Category: Tutorial

Building your own Rogue GSM Basestation with a BladeRF

Over on his blog, author Simone Margaritelli has added a tutorial that shows how to set up a bladeRF to act as a GSM basestation (cell tower). Having your own GSM basestation allows you to create your own private and free GSM network, or, for more malicious illegal users, it can allow you to create a system for intercepting people's calls and data. Simone stresses that it is well known that GSM security is broken (and is probably broken by design), and that it is about time these flaws were fixed.

In his tutorial he uses a single bladeRF x40 and a Raspberry Pi 3 as the processing hardware. The bladeRF is a $420 transmit and receive capable software defined radio with a tuning range of 300 MHz – 3.8 GHz and a 12-bit ADC. He also uses a battery pack, which makes the whole thing portable. The software used is Yate and YateBTS, which is open source GSM basestation software. Installation as shown in the tutorial is as simple as doing a git clone, running a few compilation lines and doing some simple text configuration. Once set up, mobile phones will automatically connect to the basestation due to the design of GSM.

Once set up, you can go further and create your own private GSM network, or make the whole thing act as a “man-in-the-middle” proxy to a legitimate GSM USB dongle, which would allow you to sniff the traffic of anyone who unknowingly connects to your basestation. This is similar to how a “Stingray” operates, which is an IMSI-catcher device used by law enforcement to intercept and track GSM communications. More information on using the bladeRF as an IMSI catcher with YateBTS can be found in this white paper.

bladeRF x40, Raspberry Pi 3 and a battery pack. Running a GSM basestation.

RTL-SDR Tutorial: Receiving and Decoding Data from the Outernet

Outernet is a relatively new satellite service which aims to be a “library in the sky”. Essentially their service is going to be constantly transmitting files and data like news and weather updates from geostationary satellites that cover almost the entire world. Geostationary means that the satellites are in a fixed position in the sky, and do not move over time. By simply pointing a small patch antenna at the sky (with an LNA and RTL-SDR receiver), it is possible to download and decode this data from almost anywhere in the world. Their aim is to provide up to date information to users in locations with little to no internet (rural, third world and at sea), or in countries with censored internet. It may also be of interest to disaster preppers who want an “off-grid” source of news and weather updates. It can be thought of as a kind of one-way, download-only internet service.

Currently the L-band service is being tested, and while they are not yet sending actual Outernet files, they are already sending several daily test files like small videos, images and text documents, as well as GRIB files for mariners. At a maximum you can expect to receive up to about 20 MB of data a day from their satellite. Previously they had C-band services, but these required large satellite dishes. The C-band service is due to be discontinued at some point in the future.

In this guide we’ll show you how to set up an Outernet L-band receiver with an RTL-SDR dongle. If you enjoy this guide then you might also enjoy our Inmarsat STD-C EGC Decoding Tutorial which has similar hardware requirements.

Outernet Setup: Patch Antenna -> LNA -> RTL-SDR with Bias Tee -> Raspberry Pi

Downloaded Files

Book Download

Video Download

Image Download

GSM Sniffing: A Full YouTube Tutorial

Over on YouTube, user Crazy Danish Hacker has been working on uploading an entire series on GSM sniffing with an RTL-SDR. His series is explained in a slow and clear presenting style, and it starts at the very beginning with installing the RTL-SDR. The tutorial series is not yet complete; however, he is uploading a new video almost daily. Presumably the series will end by showing how to receive text messages and voice calls originating from your own cellphone.

So far he has shown how to install the RTL-SDR, identify GSM downlinks, install and use GQRX and kalibrate, locate nearby cell towers, install and use GR-GSM, and how to extract the TMSI & KC keys from your own cell phone. To obtain the TMSI & KC keys he shows how to use an Android tool called usbswitcher, which forces the phone to use its USB modem interface, from which the keys can be read.

The video below shows his teaser video on the series. Check out his GSM playlist to view the full series.

https://www.youtube.com/watch?v=uSPAAuBEBRs

Review: FlightAware ADS-B RTL-SDR + LNA Positioning

Recently FlightAware released a new RTL-SDR dongle sold at zero profit for $16.95 USD. Its main feature is that it comes with an ADS-B optimized low noise amplifier (LNA) built directly into the dongle. FlightAware.com is a flight tracking service that aims to track aircraft via many volunteer ADS-B contributors around the world who use low cost receivers such as the RTL-SDR. In this post we will review their new dongle and, at the same time, provide some basic insights into LNA positioning theory to show in what situations this dongle will work well.

FlightAware Dongle Outside

A good LNA has a low noise figure and a high IIP3 value. Here is what these things mean.

Creating a DIY 88-108 MHz FM Trap

One of the most problematic strong signals you can encounter is regular 88 – 108 MHz broadcast FM. These stations transmit at high power and can cause overloading and intermodulation problems on simple receivers such as the RTL-SDR. This means that FM stations can prevent you from receiving signals even when you are tuned far away from the broadcast band.

The simplest solution for reducing strong FM stations is to build an FM trap. This is simply a band stop filter that blocks frequencies between 88 – 108 MHz from entering your radio. Adam (9A4QV), the creator of the popular LNA4ALL and several other RTL-SDR compatible products, has recently uploaded an article showing how to build a home made FM trap out of cheap common parts.

Adam's article goes through and explains the design of an FM trap and how to use freeware software to aid in the calculations. The final FM trap designed by Adam uses just 3 common SMD capacitors and 3 hand wound coils. His filter attenuates more than 30 dB in the 88-108 MHz range with an insertion loss of less than 1 dB up to 1.7 GHz.

A DIY FM Trap

Tutorial on Properly Positioning a Preamp (LNA) in a Radio System

Radio blogger Anthony Stirk has made a post on his blog explaining some critical concepts behind why it is important to position a low noise amplifier (LNA) near the antenna rather than near the radio. In the post Anthony explains how the Noise Figure (NF) and linearity (IP3) of a radio system affect reception.

Using the free AppCAD RF design assistant software, Anthony explains how the noise figure of a system increases with longer coax cable runs, and how it can be reduced by placing an LNA right next to the antenna. He also explains why the sensitivity of the radio won’t increase if the LNA is instead placed close to the radio.

In addition to this, he also explains why adding more LNAs to a system decreases the linearity (IP3) of the system, and that if the receiver has a built in LNA, the system linearity can be severely degraded by adding extra LNAs, causing easy overloading and intermodulation. In conclusion Anthony writes the following:

In summary, a setup with a good antenna system connected to a receiver with a built in LNA:

  • May not benefit from having a preamp at the antenna.
  • The presence of a built in LNA is detrimental to the linearity and may degrade the signals.

So in conclusion:

  • Put the preamp as close to the antenna as possible.
  • Receivers with a built in LNA may not get the most out of an antenna system or preamp.
  • Proper gain distribution guarantees better performance than one-size-fits-all solutions, both in terms of sensitivity and strong signals handling.

Optimal Setup: Antenna -> LNA -> Coax -> Receiver
NF and Linearity Calculations in AppCAD
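The two quantities Anthony's post and the FlightAware review turn on, system noise figure and system IIP3, both follow from simple cascade formulas: Friis for noise figure, and the input-referred sum for IIP3. The script below is an added example written for this page; it is not Anthony Stirk's code, nor anything from AppCAD or FlightAware. Every part value in it (a 20 dB / 1 dB NF / +5 dBm IIP3 LNA, a 6 dB feedline, an RTL-SDR-class receiver with 6 dB NF and -10 dBm IIP3) is an assumption chosen for illustration, not a measurement. It compares the same three parts in the placements the post discusses, plus a chain with two LNAs in front, so the linearity penalty of stacking amplifiers is visible alongside the noise-figure gain.

```python
"""Cascaded noise figure (Friis) and cascaded IIP3 for a receive chain.

Added example, not from Anthony Stirk's post or from AppCAD. All gain,
noise figure, coax loss and IIP3 values below are assumed for illustration.
"""
from __future__ import annotations

import math
from dataclasses import dataclass


def db_to_lin(db: float) -> float:
    """Convert dB (or dBm) to a linear power ratio (or mW)."""
    return 10 ** (db / 10)


def lin_to_db(lin: float) -> float:
    """Convert a linear power ratio (or mW) to dB (or dBm)."""
    return 10 * math.log10(lin)


@dataclass
class Stage:
    name: str
    gain_db: float      # power gain; negative for a lossy part
    nf_db: float        # noise figure of this stage alone
    iip3_dbm: float     # input third-order intercept; math.inf = no distortion


def coax(name: str, loss_db: float) -> Stage:
    """Passive lossy line at room temperature: NF equals its loss, IIP3 is ideal."""
    return Stage(name, -loss_db, loss_db, math.inf)


def cascade_nf_db(stages: list[Stage]) -> float:
    """Friis formula: F = F1 + (F2-1)/G1 + (F3-1)/(G1*G2) + ... (linear terms)."""
    f_total = 0.0
    gain_before = 1.0   # product of the linear gains in front of the current stage
    for i, s in enumerate(stages):
        f = db_to_lin(s.nf_db)
        f_total += f if i == 0 else (f - 1) / gain_before
        gain_before *= db_to_lin(s.gain_db)
    return lin_to_db(f_total)


def cascade_iip3_dbm(stages: list[Stage]) -> float:
    """Cascaded IIP3 in mW: 1/IIP3 = 1/IIP3_1 + G1/IIP3_2 + G1*G2/IIP3_3 + ..."""
    inv_sum = 0.0
    gain_before = 1.0
    for s in stages:
        if math.isfinite(s.iip3_dbm):
            inv_sum += gain_before / db_to_lin(s.iip3_dbm)
        gain_before *= db_to_lin(s.gain_db)
    return math.inf if inv_sum == 0 else lin_to_db(1 / inv_sum)


# Assumed parts (illustrative, not measured values).
LNA = Stage("LNA", 20.0, 1.0, 5.0)
FEEDLINE = coax("coax", 6.0)
RECEIVER = Stage("receiver", 0.0, 6.0, -10.0)

PLACEMENTS = {
    "no LNA":              [FEEDLINE, RECEIVER],
    "LNA at antenna":      [LNA, FEEDLINE, RECEIVER],
    "LNA at receiver":     [FEEDLINE, LNA, RECEIVER],
    "two LNAs at antenna": [LNA, LNA, FEEDLINE, RECEIVER],
}


def compare_placements(placements=PLACEMENTS) -> dict[str, tuple[float, float]]:
    """Return {name: (system NF in dB, system IIP3 in dBm)} for each chain."""
    return {name: (cascade_nf_db(chain), cascade_iip3_dbm(chain))
            for name, chain in placements.items()}


if __name__ == "__main__":
    for name, (nf, iip3) in compare_placements().items():
        print(f"{name:22s} NF = {nf:5.2f} dB   IIP3 = {iip3:6.1f} dBm")
```

With these assumed parts the bare chain has a 12 dB system noise figure (coax loss plus receiver NF). Moving the LNA to the antenna brings that to about 1.5 dB, while the same LNA at the receiver end leaves it near 7 dB, because the feedline loss still sits in front of it. The cost shows up in the second column: each 20 dB LNA ahead of the receiver lowers system IIP3 by roughly 20 dB, from about -4 dBm with no LNA to about -24 dBm with one and -44 dBm with two, which is exactly the overload and intermodulation risk the post warns about when LNAs are stacked in front of a receiver that already has one built in.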

RTL-SDR Tutorial: Decoding Inmarsat STD-C EGC Messages

Inmarsat is a communications service provider with several geostationary satellites in orbit. They provide services such as satellite phone communications, broadband internet, and short text and data messaging services. Geostationary means that the satellites are in a fixed position in the sky and do not move. From almost any point on earth at least one Inmarsat satellite should be receivable.

Inmarsat transmits in the L-band at around 1.5 GHz. With an RTL-SDR dongle and either a cheap $10 modified GPS antenna or 1-2 LNAs with a patch, dish or helix antenna, you can listen to these Inmarsat signals, and in particular decode one channel known as STD-C NCS. This channel is mainly used by vessels at sea and contains Enhanced Group Call (EGC) messages, which carry information such as search and rescue (SAR) and coast guard messages as well as news, weather and incident reports. More information about L-band reception is available at UHF-Satcom's page. See the end of this post for a tutorial on modifying a GPS antenna for Inmarsat reception.

Also, as a small aside, you might want to use this tutorial to practice your L-band reception, since Outernet are planning to begin their L-band broadcasts later this year, possibly from Inmarsat or equivalent satellites. These broadcasts will be at a nearby frequency and will contain about 10 megabytes of daily data. The RTL-SDR should also be able to receive these broadcasts if a compatible decoder is written.

Some examples of the EGC messages you can receive on the STD-C NCS channel are shown below:

Military Operations: Live Firing Warning
STRATOS CSAT 4-AUG-2015 03:21:25 436322
SECURITE
FM: RCC NEW ZEALAND 040300 UTC AUG 15

COASTAL NAVIGATION WARNING 151/15

AREA COLVILLE, PLENTY
CUVIER ISLAND (REPUNGA ISLAND), BAY OF PLENTY
1. LIVE FIRING 060300 UTC TO 060500 UTC AUG 15 IN DANGER AREA NZM204. 
ANNUAL NEW ZEALAND NOTICES TO MARINERS NUMBER 5 REFERS.
2. CANCEL THIS MESSAGE 060600 UTC AUG 15
NNNN
Armed Robbery / Pirate Warning
NAVAREA XI WARNING
NAVAREA XI 0571/15
SINGAPORE STRAIT.
ARMED ROBBERY INFORMATION. 301845Z JUL.
01-04.5N 103-41.8E.
FIVE ROBBERS ARMED WITH LONG KNIVES IN A SMALL UNLIT HIGH SPEED BOAT APPROACHED A BULK CARRIER UNDERWAY.  ONE OF THE ROBBERS ATTEMPTED TO BOARD THE SHIP USING A HOOK ATTACHED TO A ROPE. ALERT CREW NOTICED THE ROBBER AND RAISED THE ALARM AND CREW RUSHED TO THE LOCATION. HEARING THE ALARM AND SEEING THE CREW ALERTNESS, THE ROBBERS ABORTED  THE ATTEMPTED ATTACK AND MOVED AWAY. INCIDENT REPORTED TO VTIS SINGAPORE. ON ARRIVAL AT SINGAPORE WATERS, THE COAST GUARD BOARDED THE SHIP FOR INVESTIGATION.

VESSELS REQUESTED TO BE CAUTION ADVISED.
Armed Robbery / Pirate Warning
NAVAREA XI WARNING
NAVAREA XI 0553/15
SINGAPORE STRAIT.
ROBBERY INFORMATION. 261810Z JUL. 
01-03.6N 103-36.7E. 
DUTY ENGINEER ONBOARD AN UNDERWAY PRODUCT TANKER DISCOVERED THREE ROBBERS IN THE ENGINE ROOM NEAR THE INCINERATOR SPACE. THE ROBBER THEIR BOAT. A SEARCH WAS CARRIED OUT. NO ROBBERS FOUND ON BOARD AND NOTHING REPORTED STOLEN. VTIS SINGAPORE INFORMED. COAST GUARD BOARDED THE TANKER FOR INVESTIGATION UPON ARRIVAL AT SINGAPORE PILOT EASTERN BOARDING AREA.VESSELS REQUESTED TO BE CAUTION ADVISED.
CANCEL 0552/15.
Submarine Cable Repair Warning
NAVAREA XI WARNING
NAVAREA XI 0569/15
NORTH PACIFIC. 
SUBMARINE CABLE REPAIRING WORKS BY 
C/V ILE DE SEIN. 05 TO 20 AUG. 
IN VICINITY OF LINE BETWEEN 
A. 21-37.3N 156-11.5W AND 25-03.6N 148-43.2E.
CANCEL THIS MSG 21 AUG.
Search and Rescue – Missing Vessel
ON PASSAGE FROM LAE (06-44S 147- 00E) TO FINSCHHAFEN (06-36S 147-51E), MOROBE PROVINCE. VESSEL DEPARTED LAE AT 310500Z JUL 15 FOR FINSCHAFFEN WITH ETA OF 310800Z JUL 15 BUT FAILED TO ARRIVE. 
ALL VESSELS REQUESTED TO KEEP A SHARP LOOKOUT AND BE PREPARED TO RENDER ASSISTANCE. REPORTS TO THIS STATION OR MRCC PORT MORESBY VIAEMAIL: ******@****.***.**, TELEPHONE +*** *** ****; RCC AUSTRALIA VIA TELEPHONE +*********** INMARSAT THROUGH LES BURUM (POR ***,IOR***), SPECIAL ACCESS CODE (SAC) **, HF DSC *******
NL BURUM LES 204 4-AUG-2015 03:23:14 773980
AMSA_ER 23150928
PAN PAN
FM JRCC AUSTRALIA 030858Z AUG 15 INCIDENT 2015/5086
AUS4602 CORAL AND SOLOMON SEAS
23FT WHITE BANANA BOAT WITH BROWN STRIPES, AND A 40HP OUTBOARD AND 5 ADULT MALES IS OVERDUE ON PASSAGE FROM LAE (06-44S 147- 00E) TO FINSCHHAFEN (06-36S 147-51E), MOROBE PROVINCE. VESSEL DEPARTED LAE AT 310500Z JUL 15 FOR FINSCHAFFEN WITH ETA OF 310800Z JUL 15 BUT FAILED TO ARRIVE. 
ALL VESSELS REQUESTED TO KEEP A SHARP LOOKOUT AND BE PREPARED TO RENDER ASSISTANCE. REPORTS TO THIS STATION OR MRCC PORT MORESBY VIA EMAIL: *******@****.***.**, TELEPHONE +*** *** ****; RCC AUSTRALIA VIA TELEPHONE +************ INMARSAT THROUGH LES BURUM (POR ***,IOR ***), SPECIAL ACCESS CODE (SAC) **, HF DSC *********, EMAIL: ******@****.***.** OR BY FAX +************.
NNNN
Scientific Research Vessel Drilling – Request for wide clearance
NL BURUM LES 204 4-AUG-2015 02:29:41 709950
AMSA_ER 23153978
SECURITE
FM JRCC AUSTRALIA 040224Z AUG 15 
AUSCOAST WARNING 202/15
SPECIAL PURPOSE VESSEL JOIDES RESOLUTION CONDUCTING DRILLING OPERATIONS IN POSITION 28 39.80` S 113 34.60` E
2.5NM CLEARANCE REQUESTED.
NNNN
Weather Warning
PAN PAN
TROPICAL CYCLONE WARNING / ISSUED FOR THE NORTH OF EQUATOR OF METAREA
XI(POR).
WARNING 050900.
WARNING VALID 060900.
TYPHOON WARNING.
TYPHOON 1513 SOUDELOR (1513) 930 HPA
AT 19.9N 133.2E WEST OF PARECE VERA MOVING WEST 12 KNOTS.
POSITION GOOD.
MAX WINDS 95 KNOTS NEAR CENTER.
RADIUS OF OVER 50 KNOT WINDS 80 MILES.
RADIUS OF OVER 30 KNOT WINDS 240 MILES NORTH SEMICIRCLE AND 210 MILES
ELSEWHERE.
FORECAST POSITION FOR 052100UTC AT 20.1N 130.6E WITH 50 MILES RADIUS
OF 70 PERCENT PROBABILITY CIRCLE.
935 HPA, MAX WINDS 90 KNOTS NEAR CENTER.
FORECAST POSITION FOR 060900UTC AT 20.8N 128.1E WITH 75 MILES RADIUS
OF 70 PERCENT PROBABILITY CIRCLE.
935 HPA, MAX WINDS 90 KNOTS NEAR CENTER.

JAPAN METEOROLOGICAL AGENCY.=

A Tutorial on Decoding NOAA and Meteor M2 Weather Satellite Images in Ubuntu

Recently an RTL-SDR.com reader by the name of Pete wrote in to let us know about a comprehensive tutorial that he has written about setting up NOAA and Meteor M2 weather satellite decoding in Ubuntu Linux with an RTL-SDR.

Pete’s tutorial starts from a fresh install of Ubuntu and uses GQRX, GNU Radio Companion, WxtoIMG and the Meteor M2 decoding tools. He shows how to set up audio piping within Linux, how to run the Meteor M2 LRPT Offline Decoder Windows tool under Wine (a Windows compatibility layer for Linux), and how to use WxtoIMG together with GQRX.

The NOAA and Meteor M2 weather satellites transmit images that they have taken of the earth. With an RTL-SDR and an appropriate antenna you can receive these images. On this blog we have Windows tutorials on receiving the NOAA and Meteor M2 satellites.

The Windows LRPTOfflineDecoder tool running in Linux with Wine.