Decoding Satellite-based Text Messages With RTL-SDR And Hacked GPS Antenna

August 21, 2015 by Rick Osgood 19 Comments

[Carl] just found a yet another use for the RTL-SDR. He’s been decoding Inmarsat STD-C EGC messages with it. Inmarsat is a British satellite telecommunications company. They provide communications all over the world to places that do not have a reliable terrestrial communications network. STD-C is a text message communications channel used mostly by maritime operators. This channel contains Enhanced Group Call (EGC) messages which include information such as search and rescue, coast guard, weather, and more.

Not much equipment is required for this, just the RTL-SDR dongle, an antenna, a computer, and the cables to hook them all up together. Once all of the gear was collected, [Carl] used an Android app called Satellite AR to locate his nearest Inmarsat satellite. Since these satellites are geostationary, he won’t have to move his antenna once it’s pointed in the right direction.

As far as antennas go, [Carl] recommends a dish or helix antenna. If you don’t want to fork over the money for something that fancy, he also explains how you can modify a $10 GPS antenna to work for this purpose. He admits that it’s not the best antenna for this, but it will get the job done. A typical GPS antenna will be tuned for 1575 MHz and will contain a band pass filter that prevents the antenna from picking up signals 1-2MHz away from that frequency.

To remove the filter, the plastic case must first be removed. Then a metal reflector needs to be removed from the bottom of the antenna using a soldering iron. The actual antenna circuit is hiding under the reflector. The filter is typically the largest component on the board. After desoldering, the IN and OUT pads are bridged together. The whole thing can then be put back together for use with this project.

Once everything was hooked up and the antenna was pointed in the right place, the audio output from the dongle was piped into the SDR# tuner software. After tuning to the correct frequency and setting all of the audio parameters, the audio was then decoded with another program called tdma-demo.exe. If everything is tuned just right, the software will be able to decode the audio signal and it will start to display messages. [Carl] posted some interesting examples including a couple of pirate warnings.

If you can’t get enough RTL-SDR hacks, be sure to check out some of the others we’ve featured in the past. And don’t forget to send in links to your own hacking!

Measuring Filters And VSWR With RTL-SDR

March 14, 2015 by Brian Benchoff 5 Comments

Once again the ubiquitous USB TV tuner dongle has proved itself more than capable of doing far more than just receiving broadcast TV. Over on the RTL-SDR blog, there’s a tutorial covering the measurement of filter characteristics using a cheap eBay noise source and an RTL-SDR dongle.

For this tutorial, the key piece of equipment is a BG7TBL noise source, acquired from the usual online retailers. With a few connectors, a filter can be plugged in between this noise source and the RTL-SDR dongle. With the hardware out of the way, the only thing remaining is the software. That’s just rtl_power and this wonderful GUI. The tutorial is using a cheap FM filter, and the resulting plot shows a clear dip between 50 and 150 MHz. Of course this isn’t very accurate; there’s no comparison to the noise source and dongle without any attenuation. That’s just a simple matter of saving some scans as .csv files and plugging some numbers in Excel.

The same hardware can be used to determine the VSWR of an antenna, replacing the filter with a directional coupler; just put the coupler between the noise source and the dongle measure the attenuation through the range of the dongle. Repeat with the antenna connected, and jump back into Excel.

Measuring Frequency Response With An RTL-SDR Dongle And A Diode

April 17, 2014 by Mathieu Stephan 17 Comments

[Hans] wanted to see the frequency response of a bandpass filter but didn’t have a lot of test equipment. Using an RTL-SDR dongle, some software and a quickly made noise generator, he still managed to get a rough idea of the filter’s characteristics.

How did he do it? He ‘simply’ measured his noise generator frequency characteristics with and without the bandpass filter connected to its output and then subtracted one curve with the other. As you can see in the diagram above, the noise generator is based around a zener diode operating at the reverse breakdown voltage. DC blocking is then done with a simple capacitor.

Given that a standard RTL-SDR dongle can only sample a 2-3MHz wide spectrum gap at a time, [Hans] used rtlsdr-scanner to sweep his region of interest. In his write-up, he also did a great job at describing the limitations of such an approach: for example, the dynamic range of the ADC is only 48dB.

Transmitting Data With A Pi And RTL-SDR

November 9, 2013 by Brian Benchoff 31 Comments

Sometimes the best builds aren’t anything new, but rather combining two well-developed hacks. [Marc] was familiar with RTL-SDR, the $30 USB TV tuner come software defined radio, but was surprised no one had yet combined this cheap radio dongle with the ability to transmit radio from a Raspberry Pi. [Marc] combined these two builds and came up with the cheapest portable radio modem for the Raspberry Pi.

Turning the Raspi into a transmitter isn’t really that hard; it only requires a 20cm wire inserted into a GPIO pin, then toggling this pin at about 100 MHz. This resulting signal can be picked up fifty meters away, and through walls, even.

[Marc] combined this radio transmitter with minimodem, a program that generates audio modem tones at the required baud rate. Data is encoded in this audio stream, sent over the air, and decoded again with an RTL-SDR dongle.

It’s nothing new, per se, but if you’re looking for a short-range, low-bandwidth wireless connection between a computer and a Raspberry Pi, this is most certainly the easiest and cheapest method.

Cracking GSM With RTL-SDR For Thirty Dollars

October 22, 2013 by Brian Benchoff 60 Comments

Theoretically, GSM has been broken since 2003, but the limitations of hardware at the time meant cell phone calls and texts were secure from the prying ears of digital eavesdroppers and all but the most secret government agencies. Since then, the costs of hardware have gone down, two terabytes of rainbow tables have been published, and all the techniques and knowledge required to listen in on cell phone calls have been available. The only thing missing was the hardware. Now, with a super low-cost USB TV tuner come software defined radio, [domi] has put together a tutorial for cracking GSM with thirty dollars in hardware.

Previous endeavours to listen in and decrypt GSM signals used fairly expensive software defined radios – USRP systems that cost a few thousand dollars a piece. Since the advent of RTL-SDR, the price of software defined radios has come down to about $30 on eBay, giving anyone with a Paypal account the ability to listen in on GSM calls and sniff text messages.

The process of cracking GSM first involves getting the TMSI – Temporary Mobile Subscriber Identifier – a unique ID for each phone in a certain cell. This is done by sending a silent SMS that will send back and acknowledgement an SMS has been received on the victim’s phone, but won’t give the victim any indication of receiving a message.

From there, the attacker listens to the GSM signals in the cell, receiving bursts attached to a TMSI, and cracking the encrypted stream using 1.6 TB of rainbow tables.

[domi] put up a four-part tutorial series (part 1 above; part 2, part 3, and part 4) that goes over the theory and the actual procedure of cracking text messages and voice calls with a simple USB TV tuner. There are a few limitations; the attacker must be in the same cell as the victim, and it looks like real-time voice decoding isn’t yet possible. Cracking GSM for $30, though, that’s good enough for us.

An RTL-SDR Spectrum Analyzer

September 9, 2013 by Brian Benchoff 15 Comments

With the combination of small, powerful, and pocketable computers and cheap, off-the-shelf software defined radio receivers, it was only a matter of time before someone built a homebrew spectrum analyzer with these ingredients. This great build is the project of [Stephen Ong] and he’s even released all the softwares for you to build this on your own.

The two main components of this build are a BeagleBone Black and its 7″ Touchscreen cape. The BeagleBone is running Angstrom Linux, a blazingly fast Linux distro for small embedded devices. The radio hardware consists of only a USB TV tuner supported by RTL-SDR. In his demo video, [Stephen] shows off his project and by all accounts it is remarkable, with a UI better than most desktop-oriented SDR software suites.

You can grab the BeagleBone image [Stephen] is using over on his blog, but for more enterprising reader, he’s also put up the source of his ViewRF software up on GitHub.

Hackaday Links: March 31, 2024

March 31, 2024 by Dan Maloney 5 Comments

Battlelines are being drawn in Canada over the lowly Flipper Zero, a device seen by some as an existential threat to motor vehicle owners across the Great White North. The story started a month or so ago, when someone in the government floated the idea of banning devices that could be “used to steal vehicles by copying the wireless signals for remote keyless entry.” The Flipper Zero was singled out as an example of such a nefarious device, even though relatively few vehicles on the road today can be boosted using the simple replay attack that a Flipper is capable of, and the ones that are vulnerable to this attack aren’t all that desirable — apologies to the 1993 Camry, of course. With that threat hanging in the air, the folks over at Flipper Devices started a Change.org petition to educate people about the misperceptions surrounding the Flipper Zero’s capabilities, and to urge the Canadian government to reconsider their position on devices intended to explore the RF spectrum. That last bit is important, since transmit-capable SDR devices like the HackRF could fall afoul of a broad interpretation of the proposed ban; heck, even a receive-only SDR dongle might be construed as a restricted device. We’re generally not much for petitions, but this case might represent an exception. “First they came for the Flipper Zero, but I did nothing because I don’t have a Flipper Zero…”

Continue reading “Hackaday Links: March 31, 2024” →