August 26, 2015

Painting on the RF Spectrum with a HackRF

Last week several people from the Chaos Communication Camp conference and others on the #hackrf IRC channel were playing around with the idea of painting pictures on the RF spectrum with the HackRF – a low cost transmit capable software defined radio. This idea works simply by modulating a signal so that it produces a desired image pattern on a frequency domain waterfall display.

To make this easier to do, GitHub user polygon has authored a Python program called Spectrum Painter which easily converts an image into an IQ file which can be transmitted with a HackRF. In addition as described in the Reddit thread linked above, a Windows program called Coagula can also be used to convert images into .wav files, which can then be transmitted on any capable radio. The RF painted images can then be received on another SDR radio like the RTL-SDR.

As always remember to only transmit at a frequency you are licensed on, or at low power in a RF controlled environment.

Below is an example image and video showing images being painted on the RF waterfall.

Spectrum painter transmitted output image

hackrf transmitting images in the frequency domain

Watch this video on YouTube

Tweet13

Vote

13 Shares

August 25, 2015

Reverse Engineering Bus Telemetry Data with an RTL-SDR

Bastian recently wrote into us at RTL-SDR.com to let us know that he’s been working on reverse engineering the bus telemetry system used in his hometown of Paderborn, Germany. Bus telemetry is often used to update live signs at bus stops that indicate based on GPS data how long a bus user needs to wait for the next bus.

Bus sign: Wireless bus telemetry updates this sign.

A similar reverse engineering of bus telemetry was performed before by Oona Raissan in Helsinki, Finland. Oona found that in Helsinki bus telemetry was transmitted as a DARC subcarrier embedded in regular broadcast FM radio. In many countries bus telemetry runs through GSM or TETRA communications as well, which are encrypted and would be very difficult to decode.

However in Paderborn, Germany Bastian discovered that the bus telemetry system used a different protocol which he discovered by noticing that some very strong signals appeared on his spectrum at 150.9 MHz whenever a bus drove by his flat.

After making a recording of this signal in GQRX, bastian analysed it in Audacity and discovered that the binary data bits were encoded by the presence or absence of a half sine wave. After discovering the encoding he was then able to determine the bit rate and build a decoder in GNU Radio. His post goes into further detail about concepts he used in his GNU Radio program such as frame detection, bit stuffing and error detection.

Finally, with all his decoder program written he was able to gather lots of data from each packet such as the bus ID, line, bus stop, distance from last bus stop, delay, position and even the orientation of the bus. Bastian has also uploaded a video showing everything in action, which we have embedded below.

Bus position heatmap from data obtained via the RTL-SDR

Buses Everywhere

Watch this video on YouTube

Vote

August 25, 2015

A new AIS Decoder for the RTL-SDR on Android

A reader of our blog, EBC81, has written in to let us know about a new RTL-SDR based AIS decoder that he has written for the Android OS. AIS stands for Automatic Identification System and is used by ships to broadcast their GPS locations, to help avoid collisions and aid with rescues. An RTL-SDR with the right software can be used to receive and decode these signals, and plot ship positions on a map.

EBC81’s program is called rtl_ais_android and can be downloaded from this GitHub link. It decodes the AIS data into NMEA messages, which can then be sent via UDP to mapping programs in Android or a program like OpenCPN on your PC. To use the app you will need a USB OTG cable to connect your Android device to the RTL-SDR.

In the future EBC81 hopes to create a second app which will display the ship positions on a map.

Watch this video on YouTube

Vote

August 19, 2015

RTL-SDR Tutorial: Decoding Inmarsat STD-C EGC Messages

Inmarsat is a communications service provider with several geostationary satellites in orbit. They provide services such as satellite phone communications, broadband internet, and short text and data messaging services. Geostationary means that the satellites are in a fixed position in the sky and do not move. From almost any point on earth at least one Inmarsat satellite should be receivable.

Inmarsat transmits in the L-band at around 1.5 GHz. With an RTL-SDR dongle, a cheap $10 modified GPS antenna or 1-2 LNA's and a patch, dish or helix antenna you can listen to these Inmarsat signals, and in particular decode one channel known as STD-C NCS. This channel is mainly used by vessels at sea and contains Enhanced Group Call (EGC) messages which contain information such as search and rescue (SAR) and coast guard messages as well as news, weather and incident reports. More information about L band reception is available at UHF-Satcoms page. See the end of this post for a tutorial on modifying a GPS antenna for Inmarsat reception.

Some examples of the EGC messages you can receive on the STD-C NCS channel are shown below:

Military Operations: Live Firing Warning	STRATOS CSAT 4-AUG-2015 03:21:25 436322 SECURITE FM: RCC NEW ZEALAND 040300 UTC AUG 15 COASTAL NAVIGATION WARNING 151/15 AREA COLVILLE, PLENTY CUVIER ISLAND (REPUNGA ISLAND), BAY OF PLENTY 1. LIVE FIRING 060300 UTC TO 060500 UTC AUG 15 IN DANGER AREA NZM204. ANNUAL NEW ZEALAND NOTICES TO MARINERS NUMBER 5 REFERS. 2. CANCEL THIS MESSAGE 060600 UTC AUG 15 NNNN
Armed Robbery / Pirate Warning	NAVAREA XI WARNING NAVAREA XI 0571/15 SINGAPORE STRAIT. ARMED ROBBERY INFORMATION. 301845Z JUL. 01-04.5N 103-41.8E. FIVE ROBBERS ARMED WITH LONG KNIVES IN A SMALL UNLIT HIGH SPEED BOAT APPROACHED A BULK CARRIER UNDERWAY. ONE OF THE ROBBERS ATTEMPTED TO BOARD THE SHIP USING A HOOK ATTACHED TO A ROPE. ALERT CREW NOTICED THE ROBBER AND RAISED THE ALARM AND CREW RUSHED TO THE LOCATION. HEARING THE ALARM AND SEEING THE CREW ALERTNESS, THE ROBBERS ABORTED THE ATTEMPTED ATTACK AND MOVED AWAY. INCIDENT REPORTED TO VTIS SINGAPORE. ON ARRIVAL AT SINGAPORE WATERS, THE COAST GUARD BOARDED THE SHIP FOR INVESTIGATION. VESSELS REQUESTED TO BE CAUTION ADVISED.
Armed Robbery / Pirate Warning	NAVAREA XI WARNING NAVAREA XI 0553/15 SINGAPORE STRAIT. ROBBERY INFORMATION. 261810Z JUL. 01-03.6N 103-36.7E. DUTY ENGINEER ONBOARD AN UNDERWAY PRODUCT TANKER DISCOVERED THREE ROBBERS IN THE ENGINE ROOM NEAR THE INCINERATOR SPACE. THE ROBBER THEIR BOAT. A SEARCH WAS CARRIED OUT. NO ROBBERS FOUND ON BOARD AND NOTHING REPORTED STOLEN. VTIS SINGAPORE INFORMED. COAST GUARD BOARDED THE TANKER FOR INVESTIGATION UPON ARRIVAL AT SINGAPORE PILOT EASTERN BOARDING AREA.VESSELS REQUESTED TO BE CAUTION ADVISED. CANCEL 0552/15.
Submarine Cable Repair Warning	NAVAREA XI WARNING NAVAREA XI 0569/15 NORTH PACIFIC. SUBMARINE CABLE REPAIRING WORKS BY C/V ILE DE SEIN. 05 TO 20 AUG. IN VICINITY OF LINE BETWEEN A. 21-37.3N 156-11.5W AND 25-03.6N 148-43.2E. CANCEL THIS MSG 21 AUG.
Search and Rescue - Missing Vessel	ON PASSAGE FROM LAE (06-44S 147- 00E) TO FINSCHHAFEN (06-36S 147-51E), MOROBE PROVINCE. VESSEL DEPARTED LAE AT 310500Z JUL 15 FOR FINSCHAFFEN WITH ETA OF 310800Z JUL 15 BUT FAILED TO ARRIVE. ALL VESSELS REQUESTED TO KEEP A SHARP LOOKOUT AND BE PREPARED TO RENDER ASSISTANCE. REPORTS TO THIS STATION OR MRCC PORT MORESBY VIAEMAIL: ****@.., TELEPHONE + * **; RCC AUSTRALIA VIA TELEPHONE +******* INMARSAT THROUGH LES BURUM (POR ,IOR), SPECIAL ACCESS CODE (SAC) , HF DSC ***** NL BURUM LES 204 4-AUG-2015 03:23:14 773980 AMSA_ER 23150928 PAN PAN FM JRCC AUSTRALIA 030858Z AUG 15 INCIDENT 2015/5086 AUS4602 CORAL AND SOLOMON SEAS 23FT WHITE BANANA BOAT WITH BROWN STRIPES, AND A 40HP OUTBOARD AND 5 ADULT MALES IS OVERDUE ON PASSAGE FROM LAE (06-44S 147- 00E) TO FINSCHHAFEN (06-36S 147-51E), MOROBE PROVINCE. VESSEL DEPARTED LAE AT 310500Z JUL 15 FOR FINSCHAFFEN WITH ETA OF 310800Z JUL 15 BUT FAILED TO ARRIVE. ALL VESSELS REQUESTED TO KEEP A SHARP LOOKOUT AND BE PREPARED TO RENDER ASSISTANCE. REPORTS TO THIS STATION OR MRCC PORT MORESBY VIA EMAIL: ***@.., TELEPHONE + * **; RCC AUSTRALIA VIA TELEPHONE +******** INMARSAT THROUGH LES BURUM (POR ,IOR ), SPECIAL ACCESS CODE (SAC) , HF DSC *******, EMAIL: **@..* OR BY FAX +************. NNNN
Scientific Research Vessel Drilling - Request for wide clearance	NL BURUM LES 204 4-AUG-2015 02:29:41 709950 AMSA_ER 23153978 SECURITE FM JRCC AUSTRALIA 040224Z AUG 15 AUSCOAST WARNING 202/15 SPECIAL PURPOSE VESSEL JOIDES RESOLUTION CONDUCTING DRILLING OPERATIONS IN POSITION 28 39.80` S 113 34.60` E 2.5NM CLEARANCE REQUESTED. NNNN
Weather Warning	PAN PAN TROPICAL CYCLONE WARNING / ISSUED FOR THE NORTH OF EQUATOR OF METAREA XI(POR). WARNING 050900. WARNING VALID 060900. TYPHOON WARNING. TYPHOON 1513 SOUDELOR (1513) 930 HPA AT 19.9N 133.2E WEST OF PARECE VERA MOVING WEST 12 KNOTS. POSITION GOOD. MAX WINDS 95 KNOTS NEAR CENTER. RADIUS OF OVER 50 KNOT WINDS 80 MILES. RADIUS OF OVER 30 KNOT WINDS 240 MILES NORTH SEMICIRCLE AND 210 MILES ELSEWHERE. FORECAST POSITION FOR 052100UTC AT 20.1N 130.6E WITH 50 MILES RADIUS OF 70 PERCENT PROBABILITY CIRCLE. 935 HPA, MAX WINDS 90 KNOTS NEAR CENTER. FORECAST POSITION FOR 060900UTC AT 20.8N 128.1E WITH 75 MILES RADIUS OF 70 PERCENT PROBABILITY CIRCLE. 935 HPA, MAX WINDS 90 KNOTS NEAR CENTER. JAPAN METEOROLOGICAL AGENCY.=

Continue reading →

Tweet78

Reddit40

Vote

118 Shares

August 19, 2015

A Tutorial on Decoding NOAA and Meteor M2 Weather Satellite Images in Ubuntu

Recently an RTL-SDR.com reader by the name of Pete wrote in to let us know about a comprehensive tutorial that he has written about setting up NOAA and Meteor M2 weather satellite decoding in Ubuntu Linux with an RTL-SDR.

Pete’s tutorial starts from a fresh install of Ubuntu and uses GQRX, GNU Radio Companion, WxtoIMG and the MeteorM2 decoding tools. He shows how to set up the audio piping within Linux, how to run the MeteorM2 LRPT Offline decoder Windows tool in Wine, a Linux Windows emulator and how to use WxtoIMG together with GQRX.

The NOAA and Meteor M2 weather satellites transmit images that they have taken of the earth. With an RTL-SDR and appropriate antenna you can receive these images. On this blog we have Windows tutorials on receiving NOAA and Meteor M2 satellites.

The Windows LRPTOfflineDecoder tool running in Linux with Wine.

Vote

August 19, 2015

SDR Talks from the 2015 Chaos Communication Camp

The Chaos Communication Camp (CCC) conference was recently held in Germany this year. The conference is a five day event that focuses on topics such computer security, hacking, electronics and other similar related topics. The full list of talks can be found here, but on this page we list all the SDR related talks which we could find. If you know of any more SDR related talks from the CCC please let us know in the comments.

“The Rad1o: Listen to all the things”

This year participants of the CCC were all given a Rad1o badge, which is a HackRF variant. In this talk the creators of the Rad1o explain their experience with creating the Rad1o and give an overview of it’s hardware and software options.

“Satellite Open Ground Station Network: open source ground station, optimized for modularity, built from readily available and affordable tools and resources.”

(Audio broken until 2:50) The SatNOGS project aims to provide low cost satellite ground stations (where one critical component is currently an RTL-SDR dongle) along with free networking software in order to create a crowd sourced satellite coverage network. The SatNOGS project was also the grand prize winner of the 2014 Hackaday prize which saw them take away almost $200k US dollars of prize money. This talk introduces the SatNOGS project.

“Iridium Hacking: please don’t sue us”

Iridium is a satellite service that provides global communications. This talk discusses how the presenters were able to decode the Iridium pager network with a simple software defined radio like the RTL-SDR. At the end of the presentation they show a live demo of the Iridium signals being decoded.

Vote

August 18, 2015

A tutorial on using RDS Spy with the SDR# MPX Output Plugin

Over on YouTube user pe1etr has uploaded a tutorial video showing how to set up RDS Spy and SDR# for monitoring RDS. RDS stands for Radio Data System and is a sub carrier added to some FM broadcast signals which carries information such as the station name, the song/programme playing and other data. Although SDR# decodes RDS stations already, a more powerful RDS decoder and monitoring tool is RDS Spy. To get RDS Spy to work with SDR# you need to use a special plugin called MPX Output, which allows SDR# to output audio that includes the RDS subcarrier, which can then be piped via a virtual audio cable to RDS Spy.

Pe1etr’s video shows how to install the MPX Output plugin, how to set it up with virtual audio cable and how to use it with RDS Spy.

Tutorial: Using RDS Spy with the SDR# mpx output plug-in

Watch this video on YouTube

Tweet10

Vote

10 Shares

August 18, 2015

Creating a low cost Ozone Spectrometer out of RTL-SDR’s to measure mesospheric winds and tides

Over at the MIT Haystack Observatory in Westford Massachusetts, researchers O.B Alam and A.E.E Rogers have been working on creating a low cost ground based Ozone spectrometer out of RTL-SDR dongles (pdf warning). An Ozone spectrometer is used by scientists to measure the concentration, velocity and temperature of the ozone gasses in the mesosphere (50 – 85 km above the ground) and lower thermosphere (85 km+) at the Ozone line frequency of 11072.4545 MHz.

The spectrometer the researchers built consists of a satellite TV parabolic reflector dish with 46.72cm diameter, 9750 MHz LNBF, two Bias Tees, two 740 MHz high pass filters, two 8dB attenuators, a calibration pulse generator, an Intel NUC mini PC and three R820T RTL-SDR dongles.

RTL-SDR based Ozone Spectrometer block diagram from the MIT Haystack Observatory.

Photo of some of the components of the ozone spectrometer.

Vote