Recently a reader of our blog, Initrd, wrote in to let us know about a new tutorial he created that shows how to set up a dual NOAA APT and Meteor LRPT weather satellite monitoring station with an RTL-SDR dongle. These weather satellites transmit a live image of the portion of the earth that they are currently over, providing a valuable tool for weather analysis. APT transmissions are analogue and are transmitted by the American NOAA satellites, and the newer Meteor M2 satellite transmits a higher resolution image in the LRPT format. We also have posted separate tutorials that show how to set up NOAA APT and Meteor M2 LRPT decoding with an RTL-SDR, but Initrd’s tutorial appears to be a good all in one guide.
His tutorial takes you step by step through a process that involves setting up the satellite tracking software Orbitron, all the required SDR# plugins, the APT decoder WXtoIMG and the LRPT decoder. The tutorial also shows how to connect them all together and set them up so that APT and LRPT decoding can coexist.
QSpectrumAnalyzer is a Linux GUI for rtl_power which allows you to easily do wideband scans that are much wider than the RTL-SDR’s maximum bandwidth. RTL_power works by quickly switching between different frequencies and recording power values in each hop, then stitching them all together. A GUI for rtl_power can be used to display an FFT spectrum and waterfall for easy analysis.
Recently we posted about the release of rtl_power_fftw, which was a modified version of rtl_power. This modified version used a more efficient FFT library and reduces the acquisition time, which for rtl_power was capped at 1 second per scan. Essentially this means that rtl_power_fftw can do frequency scans much faster (though with less integration). In basic terms this means that you can now visualize large spectrum sweeps whilst having the waterfall look near real time.
Now QSpectrumAnalyzer has been updated to support rtl_power_fftw. To use rtl_power_fftw you’ll need to download and compile it yourself from https://github.com/AD-Vega/rtl-power-fftw. The compilation instructions are shown on the Github page, but you’ll also need to install the pkg-config, libtclap-dev and libfftw3-dev libraries first. Then once compiled in QSpectrumAnalyzer you can select the rtl_power_fftw binary in the settings.
Back in August of this year we showed how it was possible to use an RTL-SDR dongle, satellite antenna, LNA and decoding software to receive and decode STD-C EGC signals from Inmarsat satellites. We also showed how it was possible to modify a low cost GPS antenna to use as a satellite antenna.
Now a radio hobbyist called Jonti has released a Windows decoder for the Inmarsat AERO set of signals. AERO is a system that provides a satellite based version of VHF ACARS (Aircraft Communications Addressing and Reporting System). ACARS is typically used by ground control and pilots to send short messages and is also sometimes used for telemetry.
Jonti writes:
JAERO is a program that demodulates and decodes Classic Aero ACARS (Aircraft Communications Addressing and Reporting System) messages sent from satellites to Aeroplanes (SatCom ACARS) commonly used when Aeroplanes are beyond VHF range. Demodulation is performed using the soundcard. Such signals are typically around 1.5Ghz and can be received with a simple low gain antenna that can be home brewed in a few hours in conjunction with a cheap RTL-SDR dongle.
In the advent of MH370, Classic Aero has become a well-known name. A quick search on the net using “Classic Aero MH370” will produce thousands of results. The Classic Aero signals sent from satellites to the Aeroplanes are what JAERO demodulates and decodes.
Unlike the usual VHF ACARS, with SatCom ACARS you can not receive signals from the Aeroplane only the people on the ground talking to the people in the Aeroplane. This means you do not get the airplanes reporting their position. Instead you tend to get weather reports, flight plans, and that sort of stuff. Just like VHF ACARS they usually use cryptic shorthand notation. For example “METAR YSSY 040400Z 08012KT 9999 FEW040 SCT048 23/09 Q1024 FM0500 05012KT CAVOK=” is the weather report for Sydney Airport in Australia in a format called METAR. It tells you the time, when the report was issued, the wind direction and speed, visibility, clouds, temperature, due point and air pressure. Then it says from 5 AM UTC the wind direction and speed and that the weather will be nice. There are sites such as Flight Utilities that can decode such information and display it in a more understandable format.
In his post Jonti also shows how he uses a modified GPS antenna to receive the AERO signals.
Jonti’s modified GPS antenna for receiving Inmarsat AERO
We gave JAERO a test and found that it decoded AERO signals easily, even with low signal strength. To use JAERO tune to an Inmarsat AERO signal in SDR# or a similar program using USB mode. JAERO will listen to the audio from the sound card or from a virtual audio pipe. We recommend setting the AFC (Automatic Frequency Control) setting on on if you find that your RTL-SDR drifts too much.
AERO signals can be found at around 1545 MHz. They only use about 800 Hz in bandwidth. See UHF satcoms page for a list of AERO frequencies.
The JAERO decoder.Some AERO signals.
Remember that some R820T/2 RTL-SDR dongles can have problems when receiving this high, especially when they heat up. If you find that your dongle gets deaf at these L-band frequencies try cooling the R820T/2 chip with a heatsink or fan. The Airspy or SDRplay RSP software defined radios are better choices for decoding signals this high, but the RTL-SDR will work fine if your signal strength is decent and the R820T/2 chip is kept cool.
If you are interested in VHF ACARS as well, then we have a tutorial about decoding that here.
As the RTL-SDR’s maximum usable bandwidth is about 2.8 MHz, programs like rtl_power were written to scan over wider bandwidths by quickly hopping between different swaths of the frequency spectrum and then stitching the data together.
Now a new improved version of rtl_power called rtl_power_fftw has recently been developed and released. This version is designed for radio astronomy use, but also overcomes several issues general users may encounter with rtl_power. One of the authors, Klemen wrote in to us with this information:
I would like to tell you about a program we have been developing at Astronomical Society Vega – Ljubljana, namely one for measuring power spectrum with rtl dongles.
It addresses several shortcomings of the rtl_power program shipped with librtlsdr. The most notable is that it uses a much faster FFT algorithm (from the fftw3 library) and separate threads for acquiring data and FFT processing. This means that even the lowly raspberry pi is capable of processing spectra of sizes up to ~1024 bins in real-time (no slower than data acquisition). This enables the user to sample spectrum continuously and more efficiently.
The other benefit is the output format: data is presented in a gnuplot-friendly way, so plotting is simple, and no data is mangled to make an illusion that spectral hopping is not needed: FFT of each frequency hop is output separately, and user can make and informed decision on how to process data – the program stays out of this, to preserve the accuracy of the gathered data.
The program was developed for use in radio astronomy where all these things matter. Code is available on Github:
Over on YouTube the popular security and hacking themed channel Hak5 have created two videos together with Mike Ossmann (creator of the HackRF and Yardstick One) that give a good introduction and overview on reverse engineering unknown radio protocols. In the video they show how to use a SDR like the RTL-SDR or HackRF to initially capture the radio signal, and then how to use the Yardstick One to reverse engineer and recreate the signal. Using this process they reverse engineer the radio protocol for a wireless liquor cabinet lock.
The Yardstick One is a computer controlled wireless transceiver (but it is not an SDR). The Yardstick One understands many radio protocols by default and can be programmed in Python, lowering the learning barrier for reverse engineering signals.
Mike Ossmann has also been slowly releasing very detailed video tutorials about DSP and radio related topics. If you are interested in reverse engineering radio signals it is a very helpful series to watch.
Radio Hacking: Reverse Engineering Protocols Part 1 - Hak5 1913
Radio Hacking: Reverse Engineering Protocols Part 2 - Hak5 1914
Docker is a Linux based platform which allows you to build and deploy complex applications into a self contained “container” package that contains all the needed applications and dependencies. The container is completely preconfigured to just work as soon as you install the application without the need for any extra configuration.
The performance of WiFi networks can depend heavily on how crowded the WiFi channels are in your area. For example when your neighbours start streaming a movie over their own separate WiFi network, it can cause your own WiFi connection to slow down. This happens because generally separate WiFi networks do not collaborate with one another, and when two packets are sent on the same channel at the same time, they collide causing no packets to get through.
There are several methods that attempt to stop collisions, but none are very efficient because WiFi nodes are not synchronized to one another. If each WiFi node could be synchronized to a common reference time, then avoiding collisions is made easier.
Marcel Flores, Uri Klarman, and Aleksandar Kuzmanovic from Northwestern University have been working on this idea and have come up with a system they have termed Wi-FM which is based on FM RDS signals. Many FM radio stations transmit a digital Radio Data System (RDS) subcarrier on their broadcast frequency. This RDS signal is often used to simply display information on the radio such as the station name and current song playing.
Since each nearby WiFi node should be able to receive the same RDS signal at the exact same time, it can be used as a common synchronization signal. Then once synchronized each WiFi node can listen to the other nodes and work out what their transmit scheduling is like and then optimize their own transmit schedule.
In their prototyping they used an RTL-SDR dongle connected to a PC running GNU Radio. The GNU Radio program decodes the RDS signal and the resulting information is sent to the Linux kernel which handles the WiFi transmit schedule processing.
The prototype watch does this by using the RTL-SDR to detect the electromagnetic (EM) noise emitted by particular objects and compare it against a stored database. They call this technology EM-Sense. In the paper the authors summarize:
Most everyday electrical and electromechanical objects emit small amounts of electromagnetic (EM) noise during regular operation. When a user makes physical contact with such an object, this EM signal propagates through the user, owing to the conductivity of the human body. By modifying a small, low-cost, software-defined radio, we can detect and classify these signals in real-time, enabling robust on-touch object detection. Unlike prior work, our approach requires no instrumentation of objects or the environment; our sensor is self-contained and can be worn unobtrusively on the body. We call our technique EM-Sense and built a proof-of concept smartwatch implementation. Our studies show that discrimination between dozens of objects is feasible, independent of wearer, time and local environment.
The frequencies required for EM detection are around 0 - 1 MHz which falls outside the range of the RTL-SDR's lowest frequency of 24 MHz. To get around this, they ran the RTL-SDR in direct sampling mode. The RTL-SDR is connected to the watch, but a Nexus 5 smartphone is used to handle the USB processing which streams the signal data over WiFi to a laptop that handles the signal processing and live classification. In the future they hope to use a more advanced SDR solution, but the RTL-SDR has given them the proof of concept needed at a very low cost.
An example use scenario of the watch that Disney suggests is as follows:
Home – At home, Julia wakes up and gets ready for another productive day at work. Her EM-Sense-capable smartwatch informs and augments her activities throughout the day. For instance, when Julia grabs her electric toothbrush, EMSense automatically starts a timer. When she steps on a scale, a scrollable history of her weight is displayed on her smartwatch automatically. Down in the kitchen, EM-Sense detects patterns of appliance touches, such as the refrigerator and the stove. From this and the time of day, EM-Sense infers that Julia is cooking breakfast and fetches the morning news, which can be played from her smartwatch.
Fixed Structures – When Julia arrives at the office, EMSense detects when she grasps the handle of her office door. She is then notified about imminent calendar events and waiting messages: "You have 12 messages and a meeting in 8 minutes". Julia then leaves a reminder – tagged to the door handle – to be played at the end of the day: “Don’t forget to pick up milk on the way home.”
Workshop – In the workshop, EM-Sense assists Julia in her fabrication project. First, Julia checks the remaining time of a 3D print by touching anywhere on the print bed – “five minutes left” – perfect timing to finish a complementary wood base. Next, Julia uses a Dremel to cut a piece of wood. EM Sense detects the tool and displays its rotatory speed on the smartwatch screen. If it knows the task, it can even recommend the ideal speed. Similarly, as Julia uses other tools in the workshop, a tutorial displayed on the smartwatch automatically advances. Finally, the 3D print is done and the finished pieces are fitted together.
Office – Back at her desk, Julia continues work on her laptop. By simply touching the trackpad, EM-Sense automatically authenticates Julia without needing a password. Later in the day, Julia meets with a colleague to work on a collaborative task. They use a large multitouch screen to brainstorm ideas. Their EM-Sense-capable smartwatches make it possible to know when each user makes contact with the screen. This information is then transmitted to the large touchscreen, allowing it to differentiate their touch inputs. With this, both Julia and her colleague can use distinct tools (e.g., pens with different colors); their smartwatches provide personal color selection, tools, and settings.
Transportation – At the end of the day, Julia closes her office door and the reminder she left earlier is played back: “Don’t forget to pick up milk on the way home.” In the parking lot, Julia starts her motorcycle. EM-Sense detects her mode of transportation automatically (e.g., bus, car, bicycle) and provides her with a route overview: “You are 10 minutes from home, with light traffic”.
The EM-Sense watch detecting a door. The RTL-SDR dongle is the small square box under the watch.
EM-Sense: Touch Recognition of Uninstrumented Electrical and Electromechanical Objects
