Introduction

In recent weeks my curiosity led me to start learning radio communications, which prompted me to buy the well-known Baofeng UV5R. Using it, I quickly realized this device's potential for passive reconnaissance and information gathering. Despite its modest price tag of under $20, the UV5R is a versatile tool for pentesting applications. Although sold as a ham radio, once unlocked it also covers the GMRS frequencies, which widens what you can listen to.

Most companies that use radios assume their transmissions are encrypted. In practice the analog FM radios most of them use have no encryption at all, and on the digital systems that do support it, encryption is an option that has to be configured and keyed, a step most companies skip. Note also that the CTCSS/DCS "privacy codes" on consumer and business radios are not encryption: they only mute your own receiver until a matching tone is heard, and a radio scanning without tone squelch hears everything.

This article is not so much about the technical side of radio as about using it for basic reconnaissance. There are radios superior to the UV5R, but they come at a considerable price increase. In my brief time with the UV5R I have already come across a trove of sensitive data.

The following are just some examples of what I have encountered:

  • A small company with login issues inadvertently divulged employee details (full names, emails, and login credentials) during a conversation with their IT specialist.
  • A large biotech company, in the middle of network maintenance, disclosed network configurations and firewall details, including the window during which the firewall would be temporarily disabled for upgrades.
  • A large company nearby relies on radio for its physical security operations; an exchange between a security guard and their manager revealed break schedules with no coverage, potentially compromising site security.
  • Even law enforcement agencies aren't immune: communications between a local police department and its dispatch revealed sensitive details such as license plate numbers, vehicle registrations, and associated personal information.

These examples barely scratch the surface of the private information routinely exchanged in the clear over radio. In this tutorial you will learn how to set up the Baofeng UV5R to listen for this kind of information.

Legality

In the United States it is legal to receive and listen on the ham and GMRS bands; no license is needed to receive. Transmitting on these frequencies without the appropriate license is illegal. The Baofeng UV5R is sold as an amateur radio and is not certified for GMRS; unlocking it (see below) lifts the band lock so you can reach the GMRS frequencies, but it does not make transmitting on them legal, and doing so can result in an FCC fine. I have found no reported cases of anyone being fined for this, but it remains a violation, so keep the PTT button alone on any frequency you are not licensed for. One more point matters for reconnaissance work: receiving is one thing and using what you hear is another. Section 705 of the Communications Act (47 U.S.C. 605) prohibits divulging or using intercepted radio communications that are not amateur, CB, or broadcast traffic, so business and public-safety traffic you overhear on an engagement belongs in the report to the client, within the written scope, and nowhere else. Everything in this tutorial is receive-only.

What You Need

  1. Baofeng UV5R
  2. An official Baofeng programming cable (or one with a genuine FTDI chip; cheap clones with counterfeit Prolific chips often fail with current Windows drivers)
  3. CHIRP Software

Unlocking the UV5R

You can unlock the UV5R in just a few seconds to gain access to the GMRS frequencies. This is completely optional, but it lifts the band lock and gives you more frequencies to scan; since nothing in this tutorial involves transmitting, the only thing you gain is more frequencies to listen to. To unlock, all you have to do is:

  1. Make sure the radio is turned off
  2. Simultaneously press and hold down the PTT, MONI, and VFO/MR buttons
  3. While holding down the buttons above, turn on the radio

If this was done correctly, the UV5R will turn on with the display showing FACTORY and then boot up as normal. You now have GMRS capability on your Baofeng UV5R.

Getting Started

The first thing you need to do is set the squelch on your radio. Press the Menu button; Squelch (SQL) should be the first option shown, and if it isn't, press 0 to jump to it. Once you see Squelch, press Menu again to enter the setting, set the Squelch to 1, and press Menu to save. If you are hearing static on every frequency, go back into the Squelch option and raise the value by 1. Repeat this until you no longer hear constant static; most people end up between 1 and 3. Keep it as low as you can get away with, since a high squelch hides the weak signals from distant sites that are often the interesting ones. Now do the following:

  1. Set the UV5R to a frequency that has no transmissions on it
  2. Turn off the radio
  3. Install the CHIRP software
  4. Run CHIRP, then plug the programming cable into the UV5R and the USB end into your computer. Make sure the UV5R is turned off while doing this!
  5. Turn on the UV5R and turn the volume all the way up

Programming the UV5R With CHIRP

Programming the UV5R with CHIRP is relatively easy. There are a few steps, but it is much easier than programming the UV5R by hand from the keypad.

1. Download Image Of Your Baofeng
Once you've connected your UV5R to your computer, you need to download an image of the radio:

  • In CHIRP go to Radio -> Download from Radio
  • In the popup window select the correct Port (on Windows this is the COM port that appeared in Device Manager when you plugged the cable in)
  • For Vendor select Baofeng
  • For Model select UV5X. There is a UV5R entry, but it no longer worked with this radio in the author's testing; the UV5X entry did.

[Screenshot: the CHIRP download dialog with Port, Vendor (Baofeng) and Model (UV5X) selected]

Then hit the OK button. CHIRP now downloads an image of your UV5R. Save this image unchanged (File -> Save) before you edit anything, so you can always upload it back and return the radio to the state it shipped in.

2. Create a List Of Local Repeaters
These next steps show you how to add all of the listed repeaters in your area. When scanning in Channel mode you will only hear traffic on the channels you import, so this list decides what you hear. Many businesses use repeaters, but many do not, since they don't need the distance a repeater provides. Be aware of what the RepeaterBook Amateur listing is: it covers ham repeaters, which carry licensed amateur traffic, while businesses and public-safety agencies that use repeaters do so on their own Part 90 licences, which are not in this list. Those frequencies have to be found by scanning in Frequency mode, or by looking up licensees near the target site in the FCC ULS license database, and then added to your list by hand. Within CHIRP do the following:

  • Go to Radio -> Query Source -> RepeaterBook
  • Fill in the location for the city you are currently in. You will need its latitude and longitude; a quick web search will give them.
  • In the Service field select Amateur. These are the ham radio bands. Typically GMRS repeaters don't have as much activity on them, at least in my experience.
  • For Distance you will need to experiment. The UV5R has 128 memory slots (numbered 0 to 127), and we want to fill them with as many local repeaters as possible without going over that limit. Try starting at 40.
  • You don't need to change Filter or any of the other options; you can use those later once you are more familiar with the radio. Then hit OK.

Once you've hit OK, a spreadsheet-like window opens listing all of the repeaters within the distance you selected. Make sure the list does not exceed 128 entries. If it is above 128, or well below it, go back into the menu and select a shorter or larger Distance.

3. Save Your list
Now you just need to save your list of repeaters:

  • Make sure you have the RepeaterBook tab selected and that your new list of repeaters is showing.
  • Go to File -> Export to CSV, name the file, and click Save

4. Import Local Repeaters
This last set of steps will import your newly created list of repeaters into your UV5R. Within the CHIRP software do the following:

  • Select the Baofeng image tab in the top left corner of the CHIRP window. It is usually titled something like Baofeng_UV-5X_<date>.img
  • Go to File -> Import From File, then select the CSV file you created with your list of repeaters and hit OK
  • A warning window will pop up saying that importing is not recommended. Ignore it and select Import. Another window may say it will overwrite existing memories; if so, hit YES
  • You may get yet another pop-up saying certain entries are invalid. This means those repeaters use something the UV5R does not support, typically a frequency outside its receive range or a digital voice mode; the majority of the entries will import fine
  • Go to Radio -> Upload to Radio, then hit OK

If done correctly you will now see CHIRP writing all of the entries to your UV5R. Wait for the upload to finish before disconnecting the UV5R from your computer.
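As an added example (not part of the original tutorial), the following Python script does the check behind CHIRP's "invalid entries" warning ahead of time, and says why each entry is dropped: it reads a RepeaterBook CSV export, removes anything the UV5R cannot receive (frequencies outside 136-174 / 400-520 MHz and digital-voice modes), renumbers the survivors into the 128 memory slots, and marks every memory receive-only so an accidental press of PTT on a repeater input cannot transmit. Assumptions, also labelled in the code: the column names follow CHIRP's CSV export (check against the header of your own file), the sample CSV is constructed, and the Duplex value `off` is taken to disable transmit on the UV5R driver.

```python
"""Pre-validate a CHIRP RepeaterBook export for a receive-only UV5R channel list.

Added example, not from the original tutorial. Assumptions: the UV5R receives
136-174 MHz and 400-520 MHz in analog FM/NFM only, has 128 memories (0..127),
and the CSV column names are CHIRP's (check the header of your own export).
"""
import csv
import io
import sys

RX_RANGES = ((136.0, 174.0), (400.0, 520.0))   # MHz, from the tutorial
MAX_MEMORIES = 128                              # CHIRP numbers them 0..127
ANALOG_MODES = {"FM", "NFM"}                    # no DV/DMR/P25 decoding on a UV5R

# Constructed sample in CHIRP's CSV layout: three receivable analog repeaters,
# two outside the receiver's range, one digital-voice only.
SAMPLE_CSV = """\
Location,Name,Frequency,Duplex,Offset,Tone,rToneFreq,cToneFreq,DtcsCode,DtcsPolarity,Mode,TStep,Skip,Comment
0,W1ABC,146.940000,-,0.600000,Tone,88.5,88.5,023,NN,FM,5.00,,2m analog
1,K1XYZ,224.900000,-,1.600000,,88.5,88.5,023,NN,FM,5.00,,1.25m band
2,N1DEF,442.500000,+,5.000000,TSQL,100.0,100.0,023,NN,FM,5.00,,70cm analog
3,AB1GH,447.200000,-,5.000000,,88.5,88.5,023,NN,DV,5.00,,D-STAR only
4,W1JKL,53.030000,-,1.000000,,88.5,88.5,023,NN,FM,5.00,,6m band
5,K1MNO,145.230000,-,0.600000,Tone,127.3,127.3,023,NN,FM,5.00,,2m analog
"""


def receivable(freq_mhz):
    """True if the UV5R's receiver covers this frequency."""
    return any(lo <= freq_mhz <= hi for lo, hi in RX_RANGES)


def filter_rows(rows, receive_only=True):
    """Keep rows the UV5R can hear, renumber them from 0, cap at 128 memories.

    With receive_only=True the Duplex field is set to "off", which CHIRP uses to
    disable transmit on a memory (assumption: the UV5R driver accepts it; if CHIRP
    flags those rows invalid at import, call with receive_only=False instead).
    Returns (kept_rows, rejected) where rejected is a list of (name, reason).
    """
    kept, rejected = [], []
    for row in rows:
        name = row.get("Name", "?")
        try:
            freq = float(row["Frequency"])
        except (KeyError, ValueError):
            rejected.append((name, "unparseable Frequency"))
            continue
        if not receivable(freq):
            rejected.append((name, f"{freq:.4f} MHz is outside the RX range"))
            continue
        mode = (row.get("Mode") or "FM").upper()
        if mode not in ANALOG_MODES:
            rejected.append((name, f"mode {mode} is not analog"))
            continue
        if len(kept) >= MAX_MEMORIES:
            rejected.append((name, "no free memory slot"))
            continue
        new = dict(row)
        new["Location"] = str(len(kept))   # contiguous slots, no gaps
        if receive_only:
            new["Duplex"] = "off"
        kept.append(new)
    return kept, rejected


def process(csv_text, receive_only=True):
    """Parse CSV text and return (fieldnames, kept_rows, rejected)."""
    reader = csv.DictReader(io.StringIO(csv_text))
    kept, rejected = filter_rows(list(reader), receive_only)
    return reader.fieldnames, kept, rejected


def write_csv(path, fieldnames, rows):
    """Write the filtered list back out for File -> Import From File in CHIRP."""
    with open(path, "w", newline="") as fh:
        writer = csv.DictWriter(fh, fieldnames=fieldnames)
        writer.writeheader()
        writer.writerows(rows)


if __name__ == "__main__":
    # usage: python uv5r_filter.py repeaterbook.csv uv5r.csv   (no arguments: demo)
    text = open(sys.argv[1], newline="").read() if len(sys.argv) == 3 else SAMPLE_CSV
    fields, kept, rejected = process(text)
    for name, why in rejected:
        print(f"dropped {name}: {why}")
    print(f"{len(kept)} channels kept in slots 0-{len(kept) - 1}")
    if len(sys.argv) == 3:
        write_csv(sys.argv[2], fields, kept)
```

Run it on the CSV you exported from the RepeaterBook tab, then import the output file in place of the original; the "invalid entries" pop-up should not appear, and the printed reasons tell you which sites you are not going to hear on this radio.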

Scanning

There are two modes you can scan in, Frequency and Channel, and the orange VFO/MR button toggles between them. Frequency mode sweeps every frequency in the band; Channel mode scans only the channels we imported from CHIRP. I recommend using Channel mode for a while, until you are comfortable with the features of the UV5R, before moving on to Frequency mode.

1. Channel Mode
Once you're in Channel Mode hold down the */Scan button until the UV5R starts scanning. It should start scanning after about 1-3 seconds.

The UV5R will begin scanning; it will briefly stop on channels that have a transmission on them, then resume. If you want to stay on a channel, press EXIT to stop the scan. How long the radio lingers is controlled by menu 18 (SC-REV): TO resumes after a fixed time, CO resumes once the carrier drops, and SE stops scanning on the first active channel. CO is the most useful setting for listening to a whole exchange.

2. Frequency Mode
Frequency mode is a little more complicated and MUCH slower. The Baofeng UV5R covers both UHF and VHF, but in Frequency mode you can only scan one band at a time:

  • VHF: 136-174 MHz
  • UHF: 400-520 MHz

Two frequencies are shown on the UV5R screen, the A (top) and B (bottom) lines, and the blue A/B button toggles between them. It is worth setting one to a VHF frequency and the other to a UHF frequency. To do this, select a line and type any frequency within the corresponding band on the keypad. For example:

  • In the top frequency enter 136.000
  • In the bottom frequency enter 400.000

Now, when the A/B button has the top line selected you scan VHF, and when it has the bottom line selected you scan UHF. Press and hold the */SCAN button for 1-3 seconds until scanning starts.

Conclusion

Make sure to spend several weeks scanning in both Frequency and Channel mode. Keep a written list of the active channels in both, so you can modify your CSV list in CHIRP and build a channel list of the frequencies with the most activity. It is also important to factor in the time of day you are scanning. Business hours are the crucial time, since that is when there is the most activity. However, I have also obtained valuable information after hours, when a business was doing its routine maintenance.
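As an added example for this step, not from the original post, here is a Python script that turns that written list into the channel list: it reads a plain-text log of what the scanner stopped on, ranks the frequencies by how often they were active, labels each with the service that normally uses it (so you can tell a ham net from a business itinerant channel or an FRS bubble-pack radio at a glance), and emits a CHIRP CSV in which the busiest frequencies take the lowest memory slots and one-off hits are kept but flagged Skip so Channel-mode scanning bypasses them. The log format is my own convention and the lines are constructed; the named channels and service ranges are the common US allocations, an assumption to check against the FCC tables for your area; the 7-character name limit and the Duplex value `off` are assumptions about the UV5R driver in CHIRP.

```python
"""Rank scanned frequencies by observed activity and build a UV5R list from the busiest.

Added example, not from the original tutorial. Log format (my own convention):
one line per time the scanner stopped, `YYYY-MM-DD HH:MM freq_MHz note`.
Service ranges are common US allocations (assumption; check FCC tables locally).
"""
import csv
import io
from collections import Counter

# Constructed log of two days of scanning.
SCAN_LOG = """\
2024-04-22 09:14 151.6250 dispatch calling unit 3 (yard)
2024-04-22 09:20 151.6250 unit 3 acknowledging
2024-04-22 09:41 462.6750 family at the park
2024-04-22 10:05 464.5000 security: gate 2 open for delivery
2024-04-22 13:30 146.9400 ham net check-in
2024-04-22 17:55 464.5000 security: shift change, north lot uncovered
2024-04-23 08:02 151.6250 dispatch, start of shift
2024-04-23 08:40 464.5000 security: badge reader down at dock
2024-04-23 11:10 155.4750 PD dispatch, plate check
2024-04-23 22:15 464.5000 IT: firewall down for upgrade
"""

# Exact channels first (MHz), then ranges in priority order (first match wins).
NAMED = {
    151.8200: "MURS 1", 151.8800: "MURS 2", 151.9400: "MURS 3",
    154.5700: "MURS 4", 154.6000: "MURS 5",
    151.6250: "Business itinerant (red dot)",
    464.5000: "Business itinerant (brown dot)",
    464.5500: "Business itinerant (yellow dot)",
    467.7625: "Business itinerant (J dot)",
    467.8125: "Business itinerant (K dot)",
}
RANGES = (
    (144.000, 148.000, "Amateur 2 m"),
    (420.000, 450.000, "Amateur 70 cm"),
    (462.550, 462.725, "FRS/GMRS 462 MHz"),
    (467.550, 467.725, "FRS/GMRS 467 MHz (GMRS repeater inputs)"),
    (156.000, 162.025, "VHF marine"),
    (162.400, 162.550, "NOAA weather"),
    (150.800, 174.000, "VHF Part 90 business/public safety"),
    (450.000, 470.000, "UHF Part 90 business/public safety"),
    (470.000, 512.000, "UHF-T band (public safety in large metros)"),
)
NAME_LEN = 7   # assumption: UV5R channel names are 7 characters in CHIRP
CSV_FIELDS = ["Location", "Name", "Frequency", "Duplex", "Offset", "Tone", "rToneFreq",
              "cToneFreq", "DtcsCode", "DtcsPolarity", "Mode", "TStep", "Skip", "Comment"]


def classify(freq_mhz):
    """Label a frequency with the service that normally uses it."""
    f = round(freq_mhz, 4)
    if f in NAMED:
        return NAMED[f]
    for lo, hi, label in RANGES:
        if lo <= f <= hi:
            return label
    return "Unclassified"


def parse_log(text):
    """Yield (freq_mhz, note) per well-formed line; ignore blanks and comments."""
    for line in text.splitlines():
        parts = line.split(maxsplit=3)
        if len(parts) < 3 or line.lstrip().startswith("#"):
            continue
        try:
            freq = round(float(parts[2]), 4)
        except ValueError:
            continue
        yield freq, parts[3] if len(parts) == 4 else ""


def rank(text):
    """Return [(freq, hits, label, first_note)], busiest first, then by frequency."""
    hits, first_note = Counter(), {}
    for freq, note in parse_log(text):
        hits[freq] += 1
        first_note.setdefault(freq, note)
    rows = [(f, n, classify(f), first_note[f]) for f, n in hits.items()]
    return sorted(rows, key=lambda r: (-r[1], r[0]))


def to_chirp_rows(ranking, min_hits=2, limit=128):
    """Busiest frequencies get the lowest slots; one-off hits stay but are skipped."""
    rows = []
    for slot, (freq, hits, label, note) in enumerate(ranking[:limit]):
        amateur = label.startswith("Amateur")
        rows.append({
            "Location": str(slot),
            "Name": f"{freq:.4f}".rstrip("0").rstrip(".")[:NAME_LEN],
            "Frequency": f"{freq:.6f}",
            "Duplex": "off",        # receive-only memory (assumption: driver accepts "off")
            "Offset": "0.000000",
            "Tone": "", "rToneFreq": "88.5", "cToneFreq": "88.5",
            "DtcsCode": "023", "DtcsPolarity": "NN",
            "Mode": "FM" if amateur else "NFM",   # Part 90 has been 12.5 kHz since 2013
            "TStep": "5.00" if amateur else "12.50",
            "Skip": "" if hits >= min_hits else "S",
            "Comment": f"{hits} hits; {label}; {note}",
        })
    return rows


def build_csv(ranking):
    """Render CHIRP-importable CSV text (File -> Import From File)."""
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=CSV_FIELDS, lineterminator="\n")
    writer.writeheader()
    writer.writerows(to_chirp_rows(ranking))
    return out.getvalue()


if __name__ == "__main__":
    ranking = rank(SCAN_LOG)
    for freq, hits, label, _ in ranking:
        print(f"{freq:9.4f} MHz  {hits:2d} hits  {label}")
    print(build_csv(ranking))
```

Append to the log each time the radio stops on something and re-run the script; the resulting CSV replaces the repeater list from the earlier section, and the label column is a quick sanity check on what you are actually listening to before it goes into the report.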

As you can see, the Baofeng UV5R is an extremely capable device, especially at under $20. This tutorial covered only the basics of setting it up and scanning; keep learning the radio and everything it can do, as there is a great deal of information available.