Back in September 2015 we made a post about how Bastian Bloessl was able to use his RTL-SDR dongle to reverse engineer and decode the signals coming from portable wirelessly synchronized traffic lights which are commonly set up around road construction zones.
To reverse engineer these new lights he made a recording of the signals in GQRX and then opened them up in Inspectrum, which is a very nice tool for helping to reverse engineer digital signals. Thanks to Inspectrum he was easily able to extract the preamble and decode the data in GNU Radio.
Bastian has also uploaded a video that shows him reverse engineering the binary frame format in the Vim text editor which may be useful for those wishing to understand how it’s done.
Reversing Frame Format with Vim
Once the frame format was reverse engineered, he was able to use the program he created last year which allows him to view the status of the lights remotely in real time.
First he explains how he used Python to extract the data from the RTL-SDR I/Q samples. From those samples he calculates the amplitude data, and plots it on a graph which shows the digital signal. He then decimates the signal to reduce the number of samples and figures out how to detect the preamble, data bits and packet repetitions. Then to decode the signal he explains how he does clock recovery, convolution and thresholding, and also the importance and meaning of those steps.
If you’re new to reverse engineering signals and don’t have a DSP background, then spenmcgee’s write-up is an excellent starting point. It’s written in a way that even a layman should be able to understand with a little effort. If you have a Lacross TX29 wireless temperature meter that you just want to decode, then his code will also be of use.
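The chain the write-up walks through (amplitude from the I/Q samples, decimation, preamble detection, thresholding, clock recovery), as an added example in plain Python that is not the write-up's code. The sample rate, bit rate, 25 kHz carrier offset and preamble pattern are assumptions, and the I/Q burst is constructed in code rather than recorded.

```python
import cmath
import math
import random

SAMPLE_RATE = 1_000_000               # assumed capture rate (samples/s)
BIT_RATE = 1000                       # assumed OOK symbol rate
DECIM = 50                            # 1000 samples/bit -> 20 samples/bit
PREAMBLE = [1, 0, 1, 0, 1, 0, 1, 0]   # assumed sync pattern

def make_iq(bits, snr_db=20.0, seed=1):
    """Constructed I/Q burst: carrier keyed on for '1', off for '0', plus noise."""
    rng = random.Random(seed)
    sps = SAMPLE_RATE // BIT_RATE
    sigma = 10 ** (-snr_db / 20) / math.sqrt(2)   # noise per I and Q component
    iq = []
    for n, bit in enumerate(b for b in bits for _ in range(sps)):
        tone = cmath.exp(2j * math.pi * 25_000 * n / SAMPLE_RATE)  # 25 kHz off centre
        iq.append(bit * tone + complex(rng.gauss(0, sigma), rng.gauss(0, sigma)))
    return iq

def decimate(x, factor):
    """Average blocks of `factor` samples (a crude low-pass plus downsample)."""
    return [sum(x[i:i + factor]) / factor for i in range(0, len(x) - factor + 1, factor)]

def threshold(env):
    """Mean of the envelope is the 0/1 decision level."""
    level = sum(env) / len(env)
    return [1 if v > level else 0 for v in env]

def clock_recover(hard, sps):
    """One decision per symbol, sampled mid-bit, aligned to the first rising edge."""
    start = next((i + 1 for i in range(len(hard) - 1) if hard[i] == 0 and hard[i + 1] == 1), 0)
    return [hard[i] for i in range(start + sps // 2, len(hard), sps)]

def find_preamble(bits, preamble=PREAMBLE):
    """Index just past the first occurrence of the preamble, or -1 if absent."""
    n = len(preamble)
    for i in range(len(bits) - n + 1):
        if bits[i:i + n] == preamble:
            return i + n
    return -1

def decode(iq):
    """Amplitude -> decimate -> threshold -> clock recovery -> payload bits."""
    env = decimate([abs(s) for s in iq], DECIM)
    bits = clock_recover(threshold(env), SAMPLE_RATE // BIT_RATE // DECIM)
    start = find_preamble(bits)
    return bits[start:] if start >= 0 else []
```

The alignment here is taken once from the first rising edge, which is enough for a short burst at a known rate; a transmitter whose clock drifts needs re-alignment on every edge.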
Earlier this month we posted about “cURLy bOi”’s release of his Windows port of telive. Telive is a popular TETRA decoder created by SQ5BPF which until recently only ran on Linux systems. TETRA is a digital voice radio system used in many countries other than the USA.
Now cURLy bOi has just updated his software adding new Windows GUI features and simplifying the install process. The software and text install instructions can be downloaded from his web server, and the code can be found on GitHub.
In order to show the new features and how to use the software cURLy bOi has also created a tutorial video up on YouTube, which is shown below.
A typical broadcast FM station can sometimes contain “hidden” subcarriers embedded within the main signal. The subcarriers contain data or audio services.
An example of a data subcarrier hidden within broadcast FM is the “Traffic Message Channel” (TMC). The TMC contains traffic data, and is used on GPS devices that advertise as having live traffic capabilities. TMC data is encrypted so that it can be sold, but is very easily broken. Another data service is RDS-RT+ data which transmits song information, for radios that can display it.
An example of a voice subcarrier (SCA/ACS) might be niche radio stations, such as ethnic stations, elevator music, music for doctors’ offices etc. Usually a specialized radio is required to receive an SCA channel. In a previous post we showed how a user was able to receive SCA on Windows.
Over on his blog Gough Lui has been investigating the broadcast FM subcarriers in his home town of Sydney, Australia. In his post he looks at TMC, RDS-RT+ and SCA subcarriers and explains a bit about what they are and how they work. He also goes on to receive and decode the subcarriers with an RTL-SDR, gr-rds and GNU Radio. While Gough doesn’t bother to decrypt the TMC service, he can still see when an event occurs and what the event was. Without decryption he just doesn’t know where the event is located. For SCA he wrote a GNU Radio program to extract the audio subcarrier and was able to decode audio from a local Indian station for migrants.
Oona Räisänen is an RF hacker and enthusiast who has in the past brought us posts about decoding burger pagers in restaurants, decoding wireless bus signs and FM-RDS with SDRs like the RTL-SDR. This time she has written an interesting post that shows how she can “fingerprint” radio transmitters by analysing their CTCSS transmissions. CTCSS is short for “Continuous Tone-Coded Squelch System” and is a low-frequency tone added to some transmissions in handheld radio systems shared by several distinct groups. The CTCSS tone prevents users of a shared system from having to listen to other users talking if they are not part of the same group with the same CTCSS tone frequency. CTCSS provides no means for actually individually identifying a radio.
Frequency vs power heatmap identifying 8 different radios.
With the individual radios identifiable by their cluster centers, each cluster can be assigned a name. Now each subsequent transmission can be compared to each cluster center, and assigned to the closest matching cluster, thus matching a new unknown transmission with a known radio. This makes it easier for someone listening in with no context to follow a conversation.
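The cluster-centre matching described above, as an added example that is not Oona's code. It assumes each transmission has already been reduced to two measurements, tone frequency in Hz and tone level in dB; the labelled training values and the distance cut-off are constructed for illustration, and a transmission far from every centre is reported as unknown rather than forced onto the nearest radio.

```python
import math

# Constructed labelled transmissions: (tone_hz, level_db, radio name)
TRAINING = [
    (100.02, -14.9, "radio A"), (100.03, -15.1, "radio A"), (100.01, -15.0, "radio A"),
    (100.20, -12.8, "radio B"), (100.19, -13.0, "radio B"), (100.21, -12.9, "radio B"),
    (99.85, -17.4, "radio C"), (99.86, -17.6, "radio C"), (99.84, -17.5, "radio C"),
]

def cluster_centres(samples):
    """Mean (tone_hz, level_db) of every labelled cluster."""
    sums = {}
    for hz, db, name in samples:
        s = sums.setdefault(name, [0.0, 0.0, 0])
        s[0] += hz
        s[1] += db
        s[2] += 1
    return {name: (s[0] / s[2], s[1] / s[2]) for name, s in sums.items()}

def feature_scale(samples):
    """Per-feature spread, so 0.1 Hz and 1 dB count comparably (assumed choice)."""
    def spread(vals):
        m = sum(vals) / len(vals)
        return math.sqrt(sum((v - m) ** 2 for v in vals) / len(vals)) or 1.0
    return spread([s[0] for s in samples]), spread([s[1] for s in samples])

def classify(hz, db, centres, scale, max_dist=1.0):
    """Nearest cluster centre in scaled space; 'unknown' if nothing is close enough."""
    best, best_d = "unknown", math.inf
    for name, (chz, cdb) in centres.items():
        d = math.hypot((hz - chz) / scale[0], (db - cdb) / scale[1])
        if d < best_d:
            best, best_d = name, d
    return (best if best_d <= max_dist else "unknown"), round(best_d, 3)

def match_transmission(hz, db):
    """Train on the constructed table and label one new measurement."""
    centres = cluster_centres(TRAINING)
    return classify(hz, db, centres, feature_scale(TRAINING))
```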
TETRA is a type of digital voice and trunked radio communications system that stands for “Terrestrial Trunked Radio”. It is used heavily in many parts of the world, except for the USA. Telive is a decoder for TETRA which is compatible with RTL-SDR dongles, and has been around and in use for almost 2 years now. If you have unencrypted TETRA signals available in your area it can be used to listen in on them.
However, now a TETRA experimenter by the handle of “cURLy bOi” has released a new prototype of a telive modification that works on Windows systems. It makes use of the GNU Radio for Windows development. The telive Windows file can be downloaded from curly’s webserver. His readme file shows how to install and use the software and it reads:
This has been put together as lowest-effort configuration to run telive on Windows system. I have also optimized to process (for example adding the CQPSK block to GRC since the python code in the original telive package is IN FACT some unused part of GNU Radio)
Warning:
This package contains pre-compiled binaries that work on my 64-bit system. I have compiled them inside the M-SYS2 package. If you don’t trust me, you can follow the installation guide from telive docs, just be prepared you are going to need a lot of packages for the M-SYS2 (pacman -S gcc automake git wget, etc.)

Install:
1) Download GNU Radio for Windows from http://www.gcndevelopment.com/gnuradio/downloads.htm and install
2) Copy contents of gnuradio_mod to c:\Program Files\GNURadio-3.7\
3) Download and install M-SYS2 from https://sourceforge.net/projects/msys2/ and install
4) Copy contents of msys_root to your M-SYS2 installation directory
5) Download FFmpeg for Windows (64-bit Shared) from https://ffmpeg.zeranoe.com/builds/ and extract everything from bin to usr\bin in your M-SYS2 installation directory
6) In M-SYS2 shell execute “pacman -S socat”
7) Get GNU Radio Companion (GRC) projects from original telive package at https://github.com/sq5bpf/telive/tree/master/gnuradio-companion (only udp or xmlrpc, pipes won’t work)
8) Open whatever GRC project you want to use and edit it:
– Delete the link between (all) Fractional Resampler and UDP Sink
– From the modules on the right (ctrl-f to search) drag CQPSK Demod to project (If you don’t see CQPSK Demod then you have messed up #2)
– Connect Fractional Resampler -> CQPSK Demod -> UDP Sink
– Change UDP Sink Input Type to Float in its properties
– Save

Use:
1) Open GRC project of your choice (already with the CQPSK Demod box)
2) Use the Project/Execute to run the project from the GRC – OR – If you had headless (without GUI) project, use Project/Generate option to generate top_block.py file in the GRC project directory. Then open GNURadio Command Prompt from Start menu, then use this command: c:\Program Files\GNURadio-3.7\gr-python27\python.exe -u c:\path\to\grc\project\top_block.py This will enhance performance.
3) Open new M-SYS2 shell for every channel in that project and execute command “receiver1udp X” where X is the number of each channel in GRC project
4) Open new M-SYS2 shell, resize it to 203×60 and execute:
– cd /tetra/bin
– ./rxx OR ./rxx_xmlrpc (if you are using XMLRPC GRC project)
You can edit these files to match your preferences
5) That’s it, should work.
Note that we have not tested this out ourselves yet and can’t guarantee the file safety or that it works, but we have no reason to believe that it wouldn’t be safe or not work.
Earlier in the month we posted about the “Unallocated Space” free four week class on signal analysis taking place in the Baltimore-DC area. The course has now started and they are live streaming the lectures and saving them on YouTube. The first two classes have already passed, and two videos are uploaded.
The first class went over installing the RTL-SDR as well as showing a few examples of decoding some signals. The second class covers various modulation types and digital encoding schemes. They show how to learn how to identify various digital signals by listening to them and viewing them on the waterfall. The class slides are also available on links placed in the video description.
The third and fourth classes have not yet streamed. The third class will be live streamed on October 4, 7PM local time. Visit their YouTube channel for the videos.
Recently nullwolf (T.J. Acton) wrote in to let us know about a very useful wrapper for Inspectrum that he has created, called DSpectrum. Inspectrum is a Linux/Mac-based tool that makes it very easy to extract a binary string from a digital transmission, which can be recorded with any SDR like an RTL-SDR. DSpectrum builds on Inspectrum and further automates the reverse engineering process. He writes:
The wrapper [DSpectrum] assesses the amplitude measurements, or frequency shifts, that are reported by Inspectrum. The wrapper uses the average of the provided values as a threshold. When a cell’s value falls below the threshold, the wrapper determines that the value is a binary ‘0’, and when it is above the threshold, it records the value as a ‘1’. It then returns this raw binary data as output, in addition to the binary’s hex and ascii translations.
…
Another two features were included: the semi-automatic comparison of two portions of a transmission in the same file, and the semi-automatic comparison of two signals in separate files.
Nullwolf notes that with DSpectrum the time taken for him to reverse engineer signals has dropped from 1 hour down to 5 minutes in some cases.
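The mean-threshold decoding and the two-capture comparison that nullwolf describes, as an added example that is not DSpectrum's code. The per-symbol amplitude readings are constructed so that the two captures spell short byte strings; MSB-first bit packing is an assumption.

```python
# Constructed per-symbol amplitudes, as Inspectrum would report them, for two
# captures of the same frame: "Hi" (0x48 0x69) and a second one whose last
# byte changed to 0x6B, the kind of diff a button or counter field produces.
CAPTURE_A = [0.09, 0.91, 0.08, 0.07, 0.93, 0.06, 0.05, 0.08,
             0.07, 0.92, 0.94, 0.06, 0.90, 0.07, 0.06, 0.95]
CAPTURE_B = [0.08, 0.90, 0.09, 0.08, 0.91, 0.07, 0.06, 0.09,
             0.06, 0.93, 0.91, 0.07, 0.92, 0.06, 0.94, 0.96]

def to_bits(values):
    """Mean of the readings is the decision level: below -> '0', above -> '1'."""
    level = sum(values) / len(values)
    return "".join("1" if v > level else "0" for v in values)

def bits_to_hex(bits):
    """Pack the bit string MSB-first into bytes; a ragged tail is zero-padded."""
    padded = bits + "0" * (-len(bits) % 8)
    return bytes(int(padded[i:i + 8], 2) for i in range(0, len(padded), 8)).hex()

def bits_to_ascii(bits):
    """Printable bytes as characters, everything else as '.'."""
    raw = bytes.fromhex(bits_to_hex(bits))
    return "".join(chr(b) if 32 <= b < 127 else "." for b in raw)

def decode(values):
    """Raw binary plus its hex and ASCII translations for one capture."""
    bits = to_bits(values)
    return {"bits": bits, "hex": bits_to_hex(bits), "ascii": bits_to_ascii(bits)}

def compare(bits_a, bits_b):
    """Bit positions where two captures differ, plus a '^' marker line that
    lines up under the bit strings when printed beneath them."""
    n = min(len(bits_a), len(bits_b))
    diff = [i for i in range(n) if bits_a[i] != bits_b[i]]
    marker = "".join("^" if i in diff else " " for i in range(n))
    return diff, marker

if __name__ == "__main__":
    a, b = decode(CAPTURE_A), decode(CAPTURE_B)
    positions, marker = compare(a["bits"], b["bits"])
    print(a["bits"], a["hex"], a["ascii"])
    print(b["bits"], b["hex"], b["ascii"])
    print(marker, "differs at", positions)
```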