SignalsEverywhere: Driving around with KerberosSDR and Locating a P25 Transmitter

On this week's episode of SignalsEverywhere, host Corrosive tests out our KerberosSDR coherent RTL-SDR unit for radio direction finding. If you didn't already know, KerberosSDR is our experimental 4x Coherent RTL-SDR product. With it, coherent applications like radio direction finding (RDF) and passive radar are possible. Together with the KerberosSDR direction finding Android app, it is possible to visualize the direction finding data produced by a KerberosSDR running on a Pi3/Tinkerboard.

In the video Corrosive uses the KerberosSDR together with the recently updated companion Android app to determine the location of a P25 control channel. By driving around with the app constantly collecting data he's able to pinpoint the location within about 15 minutes.

If this interests you, we also have some more driving demo videos available here.

Direction Finding With Kerberos SDR

In addition to his video, Corrosive has also created a very useful calculator that can be used to calculate the required antenna spacing for a circular or linear direction finding array that can be used with the KerberosSDR.

AIS Share App Updated and Magazine Article

Thank you to Christian, programmer of the AIS Share Android App, for letting us know about some updates to his AIS Share Android application. AIS Share is a €2 app for Android that allows you to turn an Android device into an AIS receiver together with an RTL-SDR. AIS stands for Automatic Identification System and is used by ships to broadcast their GPS locations in order to help avoid collisions and aid with rescues. An RTL-SDR with the right software can be used to receive and decode these signals, and plot ship positions on a map.

Recent updates to AIS Share have brought improved AIS reception, and updates allowing it to run on the latest Android version. A new video demonstrating the software was also uploaded to YouTube.

AIS SHARE - Android (RTL-SDR AIS receiver)

The App has also been featured in the February 2019 edition of the "Practical Boat Owner" magazine (paid magazine with digital editions). The article discusses using AIS Share and an RTL-SDR to stream data to Boat Beacon, which is a popular chart navigation app. A similar but free tutorial on setting up AIS Share and Boat Beacon can be found here.

An excerpt of the Practical Boat Owner AIS Share RTL-SDR Article.

RTL-SDR.COM GOES 16/17 and GK-2A Weather Satellite Reception Comprehensive Tutorial

GOES 16/17 and GK-2A are geosynchronous weather satellites that transmit high resolution weather images and data. In particular they are far enough away from the earth to be able to take beautiful 'full disk' images which show the entirety of one side of the Earth. As these satellites are in a geosynchronous orbit, they can be counted on to be in the same position in the sky at all times, so no tracking hardware is required and images can be pulled down constantly throughout the day without having to wait for a polar orbiting satellite to pass over like you would with the NOAA APT or Russian Meteor satellites.

With a low cost WiFi grid dish antenna, LNA and RTL-SDR dongle, any home user within the footprint of one of these weather satellites can receive and decode live images directly from the sky. Setting up a station is overall not too difficult, but it can be a bit fiddly with a number of steps to complete. Below is our comprehensive guide. We'll show how to set up a self contained Raspberry Pi based system with goestools (free), as well as a guide for the Windows PC software XRIT decoder (US$125).

We've attempted to make the tutorial as newbie friendly as possible, but we do need to assume basic RF knowledge (know what antennas, SDRs, coaxial, adapters etc are), basic Linux competency for the goestools tutorial (using the terminal, using nano text editor), and basic Windows competency for the XRIT decoder tutorial (unzipping, editing text files, running programs).

A full disk false color image received directly from the GOES-17 satellite with an RTL-SDR. Click for the full size image (14MB).

There are two fourth generation NOAA GOES satellites that are currently active, GOES-16 and GOES-17. These transmit HRIT signals, and also transmit shared data from the older third generation GOES 15, and Japanese Himawari-8 satellites. At the moment GOES-16 and GOES-17 are producing full disk images every 30 minutes, and close up "mesoscale" shots of the USA every ~15 minutes. GOES-16 (aka GOES-R) and GOES-17 (aka GOES-S) are also known as GOES-EAST and GOES-WEST respectively. At least one of these satellites can be received from North/South America, Canada, Alaska/Hawaii, New Zealand, Eastern Australia and some Pacific islands.

There is also the older generation GOES-15 and GOES-14 which have been placed in standby orbits. These transmit LRIT signals which provide images at a slower rate. 

GOES 16/East and GOES 17/West Signal Footprint

There is also the Korean GK-2A (GEO-KOMPSAT-2A) satellite which is very similar to the GOES satellites. GK-2A covers countries like India, Asia, Australia, New Zealand and parts of Russia. Note that you may have previously heard of the COMS-1 satellite which used to cover this area. Since July 2019 COMS-1 was replaced by GK-2A. Unlike GOES, GK-2A images are encrypted. However it has been found that "sample" encryption keys found online in demo code work just fine.

GK-2A contains both LRIT and HRIT channels, but at the moment only the LRIT channel can be decoded with the currently available software. The LRIT channel sends full disk IR images every 10 minutes in 2200 x 2200 resolution. Compared to the 5424 x 5424 resolution GOES full disk images, this is smaller, but still large enough to be interesting.

Note that even if HRIT decoding is added by the current software, you would require an Airspy or other wideband SDR as the GK-2A HRIT signal bandwidth is 5 MHz. Also since the HRIT bandwidth is so wide, the signal strength is reduced, meaning that you'll need a larger dish. People who have received the HRIT signal note that a 3M+ sized dish seems to be required.

GK-2A (GEO-KOMPSAT-2A) Footprint

You might ask why bother receiving these satellite images directly, when you can get the exact same images from NOAA at https://www.star.nesdis.noaa.gov/GOES/index.php. Well, you might want to set up your own station to be independent from the internet, or you live in a remote location without internet, or maybe just for the fun and learning of it.

To set up a receiver for GOES 16/17 HRIT or GK-2A LRIT you'll need to purchase a dish antenna such as a cheap 2.4 GHz WiFi antenna, an RTL-SDR, GOES LNA, and a Raspberry Pi if using goestools, otherwise a Windows PC can be used. The total cost could be anywhere from $150 - $200 depending on what pieces you already have available.

Before we start the tutorial, you might want to use an augmented reality Android app like "Satellite-AR" to get a rough idea of where either GOES 16/17 or GK-2A (GEO-KOMPSAT-2A) is in your sky, and if receiving them is even feasible for your location. You'll need to find an area on your land where you can mount a small satellite dish with an unobstructed line of sight view to the satellite (no trees or buildings can be blocking the signal path). If the satellite is low on the horizon (below 25 deg elevation), then things get a little more difficult as you have more obstructions and a weaker signal. But it can still be done, and we're able to routinely get good results at 24.5 deg elevation.
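The same feasibility check can be done numerically. The following is an added example, not code from the original tutorial: it computes the azimuth and elevation of each satellite from a site and flags anything under the 25 degree elevation mentioned above. The satellite longitudes, the orbit constants and the sample site are assumptions that are not stated in the article.

```python
import math

# Assumed constants (not from the article): WGS-84 equatorial radius and the
# geostationary orbit radius, both in km.
EARTH_RADIUS_KM = 6378.137
GEO_RADIUS_KM = 42164.0

# Assumed sub-satellite longitudes in degrees east (negative = west); check
# the operator's currently published slot before relying on them.
SATELLITES = {"GOES-16": -75.2, "GOES-17": -137.2, "GK-2A": 128.2}

LOW_ELEVATION_DEG = 25.0  # the article's "a little more difficult" threshold


def look_angles(lat_deg, lon_deg, sat_lon_deg):
    """Return (azimuth, elevation) in degrees for a geostationary satellite.

    Spherical-Earth model, observer at sea level, no atmospheric refraction.
    Azimuth is measured clockwise from true north.
    """
    lat = math.radians(lat_deg)
    dlon = math.radians(sat_lon_deg - lon_deg)
    # Central angle between the observer and the sub-satellite point.
    cos_gamma = math.cos(lat) * math.cos(dlon)
    sin_gamma = math.sqrt(max(0.0, 1.0 - cos_gamma ** 2))
    elevation = math.atan2(cos_gamma - EARTH_RADIUS_KM / GEO_RADIUS_KM, sin_gamma)
    # Great-circle bearing to the sub-satellite point, which lies on the equator.
    azimuth = math.atan2(math.sin(dlon), -math.sin(lat) * math.cos(dlon))
    return math.degrees(azimuth) % 360.0, math.degrees(elevation)


def classify(elevation_deg):
    """Map an elevation to a coarse reception verdict."""
    if elevation_deg <= 0.0:
        return "below horizon"
    if elevation_deg < LOW_ELEVATION_DEG:
        return "low (harder)"
    return "ok"


def survey(lat_deg, lon_deg):
    """Return {satellite: (azimuth, elevation, verdict)} for one site."""
    results = {}
    for name, sat_lon in SATELLITES.items():
        az, el = look_angles(lat_deg, lon_deg, sat_lon)
        results[name] = (round(az, 1), round(el, 1), classify(el))
    return results


if __name__ == "__main__":
    # Constructed sample site (latitude, longitude in degrees), not from the article.
    for name, (az, el, verdict) in survey(-36.85, 174.76).items():
        print(f"{name}: azimuth {az} deg, elevation {el} deg, {verdict}")
```

The result is only a pointing estimate; trees and buildings along that bearing still have to be checked on site.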

Note that for Europe and Africa, unfortunately there are no satellites that can be received easily with an SDR and LNA. But you might instead be interested in the EUMETCAST service, which can be received from EUTELSAT 10A (Ku band), Eutelsat 5 WEST A (C Band) and SES-6 (C Band). To receive this service you'll need a DVB-S2 receiver and a satellite dish with an appropriate band LNB. You also need license keys and software, which altogether cost €100. EUMETCAST reception is not covered in this tutorial, instead see this video.


Decoding PAL Video from a Nintendo with an Airspy SDR

Oona (also known as [Windytan] and @windyoona) was recently looking for a way to capture PAL composite video from her old 1980’s Nintendo Entertainment System (NES) without spending a bunch of money on what are often poor video capture cards. As she already owned an Airspy SDR she decided to receive the PAL signal with the Airspy and modify some software to act as a PAL decoder.

PAL decoding was handled via some modifications to her private Tempest software. Normally Tempest type programs like TempestSDR that we covered in a [previous article] are used to spy on computer/TV monitors from signals that are unintentionally emitted in the surrounding area.

Oona has made the connection from the composite output directly to the SDR antenna input so it’s not unexpected that you’d have a strong signal. However, I have to admit that’s an incredibly clear image for a video being demodulated via a software radio.

What makes this an even more amazing feat is that the latency is low enough that it’s nearly playable using a computer and SDR in place of a television set.

We note that we’ve also seen SDRs used to decode standard PAL TV broadcasts before with an SDR# plugin called TVSharp.

Using a Drone and HackRF to Inject URLs, Phish For Passwords on Internet Connected TVs by Hijacking Over the Air Transmissions

There is nothing wrong with your television set. Do not attempt to adjust the picture. We are controlling transmission.

At this year's Defcon conference security researcher Pedro Cabrera held a talk titled "SDR Against Smart TVs; URL and channel injection attacks" that showed how easy it is to take over a modern internet connected smart TV with a transmit capable SDR and drone. The concept he demonstrated is simple: just broadcast a more powerful signal so that the TV will begin receiving the fake signal instead. However, instead of transmitting with extremely high power, he makes use of a drone that brings a HackRF SDR right in front of the target's TV antenna. The HackRF is a low cost $100-$300 software defined radio that can transmit.

Title Slide from the Defcon 27 Talk: SDR Against Smart TVs; URL and channel injection attacks.

While the hijacking of TV broadcasts is not a new idea, Pedro's talk highlights the fact that smart TVs now expose significantly more security risks to this type of attack. Most of Europe, Australia, New Zealand and some places in Western Asia and the Middle East use smart TVs with the HbbTV standard. This allows for features like enhanced teletext, catch-up services, video-on-demand, EPG, interactive advertising, personalisation, voting, games, social networking, and other multimedia applications to be downloaded or activated on your TV over the air via the DVB-T signal.

The HbbTV standard carries no authentication. By controlling the transmission, it's possible to display fake phishing messages that ask for passwords and transmit the information back over the internet. A hacker could also inject key loggers and install cryptominers.

Recorded talks from the Defcon conference are not up on YouTube yet, but Wired recently ran a full story on Pedro's talk, and it's worth checking out here. The slides from his presentation can be found on the Defcon server, and below are two videos that show the attack in action, one showing the ability to phish out a password. His YouTube channel shows off several other hijacking videos too.

SDR Against Smart TVs: Drones carrying SDRs

SDR Against Smart TVs: Social engineering

 

SigDigger: A Graphical Digital Signal Analyzer for Linux

Recently a new open source Linux based SDR application called SigDigger was released by programmer BatchDrake (Gonzalo J. Carracedo). It is based on his own DSP libraries called Sigutils and Suscan which can take advantage of multi-core CPUs. SigDigger also makes use of the SoapySDR interface, so it is compatible with almost all software defined radios including the RTL-SDR.

SigDigger Screenshot

Like other general purpose SDR applications, SigDigger has your typical AM/FM/LSB/USB demodulation and audio playback features. However, it also has some key additional features that make it worth taking a look at if you're interested in reverse engineering, or taking a closer look at digital signals. The features include:

  • Both realtime and replay analysis modes
  • Analog audio playback (AM, FM, LSB and USB)
  • Baseband recording (full spectrum and per-channel)
  • Per-device gain presets
  • Dynamic spectrum browsing
  • ASK, FSK and PSK inspection
  • Gradient-descent SNR calculation
  • Different spectrum sources (cyclostationary analysis, signal power…)
  • Symbol recording and visualization
  • Transition analysis

Planned features already implemented and just waiting to be exposed to the UI:

  • Parameter estimation (baudrate, constellation order…)
  • Fast symbol autocorrelation analysis
  • Automatic calculation of scrambling polynomials
  • Symbol stream codecs

Possible future features coming soon:

  • Symbol tagging (correspondence between symbols and groups of bits)
  • Automatic symbol tagging guessing
  • Automatic convolutional code detection
  • Viterbi decoding

We note that while the UI looks like GQRX, it is not based on GQRX at all. Rather BatchDrake just liked the minimal UI of GQRX. Also unlike GQRX, SigDigger is not based on GNU Radio, so it may be a bit more efficient and lightweight.

Below we've embedded a video that BatchDrake uploaded to his YouTube channel which demonstrates SigDigger being used to inspect a PSK channel.

Using SigDigger to inspect a PSK channel

This software looks great, and we think it deserves some serious attention and testing, so check it out on the GitHub. Binary releases are also available, although BatchDrake notes that they are minimally tested, for x64 Linux only, and preferably for Debian-like distros. Alternatively, it can be installed from source, after installing the Sigutils and Suscan DSP library dependencies.

METEOR M Demodulator SDR# Plugin and LRPT-Decoder Updated

Thanks to Happysat for providing info on updates to these programs again. Meteor Demodulator V2.2 is a plugin for SDR# that connects to the M2 LRPT Decoder software. Together with an RTL-SDR and 137 MHz satellite antenna, these programs are used to receive, track, demodulate and decode Meteor M satellite signals into live weather satellite images. Happysat has a tutorial available here, however we note that at the time of this post it hasn't been updated to use the latest software versions.

The biggest change appears to be that you can now affect the decoder settings from within the SDR# plugin. This is useful because the METEOR M2-2 satellite appears to be changing its operating mode often (number of infrared vs visible channels, data rate etc).

We also note news from Happysat that the Meteor M-N2-2 satellite has now changed frequency to 137.100 MHz mode 72K on 16 Aug. 9:30 Moscow time (6:30 UTC). Other users have also indicated that M2-2 is currently transmitting two IR channels, and one visible now. Meteor M2 appears to still be transmitting visible channels.

M2 LRPT Decoder V47:

- Added Meteor Demodulator V2.2 socket support

- only mode, sat, rgb are supported so far.

- Fix manual s-file processing

By design, the plug-in will manage the settings of the decoder and this should reduce the number of settings that must be done when changing the Meteor operating modes.

Example scheduler options:

M2_decoder_init_Line <rgb=123.jpg> or (rgb=125,444,555 etc.)

In order for the decoder to work with Meteor Demodulator V2.2 http://happysat.nl/meteor_2.2.zip , the ini-file mode and sat entries must be assigned to auto!

M2_LRPT_Decoder.ini

mode=auto

sat=auto

http://happysat.nl/LRPT_Decoder_v47.zip

M2 LRPT Decoder V48:

- Remove debug window

http://happysat.nl/LRPT_Decoder_v48.zip

 

Meteor Demodulator V2.2

From TSSDR:

Added interaction with Meteor LRPT-Decoder via socket.

At the beginning of the data transmission, the configuration of the modulation speed and modulation type (satellite name) is transmitted to the decoder.

That is, there is no need to change the decoder settings when changing 72K / 80K and M2 / M2.2.

It will receive signal information from the plugin.

It is enough to change the speed in the scheduler.

A new scheduler command "M2_decoder_init_Line <>" has been added to the plugin.

Using it, you can transfer any commands that are in the ini file of the decoder (for example, the command to select channels to save a color picture:

M2_decoder_init_Line <rgb = 123.jpg>)

In general, this allows you to change the settings when changing the reception conditions only in the scheduler and not in the entire chain of programs for processing the signal from the satellite.

M2 decoder compatible with these functions is >V47

http://happysat.nl/meteor_2.2.zip

http://rtl-sdr.ru

Updated Meteor M2 Demodulator Plugin.

A Remote ADS-B, ACARS, VDL2 and Air Traffic Control Voice Monitoring Station with LTE Connection

Over on Reddit u/tsimola has posted about his remote ADS-B station that is accessed via an LTE connection. When an opportunity came up to install a remote ADS-B station on a tall building with unobstructed 360 degree views, tsimola decided to build the best ADS-B monitoring station that he could, and make sure that it would be easy to maintain and monitor from afar.

He notes that his ADS-B station consists of a FlightAware Prostick Plus and 16-element collinear coaxial antenna. The following components are also used:

  • Raspberry Pi 3 booting and running from SSD drive (Raspbian and ADSB Receiver Project package)
  • Power via UPS (1 hour and 45-minute runtime) and text message controlled power socket (for hard reboots)
  • Powered USB hub with three basic RTL-SDR dongles (ACARS, VDL Mode 2 and voice)
  • Three temperature sensors and one humidity sensor, 80 mm exhaust fan (filtered air intakes)
  • Magnetic switch for push notifications if the lid is opened (IFTTT and Webhooks)
  • LTE/4G router for Internet connection

In addition to the ADS-B station, tsimola has also added ACARS, VDL2, and AM voice air traffic control monitoring with a second station in the same location that utilizes three RTL-SDR dongles. This second airband station is connected to a 128 MHz tuned airband dipole antenna, with an LNA4all and GPIO labs airband filter.

As well as descriptions of the hardware, tsimola's post goes over his software choices and explains how it is securely accessed. We think that this is a very well put together build that should be replicated in other locations too.

A remote ADS-B, ACARS, VDL2 and Air Traffic Control Monitoring Station.

[Also seen on Hackaday]