For those of us whose interests lie in radio, encountering our first software defined radio must have universally seemed like a miracle. Here is a surprisingly simple device, essentially a clever mixer and a set of analogue-to-digital or digital-to-analogue converters, that can import all the complex and tricky-to-set-up parts of a traditional radio to a computer, in which all signal procession can be done using software.
When your curiosity gets the better of you and you start to peer into the workings of a software defined radio though, you encounter something you won’t have seen before in a traditional radio. There are two mixers fed by a two local oscillators on the same frequency but with a 90 degree phase shift, and in a receiver the resulting mixer products are fed into two separate ADCs. You encounter the letters I and Q in relation to these two signal paths, and wonder what on earth all that means.
The usual way of adding GPS capabilities to a project is grabbing an off-the-shelf GPS module, plugging it into a UART, and reading the stream of NMEA sentences coming out of a serial port. Depending on how much you spend on a GPS module, this is fine: the best modules out there start up quickly, and a lot of them recognize the logical AND in ITAR regulations.
For [Mike], grabbing an off-the-shelf module is out of the question. He’s building his own GPS receiver from the ground up using a bit of hardware and FPGA hacking. Already he’s getting good results, and he doesn’t have to futz around with those messy, ‘don’t build ballistic missiles’ laws.
The hardware for this build includes a Kiwi SDR ‘cape’ for the BeagleBone and a Digilent Nexus-2 FPGA board. The SDR board captures raw 1-bit samples taken at 16.268 MHz, and requires a full minute’s worth of data to be captured. That’s at least 120 Megabytes of data for the FPGA to sort through.
The software for this project first acquires the GPS signal by finding the approximate frequency and phase. The software then locks on to the carrier, figures out the phase, and receives the 50bps ‘NAV’ message that’s required to find a position solution for the antenna’s location. The first version of this software was exceptionally slow, taking over 6 hours to process 200 seconds of data. Now, [Mike] has improved the channel tracking code and made it 300 times faster. That’s real-time processing of GPS data, using commodity off-the-shelf hardware. All the software is available on the Gits, making this a project that can very easily be replicated by anyone. We would expect the US State Department or DOD to pay [Mike] a visit shortly.
Have you got a spare Dish Network antenna lying about? They’re not too hard to come by, either curbside on bulk waste day or perhaps even on Freecycle. If you can lay hands on one, you might want to try this fun radio telescope build.
Now, don’t expect much from [Justin]’s minimalist build. After all, you’ll be starting with a rather small dish and an LNB for the Ku band, so you won’t be doing serious radio astronomy. In fact, the BOM doesn’t include a fancy receiver – just a hacked satellite finder. The idea is to just get a reading of the relative “brightness” of a radio source without trying to demodulate the signal. To that end, the signal driving the piezo buzzer in the sat finder is fed into an Arduino through a preamp. The Arduino also controls stepper motors for the dish’s azimuth and elevation control, which lets it sweep the sky and build up a map of signal intensity. The result is a clear band of bright spots representing the geosynchronous satellites visible from [Justin]’s location in Brazil.
If you live in a city, you’re constantly swimming in a thick soup of radio-frequency energy. FM radio stations put out hundreds of kilowatts each into the air. Students at the University of Washington, [Anran Wang] and [Vikram Iyer], asked themselves if they could harness this background radiation to transmit their own FM radio station, if only locally. The answer was an amazing yes.
The trailer video, embedded below, demos a couple of potential applications, but the paper (PDF) has more detail for the interested. Basically, they turn on and off an absorbing antenna at a frequency that’s picked so that it modulates a strong FM signal up to another adjacent channel. Frequency-modulating this backscatter carrier frequency adds audio (or data) to the product station.
One of the cooler tricks that they pull off with this system is to inject a second (stereo) channel into a mono FM station. Since FM radio is broadcast as a mono signal, with a left-minus-right signal sent alongside, they can make a two-channel stereo station by recreating the stereo pilot carrier and then adding in their own difference channel. Pretty slick. Of course, they could send data using this technique as well.
Why do this? A small radio station using backscatter doesn’t have to spend its power budget on the carrier. Instead, the device can operate on microwatts. Granted, it’s only for a few feet in any given direction, but the station broadcasts to existing FM radios, rather than requiring the purchase of an RFID reader or similar device. It’s a great hack that piggybacks on existing infrastructure in two ways. If this seems vaguely familiar, here’s a similar idea out of the very same lab that’s pulling off essentially the same trick indoors with WiFi signals.
So who’s up for local reflected pirate radio stations?
[Dan Englender] was working on implementing a home automation and security system, and while his house was teeming with sensors, they used a proprietary protocol which was not supported by the open source system he was trying to implement. The problem with home automation and security systems is the lack of standardization – or rather, the large number of (often incompatible) standards used to ensure consumers get tied in to one specific system. He has shared the result of his efforts at getting the two to talk to each other via his project decode345.
The result enabled him to receive signals from Honeywell’s 5800 series of wireless products and interface them with OpenHAB — a vendor and technology agnostic open source automation software. OpenHAB offers “bindings” that allow a wide variety of systems and hardware to be integrated. Unfortunately for [Dan], this exhaustive list does not yet include support for the (not very popular) 345MHz protocol used by the Honeywell 5800 system, hence his project. Continue reading “Using SDR to Take Control of Your Home Security System”→
If you want to eavesdrop on GSM phone conversations or data, it pays to have deep pockets, because you’re going to need to listen to a wide frequency range. Or, you can just use two cheap RTL-SDR units and some clever syncing software. [Piotr Krysik] presented his work on budget GSM hacking at Camp++ in August 2016, and the video of the presentation just came online now (embedded below). The punchline is a method of listening to both the uplink and downlink channels for a pittance.
[Piotr] knows his GSM phone tech, studying it by day and hacking on a GnuRadio GSM decoder by night. His presentation bears this out, and is a great overview of GSM hacking from 2007 to the present. The impetus for Multi-RTL comes out of this work as well. Although it was possible to hack into a cheap phone or use a single RTL-SDR to receive GSM signals, eavesdropping on both the uplink and downlink channels was still out of reach, because it required more bandwidth than the cheap RTL-SDR had. More like the bandwidth of two cheap RTL-SDR modules.
Getting two RTL-SDR modules to operate in phase is as easy as desoldering a crystal from one and slaving it to the other. Aligning the two absolutely in time required a very sweet hack. It turns out that the absolute timing is retained after a frequency switch, so both RTL-SDRs switch to the same channel, lock together on a single signal, and then switch back off, one to the uplink frequency and the other to the downlink. Multi-RTL is a GnuRadio source that takes care of this for you. Bam! Hundreds or thousands of dollar’s worth of gear replaced by commodity hardware you can buy anywhere for less than a fancy dinner. That’s a great hack, and a great presentation. Continue reading “GSM Sniffing on a Budget with Multi-RTL”→
Most old-school remote controlled cars broadcast their controls on 27 MHz. Some software-defined radio (SDR) units will go that low. The rest, as we hardware folks like to say, is a simple matter of coding.
So kudos to [watson] for actually doing the coding. His monster drift project starts with the basics — sine and cosine waves of the right frequency — and combines them in just the right durations to spit out to an SDR, in this case a HackRF. Watch the smile on his face as he hits the enter key and the car pulls off an epic office-table 180 (video embedded below).