A Better Spectrum Analyzer for your Rigol Scope

The Rigol DS1000 series of oscilloscopes is popular with hobbyists for good reason: it provides decent specs at a low price. However, its spectrum analysis abilities are lacking. While these scopes do have a Fast Fourier Transform (FFT) function, it's limited and nearly useless for RF work.

An FFT plotted by the PyDSA tool and a Rigol oscilloscope

[Rich] wanted a spectrum analyzer for amateur radio purposes but didn't want to build his own sampling hardware for it. Instead, he wrote PyDSA, a software spectrum analyzer for Rigol DS1000 oscilloscopes. The tool uses the scope's USB connection to fetch samples and does the number crunching on a far more powerful PC. It can plot a 16,000-point FFT at two sweeps per second when run on a decent computer.

PyDSA is a Python script that uses the Virtual Instrument Software Architecture (VISA) interface to control the scope and fetch the sample data. Fortunately, there are Python libraries that take care of the protocol.

[Rich] is now able to use his scope to measure amateur radio signals, which makes a nice companion to his existing Teensy-based SDR project. If you have a Rigol, you can grab the source on GitHub and try it out.

Reverse Engineering Traffic Lights with Software Defined Radio

Construction crews tearing up the street to lay new fiber optic internet cable created a unique opportunity for [Bastian Bloessl]. The workers brought two mobile traffic lights to keep the road safe while they worked. [Bastian] had heard that these lights use radios in the 2 meter band, so he grabbed his RTL-SDR USB stick and started hacking. Mobile traffic lights are becoming more common in Europe. They can be controlled by a timer, by traffic volume measured with an on-board camera, or by wire or radio. They also transmit status data, which is what [Bastian] was hoping to receive.

A quick scan with GQRX revealed a strong signal on 170.760 MHz. Using Baudline and Audacity, [Bastian] determined that the data was modulated with Audio Frequency Shift Keying (AFSK). He built a simple receiver chain in GNU Radio and was greeted with a solid data stream from the lights. By watching the lights while looking at the data frames, he worked out which bits carry the current light status. A quickly knocked-up web interface then displayed the traffic light status in real time.
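The receiver chain described above, as an added example in pure Python rather than [Bastian]'s GNU Radio flowgraph: a constructed AFSK signal goes through a non-coherent tone correlator, symbol timing recovery, bit slicing and a sync-word search, and the status frame comes out the other end. The tone pair (1200/2200 Hz), baud rate, preamble and sync byte are assumptions for the demo; the post only says the lights use AFSK on 170.760 MHz and does not give the modem parameters or the frame layout.

```python
"""AFSK receiver chain in pure Python: tone pair -> symbol timing -> bits -> frame.

Added example, not [Bastian]'s GNU Radio flowgraph. The tone pair, baud rate
and framing below are assumptions (Bell 202 style); the post only says the
lights use AFSK on 170.760 MHz.
"""
import math
import random

FS = 48_000          # sample rate of the audio-bandwidth signal (assumed)
BAUD = 1200          # symbol rate (assumed)
MARK_HZ = 1200       # tone for a '1' bit (assumed)
SPACE_HZ = 2200      # tone for a '0' bit (assumed)
SPS = FS // BAUD     # samples per symbol: 40

PREAMBLE = [0x55, 0x55, 0x55]   # alternating bits, good for timing (assumed framing)
SYNC = 0x7E                      # frame start marker (assumed framing)


def bytes_to_bits(data):
    """MSB-first bit list."""
    return [(b >> (7 - i)) & 1 for b in data for i in range(8)]


def bits_to_bytes(bits):
    return [int("".join(str(b) for b in bits[i:i + 8]), 2)
            for i in range(0, len(bits) - 7, 8)]


def afsk_modulate(bits, rng, lead_in=57, noise=0.1):
    """Continuous-phase AFSK with a noisy, unaligned lead-in (constructed signal)."""
    samples = [rng.gauss(0, noise) for _ in range(lead_in)]
    phase = 0.0
    for bit in bits:
        f_hz = MARK_HZ if bit else SPACE_HZ
        for _ in range(SPS):
            phase += 2 * math.pi * f_hz / FS
            samples.append(math.sin(phase) + rng.gauss(0, noise))
    return samples


def tone_energy(window, f_hz):
    """Non-coherent correlator |sum x[n] e^{-j 2 pi f n / FS}|^2, phase-independent."""
    i = sum(x * math.cos(2 * math.pi * f_hz * n / FS) for n, x in enumerate(window))
    q = sum(x * math.sin(2 * math.pi * f_hz * n / FS) for n, x in enumerate(window))
    return i * i + q * q


def discriminate(samples, offset):
    """Soft decision per symbol window (mark energy minus space energy)."""
    return [tone_energy(samples[s:s + SPS], MARK_HZ) - tone_energy(samples[s:s + SPS], SPACE_HZ)
            for s in range(offset, len(samples) - SPS + 1, SPS)]


def recover_timing(samples):
    """Symbol timing: the window offset whose decisions are, in total, most confident."""
    metrics = [sum(abs(v) for v in discriminate(samples, off)) for off in range(SPS)]
    return max(range(SPS), key=metrics.__getitem__)


def demodulate_frame(samples, payload_len):
    """Recover timing, slice bits, hunt for SYNC; returns (offset, payload bytes or None)."""
    offset = recover_timing(samples)
    bits = [1 if v > 0 else 0 for v in discriminate(samples, offset)]
    sync = bytes_to_bits([SYNC])
    for i in range(len(bits) - 7):
        if bits[i:i + 8] == sync:
            payload = bits[i + 8:i + 8 + 8 * payload_len]
            if len(payload) == 8 * payload_len:
                return offset, bits_to_bytes(payload)
            break
    return offset, None


def demo():
    """End-to-end run on a constructed status frame: light id, phase, sequence counter."""
    rng = random.Random(1)
    payload = [0x0A, 0x02, 0x2B]
    rx = afsk_modulate(bytes_to_bits(PREAMBLE + [SYNC] + payload), rng)
    return demodulate_frame(rx, len(payload))


if __name__ == "__main__":
    print(demo())
```

The timing recovery works because a window that straddles two symbols returns a weaker decision than one aligned to a single symbol; summing the decision magnitudes over the whole burst therefore peaks at the correct offset. Once the sync byte is located, the payload bits are the ones [Bastian] matched against what the lights were showing.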

It's a bit scary that the data is sent in plaintext; however, this is only status data. We hope that any command data is sent encrypted over a more secure channel.


Hacking 2.4GHz Radio Control

Many modern radio control (RC) systems use frequency hopping to avoid interference. Unfortunately, hopping all over the 2.4 GHz band can itself interfere with video links or Wi-Fi sharing the same band. [Befinitiv] was trying to solve this problem when he realized that most of these systems use a TI CC2500 transceiver driven by a microcontroller. The microcontroller commands the chip over SPI and sets the carrier by writing the chip's frequency registers.

Updating the microcontroller firmware was impractical. The firmware is encrypted, for one thing. In addition, the change would have to be reapplied after every future update and repeated for every RC vendor. So [Befinitiv] took a different approach: a classic man-in-the-middle attack, inserting a CPLD on the SPI bus between the microcontroller and the CC2500.
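A software model of that SPI man-in-the-middle, added here as an illustration and not [Befinitiv]'s CPLD design: it decodes the CC2500 SPI header byte, shadows the three frequency registers and rewrites any hop that would land inside a keep-out range. The register addresses and carrier formula are the CC2500 datasheet's; the assumption that the RC firmware hops by burst-writing FREQ2..FREQ0, the keep-out range and the remapping rule are this example's. A real CPLD has to decide byte by byte as the bits stream past, whereas this model judges a whole transaction at once.

```python
"""Model of an SPI man-in-the-middle that steers CC2500 frequency writes.

Added example, not [Befinitiv]'s CPLD. Register addresses and the carrier
formula come from the CC2500 datasheet (FREQ2..FREQ0 at 0x0D..0x0F,
f_carrier = f_xosc * FREQ[23:0] / 2**16 with a 26 MHz crystal). That the RC
firmware hops by writing those registers as one burst, the keep-out range
and the remapping policy are this example's assumptions.
"""

F_XOSC_HZ = 26_000_000                    # CC2500 crystal (datasheet)
FREQ2, FREQ1, FREQ0 = 0x0D, 0x0E, 0x0F    # frequency control word, MSB first (datasheet)
HDR_READ, HDR_BURST, HDR_ADDR = 0x80, 0x40, 0x3F   # SPI header byte layout (datasheet)


def freq_word_to_hz(word):
    return F_XOSC_HZ * word / 65536


def hz_to_freq_word(hz):
    return round(hz * 65536 / F_XOSC_HZ)


def split_word(word):
    return [(word >> 16) & 0xFF, (word >> 8) & 0xFF, word & 0xFF]


def join_word(b2, b1, b0):
    return (b2 << 16) | (b1 << 8) | b0


class SpiFrequencyGuard:
    """Sits on MOSI between MCU and CC2500; rewrites hops that land in keep_out_hz."""

    def __init__(self, keep_out_hz, band_hz=(2400.0e6, 2483.5e6)):
        self.lo, self.hi = keep_out_hz         # half-open [lo, hi)
        self.band_lo, self.band_hi = band_hz
        self.rewrites = 0

    def remap(self, hz):
        """Deterministic shift out of the keep-out range by its own width.

        Both ends of the link must apply the same rule or they stop meeting on
        the same channel. Shifted hops share frequencies with hops that were
        already outside the keep-out, so hop diversity drops a little.
        """
        width = self.hi - self.lo
        for candidate in (hz - width, hz + width):
            if self.band_lo <= candidate <= self.band_hi:
                return candidate
        raise ValueError("keep-out range too wide to shift within the band")

    def process(self, header, data):
        """Filter one MOSI transaction (header byte, payload bytes) -> payload to forward.

        Only a burst write starting at FREQ2 that carries all three bytes is
        rewritten: the carrier is only known once the whole 24-bit word has
        been seen, and a device in the middle cannot add SPI bytes of its own.
        Reads and single-register writes are forwarded untouched.
        """
        data = list(data)
        is_write = not (header & HDR_READ)
        is_burst = bool(header & HDR_BURST)
        if not (is_write and is_burst and (header & HDR_ADDR) == FREQ2 and len(data) >= 3):
            return data
        hz = freq_word_to_hz(join_word(*data[:3]))
        if self.lo <= hz < self.hi:
            self.rewrites += 1
            data[:3] = split_word(hz_to_freq_word(self.remap(hz)))
        return data


def hop_transaction(mhz):
    """Constructed MCU hop: burst write of FREQ2..FREQ0 (header 0x40 | 0x0D = 0x4D)."""
    return HDR_BURST | FREQ2, split_word(hz_to_freq_word(mhz * 1e6))


def carrier_mhz(data):
    """Carrier the CC2500 would tune to after receiving these three bytes."""
    return freq_word_to_hz(join_word(*data[:3])) / 1e6


if __name__ == "__main__":
    # Keep hops out of a 20 MHz slice the video link uses (assumed 2427-2447 MHz).
    guard = SpiFrequencyGuard((2427e6, 2447e6))
    for mhz in (2410.0, 2435.0, 2470.0):
        hdr, data = hop_transaction(mhz)
        print(f"{mhz:.1f} MHz -> {carrier_mhz(guard.process(hdr, data)):.3f} MHz")
```

The same guard has to sit in front of the CC2500 at both ends of the link, since the receiver follows the identical hop sequence and would otherwise keep listening on the original channel.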


Reverse Engineering An Obsolete Security System

[Veghead] recently visited a surplus warehouse filled with VHS editing studios, IBM keyboards, electronic paraphernalia from 40 years ago, and a lot of useless crap. His haul included a wooden keypad from an old alarm system that exuded 1980s futurism, and he figured it would be cool to hook it up to an alarm system from 2015. How did he do that? With software defined radio.

After pulling apart the alarm panel, [Veghead] found only a single-sided board with a 9 V battery connector. There were no screw terminals for an alarm loop, meaning the entire system was wireless, an impressive achievement for mid-80s hardware. A quick search of the FCC website showed the panel was registered on two bands, 319 MHz and 340 MHz, well within the range of an RTL-SDR USB TV tuner dongle.

After capturing some raw data and playing it back in Audacity, [Veghead] found a simple OOK protocol that sends two identical binary patterns for each key press. A simple program takes the raw bit pattern for each key and codes it into a map of the twelve buttons.
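A decoder for that kind of capture, added here as an example and not [Veghead]'s program: it run-length encodes the detected envelope, estimates the unit pulse period from the shortest run, splits the burst on the long gap between the two repeats, slices each repeat into bits by pulse width, and only accepts a key when both repeats agree. The pulse-width encoding, unit period, gap length and the button-to-code table are assumptions made for the demo; the post only says the keypad sends a simple OOK pattern twice per key.

```python
"""Pulse-width OOK decoder for a wireless keypad capture.

Added example, not [Veghead]'s program. The post only says the keypad sends a
simple OOK pattern twice per key; the pulse-width encoding ('1' = 2T high then
T low, '0' = T high then 2T low), the unit period, the inter-repeat gap and
the button-to-code table below are assumptions made for this demo.
"""
import random

KEYS = "0123456789*#"
KEY_CODES = {k: 0xA0 | i for i, k in enumerate(KEYS)}   # constructed 8-bit codes
CODE_TO_KEY = {v: k for k, v in KEY_CODES.items()}

T = 20           # unit period in envelope samples (assumed)
REPEATS = 2      # each press sends the pattern twice (from the post)
GAP = 10 * T     # silence between repeats and around the burst (assumed)


def encode_press(key, rng=None, jitter=0):
    """Envelope (0/1 samples) a keypad transmitter would produce for one press."""
    code = KEY_CODES[key]
    samples = [0] * GAP
    for _ in range(REPEATS):
        for i in range(7, -1, -1):                      # MSB first
            high, low = (2 * T, T) if (code >> i) & 1 else (T, 2 * T)
            if rng is not None:                          # timing jitter of a real TX
                high += rng.randint(-jitter, jitter)
                low += rng.randint(-jitter, jitter)
            samples += [1] * high + [0] * low
        samples += [0] * GAP
    return samples


def run_lengths(samples):
    """Run-length encode the envelope into (level, length) pairs."""
    runs = []
    for s in samples:
        if runs and runs[-1][0] == s:
            runs[-1][1] += 1
        else:
            runs.append([s, 1])
    return [tuple(r) for r in runs]


def decode_frames(samples):
    """Split the capture on long gaps and slice each frame into bits by pulse width."""
    runs = run_lengths(samples)
    while runs and runs[0][0] == 0:      # leading silence
        runs.pop(0)
    while runs and runs[-1][0] == 0:     # trailing silence
        runs.pop()
    if not runs:
        return []
    unit = min(n for _, n in runs)       # shortest run is the 1T element (clean envelope assumed)
    frames, bits = [], []
    for level, n in runs:
        if level == 1:
            bits.append(1 if n > 1.5 * unit else 0)
        elif n > 4 * unit:               # low run far longer than any data gap: repeat boundary
            frames.append(bits)
            bits = []
    frames.append(bits)
    return frames


def decode_press(samples):
    """Return the key, or None when the repeats disagree or the code is unknown."""
    frames = decode_frames(samples)
    if len(frames) < REPEATS or any(f != frames[0] for f in frames) or not frames[0]:
        return None
    return CODE_TO_KEY.get(int("".join(map(str, frames[0])), 2))


def demo(seed=7):
    """Round-trip every button through a jittery transmitter."""
    rng = random.Random(seed)
    return [decode_press(encode_press(k, rng, jitter=2)) for k in KEYS]


if __name__ == "__main__":
    print(demo())
```

Two caveats for real captures. The shortest-run period estimate assumes a clean envelope; on waveforms as rough as the ones [Veghead] describes, a glitch filter or hysteresis on the envelope has to come before the run-length step, or a one-sample spike becomes the "unit". And because every press of a given button sends the same fixed pattern, the map this decoder builds is also everything needed to replay a key press, which is the usual weakness of fixed-code OOK remotes.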

Although the radio still works, [Veghead] found the waveforms captured by his RTL-SDR were an abomination to RF. Every component in this security system is more than 30 years old at this point, and some of them must surely be out of spec by now. Still, [Veghead] was able to get the thing working again, a testament to the usefulness of a $20 USB TV tuner.

Thanks to [Jose] for sending this one in.

Arduino Masters Ham Radio Digital Mode

[jmilldrum] really gets a lot of use out of his Si5351A breakout board. He's a ham, [NT7S], and the Si5351A can generate multiple square waves ranging from 8 kHz to 160 MHz, so it stands to reason that it is going to be a useful tool for any RF hacker. His most recent project uses the I2C-controllable chip to implement a Fast Simple QSO (FSQ) beacon with an Arduino.

FSQ is a relatively new digital mode that uses a form of low-rate multi-tone FSK to send text and images in a way that is robust under difficult RF propagation. Thirty-two different tones are used for symbols, so common characters require only a single tone, and no character takes more than two tones.


Strange Signals? Sigidwiki!

If you've gotten into software-defined radio (SDR) in the last five years, you're not alone. A lot of hackers out there are listening in to the previously unheard. But what do you do when you find an interesting signal and don't know what it is? Head on over to the Signal Identification Wiki! You'll find recordings and waterfall plots for a ton of radio signals, categorized by frequency band as well as by use.

Or, conversely, maybe you've just got a new radio and you want to test it out. What would be a fun challenge to receive? Signals in the catalog range from the mundane, like a smart home energy meter from California or a Chrysler tire-pressure monitoring system, to (probably) secret military or intelligence transmissions.

If you’re looking at a waterfall plot and you’re not sure what to make of it, the sigidwiki is worth a look. And it’s a wiki, so if you’ve got a cool signal and you want to add it, create an account and get to it!

Thanks to [mkie] for the tip!

See Actual Microwaves — No More Faking It

Last week we saw a lot of interest in a faux visualization of wireless signals. It used a tablet as an interface device to show what the wireless signals around you looked like, and it was kind of impressive if you squinted and didn't think too much about it. But for me it was disappointing, because I know it is actually possible to see what radio waves look like. In this post I will show you how to do it for real by modifying a coffee can radar you can build at home.

The late, great Prof. David Staelin of MIT once told me that, 'if you make a new instrument and point it at nature you will learn something new.' Of all the things I've pointed coffee can radars at, one of the most interesting so far is the direct measurement and visualization of 2.4 GHz radiation, which is in use in our WiFi, cordless phones (if you still have one), and many other consumer goods. There is no need to fool yourself with fake visualizations when you can do it for real.
