Triple Threat RTL-SDR System Reads Trunked Radio

In the old days, if you wanted to listen to police, fire, or other two-way radio users, you didn’t need much more than a simple receiver. Today, you are more likely to need something a little more exotic thanks to the adoption of trunked radio systems. To pick up the control channels and all the threads of a talk group conversation, you might need a wide bandwidth receiver.

[Luke Berndt] found he needed 6 MHz to monitor the stations he wanted to hear. This is easily in the reach of dedicated software defined radios (SDR). However, [Luke] wanted to use cheap RTL-SDRs and their bandwidth is about 2 MHz. The obvious hacker solution? Use three of them!

If you haven’t looked at a trunked system before, it essentially allows a large number of users to share a relatively small number of channels. When someone wants to talk, they move to an unused channel just for that transmission. Suppose Alice asks Bob a question that happens to be on channel 12. Bob’s reply might be on channel 4. A follow up from Alice could be on channel 3.

In practice, this means the hard part isn't demodulating the signal; it is finding it, and then following it as it jumps from channel to channel. That is an excellent job for multiple SDRs, and the approach also lightens the load on the CPU, which only has to demodulate the channels that belong to the conversation being followed rather than every channel in the system.
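To make the "find it and follow it" part concrete, here is an added example (not [Luke Berndt]'s code) that tiles a 6 MHz trunked system with three 2 MHz dongles and then follows one talkgroup through a stream of already-decoded control-channel grants, reporting which dongle and which baseband offset to demodulate for each hop. The system layout (voice channels from 851.0 to 857.0 MHz in 12.5 kHz steps), the talkgroup numbers and the grant list are all constructed for the illustration; a real control-channel decoder would supply the (talkgroup, channel) pairs from the air.

```python
"""Follow one talkgroup across a trunked system using several 2 MHz dongles.

Added example, not [Luke Berndt]'s code. The channel plan and the decoded
control-channel grants below are constructed for the illustration.
"""
from dataclasses import dataclass

DONGLE_BW_HZ = 2_000_000        # usable bandwidth of one RTL-SDR, roughly
SYSTEM_LOW_HZ = 851_000_000     # assumed lowest voice channel
SYSTEM_HIGH_HZ = 857_000_000    # assumed highest voice channel: a 6 MHz span
CHANNEL_SPACING_HZ = 12_500     # assumed channel spacing


@dataclass(frozen=True)
class Dongle:
    index: int
    center_hz: int

    def covers(self, f_hz):
        return abs(f_hz - self.center_hz) <= DONGLE_BW_HZ // 2

    def offset_hz(self, f_hz):
        """Baseband offset at which the channel sits inside this dongle's IQ stream."""
        return f_hz - self.center_hz


def plan_dongles(low_hz=SYSTEM_LOW_HZ, high_hz=SYSTEM_HIGH_HZ, bw_hz=DONGLE_BW_HZ):
    """Tile the span with the fewest dongles, each centred on its own slice:
    6 MHz / 2 MHz gives three dongles at 852, 854 and 856 MHz."""
    count = max(1, -(-(high_hz - low_hz) // bw_hz))   # ceiling division
    return [Dongle(i, low_hz + bw_hz // 2 + i * bw_hz) for i in range(count)]


def channel_to_hz(channel):
    return SYSTEM_LOW_HZ + channel * CHANNEL_SPACING_HZ


def follow_talkgroup(grants, talkgroup, dongles):
    """For every grant aimed at `talkgroup`, return (channel, frequency, where),
    with `where` = (dongle index, baseband offset) or None when no dongle covers
    the channel; None is the case to alarm on when the tiling is too narrow."""
    plan = []
    for tg, channel in grants:
        if tg != talkgroup:
            continue                      # other talkgroups: no demodulation work
        f_hz = channel_to_hz(channel)
        dongle = next((d for d in dongles if d.covers(f_hz)), None)
        where = None if dongle is None else (dongle.index, dongle.offset_hz(f_hz))
        plan.append((channel, f_hz, where))
    return plan


# Constructed control-channel grants: (talkgroup, channel number).
GRANTS = [(101, 12), (202, 300), (101, 200), (101, 410), (101, 500)]

if __name__ == "__main__":
    for channel, f_hz, where in follow_talkgroup(GRANTS, 101, plan_dongles()):
        if where is None:
            print(f"ch {channel} at {f_hz / 1e6:.4f} MHz: outside every dongle's passband")
        else:
            print(f"ch {channel} at {f_hz / 1e6:.4f} MHz: dongle {where[0]}, offset {where[1]:+} Hz")
```

In practice you would size `DONGLE_BW_HZ` a little below the dongle's nominal rate so neighbouring slices overlap, because the passband rolls off at the edges and the centre of each slice carries a DC spike; the last grant in the constructed list lands outside the tiling on purpose, to show the failure mode a follower has to report rather than silently miss.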

[Luke] includes source code and also notes how to change the serial numbers of the dongles since each has to be unique. We have seen so many great projects with the RTL-SDR that it is hard to choose our favorite. It is especially great knowing that the dongle was only meant to receive television, and all these projects are hacks in the best sense of the word.

Thanks [WA5RRior] for the tip.


Decoding Satellite-based Text Messages With RTL-SDR And Hacked GPS Antenna

[Carl] just found a yet another use for the RTL-SDR. He’s been decoding Inmarsat STD-C EGC messages with it. Inmarsat is a British satellite telecommunications company. They provide communications all over the world to places that do not have a reliable terrestrial communications network. STD-C is a text message communications channel used mostly by maritime operators. This channel contains Enhanced Group Call (EGC) messages which include information such as search and rescue, coast guard, weather, and more.

Not much equipment is required for this, just the RTL-SDR dongle, an antenna, a computer, and the cables to hook them all up together. Once all of the gear was collected, [Carl] used an Android app called Satellite AR to locate his nearest Inmarsat satellite. Since these satellites are geostationary, he won’t have to move his antenna once it’s pointed in the right direction.

Hacked GPS antenna

As far as antennas go, [Carl] recommends a dish or helix antenna. If you don't want to fork over the money for something that fancy, he also explains how to modify a $10 GPS antenna to work for this purpose. He admits it's not the best antenna for the job, but it will get it done. A typical GPS antenna is tuned for 1575 MHz and contains a band pass filter that rejects signals even a few MHz away from that frequency, let alone the Inmarsat L-band downlink, which sits a few tens of MHz lower.

To remove the filter, the plastic case must first be removed. Then a metal reflector needs to be removed from the bottom of the antenna using a soldering iron. The actual antenna circuit is hiding under the reflector. The filter is typically the largest component on the board. After desoldering, the IN and OUT pads are bridged together. The whole thing can then be put back together for use with this project.

Once everything was hooked up and the antenna was pointed in the right place, the dongle's samples were fed into the SDR# tuner software. After tuning to the correct frequency and setting the audio parameters, SDR#'s demodulated audio was piped into another program, tdma-demo.exe, which does the decoding. If everything is tuned just right, the software will decode the signal and start displaying messages. [Carl] posted some interesting examples, including a couple of pirate warnings.

If you can’t get enough RTL-SDR hacks, be sure to check out some of the others we’ve featured in the past. And don’t forget to send in links to your own hacking!

Measuring Filters And VSWR With RTL-SDR

Once again the ubiquitous USB TV tuner dongle has proved itself more than capable of doing far more than just receiving broadcast TV. Over on the RTL-SDR blog, there’s a tutorial covering the measurement of filter characteristics using a cheap eBay noise source and an RTL-SDR dongle.

For this tutorial, the key piece of equipment is a BG7TBL noise source, acquired from the usual online retailers. With a few connectors, a filter can be plugged in between this noise source and the RTL-SDR dongle. With the hardware out of the way, the only thing remaining is the software. That's just rtl_power and this wonderful GUI. The tutorial uses a cheap FM filter, and the resulting plot shows a clear dip between 50 and 150 MHz. On its own that plot isn't a measurement, though: it still includes the noise source's own spectrum and the dongle's frequency response, so a reference scan of the noise source and dongle with the filter removed is needed. That's just a matter of saving both scans as .csv files and subtracting one from the other in Excel.

The same hardware can be used to determine the VSWR of an antenna, replacing the filter with a directional coupler: put the coupler between the noise source and the dongle, first with nothing on the antenna port, and record the level across the dongle's range. Repeat with the antenna connected, and jump back into Excel: the drop in reflected power is the antenna's return loss, from which the VSWR follows.

Measuring Frequency Response With An RTL-SDR Dongle And A Diode

[Hans] wanted to see the frequency response of a bandpass filter but didn’t have a lot of test equipment. Using an RTL-SDR dongle, some software and a quickly made noise generator, he still managed to get a rough idea of the filter’s characteristics.

How did he do it? He 'simply' measured his noise generator's spectrum with and without the bandpass filter connected to its output and then subtracted one curve from the other. As you can see in the diagram above, the noise generator is based around a zener diode operating in reverse breakdown, which produces wideband noise. DC blocking is then done with a simple capacitor.

Given that a standard RTL-SDR dongle can only sample a 2-3 MHz wide slice of spectrum at a time, [Hans] used rtlsdr-scanner to sweep his region of interest. In his write-up, he also did a great job of describing the limitations of such an approach: for example, the dynamic range of the dongle's 8-bit ADC is only about 48 dB, so anything the filter attenuates by more than that disappears into the noise floor and can't be measured.
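Both this build and the RTL-SDR blog tutorial above end in the same arithmetic: subtract a reference scan from a scan with the device in line, and for the antenna case turn the resulting return loss into a VSWR. The following is an added example that does that post-processing in Python instead of Excel; it is neither the blog's spreadsheet nor [Hans]'s script. It assumes rtl_power's CSV layout (date, time, hz_low, hz_high, hz_step, samples, then one dB value per bin), the noise floor value is a placeholder you would measure with the dongle input terminated, and the four-bin scans are constructed so the code runs offline. It also flags bins where the device-under-test reading sits at the noise floor, which is exactly the 48 dB limitation described above: such a reading is a lower bound on the loss, not a measurement.

```python
"""Turn rtl_power scans into a filter response and an antenna VSWR curve.

Added example, not the RTL-SDR blog's spreadsheet or [Hans]'s script. The CSV
layout is rtl_power's; the scans themselves are constructed (10 MHz bins).
"""
import math

NOISE_FLOOR_DB = -60.0      # assumed: measure it with the dongle input terminated
FLOOR_MARGIN_DB = 3.0       # bins closer than this to the floor are not trusted

BASELINE_CSV  = "2014-11-19, 21:04:55, 80000000, 120000000, 10000000, 275, -20.1, -20.3, -20.0, -20.2\n"
FILTER_CSV    = "2014-11-19, 21:06:10, 80000000, 120000000, 10000000, 275, -20.4, -50.2, -58.5, -21.0\n"
OPEN_PORT_CSV = "2014-11-19, 21:10:00, 80000000, 120000000, 10000000, 275, -25.0, -25.0, -25.0, -25.0\n"
ANTENNA_CSV   = "2014-11-19, 21:12:00, 80000000, 120000000, 10000000, 275, -25.0, -45.0, -35.0, -26.0\n"


def parse_rtl_power(text):
    """Average every rtl_power row (hops and repeated sweeps) into one dB value per bin."""
    total, count = {}, {}
    for line in text.strip().splitlines():
        fields = [f.strip() for f in line.split(",")]
        hz_low, hz_step = int(fields[2]), int(fields[4])
        for i, db in enumerate(fields[6:]):
            hz = hz_low + i * hz_step
            total[hz] = total.get(hz, 0.0) + float(db)
            count[hz] = count.get(hz, 0) + 1
    return {hz: total[hz] / count[hz] for hz in total}


def attenuation_db(reference, dut):
    """reference minus device-under-test per bin, paired with a flag saying whether the
    DUT reading sat clear of the noise floor; if it did not, the true loss is larger."""
    out = {}
    for hz, ref in reference.items():
        if hz in dut:
            out[hz] = (ref - dut[hz], dut[hz] > NOISE_FLOOR_DB + FLOOR_MARGIN_DB)
    return out


def vswr_from_return_loss(rl_db):
    """VSWR = (1 + |G|) / (1 - |G|) with |G| = 10^(-RL/20); RL <= 0 dB is total reflection."""
    if rl_db <= 0:
        return math.inf
    gamma = 10 ** (-rl_db / 20)
    return (1 + gamma) / (1 - gamma)


def antenna_vswr(open_port, with_antenna):
    """Open antenna port reflects everything (the reference); the drop once the antenna
    is connected is the return loss at that frequency."""
    return {hz: vswr_from_return_loss(rl)
            for hz, (rl, _) in attenuation_db(open_port, with_antenna).items()}


if __name__ == "__main__":
    for hz, (loss, ok) in attenuation_db(parse_rtl_power(BASELINE_CSV),
                                         parse_rtl_power(FILTER_CSV)).items():
        note = "" if ok else "  (at noise floor: lower bound only)"
        print(f"{hz / 1e6:6.1f} MHz  filter loss {loss:5.1f} dB{note}")
    for hz, v in antenna_vswr(parse_rtl_power(OPEN_PORT_CSV),
                              parse_rtl_power(ANTENNA_CSV)).items():
        print(f"{hz / 1e6:6.1f} MHz  VSWR {v:.2f}")
```

The reference and measurement scans must be taken with identical rtl_power settings (same bins, same gain, same integration time), otherwise the subtraction mixes in the dongle's own gain steps; averaging repeated sweeps, as `parse_rtl_power` does, is the cheapest way to knock a few dB of noise off the curves.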

Transmitting Data With A Pi And RTL-SDR

Sometimes the best builds aren't anything new, but rather a combination of two well-developed hacks. [Marc] was familiar with RTL-SDR, the $30 USB TV tuner turned software defined radio, but was surprised no one had yet combined this cheap radio dongle with the ability to transmit radio from a Raspberry Pi. [Marc] combined these two builds and came up with the cheapest portable radio modem for the Raspberry Pi.

Turning the Raspi into a transmitter isn't really that hard; it only requires a 20 cm wire on a GPIO pin and driving that pin at about 100 MHz, which the Pi's hardware clock generator can do even though software alone can't toggle a pin that fast. The resulting signal can be picked up fifty meters away, even through walls. It is also an unfiltered square wave sitting in the broadcast FM band, so keep it to short-range experiments.

[Marc] combined this radio transmitter with minimodem, a program that generates (and decodes) audio modem tones at the required baud rate. Data is encoded into this audio stream, sent over the air, and decoded again on the other end with an RTL-SDR dongle.
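What minimodem does in that chain is an audio FSK modem with UART-style framing. The following is an added example, not [Marc]'s setup or minimodem's own code, that implements the same idea end to end: bytes are framed 8N1, each bit becomes a mark or space tone at Bell 202 frequencies (1200 Hz and 2200 Hz at 1200 baud, 48 kHz sample rate, all assumed here), and the receiver decides each bit by comparing tone energy with a Goertzel filter, then hunts for start bits and drops any byte whose stop bit is wrong rather than emitting garbage. The input bytes are constructed; on the Pi the samples would feed the transmitter, and on the receiving side they would be the dongle's demodulated audio.

```python
"""A minimodem-style audio FSK link in pure Python: bytes -> tones -> bytes.

Added example, not [Marc]'s setup or minimodem's code. Bell 202 parameters and
8N1 framing are assumed; the sample payload is constructed.
"""
import math

SAMPLE_RATE = 48_000
BAUD = 1200
MARK_HZ, SPACE_HZ = 1200, 2200           # '1' and '0' tones
SAMPLES_PER_BIT = SAMPLE_RATE // BAUD    # 40 samples per bit


def frame_bits(data):
    """8N1 framing as a UART does: start bit 0, eight data bits LSB first, stop bit 1."""
    bits = []
    for byte in data:
        bits.append(0)
        bits.extend((byte >> i) & 1 for i in range(8))
        bits.append(1)
    return bits


def modulate(bits):
    """Continuous-phase FSK: one tone per bit period, no phase jumps at bit edges."""
    samples, phase = [], 0.0
    for bit in bits:
        hz = MARK_HZ if bit else SPACE_HZ
        for _ in range(SAMPLES_PER_BIT):
            samples.append(math.sin(phase))
            phase += 2 * math.pi * hz / SAMPLE_RATE
    return samples


def goertzel_power(chunk, hz):
    """Energy of `chunk` at a single frequency (a one-bin DFT)."""
    coeff = 2 * math.cos(2 * math.pi * hz / SAMPLE_RATE)
    s_prev = s_prev2 = 0.0
    for x in chunk:
        s = x + coeff * s_prev - s_prev2
        s_prev2, s_prev = s_prev, s
    return s_prev * s_prev + s_prev2 * s_prev2 - coeff * s_prev * s_prev2


def demodulate(samples):
    """Decide each bit by which tone carries more energy in its bit period."""
    bits = []
    for i in range(0, len(samples) - SAMPLES_PER_BIT + 1, SAMPLES_PER_BIT):
        chunk = samples[i:i + SAMPLES_PER_BIT]
        mark = goertzel_power(chunk, MARK_HZ)
        space = goertzel_power(chunk, SPACE_HZ)
        bits.append(1 if mark > space else 0)
    return bits


def deframe_bits(bits):
    """Hunt for a start bit, take 8 data bits, require the stop bit; on a framing
    error slide one bit along and resync instead of emitting a bogus byte."""
    out, i = bytearray(), 0
    while i + 10 <= len(bits):
        if bits[i] != 0:
            i += 1
            continue
        byte = sum(bits[i + 1 + j] << j for j in range(8))
        if bits[i + 9] == 1:
            out.append(byte)
            i += 10
        else:
            i += 1
    return bytes(out)


def roundtrip(data):
    return deframe_bits(demodulate(modulate(frame_bits(data))))


if __name__ == "__main__":
    print(roundtrip(b"Hello from the Pi"))
```

The decoder here assumes the bit clock is already aligned; a real receiver adds clock recovery (resampling on the start-bit edge) and works on noisy audio, which is where minimodem's extra machinery goes. The framing-error path is worth keeping in any re-implementation: without it, one missed bit turns the rest of the stream into plausible-looking garbage.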

It’s nothing new, per se, but if you’re looking for a short-range, low-bandwidth wireless connection between a computer and a Raspberry Pi, this is most certainly the easiest and cheapest method.

Cracking GSM With RTL-SDR For Thirty Dollars

On paper, GSM has been broken since 2003, but the limitations of hardware at the time meant cell phone calls and texts stayed safe from the prying ears of digital eavesdroppers and all but the most secretive government agencies. Since then the cost of hardware has come down, nearly two terabytes of rainbow tables have been published, and all the techniques and knowledge required to listen in on cell phone calls have been available. The only thing missing was the hardware. Now, with a super low-cost USB TV tuner turned software defined radio, [domi] has put together a tutorial for cracking GSM with thirty dollars in hardware.

Previous endeavours to listen in on and decrypt GSM signals used fairly expensive software defined radios: USRP systems that cost a few thousand dollars apiece. Since the advent of RTL-SDR, the price of a software defined radio has come down to about $30 on eBay, giving anyone with a PayPal account the ability to listen in on GSM calls and sniff text messages.

The process of cracking GSM first involves getting the TMSI, the Temporary Mobile Subscriber Identity, the short-lived identifier the network assigns to a phone in place of its permanent IMSI. This is done by sending a silent SMS: the victim's phone acknowledges receipt over the air but gives the user no indication that a message arrived, so the attacker can match the resulting traffic on the cell to a single TMSI.

From there, the attacker listens to the GSM traffic in the cell, captures the bursts attached to that TMSI, and cracks the A5/1 encryption on that stream using 1.6 TB of rainbow tables.
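The last step rests on one property of A5/1: a GSM burst is encrypted by XORing 114 bits of keystream onto the plaintext, and keystream depends only on the cipher's internal state, so a stretch of predictable plaintext yields keystream bits that a precomputed table can map straight back to that state. The block below is an added example, not [domi]'s tutorial code: it implements A5/1 itself (the register lengths, taps, clocking bits and key-setup schedule are the published ones) and a toy version of the table attack in which the "table" is built from three constructed keys so the lookup can be demonstrated offline. The keys, frame number and burst payload are all constructed; it takes the first 64 bits of the burst as the known plaintext. The real 1.6 TB tables cover a large fraction of the 2^64 states rather than three, and the real tool goes one step further by clocking the recovered state backwards to obtain the session key Kc, which then decrypts every burst of the call; this toy stops at the recovered state and decrypts the current burst only.

```python
"""Toy version of the known-keystream table attack on A5/1, the GSM air cipher.

Added example, not [domi]'s code. The cipher is the published A5/1; the table,
keys, frame number and burst payload below are constructed for the illustration.
"""
R1_MASK, R2_MASK, R3_MASK = (1 << 19) - 1, (1 << 22) - 1, (1 << 23) - 1
R1_TAPS = (1 << 13) | (1 << 16) | (1 << 17) | (1 << 18)   # x^19+x^18+x^17+x^14+1
R2_TAPS = (1 << 20) | (1 << 21)                           # x^22+x^21+1
R3_TAPS = (1 << 7) | (1 << 20) | (1 << 21) | (1 << 22)    # x^23+x^22+x^21+x^8+1
R1_CLK, R2_CLK, R3_CLK = 1 << 8, 1 << 10, 1 << 10          # majority-clocking bits
BURST_BITS = 114


def _parity(x):
    return bin(x).count("1") & 1


def _step(reg, mask, taps):
    return ((reg << 1) | _parity(reg & taps)) & mask


class A51:
    def __init__(self, key, frame):
        """Key setup: 64-bit Kc then 22-bit frame number XORed in LSB first with all
        registers clocked, then 100 majority-clocked rounds whose output is discarded."""
        self.r1 = self.r2 = self.r3 = 0
        for bits, n in ((key, 64), (frame, 22)):
            for i in range(n):
                self._clock_all()
                b = (bits >> i) & 1
                self.r1 ^= b
                self.r2 ^= b
                self.r3 ^= b
        for _ in range(100):
            self._clock_majority()

    @classmethod
    def from_state(cls, r1, r2, r3):
        """Resume the cipher from a recovered internal state; no key needed."""
        obj = cls.__new__(cls)
        obj.r1, obj.r2, obj.r3 = r1, r2, r3
        return obj

    def state(self):
        return (self.r1, self.r2, self.r3)

    def _clock_all(self):
        self.r1 = _step(self.r1, R1_MASK, R1_TAPS)
        self.r2 = _step(self.r2, R2_MASK, R2_TAPS)
        self.r3 = _step(self.r3, R3_MASK, R3_TAPS)

    def _clock_majority(self):
        c1, c2, c3 = bool(self.r1 & R1_CLK), bool(self.r2 & R2_CLK), bool(self.r3 & R3_CLK)
        maj = (c1 + c2 + c3) >= 2
        if c1 == maj:
            self.r1 = _step(self.r1, R1_MASK, R1_TAPS)
        if c2 == maj:
            self.r2 = _step(self.r2, R2_MASK, R2_TAPS)
        if c3 == maj:
            self.r3 = _step(self.r3, R3_MASK, R3_TAPS)

    def keystream(self, n_bits):
        """n_bits of keystream as an int, first bit in the most significant position."""
        out = 0
        for _ in range(n_bits):
            self._clock_majority()
            bit = ((self.r1 >> 18) ^ (self.r2 >> 21) ^ (self.r3 >> 22)) & 1
            out = (out << 1) | bit
        return out


def encrypt_burst(key, frame, plaintext):
    return plaintext ^ A51(key, frame).keystream(BURST_BITS)


def build_table(keys, frame, known_bits=64):
    """Map the first `known_bits` of keystream to the post-setup state: a toy stand-in
    for the rainbow tables, which are indexed by 64-bit keystream chunks the same way."""
    table = {}
    for key in keys:
        cipher = A51(key, frame)
        state = cipher.state()
        table[cipher.keystream(known_bits)] = state
    return table


def recover_and_decrypt(ciphertext, known_plaintext_prefix, known_bits, table):
    """Known plaintext XOR ciphertext gives keystream; look the state up, regenerate
    the whole burst's keystream from it. None when the state is not in the table."""
    keystream_prefix = (ciphertext >> (BURST_BITS - known_bits)) ^ known_plaintext_prefix
    state = table.get(keystream_prefix)
    if state is None:
        return None
    return ciphertext ^ A51.from_state(*state).keystream(BURST_BITS)


# Constructed values: keys the toy table knows, one it does not, a frame number, a payload.
TABLED_KEYS = (0x0123456789ABCDEF, 0xDEADBEEFCAFEF00D, 0x0F1E2D3C4B5A6978)
UNKNOWN_KEY = 0x1111222233334444
FRAME = 0x1A2B3
PLAINTEXT = int.from_bytes(b"constructed burst", "big") & ((1 << BURST_BITS) - 1)

if __name__ == "__main__":
    table = build_table(TABLED_KEYS, FRAME)
    ct = encrypt_burst(TABLED_KEYS[1], FRAME, PLAINTEXT)
    print("tabled key recovered:", recover_and_decrypt(ct, PLAINTEXT >> 50, 64, table) == PLAINTEXT)
    print("untabled key:", recover_and_decrypt(encrypt_burst(UNKNOWN_KEY, FRAME, PLAINTEXT),
                                               PLAINTEXT >> 50, 64, table))
```

Note what the attack does not need: the key. Recovering the internal state after setup is enough to regenerate the rest of the keystream, and since A5/1 has no nonlinear mixing beyond the majority clocking, the state is also cheap to clock backwards toward Kc. That is why the defence was never "hide the key better" but replacing the cipher, which is what the later A5/3 deployment did.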

[domi] put up a four-part tutorial series (part 1 above; part 2, part 3, and part 4) that goes over the theory and the actual procedure of cracking text messages and voice calls with a simple USB TV tuner. There are a few limitations: the attacker must be in the same cell as the victim, and it looks like real-time voice decoding isn't yet possible. Cracking GSM for $30, though? That's good enough for us.

An RTL-SDR Spectrum Analyzer

With the combination of small, powerful, pocketable computers and cheap, off-the-shelf software defined radio receivers, it was only a matter of time before someone built a homebrew spectrum analyzer from these ingredients. This great build is the project of [Stephen Ong], and he's released all the software so you can build it on your own.

The two main components of this build are a BeagleBone Black and its 7″ Touchscreen cape. The BeagleBone is running Angstrom Linux, a blazingly fast Linux distro for small embedded devices. The radio hardware consists of only a USB TV tuner supported by RTL-SDR. In his demo video, [Stephen] shows off his project and by all accounts it is remarkable, with a UI better than most desktop-oriented SDR software suites.

You can grab the BeagleBone image [Stephen] is using over on his blog, and for the more enterprising reader, he's also put the source of his ViewRF software up on GitHub.