Over on his YouTube channel ModernHam has created a video showing him using an RTL-SDR and Raspberry Pi with RPiTX to record and replay the signal generated by the remote of a wireless power plug. A wireless power plug allows you to turn an AC wall outlet on/off remotely via a remote control. Controlling them with a Raspberry Pi can be a simple way to add home automation. One example ModernHam gives is that he hopes to use RPiTX and the wireless power plugs to create a smart coffee pot that will automatically turn on at 7 am, and turn off at 9 am.
In the past we have created a similar tutorial here, but new updates to RPiTX now make this process much easier and more reliable and ModernHam's video shows the new procedure. The new process is simply to look up the FCC frequency of the remote control transmitter, record an IQ file of the transmissions for the ON and OFF buttons, and then use the RPiTX sendiq command to replay the signal. You can then use simple Linux shell scripts to create automation.
Replay Attack with Remote Plugs for Home Automation with the Raspberry PI
If you weren't already aware, over the past few months we've been working with the engineering team at Othernet.is to create a 4x Coherent RTL-SDR that we're calling KerberosSDR. A coherent RTL-SDR allows you to perform interesting experiments such as RF direction finding, passive radar and beam forming. In conjunction with developer Tamas Peto, we have also developed open source demo software for the board, which allows you to test direction finding and passive radar. The open source software also provides a good DSP base for extension.
If you're interested and missed out in the early campaign, don't worry we still have about 250 units left from this batch for sale at a price of $140 + shipping over on our Indiegogo Campaign.
Demo Program Updates
Over the past few weeks we've been working on a few code speed improvements to the demo software, and we now believe that it should be fast enough to run on a Pi 3 B+ at decent update rates. In particular the passive radar display frame rate has been improved and we're able to get about 1 FPS on a Tinkerboard now.
We will soon release the full code, but for now you can see the two main libraries developed by Tamas that are used in the KerberosSDR code. These libraries contain the direction finding and passive radar processing algorithms.
pyAPRIL - Python Advanced Passive Radar Library. Available on PyPi and GitHub
pyArgus - Python Beamforming and Direction Finding Algorithms. Available on PyPi and GitHub.
Android Direction Finding Companion App Updates
Over the holidays we've been working on a simple companion Android app for the direction finding feature. Using the GPS and/or compass sensors on the Android phone, and the transmitter bearing given by the KerberosSDR we can plot a bearing towards the transmitter that we are tuned to.
The phone connects to a laptop/SBC WiFi hotspot running the KerberosSDR Linux software, and reads the bearing via a simple php HTML server.
Driving around with the KerberosSDR gives better results than when stationary as we can take multiple readings at different points which helps to average out multipath distortions.
In the image below we used a linear antenna array of four dipoles attached to the windscreen of a car. KerberosSDR was tuned to a TETRA transmitter at 858 MHz.
We drove down a street and then back up it. The red lines indicate the direction of the car as determined by GPS, the blue lines indicate the forward direction towards the transmitter, and the green lines the reverse direction (a linear antenna array can't tell whether the transmitter is in front of or behind it).
You can see that the majority of blue/green lines point towards the TETRA transmitter which we've marked with a red location marker at the known location.
KerberosSDR Results from a Linear Antenna Array of Dipoles
Getting a bearing from GPS requires that you are moving. However if you are stationary it is also possible to use the compass sensor in the Android app, but Android compass sensors are not particularly accurate.
We also tested the app with a circular array of antennas and found it to work well too. A circular array has the benefit over a linear array of providing only one direction towards the detected signal, but may be more susceptible to multipath issues. In our test the circular array was simply four magnetic whips placed on top of a car.
KerberosSDR using Whip Antennas in a Circular Array on a Vehicle
This time we drove around for a longer time while logging the data in the Android app. We can see that the majority of blue lines point towards the known transmitter location. Blue lines pointing away from the transmitter may be due to multipath or a briefly incorrect GPS heading (e.g. during a turn). When the direct path to the transmitter is blocked, a reflected or refracted copy of the signal is more likely to be what the array picks up. However, if you have enough data points from driving around, it becomes much clearer where the actual transmitter is.
KerberosSDR Results from the Circular Array
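The two steps described above (turning the array-relative bearing plus the GPS course into an absolute bearing, then combining many readings taken at different points) can be shown in a few lines. This is an added example, not code from the KerberosSDR project or its Android app; the coordinates, GPS courses and transmitter position are constructed, and the least-squares line intersection is one generic way of combining the readings that the page does not describe in detail. It also shows why the front/back ambiguity of a linear array does not hurt this kind of estimate: a reversed bearing describes the same line, so it contributes the same constraint.

```python
import math

def absolute_bearings(gps_course_deg, relative_bearing_deg, linear_array=True):
    """Turn the array-relative bearing reported by the DF software into
    absolute compass bearing(s), clockwise from north. A linear array
    cannot tell front from back, so it yields two candidates 180 deg apart;
    a circular array yields one."""
    forward = (gps_course_deg + relative_bearing_deg) % 360.0
    if linear_array:
        return [forward, (forward + 180.0) % 360.0]
    return [forward]

def locate(readings):
    """Least-squares intersection of bearing lines in a local flat-earth
    frame (metres east, metres north). Each reading is (east, north,
    bearing_deg). The estimate minimises the summed squared perpendicular
    distance to every line, so a reversed bearing (same line, opposite
    direction) contributes exactly the same constraint."""
    a11 = a12 = a22 = b1 = b2 = 0.0
    for east, north, bearing in readings:
        t = math.radians(bearing)
        de, dn = math.sin(t), math.cos(t)          # unit vector along the bearing
        # projector onto the line's normal: P = I - d d^T
        p11, p12, p22 = 1.0 - de * de, -de * dn, 1.0 - dn * dn
        a11 += p11
        a12 += p12
        a22 += p22
        b1 += p11 * east + p12 * north
        b2 += p12 * east + p22 * north
    det = a11 * a22 - a12 * a12
    if abs(det) < 1e-9:
        raise ValueError("all bearings are parallel; log readings from more positions")
    return ((a22 * b1 - a12 * b2) / det, (a11 * b2 - a12 * b1) / det)

def true_bearing(from_east, from_north, to_east, to_north):
    """Compass bearing from one point to another (used to construct the demo data)."""
    return math.degrees(math.atan2(to_east - from_east, to_north - from_north)) % 360.0

def demo():
    """Constructed drive-past (hypothetical numbers): transmitter at a known
    point, car logged at several positions with arbitrary GPS courses. Every
    second reading deliberately uses the reversed linear-array candidate."""
    tx = (1200.0, 800.0)
    car = [(0.0, 0.0, 90.0), (500.0, -200.0, 80.0), (1000.0, -100.0, 10.0),
           (300.0, 400.0, 350.0), (1400.0, 1500.0, 200.0)]
    readings = []
    for i, (east, north, course) in enumerate(car):
        relative = (true_bearing(east, north, *tx) - course) % 360.0
        candidates = absolute_bearings(course, relative, linear_array=True)
        readings.append((east, north, candidates[i % 2]))
    return locate(readings)

if __name__ == "__main__":
    print("estimated transmitter position (east, north):", demo())
```

With real logs the readings carry multipath and GPS-heading errors, so a robust variant would weight or discard lines far from the bulk of the intersections; the plain least-squares form above is enough to show why more positions along the drive tighten the estimate.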
Manufacturing Updates
We now have some pictures of the boards being manufactured at the factory. Unfortunately we are behind our initial shipping target of mid-Jan due to the previous unexpected payment delays from Indiegogo, and because of this we may hit the Chinese New Year holidays which could delay us further as factories take a 2 week holiday starting late Jan. We're really hoping to have them shipped off just before then, but we don't know if we can beat the clock. I know some of you are anxious to get started with KerberosSDR, and so I do apologize for the delay.
GNU Radio is a very powerful open source platform for implementing various digital signal processing (DSP) algorithms. It is very commonly used with software defined radios like the RTL-SDR, as well as much higher end units. The community that uses GNU Radio is very large, and so every year they hold a conference that highlights some of the most interesting applications and developments related to GNU Radio. The 2018 GNU Radio conference was held in Las Vegas during September 2018. Recently they have uploaded the talks to YouTube, and below we're posting some of our favorites. The full list can be found on their YouTube channel.
Keynote Talk: SatNOGs
In this keynote talk Manolis Surligas discusses the SatNOGs project. SatNOGs is a non-profit organization creating an open source and volunteer based satellite ground station network.
GRCon18 - Keynote: SatNOGs
Open Source Radio Telescopes
John L. Makous discusses his work in creating low cost and home made horn antenna radio telescopes designed to receive the 21cm hydrogen line and other astronomical objects and phenomena. The idea is to provide a low cost solution and easy to build telescope to use in schools.
GRCon18 - Open Source Radio Telescopes
Enter the Electromagic Spectrum with the USRP
Nate Temple gives us an overview of several signals that have been decoded with GNU Radio flowgraphs.
GRCon18 - Enter the Electromagic Spectrum with the USRP
Software Defined Radar Remote Sensing and Space Physics
Juha Vierinen discusses using a USRP to measure propagation conditions with ionospheric chirp sounders, and improvements to chirp sounders by using spread spectrum noise. He also discusses various other radar techniques and applications.
GRCon18 - Software Defined Radar Remote Sensing and Space Physics
Over on the SWLing post, Thomas has shared an interesting video showing aircraft scatter reception in action. Alps DX [FR] shows on his YouTube channel a broadcast FM signal coming in clearly as a plane passes by, then fading away to nothing as it leaves. This effect is due to the scattering of radio waves that occurs when radio waves reflect off aircraft.
In order to predict when the scattering occurs he uses the free AirScout software which allows you to do the following:
Calculate a propagation path as a cross circle path between two QSO partners
Calculate a path profile between both QSO partners using a Digital Elevation Model (DEM)
Calculate the mutual visibility of an aircraft from both QSO partners for each point on the path using their elevation and any possible obstruction between them
Calculate a "hot area" in which an aircraft is mutually visible from both QSO partners where a reflection is theoretically possible
Show calculated path and aircrafts in real time on a map
Predict Aircraft Scatter potential for each single aircraft according to position, track and altitude
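The first, third and fourth items in that list can be worked through for a smooth spherical earth with a short script. This is an added illustration, not AirScout's code: it interpolates the great-circle path between two stations, computes the radio horizon of each station and of the aircraft from their heights, and keeps the path points where an aircraft at a given altitude would be above the horizon of both stations (the "hot area"). The earth radius, the k-factor and the station positions are assumptions; the terrain-obstruction step that AirScout performs with a DEM is not modelled here.

```python
import math

R_EARTH_M = 6_371_000.0   # mean earth radius, assumed

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two lat/lon points (degrees)."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dlat, dlon = p2 - p1, math.radians(lon2 - lon1)
    a = math.sin(dlat / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlon / 2) ** 2
    return 2 * (R_EARTH_M / 1000) * math.asin(math.sqrt(a))

def great_circle_points(lat1, lon1, lat2, lon2, n):
    """n+1 evenly spaced (lat, lon) points along the great-circle path."""
    p1, l1, p2, l2 = map(math.radians, (lat1, lon1, lat2, lon2))
    d = 2 * math.asin(math.sqrt(math.sin((p2 - p1) / 2) ** 2 +
                                math.cos(p1) * math.cos(p2) * math.sin((l2 - l1) / 2) ** 2))
    pts = []
    for i in range(n + 1):
        f = i / n
        a, b = math.sin((1 - f) * d) / math.sin(d), math.sin(f * d) / math.sin(d)
        x = a * math.cos(p1) * math.cos(l1) + b * math.cos(p2) * math.cos(l2)
        y = a * math.cos(p1) * math.sin(l1) + b * math.cos(p2) * math.sin(l2)
        z = a * math.sin(p1) + b * math.sin(p2)
        pts.append((math.degrees(math.atan2(z, math.hypot(x, y))),
                    math.degrees(math.atan2(y, x))))
    return pts

def radio_horizon_km(height_m, k=4 / 3):
    """Distance to the radio horizon for a point height_m above a smooth
    earth, using the k-factor effective radius (4/3 = standard refraction)."""
    return math.sqrt(2 * k * R_EARTH_M * height_m) / 1000

def mutually_visible(station_a, station_b, aircraft, k=4 / 3):
    """station = (lat, lon, height_m); aircraft = (lat, lon, altitude_m).
    Visible from a station when the surface distance is within the sum of
    the two radio horizons (smooth earth, no terrain obstruction)."""
    alat, alon, alt = aircraft
    for slat, slon, sh in (station_a, station_b):
        if haversine_km(slat, slon, alat, alon) > radio_horizon_km(sh, k) + radio_horizon_km(alt, k):
            return False
    return True

def hot_area(station_a, station_b, altitude_m, n=20, k=4 / 3):
    """Path points where an aircraft at altitude_m is visible from both stations."""
    return [pt for pt in great_circle_points(station_a[0], station_a[1], station_b[0], station_b[1], n)
            if mutually_visible(station_a, station_b, (pt[0], pt[1], altitude_m), k)]

if __name__ == "__main__":
    # constructed stations on the equator, 10 m above ground, aircraft at FL330-ish
    a, b = (0.0, 0.0, 10.0), (0.0, 6.0, 10.0)
    print("path length km:", round(haversine_km(a[0], a[1], b[0], b[1]), 1))
    print("hot area points:", hot_area(a, b, 10_000.0))
```

The `k` default of 4/3 lengthens every horizon compared with the geometric value, which is why stations that look too far apart on a flat map can still share an aircraft; passing `k=1.0` gives the pessimistic, refraction-free figure.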
Thank you to Florent for submitting his website which contains a live log of his meteor scatter observations. Meteor scatter occurs when radio signals reflect off the ionized trail left behind by meteors when they enter the atmosphere. This trail is highly RF reflective, so it can allow distant radio stations to be briefly received.
His setup consists of an RTL-SDR dongle running on a Raspberry Pi 3. His antenna is a homemade 6 element Yagi. Florent is based in France and listens for reflections from the Graves radar at 143.05 MHz. His software captures 768 Hz worth of bandwidth every 0.5 s, and then uploads and displays the spectrum plot on his website. When the Graves radar signal is visible on the spectrum, it is an indication of a meteor having entered the atmosphere (or possibly an aircraft).
If you are interested in other peoples live meteor scatter streams, then there is another site at livemeteors.com which displays a live video of an SDR# screen looking for meteor echoes.
Some Meteor Scatter Logs displayed on Florent's website
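The capture-and-flag step from Florent's setup (a 768 Hz slice every 0.5 s, a detection whenever the Graves carrier shows above the noise) can be reproduced offline. This is an added example, not Florent's software: the IQ samples are constructed (Gaussian noise with or without a tone at a chosen offset), the spectrum comes from a plain DFT so that no numerical library is needed, and the noise floor estimate (median bin) and the 15 dB threshold are assumptions rather than values from the page.

```python
import cmath
import math
import random

SAMPLE_RATE_HZ = 768.0                     # bandwidth captured per window, as on the page
WINDOW_S = 0.5                             # one spectrum every 0.5 s, as on the page
N = int(SAMPLE_RATE_HZ * WINDOW_S)         # 384 complex samples per window

def power_spectrum_db(samples):
    """Plain O(N^2) DFT; returns the power of every bin in dB."""
    n = len(samples)
    spectrum = []
    for k in range(n):
        acc = 0j
        for t, x in enumerate(samples):
            acc += x * cmath.exp(-2j * math.pi * k * t / n)
        spectrum.append(10 * math.log10(abs(acc) ** 2 + 1e-20))
    return spectrum

def detect_echo(samples, threshold_db=15.0):
    """Flag a window when its strongest bin rises threshold_db above the
    median bin (a crude noise-floor estimate). Returns (detected, offset_hz),
    where offset_hz is the peak's offset from the tuned centre frequency."""
    spectrum = power_spectrum_db(samples)
    floor = sorted(spectrum)[len(spectrum) // 2]
    k_peak = max(range(len(spectrum)), key=spectrum.__getitem__)
    offset_hz = k_peak * SAMPLE_RATE_HZ / len(spectrum)
    if offset_hz >= SAMPLE_RATE_HZ / 2:    # upper half of the DFT = negative offsets
        offset_hz -= SAMPLE_RATE_HZ
    return spectrum[k_peak] - floor >= threshold_db, offset_hz

def constructed_window(echo_hz=None, seed=1):
    """Constructed IQ window: complex Gaussian noise, plus a unit-amplitude
    tone at echo_hz (relative to centre) when a reflection is simulated."""
    rng = random.Random(seed)
    out = []
    for t in range(N):
        x = complex(rng.gauss(0.0, 0.1), rng.gauss(0.0, 0.1))
        if echo_hz is not None:
            x += cmath.exp(2j * math.pi * echo_hz * t / SAMPLE_RATE_HZ)
        out.append(x)
    return out

def log_line(window_index, samples):
    """One line of the kind of log a website stream would show."""
    hit, offset = detect_echo(samples)
    stamp = window_index * WINDOW_S
    return f"t={stamp:6.1f}s  {'ECHO' if hit else '----'}  peak offset {offset:+.1f} Hz"

if __name__ == "__main__":
    for i, w in enumerate([constructed_window(), constructed_window(100.0), constructed_window()]):
        print(log_line(i, w))
```

A tone that is not centred on a DFT bin spreads over neighbouring bins, and a real Graves echo also shows a Doppler shift from the meteor trail, so a production detector would window the samples and look for energy within a band around the expected offset rather than at a single bin; the median-floor threshold above is the part that separates a genuine reflection from a noisy bin.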
Thanks to "Lolo sdr" for submitting his videos that show his process for receiving and decoding Meteor M2 weather satellite images in Windows with an SDRplay and SDR-Console V3. Since the SDRplay is not supported by SDR#, it is not possible to use Vasilli's excellent Meteor Demodulator plugin (site in Russian, please use the Google Translate option) which is only available for SDR#.
Lolo's method gets around this limitation by initially recording an IQ file of the satellite pass in SDR-Console V3, then opening that IQ file in SDR# via the Fileplayer plugin, which is also by Vasilli and available here. The process is a bit of extra work, and the image isn't live, but the image comes out clearly in the end.
The videos are shown below, and subtitles are available in English, French and Italian via the YouTube player options.
Receive and decode the Meteor M2 satellite with SDRplay, part 1 of 2: recording the pass, with subtitles.
Receive and decode the Meteor M2 satellite with SDRplay, part 2 of 2: decoding and correcting the image.
RadarBox24.com is a flight data aggregation service similar to sites like FlightAware.com and FlightRadar24.com. They aggregate ADS-B aircraft data obtained from (mostly) volunteer RTL-SDR based feeders based all over the world and use this to power their flight tracking map and flight information database.
Last year RadarBox24 came out with a specialty ADS-B RTL-SDR dongle. This is a custom RTL-SDR which contains a built in 1090 MHz tuned amplifier and filter. We have not tested this dongle yet, but we expect that the design and performance would be very similar to the FlightAware ADS-B dongles.
These dongles can only receive 1090 MHz and do so better than a standard RTL-SDR due to the built in LNA and filter. This results in greater reception range, and more flights tracked. Please note that they cannot be used as wideband general purpose RTL-SDRs due to the filtering.
ADS-B data can easily be shared to RadarBox24 with their Raspberry Pi image and RadarBox24 write that if you share data to their site, you will receive the following kickbacks:
Free Business Account while sharing (worth $39.95 /mo). This allows you to access RAW and historic flight data as well as enabling other features such as more advanced data filtering, and a weather layer.
Strong and enthusiastic Community on Whatsapp
Track your own station's flights in real-time not only on website but also on RadarBox apps
Es'hail 2 was launched last November and it is the first geostationary satellite to contain an amateur radio transponder. The satellite is positioned at 25.5°E which is over Africa. Its reception footprint covers Africa, Europe, the Middle East, India, eastern Brazil and the west half of Russia/Asia.
Although the satellite was launched last year, turning on the amateur transponders has been slow because the commercial systems of the satellite have higher priority for testing and commissioning. However, within the last day the Es'hail 2 team have now begun testing the amateur transponder, and the test signal has been successfully received by several enthusiasts (just check out the Twitter feed). There also appears to have already been a suspected pirate CW signal broadcasting "WELCOME DE ES2HAIL". Actual uplink use of the satellite is not currently wanted, and on the Amsat forums one of the engineers writes:
Before the IOT starts there will be a TRR (test readiness review) in front of the customer. All the testplans and test-specifications will be reviewed. When the test is done there will be a TRB (test readiness board). In the TRB they have to show/present all the measurement results (e.g. inband performance like Gainflatness, Groupdelay... and so on) and compare these results with the specification in the contract. Each unwanted signal makes the measurement difficult and needs to be explained or leads to a so named NCR (non conformance report).
The IOT will be done in shifts/nightshifts and with unwanted signals (if not explainable) some measurements need to start again and again and lead in addition to a delay for the handover and operation of the satellite.
Maybe that helps to understand why it is really important to have only the IOT uplink signal.
To measure the pattern of each antenna the satellite will be moved east/west by the propulsion system of the DS2000 Bus and the signal level is measured by the IOT station on ground (some cuts) .
The commercial beacon can maybe be switched from LEOP Omni antenna to on station antenna when the satellite is placed in the final slot. This should be the reason for the change of the commercial Ku Band beacon signal level the last days.
If you are interested in receiving Es'hail 2, but live outside the footprint, or don't have a receiver then you can use Zoltan's OpenwebRX live stream of the narrow band portion of the Es'hail 2 downlink. At the moment the beacon doesn't appear to be transmitting, but we expect it to be on and off during the next few days. In his set up he uses an RTL-SDR V3, Inverto LNB, 90cm dish, a DIY bias tee and a Raspberry Pi 3.
He also took a recording of the pirate's CW transmission, shown in the video below.
Over on YouTube Corrosive from channel SignalsEverywhere has uploaded a new video in his series on Digital Amateur Television (DATV). The new video shows us how to use a transmit capable SDR like a LimeSDR or PlutoSDR to transmit DATV with a free Windows program called DATV Express.
In the video he explains the various transmit and video encoding settings, and then demonstrates the signal being received on SDRAngel with an RTL-SDR (which he explained in his previous video).
Transmitting DVB-S DATV Digital Amateur Television with LimeSDR / Pluto on Windows with DATV Express
Last week we posted about some videos of talks from the 2018 GNU Radio Conference which had been released on YouTube. This week a few more videos have been released and we display a small selection below. The full collection of videos can be found on their YouTube channel.
RF Ranging with LoRa Leveraging RTL-SDRs and GNU Radio
Wil Myrick discusses the use of RTL-SDRs and GNU Radio to create a low cost LoRa RF ranging prototype, to aid in the localization of IoT transmitters.
GRCon18 - RF Ranging with LoRa Leveraging RTL SDRs and GNU Radio
Using GNU Radio and Red Pitaya for Citizen Science
Robert W McGwier discusses the use of Red Pitaya SDRs and GNU Radio for use in citizen science ionosphere measurement experiments.
GRCon18 - Using GNU Radio and Red Pitaya for Citizen Science
SETI Breakthrough Listen
Steve Croft discusses the Search for Extraterrestrial Intelligence (SETI) project and how software defined radio is being used in the search.
Recently, the RF research team at Trend Micro released a very nice illustrated report, technical paper and several videos demonstrating how they were able to take control of building cranes, excavators, scrapers and other large industrial machines with a simple bladeRF software defined radio. Trend Micro is a well known security company mostly known for their computer antivirus products.
Trend write that the main problem stems from the fact that these large industrial machines tend to rely on proprietary RF protocols, instead of utilizing modern standard secure protocols. It turns out that many of the proprietary RF commands used to control these machines have little to no security in place.
Five different kinds of attack were tested. They included: a replay attack, command injection, e-stop abuse, malicious re-pairing and malicious reprogramming. The replay attack sees the attackers simply record commands and send them again when they want. Command injection sees the hacker intercept and modify a command. E-stop abuse brings about an emergency stop, while malicious re-pairing sees a cloned controller take over the functions of the legitimate one. And malicious reprogramming places a permanent vulnerability at the heart of the controller so it can always be manipulated.
So straightforward were the first four types of attack, they could be carried out within minutes on a construction site and with minimal cost. The hackers only required PCs, the (free) code and RF equipment costing anywhere between $100 and $500. To deal with some of the idiosyncrasies of the building site tech, they developed their own bespoke hardware and software to streamline the attacks, called RFQuack.
Being a responsible security firm, Trend Micro has already notified manufacturers of these vulnerabilities, and government level advisories (1, 2) and patches have already been rolled out over the last year. However the Forbes article states that some vulnerabilities still remain unpatched to this day. Of interest, the Forbes article writes that for some of these vendors the simple idea of patching their system was completely new to them, with the firmware version for some controllers still reading 0.00A.
The videos showing the team taking control of a model crane, real crane and excavator are shown below. The video shows them using bladeRF 2.0 SDRs which are relatively low cost TX/RX capable software defined radios. We also recommend taking a look at Trend's web article as it very nicely illustrates several different RF attack vectors which could apply to a number of different RF devices.
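The root cause Trend describes is that the proprietary command frames carry no authentication and no freshness, so a recorded frame (replay), a modified frame (command injection) or a frame from a controller that was never paired (malicious re-pairing) are all indistinguishable from a genuine one at the machine. The following added example, which is not from Trend Micro's paper or RFQuack, shows the minimum a receiver needs in order to tell those frames apart: a per-pairing secret, an HMAC tag over the frame, and a strictly increasing counter. The key, the frame layout, the tag length and the command strings are all constructed for the demonstration.

```python
import hashlib
import hmac
import struct

TAG_LEN = 8        # truncated HMAC-SHA256 tag carried in each frame (assumed layout)
COUNTER_LEN = 4    # big-endian message counter (assumed layout)

def build_frame(key: bytes, counter: int, command: str) -> bytes:
    """Controller side: frame = counter || command || HMAC(key, counter || command)[:TAG_LEN]."""
    body = struct.pack(">I", counter) + command.encode()
    tag = hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]
    return body + tag

class Receiver:
    """Machine side: accepts a frame only if its tag verifies under the pairing
    key and its counter is higher than the last accepted counter."""

    def __init__(self, key: bytes):
        self.key = key
        self.last_counter = -1

    def accept(self, frame: bytes):
        if len(frame) < COUNTER_LEN + 1 + TAG_LEN:
            return ("rejected", "malformed")
        body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()[:TAG_LEN]
        # constant-time compare; fails for forged, modified and wrong-key (cloned) frames alike
        if not hmac.compare_digest(tag, expected):
            return ("rejected", "bad-auth")
        counter = struct.unpack(">I", body[:COUNTER_LEN])[0]
        if counter <= self.last_counter:
            return ("rejected", "replay")       # a recorded frame resent later lands here
        self.last_counter = counter
        return ("accepted", body[COUNTER_LEN:].decode())

def demo():
    """Runs the frame types from the Trend write-up against the receiver."""
    key = b"constructed-pairing-secret"         # hypothetical per-pairing key
    rx = Receiver(key)
    results = []
    frame = build_frame(key, 1, "HOIST_UP")
    results.append(rx.accept(frame))                                  # legitimate frame
    results.append(rx.accept(frame))                                  # same bytes recorded and resent
    tampered = bytearray(frame)
    tampered[COUNTER_LEN] ^= 0x01                                     # first command byte altered
    results.append(rx.accept(bytes(tampered)))
    results.append(rx.accept(build_frame(b"other-key", 2, "STOP")))   # controller without the secret
    results.append(rx.accept(build_frame(key, 2, "STOP")))            # next legitimate frame
    return results

if __name__ == "__main__":
    for outcome in demo():
        print(outcome)
```

Two of the five attack classes are deliberately outside this check: e-stop abuse that works by jamming or flooding is an availability problem the receiver cannot authenticate away, and malicious reprogramming needs signed firmware and an authenticated update path rather than frame-level checks. A fielded design would also keep a small acceptance window for counters so that a lost frame does not lock out the controller, and would provision the key at pairing time over a channel the attacker cannot observe.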
Vasilli has recently released the SDR# TETRA plugin on his website RTL-SDR.RU (note that the site is in Russian, but can be translated with the Google Translate option in the top right of the page). Previously it was only available via ever changing forum links, so it's good to see that it has a permanent home now for the latest version. This plugin allows you to listen to TETRA digital voice via SDR#, without needing to set up any complicated GNU Radio based receivers which were necessary in the past.
The features include (note Translated from Russian):
Receiving a signal from the BS band 25kHz and modulation Pi / 4-DQPSK;
Automatic adjustment of the reception frequency;
Displays information about the BS;
Displays ISSI, GSSI subscribers in the channels (for open channels only);
Displays a service exchange network (for open channels only);
It allows you to listen to the channels in manual or automatic mode selection (only open channels);
It allows to filter and distribute the listening priority specified for groups (GSSI);
It displays a message with the location (just a short message format)
The current features not yet implemented are:
And listen to correctly display any encoded information in a network;
Display SDS type 4 (short messages);
Record audio from the channels (menu added, but does not work);
We also note that as discussed in a previous post there is a companion program for this plugin called TETRA Trunk Tracker.
Over on YouTube user hubmartin has uploaded a video showing how to use an RTL-SDR and the Universal Radio Hacker (URH) software to reverse engineer and clone a 433 MHz remote control. URH is used to extract the signal timing and modulation characteristics as well as the binary/hex code.
Then in order to clone the signal hubmartin uses a cheap IoT microcontroller with button and 433 MHz transmitter attachments. Some C code is then used to program the microcontroller and 433 MHz transmitter with the extracted signal information and to transmit on a press of the button. In his example hubmartin uses his cloned dongle to control a wireless power plug and a motorized projector screen.
Universal Radio Hacker SDR Tutorial on 433 MHz radio plugs
Thank you to M Khanfar for submitting news about his custom Linux kernel which allows an RTL-SDR and GQRX to run smoothly and with sound on an Intel Compute Stick. The Intel Compute Stick is a full dongle based computer the size of a pack of gum with pricing that starts from US$120. It has a Quad Core Atom Processor, 2GB RAM, 32 GB of built in storage and an HDMI out port. By default the stick comes with Windows 10 installed, but M Khanfar notes that it is very sluggish.
Instead of the sluggish Windows 10 OS, M Khanfar decided that he wanted to run Ubuntu Linux instead. However he found that the standard Ubuntu image did not have support for audio over HDMI or WiFi on the Compute stick. So he built his own custom kernel with some patches to fix this issue. With the issue fixed, GQRX with an RTL-SDR now runs smoothly with full audio support, and rtl_tcp can also be run over WiFi.
Thank you to 'KeyLo99' for submitting news of the release of his new RTL-SDR based program called rtl_map. rtl_map is currently a simple app that uses an RTL-SDR to display an FFT frequency graph. It is based on the gnuplot and fftw3 libraries.
Over on our forums KeyLo99 describes the motivation behind the project as mostly being a good reference program for people wanting to learn how to read and process IQ data from the RTL-SDR:
I'm an RTL-SDR researcher and DSP learner currently working on a project for properly figuring RTL2832 and I/Q fundamentals out. The project is about reading raw I/Q samples, processing samples and creating an FFT graph from them. I tried to explain what I'm doing in detail with comment lines. I'm hoping that I will be helpful to RTL-SDR beginners with this rtl_map [C] project. Another purpose of the rtl_map project is making a frequency scanner application for signal security research.
Over on YouTube user TheGazLab has uploaded a video that reviews the Airspy HF+, and also shows how to use the HF+ with SDR# and WSJT-X in order to create an FT8 monitor. The Airspy HF+ is a high dynamic range HF/VHF receiver designed for DXing.
In the video TheGazLab demonstrates to us the decoding in real time, and explains the CAT control SDR# plugin that he's using. The CAT control plugin when combined with a virtual serial port driver allows the WSJT-X program to automatically tune SDR# to the FT8 frequency selected in WSJT-X.
Later in the video he also discusses the SpyServer network which allows SDR# users to connect to remote public Airspy and RTL-SDR units over the internet. He demonstrates connecting to a public server in the UK, and decoding FT8 via the remote server. The video also shows the new SpyServer interface by @zakhttp which nicely lays out the world SpyServer network on a map, making it easy to choose a desired location to listen to.
Airspy HFPlus, SDR# and WSJT-X with full CAT control decoding FT-8
Last year in December we posted about Matt's element14 sponsored video which showed us how to create a portable briefcase-contained NOAA satellite receiver based on a Raspberry Pi and RTL-SDR dongle. The build consisted of a heavy duty briefcase, modified ATX PSU and stripped down LCD monitor panel. This build resulted in a rugged and portable receiver. The full series of videos demonstrating the briefcase, ATX PSU conversion, LCD teardown, and NOAA satellite receiver demo can be found on his YouTube Playlist.
In his latest video Matt goes over the software installation procedure for creating an automated NOAA weather satellite receiver on the Raspberry Pi. He uses gpredict for predicting the satellite passes, and the Raspberry Pi version of WXtoImg for decoding the images. The rest of the video shows how to set up the software for your particular location, and how to set up decoding automation.
How To Set Up a Raspberry Pi as a NOAA Satellite Receiver with RTL-SDR
Osmo-FL2K can be considered as the [evil] transmit-side brother of RTL-SDRs. It is a driver that allows cheap $5 - $15 USB 3.0 VGA adapters to be used as a transmit-only capable SDR. It might be considered [evil] as transmitting illegally and without filtering can pollute the RF spectrum, but being responsible with it and using appropriate filters could enable extremely low cost transmitters.
Recently at the October 2018 Osmocom Conference, Steve M, the man behind the Osmo-FL2K discovery and software (and heavily responsible for the development of RTL-SDR too) has given a talk titled "osmo-fl2k - the [evil] transmit-side brother of RTL-SDR". In the past he's also given a similar talk that we posted about previously.
The talk goes over the discovery and reverse engineering of Osmo-FL2k, discussion of the application itself, some signals that have been successfully transmitted and some measurements.
Osmocom is behind the discoveries of RTL-SDR and OsmoFL2K. If you'd like to support them please donate at OpenCollective, and check out their other projects at osmocom.org.
osmo-fl2k - the [evil] transmit-side brother of RTL-SDR
As John notes, running SDR software from within a virtual machine essentially freezes a working version of your setup in a virtual image. It's then possible to put the image on a memory stick and take your entire working software setup with you and run it on another PC. Using a fixed image then also avoids problems with OS updates breaking things, as updates can be safely turned off on the virtual machine. Any damage from viruses is localized to the virtual machine only.
During his research John found many people who have been running Linux from within a virtual machine running on Windows, but not the reverse. Originally he tried running a Windows VM from within Windows, but he experienced crashes. Only when using Linux as the base OS was his Windows VM stable.
In his setup he runs Fedora 26 as the base Linux OS (although other Linux versions should also work), and Windows 7 in the Virtual Machine. He uses Oracle VirtualBox as the virtualization software. Once Windows 7 is installed on the Virtual Machine, setting up software like SDR# is as simple as going through our quickstart guide.
Over on the SignalsEverywhere YouTube channel, Corrosive has uploaded two new videos about the PlutoSDR. The PlutoSDR is a low cost (typically $99 - $149) RX/TX capable SDR with up to 56 MHz of bandwidth and 70 MHz to 6 GHz frequency range. It also has an onboard FPGA and ARM Cortex-A9 CPU.
By default the bandwidth and frequency range of the PlutoSDR is limited to only 20 MHz and 325 MHz - 3.8 GHz. A minor hack which requires some commands to be input via a terminal screen is required to unlock its full potential, and in the first video Corrosive runs through how this hack can be applied. He also shows an additional hack which unlocks a second CPU core which can be useful for increasing the available CPU power for apps running on the PlutoSDR's ARM processor.
In the second video Corrosive shows how to install the PlutoSDR SDR# plugin, which allows the PlutoSDR to run in SDR#. He then shows how to actually use the plugin to connect to the PlutoSDR.
Adalm Pluto SDR Tutorial: 70Mhz to 6Ghz and Dual Core CPU Modification
Adalm Pluto SDR Sharp Plugin Tutorial ~ [Infamous SDR# on Your Pluto]