Category: Digital Signals

InmarScope: An Inmarsat AERO and STD-C Decoder with Multichannel Decoding and Automatic Call Following

Over on the SignalsEverywhere YouTube channel, Sarah Rose has released InmarScope, a multichannel L-band Inmarsat decoder that connects directly to an RTL-SDR, Airspy, or HackRF. The software can receive and decode both aeronautical (AERO) and maritime (STC-C / EGC) traffic at the same time. Decoders are dropped directly onto the aligned FFT and waterfall by holding CTRL and left-clicking, and the software lets you stack Aero MSK (600/1200 bps), high-rate OQPSK (10500 bps), AMBE voice (8400 bps), and Inmarsat-C BPSK decoders side by side.

One of the more interesting features is automatic voice-call following. By monitoring the 10500 baud forward-link channels, InmarScope can receive C channel voice assignments and automatically retune the SDR to the assigned frequency, lock the carrier, decode and record the AMBE call, and then hop back to where it was. There is also a two-SDR mode that dedicates a second radio to voice with a live split-view spectrum so one radio stays on the P control channel while the other tunes to voice calls. For assignments that never get broadcast, there is also a Call Hunter feature that uses a squelch threshold to automatically drop the decoder when a call appears. When a call is playing, the built in flight map also decodes the aircraft hex ICAO address and looks it up on airplanes.live, showing the plane's position and route in real time.

Recent updates have added a community-editable band plan, message search and filtering, an IQ recorder that also captures the seconds before you hit record, and a web dashboard for browsing decoded data from a phone.

The software is completely open source on GitHub, and the C++ code can be compiled from source, or a precompiled Windows build is available on sarasforge.dev for $15, with Sarah's Patreon patrons getting it free.

We note that Inmarsat signals such as AERO and STD-C/EGC can be received with our RTL-SDR Blog L-band Patch Antenna, which is available in our store.

Multi-Channel Voice Following Inmarsat Decoder for Windows!

Decoding Inmarsat in 2026

GopherTrunk: A New Pure-Go Trunked Radio Scanner Supporting P25, DMR, TETRA, NXDN and More

Thank you to Matt Cheramie, who wrote in to let us know about his new software called GopherTrunk, a new RTL-SDR compatible radio scanner that follows digital trunked-radio voice calls and decodes them into audio. Gopher Trunk runs on a pool of RTL-SDR dongles and ships as a single ~10 MB static binary for Linux, macOS, and Windows. There are no C dependencies, so neither librtlsdr nor libusb are required at build or runtime, which makes deployment on a fresh machine or Raspberry Pi very straightforward.

On the protocol side, GopherTrunk handles control-channel decoding for P25 (Phase 1 and 2), DMR, TETRA, NXDN, Motorola Type II, EDACS, LTR, MPT 1327, dPMR, D-STAR, and YSF. The voice path is written in pure-Go and implements IMBE and AMBE+2 vocoders directly, removing the dependency on external DVSI or mbelib. The interface is terminal-based, but also includes a full browser-based operator console. There is also a configuration importer that parses RadioReference.com PDF exports and CSV bundles straight into the daemon config.

Matt notes that while the engine is running end-to-end, he is looking for SDR enthusiasts to test it against real-air captures to help refine the on-air FEC layers and vocoder audio levels. Prebuilt releases and the quick start guide are available at gophertrunk.org/downloads, and the full source is on GitHub. Feedback and bug reports are very welcome if you give it a try.

Gopher Trunk: A New Digital Trunking Scanner for RTL-SDR written in Pure-Go
GopherTrunk: A New Digital Trunking Scanner for RTL-SDR written in Pure-Go

Student Arrested in Taiwan for using SDR and Handheld Radios to Halt Four High Speed Trains with TETRA Hack

The Taipei Times has reported that a 23-year-old university student in Taiwan has been arrested after using a software-defined radio and hand held radio to hack into Taiwan High Speed Rail Corporation's (THSRC) internal radio communications and halt four trains mid-service.

Chinese-language coverage from UDN and Newtalk fills in some details omitted in the English Taipei Times article. The system the student compromised is TETRA, and at 23:23 on April 5, 2026, the student transmitted a "General Alarm" (GA) signal, the highest-priority TETRA alert, which automatically instructs trains in the area to switch to manual emergency braking. Four trains were stopped for 48 minutes. THSRC's radio system has reportedly been in service for 19 years with seven verification layers, but parameters were apparently never meaningfully rotated over that period.

Police describe the suspect as buying an SDR online, connecting it between an antenna and a laptop, capturing THSRC traffic, and decoding the relevant parameters in software, then programming those parameters into one of his eleven handheld radios. A 21-year-old friend also allegedly supplied some critical THSRC parameters. The actual details of the 'hack' aren't entirely clear from the news articles. We suspect that the THSRC TETRA system is simply unencrypted, and that the student was able to spoof a legitimate signal. It's also possible that the THSRC TETRA system used TEA1 encryption, which is known to be broken

Police located the student through a combination of network-side TETRA logs and CCTV. When the THSRC control center called back to verify the alarm, the person on the other end gave contradictory answers and then powered the radio off, prompting THSRC to audit their handheld fleet, confirm every issued radio was accounted for in its storage locker, and report to police that the parameters had been cloned.

Base station logs from the THSRC TETRA infrastructure (which record which sites received the uplink, with multi-site signal strength narrowing the origin) were used to localize the transmission source, and CCTV from around the coverage area was then used to identify the student and trace him to his rental unit. Search warrants on 28 April seized 11 handheld radios, a laptop, and the SDR. 

He is currently out on NT$100,000 (3,200 USD) bail and faces up to ten years under Taiwan's Railway Act and Criminal Code, with an unconvincing "had it in my pocket and accidentally pressed the button" defense.

Stories like this are a reminder that experimenting with operational safety-of-life radio systems carries serious legal consequences. Back in 2016, we covered the case of Dejan Ornig, a Slovenian university student who used an RTL-SDR and the open source Osmocom TETRA decoder to discover that his country's police TETRA terminals were running unauthenticated, despite official documents stating otherwise. After seven years of court hearings, he ended up with a seven-month suspended sentence. More recently, we posted on the End of Train (EoT) vulnerability, where a security researcher demonstrated that an SDR can replicate the unauthenticated braking command on US freight trains.

The Equipment Seized by Police
The Equipment Seized by Police
A Taiwanese High Speed Train (Source: https://en.wikipedia.org/wiki/File:THSR_700T_TR17_20130907.jpg)
A Taiwanese High Speed Train (Source: https://en.wikipedia.org/wiki/File:THSR_700T_TR17_20130907.jpg)
Translated news graphic from https://udn.com/news/story/7315/9475450
Translated news graphic from https://udn.com/news/story/7315/9475450

P25-Survey: A Tool for Scanning and Logging P25 Control Channels with an SDR

Over on GitHub, programmer blantonl has released p25-survey, a Python tool that scans a frequency range with an RTL-SDR, Airspy or HackRF and identifies any P25 control channels present. For each one found, it logs the WACN, System ID, NAC, RFSS ID and Site ID, the full IDEN_UP band plan, neighbor sites with resolved frequencies, and signal quality metrics including RSSI, BER and decode rate.

The tool also has an optional RadioReference cross-reference mode that annotates results with the RR system name and site description, flags frequency offsets versus the database, and generates a Markdown submission report for data not yet in RadioReference. An auto-gain feature sweeps gain values on each confirmed control channel and recommends the optimal setting for your SDR and location based on BER.

P25 Survey Tool
P25 Survey Tool

Tactical_FSK_Modem: An Open Software MFSK Image & Text Modem for PC and Android

Thanks to Ibrahim (YD1RUH), who wrote in to share his open-source open-software project Tactical_FSK_Modem, which turns a standard PC or Android device into an audio-based MFSK transceiver for sending images and text over a radio link. Conceptually similar to SSTV or HF FAX, it adds Hamming (7,4) Forward Error Correction that wraps every 4 data bits into a 7-bit block and repairs single-bit errors in real time, significantly lowering BER in low-SNR conditions. The system forces a hardened 720p vertical resolution for noise resistance, and a 1400 Hz → 1000 Hz → 1400 Hz VIS-like "start melody" handles automatic RX canvas reset and sync with no manual alignment.

Pre-built Windows and Android binaries are available in the repo, and the Android port is probably the most interesting part. Operators can connect a smartphone to HT, ham radio, or an SDR to send tactical images directly from the field. 

We note that while the code is Apache 2.0 licensed, we don't appear to see any source code in the repo, but the .exe and .apk files are available to download. Ibrahim notes that he is actively looking for feedback and collaboration to further improve the system's robustness for tactical and emergency communication use cases.

Licensing Update: Ibrahim has clarified that he mistakenly referred to the project as open-source, but his intention was to actually refer to it as 'open-software'. The software is free, but the source code is not provided.

Tactical FSK Modem UI
Tactical FSK Modem UI

Exploring the Privacy Risks of Tire Pressure Monitoring Systems with RTL-SDR

Tire Pressure Monitoring System (TPMS) privacy concerns are a topic that comes up every now and then. Most modern vehicles have wireless tire pressure sensors that communicate with the vehicle's computer to alert the driver when tire pressure falls below a safety threshold.

The privacy issue is that these TPMS sensors each transmit a unique identifier, so the computer can know which tire is being measured, and not read other vehicles' sensors by mistake. As TPMS is not encrypted in any way, anyone with an RTL-SDR or other similar radio can receive and decode TPMS messages, including the unique identifier. This raises privacy concerns as this can be used to log the presence and movement of individual vehicles. 

A recent academic paper by university researchers showed how researchers deployed simple RTL-SDR + Raspberry Pi-based receivers along a road over a period of 10 weeks. They showed that TPMS transmissions can not only be used to identify, track, and detect the presence and daily routines of individual vehicles, but also to determine the type and weight of the vehicle via pressure readings.  Interestingly, they also note that variations in the weight of an identified vehicle could indicate, for example, whether a truck is loaded or unloaded, or whether there are additional passengers in a car.

The researchers highlight privacy concerns, noting that such data could be collected and sold by data mining companies without the driver's knowledge. 

RTL-SDR + Raspberry Pi for TPMS Monitoring
RTL-SDR + Raspberry Pi for TPMS Monitoring
The TPMS Monitoring Setup
The TPMS Monitoring Setup

Frugal Radio: Beginners Guide to P25 Decoding with the Latest DSD Plus Release

Over on his YouTube channel 'Frugal Radio', Rob has uploaded a comprehensive video detailing how to set up the latest DSD Plus release for P25 Public Safety decoding.

Back in December 2025, we posted about how the DSD Plus team released version 2.547. The release had already been available to DSD Fastlane customers, but it is now available to the public. The new version brings various improvements and features, but it also changes the software signal flow that was used in previous versions.

In the video, Rob explains how to set up the new DSD Plus version, including how to use the new FMP24 demodulator with an RTL-SDR. He then goes on to show the various features, like control channel monitoring mode, getting P25 system data, holding and IDing talkgroups, and setting talkgroup aliases.

HUGE free DSDPlus Update 2026 : Decode P25 Public Safety with your SDR and this beginner guide!

Multimon Pager Decoding on Android

Sarah (aka SignalsEverywhere) has recently released another open-source Android app that enables the multi-signal decoder Multimon-ng to be used on Android. Multimon-ng is a commonly used decoding app, that supports various protocols such as POCSAG/FLEX pagers, as well as DTMF, ZVEI, EAS and more.

The app requires the SDR++ Android app to be running in the background with an SDR like an RTL-SDR connected. The role of SDR++ is to receive the signal and send the demodulated audio over a network connection to the Multimon-NG app, which performs the final decoding.

The app APK can be downloaded from Sarah's website via a minimum $0 donation, or alternatively, built and installed from source.

Multimon-ng on Android!