Over on YouTube user Keld Norman has uploaded a video showing how he uses an RTL-SDR with gr-gsm and a Python script to create a simple IMSI catcher. IMSI stands for International mobile subscriber identity and is a unique number that identifies a cell phone SIM card in GSM (2G) mobile phone systems. For security IMSI numbers are usually only transmitted when a connection to a new cell tower is made. More advanced IMSI-catchers used by governmental agencies use a fake cell tower signal to force the IMSI to always be revealed. This way they can track the location of mobile phones as well as other data like who or when you are calling.
In the video Keld uses a Python script called IMSI-Catcher. This script displays the detected IMSI numbers, country, and mobile carrier on a text display. The video description shows how to install GR-GSM and the IMSI-Catcher script on Ubuntu.
Leandvb is command line based lightweight DVB-S decoder designed for receiving Digital Amateur TV, including signals like HamTV from the International Space Station. The RTL-SDR can be used together with leandvb and it turns out that leandvb can also be used to decode the Outernet signal. If you were unaware, Outernet is a free L-band based satellite service that provides content such as news, weather data, APRS repeats and more. Currently you can get about 20MB of data a day. Outernet receivers are also all based around the RTL-SDR, allowing for very cheap receivers to be built. At the moment you’ll need a C.H.I.P or their specialized Dreamcatcher hardware to run their special Skylark OS with software decoder, but a general Armbian decoder is in the works.
Alternatively leandvb can be used, and over on their website the folks behind the leandvb software have uploaded a tutorial showing how to use leandvb to decode Outernet. Thanks to some reverse engineering attempts by Daniel Estévez, it was discovered that the Outernet modulation is very similar to DVB-S so the standard decoder can be used with some custom flags. Leandvb only outputs raw frames, not decoded data. They haven’t tested it, but it may be possible to feed the frames into Daniel Estevez’s free-outernet project for obtaining the final files.
During the testing they also discovered some interesting notes about the E4000 and R820T RTL-SDRs. For example by patching the R820T2 drivers to add some additional VGA gain they were able to make the R820T2 chips more sensitive at the Outernet frequency compared to the E4000 chip by bringing the signal further out of the quantization noise. They also tested a 60cm dish vs a patch antenna and found that the dish works significantly better.
HamRadio360 is a bi-weekly podcast all about ham radio and related topics. On their June 13 podcast Nick, KK6LHR came on to discuss his experiences with decoding ADS-B with cheap SDR radio like the RTL-SDR. In the podcast they talk about the history of ADS-B, what it is, the difference between the 1090 MHz and 978 MHz frequencies, what all of the terms and acronyms mean, feeding sites like flightaware and flightradar24 and of course how to decode it with various forms of software packages.
Back in June we tested Outernet’s new Dreamcatcher which is an ARM based computing board with RTL-SDR and L-band LNA built in. The $99 USD kit also included an external active L-band patch antenna. The Dreamcatcher full kit has now been reduced to $89 USD, and the active L-band patch antenna can also now be purchased by itself for $29 USD. The active patch antenna is also compatible with the bias tee on our V3 dongles and is a good low cost option for exploring most L-band satellite signals like Outernet, Inmarsat STD-C and AERO around 1542 MHz. The filter does unfortunately cut off the higher Iridium frequencies though.
They are also selling off their older L-band SDRx RTL-SDR boards at a reduced price of $20 USD. The SDRx is a RTL-SDR PCB with a built in L-band LNA and filter, but unlike the Dreamcatcher does not have built in computing hardware. They also have a limited $25 USD edition version of their active patch antenna which includes a built in RTL-SDR. This version is a bit more noisy compared to the standard active patch, but may be an interesting experimental antenna for some.
FSQ (Fast Simple QSO) is a relatively new ham band mode for making text QSO’s (contact or exchange of information with another ham) over HF frequencies. It is a low data rate mode similar to PSK31 but with some interesting features like relaying which allows signals to be relayed further via other FSQ stations.
Over at in Melbourne, Australia a Cyberspectrum SDR meetup is held every few weeks. At this weeks meetup @faulteh discusses the FSQ mode and some of it’s interesting features. He also shows how he can transmit FSQ using a Si5351 clock generator and Arduino (with filtering). In the future he hopes to also create a fully automated receive station using a Raspberry Pi and RTL-SDR dongle.
With an RTL-SDR dongle, Raspberry Pi, piece of wire and literally no other hardware it is possible to perform replay attacks on simple digital signals like those used in 433 MHz ISM band devices. This can be used for example to control wireless home automation devices like alarms and switches.
In this tutorial we will show you how to perform a simple capture and replay using an RTL-SDR and RPiTX. With this method there is no need to analyze the signal, extract the data and replay using a 433 MHz transmitter. RPiTX can replay the recorded signal directly without further reverse engineering just like if you were using a TX capable SDR like a HackRF to record and TX an IQ file.
Note that we’ve only tested this replay attack with simple OOK 433 MHz devices. Devices with more complex modulation schemes may not work with this method. But the vast majority of 433 MHz ISM band devices are using simple modulation schemes that will work. Also replay attacks will not work on things like car keys, and most garage door openers as those have rolling code security.
A video demo is shown below:
RPiTX is open source software which allows you to turn your Raspberry Pi into a general purpose transmitter for any frequency between 5 kHz to 500 MHz. It works by using square waves to modulate a signal on the GPIO pins of the Pi. If controlled in just the right way, FM/AM/SSB or other modulations can be created. By attaching a simple wire antenna to the GPIO pin these signals become RF signals transmitted into the air.
Of course this creates an extremely noisy output which has a significant number of harmonics. So to be legal and safe you must always use bandpass filtering. Harmonics could interfere with important life critical systems (e.g. police/EMS radio, aircraft transponders etc).
For testing, a short wire antenna shouldn’t radiate much further than a few meters past the room you’re in, so in this case you should be fine without a filter. But if you ever connect up to an outdoor antenna or amplify the signal then you absolutely must use adequate filtering, or you could find yourself in huge trouble with the law. Currently there are no commercially made 433 MHz filters for RPiTX available that we know of, so you would need to make your own. Also remember that you are still only allowed to transmit in bands that you are licensed to which for most people will be the ISM bands.
Back in May of this year the DailyMail ran an article discussing how the HackRF by Great Scott Gadgets could be used to break into cars. The DailyMail is a British tabloid magazine well known for its low credibility and alarmist articles. This week they ran a new article about Great Scott Gadgets other product, the Yard Stick One. In the article they discuss how the £109 Yard Stick One tool can be used to disable wireless burglar alarms. The YARD Stick One is not an SDR, but rather a computer controlled radio which can be used to transmit and receive wireless digital signals below 1 GHz. It is useful for wireless security research and reverse engineering digital signals in a way that is a bit easier than with using an SDR like the HackRF.
In the experiment performed in the article they use the YARD Stick one to jam a wireless home alarm for a few seconds allowing entry to the property without setting off the alarm. All in all the article is a good advert for the YARD Stick One, and does do a decent job at drawing attention to the lack of security provided by many wireless security devices.
Over on his YouTube channel GusGorman402 has uploaded a video tutorial showing how to take an old internet router and install OpenWRT and the RTL-SDR drivers on it. OpenWRT is a third party Linux based router firmware which can greatly expand the usefulness of a standard router. As it is Linux based it is possible to install the RTL-SDR Linux drivers on the router and use the router as a cheap RTL-SDR streaming or decoding platform.
Gus’s tutorial takes us from the beginning where he first shows how to install OpenWRT firmware over the stock firmware on the router and how to configure the settings. He then shows how to install the RTL-SDR drivers and run software like rtl_tcp and dump1090 with opkg and luci.