Category: Digital Signals

Reverse Engineering a Radio Weather Station with an RTL-SDR

On his blog Josef Gajdysek has posted about his experience with using an RTL-SDR to reverse engineer the radio protocol used by his home weather station. Josef’s weather station is an ISM band device and transmits at 433 MHz. First he opened up GQRX, tuned to his weather station’s transmit frequency of 433.6 MHz and recorded some audio in AM mode. Josef initially assumed that the device would use on-off-keying (OOK) to encode the data. However, when he opened the sound file in Audacity and looked at its waveform he found that the weather station instead used Differential Pulse Position Modulation. In this modulation scheme the distance between pulses determines whether the binary bit is high or low.

Differential Pulse Position Modulation in Audacity

To decode this Josef then wrote a Python script to measure the distance between pulses and thus convert the pulses into a binary string. Then by decoding and analyzing the captured packets he was able to isolate the checksum, temperature, channel, and status flags. Knowing all this information finally allowed him to create a real-time decoder that uses rtl_fm. The Python script can be downloaded from his post.
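The pulse-distance measurement described above, as an added example that is not Josef's script: it finds rising edges in an AM envelope, classifies each pulse-to-pulse distance as a bit, and splits packets on any other distance. The 2 ms and 4 ms distances, the bit mapping, the 0.5 threshold and the constructed test signal are assumptions, not values from the weather station.

```python
# Added illustration: timings and bit mapping are assumptions, not the station's real values.
SHORT_MS, LONG_MS = 2.0, 4.0   # assumed pulse-to-pulse distances for "0" and "1"

def find_pulses(samples, threshold=0.5):
    """Return the sample index of every rising edge in an AM envelope."""
    edges, above = [], False
    for i, s in enumerate(samples):
        now = s >= threshold
        if now and not above:
            edges.append(i)
        above = now
    return edges

def gaps_to_packets(edges, sample_rate, tol=0.25):
    """Classify each pulse-to-pulse distance; any other distance ends the packet."""
    packets, bits = [], []
    for a, b in zip(edges, edges[1:]):
        gap_ms = (b - a) * 1000.0 / sample_rate
        if abs(gap_ms - SHORT_MS) <= tol * SHORT_MS:
            bits.append("0")
        elif abs(gap_ms - LONG_MS) <= tol * LONG_MS:
            bits.append("1")
        else:                      # inter-packet silence or a glitch
            if bits:
                packets.append("".join(bits))
            bits = []
    if bits:
        packets.append("".join(bits))
    return packets

def synth(bits, sample_rate, pulse_ms=0.5):
    """Build a constructed, noise-free envelope for the given bit string."""
    pulse = [1.0] * int(pulse_ms * sample_rate / 1000)
    out = []
    for bit in bits:
        n = int((LONG_MS if bit == "1" else SHORT_MS) * sample_rate / 1000)
        out += pulse + [0.0] * (n - len(pulse))
    return out + pulse             # closing pulse terminates the last gap

def decode(samples, sample_rate):
    """Envelope samples in, list of bit strings (one per packet) out."""
    return gaps_to_packets(find_pulses(samples), sample_rate)

if __name__ == "__main__":
    fs = 48_000
    capture = synth("10110010", fs) + [0.0] * 2000 + synth("0111", fs)
    print(decode(capture, fs))
```

Repeated packets decoded this way can be lined up against known readings to locate fields such as temperature and checksum.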

The weather station transmitter.

AISRec for Android: New AIS Decoder

Back in December last year we posted about Jane feverlay’s work on his software called AISRec, which was a Windows AIS decoder for the RTL-SDR that he had developed.

AIS is an acronym for Automatic Identification System and is a system used by ships to broadcast position and vessel information. By monitoring AIS transmissions with the RTL-SDR we can build a boat radar system. We have a tutorial on this here.

Now from YouTube it looks as though Jane has developed a new Android version of AISRec which he describes as a high performance dual-channel AIS receiver for use with a single RTL-SDR dongle. The features of AISRec include:

1. Functions include AIS and GPS NMEA I/O, from/to USB devices and serial ports (special android devices with serial ports).
2. It supports TCP server and UDP forwarding jointly or independently for AIS and GPS.
3. It supports streaming in WIFI in AP or station modes and Ethernet.
4. It supports auto run on boot for especially rooted devices.

He also writes that AISRec has companion implementations for Windows desktop and metro, Linux on Raspberry Pi 2 and the Radxa pro.

Unfortunately, at the moment there does not seem to be a link available to download the software and the video may only be a preview. The video does link to his Taobao shop at http://shop114459024.taobao.com/ (in Chinese, use Google Translate), which is where he might release the software when it is ready.

Sigmira Decoder now supports the RTL-SDR Directly

Sigmira is a popular free Windows software program which supports decoding of radio modes such as PSK31, RTTY, CW, STANAG 4285, Japanese Slot Machine, FSK, HFDL and M141 as well as standard modes such as NFM, AM, USB and LSB.

Previously Sigmira could be used with the RTL-SDR by piping audio into it from another program such as SDR#. In the latest version that was just released Sigmira now directly supports connecting to the RTL-SDR, allowing for a spectrographic display and point and click tuning. Sigmira also now includes a database with frequencies of over 2000 known signals.

Screenshot of the Sigmira decoding software which now supports the RTL-SDR directly.
Sigmira Signal Database

Listening to an NFC Polling Signal from a Nexus 7 with an RTL-SDR

Over on YouTube user 2e26tenW has uploaded a video showing reception of the second harmonic of an NFC polling signal with his RTL-SDR. NFC stands for “Near Field Communication” and is a technology that enables smartphones and other devices to communicate with one another and some smart cards simply by bringing the two devices together.

In his experiment he uses a Nexus 7 tablet to poll an NFC enabled transportation card. As the RTL-SDR cannot receive the NFC frequency of 13.56 MHz directly without an upconverter or a dongle modified for direct sampling in hardware or software, 2e26tenW instead tunes to the second harmonic at 27.12 MHz, which allows him to receive the signal.

Nexus 7 NFC polling signal (2nd harmonic)

Decoding Differential GPS Beacons with an RTL-SDR, Speclab and SDR#

Over on his blog “RTL-SDR DX” dewdude has been exploring the reception and decoding of Differential GPS (DGPS) signals. DGPS signals are transmitted by government authorities in the long wave band at around 300 kHz. These beacons are used to dramatically improve the accuracy of GPS (Global Positioning System) devices from their default accuracy of about 15 m down to about 10 cm. Unlike GPS signals, which originate from satellites, the DGPS signal is terrestrial and is broadcast from multiple known fixed positions. The signal itself contains information about the difference between the DGPS station’s received GPS position and its known exact position. These differences can be used to correct other GPS receivers that receive the DGPS signal.

By using his RTL-SDR (with upconverter or HF modification) dewdude was able to receive the DGPS beacon in SDR#. Then by piping the output audio into SpectrumLab’s DGPS decoder he was able to decode the data contained within the DGPS signal. His post contains a tutorial showing how to set up SpectrumLab to decode DGPS. If you’re interested in hearing what a DGPS signal sounds like, dewdude has uploaded a sound sample at the bottom of another post of his.

Decoding Differential GPS (DGPS) signals in SpectrumLab

Using a USRP E310 for Digital Video Downlink and Scanning on a Drone

Balint, one of the researchers at Ettus Research (the company behind the USRP range of software defined radios), has recently uploaded a video to YouTube showing one of his projects where he is prototyping the use of a digital signal for transmitting digital FPV video on a drone. The drone carries a USRP E310 SDR and transmits a QPSK video downlink developed in GNU Radio to a receiver on the ground.

FPV stands for “first person view” and is a growing hobby where remote controlled aircraft such as quadcopter drones are flown in first person view using live video from an on board camera.

Drone + SDR: USRP E310 real-time digital video downlink (teaser)

In another video Balint also shows how the on board E310 can be used to transmit frequency scan FFT data via a WiFi link. This can be very useful for getting an antenna up high enough to get good reception for a scan.

Drone + SDR: USRP E310 airborne spectrum monitoring (teaser)

Linux Command Line based Doppler Correction and Demodulation Tools

Programmer Andres has recently been working on creating a toolset for receiving AX.25 packets (FSK 9600) from satellites with an RTL-SDR or other software defined radio. The AX.25 protocol is commonly used for APRS packet radio or telemetry in amateur radio satellites. Andres’ programs follow the UNIX philosophy of piping data between different programs. The toolset consists of Doppler correction and demodulation tools, and the piping philosophy is demonstrated in the following example:

rtl_sdr | doppler | demod | multimon-ng

Andres writes…

rtl_sdr receives raw IQ data from satellites which is then piped to “doppler” which corrects doppler offset. Zero centered baseband signal is piped to “demod” which outputs demodulated audio suitable for multimon-ng to do actual AX.25 packet decoding.

Such a pipeline is intended for resource constrained embedded platforms like RaspberryPi or BeagleBoneBlack where running full blown SDR software would be too much.

The doppler corrector tool works by using the same libraries for calculating satellite positions as those used in Gpredict and the demod tool uses the liquid-dsp library to demodulate the IQ stream.
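What the Doppler correction stage of such a pipeline has to do, as an added example that is not Andres' code: convert the interleaved unsigned 8-bit IQ that rtl_sdr writes into complex samples, then mix them with a complex exponential so a carrier sitting at the Doppler offset lands at 0 Hz. The carrier frequency, range rate, sample rate and test tone are constructed values, and the range rate is given directly rather than computed from orbital elements.

```python
import cmath
import math

C = 299_792_458.0  # speed of light in m/s

def doppler_offset_hz(carrier_hz, range_rate_mps):
    """Received-frequency offset; a positive range rate means the satellite recedes."""
    return -carrier_hz * range_rate_mps / C

def u8_to_iq(raw):
    """Map interleaved unsigned 8-bit I,Q bytes to complex samples in about [-1, 1]."""
    return [complex((raw[i] - 127.5) / 127.5, (raw[i + 1] - 127.5) / 127.5)
            for i in range(0, len(raw) - 1, 2)]

def correct(iq, sample_rate, offset_hz):
    """Mix with exp(-j*2*pi*offset*n/fs) so a signal at +offset moves to 0 Hz."""
    step = -2.0 * math.pi * offset_hz / sample_rate
    return [s * cmath.exp(1j * step * n) for n, s in enumerate(iq)]

def dominant_offset_hz(iq, sample_rate):
    """Estimate the carrier offset from the average phase advance per sample."""
    acc = sum(b * a.conjugate() for a, b in zip(iq, iq[1:]))
    return cmath.phase(acc) * sample_rate / (2.0 * math.pi)

def demo():
    """Return (predicted offset, measured before, measured after) in Hz."""
    fs, carrier, range_rate = 48_000, 437.5e6, -5_000.0  # constructed values
    off = doppler_offset_hz(carrier, range_rate)
    raw = bytearray()
    for n in range(4800):  # constructed tone at the Doppler offset, 8-bit quantised
        s = 0.8 * cmath.exp(2j * math.pi * off * n / fs)
        raw += bytes([round(127.5 + 127.5 * s.real), round(127.5 + 127.5 * s.imag)])
    iq = u8_to_iq(raw)
    return off, dominant_offset_hz(iq, fs), dominant_offset_hz(correct(iq, fs, off), fs)

if __name__ == "__main__":
    print(demo())
```

A real corrector recomputes the offset continuously during a pass, since the range rate changes from approaching to receding as the satellite crosses the sky.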

More information about Andres’ project can be found in these three blog posts that he has written.

Andres also writes that he would be interested in hearing any feedback or pull requests on GitHub for these tools.

How to Receive the Funcube Satellite with an RTL-SDR

Over on the Hamspirit.de blog author Jan has written a post explaining how to receive the FUNcube satellite with an RTL-SDR dongle (note: in German, use Google Translate). The FUNcube is a CubeSat (a low cost miniature 10 cm cube sized satellite) which is intended mainly for educating young people about radio, space, physics and electronics, but has also piqued the interest of amateur radio hobbyists.

Jan first writes how the Funcube Dongle was originally invented as a low cost means of receiving the FUNcube satellite, but now there are the even lower cost RTL-SDR dongles. Jan’s post then goes over how to receive the FUNcube at a frequency of 145.935 MHz using software such as SDR-Radio or SDR# and how to decode the telemetry data using the FUNcube dashboard. He also explains a bit about the FUNcube’s operating modes, which change the satellite’s transmission strength depending on whether its solar panels are in sunlight.

Funcube Telemetry Dashboard