Tagged: rtl2832

BSides Talk: Hacking RF Breaking what we can’t see

Over on YouTube the BSides Halifax channel has uploaded a recent talk given by Security Engineer Grant Colgan titled "Hacking RF Breaking what we can't see". In the talk Grant first shows the various bits of wireless devices that he tests, as well as the receiver equipment that he uses which includes a HackRF and RTL-SDR dongles. He goes on to show various live demos.

An often overlooked aspect of security is what happens when information is moving magically from one device to another with no wires. We know this as (usually) WiFi or Bluetooth and any attacks are usually based on these technologies. However, when you widen the scope to RF wireless communication, a lot more tools become available. In this talk I will be talking about the attack and doing live demos.

Elektro-L3 Geostationary Weather Satellite: Easy to Receive LRIT Signal Being Tested

Back in September 2020 we posted about the release of an X-Band decoder for the Elektro-L2 and Elektro-L3 Russian geostationary satellites. These satellites are receivable from Europe, the Middle East, Asia, Africa, South America and Australia. Unlike the HRIT and LRIT L-band transmissions from other geosynchronous satellites like GOES and GK-2A, the X-band Elektro signal is quite difficult to receive, requiring a large dish and more expensive hardware.

However, we've recently seen exciting news on Twitter that a new L-band LRIT transmission has been activated on Elektro-L3. Like the Korean GK-2A satellite, this L-band LRIT transmission at 1691 MHz should be much easier to receive, requiring only a WiFi dish, SAWBird GOES LNA and an RTL-SDR. We haven't yet confirmed whether, as with GK-2A, the smaller 600 x 400 mm WiFi dish is sufficient, or whether Elektro requires the larger 600 x 1000 mm dish size. (See our GOES satellite and GK-2A tutorial for information about the hardware being discussed in this paragraph.)

We note that the Elektro-L3 signal appears to be in testing, and the transmission could be turned on and off, or even turned off permanently. The transmission schedule is also not yet clear, although in this recent tweet @HRPTEgor has mapped out some current transmission times for Elektro-L3.

It is hoped that LRIT will also eventually be activated on Elektro-L2, and perhaps even HRIT will be activated too. It is also exciting that more Elektro-L satellites are planned to be launched from 2022 onwards, and we expect those will hopefully have LRIT and HRIT transmissions as well. To add further excitement, it is hoped that the L3 LRIT activation means that an LRIT or HRIT signal will be activated on the highly elliptical orbit (HEO) northern hemisphere Arctic monitoring ARKTIKA-M1 satellite launched in Feb 2021, as this satellite is derived from the Elektro-L design.

The LRIT activation of Elektro-L3 hopefully means that Europeans will finally have access to a geostationary weather satellite that can be easily received with modest, low-cost hardware. The current coverage map from Orbitron of the two Elektro satellites is shown below (note that Elektro-L2 LRIT does not appear to have been activated yet).

Elektro-L2 and Elektro-L3 Coverage (Currently only Elektro-L3 LRIT transmissions have been discovered)

Over on Twitter @aang254 has noted that he has already updated his SatDump software, adding support for Elektro LRIT decoding, and adding support for all of the available channels and for color. SatDump is available as a binary for Windows, and on Linux can be built from source. Experimentally, SatDump can also be built and run on Android.

The Tweet from @aang254 provides a nice sample image of what can be received.

Using an RTL-SDR Dongle to Receive Pictures from the ISS

Over on YouTube we've seen a good video from channel Ham Radio DX where presenter Hayden shows how to use an RTL-SDR to receive slow scan television (SSTV) images from the International Space Station (ISS). Often the ISS will transmit SSTV images down to earth on the VHF 2 meter band as part of an event. With an RTL-SDR and simple antenna it's possible to receive those images.

In the video Hayden discusses the SSTV transmission, and demonstrates some SSTV decoding happening in real time as the ISS passes over his location. If you're looking to get started in ISS SSTV reception, this is a good video to get an idea of what's involved. He finishes the video with some useful tips for reception.

Using a RTL SDR Dongle to receive pictures from the ISS! | Software Defined Radio

Dump1090 now Available as an Android App

ebcTech, the company that makes AIS Share for Android, has recently released an Android app version of Dump1090. Dump1090 is a popular command-line ADS-B decoder for RTL-SDR dongles which allows you to receive and plot the locations of nearby aircraft on a map.

The app directly accesses the RTL-SDR via a USB OTG connection and provides a list of aircraft with planespotters.net image lookup, and a Google map display. The app is free; however, there is a message limit on received aircraft which can be unlocked via a low-cost in-app purchase.

The author also wrote in and wanted to make a note about a special feature: "In the app you can add Airport layers – This now consists of 4480 Airports – most of them with corresponding homepage address / or Wikipedia link."

Dump1090 Android App

Using an RTL-SDR in Dual-Comb Spectroscopy using Diode Lasers

Thank you to Antonio from the Polytechnic University of Madrid, Department of Photonic Technology and Bioengineering for writing in and sharing with us his team's latest research titled "Dual-Comb Spectrometer Based on Gain-Switched Semiconductor Lasers and a Low-Cost Software-Defined Radio". The research involves the use of an RTL-SDR Blog V3 dongle in place of an expensive digital oscilloscope for measuring the output of a dual-comb spectrometer. The abstract of the paper reads as follows:

Dual-comb spectroscopy has become a topic of growing interest in recent years due to the advantages it offers in terms of frequency resolution, accuracy, acquisition speed, and signal-to-noise ratio, with respect to other existing spectroscopic techniques. In addition, its characteristic of mapping the optical frequencies into radio-frequency ranges opens up the possibility of using non-demanding digitizers.

In this paper, we show that a low-cost software defined radio platform can be used as a receiver to obtain such signals accurately using a dual-comb spectrometer based on gain-switched semiconductor lasers.

We compare its performance with that of a real-time digital oscilloscope, finding similar results for both digitizers. We measure an absorption line of a H¹³C¹⁴N cell and obtain that for an integration time of 1 s, the deviation obtained between the experimental data and the Voigt profile fitted to these data is around 0.97% using the low-cost digitizer while it is around 0.84% when using the high-end digitizer.

The use of both technologies, semiconductor lasers and low-cost software defined radio platforms, can pave the way towards the development of cost-efficient dual-comb spectrometers.

The paper can be freely accessed on IEEE Access which is open access.

We note that in the past we've also seen an RTL-SDR used as part of a low-cost ozone spectrometer experiment, and an Airspy used in an optical FM spectroscopy experiment.

Dual-comb Optical Spectroscopy setup with an RTL-SDR Blog V3

Receiving pH Readings from a Wireless Medical Implant with RTL-SDR

Over on Hackaday we've learned about an interesting investigation by James Wu who was recently implanted with a stomach pH (acidity) monitoring device called the "Medtronic Bravo Reflux Capsule". Whilst inspecting the patient demo capsule James noted that the device transmitted data wirelessly via a very small low power transmitter, in particular noticing a telltale "433" written on a component on the device, indicating that it uses the 433 MHz ISM band.

Back at home he pulled up the FCC filing for the device, which revealed that it is OOK-PWM modulated and operates at 433.92 MHz. The filing also noted that the implant transmits a 59-bit data packet every 12 seconds, and contained a nice breakdown of the packet structure, making the signal easy to decode.

With all the information about the device's wireless transmissions now known, James grabbed his RTL-SDR and fired up SDR# to confirm that the signal was indeed transmitting every 12 seconds at 433.92 MHz. Next he was able to decode the data from the device by inputting the protocol information learned from the FCC filing into an rtl_433 command line string.

After a bit of further work James discovered that the pH data was actually two readings in one data string. At this stage he finally had the pH reading; however, it was represented as an 8-bit ADC reading with a value between 0 and 255. James plotted the relationship between the 8-bit raw ADC reading and the pH value shown on the official Medtronic receiver. With this he was able to determine a linear relationship between the ADC reading and real pH reading, but notes that there may be a more accurate calibration curve required for actual medical use.

Decoding pH readings from a stomach implant with an RTL-SDR

If you're interested in wireless medical devices, in the past we've seen how SDRs could be used to not only receive data coming from Minimed Insulin pumps, but to maliciously control them with a HackRF too. We've also seen that data could possibly be received from implanted heart defibrillators as well.

uSDR: A Lightweight Multimode SDR Receiver Program for Windows

Thank you to Viol Tailor for submitting news about the release of his general purpose multimode software defined radio receiver program for Windows called "uSDR" or "microSDR". Viol writes that uSDR is designed as a lightweight binary with a simple and compact user interface and highly optimized DSP to minimize CPU usage, hence the "micro" part of the name.

The software is compatible with RTL-SDR, Airspy, BladeRF, HackRF and LimeSDR radios. It has features including demodulation, base band and pass band recording, playback, and spectrum and waterfall visualizations.

uSDR aka microSDR. A lightweight SDR receiver program for Windows.

AIS-Catcher: A Dual Band Multiplatform AIS Receiver for RTL-SDR and Airspy HF+ with Multiple Decoding Models

Thank you to Jasper for writing in and letting us know about the release of his new open source software called "AIS-Catcher". AIS-Catcher is an MIT-licensed dual band AIS receiver for Linux, Windows and Raspberry Pi. It is compatible with RTL-SDR dongles and the Airspy HF+.

AIS stands for Automatic Identification System and is used by marine vessels to broadcast their GPS locations in order to help avoid collisions and aid with rescues. An RTL-SDR with the right software can be used to receive and decode these signals, and plot ship positions on a map.

Jasper notes that his software was intended to be a platform for him to experiment with different receiving model algorithms. On the GitHub readme he explains how he's experimented with a coherent demodulation model that estimates the phase offset, a non-coherent model which is similar to what most existing decoders use, a modified non-coherent model with aggressive PLL, and an FM discriminator model which assumes the input is the output of an FM discriminator.

The readme goes on to show some comparison results indicating that the coherent model is the best, although it uses 20% more computation time. He also compares AIS-Catcher against some other AIS decoders like AISRec and rtl-ais, showing that AIS-Catcher appears to be comparable to or better than AISRec, which is one of the most sensitive decoders available for SDR dongles.

A Windows binary is provided on the releases page and compilation instructions for Linux are provided on the GitHub readme.

Some results from AIS-Catcher. Different algorithms and different software compared.