Measuring Frequency Response with an RTL-SDR Dongle and a Diode

[Hans] wanted to see the frequency response of a bandpass filter but didn’t have a lot of test equipment. Using an RTL-SDR dongle, some software and a quickly made noise generator, he still managed to get a rough idea of the filter’s characteristics.

How did he do it? He ‘simply’ measured his noise generator frequency characteristics with and without the bandpass filter connected to its output and then subtracted one curve with the other. As you can see in the diagram above, the noise generator is based around a zener diode operating at the reverse breakdown voltage. DC blocking is then done with a simple capacitor.

Given that a standard RTL-SDR dongle can only sample a 2-3MHz wide spectrum gap at a time, [Hans] used rtlsdr-scanner to sweep his region of interest. In his write-up, he also did a great job at describing the limitations of such an approach: for example, the dynamic range of the ADC is only 48dB.

Sniffing pH Sensor RF Signals for Feedback Re: Your Esophagus

For about a week [Justin] had a wireless acidity level sensor in his esophagus and a pager-looking RF receiver in his pocket. So he naturally decided to use an RTL-SDR dongle to sniff the signals coming out of him. As most of our Hackaday readers know, these cheap RTL2382U-based DVB-T receivers are very handy when it comes to listening to anything between 50MHz and 1800MHz. [Justin] actually did a great job at listing all the things these receivers can be used for (aircraft traffic monitoring, weather images download, electric meter reading, pacemaker monitoring…).

After some Googling he managed to find his Bravo pH sensor user’s guide and therefore discovered its main frequency and modulation scheme (433.92MHz / ASK). [Justin] then used gqrx and Audacity to manually decode the packets before writing a browser-based tool which uses an audio file. Finally, a few additional hours of thinking allowed him to extract his dear esophagus’ pH value.

Hacking Rolling Code Keyfobs

Most keyfobs out there that open cars, garage doors, and gates use a rolling code for security. This works by transmitting a different key every time you press the button. If the keys line up, the signal is considered legitimate and the door opens.

[Spencer] took a look into hacking rolling code keyfobs using low cost software-defined radio equipment. There’s two pars of this attack. The first involves jamming the frequency the keyfob transmits on while recording using a RTL-SDR dongle. The jamming signal prevents the receiver from acknowledging the request, but it can be filtered out using GNU Radio to recover the key.

Since the receiver hasn’t seen this key yet, it will still be valid. By replaying the key, the receiver can be tricked. To pull off the replay, GNU Radio was used to demodulate the amplitude shift keying (ASK) signal used by the transmitter. This was played out of a computer sound card into a ASK transmitter module, which sent out a valid key.

Hacking Radio Controlled Outlets

Decoding NRZ ASK

It’s no surprise that there’s a lot of devices out of there that use simple RF communication with minimal security. To explore this, [Gordon] took a look at attacking radio controlled outlets.

He started off with a CC1111 evaluation kit, which supports the RFCat RF attack tool set. RFCat lets you interact with the CC1111 using a Python interface. After flashing the CC1111 with the RFCat firmware, the device was ready to use. Next up, [Gordon] goes into detail about replaying amplitude shift keying messages using the RFCat. He used an Arduino and the rc-switch library to generate signals that are compatible with the outlets.

In order to work with the outlets, the signal had to be sniffed. This was done using RTL-SDR and a low-cost TV tuner dongle. By exporting the sniffed signal and analyzing it, the modulation could be determined. The final step was writing a Python script to replay the messages using the RFCat.

The hack is a good combination of software defined radio techniques, ending with a successful attack. Watch a video of the replay attack after the break.

Continue reading “Hacking Radio Controlled Outlets”

Using SDR to Read Your Smart Meter


[BeMasher] was dissatisfied with the cost of other solutions to read his smart meter, so he made a project to read it himself using an rtl-sdr dongle.

Using his hacking and reverse engineering skills along with a $20 RTL-SDR dongle, [BeMasher] wrote rtlamr to automatically detect and report the consumption information reported by smart meters within range. Though designed for his Itron C1SR, [BeMasher] claims that any electronic receiver transmitter (ERT) capable smart meter should work.

[BeMasher]’s Itron C1SR smart meter broadcasts both interval data and standard consumption in the 915MHz ISM band using a Manchester encoded, frequency hopping spread spectrum protocol. [BeMasher] used the RTL-SDR dongle to do the signal capture and analysed the resulting signal in software afterwards. [BeMasher] did a great job of going through the theory and implementation of analysing the resulting data capture, so be sure to check it for an in-depth analysis.

If the RTL-SDR dongles are too limited for you taste, you might want to check out some hacker friendly SDRs with a little more punch.

Sniffing and Decoding Bluetooth LE Advertising Packets and NRF24L01+ Comms. for under $30

[Omri] just documented his journey to sniff and decode the protocol used by the popular NRF24L01+ transceiver off the air for very cheap. As he was designing a mesh network code and needed a way to monitor/debug the overall network performance, [Omri] decided to look for some RF hardware.

We’re sure that most of our readers are familiar with Software Defined Radio (SDR), which not so long ago became popular when some engineer discovered hidden registers inside Realtek RTL2832U chip, allowing many DVB-T dongles to be converted into RF listening devices. Unfortunately for [Omri], most of them have a maximum listening frequency of 2.2GHz, while the NRF24L01+ emits at 2.4GHz. The solution? Buy a 2.2-2.4GHz antenna from Aliexpress with a low-noise block downconverter (LNB), used for a Multichannel Multipoint Distribution Service (MMDS). The LNB therefore takes the 2.2-2.4GHz signal and downconverts it to around 400MHz, allowing any RTL-SDR-compatible DVB-T dongle to listen to the NRF communications. A program was then written to decode the RF signal and output the sniffed data in realtime.

Transmitting data with a Pi and RTL-SDR

Sometimes the best builds aren’t anything new, but rather combining two well-developed hacks. [Marc] was familiar with RTL-SDR, the $30 USB TV tuner come software defined radio, but was surprised no one had yet combined this cheap radio dongle with the ability to transmit radio from a Raspberry Pi. [Marc] combined these two builds and came up with the cheapest portable radio modem for the Raspberry Pi.

Turning the Raspi into a transmitter isn’t really that hard; it only requires a 20cm wire inserted into a GPIO pin, then toggling this pin at about 100 MHz. This resulting signal can be picked up fifty meters away, and through walls, even.

[Marc] combined this radio transmitter with minimodem, a program that generates audio modem tones at the required baud rate. Data is encoded in this audio stream, sent over the air, and decoded again with an RTL-SDR dongle.

It’s nothing new, per se, but if you’re looking for a short-range, low-bandwidth wireless connection between a computer and a Raspberry Pi, this is most certainly the easiest and cheapest method.