Airspy have recently released an update to their ADSBSpy decoder, which is an Airspy One/R2 compatible decoder for 1090 MHz ADS-B signals. According to 'prog', the software developer of ADSBSpy, his setup can see almost double the number of aircraft, with fewer false positives, when using the updated software. Prog writes that the secret to the improvement is some reworked DSP code that aims to exploit oversampling in the Airspy to the maximum.
We compared the new (1.0.0.38/39) decoder against the old decoder (1.0.0.37) which used to get similar performance to dump1090. The test setup was two Airspy dongles connected to a dipole antenna via a splitter, with our Triple Filtered ADS-B LNA used by the antenna. One Airspy was used to power the LNA via its bias tee, and both units received the same amplified signal. We found that the new version of ADSBSpy does indeed receive a good number more aircraft in our setup, and an increased number of ADS-B messages too.
It seems that most of the additionally received aircraft must be from extremely weak signals, because when looking in Virtual Radar Server the extra aircraft usually only show their ICAO and maybe altitude and speed until they get closer.
This software appears to provide the best ADS-B performance that we've seen so far. If you are using an Airspy for ADS-B tracking and upgrade, we'd like to hear your results.
The New ADS-B Spy Receives More Aircraft and Messages
Last year we posted about QuestaSDR, which is a simple SDR multi-mode GUI that is compatible with the RTL-SDR. Since then QuestaSDR has evolved, and is now available on Android devices as well. It looks to be a nice alternative to RF Analyzer and SDR Touch which are the most popular RTL-SDR Android apps. The description of Android QuestaSDR reads:
QuestaSDR - powerful and flexible, cross-platform Software Defined Radio Application (SDR). Built-in scheduler architecture provides integrate plugins, plugins kits and multi - UI. Typical applications are DXing, Ham Radio, Radio Astronomy and Spectrum analysis.
Support Hardware:
- RTLSDR Dongle
Main features:
- Dark, Light, Universal, Material application style
- Many spectrum settings (FFT size, waterfall FPS and color theme)
- AM/SSB/NFM/WFM demodulator
- RDS decoder
- Record AF file
- Frequency bookmarks
- Web remote
- Supported IF-adapter, upconverter, downconverter hardware
- Rig samplerate, frequency, level and iq disbalance calibrate
To start using QuestaSDR, you will need:
- RTL-SDR dongle
- USB OTG Cable - used to connect a RTLSDR to your Android device.
Connect the USB dongle to the USB-OTG, then insert the free end of the cable into the USB port of your Android device and launch the QuestaSDR! Now you can listen to live frequency range shortwave, VHF, UHF.
Feedback and bug reports are always welcome.
Please note that I am not responsible for any legal issues caused by the use of this application. Be responsible and familiarize yourself with local laws before using.
Back in March we posted about the release of Outernet's moRFeus device, which is a low cost wideband RF signal generator. Since then we've received a few emails from two readers who have received their units, found some interesting hacks and developed software for it.
First we have a submission from Ohan Smit who discovered a hack that allows moRFeus to work as a wideband noise generator by setting the LO to 5 GHz and the Mixer current to 3. Together with an Airspy and the Spectrum Spy software he was able to measure the response of a bandstop FM filter. Over on the forums he also shows screenshots of Python based control software that he's developed for controlling moRFeus.
moRFeus Generating Noise
Next we have a moRFeus Linux GUI created by "Lama Bleu". It can be used to access the same functions as via the moRFeus LCD screen, but it also has a few very useful features such as a step generator which allows a generated tone to sweep across the frequency spectrum. The moRFeus GUI can also connect to GQRX and sync with the LO frequency specified in the GQRX GUI for easy control. It should also be possible to implement a CW morse code generator with some scripts.
Outernet moRFeus GUI
Over on the forums Zoltan, one of moRFeus' designers, also notes that it might even be possible to use moRFeus for WSPR modulation, although this isn't confirmed yet. It seems that moRFeus is shaping up to be a very useful tool for RF testing and experimentation. The device is currently still available on Crowd Supply for $149US with over 136 units sold so far.
Over on his blog, Thierry Leconte has been writing about some IF bandwidth experiments that he's performed on the R820T2 chip. This is the tuner chip that is used in most RTL-SDR dongles, as well as on the Airspy R2 and Mini SDRs. It has a programmable IF bandwidth and high pass filter which can be used to filter neighboring interfering signals out to reduce imaging and overload problems. In the RTL-SDR and Airspy drivers the bandwidth is adjusted to a fixed setting depending on the bandwidth selected.
To perform the tests he uses a noise source connected to his Airspy, varies the IF filter bandwidth and then plots the results. He finds that there are two adjustments for the IF filter, one coarse and one fine, as well as an additional high pass filter. By manually reducing these settings it's possible to get better filtering at the expense of reduced bandwidth.
He notes that reducing the bandwidth is useful for his two apps, acarsdec and vdlm2dec which receive ACARS and VDL aircraft signals. These signals are not high in bandwidth so they can easily benefit from tighter filtering.
Over the last few days the NOAA-15 APT weather satellite has begun to show signs of failure, with people receiving corrupted images. NOAA 15, 18 and 19 are weather satellites that can be easily received with an RTL-SDR and a satellite antenna such as a V-Dipole, QFH or Turnstile (tutorial here). NOAA 15 was launched on 13 May 1998, making it one month away from being 20 years old. To put it into perspective, NOAA-15 was only designed to a spec of lasting 2 years minimum.
The problem currently appears to be intermittent and is due to a loss of lubricant on the scan motor. NOAA released a message:
The N15 AVHRR global imaging became corrupted on April 12 at ~0000 UTC due to sync issues. This may be caused by erratic scan motor current due to loss of lubricant. The problem appears to have corrected itself, as the global image is no longer corrupted. The issue is still under investigation.
In the Tweet below UHF Satcom displays an example of a corrupted image that was received.
The issue is intermittent, and hopefully it can be fixed, but if not we still have NOAA 18 and 19 which were launched in 2005 and 2009 respectively, as well as the Russian Meteor M2 satellite which was launched in 2014.
If you're interested, discussion of this topic can be found on various Reddit threads [1], [2], [3].
Last week we posted news about the "SirenJack" radio security vulnerability which was released by Balint Seeber of the Bastille security research agency. SirenJack describes how a cheap TX capable SDR or a $30 handheld radio could allow an attacker to take over wirelessly controlled emergency sirens that are found in many cities around the US. In particular, it was discussed how Acoustic Technology, Inc (ATI Systems) sirens were the first to be found vulnerable.
Today Dr. Ray Bassiouni, President & CEO of ATI Systems, wrote to us (and presumably other news agencies that ran the SirenJack story) with a rebuttal, which we paste below.
ATI Siren Vulnerability Misrepresented by Bastille Networks
Balint Seeber of Bastille Networks, Inc. has released information that he has been able to hack Acoustic Technology, Inc.’s wireless protocol. ATI believes that Seeber misrepresents his claims that he did so using only a $35 radio and a laptop. ATI understands the great lengths, time, effort, and expertise that Seeber and Bastille went through. However, their claim trivializes the fact that Seeber is a radio frequency expert with over a decade of training, knowledge, and access to advanced equipment. Bastille’s statement intended to maximize public fear and anxiety by purposefully omitting and simplifying information they released.
Seeber says he identified this vulnerability over 2 ½ years ago but decided not to notify ATI or the City of San Francisco until recently. If he truly believed this was a serious vulnerability, why did he wait so long to disclose it, effectively leaving the public at risk? Other discrepancies discovered include:
Bastille’s SirenJack white paper states in part “...nor was there access to equipment...” However, pictures in the white paper and videos on Bastille’s YouTube page clearly show Seeber utilizing ATI’s equipment in his Proof of Concept.
Seeber also states multiple times that anyone “…with a $35 transmitter…” can perform this hack. The white paper, however, confirms he used “…a number of Ettus Research Universal Software Radio Peripheral (USRP) and Software Defined Radio (SDR)….”. This equipment costs upwards of thousands of dollars for each unit, not merely the $35 radio as claimed.
In multiple YouTube videos, ATI’s equipment is blurred out during Seeber’s demonstration. For full disclosure, what was blurred out and why?
In Seeber’s YouTube demonstration of the SirenJack hack, it shows him with an embedded CPU debug cable plugged into the ATI siren. Since this cable is only used for programming and diagnostics of the ATI siren, why is this cable needed? There is no reason for it to be used while demonstrating siren activation through over-the-air hacking.
None of Bastille’s videos show any Over-The-Air (OTA) transmissions of malicious packets because transmitting on a licensed frequency is illegal. Yet the Motorola CM200 radio in the ATI siren is very easy to re-program to a different frequency (or a license free radio could have been used), and it could have been easily changed in order to legally demonstrate sending malicious packets OTA.
When the San Francisco system was installed in 2004, over 14 years ago, it was state-of-the-art. Since then, ATI has upgraded protocols to incorporate a 128-bit AES variable key with an additional ATI proprietary security layer that is now being implemented.
“For the past 30 years ATI has had thousands of clients, both nationally and internationally. Even though we have never experienced any fails or hacking incidents, ATI responded to Bastille’s false claims by raising security safeguards, and ATI encourages its clients to update their systems to ensure maximum security. We believe that Bastille’s representations are totally fabricated,” comments ATI’s CEO, Dr. Ray Bassiouni.
It's true that Balint and Bastille do have years of knowledge and the equipment to find vulnerabilities; however, we believe that Bastille was only claiming that a $30 radio can be used to take over the system now that the vulnerability is already known. If a more malicious hacker found the vulnerability first, and then released the details to 'script kiddies' or other malicious people, it could have caused major issues.
The white paper on SirenJack is now available and can be found at sirenjack.com. From the white paper it appears that Bastille analyzed the RF spectrum to find the weekly siren test signal. Once found, they were able to characterize the modulation scheme, and since no encryption was used, they were able to dissect the packet. They then determined that the packets could easily be reproduced and thus any transmit capable radio could be used to attack the system. Also, although Bastille used USRP SDRs in the reverse engineering stage, it seems that the same reverse engineering work could be done with a simple RTL-SDR.
SirenJack: Could sirens be taken over with a $30 radio?
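The point about reproducible packets can be made concrete from the receiver's side. The following is an added example, not code from Bastille, ATI or the original post: the frame layouts, siren ID, key and the use of a truncated HMAC-SHA256 tag with a counter are all assumptions chosen for illustration (the page itself only mentions AES plus a proprietary layer). It shows why a receiver that only checks frame contents accepts a repeated frame, while one that requires a keyed tag and a strictly increasing counter rejects it.

```python
import hashlib
import hmac
import struct

KEY = b"constructed-demo-key"  # constructed sample key for this example only

def legacy_accept(frame: bytes, siren_id: int) -> bool:
    """Hypothetical unauthenticated receiver: any well-formed frame is obeyed."""
    if len(frame) != 3:
        return False
    dest, cmd = struct.unpack(">HB", frame)
    return dest == siren_id and cmd in (0x01, 0x02)

class AuthReceiver:
    """Hypothetical receiver requiring a keyed tag and a fresh counter."""
    TAG_LEN = 16

    def __init__(self, siren_id: int, key: bytes):
        self.siren_id, self.key, self.last_counter = siren_id, key, 0

    def accept(self, frame: bytes) -> bool:
        if len(frame) != 7 + self.TAG_LEN:
            return False
        body, tag = frame[:7], frame[7:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()[:self.TAG_LEN]
        if not hmac.compare_digest(tag, expected):  # constant-time comparison
            return False
        dest, _cmd, counter = struct.unpack(">HBI", body)
        if dest != self.siren_id or counter <= self.last_counter:
            return False  # wrong address, or a counter value already seen
        self.last_counter = counter
        return True

def make_auth_frame(key: bytes, dest: int, cmd: int, counter: int) -> bytes:
    """Controller side: address, command and counter, followed by the tag."""
    body = struct.pack(">HBI", dest, cmd, counter)
    return body + hmac.new(key, body, hashlib.sha256).digest()[:16]

def demo() -> dict:
    legacy_frame = struct.pack(">HB", 0x0042, 0x01)  # constructed sample frame
    rx = AuthReceiver(0x0042, KEY)
    good = make_auth_frame(KEY, 0x0042, 0x01, counter=1)
    tampered = good[:2] + b"\x02" + good[3:]  # command byte altered in transit
    return {
        "legacy_first": legacy_accept(legacy_frame, 0x0042),
        "legacy_repeat": legacy_accept(legacy_frame, 0x0042),
        "auth_first": rx.accept(good),
        "auth_repeat": rx.accept(good),
        "auth_tampered": rx.accept(tampered),
    }
```

Calling `demo()` shows the unauthenticated receiver accepting the same frame twice, while the authenticated receiver accepts it once and then rejects both the repeat and the altered copy.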
Over on YouTube Tech Minds has uploaded a new video where he shows how he can use his HackRF SDR with the SDRAngel software to easily transmit voice to a local ham radio repeater. If you are unfamiliar with ham radio, a ham repeater is simply a radio station that receives voice or other signals on a certain ham radio frequency, and re-transmits the signal with stronger power on another frequency. This allows communications to be receivable over a much larger distance.
SDRAngel is a very nice piece of SDR software that has controls for TX capable SDRs like the HackRF. In the video Tech Minds shows the HackRF being used as a transmitter, with it transmitting to a repeater at 145.137 MHz. An RTL-SDR is then used to listen to the repeater output at 145.737 MHz. With this setup he is able to contact a friend via the repeater easily.
It doesn't appear that Tech Minds is using any sort of external amplifier, so this shows that the HackRF is powerful enough to hit local repeaters just by itself.
Transmitting With A HackRF One Via My Local Ham Radio Repeater
A few weeks ago we posted about the MFJ1708SDR automatic relay switch and how it can be used to combine an RX only SDR with a transmit capable radio. An automatic antenna relay switch is used to automatically ground the SDR's antenna input whenever the TX capable radio transmits in order to protect the SDR's front end from blowing up due to high TX power.
In this YouTube video Pete Sobye shows us the MFJ1708SDR working together with an Icom IC7300 HF radio and an SDRplay which is being used as a panadapter. For software Pete uses HDSDR and OmniRig, which allows the PC to control the IC7300.
Icom IC7300 panadapter MFJ-1708SDR, SDRPlay, HDSDR and OmniRig