The Meteor-M N2 is a polar orbiting Russian weather satellite that was launched on July 8, 2014. Its main missions are weather forecasting, climate change monitoring, sea water monitoring/forecasting and space weather analysis/prediction.
The satellite is currently active with a Low Resolution Picture Transmission (LRPT) signal which broadcasts live weather satellite images, similar to the APT images produced by the NOAA satellites. LRPT images are however much better as they are transmitted as a digital signal with an image resolution 12 times greater than the aging analog NOAA APT signals. Some example Meteor weather images can be found on this page and the satellite can be tracked in Orbitron or online.
The RTL-SDR and other SDRs like the Funcube along with some free software can be used to receive and decode these images. LRPT images from the Meteor-M N2 are transmitted at around 137.925 MHz, so any satellite antenna like those commonly used with the NOAA weather satellites can be used.
NOTE:Meteor M1 has come alive, (now offline again), so the frequency of Meteor M2 was changed from 137.1 MHz to 137.9 MHz.Meteor M1 is now at 137.1 MHz and can be received using the same steps as in this tutorial, though please note that images from Meteor M1 are not perfect since the satellite is tumbling.
New software defined radio (SDRs) products are popping up every few months these days so we thought we'd compile a big list of available SDRs as there are a few people who were bitten by the RTL-SDR bug and are now looking to upgrade.
For each SDR we compare the cost, frequency range, ADC resolution, maximum instantaneous bandwidth, whether or not it can TX and if it has any pre selectors built in. Here is a quick guide to what some of these metrics mean.
Frequency Range: The range of frequencies the SDR can tune to. ADC Resolution: Higher is better. More resolution means more dynamic range, less signal imaging, a lower noise floor, more sensitivity when strong signals are present and better ability to discern weak signals. Some SDR's give their resolution in ENOB which stands for effective number of bits. Instantaneous Bandwidth: The size of the real time RF chunk available. RX/TX: Can the radio receive and/or transmit. Preselectors: Analogue filters on the front end to help reduce out of band interference and imaging.
* - Denotes top choice for high value
General Use Software Defined Radios
We define general use SDRs as ones with a wide frequency range and with no focus on any specific frequency band.
R820T RTL2832U a.k.a RTL-SDR*
Cost: $10 - 22 USD Frequency Range: approx. 24 MHz - 1766 MHz (below 24 MHz available on RTL-SDR.com V3 dongles) ADC Resolution: 8 Bits Max Bandwidth: 3.2 MHz / 2.4 or 2.8 MHz max stable. TX/RX: RX Only Preselectors: Uses tracking RF filters on the R820T2 chip. Release Date: August 2016
The RTL-SDR is still the best 'bang for your buck' software defined radio out there. While it was never designed to be used as a general purpose SDR in the first place, its performance is still surprisingly good. If you're on a budget or are just starting out with SDR or radio this is the one to get. (Link)
The popular trunking decoding software Unitrunker now supports the RTL2832U R820T RTL-SDR directly in its new version. This means that extra SDR receiver software like SDR# is no longer required to use Unitrunker.
In a normal radio system, one company (or talkgroup) might use a single frequency for radio communications. However, this is very inefficient as the frequency may not be in use for the majority of the time. In a trunked radio system, a small set number of frequencies are shared between a large number of talkgroups. Each radio receives a special computer controlled control channel. The control channel determines a vacant frequency that a particular talkgroup should use. This helps to make radio frequency allocations more efficient.
Because a talkgroup might switch between various frequencies often, it can make listening to a conversation difficult for radio scanners. Unitrunker can be used to decode the control channel and follow a voice conversation as it hops across various frequencies. With two RTL-SDR dongles you can set up a trunking receiver station with just Unitrunker. What follows below is a tutorial on how to set this up.
There are now dozens of software defined radio packages that support the ultra cheap RTL-SDR. On this page we will attempt to list, categorize and provide a brief overview of each software program. We categorize the programs into general purpose software, single purpose software, research software and software compatible with audio piping.
If you know of a program that is missing please leave a comment in the comments section at the bottom of the page.
SDR# (pronounced "SDR Sharp") is the most popular free RTL-SDR compatible software in use at the moment. It is relatively simple to use compared to other SDR software and has a simple set up procedure. We have a full overview of the installation procedure on our Quick Start Page. SDR# is designed to be use with the $199 Airspy SDR, but works just fine with the RTL-SDR.
SDR# is a simple to use program that also has some advanced features. It has a useful modular plugin type architecture, and many plugins have already been developed by third party developers. The basic SDR# download without any third party plugins includes a standard FFT display and waterfall, a frequency manager, recording plugin and a digital noise reduction plugin. SDR# also decodes RDS signals from broadcast FM.
HDSDR is based on the old WinRAD SDR program. HDSDR supports the RTL-SDR through use of an ExtIO.dll module. To install HDSDR, download the program from the link on the main HDSDR page, then to use the RTL-SDR you will need to download the ExtIO_RTL2832.dll file an place it into the HDSDR folder. When opening HDSDR, select the newly copied ExtIO_RTL2832.dll. The other dlls that come with HDSDR will not work with the RTL-SDR, even though they have RTL-SDR in their filename. The official installation instructions can be found here.
Along with a FFT display and waterfall, HDSDR has some extra advanced features. Users will also find an Audio FFT and waterfall display on the bottom of the screen. The output audio can also be bandpass filtered by dragging the filter borders on the display. Bandpass filtering the audio can really help clean up a noisy signal. The audio processing also supports placing of notch filters either manually or automatically. There are also noise reduction and noise blanker features and an automatic frequency centering algorithm which will automatically center the signal, so you don't need to click exactly in the center of a signal. Traditional ham radio users will also enjoy the S-units signal strength meter and the built in frequency manager.
SDR-RADIO.COM V2 and the newer V3 is a popular SDR program with many advanced features. As such is it a fair amount more difficult to learn and use compared to SDR# and HDSDR. Be sure you install version 2 and not V1.5 as only V2 has RTL-SDR support.
Once sdr-radio is installed, to get it working with the RTL-SDR you will need to compile or download three .dll files (SDRSourceRTL2832U.dll, rtlsdr.dll and libusb-1.0.dll) and place them into the sdr-radio folder. To compile your own dlls see the instructions here, otherwise download the dlls directly from the bottom of this link. If the dlls were placed in the correct folder you will be able to add your RTL-SDR as a receiver by clicking on the +Definitions button, and then finding and adding the RTL SDR (USB) option under the search drop down menu.
Like HDSDR, not only does sdr-radio have a RF FFT signal and waterfall display, but also an optional audio spectrum FFT and waterfall display. Built in are also several DSP features like a noise blanker, noise reduction filter, notch filter and squelch options. The EMNS noise reduction filter is particularly good at automatically cleaning up and clarifying voice signals.
To add to the feature list, sdr-radio also has built in PSK, RTTY and RDS decoders, and also comes with a satellite tracker. Furthermore, sdr-radio V2 (not V3 yet) has an excellent remote server which will allow you to easily set up and connect to a remote RTL-SDR server over a network or the internet. Finally, sdr-radio is capable of listening to up to 6 signals in the same chunk of visible spectrum at a time.
Around the world meteorological weather balloons are launched twice daily, and continuously transit weather telemetry to a ground station using something called a radiosonde. The RTL-SDR software defined radio combined with a decoding program can be used to intercept this telemetry, and display it on your own computer. You will be able to see real time graphs and data of air temperature, humidity, pressure as well as the location and height of the balloon as it makes it's ascent.
This tutorial is also applicable to other software defined radios such as the Funcube dongle, Airspy, HackRF, BladeRF or even hardware radios with discriminator taps, but the RTL-SDR is the cheapest option that will work.
In this example YouTube user Superphish shows a radiosonde being received and decoded using a RTL-SDR, SDRSharp and SondeMonitor.
Weather Balloon (Radiosonde) tracking with RTL SDR (RTL2832), Sondemonitor and SDR Sharp
The RTL-SDR software defined radio can be used to analyze cellular phone GSM signals, using Linux based tools GR-GSM (or Airprobe) and Wireshark. This tutorial shows how to set up these tools for use with the RTL-SDR.
Example - Analysing GSM with RTL-SDR Software Defined Radio
Here is a screenshot and video showing an example of the type of data you can receive. You can see the unencrypted GSM packet information. You will not be able to see any sensitive information like voice or text message data since that part is encrypted. Decryption of messages that are not your own is very difficult, illegal and is not covered in this tutorial.
Analyzing Cellular GSM with RTL-SDR (RTL2832), Airprobe and Wireshark
First, you will need to find out at what frequencies you have GSM signals in your area. For most of the world, the primary GSM band is 900 MHz, in the USA it starts from 850 MHz. If you have an E4000 RTL-SDR, you may also find GSM signals in the 1800 MHz band for most of the world, and 1900 MHz band for the USA. Open up SDRSharp, and scan around the 900 MHz (or 850 MHz) band for a signal that looks like the waterfall image below. This is a non-hopping GSM downlink signal. Using NFM, it will sound something like the example audio provided below. Note down the strongest GSM frequencies you can find.
The rest of the tutorial is performed in Linux and we assume that you have basic Linux skills in using the terminal. For this tutorial we used Ubuntu 14.04 in a VMWare session. You can download the various ready to go Ubuntu VMWare images from here, and the free VMWare player from here. Note that virtual box is reported not to work well with the RTL-SDR, as its USB bandwidth capabilities are poor, so VMWare player should be used.
Plug in your RTL-SDR and connect it to your VM if necessary. Run grgsm_livemon by typing grgsm_livemon at the terminal. A new window should open.
In the new window tune to a GSM downlink frequency which you determined while browsing in SDR# and set the gain appropriately.
Start Wireshark by using sudo wireshark -k -Y '!icmp && gsmtap' -i lo which will automatically start wireshark in the loopback mode with the gsmtap filter activated. You may get an error when opening Wireshark but this can be ignored.
You should now see the GSM data scrolling along in Wireshark.
[expand title = "Old Method using Airprobe (Click to Expand)"]
Install GNU Radio
You will need to install GNU Radio first in order to get RTL-SDR to work. An excellent video tutorial showing how to install GNU Radio in Kali Linux can be found in this video shown below. Note that I had to run apt-get update in terminal first, before running the build script, as I got 404 not found errors otherwise. You can also use March Leech's install script to install the latest version of GNU Radio on any Linux OS. Installation instructions can be found here. I recommend installing from source to get the latest version. http://www.youtube.com/watch?v=B8Acp6_3DA0
Update: The new version 3.7 GNU Radio is not compatible with AirProbe. You will need to install GNU Radio 3.6. However, neeo from the comments section of this post has created a patch which makes AirProbe compatible with GNU Radio 3.7. To run it, place the patch file in your airprobe folder and then run patch -p1 < zmiana3.patch.
Airprobe is the tool that will decode the GSM signal. I used multiple tutorials to get airprobe to install. First from this University of Freiberg tutorial, I used their instructions to ensure that the needed dependencies that airprobe requires were installed.
Update: Thanks to shyam jos from the comments section who has let us know that some extra dependencies are required when using the new Kali Linux (1.0.5) for airprobe to compile. If you've skipped installing GNURadio because you're using the new Kali 1.0.5 with SDR tools preinstalled, use the following command to install the extra required dependencies.
git clone git://git.osmocom.org/libosmocore.git
sudo make install
Now, I discovered that the airprobe git repository used in the University tutorial (berlin.ccc.de) was out of date, and would not compile. From this reddit thread I discovered a more up to date airprobe git repository that does compile. Clone airprobe using the following git command.
git clone git://git.gnumonks.org/airprobe.git
Now install gsmdecode and gsm-receiver.
Now, cd into to the airprobe/gsm-receiver/src/python directory. First we will test Airprobe on a sample GSM cfile. Get the sample cfile which I found from this tutorial by typing into terminal.
Note: The tutorial and cfile link is sometimes dead. I have mirrored the cfile on megaupload at this link. Place the cfile in the airprobe/gsm-receiver/src/python folder. Now open wireshark, by typing wireshark into a second terminal window. Wireshark is already installed in Kali Linux, but may not be in other Linux distributions. Since Airprobe dumps data to a UDP port, we must set Wireshark to listen to this. Under Start in Wireshark, first set the capture interface to lo (loopback), and then press Start. Then in the filter box, type in gsmtap. This will ensure only airprobe GSM data is displayed. Back in the first terminal that is in the python directory, type in
If everything installed correctly, you should now be able to see the sample GSM data in wireshark.
Receive a Live Channel
To decode a live channel using RTL-SDR type in terminal
./gsm_receive_rtl.py -s 1e6
A new window will pop up. Tune to a known non-hopping GSM channel that you found earlier using SDRSharp by entering the Center Frequency. Then, click in the middle of the GSM channel in the Wideband Spectrum window. Within a few seconds some GSM data should begin to show constantly in wireshark. Type ./gsm_receive_rtl.py -h for information on more options. The -s flag is used here to set the sample rate to 1.0 MSPS, which seems to work much better than the default of 1.8 MSPS as it seems that there should be only one GSM peak in the wideband spectrum window.
Capturing a cfile with the RTL-SDR (Added: 13/06/13)
I wasn't able to find a way to use airprobe to capture my own cfile. I did find a way to capture one using ./rtl_sdr and GNU Radio however. First save a rtl_sdr .bin data file using where -s is the sample rate, -f is the GSM signal frequency and -g is the gain setting. (rtl_sdr is stored in 'gnuradio-src/rtl-sdr/src')
Next, download this GNU Radio Companion (GRC) flow graph (scroll all the way down for the link), which will convert the rtl_sdr .bin file into a .cfile. Set the file source to the capture.bin file, and set the file output for a file called capture.cfile which should be located in the 'airprobe/gsm-receiver/src/python' folder. Also, make sure that 'Repeat' in the File Source block is set to 'No'. Now execute the GRC flow graph by clicking on the icon that looks like grey cogs. This will create the capture.cfile. The flow chart will not stop by itself when it's done, so once the file has been written press the red X icon in GRC to stop the flow chart running. The capture.cfile can now be used in airprobe. However, to use this cfile, I found that I had to use ./gsm_receive.py, rather than ./go.sh as a custom decimation rate is required. I'm not sure why, but a decimation rate of 64 worked for me, which is set with the -d flag.
./gsm_receive.py -I rtl_sdr_capture.cfile -d 64
Going Further with Decryption
We don't cover how to decode the actual encrypted GSM data here, but this is possible to do with messages going to your own phone once you extract the encryption code for your sim card. But note that if you want to do this you'll need to put in some good study and research into understanding how GSM actually works before you can even think about trying it. Disclaimer: Only decrypt signals that you are legally allowed to (such as from/to your own cell phone) to avoid breaching privacy.
A reader wrote in to let us know some information on obtaining the TMSI and Kc numbers, which are useful if you wish to go further and actually decode messages coming from your own phone. He writes:
For some reason, most of posts on the Internet concerning GSM sniffing provide very few examples of how to get our own TMSI and Kc numbers. These rely either on the BlackBerry engineering screen or the use of a SIM-card reader (see for example http://domonkos.tomcsanyi.net/?p=369). I know there are other methods like the one you describe in www.rtl-sdr.com/rtl-sdr-cell-phone-imsi-tmsi-key-sniffer/.
However, I have rarely seen anything related to the Android IMSI-Catcher Detector app. This can be easily installed via the standard repositories and it allows us to send AT commands to the modem provided we root the MS. This procedure works on many devices (I checked it on a Motorola Moto E).
Just a quick reminder of the basic AT+commands:
1. Extraction of IMSI -> AT+CRSM=176,28423,0,0,3.
2. Extraction of Ciphering Key Kc -> AT+CRSM=176,28448,0,0,9 (for SIM), AT+CRSM=176,20256,0,0,9 (for USIM). First 16 entries.
3. Extraction of TMSI -> AT+CRSM=176,28542,0,0,11. First 8 entries.
The Android IMSI-Catcher Detector provides some additional interesting data, like the cell ID the device is connected to, the LAI, etc.
We note that software such as SimSpyII together with a Sim Card reader can also be used to easily acquire the Kc value.
If you enjoyed this tutorial you may like our book available on Amazon. Available in eBook and paperback formats.
The RTL-SDR software defined radio combined with SDRSharp, and a POCSAG/Flex capable decoding application can be used to decode pager messages. With this setup you can receive pager messages from all pager users on the system. If you don't know what a pager is, since they are now uncommon, here is a brief explanation from Wikipedia:
A pager is a wireless telecommunications device that receives and displays numeric or text messages, or receives and announces voice messages.
Not many people use pagers these days with mobile phone text messaging being used more, but pagers are still popular with doctors, hospitals in general, some fire and ambulance agencies and various IT companies, as they tend to be more reliable and have greater coverage.
Privacy and Security
Obviously a lot of messages sent through pagers are plain text and contain personal data. Especially messages from hospitals. This is a concern as it is a major breach of patient privacy.
Security concerns also stem from the fact that many IT companies set up systems that forward notices of emails being received with the subject line visible, and system messages that contain IP addresses, email addresses and names, database error messages, and URLs.
We note that in most countries it is perfectly legal to receive pager messages, as they are plain text unencrypted, but it is illegal to share or act on the information received. In some countries it may be illegal to even set up a receiver. Please research and respect your local laws before attempting this project.
Here YouTube user nerdymark shows 18 minutes of pager decoding using SDRSharp, PDW and an RTL-SDR.
18 Minutes of Pager Traffic 2012 July 12 San Jose rtlsdr sdr# pdw flex
While directed at the RTL-SDR, this tutorial may also be useful for use with other software defined radios such as the Funcube dongle, Airspy and HackRF, or even traditional hardware radios with a discriminator tap.
Since pager signals are usually transmitted at a very strong power, usually almost any antenna will work to receive them, even the stock antenna that comes with the dongle. Pager frequencies differ among different countries. Usually they will be anywhere from 137 - 160 MHz, around ~450 MHz, or around 900 MHz. Check radioreference.com or Google for frequencies in your area, or just search for them manually - they are usually quite easy to spot. Pagers normally use either the POCSAG or FLEX protocols, and the signals will look on a waterfall something like the signal shown below. They also have a distinctive sound when played with NFM mode. A sound sample is also shown below.
For this tutorial, you will need to have an RTL-SDR dongle set up and working with SDRSharp. We will assume you have this much done already. If you do not, visit the Buy RTL-SDR page, and then the Quickstart guide. You will also need to have an audio piping method installed and set up. Audio piping will allow the audio from SDRSharp to be passed to a decoding program. You can use either windows stereo mix, VB-cable (free) or Virtual Audio Cable (paid with trial version).
Now, to decode the POCSAG or Flex signals, you need need to download and install a free program called PDW, which can be downloaded from this page, then follow these steps.
Open SDRSharp and set the audio piping method to the one you will use under the Audio Output drop down box and then press Play.
Tune to a pager POCSAG/Flex signal. Set the receive mode to NFM, filter bandwidth to 12500 Hz, filter order to 10, turn squelch OFF and filter audio OFF. Adjust the RF gain settings under the configure menu until good reception is achieved.
Open PDW. You may initially receive some errors upon first opening it, but they can be safely ignored. Go to Options -> Options and Click Enable Pocsag Decoding, and ensure the 512, 1200 and 2400 boxes are all checked. Also, ensure Enable Flex Decoding is enabled and that the 1600, 3200 and 6400 boxes are all checked. Press OK.
Go to Interface -> Setup. Enable the Soundcard checkbox, set the Configuration to Custom, and choose your audio piping method in the Soundcard drop down box. If you only have one audio piping method enabled in the Windows recording properties, it will automatically choose that method. Press OK.
Go to Monitor, and ensure POCSAG/FLEX is ticked.
Now, if everything is set up correctly, the pager audio from SDRSharp should be being sent to PDW. In the top right hand corner of PDW, there should be a volume gauge. You will need to adjust the volume settings in SDRSharp, and/or the Windows volume settings so that the volume meter goes up when a pager signal is sent. The percentage shown below the gauge shows the decode error rate. If you are receiving good signals the error rate should be very low and the percentage should be at or near 100%.
PagerMon is a app that records and displays all messages from MultimonNG in a nice web page.
Pager signals are generally very strong, and so almost any antenna can pick them up - even the stock antenna included with many dongle packages. However, if you live far away from the transmitter a better antenna matched to the pager frequency you want to monitor may be required.
If reception is very poor, you may get some garbled messages in the PDW window.
Since pagers can be so strong, you may actually need to reduce the RF gain to clearly discern between a real pager and an image. Reducing the gain may also help decoding if it is so strong that it begins overloading in the RF spectrum.
Sometimes setting the volume too loud can cause the pager audio signal to become distorted. Make sure you do not have the audio set too loud.
If you enjoyed this tutorial you may like our book available on Amazon. Available in eBook and physical formats.
With the right additional hardware, the RTL-SDR software defined radio can be used as a super cheap radio telescope for radio astronomy experiments such as Hydrogen line detection, meteor scatter and Pulsar observing.
Two slightly-different designs for a simple, small, effective, radio telescope capable of observing the Sun, and the galactic plane in both continuum and spectral modes, easily able to show the hydrogen line in various parts of the galactic plane.
Here is a link to an interesting gif Marcus made with his RTL-SDR, showing a timelapse of recorded hydrogen emissions over 24 hours. Reddit user patchvonbraun (a.k.a Marcus Leech) writes on this thread an explanation of what is going on in the gif.
And here is just one of his many resulting graphs shown in the document showing the Hydrogen line.
A similar radio astronomy project has previously been done with the Funcube. More information about that project can be found in this pdf file. In that project they used the Funcube, a 3 meter satellite dish and the Radio Eyes software.
However, in this Reddit post patchvonbraun explains that the Funcube’s much smaller bandwidth is problematic, and so the rtl-sdr may actually be better suited for radio astronomy.
This image is from the Funcube project document.
Another related project is the Itty Bitty Telescope (IBT), which does not use SDR, but may be of interest.
Meteor scatter works by receiving a distant but powerful transmitter via reflections off the trails of ionized air that meteors leave behind when they enter the atmosphere. Normally the transmitter would be too far away to receive, but if its able to bounce off the ionized trail in the sky it can reach far over the horizon to your receiver. Typically powerful broadcast FM radio stations, analog TV, and radar signals at around 140 MHz are used. Some amateur radio enthusiasts also use this phenomena as a long range VHF communications tool with their own transmitted signals. See the website www.livemeteors.com for a livestream of a permanently set up RTL-SDR meteor detector.
In Europe typically the Graves radar station can be used for meteor scatter experiments. Graves is a space radar based in France which is designed to track spacecraft and orbital debris. If you are in Europe you can also make use of the Graves radar simply by tuning to its frequency of 143.050 MHz and listening for reflections of its signal bouncing off things like meteors, planes and spacecraft. Since Graves points its signal upwards, it’s unlikely that you’ll directly receive the signal straight from the antenna, instead you’ll only see the reflections from objects.
In other countries old and distant analogue TV stations can be used or FM transmitters can also be used.
To set meteor scatter up, simply use an outdoor antenna to tune to a distant transmitter. It should be far enough away so that you can not be receive the transmitter directly, or the signal should be weak. If you detect a meteor the signal will briefly show up strongly at your receiver. Performance can be enhanced by using a directional antenna like a Yagi to point upwards at the sky in the direction of the transmitter.
We have several post about meteor scatter available on the blog here. Read through them to get a better understanding of the ways in which it can be monitored. You may also be interested in Marcus Leech’s tutorial where he uses the RTL-SDR to detect forward meteor scatter. (doc here) (pdf here)
A pulsar is a rotating neutron star that emits a beam of electromagnetic radiation. If this beam points towards the earth, it can then be observed with a large dish antenna and a radio, like the RTL-SDR.
Pulsars create weakly detectable noise bursts across a wide frequency range. They create these noise bursts at precise intervals (milliseconds to seconds depending on the pulsar), so they can be detected from within the natural noise by performing some mathematical analysis on the data. Typically a few hours of data needs to be received to be able to analyze it, with more time needed for smaller dishes.
One problem is that pulsar signals can suffer from ‘dispersion’ due to many light years of travel through the interstellar medium. This simply means that higher frequencies of the noise burst tend to arrive before the lower frequencies. Mathematical de-dispersion techniques can be used to eliminate this problem enabling one to take advantage of wideband receivers like the RTL-SDR and other SDRs. The more bandwidth collected and de-dispersed, the smaller the dish required for detection.
Pulsar detection requires some pretty large antennas, and a good understanding of the techniques and math required for data processing so it is not for the beginner. See the previous Pulsar posts on this blog for more information.
If you enjoyed this tutorial you may like our ebook available on Amazon.