Tagged: mobile

STARWAVES DRM SoftRadio: A new Android DRM Decoder for RTL-SDR, Airspy, SDRPlay

A new RTL-SDR compatible DRM decoding Android app called "STARWAVES DRM SoftRadio" has recently been released on the Google Play store for US$5.49, and on Amazon DE for EUR4.49. The author notes that a Windows version will also be published soon. Digital Radio Mondiale (DRM) is a type of digital audio shortwave radio signal that is used by some international shortwave radio broadcasters.

The STARWAVES DRM SoftRadio allows you to conveniently enjoy any DRM live radio broadcast on your Android smartphone or tablet. No Internet connection required. All you need is an SDR RF dongle or receiver connected to your device via USB.

DRM or Digital Radio Mondiale is the global digital radio standard used for all digital international transmissions as well as for national and local services in many countries. To learn more about DRM and its features visit www.drm.org.

The STARWAVES DRM SoftRadio is designed for ease-of-use and supports all core features of the DRM standard:

  • Listener-centric and easy to navigate app design and user interface
  • Multiple user interface languages. Currently supported: English, German, Simplified Chinese
  • Convenient frequency tuning and DRM Service selection
  • DRM Service labels and graphical service logos
  • Full service metadata: programme/app type, language, country of origin, etc.
  • All standardized DRM audio codecs incl. xHE-AAC with optimized tune-in performance for a quick start of audio playback
  • Journaline, DRM’s advanced text application, allows to interactively browse through latest news, sports and weather updates, programme background information and schedules, distance learning/RadioSchooling text books, travel information, and much more
  • Full Journaline feature set including hot-button interactivity, geo-references and embedded/linked images
  • Convenient and fast Journaline information access with update notifications for page-content (and automatic updates for menus), as well as persistent caching for instant content access when switching between DRM services
  • DRM text messages incl. DL+ support
  • Slideshow images
  • Unicode support for all textual elements: service labels, text messages, Journaline
  • DRM EWF – Emergency Warning Functionality within the DRM transmission: in case of an emergency alarm signal, automatically re-tunes from the current service to the emergency programme; presents the emergency audio along with multi-lingual Journaline content to provide in-depth instructions with interactive access and to serve non-native speakers or hearing impaired users

In addition, STARWAVES DRM SoftRadio is designed for maximum tuning flexibility and performance:

  • Free tuning to any DRM broadcast frequency
  • Supports all DRM frequency bands – from the former AM bands (LW/MW/SW) to the VHF bands (including the FM band), depending only on RF dongle functionality
  • Supports all DRM robustness modes (A-E), modulation parameters and on-air signal bandwidths
  • Optimized frequency tuning and re-sync performance
  • Graphical spectrum view to check the signal on the tuned frequency

For live reception, an SDR RF dongle must be connected to the device’s USB port (with USB host functionality). The following SDR RF dongle families are currently supported, along with a range of specifically tested models:

  • Airspy HF+ family: Airspy HF Discovery, Airspy HF+ (Dual Port). (Note: Airspy Mini and R2 are NOT supported.)
  • SDRplay family: SDRPlay RSP1A, SDRPlay RSPdx, SDRPlay RSPduo, SDRPlay RSP1, SDRPlay RSP2, SDRPlay RSP2pro, MSI.SDR Panadapter (Note: SDRPlay family support on Android is currently limited to the 32-bit version of this app.)
  • RTL-SDR family: The experimental support for RTL-SDR based RF dongles requires that you manually start a separate tool before opening this app (on standard port '14423'): the app 'SDR driver', which can be installed from the Google Play Store and other Android app stores.
Starwaves DRM Decoder App Screenshots

Eavesdropping on LTE Calls with a USRP Software Defined Radio

Ars Technica recently ran a story about how university researchers have been able to eavesdrop on LTE mobile phone calls using a USRP B210 software defined radio running the Airscope software. The technique exploits a flaw in how some LTE carriers' networks handle their keystream. A keystream is a stream of pseudorandom data that is XORed with the actual voice data to produce the encrypted data.

It turns out that many LTE carriers reuse the same keystream when two calls are made within a single radio connection. An attacker can record an encrypted conversation and then immediately call the victim after that conversation ends. Because the attacker knows the plaintext of their own call, they can recover the keystream from it, and as that keystream is identical to the one used for the first conversation, the first conversation can now be decoded.

The Ars Technica article, the original paper and a website created about the ReVoLTE technique and software go into detail about how the attack works. On the website the team explain the attack in simple terms:

The ReVoLTE attacks exploit the reuse of the same keystream for two subsequent calls within one radio connection. This weakness is caused by an implementation flaw of the base station (eNodeB). In order to determine how widespread the security gap was, we tested a number of randomly selected radio cells mainly across Germany but also other countries. The security gap affected 12 out of 15 base stations.

The ReVoLTE attack aims to eavesdrop the call between Alice and Bob. We will name this call the target or first call. To perform the attack, the attacker sniffs the encrypted radio traffic of Alice within the cell of a vulnerable base station. Shortly after the first call ends, the attacker calls Alice and engages her in a conversation. We name this the second call, or keystream call. For this call, the attacker sniffs the encrypted radio traffic of Alice and records the unencrypted sound (known plaintext).

For decrypting the target call, the attacker must now compute the following: First, the attacker xors the known plaintext (recorded at the attacker's phone) with the ciphertext of the keystream call. Thus, the attacker computes the keystream of the keystream call. Due to the vulnerable base station, this keystream is the same as for the target (first) call. In a second step, the attacker decrypts the first call by xoring the keystream with the first call's ciphertext. It is important to note that the attacker has to engage the victim in a longer conversation. The longer he/she talked to the victim, the more content of the previous communication he/she can decrypt. For example, if the attacker and victim spoke for five minutes, the attacker could later decode five minutes of the previous conversation.

The ReVoLTE Attack
Demonstration of the ReVoLTE attack in a commercial LTE network.
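The two XOR steps quoted above, as an added worked example (not code from the ReVoLTE team or from this post): a toy SHA-256 counter-mode keystream stands in for the LTE ciphers, `ENodeB(reuse_bearer=True)` models the flawed base station (the same bearer identity with a restarted COUNT for the second call, which is an assumption about the mechanism; the page only says the keystream is reused), and `reuse_bearer=False` shows the corrected behaviour, under which the same recovery yields nothing. The key and both call plaintexts are constructed sample values.

```python
import hashlib

def keystream(key: bytes, bearer: int, count: int, length: int) -> bytes:
    # Toy counter-mode keystream from SHA-256 (not an LTE EEA cipher). It keeps
    # the one property that matters here: equal (key, bearer, count) inputs
    # produce equal keystream bytes.
    out, block = b"", 0
    while len(out) < length:
        msg = key + bytes([bearer]) + count.to_bytes(4, "big") + block.to_bytes(4, "big")
        out += hashlib.sha256(msg).digest()
        block += 1
    return out[:length]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))  # result is as long as the shorter input

class ENodeB:
    """Radio-bearer handling of a base station for one radio connection (simplified)."""
    def __init__(self, key: bytes, reuse_bearer: bool):
        self.key, self.reuse_bearer, self.next_bearer = key, reuse_bearer, 1

    def new_call(self) -> int:
        # Flawed behaviour (assumed mechanism): the second call is given the same
        # bearer id and its COUNT restarts at 0, so the keystream repeats.
        if self.reuse_bearer:
            return 1
        # Corrected behaviour: a fresh bearer id per call, hence a fresh keystream.
        bearer, self.next_bearer = self.next_bearer, self.next_bearer + 1
        return bearer

    def encrypt(self, bearer: int, count: int, plaintext: bytes) -> bytes:
        return xor(plaintext, keystream(self.key, bearer, count, len(plaintext)))

def recover_target(known_pt: bytes, keystream_ct: bytes, target_ct: bytes) -> bytes:
    # Step 1 (quoted text): known plaintext XOR its ciphertext = keystream of call 2.
    ks = xor(known_pt, keystream_ct)
    # Step 2: XOR that keystream into call 1's ciphertext. Only as many bytes as
    # the keystream call lasted come back (the quoted "five minutes" point).
    return xor(ks, target_ct)

TARGET = b"first call: the confidential conversation"  # constructed sample, call 1
KNOWN = b"hello Alice, got a minute?"                    # constructed sample, call 2

def simulate(reuse_bearer: bool) -> bytes:
    enb = ENodeB(key=b"\x01" * 16, reuse_bearer=reuse_bearer)  # constructed key
    target_ct = enb.encrypt(enb.new_call(), 0, TARGET)    # call 1: only ciphertext seen
    keystream_ct = enb.encrypt(enb.new_call(), 0, KNOWN)  # call 2: plaintext is known
    return recover_target(KNOWN, keystream_ct, target_ct)
```

With the flaw modelled, `simulate(True)` returns exactly the first `len(KNOWN)` bytes of `TARGET`; with a fresh bearer per call it returns unrelated bytes, which is the check a fix for this class of bug has to pass.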

Trump Tweets about Pushed Buffalo Protestor Scanning to Jam Police Radios with an RTL-SDR and Android Phone

In political news, 75-year-old Buffalo protestor Martin Gugino has been generating controversy due to a video of him being pushed to the ground by a police officer, then lying motionless while bleeding from the head and being ignored by other officers.

Recently US president Donald Trump tweeted about a video news report by "One America News" (OAN) indicating that Gugino may have been trying to scan police with a "capture scanner". While talking about the capture scanner they show an image of an RTL-SDR dongle and an Android phone running the SDR Touch software. OAN go on to say that these capture scanners are designed to "skim microphones" in order to capture police communications, and are a tool commonly used by Antifa. Credit to @hackerfantastic for initially tweeting about the RTL-SDR being featured in the video.

Trump's tweet reads "Buffalo protester shoved by Police could be an ANTIFA provocateur. 75 year old Martin Gugino was pushed away after appearing to scan police communications in order to black out the equipment @OANN
I watched, he fell harder than was pushed. Was aiming scanner. Could be a set up?".

We're not entirely sure where this OAN theory came from, as there is no need to get so close in order to listen to police radio communications: if unencrypted, they can be received from anywhere in the city. It's also unclear what microphones police would be using, and how these could be "skimmed" with an RTL-SDR. As for blacking out the equipment, an RTL-SDR cannot transmit, so it is impossible to use it to jam radios. An illegal jammer could be used after scanning, but police frequencies are already well known anyway, so there would be no need to scan for them from so close, even if low-power comm links were used.

The video also shows that he appears to be filming police badge numbers with his phone before he was pushed, so it is unlikely that he was using an RTL-SDR and running SDR Touch at the same time as the camera app. No cables, antenna or dongle can be seen in the video either.

In the past we have seen a Slovenian researcher almost jailed for performing University research with an RTL-SDR, and a UN expert arrested for possessing an RTL-SDR in Tunisia. So this is a timely reminder to be careful as police and media do not always understand what an SDR is.

EDIT: Please note that this is not a political post or blog. We only post it to highlight the severe lack of understanding that can surround SDR and our technical hobbies. Comments inciting violence against protestors or anyone are NOT OK, and will be removed. Please keep discussions technical and civil in nature.

OAN indicates that Martin Gugino may have used an RTL-SDR "capture scanner" on police

New Apple iOS (iPhone/iPad) RTL-SDR rtl_tcp Client App in Beta Testing

Over on our forums poster hotpaw2 has released news about his new RTL-SDR app for iOS (iPhones/iPads). If we're not mistaken, this will be the first app that enables RTL-SDR usage on iOS. However, as iOS devices don't allow RTL-SDRs (or any arbitrary USB device) to connect directly, you still need to use a Raspberry Pi or other network connected computing device as an rtl_tcp server. So the RTL-SDR does not plug directly into the iOS device. Currently he is looking for beta testers to help test a pre-release of the software. Hotpaw2 writes:

Hi. A first version of my iOS SDR app is nearing completion. So I'm interested in finding a few users who would like to beta test a pre-release of the app, and provide some feedback. The beta test requirements are having a 64-bit iOS device (iPhone or iPad) running iOS 11.2.x or newer, having Apple's TestFlight app installed, having a Mac, PC, Raspberry Pi (or other Linux box) that already has rtl_tcp installed and ready to run. (And an RTL-SDR obviously.) The rtl_tcp server must be on a fast WiFi network reachable by your iOS device. Note that iOS TestFlight app distributions do have an expiration date.

iOS does not recognize arbitrary USB devices such as an RTL-SDR. This is even true when using Apple's Lightning Camera Connection kit to provide an iPhone with a wired USB port. So an adapter must be used. I use a headless Raspberry Pi 3 running rtl_tcp as the USB adapter to provide raw IQ samples from the RTL-SDR to the iOS app. A Raspberry Pi Zero W would also work. I then connect to the server either over WiFi, or via wired ethernet. 

This iOS SDR app is fairly simple. I've been experimenting with developing low-level DSP code in Swift. So this SDR app was written from scratch in the Swift programming language. Because the app is targeted for the iOS App store, it uses none of the existing SDR C++ code base. 

The app currently demodulates AM, N-FM, and mono W-FM. It also displays a spectrum and rudimentary waterfall, and allows one to swipe-to-tune. There are not a lot of controls, as screen real-estate on an iPhone is quite limited. But I can walk around the house and, from my iPhone, monitor if my RTL-SDR or AirSpy HF+ are picking up any interesting signals.

Contact info for beta testing can be found here: http://www.hotpaw.com/rhn/hotpaw/ 

Source code to librtlsdr and rtl_tcp can be found in many repositories on github, but zero support for finding or installing such, and/or setting up your Raspberry Pi, will be provided by me.

Screenshot of the RTL-SDR iOS app


A Portable SDR Transceiver with LimeSDR Mini, Android Phone and QRadioLink

QRadioLink is a Linux and Android compatible radio app that can run on smartphones. It can be used to receive and transmit digital radio signals with a compatible SDR such as an RTL-SDR (RX only), or a LimeSDR Mini (TX and RX). The following video by Adrian M shows QRadioLink running on an Android phone with a LimeSDR Mini connected to it. An external battery pack is also connected to maintain power levels over a longer time.

In the video Adrian shows how this combination can be used as a fully portable radio transceiver. The video first shows him receiving broadcast FM, digital amateur radio voice (Codec2 & Opus is supported), narrowband FM and SSB signals. Later in the video he transmits a digital voice signal using the microphone on his Android phone. He notes that an external amplifier would still be needed if you wanted more transmission power.

Portable SDR transceiver: LimeSDR-mini, mobile phone and QRadioLink


Video showing SMS Texts and Voice Calls being sniffed with an RTL-SDR

Over on YouTube user Osama SH has uploaded a video briefly showing the steps needed to use an RTL-SDR dongle to sniff some SMS text messages and voice calls made from his own phone. This can be done if some encryption data is known about the phone sending the messages, so it cannot be used to listen in on any phone – just ones you have access to. In the video he uses Airprobe and Wireshark to initially sniff the data, and find the information needed to decode the text message. Once through the process he is able to recover the SMS message and some voice audio files.

Sniffing and Analyzing GSM Signals with GR-GSM

Over a year ago we wrote a tutorial on how to analyze GSM cellular phone signals using an RTL-SDR, a Linux computer with GNU Radio, Wireshark and a GSM decoder called Airprobe. With this combination it is possible to easily decode GSM system messages. Setting up Airprobe can be difficult, as it is unmaintained and incompatible with the newer version of GNU Radio without patches.

Now a new software package called gr-gsm has been released on GitHub, which seems to be a newer and improved version of Airprobe. The gr-gsm software is also much easier to install, uses the newer GNU Radio 3.7 and seems to decode the system data with much less trouble than Airprobe did. We will soon update our tutorial to use gr-gsm, but the instructions on GitHub are already quite good. The author of gr-gsm also appears to be actively adding new features to the software. The video below shows gr-gsm in action.

Sniffing GSM data with gr-gsm and cheap RTL-SDR receivers

SDR Touch Updated to Version 2.0

SDR Touch, the popular Android based software defined radio software for the RTL-SDR has been updated to version 2.0. This new version is a complete rewrite with many optimizations listed below.

  • 100% rewritten from scratch
  • Improved reception sensitivity and quality
  • Optimized engine
  • GUI overhaul (Landscape mode, more flexible)
  • 16 bit audio
  • FIR filtering

The author also writes that the rewrite allows for new features coming out in the future such as adjustable bandwidth, FFT size, plugins and a separate GUI for in-car use. SDR Touch is available from the Android Play store.

SDR Touch Android GUI for RTL-SDR