THP Entry: SatNOGS

NOGS Here’s an interesting thought: it’s possible to build a cubesat for perhaps ten thousand dollars, and hitch a ride on a launch for free thanks to a NASA outreach program. Tracking that satellite along its entire orbit would require dozens of ground stations, all equipped with antennas, USB TV tuners, and a connection to the Internet. It’s actually more expensive to build and launch a cubesat than it costs to build a network of ground stations to get reasonably real-time telemetry from a cubesat. The future is awesome and weird, it seems.

This is the observation the guys behind SatNOGS have made. They’re developing a platform for a completely open source ground station network, with the idea being people an institutions along every longitude and latitude would build a simple satellite tracking antenna mount, connect it to the Internet, and become part of an open source Near Space Network, capable of receiving telemetry from any one of the small cubesats whizzing around in low earth orbit.

Despite being what is probably one of the most ambitious and far-reaching projects in open source hardware, the design of the system is relatively simple: the hardware is a 3D printed alt-az mount, capable of pointing a pair of antennas anywhere in the sky. The stepper motor driver board is based on the Arduino, and the computer running each antenna node is powered by a BeagleBone Black or a WR703N router. The antenna receiver is, of course, an RTL-SDR dongle, capable of listening to all the common cubesat bands. Even the software is derived from open source projects. Tracking a satellite across the sky can be calculated with GPredict, and the team is working on an observation scheduling and management system that combines multiple ground stations for coverage across the globe.

It’s a great idea, crowdsourcing satellite tracking from people around the globe, and something that could be used by hundreds of institutions lucky enough to launch a small cube of electronics into orbit.

SpaceWrencherThe project featured in this post is an entry in The Hackaday Prize. Build something awesome and win a trip to space or hundreds of other prizes.

ISEE-3: On Track To Come Home

Intended trajectory from ICE team in 1986 (blue), 2001 ephemeris of ISEE-3 (white) and current ephemeris (red/green). Click to embiggen.

When last we heard of the progress of commanding the derelict ISEE-3 satellite into stable orbit between the Earth and the sun, the team had just made contact with the probe using the giant dish in Arecibo, sent a few commands, and started gathering data to plot where the spacecraft is and where it will be. A lot has happened in a week, and the team is now happy to report the spacecraft is alive and well, and much, much closer to the intended trajectory than initially believed.

Before last week, the best data on where ISEE-3 was heading was from a 13-year-old data set, leaving the project coordinators to believe a maneuver of about 50-60  m/s was necessary to put the spacecraft into the correct orbit between the Earth and the sun. With new data from Arecibo, that figure has been reduced to about 5.8 m/s, putting it extremely close to where the original ICE navigation team intended it to go, all the way back in 1986. This also gives the team a bit of breathing room; the original planned maneuver to capture the spacecraft required nearly a third of the available fuel on board. The new plan only requires the spacecraft expend about 5% of its fuel stores. This, of course, brings up the idea of continuing the planned mission of the rebooted ISEE-3 beyond the Earth-Sun L1 point, but that is very much putting the cart before the horse.

Of course, getting ranging data of the spacecraft is only a small part of what has happened with the ISEE-3 part this week. Thanks to the ‘away team’ sent to Arecibo to install hardware and attempt to make contact with the satellite, both transceivers are working, telemetry is being downloaded from the probe, and work has begun on refining the exact position of ISEE-3 to compute where and when the spacecraft needs to make its maneuver.

Regular Hackaday feature and software defined radio god [Balint] was on hand with the away team at Arecibo to install his company’s SDR unit on the largest dish on the planet. His happy dance of the first data from ISEE-3 made the blog rounds, but the presentation (PDF) and photo gallery tell the story of working on the largest dish on the planet much better.

There’s still a lot of work to be done by the ISEE-3 team as they figure out how best to capture the spacecraft and prepare for the burn in the following week. They should have the exact orbit of ISEE-3 nailed down early this week, and after that, ISEE-3 could on a path back home in less than two weeks.

Building A Software Defined Radio With A Teensy


[Rich, VE3MKC] has been wanting to get into Software Defined Radio for a while now, but didn’t want to go the usual PC route. He initially thought the Raspberry Pi would be the best platform for a small, embedded device that could manipulate audio, but after discovering the ARM-powered Teensy 3.0, had an entirely different project in mind.

[Rich] is using a SoftRock SDR to take RF from an antenna and downconvert it into the audio range. Doing DSP for SDR is fairly computationally intensive, but he found a Teensy 3.0 with the audio adapter board was more than up to the task.

So far, [Rich] is running the audio from the SoftRock to the Teensy where the audio is digitized and multiplied with a VFO, sent through a filter and then sent to the output of the headphone jack to a speaker. The volume pot on the audio adapter board is used to tune the VFO, something [Rich] be replacing with a proper encoder sometime in the future.

In the videos below, you can see [Rich] listening in on a contest with a tiny TFT display showing everybody on the air. It’s a very cool build, and even though it’s still very early in development, there’s still a whole lot of CPU cycles for the Teensy to do some very cool stuff.

Continue reading “Building A Software Defined Radio With A Teensy”

[Balint]‘s GNU Radio Tutorials


[Balint] has a bit of history in dealing with software defined radios and cheap USB TV tuners turned into what would have been very expensive hardware a few years ago. Now [Balint] is finally posting a few really great GNU Radio tutorials, aimed at getting software defined radio beginners up and running with some of the coolest hardware around today.

[Balint] is well-known around these parts for being the first person to create a GNU Radio source block for the implausibly inexpensive USB TV tuners, allowing anyone with $20 and enough patience to wait for a package from China to listen in on everything from 22 to 2200 MHz. There’s a lot of interesting stuff happening in that band, including the ACARS messages between airliners and traffic control, something that allowed [Balint] to play air traffic controller with a minimal amount of hardware.

Right now the tutorials are geared towards the absolute beginner, starting at the beginning with getting GNU Radio up and running. From there the tutorials continue to receiving FM radio, and with a small hardware investment, even transmitting over multiple frequencies.

It’s not much of an understatement to say software defined radio is one of the most versatile and fun projects out there. [Balint] even demonstrated triggering restaurant pagers with a simple SDR project, a fun project that is sure to annoy his coworkers.

Continue reading “[Balint]‘s GNU Radio Tutorials”

Hacking Radio Controlled Outlets

Decoding NRZ ASK

It’s no surprise that there’s a lot of devices out of there that use simple RF communication with minimal security. To explore this, [Gordon] took a look at attacking radio controlled outlets.

He started off with a CC1111 evaluation kit, which supports the RFCat RF attack tool set. RFCat lets you interact with the CC1111 using a Python interface. After flashing the CC1111 with the RFCat firmware, the device was ready to use. Next up, [Gordon] goes into detail about replaying amplitude shift keying messages using the RFCat. He used an Arduino and the rc-switch library to generate signals that are compatible with the outlets.

In order to work with the outlets, the signal had to be sniffed. This was done using RTL-SDR and a low-cost TV tuner dongle. By exporting the sniffed signal and analyzing it, the modulation could be determined. The final step was writing a Python script to replay the messages using the RFCat.

The hack is a good combination of software defined radio techniques, ending with a successful attack. Watch a video of the replay attack after the break.

Continue reading “Hacking Radio Controlled Outlets”

Verifying A Wireless Protocol With RTLSDR


[Texane] is developing a system to monitor his garage door from his apartment. Being seven floors apart, running wires between the door and apartment wasn’t an option, so he turned to a wireless solution. Testing this wireless hardware in an apartment is no problem, but testing it in situ is a little more difficult. For that, he turned to software defined radio with an RTLSDR dongle.

The hardware for this project is based around a TI Stellaris board and a PTR8000 radio module. All the code for this project was written from scratch (Github here), making it questionable if the code worked on the first try. To test his code, [Texane] picked up one of those USB TV tuner dongles based around the RTL2832U chipset. This allowed him to monitor the frequencies around 433MHz for the packets his hardware should be sending.

After that, the only thing left to do was to write a frame decoder for his radio module. Luckily, the datasheet for the module made this task easy.

[Texane] has a frame decoder for the NRF905 radio module available in his Git. It’s not quite ready for serious applications, but for testing a simple radio link it’s more than enough.

Cracking GSM with RTL-SDR for Thirty Dollars

Theoretically, GSM has been broken since 2003, but the limitations of hardware at the time meant cell phone calls and texts were secure from the prying ears of digital eavesdroppers and all but the most secret government agencies. Since then, the costs of hardware have gone down, two terabytes of rainbow tables have been published, and all the techniques and knowledge required to listen in on cell phone calls have been available. The only thing missing was the hardware. Now, with a super low-cost USB TV tuner come software defined radio, [domi] has put together a tutorial for cracking GSM with thirty dollars in hardware.

Previous endeavours to listen in and decrypt GSM signals used fairly expensive software defined radios – USRP systems that cost a few thousand dollars a piece. Since the advent of RTL-SDR, the price of software defined radios has come down to about $30 on eBay, giving anyone with a Paypal account the ability to listen in on GSM calls and sniff text messages.

The process of cracking GSM first involves getting the TMSI – Temporary Mobile Subscriber Identifier – a unique ID for each phone in a certain cell. This is done by sending a silent SMS that will send back and acknowledgement an SMS has been received on the victim’s phone, but won’t give the victim any indication of   receiving a message.

From there, the attacker listens to the GSM signals in the cell, receiving bursts attached to a TMSI, and cracking the encrypted stream using 1.6 TB of rainbow tables.

[domi] put up a four-part tutorial series (part 1 above; part 2, part 3, and part 4) that goes over the theory and the actual procedure of cracking text messages and voice calls with a simple USB TV tuner. There are a few limitations; the attacker must be in the same cell as the victim, and it looks like real-time voice decoding isn’t yet possible. Cracking GSM for $30, though, that’s good enough for us.