Tagged: rpitx

SDR Academy Talks: RPiTX TX for the Masses, Transmitter Localization with TDOA, HackRF as a Signal Generator and more

Over on YouTube the Software Defined Radio Academy channel has uploaded some interesting new SDR related conference talks, some of which may be of interest to readers. Some of our favorites are posted below. Other interesting new talks from the channel include:

  • Derek Kozel, AG6PO, Ettus: Hardware Accelerated SDR: Using FPGAs for DSP (Link)
  • Mario Lorenz, DL5MLO: Across the Solar System – using SDRs for real long-distance communication (Link)
  • Andras Retzler, HA7ILM: Demodulators from scratch: BPSK31 and RTTY (Link)
  • Gerald Youngblood, K5SDR (President of FlexRadio): Direct Sampling and Benefits of the Architecture (Link)
  • Dr. Selmeczi Janos, HA5FT: A new lightweight data flow system (Link)
  • Chris Dindas, DG8DP: Standalone SDR-TRX, Highend – Lowcost – Homebrew (Link)
  • Erwin Rauh, DL1FY: Charly25 – SDR Transceiver Project – Community Development (Link)
  • Črt Valentinčič, S56GYC, Red Pitaya: HamLab (Link)

Evariste Courjaud, F5OEO: Rpitx : Raspberry Pi SDR transmitter for the masses

Low cost RTL-SDR democratizes access to SDR reception, but is there an equivalent low cost solution for transmission? Rpitx is software running on the Raspberry Pi which uses only GPIO to transmit HF. This presentation describes how to use it as an SDR sink but also describes details of how it is implemented using the PLL available on the Raspberry Pi board. Warnings and limits of this simple SDR are also provided before going “on air”. The last paragraph shows the potential evolutions of this system: low cost DAC and third party software integration.

Stefan Scholl, DC9ST: Introduction and Experiments on Transmitter Localization with TDOA

Time-Difference-of-Arrival (TDOA) is a well-known technique to localize transmitters using several distributed receivers. A TDOA system measures the arrival time of the received signal at the different receivers and calculates the transmitter’s position from the delays. The talk first introduces the basics of TDOA localization. It shows how to measure signal delay with correlation and how to determine the position using multilateration. It also covers further aspects and challenges, like the impact of signal bandwidth and errors in delay measurement, receiver placement and synchronization as well as the requirements on the network infrastructure. Furthermore, an experimental TDOA system consisting of three receivers is presented that has been set up to localize signals in the city of Kaiserslautern, Germany. The three receivers are simple low-cost devices, each built from a Raspberry Pi and an RTL/DVB-USB-Stick. They are connected via internet to a master PC, which performs the complete signal processing. The results demonstrate that even with a simple system and non-ideal receiver placement, localization works remarkably well.
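The two steps the abstract names, delay measurement by correlation and position finding by multilateration, are shown below as an added example (not code from the talk or from the Kaiserslautern system). The receiver layout, transmitter position, 2 MS/s sample rate and random test burst are constructed assumptions; whole-sample delays are used so the effect of timing resolution on the position estimate is visible.

```python
import math
import random

C = 299_792_458.0   # propagation speed, m/s
FS = 2_000_000.0    # assumed receiver sample rate: one sample is ~150 m of path

def xcorr_delay(ref, sig, max_lag):
    """Lag in samples where sig best matches ref (positive: sig arrived later)."""
    def score(lag):
        return sum(ref[i] * sig[i + lag]
                   for i in range(len(ref)) if 0 <= i + lag < len(sig))
    return max(range(-max_lag, max_lag + 1), key=score)

def locate(receivers, tdoas, span=5000.0, step=50.0):
    """Grid-search multilateration; tdoas[k] = t(receiver k+1) - t(receiver 0), in s."""
    n = int(span / step)
    def err(p):
        d0 = math.dist(p, receivers[0])
        return sum((math.dist(p, rx) - d0 - C * t) ** 2
                   for rx, t in zip(receivers[1:], tdoas))
    grid = ((ix * step, iy * step)
            for ix in range(-n, n + 1) for iy in range(-n, n + 1))
    return min(grid, key=err)

# Constructed scenario: three receivers and one transmitter, coordinates in metres.
RECEIVERS = [(0.0, 0.0), (4000.0, 0.0), (0.0, 3000.0)]
TRANSMITTER = (1200.0, -800.0)

def simulate_capture(rx, burst, pad=60):
    """What one receiver records: the burst shifted by its whole-sample path delay."""
    delay = round(math.dist(TRANSMITTER, rx) / C * FS)
    return [0.0] * delay + burst + [0.0] * (pad - delay)

def run_demo():
    rng = random.Random(1)
    burst = [rng.choice((-1.0, 1.0)) for _ in range(400)]  # wideband test signal
    caps = [simulate_capture(rx, burst) for rx in RECEIVERS]
    lags = [xcorr_delay(caps[0], cap, 40) for cap in caps[1:]]
    estimate = locate(RECEIVERS, [lag / FS for lag in lags])
    return lags, estimate, math.dist(estimate, TRANSMITTER)

if __name__ == "__main__":
    lags, estimate, error_m = run_demo()
    print(f"lags={lags} estimate={estimate} error={error_m:.0f} m")
```

The position error that remains comes from rounding each path delay to a whole sample, which is the bandwidth and delay-measurement limitation the abstract refers to.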

Frank Riedel, DJ3FR: The HackRF One as a Signal Generator

The usability and performance of the HackRF One SDR experimental platform as a signal generator up to 6 GHz is examined by means of an HPIB driven measurement system. The effective circuit of the HackRF One used in the CW TX mode is described and its components are linked to the parameters of the command line tool ‘hackrf_transfer’. The frequency accuracy of the HackRF One is measured against a frequency standard; output signal levels and spurious emissions are determined using a spectrum analyzer.

Tutorial: Replay Attacks with an RTL-SDR, Raspberry Pi and RPiTX

With an RTL-SDR dongle, Raspberry Pi, piece of wire and literally no other hardware it is possible to perform replay attacks on simple digital signals like those used in 433 MHz ISM band devices. This can be used for example to control wireless home automation devices like alarms and switches.

In this tutorial we will show you how to perform a simple capture and replay using an RTL-SDR and RPiTX. With this method there is no need to analyze the signal, extract the data and replay using a 433 MHz transmitter. RPiTX can replay the recorded signal directly without further reverse engineering, just as if you were using a TX capable SDR like a HackRF to record and TX an IQ file.

Note that we’ve only tested this replay attack with simple OOK 433 MHz devices. Devices with more complex modulation schemes may not work with this method. But the vast majority of 433 MHz ISM band devices are using simple modulation schemes that will work. Also, replay attacks will not work on things like car keys and most garage door openers, as those have rolling code security.
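Why the rolling code caveat holds, as an added sketch that is not code from the tutorial or from any real remote: a fixed-code receiver accepts the same frame every time, while a counter-based receiver rejects a frame it has already accepted. The HMAC-over-counter frame layout, the key and the window size are assumptions chosen for illustration; commercial rolling code schemes differ in detail.

```python
import hashlib
import hmac
import struct

def make_frame(key, counter):
    """Frame = 32-bit counter followed by a truncated HMAC over that counter."""
    body = struct.pack(">I", counter)
    return body + hmac.new(key, body, hashlib.sha256).digest()[:8]

class Fob:
    """Transmitter side: every button press advances the counter."""
    def __init__(self, key):
        self.key, self.counter = key, 0
    def press(self):
        self.counter += 1
        return make_frame(self.key, self.counter)

class FixedCodeReceiver:
    """Simple OOK-style device: the same code is valid forever."""
    def __init__(self, code):
        self.code = code
    def accept(self, frame):
        return hmac.compare_digest(frame, self.code)

class RollingReceiver:
    """Accepts a frame only if it is authentic and its counter moves forward."""
    def __init__(self, key, window=16):
        self.key, self.last, self.window = key, 0, window
    def accept(self, frame):
        if len(frame) != 12:
            return False
        counter = struct.unpack(">I", frame[:4])[0]
        if not hmac.compare_digest(frame, make_frame(self.key, counter)):
            return False                      # forged or corrupted frame
        if not self.last < counter <= self.last + self.window:
            return False                      # already used, or too far ahead
        self.last = counter
        return True

def replay_demo():
    key = b"constructed-demo-key"             # constructed secret shared by fob and receiver
    fob, rolling = Fob(key), RollingReceiver(key)
    fixed, code = FixedCodeReceiver(b"\xa5\x5a\x0f"), b"\xa5\x5a\x0f"
    recorded = fob.press()                    # the frame a passive recorder would hold
    return {
        "fixed_replayed": fixed.accept(code) and fixed.accept(code),
        "rolling_first_use": rolling.accept(recorded),
        "rolling_replayed": rolling.accept(recorded),
        "rolling_next_press": rolling.accept(fob.press()),
        "rolling_bumped_counter": rolling.accept(struct.pack(">I", 9) + recorded[4:]),
    }
```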

A video demo is shown below:

Hardware used and wireless ISM band devices tested with RPiTX


RPiTX is open source software which allows you to turn your Raspberry Pi into a general purpose transmitter for any frequency from 5 kHz to 500 MHz. It works by using square waves to modulate a signal on the GPIO pins of the Pi. If controlled in just the right way, FM/AM/SSB or other modulations can be created. By attaching a simple wire antenna to the GPIO pin these signals become RF signals transmitted into the air.

Of course this creates an extremely noisy output which has a significant number of harmonics. So to be legal and safe you must always use bandpass filtering. Harmonics could interfere with important life critical systems (e.g. police/EMS radio, aircraft transponders etc).

For testing, a short wire antenna shouldn’t radiate much further than a few meters past the room you’re in, so in this case you should be fine without a filter. But if you ever connect up to an outdoor antenna or amplify the signal then you absolutely must use adequate filtering, or you could find yourself in huge trouble with the law. Currently there are no commercially made 433 MHz filters for RPiTX available that we know of, so you would need to make your own. Also remember that you are still only allowed to transmit in bands that you are licensed to use, which for most people will be the ISM bands.

In the past we’ve seen RPiTX used for things like controlling an RC car, building a home made FM repeater, creating a ham transceiver and transmitting WSPR (via a well made filter). We’ve also seen people perform replay attacks using the cleaner but harder way by reverse engineering a 433 MHz signal, and then generating the RPiTX OOK modulation manually.


Controlling an RC Car with RPiTX

RPiTX is a piece of software that you can run on your Raspberry Pi unit, which with no additional hardware turns it into a full radio transmitter, capable of transmitting FM, AM, SSB and other signals anywhere from 5 kHz to 500 MHz. Of course remember that the methods used to do this emit a lot of harmonics, so to be legal and safe filtering should be used on the signal output.

Over on Twitter Cyril @kotzebuedog has been experimenting with RPiTX and his radio controlled toy car. From the videos and images, it appears that he’s used GNU Radio to create the required control signals, which are then transmitted to the RC car via RPiTX. With this he’s been able to create a program to control his RC car with his computer gaming joystick.

Video Tutorial: Transmitting Signals with a Raspberry Pi

Over on YouTube Crazy Danish Hacker, who earlier brought us an excellent video tutorial series on GSM sniffing, has now uploaded a two part series that shows how to transmit signals with a Raspberry Pi and the PiFM and RPiTX software. We’ve featured RPiTX several times on this blog before as a cheap TX complement to the RTL-SDR. The software allows you to modulate a GPIO pin on your Raspberry Pi in such a way that it produces AM/FM/SSB etc radio signals at a frequency of choice.

Crazy Danish Hacker’s tutorial shows us how to set up RPiTX, starting from installing Raspbian and enabling SSH to installing the software and actually transmitting something. Some useful tips to get around common problems are also presented.

Building an SDR Transmitter using GPIO Pins on an FPGA

Recently an RTL-SDR.com reader named Jon wrote in and wanted to share his project called FPGA-TX. FPGA-TX is software that provides low-cost SDR transmit capabilities on an FPGA. It works in a similar way to RPiTX, which is by simply turning the GPIO pins on and off very quickly in such a way that it generates any desired AM/FM/SSB transmission. These methods are crude and require external analog filtering, but can be used for creating almost any sort of RF transmission at a wide range of frequencies extremely cheaply. These sorts of cheap transmitters are great companions to low cost SDR dongles like the RTL-SDR.

Jon’s project runs on FPGA boards and currently supports the Digilent Nexys 4 and Digilent CMOD A7 ($75) FPGA boards. An FPGA is an integrated circuit that can be easily reconfigured to implement various different digital circuits.

FPGA-TX can transmit at frequencies of up to 400 MHz and currently supports AM, FM, LSB, USB, Wideband FM and Wideband FM Stereo transmission modes. It runs on Linux. The FPGA transmitter has been tested together with an amplifier and filter. It can also interface with a GPS unit for clock calibration.

An FPGA Based Transmitter. In the photo: FPGA, Amplifier, Filter, Attenuator, TX/RX Switch.
The FPGA-TX Ubuntu Interface.

A Guide to Using RPiTX and an RTL-SDR to Reverse Engineer and Control ASK/OOK Devices

Erhard E. has been experimenting with capturing, analyzing, reverse engineering and then transmitting new ASK/OOK signals with his RTL-SDR and Raspberry Pi running RPiTX. Erhard has written a very informative guide/tutorial (pdf) that explains how he did it for a wireless doorbell and for remote control toy cars. RPiTX is software for the Raspberry Pi which allows it to transmit almost any signal via modulation of a GPIO pin. RPiTX related posts have been featured on this blog several times in the past.

First Erhard records a copy of the doorbell signal using his RTL-SDR and then views the waveform in Audacity. He then writes that you’ll need to find the waveform characteristics either manually using Audacity, or by using the rtl_433 decoder. In the tutorial he uses rtl_433, which automatically gives him the pulse width, gap width and pulse period.

Next, in order to actually generate the signal using RPiTX, he uses the waveform characteristics that he found and manually creates a .ft hex file that describes the signal to be generated. Then, using the rpitx command, the .ft file can be transmitted.

Later in the tutorial he also shows how he performed the same reverse engineering process with a cheap RC car toy (forward/reverse commands only), which uses OOK encoding on the wireless controller.

The tutorial can be downloaded in PDF form here.

Showing the Pulse Width, Gap Width and Symbol Period of a signal in Audacity.

Building a Homemade FM Repeater with a Raspberry Pi, Rpitx and RTL-SDR Dongle

A radio repeater is usually a radio tower that receives weak signals from handheld, desktop or other radios, and rebroadcasts the same signal at a higher power over a wide area at a different frequency. This allows communications to be extended over a much greater area.

Repeaters are generally made from expensive professional grade radio equipment, however ZR6AIC has been experimenting with creating an ultra low cost repeater out of an RTL-SDR and Raspberry Pi. In his system the RTL-SDR dongle is set up to receive a signal on the 70 cm (420 – 450 MHz) amateur radio band, and then retransmit it using Rpitx on the 2M (144 – 148 MHz) amateur radio band. He also adds a 2M low pass filter to the output of the Raspberry Pi to keep the signal clean.

RTL-SDR + Rpitx Block Diagram

Rpitx is software for the Raspberry Pi which we have featured on this blog several times in the past. We’ve also seen the qtcsdr software which also uses Rpitx and an RTL-SDR to create a transceiver. Rpitx allows the Raspberry Pi to transmit radio signals without the need for any transmitting radio hardware at all. It works by modulating signals onto a General Purpose I/O (GPIO) pin on the Raspberry Pi. If the GPIO pin is modulated in just the right way, FM/AM/SSB or other signal modulation approximations can be created at a specified frequency. The signal is however not clean, as this type of modulation generates many harmonics which could be dangerous if amplified. If you use Rpitx, always use appropriate filtering hardware.

ZR6AIC’s post goes into detail about how to install and set up the required software onto the Raspberry Pi and how to set up the script to piece all the programs together into a repeater. He’s also uploaded a video demonstrating the system in action on YouTube.