Category: Digital Signals

Decoding Amateur Radio Digital Voice with an RTL-SDR and the QRadioLink Android App

Thank you to Adrian for submitting his video about using the Android App called QRadioLink and an RTL-SDR to decode digital amateur radio voice transmissions. Adrian writes that in the video the RTL-SDR connects to the Android phone with a USB OTG cable and uses a sample rate of 1 MSPS. He also writes the following about QRadioLink:

QRadioLink is a building platform which allows experimenting with VHF-UHF SDR transceivers using different modulation schemes for digital data transmissions. So far digital voice and text transmission is supported, using either a narrow band modem and Codec2 or a high bandwidth modem and Opus. Supported hardware includes the RTL-SDR, Ettus USRP, HackRF, BladeRF and in general all devices supported by libgnuradio-osmosdr.

Monitoring Train Railway Lines with an RTL-SDR and ATCS Monitor

Back in June Gus Gorman showed us via a YouTube tutorial and demo on how to monitor ATSC (Advanced Train Control System) signals from trains. ATSC is found in the USA and is used for things like communications between trains, rail configuration data, train location data, speed enforcement, fuel monitoring, train diagnostics and general instructions and messages. Gus used an RTL-SDR and the ATSC Monitor software to decode the signals and give us a view of the current state of the railway line.

In his latest video Gus gives a better demonstration of the software by parking outside a train station so that he can receive many more signals from the trains. At the start of the video he shows the track view of BNSF trains, and then later switches over to the Union Pacific track view.

Decoding the ALERT Protocol from a USGS Streamgage with an RTL-SDR

Over on his YouTube channel GusGorman402 has uploaded a video that shows how he was able to capture and decode data from a USGS (United States Geological Service) streamgage.

A streamgage is a sensor for streams and rivers that is used for measuring the amount of water flowing. In particular the ALERT (Automated Local Evaluation in Real-Time) streamgages are designed for the warning of flooding. The ALERT streamgages are wireless with some transmitting data upwards to the GOES-15 geosynchronous satellite with a cross Yagi and some transmitting locally via a standard Yagi. Gus shows if you’re close to a streamgage antenna then you can still receive the signal on the ground with an RTL-SDR. Gus also mentions that all streamgages in his area are slowly being converted to satellite uplink.

His first video simply shows the RTL-SDR receiving a Streamgage satellite uplink signal at 400 MHz. In his second video he moves to a streamgage with terrestrial link at 170 MHz and shows that the data can actually be decoded into a binary string using minimodem. Another program called udfc-node can then be used to turn the data into a human readable format. The binary packets consist of an address that identifies the particular streamgage, and some data that describes the current level of the stream and how much precipitation it has counted.

SDRTrunk Setup and Use Tutorial

Over on his blog John Hagensieker has uploaded a tutorial that shows how to set up SDRTrunk with RTL-SDR dongles. SDRTrunk is an application that allows you to follow trunked radio conversations, and decode some digital voice protocols such as P25 Phase 1. It is similar to Unitrunker and DSDPlus combined into one program. It is also Java based so it is cross platform and so can be used on Linux and MacOS systems as well.

John’s tutorial contains many useful screenshots, so it should be great for a beginner. He starts from the beginning, with finding trunking frequencies over on, then goes on to the installation and use on Linux. He also later explains how the Airspy can be used instead of multiple RTL-SDR to cover 10 MHz of bandwidth so that multiple systems can be monitored.

SDRTrunk Running and decoding a P25 Phase 1 System
SDRTrunk Running and decoding a P25 Phase 1 System

Using an RTL-SDR as a Simple IMSI Catcher

Over on YouTube user Keld Norman has uploaded a video showing how he uses an RTL-SDR with gr-gsm and a Python script to create a simple IMSI catcher. IMSI stands for International mobile subscriber identity and is a unique number that identifies a cell phone SIM card in GSM (2G) mobile phone systems. For security IMSI numbers are usually only transmitted when a connection to a new cell tower is made. More advanced IMSI-catchers used by governmental agencies use a fake cell tower signal to force the IMSI to always be revealed. This way they can track the location of mobile phones as well as other data like who or when you are calling.

In the video Keld uses a Python script called IMSI-Catcher. This script displays the detected IMSI numbers, country, and mobile carrier on a text display. The video description shows how to install GR-GSM and the IMSI-Catcher script on Ubuntu.

IMSI-Catcher Python Script
IMSI-Catcher Python Script

Demodulating the Outernet signal with leandvb and an RTL-SDR

Leandvb is command line based lightweight DVB-S decoder designed for receiving Digital Amateur TV, including signals like HamTV from the International Space Station. The RTL-SDR can be used together with leandvb and it turns out that leandvb can also be used to decode the Outernet signal. If you were unaware, Outernet is a free L-band based satellite service that provides content such as news, weather data, APRS repeats and more. Currently you can get about 20MB of data a day. Outernet receivers are also all based around the RTL-SDR, allowing for very cheap receivers to be built. At the moment you’ll need a C.H.I.P or their specialized Dreamcatcher hardware to run their special Skylark OS with software decoder, but a general Armbian decoder is in the works.

Alternatively leandvb can be used, and over on their website the folks behind the leandvb software have uploaded a tutorial showing how to use leandvb to decode Outernet. Thanks to some reverse engineering attempts by Daniel Estévez, it was discovered that the Outernet modulation is very similar to DVB-S so the standard decoder can be used with some custom flags. Leandvb only outputs raw frames, not decoded data. They haven’t tested it, but it may be possible to feed the frames into Daniel Estevez’s free-outernet project for obtaining the final files.

During the testing they also discovered some interesting notes about the E4000 and R820T RTL-SDRs. For example by patching the R820T2 drivers to add some additional VGA gain they were able to make the R820T2 chips more sensitive at the Outernet frequency compared to the E4000 chip by bringing the signal further out of the quantization noise. They also tested a 60cm dish vs a patch antenna and found that the dish works significantly better.

Patch vs Dish Antenna for Outernet
Patch vs Dish Antenna for Outernet

Tutorial: Replay Attacks with an RTL-SDR, Raspberry Pi and RPiTX

With an RTL-SDR dongle, Raspberry Pi, piece of wire and literally no other hardware it is possible to perform replay attacks on simple digital signals like those used in 433 MHz ISM band devices. This can be used for example to control wireless home automation devices like alarms and switches.

In this tutorial we will show you how to perform a simple capture and replay using an RTL-SDR and RPiTX.  With this method there is no need to analyze the signal, extract the data and replay using a 433 MHz transmitter. RPiTX can replay the recorded signal directly without further reverse engineering just like if you were using a TX capable SDR like a HackRF to record and TX an IQ file.

Note that we’ve only tested this replay attack with simple OOK 433 MHz devices. Devices with more complex modulation schemes may not work with this method. But the vast majority of 433 MHz ISM band devices are using simple modulation schemes that will work. Also replay attacks will not work on things like car keys, and most garage door openers as those have rolling code security.

A video demo is shown below:

Hardware used and wireless ISM band devices tested with RPiTX
Hardware used and wireless ISM band devices tested with RPiTX


RPiTX is open source software which allows you to turn your Raspberry Pi into a general purpose transmitter for any frequency between 5 kHz to 500 MHz. It works by using square waves to modulate a signal on the GPIO pins of the Pi. If controlled in just the right way, FM/AM/SSB or other modulations can be created. By attaching a simple wire antenna to the GPIO pin these signals become RF signals transmitted into the air.

Of course this creates an extremely noisy output which has a significant number of harmonics. So to be legal and safe you must always use bandpass filtering. Harmonics could interfere with important life critical systems (e.g. police/EMS radio, aircraft transponders etc).

For testing, a short wire antenna shouldn’t radiate much further than a few meters past the room you’re in, so in this case you should be fine without a filter. But if you ever connect up to an outdoor antenna or amplify the signal then you absolutely must use adequate filtering, or you could find yourself in huge trouble with the law. Currently there are no commercially made 433 MHz filters for RPiTX available that we know of, so you would need to make your own. Also remember that you are still only allowed to transmit in bands that you are licensed to which for most people will be the ISM bands.

In the past we’ve seen RPiTX used for things like controlling an RC car, building a home made FM repeater, creating a ham transceiver and transmitting WSPR (via a well made filter). We’ve also seen people perform replay attacks using the cleaner but harder way by reverse engineering a 433 MHz signal, and then generating the RPiTX OOK modulation manually.

Continue reading

Installing and Using SDRTrunk on Linux for Live Trunk Tracking with an RTL-SDR

SDRTrunk is a cross platform Java based piece of software that can be used for following trunked radio conversations. In addition to trunk tracking it also has a built in P25 Phase 1 decoder. Compared to Unitrunker SDRTrunk is an all-in-one package, and currently it supports most trunking system control channels, but unlike Unitrunker it still misses out on some systems EDACS and DMR.

Over on his YouTube channel AVT Marketing has uploaded an excellent 6-part video series that shows how to install SDRTrunk and the Java runtime environment on Ubuntu Linux. The sections covered include, installing Java, setting the Java environment variables, installing other SDRTrunk prerequisites such as Apache Ant and the JMBE audio codec for decoding P25, and finally actually using and setting up SDRTrunk. Like all of AVT’s other videos, this is an excellent tutorial that takes you through the entire process from the very beginning so is useful for beginners as well.

If you’re new to trunking: Trunking systems are typically used with handheld radio systems (e.g. those that police, security guards, workmen etc carry around). The basic idea is that each radio constantly listens to a digital control channel which tells it what frequency to switch to if a call is being made. This allows the frequency spectrum to be shared, instead of designating one fixed frequency per user which would be very inefficient. But this system makes it difficult for scanner radios to listen in to, because the voice frequency could change at any time. Therefore software like Unitrunker and SDRTrunk which can decode the control channel is required. In addition many new systems use digital audio like P25 or DMR which requires digital decoders like SDRTrunk or DSDPlus.