Category: RTL-SDR

Talk: My journey into FM-RDS by Oona Räisänen

Back in November we posted about Oona’s work with decoding radio controlled bus stop display signs using her RTL-SDR. Oona has given a talk at the Chaos Communication Congress about her work on decoding FM-RDS and the bus stop displays. The talk is now available on YouTube.

How I discovered mysterious hidden signals on a public radio channel and eventually found out their meaning through hardware hacking, reverse engineering and little cryptanalysis.

A story about my experiences with FM-RDS (Radio Data System), a digital subcarrier embedded in FM broadcast transmissions, and also cryptanalysis of the weakly encrypted TMC traffic messages contained therein. I originally found out about the existence of such transmissions in a roundabout way, by using a spectrum analyzer program to examine intermodulation distortion in my radio’s Line Out audio. As it turned out, the inaudibly quiet distortion, probably caused by the radio’s stereo demuxer circuitry, contained all the information needed to decode all RDS data present in the transmission. I will demonstrate the journey I took and give a short introduction to how the data is actually encoded. Live acquisition of local RDS data depending on signal conditions in the premises.

As a bonus, I’m introducing yet another little-known FM subcarrier called DARC, and my recent reverse engineering of the bus stop display radio protocol used in Helsinki.

Talk: Monitoring the Spectrum: Building Your Own Distributed RF Scanner Array

Andrew Reiter, a researcher at Veracode, has given a talk at the Chaos Communication Congress about building a distributed RF scanner array using cheap RTL-SDR dongles. This talk has been uploaded to YouTube.

Software-Defined Radio (SDR) has increased in popularity in recent years due to the decrease in hardware costs and increase in processing power. One example of such a class of devices is the RTL-SDR USB dongles based on the Realtek RTL2832U demodulator. This talk will discuss my experience in building a distributed RF scanner array for monitoring and spectrum mapping using such cheap SDR devices. The goal is to help the audience understand the what, why, and how of building their own RF monitoring array so that they will be able to do it themselves. In this era of increasingly being “watched”, we must be prepared to do our own “watching”.

Software-Defined Radio (SDR) has increased in popularity in recent years due to the decrease in hardware costs and increase in processing power. One example of such a class of devices is the RTL-SDR USB dongles based on the Realtek RTL2832U demodulator. This work investigates building and running an RF scanner array for monitoring and spectrum mapping using cheap SDR devices. The array allows for both RF sampling and power analysis to be split over multiple systems in order to increase capture and spectrum analysis capabilities. The system allows for “strong signal capture” as well as, simply, signal modeling with “strong signal alerting”. Also discussed will be using the array versus USRPs and the issue of antennae for all of the devices. I will explain the mistakes I made in building the array and what I did to attempt to overcome such pitfalls. The code for running the array will be introduced and released for public consumption. In addition, while we target the RTL-SDR devices, we will discuss the feasibility of including non-traditional SDR hardware in the array, including non-Realtek tuner cards and inclusion of HackRF devices.

Talk: Tracking of Low Earth Orbit Satellites with the RTL-SDR

Back in July we posted about Travis Goodspeed’s project on setting up a satellite dish that automatically tracks satellites in low earth orbit, where he uses an RTL-SDR for the radio. Travis gave a talk on this project at the Chaos Communication Congress conference, and the video has now been uploaded to YouTube.

Satellites in Low Earth Orbit have tons of nifty signals, but they move quickly through the sky and are difficult to track with fine accuracy. This lecture describes a remotely operable satellite tracking system that the author built from a Navy-surplus Inmarsat dish in Southern Appalachia.

The entire system is controlled through a Postgres database, fed by various daemons spread across multiple machines. So when I click on a satellite on my laptop or cellphone, it runs "UPDATE target SET name='Voyager 1';" and the motor daemon then begins to track the new target while the prediction daemon maintains accurate estimates of its position in the sky. Additional daemons take spectral prints or software-defined radio recordings of the targeted object for later review.

Improved Digital Voice P25 Decoding with DSD+

Update: This post is now very old. The latest version of DSD+ can now be found at www.dsdplus.com.

Over on Reddit we've seen mention of an upgraded Digital Speech Decoder (DSD) program, named DSD+. The original DSD is a program that can be used in conjunction with an SDR receiving program such as SDR#, and an audio piping program like VBCable, to decode digital speech such as P25 and DMR/MOTOTRBO.

DSD+ claims to have improved decoding and audio quality capabilities. An audio sample from a weak P25 sample can be found here for DSD+, and for comparison here for the old DSD.

DSD+ can be downloaded from this megaupload link.

To run DSD+, you will need to place an MP3 encoder file, lame_enc.dll, into the same folder as the dsd.exe executable. This file is not included with DSD+ due to licensing. For Windows, lame_enc.dll can be downloaded from http://lame1.buanzo.com.ar/#lamewindl (Mega Mirror). Download the ZIP option, and then copy the dll file into the same folder as DSD+.

If you don't know how to use DSD, see our tutorial on using DSD here, and if desired simply use DSD+ instead of the original DSD. (Note: Cygwin is not required for DSD+.)

DSD+ Output

Using an RTL-SDR and RTL_433 to Decode Various Devices

Over on his blog, Gough Lui has posted about his experiences with decoding various ASK/OOK devices on the unlicensed 433 MHz ISM band using an RTL-SDR and the command line program rtl_433.

Gough shows how he was able to receive and decode the data from an Aldi weather station device and a wireless doorbell transmitter. He also was able to modify the rtl_433 code slightly to produce a CSV log file of the temperatures that were received and decoded from the weather station.

rtl_433 output of the weather station

Elster R2S Smart Meter GNU Radio Decoder

Smart meters are meters that monitor electricity usage and wirelessly transmit their data to the electricity company. They are a part of the “smart grid”, and allow for better electricity control and usage reporting.

Clayton Smith was able to reverse engineer the data signal from the Elster R2S meters which are used in the Ottawa area on the 902-928 MHz band. The Elster meters use frequency hopping channels, and Clayton was able to receive 6 out of the 25 channels in his area, which should be sufficient, as most of the data packets are repeated on different channels.

He has released his GNU Radio program, which will work with the RTL-SDR. Currently, it is capable of displaying meter readings and hourly electricity usage to a terminal.

TCXO RTL-SDR Soon Available Internationally

Andy, programmer of the RTL1090 ADSB decoder software and owner of the 1090MHz webstore, has notified us that he will soon be selling to international buyers the TCXO RTL-SDR dongle modified by Nobu Saitou. We recently featured a story about the TCXO RTL-SDR and also gave it a review on this blog. From the review we concluded that the TCXO RTL-SDR is a good product and will be useful for applications that need good frequency accuracy and stability.

Interested buyers can look for the contact us link on the 1090MHz shop TCXO page description to contact Andy for a reservation and notification on when the TCXO RTL-SDR becomes available for sale. Andy expects the first batch of TCXO RTL-SDRs to arrive in January.

Receiving a 10 GHz Reflected Moon Beacon with the RTL-SDR

There is an amateur radio group in Germany known as DL0SHF which transmits a 10 GHz (QRG = 10.368.025 MHz) beacon at the moon whenever it is visible at their site. The goal of this transmission is to detect the very weak beacon reflection.

Amateur radio hobbyist Rein (W6SZ) has written in to let us know about his, DK7IJ’s and the DL0SHF group's success with receiving the beacon using the RTL-SDR. He writes:

DL0SHF transmit a signal to the moon when the moon is visible at the site. They run 2 modes 50 and 500 W output, 20 seconds on, 40 seconds off.

Last night, I managed to detect the beacon with a very simple receiving package. Amazing enough, using WSJT moon tracking data, the signal appeared right away when the moon appeared here above the trees.

The signal lasts only 20 seconds but then 40 seconds later, it returned! By the books.

I use a simple 10 GHz receiver here that I use for scouting signals on 10 GHz terrestrial as member of the San Bernardino Microwave Society.

It consists of a RTL Dongle IF block tuned to 618 MHz as IF.
Front-end is a PLL LNB, not modified, running with 9.750 GHz LO

The LNB is powered with 12 Volts by means of a Bias Tee.

Both items can be acquired for about USD 25.- on eBay and other places.

The antenna is a standard 18 inch satellite off-set dish.

The antenna has some elevation control and the feed ( LNB ) can be rotated for polarity control.

Every variable is manually operated.

At times I measured the beacon as high as 15 dB above the noise using HDSDR as DSP processor software.

The beacon was running in the 500 W output mode during these observations.

Moon bounce visible on the waterfall
Moonbounce Equipment Setup