Building an RTL-SDR “Moto Mod”

One nice feature of modern Motorola smartphones is that some models can accept ‘mods’, which are essentially phone cases that snap onto the back of the phone and interface via some exposed data pins. Some examples include a snap on speaker, projector, battery pack and zoom lens. Currently Moto Mods and Indiegogo are running a promotional campaign that gives developers a chance to pitch new Moto Mod ideas to Motorola, and if successful be partnered with Motorola and receive funding to complete and sell the hardware.

Vaclav Bouse is one developer who has been working on an RTL-SDR based Moto Mod. The idea is to integrate RTL-SDR hardware into the Moto Mod phone case form factor and possibly even add transceiver capabilities via an AX5043 transceiver chip. The hardware is still in the very early concept and design phases, and Vaclav is seeking donations on Indiegogo to help fund the development of a prototype (note that donating will not get you the final product). As it will be an RTL-SDR, it should be compatible with all Android RTL-SDR software, such as SDR Touch.

The hardware is also related to his other Moto Mod campaign idea which is a universal remote control.

The Moto Mod RTL-SDR Concept
The Moto Mod RTL-SDR Concept

Reverse Engineering Linear DX Wireless Door Locks

Employees at the network data security company Duo recently had their interest piqued when they discovered that their office’s keycard based door system had a wireless remote which was used by reception to unlock and lock the door. The device was a DX model magnetic lock created by Linear.

After noting down the FCC ID printed on the device, they determined that the operating frequency was 315 MHz. They discovered from the documentation that each wireless DX device is encoded with a unique code that is precoded at the factory. Only remotes with the correct code programmed in can open the door.

The first attack they tried was a simple replay attack. They used a HackRF to record the signal, and then play it back again. This worked perfectly first time.

Next they decided to take this further and reverse engineer the protocol and see if a brute force attack could be applied. By doing some logic analysis on the circuit, they were able to figure out how to iterate over the entire key space. It turns out that the lock can be brute forced in at most 14.5 hours, or 7.25 hours on average.

The Linear DX Wireless Door Lock
The Linear DX Wireless Door Lock

Video Tutorial: Transmitting Signals with a Raspberry Pi

Over on YouTube Crazy Danish Hacker, who earlier brought us an excellent video tutorial series on GSM sniffing, has now uploaded a two part series that shows how to transmit signals with a Raspberry Pi and the PiFM and RPiTX software. We’ve featured RPiTX several times on this blog before as a cheap TX complement to the RTL-SDR. The software allows you to modulate a GPIO pin on your Raspberry Pi in such a way that it produces AM/FM/SSB etc radio signals at a frequency of choice.

Crazy Danish Hackers tutorial shows us how to set up RPiTX, starting from installing Raspbian and enabling SSH to installing the software and actually transmitting something. Some useful tips to get around common problems are also presented.

An RTL-SDR Based Wireless Backscatter Soil Moisture Sensor Network

Recently researcher Spyros Daskalakis wrote in to us and wanted to share his Masters thesis research which is titled ‘Environmental Scatter Radio Sensors with RF Energy Harvesting‘. The research involved creating a low cost, low power (200 microwatt) and yet long range (up to 250m) sensor network for monitoring soil moisture on farms. An RTL-SDR dongle is utilized to receive data from the sensors and MATLAB is used to decode the data.

One interesting innovation is that the sensors transmit data via a backscatter technique which is similar to how RFID tags are read. A carrier emitter is placed in the center of a cluster of sensors and the sensors receive RF bursts from it. The sensor antenna acts as a carrier reflector, and information is modulated onto the reflected signal by changing the antenna-load reflection coefficients according to the sensor reading. This method allows the sensors to only require extremely small amounts of power from a button battery or solar panel in order to transmit at distances of up to 250m. Spyros also proposes using wireless RF energy harvesting techniques which could harvest the electricity needed to power the circuit directly from the carrier emitters or powerful local FM stations.

Spyros’ thesis is available here, and a research paper here.

Backscatter Sensors and RTL-SDR. Received backscatter spectrum.
Backscatter Sensors and RTL-SDR (left). Received backscatter spectrum (right).

Airspy HF+: An upcoming low cost yet high performance HF SDR

Over on the Airspy Yahoo forums and Twitter we’ve seen news of an upcoming new product from the developers of the Airspy SDR. The new product is called the Airspy HF+ and will be a low cost, yet extremely high performance HF specialty radio.

Preliminary specs:

RX range: 0 .. 30 MHz (HF) and 60 – 270 MHz (+)
Architecture: Hybrid (Direct conversion + DDC) using 2 x sigma delta ADC’s @ 36MSPS
Front end: Tracking Filters (all bands), High Dynamic Range LNA’s and Mixers
AGC: Smart AGC controlled by the DSP
DSP: CIC, CFIR and a final (programmable) channel FIR – 18bit resolution
Final bandwidth/resolution after DDC: 18bit @ 600kHz – Scaled and streamed as 16bit
Image rejection: better than 120dBc
Blocking DR: 108 dB
Separate HF and VHF RF inputs – with option to use one multiplexed input if desired
USB 2.0 with Plug and play – No drivers needed
The RF section resides inside a metal shield
Aluminium enclosure about 60 x 100 x 15 mm^3

Basically, this addresses the lack of affordable and good performing receivers for HF and VHF.
Target price < $200

As with all Airspy products the SDR focuses on achieving extremely high dynamic range. From the specs is seems that the dynamic range and image rejection will be high enough so that even extremely strong broadcast AM or FM stations will not require any filtering or attenuation. They are also confident enough to say that no gain sliders will need to ever be adjusted to avoid overload.

For SWLers and MW DXers this seems like the ideal SDR as it should perform as well as high end SDRs like the Perseus, RFSpace and Elad SDRs, but at a fraction of the price.

The product is still in development and no release date has been offered yet, but judging from the Twitter feed the prototype is already working.

Searching for giga-Jansky fast radio bursts from the Milky Way with a global array of low-cost radio receivers (RTL-SDRs)

A few days ago a University research paper titled “Searching for giga-Jansky fast radio bursts from the Milky Way with a global array of low-cost radio receivers” was uploaded to the Cornell University Library. In this paper authors Dan Maoz of Tel-Aviv University and Abraham Loeb of Harvard suggest that citizen science enabled mobile phones and RTL-SDR dongles placed around the world could be used to detect fast radio bursts (FRBs) originating from within our own galaxy. The abstract reads:

If fast radio bursts (FRBs) originate from galaxies at cosmological distances, then their all-sky rate implies that the Milky Way may host an FRB on average once every 30-1500 years. If FRBs repeat for decades or centuies, a local FRB could be active now. A typical Galactic FRB would produce a millisecond radio pulse with ~1 GHz flux density of ~3E10 Jy, comparable to the radio flux levels and frequencies of cellular communication devices (cell phones, Wi-Fi, GPS). We propose to search for Galactic FRBs using a global array of low-cost radio receivers. One possibility is to use the ~1GHz communication channel in cellular phones through a Citizens-Science downloadable application. Participating phones would continuously listen for and record candidate FRBs and would periodically upload information to a central data processing website, which correlates the incoming data from all participants, to identify the signature of a real, globe-encompassing, FRB from an astronomical distance. Triangulation of the GPS-based pulse arrival times reported from different locations will provide the FRB sky position, potentially to arc-second accuracy. Pulse arrival times from phones operating at diverse frequencies, or from an on-device de-dispersion search, will yield the dispersion measure (DM) which will indicate the FRB source distance within the Galaxy. A variant of this approach would be to use the built-in ~100 MHz FM-radio receivers present in cell phones for an FRB search at lower frequencies. Alternatively, numerous “software-defined radio” (SDR) devices, costing ~$10 US each, could be plugged into USB ports of personal computers around the world (particularly in radio quiet regions) to establish the global network of receivers.

‘Fast radio bursts’ or FRBs are very brief pulses of extremely strong radio waves which have the transmit power of 500 million suns, though by the time they reach the earth they can only be picked up by radio telescopes. Radio astronomers have so far been mystified by the cause of these FRBs, and research has been hampered by the fact that the source of FRBs is notoriously difficult to pinpoint because they are unpredictable, and their energy appears to originate from all over the sky and not from a single point. Many scientists think that most FRBs must originate from outside of our galaxy, and in 2016 one was finally pinpointed as coming from a dwarf galaxy 2.5 billion light years away from earth. But the authors of the paper speculate from the rate of how often FRBs are seen, that our Milky Way galaxy could host its own local FRB event once every 30 – 1500 years.

If an FRB occurs within our own galaxy then they speculate that the received power could be strong enough to be detected by consumer level mobile phones or RTL-SDR radios, meaning that no large radio telescope dish is required for detection. By continuously monitoring for FRBs on mobile phones and/or RTL-SDRs spread around the world, a local FRB source could one day be pinpointed thanks to the high resolving power of multiple detectors spread apart.

[Also discussed at]
The Very Large Array in Mexico was used to pinpoint an FRB in 2016.
The Very Large Array in Mexico was used to pinpoint an FRB in 2016.
Illustration of an FRB. Certain frequencies arrive faster than others.
Illustration of an FRB. Certain frequencies arrive faster than others.

Soft66IP: Network Connected RTL-SDR with rtl_tcp

Previously from JA7TDO who is a RTL-SDR builder in Japan we’d seen the Soft66RTL and Soft66Q which are both modified RTL-SDR units that are capable of receiving HF as well. To receive HF the Soft66RTL used an upconverter circuit and the newer Soft66Q uses an implementation of the direct sampling mod. Both units come with a preselection filter for the HF bands.

Now JA7TDO has managed to come out with a new modified RTL-SDR which he calls the Soft66IP. The Soft66IP appears to have the same specifications at the Soft66Q except without the additional preselection filter. Instead, its defining feature is that it is built together which what we assume is a Linux enabled wireless router, or some other networked single board PC. This allows you to easily get set up with rtl_tcp for streaming the radio over your network, or the internet. It seems that the unit comes preloaded with the rtl_tcp software installed, making it almost plug and play. JA7TDO advertises the features as:

  • RTL-SDR based
  • 3kHz to 1.7GHz (15MHz to 24MHz is over sampling)
  • 10/100Mbps Ethernet
  • DHCP
  • Wifi(option)
  • cheap price

Streaming the radio over a network might be advantageous as it allows you to place the unit near the antenna, avoiding long coax or USB cable runs. But rtl_tcp is quite bandwidth heavy, so it can have trouble streaming at higher sample rates. However, whatever single board PC is used on the Soft66IP may also be capable of running other more efficient streaming software such as OpenWebRX, or more specialized applications such as networked ADS-B decoders as well.

JA7TDO is selling the Soft66IP for a pre-order price of $80 USD which includes worldwide shipping. Shipping starts on March 1. After the pre-order phase the price may rise to $96 USD.

The Soft66IP, networked RTL-SDR.
The Soft66IP, networked RTL-SDR.

Reverse Engineering Signals with the Universal Radio Hacker Software

Thanks to reader M Kizan who notified us about a Python based digital signal reverse engineering software program called ‘Universal Radio Hacker’ which is developed by Johannes Pohl. The software supports hardware interfaces for SDRs such as the RTL-SDR and HackRF and can be run on Windows, MacOS and Linux.

The Universal Radio Hacker is a software for investigating unknown wireless protocols. Features include

  • hardware interfaces for common Software Defined Radios
  • easy demodulation of signals
  • assigning participants to keep overview of your data
  • customizable decodings to crack even sophisticated
  • encodings like CC1101 data whitening
  • assign labels to reveal the logic of the protocol
  • fuzzing component to find security leaks
  • modulation support to inject the data back into the system

Inspectrum and Waveconverter are two similar programs for analyzing digital signals, however Universal Radio Hacker seems to be the most advanced.

Johannes has also uploaded four tutorial videos to YouTube which show the software in action. In the videos he uses Universal Radio Hacker to reverse engineer a wirelessly controlled power socket, and then in the last video he uses the software to transmit the reverse engineered signals via a HackRF.