Remote ADS-B Install Listens In On All The Aircraft Transmissions With RTL-SDR Trio, Phones Home On Cellular

When installing almost any kind of radio gear, the three factors that matter most are the same as in real estate: location, location, location. An unobstructed location at the highest possible elevation gives the antenna the furthest radio horizon as well as the biggest bang for the installation buck. But remote installations create problems, too, particularly with maintenance, which can be a chore.

So when [tsimota] got a chance to relocate one of his Automatic Dependent Surveillance-Broadcast (ADS-B) receivers to a remote site, he made sure the remote gear was as bulletproof as possible. In a detailed write up with a ton of pictures, [tsimota] shows the impressive amount of effort he put into the build.

The system has a Raspberry Pi 3 with solid-state drive running the ADS-B software, a powered USB hub for three separate RTL-SDR dongles for various aircraft monitoring channels, a remote FlightAware dongle to monitor ADS-B, and both internal and external temperature sensors. Everything is snuggled into a weatherproof case that has filtered ventilation fans to keep things cool, and even sports a magnetic reed tamper switch to let him know if the box is opened. An LTE modem pipes the data back to the Internet, a GSM-controlled outlet allows remote reboots, and a UPS keeps the whole thing running if the power blips atop the 15-m building the system now lives on.

Nobody appreciates a quality remote installation as much as we do, and this is a great example of doing it right. Our only quibble would be the use of a breadboard for the sensors, but in a low-vibration location, it should work fine. If you’ve got the itch to build an ADS-B ground station but don’t want to jump in with both feet quite yet, this beginner’s guide from a few years back is a great place to start.

The Death Of A Weather Satellite As Seen By SDR

What is this world coming to when a weather satellite that was designed for a two-year mission starts to fail 21 years after launch? I mean, really — where’s the pride these days?

All kidding aside, it seems like NOAA-15, a satellite launched in 1998 to monitor surface temperatures and other meteorologic and climatologic parameters, has recently started showing its age. This is the way of things, and generally the decommissioning of a satellite is of little note to the general public, except possibly when it deorbits in a spectacular but brief display across the sky.

But NOAA-15 and her sister satellites have a keen following among a community of enthusiasts who spend their time teasing signals from them as they whiz overhead, using homemade antennas and cheap SDR receivers. It was these hobbyists who were among the first to notice NOAA-15’s woes, and over the past weeks they’ve been busy alternately lamenting and celebrating as the satellite’s signals come and go. Their on-again, off-again romance with the satellite is worth a look, as is what exactly is going wrong with this bird in the first place.

Hackaday Podcast 030: Seven Years Of RTL-SDR, 3D Printing Optimized For The Eye, Sega Audiophile, Swimming In Brighteners

Hackaday Editors Mike Szczys and Elliot Williams curate the awesome hacks from the past week. On this episode, we marvel about the legacy RTL-SDR has had on the software-defined radio scene, turn a critical ear to 16-bit console audio hardware, watch generative algorithms make 3D prints beautiful, and discover why printer paper is so very, very bright white.

Take a look at the links below if you want to follow along, and as always tell us what you think about this episode in the comments!

RTL-SDR: Seven Years Later

Before swearing my fealty to the Jolly Wrencher, I wrote for several other sites, creating more or less the same sort of content I do now. In fact, the topical overlap was enough that occasionally those articles would get picked up here on Hackaday. One of those articles, which graced the pages of this site a little more than seven years ago, was Getting Started with RTL-SDR. The original linked article has long since disappeared, and the site it was hosted on is now apparently dedicated to Nintendo games, but you can probably get the gist of what it was about from the title alone.

An “Old School” RTL-SDR Receiver

When I wrote that article in 2012, the RTL-SDR project and its community were still in their infancy. It took some real digging to find out which TV tuners based on the Realtek RTL2832U were supported, what adapters you needed to connect more capable antennas, and how to compile all the software necessary to get them listening outside of their advertised frequency range. It wasn’t exactly the most user-friendly experience, and when it was all said and done, you were left largely to your own devices. If you didn’t know how to create your own receivers in GNU Radio, there wasn’t a whole lot you could do other than eavesdrop on hams or tune into local FM broadcasts.

Nearly a decade later, things have changed dramatically. The RTL-SDR hardware and software has itself improved enormously, but perhaps more importantly, the success of the project has kicked off something of a revolution in the software defined radio (SDR) world. Prior to 2012, SDRs were certainly not unobtainable, but they were considerably more expensive. Back then, the most comparable device on the market would have been the FUNcube dongle, a nearly $200 USD receiver that was actually designed for receiving data from CubeSats. Anything cheaper than that was likely to be a kit, and often operated within a narrower range of frequencies.

Today, we would argue that an RTL-SDR receiver is a must-have tool. For the cost of a cheap set of screwdrivers, you can gain access to a world that not so long ago would have been all but hidden to the amateur hacker. Let’s take a closer look at a few obvious ways that everyone’s favorite low-cost SDR has helped free the RF hacking genie from its bottle in the last few years.

An SDR Transceiver The Old-School Way

Software-defined radios or SDRs have provided a step-change in the way we use radio. From your FM broadcast receiver which very likely now has single-application SDR technology embedded in a chip through to the all-singing-all-dancing general purpose SDR you’d find on an experimenter’s bench, control over signal processing has moved from the analogue domain into the digital. The possibilities are limitless, and some of the old ways of building a radio now seem antiquated.

[Pete Juliano N6QW] is an expert radio home-brewer of very long standing, and he’s proved there’s plenty of scope for old-fashioned radio homebrewing in an SDR with his RADIG project. It’s an SDR transceiver for HF which does all the work of quadrature splitting and mixing with homebrewed modules rather than the more usual technique of hiding it in an SDR chip. It’s a very long read in a diary format from the bottom up, and what’s remarkable is that he’s gone from idea to working SDR over the space of about three weeks.

A block diagram of the N6QW SDR

So what goes into a homebrew SDR? The RF preamplifier, filters, and PA are all conventional as you might expect, switched between transmit and receive with relays. A common transmit and receive signal path is split into two and fed to a pair of ADE-1 mixers, where the two paths are mixed with quadrature local oscillator signals to produce I and Q signals that are fed to (or from, in the case of transmit) a StarTech sound card. The local oscillator is an Si5351 synthesiser chip in the form of an SDR-Kits USB-driven module, and the 90 degree phased quadrature signals are generated with a set of 74AC74 flip-flops as a divider.

Running the show is a Raspberry Pi running Quisk, and though he mentions using a Teensy to control the Si5351 at the start of his diary it seems from the pictures of the final radio that the Pi has taken on that work. It’s clear that this is very much an experimental radio as it stands with wired-together modules on a wooden board, so we look forward to whatever refinements will come. This has the feel of a design that could eventually be built by many other radio amateurs, so it’s fascinating to be in at the start.

If I and Q leave you gasping when it comes to SDR technology, maybe we can help.

Thanks [Bill Meara N2CQR] for the tip!

Impersonate The President With Consumer-Grade SDR

In April of 2018, the Federal Emergency Management Agency sent out the very first “Presidential Alert”, a new class of emergency notification that could be pushed out in addition to the weather and missing child messages that most users were already familiar with. But while those other messages are localized in nature, Presidential Alerts are intended as a way for the Government to reach essentially every mobile phone in the country. But what if the next Presidential Alert that pops up on your phone was actually sent from somebody with a Software Defined Radio?

According to research recently released by a team from the University of Colorado Boulder, it’s not as far-fetched a scenario as you might think. In fact, given what they found about how the Commercial Mobile Alert Service (CMAS) works, there might not be a whole lot we can even do to prevent it. The system was designed to push out these messages in the most expedient and reliable way possible, which meant that niceties like authentication had to take a backseat.

The thirteen page report, which was presented at MobiSys 2019 in Seoul, details their findings on CMAS as well as their successful efforts to send spoofed Presidential Alerts to phones of various makes and models. The team used a BladeRF 2.0 and USRP B210 to perform their mock attacks, and even a commercially available LTE femtocell with modified software. Everything was performed within a Faraday cage to prevent fake messages from reaching the outside world.

So how does the attack work? To make a long story short, the team found that phones will accept CMAS messages even if they are not currently authenticated with a cell tower. So the first phase of the attack is to spoof a cell tower that provides a stronger signal than the real ones in the area; not very difficult in an enclosed space. When the phone sees the stronger “tower” it will attempt, but ultimately fail, to authenticate with it. After a few retries, it will give up and switch to a valid tower.

This negotiation takes around 45 seconds to complete, which gives the attacker a window of opportunity to send the fake alerts. The team says one CMAS message can be sent every 160 milliseconds, so there’s plenty of time to flood the victim’s phone with hundreds of unblockable phony messages.

The attack is possible because the system was intentionally designed to maximize the likelihood that users would receive the message. Rather than risk users missing a Presidential Alert because their phones were negotiating between different towers at the time, the decision was made to just push them through regardless. The paper concludes that one of the best ways to mitigate this attack would be to implement some kind of digital signature check in the phone’s operating system before the message gets displayed to the user. The phone might not be able to refuse the message itself, but it can at least ascertain it’s authentic before showing it to the user.

All of the team’s findings have been passed on to the appropriate Government agencies and manufacturers, but it will likely be some time before we find out what (if any) changes come from this research. Considering the cost of equipment that can spoof cell networks has dropped like a rock over the last few years, we’re hoping all the players can agree on a software fix before we start drowning in Presidential Spam.

Panadaptors Didn’t Start With SDRs

The must-have accessory on a modern all-singing, all-dancing amateur radio transceiver is a panadaptor. Inevitably driven by SDR technology, it’s a view of a band in the frequency domain, and it will usually be displayed as a “waterfall” giving a time dimension to see transmissions over a period.

[Bill Meara, N2CQR] reminds us that panadaptors are nothing new, indeed that they date back to the first half of the last century and don’t even need an SDR to work. And to prove it, he’s produced one for part of the 40-metre amateur band.

The principle behind an analogue panadaptor is simple enough: it’s a normal receiver whose local oscillator is given a linear periodic sweep over the desired frequency band, and whose output drives the Y axis of an oscilloscope whose X axis is driven by the sweep. In [Bill]’s case the receiver is a BitX homebrew transceiver, and the swept local oscillator is provided by his Foeltech signal generator. A neat touch comes in the ‘scope being synchronised by triggering on a marker frequency at the bottom of the range being swept. He’s created a video showing it in action, which you can see below the break.

There are quite a few routes into making this type of simple spectrum analyser; indeed, some of us have tried it with TV tuners.
