Category: Applications

Two Antenna Diversity For the SDRPlay RSPDuo now Available in SDRUno

The SDRplay RSPDuo is a 14-bit dual tuner software defined radio capable of tuning between 1 kHz - 2 GHz. It's defining feature is that it has two receivers in one radio, which should allow for interesting phase coherent applications such as diversity.

In the latest v1.32 release of SDRUno a diversity feature has been added. Diversity reception was demo'd back in May at Hamvention, and we have a previous post with video about that. Diversity works by subtracting or adding two signals from the two receivers running independent antennas. The result is an up to 3 dB increase in SNR, and better performance with fading signals. They write:

From V1.32 onwards, MRC (Maximal Ratio Combining) Diversity is supported using the RSPduo. MRC Diversity can be used to combine the 2 tuner input streams together to potentially improved the SNR (signal to noise ratio). The same frequency is used for both tuners in the RSPduo and the gain can be adjusted either on each tuner independently or locked together (the default method).

Diversity mode is enabled by clicking on the RSPduo MODE dropdown and select DIVERSITY. Make sure both the 50 ohm ports are connected to the correct input source and note that the HiZ port is not available for Diversity mode. Trying to use the HiZ port will result in an error message being displayed.

Diversity Controls in SDRUno
Diversity Controls in SDRUno

Meteor M N2-2 Successfully Launched: Awaiting LRPT Signal

On July 5 the Russian Meteor M N2-2 weather satellite was successfully launched into orbit and appears to be healthy. The LRPT weather camera signal is not yet broadcasting however, and we expect it to still take roughly 1-2 months before it begins (if all goes well) as satellites typically run through a long list of qualification tests before becoming operational. During this time there may be broadcasts of test patterns that can be caught. Meteor M N2-2 can currently be tracked in Orbitron and online at N2YO.

To try and dispel any confusion over the naming scheme, "Meteor M N2" is the currently operational LRPT satellite. "Meteor M N2-1" unfortunately failed in 2017 as it did not separate from the rocket. "Meteor M N2-2" is the new satellite which has just been successfully launched. Meteor M N2 and M N2-2 is often abbreviated as just "Meteor M2" and "Meteor M2-2". In the past there was Meteor M N1, but this satellite is no longer operational. We have upcoming launches for Meteor M2-3, M2-4, MP-1 and M3 to look forward to which are scheduled for 2020 and 2021.

Back on June 28 we posted about how Meteor M2 was experiencing orientation issues for a few days. Those issues appear to have been rectified now. Hopefully if M2 remains stable we'll have two Meteor LRPT weather satellites to receive alongside the three NOAA APT satellites.

If you're interested, there were also several other payloads onboard the rocket carrying M2-2, including a low cost Czech experimental cubesat called Lucky7 whose telemetry can be received in the amateur radio band at 437.525 MHz. There is an onboard camera too, but no details on how to receive it yet.

Soyuz Rocket carrying Meteor M2-2 Launched successfully. [Source: spaceflightnow]

Solar Sail Satellite Lightsail-2 Now Transmitting Morse Code Beacon

Lightsail-2 is a solar sail experiment which successfully launched on a Space-X Falcon Heavy on 25 June, and was released into orbit on July 2nd. A solar sail is a type of spacecraft that uses a large metallic foil to create propulsion via photons from the sun hitting it. Lightsail-2 is still undergoing testing, so it has not yet deployed it's solar sail, but recent updates indicate that it is healthy.

On board Lightsail-2 is a radio which is transmitting it's morse code beacon "WM9XPA" every 45 seconds at 437.025 MHz. This beacon should be able to be received with a handheld amateur radio 70cm Yagi and any radio such as an RTL-SDR. There is also an AX.25 telemetry data transmission, however although the beacon structure is available we are not aware of any publicly available decoding software.

One difficulty in receiving Lightsail-2 is that it is in an orbit inclination of only 24 degrees. So only locations with a latitude between 42 and -42 degrees will have a chance at receiving it. You can see the solar sail's current location at N2YO. Clicking on the 10-day predictions button will give you pass predictions for your location.

Estimated Lightsail-2 Viewing Range
Estimated Lightsail-2 Viewing Range
Lightsail-2 Deployed
Lightsail-2 Deployed

SignalsEverywhere: Investigating USGS Gaging Stations and their GOES Satellite Connection

The United States Geological Service maintains over 8500 "Gaging stations" in bodies of water all over the country. Gaging stations are devices that are used to measure environmental data such as groundwater levels, discharge, water chemistry, and water temperature. What's interesting is that they all upload their data in real time to GOES satellites - the same satellites that we can use with an RTL-SDR to receive weather images of the entire earth. The data is then downlinked in the L-band to the USGS scientists via a protocol known as DCP (Data Collection Platform).

In the latest SignalsEverywhere video, Corrosive investigates how these stations work, and how we can receive the downlink at 1.68 GHz with a simple Inmarsat L-band antenna. While a fully functional decoder is not yet available, Corrosive notes that one called goes-dcs is currently being worked on.

USGS Gaging Station | Satellite Uplink to GOES and DCP Messages

Tracking Company Jets with ADS-B to Give an Edge to Hedge Fund Investors

Financial news site Bloomberg recently ran an article about how hedge fund managers are using ADS-B to track private company aircraft in order to help predict the next megadeal between companies. They explain with an example:

In April, a stock research firm told clients that a Gulfstream V owned by Houston-based Occidental Petroleum Corp. had been spotted at an Omaha airport. The immediate speculation was that Occidental executives were negotiating with Buffett’s Berkshire Hathaway Inc. to get financial help in their $38 billion offer for rival Anadarko Petroleum Corp. Two days later, Buffett announced a $10 billion investment in Occidental.

There’s some evidence that aircraft-tracking can be used to get an early read on corporate news. A 2018 paper from security researchers at the University of Oxford and Switzerland’s federal Science and Technology department, tracked aircraft from three dozen public companies and identified seven instances of mergers-and-acquisitions activity. “It probably shouldn’t be your prime source of investing information, but as a feeder, as an alert of something else what might be going on, that’s where this work might be useful,” says Matthew Smith, a researcher at Oxford’s computer science department and one of the authors.

"Alternative data" collection firms like Quandl Inc. have services like "corporate aviation intelligence", where they use ADS-B data to keep tabs on private aircraft, then sell their data on to hedge funds and other investors who are hoping to gain an edge in the stock market.

Popular flight tracking sites that aggregate ADS-B data like FlightAware and FlightRadar24 censor data from private jets on their public maps upon the request of the owner, but it's not known if they continue to sell private jet data on to other parties. ADS-B Exchange is one ADS-B aggregator that promises to never censor flights, however the data is only free for non-commercial use. The value from using companies like Quandl is that they probably have a much more accurate database of who each private jet belongs to.

The Bloomberg article also mentions another use case for tracking private flights, which is  tracking the movements of known dictators via their private jets. We previously posted an article about this too. We've also in the past seen ADS-B data used to track world leaders, and help United Nations advisers track flights suspected of violating an arms embargo.

ADS-B data is typically collected these days with a low cost SDR like the RTL-SDR. We have a tutorial on setting up your own ADS-B home tracker here.

Features of Quandl Inc's Corporate Aviation Intelligence Service.
Features of Quandl Inc's Corporate Aviation Intelligence Service.

Rdio Scanner: A Web Based UI for Trunk Recorder

Trunk Recorder is an RTL-SDR compatible open source Linux app that records calls from Trunked P25 and SmartNet digital voice radio systems which are commonly used by Police and other emergency services in the USA. It can be used to set up a system that allows you to listen to previous calls at your leisure, however it does not have any UI for easy browsing.

Recently Chrystian Huot wrote in and wanted to share his new program called "Rdio Scanner", which is a nice looking UI for Trunk Recorder. Rdio Scanner uses the files generated by Trunk Recorder to create a web based interface that looks like a real hardware scanner radio. Some of the features include:

  • Built to act as a real police radio scanner
  • Listen to live calls queued to listen
  • Hold a single system or a single talkgroup
  • Select talkgroups to listen to when live feed is enabled
  • Search past calls stored in the database
  • Just upload Trunk Recorder files with Curl
Rdio Scanner Interface Screenshots
Rdio Scanner Interface Screenshots

Meteor M2 is Currently Experiencing Orientation Issues

Russian weather satellite Meteor M2 is a popular reception target for RTL-SDR radio enthusiasts, as it allows you to receive high resolution images of the Earth. However, currently it appears to be exhibiting orientation issues, causing off center and skewed images and sometimes poor/no reception. Russian blog "aboutspacejornal", writes that the orientation of the satellite can sometimes be restored presumably by a reset command from Earth, but shortly after goes back into uncontrolled rotation.

These sorts of off-axis images were commonly received from the older decommissioned Meteor-M1 satellite, which woke up from the dead in 2015. The resurrection was speculated to be from the batteries shorting out, allowing power to directly flow from the solar panels while in full sunlight. These days Meteor-M1 is no longer transmitting.

Meteor M2 proving the curvature of the earth due to it's orientation issues.
Meteor M2 proving the curvature of the earth due to it's orientation issues.  Image source aboutspacejornal.

Hopefully Meteor-M2 can be fixed, but if not, Meteor M2-2 is due to be launched on July 5 which should also have an LRPT signal that can be received easily with an RTL-SDR. Hopefully the launch is more successful than the November 2017 launch of Meteor M2-1 which unfortunately was a complete loss as it failed to separate from the rocket.

Hak5: Hacking Ford Key Fobs with a HackRF and Portapack

This weeks episode of Hak5 (an information security themed YouTube channel) features Dale Wooden (@TB69RR) who joins hosts Shannon and Darren to demonstrate a zero day vulnerability against Ford keyless entry/ignition. More details about the vulnerability will be presented at this years DEF CON 27 conference, which is due to be held on August 8 - 11.

In the video Dale first demonstrates how he uses a HackRF with Portapack to capture and then replay the signal from a Ford vehicle's keyfob. The result is that the original keyfob no longer functions, locking the owner out from the car. After performing a second process with another keyfob, Dale is now able to fully replicate a keyfob, and unlock the car from his HackRF.

Dale explains that unlike the well known jam-and-replay methods, his requires no jamming, and instead uses a vulnerability to trick the car into resetting the rolling code counter back to zero, allowing him to capture rolling codes that are always valid. Dale also notes that he could use any RX capable SDR like an RTL-SDR to automatically capture signals from over 100m away.

The vulnerability has been disclosed to Ford, and the full details and code to do the attack will only be released at DEF CON 27, giving Ford enough time to fix the vulnerability. It is known to affect 2019 Ford F-150 Raptors, Mustangs and 2017 Ford Expeditions, but other models are also likely to be vulnerable.

The video is split into three parts. In part 1 Dale demonstrates the vulnerability on a real vehicle and in part 2 he explains the story behind his discovery, how he responsibly disclosed the vulnerability to Ford and how to reset the keyfob yourself. Finally in part 3 Darren interviews Dale about his experiences in the RF security field.

Dales discovery has also been written up in an article by The Parallex which explains the exploit in more detail.

Hacking Ford Key Fobs Pt. 1 - SDR Attacks with @TB69RR - Hak5 2523 [Cyber Security Education]

Hacking Ford Key Fobs Pt. 2 - SDR Attacks with @TB69RR - Hak5 2524 [Cyber Security Education]

Hacking Ford Key Fobs Pt. 3 - SDR Attacks with @TB69RR - Hak5 2525 [Cyber Security Education]