HydraSDR Preview: A 4x Coherent RTL-SDR for Direction Finding, Passive Radar and more

Over the last few months we've been working on a 4-input coherent RTL-SDR called 'HydraSDR' that is designed to be a low cost way to get into applications such as RF direction finding, passive radar, beam forming and more. It can also be used as a standard 4-channel SDR for monitoring multiple frequencies as well.

Phase coherent RTL-SDRs have been worked on and demonstrated several times over the past few years, but we've been disappointed to find that so far there hasn't been any easy way to replicate these experiments. The required hardware has been difficult to build and access, and the software has been kept as unreleased closed source or has been too complicated to install and use. With HydraSDR we aim to change that by making phase coherent applications easier to access and run by providing ready to use hardware and software.

Thanks to our developer Tamás Peto, a PhD student at Budapest University of Technology and Economics whom we hired via the ad in our previous post, and the Othernet (formerly Outernet) engineering team who are our partners on this project, we've been able to build a working system, and demonstrate coherent direction finding and passive radar working as expected (demo videos below). We plan to eventually release Tamás' code as open source so that the entire community can benefit and build on it. Also if HydraSDR turns a profit, we plan to reinvest some of the profits into continually improving the software and expanding the list of use cases.

At the moment we are finalizing our prototype, and plan to begin final production within the next 2-3 months.

If you have any interest in HydraSDR, please sign up to our Hydra mailing list. This will help us gauge how many units to produce and will affect the final pricing. If you've already signed up to our weekly posts list, please sign up to this list too as it's a different list. Subscribers to this list will be the first to know when Hydra goes on preorder, and the first 100 sales will receive a discounted price. We expect to begin taking preorders in within a month and to ship 1-2 months after preorders begin.

Subscribe to our HydraSDR Announcement

Please select all the ways you would like to hear from RTL-SDR Blog:

You can unsubscribe at any time by clicking the link in the footer of our emails. We use MailChimp as our marketing platform. By clicking below to subscribe, you acknowledge that your information will be transferred to MailChimp for processing. Learn more about MailChimp's privacy practices here.

Direction Finding

HydraSDR can be used to find the bearing towards a signal using it's coherent direction finding capabilities. The software by Tamás currently implements several direction finding algorithms such as Bartlett, Capon, Maximum Entropy (MEM) and MUSIC. In the video below we show a quick test of the direction finding system working with a HackRF being used as a signal source, and four dipole antennas connected to HydraSDR in a linear array. The MUSIC algorithm is used.

HydraSDR Direction Finding Test

In the image below we also attempted to find the direction towards a known TETRA transmitter. We were able to confirm the direction with an Android compass app that points towards the known transmitter location. As the two angles match, we can be confident that Hydra is finding the correct direction to the transmitter.

Finding the direction of a TETRA Transmitter
Finding the direction of a TETRA Transmitter

Passive Radar

HydraSDR can also be used for passive radar. Normal radar systems work by transmitting a pulse of RF energy, and listening to the reflections from objects like planes, cars and ships. Passive radar works by using already existing transmitters such as those for FM/TV and listening for reflections that bounce of objects.

With a simple passive radar system you need two directional antennas and two coherent receivers. One antenna points at the transmitting 'reference' tower, and the other at the 'surveillance' area where you want to listen for reflections. It's important to try and keep as much of the reference signal out of the surveillance antenna as possible, which is why directional antennas like Yagi's are used.

The result is a doppler vs time delay graph, where the reflection of aircraft, cars, ships and other objects can be seen. The doppler gives you the speed of the object relative to your antenna and the transmitting tower, and the time delay gives you the distance relative to your antenna and the transmitter tower.

Below is an example time lapse video of HydraSDR being used for passive radar. The reference antenna points towards a DVB-T transmitter at 588 MHz, and the surveillance antenna overlooks a small neighborhood, with aircraft sometimes flying over. The antennas we used were two very cheap TV Yagis.

You can constantly see the reflections from vehicles at small doppler values (low speeds), and every now and then you see an aircraft reflection which shows up at much higher doppler (speed) and further time delay (distance) points. 

HydraSDR Passive Radar Timelapse Test 1

More information about HydraSDR

HydraSDR includes:

  • 4x Coherent R820T2 based RTL-SDR dongles with standard 24 MHz - 1.7 GHz frequency range
  • On board GPIO switched wide band noise source for sample sync and phase calibration
  • Special phase calibration PCB for 4x inputs. Required to make the Hydra phase coherent.
  • On board USB Hub, so only one USB port is required on the PC
  • Shielded metal enclosure

HydraSDR can also be extended to 8x receivers by daisy chaining two boards together, so that their clocks and noise sources are connected. We've also taken into account undesirable effects such as heat related PLL drift which can be an issue for phase coherence.

At the moment we are also investigating whether singleboard computers like the Raspberry Pi 3 or Tinkerboard can be used, and there will be a header available for powering them via the Hydra PCB.

Once released we plan to have extensive tutorials and documentation that show exactly how to set up and replicate direction finding and passive radar experiments with low cost antennas.

Screenshots of HydraSDR software:

Screenshots of each HydraSDR software screen
Screenshots of each HydraSDR software screen

Remember, if you're interested please sign up to the HydraSDR mailing list for announcements and the chance to get in early with the cheaper first 100 units.

Tweet18
Share38
+1
Email
56 Shares

A Web and RTL-SDR Based Trunking Scanner

During the Cyberspectrum Wireless Village talks a few days ago Gavin Rozzi gave a talk about his online RTLSDR-based trunking scanner website at ocradio.live. Recently he wrote in and wanted to share a little more about his system. He writes:

[The talk focuses] on my experience implementing several open source software packages to create an online RTLSDR-based trunking scanner website, https://ocradio.live/ that serves the part of New Jersey that I live in. Using multiple RTLSDR receiving locations, the site is demodulating, recording, and timeshifting multiple talkgroups of local and state trunked radio systems to create a live streaming service and archive of past scanner calls. Data from the site is also accessible over a REST API and we allow the creation of custom scan lists. My presentation is going to center on the advantages the site has over traditional hardware scanners and some of the technical challenges that we had to overcome to get the project off the ground.

In the Cyberspectrum YouTube video, Gavin's talk starts at around 2:40:22 and his slides are available at https://cyberspectrum23.ocradio.live

OCRadio Streams Screenshot
OCRadio Streams Screenshot
Tweet5
Share23
+1
Email
28 Shares

HDSDR Version 2.80 Beta Released

HDSDR is a popular general purpose multimode program for Windows that supports various SDRs including the RTL-SDR. Version 2.80 (beta) of HDSDR was released a few days ago and brings with it a few GUI and feature updates. An extensive description of the changes can be found in the change log, but briefly the changes are:

  • GUI buttons updated to a more modern and cleaner look
  • Improved friendliness to blind users during IQ recording playback
  • A better IQ file player with the ability to loop over a certain time frame
  • Improved snap to frequency option
  • Improved LO tuning with an "autochange LO if necessary" option
  • The ability to sort IQ recordings by date
  • Ham/broadcast band spectrum identifiers added
  • Ability to import the HFCC frequency list into the frequency manager
HDSDR v2.76a (left) vs. v2.80 (right)
HDSDR v2.76a (left) vs. v2.80 (right)
Tweet6
Share45
+1
Email
51 Shares

Using a HackRF SDR to Withhold Treatment from an Insulin Pump

A MiniMed Insulin Pump

Recently Arstechnica ran a story about how during this August's Black Hat security conference, researchers Billy Rios and Jonathan Butts revealed that a HackRF software defined radio could be used to withhold a scheduled dose of insulin from a Medtronic Insulin Pump. An insulin pump is a device that attaches to the body of a diabetic person and deliveries short bursts of insulin throughout the day. The Medtronic Insulin Pump has a wireless remote control function that can be exploited with the HackRF. About the exploit MiniMed wrote in response:

In May 2018, an external security researcher notified Medtronic of a potential security vulnerability with the MiniMedTM Paradigm™ family of insulin pumps and corresponding remote controller. We assessed the vulnerability and today issued an advisory, which was reviewed and approved by the FDA, ICS-CERT and Whitescope.

This vulnerability impacts only the subset of users who use a remote controller to deliver the Easy Bolus™ to their insulin pump. In the advisory, as well as through notifications to healthcare professionals and patients, we communicate some precautions that users of the remote controller can take to minimize risk and protect the security of their pump.

As part of our commitment to customer safety and device security, Medtronic is working closely with industry regulators and researchers to anticipate and respond to potential risks. In addition to our ongoing work with the security community, Medtronic has already taken several concrete actions to enhance device security and will continue to make significant investments to improve device security protection.

In addition to this wireless hack they also revealed issues with Medtronic's pacemaker, where they found that they could hack it via compromised programming hardware, and cause it to deliver incorrect shock treatments.

Earlier in the year we also posted about how an RTL-SDR could be used to sniff RF data packets from a Minimed Insulin pump using the rtlmm software, and back in 2016 we posted how data could be sniffed from an implanted defibrillator.

Tweet21
Share55
+1
Email
76 Shares

Building a Tracking Mount for HRPT Weather Satellite Reception Part 2

Earlier this month we posted about The Thought Emporium who uploaded a video to YouTube where they documented the first steps of their construction of a tracking mount for a 2.4 GHz grid WiFi dish which they intend to use for HRPT weather satellite reception.

If you didn't already know, receiving HRPT weather satellite signals is a little different to the more commonly received NOAA APT or Meteor M2 LRPT images which most readers may already be familiar with. HRPT is broadcast by the same NOAA satellites that provide the APT signal at 137 MHz, but is found in the L-band at around 1.7 GHz. The signal is much weaker, so a high gain dish antenna with motorized tracking mount, LNA and high bandwidth SDR like an Airspy is required. The payoff is that HRPT images are much higher in resolution compared to APT.

In this video they document the steps required to finish the physical build and add the electronics and motors required to control and move the dish. The final product is a working tracking mount that should be able to track the NOAA satellites as they pass over. In the next video which is not yet released they plan to actually test reception.

DIY Satellite Tracker/Radio Telescope - Part 2

Tweet8
Share15
+1
Email
23 Shares

CyberSpectrum Special: DEF CON Wireless Village Talks now Live

Cyberspectrum #23 is now live and can be viewed via the YouTube live stream below. It should be available for delayed viewing after the event as well. The talks include SDR and radio related topics on subjects such as:

  • HAARP ionosphere research
  • An open source implementation of DVB-S2 and DVB-S2X for both satellite and terrestrial amateur radio use
  • An open source SpyServer based tool for automatically demodulating/recording and parsing RF data
  • Reverse engineering X-Band satellites
  • An RTL-SDR powered web based trunking scanner with timeshifting capabilities.

Cyberspectrum Special: DEF CON Wireless Village

Since out last post previewing the event, some new talks have been added, and we've posted the line up and info below.

At this years DEFCON conference SDR evangelist Balint Seeber will be hosting Cyberspectrum #23. DEFCON is a yearly conference with a focus on hacker topics, which often include SDRs and other radio topics too. This years conference will be help on August 9 - 12 a Caesars Palace & Flamingo in Las Vegas. Cyberspectrum is an almost monthly meetup of SDR enthusiasts and researchers that is normally held in the San Francisco Bay Area, but often hosts remote speakers via teleconference. This months meetup will be held at DEFCON on August 9, hosted by the Wireless Village.

Chris Fallen, Ph.D. (@ctfallen): "Opportunities for radio enthusiasts and heaters of the ionosphere: HAARP is just another instrument, or is it?"

Preview of a future #cyberspectrum talk: Background of passive and active ways to get involved with HAARP experiments (and perhaps with other natural natural ionosphere events) based on prior and ongoing work.

Michelle Thompson (@abraxas3d): "ORI and Phase 4 Ground" (https://phase4ground.github.io/)

Open Research Institute (ORI) is a new non-profit research and development organization which provides all of its work to the general public under the principles of Open Source and Open Access to Research.

One of our projects is called Phase 4 Ground. Our mission is to provide an open source implementation of DVB-S2 and DVB-S2X for both satellite and terrestrial amateur radio use. Phase 4 Ground radio system has a 5GHz uplink and a 10GHz downlink. We are developing SDR software that heavily leverages IP multicast and RTP protocols to set up and tear down distributed remote radio functions.

The reference designs are in GNU Radio and we will provide recipes for as many SDRs as possible.

Phase 4 Ground radios are intended to be reusable and reconfigurable, supporting payloads at GEO (AMSAT Phase 4B), HEO (AMSAT Phase 3E), and beyond (such as NASA's Cube Quest Challenge). Additionally, our radios will work as terrestrial microwave stations. These 'Groundsats' on mountaintops or towers establish a fun and flexible digital microwave experience. If you want to build up your radio from SDRs, you can. If you want to build it entirely from scratch, then you can. Our manufacturing partner for an off-the-shelf design is Flex Radio.

Lucas Teske (@lucasteske): SegDSP SpyServer Segment Digital Signal Processor

SegDSP is a WIP "Segment Digital Signal Processor" that is tuned for connecting into a SPY Server and do automatically demodulation/recording/parsing of RF data. This talk will be about what it does today, how was the development, how it works, how it will work and what are the uses for it. Tired of losing the pass of a LEO satellite? Want to hear the recording from last week? SegDSP is a Open Source tool made in Go for both learning and monitoring Satcom and Terrestrial Com.

Luigi Freitas (@luigifcruz): "Reverse Engineering X-Band Satellites Datalink And The Worst Software Defined Radio Ever"

This talk will be about the reverse engineering process of the next generation X-Band datalink signal on-board of Sun Synchronous Satellites like Suomi (NPP) and NOAA-20 (NPOESS/JPSS-1). From the RAW I/Q recording to the decompressed high-resolution Earth pictures. This is the latest addition to the Open Satellite Project, a non-profit organization that is committed to develop and publish software tools and hardware projects that enable the Open-Source Community to access spacecraft non-sensitive data.

The other half (or so) of this talk will be about the “Worst SDR Ever” that is made entirely of dirty cheap parts readily available from China. This project is intended to demonstrate how a Software Defined Radio works utilizing real hardware and comprehensive modular software.

Gavin Rozzi (@gavroz): "OC Radio Live" (https://ocradio.live)

An online trunking scanner website with time shifting capabilities covering New Jersey powered by the RTLSDR and open source software.

Tweet16
Share10
+1
Email
26 Shares

Decoding a Moon Orbiting Satellite 378500 km’s away with an RTL-SDR

Thanks to IU2EFA (William) for writing in and letting us know about his success in decoding telemetry from the moon orbiting satellite known as DSLWP-B / LONGJIANG-2. LONJIANG-2 is a Chinese lunar microsatellite (45kg) that was launched in May 2018. It is designed to perform ultra long-wave radio astronomy observations. It also has an on board camera and took some nice photos of the Earth back in June.

While the satellite is still being tested, William notes that it is transmitting telemetry data to Earth during it's scheduled days at 435.4 MHz and 436.4 MHz, and the signal can be received with an RTL-SDR and Yagi antenna. William writes:

[LONJIAN-2] transmits with a little linear antenna and a little power of just 2 Watts.

In other sessions, I used a professional radio to have the maximum performance.

But this morning I wanted to test the reception, just using my RTLSDR V3 and my antenna yagi 15 elements pointed to the Moon. No other options (as filters, pre aplifiers, or other stuffs. Zero of these)

Well, the result was great. I received the signals and also i could decode them!

So I think people can be happy to know, that with a very little setup, they can receive incredible little signals from great distances.

When I received these signals, the Moon distance was about 378500 km.

LONGJIAN-2 transmits telemetry with GMSK and JT4G, and JT4G can be decoded with WSJT-X or WSJT 10. There is also a GNU Radio program called gr-dslwp that can be used to decode the telemetry. JT4G is a weak signal coding that can be decoded with signal levels down to -17 dB. Therefore anyone with modest hardware can decode the satellite. More information about the coding can be found on this post by Daniel Estevez.

On the Lilacsat page for LONGJIANG-2 if you scroll down you can also see reports from several other amateur radio operators who have managed to receive the satellite with RTL-SDR dongles and other radios. Below is an image of an example for SP5ULN who was able to receive and decode the JT4G signal with an RTL-SDR, LNA, and 19-element Yagi.

Example of LONJIAN-2 being received with an RTL-SDR by SP5ULN as noted on the LilacSat website.
Example of LONJIAN-2 being received with an RTL-SDR by SP5ULN as noted on the LilacSat website.
Tweet13
Share112
+1
Email
125 Shares

Receiving GOES Weather Satellite HRIT with an SDRplay and 2.4 GHz WiFi Grid Antenna

Over on the SDRplay forums member RSP2user has posted a new tutorial, this time showing how to receive weather satellite images from GOES satellites with an RSP2 and cheap 2.4 GHz WiFi grid antenna

GOES 15/16/17 are geosynchronous weather satellites that beam back high resolution weather  images and data. In particular they send beautiful high resolution 'full disk' images which show one side of the entire earth. As the satellites are in geosynchronous orbit, they are quite a bit further away from the earth. So compared to the more easily receivable low earth orbit satellites such as the NOAA APT and Meteor M2 LRPT satellites, a dish antenna, good LNA and possibly a filter is required to receive them. However fortunately, as they are in a geosynchronous orbit, the satellite is in the same position in the sky all the time, so no tracking hardware is required.

In the tutorial RSP2user notes that he's been using a $16 2.4 GHz WiFi grid dish antenna and the NooElec SAWbird LNA. In the past we've also seen GOES reception from Pieter Noordhuis who used a 1.9 GHz grid antenna from L-Com which seems to be a better match to the 1.7 GHz GOES frequency. However, 2.4 GHz WiFi grid antennas are much more common and therefore much cheaper. In the past there has been debate on whether or not these cheaper WiFi antennas would be good enough for GOES, so it's good to see that the cheaper option is confirmed to work, at least for the satellite elevations found in the RSP2user's part of the USA.

The SAWBird is a 1.7 GHz LNA which is required to improve SNR by reducing system noise figure, and to filter any interfering out of band signals. The SAWbird is currently not available for public sale, but NooElec have noted that it is due to be released soon. RSP2user also notes that the polarization of the dish is important, so the dish may need to be rotated, and also that flipping the secondary reflector significantly increases the gain at 1.69 GHz.

For software the XRIT demodulator from USA-Satcom for a small fee is used together with the SDRplay RSP2. As seen by Pieter Noordhuis' results, it's also possible to receive these signals with an RTL-SDR and Pieters free software. So it may be possible to reduce the costs of a GOES reception system by using an RTL-SDR, SAWBird and 2.4 GHZ WiFi grid antenna. With those components the total cost would be well under $100.

As a bonus, in later posts on his forum thread, RSP2user shows that the system can also be used to receive HRPT images from the low earth orbit NOAA 19 satellite by hand tracking the antenna as the satellite passes over.

RSP2users GOES Receiver: SDRplay, SAWBird LNA, 2.4 GHz WiFi Grid Antenna
RSP2users GOES Receiver: SDRplay, SAWBird LNA, 2.4 GHz WiFi Grid Antenna
Tweet14
Share73
+1
Email
87 Shares