Category: Applications

SWSCAN – A Console Based Shortwave Broadcast Scanner for the RTL-SDR

Over on the Reddit discussion boards user gat3way has posted about his newly released software project called swscan. Swscan is a Linux console based program that can be used to scan and listen to shortwave broadcast stations. It has a built-in database of shortwave station frequencies and their broadcast schedules, and it will even show you each station's power level and your distance from the transmitter. Swscan is based on GNU Radio 3.7, so you will need to have that installed first.

As shortwave stations exist at frequencies below the normal tuning range of the RTL-SDR, you will need an upconverter, or to be using the latest experimental R820T driver which can tune down to around 1 MHz.

Swscan can be downloaded from http://www.gat3way.eu/poc/swscan.tgz.

Console GUI for swscan.

Hacking a PlayStation 3 using an RTL-SDR

There is a war going on between game console designers and the console modding community. Modders hack the console system so that they can jailbreak it and then install their own custom firmware, while console designers are constantly finding new ways to prevent unauthorized modding. Custom firmware allows a console to run homebrew applications like media players and emulators that use the console in ways it was not intended to be used in.

One PlayStation 3 modder has recently been using an RTL-SDR to help jailbreak a PlayStation 3 Super Slim (4K) console, whose current official firmware appears not to have been jailbroken yet. It's important to note that so far no actual jailbreaking has been done with this method, but the modder is currently working on it. His idea is to receive RF signals leaking from the PS3 and then use methods similar to those in the Acoustic Cryptanalysis paper to decode the data and find out what opcode operations the processors are performing. The modder describes his method as follows.

My idea was to hook up an rtl-sdr device to the PS3 4k between chassis and real ground (yes, I actually have a two meter copper rod buried in my lawn) using the antenna leads. First I had to make sure the PS3 4k chassis wasn't grounded in the outlet, and that no video out or USB connector was hooked up to ground indirectly via other hardware. If you want to try this, make sure that the rtl-sdr antenna leads are the only lead between the PS3 mobo/chassis and real ground. Before connecting the rtl-sdr antenna leads I measured the voltage on the PS3 chassis, which peaked at around 1.8V. That was safe enough; I didn't want to blow it up on the first try.

This method will effectively turn your console into an "active antenna" leaking all kinds of interesting data into the rtl-sdr frequency spectrum (between 24 and 1766 MHz). After hooking it up, I started using gqrx on my laptop to look for signal peaks while the PS3 4k was turned on. After finding a peak I just powered off the PS3 completely and turned it back on; using the waterfall plot you've seen in my first post I can see if there is something interesting happening during boot and verify that the signal is indeed coming from the PS3. In a similar way I learned to distinguish between the PS3 BD drive, GPU and CPU, which pop up at different frequencies. Then I dumped the data (I/Q recording) that looked interesting and made a note of the frequency.

It's hard to describe the incredible feeling when you tune into a good signal and start watching the waterfall plot revealing opcodes, register bits and what might be stack contents. The Acoustic Cryptanalysis paper (PDF) has a lot of good info on how to interpret the output from various window functions in the plot.

What I’m coding right now is a gnuradio-companion block which will filter and test the dumped data for decryption keys against encrypted PS3 data. 

PS3 Data Received with an RTL-SDR and shown on a GQRX Waterfall

Monitoring Military Aircraft with an RTL-SDR

The military air communications monitoring enthusiasts over at milaircomms.com have been using a system of RTL-SDRs to monitor military air traffic through ADS-B. While military aircraft generally do not transmit GPS position information like commercial aircraft do, they are still able to record live information such as the aircraft's hex code, registration number, aircraft type, the receiving base station's location and a graph of recorded altitudes. They also log all this data, showing where military aircraft have been spotted over time.

To receive this information they so far have a network of about 30 volunteers running RTL-SDR based ground stations that use their custom MilAirComms1090 software. If you want to contribute, the software is available for Windows and for Linux/Raspberry Pi.

Example Logs of a US Coast Guard C-130 Aircraft doing Touch/Goes and its Sighting History

Receiving NTSC Analogue TV with GNU Radio and an RTL-SDR

Over on GitHub user kik has uploaded a tutorial and code showing how to decode NTSC analogue TV with GNU Radio and an RTL-SDR. The tutorial is in Japanese, but Google Translate should be good enough to understand the text. Kik shows us which GNU Radio blocks to use and provides the Python code needed to display the images on a simulated scope.

If you just want to receive analogue TV signals, try TVSharp.

GNU Radio Decoding NTSC and showing images on a Scope

Reverse Engineering Wireless Wall Outlets And Automatically Cloning OOK Signals

Wireless wall outlets are electrical outlets that can be turned on or off by a wireless remote. Fabien is an experimenter who was looking for a way to control the power of his home devices from a remote location using HTTP. He thought of building his own from scratch, but quickly realized that the device would need to be certified for insurance purposes. Instead he bought a cheap commercially made certified wireless wall outlet and reverse engineered the protocol using an RTL-SDR.

To do that he used the existing OOK-Decoder software available on GitHub. From the analysis provided by OOK-Decoder, Fabien was able to successfully reimplement the transmission using an AVR microcontroller and 433 MHz transceiver circuit from Sparkfun.

After being successful with this, Fabien decided to take the project a step further and create the OOKLONE – a device that could automatically clone any 433.92 MHz OOK signal and replay it. The video below shows the OOKLONE in action.

RTL_POWER Heatmap Viewer

Back in June we posted about DE8MSH's rtl_power based heatmap viewer, which was automatically regenerated every day on a Raspberry Pi. The browser based heatmap display shows the frequency and time at the mouse pointer's position, allowing you to easily identify signals.

Back then the code was unavailable but now DE8MSH has released his code on GitHub. An example heatmap generated by the code can be found here.

RTL_POWER Heatmap Viewer

Triangulation of a VHF Signal with RTLSDR-Scanner

A few months back we posted about how the RTLSDR-Scanner software had been updated to include signal triangulation capabilities. Now blogger Tobby has written a post about his attempt at triangulating the source of an encrypted police signal with RTLSDR-Scanner.

To do this he set up a laptop in his car with RTLSDR-Scanner installed and connected his RTL-SDR with stock antenna and a GPS receiver. After driving around for only 15 minutes he was able to get a triangulation heat map of reasonable accuracy.

RTLSDR-Scanner Signal Triangulation Heatmap

RTL_POWER Instructions

A new instructional page for the rtl_power tool is now available on main author keenerd's webpage. Rtl_power is a command line tool for logging wideband frequency power scans to a CSV file. The CSV files can then be used for analysis or to create a large frequency plot image. An example of a 2 GHz+ bandwidth scan over 24 hours is shown below. Rtl_power is available as part of the official osmocom RTL-SDR drivers.

Example scan over an E4000 dongle's entire frequency range.
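Both the DE8MSH heatmap viewer above and this rtl_power page start from the same CSV output, so here is an added example (not code from either project) that parses that CSV into a time/frequency grid, finds the strongest bins and flags bins that jump between consecutive sweeps, as a monitoring script would. The line layout (date, time, Hz low, Hz high, Hz step, samples, dB...) is my understanding of rtl_power's format, and the sample lines are constructed.

```python
"""Parse rtl_power CSV output into a time/frequency power grid (added example)."""
import csv
import io
from collections import defaultdict

# Assumed rtl_power line layout: date, time, hz_low, hz_high, hz_step, samples, dB, dB, ...
# Constructed sample: two sweeps, each made of two hops covering 88-92 MHz in 1 MHz bins.
SAMPLE_CSV = """\
2014-09-01, 10:00:00, 88000000, 90000000, 1000000.00, 50, -30.0, -12.5
2014-09-01, 10:00:00, 90000000, 92000000, 1000000.00, 50, -31.2, -29.8
2014-09-01, 10:00:10, 88000000, 90000000, 1000000.00, 50, -30.4, -11.9
2014-09-01, 10:00:10, 90000000, 92000000, 1000000.00, 50, -9.7, -30.1
"""

def parse_rtl_power(text):
    """Return {timestamp: {bin_centre_hz: dB}}; hops sharing a timestamp form one sweep."""
    grid = defaultdict(dict)
    for row in csv.reader(io.StringIO(text), skipinitialspace=True):
        if len(row) < 7:
            continue  # blank or truncated line
        d, t = row[0], row[1]
        lo, hi, step = float(row[2]), float(row[3]), float(row[4])
        for i, level in enumerate(row[6:]):
            centre = lo + i * step + step / 2  # centre frequency of bin i in this hop
            if centre > hi:
                break
            grid[f"{d} {t}"][centre] = float(level)
    return dict(grid)

def strongest_bins(grid, n=2):
    """The n strongest (timestamp, centre_hz, dB) cells across the whole scan."""
    cells = [(ts, f, db) for ts, bins in grid.items() for f, db in bins.items()]
    return sorted(cells, key=lambda c: c[2], reverse=True)[:n]

def new_signals(grid, threshold_db=10.0):
    """Bins whose level rises by more than threshold_db between consecutive sweeps,
    i.e. a transmitter that was absent from the previous sweep."""
    stamps = sorted(grid)
    found = []
    for prev, cur in zip(stamps, stamps[1:]):
        for f, db in grid[cur].items():
            if f in grid[prev] and db - grid[prev][f] > threshold_db:
                found.append((cur, f, round(db - grid[prev][f], 1)))
    return found

if __name__ == "__main__":
    g = parse_rtl_power(SAMPLE_CSV)
    print(strongest_bins(g), new_signals(g))
```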

Radio Astronomy with RTL Bridge and Radio-Sky Spectrograph

Amateur radio astronomy hobbyist Jim Sky has written on his blog about his new program called RTL Bridge, which allows the RTL-SDR to connect directly to his other radio astronomy programs Radio-SkyPipe and Radio-Sky Spectrograph. Jim describes his two existing programs as follows.

Radio-Sky Spectrograph displays a waterfall spectrum. It is not so different from other programs that produce these displays except that it saves the spectra at a manageable data rate and provides channel widths that are consistent with many natural radio signal bandwidths. For terrestrial, solar flare, Jupiter decametric, or emission/absorption observations you might want to use RSS.

Radio-SkyPipe is a souped-up strip chart program which plots signal strength over time. When getting its data from RTL Bridge, RSP is plotting the total power in the spectrum covered by the RTL receiver centered around its set frequency. While the raw values are proportional to power, you will have to apply a function via the RSP Equations feature to apply a calibration if you want absolute values. For signals that do not have significant spectral structure of interest, this would be the preferred way to plot the data.

RTL Bridge for Radio Astronomy

3D Frequency Spectrum Visualization with Chrome and RTL-SDR

Over on ttrftech's blog, written in Japanese (use Google Translate), ttrftech has uploaded a new RTL-SDR program for Chrome which allows 3D visualization of the frequency spectrum. The program can be installed by simply downloading the files from GitHub and loading them into Chrome. Ttrftech explains that the program should work on any OS, but he has so far only been able to test it on MacOS.

Chrome 3D Frequency Spectrum for RTL-SDR