Fingerprinting Electronic Devices via their RF Emissions with an RTL-SDR and ImageMagick

Thank you to José Carlos Rueda for submitting his simple shell script that he uses for fingerprinting spurious RF emissions with an RTL-SDR, rtl_power, heatmap.py and ImageMagick. The result is something like Disney's EM Sense, created with much simpler code.

It is well known that almost all electronic devices unintentionally emit unique spurious RF signals when in operation. By using an SDR like an RTL-SDR to record the spectra from electronic devices, it's possible to build up a database of known emissions. We can then detect when an electronic device is active by comparing the live spectrum to spectra stored in the database.

In a previous post we covered Disney's EM Sense, which is an experimental smart watch that automatically detects what electronic device the wearer is touching. EM Sense uses an RTL-SDR and a database of raw pre-recorded spectrum data. To detect what the wearer is touching, the live signal from the RTL-SDR is correlated against the database, and the closest match is returned.

José's script does something very similar, however instead of correlating with raw spectrum data he instead uses the waterfall image that is generated by rtl_power and heatmap.py. The rtl_power program allows an RTL-SDR to scan the frequency spectrum over a wider bandwidth by rapidly scanning ~2.4 MHz chunks of bandwidth at different frequencies. Heatmap.py is a program that turns the scanned data from rtl_power into a heatmap image of the spectrum.

To add an entry to the database, the electronic device is placed 7-8 centimeters away from the RTL-SDR, and a heatmap image recorded between 24 - 921 MHz is saved to disk. This can be repeated for multiple electronic devices. Each image will record the spurious signals from the electronic device, resulting in a unique heatmap image per electronic device.

Once the database has been created, you can then place any of the devices found in the database next to the RTL-SDR, and record a heatmap for 20-30s. That heatmap will then be compared against the images in the database using ImageMagick, which is an image analysis and manipulation library. The electronic device associated with the closest matching image in the database will be returned.

In his experiments he tested various electronic devices like an iPhone and was able to successfully determine when it was nearby.
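The matching step described above, as an added example that is not José's script: instead of comparing heatmap images with ImageMagick, it reads the rtl_power CSV directly, collapses each scan to a time-averaged spectrum, and scores it against each database entry with normalized cross-correlation. The device labels, spur positions, sample scans and the 0.8 rejection threshold are assumptions constructed for the demonstration; the threshold covers the case where no known device is nearby, which a plain closest-match lookup would mislabel.

```python
import csv
import io
import math
from collections import defaultdict

def mean_spectrum(csv_text):
    """Collapse rtl_power CSV (date, time, Hz low, Hz high, Hz step, samples, dB...)
    into {bin_start_hz: mean dB}, so scans of different duration stay comparable."""
    acc = defaultdict(list)
    for rec in csv.reader(io.StringIO(csv_text)):
        if len(rec) < 7:
            continue  # blank or truncated line
        low, step = float(rec[2]), float(rec[4])
        for i, field in enumerate(rec[6:]):
            db = float(field)
            if math.isfinite(db):  # skip nan/inf readings
                acc[round(low + i * step)].append(db)
    return {hz: sum(v) / len(v) for hz, v in acc.items()}

def ncc(a, b):
    """Normalized cross-correlation (-1..1) over the bins both spectra share."""
    bins = sorted(a.keys() & b.keys())
    if len(bins) < 2:
        return 0.0
    xs, ys = [a[h] for h in bins], [b[h] for h in bins]
    mx, my = sum(xs) / len(xs), sum(ys) / len(ys)
    num = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    den = math.sqrt(sum((x - mx) ** 2 for x in xs) * sum((y - my) ** 2 for y in ys))
    return num / den if den else 0.0

def identify(live, database, min_score=0.8):
    """Best-matching label, or None when even the closest entry scores too low.
    min_score is an assumed threshold; tune it on your own recordings."""
    scores = {name: ncc(live, ref) for name, ref in database.items()}
    best = max(scores, key=scores.get)
    return (best if scores[best] >= min_score else None), scores[best]

def constructed_scan(spurs, sweeps=3):
    """Constructed sample data: 16 bins of 1 MHz from 24 MHz, two hops per sweep,
    a deterministic floor near -60 dB, plus spurs as {bin_index: dB above floor}."""
    lines = []
    for s in range(sweeps):
        for hop in range(2):
            low = 24_000_000 + hop * 8_000_000
            dbs = [-60 + ((k * 7 + s * 3) % 5) * 0.5 + spurs.get(k, 0)
                   for k in range(hop * 8, hop * 8 + 8)]
            lines.append(f"2019-10-01, 12:00:{s:02d}, {low}, {low + 8_000_000}, "
                         "1000000, 1, " + ", ".join(f"{d:.2f}" for d in dbs))
    return "\n".join(lines)

# Hypothetical database: labels and spur positions are invented for the demo.
DATABASE = {"phone": mean_spectrum(constructed_scan({3: 25, 11: 18})),
            "laptop": mean_spectrum(constructed_scan({5: 30, 6: 12, 14: 20}))}

if __name__ == "__main__":
    print(identify(mean_spectrum(constructed_scan({3: 22, 11: 20}, sweeps=4)), DATABASE))
    print(identify(mean_spectrum(constructed_scan({}, sweeps=4)), DATABASE))
```

With real recordings, the database and the live scan must use the same rtl_power frequency range and bin size so that their bins line up.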

Various electronic device spectra waterfall images recorded in the database

Measuring the USB Power Consumption of Various Software Defined Radios

Over on his YouTube channel icholakov has uploaded a video comparing the USB power consumption of various software defined radios. In his tests he uses an inline USB current meter and compares a Perseus, RSP1, RSP1A, Airspy HF+, Airspy HF+ Discovery, RTL V3, Nooelec RTL Mini, Hauppauge 955Q, Flightaware RTL.

If you're only interested in the summary table, then this can be found at 05:49 in the video.

Generally SDRs with better performing tuners and more amplifiers will have higher power requirements, although current consumption can't solely be used to judge performance as some SDRs like the SDRplay make extensive use of filtering to overcome RX performance issues in their tuner. The RTL-SDR V3 and FlightAware dongles have slightly higher current draw compared to the Mini RTL-SDR as they contain an additional HF amplifier and ADS-B amplifier respectively. Lower power consumption may be useful when used with batteries and mobile phones.

2019: Nine SDR Receivers power consumption comparison - how much power does your SDR consume?

Electrosense: RTL-SDR Based Crowd Sourced Spectrum Monitoring with a DC to 6 GHz Up/Downconverter

Recently we came across Electrosense which is an interesting open source project that aims to deploy radio spectrum sensors worldwide in order to analyze and understand radio spectrum usage. This information could be extremely valuable in order to make more efficient use of the limited radio spectrum, and for detecting sources of interference and illegal transmissions. The hardware that Electrosense uses consists of just an RTL-SDR, Raspberry Pi, antenna and an optional GPS for time synchronization.

The ElectroSense network is a crowd-sourcing initiative to collect and analyse spectrum data. It uses small radio sensors based on cheap commodity hardware and offers aggregated spectrum information over an open API.

The initiative's goal is to sense the entire spectrum in populated regions of the world and to make the data available in real-time for different kinds of stakeholders which require a deeper knowledge of the actual spectrum usage.

ElectroSense is an open initiative in which everyone can contribute with spectrum measurements and access the collected data.

High-level overview of the Electrosense network: Low-cost sensors collect spectrum information which are sent to the Electrosense backend. Different algorithms are run on the collected information in the backend and the results of these algorithms are provided to the users as a service through an open API. Users can develop their own applications from the spectrum information retrieved using the API.
Overview of the Electrosense network

There are already several spectrum sensing projects in the works by big companies like Google, Microsoft, and IBM, but these only cover a small portion of the spectrum, or use high cost sensing stations, limiting their ability to be deployed on a wide scale. Electrosense solves these problems by using low cost RTL-SDRs, and a crowd sourcing paradigm.

At the time of writing there are 103 sensors registered to the Electrosense network, with 23 being online, most of which are in Europe. Once you register an account on their site, you can browse the active sensors. Clicking on the spectrum button for a sensor brings up a live spectrum graph. For example in the screenshot below we access the data from an RTL-SDR + downconverter sensor in Madrid. We're able to see a live wideband 20 MHz to 6 GHz spectrum scan, and graphs of frequency occupancy rates.

Electrosense Active Sensors
Electrosense Spectrum Scan and Occupancy Graphs

In addition to the standard SDR hardware being used, they've also designed a very interesting open hardware/source DC to 6 GHz up/downconverter board. The board is USB controlled, and switches between the upconverter for the lower HF bands, pass through for receiving DC - 1.6 GHz, and the downconverter for receiving up to 6 GHz. It has a 20 MHz output bandwidth which means that wide band SDRs can also make use of it.

Electrosense Up/Downconverter

The Electrosense website notes that anyone can host a sensor, and if you meet their criteria (permanent internet connection, ethernet connectivity and a low interference location) you can apply for a free kit. If you aren't selected for a free kit, then the Jetvision store based in Europe is selling Electrosense kits that include an RTL-SDR Blog V3, Raspberry Pi 3, power supply, SD card with preinstalled Electrosense software, and either our multipurpose dipole antenna, or a wideband discone with 15m of low loss cable for roof mounting.

The Electrosense team have been working hard on this project and have already published several related papers and a magazine article about the Electrosense network and its use cases. One interesting paper discusses a method for decoding wideband signals using a network of non-coherent RTL-SDRs. Another paper discusses using deep learning for automatic signal classification. The full list of publications can be found on their publications page.

If you're interested in this type of crowd sourced spectrum project, then you might also want to take a look at the KiwiSDR which is a networked 0 - 30 MHz SDR. Multiple crowd sourced KiwiSDRs can be used in a TDoA calculation for determining transmitter locations.

Building An Open Source SDR Based Hydrogen Line Radio Telescope

Over on Reddit we've seen a post by u/ArtichokeHeartAttack who has been working on a hydrogen line radio telescope, based on an RTL-SDR dongle and horn antenna designs by the DSPIRA program, and the Open Source Radio Telescopes website (site appears to be down, linked to the archive.org copy). u/ArtichokeHeartAttack has documented their radio telescope building journey, providing a comprehensive top-level document that is able to point interested people in the right direction towards understanding and building their own hydrogen line radio telescope.

Briefly, their build consists of a horn antenna and reflector designed for the 1,420.4 MHz hydrogen line frequency. The horn is built out of a few pieces of lumber, metallic house wall insulation sheets and aluminum tape. The feed is made from a tin can and piece of wire. In terms of radio hardware, they used an Airspy SDR, GPIO labs Hydrogen Line Filter + LNA, 2x Uputronics wide band preamps, and a Minicircuits VBF-1445+ filter. For software processing, they used a GNU Radio flowgraph to integrate and record the spectrum.

The results show that they were able to achieve a good hydrogen line peak detection, and they were able to measure the galactic rotation curve doppler shift, and tangent points which prove that we do in fact live in a spiral galaxy.

The Finished Hydrogen Line SDR Based Horn Radio Telescope Antenna

Leif Continues his Comparisons of the Airspy HF+ Discovery, RSP1, Perseus and More SDRs

Leif (SM5BSZ) is fairly well known in the SDR community for doing very in-depth technical tests of various SDR receivers over on his YouTube channel. Recently he's released part two of a series where he compares the new Airspy HF+ Discovery against various other SDRs such as the Perseus, SDRplay RSP1, Airspy HF+ Dual, Airspy + SpyVerter and AFEDRI SDR-Net. In the first video he studied the blocking and second order intermodulation effects of each SDR using signal generators. We summarized those results in this previous post.

In the new video Leif compares the dynamic range of each SDR using real HF antenna signals at 7.2 MHz. In order to create a fair test of dynamic range, appropriate attenuation is added to each receiver in order to make their noise figures equivalent, so that the incoming signal strength is the same for each SDR.

The first set of dynamic range results is summarized at time 08:14, and these results show the dynamic range comparisons for strong night time signals. Again like in the other videos the Perseus is used as the reference SDR since it is always the best. The tests show that the HF+ Discovery trails behind the Perseus by only -3dB, followed by the HF+ Dual at -10dB, AFEDRI at -15dB, Airspy+SpyVerter at -18dB and finally the RSP1 at -23dB.

The second set of results is summarized at 17:47 and this includes a day time dynamic range test. The rankings are very similar to the night time test.

PREORDER SALE: Active L-Band 1525-1637 Inmarsat to Iridium Patch Antenna Set For $34.95

Over the last several months we've been working on a versatile active L-band patch antenna that can cover Inmarsat to Iridium satellite frequencies. That antenna is now almost ready, and should be able to ship out from our Chinese storage warehouse by week 1 or 2 of October.

NOTE: Due to an unfortunate Typhoon near the factory in Taiwan, and the Chinese National Week long holidays and Taiwan National day we are expecting them to ship out in week 3 or 4 of October now. Apologies for the delays.

No other components like filters or amplifiers are required to be able to use this antenna, as it is an all in one system.

The expected price will be US$39.95, but right now we're releasing it for a discounted PREORDER price of US$34.95 incl. free shipping.

Please see our store to preorder the unit.

Preorder sale has ended. Please see our store to order.

Your preorder will ship out as soon as it's stocked in the warehouse in China. If you prefer to wait we'll also have this product on Amazon (at retail $39.95) about 2-3 weeks after it is stocked in our Chinese warehouse.

The antenna is based on the active (low noise amplified with built in filter) ceramic patch design that was used by Othernet (aka Outernet), back when they had their L-band service active. We've asked them to modify the antenna to cover a wider range of frequencies, and include an enclosure that allows for easier mounting.

The antenna is 3.3 - 5V bias tee powered, so you will need a bias tee capable RTL-SDR like our RTL-SDR Blog V3, or a 5V external bias tee. It draws about 20-30mA of current, so it is compatible with other SDRs like the SDRplay, HackRF and Airspy too.

With this antenna we've paid close attention to the mounting solutions. One major difficulty with these patch antennas is finding a convenient place to mount them. The patch is designed with a built in 1/4" camera screw hole, so any standard camera mount can be used. In the kit we're including a window suction cup, a flexible tripod and 2 meters of RG174 cabling to help with mounting. Your own longer coax cabling can be used, however we'd recommend using lower loss cabling like RG59/58 or RG6 for anything longer than 3 meters.

The patch is also fully enclosed in an IP67 weather proof plastic case, so it can be kept mounted outdoors in the rain.

The RTL-SDR Blog L-Band Satellite Patch Antenna Set
Ways to mount the patch antenna

Performance

With the patch receiving AERO, STD-C and GPS should be a breeze. Simply point up at the sky, or towards the Inmarsat antenna, apply bias tee power and receive. Below are some sample screenshots showing reception.

Inmarsat Reception
Iridium Reception

Reception Tips

  • The patch is designed to be used with a 1m+ length of coax cable. It may perform poorly if the RTL-SDR is placed right at the antenna due to interference.
     
  • If receiving Inmarsat, the patch antenna should ideally be angled to face the satellite.
    • Rotate the patch until the signal strength is maximized. Rotating the patch optimizes the polarization of the antenna for the satellite and your location. NOTE: Using the wrong orientation could result in 20 dB attenuation, so please do experiment with the rotation.
    • You can also use the patch on a flat surface for Inmarsat (and rotate for best reception), but signal strength may be a little reduced. Depending on your location and the satellite's elevation it should still be sufficient for decoding.
       
  • For receiving Iridium and GPS signals you can use the antenna flat, pointing straight up towards the sky. Try to get it seeing a clear view of the sky horizon to horizon to maximize the satellites that it can see.
     
  • If you happen to have a very marginal signal, you can clamp on a flat sheet of metal behind the patch antenna for improved performance.
     
  • AERO C-Channel: C-Channel transmissions are at 1647-1652 MHz which are outside of the advertised range of this antenna. However, the filter cut off is not that sharp, and you may be able to get results, although we cannot guarantee this. (If you want to test this for us and can demonstrate that you can receive C-Channel already, please contact us at [email protected] for a sample)

  • If you want to mount this on a car roof, you can use a standard magmount camera adapter.

What Can you do with this antenna?

Inmarsat STD-C EGC Decoding

AERO Satellite ACARS Decoding

Iridium Decoding

GPS Experiments

Monitoring 3D Printer Filament Moisture with an RTL-SDR and rtl_433

Over on Hackaday we've seen a post about Scott M. Baker's 3D printer filament drying farm that is monitored by a 433 MHz ISM band sensor and an RTL-SDR running rtl_433. If you're familiar with 3D printing then you'll know that it is critical to keep the plastic filament free from absorbing moisture, otherwise it can cause all sorts of issues when it comes time to print something.

To keep them away from humid air Scott uses "PrintDry" plastic vacuum canisters. Unfortunately he found that the vacuum sealing system wasn't perfect, and that some canisters would lose their vacuum after a few days. In order to ensure that the canisters were properly sealed he decided to add some active monitoring with pressure and humidity sensors and a wireless transmitter.

His monitoring system consists of a cheap 315 MHz ISM band transmitter, ATTINY85 microcontroller and pressure + humidity sensor. To receive and monitor the data he uses an RTL-SDR that runs the rtl_433 software, which is a program that is capable of decoding many different types of wireless ISM band sensors.

DIY Wireless Temp/Humid/Pressure sensors for measuring vacuum sealed 3d printed filament containers

Vancouver Broadcasts Hospital Patient Data Over Unencrypted Wireless Pagers

Canadian based researchers from the "Open Privacy Research Society" recently rang the alarm on Vancouver based hospitals who have been broadcasting patient data in the clear over wireless pagers for several years. These days almost all radio enthusiasts know that with a cheap RTL-SDR, or any other radio, it is possible to receive pager signals, and decode them using a program called PDW. Pager signals are completely unencrypted, so anyone can read the messages being sent, and they often contain sensitive pager data.

Open Privacy staff disclosed their findings in 2018, but after no action was taken for over a year they took their findings to a journalist.

Encryption is available for pagers, but upgrading the network and pagers to support it can be costly. Pagers are also becoming less common in the age of mobile phones, but they are still commonly used in hospitals in some countries due to their higher reliability and range.

In the past we've seen several similar stories, such as this previous post where patient data was being exposed over the pager network in Kansas City, USA. There was also an art installation in New York called Holypager, that continuously printed out all pager messages that were received with a HackRF for gallery patrons to read.

HolyPager Art Installation. HackRF One, Antenna and Raspberry Pi seen under the shelf.