Wednesday, October 16, 2013

How to Make a $19 Police Scanner


In this guide I will explain how to build an inexpensive SDR (software defined radio) that can be used to receive police, fire, taxi, and other digital radio transmissions. I will do my best to explain the steps in detail, and provide further resources to help along the way.

I have to give a lot of credit to the creator of the following guide:
This how-to is based largely on that guide and on the other sites listed in the Resources section.

For questions or comments please see the instructables page:
Please use the information in this guide responsibly.

Demo Video


The only hardware required besides a computer is an SDR receiver. The bulk of these radios are just USB TV tuners, rebranded and sold as SDR receivers. Many are available on Amazon and eBay, and a quick Google search should turn up more. I recommend purchasing from somebody who knows about SDR; a popular dealer is (NooElec also has stores on eBay and Amazon)

In this guide I will be using a Newsky TV28T v2 with an RTL2832U & R820T tuner.


Please use the normal download link if possible to receive the latest software packages. Secondary links are provided for redundancy.


  • SDRSharp: software defined radio application; allows tuning and receiving audio from the receiver. A modified version capable of connecting to UniTrunker is needed (updated file for SDRSharp).
  • Zadig (version used: unspecified): allows receiver driver installation.
  • UniTrunker (version used: preview): provides decoding support for trunking control channels and issuance of tuning commands.
  • Virtual Audio Cable (version used: 4.10): provides audio routing between components. Trial available; purchase for $25.
  • Digital Speech Decoder (DSD) (version used: 1.6.0 Beta): provides digital voice decoding support.
  • Cygwin: Linux support for Windows. Required by DSD.
  • Microsoft Visual C++ 2010 Runtime: required by remote.dll.


Most of the information in this tutorial is stuff pulled together from the web. Here are some great places to get more information.

SDRSharp Quick Start Guide:
Digital Speech Decoder (DSD) Guide:
Unitrunker Configuration Guide: <-- see this for the two-receiver configuration
Massive Radio Frequency Database:

Configuring the SDR Receiver

Install Drivers

Download and extract Zadig (you will need a program like WinRAR or 7-Zip). Note that if you are using Windows XP you will need to download the XP version. Connect the receiver to your computer and ignore/cancel any attempt Windows makes to install drivers automatically. In Zadig select “Bulk-In, Interface (Interface 0)”; you may need to go under Options and list all devices. Select WinUSB as the driver to install and press Install/Replace Driver.
Next to Driver it should now say WinUSB and the version number. I don’t believe it is required, but if you like you can do the same for Interface 1.

Install SDRSharp

Download the modified SDRSharp package and extract it. Inside the folder is a file called rtlsdr.dll that needs to be replaced. We will get the updated version from inside Use the file in the /x32 folder. Also note contains executables that can be helpful in troubleshooting should you encounter any driver issues.
If you like you can test that your radio is working properly. Open SDRSharp, set the front end to “RTL-SDR / USB”, select WFM, type a known FM radio station into the Center and Frequency boxes and press Play. For example, to tune to 97.9 type in 97900000. You can drag the red line to align with the stream in the waterfall.

Configuring Digital Speech Decoder (DSD)

Virtual Audio Cable

Install Virtual Audio Cable, as it is required to route the audio out from SDRSharp into DSD. The trial version will work reasonably well; however, since it periodically adds a voice-over to the stream, you may get some decoding errors. A new Virtual Audio Cable device should now appear under your playback and recording devices.

Windows Sound System Configuration

DSD uses the Windows default recording device as its input. Ensure Virtual Audio Cable Line 1 is set as the default recording device in the Windows sound properties.

Install Cygwin

Install Cygwin using all of the default settings. Once installed browse to C:/cygwin/bin and copy the cygwin1.dll file to the same folder the DSD program will be in.

Download DSD

Download the Windows Binary and place it in the same folder as the cygwin1.dll file.

Configuring UniTrunker

A trunked radio system is simply a system of radios in which the frequencies used are dynamically managed by a central controller. Most police and fire radios use a trunked radio system. Unitrunker decodes the control channel, and tells the receiver which frequency to tune to.
After downloading and installing, run UniTrunker. Choose “First Time Installation” and Continue.
Two receivers must be configured in UniTrunker: a ‘Signal’ receiver used to receive the control channel signal, and a ‘Control’ receiver used to receive the voice channel transmissions. This can be a little confusing, as the signal that the ‘Signal’ receiver is receiving is typically called a ‘Control Channel’.

Signal Receiver

To configure the signal receiver, press the plus button on the top and select “Signal”.
For the Audio Port setting, select the Virtual Audio Cable created earlier. Set the Sample Rate to 48000, and check all of the decoding protocols.

Control Receiver

To configure the Control receiver, press the plus again and select “Control”.
Set the Model to “Debug”, and select all three control protocols: P25, ProVoice, and VSELP.
Finally, in the main UniTrunker options screen, click the Enable checkbox in the Listen section:
There should now be two receivers listed under the Receivers tab. One control and one signal. Select each and press the play button.

Finding a Control Channel

Before starting SDRSharp, open the ‘sdrsharp.exe.config’ file and ensure this line is set as follows:
    <add key="minOutputSampleRate" value="48000" />
Open SDRSharp and configure it with the following settings:
  • Set the radio to NFM
  • Press the “Front end” button, disable RTL AGC, and enable Tuner AGC
  • Set the Filter bandwidth to 12500
  • Ensure Squelch, Snap to grid, Correct IQ, and Swap I & Q are all disabled
  • Under the Audio dropdown ensure Filter Audio is unchecked, and the audio output is the Virtual Audio Cable
Press Play.
Now we need to locate a control channel. This part can be a bit tricky, but after some practice it gets easier. You can start by looking for channels in the 850-900 MHz range, but another good place to start is the frequency database.
Browse to your area and find the section labeled “Trunked Radio Systems”. Browse through the systems and find one that has a good amount of information. See the example below.
We are interested in the control channels, shown in red and blue.
Test each control channel until you find one you can receive. For example, if I want to test 856.21250a then I need to enter 856212500 into the Frequency and Center boxes in SDRSharp. (Note the extra 0, and no decimal point)
Control channels will be a continuous stream in the waterfall window, unlike voice transmissions which are intermittent.
If you cannot find a signal, try other trunked systems listed in your area, listed in surrounding areas, or by manually browsing the spectrum.
If you find that a control stream sits slightly to the right or left of the red line after typing in a known frequency, manually move the line to the center of the stream. It may be helpful to zoom in. This problem will be dealt with in the calibration section.
After about 10-15 seconds of being tuned to a control channel, a new window should pop up in UniTrunker.
After a few seconds to a few minutes several frequencies should populate and channel activity will start scrolling by. If you see a red “Frequency Needed” and 0.00000, wait a few more minutes to see if it goes away. If not, click on the small calculator icon at the top and then standard.

Calibrating the Tuner

Because this tuner will be tuned programmatically, it is essential that it is correctly calibrated.
Enter the known control frequency (either from radioreference, or the red frequency listed in UniTrunker) in the center and frequency boxes.
You may see that red line not aligned with the channel. Open the “Front End” dialog box and adjust the Frequency correction value until the red line is centered onto the channel.
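The two numeric steps in this guide, turning a listed frequency such as 856.21250a into the integer SDRSharp wants in its Frequency and Center boxes, and working out the Front End frequency-correction value from where a known control channel actually shows up, as an added Python example. This code is not part of the original guide or of SDRSharp. It assumes the radioreference list convention that a "c" suffix marks a primary control channel and "a" an alternate one, and that the correction value follows librtlsdr's sign convention (the tuner crystal modelled as nominal × (1 + ppm/10^6)); the frequency list and the observed reading are constructed.

```python
"""Added helper for the SDRSharp/UniTrunker setup in this guide.
Not part of the original guide or of SDRSharp; the conventions noted below
are assumptions."""
from decimal import Decimal
import re

# Constructed sample in the style of a radioreference "Trunked Radio Systems"
# frequency list. Assumed suffix convention: 'c' = primary control channel,
# 'a' = alternate control channel, no suffix = voice channel.
SAMPLE_SYSTEM = ["856.21250a", "856.71250c", "857.21250", "857.71250", "858.21250"]

_ENTRY_RE = re.compile(r"^\s*(\d+(?:\.\d+)?)\s*([A-Za-z]?)\s*$")
_ROLES = {"c": "primary", "a": "alternate", "": "voice"}


def parse_channel(entry):
    """Return (hz, role) for one list entry such as '856.21250a'.

    Decimal keeps the MHz-to-Hz conversion exact instead of risking a float
    rounding error in the last digit.
    """
    m = _ENTRY_RE.match(entry)
    if not m:
        raise ValueError(f"unrecognised frequency entry: {entry!r}")
    hz = Decimal(m.group(1)) * 1_000_000
    if hz != hz.to_integral_value():
        raise ValueError(f"sub-hertz precision cannot be typed into SDRSharp: {entry!r}")
    role = _ROLES.get(m.group(2).lower(), "other")
    return int(hz), role


def sdrsharp_value(entry):
    """The integer to type into SDRSharp's Frequency and Center boxes
    (the guide's '856.21250a' -> 856212500: no decimal point, extra zero)."""
    return parse_channel(entry)[0]


def control_channels(entries):
    """Control channels to try first, primary before alternate, as Hz values."""
    parsed = [parse_channel(e) for e in entries]
    primary = [hz for hz, role in parsed if role == "primary"]
    alternate = [hz for hz, role in parsed if role == "alternate"]
    return primary + alternate


def ppm_correction(known_hz, observed_hz):
    """Frequency-correction value (ppm) for the Front End dialog.

    known_hz:    the published control channel frequency.
    observed_hz: where the control stream actually sits on the waterfall
                 before any correction (read it off after centering the red
                 line on the stream by hand, as the guide describes).
    Sign convention assumed from librtlsdr, which models the tuner as running
    at nominal * (1 + ppm / 1e6); if the red line lands on the wrong side
    after entering the value, flip the sign.
    """
    return (known_hz - observed_hz) / observed_hz * 1e6


if __name__ == "__main__":
    for hz in control_channels(SAMPLE_SYSTEM):
        print("try control channel:", hz)
    # Constructed reading: 856.21250 listed, stream seen centred at 856.170 MHz.
    print("ppm correction:", round(ppm_correction(856_212_500, 856_170_000), 1))
```

Work through the control channels in the order `control_channels` returns them; a stream that appears on the waterfall but is offset from the red line gives you the `observed_hz` reading for `ppm_correction`.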

Lock UniTrunker to the Control Channel

After you have found a control channel and calibrated the tuner you will need to lock UniTrunker down to only receive that control channel. Everything would technically work without this step, but it helps UniTrunker find the control channel faster as it switches between the control and signal.
Double click the Signal line under the Receivers tab and change the “Lock Mode” to Dedicated.
Double click the Control line and change the Park frequency to the control channel. In my case it’s 856.21250.

Setup UniTrunker to control SDRSharp

Copy Remote.dll from the SDRSharp directory into the UniTrunker installation directory. Remote.dll requires Microsoft Visual C++ 2010 Runtime, so you will need to download and install that as well.
Close and then reopen UniTrunker. Ensure SDRSharp is tuned to the control channel and UniTrunker is receiving the control signal.
Under the Trunking tab in SDRSharp set the “UniTrunker Install Directory” to the directory containing the ‘sdrsharptrunking.log’ file. This is the file that UniTrunker makes to tell SDRSharp which channels to tune to.
NOTE: The code currently makes the poor assumption that you’re running UniTrunker directly from the install directory.  If you run it from the shortcut, you will find the ‘sdrsharptrunking.log’ file in your %AppData% directory, typically C:\Users\<username>\AppData\Roaming\UniTrunker. This is the folder you need to select, and because it does not see UniForm.exe or Remote.dll in the same directory, it may complain. Ignore that.
Check the “Delay Re-Tune Until Call Completes” box. This setting controls the signal level at which SDRSharp will retune back to the control frequency after an audio transmission ends. The value will need some adjusting as you go along, but to set it roughly, look at the peak signal strength of the control channel; in my previous screenshots you can see it is around -15 dB. Subtract another 15 dB or 20 dB and set it to that number.
Set the “Tune to Control Channel” to the known control channel frequency.

Start Listening!

At this point we can launch the Digital Speech Decoder executable and check the Enable box under Trunking in SDRSharp.
You will more than likely need to adjust the AF Gain value under the Audio dropdown. As a general rule you want to try and get the inlvl value in DSD to around 30% for the best quality audio decoding. Note that your computer may work better at another value, so experiment a little.
In my case, setting AF Gain to around 60% worked well.
Also experiment with adjusting the AGC settings in the “Front end” dialog box. Try enabling/disabling the RTL AGC, Tuner AGC, and RF Gain values to get the best signal. Note if you change the AGC values you will likely need to change the “Delay Re-Tune Until Call Completes” value as well.

Go Further

Keep in mind this setup is not ideal; it’s a basic setup using minimal components. You will not receive all transmissions and there can be a delay when retuning back to the control channel. For an optimal setup you will want to have two SDR receivers; one dedicated to the control channel and one dedicated to the signal. For information on how to configure this take a look at the UniTrunker Configuration Guide under resources.
I read somewhere that connecting the USB receiver to your computer through a USB extension cable can help reduce interference. I had an old cable lying around from a wireless mouse and it seems to work well.
Also, read over the other resources, they can help you better calibrate your setup.

Tuesday, September 17, 2013

how to hack a windows phone

In today’s how-to we will discuss how to hack a Windows Phone 8. Every hacker should know the internals of a device and its operating system before attempting to compromise it, so let's try to understand the underlying hardware and OS security before we try to break it.
To begin, we will try to compromise the hardware so that we can gain access to it, then exploit the OS and ultimately take control of it, or at least steal data from it.
Windows Phone employs UEFI firmware at the very lowest level. In addition, every piece of hardware that runs the Windows Phone 8 OS has to be certified by Microsoft. Certified also means that all the hardware has to be signed and the chips are burned with keys from Microsoft. The “Trusted Boot Chain” component makes sure that all the signatures are in place and valid before and during the boot process. Every program written into the silicon has to be signed, including the BIOS, drivers, etc. On top of this, a Windows Phone 8 device also comes with a TPM chip, which means your encrypted data is as safe as on your Windows 7 & 8 PC.
UEFI Windows Phone

Let's see what options we have to break the security of the device.


Now that we know all the components and programs are verified for their signature by the “Trusted Boot Chain”, why don’t we try to spoof the boot chain program itself with our own? If we were able to do that, we could easily make the device load our own components instead of the Windows Phone OS, exploiting it completely naked.
Though at first glance this appears to be a very good idea, unfortunately all the hardware chips, whether or not they can be overwritten, come with something called an eFuse. The moment you try to write something into these chips without a valid signature, which only Microsoft and the device manufacturer have, the eFuse trips. Once the eFuse has tripped, the boot loader will no longer be able to boot your device. Congratulations! Now you have a phone which is officially no better than a brick.
Even if we assume for a moment that you somehow fooled the eFuse, the device still won't boot, simply because you don’t have a valid key.

Operating System

It is the Windows NT kernel. The Redmond guys have made sure that it is sturdy enough. The Windows NT kernel along with “Code Signing” makes a killer shield that you will not be able to penetrate. If you think you can get control of the kernel using some code, wait till you read the “Malicious Code” section.
For now, let's think about Windows Phone updates. Windows Phone does regular updates just like your PC, so what if we can trick the phone into installing my program? Unfortunately the phone is programmed to get updates only from the Microsoft update servers and no other place. Still, that is no big deal, because I can always trick my network into believing some malicious hardware or software is the update server. Sadly, the update will again need to pass the code signing process. You can never break through it unless you are hacking into the Microsoft update server; definitely not a great plan.


How about the internal storage itself? Why don’t we break the phone open, take out the internal storage and at least try to steal the data? But wait: the storage again uses 128-bit BitLocker encryption. The drive remains encrypted until the boot loader has completed its job. The TPM chip that comes with the hardware manages the encryption key, which means that once the disk is outside the hardware you will need the 128-bit recovery key to get at the data. The storage behaves the same way as your BitLocker-protected hard drive.
Brute force is a very well known procedure for breaking encryption; however, it is impossible when it comes to 128-bit encryption. To understand the scale of the complexity, assume that you have 10 million computers where every computer can process 100 billion keys per second (more than 100 GHz), and that you put them all together to crack the key: it will take 10^13 years to find the key, which is longer than the age of the universe itself.
If you are thinking of trying the PIN instead, you can always configure your phone to wipe automatically after a set number of incorrect tries.
Some people try to snoop the data from the disk after it is wiped, because that is easier since it won't have any encryption constraints. Luckily for the user, Windows Phone never decrypts the data: it wipes the encrypted data along with the key. You can be pretty sure that not even the NSA can retrieve it.
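The brute-force estimate above, carried through in an added Python example (this is not code from the original post). It uses the post's own figures, a 128-bit key, 10 million machines and 100 billion keys per second each, and, as an assumption for the comparison, an age of the universe of about 13.8 billion years. The PIN function goes beyond the post: it shows why the wipe-after-N-tries limit is what protects a search space as small as a 4-digit PIN.

```python
"""Added example: the post's brute-force arithmetic worked through.
Not from the original post; the universe-age figure is an assumption."""

SECONDS_PER_YEAR = 365.25 * 24 * 60 * 60
AGE_OF_UNIVERSE_YEARS = 1.38e10  # assumed for comparison (about 13.8 billion years)


def total_rate(machines, keys_per_second_each):
    """Aggregate keys tried per second across all machines."""
    return machines * keys_per_second_each


def years_to_exhaust(key_bits, rate_keys_per_second):
    """Worst case: every one of the 2**key_bits keys is tried."""
    return 2 ** key_bits / rate_keys_per_second / SECONDS_PER_YEAR


def expected_years(key_bits, rate_keys_per_second):
    """Average case: the right key turns up halfway through the space."""
    return years_to_exhaust(key_bits, rate_keys_per_second) / 2


def universe_lifetimes(years):
    """How many times the assumed age of the universe a duration is."""
    return years / AGE_OF_UNIVERSE_YEARS


def pin_guess_probability(pin_digits, attempts_before_wipe):
    """Chance of hitting a uniformly chosen numeric PIN before the device wipes.

    A 4-digit PIN has only 10**4 values, so without an attempt limit it falls
    to a trivial search; the wipe limit caps the attacker at this probability.
    """
    space = 10 ** pin_digits
    return min(attempts_before_wipe, space) / space


if __name__ == "__main__":
    rate = total_rate(10_000_000, 100_000_000_000)  # the post's figures
    worst = years_to_exhaust(128, rate)
    print(f"keys per second: {rate:.0e}")
    print(f"worst case: {worst:.2e} years, {universe_lifetimes(worst):.0f} universe lifetimes")
    print(f"average:    {expected_years(128, rate):.2e} years")
    print(f"4-digit PIN, wipe after 10 tries: {pin_guess_probability(4, 10):.3%}")
```

The 10^13-year figure is the worst case (the whole keyspace); the average case is half that, and both are hundreds of times the age of the universe, which is the point the post is making.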

Malicious Code

We have now almost come to the last and most favorite resort of a hacker. Most hackers disassemble the system instructions and try to inject or alter the commands in a memory location. However, the app model Windows Phone works on is always a sandbox, which means the app has its own area where it can execute, store data and perform actions. Windows Phone, with the advantage of Code Signing, signs the apps based on the feature set they are allowed to access; e.g. if a program does not have a valid signature to access the camera, it won't be able to. This is true for any feature or hardware access in the device. So even if we assume for a moment that you are able to write something into the system memory of the phone, “Code Signing” will invalidate the program and unload it immediately.

From the phone itself to your protected mail messages, everything is safe in Windows Phone 8. As a matter of fact there are zero hacks to date. If you think you can, then write to me; yeah, it's an open challenge.
More information on the security of Windows Phone can be found at
This how-to is written based on Windows Phone 8. Actual functionality might differ from device to device, and some features may not be available on pre-Windows Phone 8 devices.

Sunday, September 01, 2013

Delete any Photo from Facebook by Exploiting Support Dashboard

I would like to share a critical bug in Facebook which allowed deleting any photo from Facebook without user interaction. At first, the Facebook team could not recognize this bug, so I sent them a video proof of concept and clearly explained the bug with the help of demo accounts. The Facebook team recognized my bug after I sent the video POC. The interesting part is that in that video I exploited Mark Zuckerberg's photo from his photo album, though I did not remove his photo. Now it has been fully fixed, and Facebook has rewarded me $12,500 (US dollars) for finding this critical bug. This is the second time in 2013 I am going to receive a bounty from Facebook; Facebook has already approved my 3 open redirectors, which are eligible for a bounty of $1,500.

Dismissal Response:

Bug Approval:

Bounty Details:


Before going into the bug explanation, just think for a second about this:
How would you feel if anybody removed photos from your Facebook profile that have many likes & comments?

How would you feel if anybody removed important photos which you have tagged & shared?

How would you feel if anybody removed your Suggested Posts?

Bug Details:
[#] Title: Delete any Photo from Facebook by Exploiting Support Dashboard.
[#] Worth: $12,500 (US Dollars)
[#] Status: Fixed
[#] Severity: Very High
[#] Works on: Any Browser with any Version
[#] Author: Arul Kumar.V
[#] Email:

The Support Dashboard is a portal designed to help you track the progress of the reports you make to Facebook. From your Support Dashboard, you can see if your report has been reviewed by Facebook employees who assess reports 24 hours a day, seven days a week.

This flaw mainly exists on the mobile domain. In the Support Dashboard, if a reported photo was not removed by the Facebook team, the user has the option to send a photo removal request to the owner via messages. If the user sends a claim message, the Facebook server automatically generates a photo removal link and sends it to the owner. If the owner clicks that link, the photo is removed.

The flaw exists while sending the message. I could manually modify the Photo_id & the owner's Profile_id so that I could receive the removal link for any photo in my inbox. This was done without any user interaction, and Facebook does not notify the owner if his photo is removed.

Impact of this Bug:
1) We can remove any photo from verified real users & pages such as Mark Zuckerberg, Eminem, Rihanna and so on.
2) We can remove any shared & tagged photos.
3) We can remove any user’s photo from his status & photo album.
4) We can remove any photo from a page, group and so on.
5) We can remove photos from Suggested Posts & also from comments.

These are the things we need to exploit this bug:

1) We need two Facebook accounts to delete anyone's photo permanently. One account acts as the "Sender" to send the claim message; the other acts as the "Receiver" who receives the photo removal link from the sender.

2) Before deleting a photo, we should gather the photo_id (fbid) of the photo we need to remove and also the profile_id of the receiver who will receive the photo removal message.

How this Exploit Works:

Steps to Reproduce:

1) As I told before, you should use two real accounts to exploit this. Consider one the "Sender" & the other the "Receiver". Make sure both are logged in at the same time.

2) Every photo has an "fbid" value. Click a photo anywhere in Facebook, such as status updates, pages, groups, etc. Then look at the URL: you can find the Photo_id value and copy it, i.e. just copy down the numerical "fbid=" value.

3) After that we should gather the "Profile_id" value of the receiver profile. You are using two Facebook accounts; choose one profile as the receiver to receive the photo removal link. By using this you can find the "profile_id" of the receiver. Just copy down the numerical profile id of the receiver profile.

4) So we have gathered two values:
   a) Photo_id (target photo to remove without the user’s interaction)
   b) Profile_id (to receive the photo removal request from the sender)
Vulnerable URL & Parameters:{"first_dialog_phase": 8,"support_dashboard_item_id":396746693760717,"next":"\/settings\/support\/details\/?fbid=396746693760717","actions_to_take":"{\"send_message\":\"send_message\"}"}&content_type=2&cid=PHOTO_ID&rid=PROFILE_ID

Look at the URL: you can find the "cid" & "rid" parameters at the end. These are the vulnerable parameters through which we can send the photo removal link of any photo to the receiver's inbox by modifying the values of "photo_id" & "profile_id".

    cid=  Photo_id (Just include your target photo’s Id value as "cid" input )
    rid=  Profile_id (You need to include receiver’s Profile ID as "rid" input )

After including those values, press Enter. Then, if you click the "Continue" button, Facebook will automatically send the photo removal link to your receiver profile. From your receiver profile you can remove the photo which you put in that vulnerable parameter. Now this bug has been fully fixed.
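The server-side defect behind this write-up is that the photo (cid) and the recipient (rid) of the removal link were taken from the request instead of from the reporter's own support-dashboard item, and the link itself did not check who was redeeming it. The following added Python model, which is not Facebook's code, shows that flow beside a hardened version in which both values are derived server-side from a support item that must belong to the caller and the link can only be acted on by the photo's owner. All account, photo and item ids are constructed.

```python
"""Added example, not Facebook's code: a model of the photo-removal request
flow from the write-up, vulnerable form beside a hardened one.
All ids and data below are constructed."""
import secrets
from dataclasses import dataclass


@dataclass
class Photo:
    photo_id: int
    owner_id: int


@dataclass(frozen=True)
class SupportItem:
    item_id: int
    reporter_id: int   # account that filed the report
    photo_id: int      # photo the report was about


class Forbidden(Exception):
    """The calling account is not allowed to perform this action."""


def make_world():
    """Constructed state: two photos owned by different users and one
    support-dashboard report, filed by a third user, about photo 111."""
    return {
        "photos": {111: Photo(111, owner_id=5001), 222: Photo(222, owner_id=5002)},
        "items": {9001: SupportItem(9001, reporter_id=7001, photo_id=111)},
        "tokens": {},   # removal-link token -> photo_id
        "outbox": {},   # recipient_id -> [tokens delivered by message]
    }


def _issue_link(world, photo_id, recipient_id):
    """Create an unguessable removal link and deliver it to one inbox."""
    token = secrets.token_urlsafe(16)
    world["tokens"][token] = photo_id
    world["outbox"].setdefault(recipient_id, []).append(token)
    return token


def send_removal_request_vulnerable(world, session_user, params):
    """Before: photo and recipient are whatever the cid/rid parameters say,
    so a removal link for any photo can be addressed to any inbox."""
    return _issue_link(world, int(params["cid"]), int(params["rid"]))


def send_removal_request_fixed(world, session_user, params):
    """After: both values come from the support item, which must belong to
    the caller; cid and rid in the request are ignored entirely."""
    item = world["items"].get(int(params["support_dashboard_item_id"]))
    if item is None or item.reporter_id != session_user:
        raise Forbidden("support item does not belong to the caller")
    photo = world["photos"][item.photo_id]
    return _issue_link(world, photo.photo_id, photo.owner_id)


def redeem_removal_link_vulnerable(world, session_user, token):
    """Before: whoever holds the link can remove the photo."""
    photo_id = world["tokens"].pop(token, None)
    if photo_id is None:
        return False
    world["photos"].pop(photo_id, None)
    return True


def redeem_removal_link_fixed(world, session_user, token):
    """After: the link is still required, and only the photo's owner may act on it."""
    photo_id = world["tokens"].get(token)
    if photo_id is None:
        return False
    photo = world["photos"].get(photo_id)
    if photo is None:            # already gone; consume the stale link
        del world["tokens"][token]
        return False
    if photo.owner_id != session_user:
        raise Forbidden("only the photo owner may act on a removal link")
    del world["tokens"][token]
    del world["photos"][photo_id]
    return True
```

The two checks that close the hole are independent: binding the request to a support item the caller owns stops the link from being minted for an arbitrary photo or sent to an arbitrary inbox, and checking ownership on redemption means that even a misdelivered link cannot remove someone else's photo.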

Video POC:
Kindly watch this video in HD for the best quality.

Now this Bug has Been Fixed Fully :) Here is the Screenshot :)