Category: Applications

Using the RTL-SDR as a Transmitter

Back in July of last year we posted about a video from oh2ftg where he showed how he was able to get his RTL-SDR to act as a crude transmitter by using the RTL-SDR’s leaky oscillator.

Now another RTL-SDR experimenter, Oscar Steila (IK1XPV) has had a similar idea to use the RTL-SDR as a transmitter, and has taken the idea further than OH2FTG did. 

Oscar decided to take a standard RTL-SDR dongle and modify it so that it outputs a signal from the mixer output of the R820T tuner chip. To do this he removes some unneeded components from the PCB, and wires pin 5 of the R820T to the MCX antenna port through a 100pF capacitor. Pin 5 is connected to the mixer output from inside the R820T chip.

TX mod for the RTL-SDR.

After performing the hack the RTL-SDR is able to output a signal anywhere between 1.8 GHz and 3 GHz (originally reported as 500 MHz to 1500 MHz; see the update below). To control the output frequency you simply need to tune to the frequency you want to transmit at in SDR# (after setting an offset to account for the R820T’s IF offset). This tunes the mixer in the R820T and causes the output frequency to change.

In the future Oscar hopes to take this idea further by creating a specific tuning application for the generator and finding a way to possibly FM modulate the output.

Using SDR# to tune the TX RTL-SDR to 1 GHz, and using another instance of SDR# and another RTL-SDR to receive the transmitted 1 GHz signal.

Update: Oscar has revised the frequency range from 500 – 1500 MHz to 1.8 GHz – 3 GHz. More information about his new tests can be found at

Building a 520 kHz High Pass Filter for the RTL-SDR

Over on YouTube user kugellagers has uploaded a video showing how he designs and builds a 520 kHz high pass filter for his RTL-SDR dongle + upconverter. In the video he explains how to design the filter with the free Elsie software which is an electrical filter design and analysis program. He then shows how he builds and selects the filter inductors and capacitors and how he assembles the components on a PCB. Finally he demonstrates how his 520 kHz high pass filter is useful for filtering out atmospheric noise from lightning strikes.

Previously we posted about kugellagers’s other video in which he demonstrates his FM bandstop filter and 1.8 MHz high pass filter.

RTL-SDR as a Hardware Random Number Generator with rtl_entropy

Over on his blog, Aaron Toponce has posted a tutorial that shows how to use the RTL-SDR app rtl_entropy.  This app uses the RTL-SDR to create random numbers from the atmospheric noise that it receives from the antenna. Aaron writes:

The theory behind the RNG is by taking advantage of atmospheric noise, which is caused by natural occurrences, such as weak galactic radiation from the center of our Milky Way Galaxy to the stronger local and remote lightning strikes. It’s estimated that roughly 40 lightning strikes are hitting the Earth every second, which equates to about 3.5 million strikes per 24 hour period. Interestingly enough, this provides a great deal of entropy for a random number generator.

In the post Aaron also shows how to put the rtl_entropy generated data through some standardized randomness tests, how to visualize the random output and also shows how to use rtl_entropy to generate 80-bit entropy passwords.
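The post above feeds rtl_entropy output through standardized randomness tests before using it for passwords. The script below is an added example (not Aaron's code and not part of rtl_entropy) of the same idea in Python: it applies the FIPS 140-2 style monobit, runs and long-run checks over the first 20000 bits of a capture, estimates Shannon entropy per byte, and only then derives a 16-character Base32 password carrying exactly 80 bits. The two sample buffers are constructed stand-ins for a capture file; an alternating 0xAA pattern passes the monobit test yet fails the runs test and has zero entropy, which is why no single test should be trusted on its own. Pass a path to a raw rtl_entropy dump as the first argument to check real output.

```python
import base64
import math
import sys
from collections import Counter

# Constructed stand-ins for a capture: rtl_entropy emits raw bytes, so in
# practice you would read 2500 bytes (20000 bits) from its output.
SAMPLE_ALTERNATING = bytes([0xAA]) * 2500   # 10101010...: balanced but not random
SAMPLE_ZEROS = bytes(2500)                   # a dead or disconnected receiver

# Acceptance intervals from the FIPS 140-2 power-up tests (per 20000 bits)
MONOBIT_BOUNDS = (9725, 10275)
RUN_BOUNDS = [(2315, 2685), (1114, 1386), (527, 723), (240, 384), (103, 209), (103, 209)]
LONG_RUN_LIMIT = 26


def bit_stream(data):
    """Yield the first 20000 bits, most significant bit of each byte first."""
    for byte in data[:2500]:
        for i in range(7, -1, -1):
            yield (byte >> i) & 1


def monobit(data):
    """Count of one bits, and whether it lies strictly inside the FIPS bounds."""
    ones = sum(bit_stream(data))
    lo, hi = MONOBIT_BOUNDS
    return ones, lo < ones < hi


def run_histogram(data):
    """Count runs of 0s and 1s by length (6 or more pooled) and return the longest run."""
    hist = {0: [0] * 6, 1: [0] * 6}
    longest = 0
    stream = list(bit_stream(data))
    i = 0
    while i < len(stream):
        j = i
        while j < len(stream) and stream[j] == stream[i]:
            j += 1
        length = j - i
        longest = max(longest, length)
        hist[stream[i]][min(length, 6) - 1] += 1
        i = j
    return hist, longest


def runs_test(data):
    """Runs test plus long-run test: every run-length bucket in bounds, no run of 26+."""
    hist, longest = run_histogram(data)
    in_bounds = all(lo <= hist[b][k] <= hi
                    for b in (0, 1) for k, (lo, hi) in enumerate(RUN_BOUNDS))
    return in_bounds and longest < LONG_RUN_LIMIT


def byte_entropy(data):
    """Shannon entropy estimate in bits per byte (8.0 is the ideal)."""
    counts = Counter(data)
    total = len(data)
    return -sum(c / total * math.log2(c / total) for c in counts.values())


def password_80bit(data):
    """First 10 bytes (80 bits) as a 16-character Base32 string: 16 x 5 bits, no padding."""
    if len(data) < 10:
        raise ValueError("need at least 10 bytes")
    return base64.b32encode(data[:10]).decode("ascii")


def assess(data):
    ones, mono_ok = monobit(data)
    return {"ones": ones, "monobit": mono_ok, "runs": runs_test(data),
            "entropy_bits_per_byte": round(byte_entropy(data), 3)}


if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else None
    data = open(path, "rb").read() if path else SAMPLE_ALTERNATING
    report = assess(data)
    print(report)
    if report["monobit"] and report["runs"]:
        print("password:", password_80bit(data))
    else:
        print("refusing to derive a password from output that fails the sanity checks")
```

Note that the checks run on the raw bytes independently of whatever conditioning the tool itself applies, which is the right place to catch a disconnected antenna or a saturated front end: both produce long constant runs that the long-run test rejects immediately.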

Visualizing the random noise output of rtl_entropy.

Stealing Encryption Keys from PCs using Software Defined Radio and Unintentional Electromagnetic Emissions

Tel Aviv University researchers D. Genkin, L. Pachmanov, I. Pipman and E. Tromer have released a paper this year detailing their research on extracting encryption keys from PCs via their unintentional radio emissions. They say that they have been able to demonstrate their work by extracting encryption keys from GnuPG on laptops within seconds by using their non-intrusive wireless methods. GnuPG is software which allows you to encrypt and sign your data.

They write about the performance of their results:

Using GnuPG as our study case, we can, on some machines:

  • distinguish between the spectral signatures of different RSA secret keys (signing or decryption), and
  • fully extract decryption keys, by measuring the laptop’s electromagnetic emanations during decryption of a chosen ciphertext.

In their experiments they used a Funcube Dongle Pro+ to measure the unintentional RF emissions coming out of a laptop computer at around 1.6-1.75 MHz, but they also mention that a low cost RTL-SDR with upconverter could also work.

Every time the CPU on a target PC performs a new operation the unintentional frequency signature that is emitted changes. From these emissions they are able to use the unique RF signature to determine what operations are being performed by the CPU, and from that they can work out the operations GnuPG is performing when decrypting data. They write:

Different CPU operations have different power requirements. As different computations are performed during the decryption process, different electrical loads are placed on the voltage regulator that provides the processor with power. The regulator reacts to these varying loads, inadvertently producing electromagnetic radiation that propagates away from the laptop and can be picked up by a nearby observer. This radiation contains information regarding the CPU operations used in the decryption, which we use in our attack.

Recovering CPU assembly code operations from its unintentional RF emissions.

In addition to the above they were also able to create portable attack hardware by connecting the Funcube Dongle Pro+ with a small Android based embedded computer called the Rikomagic MK802 IV. They also show that they were even able to perform the portable attack with a standard AM radio with the output audio being recorded with a smart phone.
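The quoted explanation above is the classic side-channel mechanism: the sequence of CPU operations depends on the secret, and the power draw of that sequence reaches the outside world through the voltage regulator. The example below is added here and is not the researchers' code or GnuPG's implementation; it illustrates the mechanism at the operation-sequence level with textbook modular exponentiation. The naive square-and-multiply routine emits a trace of squares and multiplies that is literally an image of the exponent bits, while the Montgomery ladder performs the same two operations for every bit, so its trace depends only on the exponent length. The conditional swap is written with a mask rather than a branch for the same reason. Python itself is not constant-time, and the paper's attack depends on details of GnuPG's particular code, so treat this as a demonstration of why data-independent operation sequences are the mitigation, not as a model of that code.

```python
def cswap(swap, a, b):
    """Swap a and b when swap == 1 using a mask, so the same arithmetic runs either way."""
    mask = -swap                 # 0 when swap is 0, all ones when swap is 1
    t = mask & (a ^ b)
    return a ^ t, b ^ t


def naive_modexp(base, exp, mod):
    """Left-to-right square-and-multiply. A multiply ('M') happens only for 1 bits,
    so the sequence of operations mirrors the exponent."""
    trace = []
    result = 1
    for bit in format(exp, "b"):
        result = (result * result) % mod
        trace.append("S")
        if bit == "1":
            result = (result * base) % mod
            trace.append("M")
    return result, "".join(trace)


def ladder_modexp(base, exp, mod, nbits):
    """Montgomery ladder: one multiply and one square per bit whatever its value,
    so the sequence of operations depends only on nbits."""
    trace = []
    r0, r1 = 1, base % mod
    for i in range(nbits - 1, -1, -1):
        bit = (exp >> i) & 1
        r0, r1 = cswap(bit, r0, r1)   # select registers without a branch
        r1 = (r0 * r1) % mod
        r0 = (r0 * r0) % mod
        r0, r1 = cswap(bit, r0, r1)
        trace.append("MS")
    return r0, "".join(trace)


def bits_from_naive_trace(trace):
    """What an observer who can tell squares from multiplies learns from the naive
    routine: each 'S' starts a bit, and an 'M' directly after it marks a 1."""
    bits = []
    for i, op in enumerate(trace):
        if op == "S":
            bits.append("1" if i + 1 < len(trace) and trace[i + 1] == "M" else "0")
    return "".join(bits)


if __name__ == "__main__":
    # Constructed toy parameters; real RSA exponents are thousands of bits long.
    base, mod = 4, 497
    for exp in (13, 8, 15):
        value, trace = naive_modexp(base, exp, mod)
        print(f"naive  exp={exp:04b} -> {value:3d} trace={trace:9s} "
              f"bits read back={bits_from_naive_trace(trace)}")
        value, trace = ladder_modexp(base, exp, mod, 4)
        print(f"ladder exp={exp:04b} -> {value:3d} trace={trace}")
```

Running it shows the naive traces "SMSMSSM", "SMSSS" and "SMSMSMSM" for the exponents 13, 8 and 15, each of which decodes back to the exponent, while all three ladder traces are the same "MSMSMSMS" and the results still agree with Python's built-in pow.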

A portable version of their attack set up with the Funcube Dongle Pro+ and microcontroller.

The researchers write that they will present their work at the CHES 2015 conference in September 2015.

Previously we also posted about Melissa Elliott’s talk on unintentional RF emissions, Milos Prvulovic’s work on spying on keyboard presses from unintentional RF emissions and also a security flaw discovered with some HP laptops which caused them to unintentionally convert audio picked up from the microphone into RF signals.

Transmitting DATV DVB-S Video with the HackRF Blue

Simon (G0FCU) has been using his HackRF Blue to transmit DVB-S video captured from his video camcorder. In the ham radio hobby there is something called digital amateur television (DATV) in which amateurs transmit digital video over radio to repeaters. Simon writes that in the UK DATV is usually transmitted at above 1.2 GHz and in the DVB-S format, which is the same format used by some satellite TV services.

Although there are dedicated DATV radios, Simon decided that he wanted to use the HackRF Blue as the radio for transmitting his own DATV signals. To do this he uses the software dvgrab to grab the video stream from the camera, then passes it to ffmpeg to compress the raw video into MPEG-2 and then uses a GNU Radio program called gr-dvbs to use the HackRF to transmit the DVB-S stream at 1000 MHz.

To test that his signal was transmitting correctly, Simon then used a standard DVB-S satellite TV receiver with the LNB bypassed.

Previously we also posted about using a BladeRF for transmitting DATV DVB-T signals.

What the DATV DVB-S output signal looks like on another HackRF.

Trunking with the Latest DSD+ 1.08t Fast Lane Version

DSD+ stands for Digital Speech Decoder Plus and is a software program that can allow you to decode digital voice signals such as P25 and MotoTRBO/DMR. DSD+ is under continual development, and in their last public update they began offering early access to the latest DSD+ features in development through their fast lane subscription. The fast lane subscription costs $10 USD for one year and $25 for unlimited early access. Information about joining the fast lane service can be found in the readme file of the latest DSD+ 1.074 public release.

Over on YouTube user John Miller has been testing the latest early access version DSD+ 1.08t. This new version adds trunking support which allows you to follow conversations. Previously other software like Unitrunker was required to follow the trunking signal. On YouTube John has uploaded a video first showing trunking in action, and a second video showing how to set up DSD+ 1.08t for trunking.

Lantern: A New 925 MHz to 2175 MHz RTL2832U Based SDR for Satellite Reception

Over on Reddit we’ve seen news about a new 925 MHz to 2175 MHz RTL2832U based software defined radio which is currently under development. It is called the “Lantern” and is being developed for the Outernet project.

The Outernet project aims to be a “library in the sky” satellite based service that will provide free access to daily downloads of data such as books, news, videos and other information. Its goal is to provide people who may not have easy physical or uncensored access to the internet an easy way to access daily information.

Outernet Overview Poster

To achieve this goal the Outernet project needs a good low cost satellite receiver. The RTL-SDR is a good candidate, but its performance at about 1.5 GHz isn’t great, and this appears to be the frequency Outernet wants to use. To improve the performance for satellite reception at these frequencies they have redesigned the RTL-SDR by replacing the R820T2 tuner with a MAX2120 tuner chip which tunes from 925 MHz to 2175 MHz. They have also improved the components used and the PCB layout. The regular RTL2832U chip is used as the ADC and USB interface, so the maximum bandwidth and ADC bit depth remain the same.

The Lantern is currently being prototyped and there is a discussion about it on Reddit. They are aiming for a price point below $20, but note that it will take time to get to that low price as mass production will be required.

The current Lantern prototype.

Building a Passive Radar System with RTL-SDR Dongles

Back in 2013 we posted about Juha Vierinen’s project in which he created a passive radar system from two RTL-SDR dongles, two Yagi antennas, and some custom processing code. Passive radar can be used to detect flying aircraft by listening for signals bouncing off their fuselage and can also be used to detect meteors entering the atmosphere. The radar is passive because it does not use a transmitter, but instead relies on other already strong transmitters such as FM broadcast radio stations. Juha writes:

A passive radar is a special type of radar [that] doesn’t require you to have a transmitter. You rely on a radio transmitter of opportunity provided by somebody else to illuminate radar targets. This can be your local radio or television station broadcasting with up to several megawatts of power. 

How passive radar works

His previous write up was brief, but now over on Hackaday Juha has made a detailed post about his RTL-SDR passive radar project. In the post he explains what passive radar is, shows some examples of his and others results, shows how it can be done with an RTL-SDR dongle, and finally briefly explains the signal processing required. In his next post Juha aims to go into further detail on how passive radar works in practice.

Below we show a video that shows an example of one of his passive radar tests that was performed with a USRP software defined radio and two Yagi antennas. 

This video shows a lot of airplanes around the New England area detected using a simple passive radar setup, consisting of: one USRP and two yagi antennas, a quad core linux PC. Every now and then an occasional specular meteor echo is observed too.

In his other tests shown on YouTube Juha also used two RTL-SDR dongles with a shared clock and was able to get similar results.
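The core of the signal processing Juha describes is the cross-ambiguity function: the surveillance channel (the antenna pointed at the sky) is correlated against the reference channel (the antenna pointed at the FM transmitter) over a grid of time delays and Doppler shifts, and a target shows up as a peak whose delay gives bistatic range and whose frequency offset gives radial speed. The script below is an added example in plain Python, not Juha's code, with a constructed scene: a complex pseudo-noise reference, and a surveillance channel made of the direct-path signal plus an echo delayed by 17 samples and Doppler shifted by 5 Hz, at an assumed sample rate of 256 Hz so that one FFT-sized block gives 1 Hz Doppler bins. The direct path dominates the map at zero delay, which is why the detector masks that row, a crude stand-in for the clutter cancellation a real system needs.

```python
import cmath
import math
import random

FS = 256.0   # assumed sample rate in Hz (constructed); Doppler bin width = FS / N = 1 Hz
N = 256      # samples per coherent processing block


def make_scene(delay=17, doppler=5.0, echo_amp=0.5, noise=0.1, seed=1):
    """Constructed reference and surveillance channels for one processing block."""
    rng = random.Random(seed)
    ref = [complex(rng.gauss(0, 1), rng.gauss(0, 1)) for _ in range(N)]
    surv = []
    for n in range(N):
        direct = ref[n]                      # direct-path leakage into the surveillance antenna
        echo = 0j
        if n - delay >= 0:                   # target echo: delayed, attenuated, Doppler shifted
            echo = echo_amp * ref[n - delay] * cmath.exp(2j * math.pi * doppler * n / FS)
        surv.append(direct + echo + complex(rng.gauss(0, noise), rng.gauss(0, noise)))
    return ref, surv


def cross_ambiguity(ref, surv, max_lag, dopplers):
    """|CAF(tau, f)| = |sum_n surv[n] * conj(ref[n - tau]) * exp(-j 2 pi f n / FS)|
    for every delay tau in 0..max_lag and every Doppler f in the grid."""
    caf = {}
    for tau in range(max_lag + 1):
        for f in dopplers:
            acc = 0j
            for n in range(tau, N):
                acc += surv[n] * ref[n - tau].conjugate() * cmath.exp(-2j * math.pi * f * n / FS)
            caf[(tau, f)] = abs(acc)
    return caf


def detect(caf, min_lag=1):
    """Ignore delays below min_lag (direct-path clutter) and return the strongest (tau, f) cell."""
    candidates = {cell: mag for cell, mag in caf.items() if cell[0] >= min_lag}
    return max(candidates, key=candidates.get)


def bistatic_range_m(tau, fs=FS):
    """Extra path length implied by a delay of tau samples, assuming speed of light c."""
    return tau / fs * 299_792_458.0


if __name__ == "__main__":
    ref, surv = make_scene()
    caf = cross_ambiguity(ref, surv, max_lag=32, dopplers=range(-10, 11))
    print("strongest cell with clutter row kept:   ", detect(caf, min_lag=0))
    tau, f = detect(caf)
    print("strongest cell with clutter row masked: ", (tau, f))
    print(f"delay {tau} samples -> {bistatic_range_m(tau):.0f} m extra path, Doppler {f} Hz")
```

With the constructed scene the unmasked map peaks at (0, 0) on the direct path, while masking the zero-delay row recovers the echo at (17, 5). Real systems use a much higher sample rate and far longer blocks, so the delay-to-range conversion in bistatic_range_m becomes meaningful and the Doppler bins become fine enough to separate aircraft from the stationary clutter.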