The Gender Snooper

by Commander Crash

So you have this problem that seems simple enough to solve... you want to get the numbers your school uses to upload their grades to the main computer.

You figure it would be an easy task to hack their PCs by installing a key capture TSR... but wait!  They use some screwball proprietary computer you haven't got the time nor the patience to figure out.  Or maybe getting to the PC is so hard to get to, you don't want to bother going back to it a second time.  What now?  Give up?  No way!  They use an external modem that uses an RS-232 data link.  What if it were possible to monitor all data the computer sends down its RS-232 cables?

Perhaps by slipping something inline with the cable, you could retrieve those much needed passwords and dial-up numbers.  Never heard of such a device you say?  Well, the wait is over.  The GenderSnooper does just that, and looks exactly like a gender changer.

The schematic shown below (Figure 1) is for the transmitter.  The one I built was housed inside a gutted gender changer.  C1 and L1 form the tank circuit that sets the transmit frequency.  Their values are chosen from the standard resonant-frequency equation for an LC tank circuit, found in most any electronics theory book on RF.  The transmitting range depends highly on the frequency chosen, on the length of antenna wire used, and on the orientation of the antenna.  For best results, use the FM broadcast band.  Most FM radios have a very wide bandwidth and can support reliable reception of baud rates up to 19.2 kbps.  Most scanners, however, only have a bandwidth of 15 kHz or so.  This results in crappy reception at higher speeds, but it still works.  R1 should be adjusted while you listen to the received signal on either an FM radio or your scanner.

Figure 2 depicts the receiver circuitry.  The LM741 op-amps, the 7400 TTL chip, and the MC1488 chip are all currently available at your local Radio Shack store.

Calibration is very critical.  To calibrate the receiver, you must first locate two PCs within a few feet of each other.  Place the GenderSnooper on the port of one, and load up your favorite terminal proggie.  Start a large upload of a 50 meg text file at 300 bps.  Now go over to your FM radio or scanner (whatever you are using to receive with) and find the signal.  It should sound like alternating, low frequency tones.  Once you are sure you've got the signal tuned in, it's time to hook up the receiver and calibrate it.  Load up a terminal proggie on the other PC, and plug the receiver into its serial port and into the scanner.

Calibration of the transmitter is easy.  Adjust R1 until you can't hear the signal in your receiver.  Now, slowly turn it back until you hear it.  Don't go too high!  Too high a setting will distort the signal.  Now here's the fun part...

Calibration of the receiver is very difficult, so you need to have lots of patience.  Get your multimeter out, and adjust both pots in the receiver until they are each delivering exactly half of the supply voltage into the op-amps.  Then adjust R1 and R2 so the voltage is slightly above 0V.

What are you getting on your screen?  If it is still garbage, raise R1 and R2 again.  Keep doing this until the signal looks clear.  If you can't get a good signal, then try re-adjusting R1 on the transmitter, or try flipping switch SW1 to the other position to invert the signal.  With a little patience, you'll soon get it.  Essentially, all you are doing is moving the "detection" levels for "1" and "0".  See Figure 3 below.  You should repeat this calibration process at higher and higher baud rates until it works at the highest one you expect to use.  After you have accomplished that, then you should begin moving the transmitter and receiver farther apart.  I achieved a maximum reliable range of around 550 feet using the FM broadcast band at 19.2 kbps.

So how does it work?  It's quite simple.  The transmitter simply sends out a pulse of RF on every bit transition of the target computer's port.  The receiver picks up these pulses in the audio signal.  For a "1", the signal pulses positive, then slowly drifts back down.  For a "0", the signal pulses negative.  Between these pulses there is nothing but noise in the signal.  The receiver therefore holds the matching logic level (1 after a positive pulse, 0 after a negative one) until the next pulse arrives.
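To show why the principle above works, and why the detection levels from the calibration section and the SW1 polarity switch matter so much, here is an added software model that is not part of the original article or its circuit.  It frames constructed sample text as 8N1 serial data, turns every level transition into a decaying pulse with a little noise (what the radio hands to the receiver), recovers logic levels with two assumed thresholds, and decodes the bytes with a software UART.  SAMPLES_PER_BIT, the decay and noise figures, the threshold values and the sample text are all assumptions.  The lesson for anyone responsible for such a link is the one the article relies on: a plain RS-232 cable is fully recoverable from its edges alone, so whatever is typed over it, credentials included, is exposed to anything sitting inline.

```python
"""Model of the edge-pulse serial link described above (constructed example).

Serial traffic is framed 8N1; every level transition becomes a short pulse that
drifts back toward zero, and the receiver turns that back into logic levels
using two detection thresholds and the SW1 polarity switch.
"""
import random

SAMPLES_PER_BIT = 8          # assumed audio samples per bit period
TEXT = "LOGIN demo\r\n"      # constructed sample traffic


def uart_frame(byte):
    """8N1 frame: start bit (0), eight data bits LSB first, stop bit (1)."""
    return [0] + [(byte >> k) & 1 for k in range(8)] + [1]


def encode_stream(text):
    """Idle line (mark = 1) around a run of frames."""
    bits = [1] * 4
    for b in text.encode("ascii"):
        bits += uart_frame(b)
    return bits + [1] * 4


def to_pulses(bits, decay=0.6, noise=0.05, seed=1):
    """Transmitter + radio: +1 pulse on a 0->1 edge, -1 pulse on a 1->0 edge,
    decaying toward 0 between edges, with assumed receiver noise on top."""
    rng = random.Random(seed)
    samples, level, prev = [], 0.0, bits[0]
    for bit in bits:
        if bit != prev:
            level = 1.0 if bit else -1.0
        for _ in range(SAMPLES_PER_BIT):
            samples.append(level + rng.uniform(-noise, noise))
            level *= decay
        prev = bit
    return samples


def recover_levels(samples, pos_thresh, neg_thresh, invert=False, idle=1):
    """Receiver comparators: above pos_thresh latches 1, below neg_thresh
    latches 0, anything in between holds the last level. SW1 flips polarity."""
    levels, level = [], idle
    for s in samples:
        if invert:
            s = -s
        if s > pos_thresh:
            level = 1
        elif s < neg_thresh:
            level = 0
        levels.append(level)
    return levels


def uart_decode(levels):
    """Software UART: on a 1->0 start edge, sample the centre of the start bit,
    the eight data bits and the stop bit; frames with a bad stop bit are dropped."""
    out, i, n = bytearray(), 1, len(levels)
    while i < n:
        if levels[i - 1] == 1 and levels[i] == 0:
            centres = [i + k * SAMPLES_PER_BIT + SAMPLES_PER_BIT // 2
                       for k in range(10)]
            if centres[-1] >= n:
                break
            bits = [levels[c] for c in centres]
            if bits[0] == 0 and bits[9] == 1:
                out.append(sum(b << k for k, b in enumerate(bits[1:9])))
                i = centres[-1] + 1
                continue
        i += 1
    return bytes(out)


def recover_text(pos_thresh=0.5, neg_thresh=-0.5, invert=False):
    """Whole chain: frame TEXT, pulse it, threshold it, decode it."""
    pulses = to_pulses(encode_stream(TEXT))
    levels = recover_levels(pulses, pos_thresh, neg_thresh, invert)
    return uart_decode(levels).decode("ascii", errors="replace")


if __name__ == "__main__":
    print("thresholds +-0.5  :", repr(recover_text()))
    print("thresholds +-1.2  :", repr(recover_text(1.2, -1.2)))   # never trips
    print("thresholds +-0.02 :", repr(recover_text(0.02, -0.02)))  # noise trips it
    print("SW1 inverted      :", repr(recover_text(invert=True)))
```

Running it reproduces the calibration experience from the text: thresholds set well clear of the noise but below the pulse height give the original bytes back, thresholds set too high never latch anything, thresholds set too close to 0V latch on noise and produce garbage, and the wrong SW1 position hands the terminal a complemented, misaligned bit stream.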

As you might have guessed, this device has many applications.  It has been greatly helpful in getting into the local library's computers, the DMV, and a few others.  Of course, I had their permission to test the device, and it was for educational purposes only!  If you don't already own a portable PC, get one.  It doesn't matter if it's a laptop, notebook, or Palmtop.  Just make sure you can get it around the target without being suspicious.  I purchased an HP 200LX Palmtop.  It has a built-in serial port, is no larger than a checkbook, and comes with built-in communications software.  I used this in combination with a Walkman inside my coat, and just stood around the target in most cases with my capture file open.  Worked like a dream!

Happy hacking!

Figure 1: Transmitter schematic

Figure 2: Receiver schematic

Figure 3: Detection levels for "1" and "0"
