GBPPR Remote Telephone Surveillance Experiments

The Beginning

The summer of 2010 saw yet another HOPE "hacker" conference take place.  Yawn.  The hubbub this year was surrounding the WikiLeaks website.  Apparently, after milking Kevin Mitnick for 15 years, Eric Corley has yet another project to scam money out of his little kiddie following.  It order to whip the teenage boys into a frenzy, Eric Corley released fraudulent information that the filthy Ashkenazi Julian Assange was "wanted" by the boogeyman and is in imminent danger.  While anyone with an I.Q. over 40 knows WikiLeaks is just a scam for releasing their pro-Zionist/Marxist/Globalist propaganda, there still appears to be some people within the "hacker" community that have fallen for this blatant disinformation.  Let's start from the beginning:

Eric Corley (Emmanuel Goldstein):  Rich, gay pedophile who exploits the hacker community to further his own interests.  Editor-in-Chief of $2600 Magazine who also operates a broadcast radio program about how "suppressed" his life is - from New York City!  Really!  He tries to play the "non-profit" angle, but WBAI receives funding from several of George Soros' anti-West, anti-U.S., "progressive" front organizations.  Corley often falls for fake or planted information, then attacks anyone who doesn't agree with him and will censor (or edit) anyone pointing this out.

Mark Tabry (RedHackt):  One of Corley's boy toys and now Associate Editor at $2600 Magazine.  Wants to destroy the Electoral College - the foundation of our republic - just because a bunch of clueless New York'ers living in filth can't admit the fact they are wrong.

Ed Cummings (Bernie S. [Spindel]):  Probably the only one associated with $2600 Magazine who has a clue, but is an asshole in real-life.  Helps to ban people from the HOPE conferences who expose Eric Corley's little "secrets."  Spouted pro-Obama propaganda from a "non-profit" radio station, but that's not his worst crime.  This is the guy who posts crap all the time on James Atkinson's TSCM mailing list!

Steve Rombom (Steve Rambam):  Loony JDL domestic terrorist who once threatened a 14-year-old boy.  Routinely gives speeches at the HOPE conferences and is also believed to be a pedophile.  He's a private detective who scares people that there are Nazis out to get 'em, but ignores all those Jewish Bolshevik/Marxist/Communist murderers and war criminals.

Richard Osband (Cheshire Catalyst):  Former editor of the YIPL/TAP newsletter, which was probably the first true hacker magazine.  Doesn't want you to know his bat-shit insane YIPL/TAP Jew buddies Abbie Hoffman and Ira Einhorn helped murder Holly Maddux in 1977.

Jennifer Grannick:  Rich, loony lawyer (and Democrat) at the EFF who screams about "rights & privacy" but doesn't want people to show any valid identification to vote!  Security, apparently, is only good for EFF offices and this kike cunt's bank account.  Think about this one for a minute...  Hint:  She wants illegal aliens to be able to vote as genetically inferior and low-I.Q. people tend to support Democrats.  She doesn't care about your rights - she wants power.

And that's just to name a few!  I could go on and on...  The hacker community, which once consisted of the brightest minds on the planet, now mostly consists of a bunch of sheep, charlatans, and snake oil peddlers.  Thankfully, the "election" of O-bummer has brought about the most corrupt, and just plain disastrous, presidential administration in U.S. history.  This, combined with the population's dissatisfaction with the overwhelmly Jewish media and the rise of true grassroots Tea Party movements, hopefully means one thing.  Are Americans finally starting to see the big picture?

To understand where all these nutcases are coming from, you'll have to study the "progressive" ideology from the early 1900s and the anti-Western, anti-White "political correctness" or "cultural Marxism" teachings at the Frankfurt School in Germany and Columbia University in the U.S. today.  Yes, the "progressive" movement consists of nothing more that rehashed Jewish Marxist and Bolshevik propaganda from over 100 years ago!  They can't say this outright, as that would never get you elected in the U.S. or other Western countries.  Progressives fundamentally believe that you're too stupid to make your own decisions and that only government can make the correct choices.  For example, progressives won't come right out and ban books or speech, they'll just try to shut you down for expounding "hate speech" or for not being "politically correct."  They'll also use things like "diversity" and "multiculturalism" in an effort to force their one-party dictatorship onto you.  You'll see this style of brainwashing in our public schools today as they teach homosexuality and living off welfare are O.K., while being a hard-working farmer, hunter, or business man is evil.

There is a great book to counter these types of brain-dead liberals.  It's called The Decline of the Progressive Movement in Wisconsin 1890-1920 by Herbert F. Margulies.  The best thing about his book is that it was written in 1968!  I guess "progressive" really mean "regressive" in newspeak.  Just don't plan on hearing any of this from your college professors or on MSNBC!

            

Wake up White man!  Your ancestors fought tyranny - theirs created it.  As these assholes slowly lose power, their attacks against you will only increase.  Remember, people like Rahm Emanuel's daddy murdered the innocent when he helped blow up the King David Hotel in the name of Jewish supremacism.  They won't think twice of killing you, or your entire family, in order to stay in power.  Just try to walk through Democrat-run Chicago, Detroit, Milwaukee, or New York City at night if you don't believe me...  Fighting this tribe of parasites and nation wreckers will require determination - and a whole new form of open-source unconventional warfare.  Described next will be one type of remote audio surveillance which is ripe for further exploration.

Overview

It is possible to remotely intercept telephone audio by flooding the speaker/microphone circuitry in a target phone with microwave energy.  The electronics inside the telephone modulate this microwave energy and the reflected microwave signal will contain this new modulated signal.  The equipment to begin experiments with this type of surveillance can be found in Decatur RM-715 or MV-715 Range Master X-band police radars from the late 1970s.  One reason for using this older model of Doppler radar is the fact they use a pseudo-quadrature receiver architecture to increase the radar's performance.  Another reason is that Range Master radars utilize a M/A-Com MA86651 10.525 GHz Gunn diode oscillator which has a RF output power of +16 dBm (40 mW) into a circular horn antenna with approximately 20 dB of gain and 3 dB beamwidth of around 15°.  The Effective Radiated Power (ERP) of this radar gun is around +36 dBm or 4 watts.  This is fairly high RF power for a 10 GHz operation, when you compare it to those wimpy little 5 mW Gunn oscillators which are common today.  Now you can see why they created RF exposure laws...

For just experimenting, the receive audio can be taken straight off the Range Master's speaker.  You may wish to pass the audio through further band-pass or high-pass filtering to remove the significant amount of low-frequency "rumble" which will be on the received audio signal.

Operation

Using a device of this type in a remote surveillance operation can be quite tricky.  The horn antenna's beamwidth will be very narrow and you'll need to be able to position the antenna in any direction as the "sweet spot" for receiving audio from a telephone will be quite small.  The idea is to aim at the circuitry which contains an audio amplifier or microphone pre-amplifier in the phone.  The problem is that every phone will be different.  This is where experimenting will be the key.

Older phones with long component leads, wires, and PC board traces are ideal as they all act as little antennas.  Really old phones with only passive carbon microphones and speakers are actually quite immune to this type of RF flooding attack.  Something to keep in mind...  Private Branch Exchange (PBX) systems which convert the audio signal into a digital stream can also be intercepted, as long as you can intercept the audio signal before it reaches the analog-to-digital conversion stage.  There are even some older PBX systems which pass audio signals while the phone is still on hook!  On systems like this, attacking the PBX's backplane circuitry could provide audio interception throughout an entire building.

Note that not just telephones are vulnerable to this type of attack.  Pretty much anything containing an electronic audio amplifier or microphone could potentially be intercepted.  This technique is also a good way to intercept encrypted two-way radio or digital cellular phone transmissions, as long as your target is fairly stationary or easily followed.  It's even possible to intercept a key exchange between two cryptographic devices using a RF flooding technique like this, but pulling the actual key out the noise is a project for someone else...

To extend the operating range of this device, you'll need to increase the output RF power, narrow the antenna's beamwidth, and lower the phase noise of any oscillator stages.  A common 18-inch DSS satellite receiving dish has a gain of around 30 dB at 10 GHz and 3 dB beamwidth of 5°.  Refer to GBPPR 'Zine Issue #63 for more info on how to modify these satellite dishes.

An easy way to lower the phase noise of a Gunn oscillator is to replace the stock regulated power supply with a modern lower-noise equivalent.  The M/A-Com MA8665 Gunn diode oscillator in the Range Master uses a LM723 voltage regulator to provide the +10 VDC Gunn diode bias and there are newer voltage regulators which can be dropped in.

Another method to improve overall performance is to modulate the DC bias on the Gunn diode with an ultrasonic carrier so the received signal is occupying a "sideband" of this modulating signal.  This gets you away from the close-in phase noise of the main oscillator carrier and allows the received signal to be demodulated using a higher-performance synchronous detector.

You can see a real-world application of this technique in William McGrath's U.S. Patent Application 2005/0220310 for "Technique and Device for Through-the-Wall Audio Surveillance."  His device modulates the transmitting microwave signal with a 1 kHz tone and the received signal is further downconverted and AM demodulated using a diode detector.  This audio signal then passes through a lock-in amplifier which tracks the phase of the input 1 kHz tone and tries to follow that same tone on the received signal.  This allows one to extract a signal which is down significantly (100 dB or more) in the noise.  This method of remote audio surveillance by using microwaves is a little more complicated than just using a stock radar gun, but should be doable by the dedicated experimenter.  Government-level microwave surveillance devices of this type (supposedly - hehe...) use a special range-gating modulation which allows one to tune in on a particular range "cell" in which to receive the remote audio.  This helps to eliminate any background clutter or noise and the final result will let you listen to a human heartbeat at 300 feet.  Still trying to figure this device out, though...

Pictures & Construction Notes

A stock Decatur RM-715 Range Master X-band (10.525 GHz) Doppler radar used for this experiment.

A stock Decatur MV-715 Range Master X-band (10.525 GHz) Doppler radar will also work.

Note that K-band (24 GHz) radars give fairly poor performance when used in this type of application.  This is most likely due to the poor penetration of the higher operating frequency.  There are probably certain applications where a 24 GHz signal will be ideal, as it's possible to get the 3 dB beamwidth down to 2° or lower.

Overview of the display and control electronics inside a Decatur RM-715 Range Master radar.

Yes, those are Nixie tubes for the speed display!

The main counter and display circuitry is based around standard 7400-series logic and most are socketed for easy repair.  If you find a "dead" Range Master radar, you can most likely get it operating again by reseating all the logic chips in their sockets.

Overview of the radar's 1N23B mixer diode assembly and post-mixer amplifier circuits.

A 1N23B point-contact diode is under the large screw cap on the left.

The post-mixer amplifier appears to just be a common-emitter (low-impedance) 2N5089 transistor and LM358 op-amp with a gain cell to act as some type of level control.

Needless to say, this amplifier circuit is rip for experimentation and updating for higher gain and lower noise.

Overview of the M/A-Com MA86651 10.525 GHz Gunn diode assembly and its LM723-based +10 VDC voltage regulator.

This is just a Gunn diode mount and doesn't contain a varactor diode.

Replacing the 1N23B mixer diode with one with a lower noise figure.

1N23-series diodes are classified by their noise figure.  Noise figure is a measure of the degradation to a system's overall Signal-to-Noise Ratio (SNR) caused by actual components in the RF signal chain.  Simply put, the lower the noise figure, the better.

An easy trick to slighty improve the range and/or signal quality of a microwave surveillance device of this type is to replace the stock 1N23B with one having a better noise figure.  The noise figure for a 1N23B diode is usually around 10 dB.  I replaced it with a 1N23D diode, having a noise figure of around 8.5 dB.  1N23C (9.0 dB), 1N23E (7.5 dB), 1N23F (7.0 dB), 1N23G (6.5 dB), and 1N23H (6.0 dB) all have respective lower noise figures, but these diodes are getting to be difficult to find.  You'll have to scrounge hamfests for older X-band microwave receiving converters for a good source of 1N23-series diodes.

Note that 1N21-series diodes are only designed for operation up to around 3 GHz.


1N23D Point-Contact Diode

    

Intercepting the audio from an old telephone test set connected to a regular POTS line.

The sample audio is straight from the Range Master's speaker with no additional filtering.

Audio is the dial tone then the standard "If you'd like to make a call..." message.  After that is the off-hook alert tone, which really gave good interception results, but that's because the tone leaves the central office at a fairly high power level.

Note that the range of this test was only a few feet.  Range can be significantly increased by taking the time to aim at just the right spot in the target phone.  You can also use metal ducting, and other structures like hallways, as a makeshift waveguide to direct your illuminating RF signal.

There will be several short videos containing intercepted audio samples at the following URLs and on the GBPPR YouTube channel at youtube.com/GBPPR2 - provided they are not deleted or marked "offensive" by you-know-who:

  1. http://zine.gbppr.org/GBPPR_Tele_Surv_Audio-1.wmv
  2. http://zine.gbppr.org/GBPPR_Tele_Surv_Audio-2.wmv












U.S. Patent Application 2005/0220310

"Technique and Device for Through-the-Wall Audio Surveillance" by William R. McGrath