Add to collection(s) Add to saved
  1. Social Science
  2. Psychology
  3. Conformity

EE354 Cyber Project: Hacking an Unmanned Ground Vehicle

advertisement 
EE354 Cyber Project: Hacking an Unmanned Ground Vehicle
The EE354 vs EE434 CyberWar Games
__________________________________________________________________________
Basics of Electronic Warfare
We have devoted the vast majority of this course to discussing physical layer communications, however, we’re
now introducing the concept of Cyber Warfare. Why? Because “Cyber” doesn’t exist solely in a single
computer or a closed network. “Cyber” is not just “computer
hacking” or “computer viruses”. You can have a significant impact
by using Electronic Warfare as an enabler for Cyber effects.
http://breakingdefense.com/2013/04/adm-greenert-wireless-cyberem-spectrum-changing-navy/
Now we’re going to put all your EE354 knowledge to the test and
apply your cyber skills in a simulated real-world scenario.
Your objective for this project is to (1) correctly decode the
command and control signals being transmitted to an UGV (simulated by a Radio Controlled car), (2)
successfully take over the operation of the UGV, and then (3) successfully drive the UGV around a closed
course. Part (1) will be performed in lab and parts (2) and (3) will be a timed evolution during an evening
block.
Administrative Info
Important Dates
Project Grade Weighting
Phase 1 & 2 – In Class: March 31, 2016
Last Opportunity for EI: April 22, 2016 @ 2359
Phase 3 (Evening):
April 28, 2016 @ 1900-2300
Phase 1
Phase 2
Phase 3
Presentation
40%
15%
25%
20%
Bonus Credit
No collisions with walls of the course/No departing the course boundaries: +15
Fastest course time: +15; Second fastest: +10; Third fastest: +5
Producing a 60-second EE/Comms/Cyber “Spirit Spot” showcasing your comms/cyber skills on this project: +10
Project Groups & Honor Information
Students will be expected to work in groups of 2 (a single three-person group will be authorized at the instructor’s
discretion). While discussion of theory, techniques, results, etc. among groups and/or with other faculty members is
allowed and encouraged, copying another group’s work in whole or in part (to include Matlab code, designs and/or design
elements, or project presentation materials) is an honor violation. Copying code (in whole or in part) from other
classes/sources that are performing similar cyber projects is also an honor violation. For the presentation, any work that is
not the sole original creation of the group members must be properly cited in IEEE format.
1
Part I: System Identification
Set-up.
Equipment required:
□ Your issued Laptop
□ LeCroy “Wave Surfer” 104MXS 1GHz Oscilloscope
□ Anritsu MS2711D Spectrum Analyzer
□ Telescoping Antenna w/ BNC connector
□ RC Vehicle
□
TURN OFF YOUR CELL PHONE! (The next two hours of your life will be easier if your cell phone
isn’t adding noise to the Electromagnetic Spectrum.)
Part I: Data Collection
Communications System. For part one of this activity, we’ll explore the entire communications system
employed by a Radio Control (RC) vehicle.
Answer the questions below to examine the RC vehicle’s communications.
a)
b) Coiled wire right under here!
Note: These images resemble the models in your classroom enough to give you the general idea. We can’t all
have Ferraris, after all!
2
Question 1: What type of channel does this communications system involve?
Question 2: What do you expect your “information” to be in this case?
Question 3: What will happen when the “information” is recovered at the receiver?
Question 4: Does the transmitter or receiver give any indication of carrier frequency? If so, what is fc?
To verify the carrier frequency of the transmitted signal, use the Anritsu MS2711D Spectrum Analyzer.
□
□
□
□
□
□
□
Press “Recall Setup” (Hard Key
#6)
Ensure “Default” is highlighted
Press “Enter”
Set “Center” to the carrier
frequency determined in the
previous question.
Set “Span” to 200 kHz
Transmit from RC vehicle
controller (ensure power is on);
signal will display on the
spectrum analyzer
Capture a copy of the spectrum
and include it in your coversheet. Be sure to clearly showcase the modulation/sidebands.
Question 5: What is the carrier frequency? Does it match what (if anything) was reported on the
transmitter?
3
Part II: Reverse Engineering
So now we know the carrier frequency, but if we want to actually take control of the car, we need to know more
about the RC car’s signal. What does the transmitted signal look like? What type of modulation does it use?
How do controls work? To accomplish this, we’re going to look at the signal using the LeCroy Oscilloscope.
First, some initial set-up for the O-Scope:
□ Configure Channel 1 with the following settings:
o Set Volts/div to 20 mV
o Set Coupling to DC50Ω
o Set “Trigger” to 25.0 mV
o Touch “Timebase” to set Time/Division to 5.00 ms/div
Once you’ve set up your Channel configuration on the O-Scope, it’s time to capture the signal.
□
□
□
On “Trigger” section of O-Scope display, select “Normal”
Holding RC car transmitter close to the O-Scope, send the “forward” signal by driving the car forward.
Ensure antenna is extended!
When your signal is displayed on the screen, press “Stop” on Trigger menu, while still sending the
“forward” signal.
If done correctly, your O-scope display should look similar* to this:
* Captured signal may vary – that’s ok for now!
4
Question 6: What type of modulation does this car use?
Question 7: What pattern of 0’s and 1’s does the transmitted signal represent?
Question 8: What is the transmitted bit rate?
To be able to control the RC car, we want to be able to do more than just drive it forward. How does the signal
change for reverse, left, or right?
Think about the controls – how many different signals do you expect to control the car? In addition to driving
forward, the car can operate in reverse, as well as turning left and right… and any combination thereof! There
are actually 8 different combinations of signals, as well as a “stop” signal. Here’s the catch: The chips that
process the signal and control the vehicles motion aren’t necessarily wired the same way in every car, so you
need to identify which operation each transmitted signal represents!
Examine each transmitted signal by repeating the process you just followed to capture the signal:
□ On “Trigger” section of O-Scope display, select “Normal”
□ Transmit desired signal (Forward, Left, Forward AND Left, etc.).
□ When your signal is displayed on the screen, press “Stop” on Trigger menu.
□ Capture all 8 of the possible signals and include them on the coversheet.
Question 9: What is the transmitted information (bit pattern) for each of the 8 possible signals?
Question 10: Now that you’ve identified the modulated signal that controls the car, could you
determine the baseband binary signal (Polar/Bipolar, RZ/NRZ) for each function?
We now know the bits that are transmitted to control the forward, turning, and reverse motions of the RC car.
We also know that we can’t transmit the baseband binary signal, so we need to modulate it on a high frequency
carrier. If we can generate the bits and mix it up with the high frequency carrier, do we need the “real” remote
to drive the RC car? Let’s find out!
5
Part III: The Hook
In this section, you’ll create MATLAB code to generate the control signals for your card and your soundcard
(plus a superheterodyne transmitter) to transmit the control signals to the RC car. Your code from the Digital
Line Codes mini-lab will be most helpful for this part.
You may have noticed that each transmitted signal consists of a synchronization sequence pulses followed by a
specific 0/1 bit pattern. Since you’ve already matched the waveform to the driving direction, now all you need
to do is count the number of “0/1” combinations and then use that to recreate the waveform in Matlab.
Question 20: Fill in the table by entering the number of “0/1” combinations trailing the sync pulses for
each RC car operation. You must find the exact value or else your transmitter will fail!
Direction
Number of
0/1’s in trail
Forward
Reverse
Right
Left
Fwd-Right
Fwd-Left
Rev-Right
Rev-Left
The next step is to create the baseband waveforms in Matlab and then generate the transmitted ASK waveform
at an IF of 10.0 kHz. Below is Matlab code to get you started. For long “0/1” sequences, you may find the
command repmat.m to be useful.
%
%
%
%
!!!!! NOTE !!!!!
If you do something wrong and Matlab terminates unexpectedly (you get a
lot of angry red Error messages) you will have to close out and restart
Matlab in order to clear out the sound card buffer!!!
clear all
close all
fs = ######;
T_s = 1/fs;
sam_per_sym = ##;
Rb = fs./sam_per_sym;
fif = 10e3;
%
%
%
%
%
Establish our Sampling Frequency (Soundcard!)
Time increment between samples
Samples per Symbol
Resulting Bit Rate
10.0 kHz (IF) Frequency: 6-12 kHz Acceptable
% Setup The Bit Sequence
sync = ######;
forward = ######;
reverse = ######;
right_fwd = ######;
left_fwd = ######;
% Generate the Baseband Line Code & Upsample
% See Digital Line Code Lab for Information
% Resulting Output Variable will be up_data !!!!!
% Generate the "baseband" (IF) waveform – Consider multiplying by a
% Complex Exponential in order to get a one-sided spectrum
time_stop = length(up_data);
time = linspace(0,(1/fs).*time_stop, length(up_data));
s_lo = #########;
s_if = #########;
6
□
Now Execute your code; generate Matlab plots of all 8 signals and include them on the coversheet.
Question 11: What do you hear? What type of signal is being generated?
Question 12: What do you need to do to transmit this signal so that the car receives it?
The instructor’s station has a transmitter version of the superheterodyne receiver we discussed in class – it
works exactly the same way except in reverse.
Question 22: What LO do you need to use to
transmit the RC car control signal at the correct
frequency?
s(t)
IF
RF
LO
fLO
□
Setup your computer and get ready to drive! Use the Anritsu spectrum analyzer to verify that you are
transmitting on the correct frequency. Capture a copy of the spectrum and include it on the coversheet.
Question 13: Do you need the car’s transmitter to control the car? What just happened?
Question 14: Think of some examples of how this might be significant in a military setting.
Need ideas? Check this out! http://www.engr.utexas.edu/features/humphreysspoofing
7
Part IV: Showtime
The final part of your cyberwarfare mission is to successfully take over a new/unknown RC car and navigate it
through a specifically designed course. The new RC car may be on a different frequency range and may have a
different mapping of commands to functions, but will still use the same modulation scheme/bit patterns you
decoded in Part III. The course will be constructed from metal rods that have lengths of 0.5m, 1.0m, and 1.5m.
One potential course design is shown below. The actual design will not be released until the appointed test
date/time.
Finish
1.0m
1.0m
Start
0.5m 0.5m
1.0m
1.5m
At the appointed time, each group will be given 30 minutes to successfully hack the RC car and demonstrate
that it can be controlled by the PC. Groups will then be given an additional 30 minutes to navigate the course.
Any number of trial runs is permissible, however, the instructors must observe at least one full and complete run
(starting with the front wheels on the “start line” and ending with the rear wheels crossing the “finish line”) in
order for the group to receive full credit for completing the course. Rules of Engagement for the “EE354 vs
EE434” EW contest follow below.
At the end of the 30 minute allotment, each group will be given 30 minutes to compose their thoughts, and then
must deliver a 10 minute Powerpoint briefing (absolute maximum 6 slides including title slide) on their design
and results to the instructors. The briefing should contain the following elements:
•
•
•
•
•
•
Overview of your design, Matlab Code, any unique features, and motivation/rationale for design choices.
Overview of predicted results (and how you developed your prediction) for the design, whether theoretical,
simulated, or empirical.
Procedure you followed to hack the RC Car and results from the Course Navigation.
Strategy for dealing with EE434 Electronic Attack and results.
Comparison of the Course Navigation Results with the pre-predicted results, with discussion on the causes of
any differences and any real-time corrections you made.
Team collaboration and acknowledgement of each member’s individual contribution -- how was the result
more than just the sum of the parts.
8
EE434 vs EE354 Cyber Night Rules of Engagement
1. Only one (1) EE434 Team may operate during the 30-minute Course Navigation Evolution; and it must
be the same team for the entire evolution.
2. Inside the 30-minute Evolution, EE354 shall have “RF Quiet” time consisting of 5 minutes at the
beginning (to verify control of the car) and 5 minutes at the end (for a last-ditch course navigation
effort).
3. EE434 Teams are limited to a 1 Watt Transmit Power (as measured and verified by the instructor) input
to any antenna design they desire. The default antenna shall be a simple monopole. If more than one
antenna is used, the net total transmit power must still adhere to the 1 Watt requirement.
4. EE434 Teams must maintain at least a 5 meter standoff distance as measured from the center of the RC
Car Course to the physical center of their antenna. If more than one antenna is used, the center of each
antenna must adhere to the 5 meter standoff requirement.
5. EE434 and EE354 Teams shall not physically interfere with each other’s operation. This prohibition
shall extend to “off duty” teams not actively engaged in the Course Navigation/Attack Evolution.
6. EE434 Teams may use any lab equipment contained in Rickover 061 and Rickover 071 that is not
actively being utilized by an EE354 Team.
7. EE434 Teams must operate between 10 MHz and 300 MHz, and may transmit any waveform or signal
they desire (as would be the case in real life).
8. EE354 Teams may employ electronic countermeasures that operate between 10 MHz and 300 MHz.
EE354 Teams may also employ physical countermeasures that maintain a minimum 3 meter standoff
distance from the EE434 Teams, respect Rule (5) above, and can be physically assembled and
disassembled inside Rickover 061 during the allotted 30 minute time.
9. In the event of a dispute of the rules, or transgression of the rules, the Instructor reserves the right to
issue a determination and judgment; all judgements are final.
The rubric for grading the design and presentations is provided below.
LCDR Jennie Wood and Assoc. Prof. Chris Anderson
Modified Assoc. Prof. Chris Anderson 20160328
9
Team Members: ____________________________
Evaluator: _____________________
Score
(0–5)
Item
0
3
5
Introduction
Not given
Need, and objectives
presented but
incomplete
Clear & concise “forest
view” of project
x2=
Problem Overview
Missing
Present but not
motivated or vague.
Mission and expected
outcome clearly
motivated and articulated
x1=
Missing or
Insufficient level of
detail for design
Incomplete
description of
important material;
not justified,
quantified, or too
abstract.
Present, clearly
articulated, and
appropriately formed.
x3=
Design Architecture
Insufficient level of
detail for design
Some but not all of the
approach is described;
missing steps or
incomplete
information.
Engineering
Analysis
Barely substantiate
data, simulation, or
predicted results; no
discussion
performance
differences between
predicted and
tested.
Some discussion of
data, simulation, or
predictions; delineated
the origin of some
performance
differences between
predicted and tested.
Response to Questions
Team is completely
thrown or defensive
Team struggled with
some questions but
maintained
composure
Answered questions
readily and professionally
x1=
Slide Quality
Completely illegible
Some slides are
difficult to read
Slides are legible, correct,
and visually appealing
x2=
Professionalism
Mumbling and/or no
eye contact; too
long/short
Low energy;
presentation contains
typos, seems rough,
inadequate
figure/slide titles.
Dynamic and charismatic;
Presentation is polished,
professional, and clearly
delivered
x1=
Engineering Requirements
Presentation Score:
Block diagrams &
functional descriptions
clearly provided. Clearly
described approach to
analyzing the problem
space and associated
engineering process.
Clearly and concisely
discussed data,
simulation, and predicted
results and tied all three
together. Clearly
delineated the origin of
performance differences;
identified contributors.
Weight
x5=
x5=
Sum:
10
Score
Related documents
MATH 308 – 530, 531 Homework 1 Spring 2016
MATH 308 – 530, 531 Homework 1 Spring 2016
Homework/Programming 2. (Due Feb 4.)
Homework/Programming 2. (Due Feb 4.)
apdf nov 4 - 0910 sakada
apdf nov 4 - 0910 sakada
Quiz_2_sol - UCSD Department of Physics
Quiz_2_sol - UCSD Department of Physics
Jorge Valenzuela
Jorge Valenzuela
or edit the om
or edit the om
Day 4 Index - 507 Access 13, 15, 40, 56, 71, 76
Day 4 Index - 507 Access 13, 15, 40, 56, 71, 76
Download
advertisement