Tuesday, February 6, 2018

Running TempestSDR on Windows 10

TempestSDR is a nice tool which can be used to eavesdrop on computer monitors using the electromagnetic (EM) emissions causes by them. While this concept is not a new thing, the use of cheap software defined radio (SDR) hardware has enabled the possibility of performing this attack a lot more easier. I was struggling to get the tool up and running on Ubuntu Linux for a while and ended up without a result. Finally, I moved into Windows platform and tried it. Luckily, things went so smoothly and I got TempestSDR tool running with both RTL-SDR and HackRF hardware.

In this post, I'm writing down the steps I followed to get TempestSDR running on Windows 10 operating system with both RTL-SDR and HackRF hardware.

Preparing RTL-SDR and HackRF hardware:

It is necessary to have the required drivers installed on Wondows 10 in order to use both RTL-SDR and HackRF devices. Therefore before everything, let's get the drivers installed. A previous post written by me describes the required steps for. Refer it and install the drivers described here: http://recolog.blogspot.ie/2018/02/installing-drivers-for-rtl-sdr-and.html

Identifying the EM emission frequency of a target monitor:

Before we prepare the TempestSDR tool to eavesdrop on a computer monitor, we need to identify the frequencies where EM emissions occur on the target. This is a little bit cumbersome task as we have to go through the spectrum and identify them. We'll use SDR# software for this purpose.

(1) Download SDR# from here.
https://airspy.com/download/

(2) Extract the ZIP archive, and then inside it, double-click on the install-rtlsdr.bat file. A CMD prompt will start and download some files. It will exit automatically.

(3) Now double click on the SDRSharp.exe tool and it will open the window. You can select the "RTL-SDR (USB)" option for the source.

(4) Keep scrolling while looking for a signal which varies the peaks when I make any change in the screen of the computer such as maximizing / minimizing windows, etc. If there's a strong signal which changes the amplitude when a window is maximized, there's a good chance that it is an emission from the monitor. Note down such frequencies.

Setting up TempestSDR software:

(1) Installed JDK 8 - 32-bit version. I downloaded it from here,
http://www.oracle.com/technetwork/java/javase/downloads/jdk8-downloads-2133151.html The exact file I downloaded is jdk-8u151-windows-i586.exe

(2) Download and install MinGW and MSYS. We have to download a single installer and inside it, we can select the packages of MingGW and MSYS that we want to install.
https://sourceforge.net/projects/mingw/files/

(3) Set the bin folder paths to MinGW and MSYS in Windows PATH. The instructions to set PATH environmental variable on Windows can be found here: https://www.computerhope.com/issues/ch000549.htm

In my system, the paths to the bin folders of those tools after the installation were as follows.

C:\MinGW\bin
C:\MinGW\msys\1.0\bin


(4) Add JAVA_HOME path variable too. The instructions to do this can be found in this link: https://www.mkyong.com/java/how-to-set-java_home-on-windows-10/
 In my system, the path to the directory where Java was installed is as follows.

C:\Program Files (x86)\Java\jdk1.8.0_151

(5) Download TempestSDR from here. Then extract the files.

https://github.com/rtlsdrblog/TempestSDR

(6) In the very first makefile, remove the following line

@$(MAKE) -C TSDRPlugin_Mirics/ all MIRICS_HOME=$(MIRICS_HOME)

(7) Due to the fact that there are spaces in the path to Java installation directory, TempestSDR tool faces some difficulties while running the make file. Therefore, let's copy java installation folder to a new place which does not have spaces in the path.

I copied "C:\Program Files (x86)\Java" folder to "C:\Java" location.

(8) Now go into TempestSDR folder from CMD prompt and and run the following command.

make all JAVA_HOME=C:\Java\jdk1.8.0_151

If the compilation completes successfully, we are good to go.

Running the TempestSDR software:

(1) Connect either RTL-SDR dongle or HackRF device into a USB port of the computer.

(2) Go to the JavaGUI folder in the TempestSDR source code directory. There should be a jar file which we need to run.

java -jar JTempestSDR.jar

(2) From the File menu, select the "Load ExtIO source" option. Then browse to the installation directory of HDSDR software where you copied the ExtIO DLL driver for either RTL-SDR or HackRF. Select that DLL file.

(3) Select the resolution and refresh rate of the monitor being eavesdropped. Then, select the frequency of EM emanation which we manually found using SDR# software. Click "Start" and we are good to go.

Trouble Shooting:

Time to time, TempestSDR tool faced difficulties in detecting the RTL-SDR or HackRF device. In such situations, I used the following steps to resolve the issue.

(1) Restart the machine.

(2) Run SDR# with RTL-SDR/HackRF first to get the correct driver running.

(3) Then try running TempestSDR jar file from the beginning.

Following are some of the screenshots of my attempts.

A checker board image was placed on the target computer screen.

TempestSDR capturing data from a Dell monitor with RTL-SDR
 
TempestSDR capturing data from a Samsung monitor with HackRF


~*******~

Installing Drivers for RTL-SDR and HackRF on Windows 10

Since I have been using software defined radio (SDR) tools on Linux platform for a long time, it was a very new thing to me when I had to use some SDR tools on Windows. Anyway, the installation of the relevant drivers went smoothly and the devices were ready to use within a short while. In this post, I'm writing down the steps I followed to get my RTL-SDR dongle and HackRF device up and running on a Windows 10 machine. Here we go.

Instructions for RTL-SDR:

(1) Connected RTL-SDR dongle to the USB port and Windows automatically detected the device and installed some drivers. But, we need to manually install a special driver called ExtIO.

(2) Download the Zadig USB driver installer from here: http://zadig.akeo.ie/
No installation necessary. It can be run immediately.

(3) Run Zadig executable. With all the default settings, click "Install Driver" to install the WinUSB driver.

Zadig tool is used to install WinUSB driver


(4) Download and install HDSDR tool. Even though we install it, do not attempt to use RTL-SDR with HDSDR software yet.
http://hdsdr.de/download/HDSDR_install.exe

(5) Download the ExtIO driver DLL for RTL-SDR from here.
http://hdsdr.de/download/ExtIO/ExtIO_RTL2832.dll

(6) Copy the ExtIO driver DLL file to the installation directory of our HDSDR software which we installed a short while ago. In my system, this directory is,
C:\Program Files (x86)\HDSDR

(7) Now, start HDSDR. In my system, HDSDR automatically picked the RTL-SDR dongle as the input and sound card as the output and started picking signals. That means everything is working.

Instructions for HackRF:

(1) Connect the HackRF to the USB port and windows automatically detected it and installed some drivers.

(2) Download the Zadig USB driver installer from here: http://zadig.akeo.ie/
No installation necessary. It can be run immediately.

(3) Run Zadig executable. From the options menu, select "List All Devices". Then from the drop-down list, select "HackRF One".

(4) Since I have already installed the WINUSB driver for RTL-SDR, I don't have to do anything here. It shows that the driver is the latest already. In case you don't have that option, go ahead and click "Install Driver" to install the WinUSB driver.

(5) Download and install HDSDR tool. Even though we install it, do not attempt to use HackRF with HDSDR software yet.
http://hdsdr.de/download/HDSDR_install.exe

(6) Download the ExtIO driver DLL for HackRF from here.
https://github.com/jocover/ExtIO_HackRF/releases

(7) Copy the ExtIO driver DLL file to the installation directory of our HDSDR software which we have installed. In my system, this directory is,
C:\Program Files (x86)\HDSDR

(8) Now, start HDSDR. In my system, HDSDR automatically prompted asking to select which DLL to be used, either RTL-SDR or HackRF. Select the DLL file for HackRF and it starts picking signals. That means everything is working.


~**********~