Tagged: rpitx

Video Tutorial and Overview of RPiTX Version 2

Over on YouTube channel Tech Minds has uploaded a video that shows how to install and use RPiTX version 2. RPiTX is software for the Raspberry Pi which can turn it into a 5 kHz to 1500 MHz transmitter which can transmit any arbitrary signal. RPiTX requires no additional hardware, but a filter is required for transmitting with any power or gain. Back in November RPiTX was updated to version 2 which brought with it a new GUI, and improved spectral purity.

In his video Tech Minds goes over the installation of RPiTX, and then goes on to demonstrate it in action with an RTL-SDR and SDRUno used as the receiver. He shows the several TX modes available such as the tone/chirp generator, spectrum painter FM with RDS, SSB and FreeDV.

Raspberry Pi Transmitter with RPITX Version 2

RPiTX v2 Released: Easily Record and Replay with RTL-SDR and a Raspberry Pi

RPiTX is software for the Raspberry Pi which can turn it into a 5 kHz to 1500 MHz transmitter which can transmit any arbitrary signal. In order to transmit the software does not require any additional hardware apart from a wire plugged into a GPIO pin on the expansion header. It works by modulating the GPIO pin with square waves in such a way that the desired signal is generated. However, although additional hardware isn't required, if RPiTX is to be used in any actual application a band-pass filter is highly recommended in order to remove any harmonics which could interfere and jam other radio systems.

Earlier this month RPiTX was upgraded to version 2. One of the changes is a new GUI for testing the various transmission modes. Currently it is possible to transmit a chirp, FM with RDS, USB, SSTV, Opera, Pocsag, SSTV, Freedv. There is also a spectrum painter which allows you to display an image on a SDR's waterfall.

The RPiTX V2 GUI
The RPiTX V2 GUI
Painting an Image on a SDR Waterfall Display with RPiTX v2
Painting an Image on a SDR Waterfall Display with RPiTX v2

The RPiTX v2 update also makes recording a signal with an RTL-SDR, and replaying that signal with RPiTX significantly easier. Previously it was necessary to go through a bunch of preprocessing steps (as described in our previous tutorial) in order to get a transmittable file, but now RPiTX is capable of transmitting a recorded IQ file directly. This makes copying things like 433 MHz ISM band remotes significantly easier. One application might be to use RPiTX as an internet connected home automation tool which could control all your wireless devices.

Finally, another application of the RPiTX and RTL-SDR combination is a live RF relay. The software is able to receive a signal at one frequency from the RTL-SDR, and then re-transmit it at another frequency in real time. Additionally, it is also capable of live transmodulation, where it receives an FM radio station, demodulates and then remodulates it as SSB to transmit on another frequency.

The RPiTX V2 RTL-SDR Menu
The RPiTX V2 RTL-SDR Menu
RPiTX v2 re-transmitting a broadcast FM signal live at 434 MHz.
RPiTX v2 re-transmitting a broadcast FM signal live at 434 MHz.

Testing the RTL-SDR V3 Direct Sampling Mode for use in a 2-FSK RPiTX Modem

Over on his blog, Rowetel has been testing our RTL-SDR Blog V3 in order to possibly use as a cheap FSK receiver for his RPiTX 2-FSK modem project. His post details some measurements that he's done in order to determine the lower HF band performance of the RTL-SDR V3 running in direct sampling mode, and it's viability for use in his 2-FSK modem system.

In the first test he uses RPiTX to generate a 2-FSK signal, which is then received and decoded by a RTL-SDR V3 connected to an attenuator and laptop. The Bit Error Rate (BER) is then measured while the attenuation is increased until the decoder fails. With this test he found a MDS somewhere between -115 dBm and -125 dBm, and a maximum input power of -30 dBm before clipping.

In another test he measures the RTL-SDR's ability to withstand a blocking CW signal. The results show that even with a 65 dB stronger signal just 7 kHz away, the 2-FSK modem system was able to continue working.

Finally he concludes:

So I figure for the lower HF bands this receivers performance is OK – the ADC quantisation noise isn’t likely to impact performance and the strong signal performance is good enough. An overload of -30dBm (S9+40dB) is also acceptable given the use case is remote communications where there is unlikely to be any nearby transmitters in the input filter passband.

Test Setup
Test Setup

Using RPiTX as a 2FSK Transmitter

Over on his blog, Rowetel has been experimenting with 2FSK transmissions and the new v2beta branch of RPiTX. RPiTX is a piece of software for the Raspberry Pi that enables it to transmit RF signals via a GPIO port, with no other hardware required.

In his tests he's been creating 100bit/s 2FSK test frames, transmitting them at 7.177 MHz, and receiving and decoding them on another PC with a hardware radio. The results show that the transmission is working perfectly, with only minor artefacts caused by RPiTX. Rowetel also notes that the narrow band spectral purity of the RPiTX output is remarkably clean. The only worry is the wide band harmonics which can easily be removed with filtering.

This shows that RPiTX could easily be used as a transmitter for amateur radio purposes, assuming proper external filtering is applied. Rowetel also mentions that he hopes that cheap radio technologies like RPiTX could one day be used to help reduce the cost and difficulty in covering the 'last 100 miles' of communications in the developing world.

RPiTX 2FSK apectrum analyzer measurement showing good narrow band spectral purity.
RPiTX 2FSK apectrum analyzer measurement showing good narrow band spectral purity.

Creating a High Altitude Balloon Telemetry System with Raspberry Pi, RPiTX and RTL-SDR

The 2M TX Filter by ZR6AIC
The 2M TX Filter by ZR6AIC

Over on his blog ZR6AIC explains how he's created a full HAB (high altitude balloon) telemetry transmit and receive system using RPiTX and an RTL-SDR dongle running on a Raspberry Pi 3.

RPiTX is software that enables the Raspberry Pi to transmit any modulated signal over a wide range of frequencies using just a single GPIO pin. However, the transmission contains multiple harmonics and thus requires sufficient filtering in order to transmit legally within the 2M ham band. To solve this ZR6AIC uses a 2M Raspberry Pi Hat kit which he designed and created that contains two low pass filters as well at the option for an additional power amplifier.

The rest of ZR5AIC's post explains how his HAB telemetry system combines the Raspberry Pi 3, RPiTX 2M Hat, RTL-SDR, a GPS unit, battery, temperature sensor and optional camera into a full HAB transmitting system. He also explains the software and terminal commands that he uses which allows him to transmit via RPiTX a CW beacon and GPS and temperature sensor APRS telemetry data with the Direwolf software. Full instructions on setting up the alsa-loopback audio routing is also provided.

Launching the High Altitude Balloon.
Launching the High Altitude Balloon.

Explaining and Demonstrating Jam and Replay Attacks on Keyless Entry Systems with RTL-SDR, RPiTX and a Yardstick One

Thank you to Christopher for submitting to us an article that he's written for a project of his that demonstrates how vulnerable vehicle keyless entry systems are to jam and replay attacks. In the article he explains what a jam and replay attack is, the different types of keyless entry security protocols, and how an attack can be performed with low cost off the shelf hardware. He explains a jam and replay attack as follows:

The attacker utilises a device with full-duplex RF capabilities (simultaneous transmit and receive) to produce a jamming signal, in order to prevent the car from receiving the valid code from the key fob. This is possible as RKEs are often designed with a receive band that is wider than the bandwidth of the key fob signal (refer Figure 3, right). The device simultaneously intercepts the rolling code by using a tighter receive band, and stores it for later use. When the user presses the key fob again, the device captures the second code, and transmits the first code, so that the user’s required action is performed (lock or unlock) (Kamkar, 2015). This results in the attacker possessing the next valid rolling code, providing them with access to the vehicle. The process can be repeated indefinitely by placing the device in the vicinity of the car. Note that if the user unlocks the car using the mechanical key after the first try, the second code capture is not required, and the first code can be used to unlock the vehicle.

In his demonstrating the attack he uses the RTL-SDR to initially find the frequency that they keyfob operates at and to analyze the signal and determine some of it's properties. He then uses a Raspberry Pi running RPiTX to generate a jamming signal, and the YardStick One to capture and replay the car keyfob signal.

Jam and Replay Hardware: Raspberry Pi running RpiTX for the Jamming and a Yardstick One for Capture and Replay.
Jam and Replay Hardware: Raspberry Pi running RpiTX for the Jamming and a Yardstick One for Capture and Replay.

SDR Academy Talks: RPiTX TX for the Masses, Transmitter Localization with TDOA, HackRF as a Signal Generator and more

Over on YouTube the Software Defined Radio Academy channel has uploaded some new interesting SDR related conference talks, some of which may be of interest to readers. Some of our favorites are posted below. Other new interesting talks from channel include:

  • Derek Kozel, AG6PO, Ettus: Hardware Accelerated SDR: Using FPGAs for DSP (Link)
  • Mario Lorenz, DL5MLO: Across the Solar System – using SDRs for real long-distance communication (Link)
  • Andras Retzler, HA7ILM: Demodulators from scratch: BPSK31 and RTTY (Link)
  • Gerald Youngblood, K5SDR (President of FlexRadio): Direct Sampling and Benefits of the Architecture (Link)
  • Dr. Selmeczi Janos, HA5FT: A new lightweight data flow system (Link)
  • Chris Dindas, DG8DP: Standalone SDR-TRX, Highend – Lowcost – Homebrew (Link)
  • Erwin Rauh, DL1FY: Charly25 – SDR Transceiver Project – Community Development (Link)
  • Črt Valentinčič, S56GYC, Red Pitaya: HamLab (Link)

Evariste Courjaud, F5OEO: Rpitx : Raspberry Pi SDR transmitter for the masses

Low cost RTL-SDR democratize access to SDR reception, but is there an equivalent low cost solution for transmission : Rpitx is a software running on Raspberry Pi which use only GPIO to transmit HF. This presentation describes how to use it as a SDR sink but also describes details of how it is implemented using PLL available on the Raspberry Pi board. Warnings and limits of this simple SDR are also provided before going “on air”. Last paragraph shows what are potential evolutions of this system : low cost DAC and third party software integration.

Evariste Courjaud, F5OEO: Rpitx : Raspberry Pi SDR transmitter for the masses

Stefan Scholl, DC9ST: Introduction and Experiments on Transmitter Localization with TDOA

Time-Difference-of-Arrival (TDOA) is a well-known technique to localize transmitters using several distributed receivers. A TDOA system measures the arrival time of the received signal at the different receivers and calculates the transmitter’s position from the delays. The talk first introduces the basics of TDOA localization. It shows how to measure signal delay with correlation and how to determine the position using multilateration. It also covers further aspects and challenges, like the impact of signal bandwidth and errors in delay measurement, receiver placement and synchronization as well as the requirements on the network infrastructure. Furthermore, an experimental TDOA system consisting of three receivers is presented, that has been setup to localize signals in the city of Kaiserslautern, Germany. The three receivers are simple low-cost devices, each built from a Raspberry PI and a RTL/DVB-USB-Stick. They are connected via internet to a master PC, which performs the complete signal processing. The results demonstrate, that even with a simple system and non-ideal receiver placement, localization works remarkably well.

Stefan Scholl, DC9ST: Introduction and Experiments on Transmitter Localization with TDOA

Frank Riedel, DJ3FR: The HackRF One as a Signal Generator

The usability and performance of the HackRF One SDR experimental platform as a signal generator up to 6 GHz is examined by means of an HPIB driven measurement system. The effective circuit of the HackRF One used in the CW TX mode is described and its components are linked to the parameters of the command line tool ‘hackrf_transfer’. The frequency accuracy of the HackRF One is measured against a frequency standard, output signal levels and spurious emissions are determined using a spectrum analyzer.

Frank Riedel, DJ3FR: The HackRF One as a Signal Generator

Tutorial: Replay Attacks with an RTL-SDR, Raspberry Pi and RPiTX

UPDATE: Version 2 of RPiTX renders this tutorial obsolete, as it is now very easy to copy and replay signals using the RPiTX GUI (or the "sendiq" command) and an RTL-SDR. This tutorial is still valid for the overall concept.

With an RTL-SDR dongle, Raspberry Pi, piece of wire and literally no other hardware it is possible to perform replay attacks on simple digital signals like those used in 433 MHz ISM band devices. This can be used for example to control wireless home automation devices like alarms and switches.

In this tutorial we will show you how to perform a simple capture and replay using an RTL-SDR and RPiTX.  With this method there is no need to analyze the signal, extract the data and replay using a 433 MHz transmitter. RPiTX can replay the recorded signal directly without further reverse engineering just like if you were using a TX capable SDR like a HackRF to record and TX an IQ file.

Note that we've only tested this replay attack with simple OOK 433 MHz devices. Devices with more complex modulation schemes may not work with this method. But the vast majority of 433 MHz ISM band devices are using simple modulation schemes that will work. Also replay attacks will not work on things like car keys, and most garage door openers as those have rolling code security.

A video demo is shown below:

Replay Attacks at 433 MHz with RTL-SDR and a Raspberry Pi running RPiTX

Hardware used and wireless ISM band devices tested with RPiTX
Hardware used and wireless ISM band devices tested with RPiTX

RpiTX

RPiTX is open source software which allows you to turn your Raspberry Pi into a general purpose transmitter for any frequency between 5 kHz to 500 MHz. It works by using square waves to modulate a signal on the GPIO pins of the Pi. If controlled in just the right way, FM/AM/SSB or other modulations can be created. By attaching a simple wire antenna to the GPIO pin these signals become RF signals transmitted into the air.

Of course this creates an extremely noisy output which has a significant number of harmonics. So to be legal and safe you must always use bandpass filtering. Harmonics could interfere with important life critical systems (e.g. police/EMS radio, aircraft transponders etc).

For testing, a short wire antenna shouldn't radiate much further than a few meters past the room you're in, so in this case you should be fine without a filter. But if you ever connect up to an outdoor antenna or amplify the signal then you absolutely must use adequate filtering, or you could find yourself in huge trouble with the law. Currently there are no commercially made 433 MHz filters for RPiTX available that we know of, so you would need to make your own. Also remember that you are still only allowed to transmit in bands that you are licensed to which for most people will be the ISM bands.

In the past we've seen RPiTX used for things like controlling an RC car, building a home made FM repeater, creating a ham transceiver and transmitting WSPR (via a well made filter). We've also seen people perform replay attacks using the cleaner but harder way by reverse engineering a 433 MHz signal, and then generating the RPiTX OOK modulation manually.

Continue reading