Channel: HackRF – rtl-sdr.com

SignalsEverywhere: Exploring Cable Modem Signals with Software Defined Radio

Over on YouTube SignalsEverywhere has just uploaded his latest video about using a HackRF and Airspy R2/Mini to explore the signals coming out of an internet cable modem's coax cable. In the video he performs a wideband scan with his Airspy R2 and the SpectrumSpy software which shows not only his, but the downstream signals from other users in his neighborhood on the cable network too.

Next using his HackRF with Spectrum Analyzer and the hackrf_sweep fast sweeping software, he was able to determine the uplink portion of his cable modem. By running an internet speed test in the background he was also able to visualize the increased cable data activity on the spectrum waterfall display.

The Secret Signals Hiding In Your Cable Modem | SDR Used to Sniff Cable Internet Modem Coax

Opening a Parking Barrier with a HackRF Portapack and a Replay Attack

Over on YouTube user kwon lee has uploaded a video demonstrating a replay attack against a parking barrier arm. The tools he uses are a HackRF and Portapack running the Havoc firmware. A replay attack involves recording a control signal with the HackRF+Portapack, and then replaying it later with the transmit function of the HackRF. If no wireless security mechanism such as rolling codes is used, simply replaying the signal will result in the transmission being accepted by the controller receiver.

As he has access to the remote control he records the transmission that is sent when the open button is pressed on the remote. Later once outside he shows how transmitting with the HackRF+Portapack results in the barrier arm opening.

This reminds us of a previous post where we noted how a HackRF was used to jam a garage door keyfob to prevent people from leaving in the TV show "Mr. Robot".

RF Replay Attack _ Parking-Breaker with HackRFone+Portapack+havoc

DragonOS: Debian Linux with Preinstalled Open Source SDR Software

Thank you to Aaron for submitting news about his latest project called "DragonOS" which he's been working on while in COVID-19 lock down. DragonOS is a Debian Linux based operating system which comes with many open source software defined radio programs pre-installed. It supports SDRs like the RTL-SDR, HackRF and LimeSDR.

Aaron's video below shows how to set up DragonOS in a VirtualBox, and he has two other videos on his channel showing how to set up ADS-B reception with Kismet, and how to run GR-RDS in GNURadio. He aims to continue with more tutorial videos that make use of the software installed on DragonOS in the near future.

DragonOS 10 Installer (download in description)
Screenshot of the GR-RDS Tutorial

DragonOS Updated: Now with OP25 Installed and many new YouTube Tutorials

Last month we posted about Aaron's "DragonOS" project, which is a ready to install Linux ISO aimed to make getting started with SDR software easy by providing several programs preinstalled, as well as providing multiple video tutorials. Recently he's updated the build, this time basing it on Lubuntu 18.04 allowing for Legacy and UEFI support, along with disk encryption. The OS supports RTL-SDRs as well as the HackRF and bladeRF and probably supports most other SDRs via the SoapySDR interface.

In terms of software he's also added OP25 and bladeRF support. Other programs pre-installed include rtl_433, Universal Radio Hacker, GNU Radio, Aircrack-ng, GQRX, Kalibrate, hackrf, Wireshark, gr-gsm, rtl-sdr, HackRF, IMSI-catcher, Zenmap, inspectrum, qspectrumanalyzer, LTE-Cell-Scanner, CubicSDR, Limesuite, ShinySDR, SDRAngel, SDRTrunk, Kismet, BladeRF.

His DragonOS YouTube tutorial channel is also growing fast, with several tutorials showing you how to use DragonOS to perform tasks like listen to trunked mobile radios, use QSpectrumAnalyzer with a HackRF, receive NOAA APT weather satellite images, retrieve cellular network information via a rooted Samsung Galaxy S5, create a ShinySDR server with rtl_433 and how to capture and replay with a HackRF.

DragonOS running CubicSDR

TechMinds: Demonstrating the QT-DAB Digital Audio Broadcast Decoder

Over on YouTube TechMinds has uploaded a video where he explores the QT-DAB software (formerly known as SDR-J), which is a program capable of decoding Digital Audio Broadcast (DAB) signals. QT-DAB is compatible with several SDRs including the RTL-SDR, HackRF, Airspy and SDRplay units. 

DAB stands for Digital Audio Broadcast and is a digital broadcast radio signal that is available in many countries outside of the USA. The digital signal encodes several radio stations, and it is considered a modern alternative or future replacement for standard analog broadcast FM.

In the video TechMinds explains how to download, install and use the software on a Windows machine. He goes on to demonstrate some DAB decoding in action with various SDRs and then shows how to connect QT-DAB to a remote RTL-SDR via rtl_tcp.

DAB Radio Decoder For SDR (RTL_SDR - HACKRF - AIRSPY)

Decoding 5GHz NTSC Video from Drones with a HackRF, DragonOS and SigDigger

Over on his YouTube channel Aaron has uploaded a video showing how we can use SigDigger to decode analog NTSC video from a drone camera which is transmitted at 5.7 GHz. SigDigger is a rapidly evolving SDR program for Linux and MacOS that has a lot of built in functionality for inspecting signals in more depth. Although not specifically designed for it, the Symbol Stream viewer in SigDigger can be used to display NTSC Analog Video. Aaron writes:

For the most part, the older an analog modulation is, the easier it is to get basic results when decoding. TV receivers were rather dumb back in the day, basically fast fax machines glued to an off-band FM radio receiver. Receiver circuits were also slow, and the signal had lots of invisible blank spaces in the borders so that the cheapest TVs could switch to the next line in time. The invention of Teletext leveraged those blanks in order to carry digital information and color information was embedded as an additional narrowband signal in the gaps in the spectrum.

With this in mind I wanted to take a look at decoding analog video transmissions from drones. While some drones have moved to more effective digital compression and channel transmission technologies allowing for high definition video, there’s still drones using RC-like communications and the FPV video link is pure FM-modulated NTSC.

Searching the internet provided few results on how I could go about using low cost equipment, such as the HackRF One, to decode drone feeds. After an extensive search I decided to start looking at Linux based software defined radio applications I was already familiar with. By chance I happened to be working with SigDigger, a free digital signal analyzer. It has been discussed on RTL-SDR.com and more recently on Signal Lounge (https://signal-lounge.com/2020/05/05/sigdigger-for-signal-analysis/). It is also included in my own creation, DragonOS (https://sourceforge.net/projects/dragonos-lts/)

After a brief email exchange with the developer it was brought to my attention that visualizing analog video transmission is possible in SigDigger (although with no color information, of course). Since SigDigger supports the HackRF and the HackRF provides coverage in the 5ghz band, it was now possible for me to try to decode a 5ghz drone video feed. I’ve documented the process and my results on my YouTube channel. I should point out that this is currently a side feature of SigDigger and currently lacks synchronization. The symbol view area I used in the video is not made for this. It is meant to display symbols and symbols patterns which, due to its behavior, can incidentally show the contents of analog TV and weather faxes with lots of manual adjustments.

While the SigDigger developer makes mention of plans to include an embedded generic analog TV viewer and possibly add the ability to automatically sync video, there’s currently no timeframe on when that might become available.

SigDigger Decoding NTSC Video from a Drone Camera

DragonOS LTS SigDigger demodulating a 5 GHz analog video/FPV drone link (HackRF One, SigDigger)

We note that if you're interested in PAL/NTSC decoding, there is also the excellent TVSharp plugin for SDR# available.

Derpcon 2020 Talk: Breaking into the World of Software Defined Radio

Derpcon is a COVID-19 inspired information security conference that was held virtually between April 30 - May 1 2020. Recently the talks have been uploaded to their YouTube channel. One interesting SDR talk we've seen was by Kelly Albrink and it is titled "Ham Hacks: Breaking into the World of Software Defined Radio". The talk starts by giving a very clear introduction to software defined radio, and then moves on to a more complex topic where Kelly shows how to analyze and reverse engineer digital signals using a HackRF and Universal Radio Hacker.

RF Signals are basically magic. They unlock our cars, power our phones, and transmit our memes. You’re probably familiar with Wifi and Bluetooth, but what happens when you encounter a more obscure radio protocol? If you’re a hacker who has always been too afraid of RF protocols to try getting into SDRs, or you have a HackRF collecting dust in your closet, this talk will show you the ropes. This content is for penetration testers and security researchers to introduce you to finding, capturing, and reverse engineering RF signals. I’ll cover the basics of RF so you’re familiar with the terminology and concepts needed to navigate the wireless world. We’ll compare SDR hardware from the $20 RTLSDR all the way up to the higher end radios, so you get the equipment that you need without wasting money. I’ll introduce some of the software you’ll need to interact with and analyze RF signals. And then we’ll tie it all together with a step by step demonstration of locating, capturing, and reverse engineering a car key fob signal.

Ham Hacks: Breaking into the World of Software Defined Radio - Kelly Albrink

Tech Minds: A First Look at the HackRF Portapack

The Portapack is an add on for the HackRF SDR that allows the HackRF to be used portably without a PC. If you're interested, in the past we reviewed the Portapack with the Havoc firmware, which enables many TX features such as POCSAG transmissions as well as various other RX modes.

In a recent video Tech Minds reviews a Portapack clone, which is essentially exactly the same as the original Portapack. In the video he shows how to connect the Portapack to the HackRF, and how to download the firmware and flash it to the HackRF. He then goes on to show some of the Portapack RX features in action. In this review he uses the official Portapack firmware, but notes that in a future video he will test the third party Havoc and Mayhem firmware, which have many more features.

Portapack H1 For HackRF - Ultimate RF Hacker Tool

Tech Minds: Testing the Mayhem Firmware on the HackRF Portapack

In a video uploaded to YouTube last week, Tech Minds explored the HackRF Portapack, which is an add on for the HackRF SDR that allows the HackRF to be used portably without a PC. In that video he demonstrated it running the stock firmware.

In his latest video Tech Minds explores the Mayhem firmware, which is firmware developed by a third party in order to add significantly more features. The Mayhem firmware is a fork of the Havoc firmware which is no longer maintained. If you're interested, back in 2018 we did our own review of the Havoc firmware.

In the video Tech Minds first explains how to install the Mayhem firmware which also requires you to add an external SD card into your portapack. He goes on to demonstrate the various RX decoders available including ADS-B, ACARS, AIS, AFSK, BTLE, FM/AM/SSB audio, analog TV, ERT meters, POCSAG, Radiosonde and TPMS. Next he shows the various transmittable signals available including, ADS-B, APRS, BHT, GPS Sim, Jammer, Key Fob, LGE, Mic, Morse, Burger Pagers, OOK, POCSAG, RDS, Sounds, SSTV, TEDI/LCR and TouchTune.

MAYHEM Firmware for the HackRF Portapack Installation / Overview

Tech Minds: Eavesdropping on Video Monitors with TempestSDR

In his latest video Tech Minds explores the use of TempestSDR to eavesdrop on video monitors with his Airspy Mini. TempestSDR is a program that we've posted about several times in the past. With an RTL-SDR or other compatible SDR like a HackRF it allows you to reconstruct an image from a computer monitor or TV just from the radio waves unintentionally emitted by the screen or cable. SDRs with larger bandwidths like the HackRF or Airspy are better at reconstructing the image as they can collect more information.

In his video Tech Minds shows how to download and setup one of the newer branches of TempestSDR which unlike older versions doesn't require much installation work. Using an Airspy Mini he shows that he is able to view what is on his screen via the emitted RF waves.

Eavesdropping Video Monitors With TempestSDR RTL-SDR

RadioSlate: A Tablet with Built in LimeSDR or HackRF

A new project called "RadioSlate" has recently been announced by Yian IT, a Chinese IoT company. RadioSlate will be an SDR-enabled tablet designed to be used with a HackRF or LimeSDR software defined radio that will be mounted internally behind the screen under some metal shielding. The tablet uses a 1024 x 600 touchscreen and runs an Intel M3 8100Y 1.1 to 3.4 GHz dual core CPU with 8GB of RAM, 64GB of storage and it supports both Linux and Windows. Batteries will not be included, but it supports batteries in the standard 18650 form factor which can be purchased anywhere.

The project is due to be crowdfunded on CrowdSupply in the near future, and you can currently sign up to receive updates and be notified when the project launches. They write:

RadioSlate is a sturdy aluminum tablet with an industry-favorite software-defined radio (SDR) board—your choice of HackRF or LimeSDR—tucked away behind its touchscreen. Whether you’re a Ham radio operator, a network engineer, a mobile base station designer, a security auditor, or some other variety of SDR enthusiast, RadioSlate lets you do your thing, even if that thing requires you to go outside and walk around, get unusually close to transmitters and receivers, keep one hand free for other tasks, or manage all of the above without drawing undue attention to yourself.

Explore the spectrum, while on the go, without having to drag along your laptop, an SDR board, and cables.

The RadioSlate: An SDR-enabled Tablet

Alpha Version of SDR++ Released

SDR++ is an open source general purpose cross platform SDR program that Alexandre Rouma (@WhatsTheGeekYT) has been working on for the past few months. Recently he released his first Windows Alpha version to the public which is available from the GitHub release page. The SDR++ GUI is inspired by SDR#, however, SDR++ as you might guess is programmed in C++ instead of C#.

In order to use SDR++ on Windows you will first need to have installed PothosSDR for the SoapySDR and volk support. To do this you can follow the instructions here. Thanks to the SoapySDR support it is able to run with most SDRs including the RTL-SDR.

To start the program, select your SDR from the source menu, change the sample rate (which is set to the minimum value by default), then click the play button. We tested it with both an RTL-SDR and HackRF, and both units worked just fine, although at lower sample rates the waterfall was a bit choppy. We do note that the software is very much in the alpha phase with only a few features implemented, and most menu items do not work yet. But the main features including WFM, FM, AM, SSB, CW demodulation as well as the spectrum and waterfall are all functional. Unfortunately there do seem to be a few stability issues as we experienced frequent crashes on our PC.

We'll be watching this software with interest to see how it progresses.

Current Features

  • Uses SoapySDR for wide hardware support
  • Hardware accelerated graphics (OpenGL + ImGui)
  • SIMD accelerated DSP (parts of the DSP are still missing)
  • Cross-platform
  • Full waterfall update when possible. Makes browsing signals easier and more pleasant

Coming soon

  • Multi-VFO
  • Plugins
  • Digital demodulators and decoders
  • Quick replay (replay last n seconds, cool if you missed a short signal)

Small things to add

  • Switchable bandwidth for demodulators
  • Switchable audio output device and sample rate
  • Recording
  • Light theme (I know you weirdos exist lol)
  • Waterfall color scheme editor
  • Switchable fft size
  • Bias-T enable/disable
  • other small customisation options
  • Save waterfall and demod settings between sessions
  • "Hide sidebar" option
  • Input filter bandwidth option

Known issues (please check before reporting)

  • Random crashes (yikes)
  • Gains aren't stepped
  • The default gains might contain a bogus value before being adjusted
  • Clicks in the audio
  • In some cases, it takes a long time to select a device (RTL-SDR in particular)
  • Min and Max buttons can get unachievable values (eg. min > max or min = max);
The SDR++ Interface

TechMinds: Extending the Range of Transmit Capable SDRs with Amplifier

Over on his YouTube channel TechMinds has uploaded a new video showing how to use RF amplifiers to extend the transmit range of transmit capable SDRs like the LimeSDR, HackRF and PlutoSDR. Whilst they are transmit capable, most low cost SDRs like those mentioned above can only transmit at very low power levels, typically much less than 30 mW. In the video TechMinds tests a wideband SPF5189Z and a filtered 2.4 - 2.5 GHz CN0417 based amplifier, and shows the output power obtained using an inline power meter.

He also notes that these wideband amplifiers will also amplify harmonics, so filtering is recommended. At the same time we note that you should only transmit if you are licenced to do so (for example with a ham radio licence), especially if you are amplifying the output.

Extend SDR Transmit Range - LimeSDR - HackRF - Adalm Pluto Amplifier

Using a PlutoSDR and Mixer to Transmit 70cm DATV to a 23cm Satellite Receiver

Over on her YouTube channel, SignalsEverywhere, Sarah has uploaded a new video showing how she uses a PlutoSDR, HackRF and mixer to transmit DVB-S digital amateur TV to a standard satellite set top box. In this video the idea is to get a little more range by using the PlutoSDR to transmit in the 70cm band, then upconverting that to the 23cm band right at the satellite receiver. Transmitting at the lower frequency yields a higher power output from the PlutoSDR and less cable loss. The mixer consists of a passive mixer chip and a HackRF is used as the mixer LO signal source as a temporary test solution.

Digital TV Transmitter 70cm ATV to 23cm Satellite Receiver Using a Mixer/Upconverter

Searching For Extraterrestrial Intelligence (SETI) with a HackRF

The Search for Extraterrestrial Intelligence (SETI) is an ongoing project that aims to detect radio signals originating from intelligent species somewhere in the universe. Recently Alberto Caballero, a SETI researcher has been proposing a distributed search (project pdf document) with amateur and/or professional radio telescopes. The idea is that multiple stations around the world would monitor a single star for a period of time in order to collect data 24/7. To participate the requirements are a dish 2.1 meters or larger, a motorized mount, and a feed, LNA and radio system able to receive 1 - 4.5 GHz.

An example of a SETI station can be found at SETI Net. Here the owner has a 3M dish on a rotor connected to a HackRF. An LNA and band pass filter are also used at the feed end. SDR Console or SDR# is used to monitor a specific frequency, and the audio is sent into a special automatic SETI analysis program as well as spectrum analysis software. If an interesting signal is detected the software notifies the user, then further analysis can be undertaken.

If you have a suitable radio telescope available and want to participate, you can contact the SETI project via their contact form.

SETI Net Block Diagram

Testing the Mayhem Firmware on a HackRF Portapack

The Portapack is an add on for the popular HackRF SDR which allows the HackRF to be used portably without a PC. Recently the cost of this hardware duo has come down to below US$150 due to low cost Chinese clones now being available on the market. Generally the clones are of good quality too.

Once you have the hardware it is possible to install third party custom firmware such as "Mayhem" on the Portapack which enables many features such as the ability to receive and transmit various different types of RF protocols. Back in 2018 we did a review of Mayhem's predecessor which was known as the "Havoc" firmware. More recently Tech Minds did a video overview of Mayhem.

Now over on his blog A. Petazzoni has started a new blog series which aims to introduce the basics of the Mayhem firmware, including installation and some hands on testing with RF spoofing, denial-of-service (DoS) and replay attacks. Currently only his first post is out, and in the post he shows how to install Mayhem onto the Portapack, then goes on to briefly overview some applications such as RF replay attacks, replicating wireless remote controls, receiving and transmitting POCSAG, receiving and transmitting ADS-B, and creating a jammer.

Obviously a lot of what you can do with a Portapack and the Mayhem firmware is extremely illegal and very dangerous, so please do be careful with what and where you transmit, especially if you are new to the RF hobby. These signals should remain in your test area only, and not leak out into the wider environment.

[Also seen on Hackaday]

HackRF Portapack transmitting a spoofed pager message.

Steve Mould Hacks Into his Car with a HackRF

Over on YouTube popular science content creator Steve Mould has uploaded a video showing how he was able to open his own car using a HackRF software defined radio. In the video Steve first uses the Universal Radio Hacker software to perform a simple replay attack by using his HackRF (and also an RTL-SDR V3) to record the car's keyfob signal away from the car and replay it near the car.

Steve goes on to note that most cars use rolling code security, so a simple replay attack like the above is impractical in most situations. Instead he notes how a more advanced technique called "rolljam" can be used, which we have posted about a few times in the past. Later in the video Steve interviews Samy Kamkar who was the security researcher who first popularized the rolljam technique at Defcon 2015. 

I Hacked Into My Own Car

DragonOS: Decoding FT8 on Linux with WSJT-X

DragonOS is a ready to use Ubuntu Linux image that comes preinstalled with multiple SDR programs. The creator of DragonOS, Aaron, uploads various YouTube tutorials showing how to use some of the preinstalled software. This month one of his tutorials covers how to use an SDRplay RSP1A or a HackRF to receive and decode FT8 with the preinstalled software WSJT-X or JS8Call. Aaron also notes that an RTL-SDR could also be used as the SDR.

In the video he covers how to set up a virtual audio cable sink in Linux for getting audio from GQRX into WSJT-X, setting up rigctld to allow WSJT-X to control GQRX, configuring GQRX, CubicSDR and WSJT-X, and finally downloading and using GridTracker.

DragonOS Focal Receive FT8 w/ WSJT-X (RSP1A, HackRF One, GQRX, CubicSDR, GridTracker)

SATSAGEN Spectrum Analyzer Software Updated: Now Supports RTL-SDR

Back in March last year we first posted about the release of SATSAGEN, a program by Frank (HB9FXQ) that allowed the PlutoSDR to work as a spectrum analyzer. SATSAGEN has recently been updated to version 0.5, and it now supports the RTL-SDR, HackRF and Simple Spectrum Analyzer hardware as well.

Spectrum analyzer software allows you to monitor spectrum activity over a bandwidth much larger than what your SDR supports. It works by rapidly sweeping over multiple frequencies and stitching the spectrum slices together.

Some highlights of the new features include:

  • Works with:
    • ADALM-PLUTO
    • HackRF One
    • RTL-SDR Dongles
    • Simple Spectrum Analyzer series like NWT4000, D6 JTGP-1033, Simple Spectrum Analyzer, and so on.
  • Video trigger, real-time trigger, and fast-cycle feature
  • ADALM-PLUTO custom gain table and Extended linearization table for all devices
  • Transmit from raw format files
  • I/Q balance panel
  • Waterfall
SATSAGEN Interface

Receiving SpaceX Falcon 9 Telemetry with a HackRF and 1.2m Satellite Dish

Over on the Reddit /r/SpaceXLounge discussion board user /u/Xerbot has made an interesting post showing how u/derekcz was able to receive the telemetry signals from the latest SpaceX Falcon 9 rocket launch using a HackRF and a 1.2m prime focus dish with homebuilt feed designed for the 2232.5 MHz downlink frequency. Then after demodulating the signal with GNU Radio, /u/Xerbot was able to convert that signal into binary data, and then into plain text strings. 

Another user /u/Origin_of_Mind then figured out that these strings are debug messages being sent by the software-defined GPS receiver, which amongst other data contains the GPS coordinates of the second stage. The GPS data indicates that the second stage was tracking over the north of Siberia at an altitude of 219 km and velocity of 7483m/s. /u/derekcz was able to then confirm that he was indeed recording the signal when the satellite would have been crossing Serbia, confirming the received telemetry was correct.

The entire thread is an interesting read, with multiple users dissecting the plaintext and finding out information about the launch. /u/Origin_of_Mind's post in particular explains the meaning of each of the data fields, which includes the system time, the XYZ coordinates in the earth-centered earth-fixed (ECEF) coordinate system, the loss of precision due to unfavorable GPS satellite positions and the number of GPS satellites currently received.

Another user /u/softwaresaur even notes that there was a "radiation_fdir_activation_guard" event. FDIR stands for Fault Detection, Isolation and Recovery, and this event was triggered due to a 0.06 s mission time discrepancy between the rocket and GPS true time.

SpaceX Falcon 9 Telemetry Downlink Decoded