Over on GitHub user martinber has released a new NOAA APT image decoder that can run on both Linux and Windows. The decoder is called noaa-apt and takes a .WAV file of a NOAA satellite pass, and turns it into an image file. The .WAV file can be recorded in any SDR program like SDR#, HDSDR, GQRX etc. The program is programmed in Rust, and has ready to run binaries available for both Linux and Windows available on it's GitHub Releases page.
Compared to the features found in WXtoIMG the software is fairly basic, but as WXtoIMG has been abandoned it's good to see new APT decoders still being worked on. The software can also be used to simply resample the .WAV file into a sample rate required by other more featured decoders like aptdec.
NOAA weather satellites broadcast an Automatic Picture Transmission (APT) signal, which contains a live weather image of your area. With an RTL-SDR and antenna they can be received and downloaded every time one of the satellite's passes overhead. We have a tutorial on using an RTL-SDR with WXtoIMG available here.
The project is by Kazunori Miura who is the creator of the Soft66 range of RTL-SDR retrofit products. The kickstarter appears to be for the "Soft66IP", which has been around since early 2017. The main difference appears to be that now OpenWebRX is preloaded on the SDCard, and that there is a custom script running on the Orange Pi Zero which allows you to choose between OpenWebRX and HDSDR. Presumably clicking on HDSDR runs an rtl_tcp server, which can then be connected over the network.
The idea is that this system will be used together with software like OpenWebRX, which would enable the RTL-SDR and radio stream to be accessed online from anywhere in the world via an Ethernet connection. Examples of OpenWebRX receivers can be found on sdr.hu, just search for "RTL-SDR" on the page to find relevant examples.
There are several support options, with the main board (without Orange Pi Zero or RTL-SDR) starting at US$22, and US$88 for the main board including RTL-SDR, Orange Pi Zero, enclosure and SD card. The system could probably be home built for much cheaper, but there is a convenience in purchasing a ready to use system. Although if you're interested in HF and want an internet connected SDR, then you might be better off shelling out for a $299 KiwiSDR instead, which is also an OpenWebRX based SDR.
Thanks to a RTL-SDR.COM reader for submitting a tip about radiosondy.info, a weather balloon data aggregation website made by SQ6KXY. Weather balloons carry a sensor and transmitter payload called a radiosonde. These radiosondes transmit their data to a ground station via an RF signal, which is typically at around 400 - 406 MHz in most countries. With an RTL-SDR and decoder software (related tutorial) it is possible to receive and decode their weather data, and also often their GPS location data. The location data can be used to find and collect radiosondes once they reach the ground.
SQ6KXY has created a website called radiosondy.info which aims to aggregate and make weather balloon data received by contributors public. It is similar to sites like flightradar24 which aggregate ADS-B data from aircraft. The main page allows you to view radiosondes that are currently flying, and the archive of previous flights.
To make contributing to the site as simple as possible, SQ6KXY has created a custom image for the Raspberry Pi, which is automatically generated by the website for your particular user account, local radiosonde frequency requirements, and number of SDRs. They don't specifically mention it, but we assume that contributors are mostly using RTL-SDRs in their receivers. The custom image is available for generation after signing up.
Web tool to generate a custom Raspberry Pi Image for Radiosonde Tracking
In the first test he uses RPiTX to generate a 2-FSK signal, which is then received and decoded by a RTL-SDR V3 connected to an attenuator and laptop. The Bit Error Rate (BER) is then measured while the attenuation is increased until the decoder fails. With this test he found a MDS somewhere between -115 dBm and -125 dBm, and a maximum input power of -30 dBm before clipping.
In another test he measures the RTL-SDR's ability to withstand a blocking CW signal. The results show that even with a 65 dB stronger signal just 7 kHz away, the 2-FSK modem system was able to continue working.
Finally he concludes:
So I figure for the lower HF bands this receivers performance is OK – the ADC quantisation noise isn’t likely to impact performance and the strong signal performance is good enough. An overload of -30dBm (S9+40dB) is also acceptable given the use case is remote communications where there is unlikely to be any nearby transmitters in the input filter passband.
Over the last few months we've been working on a 4-input coherent RTL-SDR called 'KerberosSDR' (formerly known as HydraSDR) that is designed to be a low cost way to get into applications such as RF direction finding, passive radar, beam forming and more. It can also be used as a standard 4-channel SDR for monitoring multiple frequencies as well.
Phase coherent RTL-SDRs have been worked on and demonstrated several times over the past few years, but we've been disappointed to find that so far there hasn't been any easy way to replicate these experiments. The required hardware has been difficult to build and access, and the software has been kept as unreleased closed source or has been too complicated to install and use. With KerberosSDR we aim to change that by making phase coherent applications easier to access and run by providing ready to use hardware and software.
Thanks to our developer Tamás Peto, a PhD student at Budapest University of Technology and Economics whom we hired via the ad in our previous post, and the Othernet (formerly Outernet) engineering team who are our partners on this project, we've been able to build a working system, and demonstrate coherent direction finding and passive radar working as expected (demo videos below). We plan to eventually release Tamás' code as open source so that the entire community can benefit and build on it. Also if KerberosSDR turns a profit, we plan to reinvest some of the profits into continually improving the software and expanding the list of use cases.
KerberosSDR will be usable for coherent applications from ~80-100 MHz up to 1.7 GHz (as a standard receiver it will work down to 24 MHz like a regular RTL-SDR). The lower coherent limitation is due to the phase calibration board, and could be improved by custom creating a larger calibration PCB.
At the moment we are finalizing our prototype, and plan to begin final production within the next 2-3 months.
If you have any interest in KerberosSDR, please sign up to our Kerberos mailing list.
Direction Finding
KerberosSDR can be used to find the bearing towards a signal using it's coherent direction finding capabilities. The software by Tamás currently implements several direction finding algorithms such as Bartlett, Capon, Maximum Entropy (MEM) and MUSIC. In the video below we show a quick test of the direction finding system working with a HackRF being used as a signal source, and four dipole antennas connected to KerberosSDR in a linear array. The MUSIC algorithm is used.
KerberosSDR Direction Finding Test
In the image below we also attempted to find the direction towards a known TETRA transmitter. We were able to confirm the direction with an Android compass app that points towards the known transmitter location. As the two angles match, we can be confident that Kerberos is finding the correct direction to the transmitter.
Finding the direction of a TETRA Transmitter
Passive Radar
KerberosSDR can also be used for passive radar. Normal radar systems work by transmitting a pulse of RF energy, and listening to the reflections from objects like planes, cars and ships. Passive radar works by using already existing transmitters such as those for FM/TV and listening for reflections that bounce of objects.
With a simple passive radar system you need two directional antennas and two coherent receivers. One antenna points at the transmitting 'reference' tower, and the other at the 'surveillance' area where you want to listen for reflections. It's important to try and keep as much of the reference signal out of the surveillance antenna as possible, which is why directional antennas like Yagi's are used.
The result is a doppler vs time delay graph, where the reflection of aircraft, cars, ships and other objects can be seen. The doppler gives you the speed of the object relative to your antenna and the transmitting tower, and the time delay gives you the distance relative to your antenna and the transmitter tower.
Below is an example time lapse video of KerberosSDR being used for passive radar. The reference antenna points towards a DVB-T transmitter at 588 MHz, and the surveillance antenna overlooks a small neighborhood, with aircraft sometimes flying over. The antennas we used were two very cheap TV Yagis.
You can constantly see the reflections from vehicles at small doppler values (low speeds), and every now and then you see an aircraft reflection which shows up at much higher doppler (speed) and further time delay (distance) points.
More information about KerberosSDR
KerberosSDR includes:
4x Coherent R820T2 based RTL-SDR dongles with standard 24 MHz - 1.7 GHz frequency range
On board GPIO switched wide band noise source for sample sync and phase calibration
Special phase calibration PCB for 4x inputs. Required to make the Kerberos phase coherent.
On board USB Hub, so only one USB port is required on the PC
Shielded metal enclosure
KerberosSDR can also be extended to 8x receivers by daisy chaining two boards together, so that their clocks and noise sources are connected. We've also taken into account undesirable effects such as heat related PLL drift which can be an issue for phase coherence.
At the moment we are also investigating whether singleboard computers like the Raspberry Pi 3 or Tinkerboard can be used, and there will be a header available for powering them via the Kerberos PCB. In the future we also plan to work on optimizing the code and potentially using CUDA/OpenCL GPU optimizations for passive radar so everything runs smoothly.
Once released we plan to have extensive tutorials and documentation that show exactly how to set up and replicate direction finding and passive radar experiments with low cost antennas.
Screenshots of KerberosSDR software:
Screenshots of each KerberosSDR software screen
Remember, if you're interested please sign up to the KerberosSDR mailing list for announcements and the chance to get in early with the cheaper first 100 units.
Be on the look out for more interesting demos that will be posted in the coming weeks!
[the_ad id="14114"]
Update: Please note that due to a Trademark complaint, we have changed the name of this unit from HydraSDR to KerberosSDR.
KerberosSDR Updates: 27 August 18
This week we've managed to get the KerberosSDR demo software made by Tamás Peto functioning on a TinkerBoard. The TinkerBoard is a US$60 single board computer. It's similar to a Raspberry Pi 3, but more powerful. We've also tested the app running on the Raspberry Pi 3 and Odroid XU4. The Pi 3 is capable of running the software but it is a little slow, and the Odroid XU4 is a little faster than the TinkerBoard. In the future we hope to further optimize the code so even Raspberry Pi 3's will be smooth.
In the video below we used a circular array of four whip antennas connected to KerberosSDR. The TinkerBoard is connected to KerberosSDR and is set up to generate a WiFi hotspot, which we connect to with an Android phone and a Windows laptop. The Windows laptop connects to the TinkerBoard's desktop via VNC, and the Android phone receives an HTML/JavaScript based compass display via an Apache server running on the Tinkerboard. With this setup we can wirelessly control and view information from KerberosSDR and the TinkerBoard.
We've also tested the KerberosSDR system on a real signal, and have found it to work as expected. More demo's of that coming later.
KerberosSDR Direction Finding Test 2: Tinkerboard + Circular Array
KerberosSDR Prototype with TinkerBoard Running Computations
KerberosSDR Updates: 4 September 2018
In this post we'll show an experiment that we performed which was to pinpoint the location of a transmitter using KerberosSDR's coherent direction finding capabilities. RF direction finding is the art of using equipment to determine the location of a transmitting signal. The simplest way is by using a directional antenna like a Yagi to try and determine the bearing based on signal strength. Another method is using a pseudo-doppler or coherent array of antennas to determine a bearing based on phase information.
For the test we tuned the KerberosSDR RTL-SDRs to listen to a signal at 858 MHz and then drove to multiple locations to take direction readings. The antennas were set up as a linear array of four dipole antennas mounted on the windshield of a car. To save space, the dipoles were spaced at approximately a 1/3 the frequency wavelength, but we note that optimal spacing is at half a wavelength. The four dipole antennas were connected to KerberosSDR, with a laptop running the direction finding demo software.
Low cost direction finding array mounted to vehicle windshield.
Our open source demo software (to be released later when KerberosSDR ships) developed by Tamás Peto gives us a graph and compass display that shows the measured bearing towards the transmitter location. The measured bearing is relative to the antenna array, so we simply convert it by taking the difference between the car's bearing (determined approximately via road direction and landmarks in Google Earth) and the measured bearing. This hopefully results in a line crossing near to the transmitter. Multiple readings taken at different locations will end up intersecting, and where the intersection occurs is near to where the transmitter should be.
KerberoSDR SDR Directing Finding DOA Reading
In the image below you can see the five bearing measurements that we made with KerberosSDR. Four lines converge to the vicinity of the transmitter, and one diverges. The divergent reading can be explained by multipath. In that location the direct path to the transmitter was blocked by a large house and trees, so it probably detected the signal as coming in from the direction of a reflection. But regardless with four good readings it was possible to pinpoint the transmitting tower to within 400 meters.
In the future we hope to be able to automate this process by using GPS and/or e-compass data to automatically draw bearings on a map as the car moves around. The readings could also be combined with signal strength heatmap data for improved accuracy.
This sort of capability could be useful for finding the transmit location of a mystery signal, locating a lost beacon, locating pirate or interfering transmitters, determining a source of noise and more.
KerberosSDR pinpointing a transmitters location
KerberosSDR Updates 7 September 2018
For this test we parked our car to the side of a highway and pointed a cheap DVB-T Yagi antenna towards a DVB-T transmission tower, and another cheap Yagi down the road. The video shown below displays the results captured over a 5 minute period. The blips on the top half of the display indicate vehicles closing on our location (positive doppler shift), and the blips on the bottom half indicate objects moving away (negative doppler shift).
DVB-T Antennas In Car
The resolution of each individual vehicle is not great, but it is sufficient to see the overall speed of the highway and could be used to determine if a road is experiencing traffic slowdowns or not. When larger vehicles pass by it is also obvious on the display by the brighter blip that they show. The display also shows us that the highway direction coming towards us is much busier than the direction moving away.
In the future we'll be working on optimizing the code so that the display updates much faster and smoother. It may also be possible in the future to use the third and fourth tuners to obtain even greater object resolution.
KerberosSDR Updates 27 September 2018
In this post we're showing some more passive radar demos. The first video is a time lapse of aircraft coming in to land at a nearby airport. The setup consists of two DVB-T Yagi antennas, with KerberosSDR tuned to a DVB-T signal at 584 MHz. The reference antenna points towards a TV tower to the west, and the surveillance antenna points south. Two highlighted lines indicate roughly where reflections can be seen from within the beam width (not taking into account blockages from mountains, trees etc).
The second video shows a short time lapse of a circling helicopter captured by the passive radar. The helicopter did not show up on ADS-B. On the left are reflections from cars and in the middle you can see the helicopter's reflection moving around.
We are expecting to receive the final prototype of KerberosSDR within the next few weeks. If all is well we may begin taking pre-orders shortly after confirming the prototype.
During the Cyberspectrum Wireless Village talks a few days ago Gavin Rozzi gave a talk about his online RTLSDR-based trunking scanner website at ocradio.live. Recently he wrote in and wanted to share a little more about his system. He writes:
[The talk focuses] on my experience implementing several open source software packages to create an online RTLSDR-based trunking scanner website, https://ocradio.live/ that serves the part of New Jersey that I live in. Using multiple RTLSDR receiving locations, the site is demodulating, recording, and timeshifting multiple talkgroups of local and state trunked radio systems to create a live streaming service and archive of past scanner calls. Data from the site is also accessible over a REST API and we allow the creation of custom scan lists. My presentation is going to center on the advantages the site has over traditional hardware scanners and some of the technical challenges that we had to overcome to get the project off the ground.
Recently Arstechnica ran a story about how during this August's Black Hat security conference, researchers Billy Rios and Jonathan Butts revealed that a HackRF software defined radio could be used to withhold a scheduled dose of insulin from a Medtronic Insulin Pump. An insulin pump is a device that attaches to the body of a diabetic person and deliveries short bursts of insulin throughout the day. The Medtronic Insulin Pump has a wireless remote control function that can be exploited with the HackRF. About the exploit MiniMed wrote in response:
In May 2018, an external security researcher notified Medtronic of a potential security vulnerability with the MiniMedTM Paradigm™ family of insulin pumps and corresponding remote controller. We assessed the vulnerability and today issued an advisory, which was reviewed and approved by the FDA, ICS-CERT and Whitescope.
This vulnerability impacts only the subset of users who use a remote controller to deliver the Easy Bolus™ to their insulin pump. In the advisory, as well as through notifications to healthcare professionals and patients, we communicate some precautions that users of the remote controller can take to minimize risk and protect the security of their pump.
As part of our commitment to customer safety and device security, Medtronic is working closely with industry regulators and researchers to anticipate and respond to potential risks. In addition to our ongoing work with the security community, Medtronic has already taken several concrete actions to enhance device security and will continue to make significant investments to improve device security protection.
In addition to this wireless hack they also revealed issues with Medtronic's pacemaker, where they found that they could hack it via compromised programming hardware, and cause it to deliver incorrect shock treatments.
Earlier in the year we also posted about how an RTL-SDR could be used to sniff RF data packets from a Minimed Insulin pump using the rtlmm software, and back in 2016 we posted how data could be sniffed from an implanted defibrillator.
Thanks to IU2EFA (William) for writing in and letting us know about his success in decoding telemetry from the moon orbiting satellite known as DSLWP-B / LONGJIANG-2. LONJIANG-2 is a Chinese lunar microsatellite (45kg) that was launched in May 2018. It is designed to perform ultra long-wave radio astronomy observations. It also has an on board camera and took some nice photos of the Earth back in June.
While the satellite is still being tested, William notes that it is transmitting telemetry data to Earth during it's scheduled days at 435.4 MHz and 436.4 MHz, and the signal can be received with an RTL-SDR and Yagi antenna. William writes:
[LONJIAN-2] transmits with a little linear antenna and a little power of just 2 Watts.
In other sessions, I used a professional radio to have the maximum performance.
But this morning I wanted to test the reception, just using my RTLSDR V3 and my antenna yagi 15 elements pointed to the Moon. No other options (as filters, pre aplifiers, or other stuffs. Zero of these)
Well, the result was great. I received the signals and also i could decode them!
So I think people can be happy to know, that with a very little setup, they can receive incredible little signals from great distances.
When I received these signals, the Moon distance was about 378500 km.
LONGJIAN-2 transmits telemetry with GMSK and JT4G, and JT4G can be decoded with WSJT-X or WSJT 10. There is also a GNU Radio program called gr-dslwp that can be used to decode the telemetry. JT4G is a weak signal coding that can be decoded with signal levels down to -17 dB. Therefore anyone with modest hardware can decode the satellite. More information about the coding can be found on this post by Daniel Estevez.
On the Lilacsat page for LONGJIANG-2 if you scroll down you can also see reports from several other amateur radio operators who have managed to receive the satellite with RTL-SDR dongles and other radios. Below is an image of an example for SP5ULN who was able to receive and decode the JT4G signal with an RTL-SDR, LNA, and 19-element Yagi.
Example of LONJIAN-2 being received with an RTL-SDR by SP5ULN as noted on the LilacSat website.
