
An AIS Decoder for MATLAB and the RTL-SDR

RTL-SDR.com reader Mike wrote in to us today to let us know that he has released his AIS decoder for MATLAB and the RTL-SDR. MATLAB is a technical computing language used by many scientists and engineers in the world. Mike writes the following about his work:

Automatic Identification System (AIS) is a communication standard that is used by commercial and recreational maritime vessels to report a ship’s ID, position, course and other information. This data is used for collision avoidance, search and rescue and many other applications. AIS has the following characteristics:

  • Access protocol: Self-organizing Time Division Multiple Access (SOTDMA)
  • Transmission frequencies: 161.975 MHz and 162.025 MHz
  • Transmit Power: 2 W or 12.5 W
  • Modulation: Gaussian Minimum Shift Keying (GMSK)
  • Data Rate: 9600 bits per second

An AIS decoder that uses the RTL-SDR and MATLAB to capture AIS transmissions is posted on MATLAB Central, the MathWorks file sharing exchange. The decoder has three main components:

  1. Software to connect MATLAB to the RTL-SDR and bring IQ data directly into the MATLAB workspace (http://www.mathworks.com/hardware-support/rtl-sdr.html)
  2. Demodulation and decoding algorithms to convert the IQ samples into bits and decode the AIS data (http://www.mathworks.com/products/communications/)
  3. A user interface to configure the RTL-SDR, launch the capture and decoding process, and display the decoded messages (http://www.mathworks.com/matlabcentral/fileexchange/57600-ais-decoder)

The MATLAB Central post includes MATLAB source code for the AIS decoder, captured data files from Boston and San Francisco, an app for easy configuration and operation of the decoder, and instructions for installing the RTL-SDR Hardware Support Package and AIS Decoder app.

If you want to learn how AIS works, and how to write a decoder, then a MATLAB example like this is an excellent resource.
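The post above describes the decoder's last stage as "decode the AIS data" without showing it. The following is an added example, not Mike's MATLAB code and not part of the MATLAB Central post, written in Python: it unpacks the 6-bit ASCII payload that AIS decoders normally emit inside NMEA `!AIVDM` sentences, verifies the sentence checksum so corrupted input is rejected rather than silently mis-decoded, and extracts the fields of a class A position report (message types 1 to 3). The sentence framing around the payload is constructed here; the sample payload is a real type-1 report that decodes to MMSI 477553000 near 47.58 N, 122.35 W.

```python
# Added example (not the decoder from the original post): the final decoding
# stage of AIS, from the 6-bit "armored" AIVDM payload to position-report fields.

def armor_to_bits(payload: str) -> str:
    """Expand a 6-bit-per-character AIVDM payload into a string of '0'/'1'."""
    bits = []
    for ch in payload:
        value = ord(ch) - 48
        if value > 40:
            value -= 8
        if not 0 <= value < 64:
            raise ValueError(f"invalid AIVDM payload character {ch!r}")
        bits.append(format(value, "06b"))
    return "".join(bits)


def field(bits: str, start: int, length: int, signed: bool = False) -> int:
    """Read an integer field; signed fields are two's complement."""
    chunk = bits[start:start + length]
    if len(chunk) < length:
        raise ValueError("payload too short for requested field")
    value = int(chunk, 2)
    if signed and chunk[0] == "1":
        value -= 1 << length
    return value


def nmea_checksum(body: str) -> str:
    """XOR of every character between the leading '!' and the '*'."""
    csum = 0
    for ch in body:
        csum ^= ord(ch)
    return f"{csum:02X}"


def build_aivdm(payload: str, channel: str = "B") -> str:
    """Constructed single-fragment AIVDM sentence wrapped around a payload."""
    body = f"AIVDM,1,1,,{channel},{payload},0"
    return f"!{body}*{nmea_checksum(body)}"


def parse_aivdm(sentence: str) -> str:
    """Validate framing and checksum and return the payload; reject corrupted input."""
    if not sentence.startswith("!AIVDM,") or "*" not in sentence:
        raise ValueError("not an AIVDM sentence")
    body, _, given = sentence[1:].partition("*")
    if nmea_checksum(body) != given.strip().upper():
        raise ValueError("checksum mismatch")
    parts = body.split(",")
    if len(parts) != 7:
        raise ValueError("unexpected field count")
    return parts[5]


def decode_position_report(payload: str) -> dict:
    """Decode the header plus the fields shared by message types 1, 2 and 3."""
    bits = armor_to_bits(payload)
    msg_type = field(bits, 0, 6)
    out = {"type": msg_type, "repeat": field(bits, 6, 2), "mmsi": field(bits, 8, 30)}
    if msg_type in (1, 2, 3):
        if len(bits) < 168:
            raise ValueError("position report needs 168 bits")
        out["nav_status"] = field(bits, 38, 4)
        out["sog_knots"] = field(bits, 50, 10) / 10.0
        # Longitude and latitude are signed values in 1/10000 of a minute.
        out["lon"] = field(bits, 61, 28, signed=True) / 600000.0
        out["lat"] = field(bits, 89, 27, signed=True) / 600000.0
    return out


# Sample type-1 payload: MMSI 477553000, moored, near 47.58 N / 122.35 W.
SAMPLE_PAYLOAD = "177KQJ5000G?tO`K>RA1wUbN0TKH"

if __name__ == "__main__":
    sentence = build_aivdm(SAMPLE_PAYLOAD)
    print(sentence)
    print(decode_position_report(parse_aivdm(sentence)))
```

The checksum check matters in practice: a receiver feeding AIS into a chart plotter should drop sentences that fail it, since a single flipped bit in the armored text shifts every field after it.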

Unlocking Almost Any Vehicle with an SDR or Arduino

Earlier this week wired.com released a story reporting that researchers from the University of Birmingham have discovered two vulnerabilities that can be used to unlock almost any car. The first vulnerability concerns Volkswagen Group vehicles (VW, Audi, SEAT, Skoda) sold since 1995. Essentially, their research found that the keyless entry systems of VW Group vehicles rely on only a few global master keys, which they were able to recover by reverse engineering an undisclosed component used in a VW car. Then, by sniffing the wireless key’s signal with an RF module or an SDR like the RTL-SDR or HackRF, they were able to recover the cryptographic algorithms used and, together with the global key, clone the wireless key signal, which can then be re-transmitted with a simple Arduino.

In their second set of findings, the researchers write how they were able to crack the Hitag2 rolling code system, which is used in many vehicles such as Alfa Romeo, Chevrolet, Citroen, Dacia, Fiat, Ford, Lancia, Mitsubishi, Nissan, Opel, Peugeot and Renault. Again, the hack works by sniffing a few wireless keyfob rolling code signals with an SDR or other device. Once the signals have been sniffed, a simple laptop computer can reportedly break the encryption within one minute.

Here are some interesting excerpts from the conclusions of the paper:

The results of this paper show that major manufacturers have used insecure schemes over more than 20 years. Due to the widespread use of the analyzed systems, our findings have worldwide impact. Owners of affected vehicles should be aware that unlocking the doors of their car is much simpler than commonly assumed today. Both for the VW Group and the Hitag2 rolling code schemes, it is possible to clone the original remote control and gain unauthorized access to the vehicle after eavesdropping one or a few rolling codes, respectively. The necessary equipment to receive and send rolling codes, for example SDRs like the USRP or HackRF and off-the-shelf RF modules like the TI Chronos smart watch, are widely available at low cost.

A successful attack on the RKE and anti-theft system would also enable or facilitate other crimes:

– theft of the vehicle itself by circumventing the immobilizer system or by programming a new key into the car via the OBD port with a suitable tool

– compromising the board computer of a modern vehicle, which may even affect personal safety, e.g., by deactivating the brakes while switching on the wiping system in a bend

– inconspicuously placing an object or a person inside the car. The car could be locked again after the act

– on-the-road robbery, affecting the personal safety of the driver or passengers if they (incorrectly) assume that the vehicle is securely locked

Note that due to the long range of RKE systems it is technically feasible to eavesdrop the signals of all cars on a parking lot or at a car dealer by placing an eavesdropping device there overnight. Afterwards, all vulnerable cars could be opened by the adversary. Practical experiments suggest that the receiving ranges can be substantially increased: The authors of [18] report eavesdropping of a 433 MHz RFID system, with technology comparable to RKE, from up to 1 km using low-cost equipment.

The findings were presented at the USENIX Advanced Computing Systems Association conference during August 10-12, 2016 in Austin, TX. The white paper is titled “Lock It and Still Lose It—On the (In)Security of Automotive Remote Keyless Entry Systems” and can be downloaded here. Of course, they did not publish the actual VW master keys in their paper, and they notified VW and NXP (who make the Hitag2 chips) in advance, noting that Hitag2 had actually been broken several years prior.

Back in February we showed how Samy Kamkar was able to bypass rolling codes with his RollJam device; however, the findings by these researchers are different in that they are actually able to generate new rolling codes, such that a simple Arduino with a transmitter can act as a second wireless remote.

A $40 Arduino which can be used to record wireless rolling codes, then transmit new ones once the encryption has been broken.

New Outernet Products For Sale: E4000 RTL-SDR, L-Band Patch Antenna, L-Band LNA

Outernet is a new satellite service that aims to be a free “library in the sky”. They continuously broadcast services such as news, weather, videos and other files from satellites. Their aim is to provide up to date information to users in locations with little to no internet (rural, third world and sea), or in countries with censored internet. It may also be of interest to disaster preppers. Currently they have an active Ku (12 – 18 GHz, though due to be discontinued shortly) and C-band (4 – 8 GHz) satellite service, and now recently have their L-band (1.5 GHz) service active. The L-band signal is currently broadcasting at 1539.8725 MHz over the Americas, 1545.525 MHz over Europe/Africa/India and 1545.9525 MHz over Asia/Pacific.

To receive their L-Band service you will need an RTL-SDR capable of receiving 1.5 GHz, like an R820T/2 RTL-SDR (preferably at least passively cooled, like our RTL-SDR Blog models, as some R820T/2 units tend to fail at 1.5 GHz without cooling) or an E4000 dongle. You will also need an appropriate L-Band antenna and L-Band amplifier.

To help with these hardware requirements, Outernet have just released for sale an E4000 RTL-SDR with bias tee enabled ($39), an L-band satellite patch antenna ($24) and an L-Band LNA ($19). There is also an E4000 + LNA bundle ($49) available. The E4000 comes in a metal case and has the bias tee always on. The LNA requires bias tee power and is also compatible with our RTL-SDR Blog units that have the bias tee. The patch antenna is tuned for 1525 – 1559 MHz and is the production version of the prototype antenna we used in our Inmarsat STD-C tutorial. Combined with an LNA we found that the patch antenna gives good performance and can also be used to receive other services such as Inmarsat STD-C and AERO. Currently shipping is only available within the USA, but they write that they will have international shipping available shortly.

EDIT: For international buyers, the Outernet store has now started selling these products at http://store.outernet.is.

The L-Band Outernet signal decoders aren’t finalized yet, but we expect them to be released in a matter of days to weeks. They will have decoders available for the $9 CHIP computer and Raspberry Pi 3 platforms. The way it works is that you plug your RTL-SDR, with L-band LNA and patch antenna connected, into the CHIP or Raspberry Pi 3 running their customized image. The CHIP/Pi3 then broadcasts a WiFi access point which you can connect to with any device and access the files as they are downloaded. Once these decoders are released we’ll do a full tutorial on receiving the Outernet L-Band service with an RTL-SDR.

The Outernet L-Band Patch Antenna
The Outernet L-Band LNA
The Outernet E4000 RTL-SDR in metal case with bias tee.

Using a Yardstick One, HackRF and Inspectrum to Decode and Duplicate an OOK Signal

Over on his YouTube channel user Gareth has uploaded a video that shows a full tutorial on quickly decoding an On Off Keyed (OOK) signal with a HackRF (or RTL-SDR) and the Inspectrum software. Once decoded he then shows how to use a Yardstick One to duplicate the signal.

Inspectrum is a Linux based program that allows you to easily determine various parameters of a digitally modulated signal by positioning an overlay over the waveform of a signal recorded with an SDR. Basically, Gareth’s process is to first extract signal level values using Inspectrum, then use a simple Python program to turn these values into binary bits, which gives him the data packet. He is then able to write another quick Python program to interface with the Yardstick One and retransmit the string.
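The middle step, turning a list of signal level values into bits, is the part most people have to write themselves. The following is an added example, not Gareth's script from the video: it thresholds the samples, aligns a symbol grid to the first rising edge of the burst, takes a majority vote over each symbol period so single noisy samples do not flip a bit, and packs the result into hex. The samples-per-symbol figure is the value you would read off the Inspectrum overlay (sample rate divided by the symbol rate); the input burst here is constructed with a little Gaussian noise so the example runs offline.

```python
# Added example (not the script from the video): OOK level samples -> bits -> hex.
import random


def slice_ook(samples, samples_per_symbol, threshold=None):
    """Return the bit string carried by an OOK burst.

    samples: sequence of signal magnitudes (e.g. levels exported from Inspectrum)
    samples_per_symbol: symbol period in samples (sample rate / symbol rate)
    threshold: level separating 'on' from 'off'; defaults to the midpoint
    The burst is assumed to start with a '1' symbol, which is what the rising
    edge locks onto; leading '0' symbols cannot be distinguished from silence.
    """
    if threshold is None:
        threshold = (max(samples) + min(samples)) / 2.0
    high = [s > threshold for s in samples]
    # Align the symbol grid to the first rising edge of the burst.
    start = next((i for i in range(1, len(high)) if high[i] and not high[i - 1]), None)
    if start is None:
        return ""
    bits = []
    for i in range(start, len(high) - samples_per_symbol + 1, samples_per_symbol):
        window = high[i:i + samples_per_symbol]
        # Majority vote over the symbol period tolerates noise on single samples.
        bits.append("1" if sum(window) * 2 > len(window) else "0")
    return "".join(bits)


def bits_to_hex(bits):
    """Pack a bit string into hex, zero-padding the final byte."""
    padded = bits + "0" * (-len(bits) % 8)
    return "".join(f"{int(padded[i:i + 8], 2):02x}" for i in range(0, len(padded), 8))


def synth_ook(bits, samples_per_symbol, lead_in=15, noise=0.05, seed=1):
    """Constructed test signal: silence, then the bits as a 1.0/0.0 burst plus noise."""
    rng = random.Random(seed)
    levels = [0.0] * lead_in
    for b in bits:
        levels.extend([1.0 if b == "1" else 0.0] * samples_per_symbol)
    return [level + rng.gauss(0, noise) for level in levels]


SAMPLE_BITS = "1010011100110101"  # constructed packet content
SPS = 20                          # assumed samples per symbol

if __name__ == "__main__":
    signal = synth_ook(SAMPLE_BITS, SPS)
    decoded = slice_ook(signal, SPS)
    print(decoded, bits_to_hex(decoded))
```

If the decoded string drifts into wrong bits toward the end of a long burst, the samples-per-symbol value is slightly off; re-measure the symbol period over several symbols in Inspectrum rather than over one.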

The Yardstick One is a multipurpose radio (not an SDR) for transmitting modulated signals like OOK.

My quickest and easiest method for OOK signal decoding & replication in 2016

Receiving DAB with a Raspberry Pi 3 and RTL-SDR

Over on his blog Michael Carden has produced a tutorial showing us how to use SDR-J on the Raspberry Pi 3 for receiving Digital Audio Broadcast (DAB) radio. DAB is a type of digital broadcast radio used in several countries outside of the USA for general broadcast radio programs. It usually provides clearer digital audio compared to FM broadcast.

His post starts from scratch, showing how to create a Raspberry Pi image file and configure the Pi, then shows how to install and use SDR-J.

SDR-J is also available for Windows and is compatible with the RTL-SDR and other radios such as the Airspy and SDRplay.

SDR-J Running on Windows.

RTLSDR4Everyone Four New Posts: Janilab Preamp Review, Why Use a Preamp?, Small ADS-B Antennas Review, SDRUno User Guide

Akos from the RTLSDR4Everyone blog has recently posted four new articles. The first article reviews the Janilab LNA Preamp, which has a frequency range of 1 MHz to 3 GHz and an adjustable gain. In the review he compares reception with and without the preamp at shortwave frequencies and at ADS-B frequencies. Finally, he also compares it against the LNA4ALL and LNA4HF, and notes that they generally have better specs than the Janilab preamp, but the disadvantage is needing two of them to cover HF + VHF/UHF, meaning an increase in cost.

In his second post Akos explains when and why you should use a preamp. Basically he explains how the lower noise figure of the preamp can help improve SNR.
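The reasoning behind that claim is the Friis cascade formula: the first stage's noise figure counts in full, and every later stage's excess noise is divided by the gain in front of it. The following is an added example, not from Akos's post, that applies the formula to three setups: a feedline straight into the dongle, a preamp at the antenna, and the same preamp placed next to the dongle. The 3 dB feedline loss, the 6 dB receiver noise figure and the 20 dB / 1 dB preamp are assumed, round numbers chosen for illustration, not measured values for any product.

```python
# Added example (not from the RTLSDR4Everyone post): Friis cascade noise figure.
import math


def db_to_lin(db):
    return 10 ** (db / 10.0)


def lin_to_db(x):
    return 10 * math.log10(x)


def cascade_noise_figure_db(stages):
    """Total noise figure in dB of a chain of (gain_db, noise_figure_db) stages.

    The list is ordered from the antenna side. Friis:
        F_total = F1 + (F2 - 1) / G1 + (F3 - 1) / (G1 * G2) + ...
    with all quantities linear; a passive loss of L dB has NF = L dB, gain = -L dB.
    """
    total_f = 0.0
    running_gain = 1.0
    for i, (gain_db, nf_db) in enumerate(stages):
        f = db_to_lin(nf_db)
        total_f += f if i == 0 else (f - 1) / running_gain
        running_gain *= db_to_lin(gain_db)
    return lin_to_db(total_f)


# Assumed illustrative stages: (gain_db, noise_figure_db)
COAX = (-3.0, 3.0)      # 3 dB of feedline loss
RECEIVER = (0.0, 6.0)   # assumed dongle front-end noise figure
PREAMP = (20.0, 1.0)    # assumed LNA: 20 dB gain, 1 dB noise figure


def compare():
    """Return (no preamp, preamp at antenna, preamp at receiver) system NF in dB."""
    without = cascade_noise_figure_db([COAX, RECEIVER])
    at_antenna = cascade_noise_figure_db([PREAMP, COAX, RECEIVER])
    at_receiver = cascade_noise_figure_db([COAX, PREAMP, RECEIVER])
    return without, at_antenna, at_receiver


if __name__ == "__main__":
    for label, nf in zip(("no preamp", "preamp at antenna", "preamp at receiver"), compare()):
        print(f"{label:20s} system NF = {nf:5.2f} dB")
```

With these numbers the system noise figure drops from about 9 dB to about 1.2 dB when the preamp sits at the antenna, but only to about 4.1 dB when it sits after the feedline, which is why a mast-mounted LNA powered over the coax (the bias tee setups discussed elsewhere on this page) pays off.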

In his third post Akos does a review on small ADS-B antennas. These are small whip type antennas that are tuned for 1090 MHz. In his testing he found that a telescopic antenna gave significantly better results than the ADS-B whip, but recognizes that these are designed for pilots and light aircraft owners who need a small, sturdy antenna.

Finally, in his fourth post he shows an updated beginners guide for SDRuno. SDRuno is the official software for the SDRplay RSP, but is also compatible with the RTL-SDR.

The LNA4ALL and LNA4HF vs the Janilab Preamp

Building a DIY DC Block for Bias Tees

One handy thing about using our bias tee enabled RTL-SDR dongles is that you can easily power a remote LNA, such as Adam’s LNA4ALL. The bias tee sends DC power down the coax cable, eliminating the need for a remote power supply. However, in our current iteration of the dongle the bias tee must be soldered on via a jumper, and once soldered it is permanently providing DC power down the coax cable. This is fine if you are always using an LNA, but if you one day want to remove the LNA and use a shorted antenna, you cannot. A shorted antenna is one designed with the center conductor and shield of the coax connected together, creating a DC short (e.g. J-pole and QFH antennas). If you connected a dongle with the bias tee on to a DC shorted antenna, you would short circuit the 5V bias tee.

Over on his blog Adam shows that a solution is to create a simple DC block component. A DC block is nothing more than a series capacitor. However, Adam points out some important tips, including the need to use a small 0603 sized SMD capacitor of 100pF in order to ensure operation over the entire frequency range that the RTL-SDR covers.
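A series capacitor is an open circuit at DC, so the 5V can no longer reach a shorted antenna, but at RF it adds reactance in series with the 50 ohm line, and that reactance (plus the package's parasitic inductance) sets the insertion loss at each frequency. The following is an added example, not from Adam's post, that computes that loss with the lossless series-element formula `IL = 10·log10(1 + (X / 2·Z0)²)` and sweeps it over the tuner range. The 0.5 nH equivalent series inductance for an 0603 part and the 24 MHz to 1.7 GHz tuning range are assumptions for illustration.

```python
# Added example (not from Adam's post): insertion loss of a series DC-block
# capacitor in a 50 ohm system, including an assumed package inductance.
import math


def series_reactance(freq_hz, c_farads, esl_henries=0.0):
    """Net reactance of a capacitor with equivalent series inductance (ohms)."""
    w = 2 * math.pi * freq_hz
    return w * esl_henries - 1.0 / (w * c_farads)


def insertion_loss_db(freq_hz, c_farads, esl_henries=0.0, z0=50.0):
    """Loss of a lossless series element of reactance X in a matched Z0 line.

    |S21| = 2*Z0 / |2*Z0 + jX|, so IL = 10*log10(1 + (X / (2*Z0))**2).
    """
    x = series_reactance(freq_hz, c_farads, esl_henries)
    return 10 * math.log10(1 + (x / (2 * z0)) ** 2)


def sweep(c_farads, esl_henries, f_start, f_stop, points=200):
    """(frequency, loss_db) pairs spaced logarithmically across the band."""
    ratio = (f_stop / f_start) ** (1.0 / (points - 1))
    out = []
    f = f_start
    for _ in range(points):
        out.append((f, insertion_loss_db(f, c_farads, esl_henries)))
        f *= ratio
    return out


def worst_case(c_farads, esl_henries, f_start, f_stop):
    """Frequency and loss of the worst point in the band."""
    return max(sweep(c_farads, esl_henries, f_start, f_stop), key=lambda p: p[1])


# Assumed values for the example: 100 pF 0603 part with ~0.5 nH ESL,
# evaluated over an assumed 24 MHz to 1.7 GHz tuner range.
C_BLOCK = 100e-12
ESL_0603 = 0.5e-9
BAND = (24e6, 1.7e9)

if __name__ == "__main__":
    for f in (24e6, 100e6, 433e6, 1.09e9, 1.7e9):
        print(f"{f / 1e6:8.1f} MHz  IL = {insertion_loss_db(f, C_BLOCK, ESL_0603):.3f} dB")
    f_worst, il_worst = worst_case(C_BLOCK, ESL_0603, *BAND)
    print(f"worst case {il_worst:.2f} dB at {f_worst / 1e6:.1f} MHz")
```

The sweep shows the block is essentially transparent from VHF through L-band and that the cost is concentrated at the bottom of the tuning range, where the capacitor's reactance is still a sizeable fraction of 100 ohms; at the top of the band the package inductance, not the capacitance, is what remains in series.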

A commercial DC block component (TOP) vs. Adam’s home made DC block component (BOTTOM)

NooElec RTL-SDR Giveaway on AmateurRadio.com

AmateurRadio.com and NooElec are currently running a big competition to give away 50 of their new SMA RTL-SDR dongles (branded as NooElec SMArt). To enter, simply go to the competition post on amateurradio.com and comment on their post (not ours!). The competition closes on August 7 at 20:00 UTC.

They are giving away a total of 50 units: two bundles that come with their SMA RTL-SDR and Ham-It-Up Upconverter, one bundle with a Raspberry Pi and RTL-SDR dongle, three double pack RTL-SDR + antenna bundles, ten double packs of RTL-SDR dongles, ten RTL-SDR + antenna sets, and ten sets of just the RTL-SDR dongle itself.

The NooElec SMArt is NooElec’s latest RTL-SDR variant, which like ours comes with an SMA coax plug and metal enclosure.

NooElec SMArt giveaway on amateurradio.com