Category: Tutorial

RTL-SDR.COM GOES 16/17 and GK-2A Weather Satellite Reception Comprehensive Tutorial

GOES 16/17 and GK-2A are geosynchronous weather satellites that transmit high resolution weather images and data. In particular they are far enough away from the earth to be able to take beautiful 'full disk' images which show the entirety of one side of the Earth. As these satellites are in a geosynchronous orbit, they can be counted on to be in the same position in the sky at all times, so no tracking hardware is required and images can be pulled down constantly throughout the day without having to wait for a polar orbiting satellite to pass over like you would with the NOAA APT or Russian Meteor satellites.

With a low cost WiFi grid dish antenna, LNA and RTL-SDR dongle, any home user within the footprint of one of these weather satellites can receive and decode live images directly from the sky. Setting up a station is overall not too difficult, but it can be a bit fiddly with a number of steps to complete. Below is our comprehensive guide. We'll show how to set up a self contained Raspberry Pi based system with goestools (free), as well as a guide for the Windows PC software XRIT decoder (US$125).

We've attempted to make the tutorial as newbie friendly as possible, but we do need to assume basic RF knowledge (know what antennas, SDRs, coaxial, adapters etc are), basic Linux competency for the goestools tutorial (using the terminal, using nano text editor), and basic Windows competency for the XRIT decoder tutorial (unzipping, editing text files, running programs).

A full disk false color image received directly from the GOES-17 satellite with an RTL-SDR. Click for the full size image (14MB).

There are two fourth generation NOAA GOES satellites that are currently active, GOES-16 and GOES-17. These transmit HRIT signals, and also relay shared data from the older third generation GOES-15 and the Japanese Himawari-8 satellites. At the moment GOES-16 and GOES-17 are producing full disk images every 30 minutes, and close up "mesoscale" shots of the USA every ~15 minutes. GOES-16 (aka GOES-R) and GOES-17 (aka GOES-S) are also known as GOES-EAST and GOES-WEST respectively. At least one of these satellites can be received from North/South America, Canada, Alaska/Hawaii, New Zealand, Eastern Australia and some Pacific islands.

There is also the older generation GOES-15 and GOES-14 which have been placed in standby orbits. These transmit LRIT signals which provide images at a slower rate.

GOES 16/East and GOES 17/West Signal Footprint

There is also the Korean GK-2A (GEO-KOMPSAT-2A) satellite which is very similar to the GOES satellites. GK-2A covers India, much of Asia, Australia, New Zealand and parts of Russia. Note that you may have previously heard of the COMS-1 satellite which used to cover this area. In July 2019 COMS-1 was replaced by GK-2A. Unlike GOES, GK-2A images are encrypted. However it has been found that "sample" encryption keys found online in demo code work just fine.

GK-2A contains both LRIT and HRIT channels, but at the moment only the LRIT channel can be decoded with the currently available software. The LRIT channel sends full disk IR images every 10 minutes in 2200 x 2200 resolution. Compared to the 5424 x 5424 resolution GOES full disk images, this is smaller, but still large enough to be interesting.

Note that even if HRIT decoding is added by the current software, you would require an Airspy or other wideband SDR as the GK-2A HRIT signal bandwidth is 5 MHz. Also since the HRIT bandwidth is so wide, the signal strength is reduced, meaning that you'll need a larger dish. People who have received the HRIT signal note that a 3M+ sized dish seems to be required.

GK-2A (GEO-KOMPSAT-2A) Footprint

You might ask why bother receiving these satellite images directly, when you can get the exact same images from NOAA at https://www.star.nesdis.noaa.gov/GOES/index.php. Well, you might want to set up your own station to be independent from the internet, or you live in a remote location without internet, or maybe just for the fun and learning of it.

To set up a receiver for GOES 16/17 HRIT or GK-2A LRIT you'll need to purchase a dish antenna such as a cheap 2.4 GHz WiFi antenna, an RTL-SDR, GOES LNA, and a Raspberry Pi if using goestools, otherwise a Windows PC can be used. The total cost could be anywhere from $150 - $200 depending on what pieces you already have available.

Before we start the tutorial, you might want to use an augmented reality Android app like "Satellite-AR" to get a rough idea of where either GOES 16/17 or GK-2A (GEO-KOMPSAT-2A) is in your sky, and if receiving them is even feasible for your location. You'll need to find an area on your land where you can mount a small satellite dish with an unobstructed line of sight view to the satellite (no trees or buildings can be blocking the signal path). If the satellite is low on the horizon (below 25 deg elevation), then things get a little more difficult as you have more obstructions and a weaker signal. But it can still be done, and we're able to routinely get good results at 24.5 deg elevation.

Note that for Europe and Africa, unfortunately there are no satellites that can be received easily with an SDR and LNA. But you might instead be interested in the EUMETCAST service, which can be received from EUTELSAT 10A (Ku band), Eutelsat 5 WEST A (C band) and SES-6 (C band). To receive this service you'll need a DVB-S2 receiver and a satellite dish with an LNB for the appropriate band. You also need license keys and software which all together cost €100. EUMETCAST reception is not covered in this tutorial; instead see this video.


Tutorial on Setting up OP25 for P25 Phase 2 Digital Voice Decoding

Most police departments in the USA have now upgraded or are in the process of upgrading their radio systems to P25 Phase 2 digital radio. The frequencies can easily be received with an RTL-SDR, but a decoder is required to be able to actually listen to the voice. Software like SDRTrunk and DSDPlus can decode P25 Phase 1, but at the moment the only software that is capable of decoding P25 Phase 1 AND 2 is a program called OP25. However, OP25 has a reputation of being fairly difficult to set up as it does not have a simple to use GUI, and requires Linux.

Over on John's Tech Blog, John has uploaded a very helpful step by step tutorial that should help with those trying to get OP25 to work. The tutorial assumes that you have Ubuntu 18.04 already installed, and then starts from downloading and installing OP25. The next steps involve setting up OP25 for the particular system in your area, which mostly involves just editing a spreadsheet to input frequency data from radioreference.com. John also mentions that he's been able to get OP25 running perfectly on a Raspberry Pi 3 B+ as well, with less than 40% CPU usage.

OP25 Running

In the video below John reviews some of the steps, and shows OP25 running and decoding voice.

OP25 Tracking 2 Control Channels

Tutorial: Setting up a Low Cost QRP (FT8, JT9, WSPR etc) Monitoring Station with an RTL-SDR V3 and Raspberry Pi 3

QRP is amateur radio slang for 'low transmit power'. QRP digital modes such as FT8, JT9, JT65 and WSPR are modes designed to be transmitted and received across the world at low transmit powers (although not everyone uses only low power). The special design of these modes allows even weak signals to be decodable by the receiving software. Released in 2017, FT8 has shown itself to now be the most popular mode by far with JT9 and JT65 taking a backseat. WSPR is also not as active as FT8, although WSPR is more of a beacon mode rather than one used for making contacts.

Apart from being used by hams to make contacts, these weak signal modes are also valuable indicators of the current HF propagation conditions. Each packet contains information on the location of the transmitter, so you can see where and how far away the packet you've received comes from. You also don't need to be a ham to set up a monitoring station. As an SWL (shortwave listener), it can be quite interesting to simply see how far away you can receive from, and how many countries in the world you can 'collect' signals from.

This tutorial is inspired by dg0opk's videos and blog post on monitoring QRP with single board computers. We'll show you how to set up a super cheap QRP monitoring station using an RTL-SDR V3 and a Raspberry Pi 3. The total cost should be about US $56 ($21 for the RTL-SDR V3, and $35 for the Pi 3).

With this setup you'll be able to continuously monitor multiple modes within the same band simultaneously (e.g. monitor 20 meter FT8, JT65+JT9 and WSPR all on one dongle at the same time). The method for creating multiple channels in Linux may also be useful for other applications. If you happen to have an upconverter or a better SDR to dedicate to monitoring such as an SDRplay or an Airspy HF+, then this can substitute for the RTL-SDR V3 as well. The parts you'll need are as follows:

  • RTL-SDR V3 (or upconverter, or other HF & Linux capable SDR)
  • Raspberry Pi 3 (or other SBC with similar performance)
  • Internet connection
  • Band filter (optional but recommended)
  • HF antenna (this could be as simple as a long wire)

Examples of QRP Receivers with an RTL-SDR

Monitoring FT8, JT9, JT65 and WSPR simultaneously with an RTL-SDR V3 and Pi 3


Using an RTL-SDR and moRFeus as a Tracking Generator to Measure Filters And Antenna VSWR

The Outernet moRFeus

As Outernet is currently having a sale and selling their moRFeus product at only US $99 (see next post for details - or simply use coupon code "rtlsdrblog" on their checkout - valid until Saturday 09 May 18), we thought that we'd show an interesting use for the moRFeus when combined with an RTL-SDR.

Outernet's moRFeus is a signal generator and frequency mixer that can be controlled either by its built-in LCD screen, or via software on a Windows or Linux PC. It can generate a clean low phase noise tone anywhere between 85 and 5400 MHz. Because it can be computer controlled it is possible to use moRFeus as a tracking generator for characterizing filters and measuring antenna SWR. A tracking generator is just a signal generator that can be set to output at the same frequency that the measurement receiver is tuned to.

In the past we've posted a tutorial showing how to use a wideband noise source for measuring filters and antenna SWR. However, if available, a tracking generator is usually preferred over a noise source. A wideband noise source outputs high power at all frequencies, and so can easily overload an RTL-SDR causing reduced dynamic range and accuracy in measurements. This is especially the case when measuring bandstop filters as they pass all frequencies, apart from a small blocking band. Since so much noise gets through to the dongle, dynamic range is reduced.

This post shows how to use the moRFeus as a tracking generator together with an RTL-SDR for making RF measurements. This could be called a scalar network analyzer. The set up uses GQRX and a Python script, but in the future it is possible that someone may develop a standalone app.

Equipment Required

  1. A directional coupler like the minicircuits ZFDC-20-5, or an RF Bridge with 50 Ohm dummy load.
  2. moRFeus or other computer controllable wideband signal generator.
  3. An RTL-SDR
  4. A ~20dB attenuator

Since the output of the moRFeus is quite strong, an attenuator is required to keep signal levels low enough to not overload the RTL-SDR.

The cheapest RF bridge we've found is available on eBay for about $7. With an RF Bridge you'll need a 50 Ohm dummy load as well to connect to the 'REF' port. Directional couplers seem to work more accurately however, and second hand minicircuits ones can often be found on eBay. A $2 TV 'tap' is also a directional coupler, and may also work, although we have not tested this.

Software Setup

In this tutorial we're using the method first described by 'LamaBleu' in his post to the Outernet forums. The method uses Linux and involves reading power levels from the RTL-SDR by using GQRX and its remote telnet connection capabilities. The telnet command "F freq" can be used to change frequency in GQRX, and the command "l" can be used to read out the current power level in dBFS.

To control moRFeus we use Outernet's official "morfeus_tool", which is a command line based tool.

A basic Python script was written to set the frequency in moRFeus and GQRX at the same time. After a 500 ms settling time the power level is measured and recorded in a CSV file, then the script iterates to the next frequency. We iterate at 1 MHz intervals.

If you have a moRFeus and want to try this project out, copy and paste the script from pastebin, and name the file morfeus_scalar.py. Place the morfeus_scalar.py file and the morfeus_tool_linux_x32 tool into the home folder.

To get the software started:

  1. Open GQRX and connect the dongle and required RF components for the test (shown below).
  2. Set the RTL-SDR gain to zero or just low enough so that the signal doesn't cause overload (moRFeus signal levels are fairly high).
  3. In the GQRX GUI ensure that the "Remote control via TCP" button is pressed in. (Looks like two computer screens).
  4. Edit the Python script and choose the frequency range that you'd like to scan by setting the variables FREQ_MIN and FREQ_MAX.
  5. In a terminal run "sudo python morfeus_scalar.py".
  6. When the script completes you'll have a file "out.txt" which is a CSV file of frequency and signal power levels.

Characterizing Filters

To characterize a filter (find the response of a filter) simply connect the system like so:

moRFeus Filter Test

  1. First connect just the moRFeus, attenuator and RTL-SDR together (no filter yet).
  2. In GQRX increase the gain until just a few dB before the RTL-SDR overloads and starts showing signal images. This will maximize the available dynamic range.
  3. Run an initial calibration scan with morfeus_scalar.py. Save the results in out.txt into a spreadsheet.
  4. Connect the filter in the RF chain, and then run a second scan with morfeus_scalar.py. Save the results into another column in the spreadsheet.
  5. Subtract the calibration scan results from the filtered results. Plot the resulting values using the spreadsheet software. This will show the response of the filter.
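The sweep and the calibration subtraction described above, written out as an added example; this is not the pastebin script from the post, and it assumes GQRX's rigctl-style remote control on its default port 7356 (commands "F <hz>" answered with "RPRT 0", and "l STRENGTH" returning dBFS), that morfeus_tool accepts a "setFrequency <Hz>" argument (check its --help before relying on that), and a -3 dBFS headroom threshold chosen here for the overload warning. The constructed bandpass stand-in only exists so the script runs offline; with real hardware, swap in GqrxRemote and set_morfeus_frequency.

```python
#!/usr/bin/env python3
"""Scalar network analyzer sweep: moRFeus as tracking generator, GQRX as detector."""
import csv
import socket
import subprocess
import time

GQRX_HOST = "127.0.0.1"
GQRX_PORT = 7356                           # GQRX remote-control default port (assumed)
MORFEUS_TOOL = "./morfeus_tool_linux_x32"  # assumed path, as placed in the home folder
FREQ_MIN = 100_000_000                     # Hz, edit to taste as the post suggests
FREQ_MAX = 200_000_000
STEP_HZ = 1_000_000                        # 1 MHz steps, as in the post
SETTLE_S = 0.5                             # 500 ms settling time, as in the post
HEADROOM_DBFS = -3.0                       # assumed margin below full scale for the overload check


class GqrxRemote:
    """Minimal client for GQRX's 'Remote control via TCP' (rigctl-compatible) protocol."""

    def __init__(self, host=GQRX_HOST, port=GQRX_PORT):
        self.sock = socket.create_connection((host, port), timeout=5)
        self.io = self.sock.makefile("rw", newline="\n")

    def _cmd(self, line):
        self.io.write(line + "\n")
        self.io.flush()
        return self.io.readline().strip()

    def set_frequency(self, hz):
        # 'F <hz>' retunes the receiver; GQRX answers 'RPRT 0' on success (assumed reply).
        reply = self._cmd(f"F {hz}")
        if reply != "RPRT 0":
            raise RuntimeError(f"GQRX refused F {hz}: {reply!r}")

    def read_power_dbfs(self):
        # 'l STRENGTH' returns the current signal level in dBFS.
        return float(self._cmd("l STRENGTH"))

    def close(self):
        self.io.close()
        self.sock.close()


def set_morfeus_frequency(hz):
    """Retune the generator via morfeus_tool (assumed 'setFrequency <Hz>' syntax)."""
    subprocess.run([MORFEUS_TOOL, "setFrequency", str(hz)], check=True)


def sweep(set_generator, set_receiver, read_power, f_min, f_max, step,
          settle=SETTLE_S, sleep=time.sleep):
    """Step generator and receiver together and record (hz, dBFS) pairs."""
    rows = []
    for hz in range(f_min, f_max + 1, step):
        set_generator(hz)
        set_receiver(hz)
        sleep(settle)  # let the tuner and the FFT averaging settle before reading
        rows.append((hz, read_power()))
    return rows


def check_headroom(rows, limit=HEADROOM_DBFS):
    """Frequencies where the receiver is within `limit` of full scale: lower the gain there."""
    return [hz for hz, dbfs in rows if dbfs > limit]


def filter_response(calibration, measured):
    """Step 5: subtract the through-line calibration sweep from the DUT sweep (dB)."""
    cal = dict(calibration)
    return [(hz, dbfs - cal[hz]) for hz, dbfs in measured if hz in cal]


def write_csv(rows, path="out.txt"):
    """Write frequency/power pairs in the same CSV shape the post's out.txt uses."""
    with open(path, "w", newline="") as fh:
        writer = csv.writer(fh)
        writer.writerow(["frequency_hz", "power_dbfs"])
        writer.writerows(rows)


def simulated_bandpass(centre_hz, bw_hz, floor_db=-60.0):
    """Constructed stand-in for a real filter so the demo runs offline; not a real response."""
    def response_db(hz):
        offset = abs(hz - centre_hz)
        if offset <= bw_hz / 2:
            return 0.0
        return max(floor_db, -40.0 * (offset / bw_hz - 0.5))  # crude linear skirt
    return response_db


def main():
    # Offline demo: both "instruments" are lambdas driven by the constructed filter.
    state = {"hz": FREQ_MIN}
    dut = simulated_bandpass(150_000_000, 10_000_000)
    tune = lambda hz: state.__setitem__("hz", hz)
    instant = lambda s: None
    cal = sweep(tune, tune, lambda: -20.0, FREQ_MIN, FREQ_MAX, STEP_HZ, sleep=instant)
    dut_rows = sweep(tune, tune, lambda: -20.0 + dut(state["hz"]),
                     FREQ_MIN, FREQ_MAX, STEP_HZ, sleep=instant)
    if check_headroom(cal):
        print("warning: calibration sweep is near clipping, reduce RTL-SDR gain")
    write_csv(filter_response(cal, dut_rows))


if __name__ == "__main__":
    main()
```

Running the calibration sweep without the filter and checking it with check_headroom before the real measurement is what protects the dynamic range the post is concerned about: if any point is already close to full scale, the filtered readings near the passband will be compressed and the subtraction will understate insertion loss.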

Download Example Spreadsheet (.xls) (.ods)


Tutorial: Replay Attacks with an RTL-SDR, Raspberry Pi and RPiTX

UPDATE: Version 2 of RPiTX renders this tutorial obsolete, as it is now very easy to copy and replay signals using the RPiTX GUI (or the "sendiq" command) and an RTL-SDR. This tutorial is still valid for the overall concept.

With an RTL-SDR dongle, Raspberry Pi, piece of wire and literally no other hardware it is possible to perform replay attacks on simple digital signals like those used in 433 MHz ISM band devices. This can be used for example to control wireless home automation devices like alarms and switches.

In this tutorial we will show you how to perform a simple capture and replay using an RTL-SDR and RPiTX. With this method there is no need to analyze the signal, extract the data and replay using a 433 MHz transmitter. RPiTX can replay the recorded signal directly without further reverse engineering, just as if you were using a TX capable SDR like a HackRF to record and transmit an IQ file.

Note that we've only tested this replay attack with simple OOK 433 MHz devices. Devices with more complex modulation schemes may not work with this method. But the vast majority of 433 MHz ISM band devices are using simple modulation schemes that will work. Also replay attacks will not work on things like car keys, and most garage door openers as those have rolling code security.

A video demo is shown below:

Replay Attacks at 433 MHz with RTL-SDR and a Raspberry Pi running RPiTX

Hardware used and wireless ISM band devices tested with RPiTX

RPiTX

RPiTX is open source software which allows you to turn your Raspberry Pi into a general purpose transmitter for any frequency between 5 kHz and 500 MHz. It works by using square waves to modulate a signal on the GPIO pins of the Pi. If controlled in just the right way, FM/AM/SSB or other modulations can be created. By attaching a simple wire antenna to the GPIO pin these signals become RF signals transmitted into the air.

Of course this creates an extremely noisy output which has a significant number of harmonics. So to be legal and safe you must always use bandpass filtering. Harmonics could interfere with important life critical systems (e.g. police/EMS radio, aircraft transponders etc).

For testing, a short wire antenna shouldn't radiate much further than a few meters past the room you're in, so in this case you should be fine without a filter. But if you ever connect up to an outdoor antenna or amplify the signal then you absolutely must use adequate filtering, or you could find yourself in huge trouble with the law. Currently there are no commercially made 433 MHz filters for RPiTX available that we know of, so you would need to make your own. Also remember that you are still only allowed to transmit in bands that you are licensed to which for most people will be the ISM bands.

In the past we've seen RPiTX used for things like controlling an RC car, building a home made FM repeater, creating a ham transceiver and transmitting WSPR (via a well made filter). We've also seen people perform replay attacks using the cleaner but harder way by reverse engineering a 433 MHz signal, and then generating the RPiTX OOK modulation manually.


RTL-SDR Tutorial: Receiving and Decoding Data from the Outernet

NOTE: This tutorial is no longer valid as Outernet discontinued their L-Band service in late 2017. Please consult www.outernet.is for news on their latest delivery methods.

Outernet is a relatively new satellite service which aims to be a "library in the sky". Essentially their service is going to be constantly transmitting files and data like news and weather updates from geostationary satellites that cover almost the entire world. Geostationary means that the satellites are in a fixed position in the sky, and do not move over time. By simply pointing a small patch antenna at the sky (with LNA and RTL-SDR receiver), it is possible to download and decode this data from almost anywhere in the world. Their aim is to provide up to date information to users in locations with little to no internet (rural, third world and sea), or in countries with censored internet. It may also be of interest to disaster preppers who want an "off-grid" source of news and weather updates. It can be thought of as a kind of one-way, download-only internet service.

Currently the L-band service is being tested, and while they are not yet sending actual Outernet files, they are already sending several daily test files like small videos, images and text documents as well as GRIB files for mariners. At a maximum you can expect to receive up to about 20 MB of data a day from their satellite. Previously they had C-band services but these required large satellite dishes. The C-band service is due to be discontinued at some point in the future.

In this guide we'll show you how to set up an Outernet L-band receiver with an RTL-SDR dongle. If you enjoy this guide then you might also enjoy our Inmarsat STD-C EGC Decoding Tutorial which has similar hardware requirements.

The Outernet demodulator running in Linux.


RTL-SDR.COM GOES 16/17 and GK-2A Weather Satellite Reception Comprehensive Tutorial

GOES 16/17 and GK-2A are geosynchronous weather satellites that transmit high resolution weather images and data. In particular they are far enough away from the earth to be able to take beautiful 'full disk' images which show the entirety of one side of the Earth. As these satellites are in a geosynchronous orbit, they can be counted on to be in the same position in the sky at all times, so no tracking hardware is required and images can be pulled down constantly throughout the day without having to wait for a polar orbiting satellite to pass over like you would with the NOAA APT or Russian Meteor satellites.

With a low cost WiFi grid dish antenna, LNA and RTL-SDR dongle, any home user within the footprint of one of these weather satellites can receive and decode live images directly from the sky. Setting up a station is overall not too difficult, but it can be a bit fiddly with a number of steps to complete. Below is our comprehensive guide. We'll show how to set up a self contained Raspberry Pi based system with goestools (free), as well as a guide for the Windows PC software XRIT decoder (US$125).

We've attempted to make the tutorial as newbie friendly as possible, but we do need to assume basic RF knowledge (know what antennas, SDRs, coaxial, adapters etc are), basic Linux competency for the goestools tutorial (using the terminal, using nano text editor), and basic Windows competency for the XRIT decoder tutorial (unzipping, editing text files, running programs).

Click for the full size image (14MB)
A full disk false color image received directly from the GOES-17 satellite with an RTL-SDR. Click for the full size image (14MB).

There are two fourth generation NOAA GOES satellites that are currently active, GOES-16 and GOES-17. These transmit HRIT signals, and also transmit shared data from the older third generation GOES 15, and Japanese Himiwari8 satellites. At the moment GOES-16 and GOES-17 are producing full disk images every 30 minutes, and close up "mesoscale" shots of the USA every ~15 minutes. GOES-16 (aka GOES-R) and GOES-17 (aka GOES-S) are also known as GOES-EAST and GOES-WEST respectively. At least one of these satellites can be received from North/South America, Canada, Alaska/Hawaii, New Zealand, Eastern Australia and some pacific islands.

There is also the older generation GOES-15 and GOES-14 which have been placed in standby orbits. These transmit LRIT signals which provide images at a slower rate. 

GOES 16/East and GOES 17/West Signal Footprint
GOES 16/East and GOES 17/West Signal Footprint

There is also the Korean GK-2A (GEO-KOMPSAT-2A) satellite which is very similar to the GOES satellites. GK-2A covers countries like India, Asia, Australia, New Zealand and parts of Russia. Note that you may have previously heard of the COMS-1 satellite which used to cover this area. Since July 2019 COMS-1 was replaced by GK-2A. Unlike GOES, GK-2A images are encrypted. However it has been found that "sample" encryption keys found online in demo code work just fine.

GK-2A contains both LRIT and HRIT channels, but at the moment only the LRIT channel can be decoded with the currently available software. The LRIT channel sends full disk IR images every 10 minutes in 2200 x 2200 resolution. Compared to the 5424 x 5424 resolution GOES full disk images, this is smaller, but still large enough to be interesting.

Note that even if HRIT decoding is added by the current software, you would require an Airspy or other wideband SDR as the GK-2A HRIT signal bandwidth is 5 MHz. Also since the HRIT bandwidth is so wide, the signal strength is reduced, meaning that you'll need a larger dish. People who have received the HRIT signal note that a 3M+ sized dish seems to be required.

GK-21 (GEO-KOMPSAT-2A) Foorprint
GK-21 (GEO-KOMPSAT-2A) Footprint

You might ask why bother receiving these satellite images directly, when you can get the exact same images from NOAA at https://www.star.nesdis.noaa.gov/GOES/index.php. Well, you might want to set up your own station to be independent from the internet, or you live in a remote location without internet, or maybe just for the fun and learning of it.

To set up a receiver for GOES 16/17 HRIT or GK-2A LRIT you'll need to purchase a dish antenna such as a cheap 2.4 GHz WiFi antenna, an RTL-SDR, GOES LNA, and a Raspberry Pi if using goestools, otherwise a Windows PC can be used. The total cost could be anywhere from $150 - $200 depending on what pieces you already have available.

Before we start the tutorial, you might want to use an augmented reality Android app like "Satellite-AR" to get a rough idea of where either GOES 16/17 or GK-2A (GEO-KOMPSAT-2A) is in your sky, and if receiving them is even feasible for your location. You'll need to find an area on your land where you can mount a small satellite dish with an unobstructed line of sight view to the satellite (no trees or buildings can be blocking the signal path). If the satellite is low on the horizon (below 25 deg elevation), then things get a little more difficult as you have more obstructions and a weaker signal. But it can still be done, and we're able to routinely get good results at 24.5 deg elevation.

Note that for Europe and Africa, unfortunately there are no satellites that can be received easily with an SDR and LNA. But you might instead be interested in the EUMETCAST service, which can be received from EUTELSAT 10A (Ku band), Eutelsat 5 WEST A (C Band) and SES-6 (C Band) . To receive this service you'll need a DVB-S2 receiver and a satellite dish with appropriate band LNB. You also need a license keys and software which all together cost €100. EUMETCAST reception is not covered in this tutorial, instead see this video.

Continue reading

Tutorial on Setting up OP25 for P25 Phase 2 Digital Voice Decoding

Most police departments is the USA have now upgraded or are in the process of upgrading their radio systems to P25 Phase 2 digital radio. The frequencies can easily be received with an RTL-SDR, but a decoder is required to be able to actually listen to the voice. Software like SDRTrunk and DSDPlus can decode P25 Phase 1, but at the moment the only software that is capable of decoding P25 Phase 1 AND 2 is a program called OP25. However, OP25 has a reputation of being fairly difficult to set up as it does not have a simple to use GUI, and requires Linux.

Over on John's Tech Blog, John has uploaded a very helpful step by step tutorial that should help with those trying to get OP25 to work. The tutorial assumes that you have Ubuntu 18.04 already installed, and then starts from downloading and installing OP25. The next steps involve setting up OP25 for the particular system in your area, which mostly involves just editing a spreadsheet to input frequency data from radioreference.com. John also mentions that he's been able to get OP25 running perfectly on a Raspberry Pi 3 B+ as well, with less than 40% CPU usage.

OP25 Running
OP25 Running

In the video below John reviews some of the steps, and shows OP25 running and decoding voice.

OP25 Tracking 2 Control Channels

Tutorial: Setting up a Low Cost QRP (FT8, JT9, WSPR etc) Monitoring Station with an RTL-SDR V3 and Raspberry Pi 3

QRP is amateur radio slang for 'low transmit power'. QRP digital modes such as FT8, JT9, JT65 and WSPR are modes designed to be transmit and received across the world on low transmit powers (although not everyone uses only low power). The special design of these modes allows even weak signals to be decodable by the receiving software. Released in 2017, FT8 has shown itself to now be the most popular mode by far with JT9 and JT65 taking a backseat. WSPR is also not as active as FT8, although WSPR is more of a beacon mode rather one used for making contacts. 

Apart from being used by hams to make contacts, these weak signal modes are also valuable indicators of the current HF propagation conditions. Each packet contains information on the location of the transmitter, so you can see where and how far away the packet you've received comes from. You also don't need to be a ham to set up a monitoring station. As an SWL (shortwave listener), it can be quite interesting to simply see how far away you can receive from, and how many countries in the world you can 'collect' signals from.

This tutorial is inspired by dg0opk's videos and blog post on monitoring QRP with single board computers. We'll show you how to set up a super cheap QRP monitoring station using an RTL-SDR V3 and a Raspberry Pi 3. The total cost should be about US $56 ($21 for the RTL-SDR V3, and $35 for the Pi 3).

With this setup you'll be able to continuously monitor multiple modes within the same band simultaneously (e.g. monitor 20 meter FT8, JT65+JT9 and WSPR all on one dongle at the same time). The method for creating multiple channels in Linux may also be useful for other applications. If you happen to have an upconverter or a better SDR to dedicate to monitoring such as an SDRplay or an Airspy HF+, then this can substitute for the RTL-SDR V3 as well. The parts you'll need are as follows:

  • RTL-SDR V3 (or upconverter, or other HF & Linux capable SDR)
  • Raspberry Pi 3 (or other SBC with similar performance)
  • Internet connection
  • Band filter (optional but recommended)
  • HF antenna (this could be as simple as a long wire)

Examples of QRP Receivers with an RTL-SDR

Monitoring FT8, JT9, JT65 and WSPR simultaneously with an RTL-SDR V3 and Pi 3
Monitoring FT8, JT9, JT65 and WSPR simultaneously with an RTL-SDR V3 and Pi 3

Continue reading

Using an RTL-SDR and moRFeus as a Tracking Generator to Measure Filters And Antenna VSWR

The Outernet moRFeus

As Outernet is currently having a sale and selling their their moRFeus product at only US $99 (see next post for details - or simply use coupon code "rtlsdrblog" on their checkout - valid until Saturday 09 May 18), we thought that we'd show an interesting use for the moRFeus when combined with an RTL-SDR.

Outernet's moRFeus is a signal generator and frequency mixer that can be controlled either by it's built in LCD screen, or via software on a Windows or Linux PC. It can generate a clean low phase noise tone anywhere between 85 to 5400 MHz. Because it can be computer controlled it is possible to use moRFeus as a tracking generator for characterizing filters and measuring antenna SWR. A tracking generator is just a signal generator that can be set to output at the same frequency that the measurement receiver is tuned to.

In the past we've posted a tutorial showing how to use a wideband noise source for measuring filters and antenna SWR. However, if available, a tracking generator is usually preferred over a noise source. A wideband noise source outputs high power at all frequencies, and so can easily overload an RTL-SDR causing reduced dynamic range and accuracy in measurements. This is especially the case when measuring bandstop filters as they pass all frequencies, apart from a small blocking band. Since so much noise gets through to the dongle, dynamic range is reduced.

This post shows how to use the moRFeus as a tracking generator together with an RTL-SDR for making RF measurements. This could be called a scalar network analyzer. The set up uses GQRX and a Python script, but in the future it is possible that someone may develop a standalone app.

Equipment Required

  1. A directional coupler like the minicircuits ZFDC-20-5, or an RF Bridge with 50 Ohm dummy load.
  2. moRFeus or other computer controllable wideband signal generator.
  3. An RTL-SDR
  4. A ~20dB attenuator

Since the output of the moRFeus is quite strong, an attenuator is required to keep signal levels low enough to not overload the RTL-SDR.

The cheapest RF bridge we've found is available on eBay for about $7. With an RF Bridge you'll need a 50 Ohm dummy load as well to connect to the 'REF' port. Directional couplers seem to work more accurately however, and second hand minicircuits ones can often be found on eBay. A $2 TV 'tap' is also a directional coupler, and may also work, although we have not tested this.

Software Setup

In this tutorial we're using the method first described by 'LamaBleu' in his post to the Outernet forums. The method uses Linux and involves reading power levels from the RTL-SDR by using GQRX and its remote telnet connection capabilities. The telnet command "F freq" can be used to change frequency in GQRX, and the command "l" can be used to read out the current power level in dBFS.

To control moRFeus we use Outernet's official "morfeus_tool", which is a command line based tool.

A basic Python script was written to set the frequency in moRFeus and GQRX at the same time. After a 500 ms settling time the power level is measured and recorded in a CSV file, then the script iterates to the next frequency. We iterate at 1 MHz intervals.

If you have a moRFeus and want to try this project out, copy and paste the script from pastebin, and name the file morfeus_scalar.py. Place the morfeus_scalar.py file and the morfeus_tool_linux_x32 tool into the home folder.

To get the software started:

  1. Open GQRX and connect the dongle and required RF components for the test (shown below).
  2. Set the RTL-SDR gain to zero or just low enough so that the signal doesn't cause overload (moRFeus signal levels are fairly high).
  3. In the GQRX GUI ensure that the "Remote control via TCP" button is pressed in. (Looks like two computer screens).
  4. Edit the Python script and choose the frequency range that you'd like to scan by setting the variables FREQ_MIN and FREQ_MAX.
  5. In a terminal run "sudo python morfeus_scalar.py".
  6. When the script completes you'll have a file "out.txt" which is a CSV file of frequency and signal power levels.

Characterizing Filters

To characterize a filter (find the response of a filter) simply connect the system like so:

moRFeus Filter Test

  1. But first connect just the moRFeus, attenuator and RTL-SDR together.
  2. In GQRX increase the gain until just a few dB before the RTL-SDR overloads and starts showing signal images. This will maximize the available dynamic range.
  3. Run an initial calibration scan with morfeus_scalar.py. Save the results in out.txt into a spreadsheet.
  4. Connect the filter in the RF chain, and then run a second scan with morfeus_scalar.py. Save the results into another column in the spreadsheet.
  5. Subtract the calibration scan results from the filtered results. Plot the resulting values using the spreadsheet software. This will show the response of the filter.
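The sweep-and-calibrate procedure above, written out as an added example (this is not LamaBleu's morfeus_scalar.py or Outernet's code). It assumes GQRX's remote control on its default port 7356 answering "F freq" with "RPRT 0" and "l" with a dBFS value; the morfeus_tool argument syntax is an assumption and should be checked against the tool's own help output.

```python
"""Scalar network analyzer sweep: moRFeus as tracking generator, RTL-SDR + GQRX as detector."""
import csv
import socket
import subprocess
import time

GQRX_HOST, GQRX_PORT = "127.0.0.1", 7356   # GQRX remote-control defaults
SETTLE_S = 0.5                             # settling time before each power reading
# ASSUMPTION: morfeus_tool command-line form; verify with `./morfeus_tool_linux_x32 --help`.
MORFEUS_CMD = ["./morfeus_tool_linux_x32", "Generator"]


class Gqrx:
    """Minimal client for GQRX's rigctld-style remote control (commands 'F' and 'l')."""
    def __init__(self, host=GQRX_HOST, port=GQRX_PORT):
        self.sock = socket.create_connection((host, port), timeout=5)
        self.f = self.sock.makefile("rw", newline="\n")

    def set_freq(self, hz):
        self.f.write(f"F {int(hz)}\n"); self.f.flush()
        return self.f.readline().strip()      # expected "RPRT 0" on success

    def read_level_dbfs(self):
        self.f.write("l\n"); self.f.flush()
        return float(self.f.readline().strip())


def set_morfeus(hz):
    subprocess.run(MORFEUS_CMD + [str(int(hz))], check=True)


def sweep(freqs_hz, set_gen, set_rx, read_level, settle=SETTLE_S, sleep=time.sleep):
    """Step generator and receiver together; return [(hz, dBFS), ...]."""
    rows = []
    for hz in freqs_hz:
        set_gen(hz)            # retune the tracking generator
        set_rx(hz)             # retune the RTL-SDR to the same frequency
        sleep(settle)          # let the tuner and FFT settle before reading
        rows.append((hz, read_level()))
    return rows


def subtract_calibration(cal, dut):
    """Filter response in dB: device-under-test scan minus through-line calibration scan."""
    cal_by_f = dict(cal)
    return [(hz, lvl - cal_by_f[hz]) for hz, lvl in dut if hz in cal_by_f]


def write_csv(path, rows):
    with open(path, "w", newline="") as fh:
        csv.writer(fh).writerows(rows)


if __name__ == "__main__":
    FREQ_MIN, FREQ_MAX, STEP = 400e6, 500e6, 1e6          # 1 MHz steps, as in the tutorial
    freqs = range(int(FREQ_MIN), int(FREQ_MAX) + 1, int(STEP))
    g = Gqrx()
    write_csv("out.txt", sweep(freqs, set_morfeus, g.set_freq, g.read_level_dbfs))
```

Run the calibration sweep with the attenuator alone, the second sweep with the filter inserted, and pass the two result lists to subtract_calibration to get the filter's response in dB.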

Download Example Spreadsheet (.xls) (.ods)

Continue reading

Tutorial: Replay Attacks with an RTL-SDR, Raspberry Pi and RPiTX

UPDATE: Version 2 of RPiTX renders this tutorial obsolete, as it is now very easy to copy and replay signals using the RPiTX GUI (or the "sendiq" command) and an RTL-SDR. This tutorial is still valid for the overall concept.

With an RTL-SDR dongle, Raspberry Pi, piece of wire and literally no other hardware it is possible to perform replay attacks on simple digital signals like those used in 433 MHz ISM band devices. This can be used for example to control wireless home automation devices like alarms and switches.

In this tutorial we will show you how to perform a simple capture and replay using an RTL-SDR and RPiTX. With this method there is no need to analyze the signal, extract the data and replay using a 433 MHz transmitter. RPiTX can replay the recorded signal directly without further reverse engineering, just like if you were using a TX capable SDR like a HackRF to record and TX an IQ file.

Note that we've only tested this replay attack with simple OOK 433 MHz devices. Devices with more complex modulation schemes may not work with this method. But the vast majority of 433 MHz ISM band devices are using simple modulation schemes that will work. Also replay attacks will not work on things like car keys, and most garage door openers as those have rolling code security.

A video demo is shown below:

Replay Attacks at 433 MHz with RTL-SDR and a Raspberry Pi running RPiTX

Hardware used and wireless ISM band devices tested with RPiTX

RPiTX

RPiTX is open source software which allows you to turn your Raspberry Pi into a general purpose transmitter for any frequency between 5 kHz and 500 MHz. It works by using square waves to modulate a signal on the GPIO pins of the Pi. If controlled in just the right way, FM/AM/SSB or other modulations can be created. By attaching a simple wire antenna to the GPIO pin these signals become RF signals transmitted into the air.

Of course this creates an extremely noisy output which has a significant number of harmonics. So to be legal and safe you must always use bandpass filtering. Harmonics could interfere with important life critical systems (e.g. police/EMS radio, aircraft transponders etc).

For testing, a short wire antenna shouldn't radiate much further than a few meters past the room you're in, so in this case you should be fine without a filter. But if you ever connect up to an outdoor antenna or amplify the signal then you absolutely must use adequate filtering, or you could find yourself in huge trouble with the law. Currently there are no commercially made 433 MHz filters for RPiTX available that we know of, so you would need to make your own. Also remember that you are still only allowed to transmit in bands that you are licensed to which for most people will be the ISM bands.

In the past we've seen RPiTX used for things like controlling an RC car, building a home made FM repeater, creating a ham transceiver and transmitting WSPR (via a well made filter). We've also seen people perform replay attacks using the cleaner but harder way by reverse engineering a 433 MHz signal, and then generating the RPiTX OOK modulation manually.

Continue reading

RTL-SDR Tutorial: Receiving and Decoding Data from the Outernet

NOTE: This tutorial is no longer valid as Outernet discontinued their L-Band service in late 2017. Please consult www.outernet.is for news on their latest delivery methods.

Outernet is a relatively new satellite service which aims to be a "library in the sky". Essentially their service is going to be constantly transmitting files and data like news and weather updates from geostationary satellites that cover almost the entire world. Geostationary means that the satellites are in a fixed position in the sky, and do not move over time. By simply pointing a small patch antenna at the sky (with LNA and RTL-SDR receiver), it is possible to download and decode this data from almost anywhere in the world. Their aim is to provide up to date information to users in locations with little to no internet (rural, third world and sea), or in countries with censored internet. It may also be of interest to disaster preppers who want an "off-grid" source of news and weather updates. It can be thought of as a kind of one-way, download-only internet service.

Currently the L-band service is being tested, and while they are not yet sending actual Outernet files, they are already sending several daily test files like small videos, images and text documents as well as GRIB files for mariners. At a maximum you can expect to receive up to about 20 MB of data a day from their satellite. Previously they had C-band services but these required large satellite dishes. The C-band service is due to be discontinued at some point in the future.

In this guide we'll show you how to set up an Outernet L-band receiver with an RTL-SDR dongle. If you enjoy this guide then you might also enjoy our Inmarsat STD-C EGC Decoding Tutorial which has similar hardware requirements.

The Outernet demodulator running in Linux.

Continue reading

GSM Sniffing: A Full YouTube Tutorial

Over on YouTube user Crazy Danish Hacker has been working on uploading an entire series on GSM Sniffing with an RTL-SDR. His series is explained in a slow and clear presenting style, and it starts at the very beginning from installing the RTL-SDR. The tutorial series is not yet complete, however he is uploading a new video almost daily. Presumably the series will end with showing you how to receive text messages and voice calls originating from your own cellphone.

So far he has shown how to install the RTL-SDR, identify GSM downlinks, install and use GQRX and kalibrate, locate nearby cell towers, install and use GR-GSM and how to extract the TMSI & KC keys from your cell phone. To obtain the TMSI & KC keys he shows us how to use an Android tool called usbswitcher which forces the phone to use its USB modem interface, from which the keys can be obtained.

The video below shows his teaser video on the series. Check out his GSM playlist to view the full series.

GSM Sniffing Teaser - Software Defined Radio Series!

Review: FlightAware ADS-B RTL-SDR + LNA Positioning

Recently FlightAware released a new RTL-SDR dongle sold at zero profit at $16.95 USD. Its main feature is that it comes with an ADS-B optimized low noise amplifier (LNA) built directly into the dongle. FlightAware.com is a flight tracking service that aims to track aircraft via many volunteer ADS-B contributors around the world who use low cost receivers such as the RTL-SDR. In this post we will review their new dongle and hopefully at the same time provide some basic insights into LNA positioning theory to show in what situations this dongle will work well.

FlightAware Dongle Outside

A good LNA has a low noise figure and a high IIP3 value. Here is what these things mean.

Continue reading