Category: Applications

Building an RF Direction Finding Robot with an RTL-SDR

Over on Hackaday.io, project logger Humpelstilzchen has been writing about his attempts to create an autonomous RF direction finding robot RC car with an RTL-SDR. The goal is to set up an ISM band transmitter as a beacon, and use the RTL-SDR on the robot as the receiver. It will then use direction finding techniques to drive towards the beacon. The robot is a 4WD RC toy car with some autonomous navigational features like GPS, ultrasonic, IMU and vision sensors.

In his latest project log Humpelstilzchen describes his first semi-successful attempt at getting RF direction finding working. In the experiment he uses a 433 MHz module to send out an FSK beacon. On the robot two antennas are used for the time difference of arrival/pseudo-doppler direction finding technique, and PIN diodes are used to rapidly switch between the antennas. A GNU Radio script running on a HummingBoard single board computer computes the TDOA/pseudo-doppler algorithm.

Pseudo-doppler direction finding works by rapidly switching between several antennas. The difference in the time that the signal arrives at each antenna can be used to calculate the transmitter's direction.

With the current set up he's been able to get the robot to distinguish if the beacon is closer to the left, or closer to the right, or equidistant. However, he notes that there are still problems with reflections of the beacon signal which can cause the robot to drive in the wrong direction.
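The left/right/equidistant decision described above, as an added Python example (not Humpelstilzchen's GNU Radio script): it simulates a two-antenna switched capture, recovers the phase step at each antenna switch, and converts it to a bearing. The 433.92 MHz unmodulated carrier, 0.15 m antenna spacing, tuning offset, noise level and the single reflected path are assumptions made for the illustration.

```python
import cmath
import math
import random

FREQ_HZ = 433.92e6                 # assumed beacon frequency (433 MHz ISM band)
SPACING_M = 0.15                   # assumed antenna spacing, under half a wavelength
WAVELEN_M = 299_792_458.0 / FREQ_HZ

def antenna_phase(bearing_deg, right):
    """Carrier phase at one antenna for a plane wave; 0 deg = straight ahead, + = right."""
    offset = SPACING_M / 2 if right else -SPACING_M / 2
    return 2 * math.pi * offset * math.sin(math.radians(bearing_deg)) / WAVELEN_M

def capture(bearing_deg, echo_deg=None, echo_gain=0.0, dwells=200, per_dwell=16, seed=7):
    """Constructed IQ samples from a receiver that alternates left/right every dwell."""
    rng = random.Random(seed)
    iq, ant = [], []
    for n in range(dwells * per_dwell):
        right = (n // per_dwell) % 2 == 1
        drift = cmath.exp(1j * 0.2 * n)             # residual tuning offset, rad/sample
        s = cmath.exp(1j * antenna_phase(bearing_deg, right))
        if echo_deg is not None:                     # one reflected copy of the beacon
            s += echo_gain * cmath.exp(1j * (1.0 + antenna_phase(echo_deg, right)))
        iq.append(s * drift + complex(rng.gauss(0, 0.05), rng.gauss(0, 0.05)))
        ant.append(right)
    return iq, ant

def estimate_bearing(iq, ant):
    """Phase step at each antenna switch, tuning offset removed, mapped to degrees."""
    within = l_to_r = r_to_l = 0j
    for n in range(1, len(iq)):
        prod = iq[n] * iq[n - 1].conjugate()         # sample-to-sample rotation
        if ant[n] == ant[n - 1]:
            within += prod                           # same antenna: tuning offset only
        elif ant[n]:
            l_to_r += prod                           # offset + inter-antenna phase
        else:
            r_to_l += prod                           # offset - inter-antenna phase
    ref = (within / abs(within)).conjugate()
    step = cmath.phase(l_to_r * ref + (r_to_l * ref).conjugate())
    sin_theta = max(-1.0, min(1.0, step * WAVELEN_M / (2 * math.pi * SPACING_M)))
    return math.degrees(math.asin(sin_theta))        # front/back ambiguity remains

def steer(bearing_deg, deadband_deg=5.0):
    """Turn the bearing into the three-way decision the robot makes."""
    if abs(bearing_deg) <= deadband_deg:
        return "ahead"
    return "right" if bearing_deg > 0 else "left"
```

With the constructed reflection `capture(20, echo_deg=-60, echo_gain=0.9)` the beacon is 20° to the right, yet the estimate comes out roughly 12° to the left, which is the kind of wrong-way result the project log attributes to reflections.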

This is still a work in progress and we look forward to his future results.

Humpelstilzchen's RF direction finding robot

Using a LimeSDR to Implement Software Defined Optoelectronic Systems

Back in January of this year we posted about PhD student Lucas Riobó's work on using an RTL-SDR to create a low cost optical "high-speed real-time heterodyne interferometer". In that work he used an RTL-SDR as a data acquisition tool for an optoelectronic front end sensor (opto = visual light). This allowed him to translate optical data into an RF signal, which could be received by the RTL-SDR, and then easily processed in a PC.

In his latest work Lucas has published a paper titled "Software Defined Optoelectronics: Space and Frequency Diversity in Heterodyne Interferometry" in the IEEE Sensors Journal. Note that the paper is behind an IEEE paywall, but Lucas notes that if you're interested in discussing his work that you can contact him at [email protected]. The research is similar to the work published in January, but uses a LimeSDR which can take advantage of TX capabilities. Lucas writes:

In this work, a general architecture for the implementation of software-defined optoelectronic systems (SDOs) is described. This concept harnesses the flexibility of software-defined hardware (SDH) to implement optoelectronic systems which can be configured to adapt to multiple high speed optical engineering applications. As an application example, a software-defined optical interferometer (SDOI) using the LimeSDR platform is built. The system is tested by performing high speed optical detection of laser-induced photoacoustic signals in a concentrated dye solution. Using software modifications only, conventional single carrier and also multicarrier heterodyne techniques with space and frequency diversity are performed.

A main difference with the other article described in this post, is that we could also use the transmission path of the LimeSDR to perform many modulation waveforms of the electromagnetic fields which will interfere, to provide a noticeable performance improvement in single-shot interferometric measurements.

PC: Programmable controller, SDH: Software-defined hardware platform,  E/O: Electrical-Optical block, O/E: Optical-Electrical block, OS: Optical System.
A Software Defined Optical Interferometer

Decoding 12 AERO Channels Simultaneously with an Airspy, Outernet Patch Antenna and SDR-Console V3

In a post uploaded last month we noted that Outernet was selling off some of their old L-Band satellite antennas cheaply. Nils Schiffhauser (DK8OK) decided to take advantage of the sale and bought one. Now Nils has created a blog post that shows how he's been able to decode 12 L-Band AERO channels simultaneously with the Outernet L-band antenna, an Airspy R2 and SDR-Console V3. AERO is the satellite based version of aircraft ACARS, and its L-band signals contain short ground to air messages like weather reports and flight plans. Multiple channels are often in use at any one time.

To achieve this Nils uses the multi-channel tuning capabilities of SDR-Console V3, which allows him to open up 12 channels, each tuned to a different AERO frequency. He then opens up 12 instances of the AERO decoder known as JAERO, and then uses VB-Cable to pipe the audio from each channel into a JAERO instance. Nils writes that the key to making JAERO run with multiple instances is to install JAERO into different folders on your PC, and give each JAERO.exe a unique file name like JAERO_1.exe.

He collects all the data into a program called Display Launcher and Nils notes that the whole set up has been stable digesting 54,000 messages over the last 24 hours. 

12x JAERO Decoders Running

Tracking Planes with RTL-SDR, Apache Kafka, KSQL, Kibana and a Raspberry Pi

Inspired by a low flying aircraft that kept waking his cat in the morning, Simon Aubury decided to use an RTL-SDR and ADS-B tracking software dump1090 to determine which plane was the culprit. This is all now standard stuff, however, Simon's software implementation and management of the received ADS-B data is quite unique, as he uses Apache Kafka, KSQL and Kibana as his tools for processing and visualizing the ADS-B data.

Apache Kafka is a 'distributed streaming platform', and KSQL enables real time processing of the data from Kafka. Kibana is a data visualization tool. Essentially these technologies are just ways to manage, process and present, in a human readable way, large amounts of real time data coming into a database.

So with some clever database coding Simon was able to create a constantly updating dashboard in Kibana that plots aircraft positional heat maps, displays data such as spotted airlines and destination frequencies in a text cloud, and displays aircraft height data in a line graph. Finally using a database lookup and his gathered data Simon was able to determine that an A380 aircraft flying over his house was waking his cat in the morning.

Using RTL_433 to Decode SimpliSafe Home Security Systems

SimpliSafe is an American DIY home security system company that claims over 2 million customers. Their system relies on 433/315 MHz ISM band wireless radio communications between its various sensors, control panels and remote controls. Back in 2016 we already posted about research from Dr. Andrew Zonenberg and Michael Ossmann who showed that the SimpliSafe wireless communications are unencrypted, and can easily be intercepted, decoded, and spoofed. SimpliSafe responded to those concerns by downplaying them and mentioning that sophisticated hardware was required.

However, Adam of simpleorsecure.net has recently disclosed a security advisory and a blog post discussing how easy it is to decode SimpliSafe wireless communications with an RTL-SDR and the rtl_433 software. He also released slides from a recent talk of his that go over his entire process and findings.

Adam began with some initial manual RF analysis with an RTL-SDR, and then later worked with rtl_433 dev Christian Zuckschwerdt to add PiWM demodulation capability, which is the modulation used by SimpliSafe systems. Now Adam is able to easily decode the serial number, pin codes, and status codes transmitted by SimpliSafe sensors and key pads in real time with just an RTL-SDR.

This is very concerning as not only could a burglar easily learn the alarm disarm pincode, but they could also profile your behavior to find an optimal time to break in. For example if you arm your alarm before bed, and disarm in the morning your sleep schedule is being broadcast. It is also possible to determine if a particular door or window has been left open. With a tuned Yagi antenna Adam was able to receive signals from 200+ feet (60m) in free space, and 115 feet (35m) through walls.

In addition to the lack of encryption, Adam also discovered that the SimpliSafe system was susceptible to jamming attacks, and that the tamper detection system can be easily compromised. Adam has disclosed all concerns and findings to SimpliSafe who are aware of the problems. They assure him that next generation systems will not suffer from these flaws. But unfortunately for current generation owners, the hardware will need to be eventually replaced as there is no over the air update capability. 

An RTL-SDR and SimpliSafe KeyPad

A Lightweight Meteor M2 Demodulator

Over on GitHub dbdexter-dev has released a new lightweight and open source Meteor M2 demodulator. Meteor M2 is a Russian weather satellite that transmits images down in the digital LRPT format. This provides much higher resolution images compared to the NOAA APT signals. With an RTL-SDR, appropriate satellite antenna and decoding software it is possible to receive these images.

This new lightweight demodulator may be especially useful for single board PCs like the Raspberry Pi. Previously on Linux, GNU Radio based demodulators have been used, and GNU Radio isn't exactly a lightweight piece of software. To use the software you first need to record an IQ file of the Meteor M2 LRPT signal, downsample the IQ file to 140 kHz (if required), then pass it into the demodulator. This will spit out an 8-bit soft-QPSK file which can be used with LRPTofflinedecoder (now known as M2_LRPT_Decoder) on Windows or meteor_decoder on Linux to generate an image.

An Example LRPT Image Received with an RTL-SDR from the Meteor-2 M2.

CalicoCAT: New Serial CAT Control Plugin for SDR#

CalicoCAT: CAT Control Plugin for SDR#

Thanks to Stephen 'Tag' Loomis (N0TTL) for submitting news about his new plugin called 'CalicoCAT' which is a serial CAT control plugin for SDR#. The plugin emulates the Kenwood TS-2000 CAT control command set, and is used to allow SDR# to communicate with other software running on the PC via a virtual serial port. To create a virtual serial port you can use free software like com0com.

Stephen notes that the plugin could be used to allow software like WSJT-X to control SDR#. For example you could use it to automatically change bands at certain times.

Video Demonstrating C-Band AERO Aircraft Tracking

AERO is essentially the satellite based version of aircraft ACARS. AERO's L-band signals contain short ground to air messages with things like weather reports and flight plans. The C-band signals are the air to ground portion of AERO and are more difficult to receive as they require an LNB and large dish. However they are much more interesting as they contain flight position data, like ADS-B.

Over on YouTube Tomasz Haddad has uploaded a video of C-band AERO being received from the Inmarsat 3 F2 (Atlantic Ocean Region – East (AOR-E)) 15W satellite. He uses a 1.80m motorized satellite dish with Kaonsat KS-N201G C-band LNB, a Prof 7301 PCI satellite card (to power the LNB) and an RTL-SDR V3. The C-band LNB translates the high C-band frequencies down to L-band which is receivable with an RTL-SDR. He notes that the LNB drifts quite a lot as it is not frequency stabilized.

With the signals received by his setup he's able to use the JAERO decoding software together with Virtual Radar Server to plot aircraft positional data. The plotted aircraft are mostly in the middle of the ocean or in remote areas, which is where C-band AERO is normally used due to the lack of ground ADS-B stations.

Inmarsat 3 F2 15W C Band AERO Reception Using Jaero And Virtual Radar