Galileo is a European Union owned satellite navigation system. Galileo was created so that the EU does not need to rely on the US GPS or the Russian GLONASS satellites, as there is no guarantee that these systems won't be purposely turned off or degraded by their governments at any time.
Unfortunately since July 11 the Galileo system has been out of service. Not much information about the outage has been provided, but it appears to be related to problems with the Italian ground based Precise Timing Facility which consists of two ultra high precision atomic clocks that keep the Galileo systems' reference time. (We note that recently within the last few hours of this post, most satellites seem to have come back into operational status, but the EGSA website still reports an outage.)
Over on his blog, Daniel Estevez has been using his LimeSDR and a small patch antenna to gather some more information about the outage directly from the Galileo satellites. His investigations found that the modulation and signal itself are still working correctly. However, by using the GNSS-SDR software to investigate the signal data he was able to obtain the ephemeris, and see that the ephemeris is stuck in the past. The ephemeris data is used to calculate compensations for orbital drift and without frequent ephermis updates, orbital errors add up within hours resulting in poor positioning accuracy. In order to generate the ephermis, the Precise Timing Facility must be operational.
Daniel's post goes into further technical details about the information he's collected, and it's definitely an interesting read. One interesting bit of information that you can read from his post explains why the service has gone from initially just heavily degraded accuracy from July 11, to completely nonsense results from July 15 onwards.
Trunk Recorder is an RTL-SDR compatible open source Linux app that records calls from Trunked P25 and SmartNet digital voice radio systems which are commonly used by Police and other emergency services in the USA. It can be used to set up a system that allows you to listen to previous calls at your leisure, however it does not have any UI for easy browsing.
Modern cell phones in the USA are all required to support the Wireless Emergency Alert (WEA) program, which allows citizens to receive urgent messages like AMBER (child abduction) alerts, severe weather warnings and Presidential Alerts.
In January 2018 an incoming missile alert was accidentally issued to residents in Hawaii, resulting in panic and disruption. More recently an unblockable Presidential Alert test message was sent to all US phones. These events have prompted researchers at the University of Colorado Boulder to investigate concerns over how this alert system could be hacked, potentially allowing bad actors to cause mass panic on demand (SciHub Paper).
Their research showed that four low cost USRP or bladeRF TX capable software defined radios (SDR) with 1 watt output power each, combined with open source LTE base station software could be used to send a fake Presidential Alert to a stadium of 50,000 people (note that this was only simulated - real world tests were performed responsibly in a controlled environment). The attack works by creating a fake and malicious LTE cell tower on the SDR that nearby cell phones connect to. Once connected an alert can easily be crafted and sent to all connected phones. There is no way to verify that an alert is legitimate.
Over on YouTube OLHZN High Altitude Balloons has posted a very entertaining video showing how to use an RTL-SDR and small grid dish antenna to track and recover a fallen weather balloon and its radiosonde. OLHZN writes:
The US National Weather Service (#NWS) launches over 200 weather balloons everyday carrying an LMS-6 #radiosonde / rawinsonde made by Lockheed Martin to an altitude of over 100,000 ft. and you can track & follow the flights from home and even find the landing site and pick them up! This is a fun #DIY project that you can do yourself from home and I'll show you how to do it here along with some tips so you can go find yourself a weather balloon & radiosonde!
How to track & recover a NWS weather balloon & radiosonde 🎈🎈 DIY
Circle City Con is a yearly conference that focuses on information security talks. At this years conference Josh Conway presented an interesting talk titled "SigInt for the Masses Building and Using a Signals Intelligence Platform for Less than $150". Josh's talk introduces his "RadioInstigator" hardware which is a combination of a Raspberry Pi, CrazyRadio and an RTL-SDR all packaged into a 3D printed enclosure with LCD screen. The idea behind the RadioInstigator is to create a portable and low cost Signals Intelligence (SIGINT) device that can be used to investigate and manipulate the security of radio signals.
The RadioInstigator makes use of the RPiTX software which allows a Raspberry Pi to transmit an arbitrary radio signal from 5 kHz up to 1500 MHz without the use of any additional transmitting hardware - just connect an antenna directly to a GPIO pin. Connected to the Pi is a CrazyRadio, which is a nRF24LU1+ based radio that can be used to receive and transmit 2.4 GHz. And of course there is an RTL-SDR for receiving every other signal. Josh has made the plans for the RadioInstigator fully open source over on GitLab.
In his talk Josh introduces the RadioInstigator, then goes on to discuss other SDR hardware, antenna concepts and software installed on the RadioInstrigator like RPiTX, GNU Radio, Universal Radio Hacker, Salamandra, TempestSDR and more.
Over on YouTube Andreas Spiess has been helping his friend create a pressure monitoring system for his home brew beer bottles. In order to do this, Andreas uses an externally mounted after market wireless tire pressure sensor whose data can be received with an RTL-SDR and the rtl_433 decoder software. Modern vehicle tires contain a TPMS (tire pressure monitoring system) sensor, which keeps track of tire pressure, temperature and acceleration. The data is wirelessly transmitted via 433 or 315 MHz to the cars dashboard and computer for safety monitoring.
In the first video Andreas discusses tire pressure monitors and how they could be used for other non-tire applications, talks a bit about the wireless protocol used, and how to reverse engineer it. He notes that the author of rtl_433 was able to implement his particular tire pressure sensor brand's protocol into the rtl_433 database, so now anyone can decode them. Finally in this video he also shows that he can easily spoof a flat tire signal using a HackRF and GNU Radio which might cause a modern high end car to refuse to move.
The second video shows how to continuously monitor that TPMS data for the home brew set up. Andreas uses an RTL-SDR and Raspberry Pi running rtl_433, which outputs it's data into Mosquitto, Node-Red, InfluxDB and the Grafana. These programs help to read, manage, log and graph the data. The rtl_433 program is also monitored by Supervisord which automatically restarts rtl_433 if the program crashes.
The main new feature is the integration of Openstreetmap to display the locations of DAB transmitters (please see attached picture of a raw recording from England), together with the own position of the receiver.
In case the transmitter ident code (TII) is detected and the transmitter is contained in the database, it is displayed on the map as an icon, colored according to the TII signal strength.
The "Own Position" is indicated as a red or green dot, either (without GNSS sensor) placed by dragging the red circle with the mouse to its correct position, or by attaching a GNSS (GPS or GLONASS) sensor.
When recording raw I/Q data, the GNSS positions are written into a second file, parallel with the .raw file. On replaying, the current recorded geolocation is displayed synchronously to the recorded transmitters on the map. This might be useful in a mobile environment. The distances are displayed in the TII table.
Over on YouTube Corrosive from the SignalsEverywhere channel has uploaded a new video showing us how to set up P25 trunking and decoding with DSDPlus Fastlane and only a single RTL-SDR.
Normally two dongles are required to follow a P25 trunking system. One dongle continuously receives the trunking channel, and a second tunes to the voice channel chosen by the trunking channel. However, the latest DSDPlus Fastlane has a feature that allows one only dongle to be used. It works by tuning back and forth between the control and voice channel. The disadvantage is that trunking information could be missed while tuned to a voice channel, so some calls could be missed.
RTL SDR Setup P25 Trunking With 1 SDR and DSDPlus FastLane