Compromising Electromagnetic Emanations of PS/2 Keyboards

Interim Project Report of Tempest Working Group, 22, 23, 24 April 2009
hosted by xxxxx / Berlin

Bengt Sjölén, Danja Vasiliev, Gordan Savicic, Martin Howse
Any time a machine is used to process classified information electrically, the various switches, contacts,
relays, and other components in that machine may emit radio frequency or acoustic energy.

... This problem of compromising radiation we have given the covername TEMPEST.

[TEMPEST: A Signal Problem. NSA 1972]

More information about TEMPEST at		

Understanding PS/2

We were using a standard QWERTZ German-layout PS/2 (AT) keyboard hooked up to the computer via a PS/2-USB converter.
The data signal of the PS/2 protocol was picked up at 12.004 MHz (the clock signal of the USB1 device), which happens to be
the keyboard-scancode carrier frequency.

The keyboard uses a serial protocol with 11-bit frames.  These bits are:

	* 1 start bit.  This is always 0.
	* 8 data bits, least significant bit first.
	* 1 parity bit (odd parity).
	* 1 stop bit.  This is always 1.


In our experiment two different keys were pressed:

P -> KeyNum 26 -> Scancode 0x4D
Ä -> KeyNum 41 -> Scancode 0x52 (Ä resembles the ";" on QWERTY keyboards)

Useful information about PS/2:

Using USRP & GNU Radio

Hardware Setup:

	* USRP GNU Radio with LFRX 0-30 MHz module from
	* 1 meter wire as antenna


	* Modified the from gnuradio examples (changed bandpass settings, added file_sink)
	* Audacity for analysing RAW data


	# python -f 12.004M -n tempestoutput.raw  


The RAW data was imported into Audacity as 32-bit float, 128000 samples.

Download Audacity project including RAW files