Category: Digital Signals

Decoding Public Utility Meters with an RTL-SDR

Over on YouTube a talk about decoding water and electricity usage meters with an RTL-SDR has been uploaded from the 2015 Camp++ conference in Hungary. The presenter, Stef writes:

Budapest public utilities started to roll out some new metering devices for water and heating (at least in my block). The plumbers who should install these could not tell me about the privacy protections considered, as I was a bit worried about the things leaking information over radio-waves, so I built a radio and reversed the messages.

The talk shows how the presenter was able to reverse engineer the FSK wireless protocol of his heating meter with help from some patent information that he found on the web. Using a GNU Radio flow graph that he created he was able to extract information such as total energy consumption and temperature readings.

Being a security themed conference, the presenter also discusses some of the security risks associated with wireless meters such as whether or not the meter can be used to detect if someone is currently at home.

The code he wrote and used can be found at https://github.com/stef/smeter and https://github.com/jmichelp/gr-wmbus.

Camp++ 0x7df // stef: Dumbmeters in Public Utilities

An example water meter that could be monitored with an RTL-SDR dongle
An example water meter that could be monitored with an RTL-SDR dongle

Uni-SDR Link: Control SDR Console V2 with Unitrunker

A new program called Uni-SDR Link has just been released. This software allows Unitrunker to control SDR-Console V2.

Unitrunker is software that allows you to follow trunked voice conversations, and SDR-Console V2 is a general purpose receiver, similar to other software such as SDR#. The authors write:

This applications sole purpose is to allow Universal Trunker (aka Unitrunker) to control the tuning frequency of individual VFO’s in SDR Console v2. This is achieved by translating Unitrunker Receiver Control commands into a format accepted by SDR Console. Communication occurs over virtual com / serial ports.

Uni-SDR Link has been tested on Windows 7 & Windows 8 and requires .NET Framework version 4.0 or greater.

Just download & launch. No installation required.

The Uni-SDR-Link.chm file contains help for the application should be placed in the same directory as the Uni-SDR-Link.exe.

 

Trunking with the Latest DSD+ 1.08t Fast Lane Version

DSD+ stands for Digital Speech Decoder Plus and is a software program that can allow you to decode digital voice signals such as P25 and MotoTRBO/DMR. DSD+ is under continual development, and in their last public update they began offering early access to the latest DSD+ features in development through their fast lane subscription. The fast lane subscription costs $10 USD for one year and $25 for unlimited early access. Information about joining the fast lane service can be found in the readme file of the latest DSD+ 1.074 public release.

Over on YouTube user John Miller has been testing the latest early access version DSD+ 1.08t. This new version adds trunking support which allows you to follow conversations. Previously other software like Unitrunker was required to follow the trunking signal. On YouTube John has uploaded a video first showing trunking in action, and a second video showing how to set up DSD+ 1.08t for trunking.

DSDplus 1.08t trunking

DSDplus Trunking Setup 1.08t

Monitoring FBI Surveillance Aircraft with ADS-B and an RTL-SDR

After reading an article by the Washington Post about FBI surveillance aircraft spotted in the air after the West Balimore riots, John Wiseman decided to look for more information about these aircraft. Fortunately, John had on his hands a database of about 2 months of ADS-B data that was collected by his continuously running RTL-SDR + BeagleBone Black ADS-B decoder set up.

From reports on the internet John found out that FBI aircraft squawked with 4414 or 4415 codes, and used call signs like JENNA or JENA. With this information John decided to take a look through his ADS-B logs to see if if he could find anything similar. Out of 15,000 aircraft he had tracked, he found 9 aircraft in his logs that matched the criteria, and saw that they did exhibit suspicious behaviour such as circling over LA for hours at a time. Then by looking up their FAA records of the tail numbers of the suspicious aircraft, he was able to discover that these aircraft where licensed to companies with names like NG Research, OBR Leasing, Aerographics Inc. and PXW Services which are suspected Department of Justice front companies. John also writes:

If you Google the tail numbers of aircraft registered to those companies, you start to find forum and mailing list posts (often at sites that tilt toward paranoid/conspiracy/right wing, but not always) with people discussing these specific tail numbers and linking them to the FBI. Some of the supposed evidence includes details of radio communications that people have heard, e.g. talking about “being on station” or using callsigns that start with JENNA, JENA or ROSS, which are supposedly used by the FBI. Other posts claim that DOJ/FBI surveillance aircraft often squawk 4414 or 4415 on their transponders.

An article from the startribune talks about the surveillance planes and says:

The planes use “persistent wide-area surveillance” to photograph large areas for hours at a time, Stanley said. The captured images allow authorities to go back in time, if necessary, to trace pedestrians and vehicles who come to their attention.

Other devices known as “dirtboxes,” “Stingrays” or “IMSI catchers” can capture cellphone data. Stanley said it’s still unclear what technologies have been used in the surveillance flights.

 

Possible FBI Surviellance Aircraft Path from flightradar24.com
Possible FBI Surviellance Aircraft Path from flightradar24.com

How coax cable loss affects ADS-B reception

Over on YouTube user Adam Alicajic has uploaded a video showing how coax cable loss affects the frame rate when receiving ADS-B. To do this test Adam uses a precision attenuator in between his ADS-B antenna and RTL-SDR dongle to simulate attenuation from coax cable loss. His results show that for every 1 dB of attenuation the frame rate drops by about 10%.

Coax cable loss for common type of cable can be estimated with calculators available at http://www.net-comber.com/cable-loss.html and http://www.arrg.us/pages/Loss-Calc.htm. RG-6 cable has a low loss at 1090 MHz of about 0.23 – 0.32 dB per meter, whereas RG58 has a loss of about 0.5 – 0.6 dB per meter and RG174 (stock antenna cable on most RTL-SDR units) has a greater loss of about 1.2 dB per meter.

Coax length loss contribution to the bad ADS-B reception

New EAS SAME Weather Alert Decoder

Over on Reddit and GitHub user cuppa-joe has released a Python based EAS SAME Alert message decoder called dsame which is compatible with the RTL-SDR. EAS is an acronym for Emergency Alert System and is a system that is most commonly used to alert the public to local weather emergencies such as tornadoes, flash floods and severe thunderstorms.

Local EAS weather alerts are encoded with the SAME (Specific Area Message Encoding) protocol. They are transmitted on the local weather radio frequency in the USA and Canada and some weather radio’s are capable of decoding the EAS SAME data. Cuppa-joe’s dsame EAS decoder outputs full EAS weather messages such as:

The National Weather Service in Pleasant Hill, Missouri has issued a Required Weekly Test valid until 12:30 PM for the following counties in Kansas: Leavenworth, Wyandotte, Johnson, Miami, and for the following counties in Missouri: Clay, Platte, Jackson, Cass. (KEAX/NWS)

To use the software you will still need to use a EAS demodulator such as multimon-ng which is available for Windows and Linux, and you will also need Python 2.7+ installed.

An example EAS SAME alert can be heard in the player below:

Receiving SSTV from FleetSatcom Pirates

Radio pirates often make use of the Fleetsatcom satellites to send and receive slow scan television (SSTV) pictures over a wide distance. Fleetsatcom is a satellite communications system used by the US Navy for radio communications. Since these satellites are simply radio repeaters with no authentication mechanisms, pirates soon discovered that they could take over the satellites for their own use.

Over on YouTube user LEGION ELMELENAS has uploaded a video showing his reception of some pirates transmitting a SSTV image at a Fleetsatcom frequency of 252 MHz. To receive the image he used a home made turnstile antenna, an RTL-SDR dongle, SDR# and the RX-SSTV decoder. The image appears to be a photo of a pirates son.

We previously posted more information about Fleetsatcom SSTV pirates in this post.

SSTV from Satcom satellites. RTL-SDR SDRSharp FLTSATCOM pirates

New Version of Digital Speech Decoder DSD+ 1.071 Released

The latest version of Digital Speech Decoder+ (DSD+) has just been released, bringing it up to version 1.071. There appears to be no changelog, so we are unsure as to what is new, but one obvious change is that they now include a new program called FMP which is a simple NFM demodulator, similar to rtl_fm, although it does have a GUI with point and click tuning. FMP can be used as a replacement for SDR# or similar software, and is especially useful to use on low end devices such as netbooks.

An active discussion on the latest release of this software can be found in this thread on the RadioReference.com forums.

The FMP NFM demodulator tuned to a MotoTRBO signal.
The FMP NFM demodulator tuned to a MotoTRBO signal.

DSD+ is a Windows program which can be used to decode and listen to digital voice protocols such as D-STAR, NXDN4800, NXDN9600, DMR/MotoTRBO, P25 Phase 1, X2-TDMA and ProVoice with an RTL-SDR or other radio. On some DMR systems you may also be able to use the included LRRP software, which allows you to view the GPS locations of broadcasting radios. The last major release was version 1.05.

DSD+ GUI
DSD+ GUI

The DSD+ team are now also offering a “fast lane” early access program, which for a small donation will allow you to have early access to new and upcoming DSD+ features. They aim to release a new update to donators every 7 to 30 days, while stable public releases will continue to be released every 4 to 6 months. The donation costs $10 for one year of early access, and $25 for lifetime updates. Some features they are currently working on include:

  • Better tablet support
  • IDAS/NEXEDGE/Cap+/Con+/TIII trunk voice following
  • Per-call audio recordings
  • Other needed DSD+ upgrades
  • FMP upgrades
    • Squelch
    • Drift tracking
    • Selectable sampling rates
    • Adjustable windows sizes
    • TCP client/server mode (eliminates VAC / VB-C)
    • Multiple VFOs
    • Airspy support