Category: RTL-SDR

Student Arrested in Taiwan for using SDR and Handheld Radios to Halt Four High Speed Trains with TETRA Hack

The Taipei Times has reported that a 23-year-old university student in Taiwan has been arrested after using a software-defined radio and a handheld radio to hack into Taiwan High Speed Rail Corporation's (THSRC) internal radio communications and halt four trains mid-service.

Chinese-language coverage from UDN and Newtalk fills in some details omitted in the English Taipei Times article. The system the student compromised is TETRA, and at 23:23 on April 5, 2026, the student transmitted a "General Alarm" (GA) signal, the highest-priority TETRA alert, which automatically instructs trains in the area to switch to manual emergency braking. Four trains were stopped for 48 minutes. THSRC's radio system has reportedly been in service for 19 years with seven verification layers, but parameters were apparently never meaningfully rotated over that period.

Police describe the suspect as buying an SDR online, connecting it between an antenna and a laptop, capturing THSRC traffic, and decoding the relevant parameters in software, then programming those parameters into one of his eleven handheld radios. A 21-year-old friend also allegedly supplied some critical THSRC parameters. The actual details of the 'hack' aren't entirely clear from the news articles. We suspect that the THSRC TETRA system is simply unencrypted, and that the student was able to spoof a legitimate signal. It's also possible that the THSRC TETRA system used TEA1 encryption, which is known to be broken.

Police located the student through a combination of network-side TETRA logs and CCTV. When the THSRC control center called back to verify the alarm, the person on the other end gave contradictory answers and then powered the radio off, prompting THSRC to audit their handheld fleet, confirm every issued radio was accounted for in its storage locker, and report to police that the parameters had been cloned.

Base station logs from the THSRC TETRA infrastructure (which record which sites received the uplink, with multi-site signal strength narrowing the origin) were used to localize the transmission source, and CCTV from around the coverage area was then used to identify the student and trace him to his rental unit. Search warrants on 28 April seized 11 handheld radios, a laptop, and the SDR. 

He is currently out on NT$100,000 (3,200 USD) bail and faces up to ten years under Taiwan's Railway Act and Criminal Code, with an unconvincing "had it in my pocket and accidentally pressed the button" defense.

Stories like this are a reminder that experimenting with operational safety-of-life radio systems carries serious legal consequences. Back in 2016, we covered the case of Dejan Ornig, a Slovenian university student who used an RTL-SDR and the open source Osmocom TETRA decoder to discover that his country's police TETRA terminals were running unauthenticated, despite official documents stating otherwise. After seven years of court hearings, he ended up with a seven-month suspended sentence. More recently, we posted on the End of Train (EoT) vulnerability, where a security researcher demonstrated that an SDR can replicate the unauthenticated braking command on US freight trains.

The Equipment Seized by Police
A Taiwanese High Speed Train (Source: https://en.wikipedia.org/wiki/File:THSR_700T_TR17_20130907.jpg)
Translated news graphic from https://udn.com/news/story/7315/9475450

SatDump V2 Image Product Expressions YouTube Tutorial

Thank you to Paul Maine, who has submitted a new SatDump tutorial to us that he has uploaded to his YouTube channel. The new tutorial is the fourth in a series focused on SatDump V2.x. In an earlier post, we showed Paul's three previous tutorials.

His SatDump V2.x Part 4 video provides an introduction to SatDump’s “Image Product Expressions”. The video begins with satellite calibration units and descriptions, and includes Albedo, Brightness Temperature, and Radiance. The video then discusses satellite sensors, providing examples. The GOES-19 Satellite and its Advanced Baseline Imager are used in the examples.

Color RGB Images can be created using various satellite bands and Image Product Expressions to produce very beautiful and useful satellite imagery.

Image Product Expression Examples
E 27 SatDump v2.x Part4 Image Product Expressions

L-Band Weather Imagery Soon Coming Back to Western Europe via Elektro-L3

Thanks to weather satellite enthusiast 'Heja Ali' who wrote in to share some welcome news. On February 12, 2026, Roscosmos successfully launched Elektro-L No.5 aboard a Proton-M rocket from Baikonur Cosmodrome, the fifth in the Elektro-L series of Russian geostationary weather satellites (following No.1 in 2011, No.2 in 2015, No.3 in 2019 and No.4 in 2023). Like its predecessors, it carries an unencrypted 1691 MHz L-band downlink with both LRIT and HRIT imagery.

The interesting consequence for amateur satellite enthusiasts is what happens next. Per SatDump's satellite list, L5 is now commissioning at 76°E (L3's old slot), L4 is operational at 165.75°E, and the European slot at 14.5°W is currently held by L2, which has lost its L-band transmitter to a power supply failure. Once L5 is fully operational, L3 is expected to drift west to 14.5°W to replace L2, finally restoring an unencrypted geostationary L-band downlink to the UK, Ireland, Iceland, Portugal, western France, and Spain for the first time since EUMETSAT switched off Meteosat HRIT in 2018.

The Elektro-L 1691 MHz signal is easily received by an RTL-SDR Blog V3 or V4, LNA, and a modest 65 cm dish. Our Discovery Dish with the L-band weather satellite feed is a good choice, with existing users in southern Europe routinely pulling Elektro-L3 at 5 to 6 dB SNR using SatDump (which only needs around +1 dB to decode).

There is no firm public timeline yet for L3's drift west, but if you are in far-western Europe and have been waiting on a geostationary L-band satellite to become available, now is a good time to start planning for the receive hardware.

Receiving Electro-L Satellite Imagery With SatDump

P25-Survey: A Tool for Scanning and Logging P25 Control Channels with an SDR

Over on GitHub, programmer blantonl has released p25-survey, a Python tool that scans a frequency range with an RTL-SDR, Airspy or HackRF and identifies any P25 control channels present. For each one found, it logs the WACN, System ID, NAC, RFSS ID and Site ID, the full IDEN_UP band plan, neighbor sites with resolved frequencies, and signal quality metrics including RSSI, BER and decode rate.

The tool also has an optional RadioReference cross-reference mode that annotates results with the RR system name and site description, flags frequency offsets versus the database, and generates a Markdown submission report for data not yet in RadioReference. An auto-gain feature sweeps gain values on each confirmed control channel and recommends the optimal setting for your SDR and location based on BER.

P25 Survey Tool

Portable ADS-B Receiver Firmware for the ESP32-P4 Based LILYGO T-Display-P4 with RTL-SDR

Over on GitHub, John Stockdale has released ADS-B Scope – T-Display-P4, a portable open source 1090 MHz ADS-B firmware for the LILYGO T-Display-P4, which is a smartphone-shaped handheld microcontroller with a 4" touchscreen, GPS, SD card, SX1262 LoRa, and a USB 2.0 host port, built around the dual-core 360 MHz RISC-V ESP32-P4.

The most interesting bit is that John has written a custom USB host driver that allows an RTL-SDR to plug directly into the T-Display-P4. Neither a Pi nor a laptop is needed in the chain. The driver supports the Blog V4/V3 with software bias-tee control and Mode-S demodulation (adapted from dump1090), which runs in real time alongside an on-device aircraft table and radar scope (range rings, trails, helicopter silhouettes). The firmware also implements adaptive gain control, a 587K-record OpenSky aircraft database cached in PSRAM, SD card CSV logging, USB hot-plug, OTA updates, MQTT telemetry, and a WebSerial companion app at adsb-scope.offx1.com with live map, 3D view, CSV replay, and firmware flashing.

In addition to all that, the firmware also runs a Meshtastic-compatible mesh radio on the SX1262 (with PKI DM decryption and MQTT gateway forwarding) and an MP3 player through the onboard ES8311 DAC. John reports ~30 nm range from Oakland, CA on a 7" telescopic antenna, decoding 15–30 messages per second with 12–30+ aircraft tracked.

ADS-B Scope – T-Display-P4 Interface

Fixing a Locked-Up RTL-SDR 700 km Away Using uhubctl USB Power Cycling

Over on Medium, Jugy depin has shared a useful troubleshooting write-up describing how they recovered a frozen RTL-SDR on a remote Raspberry Pi station located 700 km away, with no physical access available. The dongle had stopped responding with "usb_claim_interface error -6" and "Failed to open rtlsdr device #0" errors, while still showing up in lsusb.

After ruling out the usual suspects, such as DVB drivers, conflicting processes, permissions, and even a full reboot, they concluded that the RTL2832U had locked up at the USB hardware level. To make things worse, they discovered that a Raspberry Pi reboot from the terminal does not actually power-cycle its USB ports.

The fix was to use uhubctl to cut and restore power to only the specific port the SDR was plugged into, after first carefully identifying which port that was (so as not to accidentally kill the Ethernet port and lose remote access entirely). The commands shown in the post performed a true hardware-level reset equivalent to unplugging and replugging the dongle, and rtl_test confirmed the device came back cleanly.

Jugy recommends that anyone running remote SDR stations either build uhubctl into a healthcheck script or add a smart plug for unattended recovery.
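One way to build the healthcheck recommended above, as an added example that is not from Jugy's write-up or from the uhubctl project. The hub location and port are placeholders you must set yourself, and `rtl_test -t` as the probe command is an assumption.

```shell
#!/bin/sh
# Added example: unattended recovery for an RTL-SDR locked up at the USB level.
# HUB and PORT are placeholders. Set them only after confirming, from the
# hub/port listing that plain `uhubctl` prints, which port holds the dongle
# (and not the Ethernet adapter that carries your remote access).
HUB="${HUB:-}"                  # hub location for uhubctl -l, e.g. 1-1 (placeholder)
PORT="${PORT:-}"                # port number for uhubctl -p (placeholder)
PROBE="${PROBE:-rtl_test -t}"   # assumed probe; any quick device open works
UHUBCTL="${UHUBCTL:-uhubctl}"
SETTLE="${SETTLE:-5}"           # seconds to wait for USB re-enumeration

# Return 0 if the probe output carries the lock-up signature from the write-up.
# Error -6 is LIBUSB_ERROR_BUSY, which also appears while another program holds
# the dongle, so stop the decoder service before probing.
sdr_locked_up() {
    printf '%s\n' "$1" |
        grep -Eq 'usb_claim_interface error -6|Failed to open rtlsdr device'
}

# Return codes: 0 healthy, 1 recovered by a power cycle, 2 still failing,
# 3 refused because HUB/PORT are not configured.
healthcheck() {
    out=$($PROBE 2>&1) || true
    sdr_locked_up "$out" || return 0

    if [ -z "$HUB" ] || [ -z "$PORT" ]; then
        echo "HUB/PORT not set; refusing to power-cycle an unknown port" >&2
        return 3
    fi

    echo "SDR locked up; cycling power on hub $HUB port $PORT" >&2
    # -a cycle switches the selected port off and back on, nothing else.
    $UHUBCTL -l "$HUB" -p "$PORT" -a cycle >/dev/null 2>&1 || return 2
    sleep "$SETTLE"

    out=$($PROBE 2>&1) || true
    if sdr_locked_up "$out"; then
        echo "SDR still failing after power cycle" >&2
        return 2
    fi
    return 1
}

# Does nothing unless asked, e.g. from cron: HUB=... PORT=... sh sdr-healthcheck.sh run
if [ "${1:-}" = "run" ]; then
    healthcheck
    exit $?
fi
```

A return code of 2 is the case to alert on, since it means the port cycle did not bring the dongle back.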

Build a Cubesat Reviews a Discovery Drive Prototype and Sets up SatNOGS

Over on YouTube, Manuel from the 'Build a Cubesat' channel has uploaded a video testing a prototype version of our Discovery Drive antenna rotator. If you are unaware, Discovery Drive is our new antenna rotator product for applications like satellite tracking and general antenna positioning that is currently being crowd-funded over on Crowd Supply. There are two days left in the campaign.

In the video, Manuel overviews the Discovery Drive, shows the internals, and walks us through the web UI. He goes on to show how it can be set up with the SatNOGS project. The SatNOGS project has volunteers set up ground-based satellite stations, and anyone can use those stations to log an observation anywhere in the world.

We note that he mentioned some trouble with getting SatNOGS to rotate the Discovery Drive over zenith. We have added a note to our Wiki showing how this can be fixed by specifying the correct rotational limits for the Discovery Drive.

Discovery Drive Antenna Rotator Preview

RTL-SDR 433: A New Android App for Decoding 433 MHz Sensors with rtl_433

Thank you to Christian Ebner from ebcTech, who has submitted news about his newly released Android app RTL-SDR 433, which lets you run the rtl_433 decoder directly on your phone using an RTL-SDR dongle connected via a USB OTG cable.

The app bundles rtl_433 as a native Android library and supports all 258 device protocols out of the box, including weather stations, TPMS, wireless doorbells, PIR motion sensors, energy meters, door/window contacts, and remote sockets. Decoding runs entirely on-device with no internet connection required, no root, and no special drivers. It uses the standard Android USB Host API together with a libusb Android port.

The UI is built with Jetpack Compose and Material 3, and shows a live list of unique sensors with expandable cards (temperature, pressure, RSSI, raw JSON) plus a full history log. The app is free to try with a decreasing per-session reading limit, and a one-time purchase for a few dollars removes the limit permanently.

We note that the GPL-licensed native layer (rtl_433, rtl-sdr, libusb Android port and EBC's integration glue) is published openly at github.com/ebc81/rtlsdr433-native-gpl in compliance with GPL-2.0, while the UI layer remains closed-source. 

More information about the app is available on the ebcTech page at https://ebctech.eu/rtl-sdr-433-android.

RTL SDR 433 for Android