ADS-B Traffic Analytics with Valo and an RTL-SDR

Valo is a software service for real time big data streaming analytics of data from many sensors.  On their website they explain their service as follows.

Valo is a single platform for streaming (real time) and batch (historical) data analysis. Valo provides multi-paradigm big data storage for both semi-structured and numerical data. Valo contains a powerful analytics engine for processing all of this data. Finally Valo is super simple – a single tool that can be up and running in minutes.

Recently Rémi Selva wrote in to let us know about an interesting use-case for Valo which involves the RTL-SDR. In his post Rémi shows us how he uses an RTL-SDR, Raspberry Pi running dump1090, and Valo to create interesting data visualizations of the ADS-B aircraft data. He not only shows how to visualize the data in Valo, but also how to use queries to dig deeper into the data, looking for patterns.

Valo ADS-B Data Flow
Valo ADS-B Data Flow

Rémi writes that what he’s done is simply a proof of concept that shows the power of Valo. He writes that one such interesting future development could be using Valo to detect FBI/CIA surveillance aircraft. Previously we posted about how an RTL-SDR user discovered these surveillance aircraft by their odd circular flight paths. The analytics engine of Valo could be used to automatically detect odd flight patterns such as from these surveillance aircraft. 

Plotting the history of aircraft coming into land at HK airport
Plotting the history of aircraft coming into land at HK airport

Building an S-Band Antenna for the HackRF

Mario Filippi, a regular contributor to our blog and to the SDR community recently wrote in with an article showing how he built an S-Band (2 – 4 GHz) antenna for use with the HackRF. Of course the antenna can be used with any other SDR that can receive in this range, or with an RTL-SDR and downconverter. We post his article below.

S -Band Antenna for use with the HackRF One
Author: Mario Filippi, N2HUN

Ever since purchasing a HackRF One, which receives from 1 MHz – 6.0 GHz I’ve always wanted to explore the world above 1 Gig, specifically the 2.0 – 2.7 GHz portion of the S-band. This portion of the band is populated with satellite communications, ISM, amateur radio, and wireless networks. A good, homebrew antenna for S-band was needed, so with parts mostly from the junk box, a 2250 MHz S-band right hand circularly polarized omni-directional antenna was built. Below is a step by step tutorial on building this antenna. Plans were from UHF-Satcom’s site.

The final S-band antenna
The final S-band antenna

Continue reading

Kukuruku: A new SDR client that supports RTL-SDR

A new general purpose SDR software package called “Kukuruku” has recently been released. It appears to be a Linux only based client which is based on GNURadio. The authors write that they have several interesting features which we quote below:

Network transparency. Process the data remotely and send to the client only waterfall pixels and filtered narrowband channels instead of the entire SDR baseband. With this, you can use the SDR remotely over WAN.

Multiple demodulators running at once. How the hell can this be missing?

History browsing. It happens to me all the time: I see a new station scrolling on the waterfall. Before I manage to tune to it, it disappears (or at least the callsign is over). I have 8 GB of RAM, so why can’t I store the last minute of the entire SDR baseband for future reference?

Pluggable demodulators. Why is it so much pain to add GSM, Tetra, Tetrapol and other modes to existing software? I just want to provide a binary and have the data piped to stdin.

Squelch sucks. The squelch should not care about absolute signal level, but about level relative to surrounding channels. Additionally, it should have hysteresis and a small buffer, so when it triggers, it correctly replays the beginning of the conversation. Oh, and when recording, the squelch should timestamp the parts of conversation.

Histogram. It is difficult to see clipping on the FFT output. Why don’t we have histogram of samples?

Autotune/AFC. Obvious.

Scanner. Both for automatic demodulating all peaks in the spectrum and for retuning the SDR and finding stations. Even the crappiest rtl-sdr has 2 MHz bandwidth and can retune in 50 ms. This means 1600 channels per second. Compare this with commercial scanners.

At the moment one interesting plugin for Kukuruku is the TETRA plugin. The plugin appears to use tetra-listener and TERAPOL-kit as the demodulators, and simply passes the signal data to them for decoding and audio output.

The installation instructions can be found on the user guide. So far we unfortunately haven’t been able to install and test the software due to several compilation errors occurring, so if anyone tries this out and gets it to work, please post any installation tips in the comments. 

Kukuruku running and demodulating TETRA audio with a plugin.
Kukuruku running and demodulating TETRA audio with a plugin.

rx_tools: RTL-SDR Command Line Tools (rtl_power, rtl_fm, rtl_sdr) Now Compatible With Almost Any SDR

Developer R. X. Seger has recently released rx_tools which provides SDR independent ports for the popular command line RTL-SDR tools rtl_power, rtl_fm and rtl_sdr. This means that these tools can now be used on almost any SDR, such as the bladeRF, HackRF, SDRplay, Airspy and LimeSDR. If you don’t know what the tools do, then here is a quick break down:

rtl_fm / rx_fm: Allows you to decode and listen to FM/AM/SSB radio.
rtl_sdr / rx_sdr: Allows you to record raw samples for future processing.
rtl_power / rx_power: Allows you to do wideband scans over arbitrarily wide swaths of bandwidth by hopping over and recording signal power levels over multiple chunks of spectrum.

rx_tools is based on SoapySDR which is an SDR abstraction layer. If software is developed with SoapySDR, then the software can be more easily used with any SDR, assuming a Soapy plugin for that particular SDR is written. This stops the need for software to be re-written many times for different SDR’s as instead the plugin only needs to be written once.

rx_power scan with the HackRF at 5 GHz over 9 hours.
rx_power scan with the HackRF at 5 GHz over 9 hours.

Cheating at Pokémon Go with a HackRF and GPS Spoofing

“Pokémon Go” is the latest in smartphone augmented reality gaming crazes. You may have already heard about the game on the news, or seen kids playing it in your neighborhood. To play, players must walk around in the real world with their GPS enabled smartphone, collecting different virtual Pokémon which appear at random spots in the real world, replenishing the virtual items need to collect Pokemon at “Pokéstops” and putting Pokémon to battle at “Gyms”. Pokéstops and gyms are often city landmarks such as popular shops, fountains, statues, signs etc. For those who have no idea what “Pokémon” are: Pokémon are fictional animals from a popular children’s cartoon and comic.

Since the game is GPS based, Stefan Kiese decided to see if he could cheat at the game by spoofing his GPS location using a HackRF software defined radio. When playing the game, players often walk from Pokéstop to Pokéstop, collecting Pokémon along the way, and replenishing their items. By spoofing the GPS signal he is able to simulate walking around in the physical world, potentially automating the collection of Pokémon and replenishment of items at Pokéstops.

To do this he used the off the shelf “GPS-SDR-Sim” software by Takuji Ebinuma which is a GPS Spoofing tool for transmit capable SDR’s like the HackRF, bladeRF and USRP radios. At first, when using the software Stefan noticed that the HackRF was simply jamming his GPS signals, and not simulating the satellites. He discovered the problem was with the HackRF’s clock not being accurate enough. To solve this he used a function generator to input a stable 10 MHz square wave into the HackRF’s clock input port. He also found that he needed to disable “Assisted GPS (a-gps)” on his phone which uses local cell phone towers to help improve GPS location tracking.

Next he was able to use the GPS-SDR-Sim tools to plot a simulated walking route and see his virtual character walking around on the real world map. A warning if you intend on doing this: Remember that 1) spoofing or jamming GPS is highly illegal in most countries outside of a shielded test lab setting, so you must ensure that your spoofed GPS signal does not interfere with anything, and 2) the game likely has cheating detection and will probably ban you if you don’t simulate a regular walking speed.

GPS spoofing is not new. One attempt in 2013 allowed university researchers to send a 80 million dollar 213-foot yacht off course, and it is suspected that hackers from the Iranian government have used GPS spoofing to divert and land an American stealth drone back in 2011. In past posts we also showed how security researcher Lin Huang was able to spoof GPS and bypass drone no fly restrictions.

[Also seen on]
The "Pokemon Go" GPS spoofing set up.
The “Pokemon Go” GPS spoofing set up.

RTLSDR4Everyone: Avoiding RTL-SDR Rip Off’s Part 2

Over on his blog Akos has uploaded a new post that discusses the topic of avoiding RTL-SDR rip off’s on sites like eBay. On auction sites there are many dishonest sellers who sell or resell items at overly high prices, hoping that someone will make a mistake and purchase from them.

Akos also points out how most of the “full band” direct sampling based RTL-SDR’s are incredibly overpriced. We note that for the same or an even cheaper price you could pick up a regular RTL-SDR dongle plus an upconverter, and enjoy much better performance, or as Akos notes purchase a Soft66RTL3 or RSP. He also points out overpriced dedicated ADS-B sticks, which are now outperformed by even the cheapest of RTL-SDR dongles. Finally he mentions to avoid some sellers who are simply combining RTL-SDR dongles into strange contraptions mounted on a small camera tripod and selling them at high prices.

Strange RTL-SDR ripoff contraption at a much higher price.
Strange RTL-SDR ripoff contraption at a much higher price.

Using the Airspy as a Network Analyzer for Characterizing Antennas

Over on YouTube user Mile Kokotov has uploaded a very nice tutorial video that shows how the Airspy can be used as a low cost scalar network analzyer from between 0.1 – 1800 MHz. A network analyser allows you to characterize the performance of antennas, by determining the antenna SWR curve. A low point on an SWR graph indicates the frequency at which an antenna is resonant/tuned, so a network analyzer is very useful for tuning homemade or adjustable antennas.

Dedicated scalar network analyzers can costs thousands of dollars. Together with a cheap noise source and cheap directional coupler, the Airspy can be used as a very low cost scalar network analyzer for analyzing antennas. If you are interested in this we also have a similar tutorial on our blog that shows how to do this with an RTL-SDR. However, the Airspy R2 or Mini is of course a better tool for this job as it can scan the spectrum much faster than the RTL-SDR with its Spectrum Spy software. Mile writes:

In this video I am showing how Airspy SDR can be used for measuring Return Loss, Antenna SWR and Antenna Bandwidth of several commercial and homemade antennas.

The impedance of the Radio Station (transmitter or receiver) must be well matched to the antenna’s impedance if we want maximum available power to be delivered to antenna.

The return loss and SWR measurements show us the match of the system.

A poorly matched antenna will reflect costly RF energy which will not be available for transmission and will instead end up in the transmitter. This extra energy returned to the transmitter will not only distort the signal but it will also affect the efficiency of the transmitted power and the corresponding coverage area.

Return Loss and SWR both display the match of the system, but they show it in different ways. The return loss displays the ratio of reflected power to reference power in dB.

The return loss view is usually preferred over the SWR linear scale, because is easier to compare a small and large number on a logarithmic scale.

More than 20 dB system return loss is considered very efficient as only less than 1% of the power is returned and more than 99% of the power is transmitted. In that case the SWR is around 1.2

For radio amateur usage, Return loss more than 14 dB is acceptable. This is adequate to SWR of 1.5 which means that 4% of the power is returned and 96% of the power is transmitted.

0 dB Return loss represent an open or a short antenna terminal, while 45 or more dB Return loss would be close to a perfect match.

Many different methods can be used to measure standing wave ratio. Professionals usually use a vector network analyzer or frequency analyzer with sweep signal generator and directional coupler.

In this video I will show you very cheap and very good method for antenna characterizing which means measuring the Return loss versus frequency and usable antenna bandwidth like measuring with much, much more expensive, state of the art Network Analyzers and similar measuring equipment.

EDIT: It has been pointed out that we incorrectly used the term vector network analyzer in the previous title, when we should have instead used scalar network analyzer. A scalar network analyzer can measure amplitude, but a vector network analyzer can measure amplitude and phase and is a more complex device. Apologies for any confusion.

IBM’s Horizon Decentralized Autonomous Edge Compute using RTL-SDR

IBM’s “Horizon” is an Internet of Things (IoT) networking technology based on decentralized peer to peer technologies that are already used in successful apps like BitCoin and BitTorrent. It works by using a Horizon app which accesses your local data and sends and receives data from the Horizon P2P system. Currently Horizon is an experimental project, but they already have up and running two proof of concept projects that utilize the RTL-SDR.

In their first RTL-SDR based proof of concept demonstration they show how they have used the RTL-SDR to create a decentralized Horizon based ADS-B aircraft tracker which runs on a Raspberry Pi 2. A Horizon user can contribute data to the cloud and the data will be aggregated from users all over the world to create a complete map of aircraft. To see data from current contributors go to

ADS-B data received by IBM Horizon servers.
ADS-B data received by IBM Horizon servers.

The second RTL-SDR based proof of concept is a radio spectrum analysis application which scans the spectrum from 24 MHz to 1.75 GHz and sends the waterfall data to the cloud. This also runs on the Raspberry Pi 2. You can contribute spectrum to the cloud and you can also search the cloud for a device anywhere in the world that will allow you to listen to its RTL-SDR server. Currently the implementation allows you to view the waterfall of a remote RTL-SDR server and capture a 30 burst of audio from any frequency.

Remote Radio Scan with IBM Horizon and an RTL-SDR.
Remote Radio Scan with IBM Horizon and an RTL-SDR.

To try the radio spectrum app on a real server go to, click the cog icon in the top left and deselect everything but the ‘sdr’ check box. Then search the map for an SDR (there are only contributors in the USA and one in Germany at the moment), click on the blue dot, and select the radio tower icon that pops up. In the new screen you can use the mouse wheel and click and drag on the mouse to move the frequency. You can use the capture waterfall and Radio capture buttons on the left menu. After clicking the button the job will take a few seconds to run and complete.

It will be an interesting future when SDRs all over the world are accessible on the cloud and this could lead to many new interesting applications. Apart from RTL-SDR based applications, they are write about using Horizon to share weather station data, and to measure internet network speed.

IBM Horizon data flow
IBM Horizon data flow