Over on GitHub, Martin (mgrone) recently released stream1090, a new open source C++ Mode-S demodulator that takes a fundamentally different approach to finding aircraft messages. Rather than searching for the traditional preamble pulse sequence as dump1090 and readsb do, stream1090 continuously maintains shift registers and identifies valid messages based on their CRC checksum. In busy airspace where preambles can be corrupted by overlapping signals, this approach theoretically cannot miss a message as long as the data itself is intact. Since the CRC is always being computed, it can also be used for single-bit error correction.
The software supports both RTL-SDR and Airspy dongles. It's lightweight enough to run on a Raspberry Pi Zero 2W. Stream1090 is a demodulator only, designed to pipe output into readsb or dump1090-fa via socat, slotting into your existing ADS-B stack as a drop-in replacement for the demodulation stage.
If you have an ADS-B station in a high-traffic area, let us know if Stream1090 increases your message rate! There is also a discussion about it on FlightAware, where many people have indicated that they are getting great results.
Thank you to Paul Maine, who has submitted to us new SatDump tutorials that he has uploaded to his YouTube channel. The new tutorials focus on the new SatDump V2.x.x alpha version.
The first tutorial shows how to install SatDump 2.x.x, and how to obtain an EUMETSAT API key and use the 'Load First Party' feature to view and analyze satellite data downloaded from the internet. The second tutorial focuses on the nbew DSP Flowgraph feature, and the third discusses how Look Up Tables (LUTs) are used with satellite imagery.
Over on the saveitforparts YouTube channel, Gabe has recently posted two videos where he attempts to receive the Artemis 2 signal. His setup consists of a surplus satellite dish inside a geodesic radar dome at his "Sandland" radio observatory, a 3D-printed feed, a HackRF One SDR, and various LNAs, including a dedicated S-band unit from LMA Scientific. He used GPredict for tracking and SDR++ for spectrum analysis, targeting the expected downlink frequency around 2216.5 MHz.
The main challenges were the capsule's low elevation angle from his location in Minnesota, rapidly changing orbital elements that made TLE-based tracking unreliable during the trans-lunar injection burn, and the fact that all telemetry is encrypted. During his first overnight session, he was only able to detect what appeared to be an extremely faint carrier at approximately 2216.49 MHz, which is consistent with the expected Doppler-shifted frequency, which disappeared when the dish was moved off-target. In a second session timed to catch a handover between NASA's Goldstone and Canberra Deep Space Network stations, he received a noticeably stronger carrier signal and even observed sideband activity, though still not strong enough to resolve any modulation detail.
He notes that NASA's original citizen science RFP called for ~9 meter dishes, far larger than his ~2.5 meter setup, and that the capsule also uses a laser communications system for high-bandwidth data. The Canadian Space Dashboard and DSN Now websites proved useful for predicting optimal observation windows during ground station handovers.
Can I Overhear The Artemis II Moon Mission With SDR?
Listening To Artemis II's Return To Earth With DIY Satellite Station
Thank you to Simone Spadino for writing in and sharing how he received the S-band carrier signal from the Artemis 2 Orion capsule from his home in Italy, using a simple one-meter Wi-Fi grid dish, an Airspy R2, an LNA, a filter, and a downconverter. Simone notes that his results show it is possible to receive the Artemis carrier signal with a small dish.
Artemis 2 may have already returned to Earth safely, but there are future missions planned for 2027 and beyond, so Simone's write-up serves as a great place to get yourself ready to receive those future missions.
Simone's write-up notes that perfect tracking with a rotator wasn't required because the Wi-Fi dish had a beamwidth of about 11°, so he was able to manually orient the dish every 10 minutes using an Android smartphone. On the first night, he achieved a carrier SNR of 5.5dB, and on the second night, 6.5 dB.
Artemis S-Band Carrier Received with Wi-Fi Grid Dish
Joel (jLynx), known for his work on the HackRF Mayhem firmware, has released an open-source project called BrowSDR that turns a HackRF or RTL-SDR into a fully browser-based SDR receiver. The application connects to your SDR directly via WebUSB and uses a high-performance Rust/WebAssembly DSP pipeline running in Web Workers for smooth, real-time spectrum and waterfall display. It supports WFM, NFM, AM, SSB, CW, and raw IQ demodulation, along with RDS decoding and POCSAG pager decoding. A standout feature is the ability to open unlimited simultaneous VFOs, each with independent demodulation and DSP settings, with the developer having tested up to 62 running at once.
The real killer feature is remote access. Using WebRTC, you can share your locally connected SDR and access it from anywhere in the world through a browser with no server setup required. BrowSDR also includes built-in Whisper AI transcription that can live-transcribe audio from each VFO independently. The project currently supports HackRF, HackRF Pro, and the RTL-SDR Blog V4, with AirSpy and LimeSDR support coming soon. It also works on Android devices with a USB-C cable. BrowSDR is open source under the AGPL-3.0 license and a live demo is available at browsdr.jlynx.net.
Our Discovery Drive campaign is currently being crowd-funded on Crowd Supply. Please consider ordering a unit if you are interested in a high-quality, low-power, and portable antenna rotator. Below is an update from the campaign exploring a potential use-case for measuring antenna gain patterns:
In this update, we’ll examine an alternative use case: measuring antenna gain radiation patterns.
One interesting use of a capable Az/El rotator is to measure the radiation pattern of various antennas. This is normally done in an anechoic chamber, but if you have a large enough open space, it can be done cheaply with a rotator and signal source.
To test this as a proof of concept, we used Claude code to very quickly create a tool that could help us create an antenna pattern plot. The software tool simply rotates the antenna on the Discovery Drive one step at a time, measures the SNR using an RTL-SDR, and plots the reading on a graph. To be clear, this simple setup is not providing any sort of calibrated readings, but it will at least give you an idea of what the radiation pattern and performance of an antenna looks like.
In our test, we mounted a TV Yagi on the Discovery Drive and used our software to plot the radiation pattern at 433 MHz. As expected from a Yagi, we see higher gain at the front and lower gain at the rear.
Antenna Gain Results
Due to a lack of a suitable open area, this test was performed in a small backyard and, hence, the radiation pattern is a little lopsided due to multipath. In this test, we also used a simple omnidirectional antenna for the signal source, which exacerbated the multipath. A way to improve this test would be to use a directional antenna on the transmit side, too.
We will release this open-source tool for others to play with, but please be aware that it was only created for proof of concept. However, if there is interest, we can continue to refine it.
Below is a photo of the physical setup. A HackRF with Portapack and whip antenna are mounted on a tripod a few meters away, while the Discovery Drive carries a Yagi antenna. As the Discovery Drive rotates the Yagi through 0 to 360° in azimuth and -30 to 90° in elevation, it measures the received power at each step.
I actually started down this path as an "interest". There was a Ham radio Technical Interest Group I was planning on attending a meeting. I had already wanted to convert my Raspberry Pi into a fallback radio receiver for potential internet outages and listening to storm chasers on SKYWARN. Now I have the "v4" dongle, and a full end-to-end SDR solution. !Spoilers, I'm releasing a native smart phone client soon.
The RTL2832U chipset has powered affordable software-defined radio for over a decade. The reference driver, librtlsdr, was written in C around 2013 and follows the same architectural pattern it always has: a blocking callback loop, manual buffer management, and a programming model that predates modern async runtimes by years.
rtlsdr-next is a ground-up Rust rewrite. It exposes SDR data as a native Tokio Stream, ships a zero-allocation DSP pipeline, and has first-class support for the RTL-SDR Blog V4 — a newer hardware variant the upstream driver handles correctly but never cleanly abstracted. The result is faster, safer, and substantially easier to build applications on top of.
1.49 GiB/s IQ conversion on Pi 5 · ~45ms frequency switching (was ~270ms with 20 I2C toggles) · 0 allocations in the streaming hot path
Why rewrite it at all?
The C driver works. Millions of people run it daily via OpenWebRX, GQRX, SDR++, and friends. But its architecture creates friction at every layer: the callback-based stream makes backpressure impossible to reason about, the I2C bus is hammered with redundant open/close cycles, and the conversion routine uses a 256-entry lookup table whose cache pressure eats into throughput on modern out-of-order cores.
More practically: trying to integrate librtlsdr into a modern async Rust application means spawning a dedicated thread, wrapping callbacks in channels, and handling all the lifetime gymnastics manually. For every project that does this, someone reinvents the same boilerplate. There are plenty of Rust "wrappers" out there That exemplifies this.
The stream architecture
The primary interface is a standard async stream. A SampleStream wraps a background USB reader thread that feeds raw IQ bytes into a tokio::mpsc channel. The F32Stream layer sits on top and handles conversion, decimation, DC removal, and AGC — all in a single pipeline with no intermediate heap allocations.
let mut stream = driver.stream_f32(8) // ÷8 → 256 kSPS
.with_dc_removal(0.01)
.with_agc(1.0, 0.01, 0.01);
while let Some(Ok(iq)) = stream.next().await {
// interleaved f32 I/Q, ready to demodulate
}
The blocking USB read thread never touches the async runtime. Sample delivery to async consumers happens entirely through the channel, and the PooledBuffer type ensures the backing buffers are returned to the pool via Drop — no explicit lifecycle management needed at the call site.
SampleStream — Blocking USB thread → tokio::mpsc channel. Pre-allocated buffer pool. Flush-on-tune via broadcast::Sender.
F32Stream — Convert → decimate (FIR) → DC remove → AGC. Processes split I/Q in-place. No per-block allocation.
PooledBuffer — Returns buffer to pool on Drop. try_send with blocking fallback thread — the pool never silently starves.
BoardOrchestrator — V4Orchestrator / GenericOrchestrator produce a TuningPlan. Board logic never leaks into chip drivers.
The I2C repeater optimization
Every register write to the R828D tuner chip goes through an I2C bridge in the RTL2832U. The bridge must be explicitly opened and closed around each transaction. In a naive implementation — which is what the reference driver does — every call to set_frequency independently opens and closes the repeater for each register write.
A full frequency switch involves setting the PLL, MUX, filter coefficients, and various control registers. That adds up to roughly 20 open/close cycles, and each one costs ~13ms of USB round-trip time.
The fix: a single with_repeater(|| { ... }) closure that holds the bridge open for the entire mux + PLL sequence. One open, one close, all the work done in between.
// Before: ~20 repeater toggles ≈ 270ms
self.set_mux(hz)?; // 10 writes, each with open/close
self.set_pll(hz)?; // 10 writes, each with open/close
// After: 1 repeater toggle ≈ 45ms
self.with_repeater(|| {
self.set_mux_raw(hz)?;
self.set_pll_raw(hz)?;
Ok(())
})?;
The distinction between write_reg_mask (opens and closes the repeater itself) and write_reg_mask_raw (no repeater toggle, must be inside a bracket) is enforced by convention throughout the codebase. Any raw variant called outside a bracket is a bug that surfaces immediately as a timeout rather than silently returning stale data.
Converter throughput
librtlsdr converts raw IQ bytes to float via a static 256-entry lookup table. It is a reasonable approach from an era when float math was expensive and cache was plentiful. On the Cortex-A76 inside the Pi 5, the situation is inverted: the NEON FPU is underutilized and random-access table reads create cache pressure that limits throughput.
The arithmetic equivalent — (x as f32 - 127.5) / 127.5 — is computed in two instructions per sample and is trivially auto-vectorized by LLVM. The compiler emits NEON FMLA instructions without any manual intrinsics.
Operation
librtlsdr (C)
rtlsdr-next (Rust)
Standard conversion (256KB)
172.32 µs · 1.42 GiB/s
164.35 µs · 1.49 GiB/s
V4 inverted conversion
256.07 µs · 976 MiB/s
170.81 µs · 1.43 GiB/s
FIR decimation ÷8
N/A
615 µs · 426 MSa/s
The V4 inversion case is a particularly notable optimization. librtlsdr implements it as a two-pass operation: first a full LUT conversion, then a second pass to negate every Q sample. The Rust implementation folds both into a single pass, processing I and Q pairs together and avoiding a complete re-read of the output buffer.
RTL-SDR Blog V4 specifics
The V4 is a substantial hardware revision. It ships with an R828D tuner (not R820T), adds an HF upconverter and a GPIO-switched triplexer, and has several initialization quirks that librtlsdr discovered through usbmon traces and EEPROM string detection.
The board logic is isolated entirely in V4Orchestrator. Given a target frequency, it returns a TuningPlan — the actual tuner frequency, whether spectral inversion is needed, which triplexer path to select, and whether the frequency falls inside a notch band. The R828D chip driver never touches a GPIO.
Notable quirks baked into the driver: the R828D responds at I2C address 0x74 rather than the R820T's 0x34; frequencies below 28.8 MHz are upconverted by adding the crystal frequency, and the resulting spectrum is inverted (Q = –Q). Every demodulator register write must be followed by a dummy read of page 0x0a register 0x01 — the hardware requires this as a flush sync, and omitting it causes subsequent control transfers to stall with a pipe error.
Built-in DSP pipeline
The dsp module ships a complete demodulation stack. The decimator uses a windowed-sinc FIR with NEON acceleration on aarch64, with a scalar fallback that LLVM auto-vectorizes on x86_64. The FM demodulator is a quadrature discriminator with configurable de-emphasis. AM uses a two-stage DC-subtraction envelope detector. SSB uses the phasing method with a 65-tap Hilbert transformer windowed with Blackman-Harris for high sideband rejection.
All demodulators maintain state across block boundaries — the history overlap buffer in the decimator ensures the FIR convolution is correct at every chunk edge, which is essential for continuous streaming.
Standalone servers
Two installable binaries ship alongside the library. rtl_tcp implements the standard RTL-TCP protocol and is compatible with OpenWebRX+, GQRX, and SDR++. websdr is a self-contained WebSocket SDR server with a full spectrum and waterfall UI embedded as a compiled-in HTML file — no separate web server needed. Both support TLS. The WebSDR binary accepts --cert and --key flags for wss:// connections, which are required by iOS App Transport Security when using a public domain.
OpenWebRX+ — confirmed working
GQRX — confirmed working
SDR++ — confirmed working
Corona SDR (iOS) — confirmed working
Getting started
cargo install rtlsdr-next
# Smoke test — run this first
RUST_LOG=info cargo run --release --example hw_probe
# Start an rtl_tcp server
rtl_tcp --address 0.0.0.0 --port 1234
# Start the WebSDR UI
websdr --address 0.0.0.0 --port 8080
On Linux, set up a udev rule for persistent USB access without sudo. On Windows, Zadig is required to swap the DVB-T driver to WinUSB — build works without it, but the USB runtime requires it at runtime.
Source on GitHub at github.com/mattdelashaw/rtlsdr-next. Licensed Apache 2.0. Benchmarks measured on Raspberry Pi 5 (aarch64) and AMD Ryzen 7600X (x86_64) with cargo build --release, no target-cpu=native.
Keep and eye out for the smart phone app release here: Spectral Bands
OsmocomBB is an open-source project that replaces the stock baseband firmware on old Motorola phones (C118, C139, etc.) that use the Texas Instruments Calypso chipset. By flashing custom "layer23" firmware over serial, these cheap legacy handsets become capable of accessing raw GSM radio data at the baseband level, enabling cell scanning, burst capture, and passive subscriber identity harvesting.
SPECTRAL-GSM builds on this by wrapping OsmocomBB into a full GSM intelligence suite controlled from a single browser tab. The system supports up to five phones simultaneously and provides a structured pipeline: scan local GSM cells, capture raw bursts on a target channel, crack the A5/1 encryption using rainbow tables on a 2 TB SSD, and then use the recovered session key for real-time voice and SMS decryption. Additional modules handle passive IMSI catching, targeted single-IMSI surveillance, silent SMS location probing via a USB modem, and OpenCellID cell tower mapping.
The developer notes that the platform is intended for authorized research, law enforcement, and educational use. At the moment, Mini0com has not provided a link or website to the software, only providing a PDF file, and video demonstrations of the system on their YouTube channel. Contact details for Mini0com can be found in the description on the YouTube videos below.
Spectral-GSM OsmocomBB
OTP Capture Demonstration Using Spectral-GSM OsmocomBB
