Skip to content

Commit

Permalink
First version
Browse files Browse the repository at this point in the history
  • Loading branch information
fulldecent committed Feb 29, 2016
1 parent 45261fb commit ec00d94
Show file tree
Hide file tree
Showing 2 changed files with 161 additions and 1 deletion.
84 changes: 83 additions & 1 deletion README.md
Original file line number Diff line number Diff line change
@@ -1,2 +1,84 @@
# system-bus-radio
System Bus Radio
==================
This program transmits radio on computers without radio transmitting hardware.

Why?
------------------
Some computers are intentionally disconnected from the rest of the world. This includes having their internet, wireless, bluetooth, USB, external file storage and audio capabilities removed. This is called "air gapping". Even in such a situation, this program can transmit radio.

Publicly available documents already discuss exfiltration from secured systems using various electromagnetic radiations. This is documented in the TEMPEST guidelines published by the US National Security Agency and the US Department of Defense. This project simply adds to that discussion.

How to Use It
------------------
Compile the problem using:

gcc main.c -Wall -O2 -o main

And run it on an Apple MacBook Air (13-inch, Early 2015):

./main

Then use a Sony STR-K670P radio receiver with the included antenna and tune it to 1580 kHz on AM.

You should hear the "Mary Had a Little Lamb" song playing repeatedly. Other equipment and tuning may work as well. On the equipment above, the author has achieved clear transmission over two meters of open air or one meter through drywall. Different results will be achievable with different equipment. Please send your results to [email protected]

Technical Explanation
------------------
Instructions in this program cause electromagnetic radiation to emit from the computer. The emissions are of a broad frequency range. To be accepted by the radio, those frequencies must:

* Be emitted by the computer processor and other subsystems
* Escape the computer shielding
* Pass through the air or other obstructions
* Be accepted by the antenna
* Be selected by the receiver

By trial and error, the above frequency was found to be ideal for that equipment. If somebody would like to send me a SDR that is capable of receiving 100 kHz and up then I could test other frequencies.

The actual emissions are caused by the `_mm_stream_si128` instruction that writes through to a memory address. Inspiration for using this instruction was provided in:

> Guri, M., Kachlon, A., Hasson, O., Kedma, G., Mirsky, Y. and Elovici, Y., 2015. GSMem: data exfiltration from air-gapped computers over GSM frequencies. In 24th USENIX Security Symposium (USENIX Security 15) (pp. 849-864).
The program uses square wave modulation, which is depicted below:

```
|<--------------------TIME-------------------->|
| |
|‾|_|‾|_|‾|_____________|‾|_|‾|_|‾|_____________
| | | |
|<------SIGNAL--------->| | |
| |
|<->| CARRIER
```

Notes on high precision time APIs for Mac:

* Get current time
* mach_absolute_time() gives time in int64_t of nanoseconds
* Converting to nanoseconds https://developer.apple.com/library/mac/qa/qa1398/_index.html
* Declared https://opensource.apple.com/source/xnu/xnu-1456.1.26/osfmk/mach/mach_time.h
* Definition https://opensource.apple.com/source/Libc/Libc-320/i386/mach/mach_absolute_time.c
* clock_get_time() gives a mach_timespec_t time
* Called from mach_absolute_time()
* mach_timespec_t
* Type documentation https://developer.apple.com/library/mac/documentation/Darwin/Conceptual/KernelProgramming/services/services.html
* Declaration https://opensource.apple.com/source/xnu/xnu-1456.1.26/osfmk/mach/clock_types.h
* http://stackoverflow.com/a/21352348/300224
* https://stackoverflow.com/questions/5167269/clock-gettime-alternative-in-mac-os-x
* Sleep
* nanosleep()
* Apple doc https://developer.apple.com/library/mac/documentation/Darwin/Reference/ManPages/man2/nanosleep.2.html
* Definition https://opensource.apple.com/source/Libc/Libc-320.1.3/gen/nanosleep.c?txt
* clock_sleep_trap()
* Used from nanosleep()
* Declared https://opensource.apple.com/source/xnu/xnu-1456.1.26/osfmk/mach/mach_traps.h
* Definition http://unix.superglobalmegacorp.com/xnu/newsrc/osfmk/kern/clock.c.html
* Uses clock_sleep_internal()
* Uses ADD_MACH_TIMESPEC
* clock type constants https://opensource.apple.com/source/xnu/xnu-1456.1.26/osfmk/mach/clock_types.h?txt
* TIME_ABSOLUTE
* TIME_RELATIVE
* Defines ADD_MACH_TIMESPEC(t1, t2) // t1 += t2
* Defines CMP_MACH_TIMESPEC(t1, t2) // t1 <=> t2, also (t1 - t2) in nsec with max of +- 1 sec
* msleep() https://developer.apple.com/library/mac/documentation/Darwin/Conceptual/KernelProgramming/services/services.html
* time/timer.c / http://lxr.free-electrons.com/source/kernel/time/timer.c#L1673
* kern/clock.h https://opensource.apple.com/source/xnu/xnu-1456.1.26/osfmk/kern/clock.h
78 changes: 78 additions & 0 deletions main.c
Original file line number Diff line number Diff line change
@@ -0,0 +1,78 @@
// SYSTEM BUS RADIO
// https://github.com/fulldecent/system-bus-radio
// Copyright 2016 William Entriken

#include <stdio.h>
#include <emmintrin.h>
#include <mach/mach_traps.h>
#include <mach/mach_time.h>
#include <math.h>

__m128i reg;
__m128i reg_zero;
__m128i reg_one;
mach_port_t clock_port;
mach_timespec_t remain;

static inline void square_am_signal(float time, float frequency) {
printf("Playing / %0.3f seconds / %4.0f Hz\n", time, frequency);
uint64_t period = NSEC_PER_SEC / frequency;

uint64_t start = mach_absolute_time();
uint64_t end = start + time * NSEC_PER_SEC;

while (mach_absolute_time() < end) {
uint64_t mid = start + period / 2;
uint64_t reset = start + period;
while (mach_absolute_time() < mid) {
_mm_stream_si128(&reg, reg_one);
_mm_stream_si128(&reg, reg_zero);
}
clock_sleep_trap(clock_port, TIME_ABSOLUTE, reset / NSEC_PER_SEC, reset % NSEC_PER_SEC, &remain);
start = reset;
}
}

int main()
{
mach_timebase_info_data_t theTimeBaseInfo;
mach_timebase_info(&theTimeBaseInfo);
puts("TESTING TIME BASE: the following should be 1 / 1");
printf(" Mach base: %u / %u nanoseconds\n\n", theTimeBaseInfo.numer, theTimeBaseInfo.denom);

uint64_t start = mach_absolute_time();
uint64_t end = mach_absolute_time();
printf("TESTING TIME TO EXECUTE mach_absolute_time()\n Result: %lld nanoseconds\n\n", end - start);

reg_zero = _mm_set_epi32(0, 0, 0, 0);
reg_one = _mm_set_epi32(-1, -1, -1, -1);

while (1) {
square_am_signal(0.400, 2673);
square_am_signal(0.400, 2349);
square_am_signal(0.400, 2093);
square_am_signal(0.400, 2349);
square_am_signal(0.400, 2673);
square_am_signal(0.400, 2673);
square_am_signal(0.790, 2673);
square_am_signal(0.400, 2349);
square_am_signal(0.400, 2349);
square_am_signal(0.790, 2349);
square_am_signal(0.400, 2673);
square_am_signal(0.400, 3136);
square_am_signal(0.790, 3136);
square_am_signal(0.400, 2673);
square_am_signal(0.400, 2349);
square_am_signal(0.400, 2093);
square_am_signal(0.400, 2349);
square_am_signal(0.400, 2673);
square_am_signal(0.400, 2673);
square_am_signal(0.400, 2673);
square_am_signal(0.400, 2673);
square_am_signal(0.400, 2349);
square_am_signal(0.400, 2349);
square_am_signal(0.400, 2673);
square_am_signal(0.400, 2349);
square_am_signal(0.790, 2093);
}
}

0 comments on commit ec00d94

Please sign in to comment.