Thank you to Ryan K for submitting his latest blog post where he gives an in depth explanation of how he reverse engineered his La Crosse weather station using an RTL-SDR, PlutoSDR and the Universal Radio Hacker (URH) software.
The La Crosse weather station system consists of a LCD base station, and various wireless sensors. Ryan first discovered that the devices used the 915 MHz frequency band via details written on the device itself. His next step was to open up Universal Radio Hacker and use one of his SDRs to record a packet. URH then allowed him to convert that data into bits for packet analysis. The rest of his post goes into detail on how he set the symbol rate, discovered the preamble and reverse engineered the CRC code.
The next step he took was to generate a spoofed packet generated by URH and transmitted by the PlutoSDR. This allowed him to set the base station display to any temperature that he specified. But he ran into a problem where only the first packet he sent after power up was received. Eventually he discovered that the system sets a randomized interval for each of the transmitters at startup, and data outside of that interval is ignored.
Ryan's post explains his whole though process and progress in detail, so is an excellent study for anyone looking to get into reverse engineering wireless signals.
Reverse Engineering a La Crosse Weather Station with a PlutoSDR and RTL-SDR
For some time now there has been chatter about the possibility of using WSPR logs to help track the mysterious disappearance of flight MH370. WSPR or the "Weak Signal Propagation Reporter" is a protocol typically used on the HF bands by amateur radio operators. The properties of the protocol allow WSPR signals to be received almost globally despite using low transmit power. Amateur radio operators use it for making contacts, or for checking HF radio propagation conditions. MH370 is a flight that infamously vanished without a trace back in 2014.
The theory proposed by aerospace engineer Richard Godfrey is to use logs of sent and received WSPR transmissions that may have intersected the potential flight path of MH370, and to look for potential reflections or 'scatter' in the signal from the metal aircraft hull. From the reflections an approximate track of the aircraft could be calculated much in the same way that bistatic over the horizon radar systems work.
While it is an exciting theory, it is unfortunately considered by most experts as highly unlikely to yield any suitable results with the main problems being WSPR transmission power too weak to detect reflections from an aircraft, and the effect of the ionosphere too difficult to account for.
Over on his blog Nils Schiffhauer (DK8OK) has posted a thorough critique of the idea, explaining the theory, technical details and difficulties in depth, ultimately coming to the conclusion that the idea is based more in wishful thinking than in fact. Nils summarizes:
Time and again, there are news stories in the professional and popular press about the fact that log data from the WSPR data network can help locate aircraft. In particular, the effort is to determine the actual crash site of flight MH370. This effort essentially amounts to detecting "unusual" level jumps and frequency changes ("drift") in the archived WSPR log data and attributing them to reflections from specific aircraft ("aircraft scatter").
In a blog entry, Nils Schiffhauer, DK8OK, for the first time critically evaluates this theory. On the one hand, this is based on years of observation of aircraft scatter on shortwave as well as an investigation of about 30 Doppler tracks. The results of this complex analysis of more than 10,000 data in one example alone are sobering: The effects of aircraft scatter on the overall signal are almost always well below 0.3 dB.
To prove a correlation between level changes of the overall signal and aircraft scatter seems hardly possible on the basis of the WSPR data material. The reasons are manifold, but lie mainly in shortwave propagation, where level changes of 30 dB within a few seconds are the rule rather than the exception.
However, since the local and temporal state of the ionosphere is not known in previous investigations on the WSPR data material - it is recorded in parallel in professional OTH radar systems and calculated out of the received signal - level jumps can hardly be clearly assigned from the sum signal alone. This finding is supported by further arguments in the blog: https://t1p.de/t5kr
Nils demonstrates aircraft scatter on China Radio International, a 500kW transmitter.
SDRAngel is a general purpose software defined radio program that is compatible with most SDRs including the RTL-SDR. We've posted about it several times before on the blog, however we did not realize how much progress has occurred with developing various built in plugins and decoders for it.
Thanks to Jon for writing in and sharing with us a demonstration video that the SDRAngel team have released on their YouTube channel. From the video we can see that SDRAngel now comes stock with a whole host of built in decoders and apps for various radio applications making it close to an all-in-one SDR platform. The built in applications include:
ADS-B Decoder: Decodes aircraft ADS-B data and plots aircraft positions on a map
NOAA APT Decoder: Decodes NOAA weather satellite images (in black and white only)
DVB-S: Decodes and plays Digital TV DVB-S and DVB-S2 video
AIS: Decodes marine AIS data and plots vessel positions on a map
VOR: Decodes VOR aircraft navigational beacons, and plots bearing lines on a map, allowing you to determine your receivers position.
DAB+: Decodes and plays DAB digital audio signals
Radio Astronomy Hydrogen Line: With an appropriate radio telescope connected to the SDR, integrates and displays the Hydrogen Line FFT with various settings, and a map of the galaxy showing where your dish is pointing. Can also control a dish rotator.
Radio Astronomy Solar Observations: Similar to the Hydrogen line app, allows you to make solar measurements.
Broadcast FM: Decoding and playback. Includes RDS decoding.
Noise Figure Measurements: Together with a noise source you can measure the noise figure of a SDR.
Graves Radar Tracker: For Europeans, track a satellite and watch for reflections in the spectrum from the French Graves space radar.
Radio Clocks: Receive and decode accurate time from radio clocks such as MSF, DCF77, TDF and WWVB.
APRS: Decode APRS data, and plot APRS locations and moving APRS enabled vehicles on a map with speed plot.
Pagers: Decode POCSAG pagers
APRS/AX.25 Satellite: Decode APRS messages from the ISS and NO-84 satellites, via the built in decoder and satellite tracker.
Channel Analyzer: Analyze signals in the frequency and time domains
QSO Digital and Analog Voice: Decode digital and analog voice. Digital voice handled by the built in DSD demodulator, and includes DMR, dPMR and D-Star.
Beacons: Monitor propagation via amateur radio beacons, and plot them on a map.
We note that the video doesn't show the following additional features such as an analog TV decoder, the SDRAngel "ChirpChat" text mode, a FreeDV decoder and several other features.
Black Cat Systems have recently released two new programs that may be of interest to HF monitoring enthusiasts. The first is a multichannel capable ALE decoder and the second is a multichannel GMDSS-DSC decoder. Both programs are not free, with an (introductory) price tag of $29.99 each for three parallel input channels, and $99 for up to 24 parallel input channels.
With an appropriate HF capable SDR, like a SDRplay, Airspy HF+ Discovery, or even an RTL-SDR V3 in direct sampling mode, these programs allow you to set up a home monitoring station.
ALE or Automatic Link Establishment is a digital RF protocol that enables users to initiate a reliable call over HF frequencies, by automatically choosing the best frequency based on propagation conditions, allowing for telephone like calling operation, and enabling short text messages.
GMDSS or Global Maritime Distress and Safety System is a set of radio protocols that enables digital text communications between ship to ship and the shore, as well as weather broadcasts, and distress beacons.
Over on his blog Nils Schiffhauer (DK8OK) has been testing these two programs out. In his first post about the ALE decoder, Nils explains ALE in more depth, and demonstrates how he uses the multi-channel capable SDR-Console with Virtual Audio Cable to feed 16 ALE channels into the decoder. He goes on to show how to filter by callsign and provides some tips for best reception. He notes that with ALE you might receive messages from:
... forces, diplomatic services, emergency agencies, police, militia, UN missions, drug enforcement, border control and even amateur radio. It is used from aircraft like AWACS, as from aircraft carriers, from mobile units to fixed stations.
In his second post Nils tests out the GMDSS decoder noting that it is an "extraordinary sensitive decoder" and "it also includes smart processing of the data – from looking up vessel’s complete data from ITU’s Ship Station List (internet connection needed) to saving all data to a fully-fledged database". His post goes on to explain the GMDSS format in more detail and demonstrate multichannel decoding.
Black Cat Systems ALE and GMDSS Decoders demonstrated by Nils Schiffhauer (DK8OK)
In the latest video on the Signals Everywhere YouTube channel, Sarah investigates how a PlutoSDR can be used as a Spectrum Analyzer with the SATSAGEN software. The SATSAGEN software is able to work as a spectrum analyzer by rapidly sweeping over multiple frequencies and stitching the spectrum slices together. It support SDRs like the HackRF, PlutoSDR and RTL-SDR (in receive mode only). The PlutoSDR can transmit, so it is able to work as a full spectrum analyzer with tracking generator, allowing users to measure RF devices such as filters, tune antennas, and work as a frequency generator.
In the video Sarah demonstrates how to use the PlutoSDR and SATSAGEN to measure our RTL-SDR Blog Broadcast FM filter, and to tune our multipurpose dipole antenna.
Spectrum Analyzer and Tracking Generator with Pluto SDR
Over on Reddit u/Xerbot has posted about the release of his new software called "LeanHRPT". When combined with a software defined radio, this software can be used to decode and view HRPT weather satellite images received from satellites such as NOAA, Meteor, MetOp and FengYun. We note that unlike APT and LRPT weather satellite signals which transmit in the VHF bands, HRPT signals are generally at ~1.70 GHz and require a motorized or hand tracked satellite dish to receive. u/Xerbot writes:
LeanHRPT is a flexible, easy to use and powerful set of tools for the manipulation of HRPT data (maybe I could be convinced to add LRPT support).
When used properly LeanHRPT Decode can generate (almost) L1B data usable in actual land/weather observation, or just pretty images :)
The LeanHRPT project also contains LeanHRPT Demod, as you probably guessed, a HRPT demodulator. It features an incredibly high sensitivity as well as being able to do both realtime (through SoapySDR) and offline demodulation (baseband).
The GNU Radio conference talks are generally about cutting edge SDR research topics and the YouTube playlist contains 67 videos covering a gambit between what changes have been made in new releases of GNU Radio to presentations and demonstrations focusing on topics such as reverse engineering smart power meters and 5G cell detection among many others.
Some of the talks from this years conference that we found most interesting include:
Back in July we posted about the release of Viol Tailor's "uSDR" software, which is a lightweight general purpose multimode program for Windows which supports the RTL-SDR, Airspy, BladeRF, HackRF and LimeSDR radios. Recently Viol has updated the software to V1.4.0. The new release brings SDRplay support, and various performance and GUI improvements listed below.
