Category: Mobile

SDR++ Android App Public Pre-Release Now Available

SDR++ is an open source program compatible with most software defined radios including the RTL-SDR that has been going through rapid development making it now one of the top software choices.

Yesterday a public 'pre-release' Android version of SDR++ was made available for download. The release is announced as a 'pre-release' due to various bugs still existing. However, we note that we have been testing a private release for the past few weeks, and we can say that it is working great most of the time. The Android App replicates most of the desktop experience perfectly, and it operates very smoothly on most modern devices.

The author Alexandre Rouma writes:

I'm happy to release the first public pre-release of SDR++ for android. It's still quite early and has a few bugs and quirks that you might run into:

  • SDR MUST be plugged in before starting SDR++ and you MUST press refresh in the SDR source you're using before pressing play if you first plugged in the SDR or unplugged/replugged, otherwise expect a crash. The USB handling still needs some work.
  • There are still a few UI glitches
  • There is no easy way to select a path for recording or file for playback
  • The audio sink on Android may have higher latency
  • All menus sometimes close when app goes in the background.
  • Resizing the menu and/or waterfall is kinda fiddly, be precise when trying to grab the resize bar!!!
  • At some size menu sizes, the app crashes. If this happens, start in landscape
  • On Samsung devices, the keyboard doesn't always work for some obscure reason...

MINIMUM REQUIREMENTS:

  • Android 9.0
  • OpenGL 2.1

Since phones usually have a high screen resolution, set the DPI scaling in the Display menu or you'll have a hard time using the app.

Current Device/Protocol Support:

  • Airspy
  • Airspy HF+
  • HackRF
  • PlutoSDR (network only)
  • RFspace
  • RTL-SDR
  • RTL-TCP
  • SDR++ Server
  • SpyServer

In any case, I'd love to get some feedback on it, so feel free to try it out and let me know!

Download Here: https://www.sdrpp.org/

PS: If you like this work, feel free to support me on Patreon, since putting it on the App Store won't be cheap and I want to make sure it's completely free with no ads!

SDR++ Android App Screenshot. Credit: goscickiw https://github.com/AlexandreRouma/SDRPlusPlus/discussions/703

Simple FM Radio and Airband RTL-SDR Android Applications

On the Google Play store developer Knowle Consultants have recently released a new free application called "FM Radio (RTL-SDR)". This is a simple app that allows you to use a connected or remotely networked RTL-SDR to tune into preset broadcast FM stations. People wishing to use an Android enabled head unit in their car may be interested in the app as it makes tuning into broadcast FM stations easy just like it is on a standard radio.

They also have a similar app called "Airband Radio (RTL-SDR)" which provides a similar simple interface for tuning into airband presets.

Knowles Consultants simple Android RTL-SDR FM and Airband Receiver Apps

Dump1090 now Available as an Android App

The company ebcTech who makes AIS Share for Android has recently come out with a new app which is an Android App version of Dump1090. Dump1090 is a popular command line based ADS-B decoder for RTL-SDR dongles which allows you to receive and plot the locations of nearby aircraft on a map.

The app directly accesses the RTL-SDR via a USB OTG connection and provides a list of aircraft with planespotters.net image lookup, and a Google map display. The app is free however there is a message limit on received aircraft which can be unlocked via a low cost in-app purchase.

The author also wrote in and wanted to make a note about a special feature "In the app you can add Airport layers – This consist now 4480 Airports – most of them with corresponding homepage address / or Wikipedia link."

Dump1090 Android App

LibreCellular: Easy 4G Cellular Network with LimeSDR and Intel NUC

We recently came across the LibreCellular project which is aiming to make it easy to implement 4G cellular networks with open source software and low cost SDRs. The project appears to be in the early stages, and seems to be focusing on deploying and modifying existing open source 4G basestation software known as srsRAN which will be used with a particular combination of hardware in order to create a reliable and easy to set up 4G basestation solution.

The reference hardware that they are recommending consists of an Intel NUC single board computer ($699), LimeSDR ($315), LimeRFE front end filtered power amplifier ($699), and Leo Bodnar Mini Precision GPS Reference Clock ($140). All together you can create a 4G basestation for around $1850.

LibreCellular Components for a 4G Basestation: LimeRFE, Leo Bodnar GPS Clock, LimeSDR, Intel NUC.

Radio Spectrum Analysis in Virtual Reality with an RTL-SDR and Google Cardboard

Thank you to José Carlos Rueda for submitting his project called "a-radio: a web virtual reality radio power spectrum analyzer". The idea behind the project is to first use an RTL-SDR together with rtl_power and heatmap.py to generate a heatmap image of the RF spectrum. This image is then projected into a 3D 360 degree view and hosted on a web server via José's script for the a-frame VR web framework, allowing the heatmap to be viewed with a virtual reality (VR) smartphone headset. José' recommends using a cheap VR headset like Google Cardboard which can be used with your Android smartphone. 

José notes that the project is just a proof of concept, but he hopes to inspire future work around the combination of RF and VR.

Virtual Reality Visualization of an RF Spectrum Heatmap.

New RTL-SDR Driver for Android Developers

Android developers have a new RTL-SDR driver wrapper available to use called "RTL-SDR CP Driver". This driver by Evgeni Karalamov is designed to have an additional feature over the current Android RTL-SDR drivers in that it implements client application permission management. The overview reads:

RTL-SDR CP Driver utilises the rtl-sdr codebase and is meant to be kept in sync with the developments there. The provided interface mirrors the functionality of rtl_tcp in an Android way. Instead of via a TCP socket, the communication is carried out through file descriptors returned by a ContentProvider.

Since some potentially sensitive information could be captured through the SDR receivers, like indications of the device location, the RTL-SDR CP Driver implements permission control similar to that of the Android framework. Prior to accessing receivers, client applications have to ask the user for permission to access the driver by starting the driver's permission flow via startActivityForResult. Once the user grants access, their answer is remembered and they are not prompted again. The user has the ability to later revoke the permission from the driver's UI, accessible via the Android launcher.

The actual driver app can be downloaded from the Google Play Store. Note that this doesn't provide any functionality by itself. We will need to wait until apps take advantage of it.

RTL-SDR CP Driver Screenshots

YouTube Guide to Setting up and Running RTLion

RTLion is a software framework for RTL-SDR dongles that currently supports various features such as a power spectrum plot and frequency scanning. The software can run on a Raspberry Pi 3 and all features are intended to be accessed via an easy to use web browser interface, or via an Android app. The software can also be run with Docker, making it useful for IoT applications.

Over on YouTube M Khanfar has uploaded a comprehensive tutorial video explaining how to setup and run the RTLion server software on a Linux computer. He goes on to demonstrate and explain how to use the server via the web interface and also via the RTLion Android app.

 

RTLion Setup and Running Guide

Eavesdropping on LTE Calls with a USRP Software Defined Radio

Ars Technica recently ran a story about how University researchers have been able to eavesdrop on LTE mobile phone calls using a USRP B210 software defined radio which runs the Airscope software. The technique exploits a flaw in how some LTE carriers are implementing their keystream. A keystream is a stream of random data combined with the actual voice data, resulting in encrypted data.

It turns out that many LTE carriers reuse the same keystream when two calls are made within a single radio connection. An attacker can then record an encrypted conversation, then immediately call the victim after that conversation. The attacker can now access the encrypted keystream, and as the keystream is identical to the first conversation, the first conversation can now be decoded. 

The Ars Technica article, the original paper and a website created about the ReVoLTE technique and software go into detail about how the attack works. On the website the team explain the attack in simple terms:

The ReVoLTE attacks exploit the reuse of the same keystream for two subsequent calls within one radio connection. This weakness is caused by an implementation flaw of the base station (eNodeB). In order to determine how widespread the security gap was, we tested a number of randomly selected radio cells mainly across Germany but also other countries. The security gap affected 12 out of 15 base stations.

The ReVoLTE attack aims to eavesdrop the call between Alice and Bob. We will name this call the target or first call. To perform the attack, the attacker sniffs the encrypted radio traffic of Alice within the cell of a vulnerable base station. Shortly after the first call ends, the attacker calls Alice and engages her in a conversation. We name this second call, or keystream call. For this call, the attacker sniffs the encrypted radio traffic of Alice and records the unencrypted sound (known plaintext).

For decrypting the target call, the attacker must now compute the following: First, the attacker xors the known plaintext (recorded at the attacker's phone) with the ciphertext of the keystream call. Thus, the attacker computes the keystream of the keystream call. Due to the vulnerable base station, this keystream is the same as for the target (first) call. In a second step, the attacker decrypts the first call by xoring the keystream with the first call's ciphertext. It is important to note that the attacker has to engage the victim in a longer conversation. The longer he/she talked to the victim, the more content of the previous communication he/she can decrypt. For example, if the attacker and victim spoke for five minutes, the attacker could later decode five minutes of the previous conversation.

The ReVoLTE Attack
Demonstration of the ReVoLTE attack in a commerical LTE network.