Comparing the RSP1 and RSP2 on VLF, LF and AM BC Reception

Over on YouTube user Mile Kokotov has uploaded two new videos that show both the SDRplay RSP1 and RSP2 receiving VLF, LF and AM BC signals. The SDRplay RSP1 is a 12-bit SDR that can receive from about 10 kHz – 2 GHz. Recently the RSP2 was released which is an upgrade over the RSP1 with additional filters and features. On this blog we did an initial review of the RSP2 and found mostly improved performance over the RSP1.

Mile writes about the signals he receives:

Antenna on RSP2 is connected to its Hi-Z port.

Here is some information about the signals in this video:

60 kHz Time signal from NPL is a radio signal broadcast from the Anthorn Radio Station near Anthorn, UK.
The signal, also known as the MSF signal, is broadcast at a highly accurate frequency of 60 kHz and can be received throughout the UK and in much of northern and western Europe (but I am receiving it in Macedonia). The signal’s carrier frequency is maintained at 60 kHz, controlled by caesium atomic clocks at the radio station.

77.5 kHz Time signal is German DCF77 longwave time signal and standard-frequency radio station. The highly accurate 77.5 kHz carrier signal is generated from local atomic clocks that are linked with the German master clocks.

On 295 kHz there is an NDB (Non-Directional Beacon) from Alexander the Great Airport near Skopje (about 80 km from my home).

On the AM broadcast band (530 kHz – 1620 kHz) you can see how many AM stations are on the spectrum display (with 9 kHz raster), received here at my home with a Mini-Whip antenna which is only 10 cm long!

More information can be found on my web page: http://www.qsl.net/z33t

The first video shows reception with a Mini-Whip, and the second with a Delta Loop. We don’t see much difference in reception between the RSP1 and RSP2 in these videos but viewers with more sensitive ears may be able to tell us if they notice any differences.

SDRplay RSP1 and RSP2 receiving VLF LF and AM BC with Mini-Whip

SDRplay RSP1 and RSP2 receiving 60 kHz and 77.5 kHz Time signals in Macedonia

Nigun (Melody): Open Hardware Plans for an RTL-SDR Downconverter

A downconverter is a circuit that allows the RTL-SDR to receive frequencies above its maximum frequency range of about 1.8 GHz. It works by mixing the incoming signal with a local oscillator (LO) so that the higher frequencies are shifted down into a lower band which the RTL-SDR can receive. It is the opposite of an upconverter, which is used to receive HF frequencies on an RTL-SDR. In the past the Outernet project was working on a commercial downconverter product for the RTL-SDR, but unfortunately they had to put an end to that project as the costs were not economical.

But now over on GitHub Raziel Einhorn has uploaded plans for his open hardware 1.5 – 3 GHz downconverter, which is code-named Nigun (Melody). Currently the design has just about been completed, and he is planning to order the first prototype this January. The main component appears to be the ADRF6612 RF mixer, which is controlled by an ATSAMD21E18A ARM microcontroller. On the GitHub page he explains the main properties as:

  • Dynamic LO – LO will be determined by the user and programmed by the MCU
  • Almost no filtering – will leave this challenge outside of this project scope
  • Power up and programming via micro-usb connector. Should be able to power up from a USB power-pack (but probably not from a computer port)
  • Highest RF frequency will be 3GHz
  • Product also features a VCO for signal-generation purposes. VCO support should be 200-2700MHz
Nigun Downconverter Schematics

HDSDR Version 2.75 (Stable) Released

The beta 2.75 version of HDSDR was released about two months ago. Now the stable version has just been released. HDSDR is a free general purpose SDR receiver, similar in nature to other programs like SDR# and SDR-Console. HDSDR can be downloaded from hdsdr.de.

The author of HDSDR emailed us with the following release information:

this morning we released the final version 2.75. Here’s the changelog:

Version 2.75 (January 01, 2017)
– more recording options
– support for 8bit sampling format – ideal for RTLSDR, halving RF recording size
– display level / clipping for RF and AF
– additive noise generator for hiding aliases
– Highpass Filter for AM/FM deactivatable – useful for slow digimodes
– configurable gain for I/Q output – useful for digimode decoding weak signals of SDRs with >16 Bit dynamic range
– Uniform “Calibration” dialog for Frequency/S-Meter/DC Removal/Channel Skew
– “Custom color palette” to customize colors of Waterfall/Spectrum and some more
– output soundcard no longer necessary (e.g. for recording or monitoring)
– support for 8k display resolution (7680×4320)
– some new keyboard shortcuts (see )
– extended ExtIO capabilities
– experimental transmit capability through ExtIO API interface
– many fixes and improvements

Some of the new features were introduced especially for the RTLSDR Dongles:

– 8 bit support, of course

– displaying the RF (ADC) level in dBFS allows working with deactivated Tuner AGC – NOT oversteering/clipping the ADC.
This would also ease making good suitable recordings as used in
https://www.rtl-sdr.com/using-rpitx-and-an-rtl-sdr-to-reverse-engineer-and-control-ask-devices

Especially for decoding this kind of signal (AM/FM), deactivating the Highpass filter (Ctrl-H) will make the demodulated Audio clearer:
long periods of positive or negative levels will not fade towards zero.
Find attached recordings and screenshots with active and deactivated highpass filter of a garage door opener demodulated in AM.

– additive noise generator (Ctrl-N) is for hiding some alias carriers in scenarios where the ADC does not see real noise from the antenna.
The noise generator’s level has to be configured carefully so as not to hide real signals. A level between -25 and -10 looked fine for me. But that should be measured in a lab.
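The point of the dBFS display above is that with the tuner AGC off you set the gain by hand and need a direct reading of how close the 8-bit ADC is to its rails. The following is an added example (not HDSDR code, and not from the HDSDR author) that computes the RMS and peak level in dBFS and a clipping fraction from raw RTL-SDR-style samples. It assumes the RTL-SDR's native format of interleaved unsigned 8-bit I/Q bytes with 127.5 as the zero level; the tone used as input is constructed in the script, and the thresholds in gain_verdict are illustrative choices, not HDSDR's.

```python
import math

FULL_SCALE = 127.5   # RTL-SDR samples are unsigned 8-bit; 127.5 is the zero level


def iq_from_bytes(raw):
    """Interleaved unsigned 8-bit I/Q bytes -> list of (i, q) floats in [-1, 1]."""
    return [((raw[k] - FULL_SCALE) / FULL_SCALE, (raw[k + 1] - FULL_SCALE) / FULL_SCALE)
            for k in range(0, len(raw) - 1, 2)]


def rms_level_dbfs(iq):
    """Average power of the complex signal relative to a full-scale sample, in dBFS."""
    power = sum(i * i + q * q for i, q in iq) / len(iq)
    # |I| = |Q| = 1 is the largest representable sample and has power 2
    return 10 * math.log10(power / 2) if power > 0 else float("-inf")


def peak_level_dbfs(iq):
    """Largest |I| or |Q| relative to full scale, in dBFS (0 dBFS = on the rail)."""
    peak = max(max(abs(i), abs(q)) for i, q in iq)
    return 20 * math.log10(peak) if peak > 0 else float("-inf")


def clipping_fraction(raw):
    """Fraction of raw ADC bytes sitting on a rail (0 or 255): a direct clipping indicator."""
    return sum(1 for b in raw if b in (0, 255)) / len(raw)


def gain_verdict(raw, max_clip=0.001, floor_db=-24.0):
    """Turn the readings into the manual-gain decision the dBFS display is meant to support.

    Thresholds are illustrative assumptions: any clipping or a peak within 1 dB of
    full scale means the gain is too high; a peak below floor_db wastes ADC bits.
    """
    iq = iq_from_bytes(raw)
    if clipping_fraction(raw) > max_clip or peak_level_dbfs(iq) > -1.0:
        return "reduce gain"
    if peak_level_dbfs(iq) < floor_db:
        return "increase gain"
    return "ok"


def synth_tone_bytes(amplitude, n=4096, cycles=37):
    """Constructed test input: a complex tone quantized to 8 bits like an RTL-SDR dump.

    amplitude > 1.0 drives the synthetic ADC into its rails, i.e. clipping.
    """
    raw = bytearray()
    for k in range(n):
        ph = 2 * math.pi * cycles * k / n
        for v in (amplitude * math.cos(ph), amplitude * math.sin(ph)):
            code = round(FULL_SCALE + v * FULL_SCALE)
            raw.append(min(255, max(0, code)))   # saturate like a real ADC
    return bytes(raw)


if __name__ == "__main__":
    for amp in (0.05, 0.5, 1.3):
        raw = synth_tone_bytes(amp)
        iq = iq_from_bytes(raw)
        print(f"amplitude {amp:4.2f}: rms {rms_level_dbfs(iq):6.2f} dBFS, "
              f"peak {peak_level_dbfs(iq):6.2f} dBFS, "
              f"clipped {100 * clipping_fraction(raw):5.1f}% -> {gain_verdict(raw)}")
```

Running it shows the half-scale tone near -9 dBFS RMS with no clipped samples, the weak tone flagged for more gain, and the overdriven tone with a large share of samples pinned at 0 or 255 even though its RMS reading alone looks plausible, which is why a clipping indicator is worth having next to the level meter.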

Below are the mentioned attached images and .wav files.

Highpass Filter – Active
Highpass Filter – Inactive

Highpass Active .wav file (Download)

Highpass Inactive .wav file (Download)

Receiving the Recently Launched BY70-1 Satellite

BY70-1 is a Chinese amateur CubeSat which was recently launched on December 29, 2016. It is expected to stay in orbit for only 1 – 2 months due to a partial launch failure that placed it in an incorrect orbit. The purpose of the satellite is education in schools and amateur radio use. The receivable signals include an FM repeater and a BPSK telemetry beacon, both of which can be received at 436.2 MHz. The telemetry beacon is interesting because it also transmits images from an on-board visible light camera. These signals can easily be received with an RTL-SDR or other SDR with an appropriate antenna.

Over on his blog Daniel Estévez has been posting about decoding these telemetry images. He’s been using telemetry data collected by other listeners and the gr-satellites GNU Radio decoder, which is capable of decoding the telemetry beacons of many amateur radio satellites. So far the decoded images haven’t been great: they’re mostly black with nothing really discernible. Hopefully future decodes will show better images.

If you want to track the satellite and attempt a decode, the Satellite AR Android app has the satellite in its database.

Not many people seem to have gotten telemetry decodes or images yet, but below we show an image decoded by  on Twitter.

BY70-1 Image Decoded by @bg2bhc

Building a Wideband Vivaldi Antenna for SDR Use

Vivaldis are linearly polarized broadband antennas that have a directional radiation pattern at higher frequencies. The high end SDR manufacturer RF Space produces their own Vivaldi antennas made from PCB material which they sell online. The larger the antenna, the lower its minimum receiving frequency, and ones that go down to about 200 MHz are almost the size of a full adult person. But all sizes receive up to a maximum of 6 GHz. Typically smaller versions of Vivaldi antennas have been used in the past for L-Band satellite reception.

Over on his blog KD0CQ noted that he always had trouble trying to purchase a Vivaldi from RF Space because they were too popular and always out of stock. So he decided to try and build his own out of PCB material. On this page he’s collected a bunch of Vivaldi cutout or transfer images. On his second page he shows a Vivaldi antenna that he built out of PCB material, just by using scissors and semi-rigid coax. With the Vivaldi placed outdoors he’s been able to successfully receive and decode L-Band AERO on his Airspy Mini, even without an LNA.

KD0CQ writes that he’ll update his blog soon with more results.

Simple Vivaldi antenna by KD0CQ cut out of PCB board.

Talks from the 33rd Chaos Computer Club Conference

Videos from the 33rd Chaos Communication Congress [33c3] of the Chaos Computer Club have recently been uploaded to YouTube. This is a yearly European conference with a theme on hacking. This year several SDR and RF related talks were presented, and below is a sampling of our favorites. See their YouTube channel for more interesting talks.

Reverse Engineering Outernet

Outernet is a company whose goal is to ease worldwide access to internet contents by broadcasting files through geostationary satellites. Currently, they broadcast an L-band signal from 3 Inmarsat satellites, giving them almost worldwide coverage. The bitrate of the signal is 2kbps (or 20MB of content per day), and they use the signal to broadcast Wikipedia pages, weather information and other information of public interest.

Most of the software used for Outernet is open source, but the key parts of their receiver are closed source and the protocols and specifications of the signal used are secret. I think this is contrary to the goal of providing free worldwide access to internet contents. Therefore, I have worked to reverse engineer the protocols and build an open source receiver. I have been able to reverse engineer most of the protocols, and a functional open source receiver is now available.

In this talk, I’ll explain which modulation, coding and framing is used for the Outernet L-band signal, what are the ad-hoc network and transport layer used, how the file broadcasting system works, and some of the tools and techniques I have used to do reverse engineering.

PDF slides available [here].

Intercoms Hacking

To break into a building, several methods have already been discussed, such as trying to find the code paths of a digicode, cloning RFID cards, using social engineering attacks, or archaic methods like lockpicking a door lock or breaking a window.

New methods are now possible with recent intercoms. Indeed, these intercoms are used to call the tenants to access the building. But little study has been performed on how these boxes communicate to request and grant access to the building.

In the past, they were connected with wires directly to apartments. Now, these are more practical and allow residents to open doors not only from their classic door phone, but also to forward calls to their home or mobile phone. Private houses are now equipped with these new devices and it’s common to find these “connected” intercoms in recent and renovated buildings.

In this short paper we introduce the intercoms and focus on one particular device that is commonly installed in buildings today. Then we present our analysis of an interesting attack vector, which already has its own history. After this analysis, we present our environment to test the intercoms, and show some practical attacks that could be performed on these devices. During this talk, the evolution of our mobile lab and some advances on 3G intercom and M2M intercom attacks will also be presented.

Building a high throughput low-latency PCIe based SDR

Software Defined Radios (SDRs) have become a mainstream tool for wireless engineers and security researchers, and there are plenty of them available on the market. Most if not all SDRs in the affordable price range are using USB2/USB3 as a transport, because of implementation simplicity. While being so popular, USB has limited bandwidth, high latency and is not really suitable for embedded applications. PCIe/miniPCIe is the only widespread bus which is embedded friendly, low latency and high bandwidth at the same time. But implementing PCIe/miniPCIe is not for the faint of heart – you have to write your own FPGA code, write your own Linux kernel driver and ensure compatibility with different chipsets, each with its own quirks. In this talk we will look at the requirements for a high performance SDR like XTRX, how this leads to certain design decisions, and share pitfalls and gotchas we encountered (and solved).

We’ve been working with SDRs since 2008 and building our own SDRs since 2011, focusing on embedded systems and mobile base stations. We created the ClockTamer configurable clock source and the UmTRX SDR and built a complete base station (UmSITE) to run OpenBTS and later Osmocom GSM stacks. This year we’ve started working on a new tiny high-performance SDR called XTRX, which fits into the miniPCIe form factor and uses PCIe for the I/Q sample transfer.

We will talk about when to use PCIe and when not to use PCIe and why we chose it for XTRX; FPGA implementation of PCIe with optimization for low latency and high throughput; the Linux kernel driver for this PCIe device; integration with various SDR platforms; and all the various issues we encountered and how you can avoid them.

A Guide to Using RPiTX and an RTL-SDR to Reverse Engineer and Control ASK/OOK Devices

Erhard E. has been experimenting with capturing, analyzing, reverse engineering and then transmitting new ASK/OOK signals with his RTL-SDR and Raspberry Pi running RPiTX. Erhard has written a very informative guide/tutorial (pdf) that explains how he did it for wireless doorbell and for remote control toy cars. RPiTX is software for the Raspberry Pi which allows it to transmit almost any signal via modulation of a GPIO pin. RPiTX related posts have been featured on this blog several times in the past.

First Erhard records a copy of the doorbell signal using his RTL-SDR and then views the waveform in Audacity. He then writes that you’ll need to find the waveform characteristics either manually using Audacity, or by using the rtl_433 decoder. In the tutorial he uses rtl_433, which automatically gives him the pulse width, gap width and pulse period.

Next, in order to actually generate the signal using RPiTX, he uses the waveform characteristics that he found and manually creates a .ft hex file that describes the signal to be generated. Then, using the rpitx command, the .ft file can be transmitted.

Later in the tutorial he also shows how he performed the same reverse engineering process with a cheap RC car toy (forward/reverse commands only), which uses OOK encoding on the wireless controller.
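The measurement step in the tutorial (pulse width, gap width and symbol period of an ASK/OOK signal) is simple enough to reproduce in a few lines, and the same measurement is what a receiver-side tool needs to recognise or log such a transmission. The script below is an added example, not Erhard's code and not rtl_433's implementation: it thresholds a demodulated envelope, measures the pulse and gap lengths, and recovers bits under a pulse-width-modulation (PWM) scheme. The envelope is constructed inside the script (idle gap, then eight symbols with 300 µs and 900 µs pulses on a 1200 µs period), and the 250 kS/s sample rate and the assumption that the long pulse encodes a 1 are illustrative choices; a real doorbell may use a different mapping, which is exactly what the inspection in Audacity is meant to settle.

```python
"""Pulse-width measurement and PWM/OOK bit recovery over a constructed envelope."""

SAMPLE_RATE = 250_000   # Hz; assumed here, 250 kS/s is also rtl_433's default rate


def runs_from_envelope(envelope, threshold=0.5):
    """Threshold the demodulated envelope and return a list of (level, length) runs."""
    runs = []
    current = 1 if envelope[0] > threshold else 0
    length = 0
    for sample in envelope:
        level = 1 if sample > threshold else 0
        if level == current:
            length += 1
        else:
            runs.append((current, length))
            current, length = level, 1
    runs.append((current, length))
    return runs


def _strip_idle(runs):
    """Drop leading/trailing low runs: silence before and after the burst is not a gap."""
    core = list(runs)
    if core and core[0][0] == 0:
        core = core[1:]
    if core and core[-1][0] == 0:
        core = core[:-1]
    return core


def pulse_stats(runs, sample_rate=SAMPLE_RATE):
    """Pulse width, gap width and symbol period in microseconds, as rtl_433 reports them."""
    core = _strip_idle(runs)
    highs = [n for lvl, n in core if lvl == 1]
    lows = [n for lvl, n in core if lvl == 0]
    us_per_sample = 1e6 / sample_rate
    return {
        "short_pulse_us": min(highs) * us_per_sample,
        "long_pulse_us": max(highs) * us_per_sample,
        "gap_us": min(lows) * us_per_sample,
        # rising edge of the first pulse to rising edge of the second pulse
        "period_us": (highs[0] + lows[0]) * us_per_sample,
    }


def decode_pwm(runs):
    """Recover bits: a pulse longer than the midpoint of short/long is read as 1 (assumed)."""
    highs = [n for lvl, n in _strip_idle(runs) if lvl == 1]
    midpoint = (min(highs) + max(highs)) / 2
    # if every pulse has the same width there is no PWM information; all read as 0
    return "".join("1" if n > midpoint else "0" for n in highs)


def build_envelope(bits, short=75, long=225, period=300, idle=100):
    """Constructed sample input: 75/225-sample pulses on a 300-sample period at 250 kS/s,
    i.e. 300 µs / 900 µs pulses with a 1200 µs symbol period, surrounded by idle time."""
    env = [0.05] * idle
    for b in bits:
        width = long if b == "1" else short
        env += [0.9] * width + [0.05] * (period - width)
    return env + [0.05] * idle


if __name__ == "__main__":
    runs = runs_from_envelope(build_envelope("10110010"))
    print(pulse_stats(runs))
    print("decoded bits:", decode_pwm(runs))
```

On the constructed burst the measured values are 300 µs and 900 µs pulses, a 300 µs minimum gap and a 1200 µs period, and the decoded bit string equals the one that was encoded. Feeding the function a real envelope means exporting the AM-demodulated audio from the recording and normalising it to the 0..1 range first; the threshold of 0.5 then sits halfway between the idle and keyed levels.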

The tutorial can be downloaded in PDF form here.

Showing the Pulse Width, Gap Width and Symbol Period of a signal in Audacity.

Designing a Remote SDR Station

Over on his blog w5fcx has posted an article that explains how he’s managed to set up a remote software defined radio based ham radio station. The article is more focused on high end ham equipment for RX and TX use, but similar principles could apply to a RX only station with SDRs like the RTL-SDR/Airspy/SDRplay.

He writes that he uses a VPN to remotely connect to his home computer, so that nothing on the station is exposed directly to the internet, and makes use of the SmartSDR app for Flex SDR radios, which is available for iOS and Windows. Many of the apps he uses, such as his antenna rotator software, are also controlled over the VPN via remote COM port software. He also notes the requirement for an internet-controllable AC power supply in case TX needs to be shut down, and a UPS for continuous power. For the actual radio side he uses a FlexRadio SDR, an Elecraft amplifier and tuner, an antenna rotator and a Spiderbeam Yagi antenna.

The article explains in detail much of the equipment and software that he uses and is an excellent read for those wanting to get started in designing a remotely accessible SDR station.

Remote SDR Station Components