Meteor M2 is Currently Experiencing Orientation Issues

Russian weather satellite Meteor M2 is a popular reception target for RTL-SDR radio enthusiasts, as it allows you to receive high resolution images of the Earth. However, it currently appears to be exhibiting orientation issues, causing off-center and skewed images and sometimes poor or no reception. Russian blog "aboutspacejornal" writes that the orientation of the satellite can sometimes be restored, presumably by a reset command from Earth, but that shortly afterwards it goes back into uncontrolled rotation.

These sorts of off-axis images were commonly received from the older decommissioned Meteor-M1 satellite, which woke up from the dead in 2015. The resurrection was speculated to be from the batteries shorting out, allowing power to directly flow from the solar panels while in full sunlight. These days Meteor-M1 is no longer transmitting.

Meteor M2 proving the curvature of the earth due to its orientation issues. Image source aboutspacejornal.

Hopefully Meteor-M2 can be fixed, but if not, Meteor M2-2 is due to be launched on July 5 which should also have an LRPT signal that can be received easily with an RTL-SDR. Hopefully the launch is more successful than the November 2017 launch of Meteor M2-1 which unfortunately was a complete loss as it failed to separate from the rocket.

Hak5: Hacking Ford Key Fobs with a HackRF and Portapack

This week's episode of Hak5 (an information security themed YouTube channel) features Dale Wooden (@TB69RR) who joins hosts Shannon and Darren to demonstrate a zero day vulnerability against Ford keyless entry/ignition. More details about the vulnerability will be presented at this year's DEF CON 27 conference, which is due to be held on August 8 - 11.

In the video Dale first demonstrates how he uses a HackRF with Portapack to capture and then replay the signal from a Ford vehicle's keyfob. The result is that the original keyfob no longer functions, locking the owner out from the car. After performing a second process with another keyfob, Dale is now able to fully replicate a keyfob, and unlock the car from his HackRF.

Dale explains that unlike the well known jam-and-replay methods, his method requires no jamming, and instead uses a vulnerability to trick the car into resetting the rolling code counter back to zero, allowing him to capture rolling codes that are always valid. Dale also notes that he could use any RX capable SDR like an RTL-SDR to automatically capture signals from over 100m away.
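Why a counter that can be sent back to zero defeats replay protection, shown as an added example that is not code from the video, from Dale or from Ford. The HMAC-based code format, the 16-code acceptance window, the key and the `reset_counter()` method are all assumptions made for illustration; the actual Ford protocol and the way the reset is triggered are not described on this page.

```python
import hashlib
import hmac

KEY = b"constructed-demo-key"  # constructed shared secret, not a real fob key
WINDOW = 16                    # assumed look-ahead window of accepted counters


def fob_code(counter: int, key: bytes = KEY) -> bytes:
    """Code a fob sends for a counter value (toy scheme: counter + truncated HMAC)."""
    msg = counter.to_bytes(4, "big")
    return msg + hmac.new(key, msg, hashlib.sha256).digest()[:8]


class Receiver:
    """Toy vehicle-side validator. With monotonic=True it keeps a high-water
    mark that survives a counter reset, so old codes never become valid again."""

    def __init__(self, monotonic: bool, key: bytes = KEY):
        self.key, self.monotonic = key, monotonic
        self.counter = 0     # last accepted counter (cleared by a reset)
        self.high_water = 0  # highest counter ever accepted (never decreases)

    def reset_counter(self) -> None:
        """Hypothetical stand-in for the counter reset; trigger unspecified."""
        self.counter = 0

    def accept(self, code: bytes) -> bool:
        if len(code) != 12:
            return False
        ctr = int.from_bytes(code[:4], "big")
        if not hmac.compare_digest(code, fob_code(ctr, self.key)):
            return False  # bad authentication tag
        floor = max(self.counter, self.high_water) if self.monotonic else self.counter
        if not floor < ctr <= floor + WINDOW:
            return False  # stale (replayed) or too far ahead
        self.counter = ctr
        self.high_water = max(self.high_water, ctr)
        return True


def demo(monotonic: bool) -> dict:
    rx = Receiver(monotonic)
    captured = fob_code(5)             # constructed sample: one observed code
    first = rx.accept(captured)        # legitimate press is accepted
    replay = rx.accept(captured)       # plain replay is rejected
    rx.reset_counter()
    after_reset = rx.accept(captured)  # valid again only if the floor moved back
    return {"first": first, "replay": replay, "after_reset": after_reset}
```

The receiver that tracks only the resettable counter accepts the old code again after the reset, while the one that enforces a non-decreasing high-water mark keeps rejecting it and still accepts the fob's next fresh code.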

The vulnerability has been disclosed to Ford, and the full details and code to do the attack will only be released at DEF CON 27, giving Ford enough time to fix the vulnerability. It is known to affect 2019 Ford F-150 Raptors, Mustangs and 2017 Ford Expeditions, but other models are also likely to be vulnerable.

The video is split into three parts. In part 1 Dale demonstrates the vulnerability on a real vehicle and in part 2 he explains the story behind his discovery, how he responsibly disclosed the vulnerability to Ford and how to reset the keyfob yourself. Finally in part 3 Darren interviews Dale about his experiences in the RF security field.

Dale's discovery has also been written up in an article by The Parallax which explains the exploit in more detail.

Hacking Ford Key Fobs Pt. 1 - SDR Attacks with @TB69RR - Hak5 2523 [Cyber Security Education]

Hacking Ford Key Fobs Pt. 2 - SDR Attacks with @TB69RR - Hak5 2524 [Cyber Security Education]

Hacking Ford Key Fobs Pt. 3 - SDR Attacks with @TB69RR - Hak5 2525 [Cyber Security Education]

SignalsEverywhere: SDR Bias-Tee’s and Enabling the V3 Bias Tee

Today's video from Corrosive on the SignalsEverywhere YouTube channel discusses bias tees. He explains what they're used for, and how to enable them on various SDRs. In particular he shows how to use the software to enable the bias tee on our RTL-SDR Blog V3 dongles. A bias tee allows you to power antenna side devices like low noise amplifiers by putting DC voltage on the coaxial cable.

The RTL-SDR Blog V3 dongle has a built-in software selectable bias tee. By default it is turned off, and can easily be turned on by running some simple software. Instructions are available in the V3 users guide at www.rtl-sdr.com/V3.

Bias T | Enable The Bias Tee on the RTL-SDR v3

Using a Software Defined Radio to Send Fake Presidential Alerts over LTE

Modern cell phones in the USA are all required to support the Wireless Emergency Alert (WEA) program, which allows citizens to receive urgent messages like AMBER (child abduction) alerts, severe weather warnings and Presidential Alerts.

In January 2018 an incoming missile alert was accidentally issued to residents in Hawaii, resulting in panic and disruption. More recently an unblockable Presidential Alert test message was sent to all US phones. These events have prompted researchers at the University of Colorado Boulder to investigate concerns over how this alert system could be hacked, potentially allowing bad actors to cause mass panic on demand (SciHub Paper).

Their research showed that four low cost USRP or bladeRF TX capable software defined radios (SDR) with 1 watt output power each, combined with open source LTE base station software could be used to send a fake Presidential Alert to a stadium of 50,000 people (note that this was only simulated - real world tests were performed responsibly in a controlled environment). The attack works by creating a fake and malicious LTE cell tower on the SDR that nearby cell phones connect to. Once connected an alert can easily be crafted and sent to all connected phones. There is no way to verify that an alert is legitimate.

Spoofed Presidential Alerts Received on a Galaxy S8 and iPhone X.

Raspberry Pi 4 Released: Improvements to CPU, Networking, USB, RAM and more

The Raspberry Pi is the most popular credit card sized computing board in the world. It is commonly used as a low cost and portable computing platform for SDRs like the RTL-SDR. Today the Raspberry Pi 4 was released, bringing us a new US$35 single board computer with many improvements. Some of the main improvements that make the Pi 4 great for software defined radios are listed below:

CPU: The Pi 4 uses a Quad-Core Broadcom ARM A72 clocked at 1.5 GHz. This chip should be significantly faster compared to the older chip used on the Pi3B+ with performance now being similar to that of the Tinkerboard. This will be especially useful for CPU intensive SDR applications like the direction finding and passive radar software for our coherent 4-tuner RTL-SDR known as the KerberosSDR. It should also help allow OpenWebRX servers to serve more simultaneous users, allow graphical programs like GQRX to run smoother, and allow for higher sample rates on higher end SDRs.

GPU: The new faster GPU should help graphical SDR programs run smoother.

RAM: The Pi 4 comes with three RAM options, either 1GB, 2GB or 4GB of RAM. The versions with more RAM will be great for memory intensive applications such as GNU Radio (and compiling GNU Radio). It will also allow more programs to run in the background, and perhaps combined with the improved CPU speed allow for multiple SDRs to be used on demanding tasks.

Networking: The Pi 4 finally supports Gigabit Ethernet which will be very useful to people using the board as an SDR server over the internet.

USB: There are now two USB 3.0 ports available which means that USB 3.0 SDRs like the LimeSDR could in theory be used at higher sample rates on the Pi 4.

There are also many other improvements such as dual 4K HDMI ports, a USB-C power supply port and faster SD card transfers.

Raspberry Pi 4 Improvements

It is not yet known if the very useful Raspberry Pi specific software known as RPiTX will continue to function on the new Pi 4. RPiTX is software that turns Raspberry Pi units into fully functional RF transmitters without the need for any additional transmitting hardware - just attach an antenna wire to a GPIO pin. It works by modulating the GPIO pin in such a way as to create almost any type of RF transmission. RPiTX only functions on the specific proprietary Broadcom CPU chips that Raspberry Pis use. The Pi 4 does continue to use a Broadcom CPU, so we are hopeful.

The new changes bring the Raspberry Pi up to speed with rivals like the Tinkerboard, but at a lower price and with a much better amount of software and OS support provided. The boards currently cost $35 for the 1GB version, $45 for the 2GB version and $55 for the 4GB version. They are sold via local resellers which can be found on the official Pi 4 product page.

New Products in Store: RadarBox ADS-B Bundle Including Outdoor ADS-B Antenna and ADS-B Optimized RTL-SDR Dongle

A while back we posted about flight tracking company RadarBox.com who had launched their 1090 MHz ADS-B optimized RTL-SDR. Like other ADS-B optimized RTL-SDRs, the dongle contains a 1090 MHz filter and a low noise amplifier that reduces the noise figure, resulting in better SNR, and thus more planes spotted at further distances.

We spoke with RadarBox and asked if they could provide a low cost RTL-SDR + Antenna bundle for us. That bundle is now available in our store for $49.95 + shipping. Shipping takes about 2-3 weeks and costs between $10 - $25 depending on your country. Shipping costs will be automatically added to the cart on checkout (please ignore other shipping options and choose free shipping unless you have other items in the cart). Please note that due to the larger size this will be shipped in a cylindrical package from a separate Chinese warehouse, and tracking info will come a few days later in a separate email.

The bundle includes:

  • 1x RadarBox ADS-B 1090 MHz SMA Outdoor Antenna with mounting brackets
  • 1x RadarBox ADS-B Optimized 1090 MHz RTL-SDR

The antenna has 7 dBi gain, 50 (±5) Ohm impedance, and is made from fiberglass and aluminum. It is fully waterproof and outdoor rated. This is a great set at a great price to get started tracking planes with ADS-B.

To purchase, please click the Add to Cart button below or visit our store at www.rtl-sdr.com/store. Please note we only have limited stock of this product! NOTE: The first shipment of this product will be on July 2nd.

RadarBox Bundle: Includes 1x Outdoor ADS-B Antenna, 1x ADS-B Optimized RTL-SDR

SignalsEverywhere: Decoding Inmarsat EGC and AERO ACARS

In his latest video Corrosive from the SignalsEverywhere YouTube channel discusses Inmarsat LES EGC and AERO ACARS decoding. Inmarsat is a satellite provider that has multiple geosynchronous satellites that can be received from almost anywhere in the world at around 1.5 GHz with an RTL-SDR and appropriate antenna + LNA. Inmarsat EGC and AERO are two channels on Inmarsat satellites that can easily be decoded.

The Enhanced Group Call (EGC) messages typically contain text information such as search and rescue (SAR) and coast guard messages as well as news, weather and incident reports. AERO messages on the other hand are a form of satellite ACARS, and typically contain short messages from aircraft. More interestingly with a bit of work compiling audio decoders, it is also possible to listen in to AERO C-Channel conversations, which is an emergency phone call service available on some aircraft.

In his video Corrosive gives an overview and demonstration of EGC and AERO reception.

Inmarsat LES EGC and AERO ACARS Decoding

A LimeSDR Mini Based Es’Hail-2 DATV Ground Station Uplink

Daniel Estévez has posted on the LimeSDR Mini CrowdSupply blog about his ground-station build for the Es'Hail-2 satellite. Es'Hail-2 is the first geostationary satellite with amateur radio transponders on board. The LimeSDR Mini is a $159 RX/TX capable SDR with 10 MHz to 3.5 GHz frequency range.

The Es'Hail-2 satellite is positioned at 25.5°E which is over Africa. Its reception footprint covers Africa, Europe, the Middle East, India, eastern Brazil and the west half of Russia/Asia. There are two amateur transponders on the satellite. One is a narrow band linear transponder which uplinks from 2400.050 - 2400.300 MHz and downlinks from 10489.550 - 10489.800 MHz. Another is a wide band digital transponder for digital amateur TV (DATV) which uplinks from 2401.500 - 2409.500 MHz and downlinks from 10491.000 - 10499.000 MHz.

Daniel's ground station uses a LimeSDR Mini running on a Beaglebone Black. A 2.4 GHz WiFi parabolic grid antenna is used to transmit to the satellite's digital amateur TV uplink. In order to generate enough power for the uplink transmission a GALI-84 amplifier chip is cascaded with a 100W power amplifier. All the electronics are enclosed in a watertight box and placed outside.

A LimeSDR Mini Based Es'Hail-2 DATV Uplink Ground Station