Airplanes constantly broadcast unencrypted ADS-B signals at 1090 MHz, see how we captured and interpreted that data with dump1090 and BladeRF
The post SDR (Signals Intelligence) for Hackers: Capturing Aircraft Signals first appeared on Hackers Arise.
Welcome back, my aspiring cyberwarriors!
Every few minutes an airplane may fly over your head, maybe more than one. If you live close to an airport, the air traffic in your area is especially heavy. Services like Flightradar24 show information about aircraft in the air with surprising accuracy because they get data using the ADS-B protocol. You can collect that data yourself, and here we will show how.
Of course, everyone has flown on a plane or at least seen one. These large metal birds circle the globe and carry hundreds of millions of people to different parts of the world. That wasn’t always the case. Just 100 years ago people mostly moved by land and there were no highly reliable flying machines. After planes were invented and commercial flights began, it became clear that we needed a way to track aircraft in the sky, otherwise accidents would be unavoidable. Radar and visual observation are not enough for this, so radio communication came into use. Now every aircraft has an aviation transponder on board. It makes life much easier for dispatchers and pilots, as the aircraft sends data from onboard sensors and receives instructions from the ground while in flight.
Put simply, an aviation transponder is a two-way radio device that does two things:
1. Answers queries from ground stations: when an air traffic controller requests data, the transponder replies automatically. A query for data is also called interrogation.
2. Acts as an airborne radio beacon: in this mode the transponder periodically broadcasts information about itself, for example position or speed.
Modes
There are different generations or modes of transponders. Each was created for different purposes and has its own signal structure. Although newer modes keep the features of the older ones, the signal protocols are not mutually compatible. There are five main modes:
1. Mode A: transmits only the aircraft’s identification code. This code can be hard-programmed into the transponder or assigned by the dispatcher before flight. In practice Mode A was mostly used to track which aircraft was at which airport.
2. Mode C: developed later, it allowed tracking not only the aircraft ID but also flight altitude. Its main advantage was that altitude could be obtained automatically without asking the pilot.
3. Mode S: this is the modern mode used on about 99% of all aircraft today. It allows not only reading sensor data from the aircraft but also sending data back to the plane. In Mode S an aircraft has full two-way communication with ground stations. ADS-B, which we will look at today, is part of this mode.
4. Mode 4 and Mode 5: these are more advanced but used only by the military. Both are much better protected (that is, they have some security, unlike the older modes), so they are not something we can play with.
A careful reader will notice we did not include Mode B or Mode D in the list. Both existed only briefly, so it makes little sense to discuss them here.
ADS-B
If you read the description of Mode S closely, you’ll notice that Mode S messages are normally sent by the transponder in response to a ground station query. All of them except ADS-B. ADS-B stands for Automatic Dependent Surveillance Broadcast. In plain English that means it is an automatic flight-tracking system. The word “Broadcast” means the messages are sent out to everyone, not to a specific recipient, and that lets us receive them.
Many people treat ADS-B as a separate transponder mode on the same level as Mode A, C, or S, but actually ADS-B is just a part of Mode S. An ADS-B message is simply a Mode S message with type 17.
Types of Mode S messages
We will focus on ADS-B (type 17) in this article, but it helps to know about other Mode S message types for context:
All-call reply (type 11): the transponder replies to a ground interrogation with a unique 24-bit identifier. This number is usually programmed at the factory and does not change, although in military contexts it may be altered.
ACAS short and long replies (type 0/16): messages used by collision-avoidance systems. If a transponder detects another aircraft nearby it will send alerts to other systems that can prevent a mid-air collision.
Altitude and identity replies (type 4/5): messages containing altitude and the call sign (the so-called squawk code that the pilot enters before flight).
Comm-B (type 20/21): messages with readings from onboard sensors, planned route, and other data useful for aircraft control.
ACAS is especially clever in how it works, but discussing it in detail would take us beyond this article.
All Mode S transmissions to aircraft use 1030 MHz (uplink), and transmissions from aircraft to the ground use 1090 MHz.
The radio transmission itself is not encrypted. It carries a lot of useful information about the aircraft’s position, altitude, speed, and other parameters. That is how services like Flightradar24 started making aircraft information available to everyone for free. These services collect data from many sensors installed by volunteers around the world. You can become one of those volunteers too. All you need is to sign up and get a receiver from a service operator for installation.
Physical structure of the signal
ADS-B signals are transmitted by aircraft on 1090 MHz, just like the other Mode S signals. The other frequency, 1030 MHz (uplink), is not needed for ADS-B because ADS-B transmissions are sent without being asked.
Pulse-Position Modulation (PPM) is used to encode the signal. In basic terms, the transmitter sends bits over the air that can be read by sampling the signal every N microseconds. On ADS-B each bit lasts 0.5 microseconds, so you can sample every 0.5 μs, see whether the signal level is high or low at each moment, record that, then convert the result into bytes to reconstruct the original message. That’s the theory, in practice it’s more challenging.
Packet structure
If you take the raw sampled data you first get a bit of a mess that must be parsed to extract useful information. The messages themselves have a clear structure, so if you can find repeated parts in the data stream you can reconstruct the whole packet. A packet consists of a preamble and the data payload. The preamble lasts 8 μs, and then the data follows for either 56 or 112 μs.
The preamble is especially important because all aircraft transmit on the same frequency and their signals can arrive at the receiver at the same time. Loss of overlapping signals is handled simply: if a receiver fails to catch a message, some other receiver will. There are many receivers and they cover all inhabited land on Earth, so if a particular signal is too weak for one receiver it will be loud enough for another. This approach doesn’t guarantee every single signal will be caught, but ADS-B messages are transmitted repeatedly, so losing some packets is not a disaster.
We already said each bit is encoded as 0.5 μs, but to make reception easier a convention was introduced where one real bit is encoded using two half-microsecond elements. A logical one is encoded as “1 then 0”, and a logical zero as “0 then 1”. For example, data bits 1011 would be transmitted as 10011010. This does not complicate the receiver much, but it protects against noise and makes the signal more reliable. Without this doubling, a sequence of zeros would look like silence. With it the receiver always detects activity, even when zeros are sent.
Structure of useful data
Suppose we decoded the signal and found a message. Now we need to decode the payload and filter out unwanted messages (that is, all Mode S messages except ADS-B).
The ADS-B message length we care about is 112 μs, which corresponds to 112 bits (thanks to the two-half-microsecond coding!). The message divides into five main blocks:
1. DF (Downlink Format) – the format code, 5 bits. For ADS-B this is always 17.
2. CA (Transponder capability) – type of transponder and its capability level, 3 bits. This tells a controller what data can be requested from this transponder. This field can be 0, 4, 5, or 6. Values 1–3 and 7 are reserved for future use. 0 means a first-level transponder, usually without ACAS. 4 means a second-level (or higher) transponder that can send altitude (i.e., supports Mode C and Mode S) but does not have ACAS. 5 and 6 are like 4 but with ACAS support: 6 indicates ACAS may be enabled, 5 indicates ACAS may be present but disabled.
3. ICAO — unique aircraft number, 24 bits. This number identifies the signal sender. It is typically programmed once at the factory and does not change during operation, although some people know how to change it. Military transponders follow different rules, so anything can happen there.
4. ME (Message) – the actual payload with data about altitude, speed, or other information. Length is 56 bits. We will look at this block in detail below.
5. PI (Parity/Interrogator ID) – checksum, 24 bits.
The ME field
The ME field is the most interesting part for us because it carries coordinates, speed, altitude, and other data from onboard sensors. Since 56 bits are not enough to carry all possible data at once, each message has a type indicated by the first five bits of ME. In other words, there is a nested format: Mode S uses a certain message type to indicate ADS-B, and ADS-B uses its own internal type to say what data is inside.
ADS-B defines 31 data types in total, but we will review only the main ones.
Type 1-4: identification messages. They contain the call sign and other registration/identification information (for example, whether this is a light aircraft or a heavy one). These call signs are shown on airport displays and usually reflect the flight number. A decoded message looks approximately like this:
Type 5-8: ground position. These messages are used to know where and on which runway the aircraft is located. The message may include latitude, longitude, speed, and heading. Example decoded message:
Type 9-19: airborne position (usually transmitted together with altitude). It is important to understand that you will not always find latitude and longitude in the usual long numeric form in these messages, instead a compact notation is used.
Type 19: aircraft velocity.
We could go bit-by-bit through the structure of each message, but that takes a long time. If you are really interested you can find ready ADS-B parsers on GitHub and inspect the formats there. For our purpose, however, diving deeper into the protocol’s details isn’t necessary right now, because we are not going to transmit anything yet.
CPR or how to make a simple thing more complex
To describe a location, we usually use latitude and longitude. A 32-bit floating number can store them with about seven decimal places, which is accurate down to a few centimeters. If we don’t need that much detail and are fine with accuracy of just tens of centimeters, both latitude and longitude together could be stored in about 56 bits. That would have been enough, and there would be no need for special “compressed” coordinate tricks. Since an airplane moves at more than 100 meters per second, centimeter-level accuracy is useless anyway. This makes it strange why the protocol designers still chose the compact method.
CPR (Compact Position Reporting) is designed specifically to send coordinates compactly. Part of CPR was already visible in the coordinate example earlier. Because it’s impossible to compress a lot of data into a small field without loss, the designers split the data into parts and send them in two passes with packets labeled “even” and “odd”. How do we recover normal coordinates from this? We will show the idea.
Imagine all aircraft flying in a 2D plane. Divide that plane into two different grids and call them the even grid and the odd grid. Make the even grid 4×4 and the odd grid 5×5. Suppose we want to transmit a position that in a 16×16 grid is at (9, 7). If we had one grid we would just send 9 and 7 and an operator could locate us on the map. In CPR there are two grids, though.
In these grids we would represent our position (9, 7) as (1, 3) on the even grid and (4, 2) on the odd grid. When an operator receives both messages, they must align the two grids.
If you overlay the grids with the received coordinates, the point of intersection is the true location.
We described the algorithm without math so you can imagine how coordinates are reconstructed from two parts. The real grids are far more complex than our toy example and look like the image below.
A simple way to receive ADS-B
Now that we understand the main parts of the protocol, we can try to receive a real signal. To receive any such signal you need three basic things: an antenna, a receiver, and a PC.
Antenna
Start with the most important item, which is the antenna. The choice depends on many factors, including frequency, directionality of the signal, and the environment where it travels. Our signal is transmitted at 1090 MHz, and we will receive it outdoors. The simplest antenna (but not the most efficient) is a straight rod (a monopole). You can make such an antenna from a piece of wire. The main thing is to calculate the right length. Antenna length depends on the wavelength of the signal you want to receive. Wavelength is the distance between two neighboring “peaks” of the wave.
Lambda (λ) is the wavelength. You get it from frequency with the formula λ = C / f, where C is the speed of light and f is the signal frequency. For 1090 MHz it is about 27.5 cm. If you take a metal rod of that length you get a full-wave antenna, which you can safely shorten by half or by four to get a half-wave or quarter-wave antenna, respectively. These different designs have different sensitivity, so I recommend a half-wave antenna, which should be roughly 13.75 cm long.
We won’t build our own antenna here. It is not the simplest task and we already had a suitable antenna. You might use radio handheld antennas if you receive outdoors and there isn’t too much interference. We use a simple vertical coil-loaded whip antenna. It behaves like a whip but is shorter because of the coil.
You can measure antenna characteristics with a special vector network analyzer that generates different frequencies and checks how the antenna reacts.
The output from NanoVNA looks complicated at first, but it’s simple to interpret. To know if an antenna suits a particular frequency, look at the yellow SWR line. SWR stands for standing wave ratio. This shows what part of the signal the antenna radiates into the air and what part returns. The less signal that returns, the better the antenna works at that frequency. On the device we set marker 1 to 1090 MHz and SWR there was 1.73, which is quite good. Typically an antenna is considered good if SWR is about 1 (and not more than 2).
Receiver
For the receiver we will use an SDR dongle. It’s basically a radio controlled by software rather than a mechanical dial like old receivers. Any SDR adapter will work for ADS-B reception, from the cheap RTL-SDR to expensive devices like BladeRF. Cheap options start around $30, so anyone can get involved. We will use a BladeRF micro, as it supports a wide frequency range and a high sampling rate.
Putting it all together
Once you have an antenna and an SDR, find a place with few obstructions and low interference. We simply drove about ten kilometers out of town. Signals near 1 GHz (which includes ADS-B) don’t travel much past the horizon, so if you don’t live near an airport and there are obstacles around you may not catch anything.
To inspect the radio spectrum we use GQRX. This program is available for Linux and macOS. On Windows we recommend SDR#. In Ubuntu GQRX can be installed from the standard repositories:
bash$ > sudo apt update
bash$ > sudo apt install -y gqrx
Then increase the volume, select your SDR as the input source, and press the large Start button. If everything is set up correctly, your speakers will start hissing loudly enough to make you jump, after which you can mute the sound with the Mute button in the lower right corner.
You can choose the receive frequency at the top of the screen, so set it to 1.090.000, which equals 1090 MHz. After that you will see something like the screenshot below.
The short vertical strips near the center are ADS-B signals, which stand out from the background noise. If you don’t see them, try changing the gain settings on the Input Controls tab on the right. If that does not help, open FFT Settings and adjust the Plot and WF parameters. You can also try rotating the antenna or placing it in different orientations.
dump1090
When you get stable reception in GQRX you can move to the next step.
In practice, people who want to receive and decode Mode S signals usually use an existing program. A common open-source tool demodulates and decodes almost all Mode S signals and even outputs them in a neat table. To verify that our setup works correctly, it’s best to start with something that’s known to work, which is dump1090.
To install it, clone the repository from GitHub and build the binary. It’s very simple:
bash$ > git clone https://github.com/antirez/dump1090
bash$ > cd dump1090
bash$ > make
After that you should have the binary. If you have an RTL-SDR you can use dump1090 directly with it, but we have a BladeRF which requires a bit more work for support.
First, install the driver for your SDR. Drivers are available in the repositories of most distributions, just search for them. Second, you will need to flash special firmware onto the SDR. For BladeRF those firmware files are available on the Nuand website. Choose the file that matches your BladeRF version.
Next, download and build the decoding program for your SDR:
git clone https://github.com/Nuand/bladeRF-adsb
cd bladeRF-adsb/bladeRF_adsb
make
Then flash the firmware into the BladeRF. You can do this with the bladerf-cli package:
bash$ > bladeRF-cli -l ~/Downloads/adsbxA4.rbf
Now run dump1090 in one terminal and bladeRF-adsb in another (the commands below are examples from our setup):
bash$ > ~/Soft/dump1090/dump1090 --raw --device-type bladerf --bladerf-fpga ' '
bash$ > ~/Soft/Blade/bladeRF-adsb
If everything is correct, in the dump1090 window you will see many hexadecimal lines, those are Mode S messages that still need to be decoded and filtered.
If you remove --raw from the dump1090 startup arguments, the program will automatically decode messages and display them in a table.
Summary
Now you’ve seen how aircraft transponders work, what ADS-B actually is, and how signals at 1090 MHz can be received and decoded with simple equipment. None of this requires expensive tools, just an antenna, a software-defined radio and some patience. Once it’s ready, you can watch the same kind of live flight data that powers big services like Flightradar24. We kept the heavy math out of the way so it stays approachable for everyone, but still leaves you with something useful to take away. It’s possible to push yourself further and do it the hard way without relying on tools like dump1090, but that path takes a lot more time, patience, and willingness to grind through the details.
The post SDR (Signals Intelligence) for Hackers: Capturing Aircraft Signals first appeared on Hackers Arise.
Source: HackersArise
Source Link: https://hackers-arise.com/sdr-signals-intelligence-for-hackers-capturing-aircraft-signals/