SDR Touch, the popular Android based software defined radio software for the RTL-SDR has been updated to version 2.0. This new version is a complete rewrite with many optimizations listed below.
100% rewritten from scratch
Improved reception sensitivity and quality
GUI overhaul (Landscape mode, more flexible)
16 bit audio
The author also writes that the rewrite allows for new features coming out in the future such as adjustable bandwidth, FFT size, plugins and a separate GUI for in-car use. SDR Touch is available from the Android Play store.
The R820T is the tuner chip that is used in the most popular RTL-SDR dongles. It turns out that there is also an R820T2 tuner chip available, but it does not seem to be used in any RTL-SDR dongles that we know of. According to superkuh’s RTL-SDR notes, the R820T2 has better sensitivity over the R820T with an apparent 6dB lower noise floor. It also has a wider IF bandwidth which makes no difference to the RTL-SDRs 3.2 MHz maximum bandwidth, but is why the Airspy with its 10 MHz of bandwidth is using the R820T2 in its design.
Nobu an RTL-SDR experimenter who had previously experimented with dongles retrofitted with TCXO’s has now retrofitted a standard RTL-SDR dongle with an R820T2 tuner chip (note that this post is in Japanese). The Google translation of this post is a little to difficult understand, but it seems that Nobu did notice an improvement due to the lower noise floor. If anyone can understand Japanese we’d appreciate confirmation on this in the comments.
Over on the Reddit discussion boards user gat3way has posted about his newly released software project called swscan. Swscan is a Linux console based program that can be used to scan and listen to shortwave broadcast stations. It has a built in database of shortwave station frequencies as well as their broadcast schedules and it will even show you the stations power level and distance you are from the transmitter. Swscan is based on GNU Radio 3.7, so you will need to have that installed first.
As shortwave stations exist at frequencies below the normal tuning range of the RTL-SDR, you will need an upconverter or be using the latest R820T experimental driver which can tune down to around 1 MHz.
There is a war going on between game console designers and the console modding community. Modders hack the console system so that they can jailbreak it and then install their own custom firmware while console designers are constantly finding new ways to prevent unauthorized modding. Custom firmware allows a console to run homebrew applications like media players and emulators that use the console in ways that is was not intended to be used in.
One PlayStation 3 modder has recently been using an RTL-SDR to help jailbreak a PlayStation 3 Super Slim (4K) console, whose current official firmware appears to not yet have been jailbroken. It’s important to note that so far no actual jailbreaking has been done with this method, but the modder is currently working on it. His idea is to receive leaked RF signals from the PS3 and then use methods similar to Acoustic Cryptoanalysis to decode the data and find out what opcode operations the processors are performing. The modder writes about his method in the following.
My idea was to hook up a rtl-sdr device to the PS3 4k between chassis and real ground (yes, I actually have a two meter copper rod buried in my lawn) using the antenna leads. First I had to make sure the PS3 4k chassis wasn’t grounded in the outlet, and that no video out or USB connector was hooked up to ground indirectly via other hardware. If you want to try this, make sure that the rtl-sdr antenna leads are the only lead between the PS3 mobo/chassis and real ground. Before connecting the rtl-sdr antenna leads I measured the voltage on the PS3 chassis which peaked at around 1.8V which was safe enough, didn’t want to blow it up on the first try.
This method will effectively turn your console into an “active antenna” leaking all kind of interesting data on the rtl-sdrfrequency spectrum (between 24 – 1766 MHz). After hooking it up, I started using gqrx on my laptop to look for signal peaks while the PS3 4k was turned on, after finding a peak I just powered off the PS3 completely and turned it back on, using the waterfall plot you’ve seen in my first post I can see if there is something interesting happening during boot and verify that the signal is indeed coming from the PS3. In a similar way I learned to distinguish between the PS3 BD drive, GPU and CPU which pops up at different frequencies. Then I dumped the data (I/Q recording) that looked interesting and made a note of the frequency.
It’s hard to describe the incredible feeling when you tune into a good signal and start watching the waterfall plot revealing opcodes, register bits and what might be stack contents. The Acoustic Cryptoanalysis paper (PDF) has a lot of good info how to interpret the output from various window functions in the plot.
What I’m coding right now is a gnuradio-companion block which will filter and test the dumped data for decryption keys against encrypted PS3 data.
You can get these changes from https://github.com/mutability/rtl-sdr/(you’ll need to build from source yourself). There should be no application changes needed, just tune as normal. (gqrx needs the “no limits” option turned on)
These changes work by limiting the tuner to a range of frequencies that it can reliably tune to, then allowing tuning beyond those bounds by making the 2832’s downconverter do the final bit of tuning. This can add up to 14.4MHz to each end of the range. Also, the tuner is switched to low-side mixing at the top of the range which gives a bit more range there. The practical range is limited by the width of the IF filter and aliasing effects at the extreme edges of the downconverter’s range.
I’ve been able to pick up broadcast AM and amateur CW/SSB down to around 15.5MHz without too much trouble.
I’d be interested to know how this works for others. Also.. these changes are likely to have broken offset tuning, direct sampling mods, and tuners other than the R820T, as it touches all those areas but I only have an unmodified R820T to test against. If you have different hardware and are willing to spend some time testing then please let me know. I expect that the range of the other tuners can be extended in the same way with not much trouble.
Over on the Reddit RTL-SDR discussion board there has been talk about this patch. Most users are reporting that it works well down to around 15 MHz, but some people are reporting that they have been able to receive signals down to around 4 MHz. Testers also report that this modified driver works much better than the no-hardware direct sampling mod patch released a few months ago.
The military air communications monitoring enthusiasts over at milaircomms.com have been using a system involving RTL-SDRs to monitor military air traffic through ADS-B. While military aircraft generally do not transmit GPS position information like commercial aircraft do, they are still able to record live information such as the aircraft’s hex code, registration number, aircraft type, the base station location and a graph of recorded altitudes. They also log all this data showing where military aircraft have been spotted over time.
To receive this information they so far have a network of about 30 volunteers running RTL-SDR based ground stations that use their custom MilAirComms1090 software. If you want to contribute, the software is available for Windows and for Linux/Raspberry Pi.
Since the HackRF was shipped to Kickstarter backers there have been a few new short videos uploaded to YouTube showing some transmit experiments that people have done.
Here YouTube user CFSworks uses his HackRF to record and replay a signal that causes the charge port on his Tesla Model S electric car to open.
HackRF vs. Tesla Model S
In this video YouTube user Chief Tinker shows his HackRF being used to ring his house doorbell.
HackRF Doorbell Replay
In this video YouTube user alaindecarolis uses his HackRF with hackrf_transfer to record and replay a voice signal from a standard Kenwood mobile radio.
HackRF hackrf_transfer test
Here YouTube user Jiao Xianjun shows the program he created that allows someone to send arbitrary Bluetooth Low Energy (BTLE/BT4.0) packets via a HackRF board.
Bluetooth Low Energy, BTLE/BT4.0 Packet Sender. (Software Defined Radio)
Finally this video shows a little public mischievousness with YouTube user sigmounte using his HackRF to turn off certain street lights via the Urban Light Management system which uses simple radio CCIR tones.
Blogger “French Fry Cattaneo” wanted a portable laptop with built in SDR capability. To achieve this he opened up his Panasonic ToughBook CF-30 laptop and embedded an RTL-SDR FubCube dongle into the laptop using the space left by unused expansion ports.
Cattaneo connected the two SDRs to a small hub and soldered the usb hub connections directly onto a laptop USB port. He also installed an external SMA connector for the RTL-SDR and connected the FunCube’s antenna port to a cellular antenna that was built into the laptop.
He notes that there could be RF interference issues from the laptop, but has so far had no trouble receiving the strong signals he is interested in.
To do the exercises in the course you will need a HackRF or other similar SDR radio. Most exercises involving reception only should be compatible with the RTL-SDR with some small modifications relating to things like the changing sample rate.