Loftek LK5200 as an rtl-sdr server

The sacrificial offering.

I have had this router sitting in a bag for approximately 4 years. About 2 years ago, I had the idea that it would be a good platform to try to build a pineapple if it supported OpenWRT as I had already done a TP-Link MR3020 to be one, and the Loftek had a built in battery, making it easier to deploy. I went through various attempts to find a way to install OpenWRT on the device to no avail. I finally came back to the LK5200 today, and decided to dig a little deeper. To start with today, I opened the case.

You can see its bare circuits

An AR9331-AL1A is the processor that this device uses. Well, we know that it is an ARM processor, and it is very similar to the one in the MR-3020 (exactly the same as the V1.8 of the hardware). This bodes well for me. Before I go and attempt to flash this though, let’s see what else I can find out about the device. Connecting the router to my network, the default is to not use DHCP and instead assign itself a static IP of 192.168.168.1, so I’ll use that address and run an nmap scan on it with “nmap 192.168.168.1 -vv”. The image below shows the results.

Hmmm. These look normal. Almost.

This gives us a listing of all of the open ports. Port 53 is a DNS server (expected), port 80 is the admin interface webserver (expected), ports 139 and 445 are used for Samba shares (expected, as there is a USB port for file sharing on the network), and port 8181 is … Wait, what is that? It’s up in the non-privileged area. Most times I’ve come across this port it’s another webserver. Let’s try and get to it in the browser.

Odd, it looks like a command prompt and a banner for OpenWRT.

That is interesting. It seems as if the Loftek LK5200 is already running OpenWRT. Let’s try connecting to the same address and port with telnet using “telnet 192.168.168.1 8181”.

Well, that was easier than I thought it would be.

Now I have access to the root shell on the router. First thing to do is update the package listing because I don’t believe it has ever been done. This is accomplished with “opkg update”. Once done, I install rtl_sdr with “opkg install rtl_sdr”. This installed all of the tools for using my NESDR Smart as an SDR receiver. One last thing to do is blacklist the original driver built into the kernel. On this device there was no /etc/modprobe.d/ folder, so it had to be created with “mkdir /etc/modprobe.d/”. Then we needed to create the blacklist.conf file underneath the directory we had just created. To do this use “echo “blacklist dvb_usb_rtl28xxu” >> /etc/modprobe.d/blacklist.conf”. This command appends what is inside the quotes to the file “blacklist.conf” in the directory “/etc/modprobe.d/”.

A simple reboot later, and we can plug in our USB SDR stick, log in over telnet as before and run the rtl_tcp program to feed the data to another device on the network. This is accomplished with “rtl_tcp -a 192.168.168.1”. This command effectively creates a server that feeds the data received by the SDR to another machine on the network. The -a in the command tells rtl_tcp which address to serve it on. Now we can load up whatever our preferred application is to view the stream (which for me is GQRX). If it’s your first time loading GQRX, you will be greeted by this screen, which should be filled in thusly.
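The router-side steps above, collected into one script as an added example (this is not the author's script or anything shipped by OpenWRT). It is written for the BusyBox shell on the LK5200 and assumes opkg and rtl_tcp are present as the post describes; the LAN address 192.168.168.1 is the device default quoted above. The blacklist step is made re-runnable, since the bare “echo >>” in the post adds a duplicate line every time it is repeated.

```shell
#!/bin/sh
# Added example: LK5200/OpenWRT setup from the post, made idempotent.
# Assumes: opkg and rtl_tcp available; LAN address 192.168.168.1 as in the post.
set -eu

MODPROBE_DIR="${MODPROBE_DIR:-/etc/modprobe.d}"
LAN_ADDR="${LAN_ADDR:-192.168.168.1}"

# Append "blacklist <module>" to <dir>/blacklist.conf, creating the directory
# first (the post notes /etc/modprobe.d/ did not exist on this router).
# Re-running it does not duplicate the line.
ensure_blacklisted() {
    dir="$1"; module="$2"
    conf="$dir/blacklist.conf"
    mkdir -p "$dir"
    touch "$conf"
    if ! grep -qx "blacklist $module" "$conf"; then
        echo "blacklist $module" >> "$conf"
    fi
}

# Number of times a module is blacklisted in <dir>/blacklist.conf
# (used to confirm the function above stays idempotent).
blacklist_count() {
    grep -cx "blacklist $1" "$2/blacklist.conf" || true
}

install_sdr_tools() {
    opkg update
    opkg install rtl_sdr
}

# rtl_tcp has no authentication of its own, so bind it (-a) to the single LAN
# address the client will use rather than to every interface on the router.
serve_sdr() {
    rtl_tcp -a "$1"
}

# "sh lk5200_sdr.sh install" before the reboot, "sh lk5200_sdr.sh serve" after;
# with no argument the file only defines the functions.
case "${1:-}" in
    install)
        install_sdr_tools
        ensure_blacklisted "$MODPROBE_DIR" dvb_usb_rtl28xxu
        echo "driver blacklisted; reboot, plug in the SDR, then run: $0 serve"
        ;;
    serve)
        serve_sdr "$LAN_ADDR"
        ;;
esac
```

The only part worth pointing out is the bind address: the post already passes -a with the LAN address, and keeping that rather than 0.0.0.0 is what stops the raw sample stream from being offered on any other interface the router happens to have.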

Look at all the numbers!

After clicking OK, you may then press the play button and search the waterfall for interesting things.

This is definitely an interesting thing.

POCSAG on the Raspberry Pi

Back in October of 2018, almost immediately after being laid off, I finally achieved a long time goal of getting my ticket punched. Since then I have been a proud owner of a general class amateur radio license. While I greatly enjoy being able to broadcast, passively listening to all of the devices around me has become something of a passion. While the FCC license is not required to listen, studying for the exam shored up my knowledge on antenna theory and provided a path to build my own antennas tuned to the frequencies I wished to capture.

Over the past weekend, an interesting topic arose. Medical/emergency pagers are still used nationwide: can we receive these signals and decode them using an approximately $20 RTL-SDR adapter? Some quick research revealed that the software exists, and it is incredibly easy to do. Let’s get started. I am starting out with a fresh install of Raspbian Stretch Lite available at https://www.raspberrypi.org/downloads/raspbian/ , a Raspberry Pi Model 2, and the NooElec NESDR Smart. The same process can be done with any variation of the Raspberry Pi, though you will most likely require a powered USB hub to use the SDR.

I won’t go into the details of writing the image to an SD card, nor setting up the Pi to be accessed headless with networking enabled on first boot, as that has been covered more times than I care to count, although I do need to look up the formatting of the wpa_supplicant file on each new install (note: keep a copy for future use).

After the initial boot and required resizing of the file system, log in over ssh without having the SDR plugged in. As always, we want to update our fresh install so that we aren’t pulling in outdated packages. Connect via SSH and update. This is done with “sudo apt update && sudo apt upgrade -y && sudo apt dist-upgrade -y”. Sit back, relax, and wait approximately 20 minutes for this all to complete.

Once the updates are complete, I like the first thing I install to be screen. This allows me to continue where I left off, even if my WiFi drops for some reason. The key thing is to remember to launch “screen” on login, and if disconnected use “screen -r” on re-connection. This will allow the install to continue if you get disconnected.

The next step is to install all of the software required to build our packages. Some distributions may include multimon-ng as a download in their package manager, however I like to have the bleeding edge version and this means compiling from source. Let’s go ahead and install all of the packages that we will need to run everything. To install the prerequisites, type “sudo apt install git cmake build-essential libusb-1.0 qt4-qmake libpulse-dev libx11-dev qt4-default -y”. Sit back and await completion of the install.

Once this is done, we can get to the fun part. Create a new directory in your home folder to hold all of the source code you will be getting. This can be called sdr, source, src, or whatever you like. I’m going to use source, because I like descriptive names. To make the directory and enter it in one line, use “mkdir ~/source && cd ~/source”.

Next we are going to build our rtl-sdr drivers and blacklist the default ones built into the kernel. The source code for the rtl-sdr driver we want to use, as well as some additional useful programs for providing a raw data stream from the SDR, is available at https://github.com/osmocom/rtl-sdr. To pull it to our Pi easily we use “git clone https://github.com/osmocom/rtl-sdr”. Things will happen and when done, a new folder appears called rtl-sdr. Next, change to the rtl-sdr directory with “cd rtl-sdr” and make and change into a new directory called build with “mkdir build && cd build”. Now inside the build directory we can use cmake to create a makefile; this is done with the command “cmake ../ -DINSTALL_UDEV_RULES=ON”. The -DINSTALL_UDEV_RULES=ON tells cmake to create a makefile that will include udev rules for our adapter. Once this is done, run “make” then “sudo make install” and finally “sudo ldconfig” to add the udev rules to the system. This should blacklist the default drivers, but to be sure, I like to “sudo nano /etc/modprobe.d/blacklist.conf” and add the following, each on a new line: “blacklist dvb_usb_rtl28xxu”, “blacklist dvb_core”, “blacklist rtl2830”, and “blacklist dvb_usb_v2”. Use CTRL+X to exit nano, type “y” and press enter to save.

Next we are going to get the source and compile multimon-ng. We are going to go back to our source directory using “cd ~/source” and we will get the source code from https://github.com/EliasOenal/multimon-ng using git clone again like so, “git clone https://github.com/EliasOenal/multimon-ng”. Once that is done, “cd multimon-ng && mkdir build && cd build” to enter the directory git created, make a build directory inside that directory, and finally change into the build directory. For this program, we are going to rely on qmake as the author provided a .pro file to help automate the build. To invoke this use “qmake ../multimon-ng.pro” and patiently await the creation of the makefile. Once complete run “make” followed by “sudo make install”.
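The build steps from the last few paragraphs (prerequisites, rtl-sdr, the blacklist entries, multimon-ng) as one re-runnable script. This is an added example, not the author's script and not part of either project; it assumes a Debian-based image with sudo, the package names and the two GitHub repositories quoted above, and a source directory of ~/source as in the post (override with SRC_DIR). The clone step is written so that a second run updates the checkout instead of failing because the directory already exists.

```shell
#!/bin/sh
# Added example: Raspberry Pi build of rtl-sdr and multimon-ng from source.
# Assumes: Debian-based image with sudo; package names and repositories as quoted in the post.
set -eu

SRC_DIR="${SRC_DIR:-$HOME/source}"
BLACKLIST="${BLACKLIST:-/etc/modprobe.d/blacklist.conf}"

# Return 0 if a command is on PATH, 1 otherwise.
have_cmd() {
    command -v "$1" >/dev/null 2>&1
}

install_prereqs() {
    sudo apt install -y git cmake build-essential libusb-1.0 qt4-qmake \
        libpulse-dev libx11-dev qt4-default
}

# Clone <url> into SRC_DIR/<name>, or fast-forward it if it is already there.
fetch() {
    mkdir -p "$SRC_DIR"
    if [ -d "$SRC_DIR/$2/.git" ]; then
        git -C "$SRC_DIR/$2" pull --ff-only
    else
        git clone "$1" "$SRC_DIR/$2"
    fi
}

build_rtl_sdr() {
    fetch https://github.com/osmocom/rtl-sdr rtl-sdr
    mkdir -p "$SRC_DIR/rtl-sdr/build"
    cd "$SRC_DIR/rtl-sdr/build"
    cmake ../ -DINSTALL_UDEV_RULES=ON   # install udev rules for the dongle as well
    make
    sudo make install
    sudo ldconfig                       # refresh the shared-library cache for librtlsdr
}

build_multimon_ng() {
    fetch https://github.com/EliasOenal/multimon-ng multimon-ng
    mkdir -p "$SRC_DIR/multimon-ng/build"
    cd "$SRC_DIR/multimon-ng/build"
    qmake ../multimon-ng.pro            # the project ships a .pro file for qmake
    make
    sudo make install
}

# Keep the in-kernel DVB driver from claiming the dongle. Each entry is added
# only if missing, so re-running the script leaves blacklist.conf unchanged.
blacklist_kernel_drivers() {
    sudo touch "$BLACKLIST"
    for m in dvb_usb_rtl28xxu dvb_core rtl2830 dvb_usb_v2; do
        grep -qx "blacklist $m" "$BLACKLIST" ||
            echo "blacklist $m" | sudo tee -a "$BLACKLIST" >/dev/null
    done
}

# Exit status 0 once both tools are installed; used as a final check.
tools_installed() {
    have_cmd rtl_fm && have_cmd multimon-ng
}

main() {
    have_cmd sudo || { echo "sudo is required" >&2; exit 1; }
    install_prereqs
    build_rtl_sdr
    build_multimon_ng
    blacklist_kernel_drivers
    tools_installed && echo "rtl_fm and multimon-ng installed; reboot before plugging in the SDR"
}

# Run as "sh build_sdr.sh run"; with no argument the file only defines functions.
if [ "${1:-}" = "run" ]; then
    main
fi
```

Run it inside screen, as the post suggests; the whole thing is a single long-running job and the fetch/blacklist steps are safe to repeat if the session drops partway through.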

With all of the required programs installed, we can now start listening for pager traffic. The best way I have found to locate the frequencies (which vary based on geographic location) is to use the SDR along with a program that provides a waterfall display. You can check https://www.sigidwiki.com/wiki/POCSAG for frequency lists of where pagers operate. Using the waterfall, you can home in on an interesting frequency and use that in rtl_fm to feed to multimon-ng. An example of this would be a command like “rtl_fm -f 152.180M -s 22050 | multimon-ng -t raw -a POCSAG512 -a POCSAG1200 -a POCSAG2400 -f alpha /dev/stdin >> ~/page.txt”. Breaking down this command: rtl_fm is used to control the SDR, the -f sets the frequency to the frequency entered (here it is 152.18 MHz), -s sets the sample rate to the entered value, the | sends the output to multimon-ng, the -t tells multimon-ng that we are providing raw data, the -a switches tell multimon-ng to attempt to decode POCSAG512, POCSAG1200, and POCSAG2400 (different types of pager encodings; we could also include -a FLEX, which is another pager encoding), the -f alpha /dev/stdin tells multimon-ng that we only want the alphanumeric data reported and to read its input from stdin, and the >> ~/page.txt writes the data to a text file in the home directory called page.txt. In simpler terms, rtl_fm tunes the dongle, then we pipe that to multimon-ng, and multimon-ng then sends the decoded information to a text file.
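An added example (not from the post) that wraps the rtl_fm | multimon-ng pipeline above in a function and adds a small awk parser for the page.txt it produces, so the log can be reduced to one record per page and summarised per address. It assumes the multimon-ng alphanumeric POCSAG output shape “POCSAG1200: Address: 1234567  Function: 0  Alpha:   text”; the log lines used to exercise the parser are constructed for this example, not captured traffic.

```shell
#!/bin/sh
# Added example: run the decode pipeline from the post and parse its output.
# Assumes multimon-ng prints alphanumeric pages as
#   "POCSAG1200: Address: 1234567  Function: 0  Alpha:   text"
set -eu

# Tune the dongle with rtl_fm and hand raw audio to the POCSAG decoders,
# appending decoded pages to <out> (the post's command, parameterised).
decode_pagers() {
    freq="$1"; out="$2"
    rtl_fm -f "$freq" -s 22050 \
        | multimon-ng -t raw -a POCSAG512 -a POCSAG1200 -a POCSAG2400 -f alpha /dev/stdin \
        >> "$out"
}

# Reduce a page.txt log on stdin to "protocol<TAB>address<TAB>message".
# Numeric pages and multimon-ng's own banner lines do not contain "Alpha:"
# and are dropped; the message is everything after "Alpha:", trimmed.
parse_pocsag() {
    awk '
        /^POCSAG[0-9]+: Address: +[0-9]+/ && index($0, "Alpha:") {
            msg = substr($0, index($0, "Alpha:") + 6)
            sub(/^[ \t]+/, "", msg); sub(/[ \t]+$/, "", msg)
            proto = $1; sub(/:$/, "", proto)
            printf "%s\t%s\t%s\n", proto, $3, msg
        }'
}

# Pages per capcode, busiest first: "<count> <address>" per line.
top_addresses() {
    parse_pocsag | cut -f2 | sort | uniq -c | sort -rn
}

# Constructed sample log in the multimon-ng format assumed above (not real traffic).
SAMPLE_LOG='multimon-ng (constructed banner line for this example)
Enabled demodulators: POCSAG512 POCSAG1200 POCSAG2400
POCSAG1200: Address: 1234567  Function: 0  Alpha:   Unit 12 respond to station
POCSAG512: Address:   76543  Function: 3  Numeric: 5551234
POCSAG2400: Address: 9876543  Function: 0  Alpha:   Test page
POCSAG1200: Address: 1234567  Function: 0  Alpha:   Second message'

# "sh pager_log.sh run 152.180M" starts the live pipeline; "sh pager_log.sh demo"
# parses the sample log above; no argument only defines the functions.
case "${1:-}" in
    run)  decode_pagers "${2:-152.180M}" "$HOME/page.txt" ;;
    demo) printf '%s\n' "$SAMPLE_LOG" | parse_pocsag
          printf '%s\n' "$SAMPLE_LOG" | top_addresses ;;
esac
```

The parser keys on the literal "Alpha:" marker rather than on column positions because multimon-ng right-pads the address field, so the number of spaces before the address varies from line to line.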

Good luck with your decoding, and hopefully all the messages don’t read, “Be sure to drink your Ovaltine.”

BBS in 2019!? Say What?

Or, why would I even want to do this.

It has been a long time since I have had the opportunity to use a BBS system, and never before have I been a SYSOP. With my current status of being underemployed, I have chosen to utilize the time unwisely and have a nostalgic flashback to the pre-internet days. I can still recall begging for a modem for my Tandy 1000 HX that I started out with on this journey, but the modem would not come until we upgraded to a 386 machine with Windows 3.1 and 4800 baud (sexy, right?). Ahh, Windows 3.1 with your lack of a TCP/IP stack. That PC would eventually get an upgraded modem to 9600 then to 14400, but the hard drive would never come to being a 1 GB drive. On the plus side, it did have internal storage, unlike the Tandy.

The truth of the matter is, I long for the days of BBS door games like Legend of the Red Dragon, Pimpwars, TradeWars, and others. Also, with the internet existing as it does and both Mystic and Synchronet supporting telnet, ssh, and rlogin it should be simple to network everything (famous last words).

After a few false starts, trying both Mystic BBS and Synchronet BBS, running in a 64-bit Ubuntu VM and discovering that no matter how many times I read the instructions I could not get DOSEMU to function, I was on the verge of giving up. Luckily I chose to persist, and can now play Legend of the Red Dragon 2 on my own BBS!

First step in the process was setting up the VM. For this I chose to use Virtualbox. I know full well that I can accomplish the same thing with KVM, however I am more comfortable using VirtualBox for this since I’ve been using it longer, and when all you have is a hammer….

I installed a small 64-bit Ubuntu 16.04 server VM, and installed the SSH server only. Once installed, I did the required updates and installed unrar. Mystic BBS comes packaged in a rar file, so I guess we need it.

I downloaded the 64-bit release from http://www.mysticbbs.com/downloads.html and proceeded to unrar the files as instructed. Mystic wants to install itself to the root directory, so we need to escalate our privileges to do so: “sudo su”, then “./install”.

Up next, we changed the ownership of the mystic folder to a user with fewer privileges. I created a new user, “bbs”, and then ran “chown bbs:bbs -R /mystic”. Next I left the root account and switched to my default user, which has sudo privileges, as the bbs user does not.

Next, I installed dosemu with “sudo apt install dosemu” and modified the file /etc/dosemu/dosemu.conf to reflect a US keyboard layout so dosemu would not pester me every time a door game was launched.

After this, I followed the instructions at http://wiki.mysticbbs.com/doku.php?id=cryptlib to install cryptlib so I could enable logging into the BBS over SSH as well as telnet.

Coming soon….. Configuring Door Games!