The RTL-SDR compatible multi-mode digital decoder OpenEar has recently been updated to version 1.6. The latest version currently supports the decoding of FM/AM, TETRA, DMR, Pocsag and ADS-B. New features include a zoomable waterfall and other GUI and functionality improvements. The changelog reads:
6/4/2020 version 1.6.0 - saving last settings - waterfall - zoom on spectrum and waterfall with mouse wheel - better list placement (pocsag & ads-b) - wav(I/Q) loading (only 1024000 Sample/sec) - voice volume & mute button - spectrum range and offset - rtl gain and correction (ppm) - top menu - frequency list - some DMR improvement on SYNC detection - solved center frequency issue (DC problem) - and other few UI improvements
Back in March we posted about "OpenEar" which was a newly released Windows TETRA decoder for RTL-SDR dongles. Back then the author "moneriomaa" noted that he planned to add several new modes. In the release that is currently available, OpenEar now supports TETRA, DMR, Pocsag, ADS-B as well as standard AM and NFM modes. We tested the software, and all modes appear to decode as advertised. In the future the author plans to add more modes such as MPT-1327 and AERO.
In the previous post we added an update noting that OpenEar appeared to be violating the GPL licence of OsmocomTETRA, and the author noted that he would remove the TETRA functionality until licencing was resolved. As TETRA decoding is back in the recent releases we assume these legal issues have been solved.
In the current release you also need to provide your own rtlsdr.dll file, which can be obtained from your SDR# folder, or directly from the Osmocom windows release (rename librtlsdr.dll to rtlsdr.dll).
Over on YouTube user HackedExistence has uploaded a video explaining how POCSAG pager signals work, and he also shows some experiments that he's been performing with his HackRF PortaPack and an old pager.
The Portapack is an add on for the HackRF SDR that allows the HackRF to be used without the need for a PC. If you're interested in the past we reviewed the PortaPack with the Havok Firmware, which enables many TX features such as POCSAG transmissions.
POCSAG is a common RF protocol used by pagers. Pagers have been under the scrutiny of information security experts for some time now as it is common for hospital pagers to spew out unencrypted patient data [1][2][3] into the air for anyone with a radio and computer to decode.
In the video HackedExistence first shows that he can easily transmit to his pager with the HackRF PortaPack and view the signals on the spectrum with an RTL-SDR. Later in the video he explains the different types of pager signals that you might encounter on the spectrum, and goes on to dissect and explain how the POCSAG protocol works.
Canadian based researchers from the "Open Privacy Research Society" recently rang the alarm on Vancouver based hospitals who have been broadcasting patient data in the clear over wireless pagers for several years. These days almost all radio enthusiasts know that with a cheap RTL-SDR, or any other radio, it is possible to receive pager signals, and decode them using a program called PDW. Pager signals are completely unencrypted, so anyone can read the messages being sent, and they often contain sensitive pager data.
Open Privacy staff disclosed their findings in 2018, but after no action was taken for over a year they took their findings to a journalist.
Encryption is available for pagers, but upgrading the network and pagers to support it can be costly. Pagers are also becoming less common in the age of mobile phones, but they are still commonly used in hospitals in some countries due to their higher reliability and range.
In the past we've seen several similar stories, such as this previous post where patient data was being exposed over the pager network in Kansas City, USA. There was also an art installation in New York called Holypager, that continuously printed out all pager messages that were received with a HackRF for gallery patrons to read.
HolyPager Art Installation. HackRF One, Antenna and Raspberry Pi seen under the shelf.
Pager systems are famously known to be insecure, and due to the lack of encryption and high transmit power anyone with an RTL-SDR or other SDR can receive and decode pager messages. The users of pagers are mostly hospitals and doctors, and IT infrastructure professionals who need to be notified of server warnings and errors quickly. We have a text tutorial on decoding these messages with an RTL-SDR available here, and there are several previousposts discussing how insecure they are.
If you prefer a video tutorial, M6LME on YouTube has recently uploaded one where he explains the PDW pager decoding software, the VB-Audio 'banana' audio mixing software, and how to use SDR-Console with an RTL-SDR and the aforementioned software to receive and decode the signal.
How to Decode POCSAG & FLEX using an RTL-SDR Dongle
RPiTX is software for the Raspberry Pi which can turn it into a 5 kHz to 1500 MHz transmitter which can transmit any arbitrary signal. In order to transmit the software does not require any additional hardware apart from a wire plugged into a GPIO pin on the expansion header. It works by modulating the GPIO pin with square waves in such a way that the desired signal is generated. However, although additional hardware isn't required, if RPiTX is to be used in any actual application a band-pass filter is highly recommended in order to remove any harmonics which could interfere and jam other radio systems.
Earlier this month RPiTX was upgraded to version 2. One of the changes is a new GUI for testing the various transmission modes. Currently it is possible to transmit a chirp, FM with RDS, USB, SSTV, Opera, Pocsag, SSTV, Freedv. There is also a spectrum painter which allows you to display an image on a SDR's waterfall.
The RPiTX V2 GUIPainting an Image on a SDR Waterfall Display with RPiTX v2
The RPiTX v2 update also makes recording a signal with an RTL-SDR, and replaying that signal with RPiTX significantly easier. Previously it was necessary to go through a bunch of preprocessing steps (as described in our previous tutorial) in order to get a transmittable file, but now RPiTX is capable of transmitting a recorded IQ file directly. This makes copying things like 433 MHz ISM band remotes significantly easier. One application might be to use RPiTX as an internet connected home automation tool which could control all your wireless devices.
Finally, another application of the RPiTX and RTL-SDR combination is a live RF relay. The software is able to receive a signal at one frequency from the RTL-SDR, and then re-transmit it at another frequency in real time. Additionally, it is also capable of live transmodulation, where it receives an FM radio station, demodulates and then remodulates it as SSB to transmit on another frequency.
The RPiTX V2 RTL-SDR MenuRPiTX v2 re-transmitting a broadcast FM signal live at 434 MHz.
Over on YouTube Jack Riley has created a video that documents his system which uses an RTL-SDR to receive POCSAG pager messages and forward messages sent to specific pager addresses to an email address. He uses his RTL-SDR on a Raspberry Pi, together with rtl_fm and multimon-ng to receive and decode the pager messages.
Then using a custom program that is available on his website he filters messages for a particular 'capcode' which indicates the address of a particular pager. When a pager message to the specified capcode address is received, the program turns the message into an email which is instantly sent out.
This is a nice way to forward pager messages on to a more modern device such as a smart phone.
Creating a Pager using a Raspberry Pi and RTL-SDR to send alerts via Email.
Over on YouTube the web show Hacker Warehouse have created a video explaining wireless pagers and how RTL-SDRs can be used to sniff them. In the video host Troy Brown starts by explaining what pagers are and how they work, and then he shows how to decode them with SDR# and PDW. We have a tutorial on this project available here too.
Later in the video he shows some examples of pager messages that he's received. He shows censored messages such as hospital patient data being transmitted in plain text, sports scores, a memo from a .gov address claiming allegations of abuse from a client, office gossip about a hookup, a message about a drunk man with a knife, a message from a Windows server with IP address and URL, a message from a computer database, and messages from banks.
In the past we've also seen an art installation in New York which used SDR to highlight the blatant breach of privacy that these pager messages can contain.
