Category: RTL-SDR

Building a NEST Thermostat with Arduino and an RTL-SDR

The Nest thermostat is a smart thermostat that learns your schedule and automatically adjusts the heat in your house for optimal energy savings. Tristan didn’t want to buy a Nest, but wanted to replicate the Nest thermostat’s functionality by using an Arduino to automatically regulate his apartment’s central heating boiler. To do this he needed to find a way to turn the heating on and off programmatically.

Fortunately Tristan’s current thermostat is wireless, so he decided to use his RTL-SDR to sniff the data it sends to try and find the on and off signals. Using SDR# he was able to locate the radio traffic in the 433 MHz ISM band. After simply recording the signal audio, he loaded the audio file into Audacity to analyze the messages. He discovered that the ON and OFF signals were on-off keying (OOK) modulated, and from the recording he was able to recover the binary control string and the pulse timings.

With this information at hand, Tristan was then able to use a cheap 433 MHz radio transmitter together with his Arduino to replicate the ON/OFF boiler control signals. In the future Tristan plans to add a temperature sensor and web interface to monitor everything.

In the past we’ve also posted about a similar project by Tom Taylor where he reverse engineers his thermostat with an RTL-SDR and controls it with an Arduino.


PiTX QRP TX Shield for WSPR on 20M Now For Sale

Back in October 2015 we posted about a piece of software for the Raspberry Pi called PiTX. PiTX allows you to turn your Raspberry Pi into a fully functional RF transmitter. When combined with an RTL-SDR a full transceiver radio can be built using the QTCSDR software.

PiTX works by modulating the GPIO pins on the Pi in such a way that it is able to produce FM modulation. The major problem with using this method of producing radio is that it creates large amounts of harmonics and interference outside of the intended transmit frequency. Interference like this is illegal and could potentially disrupt life critical radio systems such as emergency services, cellphones and air traffic control.

In order to transmit cleanly with PiTX an output RF filter should be used. Recently, the team over at TAPR.org have released a 20M WSPR TX filter shield. WSPR is pronounced “Whisper” and is short for “Weak Signal Propagation Reporter Network”. It is a type of amateur radio signal that can be broadcast and received around the world using very low transmit power. Radio amateurs use it to see how far their signal can travel when using very low power (QRP) and to investigate signal propagation conditions.

The 20M WSPR shield sells for $20 at www.tapr.org/kits_20M-wspr-pi.html.

The WSPR shield sitting on top of a Raspberry Pi.

Combining the bandwidth of multiple RTL-SDRs: Now working in GQRX!

A few days ago we posted how Oliver, an RTL-SDR experimenter, managed to (incoherently) combine the bandwidths of two RTL-SDR dongles to create a 4.4 MHz FFT display in GNU Radio. Now Oliver has taken this idea further and produced an updated version of his GNU Radio program.

Oliver’s GNU Radio program is now capable of combining four RTL-SDR dongles and is now also capable of piping the output via a FIFO to GQRX. With four RTL-SDR dongles you can get a total bandwidth of 8.4 MHz. He also writes that it is even possible to listen to analog signals that are in overlapping areas.

Four RTL-SDRs producing a total of 8.4 MHz of bandwidth in GQRX.

More talks from Defcon 23

Some more SDR and RF related talks from Defcon 23. See our previous posts [1][2] for the talks we covered earlier.

Colby Moore – Spread Spectrum Satcom Hacking

Recently there have been several highly publicized talks about satellite hacking. However, most only touch on the theoretical rather than demonstrate actual vulnerabilities and real world attack scenarios. This talk will demystify some of the technologies behind satellite communications and do what no one has done before – take the audience step-by-step from reverse engineering to exploitation of the GlobalStar simplex satcom protocol and demonstrate a full blown signals intelligence collection and spoofing capability. I will also demonstrate how an attacker might simulate critical conditions in satellite connected SCADA systems.

In recent years, Globalstar has gained popularity with the introduction of its consumer focused SPOT asset-tracking solutions. During the session, I’ll deconstruct the transmitters used in these (and commercial) solutions and reveal design and implementation flaws that result in the ability to intercept, spoof, falsify, and intelligently jam communications. Due to design tradeoffs these vulnerabilities are realistically unpatchable and put millions of devices, critical infrastructure, emergency services, and high value assets at risk.

DEF CON 23 - Colby Moore - Spread Spectrum Satcom Hacking

DaKahuna and satanklawz – Introduction to SDR and the Wireless Village

In many circumstances, we all have to wear different hats when pursuing hobbies, jobs and research. This session will discuss the exploration and use of software defined radio from two perspectives; that of a security researcher and Ham Radio operator. We will cover common uses and abuses of hardware to make them work like the transceivers that the Ham crowd is used to, as well as extending the same hardware for other research applications. Additionally we will highlight some of the applications of this knowledge for use at The Wireless Village! Come and join this interactive session; audience participation is encouraged.

DEF CON 23 - DaKahuna and satanklawz - Introduction to SDR and the Wireless Village

Lin Huang and Qing Yang – Low cost GPS simulator: GPS spoofing by SDR

It is known that the GPS L1 signal is unencrypted, so that someone can produce or replay a fake GPS signal to make GPS receivers get wrong positioning results. There are many companies that provide commercial GPS emulators, which can be used for GPS spoofing, but the commercial emulators are quite expensive, or at least not free. Now we have found that by integrating some open source projects related to GPS we can produce GPS signals through SDR tools, e.g. USRP / bladeRF. This makes the attack cost very low. It may influence all civilian-use GPS chipsets. In this presentation, the basic GPS system principle, signal structure, and mathematical models of pseudo-range and the Doppler effect will be introduced. The useful open source projects on the Internet will be shared with attendees.

DEF CON 23 - Lin Huang and Qing Yang - Low cost GPS simulator: GPS spoofing by SDR

Combining the bandwidth of two RTL-SDR dongles in GNU Radio

The maximum usable and stable bandwidth of an RTL-SDR is about 2.4 MHz. In order to get larger bandwidths it is possible to combine two or more dongles, although doing so comes with a big limitation – since the clocks and signal phases of separate dongles are not synchronised, it is impossible to decode a single wideband signal this way. However, combining dongles for larger bandwidths is still useful for visualizing the spectrum in an FFT plot, or perhaps for decoding several separate narrowband signals at once. Although creating a wideband FFT plot with multiple dongles is fairly simple, we haven’t seen much software do this before.

Now RTL-SDR.com reader Oliver has written in to show us the GNU Radio script he’s been using to combine the bandwidths of two RTL-SDR dongles to get a 4.4 MHz FFT display. The script can be used to get a combined 4.4 MHz spectrum visualization without a centre dip from filter roll-off, or a 4.8 MHz spectrum with the roll-off visible. Oliver writes:

I simply took two RTL-SDR dongles at their maximum bandwidth of 2.4 MHz, resampled the signals to 4.8 MHz, then shifted the first signal down by 1 MHz and the other one 1 MHz up, added them together, divided the combined signal by 2 and finally fed it into an FFT plot.

At first, I tried shifting the signals by 1.2 MHz to get the full 4.8 MHz, but I realized that I had a notch in the center, so I reduced the frequency shift until I had no notch anymore.
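The combining steps described above, as an added NumPy example that is not Oliver’s GRC flowgraph: two constructed 2.4 MHz complex baseband streams are resampled to 4.8 MHz, mixed down and up by 1 MHz, summed and halved, and the resulting FFT is checked to confirm where each dongle’s signals land. The tone offsets and the 101-tap filter length are assumptions chosen for the demonstration.

```python
import numpy as np

FS_IN = 2.4e6    # native sample rate of each dongle
FS_OUT = 4.8e6   # rate after 2x resampling
SHIFT = 1.0e6    # +/-1 MHz: dongles tuned 2 MHz apart leave a 0.4 MHz overlap
                 # that hides the roll-off a 1.2 MHz shift would expose as a notch

def upsample2(x, taps=101):
    """Resample 2.4 -> 4.8 MHz: zero-stuff by 2, then windowed-sinc low-pass
    with cutoff at FS_IN/2 (= FS_OUT/4, i.e. 0.25 cycles/sample)."""
    y = np.zeros(2 * len(x), dtype=complex)
    y[::2] = x
    n = np.arange(taps) - (taps - 1) / 2
    h = 0.5 * np.sinc(0.5 * n) * np.hamming(taps)
    h *= 2 / h.sum()          # unity passband gain; x2 undoes the zero-stuffing loss
    return np.convolve(y, h, mode="same")

def shift(x, f_hz, fs):
    """Mix the stream by f_hz with a complex NCO (GNU Radio's multiply-by-signal-source)."""
    t = np.arange(len(x)) / fs
    return x * np.exp(2j * np.pi * f_hz * t)

def combine(lower, upper):
    """lower = dongle tuned 1 MHz below the shared centre, upper = 1 MHz above."""
    a = shift(upsample2(lower), -SHIFT, FS_OUT)
    b = shift(upsample2(upper), +SHIFT, FS_OUT)
    return (a + b) / 2

def tone_freqs(sig, fs):
    """Frequencies (Hz, nearest integer) of FFT peaks within 6 dB of the maximum."""
    spec = np.abs(np.fft.fftshift(np.fft.fft(sig)))
    freqs = np.fft.fftshift(np.fft.fftfreq(len(sig), d=1 / fs))
    return [int(round(f)) for f in freqs[spec >= 0.5 * spec.max()]]

def make_tone(f_hz, n=2400):
    """Constructed test input: one complex tone at baseband offset f_hz (1 ms long)."""
    return np.exp(2j * np.pi * f_hz * np.arange(n) / FS_IN)

def demo():
    # A signal 0.3 MHz above the lower dongle's centre and one 0.5 MHz below the
    # upper dongle's centre must appear at -0.7 MHz and +0.5 MHz in the combined view.
    combined = combine(make_tone(0.3e6), make_tone(-0.5e6))
    return tone_freqs(combined, FS_OUT)

if __name__ == "__main__":
    print(demo())   # [-700000, 500000]
```

The zero-stuffing images (at ±2.4 MHz from each tone) fall in the filter stopband, which is why the low-pass in `upsample2` matters before the shift.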


The Bandwidth Combiner GRC Script

Comparing a GPS Patch vs a DIY Patch Antenna on L-Band with the MIX4ALL

Over on YouTube user Adam Alicajic has recently been uploading videos that show him testing a prototype of his upcoming product, the MIX4ALL. The MIX4ALL is an RF downconverter which will allow the RTL-SDR to receive signals at around 1.5 GHz or higher. Although the RTL-SDR can already tune up to ~1.7 GHz, above about 1.2 GHz sensitivity is poor and some units have problems receiving when they get hot. The downconverter converts a 1.5 GHz signal into a signal at around 250 MHz, where the RTL-SDR operates well. At around 1.5 GHz there are several satellite signals of interest, including Inmarsat EGC, Iridium and AERO signals.

In one video Adam decided to use the MIX4ALL to test the difference between a GPS patch antenna and a home-made air gap patch antenna. The GPS patch antenna was salvaged from an old GPS receiver and the air gap patch antenna is the one discussed in this previous post. In the test Adam used the MIX4ALL and an RTL-SDR, and tested reception of Inmarsat signals. His results showed that the reception given by the GPS patch was very poor compared to the home-made patch antenna.

Comparing the GPS and DIY Patch antenna for the L-band INMARSAT

GPS antenna match on L-band 1575 MHz

Some other recent videos by Adam show him also testing his MIX4ALL with S-Band signals around 2.3 GHz and also receiving Alphasat XL.

MIX4ALL receiving on S-band terrestrial weak signals

Alphasat XL band spectrum using the converter and R820T dongle

The Best RTL-SDR Posts of 2015

Things are developing fast in the software defined radio and RTL-SDR world. This year we’ve seen some amazing projects and developments occur. Here’s our highlight reel.

January

In January we first heard about Tim Haven’s RTL-SDR based “Driveby” system which he used to try and pinpoint a nasty source of noise in his neighbourhood. The system consisted of multiple RTL-SDR dongles scanning the spectrum and a GPS receiver. Together the system correlated noise power with locations and from the data Tim was able to pinpoint the source of the problem noise to a faulty power pole in his neighbourhood.

William Dillon, a small aircraft pilot and radio enthusiast also gave us an interesting set of videos that not only explained VOR navigation signals, but also showed how to decode them with an RTL-SDR in order to obtain a bearing.

We also heard from RF expert Leif who did a big test comparing several SDRs on their dynamic range and other factors. The SDR-14 and Airspy SDRs came out on top in most results.

Finally, near the end of the month Jay Moore wrote up a tutorial showing us how to receive SCA audio, which is a special audio service channel that is embedded into regular broadcast FM as a subcarrier.

February

At the beginning of February Vasilli, an SDR# plugin author, released a new SDR# driver for the RTL-SDR that included manual gain control and access to the decimation feature. The decimation feature allows you to zoom in on signals without losing FFT resolution, and it is very useful for browsing HF signals.

Later in the month we saw the release of Artemis, a companion program to our Signal Identification Guide sister site sigidwiki.com.

March

In March radio astronomer Jim Brown used an RTL-SDR and ham-it-up upconverter to listen to noise bursts originating from the planet Jupiter.

We also released a tutorial that showed how to measure the characteristics of RF filters and antenna VSWR with just an RTL-SDR dongle, noise source and directional coupler.

This month we also saw the reduction of the SDRplay RSP’s price from $299 down to $149. The SDRplay (and also the Airspy SDR) are software defined radios that can be considered the next “step up” from the RTL-SDR dongles.

Finally, we also posted an interesting article about fingerprinting aircraft using aircraft scatter techniques, which could be done using an RTL-SDR dongle.

April

In April we learned that the FlightAware ADS-B app had started supporting UAT reception on 978 MHz, and we also reviewed Adam’s ADS-B folded monopole antenna.

May

In May we saw a post by amateur radio astronomers EA4EOZ and EB3FRN, who showed us that it was possible to determine the radiant (origin point) of meteor showers using meteor scatter techniques with an RTL-SDR.

Regular contributor to our blog Happysat wrote in and supplied us with a tutorial that showed how to decode LRPT images from the Meteor M2 satellite using a new plugin by Vasilli and a new version of the Lrtpdecoder by Oleg.

June

In June on Hackaday Juha Vierinen did a nice write up that showed us how we could build a passive radar system using two RTL-SDR dongles.

We also saw an interesting story by John Wiseman about monitoring FBI aircraft that made headlines around the world on several news sites. Essentially John used ADS-B logs received by his RTL-SDR to discover several aircraft with suspicious flight paths and call signs. These aircraft turned out to probably be “persistent wide-area surveillance” FBI spy planes.

Later in the month we saw how researchers from Tel Aviv University were able to use a FunCube dongle to extract encryption keys by sniffing unintended emissions from PCs.

July

In July we saw the release of a paper that describes how to use the RTL-SDR to detect meteors entering the earth’s atmosphere. The author also runs a live stream of his RTL-SDR based meteor detecting set up.

August

In August there were many interesting posts, but the very first piece of news was that the very first RTL-SDR manga comic book was released. Out of interest we bought a copy and it turned out to be a short comic book that detailed the installation and basic use of the RTL-SDR.

A light aircraft pilot also wrote in to let us know how some pilots have been using RTL-SDRs and dump978 as a cheap alternative to $500+ FIS-B weather report receivers.

We also released our new upgraded RTL-SDR Blog line of SDR dongles, all of which now include a TCXO and SMA connector by default.

Another story that made headlines on several news sites was Samy Kamkar’s Def Con conference talk on his RollJam device, which can be used to break into almost any car wirelessly.

We released a tutorial that showed how to use the RTL-SDR together with a suitable L-band satellite antenna to decode Inmarsat STD-C EGC messages. The tutorial also showed how a cheap GPS antenna could be modified into a wideband L-band antenna.

We also heard about MIT Haystack Observatory researchers who had been using RTL-SDR to create a low cost ozone spectrometer to perform scientific measurements.

Bastian wrote in to show us how he was able to reverse engineer the bus telemetry signals in his area and create a live map of all the local bus locations.

Finally in August we also heard how researchers at University College London were able to use already present WiFi signals and a USRP SDR to see through walls (or at least detect people and objects on the other side).

September

In September we discovered how radio astronomers Peter W East and GM Gancio were using RTL-SDR dongles to detect pulsars (rotating neutron stars).

We also saw how Bastian Bloessl was able to use his RTL-SDR to reverse engineer the protocol used by a set of portable traffic lights used in construction outside his house. He was able to write a short program that displayed the current state of the traffic light on his PC.

September also showed us how easy it is getting to sniff GSM SMS and voice messages from mobile phones (assuming you have the encryption details of the phone you want to sniff).

October

October brought interesting RF news from the Raspberry Pi. Clever coder F5OEO was able to manipulate the GPIO pins on the Raspberry Pi enough to actually transmit FM, AM, SSB and SSTV signals. Later developments saw a full transceiver built with F5OEO’s software and an RTL-SDR connected to the Pi.

Tatu Peltola created a “phase correlative direction finder” out of three RTL-SDRs and three antennas. With his system he is able to determine the direction of a transmitter.

We also saw how it will be possible in the near future to use the RTL-SDR to decode DATV DVB-S signals from the ISS.

November

In November the Meteor M1 satellite managed to wake up from the dead, providing satellite image enthusiasts with another weather satellite signal that is receivable by the RTL-SDR.

Researchers at Disney created a very advanced smart watch prototype that could detect with good accuracy the actual (electrical) object the user was touching. The watch uses an RTL-SDR dongle as the RF receiver, and it works by receiving and correlating the electromagnetic emissions given off by electronic devices with a database of known emissions.

December

Finally in the last month of December we saw a new decoder for Inmarsat AERO signals released. AERO is a satellite based version of ACARS which is used by aircraft.

Mario Fillipi wrote in and gave us an interesting article on Ionosondes.

We reviewed the SpyVerter upconverter and determined that it is probably the one with the best performance and best value available for the RTL-SDR.

We also saw that it is now possible to use an RTL-SDR dongle and cheap GPS antenna to receive GPS signals and also acquire a position lock.

2016

2015 was full of interesting SDR developments, only some of which were covered in this post. If you want to read more we suggest going through our previous posts page by page.

No doubt we’ll continue to see more developments in the SDR field this year. We can expect to see new SDR hardware released, updates to existing SDR hardware and more accessories such as downconverters for the RTL-SDR. We can also expect to find new uses for low cost SDRs and to see new software released.

We hope that the readers of this blog will continue to experiment with the RTL-SDR and other SDRs this year. If you have an interesting SDR related project that you’ve developed or found, please let us know at [email protected].

Decoding End Of Train and Head Of Train Packets with an RTL-SDR

Back in March 2014 we showed a video of an RTL-SDR user decoding End Of Train (EOT) and Head of Train (HOT) signals. Head of Train (HOT) and End of Train (EOT) signals are used on trains to transmit telemetry data such as brake line pressure and to monitor for accidental separation of the train. If you live near a train yard or railway line you may be able to pick up these signals.

Now over on YouTube user berwin018 shows us another video of EOT and HOT signals being decoded. There doesn’t seem to be much information in these packets, but they could potentially be used to track which trains are passing by.

To decode EOT and HOT packets you can use the softEOT software which can be downloaded from the softEOT Yahoo! Group after requesting and being accepted into membership.

Decoding End Of Train & Head Of Train Packets