Category: Digital Signals

SDRTrunk Setup and Use Tutorial

Over on his blog John Hagensieker has uploaded a tutorial that shows how to set up SDRTrunk with RTL-SDR dongles. SDRTrunk is an application that allows you to follow trunked radio conversations and decode some digital voice protocols such as P25 Phase 1. It is similar to Unitrunker and DSDPlus combined into one program. It is also Java based, so it is cross platform and can be used on Linux and MacOS systems as well.

John’s tutorial contains many useful screenshots, so it should be great for a beginner. He starts from the beginning, with finding trunking frequencies over on radioreference.com, then goes on to the installation and use on Linux. He also later explains how the Airspy can be used instead of multiple RTL-SDR to cover 10 MHz of bandwidth so that multiple systems can be monitored.

SDRTrunk Running and decoding a P25 Phase 1 System

Using an RTL-SDR as a Simple IMSI Catcher

Over on YouTube user Keld Norman has uploaded a video showing how he uses an RTL-SDR with gr-gsm and a Python script to create a simple IMSI catcher. IMSI stands for International Mobile Subscriber Identity and is a unique number that identifies a cell phone SIM card in GSM (2G) mobile phone systems. For security, IMSI numbers are usually only transmitted when a connection to a new cell tower is made. More advanced IMSI catchers used by government agencies use a fake cell tower signal to force the IMSI to always be revealed. This way they can track the location of mobile phones as well as other data, like who you are calling and when.

In the video Keld uses a Python script called IMSI-Catcher. This script displays the detected IMSI numbers, country, and mobile carrier on a text display. The video description shows how to install GR-GSM and the IMSI-Catcher script on Ubuntu.

IMSI-Catcher Python Script

Demodulating the Outernet signal with leandvb and an RTL-SDR

Leandvb is a lightweight, command-line DVB-S decoder designed for receiving Digital Amateur TV, including signals like HamTV from the International Space Station. The RTL-SDR can be used together with leandvb, and it turns out that leandvb can also be used to decode the Outernet signal. If you were unaware, Outernet is a free L-band satellite service that provides content such as news, weather data, APRS repeats and more. Currently you can get about 20MB of data a day. Outernet receivers are also all based around the RTL-SDR, allowing very cheap receivers to be built. At the moment you’ll need a C.H.I.P or their specialized Dreamcatcher hardware to run their special Skylark OS with its software decoder, but a general Armbian decoder is in the works.

Alternatively leandvb can be used, and over on their website the folks behind the leandvb software have uploaded a tutorial showing how to use leandvb to decode Outernet. Thanks to some reverse engineering work by Daniel Estévez, it was discovered that the Outernet modulation is very similar to DVB-S, so the standard decoder can be used with some custom flags. Leandvb only outputs raw frames, not decoded data. They haven’t tested it, but it may be possible to feed the frames into Daniel Estévez’s free-outernet project to obtain the final files.

During the testing they also discovered some interesting things about the E4000 and R820T RTL-SDRs. For example, by patching the R820T2 drivers to add some additional VGA gain, they were able to make the R820T2 chips more sensitive at the Outernet frequency than the E4000 chip by bringing the signal further out of the quantization noise. They also tested a 60cm dish against a patch antenna and found that the dish works significantly better.

Patch vs Dish Antenna for Outernet

Tutorial: Replay Attacks with an RTL-SDR, Raspberry Pi and RPiTX

With an RTL-SDR dongle, Raspberry Pi, piece of wire and literally no other hardware it is possible to perform replay attacks on simple digital signals like those used in 433 MHz ISM band devices. This can be used for example to control wireless home automation devices like alarms and switches.

In this tutorial we will show you how to perform a simple capture and replay using an RTL-SDR and RPiTX. With this method there is no need to analyze the signal, extract the data and replay it using a 433 MHz transmitter. RPiTX can replay the recorded signal directly without further reverse engineering, just as if you were using a TX capable SDR like a HackRF to record and transmit an IQ file.

Note that we’ve only tested this replay attack with simple OOK 433 MHz devices. Devices with more complex modulation schemes may not work with this method. But the vast majority of 433 MHz ISM band devices are using simple modulation schemes that will work. Also replay attacks will not work on things like car keys, and most garage door openers as those have rolling code security.

A video demo is shown below:

Hardware used and wireless ISM band devices tested with RPiTX

RpiTX

RPiTX is open source software which allows you to turn your Raspberry Pi into a general purpose transmitter for any frequency between 5 kHz and 500 MHz. It works by using square waves to modulate a signal on the GPIO pins of the Pi. If controlled in just the right way, FM/AM/SSB or other modulations can be created. By attaching a simple wire antenna to the GPIO pin these signals become RF signals transmitted into the air.

Of course this creates an extremely noisy output which has a significant number of harmonics. So to be legal and safe you must always use bandpass filtering. Harmonics could interfere with important life critical systems (e.g. police/EMS radio, aircraft transponders etc).

For testing, a short wire antenna shouldn’t radiate much further than a few meters past the room you’re in, so in this case you should be fine without a filter. But if you ever connect up to an outdoor antenna or amplify the signal then you absolutely must use adequate filtering, or you could find yourself in huge trouble with the law. Currently there are no commercially made 433 MHz filters for RPiTX available that we know of, so you would need to make your own. Also remember that you are still only allowed to transmit in bands that you are licensed to which for most people will be the ISM bands.

In the past we’ve seen RPiTX used for things like controlling an RC car, building a home made FM repeater, creating a ham transceiver and transmitting WSPR (via a well made filter). We’ve also seen people perform replay attacks using the cleaner but harder way by reverse engineering a 433 MHz signal, and then generating the RPiTX OOK modulation manually.


Installing and Using SDRTrunk on Linux for Live Trunk Tracking with an RTL-SDR

SDRTrunk is a cross platform, Java based piece of software that can be used for following trunked radio conversations. In addition to trunk tracking it also has a built in P25 Phase 1 decoder. Compared to Unitrunker, SDRTrunk is an all-in-one package, and it currently supports most trunking system control channels, but unlike Unitrunker it still lacks support for some systems such as EDACS and DMR.

Over on his YouTube channel AVT Marketing has uploaded an excellent 6-part video series that shows how to install SDRTrunk and the Java runtime environment on Ubuntu Linux. The sections covered include installing Java, setting the Java environment variables, installing other SDRTrunk prerequisites such as Apache Ant and the JMBE audio codec for decoding P25, and finally setting up and using SDRTrunk. Like all of AVT’s other videos, this is an excellent tutorial that takes you through the entire process from the very beginning, so it is useful for beginners as well.

If you’re new to trunking: Trunking systems are typically used with handheld radio systems (e.g. those that police, security guards, workmen etc carry around). The basic idea is that each radio constantly listens to a digital control channel which tells it what frequency to switch to if a call is being made. This allows the frequency spectrum to be shared, instead of designating one fixed frequency per user which would be very inefficient. But this system makes it difficult for scanner radios to listen in to, because the voice frequency could change at any time. Therefore software like Unitrunker and SDRTrunk which can decode the control channel is required. In addition many new systems use digital audio like P25 or DMR which requires digital decoders like SDRTrunk or DSDPlus.
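To make the control-channel idea concrete, here is a small added example (not code from SDRTrunk or Unitrunker) that models a scanner following one talkgroup: it decodes constructed control-channel "grant" and "end" messages and retunes to whatever voice channel the talkgroup is assigned next. The message format, frequencies and talkgroup numbers are assumptions made up for illustration.

```python
"""Toy model of trunk tracking: a scanner follows a single talkgroup by
decoding control-channel grants and retuning to the assigned voice channel.
Added example; not code from SDRTrunk or Unitrunker. The message format,
frequencies and talkgroup numbers below are constructed for illustration."""
from dataclasses import dataclass, field


@dataclass
class TrunkFollower:
    control_freq_mhz: float          # the control channel the scanner parks on
    talkgroup: int                   # the talkgroup we want to hear
    tuned_mhz: float = field(init=False)
    log: list = field(default_factory=list)

    def __post_init__(self):
        self.tuned_mhz = self.control_freq_mhz

    def handle(self, msg: dict) -> float:
        """Apply one decoded control-channel message and return the frequency
        the scanner is now tuned to (a voice channel, or the control channel)."""
        if msg["type"] == "grant" and msg["tg"] == self.talkgroup:
            self.tuned_mhz = msg["freq_mhz"]            # follow the call
            self.log.append(f"TG {msg['tg']} granted {msg['freq_mhz']:.4f} MHz")
        elif msg["type"] == "end" and msg["tg"] == self.talkgroup:
            self.tuned_mhz = self.control_freq_mhz      # call over, back to CC
            self.log.append(f"TG {msg['tg']} call ended")
        return self.tuned_mhz


def follow(control_freq_mhz: float, talkgroup: int, messages: list):
    """Run a follower over a message stream; return (tuned freq per step, log)."""
    follower = TrunkFollower(control_freq_mhz, talkgroup)
    return [follower.handle(m) for m in messages], follower.log


# Constructed control-channel traffic: two talkgroups share a pool of voice
# channels, and the same talkgroup lands on a different channel each call.
CONTROL_MHZ = 854.9875
MESSAGES = [
    {"type": "grant", "tg": 101, "freq_mhz": 855.2375},
    {"type": "grant", "tg": 205, "freq_mhz": 855.7625},   # another TG, ignored
    {"type": "end",   "tg": 101},
    {"type": "grant", "tg": 101, "freq_mhz": 856.0125},   # same TG, new channel
    {"type": "end",   "tg": 205},
    {"type": "end",   "tg": 101},
]

if __name__ == "__main__":
    tuned, log = follow(CONTROL_MHZ, 101, MESSAGES)
    print(tuned)
    print("\n".join(log))
```

A conventional scanner parked on 855.2375 MHz would miss the second call entirely, which is exactly why control-channel decoding is needed.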

QIRX SDR Updated: Legacy DAB, DAB Transmitter Identifications and more

Back in May of this year we posted about QIRX SDR, which back then was a brand new multimode SDR program compatible with the RTL-SDR. One of its defining features is that it has a built in DAB+ decoder. Recently QIRX SDR has been updated to version 0.9.1; the new features are quoted below:

General:

  • Updated Documentation
  • Device Frontend: Manual Center Freq. Correction in kHz
  • Waterfall Spectrum
  • Raw Recording: Playback Control, for a timed positioning (“seek”) in “arbitrary” large (GBytes) recorded raw files.

DAB:

  • Legacy DAB, intended for users where DAB+ is not generally available, like in the UK or Spain. As this could only be superficially tested here in Germany (no standard DAB any more, I used some raw samples recorded in Madrid), I would be very interested in feedback from users about it.
  • Synchronization of raw files recorded with central frequency offset
  • Enhanced manual synchronization control, mainly for tests in mobile environments
  • Detection of the Transmitter Identifications (TII). However, as this is a feature only useful for specialized applications, it is not included in the distribution. To my knowledge, qirx is the only DAB SDR having this feature.

Some Bug fixing.

The QIRX team have also added a new Quickstart Guide to help users get set up with their software quickly. In addition, QIRX author Clem also writes that the QIRX software will be demonstrated during this weekend’s Ham-Radio fair in Friedrichshafen, Germany.

QIRX SDR Updated

Listening to and Tracking NXDN/IDAS Trunking Systems with two RTL-SDRs

Over on YouTube user radiosification has uploaded a video tutorial that shows how to decode, follow and listen to NXDN/IDAS trunking radio signals. NXDN/IDAS is a narrowband digital voice protocol commonly used with handheld radio terminals.

In the tutorial radiosification explains how to set up DSDPlus and its frequencies text file to automatically listen to and track conversations using the control channel. SDR# is initially used to find the NXDN control and voice channels, which are then entered into the text file. With this method only DSDPlus and its corresponding receiver FMP are used; trunking software like Unitrunker is not needed.

Radiosification also notes that the method he presents can also be used for other digital trunking systems such as P25 as well.

Android App Aerial TV Banned from Google Play – Now Available on Amazon

Aerial TV is an Android app that allows you to watch DVB-T TV with an RTL-SDR on a mobile device. We posted about Aerial TV back in April and it was available on the Google Play store back then. Unfortunately Aerial TV has recently been banned from the Google Play store as apparently the app can be used to display copyrighted material from TV. The author writes the following on a Facebook post:

Google Play has suspended Aerial TV due to “[Aerial TV] claims to provide copyrighted contents from TV channels”. According to Google apps that display live TV are of “questionable nature”. I am trying to clarify what they mean. I would like to apologize to all affected users. If you have any concerns, feel free to get in touch with Google directly.

This is quite odd and probably a mistake. But if you are looking for Aerial TV, it is now available on the Amazon app store with a current 35% discount. If you bought the app on the Google Play store, then to get new updates you will need to uninstall it, contact the developer for a refund, and then purchase it again on the Amazon store. More info about that is available on the Facebook page. Updates about its availability will always be provided on the official website at aerialtv.eu.