Detecting Hidden GPS Trackers via Electromagnetic Unintentional Emissions with a HackRF

Researchers from Hunan University, Boise State, and UT Arlington have published a paper called "GPSBuster" (PDF link), demonstrating how a HackRF One can sniff out covert GPS trackers by their unintended electromagnetic radiation. Hidden trackers are hard to find since they only receive satellite signals and may store coordinates locally rather than transmit. Instead of looking for transmissions, GPSBuster targets side-channel leakage from the tracker's mixed-signal SoC, specifically the coupling between the quartz oscillator, local oscillator, and mixer used to downconvert the 1575.42 MHz L1 signal.

The team found that an active tracker leaks two characteristic spectra: a low band around 26 to 104 MHz and a high band around 1545 to 1625 MHz, each with a strong peak and evenly spaced harmonics. The low band reflects coupling between the quartz oscillator (typically 26 MHz) and the IF, while the high band contains LO plus IF spacing that always sums to 1575.42 MHz, giving a database-free detection rule. The setup consists of a HackRF, an NFP-3 near-field probe, and a 35 dB LNA. Because a near-field probe is used, the operator has to sweep it over an area to find the tracker, and the maximum detection range was 0.61 m.

Tested against the top 10 trackers available on a popular online marketplace, GPSBuster hit a 98.4% detection rate, working through plastic, cotton, canvas, and leather, and alongside phones, laptops, and speakers. It also extended to L1+L5 modules like the Quectel LC29H series, and even metal-shielded chips still leaked enough via PCB traces to be picked up.
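The database-free rule described above can be sketched as a check over peaks already extracted from a sweep. This is an added example, not code from the GPSBuster paper or its authors: it reads the rule as "the strongest comb line is the LO and the comb spacing is the IF, with LO + IF = 1575.42 MHz", and the function name, tolerance, minimum line count, low-side LO assumption and sample peaks are all assumptions made here.

```python
# Added illustration; thresholds and sample peaks are constructed, not from the paper.
L1_MHZ = 1575.42               # GPS L1 carrier (from the article)
HIGH_BAND = (1545.0, 1625.0)   # high leakage band in MHz (from the article)


def find_tracker_comb(peaks, tol_mhz=0.02, min_lines=3, min_if_mhz=0.5):
    """Look for an LO peak whose comb spacing (IF) satisfies LO + IF = L1.

    peaks: iterable of (freq_mhz, power_db) produced by a peak detector run
    over a sweep (the peak detector itself is outside this example).
    Each in-band peak is tried as the LO, strongest first, so a louder
    unrelated emitter does not mask the tracker. Returns a dict or None.
    """
    band = [(f, p) for f, p in peaks if HIGH_BAND[0] <= f <= HIGH_BAND[1]]
    for lo, _ in sorted(band, key=lambda fp: -fp[1]):
        if_mhz = L1_MHZ - lo          # spacing implied by the sum rule
        if if_mhz < min_if_mhz:       # assumption: the LO sits below L1
            continue
        lines = {}
        for f, _ in band:
            k = round((f - lo) / if_mhz)      # nearest comb index
            if k != 0 and abs(f - (lo + k * if_mhz)) <= tol_mhz:
                lines[k] = f
        if len(lines) >= min_lines:
            return {"lo_mhz": lo, "if_mhz": round(if_mhz, 3),
                    "comb": sorted(lines.items())}
    return None


# Constructed sweep results: a comb with 4.092 MHz spacing plus two unrelated peaks.
SAMPLE_TRACKER = [
    (1567.236, -78.0), (1571.328, -61.0), (1575.420, -70.0),
    (1579.512, -74.0), (1583.604, -80.0),
    (1602.000, -55.0),   # unrelated emitter, stronger than the LO
    (1590.100, -72.0),   # unrelated spur
]
# Constructed sweep with no tracker present.
SAMPLE_CLEAN = [(1602.000, -55.0), (1590.100, -72.0), (1560.500, -75.0)]

if __name__ == "__main__":
    print(find_tracker_comb(SAMPLE_TRACKER))
    print(find_tracker_comb(SAMPLE_CLEAN))
```

Because the spacing is derived from each candidate peak rather than looked up per chip, the check needs no table of known tracker models; the tolerance should be matched to the FFT bin width of the sweep.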

Covert GPS Tracker Detection with a HackRF and Near Field Probe
GPSBuster Field Prototype

Saveitforparts: Receiving Artemis 2 Signals

Over on the saveitforparts YouTube channel, Gabe has recently posted two videos where he attempts to receive the Artemis 2 signal. His setup consists of a surplus satellite dish inside a geodesic radar dome at his "Sandland" radio observatory, a 3D-printed feed, a HackRF One SDR, and various LNAs, including a dedicated S-band unit from LMA Scientific. He used GPredict for tracking and SDR++ for spectrum analysis, targeting the expected downlink frequency around 2216.5 MHz.

The main challenges were the capsule's low elevation angle from his location in Minnesota, rapidly changing orbital elements that made TLE-based tracking unreliable during the trans-lunar injection burn, and the fact that all telemetry is encrypted. During his first overnight session, he was only able to detect what appeared to be an extremely faint carrier at approximately 2216.49 MHz. This is consistent with the expected Doppler-shifted frequency, and the carrier disappeared when the dish was moved off-target. In a second session timed to catch a handover between NASA's Goldstone and Canberra Deep Space Network stations, he received a noticeably stronger carrier signal and even observed sideband activity, though still not strong enough to resolve any modulation detail.

He notes that NASA's original citizen science RFP called for ~9 meter dishes, far larger than his ~2.5 meter setup, and that the capsule also uses a laser communications system for high-bandwidth data. The Canadian Space Dashboard and DSN Now websites proved useful for predicting optimal observation windows during ground station handovers.

Can I Overhear The Artemis II Moon Mission With SDR?

Listening To Artemis II's Return To Earth With DIY Satellite Station

BrowSDR: Turn Your HackRF or RTL-SDR Into a Browser-Based Remote WebSDR

Joel (jLynx), known for his work on the HackRF Mayhem firmware, has released an open-source project called BrowSDR that turns a HackRF or RTL-SDR into a fully browser-based SDR receiver. The application connects to your SDR directly via WebUSB and uses a high-performance Rust/WebAssembly DSP pipeline running in Web Workers for smooth, real-time spectrum and waterfall display. It supports WFM, NFM, AM, SSB, CW, and raw IQ demodulation, along with RDS decoding and POCSAG pager decoding. A standout feature is the ability to open unlimited simultaneous VFOs, each with independent demodulation and DSP settings, with the developer having tested up to 62 running at once.

The real killer feature is remote access. Using WebRTC, you can share your locally connected SDR and access it from anywhere in the world through a browser with no server setup required. BrowSDR also includes built-in Whisper AI transcription that can live-transcribe audio from each VFO independently. The project currently supports HackRF, HackRF Pro, and the RTL-SDR Blog V4, with AirSpy and LimeSDR support coming soon. It also works on Android devices with a USB-C cable. BrowSDR is open source under the AGPL-3.0 license and a live demo is available at browsdr.jlynx.net.

BrowSDR Interface with POCSAG Decoding

DeDECTive: A DECT 6.0 Cordless Phone Scanner and Voice Decoder for the HackRF

Over on GitHub and YouTube, we've seen the release of Sarah Rose's new program called DeDECTive, a DECT 6.0 scanner and voice decoder for the HackRF running on Linux systems. DECT (Digital Enhanced Cordless Telecommunications) is a digital wireless protocol typically used by modern cordless phones.

Back in 2019, Sarah (previously known as Corrosive) demonstrated how to use gr-dect2 to decode DECT in a previous video. In her latest work, she's ported gr-dect2 to C++ and written a nice GUI for the decoder. This makes running and setting up the decoder a significantly better experience. The GUI has a wideband scanner and the ability to tune for a single DECT channel for full voice decoding. There is also a CLI version that will automatically tune to the first active voice channel.

We note that many DECT cordless phones use encryption, so this software may not work with those devices. In any case, please be aware that intercepting phone calls may be illegal in many jurisdictions.

DeDECTive: The DECT Toolkit

RDF-J / ECM-J System: TDoA Signal Location Finding and Electronic Jamming with HackRF

Thank you to Janble for writing in and sharing with us their new software called "RDF-J / ECM-J SYSTEM". These are two distinct programs in a package.

The software is not open source, and it appears that Janble wishes to sell the software to interested parties. Currently, they do not have a website, and they wish to refer interested parties to their X post for more information on pricing and how to obtain the software. As with any closed-source software, we can only recommend that interested parties do their own due diligence on the safety of the software.

RDF-J is a Time Difference of Arrival (TDoA) and signal strength-based radio direction finding program, which utilizes multiple HackRF software-defined radios spread out over an area. Janble writes that the radio direction finding system can operate using either TDoA and signal strength methods independently or together, with a minimum of three nodes being required, and ideally five.

We clarified with Janble that the TDoA system uses a GPS synchronization approach to achieve the required timing accuracy.

The second program, part of the same package, is ECM-J, which is an electronic countermeasure system. It appears to use a HackRF to transmit a jamming signal. Obviously, jamming is illegal in most countries, so this is to be used at your own risk.

Janble has sent us a PDF showing the software in more detail, and they have uploaded a YouTube video, shown below.

📡 RDF-J / ECM-J SYSTEM(Radio Direction Findi-Electronic Countermeasures)

Khanfar Software: Analog Radio Hunter

Recently, M. Khanfar released a new free program, "Analog Radio Hunter," described as a "professional RF analysis and monitoring application built around GNU Radio and Fosphor." The software currently supports RTL-SDR, Airspy, and HackRF. Khanfar writes:

Analog Radio Hunter is a professional RF analysis and monitoring application built around GNU Radio and Fosphor.

It is designed to scan large RF spans, quickly lock onto active signals, and monitor analog transmissions with NFM, AM, or WFM audio demodulation.

  • Real-time FFT + waterfall spectrum display
  • Fast scan with dwell, pause-on-squelch, and skip-ignored channels
  • Detection list with hits, timestamps, and smart deactivation
  • Favorites profiles with monitor and favorites-only scan modes
  • Built-in recorder with auto-record and event log
  • Dedicated WFM broadcast receiver with presets
  • Multi-SDR device support (RTL-SDR, Airspy, HackRF) with auto-detect and device switching
  • NFM and AM audio demodulation (in addition to WFM)
  • Peak-follow in span (auto-tune to strongest signal inside the current MS/s window)
  • Frequency list filtering to skip/mute ignored channels
  • Scan and detection profiles (save/load named presets)
  • PPM correction for RTL-SDR calibration
  • Spectrum interaction controls (cursor readout, click-to-tune, wheel step, drag-pan)
  • Recorder options (record when muted, timestamp/frequency in filename, beep on favorite)
  • WFM de-emphasis selection (50/75 µs) and preset management
  • Audio Output menu with refresh (route audio to speakers, VB-Cable, or USB output)
  • Signal Stability Filter with Min Open + Grace timing and per-target routing
  • Histogram IQ Rec with live IQ follow controls and inspectrum integration
  • Auto Squelch Calibrate (noise floor + margin) for faster field setup
  • Smart Deactivate dual-layer logic (time-based + hit-rate busy rule)
  • Favorites cooldown auto-reactivation for busy channels
  • Favorite TX tones (Tone 1-9), edge selection, and tone test buttons
  • Learning Mode hover guidance for faster onboarding
  • Status bar live metrics for Last, Active, Favorite, Peak SNR, and Level

Unique scanning and detection approach: Traditional sweep scanners only see the center frequency they step to. Analog Radio Hunter monitors an entire chunk of spectrum at once and reacts to peaks inside it. That is a major differentiator.

High-Impact Capabilities

  • Wide-span reactive scan engine that hunts activity across a full chunk, not one center point at a time.
  • One-click IQ capture and histogram visualization with follow and idle flow controls.
  • Carrier-resilient channel management using Smart Deactivate + favorites cooldown logic.
  • Field-ready setup speed using Auto Cal squelch and persistent live status metrics.
  • Operator-selectable audio routing to speakers, VB-Cable, or USB audio output devices.
  • Operational clarity from GUI color heatmaps, scan debug reasons, and learning-mode tips.

Signal Stability Filter: Logic and Tuning

  • Purpose: reject short squelch flicker and noisy open/close chatter before actions trigger.
  • Min Open (ms): raw squelch must stay open this long before stable-open is accepted.
  • Grace (ms): stable-open is held briefly after raw close to avoid tiny dropouts.
  • Apply targets: Detection, Rec+Alerts, Scan Hold, and optional Audio Out gating.
  • Start values: Min Open 150-250 ms, Grace 40-80 ms, then tune by channel behavior.

Like his other software, which we previously covered, it is free but not open source. Anti-virus programs may flag the software as suspicious due to heuristics. We believe this to be a false positive, but as with all software that isn't open source, we recommend being highly suspicious and only running it in a sandboxed environment like a VM to be sure.

M Khanfar Analog Radio Hunter

Iridium-Sniffer: A Standalone Iridium Satellite Burst Detector and Demodulator

Thank you to Aaron, who is most well known for creating the DragonOS distribution, for writing in and sharing with us a new open-source program he's recently released over on GitHub.

The program is called 'Iridium-Sniffer', and it is a standalone Iridium satellite burst detector and demodulator written in C. Typically, gr-iridium has been used for Iridium demodulation in the past, but it can be clunky and slow on lower-power embedded systems like the Raspberry Pi, as it requires the large GNU Radio dependency.

The program is compatible with iridium-toolkit, which performs the actual decoding and analysis of the Iridium packets demodulated by iridium-sniffer.

If you're not familiar with it, Iridium is a large global communications satellite constellation that provides services such as voice, messaging, and data. An antenna like our RTL-SDR Blog Active Patch antenna, combined with an SDR, can be used to receive these signals. Some data on Iridium is encrypted, but there is some unencrypted data that can be decoded when combining tools like iridium-sniffer and iridium-toolkit.

Iridium-sniffer is compatible with the HackRF, BladeRF, USRP (UHD), and SoapySDR (which includes RTL-SDR). Note that higher-bandwidth SDRs can receive much more of the ~30 MHz Iridium band, and therefore decode more data at once.

The Iridium Satellite Constellation

Spectrum Slit: A Wall Art Display That Visualizes Wi-Fi Activity via a HackRF

Over on YouTube, RootKid, who specializes in creating engineering-based art projects, has developed an interesting wall-mounted art display panel that visualizes Wi-Fi activity by using a HackRF as the monitoring software-defined radio. The display uses a Raspberry Pi, a HackRF, and a custom-made LED light bar. The HackRF receives a 5 GHz Wi-Fi channel, and the Pi translates this into activity on the LED display, creating a visual piece that lets those around know when Wi-Fi activity is high.

The idea is to show that "we live surrounded by ghosts of our own making", which refers to the invisible storm of electromagnetic signals that we created to serve us in our modern lives.

If you are interested in other projects that combine SDR and art, you might enjoy our posts on HolyPager, Hystérésia, Signs of Life, Ghosts in the Airglow, and Open Weather.

I built a light that can see radio waves