Category: Applications

Radenso Theia: An SDR Based Police Radar Detector

Radenso is a company that sells radar detectors. These are used to help motorists avoid speeding fines from Police using radar speed detectors in their cruisers. Their latest upcoming product is called the "Radenso Theia" and is a software defined radio based solution.

In one of their latest YouTube videos they explain how SDR is used in the Theia, noting that the SDR ADC chip they are using is an AD9248. The use of an SDR allows them to more easily apply advanced digital signal processing algorithms to the radar detection task. In particular they note that they can now apply deep learning artificial intelligence filtering which helps to classify different radar gun FFT signatures and avoid false positives from other radar sources such as automatic doors.

While the Theia is designed to be a radar detector, they note that the device could also be used by hardware hackers as a standalone software defined radio. They have thought about this use case and have added a separate uFL connector that can be enabled by soldering a zero ohm connector, and this allows users to connect any antenna to it.

What is a software defined radio and why does it matter for Radenso Theia?

Decoding 5GHz NTSC Video from Drones with a HackRF, DragonOS and SigDigger

Over on his YouTube channel Aaron has uploaded a video showing how we can use SigDigger to decode analog NTSC video from a drone camera which is transmitted at 5.7 GHz. SigDigger is a rapidly evolving SDR program for Linux and MacOS that has a lot of built in functionality for inspecting signals in more depth. Although not specifically designed for it, the Symbol Stream viewer in SigDigger can be used to display NTSC Analog Video. Aaron writes:

For the most part, the older an analog modulation is, the easier it is to get basic results when decoding. TV receivers were rather dumb back in the day, basically fast fax machines glued to an off-band FM radio receiver. Receiver circuits were also slow, and the signal had lots of invisible blank spaces in the borders so that the cheapest TVs could switch to the next line in time. The invention of Teletext leveraged those blanks in order to carry digital information and color information was embedded as an additional narrowband signal in the gaps in the spectrum.

With this in mind I wanted to take a look at decoding analog video transmissions from drones. While some drones have moved to more effective digital compression and channel transmission technologies allowing for high definition video, there’s still drones using RC-like communications and the FPV video link is pure FM-modulated NTSC.

Searching the internet provided few results on how I could go about using low cost equipment, such as the HackRF One, to decode drone feeds. After an extensive search I decided to start looking at Linux based software defined radio applications I was already familiar with. By chance I happened to be working with SigDigger, a free digital signal analyzer. It has been discussed on RTL-SDR.com and more recently on Signal Lounge (https://signal-lounge.com/2020/05/05/sigdigger-for-signal-analysis/). It is also included in my own creation, DragonOS (https://sourceforge.net/projects/dragonos-lts/)

After a brief email exchange with the developer it was brought to my attention that visualizing analog video transmission is possible in SigDigger (although with no color information, of course). Since SigDigger supports the HackRF and the HackRF provides coverage in the 5ghz band, it was now possible for me to try to decode a 5ghz drone video feed. I’ve documented the process and my results on my YouTube channel. I should point out that this is currently a side feature of SigDigger and currently lacks synchronization. The symbol view area I used in the video is not made for this. It is meant to display symbols and symbols patterns which, due to its behavior, can incidentally show the contents of analog TV and weather faxes with lots of manual adjustments.

While the SigDigger developer makes mention of plans to include an embedded generic analog TV viewer and possibly add the ability to automatically sync video, there’s currently no timeframe on when that might become available.

SigDigger Decoding NTSC Video from a Drone Camera
DragonOS LTS SigDigger demodulating a 5 GHz analog video/FPV drone link (HackRF One, SigDigger)

We note that if you're interested in PAL/NTSC decoding, there is also the excellent TVSharp plugin for SDR# available.
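The raster-style display described in Aaron's write-up, and the missing synchronization he mentions, can be illustrated on a constructed signal: rows only line up when the raster width equals the scan-line length, and a search over widths finds that length automatically. This is an added example, not code from the post or from SigDigger. The line length, sync width and bar pattern are assumed values chosen for the demonstration.

```python
# Added illustration: a constructed signal, not a capture from any real link.
LINE_LEN = 127   # samples per scan line in the constructed signal (assumption)
SYNC_LEN = 9     # samples of horizontal sync at the start of each line (assumption)
N_LINES = 60     # number of scan lines generated

def make_test_signal():
    """Build a demodulated-luminance-like stream: sync pulse, blanking, picture."""
    out = []
    for line in range(N_LINES):
        for x in range(LINE_LEN):
            if x < SYNC_LEN:
                out.append(0.0)                      # sync tip: lowest level
            elif x < SYNC_LEN + 10:
                out.append(0.3)                      # blanking (the invisible border)
            else:
                bar = 1.0 if (x // 12) % 2 else 0.5  # vertical bar pattern
                out.append(bar - 0.002 * line)       # slow top-to-bottom shading
    return out

def rasterize(samples, width):
    """Cut the stream into rows of `width` samples, as a raster/symbol view does."""
    rows = len(samples) // width
    return [samples[r * width:(r + 1) * width] for r in range(rows)]

def row_mismatch(samples, width):
    """Mean absolute difference between vertically adjacent pixels."""
    rows = rasterize(samples, width)
    total = sum(abs(a - b)
                for r0, r1 in zip(rows, rows[1:])
                for a, b in zip(r0, r1))
    return total / (width * (len(rows) - 1))

def estimate_line_length(samples, lo, hi):
    """Return the raster width in [lo, hi] whose rows line up best."""
    return min(range(lo, hi + 1), key=lambda w: row_mismatch(samples, w))

def sync_column(samples, width):
    """Index of the darkest column, i.e. where the sync pulse lands in the raster."""
    rows = rasterize(samples, width)
    col_sums = [sum(row[c] for row in rows) for c in range(width)]
    return col_sums.index(min(col_sums))

if __name__ == "__main__":
    sig = make_test_signal()
    width = estimate_line_length(sig, 100, 200)
    print("estimated line length:", width, "sync at column", sync_column(sig, width))
```

With a one-sample error in the width, every row is shifted relative to the one above it and the picture shears diagonally, which is why the manual adjustments mentioned in the write-up are needed when no automatic sync is available.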

Tutorial on Using xrit-rx to Receive Weather Images from Geostationary Satellite GK-2A

Over on his website VKSDR has recently released a tutorial about his Linux based xrit-rx software which allows RTL-SDR and other SDR owners to receive weather images from the geostationary satellite known as GEO-KOMPSAT-2A (GK-2A). GK-2A is a Korean satellite, hence it is positioned over the Asia-Pacific region, covering Asia, Eastern Russia, Australia and New Zealand.

To receive images from GK-2A you'll need an RTL-SDR, 2.4 GHz WiFi grid antenna and an L-band LNA. We have an earlier tutorial about receiving GK-2A and GOES geostationary L-band satellites that goes into more detail about the hardware required. 

VKSDR's xrit-rx software decodes the Low Rate Information Transmission (LRIT) signal from GK-2A which provides a 64kbps data stream and full disk images of the earth every 10 minutes. His tutorial explains the various image types that are transmitted, shows a few example images, and shows that some smooth animations can be created with the 144 images received over a day. The rest of the tutorial goes into the software setup, and explains the installation and configuration procedure.

We note that the latest version of xrit-rx now also comes with a nice web based dashboard that allows you to view the latest image, as well as the upcoming image schedule.

Full Disk Images Received from GK-2A via xrit-rx

The new web based dashboard for xrit-rx

GNU Radio TEMPEST Implementation Now Available

TEMPEST refers to a technique that is used to eavesdrop on electronic equipment via their unintentional radio emissions (as well as via sounds and vibrations). All electronics emit some sort of unintentional RF signals, and by capturing and processing those signals some data can be recovered. For example the unintentional signals from a computer screen can be captured, and converted back into a live image of what the screen is displaying.

Until recently we have relied on an open source program by Martin Marinov called TempestSDR which has allowed RTL-SDR and other SDR owners to perform interesting TEMPEST experiments with computer and TV monitors. We have a tutorial and demo on TempestSDR available on a previous post of ours. However, TempestSDR has always been a little difficult to set up and use.

More recently a GNU Radio re-implementation of TempestSDR called gr-tempest has been released. Currently the implementation requires the older GNU Radio 3.7, but they note that a 3.8 compatible version is on the way.

The GNU Radio implementation is a good starting point for further experimentation, and we hope to see more developments in the future. They request that the GitHub repo be starred as it will help them get funding for future work on the project.

The creators have also released a video shown below that demonstrates the code with some recorded data. They have also released the recorded data, with links available on the GitHub. It's not clear which SDR they used, but we assume they used a wide bandwidth SDR as the recovered image is quite clear.

Examples using gr-tempest

GR-TEMPEST: GNU Radio TEMPEST Implementation

Running rtl_tcp over the TOR Network

Over on his DragonOS YouTube tutorial channel Aaron has uploaded a video showing how it is possible to run rtl_tcp over the TOR network. TOR is an "anonymity network" which routes your internet traffic through thousands of volunteer nodes in order to make tracing your internet activity more difficult.

Aaron's tutorial shows how to route rtl_tcp traffic through a TOR connection on his Linux distribution DragonOS (although it should work on any Linux distro), and connect to it with GQRX.

However, a major caveat is that the streaming result is rather poor, with lots of data drops, probably due to the slowness of the TOR network. Perhaps running a smaller sample rate, or using a more efficient server like Spyserver might work better.

DragonOS LTS Remote access RTL-SDR over TOR network (Gqrx, rtl_tcp, OpenWRT)

The 2020 GNU Radio Conference will be held Virtually – Talks Streamed for Free

The yearly GNU Radio Conference (GRCon) is a conference all about the development of GNU Radio and projects based on GNU Radio. GNU Radio is an open source digital signal processing (DSP) toolkit which is often used in cutting edge radio applications and research to implement decoders, demodulators and various other SDR algorithms.

This year's 2020 GNU Radio Conference is to be the 10th one ever held and was supposed to take place in Charlotte, NC. However, due to the ongoing pandemic, the organizers have now decided that it will be held entirely online this year. The starting date is September 14 and the talks and events will probably run for several days. All talks will be streamed for free, however, registering for US$50 will get you access to the live workshops and other events.

There is a great line up of keynote speakers, and if you have a talk that you'd like to submit, submissions are now open. For ideas on what GNU Radio talks are like, you can see full recordings from previous GNU Radio conferences on their YouTube channel playlists.

GNU Radio Conference (GRCon) is the annual conference for the GNU Radio project & community, and has established itself as one of the premier industry events for Software Radio. It is a week-long conference that includes high-quality technical content and valuable networking opportunities. GRCon is a venue that highlights design, implementation, and theory that has been practically applied in a useful way. GRCon attendees come from a large variety of backgrounds, including industry, academia, government, and hobbyists.

GRCon20 will be held starting September 14, 2020 online as a virtual event. The organizing team is hard at work to create a fun and interactive experience.

Our keynote speakers include: Becky Schoenfeld W1BXY, managing editor of QST magazine, Oona Räisänen [ windytan ] hacker of signals and computer programmer, and Jim St. Leger, Director Open Source, Intel.

With an annual program that has broad appeal, GRCon attracts people new to Software Radio just looking to learn more, experts that want to keep their finger on the pulse & direction of the industry, and seasoned developers ready to show off their latest work.

Call for Participation is now open!

Registration

Registration is available now!


GNU Radio Code for Android Now Released

Back in November 2019 we posted how Bastian Bloessl (@bastibl) had teased us with his ability to get GNU Radio running on an Android phone. Now he has officially released his code to the public on GitHub. This is quite a remarkable development as you can now carry a full DSP processing suite in your pocket. In addition to the code, he's put up a short blog post explaining a bit about the port. He notes some highlights of the release:

  • Supports the most recent version of GNU Radio (v3.8).
  • Supports 32-bit and 64-bit ARM architectures (i.e., armeabi-v7a and arm64-v8a).
  • Supports popular hardware frontends (RTL-SDR, HackRF, and Ettus B2XX). Others can be added if there is interest.
  • Supports interfacing Android hardware (mic, speaker, accelerometer, …) through gr-grand.
  • Does not require to root the device.
  • All signal processing happens in C++ domain.
  • Provides various means to interact with a flowgraph from Java-domain (e.g., Control Port, PMTs, ZeroMQ, TCP/UDP).
  • Comes with a custom GNU Radio double-mapped circular buffer implementation, using Android shared memory.
  • Benefits from SIMD extensions through VOLK and comes with a profiling app for Android.
  • Benefits from OpenCL through gr-clenabled.
  • Includes an Android app to benchmark GNU Radio runtime, VOLK, and OpenCL.
  • Includes example applications for WLAN and FM.

He's even included demonstration code that turns a USRP B200 SDR connected to an Android phone into a WLAN transceiver which can run in real time on faster devices.

Installing it may not be easy for most, but Bastian has included full build instructions on the GitHub page, and makes use of a Docker file which should simplify the installation a bit.

GNU Radio running on an Android phone, using a USRP B200 SDR as a WLAN transceiver.
GNU Radio 3.8 on un-rooted Android receiving FM w/ HackRF (take 2)

Performing a Side Channel TEMPEST Attack on a PC

TEMPEST refers to a technique that is used to eavesdrop on electronic equipment via their unintentional radio emissions (as well as via sounds and vibrations). All electronics emit some sort of unintentional RF signals, and by capturing and processing those signals some data can be recovered. For example the unintentional signals from a computer screen could be captured, and converted back into a live image of what the screen is displaying. We have tutorials on how to do this with a program called TempestSDR available on a previous post of ours.

Recently Mikhail Davidov and Baron Oldenburg from duo.com have uploaded a write up about their TEMPEST experiments. The write up introduces the science behind TEMPEST eavesdropping first, then moves on to topics like software defined radios and antennas.

At the end of their post they perform some experiments like constantly writing data to memory on a PC, and putting the PC's GPU under varying load states. These experiments result in clear RFI bursts and pulsing carriers being visible in the spectrum, indicating that the PC is indeed unintentionally transmitting RF. They note that machine learning could be used to gather some information from these signals.

Their write up reminds us of previous TEMPEST related posts that we've uploaded in the past. One example is where an RTL-SDR was used to successfully attack AES encryption wirelessly via the unintentional RF emitted by an FPGA performing an encryption algorithm. Another interesting post was where we saw how a HackRF was used to obtain the PIN of a cryptocurrency hardware wallet via TEMPEST. Search TEMPEST on our blog for more posts like that.

TEMPEST PC Side Channel Setup: RF pulses from writing to memory and a GPU.