L-Band Setup with Mini LNA4ALL and Mini Patch Antenna

Over on his YouTube channel Adam 9A4QV has uploaded a new video showing reception of L-band signals with a bias tee powered LNA4ALL and a small patch antenna. The video seems to show a new miniature bias tee powered LNA4ALL device that Adam might be working on. The LNA4ALL is a low noise amplifier that works well with our bias tee capable RTL-SDR dongles.

The patch antenna is made out of a single piece of PCB board which was made by etching out the patch pattern with masking tape. While the patch antenna is not optimal, and tested indoors, Adam is still able to receive some AERO signals.

Later in the video he compares the PCB patch against a GPS patch antenna which gets no reception. He also compares the results when two LNA4ALL’s are used in series. Using two LNA’s improves reception slightly.


Experimenting with Broadcast FM RDS (TMC, RT+) and SCA Audio

A typical broadcast FM station can sometimes contain “hidden” subcarriers embedded within the main signal. The subcarriers contain data or audio services.

An example of a data subcarrier hidden within broadcast FM is the “Traffic Message Channel” (TMC). The TMC contains traffic data, and is used on GPS devices that advertise as having live traffic capabilities. TMC data is encrypted so that it can be sold, but is very easily broken. Another data service is RDS-RT+ data which transmits song information, for radios that can display it.

An example of a voice subcarrier (SCA/ACS) might be niche radio stations, such as ethnic stations, elevator music, music for doctors offices etc. Usually a specialized radio is required to receive a SCA channel. In a previous post we showed how a user was able to receive SCA on Windows.

Over on his blog Gough Lui has been investigating the broadcast FM subcarriers in his home town of Sydney, Australia. In his post he looks at TMC, RDS-RT+ and SCA subcarriers and explains a bit about what they are and how they work. He also goes on to receive and decode the subcarriers with an RTL-SDR, gr-rds and GNU Radio. While Gough doesn’t bother to decrypt the TMC service, he can still see when an event occurs and what the even was. Without decryption he just doesn’t know where the location on the event is. For SCA he wrote a GNU Radio program to extract the audio subcarrier and was able to decode audio from a local Indian station for migrants.

SCA GNU Radio Decoder
SCA GNU Radio Decoder

Identifying Transmitters with CTCSS Fingerprinting

Oona Räisänen is a RF hacker and enthusiast who has in the past brought us posts about decoding burger pagers in restaurants, decoding wireless bus signs and FM-RDS with SDR’s like the RTL-SDR. This time she has written an interesting post that shows how she can “fingerprint” radio transmitters by analysing their CTCSS transmissions. CTCSS is short for “Continuous Tone-Coded Squelch System” and is a low frequency tone added on to some transmissions used in handheld radio systems shared by several distinct groups. The CTCSS tone prevents users of a shared system from having to listen to other users talking if they are not part of the same group with the same CTCSS tone frequency. CTCSS provides no means for actually individually identifying a radio.

Oona wanted to see if she could fingerprint and thus identify individual radios by their CTCSS tone by looking at identifying features such as small variances in CTCSS tone power and frequency. The idea is that each radio will have minute differences in the exact tone and power produced by the CTCSS circuitry, due to differences in the crystal oscillators and component tolerances. Oona used an RTL-SDR to record CTCSS data from a conversation on a local handheld radio network. Then by plotting the frequency vs power data on a heatmap graph she was able to find 8 different clusters of points, which potentially identifies 8 individual handheld radios.

Frequency vs power heatmap identifying 8 different radios.
Frequency vs power heatmap identifying 8 different radios.

With the individual radios identifiable by their cluster centers, each cluster can be assigned a name. Now each subsequent transmission can be compared to each cluster center, and assigned to the closest matching cluster, thus matching a new unknown transmission with a known radio. This makes it easier for someone listening in with no context to follow a conversation. 

Assign names to each radio.
Assign names to each radio/cluster center.

Outernet rxOS Version 3 Released: Automatic Decompression, APRS, NOAA Weather Data, News Updates

Outernet is a new L-band satellite services which aims to be a “library in the sky”. Their satellite signal can be received from almost anywhere in the world, and they aim to constantly transmit data like news, weather updates, books, images/videos and other data files. The service is free and can be received with an RTL-SDR, LNA and patch antenna. We have a full tutorial on receiving their service available here.

The “rxOS” decoder, file management system and web interface GUI has recently been updated to version 3.0. This new version has several new features:

  1. Downloaded files are automatically decompressed after downloading, so they can be viewed directly in the Outernet web interface.
  2. An hourly transmission of APRS data which comes from the repeater on board the international space station. APRS messages can now be relayed across the world via the ISS and Outernet.
  3. This Monday they will begin transmitting NOAA weather data (we are unsure if this entails images or text data yet)
  4. Soon they should begin transmitting news data too.

More details on the update can be found on their forum post. To update the service on a CHIP or Pi 3, download the .pkg file from the links on the forum and choose this file in the Update Firmware section of the Outernet settings menu. 

An example of some received APRS messages from the Outernet.
An example of some received APRS messages from the Outernet.
APRS messages

RTLSDR4Everyone: Review of the RTL-SDR V3 + Avoid Ripoff’s Part 4

Akos from the RTLSDR4Everyone blog has just released several new posts. The first three posts review our V3 dongle and the fourth post continues his series on helping users avoid bad deals when it comes to RTL-SDRs.

The first post compares the NooElec SMArt against the V3. Akos finds that the SMArt has a better enclosure for use with the Raspberry Pi, but the V3 has more features and a lower price. The second post is a general review of the V3 dongle, where Akos reviews the features of the V3, shows what comes in the package, shows visually the difference between V2 and V3 PCBs and demonstrates how the V3 has a cleaner waterfall with less spurs. Finally, the third post compares the V2, V3 and SMArt on ADS-B and concludes that there is little to no difference between the three.

The fourth post points out some rip off RTL-SDR related auctions found on eBay. As stated before we believe that the majority of these ripoff sellers are people who are using market arbitrage bots. These bots simply take a listing from Amazon or elsewhere and list it on eBay as their own with a price markup. Then when a buyer purchases from them, they simply order directly from the original seller and get them to ship to the customer. While this is unethical, it seems to be allowed by eBay.

ADS-B Shootout setup

The 20th Cyberspectrum Software Defined Radio Meetup

Every month SDR evangelist Balint Seeber hosts the Cyberspectrum Meetup in San Francisco, where many SDR fans come together to listen to various presentations. The 20th Cyberspectrum SDR meetup has now concluded, and the recorded video is available on YouTube.


The talks this time include a very interesting talk by Joe Steinmetz (@usa_satcom) about decoding L-Band weather satellites such as NASA GOES. Previously we made a post regarding GOES where Reddit user devnulling showed his GOES reception setup. To save time, on the video Joe’s talk starts at 00:10:45.

This presentation will cover most aspects of receiving, demodulating and decoding current L-Band Weather Satellite signals (NOAA, MetOp, Meteor, FengYun, GOES). Topics will include hardware, software, de-modulation/decoding techniques, challenges, flows as well as cool sample images and data.


 The second talk is titled “Disposable, Stealthy, Cheap SIGINT” is by Chris Kuethe, @kj6gve and delves into topics relating to low cost signal analysis. Chris’ talk starts at 1:45:00. The blurb reads:

This presentation covers some observations and considerations for using inexpensive and compact ARM boards for signals analysis.  Topics may include: power budget, air interface, attributability, performance tuning, lolcats and doges.


TETRA Decoding on Windows with Telive

TETRA is a type of digital voice and trunked radio communications system that stands for “Terrestrial Trunked Radio”. It is used heavily in many parts of the world, except for the USA. Telive is a decoder for TETRA which is compatible with RTL-SDR dongles, and has been around and in use for almost 2 years now. If you have unencrypted TETRA signals available in your area it can be used to listen in on them.

Telive is dependent on GNU Radio, so it is normally installed and used on a Linux system. Previously we wrote a tutorial on it’s installation and use, and other users have also made bootable Linux images of telive available.

However, now a TETRA experimenter by the handle of “cURLy bOi” has released a new prototype of a telive modification that works on Windows systems. It makes use of the GNU Radio for Windows development. The telive Windows file can be downloaded from curly’s webserver. His reademe file shows how to install and use the software and it reads:

This has been put together as lowest-effort configuration
to run telive on Windows system. I have also optimized to process (for example adding the CQPSK block to GRC since the python code in the original telive package is IN FACT some unused part of GNU Radio)

This package contains pre-compiled binaries that work on my 64-bit system. I have compiled them inside the M-SYS2 package. If you don’t trust me, you can follow the installation guide from telive docs, just be prepared you are going to need a lot of packages for the M-SYS2 (pacman -S gcc automake git wget, etc.)

1) Download GNU Radio for Windows from http://www.gcndevelopment.com/gnuradio/downloads.htm
and install
2) Copy contents of gnuradio_mod to c:\Program Files\GNURadio-3.7\
3) Download and install M-SYS2 from https://sourceforge.net/projects/msys2/ and install
4) Copy contents of msys_root to your M-SYS2 installation directory
5) Download FFmpeg for Windows (64-bit Shared) from https://ffmpeg.zeranoe.com/builds/
and extract everything from bin to usr\bin in your M-SYS2 installation directory
6) In M-SYS2 shell execute “pacman -S socat”
7) Get GNU Radio Companion (GRC) projects from original telive package at
(only udp or xmlrpc, pipes won’t work)
8) Open whatever GRC project you want to use and edit it:
– Delete the link between (all) Fractional Resampler and UDP Sink
– From the modules on the right (ctrl-f to search) drag CQPSK Demod to project
(If you don’t see CQPSK Demod then you have messed up #2)
– Connect Fractional Resampler -> CQPSK Demod -> UDP Sink
– Change UDP Sink Input Type to Float in its properties
– Save

1) Open GRC project of your choice (already with the CQPSK Demod box)
2) Use the Project/Execute to run the project from the GRC
– OR -
If you had headless (without GUI) project, use Project/Generate option
to generate top_block.py file in the GRC project directory.
Then open GNURadio Command Prompt from Start menu, the use this command
c:\Program Files\GNURadio-3.7\gr-python27\python.exe -u c:\path\to\grc\project\top_block.py
This will enhance performance.
3) Open new M-SYS2 shell for every channel in that project and execute
command “receiver1udp X” where X is the number of each channel in GRC project
4) Open new M-SYS2 shell, resize it to 203×60 and execute:
– cd /tetra/bin
– ./rxx OR ./rxx_xmlrpc (if you are using XMLRPC GRC project)
You can edit these files to match your preferences
5) That’s it, should work.

Note that we have not tested this out ourselves yet and can’t guarantee the file safety or that it works, but we have no reason to believe that it wouldn’t be safe or not work.

TETRA Decoding (with telive on Linux)
TETRA Decoding (with telive on Linux)

Version 2.6 of GQRX Released

Version 2.6 of the popular SDR program GQRX has just been released (changelog). GQRX is a general signal browsing program similar to programs like SDR#, HDSDR and SDR-Console. However GQRX is designed to run on Linux, MacOS and Raspberry Pi 2 & 3. Note that v2.6 is still a work in progress for MacOS. Apart from the new features and bug fixes, one of the major improvements appears to be reduced CPU usage, meaning that it should run better on older PCs. The changelog is pasted below:

New features

  • 1-2-5 scaling on FFT axis.
  • Audio waterfall.
  • Remember AGC settings between sessions.
  • Right-click on FFT resets frequency zoom.
  • Separate dB ranges for pandapter and waterfall.
  • Raw I/Q mode.
  • Portaudio support.
  • Command line option to set Qt style (fusion, windows, …)
  • Binary packages for Raspberry Pi 2 and 3 (see below)

Bugs fixed

  • Stuttering audio with Pulseaudio backend.
  • Use system font on FFT plot (too small font on high res displays).
  • Broken FUNcube Dongle Pro+ support on Mac OS X 10.11.4.
  • Correct display of negative offsets between -1 and 0 kHz.
  • Reset frequency digits below the one that is being changed.
  • LNB LO could not be set from I/O configuration dialog.
  • Update squelch level when switching between demodulators.
  • Set correct filter range when loading bookmark.
  • White area on waterfall.
  • RFSpace Cloud-IQ support on Mac OS X, RPI binaries and in PPA.

Miscellaneous improvements

  • Input decimator performance.
  • SDRPlay integration through SoapySDR.
  • Only probe for devices when the program is started.
  • Allow user to enter ALSA device name.
  • Set default audio FFT range to -70…0 dB.
  • Restore audio FFT dB scaling between sessions.