26–30 Sept 2022
Capital Hilton
US/Eastern timezone
All GRCon talks are now available to watch at https://www.youtube.com/GNURadioProject

Reverse Engineering the Positive Train Control (PTC) 220 MHz Wireless Protocol

28 Sept 2022, 13:00
30m
Presidential Ballroom (Capital Hilton)

Talk | Digital Signal Processing | Main Track

Speaker

David Twitchell

Description

Positive Train Control (PTC) is a collection of standards and technologies that attempts to prevent train collisions and derailments by automating certain safety functions aboard locomotives. The communications layer of one widely fielded PTC implementation uses proprietary wireless protocols operating at 220 MHz. Each locomotive has a PTC radio, and there are also stationary radios at certain points along the tracks and in central office locations.

As an independent vulnerability R&D project at Shift5, we purchased and studied several decommissioned 220 MHz PTC radios available on the open market. Our research is ongoing, but we will present the reverse engineering work that was required to fully decode the physical (PHY) layer of the radio traffic. This included open source research, signal analysis, and software/hardware reverse engineering.

The protocol utilizes a robust phase-shift keying (PSK) signal with non-standard interleavers, multiple forward error correction (FEC) modes, and custom CRCs. We ultimately wrote a complete C++ library and several custom GNURadio signal processing blocks to implement the physical layer of the wireless protocol. We are able to demodulate/decode packets from the PTC radios as well as transmit our own packets that are correctly received by the radio. We will demonstrate both receive and transmit capabilities during the talk and release a fully functional out-of-tree module and flowgraph for the receive chain.
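The abstract mentions custom CRCs as one of the things that had to be recovered before frames could be checked. The following C++ is an added example written for this page; it is not the speaker's or Shift5's code, and it does not use any detail of the PTC protocol (the CRC width, polynomial, frame layout and payloads are all assumed). It shows the standard differential technique for recovering an unknown CRC-16's polynomial, bit order and initial register value from captured frames whose check values are known: XOR-ing two equal-length frames cancels the unknown init and xorout, which reduces the search to a small brute force over the polynomial. The "capture" is constructed inline and checksummed with a hidden parameter set (CRC-16/CCITT-FALSE) so the recovery can be verified.

```cpp
#include <cstdint>
#include <cstdio>
#include <utility>
#include <vector>

using Bytes = std::vector<uint8_t>;

// One demodulated frame: payload bytes and the 16-bit check value that followed them.
struct Frame { Bytes payload; uint16_t crc; };
struct CrcCandidate { uint16_t poly; bool reflect; };

static uint16_t reflect16(uint16_t v) {
    uint16_t r = 0;
    for (int i = 0; i < 16; ++i) r = (uint16_t)((r << 1) | ((v >> i) & 1));
    return r;
}

// Bit-serial CRC-16. 'reflect' selects the LSB-first register convention; 'init' is the
// starting register value in that convention and 'xorout' is applied to the final register.
uint16_t crc16(const Bytes& data, uint16_t poly, uint16_t init, uint16_t xorout, bool reflect) {
    uint16_t reg = init;
    if (!reflect) {
        for (uint8_t b : data) {
            reg ^= (uint16_t)(b << 8);
            for (int i = 0; i < 8; ++i)
                reg = (reg & 0x8000) ? (uint16_t)((reg << 1) ^ poly) : (uint16_t)(reg << 1);
        }
    } else {
        const uint16_t rpoly = reflect16(poly);
        for (uint8_t b : data) {
            reg ^= b;
            for (int i = 0; i < 8; ++i)
                reg = (reg & 1) ? (uint16_t)((reg >> 1) ^ rpoly) : (uint16_t)(reg >> 1);
        }
    }
    return (uint16_t)(reg ^ xorout);
}

// Step 1: the CRC register is affine in (payload, init), so for two frames of equal length
// crc(a) ^ crc(b) == crc(a ^ b) computed with init = 0 and xorout = 0. The unknown init and
// xorout cancel, leaving a 2 x 32768 search over (reflect, odd poly).
std::vector<CrcCandidate> find_poly(const std::vector<Frame>& frames) {
    std::vector<std::pair<Bytes, uint16_t>> diffs;
    for (size_t i = 0; i < frames.size(); ++i)
        for (size_t j = i + 1; j < frames.size(); ++j) {
            if (frames[i].payload.size() != frames[j].payload.size()) continue;
            Bytes d(frames[i].payload.size());
            for (size_t k = 0; k < d.size(); ++k) d[k] = frames[i].payload[k] ^ frames[j].payload[k];
            diffs.emplace_back(d, (uint16_t)(frames[i].crc ^ frames[j].crc));
        }
    std::vector<CrcCandidate> out;
    for (int reflect = 0; reflect < 2; ++reflect)
        for (uint32_t poly = 1; poly <= 0xFFFF; poly += 2) {  // a real generator has an x^0 term
            bool ok = !diffs.empty();
            for (const auto& d : diffs)
                if (crc16(d.first, (uint16_t)poly, 0, 0, reflect != 0) != d.second) { ok = false; break; }
            if (ok) out.push_back({(uint16_t)poly, reflect != 0});
        }
    return out;
}

// Step 2: with poly fixed, try all 65536 initial register values, assuming xorout = 0.
// Frames of more than one length are needed: for a single length, init and xorout alias.
// Returns -1 when no init fits (then xorout is non-zero and must be searched as well).
int find_init(const std::vector<Frame>& frames, CrcCandidate c) {
    for (uint32_t init = 0; init <= 0xFFFF; ++init) {
        bool ok = true;
        for (const auto& f : frames)
            if (crc16(f.payload, c.poly, (uint16_t)init, 0, c.reflect) != f.crc) { ok = false; break; }
        if (ok) return (int)init;
    }
    return -1;
}

// Constructed "capture" for the example: made-up payloads checksummed with a parameter set
// the recovery functions are not told about (CRC-16/CCITT-FALSE: poly 0x1021, init 0xFFFF).
std::vector<Frame> sample_capture() {
    const uint16_t hidden_poly = 0x1021, hidden_init = 0xFFFF;
    const std::vector<Bytes> payloads = {
        {0x7E, 0x01, 0x10, 0x00, 0x42, 0xA5, 0x3C, 0x19},
        {0x7E, 0x01, 0x10, 0x00, 0x42, 0xA5, 0x3C, 0x1A},
        {0x7E, 0x02, 0x11, 0x00, 0x00, 0xFF, 0x00, 0x55},
        {0x7E, 0x03, 0x22, 0x10, 0x01},
        {0x7E, 0x03, 0x22, 0x10, 0x02, 0x03},
    };
    std::vector<Frame> frames;
    for (const auto& p : payloads) frames.push_back({p, crc16(p, hidden_poly, hidden_init, 0, false)});
    return frames;
}

int main() {
    const auto frames = sample_capture();
    for (const auto& c : find_poly(frames)) {
        int init = find_init(frames, c);
        if (init < 0) std::printf("poly=0x%04X reflect=%d: no init fits with xorout=0\n", c.poly, (int)c.reflect);
        else std::printf("poly=0x%04X reflect=%d init=0x%04X xorout=0\n", c.poly, (int)c.reflect, init);
    }
}
```

Against the constructed capture this prints `poly=0x1021 reflect=0 init=0xFFFF xorout=0`. On a real capture the analyst first has to guess where the check field sits and its byte order, and a 32-bit CRC makes the init search too large for this brute force; the affine trick still applies, but init is then solved by running the register backwards from a known frame rather than enumerated.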

Talk Length: 30 Minutes
Presentation: In-Person

Presentation materials

There are no materials yet.