Akos, the author of the radioforeveryone.com blog, has recently added two new articles to his blog. The first post is a comprehensive guide to setting up your own ADS-B station. The guide focuses on creating a system that is easy to use, has good performance and is good value for money. In the post he shows what type of computing hardware is required, what software can be used and what RTL-SDR dongles work best. He also shows what choices are available when it comes to amplification and filtering to improve signal reception and goes on to talk a bit about adapters and the antennas that work best for him.
The existing thermostat wireless receiver is a Danfoss RX2. In order to reverse engineer the protocol, Andy opened up an older one that he had and saw that it used an Infineon TDA5210 RF receiver chip. Armed with this part number he was able to look up the datasheet and determine the operating frequency. Then by using an RTL-SDR he captured some packets while pressing buttons on the thermostat transmitter and piped the audio file into Audacity, where he was able to clearly see the digital waveform.
Andy then wrote a Python program using the ‘wave’ library, which allowed him to easily read binary values from a .wav file. With his code he was able to extract the data from the signal and determine the preamble, sync word, thermostat ID and the instruction code (on/off/learn).
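The approach described above can be sketched as follows. This is an added example, not Andy's code: it reads a demodulated capture with the `wave` module, slices it into levels, filters glitches and splits the bits into preamble, sync word, ID and instruction code. The sample rate, bit rate, framing bits and command codes are constructed assumptions rather than the real Danfoss values, and the capture is synthesized in memory with one noise spike.

```python
import io, struct, wave
from itertools import groupby

RATE, SPB = 48000, 48                       # assumed: 48 kHz capture, 1 kbit/s NRZ
PREAMBLE, SYNC = "10" * 8, "0110110011"     # constructed framing, not real Danfoss values
COMMANDS = {"00110011": "on", "11001100": "off", "01110111": "learn"}  # constructed

def make_capture(thermostat_id, cmd_bits):
    """Build a constructed 16-bit mono WAV in memory, with one noise spike."""
    bits = "0000" + PREAMBLE + SYNC + format(thermostat_id, "016b") + cmd_bits + "0000"
    samples = [12000 if b == "1" else -12000 for b in bits for _ in range(SPB)]
    samples[10 * SPB + 24] *= -1            # flip one sample in the middle of a bit
    buf = io.BytesIO()
    with wave.open(buf, "wb") as w:
        w.setnchannels(1); w.setsampwidth(2); w.setframerate(RATE)
        w.writeframes(struct.pack("<%dh" % len(samples), *samples))
    buf.seek(0)
    return buf

def read_levels(wav_file):
    """Read samples with the wave module and slice them to 0/1 at the midpoint."""
    with wave.open(wav_file, "rb") as w:
        raw = w.readframes(w.getnframes())
    samples = struct.unpack("<%dh" % (len(raw) // 2), raw)
    mid = (max(samples) + min(samples)) / 2
    return [1 if s > mid else 0 for s in samples]

def run_lengths(levels, min_len=4):
    """Run-length encode; runs shorter than min_len are glitches and get merged."""
    clean = []
    for lv, grp in groupby(levels):
        n = len(list(grp))
        if clean and (n < min_len or clean[-1][0] == lv):
            clean[-1][1] += n               # absorb glitch, or rejoin the split run
        else:
            clean.append([lv, n])
    return clean

def decode(wav_file, min_len=4):
    """Return the packet fields, or None if preamble + sync word are not found."""
    runs = run_lengths(read_levels(wav_file), min_len)
    bits = "".join(str(lv) * round(n / SPB) for lv, n in runs)
    start = bits.find(PREAMBLE + SYNC)
    if start < 0:
        return None
    body = bits[start + len(PREAMBLE) + len(SYNC):]
    return {"id": int(body[:16], 2), "command": COMMANDS.get(body[16:24], "unknown")}

print(decode(make_capture(0x5A3C, "00110011")))
```

Calling `decode(..., min_len=1)` disables the glitch filter; the single flipped sample then costs a preamble bit and the packet is no longer found.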
In a future post Andy hopes to show us how he’ll use an RF69 module with an Arduino to actually control the thermostat using the reverse engineered packet knowledge.
WaveConverter is a tool that helps you extract digital data from RF transmissions that have been captured via Software Defined Radio (SDR). After the user defines the modulation parameters, framing and encoding, WaveConverter will process a stored I-Q file and extract the data from any transmissions that match this definition. Using programmable timing tolerances and glitch filters, WaveConverter is able to extract data from signals that would otherwise appear corrupted.
This software will make the process of reverse engineering signals easier and more error-proof. Because WaveConverter includes the ability to store and retrieve signal protocols (modulation + encoding parameters), we have been generating a database of protocols that we can quickly use to iteratively attack unknown signals.
This tool should be very useful for reverse engineering digital signals, such as those found in keyfobs, wireless doorbells, wireless temperature sensors and any other simple RF device. Simply use an SDR device like an RTL-SDR to capture a sample of the signal of interest and then open it up in WaveConverter to first easily analyze the signal and determine its properties, then to automatically demodulate any subsequent signal into a binary string. For more information the documentation can be found here (pdf).
WaveConverter seems to be quite similar in purpose to Inspectrum and DSpectrum which are two Linux tools that are also designed for reverse engineering digital signals.
Recently the Outernet team sent us a prototype of their L-Band tuned RTL-SDR which is called the SDRx for testing. This is an RTL-SDR with RTL2832U and R820T2 chips together with an L-band LNA and filter on the same PCB. It is designed for their Outernet system which transmits from geostationary L-Band satellites.
Outernet is an L-band satellite service that hopes to be a library in the sky. Currently it is broadcasting down about 20 MB of data a day, with data like weather updates, books, pictures, Wikipedia pages, APRS repeats and more.
For their DIY Outernet kit they have been using E4000 or our RTL-SDR V3 dongles, so we speculate that this SDRx is going to be used in the “Lantern” which will be their fully assembled Outernet receiver product. The Lantern looks like it will be a single unit, with patch antenna, battery pack, solar panel, RTL-SDR radio and CHIP built into a plastic enclosure.
The SDRx connects to the computer via a micro USB port. It also has a USB repeater and two USB expansion ports on board. This is useful as Outernet is designed to be used with the CHIP portable computer which only has one USB port. The expansion USB ports can be used for plugging in a portable hard drive which can be used as the storage for downloaded Outernet files.
We’ve been running a version of the SDRx prototype on an Outernet receiver for a number of weeks without issue. The SNR on Outernet signals is about identical to the V3 dongles combined with the external Outernet LNA and no L-band heat problems are observed.
Ships also has another interesting feature which is that it will automatically determine the PPM offset of a dongle, meaning that generic dongles without TCXOs can be easily used for AIS. It appears to do this by using the AIS signals themselves, so you will need sufficient AIS traffic in your area for the calibration to work.
AIS stands for Automatic Identification System, and is a system used to track the locations of marine vessels. It is similar to ADS-B in that nearby ships can be plotted and tracked on a map by using an RTL-SDR as the receiver. We have a tutorial for PC available here.
Recently we heard about the PandwaRF Portable Analyzer (previously known as the GollumRF). This is not an SDR, but can probably be described as a programmable and computer controlled radio. It appears to be based on the Yardstick One design which is made by Michael Ossmann, the creator of the HackRF. Both the Yardstick One and PandwaRF are based on the CC1111 sub-1 GHz RF transceiver chip. These types of pseudo-SDRs can be very useful for reverse engineering, analyzing and experimenting with simple digital signals.
For example it could be used to capture data from any ASK/OOK/MSK/2-FSK/GFSK modulation in the 300 – 928 MHz band. You can then easily analyze the data, and then retransmit the same or a modified signal. The same could be done with a TX capable SDR like the HackRF, but doing so tends to require a lot more work.
The difference between the Yardstick One and PandwaRF appears to be mainly in the connection interface. The PandwaRF is essentially the Yardstick One with Bluetooth LE connectivity and an Android/iOS smartphone app. USB connectivity for Linux still exists. It also has an internal battery whereas the Yardstick One does not. They wrote a post comparing the RTL-SDR, Yardstick One and PandwaRF here.
The device seems to be new, as it just started shipping in November and the first batch is still being sold. It costs 145 euros and appears to originate from the EU. There is also a ‘mini’ version in pre-order which also costs 145 euros. In comparison the Yardstick One costs about $99 – $145 USD depending on the shop you choose.
Over on YouTube user Tomi Simola has uploaded a video showing his servo based Outernet satellite antenna tracker. Outernet uses L-band geostationary satellites which means that they are at a fixed position in the sky. Optimal reception of the Outernet and other L-Band satellite signals can be obtained by pointing the patch antenna towards the satellite.
Tomi wanted an easy way to remotely switch the antenna to point at one of two geostationary satellites, Alphasat at 25E which has the Outernet signal and Inmarsat at 64E which has more services like AERO and STD-C. Another potential use of his tracker might be for tracking L-Band satellites while in a moving vehicle such as a car or boat.
To automatically point the Outernet L-band patch antenna Tomi used a commonly found Pan-Tilt servo mounted inside a waterproof enclosure. On the servo is a 3D printed mount which the patch antenna is attached to. An Arduino Nano with Bluetooth module allows control of the servo.
Erhard E. has been experimenting with capturing, analyzing, reverse engineering and then transmitting new ASK/OOK signals with his RTL-SDR and Raspberry Pi running RPiTX. Erhard has written a very informative guide/tutorial (pdf) that explains how he did it for a wireless doorbell and for remote control toy cars. RPiTX is software for the Raspberry Pi which allows it to transmit almost any signal via modulation of a GPIO pin. RPiTX related posts have been featured on this blog several times in the past.
First Erhard records a copy of the doorbell signal using his RTL-SDR and then views the waveform in Audacity. He then writes that you’ll need to find the waveform characteristics either manually using Audacity, or by using the rtl_433 decoder. In the tutorial he uses rtl_433 which automatically gives him the pulse width, gap width and pulse period.
Next, in order to actually generate the signal using RPiTX, he uses the waveform characteristics that he found and manually creates a .ft hex file that describes the signal to be generated. Then, using the rpitx command, the .ft file can be transmitted.
Later in the tutorial he also shows how he performed the same reverse engineering process with a cheap RC car toy (forward/reverse commands only), which uses OOK encoding on the wireless controller.