Category: Tutorial

Tutorial on Setting up OP25 for P25 Phase 2 Digital Voice Decoding

Most police departments is the USA have now upgraded or are in the process of upgrading their radio systems to P25 Phase 2 digital radio. The frequencies can easily be received with an RTL-SDR, but a decoder is required to be able to actually listen to the voice. Software like SDRTrunk and DSDPlus can decode P25 Phase 1, but at the moment the only software that is capable of decoding P25 Phase 1 AND 2 is a program called OP25. However, OP25 has a reputation of being fairly difficult to set up as it does not have a simple to use GUI, and requires Linux.

Over on John's Tech Blog, John has uploaded a very helpful step by step tutorial that should help with those trying to get OP25 to work. The tutorial assumes that you have Ubuntu 18.04 already installed, and then starts from downloading and installing OP25. The next steps involve setting up OP25 for the particular system in your area, which mostly involves just editing a spreadsheet to input frequency data from radioreference.com. John also mentions that he's been able to get OP25 running perfectly on a Raspberry Pi 3 B+ as well, with less than 40% CPU usage.

OP25 Running
OP25 Running

In the video below John reviews some of the steps, and shows OP25 running and decoding voice.

OP25 Tracking 2 Control Channels

Tutorial: Setting up a Low Cost QRP (FT8, JT9, WSPR etc) Monitoring Station with an RTL-SDR V3 and Raspberry Pi 3

QRP is amateur radio slang for 'low transmit power'. QRP digital modes such as FT8, JT9, JT65 and WSPR are modes designed to be transmit and received across the world on low transmit powers (although not everyone uses only low power). The special design of these modes allows even weak signals to be decodable by the receiving software. Released in 2017, FT8 has shown itself to now be the most popular mode by far with JT9 and JT65 taking a backseat. WSPR is also not as active as FT8, although WSPR is more of a beacon mode rather one used for making contacts. 

Apart from being used by hams to make contacts, these weak signal modes are also valuable indicators of the current HF propagation conditions. Each packet contains information on the location of the transmitter, so you can see where and how far away the packet you've received comes from. You also don't need to be a ham to set up a monitoring station. As an SWL (shortwave listener), it can be quite interesting to simply see how far away you can receive from, and how many countries in the world you can 'collect' signals from.

This tutorial is inspired by dg0opk's videos and blog post on monitoring QRP with single board computers. We'll show you how to set up a super cheap QRP monitoring station using an RTL-SDR V3 and a Raspberry Pi 3. The total cost should be about US $56 ($21 for the RTL-SDR V3, and $35 for the Pi 3).

With this setup you'll be able to continuously monitor multiple modes within the same band simultaneously (e.g. monitor 20 meter FT8, JT65+JT9 and WSPR all on one dongle at the same time). The method for creating multiple channels in Linux may also be useful for other applications. If you happen to have an upconverter or a better SDR to dedicate to monitoring such as an SDRplay or an Airspy HF+, then this can substitute for the RTL-SDR V3 as well. The parts you'll need are as follows:

  • RTL-SDR V3 (or upconverter, or other HF & Linux capable SDR)
  • Raspberry Pi 3 (or other SBC with similar performance)
  • Internet connection
  • Band filter (optional but recommended)
  • HF antenna (this could be as simple as a long wire)

Examples of QRP Receivers with an RTL-SDR

Monitoring FT8, JT9, JT65 and WSPR simultaneously with an RTL-SDR V3 and Pi 3
Monitoring FT8, JT9, JT65 and WSPR simultaneously with an RTL-SDR V3 and Pi 3

RASPBERRY PI3 SDR Monitor 40m FT8/JT65/JT9 (RTL-SDR/LINRAD)

Continue reading

Using an RTL-SDR and moRFeus as a Tracking Generator to Measure Filters And Antenna VSWR

The Outernet moRFeus

As Outernet is currently having a sale and selling their their moRFeus product at only US $99 (see next post for details - or simply use coupon code "rtlsdrblog" on their checkout - valid until Saturday 09 May 18), we thought that we'd show an interesting use for the moRFeus when combined with an RTL-SDR.

Outernet's moRFeus is a signal generator and frequency mixer that can be controlled either by it's built in LCD screen, or via software on a Windows or Linux PC. It can generate a clean low phase noise tone anywhere between 85 to 5400 MHz. Because it can be computer controlled it is possible to use moRFeus as a tracking generator for characterizing filters and measuring antenna SWR. A tracking generator is just a signal generator that can be set to output at the same frequency that the measurement receiver is tuned to.

In the past we've posted a tutorial showing how to use a wideband noise source for measuring filters and antenna SWR. However, if available, a tracking generator is usually preferred over a noise source. A wideband noise source outputs high power at all frequencies, and so can easily overload an RTL-SDR causing reduced dynamic range and accuracy in measurements. This is especially the case when measuring bandstop filters as they pass all frequencies, apart from a small blocking band. Since so much noise gets through to the dongle, dynamic range is reduced.

This post shows how to use the moRFeus as a tracking generator together with an RTL-SDR for making RF measurements. This could be called a scalar network analyzer. The set up uses GQRX and a Python script, but in the future it is possible that someone may develop a standalone app.

Equipment Required

  1. A directional coupler like the minicircuits ZFDC-20-5, or an RF Bridge with 50 Ohm dummy load.
  2. moRFeus or other computer controllable wideband signal generator.
  3. An RTL-SDR
  4. A ~20dB attenuator

Since the output of the moRFeus is quite strong, an attenuator is required to keep signal levels low enough to not overload the RTL-SDR.

The cheapest RF bridge we've found is available on eBay for about $7. With an RF Bridge you'll need a 50 Ohm dummy load as well to connect to the 'REF' port. Directional couplers seem to work more accurately however, and second hand minicircuits ones can often be found on eBay. A $2 TV 'tap' is also a directional coupler, and may also work, although we have not tested this.

Software Setup

In this tutorial we're using the method first described by 'LamaBleu' in his post to the Outernet forums. The method uses Linux and involves reading power levels from the RTL-SDR by using GQRX and it's remote telnet connection capabilities. The telnet command "F freq" can be used to change frequency in GQRX, and the command "l" can be used to read out the current power level in dbFS.

To control moRFeus we use Outernet's official "morfeus_tool",  which is a command line based tool.

A basic Python script was written to set the frequency in moRFeus and GQRX at the same time. After a 500 ms settling time the power level is measured and recorded in a CSV file, then the script iterates to the next frequency. We iterate at 1 MHz intervals.

If you have a moRFeus and want to try this project out, copy and paste the script from pastebin, and name the file morfeus_scalar.py. Place the morfeus_scalar.py file and the morfeus_tool_linux_x32 tool into the home folder.

To get the software started:

  1. Open GQRX and connect the dongle and required RF components for the test (shown below).
     
  2. Set the RTL-SDR gain to zero or just low enough so that the signal doesn't cause overload (moRFeus signal levels are fairly high).
     
  3. In the GQRX GUI ensure that the "Remote control via TCP" button is pressed in. (Looks like two computer screens).
     
  4. Edit the Python script and choose the frequency range that you'd like to scan by setting variable FREQ_MIN and FREQ_MAX.
     
  5. In a terminal run "sudo python morfeus_scalar.py".
     
  6. When the script completes you'll have a file "out.txt" which is a CSV file of frequency and signal power levels.

Characterizing Filters

To characterize a filter (find the response of a filter) simply connect the system like so:

moRFeus Filter Test
moRFeus Filter Test
  1. But first connect just the moRFeus, attenuator and RTL-SDR together.
     
  2. In GQRX increase the gain until just a few dB before the RTL-SDR overloads and starts showing signal images. This will maximize the available dynamic range.
     
  3. Run an initial calibration scan with morfeus_scalar.py. Save the results in out.txt into a spreadsheet.
     
  4. Connect the filter in the RF chain, and then run a second scan with morfeus_scalar.py. Save the results into another column in the spreadsheet.

  5. Subtract the calibration scan results from the filtered results. Plot the resulting values using the spreadsheet software. This will show the response of the filter.

Download Example Spreadsheet (.xls) (.ods)

Continue reading

Tutorial: Replay Attacks with an RTL-SDR, Raspberry Pi and RPiTX

UPDATE: Version 2 of RPiTX renders this tutorial obsolete, as it is now very easy to copy and replay signals using the RPiTX GUI and an RTL-SDR. The tutorial is still valid for the overall concept.

With an RTL-SDR dongle, Raspberry Pi, piece of wire and literally no other hardware it is possible to perform replay attacks on simple digital signals like those used in 433 MHz ISM band devices. This can be used for example to control wireless home automation devices like alarms and switches.

In this tutorial we will show you how to perform a simple capture and replay using an RTL-SDR and RPiTX.  With this method there is no need to analyze the signal, extract the data and replay using a 433 MHz transmitter. RPiTX can replay the recorded signal directly without further reverse engineering just like if you were using a TX capable SDR like a HackRF to record and TX an IQ file.

Note that we've only tested this replay attack with simple OOK 433 MHz devices. Devices with more complex modulation schemes may not work with this method. But the vast majority of 433 MHz ISM band devices are using simple modulation schemes that will work. Also replay attacks will not work on things like car keys, and most garage door openers as those have rolling code security.

A video demo is shown below:

Replay Attacks at 433 MHz with RTL-SDR and a Raspberry Pi running RPiTX

Hardware used and wireless ISM band devices tested with RPiTX
Hardware used and wireless ISM band devices tested with RPiTX

RpiTX

RPiTX is open source software which allows you to turn your Raspberry Pi into a general purpose transmitter for any frequency between 5 kHz to 500 MHz. It works by using square waves to modulate a signal on the GPIO pins of the Pi. If controlled in just the right way, FM/AM/SSB or other modulations can be created. By attaching a simple wire antenna to the GPIO pin these signals become RF signals transmitted into the air.

Of course this creates an extremely noisy output which has a significant number of harmonics. So to be legal and safe you must always use bandpass filtering. Harmonics could interfere with important life critical systems (e.g. police/EMS radio, aircraft transponders etc).

For testing, a short wire antenna shouldn't radiate much further than a few meters past the room you're in, so in this case you should be fine without a filter. But if you ever connect up to an outdoor antenna or amplify the signal then you absolutely must use adequate filtering, or you could find yourself in huge trouble with the law. Currently there are no commercially made 433 MHz filters for RPiTX available that we know of, so you would need to make your own. Also remember that you are still only allowed to transmit in bands that you are licensed to which for most people will be the ISM bands.

In the past we've seen RPiTX used for things like controlling an RC car, building a home made FM repeater, creating a ham transceiver and transmitting WSPR (via a well made filter). We've also seen people perform replay attacks using the cleaner but harder way by reverse engineering a 433 MHz signal, and then generating the RPiTX OOK modulation manually.

Continue reading

RTL-SDR Tutorial: Receiving and Decoding Data from the Outernet

NOTE: This tutorial is no longer valid as Outernet discontinued their L-Band service in late 2017. Please consult www.outernet.is for news on their latest delivery methods.

Outernet is a relatively new satellite service which aims to be a "library in the sky". Essentially their service is going to be constantly transmitting files and data like news and weather updates from geostationary satellites that cover almost the entire world. Geostationary means that the satellites are in a fixed position in the sky, and do not move over time. By simply pointing a small patch antenna at the sky (with LNA and RTL-SDR receiver), it is possible to download and decode this data from almost anywhere in the world. Their aim is to provide up to date information to users in locations with little to no internet (rural, third world and sea), or in countries with censored internet. It may also be of interest to disaster preppers who want an "off-grid" source of news and weather updates. It can kind of be thought as a kind of one-way download-only internet service.

Currently the L-band service is being tested, and while they are not yet sending actual Outernet files, they are already sending several daily test files like small videos, images and text documents as well as GRIB files for mariners. At a maximum you can expect to receive up to about 20 MB of data a day from their satellite. Previously they had C-band services but these required large satellite dishes. The C-band service is due to be discontinued at some point in the future.

In this guide we'll show you how to set up an Outernet L-band receiver with an RTL-SDR dongle. If you enjoy this guide then you might also enjoy our Inmarsat STD-C EGC Decoding Tutorial which has similar hardware requirements.

outernet_fullsetup

Outernet Setup: Patch Antenna -> LNA -> RTL-SDR with Bias Tee -> Raspberry Pi

librarian

Downloaded Files

outernet_book

Book Download

outernet_vid

Video Download

outernet_wx

Image Download

Continue reading

Tutorial on Setting up OP25 for P25 Phase 2 Digital Voice Decoding

Most police departments is the USA have now upgraded or are in the process of upgrading their radio systems to P25 Phase 2 digital radio. The frequencies can easily be received with an RTL-SDR, but a decoder is required to be able to actually listen to the voice. Software like SDRTrunk and DSDPlus can decode P25 Phase 1, but at the moment the only software that is capable of decoding P25 Phase 1 AND 2 is a program called OP25. However, OP25 has a reputation of being fairly difficult to set up as it does not have a simple to use GUI, and requires Linux.

Over on John's Tech Blog, John has uploaded a very helpful step by step tutorial that should help with those trying to get OP25 to work. The tutorial assumes that you have Ubuntu 18.04 already installed, and then starts from downloading and installing OP25. The next steps involve setting up OP25 for the particular system in your area, which mostly involves just editing a spreadsheet to input frequency data from radioreference.com. John also mentions that he's been able to get OP25 running perfectly on a Raspberry Pi 3 B+ as well, with less than 40% CPU usage.

OP25 Running
OP25 Running

In the video below John reviews some of the steps, and shows OP25 running and decoding voice.

OP25 Tracking 2 Control Channels

Tutorial: Setting up a Low Cost QRP (FT8, JT9, WSPR etc) Monitoring Station with an RTL-SDR V3 and Raspberry Pi 3

QRP is amateur radio slang for 'low transmit power'. QRP digital modes such as FT8, JT9, JT65 and WSPR are modes designed to be transmit and received across the world on low transmit powers (although not everyone uses only low power). The special design of these modes allows even weak signals to be decodable by the receiving software. Released in 2017, FT8 has shown itself to now be the most popular mode by far with JT9 and JT65 taking a backseat. WSPR is also not as active as FT8, although WSPR is more of a beacon mode rather one used for making contacts. 

Apart from being used by hams to make contacts, these weak signal modes are also valuable indicators of the current HF propagation conditions. Each packet contains information on the location of the transmitter, so you can see where and how far away the packet you've received comes from. You also don't need to be a ham to set up a monitoring station. As an SWL (shortwave listener), it can be quite interesting to simply see how far away you can receive from, and how many countries in the world you can 'collect' signals from.

This tutorial is inspired by dg0opk's videos and blog post on monitoring QRP with single board computers. We'll show you how to set up a super cheap QRP monitoring station using an RTL-SDR V3 and a Raspberry Pi 3. The total cost should be about US $56 ($21 for the RTL-SDR V3, and $35 for the Pi 3).

With this setup you'll be able to continuously monitor multiple modes within the same band simultaneously (e.g. monitor 20 meter FT8, JT65+JT9 and WSPR all on one dongle at the same time). The method for creating multiple channels in Linux may also be useful for other applications. If you happen to have an upconverter or a better SDR to dedicate to monitoring such as an SDRplay or an Airspy HF+, then this can substitute for the RTL-SDR V3 as well. The parts you'll need are as follows:

  • RTL-SDR V3 (or upconverter, or other HF & Linux capable SDR)
  • Raspberry Pi 3 (or other SBC with similar performance)
  • Internet connection
  • Band filter (optional but recommended)
  • HF antenna (this could be as simple as a long wire)

Examples of QRP Receivers with an RTL-SDR

Monitoring FT8, JT9, JT65 and WSPR simultaneously with an RTL-SDR V3 and Pi 3
Monitoring FT8, JT9, JT65 and WSPR simultaneously with an RTL-SDR V3 and Pi 3

RASPBERRY PI3 SDR Monitor 40m FT8/JT65/JT9 (RTL-SDR/LINRAD)

Continue reading

Using an RTL-SDR and moRFeus as a Tracking Generator to Measure Filters And Antenna VSWR

The Outernet moRFeus

As Outernet is currently having a sale and selling their their moRFeus product at only US $99 (see next post for details - or simply use coupon code "rtlsdrblog" on their checkout - valid until Saturday 09 May 18), we thought that we'd show an interesting use for the moRFeus when combined with an RTL-SDR.

Outernet's moRFeus is a signal generator and frequency mixer that can be controlled either by it's built in LCD screen, or via software on a Windows or Linux PC. It can generate a clean low phase noise tone anywhere between 85 to 5400 MHz. Because it can be computer controlled it is possible to use moRFeus as a tracking generator for characterizing filters and measuring antenna SWR. A tracking generator is just a signal generator that can be set to output at the same frequency that the measurement receiver is tuned to.

In the past we've posted a tutorial showing how to use a wideband noise source for measuring filters and antenna SWR. However, if available, a tracking generator is usually preferred over a noise source. A wideband noise source outputs high power at all frequencies, and so can easily overload an RTL-SDR causing reduced dynamic range and accuracy in measurements. This is especially the case when measuring bandstop filters as they pass all frequencies, apart from a small blocking band. Since so much noise gets through to the dongle, dynamic range is reduced.

This post shows how to use the moRFeus as a tracking generator together with an RTL-SDR for making RF measurements. This could be called a scalar network analyzer. The set up uses GQRX and a Python script, but in the future it is possible that someone may develop a standalone app.

Equipment Required

  1. A directional coupler like the minicircuits ZFDC-20-5, or an RF Bridge with 50 Ohm dummy load.
  2. moRFeus or other computer controllable wideband signal generator.
  3. An RTL-SDR
  4. A ~20dB attenuator

Since the output of the moRFeus is quite strong, an attenuator is required to keep signal levels low enough to not overload the RTL-SDR.

The cheapest RF bridge we've found is available on eBay for about $7. With an RF Bridge you'll need a 50 Ohm dummy load as well to connect to the 'REF' port. Directional couplers seem to work more accurately however, and second hand minicircuits ones can often be found on eBay. A $2 TV 'tap' is also a directional coupler, and may also work, although we have not tested this.

Software Setup

In this tutorial we're using the method first described by 'LamaBleu' in his post to the Outernet forums. The method uses Linux and involves reading power levels from the RTL-SDR by using GQRX and it's remote telnet connection capabilities. The telnet command "F freq" can be used to change frequency in GQRX, and the command "l" can be used to read out the current power level in dbFS.

To control moRFeus we use Outernet's official "morfeus_tool",  which is a command line based tool.

A basic Python script was written to set the frequency in moRFeus and GQRX at the same time. After a 500 ms settling time the power level is measured and recorded in a CSV file, then the script iterates to the next frequency. We iterate at 1 MHz intervals.

If you have a moRFeus and want to try this project out, copy and paste the script from pastebin, and name the file morfeus_scalar.py. Place the morfeus_scalar.py file and the morfeus_tool_linux_x32 tool into the home folder.

To get the software started:

  1. Open GQRX and connect the dongle and required RF components for the test (shown below).
     
  2. Set the RTL-SDR gain to zero or just low enough so that the signal doesn't cause overload (moRFeus signal levels are fairly high).
     
  3. In the GQRX GUI ensure that the "Remote control via TCP" button is pressed in. (Looks like two computer screens).
     
  4. Edit the Python script and choose the frequency range that you'd like to scan by setting variable FREQ_MIN and FREQ_MAX.
     
  5. In a terminal run "sudo python morfeus_scalar.py".
     
  6. When the script completes you'll have a file "out.txt" which is a CSV file of frequency and signal power levels.

Characterizing Filters

To characterize a filter (find the response of a filter) simply connect the system like so:

moRFeus Filter Test
moRFeus Filter Test
  1. But first connect just the moRFeus, attenuator and RTL-SDR together.
     
  2. In GQRX increase the gain until just a few dB before the RTL-SDR overloads and starts showing signal images. This will maximize the available dynamic range.
     
  3. Run an initial calibration scan with morfeus_scalar.py. Save the results in out.txt into a spreadsheet.
     
  4. Connect the filter in the RF chain, and then run a second scan with morfeus_scalar.py. Save the results into another column in the spreadsheet.

  5. Subtract the calibration scan results from the filtered results. Plot the resulting values using the spreadsheet software. This will show the response of the filter.

Download Example Spreadsheet (.xls) (.ods)

Continue reading

Tutorial: Replay Attacks with an RTL-SDR, Raspberry Pi and RPiTX

UPDATE: Version 2 of RPiTX renders this tutorial obsolete, as it is now very easy to copy and replay signals using the RPiTX GUI and an RTL-SDR. The tutorial is still valid for the overall concept.

With an RTL-SDR dongle, Raspberry Pi, piece of wire and literally no other hardware it is possible to perform replay attacks on simple digital signals like those used in 433 MHz ISM band devices. This can be used for example to control wireless home automation devices like alarms and switches.

In this tutorial we will show you how to perform a simple capture and replay using an RTL-SDR and RPiTX.  With this method there is no need to analyze the signal, extract the data and replay using a 433 MHz transmitter. RPiTX can replay the recorded signal directly without further reverse engineering just like if you were using a TX capable SDR like a HackRF to record and TX an IQ file.

Note that we've only tested this replay attack with simple OOK 433 MHz devices. Devices with more complex modulation schemes may not work with this method. But the vast majority of 433 MHz ISM band devices are using simple modulation schemes that will work. Also replay attacks will not work on things like car keys, and most garage door openers as those have rolling code security.

A video demo is shown below:

Replay Attacks at 433 MHz with RTL-SDR and a Raspberry Pi running RPiTX

Hardware used and wireless ISM band devices tested with RPiTX
Hardware used and wireless ISM band devices tested with RPiTX

RpiTX

RPiTX is open source software which allows you to turn your Raspberry Pi into a general purpose transmitter for any frequency between 5 kHz to 500 MHz. It works by using square waves to modulate a signal on the GPIO pins of the Pi. If controlled in just the right way, FM/AM/SSB or other modulations can be created. By attaching a simple wire antenna to the GPIO pin these signals become RF signals transmitted into the air.

Of course this creates an extremely noisy output which has a significant number of harmonics. So to be legal and safe you must always use bandpass filtering. Harmonics could interfere with important life critical systems (e.g. police/EMS radio, aircraft transponders etc).

For testing, a short wire antenna shouldn't radiate much further than a few meters past the room you're in, so in this case you should be fine without a filter. But if you ever connect up to an outdoor antenna or amplify the signal then you absolutely must use adequate filtering, or you could find yourself in huge trouble with the law. Currently there are no commercially made 433 MHz filters for RPiTX available that we know of, so you would need to make your own. Also remember that you are still only allowed to transmit in bands that you are licensed to which for most people will be the ISM bands.

In the past we've seen RPiTX used for things like controlling an RC car, building a home made FM repeater, creating a ham transceiver and transmitting WSPR (via a well made filter). We've also seen people perform replay attacks using the cleaner but harder way by reverse engineering a 433 MHz signal, and then generating the RPiTX OOK modulation manually.

Continue reading

RTL-SDR Tutorial: Receiving and Decoding Data from the Outernet

NOTE: This tutorial is no longer valid as Outernet discontinued their L-Band service in late 2017. Please consult www.outernet.is for news on their latest delivery methods.

Outernet is a relatively new satellite service which aims to be a "library in the sky". Essentially their service is going to be constantly transmitting files and data like news and weather updates from geostationary satellites that cover almost the entire world. Geostationary means that the satellites are in a fixed position in the sky, and do not move over time. By simply pointing a small patch antenna at the sky (with LNA and RTL-SDR receiver), it is possible to download and decode this data from almost anywhere in the world. Their aim is to provide up to date information to users in locations with little to no internet (rural, third world and sea), or in countries with censored internet. It may also be of interest to disaster preppers who want an "off-grid" source of news and weather updates. It can kind of be thought as a kind of one-way download-only internet service.

Currently the L-band service is being tested, and while they are not yet sending actual Outernet files, they are already sending several daily test files like small videos, images and text documents as well as GRIB files for mariners. At a maximum you can expect to receive up to about 20 MB of data a day from their satellite. Previously they had C-band services but these required large satellite dishes. The C-band service is due to be discontinued at some point in the future.

In this guide we'll show you how to set up an Outernet L-band receiver with an RTL-SDR dongle. If you enjoy this guide then you might also enjoy our Inmarsat STD-C EGC Decoding Tutorial which has similar hardware requirements.

outernet_fullsetup

Outernet Setup: Patch Antenna -> LNA -> RTL-SDR with Bias Tee -> Raspberry Pi

librarian

Downloaded Files

outernet_book

Book Download

outernet_vid

Video Download

outernet_wx

Image Download

Continue reading

GSM Sniffing: A Full YouTube Tutorial

Over on YouTube user Crazy Danish Hacker has been working on uploading an entire series on GSM Sniffing with an RTL-SDR. His series is explained in a slow and clear presenting style, and it starts at the very beginning from installing the RTL-SDR. The tutorial series is not yet complete, however he is uploading a new video almost daily. Presumably the series will end with showing you how to receive text messages and voice calls originating from your own cellphone.

So far he has shown how to install the RTL-SDR, identify GSM downlinks, install and use GQRX and kalibrate, locate nearby cell towers, install and use GR-GSM and how to extract the TMSI & KC keys from your cell phone. To obtain the TMSI & KC keys he shows us how to use an Android tool called usbswitcher which forces the phone to use its USB modem interface, from which the keys can be obtained.

The video below shows his teaser video on the series. Check out his GSM playlist to view the full series.

GSM Sniffing Teaser – Software Defined Radio Series!

Review: FlightAware ADS-B RTL-SDR + LNA Positioning

Recently FlightAware released a new RTL-SDR dongle sold at zero profit at $16.95 USD. It’s main feature is that it comes with an ADS-B optimized low noise amplifier (LNA) built directly into the dongle. FlightAware.com is a flight tracking service that aims to track aircraft via many volunteer ADS-B contributors around the world who use low cost receivers such as the RTL-SDR. In this post we will review their new dongle and hopefully at the same time provide some basic insights to LNA positioning theory to show in what situations this dongle will work well.

FlightAware Dongle Outside
FlightAware Dongle Outside

A good LNA has a low noise figure and a high IIP3 value. Here is what these things mean.

Continue reading

Creating a DIY 88-108 MHz FM Trap

One of the most problematic strong signals you can encounter is regular 88 – 108 MHz broadcast FM stations. They transmit at high power and can cause overloading and intermodulation problems on simple receivers such as the RTL-SDR. This means that FM stations can prevent you from receiving signals even when you are tuned far away from the broadcast band.

The simplest solution to reducing strong FM stations is to build an FM trap. This is simply a band stop filter that blocks frequencies between 88 – 108 MHz from entering your radio. Adam (9A4QV), the creator of the popular LNA4ALL and several other RTL-SDR compatible products has recently uploaded an article showing how to build a home made FM trap out of cheap common parts.

Adams article goes through and explains the design of a FM trap and how to use freeware software to aide in the calculations. The final FM trap designed by Adam uses just 3 common SMD capacitors and 3 hand wound coils. His filter attenuates more than 30dB in the 88-108 MHz range with an insertion loss of less than 1dB up to 1.7 GHz.

A DIY FM Trap
A DIY FM Trap