Category: RTL-SDR

A Homebrew All-In-One RTL-SDR with Screen and Control Knobs Running on a Mini PC

Over on YouTube user Pablo Sala (KI7OJL) has uploaded a video that shows a neat all-in-one receiver build based on an RTL-SDR. Pablo's build runs on a Pipo x8 Mini PC which is a US$110 PC/tablet that includes a build in LCD touch screen. The build also adds several Arduino powered control knobs for tuning, mode and bank selection, squelch and volume to the base. The knobs directly interface with HDSDR, his chosen software.

The video titles are dated 2017, but the video only seems to have been uploaded recently. Unfortunately we weren't able to find much more information about this build, other than the video.

Homebrew: RTL-SDR Receiver with Arduino-powered knobs on a Pipo X8 Mini PC running HDSDR, May 2017

DEF CON 27 SDR Talks: Antennas for Surveillance, Ford Keyfob Hack, Smart TV Wireless Side Channel Attack

Talks from this years DEF CON 27 conference which was held back in August are now available on YouTube. DEFCON is a yearly conference that a focuses on information security topics and often includes talks about SDRs and other wireless radio topics too. In particular we wanted to highlight the the DEF CON 27 Wireless Village playlist which contains numerous talks related to wireless, radio and SDRs.

Most talks from the wireless village relate to WiFi, but one talk with some very useful information that we really enjoyed was "Antennas for Surveillance" by Alex Zakhorov. 

We will cover the various kinds of antennas available to optimized your SDR radio for different types of spectrum monitoring. We will also explain why RF filters are necessary on most SDR's and when Low Noise Amplifiers help, and when Low Noise Amplifiers hurt reception.

DEF CON 27 Wireless Village - Alex Zakhorov - Antennas for Surveillance

Another interest talk was called "The Ford Hack Raptor Captor video" by Dale Wooden (Woody) where he shows how he used an RTL-SDR and HackRF to hack a Ford car key fob. If you're interested we wrote about the Hak5 videos on this hack in a previous post.

This talk will show flaws with development of security protocols in New Ford key fobs. This will exploit several areas. The ability for a denial of service to the keyfob WITHOUT jamming. How to trick the vehicle into resetting its rolling code count. How to lock, unlock, start, stop, and open the trunk of ford vehicles using a replay attacked after resetting rolling code count. How to find the master access code for Fords keypad to bypass security. This talk will also demonstrate how to reset your key fobs if they are attacked by a deauth attack. We will also demonstrate gnu-radio script to automate RF collection of Ford key fobs. As seen on HAK5 episodes 2523-2525

DEF CON 27 Wireless Village - Woody - The Ford Hack Raptor Captor video

Outside of the Wireless village there were also some interesting SDR topics including this talk titled "SDR Against Smart TVs URL Channel Injection Attacks" by Pedro Cabrera Camara. If you're interested we also wrote about Pedro's work in a previous post.

Software-defined-radio has revolutionized the state of the art in IoT security and especially one of the most widespread devices: Smart TV. This presentation will show in detail the HbbTV platform of Smart TV, to understand and demonstrate two attacks on these televisions using low cost SDR devices: TV channel and HbbTV server impersonation (channel and URL injection). This last attack will allow more sophisticated remote attacks: social engineering, keylogging, crypto-mining, and browser vulnerability assessment.

DEF CON 27 Conference - Pedro Cabrera Camara - SDR Against Smart TVs URL Channel Injection Attacks

Networked Radio Direction Finding with KerberosSDR and RDFMapper

We've just uploaded a short Python script to GitHub that allows radio direction bearings from a KerberosSDR to be used with the RDF Mapper software created by Jonathan Musther. RDF Mapper is a (~US$25) program that was initially written for the RDF42, a kit based doppler direction finding system. RDFMapper runs on Windows/MacOS and Linux.

KerberosSDR is our experimental 4-Tuner Coherent RTL-SDR product made in collaboration with Othernet. It can be used for applications such as radio direction finding and passive radar. Currently it's available for US$149 on the Othernet store.

The RDF Mapper software allows you to upload bearings from multiple devices distributed around a city to a public RDF server, and view all the bearings on any internet connected PC. This can allow you to quickly triangulate the location of a transmitter.

Normally you would use RDFMapper combined with an RDF42 to upload bearings, but we've written a simple script that can be used to upload bearings generated by a KerberosSDR onto the server. The RDFMapper software can then be used to visualize those bearings.

The script is based on Python, and can run directly on the Pi 3/4 or Tinkerboard that is running the KerberosSDR, or on another PC that can see the KerberosSDR bearing server if you prefer.

Instructions are available on the GitHub page. Simply set unique station names for each of your distributed units, entry your lat/lon and fixed direction bearing. Then on the RDF Mapper software open the 'Web upload/download' tab and add the unique station ID name. All the other tabs for connecting to a GPS and serial port can be ignored, as those are used for the RDF42.

This script will only work for stationary KerberosSDR units as the lat/lon is fixed. If you want to try radio direction finding in a vehicle, we recommend using our Android App for a better experience. If there is interest, we may also add support for the Android app to upload to an RDFMapper server for mobile bearing uploads. 

Notes: RDFMapper runs on the system's default browser and it needs to run in either Chrome or Firefox to work. IE does not work. It also appears that Jonathan processes orders manually, so we just want to note that there may be a delay between payment and receiving the software.

RDF Mapper Software. Data from networked units.
RDF Mapper Software. Plotting bearing data from networked units.

cuSignal: Easy CUDA GPU Acceleration for SDR DSP and Other Applications

The RAPIDS cuSignal project is billed as an ecosystem that makes enabling CUDA GPU acceleration in Python easy. Scipy is a Python library that is filled with many useful digital signal processing (DSP) algorithms. The cuSignal documentation notes that in some cases you can directly port Scipy signal functions over to cuSignal allowing you to leverage GPU acceleration.

In computing, most operations are performed on the CPU (central processing unit). However, GPU's (graphical processing units) have been gaining popularity for general computing as they can perform many more operations in parallel compared to CPUs. This can be used to significantly accelerate DSP code that is commonly used with SDRs.

In particular the developers have already created a notebook containing some examples of how cuSignal can be used with RTL-SDRs to accelerate an FFT graph. There are various other DSP examples in the list of notebooks too. According to the benchmarks in the notebooks, the GPU computation times are indeed much faster. In the benchmarks they appear to be using a high end NVIDIA P100 GPU, but other NVIDIA graphics cards should also show a good speedup. 

The cuSignal code is based on CUDA, so for any GPU acceleration code to work you'll need to have an NVIDIA based GPU (like a graphics card) with a Maxwell or newer core.

We note that in the future we'll be investigating how this could be used to speed up the passive radar algorithms that are used in the KerberosSDR. It may also be useful for running DSP code quickly on a $99 NVIDIA Jetson Nano single board computer.

NVIDIA Tesla P100. A high end $3000+ GPU.
NVIDIA Tesla P100. A high end $3000+ GPU.

Creating An Automated Raspberry Pi and RTL-SDR Based NOAA Weather Satellite Station

The nootropicdesign blog has recently uploaded a comprehensive tutorial showing how to create an automated NOAA Weather Satellite ground station using an RTL-SDR V3 and an Raspberry Pi 3. The project also makes use of an Amazon S3 bucket, which is a cheap web storage platform that allows you to store and access the downloaded images.

The tutorial starts by showing you how to set up your Amazon AWS credentials and bucket on the Raspberry Pi, and how to host a simple webpage that can be accessed publicly. The second stage shows how to set up the RTL-SDR drivers and wxtoimg which is used to decode the images. Finally, the third stage shows how to create the automation scripts that automatically schedule a decode, and upload images to the AWS bucket.

Flowgraph for an automated NOAA satellite weather image station.
Flowgraph for an automated NOAA satellite weather image station.

Using an RTL-SDR and Speech To Text to Create Alerts on Specific Phrases

Atlassian Opsgenie Engineer Fahri Yardımcı has recently written up an interesting post that details how he's using Opsgenie and Amazon Transcribe to automatically create alerts when specific voice phrases are mentioned on a radio channel. For example, if the words "blue team" are heard on the radio, the system can automatically issue an alert with the spoken words to members of the blue team in an organization. Amazon Transcribe is a cloud based speech to text service and Opsgenie is a platform that is used for managing and delegating alerts from multiple IT or other computer systems.

The system works by using an RTL-SDR and the ham2mon software to scan, receive and record voice from multiple voice channels. Fahri notes that he modified ham2mon slightly in order to allow it to upload the .wav files to an AWS S3 server which then runs the Amazon Transcribe service to convert the voice into a text file.

To make an interesting use case, we have imagined this scenario: When we detect a phrase in predefined words, like “Help”, “Execute Order 66”, “North outpost is compromised”, “Eggs are boiled”, we want to create an alert in Opsgenie. Opsgenie can send notifications to users via various ways such as push notifications and calls.

Amazon Transcribe uses advanced machine learning methodologies, to convert an audio stream to a text. As mentioned before, ham2mon uploads to .wav files to S3 and a Lambda is triggered from S3 Events. Lambda calls Transcribe API and depending on the result, Lambda creates an Opsgenie Alert through API.

Fahri writes that his system also filters out small files that may just be noise, and files with voice less than 3 second long. He's also added a custom vocabulary to Amazon Transcribe with words commonly heard on the radio, as this improves the transcription algorithm, especially in the presence of radio noise.

The rest of the post goes into further detail about the specific cloud services used and the flow of the system.

Flow Graph of the Radio to Transcription System
Flow Graph of the Radio to Transcription System
An example alert from Opsgenie when the phrase "red team" was heard.
An example alert from Opsgenie when the phrase "red team" was heard.

QRUQSP – Receiving Weather Sensors via RTL-SDR and Sharing over APRS

Thank you to Andrew Rivett for writing in and sharing news about his project called "QRUQSP" which is aiming to provide an easy to set up system for allowing amateur radio operators to put weather sensors on the APRS network and log the weather data. Andrew writes:

For that last 2 years I've been working on, a system to receive weather sensors via a V3 on a Raspberry Pi and then beacon that data over Amateur Radio APRS. I've also developed a dashboard that can be used on iPad 1 and old tablets, and soon will have the ability to sync data between Pi's and to the cloud.

For more information, please check out , we have roadmaps under Software and Hardware.

The QRUQSP website also explains:

Amateur Radio offers many opportunities to receive digital messages, decode them and make use of the data contained within those messages. Our primary goal is to store and organize those messages in a database in a way that improves the operator's ability to analyze, assess importance, and relay messages as appropriate for his or her amateur radio service.

The service makes use of his hardware kits that are currently available for preorder on his website, with the basic kit starting at $80. Purchasing a kit or $10 monthly subscription to the cloud service software allows you to participate in the closed beta, which is currently only available for amateur radio operators.

The QRUQSP Hardware
The QRUQSP Hardware

In terms of software Andrew has also created a web application that can be used to collect and display the weather data collected over APRS or rtl_433. The service can be hosted directly on the systems Raspberry Pi, or online on the cloud via the QRUQSP subscription service.

QRUQSP Dashboard and Weather Data Log Display
QRUQSP Dashboard and Weather Data Log Display

Measuring Traffic in a Neighborhood with KerberosSDR and Passive Radar

KerberosSDR is our four tuner coherent RTL-SDR product made in collaboration with Othernet. With KerberosSDR applications like radio direction finding and passive radar are possible, and our free open source demo software helps to make it easier to get started exploring these applications. In this post we explore how a simple passive radar setup can be used to measure how busy a neighborhood is in terms of vehicular traffic.

KerberosSDR is currently available from the Othernet store for US$149.95, and the setup guide is available at

Passive radar makes use of already existing strong 'illuminator' signals such as broadcast FM, DAB, digital TV and cellular. When these signals reflect off a moving metallic object like an aircraft or vehicle, it distorts the signal slightly. By comparing the distorted signal to a clean signal we can determine the distance and speed of the object causing the reflection. Wide reaching digital signals like DVB-T and DAB are often the best illuminators to use. Wideband cellular signals can also be used to detect more local targets.

In a simple passive radar system we use two directional antennas such as Yagi's. One Yagi points towards the broadcast tower and receives the clean non-distorted reference signal. This is known as the reference channel. A second Yagi points towards the area you'd like to monitor for reflections, and this is called the surveillance channel.

In our setup we point the reference channel Yagi towards a 601 MHz DVB-T transmitter roughly 33 km away. A second Yagi is placed on a vantage point overlooking a neighborhood. The Yagi's used are cheap DVB-T TV Yagi's that can be found in any electronics or TV retail store (or on Amazon for ~$30 - $60 USD).  In the software we used a bandwidth of 2.4 MHz and adjusted the gains for maximum SNR.

It is important that the surveillance channel is isolated from the reference signal as much as possible. We improve the isolation simply by placing a metal sheet next to the surveillance Yagi to block the reference DVB-T signal more. Note that putting the antennas outside will obviously result in much better results. These walls and windows contain metal which significantly reduce signal strength. We also added our RTL-SDR Blog wideband LNA to the surveillance channel powered by a cheap external bias tee to improve the noise figure of the surveillance channel.

KerberosSDR Passive Radar Setup
KerberosSDR Passive Radar Setup
Surveillance Antenna View
Surveillance Antenna View

The resulting passive radar display shows us a live view of objects reflecting. Each dot on the display represents a moving vehicle that is reflecting the DVB-T surveillance signal. In the image shown below the multiple colored objects in the left center are vehicles. The X-Axis shows the distance to the object, and the Y-Axis shows the doppler speed. Both axes are relative to the observation location AND the transmit tower location.

Vehicles on the Passive Radar Display
Vehicles on the Passive Radar Display

When there are more moving cars on the road during the day and rush hours, there are more blips seen on the passive radar display. Larger vehicles also produce larger and stronger blips. By simply summing the matrix that produces this 2D display, we can get a crude measurement of how busy the neighborhood is, in terms of cars on the road since reflections are represented by higher values in the matrix. We logged this busyness value over the course of a day and plotted it on a graph.

The resulting graph is as you'd intuitively expect. At 6AM we start to see an increase in vehicles with people beginning their commute to work. This peaks at around 8:30AM - 9am with parents presumably dropping their kids off to the neighborhood school which starts classes at 9AM. From there busyness is relatively stable throughout the day. Busyness begins to drop right down again at 7PM when most people are home from work, and reaches it's minimum at around 3am.

Traffic Busyness detected with KerberosSDR Passive Radar
Traffic Busyness detected with KerberosSDR Passive Radar

One limitation is that this system cannot detect vehicles that are not moving (i.e. stuck in standstill traffic). Since the doppler speed return will be zero, resulting in no ping on the radar display. The detection of ground traffic can also be distorted by aircraft flying nearby. Aircraft detections result in strong blips on the radar display which can give a false traffic result.

It would also be possible to further break down the data. We could determine the overall direction of traffic flow by looking at the positive and negative doppler shifts, and also break down busyness by distance and determine which distances correspond to particular roads. In the future we hope to be able to use the additional channels on the KerberosSDR to combine passive radar and direction finding, so that the the blips can actually be directly plotted on a map.

If you want to try something similar on the KerberosSDR software edit the RD_plot function in the _GUI/ file, and add the following simple code before CAFMatrix is normalized. You'll then get a log file traffic.txt which can be plotted in excel (remember to convert Unix time to real time and apply a moving average)

CAFMatrixSum = np.sum(CAFMatrix)
trafficLog = open("traffic.txt", "a")
logString = str(round(time.time())) + "," + str(round(CAFMatrixSum)) + "\r\n"