Repository: fulldecent/system-bus-radio
Branch: main
Commit: 68862bb799c5
Files: 31
Total size: 66.1 KB
Directory structure:
gitextract_qt828ii7/
├── .github/
│ ├── FUNDING.yml
│ └── workflows/
│ └── tests.yml
├── .gitignore
├── LICENSE
├── README.md
├── RTL-SDR-GUIDE.md
├── TEST-DATA.tsv
├── docs/
│ ├── .gitignore
│ ├── Gemfile
│ ├── airgap.js
│ ├── index.html
│ ├── main.css
│ └── worker.js
├── implementations/
│ ├── c-_mm_stream_si128/
│ │ ├── Makefile
│ │ └── main.c
│ ├── c-apple-silicon/
│ │ ├── Makefile
│ │ ├── README.md
│ │ └── main.c
│ ├── c-apple-silicon-wav/
│ │ ├── Makefile
│ │ ├── README.md
│ │ ├── gen_sweep.c
│ │ └── main.c
│ ├── c-neon-threads/
│ │ ├── Makefile
│ │ └── main.c
│ └── cpp-counter-threads/
│ ├── Makefile
│ └── main.cpp
├── tests/
│ └── check-test-data-tabs.sh
└── tunes/
├── README.md
├── mary_had_a_little_lamb.tune
├── morse_code_sos.tune
└── smb.tune
================================================
FILE CONTENTS
================================================
================================================
FILE: .github/FUNDING.yml
================================================
# These are supported funding model platforms
github: [fulldecent]
custom: ["https://www.paypal.me/fulldecent", "https://amazon.com/hz/wishlist/ls/EE78A23EEGQB"]
================================================
FILE: .github/workflows/tests.yml
================================================
name: Check Lines Script
on:
  push:
    branches:
      - main
  pull_request:
    branches:
      - main
jobs:
  run-check-lines:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4
      - name: Run check-lines.sh script
        run: ./tests/check-test-data-tabs.sh
================================================
FILE: .gitignore
================================================
# Object files
*.o
*.ko
*.obj
*.elf
# Precompiled Headers
*.gch
*.pch
# Libraries
*.lib
*.a
*.la
*.lo
# Shared objects (inc. Windows DLLs)
*.dll
*.so
*.so.*
*.dylib
# Executables
*.exe
*.out
*.app
*.i*86
*.x86_64
*.hex
# Debug files
*.dSYM/
/main
main
gmain
cmain
================================================
FILE: LICENSE
================================================
The MIT License (MIT)
Copyright (c) 2016 William Entriken
Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.
================================================
FILE: README.md
================================================
# System Bus Radio
This program transmits radio on computers / phones without radio transmitting hardware.
## Thank you to our sponsors
Listen to online radio -
## Why?
Some computers are intentionally disconnected from the rest of the world. This includes having their internet, wireless, bluetooth, USB, external file storage and audio capabilities removed. This is called "air gapping". Even in such a situation, this program can transmit radio.
Publicly available documents already discuss exfiltration from secured systems using various electromagnetic radiations. This is documented in the TEMPEST guidelines published by the US National Security Agency and the US Department of Defense. This project simply adds to that discussion.
## How to use it
**NEW:** Try it in your browser, click here:
Enter the implementations folder, select any of them and compile using `make`.
```sh
make
```
Run this using a 2015 model MacBook Air. Then use a Sony STR-K670P radio receiver with the included antenna and tune it to 1580 kHz on AM.
Run it and reference a tune file or make your own!
```sh
./main ../../tunes/mary_had_a_little_lamb.tune
```
You should hear the "Mary Had a Little Lamb" tune playing repeatedly. Other equipment and tuning may work as well. On the equipment above, the author has achieved clear transmission over two meters of open air or one meter through drywall. Different results will be achievable with different equipment.
Are you using an antenna? At the beginning, the author placed the antenna directly on top of the number 4 key and that worked best (on any AM frequency). It was a round antenna. Then once they knew it worked they moved the antenna back. Moving it back reduced the number of frequencies that it worked on, and eventually only that one (1580 kHz) worked. Different hardware will certainly have different frequency response. Here are some results that have been sent in by readers. Please mail with your results (including makes and models of all equipment involved) or [edit this file directly](https://github.com/fulldecent/system-bus-radio/edit/master/TEST-DATA.tsv) and create a pull request.
**WANTED:** Please post your test results using Raspberry Pi and other embedded systems. These may be particularly good targets because of less shielding/hardening of their hardware.
**NEW:** See our [basic RTL SDR guide] to receive system bus signals using another computer with RTL SDR hardware.
## Technical explanation
This program runs instructions on the computer that cause electromagnetic radiation. The emissions are of a broad frequency range. To be accepted by the radio, those frequencies must:
* Be emitted by the computer processor and other subsystems
* Escape the computer shielding
* Pass through the air or other obstructions
* Be accepted by the antenna
* Be selected by the receiver
By trial and error, the above frequency was found to be ideal for that equipment.
The actual emissions are caused by the `_mm_stream_si128` instruction that writes through to a memory address. Inspiration for using this instruction was provided in:
> Guri, M., Kachlon, A., Hasson, O., Kedma, G., Mirsky, Y. and Elovici, Y., 2015. GSMem: data exfiltration from air-gapped computers over GSM frequencies. In 24th USENIX Security Symposium (USENIX Security 15) (pp. 849-864).
Please note that replacing `_mm_stream_si128` with a simple `x++;` will work too. The author's experience has been that `_mm_stream_si128` produces a stronger signal. There may be other ideas that work even better, and it would be nice to improve this method to be more portable (not require SSE extensions).
The program uses square wave modulation, which is depicted below:
```
|<--------------------TIME-------------------->|
| |
|‾|_|‾|_|‾|_____________|‾|_|‾|_|‾|_____________
| | | |
|<------SIGNAL--------->| | |
| |
|<->| CARRIER
```
Notes on high precision time APIs:
* Get current time
* mach_absolute_time() gives time in int64_t of nanoseconds
* Converting to nanoseconds
* Declared
* Definition
* clock_get_time() gives a mach_timespec_t time
* Called from mach_absolute_time()
* mach_timespec_t
* Type documentation
* Declaration
* Sleep
* mach_wait_until()
* Notes
* nanosleep()
* Apple doc
* Definition
* clock_sleep_trap()
* Used from nanosleep()
* Declared
* Definition
* Uses clock_sleep_internal()
* Uses ADD_MACH_TIMESPEC
* clock type constants
* TIME_ABSOLUTE
* TIME_RELATIVE
* Defines ADD_MACH_TIMESPEC(t1, t2) // t1 += t2
* Defines CMP_MACH_TIMESPEC(t1, t2) // t1 <=> t2, also (t1 - t2) in nsec with max of +- 1 sec
* msleep()
* time/timer.c /
* kern/clock.h
================================================
FILE: RTL-SDR-GUIDE.md
================================================
# RTL SDR Basic Setup
## Test subject
For this guide, we are inspecting a **MacBook Pro M1 (13-inch, 2020)** for electromagnetic radiation.
This subject is tough because:
- Low power (wattage)
- System is tightly integrated (no user-replaceable RAM)
- Aluminum casing
If we are successful with the approaches in this paper, you should get even better results with other kinds of laptops.
## Hardware
*Other setups will work too. But this guide is explored with the following hardware:*
* Computer running macOS (to run SDR)
* RTL-SDR Blog V3 / [buy from manufacturer](https://www.rtl-sdr.com/buy-rtl-sdr-dvb-t-dongles/) / [data sheet](https://www.rtl-sdr.com/wp-content/uploads/2018/02/RTL-SDR-Blog-V3-Datasheet.pdf)
* Ham It Up Plus / [buy from manufacturer](https://nooelec.com/store/ham-it-up-plus.html) / [data sheet](https://www.nooelec.com/store/downloads/dl/file/id/99/product/284/ham_it_up_plus_datasheet_revision_2.pdf)
* Requires a USB A/B cable and a USB power source (do not use the same device running your SDR)
* Balun One Nine / [buy from manufacturer](https://www.nooelec.com/store/balun-one-nine-v2.html) / could not find data sheet
* An AM loop antenna
* Affiliate link to buy everything / [from Amazon](https://www.amazon.com/ideas/amzn1.account.AHUITP6B2VTROJ7IMNP2LCUA5QDA/18H46X17FDG76?type=explore&_encoding=UTF8&tag=phornetandrel-20&linkCode=ur2&linkId=dedd255a129c5ac7415a9dcb713ae618&camp=1789&creative=9325)
You may have seen that the RTL-SDR Blog V3 above [already includes support for lower frequencies](https://www.rtl-sdr.com/rtl-sdr-blog-v-3-dongles-user-guide/), obviating the upconverter (Ham It Up Plus). General advice on the scene has been that you want to use an upconverter rather than the built-in bias tee. If I can get better results with the bias tee approach I will update this guide to recommend that simpler and more economical approach.
## Setup
Your equipment is plugged in as:
```
Computer --M/M-plug-- RTL-SDR --M/M-plug-- Ham It Up Plus --optional-long-wire-- Balun One Nine --spring-terminal-- antenna
```

Note that the upconverter means you will be tuning your radio to +125 MHz offset versus the frequencies you want.
## Software
**Test subject**
For quick browsing and playing, I used the [counter and threads](https://github.com/fulldecent/system-bus-radio/tree/master/Using%20counter%20and%20threads) implementation running on the M1 test subject. This allowed me to quickly edit the code and rerun it at different frequencies. (I ran the compiler command by hand as the Makefile did not work on the M1. Not sure if this needs fixing.)
**Radio**
This was a 2018 MacBook Pro (Intel). [CubicSDR](https://cubicsdr.com) was easy to set up. Also it claimed to let me try the bias tee approach, but I failed to make it work.
Alternately, I tried running [RTL Power](http://kmkeen.com/rtl-power/) to sweep various frequencies. Try it like this with the test subject off:
```sh
time rtl_power -f 125M:126M:20K -g 50 -i 1m -1 noise.csv; say done
```
Then run it again with the test subject running, writing the output to `signal.csv`, and compare the two results.
Here is a quick Swift program to convert from RTL power into something you can use in Excel:
```swift
import Foundation

while let line = readLine() {
    // date, time, Hz low, Hz high, Hz step, samples, dbm, dbm, ...
    let columns = line.components(separatedBy: ", ")
    let hzLow = Double(columns[2])!
    let hzStep = Double(columns[4])!
    var hzCurrent = hzLow
    for dbm in columns[6...] {
        print(Int(hzCurrent), dbm)
        hzCurrent += hzStep
    }
}
```
And of course:
```sh
paste -d, noise-transpose.csv signal-transpose.csv > merged.csv
```
Now you can plot the signal-to-noise ratio.
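The noise-versus-signal comparison can also be scripted. The following Python is an added example, not code from this repository: it parses two `rtl_power` sweeps, subtracts the noise sweep per bin, and reports the bins that rise above it, with frequencies corrected for the 125 MHz upconverter offset. The function names, the 6 dB cutoff and the sample rows are assumptions constructed for illustration.

```python
import csv
import io
import math

# Ham It Up Plus upconverter offset stated in the guide (+125 MHz).
UPCONVERTER_OFFSET_HZ = 125_000_000

# Constructed sample sweeps in rtl_power's CSV layout:
# date, time, Hz low, Hz high, Hz step, samples, dB, dB, ...
NOISE_CSV = """\
2021-01-01, 12:00:00, 125000000, 125500000, 100000.00, 10, -40.1, -39.8, -40.3, -40.0, -39.9
2021-01-01, 12:00:00, 125500000, 126000000, 100000.00, 10, -40.2, -40.0, -39.7, -40.1, -40.4
"""
SIGNAL_CSV = """\
2021-01-01, 12:05:00, 125000000, 125500000, 100000.00, 10, -40.0, -39.9, -40.2, -40.1, -39.8
2021-01-01, 12:05:00, 125500000, 126000000, 100000.00, 10, -40.0, -28.0, -33.5, nan, -40.3
"""


def parse_rtl_power(text):
    """Return {tuned_hz: mean_db} for every finite bin in rtl_power CSV text."""
    sums, counts = {}, {}
    for row in csv.reader(io.StringIO(text), skipinitialspace=True):
        if len(row) < 7:
            continue  # blank or truncated row
        hz_low, hz_step = float(row[2]), float(row[4])
        for i, cell in enumerate(row[6:]):
            try:
                db = float(cell)
            except ValueError:
                continue  # unparseable cell
            if not math.isfinite(db):
                continue  # nan/inf would poison the comparison
            hz = int(round(hz_low + i * hz_step))
            sums[hz] = sums.get(hz, 0.0) + db
            counts[hz] = counts.get(hz, 0) + 1
    # Repeated sweeps of the same bin are averaged (a plain mean of dB values).
    return {hz: sums[hz] / counts[hz] for hz in sums}


def emission_bins(noise_text, signal_text, threshold_db=6.0):
    """List (real_hz, delta_db) for bins at least threshold_db above the noise sweep.

    threshold_db=6.0 is an assumed cutoff, not a value from the guide.
    """
    noise = parse_rtl_power(noise_text)
    signal = parse_rtl_power(signal_text)
    hits = []
    for hz in sorted(noise.keys() & signal.keys()):
        delta = signal[hz] - noise[hz]
        if delta >= threshold_db:
            # Undo the upconverter offset to report the emitted frequency.
            hits.append((hz - UPCONVERTER_OFFSET_HZ, round(delta, 1)))
    return hits


if __name__ == "__main__":
    for real_hz, delta_db in emission_bins(NOISE_CSV, SIGNAL_CSV):
        print(f"{real_hz / 1000:.0f} kHz: +{delta_db} dB over noise floor")
```

Bins missing or non-finite in either sweep are left out of the comparison rather than treated as zero.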
## Results
The antenna placed directly over the bottom left of the keyboard produces the best signal. Start here so you can clearly hear the signal and as your tuning improves, begin backing away the antenna.
I could clearly hear the signal between 63 kHz and 5.5 MHz using bandwidths between 10 kHz and 50 kHz. The best signal was 1.52 MHz at 40 kHz bandwidth, using the AM demodulator.
With this approach I achieved audible signals up to only several inches away from the M1 Mac. Not very useful for spying/exfiltration. Possible ways to improve that are below.
## Further research
*These are slightly more advanced ideas I'd like to try with a mentor. If you'd like to pick up the ball and explain how to improve with these techniques, please feel free to open a new wiki page, and ping @fulldecent in a new issue.*
* It may be possible to improve the signal by adding a low-noise amplifier between the antenna and the upconverter. I'd like to test the signal levels around these components and read specs before considering that further.
* I could not get GNU Radio to connect to the RTL-SDR V3. It could certainly create a better custom receiver for this project:
1. Wideband 2.5MHz (or, somehow, twin 5.0MHz) signal input
2. A 1,000-band equalizer based on the envelope above (see RTL Power above)
3. Demodulate with AM
4. Tight bandpass at 440 Hz (for a 440 Hz system bus signal)
* Better hardware. If you can recommend a better RTL-SDR, antenna, LNA, upconverter that might help, please let me know and I can add to my [project tip jar](https://github.com/fulldecent/system-bus-radio#system-bus-radio).
================================================
FILE: TEST-DATA.tsv
================================================
Date Tester Transmitter Receiver Software Frequency Result Recording
2016-03-01 William Entriken MacBook Air (13-inch, Early 2015) Sony STR-K670P, stock antenna _mm_stream_si128 1580 kHz 2m thru air, 1m thru drywall https://youtu.be/caGPmyMLYUI
2016-03-01 Scott Buchanan "MacBook Pro Retina 15"", early 2013" N/A _mm_stream_si128 ?m audible https://goo.gl/ll3PxH
2016-03-01 Samuel Steele MacBook Air (13-inch, Mid-2013) Onkyo HT-R550, JVC Loop antenna _mm_stream_si128 1580 kHz "2"", noisy by 6"
2016-03-01 Chris Smolinski MBP (??-inch, 2010) netSDR, ??? antenna _mm_stream_si128 Entire AM band No signal found
2016-03-01 Chris Smolinski iMac (??-inch, 2015) netSDR, ??? antenna _mm_stream_si128 Entire AM band No signal found
2016-03-01 Chris Smolinski MBP (??-inch, 2010) Sony 7600G, no antenna _mm_stream_si128 1580 kHz, Long wave 4 https://youtu.be/l8AYHnF8ZrA
2016-03-01 Chris HP ENVY 15-j142na (i7 version), Linux Icom IC-R10, ??? antenna PR #19 ?m audible https://youtu.be/TXkh1ANSFGw
2016-03-01 João Ventura MacBook Pro (15-inch, Late 2013) Tech Fuzzion, tele antenna _mm_stream_si128 1600 kHz 4 https://youtu.be/oXAeGZaka7o
2016-03-01 Elvis Pfutzenreuter MacBook (12-inch, Early 2015) Sony ICF-SW11, internal antenna _mm_stream_si128 1580 kHz 2m, recommends turning off mains & light
2016-03-01 somini Asus X201E, Linux Clock radio, internal antenna _mm_stream_si128 1580 kHz 4 https://youtu.be/Nroc2BtO6NU
2016-03-01 janka102 MacBook Pro (15-inch, Early 2011) iHome iP90, included AM antenna _mm_stream_si128 1580 kHz 8 https://youtu.be/qN9D3bxkbXk
2016-03-01 Ryan Faerman MacBook Air (11-inch, 2014) Grundid Traveler 2 Digital, internal antenna _mm_stream_si128 1600 kHz "6""-8"
2016-03-02 Tomi Salmi Mac mini (Late 2014) Sharp stereo cassette recorder WQ-T282H(GR), tele antenna _mm_stream_si128 1580 kHz "4"" noisy"
2016-03-02 Fe Yi MacBook Pro (13-inch, Early 2015) TECSUN PL-310ET, internal antenna _mm_stream_si128 1580 kHz ~10cm above keyboard
2016-03-02 Ryou Ezoe Acer ASPIRE 5750, GNU/Linux Tecsun PL-310 fm/am Stereo World Band Dsp Receiver, internal antenna PR #12 1440 kHz 30cm
2016-03-02 Yuval Adam MacBook Pro (13-inch, Mid-2010) HackRF, 125Mhz upconverter, random wire antenna _mm_stream_si128 1580 kHz No discernible signal
2016-03-02 Kyohei Takahashi MacBook Pro (Retina, 13-inch, Late 2012) KOIZUMI SAD-7701-R AM mode _mm_stream_si128 500 kHz – 1400 kHz 30cm https://youtu.be/RJlOnoK5WpQ
2016-03-02 David Haberthür "MacBook Pro Core i7 2.4 15"" Late 2011" Sony CFD-S38L _mm_stream_si128 1584 kHz 6cm
2016-03-02 Jeremy Zerfas MacBook Pro (15-inch, Mid 2012) 2.3 Sony CFS-201 boom-box, internal antenna _mm_stream_si128 Various AM channels 6'
2016-03-02 Jeremy Zerfas MacBook Pro (15-inch, Early 2008) 2.4 Yamaha RX-V675, Loop antenna nanosleep mod Various AM channels 7', definitely farther than Mid 2012 model w/ same rcvr
2016-03-02 Jeremy Zerfas Athlon II X2 240, Gigabyte GA-MA785GM-US2H, Antec FusionRemote 350 Yamaha RX-V675, Loop antenna PR #12 Various AM channels "6"" from the processor"
2016-03-02 Nipun Gunawardena MacBook Pro Retina (13-inch, Late 2013) Onkyo CR305TX, Loop antenna _mm_stream_si128 1610 kHz 85cm Other frequencies also usable when very close
2016-03-02 Masahiko Uota MacBook Pro 2.8GHz i7 15-inch Mid 2014 Sony ICF-T46, no antenna _mm_stream_si128 1300 kHz, 900 kHz 6 inches https://twitter.com/muota_here/status/704924596802342913
2016-03-02 Yuji Fujita Thinkpad X200 Sony ICF-SW100 PR #12 1363 kHz 0.5m https://youtu.be/li9hHM4NkWA
2017-07-25 Ernesto Sanchez Lenovo Thinkpad X201 INDIN BC-R28 master 1600 kHz 0.3m None
2016-03-02 Redgar Nord HP ProBook 4340s, Linux Sharp radio, whip antenna PR #12 ~1590 kHz "6-7"", very orientation dependent"
2016-03-02 Redgar Nord RaspberryPi, Linux Sharp radio, whip antenna PR #12 ~1590 kHz No signal at all
2016-03-02 Erin Pinheiro Acer Aspire E1-572-6 BR691 Generic AM radio, retractable antenna PR #12 ~1590 kHz 10-20cm Slightly noisy https://dl.dropboxusercontent.com/u/9435923/code/audio_2016-03-02_18-24-30.ogg
2016-03-02 Trevor Summerfield MacBook Pro (Retina, 15-inch, Mid 2015) Grundig G8 Traveler II Digital, Internal AM Antenna _mm_stream_si128 1580 kHz 8” above keyboard 50dbu signal, 0db SNR, audible
2016-03-05 Alessio Gerace MacBookPro Retina (13-inch, 2014) Majestic TT34CD/TP/USB _mm_stream_si128 ~1610 kHz 10/30 cm
2016-03-05 Quan Yang MacBookPro Retina (Late 2013) AR1741 Multiband Receiver Javascript 1560 khz 0.5m, more frequencies usable if charging https://youtu.be/6tM4EKUYogI
2016-03-07 Mehdi Asgari MacBook Pro Retina (13-inch, 2015) Tecsun PL680, internal whip antenna _mm_stream_si128 1610 kHz 90cm
2016-03-10 Gabriel Tremblay Cooler Master HAF 912, ASUS M5A97, AMD FX-8120, Corsair Vengeance 32GB Not known PR #12 ~1550 kHz ~20-30cm
2016-09-05 Chris Rochford Macbook Pro Retina (13-inch, 2015) Yamaha HTR-5730, loop antenna Javascript 1580 kHz 6 inches
2016-10-13 John Sampson MacBook Pro Retina (15-inch, Mid 2014) Sony ICFCS15IPN (stock antenna) _mm_stream_si128 ~1560 kHz 5 inches
2018-01-24 Philipp Hanslovsky Lenovo X1 Carbon (14-inch, 2014) Yamaha RX-V675, Loop antenna _mm_stream_si128 @ 03c3689 1590 kHz, 1600kHz 5 inches
2018-01-24 Fabian Briese Dell Inspiron 17 7000 (7737) Tevion Compact Disk Player Webbrowser (Chrome) 1560 kHz 125-150cm
2018-01-30 Troy Giorshev MacBook Air (13-inch, Early 2014) Eton Mini 300 _mm_stream_si128 1535 kHz 30cm
2020-12-17 Steven Shim MacBook Pro M1 (13-inch, 2020) Sony AM/FM Clock Radio _mm_stream_si128 1560kHz 2-3 inches from bottom right of trackpad
2022-02-01 Ilya Semichastnov MacBook Pro (16-inch, 2019) Yaesu FT-817 _mm_stream_si128 1530kHz wire antenna 50cm below the laptop
2024-01-03 Christian Mürtz MacBook Pro Late 2016 NORDMENDE - Compact Recorder 5043 K _mm_stream_si128 1550 kHz ~30cm https://www.youtube.com/watch?v=jUKchOM_TjM
2024-07-09 Noah King MacBook Late 2007 1958 Orion 10 Transistor Radio _mm_stream_si128 ~1690 kHz No antenna 10cm-1m https://www.youtube.com/watch?v=YCXruZPXfss
================================================
FILE: docs/.gitignore
================================================
/_site
Gemfile.lock
================================================
FILE: docs/Gemfile
================================================
source 'https://rubygems.org'
gem 'github-pages', group: :jekyll_plugins
================================================
FILE: docs/airgap.js
================================================
var player; // Global handle to the Web Worker (also keeps the code linter happy)

function start() { // Start Web Worker & send song data to player
    var logs = document.getElementById('progress'); // Define log element
    window.logs = logs; // Make variable global
    window.logs.value = "";

    // Create Web Worker if it doesn't already exist.
    // Assign to the global "player" (no "var" here): a function-local
    // declaration is hoisted, which made this check always true and
    // left earlier workers running with no handle to terminate them.
    if (window.Worker && typeof player == "undefined") {
        player = new Worker("worker.js");
        player.onmessage = function(event) {
            var data = event.data;
            console.log(data);
            window.logs.value += "x\n";
        };

        // Send song data to player
        var song = document.getElementById("tune").value;
        player.postMessage(song);
    }
}

function end() { // Stops the Web Worker
    window.logs.value = "";
    if (typeof player != "undefined") {
        player.terminate();
        player = undefined; // Allow start() to create a fresh worker
    }
}
================================================
FILE: docs/index.html
================================================
System Bus Radio
Tested on MacBook Air / Chrome with AM tuner at 1560 kHz. See field reports for other equipment and frequencies.
Edit the above to make any music you like. Tune file format is frequency (Hz) and time (ms).
Chrome has errors if you open this file locally (file://). Try using php -S localhost:8000 or similar for a quick web server.