Hijacking FM Radio with a Raspberry Pi & wire


Reprint: https://null-byte.wonderhowto.com/how-to/hack-radio-frequencies-hijacking-fm-radio-with-raspberry-pi-wire-0177007/

In the previous guide on software-defined radio and signals intelligence, we learned how to set up a radio listening station to find and decode hidden radio signals, just like the hackers who triggered the emergency siren system in Dallas, Texas, probably did. Now that we can hear in the radio spectrum, it's time to explore the possibilities of broadcasting in a radio-connected world.

So how did the hackers in Dallas broadcast the code they found to control the sirens, and why? Was it a distraction to divert attention from their real goal, a test of a foreign government probing American infrastructure, or were they just engaging in the time-honored American pastime of being annoying?

Whatever their goal, the attack was done by rebroadcasting a series of codes in the emergency band around-MHz to trigger a series of repeaters to scare the crap out of some Texans. Did they need thousands of dollars of sophisticated equipment to do so? Likely not. In fact, we can take over some radio systems without knowing any codes at all simply by being closer to our target.

This tutorial will show you a technique to use this effect to hack civilian FM radio bands and play your own social engineering payload. Maybe you simply don't like the music a radio station in a particular business or vehicle is playing and you'd like to play your own. Maybe you'd like to play a message to get your target to do something you want them to. Whatever the goal, all you really need to rebroadcast signals in the radio spectrum is a $ Raspberry Pi and a piece of wire for an antenna.

Previous: Building a Radio Listening Station to Decode Digital Audio & Police Dispatches

The Pi as a Software-Defined Radio Transmitter for Hacking

The Raspberry Pi, with the addition of some free software, is capable of pulsing power on one of its general-purpose input-output (GPIO) pins to transmit on any civilian FM radio frequency from around 87.5 MHz to 108 MHz. Without a wire, the range is only a foot or so. We'll focus on using this ability to insert our messages into the most common type of radio signals everyone has access to. FM radios exist in almost every car and in many businesses and homes. The ability to broadcast directly to them gives us a powerful way of speaking to someone anonymously, seemingly from a trusted source.

Hobbyists have embraced the Pi FM radio hack by adding a wire as an antenna for streaming music, short-range communications, and even as an FM modem for exchanging information between devices. Applications like rpitx can even transmit slow-scan TV images via FM. This hack is fun and useful for creating a signal with an intentionally limited range, and through some testing, I've found the signal is just powerful enough to overpower FM stations at close range.

A do-it-yourself Raspberry Pi pirate radio. Image by Sadmin/Null Byte

Overpowering a station, also known as "broadcast signal intrusion," has the effect of hijacking the signal and allowing you to insert messages, songs, programming, or other seemingly legitimate information or news to support social engineering strategies. Signal hijacking on the Pi is particularly useful against businesses playing FM radio or vehicle radio systems and can help influence a target's beliefs or actions by posing as a media outlet.

Why a Raspberry Pi Works Well for This

The fact that you can get started broadcasting in the radio spectrum with only a wire is incredibly useful to anyone interested in radio projects or software-defined radio. But how does it work?

The Pi's GPIO pins allow it to connect to peripherals, but in this case, pin number 4 can be pulsed using the Pi's clock to act as a square wave oscillator. While this works, there are a number of issues that must be considered as a result of the way the signal is created. These issues mean increasing the power also increases the likelihood of causing chaos in the radio frequency and getting caught by the FCC, which means this tool is for surgical strikes only without using additional filters.

All that is needed for the attack is a Raspberry Pi 3 and a wire. Image by Sadmin/Null Byte

The biggest issue in using a Pi is the square wave oscillator used to generate the signal, which generates harmonics that can interfere with frequencies beyond those you're intending to broadcast on. In fact, these harmonics can go pretty far out of band to restricted frequencies, meaning boosting the power on a Pi FM transmitter without applying a filter will interfere with all kinds of radio signals around.
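To make the harmonics problem concrete, the following added example (not from the original article or the PiFmRds project) estimates the Fourier harmonics of a square-wave carrier and shows where they land relative to the FM band. It assumes an ideal 50%-duty square wave; the function names are illustrative.

```python
import math

FM_BAND_MHZ = (87.5, 108.0)  # civilian FM broadcast range quoted in the article


def square_wave_harmonic(n, samples=4096):
    """Numerically estimate the amplitude of the n-th Fourier harmonic of an
    ideal 50%-duty square wave (+1/-1) by correlating one period against
    sin(n*x). The analytic value is 4/(n*pi) for odd n and 0 for even n."""
    acc = 0.0
    for k in range(samples):
        x = 2 * math.pi * (k + 0.5) / samples
        level = 1.0 if x < math.pi else -1.0
        acc += level * math.sin(n * x)
    return 2 * acc / samples


def harmonic_table(carrier_mhz, max_harmonic=9):
    """Return (n, frequency_mhz, dBc, in_fm_band) for every harmonic that
    carries non-negligible energy."""
    fundamental = square_wave_harmonic(1)
    rows = []
    for n in range(1, max_harmonic + 1):
        amp = abs(square_wave_harmonic(n))
        if amp < 1e-6:  # even harmonics cancel for a 50% duty cycle
            continue
        dbc = 20 * math.log10(amp / fundamental)  # level relative to carrier
        freq = carrier_mhz * n
        in_band = FM_BAND_MHZ[0] <= freq <= FM_BAND_MHZ[1]
        rows.append((n, round(freq, 1), round(dbc, 2), in_band))
    return rows


if __name__ == "__main__":
    # 107.9 MHz is the example carrier used later in the article.
    for n, freq, dbc, in_band in harmonic_table(107.9):
        where = "inside FM band" if in_band else "OUT OF BAND"
        print(f"harmonic {n}: {freq:7.1f} MHz  {dbc:6.2f} dBc  {where}")
```

The third harmonic sits only about 9.5 dB below the carrier and at three times its frequency, which is why an unfiltered square-wave transmitter spills energy far outside the broadcast band.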

The History of Broadcast Signal Intrusions

A broadcast signal intrusion is the hijacking of a radio or TV signal to play another message over the official programming, and it is relatively simple to pull off against radio stations.

While some techniques involve splicing the message into the broadcast by breaking into the receiver site, all that is really needed is an FM transmitter capable of overpowering the legitimate broadcast signal at the target antenna. If your target is just one antenna, the Raspberry Pi can easily accomplish a surgical application of a broadcast intrusion.

Historically, broadcast signal intrusions have been employed by hackers wanting to get their message out to the public, although few, if any, attempted to hide the fact that the station had been hijacked. Motives range from political protests to trolling and jamming of the Playboy Network for religious reasons. While most hackers perpetrating large-scale broadcast intrusions were caught, one of the most notorious and strangest incidents remains unsolved.

Perhaps the best-documented incident of intentional signal intrusion is the Max Headroom incident in Chicago. In 1987, the WGN and WTTW TV stations were hijacked during an episode of Dr. Who to play a slow-scan message featuring a man in a Max Headroom mask rambling and screaming, calling the radio station operators "nerds," and eventually being spanked by a woman in a French maid outfit with a flyswatter.


The clip ran for nearly-seconds and only got more confusing as engineers were helpless to regain control, making national news and leading to FBI involvement in the case. Despite the attention, no one is sure who the Max Headroom hacker was or what the purpose of his bizarre and brazen takeover of WGN was supposed to accomplish beyond trolling tens of thousands of people.

It's believed this hack was accomplished without physical access to the stations and instead used sophisticated radio transmitters to overpower the legitimate signal as it was repeated to a larger broadcasting antenna. If you're a fan of the Mr. Robot series, #fsociety used this hack many times to get their video communications on the airwaves of major TV networks.


Surgical Signal Intrusions for Social Engineering

By overpowering the legitimate signal with ours, we are presented with two options: perform a denial-of-service attack or attempt to impersonate legitimate traffic on the channel. Both of these options, by the way, are illegal in most countries due to the fact that we are jamming a legitimate radio broadcast.

In a DoS attack, we can flood an FM radio channel used for communication with a signal that prevents the legitimate transmission from being heard and makes no attempt to pretend to be the real transmission. In the second attack, we craft a message designed to be perceived as legitimate and insert it into programming to provoke a response. This can be as simple as a report of heavy traffic on a certain freeway requiring a different route, or as elaborate as playing a SigAlert emergency alert describing the subject's car as the vehicle of a manhunt suspect.


Nuclear missiles coming from North Korea?!

Because of the trust placed in the media and the surreptitious nature of the hijacking, a subject is unlikely to know the signal has been hijacked unless the beginning or end of the transmission switch seems out of place.

Step 1: Hardware & Software Requirements

To begin broadcasting, we don't need much. A Raspberry Pi 2 or 3 will both work, and the wire can be sourced from cords or whatever you have around. I used both stranded and solid core copper wire and both worked fine, although solid core is better.


Here's all the hardware and software you'll need for this guide:

    • A piece of wire around 3 feet long for an antenna
    • A fully updated Raspberry Pi 2/3
    • Knowledge of which frequency you're trying to jam (or a $ RTL-SDR dongle to find it yourself)
    • A source .wav file
    • make and libsndfile1-dev
    • PiFmRds from GitHub

To start, let's take care of the software requirements by running apt-get update and apt-get upgrade. Once our version of Kali is updated and upgraded, we can install dependencies by running the following in a terminal window.

apt-get install make libsndfile1-dev

Step 2: Download & Configure PiFmRds

Connect your Pi to an HDMI display or SSH into it from your laptop. To clone PiFmRds, type the following into a terminal window:

git clone https://github.com/ChristopheJacquet/PiFmRds.git
cd PiFmRds/src
make clean
make

Remember to run make clean, as versions built for different Raspberry Pis are not compatible with each other.


Step 3: Test Your First Transmission

That should be it! After navigating to the PiFmRds/src folder, you should be able to test PiFmRds by running:

sudo ./pi_fm_rds -freq 107.0 -audio sound.wav

This will start a test radio transmission on the frequency 100.1. Since we haven't yet attached our wire antenna, we can't expect it to transmit anything, right?

Turns out, even just the GPIO pin is capable of a short range transmission. Here, I can see a test broadcast from several feet away even without attaching an antenna.

Still able to receive from a few feet away even without an antenna. Image by Sadmin/Null Byte

You should use the GPIO pin to test your messages whenever possible to avoid interfering with other frequencies unnecessarily. While good for testing, the pin alone cannot overpower a station. Once you've confirmed you're transmitting, let's try hijacking a signal.

Step 4: Add an Antenna to Enable Signal Hijacking

Now that we know we're transmitting, let's up the power. Attach a piece of wire (solid core or stranded will do) to the 4th GPIO pin (see diagram to figure out which that is).

Image via Raspberry Pi Foundation

You can use the insulation around the wire to keep it snug on the pin if you work the pin between the insulation and the copper inside the wire. Here's how I attached some solid core wire:

While the wire touched a few pins, pin 4 has been pushed between the insulation and the solid core copper wire. Image by Sadmin/Null Byte

With this setup, the range is dramatically improved. I can receive the radio transmission all over the building, including on floors above and below me.

The signal is significantly boosted when an antenna is added. Image by Sadmin/Null Byte

Step 5: Load a WAV File & Overpower an FM Signal

Now that we've boosted the power, we can expect to be able to hijack any radio station when we're within twenty to thirty feet of the transmitter. Identify the station you want to hijack, and note the frequency in megahertz. For this example, we'll assume the station we are transmitting against is 107.9 MHz.

On your Pi with the antenna attached, run the following in a terminal to target and hijack 107.9 and play the audio file audio.wav.

sudo ./pi_fm_rds -freq 107.9 -audio audio.wav

You should hear the audio demo break into the legitimate transmission.

Hijacking 107.9 at nearly feet away (end of range). Image by Sadmin/Null Byte

Put any WAV file in the PiFmRds/src folder and change the name in the command above to play your own custom message.

Final Warning

While the methods described are extremely easy and effective, intentionally jamming a legitimate broadcast is illegal in the US, and most likely elsewhere. While the likelihood of being detected doing so on a small scale is low, increasing the power or operating in out-of-band frequencies can get you in trouble and interfere with military, police, and first responder radio signals.

The range of this device is short, and by experimenting with a radio to gauge the range, you can vary the length of the wire to adjust the range. In addition, playing messages that could alarm or frighten people deliberately is a great way to get in trouble as well. While funny, my inbound North Korean nuclear missile example (in the video above) could cause panic, and thus is best used in a lab setting only.

Use common sense when deciding on the message you want to transmit and keep in mind it's likely the subject will really believe it.

As always, thanks for reading, and make sure to keep an eye on Null Byte for more hacking tutorials. You can ask me questions here or @sadmin2001 on Twitter or Instagram.
