Category: Applications

Creating a FSK SSDV data system for High Altitude Balloons

David and Mark are building a 115 kbit/s FSK SSDV (slow scan digital video) data system for high altitude balloons. On the balloon transmit side they use a Raspberry Pi, a Raspberry Pi camera and an RFM22B wireless transceiver modulator board to transmit the SSDV FSK signal. On the receive side they use an RTL-SDR dongle, a low noise preamplifier and a GNU Radio program to demodulate the SSDV images. The first video below demonstrates the hardware and GNU Radio program and shows them receiving the SSDV signal. In the second video they heavily attenuate the signal to demonstrate that the images can also be received at low signal levels (-106 dBm).

115.2kbaud FSK Modem Test

115.387kbaud FSK Modem Test - Part 2

If you are interested, all their code for the SSDV system has been uploaded to https://github.com/projecthorus/HorusHighSpeed.

While testing the RTL-SDR for use in this system they also measured the noise figure of an R820T RTL-SDR dongle. The noise figure at maximum gain comes out at around 5.6 dB. By adding a low noise amplifier they reduce the measured noise figure down to 2 dB.

Testing the attenuated SSDV signal reception with an RTL-SDR.

Using Multiple RTL-SDR’s to Capture a Trunking System

An RTL-SDR dongle has a maximum usable bandwidth of about 2.4 MHz which most often isn’t enough to capture an entire trunking system that may be spread out over a larger bandwidth. In order to get around this limitation Luke Brendt has been using three RTL-SDR dongles together to capture a trunking system in his area which is spread over 6 MHz of bandwidth.

Luke uses his own Trunk Recorder software and writes that he has modified it to support multiple SDRs. His software has the following description:

Trunk Recorder is able to record the calls on a trunked radio system. It uses 1 or more Software Defined Radios (SDRs) to do this. The SDRs capture large swatches of RF and then use software to process what was received. GNURadio is used to do this processing and provides lots of convenient RF blocks that can be pieced together to do complex RF processing. Right now it can only record one Trunked System at a time.

Trunk Recorder currently supports the following:

  • P25 & SmartNet Trunking Systems
  • SDRs that use the OsmoSDR source (HackRF, RTL – TV Dongles, BladeRF, and more)
  • Ettus USRP
  • P25 Phase 1 & Analog voice

Luke also mentions that using three RTL-SDRs like this seems to be more efficient on the CPU than using a single SDR that has 8 MHz of bandwidth due to the amount of down sampling that needs to be done on larger bandwidth SDRs. 

When I was using a single SDR, each Recorder had to take in the full 8MHz and pull out the small 12.5KHz that was interesting. The end result is that I could only record about 3 channels at once before the CPU got overloaded. Since that control channel was going at the same time, that was the equivalent of about 32MHz of bandwidth to process.

With the RTL-SDR, each Recorder only has to look at 2MHz, which puts a lot lighter load on the CPU. Roughly speaking, having 3 Recorders active, plus the control channel would mean that only a total of 8MHz was being processed. As you can see, this means that it scales much more efficiently.

Using three RTL-SDR’s to monitor a 6 MHz trunking system.

Creating a wireless RTL-SDR server with a small OpenWRT WiFi Router

Over on his blog yo2ldk has been experimenting with creating a wireless RTL-SDR server by using a mini OpenWRT based WiFi router (page in Romanian, use Google Translate for English). The router he uses is the GL iNet 802.11n 150Mbps router, which is a mini WiFi router that only costs $27 USD and is about the same size as an RTL-SDR dongle. It is mainly intended for use with IoT devices, but it runs the Linux based OpenWRT firmware and has enough processing power and WiFi bandwidth to run an rtl_tcp server streaming at 2MSPS with no lag.

With an RTL-SDR connected and the router running rtl_tcp, the router can be placed anywhere there is power (yo2ldk uses a portable battery pack) to create a remote radio receiver with absolutely no coax cable losses. Its WiFi range could be extended over long distances by using a directional Yagi antenna.

Using routers instead of mini computers like the recently released Raspberry Pi 3 may be a good option because they are very small, usually much cheaper, may be more power efficient, and may work better at transmitting the large amounts of data rtl_tcp requires.

In the future yo2ldk hopes to install everything into a shielded metal case, add an upconverter and also a solar panel for remote power.

YO2LDK’s remote RTL-SDR set up.

We note that if you have an old Android phone, then this could also potentially be used as a remote RTL-SDR server. To create an Android RTL-SDR server, simply download the Martin Marinov Android RTL2832U Driver from the Google Play store. Find the IP address of your Android phone by going to Settings -> About Device -> Status -> IP Address. Then open the RTL2832U driver app and click on “Enable advanced mode (for debug & stream to PC)”. Initially the rtl_tcp string will have the code “-a 0.0.0.0”; simply change this to the IP address of your Android phone, for example “-a 192.168.1.15”, and then click Start stream. Now, on a remote PC connected to the same network, open SDR#, go to RTL-SDR (TCP), type in the IP address of the phone and use the port number 14423. Click the play button and you should now be streaming your RTL-SDR data over WiFi.

Hacking Alarm Systems with an RTL-SDR and RFcat

Back in 2014 the author of boredhackerblog.blogspot.com did a final year project for his wireless security class on hacking home alarm systems. His presentation was titled “How we broke into your house”. In his research the author used both an RTL-SDR and a simple RFcat wireless transmitter to perform a simple replay attack on a cheap $50 alarm system. His process for reverse engineering the alarm was essentially:

  1. Look up the device frequency and listen to it with an RTL-SDR and SDR#.
  2. Record the signal and visually study the waveform in Audacity.
  3. Look up system part info and determine encoding type (e.g. ASK/OOK).
  4. Determine the bit string and baud rate.
  5. Program the RFcat to send the same disarm binary string.

Once again research like this shows that cheap home alarm systems have literally zero protections against wireless attacks. In a previous post we also showed how the popular Simplisafe wireless alarm system could be disarmed in a somewhat similar way.
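The replay weakness described above, modelled from the receiver's side as an added example (it is not code from the original presentation or from any alarm vendor): a panel that accepts a fixed disarm code next to one that requires a fresh counter and a keyed MAC. The frame layout, key, command value and class names are hypothetical.

```python
import hashlib
import hmac
import struct

CMD_DISARM = 0x02                                         # hypothetical command value
FIXED_DISARM = bytes.fromhex("a5c3f00d")                  # constructed static code, same on every press
KEY = bytes.fromhex("00112233445566778899aabbccddeeff")   # constructed per-device key

class FixedCodePanel:
    """Weak design: any frame equal to the stored code disarms, however old it is."""
    def __init__(self):
        self.armed = True
    def receive(self, frame):
        accepted = hmac.compare_digest(frame, FIXED_DISARM)
        if accepted:
            self.armed = False
        return accepted

def remote_frame(key, cmd, counter):
    """Hypothetical hardened frame: 1-byte command, 4-byte counter, 8-byte truncated HMAC."""
    body = struct.pack(">BI", cmd, counter)
    return body + hmac.new(key, body, hashlib.sha256).digest()[:8]

class CounterMacPanel:
    """Hardened design: frame must carry a valid MAC and a counter not seen before."""
    def __init__(self, key):
        self.key, self.last_counter, self.armed = key, 0, True
    def receive(self, frame):
        if len(frame) != 13:
            return False
        body, tag = frame[:5], frame[5:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()[:8]
        if not hmac.compare_digest(tag, expected):
            return False                      # altered or forged without the key
        cmd, counter = struct.unpack(">BI", body)
        if counter <= self.last_counter:
            return False                      # stale counter: a recorded frame sent again
        self.last_counter = counter
        if cmd == CMD_DISARM:
            self.armed = False
        return True

def demo():
    weak, strong = FixedCodePanel(), CounterMacPanel(KEY)
    weak.receive(FIXED_DISARM); weak.armed = True         # owner disarms, later re-arms
    weak_replay = weak.receive(FIXED_DISARM)              # same bytes sent again
    frame = remote_frame(KEY, CMD_DISARM, 1)
    first = strong.receive(frame); strong.armed = True
    replay = strong.receive(frame)                        # same bytes sent again
    tampered = strong.receive(frame[:4] + b"\x09" + frame[5:])  # counter changed, MAC not
    return weak_replay, first, replay, tampered
```

`demo()` returns `(True, True, False, False)`: the fixed-code panel accepts the repeated frame, while the counter-and-MAC panel accepts only the first, genuine one.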

$50 home alarm system broken by an RTL-SDR and RFcat.

FlightBox: Commercial RTL-SDR Based ADS-B (1090ES & 978UAT) Receiver for Pilots

For some time now, small aircraft pilots who don’t have access to expensive ~$1000+ ADS-B gear have been successfully using an RTL-SDR and Raspberry Pi combination to receive ADS-B and UAT to display aircraft and weather data on an iPad. The first time we posted about this was back in August 2015.

The full implementation uses two RTL-SDR dongles to receive both 1090ES aircraft position information and 978 UAT to receive weather radar information. Both dongles are used on a Raspberry Pi mini computer that runs a program called Stratux. Stratux takes the ADS-B information received by the RTL-SDRs and re-transmits the data out via WiFi. Then an iPad running special pilot navigation aid software such as ForeFlight can interface with the WiFi signal and receive the ADS-B and weather information.

Assembly of a Stratux box requires the purchase of each individual component or a Raspberry Pi kit that includes the Stratux software image on an SD card, RTL-SDR and WiFi adapter. However, setting up a Stratux box may be a little difficult for pilots who do not have any electronics DIY skills.

To solve this, a new product called FlightBox recently ran a successful Kickstarter campaign. FlightBox provides a ruggedized plastic case, a Raspberry Pi 2 preloaded with software, two nano RTL-SDR dongles, two pigtail adapters, a 10Hz WAAS GPS module, and two customized ADS-B whip antennas (one for 978 MHz and one for 1090 MHz).

The FlightBox costs $200 for single band operation and $250 for dual band (1090ES and 978UAT). They are currently accepting pre-orders for delivery in late March/April.

For more information about Stratux see the active discussion forum at reddit.com/r/stratux.

The FlightBox: An RTL-SDR based ADS-B 1090ES and 978UAT receiver for Pilots.
Components used in the FlightBox, including two nano RTL-SDR dongles.

YouTube video showing Inmarsat C-Band AERO Reception

Last week we posted how programmer Jonti had successfully implemented a C-Band AERO decoder into his JAERO software. C-band AERO signals are the earth downlink portion of AERO. Planes transmit data upwards towards the satellites and then the Inmarsat C-band transmitter re-transmits the information back to a basestation on earth. This is different to the L-band AERO signals which are signals transmitted from the satellites to the aircraft. C-band signals are interesting because they contain plane position info, and so can be used to track aircraft much like what is done with ADS-B reception, but over a much larger area. However, C-Band signals are much more difficult to receive as they are at 3.616 GHz and require a 1.8m or larger satellite dish.

Over on YouTube user AceBlaggard has uploaded a video showing an example of C-Band signals being received with an Airspy SDR and being decoded with the new version of JAERO. About the hardware used AceBlaggard writes:

Hardware is a 1.8M PF dish and Titanium Satellite C1 PLL LNB feeding a Prof-Tuner 7301 sat card which loops out to an Airspy SDR.

Inmarsat C Band aero feed.

Creating an RF Proximity Alarm (Close Call) with an RTL-SDR

“Close Call” is a feature that some radio scanners have which notifies the user when there is a radio transmitter that is in the near vicinity (such as from a police radio). It works by detecting the strength of signals from near field emissions, and it requires a strong RF signal to trigger.

Over on the ar15.com forums, user seek2 wanted something similar to the “close call” feature, but didn’t want certain transmissions like APRS signals from hams driving by to set it off. He also didn’t want to be restricted to near field emissions, rather he wanted something that acted more like a squelch that would activate for strong signals only.

To implement this seek2 used an RTL-SDR dongle, together with the rtl_power spectrum scanning software. He outputs the signal strength data generated by rtl_power to a CSV file which is then piped into a tail -f terminal command in Linux, which simply outputs the latest lines of the CSV file as it updates in real time. Then he uses a simple Python script to monitor the output and to set off an alarm and report strong signals when it sees them. His script is also used to filter out reports from strong unwanted signals like APRS.
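A monitor of the kind described above, as an added example (this is not seek2's script): it reads rtl_power CSV rows, reports bins above a threshold and skips an ignore list. The threshold, the APRS range (144.390 MHz, the North American frequency) and the sample rows are assumptions constructed for illustration.

```python
import sys

THRESHOLD_DB = -20.0                       # assumed alarm level; tune per dongle and antenna
IGNORE_HZ = [(144_380_000, 144_400_000)]   # assumed: APRS on 144.390 MHz (North America)

# Constructed sample rows in rtl_power's CSV layout:
# date, time, Hz low, Hz high, Hz step, samples, dB, dB, ...
SAMPLE = [
    "2016-03-10, 21:14:05, 144000000, 145000000, 250000.00, 2048, -48.1, -12.3, -47.9, -50.2",
    "2016-03-10, 21:14:05, 154000000, 155000000, 250000.00, 2048, -49.0, -51.2, -8.7, -50.4",
    "2016-03-10, 21:14",                   # truncated row, e.g. tail -f caught a partial write
]

def parse_row(line):
    """Return [(bin_start_hz, bin_width_hz, power_db), ...], or [] for a malformed row."""
    fields = [f.strip() for f in line.split(",")]
    try:
        hz_low, hz_step = float(fields[2]), float(fields[4])
        powers = [float(p) for p in fields[6:]]
    except (IndexError, ValueError):
        return []
    return [(hz_low + i * hz_step, hz_step, p) for i, p in enumerate(powers)]

def strong_signals(line, threshold_db=THRESHOLD_DB, ignore=IGNORE_HZ):
    """Bins at or above the threshold that do not overlap an ignored range."""
    hits = []
    for start, width, power in parse_row(line):
        if not power >= threshold_db:      # written this way so a nan value never alarms
            continue
        if any(start < hi and start + width > lo for lo, hi in ignore):
            continue                       # strong, but on the ignore list (e.g. APRS)
        hits.append((start, power))
    return hits

if __name__ == "__main__":
    # Live use: tail -f scan.csv | python3 closecall.py   (file names are placeholders)
    source = SAMPLE if sys.stdin.isatty() else sys.stdin
    for row in source:
        for freq, power in strong_signals(row):
            print(f"\aALERT {freq / 1e6:.3f} MHz at {power:.1f} dB")
```

An ignored range suppresses every bin it overlaps, so a smaller rtl_power step size keeps the exclusion tight around the unwanted signal.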

Below is a video showing an example of Close Call working on a Uniden hardware radio scanner for reference.

Uniden CloseCall© What is it? How does it work? How well does it perform?

Using AIS Share, OpenCPN and an RTL-SDR on a Sailboat

AIS Share is an app for Android that allows you to turn an Android device into an AIS receiver by using an RTL-SDR. AIS stands for Automatic Identification System and is used by ships to broadcast their GPS locations, to help avoid collisions and aid with rescues. An RTL-SDR with the right software can be used to receive and decode these signals, and plot ship positions on a map.

AIS Share is a dual channel decoder that outputs decoded NMEA messages via UDP, so that plotting software like OpenCPN can be used to display the ships on a map. AIS Share had been around before in another form known as rtl_ais_android which we posted before, but this version of AIS Share is a newly updated and improved version that now includes a very nice GUI. The app costs about $2 and is available on the Google Play store, but there is a demo available that will work up until 1000 messages are received. You will need an RTL-SDR and a USB OTG cable to run the app.

Recently the author of the app received word from a user called Harmen who has successfully been using his AIS Share app on his sailboat. Harmen uses the app on an Android tablet which is enclosed in a waterproof box. For an antenna he uses a coax collinear.

In the future the author writes that he’d like to update the app to support things like the ability to change more dongle settings like bandwidth/sample rate and add the possibility of using the internal phone/tablet GPS. He is also open to any community suggestions.

AIS Share Receiver on the sailboat in a waterproof case.
The back of the Android Tablet, showing the RTL-SDR and the antenna connection.
The AIS Share main screen GUI.

https://www.youtube.com/watch?v=ApGk8P82THs (Unfortunately the video has been removed)