Category: Applications

Reverse engineering a wireless thermostat with an RTL-SDR

When Tom Taylor's home heating boiler was replaced, the builders also replaced the old wired rotary thermostat with a digital wireless one. It sounds good, but Tom soon discovered that the thermostat's UI was terrible and that the buttons were horrible to press, so much so that he preferred to shiver in the cold. So Tom decided to see if there was a smarter way to control the heating.

When Tom investigated the thermostat he found that the wireless unit transmits in the unlicensed 433 MHz band and that it only ever sends two commands: turn the boiler on, or turn it off. Using his RTL-SDR and the CubicSDR software on his Mac he was able to see the short blip of the thermostat's transmission. He then recorded the on and off signals and opened the recordings in Audacity, a free audio editor, where he could compare the on and off waveforms side by side.

From this comparison he found that each transmission consists of a preamble followed by the on or off command, which is sent twice, presumably so that a single corrupted copy does not cause a missed command. He also found that the command bits are encoded with pulse width modulation (PWM), i.e. the length of each pulse carries the bit value.

With this knowledge Tom was able to use a cheap 433 MHz transmitter module driven by an Arduino and a short sketch to produce identical on and off transmissions that control the boiler. It also means the link has no authentication or rolling code: anyone within range who replays the same pulses can switch the boiler. Tom writes that his next steps are to build a heating schedule from his family's shared calendar, add a thermostat control loop, and put a web interface on it with a Raspberry Pi.

The 433 MHz thermostat on/off signal detected with an RTL-SDR in the CubicSDR software

Demonstrating the RTL-SDR based “Etch-A-SDR” Portable SDR

Over on YouTube user devnulling has uploaded a video showing his "Etch-A-SDR" project, an all-in-one SDR built from an Odroid C1, a Teensy 3.1 and an RTL-SDR dongle. The Odroid C1 is an embedded computer similar to the Raspberry Pi 2, and the Teensy 3.1 is a microcontroller development board. The project is named for its resemblance to an Etch-A-Sketch toy: it has two knobs that are used for tuning and several side buttons for changing the demodulation mode and other settings.

On boot the Etch-A-SDR starts GQRX and is ready for tuning within seconds of being switched on. Besides running GQRX as a portable SDR, it can also be booted into a normal Linux desktop, or into an Etch-A-Sketch mode in which it behaves like the original toy.

The code can be downloaded from https://github.com/devnulling/etch-a-sdr.

The Etch-A-SDR portable SDR

Video showing SMS Texts and Voice Calls being sniffed with an RTL-SDR

Over on YouTube user Osama SH has uploaded a video briefly showing the steps needed to use an RTL-SDR dongle to sniff SMS text messages and voice calls made from his own phone. This only works when the encryption key of the phone being sniffed is known, so it cannot be used to listen in on arbitrary phones, just ones you have access to. In the video he uses Airprobe and Wireshark to capture the GSM traffic and find the information needed to decode the text message. Once through the process he is able to recover the SMS message and some voice audio.

New Demo of the Upcoming Spyverter Upconverter

The Spyverter is a new high performance upconverter being developed by the team behind the Airspy software defined radio and the SDR# software. It is designed to be used with the Airspy, but should be compatible with other SDRs too. Its main claimed advantages over other upconverters are low conversion loss and a high IIP3 (third-order input intercept point), which means that the Spyverter will not saturate in the presence of strong signals as easily as other upconverters do.

Recently W9RAN, who is involved in the design and testing of the Spyverter, uploaded some demo videos of the Spyverter + Airspy combination in action. The first video shows how the Spyverter, when used together with the Airspy and SDR#, allows seamless tuning from VLF and HF through to VHF/UHF with no need to set any frequency offsets.

Seamless tuning of SDR# with Airspy & Spyverter

The next video shows the Spyverter + Airspy combination during an RTTY contest on 40 m, with very densely packed signals, some of which were very strong.

W9RAN demo of Spyverter in 40 meter RTTY contest

W9RAN (ranickel on YouTube) also has additional Spyverter + Airspy videos on YouTube for viewing if you are interested.

Reverse Engineering Wireless Mobile Traffic Lights with an RTL-SDR

When roadworks suddenly appeared on Bastian Bloessl's girlfriend's street, the workers put up a set of automated wireless traffic lights to control the flow of traffic during the works. Seeing these lights, Bastian quickly grabbed his RTL-SDR dongle and got to work on reverse engineering the status telemetry signals transmitted by the lights.

Wireless traffic lights reverse engineered with an RTL-SDR

Bastian found two signals at around 170 MHz, one for each pair of lights. By analyzing them in Baudline and Audacity he determined that the signal was AFSK1200 modulated, with the two tones at 1200 Hz and 2400 Hz. He then wrote a simple GNU Radio program that outputs the frame bit data. After some analysis he was able to make sense of the frame structure and create a simple web interface that visualizes the data as virtual traffic lights on his PC. The YouTube video below shows the signal and his RTL-SDR decoding software in action.

The telemetry is sent in the clear. The post does not look at the control channel, so whether the control signals are encrypted or authenticated is unknown; we would assume that they are.
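To make the AFSK1200 decoding step concrete, here is an added example (not Bastian's GNU Radio flowgraph) that builds a constructed frame, modulates it as continuous-phase AFSK with 1200 Hz and 2400 Hz tones at 1200 baud, passes it through seeded noise and demodulates it back to bits with a non-coherent two-tone detector. The preamble, the sync word, the LSB-first byte packing and the payload are assumptions chosen for illustration; the real traffic-light frame format is not described here.

```python
"""AFSK1200 round trip: modulate a constructed frame, demodulate it back to bits.

Added example, not Bastian Bloessl's GNU Radio flowgraph. Tone assignment and
framing details below are assumptions chosen for illustration.
"""
import math
import random

SAMPLE_RATE = 48_000          # Hz, e.g. an audio-rate recording from an SDR
BAUD = 1200
SPB = SAMPLE_RATE // BAUD     # 40 samples per bit
MARK_HZ = 1200                # assumed: tone for a 1 bit
SPACE_HZ = 2400               # assumed: tone for a 0 bit
PREAMBLE = [0, 1] * 8         # assumed: alternating bits so the receiver can settle
SYNC = [0, 1, 1, 1, 1, 1, 1, 0]   # assumed sync word (same pattern as the HDLC 0x7E flag)


def afsk_modulate(bits):
    """Continuous-phase AFSK: the phase carries over between bits, so the waveform
    has no jumps, which is what a real FSK transmitter produces."""
    samples, phase = [], 0.0
    for b in bits:
        step = 2 * math.pi * (MARK_HZ if b else SPACE_HZ) / SAMPLE_RATE
        for _ in range(SPB):
            samples.append(math.sin(phase))
            phase = (phase + step) % (2 * math.pi)
    return samples


def tone_energy(chunk, freq):
    """Non-coherent tone detector: energy of the chunk's correlation with a
    sine/cosine pair at freq. Phase-insensitive, so no carrier recovery is needed."""
    i = q = 0.0
    for n, x in enumerate(chunk):
        ang = 2 * math.pi * freq * n / SAMPLE_RATE
        i += x * math.cos(ang)
        q += x * math.sin(ang)
    return i * i + q * q


def afsk_demodulate(samples):
    """One decision per bit period. Over exactly one bit (40 samples) the 1200 Hz
    and 2400 Hz tones are orthogonal, so the wrong tone contributes ~0 energy.
    Assumes bit boundaries are known; a real decoder adds clock recovery."""
    bits = []
    for start in range(0, len(samples) - SPB + 1, SPB):
        chunk = samples[start:start + SPB]
        bits.append(1 if tone_energy(chunk, MARK_HZ) > tone_energy(chunk, SPACE_HZ) else 0)
    return bits


def build_frame(payload):
    """Preamble + sync + payload bytes, LSB first. No bit stuffing, so a payload
    containing the sync pattern would confuse extract_payload (real protocols
    stuff bits or escape the flag)."""
    bits = list(PREAMBLE) + list(SYNC)
    for byte in payload:
        bits += [(byte >> k) & 1 for k in range(8)]
    return bits


def extract_payload(bits):
    """Find the sync word and repack the bits after it into bytes; None if no sync."""
    for i in range(len(bits) - len(SYNC) + 1):
        if bits[i:i + len(SYNC)] == SYNC:
            body = bits[i + len(SYNC):]
            nbytes = len(body) // 8
            return bytes(sum(body[8 * k + j] << j for j in range(8)) for k in range(nbytes))
    return None


def add_noise(samples, sd, seed=7):
    """Constructed channel noise, seeded so the demo is repeatable."""
    rng = random.Random(seed)
    return [x + rng.gauss(0.0, sd) for x in samples]


def roundtrip(payload=b"RED", noise_sd=0.3):
    """Constructed frame -> AFSK audio -> noisy channel -> bits -> payload."""
    audio = add_noise(afsk_modulate(build_frame(payload)), noise_sd)
    return extract_payload(afsk_demodulate(audio))


if __name__ == "__main__":
    print(roundtrip())
```

The detector works because 1200 Hz completes exactly one cycle and 2400 Hz exactly two within a 40-sample bit, so correlating a bit's samples against the wrong tone sums to zero. Feeding it a real recording additionally needs bit-clock recovery (the start of each bit period is not known in advance) and whatever bit stuffing or whitening the real frame format uses.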

Traffic Lights + GNU Radio + RTL SDR

Reverse Engineering a Vintage Wireless Keypad with an RTL-SDR

Over on his blog, Veghead has posted about how he reverse engineered a wireless alarm panel keypad from 1986 with an RTL-SDR dongle, with the goal of eventually hooking it up to a modern alarm system.

By first looking at the old FCC label on the keypad, Veghead learned that the device transmits somewhere between 319 MHz and 340 MHz. He then used his RTL-SDR dongle to record the transmitted signals before opening them in Audacity, a free audio editor.

Analyzing the waveform in Audacity showed that the keypad uses simple on-off keying (OOK). Although the carrier frequency drifted a lot (probably due to aged components), he was able to write a decoder, which he called cletus, that converts the recorded complex I/Q samples into a real signal and then runs a state machine over the waveform to turn it into 1s and 0s. Finally the program prints the button that was pressed to the terminal. If that conversion is an envelope (magnitude) detector, it is also what makes the decoder tolerant of the drift: as long as the signal stays inside the recorded bandwidth, its envelope does not depend on where the carrier sits.
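Both the thermostat post above (PWM-coded command, sent twice after a preamble, later replayed from an Arduino) and this keypad post (OOK, complex I/Q turned into a real signal, then a state machine) come down to the same pipeline, so one added example serves both. It is not Tom's Arduino sketch or Veghead's cletus: it synthesizes a constructed I/Q capture of a keyed carrier, takes the magnitude, thresholds it, run-length encodes it into pulse widths and runs a state machine that turns short/long pulse pairs into bits. The sample rate, the 300/900 microsecond pulse widths, the 9 ms sync gap, the carrier offset and the "long high = 1" convention are all assumptions; the real devices' timings are not given on this page.

```python
"""OOK pulse-width decoder: complex I/Q -> envelope -> pulse widths -> bits.

Added example covering the thermostat (PWM command, sent twice after a preamble)
and the keypad (OOK, I/Q magnitude then a state machine). Not Tom Taylor's
Arduino sketch or Veghead's cletus; all timings and the bit convention are
assumptions for illustration.
"""
import math
import random

SAMPLE_RATE = 250_000          # assumed capture rate, samples/s
SHORT_US, LONG_US = 300, 900   # assumed PWM pulse widths (microseconds)
SYNC_GAP_US = 9_000            # assumed long low gap that starts each frame
CARRIER_OFFSET_HZ = 10_000     # assumed: where the keyed carrier sits in the capture


def pwm_pulses(bits):
    """Frame as (level, microseconds) pairs: a short high then the sync gap, then
    per bit 0: short high + long low, bit 1: long high + short low (assumed).
    This list is also what a transmitter sketch would toggle its pin with."""
    pulses = [(1, SHORT_US), (0, SYNC_GAP_US)]
    for b in bits:
        pulses += [(1, LONG_US), (0, SHORT_US)] if b else [(1, SHORT_US), (0, LONG_US)]
    return pulses


def us_to_samples(us):
    return int(SAMPLE_RATE * us / 1_000_000)


def synth_iq(pulses, repeats=2, noise_sd=0.05, seed=1):
    """Constructed complex baseband: a carrier at CARRIER_OFFSET_HZ while keyed on,
    noise only while off; the frame is repeated `repeats` times like the thermostat."""
    rng = random.Random(seed)
    step = 2 * math.pi * CARRIER_OFFSET_HZ / SAMPLE_RATE
    iq, phase = [], 0.0
    for _ in range(repeats):
        for level, dur in pulses:
            for _ in range(us_to_samples(dur)):
                tone = complex(math.cos(phase), math.sin(phase)) if level else 0j
                iq.append(tone + complex(rng.gauss(0, noise_sd), rng.gauss(0, noise_sd)))
                phase = (phase + step) % (2 * math.pi)
    return iq


def envelope_to_runs(iq, threshold=0.5):
    """|I + jQ| makes the signal real and independent of carrier offset and drift;
    threshold it and run-length encode into (level, microseconds).
    Assumes the capture contains at least one burst (threshold is relative to max)."""
    mags = [abs(s) for s in iq]
    thr = threshold * max(mags)
    runs, cur, n = [], None, 0
    for m in mags:
        lv = 1 if m > thr else 0
        if lv == cur:
            n += 1
        else:
            if cur is not None:
                runs.append((cur, n * 1_000_000 / SAMPLE_RATE))
            cur, n = lv, 1
    runs.append((cur, n * 1_000_000 / SAMPLE_RATE))
    return runs


def near(us, target, tol=0.3):
    return abs(us - target) <= tol * target


def decode_pwm(runs):
    """State machine over (high, low) pairs: a sync gap opens a frame, each pair
    becomes one bit, a pair with bad timing abandons the frame. Returns all frames."""
    frames, bits = [], None          # bits is None until a sync gap has been seen
    for k in range(len(runs) - 1):
        level, high_us = runs[k]
        if level != 1:
            continue
        low_us = runs[k + 1][1]
        if near(low_us, SYNC_GAP_US, 0.2):
            if bits:
                frames.append(bits)
            bits = []
        elif bits is not None:
            if near(high_us, LONG_US) and near(low_us, SHORT_US):
                bits.append(1)
            elif near(high_us, SHORT_US) and near(low_us, LONG_US):
                bits.append(0)
            else:
                bits = None              # timing glitch: drop this frame
    if bits:
        frames.append(bits)
    return frames


def roundtrip(bits, **kw):
    """Constructed command -> I/Q capture -> decoded frames (one per repeat)."""
    return decode_pwm(envelope_to_runs(synth_iq(pwm_pulses(bits), **kw)))


if __name__ == "__main__":
    on_cmd = [1, 0, 1, 1, 0, 0, 1, 0]    # constructed 8-bit command, not a real code
    print(roundtrip(on_cmd))
```

Decoding two identical frames from one capture is the check that the repeat is just redundancy and carries no counter or rolling code; if the two copies differed, the device would not be a plain replay target. Running this on a real recording means replacing `synth_iq` with samples read from the capture file and adjusting the timing constants after measuring a few pulses in Audacity.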

Vintage wireless alarm keypad reverse engineered with an RTL-SDR

ADS-B On Android App Now Supports 978 MHz FIS-B NEXRAD Weather and Traffic

The “ADS-B on Android” app has been updated and now supports receiving and displaying 978 MHz UAT FIS-B weather and traffic data, alongside the usual 1090 MHz ADS-B data. To use the app you need an RTL-SDR dongle and a USB OTG cable.

UAT stands for Universal Access Transceiver and is a protocol similar to ADS-B that is used mainly by smaller aircraft in the USA. Compared to ADS-B, UAT carries some extra services for pilots. In addition to position reports it provides the Traffic Information Service-Broadcast (TIS-B), which lets pilots in the air see the traffic that ground control sees on its conventional radar, and the Flight Information Service-Broadcast (FIS-B), which includes NEXRAD weather data and other information. NEXRAD is a network of ground-based weather radars that give pilots accurate maps of precipitation and winds.

The free version of the app has ads and does not display NEXRAD weather radar on the default map. The pro version removes the ads and allows you to display a NEXRAD overlay on the map. It costs $2.50 USD.

Free Version: https://play.google.com/store/apps/details?id=com.wilsonae.android.usbserial

Pro Version: https://play.google.com/store/apps/details?id=com.wilsonae.android.usbserial.pro

NEXRAD FIS-B precipitation data displayed on map on the pro version of “ADS-B On Android”


Detecting Pulsars (Rotating Neutron Stars) with an RTL-SDR

The RTL-SDR has been used as an amateur radio astronomy tool for some time now. Radio astronomers Peter W East and GM Gancio have recently uploaded a paper (doc file) that details their experiments with detecting pulsars with an RTL-SDR.

A pulsar is a rapidly rotating neutron star that emits a beam of electromagnetic radiation. If this beam sweeps across the Earth, its pulses can be observed with a large dish antenna and a radio receiver such as the RTL-SDR. The abstract of the paper reads:

This project sought to determine the minimum useful antenna aperture for amateur radio astronomers to successfully detect pulsars around the Hydrogen line frequency of 1420 MHz. The technique relied on the collaboration with GM Gancio, who provided RTL SDR data of the Vela pulsar (B0833-45, J0835-4510) and others, collected with a 30m radio telescope. This data was processed to determine the achievable signal-to-noise ratio, from which the minimum useful dish size necessary for some effective amateur work could be calculated. Two software packages were developed to do synchronous integration, a third to provide a power detection function and a fourth for spectrum analysis to recover pulsar rotation rate.

With this data the authors were able to detect the Vela pulsar and measure its rotation period. They also estimated that the minimum dish aperture required to observe Vela would be 6 m, noting that Vela is probably the strongest pulsar ever detected. They further write that by using five RTL-SDRs to gather 10 MHz of bandwidth, together with some processing, the minimum dish aperture could be reduced to 3.5 m.
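The "synchronous integration" in the abstract is epoch folding: every power sample is added into the bin for its rotational phase, so the pulse adds up coherently while the noise averages down, and the rotation period is the one at which folding gives the sharpest profile. The following added example (not the authors' software) folds a constructed power record with 560 weak pulses, matching the pulse count of the 50 second file in the figure, and runs a brute-force period search over trial periods. The 1 kHz detected-power sample rate, the pulse amplitude, the noise level and the 5% duty cycle are assumptions; Vela's period of roughly 89.3 ms is the published value.

```python
"""Epoch folding (synchronous integration) and a brute-force period search.

Added example illustrating the processing the paper describes; it is not the
authors' software. The power series is constructed, and the sample rate, pulse
amplitude, duty cycle and noise level are assumptions. Vela's period of about
89.3 ms is the published value.
"""
import math
import random

SAMPLE_RATE = 1_000.0   # assumed: power samples per second after detection and decimation
VELA_PERIOD_S = 0.0893  # approximate Vela rotation period
DUTY = 0.05             # assumed pulse width as a fraction of the period
NBINS = 64


def simulate_power(n_pulses, amp=1.0, noise_sd=2.0, period_s=VELA_PERIOD_S, seed=0):
    """Constructed power time series: Gaussian noise plus a rectangular pulse once
    per rotation. Per sample the pulse is well below the noise (amp < noise_sd)."""
    rng = random.Random(seed)
    n = int(n_pulses * period_s * SAMPLE_RATE)
    series = []
    for i in range(n):
        phase = ((i / SAMPLE_RATE) % period_s) / period_s
        series.append((amp if phase < DUTY else 0.0) + rng.gauss(0.0, noise_sd))
    return series


def fold(series, period_s, nbins=NBINS):
    """Synchronous integration: every sample is added to the phase bin it falls in,
    so pulse power adds coherently while noise averages down as 1/sqrt(N)."""
    sums, counts = [0.0] * nbins, [0] * nbins
    for i, x in enumerate(series):
        phase = ((i / SAMPLE_RATE) % period_s) / period_s
        b = min(int(phase * nbins), nbins - 1)
        sums[b] += x
        counts[b] += 1
    return [s / c if c else 0.0 for s, c in zip(sums, counts)]


def profile_snr(profile, exclude_frac=0.15):
    """Peak height above the off-pulse mean, in units of off-pulse standard deviation.
    Bins within exclude_frac*nbins of the peak on either side are left out of the baseline."""
    nbins = len(profile)
    peak_bin = max(range(nbins), key=profile.__getitem__)
    half = int(exclude_frac * nbins)
    off = [profile[b] for b in range(nbins)
           if min(abs(b - peak_bin), nbins - abs(b - peak_bin)) > half]
    mean = sum(off) / len(off)
    sd = math.sqrt(sum((x - mean) ** 2 for x in off) / len(off))
    return (profile[peak_bin] - mean) / sd if sd > 0 else float("inf")


def find_period(series, candidates):
    """Brute-force period search: fold at each trial period and keep the one with
    the sharpest profile. A period error dP smears the pulse by (T/P)*dP across
    the profile, so only trial periods very close to the true one survive."""
    return max(candidates, key=lambda p: profile_snr(fold(series, p)))


def demo(n_pulses=560):
    """Fold a 560-pulse constructed record (as many pulses as the paper's 50 s file)
    and compare with folding only the first 10 pulses; then recover the period."""
    series = simulate_power(n_pulses)
    full = profile_snr(fold(series, VELA_PERIOD_S))
    few = profile_snr(fold(series[: int(10 * VELA_PERIOD_S * SAMPLE_RATE)], VELA_PERIOD_S))
    trial = [0.0881 + k * 0.0002 for k in range(13)]      # 88.1 ms .. 90.5 ms
    return {"snr_560": full, "snr_10": few, "period_found": find_period(series, trial)}


if __name__ == "__main__":
    print(demo())
```

With a per-sample pulse half the size of the noise, a single rotation shows nothing, but 560 folded rotations give a profile with a peak more than ten standard deviations above the baseline, and the trial period 0.2 ms off the true one already smears the pulse over the whole profile, which is why the period search is so selective. The authors' real pipeline also has to handle dispersion across the observed band and the dongle's clock error, neither of which this toy models.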

The Vela pulsar pulse power integrated over a 50 second 100MB file, combining some 560 pulsar pulses.

In addition to these pulsar experiments, Peter has also uploaded new papers about improving his Hydrogen Line RTL-SDR telescope (pdf), and has updated his paper on improving the frequency stability of RTL-SDRs with air cooling (doc file). Peter found that the frequency stability of an RTL-SDR with the standard oscillator can be significantly improved by adding heat sinks and air cooling them. The graph from his paper below summarizes his results.

Results from air cooling the RTL-SDR.
The air cooled and heatsinked RTL-SDRs

All of Peter's papers can be found on his website at y1pwe.co.uk/RAProgs/index.html. He has many RTL-SDR radio astronomy resources there, so check it out if you are interested.