Category: Digital Signals

Reverse Engineering the RF Communications on a 27 MHz RC Toy with an RTL-SDR and GNU Radio

On his blog, Jacob has recently uploaded an interesting post showing how he used an RTL-SDR to reverse-engineer the 27 MHz RF communications protocol used by his kids' RC toy truck.

To reverse engineer the protocol, Jacob used GNU Radio to visualize and demodulate the signal. He discovered that it was modulated via Amplitude Shift Keying (ASK), and viewing the waveform in a time-domain plot confirmed the on-off nature of the signal. Next, using symbol sync and thresholding blocks, he generated a bit pattern, which was then processed using Python.
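The envelope-threshold-sample chain described above, written out as a small added example (this is not Jacob's code or his GNU Radio flowgraph): construct a noisy on-off keyed I/Q burst, smooth its magnitude, slice it at a fixed threshold, lock to the first rising edge and sample once per symbol, then collapse the bits into pulse lengths. The sample rate, symbol rate and test pattern are assumptions for illustration; in practice you read them off the time-domain plot.

```python
# Added example (not Jacob's code): decode an on-off keyed (ASK) burst from
# complex baseband samples with a smoothed envelope, a fixed threshold and
# mid-symbol sampling. SAMPLE_RATE, SYMBOL_RATE and the test pattern are
# assumptions for illustration; measure the real ones from the capture.
import math
import random

SAMPLE_RATE = 48_000                 # assumed baseband rate after decimation
SYMBOL_RATE = 1_000                  # assumed; the shortest pulse in the plot
SPS = SAMPLE_RATE // SYMBOL_RATE     # samples per symbol


def make_ook_iq(bits, snr_db=20.0, seed=1):
    """Construct I/Q samples: carrier present for a 1, absent for a 0, plus noise.
    A small residual frequency offset keeps the tone from being a flat DC level,
    as in a real capture that is tuned slightly off the carrier."""
    rng = random.Random(seed)
    noise = 10 ** (-snr_db / 20)
    iq, n = [], 0
    for b in bits:
        for _ in range(SPS):
            ph = 2 * math.pi * 0.05 * n          # 0.05 cycles/sample offset
            amp = 1.0 if b else 0.0
            iq.append(complex(amp * math.cos(ph) + rng.gauss(0, noise),
                              amp * math.sin(ph) + rng.gauss(0, noise)))
            n += 1
    return iq


def envelope(iq, smooth=SPS // 4):
    """|sample|, then a moving average over `smooth` samples to suppress noise."""
    mag = [abs(s) for s in iq]
    out, acc = [], 0.0
    for n, m in enumerate(mag):
        acc += m
        if n >= smooth:
            acc -= mag[n - smooth]
        out.append(acc / min(n + 1, smooth))
    return out


def hard_decisions(env):
    """Slice halfway between the quietest and loudest level seen in the burst."""
    thr = (max(env) + min(env)) / 2
    return [1 if e > thr else 0 for e in env]


def symbol_sync(hard, sps=SPS):
    """Lock to the first rising edge, then sample once per symbol at mid-symbol.
    A minimal stand-in for a GNU Radio symbol sync block; assumes the burst is
    preceded by silence so the first edge is a real one."""
    start = next((i for i in range(1, len(hard)) if hard[i] and not hard[i - 1]), None)
    if start is None:
        return []
    return [hard[i] for i in range(start + sps // 2, len(hard), sps)]


def decode_ook(iq):
    """Full chain: envelope -> threshold -> symbol-rate bits."""
    return symbol_sync(hard_decisions(envelope(iq)))


def runs(bits):
    """Collapse bits into (level, length) pulses: the view you line up against
    button presses on the remote to work out which pattern means what."""
    out = []
    for b in bits:
        if out and out[-1][0] == b:
            out[-1] = (b, out[-1][1] + 1)
        else:
            out.append((b, 1))
    return out


if __name__ == "__main__":
    # Constructed test pattern: two symbols of silence, then a short burst.
    pattern = [0, 0, 1, 0, 1, 1, 0, 0, 0, 1, 1, 1, 0, 1]
    bits = decode_ook(make_ook_iq(pattern))
    print("bits  :", "".join(map(str, bits)))
    print("pulses:", runs(bits))
```

The moving average delays the edges by a few samples, which is why sampling at mid-symbol rather than at the edge matters; a real toy signal also tends to repeat each frame while a button is held, so comparing `runs()` output across presses is usually enough to separate the preamble from the command bits.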

Reverse Engineering the RC Toy Truck 27 MHz Signal

Creating an Open Source DMR Transceiver with a LimeSDR Mini

Thank you to Adrian Musceac for writing and sharing his article detailing how he implemented an open-source DMR (Digital Mobile Radio) transceiver modem with his LimeSDR Mini and GNU Radio.

DMR is a digital voice communications protocol often used by commercial business band radios, as well as by amateur radio hobbyists.

Adrian explains:

I wrote an article about the implementation of an open-source DMR transceiver using the LimeSDR-mini, GNU Radio and Codec2, which could be used for SDR experiments.

The DMR modem was designed to work both in repeater and direct (DMO) mode, and supports voice and other basic features of the ETSI TS 102 361-1 standard.

In the article there is discussion about aspects of the TDMA transmission, time synchronization, as well as how David Rowe's Codec2 can be used to replace the default vocoder.

The work builds upon Jonathan Naylor's extensive DMR implementation which a large number of amateur radio operators are using as part of MMDVM.

DMR TX Flowgraph
Transmitting DMR with the LimeSDR-mini

Saveitforparts: Snooping on the SatGus Selfie Satellite

SatGus is a recently launched cubesat owned by CrunchLabs/Mark Rober, an extremely popular science and engineering YouTuber. The satellite carries a screen and a selfie camera: a CrunchLabs customer's submitted photo is displayed on the screen and photographed in orbit. The resulting image is then broadcast back down to a CrunchLabs ground station, from where it is eventually emailed to the customer, who can then claim to have had their selfie taken in space.

Over on the saveitforparts YouTube channel, Gabe has been attempting to listen in on the SatGus downlink using a HackRF and a motorized satellite dish setup. SatGus transmits telemetry at 400.2 MHz and the payload dump at 2,262.5 MHz. While he is able to receive the signal, Gabe notes that it is encrypted, so not much can be done with it.

Snooping On SatGus Again

TechMinds: Building an Automated NavTex Receiver using a Raspberry Pi and SDRplay

Over on the TechMinds YouTube channel, Matt has uploaded a video tutorial showing how to create an automated NavTex receiver using a Raspberry Pi and an SDRplay software-defined radio.

NavTex is a safety and navigational information radio text broadcast system for mariners, typically broadcast at 518 kHz and 490 kHz. On ships, it is typically received by dedicated hardware that prints out information on a piece of paper as it comes in. However, with an appropriate antenna and an SDR, it is possible to receive and decode NavTex signals at home. 

In his video, Matt shows how a Raspberry Pi loaded with a piece of software created by "boat-comm" can be combined with an SDRplay RSPdx to create a homemade automated NavTex receiver. Matt shows how to install the software and goes on to demonstrate it in action.

Currently, only SDRplay receivers are supported by boat-comm's software, but it's possible that other SDRs may be supported in the future, too.

Automated NavTex Receiver Using A Raspberry Pi & SDRPlay SDR

If you're interested, boat-comm also has a video about his software available on his YouTube channel and we've embedded his video below.

NAVTEX on raspberrypi for sailors

CCC Conference Talk: Investigating the Iridium Satellite Network

Over the years, we've posted numerous times about the work of “Sec” and “Schneider,” two information security researchers who have been investigating the Iridium satellite phone network using SDRs. Iridium is a constellation of 66 satellites in low Earth orbit that supports global voice, data, and messaging services.

In a talk at the Chaos Computer Club (CCC) 2024 conference, they provided updates on their work. The recorded video of their talk has recently been uploaded to YouTube.

The Iridium satellite (phone) network is evolving and so is our understanding of it. Hardware and software tools have improved massively since our last update at 32C3. New services have been discovered and analyzed. Let's dive into the technical details of having a lot of fun with listening to satellites.

We'll cover a whole range of topics related to listening to Iridium satellites and making sense of the (meta) data that can be collected that way:

  • Overview of new antenna options for reception. From commercial offerings (thanks to Iridium Time and Location) to home grown active antennas.
  • How we made it possible to run the data extraction from an SDR on just a Raspberry Pi.
  • Running experiments on the Allen Telescope Array.
  • Analyzing the beam patterns of Iridium satellites.
  • Lessons learned in trying to accurately timestamp Iridium transmissions for future TDOA analysis.
  • What ACARS and Iridium have in common and how a community made use of this.
  • Experiments in using Iridium as a GPS alternative.
  • Discoveries in how the network handles handset location updates and the consequences for privacy.
  • Frame format and demodulation of the Iridium Time and Location service.
38C3 - Investigating the Iridium Satellite Network

DragonBridge: Streaming IQ Data Over 802.11ah HaLow via Two Relay Drones

Aaron, creator of DragonOS, has uploaded a video on his YouTube channel showing him testing out long-range communications via 802.11ah Wireless Networking and a T-HaLow bridge on two drones. 802.11ah (aka HaLow) is a WiFi protocol designed for long range IoT communications of up to 1 km (without obstructions).

In the video, Aaron attempts to stream IQ data with SDR++ over 802.11ah HaLow from a Pi + KrakenSDR operating over 1.6km away. The communication is established via two drones in the air that act as a relay bridge between the two ground stations. Although there are issues with keeping the connection stable, these experiments serve as a great first test of this capability.

Join me on an exciting month long+ journey as I push the boundaries of wireless communication using the Lilygo T-HaLow 802.11ah devices in bridge mode! In this video, I demonstrate how I successfully established an SSH connection from my laptop, across six T-HaLow units—some mounted on two drones and others on the ground—to a Raspberry Pi ground station equipped with DragonOS pi64 and a KrakenSDR.

What You'll See:

Innovative Network Setup: I configured three pairs of T-HaLow units, each pair consisting of an access point and a client. The first pair connected my laptop to the first drone. On each drone, I bridged two T-HaLow units via Ethernet, effectively creating a relay system. The second pair connected the two drones, and the third pair linked the second drone to the ground station Raspberry Pi.

Successful Long-Distance Communication: By the third attempt, I achieved a stable ping across the entire bridge and streamed IQ data from the SDR++ server on the Raspberry Pi to the SDR++ client on my laptop—over a distance of 1.6 km between drones!

Challenges and Triumphs: Experience the hurdles I faced, from connectivity issues to environmental obstacles, and how perseverance led to a successful connection.

Stunning Aerial Footage: Enjoy breathtaking drone shots that not only showcase the technology but also add a visual treat to the technical journey.

Why This Matters:

This project highlights the potential of increasing the standoff distance between equipment using 802.11ah technology, also known as Wi-Fi HaLow. Operating in the sub-1 GHz unlicensed bands, 802.11ah offers extended range and improved propagation through obstacles compared to traditional Wi-Fi frequencies. It's designed for low-power, long-range connectivity with lower power consumption—ideal for IoT applications, remote deployments, and innovative projects like this DragonBridge.

Equipment Used:

Building the DragonBridge: Long-Range 802.11ah Wireless Networking with Drones and T-HaLow Devices

mmng-ui: A Text User Interface for Multimon-NG

Thank you to Jason for writing in and sharing his recently released software "mmng-ui", a TUI (text user interface) for Multimon-NG. If you were unaware, Multimon-NG is multipurpose decoder software for the RTL-SDR and other SDRs that can decode pager protocols like POCSAG and FLEX, as well as other common protocols such as EAS, AFSK, FSK9600, DTMF, CW and more.

mmng-ui is a front end for Multimon-NG that allows you to view pager messages in a clean-looking text interface. mmng-ui listens on a chosen UDP port for raw streams from software like SDR++, passes that to Multimon-NG, and then displays the results.
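Before a front end like mmng-ui can display or filter anything, it has to turn multimon-ng's text output into structured records. The following is an added example of that step, not mmng-ui's own code: a parser for the POCSAG lines multimon-ng prints, plus a stream filter that watches a set of addresses and drops exact repeats. The line layout is written from my understanding of multimon-ng's POCSAG output, and the sample lines are constructed, not a real capture; check the regex against a live decode from your own build before relying on it.

```python
# Added example (not mmng-ui's code): parse multimon-ng POCSAG output lines
# into records and filter a stream of them. Line layout is an assumption
# based on multimon-ng's POCSAG decoder; SAMPLE_OUTPUT is constructed.
import re
from dataclasses import dataclass
from typing import Iterable, Iterator, Optional, Set

# "POCSAG1200: Address: 1234567  Function: 0  Alpha:   text" or
# "POCSAG512: Address:  123456  Function: 2  Numeric: 123-456" or, for a
# tone-only page, just the address and function with no message part.
POCSAG_LINE = re.compile(
    r"^POCSAG(?P<baud>512|1200|2400):\s+Address:\s*(?P<addr>\d+)"
    r"\s+Function:\s*(?P<func>[0-3])"
    r"(?:\s+(?P<kind>Alpha|Numeric):\s*(?P<text>.*))?\s*$"
)


@dataclass(frozen=True)
class Page:
    baud: int
    address: int
    function: int
    kind: str          # "Alpha", "Numeric" or "Tone" (address-only page)
    text: str


def parse_line(line: str) -> Optional[Page]:
    """Return a Page for a POCSAG line, or None for anything else multimon-ng
    prints (startup banner, other decoders, garbage from noise)."""
    m = POCSAG_LINE.match(line.rstrip("\r\n"))
    if not m:
        return None
    kind = m.group("kind") or "Tone"
    text = (m.group("text") or "").rstrip()
    return Page(int(m.group("baud")), int(m.group("addr")),
                int(m.group("func")), kind, text)


def parse_stream(lines: Iterable[str],
                 watch: Optional[Set[int]] = None) -> Iterator[Page]:
    """Yield parsed pages, optionally only for a watched set of addresses,
    skipping exact repeats (pagers are often sent the same page more than once)."""
    seen = set()
    for line in lines:
        page = parse_line(line)
        if page is None:
            continue
        if watch is not None and page.address not in watch:
            continue
        key = (page.address, page.kind, page.text)
        if key in seen:
            continue
        seen.add(key)
        yield page


# Constructed sample of what multimon-ng writes to stdout (not a real capture).
SAMPLE_OUTPUT = """Enabled demodulators: POCSAG1200
POCSAG1200: Address: 1234567  Function: 0  Alpha:   Test page from the site
POCSAG1200: Address:  200100  Function: 2  Numeric: 555-0100
POCSAG1200: Address: 1234567  Function: 0  Alpha:   Test page from the site
POCSAG1200: Address:  200200  Function: 1
""".splitlines()


if __name__ == "__main__":
    for page in parse_stream(SAMPLE_OUTPUT):
        print(f"{page.baud:>4} {page.address:>8} F{page.function} "
              f"{page.kind:<7} {page.text}")
```

In the real pipeline the `lines` iterable would be the stdout of a `multimon-ng` process fed with the raw audio arriving on the UDP port, and the watched-address set is what you would hook up to a highlight or alert rule in the TUI.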

The mmng-ui Text User Interface

Exploring HD Radio and Other Signals While on Holiday

Over on his YouTube channel, Simon has uploaded a video showing how, while on holiday, he explored the various HD Radio stations available around the USA.

If you are in the USA, you might recognize HD Radio (aka NRSC-5) signals as the rectangular-looking bars on the frequency spectrum that surround common broadcast FM radio signals. These signals are found mainly in the USA, and they carry digital audio data that can be received by special HD Radio receivers. Back in 2017, a breakthrough in HD Radio decoding for SDRs like the RTL-SDR was achieved by Theori, who pieced together a full HD Radio software audio decoder that works in real time. Nowadays you can use software like HDFM - HD Radio GUI to easily receive HD Radio with an RTL-SDR.

In his video, Simon shows the various HD Radio signals he found while on holiday, and also shows some of their secondary features, including traffic data and weather radar maps. Interestingly, he also spots HD Radio in the AM bands, but finds the signal is not strong enough to decode.

The rest of the video explores other signals he finds such as a studio link, and TV audio signals.

I Found Some CRAZY Radio Technology while Traveling!