MySondy: Radiosonde Tracking Firmware for a TTGO ESP32 LORA Board

A radiosonde is a small sensor and radio package normally attached to a weather balloon. Meteorological agencies around the world typically launch two balloons a day from several locations to gather data for weather prediction. We have featured radiosondes several times on this blog as it is easy to use an RTL-SDR and computer to receive and decode their signals, which can be used to hunt down the fallen sonde, or to receive the weather telemetry data.

Recently RTL-SDR.COM reader António submitted a link to an interesting project called "MySondy" which is created by Mirko Dalmonte (IZ4PNN). MySondy is custom firmware for TTGO Lora32 433 MHz boards which allows them to be turned into a radiosonde tracker. A TTGO is a cheap ~US$20 LoRa32 IoT dev board with an onboard WiFi + Bluetooth enabled ESP32 microcontroller and OLED display. Some of the slightly higher priced units come with a built in GPS receiver as well. With the custom firmware it is capable of receiving and decoding common radiosonde protocols such as RS41, M10, RS92 and DFM.

A TTGO ESP32 LoRa Board
A TTGO running MySondy firmware enclosed in a 3D Printed Case

There are also Android apps called MySondy Go and MySondy FINDER, which connect to the TTGO via Bluetooth. The app plots the location of the radiosonde on a map, allowing you to easily follow and track down the balloon. You can also go to mysondy.altervista.org to see public MySondy stations. Clicking on a blinking dot will connect you with the MySondy server, allowing you to see tracked sondes.

MySondy Web Interface

The firmware and software appear to be fairly new, so there isn't much information about this that we could find just yet. Also we note that all manuals and information about the project are written in Italian, except for a French magazine article (pdf) that António sent us to upload.

We note that these TTGO ESP32 LoRa boards are quite interesting by themselves, with other custom firmware available to do things like create a Paxcounter which counts the number of mobile devices in an area via WiFi and Bluetooth signals, and the ability to use them as a GPS enabled Mesh network based text message radio.

Defcon 2020 Online Talks: Satellite Eavesdropping & Detecting Fake 4G Base Stations

DEFCON 2020 was held online this year and the talks were released a few days ago on their website and on YouTube. If you weren't already aware, Defcon is a major yearly conference all about information security, and some of the talks deal with wireless and SDR topics. We found two very interesting SDR and wireless related talks that we have highlighted below. The first talk investigates using commercial satellite TV receivers to eavesdrop on satellite internet communications. The second discusses using a bladeRF or USRP to detect fake 4G cellphone basestations. Slides for these talks are available on the Defcon Media server under the presentations folder.

DEF CON Safe Mode - James Pavur - Whispers Among the Stars

Space is changing. The number of satellites in orbit will increase from around 2,000 today to more than 15,000 by 2030. This briefing provides a practical look at the considerations an attacker may take when targeting satellite broadband communications networks. Using $300 of widely available home television equipment I show that it is possible to intercept deeply sensitive data transmitted on satellite links by some of the world's largest organizations.

The talk follows a series of case studies looking at satellite communications affecting three domains: air, land, and sea. From home satellite broadband customers, to wind farms, to oil tankers and aircraft, I show how satellite eavesdroppers can threaten privacy and communications security. Beyond eavesdropping, I also discuss how, under certain conditions, this inexpensive hardware can be used to hijack active sessions over the satellite link.

The talk concludes by presenting new open source tools we have developed to help researchers seeking to improve satellite communications security and individual satellite customers looking to encrypt their traffic.

The talk assumes no background in satellite communications or cryptography but will be most interesting to researchers interested in tackling further unsolved security challenges in outer space.

DEF CON Safe Mode - Cooper Quintin - Detecting Fake 4G Base Stations in Real Time

4G based IMSI catchers such as the Hailstorm are becoming more popular with governments and law enforcement around the world, as well as spies, and even criminals. Until now IMSI catcher detection has focused on 2G IMSI catchers such as the Stingray which are quickly falling out of favor.

In this talk we will tell you how 4G IMSI Catchers might work to the best of our knowledge, and what they can and can't do. We demonstrate a brand new software project to detect fake 4G base stations, with open source software and relatively cheap hardware. And finally we will present a comprehensive plan to dramatically limit the capabilities of IMSI catchers (with the long term goal of making them useless once and for all).

GitHub: https://github.com/EFForg/crocodilehunter

TechMinds: Using Public Online SDRs without SDR Hardware

This week's video on the TechMinds channel explores the various online web SDRs that are available to access for free. Accessing these online SDRs does not require any hardware apart from a PC and internet connection, although of course you are then receiving signals from a different location to yourself.

In the video he shows how to access the SDR# Spy Server Network which mostly consists of Airspy and RTL-SDR units, the SDR-Console V3 Server network which consists of a wide array of different SDRs, the browser based WebSDR network which is mostly soundcard based SDRs but also RTL-SDR and other SDRs, and finally the KiwiSDR network which is made up of KiwiSDRs.

Using Software Defined Radio Without SDR Hardware - WebSDR

SignalsEverywhere: Setting up a Broadcastify Feed with SDRTrunk

In her last video Sarah from the SignalsEverywhere YouTube channel showed us how to set up SDRTrunk for reception of digital P25 Police and other services with two RTL-SDR dongles. On this week's episode Sarah shows us how to set up Broadcastify with SDRTrunk. Broadcastify is an online service that allows you to stream audio from your SDR or scanner radio to their website for anyone to listen to. We note that sharing audio or some talkgroups may not be legal in all countries so please do your research first.

In the video Sarah shows the full setup process involving setting up a Broadcastify account, creating an alias list, adding talkgroups to share and finally setting up the Icecast server for streaming to the Broadcastify servers.

SDRTrunk Broadcastify Feed Tutorial

NyanSat: A Low Cost Open Source Satellite Ground Station

Thank you to John D for writing in and letting us know that Wired magazine has recently run an article about the "Nyansat" project. Nyansat aims to bring low cost open source satellite ground stations to the masses. The goal is to democratize citizen access to space by allowing for easier collection of satellite data, or even for collaborative citizen science radio astronomy projects such as the detection of space debris or undocumented satellites. John writes:

While most people think of a satellite ground station as a giant dish mounted on top of a building in the desert, technically any radio receiver that tunes into a satellite's signal can be called a ground station.  Somewhere between the giant dish and the GPS chip in your phone is a ground station that uses a directional antenna to pull in the faint signals.  So unless you're only interested in geosynchronous satellites, the antenna needs to be aimed at the satellite, and that's where NyanSat comes in. 

The design of the NyanSat consists of a pan-tilt head, an Inertial Measurement Unit (IMU) for precise azimuth and elevation measurements, a motor-driver board, an optional OLED display, an optional GPS module, and is powered by an ESP32.  Full source code is available in their git repo, found at https://github.com/RedBalloonShenanigans/antenny. The NyanSat's software is written in micropython specifically for the ESP32, but obviously could be ported if desired.

Mounting an antenna, adding an RTL-SDR, and actually tuning in a satellite, is still up to the builder.

One of the goals of the NyanSat project is to eventually build up a network of ground stations that can collaborate to contribute frequently updated satellite ephemeris information.

When they're in stock, the project's sponsor, Red Balloon Security, has occasionally been offering a kit containing a custom PCB that is pre-populated with the ESP32 and motor driver; a pan-tilt gimbal; an IMU; and an RTL-SDR.  They've been selling them for $1.00(!), just to get them out in the hands of people.  Keep your eye open in case they get another batch in.

The Red Balloon store lists the kit as currently out of stock so we suggest keeping an eye on their store just in case any of the $1 kits come back in stock.

NyanSat will also present a live twitch demo at this year's online DefCon conference on Friday Aug 7 6:30-8PM EDT and Sat Aug 8 6:30-8PM EDT. On Sun Aug 9 12:30 EDT they will hold another event where they judge the best work of the Nyansat community.

The SatNOGS project, which we have covered many times before on this blog, is quite similar with its own open source antenna rotator design, however the Nyansat design looks a bit easier to build as it doesn't require 3D printed parts. Critically, though, their demos have not yet shown what size of antenna the gimbal chosen by Nyansat is capable of moving.

The NyanSat Pan/Tilt Gimbal Control Setup

Setting up a GSM Basestation in minutes with a USRP and DragonOS

DragonOS is a ready-to-use Linux OS image that comes with many SDR programs preinstalled. The creator Aaron also runs a YouTube channel that has multiple tutorial videos demonstrating software built into DragonOS.

In a recent video Aaron shows how you can set up a GSM basestation within minutes by using the latest DragonOS version together with a USRP b205mini-i software defined radio. As the required software (osmo-bts, osmo-bsc, osmo-bts-trx) is all preinstalled, setting up the basestation is a simple matter of opening three terminal windows and running a few commands. We note that this latest DragonOS version is due to be released this Thursday.

In a previous video Aaron also shows a more detailed setup procedure showing how all the software was installed.

DragonOS Focal Running a GSM network in minutes (osmo-bts, osmo-bsc, osmo-bts-trx, USRP b205mini-i)

Flipper Zero Crowdfunding: An Open Source RF Pen Testing Tool For Hackers

Flipper Zero isn't an SDR, but it is an interesting RF capable pentesting tool that is currently being crowdfunded, and we think it deserves a post. Based on a TI CC1101 transceiver chip, the Flipper Zero has a sub 1-GHz radio capable of doing things like emulating a garage door remote, transmitting digital signals like OOK/ASK/FSK/GFSK/MSK at 315/433/866 MHz, analyzing and decoding popular remote control algorithms like Keeloq, and reading and emulating 125 kHz RFID tags. And as the crowd funding stretch goals have already been reached, the hardware will also include a Bluetooth and NFC module.

In addition to the RF features, it has a 1-wire iButton/TouchMemory/Dallas key reader, can function as a U2F security token, has an infrared transceiver with learning feature for emulating IR remotes and has 12 5V tolerant GPIO pins available for expansion with modules such as interfaces, sensors, wireless modules and cellular modems. It can also emulate a USB slave device like a keyboard allowing you to deploy a keyboard payload.

Flipper Zero currently costs US$119 however it will soon jump to US$129 once the early bird special runs out. At the time of this post they already have 13,000 backers and have raised in excess of 2.5 million dollars. There are still 25 days left in the campaign.

Flipper Zero

iotSDR Crowdfunding: An SDR Devboard for Designing Custom IoT Protocols and Gateways

A new SDR has recently launched on the CrowdSupply crowdfunding platform. This one is called "iotSDR" and is designed to be a software defined radio to help developers and enthusiasts design custom Internet of Things (IoT) algorithms and protocols.

It has a 2-channel AT86RF215 transceiver chip which is capable of tuning to all major IoT frequencies as well as a 13-bit ADC with sample rate of up to 4 MSPS. In addition there is a MAX2769B chip which is used for the GNSS reception of GPS, GLONASS, Galileo and Beidou positioning satellites. An onboard ZYNQ XC7Z010 / XC7Z020 FPGA can be used for any hardware computing required.

iotSDR currently costs US$399 for the Zynq XC7Z010 FPGA version, and US$599 for the Zynq XC7Z020 FPGA version. At the time of this post there are 37 days left in the campaign.

Embedding SDR in IoT

iotSDR provides a platform that allows SDR developers and enthusiasts to design innovative algorithms and cutting-edge products. While wide-band SDRs are more versatile, narrow-band transceivers perform better for many IoT-related applications. Accordingly, iotSDR hosts two narrow-band Microchip AT86RF215 transceivers that provide their own base-band cores and have the ability to handle their own I/Q signal streaming. The result is an extremely powerful tool for anyone who is looking to simplify the task of developing, testing, and deploying high-complexity frameworks.

A Powerful FPGA and a GNSS Chip to Round It Out

iotSDR’s Microchip transceivers are backed by a Zynq SoC—which provides an FPGA and a processing system in a single package—as well as a MAX2769 GNSS chip capable of streaming live signal records. That GNSS chip can be used for custom GPS, Galileo, BeiDou, and GLONASS receiver development, and is perfect for projects in the location-based services (LBS) domain such as those related to navigation and surveying.

Use Existing Software, Design a Protocol, or Build a Gateway

You can drive the hardware described above using a wide variety of popular open source software, including the Xilinx PYNQ Python framework, Jupyter Notebooks, and GNU Radio.

And if your work is further down the stack, don’t worry. iotSDR still has you covered. If you want to design and implement a physical layer IoT protocol, for example—a protocol like LoRa, SigFox, Weightless, Bluetooth, BLE, 802.15.4, ZigBee, or something of your own design—this board is for you. It’s also a great place to start if you want to build a custom IoT gateway along the lines of The Things Network, LPWAN, or Google’s Thread.

Radio has long been a pillar of modernization and technology, and this remains true in the era of software-defined radio. The Internet of Things, in particular, stands to benefit from the latest advancements in SDR technology. With iotSDR, you can be part of the community that makes that happen.

Features & Specifications

  • RF Transceiver: 2x Microchip/Atmel AT86RF215
    • European band: 863-870 MHz / 870-876 MHz / 915-921 MHz
    • Chinese band: 470-510 MHz / 779-787 MHz
    • North American band: 902-928 MHz
    • Korean band: 917-923.5 MHz
    • Japanese band: 920-928 MHz
    • World-wide ISM band: 2400-2483.5 MHz
  • GNSS Receiver: Maxim MAX2769B supporting GPS, GLONASS, Galileo, and BeiDou
  • SoC: Two options available
    • Xilinx ZYNQ XC7Z010-1CLG400C
      • Dual-core ARM Cortex-A9 MPCore
      • 256 kb on-chip memory
      • DDR3 support
      • 28,000 logic cells
      • 17,600 LUTs
      • 2.1 Mb block RAM
      • 80 DSP slices
      • 2x UART, 2x CAN 2.0 B, 2x I²C, 2x SPI, 4x 32-bit GPIO
      • FPGA configuration via JTAG
    • Xilinx ZYNQ XC7Z020-1CLG400C
      • Dual-core ARM Cortex-A9 MPCore
      • 256 kb on-chip memory
      • DDR3 support
      • 85,000 logic cells
      • 53,200 LUTs
      • 4.9 Mb block RAM
      • 220 DSP slices
      • 2x UART, 2x CAN 2.0 B, 2x I²C, 2x SPI, 4x 32-bit GPIO
      • FPGA configuration via JTAG
  • EEPROM Memory: 1x Microchip AT24MAC602 for RF transceiver MCU firmware and data
  • Flash Memory: 1x QSPI 128 Mb flash memory for firmware
  • RAM: 512 MB DDR3
  • SD Card: Micro SD card slot
  • General User Inputs/Outputs:
    • 2x 8-bit PL (Programmable Logic) interfaces
    • 1x 8-bit PS (Programmable Subsystems) interface
  • Connectivity:
    • 1x Gigabit Ethernet
    • USB 2.0 High Speed (Microchip USB3310)
    • USB 2.0 Full Speed (Silicon Labs CP2104)
    • 2x SMA RF connector for Low Frequency IoT band
    • 2x SMA RF connector for 2.4 GHz band
    • 1x SMA connector for GNSS receiver
    • FPGA JTAG connector for external JTAG programmer/debugger
  • Clock System:
    • Single clock source for both RF frontends
    • Separate clock for GNSS receiver
  • Board Dimensions: 76.2 mm x 101.6 mm

The iotSDR