Search results for: iphone

New Apple iOS (iPhone/iPad) RTL-SDR rtl_tcp Client App in Beta Testing

Over on our forums poster hotpaw2 has released news about his new RTL-SDR app for iOS (iPhones/iPads). If we're not mistaken, this will be the first app that enables RTL-SDR usage on iOS. However, as iOS devices don't allow RTL-SDRs (or any arbitrary USB device) to connect directly to devices, you still need to use a Raspberry Pi or other network connected computing device as an rtl_tcp server. So the RTL-SDR does not plug directly into the iOS device. Currently he is looking for beta testers to help test a pre-release of the software. Hotpaw2 writes:

Hi. A first version of my iOS SDR app is nearing completion. So I'm interested finding a few users who would like to beta test a pre-release of the app, and provide some feedback. The beta test requirements are having a 64-bit iOS device (iPhone or iPad) running iOS 11.2.x or newer, having Apple's TestFlight app installed, having a Mac, PC, Raspberry Pi (or other Linux box) that already has rtl_tcp installed and ready to run. (And an RTL-SDR obviously.) The rtl_tcp server must be on a fast WiFi network reachable by your iOS device. Note that iOS TestFlight app distributions do have an expiration date.

iOS does not recognize arbitrary USB devices such as an RTL-SDR. This is even true when using Apple's Lightning Camera Connection kit to provide an iPhone with a wired USB port. So an adapter must be used. I use a headless Raspberry Pi 3 running rtl_tcp as the USB adapter to provide raw IQ samples from the RTL-SDR to the iOS app. A Raspberry Pi Zero W would also work. I then connect to the server either over WiFi, or via wired ethernet. 

This iOS SDR app is fairly simple. I've been experimenting with developing low-level DSP code in Swift. So this SDR app was written from scratch in the Swift programming language. Because the app is targeted for the iOS App store, it uses none of the existing SDR C++ code base. 

The app currently demodulates AM, N-FM, and mono W-FM. It also displays a spectrum and rudimentary waterfall, and allows one to swipe-to-tune. There are not a lot of controls, as screen real-estate on an iPhone is quite limited. But I can walk around the house and, from my iPhone, monitor if my RTL-SDR or AirSpy HF+ are picking up any interesting signals.

Contact info for beta testing can be found here: 

Source code to librtlsdr and rtl_tcp can be found in many repositories on github, but zero support for finding or installing such, and/or setting up your Raspberry Pi, will be provided by me.

Screenshot of the RTL-SDR iOS app
Screenshot of the RTL-SDR iOS app


Fingerprinting Electronic Devices via their RF Emissions with an RTL-SDR and ImageMagick

Thank you to José Carlos Rueda for submitting his simple shell script that he uses for fingerprinting spurious RF emissions with an RTL-SDR, rtl_power, and imagemagick. The result is something like Disney's EM sense created with much simpler code.

It is well known that almost all electronic devices unintentionally emit unique spurious RF signals when in operation. By using an SDR like an RTL-SDR to record the spectra from electronic devices, it's possible to build up a database of known emissions. We can then detect when an electronic device is active by comparing the live spectrum to spectra stored in the database.

In a previous post we covered Disney's EM sense which is an experimental smart watch that automatically detects what electronic device the wearer is touching. With EM Sense they use an RTL-SDR and a database of raw pre-recorded spectrum data. To detect what the wearer is touching the live signal from the RTL-SDR is correlated against the database, and the closest match is returned.

José's script does something very similar, however instead of correlating with raw spectrum data he instead uses the waterfall image that is generated by rtl_power and The rtl_power program allows an RTL-SDR to scan the frequency spectrum over a wider bandwidth by rapidly scanning ~2.4 MHz chunks of bandwidth at different frequencies. is a program that turns the scanned data from rtl_power into a heatmap image of the spectrum.

To add an entry to the database, the electronic device is placed 7-8 centimeters away from the RTL-SDR, and a heatmap image recorded between 24 - 921 MHz is saved to disk. This can be repeated for multiple electronic devices. Each image will record the spurious signals from the electronic device, resulting in a unique heatmap image per electronic device.

Once the database has been created, you can then place any of the devices found in the database next to the RTL-SDR, and record a heatmap for 20-30s. That heatmap will then be compared against the images in the database using imagemagick which is an image analysis and manipulation library. The electronic device associated with the closest matching image in the database will be returned.

In his experiments he tested various electronic devices like an iPhone and was able to successfully determine when it was nearby.

Various electronic device spectra waterfall images recorded in the database
Various electronic device spectra waterfall images recorded in the database

Using a Software Defined Radio to Send Fake Presidential Alerts over LTE

Modern cell phones in the USA are all required to support the Wireless Emergency Alert (WEA) program, which allows citizens to receive urgent messages like AMBER (child abduction) alerts, severe weather warnings and Presidential Alerts.

In January 2018 an incoming missile alert was accidentally issued to residents in Hawaii, resulting in panic and disruption. More recently an unblockable Presidential Alert test message was sent to all US phones. These events have prompted researchers at the University of Colorado Boulder to investigate concerns over how this alert system could be hacked, potentially allowing bad actors to cause mass panic on demand (SciHub Paper).

Their research showed that four low cost USRP or bladeRF TX capable software defined radios (SDR) with 1 watt output power each, combined with open source LTE base station software could be used to send a fake Presidential Alert to a stadium of 50,000 people (note that this was only simulated - real world tests were performed responsibly in a controlled environment). The attack works by creating a fake and malicious LTE cell tower on the SDR that nearby cell phones connect to. Once connected an alert can easily be crafted and sent to all connected phones. There is no way to verify that an alert is legitimate.

Spoofed Presidential Alerts Received on a Galaxy S8 and iPhone X.
Spoofed Presidential Alerts Received on a Galaxy S8 and iPhone X.

New RTL-SDR Receiver App for iOS Released

SDR Receiver on iOS Screenshot
SDR Receiver on iOS Screenshot

A new RTL-SDR compatible app for Apple iOS (iPhone, iPad) has recently been released on the Apple App store. The app is called "SDR Receiver", costs US$9.99, and is used together with an RTL-SDR (or Airspy HF+) server running on a separate networked device such as a Raspberry Pi or PC. Limitations by Apple mean that the RTL-SDR can not run directly on iOS  devices. The software description reads:

SDR Receiver, a new iOS app for RTL-SDR and Airspy HF+, is now available on the App Store. The app works with an RTL-SDR or Airspy HF+ that is attached to a host Mac, PC or Raspberry Pi running the rtl_tcp server or equivalent. The iOS device, which may be an iPhone or an iPad, communicates over the network with the host computer which may be anywhere on the network that is reachable by TCP/IP and that can sustain the required bandwidth. 

  • SDR Receiver demodulates AM, narrowband FM and wideband FM signals. Key features include:
  • Easily entered and managed lists of stations to simplify station selection.
  • Adjustable squelch that works for both AM and FM signals.
  • Adjustable LNA gain for RTL-SDR.
  • Adjustable audio high pass and low pass filters.
  • Signal strength indicator that shows power level in the signal passband.
  • Multiple sampling rates down to 240Ksps for RTL-SDR.
  • Sampling rate of 768Ksps for Airspy HF+.

Streaming from an RTL-SDR requires installation of the librtlsdr package including the rtl_tcp utility on the host computer. Streaming from an Airspy HF+ requires installation of server software on the host computer that supports the Airspy HF+ and that streams data according to the protocol used by the rtl_tcp utility. One such server has been made available by Ron Nicholson in source code form on GitHub.

Requires an RTL-SDR or Airspy HF+, a host computer and server software which are not provided with the application.

Another RTL-SDR client for iOS is "RTL_TCP SDR" by Ron Nicholson which we posted about back in March when it was still in beta testing. RTL_TCP SDR includes a spectrum analyzer and FFT display. SDR Receiver appears to have no spectrum display, so is mostly useful for listening to preset frequencies, whilst RTL_TCP SDR appears to be more useful for spectrum exploring.

LocalRadio: A new RTL-SDR App for MacOS

Thanks to Doug Ward (@dsward) for letting us know about his new RTL-SDR compatible MacOS based app called LocalRadio. LocalRadio is an open source web browser based app that connects to a MacOS server running an RTL-SDR. The software allows you to listen in on any frequency supported by the RTL-SDR in AM or FM modes, and audio is capable of being streamed to multiple devices via a built the LAME MP3 encoder, EZStream and Icecast server. It does not provide an FFT or waterfall display however.

The software introduction reads:

LocalRadio is an experimental, GPL-2 licensed open-source application for listening to “software defined radio” on your Mac and mobile devices. With an inexpensive RTL-SDR device plugged into the Mac’s USB port, LocalRadio provides a casual listening experience for your favorite local FM broadcasts, free music, news, sports, weather, public safety and aviation scanner monitoring, and other radio sources.

LocalRadio’s easy-to-use web interface allows the radio to be shared from a Mac to iPhones, iPads, Android devices, and other PCs on your home network. No additional software or hardware is required for sharing with mobile devices, simply use the built-in mobile web browser to connect to LocalRadio and tune to your favorite stations. You can also listen to LocalRadio audio on your Apple TV and other AirPlay-compatible devices.

LocalRadio does not provide features like FFT waterfalls, panadapters, or signal recording that are found on other SDR software. For those features, GQRX for Mac is highly recommended. GQRX is a good way to discover radio frequencies that can be used with LocalRadio.

LocalRadio is intended for use as in-home entertainment, using a local area network with a private IP address. It has not been tested with a public IP address, particularly for security testing, therefore it is not recommended for that purpose. For simply listening to LocalRadio on the Mac with the RTL-SDR device plugged in, no network is required at all.

LocalRadio Interface in the Safari Web Browser
LocalRadio Interface in the Safari Web Browser

EM-ID: RTL-SDR based Tag-Less ID of Electrical Devices via Eletromagnetic Emissions

Back in November 2015 we posted about Disney Research’s EM-Sense which was an RTL-SDR based smart watch that was able to actually sense and detect the exact (electronic) object the wearer was touching. It worked by using the RTL-SDR to detect the specific electromagnetic emission signature given off by various different electronic devices.

Now Disney research has just released a new paper titled “EM-ID: Tag-less Identification of Electrical Devices via Electromagnetic Emissions”. In this paper the authors describe an RTL-SDR based system which serves as a replacement for RFID tags and readers. RFID (Radio Frequency ID) tags can be used in place of standard barcodes when placed on items as a means for easy inventory and asset tracking. An RFID tag is faster and easier to read than a barcode, but the individual cost of the tag has prevented its widespread adoption.

The Disney research team have put forward the idea that a low cost SDR like the RTL-SDR can be used in place of RFID tags when they would have been used to identify electronic devices. The idea is that the SDR can be used to read the electromagnetic emissions of the electronic device, which can then be used to identify the item, thus eliminating the need for an RFID tag or barcode. Their abstract reads:

Radio Frequency Identification technology has greatly improved asset management and inventory tracking. However, for many applications RFID tags are considered too expensive compared to the alternative of a printed bar code, which has hampered widespread adoption of RFID technology. 

To overcome this price barrier, our work leverages the unique electromagnetic emissions generated by nearly all electronic and electromechanical devices as a means to individually identify them. This tag-less method of radio frequency identification leverages previous work showing that it is possible to classify objects by type (i.e. phone vs. TV vs. kitchen appliance, etc). A core question is whether or not the electromagnetic emissions from a given model of device, is sufficiently unique to robustly distinguish it from its peers. 

We present a low cost method for extracting the EM-ID from a device along with a new classification and ranking algorithm that is capable of identifying minute differences in the EM signatures. Results show that devices as divers as electronic toys, cellphones and laptops can all be individually identified with an accuracy between 72% and 100% depending on device type.

While not all electronics are unique enough for individual identifying, we present a probability estimation model that accurately predicts the performance of identifying a given device out of a population of both similar and dissimilar devices. Ultimately, EM-ID provides a zero cost method of uniquely identifying, potentially billions of electronic devices using their unique electromagnetic emissions.

An EM-ID use case: Identifying difference laptop assets.
An EM-ID use case: Identifying difference laptop assets.

In the paper we can see that the EM-ID hardware is essentially just a direct sampling modified RTL-SDR and antenna. The RTL-SDR is modified to use direct sampling as this allows it to receive 0 – 28 MHz, and thus 0 – 500 kHz where the most useful EM emissions exist. The system process is to basically scan the device using the antenna and RTL-SDR, extract features such as power peaks from the recorded EMI spectrum and then turn this data into a device signature which can then be used to compare against a database of previously recorded and known device signatures. (e.g. light bulb, iPhone).

The EM-ID Hardware: Essentially an RTL-SDR and antenna.
The EM-ID Hardware: Essentially an RTL-SDR and antenna.
The EM-ID Process.
The EM-ID Process.

New Book out by the Author of the RTLSDR4Everyone Blog

Akos, the author of the rtlsdr4everyone blog has recently released a new Kindle book on Amazon which sells for $5 USD. It is titled “RTL-SDR for Everyone: Second Edition 2016 Guide including Raspberry Pi 2”. Akos writes that the book is intended for beginners and anyone wishing to maximise their RTL-SDR dongle’s performance. The blurb reads:

Chapters cover all you need to know for the best reception with $10 RTL-SDR dongles. Wideband and specialist antennas, modding and noise reduction tips aided with images and diagrams.

My blog at is only a fraction of the know-how in this book – if you want to take performance to the next level, or simply have no time to waste searching for information on the Internet, then this book is for you.

Readable on all platforms: Windows and Mac, Android and iPad, iPhone and Ipod touch.

Chapter 1 begins with Akos explaining some of the theory and jargon used in the radio world. Chapter 2 of the book talks about the hardware such as the RTL-SDR dongles, coax cabling, connectors and preamplifiers. Chapter 3 talks about the software and includes installation guides for programs like SDRsharp, SDRConsole, Virtual Audio Cable, as well as tutorials for receiving signals such as weather satellites and ADS-B. Chapter 4 goes on to talk about the different types of antennas and Chapter 5 discusses how to maximise the performance of the RTL-SDR. Finally Chapter 6 discusses the Raspberry Pi and it’s links to the RTL-SDR.

A preview of the first few pages in the book is available on Amazon and remember that there is no risk with buying Kindle books as they can easily be fully refunded within the first seven days of purchase.


Controlling Siri and Google Now with a Yagi and USRP

Wired magazine have recently run a story that shows how French researchers have discovered a method for remotely controlling modern smartphones through an RF attack that targets the voice control functionality called Siri on the iPhone and Google Now on Android. The attack only works for phones that have voice commands enabled, and there must be a pair of microphone enabled headphones plugged in.

The attack is pretty simple in theory. It works by using a software defined radio to transmit a high power amplitude modulated CW signal that will be picked up by the microphone’s cable which acts like an antenna. The AM CW signal is modulated in such a way that the built in low pass filter in the microphone works as a demodulator and turns the signal into an audio voice command.

In their experiments they were able to use a USRP SDR, amplifier and directional Yagi antenna to cause a smartphone to load up their webpage. The same attack could probably be performed with a cheaper HackRF SDR. 

A talk by the researchers was uploaded to Google earlier this month and is shown below.

HIP15-TALK:You don't hear me but your phone's voice interface does