Software-defined radio (SDR) has been a hot topic for many years. An SDR is a radio communication system in which components that have typically been implemented in hardware (e.g. mixers, filters, amplifiers, modulators/demodulators, detectors, etc.) are instead implemented in software on a personal computer or embedded system.
There have been many free software implementations of SDR (for example GNU Radio), but using them has required special hardware that was quite expensive. Now there are also inexpensive hardware options for receiving: rtl-sdr is a creative way of using consumer-grade DVB-T USB receivers, turning them into fully-fledged software defined radios. At a street price of about 20 Euros/USD they are undoubtedly the most capable low-cost SDR hardware that can be bought.
The article RTL-SDR: Inexpensive Software Defined Radio gives an introduction to building a software radio this way. Here is a good picture from that article that gives an overview of the hardware.
Those DVB-T receivers supported by rtl-sdr are based on the Realtek RTL2832U chipset plus a tuner IC like the Elonics E4000 (can tune from 54-2200 MHz with a gap at 1100-1250 MHz). The RTL2832U is a high-performance DVB-T COFDM demodulator that supports a USB 2.0 interface. It has some undocumented commands/registers, by which it can be placed into a mode where it simply forwards the unprocessed raw baseband samples (up to 2.8 MS/s 8-bit I+Q) via high-speed USB into the PC so they can be routed to a suitable receiving program.
Of course you need suitable software to decode those samples. A suitable Windows program for this is the very nice, fast and open source SDR#, which natively supports RTLSDR hardware. Another option is to connect to the SDR hardware through a TCP connection: the Osmocom RTLSDR utilities include the program rtl_tcp. This allows you to run the dongle on one PC (be it Windows or Linux) or an embedded ARM/MIPS board and pump the ADC data over a TCP connection to another computer running a compatible client such as SDR#.
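What a client on the receiving end of rtl_tcp has to do with those raw 8-bit I+Q samples, as an added example that is not code from this post or from the Osmocom project. It assumes rtl_tcp's wire format (a 12-byte "RTL0" greeting, then interleaved unsigned I/Q bytes, with 5-byte commands going the other way); the function names and the constructed capture are illustrative.

```python
import cmath
import math
import struct

# Assumed rtl_tcp wire format: one 12-byte greeting, then interleaved 8-bit I/Q.
HEADER = struct.Struct(">4sII")   # magic "RTL0", tuner type, number of gain steps
COMMAND = struct.Struct(">BI")    # client -> server: opcode + big-endian parameter
CMD_SET_FREQ, CMD_SET_SAMPLE_RATE = 0x01, 0x02
TUNERS = {1: "E4000", 2: "FC0012", 3: "FC0013", 4: "FC2580", 5: "R820T", 6: "R828D"}


def parse_header(data):
    """Split a received buffer into (tuner name, gain steps, sample payload)."""
    if len(data) < HEADER.size:
        raise ValueError("short rtl_tcp greeting")
    magic, tuner, gains = HEADER.unpack_from(data)
    if magic != b"RTL0":
        raise ValueError("not an rtl_tcp stream: %r" % magic)
    return TUNERS.get(tuner, "unknown(%d)" % tuner), gains, data[HEADER.size:]


def encode_command(opcode, value):
    """Build the 5-byte command a client sends, e.g. to retune the dongle."""
    return COMMAND.pack(opcode, value)


def iq_from_u8(payload):
    """Unsigned bytes I0,Q0,I1,Q1,... -> complex samples centred on zero."""
    usable = len(payload) - len(payload) % 2   # a trailing I without its Q is dropped
    return [complex((payload[i] - 127.5) / 127.5, (payload[i + 1] - 127.5) / 127.5)
            for i in range(0, usable, 2)]


def spectrum_db(samples):
    """Direct DFT; bins run from -fs/2 up to just below +fs/2, in dB re full scale."""
    n = len(samples)
    bins = []
    for k in range(-(n // 2), n - n // 2):
        acc = sum(s * cmath.exp(-2j * math.pi * k * i / n) for i, s in enumerate(samples))
        bins.append(10 * math.log10(max(abs(acc / n) ** 2, 1e-12)))
    return bins


def peak_offset_hz(samples, sample_rate):
    """Offset of the strongest bin from the tuned centre frequency."""
    bins = spectrum_db(samples)
    k = bins.index(max(bins)) - len(samples) // 2
    return k * sample_rate / len(samples)


def constructed_capture(n=256, sample_rate=2_048_000, tone_hz=256_000):
    """Constructed test data: greeting for an E4000 plus one tone above centre."""
    body = bytearray()
    for i in range(n):
        phase = 2 * math.pi * tone_hz * i / sample_rate
        body.append(round(127.5 + 100 * math.cos(phase)))
        body.append(round(127.5 + 100 * math.sin(phase)))
    return HEADER.pack(b"RTL0", 1, 14) + bytes(body)


if __name__ == "__main__":
    tuner, gains, payload = parse_header(constructed_capture())
    samples = iq_from_u8(payload)
    print(tuner, gains, len(samples), peak_offset_hz(samples, 2_048_000))
    print(encode_command(CMD_SET_FREQ, 100_000_000).hex())
```

rtl_tcp puts no authentication or encryption on this socket, so any client that can reach the port can read the samples and send these commands; keep it on a trusted network or tunnel it.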
To test software defined radio I got, quite many months ago, suitable rtl2832u-sdr hardware: Ezcap EZTV645 DVB-T Digital TV USB 2.0 Dongle with FM/DAB/Remote Controller. Here is a picture of the dongle and the antenna that comes with it.
Here is what the USB dongle looks like inside. As you can see there are not too many components in it.
Here is a close-up of the tuner and receiving chips.
To make the software work with the hardware, the original USB drivers for the dongle need to be replaced with Zadig WinUSB drivers. WinUSB is a generic USB driver aimed at simple devices that are accessed by only one application at a time directly through a simple software library.
I had some problems installing the Zadig drivers on my systems. That slowed down starting to use the hardware quite a bit. The official driver instructions say to select “Bulk-In, Interface (Interface 0)” from the drop down list, but on my system the device I had showed up as REALTEK 2832U (0). Zadig also needed to be “run as administrator” to work (quite slow and needed reboot).
Replacing the original driver with Zadig (zadig_v.2.0.1.161.exe) made it work with SDR# (an old Nightly build of SDR# with built-in REALTEK 2832U drivers). Here is a screenshot of the software in use listening to FM radio (SDR# v1.0.0.357 Nightly with RTL-SDR/RTL2832U).
SDR# seemed to work well in listening to FM stations. I could also easily use it to listen to the transmissions from different 433 MHz RF remote controllers as well. The software can decode AM, NFM, LSB, USB, WFM, DSB, CW-L and CW-U signals.
The spectrum and waterfall displays give a good overview of the received signal. The spectrum display shows a frequency band of around 2 MHz (±1 MHz from the center frequency).
As you can see on the spectrum, the dynamic range between the noise floor and the strongest signals is quite limited (due to the 7- or 8-bit resolution of the samples), which means you can listen to strong signals but weaker stations can easily be lost under the sample noise. Because the E4000 is a Direct Conversion Receiver, it has an Image Rejection problem. By switching on Correct IQ in SDR# a more or less acceptable 50 dB is reached. The E4000 shows many signals actually not present at its input (“birdies”).
I got, pretty cheaply, a pretty nice radio receiver that can receive very many radio signals and do spectrum analysis of radio signals.
243 Comments
Tomi Engdahl says:
Hackaday seems to have today a related posting:
Cracking GSM with RTL-SDR for Thirty Dollars
http://hackaday.com/2013/10/22/cracking-gsm-with-rtl-sdr-for-thirty-dollars/
Theoretically, GSM has been broken since 2003, but the limitations of hardware at the time meant cell phone calls and texts were secure from the prying ears of digital eavesdroppers and all but the most secret government agencies. Since then, the costs of hardware have gone down, two terabytes of rainbow tables have been published, and all the techniques and knowledge required to listen in on cell phone calls have been available. The only thing missing was the hardware. Now, with a super low-cost USB TV tuner come software defined radio, [domi] has put together a tutorial for cracking GSM with thirty dollars in hardware.
Previous endeavours to listen in and decrypt GSM signals used fairly expensive software defined radios – USRP systems that cost a few thousand dollars a piece. Since the advent of RTL-SDR, the price of software defined radios has come down to about $30 on eBay, giving anyone with a Paypal account the ability to listen in on GSM calls and sniff text messages.
Tomi Engdahl says:
Eavesdropping on and decrypting of GSM communication using readily available low-cost hardware and free open-source software in practice
https://www.os3.nl/_media/2011-2012/students/jeffrey_bosma/ot_report.pdf
Abstract
This paper evaluates the current practical possibilities of eavesdropping on Global System for Mobile Communications (GSM) networks using hardware in the range of low-cost (tens of euros) to relatively cheap (1500 euros), in combination with available free open-source software initiatives. These have been the subject of several live demonstrations over the past few years. By using regular phones loaded with OsmocomBB (an open-source baseband firmware), a Universal Software Radio Peripheral (USRP) with mandatory daughterboards, Airprobe (for air-interface analysis) and other tools available we attempt to reproduce the results shown in these demonstrations. While we conclude that this is certainly possible with the correct software, not all needed software components are publicly available.
Tomi Engdahl says:
Open-Source Radio Links Mexican Village
http://www.eetimes.com/author.asp?section_id=36&doc_id=1320012&
September 27 brought a small but significant milestone for the rural network access needed to connect a significant proportion of the 2 billion people without affordable mobile coverage. The people of Santa Maria Yaviche made the first calls from their tiny, remote village deep in Mexico’s northern Oaxaca mountains, a five-hour drive from Oaxaca City.
The milestone followed advances in open-source RF technologies and considerable work by the Rhizomatica project. For the past two years, Rhizomatica has been working with Mexican communities and the Mexican government to obtain concessions (ordinarily costing operators several hundred million dollars) so approximately 5,000 small, indigenous communities could build their own local mobile networks in the Oaxaca, Veracruz, Puebla, Guerrero, and Tlaxcala states of Mexico. The project cost just a few thousand dollars thanks to open-source technologies and low-cost construction materials.
A base station with a built-in PBX ensures no external infrastructure is needed to connect calls.
The network in Yaviche runs with the UmDESK open-source base station, which is built on top of the open-source hardware platform UmTRX. It allows up to 14 concurrent voice connections. When this capacity is exhausted, the system switches settings to nearly double its capacity, making a tradeoff in voice quality.
A flexible RF platform is essential for the service to run effectively and to negate interference from competing networks that may be built in the future. So the base station uses field-programmable RF transceivers, allowing the network to be calibrated across a wide range of frequencies from 0.3 GHz to 3.8 GHz.
Software reliability is also vital. For this, the system runs a variant of the Osmocom open-source software.
Surprisingly, in a village of just 700 people with no mobile coverage, the network immediately detected more than 100 active phones. The phones were used as calculators, alarm clocks, game machines, and more.
“We finally have a low-cost, stable solution that meets the demands of rural deployments and is in line with local budgets,” said Rhizomatica’s head, Peter Bloom.
Rhizomatica
http://rhizomatica.org/
Rhizomatica’s mission is to increase access to mobile telecommunications to the over 2 billion people without affordable coverage and the 700 million with none at all.
Tomi says:
Transmitting data with a Pi and RTL-SDR
http://hackaday.com/2013/11/09/transmitting-data-with-a-pi-and-rtl-sdr/
Sometimes the best builds aren’t anything new, but rather combining two well-developed hacks. [Marc] was familiar with RTL-SDR, the $30 USB TV tuner come software defined radio, but was surprised no one had yet combined this cheap radio dongle with the ability to transmit radio from a Raspberry Pi.
Turning the Raspi into a transmitter isn’t really that hard; it only requires a 20cm wire inserted into a GPIO pin, then toggling this pin at about 100 MHz. This resulting signal can be picked up fifty meters away, and through walls, even.
[Marc] combined this radio transmitter with minimodem, a program that generates audio modem tones at the required baud rate.
Tomi Engdahl says:
Build a Cheap Airplane ADS-B Radio Receiving Tracking Station
http://hackaday.com/2014/01/16/build-a-cheap-airplane-ads-b-radio-receiving-tracking-station/
Do you have commercial or general aviation flying over your home or near your home? Would you like to know more about these airplanes: identity, heading, speed, altitude and maybe GPS data along with even more information? Well then [Rich Osgood] has just the project for you and it’s not that expensive to set up. [Rick] demonstrates using a cheap USB dongle European TV tuner style SDR (software defined radio) tuner that you can get for under $30 to listen in on the Automatic Dependent Surveillance-Broadcast (ADS-B) 1090 MHz mode “S” or 978 MHz mode “UAT” signals being regularly transmitted from these aircraft.
Tomi Engdahl says:
Sniffing and Decoding NRF24L01+ and Bluetooth LE Packets For Under $30
http://hardware.slashdot.org/story/14/01/21/1557243/sniffing-and-decoding-nrf24l01-and-bluetooth-le-packets-for-under-30
“I was able to decode NRF24L01+ and Bluetooth Low Energy protocols using RTL-SDR.”
Tomi Engdahl says:
Sniffing and decoding NRF24L01+ and Bluetooth LE packets for under $30
http://blog.cyberexplorer.me/2014/01/sniffing-and-decoding-nrf24l01-and.html
In this long post I am going to describe my journey to sniff and decode popular digital wireless protocols off the air for very cheap. So cheap practically anyone can obtain the equipment quickly.
A lot of work has been done to decode Bluetooth using dedicated hardware and I am sure this software can be adapted to output the right format as input to the existing Bluetooth decoders such as Wireshark.
As far as I can see, this is also the first time BTLE can be decoded using a very cheap generic device.
The main software repository for this project is at https://github.com/omriiluz/NRF24-BTLE-Decoder
Recently I’ve been working on a project to create a super cheap (<$5) sensor node
I decided to use the extremely popular NRF24L01+ transceiver from Nordic Semiconductor
While working on the mesh network code, my progress slowed to nearly a halt. The code is extremely complex and depends on external conditions like signal strength, noise, etc. But worst of all? I was completely blind on what really happens once packets leave the safety of my micro controller using SPI to the transceiver.
Having experience with rtl-sdr, I immediately started thinking how can I use it to sniff packets off the air. This is impossible using any version of the rtl-sdr as the highest you can buy reaches 2.2Ghz, just shy of the 2.4Ghz we need.
I started looking for a way to convert the signal down to a frequency usable by the rtl-sdr.
The MMDS LNB can be found for a variety of frequencies and LO frequencies.
Based on the specification, it would do EXACTLY what we need – take 2.2-2.4Ghz signal and down convert it to around 400Mhz. Then we can use the rtl-sdr and some code to decode packets off the air.
As it was very cheap ($12+shipping at Aliexpress) I took the chances and ordered one.
I used SDR# with the new radio setup to see if I can find signals where I expect them to. The easiest one to find was my Logitech wireless mouse (which uses nrf of course). Tuning to 2,405Mhz (or 407Mhz after down conversion using LO of 1998Mhz) clearly shows a strong signal when I move my mouse.
Once rtl_fm works, simply pipe the output into my software to see packets decoded -
rtl_fm -f 402m -s 2000k -g 0 -p 239 | nrf24-btle-decoder -d 1
Tomi Engdahl says:
Hackaday SDR articles
http://hackaday.com/?s=SDR
Tomi Engdahl says:
Verifying A Wireless Protocol With RTLSDR
http://hackaday.com/2014/01/31/verifying-a-wireless-protocol-with-rtlsdr/
To test his code, [Texane] picked up one of those USB TV tuner dongles based around the RTL2832U chipset. This allowed him to monitor the frequencies around 433MHz for the packets his hardware should be sending.
[Texane] has a frame decoder for the NRF905 radio module available in his Git.
Tomi Engdahl says:
Using a RTLSDR dongle to validate NRF905 configuration
http://www.embeddedrelated.com/showarticle/548.php
Tomi Engdahl says:
New suit for SDR
http://roteno.com/?q=rtl-sdr-new-suit
I use it as a general purpose spectrum analyzer, ham radio receiver, scanner, & RF capture tool to record captures into Matlab.
The USB flash drive form factor didn’t work for me & I wanted something a bit more durable
Tomi Engdahl says:
From vacuum cleaner hacking to weather station reverse engineering
http://hackaday.com/2014/02/11/from-vacuum-cleaner-hacking-to-weather-station-reverse-engineering/
[Spock] wanted to do a little reverse engineering of his Miele brand remote control vacuum cleaner, so he broke out his DVB-T SDR dongle to use as a spectrum analyser. Sure enough, he found a 433.83Mhz signal that his vacuum cleaner remote control was using
From remote vacuum cleaner to my weather station
http://blog.omegastar.eu/2014/01/from-remote-vacuum-cleaner-to-my.html
Tomi Engdahl says:
Using SDR to Read Your Smart Meter
http://hackaday.com/2014/02/25/using-sdr-to-read-your-smart-meter/
[BeMasher] was dissatisfied with the cost of other solutions to read his smart meter, so he made a project to read it himself using an rtl-sdr dongle.
Using his hacking and reverse engineering skills along with a $20 RTL-SDR dongle, [BeMasher] wrote rtlamr to automatically detect and report the consumption information reported by smart meters within range. Though designed for his Itron C1SR, [BeMasher] claims that any electronic receiver transmitter (ERT) capable smart meter should work.
Tomi Engdahl says:
RTLAMR
An rtl-sdr receiver for smart meters operating in the 900MHz ISM band.
http://bemasher.github.io/rtlamr/
Smart meters continuously transmit consumption information in the 900MHz ISM band allowing utilities to simply send readers driving through neighborhoods to collect commodity consumption information. The protocol used to transmit these messages is fairly straight forward
Tomi Engdahl says:
Hacking Radio Controlled Outlets
http://hackaday.com/2014/03/10/hacking-radio-controlled-outlets/
It’s no surprise that there’s a lot of devices out of there that use simple RF communication with minimal security. To explore this, [Gordon] took a look at attacking radio controlled outlets.
He started off with a CC1111 evaluation kit, which supports the RFCat RF attack tool set. RFCat lets you interact with the CC1111 using a Python interface.
In order to work with the outlets, the signal had to be sniffed. This was done using RTL-SDR and a low-cost TV tuner dongle.
Tomi Engdahl says:
Jam Intercept and Replay Attack against Rolling Code Key Fob Entry Systems using RTL-SDR
http://spencerwhyte.blogspot.ca/2014/03/delay-attack-jam-intercept-and-replay.html
The oscillators used in these key fobs are typically low cost, meaning that they may not operate at exactly their design frequency throughout the full temperature range. For this reason, the receiver in the car, or home security system is designed to accept signals within a certain pass band. The trick of the attack is for the adversary to jam at some frequency within the receiver's passband, but not too close to the frequency of the remote.
If you jam in this manner, when the victim presses the unlock button on their key fob, nothing will happen because the receiver is being jammed by an adversary. The adversary can then use an SDR such as the RTL-SDR, to record the whole transaction.
The signal obtained is the Nth rolling code, it is still valid because the receiver has not yet received the Nth rolling code. Therefore the adversary can replay the signal at a later time and unlock the car. But how does one replay the signal on the cheap?
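The receiver-side reason the recorded code stays usable, as an added example that is not part of the quoted article: a simplified model in which a truncated HMAC stands in for the real rolling-code cipher, and the window size, frame layout and class names are assumptions. It also models a two-way challenge-response receiver, where a recorded answer fails against the next challenge.

```python
import hashlib
import hmac
import secrets

WINDOW = 16  # assumed look-ahead: unused counter values the receiver still accepts


def fob_frame(key, counter):
    """Fob side of the model: counter plus a truncated HMAC (stand-in cipher)."""
    body = counter.to_bytes(4, "big")
    return body + hmac.new(key, body, hashlib.sha256).digest()[:4]


def respond(key, nonce):
    """Fob side of the two-way variant: answer is bound to the receiver's nonce."""
    return hmac.new(key, nonce, hashlib.sha256).digest()


class RollingReceiver:
    """One-way receiver: accepts any authentic frame slightly ahead of its counter."""

    def __init__(self, key):
        self.key, self.last = key, 0

    def accept(self, frame):
        if len(frame) != 8:
            return False
        counter = int.from_bytes(frame[:4], "big")
        authentic = hmac.compare_digest(frame, fob_frame(self.key, counter))
        if not authentic or not self.last < counter <= self.last + WINDOW:
            return False
        self.last = counter          # everything up to this counter is now spent
        return True


class ChallengeReceiver:
    """Two-way alternative: the response must match a nonce the receiver just chose."""

    def __init__(self, key):
        self.key, self.nonce = key, None

    def challenge(self):
        self.nonce = secrets.token_bytes(8)
        return self.nonce

    def accept(self, response):
        nonce, self.nonce = self.nonce, None      # each challenge is single use
        if nonce is None:
            return False
        return hmac.compare_digest(response, respond(self.key, nonce))


def rolling_code_outcomes(key=b"constructed demo key"):
    """Returns (unheard frame accepted later, same frame after a newer one was heard)."""
    frame_n = fob_frame(key, 1)                   # sent, but never reached the receiver
    untouched = RollingReceiver(key)
    accepted_later = untouched.accept(frame_n)
    moved_on = RollingReceiver(key)
    moved_on.accept(fob_frame(key, 2))            # a later press did get through
    return accepted_later, moved_on.accept(frame_n)


def challenge_outcomes(key=b"constructed demo key"):
    """Returns (fresh response accepted, recorded response accepted on a new challenge)."""
    rx = ChallengeReceiver(key)
    recorded = respond(key, rx.challenge())
    fresh_ok = rx.accept(recorded)
    rx.challenge()
    return fresh_ok, rx.accept(recorded)


if __name__ == "__main__":
    print(rolling_code_outcomes(), challenge_outcomes())
```

In the one-way model the unheard frame is only retired once the receiver hears a later counter value, which is why a receiver cannot tell a delayed replay from a late button press without a time or challenge binding.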
Tomi Engdahl says:
Listening to Electromagnetic Interference with a RTLSDR Dongle
http://hackaday.com/2014/03/18/listening-to-electromagnetic-interference-with-a-rtlsdr-dongle/
Being curious by nature, [Marios] decided to see what kind of radio-frequency emissions may be generated by an Arduino connected to a simple breadboard wire, and more importantly try to pick them up using a RTLSDR dongle.
Fast PWM and Electromagnetic Interference
fun with ATMega328 and rtl-sdr
http://withinspecifications.30ohm.com/2014/03/09/Fast-PWM-EMI/
Tomi Engdahl says:
Transmitting AM radio using a microcontroller
http://amcinnes.info/2012/uc_am_xmit/
It has previously been shown that transmitting radio and TV from an ordinary VGA port is possible [1][2]. These transmitters provided some inspiration for this project.
In this project I transmit using a microcontroller I/O pin instead.
The microcontroller board I’m using is the Teensy 2.0. The microcontroller on this board is an Atmel AVR (ATMEGA32U4), which supports full-speed USB 1.1 (12Mbps) and has a maximum clock rate of 16MHz.
The microcontroller receives bytes over USB and outputs them to its USART (universal synchronous/asynchronous receiver/transmitter). The USART is configured in SPI master mode, in which it can continuously output 8 bits per byte, one bit at a time, to the antenna pin. It can run as fast as 8Mbps (one bit every two clock cycles).
Tomi Engdahl says:
Sniffing pH Sensor RF Signals for Feedback Re: Your Esophagus
http://hackaday.com/2014/03/31/sniffing-ph-sensor-rf-signals-for-feedback-re-your-esophagus/
For about a week [Justin] had a wireless acidity level sensor in his esophagus and a pager-looking RF receiver in his pocket. So he naturally decided to use an RTL-SDR dongle to sniff the signals coming out of him.
[Justin] then used gqrx and Audacity to manually decode the packets before writing a browser-based tool which uses an audio file
Tomi Engdahl says:
Welcome to gqrx
http://gqrx.dk/
Gqrx is a software defined radio receiver powered by the GNU Radio SDR framework and the Qt graphical toolkit.
Gqrx supports many of the SDR hardware available, including Funcube Dongles, rtl-sdr, HackRF and USRP devices.
available for Linux, FreeBSD and Mac
Tomi Engdahl says:
Measuring Frequency Response with an RTL-SDR Dongle and a Diode
http://hackaday.com/2014/04/17/measuring-frequency-response-with-an-rtl-sdr-dongle-and-a-diode/
Using an RTL-SDR dongle, some software and a quickly made noise generator, he still managed to get a rough idea of the filter’s characteristics.
Tomi Engdahl says:
RTLSDR Scanner
http://eartoearoak.com/software/rtlsdr-scanner
A cross platform Python frequency scanning GUI for USB TV dongles, using the OsmoSDR rtl-sdr library.
In other words a cheap, simple Spectrum Analyser.
The scanner attempts to overcome the tuner’s frequency response by averaging scans from both the positive and negative frequency offsets of the baseband data.
Tomi Engdahl says:
[Balint]‘s GNU Radio Tutorials
http://hackaday.com/2014/04/22/balints-gnu-radio-tutorials/
[Balint] has a bit of history in dealing with software defined radios and cheap USB TV tuners turned into what would have been very expensive hardware a few years ago. Now [Balint] is finally posting a few really great GNU Radio tutorials, aimed at getting software defined radio beginners up and running with some of the coolest hardware around today.
Balint’s SDR Tutorials
http://files.ettus.com/tutorials/
GNU Radio Tutorial Series on YouTube
https://www.youtube.com/playlist?list=PL618122BD66C8B3C4
Tomi Engdahl says:
Interesting application example:
Continued ISEE-3 Detection With an 8 Foot Dish
http://spacecollege.org/isee3/continued-isee-3-detection-with-an-8-foot-dish.html
Tomi Engdahl says:
FM Signal Generation and Analysis
http://www.eeweb.com/company-blog/rigol_technologies/fm-signal-generation-and-analysis/
Tomi Engdahl says:
How To: Hack Your Way Into Your Own Gated Community
http://hackaday.com/2014/07/14/how-to-hack-your-way-into-your-own-gated-community/
Residents of such Gated Communities in Poland are now shaking in fear since [Tomasz] has hacked into his own neighborhood by emulating the signal that opens the entrance gate. Shockingly, this only took about 4 hours from start to finish and only about $20 in parts.
Most of these types of systems use RF communication and [Tomasz's] is no different. The first step was to record the signal sent out by his remote. A USB Software Defined Radio transmitter/receiver coupled with a program called SDR# read and recorded the signal without a hitch.
[Tomasz] has to figure out a way to send that signal to the receiver. He has done this by making an RF transmitter from just a handful of parts
Tomi Engdahl says:
Android RTL2832U driver
https://play.google.com/store/apps/details?id=marto.rtl_tcp_andro
An Android port of rtl-sdr’s rtl_tcp
This driver could be used by third party applications to implement Software Defined Radio (like SDR Touch)
Tomi Engdahl says:
SDR Touch – Live radio via USB
https://play.google.com/store/apps/details?id=marto.androsdr2
Turn your mobile phone or tablet into an affordable and portable software defined radio scanner. Listen and record live on air FM STEREO radio stations, weather reports, police, fire department and emergency stations, taxi traffic, airplane communications, audio of analogue TV broadcasts, HAM radio amateurs, digital broadcasts and many more! Depending on the hardware used, its radio frequency coverage could span between 50 MHz and 2.2 GHz. It currently demodulates WFM, AM, NFM, USB, LSB, CWU and CLW signals.
You need:
- USB digital TV (DVB-T) dongle with the RTL2832U chip. You may already have one of them laying around. They cost less than $10
- USB OTG (On-The-Go) cable – if you’ve ever connected a USB thumb drive to your Android device, you already have it. They are extremely cheap
Then you just need to connect the USB dongle to an antenna, and via the OTG cable to your Android device and run SDR Touch
Tomi Engdahl says:
A Lesson in Blind Reverse Engineering – Signals Intelligence
http://hackaday.com/2014/07/24/a-lesson-in-blind-reverse-engineering-signals-intelligence/
While others were out and about playing games and doing whatever non-hackers do to entertain themselves, [Rory O'hare] decided to reach out and grab some random wireless signals for a little fun and excitement. And what he found was not just a strong, repeating signal at 433Mhz.
Tomi Engdahl says:
HackRF
https://greatscottgadgets.com/hackrf/
HackRF One from Great Scott Gadgets is a Software Defined Radio peripheral capable of transmission or reception of radio signals from 10 MHz to 6 GHz. Designed to enable test and development of modern and next generation radio technologies, HackRF One is an open source hardware platform that can be used as a USB peripheral or programmed for stand-alone operation.
Tomi Engdahl says:
PortableSDR
http://hackaday.io/project/1538-PortableSDR
Fully stand-alone HF (Shortwave) Software Defined Transceiver & Vector Network Analyzer. Designed for rugged portable use. Highly hackable.
The PSDR is a completely stand-alone (no computer needed), compact, Portable Software Defined Transceiver (hence the name, sorta). Originally designed for backpacking use by Ham Radio operators. It includes complete coverage up to about 30Mhz (plus 144Mhz), it has a 168Mhz ARM processor, color display, and an innovative interface.
Vector Network Analysis (which includes antenna analysis) and GPS functions are included.
The entire design is Open Source. The electronics are designed and laid out to be easy to understand and tinker with. In addition to source code, schematics, board layout and parts lists, articles and videos describing the theory of the design are being created.
The project code is still very much in development.
Comments:
Very cool project. So what's the cost breakdown like?
Hard to say for certain. I had some of the parts already. In low volumes, if you source everything yourself, I imagine parts cost will be in the realm of $150. Check out the BOM on github, it includes the costs for almost all the parts (except for the PCB and LCD, I think)
Tomi Engdahl says:
SDR: Satellite Death Receiver
http://hackaday.com/2014/11/04/sdr-satellite-death-receiver/
He’s using an RTL-SDR dongle and a QFH antenna to detect the death throes of decommissioned navigation and space research satellites.
[happysat] was listening to NOAA/Meteor on the 137MHz band when he made this discovery.
Receiving Dead Satellites with the RTL-SDR
http://www.rtl-sdr.com/receiving-dead-satellites-rtl-sdr/
Recently happysat, a reader of RTL-SDR.com wrote in to let us know about an unusual hobby he has found with the RTL-SDR. Happysat has been using the RTL-SDR together with a QFH antenna to detect old decommissioned satellites in the 136-138 MHz and 150-400 MHz frequency ranges.
Although these satellite’s batteries have long been expired, because of some sort of chemical reaction due to thousands of failed recharge cycles the batteries begin to conduct over time and allow the satellite to be powered directly from the solar panels thus activating the transmitter.
Tomi Engdahl says:
Hackaday Prize Finalist: A PortableSDR
http://hackaday.com/2014/11/05/hackaday-prize-finalist-a-portablesdr/
No other project to make it to The Hackaday Prize has people throwing money at their computer screen hoping something would happen than [Michael Colton]‘s PortableSDR. It’s a software defined radio designed for coverage up to 30MHz. Amateur radio operators across the world are interested in this project, going so far as to call this the first Baofeng UV-5R killer. That’s extremely high praise.
PortableSDR
http://hackaday.io/project/1538-portablesdr
Fully stand-alone HF (Shortwave) Software Defined Transceiver & Vector Network Analyzer. Designed for rugged portable use. Highly hackable.
Tomi Engdahl says:
RTL SDR As A Spectrum Analyzer
http://hackaday.com/2014/11/19/rtl-sdr-as-a-spectrum-analyzer/
RTL-SDR, the USB TV tuner turned software-defined radio is an amazing device, capable of listening to nearly anything from 25MHz to 1750MHz, fits in your pocket, and costs about $20. Even more astonishing is that it’s also a kinda-okay spectrum analyzer. [Kerry D. Wong] tested out one of these USB TV tuners, and the results are exactly what you would expect: it lacks a little precision, and sampling bandwidth is only a tiny bit terrible, but it does work.
Testing an RTL-SDR Spectrum Analyzer
http://www.kerrywong.com/2014/11/16/testing-an-rtl-sdr-spectrum-analyzer/
While the typical operating frequency range for these SDR’s is specified as 25MHz-1750MHz, the actual performance varies depending on the particular unit as this frequency range is not guaranteed (particularly on the high frequency side) by the chip.
There are many open source software packages we can choose from for spectrum analysis. One thing to note though is that many of the “scanner” software actually are not quite suitable for this task. For instance, I tried rtlsdr-scanner and noticed that the measured spectrum is distorted regardless of the FFT length and dwell time settings. A few other scanner packages I tried also exhibit a similar issue.
So I turned to some of the more popular SDR radio software packages such as SDR# and Gqrx SDR. SDR# renders the spectrum reasonably well but the signal amplitude reading seems to be off, at least I couldn’t seem to be able to find a way to set the gain correctly to reflect the actual signal strength. Gqrx SDR is the first software suite I found that rendered the spectrum correctly and reported the signal strength in the ballpark. It also has a quite polished user interface and is extremely easy to use.
One significant limitation of the RTL-SDR is that its real-time sampling bandwidth is limited to 3 MHz, which means if the frequency range is wider than 3 MHz multiple hops must be made in order to cover the entire spectrum. Since switching frequency band is a relatively slow operation, scanning a frequency span of 30 MHz can take a significant amount of time especially when the FFT size is large.
So RTL-SDR based spectrum analyzer is best suited for analyzing quasi-stationary signals and in situations where accurate absolute power measurement is not critical. Also, because the LNA can be overloaded easily RTL-SDR is best suited for analyzing small signals below -10 dBm. Otherwise, external attenuators will be needed.
Tomi Engdahl says:
RTLSDR Scanner
http://eartoearoak.com/software/rtlsdr-scanner
A cross platform Python frequency scanning GUI for USB TV dongles, using the OsmoSDR rtl-sdr library.
In other words a cheap, simple Spectrum Analyser.
The scanner attempts to overcome the tuner’s frequency response by averaging scans from both the positive and negative frequency offsets of the baseband data.
Download the Windows installer from Sourceforge.
Download the latest source from GitHub.
Linux and Mac users will need to manually install dependencies, Windows users can use the installer.
Tomi Engdahl says:
RTL-SDR With Upconverter and Case
http://hackaday.io/project/3075-rtl-sdr-with-upconverter-and-case
The Junk Box SDR: a simple project to illustrate how it is possible to mount and mod an RTL-SDR and upconverter into a case.
Tomi Engdahl says:
Keep Tabs on Passing Jets with Pi and SDR
http://hackaday.com/2014/11/27/keep-tabs-on-passing-jets-with-pi-and-sdr/
[Simon Aubury] has been using a Raspberry Pi and SDR to record video of planes passing overhead.
Simon used two hobby servos and some brackets to gimbal his Pi camera board. A DVB dongle allows the rig to listen in on the Automatic Dependent Surveillance Broadcast (ADS-B) coming from the planes. This system is mandated for most commercial aircraft
The Pi Plane Project
http://simonaubury.com/the-pi-plane-project1-introduction/
The Pi Plane Project tracks planes that fly over my house; records a short video – and uploads the clips onto the web.
Using some inexpensive components, we can build a receiver to listen to these ADS-B signals to track these aircraft as they fly overhead.
To create your own (or if you plan to rob me; you can score) …
Raspberry Pi – a very inexpensive credit-card sized computer
Powered USB hub – allows the peripheral parts to connect and be fed
DVB-T & RTL-SDR Receiver, RTL2832U – helps receive and decode aircraft transmissions
GPIO Kit for Raspberry Pi, T-Cobbler – connects the Raspberry Pi to outputs such as the servo motors
PT Pan/Tilt Camera Platform Camera Mount w/ 2 Servo – a pre-assembled platform to allow 2-axis of movement for the camera
Raspberry Pi Camera Board – a CMOS camera suitable for the Raspberry Pi
LCD Display: lcd1602 – an LCD display panel
I used a RTL2832U as a software defined radio (SDR). This is a USB stick (a TV “dongle”), designed for digital TV on a computer.
On the Pi I installed Dump1090 – which does a fine job of understanding the data packets transmitted by a plane’s transponders. The Dump1090 suite of programs can also display the locations and track of aircraft on a map, but all of this visual trickery was unnecessary for my project
Tomi Engdahl says:
Using librtlsdr Over TCP
http://hackaday.com/2015/01/13/using-librtlsdr-over-tcp/
[Texane] built a low-cost software defined radio rig which could be remotely controlled. This allows the hardware to be placed outside for better reception, while being controlled from any PC that can connect over TCP. To do this, he created a fork of librtlsdr, the library used to turn cheap TV tuners into software defined radios.
The official release of rtl-sdr includes the rtl_tcp utility, which is meant for this purpose. Unfortunately, not all of the SDR tools for Linux support this. By modifying the library itself, remote devices interact with software in the same way as local devices. This means that any software that supports librtlsdr should work.
The outdoor rig contains a BeagleBone Black and the SDR hardware, sealed up in a weather-resistant box.
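The wire format spoken by the stock rtl_tcp utility mentioned above, as an added example (not code from the post, from [Texane]'s fork or from the rtl-sdr project). The command ids and the 12-byte RTL0 greeting follow rtl_tcp.c; the helper names are hypothetical, the 127.5 sample scaling is a common convention, and every sample byte is constructed.

```python
import struct

# Command ids from rtl_tcp.c in the rtl-sdr project (subset).
SET_FREQUENCY = 0x01    # parameter: centre frequency in Hz
SET_SAMPLE_RATE = 0x02  # parameter: samples per second
SET_GAIN_MODE = 0x03    # parameter: 0 = automatic, 1 = manual
SET_GAIN = 0x04         # parameter: tuner gain in tenths of a dB
TUNER_NAMES = {1: "E4000", 2: "FC0012", 3: "FC0013", 4: "FC2580", 5: "R820T"}


def parse_dongle_info(header: bytes) -> dict:
    """Decode the 12-byte greeting the server sends to a new client."""
    if len(header) != 12:
        raise ValueError("greeting must be exactly 12 bytes")
    magic, tuner_type, gain_count = struct.unpack(">4sII", header)
    if magic != b"RTL0":
        raise ValueError("not an rtl_tcp stream: bad magic %r" % magic)
    return {"tuner": TUNER_NAMES.get(tuner_type, "unknown"),
            "gain_steps": gain_count}


def encode_command(cmd: int, param: int) -> bytes:
    """Client to server: 1-byte command id, then a 32-bit big-endian value."""
    if not 0 <= cmd <= 0xFF or not 0 <= param <= 0xFFFFFFFF:
        raise ValueError("command or parameter out of range")
    return struct.pack(">BI", cmd, param)


def decode_commands(buf: bytes):
    """Server-side view: split a byte stream into (cmd, param) pairs.

    TCP does not preserve message boundaries, so trailing bytes of a
    partial command are returned for the caller to prepend to the next read.
    """
    whole = len(buf) - len(buf) % 5
    cmds = [struct.unpack(">BI", buf[i:i + 5]) for i in range(0, whole, 5)]
    return cmds, buf[whole:]


def iq_from_bytes(raw: bytes) -> list:
    """Server to client: interleaved unsigned 8-bit I, Q to complex samples."""
    even = len(raw) - len(raw) % 2   # a read may end between I and Q
    return [complex((raw[i] - 127.5) / 127.5, (raw[i + 1] - 127.5) / 127.5)
            for i in range(0, even, 2)]


if __name__ == "__main__":
    # Constructed sample data, not a capture from real hardware.
    greeting = b"RTL0" + struct.pack(">II", 1, 14)
    print(parse_dongle_info(greeting))
    session = (encode_command(SET_SAMPLE_RATE, 2_048_000)
               + encode_command(SET_FREQUENCY, 433_915_000)
               + encode_command(SET_GAIN_MODE, 1)
               + encode_command(SET_GAIN, 290))
    print(session.hex())
    print(decode_commands(session + b"\x01\x19"))
    print(iq_from_bytes(bytes([255, 0, 128, 127])))
```

Nothing in this exchange authenticates the client, so anyone who can reach the listening port can retune the dongle and read its samples; keep the listener on a trusted network or behind a tunnel such as SSH.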
Tomi Engdahl says:
Check this article on receiving wireless data with SDR:
Reading the AcuRite 5n1 Sensor Set, This time with RF
http://www.desert-home.com/2015/02/reading-acurite-5n1-sensor-set-this.html
I’ve managed to read the RF signal coming from the AcuRite weather head.
This is the tuner chip that is used in digital TV that has been hooked to a USB interface and enclosed in a plastic case. The chip is a RTL2832 and has a huge bandwidth; it can be used to receive AM, FM, SSB, etc all the way up past the 900MHz range that the AcuRite transmits on.
So, I downloaded a great tool for doing this kind of thing called SDRsharp and installed it on my laptop.
Notice in the bottom panel that there are three different signals that are on almost exactly the same frequency? Yep, I’m picking up three devices up in the 433MHz area and any one of them could be what I’m looking for. After a bunch of looking, it turns out the first one I found is the one I want, but how do I get the data out of it? Heck, how do I separate the one I want from the others?
This has already been solved for us under Linux by a tool called rtl_433.
Next, there’s a Linux library that supports this and a really cool tool you can run on your PC to play around. The tool is called SDRsharp and has a dedicated website
The Linux library is called rtl_sdr
Just build rtl_433 from my copy.
Now, you are almost ready to actually read the RF from the weatherstation, but (another one of those) the decoder included with rtl_433 is wrong.
So, I put together my own version that decodes my weatherhead and corresponds with the console. These changes are part of the zip file you downloaded; you don’t have to do anything special.
Remember way above I told you to write down the frequency you found the weather head transmitting on? This is where you may have to use it. If it drifted far enough, you won’t get a good signal from the transmitter up on the roof or out in the yard. You can simply specify the frequency you want to listen to with the ‘-f’ parameter like this:
rtl_433 -f 433.915e6
This means to set the receiver at 433.915 MHz.
There’s still some stuff to be done from my perspective, I want to put some code in to present the data as a JSON string
Comments:
Back in Dec I ordered a 433mhz receiver and transmitter from e-Bay that I was going to hook to my Raspi to read my Acurite 5-in-1. After about 6 weeks I finally received it from China. I paid $1.56
I’ve had a chance to play with these SDR “dongles” for awhile now off and on. For those truly into it, there’s a software package called GNU Radio that’s worth looking into. Back to the dongle, be sure to “calibrate” it first. Listen to a known frequency, for example the weather.
Tomi Engdahl says:
PortableSDR Needs a Cinderella Story to Finish its Kickstarter
http://hackaday.com/2015/02/09/portablesdr-needs-a-cinderella-story-to-finish-its-kickstarter/
We especially like it that you don’t need a license to operate the basic model — the transmitting circuits aren’t enabled when it arrives. This means you can learn about SDR, explore what’s going on over the airwaves, and only then take the leap by applying for your license and hack the unit to transmit.
PSDR – Pocket HF SDR Transceiver with VNA and GPS
https://www.kickstarter.com/projects/1703258614/psdr-pocket-hf-sdr-transceiver-with-vna-and-gps
Tomi Engdahl says:
Why You Should Care About Software Defined Radio
http://hackaday.com/2015/02/12/why-you-should-care-about-software-defined-radio/
It hasn’t become a household term yet, but Software-Defined Radio (SDR) is a major player on the developing technology front. Whether you’re building products for mass consumption, or just playing around for fun, SDR is worth knowing something about and I’ll prove it to you.
Radio used to be a lot harder. On the communications side of things you could buy an expensive radio receiver and/or transmitter that required a skilled operator to use. At a lower level, you would be looking at choosing a specific band and dealing with things like modulator, mixer, and filter design, along with plenty of roadblocks to manufacturing which would also lock you into a specific application.
Software-Defined Radio solves some of these problems by allowing you to control how the radio hardware functions based on software. The advent of this has also been boosted by the availability of inexpensive hardware produced at scale. It is not the end-all of radio, but it makes the problem easier. That has led to wider adoption but we think what has been seen so far is only the tip of the iceberg.
The whole point of SDR is less need for specialized hardware. One module can address a wide range of uses, even those that are currently unknown.
In the next section I’m going to talk about the DVB-T dongle seen here. But one important thing to realize about it is that the chip inside this device is an SDR and is already in use commercially. The versatility of the chipset inside proves the point that SDR is a viable choice in consumer hardware
The thing that really turned my head was the advent of what is known as RTL-SDR. This is the practice of using television tuner USB dongles for Software-Defined Radio. That’s right, these “DVB Sticks” are made to watch broadcast television on a computer but inside is a Realtek 2832U.
Connecting the dongle to your computer and launching some software allows you to listen in — both audible signals and transmitted data — on all kinds of things.
Don’t be afraid of this, these are receivers-only so you need no license or prior training. We’ve seen these morph into automated airplane filming rigs and you could end up adding to the flight tracking data network of FlightAware. The Grand Prize winners of the 2014 Hackaday Prize even built a satellite receiving station around a DVB dongle!
For getting started, and well-targeted applications, these dongles are a good option. But they are limited from around 22 MHz to 2200 MHz depending on which particular dongle you have. Going beyond those limits requires a jump to different hardware.
Tomi Engdahl says:
Testing 433Mhz RF antennas with RTL-SDR
http://nerdralph.blogspot.ca/2014/07/testing-433mhz-rf-antennas-with-rtl-sdr.html
A couple months ago I picked up a RTL2832U dongle to use with SDR#. I’ve been testing 433Mhz RF modules, and wanted to figure out what kind of wire antenna works best.
Antenna theory is rather complicated, and designing an efficient antenna involves a number of factors including matching the output impedance of the transmitter. Since I don’t have detailed specs on the RF transmitter modules, I decided to try a couple different antenna designs, and use RTL-SDR to measure their performance.
I tried a 1/4-wave monopole wire antenna on the RTL dongle, and got 2-3dB better signal reception at 433Mhz than the stock antenna. I tried a full-wave (69cm) wire antenna, and it performed better than the stock antenna, but slightly worse than the 1/4-wave monopole.
Tomi Engdahl says:
Developers Disclose Schematics For 50-1000 MHz Software-Defined Transceiver
http://hardware.slashdot.org/story/15/02/25/2255225/developers-disclose-schematics-for-50-1000-mhz-software-defined-transceiver
Chris Testa KD2BMH and I have been working for years on a software-defined transceiver that would be FCC-legal and could communicate using essentially any mode and protocol up to 1 MHz wide on frequencies between 50 and 1000 MHz.
http://linux.slashdot.org/story/15/01/07/232232/learn-gate-array-programming-in-python-and-software-defined-radio
Chris Testa KB2BMH taught a class on gate-array programming the SmartFusion chip, a Linux system and programmable gate-array on a single chip, using MyHDL, the Python Hardware Design Language to implement a software-defined radio transceiver.
http://algoram.com/presentations/Hamcation2015.pdf
Tomi Engdahl says:
Reverse Engineering Wireless Temperature Probes
http://hackaday.com/2015/03/01/reverse-engineering-wireless-temperature-probes/
[bhunting] lives right up against the Rockies, and for a while he’s wanted to measure the temperature variations against the inside of his house against the temperature swings outside. The sensible way to do this would be to put a few wireless temperature-logging probes around the house, and log all that data with a computer. A temperature sensor, microcontroller, wireless module, battery, case, and miscellaneous parts meant each node in the sensor grid would cost about $10. The other day, [bhunting] came across the exact same thing in the clearance bin of Walmart – $10 for a wireless temperature sensor, and the only thing he would have to do is reverse engineer the protocol.
Hacking the Acurite 0077XW / 00592TX Wireless Remote Temperature Probe – Part 1 – hacking the hardware
http://www.techspin.info/archives/985
Hacking the Acurite 0077XW / 00592TX Wireless Remote Temperature Probe – Part 2 – decoding the protocol
http://www.techspin.info/archives/1049
Tomi Engdahl says:
Receiving RDS with the RTL-SDR
http://www.windytan.com/2015/02/receiving-rds-with-rtl-sdr.html
redsea is a command-line RDS decoder
Redsea is on GitHub. It has minimal dependencies (perl core modules, C standard library, rtl-sdr command-line tools) and has been tested to work on OSX and Linux with good enough FM reception.
The program prints out decoded RDS groups, one group per line. Each group will contain a PI code identifying the station plus varying other data, depending on the group type.
The DSP side of my program, named rtl_redsea, is written in C99. It’s a synchronous DBPSK receiver that first bandpass filters the multiplex signal. A PLL locks onto the 19 kHz stereo pilot tone; its third harmonic (57 kHz) is used to regenerate the RDS subcarrier. Dividing it by 16 also gives us the 1187.5 Hz clock frequency.
Tomi Engdahl says:
Rtl_fm Guide
http://kmkeen.com/rtl-demod-guide/
Rtl_fm is a little utility I wrote for the rtl-sdr project. The program was made to fill a gap in software defined radio: all the computers weaker than a Pentium 4. Basically, an Atom processor does not have enough oomph to demodulate something as simple as narrow band FM using the standard tools. (Recently a high performance FM demodulator was released, Simple FM but it works only passably on newer Atoms.) So rtl_fm was written with one goal, efficiency, in mind.
As an unexpected bonus, it ended up being efficient enough to easily run on small ARM boards such as the Raspberry Pi. GnuRadio is a really great program easily worth a thousand bucks. But it was designed to run on $500 computers with $500 SDR hardware. Whereas this is made for $20 SDRs plugged into $20 computers.
Rtl_fm is a general purpose analog demodulator. It can handle FM, AM and SSB. It can scan more than a hundred frequencies a second.
Tomi Engdahl says:
Eavesdropping on a wireless keyboard
http://www.windytan.com/2013/03/eavesdropping-on-wireless-keyboard.html
To investigate this, I bought an old Logitech iTouch PS/2 cordless keyboard at an online auction. It’s dated July 2000. Back in those days, wireless desktops used the 27 MHz shortwave band; later they’ve largely moved to 2.4 GHz.
I’ll use my RTL2838-based television receiver dongle, which can be tuned to an arbitrary frequency and commanded to just dump the I/Q sample stream
The transmission is clearly visible at 27.14 MHz. Zooming closer and taking a spectrogram, the binary FM/FSK nature of the transmission becomes obvious
The sample length of one bit indicates a bitrate of 850 bps.
One keypress produces about 85 bits of data. The bit pattern seems to always correlate with the key being pressed, so there’s no encryption at all.
Tomi Engdahl says:
Using The Red Pitaya As An SDR
http://hackaday.com/2015/03/02/using-the-red-pitaya-as-an-sdr/
The Red Pitaya is a credit-card sized board that runs Linux, has Ethernet, and a good bit of RAM. This sounds a lot like a Raspberry Pi and BeagleBone Black, but the similarities end there. The Red Pitaya also has two RF inputs, two RF outputs, and a load of digital IOs, all connected to an Xilinx SoC that includes an FPGA. [Pavel] realized the Pitaya had all the components of a software-defined radio, and built an implementation to prove it.
The input for the SDR taps directly into one of the high impedance inputs with a simple loop antenna made out of telephone cable. The actual software-defined part of this radio borrows heavily from an Xilinx application note, while everything is controlled by either SDR# or HDSDR.
Shame it doesn’t have a Raspberry Pi or BeagleBone Black price tag
Red Pitaya Notes: SDR receiver
http://pavel-demin.github.io/red-pitaya-notes/sdr-receiver/
Red Pitaya has all the components of a Software Defined Radio (SDR).
Tomi Engdahl says:
Design & Build Part 2: Multi-Band, Phasing SSB, and SDR
http://hackaday.com/2015/03/04/get-serious-with-amateur-radio-design-build-a-single-sideband-transceiver-from-scratch-part-2/
In this post I will discuss a multi-band SSB transceiver, an entire homemade amateur station including amplifiers, and conclude with software defined radio (SDR) that you can make in one weekend.
Tomi Engdahl says:
The fully Digital radio transmitter: Is it real or more hype?
http://www.edn.com/design/analog/4438807/The-fully-Digital-radio-transmitter–Is-it-real-or-more-hype-?_mc=NL_EDN_EDT_EDN_analog_20150305&cid=NL_EDN_EDT_EDN_analog_20150305&elq=8433534c519b47ccb201e86f2d5241f9&elqCampaignId=21940&elqaid=24634&elqat=1&elqTrackId=b29e6967f02244b18fdb0512dd0f08be
Cambridge Consultants are claiming the world’s first fully digital radio transmitter built only from computing power. There are no analog components like a high-speed D to A converter with amplifier, although I would think they would need a Power Amplifier (PA) to broadcast a great distance. This is a Digital Radio transmitter and not part of a Software Defined Radio (SDR) architecture which requires analog components.
They are demonstrating the transmitter at the Mobile World Congress (MWC)
Many so-called All-Digital Radios have been tried in the past. Here are some that stand out, but in my skeptical analog brain I find it hard to conceive a truly All-Digital Radio
Cambridge Consultants All-Digital Radio transmitter
Cambridge Consultants just demonstrated their all-digital radio transmitter at the Mobile World Congress.
Their creation, called “Pizzicato”, greatly intrigued me because unlike the previous attempts at the All-Digital radio outlined above and in the five references, Cambridge has taken the design to a new level with their proprietary patented software algorithms and mathematical software prowess.
An interesting note is that they started this design with an old, 3Gbps bitstream from a Xilinx Virtex-5 FPGA serdes port. They use a bandpass sigma-delta converter in the bitstream like the early one bit audio sigma-delta devices.
Watch this company because they have some really bright innovator geeks (our brethren) and I expect to see many new enhancements in this technology over the next few years. These types of Digital radios can fully take advantage of Moore’s Law leading to smaller sizes, lower cost and lower power consumption using next-gen digital IC technology node advancements. An example of the architectures that can benefit from this is the 14 simultaneous cellular base station signals they were able to create with this first prototype.