KrakenSDR: Passive Radar Demonstration

KrakenSDR is a 5-tuner coherent software defined radio based on RTL-SDR. It is the successor to the KerberosSDR and will be crowdfunded on Crowd Supply in a couple of months time. Please sign up to the KrakenSDR Crowd Supply mailing list to be notified as soon as the campaign begins.

The KrakenSDR (prototype - enclosure may change slightly)

Passive Radar uses existing FM, TV or mobile phone transmitters. The signal from these transmitters reflects off objects such as road vehicles and aircraft. By using two antennas on two receive channels, and an algorithm to compare the reflected signal against a clean reference copy of the actual signal, we can achieve a radar like display of bi-static range vs doppler speed.

In this test KrakenSDR is used as a two antenna passive radar system. The reference antenna points towards a horizontally polarized 620 MHz DVB-T transmitter, and the surveillance antenna points towards an Airport.

Passive Radar setup with two TV Yagis

Reflections of aircraft and road vehicles can be seen on the map as red dots/trails. Notice how we can also determine the overall neighborhood activity of road vehicles as we pointed out in a previous KerberosSDR post.

Of note is that we've placed the surveillance antenna in a vertically polarized configuration. With passive radar you want to keep the reference signal out of the surveillance channel, as ideally the surveillance channel only receives the reflections. Using the surveillance antenna in vertical polarization achieves 20dB attenuation of the horizontally polarized DVB-T signal. The reflections are assumed to be randomly polarized, so the vertically polarized antenna should pick up the reflection just the same no matter what polarization is used. This scheme woks especially well in our setup as the angle between the reference transmitter and target reflected objects is small.

This test uses the older KerberosSDR code (slightly modified to allow for trails), however new passive radar code is being worked on for the new KrakenSDR code base which will be released later this year. We expect the new code to also be able to make use of GPU accelerated CUDA hardware, such as the NVIDIA Jetson. This will allow for a much faster update rate and/or more processing gain.

The new KrakenSDR code will also try to make use of the additional three unused channels. With these extra channels we should be able to add a direction finding array that will help to plot on a map the actual location and elevation of the reflections.

KrakenSDR Passive Radar Demonstration 1

Frugal Radio: Monitoring General Aviation VHF Communications

Rob from Frugal Radio has recently uploaded the next part his airband monitoring series. This episode covers the topic of monitoring General Aviation communications, which consists of communications with non-military and non-airline aircraft.

In the video Rob discusses what you might hear on general aviation channels, including things like parachuters, news helicopters, air ambulances, police aircraft, aerial surveyors, ultralights, aerobatics, flight training, private and corporate, and sightseeing. He then discusses the various frequencies in use in Canada, North America and the UK.

Monitoring General Aviation Communications in VHF Air Band

STARWAVES DRM SoftRadio: A new Android DRM Decoder for RTL-SDR, Airspy, SDRPlay

A new RTL-SDR compatible DRM decoding Android app called "STARWAVES DRM SoftRadio" has recently been released on the Google Play store for US$5.49, and on Amazon DE for EUR4.49. The author notes that a Windows version will also be published soon. Digital Radio Monodial (DRM) is a type of digital audio shortwave radio signal that is used by some international shortwave radio broadcasters.

The STARWAVES DRM SoftRadio allows you to conveniently enjoy any DRM live radio broadcast on your Android smartphone or tablet. No Internet connection required. All you need is an SDR RF dongle or receiver connected to your device via USB.

DRM or Digital Radio Mondiale is the global digital radio standard used for all digital international transmissions as well as for national and local services in many countries. To learn more about DRM and its features visit

The STARWAVES DRM SoftRadio is designed for ease-of-use and supports all core features of the DRM standard:

  • Listener-centric and easy to navigate app design and user interface
  • Multiple user interface languages. Currently supported: English, German, Simplified Chinese
  • Convenient frequency tuning and DRM Service selection
  • DRM Service labels and graphical service logos
  • Full service metadata: programme/app type, language, country of origin, etc.
  • All standardized DRM audio codecs incl. xHE-AAC with optimized tune-in performance for a quick start of audio playback
  • Journaline, DRM’s advanced text application, allows to interactively browse through latest news, sports and weather updates, programme background information and schedules, distance learning/RadioSchooling text books, travel information, and much more
  • Full Journaline feature set including hot-button interactivity, geo-references and embedded/linked images
  • Convenient and fast Journaline information access with update notifications for page-content (and automatic updates for menus), as well as persistent caching for instant content access when switching between DRM services
  • DRM text messages incl. DL+ support
  • Slideshow images
  • Unicode support for all textual elements: service labels, text messages, Journaline
  • DRM EWF – Emergency Warning Functionality within the DRM transmission: in case of an emergency alarm signal, automatically re-tunes from the current service to the emergency programme; presents the emergency audio along with multi-lingual Journaline content to provide in-depth instructions with interactive access and to serve non-native speakers or hearing impaired users

In addition, STARWAVES DRM SoftRadio is designed for maximum tuning flexibility and performance:

  • Free tuning to any DRM broadcast frequency
  • Supports all DRM frequency bands – from the former AM bands (LW/MW/SW) to the VHF bands (including the FM band), depending only on RF dongle functionality
  • Supports all DRM robustness modes (A-E), modulation parameters and on-air signal bandwidths
  • Optimized frequency tuning and re-sync performance
  • Graphical spectrum view to check the signal on the tuned frequency

For live reception, an SDR RF dongle must be connected to the device’s USB port (with USB host functionality). The following SDR RF dongle families are currently supported, along with a range of specifically tested models:

  • Airspy HF+ family: Airspy HF Discovery, Airspy HF+ (Dual Port). (Note: Airspy Mini and R2 are NOT supported.)
  • SDRplay family: SDRPlay RSP1A, SDRPlay RSPdx, SDRPlay RSPduo, SDRPlay RSP1, SDRPlay RSP2, SDRPlay RSP2pro, MSI.SDR Panadapter (Note: SDRPlay family support on Android is currently limited to the 32-bit version of this app.)
  • RTL-SDR family: The experimental support for RTL-SDR based RF dongles requires that you manually start the following separate tool before opening this app (on standard port '14423'): The app 'SDR driver' can be installed from the Google Play Store and other Android app stores.
Starwaves DRM Decoder App Screenshots

Feeding Audio from SDR# To Multiple PCs over TCP

Thank you to M Khanfar for submitting his latest video that shows us how to use a launcher that he's created called "GUI SDR TCP STREAMER" (which is actually a combination of several freeware Windows programs including Advanced IP Scanner and TCP Streamer) to stream demodulated audio from SDR# to other PCs over a network connection.

TCP Streamer takes the audio from SDR# via VB-Cable, streams it over TCP to the client PC, then plays the audio on the client side speakers. We note that TCP Streamer should also work with any other SDR program that can output audio to VB-Cable.

SDR Audio TCP Streamer

DragonOS: Now with RF Propagation and Calculation Tool

DragonOS is a ready to use Ubuntu Linux image that comes preinstalled with multiple SDR software packages. In the recent R14 Preview update, Aaron, the creator of DragonOS has added a new very useful RF propagation and calculation tool. The tool works in conjunction with elevation data to calculate the theoretical signal propagation of a transmitter.

The tool is provided by the open source Signal Server software package, which is based on the original SPLAT! software by John Magliacane (KD2BD). Aaron has also provided a video that demonstrates the software in action, shows how to use it, and explains his future plans for making it easier to use.

This video is a preview of a new RF Propagation and Calculation feature provided by Signal Server. Additionally, custom web server scripts by Dr. Bill Walker, will also be included in DragonOS Focal R14 in the near future. There's a lot of moving parts, but once complete, all you "should" have to do is download, convert, and place the SRTM elevation data for the areas needing coverage calculations in the /usr/src/SDF directory. In the meantime, I'd recommend reading up on all the below material. I've been reading a lot and still don't understand it all!

DragonOS Focal R14 Preview w/ Signal Server + RF Propagation Web Server (SPLAT!, Dr. Bill Walker)

Two reviews of our new L-Band Patch Antenna + Stock Update

Last month we released our new L-band active patch antenna for sale, and not too long after we had a review from Frugal Radio praising it. We now have two more YouTube reviews available to share.

The first is from Tech Minds who does a teardown and demonstrates it receiving and decoding the Inmarsat STD-C NCS channel, receiving and decoding GPS and receiving Iridium signals. The second is from Mike Ladd from SDRplay, who tests it with an SDRplay RSP1A software defined radio. He shows that the patch works perfectly with an RSP1A, and demonstrates it receiving and decoding STD-C while mounted on the dash of his vehicle.

L-Band Patch Stock Availability Note: We note that we are already close to selling out of the first batch of these units as they sold much faster than expected! New sales of this patch are currently backordered but we expect to have a few more units from this first batch available by the end of next week. Also the freighter with Amazon USA stock should be arriving any day now, but it could still take a few weeks to get through the port and reach the warehouse due to the current port delays.

The second production batch of this antenna might still be a while away due to the electronic component shortage crisis occurring now, so if you were thinking about picking one up, please order ASAP.

RTL-SDR BLOG L-BAND Patch Antenna Version 2 - Inmarsat - Iridium - GPS

SDRplay RSP1a - RTL SDR Blog L-Band Patch antenna

Smart Meter Hacking Hack Chat to be held April 14 Noon Pacific Time

In the last post from a couple of days ago we posted about RECESSIM's YouTube series about smart meter hacking. Hackaday have noted that Hash, the security researcher behind the RECESSIM channel will be hosting a Hack Chat on April 14 noon pacific time. If you're unfamiliar with them, hack chats are live chat events where you can chat directly with an expert on a particular topic.

That electrical meter on the side of your house might not look like it, but it's pretty packed with technology. What was once a simple electromechanical device that a human would have to read in person is now a node on a far-flung network. Not only does your meter tote up the amount of electricity you use, but it also talks to other meters in the neighborhood, sending data skipping across town to routers that you might never have noticed as it makes its way back to the utility. And the smartest of smart meters not only know how much electricity you're using, but they can also tease information about which appliances are being used simply by monitoring patterns of usage.

While all this sounds great for utility companies, what does it mean for the customers? What are the implications of having a network of smart meters all talking to each other wirelessly? Are these devices vulnerable to attack? Have they been engineered to be as difficult to exploit as something should be when it's designed to be in service for 15 years or more?

These questions and more burn within Hash, a hardware hacker and security researcher who runs the RECESSIM reverse-engineering wiki. He's been inside a smart meter or two and has shared a lot of what he has learned on the wiki and with some in-depth Smart Meter Hacking videos. He'll stop by the Hack Chat to discuss what he's learned about the internals of smart meters, how they work, and where they may be vulnerable to attack.

Reverse Engineering Wireless Mesh Smart Meters with Software Defined Radio

Over on YouTube channel RECESSIM has uploaded a three part series on reverse engineering smart utility meters. In many locations wireless mesh smart electricity meters are installed in houses allowing for completely wireless monitoring. These mesh network devices pass the wireless data from meter to meter until the data reaches a router that is typically placed on a neighborhood power pole.

In the first video Recessim explains how a smart meter mesh network works, and demonstrates signal reception in the 900 MHz band with a USRP B200 software defined radio.

In the second video he demonstrates how he can see meter ID and power outage information from Oncor meters, explains his GNU Radio flowgraph setup and goes on to explain how he reverse engineered the data packets.

Finally in the third video he performs a few teardowns of smart meters he found on eBay, and shows his reverse engineering setup with a faraday cage. More videos are likely to be on the way, so you might want to consider subscribing to his channel for updates. Recessim is also diligently recording all the information he's discovered about the meters on his Wiki.

Smart Meter Hacking - Episode 1