Reverse Engineering and Controlling a Pan-Tilt Camera Servo with an RTL-SDR and Arduino

The ZIFON YT-500 is a pan-tilt tripod designed for mounting small cameras and smart phones. It also comes with an RF based 433 MHz wireless remote control that allows you to remotely control the positioning.

However, Konstantin Dorohov wanted to be able to control the camera positioning from his PC rather than through the remote control, so he set out to reverse engineer and clone the 433 MHz wireless control signal.

To do this he first used an RTL-SDR and SDR# to record the signals generated by each button press of the remote. He then opened the audio files in Audacity, which allowed him to inspect the signal's structure and determine some important information such as the preamble + payload timing and ON/OFF pattern.

With this information he was then able to use an Arduino connected to a 433 MHz transmitter to replicate the signal exactly. His post contains the sample code that he used.
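The timing analysis described above can also be done programmatically instead of by eye in Audacity. The following is an added example, not code from Konstantin's post: it thresholds a demodulated amplitude envelope into ON/OFF runs and recovers the preamble and bit pattern. The sample rate, pulse widths and bit encoding are assumptions built into a constructed test signal, not the YT-500's actual protocol.

```python
# Added example: constructed signal and assumed timings, not the YT-500's real protocol.
SAMPLE_RATE = 48_000  # Hz; assumed sample rate of the AM-demodulated recording

def synth_envelope(pulses, rate=SAMPLE_RATE, on=0.8, off=0.05):
    """Build a constructed amplitude envelope from (level, duration_us) pairs."""
    samples = []
    for level, dur_us in pulses:
        samples.extend([on if level else off] * round(dur_us * rate / 1e6))
    return samples

def run_lengths(samples, rate=SAMPLE_RATE):
    """Threshold the envelope and return [(level, duration_us), ...] runs."""
    threshold = (max(samples) + min(samples)) / 2
    runs = []
    for s in samples:
        level = 1 if s > threshold else 0
        if runs and runs[-1][0] == level:
            runs[-1][1] += 1
        else:
            runs.append([level, 1])
    return [(lvl, round(n * 1e6 / rate)) for lvl, n in runs]

def decode(runs):
    """Return ((preamble_on_us, preamble_off_us), bits).

    Assumed framing: first ON/OFF pair is the preamble; each later ON pulse
    is one bit, long ON = 1 and short ON = 0. Only ON widths are compared,
    because the last OFF gap merges with the silence after the frame.
    """
    while runs and runs[0][0] == 0:      # drop silence before the frame
        runs = runs[1:]
    if len(runs) < 3:
        raise ValueError("no preamble and payload found")
    preamble = (runs[0][1], runs[1][1])
    ons = [dur for lvl, dur in runs[2:] if lvl == 1]
    mid = (min(ons) + max(ons)) / 2      # needs both bit values present
    return preamble, [1 if dur > mid else 0 for dur in ons]

def frame(bits):
    """Constructed test frame: silence, preamble, PWM bits, silence."""
    pulses = [(0, 3000), (1, 4000), (0, 2000)]
    for b in bits:
        pulses += [(1, 1000), (0, 500)] if b else [(1, 500), (0, 1000)]
    return pulses + [(0, 5000)]

if __name__ == "__main__":
    runs = run_lengths(synth_envelope(frame([1, 0, 1, 1, 0, 0, 1, 0])))
    print(decode(runs))
```

On a real recording the envelope would come from the rectified, low-pass filtered audio samples, and the measured run durations are what you would compare against the timings read off in Audacity.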

Reverse Engineering the Pan/Tilt Servo with an RTL-SDR, and replicating the signal with an Arduino.

SignalsEverywhere Reviews our RTL-SDR Blog L-Band Active Patch Antenna Kit

Over on the SignalsEverywhere YouTube channel Corrosive has uploaded a review of our RTL-SDR Blog L-Band Active Patch antenna. Our patch antenna can be used for applications such as Inmarsat, Iridium and GPS reception.

In the video Corrosive shows what the kit comes with, and first demonstrates the antenna working indoors. He also shows how signal SNR can be improved for indoor reception simply by adding a larger ground plane to the back of the antenna and clamping it on with the mounting screw. Later he shows what reception is like outdoors, and shows it being used to decode STD-C Inmarsat and Iridium signals.

If you're interested in this antenna we also previously posted about TechMinds' review video.

The antenna is available for sale on our web store, or from Amazon.

RTL SDR Blog L-Band Inmarsat/Iridium Satellite Service Patch Antenna

Tysonpower Reviews A Cheap 15€ DAB/DAB+ USB Receiver Dongle that Generates an MP3 Stream

Thank you to Tysonpower who wanted to share his review of a cheap 15€ DAB/DAB+ receiver USB dongle that he found on eBay.de (we also found the same device on eBay.com for US$23.99). The device is not an SDR, but it receives Band III DAB/DAB+ at 160-240 MHz and generates an MP3 stream which can be played back on any MP3 capable device such as a PC, single board computer or car head unit.

His review notes that the dongle works well. When you plug it in, the device shows up as a storage device. You then simply press a button to automatically search for DAB+ channels, and then choose one of the MP3 stream files that will show up to play live DAB+ audio on your device. In his video he also gives a quick teardown, showing that it uses an FCI FC8080 demodulator and an MVSilicon 32-bit micro with audio FFT accelerator.

While RTL-SDR dongles can also be used to receive DAB+ cheaply with software like SDR-J and welle.io, this may be a simpler method since it can be used on any device that can play MP3s.

Note that Tysonpower's video is narrated in German, with English subtitles. He also has a short blog post with images from the teardown.

[EN subs] DAB+ für nur 15€ Nachrüsten! - Digitalradio für alle MP3 fähigen Geräte mit USB

Decoding Differential GPS (DGPS) with an RSPdx and MultiPSK

Over on YouTube the TechMinds channel has uploaded a new video about decoding Differential GPS (DGPS) using an SDRplay RSPdx SDR. DGPS is a terrestrially transmitted long wave signal that is used to help correct and improve GPS position data calculations which may have timing errors due to atmospheric propagation delays. It works by broadcasting correction data calculated by the difference in received GPS location and the known location of the DGPS transmission site. DGPS is typically transmitted on longwave between 285 kHz and 315 kHz, but in Argentina there are two stations at 2570 and 2950 kHz.

In the video TechMinds explains how DGPS works, and some of the locations around the world from where it is transmitted. Later in the video he shows a DGPS signal being received by an SDRplay RSPdx SDR, and then shows a demo of how it can be decoded with MultiPSK.

We note that there are also various other DGPS decoders available, including decoders for Android and iOS. A list of decoders can be found on the DGPS sigidwiki page.

DGPS Differential GPS Decoding With RSPdx And MultiPSK

Airspy 30% Off Black Friday Sale Coupon Now Active

Airspy have recently announced on Twitter that they are holding a 30% off Black Friday sale that runs from November 26 to December 2. The coupon is apparently valid from all their distributors which can be found on their purchase page.

Airspy sell a range of software defined radios. The HF+ Discovery is one of the best low cost HF SDRs we've tested, and the Airspy Mini and R2 are good wide band VHF/UHF radios that are a step up from RTL-SDRs. The SpyVerter is a good upconverter that is also compatible with RTL-SDRs, and can be used with the bias tee on the RTL-SDR Blog V3.

The sale brings the pricing down to the following prices in USD (plus shipping costs):

Airspy HF+ Discovery: $169, now $118.30
Airspy HF+ Dual: $199, now $139.30
Airspy Mini: $99, now $69.30
Airspy R2: $169, now $118.30
SpyVerter: $49, now $34.40

This is the cheapest pricing we've seen yet, and probably the cheapest we'll see all year. Last year's Black Friday sale was only 15% off, so now's a good time to purchase if you were interested in these products.

Airspy Black Friday Sale

Coole-Radar: A Retro Terminal Based Radar Display for ADS-B Aircraft Data

John Wiseman has been working on a cool old-school retro styled aircraft ADS-B radar that runs entirely within a terminal window, so no GUI desktop should be required. The project, called "coole-radar", is available as open source code on GitHub.

It takes decoded ADS-B data via a Virtual Radar Server webpage, so it should be fairly easy to set up together with an RTL-SDR and dump1090 that feeds Virtual Radar Server. The latest version displays a radar screen with decay-like effect, a list of currently detected aircraft, and a pixelated screen of the aircraft image downloaded from the internet.

A Homebrew All-In-One RTL-SDR with Screen and Control Knobs Running on a Mini PC

Over on YouTube user Pablo Sala (KI7OJL) has uploaded a video that shows a neat all-in-one receiver build based on an RTL-SDR. Pablo's build runs on a Pipo X8 Mini PC which is a US$110 PC/tablet that includes a built-in LCD touch screen. The build also adds several Arduino powered control knobs for tuning, mode and bank selection, squelch and volume to the base. The knobs directly interface with HDSDR, his chosen software.

The video titles are dated 2017, but the video only seems to have been uploaded recently. Unfortunately we weren't able to find much more information about this build, other than the video.

Homebrew: RTL-SDR Receiver with Arduino-powered knobs on a Pipo X8 Mini PC running HDSDR, May 2017

DEF CON 27 SDR Talks: Antennas for Surveillance, Ford Keyfob Hack, Smart TV Wireless Side Channel Attack

Talks from this year's DEF CON 27 conference, which was held back in August, are now available on YouTube. DEF CON is a yearly conference that focuses on information security topics and often includes talks about SDRs and other wireless radio topics too. In particular we wanted to highlight the DEF CON 27 Wireless Village playlist which contains numerous talks related to wireless, radio and SDRs.

Most talks from the wireless village relate to WiFi, but one talk with some very useful information that we really enjoyed was "Antennas for Surveillance" by Alex Zakhorov. 

We will cover the various kinds of antennas available to optimize your SDR radio for different types of spectrum monitoring. We will also explain why RF filters are necessary on most SDRs and when Low Noise Amplifiers help, and when Low Noise Amplifiers hurt reception.

Kent Britain/WA5VJB - Antennas for Surveillance - DEF CON 27 Wireless Village

Another interesting talk was called "The Ford Hack Raptor Captor video" by Dale Wooden (Woody) where he shows how he used an RTL-SDR and HackRF to hack a Ford car key fob. If you're interested we wrote about the Hak5 videos on this hack in a previous post.

This talk will show flaws with development of security protocols in New Ford key fobs. This will exploit several areas. The ability for a denial of service to the keyfob WITHOUT jamming. How to trick the vehicle into resetting its rolling code count. How to lock, unlock, start, stop, and open the trunk of Ford vehicles using a replay attack after resetting rolling code count. How to find the master access code for Ford's keypad to bypass security. This talk will also demonstrate how to reset your key fobs if they are attacked by a deauth attack. We will also demonstrate gnu-radio script to automate RF collection of Ford key fobs. As seen on HAK5 episodes 2523-2525

Woody - The Ford Hack Raptor Captor video - DEF CON 27 Wireless Village

Outside of the Wireless village there were also some interesting SDR topics including this talk titled "SDR Against Smart TVs URL Channel Injection Attacks" by Pedro Cabrera Camara. If you're interested we also wrote about Pedro's work in a previous post.

Software-defined-radio has revolutionized the state of the art in IoT security and especially one of the most widespread devices: Smart TV. This presentation will show in detail the HbbTV platform of Smart TV, to understand and demonstrate two attacks on these televisions using low cost SDR devices: TV channel and HbbTV server impersonation (channel and URL injection). This last attack will allow more sophisticated remote attacks: social engineering, keylogging, crypto-mining, and browser vulnerability assessment.

Pedro Cabrera Camara - SDR Against Smart TVs URL Channel Injection Attacks - DEF CON 27 Conference