system-bus-radio

by fulldecent

fulldecent / system-bus-radio

Transmits AM radio on computers without radio transmitting hardware.

5.0K Stars 370 Forks Last release: almost 4 years ago (1.0.0) MIT License 137 Commits 1 Releases

Available items

No Items, yet!

The developer of this repository has not created any items for sale yet. Need a bug fixed? Help with integration? A different license? Create a request here:

System Bus Radio

This program transmits radio on computers / phones without radio transmitting hardware.

:wine_glass: Project tip jar: https://amazon.com/hz/wishlist/ls/EE78A23EEGQB

Why?

Some computers are intentionally disconnected from the rest of the world. This includes having their internet, wireless, bluetooth, USB, external file storage and audio capabilities removed. This is called "air gapping". Even in such a situation, this program can transmit radio.

Publicly available documents already discuss exfiltration from secured systems using various electromagnetic radiations. This is documented in the TEMPEST guidelines published by the US National Security Agency and the US Department of Defense. This project simply adds to that discussion.

How to use it

NEW: Try it without compiling anything, click here: http://fulldecent.github.io/system-bus-radio/

Enter the

Using _mm_stream_si128
folder and compile using
make
. (There are also other flavors you can
make
and try in different folders!)
make

Run this using a 2015 model MacBook Air. Then use a Sony STR-K670P radio receiver with the included antenna and tune it to 1580 kHz on AM.

You should hear the "Mary Had a Little Lamb" tune playing repeatedly. Other equipment and tuning may work as well. On the equipment above, the author has achieved clear transmission over two meters of open air or one meter through drywall. Different results will be achievable with different equipment.

Are you using an antenna? At the beginning, the author placed the antenna directly on top of the number 4 key and that worked best (on any AM frequency). It was a round antenna. Then once they knew it worked they moved the antenna back. Moving it back reduced the number of frequencies that it worked on, and eventually only that one (1580 kHz) worked. Different hardware will certainly have different frequency response. Here are some results that have been sent in by readers. Please mail [email protected] with your results (including makes and models of all equipment involved) or edit this file directly and create a pull request.

Technical Explanation

This program runs instructions on the computer that cause electromagnetic radiation. The emissions are of a broad frequency range. To be accepted by the radio, those frequencies must:

  • Be emitted by the computer processor and other subsystems
  • Escape the computer shielding
  • Pass through the air or other obstructions
  • Be accepted by the antenna
  • Be selected by the receiver

By trial and error, the above frequency was found to be ideal for that equipment. If somebody would like to send a SDR that is capable of receiving 100 kHz and up then other frequencies could be tested.

The actual emissions are caused by the

_mm_stream_si128
instruction that writes through to a memory address. Inspiration for using this instruction was provided in:

Guri, M., Kachlon, A., Hasson, O., Kedma, G., Mirsky, Y. and Elovici, Y., 2015. GSMem: data exfiltration from air-gapped computers over GSM frequencies. In 24th USENIX Security Symposium (USENIX Security 15) (pp. 849-864).

https://www.usenix.org/node/190937

Please note that replacing

_mm_stream_si128
with a simple
x++;
will work too. The author's experience has been that
_mm_stream_si128
produces a stronger signal. There may be other ideas that work even better, and it would be nice to improve this method to be more portable (not require SSE extensions).

The program uses square wave modulation, which is depicted below:

||
|                                              |
|‾|_|‾|_|‾|_____________|‾|_|‾|_|‾|_____________
|                       |   |   |
||   |   |
                            |   |
                            || CARRIER

Notes on high precision time APIs:

  • Get current time
    • machabsolutetime() gives time in int64_t of nanoseconds
    • Converting to nanoseconds https://developer.apple.com/library/mac/qa/qa1398/_index.html
    • Declared https://opensource.apple.com/source/xnu/xnu-1456.1.26/osfmk/mach/mach_time.h
    • Definition https://opensource.apple.com/source/Libc/Libc-320/i386/mach/machabsolutetime.c
    • clockgettime() gives a machtimespect time
    • Called from machabsolutetime()
    • machtimespect
    • Type documentation https://developer.apple.com/library/mac/documentation/Darwin/Conceptual/KernelProgramming/services/services.html
    • Declaration https://opensource.apple.com/source/xnu/xnu-1456.1.26/osfmk/mach/clock_types.h
    • http://stackoverflow.com/a/21352348/300224
    • https://stackoverflow.com/questions/5167269/clock-gettime-alternative-in-mac-os-x
  • Sleep
    • machwaituntil()
    • Notes https://developer.apple.com/library/ios/technotes/tn2169/_index.html
    • nanosleep()
    • Apple doc https://developer.apple.com/library/mac/documentation/Darwin/Reference/ManPages/man2/nanosleep.2.html
    • Definition https://opensource.apple.com/source/Libc/Libc-320.1.3/gen/nanosleep.c?txt
    • clocksleeptrap()
    • Used from nanosleep()
    • Declared https://opensource.apple.com/source/xnu/xnu-1456.1.26/osfmk/mach/mach_traps.h
    • Definition http://unix.superglobalmegacorp.com/xnu/newsrc/osfmk/kern/clock.c.html
    • Uses clocksleepinternal()
    • Uses ADDMACHTIMESPEC
    • clock type constants https://opensource.apple.com/source/xnu/xnu-1456.1.26/osfmk/mach/clock_types.h?txt
    • TIME_ABSOLUTE
    • TIME_RELATIVE
    • Defines ADDMACHTIMESPEC(t1, t2) // t1 += t2
    • Defines CMPMACHTIMESPEC(t1, t2) // t1 <=> t2, also (t1 - t2) in nsec with max of +- 1 sec
    • msleep() https://developer.apple.com/library/mac/documentation/Darwin/Conceptual/KernelProgramming/services/services.html
    • time/timer.c / http://lxr.free-electrons.com/source/kernel/time/timer.c#L1673
    • kern/clock.h https://opensource.apple.com/source/xnu/xnu-1456.1.26/osfmk/kern/clock.h

Press coverage

  • http://hardware.slashdot.org/story/16/03/01/1727226/microcasting-color-tv-by-abusing-a-wi-fi-chip
  • http://news.softpedia.com/news/emitting-radio-waves-from-a-computer-with-no-radio-transmitting-hardware-501260.shtml

We use cookies. If you continue to browse the site, you agree to the use of cookies. For more information on our use of cookies please see our Privacy Policy.