Reverse Engineering Bus Telemetry Data with an RTL-SDR
Bastian recently wrote into us at RTL-SDR.com to let us know that he’s been working on reverse engineering the bus telemetry system used in his hometown of Paderborn, Germany. Bus telemetry is often used to update live signs at bus stops that indicate based on GPS data how long a bus user needs to wait for the next bus.
A similar reverse engineering of bus telemetry was performed before by Oona Raissan in Helsinki, Finland. Oona found that in Helsinki bus telemetry was transmitted as a DARC subcarrier embedded in regular broadcast FM radio. In many countries bus telemetry runs through GSM or TETRA communications as well, which are encrypted and would be very difficult to decode.
However in Paderborn, Germany Bastian discovered that the bus telemetry system used a different protocol which he discovered by noticing that some very strong signals appeared on his spectrum at 150.9 MHz whenever a bus drove by his flat.
After making a recording of this signal in GQRX, bastian analysed it in Audacity and discovered that the binary data bits were encoded by the presence or absence of a half sine wave. After discovering the encoding he was then able to determine the bit rate and build a decoder in GNU Radio. His post goes into further detail about concepts he used in his GNU Radio program such as frame detection, bit stuffing and error detection.
Finally, with all his decoder program written he was able to gather lots of data from each packet such as the bus ID, line, bus stop, distance from last bus stop, delay, position and even the orientation of the bus. Bastian has also uploaded a video showing everything in action, which we have embedded below.