Testing the ATS25 Max-Decoder Receiver

Thank you to Manuel Lausmann for submitting his videos where he tests out and upgrades an ATS25 Max-decoder receiver. The ATS25 Max-decoder is a low cost portable HF receiver which has a large number of decoders built in, such as RTTY, Hell, FT8 and FT4. Manuel notes that more decoders are still to come, such as SSTV. The built-in decoders make it superior to its predecessors, the x1 and x2.

We note that the ATS25 Max appears to be around US$75 on Aliexpress, but these appear to be Max units without the "-decoder" add on. So if you are looking at purchasing one, please make sure to check that you are getting one with the text "max-decoder".

Manuel also notes that older models of the ATS25 can be retrofitted with a decoder PCB and converted into an ATS25 Max-decoder with a firmware update written by Bernhard Binns.

Note that Manuel's videos below are narrated in German, however the YouTube subtitle auto-translate feature works well enough to understand what is being said. In the first video Manuel demonstrates and reviews the ATS25 Max-Decoder, showing off some of the decoding features.

In the second video Manuel shows how to update an old model ATS25 into the ATS25 Max by soldering on the decoder board.

Alter ATS25 umbauen zum max Decoder Teil 1 Die Hardware

Receiving 2.2 GHz with the RTL-SDR and Nooelec Ham It Down

Over on his YouTube channel dereksgc has uploaded a new video where he tests out a new, yet to be released downconverter product from NooElec. A downconverter works by shifting high frequencies down into a range that can be received by the RTL-SDR. This makes it useful for receiving 2.2 GHz S-band satellite downlinks, which are out of the tuning range of RTL-SDR dongles.

In his video dereksgc shows the new 'Ham-it-down' downconverter, and tests it with an LNA and S-band helix feed and dish. He shows that he is able to easily receive S-band telecommunications satellites without a dish, and with a dish he is able to receive the Coriolis and Chandrayaan-3 satellites.

The ham-it-down is expected to cost US$90 when released. We note that a much lower cost solution might be a commercial 2.2 GHz MMDS downconverter, which also comes with a built-in LNA and filtering and can be obtained from Aliexpress for less than US$20. Alternatively, the $90 might be better put towards a HackRF clone, which is almost the same price and can receive S-band natively without the need for an external downconverter.

Receiving 2.2 GHz with the RTL-SDR and Nooelec Ham It Down

KiwiSDR 2 Pre-Announcement

KiwiSDR is a 14-bit wideband, RX-only HF software defined radio created by John Seamons (ZL/KF6VO). The KiwiSDR has up to 32 MHz of bandwidth, so it can receive the entire 10 kHz - 30 MHz VLF/LF/MW/HF spectrum all at once. Other than the specifications, the main interesting feature of the KiwiSDR is that it is designed to be operated entirely as an online web based SDR which is accessed over a network connection. Owners can optionally share their KiwiSDRs online with anyone who wants to access them, which also allows for interesting distributed applications such as TDoA direction finding, which lets users pinpoint the location of unknown HF transmissions such as numbers stations.

KiwiSDR 2 has recently been "pre-announced" by creator John Seamons on the KiwiSDR forums. The changes to the design are not huge, but they bring a few iterative improvements. He writes:

KiwiSDR 2 Goals:

Minimal changes. Fastest time-to-market with lowest possible risk. BUT since the PCB is going to be re-spun fix some of the known limitations that don't add too much risk:

  • New RF front-end:
      • Balanced input via balun transformer
      • Digital attenuator (per the advisory group: pSemi PE4312, 0 - 31.5 dB, 0.5 dB steps)
      • Gas discharge tube (GDT) across input in addition to TVS diodes
      • Static drain resistors (100K) from input connections to ground
  • External ADC clock brought out on third SMA connector
  • Self test loopback mode using a short cable between this SMA and antenna input
  • New GPS chip to replace current one which is now EOL
  • Reverse polarity protection (via P-FET) on 5V DC input
  • TVS diode across 5V input

KiwiSDR 2 PCB Design

KrakenSDR: Finding Multiple GSM Base Station Transmit Towers with the Multi-VFO Feature

If you weren't already aware, KrakenSDR is our 5-channel coherent radio based on RTL-SDRs, and it can be used for applications like radio direction finding. KrakenSDR is in stock and can be purchased from CrowdSupply or Mouser. More information is also available on our website at krakenrf.com.

Last month we used the KrakenSDR to find the location of a low power FM transmitter. Now in this video we're using KrakenSDR to find the location of GSM base station transmit towers for four frequencies. We're also using the multi-VFO feature to capture the bearing data of these four frequencies simultaneously, which can save us some search time.

Once we've found the first transmit tower, we already have some logged bearing data that can be used to help us find the second tower faster. Then the third and fourth towers are even faster to find due to even more data having already been collected.

Interestingly, it also turns out that the first frequency we search for is actually being used by another tower that we pass along the way back. The location of this tower was picked up on the drive back to the first tower. It's possible that these two towers which are a few kilometers apart are covering different areas with directional antennas.

Also note that the first two transmitter searches use the "auto-zoom" map camera feature, which will automatically zoom the screen to show both the vehicle and estimated transmitter location. The second half uses the standard free camera mode.

This is on a new build of the App which is currently in testing, so some things may look slightly different to the currently released version. The new app version will have some minor feature improvements.

KrakenSDR: Finding Multiple GSM Base Station Transmit Towers with the Multi-VFO Feature

Encryption on the TETRA Protocol has been broken

TETRA (Terrestrial Trunked Radio) is a digital voice and text radio communications protocol often used by authorities and industry in Europe and in many other countries outside the USA. A major advantage of a digital communications protocol like TETRA is its ability to be secured via encryption.

Recently the security researchers at Midnight Blue in the Netherlands have discovered a collection of five vulnerabilities collectively called "TETRA:BURST", and most of the five vulnerabilities apply to almost every TETRA network in the world. The two most critical vulnerabilities allow TETRA to be easily decrypted or attacked using consumer hardware.

The first critical vulnerability, designated CVE-2022-24401, is described as a decryption oracle attack.

The Air Interface Encryption (AIE) keystream generator relies on the network time, which is publicly broadcast in an unauthenticated manner. This allows for decryption oracle attacks.
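To make the point of the quote concrete, here is a toy model added for this post; it is not TETRA's AIE, not TEA1, and not Midnight Blue's code. The keystream generator, the 80-bit demo key, the time-authentication key and the frame contents are all constructed for illustration. It shows the core problem from the defender's side: when a keystream is a deterministic function of the key and a network time that the terminal accepts without authentication, a replayed time value makes the keystream repeat, and XORing two such ciphertexts cancels the keystream without any key material being involved. The second half shows the mitigation the quote implies, authenticating the time broadcast so that forged or stale values never seed the keystream.

```python
import hashlib
import hmac

# Constructed demo values, not real keys: an 80-bit symmetric key (the article notes
# TEA1 keys are 80 bits) and a separate key for authenticating time broadcasts.
AIR_KEY = bytes.fromhex("00112233445566778899")
TIME_AUTH_KEY = b"constructed-demo-time-broadcast-auth-key"


def keystream(key: bytes, network_time: int, length: int) -> bytes:
    """Hypothetical toy keystream generator: SHA-256 in counter mode over
    (key, time, counter). The only property the demonstration needs is that the
    output is a deterministic function of the key and the network time."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        block = key + network_time.to_bytes(8, "big") + counter.to_bytes(4, "big")
        out += hashlib.sha256(block).digest()
        counter += 1
    return bytes(out[:length])


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt_frame(key: bytes, network_time: int, plaintext: bytes) -> bytes:
    """Stream-cipher style encryption: ciphertext = plaintext XOR keystream(key, time)."""
    return xor_bytes(plaintext, keystream(key, network_time, len(plaintext)))


def demo_unauthenticated_time() -> dict:
    """A terminal that takes network time from an unauthenticated broadcast will
    encrypt a second frame under a time value it has already used. The keystream
    then repeats, and XORing the two ciphertexts leaves the XOR of the two
    plaintexts (a two-time pad); no key material is needed to observe this."""
    frame1 = b"unit 7 proceed to gate 3"      # constructed sample traffic
    frame2 = b"unit 9 hold at checkpoint"
    genuine_time = 1_690_000_000
    c1 = encrypt_frame(AIR_KEY, genuine_time, frame1)
    # Unauthenticated broadcast: the terminal accepts whatever time value it hears,
    # here a replay of the value already used for frame1.
    replayed_time = genuine_time
    c2 = encrypt_frame(AIR_KEY, replayed_time, frame2)
    n = min(len(c1), len(c2))
    return {
        "keystream_repeated": keystream(AIR_KEY, genuine_time, n)
        == keystream(AIR_KEY, replayed_time, n),
        "ciphertext_xor_equals_plaintext_xor": xor_bytes(c1[:n], c2[:n])
        == xor_bytes(frame1[:n], frame2[:n]),
    }


def sign_time_broadcast(auth_key: bytes, network_time: int) -> tuple:
    """Mitigation, infrastructure side: attach a MAC to the broadcast time."""
    tag = hmac.new(auth_key, network_time.to_bytes(8, "big"), hashlib.sha256).digest()
    return network_time, tag


def accept_time_broadcast(auth_key: bytes, network_time: int, tag: bytes,
                          last_accepted: int) -> bool:
    """Mitigation, terminal side: accept a broadcast time only if its MAC verifies
    and it moves forward, so a forged or replayed value never seeds the keystream."""
    expected = hmac.new(auth_key, network_time.to_bytes(8, "big"), hashlib.sha256).digest()
    return hmac.compare_digest(expected, tag) and network_time > last_accepted


def demo_authenticated_time() -> dict:
    last_accepted = 1_690_000_000
    genuine = sign_time_broadcast(TIME_AUTH_KEY, last_accepted + 1)
    forged_tag = bytes(32)                                        # no TIME_AUTH_KEY held
    replayed = sign_time_broadcast(TIME_AUTH_KEY, last_accepted)  # valid tag, stale value
    return {
        "genuine_accepted": accept_time_broadcast(TIME_AUTH_KEY, genuine[0], genuine[1], last_accepted),
        "forged_rejected": not accept_time_broadcast(TIME_AUTH_KEY, last_accepted + 5, forged_tag, last_accepted),
        "replay_rejected": not accept_time_broadcast(TIME_AUTH_KEY, replayed[0], replayed[1], last_accepted),
    }


if __name__ == "__main__":
    print(demo_unauthenticated_time())
    print(demo_authenticated_time())
```

The design point is that the MAC alone is not enough: a correctly signed but stale time value would still repeat a keystream, which is why `accept_time_broadcast` also requires the value to advance past the last accepted one.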

The second vulnerability, CVE-2022-24402, is a backdoor built into TEA1-encrypted TETRA, which allows for very easy brute-force decryption.

The TEA1 algorithm has a backdoor that reduces the original 80-bit key to a key size which is trivially brute-forceable on consumer hardware in minutes.

Midnight Blue are due to release more technical details about the vulnerabilities on August 9 during the BlackHat security conference. Due to the sensitivity of the findings, the team have also held back their findings for over 1.5 years, notifying as many affected parties as possible and releasing recommended mitigations. It's unclear at the moment how many TETRA providers have implemented mitigations already.

For more detail about the possible implications the team write:

The issues of most immediate concern, especially to law enforcement and military users, are the decryption oracle and malleability attacks (CVE-2022-24401 and CVE-2022-24404) which allow for interception and malicious message injection against all non-E2EE protected traffic regardless of which TEA cipher is used. This could allow high-end adversaries to intercept or manipulate law enforcement and military radio communications.

The second issue of immediate concern, especially for critical infrastructure operators who do not use national emergency services TETRA networks, is the TEA1 backdoor (CVE-2022-24402) which constitutes a full break of the cipher, allowing for interception or manipulation of radio traffic. By exploiting this issue, attackers can not only intercept radio communications of private security services at harbors, airports, and railways but can also inject data traffic used for monitoring and control of industrial equipment. As an example, electrical substations can wrap telecontrol protocols in encrypted TETRA to have SCADA systems communicate with Remote Terminal Units (RTUs) over a Wide-area Network (WAN). Decrypting this traffic and injecting malicious traffic allows an attacker to potentially perform dangerous actions such as opening circuit breakers in electrical substations or manipulating railway signalling messages.

The deanonymization issue (CVE-2022-24403) is primarily relevant in a counter-intelligence context, where it enables low-cost monitoring of TETRA users and their movements in order to allow a state or criminal adversary to avoid covert observation or serve as an early warning of impending intervention by special forces.

Finally, the DCK pinning attack (CVE-2022-24400) does not allow for a full MitM attack but does allow for uplink interception as well as access to post-authentication protocol functionality.

Below is a demonstration of the TEA1 CVE-2022-24402 attack on TETRA, and if you are interested the Midnight Blue YouTube channel also contains a video demonstration for the CVE-2022-24401 decryption oracle attack.

Demo: TETRA TEA1 backdoor vulnerability (CVE-2022-24402)

Currently, it is possible to decode unencrypted TETRA using an RTL-SDR with software like TETRA-Kit, SDR# TETRA Plugin, WinTelive, and Telive. In the video the research team appear to use Telive as part of their work.

We also note that in the past we've run several stories about Dejan Ornig, a Slovenian researcher who was almost jailed because of his research into TETRA. Dejan's research was much simpler, as he simply discovered that many police radios in his country had authentication turned off when it should have been on.

TETRA Decoding (with telive on Linux)

TechMinds: Testing New RadioBerry Productions – an HF SDR Transceiver Raspberry Pi Hat

Back in July 2021 we posted about the RadioBerry HF SDR Transceiver Raspberry Pi Hat which is an open source project by PA3GSB. It is based on the AD9866 chip which gives it a 12-bit ADC with one RX and one TX channel, a maximum bandwidth of up to 384 kHz, and an operating frequency range of 0 to 30 MHz.

Because of FPGA component shortages, the device has been out of stock and stagnant for a long time. However, recently a new version has been released by well-known SDR hardware cloner Justin Peng and is now available for sale on Aliexpress for US$155. As the design for this project is open source, Justin's new version is legal, and he has released the redesigned open source files on his GitHub.

In his latest video, Matt from the TechMinds YouTube channel tests out this new board. He starts by explaining the history of the RadioBerry, and shows how to set it up and install the software. He goes on to demonstrate it receiving some HF signals, transmitting on 3 kHz and 5 kHz, and how to run it standalone on a Raspberry Pi 4 with a screen.

RADIOBERRY HF SDR TRANSCEIVER PI HAT - IT'S BACK!

Fox Hunting with the KrakenSDR

Over on his YouTube channel Mark Jessop has uploaded some dash cam footage showing him using a KrakenSDR and a custom LED display to hunt down three amateur radio transmitters during a fox-hunt.

An amateur radio fox-hunt is an activity where someone will hide a transmitter within a defined area, and it is up to the hunters to use radio direction finding equipment to find it. The KrakenSDR is our 5-channel coherent radio based on RTL-SDRs, and it can be used for applications like radio direction finding.

Mark uses a custom four element array on the roof of his car, which is connected to his KrakenSDR. Instead of the KrakenSDR app, Mark prefers to use his custom LED HUD to display the bearings and signal power directly.

Some annotated and sped-up dash-cam footage captured during the July 2023 Amateur Radio Experimenters Group Fox-hunt. We run these monthly, and usually have three transmitters hidden around the Adelaide (South Australia) area.

I run a KrakenSDR with a custom-built 4-element antenna array mounted to the roof of my car. This gives me direction estimates to the target transmitter, at least when the signals are strong enough!

I've also built a heads-up-display which helps me safely make use of the KrakenSDR's output data while driving. The source code for this is here: https://github.com/darksidelemm/neopixel-doa-display

The display is shielded so it's not visible from outside the car - Red & Blue lights on your dashboard can give the wrong impression!

AREG Fox-hunt - 14th July 2023

Goestools Now Ported to Run on Windows

Thank you to Carl Reinemann (aka USRadioGuy) for letting us know through his blog post that goestools has recently been ported to Windows. Goestools is a software package that is used to receive and decode images from GOES weather satellites. In the past it was only available for Linux systems; however, thanks to the recent work of Jamie Vital, goestools has now been ported and can run on Windows. Carl Reinemann has confirmed that the software runs perfectly on Windows. Our GOES tutorial should also be easily modified to work with the Windows port.

The Windows port can be downloaded from goestools-win on GitHub. If you are interested, Jamie Vital is also the author of Vitality GOES, which is a program that can display the received weather images in a nice GUI.

Alternatively we note that another cross platform GOES decoder is SatDump which is currently the most popular choice for GOES.

Goestools on Windows