Category: Applications

Turbine: Capture and Stream all Frequencies in a Trunked Radio System with a HackRF

Over on Reddit we've discovered an interesting program called 'Turbine' that has recently been open sourced by the author. This program connects to a wideband capable SDR such as a HackRF and captures and streams all frequencies in a trunked radio system. Users can then browse the recordings online. In his Reddit post, u/norasector introduces Turbine and his application for it, called 'NoraSector'.

I am open sourcing the SDR code for NoraSector, which currently captures and streams the radio systems for both King and Snohomish County, WA. It uses a HackRF One to capture every channel concurrently, and can even process multiple systems at the same time, provided they are within the same bandwidth that is captured by the SDR and there's adequate reception. I plumb the output through a WebRTC streaming infrastructure I built to stream audio to clients over the web with very low latency. My goal was to give complete access to an entire system to anyone over the web, just as they would have if they were using a handheld scanner, and with comparable latency.

Turbine is a bit different from other SDR software out there. It's written entirely in Go, and was built explicitly to only use a single SDR rather than bonding multiple SDRs together.

Turbine works by tuning known control frequencies and then tuning all voice frequencies it learns from them. Voice transmissions are encoded using the Opus audio codec for compatibility with WebRTC and blasted out as frames over UDP. It also includes a functional-but-janky built-in visualization web server to look at each stage of the DSP pipeline for each frequency, which was crucial for debugging as I was building it.

Right now, it only supports legacy Motorola SmartZone systems (which is what is used near me), but it shouldn't be a large lift to make it support P25. The code is heavily influenced by op25 and GNURadio (and in some places just outright copying them). I built it in Go because a) it's what I'm most familiar with and b) the sheer density of GNURadio made it hard for me to piece things together how I wanted. Go's concurrency model is a natural fit for doing many concurrent operations on the byte stream, and I haven't had issues with garbage collection pausing execution in a detrimental way.

Turbine isn't intended for use with lower sample rate SDRs like the RTLSDR. It has a driver for it, but doesn't support bonding multiple SDRs together. If an entire system fits within the 2MHz sample rate, it would probably be fine. You should be able to fire it up with a RTLSDR but it will not be able to capture very much. It currently only officially supports the HackRF One, but adding other SDRs should be relatively trivial. Note that the HackRF I am using is the model with the upgraded TCXO, as I found that the built-in oscillator was not accurate enough.

Turbine has only been tested to run on Linux and is very CPU-intensive; the production radio runs on a dedicated i7-11700k 8c/16t CPU and consumes about 60% of all cores decoding both systems. There are some potential optimizations that could be made that would lower CPU consumption during periods of low activity, but I built it for the worst case of having to encode every voice frequency at once.

The usual disclaimers about OSS apply. I hope you find it interesting or perhaps useful, and maybe portions can be adapted so Go can be used more in SDR projects.

There have been similar projects in the past like radiocapture-rf, scaneyes, and broadcastify calls, but Turbine looks like one of the most comprehensive.
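The single-SDR constraint described in the post (every control and voice channel must fall inside one capture) can be checked before deployment. The following is an added example, not code from Turbine or NoraSector; `PlanCapture`, the channel list, the 25 kHz channel width, the 8 MHz HackRF rate and the 0.8 usable-bandwidth factor are all assumptions made for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"math"
	"sort"
)

// Plan reports whether one SDR capture can cover a set of channels.
type Plan struct {
	CenterHz float64   // tuning frequency midway between the outer channel edges
	SpanHz   float64   // bandwidth needed to hold every channel
	Fits     bool      // SpanHz is within the usable part of the capture
	OnDC     []float64 // channels sitting on the centre (DC spike) of the capture
}

// PlanCapture assumes complex (IQ) sampling, where captured bandwidth equals
// the sample rate. usable (0..1] discounts filter roll-off at the band edges.
func PlanCapture(freqsHz []float64, sampleRateHz, chanWidthHz, usable float64) (Plan, error) {
	if len(freqsHz) == 0 || sampleRateHz <= 0 || usable <= 0 || usable > 1 {
		return Plan{}, errors.New("need frequencies, a sample rate and 0 < usable <= 1")
	}
	f := append([]float64(nil), freqsHz...) // do not reorder the caller's slice
	sort.Float64s(f)
	lo, hi := f[0]-chanWidthHz/2, f[len(f)-1]+chanWidthHz/2
	p := Plan{CenterHz: (lo + hi) / 2, SpanHz: hi - lo}
	p.Fits = p.SpanHz <= sampleRateHz*usable
	for _, c := range f {
		if math.Abs(c-p.CenterHz) < chanWidthHz/2 {
			p.OnDC = append(p.OnDC, c)
		}
	}
	return p, nil
}

func main() {
	// Constructed channel list, not taken from any real system.
	system := []float64{851.0125e6, 852.4375e6, 853.9625e6, 856.2625e6}
	for _, rate := range []float64{8e6, 2e6} {
		p, _ := PlanCapture(system, rate, 25e3, 0.8)
		fmt.Printf("rate %.0f Hz: span %.0f Hz, centre %.0f Hz, fits=%v, onDC=%v\n",
			rate, p.SpanHz, p.CenterHz, p.Fits, p.OnDC)
	}
}
```

A channel listed in `OnDC` would land on the centre of the capture, where zero-IF receivers such as the HackRF show a DC spike, so the tuning frequency should be offset in that case.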

Norasector: An implementation of the Turbine Trunk Recording software

Tech Minds: 10 Common Mistakes Made With Software Defined Radio

Matt from the Tech Minds YouTube channel has recently uploaded a video highlighting 10 common mistakes made with software defined radio. The topics go over software choices, driver installation, coax choices, signal bandwidth, time of day, modulation type, high gain settings, low gain settings, cheap & cloned SDRs and finally antennas. This is a great video to watch if you are new to SDRs and radio in general.

10 Common Mistakes Made With Software Defined Radio

New GNU Radio Beginners Tutorials Available

A new set of beginner tutorials for the GNU Radio platform has been released on the GNU Radio Wiki. GNU Radio is an open source development toolkit for signal processing and is commonly used to build software demodulators and decoders for Software Defined Radios including the RTL-SDR.

The tutorials lead you through topics such as understanding flowgraphs, creating custom Python blocks, using DSP blocks, GNU Radio core mechanics, modulation and demodulation and more.

We are pleased to announce a new set of beginner-level tutorials, as well as a new tutorials landing page, you can check them out here

A big thank you to NumFOCUS for sponsoring the work and to Matt from wavewalkerdsp who did the bulk of the work!

These beginner-level tutorials walk a new user through starting GRC and creating a simple flowgraph, all the way up to creating custom blocks and using tags and message passing.

We would like to create follow-up tutorials that the GNU Radio community needs so please leave feedback in the Discuss tab of the main Tutorials page, here are some suggestions:

  • Do you have ideas for future tutorials you’d like to see made?
  • What doesn’t make sense in GNU Radio, or what is hard to understand?
  • Where are the sticking points? What is hard to remember?
  • What is hard to use?
  • Are there any points in the current tutorials you’d like to see in more detail?
  • What would you change about the tutorials?

You can also access the tutorials using the Tutorials link on the left hand sidebar of the GNU Radio wiki, from any page.

GNU Radio Tutorial Topics

If you're interested in these tutorials you might also want to check out Michael Ossmann's set of video tutorials for the HackRF, which features GNU Radio usage heavily.

SDR++ Server Beta Now Available

SDR++ is a general purpose receiver program compatible with almost any software defined radio including the RTL-SDR. Recent developments have seen the author release a beta of "SDR++ server", a program that allows users to access SDRs remotely by connecting to them over a network connection. This is similar to existing server applications like rtl_tcp and Spyserver. However, like SDR++ itself, SDR++ Server is compatible with almost any SDR, and that is a major drawcard.

The server is still in development and the author notes that he is still working on adding new features like lossless compression techniques in order to reduce network bandwidth requirements. However, it has already been seen to run well in tests with a remote server positioned half way around the world, even without compression enabled.

We note that SDR++ author 'Ryzerth' has a Patreon. If you like seeing these SDR++ developments please consider supporting him.

Video Tutorial: Decoding HD Radio on Windows with nrsc5-gui

Thank you to "Double A" for submitting his video that shows how to install and run the RTL-SDR compatible HD Radio decoder nrsc5-gui on a Windows machine. We've posted about nrsc5-gui and the modified nrsc5-dui software in the past, however despite being Windows compatible, it has only been simple to run on Linux.

In his video Double A shows us how to download and extract the files, how to set up the Windows mingw environment which is required to run the software, and where to place a required dll file dependency. Finally he demonstrates the software in action, running on his Windows machine.

Decoding HD Radio on Windows with RTL-SDR USB

Frugal Radio: Testing a Loop on Ground Antenna with an Airspy HF+ Discovery

The KK5JY Loop on Ground (LoG) antenna is a square loop, 15 feet per side, designed for reception of HF and lower. It simply consists of an isolation transformer and wire that, as the name implies, is placed on the ground in a square loop shape. It is cheap and easy to build, and compact in that it does not take up any usable space.

In his latest video Rob from the Frugal Radio YouTube channel tests out this antenna with his Airspy HF+ Discovery SDR. He uses a bit of wire lying around, and a low cost 9:1 Balun from NooElec as the isolation transformer. With this antenna he was able to pick up signals in the USA and all the way over to Australia from his home in Canada. NDB signals were also receivable.

2022 LoG (Loop on Ground antenna) for SDR radio tested on Airspy HF+ Discovery SDR KK5JY HAM radio

Reverse Engineering a 30 Year Old Wireless Garage Door Opener with a HackRF and GNU Radio

At his childhood home Maxwell Dulin discovered that his garage door was controlled by a 30 year old system called the "Sears Craftsman 139.53708 Garage Door Remote". Being interested in SDRs Maxwell decided to see if he could reverse engineer the remote using his HackRF.

His first step was to search for the frequency, which he found active at 390 MHz. He then moved on to analyzing the signal with Inspectrum, discovering the OOK modulation, then working his way towards the binary control strings. One thing that helped with his reverse engineering was the 9-bit DIP switches on the remote, which configure the security code that opens a specific door. These allowed him to control the transmitted bits and determine which bits were used for the security code. With this and a bit of GNU Radio code he was able to recreate the signal and transmit it with his HackRF.

Finally Maxwell wanted to see how vulnerable this door is to a brute force attack that simply transmits every possible security code. Through some calculations, he discovered that brute forcing every possible security code in the 9-bit search space would only take 104 minutes to open any garage using this opener.

GNU Radio replaces a 30 year old garage door remote

Remoticon 2021: Smart Meter Hacking Talk

Remoticon 2021 was an online conference held in November 2021, and videos of the presentations have been uploaded to the Hackaday YouTube channel this month. One very interesting talk was the presentation by Hash Salehi (RECESSIM) on reverse engineering electricity smart meters that are used to remotely monitor and bill home electricity usage in some neighborhoods.

We've posted about Hash (RECESSIM)'s series on smart meter hacking a few times before. In this latest talk Hash summarizes his smart meter hacking experience, talking about how he went from reverse engineering the firmware, to using an SDR to capture and decode information from all the smart meters in his neighborhood, and finally to determining how to actually transmit data to his own smart meter network.

Hackaday have also posted a full writeup on his talk. This is a very in depth reverse engineering project so it is a great talk to learn from.

Remoticon 2021 // Hash Salehi Outsmarts His Smart Meter