documented,
-
there was no encryption diagrams
-
or anything like that, but this is what I came
-
up with: It's a pretty simple cipher.
-
The location is a 16 bit database reference
-
to a database of locations that can be obtained
-
from the manufacturer of the navigators.
-
The keyspace is 16 bits, and different parts
-
of the key are used to like parameters for
-
the different operations in this cipher.
-
It's an easy enough cipher
to be used on paper also
-
so when cryptanalyzing it I made some tests
-
on paper. So, how do I begin? I checked I can't
-
just brute force it - knowing nothing about
-
the transmission. So I
made some assumtions:
-
The bandwidth is very low,
several hundred baud,
-
so it must be some kind of
filtering with this locations.
-
I was thinking, it could be
that they are sending
-
only the locations - I mean only the announcements
-
that are near the transmitter like 100 miles
-
range or something. I looked
at the location database,
-
that I by the way obtained by telling
-
the manufacturers that I'm an engineer
-
and I want to do some tests
-
and maybe some development
of RDS-TMC-Software
-
- and now I have the database.
So I started mapping,
-
actually listening to the annoucements.
-
I took one announcement and I figured
-
one announcement is used for several days in
-
an row - actually several weeks,
-
because when there
are roadworks on it
-
could last for months, weeks or something.
-
So, one day, I get the announcements
-
and I get the key-ID, which they are sending
-
in cleartext - thats how they signal which
-
key is in use today, because its a changing
-
key scheme and there is a different key for
-
every day. And then they send
the encrypted location.
-
So I listened for several weeks in a row,
-
documenting the encryption key id
-
and the location and then I just bruteforced
-
through the whole vast 16 bit keyspace to find
-
all the keys that decrypt into locations that
-
are near the transmitter. And eventually I
-
came up with all the keys. And here they are -
-
and because wouldn't want
to get into any more
-
trouble with this, well,
yeah, I ended up finding
-
all the keys. And here is a prototype receiver
-
I wrote. Its receiving the messages
-
and showing a little map of the announcements.
-
So then I published this in a blog,
-
and I got an interesting reply from someone
-
who is involved in developing this:
-
Sad to request, but can you take this offline?
-
It is kind of our service you hacked."
laughingapplause
-
I had promised in
-
the beginning of my blog post, that if anyone
-
of the involved parties requests to take this
-
offline I will take it offline. But of course,
-
there are, well, my definitions of an involved
-
party are quite strict. And I replied by requesting
-
just the same message, but signed with their
-
cryptographic signature and preferably I could
-
fetch their public key from under their company domain.
-
And they never replied, so the blog post is
-
still on.
laughingapplause
-
And actually while this conversation was going on,
-
it was of course being copied around
-
the world, in cryptome also, so there was no
-
point in replying anymore. So yeah,
-
this is the first part of my adventure into RDS-Subcarriers.
-
Then I heard an rumour when presenting about this:
-
That the Bus-Stop-Displays in Helsinki also
-
receive their data about the next buses on the RDS-Signal.
-
So I started to look a bit more in the applications,
-
but there was nothing in the application list
-
about bus stops or anything else than TMC.
-
For reference these are the displays I am talking about.
-
So they are displaying the busnumber
-
and the minutes and where it is going
-
and it's updating live. And these are battery-operated
-
and they are not connected to anything by wire.
-
So there must be some kind of a radio protocol.
-
But yeah, this was a nice clue.
-
So i started googling about this - there was
-
not very much information about it,
-
except for the finnish communication authorities
-
internal magazine. They were telling about
-
all kinds of - sorry about my finnish text
-
of course - they were telling about all kinds
-
of everyday radio signals,
-
and they confirmed my guess, that its being
-
transmitted on the FM radio and they even told
-
the channel, but that's all they told.
-
They were just telling it's being transmitted
-
on "YLE 1" frequencies. No protocol.
-
Nothing about RDS. So I fired up my other radio,
-
which can do a larger spectrum. Which is of
-
course the realtek rtl-sdr packaged in an aluminium
-
tin here. applause
-
So I demodulated the "YLE 1" station signal on a bigger bandwidth.
-
And here is what I saw. On the left is
-
the audio, here is the obnoxious tone you just heard.
-
Here is the stereo seperation signal that tells
-
the relation of the left channel
-
and the right channel. Here is RDS where it
-
actually should be, but for some reason it
-
was aliased to around the pilot tone in my
-
older radio. And this fourth harmonic of
-
the pilot tone contains obviously some data,
-
on a very wide bandwidth compared to
-
the RDS.
-
What could it be and
how could I ever find out? Well,
-
it's centered around 76 kHz on the demodulated signal,
-
the composite signal. So I started by googling
-
for 76 kHz, and I found something called DARC
-
or "Data Radio Channel". It's not to be confused
-
with RDS which is the Radio Data System of course.
-
These are very imaginative names.
-
I found out that it is a very much more complex
-
modulation scheme. It uses QPSK which is a
-
four phase modulation scheme. Well I'm not
-
a engineer, I'm not an DSP specialist,
-
I am a DSP hacker, but I don't know much about
-
demodulating QPSK. So I decided to treat it
-
as an FSK signal, because that is possible
-
with QPSK. It is suboptimal, but it works -
-
I can get the data out. The upper part is
-
the DARC signal filtered. Here is the DARC
-
signal using two band-pass filters that are
-
on 76+4 and 76-4 and superimposed in red
-
and blue, like an FSK. And here is just blue
-
minus red, or the other way around,
-
which is actually binary data. So I had to
-
treat the error correction
-
and error detection, and it was very complicated.
-
And I had to write general CRC subroutine in
-
Perl because I had to deal with such large
-
numbers that I couldn't use just integers -
-
I had to actually use string magic.
-
So I'm actually concatenateing strings of ones
-
and zeroes. And using this kind of general
-
CRC routing for calculating the error correction
-
and detection. So, this is DARC
-
and I actually getting packets out,
-
but I have no idea what the packets mean.
-
So I started looking for any human readable
-
data out of there, because there is no documentation
-
about this. For example, this was one type
-
of packet that I've found: RUSKEASUO BRUKAKĂRR,
-
that means something for finns - that's a place
-
in helsinki, where the bus 23N happens to go.
-
So I figured this could be a packet telling
-
something about, just generally about buses.
-
And actually I went so far as to label all
-
the fields in the end, because I collected
-
so many of them. And I found out,
-
the system is sending one of these packets
-
to every display once a day. So it's updating
-
the information about all possible buses that
-
are passing this bus stop today.
-
It's using such low bandwidth that updating
-
all the displays takes one day.
-
Then I found another type of packet,
-
with no actual strings. But I found definite
-
references to the above packet. And I found
-
this is the packet used to update the minutes
-
information in these displays. It's being sent
-
very fast, 3 times per minute, to every display.
-
It contains minutes for 8 buses per packet,
-
and information about whether they are actually
-
GPS located or if it's a guess based on time tables.
-
And I used all this information, I had a functional goal:
-
to build my own display, because the tram stop
-
is 200 metres from my house,
-
and I want to know when the tram is actually coming.
-
Because this information is actually
-
the GPS located information. So this is what
-
I built
applause
-
Its just a basic HD77480 display
-
controlled by a Raspberry Pi,
-
decoding the signal from the RTL-SDR. For some
-
reasons I blogged about it
-
and it became very popular in Finland,
-
in Helsinki especially, and there was an news
-
article about it. And a representant of
-
the bus company was saying that "OK,
-
she can decode the signal, but transmitting
-
will be difficult. "
laugther
-
I haven't actually done it yet.
But he was saying that
-
it's difficult because you have to shout louder
-
than everyone else on the frequency.
-
And even then it becomes mangeled, because
-
it becomes a mix of those two signals.
-
I don't think he really knew
what he was talking about,
-
because there is something called the FM capture effect.
-
That if you send stronger than another FM transmission
-
on the same frequency, only the stronger signal
-
becomes captured and the weaker
becomes actually attenuated.
-
That is a very useful phenomenon. Right now
-
I am actually in the process of making my own
-
display updater.
laughterapplause
-
Possibly for showing all kinds of funny stuff on
-
the displays. Someone at the bus company actually
-
donated one of those displays to me after this,
-
so I have something to test it on.
-
Because obviously I'm not going to transmit
-
any high-power signals with this ever.
-
But right now, I'm building it.
-
The only problem that I'm having right now
-
is that my soundcard that I am using to generate
-
the signal fully digitally of course is to slow.
-
The DARC signal is 76 kHz, so i need at least
-
162 kHz soundcard, i mean DAC,
-
to create my analogue signal. I only have a
-
96khz soundcard right now, so I only can generate
-
the stereo signal. Perhaps in the future,
-
that will be the next project. Thank you.
-
applause
-
Herald: Well, thank you very much, Oona,
-
I think we're all impressed with hacking a radio,
-
I never thought about this opportunity.
-
Now we have time for questions from
-
the room. If you want to ask questions,
-
could you please line up at the microphones
-
right here. In the mean time, let me ask our
-
signal angel if he has a question from
-
the internet. Could you tell us please?
Signal Angel: Yeah,
-
so the internet wants to know: Is there any
-
open hardware radio receiver that you can recommend
-
for tinkering at home?
Oona: Yeah,
-
the RTL-SDR is a very good
piece of hardware to start with
-
I think I have one of those with me right now,
-
I mean the one I showed with the Hello Kitty
-
tin around it. I've using a tin to attenuate
-
any local interference. But its just a DVB
-
digital tv stick some wise guy on the internet
-
found to be possible to hack
-
and tune to any frequency from 30 to 1.700 MHz
-
And it's very useful. Doesn't go higher
-
than that, doesn't go lower than that,
-
but it is a good start.
Herald: Okay. Questions from
-
the room?
Mic: I've just a bit of input on
-
the transmitter thing. There is a project that
-
uses the raspberry pi DMA controller,
-
where you can use to send signals at about
-
140 MHz on the GPIO pins, so maybe that could
-
be used.
Oona: Ooh, thanks for the [?] That will
-
be very useful. I've been thinking about
-
the GPIO but it's unfiltered of course.
-
Mic: The raw DMA controller output gets dumped on
-
one of the GPIO pins. As far as I know it's
-
good enough to transmit FM stereo audio.
-
Oona: Okay, yeah. It would be worthwhile testing
-
with RDS first maybe. Thank you for
-
the tip, yeah, it's very useful.
Herald: So maybe we
-
could buy them at the next congress,
-
right? laughter
Oona: Could be,
-
could be. Herald: Go ahead please.
Mic: Thanks for the interesting talk,
-
I've two questions. You said that you can decode Q-PSK as FSK by
-
a simple trick. How much less quality do you
-
get? 3db, 6db, what is it?
Oona: I'm not sure
-
about the details, but well it just crossed
-
my mind that you can do it. It's actually MSK
-
but its a sort of an Q-PSK signal.
-
So its a minimum shift keying. And essentially
-
its being generated in the transmitter as FSK,
-
but thats a special form of FSK,
-
so thats why it can be decoded as FSK.
-
Mic: Okay, and a brief second question: In
-
the picture where you took the signal from
-
your digital radio, it was a Sangean ATS 909
-
or what radio you used? I've got one of those
-
and I was wondering if I could pick up
-
the signals in there as well. [...]
-
Oona: The Radio is a Sangean ATS 909,
-
I've modified it a bit, you can take a look
-
if you want.
Herlad: Any other question from
-
the internet? Oh, our signal angel has nothing,
-
then lets go ahead right here please.
-
Mic: Have you considered what [...]
-
going to be beyond transmitting the signal.
-
What are you going to be next challenges you're
-
taking out? Are you going to look at other
-
wireless services that are around there in
-
terms of utilities, because traditionally there
-
are many.
Oona: There are many, yeah,
-
it's an very interesting world. And I'm actually
-
listening to serveral signals at the moment
-
in my home right now.
Mic: Mind telling us a little
-
glimpse?
Oona: There is the local taxi company
-
that is using the frequency range from 40 to
-
70 MHz, they send information about next clients
-
and also locating all their cabs,
-
and I'm trying to decode whats it's about.
-
Perhaps I'll make a map of all their cars. -
-
Of course there is also TETRA.
-
Not many people know that TETRA is not encrypted,
-
it's usually encrypted, but not always.
-
And many applications in TETRA are in clear text.
-
You can listen to it, if you really want to.
-
Mic: Which sort of teases me now to ask a question:
-
What's the legal situation for you in finland
-
when it comes to decoding such transmissions
-
when they are not encrypted.
Herald: You have
-
the right to remain silent.
Mic: Yeah,
-
you don't have to answer that
Oona: Well,
-
I believe that it its legal to decode them.
-
I don't care if it's not laughter
applause
-
Yeah, of course, actually making an FM transmitter would be illegal
-
if its an high enough power.
-
Herald: Okay, over there. Let's go, please?
Mic: Could you
-
maybe elaborate a bit about the bus stop packet contents,
-
so currently they are not encrypted,
-
is there any signature to verify its an legit
-
packet?
Oona: No they aren't using any encryption
-
or signature overhead, because its so an low-banded channel.
-
So you can spoof it. I guess it should be trivial.
-
Actually the are some types of packets that
-
I don't know the meaning of. But they are non changing,
-
so they obviously can't be anything [?]
-
or anything like that.
Herald: Okay, go ahead please.
-
Mic: I wanted to add some information on
-
the situation in Germany: We have two types
-
of radio stations, the public radio stations
-
broadcast RDS that are unencrypted, so if you
-
get the RDS data, you can get the raw location codes.
-
And the TMC messages are usually sent by private
-
radio stations. The fun thing is,
-
that you get both the unencrypted location
-
codes and encrypted location codes.
-
So if you listen to two radio stations in
-
the same area, you can actually cross-correlate
-
these and try to figure out the key.
-
And the other thing I wanted to say:
-
If somebody is just interested in RDS,
-
there are relatively cheap usb sticks that
-
will do all the decoding for you. -
-
Oona: Yeah, FM Radio sticks.
-
Mic: Is there any book you can recommend
in getting started for processing
-
of digital radio transmissions.
Oona: Well,
-
I've read a few chapters of the - I don't know
-
the name actually - but the DSP [?] guided
-
commerce[?] - The engineers guide to DSP,
-
It's a blue book, thats all I know.
-
Its freely available online, try it with google.
-
Mic: Thank you.
Herald: Any more questions,
-
or from the internet? Nothing right there.
-
Well, Oona, thank you very much.
-
That was a very interesting talk,
-
and we look forward having you next year
-
with more signals.
-
Applause
-
subtitles created by c3subtitles.de
