SDRSoftware Defined Radio

Introduction and Demo by Jay Clegg

My Background• Software developer, co-owner of Red Tree Labs • Hobbies: embedded dev, electronics, robotics, reverse engineering….

generally either “building stuff” or voiding warrantees • A few of my older hobby projects are documented at planetclegg.com • I’m not a radio expert, my dad is the radio engineer in the family… • …but I’ve been playing around with SDRs since 2015 • NB: I may over-simplify some things in this discussion, either from my

own lack of knowledge, or just for brevity.

SDR: what is it?• Software-defined radio (SDR) is a

radio communication system where components that have been typically implemented in hardware (e.g. mixers, filters, amplifiers, modulators/demodulators, detectors, etc.) are instead implemented by means of software on a personal computer or embedded system. (Wikipedia)

Photo By Dsimic (Own work) [CC BY-SA 4.0 (http://creativecommons.org/licenses/by-sa/4.0)],

via Wikimedia Commons

wut?• Traditional radios are purpose built for receiving certain types of

signals. Adding more functionality means more electronics or a different receiver

• With SDRs, the electronics are sort of “dumb”, all the “smarts” of demodulating and decoding signals is done with software

• Because of this, a low-cost SDR can do the work of many different types of specialized radios and other more expensive equipment

• Trade-off: Affordable SDRs are not generally as sensitive or selective as a good purpose-built radio

SDR: why should I care?• It’s a fun way to learn about and explore a hidden world, probably many things on the airwaves you never realized

• There are interesting/useful digital signals that can be decoded, many are simple and unencrypted, and software already exists

• New/old frontier for hacking, pen-testing, sniffing/SIGINT, reverse-engineering, now “democratized” due to low cost.

• You may be able to repurpose dumb devices into “Internet of Things” devices

• Cost to get started is very low (~$25 + your computer)

History• SDR has been around in some form since the 80’s or 90’s, but until recently SDR rigs were very

expensive, most software and hardware was very proprietary. The signal processing required FPGAs back then.

• Inexpensive SDRs are relatively new; some clever people realized around 2010 that mass-produced European HDTV (DVB-T) USB receivers had general purpose radios with a broad frequency range in them.

• First SDR drivers for what became known as “RTL-SDR” (Realtek 2832U ADC + R820T or E4000 tuners) showed up around 2012

• Early RTL-SDRs were just repurposed or repackaged DVB-T dongles, some sold as SDRs even came with a IR TV remote (that served no purpose for an SDR)

• In the last 2-3 years, scene has exploded, many custom offerings available in the <$500 range.

Caveats

Know the law(s)• Radio communications generally governed by Federal Law in the US, and regulated by the

FCC. Individual States may add to this (e.g. some states, illegal to listen to police frequencies)

• Listening in on cellphones or pager traffic, or “private conversations”, can be a felony. Breaking encryption may be illegal as well. Of interest: “1986 Electronic Communications Privacy Act (ECPA)”. Title 47 of Codes of Federal Regulation (47 CFR) for “Telecommunications”. Some laws are vague and dated and ambiguous.

• Transmitting is highly regulated, even the “unlicensed” and amateur bands have complex rules for not interfering with other signals.

• You should probably get amateur (HAM) radio license(s) before playing around with transmitters of any kind, and understand all the rules. Google “ARRL” for more info.

• IANAL. Be smart: do a little research and use common sense.

SDR misconceptions• More expensive SDRs, or SDRs with larger frequency ranges are not necessarily

better than cheaper ones. e.g. a >$300 HackRF is a poor receiver compared to a decent ~$20 RTL-SDR)

• Most SDRs are receive-only. And they don’t cover all possible frequency ranges.

• Learning how to transmit using TX-capable SDRs is much more difficult than RX, not for novices.

• Receiving a signal ≠ decoding it. Some signals are very difficult to decode into a useful format without specialized software or hardware. (e.g. GPS, Wifi)

• There are better (non-SDR) tools for Wifi/Bluetooth hacking. (e.g. WiFi radio with monitor/promiscuous-mode support; ubertooth, or BLE sniffer)

Hardwarewhat do they look like?

Hardware

• Typical ones look like a USB wifi dongle with a connector for an external antenna

• Some expensive or specialized ones are larger, a few are quite tiny

• A few are sold separately from the enclosure

• (Typical-sized ones on next slide)

Hardware Notes• Not all SDR software works with all SDR hardware. RTL-SDRs are

still the most widely supported

• Not all RTL-SDRs are created equal. Some companies have advanced the RF characteristics, added features and improved discrete components of these instead of just repackaging cheap DVB-T dongles.

• Lots of repackaged DVB-T dongles still being sold (avoid these)

SDR SoftwareGraphical / General Purpose

(An incomplete list)

SDR#• Probably the most popular, or at

least was at some point

• Plugin API plus lots of third party plugins give it a LOT of flexibility

• Free as in beer

• Very complex UI, but very configurable

• Windows only :-( Doesn’t really work with Mono, maybe can run in a VM.

GQRX• Very capable software for Linux,

Mac, even Raspi. Windows port as part of PothosSDR (not official supported by gqrx devs)

• Lots of device support. Free as in speech. (GNU license)

• I personally find the UI to be clunky, but not as complex as SDR#

• “Based on GNU radio”

CubicSDR• My Personal favorite: Win, Linux,

Mac. I’ve personally compiled on Ras-Pi 3 (sorta works)

• Unusual but simple UI; very graphical/modern. OpenGL based

• Broad hardware support via SoapySDR abstraction library

• Free as in speech (GNU)

• Plugin support planned, but not available yet

Other general RX software• HDSDR (Windows only)

• Linrad

• SDRDX

• SDR Touch (Android, use USB-OTG cable)

• Many, many more..

SDR Softwarecommand-line and/or esoteric

librtlsdr• driver/library plus command-line tools to interface to RTL-SDR dongles

• rtl_fm will demodulate signals and produce an audio stream for a wide range of signals. This is most useful to pipe into other software for processing, or SoX for listening.

• rtl_power can be run to produce heat maps of signals over a large swath of spectrum

• rtl_sdr can record raw I/Q samples for later processing

• rtl_tcp is a simple server, allowing the SDR dongle to be controlled remotely by another machine

• includes other utilities that may or may not be useful to you.

RTL_433• “433.92MHz generic data receiver”. Decodes signals from simple wireless

devices, typically in the unlicenced/ISM band at 433.92 Mhz

• 68 devices supported (and growing), mostly wireless temperature/humidity sensors, but also some remote entry keyfobs, wireless security devices, power meters, etc

• Has an analysis mode that can dump the raw hex from devices it doesn’t fully recognize (so that you can write/add your own protocol decoder)

• Useful for capturing multiple temp sensors for home automation

• There are LOTS of consumer devices out there that this software has the potential to decode

dump1090• Track airplanes via their ADS-B transmissions (!!)

• Not all aircraft send GPS coords, the ones that don’t can be tracked by becoming a node in the FlightAware network (uses trilateration between multiple SDRs running dump1090 + PiAware)

• Range can be increased greatly with a specialized filter, LNA (low-noise amplifier), tuned antenna up to 300+ miles.

• Command-line, but some forks have a web interface, can be run as a service

• AFAICT, legal to receive, but people will think you’re up to no good ;-)

• See also: News articles about discovering/tracking surveillance craft with ADS-B

More aircraft signals• You can pick up voice transmissions between aircraft and traffic control towers in the

“Aircraft Band” between 108-137 Mhz, using almost any SDR software intended for audio. Typically AM modulation. Lots of channels, so “scanner” emulation is helpful. ACARS data is at the top end of this range.

• Also of interest might be 978 Mhz UAT (Universal Access Transceiver) transmissions, similar to ADS-B but may include weather and traffic info from ground stations. It’s used exclusively in the US for aircraft below 18,000 feet (generally smaller aircraft). Software: Dump978, Stratux, EFB apps, others?

• UAT is supposed to have Weather and Traffic information via FIS-B and TIS-B

• Receiving UAT + ADS-B simultaneously requires two SDRs. A lot of small aircraft pilots build “stratux receivers” with RasPis and two SDRs for this purpose.

SDR SoftwareSignals from outer space (satellites)

Satellite reception• Low-end SDRs can receive transmissions from some satellites, with

a bit of extra work/equipment.

• In addition to specialized software, you’ll need a custom circularly-polarized antenna(s) (which you may be able to build or buy cheaply), and possibly a LNA (low-noise amplifier), as the signals will be very weak.

• Tell your friends you receive signals from outer space.

WXtoImg (NOAA imagery)• WXtoImg is used for decoding weather imagery from

older NOAA satellites (APT and WEFAX transmissions around 137-138Mhz)

• Free as in beer, with paid upgrade. Multi-platform.

• You’ll need to build a special polarized antenna to have much luck with this

• WxToImg will download kepler data to calculate a satellite flyover list for NOAA 15-19, possibly others. This will allow you to determine when to start capturing transmissions

• Operates on audio input, requires you use separate receiver software, as well as a way to pipe audio into it. It may be a little tricky to setup, but there are guides.

• Produces a “strip” of regional imagery, not “full disk”

My lame WXtoImg attempt…• Decided to try it without a proper polarized antenna, using just a long length of

wire stretched out on the ground (cut to match wavelength)

My lame WXtoImg attempt..

• Waited until there was a promising looking flyover.

• I received *something* from a satellite making a near-90 degree flyover…

• …but a very weak signal

Fail• didn’t get a strong enough signal for

WXtoImg to generate anything useful.

• This was with of my first SDRs which suffered from some problems, I may have to revisit this with a newer/better one….

• …. and build a proper polarized antenna:

Outernet• “Outernet” (outernet.is) provides an information service that includes news,

weather and other info, at 1.5ghz using Inmarsat satellites.

• They sell a kit that includes a CHIP computer, SDR, LNA and Antenna for <$100. Or you can piece parts together yourself.

• Very low bandwidth: maximum of about 15-20mb per day.

• Watching paint dry is more exciting. Leave it running for a day or two and check back.

• But if you are somewhere in the world where the internet can’t reach… might be better than nothing

Other Satellites• Amateur experimenters are actively working out techniques for

receiving info from the newer GOES satellites (some send “full disk” images!). Requires a big dish and extra equipment.

• As well as various geosynchronous satellite transmissions that aren’t encrypted (Most commonly L-Band transmissions around 1.5 Ghz)

• And low-orbit cube-sats (particularly around 437mhz)

• Others?

• Most of this work probably done with GNU Radio

SDR SoftwareHacking the RFs

GNU Radio• If you want to get into analyzing and

decoding complex signals that there is no software for yet, this is what most people use.

• Steep learning curve, and can be a little tricky to get the whole toolchain working

• assemble flow graphs graphically with GNU Radio Companion, generates python scripts you can run separately

• PyBOMBS used to distribute “out-of-tree” projects

There’s lots more software, almost all freeI’ve barely scratched the surface

DEMO TIME!CubicSDR

rtl_433 dump1090

etc

RecommendationsWhat to look for, what to buy, what not to buy

Things to look for• Buy a brand respected by the community. Lots of dubious SDRs out there, usually poor quality

• An “RTL-SDR” device (based on Realtek 2832U ADC + R820T or R820T2 tuner) will enjoy the widest range of software support. It will RX from 24Mhz - 1766 MHz (above 1.2ghz may require additional cooling). 2.8 Mhz usable bandwidth. Considering the low-cost, this is the best way to get started.

• Get a dongle with a SMA connector. If it has a smaller connector (e.g. MCX) it is probably a repackaged off-the-shelf DVB-T adapter (with no improvements), and the MCX connector will wear out or break pretty quickly

• A temperature compensated oscillator (TCXO) is helpful. Without one, the signals will “drift” off-frequency as the device heats up, and will have less accurate tuning. Look for 1-2 PPM precision or better

• Metal enclosure can help reduce spurs (spurious signals), and often helps with heat-sinking

• An optional bias-T allows the dongle to power LNAs via the antenna connector. Software selectable is better, because you will need to be able to turn it off!

• Other important characteristics: noise floor, spurs, sensitivity, filtering, built in amplifiers, etc…

Best buy: RTL-SDR Blog’s SDR• I’ve purchased several SDRs over the last 2

years… Currently for the money the RTL-SDR.COM SDR is hard to beat (as of Feb 2017).

• 24Mhz - 1766 MHz, with ~3Mhz bandwidth. Lower frequencies “possible” in raw I/Q mode.

• They’ve continually tried to improve their hardware since originally selling generic DVB-T adapters. “v3” has a metal case, SMA connector, software bias-T, TCXO, much lower noise floor and less spurs than anything else less than $100

• ~$20 on amazon, but spend the extra $5 and get the kit with an antenna

• Back in stock this month.

Runner up: NooElec NeSDR SMArt

• Similar price and specs to RTL-SDR Blog’s SDR

• Lacks bias-T, i/q mode ?

• Not quite a good a noise floor as the RTL-SDR Blog v3

• Selling point: Can plug in two side-by-side into a Raspberry PI

ADS-B only: FlightAware Pro Stick• An RTL-SDR customized with a

1090Mhz Bandpass filter + LNA, this is specific to ADS-B reception

• Alternative to RTL-SDR + Filter + LNA for ADS-B, and probably the best performing. Bargain at $21

• Useless for anything other than ADS-B !

• Older (orange) version no longer worth buying, lacks filter

More expensive SDR receivers• SDR-Play (RSP1/2) 1kHz-2Ghz, up to 10 Mhz bandwidth ($130-

$170). has preselection filters and LNA

• AirSpy/AirSpy mini: 24 Mhz-1.8 Ghz, with 10 or 6 Mhz bandwidth ($100-$170)

• NB: Neither of the above will work with software specific to RTL-SDRs, so range of software somewhat reduced.

• Many more coming out and on the way

Transceivers (RX + TX)• Not for beginners. You should get an Amateur radio license and work up to

these.

• HackRF One: 1Mhz-6Ghz, with half-duplex TX, but poor RX. $300-$350, esoteric

• LimeSDR: $300+ 100khz-3.8Ghz, TX+RX, not shipped yet, HackRF competitor, very esoteric

• BladeRF: $400 and up, 300mhz-3.8Ghz, TX+RX, HackRF competitor, very esoteric

• None of the above will work with software specific to RTL-SDRs. Probably even less software support than Airplay/SDR-Play

AccessoriesExtending your SDR’s capabilities

Filters• External filters can help block strong signals that can

drown out weaker ones

• FM Broadcast stations are usually the strongest source of interference, particularly at harmonic frequencies.

• A good FM Band-Stop filter will help with this. RTL-SDR.com now sells one for $20.

• Old F-Connector filters, like the ones previously sold by Radio Shack, don’t seem to work too well.

• FlightAware sells a ADS-B Band-Pass filter, if you want to block everything except ADS-B signals (FA Pro Stick is be a better option tho).

• Other filters are available, but harder to find or expensive. You may be able to build one yourself with some effort. Online calculators are out there to help with this.

Upconverters• Want to receive signals below ~25Mhz? (AM, Shortwave,

HF, etc). You can either buy an more expensive SDR, *or*, buy an upconverter

• An upconverter will shift a broad section of spectrum, into the range that your SDR can receive (typically 0-30Mhz shifted up to start around 120-125Mhz)

• Two well known choices: Nooelec’s Ham-it-up, and Airspy’s SpyVerter.

• I can’t speak to the relative performance of either of these. The Ham-it-up requires an extra USB-B cable for power, the SpyVerter is Bias-T powered. The Ham-it-up enclosure is sold separately, but otherwise cost is similar ($50-$65)

• NB: Not many (any?) digital signals below 25Mhz. You’ll need different antenna(s) than the stock monopole to get good reception.

Low Noise Amplifiers (LNA)• LNAs generally come in a couple forms, wide-

bandwidth, and narrow band width with built in filters

• Bias-T support is much more convenient (if your SDR supports it), but separate power sources have the possibility of causing less interference

• Example wide-band: LNA4ALL (with many clones/variants). You probably want a filter for use with this.

• Example narrow-band: Outernet or NooElec 1.542Ghz LNA made for specifically Outernet and other L-Band Inmarsat reception.

• Prices usually around $25

Antennas• Too large of a topic for this talk, but there’s always a better antenna

• Variety of characteristics, the most obvious are:

• Gain

• Frequency ranges, Wideband vs Narrowband

• Directional or not

• Polarized varieties (circular or linear), esp. for satellite RX

Tips & Tricks• Windows users: Don’t let Windows automatically install a driver for your SDR unless your

SDR instructions say to do so, it may be a DVB-T driver and will just break things.

• Go Outside, or put the antenna outside. Walls attenuate RF signals, appliances interfere, etc

• Monopole antennas: adjust the antenna to 1/4 wavelength of signal and try adding a metal ground plane

• There’s probably a better antenna for a specific signal than the basic monopole

• AC/Power, USB interference cause spurs: try unplugging the laptop

• USB and SMA cable quality varies greatly. Poor cables will cause massive interference and spurs. RF Chokes may help.

Resources• RTL-SDR.COM is sort of a SDR-specific hack-a-day

• https://www.reddit.com/r/RTLSDR/https://www.reddit.com/r/sdr ..etc..

• radioforeveryone.com blog has lots of tutorials

• sigidwiki.com - signal identification wiki

• FCC search tools (google it, there are several types, based on FCC-ID, licensee, etc).

• ARRL (American Radio Relay League) national association for amateur radio/HAM radio

Q & A