Tagged: GSM

Receiving, Decoding and Decrypting GSM with the RTL-SDR : YouTube Talk and Slides

A few days ago we posted about how Domi aka Domonkos Tomcsányi wrote on his blog about decoding and decrypting GSM signals from your own cell phones. Domi also did a talk at the CampZero conference which has now been uploaded to YouTube. His slides can be obtained from this link.

CampZer0 // Domonkos Tomcsányi: GSM - have we overslept the last wake-up call?

Receiving, Decoding and Decrypting GSM Signals with the RTL-SDR

A while back we did a small write up on receiving and analyzing cellular GSM signals with the RTL-SDR. Now blogger Domi has taken it further and has done an excellent big write up on his blog showing how to receive, decode, and also decrypt your own cell phone GSM signals with the RTL-SDR.

Domi’s big write up is split into four posts. It starts with an introduction to GSM, then focuses on setting up the environment and required software, then uncovering the TMSI (step to be released later), and then finally shows how to actually receive and decrypt your cell phone data such as voice and SMS messages.

GSM Decoding with Airprobe and Wireshark and RTL-SDR
GSM Decoding with Wireshark

How to Calibrate RTL-SDR using Kalibrate-RTL on Linux

YouTube user NeedSec has posted a good tutorial video showing how to use Kalibriate-RTL, a program used to determine the frequency offset error of your RTL-SDR dongle. Every RTL-SDR dongle will have a small frequency error as it is cheaply mass produced and not tested for accuracy.  This frequency error is linear across the spectrum, and can be adjusted in most SDR programs by entering a PPM (parts per million) offset value.

Kalibrate is a Linux program that uses GSM mobile cell phone base stations to determine the PPM offset, by using the GSM signals own frequency correction bursts. See the tutorial video below.

RTL-SDR Tutorial: Analyzing GSM with Airprobe/GR-GSM and Wireshark

The RTL-SDR software defined radio can be used to analyze cellular phone GSM signals, using Linux based tools GR-GSM (or Airprobe) and Wireshark. This tutorial shows how to set up these tools for use with the RTL-SDR.

Example - Analysing GSM with RTL-SDR Software Defined Radio

Here is a screenshot and video showing an example of the type of data you can receive. You can see the unencrypted GSM packet information. You will not be able to see any sensitive information like voice or text message data since that part is encrypted. Decryption of messages that are not your own is very difficult, illegal and is not covered in this tutorial.

Analyzing Cellular GSM with RTL-SDR (RTL2832), Airprobe and Wireshark

Kali Linux with Airprobe and Wireshark and RTL-SDR Software Defined Radio First, you will need to find out at what frequencies you have GSM signals in your area. For most of the world, the primary GSM band is 900 MHz, in the USA it starts from 850 MHz. If you have an E4000 RTL-SDR, you may also find GSM signals in the 1800 MHz band for most of the world, and 1900 MHz band for the USA. Open up SDRSharp, and scan around the 900 MHz (or 850 MHz) band for a signal that looks like the waterfall image below. This is a non-hopping GSM downlink signal. Using NFM, it will sound something like the example audio provided below. Note down the strongest GSM frequencies you can find. GSM Non Hopping Waterfall Image

The rest of the tutorial is performed in Linux and we assume that you have basic Linux skills in using the terminal. For this tutorial we used Ubuntu 14.04 in a VMWare session. You can download the various ready to go Ubuntu VMWare images from here, and the free VMWare player from here. Note that virtual box is reported not to work well with the RTL-SDR, as its USB bandwidth capabilities are poor, so VMWare player should be used. 

Install GR-GSM

This tutorial is heavily based on the instructions from the gr-gsm GitHub readme at https://github.com/ptrkrysik/gr-gsm.

  1. The easiest way to install gr-gsm is to use Pybombs. Pybombs will automatically install gr-gsm, and all the required dependencies including GNU Radio.
    $ sudo apt-get update
    $ sudo apt-get install git python-pip
    $ sudo pip install PyBOMBS
    $ sudo pybombs prefix init /usr/local -a default_prx
    $ sudo pybombs config default_prefix default_prx
    $ sudo pybombs recipes add gr-recipes git+https://github.com/gnuradio/gr-recipes.git
    $ sudo pybombs recipes add gr-etcetera git+https://github.com/gnuradio/gr-etcetera.git
    $ sudo pybombs install gr-gsm
    $ sudo ldconfig
  2. Plug in your RTL-SDR and connect it to your VM if necessary. Run grgsm_livemon by typing grgsm_livemon at the terminal. A new window should open.
  3. In the new window tune to a GSM downlink frequency which you determined while browsing in SDR# and set the gain appropriately.
  4. Start Wireshark by using sudo wireshark -k -Y '!icmp && gsmtap' -i lo which will automatically start wireshark in the loopback mode with the gsmtap filter activated. You may get an error when opening Wireshark but this can be ignored.
  5. You should now see the GSM data scrolling along in Wireshark.

[expand title = "Old Method using Airprobe (Click to Expand)"]

Install GNU Radio

You will need to install GNU Radio first in order to get RTL-SDR to work. An excellent video tutorial showing how to install GNU Radio in Kali Linux can be found in this video shown below. Note that I had to run apt-get update in terminal first, before running the build script, as I got 404 not found errors otherwise. You can also use March Leech's install script to install the latest version of GNU Radio on any Linux OS. Installation instructions can be found here. I recommend installing from source to get the latest version. http://www.youtube.com/watch?v=B8Acp6_3DA0

Update: The new version 3.7 GNU Radio is not compatible with AirProbe. You will need to install GNU Radio 3.6. However, neeo from the comments section of this post has created a patch which makes AirProbe compatible with GNU Radio 3.7. To run it, place the patch file in your airprobe folder and then run patch -p1 < zmiana3.patch.

Install Airprobe

Airprobe is the tool that will decode the GSM signal. I used multiple tutorials to get airprobe to install. First from this University of Freiberg tutorial, I used their instructions to ensure that the needed dependencies that airprobe requires were installed.

Install Basic Dependencies

sudo apt-get –y install git-core autoconf automake libtool g++ python-dev swig libpcap0.8-dev

Update: Thanks to shyam jos from the comments section who has let us know that some extra dependencies are required when using the new Kali Linux (1.0.5) for airprobe to compile. If you've skipped installing GNURadio because you're using the new Kali 1.0.5 with SDR tools preinstalled, use the following command to install the extra required dependencies.

 sudo apt-get install gnuradio gnuradio-dev cmake git libboost-all-dev libusb-1.0-0 libusb-1.0-0-dev libfftw3-dev swig python-numpy

Install libosmocore

git clone git://git.osmocom.org/libosmocore.git
cd libosmocore
autoreconf –i
./configure
make
sudo make install
sudo ldconfig

Clone Airprobe

Now, I discovered that the airprobe git repository used in the University tutorial  (berlin.ccc.de) was out of date, and would not compile. From this reddit thread I discovered a more up to date airprobe git repository that does compile. Clone airprobe using the following git command.

git clone git://git.gnumonks.org/airprobe.git

Now install gsmdecode and gsm-receiver.

Install gsmdecode

cd airprobe/gsmdecode
./bootstrap
./configure
make

Install gsm-receiver

cd airprobe/gsm-receiver
./bootstrap
./configure
make

Testing Airprobe

Now, cd into to the airprobe/gsm-receiver/src/python directory. First we will test Airprobe on a sample GSM cfile. Get the sample cfile which I found from this tutorial by typing into terminal.

cd airprobe/gsm-receiver/src/python
wget ​https://svn.berlin.ccc.de/projects/airprobe/raw-attachment/wiki/DeModulation/capture_941.8M_112.cfile

Note: The tutorial and cfile link is sometimes dead. I have mirrored the cfile on megaupload at this link. Place the cfile in the airprobe/gsm-receiver/src/python folder. Now open wireshark, by typing wireshark into a second terminal window. Wireshark is already installed in Kali Linux, but may not be in other Linux distributions. Since Airprobe dumps data to a UDP port, we must set Wireshark to listen to this. Under Start in Wireshark, first set the capture interface to lo (loopback), and then press Start. Then in the filter box, type in gsmtap. This will ensure only airprobe GSM data is displayed. Back in the first terminal that is in the python directory, type in

./go.sh capture_941.8M_112.cfile

If everything installed correctly, you should now be able to see the sample GSM data in wireshark.

Receive a Live Channel

To decode a live channel using RTL-SDR type in terminal

./gsm_receive_rtl.py -s 1e6

A new window will pop up. Tune to a known non-hopping GSM channel that you found earlier using SDRSharp by entering the Center Frequency. Then, click in the middle of the GSM channel in the Wideband Spectrum window. Within a few seconds some GSM data should begin to show constantly in wireshark. Type ./gsm_receive_rtl.py -h for information on more options. The -s flag is used here to set the sample rate to 1.0 MSPS, which seems to work much better than the default of 1.8 MSPS as it seems that there should be only one GSM peak in the wideband spectrum window. GSM Decoding with Airprobe and Wireshark and RTL-SDR Software Defined Radio

Capturing a cfile with the RTL-SDR (Added: 13/06/13)

I wasn't able to find a way to use airprobe to capture my own cfile. I did find a way to capture one using ./rtl_sdr and GNU Radio however. First save a rtl_sdr .bin data file using where -s is the sample rate, -f is the GSM signal frequency and -g is the gain setting. (rtl_sdr is stored in 'gnuradio-src/rtl-sdr/src')

./rtl_sdr /tmp/rtl_sdr_capture.bin -s 1.0e6 -f 936.6e6 -g 44.5

Next, download this GNU Radio Companion (GRC) flow graph (scroll all the way down for the link), which will convert the rtl_sdr .bin file into a .cfile. Set the file source to the capture.bin file, and set the file output for a file called capture.cfile which should be located in the 'airprobe/gsm-receiver/src/python' folder. Also, make sure that 'Repeat' in the File Source block is set to 'No'. Now execute the GRC flow graph by clicking on the icon that looks like grey cogs. This will create the capture.cfile. The flow chart will not stop by itself when it's done, so once the file has been written press the red X icon in GRC to stop the flow chart running. The capture.cfile can now be used in airprobe. However, to use this cfile, I found that I had to use ./gsm_receive.py, rather than ./go.sh as a custom decimation rate is required. I'm not sure why, but a decimation rate of 64 worked for me, which is set with the -d flag.

./gsm_receive.py -I rtl_sdr_capture.cfile -d 64

[/expand]

Going Further with Decryption

We don't cover how to decode the actual encrypted GSM data here, but this is possible to do with messages going to your own phone once you extract the encryption code for your sim card. But note that if you want to do this you'll need to put in some good study and research into understanding how GSM actually works before you can even think about trying it. Disclaimer: Only decrypt signals that you are legally allowed to (such as from/to your own cell phone) to avoid breaching privacy.

The most complete video guide is probably the YouTube tutorial by Crazy Danish Hacker, and the most complete web guide is the one by Domonkos P. Tomcsanyi available on his blog here.

A reader wrote in to let us know some information on obtaining the TMSI and Kc numbers, which are useful if you wish to go further and actually decode messages coming from your own phone. He writes:

For some reason, most of posts on the Internet concerning GSM sniffing provide very few examples of how to get our own TMSI and Kc numbers. These rely either on the BlackBerry engineering screen or the use of a SIM-card reader (see for example http://domonkos.tomcsanyi.net/?p=369). I know there are other methods like the one you describe in www.rtl-sdr.com/rtl-sdr-cell-phone-imsi-tmsi-key-sniffer/.

However, I have rarely seen anything related to the Android IMSI-Catcher Detector app. This can be easily installed via the standard repositories and it allows us to send AT commands to the modem provided we root the MS. This procedure works on many devices (I checked it on a Motorola Moto E).

Just a quick reminder of the basic AT+commands:

1. Extraction of IMSI -> AT+CRSM=176,28423,0,0,3.

2. Extraction of Ciphering Key Kc -> AT+CRSM=176,28448,0,0,9 (for SIM),
AT+CRSM=176,20256,0,0,9 (for USIM). First 16 entries.

3. Extraction of TMSI -> AT+CRSM=176,28542,0,0,11. First 8 entries.

The Android IMSI-Catcher Detector provides some additional interesting data, like the cell ID the device is connected to, the LAI, etc.

We note that software such as SimSpyII together with a Sim Card reader can also be used to easily acquire the Kc value.

If you enjoyed this tutorial you may like our book available on Amazon. Available in eBook and paperback formats.

The Hobbyist's Guide to the RTL-SDR: Really Cheap Software Defined radio.

Radio Signal Identification Guide

NOTE: Recent changes to WordPress seem to have broken the audio on this page. Please use the new Signal Identification Wiki which has many new signals. Anyone can edit and improve the information on the pages on the wiki.

A guide to help you identify some amateur and utility digital radio signals and sounds which you may find on the frequency spectrum. Most of these have been received with an RTL-SDR software defined radio. I will be slowly adding more to this list over time. If you enable stereo mix and pass the sample audio to an appropriate decoding program the sample audio should be decodable for most samples.

If you would like to suggest a modification or contribute a sample, please send a sample, waterfall image and information about the signal to [email protected], or post in the comments. (Note I am currently backlogged with contributed signals, if I haven’t replied or added your signal yet it will be done within a month or two).

More sites with sample audio can be found at this list on dxzone.com. A very nice overview video of the HF spectrum by balint can be found here. There are also two paperback books: Technical Handbook for Radio Monitoring VHF/UHF (PDF Excerpt) & Technical Handbook for Radio Monitoring HF (PDF Excerpt) which have a very comprehensive list, description and images of many signals.

ACARS

Sample Audio:

Typical Frequency: 131.550 MHz

Mode: AM

Bandwidth: 5000-8000 Hz

Description: Aircraft Communications Addressing and Reporting System (ACARS). Short messages sent to and from aircraft.

Decoding Software: PlanePlotter, ACARSD

Video Examples: [1], [2]

ACARS Packets

P25 Phase 1 (C4FM Modulation) (Encrypted)

Sample Audio:

Typical Frequency: ~860 MHz, ~500 MHz + others

Mode: NFM

Bandwidth: 10000 Hz

Description: P25 encrypted digital voice signal with C4FM modulation.

Decoding Software: Digital Speech Decoder (DSD). Note, only unencrypted can be decoded.

Video Examples:  [1], [2][3]

P25 Waterfall Example

DMR/MotoTRBO

Sample Audio:

Typical Frequency: ~860 MHz

Mode: NFM

Bandwidth: 10000 Hz

Description: Motorola digital voice signal known as MotoTRBO (pronouced Moto-Turbo).

Decoding Software: Digital Speech Decoder (DSD). Note, only unencrypted can be decoded.

Video Examples: [1], [2]

DMR/MOTOTRBO Signal Waterfall

POCSAG/FLEX-A

Sample Audio:

Typical Frequency: ~151 MHz, ~900-950 MHz

Mode: NFM

Bandwidth: 10000 Hz

Description: Pager digital signal known as POCSAG. An acronym of Post Office Code Standardization Advisory Group.

Decoding Software: PDW

Video Examples: [1], [2]

 POCSAG/FLEX Pager Waterfall Image

Weather Balloon (Radiosonde) Vaisala RS92SGP

Sample Audio:

Typical Frequency: ~400 MHz

Mode: NFM

Bandwidth: ~5500 Hz

Description: Weather balloon (Radiosonde) telemetry data. Only transmits during a weather balloon launch.

Decoding Software: SondeMonitor

Video Examples: [1], [2]

  RS92SGP Radiosonde Waterfall Image

TETRA Downlink

Sample Audio:

Typical Frequency: 380 – 430 MHz

Mode: –

Bandwidth: 25000 Hz

Description: Terrestrial Trunked Radio (TETRA), also know as Trans-European Trunked Radio is a professional mobile radio and two-way transceiver (walkie-talkie) specification. Modulated with π/4 DQPSK. Audio sample recorded in NFM mode.

Thanks to Jenda for the submission.

Decoding Software: osmocomTETRA

Video Examples: [1], [2]

TETRA Downlink

Trunking Control MPT1327

Sample Audio:

Typical Frequency: ~420 MHz

Mode: NFM

Bandwidth: 10000 Hz

Description: Radio trunking control channel.

Decoding Software: Trunkview, UniTrunker

Video Examples: [1]

MPT1327 Waterfall Image

Trunking Control Motorola Type II Smartnet

Sample Audio:

Typical Frequency: ~860 MHz

Mode: NFM

Bandwidth: 8000 Hz

Description: Radio trunking control channel.

Decoding Software: UniTrunker

Video Examples:

Motoroal 2F1D Trunking Channel

Trunking Control EDACS96

Sample Audio:

Typical Frequency: ~860 MHz

Mode: NFM

Bandwidth: 10000 Hz

Description: Radio trunking control channel.

Decoding Software: UniTrunker

Video Examples:

EDACS96 Trunking Channel

Trunking Control APCO P25

Sample Audio:

Typical Frequency: ~860MHz

Mode: NFM

Bandwidth: 12500 Hz

Description: Radio trunking control channel.

Decoding Software: UniTrunker

Video Examples:

APCO P25 Trunking Channel

AFSK1200

Sample Audio:

Typical Frequency: ~144 MHz

Mode: NFM

Bandwidth: 10000 Hz

Description: Audio frequency-shift keying (AFSK). Used by amateur radio hams for packet radio, Automatic Packet Reporting System (APRS) and telemetry.

Decoding Software: QTMM

Video Examples: [1]

AFSK1200

AIS

Sample Audio:

Typical Frequency:

Marine Channel 87 – 161.975 MHz
Marine Channel 88 – 162.025 MHz

Mode: NFM

Bandwidth: 12500 Hz OR 25000 Hz

Description: Automatic Identification System (AIS). Used by ships to broadcast position and vessel information. Uses 9.6 kbit GMSK modulation.

Decoding Software: ShipPlotter, AISMon (In the Files Section of the Yahoo Group)

Video Examples: [1], [2]

AIS Waterfall

NOAA Weather Satellite (APT)

Sample Audio:

Typical Frequency:

NOAA 15 137.620
NOAA 18 137.9125
NOAA 19 137.100

Mode: WFM

Bandwidth: 30000 Hz

Description: NOAA Automatic Picture Transmission (APT) signal. Used to by the NOAA weather satellites to transmit satellite weather photos.

Only transmits at certain times throughout the day when the satellite passes overhead at your location.

Decoding Software: WXtoImg

Video Examples: [1], [2], [3]

 NOAA APT Waterfall Screenshot

Stereo Wideband FM (WFM)

Sample Audio: –

Typical Frequency:

Common – 87.5 to 108.0 MHz
OIRT – 65 to 74 MHz
Japan – 76 to 90 MHz
Consumer Wireless Devices – ~860 MHz

Mode: WFM

Bandwidth: 30000 Hz

Description: Stereo Wideband FM signal. Used for typical broadcast radio, and in some wireless headsets and speakers. This particular signal is from an AKG headset.

Top signal is WFM transmitted with low amplification. Bottom signal is WFM transmitted with high amplification.

Thanks to Tobby for the submission.

Decoding Software: Unencoded

Video Examples: [1], [2]

 WFM

Amplitude Modulation (AM)

Sample Audio: –

Typical Frequency:

Long wave – 153 to 279 kHz
Medium wave – 531 to 1,611 kHz in ITU regions 1 and 3 and 540 to 1610 kHz in ITU region 2.
Short wave – 2.3 to 26.1 MHz

Aircraft – 108 to 137 MHz

Mode: AM

Bandwidth: 10000 Hz

Description: Amplitude Modulation broadcast audio radio station.

Thanks to rtlsdr_is_fun for the submission.

Decoding Software: Unencoded

Video Examples: [1], [2]

 AM Waterfall

Weatherfax (HFFAX)

Sample Audio:

Typical Frequency: HF ~3 to 16 KHz. Location dependant.

Mode: Upper side band (USB)

Bandwidth: ~1900 KHz

Description: HF Weatherfax. Used by boats for weather reports. Also Kyodo News, a Japanese newspaper transmits entire pages via HFFAX.

Decoding Software: FLDIGI

Video Examples: [1], [2]

 WeatherfaxWaterfall

Upper Side Band Voice (USB)

Sample Audio:

Typical Frequency: All HF band.

Mode: USB

Bandwidth: ~1900 Hz

Description: Single side band, specifically upper side band. Used in the HF band by amateur radio hams and aircraft weather reports. Single side band saves bandwidth.

Decoding Software: Unecoded

Video Examples: [1], [2]

 UpperSideBandWaterfall

Over the Horizon (OTH) Radar

Sample Audio:

Typical Frequency: All over HF Band

Mode: –

Bandwidth: 

Description: Over the horizon radar. Used by governments for very long range radar systems.

Decoding Software: Unencoded

 OTHRadar

Analogue PAL TV

Sample Audio:

Typical Frequency: Multiple

Mode: PAL TV

Bandwidth: 5 MHz

Description: Analogue PAL TV. Color TV signal.

Decoding Software: TVSharp

Video Examples: [1]

 Analogue PAL TV

Digital Audio Broadcast (DAB+)

Sample Audio: No Audible Sound Produced

Typical Frequency: 

Multiple channels.
Block 13F – 239.200 MHz

Mode: DAB

Bandwidth: 1,537 KHz

Description: Digital Audio Broadcast (DAB+). A type of digital broadcast radio signal, containing multiple digital radio stations in the signal.

Decoding Software: SDR-J

Video Examples: [1]

 DAB+ Digital Audio Broadcast

Baby Monitor (NFM)

Sample Audio: –

Typical Frequency: ~40 MHz, 49.5 – 50 MHz

Mode: NFM

Bandwidth: < 15 KHz

Description: NFM signal from a baby monitor. Periodically bursts signal when no audio is detected. Thanks to Dean for some extra info.

Decoding Software: Unencoded

Video Examples: [1]

 BabyMonitorNFMSpikes

Digital Radio Mondiale (DRM)

Sample Audio:

Typical Frequency: Below 30 MHz on HF, near other shortwave radio stations.

Mode: USB

Bandwidth: 10000 Hz

Description: Digital Radio Mondiale (DRM). A form of international digital shortwave radio. Replaces AM shortwave radio.

Thanks to Will P. for the contribution.

Decoding Software: DREAM, SODIRA

Video Examples: [1], [2]

 Digital Radio Monodiale Waterfall Digital Radio Monodiale Waterfall

STANAG 4285

Sample Audio:

Typical Frequency: All over HF.

Mode: USB

Bandwidth: 2500 Hz

Description: Standardization Agreement (STANAG) 4285. NATO standard for HF communication.

Decoding Software: Sorcerer (Waring: Potential Virus Alert), Sigmira

Video Examples: [1]

 STANAG 4285 Waterfall Example

GSM Downlink (Non-Hopping)

Sample Audio:

Typical Frequency: 900 MHz and 1800 MHz Band OR 850 MHz and 1900 MHz Band

Mode: –

Bandwidth: 200 KHz

Description: GSM Cell Phone Downlink (Non Hopping Signal). Audio sample used NFM mode.

Decoding Software: Airprobe

 GSM Non Hopping Waterfall Image

GSM Uplink

Sample Audio: No Audible Sound Produced.

Typical Frequency: ~890 MHz

Mode: –

Bandwidth: 200 KHz

Description: Initial connection GSM signal sent from a cellphone.

Decoding Software: 

 GSMUplinkFrequencyHopping

GSM Downlink (Hopping)

Sample Audio: No Audible Sound Produced

Typical Frequency: 900 MHz and 1800 MHz Band OR 850 MHz and 1900 MHz Band

Mode: –

Bandwidth: Each channel 200 KHz

Description: GSM cell phone hopping.

Decoding Software: 

 GSM Hopping Waterfall

“Japanese Slot Machine” (XSL)

Sample Audio:

Typical Frequency: Between 4 MHz and 9 MHz

Mode: USB?

Bandwidth:

Description: Known as the Japanese Slot Machine. Thought to be data originating from the Japanese Navy.

Decoding Software: Sigmira (But Cannot Decrypt)

Video Examples: [1], [2]

 Japanese Slot Machine Waterfall

Automatic Dependent Surveillance-Broadcast (ADS-B)

Sample Audio: No Audible Sound Produced

Typical Frequency: 1090 MHz

Mode: –

Bandwidth: 2 MHz

Description: Automatic Dependent Surveillance-Broadcast (ADS-B). Used by aircraft to broadcast their latitude, longitude and altitude.

Decoding Software: ADSB#, Dump1090, RTL1090

Video Examples: [1], [2], [3]

 ADSBWaterfallScreenShot

Cuban Numbers Station HM01

Sample Audio: 

Typical Frequency: 11.530 MHz.

Mode: AM

Bandwidth:

Description: (Previously Unidentified Signal 5). Numbers stations are thought to transmit encoded information for various spy agencies around the world. They are recognized by a voice reading a sequence of numbers or words. This is a Cuban Numbers Station which has a data portion and a voice portion. Sound sample recorded in AM mode.

Thanks to Andrew from the comments section for the ID.

Decoding Software: Information Here

Video Examples: [1], [2], [3], [4], [5]

UnknownSignalWaterfall_5

High Frequency Data Link (HFDL)

Sample Audio: 

Typical Frequency:  HF Band

Mode: USB (1440 Hz below center)

Bandwidth: ~2800 Hz

Description:  (Previously Unidentified Signal 2). An Aircraft Communications Addressing and Reporting System (ACARS) data link that aircraft use to communicate short messages over long distances using HF signals.

Thanks to Andrew from the comments section for the ID.

Decoding Software: PC-HFDL

Video Examples: [1], [2], [3]

UnknownSignalWaterfall_1

Binary Phase Shift Keying (BPSK31)

Sample Audio: 

Typical Frequency:  HF Amateur Band

Mode: SSB

Bandwidth: ~31 Hz

Description:  A digital amateur radio mode based on Phase Shift Keying (PSK) modulation

Thanks to Patrick for the submission.

Decoding Software: Fldigi, MixW, HRD Digital Master 780, MultiPSK

Video Examples: [1], [2][3]

BPSK Waterfall Example

AFSK Paging Link

Sample Audio: 

Typical Frequency: 72-76 MHz

Description: (Previously unidentified signal 10). Identified in the comments section by Ronen as an Asynchronous Frequency Shift Keying (AFSK) pager link. It is easier to transmit the FSK pager signal to the transmitter site as AFSK.

unknown_10_waterfall

Pulse Code Modulated (PCM) RC Toy Signal

Sample Audio: 

Typical Frequency: 27.145 MHz, 72 MHz

Description: (Previously unidentified signal 9). Identified in the comments section by W1BMW as a Pulse-code modulated (PCM) signal used for remote control (RC) Toys. Link to IQ file http://i.nyx.cz/files/00/00/09/99/999880_c640d91142db39ee7d57.zip?name=SDRSharp_20130613_113322Z_27186kHz_IQ.zip. Sample audio recorded in USB mode.

UnknownSigna_9

Overlapping RTTY Signals

Sample Audio: 

Typical Frequency: HF band

Description: Previously unidentified signal (11). Identified in the comments by various contributors as multiple overlapping RTTY signals sent by ham radios.

Unknown CW #3

Voice Frequency Telegraph

Sample Audio: 

Typical Frequency: 7453.50 KHz USB

Description: Previously unidentified signal (13). VFT or Voice Frequency Telegraph is one of several systems for sending multiple RTTY signals over one voice-bandwidth radio channel.

74535khzusb

Portable Traffic Lights

Sample Audio: 

Found Frequency: 154.463 MHz

Description: Previously unidentified signal (17). Identified by Peter via email as being signals sent from portable traffic lights that are often used at roadworks.

unid17

X2 on iDEN

Sample Audio: 

Found Frequency: 154.463 MHz

Description: iDEN is an acronym for Integrated Digital Enhanced Network and is a technology developed by Motorola. It is a type of trunked radio with cellular phone benefits.

Link to RR identification discussion from submission email.

Thanks to Mike (VE3HER) for the submission.

x2 on iden

Funcube-1 Satellite

Sample Audio:

Found Frequency: 145.950 – 145.970 MHz

Mode: USB

Bandwidth: ~2 kHz

Description: The Funcube-1 is a Cubesat amateur radio satellite.

Decoding Software: Funcube Telemetry Dashboard

funcube-1_waterfall

Swedish Pocsag Minicall

Sample Audio:

Typical Frequency: ~161 MHz

Mode: NFM

Bandwidth: 20 kHz

Description: A short Pocsag 1200 signal used in electric plants and remote transformer and insulation stations.

Thanks to Joni for the submission.

Decoding Software: PDW

Video Examples: [1], [2]

swedish_minicall_pocsag

Unidentified Signals

If you know what any of these signals are please write in the comments. You can also submit any unidentified signals you would like to be added to [email protected]

(1)

Sample Audio: 

Found Frequency: 171.3 MHz

Description: Recognized by DSD as a NXDN96 signal, but is disputed in the comments section. (Possibly a bug in DSD).

QPSK2

(3) – ALE?

Sample Audio: 

Found Frequency:  HF Band

Description: Sound sample recorded in USB mode. Potentially some sort of 2G ALE signal. Similar signal shown in balints HF tour video. Possible a weather map transmitted from Tokyo as noted in the comments section by Syd, or 4xFSK from China as identified by K2RCN in the comments.

UnknownSignalWaterfall_2

(4)

Sample Audio: 

Found Frequency: HF Band

Description: Periodic pulses. Sound sample recorded in USB mode. Possibly a GlobeWireless signal as identified in the comments section by K2RCN.

 UnknownSignalWaterfall_4

(6)

Sample Audio: 

Found Frequency: 152.652 MHz

Description: Continuous signal. Audio sample recorded in NFM.

UnknownSignal_6

(7)

Sample Audio: 

Found Frequency: 162.863 MHz

Description: Continuous bursts. Audio sample recorded in NFM.

UnknownSignal_7

(8)

Sample Audio: 

Found Frequency: 457.168 MHz

Description: Audio sample recorded in NFM.

UnknownSignal_8

(10)

Sample Audio: 

Found Frequency: 452.325 Mhz

Description: Sent in over email. Sounds like Motorola Type II smartnet, but Unitrunker does not recognize.

unid_10

(12)

Sample Audio: 

Found Frequency: 154.646 MHz

Description: Sent in over email. Repeats every minute.

154646

(14)

Sample Audio: 

Found Frequency: 433 MHz

Description: Sent in over email.

Hello! I was listening in the 433MHz band and saw this blip (about 1-2sec) on the waterfall on 433.873 (Millville, MA). It repeats about every 30-50 seconds, though doesn’t seem to be the same every time. Maybe a wireless instrument of some type (weather or something?). The only clear sound of it I could get was with AM, about a 4.2kHz wide filter (rtl-sdr, gqrx linux). Any ideas? Thanks!

 

(15)

Sample Audio: 

Found Frequency: 455 MHz

Description: Sent in over email.

unid15

(16)

Sample Audio: 

Found Frequency: 173.262 MHz

Description: Sent in over email.

unid16

(18)

Sample Audio: None

Found Frequency: ~856 MHz

Description: Sent in over email.

The antenna has a Yagi pointed to West from 23.5° South latitude, 47.46° West longitude.
The signal can be local or from the sky. The signal is horizontal polarized.

uid16

(19)

Sample Audio: 

Found Frequency: ~409.6 MHz

Description: Sent in over email. Recorded in NFM mode.

screen