Hack RF for ADS-B

Homebuilt Aircraft & Kit Plane Forum


BrianW

Well-Known Member
Joined
Jul 2, 2018
Messages
140
Location
Altus SW Oklahoma
I’m a bah humbug on adsb. It’s not going to stop anything. Flying with a friend, we had a Baron oblivious try and hit us with ATC and ADSB. We volunteered to descend to keep space even though the Baron was the one being told to change heading. Perfect clear day. We saw the traffic 8 miles away and he passed right over our heads like he was aiming for us. We were watching our ADSB and I know he was too because he was going to fly as close as he could because his screen said he was clear. He never looked out the window. Just like people shooting in holes seen on XM weather and finding they have been closed up.

Hmmm...let's see: because you had access to an ADSB-IN display, you knew the distance, altitude, heading, and registration number of an aircraft on a collision course, and changed altitude to avoid the conflict traffic. With the conflict overhead, you complained that he did not look out the window?

Sounds a little like my memorable ADSB-IN incident: on final approach north bound to an uncontrolled airport, I spotted an aircraft southbound on the same runway on my Stratux equipped moving map display. I called, and the EMS helicopter pilot explained he was south bound, low and east of the runway.
 

Daleandee

Well-Known Member
Joined
Sep 11, 2015
Messages
1,381
Location
SC
Sounds a little like my memorable ADSB-IN incident: on final approach north bound to an uncontrolled airport, I spotted an aircraft southbound on the same runway on my Stratux equipped moving map display. I called, and the EMS helicopter pilot explained he was south bound, low and east of the runway.
When departing a non-towered field I saw a red target pop up on the screen very near and closing in quickly. Of course I had seen it as I waited at the hold line for runway 05. It was a friend in his plane returning to the field. I like the ADSB but the eyeballs saw him first. Still, it's good to have another alert for the time the eyes can't see through the blazing sun.

There is the part about privacy with ADSB that concerns me but real privacy is gone in today's world. I carry a phone that knows where I'm going, where I've been, and likely more about me than I know myself ... 🤣
 

TFF

Well-Known Member
Joined
Apr 28, 2010
Messages
14,750
Location
Memphis, TN
Knew the distance because we looked when ATC said look. Yes I have almost been hit by planes in the air. Not saying it can’t be good to have ADSB, but don’t live for it. Half a dozen times the planes that tried to hit me were no electrical. My plane is no electric too.
 

blane.c

Well-Known Member
HBA Supporter
Joined
Jun 27, 2015
Messages
4,690
Location
capital district NY
My car knows where I've been, how long it took me to get there, etc. Soon it'll be hooked up to automatic ticketing ... well, by then we may not legally be allowed to drive ourselves; we'll have to let the computer do it.
 

pwood66889

Well-Known Member
Joined
Feb 10, 2007
Messages
1,890
Location
Sopchoppy, Florida, USA
I got a Patent Attorney, Trim, that you should talk to. Yes, he speaks aviation - to the extent that he flies a `coupe.
Not the sharpest tool in the shed, but I have cut a line of code (or two) and kinda doped down to where you are as well.
I'm looking forward to the day when they stop fooling with elections and go for ADS-B. The Air Force (Navy, too) will be running around over DC; burning lots of jet fuel, looking for Phantom Ercoupes.
If ever in NW FL, USA, lemme know. I'll spring for the coffee.
 

trimtab

Well-Known Member
Joined
Apr 30, 2014
Messages
189
Location
rocky mountains, rocky, usa
I got a Patent Attorney, Trim, that you should talk to.
I hire a couple of patent bar attorneys as needed as well and received my 17th utility patent 2 1/2 weeks ago.

There really aren't any good or ethical ways to patent implementations of open standards, and that was never my intention. To me, a patent is less desirable than proprietary, especially in the US. I knew that these companies struggled to produce anything with their talent in bloated legacy companies. They were thoroughly financialized long ago and de-engineered. It was in that environment that I felt a proprietary (not patented) SoC that could offer high performance and full functionality for every aspect of ADS-b would sell well with a $50 license fee. That would have allowed those companies to focus on interface and certification differentiation for their products commensurate with a level of skill familiar to their software staff. That fee would have been far cheaper than having several very bored, expensive engineers they were stuck with at each company developing the same functionality separately.

As it happens, I talked with a former engineer from one of those companies (will remain anonymous for reasons clear below) this year (FAA engineer now) who described their pathway to a functional production firmware core for their product. After two years and over a million and a half in salaries and 7 failed attempts, they finally figured out nepotism really doesn't work very well in management, got rid of a few of their domestic engineers and contracted two Hungarian college students who completed a successful production quality core in less than three weeks. They contracted the electrical design to a Taiwan firm who completed the hardware design and prototypes and validation in 12 weeks, and a Canadian firm to do the mechanicals in a few months to have pilot production complete in 5 months. All of it allegedly cost less than the bailout bye-bye package they gave to the nephew who tanked their program in the first place, let alone the lost opportunity costs from time and program costs.

At some point, it doesn't make sense to have any faith that "things will just work out". There are reasons this hardware is so costly, why they perform so underwhelmingly, and why others outside the US seem to be able to do some things a lot better. There is a lot that could be done to make them a lot more functional.
 

Dusan

Well-Known Member
Joined
Sep 15, 2014
Messages
150
Location
Canada
I built an ADS-b out 6 years ago using the HackRF One. It took me about 12 hours to code and get to work, with very little RF experience. I used the specification documents to generate the encoding scheme. Now, the Stratux open source code can be used even faster to determine the same encoding scheme. I bet that's what all these recent projects are doing.

It worked very well, and quickly demonstrated that the existing $5k to $8k TSO units were total trash. Worse than trash. So easily spoofed by even a crude ddos attack. Confused by even moderate traffic levels. Total amateur hour.

My goal was to develop a simple SoC (based on a Xilinx Zynq, actually) to license to companies to make good, inexpensive ads-b panel units. I talked to three familiar companies. One told me if it was so easy, why did they need 6-8 digital RF engineers in the R&D section alone. Another told me it would ruin the market if it was even possible. The third simply sent a cease and desist letter from a lawyer indicating that any new hardware that implemented ADS-b was likely an IP infringement against them.

Seriously. These companies are not innovative, and actually their staff and management aren't particularly bright at all based on the responses I got.

I was already busy growing another business at the time, and I lost interest.

A couple of the issues I figured the FAA must be cussing about that my system could address were spoofing and ghosting. With very little use of bandwidth, ground based translateration would become obsolete. I had no idea the FAA at the time was fighting both battles and basically losing for a time in true government fashion.

The compromises of the US system created a dumb and insecure network. It is 1990's tech at best, which means the FAA will continue it for another 50 years.

In any case, I won't release the code even though at one time I was going to after that truly bizarre cease and desist letter from the company that rhymes with Garmin.

There are enough dumb monkeys out there to make that clearly a bad idea, even if a reasonably intelligent high school nerd could figure it out pretty fast on their own. At least they probably have no desire to use it improperly.
Hacking together some electronics for receiving ADSB is ok-ish, it could increase safety. Hacking for sending ADSB out is a big NO-NO. There are reasons these things need to be certified by FAA and FCC so they are sure it's working properly.

Are the ADSB and GPS easy to spoof and jam? Certainly, but anyone disturbing air traffic is going to be labelled as a terrorist, so not too many people are going to try it in the name of "experimenting". Another reason for protocols not being encrypted - the equipment is simplified, engineering and certification is simpler. At this time, it would be a total hassle to develop an encrypted protocol: every time a bug or a flaw is discovered everything needs to be developed, re-certified and updated.

This status quo is the result of laws regarding avionics certification and intellectual property. The ADSB is considered an aid to navigation and one should not totally rely on it, so at this point I wonder if an open-source system on an unlicensed band would be more practical, much more configurable and encrypt-able, not to mention cheaper.
 

trimtab

Well-Known Member
Joined
Apr 30, 2014
Messages
189
Location
rocky mountains, rocky, usa
Hacking together some electronics for receiving ADSB is ok-ish, it could increase safety. Hacking for sending ADSB out is a big NO-NO. There are reasons these things need to be certified by FAA and FCC so they are sure it's working properly.

Are the ADSB and GPS easy to spoof and jam? Certainly, but anyone disturbing air traffic is going to be labelled as a terrorist, so not too many people are going to try it in the name of "experimenting". Another reason for protocols not being encrypted - the equipment is simplified, engineering and certification is simpler. At this time, it would be a total hassle to develop an encrypted protocol: every time a bug or a flaw is discovered everything needs to be developed, re-certified and updated.

This status quo is the result of laws regarding avionics certification and intellectual property. The ADSB is considered an aid to navigation and one should not totally rely on it, so at this point I wonder if an open-source system on an unlicensed band would be more practical, much more configurable and encrypt-able, not to mention cheaper.
I never intended to sell or distribute a non-certified system into a marketplace.

And making an ADS-b out isn't hacking any more than making a sandwich at home is hacking compared to buying a terrible version of a sandwich at Subway. It doesn't mean a person can go and sell sandwiches from their driveway without following the rules.

I didn't break any rules at all in the development or test of my various ADS-b systems...not even once. I didn't need to.

Encryption will not solve any of the translateration, spoofing, or DDOS issues at all. If they encrypted the system, it would be the equivalent of making every school child in Phoenix wear a down jacket and galoshes to make them more secure from rain: complete mismatch between the problems and its root causes, and a solution that only sounds plausible to people who don't actually know or care about the problems or root causes in the first place. Might as well have said "why not use blockchain?" (sounds of investors who just finished an uplifting weekend seminar on "how to be a VC and get rich" scurrying around).

Time of flight and computationally efficient Bayesian analysis (sounds far fancier than it ever was) is able to detect anything more than about 30 meters (and often less than that) different than where any two flying receivers think something is in seconds (with $5 timing chips and 15 cm resolution at shorter ranges and a gate of 100 miles). Three receivers can solve within a few dozen milliseconds (each receiver is a different client/plane). The bandwidth to support the filter is 5 percent of the service volume or less. In addition, the offending aircraft or spoof is readily identified for the rest of the service volume, and the offender knows immediately they are offending by consensus, not some sort of letter from the FAA a month down the road. And the DDOS by mass spoofing is eliminated if they simply utilized one of the dozens of CDMA algorithms in massive use today. Bandwidth for service volume goes up through the roof, security is enabled, and poor performing and spoofed messages are identified and filtered immediately. Then there would be more room for service volume (think: drones...) and for weather and other products that are actually timely (weather is very delayed and it is because it eats up so much bandwidth already).

All of this was pretty old hat by 2006, and anyone who has taken a couple of RF comms classes within the past decade would be able to understand and perhaps even implement something resembling this if they were curious and capable enough to pass the classes. My TOF system used a LIDAR timing chip that could detect a spoof 1.1 miles away from two receivers spaced 400 yards apart to within 50 yards on the very first try within about 10 seconds.

The EU is looking at a massive upgrade in the coming decades. A glance at some of the docs suggests they may indeed be looking at a jump to a CDMA scheme. The FAA may tell everyone to buy new boxes in a decade or more.
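
The time-of-flight consistency check described in the post above, as an added example that is not the poster's code or any product's: two receivers compare the arrival-time difference of a message with the difference implied by the position written in it, and a simple Bayesian update accumulates the evidence. The synchronized receiver clocks, the 5 m noise figure, the 0.01 prior, the uniform spoof model and all coordinates are assumptions constructed for illustration.

```python
import math

C = 299_792_458.0  # speed of light, m/s

def tdoa_residual_m(claimed, rx_a, rx_b, t_a, t_b):
    """Mismatch in metres between the measured range difference (from
    arrival times) and the one implied by the claimed position."""
    expected = math.dist(claimed, rx_a) - math.dist(claimed, rx_b)
    return C * (t_a - t_b) - expected

def update_spoof_probability(prior, residual_m, baseline_m, sigma_m=5.0):
    """One Bayesian update of P(spoof).
    Genuine: residual ~ N(0, sigma_m). Spoof (assumed model): residual
    uniform over [-2*baseline, +2*baseline]."""
    l_genuine = math.exp(-0.5 * (residual_m / sigma_m) ** 2) / (
        sigma_m * math.sqrt(2 * math.pi))
    l_spoof = 1.0 / (4.0 * baseline_m)
    post = prior * l_spoof / (prior * l_spoof + (1 - prior) * l_genuine)
    return min(max(post, 1e-9), 1 - 1e-9)  # never fully certain, stays revisable

def assess(reports, rx_a, rx_b, prior=0.01):
    """reports: iterable of (claimed_xyz, t_a, t_b). Returns final P(spoof)."""
    baseline = math.dist(rx_a, rx_b)
    p = prior
    for claimed, t_a, t_b in reports:
        p = update_spoof_probability(
            p, tdoa_residual_m(claimed, rx_a, rx_b, t_a, t_b), baseline)
    return p

def simulate_arrivals(source, rx_a, rx_b, t0):
    """Constructed test data: noise-free arrival times from the real emitter."""
    return t0 + math.dist(source, rx_a) / C, t0 + math.dist(source, rx_b) / C

# Constructed geometry, local x/y/z in metres.
RX_A, RX_B = (0.0, 0.0, 1000.0), (366.0, 0.0, 1000.0)  # roughly 400 yd apart
EMITTER = (1200.0, 1300.0, 0.0)     # where the signal physically originates
FAKE = (-6000.0, 3000.0, 1500.0)    # position reported inside the message

def demo():
    times = [simulate_arrivals(EMITTER, RX_A, RX_B, 100.0 + i) for i in range(3)]
    honest = assess([(EMITTER, ta, tb) for ta, tb in times], RX_A, RX_B)
    spoofed = assess([(FAKE, ta, tb) for ta, tb in times], RX_A, RX_B)
    return honest, spoofed

if __name__ == "__main__":
    print("P(spoof) honest=%.2e spoofed=%.6f" % demo())
```

A single receiver pair only constrains the emitter to a hyperboloid, so a reported position lying on the same surface as the true one would pass this check; adding a third receiver, as the post notes, removes most of that ambiguity.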
 

rv7charlie

Well-Known Member
Joined
Nov 17, 2014
Messages
1,562
Location
Jackson
I don't doubt your evaluation of the system, or the possibility of a better, independent system. I attended a forum at OSH over 20 years ago where the presenter described a functional independent position 'squitter' that took only a few microseconds to squit its position, listening between squits to avoid stepping on others.

No doubt the FAA's problem with it was the simple fact that it was *in*dependent; the *D* in ADSB ensures both real time and retroactive monitoring of everyone who installs Mode S hardware. In my non-lawyerly opinion, this is the moral equivalent of prior restraint. We can choose to turn off our cell phones and, in more extreme avoidance wants/needs, drive an older car without built-in tracking. But once that Mode S xponder goes in a plane, it is illegal to turn it off under any circumstances, and it's still a gray area on whether you can fly the plane at all if it fails for any reason.

At least there's a tiny loophole available with *some* 978 MHz versions by using 'anonymous mode' while squawking 1200 (but check user feedback; some devices don't truly support it even though the option can be selected).

Charlie
 

Daleandee

Well-Known Member
Joined
Sep 11, 2015
Messages
1,381
Location
SC
At least there's a tiny loophole available with *some* 978 MHz versions by using 'anonymous mode' while squawking 1200 (but check user feedback; some devices don't truly support it even though the option can be selected).
The Echo unit reportedly has the "anonymous mode" that can be turned on via Wi-Fi from an app on your phone. But during the certification flight it cannot be used. Also (I'm certain you are aware of this but I post for those that may not) if you are squawking anything but 1200 (as when using flight following or in towered airspace) the anonymous mode is off.

There are some privacy issues with ADSB but many of us realize that real privacy is a thing of the past. How is it said ... "You can run, but you can't hide!" :wonder:
 