Category: Applications

KiwiSDR TDoA Direction Finding Now Freely Available for Public Use

A few weeks ago we posted about some experimental work going on with Time Difference of Arrival (TDoA) direction finding techniques on KiwiSDR units. The idea is that public KiwiSDRs distributed around the world can be used to pinpoint the physical locations of any 0 - 30 MHz transmitter using the TDoA technique. This feature has recently been activated and can be accessed for free via any KiwiSDR.

The KiwiSDR is a US$299 HF SDR that can monitor the entire 0 - 30 MHz band at once. It is designed to be web-based and shared, meaning that the KiwiSDR owner, or anyone that they've given access, can tune and listen to it via a web browser over the internet. Many public KiwiSDRs can be found and browsed from the list at sdr.hu or by signal strength and location on this website.

One thing that KiwiSDRs have is a GPS input which allows the KiwiSDR to run from an accurate clock, as well as providing positional data. Time Difference of Arrival (TDoA) is a direction finding technique that relies on measuring the difference in time that a signal is received at over multiple receivers spread out over some distance. In order to do this an accurate clock that is synchronized with each receiver is required. GPS provides this and is able to accurately sync KiwiSDR clocks worldwide. 

Just recently all KiwiSDRs were pushed with a beta update (changelog) that enables easy TDoA direction finding to be performed with them. Since many KiwiSDRs are public, this means that right now anyone can browse to a KiwiSDR web interface and start a direction finding computation. You don't even need to own a KiwiSDR to do this so this is the first freely accessible RF direction finding system available to the public. This could be useful for locating signals like numbers stations, military transmissions, pirate stations, jammers and unknown sources of noise.

KiwiSDR TDoA Interface
KiwiSDR TDoA Interface. Locating a STANAG Signal Source.

Usage

Running a TDoA job is as simple as using the KiwiSDR OpenWebRX GUI interface to select a signal and choose two or more receivers to use in the calculation.

If you want to try this out then it's easiest to start with VLF/LF or MW stations (less than 1.6 MHz) as these signals tend to propagate to receivers only via direct ground wave. HF sky wave signals are a bit more difficult to locate as they tend to travel longer distances by skipping, bouncing and refracting around the ionosphere, so it is difficult to determine exactly where they are coming from since the bounces result in a difficult to predict time delay. But if you know the rough location of the transmitter, you can try and select nearby KiwiSDR receivers, which will hopefully ensure that the signals are received directly via ground wave, and not via sky wave. More advanced users could try using receivers spaced further away, but at similar distances from the expected transmitter location. This will hopefully ensure that all the receivers have identical skip distances, and thus identical delays.

Skywave and Groundwave Propagation
Sky wave and ground wave propagation. Ground wave is received directly vs sky wave which is received via ionospheric bounces

To get started follow these steps (and we also recommend reading the Help text, which is available by clicking the 'Help' button on the TDoA extension):

  1. Open a KiwiSDR that can receive some signals that you are interested in locating. You can browse KiwiSDRs by map and signal strength quality on this website.
      
  2. With the 'extension' drop down menu in the bottom right controls window choose TDoA and double check that the receiver modulation mode is set to 'IQ'.
     
  3. You should now see a map on the top half of the screen. This map displays all KiwiSDRs in the world that have GPS enabled and thus can be used for TDoA.

    The map also displays several known transmitters in white with green markers that can be used as TDoA practice. Clicking on a known transmitter will automatically tune the KiwiSDR to that station.
     
  4. Tune to the signal that you are interesting in locating. Make sure that the receiver bandwidth covers the signal.
     
  5. Now you need to find two or more KiwiSDRs on the map that can receive the signal that you're interested in locating. (Two will give you a line of possible locations, whilst three may allow you to pinpoint the signal. But we recommend starting with only two or three first as more receivers can cause the calculation to fail).
     
    To test and see if a KiwiSDRs from the map can receive the signal, double click on its marker. This will open the selected KiwiSDR in a new browser window, with it tuned to the station of interest. If you have a rough idea on where the transmitter is located, try to select KiwiSDRs such that they surround the transmitter.
     
  6. Once you've found a KiwiSDR that receives your signal of interest, close the second KiwiSDR receiver window that you just opened, and go back to the original KiwiSDR window. Now instead of double clicking just click once on the KiwiSDR pin on the map that you confirmed reception with. This will add that KiwiSDR to the window in the bottom left. This window displays the KiwiSDRs that will be used in the TDoA calculation.

    Make sure that it shows "XX GPS fixes/min" beside a selected KiwiSDR. If you get an error, remove that KiwiSDR and choose another.
     
  7. When you've found two or more KiwiSDRs that receive the signal of interest, position the map to where you'd like the TDoA result heat map to be displayed. The positioning of the KiwiSDR map will determine where the TDoA heat map plot is displayed.

  8. Click the 'submit' button to begin the TDoA calculations. The KiwiSDR server will gather 30 seconds of samples from each of your selected KiwiSDRs, and then run the TDoA algorithm on the KiwiSDR server. The whole process should take about 1-3 minutes to complete.
     
  9. Once completed you can view the results by using the drop down menu next to the submit button to choose the 'TDoA Map'
KiwiSDR TDoA Results
KiwiSDR TDoA Heat Map Results. Located a Military STANAG Signal Source in France.

The KiwiSDR TDoA feature is still in testing and can be a little buggy. If you get "Octave Error", try refreshing the KiwiSDR page and trying again with different receivers. Sometimes you'll also get an error saying that the GPS of a KiwiSDR hasn't updated in a while. In this case just remove that receiver and choose another one. We also find that if you're zoomed too far out on the map, the TDoA algorithm will sometimes return 'Octave error'. Try zooming in a bit closer to the approximately expected location. KiwiSDRs can also only support four simultaneous users at a time, so during peak periods it's possible that some may become busy.

Over on the KiwiSDR forums Martin G8JNJ has also provided a list of helpful tips that he's discovered. For example he recommends choosing KiwiSDRs that are spaced evenly around the estimated transmitter location (if known). Ideally they should also be chosen an opposing pairs (e.g. one pair north and south of the transmitter, and one east and west of it).

Results

We tested the new TDoA feature a few times. Below are some examples of the results we achieved.

USA: NLK @ 24.6 kHz.

This is a Naval transmitter located in Seattle, Washington. With three receivers surrounding the transmitter, we were able to get a pretty close location marker, that is confirmed with the known location.

USA NLK
USA NLK

Europe: DCF77 Time Beacon @ 77.5 kHz.

This is a German long wave time beacon transmitter. Again with three receivers we were able to pinpoint the signal fairly accurately.

DCF77 Located with KiwiSDR TDoA
DCF77 Located with KiwiSDR TDoA

Australia: Local MW Radio Station @ 549 kHz.

Here we tried to locate an Australian MW station. Unfortunately in Australia there is a lack of KiwiSDRs, and of the ones that are there, only three had GPS enabled and could receive the MW station, and two of those were right next to each other. With only effectively two stations we could only obtain a line of possible locations. Comparing with the known location plotted on Google Maps we confirmed that the transmitter is indeed located on the line.

ABC Western Plains Australian MW Radio Station
ABC Western Plains Australian MW Radio Station

We also tested a few signals at higher frequencies. As mentioned previously, anything above VLF/LF/MW (ie the HF bands) is a lot more difficult to locate since the signal can bounce around the atmosphere and can case extra delays to occur in the signal arrival time. The extra delays can cause problems with the time of arrival measurements. Thus for these signals it's important to find receivers close to the transmitter, or receivers spaced further away at the same distance so they each have identical skip distances, and thus identical delays.

When locating an HF signal that is in a completely unknown location we recommend starting with only two or three receivers, checking the heat map, and slowly adding more receivers in the hot parts of the heat map and removing receivers that turn out to be in the cooler areas. This way you can slowly narrow down the receivers to ones that are closer to the signal source, and are thus more likely to receive the signal directly, rather than via ionosphere bounces.

The Buzzer (UVB-76)

Using the just previously mentioned technique we attempted to locate the source of the Buzzer (UVB-76), a Russian numbers station at 4.625 MHz. Eventually we came to the results shown below. According to the heat map the buzzer appears to be located somewhere in the vicinity of St. Petersburg. Back in 2014 the numbers station researchers at priyom.org received an anonymous tip from a member citing a transmitter location just north of St. Petersburg. The TDoA heat map results seem to confirm that the anonymous tipper is correct.

The Buzzer (UVB-76)
The Buzzer (UVB-76) TDoA Heatmap compared against the known location

Final Words

Right now the biggest problem appears to be the lack of active KiwiSDRs around the world. The more active KiwiSDRs there are, the better the direction finding results can be. At the moment Northern Europe and the USA are fairly well represented, but the rest of the world is not. Asia, Africa, Russia and South America are especially lacking. Also not all KiwiSDRs are utilizing the GPS feature. If you are running a KiwiSDR please do consider activating the GPS option. Another issue is that many KiwiSDRs suffer from poor reception and bad antenna setups, so not all active receivers are actually useful.

In the future we expect this feature to only improve, with the people behind it, John Seamons and Christoph Mayer, working hard to improve results. For example one possible future improvement is utilizing ray-tracing techniques to try and take into account delays caused by sky-bounce propagation. Update (15 July 2018): You can now also plot results over Google Maps.

If you want to purchase a KiwiSDR and contribute to the worlds first freely accessible TDoA system, you can purchase it immediately on Amazon or Seeed Studios for $299, or wait for a sale to occur on massdrop.com, where it is often discounted by up to US$100.

New GNU Radio Block for Decoding Meteor M2 Images

Thank you to Reiichiro Nakano for submitting news about his work on converting the Pascal based meteor_decoder software into a C++ GNU Radio block. meteor_decoder is a decoder for the Meteor M2 weather image satellite. Meteor M2 is a Russian weather satellite that transmits images down in the digital LRPT format. This provides much higher resolution images compared to the NOAA APT signals. With an RTL-SDR, appropriate satellite antenna and decoding software it is possible to receive these images.

Reiichiro works for Infostellar, which appears to be a Japanese company aiming to connect satellites to the internet via distributed and shared ground stations. It appears to be somewhat similar to the SatNOGs project. Reiichiro writes:

Just wanted to share a simple project I built for my company Infostellar, in the past week. I converted https://github.com/artlav/meteor_decoder to C++ and placed it within a GNURadio block for direct decoding of Meteor M2 images. It's a sink that expects soft QPSK demodulated signed bytes. Once the flowgraph stops running, it parses out received packets and dumps the received Meteor images in a specified location. 

The block is part of our Starcoder repository and can be installed from here (https://github.com/infostellarinc/starcoder/blob/master/gr-starcoder/lib/meteor_decoder_sink_impl.cc ).

Video on Hacking 433 MHz Devices with an RTL-SDR and Raspberry Pi

Over on YouTube user Andreas Spiess has uploaded a video showing how to use an RTL-SDR to reverse engineer 433 MHz ISM band devices such as Internet of Things (IoT)/home automation sensors and actuators. 

Andreas decided to do this because he has a 433 MHz remote controlled actuated outdoor awning which he wants to have automatically retract when the wind speed gets too high. To do this he wanted to use a wireless 433 MHz ISM band weather station with wind speed sensor. But unfortunately he discovered that it has a proprietary protocol that can't talk to his awning, which also has it's own proprietary protocol.

Andreas' solution is to use an RTL-SDR and Raspberry Pi running the rtl_433 decoder software to receive the weather station data. The rtl_433 software already contained a decoder for his weather station, so no further reverse engineering was required. The data is then converted into MQTT which is a common TCP/IP protocol for IoT devices. MQTT is then read by Node-RED which is a flowgraph based programming environment for IoT devices.

Next, unlike the weather station rtl_433 did not already have a decoder implemented for his awning. So Andreas had to reverse engineer the signal from scratch using the Universal Radio Hacker software. Using the reverse engineered signal information, Andreas then uses an ESP32 processor/WiFi chip and cheap 433 MHz transmitter to implement a clone of the awning's remote control signals. The ESP32 is programmed to understand the MQTT data sent from the Raspberry Pi via WiFi, so now the weather station can control the awning with a little bit of logic code in Node-RED.

#209 How to Hack your 433 MHz Devices with a Raspberry and a RTL-SDR Dongle (Weather Station)

New RTL-SDR Frequency Heatmap Generator Plugin for SDR#

Thanks to VE3NEA for letting us know about his new RTL-SDR compatible heatmap generator plugin for SDR#. To use the plugin you first need to generate some heatmap CSV data by using the rtl_power software. You can then open the CSV file in the plugin and it will generate a heatmap image. A frequency heatmap shows a wideband waterfall image of detected frequency activity.

RTL-SDR heatmap tools are nothing new, but the convenience of having it as a SDR# plugin is that you can click on the heatmap image to instantly tune to a frequency where activity was recorded during the initial rtl_power scan.

SDRSharp RTL-SDR Heatmap Plugin
SDRSharp RTL-SDR Heatmap Plugin

Using an SDRplay RSP2 to Measure IMD

Over on YouTube channel Rate My Radio has uploaded a set of three videos showing how to use an SDRplay RSP2 as a low cost spectrum analyzer to measure the inter modulation distortion (IMD) performance of lower end hardware TX capable radios. The test can only be performed on radios that have IMD performance less than that of the RSP2, so very high end amateur radios cannot be tested.

The process is to use audacity to play two audio tones into the transmitting radio under test, and then the SDRplay is used to receive the output. On the SDRuno software you're then able to see the third order and higher IMD products. Later he also performs white noise IMD tests as well. Below is the video description:

We cover 2 Tone Testing, White Noise Testing, and how the later can be particularly useful in terms of station monitoring. Naturally, we show the effects of 'all knobs to the right' :)

Jarrad also covers how with just an SDR Play and a 'rubber ducky' antenna, station performance can be monitored in real time.

Why would a Ham want to do this? The answer is simple: To defend their station performance against that on air Expert, who got their ticket when you needed to send CW at 50WPN, who served in the military radio unit for 20 years, has 3 engineering degrees and worked as a professor at both MIT and Havard, not to mention the times they lectured at Cambridge & Oxford.

With an SDR Play and a bit of simple math, any OM can put such experts in their place.

Below we only post the third video of the three part series. Links to Part 1 and Part 2 are available in those links, or on his channel.

Part 3: IMD Testing & Realtime Station Monitoring

Locating Various HF Transmitters and Number Stations with KiwiSDRs

If you weren't already aware, the KiwiSDR is a US$299 HF SDR that can monitor the entire 0 - 30 MHz band at once. It is designed to be web-based and shared, meaning that the KiwiSDR owner, or anyone that they've given access, can tune and listen to it via a web browser over the internet. Many public KiwiSDRs can be found and browsed from the list at sdr.hu.

One thing that KiwiSDRs have is a GPS input which allows the KiwiSDR to run from an accurate clock, as well as providing positional data. Time Difference of Arrival (TDoA) is a direction finding technique that relies on measuring the difference in time that a signal is received at over multiple receivers spread out over some distance. In order to do this an accurate clock that is synchronized with each receiver is required. GPS provides this and is able to accurately sync KiwiSDR clocks worldwide.

Over on his blog Christoph Mayer has been steadily documenting his work on getting Time Difference of Arrival (TDoA) direction finding to work with KiwiSDRs. This is not an easy task with HF signals, as they tend to bounce around and propagate through various means, meaning that signals can be delayed if not received directly. So far it appears that he's been most successful in locating signals received by ground wave, but he is also working with an ionospheric ray-tracing model and electron density data to take into account propagation delays from skywave propagation.

Skywave and Groundwave Propagation
Skywave and Groundwave Propagation

In one post from late last year Christoph shows that he was able to pinpoint the location of the German DCF77 longwave time station by using three KiwiSDRs spread out around Europe. The actual location of DCF77 is already known, so this shows that the technique actually works. Other posts show him locating transmitters for STANAG 4285, some unknown frequency hopping signals, OTH radar from Cyprus, CODAR, DRM, VOLMET and more.

Christophs' code can be found at https://github.com/hcab14/TDoA. According to users gathering the data and running the code is still a fairly elaborate process. But there is talk over on the KiwiSDR forums about eventually creating a server that would allow users to more easily request a location computation for a particular signal. 

Pinpointing DCF77 with KiwiSDRs
Pinpointing DCF77 with KiwiSDRs (Bottom right image shows pinpointed location)

Also related to this topic, priyom.org has been using KiwiSDRs to try and locate numbers stations. Numbers stations are mysterious voice stations on the HF bands that when transmitting read out a string of numbers. Most speculate that the numbers are some sort of code intended for international spy agents. Using a simpler method of just noting which KiwiSDRs in the world receive a particular numbers station more strongly, they've been able to determine the likely country of some well known stations.

Building A Giant $200 3D Corner Reflector Antenna for GOES, Moon Bounce and Pulsar Detection

A corner reflector antenna is basically a monopole antenna with a metallic 'corner' reflector placed behind it. The reflector helps the monopole collect signals over a wider aperture resulting in signals coming in stronger from the direction that the corner is pointing at. In past posts we've seen a homemade tinfoil corner reflector used to improve reception of the generic stock RTL-SDR monopole antenna, and a larger one was used in a radio astronomy experiment to detect a pulsar with an RTL-SDR.

Recently The Thought Emporium YouTube channel has uploaded a video showing how to build a large 2 meter 3D corner reflector out of readily available metal conduit pipes and chicken wire. While the antenna has not been tested yet, they hope to be able to use it to receive weather satellite images from GOES-16, to receive moon bounce signals, to map the Hydrogen line and to detect pulsars. 

Tracking Police and Military Aircraft at the G7 Summit with an RTL-SDR

Back in early 2016 we posted about a journalist who used an RTL-SDR to gather ADS-B data about the type of aircraft used at the world economic forum in Davos. The idea was to help highlight the vast wealth and power of the attendees by showing off their heavy use of private aircraft.

Now more recently Laurent Bastien Corbeil has published a similar article in Motherboard (a Vice News tech magazine) explaining how he tracked police and military planes at this years G7 summit which was held in Canada in early June. Laurent used an RTL-SDR Blog V3 with the small dipole antenna attached to a window to gather ADS-B data from all the aircraft activity during the summit.

ADS-B is a radio system used on modern aircraft which broadcasts the aircraft's current GPS location and other data such as aircraft identifiers. It is now used extensively by air traffic controllers as it is significantly more reliable than traditional radar. With a simple RTL-SDR it is possible for anyone to track and plot ADS-B data on a map, and this is how tracking sites like flightradar24.com and flightaware.com work.

From his collected data he was able to spot several interesting aircraft such as Canadian Air Force Chinooks, C130 Hercules', RCMP Pilatus', a military Bombardier jet, and a coast guard Bell 427. He also notes that while he was able to spot Donald Trumps Marine One helicopter with his own eyes, the ADS-B data was not present, indicating that more important military aircraft do not broadcast ADS-B for security reasons.

In the article Laurent makes estimates of the costs of operating these aircraft, and makes some guesses on the type of mission flown by some of the aircraft.

G7 Aircraft Flight Costs (Data by Laurent Bastien Corbeil, Graphics by Marvin Lau)
G7 Aircraft Flight Costs (Data by Laurent Bastien Corbeil, Graphics by Marvin Lau)