Category: RTL-SDR

Improving Reception with the Stock RTL-SDR Antenna by Building a Corner Reflector

Last week a reader of RTL-SDR.com wrote in to us to let us know about some experiments that he had been performing with the telescopic stock antennas provided in our RTL-SDR dongle packages. The reader had built a corner antenna reflector in order to improve reception in one direction. We are posting his write-up and results below:

This tutorial will discuss the use of a Corner Reflector with a monopole antenna, i.e. the stock RTL-SDR antenna. To keep this tutorial concise, the reader is encouraged to study the Wikipedia pages for details about Corner Reflector Antennas, Dipoles and Monopoles.

Corner Reflector Antennas are very easily constructed from 2 A4-sized cardboard panels, covered with tinfoil. This allows for a foldable and transportable external reflector to the built-in wifi antennas of a laptop, which are located on the upper corners of the display. 

The reader is pointed to the fact that corner antennas are based on a Dipole, where the stock RTL-SDR antenna is a Monopole, so some adjustments will have to be made, which is discussed and explained later in this text. If there are real antenna specialists reading this, they are encouraged to do a more thorough writeup on the exact mechanism of a monopole-based corner reflector antenna, as there was little information to be found on the internet.

The experiment started as an attempt to receive a DVB-T signal centered around 506 MHz, from a mast about 10 miles away. Indoors. This should have given a clear and strong signal, but alas, the signal was very weak.

Initial reception of the DVB-T signal with the stock antenna and no modifications.

Reading up on Monopoles and their need for a ground plane, the magnetic base of the 14 cm long antenna was placed on a metal cooking pot. The signal was a lot stronger. (The middle part of the waterfall plot above.) Clearly a wooden table is not much of a ground plane.

Next a Corner Reflector was made from tinfoil and a cardboard box, much to the dismay of the resident Feline Overlord that had seized it. 🙂 A triangular piece was added for rigidity and as a ground plane. The Monopole antenna was placed on the ground plane triangle in the middle of the 90° corner and at the correct distance from the fold in the reflector, i.e. the Focal Axis, but the gain was less than the theoretical 10 dB, so this setup was unsuccessful. (Upper part of waterfall plot above.)

The breakthrough came when I wanted to study the effect of a larger ground plane. For this I put the corner reflector sideways and put the monopole on the outer edge to reduce possible reflections from the standing panel. There was only a slight effect compared to the cooking pot, so I decided to progressively move the monopole towards the back panel in order to see if the additional reflection would get some more gain. When I reached about 10 cm distance from the panel, the waterfall plot exploded with a very powerful signal! See the picture below for the transition from wooden table to the sideways configuration. (On top of the waterfall plot there is some residual from the ground plane cooking pot test.)

DVB-T signal with corner reflector.

The setup looks like this:

(Image: sideways setup)

For a few days I was baffled as to why the corner reflector behaved this way. It had already dawned on me that the diagonal distance from the fold till the antenna tip was 14 cm in this configuration, so 1/4 WL. It was only after I visualized how a monopole works, that I understood: a 1/4 WL monopole is physically a quarter wavelength open ended resonator. i.e. at the base/feed point the electric current is maximum and the voltage minimum. At the tip it is reversed, with maximum voltage and zero current. See this page for details: http://www.radio-electronics.com/info/antennas/vertical-antennas/quarter-wavelength.php

Alternatively, the polar plot of a Corner Reflector Antenna also shows that the signal is weakest/zero in the direction of the panels, where the monopole base is located, while the maximum signal is along the center line between the 2 panels, which is where the tip of the monopole is located. Hence the signal *difference* over the monopole is thus maximized and this way it works best. As stated in the beginning, if an antenna expert can write up a better explanation, please contact the maintainer of the RTL-SDR Blog.

In retrospect, the original setup I tested could not work optimally since the entire monopole is irradiated equally if it is aimed along the Focal Axis. Moreover it was suspected that the mirror image antenna that makes a monopole work was distorted because of the electrical contact between the triangular ground plane and the reflector panels. A test with an isolated triangular ground plane was planned but has now been permanently shelved.

For those who want to re-create the experiment, these are the reflector dimensions:

  • 2 panels of 42*25cm, joined along the longest side.
  • 36*25*25cm triangle at the bottom. This should give a 90° angle between the 2 largest panels.
  • The tinfoil can be wiped smooth and attached with some glue.

So to summarize:

  • Make sure you have a good ground plane!
  • A Corner Reflector Antenna can be constructed at frugal cost with a cardboard box and tinfoil. Larger reflectors are better, especially in the plane perpendicular to the Monopole, so it is better to have wide reflectors instead of high reflectors.
  • Make sure the base of the stock monopole antenna is located in an area with low signal strength and the tip is located in an area of maximum signal, therefore maximizing the *difference* between base and tip of the Monopole. Usually this means perpendicular to the Focal Axis of the reflector panels.
  • Distances and Monopole lengths can easily be adjusted for various frequency ranges, making this a very versatile modification or enhancement to the stock antenna.

Speculation: Since there is a focal Axis rather than a Point (i.e. like a Parabolic Dish), the sideways configuration might be more suitable for tracking a moving satellite across the horizon, ideally at 45° azimuth.

Spektrum: New RTL-SDR Spectrum Analyzer Software

Recently a reader of RTL-SDR.com, Pavel, wrote in to let us know about a new program called “Spektrum” which he has written. Spektrum runs on Windows and Linux and turns an RTL-SDR dongle into a spectrum analyzer in a similar way to rtl_power GUI front ends and RTLSDR Scanner. However, one key improvement is that it is based on a version of rtl_power that has been modified by Pavel in order to make it more responsive and remove the need to wait until a full sweep is completed before you can see any results. The modified version of rtl_power can be found at https://github.com/pavels/rtl-sdr.

Spektrum also has an additional “relative mode” feature. This allows Spektrum to be easily used together with a wideband noise source to measure things like filter characteristics and the VSWR of antennas. See our previous tutorial on this here, but note that in our tutorial we used Excel instead of Spektrum to do relative measurements.
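The idea behind a relative measurement with a noise source, shown as an added example (not Spektrum's code and not from the original post): one sweep is taken with the noise source connected directly, a second with the filter in line, and the difference per frequency bin is the filter response. It assumes rtl_power's usual CSV column layout; the sweep data and function names are constructed for illustration.

```python
import math
from collections import defaultdict

# Constructed sample sweeps in rtl_power's CSV layout:
# date, time, Hz low, Hz high, Hz step, samples, dB, dB, ...
REFERENCE = """\
2015-11-01, 12:00:00, 80000000, 100000000, 5000000.00, 4096, -40.0, -40.5, -41.0, -40.2
2015-11-01, 12:00:00, 100000000, 120000000, 5000000.00, 4096, -40.8, -41.1, -40.6, -40.9
"""
WITH_FILTER = """\
2015-11-01, 12:05:00, 80000000, 100000000, 5000000.00, 4096, -40.6, -45.0, -72.0, -75.5
2015-11-01, 12:05:00, 100000000, 120000000, 5000000.00, 4096, -74.8, -73.6, -46.6, -41.5
2015-11-01, 12:05:10, 80000000, 100000000, 5000000.00, 4096, -40.6, nan, -72.0, -75.5
"""

def parse_sweep(text):
    """Return {bin_start_hz: mean_dB}, averaging repeated passes in linear power."""
    power = defaultdict(list)
    for line in text.strip().splitlines():
        fields = [f.strip() for f in line.split(",")]
        if len(fields) < 7:
            continue  # truncated row, e.g. the capture was interrupted mid-line
        low, step = int(fields[2]), float(fields[4])
        for i, cell in enumerate(fields[6:]):
            db = float(cell)
            if math.isnan(db):
                continue  # skip bins the sweep reported as nan
            power[round(low + i * step)].append(10 ** (db / 10))
    return {f: 10 * math.log10(sum(p) / len(p)) for f, p in power.items()}

def relative(reference, measured):
    """Per-bin difference in dB (measured minus reference) for bins present in both."""
    common = sorted(set(reference) & set(measured))
    return [(f, round(measured[f] - reference[f], 2)) for f in common]

def stopband(rel, min_attenuation_db):
    """Lowest and highest bin attenuated by at least min_attenuation_db, or None."""
    hits = [f for f, d in rel if d <= -min_attenuation_db]
    return (hits[0], hits[-1]) if hits else None

if __name__ == "__main__":
    rel = relative(parse_sweep(REFERENCE), parse_sweep(WITH_FILTER))
    for freq, diff in rel:
        print(f"{freq / 1e6:7.1f} MHz  {diff:+6.1f} dB")
    print("bins with >= 30 dB attenuation:", stopband(rel, 30))
```

Subtracting the reference removes the noise source's own spectral shape and the dongle's frequency response, which is why the difference can be read as the filter's response.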

The Processing language was used to create Spektrum and Pavel has also released his processing library for accessing rtl_power functionality over at https://github.com/pavels/processing-rtlspektum-lib/releases.

Ready to use releases of Spektrum for Windows and Linux 64-Bit OSes can be downloaded from https://github.com/pavels/spektrum/releases. Note that there may be a bug with the current release which causes only a gray window to show, but we’ve contacted the author about it and it may be fixed soon.

Spektrum: A new spectrum analyzer program for the RTL-SDR

Building a Ham Transceiver with an RTL-SDR, Raspberry Pi and Rpitx

A few days ago we posted about RpiTx, a piece of software that allows you to turn your Raspberry Pi into a multi purpose transmitter by modulating the output on one of the GPIO pins.

Now over on YouTube user HA7ILM has uploaded a video showing his related software qtcsdr. Qtcsdr runs on the Raspberry Pi and interfaces with an RTL-SDR dongle and RpiTx to create a simple transceiver radio. In the video HA7ILM shows the software in action by using a microphone and RTL-SDR plugged into the Raspberry Pi, and showing the microphone transmitting via RpiTx and being received via the RTL-SDR.

Qtcsdr can be downloaded from https://github.com/ha7ilm/qtcsdr.

As always with this type of thing, only transmit if you are licensed, take care with the transmitted distance, and filter the antenna output when transmitting over a distance that is further than your room. Also regarding this, on the qtcsdr GitHub page the author mentions that a Raspberry Pi shield called the QRPi filter + amplifier is currently in development (white paper).

QTCSDR Control GUI
Testing qtcsdr: receiving the transmission with an RTL-SDR via attenuator

Creating a DIY 88-108 MHz FM Trap

One of the most problematic strong signals you can encounter is regular 88 – 108 MHz broadcast FM stations. They transmit at high power and can cause overloading and intermodulation problems on simple receivers such as the RTL-SDR. This means that FM stations can prevent you from receiving signals even when you are tuned far away from the broadcast band.

The simplest solution to reducing strong FM stations is to build an FM trap. This is simply a band stop filter that blocks frequencies between 88 – 108 MHz from entering your radio. Adam (9A4QV), the creator of the popular LNA4ALL and several other RTL-SDR compatible products has recently uploaded an article showing how to build a home made FM trap out of cheap common parts.

Adam's article explains the design of an FM trap and how to use freeware software to aid in the calculations. The final FM trap designed by Adam uses just 3 common SMD capacitors and 3 hand-wound coils. His filter attenuates more than 30 dB in the 88-108 MHz range with an insertion loss of less than 1 dB up to 1.7 GHz.

A DIY FM Trap

SDR-J Now Compatible with the Raspberry Pi 2

The popular software DAB (Digital Audio Broadcast) decoder SDR-J has recently been updated and can now run on the Raspberry Pi 2. In addition the author has also added experimental DRM decoding capabilities to his shortwave receiving software. The author writes about the Raspberry Pi 2:

The Raspberry PI 2 has a processor chip with 4 computing cores. By carefully spreading the computational load of the handling of DAB over these cores it is possible to run the DAB software on the Raspberry PI 2.

In my home situation the – headless – Raspberry PI 2 is located on the attic and remotely controlled through an SSH connection using the home WiFi on my laptop in my “lazy chair”. To accommodate listening remotely, the DAB software on the Raspberry PI 2 sends – if so configured – the generated PCI samples (rate 48000) also to an internet port (port 100240). On the laptop then runs a very simple piece of program reading the stream and sending it to the soundcard.

DAB is a digital audio protocol that is used in some countries as a digital alternative to broadcast FM (music stations). SDR-J is a suite of programs that includes the ability to decode DAB, FM, and several shortwave modes such as AM, USB, LSB, PSK, RTTY, WeatherFax, SSTV, BPSK, QPSK, CW, NavTex (Amtor-B), MFSK, Domino, Olivia, Hell, Throb and now DRM. It can directly connect to RTL-SDR receivers as well as other hardware such as the Airspy and SDRplay.

Screenshot of SDR-J running on the Raspberry Pi 2.

An Unfiltered ADS-B co-op: ADSBexchange

Recently Dan, a reader of RTL-SDR.com, wrote in to let us know about a new web project he’s started called adsbexchange.com. ADSBexchange is similar to services like FlightRadar24.com and FlightAware.com, but with one key difference. ADSBexchange explicitly states that they do not and will not filter ADS-B traffic for security reasons. Other similar services all filter FAA BARR (Block Aircraft Registration Request), military and other potentially sensitive ADS-B data. However, Dan argues that filtering the data is simply unneeded security theatre, as anyone can build their own unfiltered receiver very cheaply. He writes:

I recently started a website that collects SDR ADS-B and MLAT data (typically from dump1090) worldwide, and displays it unfiltered – http://www.adsbexchange.com . This means that military, “blocked” and other “restricted” traffic is available to see, which is unique as far as I can tell.  We’ve recently tracked a U2 over the UK above 60,000 ft., Air Force One, and various diplomatic aircraft.  Additionally, there is a database of all previous aircraft “sightings” searchable on various parameters.

All of my research indicates this is legal, but perhaps “frowned upon” by local authorities.  The major flight tracking sites seem to not want to make any waves and voluntarily strip this data from their public feeds, even though they are typically fed “unfiltered” data from their volunteer participants.

The service is currently looking for RTL-SDR users who feed ADS-B data to join their feeding program so that they can expand their service coverage.

adsbexchange

Hak5: Hacking Wireless Doorbells and Software Defined Radio tips

On this week's episode of Hak5, a popular electronics and hacking YouTube show, the presenters talk about reverse engineering and performing replay attacks on wireless devices such as a doorbell. They also talk about using the recently released Yardstick One, which is a PC-controlled wireless transceiver that understands multiple modulation techniques (ASK, OOK, GFSK, 2-FSK, 4-FSK, MSK) and works on multiple bands (300-348 MHz, 391-464 MHz, and 782-928 MHz), but is not a software defined radio.

Finally they discuss how to use the RTL-SDR and GQRX to stream received audio over a UDP network connection using netcat in Linux.

Hacking Wireless Doorbells and Software Defined Radio tips - Hak5 1910

If you are interested in the Yardstick One, Hak5 also uploaded two earlier episodes this month showing how to use the Yardstick One, and how to hack wireless remotes by using the RTL-SDR to do the initial reverse engineering, and then using the Yardstick One to do the transmitting.

How to begin hacking with the YARD Stick One - Hak5 1908

How to Hack Wireless Remotes with Radio Replay Attacks - Hak5 1909

Hacking GSM Signals with an RTL-SDR and Topguw

The ability to hack some GSM signals has been around for some time now, but the steps to reproduce the hack have been long and difficult to set up. Recently RTL-SDR.com reader Bastien wrote in to us to let us know about his recently released project called Topguw. Bastien's Topguw is a Linux-based program that helps piece together all the steps required in the GSM hacking process. Although the steps are simplified, you will still need some knowledge of how GSM works and have Airprobe and Kraken installed, and you'll also need a 2TB rainbow table, which keeps the barrier to this hack quite high. Bastien writes about his software:

So like I said my software can "crack" SMS and call over GSM network.

How ?

I put quotation marks in crack because my software is not enough to decipher GSM itself. My software can make some steps of the known-plaintext attack, introduced by Karsten Nohl, and by the way, increase the time to decipher an SMS or call. I'll not explain here all the steps because they are long and tedious, but there is a lot of work done behind the GUI.

Actually my software can extract Keystream (or try to find some of them) from a capture file of GSM, or by sniffing GSM with an rtl-sdr device. Then you just have to use Kraken to crack the key and you're able to decipher sms or call.

Why ?

This hack is very interesting! With only a little receiver (rtl-sdr) and some hard-disk capacity (2Tb), everyone can try to hack the GSM. It's very low cost compared to other hack vectors. Moreover the success rate is really great if you guess the Keystream correctly. So when I started to do this with my hands I thought -> why not try to make something to do this automatically.
This is how Topguw was born.

Topguw, I hope, will sensitize people about the risk they take by calling or sending sms with GSM.

My software is currently in beta version but I did run it several times and I got good results. Maybe better than something done by hand. But Topguw is made to help people who want to learn the hack. This is why several files are made to help GSM reverse-engineering.

Topguw can be downloaded from GitHub at https://github.com/bastienjalbert/topguw. Bastien has also uploaded a video showing his software in action. If you're interested, keep an eye on Bastien's YouTube channel, as he plans to upload another video soon where he shows himself hacking his own GSM sms/call signals.

Topguw Proof of concept - GSM Hacking educational purpose

Of course remember that hacking into GSM signals is very illegal and if you do this then you must check the legality of doing so in your country and only receive your own messages or messages that are intended for you.

Update 27 Feb 2023: Note that this content is constantly being censored by video upload sites. If the above video is down, Bastien has uploaded links to alternative video upload sites on pastebin.