
GQRX and gr-osmosdr now with support for SpyServer

Thanks to the work of Lucas Teske, GQRX is now able to connect to SpyServer servers. SpyServer is the IQ streaming server software solution developed by the Airspy SDR developers. It can support Airspy and RTL-SDR devices, and can be used to access these SDRs remotely over a network connection. It is similar to rtl_tcp, but a lot more efficient in terms of network usage, meaning that it performs well over an internet connection. In a previous post we have a tutorial about setting up a SpyServer with an RTL-SDR.

The code modified by Lucas is the gr-osmosdr module, and Lucas' code can be downloaded from his GitHub at github.com/racerxdl/gr-osmosdr. It doesn't yet appear to have been merged into the official osmocom branch. The gr-osmosdr module is a generic block used to access various SDR hardware, so any software that utilizes it (such as GNU Radio) should be able to connect to a SpyServer connection too.

Building an RF Direction Finding Robot with an RTL-SDR

Over on Hackaday.io, project logger Humpelstilzchen has been writing about his attempts to create an autonomous RF direction finding robot RC car with an RTL-SDR. The goal is to set up an ISM band transmitter as a beacon, and use the RTL-SDR on the robot as the receiver. It will then use direction finding techniques to drive towards the beacon. The robot is a 4WD RC toy car with some autonomous navigational features like GPS, ultrasonic, IMU and vision sensors.

In his latest project log Humpelstilzchen describes his first semi-successful attempt at getting RF direction finding working. In the experiment he uses a 433 MHz module to send out an FSK beacon. On the robot two antennas are used for the time difference of arrival/pseudo-doppler direction finding technique, and PIN diodes are used to rapidly switch between the antennas. A GNU Radio script running on a HummingBoard single board computer computes the TDOA/pseudo-doppler algorithm.

Pseudo-doppler direction finding works by rapidly switching between several antennas. The difference in the time that the signal arrives at each antenna can be used to calculate the transmitter's direction.

With the current set up he's been able to get the robot to distinguish if the beacon is closer to the left, or closer to the right, or equidistant. However, he notes that there are still problems with reflections of the beacon signal which can cause the robot to drive in the wrong direction.

This is still a work in progress and we look forward to his future results.

Humpelstilzchen's RF direction finding robot

Tutorial: Setting up a Low Cost QRP (FT8, JT9, WSPR etc) Monitoring Station with an RTL-SDR V3 and Raspberry Pi 3

QRP is amateur radio slang for 'low transmit power'. QRP digital modes such as FT8, JT9, JT65 and WSPR are modes designed to be transmitted and received across the world on low transmit powers (although not everyone uses only low power). The special design of these modes allows even weak signals to be decodable by the receiving software. Released in 2017, FT8 has shown itself to now be the most popular mode by far with JT9 and JT65 taking a backseat. WSPR is also not as active as FT8, although WSPR is more of a beacon mode rather than one used for making contacts.

Apart from being used by hams to make contacts, these weak signal modes are also valuable indicators of the current HF propagation conditions. Each packet contains information on the location of the transmitter, so you can see where and how far away the packet you've received comes from. You also don't need to be a ham to set up a monitoring station. As an SWL (shortwave listener), it can be quite interesting to simply see how far away you can receive from, and how many countries in the world you can 'collect' signals from.

This tutorial is inspired by dg0opk's videos and blog post on monitoring QRP with single board computers. We'll show you how to set up a super cheap QRP monitoring station using an RTL-SDR V3 and a Raspberry Pi 3. The total cost should be about US $56 ($21 for the RTL-SDR V3, and $35 for the Pi 3).

With this setup you'll be able to continuously monitor multiple modes within the same band simultaneously (e.g. monitor 20 meter FT8, JT65+JT9 and WSPR all on one dongle at the same time). The method for creating multiple channels in Linux may also be useful for other applications. If you happen to have an upconverter or a better SDR to dedicate to monitoring such as an SDRplay or an Airspy HF+, then this can substitute for the RTL-SDR V3 as well. The parts you'll need are as follows:

  • RTL-SDR V3 (or upconverter, or other HF & Linux capable SDR)
  • Raspberry Pi 3 (or other SBC with similar performance)
  • Internet connection
  • Band filter (optional but recommended)
  • HF antenna (this could be as simple as a long wire)

Examples of QRP Receivers with an RTL-SDR

Monitoring FT8, JT9, JT65 and WSPR simultaneously with an RTL-SDR V3 and Pi 3

CrowPi: Raspberry Pi Experimenters Kit Review (With RTL-SDR and RPiTX Tests)

CrowPi is a Raspberry Pi all-in-one experimenters kit that is currently crowd funding on Kickstarter. The idea behind CrowPi is to combine a touchscreen, various sensors, actuators and interfaces into a clutter free kit mounted on a PCB in an easy to carry hard shell case. It's mostly intended to be used in STEM learning environments, however it could also be used for rapid prototyping of Raspberry Pi based ideas, or simply as a portable computer. 

The CrowPi

The kit has 4 days left on Kickstarter and has already met its minimum goal. Pledging $1,169 HKD (~USD $150) gets you the basic kit which does not include a Raspberry Pi. Higher pledge levels (up to US$250) get you models that include a Raspberry Pi as well as extras such as 5V power supplies, earphones, heatsinks, keyboards, game controllers etc. Shipping of the units is expected to commence in July.

Elecrow, the Shenzhen based company behind CrowPi kindly sent us a free kit for an honest review. While not directly related to RTL-SDR or RF, we thought that there might be several applications that might make the CrowPi kit useful for prototyping some simple low cost RF based ideas. For example:

  • Prototyping IoT based modules that use the RTL-SDR as a receiver. For example receiving a 433 MHz ISM signal and writing received information to the LCD/LED array or activating the relay.
  • Similarly, using FL2K-SDR or RPiTX to transmit a signal when a sensor is activated, or to transmit telemetry from that sensor (e.g. distance data from the ultrasonic sensor, humidity levels from the DH11 sensor, or light levels from the light sensor)
  • Using an RTL-SDR to prototype an ADS-B plane camera tracker using the two servo module interfaces.

To get an idea of what's packed into the CrowPi, the kit includes the following modules:

Everything that came with our CrowPi Demo Kit (Except the Raspberry Pi)

  • 1920 x 1080 Capable HDMI 7" Touch Screen
  • LCD Module
  • 8x8 Matrix LED
  • Breadboard
  • 4 character 7-seg LED
  • Vibration motor
  • Light Sensor
  • Buzzer
  • Sound Sensor
  • Motion Sensor
  • Ultrasonic Sensor
  • Servo Interface
  • Step Motor Interface
  • UART
  • Tilt Sensor
  • IR Sensor
  • Touch Sensor
  • DH11 Humidity Sensor
  • Relay
  • Matrix of buttons
  • RFID Module

With our kit we also received:

  • 2x GPIO Flex Cables
  • 1x Stepper Motor
  • 1x Servo
  • 1x Charger
  • 1x IR diode
  • 1x NFC Tag
  • 1x Mini HDMI for the Raspberry Pi Zero
  • 1x IR Remote control

Setup, Initial Testing and Thoughts

Setup: Setup was simple and consisted of downloading their customized Raspberry Pi image onto an SD card, connecting the Raspberry Pi to the HDMI, USB and GPIO pins, and then powering it up using the power jack on the CrowPi Board. A user manual is available for download.

Initial Testing: CrowPi provide a set of lessons that show how to use each of the modules on the board. All modules also have Python code examples that are ready to run as soon as you boot up. Immediately after booting up we were able to run their demo code which allowed us to test all the various sensors, print text to the LCD module, activate the 7-seg display, and actuate a servo and stepper motor. 

The tutorials are easy to understand and provide a good basic rundown of the sensors. You will need to have some basic Python skills to understand the Python code however.

Thoughts: The CrowPi is built sturdy, and is definitely easy to use. The touch screen is bright and clear. It is capable of running in 1080P mode, but is a bit too small and hard on the eyes to use at this resolution. We kept the screen in 720P mode. In order to use the Raspberry Pi, you'll need to plug in a USB keyboard and mouse which is not included in the basic kit. A wireless keyboard/mouse combo is ideal. There appear to be speaker holes next to the monitor, but it seems that our demo model is the basic model which does not include built in speakers. The kit is impressive looking and appears to be priced reasonably for what you get.

RTL-SDR and RF Testing

Unfortunately when it came to running the RTL-SDR we instantly ran into a problem. With the one 5V 3A power supply running the Pi, HDMI Screen and modules, it seems that there just isn't enough power budget left over to run the RTL-SDR, which draws about 270 - 290 mA of current. The RTL-SDR connects fine, but when trying to run GQRX, the Pi 3 shuts down. To get around this problem we had to connect a second power supply directly to the Raspberry Pi 3's input. After doing this the board and kit run smoothly with the RTL-SDR. Using a powered USB hub would also work.

RPiTX is software for the Raspberry Pi that allows you to transmit RF signals directly via PIN12 or PIN7 from the GPIO ports. On CrowPi PIN12 is already connected to the buzzer, and PIN7 is connected to the humidity sensor. Using PIN12 causes the buzzer to sound, so we tried PIN7. Even though it's connected to the humidity sensor, it doesn't seem to mind the GPIO bit flipping going on. The traces within the board and cable radiate sufficiently to transmit signals strongly enough to use within a room, so no external antenna is needed. Use of PIN7 can be activated in RPiTX by using the "-c 1" flag.

Using our Replay Attacks with an RTL-SDR, Raspberry Pi and RPiTX tutorial, we copied the signal from the remote control of a 433 MHz alarm/door bell, and used RPiTX to replay the signal. Then by modifying some of the supplied CrowPi Python code we were able to get the doorbell to sound on a touch of the touch sensor, on activation of the sound sensor and on activation of the RFID sensor. We could see the CrowPi being used as a general tool for learning how to prototype simple IoT or home automation devices. The video below shows a brief demonstration.

It would have been nice if these RPiTX GPIO pins could have been exposed, and not connected to a sensor, but the developers of the board had probably not heard of RPiTX as the goal is for a more general classroom application.

CrowPi Demo

If you're looking to get kids or STEM students/hobbyists interested in what Raspberry Pi's can do, then this kit couldn't make it simpler. The single board and briefcase design makes the whole thing very tidy and portable and the kit looks and feels sturdy and professional. If you know a kid interested in electronics, then this kit would make a great present.

You could probably purchase all the components cheaper individually, but at the end of the day an all-in-one kit just makes sense as it is a lot tidier, and much easier to get up and running quickly.

For RF experiments, it's possible to use the RTL-SDR with the minor annoyance of having to connect two power supplies or use a powered USB hub. RPiTX also functions fine on the device and can be used to transmit an RF signal on activation of any one of the sensor modules. This could easily be used to prototype simple home automation or IoT ideas.

Using an RTL-SDR and moRFeus as a Tracking Generator to Measure Filters And Antenna VSWR

The Outernet moRFeus

As Outernet is currently having a sale and selling their moRFeus product at only US $99 (see next post for details - or simply use coupon code "rtlsdrblog" on their checkout - valid until Saturday 09 May 18), we thought that we'd show an interesting use for the moRFeus when combined with an RTL-SDR.

Outernet's moRFeus is a signal generator and frequency mixer that can be controlled either by its built-in LCD screen, or via software on a Windows or Linux PC. It can generate a clean low phase noise tone anywhere between 85 to 5400 MHz. Because it can be computer controlled it is possible to use moRFeus as a tracking generator for characterizing filters and measuring antenna SWR. A tracking generator is just a signal generator that can be set to output at the same frequency that the measurement receiver is tuned to.

In the past we've posted a tutorial showing how to use a wideband noise source for measuring filters and antenna SWR. However, if available, a tracking generator is usually preferred over a noise source. A wideband noise source outputs high power at all frequencies, and so can easily overload an RTL-SDR causing reduced dynamic range and accuracy in measurements. This is especially the case when measuring bandstop filters as they pass all frequencies, apart from a small blocking band. Since so much noise gets through to the dongle, dynamic range is reduced.

This post shows how to use the moRFeus as a tracking generator together with an RTL-SDR for making RF measurements. This could be called a scalar network analyzer. The set up uses GQRX and a Python script, but in the future it is possible that someone may develop a standalone app.

Equipment Required

  1. A directional coupler like the minicircuits ZFDC-20-5, or an RF Bridge with 50 Ohm dummy load.
  2. moRFeus or other computer controllable wideband signal generator.
  3. An RTL-SDR
  4. A ~20dB attenuator

Since the output of the moRFeus is quite strong, an attenuator is required to keep signal levels low enough to not overload the RTL-SDR.

The cheapest RF bridge we've found is available on eBay for about $7. With an RF Bridge you'll need a 50 Ohm dummy load as well to connect to the 'REF' port. Directional couplers seem to work more accurately however, and second hand minicircuits ones can often be found on eBay. A $2 TV 'tap' is also a directional coupler, and may also work, although we have not tested this.

Software Setup

In this tutorial we're using the method first described by 'LamaBleu' in his post to the Outernet forums. The method uses Linux and involves reading power levels from the RTL-SDR by using GQRX and its remote telnet connection capabilities. The telnet command "F freq" can be used to change frequency in GQRX, and the command "l" can be used to read out the current power level in dBFS.

To control moRFeus we use Outernet's official "morfeus_tool", which is a command line based tool.

A basic Python script was written to set the frequency in moRFeus and GQRX at the same time. After a 500 ms settling time the power level is measured and recorded in a CSV file, then the script iterates to the next frequency. We iterate at 1 MHz intervals.

If you have a moRFeus and want to try this project out, copy and paste the script from pastebin, and name the file morfeus_scalar.py. Place the morfeus_scalar.py file and the morfeus_tool_linux_x32 tool into the home folder.

To get the software started:

  1. Open GQRX and connect the dongle and required RF components for the test (shown below).
  2. Set the RTL-SDR gain to zero or just low enough so that the signal doesn't cause overload (moRFeus signal levels are fairly high).
  3. In the GQRX GUI ensure that the "Remote control via TCP" button is pressed in. (Looks like two computer screens).
  4. Edit the Python script and choose the frequency range that you'd like to scan by setting the variables FREQ_MIN and FREQ_MAX.
  5. In a terminal run "sudo python morfeus_scalar.py".
  6. When the script completes you'll have a file "out.txt" which is a CSV file of frequency and signal power levels.

Characterizing Filters

To characterize a filter (find the response of a filter) simply connect the system like so:

moRFeus Filter Test
  1. But first connect just the moRFeus, attenuator and RTL-SDR together.
  2. In GQRX increase the gain until just a few dB before the RTL-SDR overloads and starts showing signal images. This will maximize the available dynamic range.
  3. Run an initial calibration scan with morfeus_scalar.py. Save the results in out.txt into a spreadsheet.
  4. Connect the filter in the RF chain, and then run a second scan with morfeus_scalar.py. Save the results into another column in the spreadsheet.

  5. Subtract the calibration scan results from the filtered results. Plot the resulting values using the spreadsheet software. This will show the response of the filter.
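
The subtraction in steps 3 to 5 can also be done with a short script instead of a spreadsheet. The following is an added example, not the pastebin script or Outernet's code; it assumes out.txt holds one `frequency_hz,level_dbfs` row per step, uses constructed scan values, and goes slightly beyond the steps above by also reporting the -3 dB passband.

```python
import csv
import io

# Constructed sample scans at 1 MHz steps (not measured data). Assumed layout
# of out.txt: one "frequency_hz,level_dbfs" row per step.
CAL_SCAN = """\
95000000,-20.1
96000000,-20.4
97000000,-20.0
98000000,-19.8
99000000,-20.2
100000000,-20.5
101000000,-20.3
102000000,-19.9
103000000,-20.6
104000000,-20.2
"""
FILTER_SCAN = """\
95000000,-58.3
96000000,-47.9
97000000,-31.2
98000000,-22.1
99000000,-21.4
100000000,-21.5
101000000,-21.6
102000000,-24.4
103000000,-39.0
garbage line
104000000,-52.7
"""

def parse_scan(text):
    """Return {frequency_hz: level_dbfs}, skipping blank or malformed rows."""
    scan = {}
    for row in csv.reader(io.StringIO(text)):
        try:
            scan[int(float(row[0]))] = float(row[1])
        except (IndexError, ValueError):
            continue  # header, blank line or truncated write
    return scan

def filter_response(cal, dut):
    """Filtered level minus calibration level, for frequencies in both scans."""
    return [(f, round(dut[f] - cal[f], 2)) for f in sorted(cal.keys() & dut.keys())]

def passband(response, drop_db=3.0):
    """Contiguous span around the peak that stays within drop_db of it."""
    gains = [g for _, g in response]
    peak = max(gains)
    lo = hi = gains.index(peak)
    while lo > 0 and gains[lo - 1] >= peak - drop_db:
        lo -= 1
    while hi < len(gains) - 1 and gains[hi + 1] >= peak - drop_db:
        hi += 1
    return response[lo][0], response[hi][0], peak

if __name__ == "__main__":
    resp = filter_response(parse_scan(CAL_SCAN), parse_scan(FILTER_SCAN))
    for freq, gain in resp:
        print(f"{freq / 1e6:7.1f} MHz  {gain:6.1f} dB")
    lo, hi, peak = passband(resp)
    print(f"-3 dB passband: {lo / 1e6:.0f}-{hi / 1e6:.0f} MHz, peak {peak:.1f} dB")
```

To use it on real scans, replace the two sample strings with the contents of the calibration and filtered out.txt files.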

Download Example Spreadsheet (.xls) (.ods)


Using the RTL-SDR as a tool to Measure Crystals

Over on YouTube OM0ET has shown how he uses his RTL-SDR for measuring crystals. While working on his home made HF 6-band SSB transceiver, OM0ET needed a way to measure the frequency of some 8 MHz crystals that he needed for his IF filter.

To perform the measurement he simply inserts the crystal into a homemade oscillator circuit, and measures the output with an RTL-SDR V3 operating in direct sampling mode. With the measurements he's able to figure out if the crystal is actually working in the first place, and secondly determine an accurate frequency measurement.

RTL-SDR USB receiver - cheap tool for matching crystals

Tracking Planes with RTL-SDR, Apache Kafka, KSQL, Kibana and a Raspberry Pi

Inspired by a low flying aircraft that kept waking his cat in the morning, Simon Aubury decided to use an RTL-SDR and ADS-B tracking software dump1090 to determine which plane was the culprit. This is all now standard stuff, however, Simon's software implementation and management of the received ADS-B data is quite unique, as he uses Apache Kafka, KSQL and Kibana as his tools for processing and visualizing the ADS-B data.

Apache Kafka is a 'distributed streaming platform', and KSQL enables real time processing of the data from Kafka. Kibana is a data visualization tool. Essentially these technologies are just ways to manage, process and digest in a human readable way large amounts of real time data coming into a database.

So with some clever database coding Simon was able to create a constantly updating dashboard in Kibana that plots aircraft positional heat maps, displays data such as spotted airlines and destination frequencies in a text cloud, and displays aircraft height data in a line graph. Finally using a database lookup and his gathered data Simon was able to determine that an A380 aircraft flying over his house was waking his cat in the morning.

Using RTL_433 to Decode SimpliSafe Home Security Systems

SimpliSafe is an American DIY home security system company that claims over 2 million customers. Their system relies on 433/315 MHz ISM band wireless radio communications between its various sensors, control panels and remote controls. Back in 2016 we already posted about research from Dr. Andrew Zonenberg and Michael Ossmann who showed that the SimpliSafe wireless communications are unencrypted, and can easily be intercepted, decoded, and spoofed. SimpliSafe responded to those concerns by downplaying them and mentioning that sophisticated hardware was required.

However, Adam of simpleorsecure.net has recently disclosed a security advisory and a blog post discussing how easy it is to decode SimpliSafe wireless communications with an RTL-SDR and the rtl_433 software. He has also released slides from a recent talk that go over his entire process and findings.

Adam began with some initial manual RF analysis with an RTL-SDR, and then later worked with rtl_433 dev Christian Zuckschwerdt to add PiWM demodulation capability, which is the modulation used by SimpliSafe systems. Now Adam is able to easily decode the serial number, pin codes, and status codes transmitted by SimpliSafe sensors and key pads in real time with just an RTL-SDR.

This is very concerning as not only could a burglar easily learn the alarm disarm pincode, but they could also profile your behavior to find an optimal time to break in. For example if you arm your alarm before bed, and disarm in the morning your sleep schedule is being broadcast. It is also possible to determine if a particular door or window has been left open. With a tuned Yagi antenna Adam was able to receive signals from 200+ feet (60m) in free space, and 115 feet (35m) through walls.

In addition to the lack of encryption, Adam also discovered that the SimpliSafe system was susceptible to jamming attacks, and that the tamper detection system can be easily compromised. Adam has disclosed all concerns and findings to SimpliSafe who are aware of the problems. They assure him that next generation systems will not suffer from these flaws. But unfortunately for current generation owners, the hardware will need to be eventually replaced as there is no over the air update capability. 

An RTL-SDR and SimpliSafe KeyPad