Art Eavesdrops on Life and Pagers

Before cell phones, pagers were the way to communicate on the go. At first, they were almost a status symbol. Eventually, they became the mark of someone who couldn’t or wouldn’t carry a cell phone. However, apparently, there are still some users that clutch their pagers with a death grip, including medical professionals. In an art project called HolyPager, [Brannon Dorsey] intercepted all the pager messages in a city and printed them on a few old-style roll printers. The results were a little surprising. You can check out the video below.

Almost all the pages were medical and many of them had sensitive information. From a technical standpoint, [Brannon’s] page doesn’t shed much light, but an article about the project says that it and other art projects that show the hidden world of radio waves are using our old friend the RTL-SDR dongle.

Pagers use a protocol — POCSAG — that predates our modern (and well-founded) obsession with privacy and security. That isn’t surprising, although the idea that private medical data is flying through the air like this is. Decoding POCSAG isn’t hard. GNU Radio, for example, can easily handle the task.

We’ve looked at pager hacking in the past. You can even run your own pager network, but don’t blame us if you get fined.

Read Home Power Meters With RTL-SDR

[k-roy] hates electricity. Especially the kind that can be lethal if you’re not careful. Annoyed by the constant advertisements for the popular Sense Home Energy monitors (which must be installed in the main breaker box by an electrician), [k-roy] set out to find a cheaper and easier way. He wondered how the power company monitored his meter, and guessed correctly that it must be transmitting the information wirelessly. Maybe he could just listen in?

Using a cheap RTL-SDR, it didn’t take long for [k-roy] to tap into this transmission and stumble across the power readings for his entire neighborhood using a simple command:

~/gocode/bin/rtlamr -msgtype=idm --format=json -msgtype=scm+

Ironically, the hardest part wasn’t snooping on everyone’s power and water usage patterns in the neighborhood, it was trying to figure out which meter was his. In the end, he was able to make some nice graphical layouts of the data with PHP.

We’ve seen some righteous power meter hacks in our time, but this one stands out for its simplicity and elegance. Be sure to check out [k-roy’s] blog for more details, and [rtlamr’s] GitHub for the program used to read the meters.

Thanks to [Jasper J] for the tip!

Neural Network Learns SDR Ham Radio

Identifying ham radio signals used to be easy. Beeps were Morse code, voice was AM unless it sounded like Donald Duck, in which case it was sideband. But there are dozens of modes in common use now including TV, digital data, digital voice, FM, and more coming online every day. [Randaller] used CUDA to build a neural network that could interface with an RTL-SDR dongle and can classify the signals it hears. Since it is a neural network, it isn’t so much programmed to do it as it is trained. The proof of concept has training to distinguish FM, SECAM, and TETRA. However, you can train it to recognize other modulation schemes if you want to invest the time into it.

Tapping into a Ham Radio’s Potential with SDRPlay

Software-defined radios are great tools for the amateur radio operator, allowing visualization of large swaths of spectrum and letting hams quickly home in on faint signals with the click of a mouse. High-end ham radios often have this function built in, but by tapping into the RF stage of a transceiver with an SDR, even budget-conscious hams can enjoy high-end features.

With both a rugged and reliable Yaesu FT-450D and the versatile SDRPlay in his shack, UK ham [Dave (G7IYK)] looked for the best way to link the two devices. Using two separate antennas was possible but inelegant, and switching the RF path between the two devices seemed clumsy. So he settled on tapping into the RF stage of the transceiver with a high-impedance low-noise amplifier (LNA) and feeding the output to the SDRPlay. The simple LNA was built on a milled PCB. A little sleuthing with the Yaesu manual — ham radio gear almost always includes schematics — led him to the right tap point in the RF path, just before the bandpass filter network. This lets the SDRPlay see the signal before the IF stage. He also identified likely points to source power for the LNA only when the radio is not transmitting. With the LNA inside the radio and the SDRPlay outside, he now has a waterfall display and thanks to Omni-Rig remote control software, he can tune the Yaesu at the click of a mouse.

If you need to learn more about SDRPlay, [Al Williams]’ guide to GNU Radio and SDRPlay is a great place to start.

Eavesdropping With An ESP8266

In the old days, spies eavesdropped on each other using analog radio bugs. These days, everything’s in the cloud. [Sebastian] from [Hacking Beaver] wondered if he could make a WiFi bug that was small and cheap besides. Enter the ESP8266 and some programming wizardry.

[Sebastian] is using a NodeMCU but suggests that it could be pared down to any ESP8266 board — with similar cuts made to the rest of the electronics — but has this working as a proof of concept. A PIC 18 MCU samples the audio data from a microphone at 10 kHz with an 8-bit resolution, dumping it into a 512-byte buffer. Once that fills, a GPIO pin is pulled down and the ESP8266 sends the data to a waiting TCP server over the WiFi which either records or plays the audio in real-time.

[Sebastian] has calculated that he needs at least 51.2 ms to transfer the data which this setup easily handles, but there are occasional two to three second glitches that come out of the blue. To address this and other hangups, [Sebastian] has the ESP8266 control the PIC’s reset pin so that the two are always in sync.

Scratch That SDR!

When you think of a software defined radio, what language might you consider reaching for to create the software part of the equation? C? C++, maybe?

How about Scratch?

“What, Scratch as in the visual programming language aimed at young people?”, we hear you cry incredulously. It’s not exactly the answer you’d expect for an SDR, but thanks to [Andrew Back]’s work there is now ScratchRadio, a set of Scratch extensions for software defined radio. Why on earth do this? The aim is to lower the barrier to entry for software defined radio as far as possible, and to place it in a learning environment such as Scratch seems an ideal way to achieve that.

Of course, Scratch itself isn’t powerful enough for the heaviest of heavy lifting, so in reality this is a Scratch wrapper for a LuaRadio backend. It was created with the LimeSDR Mini in mind, but given that LuaRadio is not specific to that hardware we’d expect it to work with other SDRs such as the ever-popular RTL chipset TV sticks. It gives an owner of a Raspberry Pi 3 the ability to experiment with SDR coding without the need for a huge level of experience, and that to our mind can only be a good thing.

If you fancy trying ScratchRadio, you can find the code in its GitHub repository, and take it from there. Meanwhile we covered LuaRadio last year, so if Scratch is a little basic for you and GNU Radio too advanced, give it a try.

Radio icon: [Sakurambo], (CC BY-SA 3.0).

Scratch cat logo: MIT Media Lab.

Cheap, Full-Duplex Software Defined Radio With The LimeSDR

A few years ago, we saw the rise of software-defined radios with the HackRF One and the extraordinarily popular RTL-SDR USB TV tuner dongle. It’s been a few years, and technology is on a never-ending upwards crawl to smaller, cheaper, and more powerful widgets. Now, some of that innovation is making it to the world of software-defined radio. The LimeSDR Mini is out, and it’s the cheapest and most capable software defined radio yet. It’s available through a Crowd Supply campaign, with units shipping around the beginning of next year.

The specs for the LimeSDR mini are quite good, even when compared to kilobuck units from Ettus Research. The frequency range for the LimeSDR Mini is 10 MHz – 3.5 GHz, bandwidth is 30.72 MHz, with a 12-bit sample depth and 30.72 MSPS sample rate. The interface is USB 3.0 (the connector is male, and soldered to the board, but USB extension cables exist), and the LimeSDR is full duplex. That last bit is huge — the RTL-SDR can’t transmit at all, and even the HackRF is only half duplex. This enormous capability is thanks to the field programmable RF transceiver found in all of the LimeSDR boards. We first saw these a year or so ago, and now these boards are heading into the hands of hackers. Someone’s even building a femtocell out of a Lime board.

The major selling point for the LimeSDR is, of course, the price. The ‘early bird’ rewards for the Crowd Supply campaign disappeared quickly at $99, but there are still plenty available at $139. This is very inexpensive and very fun — on the Crowd Supply page, you can see a demo of a LimeSDR mini set up as an LTE base station, streaming video between two mobile phones. These are the golden days of hobbyist SDR.