Category: Digital Signals

Student Arrested in Taiwan for using SDR and Handheld Radios to Halt Four High Speed Trains with TETRA Hack

The Taipei Times has reported that a 23-year-old university student in Taiwan has been arrested after using a software-defined radio and hand held radio to hack into Taiwan High Speed Rail Corporation's (THSRC) internal radio communications and halt four trains mid-service.

Chinese-language coverage from UDN and Newtalk fills in some details omitted in the English Taipei Times article. The system the student compromised is TETRA, and at 23:23 on April 5, 2026, the student transmitted a "General Alarm" (GA) signal, the highest-priority TETRA alert, which automatically instructs trains in the area to switch to manual emergency braking. Four trains were stopped for 48 minutes. THSRC's radio system has reportedly been in service for 19 years with seven verification layers, but parameters were apparently never meaningfully rotated over that period.

Police describe the suspect as buying an SDR online, connecting it between an antenna and a laptop, capturing THSRC traffic, and decoding the relevant parameters in software, then programming those parameters into one of his eleven handheld radios. A 21-year-old friend also allegedly supplied some critical THSRC parameters. The actual details of the 'hack' aren't entirely clear from the news articles. We suspect that the THSRC TETRA system is simply unencrypted, and that the student was able to spoof a legitimate signal. It's also possible that the THSRC TETRA system used TEA1 encryption, which is known to be broken

Police located the student through a combination of network-side TETRA logs and CCTV. When the THSRC control center called back to verify the alarm, the person on the other end gave contradictory answers and then powered the radio off, prompting THSRC to audit their handheld fleet, confirm every issued radio was accounted for in its storage locker, and report to police that the parameters had been cloned.

Base station logs from the THSRC TETRA infrastructure (which record which sites received the uplink, with multi-site signal strength narrowing the origin) were used to localize the transmission source, and CCTV from around the coverage area was then used to identify the student and trace him to his rental unit. Search warrants on 28 April seized 11 handheld radios, a laptop, and the SDR. 

He is currently out on NT$100,000 (3,200 USD) bail and faces up to ten years under Taiwan's Railway Act and Criminal Code, with an unconvincing "had it in my pocket and accidentally pressed the button" defense.

Stories like this are a reminder that experimenting with operational safety-of-life radio systems carries serious legal consequences. Back in 2016, we covered the case of Dejan Ornig, a Slovenian university student who used an RTL-SDR and the open source Osmocom TETRA decoder to discover that his country's police TETRA terminals were running unauthenticated, despite official documents stating otherwise. After seven years of court hearings, he ended up with a seven-month suspended sentence. More recently, we posted on the End of Train (EoT) vulnerability, where a security researcher demonstrated that an SDR can replicate the unauthenticated braking command on US freight trains.

The Equipment Seized by Police
The Equipment Seized by Police
A Taiwanese High Speed Train (Source: https://en.wikipedia.org/wiki/File:THSR_700T_TR17_20130907.jpg)
A Taiwanese High Speed Train (Source: https://en.wikipedia.org/wiki/File:THSR_700T_TR17_20130907.jpg)
Translated news graphic from https://udn.com/news/story/7315/9475450
Translated news graphic from https://udn.com/news/story/7315/9475450
 

P25-Survey: A Tool for Scanning and Logging P25 Control Channels with an SDR

Over on GitHub, programmer blantonl has released p25-survey, a Python tool that scans a frequency range with an RTL-SDR, Airspy or HackRF and identifies any P25 control channels present. For each one found, it logs the WACN, System ID, NAC, RFSS ID and Site ID, the full IDEN_UP band plan, neighbor sites with resolved frequencies, and signal quality metrics including RSSI, BER and decode rate.

The tool also has an optional RadioReference cross-reference mode that annotates results with the RR system name and site description, flags frequency offsets versus the database, and generates a Markdown submission report for data not yet in RadioReference. An auto-gain feature sweeps gain values on each confirmed control channel and recommends the optimal setting for your SDR and location based on BER.

P25 Survey Tool
P25 Survey Tool

Tactical_FSK_Modem: An Open Software MFSK Image & Text Modem for PC and Android

Thanks to Ibrahim (YD1RUH), who wrote in to share his open-source open-software project Tactical_FSK_Modem, which turns a standard PC or Android device into an audio-based MFSK transceiver for sending images and text over a radio link. Conceptually similar to SSTV or HF FAX, it adds Hamming (7,4) Forward Error Correction that wraps every 4 data bits into a 7-bit block and repairs single-bit errors in real time, significantly lowering BER in low-SNR conditions. The system forces a hardened 720p vertical resolution for noise resistance, and a 1400 Hz → 1000 Hz → 1400 Hz VIS-like "start melody" handles automatic RX canvas reset and sync with no manual alignment.

Pre-built Windows and Android binaries are available in the repo, and the Android port is probably the most interesting part. Operators can connect a smartphone to HT, ham radio, or an SDR to send tactical images directly from the field. 

We note that while the code is Apache 2.0 licensed, we don't appear to see any source code in the repo, but the .exe and .apk files are available to download. Ibrahim notes that he is actively looking for feedback and collaboration to further improve the system's robustness for tactical and emergency communication use cases.

Licensing Update: Ibrahim has clarified that he mistakenly referred to the project as open-source, but his intention was to actually refer to it as 'open-software'. The software is free, but the source code is not provided.

Tactical FSK Modem UI
Tactical FSK Modem UI

Exploring the Privacy Risks of Tire Pressure Monitoring Systems with RTL-SDR

Tire Pressure Monitoring System (TPMS) privacy concerns are a topic that comes up every now and then. Most modern vehicles have wireless tire pressure sensors that communicate with the vehicle's computer to alert the driver when tire pressure falls below a safety threshold.

The privacy issue is that these TPMS sensors each transmit a unique identifier, so the computer can know which tire is being measured, and not read other vehicles' sensors by mistake. As TPMS is not encrypted in any way, anyone with an RTL-SDR or other similar radio can receive and decode TPMS messages, including the unique identifier. This raises privacy concerns as this can be used to log the presence and movement of individual vehicles. 

A recent academic paper by university researchers showed how researchers deployed simple RTL-SDR + Raspberry Pi-based receivers along a road over a period of 10 weeks. They showed that TPMS transmissions can not only be used to identify, track, and detect the presence and daily routines of individual vehicles, but also to determine the type and weight of the vehicle via pressure readings.  Interestingly, they also note that variations in the weight of an identified vehicle could indicate, for example, whether a truck is loaded or unloaded, or whether there are additional passengers in a car.

The researchers highlight privacy concerns, noting that such data could be collected and sold by data mining companies without the driver's knowledge. 

RTL-SDR + Raspberry Pi for TPMS Monitoring
RTL-SDR + Raspberry Pi for TPMS Monitoring
The TPMS Monitoring Setup
The TPMS Monitoring Setup

Frugal Radio: Beginners Guide to P25 Decoding with the Latest DSD Plus Release

Over on his YouTube channel 'Frugal Radio', Rob has uploaded a comprehensive video detailing how to set up the latest DSD Plus release for P25 Public Safety decoding.

Back in December 2025, we posted about how the DSD Plus team released version 2.547. The release had already been available to DSD Fastlane customers, but it is now available to the public. The new version brings various improvements and features, but it also changes the software signal flow that was used in previous versions.

In the video, Rob explains how to set up the new DSD Plus version, including how to use the new FMP24 demodulator with an RTL-SDR. He then goes on to show the various features, like control channel monitoring mode, getting P25 system data, holding and IDing talkgroups, and setting talkgroup aliases.

HUGE free DSDPlus Update 2026 : Decode P25 Public Safety with your SDR and this beginner guide!

Multimon Pager Decoding on Android

Sarah (aka SignalsEverywhere) has recently released another open-source Android app that enables the multi-signal decoder Multimon-ng to be used on Android. Multimon-ng is a commonly used decoding app, that supports various protocols such as POCSAG/FLEX pagers, as well as DTMF, ZVEI, EAS and more.

The app requires the SDR++ Android app to be running in the background with an SDR like an RTL-SDR connected. The role of SDR++ is to receive the signal and send the demodulated audio over a network connection to the Multimon-NG app, which performs the final decoding.

The app APK can be downloaded from Sarah's website via a minimum $0 donation, or alternatively, built and installed from source.

Multimon-ng on Android!

Pocket 25: An Android P25 Phase 1 Digital Voice Radio Decoder

Thank you to reader "EN53" for submitting news about a newly released open source Android app called Pocket 25. Pocket 25 is an Android-based APCO Project 25 (P25) phase 1 digital voice decoder based on the DSD-Neo decoder engine. It was developed by Sarah Rose (aka SignalsEverywhere), whose other software we have posted about in the past.

APCO P25 phase 1 trunked digital voice systems are commonly used in the United States, Canada, Australia, and other countries by emergency services. As long as the P25 network is unencrypted, it is commonly decoded to audio with an RTL-SDR and decoding software such as DSDPlus or SDRTrunk.

Pocket 25 allows users to now decode P25 signals on portable Android devices. An RTL-SDR can be connected to an Android device via a USB-OTG cable, or a remote networked RTL-SDR can be used via an rtl_tcp connection. The app also supports RadioReference accounts, automatic GPS site hopping, smart filtering, and logging.

In the readme, Sarah also notes that, because Pocket 25 is based on the DSD-Neo engine, it supports additional digital voice protocols, including DMR, NXDN, and others. However, the interface is designed around P25, so non-P25 systems may show incorrect metadata.

The software is open source and code can be found on the GitHub. There is also an active discussion about the app on RadioReference.

Pocket25 | Running DSD-Neo on Android!

Telive osmo-tetra-sq5bpf: An Experimental TETRA Decoder that Enables Voice Decryption (If You Have the Key)

Thank you to Jacek / SQ5BPF for letting us know that he's recently released a modified version of the Telive TETRA decoder for Linux. The modification allows the user to listen to TEAx-encrypted voice signals if they have the decryption key. Typically, if a TETRA signal is encrypted, there is no way to listen to it, unless you have obtained the decryption key from the network operator, or extracted it from TETRA keyloader hardware.

But because the TEA1 encryption was broken due to a backdoor being discovered in 2023, he has also added support for using the 32-bit short key directly, which can be automatically recovered from TETRA traffic using his other software called teatime. TEA1 encryption is being phased out, but many deployments still use it.

The software is designed for advanced users to compile and run, so very little documentation is provided. However, there is a blog post here that explains the overall steps. Some additional information can be found on SQ5BPF's RadioReference post here.

TETRA Decoding (with telive on Linux)
TETRA Decoding (with telive on Linux)