Category: Applications

Creating a wireless RTL-SDR server with a small OpenWRT WiFi Router

Over on his blog yo2ldk has been experimenting with creating a wireless RTL-SDR server by using a mini OpenWRT based WiFi router (page in Romanian, use Google Translate for English). The router he uses is the GL iNet 802.11n 150Mbps router, which is a mini WiFi router that only costs $27 USD and is about the same size as an RTL-SDR dongle. It is mainly intended for use with IoT devices, but it runs the Linux based OpenWRT firmware and has enough processing power and WiFi bandwidth to run an rtl_tcp server streaming at 2MSPS with no lag.

With an RTL-SDR connected and the router running rtl_tcp, the router can be placed anywhere there is power (yo2ldk uses a portable battery pack) to create a remote radio receiver with absolutely no coax cable losses. Its WiFi range could be extended over long distances by using a directional Yagi antenna.

Using routers instead of mini computers like the recently released Raspberry Pi 3 may be a good option because they are very small, usually much cheaper, may be more power efficient, and may work better at transmitting the large amounts of data rtl_tcp requires.

In the future yo2ldk hopes to install everything into a shielded metal case, add an upconverter and also a solar panel for remote power.

YO2LDK's remote RTL-SDR set up.

We note that if you have an old Android phone, then this could also potentially be used as a remote RTL-SDR server. To create an Android RTL-SDR server simply download the Martin Marinov Android RTL2832U Driver from the Google Play store. Find the IP address of your Android phone by going to Settings -> About Device -> Status -> IP Address. Then open the RTL2832U driver app and click on “Enable advanced mode (for debug & stream to PC)”. Initially the rtl_tcp string will contain “-a 0.0.0.0”; simply change this to the IP address of your Android phone, for example “-a 192.168.1.15”, and then click Start stream. Now on a remote PC connected to the same network open SDR#, go to RTL-SDR (TCP), type in the IP address of the phone and use port number 14423. Click the play button and you should now be streaming your RTL-SDR data over WiFi.
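The rtl_tcp stream used by both the router and the Android setup above is a plain, unauthenticated TCP protocol: whoever can reach the port can retune the dongle and read the I/Q data, so the address given to "-a" and the network the device sits on decide who has that access. The Python helpers below are an added example (not code from the page, from librtlsdr or from the Android driver). They parse the 12-byte greeting the server sends on connect, build the tune commands a client sends back, and unpack the raw 8-bit I/Q samples. The address 192.168.1.15 and port 14423 are the page's own values; the constructed greeting bytes, the R820T tuner type and the gain count are assumptions.

```python
"""rtl_tcp protocol helpers (added example; not code from the page or librtlsdr).

rtl_tcp speaks a small binary protocol over one TCP connection:
  * on connect the server sends a 12-byte greeting: the 4-byte magic b"RTL0",
    a big-endian uint32 tuner type and a big-endian uint32 tuner gain count;
  * the client sends 5-byte commands: one opcode byte followed by a big-endian
    uint32 parameter (0x01 = set centre frequency in Hz, 0x02 = set sample rate);
  * after that the server streams raw interleaved unsigned 8-bit I/Q samples.
Nothing in the exchange authenticates either side.
"""
import socket
import struct

TUNER_NAMES = {0: "UNKNOWN", 1: "E4000", 2: "FC0012", 3: "FC0013",
               4: "FC2580", 5: "R820T", 6: "R828D"}
CMD_SET_FREQ = 0x01
CMD_SET_SAMPLE_RATE = 0x02
CMD_SET_GAIN_MODE = 0x03        # 0 = tuner AGC, 1 = manual gain
ANDROID_DRIVER_PORT = 14423     # port the page gives for the Android driver
RTL_TCP_DEFAULT_PORT = 1234     # default for the command-line rtl_tcp


def parse_header(data: bytes) -> dict:
    """Validate and unpack the 12-byte greeting; reject anything that is not rtl_tcp."""
    if len(data) < 12:
        raise ValueError("short rtl_tcp header: %d bytes" % len(data))
    magic, tuner_type, gain_count = struct.unpack("!4sII", data[:12])
    if magic != b"RTL0":
        raise ValueError("not an rtl_tcp server (magic %r)" % magic)
    return {"tuner": TUNER_NAMES.get(tuner_type, "UNKNOWN"),
            "tuner_type": tuner_type, "gain_count": gain_count}


def build_command(cmd: int, param: int) -> bytes:
    """Encode one client command: opcode byte + big-endian uint32 parameter."""
    return struct.pack("!BI", cmd, param & 0xFFFFFFFF)


def iq_to_complex(samples: bytes) -> list:
    """Convert interleaved unsigned 8-bit I/Q bytes to complex values in [-1, 1]."""
    return [complex((samples[i] - 127.5) / 127.5, (samples[i + 1] - 127.5) / 127.5)
            for i in range(0, len(samples) - 1, 2)]


def recv_exact(sock, n: int) -> bytes:
    """Read exactly n bytes; TCP may deliver the greeting and samples in pieces."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("rtl_tcp server closed the connection")
        buf += chunk
    return buf


def grab_samples(host: str, port: int, freq_hz: int, rate: int, count: int) -> tuple:
    """Connect, check the greeting, tune, and return (header, list of complex samples)."""
    with socket.create_connection((host, port), timeout=5) as sock:
        header = parse_header(recv_exact(sock, 12))
        sock.sendall(build_command(CMD_SET_SAMPLE_RATE, rate))
        sock.sendall(build_command(CMD_SET_FREQ, freq_hz))
        raw = recv_exact(sock, 2 * count)       # two bytes (I, Q) per sample
    return header, iq_to_complex(raw)


if __name__ == "__main__":
    # Stand-alone demo on constructed bytes. Against the page's Android setup the
    # real exchange would be:
    #   grab_samples("192.168.1.15", ANDROID_DRIVER_PORT, 100_000_000, 2_000_000, 4096)
    greeting = b"RTL0" + struct.pack("!II", 5, 29)  # constructed: R820T, 29 gain steps
    print(parse_header(greeting))
    print(build_command(CMD_SET_FREQ, 100_000_000).hex())
    print(iq_to_complex(bytes([255, 0, 127, 128])))
```

Because the greeting carries a fixed magic, `parse_header` is also a cheap way for a monitoring script to confirm that what is listening on 14423 really is the dongle driver and not something else that has taken over the port.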

Hacking Alarm Systems with an RTL-SDR and RFcat

Back in 2014 the author of boredhackerblog.blogspot.com did a final year project for his wireless security class on hacking home alarm systems. His presentation was titled “How we broke into your house”. In his research the author used both an RTL-SDR and a simple RFcat wireless transmitter and performed a simple replay attack on a cheap $50 alarm system. His process for reverse engineering the alarm was essentially:

  1. Look up the device frequency and listen to it with an RTL-SDR and SDR#.
  2. Record the signal and visually study the waveform in Audacity.
  3. Look up system part info and determine the encoding type (e.g. ASK/OOK).
  4. Determine the bit string and baud rate.
  5. Program the RFcat to send the same disarm binary string.

Once again research like this shows that cheap home alarm systems have literally zero protections against wireless attacks. In a previous post we also showed how the popular Simplisafe wireless alarm system could be disarmed in a somewhat similar way.

$50 home alarm system broken by an RTL-SDR and RFcat.

FlightBox: Commercial RTL-SDR Based ADS-B (1090ES & 978UAT) Receiver for Pilots

For some time now, small aircraft pilots who don’t have access to expensive ~$1000+ ADS-B gear have been successfully using an RTL-SDR and Raspberry Pi combination to receive ADS-B and UAT to display aircraft and weather data on an iPad. The first time we posted about this was back in August 2015.

The full implementation uses two RTL-SDR dongles to receive both 1090ES aircraft position information and 978 UAT weather radar information. Both dongles are used on a Raspberry Pi mini computer that runs a program called Stratux. Stratux takes the ADS-B information received by the RTL-SDRs and re-transmits the data out via WiFi. Then an iPad running special pilot navigation aid software such as ForeFlight can interface with the WiFi signal and receive the ADS-B and weather information.

Assembly of a Stratux box requires the purchase of each individual component or a Raspberry Pi kit that includes the Stratux software image on an SD card, RTL-SDR and WiFi adapter. However, setting up a Stratux box may be a little difficult for pilots who do not have any electronics DIY skills.

To solve this, a new product called FlightBox recently ran a successful Kickstarter campaign. FlightBox provides a ruggedized plastic case, a Raspberry Pi 2 preloaded with software, two nano RTL-SDR dongles, two pigtail adapters, a 10Hz WAAS GPS module, and two customized ADS-B whip antennas (one for 978 MHz and one for 1090 MHz).

The FlightBox costs $200 for single band operation and $250 for dual band (1090ES and 978UAT). They are currently accepting pre-orders for delivery in late March/April.

For more information about Stratux see the active discussion forum at reddit.com/r/stratux.

The FlightBox: An RTL-SDR based ADS-B 1090ES and 978UAT receiver for Pilots.
Components used in the FlightBox, including two RTL-SDR dongles.

YouTube video showing Inmarsat C-Band AERO Reception

Last week we posted how programmer Jonti had successfully implemented a C-Band AERO decoder into his JAERO software. C-band AERO signals are the earth downlink portion of AERO. Planes transmit data upwards towards the satellites and then the Inmarsat C-band transmitter re-transmits the information back to a basestation on earth. This is different to the L-band AERO signals which are signals transmitted from the satellites to the aircraft. C-band signals are interesting because they contain plane position info, and so can be used to track aircraft much like what is done with ADS-B reception, but over a much larger area. However, C-Band signals are much more difficult to receive as they are at 3.616 GHz and require a 1.8m or larger satellite dish.

Over on YouTube user AceBlaggard has uploaded a video showing an example of C-Band signals being received with an Airspy SDR and being decoded with the new version of JAERO. About the hardware used AceBlaggard writes:

Hardware is a 1.8M PF dish and Titanium Satellite C1 PLL LNB feeding a Prof-Tuner 7301 sat card which loops out to an Airspy SDR.

Inmarsat C Band aero feed.

Creating an RF Proximity Alarm (Close Call) with an RTL-SDR

“Close Call” is a feature that some radio scanners have which notifies the user when there is a radio transmitter that is in the near vicinity (such as from a police radio). It works by detecting the strength of signals from near field emissions, and it requires a strong RF signal to trigger.

Over on the ar15.com forums, user seek2 wanted something similar to the “close call” feature, but didn’t want certain transmissions like APRS signals from hams driving by to set it off. He also didn’t want to be restricted to near field emissions, rather he wanted something that acted more like a squelch that would activate for strong signals only.

To implement this seek2 used an RTL-SDR dongle together with the rtl_power spectrum scanning software. He outputs the signal strength data generated by rtl_power to a CSV file, which is then piped into a tail -f terminal command in Linux that simply outputs the latest lines of the CSV file as it updates in real time. Then he uses a simple Python script to monitor the output and to set off an alarm and report strong signals when it sees them. His script is also used to filter out reports from strong unwanted signals like APRS.
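A minimal version of that pipeline, as an added example (not seek2's script): it reads rtl_power's CSV rows from standard input, flags any frequency bin at or above a signal-strength threshold, and drops hits that fall inside an ignore list, which is how the APRS filtering can be done. The -20 dB threshold and the ignore range around 144.390 MHz (the North American APRS channel) are assumptions, and the sample row is constructed.

```python
"""Close Call-style monitor over rtl_power output (added example; not seek2's script).

rtl_power writes one CSV row per sweep slice:
  date, time, Hz low, Hz high, Hz step, samples, dB, dB, dB, ...
Each dB value is one frequency bin of width "Hz step" starting at "Hz low".
"""
import sys

THRESHOLD_DB = -20.0  # assumed squelch-like level; tune for your antenna and gain
# Constructed ignore list (assumption): the North American APRS channel at 144.390 MHz.
IGNORE_RANGES_HZ = [(144_380_000, 144_400_000)]

# Constructed sample row covering 144.30-144.50 MHz in ten 20 kHz bins.
SAMPLE_ROW = ("2016-03-01, 12:00:00, 144300000, 144500000, 20000, 20, "
              "-35.0, -35.0, -35.0, -35.0, -5.0, -35.0, -35.0, -10.0, -35.0, -35.0")


def parse_rtl_power_line(line: str) -> list:
    """Return [(bin centre Hz, dB), ...] for one rtl_power CSV row; [] if malformed."""
    fields = [f.strip() for f in line.split(",")]
    if len(fields) < 7:
        return []
    try:
        low, step = float(fields[2]), float(fields[4])
    except ValueError:
        return []
    bins = []
    for i, value in enumerate(fields[6:]):
        try:
            db = float(value)
        except ValueError:
            continue          # skip anything that is not a number
        if db != db:          # rtl_power prints "nan" for bins it could not measure
            continue
        bins.append((low + step * (i + 0.5), db))
    return bins


def is_ignored(freq_hz: float, ranges=IGNORE_RANGES_HZ) -> bool:
    """True if the bin centre lies inside one of the ignore ranges."""
    return any(lo <= freq_hz <= hi for lo, hi in ranges)


def strong_signals(line: str, threshold_db=THRESHOLD_DB, ranges=IGNORE_RANGES_HZ) -> list:
    """Bins at or above the threshold that are not on the ignore list."""
    return [(f, db) for f, db in parse_rtl_power_line(line)
            if db >= threshold_db and not is_ignored(f, ranges)]


def monitor(rows, threshold_db=THRESHOLD_DB, ranges=IGNORE_RANGES_HZ):
    """Generator over a row source such as sys.stdin fed by 'tail -f'."""
    for line in rows:
        for freq, db in strong_signals(line, threshold_db, ranges):
            yield freq, db


if __name__ == "__main__":
    # With a pipe on stdin, follow it; run interactively, show the constructed row.
    source = sys.stdin if not sys.stdin.isatty() else [SAMPLE_ROW]
    for freq, db in monitor(source):
        print("ALERT: %.3f MHz at %.1f dB\a" % (freq / 1e6, db))
```

To run it live, start `rtl_power -f 144M:148M:10k -i 1 scan.csv` in one terminal and `tail -f scan.csv | python3 closecall.py` in another; the `\a` in the print statement rings the terminal bell, which is the simplest alarm.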

Below is a video showing an example of Close Call working on a Uniden hardware radio scanner for reference.

Uniden CloseCall© What is it? How does it work? How well does it perform?

Using AIS Share, OpenCPN and an RTL-SDR on a Sailboat

AIS Share is an app for Android that allows you to turn an Android device into an AIS receiver by using an RTL-SDR. AIS stands for Automatic Identification System and is used by ships to broadcast their GPS locations, to help avoid collisions and aid with rescues. An RTL-SDR with the right software can be used to receive and decode these signals, and plot ship positions on a map.

AIS Share is a dual channel decoder that outputs decoded NMEA messages via UDP, so that plotting software like OpenCPN can be used to display the ships on a map. AIS Share had been around before in another form known as rtl_ais_android which we posted before, but this version of AIS Share is a newly updated and improved version that now includes a very nice GUI. The app costs about $2 and is available on the Google Play store, but there is a demo available that will work up until 1000 messages are received. You will need an RTL-SDR and a USB OTG cable to run the app.
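What a plotter such as OpenCPN does with those UDP packets starts with checking the NMEA checksum and unpacking the 6-bit payload. The Python below is an added example (not AIS Share's or OpenCPN's code) that validates an !AIVDM sentence and decodes the message type, MMSI and, for position reports, the navigation status, speed and position. `listen_udp` is a hypothetical receiver whose port 10110 is an assumption (it is the IANA-registered NMEA 0183 port; the page does not say which port AIS Share uses). The sample sentence is the public example sentence reproduced in the gpsd AIVDM documentation, not captured traffic. One caveat worth keeping in mind: the checksum only catches corruption on the wire, because AIS itself carries no authentication, so a valid sentence says nothing about whether the reported ship is real.

```python
"""AIVDM checksum check and position-report decoder (added example; not AIS
Share's or OpenCPN's code).

Sentence layout:  !AIVDM,<fragments>,<fragment no>,<msg id>,<channel>,<payload>,<fill>*<hh>
The two hex digits after '*' are the XOR of every character between '!' and '*'.
The payload is AIS 6-bit ASCII: chars '0'-'W' map to 0-39, '`'-'w' to 40-63.
"""
import socket


def nmea_checksum(body: str) -> int:
    """XOR of all characters between the leading '!' (or '$') and the '*'."""
    cs = 0
    for ch in body:
        cs ^= ord(ch)
    return cs


def verify_sentence(sentence: str) -> bool:
    """True if the sentence is well-formed and its checksum matches."""
    sentence = sentence.strip()
    if not sentence.startswith(("!", "$")) or "*" not in sentence:
        return False
    body, _, given = sentence[1:].partition("*")
    try:
        return nmea_checksum(body) == int(given[:2], 16)
    except ValueError:
        return False


def payload_to_bits(payload: str) -> str:
    """Expand 6-bit ASCII into a string of '0'/'1' characters."""
    bits = []
    for ch in payload:
        if ch < "0" or ch > "w" or "W" < ch < "`":
            raise ValueError("invalid 6-bit character %r" % ch)
        v = ord(ch) - 48
        if v > 40:
            v -= 8
        bits.append(format(v, "06b"))
    return "".join(bits)


def _uint(bits: str, start: int, length: int) -> int:
    return int(bits[start:start + length], 2)


def _sint(bits: str, start: int, length: int) -> int:
    v = _uint(bits, start, length)
    return v - (1 << length) if v & (1 << (length - 1)) else v


def decode_aivdm(sentence: str) -> dict:
    """Decode a single-fragment AIVDM/AIVDO sentence; full fields for types 1-3."""
    if not verify_sentence(sentence):
        raise ValueError("bad NMEA checksum or malformed sentence")
    fields = sentence.strip()[1:].split("*")[0].split(",")
    if fields[0] not in ("AIVDM", "AIVDO") or fields[1] != "1":
        raise ValueError("only single-fragment AIVDM/AIVDO sentences handled here")
    bits = payload_to_bits(fields[5])
    msg = {"type": _uint(bits, 0, 6), "repeat": _uint(bits, 6, 2),
           "mmsi": _uint(bits, 8, 30), "channel": fields[4]}
    if msg["type"] in (1, 2, 3) and len(bits) >= 168:   # Class A position report
        msg.update({
            "nav_status": _uint(bits, 38, 4),
            "sog_knots": _uint(bits, 50, 10) / 10.0,
            "lon": _sint(bits, 61, 28) / 600000.0,      # degrees, east positive
            "lat": _sint(bits, 89, 27) / 600000.0,      # degrees, north positive
            "cog_deg": _uint(bits, 116, 12) / 10.0,
            "heading_deg": _uint(bits, 128, 9),
        })
    return msg


# Public sample sentence from the gpsd AIVDM documentation, not captured traffic.
SAMPLE = "!AIVDM,1,1,,B,177KQJ5000G?tO`K>RA1wUbN0TKH,0*5C"


def listen_udp(port: int = 10110):
    """Hypothetical receiver for a UDP NMEA feed such as AIS Share's; runs until killed."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind(("0.0.0.0", port))
        while True:
            data, _ = sock.recvfrom(4096)
            for line in data.decode("ascii", "replace").splitlines():
                if verify_sentence(line):        # silently drop corrupted lines
                    print(decode_aivdm(line))


if __name__ == "__main__":
    print(decode_aivdm(SAMPLE))
```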

Recently the author of the app received word from a user called Harmen who has successfully been using his AIS Share app on his sailboat. Harmen uses the app on an Android tablet which is enclosed in a waterproof box. For an antenna he uses a coax collinear.

In the future the author writes that he’d like to update the app to support things like the ability to change more dongle settings like bandwidth/sample rate and add the possibility of using the internal phone/tablet GPS. He is also open to any community suggestions.

AIS Share Receiver on the sailboat in a waterproof case.
The back of the Android Tablet, showing the RTL-SDR and the antenna connection.
The AIS Share main screen GUI.

https://www.youtube.com/watch?v=ApGk8P82THs (Unfortunately the video has been removed)

Broadcasting Analogue NTSC TV with a $7 ESP8266

The ESP8266 is a $7 WiFi module that can be used to give any microcontroller access to a WiFi network. It is designed for creating Internet of Things (IoT) devices and has various features such as the ability to host its own web applications. The ESP8266 also has an I2S output with DMA support. By hooking up this I2S output pin to a short wire, YouTuber CNLohr has demonstrated that he is able to use the ESP to broadcast full color NTSC TV. This works in a similar way to how PiTX works, by using the pin to modulate a radio signal. CNLohr's code not only broadcasts color NTSC, but also provides a full web interface for controlling it.

In the first video CNLohr shows off his initial work at getting the NTSC output working and in the second video he shows color working. Later in the second video he also uses an RTL-SDR to check on the NTSC spectrum that is being output.

Broadcasting Analog TV on an ESP8266!

Broadcasting COLOR Channel 3 on an ESP

Bypassing Rolling Code Systems – CodeGrabbing/RollJam

A while back we posted about Samy Kamkar's popular “RollJam” device, which was a $32 home made device that was able to defeat rolling code based wireless security systems such as those used on modern cars.

Wireless security researcher Andrew Macpherson became interested in RollJam and has now written up a post showing how to create a similar device using the YardStickOne and RFcat wireless tools. In his post Andrew shows how he automates the replay attack side of things using a Python script and two RFcat devices. He also fully explains how rolling codes work and how to attack them using the CodeGrabbing/RollJam technique. Andrew explains the RollJam technique as follows:

  1. Target parks their car, gets out the car
  2. Attacker launches a jammer that prevents the car from receiving the code from the remote
  3. Target presses the remote, car does NOT lock and the attacker obtains the first keypress
  4. Target presses the remote a second time and the attacker obtains the second keypress
  5. Attacker then sends the first key press to lock the car, car locks as per normal
  6. Target assumes all is well and carries on about their day
  7. Attacker then sends the second keypress to the car, unlocking it
  8. Profit.
  9. Target returns to the vehicle and remote works as per normal
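To see why the $50 alarm earlier on this page falls to a straight replay while a rolling-code remote does not, and why the sequence above still succeeds against a rolling code, here is a small receiver-side model written for this page as an added example. It is not Andrew Macpherson's or Samy Kamkar's code and not any real remote's algorithm: the HMAC-SHA256 tag, the 16-code acceptance window and the constructed key are assumptions standing in for whatever a real system uses. It models only the receiver's decision, nothing about radio.

```python
"""Receiver-side model of fixed-code vs rolling-code acceptance (added example).

A fixed-code receiver compares the received bits to one stored code, so any
recording is as good as the remote. A rolling-code receiver needs a valid tag
(derived from a shared secret) AND a counter that is ahead of the last one it
accepted, but not further ahead than a resynchronisation window. HMAC-SHA256
stands in for the real keyed function; the window size and key are constructed.
"""
import hashlib
import hmac

WINDOW = 16  # assumed: how far ahead of the last accepted counter a frame may be


class FixedCodeReceiver:
    """What a cheap fixed-code alarm does: match the received bits to one stored code."""
    def __init__(self, code: bytes):
        self.code = code

    def accept(self, frame: bytes) -> bool:
        return hmac.compare_digest(frame, self.code)


def _tag(key: bytes, counter: int) -> bytes:
    """Keyed tag over the counter; truncated to 4 bytes for a short frame."""
    return hmac.new(key, counter.to_bytes(4, "big"), hashlib.sha256).digest()[:4]


class RollingCodeRemote:
    def __init__(self, key: bytes):
        self.key, self.counter = key, 0

    def press(self) -> tuple:
        """Every press advances the counter, whether or not the car hears the frame."""
        self.counter += 1
        return (self.counter, _tag(self.key, self.counter))


class RollingCodeReceiver:
    def __init__(self, key: bytes):
        self.key, self.last = key, 0

    def accept(self, frame: tuple) -> bool:
        counter, tag = frame
        if not hmac.compare_digest(tag, _tag(self.key, counter)):
            return False                     # forged or corrupted frame
        if not self.last < counter <= self.last + WINDOW:
            return False                     # replay (counter <= last) or desynchronised
        self.last = counter
        return True


def demo() -> dict:
    """Walk through the situations the page describes and return each outcome."""
    out = {}
    # 1. Fixed code: the recorded frame is the credential, so a replay is accepted.
    alarm = FixedCodeReceiver(b"\xa5\x5a\x0f")                  # constructed code
    out["fixed_code_replay_accepted"] = alarm.accept(b"\xa5\x5a\x0f")

    # 2. Rolling code: a frame the receiver has already consumed is rejected.
    key = b"constructed-shared-key"
    remote, car = RollingCodeRemote(key), RollingCodeReceiver(key)
    f1 = remote.press()
    out["first_frame_accepted"] = car.accept(f1)                # True
    out["rolling_code_replay_accepted"] = car.accept(f1)        # False: not > last

    # 3. The property the sequence above relies on: a frame the car never heard
    #    stays acceptable until a frame with a higher counter has been accepted.
    f2 = remote.press()   # the car does not receive this frame
    f3 = remote.press()   # nor this one
    out["unheard_frame_still_valid"] = car.accept(f2)           # True
    out["next_unheard_frame_still_valid"] = car.accept(f3)      # True
    out["old_frame_after_newer_accepted"] = car.accept(f2)      # False: behind last
    out["forged_tag_accepted"] = car.accept((f3[0] + 1, b"\0\0\0\0"))  # False
    return out


if __name__ == "__main__":
    for name, result in demo().items():
        print("%-34s %s" % (name, result))
```

The model makes the defensive point concrete: the counter window stops replay of a frame the receiver has already seen, but it cannot distinguish a fresh press from a frame that was withheld, which is why the countermeasures discussed for this class of attack involve time limits or two-way challenge-response rather than a larger or smaller window.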

In the video below Andrew uses an SDR to help demonstrate the RollJam attack.

6. jam and replay rolling code rolljam codegrabbing

Showing how the RollJam attack works.