Homebrew SDR Transceiver for HF Operation

Traditionally when we think about Software-Defined Radio we’re thinking about little USB adapters that unlock a world of radio in the palm of our hands. This is done by allowing us to directly sample the IQ data from the mixer within the SDR.

However, this isn't the only way to experience Software-Defined Radio. Ham Radio operator [Charlie Morris] has uploaded a 10 part series on YouTube explaining how he implemented his own HF transceiver, including custom software. Some of the components, such as the amplifier and filters, are built completely from scratch, while other components use a little DSP magic from a "Teensy" microcontroller.

Charlie actually samples the I and Q data in a similar way that today’s SDRs do and even implemented the transmit side of the radio so he can make contact with other radio operators around the world, and man… it sounds good!

You can find a complete playlist from Charlie with well-explained videos that go over his entire process from planning, schematics, layout and final operation. The channel appears to be quite active and will surely continue to pump out amazing content.

Homebrew SDR SSB Rig - Part 1 Design Ideas and Thoughts

KiwiSDR Conference Talks: KiwiSDR and its GPSDO, TDoA Geo-Location and GNURadio Sources

Thank you to John ZL/KF6VO (creator of the KiwiSDR) for submitting some interesting KiwiSDR related conference talks that might be of interest to some readers. If you were unaware, the KiwiSDR is a US$299 HF SDR that can monitor the entire 0 - 30 MHz band at once. It is designed to be web-based and shared, meaning that the KiwiSDR owner, or anyone they've given access to, can tune and listen to it via a web browser over the internet. Many public KiwiSDRs can be found and browsed from the list at sdr.hu or by signal strength and location on this website. One of the most interesting KiwiSDR features is its TDoA capability, which allows users to geographically locate HF transmitters.

Introduction to the KiwiSDR and Bodnar GPSDO

Rob Robinett, AI6VN, gave a talk at the HamSCI Workshop 2019 (USA) titled "Introduction to the KiwiSDR and Bodnar GPSDO". In addition to Kiwi basics he shows a live demo of the performance advantages of using an external GPSDO as the Kiwi ADC clock. A line-of-sight measurement of frequency/time station WWV in Colorado using the Kiwi's internal GPS-compensated crystal oscillator (XO) is compared against using an external Bodnar GPSDO. The Kiwi's IQ display extension shows the frequency/phase difference between the ADC clock, internal or external, and WWV. Rob also discusses the publicly available eight-Kiwi installation (kphsdr.com:8074) he made at coastal radio station KPH north of San Francisco.

Introduction to the KiwiSDR

KiwiSDR as a new GNURadio source and TDoA geo-location

Christoph Mayer, DL1CH, is the author of the Kiwi's TDoA algorithm. His talk "KiwiSDR as a new GNURadio source and TDoA geo-location" was given at the Software Defined Radio Academy (SDRA) as part of HAM Radio 2019 in Friedrichshafen, Germany. He includes a very technical description of the TDoA process used by the Kiwi, including a live demo of direction finding a 16 MHz over-the-horizon radar (OTHR) signal from Cyprus.

Christoph Mayer, DL1CH: KiwiSDR as a new GNURadio Source

Solar Sail Satellite Lightsail-2 Now Transmitting Morse Code Beacon

Lightsail-2 is a solar sail experiment which successfully launched on a SpaceX Falcon Heavy on 25 June, and was released into orbit on July 2nd. A solar sail is a type of spacecraft that uses a large metallic foil to create propulsion from photons from the sun hitting it. Lightsail-2 is still undergoing testing, so it has not yet deployed its solar sail, but recent updates indicate that it is healthy.

On board Lightsail-2 is a radio which is transmitting its Morse code beacon "WM9XPA" every 45 seconds at 437.025 MHz. This beacon should be receivable with a handheld amateur radio 70cm Yagi and any radio such as an RTL-SDR. There is also an AX.25 telemetry data transmission; however, although the beacon structure is available, we are not aware of any publicly available decoding software.

One difficulty in receiving Lightsail-2 is that it is in an orbit inclination of only 24 degrees. So only locations with a latitude between 42 and -42 degrees will have a chance at receiving it. You can see the solar sail's current location at N2YO. Clicking on the 10-day predictions button will give you pass predictions for your location.
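The inclination-to-latitude reasoning above can be checked numerically. The example below is added here and is not from the original post; it assumes an orbital altitude of roughly 720 km for Lightsail-2 and shows that the quoted ±42 degree limit corresponds to a minimum elevation mask of about 10 degrees above the horizon, while a pure horizon-to-horizon footprint would reach about ±50 degrees.

```python
import math

EARTH_RADIUS_KM = 6371.0  # mean Earth radius


def coverage_half_angle_deg(altitude_km: float, min_elevation_deg: float) -> float:
    """Earth-central angle from the sub-satellite point to the edge of the
    circle inside which the satellite is at least min_elevation_deg above
    the observer's horizon (standard spherical-Earth footprint geometry)."""
    el = math.radians(min_elevation_deg)
    ratio = EARTH_RADIUS_KM / (EARTH_RADIUS_KM + altitude_km)
    # cos(el) * Re/(Re+h) = cos(el + central_angle)
    return math.degrees(math.acos(ratio * math.cos(el)) - el)


def max_observer_latitude_deg(inclination_deg: float,
                              altitude_km: float,
                              min_elevation_deg: float = 0.0) -> float:
    """Highest latitude (north or south) from which the satellite can ever be
    seen at or above min_elevation_deg: the ground track reaches the
    inclination, and the footprint extends the coverage half-angle beyond it."""
    lat = inclination_deg + coverage_half_angle_deg(altitude_km, min_elevation_deg)
    return min(90.0, lat)


if __name__ == "__main__":
    # Assumed values: 24 deg inclination (from the post), ~720 km altitude.
    for mask in (0.0, 5.0, 10.0):
        lat = max_observer_latitude_deg(24.0, 720.0, mask)
        print(f"elevation mask {mask:4.1f} deg -> usable latitude +/- {lat:.1f} deg")
```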

Estimated Lightsail-2 Viewing Range
Lightsail-2 Deployed

SignalsEverywhere: Investigating USGS Gaging Stations and their GOES Satellite Connection

The United States Geological Service maintains over 8500 "Gaging stations" in bodies of water all over the country. Gaging stations are devices that are used to measure environmental data such as groundwater levels, discharge, water chemistry, and water temperature. What's interesting is that they all upload their data in real time to GOES satellites - the same satellites that we can use with an RTL-SDR to receive weather images of the entire earth. The data is then downlinked in the L-band to the USGS scientists via a protocol known as DCP (Data Collection Platform).

In the latest SignalsEverywhere video, Corrosive investigates how these stations work, and how we can receive the downlink at 1.68 GHz with a simple Inmarsat L-band antenna. While a fully functional decoder is not yet available, Corrosive notes that one called goes-dcs is currently being worked on.

USGS Gaging Station | Satellite Uplink to GOES and DCP Messages

Tracking Company Jets with ADS-B to Give an Edge to Hedge Fund Investors

Financial news site Bloomberg recently ran an article about how hedge fund managers are using ADS-B to track private company aircraft in order to help predict the next megadeal between companies. They explain with an example:

In April, a stock research firm told clients that a Gulfstream V owned by Houston-based Occidental Petroleum Corp. had been spotted at an Omaha airport. The immediate speculation was that Occidental executives were negotiating with Buffett’s Berkshire Hathaway Inc. to get financial help in their $38 billion offer for rival Anadarko Petroleum Corp. Two days later, Buffett announced a $10 billion investment in Occidental.

There’s some evidence that aircraft-tracking can be used to get an early read on corporate news. A 2018 paper from security researchers at the University of Oxford and Switzerland’s federal Science and Technology department, tracked aircraft from three dozen public companies and identified seven instances of mergers-and-acquisitions activity. “It probably shouldn’t be your prime source of investing information, but as a feeder, as an alert of something else what might be going on, that’s where this work might be useful,” says Matthew Smith, a researcher at Oxford’s computer science department and one of the authors.

"Alternative data" collection firms like Quandl Inc. have services like "corporate aviation intelligence", where they use ADS-B data to keep tabs on private aircraft, then sell their data on to hedge funds and other investors who are hoping to gain an edge in the stock market.

Popular flight tracking sites that aggregate ADS-B data like FlightAware and FlightRadar24 censor data from private jets on their public maps upon the request of the owner, but it's not known if they continue to sell private jet data on to other parties. ADS-B Exchange is one ADS-B aggregator that promises to never censor flights, however the data is only free for non-commercial use. The value from using companies like Quandl is that they probably have a much more accurate database of who each private jet belongs to.

The Bloomberg article also mentions another use case for tracking private flights, which is tracking the movements of known dictators via their private jets. We previously posted an article about this too. We've also in the past seen ADS-B data used to track world leaders, and to help United Nations advisers track flights suspected of violating an arms embargo.

ADS-B data is typically collected these days with a low cost SDR like the RTL-SDR. We have a tutorial on setting up your own ADS-B home tracker here.

Features of Quandl Inc's Corporate Aviation Intelligence Service.

Running a Tesla Model 3 on Autopilot off the Road with GPS Spoofing

Regulus is a company that deals with sensor security issues. In one of their latest experiments they've performed GPS spoofing with several SDRs to show how easy it is to divert a Tesla Model 3 driving on Autopilot away from its intended path. Autopilot is Tesla's semi-autonomous driving feature, which allows the car to decide its own turns and lane changes using information from the car's cameras, Google Maps and its Global Navigation Satellite System (GNSS) sensors. Previously drivers had to confirm upcoming lane changes manually, but a recent update allows this confirmation to be waived.

The Regulus researchers noted that the Tesla is highly dependent on GNSS reliability, and thus were able to use an SDR to spoof GNSS signals causing the Model 3 to perform dangerous maneuvers like "extreme deceleration and acceleration, rapid lane changing suggestions, unnecessary signaling, multiple attempts to exit the highway at incorrect locations and extreme driving instability". Regarding exiting at the wrong location they write:

Although the car was a few miles away from the planned exit when the spoofing attack began, the car reacted as if the exit was just 500 feet away— slowing down from 60 MPH to 24 KPH, activating the right turn signal, and making a right turn off the main road into the emergency pit stop. During the sudden turn the driver was with his hands on his lap since he was not prepared for this turn to happen so fast and by the time he grabbed the wheel and regained manual control, it was too late to attempt to maneuver back to the highway safely.

In addition, they also tested spoofing on a Model S and found a link between the car's navigation system and the automatically adjustable air suspension system. It appears that the Tesla adjusts its suspension depending on the type of road it is on, which is recorded in its map database.

In their work they used an ADALM-PLUTO SDR ($150) for their jamming tests, and a bladeRF SDR ($400) for their spoofing tests. Their photos also show a HackRF.

Regulus are also advertising that they are hosting a webinar on July 11, 2019 at 09:00 PM Jerusalem time. During the webinar they plan to talk about their Tesla Model 3 spoofing work and release previously unseen footage.

GPS/GNSS spoofing is not a new technique. In the past we've posted several times about it, including stories about using GPS spoofing to cheat at Pokémon Go, misdirect drivers using Google Maps for navigation, and even a story about how the Russian government uses GPS spoofing extensively.

Some SDR tools used to spoof the Tesla Model 3.

Medtronic Minimed Insulin Pumps Recalled due to Wireless Security Vulnerabilities

A MiniMed Insulin Pump

Back at the 2018 Black Hat conference it was revealed by security researchers Billy Rios and Jonathan Butts that a HackRF could be used to take control of a Medtronic insulin pump. FDA advisories were issued at the time, and recently a new warning was issued noting that Medtronic MiniMed 508 and Paradigm series insulin pumps could be vulnerable to wireless attacks. The vulnerabilities could allow attackers to wirelessly cause the device to deliver excessive amounts of insulin or to stop insulin delivery.

Apparently the vulnerabilities cannot be fixed with a software update, so Medtronic have issued a voluntary recall, asking customers to contact their healthcare providers so that they can upgrade to newer units which are more secure (although these newer units are not available everywhere outside the USA). We also note that Medtronic implantable cardiac defibrillators (ICDs), which appear to share the same vulnerability, do not appear to have been recalled. For both the insulin pumps and ICDs, the issues stem from the fact that the "Conexus" wireless protocol used in the products does not use encryption, authentication or authorization.

A newspaper article at theregister.co.uk writes:

Security researchers Billy Rios, Jonathan Butts, and Jesse Young found that the wireless radio communications used between a vulnerable MiniMed pump and its CareLink controller device were insecure. An attacker who was in close enough physical proximity to the pump could masquerade as a CareLink unit, and send potentially life-threatening commands to the insulin pump over the air using a software-defined radio or similar kit.

"The vulnerabilities affect the radio features," Rios told The Register. "They use a custom radio protocol and the vulnerabilities were exploited through the use of software-defined radios."

Previously we also posted about how an RTL-SDR could be used to sniff RF data packets from a Minimed Insulin pump using the rtlmm software, and back in 2016 we posted how data could be sniffed from an implanted defibrillator.

Rdio Scanner: A Web Based UI for Trunk Recorder

Trunk Recorder is an RTL-SDR compatible open source Linux app that records calls from trunked P25 and SmartNet digital voice radio systems, which are commonly used by police and other emergency services in the USA. It can be used to set up a system that allows you to listen to previous calls at your leisure; however, it does not have any UI for easy browsing.

Recently Chrystian Huot wrote in and wanted to share his new program called "Rdio Scanner", which is a nice looking UI for Trunk Recorder. Rdio Scanner uses the files generated by Trunk Recorder to create a web based interface that looks like a real hardware scanner radio. Some of the features include:

  • Built to act as a real police radio scanner
  • Listen to live calls queued to listen
  • Hold a single system or a single talkgroup
  • Select talkgroups to listen to when live feed is enabled
  • Search past calls stored in the database
  • Just upload Trunk Recorder files with Curl

Rdio Scanner Interface Screenshots