Category: RTL-SDR

Chasing Ionosondes with an RTL-SDR Dongle

Mario Filippi, a regular contributor to our blog, has recently written in with another article. This time he has submitted an interesting piece about ionosondes and how he listens to and watches them with an RTL-SDR dongle and upconverter. We present his article below.

Chirp Sounders and Those Ear-Jarring “Zwoops”

Written by Mario Filippi (N2HUN) – (All photos courtesy of author)

Have you ever experienced a loud, disconcerting “zwoop” sound quickly passing through your headphones while listening to the HF or shortwave bands? Surely many of us have, and for years these odd-sounding transmissions were a mystery, but the conundrum was unraveled one day when using my RTL-SDR (software defined radio) dongle for some HF (high frequency, 2MHz – 30MHz) listening. The HF band is populated by an array of non-voice (digital) signals, from familiar modes such as CW, RTTY, and FAX to more contemporary modes such as ALE, PSK-31, and JT65, to name a few. Many different modes and sounds, both man-made and from Mother Nature, some familiar, some mysterious, inhabit the breadth of the HF band. These frequently heard “zwoops” on different portions of the band were definitely in the “mysterious” category.

Over the past several years these high-pitched “zwoops” passing through my headset at lightning speed disturbed the calm of a normal evening spent listening to shortwave with my venerable boat-anchor-like Yaesu FRG-7 receiver. However, further investigation using an RTL-SDR dongle (from www.rtl-sdr.com), a Nooelec Ham It Up upconverter, and SDR# software visualized these signals, which emanate from ionosondes. Their transmissions appear on the waterfall image as pulsed lines traveling up (and sometimes down) different segments of the HF band. Their purpose is to help assess the ionosphere’s propagation status.

Author’s RTL-SDR dongle, Nooelec upconverter (in plexiglass case), and MFJ antenna tuner.

In short, ionosondes, or ionospheric sounders, sometimes referred to as “chirp sounders,” are transmitters that send out a radio signal across a specific frequency range, to be heard by receivers at distant locations that analyze the propagation characteristics. These analyses are an aid to two-way radio communications, for example in determining the best frequencies for radio operators around the world to use at a given time. So what do these ionosonde transmissions look like using the RTL-SDR and SDR# software? See some examples below.

Chirp sounder appears as steeply-sloped line in center of SDR# waterfall. Strong signal at 20 MHz is time signal station WWV, Ft. Collins, CO.
Pulse-like chirp sounder moving up the 15 meter (18.900MHz – 19.020MHz) shortwave band.
CB (Citizen’s Band, 26.965MHz – 27.405MHz) band exhibiting chirp sounder activity.
Weak chirp sounder in the 20 meter (14.000MHz – 14.350MHz) ham band.

Chirp sounder transmissions appear randomly as one navigates the HF bands and in the author’s experience are a hit-and-miss affair, but with the advent of software defined radios with real-time spectral displays two megahertz or more in width, one can increase the possibility of hearing and seeing them more regularly. Note that ionosonde tracings on a waterfall can take many different shapes; I have shown only a few examples. The speed at which the ionosonde transmits up or down the band varies with the setup, but it’s an amusing signal to watch as it gracefully and speedily streaks across the band’s waterfall image with its meteor-like trail.
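As an added example (not part of Mario Filippi’s article, and built on constructed numbers rather than a recording), the following Python shows why a chirp sounder draws a sloped line on a waterfall and how the slope can be measured. It synthesises a linear chirp in the audio band that an SSB receiver would hand to the sound card (8 kHz sample rate, 500 to 3500 Hz over one second; all assumed values), builds a crude spectrogram with a naive DFT, tracks the peak bin in each frame and fits a straight line through the peaks. The slope of that line is the sweep rate in Hz per second. Only the standard library is used.

```python
"""Measure the sweep rate of a linear chirp from its spectrogram (pure Python)."""
import cmath
import math


def make_chirp(fs, duration, f_start, f_stop, amplitude=1.0):
    """Constructed test signal: a linear chirp whose instantaneous frequency
    rises (or falls) from f_start to f_stop over `duration` seconds.
    Phase is the time integral of instantaneous frequency."""
    n = int(fs * duration)
    rate = (f_stop - f_start) / duration          # Hz per second
    samples = []
    for i in range(n):
        t = i / fs
        phase = 2 * math.pi * (f_start * t + 0.5 * rate * t * t)
        samples.append(amplitude * math.cos(phase))
    return samples


def dft_power(frame):
    """Magnitude-squared DFT of a real frame, positive-frequency bins only.
    Naive O(N^2) with a precomputed twiddle table; fine for short frames."""
    n = len(frame)
    twiddle = [cmath.exp(-2j * math.pi * m / n) for m in range(n)]
    power = []
    for k in range(n // 2):
        acc = 0j
        for i, x in enumerate(frame):
            acc += x * twiddle[(k * i) % n]
        power.append(abs(acc) ** 2)
    return power


def peak_track(samples, fs, frame_len):
    """One (time_s, peak_hz) pair per non-overlapping frame: the ridge the chirp
    paints on a waterfall, one row per frame."""
    track = []
    for start in range(0, len(samples) - frame_len + 1, frame_len):
        power = dft_power(samples[start:start + frame_len])
        k = max(range(len(power)), key=power.__getitem__)
        t_centre = (start + frame_len / 2) / fs
        track.append((t_centre, k * fs / frame_len))
    return track


def sweep_rate(track):
    """Least-squares slope of peak frequency against time, in Hz/s."""
    n = len(track)
    mean_t = sum(t for t, _ in track) / n
    mean_f = sum(f for _, f in track) / n
    num = sum((t - mean_t) * (f - mean_f) for t, f in track)
    den = sum((t - mean_t) ** 2 for t, _ in track)
    return num / den


def estimate_chirp_rate(fs=8000, duration=1.0, f_start=500.0, f_stop=3500.0, frame_len=128):
    """Synthesise a chirp and recover its sweep rate from the spectrogram ridge.
    With 128-sample frames the bins are 62.5 Hz wide, so the estimate carries
    quantisation error of a few tens of Hz/s against the true 3000 Hz/s."""
    chirp = make_chirp(fs, duration, f_start, f_stop)
    return sweep_rate(peak_track(chirp, fs, frame_len))


if __name__ == "__main__":
    print(f"estimated sweep rate: {estimate_chirp_rate():.0f} Hz/s (true value 3000 Hz/s)")
```

The frames are what a waterfall display paints as rows; the regression is the “steepness” of the trace. On a real capture only the frames where the peak clearly stands above the noise floor should be fitted, since the trace disappears wherever the sweep leaves the receiver passband.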

If you’d like to submit an article related to SDR, please remember to contact us at rtlsdrblog_AT_gmail.com.

QSpectrumAnalyzer Updated to support rtl_power_fftw

QSpectrumAnalyzer is a Linux GUI for rtl_power which allows you to easily do wideband scans much wider than the RTL-SDR’s maximum bandwidth. rtl_power works by quickly switching between different frequencies, recording power values in each hop, and then stitching them all together. A GUI for rtl_power can then display the result as an FFT spectrum and waterfall for easy analysis.

Recently we posted about the release of rtl_power_fftw, a modified version of rtl_power. It uses a more efficient FFT library and reduces the acquisition time, which in rtl_power could not be set below 1 second per scan. Essentially this means that rtl_power_fftw can do frequency scans much faster (though with less integration). In basic terms, you can now visualize large spectrum sweeps whilst having the waterfall look near real time.

Now QSpectrumAnalyzer has been updated to support rtl_power_fftw. To use rtl_power_fftw you’ll need to download and compile it yourself from https://github.com/AD-Vega/rtl-power-fftw. The compilation instructions are shown on the GitHub page, but you’ll also need to install pkg-config and the libtclap-dev and libfftw3-dev development packages first. Once compiled, select the rtl_power_fftw binary in the QSpectrumAnalyzer settings.

The latest release of QSpectrumAnalyzer can be downloaded from https://github.com/xmikos/qspectrumanalyzer/releases.

QSpectrumAnalyzer with rtl_power_fftw doing a 7 MHz scan of the FM broadcast band.

JAERO: A new RTL-SDR compatible decoder for Inmarsat AERO signals

Back in August of this year we showed how it was possible to use an RTL-SDR dongle, satellite antenna, LNA and decoding software to receive and decode STD-C EGC signals from Inmarsat satellites. We also showed how it was possible to modify a low cost GPS antenna to use as a satellite antenna.

Now a radio hobbyist called Jonti has released a Windows decoder for the Inmarsat AERO set of signals. AERO is a system that provides a satellite based version of VHF ACARS (Aircraft Communications Addressing and Reporting System). ACARS is typically used by ground control and pilots to send short messages and is also sometimes used for telemetry.

Jonti writes:

JAERO is a program that demodulates and decodes Classic Aero ACARS (Aircraft Communications Addressing and Reporting System) messages sent from satellites to Aeroplanes (SatCom ACARS), commonly used when Aeroplanes are beyond VHF range. Demodulation is performed using the soundcard. Such signals are typically around 1.5GHz and can be received with a simple low gain antenna that can be home brewed in a few hours in conjunction with a cheap RTL-SDR dongle.

In the advent of MH370, Classic Aero has become a well-known name. A quick search on the net using “Classic Aero MH370” will produce thousands of results. The Classic Aero signals sent from satellites to the Aeroplanes are what JAERO demodulates and decodes.

Unlike the usual VHF ACARS, with SatCom ACARS you cannot receive signals from the Aeroplane, only the people on the ground talking to the people in the Aeroplane. This means you do not get the airplanes reporting their position. Instead you tend to get weather reports, flight plans, and that sort of stuff. Just like VHF ACARS they usually use cryptic shorthand notation. For example “METAR YSSY 040400Z 08012KT 9999 FEW040 SCT048 23/09 Q1024 FM0500 05012KT CAVOK=” is the weather report for Sydney Airport in Australia in a format called METAR. It tells you the time when the report was issued, the wind direction and speed, visibility, clouds, temperature, dew point and air pressure. Then it says from 5 AM UTC the wind direction and speed and that the weather will be nice. There are sites such as Flight Utilities that can decode such information and display it in a more understandable format.
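The METAR shorthand Jonti quotes is regular enough to parse mechanically. As an added example (mine, not part of JAERO or of Jonti’s post), here is a small Python parser for the groups that appear in that report: station, day and time, wind, visibility, cloud layers, temperature and dew point, QNH, and the FM trend group that follows. It covers only this common subset of the METAR grammar and keeps anything it does not recognise verbatim rather than dropping it.

```python
"""Parse the METAR groups seen in a Classic Aero ACARS weather message."""
import re

# The report quoted in the post above (Sydney, YSSY).
SAMPLE_REPORT = "METAR YSSY 040400Z 08012KT 9999 FEW040 SCT048 23/09 Q1024 FM0500 05012KT CAVOK="

# Group patterns. Deliberately a small subset of the full METAR grammar.
TIME_RE = re.compile(r"^(\d{2})(\d{2})(\d{2})Z$")                 # DDHHMMZ
WIND_RE = re.compile(r"^(\d{3}|VRB)(\d{2,3})(?:G(\d{2,3}))?(KT|MPS|KMH)$")
VIS_RE = re.compile(r"^\d{4}$")                                    # metres; 9999 = 10 km or more
CLOUD_RE = re.compile(r"^(FEW|SCT|BKN|OVC)(\d{3})(CB|TCU)?$")       # cover + base in hundreds of ft
TEMP_RE = re.compile(r"^(M?\d{2})/(M?\d{2})$")                     # temperature/dew point, M = minus
QNH_RE = re.compile(r"^Q(\d{4})$")                                 # pressure in hPa
TREND_RE = re.compile(r"^(FM|TL|AT)(\d{2})(\d{2})$")               # from/until/at HHMM UTC


def _signed_celsius(group):
    return -int(group[1:]) if group.startswith("M") else int(group)


def _new_section():
    """Wind, visibility and cloud groups can appear in the main report and
    again in a trend section, so both share this shape."""
    return {"wind": None, "visibility_m": None, "cavok": False, "clouds": [], "unparsed": []}


def parse_metar(text):
    tokens = text.strip().rstrip("=").split()   # '=' terminates the message
    if len(tokens) < 2:
        raise ValueError("report too short")
    report = _new_section()
    report.update({"type": None, "station": None, "time": None,
                   "temperature_c": None, "dew_point_c": None,
                   "qnh_hpa": None, "trend": None})
    if tokens[0] in ("METAR", "SPECI"):
        report["type"] = tokens.pop(0)
    report["station"] = tokens.pop(0)

    section = report   # groups are filed here until an FM/TL/AT group opens the trend section
    for tok in tokens:
        if (m := TREND_RE.match(tok)):
            section = _new_section()
            section["indicator"] = m.group(1)
            section["time_utc"] = f"{m.group(2)}:{m.group(3)}"
            report["trend"] = section
        elif section is report and (m := TIME_RE.match(tok)):
            report["time"] = {"day": int(m.group(1)), "hour": int(m.group(2)), "minute": int(m.group(3))}
        elif (m := WIND_RE.match(tok)):
            section["wind"] = {
                "direction_deg": None if m.group(1) == "VRB" else int(m.group(1)),
                "speed": int(m.group(2)),
                "gust": int(m.group(3)) if m.group(3) else None,
                "unit": m.group(4),
            }
        elif tok == "CAVOK":
            section["cavok"] = True
        elif VIS_RE.match(tok):
            section["visibility_m"] = int(tok)
        elif (m := CLOUD_RE.match(tok)):
            section["clouds"].append({"cover": m.group(1), "base_ft": int(m.group(2)) * 100, "type": m.group(3)})
        elif section is report and (m := TEMP_RE.match(tok)):
            report["temperature_c"] = _signed_celsius(m.group(1))
            report["dew_point_c"] = _signed_celsius(m.group(2))
        elif section is report and (m := QNH_RE.match(tok)):
            report["qnh_hpa"] = int(m.group(1))
        else:
            section["unparsed"].append(tok)   # keep, never silently drop, what we do not understand
    return report


if __name__ == "__main__":
    import pprint
    pprint.pprint(parse_metar(SAMPLE_REPORT))
```

Keeping unrecognised groups in an `unparsed` list matters for a decoder fed by a noisy radio link: a corrupted or unusual group then stays visible to the operator instead of vanishing.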

In his post Jonti also shows how he uses a modified GPS antenna to receive the AERO signals.

Jonti’s modified GPS antenna for receiving Inmarsat AERO

We gave JAERO a test and found that it decoded AERO signals easily, even with low signal strength. To use JAERO, tune to an Inmarsat AERO signal in SDR# or a similar program using USB mode. JAERO will listen to the audio from the sound card or from a virtual audio pipe. We recommend turning the AFC (Automatic Frequency Control) setting on if you find that your RTL-SDR drifts too much.

AERO signals can be found at around 1545 MHz. They only use about 800 Hz of bandwidth. See the UHF satcoms page for a list of AERO frequencies.

The JAERO decoder.
Some AERO signals.

Remember that some R820T/2 RTL-SDR dongles can have problems receiving this high, especially when they heat up. If you find that your dongle goes deaf at these L-band frequencies, try cooling the R820T/2 chip with a heatsink or fan. The Airspy or SDRplay RSP software defined radios are better choices for decoding signals this high, but the RTL-SDR will work fine if your signal strength is decent and the R820T/2 chip is kept cool.

If you are interested in VHF ACARS as well, then we have a tutorial about decoding that here.

Software defined radio talks from Defcon 23

Defcon is a yearly conference that focuses on computer security and hacking talks. In recent years they have included a “Wireless Village” section that includes talks about all things wireless. This year there were several interesting talks related to Software Defined Radio in some way. Recently some of these talks have been uploaded to YouTube and below we present the ones we have found – let us know if we missed any interesting ones.

Balint Seeber – SIGINT & Blind Signal Analysis w/ GNU Radio & SDR

The workshop will cover many common techniques used to reverse engineer the physical layer of a wireless communications system:

– Blind signal analysis on signals re-broadcast from a satellite transponder: modulation type, order, symbol rate, error correction, scrambling, differential coding, visualization

– Applying auto-correlation to interesting signals on the HF band: RADAR, OFDM, symbol timing

– Frequency hopping: wide-band, real-time spectrum visualization

All with GNU Radio!

DEF CON 23 - Wireless Village - Balint Seeber - SIGINT & Blind Signal Analysis w/ GNU Radio & SDR

Tim O’Shea – GNU Radio Tools for Radio Wrangling/Spectrum Domination

An overview of modern tools available in GNU Radio and the greater GNU Radio ecosystem for building, testing, inspecting and playing with radio system physical layers in gory detail.

DEF CON 23 - Wireless Village - Tim Oshea - GNU Radio Tools for Radio Wrangling/Spectrum Domination

Michael Calabro – Software Defined Radio Performance Trades & Tweaks

This workshop is targeted at new and experienced software defined radio (SDR) operators, developers, and enthusiasts seeking a better end-to-end system understanding, and anyone looking to maximize their SDR’s performance. Commercially available SDRs (e.g. USRPs, RTL-SDRs, BladeRFs, etc) are commonly used to fuzz wireless interfaces, deploy private cellular infrastructure, conduct spectrum surveys, and otherwise interact with a wide variety of custom and commercial devices. This workshop focuses on the key parameters and performance drivers in SDR setup and operation that elevate these common platforms to the level of fidelity required to interact seamlessly with commercial devices and networks.

The workshop will begin by surveying different SDR hardware architectures and summarizing the performance trade spaces of several SDR applications (e.g. collection/survey/transmit). Then the workshop will break down into three main content focuses:

Understanding SDR Hardware: Break down common RF front-end and receiver architectures. Identify and derive key performance parameters, and when they will bound performance. Topics covered will include: noise figure calculation, internal amplification, frequency selectivity, external RF chains, and noise sources.

Understanding SDR Platform Objectives: Collection, transmission, surveying, and other applications, each present unique challenges to SDRs and will be limited by different dimensions of SDR processing and/or setup configuration. Topics covered include: real-time processing, host buffering, sampling, guard-intervals, framework selection (GRC vs REDHAWK vs MATLAB vs custom), and frequency and time domain signal representation.

Optimizing and Improving Performance: Now that the hardware and platform trade space have been characterized, how do attendees meet and exceed the performance requirements of their application? We will present specific examples for several common platforms (RTL-SDR and USRP). Topics covered will include clock selection, ADC dynamic range, FPGA/SoC offloading, RFIC configuration, CIC filters, sampling, DC biases, antenna selection & pointing, host buffering / processing, and cost-performance trades.

DEF CON 23 - Wireless Village - Michael Calabro - Software Defined Radio Performance Trades & Tweaks

Karl Koscher – DSP for SDR

The barrier to entry in software-defined radio is now almost non-existent. Wide band, receive-only hardware can be obtained for as little as $10, and tools like gqrx and SDR# make it extremely easy to get started listening to signals. However, there is a steep learning curve graduating from an SDR script kiddie to developing your own SDR tools. In this talk, I’ll cover the basic theory behind software-defined radios, digital signal processing, and digital communication, including I/Q samples, FIR filters, timing and carrier recovery, and more.

DEF CON 23 - Wireless Village - Karl Koscher - DSP for SDR

In addition to these Wireless Village talks there was also an interesting talk by Samy Kamkar in which he explains how he uses SDR in his vehicle security research.

Samy Kamkar – Drive it like you Hacked it: New Attacks and Tools to Wireles

Gary Numan said it best. Cars. They’re everywhere. You can hardly drive down a busy freeway without seeing one. But what about their security?

In this talk I’ll reveal new research and real attacks in the area of wirelessly controlled gates, garages, and cars. Many cars are now controlled from mobile devices over GSM, while even more can be unlocked and ignitions started from wireless keyfobs over RF. All of these are subject to attack with low-cost tools (such as RTL-SDR, GNU Radio, HackRF, Arduino, and even a Mattel toy).

We will investigate how these features work, and of course, how they can be exploited. I will be releasing new tools and vulnerabilities in this area, such as key-space reduction attacks on fixed-codes, advanced “code grabbers” using RF attacks on encrypted and rolling codes, and how to protect yourself against such issues.

By the end of this talk you’ll understand not only how vehicles and the wirelessly-controlled physical access protecting them can be exploited, but also learn about various tools for car and RF research, as well as how to use and build your own inexpensive devices for such investigation.

Ladies and gentlemen, start your engines. And other people’s engines.

Samy Kamkar is a security researcher, best known for creating The MySpace Worm, one of the fastest spreading viruses of all time. He (attempts to) illustrate terrifying vulnerabilities with playfulness, and his exploits have been branded:

“Controversial”, -The Wall Street Journal
“Horrific”, -The New York Times
“Now I want to fill my USB ports up with cement”, -Gizmodo

He’s demonstrated usurping typical hardware for surreptitious means such as with KeySweeper, turning a standard USB wall charger into a covert, wireless keyboard sniffer, and SkyJack, a custom drone which takes over any other nearby drones allowing them to be controlled as a massive zombie swarm. He’s exposed issues around privacy, such as by developing the Evercookie which appeared in a top-secret NSA document revealed by Edward Snowden, exemplifying techniques used by governments and corporations for clandestine web tracking, and has discovered and released research around the illicit GPS and location tracking performed by Apple, Google and Microsoft mobile devices. He continues to produce new research and tools for the public as open source and open hardware.

DEF CON 23 - Samy Kamkar - Drive it like you Hacked it: New Attacks and Tools to Wireles
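The abstract lists key-space reduction attacks on fixed codes without saying how they work. The textbook reduction, shown below as an added example (my code, not Samy Kamkar’s released tooling, whose exact method the page does not describe), relies on a receiver that has no frame delimiter and simply compares the last n bits it received against its stored code. Against such a receiver a de Bruijn sequence presents every n-bit code in 2^n + n - 1 bits instead of n * 2^n, because every n-bit window of the sequence is a different code. The receiver model, the 12-bit code length and the absence of inter-code gaps are assumptions of the example.

```python
"""Key-space reduction against a fixed-code receiver using a de Bruijn sequence."""


def de_bruijn(k, n):
    """Cyclic de Bruijn sequence B(k, n): every length-n word over an alphabet of
    k symbols appears exactly once as a cyclic window. Standard recursive
    (Lyndon word) construction; the result has k**n symbols."""
    a = [0] * (k * n)
    seq = []

    def db(t, p):
        if t > n:
            if n % p == 0:
                seq.extend(a[1:p + 1])
        else:
            a[t] = a[t - p]
            db(t + 1, p)
            for j in range(a[t - p] + 1, k):
                a[t] = j
                db(t + 1, t)

    db(1, 1)
    return seq


def attack_stream(n):
    """Bit stream that presents every n-bit code to a sliding-window receiver:
    the cyclic sequence plus its first n-1 bits, so the wrap-around windows
    are transmitted too. Length is 2**n + n - 1."""
    seq = de_bruijn(2, n)
    return seq + seq[:n - 1]


def codes_seen(stream, n):
    """Constructed receiver model: after every bit it compares the last n bits
    received with its stored code. Returns the set of codes it was offered."""
    return {tuple(stream[i:i + n]) for i in range(len(stream) - n + 1)}


def bits_to_open(stream, n, secret):
    """Bits the attacker must send before `secret` has been presented, or None."""
    secret = tuple(secret)
    for i in range(len(stream) - n + 1):
        if tuple(stream[i:i + n]) == secret:
            return i + n
    return None


def naive_bits(n):
    """Sending every code separately, n bits each, no gaps assumed."""
    return n * 2 ** n


def de_bruijn_bits(n):
    return 2 ** n + n - 1


if __name__ == "__main__":
    n = 12                                  # assumed 12-bit fixed code: 4096 possibilities
    stream = attack_stream(n)
    print(f"naive: {naive_bits(n)} bits, de Bruijn: {de_bruijn_bits(n)} bits "
          f"({naive_bits(n) / de_bruijn_bits(n):.1f}x fewer)")
    print(f"distinct codes presented: {len(codes_seen(stream, n))}")
```

The reduction depends entirely on the receiver accepting a code at any bit alignment. A receiver that requires a preamble, a fixed inter-code gap, or a rolling code (where the accepted value changes on every press) leaves no fixed n-bit target for the sequence to sweep, which is why the abstract treats rolling codes as a separate problem.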

An online Software Defined Radio training course

We’ve recently found what looks to be a new online video based course that uses the RTL-SDR to teach basic software defined radio topics. The course is not free, it is priced at $29.99, but the first three videos are free. Judging from the first three videos the content appears to be quite basic, but is presented in a very clear way that may be useful for beginners. Currently the lessons include:

  1. Course Overview 

    Welcome to the exciting world of Software Defined Radio. In this video, we’ll discuss what SDR is, and why it’s such a hot button topic right now.

  2. Setting up the environment

    In this module, we’ll setup our environment for development. If you’re already very comfortable with Ubuntu, you might want to just follow the guide below.

  3. Browsing the spectrum 

    In this module, we’ll cut our teeth on Gqrx, and learn a little about the radio spectrum.

  4. Signals Intelligence

    In this module, we’ll learn how to find transmissions in the frequency domain, and capture them to disk for offline analysis.

  5. Modulations

    In this module, we’ll learn how to identify two types of basic digital transmissions, and talk a little about the history of radio.

  6. Demodulation – Part 1

    In this module, we’ll practice capturing signals in the wild, identifying the modulation, and demodulating the signal with GNU Radio.

  7. Demodulation – Part 2

    In this module, we’ll learn about clock recovery. And we’ll pull out packets from the garage door remote.

It also appears that they plan to have some live classes in the future.

We note that there are also alternative SDR training courses available, such as Michael Ossmann’s lessons at greatscottgadgets.com/sdr.


rtl_power_fftw: An improved version of rtl_power designed for radio astronomy

As the RTL-SDR’s maximum usable bandwidth is about 2.8 MHz, programs like rtl_power were written to scan over wider bandwidths by quickly hopping between different swaths of the frequency spectrum and then stitching the data together.

Now a new, improved version of rtl_power called rtl_power_fftw has been developed and released. This version is designed for radio astronomy use, but also overcomes several issues general users may encounter with rtl_power. One of the authors, Klemen, wrote in to us with this information:

I would like to tell you about a program we have been developing at Astronomical Society Vega – Ljubljana, namely one for measuring power spectrum with rtl dongles.

It addresses several shortcomings of the rtl_power program shipped with librtlsdr. The most notable is that it uses a much faster FFT algorithm (from the fftw3 library) and separate threads for acquiring data and FFT processing. This means that even the lowly Raspberry Pi is capable of processing spectra of sizes up to ~1024 bins in real-time (no slower than data acquisition). This enables the user to sample spectrum continuously and more efficiently.

The other benefit is the output format: data is presented in a gnuplot-friendly way, so plotting is simple, and no data is mangled to make an illusion that spectral hopping is not needed: the FFT of each frequency hop is output separately, and the user can make an informed decision on how to process the data – the program stays out of this, to preserve the accuracy of the gathered data.

The program was developed for use in radio astronomy where all these things matter. Code is available on Github:

https://github.com/AD-Vega/rtl-power-fftw
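Both rtl_power (described in the QSpectrumAnalyzer post earlier on this page) and rtl_power_fftw work by hopping the tuner across the band and collecting one FFT per hop. The following added Python example (mine, not code from either project) shows the arithmetic behind that: how many retunes a 20 MHz sweep of the FM band needs at a 2.4 MHz sample rate, why the outer bins of each hop are discarded, and what Klemen means by leaving the stitching to the user. The per-hop spectra are constructed in software to stand in for dongle captures; the 10% edge crop, the 30 dB roll-off and the -40 dB noise floor are assumed values, not measurements.

```python
"""Plan the hops of a wide-band rtl_power-style sweep and stitch the per-hop spectra."""
import math


def plan_hops(start_hz, stop_hz, sample_rate_hz, bins, crop_fraction=0.1):
    """Cover [start_hz, stop_hz) with retunes of the dongle.

    Each hop captures sample_rate_hz of spectrum, but the outer crop_fraction
    on either side sits in the anti-alias filter roll-off, so only the middle
    sample_rate_hz * (1 - 2 * crop_fraction) is counted as usable.
    """
    if stop_hz <= start_hz or sample_rate_hz <= 0 or bins < 2 or not 0 <= crop_fraction < 0.5:
        raise ValueError("bad sweep parameters")
    usable = sample_rate_hz * (1 - 2 * crop_fraction)
    n_hops = math.ceil((stop_hz - start_hz) / usable)
    hops = []
    for i in range(n_hops):
        lo = start_hz + i * usable
        hops.append({"centre_hz": lo + usable / 2, "lo_hz": lo, "hi_hz": lo + usable,
                     "bin_hz": sample_rate_hz / bins})
    return hops


def simulate_hop(hop, bins, sample_rate_hz, tones_hz, noise_db=-40.0):
    """Constructed stand-in for one hop's FFT (no hardware involved): a flat
    noise floor, a roll-off of up to 30 dB in the outer 10% of bins, and a
    +20 dB line wherever a tone falls. Returns [(bin_centre_hz, power_db), ...]."""
    bin_hz = sample_rate_hz / bins
    first_hz = hop["centre_hz"] - sample_rate_hz / 2
    spectrum = []
    for k in range(bins):
        f = first_hz + (k + 0.5) * bin_hz
        distance_from_edge = min(k, bins - 1 - k) / bins
        rolloff_db = -30.0 * max(0.0, 0.1 - distance_from_edge) / 0.1
        power = noise_db + rolloff_db
        if any(abs(f - tone) < bin_hz / 2 for tone in tones_hz):
            power = noise_db + 20.0
        spectrum.append((f, power))
    return spectrum


def naive_concat(spectra):
    """Hops simply glued together: overlapping bins and a roll-off notch at
    every retune boundary, the 'mangling' a careful tool should not hide."""
    return [point for spectrum in spectra for point in spectrum]


def stitch(hops, spectra, stop_hz):
    """Keep only each hop's usable span, then cut at the requested stop frequency.
    This is the step rtl_power_fftw leaves to the user by emitting each hop separately."""
    out = []
    for hop, spectrum in zip(hops, spectra):
        out.extend((f, p) for f, p in spectrum if hop["lo_hz"] <= f < hop["hi_hz"] and f < stop_hz)
    return out


def sweep(start_hz, stop_hz, sample_rate_hz, bins, tones_hz, crop_fraction=0.1):
    hops = plan_hops(start_hz, stop_hz, sample_rate_hz, bins, crop_fraction)
    spectra = [simulate_hop(h, bins, sample_rate_hz, tones_hz) for h in hops]
    return hops, spectra, stitch(hops, spectra, stop_hz)


if __name__ == "__main__":
    hops, spectra, stitched = sweep(88e6, 108e6, 2.4e6, 256, [100.1e6])
    print(f"{len(hops)} hops; at rtl_power's 1 s minimum per hop that is at least {len(hops)} s per sweep")
    print(f"naive glue: {len(naive_concat(spectra))} points, stitched: {len(stitched)} points")
```

With 11 hops and rtl_power’s 1 second minimum integration per hop, one pass over the FM band takes at least 11 s; lifting that floor is what lets rtl_power_fftw refresh a waterfall of the same width in near real time. Keeping the crop and join in a separate step, as stitch() does here, is the design choice Klemen describes: the program records what the dongle saw, and the user decides how much of each hop to trust.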

New Mini RTL-SDR Dongle Available from Nooelec

The Nooelec store has recently come out with a new small RTL-SDR model called the Nano 2, which appears to be an improved version of the old tiny square dongles. These new ones are sized at 24mm x 21mm x 8mm and come in a new plastic case with vent holes to prevent overheating. They also come with the newer R820T2 tuner chip. This appears to be a good improvement over the older models, which were reported to have overheating and thermal frequency drift issues.

These small dongles look to be great for embedded or mobile phone applications that have space restrictions.

The new dongle is currently selling for $24.95 USD + $1.99 shipping.

The Nano 2 with vent holes in the case.
The Nano 2 circuit.

Hak5: Reverse Engineering Radio Protocols with SDR and the Yardstick One

Over on YouTube the popular security and hacking themed channel Hak5 has created two videos together with Mike Ossmann (creator of the HackRF and Yardstick One) that give a good introduction and overview of reverse engineering unknown radio protocols. In the videos they show how to use an SDR like the RTL-SDR or HackRF to initially capture the radio signal, and then how to use the Yardstick One to reverse engineer and recreate the signal. Using this process they reverse engineer the radio protocol for a wireless liquor cabinet lock.

The Yardstick One is a computer controlled wireless transceiver (but it is not an SDR). The Yardstick One understands many radio protocols by default and can be programmed in Python, lowering the learning barrier for reverse engineering signals.

Mike Ossmann has also been slowly releasing very detailed video tutorials about DSP and radio related topics. If you are interested in reverse engineering radio signals it is a very helpful series to watch.

Radio Hacking: Reverse Engineering Protocols Part 1 - Hak5 1913

Radio Hacking: Reverse Engineering Protocols Part 2 - Hak5 1914