Category: Digital Signals

Decoding PAL Video from a Nintendo with an Airspy SDR

Oona (also known as [Windytan] and @windyoona) was recently looking for a way to capture PAL composite video from her old 1980’s Nintendo Entertainment System (NES) without spending a bunch of money on what are often poor video capture cards. As she already owned an Airspy SDR she decided to receive the PAL signal with the Airspy and modify some software to act as a PAL decoder.

PAL decoding was handled via some modifications to her private Tempest software. Normally Tempest type programs like TempestSDR that we covered in a [previous article] are used to spy on computer/TV monitors from signals that are unintentionally emitted in the surrounding area.

Oona has made the connection from the composite output directly to the SDR antenna input so it’s not unexpected that you’d have a strong signal. However, I have to admit that’s an incredibly clear image for a video being demodulated via a software radio.

What makes this an even more amazing feat is that the latency is low enough that it’s nearly playable using a computer and SDR in place of a television set.

We note that we’ve also seen SDRs used to decode standard PAL TV broadcasts before with an SDR# plugin called TVSharp.

WebWSPR: A Browser Based WSPR Decoder and Visualization Tool

A few days ago we posted about [dj0abr / Radio Electronics'] WebSDR software for QO-100. Having looked through his GitHub we've seen that he also has an a similar browser based server tool called WebWSPR for WSPR decoding and visualization (click with WebWSPR link) which was released earlier this year.

WSPR is an amateur radio digital HF mode designed to be decodable even if the signal is transmitted with very low power and is very weak. It can be used to help determine HF radio propagation conditions as WSPR reception reports are typically automatically uploaded to wsprnet. In the past we have been able to receive WSPR and similar modes like FT8 with our RTL-SDR V3 running in direct sampling mode.

Like his QO-100 WebSDR software, WebWSPR is designed to run on a single board computer like a Raspberry Pi or any Linux machine. It serves a web page that shows the WSPR waterfall, decoded data and has various WSPR related control options. The web page can be accessed remotely from any machine on the same network as the server, or could be put on the internet with port forwarding and a hostname service like noip.

A ready to use Raspberry Pi image for WebWSPR is available here (does not seem to support the latest Pi4 or 3B+ however). Manual installation instructions can be found here. The code is all open source and available on GitHub.

The software appears to take input from the soundcard for standard hardware receivers, but it should be possible to pipe audio from an RTL-SDR into pulseaudio, which the software can then use. The instructions from our RTL-SDR V3 WSJT-X tutorial may help.

WebWSPR Browser Screenshot
WebWSPR Browser Screenshot

SDRTrunk 0.4.0 Alpha 9 Updates Highlighted

You may recall that a few years ago we released a tutorial on how to set up and use [SDRTrunk]. Fast forward a few years and the software has seen numerous changes. This application was designed primarily for tracking trunking radio systems but also has the ability to decode things like MDC-1200, LoJack and more.

The software is compatible with many Software Defined Radios such as our RTL-SDR v3, HackRF and the Airspy. Some of the newer improvements include a bundled copy of java so that an installation of java is not required on the host computer, as well as decoding improvements for P25 among other digital voice modes. You can find a full list of improvements along with the latest release on [GitHub]

The biggest feature many have been waiting for is the ability to import talk groups for their radio system into the application from radio reference. While this has not yet been implemented, user [Twilliamson3] has created a [web application] that will convert table data from radio reference into a format that is supported by SDRTrunk.

SDRTrunk Screenshot
SDRTrunk Screenshot

Investigating the Galileo Satellite Navigation System Outage with a LimeSDR

Galileo is a European Union owned satellite navigation system. Galileo was created so that the EU does not need to rely on the US GPS or the Russian GLONASS satellites, as there is no guarantee that these systems won't be purposely turned off or degraded by their governments at any time.

Unfortunately since July 11 the Galileo system has been out of service. Not much information about the outage has been provided, but it appears to be related to problems with the Italian ground based Precise Timing Facility which consists of two ultra high precision atomic clocks that keep the Galileo systems' reference time. (We note that recently within the last few hours of this post, most satellites seem to have come back into operational status, but the EGSA website still reports an outage.)

Over on his blog, Daniel Estevez has been using his LimeSDR and a small patch antenna to gather some more information about the outage directly from the Galileo satellites. His investigations found that the modulation and signal itself are still working correctly. However, by using the GNSS-SDR software to investigate the signal data he was able to obtain the ephemeris, and see that the ephemeris is stuck in the past. The ephemeris data is used to calculate compensations for orbital drift and without frequent ephermis updates, orbital errors add up within hours resulting in poor positioning accuracy. In order to generate the ephermis, the Precise Timing Facility must be operational.

Daniel's post goes into further technical details about the information he's collected, and it's definitely an interesting read. One interesting bit of information that you can read from his post explains why the service has gone from initially just heavily degraded accuracy from July 11, to completely nonsense results from July 15 onwards.

Rdio Scanner: A Web Based UI for Trunk Recorder

Trunk Recorder is an RTL-SDR compatible open source Linux app that records calls from Trunked P25 and SmartNet digital voice radio systems which are commonly used by Police and other emergency services in the USA. It can be used to set up a system that allows you to listen to previous calls at your leisure, however it does not have any UI for easy browsing.

Recently Chrystian Huot wrote in and wanted to share his new program called "Rdio Scanner", which is a nice looking UI for Trunk Recorder. Rdio Scanner uses the files generated by Trunk Recorder to create a web based interface that looks like a real hardware scanner radio. Some of the features include:

  • Built to act as a real police radio scanner
  • Listen to live calls queued to listen
  • Hold a single system or a single talkgroup
  • Select talkgroups to listen to when live feed is enabled
  • Search past calls stored in the database
  • Just upload Trunk Recorder files with Curl
Rdio Scanner Interface Screenshots
Rdio Scanner Interface Screenshots

Using a Software Defined Radio to Send Fake Presidential Alerts over LTE

Modern cell phones in the USA are all required to support the Wireless Emergency Alert (WEA) program, which allows citizens to receive urgent messages like AMBER (child abduction) alerts, severe weather warnings and Presidential Alerts.

In January 2018 an incoming missile alert was accidentally issued to residents in Hawaii, resulting in panic and disruption. More recently an unblockable Presidential Alert test message was sent to all US phones. These events have prompted researchers at the University of Colorado Boulder to investigate concerns over how this alert system could be hacked, potentially allowing bad actors to cause mass panic on demand (SciHub Paper).

Their research showed that four low cost USRP or bladeRF TX capable software defined radios (SDR) with 1 watt output power each, combined with open source LTE base station software could be used to send a fake Presidential Alert to a stadium of 50,000 people (note that this was only simulated - real world tests were performed responsibly in a controlled environment). The attack works by creating a fake and malicious LTE cell tower on the SDR that nearby cell phones connect to. Once connected an alert can easily be crafted and sent to all connected phones. There is no way to verify that an alert is legitimate.

Spoofed Presidential Alerts Received on a Galaxy S8 and iPhone X.
Spoofed Presidential Alerts Received on a Galaxy S8 and iPhone X.

Tracking and Recovering A NWS Weather Balloon & Radiosonde with an RTL-SDR

Over on YouTube OLHZN High Altitude Balloons has posted a very entertaining video showing how to use an RTL-SDR and small grid dish antenna to track and recover a fallen weather balloon and its radiosonde. OLHZN writes:

The US National Weather Service (#NWS) launches over 200 weather balloons everyday carrying an LMS-6 #radiosonde / rawinsonde made by Lockheed Martin to an altitude of over 100,000 ft. and you can track & follow the flights from home and even find the landing site and pick them up! This is a fun #DIY project that you can do yourself from home and I'll show you how to do it here along with some tips so you can go find yourself a weather balloon & radiosonde!

How to track & recover a NWS weather balloon & radiosonde 🎈🎈 Ham Radio DIY

The RadioInstigator: A $150 Signals Intelligence Platform Consisting of a Raspberry Pi, RPiTX, 2.4 GHz Crazyradio and an RTL-SDR

Circle City Con is a yearly conference that focuses on information security talks. At this years conference Josh Conway presented an interesting talk titled "SigInt for the Masses Building and Using a Signals Intelligence Platform for Less than $150". Josh's talk introduces his "RadioInstigator" hardware which is a combination of a Raspberry Pi, CrazyRadio and an RTL-SDR all packaged into a 3D printed enclosure with LCD screen. The idea behind the RadioInstigator is to create a portable and low cost Signals Intelligence (SIGINT) device that can be used to investigate and manipulate the security of radio signals.

The RadioInstigator makes use of the RPiTX software which allows a Raspberry Pi to transmit an arbitrary radio signal from 5 kHz up to 1500 MHz without the use of any additional transmitting hardware - just connect an antenna directly to a GPIO pin. Connected to the Pi is a CrazyRadio, which is a nRF24LU1+ based radio that can be used to receive and transmit 2.4 GHz. And of course there is an RTL-SDR for receiving every other signal. Josh has made the plans for the RadioInstigator fully open source over on GitLab.

In his talk Josh introduces the RadioInstigator, then goes on to discuss other SDR hardware, antenna concepts and software installed on the RadioInstrigator like RPiTX, GNU Radio, Universal Radio Hacker, Salamandra, TempestSDR and more.

[First seen on Hackaday]

Track 3 07 SigInt for the Masses Building and Using a Signals Intelligence Platform for Less than 15