Tagged: rtl-sdr

GSM Sniffing: A Full YouTube Tutorial

Over on YouTube, user Crazy Danish Hacker has been uploading an entire series on GSM sniffing with an RTL-SDR. His presenting style is slow and clear, and the series starts at the very beginning with installing the RTL-SDR. It is not yet complete, but he is uploading a new video almost daily. Presumably the series will end by showing how to receive text messages and voice calls originating from your own cellphone.

So far he has shown how to install the RTL-SDR, identify GSM downlinks, install and use GQRX and kalibrate, locate nearby cell towers, install and use gr-gsm, and how to extract the TMSI and Kc key from your own cell phone. To obtain the TMSI and Kc he uses an Android tool called usbswitcher, which forces the phone to expose its USB modem interface, from which the values can be read.

The video below shows his teaser video on the series. Check out his GSM playlist to view the full series.

GSM Sniffing Teaser - Software Defined Radio Series!

ADS-B Traffic Analytics with Valo and an RTL-SDR

Valo is a software service for real-time big data streaming analytics of data from many sensors. On their website they explain their service as follows.

Valo is a single platform for streaming (real time) and batch (historical) data analysis. Valo provides multi-paradigm big data storage for both semi-structured and numerical data. Valo contains a powerful analytics engine for processing all of this data. Finally Valo is super simple – a single tool that can be up and running in minutes.

Recently Rémi Selva wrote in to let us know about an interesting use case for Valo that involves the RTL-SDR. In his post Rémi shows how he uses an RTL-SDR, a Raspberry Pi running dump1090, and Valo to create interesting visualizations of ADS-B aircraft data. He not only shows how to visualize the data in Valo, but also how to use queries to dig deeper into the data, looking for patterns.

Valo ADS-B Data Flow

Rémi writes that what he has done is simply a proof of concept that shows the power of Valo. He notes that one interesting future development could be using Valo to detect FBI/CIA surveillance aircraft. Previously we posted about how an RTL-SDR user discovered these surveillance aircraft by their odd circular flight paths. The Valo analytics engine could be used to automatically detect odd flight patterns such as those flown by these surveillance aircraft.
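The circular-flight-path detection idea in that paragraph, as an added illustration rather than anything from Rémi's post or from Valo: a small Python check that flags a position track (constructed lat/lon points of the kind a dump1090 feed would supply) when it accumulates a full turn while staying inside a small area. The thresholds and the two sample tracks are assumptions.

```python
import math

# Constructed sample tracks (not real ADS-B data). Each point is
# (latitude, longitude) in degrees, like the lat/lon fields dump1090 emits.
def orbit_track(center_lat, center_lon, radius_km=3.0, steps=36, turns=1.25):
    """Aircraft orbiting a point clockwise for `turns` revolutions."""
    pts = []
    for i in range(int(steps * turns) + 1):
        ang = 2 * math.pi * i / steps
        dlat = (radius_km / 111.0) * math.cos(ang)
        dlon = (radius_km / (111.0 * math.cos(math.radians(center_lat)))) * math.sin(ang)
        pts.append((center_lat + dlat, center_lon + dlon))
    return pts

def straight_track(start_lat, start_lon, steps=36, dlat=0.02):
    """Aircraft flying due north on a straight leg."""
    return [(start_lat + i * dlat, start_lon) for i in range(steps + 1)]

def distance_km(p, q):
    """Equirectangular distance, accurate enough over tens of km."""
    lat0 = math.radians((p[0] + q[0]) / 2)
    dx = math.radians(q[1] - p[1]) * math.cos(lat0)
    dy = math.radians(q[0] - p[0])
    return 6371.0 * math.hypot(dx, dy)

def heading_deg(p, q):
    """Heading from p to q in degrees, 0 = north, 90 = east."""
    lat0 = math.radians((p[0] + q[0]) / 2)
    return math.degrees(math.atan2((q[1] - p[1]) * math.cos(lat0), q[0] - p[0])) % 360

def total_turn(track):
    """Signed sum of heading changes; +360 means one full clockwise loop."""
    hdg = [heading_deg(track[i], track[i + 1]) for i in range(len(track) - 1)]
    return sum((hdg[i + 1] - hdg[i] + 180) % 360 - 180 for i in range(len(hdg) - 1))

def is_circling(track, min_turn_deg=360.0, min_path_ratio=2.0):
    """Flag a track that completes a full turn while staying in a small area."""
    if len(track) < 8:
        return False
    path = sum(distance_km(track[i], track[i + 1]) for i in range(len(track) - 1))
    lats = [p[0] for p in track]
    lons = [p[1] for p in track]
    extent = distance_km((min(lats), min(lons)), (max(lats), max(lons)))
    if extent == 0:
        return False
    # A straight leg has path/extent of about 1; a loitering orbit is much higher.
    return abs(total_turn(track)) >= min_turn_deg and path / extent >= min_path_ratio
```

Fed a per-aircraft list of positions from a dump1090 feed, `is_circling` would mark the orbiting tracks; a real deployment would also want a time window, since a long flight can accumulate 360 degrees of turn without loitering.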

Plotting the history of aircraft coming into land at HK airport

Kukuruku: A new SDR client that supports RTL-SDR

A new general-purpose SDR software package called “Kukuruku” has recently been released. It appears to be a Linux-only client built on GNU Radio. The authors list several interesting features, which we quote below:

Network transparency. Process the data remotely and send to the client only waterfall pixels and filtered narrowband channels instead of the entire SDR baseband. With this, you can use the SDR remotely over WAN.

Multiple demodulators running at once. How the hell can this be missing?

History browsing. It happens to me all the time: I see a new station scrolling on the waterfall. Before I manage to tune to it, it disappears (or at least the callsign is over). I have 8 GB of RAM, so why can’t I store the last minute of the entire SDR baseband for future reference?

Pluggable demodulators. Why is it so much pain to add GSM, Tetra, Tetrapol and other modes to existing software? I just want to provide a binary and have the data piped to stdin.

Squelch sucks. The squelch should not care about absolute signal level, but about level relative to surrounding channels. Additionally, it should have hysteresis and a small buffer, so when it triggers, it correctly replays the beginning of the conversation. Oh, and when recording, the squelch should timestamp the parts of conversation.

Histogram. It is difficult to see clipping on the FFT output. Why don’t we have a histogram of samples?

Autotune/AFC. Obvious.

Scanner. Both for automatically demodulating all peaks in the spectrum and for retuning the SDR and finding stations. Even the crappiest rtl-sdr has 2 MHz bandwidth and can retune in 50 ms. This means 1600 channels per second. Compare this with commercial scanners.

At the moment one interesting plugin for Kukuruku is the TETRA plugin. The plugin appears to use tetra-listener and TETRAPOL-kit as the demodulators, and simply passes the signal data to them for decoding and audio output.

The installation instructions can be found in the user guide. So far we unfortunately haven’t been able to install and test the software due to several compilation errors, so if anyone tries it out and gets it to work, please post any installation tips in the comments.

Kukuruku running and demodulating TETRA audio with a plugin.

rx_tools: RTL-SDR Command Line Tools (rtl_power, rtl_fm, rtl_sdr) Now Compatible With Almost Any SDR

Developer R. X. Seger has recently released rx_tools, which provides SDR-independent ports of the popular RTL-SDR command line tools rtl_power, rtl_fm and rtl_sdr. This means that these tools can now be used with almost any SDR, such as the bladeRF, HackRF, SDRplay, Airspy and LimeSDR. If you don’t know what the tools do, here is a quick breakdown:

rtl_fm / rx_fm: Allows you to decode and listen to FM/AM/SSB radio.
rtl_sdr / rx_sdr: Allows you to record raw samples for future processing.
rtl_power / rx_power: Allows you to do wideband scans over arbitrarily wide swaths of bandwidth by hopping over and recording signal power levels over multiple chunks of spectrum.

rx_tools is based on SoapySDR, which is an SDR abstraction layer. If software is developed against SoapySDR, it can be used with any SDR for which a Soapy plugin exists. This removes the need to rewrite software for each different SDR; instead, only the plugin needs to be written once per device.

rx_power scan with the HackRF at 5 GHz over 9 hours.

RTLSDR4Everyone: Avoiding RTL-SDR Rip-Offs Part 2

Over on his blog Akos has uploaded a new post that discusses avoiding RTL-SDR rip-offs on sites like eBay. On auction sites there are many dishonest sellers who sell or resell items at overly high prices, hoping that someone will make a mistake and purchase from them.

Akos also points out that most of the “full band” direct sampling based RTL-SDRs are incredibly overpriced. We note that for the same or an even cheaper price you could pick up a regular RTL-SDR dongle plus an upconverter and enjoy much better performance, or, as Akos notes, purchase a Soft66RTL3 or RSP. He also points out overpriced dedicated ADS-B sticks, which are now outperformed by even the cheapest RTL-SDR dongles. Finally, he advises avoiding sellers who simply combine RTL-SDR dongles into strange contraptions mounted on a small camera tripod and sell them at high prices.

Strange RTL-SDR ripoff contraption at a much higher price.

IBM’s Horizon Decentralized Autonomous Edge Compute using RTL-SDR

IBM’s “Horizon” is an Internet of Things (IoT) networking technology based on the decentralized peer-to-peer techniques already used in successful applications like Bitcoin and BitTorrent. It works through a Horizon app that accesses your local data and sends data to and receives data from the Horizon P2P system. Currently Horizon is an experimental project, but they already have two proof of concept projects up and running that use the RTL-SDR.

In their first RTL-SDR based proof of concept they show how they used the RTL-SDR to create a decentralized, Horizon-based ADS-B aircraft tracker that runs on a Raspberry Pi 2. A Horizon user can contribute data to the cloud, and data from users all over the world is aggregated to create a complete map of aircraft. To see data from current contributors go to bluehorizon.network/map/.

ADS-B data received by IBM Horizon servers.

The second RTL-SDR based proof of concept is a radio spectrum analysis application which scans the spectrum from 24 MHz to 1.75 GHz and sends the waterfall data to the cloud. This also runs on the Raspberry Pi 2. You can contribute spectrum to the cloud and you can also search the cloud for a device anywhere in the world that will allow you to listen to its RTL-SDR server. Currently the implementation allows you to view the waterfall of a remote RTL-SDR server and capture a 30 burst of audio from any frequency.

Remote Radio Scan with IBM Horizon and an RTL-SDR.

To try the radio spectrum app on a real server go to bluehorizon.network/map/, click the cog icon in the top left and deselect everything but the ‘sdr’ check box. Then search the map for an SDR (at the moment there are only contributors in the USA and one in Germany), click on the blue dot, and select the radio tower icon that pops up. In the new screen you can use the mouse wheel and click and drag to move the frequency. You can use the capture waterfall and Radio capture buttons in the left menu. After clicking a button the job will take a few seconds to run and complete.

It will be an interesting future when SDRs all over the world are accessible in the cloud, and this could lead to many new applications. Apart from RTL-SDR based applications, they also write about using Horizon to share weather station data and to measure internet network speed.

IBM Horizon data flow

A Guide to Listening to CB Radio with an RTL-SDR Dongle

In the June edition of The Spectrum Monitor, SDR enthusiast and ham Mario Filippi N2HUN published an article titled “Your New CB ‘Good Buddy’, the SDR Dongle”. While the CB radio heyday is well and truly over, Mario discusses how an RTL-SDR dongle can be used to have some fun listening to CB without needing to go out and buy a full CB radio. If you don’t know what CB radio is, Mario explains what it is, and its rise and fall, in these excerpts:

In the mid-1970’s an early form of social media was sweeping across the country known as CB (Citizens Band) radio. In those years the FCC required CB radio operators to obtain a license, easily gotten by filling out FCC form 505, paying the fee ($20 or $4 depending on what year you applied), and waiting very patiently, usually two to three months for your license to arrive by mail with your call sign.

The concept of wirelessly communicating with others without studying for a licensing exam somehow caught on and was embraced by the American public. As a result, in the mid-70’s CB sets started flying off the shelves by the millions to appease this new insatiable appetite of Americans to talk over the air with their “good buddies” (CB slang for friend). Other major factors played into the oncoming tsunami of CB’ers: gasoline was getting scarce as a result of the recent oil embargo, prices were quickly escalating at the pump, and the Interstate Highway maximum speed was lowered to 55 MPH prompting drivers with heavy feet to communicate the whereabouts of radar-enabled local police (CB slang: Smokies or Smokey Bears) or the cheapest place to fill up. In addition, traffic information such as road conditions, accidents, speed traps and the best greasy spoon location was now available to the commuting public by simply turning on the CB radio and tuning to the trucker’s Channel 19, the epicenter for the latest road-related poop.

By the late ‘70’s there were so many CB’ers congregating on the air causing non-stop channel chatter and ignoring FCC regulations (C.F.R. Part 95) that Uncle Charlie (CB slang for the FCC) eventually dropped the license requirement. The American public now ruled the airways with expanded 40 channel radios and pandemonium. Call signs were replaced by nicknames or “handles” and everyone prided themselves with their own, unique self-descriptive moniker when “ratchet-jawing” (slang for talking a lot) on their CB radio. But when the early 80’s rolled around the public’s fleeting romance with this mode of communication had dwindled markedly and only the diehards remained on the air in happy solitude.

The article goes over several points which may be useful to those who did not play around on CB back in its popular days. He explains how CB radio occupies frequencies between 26.965 MHz and 27.115 MHz, and how you should use an appropriately large CB antenna, such as a 43 foot S9 vertical. He also notes how CB reception is affected by ionospheric conditions, and how on a good day (unlike the lower frequencies, CB is usually open during the day rather than at night) you can actually receive CB radio from all over the world, including Europe, the Caribbean and the US.

As the article is part of The Spectrum Monitor magazine it is not free to read, but each monthly edition costs only $3 USD and comes with multiple articles from other authors too, which makes it quite a good bargain read every month. You can find the June edition at http://www.thespectrummonitor.com/june2015tsm.aspx.

CB Radio coming in with an RTL-SDR and CB antenna on SDRSharp.

RTLSDR4Everyone: Review of the Nooelec SMArt SDR, Direct Sampling and Generic vs Premium Dongles

RTL-SDR enthusiast and blogger Akos has recently uploaded three new articles. In his first article he discusses what he believes are the differences between, and advantages of, generic versus premium branded RTL-SDR dongles.

In his second article he shows how easy it can be to perform the direct sampling mod on newer dongles, as most have direct sampling breakout pads. He shows that it can be as easy as sticking a wire into these holes. Please note that if you do this we would caution you to take decent ESD precautions, as these pins are not ESD protected.

In the third article he reviews the recently released Nooelec SMArt dongle. The SMArt is a new RTL-SDR variant which comes in a smaller black case, with cooling via thermal pads and an SMA connector. With these modifications it is very similar to our RTL-SDR.com units; the one advantage of the SMArt is that it is small enough to fit two side by side on closely spaced USB ports, such as on the Raspberry Pi. In the post he shows what is inside the SMArt and discusses various points such as heat generated, included antennas and performance.

Inside the new Nooelec SMArt RTL-SDR dongle.