Triple Threat RTL-SDR System Reads Trunked Radio

In the old days, if you wanted to listen to police, fire, or other two-way radio users, you didn’t need much more than a simple receiver. Today, you are more likely to need something a little more exotic thanks to the adoption of trunked radio systems. To pick up the control channels and all the threads of a talk group conversation, you might need a wide bandwidth receiver.

[Luke Berndt] found he needed 6 MHz to monitor the stations he wanted to hear. This is easily in the reach of dedicated software defined radios (SDR). However, [Luke] wanted to use cheap RTL-SDRs and their bandwidth is about 2 MHz. The obvious hacker solution? Use three of them!

If you haven’t looked at a trunked system before, it essentially allows a large number of users to share a relatively small number of channels. When someone wants to talk, they move to an unused channel just for that transmission. Suppose Alice asks Bob a question that happens to be on channel 12. Bob’s reply might be on channel 4. A follow up from Alice could be on channel 3.

In practice, this means that the signal itself isn’t difficult to decode. It is just difficult to find (and to follow as it jumps around). This is an excellent job for multiple SDRs, and the approach even reduces the burden on the CPU, which doesn’t have to decode signals that aren’t part of the conversation.

[Luke] includes source code and also notes how to change the serial numbers of the dongles since each has to be unique. We have seen so many great projects with the RTL-SDR that it is hard to choose our favorite. It is especially great knowing that the dongle was only meant to receive television, and all these projects are hacks in the best sense of the word.

Thanks [WA5RRior] for the tip.

RF Hacking: How-To Bypass Rolling Codes

The RF signal transmitted from a modern key fob and received by the associated vehicle is only used once. If the vehicle sees the same code again it rejects the command; however, there is a loophole in those carefully chosen words. The code must be received by the vehicle’s computer before it can be added to the list of spent codes. [AndrewMohawk] goes through the process of intercepting a code sent from a key fob transmitter and preventing the vehicle from receiving it in a thorough post to his blog. You can see this attack working in his studio quality reenactment video after the break.

[Andrew] uses the YARD Stick One (YS1), a sub-GHz wireless tool that is controlled from a computer. The YS1 runs the RfCat firmware, which exposes an interactive Python shell that acts as the controller for the wireless transceiver.

This system is not without its problems: different frequencies are often used for different commands, and [Andrew]’s scripts are designed to work with On-Off Keying (OOK), leaving them useless against a system that uses Frequency-Shift Keying (FSK). There is also the issue of rendering a target key fob non-functional, but you’ll have to pop over to [Andrew]’s blog to read more about that.


Teensy 3.1 Controlled VFO

[Tom Hall], along with many hams around the world, has been hacking the Silicon Labs Si5351 to create VFOs (variable frequency oscillators) to control receivers and transmitters. You can see the results of his work in a video after the break.

[Tom] used a Teensy 3.1 Arduino compatible board to control the Si5351 mounted on an Adafruit breakout board. An LCD display shows the current frequency and provides a simple interface for changing the output. A dial encoder allows for direct adjustment of the frequency. The ham frequency band and the frequency increment for each encoder step are controlled by a joystick. When you get into the 10 meter band you definitely want to be able to jump by kHz increments, at least, since the band ranges from 28 MHz to 29.7 MHz.

So what is the Si5351? The data sheet calls it an I2C-Programmable Any-Frequency CMOS Clock Generator + VCXO. Phew! Let’s break that down a bit. The chip can be controlled from a microprocessor over an I2C bus. The purpose of the chip is to generate clock outputs from 8 kHz to 160 MHz. Not quite any frequency, but a pretty good range. VCXO means voltage controlled crystal oscillator. The crystal is 25 MHz and provides a very stable frequency source for the chip. In addition, the Si5351 can generate three separate clock outputs.

[Tom] walks through the code for his VFO and provides it via GitHub. It is an interesting project with a lot of the details explained for someone who wants to do their own hacks. His work is based on work done by others that we’ve published before, which is what hacking is all about.


Sage Advice For The New Ham

If you’re on the edge about getting your amateur radio license, just go do it and worry about the details later. But once you’ve done that, you’re going to need to know a little bit about the established culture and practices of the modern ham — the details.

Toward that end, [McSteve] has written up a (so far) two-part introductory series about ham radio. His first article is fairly general, and lays out many of the traditional applications of ham radio: chatting with other humans using the old-fashioned analog modes. You know, radio stuff.

The second article focuses more on using repeaters. Repeaters can be a confusing topic for new radio operators: there are two frequencies — one for transmitting and one for receiving — and funny control tones (CTCSS) etc. This article is particularly useful for the new ham, because you’re likely to have a relatively low powered radio that would gain the most from using a repeater, and because the technology and traditions of repeater usage are a bit arcane.

So if you’re thinking about getting your license, do it already. And then read through these two pages and you’re good to go. We can’t wait to see what [McSteve] writes up next.

Serial Telemetry To Wi-Fi With An ESP8266

Hackaday.io user [J. M. Hopkins] had a problem with his rocketry. Telemetry from the rockets came down to Earth via a 433 MHz serial link, but picking just the bits he needed from a sea of data on a laptop screen, for later analysis, on bright sunny days was getting a little difficult.

His solution was to bring the serial data from his transceiver module to an ESP8266, and from there both share it over WiFi and display pertinent information via I2C on an LCD for easy reference. He’s put the whole lot, with a power supply, in a rather splendid wooden case with an SMA socket on the back to attach his Yagi.

All information received from the telemetry is passed to a client connecting via Telnet over the WiFi, while the information destined for the LCD is selected by having the rocket send it enclosed in square brackets. We hope that the source code will be forthcoming in time.

This isn’t the first time we’ve featured rocket telemetry here at Hackaday. And we’d be missing a trick if we didn’t point out that this project is using our own Hackaday-branded Huzzah ESP8266 breakout board from the Hackaday Store.

Swarm Of Tiny Pirate Transmitters Gets The Message Out In Syria

They say that the first casualty of war is the truth, and that’s probably only more the case in a civil war. When one side in a conflict controls the message, the other side is at a huge disadvantage. Technology can level the playing field, and in the case of the Syrian Civil War, a swarm of tiny Raspberry Pi transmitters is helping one side get their message out.

We won’t pretend to understand the complexities of this war, but it’s clear that the Syrian government controls broadcast media and access to the internet, and is using them for propaganda while denying the opposition access to the same. A decentralized medium can get the message out under these conditions, and that’s exactly what Pocket FM does. Built around a Raspberry Pi and a frequency-agile FM transmitter, a Pocket FM can take multiple audio feeds and transmit them out to a 5km radius. Small enough to be packed up and deployed quickly and able to be powered by batteries or solar panels, the pirate transmitters can be here one minute and gone the next, yielding a robust network resistant to takedown attempts.

The network built around Pocket FM in Syria is small but growing, and it appears to be making a difference in the conflict. We find the concept of a decentralized network intriguing and potentially empowering, at least in situations where the letter of the law regarding broadcasting is not a prime consideration. That’s where projects like Airchat seek to build an unsanctioned network. The same goes for Tweeting on the Amateur Radio Band in a project aptly named HamRadioTweets.

We wonder how a fleet of these Pi-based transmitters could aid in recovery from natural disasters?

[via r/amateurradio and TomHiggins]

Google Is Building A 100kW Radio Transmitter At A Spaceport And No One Knows Why

You can find the funniest things in public government documents. There’s always ample evidence your local congress critter is working against the interests of their constituency, nation, and industry controlled by the commission they’re chairperson of. Rarely, though, do you find something surprising, and rarer still does it portend some sort of experiments conducted by Google at a spaceport in New Mexico.

In a publication released last week, Google asked the FCC to treat some information relating to radio experiments as confidential. These experiments involve highly directional, and therefore high power, transmissions at 2.5 GHz, 5.8 GHz, 24 GHz, 71-76 GHz, and 81-86 GHz. These experiments will take place at Spaceport America, a 12,000 foot runway in the middle of New Mexico occasionally used by SpaceX, Virgin Galactic, and now Google.

For the most part, this document only tells the FCC that Google won’t be causing harmful interference in their radio experiments. There are few other details, save for what bands and transmitters Google will be using and an experimental radio license call sign (WI9XZE) that doesn’t show up in the FCC database.

Of the few details listed in the documents, one thing does pop out as exceptionally odd: a 70-80 GHz transmitter with an effective radiated power (ERP) of 96,411 W. That’s close enough to 100 kilowatts to call it as such. This is the maximum effective radiated power of the highest power FM stations in the US, but those radio stations are omnidirectional, whereas Google is using very high gain antennas with a beam width of less than half a degree. The actual power output of this transmitter is a mere half watt.

The best guess for what Google is doing out in the New Mexico desert is Project Skybender, a project to use millimeter waves to bring faster Internet to everyone. There aren’t many details, but there is a lot of speculation ranging from application in low Earth orbit to something with Google Loon.