Category: Applications

NUT2NT+ Crowdfunding: Open Source GNSS RF-to-bits Receiver

Back in May 2018 we first posted about Amungo Navigation's NUT4NT+ project, which is a four channel global navigation satellite system (GNSS) board based on the NT1065 chip. With the right antenna, it is capable of receiving any navigation satellite including GPS, GLONASS, Galileo, BeiDou, IRNSS, and QZSS. With access to multiple satellite systems, the positioning resolution can be down to the centimeter.

Currently crowdfunding on Crowd Supply is the NUT2NT+, which is their low-cost 2-input GNSS board. Early bird units are going for $250 (12 units left at the time of posting), with the normal price being $320. Compared to their previous legacy version it has an FPGA, TCXO, bias tee and other improvements. They write:

NUT2NT+ hardware is open source, as is the software - giving the user the ability to set a receiver’s modes and frequencies, to capture all signals continuously, and to have complete control over primary processing features.

Several startups and large companies offer proprietary GNSS positioning solutions and even mobile GNSS software-defined receivers. But a closed ecosystem reduces accessibility for an enthusiast or professional developer, and it limits what a user can do with their hardware. We are happy to bring NUT2NT+ to the world as an open source option.

We note that this is an advanced device for developers and experimenters, but the possible applications they write about such as precision positioning for autonomous vehicles and black box logging are quite interesting.

NUT2NT+ with RA125 antenna for precision positioning of autonomous vehicles.

Their higher end four channel input version (which appears to only be for sale via contact on their website at the moment) can be used as a coherent receiver which can locate sources of GPS jamming via an augmented reality app. In our previous post we highlighted how they were able to find the location of the GPS jammer/spoofers famously active around the Russian Kremlin buildings.

XNZR is searching for Moscow GPS Spoofing Anomaly

SignalsEverywhere: Setting Up Priority and Groups in DSDPlus Fastlane

In his last video, Corrosive from the SignalsEverywhere YouTube channel showed us a quick guide on setting up a Phase 1 P25 digital voice decoder with two RTL-SDR dongles and the DSDPlus Fastlane decoder.

Now in his latest video Corrosive continues with the DSDPlus tutorial and this time explains how to set up priority and groups. On a trunked radio system there may be many different agencies using the same system simultaneously. Without priorities and groups, you would be listening to all communications in the system, and following a conversation within a particular agency would be difficult. Setting up priorities and groups allows you to filter out the conversations that you are not interested in, allowing you to focus on listening in to a particular agency only.

RTL SDR Digital Radio Scanning Priority and Groups With DSDPlus Fastlane Setup Tutorial

Replicating A Rolljam Wireless Vehicle Entry Attack with a Yardstick One and RTL-SDR

Over on his hackaday.io blog, Gonçalo Nespral has written about his experiences in recreating Samy Kamkar's now-famous low-cost rolljam attack. A rolljam attack allows an attacker to break into a car by defeating the rolling code security offered by wireless keyfobs. Back at Defcon 2015, an information security conference, Samy Kamkar presented a method for creating a $32 Rolljam device that consisted of two 433 MHz transceiver modules controlled by an Arduino.

In his version, Gonçalo was able to recreate the attack using a Yardstick One and an RTL-SDR. The RTL-SDR receives the signal, whilst the Yardstick One performs the jamming and retransmit functions.

Actually using this attack in a real scenario would be difficult due to the need to properly jam and receive the keyfob signal, which could prove tricky in an uncontrolled environment. However, there have been reports of criminals entering high end cars with wireless devices before and this could be one such attack method in use.

The important thing to learn is to be suspicious if your car key fob doesn't work on the first press while you are definitely in range of the car. To mitigate the possibility of wireless keyfob attacks, always use a manual key, and if you must use the wireless keyfob, only unlock the car when standing right next to it, so that the keyfob signal is strong enough to overcome the jammer. It is still plausible, however, that an attacker could attach the rolljam device to the car itself for greater jamming power, and then retrieve it later.

[First seen on Hackaday]

How RollJam Works

SignalsEverywhere: Using DSDPlus Fastlane for Listening to Phase 1 P25 Trunking

DSDPlus is a popular piece of software often used with RTL-SDR dongles to listen to unencrypted digital voice signals such as P25 and DMR. Digital voice is now commonly used by many police and emergency services as well as business radio. DSDPlus Fastlane is DSD's paid upgrade, which gives subscribers early access to the latest releases of DSDPlus.

Over on the SignalsEverywhere YouTube channel, Corrosive has uploaded a quick video guide that shows how to use DSDPlus Fastlane and two RTL-SDR dongles to set up a Phase 1 P25 voice decoder that automatically follows a P25 trunking channel. The basic process involves running two instances of FMP, a program in the DSDPlus suite that connects to the RTL-SDRs and receives the signal. One DSDPlus instance monitors the trunking channel, and this tunes the second FMP+DSD instance to the frequency currently active in the trunking system.

Corrosive also explains how people who are subscribed to RadioReference can download pre-populated data files that will allow the DSDPlus event log to display talkgroup information so that you can see who is talking to whom.

RTL SDR Digital Radio Scanning With DSDPlus Fastlane Setup Tutorial

SigintOS: A Linux Distro for Signal Intelligence

Recently we've heard of a new Linux distribution called SigintOS becoming available for download. SigintOS is an Ubuntu based distribution with a number of built in signal intelligence applications for software defined radios such as RTL-SDRs and other TX capable SDRs like the HackRF, bladeRF and USRP radios.

The distro appears to be very well executed, with a built-in GUI that grants easy access to some common sigint tools like an FM and GPS transmitter, a jammer, a GSM base station search tool and an IMSI catcher. SigintOS also has various other preinstalled programs such as GNU Radio, gr-gsm, YateBTS, Wireshark and GQRX.

The OS also teases an LTE search and LTE decoder; to access them you need to get in contact with the creators, presumably for a licensing fee. Regarding an LTE IMSI catcher they write:

LTE IMSI Catcher is not myth!

Due to the nature of LTE base stations, the capture of IMSI numbers seems impossible. LTE stations use GUTI to communicate with users instead of IMSI. The GUTI contains the temporary IMSI number called T-IMSI. This allows the operator to find out who is at the corresponding LTE station who is authorized to query T-IMSI information.

Can the GUTI number be found?
Answer Yes!

How to find GUTI and T-IMSI numbers?
Can be found with the help of SigintOS …

For detailed information [email protected]

The image comes as a 2GB ISO file, and it's possible to run it in VMware or VirtualBox.

SigintOS IMSI Catcher

QIRX SDR Beta 2.0.1.0 Released: Improvements to DAB Scanner, Recorder and Spectra Display

QIRX SDR is a multimode SDR program compatible with the RTL-SDR. One of its defining features is that it has a built in DAB+ decoder. Recently beta version 2.01 of QIRX SDR was released which has some scanner, recording and spectra display improvements. We note that the beta version appears to be a DAB decoder only, with no multi-mode features. The new features and improvements include:

Scanner:

  • Configurable w/r to the Muxes to be scanned and/or included in the usual set of Muxes being used.
  • New algo, considerably faster
  • "Scan forever" feature, interesting for DX-ers wishing to observe Muxes over a longer time, particularly together with TII logging.
  • Selectable waiting time after recognition of a Mux, for TII logging.

Recorders:

  • TII Recorder: File structure improved, now directly importable into Excel, with TAB as separator.
  • Audio Recorder (DAB+ only): Format selectable between WAV (as usual) and pure AAC (with ADTS headers). The latter allows for high-quality recordings compressed by at least a factor of 10 compared to WAV. The popular Foobar2000 app is able to play these files. Not seekable yet though, because embedding in a suitable container is not yet implemented.

Spectra:

  • CIR with different scales (Samples, Distance, Time)
  • Indication of the correlation peaks used for the "FFT Window" determination in the CIR spectrum.
QIRX SDR Beta 2.0.1.0

Receiving Voice Communications From the Soyuz MS-12 Expedition to the ISS

On March 14 the Soyuz MS-12 spacecraft mission was launched, carrying three astronauts to the International Space Station (ISS). Back on the ground, YouTube creator Tysonpower was able to receive the voice communications of Russian cosmonaut Alexey Ovchinin while the Soyuz spacecraft was approaching the ISS. To do this he used an Airspy SDR and a homemade QFH antenna, and he notes that reception could just as easily have been achieved with an RTL-SDR.

Tysonpower has uploaded a video explaining what he received along with a subtitled and translated recording of the communication. More information is also available in his blog post.

[EN subs] Empfang von Cosmonaut Alexey Ovchinin im Soyuz MS-12

Conference Talk: Linux, Raspberry Pi, RTLSDR, LAME and Open Source (A Recipe For Responding to Natural Disasters)

The SCaLE conference on open source and free software was recently held on March 10 in Pasadena, California. One of the talks by Ben Kuo AI6YR was titled "Linux, Raspberry Pi, RTLSDR, LAME and Open Source (A Recipe For Responding to Natural Disasters)". This talk was streamed live, and is archived on YouTube.

In the talk Ben discusses how RTL-SDRs can be useful in disaster response by putting radio communications onto online audio streaming sites like Broadcastify. He notes how difficult it was for residents affected by the California wildfires to get up-to-date information on how close the fire was to their house from news stations and authorities. In contrast, information on the internet came in much faster and more accurately. He notes in particular how listening in to firefighter radio communications via online streams uploaded by RTL-SDR users can give the fastest and most up-to-date information to concerned residents.

Ben also mentions how it can also be useful to track the movement of fires via the ADS-B flight tracking data transmitted by firefighting aircraft. By watching the aircraft movements the spread of the fire can be determined.

In the YouTube video stream, Ben's talk starts at about 3:31:00 and the video below should start at that time. The three other talks recorded in this stream are all ham radio related and may also be of interest to you.

Room 212 Sunday Mar. 10 - SCaLE 17x