Testing the MIX4ALL Downconverter on L-Band

Adam (9a4QV) is well known in the RTL-SDR community for creating and selling the LNA4ALL low noise amplifier and several filter circuits as well. Now Adam has uploaded on his YouTube channel a new video that shows a prototype of his latest upcoming RTL-SDR compatible product called the MIX4ALL. The MIX4ALL is a downconverter that will improve the ability of the RTL-SDR to receive satellite signals in the L-band which are usually at around 1.5 GHz.

It is known that the most common R820T/2 RTL-SDRs are not very sensitive at 1.5 GHz, and some can even stop receiving properly at this frequency when they get too hot. A downconverter simply converts the 1.5 GHz signals into a lower frequency that the RTL-SDR receives much better.

In the first video Adam shows the MIX4ALL being used with an RTL-SDR to receive various Inmarsat signals with a patch antenna. In the second video he shows reception of AERO-I signals.

Adam writes that he expects to be able to sell the MIX4ALL near the end of January 2016.

MIX4ALL test @ L-band Inmarsat

MIX4ALL AERO-I L band Inmarsat 4F2

Setting up an RTL-SDR based APT/Meteor Satellite Weather Station Receiver

Recently a reader of our blog, Initrd, wrote in to let us know about a new tutorial he created that shows how to set up a dual NOAA APT and Meteor LRPT weather satellite monitoring station with an RTL-SDR dongle. These weather satellites transmit a live image of the portion of the earth that they are currently over, providing a valuable tool for weather analysis. APT transmissions are analogue and are transmitted by the American NOAA satellites, and the newer Meteor M2 satellite transmits a higher resolution image in the LRPT format. We also have posted separate tutorials that show how to set up NOAA APT and Meteor M2 LRPT decoding with an RTL-SDR, but Initrd’s tutorial appears to be a good all in one guide.

His tutorial takes you step by step through a process that involves setting up the satellite tracking software Orbitron, all the required SDR# plugins, the APT decoder WXtoIMG and the LRPT decoder. The tutorial also shows how to connect them all together and set them up so that APT and LRPT decoding can coexist.


Chasing Ionosondes with an RTL-SDR Dongle

Mario Filippi, a regular contributor to our blog, has recently written in with another article of his. This time he has submitted an interesting article about ionosondes and how he listens to and watches them with an RTL-SDR dongle and upconverter. We present his article below.

Chirp Sounders and Those Ear-Jarring “Zwoops”

Written by Mario Filippi (N2HUN) – (All photos courtesy of author)

Have you ever experienced a loud disconcerting “zwoop” sound quickly passing through your headphones while listening to the HF or shortwave bands? Surely many of us have, and for years these odd sounding transmissions were a mystery, but the conundrum was unraveled one day when using my RTL-SDR (software defined radio) dongle for some HF (high frequency, 2 MHz – 30 MHz) listening. The HF band is populated by an array of non-voice (digital) signals from familiar modes such as CW, RTTY, and FAX to more contemporary modes such as ALE, PSK-31, and JT65, to name a few. Many different modes and sounds, both man-made and from Mother Nature, some familiar, some mysterious, inhabit the breadth of the HF band. These frequently heard “zwoops” on different portions of the band were definitely in the “mysterious” category.

Over the past several years these high-pitched “zwoops” passing through my headset at lightning speed disturbed the calm of a normal evening spent listening to shortwave with my venerable boat anchor-like Yaesu FRG-7 receiver. However, further investigation using an RTL-SDR dongle (from www.rtl-sdr.com), Nooelec HamItUp upconverter, and SDR# software visualized these signals emanating from ionosondes. Their transmissions appear on the waterfall image as pulsed lines traveling up (and sometimes down) different segments of the HF band. Their purpose is helping to assess the ionosphere’s propagation status.

Author’s RTL-SDR dongle, Nooelec upconverter (in plexiglass case), and MFJ antenna tuner.

In short, ionosondes, or ionospheric sounders, sometimes referred to as “chirp sounders” are transmitters that send out a radio signal across a specific frequency range, only to be heard by receivers at distant locations that analyze what the propagation characteristics are. Armed with this information, these analyses are an aid in two-way radio communications, such as determining the best frequencies to use at a given time by radio operators around the world. So what do these ionosonde transmissions appear like using the RTL-SDR and SDR# software? See some examples below.

Chirp sounder appears as steeply-sloped line in center of SDR# waterfall. Strong signal at 20 MHz is time signal station WWV, Ft. Collins, CO.
Pulse-like chirp sounder moving up the 15 meter (18.900 MHz – 19.020 MHz) shortwave band.
CB (Citizen’s Band, 26.965 MHz – 27.405 MHz) band exhibiting chirp sounder activity.
Weak chirp sounder in the 20 meter (14.000 MHz – 14.350 MHz) ham band.

Chirp sounder transmissions appear randomly as one navigates the HF bands and in the author’s experience are a hit-and-miss affair, but with the advent of software defined radios with real-time spectral displays of two megahertz or more in width, one can increase the possibility of hearing and seeing them more regularly. Note that ionosonde tracings on a waterfall can take many different shapes; I have shown only a few examples. The speed at which the ionosonde transmits up or down the band varies with the setup, but it’s an amusing signal to watch as it gracefully and speedily streaks across the band’s waterfall image with its meteor-like trail.

If you’d like to submit an article related to SDR, please remember to contact us at rtlsdrblog_AT_gmail.com.

QSpectrumAnalyzer Updated to support rtl_power_fftw

QSpectrumAnalyzer is a Linux GUI for rtl_power which allows you to easily do wideband scans that are much wider than the RTL-SDR’s maximum bandwidth. rtl_power works by quickly switching between different frequencies, recording power values in each hop, and then stitching them all together. A GUI for rtl_power can be used to display an FFT spectrum and waterfall for easy analysis.

Recently we posted about the release of rtl_power_fftw, a modified version of rtl_power. This modified version uses a more efficient FFT library and reduces the acquisition time, which for rtl_power was capped at 1 second per scan. Essentially this means that rtl_power_fftw can do frequency scans much faster (though with less integration). In basic terms this means that you can now visualize large spectrum sweeps whilst having the waterfall look near real time.

Now QSpectrumAnalyzer has been updated to support rtl_power_fftw. To use rtl_power_fftw you’ll need to download and compile it yourself from https://github.com/AD-Vega/rtl-power-fftw. The compilation instructions are shown on the GitHub page, but you’ll also need to install the pkg-config, libtclap-dev and libfftw3-dev packages first. Then, once it is compiled, you can select the rtl_power_fftw binary in the QSpectrumAnalyzer settings.
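The hop-and-stitch mechanism described above, as an added example that is not QSpectrumAnalyzer's, rtl_power's or rtl_power_fftw's own code: it parses constructed rtl_power CSV lines (and, as an assumption about that tool's layout, rtl_power_fftw's two-column text), stitches the hops into one spectrum and flags bins well above the median noise floor, which is the basic step of any spectrum survey. The CSV column order and the rtl_power_fftw text format are assumptions, not taken from the page.

```python
"""Parse rtl_power-style sweep output and stitch the hops into one spectrum.

Added example, not QSpectrumAnalyzer's own code. Assumed layouts (not on the page):
  rtl_power CSV:       date, time, hz_low, hz_high, hz_step, samples, dB, dB, ...
  rtl_power_fftw text: "freq_hz power_db" per line, '#' comments, blank line per hop.
"""

# Constructed sample: one sweep of 88-96 MHz in 2 MHz hops of 8 bins (250 kHz each).
RTL_POWER_CSV = """\
2015-12-11, 12:00:00, 88000000, 90000000, 250000, 64, -30.1, -29.8, -12.4, -30.5, -31.0, -29.9, -30.2, -30.7
2015-12-11, 12:00:00, 90000000, 92000000, 250000, 64, -30.3, -30.0, -29.7, -30.1, -8.9, -30.4, -29.9, -30.8
2015-12-11, 12:00:00, 92000000, 94000000, 250000, 64, -30.0, -30.2, -30.6, -29.8, -30.1, -30.3, -15.2, -30.0
2015-12-11, 12:00:01, 94000000, 96000000, 250000, 64, -30.4, -29.9, -30.2, -30.5, -30.0, -30.1, -29.8, -30.3
"""

# Constructed sample in the assumed rtl_power_fftw layout: two 3-bin hops.
RTL_POWER_FFTW_TXT = """\
# rtl_power_fftw style output (constructed)
88000000 -30.1
88250000 -29.8
88500000 -12.4

88750000 -30.5
89000000 -31.0
89250000 -29.9
"""


def parse_rtl_power(text):
    """Yield one hop per CSV line as (hz_low, hz_step, [dB per bin])."""
    for line in text.splitlines():
        fields = [f.strip() for f in line.split(",")]
        if len(fields) < 7:
            continue                      # blank or truncated line
        lo, hi, step = int(fields[2]), int(fields[3]), float(fields[4])
        db = [float(v) for v in fields[6:]]
        if abs(len(db) * step - (hi - lo)) > step:
            raise ValueError(f"hop {lo}-{hi}: {len(db)} bins do not span the hop")
        yield lo, step, db


def parse_rtl_power_fftw(text):
    """Yield hops from 'freq power' lines; a blank line ends a hop."""
    hop = []
    for line in text.splitlines() + [""]:  # sentinel flushes the last hop
        line = line.strip()
        if line and not line.startswith("#"):
            f, p = line.split()
            hop.append((int(float(f)), float(p)))
        elif not line and hop:
            step = hop[1][0] - hop[0][0] if len(hop) > 1 else 0
            yield hop[0][0], step, [p for _, p in hop]
            hop = []


def stitch(hops):
    """Merge hops into one ascending (freq_hz, dB) list; later hops overwrite overlaps."""
    spectrum = {}
    for lo, step, db in hops:
        for i, v in enumerate(db):
            spectrum[int(lo + i * step)] = v
    return sorted(spectrum.items())


def peaks_above_floor(spectrum, margin_db=10.0):
    """Median bin power is the noise floor; return the strongest bin of each run above it."""
    levels = sorted(v for _, v in spectrum)
    floor = levels[len(levels) // 2]
    peaks, run = [], []
    for f, v in spectrum:
        if v > floor + margin_db:
            run.append((f, v))
        elif run:
            peaks.append(max(run, key=lambda p: p[1]))
            run = []
    if run:
        peaks.append(max(run, key=lambda p: p[1]))
    return floor, peaks


if __name__ == "__main__":
    for f, v in peaks_above_floor(stitch(parse_rtl_power(RTL_POWER_CSV)))[1]:
        print(f"carrier near {f / 1e6:.3f} MHz at {v:.1f} dB")
```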

The latest release of QSpectrumAnalyzer can be downloaded from https://github.com/xmikos/qspectrumanalyzer/releases.

QSpectrumAnalyzer with rtl_power_fftw doing a 7 MHz scan of the FM broadcast band.

Live Right Now: The 12th Cyberspectrum Software Defined Radio Meetup

Cyberspectrum is a monthly software defined radio meetup that is held in San Francisco. During this meetup presenters show and discuss their SDR related work. The 12th Cyberspectrum meetup is occurring right now and this time there will be presentations from amateur radio astronomer Marcus Leech from Canada and wireless security researcher Tobias Zillner from Austria.

There is a live stream on YouTube shown below, and after it finishes it will also be available for viewing:

Edit: The stream is over. Marcus Leech gave a nice talk that gave an overview of amateur radio astronomy and explained some of his setup, in which he uses RTL-SDR dongles as the receiver.

Cyberspectrum: Bay Area Software Defined Radio #12 (Dec 2015)

The overview of today’s presentations are as follows:

Marcus Leech from SBRAC: “An integrated proof-of-concept ‘all-digital’ feed for 21cm radio astronomy”

We show ongoing work in designing and building a proof-of-concept ‘all digital’ feed for 21cm radio astronomy experiments. While many professional radio astronomy observatories are using “digitize at the feed” techniques, amateur experiments (and successes) in this are very close to non-existent.

Digitizing at the feed carries many advantages, including overall system gain stability, and the ability to carry signals over cheap ethernet-over-fiber links.

We’ll show an example feed arrangement that uses a differential radiometry approach, and does much of the initial processing right at the feed, including radiometry and spectral calculations, sending summary data to an ordinary PC host over ethernet.

Challenges and pitfalls will be discussed.

Tobias Zillner from Cognosec: “ZigBee Smart Homes – A Hacker’s Open House”

ZigBee is one of the most widespread communication standards used in the Internet of Things and especially in the area of smart homes. If you have for example a smart light bulb at home, the chance is very high that you are actually using ZigBee by yourself. Popular lighting applications such as Philips Hue or Osram Lightify and also popular smart home systems such as SmartThings or Google’s OnHub are based on ZigBee. New IoT devices often have very limited processing and energy resources. Therefore they are not capable of implementing well-known communication standards like Wi-Fi. ZigBee is an open, publicly available alternative that enables wireless communication for such limited devices.

ZigBee also provides security services for key establishment, key transport, frame protection and device management that are based on established cryptographic algorithms. So a ZigBee home automation network with applied security is secure and the smart home communication is protected?

No, definitely not. Due to “requirements” on interoperability and compatibility as well as the application of ancient security concepts it is possible to compromise ZigBee networks and take over control of all included devices. For example it is easily possible for an external to get control over every smart light bulb that supports the ZigBee Light Link profile. Also the initial key transport is done in an unsecured way. It is even required by the standard to support this weak key transport. On top of that another vulnerability allows third parties to request secret key material without any authentication and therefore take over the whole network as well as all connected ZigBee devices. Together with shortfalls and limitations in the security caused by the manufacturers themselves the risk to this last tier communication standard can be considered as highly critical.

This talk will provide an overview about the actual applied security measures in ZigBee, highlight the included weaknesses and also show practical exploitations of actual product vulnerabilities. Therefore new features in the ZigBee security testing tool SecBee will be demonstrated and made publicly available.

JAERO: A new RTL-SDR compatible decoder for Inmarsat AERO signals

Back in August of this year we showed how it was possible to use an RTL-SDR dongle, satellite antenna, LNA and decoding software to receive and decode STD-C EGC signals from Inmarsat satellites. We also showed how it was possible to modify a low cost GPS antenna to use as a satellite antenna.

Now a radio hobbyist called Jonti has released a Windows decoder for the Inmarsat AERO set of signals. AERO is a system that provides a satellite based version of VHF ACARS (Aircraft Communications Addressing and Reporting System). ACARS is typically used by ground control and pilots to send short messages and is also sometimes used for telemetry.

Jonti writes:

JAERO is a program that demodulates and decodes Classic Aero ACARS (Aircraft Communications Addressing and Reporting System) messages sent from satellites to Aeroplanes (SatCom ACARS) commonly used when Aeroplanes are beyond VHF range. Demodulation is performed using the soundcard. Such signals are typically around 1.5 GHz and can be received with a simple low gain antenna that can be home brewed in a few hours in conjunction with a cheap RTL-SDR dongle.

In the advent of MH370, Classic Aero has become a well-known name. A quick search on the net using “Classic Aero MH370” will produce thousands of results. The Classic Aero signals sent from satellites to the Aeroplanes are what JAERO demodulates and decodes.

Unlike the usual VHF ACARS, with SatCom ACARS you cannot receive signals from the Aeroplane, only the people on the ground talking to the people in the Aeroplane. This means you do not get the airplanes reporting their position. Instead you tend to get weather reports, flight plans, and that sort of stuff. Just like VHF ACARS they usually use cryptic shorthand notation. For example “METAR YSSY 040400Z 08012KT 9999 FEW040 SCT048 23/09 Q1024 FM0500 05012KT CAVOK=” is the weather report for Sydney Airport in Australia in a format called METAR. It tells you the time when the report was issued, the wind direction and speed, visibility, clouds, temperature, dew point and air pressure. Then it says from 5 AM UTC the wind direction and speed and that the weather will be nice. There are sites such as Flight Utilities that can decode such information and display it in a more understandable format.

In his post Jonti also shows how he uses a modified GPS antenna to receive the AERO signals.
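The METAR shorthand Jonti walks through, decoded into named fields as an added example that is neither JAERO code nor from Jonti's post. It handles every group in that exact report and, going a little beyond the quoted string, the common variants a practitioner meets (a leading M for minus temperatures, VRB wind, gusts, an A-prefixed altimeter in inHg), and keeps any group it does not recognise rather than silently dropping it.

```python
"""Decode a METAR report like the one quoted above into named fields.

Added example, not part of JAERO. Covers the groups in that report (time, wind,
visibility, cloud layers, temperature/dew point, QNH, an FM change group, CAVOK)
plus common variants: a leading M for minus, VRB wind, gusts, A-prefixed inHg.
"""
import re

EXAMPLE = ("METAR YSSY 040400Z 08012KT 9999 FEW040 SCT048 23/09 Q1024 "
           "FM0500 05012KT CAVOK=")

WIND = re.compile(r"^(?P<dir>\d{3}|VRB)(?P<spd>\d{2,3})(?:G(?P<gust>\d{2,3}))?(?P<unit>KT|MPS)$")
TIME = re.compile(r"^(?P<day>\d{2})(?P<hh>\d{2})(?P<mm>\d{2})Z$")
CLOUD = re.compile(r"^(?P<amt>FEW|SCT|BKN|OVC)(?P<hft>\d{3})(?:CB|TCU)?$")
TEMP = re.compile(r"^(?P<t>M?\d{2})/(?P<d>M?\d{2})$")
QNH = re.compile(r"^(?P<unit>[QA])(?P<val>\d{4})$")
FROM = re.compile(r"^FM(?P<hh>\d{2})(?P<mm>\d{2})$")


def _signed(s):
    """'M09' -> -9, '23' -> 23 (METAR writes a minus sign as a leading M)."""
    return -int(s[1:]) if s.startswith("M") else int(s)


def decode_group(tok, out):
    """Fill `out` from one METAR token; return False if the token is unknown."""
    if tok == "CAVOK":                      # ceiling and visibility OK
        out["visibility_m"], out["cavok"] = 10000, True
    elif tok.isdigit() and len(tok) == 4:   # visibility in metres; 9999 = 10 km or more
        out["visibility_m"] = 10000 if tok == "9999" else int(tok)
    elif m := WIND.match(tok):
        out["wind"] = {"dir": m["dir"] if m["dir"] == "VRB" else int(m["dir"]),
                       "speed": int(m["spd"]), "unit": m["unit"],
                       "gust": int(m["gust"]) if m["gust"] else None}
    elif m := TIME.match(tok):
        out["issued"] = f"day {int(m['day'])} {m['hh']}:{m['mm']}Z"
    elif m := CLOUD.match(tok):             # height is given in hundreds of feet
        out.setdefault("clouds", []).append((m["amt"], int(m["hft"]) * 100))
    elif m := TEMP.match(tok):
        out["temp_c"], out["dewpoint_c"] = _signed(m["t"]), _signed(m["d"])
    elif m := QNH.match(tok):               # Q = hectopascals, A = inches Hg * 100
        out["qnh"] = (int(m["val"]), "hPa") if m["unit"] == "Q" else (int(m["val"]) / 100, "inHg")
    else:
        return False
    return True


def decode_metar(text):
    """Split a raw METAR into the main report and any FMhhmm change groups."""
    toks = text.strip().rstrip("=").split()
    if len(toks) < 2 or toks[0] != "METAR":
        raise ValueError("not a METAR report")
    report = {"station": toks[1], "changes": [], "unparsed": []}
    target = report
    for tok in toks[2:]:
        if m := FROM.match(tok):            # conditions from this time onwards
            target = {"from": f"{m['hh']}:{m['mm']}Z"}
            report["changes"].append(target)
        elif not decode_group(tok, target):
            report["unparsed"].append(tok)  # keep unknown groups visible, don't drop them
    return report


if __name__ == "__main__":
    print(decode_metar(EXAMPLE))
```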

Jonti’s modified GPS antenna for receiving Inmarsat AERO

We gave JAERO a test and found that it decoded AERO signals easily, even with low signal strength. To use JAERO, tune to an Inmarsat AERO signal in SDR# or a similar program using USB mode. JAERO will listen to the audio from the sound card or from a virtual audio pipe. We recommend turning on the AFC (Automatic Frequency Control) setting if you find that your RTL-SDR drifts too much.

AERO signals can be found at around 1545 MHz. They only use about 800 Hz of bandwidth. See the UHF satcoms page for a list of AERO frequencies.

The JAERO decoder.
Some AERO signals.

Remember that some R820T/2 RTL-SDR dongles can have problems when receiving this high, especially when they heat up. If you find that your dongle gets deaf at these L-band frequencies try cooling the R820T/2 chip with a heatsink or fan. The Airspy or SDRplay RSP software defined radios are better choices for decoding signals this high, but the RTL-SDR will work fine if your signal strength is decent and the R820T/2 chip is kept cool.

If you are interested in VHF ACARS as well, then we have a tutorial about decoding that here.

Software defined radio talks from Defcon 23

Defcon is a yearly conference that focuses on computer security and hacking talks. In recent years they have included a “Wireless Village” section that includes talks about all things wireless. This year there were several interesting talks related to Software Defined Radio in some way. Recently some of these talks have been uploaded to YouTube and below we present the ones we have found – let us know if we missed any interesting ones.

Balint Seeber – SIGINT & Blind Signal Analysis w/ GNU Radio & SDR

The workshop will cover many common techniques used to reverse engineer the physical layer of a wireless communications system:

– Blind signal analysis on signals re-broadcast from a satellite transponder: modulation type, order, symbol rate, error correction, scrambling, differential coding, visualization

– Applying auto-correlation to interesting signals on the HF band: RADAR, OFDM, symbol timing

– Frequency hopping: wide-band, real-time spectrum visualization

All with GNU Radio!

DEF CON 23 - Wireless Village - Balint Seeber - SIGINT & Blind Signal Analysis w/ GNU Radio & SDR

Tim Oshea – GNU Radio Tools for Radio Wrangling/Spectrum Domination

An overview of modern tools available in GNU Radio and the greater GNU Radio ecosystem for building, testing, inspecting and playing with radio system physical layers in gory detail.

DEF CON 23 - Wireless Village - Tim Oshea - GNU Radio Tools for Radio Wrangling/Spectrum Domination

Michael Calabro – Software Defined Radio Performance Trades & Tweaks

This workshop is targeted at new and experienced software defined radio (SDR) operators, developers, and enthusiasts seeking a better end-to-end system understanding, and anyone looking to maximize their SDR’s performance. Commercially available SDRs (e.g. USRPs, RTL-SDRs, BladeRFs, etc) are commonly used to fuzz wireless interfaces, deploy private cellular infrastructure, conduct spectrum surveys, and otherwise interact with a wide variety of custom and commercial devices. This workshop focuses on the key parameters and performance drivers in SDR setup and operation that elevate these common platforms to the level of fidelity required to interact seamlessly with commercial devices and networks.

The workshop will begin by surveying different SDR hardware architectures and summarizing the performance tradespaces of several SDR applications (e.g. collection/survey/transmit). Then the workshop will break down into three main content focuses:

Understanding SDR Hardware: Breakdown common RF frontend and receiver architectures. Identify and derive key performance parameters, and when they will bound performance. Topics covered will include: Noise figure calculation, internal amplification, Frequency selectivity, external RF chains, and noise sources.

Understanding SDR Platform Objectives: Collection, transmission, surveying, and other applications, each present unique challenges to SDRs and will be limited by different dimensions of SDR processing and/or setup configuration. Topics covered include: real-time processing, host buffering, sampling, guard-intervals, framework selection (GRC vs REDHAWK vs MATLAB vs custom), and frequency and time domain signal representation.

Optimizing and Improving Performance: Now that the hardware and platform trade space have been characterized, how do attendees meet and exceed the performance requirements of their application? We will present specific examples for several common platforms (RTL-SDR and USRP). Topics covered will include clock selection, ADC dynamic range, FPGA/SoC offloading, RFIC configuration, CIC filters, sampling, DC biases, antenna selection & pointing, host buffering / processing, and cost-performance trades.

DEF CON 23 - Wireless Village - Michael Calabro - Software Defined Radio Performance Trades & Tweaks

Karl Koscher – DSP for SDR

The barrier to entry in software-defined radio is now almost non-existent. Wide band, receive-only hardware can be obtained for as little as $10, and tools like gqrx and SDR# make it extremely easy to get started listening to signals. However, there is a steep learning curve graduating from an SDR script kiddie to developing your own SDR tools. In this talk, I’ll cover the basic theory behind software-defined radios, digital signal processing, and digital communication, including I/Q samples, FIR filters, timing and carrier recovery, and more.

DEF CON 23 - Wireless Village - Karl Koscher - DSP for SDR

In addition to these Wireless Village talks there was also an interesting talk by Samy Kamkar in which he explains how he uses SDR in his vehicle security research.

Samy Kamkar – Drive it like you Hacked it: New Attacks and Tools to Wireles

Gary Numan said it best. Cars. They’re everywhere. You can hardly drive down a busy freeway without seeing one. But what about their security?

In this talk I’ll reveal new research and real attacks in the area of wirelessly controlled gates, garages, and cars. Many cars are now controlled from mobile devices over GSM, while even more can be unlocked and ignitions started from wireless keyfobs over RF. All of these are subject to attack with low-cost tools (such as RTL-SDR, GNU Radio, HackRF, Arduino, and even a Mattel toy).

We will investigate how these features work, and of course, how they can be exploited. I will be releasing new tools and vulnerabilities in this area, such as key-space reduction attacks on fixed-codes, advanced “code grabbers” using RF attacks on encrypted and rolling codes, and how to protect yourself against such issues.

By the end of this talk you’ll understand not only how vehicles and the wirelessly-controlled physical access protecting them can be exploited, but also learn about various tools for car and RF research, as well as how to use and build your own inexpensive devices for such investigation.

Ladies and gentlemen, start your engines. And other people’s engines.

Samy Kamkar is a security researcher, best known for creating The MySpace Worm, one of the fastest spreading viruses of all time. He (attempts to) illustrate terrifying vulnerabilities with playfulness, and his exploits have been branded:

“Controversial”, -The Wall Street Journal
“Horrific”, -The New York Times
“Now I want to fill my USB ports up with cement”, -Gizmodo

He’s demonstrated usurping typical hardware for surreptitious means such as with KeySweeper, turning a standard USB wall charger into a covert, wireless keyboard sniffer, and SkyJack, a custom drone which takes over any other nearby drones allowing them to be controlled as a massive zombie swarm. He’s exposed issues around privacy, such as by developing the Evercookie which appeared in a top-secret NSA document revealed by Edward Snowden, exemplifying techniques used by governments and corporations for clandestine web tracking, and has discovered and released research around the illicit GPS and location tracking performed by Apple, Google and Microsoft mobile devices. He continues to produce new research and tools for the public as open source and open hardware.

DEF CON 23 - Samy Kamkar - Drive it like you Hacked it: New Attacks and Tools to Wireles

An online Software Defined Radio training course

We’ve recently found what looks to be a new online video-based course that uses the RTL-SDR to teach basic software defined radio topics. The course is not free, it is priced at $29.99, but the first three videos are free. Judging from the first three videos the content appears to be quite basic, but it is presented in a very clear way that may be useful for beginners. Currently the lessons include:

  1. Course Overview 

    Welcome to the exciting world of Software Defined Radio. In this video, we’ll discuss what SDR is, and why it’s such a hot button topic right now.

  2. Setting up the environment

    In this module, we’ll setup our environment for development. If you’re already very comfortable with Ubuntu, you might want to just follow the guide below.

  3. Browsing the spectrum

    In this module, we’ll cut our teeth on Gqrx, and learn a little about the radio spectrum.

  4. Signals Intelligence

    In this module, we’ll learn how to find transmissions in the frequency domain, and capture them to disk for offline analysis.

  5. Modulations

    In this module, we’ll learn how to identify two types of basic digital transmissions, and talk a little about the history of radio.

  6. Demodulation – Part 1

    In this module, we’ll practice capturing signals in the wild, identifying the modulation, and demodulating the signal with GNU Radio.

  7. Demodulation – Part 2

    In this module, we’ll learn about clock recovery. And we’ll pull out packets from the garage door remote.

It also appears that they plan to have some live classes in the future.

We note that there are also alternative SDR training courses available, such as Michael Ossmann’s lessons at greatscottgadgets.com/sdr.
