Using the RTL-SDR as a Transmitter

Back in July of last year we posted about a video from oh2ftg where he showed how he was able to get his RTL-SDR to act as a crude transmitter by using the RTL-SDR’s leaky oscillator.

Now another RTL-SDR experimenter, Oscar Steila (IK1XPV) has had a similar idea to use the RTL-SDR as a transmitter, and has taken the idea further than OH2FTG did. 

Oscar decided to take a standard RTL-SDR dongle and modify it so that it outputs a signal from the mixer output of the R820T tuner chip. To do this he removes some unneeded components from the PCB, and wires pin 5 of the R820T to the MCX antenna port through a 100pF capacitor. Pin 5 is connected to the mixer output from inside the R820T chip.

TX mod for the RTL-SDR.

After performing the hack the RTL-SDR is able to output a signal anywhere between 500 MHz and 1500 MHz (since revised to 1.8 GHz to 3 GHz; see the update below). To control the output frequency you simply tune to the frequency you want to transmit at in SDR# (after setting an offset to account for the R820T’s IF offset). This tunes the mixer in the R820T and causes the output frequency to change.

In the future Oscar hopes to take this idea further by creating a specific tuning application for the generator and finding a way to possibly FM modulate the output.

Using SDR# to tune the TX RTL-SDR to 1 GHz, and using another instance of SDR# and another RTL-SDR to receive the transmitted 1 GHz signal.

Update: Oscar has revised the frequency range from 500 – 1500 MHz to 1.8 GHz – 3 GHz. More information about his new tests can be found at http://www.steila.com/SDR/RFgenmod/index.html.

Building a 520 kHz High Pass Filter for the RTL-SDR

Over on YouTube, user kugellagers has uploaded a video showing how he designs and builds a 520 kHz high pass filter for his RTL-SDR dongle + upconverter. In the video he explains how to design the filter with the free Elsie software, which is an electrical filter design and analysis program. He then shows how he builds and selects the filter inductors and capacitors and how he assembles the components on a PCB. Finally he demonstrates how his 520 kHz high pass filter is useful for filtering out atmospheric noise from lightning strikes.

Previously we posted about kugellagers’ other video in which he demonstrates his FM bandstop filter and 1.8 MHz high pass filter.

520 kHz High Pass Filter Construction

Retesting Nobu’s 14 MHz Low Pass Filter on a Direct Sampling Modified RTL-SDR

Back in May we did a review of Japanese RTL-SDR experimenter Nobu’s products, which were his HF Upconverter, Galvanic Isolator and 14 MHz Low Pass Filter. The low pass filter was designed to be used with a direct sampling modified RTL-SDR receiver, but unfortunately we didn’t have one of those on hand at the time.

Nobu was kind enough to send us one of his direct sampling modified RTL-SDR dongles that he also has on sale on his Japanese Amazon page. This is a nice little unit that has an upgraded 10 ppm oscillator, and an additional MCX port connected to the direct sampling pins of the RTL2832U chip through an impedance transformer. With this unit we were able to give the low pass filter a better test.

The image below shows the AM broadcast band with the filter in place, compared against the same band with the low pass filter removed. We can see that there is some insertion loss from the filter, however with the LPF not connected there is severe interference from the broadcast FM band and some AM signals are completely unusable.

We repeated the same test at 9 MHz, again comparing the band with and without the low pass filter. Once more we see that without the LPF there is severe interference from the broadcast FM band, as well as in this case what looks to be a DAB signal.

Similar interference is found all through the 0 – 14 MHz frequencies without the low pass filter in place and most weak signals cannot be listened to without the filter connected. It is clear that without a low pass filter the direct sampling modification is almost useless in the presence of strong interfering signals, such as those from the FM broadcast band. 

Nobu’s products are made in Japan, and at the moment can only be bought from the Japanese Amazon store [Direct Sampling Dongle – ~$48 USD] [HF Upconverter – ~$56 USD] [Upconverter Case – ~$25 USD] [Galvanic Isolator – $23 USD] [Low Pass Filter – ~$23 USD].

To purchase from outside of Japan you can use a third party shopping service available at http://agent.jzool.com/, which will buy and ship the product to you from Japan.

RTL-SDR as a Hardware Random Number Generator with rtl_entropy

Over on his blog, Aaron Toponce has posted a tutorial that shows how to use the RTL-SDR app rtl_entropy. This app uses the RTL-SDR to create random numbers from the atmospheric noise that it receives from the antenna. Aaron writes:

The theory behind the RNG is by taking advantage of atmospheric noise, which is caused by natural occurrences, such as weak galactic radiation from the center of our Milky Way Galaxy to the stronger local and remote lightning strikes. It’s estimated that roughly 40 lightning strikes are hitting the Earth every second, which equates to about 3.5 million strikes per 24 hour period. Interestingly enough, this provides a great deal of entropy for a random number generator.

In the post Aaron also shows how to put the rtl_entropy generated data through some standardized randomness tests, how to visualize the random output and also shows how to use rtl_entropy to generate 80-bit entropy passwords.
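As an added illustration of the two steps Aaron describes (sanity-testing the generator's output and turning it into an 80-bit password), here is a small Python script that is not part of Aaron's post or of rtl_entropy. It assumes the rtl_entropy output has been saved to a file (the path below is hypothetical) and, when no file is given, uses `secrets.token_bytes` as a constructed stand-in for the dongle's output:

```python
import math
import secrets
import sys

# 62-symbol alphabet: each character carries log2(62) ~= 5.95 bits of entropy.
ALPHABET = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"

def monobit_p_value(data: bytes) -> float:
    """NIST SP 800-22 frequency (monobit) test.

    Returns the p-value that the 1/0 balance of the stream is consistent with a
    uniform source; a value below 0.01 means the stream fails (e.g. a stuck or
    heavily biased ADC). It does not prove randomness, only catches gross bias."""
    n = len(data) * 8
    ones = sum(bin(b).count("1") for b in data)
    s_obs = abs(2 * ones - n) / math.sqrt(n)
    return math.erfc(s_obs / math.sqrt(2))

def chars_needed(bits: float, alphabet_size: int) -> int:
    """Smallest password length that reaches `bits` of entropy."""
    return math.ceil(bits / math.log2(alphabet_size))

def password_from_entropy(raw: bytes, bits: float = 80, alphabet: str = ALPHABET) -> str:
    """Map raw entropy bytes onto the alphabet with rejection sampling, so every
    symbol is equiprobable (plain `byte % 62` would bias the first 8 symbols)."""
    length = chars_needed(bits, len(alphabet))
    limit = 256 - (256 % len(alphabet))  # largest multiple of 62 that fits in a byte
    out = []
    for b in raw:
        if b < limit:
            out.append(alphabet[b % len(alphabet)])
            if len(out) == length:
                return "".join(out)
    raise ValueError("not enough usable entropy bytes")

if __name__ == "__main__":
    # Hypothetical usage: python this.py /tmp/rtl_entropy.bin (file written by rtl_entropy)
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:
            sample = f.read(4096)
    else:
        sample = secrets.token_bytes(4096)  # constructed stand-in for dongle output
    p = monobit_p_value(sample)
    print("monobit p-value: %.4f (%s)" % (p, "ok" if p >= 0.01 else "FAIL"))
    if p >= 0.01:
        print("80-bit password:", password_from_entropy(sample))
```

The monobit check is only the first of the standardized tests Aaron runs; a stream that passes it can still fail the others, so treat it as a quick stuck-source check rather than a certification.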

Visualizing the random noise output of rtl_entropy.

New SDR# Plugin: File Player

A new plugin for SDR# has been released by Vasilli over on rtl-sdr.ru. The new plugin is called File Player and replaces the default SDR# IQ file source player (page is in Russian, use Google translate if necessary). The new features include:

  • The ability to play 32-bit WAV files up to 4GB.
  • The ability to play very large 64-bit WAV files.
  • Adds a new display that shows a compressed image of the entire waterfall and shows where in time the playback is up to.
  • Allows you to modify the waterfall play time position with the mouse.
  • Adds a stop and pause button.

Note that to install this plugin you do not add the magicline to the plugins.xml file. Instead you need to add it to the <frontendPlugins> section of the SDRSharp.exe.Config text file.

File Player plugin for SDR#.

Stealing Encryption Keys from PCs using Software Defined Radio and Unintentional Electromagnetic Emissions

Tel Aviv University researchers D. Genkin, L. Pachmanov, I. Pipman and E. Tromer have released a paper this year detailing their research on extracting encryption keys from PCs via their unintentional radio emissions. They say that they have been able to demonstrate their work by extracting encryption keys from GnuPG on laptops within seconds by using their non-intrusive wireless methods. GnuPG is software which allows you to encrypt and sign your data.

They write about the performance of their results:

Using GnuPG as our study case, we can, on some machines:

  • distinguish between the spectral signatures of different RSA secret keys (signing or decryption), and
  • fully extract decryption keys, by measuring the laptop’s electromagnetic emanations during decryption of a chosen ciphertext.

In their experiments they used a Funcube Dongle Pro+ to measure the unintentional RF emissions coming out of a laptop computer at around 1.6-1.75 MHz, but they also mention that a low cost RTL-SDR with upconverter could also work.

Every time the CPU on a target PC performs a new operation the unintentional frequency signature that is emitted changes. From these emissions they are able to use the unique RF signature to determine what operations are being performed by the CPU, and from that they can work out the operations GnuPG is performing when decrypting data. They write:

Different CPU operations have different power requirements. As different computations are performed during the decryption process, different electrical loads are placed on the voltage regulator that provides the processor with power. The regulator reacts to these varying loads, inadvertently producing electromagnetic radiation that propagates away from the laptop and can be picked up by a nearby observer. This radiation contains information regarding the CPU operations used in the decryption, which we use in our attack.

Recovering CPU assembly code operations from its unintentional RF emissions.

In addition to the above they were also able to create portable attack hardware by connecting the Funcube Dongle Pro+ with a small Android based embedded computer called the Rikomagic MK802 IV. They also show that they were even able to perform the portable attack with a standard AM radio with the output audio being recorded with a smart phone.
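The root cause the researchers describe, that the sequence of CPU operations during decryption depends on the key, is easiest to see in a simulation. The Python below is an added illustration, not code from the paper or from GnuPG: a textbook square-and-multiply exponentiation records its operation sequence (standing in for the emission trace), and a Montgomery ladder shows the usual mitigation, a sequence that is identical for every key.

```python
def square_and_multiply(base: int, exp: int, mod: int, trace: list) -> int:
    """Left-to-right binary exponentiation. The multiply runs only for set
    key bits, so the operation sequence (and the load it puts on the voltage
    regulator) depends directly on the secret exponent."""
    result = 1
    for bit in bin(exp)[2:]:
        result = result * result % mod
        trace.append("S")
        if bit == "1":
            result = result * base % mod
            trace.append("M")
    return result

def montgomery_ladder(base: int, exp: int, mod: int, trace: list) -> int:
    """Same result, but every bit performs exactly one multiply and one
    squaring, so the operation sequence no longer reveals the key."""
    r0, r1 = 1, base % mod          # invariant: r1 == r0 * base (mod mod)
    for bit in bin(exp)[2:]:
        if bit == "1":
            r0 = r0 * r1 % mod
            r1 = r1 * r1 % mod
        else:
            r1 = r0 * r1 % mod
            r0 = r0 * r0 % mod
        trace.append("M")
        trace.append("S")
    return r0

def bits_from_trace(trace: list) -> str:
    """What an observer of the naive routine learns: an 'S' followed by an
    'M' is a 1 bit, a lone 'S' is a 0 bit."""
    bits, i = [], 0
    while i < len(trace):
        if i + 1 < len(trace) and trace[i + 1] == "M":
            bits.append("1")
            i += 2
        else:
            bits.append("0")
            i += 1
    return "".join(bits)

if __name__ == "__main__":
    secret = 0b1101                  # constructed toy exponent
    t_naive, t_ladder = [], []
    square_and_multiply(4, secret, 497, t_naive)
    montgomery_ladder(4, secret, 497, t_ladder)
    print("naive trace ", "".join(t_naive), "-> recovered bits", bits_from_trace(t_naive))
    print("ladder trace", "".join(t_ladder), "-> key-independent length", len(t_ladder))
```

A uniform operation sequence is necessary but not sufficient: the ladder above still branches on the key bit, and production constant-time code replaces that branch with a conditional swap so that memory access patterns are key-independent too.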

A portable version of their attack set up with the Funcube Dongle Pro+ and microcontroller.

The researchers write that they will present their work at the CHES 2015 conference in September 2015.

Previously we also posted about Melissa Elliott’s talk on unintentional RF emissions, Milos Prvulovic’s work on spying on keyboard presses from unintentional RF emissions and also a security flaw discovered with some HP laptops which caused them to unintentionally convert audio picked up from the microphone into RF signals.

Transmitting DATV DVB-S Video with the HackRF Blue

Simon (G0FCU) has been using his HackRF Blue to transmit DVB-S video captured from his video camcorder. In the ham radio hobby there is something called digital amateur television (DATV) in which amateurs transmit digital video over radio to repeaters. Simon writes that in the UK DATV is usually transmitted at above 1.2 GHz and in the DVB-S format, which is the same format used by some satellite TV services.

Although there are dedicated DATV radios, Simon decided that he wanted to use the HackRF Blue as the radio for transmitting his own DATV signals. To do this he uses the software dvgrab to grab the video stream from the camera, then passes it to ffmpeg to compress the raw video into MPEG-2 and then uses a GNU Radio program called gr-dvbs to use the HackRF to transmit the DVB-S stream at 1000 MHz.

To test that his signal was transmitting correctly, Simon then used a standard DVB-S satellite TV receiver with the LNB bypassed.

Previously we also posted about using a BladeRF for transmitting DATV DVB-T signals.

What the DATV DVB-S output signal looks like on another HackRF.

Modifying an RTL-SDR by adding a Diplexer to receive HF and VHF/UHF

The lowest frequency that a standard RTL-SDR dongle can receive is about 24 MHz. However, by applying a hardware hack called the direct sampling mod, it is possible to use the RTL-SDR to listen to the HF frequencies.

Usually the direct sampling mod requires that you add a separate antenna port to the dongle, but Martin G8JNJ decided to take another route and instead use a diplexer to be able to use the same antenna port for both HF and VHF/UHF. A diplexer allows both HF and VHF/UHF signals to coexist on the same input port without causing interference to one another.

Along with the diplexer Martin added an impedance transformer, added additional coupling capacitors to the power rails and removed the IR LED components to make space for the transformer. Martin writes that the final modded RTL-SDR allows for tuning between 15 kHz and 1.8 GHz.

The finished diplexer RTL-SDR mod.