Listening in to a DECT Digital Cordless Phone with a HackRF

Over on YouTube, SignalsEverywhere (aka Corrosive) has uploaded a new video in which he demonstrates listening in to a DECT digital cordless phone with his HackRF.

DECT is an acronym for 'Digital Enhanced Cordless Telecommunications', and is the wireless standard used by modern digital cordless phones as well as some digital baby monitors. In most countries DECT communications take place at 1880 - 1900 MHz, and in the USA at 1920 - 1930 MHz. Some modern cordless phones now use encryption on their DECT signal, but many older models do not, and most baby monitors do not either. However, DECT encryption is known to be weak, and can be broken with some effort.

In his video Corrosive uses gr-dect2, a GNU Radio based program that can decode unencrypted DECT signals. In the video he shows it decoding a DECT call from his cordless phone in real time.

Demonstration Listening to DECT Phone Call with a HackRF SDR

Building a Carbon Fibre Dual Band Yagi Antenna for Amateur Radio Satellites with 3D Printed Parts for 20€

Back in early 2017 we posted about Manuel's (aka DO5TY / Tysonpower) design for a single band 140 MHz 3D printed carbon fibre Yagi antenna. Today he's submitted a new video about creating a dual band 3D printed carbon fibre cross Yagi antenna for only 20€. Note that the video is narrated in German, but there are English subtitles. He's also uploaded an English text tutorial to his blog, which includes links to the 3D printer STL files.

The antenna is designed to be a low cost replacement for the commonly used Arrow dual band 2m/70cm antenna which is designed for receiving and transmitting to amateur radio satellites. Many amateur radio satellites have an uplink frequency set at around 145 MHz, and a downlink frequency around 435 MHz (and some satellites have the frequencies reversed). So a dual band Yagi is ideal for these satellites. Manuel writes that with his 5W Baofeng handheld he's already made several successful contacts with his new antenna.

Manuel's antenna consists of several 3D printed joints, with a carbon fibre rod used as the main boom. Aluminum rods make up the receiving and transmitting elements. The video also discusses impedance matching and how he uses a diplexer so that only one connection to the radio is required. The advantage of his antenna over the Arrow is that it is significantly cheaper, and also much lighter in weight.

[EN subs]Carbon Arrow Yagi Antenne - leichte Dual Band Yagi für 20€ bauen

Help Track Data from CubeSail with an RTL-SDR

On December 16 Rocket Lab launched 13 new CubeSats into orbit via its Electron rocket, which was launched from New Zealand. One of those CubeSats is "CubeSail", which is a set of two satellites that aims to deploy a 260 m long solar sail between the two.

CubeSail is a technology demonstration by CU Aerospace which shows the viability of solar sail propulsion for deep space missions. It was built and is operated by students at the University of Illinois at Urbana-Champaign through the Satellite Development, or SatDev student organization.

Over on Reddit, one of the engineers working on the CubeSail project has put out a request for help receiving and uploading any telemetry that you receive from the CubeSail satellite. Currently they only have one ground station, which makes monitoring the satellite difficult as they can only collect data when it is passing overhead. By enlisting the help of radio enthusiasts from around the world they hope to gather more data. He writes:

Hello amateur radio enthusiasts! I'm part of the CubeSail mission, one of the 13 satellites deployed early this morning (2018/12/16) from RocketLab's Electron rocket.

The reason why I'm posting is that we need your help! We're trying to gather as much data as possible from the beacons, but only have one groundstation at the moment. I've put together a little Python script which can be used to decode the data, so if you're interested and willing to help out a bunch of eager fellow space enthusiasts to get some data, please try and get a packet or two!


Here's the information you need to know (let me know if I'm missing anything):

Frequency: 437305 kHz

Modulation: GFSK (G3RUH scrambling)

Bandwidth: 15kHz

Callsign: WI2XVF

Link Layer: AX.25/HDLC

Baud Rate: 9600

TLE:

cubesail_temp
1 99999U          18350.31100694  .00048519  00000-0  21968-2 0 00004
2 99999 085.0351 178.2861 0013006 291.7248 120.7146 15.20874873000012

Here's a link to the decoder, it runs in Python 3: https://github.com/ijustlovemath/cubesail-decoder

According to the information, a 437 MHz antenna is required, and it will most likely need to be a directional antenna that is hand or motor tracked. Some SatNOGS ground stations are already receiving and recording CubeSail data too.

An artist's rendition of the CubeSail solar sail deployment

Some tips on using DSD+ and SDR# to Listen to DMR Digital Voice

Over on YouTube user knoxieman has uploaded a video that provides a few tips on using DSD+ and an RTL-SDR for listening to DMR digital voice signals. The video is designed as a companion to Tech Minds' video which shows a full set up procedure for DSD+.

Knoxieman's video includes some tips on SDR# settings, virtual audio cable setup, and using a program called "DisplayFusion" to keep the DSD+ event windows permanently on top of the SDR# window. 

Tips on using SDR Plus and DSDPLUS to listen to DMR/DIGITAL conversations.

Using an RTL-SDR and RPiTX to Unlock a Car with a Replay Attack

Over on YouTube user ModernHam has uploaded a video showing how to perform a replay attack on a car key fob using a Raspberry Pi running RPiTX and an RTL-SDR. A replay attack consists of recording an RF signal, and then simply replaying it again with a transmit capable radio. RPiTX is a program that can turn a Raspberry Pi into a general purpose RF transmitter without the need for any additional hardware.

The process is to record a raw IQ file with the RTL-SDR, and then use RPiTX V2's "sendiq" command to transmit the exact same signal again whenever you want. With this set up he's able to unlock his 2006 Toyota Camry at will with RPiTX.

We note that this sort of simple replay attack will only work on older model cars that do not use rolling code security. Rolling code security works by ensuring that an unlock transmission can only be utilized once, rendering replays ineffective. However, modern rolling code security systems are still susceptible to 'rolljam' style attacks.

In the video below ModernHam goes through the process from the beginning, showing how to install the RTL-SDR drivers and RPiTX. Near the end of the video he shows the replay attack in action.

Unlock Cars with a Raspberry Pi And SDR - Replay attack

RTL-SDR Retrogram: ASCII Art Spectrum Analyzer

Over on GitHub, Rakesh Peter (r4d10n) has uploaded a new terminal/ssh based console application called "retrogram~rtlsdr". This program uses an RTL-SDR and terminal window to display a spectrum analyzer drawn in ASCII art. Because it is terminal based, it is even possible to view the spectrum of a remote device over an SSH connection. The program is based on software designed for Ettus USRP SDRs, and has been adapted for RTL-SDR.

For other SDRs r4d10n has also worked on a "retrogram~soapysdr" version which should work with any SoapySDR compatible SDR, and "retrogram~plutosdr" for PlutoSDR SDRs.

Running RTL-SDR Android Apps on an Android TV Box

Thank you to Giuseppe (IT9YBG) who just wanted to write in and note that Android TV boxes are an excellent computing platform for RTL-SDR dongles. They allow you to monitor frequencies or listen to DAB music directly from a TV, and at the same time there is no need to worry about battery consumption.

Giuseppe notes that using an Android TV box for SDR is as simple as installing the Martin Marinov Android RTL-SDR drivers from the Google Play store, and then downloading the SDR apps that interest you. No extra USB OTG cable is required, just plug the dongle into the back of the device. In his post he shows screenshots from apps like SDRTouch, welle.io DAB+, RTL-SDR AIS and SDRoid all running smoothly on his Android TV box.

With a system like this it is probably also a good idea to connect a wireless keyboard/mouse combination to a USB port as well.

RTL-SDR V3 running on an Android TV Box

Using a 25 Meter Radio Dish and an RTL-SDR as a SatNOGS Ground Station

SatNOGS is an open source project that aims to make it easy for volunteers to build and run RTL-SDR or other SDR based RF ground stations that automatically monitor satellites, and upload that data to the internet for public access. The antennas used in a typical home based SatNOGS station are small enough for a single person to handle, however recently the SatNOGS team have been working on setting up a monitoring station at the Dwingeloo Radio Observatory in the Netherlands.

Dwingeloo has a large 25 meter satellite dish antenna, and they connect it to an RTL-SDR on a laptop running the SatNOGS software. In the video they show it tracking the PRISM amateur radio satellite, and note that this large dish will only be used in special circumstances. They write:

This week the Dwingeloo Radio Observatory tested their 25 meter dish as a SatNOGS station! Although not set up as a permanent SatNOGS station it is great to see this historic observatory linked to the network. Dwingeloo radio observatory was built between 1954 and 1956 near the village of Dwingeloo in the Netherlands. Since 2009 this single 25 meter dish has been a national heritage site.

Dwingeloo Radio Observatory as a SatNOGS 📡 station

Dwingeloo Satellite Antenna in the Netherlands [Source: Wikipedia]