Tagged: radio direction finding

Pseudo-Doppler Direction Finding with a HackRF and Opera Cake

Last week we posted about Micheal Ossmann and Schuyler St. Leger's talk on Pseudo-Doppler direction finding with the HackRF. The talk was streamed live from Schmoocon 18, but there doesn't seem to be an recorded version of the talk available as of yet. However, Hackaday have written up a decent summary of their talk.

In their direction finding experiments they use the 'Opera Cake' add-on board for the HackRF, which is essentially an antenna switcher board. It allows you to connect multiple antennas to it, and choose which antenna you want to listen to. By connecting several of the same type of antennas to the Opera Cake and spacing them out in a square, pseudo-doppler measurements can be taken by quickly switching between each antenna. During the presentation they were able to demonstrate their setup by finding the direction of the microphone used in the talk.

If/when the talk is released for viewing we will be sure to post it on the blog for those who are interested.

OperaCake running with four antennas
OperaCake running with four antennas
Schyler's Poster on Pseudo Doppler from GNU Radio Con 17.
Schyler's Poster on Pseudo Doppler from GNU Radio Con 17.

 

YouTube Talk: Hunting Rogue WiFi Devices using the HackRF SDR

Over on YouTube a video titled “Hunting Rogue WiFi Devices using the HackRF SDR” has been uploaded. The talk is given by Mike Davis at the OWASP (Open Web Application Security Project) Cape Town. The talk’s abstract reads:

Rogue WiFi Access Points are a serious security risk for today’s connected society. Devices such as the Hak5 Pineapple, ESP8266-based ‘throwies’, or someone with the right WiFi card and software can be used to intercept users’ traffic and grab all of their credentials. Finding these rogue devices is a very difficult thing to achieve without specialised equipment. In this talk Mike will discuss the work he has been doing over the past year, to use the HackRF SDR as a RF Direction-finding device, with the goal of hunting down various malicious RF devices, including car remote jammers.

The talk starts off with the basics, explaining what the problems with WiFi devices are, what the HackRF and SDR is, and then goes on to explain some direction finding methods that Mike has been using. 

Hunting rogue WiFi devices using the HackRF SDR - Part 1 of 2

Hunting rogue WiFi devices using the HackRF SDR - Part 2 of 2

An RTL-SDR Phase Correlative Direction Finder

Over on YouTube user Tatu Peltola has uploaded a video showing his RTL-SDR based phase correlative direction finder in action. This set up uses three RTL-SDR dongles and three antennas to measure phase differences and thus determine the direction towards a signal source. All three RTL-SDR’s must be coherent, meaning that all three of their 28.8 MHz clock signals must come from the same source. 

In the video Tatu walks around the three antennas with a handheld radio. An arrow on a laptop screen points in the direction of the transmitter.

A known problem with RTL-SDR’s is that even with the clock sources synchronized there is still an unknown cause of additional phase shift. To solve this problem Tatu writes:

Each rtl-sdr is fed from the same reference clock to make their phase shift remain constant. They still have unknown phase shifts and sampling time differences relative to each other. This is calibrated by disconnecting them from antennas and connecting every receiver to the same noise source. Cross correlation of the noise gives their time and phase differences so that it can be corrected.

The three antennas used for direction finding.
The three antennas used for direction finding.
RTL-SDR phase correlative direction finder

Creating a Signal Strength Heatmap with an RTL-SDR

Over on Reddit, user tautology2 has linked to his project which is software that can create a heatmap of signal strengths. His software uses the data that is output from RTLSDR Scanner which is a program that will collect signal strength data over any desired bandwidth and at the same time also record GPS coordinates using an external GPS receiver. RTLSDR Scanner can also create a heatmap by itself, but tautology2’s heatmap is much clearer and has good web controls for choosing the heatmap signal frequency.

Tautology2 writes about his program:

Eartoearoak’s rtl-sdr scanner can save GPS location data along with spectrum samples, I had put USB GPS unit and SDR’s antenna on the top of my car, put my notebook with running scanner on the front seat and driven it around.

Then I saved results both as an image sequence (which you can see at the bottom of the map) and as the raw data in json format. My script (scan2web.rb[3] ) parses raw data, filters out redundant samples (which were captured standing at the traffic lights etc) and computes normalized spectrum power for eight 300-KHz bands for each spatial sample. Results are saved in heatmap.json[4] , which is rendered using Google maps v.3 heatmap API.

The Reddit thread discussing his project can be found here.

Tools used for making the heatmap: Laptop, RTL-SDR with stock antenna and a GPS.
Tools used for making the heatmap: Laptop, RTL-SDR with stock antenna and a GPS.
Heatmap of GSM Signal Strengths
Heatmap of GSM Signal Strengths

RTLSDR Scanner Now Supports GPS for Signal Strength Mapping

The RTLSDR scanner software has been updated and now supports connection to an external GPS receiver. With a GPS receiver attached to a laptop, the RTL-SDR can be used to make signal strength maps by driving around in a car and monitoring the radio spectrum with RTLSDR Scanner running. The signal strength map can then be viewed in Google Earth, a GIS program or any image viewer.

RTLSDR Scanner GPS Signal Strength Heatmap
RTLSDR Scanner GPS Signal Strength Heatmap

Locating an Interfering Signal with Radio Direction Finding and the RTL-SDR

The people at the MIT Haystack Observatory discovered recently that someone was transmitting an interfering signal on their licensed radar band. The interferer was effectively jamming the radar, preventing them from carrying out any experiments.

After checking for local causes of interference and finding nothing, they decided that the interferer must be coming from further away. To find the location of the jamming signal they did some radio direction finding. This involved driving around with Yagi and magnetic loop antennas and RTL-SDR and USRP N200 SDRs and then measuring the signal strength at various points.

For the software they used a custom GNURadio block which calculated the power spectra using the FFTW C library, and averaged the results to disk. They then post processed the data to calculated the RFI power, and correlated the data with GPS coordinates recorded on his phone.

After all the data was processed, they discovered that the interference originated from an FM radio tower which had a faulty FSK telemetry link. They notified the engineer responsible who then replaced the link and the interference disappeared.

RFI strength at various geographic locations
RFI strength at various geographic locations