Detecting Hidden GPS Trackers via Electromagnetic Unintentional Emissions with a HackRF

Researchers from Hunan University, Boise State, and UT Arlington have published a paper called "GPSBuster" (PDF link), demonstrating how a HackRF One can sniff out covert GPS trackers by their unintended electromagnetic radiation. Hidden trackers are hard to find since they only receive satellite signals and may store coordinates locally rather than transmit. Instead of looking for transmissions, GPSBuster targets side-channel leakage from the tracker's mixed-signal SoC, specifically the coupling between the quartz oscillator, local oscillator, and mixer used to downconvert the 1575.42 MHz L1 signal.

The team found that an active tracker leaks two characteristic spectra: a low band around 26 to 104 MHz and a high band around 1545 to 1625 MHz, each with a strong peak and evenly spaced harmonics. The low band reflects coupling between the quartz oscillator (typically 26 MHz) and the IF. In the high band, the LO frequency plus the IF spacing always sums to 1575.42 MHz, which gives a database-free detection rule. The setup consists of a HackRF, an NFP-3 near-field probe, and a 35 dB LNA. Because a near-field probe is used, the probe has to be swept over an area to find the tracker, and the maximum detection range was 0.61 m.
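A sketch of how the high-band rule could be checked against a list of spectrum peaks. This is an added example, not code from the GPSBuster paper. It assumes the comb teeth sit at LO ± k·IF (one reading of the rule as summarized here); the function name, tolerances and sample peaks are constructed for illustration.

```python
L1_MHZ = 1575.42               # GPS L1 carrier (from the article)
HIGH_BAND = (1545.0, 1625.0)   # high leakage band in MHz (from the article)
MIN_IF_MHZ = 0.5               # assumption: ignore degenerate near-zero spacings

def match_gps_comb(peaks, tol_mhz=0.05, min_orders=2):
    """Look for an LO/IF comb whose LO + IF lands on L1.

    peaks: (freq_mhz, power_db) pairs from any spectrum peak finder.
    Each in-band peak is tried as the LO, strongest first, so a louder
    unrelated emitter does not mask the tracker. Returns a dict or None.
    """
    band = [p for p in peaks if HIGH_BAND[0] <= p[0] <= HIGH_BAND[1]]
    for lo, _ in sorted(band, key=lambda p: p[1], reverse=True):
        if_mhz = L1_MHZ - lo              # the spacing the rule predicts
        if if_mhz < MIN_IF_MHZ:
            continue
        orders = set()
        for f, _ in band:
            k = round((f - lo) / if_mhz)  # index of the nearest comb tooth
            if k != 0 and abs(f - (lo + k * if_mhz)) <= tol_mhz:
                orders.add(k)
        if len(orders) >= min_orders:     # one lone peak on L1 is not a comb
            return {"lo_mhz": lo, "if_mhz": round(if_mhz, 3),
                    "orders": sorted(orders)}
    return None

# Constructed sample peaks (not measurements from the paper).
TRACKER_NEAR_PHONE = [
    (1550.000, -50.0),                    # louder unrelated emitter
    (1563.144, -78.0), (1567.236, -70.0),
    (1571.328, -55.0),                    # LO of the constructed tracker
    (1575.420, -68.0), (1579.512, -80.0),
]
LAPTOP_ONLY = [(1550.0, -60.0), (1560.0, -58.0),
               (1570.0, -62.0), (1580.0, -61.0)]

if __name__ == "__main__":
    print(match_gps_comb(TRACKER_NEAR_PHONE))
    print(match_gps_comb(LAPTOP_ONLY))
```

The second sample is also an evenly spaced comb, but no choice of LO in it makes LO + spacing equal 1575.42 MHz, so it is rejected without any device database.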

Tested against the top 10 trackers available on a popular online marketplace, GPSBuster hit a 98.4% detection rate, working through plastic, cotton, canvas, and leather, and alongside phones, laptops, and speakers. It also extended to L1+L5 modules like the Quectel LC29H series, and even metal-shielded chips still leaked enough via PCB traces to be picked up.

Covert GPS Tracker Detection with a HackRF and Near Field Probe
GPSBuster Field Prototype

Bending the Flipper Zero’s CC1101 Into an APRS Transmitter

Over on GitHub, Richard YO3GND has released a Flipper Zero APRS TX application that pushes the device's onboard CC1101 radio into transmitting Bell 202 AFSK, despite FM not really being what that chip was designed to do.

The author is upfront that this is very impractical: it is transmit-only, the transmitted signal is imperfect and not recognized by some APRS hardware (software decoders seem to work well), and the joystick text entry is painful.

The implementation builds the full APRS stack on the Flipper itself, handling packet type construction, AX.25 framing, and waveform generation in software, and supports status, position, bulletins, and direct APRS messages. There are also some low-level settings exposed in the UI, including 300 baud operation, preamble length, and lead-in tuning, alongside the standard APRS settings.

While this may be impractical for any real use case, the idea of implementing the protocol properly on a constrained device is an interesting read.

Flipper ham - An experimental APRS transmitter

Fixing a Locked-Up RTL-SDR 700 km Away Using uhubctl USB Power Cycling

Over on Medium, Jugy depin has shared a useful troubleshooting write-up describing how they recovered a frozen RTL-SDR on a remote Raspberry Pi station located 700 km away, with no physical access available. The dongle had stopped responding with usb_claim_interface error -6 and Failed to open rtlsdr device #0 errors, while still showing up in lsusb.

After ruling out the usual suspects, such as DVB drivers, conflicting processes, permissions, and even a full reboot, they concluded that the RTL2832U had locked up at the USB hardware level. To make things worse, they discovered that a Raspberry Pi reboot from the terminal does not actually power-cycle its USB ports.

The fix was to use uhubctl to cut and restore power to only the specific port the SDR was plugged into, after first carefully identifying which port that was (so as not to accidentally kill the Ethernet port and lose remote access entirely). The commands shown in the post performed a true hardware-level reset equivalent to unplugging and replugging the dongle, and rtl_test confirmed the device came back cleanly.

Jugy recommends that anyone running remote SDR stations either build uhubctl into a healthcheck script or add a smart plug for unattended recovery.
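A sketch of the kind of healthcheck suggested above, as an added example rather than the commands from Jugy's post. The hub location and port numbers are placeholders that must come from your own uhubctl listing, and the function names are hypothetical. The same claim error also appears when another process holds the dongle, so rule that out before scheduling this.

```python
import subprocess

# Error strings quoted in the article for the locked-up dongle.
LOCKUP_SIGNATURES = ("usb_claim_interface error -6",
                     "Failed to open rtlsdr device")

def is_locked_up(probe_output):
    """True if the probe output carries one of the lock-up signatures."""
    return any(sig in probe_output for sig in LOCKUP_SIGNATURES)

def cycle_command(hub, port, protected):
    """Build the uhubctl call; refuse ports the operator marked as protected
    (for example the one carrying Ethernet, as the article warns)."""
    if (hub, port) in protected:
        raise ValueError(f"refusing to power-cycle protected port {hub}:{port}")
    return ["uhubctl", "-l", hub, "-p", str(port), "-a", "cycle"]

def probe(run):
    """Open the dongle briefly with rtl_test and return everything it printed."""
    result = run(["rtl_test", "-t"], capture_output=True, text=True, timeout=30)
    return result.stdout + result.stderr

def healthcheck(hub, port, protected, run=subprocess.run):
    """Return 'ok', 'recovered' or 'still-failed'."""
    if not is_locked_up(probe(run)):
        return "ok"
    run(cycle_command(hub, port, protected), check=True, timeout=30)
    return "still-failed" if is_locked_up(probe(run)) else "recovered"

if __name__ == "__main__":
    # Placeholder values: replace with the hub and port of your SDR, and list
    # every port you must never switch off in `protected`.
    print(healthcheck(hub="1-1", port=2, protected={("1-1", 1)}))
```

Run it from cron or a systemd timer and alert on "still-failed", since a second failure after a power cycle points at something other than a USB-level lock-up.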

Build a Cubesat Reviews a Discovery Drive Prototype and Sets up SatNOGS

Over on YouTube, Manuel from the 'Build a Cubesat' channel has uploaded a video testing a prototype version of our Discovery Drive antenna rotator. If you are unaware, Discovery Drive is our new antenna rotator product for applications like satellite tracking and general antenna positioning that is currently being crowd-funded over on Crowd Supply. There are two days left in the campaign.

In the video, Manuel overviews the Discovery Drive, shows the internals, and walks us through the web UI. He goes on to show how it can be set up with the SatNOGS project. The SatNOGS project has volunteers set up ground-based satellite stations, and anyone can use those stations to log an observation anywhere in the world.

We note that he mentioned some trouble with getting SatNOGS to rotate the Discovery Drive over zenith. We have added a note to our Wiki showing how this can be fixed by specifying the correct rotational limits for the Discovery Drive.

Discovery Drive Antenna Rotator Preview

Hacking a Secondhand Marine Satellite Dish to Track Satellites with Gpredict

Thank you to Melan / Alex for submitting news about their project, where they reverse-engineered a second-hand Intellian i4 marine satellite dish, which retails new for around €4000 but which they picked up second-hand for about €200. The dish itself is a 40 cm prime-focus design with a quad LNB, beefy stepper motors, and a motorized sub-reflector implementing Intellian's Dynamic Beam Tilting (DBT) technology, where the small sub-reflector handles fast beam corrections so the main motors only deal with large movements.

The dish normally expects heading data from the boat via NMEA 0183 over RS-422, so Melan solved the "we're not on a boat" problem with an RP2040 and a TTL-to-RS-422 module spoofing $HCHDG compass sentences to the Antenna Control Unit. To avoid being tied to Intellian's Aptus software, they decompiled the C# application to reverse engineer the ACU's text-based serial protocol. They then wrote a shim making the dish appear as a generic rotator to Gpredict, and put it on the roof of Dutch hackerspace NURDspace, pulling in Ku-band satellite TV. 

The full write-up includes photos of the internals, an auto-generated protocol document, and a video of the dish doing a test dance.

The Intellian i4 Marine Satellite Dish Platform

RTL-SDR 433: A New Android App for Decoding 433 MHz Sensors with rtl_433

Thank you to Christian Ebner from ebcTech, who has submitted news about his newly released Android app RTL-SDR 433, which lets you run the rtl_433 decoder directly on your phone using an RTL-SDR dongle connected via a USB OTG cable.

The app bundles rtl_433 as a native Android library and supports all 258 device protocols out of the box, including weather stations, TPMS, wireless doorbells, PIR motion sensors, energy meters, door/window contacts, and remote sockets. Decoding runs entirely on-device with no internet connection required, no root, and no special drivers. It uses the standard Android USB Host API together with a libusb Android port.

The UI is built with Jetpack Compose and Material 3, and shows a live list of unique sensors with expandable cards (temperature, pressure, RSSI, raw JSON) plus a full history log. The app is free to try with a decreasing per-session reading limit, and a one-time purchase for a few dollars removes the limit permanently.

We note that the GPL-licensed native layer (rtl_433, rtl-sdr, libusb Android port and EBC's integration glue) is published openly at github.com/ebc81/rtlsdr433-native-gpl in compliance with GPL-2.0, while the UI layer remains closed-source. 

More information about the app is available on the ebcTech page at https://ebctech.eu/rtl-sdr-433-android.

RTL SDR 433 for Android

Setting up a MastChain AIS Tracking System

AIS (Automatic Identification System) is the VHF protocol on ~162 MHz that ships use to broadcast position, speed, heading and identity, and it's long been a popular decoding target for RTL-SDR owners.

Feeder networks like MarineTraffic and AISHub have relied on volunteer receivers for years, but a newer project called MastChain applies the DePIN (Decentralized Physical Infrastructure Network) model, similar in spirit to Helium, to maritime tracking. Independent operators run their own stations, feed decoded AIS into a shared distributed network, and earn crypto MAST tokens in return, with rewards based on coverage, uptime, and data consistency.

Thank you to "depinguy", who has shared with us a write-up on Medium that walks through a build using a Raspberry Pi 3 or 4, an RTL-SDR Blog V4, and a marine-band antenna (optionally with a Uputronics filtered preamp). Installation is handled by a one-line script called MastControl, which deploys AIS-catcher (branded "MastRadar" here) and configures automatic uploads. You create an account at app.mastchain.io, generate a station token, paste it into the installer, then verify with sudo mastcontrol status. We also note that maritime industry publication Splash247 has recently covered Dan's post.

We note that MastChain is the new name for WAKE, which we covered back in 2025.

As with anything crypto-related, we recommend experimenting only for the fun of it and not expecting to even recoup your hardware costs, as this has been the case with many hardware-based crypto projects before.

Mastchain UI

Tactical_FSK_Modem: An Open Software MFSK Image & Text Modem for PC and Android

Thanks to Ibrahim (YD1RUH), who wrote in to share his open-software project Tactical_FSK_Modem, which turns a standard PC or Android device into an audio-based MFSK transceiver for sending images and text over a radio link. Conceptually similar to SSTV or HF FAX, it adds Hamming (7,4) Forward Error Correction that wraps every 4 data bits into a 7-bit block and repairs single-bit errors in real time, significantly lowering BER in low-SNR conditions. The system forces a hardened 720p vertical resolution for noise resistance, and a 1400 Hz → 1000 Hz → 1400 Hz VIS-like "start melody" handles automatic RX canvas reset and sync with no manual alignment.
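To show what the Hamming (7,4) step described above does to the data, here is an added example using the standard textbook bit layout. It is not taken from Tactical_FSK_Modem, whose source is not published, so the bit order and the function names are assumptions.

```python
def encode_nibble(n):
    """4 data bits -> 7-bit block, positions 1..7 = p1 p2 d1 p3 d2 d3 d4."""
    d1, d2, d3, d4 = (n >> 3) & 1, (n >> 2) & 1, (n >> 1) & 1, n & 1
    p1 = d1 ^ d2 ^ d4          # parity over positions 1, 3, 5, 7
    p2 = d1 ^ d3 ^ d4          # parity over positions 2, 3, 6, 7
    p3 = d2 ^ d3 ^ d4          # parity over positions 4, 5, 6, 7
    return [p1, p2, d1, p3, d2, d3, d4]

def decode_block(block):
    """Return (nibble, fixed_position); position 0 means no error was seen."""
    b = list(block)
    s1 = b[0] ^ b[2] ^ b[4] ^ b[6]
    s2 = b[1] ^ b[2] ^ b[5] ^ b[6]
    s3 = b[3] ^ b[4] ^ b[5] ^ b[6]
    pos = s1 | (s2 << 1) | (s3 << 2)   # syndrome = 1-based position of the flip
    if pos:
        b[pos - 1] ^= 1                # repair the single flipped bit
    return (b[2] << 3) | (b[4] << 2) | (b[5] << 1) | b[6], pos

def encode_bytes(data):
    """Two 7-bit blocks per byte, high nibble first."""
    return [encode_nibble(x) for byte in data for x in (byte >> 4, byte & 0xF)]

def decode_blocks(blocks):
    """Inverse of encode_bytes, correcting up to one bit error per block."""
    nibbles = [decode_block(b)[0] for b in blocks]
    return bytes((hi << 4) | lo for hi, lo in zip(nibbles[0::2], nibbles[1::2]))

if __name__ == "__main__":
    blocks = encode_bytes(b"SOS")          # constructed sample payload
    for i, blk in enumerate(blocks):
        blk[i % 7] ^= 1                    # one channel error in every block
    print(decode_blocks(blocks))           # payload survives

    twice = encode_nibble(0b1011)
    twice[0] ^= 1
    twice[6] ^= 1                          # two errors in one block
    print(decode_block(twice))             # silently decodes to the wrong nibble
```

The last case is the limit of the scheme: two flips in one block are "corrected" into a different valid codeword, so a burst of noise still corrupts data unless a further check sits on top.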

Pre-built Windows and Android binaries are available in the repo, and the Android port is probably the most interesting part. Operators can connect a smartphone to an HT, a ham radio, or an SDR to send tactical images directly from the field.

We note that while the code is Apache 2.0 licensed, we do not see any source code in the repo, only the .exe and .apk files available to download. Ibrahim notes that he is actively looking for feedback and collaboration to further improve the system's robustness for tactical and emergency communication use cases.

Licensing Update: Ibrahim has clarified that he mistakenly referred to the project as open-source, but his intention was to actually refer to it as 'open-software'. The software is free, but the source code is not provided.

Tactical FSK Modem UI