As most people will be aware, it is not currently possible to connect an RTL-SDR dongle directly to an Apple mobile device. So the app is designed to be used with an instance of rtl_tcp running on a Mac, PC or maybe a raspberry pi.
It is also possible to install the app directly on an Apple Silicon Mac, that is, one with an M1, M2 or later chip. In that situation rtl_tcp can of course be hosted on the same Mac too if needed.
Anyone needing help with this app or any of our existing Android SDR apps should contact [email protected]
For comparison, the Android version is available here:
OsmocomBB is an open-source project that replaces the stock baseband firmware on old Motorola phones (C118, C139, etc.) that use the Texas Instruments Calypso chipset. By flashing custom "layer23" firmware over serial, these cheap legacy handsets become capable of accessing raw GSM radio data at the baseband level, enabling cell scanning, burst capture, and passive subscriber identity harvesting.
SPECTRAL-GSM builds on this by wrapping OsmocomBB into a full GSM intelligence suite controlled from a single browser tab. The system supports up to five phones simultaneously and provides a structured pipeline: scan local GSM cells, capture raw bursts on a target channel, crack the A5/1 encryption using rainbow tables on a 2 TB SSD, and then use the recovered session key for real-time voice and SMS decryption. Additional modules handle passive IMSI catching, targeted single-IMSI surveillance, silent SMS location probing via a USB modem, and OpenCellID cell tower mapping.
The developer notes that the platform is intended for authorized research, law enforcement, and educational use. At the moment, Mini0com has not provided a link or website to the software, only providing a PDF file, and video demonstrations of the system on their YouTube channel. Contact details for Mini0com can be found in the description on the YouTube videos below.
Spectral-GSM OsmocomBB
OTP Capture Demonstration Using Spectral-GSM OsmocomBB
Thank you to reader "EN53" for submitting news about a newly released open source Android app called Pocket 25. Pocket 25 is an Android-based APCO Project 25 (P25) phase 1 digital voice decoder based on the DSD-Neo decoder engine. It was developed by Sarah Rose (aka SignalsEverywhere), whose other software we have posted about in the past.
APCO P25 phase 1 trunked digital voice systems are commonly used in the United States, Canada, Australia, and other countries by emergency services. As long as the P25 network is unencrypted, it is commonly decoded to audio with an RTL-SDR and decoding software such as DSDPlus or SDRTrunk.
Pocket 25 allows users to now decode P25 signals on portable Android devices. An RTL-SDR can be connected to an Android device via a USB-OTG cable, or a remote networked RTL-SDR can be used via an rtl_tcp connection. The app also supports RadioReference accounts, automatic GPS site hopping, smart filtering, and logging.
In the readme, Sarah also notes that, because Pocket 25 is based on the DSD-Neo engine, it supports additional digital voice protocols, including DMR, NXDN, and others. However, the interface is designed around P25, so non-P25 systems may show incorrect metadata.
The software is open source and the code can be found on GitHub. There is also an active discussion about the app on RadioReference.
Recently, Sarah Rose Giddings (aka SignalsEverywhere) has been actively developing several radio and SDR based projects for Android, and she would like to provide an update on them.
First, as mentioned in a previous post, Sarah has been developing APRS.chat, an online mailbox system for APRS messages sent over RF. She has also been making progress on various other projects, including several useful Android apps, and she brings interested people up to date on them in her latest livestream.
Hangout Chat | Linux | HackRF NTSC Transmission | Android APPS and More!
Some of the links to the Android software she's working on have been provided below:
Thank you to James Mainwaring of Knowle Consultants for submitting news of the release of his latest Android app called "Spectrum SDR" for RTL-SDR. Knowle Consultants have previously released a range of RTL-SDR Android apps for FM, Airband, Ham FM and ADS-B reception. The new Spectrum SDR app has a spectrum viewer, as well as the ability to demodulate AM and FM signals.
James writes the following about Spectrum SDR:
This application is about having a bit of fun with those amazing little RTL-SDR dongles, whilst listening to AM/FM radio signals. It's nice and easy to use so why not give it a try?
Covers the full frequency range of your RTL-SDR dongle
AM and FM, wide and narrow
FFT display
Sample rates 240000 Hz to 2160000 Hz
Bias tee control
75 presets over 5 pages
Gain controls
Squelch
Built-in help
A new RTL-SDR compatible DRM decoding Android app called "STARWAVES DRM SoftRadio" has recently been released on the Google Play store for US$5.49, and on Amazon DE for EUR4.49. The author notes that a Windows version will also be published soon. Digital Radio Mondiale (DRM) is a type of digital audio shortwave radio signal that is used by some international shortwave radio broadcasters.
The STARWAVES DRM SoftRadio allows you to conveniently enjoy any DRM live radio broadcast on your Android smartphone or tablet. No Internet connection required. All you need is an SDR RF dongle or receiver connected to your device via USB.
DRM or Digital Radio Mondiale is the global digital radio standard used for all digital international transmissions as well as for national and local services in many countries. To learn more about DRM and its features visit www.drm.org.
The STARWAVES DRM SoftRadio is designed for ease-of-use and supports all core features of the DRM standard:
Listener-centric and easy to navigate app design and user interface
Multiple user interface languages. Currently supported: English, German, Simplified Chinese
Convenient frequency tuning and DRM Service selection
DRM Service labels and graphical service logos
Full service metadata: programme/app type, language, country of origin, etc.
All standardized DRM audio codecs incl. xHE-AAC with optimized tune-in performance for a quick start of audio playback
Journaline, DRM’s advanced text application, allows you to interactively browse through the latest news, sports and weather updates, programme background information and schedules, distance learning/RadioSchooling text books, travel information, and much more
Full Journaline feature set including hot-button interactivity, geo-references and embedded/linked images
Convenient and fast Journaline information access with update notifications for page-content (and automatic updates for menus), as well as persistent caching for instant content access when switching between DRM services
DRM text messages incl. DL+ support
Slideshow images
Unicode support for all textual elements: service labels, text messages, Journaline
DRM EWF – Emergency Warning Functionality within the DRM transmission: in case of an emergency alarm signal, automatically re-tunes from the current service to the emergency programme; presents the emergency audio along with multi-lingual Journaline content to provide in-depth instructions with interactive access and to serve non-native speakers or hearing impaired users
In addition, STARWAVES DRM SoftRadio is designed for maximum tuning flexibility and performance:
Free tuning to any DRM broadcast frequency
Supports all DRM frequency bands – from the former AM bands (LW/MW/SW) to the VHF bands (including the FM band), depending only on RF dongle functionality
Supports all DRM robustness modes (A-E), modulation parameters and on-air signal bandwidths
Optimized frequency tuning and re-sync performance
Graphical spectrum view to check the signal on the tuned frequency
For live reception, an SDR RF dongle must be connected to the device’s USB port (with USB host functionality). The following SDR RF dongle families are currently supported, along with a range of specifically tested models:
Airspy HF+ family: Airspy HF Discovery, Airspy HF+ (Dual Port). (Note: Airspy Mini and R2 are NOT supported.)
SDRplay family: SDRPlay RSP1A, SDRPlay RSPdx, SDRPlay RSPduo, SDRPlay RSP1, SDRPlay RSP2, SDRPlay RSP2pro, MSI.SDR Panadapter (Note: SDRPlay family support on Android is currently limited to the 32-bit version of this app.)
RTL-SDR family: The experimental support for RTL-SDR based RF dongles requires that you manually start the following separate tool before opening this app (on standard port '14423'): The app 'SDR driver' can be installed from the Google Play Store and other Android app stores.
Ars Technica recently ran a story about how University researchers have been able to eavesdrop on LTE mobile phone calls using a USRP B210 software defined radio which runs the Airscope software. The technique exploits a flaw in how some LTE carriers are implementing their keystream. A keystream is a stream of random data combined with the actual voice data, resulting in encrypted data.
It turns out that many LTE carriers reuse the same keystream when two calls are made within a single radio connection. An attacker can then record an encrypted conversation, then immediately call the victim after that conversation. Because the attacker knows the plaintext of their own call, they can recover the keystream from it, and as that keystream is identical to the one used for the first conversation, the first conversation can now be decoded.
The ReVoLTE attacks exploit the reuse of the same keystream for two subsequent calls within one radio connection. This weakness is caused by an implementation flaw of the base station (eNodeB). In order to determine how widespread the security gap was, we tested a number of randomly selected radio cells mainly across Germany but also other countries. The security gap affected 12 out of 15 base stations.
The ReVoLTE attack aims to eavesdrop the call between Alice and Bob. We will name this call the target or first call. To perform the attack, the attacker sniffs the encrypted radio traffic of Alice within the cell of a vulnerable base station. Shortly after the first call ends, the attacker calls Alice and engages her in a conversation. We name this second call, or keystream call. For this call, the attacker sniffs the encrypted radio traffic of Alice and records the unencrypted sound (known plaintext).
For decrypting the target call, the attacker must now compute the following: First, the attacker xors the known plaintext (recorded at the attacker's phone) with the ciphertext of the keystream call. Thus, the attacker computes the keystream of the keystream call. Due to the vulnerable base station, this keystream is the same as for the target (first) call. In a second step, the attacker decrypts the first call by xoring the keystream with the first call's ciphertext. It is important to note that the attacker has to engage the victim in a longer conversation. The longer he/she talked to the victim, the more content of the previous communication he/she can decrypt. For example, if the attacker and victim spoke for five minutes, the attacker could later decode five minutes of the previous conversation.
The ReVoLTE Attack
Demonstration of the ReVoLTE attack in a commercial LTE network.
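The two XOR steps described above, worked through in a small simulation. This is an added example, not code from the ReVoLTE researchers or from this blog; the keystream generator is a SHA-256 stand-in for the real LTE EEA algorithms, and the session key and "audio" byte strings are constructed. It shows why a reused keystream leaks the earlier call only up to the length of the known plaintext, and why a fresh bearer identity per call (the corrected eNodeB behaviour) leaves the attacker with nothing usable.

```python
import hashlib

TARGET_PT = b"Alice: the meeting is moved to Friday at ten."                    # constructed first-call audio
ATTACKER_PT = b"Hi Alice, this is a survey call, do you have a minute to talk?"  # constructed keystream-call audio


def keystream(key: bytes, bearer: int, count: int, length: int) -> bytes:
    """Toy stand-in for the LTE EEA keystream generator (constructed for this example,
    not EEA1/EEA2/EEA3): pseudo-random bytes derived from the session key plus the
    per-call parameters (bearer identity, packet count) that are meant to make every
    keystream unique."""
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hashlib.sha256(key + bytes([bearer]) + count.to_bytes(4, "big")
                              + block.to_bytes(4, "big")).digest()
        block += 1
    return bytes(out[:length])


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt(plaintext: bytes, key: bytes, bearer: int, count: int) -> bytes:
    # Stream cipher: ciphertext = plaintext XOR keystream
    return xor(plaintext, keystream(key, bearer, count, len(plaintext)))


def recover_target_call(target_ct: bytes, keystream_ct: bytes, known_pt: bytes) -> bytes:
    """Step 1: known plaintext XOR its ciphertext yields the keystream of the keystream call.
    Step 2: that keystream XOR the target call's ciphertext yields the target plaintext.
    Recovery stops at the length of the known plaintext, which is why a longer keystream
    call exposes more of the earlier call."""
    n = min(len(known_pt), len(keystream_ct), len(target_ct))
    ks = xor(known_pt[:n], keystream_ct[:n])
    return xor(target_ct[:n], ks)


def simulate(reuse_keystream: bool, known_len=None) -> bytes:
    key = b"constructed-session-key"  # constructed stand-in for the session key
    target_ct = encrypt(TARGET_PT, key, bearer=1, count=0)
    # Vulnerable base station: the second call in the same radio connection reuses the
    # bearer identity and count. Corrected behaviour: a fresh bearer identity per call.
    bearer = 1 if reuse_keystream else 2
    keystream_ct = encrypt(ATTACKER_PT, key, bearer=bearer, count=0)
    known = ATTACKER_PT if known_len is None else ATTACKER_PT[:known_len]
    return recover_target_call(target_ct, keystream_ct, known)


if __name__ == "__main__":
    print(simulate(True))       # full first call recovered
    print(simulate(True, 20))   # only the first 20 bytes recovered
    print(simulate(False))      # garbage: keystreams differ
```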
In political news 75 year old Buffalo protestor Martin Gugino has been generating controversy due to a video of him being pushed to the ground by a police officer, then subsequently lying motionless while bleeding from the head and being ignored by other officers.
Trump's tweet reads "Buffalo protester shoved by Police could be an ANTIFA provocateur. 75 year old Martin Gugino was pushed away after appearing to scan police communications in order to black out the equipment @OANN I watched, he fell harder than was pushed. Was aiming scanner. Could be a set up?".
We're not entirely sure where this theory from OAN came from as there is no need to get so close in order to listen to police radio communications, since if unencrypted, they can be listened to from anywhere in the city. It's also unclear as to what microphones police would be using, and how these could be "skimmed" with an RTL-SDR. As for blacking out the equipment, an RTL-SDR cannot transmit so it would be impossible to use to jam the radios. An illegal jammer could be used after scanning, but police frequencies are already well known anyway, and there would be no need to scan for them so close even if low power comm links were used.
The video also shows that he appears to be filming police badge numbers with his phone before he was pushed, so it is unlikely that he was using an RTL-SDR and running SDR Touch at the same time as the camera app. No cables, antenna or dongle can be seen in the video either.
EDIT: Please note that this is not a political post or blog. We only post it to highlight the severe lack of understanding that can surround SDR and our technical hobbies. Comments inciting violence against protestors or anyone are NOT OK, and will be removed. Please keep discussions technical and civil in nature.
OAN indicates that Martin Gugino may have used an RTL-SDR "capture scanner" on police