OH2BNF’s Plan for a Large Scale Raspberry SDR (LSR-SDR) Based on RTL-SDR Dongles

Thanks to OH2BNF for writing in and sharing his plan to build a "Large Scale Raspberry SDR" (LSR-SDR), which will be based on RTL-SDR dongles. To create the LSR-SDR he plans to take a 19" rack which can support up to 40 Raspberry Pi 3's, plus up to 160 USB devices, and turn it into a massive SDR array. The rack is key as it allows for simple power management of all the Pi's and other devices to be connected.

OH2BNF plans to connect 20 or so RTL-SDRs, with some operating individually and with others operating coherently via a common external oscillator. The rack may also contain some transceivers, an ICOM IC-7300, antenna switches, upconverters, LNAs and other hardware too. Once completed he hopes to move the system to a low RFI environment and operate the unit entirely remotely. With this he hopes to solve his local RFI issues. He also writes regarding applications:

Primary objectives are to incorporate automated adaptivity to the system at large – for example leveraging on band condition information, WSPR (Weak Signal Propagation Report) & friends, automated signal detection and decoding, great flexibility in terms of individual cluster nodes being able to fast respond to various needs and tasks, strong emphasis in parallel processing where applicable depending on the problem type and dataset, support for multiple end users benefiting from the computing and reception capacity of the cluster – to name the most significant.

It's an interesting idea for sure, and we hope to see some updates from OH2BNF in the future.

The Raspberry Pi 19" Rack
The Raspberry Pi 19" Rack

The Lego Pi RTL-SDR FM Radio

Thank you to RTL-SDR.com reader 'JJ' for writing in with a submission for his Lego Pi Radio. JJ's Lego Pi Radio consists of a Raspberry Pi and RTL-SDR and is designed to be an FM Radio, MP3 and internet radio player all in one, with a cute enclosure made out of Lego bricks. The radio is controlled by an external numpad which allows for a number of presets to be chosen from.

The internet radio and MP3 players are handled in software by VLC player and a script written by JJ is used to map the numpad to RTL-SDR FM presets, or MP3 and internet radio functions. The whole unit is run headless and if anything needs to be updated such as internet radio links, JJ simply accesses the unit via an SSH shell. JJ also writes how he had to try 3 different brands of speakers before he found one that could be driven directly from the Pi with adequate sound quality. In the future he hopes to add a bluetooth remote.

One problem that JJ found was that the standard rtl_fm did not produce high quality audio. Fortunately he found the NGSoftFM software which is capable of outputting high quality FM stereo sound and is compatible with RTL-SDR dongles.

In the past we've seen a similar project that was implemented on a BeagleBone Black. The idea in that project was to switch between FM and internet radio depending on the reception quality.

Testing the Airspy with the New And Improved Version of ADSBSpy

Airspy have recently released an update to their ADSBspy decoder, which is an Airspy One/R2 compatible decoder for 1090 MHZ ADS-B signals. According to 'prog', the software developer of ADSBSpy, his setup can see almost double the number of aircraft and with fewer false positives when using the updated software. Prog writes that the secret to the improvement is some reworked DSP code that aims to exploit oversampling in the Airspy to the maximum.

We compared the new ( decoder against the old decoder ( which used to get similar performance to dump1090. The test setup was two Airspy dongles connected to a dipole antenna via a splitter, with our Triple Filtered ADS-B LNA used by the antenna. One Airspy was used to power the LNA via it's bias tee, and both units received the same amplified signal. We found indeed that the new version of ADSBSpy receives a good number more aircraft in our set up, and an increased number of ADS-B messages too.

It seems that most of the additionally received aircraft must be from extremely weak signals, because when looking in Virtual Radar Server the extra aircraft usually only show their ICAO and maybe altitude and speed until they get closer.

So far this software appears to provide the best performance on ADS-B that we've seen so far, so if you are using an Airspy for ADS-B tracking we'd like to hear results from anyone who upgrades.

The New ADS-B Spy Receives More Aircraft and Messages
The New ADS-B Spy Receives More Aircraft and Messages

QuestaSDR: New RTL-SDR Software for Android

Last year we posted about QuestaSDR, which is a simple SDR multi-mode GUI that is compatible with the RTL-SDR. Since then QuestaSDR has evolved, and is now available on Android devices as well. It looks to be a nice alternative to RF Analyzer and SDR Touch which are the most popular RTL-SDR Android apps. The description of Android QuestaSDR reads:

QuestaSDR - powerful and flexible, cross-platform Software Defined Radio Application (SDR). Built-in scheduler architecture provides integrate plugins, plugins kits and multi - UI. Typical applications are DXing, Ham Radio, Radio Astronomy and Spectrum analysis.

Support Hardware:
- RTLSDR Dongle

Main features:
- Dark, Ligth, Universal, Material application style
- Many spectrum settings (FFT size, waterfall FPS and color theme)
- AM/SSB/NFM/WFM demodulator
- RDS decoder
- Record AF file
- Frequency bookmarks
- Web remote
- Supported IF-adapter, upconverter, downconverter hardware
- Rig samplerate, frequency, level and iq disbalance calibrate

To start using QuestaSDR, you will need:
- RTL-SDR dongle
- USB OTG Cable - used to connect a RTLSDR to your Android device.

Connect the USB dongle to the USB-OTG, then insert the free end of the cable into the USB port of your Android device and launch the QuestaSDR! Now you can listen to live frequency range shortwave, VHF, UHF.

Feedback and bug reports are always welcome.

Please note that I am not responsible for any legal issues caused by the use of this application. Be responsible and familiarize yourself with local laws before using.

QuestaSDR - New RTL-SDR Compatible Android App
QuestaSDR - New RTL-SDR Compatible Android App

New GUI and Info on Outernet’s moRFeus Wideband Signal Generator

Back in March we posted about the release of Outernet's moRFeus device which is a low cost wideband RF signal generator. Since then we've received a few emails from two readers who've received their units and have found some interesting hacks and have developed software for it.

First we have a submission from Ohan Smit who discovered a hack that allows moRFeus to work as a wideband noise generator by setting the LO to 5 GHz and the Mixer current to 3. Together with an Airspy and the Spectrum Spy software he was able to measure the response of a bandstop FM filter. Over on the forums he also shows screenshots of Python based control software that he's developed for controlling moRFeus.

moRFeus Generating Noise
moRFeus Generating Noise

Next we have a moRFeus Linux GUI created by "Lama Bleu". It can be used to access the same functions as via the moRFeus LCD screen, but is also has a few very useful features such as a step generator which allows a generated tone to sweep across the frequency spectrum. The moRFeus GUI can also connect to GQRX and sync with the LO frequency specified in the GQRX GUI for easy control. It should also be possible to implement a CW morse code generator with some scripts.

Outernet moRFeus GUI
Outernet moRFeus GUI

Over on the forums Zoltan, one of moRFeus' designers also notes that it might even be possible to use moRFeus for WSPR modulation, although this isn't confirmed yet. It seems that moRFeus is shaping up to be a very useful tool for RF testing and experimentation.  The device is currently still available on Crowd Supply for $149US with over 136 units sold so far.

Investigating the Adjustable IF Bandwidth on the R820T Chip

Over on his blog, Thierry Leconte has been writing about some IF bandwidth experiments that he's performed on the R820T2 chip. This is the tuner chip that is used in most RTL-SDR dongles, and well as on the Airspy R2 and Mini SDRs. It has a programmable IF bandwidth and high pass filter which can be used to filter neighboring interfering signals out to reduce imaging and overload problems. In the RTL-SDR and Airspy drivers the bandwidth is adjusted to a fixed setting depending on the bandwidth selected.

To perform the tests he uses a noise source connected to his Airspy, varies the IF filter bandwidth and then plots the results. He finds that there are two adjustments for the IF filter, one coarse and one fine, as well as an additional high pass filter. By manually reducing these settings it's possible to get better filtering at the expense of reduced bandwidth. 

He notes that reducing the bandwidth is useful for his two apps, acarsdec and vdlm2dec which receive ACARS and VDL aircraft signals. These signals are not high in bandwidth so they can easily benefit from tighter filtering.

Adjusting the High Pass Filter on the R820T2
Adjusting the High Pass Filter on the R820T2

The NOAA-15 Weather Satellite May be Failing

Over the last few days the NOAA-15 APT weather satellite has begun to show signs of failure with people receiving corrupted images. NOAA 15, 18 and 19 are weather satellites that can be easily received with an RTL-SDR and a satellite antenna such as a V-Dipole, QFH or Turnstile (tutorial here). NOAA 15 was launched on 13 May 1998, making it one month away from being 20 years old. To put it into perspective, NOAA-15 was only built to the spec of being designed to last 2 years minimum. 

The problem currently appears to be intermittent and is due to a loss of lubricant on the scan motor. NOAA released a message:

The N15 AVHRR global imaging became corrupted on April 12 at ~0000 UTC due to sync issues. This may be caused by erratic scan motor current due to loss of lubricant. The problem appears to have corrected itself, as the global image is no longer corrupted. The issue is still under investigation.

In the Tweet below UHF Satcom displays an example of a corrupted image that was received.

The issue is intermittent, and hopefully it can be fixed, but if not we still have NOAA 18 and 19 which were launched in 2005 and 2009 respectively, as well as the Russian Meteor M2 satellite which was launched in 2014. 

If you're interested discussion of this topic can be found on various Reddit threads [1], [2], [3].

SirenJack: Rebuttal by ATI Systems

Last week we posted news about the "SirenJack" radio security vulnerability which was released by Balint Seeber of the Bastille security research agency. SirenJack describes how a cheap TX capable SDR or a $30 handheld radio could allow an attacker to take over wirelessly controlled emergency sirens that are found in many cities around the US. In particular, it was discussed how Acoustic Technology, Inc (ATI Systems) sirens' were the first to be found as vulnerable.

Today Dr. Ray Bassiounim, President & CEO of ATI Systems wrote to us (and presumably other news agencies that ran the SirenJack story) a rebuttal which we paste below.

ATI Siren Vulnerability Misrepresented by Bastille Networks

Balint Seeber of Bastille Networks, Inc. has released information that he has been able to hack Acoustic Technology, Inc.’s wireless protocol. ATI believes that Seeber misrepresents his claims that he did so using only a $35 radio and a laptop. ATI understands the great lengths, time, effort, and expertise that Seeber and Bastille went through.  However, their claim trivializes the fact that Seeber is a radio frequency expert with over a decade of training, knowledge, and access to advanced equipment. Bastille’s statement intended to maximize public fear and anxiety by purposefully omitting and simplifying information they released.

Seeber says he identified this vulnerability over 2 ½ years ago but decided not to notify ATI or the City of San Francisco until recently. If he truly believed this was a serious vulnerability, why did he wait so long to disclose it, effectively leaving the public at risk? Other discrepancies discovered include:

  • Bastille’s SirenJack white paper states in part “...nor was there access to equipment...”  However, pictures in the white paper and videos on Bastille’s YouTube page clearly show Seeber utilizing ATI’s equipment in his Proof of Concept.
  • Seeber also states multiple times that anyone “…with a $35 transmitter…” can perform this hack. The white paper, however, confirms he used “…a number of Ettus Research Universal Software Radio Peripheral (USRP) and Software Defined Radio (SDR)….”. This equipment costs upwards of thousands of dollars for each unit, not merely the $35 radio as claimed.
  • In multiple YouTube videos, ATI’s equipment is blurred out during Seeber’s demonstration. For full disclosure, what was blurred out and why?
  • In Seeber’s YouTube demonstration of the SirenJack hack, it shows him with an embedded CPU debug cable plugged into the ATI siren.  Since this cable is only used for programming and diagnostics of the ATI siren, why is this cable needed? There is no reason for it to be used while demonstrating siren activation through over-the-air hacking.
  • None of Bastille’s videos show any Over-The-Air (OTA) transmissions of malicious packets because transmitting on a licensed frequency is illegal. Yet the Motorola CM200 radio in the ATI siren is very easy to re-program to a different frequency (or a license free radio could have been used), and it could have been easily changed in order to legally demonstrate sending malicious packets OTA.

When the San Francisco system was installed in 2004, over 14 years ago, it was state-of-the-art. Since then, ATI has upgraded protocols to incorporate a 128-bit AES variable key with an additional ATI proprietary security layer that is now being implemented.

“For the past 30 years ATI has had thousands of clients, both nationally and internationally.  Even though we have never experienced any fails or hacking incidents, ATI responded to Bastille’s false claims by raising security safeguards, and ATI encourages its clients to update their systems to ensure maximum security. We believe that Bastille’s representations are totally fabricated,” comments ATI’s CEO, Dr. Ray Bassiouni.

It's true that Balint and Bastille do have years of knowledge and the equipment to find vulnerabilities, however we believe that Bastille was only claiming that a $30 radio can be used to take over the system now that the vulnerability is already known. If a more malicious hacker found the vulnerability first, and then released the details to 'script kiddies' or other malicious people, it could have caused major issues.

The white paper on SirenJack is now available and can be found at sirenjack.com. From the white paper it appears that Bastille analyzed the RF spectrum to find the weekly siren test signal. Once found they were able to characterize the modulation scheme, and since no encryption was used, they were able to dissect the packet. They then determined that the packets could easily be reproduced and thus any transmit capable radio could be used to attack the system. Also although Bastille used USRP SDRs in the reverse engineering stage, it seems that the same reverse engineering work could be done with a simple RTL-SDR.

SirenJack: Could sirens be taken over with a $30 radio?
SirenJack: Could sirens be taken over with a $30 radio?