Tagged: rtl2832

New RTL-SDR Driver for Android Developers

Android developers have a new RTL-SDR driver wrapper available to use called "RTL-SDR CP Driver". This driver by Evgeni Karalamov is designed to have an additional feature over the current Android RTL-SDR drivers in that it implements client application permission management. The overview reads:

RTL-SDR CP Driver utilises the rtl-sdr codebase and is meant to be kept in sync with the developments there. The provided interface mirrors the functionality of rtl_tcp in an Android way. Instead of via a TCP socket, the communication is carried out through file descriptors returned by a ContentProvider.

Since some potentially sensitive information could be captured through the SDR receivers, like indications of the device location, the RTL-SDR CP Driver implements permission control similar to that of the Android framework. Prior to accessing receivers, client applications have to ask the user for permission to access the driver by starting the driver's permission flow via startActivityForResult. Once the user grants access, their answer is remembered and they are not prompted again. The user has the ability to later revoke the permission from the driver's UI, accessible via the Android launcher.

The actual driver app can be downloaded from the Google Play Store. Note that this doesn't provide any functionality by itself. We will need to wait until apps take advantage of it.

RTL-SDR CP Driver Screenshots

Unlocking a Car with an RTL-SDR and Yardstick One

Over on his YouTube channel Kalle Hallden has uploaded a video demonstrating how to perform a replay and "rolljam" attack on a wireless car key with an RTL-SDR and Yardstick One. His first experiment is a simple replay attack which involves recording the unlock signal from the car key with the Yardstick One in a place far away from the car so that it is not received, then replaying it close by.

This works well, but Kalle then explains rolling code security and how this would easily thwart any replay attack in the real world. However, he then goes on to explain and demonstrate the "rolljam" technique, which is one known way to get around rolling code security. The demonstrations are obviously not full tutorials, but are just high level overviews of how wireless security can be defeated.

Hacking Into A Car!

TechMinds: Decoding GPS with an RTL-SDR

Over on his YouTube channel Tech Minds has uploaded a video showing how it's possible to receive and decode GPS signals with an RTL-SDR. To do this he uses one of our RTL-SDR Blog V3 dongles and a GPS patch antenna which is powered via the bias tee on the dongle.

On the software side he uses GNSS-SDRLIB and RTKLIB to decode the GPS signal. The result of the two programs is your current GPS coordinates which can be plotted on a map. Unfortunately in the video Tech Minds was unable to get the Google Maps display to work, but you can easily type the coordinates into Google maps yourself.

Decoding GPS using an RTL SDR Receiver


New ExtIO For rtl_tcp: Control R820T Bandwidth, Decimation, Auto Reconnect

A few days ago we posted about Hayati and others' work in creating a new release of the librtlsdr drivers which implemented some new interesting features. However, at the time of the post there was no GUI for actually making use of the features easily. Now Hayati has released a new rtl_tcp ExtIO interface

The interface exposes the ability to manually adjust the filtering within the R820T tuner. This is quite useful for managing out of band interference and raising overall dynamic range especially when trying to listen to a narrowband signal. It also exposes decimation controls, tcp connection features like auto reconnect and persistent connection, manual IF gain control, the ability to choose USB vs LSB tuning, and the ability to choose the highest stable sample rate of 2.56 MSPS.

The ExtIO interface is only available for SDR programs that support ExtIO, such as HDSDR. To test the ExtIO, first download and extract the latest librtlsdr release then run rtl_tcp from the command line. Extract and run the new ExtIO dll into the HDSDR folder, then run HDSDR, making sure to select the new dll when it asks on startup. You can then set the desired bandwidth and the matching decimation settings for that bandwidth.

The new ExtIO exposing new features

Automatically Starting rtl_tcp on a Remote PC via Android

Over on his YouTube channel M Khanfar has put together a tutorial for an interesting idea. The idea is to use an automatic SSH connection to tell your Windows PC to run rtl_tcp whenever you open SDRTouch or RFAnalyzer on your Android device. SDRTouch and RFAnalyzer are both Android based SDR applications and rtl_tcp is a server which allows both apps to connect to a remote RTL-SDR over a network connection.

To set this up, Khanfar first sets up OpenSSH on his Windows PC which allows a secure remote connection to the PC. On his Android device he then installs MacroDroid and RaspController. MacroDroid is an app that help you automate tasks on your Android device, and RaspController is an app designed for remotely controlling a Raspberry Pi, but also works on Windows via the SSH connection. These apps are then setup so that an SSH connection to the Windows PC is automatically opened whenever SDRTouch is run. From within the SSH connection rtl_tcp is then started.

Full text instructions are available in the video description.

Automate MacroDroid with RTL_TCP through OpenSSH under Windows 10

KerberosSDR Tracking a Drone Carrying an FM Beacon

KerberosSDR is our 4-channel phase coherent capable RTL-SDR unit that we previously successfully crowdfunded back in 2018.  With a 4-channel phase coherent RTL-SDR interesting applications like radio direction findingpassive radar and beam forming become possible. It can also be used as 4 separate RTL-SDRs for multichannel monitoring. KerberosSDR is currently in stock and available on the Othernet store.

Recently Zuokun Li et al from the University of East China Normal University published an open access conference paper that documents their results at using a KerberosSDR to track a drone. As typical drone control frequencies at 2.4 GHz are outside the range of the RTL-SDRs used on the KerberosSDR, they carried a 446 MHz FM beacon on the drone.

In their experiment they set up both circular and linear antenna arrays for the KerberosSDR, then flew the drone in front of the antenna array while recording the bearings calculated by the KerberosSDR system. The results showed that the KerberosSDR was able to successfully track the drone's bearing with either antenna array, however the linear array produced more accurate results as expected.

We note that a linear array cannot differentiate if an object is in front or behind the array. However, if this knowledge is known it can be used instead of a circular array to get more accurate bearings that are less affected by multipath.

If you're interested in this, you might also like our articles on using a KerberosSDR to track a weather balloon, to locate a P25 transmitter, or our Android app in car demos

The KerberosSDR + Drone Setup
Results from the drones at three locations.

New Updates to the librtlsdr RTL-SDR Driver Fork

Thank you to Hayati Ayguen for letting us know that he and others have submitted a slew of updates to the "librtlsdr" fork of the librtlsdr RTL-SDR drivers. The improvements made to the development branch are extensive and are pasted below, and Hayati also has also created some presentation slides about his improvements. Hayati also notes that there are several open issues being tracked, and he has labelled some as "help wanted" where help and testing would be appreciated.

If you have tested any of the new features of tools, please let us know how they work in the comments!

"Driver" Library Features

  • added support for special USB (vendor) VID 0x1209 (product) PID 0x2832: "Generic RTL2832U":
  • added support for using RTLSDR-Dongle from remote - see rtl_rpcd and README.rtlsdr_rpc
  • improvements for R820T/2 tuner also see https://codingspirit.de/librtlsdr-driver.pdf
    • added better bandwidth support
      • added smaller bandwidths, improving selectivity: 290, 375, 420, 470, 600, 860, 950, 1100, 1300, 1500, 1600, 1750, 1950 kHz. These are coarse measured values .. which might get adjusted in future.
      • bandwidth filters utilize tuner's low- and highpass filters at IF
    • added spectrum flipping (inside tuner) - and back in RTL2832
      • the band edges (low/high-pass) have different steepness; the steeper edge can be selected with the mixer sideband (rtlsdr_set_tuner_sideband()), to achieve better attenuation depending on signal scenario
    • added (automatic) control over VGA (variable gain amplifier)
      • VGA gain (besides LNA and Mixer) can be utilized and set to automatic, letting it controlled from RTL2832U. Having all automatic (AGC) including activation of digital AGC in RTL2832 (rtlsdr_set_agc_mode()), oversteering effects got reduced (a lot).
      • gain range now up to 100 dB
    • deactivated "Filter extension under weak signal" for a stable filter characteristic
    • added shifting of IF-center, to receive away from DC. See rtlsdr_set_tuner_band_center()
  • probably some more: it's highly probable, that this list is incomplete

"Driver" Library API

  • added rtlsdr_set_and_get_tuner_bandwidth(), which also delivers the bandwidth. [ with rtlsdr_set_tuner_bandwidth() does not deliver the bandwidth ]
  • added rtlsdr_set_tuner_band_center(), to set center of the filtered tuner band
  • added rtlsdr_set_tuner_sideband(), to set mixer sideband
  • added rtlsdr_set_tuner_gain_ext(), special for R820T/2 tuner
  • added rtlsdr_set_tuner_if_mode(), sets AGC modes in detail
  • added rtlsdr_set_ds_mode() including threshold frequency
  • added rtlsdr_ir_query()
  • added rtlsdr_set_opt_string() and rtlsdr_get_opt_help() for configuration of 'driver' - especially from command line
  • added rtlsdr_set_tuner_i2c_register(), rtlsdr_get_tuner_i2c_register() and rtlsdr_set_tuner_i2c_override() exposing hacking of tuner-specific I2C registers
  • added rtlsdr_get_ver_id(), to allow discrimination between osmocom library - or this fork
  • added rtlsdr_get_version()

Added Tools

  • added rtl_ir: display received IR signals.
    • requires the IR diode of an RTL-SDR - which might not exist!
  • added rtl_rpcd: a Remote Procedure Call server for RTL-SDR dongles.
    • for use, set environment variable "RTLSDR_RPC_IS_ENABLED"
    • optionally set environment varibales "RTLSDR_RPC_SERV_ADDR" and "RTLSDR_RPC_SERV_PORT". These default to "" and "40000".
    • requires cmake option WITH_RPC
  • added rtl_raw2wav: save rtl_sdr or rtl_fm's output (pipe) into a wave file, including some meta information like timestamp and frequency
  • added rtl_udp: same as rtl_tcp - just using UDP instead of TCP
  • added rtl_wavestat: display wave file meta information
  • added rtl_wavestream: stream raw data (in specified format)

Improved Tools

  • rtl_fm:
    • added command file option '-C', which can trigger actions depending on signal. have a look at README.rtlfm_cmdfile.
    • added command line interface option '-E rdc', to enable dc blocking on raw I/Q data at capture rate
    • added CLI option '-E rtlagc', to enable rtl2832's digital agc
    • added CLI option '-E bclo', to use tuner bandwidths low corner as band center
    • added CLI option '-E bchi', to use tuner bandwidths high corner as band center
    • added CLI option '-O', to set RTL driver options seperated with ':', e.g. -O 'bc=30000:agc=0'
    • added CLI option '-R', to specify number of seconds to run
    • added CLI option '-H', to write wave Header to file, producing a wave file with meta information, compatible with several SDR programs
    • added CLI option '-o', to request oversampling (4 recommended) for processing gain
  • not just rtl_fm, but many tools have more options. compare all the details by starting with command line option '-h'.

"Driver" Library's UDP-Server - only on Windows

  • enabled by cmake option PROVIDE_UDP_SERVER for tests. OFF by default
  • activated by rtlsdr_set_opt_string(): "port=1" or "port=<udp_port>", default port number: 32323
  • purpose is to allow configuration at runtime with a simple text protocol, e.g. with netcat
  • for detailed protocol, see comment section in parse() of librtlsdr.c. or look for sections with '#ifdef WITH_UDP_SERVER'


  • allows non-GPL programs, e.g. QIRX, to utilize the RTLSDR stuff in a license compliant way
  • added several control functions in rtl_tcp, not existing in osmocom release: UDP_ESTABLISH, UDP_TERMINATE, SET_I2C_TUNER_REGISTER, SET_I2C_TUNER_OVERRIDE, SET_TUNER_BW_IF_CENTER, SET_TUNER_IF_MODE, SET_SIDEBAND, REPORT_I2C_REGS
  • control functions documented in rtl_tcp.h
  • (by default) control port number 1234, configurable via command-line-interface (CLI)
  • response(s) at +1 of control port: 1235, configurable via CLI
  • protocol details in protocol_rtl_tcp.txt

YouTube Guide to Setting up and Running RTLion

RTLion is a software framework for RTL-SDR dongles that currently supports various features such as a power spectrum plot and frequency scanning. The software can run on a Raspberry Pi 3 and all features are intended to be accessed via an easy to use web browser interface, or via an Android app. The software can also be run with Docker, making it useful for IoT applications.

Over on YouTube M Khanfar has uploaded a comprehensive tutorial video explaining how to setup and run the RTLion server software on a Linux computer. He goes on to demonstrate and explain how to use the server via the web interface and also via the RTLion Android app.


RTLion Setup and Running Guide