Category: Digital Signals

Explaining and Demonstrating Jam and Replay Attacks on Keyless Entry Systems with RTL-SDR, RPiTX and a Yardstick One

Thank you to Christopher for submitting to us an article that he's written for a project of his that demonstrates how vulnerable vehicle keyless entry systems are to jam and replay attacks. In the article he explains what a jam and replay attack is, the different types of keyless entry security protocols, and how an attack can be performed with low cost off the shelf hardware. He explains a jam and replay attack as follows:

The attacker utilises a device with full-duplex RF capabilities (simultaneous transmit and receive) to produce a jamming signal, in order to prevent the car from receiving the valid code from the key fob. This is possible as RKEs are often designed with a receive band that is wider than the bandwidth of the key fob signal (refer Figure 3, right). The device simultaneously intercepts the rolling code by using a tighter receive band, and stores it for later use. When the user presses the key fob again, the device captures the second code, and transmits the first code, so that the user’s required action is performed (lock or unlock) (Kamkar, 2015). This results in the attacker possessing the next valid rolling code, providing them with access to the vehicle. The process can be repeated indefinitely by placing the device in the vicinity of the car. Note that if the user unlocks the car using the mechanical key after the first try, the second code capture is not required, and the first code can be used to unlock the vehicle.

In his demonstrating the attack he uses the RTL-SDR to initially find the frequency that they keyfob operates at and to analyze the signal and determine some of it's properties. He then uses a Raspberry Pi running RPiTX to generate a jamming signal, and the YardStick One to capture and replay the car keyfob signal.

Jam and Replay Hardware: Raspberry Pi running RpiTX for the Jamming and a Yardstick One for Capture and Replay.
Jam and Replay Hardware: Raspberry Pi running RpiTX for the Jamming and a Yardstick One for Capture and Replay.

Video Tutorial on Decoding FT-8 and RTTY with an SDRplay RSP1A

Over on YouTube radio content creator Techminds has recently started a series that shows how to decode various signals using an SDR such as the SDRplay RSP1A. The first video explains what FT-8 is and shows how to decode it using the WSJT-X software. FT-8 is a modern digital HF ham mode that is designed to be receivable even in weak signal reception. However, the amount of information sent in a FT-8 message is small, so it is not possible to have a full conversation, and you can only make contacts.

In his second video Tech Minds explains RTTY and also shows how to decode it. RTTY is another much older mode that is used by the military as well as hams. To decode it he uses Digital Master 780 which is a program included in the Ham Radio Deluxe software. DAB Decoder updated to Version 1.0 is a Windows/Linux/MacOS/Android/Raspberry Pi compatible DAB and DAB+ broadcast radio decoder which supports RTL-SDR dongles, as well as the Airspy and any dongle supported by SoapySDR. It is a touch screen friendly piece of software which is excellent for use on tablets, phones and perhaps on vehicle radio touch screens.

DAB stands for Digital Audio Broadcast and is a digital signal that is available in many countries outside of the USA. The signal contains digital broadcast radio stations, and is an alternative/replacement for standard broadcast FM.

Early last year we posted about a couple of times, but now the software has reached maturity as version 1.0 has just been released. Author Albrech writes to us:

We fixed a lot of bugs again and added the translation to Hungarian, Norwegian, Italian and French.

Binary packages are available for Windows, Linux and Android (APK and Play store). The macOS support is possible via Homebrew and we now that runs also on a Rapsberry Pi 2 and newer.

For questions and support please feel free to use the new forum (


Viewing Drone Signals with HackRF being used as a Wideband Spectrum Analyzer

Over on his YouTube channel user Andy Clarke has uploaded a video where he demonstrates his HackRF being used as a wideband spectrum analyzer with the HackRF Spectrum Analyzer software. About a year ago the HackRF team released a new firmware update which enabled the HackRF to be able to sweep through the frequency spectrum at a rate of up to 8 GHz per second. This allowed the HackRF to be used as a wideband spectrum analyzer which is able to display an arbitrarily large swath of spectrum. Shortly after the firmware update spectrum analyzer program by 'pavsa' was released on GitHub.

In the video Andy demonstrates the HackRF being used to view the WiFi band and show a 2.4 GHz WiFi connection between a drone and it's controller. He also shows it working with a handheld radio and the uplink of his mobile phone. Andy hopes to use the HackRF to avoid losing his drones due to interference.

Decoding Meteor-M Images on a Raspberry Pi with an RTL-SDR

Thanks to Andrey for writing in and showing us his Java based Meteor-M decoder for the RTL-SDR which he uses on a Raspberry Pi. The decoder is based on the meteor-m2-lrpt GNU Radio script and the meteor_decoder which he ported over to Java. Essentially what he's done is port over to Java a bunch of GNU Radio blocks as well as the meteor decoder. The ported Java blocks could also be useful for other projects that want to be cross platform or run without the need for GNU Radio to be installed.

In his blog post (blog post is in Russian, use Google Translate for English) Andrey explains his motivation for writing the software which was that the Windows work flow with SDR# and LRPTofflineDecoder is quite convoluted and cannot be run headless on a Raspberry Pi. He then goes on to explain the decoding algorithm, and some code optimizations that he used in Java to speed up the decoding. Andrey notes that his Java version is almost 2x slower compared to the GNU Radio version, but still fast enough for real time demodulation.

Meteor-M2 is a Russian weather satellite that operates in the 137 MHz weather satellite band. With an RTL-SDR and satellite antenna these images can be received. Running on a Raspberry Pi allows you to set up a permanent weather satellite station that will consistently download images as the satellite passes over.

Decoded Images with Andry's Meteor-M software on Raspberry Pi.
Images received with Andry's Meteor-M software running on a Raspberry Pi.

SDR# TETRA Plugin Updated: No longer requires MSYS2

Last week we posted about the release of a new TETRA decoder plugin for SDR#. The plugin made setting up a TETRA decoder significantly easier compared to previous methods, but it still required the installation and use of the MSYS2 environment on Windows. 

Thanks to reader Zlati for letting us know that the TETRA plugin has recently been updated once again and now no longer requires MSYS2 to be installed first. Now it is as easy to install as any other plugin, just drop the .dlls into the SDR# folder and add the magicline to the plugins.xml file. We tested it out and decoding worked fine. At the moment the "Net info" button is not working however.

x64 plugin:
x86 plugin:

In the future news and download lines for newer versions will probably be available on the programmers forum thread which is available here (use Google Translate to read):

Updated TETRA Decoder Plugin
Updated TETRA Decoder Plugin

Outernet 3.0: Implementation Details and a 71,572km LoRa World Record

Outernet Dreamcatcher Board running with an LNB
Outernet Dreamcatcher Board running with a cheap satellite TV LNB

Outernet 3.0 is gearing up for launch soon, and just today they've released a blog post introducing us to the RF protocol technology behind the new service. If you weren't already aware, Outernet is a free satellite based information service that aims to be a sort of 'library in the sky'. Their aim to to have satellites constantly broadcasting down weather, news, books, radio, web pages, and files to everyone in the world. As it's satellite based this is censorship resistant, and useful for remote/marine areas without or with slow/capped internet access.

Originally a few years ago they started with a 12 GHz DVB-S satellites service that gave 1GB of content a day, but that service required a large dish antenna which severely hampered user adoption. Their second attempt was with an L-band service that only needed a small patch antenna. This service used RTL-SDR dongles as the receiver, so it was very cheap to set up. Unfortunately the L-band service had a very slow data rates (less than 20MB of content a day), and leasing an L-band transmitter on a satellite proved to be far too expensive for Outernet to continue with. Both these services have now been discontinued.

Outernet 3.0 aims to fix their previous issues, giving us a service that provides over 300MB of data a day, with a relatively cheap US$99 receiver that is small and easy to set up. The new receiver uses a standard Ku-Band LNB as the antenna, which is very cheaply available as they are often used for satellite TV reception. The receiver itself is a custom PCB containing a hardware (non-SDR based) receiver with a LoRa decoder.

LoRa is an RF protocol that is most often associated with small Internet of Things (IoT) devices, but Outernet have chosen it as their satellite protocol for Outernet 3.0 because it is very tolerant to interference. In Outernet 3.0 the LNB is pointed directly at the satellite without any directive satellite dish, meaning that interference from other satellites can be a problem. But LoRa solves that by being tolerant to interference. From the uplink facility to the satellite and back to their base in Chicago the LoRa signal travels 71,572 km, making it the longest LoRa signal ever transmitted.

According to notes in their forums Outernet 3.0 is going to be first available only in North America. Europe should follow shortly after, and then eventually other regions too. When ready, their 'Dreamcatcher 3.0' receiver and computing hardware is expected to be released for US$99 on their store. You can sign up for their email list on that page to be notified upon release.

Also as a bonus, for those interested in just LoRa, the Dreamcatcher 3.0 is also going to be able to transmit LoRa at frequencies anywhere between 1 MHz to 6 GHz, making it great for setting up long range LoRa links. This might be an interesting idea for hams to play with.

The Outernet 3.0 'Dreamcatcher' Receiver.
The Outernet 3.0 'Dreamcatcher' Receiver.

Video Tutorial: Setting up DMR Decoding with SDR#, DSD+ and an RTL-SDR

Over on YouTube user Tech Minds has uploaded a useful video which shows how to set up DMR decoding with SDR#, VB-Cable, DSD+ and an RTL-SDR dongle. He also uses the DSD plugin for SDR# which makes controlling the command line DSD+ software a little easier. If you are interested we also have a short tutorial on DMR/P25 decoding available here. The video starts from downloading and installing the software, and explains every step very carefully, so it is a very good starting video for beginners.

DMR (aka MotoTRBO or TRBO) is a digital voice protocol used by Motorola radios. Software like DSD+ is required to listen to it, but it can only listen in if the signal is unencrypted.

Tech Minds has also uploaded several other tutorial videos to his channel over the last few months including guides on how to set up the ham-it-up upconverter, ADS-B tracking, using a Raspberry Pi to create a FM transmitter and more.