Recently nullwolf (T.J. Acton) wrote in to let us know about a very useful wrapper for Inspectrum that he has created, called DSpectrum. Inspectrum is a Linux/Mac based tool that makes it very easy to extract a binary string from a digital transmission which can be recorded with any SDR like an RTL-SDR. DSpectrum builds on Inspectrum and further automates the reverse engineering process. He writes:
The wrapper [DSpectrum] assesses the amplitude measurements, or frequency shifts, that are reported by Inspectrum. The wrapper uses the average of the provided values as a threshold. When a cell’s value falls below the threshold, the wrapper determines that the value is a binary ‘0’, and when it is above the threshold, it records the value as a ‘1’. It then returns this raw binary data as output, in addition to the binary’s hex and ascii translations.
…
Another two features were included: the semi-automatic comparison of two portions of a transmission in the same file, and the semi-automatic comparison of two signals in separate files.
Nullwolf notes that with DSpectrum the time taken for him to reverse engineer signals has dropped from 1 hour down to 5 minutes in some cases.
Earlier in the month we posted about the “Unallocated Space” free four week class on signal analysis taking place in the Baltimore-DC area. The course has now started and they are live streaming the lectures and saving them on YouTube. The first two classes have already passed, and two videos are uploaded.
The first class went over installing the RTL-SDR as well as showing a few examples of decoding some signals. The second class covers various modulation types and digital encoding schemes. They show how to learn how to identify various digital signals by listening to them and viewing them on the waterfall. The class slides are also available on links placed in the video description.
The third and fourth classes have not yet streamed. The third class will be live streamed on October 4, 7PM local time. Visit their YouTube channel for the videos.
TETRA is a type of digital voice and trunked radio communications system that stands for “Terrestrial Trunked Radio”. It is used heavily in many parts of the world, except for the USA. Telive is a decoder for TETRA which is compatible with RTL-SDR dongles, and has been around and in use for almost 2 years now. If you have unencrypted TETRA signals available in your area it can be used to listen in on them.
However, now a TETRA experimenter by the handle of “cURLy bOi” has released a new prototype of a telive modification that works on Windows systems. It makes use of the GNU Radio for Windows development. The telive Windows file can be downloaded from curly’s webserver. His reademe file shows how to install and use the software and it reads:
This has been put together as lowest-effort configuration to run telive on Windows system. I have also optimized to process (for example adding the CQPSK block to GRC since the python code in the original telive package is IN FACT some unused part of GNU Radio)
Warning: ——— This package contains pre-compiled binaries that work on my 64-bit system. I have compiled them inside the M-SYS2 package. If you don’t trust me, you can follow the installation guide from telive docs, just be prepared you are going to need a lot of packages for the M-SYS2 (pacman -S gcc automake git wget, etc.)
Install: ——— 1) Download GNU Radio for Windows from http://www.gcndevelopment.com/gnuradio/downloads.htm and install 2) Copy contents of gnuradio_mod to c:\Program Files\GNURadio-3.7\ 3) Download and install M-SYS2 from https://sourceforge.net/projects/msys2/ and install 4) Copy contents of msys_root to your M-SYS2 installation directory 5) Download FFmpeg for Windows (64-bit Shared) from https://ffmpeg.zeranoe.com/builds/ and extract everything from bin to usr\bin in your M-SYS2 installation directory 6) In M-SYS2 shell execute “pacman -S socat” 7) Get GNU Radio Companion (GRC) projects from original telive package at https://github.com/sq5bpf/telive/tree/master/gnuradio-companion (only udp or xmlrpc, pipes won’t work) 8) Open whatever GRC project you want to use and edit it: – Delete the link between (all) Fractional Resampler and UDP Sink – From the modules on the right (ctrl-f to search) drag CQPSK Demod to project (If you don’t see CQPSK Demod then you have messed up #2) – Connect Fractional Resampler -> CQPSK Demod -> UDP Sink – Change UDP Sink Input Type to Float in its properties – Save
Use: —— 1) Open GRC project of your choice (already with the CQPSK Demod box) 2) Use the Project/Execute to run the project from the GRC – OR - If you had headless (without GUI) project, use Project/Generate option to generate top_block.py file in the GRC project directory. Then open GNURadio Command Prompt from Start menu, the use this command c:\Program Files\GNURadio-3.7\gr-python27\python.exe -u c:\path\to\grc\project\top_block.py This will enhance performance. 3) Open new M-SYS2 shell for every channel in that project and execute command “receiver1udp X” where X is the number of each channel in GRC project 4) Open new M-SYS2 shell, resize it to 203×60 and execute: – cd /tetra/bin – ./rxx OR ./rxx_xmlrpc (if you are using XMLRPC GRC project) You can edit these files to match your preferences 5) That’s it, should work.
Note that we have not tested this out ourselves yet and can’t guarantee the file safety or that it works, but we have no reason to believe that it wouldn’t be safe or not work.
Oona Räisänen is a RF hacker and enthusiast who has in the past brought us posts about decoding burger pagers in restaurants, decoding wireless bus signs and FM-RDS with SDR’s like the RTL-SDR. This time she has written an interesting post that shows how she can “fingerprint” radio transmitters by analysing their CTCSS transmissions. CTCSS is short for “Continuous Tone-Coded Squelch System” and is a low frequency tone added on to some transmissions used in handheld radio systems shared by several distinct groups. The CTCSS tone prevents users of a shared system from having to listen to other users talking if they are not part of the same group with the same CTCSS tone frequency. CTCSS provides no means for actually individually identifying a radio.
Frequency vs power heatmap identifying 8 different radios.
With the individual radios identifiable by their cluster centers, each cluster can be assigned a name. Now each subsequent transmission can be compared to each cluster center, and assigned to the closest matching cluster, thus matching a new unknown transmission with a known radio. This makes it easier for someone listening in with no context to follow a conversation.
A typical broadcast FM station can sometimes contain “hidden” subcarriers embedded within the main signal. The subcarriers contain data or audio services.
An example of a data subcarrier hidden within broadcast FM is the “Traffic Message Channel” (TMC). The TMC contains traffic data, and is used on GPS devices that advertise as having live traffic capabilities. TMC data is encrypted so that it can be sold, but is very easily broken. Another data service is RDS-RT+ data which transmits song information, for radios that can display it.
An example of a voice subcarrier (SCA/ACS) might be niche radio stations, such as ethnic stations, elevator music, music for doctors offices etc. Usually a specialized radio is required to receive a SCA channel. In a previous post we showed how a user was able to receive SCA on Windows.
Over on his blog Gough Lui has been investigating the broadcast FM subcarriers in his home town of Sydney, Australia. In his post he looks at TMC, RDS-RT+ and SCA subcarriers and explains a bit about what they are and how they work. He also goes on to receive and decode the subcarriers with an RTL-SDR, gr-rds and GNU Radio. While Gough doesn’t bother to decrypt the TMC service, he can still see when an event occurs and what the even was. Without decryption he just doesn’t know where the location on the event is. For SCA he wrote a GNU Radio program to extract the audio subcarrier and was able to decode audio from a local Indian station for migrants.
Earlier this month we posted about “cURLy bOi”’s release of his Windows port of telive. Telive is a popular TETRA decoder created by SQ5BPF which until recently only ran on Linux systems. TETRA is a digital voice radio system used in many countries other than the USA.
Now cURLy bOi has just updated his software adding new Windows GUI features and simplifying the install process. The software and text install instructions can be downloaded from his web server, and the code can be found on GitHub.
In order to show the new features and how to use the software cURLy bOi has also created a tutorial video up on YouTube, which is shown below.
First he explains how he used Python to extract the data from the RTL-SDR I/Q samples. From those samples he calculates the amplitude data, and plots it on a graph which shows the digital signal. He then decimates the signal to reduce the number of samples and figures out how to detect the preamble, data bits and packet repetitions. Then to decode the signal he explains how he does clock recovery, convolution and thresholding, and also the importance and meaning of those steps.
If you’re new to reverse engineering signals and don’t have a DSP background, then spenmcgee’s write up is an excellent starting point. It’s written in a way that even a layman should be able to understand with a little effort. If you have a Lacross TX29 wireless temperature meter that you just want to decode, then his code will also be of use.
Back in September 2015 we made a post about how Bastian Bloessl was able to use his RTL-SDR dongle to reverse engineer and decode the signals coming from portable wirelessly synchronized traffic lights which are commonly set up around road construction zones.
To reverse engineer these new lights he made a recording of the signals in GQRX and then opened them up in Inspectrum, which is a very nice tool for helping to reverse engineer digital signals. Thanks to Inspectrum he was easily able to extract the preamble and decode the data in GNU Radio.
Bastian has also uploaded a video that shows him reverse engineering the binary frame format in the Vim text editor which may be useful for those wishing to understand how it’s done.
Once the frame format was reverse engineered, he was able to use the program he created last year which allows him to view the status of the lights remotely in real time.
The software can automatically detect and recognize the wireless protocol being received. It can then be used to catalog what protocols are operating in a network, what frequency they are on and how active they are. That information can then be used for frequency and spectrum planning for new network setups. It can also be used for error diagnosis, intrusion detection and detection of interference.
Numerous applications like smart metering, home automation, building automation, demand side management, ambient assisted living and industrial automation require reliable and cost effective technologies for wireless data transmission. For this purpose the license-free European 868 MHz Short Range Device (SRD) frequency band is prevalently used. Many different and incompatible communication standards and RF-protocols simultaneously occupy this part of the frequency spectrum. Possible negative effects could be interferences, over-occupancy, data collisions and as a result data loss. Special attention must be paid whenever wireless sensor networks are planned or operated. Therefore, network specialists need powerful and flexible tools that provide insights into the wireless data traffic for network planning, operation, fault detection and error diagnosis. The Traffic Detective is such a tool which is easy to use and does not need any knowledge of the different network protocols.
The 868 MHz Traffic Detective is a software-based solution with a user-friendly graphical user interface for monitoring wireless data traffic. A cost-effective and commercially available DVBT USB stick based on a Realtek RTL2832U receiver chip can be used as an analog frontend. In addition to a PC-based implementation, the monitoring software is also available as an app for Android-based mobile devices.
The researchers behind the software have also released an academic paper describing the technology used in the system.
Unfortunately it seems that the app is not actually available for public download yet as we could not see any download links, or find it on Google Play. If you are interested in the app your best bet may be to contact the researchers by email directly.
BY70-1 is a Chinese amateur Cubesat satellite which was recently launched on December 29, 2016. It is expected to stay in orbit for only 1 – 2 months due to a partial failure with the satellite releasing into an incorrect orbit. The purpose of the satellite is for education in schools and for amateur radio use. The receivable signals include an FM repeater and BPSK telemetry beacon both of which can be received at 436.2 MHz. The telemetry beacon is interesting because it also transmits images from an on board visible light camera. These signals can easily be received with an RTL-SDR or other SDR with an appropriate antenna.
Over on his blog Daneil Estevez has been posting about decoding these telemetry images. He’s been using telemetry data collected by other listeners, and the gr-satellites GNU Radio decoder which is capable of decoding the telemetry beacons on many amateur radio satellites. So far the decoded images haven’t been great, they’re just mostly black with nothing really discernible. Hopefully future decodes will show better images.
If you want to track the satellite and attempt a decode, the Satellite AR Android app has the satellite in its database.
Not many people seem to have gotten telemetry decodes or images yet, but below we show an image decoded by @bg2bhc on Twitter.
Recently we heard about the PandwaRF Portable Analyzer (previously known as the GollumRF). This is not an SDR, but can probably be described as a programmable and computer controlled radio. It appears to be based on the Yardstick One design which is made by Scott Ossmann, the creator of the HackRF. Both the Yardstick One and PandwaRF are based on the CC1111 sub-1 GHz RF transceiver chip. These types of pseudo-sdr’s can be very useful for reverse engineerin, analyzing and experimenting with simple digital signals.
For example it could be used to capture data from any ASK/OOK/MSK/2-FSK/GFSK modulation in the 300 – 928 MHz band. You can then easily analyze the data, and the restransmit the same or a modified signal. The same could be done with a TX capable SDR like the HackRF, but doing so tends to require a lot more work.
The difference between the Yardstick One and PandwaRF appears to be mainly in the connection interface. The PandwaRF is essentially the Yardstick One with a Bluetooth LE connectivity and an Android/iOS smartphone app. USB connectivity for Linux still exists. It also has an internal battery whereas the Yardstick One does not. They wrote a post comparing the RTL-SDR, Yardstick One and PandwaRF here.
The device seems to be new, as it just starting shipping in November and the first batch is still being sold. It costs 145 euros and appears to originate from the EU. There is also a ‘mini’ version in pre-order which also costs 145 euros. In comparison the Yardstick One costs about $99 – $145 USD depending on the shop you choose.
WaveConverter is a tool that helps you extract digital data from RF transmissions that have been captured via Software Defined Radio (SDR). After the user defines the modulation parameters, framing and encoding, WaveConverter will process a stored I-Q file and extract the data from any transmissions that match this definition. Using programmable timing tolerances and glitch filters, WaveConverter is able to extract data from signals that would otherwise appear corrupted.
This software will make the process of reverse engineering signals easier and more error-proof. Because WaveConverter includes the ability to store and retrieve signal protocols (modulation + encoding parameters), we have been generating a database of protocols that we can quickly use to iteratively attack unknown signals.
This tool should be very useful for reverse engineering digital signals, such as those found in keyfobs, wireless doorbells, wireless temperature sensors and any other simple RF device. Simply use an SDR device like an RTL-SDR to capture a sample of the signal of interest and then open it up in WaveConverter to first easily analyze the signal and determine it’s properties, then to automatically demodulate any subsequent signal into a binary string. For more information the documentation can be found here (pdf).
WaveConverter seems to be quite similar in purpose to Inspectrum and DSpectrum which are two Linux tools that are also designed for reverse engineering digital signals.
Over on his blog Andy writes how he wanted a smart way to control his central heating system with a Raspberry Pi and Arduino microcontroller. He discovered that if he could reverse engineer his existing wireless thermostat then he would have an easy way to control the boiler in his house and with that a smart controller could be made. By reverse engineering the thermostat he also avoids the need to rig up his own control system.
The existing thermostat wireless receiver is a Danfoss RX2. In order to reverse engineer the protocol Andy opened up an older that one he had and saw that it used an Infineon TDA5210 RF receiver chip. Armed with this part number he was able to look up the datasheet and determine the operating frequency. Then by using an RTL-SDR he captured some packets while pressing buttons on the thermostat transmitter and piped the audio file into audacity, where he was able to clearly see the digital waveform.
Andy then wrote a Python program using the ‘wave’ library, which allowed him to easily read binary values for a .wav file. With his code he was able to extract the data from the signal and determine the preamble, sync word, thermostat ID and the instruction code (on/off/learn).
In a future post Andy hopes to show us how he’ll use an RF69 module with an Arduino to actually control the thermostat using the reverse engineered packet knowledge.
Danfoss Wireless Thermostat and a Received Binary Waveform in Audacity
Watson has uploaded the code to GitHub under the name monster-drift. The code is based on Node.js which is an event-driven JavaScript programming environment. The software allows you use a HackRF to control any radio controlled car that uses a simple On-Off Keying (OOK) protocol and which operates at a frequency of 27 MHz. Most cheap RC cars do use this frequency and protocol, but high-end models may use something a little more sophisticated. Some information about the protocol implementation is given here. We look forward to hopefully seeing interesting projects like remotely controlled autonomous RC cars in the future.
Keith Maton (G6NHU) wrote in and wanted to share his new ready to go APRS RX iGate image for the Raspberry Pi. APRS stands for “Amateur Packet Reporting System”, and is a type of packet radio communications system used by Amateur Radio operators. They often use them to transmit short mail messages, weather sensor updates, track vehicles and for various other purposes. An iGate allows APRS messages to be transmitted over the all world via the internet via a signal chain such as: RF->iGate RX->Internet->iGate TX->RF. To run an iGate you should be a radio amateur with a callsign. A global aggregation of APRS broadcasts received by iGates can be seen at aprs.fi.
An RTL-SDR can be used to receive APRS packets easily and many amateur radio enthusiasts have been setting up APRS RX only iGates using the “direwolf” decoding software. Keith’s image simplifies the process of installing and configuring software significantly by proving a plug and play image that you just burn to an SDcard and plug into your Raspberry Pi. His post also explains how to configure the iGate correctly.
OpenHAB is an open source home automation software program which is designed to interface and manage all the various sensors and systems in an automated house. One problem however, is that many wireless sensors and actuators utilize a proprietary communications protocol that is not supported by OpenHAB.
In his home, Dan Englender had several Honeywell 5800 series 345 MHz wireless security door sensors, all of which interface using a proprietary protocol that is not yet implemented in OpenHAB. In order to get around this, Dan decided to reverse engineer the protocol and implement a decoder into OpenHAB himself.
Dan’s four part write up covers the RF capture & demodulation, protocol reverse engineering and implementation into OpenHAB. First he looked up the frequency and bandwidth of the signal via the FCC filing information on fcc.io. Then he captured some packets from a door sensor using his RTL-SDR and GNU Radio, and then wrote a short Python program to decode the protocol and transmit the door open/closed information to OpenHAB. In the future he hopes to optimize the decoder so that it can comfortably run on a Raspberry Pi as the GNU Radio script uses quite a bit of computing power.
The final project is called decode345 and the code is available over on his GitHub.
Honeywell 345 MHz Door SensorCustom Door Sensor Status in OpenHAB
[Also seen on Hackaday]
The audio codec specifications are not public and is thus not implemented here, so this code has very little use outside of being a good learning tool. But Phil does write that if anyone if able to figure out how to decode the codec, then this code may be a good starting point.
Phil writes:
I wrote this because I wanted to learn about digital broadcasts. Despite the fact that the audio codec used is iBiquity’s proprietary HDC codec, I decided that writing a receiver that could decode the air interface would be a great learning experience.
iBiquity’s HDC codec is supposedly based upon some of the same technologies as HE-AAC codec so it may be possible for some audio codec gurus, given access to the raw HDC audio packets, to write a decoder for the codec.
The receiver is somewhat limited. It only decodes FM MP1 profile transmissions (which happens to includes every IBOC FM transmitter in my area). It is also somewhat limited in the Layer2 packet demultiplexing. It likely needs a strong signal in order to decode signals reasonably well. However it is just enough to get access to the main program stream.
The VHF Data Link mode 2 (VDL2) is a relatively new wireless transmission mode used on aircraft for sending short messages, position data (similar to ADS-B) and also for allowing traffic controllers to communicate to pilots via text and data. VDL2 is an evolution of ACARS and is eventually supposed to replace it entirely. The advantage over ACARS is that VDL2 can transmit data 10 times faster, and supports a much wider range of services. The main default channel is at 136.975 MHz, but channels could exist on other air band frequencies too.
Over on GitHub Tomasz Lemiech (szpajder – also the author of RTL-Airband) has uploaded a new VDL2 decoder called dumpvdl2. This is a lightweight command line Linux based VDL2 decoder and protocol analyzer. The features include:
Runs under Linux (tested on: x86, x86-64, Raspberry Pi)
Supports following SDR hardware:
RTLSDR (via rtl-sdr library)
Mirics SDR (via libmirisdr-4)
reads prerecorded IQ data from file
Decodes up to 8 VDL2 channels simultaneously
Outputs messages to standard output or to a file (with optional daily or hourly file rotation)
Outputs ACARS messages to PlanePlotter over UDP/IP socket
Supports message filtering by type or direction (uplink, downlink)
Outputs decoding statistics using Etsy StatsD protocol
In a previous post we showed how VDL2 could be decoded with MultiPSK on Windows. But the advantage of dumpvdl2 is that it allows you to set up a lightweight monitoring station on something like a Raspberry Pi. dumpvdl2 can also be interfaced with PlanePlotter, and statistics can be graphed with another program such as Grafana.
Over on GitHub programmer ‘znuh’ has uploaded a new RTL-SDR compatible GNURadio based tool for DECT decoding. DECT is an acronym for ‘Digital Enhanced Cordless Telecommunications’, and is the wireless standard used by modern digital cordless phones. In most countries DECT communications take place at 1880 – 1900 MHz, and in the USA at 1920 – 1930 MHz. So in order to receive these frequencies you’ll need an RTL-SDR with an E4000 chip, or some other compatible SDR that can tune this high.
It appears that the decoder is not actually able to decode audio (at least not yet or without extra work perhaps), but it can at least output the DECT packets to Wireshark for analysis. This may be of interest to those wanting to learn more about the DECT protocol.
Update: Over on the Reddit thread for this software the original poster ‘sanjuro’ has given a hint on how to (in theory) decode the audio, he writes:
Over on YouTube use radiosification has uploaded a video showing the Windows TETRA decoder ‘wintelive’ in action. Wintelive is a Windows port of the popular RTL-SDR compatible Linux based ‘telive’ TETRA decoder. Back in October 2016 we posted about its release and we have a tutorial for telive and the RTL-SDR available here.
