Tagged: LoRa

GridDown: An Offline-First Situational Awareness Platform with RTL-SDR, SARSAT, Meshtastic

Thank you to Cameron from BlackAtlas LLC for submitting their project GridDown, which is an open source Android tablet-based situational awareness system designed to operate without an internet connection. At its core, it appears to be a tablet with custom software, and then you can add sensors such as an RTL-SDR for ADS-B+Remote ID, a SARSAT receiver, and a Meshtastic ESP32-S3+SX1262 device. A demonstration of the UI can be found at https://griddown.blackatlas.tech.

Cameron writes:

[GridDown is] an offline-first situational awareness platform built for emergency preparedness, field response, and tactical operations in infrastructure-degraded environments — designed to work when cell towers are down, internet is unavailable, and operators are fully off-grid.

The platform is a Progressive Web App (~120,000 lines of vanilla JavaScript, no frameworks) that runs on Samsung Galaxy tablets, laptops/PCs, and works completely offline after initial setup. It's built by BlackAtlas LLC and is available for trial at https://griddown.blackatlas.tech.

The system has many facets to it, including:

  • Encrypted voice and text messaging via an ESP32-S3 with SX1262 LoRa transceiver
  • Passive RF sensing with the ESP32-S3 and SX1262.
  • Three passive drone detection methods: WiFi fingerprinting, FAA Remote ID reception, and 900 MHz control/telemetry link detection
  • Automatic gunshot detection via a ES7210 quad-channel I2S microphone on the ESP32-S3.
  • Automatic RF jamming detection
  • SARSAT beacon receiver
  • SSTV Encode/Decode
  • Meshtastic integration
  • APRS via Bluetooth TNC
  • ADS-B reception
  • RadioCode gamma spectrometer integration
  • Offline maps

ADS-B detection is handled by a Raspberry Pi 5 running an RTL-SDR Blog V4 dongle. Cameron writes:

The Pi connects to the tablet's built-in WiFi hotspot (no internet required — the hotspot functions as a local network only), and a Node.js bridge reads aircraft data from readsb and subscribes to the Remote ID receiver's MQTT output, then serves a unified WebSocket and REST API to the tablet. GridDown renders aircraft and drone tracks as heading-rotated silhouette icons on its offline map with altitude labels, age-based alpha fade, and emergency squawk alerting (7500/7600/7700). A 10,000 mAh USB-C PD battery provides approximately 5 hours of field runtime for the Pi.

The full setup script, hub bridge, and hotspot connection scripts ship with the project.

The software is dual-licensed, with it being open source GPL v3 (note that the GitHub link appears to be broken - we have asked for clarification) for non-commercial use, or a commercial licence for hardware bundles and business deployments. 

Alternatively, BlackAtlas LLC is selling ready-to-use kits, with the core tablet coming in at $799. Other bundles include the Tablet + SARSAT receiver for $1,299, the Tablet + Meshtastic bundle for $1,299, and the Tablet + ADS-B/Remote ID bundle for $1,999.

The GridDown Web Interface
The GridDown Web Interface

TEMPEST-LoRa: Emitting LoRa Packets from VGA or HDMI Cables

University researchers from China have recently shown in a research paper that it is possible to maliciously cause a VGA or HDMI cable to emit LoRa compatible packets by simply displaying a full-screen image or video. This has potential security implications as a malicious program could be used to leak sensitive information over the air, completely bypassing any internet or air-gap security systems.

In the past, we have demonstrated that TEMPEST techniques can be used to spy on monitors and security cameras by analyzing the unintentional signals they emit. This research takes the idea a step further by determining what particular images need to be displayed to create a LoRa packet with data. 

In the paper, the researchers mention using either off-the-shelf LoRa devices or low-cost SDRs such as the HackRF to receive the packets. The advantage of the SDR method is that it allows for customization of the frequency and the use of LoRa-like packets, which can achieve even longer ranges and higher data rates. The team show that they were able to achieve a receive range of up to 132 meters and up to 180 kbps of data rate.

TEMPEST-LoRa Test Setup
TEMPEST-LoRa Test Setup
(Demo video) TEMPEST-LoRa: Cross-Technology Covert Communication

Hackaday Supercon 2024: Microcontrollers Are Just Radios in Disguise

Thank you to RTL-SDR.COM reader David for letting us know about an excellent talk from Charles Lohr (@cnlohr) at the 2024 Hackaday Supercon about turning microcontrollers into radios by abusing their output GPIOs to create RF generators.

This talk explores ways to leverage every cycle of underpowered microcontrollers to get them doing the work of parts ten times their price, including operations normally done with dedicated radio hardware.

This is a concept we have seen quite often before in projects like RPiTX and Osmo-FL2K which turns a Raspberry Pi and cheap VGA adapter respectively, into an arbitrary RF signal transmitter with no transmit components required.

In his talk Charles Lohr takes this concept further, showing how almost any microcontroller like an ATTiny85, ESP8266, CH32v203, and ESP32-S2 can be turned into a transmitter. In the talk, Charles shows how he used the I2S bus on an ESP8266 to transmit NTSC color video to a TV and transmit LoRa via his LoLRa software. He then notes that he was able to use the ESP32-S2 to transmit LoRa over 2.5 miles away.

Finally, Charles shows how the CH32v203 microcontroller can also be used as a receiver. With some code he wrote he is able to display the received signal on an FFT computed directly on the CH32v203, and even have a web interface to tune to specific frequencies and playback AM audio.

Hackaday Supercon 2024 - Microcontrollers Are Just Radios in Disguise - Charles Lohr

CNLohr's own YouTube video on the topic is also an excellent overview.

How far can I broadcast LoRa packets WITHOUT a radio? - LoLRa

Tech Minds: Testing Meshtastic Compatible Lilygo LoRa Devices

In the latest video on the Tech Minds YouTube channel Matt tests out the Meshtastic software running on varius Lilygo LoRa devices. Meshtastic is software that can run on cheap LoRa hardware that enables off-grid mesh network based communications.

Being mesh network based means that there are no central repeaters, and instead each device can extend the range of the network by being a repeater itself. Meshtastic can run on various cheap 'Lilygo' branded LoRa devices that come in 433, 868 or 915 MHz license free frequencies depending on your regional band plan.

In his video Matt tests out various models in the Lilygo range, including a ESP32 based wrist watch and he also shows how to install the firmware on each using the online flasher.

Meshtastic Compatible Lilygo Lora Devices

Tech Minds: Demonstrating RTL_433 Running on ESP32 Devices

Earlier in the month we posted about how rtl_433 has been ported to ESP32 devices that are combined with CC1101 or SC127X transceiver chips, such as the low cost LILYGO LoRa 32 boards available on Aliexpress.

Over on YouTube Matt from the Tech Minds channel has uploaded a video showing how to set up rtl_433 on an ESP32 device, and how to set it up with a home automation service like Home Assistant, Node Red or OpenHAB via an MQTT broker.

RTL 433 ON ESP32 DEVICE - MQTT HOME ASSISTANT

rtl_433 ported to ESP32 microcontrollers with CC1101 or SX127X Transceiver Chips

Receiving wireless sensors operating in the unlicensed ISM band has been made almost universal with rtl_433 and RTL-SDRs. However, recently rtl_433 has been ported over for use on ESP32 microcontrollers that are combined with CC1101 or SC127X transceiver chips.

PCB boards that combine these two chips can be found cheaply on Aliexpress as LoRa boards, under the name "LILYGO LoRa 32". If you are unaware, ESP32 chips cheaply combine a WiFi and Bluetooth modem with a microcontroller that is capable of hosting a webserver. CC1101 and SC127X are low cost low power hardware transceiver chips made for IOT devices. We've posted about LILYGO boards in the past as they've been used with interesting projects such as Meshtastic, and for weather balloon tracking.

This project could be useful for home automation as a module has been made available for openMQTTGateway. Instead of dedicating a more powerful Raspberry Pi and RTL-SDR, you can now dedicate a much cheaper and much lower power device to the task. 

[Also seen on Hackaday.]

RTL_433 running on a LILYGO LoRa V2 Board
RTL_433 running on a LILYGO LoRa V2 Board

SDRangel Now Available on Android: Mobile ADS-B, AIS, APT, Digital Voice, POCSAG, APRS, RS41 Radiosonde Decoders

SDRangel is a free open source software defined radio program that is compatible with many SDRs, including RTL-SDRs. SDRAngel is set apart from other programs because of it's huge swath of built in demodulators and decoders.

Thank you to reader Jon for writing in and noting that SDRangel has recently been released for Android as a free Google Play download. This is an amazing development that could open up many doors into portable decoding setups as the Android version supports almost every decoder implemented on the desktop version. Jon writes:

It includes most of the functionality of the desktop version of SDRangel, including:

  • AM, FM, SSB, Broadcast FM and DAB, AIS, ADS-B, Digital Voice (DMR, dPMR, D-Star, FreeDV), Video (DVB-S, DVB-S2, NTSC, PAL), VOR, LoRa, M17, Packet (AX.25), Pager (POCSAG), Radiosonde (RS41), Time signal (MSF, DCF77, TDF and WWVB) modems.
  • RTL SDR, Airspy, Airspy HF, LimeSDR, HackRF and SDRplay support via USB OTG as well as networked SDRs
  • 2D and 3D signal analysis in both time and frequency domain with statistical measurements of SNR, THD, THD+N, SINAD, SFDR and channel power
  • Satellite tracker, star tracker, maps and rotator controller

It should work on Android 6 and up. It’s a straight port of the desktop application, so although it will run on a phone, probably best used on a large tablet with a stylus or mouse.

SDRangel on Android
SDRangel on Android
SDRangel

Evaluating LoRaWAN Security with an RTL-SDR

Over on their blog Trend Micro have uploaded a post describing how they evaluated the security of LoRaWAN communications using an RTL-SDR. LoRaWAN is a wireless communications technology that allows for Internet of Things (IoT) connectivity at a much lower cost compared to cellular infrastructure. However, as described in their post LoRaWAN incorporates very little security, making connected devices an easy target for hackers.

The researchers at Trend Micro used an RTL-SDR together with the LoRaPWN software tool which is an improved version of the LoRa Craft Project. With LoRaPWN the researchers were able to intercept uplink and downlink packets. Then when combined with a brute force dictionary attack, they were then able to recover the encryption keys allowing them to decode the data.  Finally they were also able to demonstrate a denial of service attack which results in a device being unable to send further data.

For more information the technical paper (pdf) describing their full setup and tests is available, as well as an older post describing possible LoRaWAN attacks. There is also a YouTube video from "The Things Conference" which we have embedded below. In the video researcher Sebastian Dudek presents some of his findings on LoRaWAN security.

An RTL-SDR Blog V3 Intercepting LoRaWAN packets.
LoRaPWNing: Practical radio attacks on LoRaWAN - Sebastian Dudek (Trend Micro)