Read Home Power Meters With RTL-SDR

[k-roy] hates electricity. Especially the kind that can be lethal if you’re not careful. Annoyed by the constant advertisements for the popular Sense Home Energy monitors (which must be installed in the main breaker box by an electrician), [k-roy] set out to find a cheaper and easier way. He wondered how the power company monitored his meter, and guessed correctly that it must be transmitting the information wirelessly. Maybe he could just listen in?

Using a cheap RTL-SDR, it didn’t take long for [k-roy] to tap into this transmission and stumble across the power readings for his entire neighborhood using a simple command:

~/gocode/bin/rtlamr -msgtype=idm --format=json -msgtype=scm+

Ironically, the hardest part wasn’t snooping on everyone’s power and water usage patterns in the neighborhood; it was trying to figure out which meter was his. In the end, he was able to make some nice graphical layouts of the data with PHP.
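The step the post glosses over, picking your own meter out of the neighborhood’s chatter and turning its cumulative counter into per-interval usage for graphing, is shown below as an added example; it is not [k-roy]’s PHP or anything from the rtlamr project. It reads the JSON lines rtlamr emits (one record per line), keeps only records whose meter ID matches the one printed on your own meter’s faceplate, and differences successive readings. The SCM field names (ID, Consumption) and IDM field names (ERTSerialNumber, LastConsumptionCount) are written from memory of rtlamr’s output and are an assumption; the sample lines and the meter IDs are constructed, and the consumption units are whatever your meter reports.

```python
"""Filter rtlamr JSON-lines output down to one meter and compute usage deltas.

Field names follow rtlamr's SCM/IDM JSON as remembered (assumption).
Sample records below are constructed, not captured from a real meter.
"""
import json
import sys

# Hypothetical: the serial printed on your own meter's faceplate.
MY_METER_ID = 12345678

# Constructed sample of rtlamr output; a neighbour's meter (87654321) is mixed in,
# one line is corrupt, and one reading is a retransmission of the same counter.
SAMPLE_LINES = [
    '{"Time":"2019-02-03T10:00:00Z","Type":"SCM","Message":{"ID":12345678,"Type":7,"TamperPhy":0,"TamperEnc":0,"Consumption":500000,"ChecksumVal":0}}',
    '{"Time":"2019-02-03T10:00:04Z","Type":"SCM","Message":{"ID":87654321,"Type":7,"TamperPhy":0,"TamperEnc":0,"Consumption":91000,"ChecksumVal":0}}',
    '{"Time":"2019-02-03T10:01:00Z","Type":"IDM","Message":{"ERTSerialNumber":12345678,"LastConsumptionCount":500012}}',
    'not json at all',
    '{"Time":"2019-02-03T10:01:30Z","Type":"IDM","Message":{"ERTSerialNumber":12345678,"LastConsumptionCount":500012}}',
    '{"Time":"2019-02-03T10:02:00Z","Type":"SCM","Message":{"ID":12345678,"Type":7,"TamperPhy":0,"TamperEnc":0,"Consumption":500030,"ChecksumVal":0}}',
]


def meter_id_and_reading(record):
    """Return (meter_id, cumulative_reading) for an SCM or IDM record, else None."""
    msg = record.get("Message", {})
    if record.get("Type") == "SCM":
        return msg["ID"], msg["Consumption"]
    if record.get("Type") == "IDM":
        return msg["ERTSerialNumber"], msg["LastConsumptionCount"]
    return None


def readings_for(lines, meter_id):
    """Yield (timestamp, cumulative_reading) for one meter; skip unparsable lines."""
    out = []
    for line in lines:
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # rtlamr occasionally interleaves non-JSON status text
        pair = meter_id_and_reading(rec)
        if pair is None or pair[0] != meter_id:
            continue
        out.append((rec["Time"], pair[1]))
    return out


def consumption_deltas(readings):
    """Turn a cumulative counter into (start, end, used) intervals.

    A repeated or decreasing value is a retransmission or a decode error,
    not real usage, so it is ignored rather than producing a zero/negative bar.
    """
    deltas = []
    prev = None
    for t, val in readings:
        if prev is not None and val > prev[1]:
            deltas.append((prev[0], t, val - prev[1]))
        if prev is None or val > prev[1]:
            prev = (t, val)
    return deltas


if __name__ == "__main__":
    # Usage: rtlamr -format=json | python3 this_script.py
    src = sys.stdin if not sys.stdin.isatty() else SAMPLE_LINES
    for start, end, used in consumption_deltas(readings_for(src, MY_METER_ID)):
        print(f"{start} -> {end}: {used} units")
```

If you only ever want one meter, rtlamr’s own -filterid flag drops the other IDs before they reach the pipe, which is also the polite way to run it in a dense neighborhood.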

We’ve seen some righteous power meter hacks in our time, but this one stands out for its simplicity and elegance. Be sure to check out [k-roy’s] blog for more details, and [rtlamr’s] GitHub for the program used to read the meters.

Thanks to [Jasper J] for the tip!

Attack Some Wireless Devices With A Raspberry Pi And An RTL-SDR

If you own one of the ubiquitous RTL-SDR software defined radio receivers derived from a USB digital TV receiver, one of the first things you may have done with it was to snoop on wide frequency bands using the waterfall view present in most SDR software. Since the VHF and UHF bands the RTL covers are sometimes a little devoid of signals, chances are you homed in upon one of the ISM bands used by plenty of inexpensive wireless devices for all sorts of mundane control tasks. Unless you reside in the depths of the wilderness, ISM band sniffing will show a continuous procession of chirps: short bursts of digital data. The number of radio-controlled devices you never knew were in your surroundings is surprising.

Some of these devices, such as car security keys, are protected by rolling-code schemes to deter would-be attackers. But many of the more harmless devices simply send a command in the open without the barest of encryption. The folks at RTL-SDR.com put up a guide to recording these open data bursts on a Raspberry Pi and playing them back by transmitting them from the Pi itself.

It’s not the most refined of attacks, because all it does is take the recorded file and retransmit it with the [F5OEO] RPiTX software. But they do demonstrate it in action with a wireless lightbulb, a door bell, a wireless relay, and a remote-controlled switched socket. Since the data in question is transmitted as OOK, or on-off keying, the RPiTX AM mode stands in for the transmitter.

You can see it in action in the video below the break. Now, have you investigated the ISM band chirps in your locality?


19 RTL-SDR Dongles Reviewed

Blogger [radioforeveryone] set out to look at 19 different RTL-SDR dongles for use in receiving ADS-B (that’s the system where airplanes determine their position and broadcast it). Not all of the 19 worked, but you can read the detailed review of the 14 that did.

Granted, you might not want to pick up ADS-B, but the relative performance of these inexpensive devices is still interesting. The tests used Raspberry Pi 3s and a consistent antenna and preamp system. Since ADS-B is transmitted frequently, the tests were at least 20 hours in length. The only caveat: the tests were only done two at a time, so it is not fair to directly compare total results across days.


One Transistor RTL-SDR Upconverter

Even if you haven’t used one, you’ve probably seen the numerous projects with the inexpensive RTL-SDR USB dongle. Originally designed for TV use, the dongle is a software defined radio that many have repurposed for a variety of radio hacking projects. However, there’s one small issue. By default, the device only works down to about 50 MHz. There are some hacks to change that, but the cleanest way to get lower-frequency operation is to add an upconverter that shifts the frequency you want higher. Sounds complicated? [Qrp-Gaijin] shows how to do it with a single transistor. You can see some videos of the results below.

Actually, [Qrp-Gaijin] built an earlier version but wasn’t satisfied with the performance. He found that his original oscillator was driving an overtone crystal at its fundamental frequency. The device worked, but only because the oscillator was putting out harmonics, including the third harmonic at the actual needed frequency (49.8 MHz).


An Amateur Radio Repeater Using An RTL-SDR And A Raspberry Pi

An amateur radio repeater used to be a complex assemblage of equipment that would easily fill a 19″ rack. There would be a receiver and a separate transmitter, usually repurposed from commercial units, a home-made logic unit with a microprocessor to keep an eye on everything, and a hefty set of filters to stop the transmitter output swamping the receiver. Then there would have been an array of power supply units to provide continued working during power outages, probably with an associated bank of lead-acid cells.

More recent repeaters have been commercial repeater units. The big radio manufacturers have spotted a market in amateur radio, and particularly as they have each pursued their own digital standards there has been something of an effort to provide repeater equipment to drive sales of digital transceivers.

But what if you fancy setting up a simple repeater and you have neither a shed full of old radios nor a hotline to the sales department of a large Japanese manufacturer? If you are [Anton Janovsky, ZR6AIC], you make your own low-powered repeater using an RTL-SDR, a low-pass filter, and a Raspberry Pi.

[Anton]’s repeater is a clever assemblage, chained together through pipes, of rtl_sdr doing the receiving, csdr doing the demodulating, and [F5OEO]’s rpitx doing the transmitting. As far as we can see it doesn’t have a toneburst detector or CTCSS to control its transmission, so it is on air full-time; however, we suspect that may be a feature that will be implemented in due course.

With only a 10 mW output this repeater is more of a toy than a useful device, and we’d suggest any licensed amateur wanting to have a go should read the small print in their licence schedule before doing so. But it’s a neat usage of a Pi and an RTL stick, and with luck it’ll inspire others in the same vein.

We’ve touched on the Pi as a transmitter before, from a straightforward broadcast FM unit to crossing continents with WSPR, and even transmitting digital TV in another [F5OEO] hack.

Improving The RTL-SDR

The RTL-SDR dongle is a real workhorse for radio hacking. However, the 28.8 MHz oscillator onboard isn’t as stable as you might wish. It is fine for a lot of applications and, considering the price, you shouldn’t complain. However, there are some cases where you need a more stable reference frequency.

[Craig] wanted a stable solution and immediately thought of a TCXO (Temperature Compensated “Xtal” Oscillator). The problem is, finding these at 28.8 MHz is difficult and, if you can find them, they are relatively expensive. He decided to make an alternate oscillator using an easier-to-find 19.2 MHz crystal.


Triple Threat RTL-SDR System Reads Trunked Radio

In the old days, if you wanted to listen to police, fire, or other two-way radio users, you didn’t need much more than a simple receiver. Today, you are more likely to need something a little more exotic thanks to the adoption of trunked radio systems. To pick up the control channels and all the threads of a talk group conversation, you might need a wide bandwidth receiver.

[Luke Berndt] found he needed 6 MHz of bandwidth to monitor the stations he wanted to hear. This is easily within reach of dedicated software defined radios (SDRs). However, [Luke] wanted to use cheap RTL-SDRs, and their bandwidth is only about 2 MHz. The obvious hacker solution? Use three of them!

If you haven’t looked at a trunked system before, it essentially allows a large number of users to share a relatively small number of channels. When someone wants to talk, they move to an unused channel just for that transmission. Suppose Alice asks Bob a question that happens to be on channel 12. Bob’s reply might be on channel 4. A follow up from Alice could be on channel 3.

In practice, this means that the signal isn’t difficult to decode. It is just difficult to find (and to follow as it jumps around). This is an excellent job for multiple SDRs, and the approach even reduces the burden on the CPU, which doesn’t have to decode signals that aren’t part of the conversation being followed.
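To make the “three dongles for 6 MHz” arithmetic and the channel-hopping concrete, here is an added example (not [Luke]’s code, and not from his project) that lays three 2 MHz receivers edge to edge across a hypothetical 6 MHz band plan, maps any voice channel to the dongle whose slice contains it, and walks a constructed sequence of control-channel grants to follow one talkgroup as Alice and Bob bounce between channels. The band start, channel step, talkgroup numbers and grant list are all made up for illustration; a real system’s channel plan comes from its control channel, and it generalizes beyond the three-dongle case in the text to any number of receivers.

```python
"""Map trunked-radio voice channels onto N edge-to-edge RTL-SDR slices and
follow one talkgroup's channel grants.

Band plan, grants and talkgroup IDs are constructed for illustration.
"""

DONGLE_BW_HZ = 2_000_000        # usable bandwidth of one RTL-SDR (assumption)
NUM_DONGLES = 3                 # 3 x 2 MHz covers the 6 MHz [Luke] needed
BAND_START_HZ = 851_000_000     # hypothetical start of the trunked system's span
CHANNEL_STEP_HZ = 12_500        # hypothetical channel spacing


def dongle_centers(band_start, bw, n):
    """Centre frequencies that tile [band_start, band_start + n*bw) with no gaps."""
    return [band_start + bw // 2 + i * bw for i in range(n)]


def dongle_for(freq_hz, centers, bw):
    """Index of the dongle whose slice contains freq_hz, or None if uncovered."""
    for i, c in enumerate(centers):
        if c - bw // 2 <= freq_hz < c + bw // 2:
            return i
    return None


def channel_freq(chan):
    """Channel number -> RF frequency under the hypothetical band plan."""
    return BAND_START_HZ + chan * CHANNEL_STEP_HZ


# Constructed control-channel grant log: (talkgroup, voice channel number).
# Talkgroup 101 is the Alice/Bob conversation; 202 and 303 are other users.
GRANTS = [(101, 12), (202, 40), (101, 200), (101, 400), (303, 470), (101, 500)]


def follow_talkgroup(grants, talkgroup, centers):
    """Return (channel, frequency, dongle) for every grant to one talkgroup.

    Grants to other talkgroups are skipped without decoding, which is the
    CPU saving the article mentions. A dongle of None flags a channel that
    falls outside the tiled span and would need a wider or extra receiver.
    """
    plan = []
    for tg, chan in grants:
        if tg != talkgroup:
            continue
        f = channel_freq(chan)
        plan.append((chan, f, dongle_for(f, centers, DONGLE_BW_HZ)))
    return plan


if __name__ == "__main__":
    centers = dongle_centers(BAND_START_HZ, DONGLE_BW_HZ, NUM_DONGLES)
    print("dongle centres (Hz):", centers)
    for chan, f, d in follow_talkgroup(GRANTS, 101, centers):
        where = f"dongle {d}" if d is not None else "NOT COVERED"
        print(f"talkgroup 101 -> channel {chan:4d} @ {f} Hz -> {where}")
```

The last grant in the constructed log lands just above the tiled 6 MHz, which is exactly the case where a follower has to decide between retuning a dongle and admitting the conversation has hopped out of reach.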

[Luke] includes source code and also notes how to change the serial numbers of the dongles since each has to be unique. We have seen so many great projects with the RTL-SDR that it is hard to choose our favorite. It is especially great knowing that the dongle was only meant to receive television, and all these projects are hacks in the best sense of the word.

Thanks [WA5RRior] for the tip.