Thank you to qewer33, who has written in to share the release of his new Terminal User Interface (TUI) program for RTL-SDR and HackRF SDRs. The program is called sdrrat, and it provides a complete TUI with FFT graph, waterfall spectrogram, VFO, and basic WBFM/NBFM/AM demodulation.
qewer33 notes that the software is built with Rust, Ratatui, and FutureSDR and is completely free and open source. The code is available on GitHub.
sdrrat: TUI based SDR software for RTL-SDR and HackRF
Over on GitHub, programmer blantonl has released p25-survey, a Python tool that scans a frequency range with an RTL-SDR, Airspy or HackRF and identifies any P25 control channels present. For each one found, it logs the WACN, System ID, NAC, RFSS ID and Site ID, the full IDEN_UP band plan, neighbor sites with resolved frequencies, and signal quality metrics including RSSI, BER and decode rate.
The tool also has an optional RadioReference cross-reference mode that annotates results with the RR system name and site description, flags frequency offsets versus the database, and generates a Markdown submission report for data not yet in RadioReference. An auto-gain feature sweeps gain values on each confirmed control channel and recommends the optimal setting for your SDR and location based on BER.
Researchers from Hunan University, Boise State, and UT Arlington have published a paper called "GPSBuster" (PDF link), demonstrating how a HackRF One can sniff out covert GPS trackers by their unintended electromagnetic radiation. Hidden trackers are hard to find since they only receive satellite signals and may store coordinates locally rather than transmit. Instead of looking for transmissions, GPSBuster targets side-channel leakage from the tracker's mixed-signal SoC, specifically the coupling between the quartz oscillator, local oscillator, and mixer used to downconvert the 1575.42 MHz L1 signal.
The team found that an active tracker leaks two characteristic spectra: a low band around 26 to 104 MHz and a high band around 1545 to 1625 MHz, each with a strong peak and evenly spaced harmonics. The low band reflects coupling between the quartz oscillator (typically 26 MHz) and the IF, while the high band contains LO plus IF spacing that always sums to 1575.42 MHz, giving a database-free detection rule. The setup consists of a HackRF, an NFP-3 near-field probe, and a 35 dB LNA. Because a near-field probe is used, the probe has to be swept over an area to find the tracker, and the maximum detection range was 0.61 m.
Tested against the top 10 trackers available on a popular online marketplace, GPSBuster hit a 98.4% detection rate, working through plastic, cotton, canvas, and leather, and alongside phones, laptops, and speakers. It also extended to L1+L5 modules like the Quectel LC29H series, and even metal-shielded chips still leaked enough via PCB traces to be picked up.
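The high-band rule described above can be applied to a list of spectral peaks as in the following added example, which is not code from the GPSBuster paper. It assumes the peaks have already been extracted from a probe sweep, that the LO appears as a strong peak, and that the evenly spaced lines around it are separated by the IF; the function name, tolerances and sample values are constructed for illustration.

```python
# Added illustration of the "LO + IF = 1575.42 MHz" rule; not GPSBuster's code.
GPS_L1_MHZ = 1575.42
HIGH_BAND_MHZ = (1545.0, 1625.0)  # high-band window quoted in the article


def find_tracker_comb(peaks, floor_db=-80.0, tol_mhz=0.02, min_lines=3):
    """Return {'lo_mhz', 'if_mhz', 'comb_lines'} for the first peak that fits, else None.

    peaks: (freq_mhz, power_db) pairs already extracted from a probe sweep.
    Assumption: the LO shows up as a strong peak and the evenly spaced lines
    around it are separated by the IF, so IF = 1575.42 - LO needs no database.
    """
    band = [(f, p) for f, p in peaks
            if HIGH_BAND_MHZ[0] <= f <= HIGH_BAND_MHZ[1] and p >= floor_db]
    # Try the strongest peaks first; a nearby phone may be louder than the tracker.
    for lo_mhz, _ in sorted(band, key=lambda fp: fp[1], reverse=True):
        if_mhz = GPS_L1_MHZ - lo_mhz
        if if_mhz <= tol_mhz:
            continue  # a candidate at or above L1 cannot be the LO under this rule
        orders = set()
        for f, _ in band:
            k = round((f - lo_mhz) / if_mhz)
            # k == 0 is the candidate itself; k == 1 lands on L1 for *any*
            # candidate, so neither counts as evidence of a comb.
            if k not in (0, 1) and abs(f - (lo_mhz + k * if_mhz)) <= tol_mhz:
                orders.add(k)
        if len(orders) >= min_lines:
            return {"lo_mhz": lo_mhz, "if_mhz": round(if_mhz, 3),
                    "comb_lines": len(orders)}
    return None


# Constructed sample: a comb with LO 1571.328 MHz / IF 4.092 MHz plus two
# unrelated emitters that are stronger than the tracker.
SAMPLE_PEAKS = [
    (1552.000, -45.0), (1601.500, -40.0),   # unrelated emitters
    (1563.144, -72.0), (1567.236, -66.0),   # LO - 2*IF, LO - IF
    (1571.328, -58.0),                      # LO
    (1575.420, -64.0), (1579.512, -70.0),   # LO + IF, LO + 2*IF
]
BACKGROUND_ONLY = SAMPLE_PEAKS[:2]

if __name__ == "__main__":
    print(find_tracker_comb(SAMPLE_PEAKS))
    print(find_tracker_comb(BACKGROUND_ONLY))
```

Excluding the line at L1 itself matters: every candidate frequency plus its implied IF equals 1575.42 MHz by construction, so only the other comb lines distinguish a tracker from an unrelated emitter.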
Covert GPS Tracker Detection with a HackRF and Near Field Probe
GPSBuster Field Prototype
Over on the saveitforparts YouTube channel, Gabe has recently posted two videos where he attempts to receive the Artemis 2 signal. His setup consists of a surplus satellite dish inside a geodesic radar dome at his "Sandland" radio observatory, a 3D-printed feed, a HackRF One SDR, and various LNAs, including a dedicated S-band unit from LMA Scientific. He used GPredict for tracking and SDR++ for spectrum analysis, targeting the expected downlink frequency around 2216.5 MHz.
The main challenges were the capsule's low elevation angle from his location in Minnesota, rapidly changing orbital elements that made TLE-based tracking unreliable during the trans-lunar injection burn, and the fact that all telemetry is encrypted. During his first overnight session, he was only able to detect what appeared to be an extremely faint carrier at approximately 2216.49 MHz, which is consistent with the expected Doppler-shifted frequency and which disappeared when the dish was moved off-target. In a second session timed to catch a handover between NASA's Goldstone and Canberra Deep Space Network stations, he received a noticeably stronger carrier signal and even observed sideband activity, though still not strong enough to resolve any modulation detail.
He notes that NASA's original citizen science RFP called for ~9 meter dishes, far larger than his ~2.5 meter setup, and that the capsule also uses a laser communications system for high-bandwidth data. The Canadian Space Dashboard and DSN Now websites proved useful for predicting optimal observation windows during ground station handovers.
Can I Overhear The Artemis II Moon Mission With SDR?
Listening To Artemis II's Return To Earth With DIY Satellite Station
Joel (jLynx), known for his work on the HackRF Mayhem firmware, has released an open-source project called BrowSDR that turns a HackRF or RTL-SDR into a fully browser-based SDR receiver. The application connects to your SDR directly via WebUSB and uses a high-performance Rust/WebAssembly DSP pipeline running in Web Workers for smooth, real-time spectrum and waterfall display. It supports WFM, NFM, AM, SSB, CW, and raw IQ demodulation, along with RDS decoding and POCSAG pager decoding. A standout feature is the ability to open unlimited simultaneous VFOs, each with independent demodulation and DSP settings, with the developer having tested up to 62 running at once.
The real killer feature is remote access. Using WebRTC, you can share your locally connected SDR and access it from anywhere in the world through a browser with no server setup required. BrowSDR also includes built-in Whisper AI transcription that can live-transcribe audio from each VFO independently. The project currently supports HackRF, HackRF Pro, and the RTL-SDR Blog V4, with AirSpy and LimeSDR support coming soon. It also works on Android devices with a USB-C cable. BrowSDR is open source under the AGPL-3.0 license and a live demo is available at browsdr.jlynx.net.
Over on GitHub and YouTube, we've seen the release of Sarah Rose's new program called DeDECTive, a DECT 6.0 scanner and voice decoder for the HackRF running on Linux systems. DECT (Digital Enhanced Cordless Telecommunications) is a digital wireless protocol typically used by modern cordless phones.
Back in 2019, Sarah (previously known as Corrosive) demonstrated how to use gr-dect2 to decode DECT in a previous video. In her latest work, she's ported gr-dect2 to C++ and written a nice GUI for the decoder. This makes running and setting up the decoder a significantly better experience. The GUI has a wideband scanner and the ability to tune for a single DECT channel for full voice decoding. There is also a CLI version that will automatically tune to the first active voice channel.
We note that many DECT cordless phones use encryption, so this software may not work with those devices. In any case, please be aware that intercepting phone calls may be illegal in many jurisdictions.
Thank you to Janble for writing in and sharing with us their new software called "RDF-J / ECM-J SYSTEM". These are two distinct programs in a package.
The software is not open source, and it appears that Janble wishes to sell the software to interested parties. Currently, they do not have a website, and they wish to refer interested parties to their X post for more information on pricing and how to obtain the software. As with any closed-source software, we can only recommend that interested parties do their own due diligence on the safety of the software.
RDF-J is a Time Difference of Arrival (TDoA) and signal strength-based radio direction finding program, which utilizes multiple HackRF software-defined radios spread out over an area. Janble writes that the radio direction finding system can operate using either TDoA and signal strength methods independently or together, with a minimum of three nodes being required, and ideally five.
We clarified with Janble that the TDoA system uses a GPS synchronization approach to achieve the required timing accuracy.
The second program, part of the same package, is ECM-J, which is an electronic countermeasure system. It appears to use a HackRF to transmit a jamming signal. Obviously, jamming is illegal in most countries, so this is to be used at your own risk.
Janble has sent us a PDF showing the software in more detail, and they have uploaded a YouTube video, shown below.
Recently, M. Khanfar released a new free program, "Analog Radio Hunter," described as a "professional RF analysis and monitoring application built around GNU Radio and Fosphor." The software currently supports RTL-SDR, Airspy, and HackRF. Khanfar writes:
Analog Radio Hunter is a professional RF analysis and monitoring application built around GNU Radio and Fosphor.
It is designed to scan large RF spans, quickly lock onto active signals, and monitor analog transmissions with NFM, AM, or WFM audio demodulation.
Real-time FFT + waterfall spectrum display
Fast scan with dwell, pause-on-squelch, and skip-ignored channels
Detection list with hits, timestamps, and smart deactivation
Favorites profiles with monitor and favorites-only scan modes
Built-in recorder with auto-record and event log
Dedicated WFM broadcast receiver with presets
Multi-SDR device support (RTL-SDR, Airspy, HackRF) with auto-detect and device switching
NFM and AM audio demodulation (in addition to WFM)
Peak-follow in span (auto-tune to strongest signal inside the current MS/s window)
Frequency list filtering to skip/mute ignored channels
Scan and detection profiles (save/load named presets)
Favorites cooldown auto-reactivation for busy channels
Favorite TX tones (Tone 1-9), edge selection, and tone test buttons
Learning Mode hover guidance for faster onboarding
Status bar live metrics for Last, Active, Favorite, Peak SNR, and Level
Unique scanning and detection approach: Traditional sweep scanners only see the center frequency they step to. Analog Radio Hunter monitors an entire chunk of spectrum at once and reacts to peaks inside it. That is a major differentiator.
High-Impact Capabilities
Wide-span reactive scan engine that hunts activity across a full chunk, not one center point at a time.
One-click IQ capture and histogram visualization with follow and idle flow controls.
Carrier-resilient channel management using Smart Deactivate + favorites cooldown logic.
Field-ready setup speed using Auto Cal squelch and persistent live status metrics.
Operator-selectable audio routing to speakers, VB-Cable, or USB audio output devices.
Operational clarity from GUI color heatmaps, scan debug reasons, and learning-mode tips.
Signal Stability Filter: Logic and Tuning
Purpose: reject short squelch flicker and noisy open/close chatter before actions trigger.
Min Open (ms): raw squelch must stay open this long before stable-open is accepted.
Grace (ms): stable-open is held briefly after raw close to avoid tiny dropouts.
Apply targets: Detection, Rec+Alerts, Scan Hold, and optional Audio Out gating.
Start values: Min Open 150-250 ms, Grace 40-80 ms, then tune by channel behavior.
Like his other software, which we previously covered, it is free but not open source. Anti-virus programs may flag the software as suspicious due to heuristics. We believe this to be a false positive, but as with all software that isn't open source, we recommend being highly suspicious and only running it in a sandboxed environment like a VM to be sure.
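The Min Open / Grace behaviour listed under "Signal Stability Filter" above, written out as an added example. This is one reading of that description and not Analog Radio Hunter's code, which is closed source; the function names, the 10 ms sampling step and the sample squelch trace are constructed for illustration.

```python
# Added illustration of a Min Open / Grace squelch filter; not the program's code.

def stable_squelch(samples, min_open_ms=200, grace_ms=60):
    """Return [(t_ms, stable_open), ...] transitions for time-ordered (t_ms, raw_open)."""
    stable = False
    opened_at = None   # start of the current raw-open run
    closed_at = None   # first raw-closed sample while stable-open is held
    events = []
    for t, raw in samples:
        if raw:
            closed_at = None              # dropout ended inside the grace window
            if opened_at is None:
                opened_at = t
            # Min Open: raw squelch must stay open this long before we accept it.
            if not stable and t - opened_at >= min_open_ms:
                stable = True
                events.append((t, True))
        else:
            opened_at = None              # a short flicker never reaches Min Open
            if stable:
                if closed_at is None:
                    closed_at = t
                # Grace: hold stable-open briefly after raw close.
                if t - closed_at >= grace_ms:
                    stable = False
                    closed_at = None
                    events.append((t, False))
    return events


def build_samples(raw_open_spans, end_ms, step_ms=10):
    """Constructed input: raw squelch sampled every step_ms; spans are [start, stop) ms."""
    return [(t, any(a <= t < b for a, b in raw_open_spans))
            for t in range(0, end_ms, step_ms)]


# Constructed trace: 50 ms flicker, then a transmission with a 30 ms dropout.
SAMPLES = build_samples([(0, 50), (100, 500), (530, 800)], end_ms=1000)

if __name__ == "__main__":
    print(stable_squelch(SAMPLES))                              # filtered
    print(stable_squelch(SAMPLES, min_open_ms=0, grace_ms=0))   # raw chatter
```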