Category: Featured Article

Tutorial: Replay Attacks with an RTL-SDR, Raspberry Pi and RPiTX

With an RTL-SDR dongle, Raspberry Pi, piece of wire and literally no other hardware it is possible to perform replay attacks on simple digital signals like those used in 433 MHz ISM band devices. This can be used for example to control wireless home automation devices like alarms and switches.

In this tutorial we will show you how to perform a simple capture and replay using an RTL-SDR and RPiTX. With this method there is no need to analyze the signal, extract the data and replay using a 433 MHz transmitter. RPiTX can replay the recorded signal directly without further reverse engineering, just as if you were using a TX capable SDR like a HackRF to record and TX an IQ file.

Note that we’ve only tested this replay attack with simple OOK 433 MHz devices. Devices with more complex modulation schemes may not work with this method. But the vast majority of 433 MHz ISM band devices are using simple modulation schemes that will work. Also, replay attacks will not work on things like car keys and most garage door openers, as those have rolling code security.

A video demo is shown below:

Hardware used and wireless ISM band devices tested with RPiTX

RPiTX

RPiTX is open source software which allows you to turn your Raspberry Pi into a general purpose transmitter for any frequency between 5 kHz and 500 MHz. It works by using square waves to modulate a signal on the GPIO pins of the Pi. If controlled in just the right way, FM/AM/SSB or other modulations can be created. By attaching a simple wire antenna to the GPIO pin these signals become RF signals transmitted into the air.

Of course this creates an extremely noisy output which has a significant number of harmonics. So to be legal and safe you must always use bandpass filtering. Harmonics could interfere with important life critical systems (e.g. police/EMS radio, aircraft transponders etc).

For testing, a short wire antenna shouldn’t radiate much further than a few meters past the room you’re in, so in this case you should be fine without a filter. But if you ever connect up to an outdoor antenna or amplify the signal then you absolutely must use adequate filtering, or you could find yourself in huge trouble with the law. Currently there are no commercially made 433 MHz filters for RPiTX available that we know of, so you would need to make your own. Also remember that you are still only allowed to transmit in bands that you are licensed for, which for most people will be the ISM bands.

In the past we’ve seen RPiTX used for things like controlling an RC car, building a home made FM repeater, creating a ham transceiver and transmitting WSPR (via a well made filter). We’ve also seen people perform replay attacks using the cleaner but harder way by reverse engineering a 433 MHz signal, and then generating the RPiTX OOK modulation manually.


Review: Airspy vs. SDRplay RSP vs. HackRF


When people consider upgrading from the RTL-SDR, there are three mid priced software defined radios that come to most people’s minds: The Airspy (store), the SDRplay RSP (store) and the HackRF (store). These three are all in the price range of $150 to $300 USD. In this post we will review the Airspy, review the SDRplay RSP and review the HackRF and compare them against each other on various tests.

Note that this is a very long review. If you don’t want to read all of this very long post then just scroll down to the conclusions at the end.

What makes a good SDR?

In this review we will only consider RX performance. So first we will review some terminology, features and specifications that are required for a good RX SDR.

SNR – When receiving a signal the main metric we want to measure is the “Signal to Noise Ratio” (SNR). This is the peak signal strength minus the noise floor strength.

Bandwidth – A larger bandwidth means more signals on the screen at once, and more software decimation (better SNR). The downside is that greater CPU power is needed for higher bandwidths.

Alias Free Bandwidth – The bandwidth on SDR displays tends to roll off at the edges, and also display aliases or images of other signals. The alias free bandwidth is the actual usable bandwidth and is usually smaller than the advertised bandwidth.

Sensitivity – More sensitive radios will be able to hear weaker stations more easily, and produce high SNR values.

ADC – Analogue to digital converter. The main component in an SDR. It samples an analogue signal and turns it into digital bits. The higher the bit size of the ADC the more accurate it can be when sampling.

Overloading – Overloading occurs when a signal is too strong and saturates the ADC, leaving no space for weak signals to be measured. When overloading occurs you’ll see effects like severely reduced sensitivity and signal images.

Dynamic Range – This is directly related to ADC bit size, but is also affected by DSP software processing. Dynamic range is the ability of an SDR to receive weak signals when strong signals are nearby. The need for high dynamic range can be alleviated by using RF filtering. Overloading occurs when a strong signal starts to saturate the ADC because the dynamic range was not high enough.

Images/Aliasing – Bad SDRs are more likely to overload and show images of strong signals at frequencies that they should not be at. This can be fixed with filtering or by using a higher dynamic range/higher bit receiver.

Noise/Interference – Good SDRs should not receive anything without an antenna attached. If they receive signals without an antenna, then interfering signals may be entering directly through the circuit board, making it impossible to filter them out. Good SDRs will also cope well with things like USB interference.

RF Filtering/Preselection – A high performance SDR will have multiple preselector filters that switch in depending on the frequency you are listening to. 

Center DC Spike – A good SDR should have the I/Q parts balanced so that there is no DC spike in the center.

Phase Noise – Phase noise performance is determined by the quality of the crystal oscillators used. Lower phase noise oscillators mean better SNR for narrowband signals and less reciprocal mixing. Reciprocal mixing is when high phase noise causes a weak signal to be lost in the phase noise of a nearby strong signal.

Frequency Stability – We should expect the receiver to stay on frequency and not drift when the temperature changes. To achieve this a TCXO or similar stable oscillator should be used.

RF Design – The overall design of the system. For example, how many lossy components such as switches are used in the RF path. As the design complexity increases usually more components are added to the RF path which can reduce RX performance.

Software – The hardware is only half of an SDR. The software the unit is compatible with can make or break an SDR’s usefulness.

Next we will introduce each device and its advertised specifications and features:

Device Introduction and Advertised Specifications & Features

| | Airspy | SDR Play RSP | HackRF |
|---|---|---|---|
| Price (USD) | $199 / $249 USD (with Spyverter) + shipping ($5-$20). As of April 2016, the Airspy Mini is now also for sale at $99 USD. | $149 USD + shipping ($20-$30 world, free shipping in the USA). £99 + VAT + ~£10 shipping for EU. | $299 USD + shipping |
| Freq. Range (MHz) | 24 – 1800; 0 – 1800 (with Spyverter addon) | 0.1 – 2000 | 0.1 – 6000 |
| ADC Bits | 12 (10.4 ENOB) | 12 (10.4 ENOB) | 8 |
| Bandwidth (MHz) | 10 (9 MHz usable); 6 MHz (5 MHz usable) (AS Mini) | 8 (7 MHz usable) (10 MHz in SDRuno/~9 MHz usable) | 20 |
| TX | No | No | Yes (half duplex) |
| Dynamic Range (Claimed) (dB) | 80 | 67 | ~48 |
| Clock Precision (PPM) | 0.5 PPM low phase noise TCXO | 10 PPM XO | 30 PPM XO |
| Frontend Filters | Front end tracking IF filter on the R820T2 chip. | 8 switched preselection filters + switchable IF filter on MSI001 chip | Two very wide preselection filters – 2.3 GHz LPF, 2.7 GHz HPF |
| ADC, Frontend Chips | LPC4370 ARM, R820T2 | MSi2500, MSi001 | MAX5864, RFFC5071 |
| Additional Features | 4.5v bias tee, external clock input, expansion headers. | LNA on the front end | 5v bias tee, LNA on front end, external clock input, expansion headers. |
Notes

The Airspy is designed by Benjamin Vernoux & Youssef Touil who is also the author of the popular SDR# software. 

Of note is that there has been a misconception going around that the Airspy is an RTL-SDR/RTL2832U device. This is not true; there are no RTL2832U chips in the Airspy. The confusion may come from the fact that they both use the R820T2 tuner. The RTL2832U chip is the main bottleneck in RTL-SDR devices, not the R820T2. When coupled with a better ADC, the R820T2 works well and can be used to its full potential.

The Airspy team write that they sell units mostly to universities, governments and professional RF users. However, they also have a sizable number of amateur users.

Update: As of April 2016 the Airspy Mini is now for sale for $99 USD. The main difference is a 6 MHz bandwidth and fewer expansion headers, but all other specs appear to be the same.

The SDR Play Radio Spectrum Processor (RSP) is designed by UK based engineers who appear to be affiliated with Mirics, a UK based producer of SDR RF microchips.

The chips used in the SDRplay RSP are dedicated SDR chips which were designed for a wide variety of applications such as DVB-T tuners. The RSP uses these chips and improves on their front end capabilities by adding an LNA and filters in order to create a device capable of general SDR use.

Initially when writing this review we had deep problems with the imaging of strong signals on the RSP. However, a recent Dec 22 update to the drivers has fixed this imaging problem tremendously.

The SDRplay is currently selling about 1000 units a month according to electronicsweekly.com.

The HackRF is designed by Michael Ossmann, a computer security researcher who was given a development grant from DARPA. His company is called “Great Scott Gadgets”.

The HackRF’s most unique feature when compared to the other two SDRs is that it is capable of both receiving and transmitting.

There is also a clone called the HackRF Blue out on the market which is about $100 cheaper, but they don’t seem to have stock or be producing these any more.

From the specs it is clear from the ADC sizes that both the Airspy and SDRplay RSP are in a different class of RX performance when compared to the HackRF. However, people always compare the Airspy and SDRplay with the HackRF due to their similar price range, so we will continue to compare the three here in our review, but with more of a focus on comparing the Airspy and SDRplay RSP.

In order to use the Airspy on HF (0 – 30 MHz) frequencies a $50 add on called the Spyverter is required. This is an upconverter that is designed for use with the Airspy’s high dynamic range and bias tee power port. However, one hassle is that the Spyverter must be connected/disconnected each time you want to switch between HF and VHF/UHF reception as it does not have VHF/UHF passthrough. The RSP and HackRF on the other hand can receive HF to UHF without the need of an upconverter or the need to change ports. A single port for HF to UHF can be very useful if you have a remote antenna switcher.

Post continues. Note that this is a long post with many images.


JAERO: A new RTL-SDR compatible decoder for Inmarsat AERO signals

Back in August of this year we showed how it was possible to use an RTL-SDR dongle, satellite antenna, LNA and decoding software to receive and decode STD-C EGC signals from Inmarsat satellites. We also showed how it was possible to modify a low cost GPS antenna to use as a satellite antenna.

Now a radio hobbyist called Jonti has released a Windows decoder for the Inmarsat AERO set of signals. AERO is a system that provides a satellite based version of VHF ACARS (Aircraft Communications Addressing and Reporting System). ACARS is typically used by ground control and pilots to send short messages and is also sometimes used for telemetry.

Jonti writes:

JAERO is a program that demodulates and decodes Classic Aero ACARS (Aircraft Communications Addressing and Reporting System) messages sent from satellites to Aeroplanes (SatCom ACARS) commonly used when Aeroplanes are beyond VHF range. Demodulation is performed using the soundcard. Such signals are typically around 1.5 GHz and can be received with a simple low gain antenna that can be home brewed in a few hours in conjunction with a cheap RTL-SDR dongle.

In the advent of MH370, Classic Aero has become a well-known name. A quick search on the net using “Classic Aero MH370” will produce thousands of results. The Classic Aero signals sent from satellites to the Aeroplanes are what JAERO demodulates and decodes.

Unlike the usual VHF ACARS, with SatCom ACARS you cannot receive signals from the Aeroplane, only the people on the ground talking to the people in the Aeroplane. This means you do not get the airplanes reporting their position. Instead you tend to get weather reports, flight plans, and that sort of stuff. Just like VHF ACARS they usually use cryptic shorthand notation. For example “METAR YSSY 040400Z 08012KT 9999 FEW040 SCT048 23/09 Q1024 FM0500 05012KT CAVOK=” is the weather report for Sydney Airport in Australia in a format called METAR. It tells you the time, when the report was issued, the wind direction and speed, visibility, clouds, temperature, dew point and air pressure. Then it says from 5 AM UTC the wind direction and speed and that the weather will be nice. There are sites such as Flight Utilities that can decode such information and display it in a more understandable format.

In his post Jonti also shows how he uses a modified GPS antenna to receive the AERO signals.

Jonti’s modified GPS antenna for receiving Inmarsat AERO

We gave JAERO a test and found that it decoded AERO signals easily, even with low signal strength. To use JAERO, tune to an Inmarsat AERO signal in SDR# or a similar program using USB mode. JAERO will listen to the audio from the sound card or from a virtual audio pipe. We recommend turning the AFC (Automatic Frequency Control) setting on if you find that your RTL-SDR drifts too much.

AERO signals can be found at around 1545 MHz. They only use about 800 Hz in bandwidth. See the UHF satcoms page for a list of AERO frequencies.

The JAERO decoder.
Some AERO signals.

Remember that some R820T/2 RTL-SDR dongles can have problems when receiving this high, especially when they heat up. If you find that your dongle gets deaf at these L-band frequencies try cooling the R820T/2 chip with a heatsink or fan. The Airspy or SDRplay RSP software defined radios are better choices for decoding signals this high, but the RTL-SDR will work fine if your signal strength is decent and the R820T/2 chip is kept cool.

If you are interested in VHF ACARS as well, then we have a tutorial about decoding that here.

RTL-SDR Tutorial: Decoding Inmarsat STD-C EGC Messages

Inmarsat is a communications service provider with several geostationary satellites in orbit. They provide services such as satellite phone communications, broadband internet, and short text and data messaging services. Geostationary means that the satellites are in a fixed position in the sky and do not move. From almost any point on earth at least one Inmarsat satellite should be receivable. 

Inmarsat transmits in the L-band at around 1.5 GHz. With an RTL-SDR dongle, a cheap $10 modified GPS antenna or 1-2 LNAs and a patch, dish or helix antenna you can listen to these Inmarsat signals, and in particular decode one channel known as STD-C NCS. This channel is mainly used by vessels at sea and contains Enhanced Group Call (EGC) messages which contain information such as search and rescue (SAR) and coast guard messages as well as news, weather and incident reports. More information about L band reception is available at the UHF-Satcoms page. See the end of this post for a tutorial on modifying a GPS antenna for Inmarsat reception.

Also as a small aside, you might want to use this tutorial to practice your L-band reception since Outernet are planning to begin their L-band broadcasts later this year, which may possibly be broadcast from Inmarsat or equivalent satellites. These broadcasts will be at a nearby frequency and will contain about 10 megabytes of daily data. The RTL-SDR should also be able to receive these broadcasts if a compatible decoder is written.

Some examples of the EGC messages you can receive on the STD-C NCS channel are shown below:

Military Operations: Live Firing Warning
STRATOS CSAT 4-AUG-2015 03:21:25 436322 SECURITE FM: RCC NEW ZEALAND 040300 UTC AUG 15 COASTAL NAVIGATION WARNING 151/15 AREA COLVILLE, PLENTY CUVIER ISLAND (REPUNGA ISLAND), BAY OF PLENTY 1. LIVE FIRING 060300 UTC TO 060500 UTC AUG 15 IN DANGER AREA NZM204. ANNUAL NEW ZEALAND NOTICES TO MARINERS NUMBER 5 REFERS. 2. CANCEL THIS MESSAGE 060600 UTC AUG 15 NNNN
Armed Robbery / Pirate Warning
NAVAREA XI WARNING NAVAREA XI 0571/15 SINGAPORE STRAIT. ARMED ROBBERY INFORMATION. 301845Z JUL. 01-04.5N 103-41.8E. FIVE ROBBERS ARMED WITH LONG KNIVES IN A SMALL UNLIT HIGH SPEED BOAT APPROACHED A BULK CARRIER UNDERWAY. ONE OF THE ROBBERS ATTEMPTED TO BOARD THE SHIP USING A HOOK ATTACHED TO A ROPE. ALERT CREW NOTICED THE ROBBER AND RAISED THE ALARM AND CREW RUSHED TO THE LOCATION. HEARING THE ALARM AND SEEING THE CREW ALERTNESS, THE ROBBERS ABORTED THE ATTEMPTED ATTACK AND MOVED AWAY. INCIDENT REPORTED TO VTIS SINGAPORE. ON ARRIVAL AT SINGAPORE WATERS, THE COAST GUARD BOARDED THE SHIP FOR INVESTIGATION. VESSELS REQUESTED TO BE CAUTION ADVISED.
Armed Robbery / Pirate Warning
NAVAREA XI WARNING NAVAREA XI 0553/15 SINGAPORE STRAIT. ROBBERY INFORMATION. 261810Z JUL. 01-03.6N 103-36.7E. DUTY ENGINEER ONBOARD AN UNDERWAY PRODUCT TANKER DISCOVERED THREE ROBBERS IN THE ENGINE ROOM NEAR THE INCINERATOR SPACE. THE ROBBER THEIR BOAT. A SEARCH WAS CARRIED OUT. NO ROBBERS FOUND ON BOARD AND NOTHING REPORTED STOLEN. VTIS SINGAPORE INFORMED. COAST GUARD BOARDED THE TANKER FOR INVESTIGATION UPON ARRIVAL AT SINGAPORE PILOT EASTERN BOARDING AREA.VESSELS REQUESTED TO BE CAUTION ADVISED. CANCEL 0552/15.
Submarine Cable Repair Warning
NAVAREA XI WARNING NAVAREA XI 0569/15 NORTH PACIFIC. SUBMARINE CABLE REPAIRING WORKS BY C/V ILE DE SEIN. 05 TO 20 AUG. IN VICINITY OF LINE BETWEEN A. 21-37.3N 156-11.5W AND 25-03.6N 148-43.2E. CANCEL THIS MSG 21 AUG.
Search and Rescue – Missing Vessel
ON PASSAGE FROM LAE (06-44S 147- 00E) TO FINSCHHAFEN (06-36S 147-51E), MOROBE PROVINCE. VESSEL DEPARTED LAE AT 310500Z JUL 15 FOR FINSCHAFFEN WITH ETA OF 310800Z JUL 15 BUT FAILED TO ARRIVE. ALL VESSELS REQUESTED TO KEEP A SHARP LOOKOUT AND BE PREPARED TO RENDER ASSISTANCE. REPORTS TO THIS STATION OR MRCC PORT MORESBY VIAEMAIL: ******@****.***.**, TELEPHONE +*** *** ****; RCC AUSTRALIA VIA TELEPHONE +*********** INMARSAT THROUGH LES BURUM (POR ***,IOR***), SPECIAL ACCESS CODE (SAC) **, HF DSC ******* NL BURUM LES 204 4-AUG-2015 03:23:14 773980 AMSA_ER 23150928 PAN PAN FM JRCC AUSTRALIA 030858Z AUG 15 INCIDENT 2015/5086 AUS4602 CORAL AND SOLOMON SEAS 23FT WHITE BANANA BOAT WITH BROWN STRIPES, AND A 40HP OUTBOARD AND 5 ADULT MALES IS OVERDUE ON PASSAGE FROM LAE (06-44S 147- 00E) TO FINSCHHAFEN (06-36S 147-51E), MOROBE PROVINCE. VESSEL DEPARTED LAE AT 310500Z JUL 15 FOR FINSCHAFFEN WITH ETA OF 310800Z JUL 15 BUT FAILED TO ARRIVE. ALL VESSELS REQUESTED TO KEEP A SHARP LOOKOUT AND BE PREPARED TO RENDER ASSISTANCE. REPORTS TO THIS STATION OR MRCC PORT MORESBY VIA EMAIL: *******@****.***.**, TELEPHONE +*** *** ****; RCC AUSTRALIA VIA TELEPHONE +************ INMARSAT THROUGH LES BURUM (POR ***,IOR ***), SPECIAL ACCESS CODE (SAC) **, HF DSC *********, EMAIL: ******@****.***.** OR BY FAX +************. NNNN
Scientific Research Vessel Drilling – Request for wide clearance
NL BURUM LES 204 4-AUG-2015 02:29:41 709950 AMSA_ER 23153978 SECURITE FM JRCC AUSTRALIA 040224Z AUG 15 AUSCOAST WARNING 202/15 SPECIAL PURPOSE VESSEL JOIDES RESOLUTION CONDUCTING DRILLING OPERATIONS IN POSITION 28 39.80` S 113 34.60` E 2.5NM CLEARANCE REQUESTED. NNNN
Weather Warning
PAN PAN TROPICAL CYCLONE WARNING / ISSUED FOR THE NORTH OF EQUATOR OF METAREA XI(POR). WARNING 050900. WARNING VALID 060900. TYPHOON WARNING. TYPHOON 1513 SOUDELOR (1513) 930 HPA AT 19.9N 133.2E WEST OF PARECE VERA MOVING WEST 12 KNOTS. POSITION GOOD. MAX WINDS 95 KNOTS NEAR CENTER. RADIUS OF OVER 50 KNOT WINDS 80 MILES. RADIUS OF OVER 30 KNOT WINDS 240 MILES NORTH SEMICIRCLE AND 210 MILES ELSEWHERE. FORECAST POSITION FOR 052100UTC AT 20.1N 130.6E WITH 50 MILES RADIUS OF 70 PERCENT PROBABILITY CIRCLE. 935 HPA, MAX WINDS 90 KNOTS NEAR CENTER. FORECAST POSITION FOR 060900UTC AT 20.8N 128.1E WITH 75 MILES RADIUS OF 70 PERCENT PROBABILITY CIRCLE. 935 HPA, MAX WINDS 90 KNOTS NEAR CENTER. JAPAN METEOROLOGICAL AGENCY.=


RTL-SDR Tutorial: Decoding Meteor-M2 Weather Satellite Images in Real-Time with an RTL-SDR

Back in September last year we posted a tutorial written by RTL-SDR.com reader Happysat which showed how to receive and decode high resolution Meteor-M2 LRPT satellite images. The tutorial required several offline manual processing steps to be performed and therefore could not decode the image in real time.

Now Vasili, a SDR# plugins programmer, and Oleg who is the coder of Lrptdecoder have combined ideas to create a new QPSK demodulator plugin for SDR# that allows the real time reception and decoding of Meteor-M2 LRPT images (in Russian use Google translate). The demodulator also offers the advantage of faster and longer signal locking, and also works much better with weak signals compared to the old method. 

At the same time Vasili has also released another plugin called DDE Tracker which allows a satellite tracking program such as Orbitron to interface with and control SDR#. The plugin can be downloaded on the same page as the QPSK plugin. This is similar to the already existing DDE plugins, but now also comes with a scheduler which allows users to automatically schedule recordings of Meteor-M2 and NOAA satellite passings.

NOTE: Meteor M1 has come alive again, so the frequency of Meteor M2 was changed from 137.1 MHz to 137.9 MHz. Meteor M1 is now at 137.1 MHz and can be received using the same steps as in this tutorial, though please note that images from Meteor M1 are not perfect since the satellite is tumbling.

Tutorial

To help users get set up with this new method, Happysat has again come forth with another tutorial which can be downloaded here (.pdf) (.docx) (.txt w/ images in .rar). At first glance the tutorial may seem more complicated than the old method, but in the end it is a much faster and more efficient way of decoding LRPT images. The basic steps involve setting up Orbitron and the DDE plugin to automatically track the Meteor-M2 LRPT satellite and signal, and then setting up the QPSK plugin and the new version of Lrptdecoder to talk to one another in real time via a local TCP connection.

Real time decoding of Meteor-M2 with two new SDR# Plugins.
QPSK Demodulator SDR# Plugin
DDE Orbitron Interface SDR# Plugin.

AMIGOS

One more Meteor-M2 related thing to look forward to in the future is the AMIGOS project which stands for Amateur Meteor Images Global Observation System. This will be a system where users around the world can contribute LRPT images through the internet to create a worldwide LRPT receiver. Oleg of LrptDecoder writes:

There is an idea to merge LRPT receive amateur radio stations in a network through the Internet and create a super LRPT receiver.

I see the benefit of professionals from the control center in the operational monitoring of the condition of the equipment MSU-MR, and for fans of the fullest reception of images from Meteor-M.

All is in testing phase and needs some setup for the servers, data is being shared through a VPN connection to a central server which will have a continuous flow of images from all over the world.

Users can join and share in realtime the data more info on:
http://meteor.robonuka.ru/for-experts/amigos/

What is Meteor-M2?

If you don’t understand what all this is about: The Meteor-M N2 is a polar orbiting Russian weather satellite that was launched on July 8, 2014. Its main missions are weather forecasting, climate change monitoring, sea water monitoring/forecasting and space weather analysis/prediction.

The satellite is currently active with a Low Resolution Picture Transmission (LRPT) signal which broadcasts live weather satellite images, similar to the APT images produced by the NOAA satellites. LRPT images are however much better as they are transmitted as a digital signal with an image resolution 12 times greater than the aging analog NOAA APT signals. Some example Meteor weather images can be found on this page and the satellite can be tracked in Orbitron or online.

A software defined radio such as the low cost RTL-SDR, or the higher end Airspy and Funcube dongles can be used to receive these signals.

An Example LRPT Image Received with an RTL-SDR from the Meteor-2 M2.

Updates

The DDE plugin can also be used for tracking NOAA satellites. Some people have been having trouble with set up. Happysat writes a solution:

Download TLE from: http://www.celestrak.com/NORAD/elements/noaa.txt. Make sure the names are the same in DDE Sat Tracking Client schedule. https://dl.dropboxusercontent.com/u/124465398/NOAA_Setup.jpg. Same one as I posted in the howto – https://dl.dropboxusercontent.com/u/124465398/DDESchedule.rar

RTL-SDR Tutorial: Measuring filter characteristics and antenna VSWR with an RTL-SDR and noise source

By using an RTL-SDR dongle together with a low cost noise source it is possible to measure the response of an RF filter. Also, with an additional piece of hardware called a directional coupler the standing wave ratio (SWR) of antennas can also be measured. Measuring the response of a filter can be very useful for those designing their own, or for those who just want to check the performance and characteristics of a filter they have purchased. The SWR of an antenna determines where the antenna is resonant and is important for tuning it for the frequency you are interested in listening to.

These tutorials are based heavily on information learned from Adam Alicajic’s (9A4QV) videos, which can be found at [1], [2], [3], [4]. Adam is the creator of the LNA4ALL and several other RTL-SDR compatible products. Recently Tim Havens also posted some experiments with characterizing home made filters on his blog.

Characterizing Filters

Using just a noise source and RTL-SDR dongle it is possible to determine the properties of an RF filter. In our experiments we used the following equipment:

Equipment

The BG7TBL noise source is a wideband noise source that can provide strong noise over the entire frequency range of the RTL-SDR. It requires power from a 12V source which can be obtained from a common plug in power supply. It also uses an SMA female connector, so you may need some adapters to connect it to your filter under test (adapters can be found cheaply on Ebay). Finally a quick warning: be careful when handling the circuit board after it has been powered for some time as some of the components can get very hot. Note that if the Ebay store runs out of these there is also a seller on Aliexpress with some available, just type “noise source” in the search bar.

The BG7TBL Noise Source

If you have a ham-it-up upconverter and are good at soldering small surface mount components you might instead consider purchasing the noise source kit add on. Here is a video showing how to build and test the ham-it-up noise source.

RTL-SDR Tutorial: Listening to TETRA Radio Channels

TETRA is a trunked radio communications system that stands for “Terrestrial Trunked Radio”. It is used heavily in many parts of the world, except for the USA. Recently, a software program called Tetra Live Monitor (telive) was released on GitHub. This software can be used along with the (patched) Osmo-TETRA software to monitor and listen to unencrypted TETRA communications.

Below we show a tutorial on how to listen to TETRA communications using an RTL-SDR RTL2832U software defined radio. This tutorial is based heavily on the telive_doc.pdf file that is written by the author of telive and included in the telive git download. Please refer to that pdf file for further details on how the software works. We have modified their tutorial slightly to make it a little easier to understand. As this code is still under heavy development, if you have trouble please check their PDF file for modifications to the procedures.

Again, we reiterate: This tutorial is not a substitute for a thorough reading of the documentation. If you have trouble setting this software up, please refer to the telive documentation first, before asking any questions. It contains a comprehensive FAQ section which solves most of the common problems. The documentation can be found directly at https://github.com/sq5bpf/telive/raw/master/telive_doc.pdf. There is also a discussion at http://forums.radioreference.com/digital-voice-decoding-software/302347-tetra-decoding.html.

Decoding and Listening to TETRA Tutorial

Most of this tutorial is performed in Linux and we assume that you have some decent Linux experience. We also assume you have some experience with the RTL-SDR dongle and have a decent antenna capable of picking up TETRA signals in your area. If you don’t have an RTL-SDR dongle yet see our Buy RTL-SDR dongles page.

Note: As of October 2016 there is now a Windows port of the Telive decoding software available. This may be an option for you if you prefer to run in Windows. More information here.

First, we will need to find some TETRA signals. The easiest way to do this is to open SDR# or another program like GQRX and look for them. TETRA signals are continuously broadcasting with a bandwidth of around 25 kHz. In most European countries they can be found at 390 – 470 MHz. In some countries they may be found around 850 MHz or 915 – 933 MHz. There may be several TETRA signals grouped in close proximity to one another. See the example images below.

 
A Zoomed in TETRA Signal
A Grouping of TETRA Signals Zoomed Out

An example audio clip of a TETRA signal recorded in NFM mode is shown below.

Once you have found some TETRA signals, record their frequencies. Now close SDR#, or whatever software you were using and boot into Linux. In this tutorial we use a 32-bit Ubuntu 14.04 virtual machine running on VMWare Player as our Linux system. Some of the commands may vary if you are using a different system.


RTL-SDR Tutorial: Receiving Meteor-M N2 LRPT Weather Satellite Images with an RTL-SDR

Update 11 May 2015: There is now a real time method for decoding Meteor-M2 LRPT images. Please also check out the new tutorial available here

The Meteor-M N2 is a polar orbiting Russian weather satellite that was launched on July 8, 2014. Its main missions are weather forecasting, climate change monitoring, sea water monitoring/forecasting and space weather analysis/prediction.

The satellite is currently active with a Low Resolution Picture Transmission (LRPT) signal which broadcasts live weather satellite images, similar to the APT images produced by the NOAA satellites. LRPT images are however much better as they are transmitted as a digital signal with an image resolution 12 times greater than the aging analog NOAA APT signals. Some example Meteor weather images can be found on this page and the satellite can be tracked in Orbitron or online.

The RTL-SDR and other SDRs like the Funcube along with some free software can be used to receive and decode these images. LRPT images from the Meteor-M N2 are transmitted at around 137.925 MHz, so any satellite antenna like those commonly used with the NOAA weather satellites can be used.

NOTE: Meteor M1 has come alive (now offline again), so the frequency of Meteor M2 was changed from 137.1 MHz to 137.9 MHz. Meteor M1 is now at 137.1 MHz and can be received using the same steps as in this tutorial, though please note that images from Meteor M1 are not perfect since the satellite is tumbling.

Happysat, a satellite monitoring enthusiast, has emailed us with a comprehensive tutorial showing how the RTL-SDR can be used to receive and decode these LRPT images (pdf warning) (txt file). The procedure is not quite as simple as with the NOAA satellites as it involves first pre-recording the transmission as a baseband I/Q file in SDR#, changing the sample rate in Audacity, processing the file with the Lrptrx.exe software, and then using Oleg’s LRPToffLineDecoder to finally produce the image.

The tutorial also shows an alternative and faster Linux based method using some GNU Radio scripts, but with the final processing still done with Oleg’s decoder in Windows.

The tutorial can be downloaded in PDF form from this link or alternatively in a text file here.

Update: This newer post now shows a slightly faster way for receiving and decoding LRPT images on a Windows PC which does not require the use of Audacity.

The Meteor-M2 Satellite
An Example LRPT Image Received with an RTL-SDR from the Meteor-2 M2.
Another Sample LRPT Image
What a LRPT signal looks like in SDR#
