Daniel Estévez
destevez.net
@destevez.net
Everything space & RF. Amateur radio operator (EA4GPZ / M0HXM). PhD in Mathematics from Univ. Autónoma de Madrid. he/him
This beacon probably does the same, but I argue that this is not a security problem because the system security relies on the NAS encryption and integrity.

Read more: destevez.net/2026/01/v16-...
V16 beacon full uplink conversation – Daniel Estévez
destevez.net
January 9, 2026 at 9:23 PM
I have found a report from a security researcher that has opened a similar beacon and obtained access to a debug serial port, finding that it transmits unencrypted data in a UDP packet.
January 9, 2026 at 9:23 PM
Then, every 100 seconds it transmits a data packet using the control plane CIoT EPS optimization which I explained in the previous post.
January 9, 2026 at 9:23 PM
I decode all the uplink transmissions in the recording and analyze the packets with Wireshark. What I see is that the beacon registers to the cell network 40 seconds after power on in a rather run-of-the-mill way.
January 9, 2026 at 9:23 PM
It saves them from the need to establish a full data plane connection as in regular LTE.

Read more: destevez.net/2025/12/deco...
Decoding a V16 beacon – Daniel Estévez
destevez.net
December 29, 2025 at 5:03 PM
The beacon uses something called control plane CIoT EPS optimization to transmit a user data message encapsulated in a NAS message as soon as it completes an RRC connection. This is a mechanism intended for IoT devices that transmit a small amount of data.
December 29, 2025 at 5:03 PM
Blind decoding of NPUSCH transmissions without access to the scheduling grants in the downlink is tricky, because we have to guess many parameters, including the RNTI. I show how with some cleverness and some brute force searches of reduced complexity these can be found.
December 29, 2025 at 5:03 PM
In this post I analyze a recording of the B20 band NB-IoT uplink of a V16 beacon, showing how to decode the NPUSCH and obtain MAC PDUs that we can inspect in Wireshark.
December 29, 2025 at 5:03 PM
It's a good read if you want to learn about RISC-V trap handling, and how LLVM turns Rust code into assembly and performs move elimination optimizations.

Read more: destevez.net/2025/12/note...
Notes on debugging Rust microcontroller stack usage – Daniel Estévez
destevez.net
December 19, 2025 at 11:04 AM
Most of the recordings have a problem regarding a huge receiver frequency drift, as shown here. This limits the sensitivity of the acquisition algorithm.

Read more: destevez.net/2025/12/firs...
December 10, 2025 at 11:27 AM
This takes a minute to do and benefits everyone. Thank you for your support!
November 29, 2025 at 6:06 PM
I occasionally see SatYAML files shared on social media or forums, but it is hard to keep track of them in this way. If you have a SatYAML file that works for a given recording, please send a pull request to get it upstreamed, linking the recording you used to test it.
November 29, 2025 at 6:06 PM
The telemetry packets contain many interesting strings with log messages, which appear to be generated by a Linux system running Rocket Lab's MAX flight software.

Read more: destevez.net/2025/11/deco...
November 19, 2025 at 9:56 PM
Head over to github.com/maia-sdr/plu... to download the firmware and to github.com/maia-sdr/mai... for updated information about connecting to an Android phone.
Release Maia SDR Pluto firmware v0.8.2 · maia-sdr/plutosdr-fw
Changelog Changed Update Maia SDR to v0.12.0. Updates dependencies. Update IQEngine to latest main. Add IPv6 link-local address fe80::1/64 to simplify connecting to the Pluto by ssh before the IPv...
github.com
November 9, 2025 at 7:21 PM