Introduction to 《Inside Radio: An Attack and Defense Guide》


Inside Radio: An Attack and Defense Guide

This book discusses the security issues in a wide range of wireless devices and systems, such as RFID, Bluetooth, ZigBee, GSM, LTE, and GPS. It collects the findings of recent research by the UnicornTeam at 360 Technology, and reviews the state-of-the-art literature on wireless security. The book also offers detailed case studies and theoretical treatments – specifically it lists numerous laboratory procedures, results, plots, commands and screenshots from real-world experiments. It is a valuable reference guide for practitioners and researchers who want to learn more about the advanced research findings and use the off-the-shelf tools to explore the wireless world.

About the Authors


Qing YANG is the founder of UnicornTeam and the head of the Radio Security Research Department at 360 Technology. He has vast experience in the information security field. He has presented at Black Hat, DEFCON, CanSecWest, HITB, Ruxcon, POC, XCon, China ISC, etc.


Lin HUANG is a senior wireless security researcher and SDR technology expert at 360 Technology. Her interests include security issues in wireless communication, especially cellular network security. She was a speaker at Black Hat, DEFCON, and HITB security conferences. She is 360 Technology’s 3GPP SA3 delegate.



This book is a joint effort by the entire UnicornTeam, including Qiren GU, Jun LI, Haoqi SHAN, Yingtao ZENG, and Wanqiao ZHANG etc.


Qiren GU is a senior security researcher at the Radio Security Department of 360 Technology and a member of UnicornTeam. He focuses on wireless communication security, cellular network security, SDR-related technologies, and also other problems in ADS-B, GPS, Bluetooth, Wi-Fi, NFC and RFID. He is a trainer for ISC, a lecturer at 360 Network Security University, and a DEFCON Group 010 speaker. guy behind


Jun LI is a senior security researcher at the Radio Security Department of 360 Technology and a core member of UnicornTeam. He holds a master's degree from Chengdu University of Information Technology. He focuses on the security research of connected cars, wireless communication, hardware, etc. He has presented his research at premier security conferences such as Black Hat, DEFCON, ISC, CanSecWest, HITB, SyScan360, etc. He is a trainer for ISC. He is the author of Smart Car Attack & Defence Demystified. He won sixth place in the MITRE IoT Challenge. He was featured in the documentary A Century With Cars by CCTV. He started the first DEFCON Group in China, DC010, and is a member of the DEFCON Groups Global Advisory Board.


Haoqi SHAN is a senior security researcher at the Radio Security Department of 360 Technology. He is also a PhD student in information security at the University of Florida. He focuses on Wi-Fi penetration, 2G/4G systems, embedded device hacking, etc. He has given a series of presentations on RFID hacking and LTE device hacking at Black Hat, DEFCON, CanSecWest, CODE BLUE, SyScan360, HITB, etc.


Yingtao ZENG is a security researcher at UnicornTeam in the Radio Security Research Department of 360 Technology. He mainly focuses on the security of the Internet of Things, car remote control systems, and automotive radar security research. He has found vulnerabilities in the products of a variety of automobile manufacturers including Buick, Volvo, Chevrolet, Toyota, Nissan, BYD and more. He has been a speaker at Hack In The Box (HITB), the DEFCON Car Hacking Village, and Black Hat.


Wanqiao ZHANG is a senior security researcher at the Radio Security Department of 360 Technology and a member of UnicornTeam. She holds a master's degree from Nanjing University of Aeronautics and Astronautics. She focuses on the security research of communication, civil aviation radio, satellite communication, etc. She has presented her research at premier security conferences such as DEFCON, POC, RUXCON, MOSEC, etc. She is a trainer for iChunqiu and a delegate of Qihoo 360 in 3GPP.


Hardcover ISBN: 978-981-10-8446-1

eBook ISBN: 978-981-10-8447-8

Publisher: Springer Singapore; 1st ed. 2018 edition (May 9, 2018, or April 9, 2018)

We will sell the book at HITB SECCONF 2018 Amsterdam.



Outline of 《Inside Radio: An Attack and Defense Guide》

Chapter 1 Overview of Wireless Security, Attack and Defense

1.1 Overview of wireless security
1.1.1 Origin of wireless security
1.1.2 Difference between wireless security and mobile security
1.1.3 Status quo of wireless security
1.2 Wireless attack and defense methods
1.2.1 Common attack targets
1.2.2 Wireless attack methods
1.2.3 Wireless defense methods
1.2.4 Trend of wireless security

Chapter 2 Tools for Wireless Security Research

2.1 Software-defined radio technology
2.1.1 SDR capabilities
2.1.2 SDR usage
2.2 SDR hardware tools
2.2.1 USRP
2.2.2 RTL-SDR
2.2.3 HackRF
2.2.4 bladeRF
2.2.5 LimeSDR
2.3 SDR software tool — GNU Radio
2.3.1 GNU Radio installation
2.3.2 The first thing to do after installation
2.3.3 Example: OFDM Tunnel
2.4 Sniff mouse and keyboard data
2.4.1 Use SDR to sniff data packets of wireless keyboards and mice running on Nordic chips
2.4.2 MouseJack

Chapter 3 RFID/NFC Security

3.1 Introduction to Mifare Classic
3.2 Security analysis of Mifare Classic
3.2.2 Review of the process of cracking Mifare Classic
3.3 A real case of cracking Mifare Classic
3.3.1 Introduction to Proxmark III
3.3.2 Burn and use Proxmark III firmware
3.3.3 Proxmark III client
3.3.4 Test the security of Mifare Classic with Proxmark III
3.3.5 Introduction to Chameleon-Mini
3.3.6 Burn and use Chameleon-Mini firmware
3.3.7 Simulate Mifare Classic by combining Proxmark III and Chameleon-Mini
3.3.8 Conclusion of HF attack and defense
3.4 Security analysis of LFID cards
3.4.1 Introduction to LFID cards
3.4.2 Coding principle of ID cards
3.4.3 Decoding principle of ID cards
3.4.4 Read data from ID cards
3.4.5 Format of the ID card number
3.5 Clone an LFID card
3.5.1 Simulation attacks with Proxmark III
3.5.2 Clone attacks with a blank card
3.5.3 Simulation attacks with HackID
3.6 EMV privacy leakage
3.6.1 EMV introduction
3.6.2 Mechanism of privacy leakage in contactless chip cards
3.6.3 Phenomenon of privacy leakage in contactless chip cards
3.6.4 Contactless chip card fraud
3.6.5 Privacy protection in the use of contactless chip cards

Chapter 4 433/315MHz Communication

4.1 Sniff and analyze the security of remote control signals
4.2 Attacks by replaying remote control signals
4.2.1 Parking bar signal replay
4.2.2 Wireless door bell signal replay
4.2.3 Vibrator signal replay
4.3 Crack fixed-code garage doors with brute force
4.3.1 Complexity of brute-force attack
4.3.2 Hardware for fixed-code brute-force attack
4.4 Security analysis of remote car key signals
4.4.1 Generation of remote control signals
4.4.2 Security analysis of Keeloq key generation algorithm
4.4.3 An example of remote controller bugs
4.4.4 Rolljam replay attacks on car keys
4.5 Security analysis of the PKE system
4.6 Security analysis of the tire pressure monitoring system

Chapter 5 Aeronautical Radio Navigation

5.1 Introduction to ADS-B system
5.1.1 Definition of ADS-B
5.1.2 Definition of 1090ES
5.2 ADS-B signal encoding
5.2.1 Modulation method
5.2.2 Format of message
5.2.3 Altitude code
5.2.4 CPR longitude and latitude code
5.2.5 CRC validation
5.3 ADS-B signal sniffing
5.3.1 Receive ADS-B signal with “dump1090”
5.3.2 Receive ADS-B signal with “gr-air-modes”
5.4 ADS-B signal deception
5.5 Analysis of attack and defense

Chapter 6 Bluetooth Security

6.1 Introduction to Bluetooth technology
6.3 Bluetooth sniffing tool Ubertooth
6.3.1 Ubertooth software installation
6.3.2 Ubertooth usage
6.4 Low-power Bluetooth
6.4.1 TI’s BLE Sniffer
6.4.2 Sniff BTLE data packets with “ubertooth-btle”
6.4.3 Read and write BLE devices’ properties with a mobile app
6.4.4 Transmit data packets by simulating the BLE device

Chapter 7 ZigBee Technology

7.1 Introduction to ZigBee
7.1.1 The relationship between ZigBee and IEEE 802.15.4
7.1.2 Structure of 802.15.4 frames
7.1.3 Different types of MAC frame in ZigBee
7.1.4 Device types and network topology of ZigBee
7.1.5 ZigBee networking
7.1.6 Application layer of ZigBee
7.1.7 The application support sub-layer of ZigBee
7.1.8 Application profile of ZigBee
7.2 ZigBee security
7.2.1 Security layers
7.2.2 Key types
7.2.3 Security levels
7.2.4 Key distribution
7.2.5 Access authentication for ZigBee nodes
7.3 ZigBee attacks
7.3.1 Attacking tools
7.3.2 Protocol analysis software
7.3.3 Network discovery
7.3.4 Attack an unencrypted network
7.3.5 Attack an encrypted network
7.4 An example of attacking
7.4.1 Obtain the key from the device
7.4.2 Attacks by using the key
7.5 Summary of attacks and defenses

Chapter 8 Mobile Network Security

8.1 Security status of the GSM system
8.1.1 Terminology and basic concepts of the GSM/UMTS system
8.1.2 Security of GSM encryption algorithms
8.1.3 Active attack and passive attack in GSM
8.1.4 GSM sniffing with “gr-gsm”
8.2 IMSI Catcher
8.2.1 What is an IMSI Catcher?
8.2.2 IMSI Catcher in GSM environment
8.2.3 IMSI Catcher in UMTS environment
8.2.4 IMSI Catcher in LTE environment
8.2.5 Defect of the IMSI Catcher
8.2.6 Stingray cellphone tracker
8.2.7 IMSI Catcher Detector
8.3 Femtocell security
8.3.1 Introduction to femtocell
8.3.2 Attack surface of femtocell
8.3.4 GSM femtocell based on VxWorks
8.4 LTE redirection and downgrade attack
8.4.1 Redirection attack principles: IMSI catcher, DoS attack, redirection attack
8.4.2 The cause of redirection bugs
8.5 ‘Ghost Telephonist’ Attack
8.5.1 Vulnerability principle
8.5.2 Experiment setting
8.5.3 Attack methods
8.5.4 Countermeasures
8.6 Analysis of attack and defense

Chapter 9 Satellite Communication

9.1 Overview of artificial satellites
9.2 GPS security research
9.2.1 GPS sniffing and security analysis
9.2.2 GPS spoofing
9.2.3 Methods of defense and suggestions
9.3 Security analysis of Globalstar system
9.3.1 Globalstar’s CDMA technology
9.3.2 Globalstar data cracking
9.3.3 Possible attack methods


PlutoSDR Getting Started (Chinese edition) | PlutoSDR Getting Started Guide

0x00 About PlutoSDR

PlutoSDR is an SDR hardware platform designed and produced by ADI (Analog Devices Inc), an SDR active-learning module aimed at university teachers and students. With this module, electrical engineering students can quickly pick up the basics of software-defined radio (SDR), RF, and wireless communications. The ADALM-PLUTO SDR is designed for students of different levels and backgrounds, and this self-contained, portable RF lab can be used both for instructor-led teaching and for self-study.

The module uses the AD9363 RF Agile Transceiver, with the following characteristics:
Frequency range: 325 MHz – 3.8 GHz
Bandwidth: 20 MHz



RF Transceiver                         LO tuning range    Bandwidth
AD9363 (as shipped in PlutoSDR)        325 – 3800 MHz     20 MHz
AD9364 (PlutoSDR can be "upgraded")    70 – 6000 MHz      56 MHz

From the table above we can see that, by "upgrading" the chip identity, the PlutoSDR can be pushed beyond its rated range: the supported frequency range goes straight from 325-3800 MHz to 70-6000 MHz, and the bandwidth is greatly increased as well! Keep in mind that this only changes which device profile the driver loads; the AD9363 silicon is not characterized or guaranteed outside its datasheet range, so performance at the extended frequencies and bandwidths can vary from unit to unit.

0x01 Driver & Tools

Under Windows 7, the first thing to install is the PlutoSDR-M2k-USB driver, download link:


The USB driver mainly provides the USB COM port, the USB network interface, and so on. In addition, when plugged in over USB the PlutoSDR also presents itself as a USB flash drive, and the config.txt file on it holds the PlutoSDR's IP address, gateway and other parameters:

After installing the driver, try pinging that address from CMD:

0x02 “upgrade” PlutoSDR to 70 – 6000 MHz

On the PlutoSDR's own console (the USB serial COM port, or ssh to the address from config.txt), first check the two U-Boot environment variables; on a factory unit neither is defined:

# fw_printenv attr_name
## Error: "attr_name" not defined
# fw_printenv attr_val
## Error: "attr_val" not defined

Set them so that the driver loads the AD9364 profile, then reboot the device, since the profile is only read at boot:

# fw_setenv attr_name compatible
# fw_setenv attr_val ad9364
# reboot

After the reboot, read them back; they should now print attr_name=compatible and attr_val=ad9364:

# fw_printenv attr_name
# fw_printenv attr_val
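The same check-and-apply procedure, scripted over ssh so it can be repeated on several units and verified after the reboot. This is an added example, not code from the original post or from ADI; it assumes the Pluto accepts root ssh logins at PLUTO_HOST (192.168.2.1 is the address normally found in config.txt; the host and user are assumptions), and that fw_printenv/fw_setenv behave as shown above.

```sh
#!/bin/sh
# Added example (not from the original post, and not ADI's code): report which
# profile a PlutoSDR is running and apply the AD9364 profile over ssh.
# Assumptions: the Pluto answers ssh as root at PLUTO_HOST.

PLUTO_HOST="${PLUTO_HOST:-192.168.2.1}"

# pluto_profile_from_env: read a fw_printenv dump from stdin and print one of
#   ad9364  - attr_name=compatible and attr_val=ad9364 are both set
#   default - neither variable is defined (factory AD9363 profile)
#   partial - only one is set, or attr_val holds something else
pluto_profile_from_env() {
  name=""; val=""
  while IFS= read -r line || [ -n "$line" ]; do
    case "$line" in
      attr_name=*) name="${line#attr_name=}" ;;
      attr_val=*)  val="${line#attr_val=}" ;;
    esac
  done
  if [ "$name" = "compatible" ] && [ "$val" = "ad9364" ]; then
    echo ad9364
  elif [ -z "$name" ] && [ -z "$val" ]; then
    echo default
  else
    echo partial
  fi
}

# pluto_env_dump: print the two variables as "name=value" lines. fw_printenv
# reports an undefined variable with "## Error: ... not defined" on stderr and
# a non-zero exit status, so those are silenced and the dump simply omits it.
pluto_env_dump() {
  ssh "root@$PLUTO_HOST" \
    'fw_printenv attr_name 2>/dev/null; fw_printenv attr_val 2>/dev/null; true'
}

# pluto_apply_ad9364: set both variables and reboot; the profile is read at boot.
pluto_apply_ad9364() {
  ssh "root@$PLUTO_HOST" \
    'fw_setenv attr_name compatible && fw_setenv attr_val ad9364 && reboot'
}

main() {
  state=$(pluto_env_dump | pluto_profile_from_env)
  echo "$PLUTO_HOST: profile state is $state"
  if [ "$state" != "ad9364" ]; then
    echo "applying AD9364 profile and rebooting $PLUTO_HOST"
    pluto_apply_ad9364
  fi
}

# Hardware is only touched when the script is run with --apply.
if [ "${1:-}" = "--apply" ]; then
  main
fi
```

Run it once with --apply, wait for the Pluto to come back, and run it again: the second run should report "profile state is ad9364" without touching the device. A "partial" state means one fw_setenv succeeded and the other did not, which is worth fixing before rebooting rather than leaving the environment half-written.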


0x03 Installing the SDR# plugin

The x86 / 32-bit build of SDR# is required here; the 64-bit build is not currently supported.
Download the ADALM-PLUTO frontend for SDRSharp from GitHub, extract the files in the archive into the main directory of SDR#, and add one line to FrontEnds.xml:



Now the PlutoSDR can be used with 70-6000 MHz support! Try listening to FM broadcast radio:


To drive the PlutoSDR from gqrx and GNU Radio, build the plutosdr branch of gr-osmosdr-gqrx (build as a normal user, then install as root):

git clone
cd gr-osmosdr-gqrx/
git checkout plutosdr
mkdir build
cd build/
cmake ../
make
sudo make install
sudo ldconfig

Finally, gqrx and GNU Radio talk to the PlutoSDR through the osmosdr source and sink blocks.

0x04 References


Compiling LeanSDR on Mac OS X

LeanSDR: Lightweight, portable software-defined radio

git clone
cd leansdr/src/apps
make

Running make in src/apps fails on macOS: the X11 headers and library are not on the compiler's default search paths, so the -DGUI build of each app fails, either because X11/X.h is not found or because the linker cannot find libX11:

g++ -O3 -I.. -Wall -Wno-sign-compare -Wno-array-bounds -Wno-unused-variable -DGUI -lX11 -o leandvb  ||  \
    g++ -O3 -I.. -Wall -Wno-sign-compare -Wno-array-bounds -Wno-unused-variable       -o leandvb
In file included from
../leansdr/gui.h:16:10: fatal error: 'X11/X.h' file not found
#include <X11/X.h>
1 error generated.
g++ -O3 -I.. -Wall -Wno-sign-compare -Wno-array-bounds -Wno-unused-variable -DGUI -lX11 -o leansdrscan  ||  \
    g++ -O3 -I.. -Wall -Wno-sign-compare -Wno-array-bounds -Wno-unused-variable       -o leansdrscan
warning: comparison of unsigned expression < 0 is always false [-Wtautological-compare]
        if ( nr < 0 ) fatal("read");
             ~~ ^ ~
1 warning generated.
ld: library not found for -lX11
clang: error: linker command failed with exit code 1 (use -v to see invocation)
warning: comparison of unsigned expression < 0 is always false [-Wtautological-compare]
        if ( nr < 0 ) fatal("read");
             ~~ ^ ~
1 warning generated.
g++ -O3 -I.. -Wall -Wno-sign-compare -Wno-array-bounds -Wno-unused-variable -DGUI -lX11 -o leansdrcat  ||  \
    g++ -O3 -I.. -Wall -Wno-sign-compare -Wno-array-bounds -Wno-unused-variable       -o leansdrcat
ld: library not found for -lX11
clang: error: linker command failed with exit code 1 (use -v to see invocation)
g++ -O3 -I.. -Wall -Wno-sign-compare -Wno-array-bounds -Wno-unused-variable -DGUI -lX11 -o leantsgen  ||  \
    g++ -O3 -I.. -Wall -Wno-sign-compare -Wno-array-bounds -Wno-unused-variable       -o leantsgen
ld: library not found for -lX11
clang: error: linker command failed with exit code 1 (use -v to see invocation)
g++ -O3 -I.. -Wall -Wno-sign-compare -Wno-array-bounds -Wno-unused-variable -DGUI -lX11 -o leanchansim  ||  \
    g++ -O3 -I.. -Wall -Wno-sign-compare -Wno-array-bounds -Wno-unused-variable       -o leanchansim
ld: library not found for -lX11
clang: error: linker command failed with exit code 1 (use -v to see invocation)
g++ -O3 -I.. -Wall -Wno-sign-compare -Wno-array-bounds -Wno-unused-variable -DGUI -lX11 -o leandvbtx  ||  \
    g++ -O3 -I.. -Wall -Wno-sign-compare -Wno-array-bounds -Wno-unused-variable       -o leandvbtx
ld: library not found for -lX11
clang: error: linker command failed with exit code 1 (use -v to see invocation)


sudo find / -name "X.h"
find: /dev/fd/cn0xroot: No such file or directory
find: /dev/fd/cn0xroot: No such file or directory


The X11 headers and library live under /opt/X11 (the XQuartz install), so the Makefile in src/apps is patched to add -I/opt/X11/include and -L/opt/X11/lib (recipe lines must be indented with a tab):

APPS = leandvb leansdrscan
APPS += leansdrcat leantsgen leanchansim leandvbtx

all: $(APPS)

clean:
	rm -f $(APPS)

DEPS = ../leansdr/*.h

CXXFLAGS = -O3 -I.. -I/opt/X11/include -Wall -Wno-sign-compare -Wno-array-bounds -Wno-unused-variable

# Each app is built from its own %.cc: try the X11 GUI build first, fall back to a headless build.
%: %.cc $(DEPS)
	g++ $(CXXFLAGS) -DGUI $< -L/opt/X11/lib -lX11 -o $@ || \
	g++ $(CXXFLAGS) $< -o $@

EMBED_FLAGS= -I.. -Wall -Wno-sign-compare -Wno-array-bounds -Wno-unused-variable \
-Ofast -mfpu=neon -funsafe-math-optimizations -fsingle-precision-constant

leandvb.embedded: leandvb.cc $(DEPS)
	g++ $(CXXFLAGS) $(EMBED_FLAGS) $< -static -o $@ || \
	g++ $(CXXFLAGS) $(EMBED_FLAGS) $< -o $@

With this patch make succeeds. The built tools and their options:


leandvb --help
Usage: leandvb [options]  < IQ  > TS
Demodulate DVB-S I/Q on stdin, output MPEG packets on stdout

Input options:
  --u8           Input format is 8-bit unsigned (rtl_sdr, default)
  --f32          Input format is 32-bit float (gqrx)
  -f HZ          Input sample rate (default: 2.4e6)
  --loop         Repeat (stdin must be a file)
  --inbuf N      Additional input buffering (samples)

Preprocessing options:
  --anf N        Number of birdies to remove (default: 1)
  --derotate HZ  For use with --fd-pp, otherwise use --tune
  --resample     Resample baseband (CPU-intensive)
  --resample-rej K  Aliasing rejection (default: 10)
  --decim N      Decimate baseband (causes aliasing)
  --cnr          Measure CNR (requires samplerate>3*symbolrate)
  --fd-pp NUM    Dump preprocessed IQ data to file descriptor

DVB-S options:
  --sr HZ        Symbol rate (default: 2e6)
  --tune HZ      Bias frequency for demodulation
  --drift        Track frequency drift beyond safe limits
  --standard S   DVB-S (default), DVB-S2 (not implemented)
  --const C      QPSK (default), BPSK .. 32APSK (DVB-S2 only)
  --cr N/D       Code rate 1/2 (default) .. 7/8 .. 9/10
  --fastlock     Synchronize more aggressively (CPU-intensive)
  --sampler      nearest, linear, rrc
  --rrc-steps N  RRC interpolation factor
  --rrc-rej K    RRC filter rejection (defaut:10)
  --roll-off A   RRC roll-off (default: 0.35)
  --viterbi      Use Viterbi (CPU-intensive)
  --hard-metric  Use Hamming distances with Viterbi

Compatibility options:
  --hdlc         Expect HDLC frames instead of MPEG packets
  --packetized   Output 16-bit length prefix (default: as stream)

General options:
  --buf-factor   Buffer size factor (default:4)
  --hq           Maximize sensitivity
                 (Enables all CPU-intensive features)
  --hs           Maximize throughput (QPSK CR1/2 only)
                 (Disables all preprocessing)

UI options:
  -h             Display this help message and exit
  -v             Output debugging info at startup and exit
  -d             Output debugging info during operation
  --fd-info NUM  Output demodulator status to file descriptor
  --fd-const NUM Output constellation and symbols to file descr
  --gui          Show constellation and spectrum (X11)
  --duration S   Width of timeline plot (default: 60)
  --linger       Keep GUI running after EOF

Testing options:
  --awgn STDDEV  Add white gaussian noise (slow)
leanchansim --help
Usage: leanchansim [options]  <  > IQ.out
Simulate an imperfect communication channel.

Input options:
  --iu8              Interpret stdin as complex unsigned char
  --if32             Interpret stdin as complex float
  -f Hz              Specify sample rate
  --loop             Repeat (stdin must be a file)

Gain options:
  --scale FACTOR     Multiply by constant

Drift options:
  --lo HZ            Specify nominal LO frequency
  --ppm PPM          Specify LO accuracy
  --drift-period S   Drift +-ppm every S seconds
  --drift-rate R     Drift with maximum rate R (Hz/s)
  --drift2-amp HZ    Add secondary drift (range in Hz)
  --drift2-freq HZ   Add secondary drift (rate in Hz)

Noise options:
  --awgn STDDEV      Add white gaussian noise (dB)

Output options:
  --ou8              Output as complex unsigned char
  --of32             Output as complex float
leandvbtx --help
Usage: leandvbtx [options]  < TS  > IQ
Modulate MPEG packets into a DVB-S baseband signal
Output float complex samples

Options:  -f INTERP[/DECIM]        Samples per symbols (default: 2)
  --roll-off R             RRC roll-off (defalt: 0.35)
  --power P                Output power (dB)
  --agc                    Better regulation of output power
  -v                       Verbose output
leansdrcat --help
Usage: leansdrcat [options]
Forward from stdin to stdout at constant rate.

  --block      Pause when stdout is busy (default: '#' on stderr)
  --nonblock   Silently ignore when stdout is busy
  --cbr R      Set rate in bits per second
  --cbr8 R     Set rate in bytes per second
  --cbr16 R    Set rate in 16-bit words per second
  --cbr32 R    Set rate in 32-bit words per second
  --cbr64 R    Set rate in 64-bit words per second
  -h           Display this help message and exit
leansdrscan --help
Usage: leansdrscan [options]  [program settings]
Run , cycling through combinations of settings.
Example: 'leansdrscan -v cat -n,-e' will feed stdin through 'cat -n' and 'cat -e' alternatively.

  -h              Print this message
  -v              Verbose
  --timeout N     Next settings if no output within N seconds
  --rewind        Rewind input (stdin must be a file)
  --probesize N   Forward only N bytes (with --rewind)
leantsgen --help
Usage: leantsgen [-c PACKETCOUNT]
Output numbered MPEG TS packets on stdout.


A quick end-to-end check with an RTL-SDR: capture raw 8-bit I/Q at 315 MHz and 1 MS/s until stopped with Ctrl-C (rtl_sdr -g 0 selects automatic gain; the .ts name is only a file name, the capture is raw I/Q, not a transport stream), then demodulate it as DVB-S at a 500 kS/s symbol rate and code rate 1/2 with the GUI enabled. The -f 1000e3 given to leandvb must match the -s 1000000 of the capture, and --u8 (the default) matches rtl_sdr's sample format:

rtl_sdr -g 0 -f 315e6 -s 1000000 /tmp/test.ts
leandvb --gui -v -d -f 1000e3 --sr 500e3 --cr 1/2 --derotate -4500 --anf 0 < /tmp/test.ts > mpeg.ts
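Before trusting an over-the-air capture, it is worth proving that the freshly built apps demodulate their own signal. The following is an added example, not part of the original post or of the leansdr project: a software loopback leantsgen -> leandvbtx -> leandvb built from the options shown in the help text above, plus a sanity check that the output is a stream of 188-byte MPEG TS packets starting with the sync byte 0x47. It assumes the binaries are in LEANSDR_BIN (default: the current directory), that 2 samples per symbol at a 2e6 sample rate gives a 1e6 symbol rate, and that leandvbtx (whose help lists no code-rate option) emits code rate 1/2, leandvb's default; the packet count is arbitrary.

```sh
#!/bin/sh
# Added example, not from the original post or the leansdr project: validate
# the built apps with a software loopback and check the demodulated output.
# Assumptions: apps live in LEANSDR_BIN; leandvbtx output is CR 1/2.

LEANSDR_BIN="${LEANSDR_BIN:-.}"

# ts_packet_stats FILE: print "<valid> <total>", where total is the number of
# whole 188-byte slots in FILE and valid is how many of them start with the
# MPEG TS sync byte 0x47 (ASCII 'G'). leandvb writes its output as exactly
# such a raw packet stream.
ts_packet_stats() {
  size=$(wc -c < "$1" | tr -d ' ')
  total=$((size / 188))
  valid=0
  i=0
  while [ "$i" -lt "$total" ]; do
    # od: skip to the packet boundary and print its first byte as hex
    b=$(od -An -tx1 -j $((i * 188)) -N 1 "$1" | tr -d ' \n')
    [ "$b" = "47" ] && valid=$((valid + 1))
    i=$((i + 1))
  done
  echo "$valid $total"
}

# loopback_test N OUTFILE: generate N numbered TS packets, modulate them as
# DVB-S QPSK at 2 samples per symbol (leandvbtx -f 2, float complex output),
# and feed the I/Q straight back into leandvb (--f32, 2e6 S/s, 1e6 sym/s).
loopback_test() {
  n="$1"; out="$2"
  "$LEANSDR_BIN/leantsgen" -c "$n" \
    | "$LEANSDR_BIN/leandvbtx" -f 2 \
    | "$LEANSDR_BIN/leandvb" --f32 -f 2e6 --sr 1e6 --cr 1/2 > "$out"
  set -- $(ts_packet_stats "$out")
  echo "loopback: $1 of $2 output packets carry the 0x47 sync byte ($n sent)"
  # Acquisition costs the first packets; a healthy build recovers most of them.
  [ "$1" -gt $((n / 2)) ]
}

# The loopback only runs when invoked explicitly: sh loopback.sh --run
if [ "${1:-}" = "--run" ]; then
  loopback_test 1000 /tmp/loopback.ts
fi
```

If the loopback passes but the RTL-SDR capture yields no packets, the problem is in the RF path (frequency offset, symbol rate, gain) rather than in the build; ts_packet_stats can be pointed at mpeg.ts from the capture above to count how many packets actually made it through.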