On this weeks episode of SignalsEverywhere, host Corrosive tests out our KerberosSDR coherent RTL-SDR unit for radio direction finding. If you didn't already know KerberosSDR is our experimental 4x Coherent RTL-SDR product. With it, coherent applications like radio direction finding (RDF) and passive radar are possible. Together with the KerberosSDR direction finding Android app it is possible to visualize the direction finding data produced by a KerberosSDR running on a Pi3/Tinkerboard.
In the video Corrosive uses the KerberosSDR together with the recently updated companion Android app to determine the location of a P25 control channel. By driving around with the app constantly collecting data he's able to pinpoint the location within about 15 minutes.
In addition to his video, Corrosive has also created a very useful calculator that can be used to calculate the required antenna spacing for a circular or linear direction finding array that can be used with the KerberosSDR.
We have just released an updated version of the KerberosSDR Android direction finding app. If you didn't already know KerberosSDR is our experimental 4x Coherent RTL-SDR product. With it, coherent applications like radio direction finding (RDF) and passive radar are possible. Together with the KerberosSDR direction finding Android app it is possible to visualize the direction finding data produced by a KerberosSDR running on a Pi3/Tinkerboard.
The KerberosSDR hardware is currently in preorder status on Indiegogo for the second production batch, and we expect it to be ready to ship out this month. If you preorder then you'll be able to purchase a KerberosSDR at a reduced price of USD$130. After shipping for batch two begins the price will rise to USD$150.
The new version of the KerberosSDR Android app adds the following features:
Heatmap Grid Plotting
Precise TX location pinpointing when enough data points are gathered
Turn by turn navigation to the RDF bearing direction / TX location
Bearing moving average smoothing
To understand what these features are, we've released two demo videos showing them in action. In the first video we use the new features to find an 858 MHz TETRA transmitter, and in the second video we find a 415 MHz DMR transmitter. The first video explains the new features so we recommend watching that first.
KerberosSDR Radio Direction Finding: Heatmap + Auto Navigation to Transmitter Location Demo 1
KerberosSDR Radio Direction Finding: Heatmap + Auto Navigation to Transmitter Location Demo 2
Last week we posted about Micheal Ossmann and Schuyler St. Leger's talk on Pseudo-Doppler direction finding with the HackRF. The talk was streamed live from Schmoocon 18, but there doesn't seem to be an recorded version of the talk available as of yet. However, Hackaday have written up a decent summary of their talk.
In their direction finding experiments they use the 'Opera Cake' add-on board for the HackRF, which is essentially an antenna switcher board. It allows you to connect multiple antennas to it, and choose which antenna you want to listen to. By connecting several of the same type of antennas to the Opera Cake and spacing them out in a square, pseudo-doppler measurements can be taken by quickly switching between each antenna. During the presentation they were able to demonstrate their setup by finding the direction of the microphone used in the talk.
If/when the talk is released for viewing we will be sure to post it on the blog for those who are interested.
Over on YouTube a video titled “Hunting Rogue WiFi Devices using the HackRF SDR” has been uploaded. The talk is given by Mike Davis at the OWASP (Open Web Application Security Project) Cape Town. The talk’s abstract reads:
Rogue WiFi Access Points are a serious security risk for today’s connected society. Devices such as the Hak5 Pineapple, ESP8266-based ‘throwies’, or someone with the right WiFi card and software can be used to intercept users’ traffic and grab all of their credentials. Finding these rogue devices is a very difficult thing to achieve without specialised equipment. In this talk Mike will discuss the work he has been doing over the past year, to use the HackRF SDR as a RF Direction-finding device, with the goal of hunting down various malicious RF devices, including car remote jammers.
The talk starts off with the basics, explaining what the problems with WiFi devices are, what the HackRF and SDR is, and then goes on to explain some direction finding methods that Mike has been using.
Hunting rogue WiFi devices using the HackRF SDR – Part 1 of 2
Hunting rogue WiFi devices using the HackRF SDR – Part 2 of 2
Over on YouTube user Tatu Peltola has uploaded a video showing his RTL-SDR based phase correlative direction finder in action. This set up uses three RTL-SDR dongles and three antennas to measure phase differences and thus determine the direction towards a signal source. All three RTL-SDR’s must be coherent, meaning that all three of their 28.8 MHz clock signals must come from the same source.
In the video Tatu walks around the three antennas with a handheld radio. An arrow on a laptop screen points in the direction of the transmitter.
A known problem with RTL-SDR’s is that even with the clock sources synchronized there is still an unknown cause of additional phase shift. To solve this problem Tatu writes:
Each rtl-sdr is fed from the same reference clock to make their phase shift remain constant. They still have unknown phase shifts and sampling time differences relative to each other. This is calibrated by disconnecting them from antennas and connecting every receiver to the same noise source. Cross correlation of the noise gives their time and phase differences so that it can be corrected.
Over on Reddit, user tautology2 has linked to his project which is software that can create a heatmap of signal strengths. His software uses the data that is output from RTLSDR Scanner which is a program that will collect signal strength data over any desired bandwidth and at the same time also record GPS coordinates using an external GPS receiver. RTLSDR Scanner can also create a heatmap by itself, but tautology2’s heatmap is much clearer and has good web controls for choosing the heatmap signal frequency.
The RTLSDR scanner software has been updated and now supports connection to an external GPS receiver. With a GPS receiver attached to a laptop, the RTL-SDR can be used to make signal strength maps by driving around in a car and monitoring the radio spectrum with RTLSDR Scanner running. The signal strength map can then be viewed in Google Earth, a GIS program or any image viewer.
After checking for local causes of interference and finding nothing, they decided that the interferer must be coming from further away. To find the location of the jamming signal they did some radio direction finding. This involved driving around with Yagi and magnetic loop antennas and RTL-SDR and USRP N200 SDRs and then measuring the signal strength at various points.
For the software they used a custom GNURadio block which calculated the power spectra using the FFTW C library, and averaged the results to disk. They then post processed the data to calculated the RFI power, and correlated the data with GPS coordinates recorded on his phone.
After all the data was processed, they discovered that the interference originated from an FM radio tower which had a faulty FSK telemetry link. They notified the engineer responsible who then replaced the link and the interference disappeared.