
Nexmon SDR: Using the WiFi Chip on a Raspberry Pi 3B+ as a TX Capable SDR

Back in March of this year we posted about Nexmon SDR which is code that you can use to turn a Broadcom BCM4339 802.11ac WiFi chip into a TX capable SDR that is capable of transmitting any arbitrary signal from IQ data within the 2.4 GHz and 5 GHz WiFi bands. In commercial devices the BCM4339 was most commonly found in the Nexus 5 smartphone.

Recently Nexmon have tweeted that their code now supports the BCM43455c0 which is the WiFi chip used in the recently released Raspberry Pi 3B+. They write that the previous Raspberry Pi 3B (non-plus) cannot be used with Nexmon as it only has 802.11n, but since the 3B+ has 802.11ac Nexmon is compatible. 

Combined with RPiTX, a Raspberry Pi tool for transmitting arbitrary RF signals from a GPIO pin anywhere between 5 kHz and 1500 MHz, the Raspberry Pi 3B+ may end up becoming a versatile low cost TX SDR on its own.

Automatically Receiving, Decoding and Tweeting NOAA Weather Satellite Images with a Raspberry Pi and RTL-SDR

Over on Reddit we've seen an interesting post by "mrthenarwhal" who describes to us his NOAA weather satellite receiving system that automatically uploads decoded images to a Twitter account. The setup consists of a Raspberry Pi with an RTL-SDR dongle, a QFH antenna tuned for 137 MHz and some scripts.

The software is based on the setup from this excellent tutorial, which creates scripts and a crontab entry that automatically activate whenever a NOAA weather satellite passes overhead. Once running, the script activates the RTL-SDR and the APT decoder, which creates the weather satellite image. He then uses some of his own Twython scripts to automatically post the images to a Twitter account. His Twython scripts, as well as a readme file that shows how to use them, can be found in his Google Drive.

mrthenarwhal AKA @BarronWeather's twitter feed with automatically uploaded NOAA weather satellite images.

Video on using an RTL-SDR + Noise Generator as a Poor Man’s Network Analyzer

Over on YouTube user AE0AI has uploaded a video where he explains how he uses an RTL-SDR and a homemade noise source as a poor man's network analyzer. A network analyzer is a tool that lets you measure the frequency response of RF devices such as filters. Using a noise source together with an RTL-SDR gives much the same functionality as a network analyzer, though of course with less accuracy.

In the video AE0AI shows us his homemade noise generator, which is based on a simple circuit that he found online. He then shows the noise generator connected to the RTL-SDR, which shows that his homemade generator works up to about 40 MHz. Later in the video he tests a homemade 40m filter with the noise source and RTL-SDR, and the filter's response is easily visible. With the response visible he is able to tune the filter by adjusting the inductor windings.

We have a tutorial on the same concepts available here.

Poor Man's network analyzer for measuring filters (noise generator + RTL-SDR)
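To make the measurement itself concrete, here is an added example in Python with numpy (it is not code from AE0AI's video or from our tutorial). White Gaussian noise stands in for the homemade noise generator, a windowed-sinc low-pass filter stands in for the 40m filter under test, and the response is the difference in dB between the averaged spectrum of noise through the filter and the averaged spectrum of the bare noise source. The sample rate, cutoff frequency, FFT size and averaging count are assumptions chosen for the simulation.

```python
import numpy as np

FS = 2.4e6      # constructed sample rate (Hz), a common RTL-SDR setting
N_FFT = 1024    # FFT size per block
N_AVG = 200     # blocks averaged; more averaging flattens the noise floor
rng = np.random.default_rng(1)


def fir_lowpass(cutoff_hz, fs=FS, ntaps=101):
    """Windowed-sinc low-pass FIR, standing in for the filter under test."""
    n = np.arange(ntaps) - (ntaps - 1) / 2
    fc = cutoff_hz / fs
    h = 2 * fc * np.sinc(2 * fc * n) * np.hamming(ntaps)
    return h / h.sum()          # unity gain at DC


def noise_source(n):
    """White complex Gaussian noise: the role of the homemade noise generator."""
    return (rng.standard_normal(n) + 1j * rng.standard_normal(n)) / np.sqrt(2)


def averaged_psd_db(x):
    """Power spectrum in dB, averaged over N_AVG blocks of N_FFT samples.
    A single FFT of noise has several dB of scatter; averaging removes it."""
    blocks = x[: N_FFT * N_AVG].reshape(N_AVG, N_FFT)
    spec = np.fft.fft(blocks * np.hanning(N_FFT), axis=1)
    psd = np.mean(np.abs(spec) ** 2, axis=0)
    return 10 * np.log10(np.fft.fftshift(psd))


def measure_response(dut_taps, fs=FS):
    """Two sweeps, as in the video: noise straight into the SDR (reference) and
    noise through the device under test. Their dB difference is the response.
    Returns (freqs_hz, response_db) on a baseband axis centred on 0 Hz."""
    x = noise_source(N_FFT * N_AVG + len(dut_taps))
    y = np.convolve(x, dut_taps)[len(dut_taps) - 1:]   # steady-state output only
    freqs = np.fft.fftshift(np.fft.fftfreq(N_FFT, d=1 / fs))
    return freqs, averaged_psd_db(y) - averaged_psd_db(x)


def response_at(freqs, resp_db, f_hz):
    """Interpolated response in dB at a given baseband frequency."""
    return float(np.interp(f_hz, freqs, resp_db))


if __name__ == "__main__":
    f, r = measure_response(fir_lowpass(300e3))
    for probe in (0.0, 100e3, 300e3, 600e3, 900e3):
        print(f"{probe/1e3:7.1f} kHz: {response_at(f, r, probe):7.2f} dB")
```

The reference sweep matters: the noise generator's own output is not flat across the band (AE0AI's only reaches about 40 MHz), so subtracting it removes the generator's shape and leaves only the filter's. What limits the depth of stopband you can see is the dongle's 8-bit dynamic range and the flatness of the noise source, not the averaging.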

Information on Time Correlating Signals with RTL-SDRs

In a previous post back in September 2017 Stefan Scholl (DC9ST) treated us to a very interesting write up about how to localize transmitters to within a few meters using time difference of arrival (TDOA) techniques with multiple RTL-SDR dongles spread out over an area.

Stefan has recently added to his post now with some additional information on how to properly correlate signals received between multiple RTL-SDR dongles, which is one of the key parts to TDOA. He writes that he covers the following questions:

- What signal parameters influence the quality of the correlation?
- Which types of correlation calculation are available? (He covers four.)
- Which are suitable with RTL-SDRs, considering noise and phase and frequency offset?

Stefan writes that his findings could be interesting to people interested in the following techniques:

- TDOA localization
- Synchronizing several RTL-SDRs
- Passive Radar

Comparing various bandwidth sizes on correlation quality
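As an added illustration of the correlation step Stefan discusses (this is my own example code, not taken from his write-up), the Python block below constructs two captures of one noise-like transmission as seen by two receivers, one delayed by 37 samples, and estimates that delay with an FFT-based cross-correlation. It then shows why the third of his questions matters: with a residual carrier frequency offset between the two dongles the plain correlation peak collapses into the noise, and a search over offset hypotheses (a cross-ambiguity style approach, my choice here, not necessarily the method Stefan recommends) brings it back. The sample rate, capture length, SNR, delay and offset values are all assumptions.

```python
import numpy as np

FS = 2.0e6          # constructed sample rate of both dongles (Hz)
N = 1 << 14         # samples per capture (about 8 ms at 2 MS/s)
rng = np.random.default_rng(7)


def make_captures(delay_samples, snr_db=0.0, cfo_hz=0.0):
    """Constructed IQ captures of one noise-like transmission seen by two
    receivers. Receiver B sees it delay_samples later than receiver A and,
    optionally, shifted by a residual carrier frequency offset cfo_hz."""
    tx = (rng.standard_normal(N + delay_samples)
          + 1j * rng.standard_normal(N + delay_samples)) / np.sqrt(2)
    a = tx[delay_samples:delay_samples + N]
    b = tx[:N]                                   # b[n] == a[n - delay]
    t = np.arange(N) / FS
    b = b * np.exp(2j * np.pi * cfo_hz * t)      # the two dongles never tune identically
    noise_amp = 10 ** (-snr_db / 20)
    a = a + noise_amp * (rng.standard_normal(N) + 1j * rng.standard_normal(N)) / np.sqrt(2)
    b = b + noise_amp * (rng.standard_normal(N) + 1j * rng.standard_normal(N)) / np.sqrt(2)
    return a, b


def xcorr(a, b):
    """Linear cross-correlation via zero-padded FFTs. Returns (lags, |r|);
    the lag at the peak is the delay of b relative to a, in samples."""
    n = len(a)
    A = np.fft.fft(a, 2 * n)
    B = np.fft.fft(b, 2 * n)
    r = np.fft.ifft(np.conj(A) * B)
    r = np.concatenate((r[-(n - 1):], r[:n]))    # reorder to lags -(n-1) .. n-1
    return np.arange(-(n - 1), n), np.abs(r)


def peak_quality(mag):
    """Peak height relative to the median correlation level: a cheap figure
    of merit for 'is there a usable peak at all'."""
    return float(mag.max() / np.median(mag))


def estimate_delay(a, b):
    """Plain correlation: fine when both dongles are on the same frequency."""
    lags, mag = xcorr(a, b)
    return int(lags[np.argmax(mag)]), peak_quality(mag)


def estimate_delay_caf(a, b, max_cfo_hz=2500.0, step_hz=25.0):
    """Try a grid of frequency-offset hypotheses, derotating b before each
    correlation, and keep the hypothesis that gives the strongest peak.
    Returns (delay_samples, quality, cfo_hz)."""
    t = np.arange(len(b)) / FS
    best = (None, 0.0, 0.0)
    for cfo in np.arange(-max_cfo_hz, max_cfo_hz + step_hz, step_hz):
        delay, q = estimate_delay(a, b * np.exp(-2j * np.pi * cfo * t))
        if q > best[1]:
            best = (delay, q, float(cfo))
    return best


if __name__ == "__main__":
    a, b = make_captures(37, snr_db=0.0)
    print("no offset     :", estimate_delay(a, b))
    a, b = make_captures(37, snr_db=0.0, cfo_hz=2000.0)
    print("2 kHz offset  :", estimate_delay(a, b))
    print("offset search :", estimate_delay_caf(a, b))
```

At 2 MS/s one sample of lag is about 150 m of path-length difference, so the integer-lag estimate is only the coarse starting point; the sub-sample refinement, clock synchronisation and the choice among the four correlation types are what Stefan's write-up covers. The grid step in the offset search is set so that the residual offset rotates the phase by well under a cycle across the capture, which is the condition for the peak not to smear.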

Using QIRX SDR and DAB Signals to Calibrate RTL-SDR Dongles

Over on his site, Clem the author of the QIRX SDR software package has written up a three part series where he explains an ultra-fast and very accurate method for calibrating the frequency offset of RTL-SDR receivers by using DAB signals. If you are unfamiliar with DAB, it stands for 'Digital Audio Broadcast' and is a type of digital radio station available in multiple countries in the world, especially in Europe. However it is not used in the USA. Clem writes:

I wrote a three-part tutorial about an ultra-fast, generally available (where you have DAB reception) and very accurate method to calibrate RTL-SDR receivers. It is called "Tutorial: Calibrate your RTL-SDR in 15 Seconds", http://softsyst.com/QIRXCalibrate?sequenceNo=0. It is using the frequency of a DAB transmitter as the reference signal, and is coming in three parts:

- Part I: Method and Measurement: describes the method (with an example) and compares it to two other, well-known methods.

- Part II: Checks, Frequencies, Sampling Rates: tells how to make plausibility checks on the obtained calibration result, goes into the foundation of different measuring methods, and explains why calibrating a receiver is generally beneficial, not only for DAB purposes (where at least the frequency correction is mandatory).

- Part III: Improving DAB: tells why it is advantageous for DAB reception to correct not only the frequency, but also the sampling rate (which is often omitted).

Part I and Part II of these are already on our website, Part III will come soon.

QIRX Being used to Calibrate an RTL-SDR dongle on DAB signals
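To show what a calibration against a transmitter of known frequency actually computes, here is an added example in Python with numpy (not Clem's code or QIRX's; where Clem uses a DAB ensemble as the reference, it uses a constructed single carrier at a known frequency). It simulates a dongle whose crystal is 50 ppm off, measures where the reference carrier lands in the uncalibrated receiver's spectrum, and recovers the ppm error. Because on RTL-SDR dongles one crystal clocks both the tuner and the ADC, the same ppm figure corrects both the tuning frequency and the sample rate, which is the point of Clem's Part III. The centre frequency, sample rate, SNR and the reference offset are assumptions.

```python
import numpy as np

FS = 2.048e6          # sample rate the receiver believes it uses (Hz); assumption
F_CENTER = 227.36e6   # nominal tuning frequency (DAB block 12C centre); assumption
N = 1 << 16
rng = np.random.default_rng(3)


def simulate_capture(f_ref_hz, ppm_error, snr_db=20.0):
    """Constructed IQ capture: a receiver whose reference crystal is off by
    ppm_error receives a clean carrier at f_ref_hz. One crystal clocks tuner
    and ADC, so the LO and the true sample rate are scaled by the same factor."""
    scale = 1.0 + ppm_error * 1e-6
    lo_hz = F_CENTER * scale
    fs_true = FS * scale
    t = np.arange(N) / fs_true
    carrier = np.exp(2j * np.pi * (f_ref_hz - lo_hz) * t)
    noise = 10 ** (-snr_db / 20) * (rng.standard_normal(N)
                                    + 1j * rng.standard_normal(N)) / np.sqrt(2)
    return carrier + noise


def measured_baseband_hz(iq, fs=FS):
    """Frequency of the strongest spectral peak in the receiver's own
    (uncalibrated) frame, refined by parabolic interpolation between bins."""
    n = len(iq)
    mag = np.abs(np.fft.fftshift(np.fft.fft(iq * np.hanning(n))))
    freqs = np.fft.fftshift(np.fft.fftfreq(n, d=1 / fs))
    k = int(np.argmax(mag))
    frac = 0.0
    if 0 < k < n - 1:
        a, b, c = np.log(mag[k - 1:k + 2])
        frac = 0.5 * (a - c) / (a - 2 * b + c)
    return float(freqs[k] + frac * fs / n)


def estimate_ppm(iq, f_ref_hz, f_center=F_CENTER):
    """Solve f_ref = (f_center + measured) * scale for the crystal error.
    The measured baseband offset is itself stretched by the sample-rate error,
    and this form accounts for that exactly rather than ignoring it."""
    measured = measured_baseband_hz(iq)
    scale = f_ref_hz / (f_center + measured)
    return (scale - 1.0) * 1e6


def corrected_settings(ppm, f_wanted_hz, fs=FS):
    """What to use once the error is known: the frequency to request so that
    the LO really lands on f_wanted_hz, and the true sample rate to tell a
    demodulator (a DAB decoder needs the latter, which is Part III's point)."""
    scale = 1.0 + ppm * 1e-6
    return {"tune_hz": f_wanted_hz / scale, "sample_rate_hz": fs * scale}


if __name__ == "__main__":
    f_ref = F_CENTER + 250e3              # constructed reference carrier
    iq = simulate_capture(f_ref, ppm_error=50.0)
    ppm = estimate_ppm(iq, f_ref)
    print(f"estimated error: {ppm:.3f} ppm")
    print(corrected_settings(ppm, F_CENTER))
```

The ppm figure this returns is the quantity that rtl_fm's -p option and librtlsdr's rtlsdr_set_freq_correction() accept (check their documentation for the sign convention they expect). A single carrier makes the peak search trivial; Clem's plausibility checks in Part II exist precisely because with a real DAB ensemble the measured offset must be sanity-checked against the expected one before trusting it.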

Going Portable with the Airspy HF+, Raspberry Pi and 7-Inch Touch LCD

Over on the swling blog we've seen a post where contributor 'Tudor' demonstrates his Airspy HF+ running nicely on a Raspberry Pi 3, 7-inch touchscreen LCD, and USB power bank. The video shows GQRX running very smoothly on the Pi, and how the setup is able to receive various HF signals. Tudor writes:

I bought the RPi to use it as a Spyserver for my Airspy HF+ SDR.

My main radio listening location is a small house located on a hill outside the city and there is no power grid there (it’s a radio heaven!), so everything has to run on batteries and consume as little power as possible.

My first tests showed that the Raspberry Pi works very well as a Spyserver: the CPU usage stays below 40% and the power consumption is low enough to allow it to run for several hours on a regular USB power bank. If I add a 4G internet connection there I could leave the Spyserver running and connect to it remotely from home.

Then I wondered if the Raspberry Pi would be powerful enough to run a SDR client app. All I needed was a portable screen so I bought the official 7” touchscreen for the RPi.

I installed Gqrx, which offers support for the Airspy HF+. I’m happy to say it works better than I expected, even though Gqrx wasn’t designed to work on such a small screen. The CPU usage is higher than in Spyserver mode (70-80%) but the performance is good. Using a 13000 mAh power bank I get about 3.5 hours of radio listening.

On the swling blog post comments Tudor explains some of his challenges including finding a battery that could supply enough current, finding a low voltage drop micro-USB cable, and reducing the noise emanating from the Raspberry USB bus. Check out the post comments for his full notes. 

Airspy HF+ and Gqrx running on Raspberry Pi

Art from Satellite Transmissions: SatNOGS and Software Defined Radio used in a Sound Art Installation

One of the piezo speakers playing the satellite transmissions.

In the past we've seen software defined radios like the HackRF used to create art installations such as the 'Holypager', an art project that aimed to draw attention to the breach of privacy caused by the pagers used by doctors and staff at hospitals.

Recently another art installation involving a software defined radio was exhibited at Wichita State University. The project by artist Nicholas A. Knouf is called "they transmitted continuously / but our times rarely aligned / and their signals dissipated in the æther" and it aims to collect the sounds of various satellite transmissions and play them back through small piezo speakers in the art gallery. To do this he built a SatNOGS receiver and used a software defined radio to capture the audio. He doesn't mention which SDR was used, but RTL-SDRs are the ones most commonly used with the SatNOGS project. Nicholas describes the project below:

This 20-channel sound installation represents the results of collecting hundreds of transmissions from satellites orbiting the earth. Using custom antennas that I built from scratch, I tracked the orbits and frequencies of satellites using specialized software. This software then allows me to collect the radio frequency signals and translate them into sound.

The open source software and hardware, called SatNOGS and developed by a world-wide group of satellite enthusiasts, enables anyone to build a ground station for tracking satellites and their transmissions, which are then uploaded to a publicly accessible database. Data received by my ground stations can be found here. These transmissions are mostly from weather satellites, CubeSats (small satellites launched by universities world-wide for short-term research), or amateur radio repeaters (satellites designed for ham radio operators to experiment with communication over long distances).

I made the speakers hanging from the grid from a piezoelectric element embedded between two sheets of handmade abaca paper that was then air dried over a form.

The project was also discussed over on the SatNOGS forum.

The SatNOGS art installation

Explaining and Demonstrating Jam and Replay Attacks on Keyless Entry Systems with RTL-SDR, RPiTX and a Yardstick One

Thank you to Christopher for submitting to us an article that he's written for a project of his that demonstrates how vulnerable vehicle keyless entry systems are to jam and replay attacks. In the article he explains what a jam and replay attack is, the different types of keyless entry security protocols, and how an attack can be performed with low cost off the shelf hardware. He explains a jam and replay attack as follows:

The attacker utilises a device with full-duplex RF capabilities (simultaneous transmit and receive) to produce a jamming signal, in order to prevent the car from receiving the valid code from the key fob. This is possible as RKEs are often designed with a receive band that is wider than the bandwidth of the key fob signal (refer Figure 3, right). The device simultaneously intercepts the rolling code by using a tighter receive band, and stores it for later use. When the user presses the key fob again, the device captures the second code, and transmits the first code, so that the user’s required action is performed (lock or unlock) (Kamkar, 2015). This results in the attacker possessing the next valid rolling code, providing them with access to the vehicle. The process can be repeated indefinitely by placing the device in the vicinity of the car. Note that if the user unlocks the car using the mechanical key after the first try, the second code capture is not required, and the first code can be used to unlock the vehicle.

In his demonstration of the attack he uses the RTL-SDR to first find the frequency that the key fob operates on and to analyze the signal and determine some of its properties. He then uses a Raspberry Pi running RPiTX to generate a jamming signal, and the YardStick One to capture and replay the car key fob signal.

Jam and Replay Hardware: Raspberry Pi running RpiTX for the Jamming and a Yardstick One for Capture and Replay.