AmateurRadio.com and NooElec are currently running a big competition to give away 50 of their new SMA RTL-SDR dongles (branded as the NooElec SMArt). To enter, simply go to the competition post on amateurradio.com and comment on their post (not ours!). The competition closes on August 7 at 20:00 UTC.
They are giving away a total of 50 units: two bundles that come with their SMA RTL-SDR and Ham-It-Up Upconverter, one bundle with a Raspberry Pi and RTL-SDR dongle, three double pack RTL-SDR + antenna bundles, ten double packs of RTL-SDR dongles, ten RTL-SDR + antenna sets, and ten sets of just the RTL-SDR dongle itself.
The NooElec SMArt is NooElec's latest RTL-SDR variant, which like ours comes with an SMA coax connector and a metal enclosure.
Over on YouTube, user Crazy Danish Hacker has been uploading an entire series on GSM sniffing with an RTL-SDR. The series is presented in a slow and clear style, and it starts at the very beginning with installing the RTL-SDR. The series is not yet complete, but he is uploading a new video almost daily. Presumably it will end by showing how to receive the text messages and voice calls originating from your own cellphone.
So far he has shown how to install the RTL-SDR, identify GSM downlinks, install and use GQRX and kalibrate, locate nearby cell towers, install and use gr-gsm, and how to extract the TMSI and Kc from your own cell phone (the TMSI is the temporary subscriber identity the network assigns to the phone, and Kc is the A5 session key needed to decrypt its traffic). To obtain them he uses an Android tool called usbswitcher, which switches the phone to its USB modem interface, from which the values can be read out.
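The kalibrate step above is where you choose which downlink to hand to gr-gsm: kal -s scans a band and prints one line per detected base station channel with its ARFCN, the measured frequency offset and a relative power. The following is an added example, not code from the video series, that parses such a scan, picks the strongest channel and checks each reported centre frequency against the GSM-900 ARFCN formula (935 MHz + 200 kHz * ARFCN). The sample output is constructed; its line shape follows kalibrate's "chan: N (freq ± offset) power: P" format but the numbers are invented, and the per-channel ppm it computes is only meaningful once you have already corrected the dongle with kal -c.

```python
import re
from typing import Dict, List, Optional

# Constructed kalibrate-rtl (kal -s GSM900) output. The line shape mirrors the
# tool's real "chan: N (freq ± offset) power: P" lines; the values are invented.
KAL_SCAN = """\
kal: Scanning for GSM-900 base stations.
GSM-900:
\tchan: 12 (937.4MHz - 1.203kHz)\tpower: 51234.12
\tchan: 27 (940.4MHz + 412Hz)\tpower: 8431.90
\tchan: 63 (947.6MHz + 2.114kHz)\tpower: 133421.55
"""

_LINE = re.compile(
    r"chan:\s*(\d+)\s*\(([\d.]+)MHz\s*([+-])\s*([\d.]+)(kHz|Hz)\)\s*power:\s*([\d.]+)"
)


def gsm900_downlink_hz(arfcn: int) -> int:
    """Nominal primary GSM-900 downlink centre: 935 MHz + 200 kHz * ARFCN (ARFCN 1..124)."""
    if not 1 <= arfcn <= 124:
        raise ValueError("not a primary GSM-900 ARFCN")
    return 935_000_000 + 200_000 * arfcn


def parse_kal_scan(text: str) -> List[Dict[str, float]]:
    """Turn kal -s output into one record per channel, with the offset folded into Hz."""
    chans = []
    for m in _LINE.finditer(text):
        arfcn = int(m.group(1))
        nominal_hz = int(round(float(m.group(2)) * 1e6))
        offset_hz = float(m.group(4)) * (1000.0 if m.group(5) == "kHz" else 1.0)
        if m.group(3) == "-":
            offset_hz = -offset_hz
        chans.append({
            "arfcn": arfcn,
            "nominal_hz": nominal_hz,
            "measured_hz": nominal_hz + offset_hz,
            # Apparent error of this channel relative to the dongle's current tuning.
            "offset_ppm": offset_hz / nominal_hz * 1e6,
            "power": float(m.group(6)),
        })
    return chans


def strongest_channel(chans: List[Dict[str, float]]) -> Optional[Dict[str, float]]:
    """The channel to feed to grgsm_livemon first: highest reported power."""
    return max(chans, key=lambda c: c["power"]) if chans else None


def nominal_matches_arfcn(chans: List[Dict[str, float]]) -> bool:
    """Sanity check: every reported centre must equal the ARFCN formula."""
    return all(c["nominal_hz"] == gsm900_downlink_hz(c["arfcn"]) for c in chans)


if __name__ == "__main__":
    best = strongest_channel(parse_kal_scan(KAL_SCAN))
    print(f"ARFCN {best['arfcn']}: {best['measured_hz']:.0f} Hz, "
          f"{best['offset_ppm']:+.3f} ppm, power {best['power']}")
```

Tune gr-gsm to measured_hz rather than nominal_hz if you have not yet applied a ppm correction to the dongle; once kal -c has given you a ppm value, pass that to the receiver and use the nominal frequency.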
The video below shows his teaser video on the series. Check out his GSM playlist to view the full series.
GSM Sniffing Teaser - Software Defined Radio Series!
In his post Lukas describes how he designed the PCB in Altium Designer, routing the traces carefully to keep them as short as possible and to get the impedance matching right. After having the PCBs made by OSH Park, he writes that he assembled the board by placing the components by hand and using his reflow oven. This was no easy task given the manual nature of the operation and the high chance of hard-to-detect solder problems. Despite the difficulties he found that the SDR powered up as expected.
His next step was to start work on the FPGA design; however, he discovered that he had failed to route some of the FPGA's clock pins properly. On the third revision of the PCB he was able to fix this. Finally he was able to program the FPGA and get his SDR working.
Designing an SDR from scratch is no easy task, especially if you have little design experience like Lukas did. However, in the end despite some mistakes he was able to build a working SDR that interfaces with GNU Radio.
Valo is a software service for real time big data streaming analytics of data from many sensors. On their website they explain their service as follows.
Valo is a single platform for streaming (real time) and batch (historical) data analysis. Valo provides multi-paradigm big data storage for both semi-structured and numerical data. Valo contains a powerful analytics engine for processing all of this data. Finally Valo is super simple – a single tool that can be up and running in minutes.
Rémi writes that what he’s done is simply a proof of concept that shows the power of Valo. He writes that one such interesting future development could be using Valo to detect FBI/CIA surveillance aircraft. Previously we posted about how an RTL-SDR user discovered these surveillance aircraft by their odd circular flight paths. The analytics engine of Valo could be used to automatically detect odd flight patterns such as from these surveillance aircraft.
Plotting the history of aircraft coming into land at HK airport
Mario Filippi, a regular contributor to our blog and to the SDR community recently wrote in with an article showing how he built an S-Band (2 – 4 GHz) antenna for use with the HackRF. Of course the antenna can be used with any other SDR that can receive in this range, or with an RTL-SDR and downconverter. We post his article below.
S-Band Antenna for use with the HackRF One. Author: Mario Filippi, N2HUN
Ever since purchasing a HackRF One, which receives from 1 MHz – 6.0 GHz I’ve always wanted to explore the world above 1 Gig, specifically the 2.0 – 2.7 GHz portion of the S-band. This portion of the band is populated with satellite communications, ISM, amateur radio, and wireless networks. A good, homebrew antenna for S-band was needed, so with parts mostly from the junk box, a 2250 MHz S-band right hand circularly polarized omni-directional antenna was built. Below is a step by step tutorial on building this antenna. Plans were from UHF-Satcom’s site.
Network transparency. Process the data remotely and send to the client only waterfall pixels and filtered narrowband channels instead of the entire SDR baseband. With this, you can use the SDR remotely over WAN.
Multiple demodulators running at once. How the hell can this be missing?
History browsing. It happens to me all the time: I see a new station scrolling on the waterfall. Before I manage to tune to it, it disappears (or at least the callsign is over). I have 8 GB of RAM, so why can’t I store the last minute of the entire SDR baseband for future reference?
Pluggable demodulators. Why is it so much pain to add GSM, Tetra, Tetrapol and other modes to existing software? I just want to provide a binary and have the data piped to stdin.
Squelch sucks. The squelch should not care about absolute signal level, but about level relative to surrounding channels. Additionally, it should have hysteresis and a small buffer, so when it triggers, it correctly replays the beginning of the conversation. Oh, and when recording, the squelch should timestamp the parts of conversation.
Histogram. It is difficult to see clipping on the FFT output. Why don’t we have histogram of samples?
Autotune/AFC. Obvious.
Scanner. Both for automatic demodulating all peaks in the spectrum and for retuning the SDR and finding stations. Even the crappiest rtl-sdr has 2 MHz bandwidth and can retune in 50 ms. This means 1600 channels per second. Compare this with commercial scanners.
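The squelch item in the list above describes a concrete design: open on signal level relative to the surrounding channels rather than an absolute threshold, use hysteresis (a higher level to open than to close), keep a short pre-roll so the start of a transmission is not lost, and timestamp each segment. The following is an added example that is not part of Kukuruku; it implements that design as a frame-by-frame state machine over constructed per-frame power readings (one value for the wanted channel and a few for its neighbours, all invented), returning the frame spans and timestamps a recorder would use.

```python
import statistics
from typing import List, Sequence, Tuple

# Constructed per-frame power readings in dB, 100 ms per frame (invented data).
# Frames 4-8 carry a transmission; frame 12 is a weak blip between the two
# thresholds; frames 14-15 are a broadband noise rise that lifts every channel.
CHANNEL_DB = [-40, -40, -40, -38, -20, -18, -25, -19, -31, -40, -40, -40, -31, -40, -22, -22]
NEIGHBOURS_DB = [[-40, -41, -39, -40]] * 14 + [[-23, -22, -24, -23]] * 2
FRAME_S = 0.1


def squelch_segments(
    channel_db: Sequence[float],
    neighbours_db: Sequence[Sequence[float]],
    open_margin: float = 12.0,   # dB above the neighbour floor needed to open
    close_margin: float = 6.0,   # dB above the floor below which we start closing
    preroll: int = 2,            # frames replayed from before the open decision
    hang: int = 1,               # consecutive below-threshold frames tolerated
) -> List[Tuple[int, int]]:
    """Return (start_frame, end_frame_exclusive) spans where the squelch was open."""
    segments: List[Tuple[int, int]] = []
    is_open = False
    start = 0
    below = 0
    for i, (power, neighbours) in enumerate(zip(channel_db, neighbours_db)):
        # Relative level: the floor is the median of the adjacent channels, so a
        # band-wide rise in noise does not open the squelch on every channel.
        rel = power - statistics.median(neighbours)
        if not is_open:
            if rel >= open_margin:
                is_open = True
                below = 0
                start = max(0, i - preroll)  # replay the buffered frames too
        elif rel >= close_margin:
            below = 0                        # hysteresis: stay open above close_margin
        else:
            below += 1
            if below > hang:
                # End at the first frame of the quiet run, not at the frame that
                # finally closed the squelch.
                segments.append((start, i - below + 1))
                is_open = False
    if is_open:
        segments.append((start, len(channel_db)))
    return segments


def segment_timestamps(segments: List[Tuple[int, int]], frame_s: float) -> List[Tuple[float, float]]:
    """Convert frame spans into (start_s, end_s) for tagging a recording."""
    return [(round(a * frame_s, 3), round(b * frame_s, 3)) for a, b in segments]


if __name__ == "__main__":
    spans = squelch_segments(CHANNEL_DB, NEIGHBOURS_DB)
    print(spans, segment_timestamps(spans, FRAME_S))
```

With the constructed data the only segment is frames 2 through 8: the two pre-roll frames are included, frame 8 stays in because it is above the close margin, the blip at frame 12 never reaches the open margin, and the noise rise at the end lifts the neighbours just as much as the wanted channel and so does not open the squelch.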
At the moment one interesting plugin for Kukuruku is the TETRA plugin. The plugin appears to use tetra-listener and TETRAPOL-kit as the demodulators, and simply pipes the signal data to them for decoding and audio output.
The installation instructions can be found on the user guide. So far we unfortunately haven’t been able to install and test the software due to several compilation errors occurring, so if anyone tries this out and gets it to work, please post any installation tips in the comments.
Kukuruku running and demodulating TETRA audio with a plugin.
rtl_fm / rx_fm: decode and listen to FM/AM/SSB signals.
rtl_sdr / rx_sdr: record raw IQ samples for later processing.
rtl_power / rx_power: wideband scans over arbitrarily wide spans of spectrum, hopping across multiple chunks of bandwidth and recording the signal power levels in each.
rx_tools is based on SoapySDR, which is an SDR abstraction layer. If software is developed against SoapySDR, it can be used with any SDR for which a Soapy plugin exists. This removes the need for software to be rewritten for each SDR; instead the plugin for a device only needs to be written once.
rx_power scan with the HackRF at 5 GHz over 9 hours.
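rtl_power and rx_power write one CSV row per hop of each sweep: date, time, start Hz, end Hz, bin width in Hz, sample count, then one dB value per bin. The scan in the image above is the usual way such output is consumed, but the same file can drive the automatic peak-finding scanner wished for in the Kukuruku list. The following is an added example, not part of rx_tools or Kukuruku, that parses that format from a constructed six-row scan (three hops, two sweeps, invented values), reduces the sweeps either by averaging or by max-hold, and reports bins that stand a chosen margin above the median noise floor.

```python
import statistics
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed rtl_power / rx_power CSV (not a real capture). Three 100 kHz hops with
# 25 kHz bins, swept twice. A steady carrier sits at 88.125 MHz; a single-sweep
# burst appears at 88.250 MHz in the second sweep only.
SAMPLE_CSV = """\
2016-07-10, 12:00:00, 88000000, 88100000, 25000.00, 12, -30.1, -29.8, -31.0, -30.4
2016-07-10, 12:00:00, 88100000, 88200000, 25000.00, 12, -30.0, -12.5, -30.2, -30.9
2016-07-10, 12:00:00, 88200000, 88300000, 25000.00, 12, -31.2, -30.7, -29.9, -30.3
2016-07-10, 12:00:01, 88000000, 88100000, 25000.00, 12, -30.3, -30.1, -30.8, -30.2
2016-07-10, 12:00:01, 88100000, 88200000, 25000.00, 12, -30.4, -13.1, -30.0, -30.5
2016-07-10, 12:00:01, 88200000, 88300000, 25000.00, 12, -30.9, -30.6, -14.0, -30.1
"""


def parse_rtl_power(text: str) -> Dict[int, List[float]]:
    """Map each bin's start frequency (Hz) to the dB readings seen for it, one per sweep."""
    bins: Dict[int, List[float]] = defaultdict(list)
    for line in text.splitlines():
        fields = [f.strip() for f in line.split(",")]
        if len(fields) < 7:
            continue  # blank or truncated row
        hz_low, hz_high = int(fields[2]), int(fields[3])
        hz_step = float(fields[4])
        for i, value in enumerate(fields[6:]):
            freq = hz_low + int(round(i * hz_step))
            if freq >= hz_high:
                break  # defensive: ignore any bins past the hop's declared end
            bins[freq].append(float(value))
    return dict(bins)


def find_peaks(bins: Dict[int, List[float]], margin_db: float = 10.0,
               hold: str = "mean") -> List[Tuple[int, float]]:
    """Bins whose reduced level exceeds the median floor by margin_db, sorted by frequency.

    hold="mean" averages sweeps (good for steady carriers, hides short bursts);
    hold="max" keeps the strongest reading (catches intermittent signals).
    """
    reduce = statistics.mean if hold == "mean" else max
    spectrum = {f: reduce(v) for f, v in bins.items()}
    floor = statistics.median(spectrum.values())
    return sorted((f, round(p, 2)) for f, p in spectrum.items() if p > floor + margin_db)


if __name__ == "__main__":
    bins = parse_rtl_power(SAMPLE_CSV)
    print("mean:", find_peaks(bins))
    print("max: ", find_peaks(bins, hold="max"))
```

The choice of reduction matters for a scanner: averaging two sweeps halves the burst at 88.250 MHz and it drops below the margin, while max-hold keeps it. For a long scan like the nine-hour one above, run the peak finder per sweep or over a sliding window rather than over the whole file so that a bin that was busy once an hour is not averaged into the floor.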
"Pokémon Go" is the latest smartphone augmented reality gaming craze. You may have already heard about the game on the news, or seen kids playing it in your neighbourhood. To play, players must walk around in the real world with their GPS-enabled smartphone, collecting the virtual Pokémon which appear at random spots in the real world, replenishing the virtual items needed to collect Pokémon at "Pokéstops", and putting Pokémon into battle at "Gyms". Pokéstops and gyms are often city landmarks such as popular shops, fountains, statues and signs. For those who have no idea what "Pokémon" are: Pokémon are fictional animals from a popular children's cartoon and comic.
Since the game is GPS based, Stefan Kiese decided to see if he could cheat at the game by spoofing his GPS location using a HackRF software defined radio. The HackRF is a relatively low cost multipurpose TX and RX capable software defined radio. When playing the game, players often walk from Pokéstop to Pokéstop, collecting Pokémon along the way, and replenishing their items. By spoofing the GPS signal he is able to simulate walking around in the physical world, potentially automating the collection of Pokémon and replenishment of items at Pokéstops.
To do this he used the off-the-shelf "GPS-SDR-Sim" software by Takuji Ebinuma, which is a GPS spoofing tool for transmit-capable SDRs like the HackRF, bladeRF and USRP radios. At first, when using the software, Stefan noticed that the HackRF was simply jamming his GPS reception rather than simulating the satellites. He discovered the problem was that the HackRF's clock was not accurate enough. To solve this he used a function generator to feed a stable 10 MHz square wave into the HackRF's clock input port. He also found that he needed to disable "Assisted GPS" (A-GPS) on his phone, which uses the cellular network to supply a coarse position and satellite data and would otherwise contradict the simulated fix.
Next he was able to use the GPS-SDR-Sim tools to plot a simulated walking route and watch his virtual character walking around on the real-world map. A warning if you intend to do this: remember that 1) spoofing or jamming GPS is illegal in most countries outside a shielded test lab setting, so you must ensure that your spoofed GPS signal cannot interfere with anything, and 2) the game likely has cheating detection and will probably ban you if you don't simulate a regular walking speed.
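The two practical points in the warning above, a route that moves at a believable walking pace and a simulation that stays short, are both properties of the motion file you feed the simulator. The following is an added example, not part of GPS-SDR-Sim, that turns a handful of lat/lon waypoints into a 10 Hz table of WGS84 ECEF positions at a constant 1.4 m/s, which is the shape of the dynamic-mode user motion CSV (time,x,y,z in metres) that gps-sdr-sim's -u option reads as I understand its README; confirm the column order and the compile-time table size (USER_MOTION_SIZE, 3000 rows for 300 s at 10 Hz in the copies I have seen) against the version you build. The waypoints are constructed and bear no relation to the article's route.

```python
import math
from typing import List, Sequence, Tuple

# WGS84 ellipsoid constants.
WGS84_A = 6378137.0
WGS84_F = 1.0 / 298.257223563
WGS84_E2 = WGS84_F * (2.0 - WGS84_F)

# Assumed compile-time size of gps-sdr-sim's user-motion table (USER_MOTION_SIZE in
# gpssim.h: 3000 rows = 300 s at 10 Hz). Check the header of your own copy.
USER_MOTION_MAX_ROWS = 3000

# Constructed waypoints (lat_deg, lon_deg) for a short walk; invented, not the article's route.
WAYPOINTS = [(52.5163, 13.3777), (52.5166, 13.3790), (52.5172, 13.3795)]

Row = Tuple[float, float, float, float]  # (t_s, x_m, y_m, z_m)


def lla_to_ecef(lat_deg: float, lon_deg: float, h_m: float = 0.0) -> Tuple[float, float, float]:
    """Geodetic latitude/longitude/height to WGS84 ECEF metres."""
    lat, lon = math.radians(lat_deg), math.radians(lon_deg)
    sin_lat, cos_lat = math.sin(lat), math.cos(lat)
    n = WGS84_A / math.sqrt(1.0 - WGS84_E2 * sin_lat * sin_lat)  # prime vertical radius
    x = (n + h_m) * cos_lat * math.cos(lon)
    y = (n + h_m) * cos_lat * math.sin(lon)
    z = (n * (1.0 - WGS84_E2) + h_m) * sin_lat
    return (x, y, z)


def _dist(p: Sequence[float], q: Sequence[float]) -> float:
    return math.sqrt(sum((a - b) ** 2 for a, b in zip(p, q)))


def plan_walk(waypoints: Sequence[Tuple[float, float]], speed_mps: float = 1.4,
              rate_hz: int = 10, h_m: float = 40.0) -> List[Row]:
    """Interpolate the route in ECEF at a constant pace, one row every 1/rate_hz seconds.

    Legs are a few hundred metres at most, so straight-line interpolation between the
    ECEF waypoints is indistinguishable from following the ground.
    """
    step = speed_mps / rate_hz                      # metres covered per row
    points = [lla_to_ecef(lat, lon, h_m) for lat, lon in waypoints]
    route = [points[0]]
    for p, q in zip(points, points[1:]):
        d = _dist(p, q)
        if d == 0.0:
            continue                                # duplicate waypoint
        for k in range(1, math.ceil(d / step) + 1):
            frac = min(k * step / d, 1.0)           # last row lands exactly on the waypoint
            route.append(tuple(a + frac * (b - a) for a, b in zip(p, q)))
    if len(route) > USER_MOTION_MAX_ROWS:
        raise ValueError(f"route needs {len(route)} rows; simulator table holds {USER_MOTION_MAX_ROWS}")
    return [(i / rate_hz, x, y, z) for i, (x, y, z) in enumerate(route)]


def step_speeds(rows: Sequence[Row]) -> List[float]:
    """Ground speed between consecutive rows, m/s; the cheat detector's view of the walk."""
    return [_dist(p, q) / (t1 - t0) for (t0, *p), (t1, *q) in zip(rows, rows[1:])]


def format_user_motion(rows: Sequence[Row]) -> str:
    """CSV text in the assumed time,x,y,z layout."""
    return "".join(f"{t:.1f},{x:.3f},{y:.3f},{z:.3f}\n" for t, x, y, z in rows)


if __name__ == "__main__":
    rows = plan_walk(WAYPOINTS)
    print(f"{len(rows)} rows, {rows[-1][0]:.1f} s, max speed {max(step_speeds(rows)):.3f} m/s")
    print(format_user_motion(rows[:3]), end="")
```

Keep the clock caveat from the article in mind when using any such file: with a drifting reference the receiver sees the satellites at the wrong code phases and the result is jamming, not a fix, no matter how plausible the motion table is.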