Over on YouTube user Cameron Conover has been testing a simple FM broadcast bandstop filter with his HackRF. The same filter can just as easily be used with the RTL-SDR to remove broadcast FM interference and images. Cameron uses a MCM Electronics 88 – 108 MHz FM Trap which can be found very cheaply on Amazon or Ebay for around $15 USD. His video shows that the FM trap works very well and significantly reduces out of band FM interference.
Some car security systems from around 2001 – 2003 use an embedded RFID tag inside the car key as an added security measure against key copying. Using his HackRF, ChiefTinker was able to analyse and decode the data from an active RFID token used in a car key. He notes that the same analysis could also be performed with an RTL-SDR dongle.
Upon powering the RFID tag with a power supply, ChiefTinker noticed that the tag emitted a short transmission every 5 seconds in the ISM band at 433.920 MHz. On closer inspection he determined that the transmitted data was encoded with a simple AM on-off keying (OOK) scheme. After importing the audio into Audacity and cleaning up the signal a little, he was able to clearly see the OOK square wave showing the transmitted binary data.
Next he analysed the data and compared the binary output against two different RFID keys. From the comparison he was able to determine that the tag simply beacons a unique serial number, which is susceptible to capture and replay attacks. After further processing he was able to convert the transmitted binary serial number into hexadecimal, then ASCII to find the unique serial number being broadcast in decimal.
The Meteor-M N2 is a polar orbiting Russian weather satellite that was launched on July 8, 2014. Its main missions are weather forecasting, climate change monitoring, sea water monitoring/forecasting and space weather analysis/prediction.
The satellite is currently active with a Low Resolution Picture Transmission (LRPT) signal which broadcasts live weather satellite images, similar to the APT images produced by the NOAA satellites. LRPT images are however much better as they are transmitted as a digital signal with an image resolution 12 times greater than the aging analog NOAA APT signals. Some example Meteor weather images can be found on this page and the satellite can be tracked in Orbitron or online.
The RTL-SDR and other SDRs like the Funcube along with some free software can be used to receive and decode these images. LRPT images from the Meteor-M N2 are transmitted at around 137.1 MHz, so any satellite antenna like those commonly used with the NOAA weather satellites can be used.
Happysat, a satellite monitoring enthusiast has emailed us with a comprehensive tutorial showing how the RTL-SDR can be used to receive and decode these LRPT images (pdf warning) (txt file). The procedure is not quite as simple as with the NOAA satellites as it involves first pre-recording the transmission as a baseband I/Q file in SDR#, changing the sample rate in Audacity, processing the file with the Lrptrx.exe software, and then using Oleg’s LRPToffLineDecoder to finally produce the image.
The tutorial also shows an alternative and faster Linux based method using some GNU Radio scripts, but with the final processing still done with Oleg’s decoder in Windows.
In this episode of Hak5, a popular YouTube technology channel, Shannon shows how to use the RTL-SDR on Debian Linux. She shows how to install the RTL-SDR drivers from scratch if using a distribution without them pre-installed and also shows how to install and use rtl_fm, a command line FM demodulator.
Recently two new SDR# plugins have just been released.
The first is a plugin which shows the name and language of the shortwave station that is currently tuned in using data from short-wave.info. It can be downloaded from http://sourceforge.net/projects/sdrsharpshortwaveinfoplugin/.
The second plugin is a Digital Code Squelch (DCS) decoder plugin. The plugin will display the DCS codes that are transmitted with the signal and will display all possible compatible codes. DCS is a squelching system similar to CTCSS which allows for radio user sharing by ensuring that radio users are not bothered by communications not intended for them. The DCS Decoder plugin can be downloaded from http://www.rtl-sdr.ru/page/novyj-plagin-dcs-decoder (note page in Russian).
SDR Touch, the popular Android based software defined radio software for the RTL-SDR has been updated to version 2.0. This new version is a complete rewrite with many optimizations listed below.
- 100% rewritten from scratch
- Improved reception sensitivity and quality
- Optimized engine
- GUI overhaul (Landscape mode, more flexible)
- 16 bit audio
- FIR filtering
The author also writes that the rewrite allows for new features coming out in the future such as adjustable bandwidth, FFT size, plugins and a separate GUI for in-car use. SDR Touch is available from the Android Play store.
The R820T is the tuner chip that is used in the most popular RTL-SDR dongles. It turns out that there is also an R820T2 tuner chip available, but it does not seem to be used in any RTL-SDR dongles that we know of. According to superkuh’s RTL-SDR notes, the R820T2 has better sensitivity over the R820T with an apparent 6dB lower noise floor. It also has a wider IF bandwidth which makes no difference to the RTL-SDRs 3.2 MHz maximum bandwidth, but is why the Airspy with its 10 MHz of bandwidth is using the R820T2 in its design.
Nobu an RTL-SDR experimenter who had previously experimented with dongles retrofitted with TCXO’s has now retrofitted a standard RTL-SDR dongle with an R820T2 tuner chip (note that this post is in Japanese). The Google translation of this post is a little to difficult understand, but it seems that Nobu did notice an improvement due to the lower noise floor. If anyone can understand Japanese we’d appreciate confirmation on this in the comments.
Over on the Reddit discussion boards user gat3way has posted about his newly released software project called swscan. Swscan is a Linux console based program that can be used to scan and listen to shortwave broadcast stations. It has a built in database of shortwave station frequencies as well as their broadcast schedules and it will even show you the stations power level and distance you are from the transmitter. Swscan is based on GNU Radio 3.7, so you will need to have that installed first.
As shortwave stations exist at frequencies below the normal tuning range of the RTL-SDR, you will need an upconverter or be using the latest R820T experimental driver which can tune down to around 1 MHz.
Swscan can be downloaded from http://www.gat3way.eu/poc/swscan.tgz.
There is a war going on between game console designers and the console modding community. Modders hack the console system so that they can jailbreak it and then install their own custom firmware while console designers are constantly finding new ways to prevent unauthorized modding. Custom firmware allows a console to run homebrew applications like media players and emulators that use the console in ways that is was not intended to be used in.
One PlayStation 3 modder has recently been using an RTL-SDR to help jailbreak a PlayStation 3 Super Slim (4K) console, whose current official firmware appears to not yet have been jailbroken. It’s important to note that so far no actual jailbreaking has been done with this method, but the modder is currently working on it. His idea is to receive leaked RF signals from the PS3 and then use methods similar to Acoustic Cryptoanalysis to decode the data and find out what opcode operations the processors are performing. The modder writes about his method in the following.
My idea was to hook up a rtl-sdr device to the PS3 4k between chassis and real ground (yes, I actually have a two meter copper rod buried in my lawn) using the antenna leads. First I had to make sure the PS3 4k chassis wasn’t grounded in the outlet, and that no video out or USB connector was hooked up to ground indirectly via other hardware. If you want to try this, make sure that the rtl-sdr antenna leads are the only lead between the PS3 mobo/chassis and real ground. Before connecting the rtl-sdr antenna leads I measured the voltage on the PS3 chassis which peaked at around 1.8V which was safe enough, didn’t want to blow it up on the first try.
This method will effectively turn your console into an “active antenna” leaking all kind of interesting data on the rtl-sdr frequency spectrum (between 24 – 1766 MHz). After hooking it up, I started using gqrx on my laptop to look for signal peaks while the PS3 4k was turned on, after finding a peak I just powered off the PS3 completely and turned it back on, using the waterfall plot you’ve seen in my first post I can see if there is something interesting happening during boot and verify that the signal is indeed coming from the PS3. In a similar way I learned to distinguish between the PS3 BD drive, GPU and CPU which pops up at different frequencies. Then I dumped the data (I/Q recording) that looked interesting and made a note of the frequency.
It’s hard to describe the incredible feeling when you tune into a good signal and start watching the waterfall plot revealing opcodes, register bits and what might be stack contents. The Acoustic Cryptoanalysis paper (PDF) has a lot of good info how to interpret the output from various window functions in the plot.
What I’m coding right now is a gnuradio-companion block which will filter and test the dumped data for decryption keys against encrypted PS3 data.
Over on the Osmocom mailing list, Oliver Jowett an RTL-SDR experimenter has posted about his new experimental driver for the R820T RTL-SDR which extends the tunable range down to around 13 and up to 1864 MHz (previously 24 – 1766 MHz). Oliver writes
You can get these changes from https://github.com/mutability/rtl-sdr/(you’ll need to build from source yourself). There should be no application changes needed, just tune as normal. (gqrx needs the “no limits” option turned on)
These changes work by limiting the tuner to a range of frequencies that it can reliably tune to, then allowing tuning beyond those bounds by making the 2832’s downconverter do the final bit of tuning. This can add up to 14.4MHz to each end of the range. Also, the tuner is switched to low-side mixing at the top of the range which gives a bit more range there. The practical range is limited by the width of the IF filter and aliasing effects at the extreme edges of the downconverter’s range.
I’ve been able to pick up broadcast AM and amateur CW/SSB down to around 15.5MHz without too much trouble.
I’d be interested to know how this works for others. Also.. these changes are likely to have broken offset tuning, direct sampling mods, and tuners other than the R820T, as it touches all those areas but I only have an unmodified R820T to test against. If you have different hardware and are willing to spend some time testing then please let me know. I expect that the range of the other tuners can be extended in the same way with not much trouble.
Over on the Reddit RTL-SDR discussion board there has been talk about this patch. Most users are reporting that it works well down to around 15 MHz, but some people are reporting that they have been able to receive signals down to around 4 MHz. Testers also report that this modified driver works much better than the no-hardware direct sampling mod patch released a few months ago.