Category: Digital Signals

An Update on the PantronX Titus II SDR

The PantronX Titus II is a yet-to-be-released portable Android tablet based SDR that we've been following since 2016. The device will feature a 100 kHz - 2 GHz tuning range, and software that focuses on HF digital DRM decoding, as well as DAB on VHF. 

Thomas from the excellent SWLing blog got curious about the Titus II as he had not heard any updates from the team in a while, so he emailed them requesting an update. Mike from PantronX wrote the following reply:

As you might be aware, we have joined up with Fraunhofer to include their MMPlayer app standard on Titus–what a difference a professional decoder, for both analog, DRM(+), and DAB(+), makes! MMPlayer is full featured even including reliable one way file downloads with DRM.

We are attempting also to license HD to include on the app for North America, making a truly worldwide receiver. Some deficiencies in our version of Android have caused issues as well as MMPlayer. All of which have caused delays leading to some serious business decisions – as you can imagine. You are correct that broadcasters have made large orders that will be fulfilled first. There are units in the field testing and such and continuing resolution of the software issues.

One of the issues that folks seem to have a hard time understanding is that we can not just build a few hundred or even thousands of units. Our minimum run is 10,000pcs! To do that everything has to be 100% – including the software. We simply will not ship units that are not 100%. Titus works, MMPlayer works – its that last 5% that takes the most time to resolve. These facts preclude any incremental production attempts. All that being said, we are very hopeful that the first production run is ready by last quarter of this year.

The Titus II
The Titus II

Forwarding Pager Messages Received with an RTL-SDR to Email

Over on YouTube Jack Riley has created a video that documents his system which uses an RTL-SDR to receive POCSAG pager messages and forward messages sent to specific pager addresses to an email address. He uses his RTL-SDR on a Raspberry Pi, together with rtl_fm and multimon-ng to receive and decode the pager messages.

Then using a custom program that is available on his website he filters messages for a particular 'capcode' which indicates the address of a particular pager. When a pager message to the specified capcode address is received, the program turns the message into an email which is instantly sent out.

This is a nice way to forward pager messages on to a more modern device such as a smart phone.

Creating a Pager using a Raspberry Pi and RTL-SDR to send alerts via Email.
Creating a Pager using a Raspberry Pi and RTL-SDR to send alerts via Email.

SDR# TETRA Decoder Plugin Updated

The TETRA plugin for SDR# has been updated a few times since our last post on it back in March. The latest version can be downloaded directly here, and the original link comes from the Russian scanner forums.

In the new version the 'Net Info' button is now functioning and it is possible to see the current calls, groups, and meta information on the current cell and neighbour cell. It also appears that it has been updated to allow for multiple SDR# TETRA decoder instances to be opened simultaneously now for wider band monitoring.

SDR# TETRA Plugin Net Info Window
SDR# TETRA Plugin Net Info Window

Hacker Warehouse Demonstrates Pager Decoding with an RTL-SDR

Over on YouTube the web show Hacker Warehouse have created a video explaining wireless pagers and how RTL-SDRs can be used to sniff them. In the video host Troy Brown starts by explaining what pagers are and how they work, and then he shows how to decode them with SDR# and PDW. We have a tutorial on this project available here too.

Later in the video he shows some examples of pager messages that he's received. He shows censored messages such as hospital patient data being transmitted in plain text, sports scores, a memo from a .gov address claiming allegations of abuse from a client, office gossip about a hookup, a message about a drunk man with a knife, a message from a Windows server with IP address and URL, a message from a computer database, and messages from banks.

In the past we've also seen an art installation in New York which used SDR to highlight the blatant breach of privacy that these pager messages can contain.

Decoding Pager Data with RTLSDR - Tradecraft
Decoding Pager Data with RTLSDR - Tradecraft

Building A Low Cost GOES Weather Satellite Receiver with an RTL-SDR

Over on Twitter and his github.io page, Pieter Noordhuis (@pnoordhuis) has shared details about his low cost RTL-SDR based GOES satellite receiving setup. GOES 15/16/17 are geosynchronous weather satellites that beam back high resolution weather images and data. In particular they send beautiful high resolution 'full disk' images which show one side of the entire earth. As the satellites are in geosynchronous orbit, they are quite a bit further away from the earth. So compared to the more easily receivable low earth orbit satellites such as the NOAA APT and Meteor M2 LRPT satellites, a dish antenna, good LNA and possibly a filter is required to receive them. However fortunately, as they are in a geosynchronous orbit, the satellite is in the same position in the sky all the time, so no tracking hardware is required.

In the past we've seen people receive these images with higher end SDRs like the Airspy and SDRplay. However, Pieter has shown that it is possible to receive these images on a budget. He uses an RTL-SDR, a 1.9 GHz grid dish antenna from L-Com, a Raspberry Pi 2, the NooElec 'SAWBird' LNA, and an additional SPF5189Z based LNA. The SAWBird is a yet to be released product from NooElec. It is similar to their 1.5 GHz Inmarsat LNA, but with a different SAW filter designed for 1.7 GHz GOES satellites. The total cost of all required parts should be less than US $200 (excluding any shipping costs).

Pieter also notes that he uses the stock 1.9 GHz feed on the L-com antenna, and that it appears to work fine for the 1.7 GHz GOES satellite frequency. With this dish he is able to receive all three GOES satellites at his location with the lowest being at 25 degrees elevation. If the elevation is lower at your location he mentions that a larger dish may be required. It may be possible to extend the 1.9 GHz L-Band dish for better reception with panels from a second cheaper 2.4 GHz grid dish, and this is what @scott23192 did in his setup.

For software Pieter uses the open source goestools software that Pieter himself developed. The software is capable of running on the Raspberry Pi 2 and demodulating and decoding the signal, and then fully assembling the decoded signal into files and images.

Pieters GOES RTL-SDR Receiving Setup
Pieters Low Cost GOES RTL-SDR Receiving Setup

Explaining and Demonstrating Jam and Replay Attacks on Keyless Entry Systems with RTL-SDR, RPiTX and a Yardstick One

Thank you to Christopher for submitting to us an article that he's written for a project of his that demonstrates how vulnerable vehicle keyless entry systems are to jam and replay attacks. In the article he explains what a jam and replay attack is, the different types of keyless entry security protocols, and how an attack can be performed with low cost off the shelf hardware. He explains a jam and replay attack as follows:

The attacker utilises a device with full-duplex RF capabilities (simultaneous transmit and receive) to produce a jamming signal, in order to prevent the car from receiving the valid code from the key fob. This is possible as RKEs are often designed with a receive band that is wider than the bandwidth of the key fob signal (refer Figure 3, right). The device simultaneously intercepts the rolling code by using a tighter receive band, and stores it for later use. When the user presses the key fob again, the device captures the second code, and transmits the first code, so that the user’s required action is performed (lock or unlock) (Kamkar, 2015). This results in the attacker possessing the next valid rolling code, providing them with access to the vehicle. The process can be repeated indefinitely by placing the device in the vicinity of the car. Note that if the user unlocks the car using the mechanical key after the first try, the second code capture is not required, and the first code can be used to unlock the vehicle.

In his demonstrating the attack he uses the RTL-SDR to initially find the frequency that they keyfob operates at and to analyze the signal and determine some of it's properties. He then uses a Raspberry Pi running RPiTX to generate a jamming signal, and the YardStick One to capture and replay the car keyfob signal.

Jam and Replay Hardware: Raspberry Pi running RpiTX for the Jamming and a Yardstick One for Capture and Replay.
Jam and Replay Hardware: Raspberry Pi running RpiTX for the Jamming and a Yardstick One for Capture and Replay.

Video Tutorial on Decoding FT-8 and RTTY with an SDRplay RSP1A

Over on YouTube radio content creator Techminds has recently started a series that shows how to decode various signals using an SDR such as the SDRplay RSP1A. The first video explains what FT-8 is and shows how to decode it using the WSJT-X software. FT-8 is a modern digital HF ham mode that is designed to be receivable even in weak signal reception. However, the amount of information sent in a FT-8 message is small, so it is not possible to have a full conversation, and you can only make contacts.

In his second video Tech Minds explains RTTY and also shows how to decode it. RTTY is another much older mode that is used by the military as well as hams. To decode it he uses Digital Master 780 which is a program included in the Ham Radio Deluxe software.

Decoding FT-8 With WSJT-X And A SDRplay RSP1A SDR Receiver
Decoding FT-8 With WSJT-X And A SDRplay RSP1A SDR Receiver

Decoding RTTY With Digital Master And A SDRplay RSP1A SDR Receiver
Decoding RTTY With Digital Master And A SDRplay RSP1A SDR Receiver

Welle.io DAB Decoder updated to Version 1.0

Welle.io is a Windows/Linux/MacOS/Android/Raspberry Pi compatible DAB and DAB+ broadcast radio decoder which supports RTL-SDR dongles, as well as the Airspy and any dongle supported by SoapySDR. It is a touch screen friendly piece of software which is excellent for use on tablets, phones and perhaps on vehicle radio touch screens.

DAB stands for Digital Audio Broadcast and is a digital signal that is available in many countries outside of the USA. The signal contains digital broadcast radio stations, and is an alternative/replacement for standard broadcast FM.

Early last year we posted about Welle.io a couple of times, but now the software has reached maturity as version 1.0 has just been released. Author Albrech writes to us:

We fixed a lot of bugs again and added the translation to Hungarian, Norwegian, Italian and French.

Binary packages are available for Windows, Linux and Android (APK and Play store). The macOS support is possible via Homebrew and we now that welle.io runs also on a Rapsberry Pi 2 and newer.

For questions and support please feel free to use the new forum (https://forum.welle.io).

The Welle.io GUI
The Welle.io GUI