Tagged: rtl-sdr

Salamandra: A modern study of microphone bugs operation and detection with an RTL-SDR

A couple of weeks ago we posted about Salamandra, an RTL-SDR compatible piece of software which can be used to help detect and locate microphone bugs that are used for spying. Recently we discovered that the two authors of Salamandra, Veronic Valeros and Sebastian Garcia both from the MatesLab Hackerspace in Buenos Aires, Argentina have written a paper on their experiences with microphone bugs, and about the development of Salamandra. The abstract reads:

In 2015, artist Ai Weiwei was bugged in his home, presumably by government actors. This situation raised our awareness on the lack of research in our community about operating and detecting spying microphones. Our biggest concern was that most of the knowledge came from fictional movies. Therefore, we performed a deep study on the state-of-the-art of microphone bugs, their characteristics, features and pitfalls. It included real life experiments trying to bug ourselves and trying to detect the hidden mics. Given the lack of open detection tools, we developed a free software SDR-based program, called Salamandra, to detect an locate hidden microphones in a room. After more than 120 experiments we concluded that placing mics correctly and listening is not an easy task, but it has a huge payoff when it works. Also, most mics can be detected easily with the correct tools (with some exceptions on GSM mics). In our experiments the average time to locate the mics in a room was 15 minutes. Locating mics is the novel feature of Salamandra, which is released to the public with this work. We hope that our study raises awareness on the possibility of being bugged by a powerful actor and the countermeasure tools available for our protection.

The paper first outlines the history of microphone bugs and tries to dispel some of the myths about them which originate from movies and other fictional sources. They then perform a survery of the current state-of-the-art microphone bugging techniques, and later go on to discuss the development of Salamandra and some experiments that they performed with it.

In their experiments they show that the Salamandra software and RTL-SDR is able to outperform a commercial bug detector. They also performed several real world simulations where one researcher would hide a bug in a room, and then another would have to use Salamandra to determine if a bug was present, and then locate it using the location feature of Salamandra. They concluded that Salamandra was a very useful tool as they were able to detect the location of the bugs in under 40 minutes in 4/5 tests.

An example waterfall of a microphone bug transmitting and being received with an RTL-SDR
An example waterfall of a microphone bug transmitting and being received with an RTL-SDR
Location of a hidden bug in one of their tests.
Location of a hidden bug in one of their tests.

Outernet SDRx Clearance Sale $15: RTL-SDR with built in L-band LNA and Filter

Recently the Outernet project transitioned from using RTL-SDR dongles and C.H.I.P single board computers to using their Dreamcatcher board, which is an RTL-SDR and computing board all in one. In between the transition they also produced a number of ‘SDRx’ dongles. These were custom RTL-SDR dongles with a built in L-band LNA and filter. As they no longer need the SDRx they have them on clearance at their store.

The clearance price is $15 USD which is an excellent deal. Remember though, that the SDRx is limited in frequency range – it is designed for receiving L-band satellites between 1525 – 1559 MHz and the filter will cut off all other frequencies.

The Outernet SDRx on Clearance
The Outernet SDRx on Clearance

Just add a simple L-band tuned antenna to the port and you should be able to receive Inmarsat and a signal like STD-C, AERO or the Outernet signal. A suitable antenna might be a homebrew patch, helix, cooking pot antenna or even a small tuned V-dipole antenna can work for the stronger AERO signals.

We also see that the price of their L-band Outernet active ceramic patch antenna has been dropped down slightly to $25 USD. This antenna is bias tee powered and can be used with a V3 dongle or their Dreamcatcher hardware. The Dreamcatcher itself is also now reduced in price to $59 USD.

We have a review of the Dreamcatcher and active ceramic patch antenna available here.

Outernet Dreamcatcher and L-Band Active Ceramic Patch
Outernet Dreamcatcher and L-Band Active Ceramic Patch

We also now list Outernet products in our store. These are commission sales so we receive a little bit per purchase which supports the blog, and the items are shipped by Outernet within the USA.

If you were unaware, Outernet is a free L-band based satellite service that provides content such as news, weather data, APRS repeats and more. Currently you can get about 20MB of data a day. Outernet receivers are also all based around the RTL-SDR, allowing for very cheap receivers to be built

A “Ham Radio Go Box” with RTL-SDR, Solar, Bluetooth Speaker, Touchscreen and Transceiver

Over on YouTube user Fuzz has uploaded a short video showing his “Ham Radio Go Box”. This is a plastic box containing inside many pieces of mounted equipment, all hooked up and ready to go. Inside he has a Raspberry Pi connected to a 7-inch touch screen and RTL-SDR Blog V3 dongle. The Raspberry Pi is used for satellite tracking and for driving an external bluetooth speaker. He also has inside a Baofeng BTECH tri-band radio which connects to an external speaker. The box also seems to have battery charging via an external solar panel.

Ham Radio Go Box With Raspberry Pi And Bluetooth speaker and SDR

deinvert: A Voice Inversion Descrambler

Voice inversion scrambling is a simple and old security method used on analog radios to try and obscure conversations from being listened in on by people with scanners. It works simply by by moving the low frequencies higher and the high frequencies lower, or in other words inverting the audio. A descrambler is then required to recover the true audio, otherwise you will only hear garbled audio. Voice inversion provides little real security, as it is very simply to descramble, and many scanner radios already have descrambling features built in. These days most secure communications are digital and encrypted, but voice inversion scrambling is still available on many analog radios, and could still be in use by some users looking for protection against casual eavesdroppers.

Oona Räisänen (aka windytan) has recently released a simple program called ‘deinvert’ over on GitHub. This program is a descrambler that reads in a scrambled wav file and outputs a descrambled audio file. The audio file could be easily recorded with an RTL-SDR and rtl_fm, or a similar SDR.

Way back in 2013 she also did a post on her blog about voice inversion scrambling which is a good read for further information on how it works, and how to descramble it.

Voice Inversion Scrambling Spectrograph Example
Voice Inversion Scrambling Spectrograph Example

Monitoring Train Railway Lines with an RTL-SDR and ATCS Monitor

Back in June Gus Gorman showed us via a YouTube tutorial and demo how to monitor ATCS (Advanced Train Control System) signals from trains. ATCS is found in the USA and is used for things like communications between trains, rail configuration data, train location data, speed enforcement, fuel monitoring, train diagnostics and general instructions and messages. Gus used an RTL-SDR and the ATCS Monitor software to decode the signals and give us a view of the current state of the railway line.

In his latest video Gus gives a better demonstration of the software by parking outside a train station so that he can receive many more signals from the trains. At the start of the video he shows the track view of BNSF trains, and then later switches over to the Union Pacific track view.

ATCS Monitor RTL-SDR at Omaha Train Station

Decoding the ALERT Protocol from a USGS Streamgage with an RTL-SDR

Over on his YouTube channel GusGorman402 has uploaded a video that shows how he was able to capture and decode data from a USGS (United States Geological Service) streamgage.

A streamgage is a sensor for streams and rivers that is used for measuring the amount of water flowing. In particular the ALERT (Automated Local Evaluation in Real-Time) streamgages are designed for the warning of flooding. The ALERT streamgages are wireless with some transmitting data upwards to the GOES-15 geosynchronous satellite with a cross Yagi and some transmitting locally via a standard Yagi. Gus shows if you’re close to a streamgage antenna then you can still receive the signal on the ground with an RTL-SDR. Gus also mentions that all streamgages in his area are slowly being converted to satellite uplink.

His first video simply shows the RTL-SDR receiving a Streamgage satellite uplink signal at 400 MHz. In his second video he moves to a streamgage with terrestrial link at 170 MHz and shows that the data can actually be decoded into a binary string using minimodem. Another program called udfc-node can then be used to turn the data into a human readable format. The binary packets consist of an address that identifies the particular streamgage, and some data that describes the current level of the stream and how much precipitation it has counted.

USGS Streamgage GOES-15 Uplink RTL-SDR Capture

USGS Streamgage 170MHz RTL-SDR decode

3D Printing a V-Dipole Bracket

Over on his YouTube channel user Tysonpower has uploaded a video that shows how to make a V-Dipole antenna. Back in March we posted about the V-Dipole which Adam 9A4QV first described. A V-Dipole is a simple antenna that normally consists of two metal rods, a terminal block and coax cable. It is particularly effective for reception of low Earth orbit satellites like the NOAA and Meteor M2 weather image satellites with an RTL-SDR or other similar SDR.

In his video Tysonpower shows how to build a slightly more rugged version using a 3D printed part instead of a terminal block. Aluminum welding rods are used for the elements. The 3D printed part ensures that the correct 120 degree ‘V’ angle is maintained and also provides a means for mounting the antenna to a pole. The 3D printing STL files are available on Thingiverse. Note that the video is in German, but English subtitles are available.

Note that we will also have a dipole antenna capable of being used as a V-Dipole available in our store in a few weeks time.

[EN subs] Bau einer V-Dipole Antenne - 3D Druck für mehr Genauigkeit und Stabilität

Nongles.com N3 RTL-SDR Available in our Store

Late last year the ThumbNet team announced their custom RTL-SDR dongle which they named the “Nongles N3”. This is a standard R820T2 RTL-SDR, but with some interesting additional features. Some of the changes they made include:

  • Shielding can on the PCB
  • Thick rugged metal case
  • F-Type connector
  • External 5V power input
  • Low noise PCB design

As explained in our previous reviews (prototype review, production review) the N3 is a rugged dongle, probably best suited to applications where the SDR could take a beating. The F-Type connector is also preferred by some people as it is fairly commonly used on TV equipment in most parts of the world. Shielding against local strong signals is also excellent due to its double shielding with a shielding can on the PCB and with the metal case.

Probably the most defining feature other than its ruggedness and low noise floor is that it can be optionally powered by 5V external power. So it could be used at the end of a very long active USB cable, with power provided locally. Or if very low power noise is desired, a linear power supply could be used.

We now have these N3 dongles available for purchase in our store. Please note that this is a commission sale, so the N3 will actually be shipped by the Nongles team in the USA once a week. The current price of the Nongles N3 is $33.5 USD + $4.5USD shipping in the USA, or $10 USD shipping worldwide.

Please Visit our Store

The ThumbNet N3
The ThumbNet N3
ThumbNet N3 with RFI Shield
ThumbNet N3 with RFI Shield