Over on YouTube Double A Labs has posted a new video demonstrating how to use an RTL-SDR and Android device to receive broadcast FM stations, and to decode any associated RDS data.
In the video Double A uses the SDR Touch Android app and the Advanced RDS function to show the RDS information. He goes on to explain the various pieces of information RDS data provides including clock time, active RDS groups and alternative frequencies.
Tune broadcast FM radio and decode Radio Data System (RDS) information using your Android phone and an RTL-SDR USB (see parts list below). RDS can include station identification, song name, the current time for a receiver to sync its clock, alternative frequencies the same program is on, and more!
Tuning FM Radio & Decoding RDS Data on ANDROID using RTL-SDR USB
Back in September 2021 we posted about Manahiyo's software that allows the RF spectrum and related graphs to be viewed in virtual reality, using a VR headset and an RTL-SDR. Back then the software was only demonstrated on YouTube, but not released.
A few days ago Manahiyo released the VR software on GitHub. The software requires an Oculus/Meta Quest 2 VR headset, and it is able to run directly on the headset's computing hardware. This makes it possible to have the RTL-SDR attached to the headset itself.
Over on his YouTube channel Frugal Radio, Rob has uploaded a new video whilst on holiday travelling through the USA. In the video he shows what sort of scanner radios, antennas and SDR gear he carries with him on his travels. His gear includes a Uniden SDS-100 scanner, a BCD325 scanner, a Radio-Tone RT4 internet network radio and of course an RTL-SDR Blog V3 and laptop.
He goes on to demonstrate the hardware in action from his hotel room, decoding local digital audio.
A peek in Frugal's Travel Bag : SDR & Scanner gear on the road
A few months ago university student Ayyappan Rajesh and HackingIntoYourHeart reported cybersecurity vulnerability CVE-2022-27254. This vulnerability demonstrates how insecure the remote keyless locking system on various Honda vehicles is, and how easily it is subject to very simple wireless replay attacks. A replay attack is when a wireless signal, such as a door unlock signal, is recorded and then played back at a later time with a device like a HackRF SDR.
Most car manufacturers implement rolling code security on their wireless keyfobs which makes replay attacks significantly more difficult to implement. However, it appears that Honda Civic models (LX, EX, EX-L, Touring, Si, Type R) from years 2016-2020 come with zero rolling code security:
This is a proof of concept for CVE-2022-27254, wherein the remote keyless system on various Honda vehicles sends the same, unencrypted RF signal for each door-open, door-close, boot-open and remote start (if applicable). This allows for an attacker to eavesdrop on the request and conduct a replay attack.
Various news agencies reported on the story, with "The Record" and BleepingComputer contacting Honda for comment. Honda spokesperson Chris Martin replied that it “is not a new discovery” and “doesn’t merit any further reporting,” further noting that “legacy technology utilized by multiple automakers” may be vulnerable to “determined and very technologically sophisticated thieves.” Martin went on to note that Honda has no plans to update their vehicles to fix this vulnerability at this time.
In the past we've seen similar car hacks, but they have mostly been more advanced techniques aimed at getting around rolling code security, and have been difficult for real criminals to actually implement in the field. This Honda vulnerability means that opening a Honda Civic could be an extremely simple task achievable by almost anyone with a laptop and HackRF. It's possible that a HackRF and laptop are not even required. A simple RTL-SDR and a Raspberry Pi with the free RPiTX software may be enough to perform this attack for under $100.
Recording the "unlock" command from the target and replaying (this works on most if not all of Honda's produced FOBs) will allow me to unlock the vehicle whenever I'd like to, and it doesn't stop there at all. On top of being able to start the vehicle's ENGINE whenever I wished through recording the "remote start", it seems possible to actually (through Honda's "Smart Key" which uses FSK) demodulate any command, edit it, and retransmit in order to make the target vehicle do whatever you wish.
Tech YouTuber Lon.TV has recently uploaded a video demonstrating how to identify and decode various digital transmissions with an RTL-SDR dongle. In the video he explains how to use VB Cable to pipe audio from SDR# into various decoders, and then goes on to show DMR, APRS, POCSAG, L-Band AERO, FT8, and JS8/JS8CALL all being decoded via an RTL-SDR Blog V3 dongle.
Software Defined Radio Part 2 - Decoding Digital Transmissions with an RTL-SDR USB Radio
Thanks to all who submitted: we recently received some interesting tip-offs about the Netflix TV show Yakamoz S-245 featuring a scene with various hobbyist SDR and ham radio programs clearly visible. Yakamoz S-245 is a show about a submarine research mission, and the scene appears to depict military intelligence specialists using the programs.
The Financial Times has recently run a video story on how hobbyist WebSDR setups are being used to record Russian radio communications during the war on Ukraine.
In these modern times, we would expect the Russian military to be making full use of encrypted radio communications on the battlefield. But early in the invasion it became clear that much of the Russian force is far less advanced than first thought, and is using cheap civilian unencrypted radios that anyone nearby can listen to with an RTL-SDR or via a web-connected SDR.
The FT story focuses on how open source contributors from all over the world are helping to monitor internet-connected WebSDRs that are close enough to receive Russian radio communications, and on how volunteers are helping to translate, confirm authenticity, and collect information about possible war crimes.
DragonOS is a ready-to-use Ubuntu Linux image that comes preinstalled with multiple SDR software packages. The creator, Aaron, also runs a YouTube channel showing how to use the various packages installed.
In his latest video Aaron tests his Pi64 image with GR-GSM and IMSI Catcher running with the GNU Radio 3.10 platform on a Raspberry Pi 4. He tests operation with an RTL-SDR and LimeSDR.
GR-GSM is a GNU Radio based program capable of receiving and analyzing mobile GSM data. We note that it cannot decode actual messages without additional information about the encryption key, but it can be interesting to investigate the metadata. GSM is mostly outdated these days, but is still used in some areas by some older phones and devices. IMSI Catcher is a script that will record all detected GSM 'IMSI' numbers received by the mobile tower, which can be used to uniquely identify devices.
Short video setting up and testing GR-GSM on DragonOS Pi64 w/ GNU Radio 3.10 and the RTL-SDR. The current DragonOS Pi64 build has GNU Radio 3.8 and all the necessary tools to accomplish what's shown in this video. If you'd like to test the build shown in this video, it's temporarily available here until I finish and put it on SourceForge.
A LimeSDR and DragonOS Focal's Osmo-NITB-Scripts was used to create the GSM900 lab environment. The RTL-SDR was able to see and decode the GSM900 network and although only briefly shown in the video, the IMSI Catcher script works.
Here's the fork used for this video and for testing. There's also a pull request on the main GR-GSM repo for this code to be added.