rtl_map: A Simple FFT Visualizer for RTL-SDR

Thank you to 'KeyLo99' for submitting news of the release of his new RTL-SDR based program called rtl_map. rtl_map is currently a simple app that uses an RTL-SDR to display an FFT frequency graph. It is based on the gnuplot and fftw3 libraries.

Over on our forums KeyLo99 describes the motivation behind the project as mostly being a good reference program for people wanting to learn how to read and process IQ data from the RTL-SDR:

I'm an RTL-SDR researcher and DSP learner currently working on a project for properly figuring RTL2832 and I/Q fundamentals out. The project is about reading raw I/Q samples, processing samples and creating an FFT graph from them. I tried to explain what I'm doing in detail with comment lines. I'm hoping that I will be helpful to RTL-SDR beginners with this rtl_map [C] project. Another purpose of the rtl_map project is making a frequency scanner application for signal security research.
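As an added illustration of the raw I/Q to FFT pipeline that rtl_map implements (this is not rtl_map's own code; it assumes the usual 127.5 centre value for the RTL2832U's unsigned 8-bit samples and uses a pure-Python FFT so it runs without fftw3 or numpy):

```python
# Added example (not rtl_map's code): RTL-SDR raw IQ -> complex samples ->
# centred power spectrum in dB, in pure Python so it runs without numpy.
import cmath
import math

def iq_bytes_to_complex(raw):
    """RTL2832U streams interleaved unsigned 8-bit I,Q with zero at 127.5;
    map each pair to a complex sample in [-1, 1]."""
    if len(raw) % 2:
        raise ValueError("IQ stream must contain whole I/Q pairs")
    return [complex((raw[i] - 127.5) / 127.5, (raw[i + 1] - 127.5) / 127.5)
            for i in range(0, len(raw), 2)]

def fft(x):
    """Recursive radix-2 Cooley-Tukey FFT; len(x) must be a power of two."""
    n = len(x)
    if n == 1:
        return list(x)
    if n & (n - 1):
        raise ValueError("FFT length must be a power of two")
    even, odd = fft(x[0::2]), fft(x[1::2])
    out = [0j] * n
    for k in range(n // 2):
        t = cmath.exp(-2j * math.pi * k / n) * odd[k]
        out[k], out[k + n // 2] = even[k] + t, even[k] - t
    return out

def power_spectrum_db(samples):
    """Hann window, FFT, then swap halves so index 0 is -fs/2 and index n/2
    is the tuned centre frequency (the layout an SDR waterfall shows)."""
    n = len(samples)
    win = [0.5 - 0.5 * math.cos(2 * math.pi * i / n) for i in range(n)]
    spec = fft([s * w for s, w in zip(samples, win)])
    spec = spec[n // 2:] + spec[:n // 2]
    return [10 * math.log10(abs(v) ** 2 / n + 1e-12) for v in spec]

def make_tone_iq(n, cycles, amplitude=0.8):
    """Constructed input: a complex tone 'cycles' bins above centre, quantised
    to the dongle's 8-bit offset-binary format."""
    raw = bytearray()
    for i in range(n):
        s = amplitude * cmath.exp(2j * math.pi * cycles * i / n)
        raw += bytes((round(s.real * 127.5 + 127.5), round(s.imag * 127.5 + 127.5)))
    return bytes(raw)

def peak_bin(raw):
    """Index of the strongest bin in the centred spectrum of a raw capture."""
    db = power_spectrum_db(iq_bytes_to_complex(raw))
    return max(range(len(db)), key=db.__getitem__)
```

On a real capture, feed `iq_bytes_to_complex` a power-of-two block of bytes read from `rtl_sdr` or `rtl_tcp` and plot `power_spectrum_db` against frequency from centre minus fs/2 to centre plus fs/2.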

FFT Plot from rtl_map

Running GQRX Smoothly on an Intel Compute Stick with a Custom Linux Kernel

Thank you to M Khanfar for submitting news about his custom Linux kernel which allows an RTL-SDR and GQRX to run smoothly, with sound, on an Intel Compute Stick. The Intel Compute Stick is a full dongle-based computer the size of a pack of gum, with pricing that starts from US$120. It has a quad core Atom processor, 2 GB RAM, 32 GB of built-in storage and an HDMI out port. By default the stick comes with Windows 10 installed, but M Khanfar notes that it is very sluggish.

Instead of the sluggish Windows 10 OS, M Khanfar decided that he wanted to run Ubuntu Linux. However, he found that the standard Ubuntu image did not have support for audio over HDMI or WiFi on the Compute Stick, so he built his own custom kernel with some patches to fix this. With the issue fixed, GQRX with an RTL-SDR now runs smoothly with full audio support, and rtl_tcp can also be run over WiFi.

M Khanfar has uploaded the patched ISO to his Google Drive here.

Update 29 January 2019: M Khanfar has updated us and noted that CubicSDR now works on the custom kernel too, and he has provided full installation instructions here. A video showing it in action can be seen on YouTube.

GQRX under Custom Kernel-Intel Computer Stick

Video Tutorial: Using Universal Radio Hacker, an RTL-SDR and a Microcontroller to Clone 433 MHz Remotes

Over on YouTube user hubmartin has uploaded a video showing how to use an RTL-SDR and the Universal Radio Hacker (URH) software to reverse engineer and clone a 433 MHz remote control. URH is used to extract the signal timing and modulation characteristics as well as the binary/hex code.

Then in order to clone the signal hubmartin uses a cheap IoT microcontroller with button and 433 MHz transmitter attachments. Some C code is then used to program the microcontroller and 433 MHz transmitter with the extracted signal information and to transmit on a press of the button. In his example hubmartin uses his cloned dongle to control a wireless power plug and a motorized projector screen.

Universal Radio Hacker SDR Tutorial on 433 MHz radio plugs

SDR# TETRA Plugin Now Available At RTL-SDR.RU

Vasilli has recently released the SDR# TETRA plugin on his website RTL-SDR.RU (note that the site is in Russian, but can be translated with the Google Translate option in the top right of the page). Previously it was only available via ever changing forum links, so it's good to see that it has a permanent home now for the latest version. This plugin allows you to listen to TETRA digital voice via SDR#, without needing to set up any complicated GNU Radio based receivers which were necessary in the past.

The features include (note: translated from Russian):

  • Receives base station (BS) signals of 25 kHz bandwidth with π/4-DQPSK modulation;
  • Automatic adjustment of the receive frequency;
  • Displays information about the BS;
  • Displays the ISSI and GSSI of subscribers in the channels (open channels only);
  • Displays the service exchange on the network (open channels only);
  • Allows listening to channels with manual or automatic channel selection (open channels only);
  • Allows filtering and assigning listening priority to specified groups (GSSI);
  • Displays messages with location information (short message format only)

Features not yet implemented are:

  • Listening to, and correctly displaying, any encoded information in the network;
  • Display of SDS type 4 (short messages);
  • Recording audio from the channels (menu item added, but not yet working);

We also note that as discussed in a previous post there is a companion program for this plugin called TETRA Trunk Tracker.

SDR# TETRA Decoder Plugin

Industrial Machines like Cranes, Excavators Can Easily be Hacked with Software Defined Radios

Recently, the RF research team at Trend Micro released a very nicely illustrated report, a technical paper and several videos demonstrating how they were able to take control of building cranes, excavators, scrapers and other large industrial machines with a simple bladeRF software defined radio. Trend Micro is a well-known security company, best known for its computer antivirus products.

Trend Micro writes that the main problem stems from the fact that these large industrial machines tend to rely on proprietary RF protocols instead of modern, standard secure protocols. It turns out that many of the proprietary RF commands used to control these machines have little to no security in place.

A Forbes article written about the research writes:

Five different kinds of attack were tested. They included: a replay attack, command injection, e-stop abuse, malicious re-pairing and malicious reprogramming. The replay attack sees the attackers simply record commands and send them again when they want. Command injection sees the hacker intercept and modify a command. E-stop abuse brings about an emergency stop, while malicious re-pairing sees a cloned controller take over the functions of the legitimate one. And malicious reprogramming places a permanent vulnerability at the heart of the controller so it can always be manipulated.

So straightforward were the first four types of attack, they could be carried out within minutes on a construction site and with minimal cost. The hackers only required PCs, the (free) code and RF equipment costing anywhere between $100 and $500. To deal with some of the idiosyncrasies of the building site tech, they developed their own bespoke hardware and software to streamline the attacks, called RFQuack.
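To show what the "modern standard secure protocols" Trend Micro contrasts these systems with actually buy, here is an added example (not RFQuack, and not any vendor's real protocol; the frame layout, tag size and controller ids are assumptions for illustration). A command frame carries a counter and an HMAC under a key installed at pairing, and the receiver rejects the replayed and the modified frames described in the Forbes quote above:

```python
# Added example (not RFQuack or any vendor's protocol; layout is assumed):
# a command frame with a paired key, a monotonic counter and an HMAC tag.
import hashlib
import hmac
import struct

TAG_LEN = 8                      # truncated HMAC-SHA256 tag length (assumed)
HDR = struct.Struct(">HIB")      # controller id, 32-bit counter, command byte

class Controller:
    """Transmitter: signs each command with the paired key and a counter that
    never repeats for the life of the key."""
    def __init__(self, ctrl_id, key):
        self.ctrl_id, self.key, self.counter = ctrl_id, key, 0
    def frame(self, command):
        self.counter += 1
        body = HDR.pack(self.ctrl_id, self.counter, command)
        tag = hmac.new(self.key, body, hashlib.sha256).digest()[:TAG_LEN]
        return body + tag

class Receiver:
    """Machine side: a frame is acted on only if its tag verifies under the key
    paired to that controller and its counter is newer than the last accepted."""
    def __init__(self, keys):
        self.keys = dict(keys)            # ctrl_id -> key, fixed at pairing
        self.last_counter = {}
    def accept(self, frame):
        if len(frame) != HDR.size + TAG_LEN:
            return "reject: bad length"
        body, tag = frame[:HDR.size], frame[HDR.size:]
        ctrl_id, counter, command = HDR.unpack(body)
        key = self.keys.get(ctrl_id)
        if key is None:
            return "reject: unknown controller"   # unpaired clone
        expected = hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):
            return "reject: bad tag"              # edited command
        if counter <= self.last_counter.get(ctrl_id, 0):
            return "reject: replay"               # recorded frame resent
        self.last_counter[ctrl_id] = counter
        return "accept: command %d" % command

def demo():
    """Constructed scenario: a genuine frame, the same frame resent, and the
    same frame with its command byte altered (tag no longer matches)."""
    key = b"constructed-demo-key-not-for-real-use"
    ctrl, rx = Controller(0x0101, key), Receiver({0x0101: key})
    genuine = ctrl.frame(0x10)
    edited = genuine[:6] + bytes([0x20]) + genuine[7:]
    return rx.accept(genuine), rx.accept(genuine), rx.accept(edited)
```

A real design also needs a secure pairing step that installs the per-controller key, a policy for counter reset and wraparound, and an emergency-stop path that still works when authentication state is lost; those are outside this sketch.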

Being a responsible security firm, Trend Micro has already notified manufacturers of these vulnerabilities, and government-level advisories (1, 2) and patches have been rolled out over the last year. However, the Forbes article states that some vulnerabilities still remain unpatched to this day. Of interest, the Forbes article writes that for some of these vendors the simple idea of patching their system was completely new to them, with the firmware version for some controllers still reading 0.00A.

The videos showing the team taking control of a model crane, a real crane and an excavator are shown below. They use bladeRF 2.0 SDRs, which are relatively low cost TX/RX capable software defined radios. We also recommend taking a look at Trend Micro's web article, as it very nicely illustrates several different RF attack vectors which could apply to a number of different RF devices.

In the past we've also posted about similar serious RF attacks on infrastructure and machines that reveal the vulnerabilities in, and disregard for, wireless security present in everyday systems. These include taking control of city disaster warning sirens, GPS spoofing of car navigation systems, hacking wireless door systems on cars, and revealing hospital pager privacy breaches.

Trend Micro Illustrates Replay Attacks
Crane hacking Pt 1

Crane hacking Pt 2

More Talks from GNURadio Con 2018

Last week we posted about some videos of talks from the 2018 GNU Radio Conference which had been released on YouTube. This week a few more videos have been released, and we show a small selection below. The full collection of videos can be found on their YouTube channel.

RF Ranging with LoRa Leveraging RTL-SDRs and GNU Radio

Wil Myrick discusses the use of RTL-SDRs and GNU Radio to create a low cost LoRa RF ranging prototype, to aid in the localization of IoT transmitters.

GRCon18 - RF Ranging with LoRa Leveraging RTL SDRs and GNU Radio

Using GNU Radio and Red Pitaya for Citizen Science

Robert W McGwier discusses the use of Red Pitaya SDRs and GNU Radio in citizen science ionosphere measurement experiments.

GRCon18 - Using GNU Radio and Red Pitaya for Citizen Science

SETI Breakthrough Listen

Steve Croft discusses the Search for Extraterrestrial Intelligence (SETI) project and how software defined radio is being used in the search.

GRCon18 - SETI Breakthrough Listen

Using a LimeSDR / PlutoSDR to Transmit Digital Amateur Television with DATV Express

Over on YouTube Corrosive from channel SignalsEverywhere has uploaded a new video in his series on Digital Amateur Television (DATV). The new video shows us how to use a transmit capable SDR like a LimeSDR or PlutoSDR to transmit DATV with a free Windows program called DATV Express.

In the video he explains the various transmit and video encoding settings, and then demonstrates the signal being received on SDRAngel with an RTL-SDR (which he explained in his previous video).

DATV DVB-S Transmitter With a LimeSDR or Pluto SDR and DATV Express

Es’hail-2 Transponder Tests + Narrow Band Web Stream

Es'hail 2 was launched last November and is the first geostationary satellite to carry an amateur radio transponder. The satellite is positioned at 25.5°E, over Africa. Its reception footprint covers Africa, Europe, the Middle East, India, eastern Brazil and the western half of Russia/Asia.

Although the satellite was launched last year, turning on the amateur transponders has been slow because the commercial systems of the satellite have higher priority for testing and commissioning. However, within the last day the Es'hail 2 team have begun testing the amateur transponder, and the test signal has been successfully received by several enthusiasts (just check out the Twitter feed). There also appears to have already been a suspected pirate CW signal broadcasting "WELCOME DE ES2HAIL". Uplink use of the satellite is not currently wanted, and on the Amsat forums one of the engineers writes:

Before the IOT starts there will be a TRR (test readiness review) in front of the customer. All the test plans and test specifications will be reviewed. When the test is done there will be a TRB (test readiness board). In the TRB they have to show/present all the measurement results (e.g. inband performance like gain flatness, group delay... and so on) and compare these results with the specification in the contract. Each unwanted signal makes the measurement difficult and needs to be explained or leads to a so named NCR (non conformance report).

The IOT will be done in shifts/night shifts and with unwanted signals (if not explainable) some measurements need to start again and again, and in addition lead to a delay for the handover and operation of the satellite.

Maybe that helps to understand why it is really important to have only the IOT uplink signal.

To measure the pattern of each antenna the satellite will be moved east/west by the propulsion system of the DS2000 bus and the signal level is measured by the IOT station on ground (some cuts).

The commercial beacon can maybe be switched from the LEOP omni antenna to the on-station antenna when the satellite is placed in the final slot. This should be the reason for the change of the commercial Ku band beacon signal level in the last days.

If you are interested in receiving Es'hail 2 but live outside the footprint, or don't have a receiver, then you can use Zoltan's OpenwebRX live stream of the narrow band portion of the Es'hail 2 downlink. At the moment the beacon doesn't appear to be transmitting, but we expect it to be on and off during the next few days. In his setup he uses an RTL-SDR V3, an Inverto LNB, a 90 cm dish, a DIY bias tee and a Raspberry Pi 3.

He also took a recording of the pirate's CW transmission, shown in the video below.

Es'hail-2 live, CW signal 2019.01.17.

Es-hail 2 test transmission