Finnish Hacker Isolates Helicopter GPS Coordinates From YouTube Video Sounds

An anonymous reader sends a post by Finnish electronics hacker Oona Räisänen, who heard a mysterious digital signal in the audio accompanying a YouTube video of a police chase. The chase was being filmed by a helicopter. Räisänen wrote: "The signal sits alone on the left audio channel, so I can completely isolate it. Judging from the spectrogram, the modulation scheme seems to be BFSK, switching the carrier between 1200 and 2200 Hz. I demodulated it by filtering it with a lowpass and highpass sinc in SoX and comparing outputs. Now I had a bitstream at 1200 bps. ... The bitstream consists of packets of 47 bytes each, synchronized by start and stop bits and separated by repetitions of the byte 0x80. Most bits stay constant during the video, but three distinct groups of bytes contain varying data." She guessed that the data was location telemetry from the helicopter, so she analyzed it to extract coordinates. When she plotted them and compared the resulting curve to the route taken by the fleeing car in the video, it was a match.

It's just 1200baud 7O1 Bell 202

[marcansoft]

0x80 is just a null byte with odd parity. What she apparently missed is that this is bog-standard Bell 202 AFSK (1200 baud) with 7 data bits and odd parity, and the data is ASCII. By throwing away the top nybble, she was throwing away the parity bit and the top 3 bits of the ASCII encoding of decimal digits. The fact that it was a parity bit should've been pretty obvious, since the top nybble flips between 0x3x and 0xbx in the pattern that you'd expect for a parity bit.

You can decode it with off the shelf software, throw away the top bit, and get back mostly ASCII:

$ ./minimodem --rx 1200 -f ~/helicopter.wav | tr '\200-\377\r' '\000-\177\n'
### CARRIER 1200 @ 1200.0 Hz ###
  282 0002.3
#L N390374 W09432938YJ
#AL #NA 282 0002.3
#L N390374 W09432938YJ
#AL #NA 283 0002.3
#L N390372 W09432928YJ
#AL #NA 283 0002.3
#L N390370 W09432918YJ
#AL #NA 283 0002.3
#L N390370 W09432918YJ
#AL #NA 283 0002.3
[...]

I'm actually surprised that she missed / didn't mention this, considering her experience with signals analysis and demodulation. This is pretty much as basic as telemetry data modulation gets! Then again, as a reverse engineer myself, sometimes we get caught up doing deep analysis of something that later turns out to be totally trivial :)

Re:It's just 1200baud 7O1 Bell 202

[pe1chl]

She mentioned that she used a spectral analysis to deduce that this was 1200/2200 Hz FSK, well I knew that by just listening to it!
This is exactly the same sound as 1200 baud AFSK amateur packet radio made in the eighties/nineties, indeed using Bell 202 AFSK modems.
I have heard so many of those packets while seeing them scrolling by on the screen that I can sometimes hear what kind of packet it is by just listening. (of course not the exact content)
Only in this case it is async serial data, while with packet radio it was HDLC NRZI-encoded sync data. And because in packet radio there are alternating transmissions from different transmitters, you hear a characteristic "leader" pattern similar to the idle pattern in this broadcast followed by a data packet and a keydown of the transmitter.
She probably was at an advantage not knowing about this, as she did not waste time to see if it was HDLC.

Yeah! "Hacker" used in the good old meaning!

[garry_g]

... and not as the negative it is most often used nowadays ...

Awesome Techie, Artist, ... and a Babe

[fygment]

http://www.redbubble.com/peopl...