Category: Applications

Decoding a Garage Door Opener with an RTL-SDR

After listening to dock workers with his RTL-SDR for a few days, RTL-SDR.com reader Eoin decided that he wanted to try a more practical experiment. He decided to see if he could reverse engineer the wireless protocol on his garage door opener. Upon opening his remote he discovered a bunch of DIP switches, which are presumably used to program the remote to a particular garage door. Eoin’s next step was to determine the frequency at which the garage door opener was transmitting. He assumed that it would be in the 433 MHz unlicensed ISM band, as this is where many handheld remotes transmit. He was right, and found the signal.

The garage door remote showing the DIP switches.

His next step was to record the signal audio in Audacity. From the audio waveform he could see a square wave which looked just like binary bits. By manually eyeballing the waveform and translating the high/low square wave into bits he was able to get the binary data. He then checked this data against the DIP switch positions and discovered that a 010 binary code matched the UP position on a DIP switch and 011 matched the DOWN position.

Having decoded the signal manually fairly easily, Eoin decided his next challenge would be to automate the whole decoding in GNU Radio. In the end he was successful and managed to create a program that automatically determines the position of the DIP switches from the signal. His post goes into detail about his algorithm and GNU Radio program.

Showing the decoded DIP switch positions from his GNU Radio program.
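
The manual decode described above, automated as an added example (this is not Eoin's GNU Radio program): it thresholds a sampled on/off envelope, aligns to the start of the frame and maps each 3-bit symbol to a switch position using the 010/011 mapping from the post. The samples-per-bit value, the absence of a preamble, the switch count and the synthetic test signal are all assumptions.

```python
import random

# Symbol mapping reported in the post: each DIP switch is sent as three bits.
SYMBOLS = {"010": "UP", "011": "DOWN"}

def make_envelope(positions, spb, lead_in, seed=1):
    """Constructed test signal: a noisy on/off envelope for the given switches.
    spb = samples per bit, lead_in = silent samples before and after the frame."""
    rng = random.Random(seed)
    code = {name: bits for bits, name in SYMBOLS.items()}
    bits = "".join(code[p] for p in positions)
    levels = [0.1] * lead_in
    levels += [0.8 if b == "1" else 0.1 for b in bits for _ in range(spb)]
    levels += [0.1] * lead_in
    return [lvl + rng.uniform(-0.1, 0.1) for lvl in levels]

def decode_switches(envelope, spb, n_switches):
    """Slice the envelope into bits and map 3-bit symbols to switch positions."""
    threshold = (min(envelope) + max(envelope)) / 2
    hard = [1 if s > threshold else 0 for s in envelope]
    # Both symbols begin with 0, so the first rising edge is the second bit of
    # switch 1; the frame starts one bit period earlier (assumes no preamble).
    start = hard.index(1) - spb
    if start < 0:
        raise ValueError("recording starts mid-frame")
    positions = []
    for sw in range(n_switches):
        symbol = ""
        for bit in range(3):
            lo = start + (sw * 3 + bit) * spb
            window = hard[lo:lo + spb]
            if len(window) < spb:
                raise ValueError("recording ends before the frame does")
            # Majority vote over the bit period tolerates a few noisy samples.
            symbol += "1" if sum(window) * 2 > spb else "0"
        positions.append(SYMBOLS.get(symbol, "?"))  # "?" = unknown symbol
    return positions

if __name__ == "__main__":
    sent = ["UP", "DOWN", "DOWN", "UP", "UP", "DOWN", "UP", "UP"]
    env = make_envelope(sent, spb=20, lead_in=37)
    print(decode_switches(env, spb=20, n_switches=len(sent)))
```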

Updates on using an RTL-SDR for GPS on a High Powered Rocket

Back in April we posted about Philip Hahn and Paul Breed’s experiments to use an RTL-SDR for GPS logging on their high powered small rockets. As GPS is owned by the US military, a standard GPS module cannot be used on a rocket like this, because such modules are designed to fail if the device breaches the COCOM limit, which is when it calculates that it is moving faster than 1,900 km/h (1,200 mph) and/or is higher than 18,000 m (59,000 ft). The idea is that this makes it harder for GPS to be used in non-USA or homemade intercontinental missiles. As SDR GPS decoders are usually programmed in open source software, there is no need for the programmers to add in these artificial limits.

In their last tests they managed to gather lots of GPS data with an RTL-SDR, but were only able to decode a small amount of it with the GNSS-SDR software. In this post Philip discovers a flaw in the way GNSS-SDR performs acquisition and retracking, which makes it difficult to obtain a location solution with noisy high-acceleration data. By using a different GPS implementation coded in MATLAB, he was able to get decoded GPS data from almost the entire ascent up until the parachutes deploy. Once the parachutes deploy the GPS has a tough time keeping a lock as it sways around. His post clearly explains the differences in the way the code is implemented in GNSS-SDR and in the MATLAB solution and shows why the GNSS-SDR implementation may not be suitable for high powered rockets.

In addition, they write that while the flight was just under the artificial COCOM GPS fail limits for speed and height, the commercial GPS solution they also had on board failed to collect data for most of the flight too. With the raw GPS data from the RTL-SDR + some smart processing of it, they were able to decode GPS data where the commercial solution failed.

GPS data acquired from the RTL-SDR on the rocket (blue line shows solution from MATLAB code, yellow shows GNSS-SDR solution, and red shows commercial GPS receiver solution).

LuaRadio: New Flowgraph Based Digital Signal Processing Framework for SDR

LuaRadio is a new Digital Signal Processing (DSP) framework for software defined radios such as the RTL-SDR. It is similar to GNU Radio in that the flowgraph is composed of graphical blocks that can be visually connected to one another in an editor. However, compared to GNU Radio it aims to be very lightweight in terms of disk space used (1 MB footprint) and the number of dependencies required (zero dependencies required unless you need real time highly optimized libraries). It is also written purely in the Lua programming language. The authors of LuaRadio write “LuaRadio is more inclined towards scripting and prototyping than GNU Radio, and emphasizes fast block development.”

On their website there are already several example application flowgraphs uploaded, such as decoders for WBFM Mono/Stereo, NBFM, AX.25, POCSAG, RDS, AM and SSB. Looking at and building such flowgraphs is extremely helpful for learning DSP, and DSP languages like this are excellent for prototyping new signal decoders. In addition, if you are new to SDR they also have a very useful page that explains basic SDR and radio concepts.

A LuaRadio based POCSAG decoder flowgraph.

Building an ESP8266 Based Plane Spotter with an RTL-SDR Feeder

Living near Zurich airport, Daniel Eichorn wanted an easy way to show his house guests what planes are flying near him. Usually he opens up his Flightradar24 app on his phone, but he wanted a more permanent always on display. To do this Daniel has built an ESP8266 based OLED display which automatically displays the ADS-B flight information of aircraft outside his window. The ESP8266 is a very cheap and highly popular WiFi module which can give a microcontroller access to WiFi networks.

Daniel feeds his locally received ADS-B data to adsbexchange.com using a Raspberry Pi and RTL-SDR. While actually feeding ADS-B data with an RTL-SDR is not required to make the ESP8266 module work, this step ensures that he has good local coverage of his area. The ESP8266 module then queries the adsbexchange.com database via WiFi for information about planes in his area and displays the information on the OLED screen.

In previous posts we also showed how the ESP8266 could be used to transmit data like NTSC TV in a similar way to Rpitx.

ESP8266 + OLED screen displaying ADS-B data.

An RTL-SDR to RTL-SDR QSO with RTL-TRX: Transmit RTTY with the RTL-SDR

Back in 2014 oh2ftg discovered that the RTL-SDR could actually be used to transmit data by modulating leakage from its internal local oscillator. Now it seems that tejeez and oh2ftg have released a new program that makes transmitting with the RTL-SDR easy. The program is called rtl-trx. It runs on Linux and allows you to transmit RTTY or a simple beacon with the RTL-SDR. The software is available on GitHub at https://github.com/tejeez/rtl-trx. About how it works, the readme says:

Local oscillator leakage from an RTL-SDR dongle can be used as a very low power FSK transmitter. This program transmits RTTY and also makes it easy to use the same dongle to receive RTTY in between transmissions. The goal is to make it possible to have a two-way QSO between two dongles.

Over on YouTube oh2ftg has also uploaded a video that demonstrates the software in action by doing a 1270 MHz RTTY QSO between two modified RTL-SDR dongles. He uses fldigi to decode the RTTY signal and the signal is sent with the following settings: 425 Carrier shift, 45.45 Baud rate, 5 Bits per character, none Parity, 2 Stop bits. 

This previous post shows the hardware modification that can be done to improve the output power. Again, as with the Raspberry Pi transmitters, the output power is very low and probably won’t cause any trouble, but still please do take care if you intend on actually transmitting anything as the output spectrum is probably not very clean.

RTL2RTL QSO! on 1270MHz

Sniffing ANT-FS with an RTL-SDR and MMDS Downconverter in Pothos

ANT-FS is a wireless file transfer protocol that is designed specifically for transferring files wirelessly between two devices. It is designed for ultra low power devices and typically runs on devices operated by a coin sized battery. It is commonly used in applications like fitness tracker devices, which store data to later be downloaded to a PC.

Over on YouTube user sghctoma has uploaded a video showing a teaser of him receiving and decoding ANT-FS packets with blocks developed for the POTHOS graphical language. As ANT-FS is usually transmitted at 2.4 GHz, he had to use an MMDS downconverter which allowed his RTL-SDR to receive the packets. Sghctoma writes that the video is simply a teaser, and that a live demo with a real device, and the full code + details will be released during his talk at DEFCON titled “Help, I’ve got ANTs!!!”.

ANT-FS sniffing with RTL-SDR, an MMDS downconverter and Pothosware

Building a Quad RTL-SDR Receiver for Radio Astronomy

Amateur radio astronomer Peter W East has recently uploaded a new document to his website. The document details how he built a quad RTL-SDR based receiver for his radio astronomy experiments in interferometry and wide-band pulsar detection (pdf – NOTE: Link Removed. Please see his website for a direct link to the pdf “Quad RTL Receiver for Pulsar Detection”. High traffic from this post and elsewhere has made the document go offline several times). Interferometry is a technique which uses multiple smaller radio dishes spaced some distance apart to essentially get the same resolution as a much larger dish. Pulsars are rapidly rotating neutron stars which emit radio waves, and the strongest ones can be observed by amateur radio telescopes and a receiver like the RTL-SDR.

The Quad receiver has four RTL-SDRs all driven by a single TCXO, mounted inside an aluminum case with fans for air cooling. He also uses a 74HC04 hex inverter to act as a buffer for the 0.5 PPM TCXO that he uses. This ensures that the TCXO signal is strong enough to drive all four RTL-SDRs.

The Quad RTL-SDR with air cooling.

Whilst the clocks are all synced to a single master clock, synchronisation between the RTL-SDRs is still difficult to achieve because of jitter introduced by the operating system. To solve this he introduces a noise source and a switch. By switching the noise source on and off, correlation of the signal data can be achieved in post processing.

Noise Source and Switch Calibration Unit.
How correlation with the pulsed noise source works.

In the document Peter shows in detail how the system is constructed, and how it all works, as well as showing some interferometry results. The system uses custom software that he developed and this is all explained in the document as well.

Using the SUP-2400 Downconverter with an LNA and RTL-SDR to Receive 2.4 GHz Video

Earlier in June YouTube user T3CHNOTURK posted a video demonstrating him receiving signals above the maximum 1.7 GHz range of the RTL-SDR by using a modified SUP-2400 downconverter. Back in April it was discovered by KD0CQ that a $5 DirecTV SUP-2400 circuit could be modified and turned into a downconverter for use with the RTL-SDR.

Now T3CHNOTURK has uploaded a new video showing more demonstrations of the RTL-SDR + SUP-2400 combo in action. This time he adds a PGA-103 based LNA to boost the signal strength, which gives him better effective range. In the video he shows reception of a wireless keyboard once again, and then goes on to show him receiving 2.4 GHz analog PAL video using the RTL-SDR program TVSharp. The picture is not particularly clear, but it is a decent demonstration.

RTLSDR, TVsharp 2.4 Ghz video receiver moded SUP-2400 & pga-103 LNA