Temperature and Humidity Measurement using Arduino

Humidity and temperature are the most common parameters used to characterise environmental conditions. In this Arduino-based project we measure ambient temperature and humidity and display them on a 16x2 LCD. A combined temperature and humidity sensor, the DHT11, is used with an Arduino Uno to build a Celsius-scale thermometer and a percentage-scale humidity meter. In one of my previous projects I also built a digital thermometer using the LM35 temperature sensor.

The project has three parts. The first senses humidity and temperature with the DHT11 module. The second reads the module's serial output and converts it into numbers: relative humidity in percent and temperature in degrees Celsius. The third part displays those two values on the LCD.

The project relies on single-wire serial communication. The Arduino first sends a start signal to the DHT module; the DHT then answers with a response signal followed by the temperature and humidity data. The Arduino collects the frame, splits it into its two parts (humidity and temperature) and sends them to the 16x2 LCD.

 

The sensor used here is a DHT11 module. It combines a humidity sensor and a temperature sensor with a calibrated digital output: the module senses both quantities and delivers the readings as a digital signal that has already been calibrated at the factory. Its accuracy is adequate for room monitoring rather than very precise (the DHT11 is specified at roughly ±2 °C and ±5 %RH), and the vendor claims good reliability and long-term stability. The humidity element is resistive, the temperature element is an NTC thermistor, and an on-board 8-bit microcontroller performs the measurement and drives the output protocol. The part responds quickly, is cheap and comes in a 4-pin single-row package.

The DHT11 communicates over a single data wire. It sends its data as a train of pulses of specific durations. Before it transmits, the Arduino must send a start signal and then wait; a complete transaction takes about 4 ms. Each transmission is 40 bits long, in the following format:

8-bit integral RH data + 8-bit decimal RH data + 8-bit integral T data + 8-bit decimal T data + 8-bit checksum

The checksum is the low byte of the sum of the four data bytes. A frame whose checksum does not match must be discarded: a noisy line or an over-long cable produces corrupted frames, not an error code, and without this check the corrupted values would be displayed as if they were real.

 

Complete Process

First the Arduino sends the start signal: it pulls the data line low for at least 18 ms so that the DHT11 is sure to detect it. The Arduino then releases the line, which the pull-up resistor takes high, and waits 20-40 µs for the DHT11's response. Once the DHT11 has detected the start signal, it pulls the line low for about 80 µs as its response, and then releases it high for another 80 µs while it prepares to send the data.

 

While the data line is low during this phase the DHT11 is sending its response signal. When that is done, the DHT11 lets the line go high for 80 µs in preparation for the data transmission.

Every data bit the DHT11 sends begins with a 50 µs low period; the length of the high period that follows determines whether the bit is a "0" (about 26-28 µs high) or a "1" (about 70 µs high).
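The following is an added example, not code from the original article: it decodes the 40-bit frame described above from the measured high-pulse widths and verifies the checksum byte, which is the only integrity protection the sensor offers. It assumes that each bit's high time has already been measured in microseconds (for instance with pulseIn on an Arduino) and uses 50 µs as the decision threshold between a "0" (about 26-28 µs) and a "1" (about 70 µs). The sample frame and the flipped bit are constructed for the demonstration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Added example (not from the original article): decode a DHT11 frame from
 * per-bit high-pulse widths and verify its checksum.
 * Assumption: high_us[i] is the high time of bit i in microseconds. */

#define DHT11_BITS          40
#define DHT11_THRESHOLD_US  50   /* above this the bit is a "1" */

typedef struct {
    uint8_t rh_int;    /* integral relative humidity, %  */
    uint8_t rh_dec;    /* decimal relative humidity      */
    uint8_t t_int;     /* integral temperature, Celsius  */
    uint8_t t_dec;     /* decimal temperature            */
    uint8_t checksum;  /* low byte of the sum of the four data bytes */
    int checksum_ok;
} dht11_frame;

/* Shift the 40 bits into five bytes, MSB first, as the sensor sends them.
 * Returns 0 when the checksum verifies, 1 on a checksum mismatch, -1 on bad input. */
int dht11_decode(const unsigned *high_us, size_t nbits, dht11_frame *out) {
    if (high_us == NULL || out == NULL || nbits != DHT11_BITS) return -1;
    uint8_t bytes[5] = {0};
    for (size_t i = 0; i < DHT11_BITS; i++) {
        bytes[i / 8] = (uint8_t)(bytes[i / 8] << 1);
        if (high_us[i] > DHT11_THRESHOLD_US) bytes[i / 8] |= 1;
    }
    out->rh_int   = bytes[0];
    out->rh_dec   = bytes[1];
    out->t_int    = bytes[2];
    out->t_dec    = bytes[3];
    out->checksum = bytes[4];
    /* the sum is taken modulo 256, matching the 8-bit checksum field */
    uint8_t sum = (uint8_t)(bytes[0] + bytes[1] + bytes[2] + bytes[3]);
    out->checksum_ok = (sum == bytes[4]);
    return out->checksum_ok ? 0 : 1;
}

/* Expand five bytes into the pulse widths a real sensor would produce
 * (constructed timings: 27 us for a "0", 70 us for a "1"). */
static void frame_to_pulses(const uint8_t bytes[5], unsigned high_us[DHT11_BITS]) {
    for (int i = 0; i < DHT11_BITS; i++) {
        int bit = (bytes[i / 8] >> (7 - (i % 8))) & 1;
        high_us[i] = bit ? 70 : 27;
    }
}

/* Constructed sample frame: 45 %RH, 23 C -> 0x2D 0x00 0x17 0x00, checksum 0x44.
 * With corrupt != 0 one bit of the RH byte is flipped "in transit". */
int dht11_demo(int corrupt, dht11_frame *out) {
    static const uint8_t sample[5] = {0x2D, 0x00, 0x17, 0x00, 0x44};
    unsigned pulses[DHT11_BITS];
    frame_to_pulses(sample, pulses);
    if (corrupt) pulses[3] = 70;   /* bit 3 of the RH byte: 0 becomes 1 (0x2D -> 0x3D) */
    return dht11_decode(pulses, DHT11_BITS, out);
}

int main(void) {
    dht11_frame f;
    int rc = dht11_demo(0, &f);
    printf("clean:     rc=%d RH=%u%% T=%uC checksum_ok=%d\n", rc, f.rh_int, f.t_int, f.checksum_ok);
    rc = dht11_demo(1, &f);
    printf("corrupted: rc=%d RH=%u%% checksum_ok=%d\n", rc, f.rh_int, f.checksum_ok);
    return 0;
}
```

The corrupted run shows why the check matters: the decoded humidity silently becomes 61 % instead of 45 %, and only the checksum mismatch reveals it.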

One important thing is to get the pull-up resistor right: with the sensor placed within 20 m of the Arduino a 5 kΩ pull-up is recommended; for longer cable runs, choose a pull-up value appropriate to the cable.

 

Circuit Diagram and Explanation


A liquid crystal display, connected directly to the Arduino in 4-bit mode, shows the temperature and humidity. The LCD pins RS, EN, D4, D5, D6 and D7 are connected to Arduino digital pins 2, 3, 4, 5, 6 and 7 respectively. The DHT11 sensor module's data pin is connected to Arduino digital pin 12 with a 5 kΩ pull-up resistor.

 

Programming Description

The sketch uses ready-made libraries: dht.h (DHTlib, which provides the dht class and read11()) for the DHT11 sensor and LiquidCrystal for the LCD.

The pins for the LCD and the DHT sensor are defined first and everything is initialised in setup(). In loop() the DHT library reads the sensor, fills in its humidity and temperature members, and those values are printed on the LCD.

Code: 

#include <dht.h>            // DHTlib: provides the dht class, read11() and the DHTLIB_* status codes
#include <LiquidCrystal.h>

// LCD in 4-bit mode: RS, EN, D4, D5, D6, D7 -> Arduino digital pins 2, 3, 4, 5, 6, 7
LiquidCrystal lcd(2, 3, 4, 5, 6, 7);

#define dht_dpin 12         // DHT11 data pin (5k pull-up to 5 V)

dht DHT;

// Custom 5x8 glyph for the degree symbol
byte degree[8] =
{
  0b00011,
  0b00011,
  0b00000,
  0b00000,
  0b00000,
  0b00000,
  0b00000,
  0b00000
};

void setup()
{
  lcd.begin(16, 2);
  lcd.createChar(1, degree);
  lcd.clear();
  lcd.print("   Humidity   ");
  lcd.setCursor(0, 1);
  lcd.print("  Measurement ");
  delay(2000);
  lcd.clear();
  lcd.print("Circuit Digest ");
  delay(2000);
}

void loop()
{
  // read11() returns DHTLIB_OK, DHTLIB_ERROR_CHECKSUM or DHTLIB_ERROR_TIMEOUT.
  // Only a frame whose checksum verified is worth displaying.
  int status = DHT.read11(dht_dpin);
  lcd.clear();
  lcd.setCursor(0, 0);
  if (status != DHTLIB_OK)
  {
    lcd.print(status == DHTLIB_ERROR_CHECKSUM ? "Checksum error" : "Sensor timeout");
  }
  else
  {
    lcd.print("Humidity: ");
    lcd.print(DHT.humidity, 0);      // printing humidity on LCD (the DHT11 reports whole units)
    lcd.print(" %");
    lcd.setCursor(0, 1);
    lcd.print("Temperature:");
    lcd.print(DHT.temperature, 0);   // printing temperature on LCD
    lcd.write(1);                    // degree glyph defined above
    lcd.print("C");
  }
  delay(1000);   // the DHT11 must not be polled more often than about once per second
}

Once the sketch has been uploaded to the Arduino, the humidity and temperature appear on the LCD (this sketch does not write to the serial monitor).

 

Prepared By:

Kamlesh Kumar Thakur (Sr. hardware engineer at radiojitter.com)

Arduino projects: Ultrasonic distance sensor

This is our project on an Arduino ultrasonic distance sensor. We use the HC-SR04 sensor, the same part that lets a robot see obstacles while moving and act accordingly. The HC-SR04 is a very popular ultrasonic sensor and worth learning to use.

The project is divided into two parts. We want to build a device that senses the distance to an object, sends that distance to the serial port and displays it on an LCD. The distance should be in metres so that it is easy to read and interpret.

To keep the project simple we use an LCD with an I2C converter, so only 4 wires are needed to connect it to the Arduino. We also need to add one library to the sketch, which is easy to download.

Ultrasonic distance sensor

Here are the parts needed:

1 x Arduino Uno Board

1 x HC-SR04 ultrasonic sensor

1 x LCD with I2C converter

Jumper wires

Let's start with something simple. How do we display a distance on the serial port?

First make the connections shown in the schematic. The LCD is not needed yet.

It is very simple: just 4 wires, the Arduino Uno board and the ultrasonic sensor (VCC to 5V, GND to GND, and the TRIG and ECHO pins to two digital pins).

With the first sketch uploaded, the measured distance scrolls by in the serial monitor.

Ok, half of the project is ready. Now add the LCD. Its I2C converter needs four wires: 5V, GND, SDA (A4 on the Uno) and SCL (A5 on the Uno).

Then download the library from the Arduino IDE: open Sketch >> Include Library >> Manage Libraries and search for LiquidCrystal I2C.

The code to upload is similar to the first one, except that as well as sending the values to the serial port we display them on the LCD.

#include <Wire.h>
#include <LiquidCrystal_I2C.h>

const int trig = 2;   // TRIG pin of the HC-SR04
const int echo = 3;   // ECHO pin of the HC-SR04

// I2C LCD at address 0x27, 16 columns x 2 rows (use an I2C scanner if your module differs)
LiquidCrystal_I2C lcd(0x27, 16, 2);

void setup()
{
  Serial.begin(9600);
  lcd.begin();          // some versions of this library call this lcd.init()
  lcd.backlight();
  pinMode(trig, OUTPUT);
  pinMode(echo, INPUT);
  // Printing some text on startup
  lcd.setCursor(1, 0);
  lcd.print("Tutorial45.com");
  lcd.setCursor(4, 1);
  lcd.print("Presents");
  delay(2000);
}

void loop()
{
  // A 10 us pulse on TRIG starts one measurement
  digitalWrite(trig, LOW);
  delayMicroseconds(2);
  digitalWrite(trig, HIGH);
  delayMicroseconds(10);
  digitalWrite(trig, LOW);

  // Round-trip time of the ultrasonic burst in microseconds.
  // pulseIn returns 0 if no echo arrives within the timeout (30 ms here, about 5 m),
  // so a 0 must be treated as "no reading", not as a distance of zero.
  unsigned long duration = pulseIn(echo, HIGH, 30000UL);

  lcd.clear();          // clear the old value before writing the new one
  if (duration == 0)
  {
    lcd.print("Out of range");
    Serial.println("Out of range");
  }
  else
  {
    // Sound takes about 29.1 us per cm, and the burst travels there and back
    float cm = (duration / 2.0) / 29.1;
    lcd.print(cm / 100.0, 2);   // in metres, two decimals
    lcd.print(" m");
    Serial.print(cm / 100.0, 2);
    Serial.println(" m");
  }
  delay(100);           // about 10 readings per second
}
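The conversion from echo time to distance is the one place where the sketch above can mislead: a timeout (pulseIn returning 0) or an object beyond the sensor's range must not be shown as a valid distance. The following is an added example, not code from the original article. It applies the sketch's 29.1 µs per cm figure, rejects timeouts and out-of-range readings using the HC-SR04 datasheet limits (2-400 cm range; about 38 ms of ECHO high when nothing is detected), and, going beyond the article, adds a median-of-three filter so that a single spurious echo cannot pull the reported distance. All numbers fed to it here are constructed.

```c
#include <stddef.h>
#include <stdio.h>

/* Added example (not from the original article). Assumptions: echo durations
 * are pulseIn-style microsecond values with 0 meaning the timeout expired;
 * HC-SR04 datasheet limits for range and the "no echo" pulse length. */

#define HCSR04_NO_ECHO_US  38000UL  /* ECHO stays high about 38 ms with no obstacle */
#define HCSR04_MIN_CM      2.0      /* datasheet minimum range */
#define HCSR04_MAX_CM      400.0    /* datasheet maximum range */
#define US_PER_CM          29.1     /* one-way time for sound in air, as in the sketch */

/* Distance in cm, or -1.0 when the reading is a timeout or outside the sensor's range. */
double echo_us_to_cm(unsigned long duration_us) {
    if (duration_us == 0 || duration_us >= HCSR04_NO_ECHO_US) return -1.0;
    double cm = (duration_us / 2.0) / US_PER_CM;   /* round trip, so halve it */
    if (cm < HCSR04_MIN_CM || cm > HCSR04_MAX_CM) return -1.0;
    return cm;
}

/* Median of three readings. One spurious echo (a passing object, crosstalk from
 * another sensor) cannot drag the result the way it would drag an average.
 * Invalid readings (-1.0) are left out; returns -1.0 if fewer than two are valid. */
double median3_cm(double a, double b, double c) {
    double v[3];
    int n = 0;
    if (a >= 0) v[n++] = a;
    if (b >= 0) v[n++] = b;
    if (c >= 0) v[n++] = c;
    if (n < 2) return -1.0;
    for (int i = 0; i < n; i++)                 /* sort the (at most three) values */
        for (int j = i + 1; j < n; j++)
            if (v[j] < v[i]) { double t = v[i]; v[i] = v[j]; v[j] = t; }
    return (n == 3) ? v[1] : (v[0] + v[1]) / 2.0;
}

int main(void) {
    /* constructed echo times: 10 cm, a timeout, and a 12 cm reading */
    unsigned long samples[3] = {582UL, 0UL, 698UL};
    double d[3];
    for (int i = 0; i < 3; i++) {
        d[i] = echo_us_to_cm(samples[i]);
        printf("echo %lu us -> %.2f cm\n", samples[i], d[i]);
    }
    printf("filtered: %.2f cm (%.3f m)\n", median3_cm(d[0], d[1], d[2]),
           median3_cm(d[0], d[1], d[2]) / 100.0);
    return 0;
}
```

On the Arduino the same two functions drop straight into loop(): call echo_us_to_cm() on each pulseIn() result, keep the last three, and display median3_cm() of them, printing "Out of range" when it returns -1.0.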

And there you have it! You can verify the project by checking the connections against the schematic and uploading the code.

 

 

Prepared By:

Kamlesh Kumar Thakur (Sr. hardware engineer at radiojitter.com)

How to connect HM-10 Bluetooth 4.0 module as a Central Device

CONNECT HM-10 as a Central Device

What is iBeacon? And how does it work?

iBeacon is Apple's implementation of Bluetooth Low Energy (BLE) wireless technology, used to provide location-based information and services to iPhones and other iOS devices. iBeacon arrived in iOS 7, which means it works with the iPhone 4s or later, the iPad (third generation onwards), the iPad mini and the iPod touch (fifth generation or later). The same BLE technology is also supported on Android 4.3 and above.

 

From a technical point of view, you can think of iBeacons as small digital lighthouses, like those that mark a port or a shoreline. Normally the observer/receiver is an iOS app, while the broadcaster/transmitter can be a battery-powered sensor, a USB Bluetooth dongle, an Arduino kit, a Mac or an iOS device. The broadcaster side only sends data. The standard beacon advertisement consists of a UUID, a major value and a minor value, nothing more. For example:

UUID: B9407F30-F5F8-466E-AFF9-25556B57FE6D
Major ID: 1
Minor ID: 2

The broadcaster (iBeacon) does nothing else but send this piece of information every fraction of a second or so. The UUID is a unique identifier. For example, if Starbucks decided to deploy beacons inside its stores and ship an app that recognises when the user arrives at a specific store, it would define a UUID unique to its app and to the beacons inside its stores. Inside each store it would place beacon devices and configure each of them with a different "minor" value. At store A, all beacons would broadcast the Starbucks UUID and major value 1, with minor 1 near the door, minor 2 near the mug display and minor 3 near the cashier. At store B, the same UUID would be used with major 2 and minor values assigned according to the location inside that store.

With the information broadcast by each beacon, the app can detect them, estimate how close (or far) the phone is from each of them, and then perform actions: display alerts to the user, offer discounts, turn lights on and off, open doors and so on. One caveat belongs here: the UUID, major and minor values are sent in the clear and are not authenticated, so any BLE transmitter, including another HM-10 configured with the AT commands shown later in this article, can broadcast an identical beacon. A beacon identity is evidence of presence for convenience features, not a credential; an action with consequences, such as unlocking a door, has to be authorised some other way.

Bluetooth Low Energy? Bluetooth Smart? BLE?

Bluetooth Low Energy (BLE) is a new Bluetooth "flavor" offered within the Bluetooth 4.0 standard. For a device (be it an iPhone or a desktop computer) to use it, the device needs a more recent Bluetooth chip that supports version 4.0 of the standard.

Bluetooth Low Energy was originally invented by Nokia in 2006 under the name "Wibree". Before Wibree became popular and widely available, Nokia transferred its low-power technology to the Bluetooth Special Interest Group (Bluetooth SIG), which controls and standardises Bluetooth. After being adopted by the SIG, the technology was renamed "Bluetooth Smart", the commercial name of the flavor whose technical name is Bluetooth Low Energy. Bluetooth Smart (or BLE) is only available on devices that support version 4.0 of the Bluetooth standard.

As the name says, Bluetooth Low Energy is a Bluetooth mode that uses little energy. It is normally used to connect to low-data-rate devices such as heart-rate monitors, temperature monitors and smart watches. That does not mean every Bluetooth connection uses BLE: a wireless Bluetooth speaker, for example, does not use Bluetooth Smart/Low Energy to receive an audio stream from your computer or smartphone. Nor does a device that supports BLE, such as a wearable sensor, necessarily use BLE for every connection it makes.

The major difference between classic Bluetooth and BLE is that very little energy is needed for two devices to broadcast or detect BLE packets. Because low energy is the focus, the data these devices send is also minimal, small and slow. A BLE device is therefore not meant to transfer audio or video or to support any application that needs high bandwidth or large amounts of data.

Ok, but what is a beacon then?

Non-technical people picture a beacon as a small battery-powered device stuck onto a wall or in a place. Technical people will say it is a small Bluetooth Low Energy (BLE) device that broadcasts a small amount of data every second or so. At the hardware level, beacons are BLE devices broadcasting data using Apple's "iBeacon" protocol. At the software level, beacons are the messages sent by those broadcasting devices and detected and processed by receivers such as a mobile app running on iOS; depending on how you name things, those messages are called beacons as well.

Using HM-10 BLE Modules as Low-Cost iBeacons

 

This document describes how to use an HM-10 Bluetooth 4.0 module as an iBeacon. The HM-10 can also be used as a data link, a standalone sensor or a control device, but those use cases are not covered here.

The HM-10 is a readily available Bluetooth 4.0 module based on the Texas Instruments CC2540 or CC2541 Bluetooth Low Energy (BLE) System on Chip (SoC). The module design and firmware originated from the Jinan Huamao Technology Company (JNHuaMao), but it is sold by various Chinese suppliers and by several U.S. and European distributors.

Hardware Connections (how to connect the device)

Four wires are needed: two to supply power to the module (VCC and GND) and two for receive (RX) and transmit (TX) so that the module can be configured through a USB serial adapter. Connect the adapter's TX to the module's RX and the adapter's RX to the module's TX, and check the supply and logic-level rating of your particular breakout board before wiring it to a 5 V adapter.

Using a Terminal Emulator to Talk to the HM-10


Once the hardware is ready, check that the HM-10 is working. With the serial adapter connected to the HM-10, plug the adapter's USB cable into your PC. If this is the first time you use the adapter you may be asked for a device driver; in most cases the operating system finds it automatically (it may take a couple of minutes). If not, refer to the documentation that came with the adapter. Take note of the COM port assigned to the adapter.

The HM-10 uses an AT command set with unusual timing when commands are typed in manually from the PC: commands are not terminated by a carriage return or line feed, and the module treats a short pause after the last character as the end of the command. Configure the terminal program to send no line ending.

 

How to select and configure the terminal emulator

1. Right-click on My Computer.
2. Click Manage.
3. Click Device Manager.
4. Expand Ports (COM & LPT) and see which port has been assigned (in my case COM5).
5. Open the SSCOM3.2 terminal and select the port assigned by the computer (COM5 here; yours may differ, so select the appropriate port).
6. Check whether the port is open or closed; if it is closed, open it by clicking on it.
7. With the port open, type AT and check the response (the module answers with OK).

Next, check the firmware version of your HM-10 with the command "AT+VERR?". If you bought the HM-10 recently it should be version 526 or later. If so, you can skip the Firmware Update section below and go directly to the iBeacon Configuration section. If you want the latest version anyway, go ahead and update the firmware.

 

How to do a Firmware Update

If your HM-10 needs a firmware update, download the appropriate version from the JNHuaMao web site only, not from a third-party re-upload. Determine which TI chip your HM-10 uses: it will be either a CC2540 (older units) or a CC2541 (newer units). Look at the square chip on the HM-10 (use a magnifier if needed) and you should be able to read the markings.

Make sure you download the correct version of the firmware: the one for the HM-10, and for the TI chip on your board.

Unzip the firmware update file and keep all its contents in the same folder. You will see at least three files: a readme.txt with brief instructions, the firmware image with a .bin suffix, and the firmware update application, a Windows .exe file (sorry Linux and Mac users), probably named HMSoft.exe.

Before updating the HM-10 firmware, make sure the connections to the module are reliable and that the wires and cables cannot be accidentally knocked loose. Keep pets and small children away from the area while the update runs, to avoid an accidental interruption.

1. Using the Arduino serial monitor (or the terminal program used above), enter the command AT+SBLUP. The HM-10 should respond with OK+SBLUP; it is now waiting for the firmware update.
2. Exit the serial monitor program so that it releases the COM port.
3. Launch the firmware update program extracted from the zip file, most likely HMSoft.exe.
4. In the COM Port field, enter the number of the COM port connected to your HM-10. For example, if it is COM3, enter 3.
5. Click the "..." button for the Image File field and select the .bin file that came in the zip file: HMSoft.bin.
6. Finally, click the Load Image button.

The firmware update will take a couple of minutes. Do not interrupt it, and do nothing else on the PC while it runs, to reduce the chance of the process being interrupted.

7. When verification is complete, it may take a few seconds before the "Download completed successfully" message is displayed.

The screenshot above shows an example of a successfully concluded firmware update. When finished, exit the firmware update program and re-launch the Arduino serial monitor.

iBeacon Configuration

You have to type a few commands into the HM-10 to configure it as an iBeacon, using the Arduino serial monitor (or the terminal program used above). In the list below, the initial text is the command you type into the HM-10 and the rest is a comment on what it does. Each command is acknowledged with an OK... response.

 

 
1. AT+RENEW: restore factory defaults
2. AT+RESET: reboot the HM-10
3. AT: wait for OK
4. AT+MARJ0x1234: set the iBeacon Major number to 0x1234 (hexadecimal)
5. AT+MINO0xFA01: set the iBeacon Minor number to 0xFA01 (hexadecimal)
6. AT+ADVI5: set the advertising interval to 5 (546.25 ms)
7. AT+NAMEDOPEY: set the HM-10 module name to DOPEY; make this unique
8. AT+ADTY3: make the module non-connectable (saves power, and since no central can connect, the module cannot be reconfigured over the air)
9. AT+IBEA1: enable iBeacon mode
10. AT+DELO2: iBeacon broadcast-only (saves power)
11. AT+PWRM0: enable auto-sleep; this reduces the current from about 8 mA to 0.18 mA
12. AT+RESET: reboot
 

 

Note: the parameter values above are only examples; set them to what you want. After this set of commands has been sent, the HM-10 should be visible as an iBeacon on your iDevice or Android device (using your favourite iBeacon app). Choose the Major and Minor numbers in steps 4 and 5 to suit your deployment: the Major number is the same within an area (e.g. a store or building) and the Minor number uniquely identifies the iBeacon within that area. The procedure above does not alter the default HM-10 UUID, which is a standard proximity UUID. If you want to change it, use the AT+IBE0, AT+IBE1, AT+IBE2 and AT+IBE3 commands: the 16-byte UUID is divided into four 4-byte chunks and each chunk is set with a different command. The table below shows which part of the UUID each of the four commands updates.

 

UUID: 74278BDA-B644-4520-8F0C-720EAF059935

AT+IBE074278BDA   sets bytes 0-3   (74278BDA)
AT+IBE1B6444520   sets bytes 4-7   (B6444520)
AT+IBE28F0C720E   sets bytes 8-11  (8F0C720E)
AT+IBE3AF059935   sets bytes 12-15 (AF059935)

The chunks ignore the hyphens of the canonical UUID: the second chunk spans the end of one hyphenated group and the start of the next.
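The following is an added example, not code from the original article or from JNHuaMao. It ties the two halves of this section together: it parses the manufacturer-specific data of a captured iBeacon advertisement into UUID, major and minor, and then emits the AT+IBE0..AT+IBE3, AT+MARJ and AT+MINO commands that would make another HM-10 broadcast the same beacon, which is also why beacon identifiers cannot serve as a secret. It assumes the iBeacon payload layout Apple publishes (company ID 0x004C little-endian, type 0x02, length 0x15, 16-byte UUID, big-endian major and minor, one signed byte of measured TX power) and the AT syntax used by the HM-10 firmware this article targets. The advertisement bytes are constructed from the article's own example values.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example (not from the original article). Assumptions: Apple's iBeacon
 * manufacturer-data layout and the HM-10 AT command syntax shown above. */

#define IBEACON_MFG_LEN 25

typedef struct {
    uint8_t  uuid[16];
    uint16_t major;
    uint16_t minor;
    int8_t   tx_power;   /* measured power at 1 m, dBm */
} ibeacon;

/* Returns 0 on success, -1 if the block is not an iBeacon advertisement. */
int ibeacon_parse(const uint8_t *mfg, size_t len, ibeacon *out) {
    if (mfg == NULL || out == NULL || len < IBEACON_MFG_LEN) return -1;
    if (mfg[0] != 0x4C || mfg[1] != 0x00 || mfg[2] != 0x02 || mfg[3] != 0x15) return -1;
    memcpy(out->uuid, mfg + 4, 16);
    out->major    = (uint16_t)((mfg[20] << 8) | mfg[21]);
    out->minor    = (uint16_t)((mfg[22] << 8) | mfg[23]);
    out->tx_power = (int8_t)mfg[24];
    return 0;
}

/* Fills cmds[0..5] with AT+IBE0..AT+IBE3 (4 UUID bytes each, no hyphens),
 * then AT+MARJ and AT+MINO. Returns the number of commands written. */
int ibeacon_to_at(const ibeacon *b, char cmds[6][24]) {
    for (int i = 0; i < 4; i++) {
        const uint8_t *p = b->uuid + 4 * i;
        snprintf(cmds[i], 24, "AT+IBE%d%02X%02X%02X%02X", i, p[0], p[1], p[2], p[3]);
    }
    snprintf(cmds[4], 24, "AT+MARJ0x%04X", b->major);
    snprintf(cmds[5], 24, "AT+MINO0x%04X", b->minor);
    return 6;
}

/* Constructed sample advertisement: the HM-10 default UUID, major 0x1234 and
 * minor 0xFA01 from the article's command list, TX power -59 dBm (0xC5). */
static const uint8_t sample_adv[IBEACON_MFG_LEN] = {
    0x4C, 0x00, 0x02, 0x15,
    0x74, 0x27, 0x8B, 0xDA, 0xB6, 0x44, 0x45, 0x20,
    0x8F, 0x0C, 0x72, 0x0E, 0xAF, 0x05, 0x99, 0x35,
    0x12, 0x34, 0xFA, 0x01, 0xC5
};

/* Parse the sample and produce the commands; returns the command count or -1. */
int ibeacon_demo(ibeacon *b, char cmds[6][24]) {
    if (ibeacon_parse(sample_adv, sizeof sample_adv, b) != 0) return -1;
    return ibeacon_to_at(b, cmds);
}

int main(void) {
    ibeacon b;
    char cmds[6][24];
    int n = ibeacon_demo(&b, cmds);
    for (int i = 0; i < n; i++) printf("%s\n", cmds[i]);
    printf("tx_power=%d dBm\n", b.tx_power);
    return 0;
}
```

The four AT+IBEn lines it prints are exactly the ones in the table above, which is the point: everything needed to clone a beacon is in its advertisement.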

Sample iBeacon Scan

Disconnect the wiring carefully after configuring the HM-10.

The following screenshots show three HM-10 based iBeacons scanned by an Android phone, and the estimated distance to one of the devices.

 

Using the HM-10 as an iBeacon Proximity Device

The following eight UUIDs are built into Apple's AirLocate sample app as proximity devices. Use one of these to ensure compatibility with iOS apps that follow AirLocate.

E2C56DB5-DFFB-48D2-B060-D0F5A71096E0
5A4BCFCE-174E-4BAC-A814-092E77F6B7E5
74278BDA-B644-4520-8F0C-720EAF059935 (HM-10 default)
112EBB9D-B8C9-4ABD-9EB3-43578BF86A41
22A17B43-552A-4482-865F-597D4C10BACC
33D8E127-4E58-485B-BEE7-266526D8ECB2
44F506A4-B778-4C4E-8522-157AAC0EFABD
552452FE-F374-47C4-BFAD-9EA4165E1BD9
  


Waking Up the HM-10

When the HM-10 is in auto-sleep mode it goes to sleep quickly after power-up or a reboot. After the AT+PWRM0 command has been sent and the module restarted, it no longer responds to AT commands. To wake it, send it a long line of random alphabetic characters, 80 characters or more; it wakes and responds with OK+WAKE. If you want to work with the device for a while, send AT+PWRM1 so that it does not go to sleep on you, and send AT+PWRM0 again when you are done to reduce power consumption.

 

REFERENCES

http://www.zdnet.com/article/what-is-apple-ibeacon-heres-what-you-need-to-know/

http://www.beaconsandwich.com/what-is-ibeacon.html

 

Prepared by:

Kamlesh Kumar Thakur (Sr. hardware engineer at Radiojitter.com)


How do I receive FTA (Free to Air) channels via DD Free Dish (DD Direct Plus) INDIA

Contents

1 About

2 More about DTH

2.1 What is DTH?

2.2 What is DD Free Dish?

2.3 Future of DD Free Dish

2.4 How DD Free Dish is different from other DTH systems

2.5 How to receive DD Free Dish

2.6 Installation of the Receive System

2.7 Satellite in use

2.8 DTH Receive Parameters

3 DVB-S2 digital satellite receiver box

3.1 Introduction

3.2 Features

3.3 Technical specification

3.4 How to set up and tune

4 How to assemble a Ku-band dish antenna

5 LNB Ku band for DTH

6 Cable type

6.1 Connectors

7 DTH Receiver

7.1 Types of DTH Receiver

7.2 Main Function

7.3 How to Scan the Channels

8 Digital Satellite Tracer/dB Meter

8.1 Features

8.2 How to Track the Satellite

9 Received channels list

1 About

DD Free Dish is India's only free Direct-To-Home service, formerly known as DD Direct+. It was launched in December 2004 and is owned and operated by the public service broadcaster Prasar Bharati (Doordarshan).

2 More about DTH

2.1 What is DTH?

In general, a DTH service is one in which a large number of channels are digitally compressed, encrypted, uplinked and beamed down over a territory from a very high-power satellite. The DTH signals are received directly at home with a small dish receive unit: a dish antenna of 60 to 90 cm diameter installed on the roof-top or on a wall facing clear south, and one indoor set-top box that demultiplexes the DTH channel bouquet for viewing on a TV set. The signals can be received anywhere in the country irrespective of the terrain, provided the area lies within the footprint of the satellite.

DTH transmission eliminates the intervening role of a local cable operator, since the user is connected directly to the DTH service. DTH transmission is mostly done in the Ku band, which avoids the need for larger dishes. As the DTH telecast is digital, the user gets all the benefits of digital transmission: programmes in the DTH bouquet have higher picture resolution and better audio quality than traditional analogue signals.

Direct-to-Home (DTH) satellite television has become a buzzword in the satellite broadcast industry because it offers immense opportunities to both broadcasters and viewers. Thanks to the rapid development of digital technology, DTH operators worldwide have introduced a large number of new interactive applications, besides a large number of entertainment programmes, over a single delivery platform. In addition, since digital technology exploits the frequency spectrum very efficiently, the number of TV channels that can be broadcast digitally is significantly higher than with analogue technology. The larger number of channels lets an operator serve a number of niche markets with dedicated transmissions.

2.2 What is DD Free Dish?

Doordarshan's DD Free Dish is a multi-channel free-to-air Direct-to-Home (DTH) service. It was launched in December 2004 with a modest 33 channels and was inaugurated by the Hon'ble Prime Minister of India. DD Free Dish has been upgraded from time to time; at present Doordarshan's DTH platform has a capacity of 80 SDTV channels along with 32 radio channels. DD Free Dish is available in the Ku band on GSAT-15 (at 93.5°E) using MPEG-2 DVB-S, in 5 streams of channels with downlink frequencies of 11090, 11170, 11470, 11510 and 11550 MHz. This Ku-band DTH service covers the whole Indian territory except the Andaman & Nicobar Islands. The signals are received with a small dish receive system (a set-top box and a dish of 60 to 90 cm diameter), and viewers pay no monthly subscription fee.

A separate DTH service in the C band, with a bouquet of 10 channels, is provided by Doordarshan exclusively for the Andaman & Nicobar Islands and is also free-to-air. This C-band service is available on INSAT-4B (at 93.5°E) with a downlink frequency of 3925 MHz, 27500 Ksps, FEC 3/4, horizontal polarisation and an LNB local oscillator of 5150 MHz. It is received with an STB and a small dish antenna (approximately 120 cm diameter), again with no monthly subscription fee.

2.3 Future of DD Free Dish

DD Free Dish has been expanded from time to time. The present capacity is likely to be enhanced to 104 SDTV channels and 40 radio channels in the near future with the introduction of a new MPEG-4, DVB-S2 stream.

2.4 How DD Free Dish is different from other DTH systems

Most DTH services, in India and elsewhere in the world, are paid services. In a paid service the operator uplinks encrypted TV signals to the satellite, and subscribers receive them with a dish receive system consisting of a dish antenna and a customised set-top box (digital decoder). According to the bundle of channels and the payment plan the subscriber chooses, the operator's conditional-access system issues the subscriber's set-top box the keys needed to decrypt those channels. The subscription charges for viewing the channels are collected by the DTH operator.

DD Free Dish is entirely different: Doordarshan charges no monthly subscription fee for the complete bouquet of DD Free Dish channels, which makes the system affordable for all, since it needs only a small one-time investment in a dish receive system consisting of a set-top box and a small dish antenna.

2.5 How to receive DD Free Dish

The DD Free Dish receive system has three units: 1) a small dish antenna with an LNBF, 2) an indoor set-top box (STB), also known as an IRD (Integrated Receiver Decoder), and 3) a handheld remote control for the STB. The dish antenna, installed on the roof-top or on a wall facing clear south, receives the signal from the satellite and passes it to the indoor set-top box. The set-top box decodes the individual TV channels from the DTH bouquet and feeds them to the TV set for viewing.

The complete DD Free Dish DTH system (dish antenna, set-top box and remote control) is a one-time purchase from the open market at a nominal cost. There is no recurring expenditure, such as a monthly subscription, for viewing DD Free Dish channels.

2.6      Installation of the Receive System:

Installation of the DTH receive system is very easy and does not take much time. The viewers may take the services of skilled technical personnel to get the dish installed and oriented towards the desired Satellite, followed by tuning/configuring the Set-Top-Box unit. Dish Installation and STB-Tuning procedure is normally mentioned in the manual supplied by respective manufacturer along with their receive system. As a broad guideline, some of the parameters which may be required to be fed to the STB are indicated below.

2.7      Satellite in use:

The GSAT series geostationary satellite GSAT-15 from ISRO is used to provide DD Free Dish services in Ku-band. Reception of the DD Free Dish signal is available throughout the length and breadth of Indian territory, except the Andaman & Nicobar Islands.

Satellite type: Geo-synchronous

Satellite's orbital location: 93.5° East

2.8       DTH Receive Parameters:

Receive parameters of Doordarshan's DTH bouquet of TV channels (spread across 5 streams) are as follows:

Transponder     Polarization   Downlink Frequency (MHz)   LNB Frequency (MHz)   Symbol Rate (Ksps)   FEC
K-16 (36 MHz)   V              11090                      9750                  29500                3/4
K-18 (36 MHz)   V              11170                      9750                  29500                3/4
K-19 (36 MHz)   V              11470                      9750                  29500                3/4
K-20 (36 MHz)   V              11510                      9750                  29500                3/4
K-21 (36 MHz)   V              11550                      9750                  29500                3/4

 

3         DVB-S2 digital satellite receiver

3.1      Introduction:

HDStar DVB-S2 TV Box

The DVB-S2 HDStar is a digital satellite receiver box with a USB 2.0 interface that lets you watch free-to-air high-definition and standard-definition digital satellite TV and digital radio on your PC. It can also record TV programmes directly to the PC's hard disk in MPEG-2/H.264 TS format.

You can even hook it up to your home video entertainment system through the additional AV input.

It also lets you pause a live broadcast and resume from where you left off with the Time Shift function.

 

3.2      Features:

Linux and Android drivers coming soon!

Watch free-to-air digital satellite HDTV (1920×1080)/SDTV programmes and listen to digital radio on the PC

Fully Resizable TV (up to full screen)

Auto channel scan and automatic channel name recognition

Personal Digital VCR (Personal Video Recorder)

Pause, rewind and instant replay live TV program

Play back your recorded programs while continuing to record in real time (Time Shift)

Record/ Playback Live TV programs and video in MPEG-II/H264 quality

Recording Scheduler

Supports single and multiple still image capture

Video Always on Top

Supports Windows XP, Vista and Windows 7

Fully Functional Remote Control

Technical specification:

Input signal:

·         75 Ohm digital TV antenna input

System requirements:

·         IBM compatible PC

·         Pentium 4 2.5 GHz, 256 MB RAM or better

·         At least one USB 2.0 port

·         DirectDraw-compatible AGP graphics card, min. 512 MB RAM

·         Windows XP, Vista or Windows 7

·         AGP or PCI-E VGA card with DirectX 9.0 or higher

·         Creative compatible sound card

·         Digital satellite dish

·         Available DVB-S2 broadcasting

Accessories:

·         DVB-S2 HDStar box

·         Remote control handset

·         Installation CD (incl. User's Manual in PDF format)

·         Quick Installation Guide

·         USB cable

·         Power adaptor

Dimensions:

·         Hardware: 145.2 mm × 56 mm

3.3      How to set up and tune HD STAR:


4         How to assemble a Ku-band dish antenna:

4.1.1    Installation and Debugging Manual for Satellite TV Antenna

1. Prepare required tools and materials

Tools: Hammer, compass, marker, drill and appropriate bit, adjustable spanner, helping tool for fixing metallic wall plugs.

Materials: Dish with all pieces, L-wall mount, stainless steel washers, F connectors, metallic wall plugs, coaxial cable for satellite signal, hexagonal screws, digital TV receiver or PCI card or USB receiver.

Choosing the antenna diameter depends on:

• the geographical location where the antenna is installed

• the signal field intensity of the satellite used


2. Install antenna mount

• Steps:

Firstly, find a suitable position based on the following two requirements:

① Measure and calculate the antenna AZ and El angles with a compass, so that the antenna can be aligned to the satellite correctly at this installation position.

② There must not be any barriers between the antenna and the satellite.

Hold the L-type antenna mount against the chosen position by hand, and mark 4 signs with a marking pen according to the installation holes.

Drill 4 holes with an electric drill at the marked positions. Usually a hole depth within 0~5 cm is best.

Insert the expansion bolts into the 4 holes and knock them in with a hammer so that they are fully seated.

Install the L-type antenna mount, fastening the flat gasket, spring washer and nuts at the corresponding holes.

3. Install antenna reflector

• Steps: The installation method varies with the model and brand of the product. The picture referred to here is the installation diagram of the Antesky antenna reflector.

• Reflector installation consists of the LNB, the fastening bolts, and the position mark (marked in red in the picture) used to align the satellite correctly.
4. Debug the antenna to align the satellite

How to make the antenna align with the satellite accurately?

Generally, the parameters of the satellite to be received can be found on the Lyngsat website, and the antenna AZ, El and Pol angles are then calculated from the antenna installation location. The same AZ, El and Pol parameters can also be calculated with the Dishpointer software from the installation location; the antenna is then adjusted to align with the satellite according to these parameters.

AZ angle: the horizontal angle, measured clockwise, from the north line at a given point to the direction of the target.

El angle: the pitching angle of the antenna relative to the XOY plane of the inertial coordinate system.

Pol. angle: the angle at which the antenna and the electromagnetic wave radiated by the satellite satisfy polarization matching. Suppose the satellite beam centre is at the same longitude as the satellite: a receiving antenna at the same longitude as the sub-satellite point matches the radiated wave well, while the polarization of a receiving antenna at a different longitude from the sub-satellite point does not match the satellite's wave until the antenna is rotated by a certain angle.

All these parameters depend on two factors:

① The geographical location where the antenna is installed.

② The longitude of the adopted satellite.

5. Connect the cables and receive TV signals

Make the coaxial cables.

Connect the cables, debug and receive the satellite signals.
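As an added example (not from the original article, Lyngsat or Dishpointer), the Python below computes the AZ, El and Pol angles described above from the two factors the text names, the installation site's latitude/longitude and the satellite's longitude. It assumes a spherical Earth, a geostationary orbit radius of 42164 km, and the skew sign convention of the Houston/California/Maine example later on this page (0 at the satellite's longitude, negative when the satellite lies east of the site); the New Delhi coordinates are a constructed sample site.

```python
"""Look angles for pointing a dish at a geostationary satellite.

Added example, not code from the article. Computes azimuth (AZ),
elevation (El) and polarization skew (Pol) for a site from its
latitude/longitude and the satellite longitude (93.5 E for GSAT-15).
Assumptions: spherical Earth of radius 6378.137 km, geostationary
orbit radius 42164 km, skew sign convention as in the article's
Houston / California / Maine example.
"""
import math

EARTH_RADIUS_KM = 6378.137   # assumed spherical Earth
GEO_RADIUS_KM = 42164.0      # geostationary orbit radius from Earth's centre
GSAT15_LONGITUDE_E = 93.5    # satellite longitude used by DD Free Dish


def look_angles(site_lat_deg, site_lon_deg, sat_lon_deg=GSAT15_LONGITUDE_E):
    """Return (azimuth, elevation, skew) in degrees, rounded to 0.1.

    Longitudes are signed: east positive, west negative. Azimuth is
    measured clockwise from true north, elevation above the local horizon.
    Raises ValueError when the satellite is below the horizon (no line of
    sight from this site), which is the failure case an installer must
    rule out before mounting anything.
    """
    lat = math.radians(site_lat_deg)
    lon = math.radians(site_lon_deg)
    sat = math.radians(sat_lon_deg)

    # Earth-centred, Earth-fixed positions of the site and the satellite;
    # the satellite sits in the equatorial plane (z = 0).
    sx = EARTH_RADIUS_KM * math.cos(lat) * math.cos(lon)
    sy = EARTH_RADIUS_KM * math.cos(lat) * math.sin(lon)
    sz = EARTH_RADIUS_KM * math.sin(lat)
    dx = GEO_RADIUS_KM * math.cos(sat) - sx
    dy = GEO_RADIUS_KM * math.sin(sat) - sy
    dz = 0.0 - sz

    # Rotate the site-to-satellite vector into the local East/North/Up frame.
    east = -math.sin(lon) * dx + math.cos(lon) * dy
    north = (-math.sin(lat) * math.cos(lon) * dx
             - math.sin(lat) * math.sin(lon) * dy
             + math.cos(lat) * dz)
    up = (math.cos(lat) * math.cos(lon) * dx
          + math.cos(lat) * math.sin(lon) * dy
          + math.sin(lat) * dz)

    elevation = math.degrees(math.atan2(up, math.hypot(east, north)))
    if elevation <= 0:
        raise ValueError("satellite is below the horizon from this site")
    azimuth = math.degrees(math.atan2(east, north)) % 360.0

    # Polarization skew: 0 when the site shares the satellite's longitude,
    # growing with the longitude difference and shrinking with latitude.
    # Sign convention (assumed): negative when the satellite is east of the site.
    delta = lon - sat
    skew = math.degrees(math.atan2(math.sin(delta), math.tan(lat)))
    return round(azimuth, 1), round(elevation, 1), round(skew, 1)


if __name__ == "__main__":
    # Constructed sample site: New Delhi (approx. 28.61 N, 77.21 E).
    az, el, pol = look_angles(28.6139, 77.2090)
    print(f"GSAT-15 from New Delhi: AZ {az}, El {el}, Pol {pol} (degrees)")
```

Cross-check the result against the Dishpointer figure and the LNB's printed skew label before drilling; the skew sign convention differs between tools.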

5 LNB Ku Band for DTH

5.1 LNB Description:

Solid Universal Twin Output LNB Ku-Band

Technical Specifications:

• Ku-Band Twin LNBF
• I/P Freq: 10.70 - 12.75 GHz
• L.O. Freq: 9.75 / 10.60 GHz
• N.F.: 0.30 dB (Typ.)
• Gain: 55 dB (Typ.)

Features:

• Solid Ku-band two-output LNB: one dish and two receivers
• Receives all single and dual polarized Ku-band satellite signals
• Low phase noise for digital receiving
• Low noise figure
• Low power consumption
• Excellent DRO & gain flatness
• Qualified for harsh environments


6. Cable type

75 Ohm Digital Video Coaxial Cable RG-59 Type by the Foot – Black

Canare 75 ohm precision digital video cables offer the professional broadcaster a high performance,

Specifications:

·         HD-Serial Digital Video

·         Satellite Head Ends

·         HDTV Upgrades

·         Broadband Facilities

·         SMPTE 259M, 292M, 424M

Features:

·         Solid copper centre conductor

·         Foam PE dielectric

·         Tinned copper braid + 100% foil shield

·         Dielectric strips away clean from conductor

·         Precision coax, 100% sweep tested


6.1      Connectors:

F-Connector, screw-on end, for satellite virgin coaxial cable RG6


7 DTH Receiver

Solid digital set-top box, digital satellite TV receiver F2A

7.1      Main Functions:

Specifications:

·         DVB-S/S2 digital TV signal modulated in QPSK/8PSK

·         Input frequency range 950 MHz to 2150 MHz

·         Supports DiSEqC 1.0 & 1.2

·         Reception of SCPC/MCPC, C/Ku band

·         Favourite channel edit, parental lock

·         Supports USB 2.0 and OTA software upgrade

·         Voltage: 14/18 V

·         Tone: 22K / Auto

·         Symbol rate: 2-45 MB/S

Features & Functions:

·         Fully compliant with the DVB-S2 digital TV reception standard

·         Supports 480i/480p/576i/576p/720p

·         Convenient auto search function

·         Intelligent graphical user interface design

·         Capacity to store up to 2000 transponders and 4000 channels

·         Fast channel selection

·         Variable aspect ratio (4:3, 16:9), Pan & Scan or Letter Box modes

·         Channel search in automatic blind scan

·         OSD: 256 colours on-screen display

·         6 favourite channel groups


7.2      How to Scan the Channels

1. Satellite Name:

• Go to the Installation menu or Setup Programme from the remote.
• Select the Satellite Edit menu.
• Select the Add New Satellite menu.
• Select the Sat Name Edit menu.
• Enter the satellite name as DD or GSAT-15.
• Enter the satellite longitude as 93.5° E.
• Press Exit.

2. LNB Configuration:

• Go to the LNB Configuration menu. Ensure that the selected satellite is DD or GSAT-15 only.
• Set LNB Type as Universal.
• Set LNB Power on.
• Press Exit and save (Yes).

3. Transport streams of Transponder (TP) Edit:

• Go to the Transponder Edit menu. Ensure that the selected satellite is GSAT-15.
• Select the Add New TP menu.
• Enter the TP frequency as 11090 / 11170 / 11470 / 11510 / 11550 MHz, one by one.
• Select the symbol rate as 29500 Ksps.
• Select the polarization as Vertical.
• Set '22K' to OFF.
• Set 'DiSEqC' to Off.
• Select Scan as FTA.
• Press OK.
• After filling in the above values, go to 'Scan'.
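The following added example (not from the article or any receiver manufacturer) shows the arithmetic behind the LNB and TP settings in steps 2 and 3 above and the receive-parameter table in section 2.8: which local oscillator a universal LNB (L.O. 9.75/10.60 GHz, section 5.1) applies to each DD Free Dish transponder, why '22K' stays OFF, and whether the resulting intermediate frequency fits the set-top box's 950-2150 MHz input range from 7.1. The 11700 MHz low/high band switch point is an assumption (the usual universal-LNB value); the transponder list is the page's own.

```python
"""Universal LNB band selection and STB input-range check.

Added example, not code from the article. A universal Ku-band LNB mixes
the downlink frequency with its low local oscillator (9750 MHz) when the
22 kHz tone is off and with its high one (10600 MHz) when the tone is on;
the set-top box then tunes the resulting IF, which must lie inside its
950-2150 MHz input range.
"""

LOW_LO_MHZ = 9750               # low band local oscillator (22 kHz tone off)
HIGH_LO_MHZ = 10600             # high band local oscillator (22 kHz tone on)
BAND_SWITCH_MHZ = 11700         # assumed low/high band boundary of a universal LNB
STB_IF_RANGE_MHZ = (950, 2150)  # receiver input range from section 7.1

# DD Free Dish transponders on GSAT-15 from the receive-parameter table (section 2.8).
DD_FREE_DISH_TP_MHZ = [11090, 11170, 11470, 11510, 11550]


def lnb_plan(downlink_mhz):
    """Return (lo_mhz, tone_22k_on, if_mhz) the STB must use for a transponder."""
    if downlink_mhz < BAND_SWITCH_MHZ:
        lo, tone = LOW_LO_MHZ, False
    else:
        lo, tone = HIGH_LO_MHZ, True
    return lo, tone, downlink_mhz - lo


def stb_can_tune(downlink_mhz):
    """True when the IF produced by the LNB falls inside the STB input range."""
    _, _, if_mhz = lnb_plan(downlink_mhz)
    low, high = STB_IF_RANGE_MHZ
    return low <= if_mhz <= high


def scan_table(transponders_mhz):
    """Build one settings row per transponder, as entered in the TP Edit menu."""
    rows = []
    for tp in transponders_mhz:
        lo, tone, if_mhz = lnb_plan(tp)
        rows.append({
            "downlink_mhz": tp,
            "lo_mhz": lo,
            "22k": "ON" if tone else "OFF",
            "if_mhz": if_mhz,
            "tunable": stb_can_tune(tp),
        })
    return rows


if __name__ == "__main__":
    for row in scan_table(DD_FREE_DISH_TP_MHZ):
        print(row)
```

All five DD Free Dish transponders sit below 11700 MHz, so the low oscillator applies, the tone stays off and the IFs (1340 to 1800 MHz) are comfortably inside the receiver's range.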
8. Digital Satellite Tracer/dB Meter

8.1      Features:

• Capable of editing transponders, symbol rate, LO frequency, etc.
• Accurate and convenient facility for antenna installation
• Supports DVB-S2 and DVB-S with QPSK and 8PSK demodulation
• Calculates the dish antenna angle; mini compass provided on the front
• Signal strength and quality / Rev. BER display
• Symbol rate 1-45 Msps, supports DiSEqC 1.0
• Supports 0-22 kHz and 13-18 V control signals
• Built-in buzzer

LNBF Polarization Tilt (skew)

Your LNB is marked with a label indicating the polarization tilt. The local LNB polarity offset varies by location. If you are in Houston, TX, your LNB polarization is set at 0 degrees. But on the California coast your LNB polarization could be as much as minus 30 degrees (clockwise rotation), and in Maine it could be as much as plus 30 degrees (counter-clockwise rotation). Peaking the dish and adjusting the polarity of the LNB will greatly improve your signal quality reading.

When adjusting the LNBF, make sure you do not leave the LNBF holding bracket loose. The LNBF will not pick up the satellite if the bracket is loose and it is slightly off. Finally, when thinking about degrees, remember that 30 degrees is about 5 minutes on a clock. Do not turn the LNB too much!

• Angle Finder

Use Dishpointer (Satellite Finder / Dish Alignment Calculator) to find the latitude/longitude and the azimuth/elevation for the required satellite and your exact location.

• Set the desired angle using the compass. For DD Free Dish, set it to 93.5° East.

• Set the elevation marked on the dish antenna, as shown in the figure, according to your location.

After getting all the details of the desired satellite, select a location with a direct line of sight in the direction of the satellite. High locations such as a rooftop or balcony are generally used. Using an analog compass makes locating the angle easier.

Secure the dish in the selected position. The dish must be fixed tightly at the mounting point, as it must be able to resist wind force. Otherwise it might fall and injure people passing by or damage property below.

Adjust the dish direction so that it points to 93.5° East for DD Free Dish and tilt it up slightly. Tighten the screws controlling the direction adjustment, but do not tighten them completely.

Connect the satellite finder using the 6 foot (1.8 m) coaxial cable. As shown in the picture, connect the power supply output terminal to the receiver and the LNB out to the Satellite terminal of the satellite finder.

• Switch on the power supply; the different parameters appear in the menu list. Select Find (press OK).

• Edit the parameters:

Sat Name: select any satellite from the list

LO Freq: select Univ

Down Freq: 11090 (set 11090 for DD Free Dish)

Symbol Rate: 29500 (set 29500 for DD Free Dish)

Polarity: V (for DD Free Dish)

DiSEqC 1.0: OFF

22K: Auto

Buzzer: ON

Start rotating the dish; at the exact position you will hear a beeping sound from the satellite tracker, along with the signal quality and signal strength readings.

Tighten the rotation control screw completely to fix this angle. Adjust the vertical angle in the same manner as the horizontal. The receiver dish will now be positioned to receive the satellite signals at the highest quality and strength.

Compare Signal Strength and Quality

• Zero Strength and Zero Quality: If this is the symptom you are experiencing, the receiver is currently not receiving the signal from the dish. Check all connections between your receiver and the dish. Make sure that they are all plugged into the proper place and are tight.

One of the most common connection problems is having the cable coming from the dish plugged into the connection marked "In from Antenna", which is incorrect. The cable coming from the dish needs to be plugged into the connection marked "In from Dish", "Digital In" or "LNB IN".

Also, the cables might have developed a short or might have got moisture in them, especially out at the dish. If this is a possibility, you may want to have an installer check the cables, or take them to an installer yourself.

• 0-30 Strength and Zero Quality: If you are experiencing these levels of strength and quality, you are getting only noise. Make sure that there are no obstacles between the dish and the satellite.

• 40-60 Strength and Zero Quality: With this level of strength and a lack of quality, it is very likely that the dish has moved since its initial installation, or you are still off alignment. We recommend going through the dish installation pointing steps and finding the satellite signal again. This will likely take just a few minor adjustments of the dish, since it should not have moved very much. Key causes of this problem include bolts not being tightened properly, heavy winds, or the dish being struck or bumped by something. Once the signal has been found again, make certain all bolts are tightened well. We also recommend that once everything is tightened down and the signal is back, you make a mark from the cap mount to the pole with paint or some other permanent substance. This gives you a reference point should any future problems occur. You can also make a mark on the side of the cap mount where the elevation markings are imprinted.

• 40-60 Strength and 30-70 Quality: This level of strength and quality indicates that the dish needs to be fine-tuned to the satellite. You may have noticed that, before getting the "Bad or No Signal" message, your picture was occasionally blotchy and your audio may have been out of sync with the picture. These are all symptoms of the need to fine-tune the dish. Optimum signal quality is between 70 and 100.

9. Received channels list

DD FREE DISH CHANNEL LIST 14 JUNE 2016

Doordarshan's DD Free Dish / DD Direct Plus latest channel list, updated 13 June 2016, from the GSAT-15 satellite at 93.5° East


        Freq, Pol, S/R, FEC Standard, Modulation Encryption, System Channel Name Type APID VPID SID Last Updated
        11090, V, 29500, 3/4 DVB-S, QPSK Clear, MPEG-2 DWDS_Service Radio 775 (eng) / 4112 (eng) 0 3 01-02-2016
        11090, V, 29500, 3/4 DVB-S, QPSK Clear, MPEG-2 DD NATIONAL TV 6001 5001 2001 01-02-2016
        11090, V, 29500, 3/4 DVB-S, QPSK Clear, MPEG-2 DD NEWS TV 6002 5002 2002 01-02-2016
        11090, V, 29500, 3/4 DVB-S, QPSK Clear, MPEG-2 DD SPORTS TV 6003 5003 2003 01-02-2016
        11090, V, 29500, 3/4 DVB-S, QPSK Clear, MPEG-2 DD KISAN TV 6004 5004 2004 01-02-2016
        11090, V, 29500, 3/4 DVB-S, QPSK Clear, MPEG-2 DD BHARATI TV 6005 5005 2005 01-02-2016
        11090, V, 29500, 3/4 DVB-S, QPSK Clear, MPEG-2 DD BANGLA TV 6006 5006 2006 01-02-2016
        11090, V, 29500, 3/4 DVB-S, QPSK Clear, MPEG-2 DD CHANDANA TV 6007 5007 2007 01-02-2016
        11090, V, 29500, 3/4 DVB-S, QPSK Clear, MPEG-2 DD GIRNAR TV 6008 5008 2008 01-02-2016
        11090, V, 29500, 3/4 DVB-S, QPSK Clear, MPEG-2 DD KASHIR TV 6009 5009 2009 01-02-2016
        11090, V, 29500, 3/4 DVB-S, QPSK Clear, MPEG-2 MAHA MOVIE TV 6010 5010 2010 01-02-2016
        11090, V, 29500, 3/4 DVB-S, QPSK Clear, MPEG-2 AASTHA BHAJAN TV 6011 5011 2011 01-02-2016
        11090, V, 29500, 3/4 DVB-S, QPSK Clear, MPEG-2 B4 U MOVIES TV 6012 5012 2012 01-02-2016
        11090, V, 29500, 3/4 DVB-S, QPSK Clear, MPEG-2 WOW CINEMA TV 6013 5013 2013 01-02-2016
        11090, V, 29500, 3/4 DVB-S, QPSK Clear, MPEG-2 INDIA NEWS TV 6014 5014 2014 01-02-2016
        11090, V, 29500, 3/4 DVB-S, QPSK Clear, MPEG-2 IBN 7 TV 6015 5015 2015 01-02-2016
        11090, V, 29500, 3/4 DVB-S, QPSK Clear, MPEG-2 BIGMAGIC GANGA TV 6016 5016 2016 01-02-2016
        11090, V, 29500, 3/4 DVB-S, QPSK Clear, MPEG-2 AIR VBS Radio 6801 0 2801 01-02-2016
        11090, V, 29500, 3/4 DVB-S, QPSK Clear, MPEG-2 AIR Telugu Radio 6802 0 2802 01-02-2016
        11090, V, 29500, 3/4 DVB-S, QPSK Clear, MPEG-2 AIR Marathi Radio 6803 0 2803 01-02-2016
        11090, V, 29500, 3/4 DVB-S, QPSK Clear, MPEG-2 AIR Tamil Radio 6804 0 2804 01-02-2016
        11090, V, 29500, 3/4 DVB-S, QPSK Clear, MPEG-2 AIR NATIONAL Radio 6805 0 2805 01-02-2016
        11090, V, 29500, 3/4 DVB-S, QPSK Clear, MPEG-2 FM RAINBOW KOLKATA Radio 6806 0 2806 01-02-2016
        11090, V, 29500, 3/4 DVB-S, QPSK Clear, MPEG-2 TEST 107 Radio 6807 0 2807 01-02-2016
        11090, V, 29500, 3/4 DVB-S, QPSK Clear, MPEG-2 TEST 108 Radio 6808 0 2808 01-02-2016
        11170, V, 29500, 3/4 DVB-S, QPSK Clear, MPEG-2 DWDS_Service Radio 775 (eng) / 4112 (eng) 0 3 01-02-2016
        11170, V, 29500, 3/4 DVB-S, QPSK Clear, MPEG-2 DD RAJASTHAN TV 6051 5051 2051 01-02-2016
        11170, V, 29500, 3/4 DVB-S, QPSK Clear, MPEG-2 DD ORIYA TV 6052 5052 2052 01-02-2016
        11170, V, 29500, 3/4 DVB-S, QPSK Clear, MPEG-2 DD PODHIGAI TV 6053 5053 2053 01-02-2016
        11170, V, 29500, 3/4 DVB-S, QPSK Clear, MPEG-2 DD PUNJABI TV 6054 5054 2054 01-02-2016
        11170, V, 29500, 3/4 DVB-S, QPSK Clear, MPEG-2 DD SAHYADRI TV 6055 5055 2055 01-02-2016
        11170, V, 29500, 3/4 DVB-S, QPSK Clear, MPEG-2 DD YADAGIRI TV 6056 5056 2056 01-02-2016
        11170, V, 29500, 3/4 DVB-S, QPSK Clear, MPEG-2 DD MALAYALAM TV 6057 5057 2057 01-02-2016
        11170, V, 29500, 3/4 DVB-S, QPSK Clear, MPEG-2 LOK SABHA TV 6058 5058 2058 01-02-2016
        11170, V, 29500, 3/4 DVB-S, QPSK Clear, MPEG-2 RAJYA SABHA TV 6059 5059 2059 01-02-2016
        11170, V, 29500, 3/4 DVB-S, QPSK Clear, MPEG-2 SHRI NEWS TV 6060 5060 2060 01-02-2016
        11170, V, 29500, 3/4 DVB-S, QPSK Clear, MPEG-2 DANGAL TV 6061 5061 2061 01-02-2016
        11170, V, 29500, 3/4 DVB-S, QPSK Clear, MPEG-2 BHOJPURI CINEMA TV 6062 5062 2062 01-02-2016
        11170, V, 29500, 3/4 DVB-S, QPSK Clear, MPEG-2 DD BIHAR TV 6063 5063 2063 01-02-2016
        11170, V, 29500, 3/4 DVB-S, QPSK Clear, MPEG-2 DD NORTH EAST TV 6064 5064 2064 01-02-2016
        11170, V, 29500, 3/4 DVB-S, QPSK Clear, MPEG-2 DD UP TV 6065 5065 2065 01-02-2016
        11170, V, 29500, 3/4 DVB-S, QPSK Clear, MPEG-2 SADHNA NATIONAL TV 6066 5066 2066 01-02-2016
        11170, V, 29500, 3/4 DVB-S, QPSK Clear, MPEG-2 AIR Gujrati Radio 6821 0 2821 01-02-2016
        11170, V, 29500, 3/4 DVB-S, QPSK Clear, MPEG-2 FM Rainbow Radio 6822 0 2822 01-02-2016
        11170, V, 29500, 3/4 DVB-S, QPSK Clear, MPEG-2 AIR Punjabi Radio 6823 0 2823 01-02-2016
        11170, V, 29500, 3/4 DVB-S, QPSK Clear, MPEG-2 FM Gold Radio 6824 0 2824 01-02-2016
        11170, V, 29500, 3/4 DVB-S, QPSK Clear, MPEG-2 Radio Kashir Radio 6825 0 2825 01-02-2016
        11170, V, 29500, 3/4 DVB-S, QPSK Clear, MPEG-2 TEST 206 Radio 6826 0 2826 01-02-2016
        11170, V, 29500, 3/4 DVB-S, QPSK Clear, MPEG-2 TEST 207 Radio 6827 0 2827 01-02-2016
        11170, V, 29500, 3/4 DVB-S, QPSK Clear, MPEG-2 TEST 208 Radio 6828 0 2828 01-02-2016
        11470, V, 29500, 3/4 DVB-S, QPSK Clear, MPEG-2 DWDS_service Radio 775 (eng) / 4112 (eng) 0 3 01-02-2016
        11470, V, 29500, 3/4 DVB-S, QPSK Clear, MPEG-2 NAAPTOL BLUE TV 6101 5101 2101 01-02-2016
        11470, V, 29500, 3/4 DVB-S, QPSK Clear, MPEG-2 DD URDU TV 6102 5102 2102 01-02-2016
        11470, V, 29500, 3/4 DVB-S, QPSK Clear, MPEG-2 CINEMA TV TV 6103 5103 2103 01-02-2016
        11470, V, 29500, 3/4 DVB-S, QPSK Clear, MPEG-2 DD SAPTGIRI TV 6104 5104 2104 01-02-2016
        11470, V, 29500, 3/4 DVB-S, QPSK Clear, MPEG-2 INDIA TV TV 6105 5105 2105 01-02-2016
        11470, V, 29500, 3/4 DVB-S, QPSK Clear, MPEG-2 AASTHA TV TV 6106 5106 2106 01-02-2016
        11470, V, 29500, 3/4 DVB-S, QPSK Clear, MPEG-2 MANORANJAN TV TV 6107 5107 2107 01-02-2016
        11470, V, 29500, 3/4 DVB-S, QPSK Clear, MPEG-2 NEWS NATION TV 6108 5108 2108 01-02-2016
        11470, V, 29500, 3/4 DVB-S, QPSK Clear, MPEG-2 SONY PAL TV 6109 5109 2109 01-02-2016
        11470, V, 29500, 3/4 DVB-S, QPSK Clear, MPEG-2 DABANGG TV 6110 5110 2110 01-02-2016
        11470, V, 29500, 3/4 DVB-S, QPSK Clear, MPEG-2 RISTHEY TV 6111 5111 2111 01-02-2016
        11470, V, 29500, 3/4 DVB-S, QPSK Clear, MPEG-2 SONY MIX TV 6112 5112 2112 01-02-2016
        11470, V, 29500, 3/4 DVB-S, QPSK Clear, MPEG-2 HOMESHOP 18 TV 6113 5113 2113 01-02-2016
        11470, V, 29500, 3/4 DVB-S, QPSK Clear, MPEG-2 DD MP TV 6114 5114 2114 01-02-2016
        11470, V, 29500, 3/4 DVB-S, QPSK Clear, MPEG-2 ENTERR-10 TV 6115 5115 2115 01-02-2016
        11470, V, 29500, 3/4 DVB-S, QPSK Clear, MPEG-2 ABC TV 6116 5116 2116 01-02-2016
        11470, V, 29500, 3/4 DVB-S, QPSK Clear, MPEG-2 Air Kannada Radio 6841 0 2841 01-02-2016
        11470, V, 29500, 3/4 DVB-S, QPSK Clear, MPEG-2 AIR Bangla Radio 6842 0 2842 01-02-2016
        11470, V, 29500, 3/4 DVB-S, QPSK Clear, MPEG-2 AIR Hindi Radio 6843 0 2843 01-02-2016
        11470, V, 29500, 3/4 DVB-S, QPSK Clear, MPEG-2 AIR NE Radio 6844 0 2844 01-02-2016
        11470, V, 29500, 3/4 DVB-S, QPSK Clear, MPEG-2 FM Rainbow Chennai Radio 6845 0 2845 01-02-2016
        11470, V, 29500, 3/4 DVB-S, QPSK Clear, MPEG-2 FM Gold MUMBAI Radio 6846 0 2846 01-02-2016
        11470, V, 29500, 3/4 DVB-S, QPSK Clear, MPEG-2 TEST 307 Radio 6847 0 2847 01-02-2016
        11470, V, 29500, 3/4 DVB-S, QPSK Clear, MPEG-2 TEST 308 Radio 6848 0 2848 01-02-2016
        11510, V, 29500, 3/4 DVB-S, QPSK Clear, MPEG-2 DWDS_service Radio 775 (eng) / 4112 (eng) 0 3 01-02-2016
        11510, V, 29500, 3/4 DVB-S, QPSK Clear, MPEG-2 BIG MAGIC TV 6151 5151 2151 01-02-2016
        11510, V, 29500, 3/4 DVB-S, QPSK Clear, MPEG-2 SANSKAR TV 6152 5152 2152 01-02-2016
        11510, V, 29500, 3/4 DVB-S, QPSK Clear, MPEG-2 9XM TV 6153 5153 2153 01-02-2016
        11510, V, 29500, 3/4 DVB-S, QPSK Clear, MPEG-2 France 24 TV 6154 5154 2154 01-02-2016
        11510, V, 29500, 3/4 DVB-S, QPSK Clear, MPEG-2 INDIA 24×7 TV 6155 5155 2155 01-02-2016
        11510, V, 29500, 3/4 DVB-S, QPSK Clear, MPEG-2 Star Utsav TV 6156 5156 2156 01-02-2016
        11510, V, 29500, 3/4 DVB-S, QPSK Clear, MPEG-2 Zee ANMOL TV 6157 5157 2157 01-02-2016
        11510, V, 29500, 3/4 DVB-S, QPSK Clear, MPEG-2 MASTI TV 6158 5158 2158 01-02-2016
        11510, V, 29500, 3/4 DVB-S, QPSK Clear, MPEG-2 B4U Music TV 6159 5159 2159 01-02-2016
        11510, V, 29500, 3/4 DVB-S, QPSK Clear, MPEG-2 DILLAGI TV 6160 5160 2160 01-02-2016
        11510, V, 29500, 3/4 DVB-S, QPSK Clear, MPEG-2 DW TV TV 6161 5161 2161 01-02-2016
        11510, V, 29500, 3/4 DVB-S, QPSK Clear, MPEG-2 NEWS 24 TV 6162 5162 2162 01-02-2016
        11510, V, 29500, 3/4 DVB-S, QPSK Clear, MPEG-2 TELESHOP TV TV 6163 5163 2163 09-04-2016
        11510, V, 29500, 3/4 DVB-S, QPSK Clear, MPEG-2 AAJ TAK TV 6164 5164 2164 01-02-2016
        11510, V, 29500, 3/4 DVB-S, QPSK Clear, MPEG-2 ABP NEWS TV 6165 5165 2165 01-02-2016
        11510, V, 29500, 3/4 DVB-S, QPSK Clear, MPEG-2 CHARDIKALA TIME TV TV 6166 5166 2166 01-02-2016
        11510, V, 29500, 3/4 DVB-S, QPSK Clear, MPEG-2 AIR Ragam Radio 6861 0 2861 01-02-2016
        11510, V, 29500, 3/4 DVB-S, QPSK Clear, MPEG-2 FM Rainbow BLore Radio 6862 0 2862 01-02-2016
        11510, V, 29500, 3/4 DVB-S, QPSK Clear, MPEG-2 Air Urdu Radio 6863 0 2863 01-02-2016
        11510, V, 29500, 3/4 DVB-S, QPSK Clear, MPEG-2 Air Oriya Radio 6864 0 2864 01-02-2016
        11510, V, 29500, 3/4 DVB-S, QPSK Clear, MPEG-2 AIR Malayalam Radio 6865 0 2865 01-02-2016
        11510, V, 29500, 3/4 DVB-S, QPSK Clear, MPEG-2 AIR Assamese Radio 6866 0 2866 01-02-2016
        11510, V, 29500, 3/4 DVB-S, QPSK Clear, MPEG-2 Test Radio 407 Radio 6867 0 2867 01-02-2016
        11510, V, 29500, 3/4 DVB-S, QPSK Clear, MPEG-2 Test Radio 408 Radio 6868 0 2868 01-02-2016
        11550, V, 29500, 3/4 DVB-S, QPSK Clear, MPEG-2 MANORANJAN MOVIES TV 6201 5201 2201 08-02-2016
        11550, V, 29500, 3/4 DVB-S, QPSK Clear, MPEG-2 MOVIE HOUSE TV 6202 5202 2202 17-02-2016
        11550, V, 29500, 3/4 DVB-S, QPSK Clear, MPEG-2 HOUSEFULL MOVIES TV 6203 5203 2203 19-02-2016
        11550, V, 29500, 3/4 DVB-S, QPSK Clear, MPEG-2 STAR UTSAV MOVIES TV 6204 5204 2204 14-05-2016
        11550, V, 29500, 3/4 DVB-S, QPSK Clear, MPEG-2 RUSSIA TODAY TV 6205 5205 2205 17-02-2016
        11550, V, 29500, 3/4 DVB-S, QPSK Clear, MPEG-2 KHUSHBOO TV TV 6206 5206 2206 01-02-2016
        11550, V, 29500, 3/4 DVB-S, QPSK Clear, MPEG-2 HOUSEFULL ACTION TV 6207 5207 2207 01-02-2016
        11550, V, 29500, 3/4 DVB-S, QPSK Clear, MPEG-2 RT Movies TV 6208 5208 2208 19-02-2016
        11550, V, 29500, 3/4 DVB-S, QPSK Clear, MPEG-2 M TUNES TV 6209 5209 2209 25-02-2016
        11550, V, 29500, 3/4 DVB-S, QPSK Clear, MPEG-2 INDIA NEWS TV 6210 5210 2210 14-05-2016
        11550, V, 29500, 3/4 DVB-S, QPSK Clear, MPEG-2 OSCAR MOVIES BHOJPURI TV 6211 5211 2211 01-03-2016
        11550, V, 29500, 3/4 DVB-S, QPSK Clear, MPEG-2 RISHTEY CINEPLEX TV 6212 5212 2212 24-03-2016
        11550, V, 29500, 3/4 DVB-S, QPSK Clear, MPEG-2 VISION TV SIKSHA TV 6213 5213 2213 01-03-2016
        11550, V, 29500, 3/4 DVB-S, QPSK Clear, MPEG-2 X-ZONE TV 6214 5214 2214 15-03-2016
        11550, V, 29500, 3/4 DVB-S, QPSK Clear, MPEG-2 Fakt Marathi TV 6215 5215 2215 17-02-2016
        11550, V, 29500, 3/4 DVB-S, QPSK Clear, MPEG-2 CHITRAPAT MARATHI TV 6216 5216 2216 17-02-2016
        11550, V, 29500, 3/4 DVB-S, QPSK Clear, MPEG-2 Test 551 Radio 6881 0 2881 01-02-2016
        11550, V, 29500, 3/4 DVB-S, QPSK Clear, MPEG-2 Test 552 Radio 6882 0 2882 01-02-2016
        11550, V, 29500, 3/4 DVB-S, QPSK Clear, MPEG-2 Test 553 Radio 6883 0 2883 01-02-2016
        11550, V, 29500, 3/4 DVB-S, QPSK Clear, MPEG-2 Test 554 Radio 6884 0 2884 01-02-2016
        11550, V, 29500, 3/4 DVB-S, QPSK Clear, MPEG-2 Test 555 Radio 6885 0 2885 01-02-2016
        11550, V, 29500, 3/4 DVB-S, QPSK Clear, MPEG-2 Test 556 Radio 6886 0 2886 01-02-2016
        11550, V, 29500, 3/4 DVB-S, QPSK Clear, MPEG-2 Test 557 Radio 6887 0 2887 01-02-2016
        11550, V, 29500, 3/4 DVB-S, QPSK Clear, MPEG-2 Test 558 Radio 6888 0 2888 01-02-2016
        11630, V, 30000, 3/5 DVB-S2, 8PSK Clear, MPEG-4 TV Test 601 TV 6251 5251 2251 09-04-2016
        11630, V, 30000, 3/5 DVB-S2, 8PSK Clear, MPEG-4 TV Test 602 TV 6252 5252 2252 09-04-2016
        11630, V, 30000, 3/5 DVB-S2, 8PSK Clear, MPEG-4 TV Test 603 TV 6253 5253 2253 09-04-2016
        11630, V, 30000, 3/5 DVB-S2, 8PSK Clear, MPEG-4 TV Test 604 TV 6254 5254 2254 09-04-2016
        11630, V, 30000, 3/5 DVB-S2, 8PSK Clear, MPEG-4 TV Test 605 TV 6255 5255 2255 09-04-2016
        11630, V, 30000, 3/5 DVB-S2, 8PSK Clear, MPEG-4 TV Test 606 TV 6256 5256 2256 09-04-2016
        11630, V, 30000, 3/5 DVB-S2, 8PSK Clear, MPEG-4 TV Test 607 TV 6257 5257 2257 09-04-2016
        11630, V, 30000, 3/5 DVB-S2, 8PSK Clear, MPEG-4 TV Test 608 TV 6258 5258 2258 09-04-2016
        11630, V, 30000, 3/5 DVB-S2, 8PSK Clear, MPEG-4 TV Test 609 TV 6259 5259 2259 09-04-2016
        11630, V, 30000, 3/5 DVB-S2, 8PSK Clear, MPEG-4 TV Test 610 TV 6260 5260 2260 09-04-2016
        11630, V, 30000, 3/5 DVB-S2, 8PSK Clear, MPEG-4 TV Test 611 TV 6261 5261 2261 09-04-2016
        11630, V, 30000, 3/5 DVB-S2, 8PSK Clear, MPEG-4 TV Test 612 TV 6262 5262 2262 09-04-2016
        11630, V, 30000, 3/5 DVB-S2, 8PSK Clear, MPEG-4 TV Test 613 TV 6263 5263 2263 09-04-2016
        11630, V, 30000, 3/5 DVB-S2, 8PSK Clear, MPEG-4 TV Test 614 TV 6264 5264 2264 09-04-2016
        11630, V, 30000, 3/5 DVB-S2, 8PSK Clear, MPEG-4 TV Test 615 TV 6265 5265 2265 09-04-2016
        11630, V, 30000, 3/5 DVB-S2, 8PSK Clear, MPEG-4 TV Test 616 TV 6266 5266 2266 09-04-2016
        11630, V, 30000, 3/5 DVB-S2, 8PSK Clear, MPEG-4 TV Test 617 TV 6267 5267 2267 09-04-2016
        11630, V, 30000, 3/5 DVB-S2, 8PSK Clear, MPEG-4 TV Test 618 TV 6268 5268 2268 09-04-2016
        11630, V, 30000, 3/5 DVB-S2, 8PSK Clear, MPEG-4 TV Test 619 TV 6269 5269 2269 09-04-2016
        11630, V, 30000, 3/5 DVB-S2, 8PSK Clear, MPEG-4 TV Test 620 TV 6270 5270 2270 09-04-2016
        11630, V, 30000, 3/5 DVB-S2, 8PSK Clear, MPEG-4 TV Test 621 TV 6271 5271 2271 09-04-2016
        11630, V, 30000, 3/5 DVB-S2, 8PSK Clear, MPEG-4 TV Test 622 TV 6272 5272 2272 09-04-2016
        11630, V, 30000, 3/5 DVB-S2, 8PSK Clear, MPEG-4 INFO CH TV 6273 5273 2273 09-04-2016
        11630, V, 30000, 3/5 DVB-S2, 8PSK Clear, MPEG-4 TV Test 624 TV 6274 5274 2274 09-04-2016
        11630, V, 30000, 3/5 DVB-S2, 8PSK Clear, MPEG-4 Test 601 Radio 6901 2901 09-04-2016
        11630, V, 30000, 3/5 DVB-S2, 8PSK Clear, MPEG-4 Test 602 Radio 6902 2902 09-04-2016
        11630, V, 30000, 3/5 DVB-S2, 8PSK Clear, MPEG-4 Test 603 Radio 6903 2903 09-04-2016
        11630, V, 30000, 3/5 DVB-S2, 8PSK Clear, MPEG-4 Test 604 Radio 6904 2904 09-04-2016
        11630, V, 30000, 3/5 DVB-S2, 8PSK Clear, MPEG-4 Test 605 Radio 6905 2905 09-04-2016
        11630, V, 30000, 3/5 DVB-S2, 8PSK Clear, MPEG-4 Test 606 Radio 6906 2906 09-04-2016
        11630, V, 30000, 3/5 DVB-S2, 8PSK Clear, MPEG-4 Test 607 Radio 6907 2907 09-04-2016
        11630, V, 30000, 3/5 DVB-S2, 8PSK Clear, MPEG-4 Test 608 Radio 6908 2908 09-04-2016

         

        Sample screenshots

    • References
    • http://www.wikihow.com
    • http://www.dishpointer.com
    • http://satellite-dish-for-sale.com

Prepared by: Kamlesh Kumar Thakur (Sr. Hardware Engineer at Radiojitter.com)

LoRaWAN Network Setup - Part 1

 

SN  Phase                     Repository                                                                             Type of software  Remark
1   Gateway                   https://github.com/Lora-net/lora_gateway                                               Open source
2   Gateway                   https://github.com/Lora-net/packet_forwarder                                           Open source
3   Node                      https://github.com/matthijskooijman/arduino-lmic                                       Open source
4   Signal check              SDR#                                                                                   Closed source
5   Signal sniffing over air  https://github.com/rpp0/gr-lora/wiki/Capturing-LoRa-signals-using-an-RTL-SDR-device  Open source
6   Signal sniffing over air  https://revspace.nl/DecodingLora                                                       Open source
7   Updated LoRaWAN code      https://github.com/tikiarya/LORA-NICERF/

For the LoRaWAN node setup the Arduino LMIC library is used. The GitHub location of the library is https://github.com/matthijskooijman/arduino-lmic

This library supports Class A and Class B LoRaWAN communication. The LMIC code is not directly usable for us; a few changes are needed to make it work with our node.

Replace NWKSKEY, APPSKEY and DEVADDR in the ABP example sketch (ttn-abp.ino from Matthijs Kooijman's Arduino LMIC) with the values generated on the TTN console or any other network server interface. Keep in mind what these values are: with ABP the two session keys never change for the lifetime of the device, and they are only as secret as the sketch and the flash they end up in. Anyone who obtains them can decrypt every uplink and forge frames the network will accept, and the key that the LMIC example comment describes as the "default Semtech key" is public, so generate fresh per-device keys and never ship the defaults.

// LoRaWAN NwkSKey, network session key
// This is the default Semtech key, which is used by the early prototype TTN
// network.
static const PROGMEM u1_t NWKSKEY[16] = { 0xC6, 0x9D, 0xD9, 0x0C, 0xB2, 0xFE, 0x79, 0x52, 0x6F, 0x48, 0xB8, 0xEF, 0x5A, 0xC3, 0x13, 0x8B };
// LoRaWAN AppSKey, application session key
// This is the default Semtech key, which is used by the early prototype TTN
// network.
static const u1_t PROGMEM APPSKEY[16] = { 0xE4, 0xE8, 0x25, 0x61, 0xC7, 0x16, 0x0B, 0xC8, 0xEF, 0xAB, 0xB9, 0x82, 0xC3, 0x7D, 0xF8, 0x49 };
// LoRaWAN end-device address (DevAddr)
static const u4_t DEVADDR = 0x26011E7C; // <-- Change this address for every node!

(The values are representative; the screenshot and the values above might not match.)
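The ABP configuration above hands the node two static session keys. To make concrete what those keys protect, here is an added example (not part of the original post and not code from the LMIC library) in Go that builds an unconfirmed uplink the way a LoRaWAN 1.0 ABP node does, computing the MIC with NwkSKey and encrypting FRMPayload with AppSKey, and then plays the network server's side: verifying the MIC and decrypting the frame. The key bytes are the values quoted in the sketch above and the payload is LMIC's "Hello, world!"; both are constructed inputs, and the frame layout (MHDR 0x40, FCtrl 0x00, no FOpts, 16-bit FCnt with zero upper bits) is the simplest case the specification allows. Go is used because its standard library ships AES, so the block runs with no dependencies. The point a practitioner should take from it: whoever holds these two keys, whether read out of a published sketch or a dumped flash, can decrypt every uplink and forge frames the network will accept, because ABP keys never change.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/subtle"
	"encoding/binary"
	"encoding/hex"
	"fmt"
)

func mustAES(key []byte) cipher.Block {
	b, err := aes.NewCipher(key) // LoRaWAN session keys are always 16 bytes
	if err != nil {
		panic(err)
	}
	return b
}

func xorInto(dst, src []byte) {
	for i := range src {
		dst[i] ^= src[i]
	}
}

// cmacSubkey doubles a 16-byte value as in RFC 4493: shift left, XOR 0x87 into the last byte on overflow.
func cmacSubkey(in []byte) []byte {
	out, carry := make([]byte, 16), byte(0)
	for i := 15; i >= 0; i-- {
		out[i], carry = in[i]<<1|carry, in[i]>>7
	}
	if in[0]&0x80 != 0 {
		out[15] ^= 0x87
	}
	return out
}

// aesCMAC is AES-128 CMAC (RFC 4493), the MAC behind the LoRaWAN MIC.
func aesCMAC(key, msg []byte) []byte {
	b, l := mustAES(key), make([]byte, 16)
	b.Encrypt(l, make([]byte, 16))
	k1 := cmacSubkey(l)
	n := 1 + (len(msg)-1)/16 // number of 16-byte blocks, at least one (empty message included)
	tail, last := msg[(n-1)*16:], make([]byte, 16)
	copy(last, tail)
	if len(tail) == 16 { // complete final block: XOR K1
		xorInto(last, k1)
	} else { // incomplete final block: pad 10..0, XOR K2
		last[len(tail)] = 0x80
		xorInto(last, cmacSubkey(k1))
	}
	x := make([]byte, 16)
	for i := 0; i < n-1; i++ {
		xorInto(x, msg[i*16:(i+1)*16])
		b.Encrypt(x, x)
	}
	xorInto(x, last)
	b.Encrypt(x, x)
	return x
}

// loraBlock is the A_i (prefix 0x01) or B0 (prefix 0x49) block of LoRaWAN 1.0 sections 4.3.3 and 4.4:
// prefix | 0x00 x4 | Dir | DevAddr (LE) | FCnt32 (LE) | 0x00 | last.
func loraBlock(prefix, dir byte, devAddr, fcnt uint32, last byte) []byte {
	blk := make([]byte, 16)
	blk[0], blk[5], blk[15] = prefix, dir, last
	binary.LittleEndian.PutUint32(blk[6:], devAddr)
	binary.LittleEndian.PutUint32(blk[10:], fcnt)
	return blk
}

// cryptFRMPayload is the LoRaWAN payload cipher (AES counter mode over the A_i blocks, keyed with
// AppSKey); the same call encrypts and decrypts. dir is 0 for uplink, 1 for downlink.
func cryptFRMPayload(appSKey []byte, dir byte, devAddr, fcnt uint32, in []byte) []byte {
	b, s, out := mustAES(appSKey), make([]byte, 16), make([]byte, len(in))
	for i := range in {
		if i%16 == 0 {
			b.Encrypt(s, loraBlock(0x01, dir, devAddr, fcnt, byte(i/16+1)))
		}
		out[i] = in[i] ^ s[i%16]
	}
	return out
}

// computeMIC: MIC = aes128_cmac(NwkSKey, B0 | MHDR | FHDR | FPort | FRMPayload)[0..3].
func computeMIC(nwkSKey []byte, dir byte, devAddr, fcnt uint32, msg []byte) []byte {
	return aesCMAC(nwkSKey, append(loraBlock(0x49, dir, devAddr, fcnt, byte(len(msg))), msg...))[:4]
}

// BuildUplink assembles the unconfirmed data-up frame ttn-abp.ino sends (MHDR 0x40, FCtrl 0x00,
// no FOpts). The 16-bit FCnt is used as FCnt32, i.e. its upper 16 bits are assumed to be zero.
func BuildUplink(nwkSKey, appSKey []byte, devAddr uint32, fcnt uint16, fport byte, payload []byte) []byte {
	msg := make([]byte, 9)
	msg[0], msg[8] = 0x40, fport
	binary.LittleEndian.PutUint32(msg[1:], devAddr)
	binary.LittleEndian.PutUint16(msg[6:], fcnt)
	msg = append(msg, cryptFRMPayload(appSKey, 0, devAddr, uint32(fcnt), payload)...)
	return append(msg, computeMIC(nwkSKey, 0, devAddr, uint32(fcnt), msg)...)
}

// DecodeUplink does what the network server, or anyone else holding the same session keys, does:
// verify the MIC under NwkSKey, then decrypt FRMPayload under AppSKey.
func DecodeUplink(nwkSKey, appSKey, phy []byte) (fport byte, payload []byte, ok bool) {
	if len(phy) < 13 || phy[0] != 0x40 || phy[5]&0x0F != 0 { // FOpts are not handled in this example
		return 0, nil, false
	}
	msg, mic := phy[:len(phy)-4], phy[len(phy)-4:]
	devAddr, fcnt := binary.LittleEndian.Uint32(msg[1:]), uint32(binary.LittleEndian.Uint16(msg[6:]))
	if subtle.ConstantTimeCompare(mic, computeMIC(nwkSKey, 0, devAddr, fcnt, msg)) != 1 {
		return 0, nil, false
	}
	return msg[8], cryptFRMPayload(appSKey, 0, devAddr, fcnt, msg[9:]), true
}

func main() {
	// Constructed input: the key bytes quoted in the sketch above and LMIC's "Hello, world!" payload.
	nwk, _ := hex.DecodeString("C69DD90CB2FE79526F48B8EF5AC3138B")
	app, _ := hex.DecodeString("E4E82561C7160BC8EFABB982C37DF849")
	phy := BuildUplink(nwk, app, 0x26011E7C, 1, 1, []byte("Hello, world!"))
	port, pld, ok := DecodeUplink(nwk, app, phy)
	fmt.Printf("PHYPayload=%X\nMIC valid=%v FPort=%d FRMPayload=%q\n", phy, ok, port, pld)
	phy[len(phy)-5] ^= 0x01 // flip one ciphertext bit: the MIC must now fail
	_, _, ok = DecodeUplink(nwk, app, phy)
	fmt.Println("MIC valid after tampering:", ok)
}
```

The 4-byte MIC is the frame's only integrity protection, and it is keyed with NwkSKey alone: a server that knows NwkSKey but not AppSKey accepts the frame yet cannot read the payload, which is the split of trust LoRaWAN intends between network and application. A real server also tracks FCnt to reject replays; with ABP that counter restarts at zero whenever the node reboots unless the sketch persists it, which is a second reason ABP is weaker than OTAA, where every join derives fresh session keys.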

The SPI clock needs to be lowered to 2 MHz for the Arduino Uno in hal.cpp (the file-level SPISettings that hal_spi_init below passes to SPI.beginTransaction).

Updates to ttn-abp.ino:

const lmic_pinmap lmic_pins = {
    .nss = 10,
    .rxtx = LMIC_UNUSED_PIN,
    .rst = 9,
    .dio = {2, 3, 4},
};

// in setup(), after LMIC_reset(): let LMIC compensate for +/- 1% clock error
LMIC_setClockError(MAX_CLOCK_ERROR * 1 / 100);

Updates to hal.cpp:

static void hal_spi_init () {
    SPI.begin();
    digitalWrite(lmic_pins.nss, LOW);
    /*
    // depends on LORA spi timing
    SPI.setBitOrder(MSBFIRST);
    // too fast may cause error
    SPI.setClockDivider(SPI_CLOCK_DIV16);
    SPI.setDataMode(SPI_MODE0);
    */
    SPI.beginTransaction(settings); // settings: the file-level SPISettings, now 2 MHz
    Serial.println("SPI Init");
}

void hal_pin_nss (u1_t val) {
    if (val) {
        digitalWrite(lmic_pins.nss, HIGH);
        //Serial.println("NSS Set HIGH");
    } else {
        digitalWrite(lmic_pins.nss, LOW);
        //Serial.println("NSS Set LOW");
    }
}

Updates to config.h:

#define LMIC_PRINTF_TO Serial

Updates to radio.c:

// manually reset radio to simulate power OFF and ON
#ifdef CFG_sx1276_radio
    hal_pin_rst(LOW); // drive RST pin low
#else
    hal_pin_rst(1);   // drive RST pin high
#endif
hal_waitUntil(os_getTime()+ms2osticks(10)); // wait 10 ms
hal_pin_rst(HIGH); // configure RST pin HIGH
hal_waitUntil(os_getTime()+ms2osticks(20)); // wait 20 ms
opmode(OPMODE_SLEEP);

// some sanity checks, e.g., read version number
u1_t v = readReg(RegVersion);
printf("Expected 0x12 from SX1276, read_new=0x%x\n", v);

——————————————————————————————————

In this experiment we have used our own LoRaWAN node based on the NiceRF 500 mW LoRa module Lora1276F30 (http://nicerf.com/product_179_213.html). Key parameters from the module datasheet:

Parameter               Min    Typ    Max    Unit  Condition
Working voltage range   3      5      6.5    V
Working temperature     -40           85     °C
Receiving current              <13           mA
Transmitting current    500    500    650    mA    @ 30 dBm
Sleep current                  <10           uA
Frequency range         840    868    920    MHz   @ 868 MHz
Frequency range         840    915    920    MHz   @ 915 MHz
Modulation rate         1.2           300    kbps  FSK
Modulation rate         0.018         37.5   kbps  LoRa
Output power range      21            27     dBm
Receiving sensitivity          -122          dBm   @ FSK, data = 1.2 kbps, Fdev = 10 kHz
Receiving sensitivity          -139          dBm   @ LoRa, BW = 125 kHz, SF = 12, CR = 4/5

Features:
  • Frequency range: 868 / 915 MHz
  • Sensitivity up to -139 dBm
  • Maximum output power: +27 dBm
  • 13 mA in receive
  • Sleep current < 10 uA
  • Data rate: 1.2-300 kbps (FSK); 0.018-37.5 kbps (LoRa)
  • 3.0-6.5 V power supply
  • 127 dB dynamic range RSSI
  • No signal blocked
  • 256-byte FIFO
  • CRC, frequency hopping
  • Low-power detection
  • Built-in temperature sensor
  • Operating temperature range: -40 to +85 °C

The ttn-abp.ino sketch is compiled and uploaded to the Arduino Uno. The transmissions can be seen in the waterfall spectrum of SDR# (SDR software) using an RTL-SDR Blog receiver; the node keeps hopping from channel to channel between transmissions.

Waterfall spectrum plot (SDR#)

Arduino Serial Monitor

 

Threat Modelling for Automotive – Part 3

  1. AUTOMOTIVE ETHERNET

 Automotive Ethernet is a physical network that is used to connect components within a car using a wired network. It is designed to meet the needs of the automotive market, including meeting electrical requirements (EMI/RFI emissions and susceptibility), bandwidth requirements, latency requirements, synchronisation, and network management requirements.

To fully meet the automotive requirements, multiple new specifications and revisions to existing specifications are being developed in the IEEE 802.3 and 802.1 groups.

Until those specs get through the IEEE, there are some interim specs sponsored by special interest groups:

  • The OPEN (One-Pair Ethernet) group, which sponsors Broadcom's 100 Mbps BroadR-Reach solution as a multi-vendor licensed solution. This 100 Mbps PHY uses techniques from 1G Ethernet to carry 100 Mbps over a single pair in both directions (using echo cancellation) with more advanced encoding that lowers the base frequency to 66 MHz (from 125 MHz), allowing Ethernet to meet the automotive EMI/RFI specs.
  • AVnu, which adopted the Audio-Video Bridging standards ahead of the IEEE 802.1 standardisation process.

1.1. Why Ethernet was not used in cars before

Even though Ethernet has existed for over 20 years, it could not previously be used in automobiles because of the following limitations:

  1. Ethernet did not meet the OEM EMI/RFI requirements for the automotive market. 100 Mbps (and above) Ethernet has too much RF "noise", and Ethernet is also susceptible to "alien" noise from other devices in a car.
  2. Ethernet could not guarantee latency down to the low microsecond range, which is required to replace communication with any sensor or control that needs a fast reaction time.
  3. Ethernet had no way to control bandwidth allocation to different streams, so it could not carry shared data from multiple types of sources.
  4. Ethernet had no way of synchronizing time between devices so that multiple devices sample data at the same time.

1.2. Automotive Ethernet Drivers

 The electronics in a car are getting more complicated with more sensors, controls, and interfaces with higher bandwidth requirements. The different computers and domains in the car need to increasingly communicate with one another. The complexity, cost, and weight of wiring harnesses has increased such that the wiring harness is the third costliest and third heaviest component in a car.

Today, multiple different proprietary standards for communication are used, with each component typically using a dedicated wire/cable. By moving to a single standard, all the communications from all the different components can coexist on the same switched Ethernet network, with a single pair going to each location in the car from a central switch. A joint study by Broadcom and Bosch estimated that using “unshielded twisted pair (UTP) cable to deliver data at a rate of 100Mbps, along with smaller and more compact connectors can reduce connectivity cost up to 80 percent and cabling weight up to 30 percent.”

1.3. Anatomy of Future Car Electronics Using Automotive Ethernet

The diagram below shows the estimated progression of Automotive Ethernet from today (1st generation) through 2020 (3rd generation).

Figure 15. Automotive Ethernet in future Generation

  2. DESIGNING A THREAT MODEL

We now have every detail required to design a threat model for a vehicle. We will use the Microsoft Threat Modeling Tool to build the model. The Threat Modeling Tool is a core element of the Microsoft Security Development Lifecycle (SDL). It lets software architects identify and mitigate potential security issues early, when they are relatively easy and cost-effective to resolve, which greatly reduces the total cost of development. The tool was also designed with non-security experts in mind, making threat modelling easier for all developers by giving clear guidance on creating and analysing threat models.

The tool enables us to:

  • Communicate about the security design of a system
  • Analyze that design for potential security issues using a proven methodology
  • Suggest and manage mitigations for security issues

Some of its capabilities, to name a few:

  • Automation: guidance and feedback while drawing a model
  • STRIDE per element: guided analysis of threats and mitigations (each element type in the data flow diagram is checked against the STRIDE categories it is susceptible to)
  • Reporting: security activities and testing in the verification phase
  • Unique methodology: helps users visualize and understand threats
  • Designed for developers and centered on software: many approaches are centered on assets or attackers; this one is centered on software and builds on activities all software developers and architects are familiar with, such as drawing pictures of their software architecture.
  • Focused on design analysis: the term "threat modeling" can refer to a requirements technique, a design analysis technique, or a blend of the two. The Microsoft SDL approach is a focused design analysis technique.

We will use the Automotive Threat Modelling Template provided by NCC Group. The Automotive Threat Modelling (TM) Template was created with the Microsoft (MS) Threat Modelling Tool 2016, so threat models are created in that product. A threat modelling workshop for automotive-related technologies requires DFDs with custom elements, tailored threats and specific recommendations. The lack of a specific template for automotive threat modelling led to the development of the Automotive TM Template, which takes advantage of a feature new in the MS Threat Modelling Tool 2016 that allows entirely new customised templates to be created.

 2.1. Setting Up the Environment

Each entity in the automotive threat modelling template has its own set of properties, so every entity used in the model must be configured according to the component it represents before the model is drawn. These properties are shown in the following figure:

Figure 1. Setting up the entities' environment

  2.2. FLOWCHART

Figure 2. DFD diagram

Figure 3. Top-layer view of the vehicle

  2.3. REPORT

(Figures 4 to 7: threat report generated by the tool)

The Microsoft Threat Modelling tool thus provides a good way to analyse threats, and the NCC Group template is well suited to threat modelling for automotive.

I hope you enjoyed! Please do share and comment.

Parminder Singh


Email: singhvicky1516@gmail.com

Threat Modelling for Automotive – Part 2

Hi guys! In Threat Modelling for Automotive – Part 2 we are going to look at connected cars in detail.

  1. Understanding the Car's Environment

Figure 1. Components of a connected car

2. Working of Automotive Cars

As cars are getting more interconnected with other vehicles and the environment around them, the security threats will continue to increase. Before the concept of a connected car was introduced, the automotive industry did not pay much attention to cyber-security because the attackers required physical access to perform an attack.

Today we have cars with multiple connection points to outside networks including a connection to the Internet. In addition to the LTE and Wi-Fi connections, Figure below shows all the additional services that the connected car will have in the future. Car2Cloud technology represents all internal services available because of the existence of Internet connections.

2.1. Automotive Networks

As the number of electrical components in vehicles increases, the need for a good network that will connect these parts becomes more important. Different electrical components have different functions and as such need different types of connectivity.

Today we have four main types of automotive networking:

  • LIN (Local Interconnect Network) – This network type provides a cost-effective solution for connecting switches, intelligent actuators, temperature or rain sensors, small motors, lamps, sunroof or heating control. It has the smallest bandwidth of the four networks, which is one reason it is used for non-critical functions of the vehicle.
  • CAN (Controller Area Network) – The most widely used automotive network protocol. It is a single centralized bus on which all the data inside the vehicle is broadcast. This network type can be divided into two categories depending on the nature of the traffic: real-time control in the powertrain (SAE Class C) and body control (SAE Class B). It is used in engine timing control, anti-lock braking systems, electronic throttle control etc.
  • FlexRay – The main purpose of this network type is to support the new drive-by-wire systems such as steer-by-wire and brake-by-wire, which require good error management along with high transmission rates.
  • MOST (Media Oriented Systems Transport) – Has the largest bandwidth of all four networks and is mainly used for audio, video, navigation and telecommunications systems. It is the most suitable for real-time audio and video transmission.

Each of these networks has different attributes and application areas. The table below shows the main differences between them.

                        LIN                        CAN                        FlexRay                              MOST
Application             Low-level communication    Soft real-time systems     Hard real-time systems (X-by-wire)   Multimedia, telematics
Control                 Single-master              Multi-master               Multi-master                         Timing-master
Bus access              Polling                    CSMA/CA                    TDMA/FTDMA                           TDM/CSMA
Bandwidth               19.2 kbit/s                500 kbit/s                 10 Mbit/s                            24.5 Mbit/s
Data bytes per frame    0 to 8                     0 to 8                     0 to 254                             0 to 60
Redundant channel       Not supported              Not supported              Two channels                         Not supported
Physical layer          Electrical (single wire)   Electrical (twisted pair)  Optical, electrical                  Mainly optical

Table 1. Overview of automotive networks

Figure below shows the internal structure of the in-vehicle networks and how they are organized in smaller sub-networks.


Figure 2. Overview of Internal Vehicle sub-networks

Each sub-network is based on a different network technology, depending on the requirements of the systems connected to it. For example, the head unit is responsible for audio and video transmission, which requires higher bandwidth, so it uses the MOST network type.

3. Motivation for Hacking

The motivation is an important attribute of threat agents because it tells us what human drives are involved and what the main reason is for their actions. The motivation usually has two meanings, cause and drive. The cause means the underlying reason for some harmful or unintentional action, which could be some specific situation or an emotional reason. The cause is the primary parameter used to describe the motivation, but the drive is also important because it defines a certain level of intensity or interest a threat agent might have.


Figure 3. Motivation of Threat agents

The main reasons behind the motivation parameter are:

  • Knowing the threat agent’s motivation can give us information, about the target or the asset, that agent is most likely to focus on.
  • If the security experts know the threat agent’s intent, they can focus their often limited resources on the most likely attack vectors for any asset.
  • Motivation shapes the intensity of the attack because the attackers usually act in a way that reflects their emotional or circumstantial state.
  • The motivation also helps in better describing the threat scenarios in a less technical language. The motivation describes a more detailed story.

The threat modelling process described here covers two motivational aspects: the defining motivation, and personal motivators for individuals. The first is the most descriptive, characterises the threat agent group best, and is the primary cause of their actions. The second is focused on motivators for individuals who work alone or as part of an organisation, and describes the main reasons and drives of these individuals.

The TARA (Threat Agent Risk Assessment) threat modelling method defines the following 10 types of motivation:

  • Accidental – Type of motivation that is usually connected to a threat agent with harmless intent that through distraction or poor training causes unintentional harm to the company.
  • Coercion – When someone is forced into doing something against their will on behalf of another is the core of this motivation type. An employee from a car manufacturer e.g. could be forced by intimidation or blackmail to give out confidential information or perform some other action that is harmful to his company.
  • Disgruntlement – Motivation type that is closely tied to employees or former employees that want to do harm to their company. The reason for this is mostly revenge or retaliation because of some wrongdoing by that company. This motivation type implies that there was some sort of prior interaction between the threat agent and the target company.
  • Dominance – An attempt to establish superiority over another individual, company, organization or even another country. It can take many forms such as intimidation, threatening to expose sensitive data or stealing information assets in order to become more powerful toward a goal of dominance. Access to this information allows the attacker to leverage them or exploit their vulnerabilities when they decide to attack.
  • Ideology – The agent motivated by ideology primarily relies on some personal belief, political loyalty, and sense of morality or justice.
  • Notoriety – This motivation type describes someone that is trying to become famous for his harmful actions in the cyber world. A threat agent with this type of motivation usually looks for confirmation and respect from the community in which they act.
  • Organizational gain – An unlawful action by a threat agent that would increase an organization’s profit or obtain some other advantage over a competing organization or company. This can be information theft, misuse of information, inappropriate acquisition, sabotage etc.
  • Personal financial gain – Probably one of the most common motivations where an individual or a group of individuals performs cyber-attacks with only one goal improving their financial status.
  • Personal satisfaction – Another very common type of motivation where a threat agent acts in order to accomplish some personal wish or a desire in order to satisfy their emotional self-interest.
  • Unpredictable – An action conducted by a threat agent that is totally random, strange and has no logical explanation. It creates unpredictable events.

4. Attack Vectors

The connected car can be exploited for a number of purposes:

  • Safety – How can attackers compromise the safety of the drivers, passengers and nearby people? For example, can an attacker manipulate communications between electronic control units to initiate a self-parking mode while the car is speeding down a highway?
  • Privacy – How secure is the acquisition of driver activities data (e.g., location of vehicle, navigation destination, etc.)? A recent study showed that 5 percent of all Americans (or more than 15 million people) could be identified just by knowing their home and work zip codes.
  • Fraud and theft – The connected car vision often includes the ability to easily make purchases from the car. How can developers protect your information from unauthorized commercial transactions? This area is a likely early target for attackers, as this exploit can be easily monetized.
  • Mischief – How can you prevent interference with on board non-safety vehicle systems such as infotainment, heating and air conditioning systems, etc.? While there’s no monetary gain to be had by attackers, developers still need to protect against the “bored teen” who wants to see if he can turn his neighbour’s heat up on the hottest summer day or continually honk the horn.

4.1. Finding the Attack Vectors

Attack surface refers to all the possible ways to attack a target, from vulnerabilities in individual components to those that affect the entire vehicle. When discussing the attack surface, we’re not considering how to exploit a target; we’re concerned only with the entry points into it.

The following questions should be asked when finding the attack surface.

  • What are the audio input options: CD? USB? Bluetooth?
  • Are there diagnostic ports?
  • What are the capabilities of the dashboard? Is there a GPS? Internet?
  • If the vehicle is electric, how does it charge?
  • Are there touch or motion sensors?
  • What signals are received? Radio Waves?
  • Is there physical keypad access?


Figure 4. Weakest points of connected cars

Figure above illustrates the 15 most vulnerable points of a connected car according to the Intel security report from 2015. Each of these 15 points actually represents an advanced feature of the connected car. Most of these features are implemented through dedicated ECUs that are in charge of those specific functions. The ECUs are interconnected through the internal vehicle network called CAN (Controller Area Network). If any of these features gets compromised, the entire internal network is potentially in danger since these ECUs are interconnected, and depending on the attacker’s expertise some of the critical systems can be controlled.


Figure 5. Connected Car Threats

The four main difficulties in securing the connected car are in the following areas:

  • Over-the-air updates (OTA) – The connected cars are very similar to computers, as they have a very complex software architecture and a variety of applications to enable some of the new enhanced features. As time goes by, this software needs to be updated with new bug-fixes or security patches to prevent discovered vulnerabilities. These updates are challenging for the automotive industry because some updates could be very critical and potentially dangerous for the safety of the driver and passengers if not installed on time. If the car cannot be updated due to the vehicle not always being on-line, whose responsibility will it be if outdated software causes an accident? At this time, only Tesla has remote updates enabled while others require a visit to the service centre.
  • Low computational power – Because of the long vehicle life-cycle and environmental conditions such as humidity, vibration and temperature, the computational power of vehicles is low. This is to the attacker's advantage, since they can leverage far more powerful computers. Moreover, the older a vehicle gets, the more advanced the attack technology available compared with the car's production year, making it even easier to exploit.
  • Difficult to monitor – It is difficult to monitor the status of the automotive electronics by a certified authority, as the car is not always connected to the Internet.
  • Cost – One of the major difficulties is, of course, the costs of making all the vehicle software secure. Companies would need to employ more people and they would need to change their entire development process in order to incorporate security from the very beginning.
  • No Safety without Security – Just one infected car on the road represents a potential hazard for all the surrounding vehicles, and each new security vulnerability exposes new safety issues e.g. if security mechanisms fail to ensure the integrity of messages sent by the braking system.

5. Major Components of Automotive Cars

  • ECU

The ECU, also known as the car computer, controls a variety of systems within the engine and is thus the brain of the car. It drives a series of actuators to keep the engine running smoothly and reads the signals coming from sensors in different parts of the car. Each car contains at least 30 ECUs, and each ECU needs to interface with more than one other ECU to perform its own function.

Figure 6. ECU

Parts of Engine ECU Controls are:

  • Amount of fuel injected into each cylinder
  • Ignition Timing
  • Revolution limit
  • Water temperature correction
  • Transient fuelling
  • Low fuel pressure modifier
  • Closed loop lambda- monitors output of a system to control the inputs to a system


Figure 7. Automotive ECUs

  • CAN BUS

The most widely used automotive network protocol. It is a single centralized network bus where all the data inside the vehicle is broadcast. This network type can be divided into two categories depending on the nature of the traffic: real-time control in powertrain (SAE Class C) and body control (SAE Class B). It is used in engine timing controls, anti-lock braking systems, electronic throttle control etc.

CAN is a serial communication protocol that lets ECUs and sensors talk to each other. It is used in automotive electronics for critical tasks such as engine control and the brake system. Messages are prioritised by their identifier: when two nodes start transmitting at the same time, the one with the lowest ID wins arbitration and the other backs off, so the highest-priority message is the one with the lowest ID. Any node on the bus can send any ID, since CAN has no notion of sender authentication. Functions that rely on CAN include:

  • Auto start/stop
  • Electric park brakes
  • Parking assist systems
  • Auto lane assist/collision avoidance systems
  • Auto brake wiping

Figure 8. CAN BUS

CAN benefits are listed below:

  • Low-cost, lightweight network
  • Broadcast communication
  • Priority-based arbitration
  • Error detection capabilities

  • OBD-II

The OBD-II port (On-Board Diagnostics) is the oldest of the interfaces discussed here. It is typically located under the steering wheel and is mainly used by service shops to run diagnostic checks and read status information about the different vehicle subsystems.

OBD systems give the vehicle owner or a repair technician access to the status of the various vehicle subsystems. The term refers to a vehicle's self-diagnostic and reporting capability. OBD-II is an improvement over OBD-I in both capability and standardization.

The type A connector is used for vehicles with a 12 V supply, whereas type B is used for 24 V vehicles and must have the front of the D-shaped area marked in blue.

Figure 9. OBD Port

It was firstly used to make modifications related to tweaking the engine or the vehicle mileage, while today this port can be used for orchestrating a wireless attack or violating the privacy of the driver. The attacker would need prior physical access to the OBD port in order to pull off any type of attack.

The security of this interface is so weak that it gives almost full access to the entire vehicle system. Wireless attacks become possible when an aftermarket telematics unit is connected to this port, or when an insurance or rent-a-car dongle with a wireless interface is plugged into it. Such an attack could affect the safety features of the vehicle as well as violate the privacy of the driver.

Figure 10. OBD Scan Tool

An OBD-II scan tool can read and clear codes. Scanners can also show pending, or soft, codes that have not yet activated the check engine light, and provide access to a wealth of information: data from virtually every sensor that feeds the onboard computer can be viewed via an OBD-II scanner, and some scanners can also set up custom lists of parameter IDs (PIDs).

When your car is not working properly, a dashboard warning light, the malfunction indicator light (MIL), illuminates. This tells the driver that something is wrong, but not what. An OBD scan tool plugs into the vehicle and reports a code, which gives further information about what is wrong. With all the complex electrical and mechanical systems in a car today, it is hard to troubleshoot issues without one.
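As an added example (not from the original post and not code from any scan tool or vendor) in Go, the block below puts the CAN bus section and the OBD-II section above into working code: it parses candump-style CAN log lines, decodes the OBD-II engine-RPM request/response exchange that a scan tool performs over the port, and runs a simple timing-based injection detector over the frames. The detector relies on the fact that genuine ECUs send their periodic IDs at a steady cadence, so a spoofed frame an attacker injects with the same ID (which the bus itself cannot tell from the real one, because CAN carries no sender authentication) arrives off-cadence. The log, the ECU identifiers 0x0C4 and 0x1A0 and their periods are constructed for this example; 0x7DF/0x7E8 and mode 01 PID 0x0C are the standard OBD-II functional request ID, first ECU response ID and engine-RPM parameter.

```go
package main

import (
	"encoding/hex"
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// Frame is one classic CAN frame as candump logs it: timestamp, identifier, up to 8 data bytes.
type Frame struct {
	TS   float64
	ID   uint32
	Data []byte
}

// ParseCANLine parses a candump -l style line such as "(1525000000.010000) can0 0C4#1A2B".
func ParseCANLine(line string) (Frame, error) {
	f := strings.Fields(line)
	if len(f) != 3 {
		return Frame{}, errors.New("expected '(timestamp) interface ID#DATA'")
	}
	ts, err := strconv.ParseFloat(strings.Trim(f[0], "()"), 64)
	if err != nil {
		return Frame{}, err
	}
	idData := strings.SplitN(f[2], "#", 2)
	if len(idData) != 2 {
		return Frame{}, errors.New("missing '#' between ID and data")
	}
	id, err := strconv.ParseUint(idData[0], 16, 32)
	if err != nil || id > 0x1FFFFFFF { // 11-bit standard or 29-bit extended identifier
		return Frame{}, errors.New("bad CAN identifier")
	}
	data, err := hex.DecodeString(idData[1])
	if err != nil || len(data) > 8 { // classic CAN carries at most 8 data bytes
		return Frame{}, errors.New("bad data field")
	}
	return Frame{TS: ts, ID: uint32(id), Data: data}, nil
}

// ParseLog parses a whole candump log, one frame per line.
func ParseLog(log string) ([]Frame, error) {
	var frames []Frame
	for _, line := range strings.Split(strings.TrimSpace(log), "\n") {
		fr, err := ParseCANLine(line)
		if err != nil {
			return nil, fmt.Errorf("%q: %w", line, err)
		}
		frames = append(frames, fr)
	}
	return frames, nil
}

// DetectInjection flags frames of a periodic ID that arrive far too early: the first learnFrames
// frames of each ID set its baseline period, after which an inter-arrival time below half the
// baseline is reported as a likely spoofed frame. A flagged frame does not advance the ID's clock,
// so the genuine ECU's next frame is judged against the last genuine one, not the injected one.
func DetectInjection(frames []Frame, learnFrames int) []Frame {
	type state struct {
		last, period float64 // last genuine timestamp; mean inter-arrival time while learning
		n            int
	}
	seen := map[uint32]*state{}
	var flagged []Frame
	for _, fr := range frames {
		s, ok := seen[fr.ID]
		if !ok {
			seen[fr.ID] = &state{last: fr.TS, n: 1}
			continue
		}
		gap := fr.TS - s.last
		if s.n >= learnFrames && gap < s.period/2 {
			flagged = append(flagged, fr)
			continue
		}
		if s.n < learnFrames {
			s.period = (s.period*float64(s.n-1) + gap) / float64(s.n)
		}
		s.n, s.last = s.n+1, fr.TS
	}
	return flagged
}

// DecodeEngineRPM decodes an OBD-II mode 01 / PID 0C reply (the ECU answers on 0x7E8 to the
// functional request sent on 0x7DF). Data layout [length, 0x41, PID, A, B]; RPM = (256*A + B) / 4.
func DecodeEngineRPM(fr Frame) (float64, error) {
	if fr.ID != 0x7E8 || len(fr.Data) < 5 || fr.Data[1] != 0x41 || fr.Data[2] != 0x0C {
		return 0, errors.New("not a mode 01 PID 0C response")
	}
	return (256*float64(fr.Data[3]) + float64(fr.Data[4])) / 4, nil
}

// sampleLog is constructed for this example: two periodic IDs from genuine ECUs (0C4 every 10 ms,
// 1A0 every 20 ms), one injected 0C4 frame at +33 ms, then an OBD-II RPM request and its reply.
const sampleLog = `
(1525000000.000000) can0 0C4#1A2B
(1525000000.005000) can0 1A0#00
(1525000000.010000) can0 0C4#1A2C
(1525000000.020000) can0 0C4#1A2D
(1525000000.025000) can0 1A0#00
(1525000000.030000) can0 0C4#1A2E
(1525000000.033000) can0 0C4#FFFF
(1525000000.040000) can0 0C4#1A2F
(1525000000.045000) can0 1A0#01
(1525000000.050000) can0 0C4#1A30
(1525000000.060000) can0 7DF#02010C0000000000
(1525000000.062000) can0 7E8#04410C1AF8000000
`

func main() {
	frames, err := ParseLog(sampleLog)
	if err != nil {
		panic(err)
	}
	for _, fr := range DetectInjection(frames, 4) {
		fmt.Printf("suspected injection: t=%.3f ID=%03X data=%X\n", fr.TS, fr.ID, fr.Data)
	}
	for _, fr := range frames {
		if rpm, err := DecodeEngineRPM(fr); err == nil {
			fmt.Printf("engine RPM read over OBD-II: %.0f\n", rpm)
		}
	}
}
```

On a real bus the same detector would also see the attacker's other option: because arbitration always favours the lowest identifier, a node that transmits ID 0x000 back to back wins every contest and silently starves all genuine ECUs, which shows up here as periodic IDs stopping rather than arriving early. Timing detection is no substitute for authenticated messaging or segmentation, but it is cheap, needs no ECU changes, and catches the simple replay and spoofing that the OBD-II port makes possible.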

  • Infotainment

The infotainment system is gradually becoming a standard in the automotive industry and is turning the car into an entertainment center with various features and Internet access. This system offers access to web browsers, social media applications, games and other applications that the user can download from the Internet.

The famous Jeep Cherokee attack from 2015 used a flaw in the Uconnect entertainment system to get remote access to the vehicle. The infotainment system is connected directly to the Controller Area Network (CAN) bus. As mentioned earlier, in-vehicle network segmentation is very weak, which is why an attacker can reach critical systems just by compromising the entertainment centre. A recent paper demonstrated another flaw in the infotainment system that exploits the MirrorLink protocol to get remote access to the vehicle's controls.

It Includes:

  • Car Audio Systems- Radio, CD Players
  • Automotive navigation system
  • Video Player
  • USB
  • Bluetooth
  • WiFi
  • In-car internet
  • Dashboards knobs and dials
  • Hands Free voice control

In-car entertainment (ICE), or in-vehicle infotainment (IVI), is a collection of hardware and software in automobiles that provides audio or video entertainment.

  • Cellular connection (3G/4G)

Vehicles can have a dedicated cellular connection using a SIM-card that is implemented by the OEM and cannot be replaced by the driver. This connection is used for exchanging information with the car manufacturer such as delivering software updates or providing Internet access for applications in the Infotainment center.

This was the entry point for the famous Jeep Cherokee attack performed in 2015. The attackers exploited a vulnerability that allowed them access to the critical vehicle functions such as the steering wheel, brakes, infotainment system etc. A constant connection over a cellular network is certainly a tempting attack surface and the research shows it as a very likely target.

 

  • Over-The-Air (OTA) updates

This feature refers to software and firmware updates delivered to the vehicle over an Internet connection without visiting the service shop. A very small number of vehicles has this feature today but it is estimated that by 2022 over 200 million connected cars will have OTA updates enabled. The main reason for the OTA updates becoming a standard is that they provide a cheaper and more effective way of delivering updates for software bugs and vulnerabilities.

It is very important for this feature to have a strong security mechanism that would ensure a secure connection with the service provider and the integrity of the software package. If this feature gets compromised by an attacker, it could lead to major safety issues endangering the driver and the passengers. Research has shown that OTA updates are a major security concern and need to be addressed very carefully.

  • Smart-phone

Almost every new car today can pair with your smartphone to make phone calls, access the phone book, play music from the phone over the car's speakers or even share the smartphone's Internet connection with the vehicle. If the smartphone is infected by malware, the infection could spread to the vehicle and allow the attacker to extend the reach and scope of the attack and compromise the vehicle system.

The smartphone could be used to send malicious messages to the CAN network if the attacker gains access to it and, prior to the attack, enables a certain communication protocol in the infotainment system. Applications in the smartphone could also be exploited and this has already happened a number of times, but more details will be given in the “Remote link Type App” section.

  • Bluetooth

The main usage of the Bluetooth interface in the vehicle is to pair the smartphone with the vehicle system. This enables making phone calls through the in-car system, accessing your phone book and playing music on the car speaker system. The range of Bluetooth is around 10 meters but it can be extended through amplifiers and directional antennas.

Attacks on the Bluetooth connection can be conducted with an un-paired device and with a device paired with the in-vehicle system. The research shows that a malicious payload can be injected into the vehicle system by exploiting a vulnerability in the Bluetooth interface connected to the vehicle’s telematics unit.

  • Remote link Type App

This refers to different applications in the Infotainment system or in the driver’s smartphone that provide remote access to the vehicle system. This feature allows drivers to unlock, locate, track, turn on the heating, AC or even start the car’s engine and all of this remotely using an application on their smartphone.

Although this feature is very appealing to the driver, it has had significant security vulnerabilities that could allow an attacker to gain access to the vehicle system and the internal network. Many of the major car manufacturers (GM, BMW, Tesla, Nissan) have had security issues with this feature that were exploited by researchers or attackers.

  • KeyFobs and Immobilizers

The main purpose of these two technologies is to unlock the vehicle and to prevent unauthorised access that would let an attacker get inside the car and start the engine. The immobilizer is an electronic device that prevents the engine from starting (typically by disabling the ignition or fuel injection) unless a transponder in the correct key has been authenticated; it is mandatory on new cars in many markets, including the EU. The key fob is a remote key that unlocks the vehicle at the push of a button.

Car thieves are the main threat agents targeting these attack surfaces. A common attack involves recording the radio signal and code sent when the owner presses a button on the key fob and replaying it later to unlock the car. A straight replay only works against fixed-code fobs; against rolling-code fobs the thief has to keep the recorded code valid, for example by jamming the car's receiver so that it never sees the original transmission. In a 2016 paper, security researchers from the University of Birmingham showed that around 100 million Volkswagen Group cars sold since 1995 rely on a handful of global cryptographic keys in their keyless entry systems, so that eavesdropping on a single button press is enough to clone the fob. Various researchers have shown that key fobs and immobilizers are not secure enough and need further improvement to protect vehicles from being stolen.
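The replay attack described above, as an added example that is not part of the original post or of the Birmingham paper: a toy fixed-code receiver that accepts any recording, a toy rolling-code receiver that accepts each counter once within a resync window, and the jam-and-replay variant (publicly demonstrated as "RollJam" in 2015) that still defeats the rolling code because the captured code was never delivered to the car. The code format, the key and the window size are constructed for illustration only.

```python
import hmac
import hashlib

# Constructed demo format: 4-byte press counter followed by an 8-byte HMAC-SHA256 tag over it.
CODE_LEN = 12
WINDOW = 16        # how far ahead of the last accepted counter the receiver tolerates (resync)
KEY = b"\x00" * 16  # constructed demo key; a real fob carries a per-device secret


def make_code(key: bytes, counter: int) -> bytes:
    ctr = counter.to_bytes(4, "big")
    return ctr + hmac.new(key, ctr, hashlib.sha256).digest()[:8]


class Fob:
    """Transmitter: increments a counter on every press and sends an authenticated code."""

    def __init__(self, key: bytes):
        self.key, self.counter = key, 0

    def press(self) -> bytes:
        self.counter += 1
        return make_code(self.key, self.counter)


class FixedCodeReceiver:
    """Receiver that accepts the same code forever: any recording can be replayed."""

    def __init__(self, code: bytes):
        self.code = code

    def accept(self, code: bytes) -> bool:
        return hmac.compare_digest(code, self.code)


class RollingCodeReceiver:
    """Receiver that accepts a code once, and only within WINDOW of the last accepted counter."""

    def __init__(self, key: bytes, window: int = WINDOW):
        self.key, self.window, self.last = key, window, 0

    def accept(self, code: bytes) -> bool:
        if len(code) != CODE_LEN:
            return False
        ctr, tag = code[:4], code[4:]
        expected = hmac.new(self.key, ctr, hashlib.sha256).digest()[:8]
        if not hmac.compare_digest(expected, tag):
            return False                      # forged, or from a fob with another key
        counter = int.from_bytes(ctr, "big")
        if not self.last < counter <= self.last + self.window:
            return False                      # replay (counter already used) or too far ahead
        self.last = counter
        return True


def scenario_plain_replay() -> tuple:
    """Thief records one legitimate press and replays it later.
    Returns (fixed-code car opens, rolling-code car opens)."""
    fixed_code = b"\xde\xad\xbe\xef"
    fixed_car = FixedCodeReceiver(fixed_code)
    fob, rolling_car = Fob(KEY), RollingCodeReceiver(KEY)
    recorded = fob.press()                    # thief's recording of the owner's press
    fixed_car.accept(fixed_code)              # owner unlocks the fixed-code car
    rolling_car.accept(recorded)              # owner unlocks the rolling-code car
    return fixed_car.accept(fixed_code), rolling_car.accept(recorded)


def scenario_jam_and_replay() -> tuple:
    """Thief jams the car's receiver so it never hears the press, keeping the captured code fresh.
    Returns (owner gets in, thief gets in later)."""
    fob, car = Fob(KEY), RollingCodeReceiver(KEY)
    first = fob.press()                       # jammed: the car never receives it, the thief records it
    second = fob.press()                      # owner presses again; jammed and recorded as well
    owner_unlocks = car.accept(first)         # thief forwards code 1 so the owner is not suspicious
    thief_unlocks = car.accept(second)        # later: code 2 is still above the last accepted counter
    return owner_unlocks, thief_unlocks


if __name__ == "__main__":
    print("plain replay (fixed, rolling):", scenario_plain_replay())
    print("jam-and-replay (owner, thief):", scenario_jam_and_replay())
```

The counter window is what makes jam-and-replay work: the receiver cannot distinguish "a press I missed because of poor reception" from "a press the attacker suppressed", so the only protections are shortening the window, binding codes to time, or a challenge-response exchange as used in passive keyless entry.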

  • USB

Almost every modern car has a USB interface, used for purposes such as updating the vehicle software or charging a smartphone. In the computer world USB devices are well known as a way of carrying malware from one machine to another without any Internet connection, and the same can happen in a vehicle, which is why this interface needs proper security controls (for example, verifying the signature of any update image read from USB before it is installed). Researchers have also shown that dongles plugged into the car can themselves be exploited to give an attacker access to vehicle functions.

  • ADAS System

The main features of this ADAS (Advanced Driver Assistance System) are the LDW (Lane Departure Warning), ACC (Adaptive Cruise Control) and the Brake Assistance/Collision Avoidance System.

If the attacker would be able to inject malicious data into these systems or force the sensors to read false data, it could lead to major safety issues, which could consequently cause material damage or injury to the driver and the passengers.

  • DSRC-based receiver (V2X)

DSRC (Dedicated Short-Range Communications) is a high-speed wireless technology with a medium range (under 1 km) and very low latency (in the order of 50 ms), designed specifically for the automotive domain. It is one of the key wireless protocols for the upcoming V2V and V2I technologies. It is built on the same foundations as existing Wi-Fi: DSRC uses IEEE 802.11p, an amendment to the IEEE 802.11 standard for vehicular environments.

Because it is based on a standard similar to Wi-Fi, it is vulnerable to similar attacks, including jamming, spoofing of messages, interference and attacks on user privacy (tracking vehicles by the identifiers they broadcast).

  • DAB Radio

The DAB (Digital audio broadcasting) radio broadcasts digital audio radio services and it is used in most countries in Europe and Asia. The radio is in most cases integrated into the Infotainment center and as such connected to the internal CAN network.

Andy Davis, a security researcher at NCC Group, demonstrated in 2015 that a vehicle can be attacked through its DAB radio. He built a fake DAB station that broadcast malicious data to the targeted car and compromised the infotainment unit; from that point an attacker could reach critical controls such as the steering and the brakes.

  • TPMS

The TPMS (Tire Pressure Monitoring System) system is used to monitor the air pressure inside the tires and notify the driver if the pressure is too low. The system is supposed to increase the safety of the vehicle by notifying the driver in time about potential problems with the tires.

The main vulnerability of the system is that it broadcasts a specific ID number, which can be used to identify the car and as such could be used for tracking specific vehicles. Even though the range of TPMS sensors is around 40 meters it still represents an interesting attack surface that could be exploited by the attackers.

  • GPS

The GPS (Global Positioning System) is a technology that most cars today have that is used to help the drivers find the right path to their destination. The reason it is vulnerable is that an attacker can use this system to locate and track specific vehicles as well as extract GPS history and get information about driver’s recent routes and home address. The attack surface is mainly seen as a threat to privacy.

  • eCall

eCall is a European Union initiative that allows the car to call the emergency services automatically and send its location after a serious traffic accident. According to the EU, this feature would cut emergency response times by up to 40% in urban areas and 50% in the countryside, saving up to 2,500 lives every year. Few cars have eCall today, but because of its connection to the mobile network it is a feature attackers could target in the future.

  • EV Charging port

Electric vehicles become more popular every year, and manufacturers such as Tesla operate their own networks of charging stations around the world. The main threat to the EV charging port comes through the charging stations themselves: they are usually connected to the Internet and handle the driver's personally identifiable information (PII) and payment details when a car connects. A security expert working for a company that produces these charging stations presented several attack scenarios in a recent talk, including identity theft, financial theft and denial-of-service attacks that could affect the smart grid to which these stations will be connected in the future.

  • CD/DVD Player

Most vehicles still have a CD/DVD player in the infotainment unit, and although it sounds unlikely that a music CD could be used to attack a car, it has been done. Researchers have shown that a specially crafted audio file (a modified WMA file in the published research) played from the disc can compromise the player, which is integrated into the infotainment unit and therefore connected to the internal CAN network.

  • WiFi

The Wi-Fi connection is a new feature of vehicles today. The vehicle can offer this in a form of a hot spot over a dedicated 3G/4G connection, and in this case, the vehicle owner would have to pay additional fees to use the feature. The other form of this function is to use the Internet connection of the driver’s smartphone in which case no additional charges would be made. In both cases, the Wi-Fi connection is broadcasted through the in-vehicle system.

This interface gives direct wireless access to the vehicle; although the range is limited, it can still be used to perform an attack. The initial attack can be used to infect the vehicle with malware, which would enable the attacker to access the car later on, possibly from a greater distance using the vehicle’s cellular connection. Recent attacks have shown that this interface can be used to perform attacks allowing the attackers to disable the alarm system, control the vehicle lights, drain the battery or even control the brakes of the vehicle.

I hope you got an idea on the components that are very important part of the connected cars. If you like it please comment and share.

Parminder Singh


Email: singhvicky1516@gmail.com

Threat Modelling for Automotive – Part 1

  1. INTRODUCTION

Cars are becoming more intelligent and connected, and this technological transformation also makes modern vehicles vulnerable to cyber attacks. Cars used to be closed systems, and automotive systems were not designed with security in mind. Recent security breaches in the automotive domain have raised the issue with the industry and the public, making it clear that security is a critical concern with an impact on public and road safety, especially as new technologies such as autonomous driving and intelligent transport systems (ITS) become reality.

Rigorous security engineering in the development of automotive systems is required to address both the safety and the security of modern vehicles, and security analysis is one of the important building blocks in this process. Because vehicles were not designed with security in mind they are open to many kinds of attack, and since our day-to-day lives depend on them their safety matters. This is where threat modelling comes in. Threat modelling is a technique for security analysis; as a concept it has been covered extensively in previous work. For automotive applications, the development team needs to consider more than just safety in its threat models.

In this post we focus on understanding connected cars in depth and on designing a threat model for them in order to analyse the car's risks and attack vectors. We will build a threat model of a connected car to derive potential security problems from a system specification.

The main objectives are listed below:

  • Understanding Threat Modeling
    • STRIDE
    • DREAD
  • Understanding the Environment of car.
  • Major Components of Car.
    • ECU
    • CAN Bus
    • OBD-II
    • Infotainment
  • Understanding how Automotive car works.
  • Attack Vectors.
  • Understanding Microsoft Threat Modelling Tool
  • Creating a Threat Modeling diagram
  • Risks / Threat that are identified.
  • Preventing the risks and providing recommendations

We will use the Microsoft Threat Modeling Tool to draw the data-flow diagram of the car's components and to enumerate, for each element and trust boundary, the threats and attack types that apply.

  2. REQUIREMENT ANALYSIS

 2.1. H/W CONFIGURATION

Speed 2.3 GHz
Processor i5
RAM 4GB
Hard Disk 500GB

Table 1. H/W Configuration

 2.2. S/W CONFIGURATION

Operating System Windows 10
Tools Microsoft Threat Modelling Tool 2016

Table 2. S/W Configuration

  3. THREAT MODELLING

 Security has become a major concern in recent years with hacks becoming bigger and risks becoming greater. Today’s software must be built with the ability to combat and cope with various malicious attacks, and yet, many software developers still might miss a crucial step while creating a secure SDLC (software development life cycle) process. In order to ensure secure software development, alongside conducting risk management, one of the first steps in your SDLC should be Threat Modelling.

Threat modelling is the process that improves software and network security by identifying and rating the potential threats and vulnerabilities your software may face, so that you can fix security issues before it’s too late. The process is then followed by defining countermeasures, which will prevent those same threats and exploits likely to put your system at risk. This allows you to address threats with the appropriate solutions in a logical order, starting with the ones, which present the greatest risk.

Starting this process early in the software development life cycle matters, because identifying and rating potential threats and weaknesses while the architecture is still being worked out can lead to significant, and at that stage cheap, design changes. While threat modelling has been used by some industries for years, it has not been well integrated into many automotive suppliers' development processes. Because the automotive industry has historically paid little attention to the security of the car, the risks and threats are high: malicious hacking that attempts to steal information or access the vehicle's control system may render the vehicle uncontrollable, leading to accidents and information hazards.

Below Figure 1 illustrates the steps that are involved in Threat Modeling.

fig 1.png

Figure 1. Steps involved in Threat Modelling

The threat-modelling process can be divided into five main steps:

  • Vision – Begin by envisioning how the product (e.g., infotainment unit, braking system, tire pressure monitor, etc.) will be used and potentially abused.
  • Model – Create a model that describes the product’s functionality.
  • Identify threats – Use the model to identify potential threats to the product and the assets it protects.
  • Mitigate – For each threat, document existing mitigations and identify gaps.
  • Validate – Finally, validate the accuracy of the model, threats, and mitigation.

3.1. STRIDE

STRIDE is a classification scheme for characterising known threats according to the kind of exploit used (or the attacker's motivation). The acronym is formed from the first letter of each of the following categories.

The following Table illustrates the STRIDE model more clearly. We need to understand the STRIDE model clearly to proceed with Threat Modelling for automotive.

Threat | Property violated | Definition | Example
Spoofing | Authentication | Impersonating something or someone else | Pretending to be Bill Gates, Paypal.com or ntdll.dll
Tampering | Integrity | Modifying data or code | Modifying a DLL on disk or DVD, or a packet as it traverses the network
Repudiation | Non-repudiation | Claiming to have not performed an action | "I didn't send that email", "I didn't modify the file", "I certainly didn't visit that website, dear!"
Information Disclosure | Confidentiality | Exposing information to someone not authorised to see it | Allowing someone to read the Windows source code; publishing a list of customers to a web site
Denial of Service | Availability | Denying or degrading service to users | Crashing Windows or a web site, sending a packet that absorbs seconds of CPU time, or routing packets into a black hole
Elevation of Privilege | Authorisation | Gaining capabilities without proper authorisation | Allowing a remote Internet user to execute commands is the classic example, but going from a limited user to admin is also EoP

Table 3. STRIDE Threat Modelling

3.2. DREAD

DREAD is a classification scheme for quantifying, comparing and prioritising the amount of risk presented by each evaluated threat. DREAD modelling influences the thinking behind setting the risk rating, and is used directly to sort the risks. The DREAD algorithm, shown below, is used to compute a risk value, which is an average of all five categories.

fig 2.png

Figure 2. DREAD Categorisation

Here are some examples of how to quantify the DREAD categories.

Using DREAD can be difficult at first. It helps to think of Damage Potential and Affected Users as the Impact side, and of Reproducibility, Exploitability and Discoverability as the Probability side, which is the Impact vs. Probability approach used by, for example, NIST SP 800-30. A plain five-way average lets probability dominate, since three of the five terms belong to it; a common adjustment is to average the two impact scores and the three probability scores separately and then average those two results, so that each side carries equal weight. With category scores on a 0 to 10 scale the result always lies between 0 and 10 (on the 1 to 3 scale used below, between 1 and 3); the higher the number, the more serious the risk.

There are several ways to quantitatively or qualitatively determine the risk ranking for a threat. These range from the simple, non-scientific, Delphi heuristic methodology to more statistically sound risk ranking using the probability of impact and the business impact.

The three common ways to rank threats are:

3.2.1. Delphi ranking

The Delphi technique of risk ranking is one in which each member of the threat modelling team makes his or her best estimate of the level of risk for a particular threat. During a Delphi risk ranking exercise, individual opinions on the level of risk for a particular threat are stated, and the stated opinions are not questioned but accepted as given. The individuals chosen for this exercise include both members with expert-level skills and members who are not skilled, but the participants only communicate their opinions to a facilitator. This avoids dominance by strong personalities who could otherwise sway the risk rank of a threat.

The facilitator must provide, in advance, predefined ranking criteria (1 – Critical, 2 – Severe, 3 – Minimal) along with the list of identified threats, to ensure that the same ranking criteria are used by all members. The criteria are often based merely on the potential impact of the threat materialising and the ranking process is performed until there is consensus or confidence in the way the threats are ranked.

While this may be a quick method to determine the consensus of the risk potential of a threat, it may not provide a complete picture of the risk and should be used sparingly and only in conjunction with other risk ranking methodologies. Furthermore, ambiguous or undefined risk ranking criteria and differing viewpoints and backgrounds of the participants can lead to the results’ being diverse and the process itself, inefficient.

3.2.2. Average ranking

Another methodology to rank the risk of the threat is to calculate the average of numeric values assigned to risk ranking categories. One such risk ranking categorization framework is DREAD, which is an acronym for Damage Potential, Reproducibility, Exploitability, Affected Users, and Discoverability.

Each category is assigned a numerical range and it is preferred to use a smaller range (such as 1 to 3 instead of 1 to 10) to make the ranking more defined, the vulnerabilities less ambiguous, and the categories more meaningful.

3.2.2.1. Damage Potential

If a threat exploit occurs, how much damage will be caused?

1 = Nothing

2 = Individual user data is compromised or affected.

3 = Complete system or data destruction

3.2.2.2. Reproducibility

How easy is it to reproduce the threat exploit?

1 = Very hard or impossible, even for administrators of the application.

2 = One or two steps required, may need to be an authorized user.

3 = Just a web browser and the address bar is sufficient, without authentication.

3.2.2.3. Exploitability

What is needed to exploit this threat?

1 = Advanced programming and networking knowledge, with custom or advanced attack tools.

2 = Malware exists on the Internet, or an exploit is easily performed, using available attack tools.

3 = Just a web browser

3.2.2.4. Affected Users

How many users will be affected?

1 = None

2 = Some users, but not all

3 = All users

3.2.2.5. Discoverability

How easy is it to discover this threat?

1 = Very hard to impossible; requires source code or administrative access.

2 = Can figure it out by guessing or by monitoring network traces.

3 = The information is visible in the web browser address bar or in a form.

Note: When performing a security review of an existing application, Discoverability is often set to the maximum value by convention (3 on this scale, 10 on a 1 to 10 scale), since it is assumed that the issue will eventually be discovered.

Risk_DREAD = (DAMAGE + REPRODUCIBILITY + EXPLOITABILITY + AFFECTED USERS + DISCOVERABILITY) / 5

Threats | D | R | E | A | DI | Average (D+R+E+A+DI)/5 | Rank
Injury via Faulty Design | 3 | 2 | 3 | 2 | 1 | 2.2 | High
Public Transportation | 3 | 3 | 3 | 3 | 3 | 3.0 | High
Privacy Concerns | 2 | 2 | 2 | 2 | 1 | 1.8 | Medium
Misuse of Technology | 3 | 3 | 2 | 2 | 1 | 2.2 | High
Feature deactivation | 2 | 2 | 3 | 2 | 3 | 2.4 | High
Espionage | 3 | 1 | 2 | 2 | 2 | 2.0 | Medium
Theft | 1 | 1 | 3 | 2 | 1 | 1.6 | Medium

High: 2.1 to 3.0, Medium: 1.1 to 2.0, Low: 0.1 to 1.0

Table 4. Average Ranking

Below is the radar Diagram for the given Table 4.:

fig 3.png

Figure 3. RADAR Diagram for Average Ranking DREAD Model

3.2.3. Probability x Impact (P x I) ranking

Conventional risk management calculation of the risk to a threat materialising or to exploiting a vulnerability is performed by using the product of the probability (likelihood) of occurrence and the impact the threat will have on business operations, if it materialises. Companies that use risk management principles for their governance use the formula shown below to assign a risk ranking to the threats and vulnerabilities.

Risk = Probability of Occurrence X Business Impact

This methodology is relatively more scientific than the Delphi or the average ranking methodology. For the probability-times-impact (P x I) ranking methodology, we will once again take into account the DREAD framework. The risk rank will be computed using the formula given below.

Risk = Probability of Occurrence X Business Impact

Risk = (Rvalue + Evalue + DIvalue) X (Dvalue + Avalue)

Table below is an example illustrating the use of the P x I ranking methodology to rank various automotive threats.

Threats | R | E | DI | D | A | P = R+E+DI | I = D+A | Risk = P x I
Injury via Faulty Design | 2 | 3 | 1 | 3 | 2 | 6 | 5 | 30
Public Transportation | 3 | 3 | 2 | 3 | 3 | 8 | 6 | 48
Privacy Concerns | 2 | 2 | 1 | 2 | 2 | 5 | 4 | 20
Misuse of Technology | 3 | 2 | 1 | 3 | 2 | 6 | 5 | 30
Feature (de)activation | 3 | 3 | 3 | 3 | 2 | 9 | 5 | 45
Espionage | 1 | 2 | 2 | 3 | 2 | 5 | 5 | 25
Theft | 1 | 3 | 1 | 1 | 2 | 5 | 3 | 15
Audit Log Deletion | 0 | 0 | 3 | 1 | 1 | 3 | 2 | 6

R, E, DI = Probability of Occurrence (P); D, A = Impact (I). High: 41 to 60, Medium: 21 to 40, Low: 0 to 20

Table 5. Probability x Impact (P x I) Ranking

fig 4.png

Figure 4. RADAR Diagram for Probability x Impact (P x I) Ranking

From this example we can see that the Public Transportation (48) and Feature (de)activation (45) threats are high risk and need to be mitigated immediately, while Injury via Faulty Design (30), Misuse of Technology (30) and Espionage (25) are medium risk and should have a mitigation plan in place as soon as possible.

Privacy Concerns (20), Theft (15) and Audit Log Deletion (6) have a low risk rank and may be acceptable. To prioritise work within the high-risk items (Public Transportation and Feature (de)activation), we can use the computed P x I rank, or either the probability of occurrence (P) or the business impact (I) on its own.

While the Delphi methodology usually focuses on risk from a business impact vantage point, the average ranking methodology, when using the DREAD framework, takes into account both business impact (Damage potential, Affected users) and the probability of occurrence (Reproducibility, Exploitability, and Discoverability).

However, because of averaging the business impact and probability-of-occurrence values uniformly, the derived risk rank value does not give insight into the deviation (lower and upper limits) from the average. This can lead to uniform application of mitigation efforts to all threats, thereby potentially applying too much mitigation control effort on threats that are not really certain or too little mitigation control effort on threats that are serious.

The P x I ranking methodology gives insight into risk as a measure of both probability of occurrence and the business impact independently, as well as when considered together. This allows the design team the flexibility to reduce the probability of occurrence or alleviate the business impact independently or together, once it has used the P x I risk rank to prioritise where to focus its mitigation efforts. Additionally, the P x I methodology gives a more accurate picture of the risk.
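Both rankings discussed above, the DREAD average of Table 4 and the P x I product of Table 5, as an added example that is not part of the original post. The 1 to 3 scores are taken from Table 5 (so Feature (de)activation averages 2.8 here rather than the 2.4 of Table 4, which scored it differently), the bands are the ones printed under each table, and the equal-weight variant mentioned earlier (impact and probability averaged separately, then combined) is included for comparison. Column order (R, E, DI, D, A) and the tie-break rule are choices made for this example.

```python
from typing import Dict, List, Tuple

# Scores per threat as (R, E, DI, D, A) on the 1-3 scale, copied from Table 5.
SCORES: Dict[str, Tuple[int, int, int, int, int]] = {
    "Injury via Faulty Design": (2, 3, 1, 3, 2),
    "Public Transportation":    (3, 3, 2, 3, 3),
    "Privacy Concerns":         (2, 2, 1, 2, 2),
    "Misuse of Technology":     (3, 2, 1, 3, 2),
    "Feature (de)activation":   (3, 3, 3, 3, 2),
    "Espionage":                (1, 2, 2, 3, 2),
    "Theft":                    (1, 3, 1, 1, 2),
    "Audit Log Deletion":       (0, 0, 3, 1, 1),
}


def dread_average(r: int, e: int, di: int, d: int, a: int) -> float:
    """Risk_DREAD = (D + R + E + A + DI) / 5, the Table 4 formula."""
    return round((d + r + e + a + di) / 5, 2)


def dread_balanced(r: int, e: int, di: int, d: int, a: int) -> float:
    """Equal-weight variant: average impact (D, A) and probability (R, E, DI) separately, then combine."""
    impact = (d + a) / 2
    probability = (r + e + di) / 3
    return round((impact + probability) / 2, 2)


def probability_impact(r: int, e: int, di: int, d: int, a: int) -> Tuple[int, int, int]:
    """P = R + E + DI, I = D + A, Risk = P x I, the Table 5 formula. Returns (P, I, Risk)."""
    p, i = r + e + di, d + a
    return p, i, p * i


def band_average(score: float) -> str:
    """Bands printed under Table 4: High 2.1-3.0, Medium 1.1-2.0, Low 0.1-1.0."""
    if score > 2.0:
        return "High"
    if score > 1.0:
        return "Medium"
    return "Low"


def band_pxi(risk: int) -> str:
    """Bands printed under Table 5: High 41-60, Medium 21-40, Low 0-20."""
    if risk > 40:
        return "High"
    if risk > 20:
        return "Medium"
    return "Low"


def rank(scores: Dict[str, Tuple[int, int, int, int, int]] = SCORES) -> List[dict]:
    """Score every threat both ways and order by P x I; ties go to the higher probability,
    since reducing probability (e.g. closing an interface) is usually the cheaper fix."""
    rows = []
    for threat, s in scores.items():
        avg = dread_average(*s)
        p, i, risk = probability_impact(*s)
        rows.append({
            "threat": threat,
            "average": avg, "average_band": band_average(avg),
            "balanced": dread_balanced(*s),
            "P": p, "I": i, "risk": risk, "risk_band": band_pxi(risk),
        })
    rows.sort(key=lambda row: (row["risk"], row["P"]), reverse=True)
    return rows


def by_threat(name: str, scores: Dict[str, Tuple[int, int, int, int, int]] = SCORES) -> dict:
    return next(row for row in rank(scores) if row["threat"] == name)


if __name__ == "__main__":
    print(f"{'Threat':<26}{'Avg':>5} {'Band':<7}{'Bal':>5}{'P':>3}{'I':>3}{'PxI':>5} Band")
    for row in rank():
        print(f"{row['threat']:<26}{row['average']:>5} {row['average_band']:<7}"
              f"{row['balanced']:>5}{row['P']:>3}{row['I']:>3}{row['risk']:>5} {row['risk_band']}")
```

Running it reproduces the Table 5 column values and shows the point made in the text: Espionage (P 5, I 5) and Privacy Concerns (P 5, I 4) sit on either side of the Low/Medium boundary only because of their impact scores, which the averaged rank alone would not reveal.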

Rating | High (4-5) | Medium (2-3) | Low (1)
D Damage potential | Attacker subverts the security system, gets full trust authorisation, runs as admin, uploads content | Leaking sensitive information | Leaking trivial information
R Reproducibility | The attack can be reproduced every time and does not require a timing window | The attack can be reproduced, but only within a timing window and a particular race situation | The attack is very difficult to reproduce, even with knowledge of the security hole
E Exploitability | A novice programmer could carry out the attack in a short time | A skilled programmer could carry out the attack, then repeat the steps | The attack requires an extremely skilled person and in-depth knowledge every time to exploit
A Affected users | All users, default configuration, key customers | Some users, non-default configuration | Very small percentage of users, obscure feature; affects anonymous users
DI Discoverability | Published information explains the attack. The vulnerability is found in the most commonly used feature and is very noticeable. | The vulnerability is in a seldom-used part of the product, and only a few users should come across it. It would take some thinking to see malicious use. | The bug is obscure, and it is unlikely that users will work out its damage potential.

Table 6. An Example of a DREAD Table

In this post we learned about threat modelling and the different ways of ranking threats, and which ranking method is more effective. In the next part we will look at the internal components of connected cars. Please do like and share the post. Thanks!

Parminder Singh


Email: singhvicky1516@gmail.com

SDLC (SECURE DEVELOPMENT LIFE CYCLE)

The Microsoft Security Development Lifecycle (Microsoft SDL) is a software development process based on the spiral model, which has been proposed by Microsoft to help developers create applications or software while reducing security issues, resolving security vulnerabilities and even reducing development and maintenance costs. The process is divided into seven phases: training, requirements, design, implementation, verification, release and response.

The training phase is essential because practice is considered a requirement for the implementation of SDL. Concepts found in this phase include secure design, threat modeling, secure coding, security testing and practices regarding privacy. The requirements phase, on the other hand, includes the establishment of security and privacy that end-users require. Creating good quality gates/bug bars, and performing security and privacy risk assessments is part of the second phase.

Phase | Practices
TRAINING | Core Security Training
REQUIREMENTS | Establish Security Requirements; Create Quality Gates / Bug Bars; Perform Security and Privacy Risk Assessments
DESIGN | Establish Design Requirements; Perform Attack Surface Analysis / Reduction; Use Threat Modeling
IMPLEMENTATION | Use Approved Tools; Deprecate Unsafe Functions; Perform Static Analysis
VERIFICATION | Perform Dynamic Analysis; Perform Fuzz Testing; Conduct Attack Surface Review
RELEASE | Create an Incident Response Plan; Conduct Final Security Review; Certify Release and Archive
RESPONSE | Execute Incident Response Plan

Table 1. SDLC

The third phase, design, considers security and privacy concerns up front, which reduces the risk of costly fixes and public repercussions later. Attack surface analysis and reduction, together with threat modelling, give an organised way of working through threat scenarios at design time. During implementation the team uses approved tools and compilers, deprecates unsafe functions and runs static analysis on the source; the verification phase then exercises the built software with dynamic analysis, fuzz testing and a review of the attack surface against what was designed.

The release phase includes the final review of all the security activities that will help ensure the software’s security capacity. After the release phase comes the response phase to implement the incident response plan that was prepared during the release phase. This is crucial because it guards end-users from software vulnerabilities that can emerge and harm the software and/or the user.

Creating a secure Software Development Life Cycle (sSDLC) is starting to become one of the most comprehensive ways of ensuring safe web and mobile application development. But the three fundamentally different patterns implemented in today’s leading application development organisations are posing a huge challenge on the security front.

  • Waterfall (Sequential Design Process)
  • Agile/DevOps (Iterative Development)
  • Continuous Integration / Continuous Delivery (CI/CD)

 The following tracks are integral to SDL implementation and each is explained in greater detail in focused sections further in this online artifact.

  • Developer Security Training – Ongoing courses provided to developers to improve their understanding of techniques for identifying and mitigating security vulnerabilities. Training focuses on topics including threat modelling, DAST testing, and coding techniques to prevent common defects such as SQL injection.
  • Design/Architecture Review – A collaborative effort between the ISV Customer Development/Engineering teams and their own product security group to assess and develop application or service design patterns that mitigate risk to the platform and associated applications and services.
  • Threat Modeling – A structured approach for analyzing the security of an application, with special consideration for boundaries between logical system components which often communicate across one or more networks.
  • Security User Stories / Security Requirements – A description of functional and non-functional attributes of a software product and its environment which must be in place to prevent security vulnerabilities. Security user stories/requirements are written in the style of a functional user story/requirement.
  • Automated Dynamic Application Security Testing (DAST) – A process of testing an application or software product in an operating state, implemented by a web application security scanner.
  • Automated Static Application Security Testing (SAST) – A process of testing an application or software product in a non-operating state, analyzing the source code for common security vulnerabilities.
  • Penetration Testing – Hands-on security testing of a runtime system. This sort of testing uncovers more complex security flaws that may not be caught by DAST or SAST tools.

Integration of security code review into the System Development Life Cycle (SDLC) can yield dramatic results to the overall quality of the code developed. Security code review is not a silver bullet, but is part of a healthy application development diet. Consider it as one of the layers in a defence-in-depth approach to application security. Security code review is also a cornerstone of the approach to developing secure software.

The idea of integrating a phase into your SLDC may sound daunting, yet another layer of complexity or an additional cost, but in the long term and in today’s cyber landscape it is cost effective, reputation building, and in the best interest of any business to do so.

Big organizations often have more than one of these practices in use simultaneously, as per the needs of the different development teams working on the project.

The testing phase requires the following steps:

  1. Fuzz testing
  2. Penetration testing
  3. Run-time verification
  4. Re-reviewing threat models
  5. Reevaluating the attack surface

Let’s look at each task in detail.

  • Fuzzing:

Fuzzing means creating malformed data and having the application under test consume the data to see how the application reacts. If the application fails unexpectedly, a bug has been found. The bug is a reliability bug and, possibly, also a security bug. Fuzzing is aimed at exercising code that analyzes data structures, loosely referred to as parsers.

There are three broad classes of parser:

  1. File format parsers. Examples include code that manipulates graphic images (JPEG, BMP, WMF, TIFF) or document and executable files (DOC, PDF, ELF, PE, SWF).
  2. Network protocol parsers. Examples include SMB, TCP/IP, NFS, SSL/TLS, RPC, and AppleTalk. You can also fuzz the order of network operations—for example, by performing a response before a request.
  3. APIs and miscellaneous parsers. Examples include browser-pluggable protocol handlers (such as callto:).
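
The three parser classes above are what a fuzzer feeds. The loop below is an added example, constructed for this page and not the author's code, of the idea in miniature: a small length-prefixed record format and its bounds-checked parser, a deterministic mutator that truncates or byte-flips a valid seed input, and a harness that counts how many mutated inputs the parser rejects. The record format, the `parse_records`, `mutate` and `fuzz_parser` names, and the xorshift PRNG are all assumptions of the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Constructed wire format for this example: [u8 count] followed by count records,
   each [u8 len][len bytes]. Returns the record count on success, -1 if the input is
   malformed or truncated. Every read is bounds-checked against len. */
int parse_records(const uint8_t *buf, size_t len)
{
    if (buf == NULL || len < 1) return -1;
    int count = buf[0];
    size_t pos = 1;
    for (int i = 0; i < count; i++) {
        if (pos >= len) return -1;          /* the length byte itself is missing */
        size_t rlen = buf[pos++];
        if (rlen > len - pos) return -1;    /* the record body would run past the end */
        pos += rlen;
    }
    return count;
}

/* xorshift32: a tiny deterministic PRNG, so any failing case is reproducible from the seed. */
static uint32_t xs32(uint32_t *s)
{
    uint32_t x = *s;
    x ^= x << 13; x ^= x >> 17; x ^= x << 5;
    return *s = x;
}

/* One mutation of the seed input: copy it, then either truncate it (every 4th case)
   or flip 1..4 random bytes with random masks. Returns the mutated length. */
size_t mutate(const uint8_t *seed, size_t seed_len, uint8_t *out, uint32_t *rng, int iteration)
{
    memcpy(out, seed, seed_len);
    if (seed_len > 1 && iteration % 4 == 0)
        return 1 + xs32(rng) % (seed_len - 1);        /* keep 1..seed_len-1 bytes */
    int flips = 1 + (int)(xs32(rng) % 4);
    for (int i = 0; i < flips; i++) {
        size_t at = xs32(rng) % seed_len;
        out[at] ^= (uint8_t)xs32(rng);
    }
    return seed_len;
}

/* Fuzz loop: runs `iterations` mutated cases through the parser and returns how many it
   rejected. The property under test is that the parser never reads outside buf; a real
   run compiles this with AddressSanitizer (or runs under AppVerifier on Windows) so that
   an out-of-bounds read aborts instead of passing silently. Returns -1 on bad arguments. */
int fuzz_parser(uint32_t seed, int iterations)
{
    const uint8_t corpus[] = { 2, 3, 'a', 'b', 'c', 1, 'x' };   /* valid seed: 2 records */
    uint8_t buf[sizeof corpus];
    uint32_t rng = seed ? seed : 1;   /* xorshift must not start from zero */
    int rejected = 0;
    if (iterations < 0) return -1;
    for (int it = 0; it < iterations; it++) {
        size_t n = mutate(corpus, sizeof corpus, buf, &rng, it);
        if (parse_records(buf, n) < 0) rejected++;
    }
    return rejected;
}
```

A parser that returns -1 on every malformed case and never touches memory past `len` is the goal; the reliability bug the text mentions is exactly the case where a length byte is trusted without the `rlen > len - pos` check.
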

  • Run-Time Verification

The final testing method is run-time verification testing using tools such as AppVerif to detect certain kinds of bugs in the code as it executes. AppVerif has been discussed earlier in the chapter as part of the fuzz-testing process. However, its usefulness extends beyond fuzz testing; it can also be used to find serious security flaws during normal testing or analysis. Hence, you should run the application regularly by using AppVerif, and you should review the log files to make sure there are no issues that require fixing. Microsoft Windows includes a tool called Driver Verifier (Verifier.exe) to perform similar tests on device drivers (Microsoft 2005).

  • Reviewing and Updating Threat Models if Needed

Threat models are invaluable documents to use during security testing. Sometimes functionality and implementation change after the design phase of a project. Threat models should be reviewed to ensure that they are still accurate and comprehensively cover all functionality delivered by the software. Threat models should be used to drive and inform security testing plans. Also, the riskiest portions of an application—usually those with the largest attack surface and the threats that are the highest risks—must be tested the most thoroughly.

  • Reevaluating the attack surface

Software development teams should carefully reevaluate the attack surface of their product during the testing stage of the SDL. Measuring the attack surface will allow teams to understand which components have direct exposure to attack and, hence, have the highest risk of damage if a vulnerability occurs in those components. Assessing the attack surface will enable the team to focus testing and code-review efforts on high-risk areas and to take appropriate corrective actions. Such actions might include deciding not to ship a component until it is corrected, disabling a component by default, or modifying development practices to reduce the likelihood that vulnerabilities will be introduced by future modifications or new developments. After the attack surface has been reevaluated, the result should be documented together with the rationale for the attack surface that remains.

  • Static Application Security Testing (SAST):

SAST (Static Application Security Testing) is a white-box testing methodology which tests the application from the inside out by examining its source code for conditions that indicate a security vulnerability might be present. SAST solutions such as Source Code Analysis (SCA) have the flexibility needed to perform in all types of SDLC methodologies.

SAST solutions can be integrated directly into the development environment. This enables the developers to monitor their code constantly. Scrum Masters and Product Owners can also regulate security standards within their development teams and organizations. This leads to quick mitigation of vulnerabilities and enhanced code integrity.

#include "stdafx.h"
/* (O) STATIC VIOLATION     : 243 S : CERT-C++:2016 PRE06-CPP: Included file not protected with #define. :      6F/* OPEN FILE C:\Users\LDRA_new1\source\repos\vulneravilityserver\vulneravilityserver\stdafx.h */ */
#include "winsock.h"
/* (O) STATIC VIOLATION     : 243 S : CERT-C++:2016 PRE06-CPP: Included file not protected with #define. :     23F/* OPEN FILE C:\Program Files (x86)\Windows Kits\10\Include\10.0.15063.0\um\winsock.h */ */
#include "windows.h" // load windows socket
#pragma comment(lib, "wsock32.lib")
/* (O) STATIC VIOLATION     : 69 S : CERT-C++:2016 MSC14-CPP: #pragma used. :     44F#pragma comment(lib, "wsock32.lib") */
// Define Return Messages
#define SS_ERROR 1
#define SS_OK 0
/*
void pr(char *str)
{
/* (O) STATIC VIOLATION     : 302 S : CERT-C++:2016 MSC04-CPP: Comment possibly contains code. :     50F{ */
    char buf[500] = " ";
    /* (O) STATIC VIOLATION     : 302 S : CERT-C++:2016 MSC04-CPP: Comment possibly contains code. :     51Fchar buf[500] = " "; */
    strcpy(buf, str);
    /* (O) STATIC VIOLATION     : 302 S : CERT-C++:2016 MSC04-CPP: Comment possibly contains code. :     52Fstrcpy(buf, str); */
}
/* (O) STATIC VIOLATION     : 302 S : CERT-C++:2016 MSC04-CPP: Comment possibly contains code. :     53F} */
*/

void sError(char * str)
{
    printf("Error %s", str);
    WSACleanup();
}

char str[5000];
/* (O) STATIC VIOLATION     : 604 S : CERT-C++:2016 DCL06-CPP: Use of numeric literal as array bound/subscript. : str: 5000 :     65F  str [ 5000 ] ; */

int main(int argc, char * argv[])
{
    WORD sockVersion;
    /* (O) STATIC VIOLATION     : 560 S : CERT-C++:2016 DCL07-CPP: Scope of variable could be reduced.          : sockVersion :     73F      sockVersion ; */
    WSADATA wsaData;
    int rVal;
    /* (O) STATIC VIOLATION     : 560 S : CERT-C++:2016 DCL07-CPP: Scope of variable could be reduced.          : rVal :     78F      rVal ; */
    int bytesRecv;
    /* (O) STATIC VIOLATION     : 560 S : CERT-C++:2016 DCL07-CPP: Scope of variable could be reduced.          : bytesRecv :     80F      bytesRecv ; */
    u_short LocalPort = 1200;
    SOCKET clientSocket;

    SOCKADDR_IN sin;
    SOCKET serverSocket;
    /* (O) STATIC VIOLATION     : 560 S : CERT-C++:2016 DCL07-CPP: Scope of variable could be reduced.          : serverSocket :     91F      serverSocket ; */
    HINSTANCE hDLL = LoadLibrary(_T("C:\\ConsoleApplication4\\Debug\\dll.dll"));
    char message[100] = "";
    /* (O) STATIC VIOLATION     : 604 S : CERT-C++:2016 DCL06-CPP: Use of numeric literal as array bound/subscript. : message: 100 :     98F      message [ 100 ] = "" ; */
    /* (O) STATIC VIOLATION     : 397 S : CERT-C++:2016 CTR02-CPP: Array initialisation has insufficient items. : message[*]; given=1, expected=100 : 98 */

    if (argv[1] == '\0')
    /* (O) STATIC VIOLATION     : 604 S : CERT-C++:2016 DCL06-CPP: Use of numeric literal as array bound/subscript. : argv: 1 :    101T      argv [ 1 ] == '\0' */
    {
        // wsock32 initialized for usage
        sockVersion = MAKEWORD(1, 1);
        /* (O) STATIC VIOLATION     : 201 S : CERT-C++:2016 DCL06-CPP,EXP07-CPP,EXP09-CPP: Use of numeric literal in expression.        : 1 :    106T        MAKEWORD ( 1 , 1 ) ; */
        /* (O) STATIC VIOLATION     : 201 S : CERT-C++:2016 DCL06-CPP,EXP07-CPP,EXP09-CPP: Use of numeric literal in expression.        : 1 : 106 */
        WSAStartup(sockVersion, &wsaData);

        // create server socket
        serverSocket = socket(AF_INET, SOCK_STREAM, 0);
        /* (O) STATIC VIOLATION     : 201 S : CERT-C++:2016 DCL06-CPP,EXP07-CPP,EXP09-CPP: Use of numeric literal in expression.        : 0 :    110T        socket ( AF_INET , SOCK_STREAM , 0 ) ; */

        if (serverSocket == INVALID_SOCKET)
        {
            sError("Failed socket()");
            /* (M) STATIC VIOLATION     : 623 S : CERT-C++:2016 STR05-CPP,STR30-C: String assigned to non const object. :    117T            sError ( */
            return SS_ERROR;
        }

        sin.sin_family = AF_INET;
        sin.sin_port = htons(LocalPort);
        sin.sin_addr.s_addr = htonl(INADDR_ANY);

        // bind the socket
        rVal = bind(serverSocket, (LPSOCKADDR)&sin, sizeof(sin));
        /* (O) STATIC VIOLATION     : 120 S : CERT-C++:2016 INT13-CPP,INT16-CPP: Use of bit operator on signed type. : & used with int: ( LPSOCKADDR ) :    129T        bind ( serverSocket , ( LPSOCKADDR ) & sin , sizeof ( sin ) */
        if (rVal == SOCKET_ERROR)
        {
            sError("Failed bind()");
            /* (M) STATIC VIOLATION     : 623 S : CERT-C++:2016 STR05-CPP,STR30-C: String assigned to non const object. :    137T            sError ( */
            WSACleanup();
            return SS_ERROR;
        }

        // get socket to listen
        rVal = listen(serverSocket, 10);
        /* (O) STATIC VIOLATION     : 201 S : CERT-C++:2016 DCL06-CPP,EXP07-CPP,EXP09-CPP: Use of numeric literal in expression.        : 10 :    145T        listen ( serverSocket , 10 ) ; */
        if (rVal == SOCKET_ERROR)
        {
            sError("Failed listen()");
            /* (M) STATIC VIOLATION     : 623 S : CERT-C++:2016 STR05-CPP,STR30-C: String assigned to non const object. :    152T            sError ( */
            WSACleanup();
            return SS_ERROR;
        }
        else
        {
            printf("Listening");
        }

        // wait for a client to connect

        clientSocket = accept(serverSocket, NULL, NULL);
        if (clientSocket == INVALID_SOCKET)
        {
            sError("Failed accept()");
            /* (M) STATIC VIOLATION     : 623 S : CERT-C++:2016 STR05-CPP,STR30-C: String assigned to non const object. :    171T            sError ( */
            WSACleanup();
            return SS_ERROR;
        }
        else { printf("\nConnected"); }
        bytesRecv = SOCKET_ERROR;

        printf("%d", bytesRecv);

        while (bytesRecv == SOCKET_ERROR)
        {

            // receive the data that is being sent by the client, max limit 5000 bytes.
            bytesRecv = recv(clientSocket, str, 5000, 0);
            /* (O) STATIC VIOLATION     : 201 S : CERT-C++:2016 DCL06-CPP,EXP07-CPP,EXP09-CPP: Use of numeric literal in expression.        : 5000 :    190T            recv ( clientSocket , str , 5000 , 0 ) ; */
            /* (O) STATIC VIOLATION     : 201 S : CERT-C++:2016 DCL06-CPP,EXP07-CPP,EXP09-CPP: Use of numeric literal in expression.        : 0 : 190 */
            printf(str);
            /* (M) STATIC VIOLATION     : 486 S : CERT-C++:2016 FIO00-CPP,FIO47-C: Incorrect number of formats in output function. : 0 formats, 1 output :    191T            printf ( str ) ; */
            strcpy(message, str);
            /* (O) STATIC VIOLATION     : 382 S : CERT-C++:2016 ERR10-CPP,EXP12-CPP,FIO04-CPP: (void) missing for discarded return value. :    192T            strcpy ( message , str ) ; */
            /* (M) STATIC VIOLATION     : 489 S : CERT-C++:2016 ARR30-C,ARR39-C,CTR50-CPP,STR31-C,STR50-CPP: Insufficient space for operation.            : required = 5000, available = 100 : 192 */

            if (bytesRecv == 0 || bytesRecv == WSAECONNRESET)
            /* (O) STATIC VIOLATION     : 201 S : CERT-C++:2016 DCL06-CPP,EXP07-CPP,EXP09-CPP: Use of numeric literal in expression.        : 0 :    195T              bytesRecv == 0 */
            /* (O) STATIC VIOLATION     : 49 S : CERT-C++:2016 EXP00-CPP: Logical conjunctions need brackets. : 195 */
            /* (O) STATIC VIOLATION     : 49 S : CERT-C++:2016 EXP00-CPP: Logical conjunctions need brackets. :    197T              bytesRecv == WSAECONNRESET */
            {
                printf("\nConnection Closed.\n");
                break;
            }
        }

        // Pass the data received to the function pr
        //pr(Message);
        /* (O) STATIC VIOLATION     : 302 S : CERT-C++:2016 MSC04-CPP: Comment possibly contains code. :    205F         //pr(Message); */

        // close client socket
        closesocket(clientSocket);
        // close server socket
        closesocket(serverSocket);

        WSACleanup();

        return SS_OK;
    }
    else
    {
        printf("argument :%s", argv[1]);
        /* (O) STATIC VIOLATION     : 604 S : CERT-C++:2016 DCL06-CPP: Use of numeric literal as array bound/subscript. : argv: 1 :    216T        printf ( "argument :%s" , argv [ 1 ] ) ; */
        strcpy(message, argv[1]);
        /* (O) STATIC VIOLATION     : 382 S : CERT-C++:2016 ERR10-CPP,EXP12-CPP,FIO04-CPP: (void) missing for discarded return value. :    217T        strcpy ( message , argv [ 1 ] ) ; */
        /* (O) STATIC VIOLATION     : 604 S : CERT-C++:2016 DCL06-CPP: Use of numeric literal as array bound/subscript. : argv: 1 : 217 */
    }
    WSACleanup();

}
/* (M) STATIC VIOLATION     : 527 S : CERT-C++:2016 ERR51-CPP,ERR56-CPP: No master exception handler. :    220T  } */
/* (O) VIOLATION            :  5 Q : CERT-C++:2016 MSC15-CPP: File does not end with new line. : C:\Users\LDRA_new1\source\repos\vulneravilityserver\vulneravilityserver\vulneravilityserver.cpp :    221F  */
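
The two findings rated (M) in the listing above are the ones that matter for memory safety: `printf(str)` passes attacker-controlled data as a format string, and `strcpy(message, str)` copies up to 5000 received bytes into a 100-byte array. What follows is an added example of the corrected pattern in portable C (not the post's code, and without the Winsock calls so it builds anywhere): a bounded copy that fails closed, a helper that derives a safe length from the byte count `recv()` returns, and a `"%.*s"` print. The `RECV_BUF_SIZE` and `MESSAGE_SIZE` constants mirror the sizes in the listing; the function names and the `receive_scenario` driver are assumptions of the example.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define RECV_BUF_SIZE 5000   /* size of the server's receive buffer `str` in the listing */
#define MESSAGE_SIZE  100    /* size of the server's destination `message` in the listing */

/* Bounded copy that fails closed. Returns 0 on success, -1 if src_len bytes plus the
   NUL terminator would not fit in dst. This replaces the unchecked strcpy(message, str). */
int copy_message(char *dst, size_t dst_size, const char *src, size_t src_len)
{
    if (dst == NULL || dst_size == 0) return -1;
    if (src == NULL || src_len >= dst_size) {
        dst[0] = '\0';               /* leave the destination in a defined state */
        return -1;
    }
    memcpy(dst, src, src_len);
    dst[src_len] = '\0';
    return 0;
}

/* recv() returns a byte count and does not NUL-terminate. Derive the usable length:
   up to the first NUL if the peer sent one, never more than bytes_recv, and never
   past the end of the buffer. Returns 0 for a closed connection or an error. */
size_t received_length(const char *buf, size_t buf_size, int bytes_recv)
{
    if (buf == NULL || bytes_recv <= 0) return 0;
    size_t n = (size_t)bytes_recv;
    if (n > buf_size) n = buf_size;
    const char *nul = (const char *)memchr(buf, '\0', n);
    return nul ? (size_t)(nul - buf) : n;
}

/* Echo received data without interpreting it: an explicit "%.*s" format with a length
   bound fixes printf(str). Returns the number of characters written. */
int print_received(const char *buf, size_t len)
{
    return printf("%.*s", (int)len, buf);
}

/* One iteration of the server's receive loop, rewritten. Returns 0 if the data was
   copied into message, -1 if the connection closed, recv failed, or the data did not fit. */
int handle_received(const char *str, size_t str_size, int bytes_recv,
                    char *message, size_t message_size)
{
    if (bytes_recv <= 0) return -1;
    size_t len = received_length(str, str_size, bytes_recv);
    print_received(str, len);
    return copy_message(message, message_size, str, len);
}

/* Constructed scenario (not real traffic): the peer sends payload_len bytes of 'A'
   into the server's RECV_BUF_SIZE buffer. Returns handle_received's result. */
int receive_scenario(size_t payload_len)
{
    static char str[RECV_BUF_SIZE];
    static char message[MESSAGE_SIZE];
    if (payload_len > RECV_BUF_SIZE) return -1;
    memset(str, 'A', payload_len);
    memset(message, 0, sizeof message);
    return handle_received(str, sizeof str, (int)payload_len, message, sizeof message);
}
```

With this shape the 5000-into-100 case that LDRA flagged as "Insufficient space for operation" becomes a rejected message rather than a stack write past the end of `message`, and a peer can no longer steer `printf` with `%` sequences.
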

  • Dynamic Application Security Testing (DAST):

DAST (Dynamic Application Security Testing) is a black-box security testing methodology in which an application is tested from the outside in, by examining the application in its running state and trying to attack it just like an attacker would. Black-box testing is ideally suited to Waterfall environments, but falls short in the more progressive development methods due to its inherent limitations: DAST tools cannot be used on source code or uncompiled application code, which delays security testing until the later stages of development.

  • Interactive Application Security Testing (IAST):

IAST is designed to address the shortcomings of SAST and DAST by combining elements of both approaches. IAST places an agent within an application and performs all its analysis in the app in real time, anywhere in the development process: IDE, continuous integration environment, QA or even production. Because both SAST and DAST are older technologies, there are those who argue they lack what it takes to secure modern web and mobile apps. For example, SAST has a difficult time dealing with libraries and frameworks found in modern apps, because static tools only see code they can follow. What’s more, libraries and third-party components often cause static tools to choke, producing “lost sources” and “lost sinks” messages. The same is true for frameworks: run a static tool on an API, web service or REST endpoint, and it won’t find anything wrong in them because it can’t understand the framework.

Riha Maheshwari

Riha Maheshwari is a college student who is passionate about working in the field of Cyber Security and will be graduating with her MCA-ISMS in June of 2018. She has done her CEH certification from EC-Council and CISE certification from Innobuzz Knowledge Solution. Riha has spent many hours exploring ways to penetrate Windows machines, Android devices and servers so she could get a better idea of what she could be looking forward to in her field of Cyber Security. She also found vulnerabilities in her college’s website, which she reported. Riha enjoys spending her time writing about the practical experiments that she performed. She also spends a great deal of time learning guitar and watching TV series.

Email: rihazz13@gmail.com
LinkedIn: https://www.linkedin.com/in/riha-maheshwari/

Buffer Overflow – Mitigation – Part 6

Hi guys, this post is all about how you can protect yourself from buffer overflow attacks.

MITIGATION / RECOMMENDATION TECHNIQUES

  1. Windows

Security has become the most important concern from an organisation’s point of view, so security measures must be taken to ensure our data is secure and private. Below are some of the security measures that should be taken to protect against buffer overflow attacks.

The following techniques are discussed below:

  • DEP
  • ASLR
  • SafeSEH
  • Stack Cookies/GS protection

1. DEP

DEP stands for Data Execution Prevention. DEP is a security feature within the operating system that helps to prevent damage from security threats and viruses by preventing malicious code from running on the system, since harmful programs try to attack Windows by running malicious code from memory.

Thus, to mitigate this, Windows introduced DEP, a system-level protection that marks memory regions that hold data as non-executable. In short, we need to remember that DEP makes it significantly harder to run exploits from memory. For security, we should enable DEP on the server side to protect the server.

The following configuration steps show how to enable DEP to safeguard against the attack:

1.1. Enable DEP using GUI

  • Right click on My Computer → Properties → Advanced System Settings → Advanced tab → Settings under Performance.

Figure 1. System Properties

  • Now click on the Data Execution Prevention tab and you will see two radio buttons.

Figure 2. Turning on DEP

  • Here is where it can be a bit tricky. By default, DEP is set to the first radio button and therefore only protects essential Windows programs and services. If the second radio button is selected, DEP is turned on for ALL processes, not just Windows processes.
  • Select the first radio button and restart the computer.

1.2. Enable DEP using CUI

We can turn on DEP from the command prompt too. To do this, run Command Prompt as administrator and type the following command:

bcdedit.exe /set {current} nx AlwaysOn

Always On – DEP is on for all processes in Windows and you cannot exempt any process or program from protection.

To turn DEP off completely, type the following command:

bcdedit.exe /set {current} nx AlwaysOff

Always Off – DEP is completely turned off and no process or program, including Windows processes, is protected.

Figure 3. Turning on and off DEP using Command Prompt

1.3. Enable DEP in Visual Studio

We can also enable DEP on the server side from Visual Studio 2016, which we used to create the vulnerable server. To do so, follow these steps:

  • Click on Debug → Vulnerable Server Properties.

Figure 4. DEP in Visual Studio

  • Click on Linker → All Options → Data Execution Prevention → Yes (/NXCOMPAT), as shown in the figure above.

2. Enhance Address Space Layout Randomization (ASLR)

ASLR is a computer security technique which involves randomly positioning the base address of an executable and the position of libraries, heap, and stack in a process’s address space. The random mixing of memory addresses performed by ASLR means that an attacker no longer knows at what address the required code (such as functions or ROP gadgets) is located. That way, rather than removing vulnerabilities from the system, ASLR attempts to make it more challenging to exploit existing vulnerabilities.

2.1. Enable ASLR in Visual Studio

To configure ASLR in Visual Studio, follow these steps:

  • Debug → Vulnerable Server Properties → Linker → Advanced → Randomized Base Address → Yes (/DYNAMICBASE)

Figure 5. Enable ASLR

/DYNAMICBASE modifies the header of an executable to indicate whether the application should be randomly rebased at load time by the OS. The random rebase is well known as ASLR (Address space layout randomisation).

3. SafeSEH

Windows introduced the SafeSEH protection mechanism in which validated exception handlers are registered and stored in a table. The addresses in this table are checked prior to executing a given exception handler to ensure it is deemed “safe”. As a result, a POP+POP+RET address used to overwrite an SEH record that comes from a module compiled with SafeSEH will not appear in the table and the SEH exploit will fail.

SafeSEH is effective at preventing SEH-based exploits as long as the SEH overwrite address (e.g. POP+POP+RET) comes from a module compiled with SafeSEH. The good news (from an exploitability perspective) is that application modules are not typically compiled with SafeSEH by default. Even if most are, any module loaded by an application that was not compiled with SafeSEH can be used for your SEH overwrite.

Some additional protection was added to compilers, helping to stop the abuse of SEH overwrites. This protection mechanism is active for all modules that are compiled with /safeSEH.

3.1. Enable SafeSEH in Visual Studio

To turn on SafeSEH in Visual Studio, follow these steps:

  • Debug → Vulnerable Server Properties → Linker → Advanced → Image Has Safe Exception Handler → Yes (/SAFESEH)

Figure 6. Turn on SafeSEH in Visual Studio

When /SAFESEH is specified, the linker will only produce an image if it can also produce a table of the image’s safe exception handlers. This table specifies for the operating system which exception handlers are valid for the image.

4. Stack cookie /GS protection

The /GS switch is a compiler option that adds some code to a function’s prologue and epilogue in order to prevent successful abuse of typical stack-based (string buffer) overflows. When an application starts, a program-wide master cookie (4 bytes (dword), unsigned int) is calculated as a pseudo-random number and saved in the .data section of the loaded module. In the function prologue, this program-wide master cookie is copied to the stack, right before the saved EBP and EIP (between the local variables and the return address). During the epilogue, this cookie is compared again with the program-wide master cookie. If it is different, the runtime concludes that corruption has occurred, and the program is terminated.

In order to minimize the performance impact of the extra lines of code, the compiler will only add the stack cookie if the function contains string buffers or allocates memory on the stack using _alloca. Furthermore, the protection is only active when the buffer contains 5 bytes or more.

In a typical buffer overflow, the stack is attacked with your own data in an attempt to overwrite the saved EIP. But before that data overwrites the saved EIP, the cookie is overwritten as well, rendering the exploit useless (though it may still lead to a DoS). The function epilogue notices that the cookie has changed, and the application dies.

4.1. Enable Security Checks in Visual Studio

To enable Security Checks in Visual Studio, follow these steps:

  • Go to Debug → Vulnerable Server Properties → C/C++ → All Options → Security Checks → Enable Security Check (/GS)

Figure 7. Enable Security Checks in Visual Studio

Security Checks help to detect stack buffer overruns, a common attempted attack upon a program’s security.

Configuration/Recommendation

In Visual Studio 2017, go to the Project tab in the menu bar and click on Properties. The following are the overall configuration details that should be applied to protect against the buffer overflow attack:

Configuration Properties > General

  Option               Setup                                        Recommendation
  Platform Toolset     Visual Studio 2017 - Windows XP (v141-xp)    Visual Studio 2017 (v141)
  Configuration Type   Application (.exe)

C/C++ > All Options

  Option                    Setup                                        Recommendation
  Conformance Mode          Yes (/permissive-)
  Optimization              Disabled (/Od)                               Full Optimization (/Ox)
  Precompiled Header        Use (/Yu)
  Preprocessor Definitions  _DEBUG;_CONSOLE;%(PreprocessorDefinitions)
  SDL Checks                No (/sdl-)                                   Yes (/sdl)
  Security Checks           Disable Security Check (/GS-)                Enable Security Check (/GS)
  Warning Level             Turn Off All Warnings (/W0)                  Level3 (/W3)

Linker > All Options

  Option                       Setup                                     Recommendation
  Enable Incremental Linking   Yes (/INCREMENTAL)
  Data Execution Prevention    No (/NXCOMPAT:NO)                         Yes (/NXCOMPAT)
  Generate Debug Info          Generate Debug Information (/DEBUG)       Generate Debug Information Optimized for Faster Links (/DEBUG:FASTLINK)
  SubSystem                    Console (/SUBSYSTEM:CONSOLE)

Table 1. Configuration Details of Visual Studio 2017
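
Whether /NXCOMPAT and /DYNAMICBASE actually made it into the shipped binary is worth verifying rather than trusting the project settings: both are recorded as bits in the DllCharacteristics field of the PE optional header. The checker below is an added example in portable C, not the post's code. It parses just enough of a PE image to read that field and reports which of the two bits is missing, and it includes a builder for a minimal, constructed header so the logic can be exercised without a real executable. The function names and the minimal header are assumptions of the example; the offsets and flag values come from the PE/COFF format.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define DLLCHAR_DYNAMIC_BASE 0x0040u  /* IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE, set by /DYNAMICBASE */
#define DLLCHAR_NX_COMPAT    0x0100u  /* IMAGE_DLLCHARACTERISTICS_NX_COMPAT, set by /NXCOMPAT */

/* Layout constants from the PE/COFF format: e_lfanew lives at 0x3c of the DOS header,
   "PE\0\0" is followed by the 20-byte COFF header, and DllCharacteristics sits at
   offset 0x46 of the optional header for both PE32 (magic 0x10b) and PE32+ (0x20b). */
#define E_LFANEW_OFF   0x3c
#define COFF_HDR_SIZE  20
#define OPT_SIZE_OFF   16       /* SizeOfOptionalHeader within the COFF header */
#define DLLCHARS_OFF   0x46
#define MIN_OPT_SIZE   (DLLCHARS_OFF + 2)

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void wr32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i)); }

/* Returns 0 and fills *out on success, -1 if buf is not a well-formed PE image or is
   truncated before the field we need. Every offset is checked against len first. */
int pe_dll_characteristics(const uint8_t *buf, size_t len, uint16_t *out)
{
    if (buf == NULL || out == NULL || len < 0x40 || buf[0] != 'M' || buf[1] != 'Z') return -1;
    uint32_t e_lfanew = rd32(buf + E_LFANEW_OFF);
    if (e_lfanew > len || len - e_lfanew < 4 + COFF_HDR_SIZE + MIN_OPT_SIZE) return -1;
    const uint8_t *nt = buf + e_lfanew;
    if (memcmp(nt, "PE\0\0", 4) != 0) return -1;
    if (rd16(nt + 4 + OPT_SIZE_OFF) < MIN_OPT_SIZE) return -1;
    const uint8_t *opt = nt + 4 + COFF_HDR_SIZE;
    uint16_t magic = rd16(opt);
    if (magic != 0x10b && magic != 0x20b) return -1;
    *out = rd16(opt + DLLCHARS_OFF);
    return 0;
}

/* Returns a bitmask of the mitigation bits that are MISSING (0 means both DEP and
   ASLR are enabled), or -1 if the image could not be parsed. */
int pe_missing_mitigations(const uint8_t *buf, size_t len)
{
    uint16_t dc;
    if (pe_dll_characteristics(buf, len, &dc) != 0) return -1;
    return (int)((DLLCHAR_DYNAMIC_BASE | DLLCHAR_NX_COMPAT) & ~dc);
}

/* Builds a constructed, minimal PE header (no sections, not loadable) for testing.
   Returns the number of bytes written, or 0 if cap is too small. */
size_t make_sample_pe(uint8_t *buf, size_t cap, uint16_t dllchars, int pe32plus)
{
    size_t need = 0x40 + 4 + COFF_HDR_SIZE + MIN_OPT_SIZE;
    if (buf == NULL || cap < need) return 0;
    memset(buf, 0, need);
    buf[0] = 'M'; buf[1] = 'Z';
    wr32(buf + E_LFANEW_OFF, 0x40);
    memcpy(buf + 0x40, "PE\0\0", 4);
    wr16(buf + 0x40 + 4 + OPT_SIZE_OFF, pe32plus ? 0xf0 : 0xe0);  /* real SizeOfOptionalHeader values */
    uint8_t *opt = buf + 0x40 + 4 + COFF_HDR_SIZE;
    wr16(opt, pe32plus ? 0x20b : 0x10b);
    wr16(opt + DLLCHARS_OFF, dllchars);
    return need;
}

/* Convenience for self-checks: build a sample with the given flags and report what is missing. */
int sample_missing(uint16_t dllchars, int pe32plus)
{
    uint8_t img[256];
    size_t n = make_sample_pe(img, sizeof img, dllchars, pe32plus);
    return n ? pe_missing_mitigations(img, n) : -1;
}

/* Stand-alone use: report on a PE file given on the command line. Exit code 1 if a bit is missing. */
int main(int argc, char **argv)
{
    if (argc != 2) { fprintf(stderr, "usage: %s <image.exe|image.dll>\n", argv[0]); return 2; }
    static uint8_t buf[4096];          /* the headers we need sit at the start of the file */
    FILE *f = fopen(argv[1], "rb");
    if (f == NULL) { perror("fopen"); return 2; }
    size_t n = fread(buf, 1, sizeof buf, f);
    fclose(f);
    int missing = pe_missing_mitigations(buf, n);
    if (missing < 0) { fprintf(stderr, "not a PE image (or headers beyond 4 KiB)\n"); return 2; }
    printf("DEP  (/NXCOMPAT)    : %s\n", (missing & DLLCHAR_NX_COMPAT) ? "MISSING" : "enabled");
    printf("ASLR (/DYNAMICBASE) : %s\n", (missing & DLLCHAR_DYNAMIC_BASE) ? "MISSING" : "enabled");
    return missing ? 1 : 0;
}
```

SafeSEH is not visible this way: its handler table lives in the Load Configuration directory (`dumpbin /loadconfig` shows it), and /GS leaves no header flag at all, so those two need a look at the load config and at the build settings respectively.
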

I hope you liked the post. Please do like and leave a comment below. Also if you have any doubt you can drop a mail.

References for all parts:

 
