Recovering 433MHz Messages with RTL-SDR and MATLAB

Recently RTL-SDR.com reader Ilias wrote in to let us know about a post he uploaded to his blog showing how he was able to decode data from a device transmitting at 433 MHz using an RTL-SDR and MATLAB. MATLAB is a technical computing language that can be used for signal analysis and processing. His post clearly explains the steps he took and is a great aid for anyone wanting to learn about decoding simple signals.

The goal of Ilias’ project was to be able to use the RTL-SDR and MATLAB to uncover the details of a 433 MHz transmitter he bought on eBay. He wanted to see if he could determine the protocol and recover the data before even looking at the transmitter’s library code.

To do this he first used SDR# to record the data sent at 433 MHz. Then, by looking at the waveform in the Audacity audio editor, he was able to determine that the signal used on-off keying (OOK) modulation, and from this knowledge he was able to manually recover the binary string. Next he used MATLAB to create a program that automatically decodes the received OOK signal. His post goes into further detail about the signal processing steps he took in MATLAB.
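The same recover-by-hand-then-automate workflow (envelope detect the recording, threshold it, measure the shortest pulse to find the bit period, then slice the stream into bits) can be reproduced without MATLAB. The script below is an added example written for this page, not code from Ilias' post; it synthesizes a constructed "recording" (a 1 kHz tone for mark, silence for space, 40 samples per bit at 8 kHz, one leading sync bit) rather than reading a real SDR# capture, and those parameters are assumptions.

```python
import math
import random

# Constructed parameters for the synthetic recording (assumptions, not
# values taken from the 433 MHz transmitter in the post).
SAMPLE_RATE = 8000   # samples per second of the demodulated audio
TONE_HZ = 1000       # audible tone standing in for "carrier on"
BIT_SAMPLES = 40     # 40 samples per bit -> 200 bit/s
SYNC_BITS = "1"      # one leading mark so the decoder can find the first edge


def ook_modulate(bits, noise_amplitude=0.02, seed=1):
    """Synthesize what an AM-demodulated recording of an OOK burst looks
    like: a tone during '1' bits, (near) silence during '0' bits."""
    rng = random.Random(seed)
    samples = []
    for bit in SYNC_BITS + bits:
        for _ in range(BIT_SAMPLES):
            n = len(samples)
            tone = math.sin(2 * math.pi * TONE_HZ * n / SAMPLE_RATE) if bit == "1" else 0.0
            samples.append(tone + rng.uniform(-noise_amplitude, noise_amplitude))
    return samples


def envelope(samples, window=10):
    """Envelope detector: rectify, then a causal moving average."""
    env, acc = [], 0.0
    for i, x in enumerate(samples):
        acc += abs(x)
        if i >= window:
            acc -= abs(samples[i - window])
        env.append(acc / window)
    return env


def to_levels(env):
    """Threshold the envelope at half its peak to get a 0/1 stream."""
    thr = 0.5 * max(env)
    return [1 if e > thr else 0 for e in env]


def run_lengths(levels):
    """Collapse the 0/1 stream into (level, length) runs."""
    runs, count = [], 0
    for i, lv in enumerate(levels):
        if i > 0 and lv != levels[i - 1]:
            runs.append((levels[i - 1], count))
            count = 0
        count += 1
    runs.append((levels[-1], count))
    return runs


def estimate_bit_samples(levels):
    """The shortest run that does not touch either end of the recording is
    about one bit long; this is the 'measure a pulse in Audacity' step."""
    inner = run_lengths(levels)[1:-1]
    return min(length for _, length in inner)


def ook_decode(samples, bit_samples=BIT_SAMPLES):
    """Align on the first rising edge, then sample the middle of each bit."""
    levels = to_levels(envelope(samples))
    if 1 not in levels:
        return ""
    pos = levels.index(1) + bit_samples // 2
    bits = []
    while pos < len(levels):
        bits.append(str(levels[pos]))
        pos += bit_samples
    return "".join(bits)[len(SYNC_BITS):]


if __name__ == "__main__":
    message = "1011000100110101"          # constructed payload
    recording = ook_modulate(message)
    print("estimated bit period:", estimate_bit_samples(to_levels(envelope(recording))))
    print("recovered bits:      ", ook_decode(recording))
```

Sampling at the centre of each bit, rather than counting run lengths directly, is what makes the decoder tolerant of the few samples of rise and fall delay that the moving-average envelope introduces; the run-length measurement is only used to estimate the bit period once, as a human would do from the waveform.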

433 MHz OOK Transmitter

Testing GNU Radio on the Raspberry Pi 2

Earlier this year the successor to the hugely popular Raspberry Pi, the Raspberry Pi 2, was released. The Raspberry Pi 2 is a mini embedded computer that can run Linux.

Over on the RS Design Spark website Andrew Back has posted a tutorial showing how he installed GNU Radio and RTL-SDR on the Raspberry Pi 2. He also shows that the Raspberry Pi 2 runs the CPU intensive GNU Radio software well, utilizing 70% CPU when running osmocom_fft, a GNU Radio based spectrum analyzer. Andrew also installs and tests the gr-air-modes GNU Radio program which is an ADS-B receiver, finding that it also performed well with low CPU utilization.

Raspberry Pi 2 with an RTL-SDR Dongle Attached

New RTL-SDR Radio Data System (RDS) Decoder: Redsea

Signals hacker Oona Räisänen has released on GitHub a new software tool for the RTL-SDR called Redsea. On her blog she explains that Redsea is a Linux and OS X compatible Perl-based command line Radio Data System (RDS) decoder that uses the rtl_fm tool. Oona’s post explains a little about how RDS works and also explains how her software actually decodes RDS.

The Radio Data System (RDS) is a digital data subcarrier built into some broadcast FM signals. It usually carries information such as the station name and the song currently playing.

RDS Waveforms
RDS Waveform Decoding Steps

Building a Simple Downconverter for the RTL-SDR

Over on YouTube Adam Alicajic, seller of the LNA4ALL low noise amplifier has uploaded a video showing how to create a simple downconverter using a 1.3 GHz local oscillator and an LNA4ALL. A downconverter extends the frequency range of the RTL-SDR to frequencies higher than the RTL-SDR’s 1.7 GHz limit.

Adam capacitively couples the 1.3 GHz local oscillator into the input of the LNA4ALL, which causes the local oscillator signal to be mixed with the input signal from the antenna. This moves a test 2.8 GHz signal down to 1.5 GHz, which is receivable by the RTL-SDR.

DIY poor guy SDR Downconverter

Spying on Keyboard Presses with a Software Defined Radio

Last year Milos Prvulovic, a computer science researcher, uploaded some videos to YouTube showing how he was able to remotely and covertly record the keystrokes of a target laptop in another room using just a software defined radio, a magnetic loop antenna and some custom software.

The target laptop was first modified with special drivers that cause increased and unique memory and processor activity for each key that is pressed. As computers emit unintentional RF emissions, the modified memory and processor activity causes the target laptop to emit a unique RF signature for each key pressed. Milos used this fact to create a program that can detect the RF emissions from the target laptop, and show the key presses made from the target laptop on the spying PC.

EM Covert Channel Attack Setup and Explanation

EM Covert Channel Attack Through a Wall

EM Covert Channel Attack from Nearby Desk

Listening to NXDN with SDRSharp, the AuxVFO Plugin and DSD+

Over on YouTube user John Miller has uploaded a video showing how he receives NXDN digital audio using a combination of SDR#, the AuxVFO plugin and DSD+. He writes:

I have it set with 5 auxiliary VFOs, one for each channel of the Christian Co NXDN system from the Kelly Towers. I use VAC to route the audio from each VFO to DSD+; each VFO has its own DSD+ running. I then have all the DSD+ go into one output VAC and use that to run a feed on Broadcastify. The secret to running multiple DSD+ is to have a separate install of it, so I have 5 DSD+ folders.

HackRF Controlling a Quadcopter

Over on YouTube user Mike has uploaded a video showing a quadcopter being controlled by the HackRF, a low cost transmit capable software defined radio. Mike uses a Hubsan X4 quadcopter and controls it with a USB joystick coupled with GNU Radio. According to a tweet by Michael Ossmann (the inventor of the HackRF), there were initially USB latency issues that caused problems, but these have since been fixed by Mike.

HackRF quadcopter control

RTL-SDR Cell Phone IMSI, TMSI and Key Sniffer

Over on YouTube user Kali Gsm has uploaded a video showing off a new software program he has written that allows an RTL-SDR to be used to gather IMSI, TMSI and Key information from a cell phone connected to a PC.

The IMSI (International Mobile Subscriber Identity) is a number that uniquely identifies a cell phone. Because IMSIs are unique, they could be used to track a cell phone, so they are rarely broadcast; instead a TMSI (Temporary Mobile Subscriber Identity) number is used to identify the phone. The TMSI is changed depending on geographic location or changed by the network randomly. The key is a number that is used to decrypt the GSM data sent to your phone.

Kali Gsm’s software is called rtl_tool_kit and is planned to be released soon on its GitHub page. It uses the gr-gsm software to sniff the GSM downlink with an RTL-SDR dongle and also interfaces to a connected mobile phone. The author writes that the following is possible with the software:

  1. You can get IMSI, TMSI and key of the device connected to your PC.
  2. You can send silent/flash SMS.
  3. You can connect/match TMSI to a mobile number if target is on the same BTS and in GSM900/2G mode.

Update 25/01/2015: All YouTube videos appear to have been removed – though the uploader reports in the comments that the videos will be back online soon.
Update 29/01/2015: Videos are back online.