There is a war going on between game console designers and the console modding community. Modders hack the console so that they can jailbreak it and install their own custom firmware, while console designers are constantly finding new ways to prevent unauthorized modding. Custom firmware allows a console to run homebrew applications such as media players and emulators, using the console in ways it was never intended to be used.
My idea was to hook up a rtl-sdr device to the PS3 4k between chassis and real ground (yes, I actually have a two meter copper rod buried in my lawn) using the antenna leads. First I had to make sure the PS3 4k chassis wasn’t grounded in the outlet, and that no video out or USB connector was hooked up to ground indirectly via other hardware. If you want to try this, make sure that the rtl-sdr antenna leads are the only lead between the PS3 mobo/chassis and real ground. Before connecting the rtl-sdr antenna leads I measured the voltage on the PS3 chassis, which peaked at around 1.8V; that was safe enough, as I didn’t want to blow it up on the first try.
This method will effectively turn your console into an “active antenna” leaking all kinds of interesting data across the rtl-sdr frequency spectrum (between 24 – 1766 MHz). After hooking it up, I started using gqrx on my laptop to look for signal peaks while the PS3 4k was turned on. After finding a peak I just powered off the PS3 completely and turned it back on; using the waterfall plot you’ve seen in my first post I can see if there is something interesting happening during boot and verify that the signal is indeed coming from the PS3. In a similar way I learned to distinguish between the PS3 BD drive, GPU and CPU, which pop up at different frequencies. Then I dumped the data (I/Q recording) that looked interesting and made a note of the frequency.
It’s hard to describe the incredible feeling when you tune into a good signal and start watching the waterfall plot revealing opcodes, register bits and what might be stack contents. The Acoustic Cryptanalysis paper (PDF) has a lot of good info on how to interpret the output from various window functions in the plot.
What I’m coding right now is a gnuradio-companion block which will filter and test the dumped data for decryption keys against encrypted PS3 data.
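The on/off comparison described above (record with the console powered off, record again with it on, look for peaks that only appear in the second waterfall) can be done offline on the dumped I/Q files. The following is an added example and not code from the post's author or from gqrx/GNU Radio: it averages a Hann-windowed power spectrum over a recording, subtracts a baseline recording, and reports the frequency offsets that stand out. The recordings are constructed (noise plus one CW tone standing in for an emission); `load_rtl_u8` converts the interleaved unsigned 8-bit I/Q format that `rtl_sdr` writes, so a real capture can be fed in the same way. Sample rate, FFT size and the 10 dB margin are assumptions.

```python
import cmath
import math
import random


def load_rtl_u8(raw):
    """Convert rtl_sdr's interleaved unsigned 8-bit I/Q bytes to complex samples."""
    return [complex((raw[i] - 127.5) / 127.5, (raw[i + 1] - 127.5) / 127.5)
            for i in range(0, len(raw) - 1, 2)]


def fft(x):
    """Iterative radix-2 FFT; len(x) must be a power of two."""
    n = len(x)
    if n == 0 or n & (n - 1):
        raise ValueError("FFT length must be a power of two")
    a = list(x)
    j = 0
    for i in range(1, n):  # bit-reversal permutation
        bit = n >> 1
        while j & bit:
            j ^= bit
            bit >>= 1
        j ^= bit
        if i < j:
            a[i], a[j] = a[j], a[i]
    length = 2
    while length <= n:  # butterflies
        w = cmath.exp(-2j * math.pi / length)
        half = length // 2
        for start in range(0, n, length):
            wn = 1.0
            for k in range(half):
                u = a[start + k]
                v = a[start + k + half] * wn
                a[start + k] = u + v
                a[start + k + half] = u - v
                wn *= w
        length <<= 1
    return a


def averaged_psd_db(iq, nfft=256):
    """Hann-windowed power spectrum averaged over every full frame, shifted so that
    index 0 is -fs/2 and index nfft//2 is DC (the layout of one waterfall row)."""
    frames = len(iq) // nfft
    if frames == 0:
        raise ValueError("recording shorter than one FFT frame")
    window = [0.5 - 0.5 * math.cos(2 * math.pi * i / nfft) for i in range(nfft)]
    acc = [0.0] * nfft
    for f in range(frames):
        seg = iq[f * nfft:(f + 1) * nfft]
        spec = fft([s * w for s, w in zip(seg, window)])
        for k in range(nfft):
            acc[k] += abs(spec[k]) ** 2
    half = nfft // 2
    shifted = acc[half:] + acc[:half]
    return [10 * math.log10(p / frames + 1e-30) for p in shifted]


def bin_to_hz(k, fs, nfft):
    """Offset from the tuned centre frequency for a shifted FFT bin index."""
    return (k - nfft // 2) * fs / nfft


def find_emissions(iq_on, iq_off, fs, nfft=256, margin_db=10.0):
    """Bins where the device-on recording exceeds the device-off baseline by more
    than margin_db. Returns [(offset_hz, delta_db), ...]."""
    on = averaged_psd_db(iq_on, nfft)
    off = averaged_psd_db(iq_off, nfft)
    return [(bin_to_hz(k, fs, nfft), a - b)
            for k, (a, b) in enumerate(zip(on, off)) if a - b > margin_db]


def synth_iq(n, fs, tone_hz=None, tone_amp=0.3, noise=0.05, seed=1):
    """Constructed recording: complex Gaussian noise plus an optional CW tone
    standing in for a device emission. Not real capture data."""
    rng = random.Random(seed)
    out = []
    for i in range(n):
        s = complex(rng.gauss(0.0, noise), rng.gauss(0.0, noise))
        if tone_hz is not None:
            s += tone_amp * cmath.exp(2j * math.pi * tone_hz * i / fs)
        out.append(s)
    return out


if __name__ == "__main__":
    FS = 2.4e6  # assumed dongle sample rate
    off = synth_iq(256 * 64, FS, seed=1)                 # console powered off
    on = synth_iq(256 * 64, FS, tone_hz=300e3, seed=2)   # console on: emission at +300 kHz
    for hz, db in find_emissions(on, off, FS):
        print("emission at %+.0f Hz: %.1f dB above baseline" % (hz, db))
```

Averaging over many frames is what makes the comparison usable: a single FFT of noisy I/Q fluctuates by several dB per bin, so the baseline has to be averaged as carefully as the signal, and a recording of the same length taken with the device off is the cleanest baseline. With a Hann window the tone spreads into its two neighbouring bins, so expect a reported peak to be up to three bins wide.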
You can get these changes from https://github.com/mutability/rtl-sdr/ (you’ll need to build from source yourself). There should be no application changes needed, just tune as normal. (gqrx needs the “no limits” option turned on)
These changes work by limiting the tuner to a range of frequencies that it can reliably tune to, then allowing tuning beyond those bounds by making the 2832’s downconverter do the final bit of tuning. This can add up to 14.4MHz to each end of the range. Also, the tuner is switched to low-side mixing at the top of the range, which gives a bit more range there. The practical range is limited by the width of the IF filter and aliasing effects at the extreme edges of the downconverter’s range.
I’ve been able to pick up broadcast AM and amateur CW/SSB down to around 15.5MHz without too much trouble.
I’d be interested to know how this works for others. Also, these changes are likely to have broken offset tuning, direct sampling mods, and tuners other than the R820T, as it touches all those areas but I only have an unmodified R820T to test against. If you have different hardware and are willing to spend some time testing then please let me know. I expect that the range of the other tuners can be extended in the same way with not much trouble.
Over on the Reddit RTL-SDR discussion board there has been talk about this patch. Most users are reporting that it works well down to around 15 MHz, but some people are reporting that they have been able to receive signals down to around 4 MHz. Testers also report that this modified driver works much better than the no-hardware direct sampling mod patch released a few months ago.
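The split the patch describes, where the tuner is clamped to a range it can reliably reach and the RTL2832's downconverter supplies the remaining offset, is easy to state as a small planner. This is an added illustration, not code from the mutability driver: the 24 – 1766 MHz tuner bounds and the 14.4 MHz downconverter limit are taken from the text, but the real driver's exact constants and its low-side switch point are not on the page, so treat them as assumptions.

```python
from dataclasses import dataclass

# Assumed values for the example: the reliable R820T range and the extra shift the
# RTL2832 downconverter can supply ("up to 14.4 MHz to each end of the range").
TUNER_MIN_HZ = 24_000_000
TUNER_MAX_HZ = 1_766_000_000
DOWNCONV_MAX_HZ = 14_400_000


@dataclass(frozen=True)
class TuningPlan:
    tuner_hz: int      # frequency the R820T is actually programmed to
    downconv_hz: int   # signed shift the RTL2832 downconverter must apply
    low_side: bool     # tuner LO below the signal (used at the top of the range)


def extended_range():
    """Lowest and highest frequency reachable with the downconverter's help."""
    return (TUNER_MIN_HZ - DOWNCONV_MAX_HZ, TUNER_MAX_HZ + DOWNCONV_MAX_HZ)


def plan_tuning(target_hz):
    """Clamp the tuner to its reliable range and hand the remainder to the
    downconverter; reject targets the downconverter cannot reach."""
    if target_hz < TUNER_MIN_HZ:
        tuner, low_side = TUNER_MIN_HZ, False
    elif target_hz > TUNER_MAX_HZ:
        # Simplification: low-side mixing is modelled only for the overrun at the top.
        tuner, low_side = TUNER_MAX_HZ, True
    else:
        tuner, low_side = target_hz, False
    shift = target_hz - tuner
    if abs(shift) > DOWNCONV_MAX_HZ:
        lo, hi = extended_range()
        raise ValueError("%d Hz is outside the extended range %d-%d Hz" % (target_hz, lo, hi))
    return TuningPlan(tuner, shift, low_side)


if __name__ == "__main__":
    for f in (15_500_000, 100_000_000, 1_775_000_000):
        p = plan_tuning(f)
        print("%d Hz -> tuner %d Hz, downconverter %+d Hz, low side=%s"
              % (f, p.tuner_hz, p.downconv_hz, p.low_side))
```

The caveat the author gives about the IF filter follows directly from the plan: a target near either end of the extended range ends up with a shift close to 14.4 MHz, which is where the signal sits at the very edge of the IF filter and aliasing starts to matter, so reports of reception "down to around 15 MHz" rather than the theoretical 9.6 MHz are consistent with this model.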
The military air communications monitoring enthusiasts over at milaircomms.com have been using a system involving RTL-SDRs to monitor military air traffic through ADS-B. While military aircraft generally do not transmit GPS position information like commercial aircraft do, they are still able to record live information such as the aircraft’s hex code, registration number, aircraft type, the base station location and a graph of recorded altitudes. They also log all this data showing where military aircraft have been spotted over time.
To receive this information they so far have a network of about 30 volunteers running RTL-SDR based ground stations that use their custom MilAirComms1090 software. If you want to contribute, the software is available for Windows and for Linux/Raspberry Pi.
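The fields the MilAirComms volunteers log (ICAO hex code, identification and altitude) come from Mode S extended squitter frames, and they are usable even when no position is broadcast. The following is an added example, not code from MilAirComms1090 or dump1090: it checks the 24-bit Mode S CRC, pulls the ICAO address and type code out of a 112-bit DF17 frame, and decodes the callsign (type codes 1–4) or the barometric altitude from an airborne position frame (type codes 9–18, Q-bit form only). The two frames in the usage section are published sample messages; the frame assembled in the usage section with `parity_for` is constructed for the example.

```python
CRC_POLY = 0x1FFF409  # Mode S 24-bit CRC generator, written with its x^24 term

# 6-bit identification character set; '#' marks codes that are not valid
CALLSIGN_CHARS = "#ABCDEFGHIJKLMNOPQRSTUVWXYZ#####_###############0123456789######"


def modes_crc(msg_hex):
    """Polynomial remainder of the whole frame; an intact DF17 frame gives 0."""
    nbits = len(msg_hex) * 4
    v = int(msg_hex, 16)
    for i in range(nbits - 1, 23, -1):   # long division over GF(2), MSB first
        if (v >> i) & 1:
            v ^= CRC_POLY << (i - 24)
    return v & 0xFFFFFF


def parity_for(data_hex):
    """24-bit parity to append to the 88-bit data part when assembling a frame."""
    return modes_crc(data_hex + "000000")


def decode_df17(msg_hex):
    """Decode the fields a ground station can log without any position data."""
    if len(msg_hex) != 28:
        raise ValueError("expected a 112-bit (28 hex digit) frame")
    bits = bin(int(msg_hex, 16))[2:].zfill(112)
    if int(bits[0:5], 2) != 17:
        return None                      # not an extended squitter
    me = bits[32:88]                     # 56-bit ME field
    tc = int(me[0:5], 2)
    out = {"icao": msg_hex[2:8].upper(), "typecode": tc,
           "crc_ok": modes_crc(msg_hex) == 0}
    if 1 <= tc <= 4:                     # aircraft identification: 8 x 6-bit chars
        cs = "".join(CALLSIGN_CHARS[int(me[8 + 6 * i:14 + 6 * i], 2)] for i in range(8))
        out["callsign"] = cs.replace("_", " ").strip()
    elif 9 <= tc <= 18:                  # airborne position; altitude stands on its own
        alt = me[8:20]
        if alt[7] == "1":                # Q bit set: 25 ft steps, drop the Q bit
            out["altitude_ft"] = int(alt[:7] + alt[8:], 2) * 25 - 1000
    return out


if __name__ == "__main__":
    for frame in ("8D4840D6202CC371C32CE0576098",   # identification frame
                  "8D40621D58C382D690C8AC2863A7"):  # airborne position frame
        print(frame, decode_df17(frame))
    # Assemble a frame from the data part of the first message and verify it checks.
    data = "8D4840D6202CC371C32CE0"
    built = data + "%06X" % parity_for(data)
    print(built, "crc ok:", modes_crc(built) == 0)
```

Reject frames whose `crc_ok` is false before logging anything: a single flipped bit in a noisy 1090 MHz capture otherwise turns into a phantom aircraft with a plausible-looking hex code, which is exactly the kind of record a spotter database should not accumulate.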
Since the HackRF was shipped to Kickstarter backers there have been a few new short videos uploaded to YouTube showing some transmit experiments that people have done.
Here YouTube user CFSworks uses his HackRF to record and replay a signal that causes the charge port on his Tesla Model S electric car to open.
HackRF vs. Tesla Model S
In this video YouTube user Chief Tinker shows his HackRF being used to ring his house doorbell.
HackRF Doorbell Replay
In this video YouTube user alaindecarolis uses his HackRF with hackrf_transfer to record and replay a voice signal from a standard Kenwood mobile radio.
HackRF hackrf_transfer test
Here YouTube user Jiao Xianjun shows the program he created that allows someone to send arbitrary Bluetooth Low Energy (BTLE/BT4.0) packets via a HackRF board.
Bluetooth Low Energy, BTLE/BT4.0 Packet Sender. (Software Defined Radio)
Finally this video shows a little public mischief, with YouTube user sigmounte using his HackRF to turn off certain street lights via the Urban Light Management system, which uses simple radio CCIR tones.
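All of the replays above work for the same reason: the receiver accepts any frame that carries the right code, so a recording of one legitimate transmission is as good as the key. The following is an added example and not code from any of those videos, nor a model of the Tesla, doorbell, radio or street light protocols: it encodes a toy fixed-code frame as on-off-keyed baseband I/Q (the kind of samples `hackrf_transfer -r` writes and `hackrf_transfer -t` replays), captures it through a noisy channel, and replays the capture against two receivers. The fixed-code receiver opens on every replay; the counter-based receiver, an illustrative anti-replay scheme assumed here and not taken from the page, rejects the second copy. The preamble, chip length and 16-bit code are constructed values.

```python
import random

SAMPLES_PER_CHIP = 8
PREAMBLE = [1, 0, 1, 0, 1, 0, 1, 1]   # constructed sync pattern


def int_to_bits(value, n):
    return [(value >> (n - 1 - i)) & 1 for i in range(n)]


def bits_to_int(bits):
    value = 0
    for b in bits:
        value = (value << 1) | b
    return value


def ook_modulate(bits, noise=0.0, seed=0):
    """Baseband I/Q for an on-off-keyed frame: carrier on for a 1 chip, off for a 0
    chip, with Gaussian noise standing in for the channel. This is roughly what a
    capture of a simple keyfob or doorbell looks like after downconversion."""
    rng = random.Random(seed)
    iq = []
    for b in PREAMBLE + list(bits):
        amp = 1.0 if b else 0.0
        for _ in range(SAMPLES_PER_CHIP):
            iq.append(complex(amp + rng.gauss(0, noise), rng.gauss(0, noise)))
    return iq


def ook_demodulate(iq, nbits):
    """Envelope-detect per chip, locate the preamble, return the nbits after it.
    Simplified: assumes the capture starts on a chip boundary."""
    chips = []
    for i in range(0, len(iq) - SAMPLES_PER_CHIP + 1, SAMPLES_PER_CHIP):
        env = sum(abs(s) for s in iq[i:i + SAMPLES_PER_CHIP]) / SAMPLES_PER_CHIP
        chips.append(1 if env > 0.5 else 0)
    for start in range(len(chips) - len(PREAMBLE) - nbits + 1):
        if chips[start:start + len(PREAMBLE)] == PREAMBLE:
            start += len(PREAMBLE)
            return chips[start:start + nbits]
    return None


class FixedCodeReceiver:
    """Accepts any frame carrying the right 16-bit code: a capture replays forever."""

    def __init__(self, code):
        self.code = code

    def accept(self, iq):
        bits = ook_demodulate(iq, 16)
        return bits is not None and bits_to_int(bits) == self.code


class CounterReceiver:
    """Same code plus an 8-bit counter that must strictly increase. A bare counter
    stops replay of a captured frame but not a forged next value; real rolling-code
    systems also encrypt the counter. Illustrative only, not any product's protocol."""

    def __init__(self, code):
        self.code = code
        self.last = -1

    def accept(self, iq):
        bits = ook_demodulate(iq, 24)
        if bits is None:
            return False
        code, counter = bits_to_int(bits[:16]), bits_to_int(bits[16:])
        if code != self.code or counter <= self.last:
            return False
        self.last = counter
        return True


def replay_demo(code=0xA5C3):
    """Capture one legitimate press for each receiver, then replay the capture."""
    fixed, rolling = FixedCodeReceiver(code), CounterReceiver(code)
    capture_fixed = ook_modulate(int_to_bits(code, 16), noise=0.1, seed=1)
    capture_rolling = ook_modulate(int_to_bits(code, 16) + int_to_bits(1, 8), noise=0.1, seed=2)
    return {
        "fixed_first": fixed.accept(capture_fixed),
        "fixed_replay": fixed.accept(capture_fixed),
        "rolling_first": rolling.accept(capture_rolling),
        "rolling_replay": rolling.accept(capture_rolling),
    }


if __name__ == "__main__":
    for name, opened in replay_demo().items():
        print("%-15s %s" % (name, "opened" if opened else "rejected"))
```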
Blogger “French Fry Cattaneo” wanted a portable laptop with built-in SDR capability. To achieve this he opened up his Panasonic ToughBook CF-30 laptop and embedded an RTL-SDR and a FunCube dongle into the laptop using the space left by unused expansion ports.
Cattaneo connected the two SDRs to a small hub and soldered the USB hub connections directly onto a laptop USB port. He also installed an external SMA connector for the RTL-SDR and connected the FunCube’s antenna port to a cellular antenna that was built into the laptop.
He notes that there could be RF interference issues from the laptop, but has so far had no trouble receiving the strong signals he is interested in.
To do the exercises in the course you will need a HackRF or other similar SDR radio. Most exercises involving reception only should be compatible with the RTL-SDR with some small modifications, such as changing the sample rate.
FlightAware is an online service providing real time flight tracking. The flights are primarily tracked by volunteers who run ADS-B decoding hardware which is networked through the internet to the FlightAware servers.
Now FlightAware have written in to RTL-SDR.com to let us know about their new PiAware software which enables a Raspberry Pi running dump1090 to contribute data to the FlightAware network. Dump1090 is a popular RTL-SDR compatible ADS-B decoder program for Linux systems.
A major perk for running their software and contributing data is that FlightAware will buy you a licensed copy of PlanePlotter.
The press release provided is quoted below.
If you are running an inexpensive Raspberry Pi ADS-B receiver with dump1090 then you can install the PiAware Package from FlightAware to freely view nearby flight traffic and transmit this data to FlightAware’s tracking network. Most aircraft within Europe by 2017 and USA by 2020 will be required to have ADS-B transmitters onboard.
FlightAware’s user-hosted worldwide ADS-B receiver network tracks about 90,000 unique aircraft per day and feeds this live data into the FlightAware website in combination with other public/private flight tracking data sources. FlightAware has over 500 user-hosted ADS-B sites online across 60 countries, with top contributors tracking over 10,000 aircraft per day. To see how ADS-B data is put to use, check out the FlightAware Live Map.
The PiAware installation process takes only a few minutes. If you don’t have PlanePlotter, you can download it and then send FlightAware your installation’s serial number and we’ll buy you a license. FlightAware will also give users a free Enterprise Account ($90/month value) in return for installing PiAware.
New software defined radio (SDR) products are popping up every few months these days, so we thought we’d compile a big list of available SDRs, as there are a few people who were bitten by the RTL-SDR bug and are now looking to upgrade.
For each SDR we compare the cost, frequency range, ADC resolution, maximum instantaneous bandwidth, whether or not it can TX and if it has any pre selectors built in. Here is a quick guide to what some of these metrics mean.
Frequency Range: The range of frequencies the SDR can tune to.
ADC Resolution: Higher is better. More resolution means more dynamic range, less signal imaging, a lower noise floor, more sensitivity when strong signals are present and better ability to discern weak signals.
Instantaneous Bandwidth: The size of the real time RF chunk available.
RX/TX: Can the radio receive and/or transmit.
Preselectors: Analogue filters on the front end to help reduce out of band interference and imaging.
General Use Software Defined Radios
We define general use SDRs as ones with a wide frequency range and with no focus on any specific frequency band.
R820T RTL2832U a.k.a RTL-SDR
Cost: $10 – 22 USD
Frequency Range: approx. 24 MHz – 1766 MHz
ADC Resolution: 8 Bits
Max Bandwidth: 3.2 MHz (2.4 or 2.8 MHz max stable)
TX/RX: RX Only
Preselectors: None
The RTL-SDR is still the best ‘bang for your buck’ software defined radio out there. While it was never designed to be used as a general purpose SDR in the first place, its performance is still surprisingly good. If you’re on a budget or are just starting out with SDR or radio, this is the one to get.