Category: Satellite

December High Powered Rocket Flight with RTL-SDR used for GPS Measurements

The rocket carrying the RTL-SDR.
The rocket carrying the RTL-SDR.

Back in April and July of last year we posted about Philip Hahn and Paul Breed's experiments to use an RTL-SDR for GPS logging on their high powered small rockets. Basically they hope to be able to use an RTL-SDR combined with a computing platform like a Raspberry Pi or Intel Compute stick and software like gnss-sdr to record GPS data on their rocket. Using an RTL-SDR would get around the COCOM limits that essentially stop GPS from working if it measures faster than 1,900 kmph/1,200 mph and/or higher than 18,000 m/59,000 ft.

In the past they've been able to get usable data from the flights, but have had trouble with reliability and noise. That said they also tried commercial GPS solutions which have also failed to work properly even on flights travelling under the COCOM limits, whereas the RTL-SDR actually got data that could still be post processed.

On their latest flight they still had trouble with the RTL-SDR GPS solution working live during flight, but RF GPS data was still recorded and post-processing the data with SoftGNSS yielded results again as in their previous trials. The post goes over the more details and provides the raw RF data to play with if you want to have a go at extracting the data yourself.

If you are interested in a full summary of Phillip and Paul's experiments, then the GNU Radio blog has a nice summary written by Phillip that explains their full journey of trying to get a working RTL-SDR based GPS system for their rockets.

Rocket Trajectory as measured by the RTL-SDR based GPS receiver.
Rocket Trajectory as measured by the RTL-SDR based GPS receiver.

SDR and Radio Talks from the 34th Chaos Communication Congress: SatNOGs, Bug Detection, GSM with SDR, Open Source Satellites and WiFi Holography

Every year the Chaos Computer Club hold the Chaos Communication Congress (CCC) which is a conference that aims to discuss various topics related to technology and security. This year was the 34th conference ever held (34C3) and there were several interesting SDR and radio related talks which we post below. Further links and video downloads are available in the YouTube description.

SatNOGS: Crowd-sourced satellite operations

An overview of the SatNOGS project, a network of satellite ground station around the world, optimized for modularity, built from readily available and affordable tools and resources.

We love satellites! And there are thousands of them up there. SatNOGS provides a scalable and modular platform to communicate with them. Low Earth Orbit (LEO) satellites are our priority, and for a good reason. Hundreds of interesting projects worth of tracking and listening are happening in LEO and SatNOGS provides a robust platform for doing so. We support VHF and UHF bands for reception with our default configuration, which is easily extendable for transmission and other bands too.

We designed and created a global management interface to facilitate multiple ground station operations remotely. An observer is able to take advantage of the full network of SatNOGS ground stations around the world.

34C3 - SatNOGS: Crowd-sourced satellite operations

Spy vs. Spy: A Modern Study Of Microphone Bugs Operation And Detection

In 2015, artist Ai Weiwei was bugged in his home, presumably by government actors. This situation raised our awareness on the lack of research in our community about operating and detecting spying microphones. Our biggest concern was that most of the knowledge came from fictional movies. Therefore, we performed a deep study on the state-of-the-art of microphone bugs, their characteristics, features and pitfalls. It included real life experiments trying to bug ourselves and trying to detect the hidden mics. Given the lack of open detection tools, we developed a free software SDR-based program, called Salamandra, to detect and locate hidden microphones in a room. After more than 120 experiments we concluded that placing mics correctly and listening is not an easy task, but it has a huge payoff when it works. Also, most mics can be detected easily with the correct tools (with some exceptions on GSM mics). In our experiments the average time to locate the mics in a room was 15 minutes. Locating mics is the novel feature of Salamandra, which is released to the public with this work. We hope that our study raises awareness on the possibility of being bugged by a powerful actor and the countermeasure tools available for our protection.

34C3 - Spy vs. Spy: A Modern Study Of Microphone Bugs Operation And Detection

Running GSM mobile phone on SDR

Since SDR (Software Defined Radio) becomes more popular and more available for everyone, there is a lot of projects based on this technology. Looking from the mobile telecommunications side, at the moment it's possible to run your own GSM or UMTS network using a transmit capable SDR device and free software like OsmoBTS or OpenBTS. There is also the srsLTE project, which provides open source implementation of LTE base station (eNodeB) and moreover the client side stack (srsUE) for SDR. Our talk is about the R&D process of porting the existing GSM mobile side stack (OsmocomBB) to the SDR based hardware, and about the results we have achieved.

There is a great open source mobile side GSM protocol stack implementation - OsmocomBB project. One could be used for different purposes, including education and research. The problem is that the SDR platforms were out of the hardware the project could work on. The primary supported hardware for now are old Calypso based phones (mostly Motorola C1XX).

Despite they are designed to act as mobile phone, there are still some limitations, such as the usage of proprietary firmware for DSP (Digital Signal Processor), which is being managed by the OsmocomBB software, and lack of GPRS support. Moreover, these phones are not manufactured anymore, so it's not so easy to find them nowadays.

Taking the known problems and limitations into account, and having a strong desire to give everyone the new possibilities for research and education in the telecommunications scope, we decided to write a 'bridge' between OsmocomBB and SDR. Using GNU Radio, a well known environment for signal processing, we have managed to get some interesting results, which we would like to share with community on the upcoming CCC.

34C3 - Running GSM mobile phone on SDR

UPSat - the first open source satellite

During 2016 Libre Space Foundation a non-profit organization developing open source technologies for space, designed, built and delivered UPSat, the first open source software and hardware satellite.

UPSat is the first open source software and hardware satellite. The presentation will be covering the short history of Libre Space Foundation, our previous experience on upstream and midstream space projects, how we got involved in UPSat, the status of the project when we got involved, the design, construction, verification, testing and delivery processes. We will also be covering current status and operations, contribution opportunities and thoughts about next open source projects in space. During the presentation we will be focusing also on the challenges and struggles associated with open source and space industry.

34C3 - UPSat - the first open source satellite

Holography of Wi-Fi radiation

Can we see the stray radiation of wireless devices? And what would the world look like if we could?

When we think of wireless signals such as Wi-Fi or Bluetooth, we usually think of bits and bytes, packets of data and runtimes.

Interestingly, there is a second way to look at them. From a physicist's perspective, wireless radiation is just light, more precisely: coherent electromagnetic radiation. It is virtually the same as the beam of a laser, except that its wavelength is much longer (cm vs µm).

We have developed a way to visualize this radiation, providing a view of the world as it would look like if our eyes could see wireless radiation.

Our scheme is based on holography, a technique to record three-dimensional pictures by a phase-coherent recording of radiation in a two-dimensional plane. This technique is traditionally implemented using laser light. We have adapted it to work with wireless radiation, and recorded holograms of building interiors illuminated by the omnipresent stray field of wireless devices. In the resulting three-dimensional images we can see both emitters (appearing as bright spots) and absorbing objects (appearing as shadows in the beam). Our scheme does not require any knowledge of the data transmitted and works with arbitrary signals, including encrypted communication.

This result has several implications: it could provide a way to track wireless emitters in buildings, it could provide a new way for through-wall imaging of building infrastructure like water and power lines. As these applications are available even with encrypted communication, it opens up new questions about privacy.

34C3 - Holography of Wi-Fi radiation

Turning an old Radiosonde into an Active L-Band Antenna

VK5QI's Radiosonde Collection
VK5QI's Radiosonde Collection

Over on his blog VK5QI has shown how he has was able to re-purpose an old radiosonde into a wideband active L-band antenna. Radiosondes are small packages sent up with weather balloons. They contains weather sensors, GPS and altitude meters and use an antenna and radio transmitter to transmit the telemetry data back down to a ground station. With a simple radio such as an RTL-SDR and the right software, these radiosondes can be tracked and the weather data downloaded in real time. Some hobbyists such as VK5QI go further and actually chase down the weather balloons and radiosondes as they return to earth, collecting the radiosonde as a prize.

VK5QI and his friend Will decided to put some of his radiosonde collection to good use by modifying one of his RS92 radiosondes into a cheap active L-band antenna. They did this by first opening and removing unnecessary components that may interfere such as the main CPU, GPS receiver, 16 MHz oscillator, SAW filters and balun. They left the battery, LDO's, LNA's and Quadrifilar Helix GPS antenna which is tuned to the GPS L-band frequency. Finally they soldered on a coax connector to a tap point on the PCB and it was ready to use.

They then connected the new antenna to a RTL-SDR V3 and fired up GQRX. They write that their results were quite promising with several Inmarsat and Iridium signals being visible in the spectrum. VK5QI also used gr-iridium with the antenna as was able to decode some Iridium signals.

Modified Radiosonde L-Band Antenna connected to a RTL-SDR V3.
Modified Radiosonde L-Band Antenna connected to a RTL-SDR V3.

Airspy HF+ Can Receive L-Band 1.2 GHz to 1.67 GHz

The Airspy HF+ is a much anticipated and recently released software defined radio that specializes in HF and VHF reception. However, one little known and not often advertised feature is that it can actually be used for L-band reception between 1.2 and 1.67 GHz as well. This means that it could be used for signals such as AERO, STD-C, Iridium, the 23cm amateur radio band and more.

Over on YouTube Adam 9A4QV has uploaded a video that tests the HF+ with Alphasat AERO signals at about 1.545 GHz. He notes that the sensitivity is quite good as it is able to receive the satellite signals directly with only the antenna connected and no external LNA used. Of course adding in an external low noise figure LNA and filter would improve the signal even further. Adam notes that reception on the 23cm amateur band (1240 MHz to 1300 MHz) is also quite good with sensitivity reaching about -130 dBm.

Airspy HF+ L-band satcom test

Outernet 3.0 Coming Soon: Free 30kbps – 100kbps satellite data downlink for news, weather, audio etc

The new Outernet Dreamcatcher v3.01
The new Outernet Dreamcatcher v3.01

Over the past few years we've posted quite a bit about Outernet who offered a free downlink of satellite data such as news, Wikipedia articles and weather updates that was able to be received with a small L-band patch antenna, LNA and an RTL-SDR dongle.

Recently we've seen news on their forums that Outernet is planning on discontinuing their L-band service, and instead opening up a new much more efficient Ku-band service. Unfortunately that means that RTL-SDRs and the previous Outernet L-band hardware will no longer be useful for the downlink, but the new service appears to offer several significant advantages.

Firstly the downlink data rate is much higher at 30kbps, with the plan to eventually go up to 100kpbs. That's 300MB - 1 GB a day which is a lot more compared to the previous L-band implementation that gave less than 20MB a day.

Secondly the hardware seems to be simplified as well. All that is needed is their new Dreamcatcher V3 receiver board and a small Ku-band LNB (11.7-12.75 GHz). They claim that no dish is required as the LNB pointed at the satellite by itself will work just fine. The first iteration of Outernet also used Ku-band satellites, but required a large dish antenna to receive it which was a major hurdle to user adoption. They now appear to have discovered a new way to broadcast in the Ku-band without the need for a dish.

Thirdly, moving to Ku-band means significant cost savings for Outernet allowing them to survive and continue with their free data service. From what we understand the L-Band satellite downlink service is extremely costly to run, whereas a Ku-band service is much cheaper. There are also cost savings for the user as Ku-band LNBs are very common hardware that can be found cheaply for $10 - $20 US.

About the new services that they can offer and the cost savings that they can achieve Syed the CEO of Outernet writes:

The fatter pipe [300MB - 1GB] makes a lot of things possible, one of which is a true radio broadcast. How about a national radio broadcast that isn't SiriusXM? Our new receiver will include a speaker; audio through the speaker while files download in the background. But more data is not the most important thing that comes out of all this. The real win is that leasing standard, commodity Ku bandwidth is far, far more cost effective than the few kilohertz we have on L-band. Long-term sustainability of a free broadcast is no longer the financial burden that it once was--especially considering how much more interesting the service becomes.

There is no concrete hardware release date just yet, but on the forums Syed estimates mid-Jan. You can sign up to the Outernet mailing list on their buy-now page to be emailed when the new hardware is released. In the forums Syed also writes that the target price for the hardware is $99 US, with the intention to provide lower cost options in the future. Of course it might still be possible to DIY your own unit just like it was with the previous Outernet iterations.

We're really looking forward to this and think that this is what will finally make Outernet a very popular and useful service!

The Outernet 3.0 prototype setup
The Outernet 3.0 prototype setup

Scytale-C: A New Inmarsat STD-C Decoder + Tekmanoid STD-C Decoder Updates

Over on the BitBucket code repository a new open source decoder for Inmarsat STD-C called Scytale-C has been released. The software is available for Windows, and a ready to use binary .exe file can be downloaded from the downloads section of the BitBucket repo.

Inmarsat STD-C is an L-band geosynchronous satellite signal that transmits at 1.541450 GHz. This means that the signal can be received with a simple patch antenna, LNA and RTL-SDR dongle. The satellite is geosynchronous (stationary in the sky), so no tracking is required. On the STD-C channel you'll see messages mainly for mariners at sea such as weather updates, military operational warnings, pirate sightings/reports, submarine activity, search and rescue messages and more. If you are interested we have a tutorial based on other software packages available here which also shows some STD-C message examples. The tutorial can easily be adapted for use with Scytale-C instead.

We've also seen on Twitter that Scytale-C beta tester @otti has noted that a SDR# plugin based on Scytale-C seems to be in the works.

Scytale-C Screenshot
Scytale-C Screenshot

An Important Note on the Coding Ethics of Scytale-C + Tekmanoid Decoder Updates

We feel that it is responsible to make a note on coding and licencing ethics about this software. Originally the software was illegally decompiled by 'microp11' from the closed source Tekmanoid STD-C decoder written by Alex and re-released in a different programming language with a different GUI as the 'open source' B4000Hz software. After Alex took action and micrcop11 realized what he did was wrong he took B4000Hz down. Since then microp11 notes that he has written Scytale-C fully from scratch without the closed source code knowledge. But to be unquestionably legal a full two man clean-room rewrite would probably need to be done as once knowledge of source code is acquired it can be difficult to think of a separate implementation (a somewhat related post discussing this on StackExchange).

However, Alex has noted microp11's passion, and microp11's remorse at the initial decompilation and release of B4000Hz, and has decided to take the higher road and not pursue any further DMCA complaints. Instead he has kindly decided to allow the software to exist, but with acknowledgement of Tekmanoid included. We're glad that the matter was resolved amicably, but still if you use the Scytale-C software we would urge you to still consider the free or paid version of the Tekmanoid STD-C decoder to support Alex

Recently Alex has updated his software to include a spectrum analyzer and more appealing method of displaying EGC messages. Alex writes regarding his Tekmanoid STD-C decoder:

This software [Tekmanoid STD-C Decoder] is closed source and has been since it was first released around 2009. At that time I made a choice to keep the source private but share the executable EGC app for free with the public, so that others could have some fun on the L-band!

The "pro" EGC-LES version was developed in parallel the same year but kept private, nobody even knew it existed. Although I recognized its potential financial value I didn't take "advantage" of it. Firstly because it was a personal hobby project (can't put a price on intellectual property) and second, because I didn't want to help to further expose people's private communications to the open public.

In February 2017 a raw clone of my de-compiled code was made public, to be later withdrawn with an apology. That is the moment I decided to release the PRO version as payware to the public. Many new features present in today's PRO version have been proposed by users and my aim is to satisfy everyone's wishes.

Recently another similar project was released from the same author, with lots of documents to support the code and only minute traces of the initial de-compilation. This time one could indeed claim to have built it "from scratch" - codewise at least. The fact still remains that *part* of the knowledge (not 'code' necessarily) required to put it together was obtained from this initial reverse engineering process.

Despite the negativity surrounding this case, I decided to withdraw my takedown request on the project in exchange for an acknowledgement to the original Tekmanoid decoder, as this person himself wished to include from the start anyway.

To end it with another positive note, I can only hope this newcomer will bring something new to the scene, and that we will see some interesting things!

Below is a video of the updated Tekmanoid decoder.

Tekmanoid EGC+LES pro decoder

Update: Microp11 wrote to us after this post went out and wrote the following:

I just want to let you know that scytalec is not a re-write. It is another solution of solving the problem of decoding the Inmarsat-C. Written from scratch. Inadvertently any Inmarsat-C decoder in the 1.5GHz band will have the same the building blocks and they are now documented in detail in the bibliography published with my code. The information is hard to find. All the information is from publicly available sources only. Such that the code will be able to withstand the obstacles or remaining open source. The majority of the documentation is technical manuals, as they each in part reveal a piece of the puzzle, and collectively they contain an almost complete communication protocol. Some are books and they must be the specific revision mention within the bibliography. Moreover if any coder will read the documentation they will actually be able to write a better decoder as I found parts of it too late for a more elegant code writing. And this is the whole idea of scytalec, that anyone can do it if they put their mind to it. There is enough documentation to tackle the C-band as well. And giving enough time, I might be planning on doing that after the sdr# plugin I’m working at. Not alone, as I was and I am being helped by others to which I am grateful and their names were and will be mentioned within the code. Just so you will have an idea of how deep the documentation correctness went for this project, even if a code comment was incorrect, say I was referring to a frame as a “block” or “part” I would get an admonishing email on that. So yes, I have high reasons to stand by this code originality.

A Video Tutorial about Receiving HRPT Weather Satellite Images

Over on YouTube 'Tysonpower' has recently uploaded a very informative video and blog post showing how he is able to receive HRPT weather satellite images. Note that the video is in German, but English subtitles are provided.

Most readers of this blog are probably familiar with the more commonly received APT images that are broadcast by the NOAA satellites at 137 MHz, or perhaps the LRPT images also broadcast at 137 MHz by the Russian Meteor M2 satellite. HRPT signals are a little different and more difficult to receive as they are broadcast in the L-band at about 1.7 GHz. Receiving them requires a dish antenna (or high gain Yagi antenna), L-band dish feed, LNA and a high bandwidth SDR such as an Airspy Mini. The result is a high resolution and uncompressed image with several more color channels compared to APT and LRPT images.

In his video Tysonpower shows how he receives the signal with his 3D printed L-band feed, a 80cm offset dish antenna (or 1.2m dish antenna), two SPF5189Z based LNAs and an Airspy Mini. As L-band signals are fairly directional Tysonpower points the dish antenna manually at the satellite as it passes over. He notes that a mechanised rotator would work a lot better though. For software he uses the commercial software available directly from USA-Satcom.com.

[EN subs] HRPT - Erste Bilder! und mein Setup

An Example HRPT Image Received by Tysonpower.
An Example HRPT Image Received by Tysonpower.

Building a DIY AZ/EL Antenna Rotator for Satellite Tracking

Over on his YouTube channel Tysonpower a.k.a Manuel has uploaded a video showing a demonstration of his home made antenna rotator. Manuel has also created a blog post about his antenna rotator, which includes a full parts list and a link to all the files.

An antenna rotator can be used to automatically point a high gain directional antenna such as a Yagi at a low earth orbit satellite which passes overhead relatively quickly. Such as antenna can be easily connected to an SDR like the RTL-SDR to receive data such as HRPT weather satellite images from satellites.

Manuel's antenna tracker is inspired by the SatNOGs rotator, but he writes that his one was designed to slightly to be smaller and more powerful. For the driving motors he uses NEMA23 steppers which are mounted in a frame made out of 2020 aluminum extrusions. An Arduino Nano with optical end stops controls two TB6600 stepper drivers which control the motors. The rest of the parts such as brackets and gears are all 3D printed.

Attached to the antenna rotator is Manuel's home made carbon Yagi antenna. He also attempted to use his 1.2m dish but found that the rotator could not handle the weight.

[EN subs] DIY AZ/EL Antennen Rotor / Sat Tracker