Category: RTL-SDR

SDR-J Now Compatible with the Raspberry Pi 2

The popular software DAB (Digital Audio Broadcast) decoder SDR-J has recently been updated and can now run on the Raspberry Pi 2. In addition the author has also added experimental DRM decoding capabilities to his shortwave receiving software. The author writes about the Raspberry Pi 2:

The Raspberry PI 2 has a processor chip with 4 computing cores. By carefully spreading the computational load of the handling of DAB over these cores it is possible to run the DAB software on the Raspberry PI 2.

In my home situation the – headless – Raspberry PI 2 is located on the attic and remotely controlled through an SSH connection using the home WiFi on my laptop in my “lazy chair”. To accommodate listening remotely, the DAB software on the Raspberry PI 2 sends – if so configured – the generated PCI samples (rate 48000) also to an internet port (port 100240). On the laptop then runs a very simple piece of program reading the stream and sending it to the soundcard.

DAB is a digital audio protocol that is used in some countries as a digital alternative to broadcast FM (music stations). SDR-J is a suite of programs that includes the ability to decode DAB, FM, and several shortwave modes such as AM, USB, LSB, PSK, RTTY, WeatherFax, SSTV, BPSK, QPSK, CW, NavTex (Amtor-B), MFSK, Domino, Olivia, Hell, Throb and now DRM. It can directly connect to RTL-SDR receivers as well as other hardware such as the Airspy and SDRplay.

Screenshot of SDR-J running on the Raspberry Pi 2.

An Unfiltered ADS-B co-op: ADSBexchange

Recently Dan, a reader of RTL-SDR.com, wrote in to let us know about a new web project he’s started called adsbexchange.com. ADSBexchange is similar to services like FlightRadar24.com and FlightAware.com, but with one key difference: ADSBexchange explicitly states that it does not and will not filter ADS-B traffic for security reasons. Other similar services all filter FAA BARR (Block Aircraft Registration Request), military and other potentially sensitive ADS-B data. However, Dan argues that filtering the data is simply unneeded security theatre, as anyone can build their own unfiltered receiver very cheaply. He writes:

I recently started a website that collects SDR ADS-B and MLAT data (typically from dump1090) worldwide, and displays it unfiltered – http://www.adsbexchange.com . This means that military, “blocked” and other “restricted” traffic is available to see, which is unique as far as I can tell. We’ve recently tracked a U2 over the UK above 60,000 ft., Air Force One, and various diplomatic aircraft. Additionally, there is a database of all previous aircraft “sightings” searchable on various parameters.

All of my research indicates this is legal, but perhaps “frowned upon” by local authorities. The major flight tracking sites seem to not want to make any waves and voluntarily strip this data from their public feeds, even though they are typically fed “unfiltered” data from their volunteer participants.

The service is currently looking for RTL-SDR users who feed ADS-B data to join their feeding program so that they can expand their service coverage.


Hak5: Hacking Wireless Doorbells and Software Defined Radio tips

On this week’s episode of Hak5, a popular electronics and hacking YouTube show, the presenters talk about reverse engineering and performing replay attacks on wireless devices such as a doorbell. They also talk about using the recently released YARD Stick One, which is a PC-controlled wireless transceiver that understands multiple modulation schemes (ASK, OOK, GFSK, 2-FSK, 4-FSK, MSK) and works on multiple bands (300-348 MHz, 391-464 MHz, and 782-928 MHz), but is not a software defined radio.

Finally they discuss how to use the RTL-SDR and GQRX to stream received audio over a UDP network connection using netcat in Linux.

Hacking Wireless Doorbells and Software Defined Radio tips - Hak5 1910

If you are interested in the YARD Stick One, Hak5 also uploaded two earlier episodes this month showing how to get started with it, and how to hack wireless remotes by using the RTL-SDR for the initial reverse engineering and then the YARD Stick One for transmitting.

How to begin hacking with the YARD Stick One - Hak5 1908

How to Hack Wireless Remotes with Radio Replay Attacks - Hak5 1909

Hacking GSM Signals with an RTL-SDR and Topguw

The ability to hack some GSM signals has been around for some time now, but the steps to reproduce the hack have been long and difficult to set up. Recently RTL-SDR.com reader Bastien wrote in to let us know about his recently released project called Topguw. Bastien's Topguw is a Linux based program that helps piece together all the steps required in the GSM hacking process. Although the steps are simplified, you will still need some knowledge of how GSM works, have Airprobe and Kraken installed, and you'll also need a 2 TB rainbow table, which still keeps the barrier to this hack quite high. Bastien writes about his software:

So, like I said, my software can "crack" SMS and calls over the GSM network.

How ?

I put quotation marks around crack because my software alone is not enough to decipher GSM itself. My software can perform some steps of the known-plaintext attack introduced by Karsten Nohl, and by the way, increase the time to decipher an SMS or call. I won't explain all the steps here because they are long and tedious, but there is a lot of work done behind the GUI.

Actually, my software can extract keystreams (or try to find some of them) from a GSM capture file, or by sniffing GSM with an rtl-sdr device. Then you just have to use Kraken to crack the key and you're able to decipher the SMS or call.

Why ?

This hack is very interesting! With only a little receiver (rtl-sdr) and some hard-disk capacity (2 TB), everyone can try to hack GSM. It's very low cost compared to other hack vectors. Moreover the success rate is really great if you guess the keystream correctly. So when I started doing this by hand I thought: why not try to make something to do this automatically? This is how Topguw was born.

Topguw, I hope, will sensitize people to the risks they take by calling or sending SMS over GSM.

My software is currently in beta, but I did run it several times and I got good results. Maybe better than something done by hand. But Topguw is made to help people who want to learn the hack. This is why several files are made to help with GSM reverse-engineering.

Topguw can be downloaded from GitHub at https://github.com/bastienjalbert/topguw. Bastien has also uploaded a video showing his software in action. If you're interested, keep an eye on Bastien's YouTube channel, as he plans to upload another video soon in which he shows himself hacking his own GSM SMS/call signals.

Topguw Proof of concept - GSM Hacking educational purpose

Of course remember that hacking into GSM signals is very illegal and if you do this then you must check the legality of doing so in your country and only receive your own messages or messages that are intended for you.

Update 27 Feb 2023: Note that this content is constantly being censored by video upload sites. If the above video is down, Bastien has uploaded links to alternative video upload sites on pastebin.

Receiving Digital Amateur TV from the ISS with an RTL-SDR

The international space station (ISS) is currently testing transmission of a DVB-S digital video signal. At the moment only a blank test pattern is transmitted, but one day they hope to be able to transmit live video properly for the purposes of making live contact with astronauts, and possibly to stream video of scientific experiments, extravehicular activities, docking operations, or simply live views of the Earth from space.

Over at www.pabr.org the author Pabr has been experimenting with using an RTL-SDR dongle for the reception of these digital amateur TV (DATV) signals. Over on Reddit he also posted some extra information about his work:

I have been able to receive DVB-S broadcasts from the ISS (known as HamVideo or HamTV) with a high-gain 2.4 GHz WiFi antenna ($50), a custom downconverter ($65), a R820T2 dongle, and a software demodulator (Edmund Tse’s gr-dvb). I used to think this could only be done with much more expensive SDR hardware.

It is commonly known that rtl-sdr dongles do not have enough bandwidth to capture mainstream satellite TV broadcasts, but the ISS happens to transmit DVB-S at only 2Msymbols/s in QPSK with FEC=1/2, which translates to 2 MHz of RF bandwidth (2.7 MHz including roll-off).

Before anyone gets too excited I should mention that:

  • This was done during a favourable pass of the ISS (elevation 85°)
  • With a fixed antenna, only a few seconds worth of signal can be captured
  • Demodulation is not real-time (on my low-end PC)
  • Currently the ISS only transmits a blank test pattern.

I now believe the BoM will be less than $50 by the time the ISS begins broadcasting interesting stuff on that channel.

Pabr uses a 2.4 GHz parabolic WiFi antenna to receive the signal. He writes that ideally a motorized antenna tracker would be used with this antenna to track the ISS through the sky. Also since the DATV signal is transmitted at around 2.4 GHz, a downconverter is required to convert the received frequency into one that is receivable with the RTL-SDR. The DATV decoder is available on Linux and requires GNU Radio.

Receiving DATV from the ISS with an RTL-SDR

An RTL-SDR Phase Correlative Direction Finder

Over on YouTube, user Tatu Peltola has uploaded a video showing his RTL-SDR based phase correlative direction finder in action. This setup uses three RTL-SDR dongles and three antennas to measure phase differences and thus determine the direction towards a signal source. All three RTL-SDRs must be coherent, meaning that all three of their 28.8 MHz clock signals must come from the same source.

In the video Tatu walks around the three antennas with a handheld radio. An arrow on a laptop screen points in the direction of the transmitter.

A known problem with RTL-SDRs is that even with the clock sources synchronized there is still an additional phase shift of unknown cause. To solve this problem Tatu writes:

Each rtl-sdr is fed from the same reference clock to make their phase shift remain constant. They still have unknown phase shifts and sampling time differences relative to each other. This is calibrated by disconnecting them from antennas and connecting every receiver to the same noise source. Cross correlation of the noise gives their time and phase differences so that it can be corrected.
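As an added illustration of the calibration step Tatu describes (this is not his code), the pure-Python sketch below simulates two receivers fed the same constructed noise, gives the second an unknown sample delay and phase rotation, recovers both from the peak of the cross-correlation, and aligns the channels. The noise, delay and phase values are all constructed for the demo.

```python
import cmath
import math
import random

def make_noise(n, seed=1):
    """Constructed complex white noise standing in for the shared noise source."""
    rng = random.Random(seed)
    return [complex(rng.gauss(0, 1), rng.gauss(0, 1)) for _ in range(n)]

def receiver_capture(src, delay, phase_rad, seed):
    """Simulate one dongle: the same noise, sampled `delay` samples late and
    rotated by an unknown LO phase, plus a little independent receiver noise."""
    rng = random.Random(seed)
    rot = cmath.exp(1j * phase_rad)
    out = []
    for i in range(len(src)):
        s = src[i - delay] if 0 <= i - delay < len(src) else 0
        out.append(s * rot + 0.05 * complex(rng.gauss(0, 1), rng.gauss(0, 1)))
    return out

def estimate_offsets(ref, x, max_lag=8):
    """Cross-correlate x against ref over |lag| <= max_lag; the lag of the
    magnitude peak is the sampling-time offset, its argument the phase offset."""
    n = len(ref)
    xc = {}
    for lag in range(-max_lag, max_lag + 1):
        xc[lag] = sum(x[i] * ref[i - lag].conjugate()
                      for i in range(n) if 0 <= i - lag < n)
    best = max(xc, key=lambda k: abs(xc[k]))
    return best, cmath.phase(xc[best])

def align(x, lag, phase_rad):
    """Undo the measured lag and phase so x lines up with the reference."""
    n = len(x)
    rot = cmath.exp(-1j * phase_rad)
    return [x[i + lag] * rot if 0 <= i + lag < n else 0 for i in range(n)]

def rms_error(a, b):
    return math.sqrt(sum(abs(p - q) ** 2 for p, q in zip(a, b)) / len(a))

def calibrate_demo(n=512, true_delay=3, true_phase=0.7):
    """One calibration run: (lag, phase, rms error before, rms error after)."""
    src = make_noise(n)
    ref = receiver_capture(src, 0, 0.0, seed=11)
    other = receiver_capture(src, true_delay, true_phase, seed=12)
    lag, phase = estimate_offsets(ref, other)
    return lag, phase, rms_error(ref, other), rms_error(ref, align(other, lag, phase))
```

Once the per-receiver lag and phase are known, the same correction is applied to the antenna captures before the direction is computed.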

The three antennas used for direction finding.
RTL-SDR phase correlative direction finder

RTL-SDR Heat Dissipation as seen by a Thermal Camera

The RTL-SDR is known to get quite hot during operation, and when it gets too hot reception of frequencies over 1.2 GHz can be degraded. Marko Cebokli wrote in to us at RTL-SDR.com to show us some thermal imaging pictures that he has made of the RTL-SDR PCB. The images clearly show that the hottest part of the PCB is the R820T chip. The RTL2832U chip stays cool and the only other hot component on the PCB is the voltage regulator. In the post Marko also explains his conclusions on why reception fails at frequencies over 1.2 GHz when the dongle gets too hot.

The images show that the top of the R820T chip reaches a temperature of 85 degrees Celsius after just 10 minutes of operation. The underside of the chip reaches 68.9 degrees Celsius. Marko writes that these temperatures may be even higher when the RTL-SDR is placed inside the plastic case.

In general the RTL-SDR runs fine at these temperatures, but cooling the R820T chip will improve performance when tuning into signals higher than 1.2 GHz, for example L-band satellites. Other RTL-SDR enthusiasts have cooled their RTL-SDRs with thermal pads, heatsinks, fans and oil.

The RTL-SDR PCB seen with a thermal camera

Another L-Band Antenna Build, and a Comparison of L-Band Reception on the RTL-SDR, HackRF and SDRplay

Over on Reddit user killmore231 has made a post showing his comparison of L-Band reception with RTL-SDR, HackRF and SDRplay software defined radios. killmore231 built the L-band patch antenna which Adam 9A4QV showed how to build on his YouTube channel late last month.

When testing the antenna on his RTL-SDR he saw no reception of any L-band signals at all. The RTL-SDR requires an external LNA to properly receive signals in this frequency range, which he did not have. Next he tried it on his HackRF and saw that some signals were weakly visible. When he tried it on his SDRplay the L-band satellite signals were clearly visible, probably due to the SDRplay’s good sensitivity in this frequency range and the fact that it has a built-in LNA. His results show that the SDRplay is a good SDR for receiving L-band satellites, as it does not need an external LNA for decent reception. An external LNA may still be needed, however, if a long run of coax cable is used.

SDRplay reception of L-band satellite signals with no external LNA.
L-band patch antenna