Software-defined radio (SDR) is a radio communication system where components that have been traditionally implemented in hardware (e.g. mixers, filters, amplifiers, modulators/demodulators, detectors, etc.) are instead implemented by means of software on a personal computer or embedded system.
Experimenting with software-defined radio used to be expensive, but nowadays it is very cheap to get started. Most receivers use a variable-frequency oscillator, mixer, and filter to tune the desired signal to a common intermediate frequency or baseband, where it is then sampled by the analog-to-digital converter. The cheapest well-working device with a wide receiving range is a suitable DVB-T receiver stick (10-20 Euros/Dollars) combined with suitable software (there are very many alternatives, for example SDRsharp and GNU Radio).
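As an added illustration of the receiver chain just described (example code written for this page, not code from the original article), the following Python models the mixer, low-pass filter and sampling stages on a constructed input: two tones near 400 kHz, an assumed 1 MS/s ADC rate, and a moving-average filter standing in for the IF filter.

```python
import cmath
import math

FS = 1_000_000   # assumed ADC sample rate, 1 MS/s (constructed scenario)
N = 4000         # samples captured, i.e. 4 ms of signal


def make_rf(tones_hz, n=N, fs=FS):
    """Constructed 'antenna' input: unit-amplitude real cosines at the given frequencies."""
    return [sum(math.cos(2 * math.pi * f * i / fs) for f in tones_hz) for i in range(n)]


def mix_to_baseband(samples, lo_hz, fs=FS):
    """Quadrature mixer: multiply by a complex local oscillator (the VFO). A real tone
    at f becomes complex tones at f - lo and -f - lo; the wanted one lands near 0 Hz."""
    return [s * cmath.exp(-2j * math.pi * lo_hz * i / fs) for i, s in enumerate(samples)]


def moving_average(iq, taps):
    """Boxcar FIR low-pass standing in for the IF filter; first spectral null at fs/taps."""
    out, acc = [], 0j
    for i, v in enumerate(iq):
        acc += v
        if i >= taps:
            acc -= iq[i - taps]
        out.append(acc / taps)
    return out


def dominant_tone(iq, fs):
    """Brute-force DFT of the filtered baseband; returns the strongest bin in Hz,
    folded into -fs/2..fs/2 so a signal below the LO is reported as negative."""
    n = len(iq)
    best_k, best_mag = 0, -1.0
    for k in range(n):
        mag = abs(sum(v * cmath.exp(-2j * math.pi * k * i / n) for i, v in enumerate(iq)))
        if mag > best_mag:
            best_k, best_mag = k, mag
    f = best_k * fs / n
    return f - fs if f > fs / 2 else f


def tune(rf, lo_hz, taps=32, decim=16, fs=FS):
    """The chain from the text: mix to baseband, filter, then sample at a lower rate."""
    bb = moving_average(mix_to_baseband(rf, lo_hz, fs), taps)
    bb = bb[::decim]   # decimation is safe only after the filter removed what would alias
    return dominant_tone(bb, fs / decim)


def demo():
    # Wanted station 10 kHz above the LO; an unwanted neighbour 70 kHz above it.
    # The filter attenuates the neighbour (~ -20 dB) so the wanted tone dominates.
    rf = make_rf([410_000, 470_000])
    return tune(rf, lo_hz=400_000)   # -> 10000.0


if __name__ == "__main__":
    print(f"baseband tone: {demo():.0f} Hz")
```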
My article Software defined radio with USB DVB-T stick started the long list of SDR related postings. The newest postings now are Filter measurements with RF noise source and Antenna measurements with RF noise source.
432 Comments
Tomi Engdahl says:
RFSoC Delivers FPGA Flexibility with High-Speed RF
https://www.electronicdesign.com/industrial-automation/rfsoc-delivers-fpga-flexibility-high-speed-rf?NL=ED-003&Issue=ED-003_20190221_ED-003_901&sfvc4enews=42&cl=article_1_b&utm_rid=CPG05000002750211&utm_campaign=23494&utm_medium=email&elq2=c5bcfd23c1724f909f6bf610af8b7076
Combining high-speed RF with FPGA functionality was never easier or more power-efficient than with Xilinx’s RFSoC family.
Xilinx’s initial RFSoC release combined the programmability of Zynq Ultrascale+ with RF support that reached up to 4 GHz. The family can eliminate the RF sampling component in many millimeter-wave (mmWave) applications where JESD204 interfaces abound (Fig. 1). Not only does this reduce the parts count, but it cuts out almost 8 W of power for the JESD buffers alone. Bringing the RF inside the FPGA package simplifies system design as well as delivers a higher-performance RF analog connection.
Tomi Engdahl says:
Commission Delegated Regulation on the Application of Article 3 (3) (i) and 4 of Directive 2014/53/EU relating to Reconfigurable Radio Systems
https://eur-lex.europa.eu/legal-content/EN/ALL/?uri=PI_COM:Ares(2019)476957
Tomi Engdahl says:
MIT IAP Tackles Radio
https://hackaday.com/2019/02/18/mit-iap-tackles-radio/
MIT is well known for rigorous courses, but they also have a special four-week term at the start of each year called the IAP — Independent Activities Period. This year, the MIT Radio Society had several interesting presentations on both the history and application of radio. You weren’t there? No problem, as the nine lectures were all recorded for you to watch at your leisure. You can see one of the nine, below.
Tomi Engdahl says:
This SDR Uses A Tube
https://hackaday.com/2019/03/07/this-sdr-uses-a-tube/
When you think of a software defined radio (SDR) setup, maybe you imagine an IC or two, maybe feeding a computer. You probably don’t think of a vacuum tube. [Mirko Pavleski] built a one-tube shortwave SDR using some instructions from [Burkhard Kainka] which are in German, but Google Translate is good enough if you want to duplicate his feat. You can see a video of [Mirko’s] creation, below.
According to [Burkhard] his build drifts less than 1 Hz per minute, which isn’t bad. As you can see in the video, it works well enough.
Tomi Engdahl says:
Justin McAllister’s Simple, Post-Apocalypse-Friendly Antennas
https://hackaday.com/2019/03/04/justin-mcallisters-simple-post-apocalypse-friendly-antennas/
Tomi Engdahl says:
KiwiSDR for BeagleBone
https://hackaday.io/project/10345-kiwisdr-for-beaglebone
Turn your BeagleBone Black into a wide-band (0-30 MHz) SDR with a multi-user web interface. Includes a software-defined GPS receiver.
KiwiSDR is a software-defined radio (SDR) covering shortwave, the longwave & AM broadcast bands, various utility stations, and amateur radio transmissions, world-wide, in the spectrum from 10 kHz to 30 MHz. The KiwiSDR is a custom circuit board you connect to an inexpensive BeagleBone Black or Green computer. Add an antenna, power supply, internet connection, then install the software package and be running in minutes. An HTML5-capable browser and internet connection will let you listen to a public KiwiSDR anywhere in the world. Up to four people can listen simultaneously to one receiver — each listener tunes independently.
Tomi Engdahl says:
Executing A Vehicle Keyless Entry Attack
https://hackaday.com/2019/03/30/executing-a-vehicle-keyless-entry-attack/
You read about well-publicised security exploits, but they always seem to involve somebody with a deity’s grasp of whatever technology is being employed, as well as a pile of impossibly exotic equipment. Surely a mere mortal could never do that!
Happily, that’s not always the case, and to prove it [Gonçalo Nespral] replicated an attack against RF devices such as some garage doors and motor vehicle locks that use a rolling code.
[Gonçalo]’s set-up uses a YARD stick One transceiver dongle as its transmitter, and an RTL-SDR for receive.
How to hack a car
A recreation of Samy Kamkar’s rolljam attack
https://hackaday.io/project/164566-how-to-hack-a-car
Tomi Engdahl says:
HIGH END PER VICES CYAN SOFTWARE DEFINED RADIO RELEASED
https://www.rtl-sdr.com/high-end-per-vices-cyan-software-defined-radio-released/
Tomi Engdahl says:
Building a Passive IMSI Catcher
https://harrisonsand.com/imsi-catcher/
An IMSI catcher is a device commonly used by law enforcement and intelligence agencies around the world to track mobile phones.
The purpose of this post is to be educational – to highlight the ease of which these devices can be built, and to practically show how privacy is already being compromised today. Nothing in this post is necessarily new, and those with less than honest intentions are most certainly already using these (or similar) devices.
passive IMSI catcher, which is distinctly different from traditional IMSI catchers in that it does not transmit nor does it interfere with cellular networks in any way.
Traditional IMSI catchers are illegal in most jurisdictions
The passive IMSI catcher works by capturing IMSI numbers when a phone initializes a connection to a base station
The IMSI is only disclosed during this initial connection.
you will only collect IMSI numbers for devices as they move between base stations
The only hardware required is a PC and SDR receiver that supports GSM frequencies. Generally this means 850/900/1,800/1,900 MHz. Most of the inexpensive RTL2832U based receivers have an upper-frequency range of about 1700 MHz.
I recommend something like the Nooelec NESDR SMArt XTR, which has an extended frequency range. The HackRF One is another popular option.
The project is based on a few main components:
GNU Radio – signal processing framework
gr-gsm – blocks and tools for GNU Radio that process GSM transmissions
IMSI-catcher – Python script that processes data from gr-gsm and extracts IMSI numbers
Wireshark – can be used to view raw GSM packets from gr-gsm
Tomi Engdahl says:
Full Earth Disc Images From GOES-17 Harvested By SDR
https://hackaday.com/2019/05/03/full-earth-disc-images-from-goes-17-harvested-by-sdr/
Rather than capturing images from polar satellites that pass overhead a few times a day, this article looks at capturing images from GOES-17, a geostationary satellite that looks down on the Pacific Ocean.
The fact that GOES-17 is a geostationary satellite means that it is a bit more involved. While polar satellites that orbit at an altitude of 800km or so can be received with a random piece of wire, the 35,800 km altitude of geostationary satellites means that you need a better antenna. That doesn’t have to be that expensive, though: [Eric] used a $100 parabolic antenna and a $100 Airspy Mini SDR receiver connected to an Ubuntu laptop running some open source software to receive and decode the 1.7GHz signal of the satellite.
http://esorensen.com/goes-part-1/
Tomi Engdahl says:
A DIY EMC Probe From Semi-Rigid Coax And An SDR
https://hackaday.com/2019/04/24/a-diy-emc-probe-from-semi-rigid-coax-and-an-sdr/
Do you have an EMC probe in your toolkit? Probably not, unless you’re in the business of electromagnetic compatibility testing or getting a product ready for the regulatory compliance process. Usually such probes are used in anechoic chambers and connected to sophisticated gear like spectrum analyzers – expensive stuff. But there are ways to probe the electromagnetic mysteries of your projects on the cheap, as this DIY EMC testing setup proves.
EMC probe using RTL-SDR
https://www.stupid-projects.com/emc-probe-using-rtl-sdr/
Tomi Engdahl says:
Eavesdropping On Cosmonauts With An SDR
https://hackaday.com/2019/03/28/eavesdropping-on-cosmonauts-with-an-sdr/
Tomi Engdahl says:
https://hackaday.com/2019/03/17/ebay-modules-and-custom-pcbs-make-a-plug-and-play-ham-transceiver/
Tomi Engdahl says:
Executing A Vehicle Keyless Entry Attack
https://hackaday.com/2019/03/30/executing-a-vehicle-keyless-entry-attack/
Tomi Engdahl says:
The radio navigation planes use to land safely is insecure and can be hacked
Radios that sell for $600 can spoof signals planes use to find runways.
https://arstechnica.com/information-technology/2019/05/the-radio-navigation-planes-use-to-land-safely-is-insecure-and-can-be-hacked/
Like many technologies built in earlier decades, the ILS was never designed to be secure from hacking. Radio signals, for instance, aren’t encrypted or authenticated. Instead, pilots simply assume that the tones their radio-based navigation systems receive on a runway’s publicly assigned frequency are legitimate signals broadcast by the airport operator. This lack of security hasn’t been much of a concern over the years, largely because the cost and difficulty of spoofing malicious radio signals made attacks infeasible.
Now, researchers have devised a low-cost hack that raises questions about the security of ILS, which is used at virtually every civilian airport throughout the industrialized world. Using a $600 software defined radio, the researchers can spoof airport signals in a way that causes a pilot’s navigation instruments to falsely indicate a plane is off course.
ILS malfunctions are a known threat to aviation safety, and experienced pilots receive extensive training in how to react to them. A plane that’s misaligned with a runway will be easy for a pilot to visually notice in clear conditions, and the pilot will be able to initiate a missed approach fly-around.
Another reason for measured skepticism is the difficulty of carrying out an attack. In addition to the SDR, the equipment needed would likely require directional antennas and an amplifier to boost the signal. It would be hard to sneak all that gear onto a plane in the event the hacker chose an onboard attack.
Tomi Engdahl says:
How to Hack Those Restaurant Pagers and Get Your Table Fast
https://blog.hackster.io/how-to-hack-those-restaurant-pagers-and-get-your-table-fast-d2aefd59e212
Tomi Engdahl says:
Lime Microsystems Releases Their LimeFRE Software-Definable RF Front-End Module
https://blog.hackster.io/lime-microsystems-releases-their-limefre-software-definable-rf-front-end-module-a8b59e66a431
Tomi Engdahl says:
Broadcast Signal Intrusion with RPi Zero and an old rusty Guitar String
https://pentestmag.com/broadcast-signal-intrusion-with-rpi-zero-and-an-old-rusty-guitar-string/
The good news here is that every Raspberry Pi device can be used to transmit FM signals within the 1-250 MHz range without any additional hardware!
Tomi Engdahl says:
Presenting QCSuper: a tool for capturing your 2G/3G/4G air traffic on Qualcomm-based phones
https://labs.p1sec.com/2019/07/09/presenting-qcsuper-a-tool-for-capturing-your-2g-3g-4g-air-traffic-on-qualcomm-based-phones/
most USB dongles with a Qualcomm processor exposed a special diagnostic protocol, called Diag (or DM, or QCDM – for Qualcomm Diagnostic monitor). But I have also discovered that this proprietary protocol was also present inside Android phones (through a device called /dev/diag) and it allowed a couple good things, such as obtaining raw captures of network air traffic or, in older models, reading/writing at arbitrary offsets of the radio chip’s memory (!).
Tomi Engdahl says:
QCSuper is a tool communicating with Qualcomm-based phones and modems, allowing to capture raw 2G/3G/4G radio frames, among other things.
https://github.com/P1sec/QCSuper
Tomi Engdahl says:
Universal Radio Hacker
https://hackaday.com/2017/02/23/universal-radio-hacker/
If you are fascinated by stories you read on sites like Hackaday in which people reverse engineer wireless protocols, you may have been tempted to hook up your RTL-SDR stick and have a go for yourself. Unfortunately then you may have encountered the rather steep learning curve that comes with these activities
You could then be interested by [Jopohl]’s Universal Radio Hacker. It’s a handy piece of software for investigating unknown wireless protocols. It supports a range of software defined radios including the dirt-cheap RTL-SDR sticks, quickly demodulates any signals you identify, and provides a whole suite of tools to help you extract the data they contain. And for those of you scarred by dependency hell, installation is simple, at least for this Hackaday scribe. If you own an SDR transceiver, it can even send a reply.
Universal Radio Hacker: investigate wireless protocols like a boss
The Universal Radio Hacker (URH) is a software for investigating unknown wireless protocols. Features include
hardware interfaces for common Software Defined Radios
easy demodulation of signals
assigning participants to keep overview of your data
customizable decodings to crack even sophisticated encodings like CC1101 data whitening
assign labels to reveal the logic of the protocol
automatic reverse engineering of protocol fields
fuzzing component to find security leaks
modulation support to inject the data back into the system
simulation environment to perform stateful attacks
Universal Radio Hacker can be installed via pip or using the package manager of your distribution (if included).
On Windows, URH can be installed with its MSI Installer.
https://github.com/jopohl/urh
Tomi Engdahl says:
RTL-SDR: Seven Years Later
https://hackaday.com/2019/07/31/rtl-sdr-seven-years-later/
Before swearing my fealty to the Jolly Wrencher, I wrote for several other sites, creating more or less the same sort of content I do now. In fact, the topical overlap was enough that occasionally those articles would get picked up here on Hackaday. One of those articles, which graced the pages of this site a little more than seven years ago, was Getting Started with RTL-SDR.
Hardware Evolution
Even though the project is called RTL-SDR, the Realtek RTL2832U chip is in reality just half of the equation; it’s a USB demodulator chip that needs to be paired with a tuner to function. In the early days, there were a number of different tuners in use, and figuring out which one you were getting was a pretty big deal. The Elonics E4000 was the most desirable tuner as it had the widest frequency range, but it could be difficult to know ahead of time what you were getting.
These days, you don’t need to wade through pages of nearly identical looking USB TV tuners to find compatible hardware. There are now several RTL2832U-based receivers which are specifically designed for RTL-SDR use, generally selling for around $30. These devices not only address the shortcomings of the original hardware offerings, but in many cases add in new capabilities that simply wouldn’t have made sense to include back when they were just for watching TV on your computer.
https://hackaday.com/2012/06/27/getting-started-with-software-defined-radio/
Tomi Engdahl says:
Pluto (SDR) Goes Ethernet
https://hackaday.com/2019/05/10/pluto-sdr-goes-ethernet/
Tomi Engdahl says:
https://hackaday.com/2019/06/05/mobile-sigint-hacking-on-a-civilians-budget/
Tomi Engdahl says:
https://hackaday.com/2019/06/08/panadaptors-didnt-start-with-sdrs/
The must-have accessory on a modern all-singing, all-dancing amateur radio transceiver is a panadaptor. Inevitably driven by SDR technology, it’s a view of a band in the frequency domain, and it will usually be displayed as a “waterfall” giving a time dimension to see transmissions over a period.
Tomi Engdahl says:
HackRF One
https://www.sparkfun.com/products/13001
YARD Stick One – USB Wireless Transceiver
https://www.sparkfun.com/products/14777
The YARD Stick One (Yet Another Radio Dongle) is a palm-sized, low-speed USB wireless transceiver (similar to a Software Defined Radio or SDR) from Great Scott Gadgets that can transmit or receive digital wireless signals at frequencies below 1GHz. It uses the same radio circuit as the popular IM-Me. The radio functions that are possible by customizing IM-Me firmware are now at your fingertips when you attach YARD Stick One to a computer via USB.
With official operating frequencies of 300-348MHz, 391-464MHz, and 782-928MHz, the YARD Stick One is a half-duplex SDR that can transmit and receive under ASK, OOK, GFSK, 2-FSK, 4-FSK, MSK at data rates up to 500kb per second.
Tomi Engdahl says:
https://en.wikipedia.org/wiki/HackRF_One
The HackRF One integrates with GNU Radio and SDR# projects to provide its graphical user interface.[3] The popularity of HackRF One as a security research platform has made it featured in many information security conference talks such as BlackHat, DEF CON and BSides.[4][5][6]
https://www.banggood.com/HackRF-One-1MHz-to-6GHz-USB-Open-Source-Software-Radio-Platform-SDR-RTL-Development-Board-Reception-of-Signals-p-1545357.html?p=27131452996820140438
Tomi Engdahl says:
https://www.banggood.com/PortaPack-H1-For-HackRF-One-1MHz-6GHz-SDR-Receiver-and-Transfer-AM-FM-SSB-ADS-B-SSTV-Ham-Radio-Transceiver-p-1545380.html?p=27131452996820140438
Tomi Engdahl says:
FlexRadio Teams with Raytheon Team to Develop Airborne HF Radio
http://www.arrl.org/news/flexradio-teams-with-raytheon-team-to-develop-airborne-hf-radio
In a strategic partnership with Raytheon, US Amateur Radio equipment manufacturer FlexRadio®has been selected by the US Air Force to adapt its off-the-shelf SmartSDR/FLEX-6000 architecture for HF modernization of airborne communications platforms. The new radio will provide beyond line-of-sight, long distance communications for air crews.
“We are excited to convey that our proven modular direct sampling hardware, Open Waveform API, and IP-based architecture provide a ready platform for agile development to meet 21st century communication needs,”
Tomi Engdahl says:
An SDR Transceiver The Old-School Way
https://hackaday.com/2019/06/29/an-sdr-transceiver-the-old-school-way/
Tomi Engdahl says:
A Briefcase Pentesting Rig For The Discerning Hacker
https://hackaday.com/2019/07/03/a-briefcase-pentesting-rig-for-the-discerning-hacker/
In the movies, the most high-tech stuff is always built into a briefcase. It doesn’t matter whether it’s some spy gear or the command and control system for an orbiting weapons platform; when an ordinary-looking briefcase is opened up and there’s an LCD display in the top half, you know things are about to get interesting. So is it any surprise that hackers in the real-world would emulate the classic trope?
An all-in-one briefcase for pentesting, OSINT and radio exploration
https://github.com/Sekhan/NightPi
Tomi Engdahl says:
Mobile SIGINT Hacking On A Civilian’s Budget
https://hackaday.com/2019/06/05/mobile-sigint-hacking-on-a-civilians-budget/
Signals Intelligence (SIGINT) refers to performing electronic reconnaissance by eavesdropping on communications, and used to be the kind of thing that was only within the purview of the military or various three letter government agencies. But today, for better or for worse, the individual hacker is able to pull an incredible amount of information out of thin air with low-cost hardware and open source software. Now, thanks to [Josh Conway], all that capability can be harnessed with a slick all-in-one device: the RadioInstigator.
https://gitlab.com/crankylinuxuser/siginttablet
Tomi Engdahl says:
Fairwaves Set to Launch XCOM Embedded x86 Platform for SDR Applications
https://www.hackster.io/news/fairwaves-set-to-launch-xcom-embedded-x86-platform-for-sdr-applications-ffef549d0dfa
Tomi Engdahl says:
#HackaCurtain:– “Hack” radio-controlled curtains with an SDR.
This repo contains #tools for #listening and #transmitting messages for the Somfy curtains #system. Somfy transmits on 433.42 MHz and uses amplitude shift keying for #modulation (ASK/OOK), and encodes it with Manchester code.
Hardware used:–
1. #HackRF One
2. Homemade #antennas
#Download #Link:-
https://github.com/adligeerik/HackaCurtain
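An added example (not code from the HackaCurtain project or the comment above) of the encoding the post names: Manchester-coded bits carried as OOK, recovered from a constructed envelope-detector output. The chip period, the sync preamble and the payload are assumptions for the illustration, not the Somfy frame format; the decoder rejects 00/11 chip pairs, which is how a Manchester decoder notices noise or a wrong chip-rate guess instead of silently emitting garbage.

```python
CHIP_SAMPLES = 8                        # assumed envelope samples per Manchester chip (half-bit)
SYNC_CHIPS = [1, 1, 1, 1, 0, 0, 0, 0]   # assumed preamble; Manchester data never has a run
                                        # of 4 equal chips, so this cannot occur in the payload


def bits_msb_first(data):
    return [(byte >> (7 - i)) & 1 for byte in data for i in range(8)]


def manchester_encode(data, ieee=True):
    """Two chips per bit. IEEE 802.3: 0 -> 01, 1 -> 10; G.E. Thomas: the opposite."""
    chips = []
    for bit in bits_msb_first(data):
        pair = [0, 1] if bit == 0 else [1, 0]
        chips += pair if ieee else pair[::-1]
    return chips


def to_ook_envelope(chips):
    """Constructed envelope-detector output: carrier on ~0.9, off ~0.1, plus small ripple."""
    env = []
    for n, chip in enumerate(SYNC_CHIPS + chips):
        for k in range(CHIP_SAMPLES):
            env.append((0.9 if chip else 0.1) + 0.03 * ((n + k) % 3 - 1))
    return env


def slice_chips(envelope, threshold=0.5):
    """Hard-decide every sample, then keep the middle sample of each chip period."""
    hard = [1 if v > threshold else 0 for v in envelope]
    mid = CHIP_SAMPLES // 2
    return [hard[i + mid] for i in range(0, len(hard) - CHIP_SAMPLES + 1, CHIP_SAMPLES)]


def find_sync(chips):
    """Index of the first chip after the preamble."""
    for i in range(len(chips) - len(SYNC_CHIPS) + 1):
        if chips[i:i + len(SYNC_CHIPS)] == SYNC_CHIPS:
            return i + len(SYNC_CHIPS)
    raise ValueError("sync pattern not found")


def manchester_decode(chips, ieee=True):
    """Chip pairs -> bits -> bytes (MSB first). A 00 or 11 pair is a coding violation."""
    bits = []
    for first, second in zip(chips[0::2], chips[1::2]):   # zip drops a trailing odd chip
        if first == second:
            raise ValueError(f"Manchester violation: chip pair {first}{second}")
        bits.append(first if ieee else second)
    return bytes(int("".join(map(str, bits[i:i + 8])), 2) for i in range(0, len(bits) - 7, 8))


def decode_envelope(envelope, ieee=True):
    chips = slice_chips(envelope)
    return manchester_decode(chips[find_sync(chips):], ieee)


def demo():
    payload = b"\xa5\x3c\x01"   # constructed payload, not a real remote frame
    return decode_envelope(to_ook_envelope(manchester_encode(payload)))   # -> same bytes back


if __name__ == "__main__":
    print(demo().hex())
```

Decoding an IEEE-encoded stream with `ieee=False` returns the bit-complement, which is the usual symptom when the polarity convention of an unknown protocol has been guessed wrong.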
Tomi Engdahl says:
Salil Tembe Demonstrates Arbitrary Text Transmission Over-the-Air via LimeSDR, RTL-SDR and GNU Radio
https://www.hackster.io/news/salil-tembe-demonstrates-arbitrary-text-transmission-over-the-air-via-limesdr-rtl-sdr-and-gnu-radio-8f8310d7d515
Tembe’s article goes through creating a GNU Radio flow graph to take the file, encode it with binary phase shift keying (BPSK), and transmit it through the LimeSDR — complete with a background on the mathematics behind the process. A second flow graph demonstrates the reception and decoding – including the use of an equaliser to compensate for multipath signalling effects.
Tembe’s full write-up is available on his website Nuclear Rambo, along with downloads for the GNU Radio flow graphs. “If you don’t have a LimeSDR Mini,” he writes, “you could try this setup on a PlutoSDR or even HackRF One.”
https://nuclearrambo.com/wordpress/transferring-a-text-file-over-the-air-with-limesdr-mini/
Tomi Engdahl says:
Paweł Spychalski’s RTL-SDR Analysis Finds Action Cameras to Blame for GPS Signal Loss on Drones
https://www.hackster.io/news/pawel-spychalski-s-rtl-sdr-analysis-finds-action-cameras-to-blame-for-gps-signal-loss-on-drones-323c859fec9a
Drone enthusiast Paweł Spychalski has published a video which demonstrates a surprising source of navigational noise in GPS-equipped devices, proving his point with measurements captured by a low-cost RTL-SDR software defined radio: high-definition video cameras.
“You might believe it or not (today I will prove it, however) that HD cameras, especially cheap ones, can be responsible for GPS problems on your drones and model airplanes,” Spychalski explains. “The majority of HD cameras (RunCam Split, Runcam Split Mini, Foxeer Mix, Caddx Tarsier) generate RF noise on different frequencies. Some of them on 433 MHz, some on 900 MHz, but most of them also at around 1 GHz – just where one of the frequencies used by GPS signal sits. As a result, many GPS modules are reported to have problems getting a fix when the HD camera is running.”
Tomi Engdahl says:
https://hackaday.com/2019/08/12/the-death-of-a-weather-satellite-as-seen-by-sdr/
Tomi Engdahl says:
Alarm System Defeated By $2 Wireless Dongle, Nobody Surprised
https://hackaday.com/2019/08/23/alarm-system-defeated-by-2-wireless-dongle-nobody-surprised/
Tomi Engdahl says:
Easy Direction Finding Thanks To Quad SDRs
https://hackaday.com/2019/08/22/__trashed-3/
Tomi Engdahl says:
https://hackaday.com/2019/08/31/a-radio-transceiver-from-a-cable-modem-chipset/
Tomi Engdahl says:
https://hackaday.com/2019/09/03/ham-radio-gets-embedded-rtl-sdr/
Tomi Engdahl says:
Hams In Space: Gearing Up For The Lunar Gateway
https://hackaday.com/2019/09/16/hams-in-space-gearing-up-for-the-lunar-gateway/
Tomi Engdahl says:
https://hackaday.com/2019/10/01/bouncing-signals-off-the-moon/
Tomi Engdahl says:
Build a Long-Distance Data Network Using Ham Radio
https://spectrum.ieee.org/geek-life/hands-on/build-a-longdistance-data-network-using-ham-radio
Tomi Engdahl says:
https://hackaday.com/2019/07/11/the-physics-behind-antennas/
Tomi Engdahl says:
A DIY Step Attenuator, By Gluing Together Two Smaller Ones
https://hackaday.com/2019/06/04/a-diy-step-attenuator-by-gluing-together-two-smaller-ones/
Tomi Engdahl says:
Broadcast Signal Intrusion with RPi Zero and an old rusty Guitar String
https://pentestmag.com/broadcast-signal-intrusion-with-rpi-zero-and-an-old-rusty-guitar-string/
#pentest #magazine #pentestmag #pentestblog #PTblog #broadcast #signal #intrusion #RPi #zero #cybersecurity #infosecurity #infosec
Tomi Engdahl says:
Keep An Eye On The Neighborhood With This Passive Radar
https://hackaday.com/2019/11/08/keep-an-eye-on-the-neighborhood-with-this-passive-radar/
If your neighborhood is anything like ours, walking across the street is like taking your life in your own hands. Drivers are increasingly unconcerned by such trivialities as speed limits or staying under control, and anything goes when they need to connect Point A to Point B in the least amount of time possible. Monitoring traffic with this passive radar will not do a thing to slow drivers down, but it’s a pretty cool hack that will at least yield some insights into traffic patterns.
Measuring Traffic in a Neighborhood with KerberosSDR and Passive Radar
https://www.rtl-sdr.com/measuring-traffic-in-a-neighborhood-with-kerberossdr-and-passive-radar/
Tomi Engdahl says:
Arduino as AM transmitter
https://create.arduino.cc/projecthub/michalin70/ab-use-an-arduino-as-am-music-transmitter-d3b6e3
Tomi Engdahl says:
Arduino as FM transmitter
http://tiny.cc/vzfwgz