Introduction
In recent weeks, my curiosity led me to delve into learning radio communications, prompting me to purchase the well-known Baofeng UV5R. Upon using this device, I quickly realized its potential for passive reconnaissance and information gathering. Despite its modest price tag of under $20, the UV5R emerges as a versatile tool suited for pentesting applications. Although originally designed as a ham radio, its unlocked capabilities extend to GMRS frequencies, amplifying its capability.
Most companies that use radios think that the transmission is encrypted. However, this is a feature that has to be configured, and most companies overlook this step.
This article isn't going to be so much about the technical side of radio, but more about how to use it in a basic reconnaissance application. There are superior radios to the UV5R, but they often come with a considerable price increase. In my brief tenure with the UV5R, I've discovered a trove of sensitive data.
The following are just some of what I have encountered:
- A small company had login issues, inadvertently divulging employee details-- full names, emails, and login credentials-- during a conversation with their IT specialist.
- A large biotech company, amidst network maintenance, inadvertently disclosed network configurations and firewall protocols, including the vulnerable window during which the firewall would be temporarily disabled for upgrades.
- A large company nearby relies on radio for physical security operations; an exchange between a security guard and their manager revealed personal scheduling breaks with lack of coverage, potentially compromising site security.
- Even law enforcement agencies aren't immune; intercepting communications between a local police department and their dispatch unveiled sensitive details such as license plate numbers, vehicle registrations, and associated personal information.
These examples barely scratch the surface of the wealth of private information routinely exchanged over radio frequencies. In this tutorial you will learn how to use the Baofeng UV5R to obtain sensitive information.
Legality
It is completely legal to receive and listen to information on ham or GMRS radio. It is illegal to transmit over these frequencies without a license. The Baofeng UV5R is only ham compliant, however you can also get GMRS frequencies if you unlock it. Unlocking and using this radio on GMRS frequencies can result in a fine from the FCC, however there are no recorded instances of anyone receiving such fines for this.
What You Need
- Baofeng UV5R
- An official Baofeng Programming Cable
- CHIRP Software
Unlocking the UV5R
You can unlock the UV5R in just a few seconds to gain access to GMRS frequencies. This is completely optional, but will give you more frequencies to scan. To unlock all you have to do is:
- Make sure the radio is turned off
- Simultaneously press and hold down the PTT, MONI, and VFO/MR buttons
- While holding down the buttons above, turn on the radio
If this was done correctly, the UV5R will turn on and you should see the display say FACTORY. It will then boot up as normal. You now have GMRS capability on your Baofeng UV5R.
Getting Started
The first thing you need to do is to set the squelch on your radio. Press the Menu button and it should be the first option that shows up. If it isn't, press 0. Once you see Squelch, press Menu again and this will bring you down to the settings. Start by setting the Squelch to 1. Then press Menu to save. If you're hearing static on all frequencies, then go back into the Squelch option and raise the number by 1. Continue to do this until you are no longer hearing static on all of the frequencies. Most people can set their squelch between 1-3. Now do the following:
- Set the UV5R to a frequency that does not have any transmissions on it
- Turn Off The Radio
- Install the CHIRP software.
- Run the software and plug in the programming cable to the UV5R and USB to your computer. Make sure the UV5R is turned off while doing this!
- Turn on the UV5R and make sure the volume is all the way turned up.
Programming the UV5R With CHIRP
Programming the UV5R with the CHIRP software is relatively easy. There are a few steps to it, however it is much easier to use this software than to manually program the UV5R by hand.
1. Download Image Of Your Baofeng
Once you've connected your UV5R to your computer, you will need to create an image of your radio:
- In the CHIRP software go to Radio -> Download Radio
- In the popup window select the correct Port
- For Vendor select Baofeng
- For Model select UV5X. Even though there is a UV5R option, it is no longer supported in CHIRP and you use the UV5X.
Here is what your popup window should look like:
Then hit the OK button. The CHIRP software is now creating an image of your UV5R.
2. Create a List Of Local Repeaters
These next steps will show you how to add all of the listed repeaters in your area. When scanning, you will only get transmissions from businesses and people using these repeaters. Many businesses will use repeaters, however many do not as they don't require the distance a repeater provides. Within the CHIRP software do the following:
- Go to Radio -> Query Source -> RepeaterBook
- Fill out the necessary location info for the city you are currently in. You will need to do a Google search to find the latitude and longitude of your city.
- In the Service field select Amateur. These are the ham radio bands. Typically GMRS repeaters don't have as much activity on them, at least from my experience.
- For Distance, you will need to play with this option. The UV5R allows 127 memory slots. We want to fill them with as many local repeaters as possible without going over the 127 slot limit. Try starting out with 40.
- You don't need to do anything for Filter or any of the other options. You can use these later after you've become more familiar with the radio. Then hit OK.
Once you've hit OK, a spreadsheet-like window will pop up with all of the local repeaters within the distance you've selected. Make sure your list does not exceed 127 frequencies. If your list is above 127, or significantly below, you can go back into the menu and select a larger or shorter Distance.
3. Save Your list
Now you just need to save your list of repeaters:
- Make sure you have the RepeaterBook tab selected and that your new list of repeaters is showing.
- Go to File -> Export to CSV, name the file, and click Save
4. Import Local Repeaters
This last set of steps will import your newly created list of repeaters into your UV5R. Within the CHIRP software do the following:
- Select the Baofeng Image tab in the top left corner of the CHIRP window. It's usually titled something along the lines of Baofeng_UV-5X_<date>.img
- Go to File -> Import From File, then select the CSV file you created with your list of repeaters. Then hit OK
- A warning window will pop up saying that it is not recommended to import a list. We can just ignore this and select Import. Another window may pop up saying it will overwrite existing memories; if so, hit YES
- You may get yet another pop up saying certain entries are invalid. This just means that these repeaters will not work with the UV5R. However, the majority of the entries will work.
- Go to Radio -> Upload to Radio, then hit OK
If done correctly you will now see the software adding all of the entries to your UV5R. You can now disconnect the UV5R from your computer.
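The "invalid entries" pop-up and the 127-slot limit can be dealt with before importing. The following is an added example, not part of the original article or of CHIRP: it drops rows outside the VHF/UHF ranges this page gives for the radio, removes duplicates, caps the list at 127 and renumbers the slots. The column names (Location, Name, Frequency, Duplex, Offset), the starting slot number 0 and the sample rows are assumptions.

```python
import csv
import io

# Receive ranges this page lists for the UV5R, in MHz.
BANDS = ((136.0, 174.0), (400.0, 520.0))
MAX_SLOTS = 127  # memory limit as stated on this page

# Constructed sample rows (not real repeaters); column names are assumed.
SAMPLE = """Location,Name,Frequency,Duplex,Offset,Tone,Mode,Comment
0,RPT-A,146.940000,-,0.600000,Tone,FM,constructed
1,RPT-B,224.500000,-,1.600000,Tone,FM,constructed 1.25m
2,RPT-C,444.100000,+,5.000000,Tone,FM,constructed
3,RPT-A2,146.940000,-,0.600000,Tone,FM,constructed duplicate
4,RPT-D,,,,,FM,constructed blank
5,RPT-E,927.100000,-,25.000000,Tone,FM,constructed 33cm
"""


def trim_repeater_csv(text, max_slots=MAX_SLOTS):
    """Return (kept_rows, dropped, fieldnames); dropped holds (name, reason)."""
    reader = csv.DictReader(io.StringIO(text))
    kept, dropped, seen = [], [], set()
    for row in reader:
        row.pop(None, None)  # discard surplus cells on malformed rows
        name = row.get("Name") or ""
        try:
            freq = float(row["Frequency"])
        except (KeyError, TypeError, ValueError):
            dropped.append((name, "unparseable frequency"))
            continue
        key = (round(freq, 6), row.get("Duplex"), row.get("Offset"))
        if not any(lo <= freq <= hi for lo, hi in BANDS):
            dropped.append((name, "outside radio bands"))
        elif key in seen:
            dropped.append((name, "duplicate channel"))
        elif len(kept) >= max_slots:
            dropped.append((name, "over slot limit"))
        else:
            seen.add(key)
            row["Location"] = str(len(kept))  # renumber from 0 (assumed)
            kept.append(row)
    return kept, dropped, reader.fieldnames


def to_csv(rows, fieldnames):
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=fieldnames, lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return out.getvalue()
```

Reviewing the dropped list before importing shows which repeaters were left out and why, instead of learning it from the import dialog.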
Scanning
There are 2 modes you can scan in, Frequency and Channel mode. The orange button labeled VFO/MR will toggle between both of these modes. Frequency mode will scan all of the available frequencies. Channel mode will scan all of the channels that we imported from CHIRP. I recommend just using Channel Mode for a little bit until you get more comfortable and familiar with the features of the UV5R before moving onto Frequency Mode.
1. Channel Mode
Once you're in Channel Mode, hold down the */SCAN button until the UV5R starts scanning. It should start scanning after about 1-3 seconds.
The UV5R will begin scanning. It will briefly stop on channels that have transmissions on them, then resume scanning. If you want it to stop scanning on a certain channel, just hit the EXIT button.
2. Frequency Mode
Frequency mode is a little more complicated and MUCH slower. The Baofeng UV5R does UHF and VHF frequencies. When scanning in Frequency Mode you can only scan one type at a time.
- VHF Frequencies: 136-174 MHz
- UHF Frequencies: 400-520 MHz
There are 2 frequencies shown on the screen of the UV5R. You can toggle between them using the blue A/B button. It is recommended to set one of these frequencies to a VHF frequency and the other to a UHF frequency. In order to do this, all you need to do is type any frequency within the corresponding band. For example:
- In the top frequency enter 136.000
- In the bottom frequency enter 400.000
Now when you use the A/B button and you're on the top band, you can scan VHF frequencies, and when you're on the bottom band you can scan UHF. Just press and hold down the */SCAN button for 1-3 seconds until the scanning starts.
Conclusion
Make sure to spend several weeks scanning both Frequency and Channel mode. Write down a list of active channels in both modes, that way you can modify your CSV list in CHIRP and create a list with channels that have the most activity on them. It is also important to factor in the time of day you are scanning. Business hours are a crucial time to scan since that is when there is the most activity. However, I have got valuable information after hours when a business was doing their routine maintenance.
As one can see, the Baofeng UV5R is an extremely capable device especially for being priced under $20. This tutorial just covered basics of how to use and scan, however it is recommended to continue to learn this device and everything it can do. There is a ton of information available.