Thank you to Apostolos for sharing with us his educational video that introduces "scattering parameters" (aka S-Parameters), and how these parameters relate to antennas and RF networks. S-Parameters are a matrix of values that can be used to describe an electrical network. Apostolos' video explains these parameters in detail, giving good visual examples. Apostolos writes:
Thank you to Ryan K for submitting his latest blog post where he gives an in depth explanation of how he reverse engineered his La Crosse weather station using an RTL-SDR, PlutoSDR and the Universal Radio Hacker (URH) software.
The La Crosse weather station system consists of a LCD base station, and various wireless sensors. Ryan first discovered that the devices used the 915 MHz frequency band via details written on the device itself. His next step was to open up Universal Radio Hacker and use one of his SDRs to record a packet. URH then allowed him to convert that data into bits for packet analysis. The rest of his post goes into detail on how he set the symbol rate, discovered the preamble and reverse engineered the CRC code.
The next step he took was to generate a spoofed packet generated by URH and transmitted by the PlutoSDR. This allowed him to set the base station display to any temperature that he specified. But he ran into a problem where only the first packet he sent after power up was received. Eventually he discovered that the system sets a randomized interval for each of the transmitters at startup, and data outside of that interval is ignored.
Ryan's post explains his whole though process and progress in detail, so is an excellent study for anyone looking to get into reverse engineering wireless signals.
Reverse Engineering a La Crosse Weather Station with a PlutoSDR and RTL-SDR
For some time now there has been chatter about the possibility of using WSPR logs to help track the mysterious disappearance of flight MH370. WSPR or the "Weak Signal Propagation Reporter" is a protocol typically used on the HF bands by amateur radio operators. The properties of the protocol allow WSPR signals to be received almost globally despite using low transmit power. Amateur radio operators use it for making contacts, or for checking HF radio propagation conditions. MH370 is a flight that infamously vanished without a trace back in 2014.
The theory proposed by aerospace engineer Richard Godfrey is to use logs of sent and received WSPR transmissions that may have intersected the potential flight path of MH370, and to look for potential reflections or 'scatter' in the signal from the metal aircraft hull. From the reflections an approximate track of the aircraft could be calculated much in the same way that bistatic over the horizon radar systems work.
While it is an exciting theory, it is unfortunately considered by most experts as highly unlikely to yield any suitable results with the main problems being WSPR transmission power too weak to detect reflections from an aircraft, and the effect of the ionosphere too difficult to account for.
Over on his blog Nils Schiffhauer (DK8OK) has posted a thorough critique of the idea, explaining the theory, technical details and difficulties in depth, ultimately coming to the conclusion that the idea is based more in wishful thinking than in fact. Nils summarizes:
Time and again, there are news stories in the professional and popular press about the fact that log data from the WSPR data network can help locate aircraft. In particular, the effort is to determine the actual crash site of flight MH370. This effort essentially amounts to detecting "unusual" level jumps and frequency changes ("drift") in the archived WSPR log data and attributing them to reflections from specific aircraft ("aircraft scatter").
In a blog entry, Nils Schiffhauer, DK8OK, for the first time critically evaluates this theory. On the one hand, this is based on years of observation of aircraft scatter on shortwave as well as an investigation of about 30 Doppler tracks. The results of this complex analysis of more than 10,000 data in one example alone are sobering: The effects of aircraft scatter on the overall signal are almost always well below 0.3 dB.
To prove a correlation between level changes of the overall signal and aircraft scatter seems hardly possible on the basis of the WSPR data material. The reasons are manifold, but lie mainly in shortwave propagation, where level changes of 30 dB within a few seconds are the rule rather than the exception.
However, since the local and temporal state of the ionosphere is not known in previous investigations on the WSPR data material - it is recorded in parallel in professional OTH radar systems and calculated out of the received signal - level jumps can hardly be clearly assigned from the sum signal alone. This finding is supported by further arguments in the blog: https://t1p.de/t5kr
Nils demonstrates aircraft scatter on China Radio International, a 500kW transmitter.
SDRAngel is a general purpose software defined radio program that is compatible with most SDRs including the RTL-SDR. We've posted about it several times before on the blog, however we did not realize how much progress has occurred with developing various built in plugins and decoders for it.
Thanks to Jon for writing in and sharing with us a demonstration video that the SDRAngel team have released on their YouTube channel. From the video we can see that SDRAngel now comes stock with a whole host of built in decoders and apps for various radio applications making it close to an all-in-one SDR platform. The built in applications include:
ADS-B Decoder: Decodes aircraft ADS-B data and plots aircraft positions on a map
NOAA APT Decoder: Decodes NOAA weather satellite images (in black and white only)
DVB-S: Decodes and plays Digital TV DVB-S and DVB-S2 video
AIS: Decodes marine AIS data and plots vessel positions on a map
VOR: Decodes VOR aircraft navigational beacons, and plots bearing lines on a map, allowing you to determine your receivers position.
DAB+: Decodes and plays DAB digital audio signals
Radio Astronomy Hydrogen Line: With an appropriate radio telescope connected to the SDR, integrates and displays the Hydrogen Line FFT with various settings, and a map of the galaxy showing where your dish is pointing. Can also control a dish rotator.
Radio Astronomy Solar Observations: Similar to the Hydrogen line app, allows you to make solar measurements.
Broadcast FM: Decoding and playback. Includes RDS decoding.
Noise Figure Measurements: Together with a noise source you can measure the noise figure of a SDR.
Graves Radar Tracker: For Europeans, track a satellite and watch for reflections in the spectrum from the French Graves space radar.
Radio Clocks: Receive and decode accurate time from radio clocks such as MSF, DCF77, TDF and WWVB.
APRS: Decode APRS data, and plot APRS locations and moving APRS enabled vehicles on a map with speed plot.
Pagers: Decode POCSAG pagers
APRS/AX.25 Satellite: Decode APRS messages from the ISS and NO-84 satellites, via the built in decoder and satellite tracker.
Channel Analyzer: Analyze signals in the frequency and time domains
QSO Digital and Analog Voice: Decode digital and analog voice. Digital voice handled by the built in DSD demodulator, and includes DMR, dPMR and D-Star.
Beacons: Monitor propagation via amateur radio beacons, and plot them on a map.
We note that the video doesn't show the following additional features such as an analog TV decoder, the SDRAngel "ChirpChat" text mode, a FreeDV decoder and several other features.
A few weeks ago we posted about Reddit member u/OlegKutkov who used his HackRF supercluster to receive Starlink beacons, but details on the HackRF supercluster project itself were a little sparse. Now Oleg has posted a full description about the HackRF supercluster, noting that the 8 HackRF's in the system can provide up to 160 MHz of live monitoring bandwidth.
Oleg shows how each of the boards are connected to the same GPS disciplined 10 MHz clock source, how it uses an RF splitter with LNA and how it requires 8 separate host controllers connected to individual PCIe lines in his computer system to overcome the USB2.0 data bandwidth limits. He also shows the GNU Radio script he's created that combines the 8 sources into one.
Oleg writes how he's using the HackRF supercluster together with a TV Ku-Band LNB and satellite dish for wideband satellite monitoring.
Black Cat Systems have recently released two new programs that may be of interest to HF monitoring enthusiasts. The first is a multichannel capable ALE decoder and the second is a multichannel GMDSS-DSC decoder. Both programs are not free, with an (introductory) price tag of $29.99 each for three parallel input channels, and $99 for up to 24 parallel input channels.
With an appropriate HF capable SDR, like a SDRplay, Airspy HF+ Discovery, or even an RTL-SDR V3 in direct sampling mode, these programs allow you to set up a home monitoring station.
ALE or Automatic Link Establishment is a digital RF protocol that enables users to initiate a reliable call over HF frequencies, by automatically choosing the best frequency based on propagation conditions, allowing for telephone like calling operation, and enabling short text messages.
GMDSS or Global Maritime Distress and Safety System is a set of radio protocols that enables digital text communications between ship to ship and the shore, as well as weather broadcasts, and distress beacons.
Over on his blog Nils Schiffhauer (DK8OK) has been testing these two programs out. In his first post about the ALE decoder, Nils explains ALE in more depth, and demonstrates how he uses the multi-channel capable SDR-Console with Virtual Audio Cable to feed 16 ALE channels into the decoder. He goes on to show how to filter by callsign and provides some tips for best reception. He notes that with ALE you might receive messages from:
... forces, diplomatic services, emergency agencies, police, militia, UN missions, drug enforcement, border control and even amateur radio. It is used from aircraft like AWACS, as from aircraft carriers, from mobile units to fixed stations.
In his second post Nils tests out the GMDSS decoder noting that it is an "extraordinary sensitive decoder" and "it also includes smart processing of the data – from looking up vessel’s complete data from ITU’s Ship Station List (internet connection needed) to saving all data to a fully-fledged database". His post goes on to explain the GMDSS format in more detail and demonstrate multichannel decoding.
Black Cat Systems ALE and GMDSS Decoders demonstrated by Nils Schiffhauer (DK8OK)
Derek OK9SGC has recently posted a write-up of how they’ve been able to receive the Ku-band beacon signals from the Starlink constellation of communication satellites continually launched by SpaceX since 2015. While we recently covered Starlink Beacons being captured with a HackRF Supercluster Derek has noted that receiving the beacons requires little more than an LNB, a low-cost SDR such as the RTL-SDR V3 and a power injector to provide 12V DC to the LNB. Derek notes that a dish is not even required as the beacons transmit with high power.
Starlink Beacon Receiver Setup
Due to the low earth orbit and thus high speed of travel of the Starlink constellation you’ll notice strong Doppler effect drifts in your received signal. Derek notes that it may be interesting to perform Doppler analysis on the satellites with the satellite tracking toolkit for radio observations (strf) software. He also noted that in the 30 minutes he was receiving for, there was almost no point in time where a beacon was not being received, indicating that the Starlink constellation is close to achieving 100% sky coverage.
Derek has made the process easy to understand and illustrates just how easy it is to listen to these beacon signals. Of course we note that these are just the beacons, and they carry no data. Still they are fun signal to receive, and doppler analysis could reveal interesting information about orbits.
Starlink beacons shown in a fast FFT (LEFT), and slow FFT (RIGHT)
Low cost ESP32 based LoRa capable boards have been available from marketplaces like Aliexpress for some time now. They typically include features such as LoRa, WiFi or Bluetooth and GPS all on a PCB board with small screen and battery holder for mobile use. LoRa is a modern IoT communications protocol that is designed to be operated with low power, and in a networked mesh-way for extended range. One application of this hardware is to use it as a mesh based text messaging system, using the Meshtastic firmware. This might be useful for teams of hikers, pilots, or skiiers who operate in remote areas without cell phone reception.
In his latest video Matthew from the Tech Minds YouTube channel shows how to install and use the Meshtastic firmware on a TTGO board. He uses the alpha firmware which has a web app, allowing users to send text messages through a web based GUI that users can connect to locally via WiFi.
OFF-GRID LORA Radio Mesh Text Messaging - Meshtastic
