Triple Threat RTL-SDR System Reads Trunked Radio

In the old days, if you wanted to listen to police, fire, or other two-way radio users, you didn’t need much more than a simple receiver. Today, you are more likely to need something a little more exotic thanks to the adoption of trunked radio systems. To pick up the control channels and all the threads of a talk group conversation, you might need a wide bandwidth receiver.

[Luke Berndt] found he needed 6 MHz to monitor the stations he wanted to hear. This is easily in the reach of dedicated software defined radios (SDR). However, [Luke] wanted to use cheap RTL-SDRs and their bandwidth is about 2 MHz. The obvious hacker solution? Use three of them!

If you haven’t looked at a trunked system before, it essentially allows a large number of users to share a relatively small number of channels. When someone wants to talk, they move to an unused channel just for that transmission. Suppose Alice asks Bob a question that happens to be on channel 12. Bob’s reply might be on channel 4. A follow up from Alice could be on channel 3.

In practice, this means that receiving the signal isn’t difficult to decode. It is just difficult to find (and follow as it jumps around). This is an excellent job for multiple SDRs and the approach even reduces the burden on the CPU, which doesn’t have to decode signals that aren’t essential to the conversation.

[Luke] includes source code and also notes how to change the serial numbers of the dongles since each has to be unique. We have seen so many great projects with the RTL-SDR that it is hard to choose our favorite. It is especially great knowing that the dongle was only meant to receive television, and all these projects are hacks in the best sense of the word.

Thanks [WA5RRior] for the tip.

Hacking the Internet of Things: Decoding LoRa

Getting software-defined radio (SDR) tools into the hands of the community has been great for the development and decoding of previously-cryptic, if not encrypted, radio signals the world over. As soon as there’s a new protocol or modulation method, it’s in everyone’s sights. A lot of people have been working on LoRa, and [bertrik] at RevSpace in The Hague has done some work of his own, and put together an amazing summary of the state of the art.

LoRa is a new(ish) modulation scheme for low-power radios. It’s patented, so there’s some information about it available. But it’s also proprietary, meaning that you need a license to produce a radio that uses the encoding. In keeping with today’s buzzwords, LoRa is marketed as a wide area network for the internet of things. HopeRF makes a LoRa module that’s fairly affordable, and naturally [bertrik] has already written an Arduino library for using it.

So with a LoRa radio in hand, and a $15 RTL-SDR dongle connected to a laptop, [bertrik] got some captures, converted the FM-modulated chirps down to audio, and did a bunch of hand analysis. He confirmed that an existing plugins for sdrangelove did (mostly) what they should, and he wrote it all up, complete with a fantastic set of links.

There’s more work to be done, so if you’re interested in hacking on LoRa, or just having a look under the hood of this new modulation scheme, you’ve now got a great starting place.

Art for Planespotters

We don’t know art, but we know what we like. And this gizmo by [Johan Kanflo] is right up our alley.

First, [Johan] gutted an old Macintosh Classic computer and stuffed a Raspberry Pi inside. Now this is not really a new idea, but [Johan] did a very nice job with the monitor and his attention to detail shows in the rebuilt floppy-drive eject mechanism. He gives it back that characteristic “schlurp” noise.

Then he outfitted the Raspberry Pi with an RTL dongle running dump1090 software to listen to the ADS-B radio signals. The data extracted from the SDR is piped off to an MQTT server with all sorts of data about the airplanes overhead. Another script subscribes to the MQTT topic and figures out which is the closest and runs an image search for the plane type in question, publishing the results back to another MQTT topic. One final script subscribes to this last topic and displays the relevant images on the screen. Pshwew!

The end result is a Macintosh Classic that’s continually updated with whatever planes are closest to being overhead. We’re not at all sure if this is fine art, or part of the useful arts, or maybe even none of the above. But we really like the nice case job and think that using MQTT as a back-end for coordinating multiple concurrent Python scripts (on the same computer) is pretty cool.

Improving WiFi Throughput with FM Radio

WiFi networking is one of those things that is reasonably simple to use, but has a lot of complex hidden features (dare we say, hacks) that make it work, or work better. For example, consider the Distributed Coordination Function (DCF) specified in the standard. Before a station can send, it has to listen for a certain time period. If the channel is clear, the station sends. If not, it has to delay a random amount of time before trying again. This is a form of Carrier Sense Multiple Access (CSMA) channel management.

Unfortunately, listening time is dead time when–at least potentially–there is no data transmitted on the network. DCF allows you to use various handshaking packets to do virtual carrier detection and ready/clear to send, but these are also less efficient use of bandwidth. There are other optional coordination functions available in the WiFi standard, but they all have their drawbacks.

[Aleksandar Kuzmanovic] at Northwestern University and two of his students have recently published a paper with a new way to coordinate multiple unrelated wireless networks using ubiquitous FM broadcast radio signals called WiFM. Instead of trying to synchronize to the WiFi data channel, this new scheme selects a strong FM radio station that broadcasts Radio Data Service (RDS) data (the data that populates the song titles and other information on modern radios).

Continue reading “Improving WiFi Throughput with FM Radio”

Etch-A-SDR

What do you get if you cross a software defined radio (SDR) and an iconic children’s drawing toy that we are sure is a trademarked name? If you are [devnulling], you wind up with the Etch-A-SDR. The box uses an Odroid C1, a Teensy, and the ubiquitous RTL-SDR.

The knobs work well as control knobs (as you can see in the video below). When you are bored listening to the radio, you can reset the box and go into Etch-a… um, drawing mode. The knobs work like you’d expect and you can even erase the screen with a vigorous shake.

Continue reading “Etch-A-SDR”

Reverse Engineering Traffic Lights with Software Defined Radio

Construction crews tearing up the street to lay new internet fiber optic cable created a unique opportunity for [Bastian Bloessl]. The workers brought two mobile traffic lights to help keep the road safe while they worked. [Bastian] had heard that these lights use the 2 meter band radios, so he grabbed his RTL-SDR USB stick and started hacking. Mobile traffic lights are becoming more common in Europe. They can be controlled by a clock, traffic volume via an on-board camera, wire or radio. They also transmit status data, which is what [Bastian] was hoping to receive.

A quick scan with GQRX revealed a strong signal on 170.760 MHz. Using baudline and audacity, [Bastian] was able to determine that Audio Frequency Shift Keying was used to modulate the data. He created a simple receiver chain in GNU radio, and was greeted with a solid data stream from the lights. By watching the lights and looking at the data frames, [Bastian] was able to determine which bits contained the current light status. A quickly knocked up web interface allowed him to display the traffic light status in real-time.

It’s a bit scary that the data was sent in plaintext, however this is just status data. We hope that any command data is sent encrypted through a more secure channel.

Continue reading “Reverse Engineering Traffic Lights with Software Defined Radio”

Reverse Engineering An Obsolete Security System

[Veghead] recently went to a surplus warehouse filled with VHS editing studios, IBM keyboards, electronic paraphernalia from 40 years ago, and a lot of useless crap. His haul included a wooden keypad from an old alarm system that exuded 1980s futurism, and he figured it would be cool to hook this up to an alarm system from 2015. How did he do that? With software defined radio.

After pulling apart the alarm panel, [Veghead] found only a single-sided board with a 9V battery connector. There were no screw terminals for an alarm loop, meaning this entire system was wireless – an impressive achievement for the mid-80s hardware. A quick search of the FCC website showed this alarm panel was registered to two bands, 319MHz and 340MHz, well within the range of an RTL-SDR USB TV tuner dongle.

After capturing some of the raw data and playing it back in Audacity, [Veghead] found a simple OOK protocol that sends two identical binary patterns for each key. A simple program takes the raw bit patterns for each key press and codes them into a map for each of the twelve buttons.

Although the radio still works, [Veghead] found the waveforms captured by his RTL-SDR were an abomination to RF. All the components in this security system are more than 30 years old at this point, and surely some of the components must be out of spec by now. Still, [Veghead] was able to get the thing working again, a testament to the usefulness of a $20 USB TV tuner.

Thanks [Jose] for sending this one in