Steve M Talks about Osmo-FL2K at Osmocom Conference 2018

Osmo-FL2K can be considered as the [evil] transmit-side brother of RTL-SDRs. It is a driver that allows cheap $5 - $15 USB 3.0 VGA adapters to be used as a transmit-only capable SDR. It might be considered [evil] as transmitting illegally and without filtering can pollute the RF spectrum, but being responsible with it and using appropriate filters could enable extremely low cost transmitters.

Recently at the October 2018 Osmocom Conference, Steve M, the man behind the Osmo-FL2K discovery and software (and heavily responsible for the development of RTL-SDR too), gave a talk titled "osmo-fl2k - the [evil] transmit-side brother of RTL-SDR". In the past he's also given a similar talk that we posted about previously.

The talk goes over the discovery and reverse engineering of Osmo-FL2k, discussion of the application itself, some signals that have been successfully transmitted and some measurements.

Osmocom is behind the discoveries of RTL-SDR and OsmoFL2K. If you'd like to support them please donate at OpenCollective, and check out their other projects at osmocom.org.

osmo-fl2k - the [evil] transmit-side brother of RTL-SDR

YouTube Tutorial: Software Set up for a Portable Raspberry Pi and RTL-SDR Based NOAA Weather Satellite Receiver

Last year in December we posted about Matt's element14 sponsored video which showed us how to create a portable, briefcase-contained NOAA satellite receiver based on a Raspberry Pi and RTL-SDR dongle. The build consisted of a heavy duty briefcase, a modified ATX PSU and a stripped down LCD monitor panel. This build resulted in a rugged and portable receiver. The full series of videos demonstrating the briefcase, ATX PSU conversion, LCD teardown, and NOAA satellite receiver demo can be found on his YouTube Playlist.

In his latest video Matt goes over the software installation procedure for creating an automated NOAA weather satellite receiver on the Raspberry Pi. He uses gpredict for predicting the satellite passes, and the Raspberry Pi version of WXtoImg for decoding the images. The rest of the video shows how to set up the software for your particular location, and how to set up decoding automation.

How To Set Up a Raspberry Pi as a NOAA Satellite Receiver with RTL-SDR

Using an Airspy HF+ with SDR# and WSJT-X to Decode FT8 + SpyServer FT8 Decoding Demo

Over on YouTube user TheGazLab has uploaded a video that reviews the Airspy HF+, and also shows how to use the HF+ with SDR# and WSJT-X in order to create an FT8 monitor. The Airspy HF+ is a high dynamic range HF/VHF receiver designed for DXing.

In the video TheGazLab demonstrates to us the decoding in real time, and explains the CAT control SDR# plugin that he's using. The CAT control plugin when combined with a virtual serial port driver allows the WSJT-X program to automatically tune SDR# to the FT8 frequency selected in WSJT-X.

Later in the video he also discusses the SpyServer network, which allows SDR# users to connect to remote public Airspy and RTL-SDR units over the internet. He demonstrates connecting to a public server in the UK, and decoding FT8 via the remote server. The video also shows the new SpyServer interface, which nicely lays out the world SpyServer network on a map, making it easy to choose a desired location to listen to.

Airspy HFPlus, SDR# and WSJT-X with full CAT control decoding FT-8

rtl_map: A Simple FFT Visualizer for RTL-SDR

Thank you to 'KeyLo99' for submitting news of the release of his new RTL-SDR based program called rtl_map. rtl_map is currently a simple app that uses an RTL-SDR to display an FFT frequency graph. It is based on the gnuplot and fftw3 libraries.

Over on our forums KeyLo99 describes the motivation behind the project as mostly being a good reference program for people wanting to learn how to read and process IQ data from the RTL-SDR:

I'm an RTL-SDR researcher and DSP learner currently working on a project for properly figuring RTL2832 and I/Q fundamentals out. The project is about reading raw I/Q samples, processing samples and creating an FFT graph from them. I tried to explain what I'm doing in detail with comment lines. I'm hoping that I will be helpful to RTL-SDR beginners with this rtl_map [C] project. Another purpose of the rtl_map project is making a frequency scanner application for signal security research.

FFT Plot from rtl_map
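The processing chain KeyLo99 describes (read raw I/Q, condition the samples, FFT them into a spectrum) is small enough to show end to end. The following is an added example written for this post, not code from the rtl_map project: it uses only the Python standard library, so there is no fftw3 or gnuplot dependency, and it feeds itself a constructed single-tone capture in the RTL-SDR byte format (interleaved unsigned 8-bit I and Q, centred on 127.5) instead of reading from a dongle. The sample rate, tone frequency and block size are assumptions chosen so the tone lands exactly on an FFT bin.

```python
"""Parse RTL-SDR raw I/Q bytes and compute an FFT power spectrum (pure Python)."""
import cmath
import math


def iq_bytes_to_complex(raw):
    """rtl_sdr / rtl_tcp emit interleaved unsigned 8-bit I,Q pairs, zero-centred
    at 127.5.  Convert them to complex samples scaled into [-1, 1]."""
    if len(raw) % 2:
        raise ValueError("odd byte count: the last I/Q pair is incomplete")
    return [complex((raw[i] - 127.5) / 127.5, (raw[i + 1] - 127.5) / 127.5)
            for i in range(0, len(raw), 2)]


def fft(x):
    """Recursive radix-2 Cooley-Tukey FFT.  len(x) must be a power of two."""
    n = len(x)
    if n == 1:
        return list(x)
    if n & (n - 1):
        raise ValueError("FFT length must be a power of two")
    even = fft(x[0::2])
    odd = fft(x[1::2])
    out = [0j] * n
    for k in range(n // 2):
        t = cmath.exp(-2j * math.pi * k / n) * odd[k]
        out[k] = even[k] + t
        out[k + n // 2] = even[k] - t
    return out


def power_spectrum_db(samples, sample_rate):
    """Remove DC, apply a Hann window, FFT, and return (offset_hz, power_db)
    pairs ordered from -fs/2 to +fs/2 (the usual fftshift view)."""
    n = len(samples)
    mean = sum(samples) / n  # the RTL2832 DC spike would otherwise dominate
    win = [0.5 - 0.5 * math.cos(2 * math.pi * i / n) for i in range(n)]
    spec = fft([(s - mean) * w for s, w in zip(samples, win)])
    shifted = spec[n // 2:] + spec[:n // 2]  # negative offsets first
    resolution = sample_rate / n
    return [((k - n // 2) * resolution,
             10 * math.log10(abs(v) ** 2 / n ** 2 + 1e-20))
            for k, v in enumerate(shifted)]


def peak_frequency(spectrum):
    """Offset (Hz from centre frequency) of the strongest bin."""
    return max(spectrum, key=lambda p: p[1])[0]


def synth_iq_bytes(tone_hz, sample_rate, n, amplitude=100):
    """Constructed test input: one complex tone in RTL-SDR byte format."""
    out = bytearray()
    for i in range(n):
        ph = 2 * math.pi * tone_hz * i / sample_rate
        out.append(int(round(127.5 + amplitude * math.cos(ph))))
        out.append(int(round(127.5 + amplitude * math.sin(ph))))
    return bytes(out)


if __name__ == "__main__":
    FS, TONE, N = 2_048_000, 250_000, 1024  # assumed: 2.048 MS/s, +250 kHz tone
    raw = synth_iq_bytes(TONE, FS, N)       # swap in open("capture.bin","rb").read(2*N)
    spectrum = power_spectrum_db(iq_bytes_to_complex(raw), FS)
    print("bin resolution: %.1f Hz" % (FS / N))
    print("strongest signal at %+.0f Hz from centre" % peak_frequency(spectrum))
```

Replacing `synth_iq_bytes` with the bytes of a real `rtl_sdr` capture file (or a `rtl_tcp` stream) is the only change needed to run this on live data; the 1024-point block gives a 2 kHz bin width at 2.048 MS/s, and the Hann window trades a little resolution for lower sidelobes so a strong carrier does not mask weak neighbours.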

Running GQRX Smoothly on an Intel Compute Stick with a Custom Linux Kernel

Thank you to M Khanfar for submitting news about his custom Linux kernel which allows an RTL-SDR and GQRX to run smoothly and with sound on an Intel Compute Stick. The Intel Compute Stick is a full computer in a dongle the size of a pack of gum, with pricing that starts from US$120. It has a quad core Atom processor, 2GB RAM, 32 GB of built-in storage and an HDMI out port. By default the stick comes with Windows 10 installed, but M Khanfar notes that it is very sluggish.

Instead of the sluggish Windows 10 OS, M Khanfar decided that he wanted to run Ubuntu Linux instead. However he found that the standard Ubuntu image did not have support for audio over HDMI or WiFi on the Compute Stick. So he built his own custom kernel with some patches to fix these issues. With the issues fixed, GQRX with an RTL-SDR now runs smoothly with full audio support, and rtl_tcp can also be run over WiFi.

M Khanfar has uploaded the patched ISO to his Google Drive here.

Update 29 January 2019: M Khanfar has updated us and noted that CubicSDR now works on the custom kernel too, and he has provided full installation instructions here. A video showing it in action can be seen on YouTube.

GQRX under Custom Kernel-Intel Computer Stick

Video Tutorial: Using Universal Radio Hacker, an RTL-SDR and a Microcontroller to Clone 433 MHz Remotes

Over on YouTube user hubmartin has uploaded a video showing how to use an RTL-SDR and the Universal Radio Hacker (URH) software to reverse engineer and clone a 433 MHz remote control. URH is used to extract the signal timing and modulation characteristics as well as the binary/hex code.

Then in order to clone the signal hubmartin uses a cheap IoT microcontroller with button and 433 MHz transmitter attachments. Some C code is then used to program the microcontroller and 433 MHz transmitter with the extracted signal information and to transmit on a press of the button. In his example hubmartin uses his cloned dongle to control a wireless power plug and a motorized projector screen.

Universal Radio Hacker SDR Tutorial on 433 MHz radio plugs

SDR# TETRA Plugin Now Available At RTL-SDR.RU

Vasilli has recently released the SDR# TETRA plugin on his website RTL-SDR.RU (note that the site is in Russian, but can be translated with the Google Translate option in the top right of the page). Previously it was only available via ever changing forum links, so it's good to see that it has a permanent home now for the latest version. This plugin allows you to listen to TETRA digital voice via SDR#, without needing to set up any complicated GNU Radio based receivers which were necessary in the past.

The features include (note: translated from Russian):

  • Receiving a base station (BS) signal in a 25 kHz channel with π/4-DQPSK modulation;
  • Automatic adjustment of the reception frequency;
  • Displaying information about the BS;
  • Displaying the ISSI and GSSI of subscribers in the channels (open channels only);
  • Displaying the network's service (signalling) exchange (open channels only);
  • Listening to channels with manual or automatic channel selection (open channels only);
  • Filtering, and assigning listening priority to, specified groups (GSSI);
  • Displaying messages containing location data (short message format only).

The current features not yet implemented are:

  • Listening to, or correctly displaying, any encrypted (encoded) information on the network;
  • Displaying SDS type 4 (short messages);
  • Recording audio from the channels (the menu entry has been added, but it does not work yet).

We also note that as discussed in a previous post there is a companion program for this plugin called TETRA Trunk Tracker.

SDR# TETRA Decoder Plugin

Industrial Machines like Cranes, Excavators Can Easily be Hacked with Software Defined Radios

Recently, the RF research team at Trend Micro released a very nice illustrated report, technical paper and several videos demonstrating how they were able to take control of building cranes, excavators, scrapers and other large industrial machines with a simple bladeRF software defined radio. Trend Micro is a well known security company mostly known for their computer antivirus products.

Trend Micro writes that the main problem stems from the fact that these large industrial machines tend to rely on proprietary RF protocols, instead of utilizing modern, standard, secure protocols. It turns out that many of the proprietary RF commands used to control these machines have little to no security in place.

A Forbes article written about the research writes:

Five different kinds of attack were tested. They included: a replay attack, command injection, e-stop abuse, malicious re-pairing and malicious reprogramming. The replay attack sees the attackers simply record commands and send them again when they want. Command injection sees the hacker intercept and modify a command. E-stop abuse brings about an emergency stop, while malicious re-pairing sees a cloned controller take over the functions of the legitimate one. And malicious reprogramming places a permanent vulnerability at the heart of the controller so it can always be manipulated.

So straightforward were the first four types of attack, they could be carried out within minutes on a construction site and with minimal cost. The hackers only required PCs, the (free) code and RF equipment costing anywhere between $100 and $500. To deal with some of the idiosyncrasies of the building site tech, they developed their own bespoke hardware and software to streamline the attacks, called RFQuack.

Being a responsible security firm, Trend Micro has already notified manufacturers of these vulnerabilities, and government level advisories (1, 2) and patches have already been rolled out over the last year. However the Forbes article states that some vulnerabilities still remain unpatched to this day. Of interest, the Forbes article writes that for some of these vendors the simple idea of patching their system was completely new to them, with the firmware version for some controllers still reading 0.00A.
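The replay and command injection attacks described above succeed because the proprietary protocols carry no freshness check and no authentication: any well-formed frame that arrives is executed. The example below is an added illustration written for this post, not Trend Micro's code, RFQuack, or any vendor's actual protocol. It models a toy controller/receiver pair twice: once with the unprotected behaviour, and once with the two standard mitigations the "modern secure protocols" remark refers to, a strictly increasing frame counter (so a recorded frame cannot be accepted a second time) and an HMAC over counter and command under a key shared at pairing time (so a modified command fails verification). The key, command names and tag length are constructed assumptions; e-stop abuse, malicious re-pairing and reprogramming are outside what this sketch covers.

```python
"""Toy model: unauthenticated vs. counter+HMAC-protected remote control frames."""
import hashlib
import hmac
import struct


class InsecureReceiver:
    """Executes any well-formed frame it hears: replays and edits both succeed."""

    def __init__(self):
        self.executed = []

    def receive(self, frame):
        self.executed.append(frame.decode())
        return True


class AuthenticatedReceiver:
    """Frame layout (constructed): 4-byte big-endian counter | command | 8-byte tag,
    tag = HMAC-SHA256(key, counter || command) truncated to 8 bytes."""
    TAG_LEN = 8

    def __init__(self, key):
        self.key = key
        self.last_counter = 0      # highest counter accepted so far
        self.executed = []

    def receive(self, frame):
        if len(frame) < 4 + 1 + self.TAG_LEN:
            return False           # malformed: too short to hold all fields
        body, tag = frame[:-self.TAG_LEN], frame[-self.TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()[:self.TAG_LEN]
        if not hmac.compare_digest(tag, expected):
            return False           # forged or modified frame (command injection)
        counter = struct.unpack(">I", body[:4])[0]
        if counter <= self.last_counter:
            return False           # replayed or stale frame
        self.last_counter = counter
        self.executed.append(body[4:].decode())
        return True


class AuthenticatedTransmitter:
    def __init__(self, key):
        self.key = key
        self.counter = 0

    def frame(self, command):
        self.counter += 1
        body = struct.pack(">I", self.counter) + command.encode()
        tag = hmac.new(self.key, body, hashlib.sha256).digest()
        return body + tag[:AuthenticatedReceiver.TAG_LEN]


def demo():
    """Run the same two attacks against both receivers; return what each accepted."""
    key = b"constructed-pairing-key-not-real"   # assumption: agreed at pairing time
    results = {}

    # 1. Unprotected protocol: the attacker records a frame and resends it later,
    #    or edits a byte of it; the receiver cannot tell the difference.
    weak = InsecureReceiver()
    captured = b"HOIST_UP"
    weak.receive(captured)                                  # legitimate operator
    results["insecure_replay_accepted"] = weak.receive(captured)
    results["insecure_modified_accepted"] = weak.receive(b"HOIST_DN")

    # 2. Counter + HMAC protocol: the same captured frame and the same edit fail.
    tx, rx = AuthenticatedTransmitter(key), AuthenticatedReceiver(key)
    captured = tx.frame("HOIST_UP")
    results["auth_fresh_accepted"] = rx.receive(captured)   # first use: accepted
    results["auth_replay_accepted"] = rx.receive(captured)  # second use: rejected
    tampered = captured[:4] + bytes([captured[4] ^ 0x01]) + captured[5:]
    results["auth_modified_accepted"] = rx.receive(tampered)
    results["auth_next_accepted"] = rx.receive(tx.frame("HOIST_STOP"))
    results["executed"] = list(rx.executed)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The receiver checks the tag before it looks at the counter, so a forged frame cannot be used to probe or advance the counter state; `hmac.compare_digest` avoids leaking the tag through timing. A real deployment also has to persist `last_counter` across power cycles and handle legitimately lost frames (a bounded forward window rather than strict `+1`), which is why the check here is `counter <= last_counter` rather than an equality test.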

The videos showing the team taking control of a model crane, a real crane and an excavator are shown below. The videos show them using bladeRF 2.0 SDRs, which are relatively low cost TX/RX capable software defined radios. We also recommend taking a look at Trend's web article as it very nicely illustrates several different RF attack vectors which could apply to a number of different RF devices.

In the past we've also posted about similar serious RF attacks on infrastructure and machines that reveal the vulnerabilities in, and disregard for, wireless security present in everyday systems. These include vulnerabilities like taking control of city disaster warning sirens, GPS spoofing of car navigation systems, hacking wireless door systems on cars, and revealing hospital pager privacy breaches.

Trend Micro Illustrates Replay Attacks
Crane hacking Pt 1

Crane hacking Pt 2