Since 2.4 GHz is outside the RTL-SDR's receivable range, Omri used a cheap downconverter which he was able to buy from China via Aliexpress. The downconverter shifts the 2.4 GHz signal down to a lower frequency of around 400 MHz, which is within the receivable range of the RTL-SDR.
He was then able to use his NRF24-BTLE-Decoder software that he developed to convert the received data from the NRF24L01+ transceiver into a decoded packet by simply piping the output of RTL_FM into his program.
Since the NRF24L01+ uses hardware similar to the Bluetooth Low Energy (BTLE) protocol, Omri was able to modify his code to be able to also decode BTLE packets.
2.4 GHz packet received on the RTL-SDR + downconverter from a Logitech mouse
Decoded NRF24 Packets
ANT-FS is a wireless file transfer protocol that is designed specifically for transferring files wireless between two devices. It is designed for ultra low power devices and typically runs on devices operated by a coin sized battery. It is commonly used in applications like fitness tracker devices, which store data to later be downloaded to a PC.
Over on YouTube user sghctoma has uploaded a video showing a teaser of him receiving and decoding ANT-FS packets with blocks developed for the POTHOS graphical language. As ANT-FS is usually transmitted at 2.4 GHz, he had to use an MMDS downconverter which allowed his RTL-SDR to receive the packets. Sghctoma writes that the video is simply a teaser, and that a live demo with a real device, and the full code + details, will be released during his talk at DEFCON titled “Help, I’ve got ANTs!!!”.
ANT-FS sniffing with RTL-SDR, an MMDS downconverter and Pothosware
To reverse engineer the drone's wireless communications system the teams used software defined radios like the HackRF and BladeRF, and also an alternative method involving just an Arduino and an nRF24L01+ receiver chip. Once the signal was received, they used GNU Radio to decode the signal into packets of data. After analyzing the data they found that the data bytes were easily reverse engineered, and they were then able to transmit their own data packets to control the drone. The post goes into further detail on the specifics of the reverse engineering.
The Syma X8C drone to be stolen in the competition.
By using a Python script to make the Crazyradio constantly transmit, and then by using GNU Radio, Arnaud was able to sniff and demodulate the GFSK signal from the nRF24 based Crazyradio and pipe the demodulated signal into an nRF24 decoder.
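Both Omri's rtl_fm-to-decoder pipeline and Arnaud's GNU Radio sniffer end with the same step: turning demodulated GFSK bits into nRF24 packets. As an added example (not code from Omri's NRF24-BTLE-Decoder or any other project), here is a Python parser for one nRF24L01+ Enhanced ShockBurst frame that assumes a 5-byte address and a 16-bit CRC, locates the preamble in a raw bit stream, and only accepts frames whose CRC verifies, so a bit error from a noisy capture is rejected rather than reported as a packet.

```python
# Added example, not code from Omri's NRF24-BTLE-Decoder or any other project.
# Assumed frame layout (nRF24L01+ Enhanced ShockBurst): 1-byte preamble, 5-byte address,
# 9-bit packet control field (6-bit length, 2-bit PID, NO_ACK), payload, then a 16-bit CRC
# (poly 0x1021, init 0xFFFF) over address + PCF + payload, all bits MSB first.
def crc16_bits(bits):
    """CRC-16 (poly 0x1021, init 0xFFFF) over a sequence of bits, MSB first."""
    crc = 0xFFFF
    for b in bits:
        crc ^= b << 15
        crc = ((crc << 1) ^ 0x1021) & 0xFFFF if crc & 0x8000 else (crc << 1) & 0xFFFF
    return crc

def int_to_bits(value, width):
    return [(value >> (width - 1 - i)) & 1 for i in range(width)]

def bytes_to_bits(data):
    return [b for byte in data for b in int_to_bits(byte, 8)]

def bits_to_int(bits):
    return int("".join(map(str, bits)), 2)

def build_frame(address, payload, pid=0, no_ack=0):
    """Constructed ESB frame; preamble is 0xAA when the first address bit is 1, else 0x55."""
    preamble = 0xAA if address[0] & 0x80 else 0x55
    body = bytes_to_bits(address) + int_to_bits(len(payload), 6) + int_to_bits(pid, 2) + [no_ack]
    body += bytes_to_bits(payload)
    return int_to_bits(preamble, 8) + body + int_to_bits(crc16_bits(body), 16)

def parse_frame(bits, addr_len=5):
    """Scan a demodulated bit stream; return (address, pid, no_ack, payload) of the first CRC-valid frame, else None."""
    min_len = 8 + addr_len * 8 + 9 + 16
    for start in range(len(bits) - min_len + 1):
        preamble = bits_to_int(bits[start:start + 8])
        body_start = start + 8
        # The preamble must alternate and must agree with the first address bit.
        if preamble not in (0xAA, 0x55) or (preamble == 0xAA) != bool(bits[body_start]):
            continue
        pos = body_start + addr_len * 8
        address = bytes(bits_to_int(bits[i:i + 8]) for i in range(body_start, pos, 8))
        length, pid = bits_to_int(bits[pos:pos + 6]), bits_to_int(bits[pos + 6:pos + 8])
        no_ack, pos = bits[pos + 8], pos + 9
        end = pos + length * 8
        if length > 32 or end + 16 > len(bits):
            continue
        payload = bytes(bits_to_int(bits[i:i + 8]) for i in range(pos, end, 8))
        if crc16_bits(bits[body_start:end]) == bits_to_int(bits[end:end + 16]):
            return address, pid, no_ack, payload
    return None

# Constructed bit stream (not a real capture): a few noise bits, one frame, then idle zeros.
SAMPLE_BITS = [1, 1, 0, 0, 1, 0, 1] + build_frame(bytes.fromhex("E7E7E7E7E7"), b"\x01\x02\x03", 2, 1) + [0] * 16
```

Feeding `parse_frame` the 0/1 symbols a GFSK demodulator emits (one bit per symbol at the 1 or 2 Mbps nRF24 rate) gives the same address/payload split that Omri's decoder prints.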
There are now dozens of software defined radio packages that support the ultra cheap RTL-SDR. On this page we will attempt to list, categorize and provide a brief overview of each software program. We categorize the programs into general purpose software, single purpose software, research software and software compatible with audio piping.
If you know of a program that is missing please leave a comment in the comments section at the bottom of the page.
SDR# (pronounced "SDR Sharp") is the most popular free RTL-SDR compatible software in use at the moment. It is relatively simple to use compared to other SDR software and has a simple set up procedure. We have a full overview of the installation procedure on our Quick Start Page. SDR# is designed to be used with the $199 Airspy SDR, but works just fine with the RTL-SDR.
SDR# is a simple to use program that also has some advanced features. It has a useful modular plugin type architecture, and many plugins have already been developed by third party developers. The basic SDR# download without any third party plugins includes a standard FFT display and waterfall, a frequency manager, recording plugin and a digital noise reduction plugin. SDR# also decodes RDS signals from broadcast FM.
HDSDR is based on the old WinRAD SDR program. HDSDR supports the RTL-SDR through use of an ExtIO.dll module. To install HDSDR, download the program from the link on the main HDSDR page; then, to use the RTL-SDR, you will need to download the ExtIO_RTL2832.dll file and place it into the HDSDR folder. When opening HDSDR, select the newly copied ExtIO_RTL2832.dll. The other dlls that come with HDSDR will not work with the RTL-SDR, even though they have RTL-SDR in their filename. The official installation instructions can be found here.
Along with a FFT display and waterfall, HDSDR has some extra advanced features. Users will also find an Audio FFT and waterfall display on the bottom of the screen. The output audio can also be bandpass filtered by dragging the filter borders on the display. Bandpass filtering the audio can really help clean up a noisy signal. The audio processing also supports placing of notch filters either manually or automatically. There are also noise reduction and noise blanker features and an automatic frequency centering algorithm which will automatically center the signal, so you don't need to click exactly in the center of a signal. Traditional ham radio users will also enjoy the S-units signal strength meter and the built in frequency manager.
SDR-RADIO.COM V2 and the newer V3 are a popular SDR program with many advanced features. As such, it is a fair amount more difficult to learn and use compared to SDR# and HDSDR. Be sure you install version 2 and not V1.5, as only V2 has RTL-SDR support.
Once sdr-radio is installed, to get it working with the RTL-SDR you will need to compile or download three .dll files (SDRSourceRTL2832U.dll, rtlsdr.dll and libusb-1.0.dll) and place them into the sdr-radio folder. To compile your own dlls see the instructions here, otherwise download the dlls directly from the bottom of this link. If the dlls were placed in the correct folder you will be able to add your RTL-SDR as a receiver by clicking on the +Definitions button, and then finding and adding the RTL SDR (USB) option under the search drop down menu.
Like HDSDR, sdr-radio has not only an RF FFT and waterfall display, but also an optional audio spectrum FFT and waterfall display. Several DSP features are also built in, such as a noise blanker, noise reduction filter, notch filter and squelch options. The EMNS noise reduction filter is particularly good at automatically cleaning up and clarifying voice signals.
To add to the feature list, sdr-radio also has built in PSK, RTTY and RDS decoders, and also comes with a satellite tracker. Furthermore, sdr-radio V2 (not V3 yet) has an excellent remote server which will allow you to easily set up and connect to a remote RTL-SDR server over a network or the internet. Finally, sdr-radio is capable of listening to up to 6 signals in the same chunk of visible spectrum at a time.
In order to validate that his hardware settings were set correctly and that the NRF905 was transmitting correctly, he used an RTL-SDR and his recently written NRF905 decoder program to check the output frames.