A few weeks ago (I’ve been meaning to do this post for ages, few weeks ago is give or take 2 months) there was a post on reddit regarding a new software defined radio that cost around $20. After reading a few topics on the discussion (now all avail at http://www.reddit.com/r/RTLSDR now http://rtlsdr.reddit.com) my interest was peaked. RF was a whole new world of WTF for me. I think it offers the same awe and wonder that I had putting a tape into my very first tape into my vomit brown fischer-price tape player:
The basic gist of how it all works is as follows:
* There is a common chip found in video cards known as an RTL2832U
* This chip is commonly used for specific frequencies used for Television signals (and then software decodes this so you could watch TV on your pc)
* A bunch of cool guys ™ found a way to read the data coming into the card directly with drivers
* These cards also offered some tuners that allowed tuning beyond the basic TV ranges
So there are 2 basic sections:
* RTL2832U chips – reading data
* Tuner (E4K,other) – allows changing frequencies to various ranges
With such I started hunting around in Centurion for a Video card that had these options, after phoning a few places (read 5/6) I eventually found a TV card known as a Compro VisionMate U650F. It costs around R250 from pcpalace in centurion which offers a RTL2832U as well as the E4K tuner (the best one at this stage). *update* the cheaper visionmates (without remote) go for about R100 less than this!
* I can tune to frequencies from around 55MHz to 1800Mhz
* For R250!
This was super, ordered my card and a few days later it arrived!
Following some _really_ easy guides for installing a few tools in windows:
* HDSDR, WRPlus, ExtIO, zadig ( http://spench.net/ has all the info but at time of writing was having some issues, try one of these: http://rtlsdr.org/ http://rtlsdr.reddit.com)
And on linux:
* GnuRadio (install guide: http://gnuradio.org/redmine/projects/gnuradio/wiki/InstallingGR)
Off the bat I loaded up HDSDR (after all the config and setup – zadig for drivers, extIO copied) and immediately got that sinking feeling of ‘I know absolutely nothing’:
After a few hours of playing around it become pretty easy to see a few things:
* LO was the tuning band (100MHz on either side)
* Tuner tuned into the specific frequency
* The various options for demodulating the audio with AM/FM(NFM)/CW
So I started with the basics, I figured I’d try listen to some radio, so I tuned to my HDSDR to 90.5 and immediately noticed that setting ‘FM’ demodulation was far too narrow for what i saw:
After doing a bit of research as to why my audio was coming out very ‘choppy’ it turns out that FM has many different modes and can be modulated on NFM (narrow fm – default in HDSDR), WFM (wideband) and custom bandwidths. Seriously, had no idea on this, I thought FM was FM! So it turns out WFM (wideband FM) is what we use for normal radio stations.
I switched to WRPlus and tuned to the frequency again and found that not only could I listen, but I could also receive RDS. Level 1 was unlocked:
Next up was asking around to see what I could listen to in audio, various people in the IRC channel suggested I listen to either the ‘airband’ (air traffic control channels) or see if there were HAM channels running nearby.
I started using, as my mom often likes to say, “the google” and found that there were a few places that offered a listing of what was available near me, including Waterkloof airbase, OR Tambo and other — http://www.bi-comm.com/documents/Frequencies.htm. I tried to tune to these and set the modulation to AM. After a few hours of giving up on OR Tambo I tuned to Waterkloof airbase (about 5km away from me) and even with the default antenna that shipped with my card I could occasionally pick up the traffic (hear planes clearing with ground control etc). Level 2 was suddenly available, I was merely missing a few coins for the level up – these coins came in the form of an antenna.
After being in the IRC channel and understanding how far out of my depth I really was, I identified that the missing element to me being able to listen to ‘the coolness’ was an antenna. I spoke to some people on IRC including one chap from ‘the Australia’ known as Roklobster who gave a full description of how to build what is known as a discone antenna. I evaluated this, and even bought the requirements (< R200), but unfortunately soldering gavlanised steel with my soldering-101 soldering iron was impossible (the burns on my hands can testify for this). I again reverted back to “the google” to try and find an antenna I could buy that would be ‘totes amazeballs’. However I quickly found that antennas were pricey! The card can do 50mhz-1800mhz roughly, and the basic antennas i found could do say 137-146 Mhz and cost around R800. If that worked per frequency this was looking far too costly! Back to level 1.5 (I just cant get past this boss!)
I started asking around and found that there were some _really_ basic antenna that could be built from nothing more than PVC tubing as a base and some Co-ax! I gathered my team (namely i dragged Roelof to Builders warehouse with me) and bought a bit of Co-ax (At < R1/m its almost free like beer) and started building my ‘antenna’. Up-Down-Down-UpperPunch-LowerKick-F-A-T-A-L-I-T-Y
I built what is known as a quaterplane groundplane antenna. The basic gist of it is that you have a piece of metal that is of a specific length ( 1/4 of the wavelength that you need to tune to), and 3 or 4 pieces that extend below it to be the ‘ground’, this is then hoisted in a non conductive environment (some people hang em, others just attach em to PVC pipe – like I did). The basic formula is 300 (speed of light ~ roughly) / <frequency in MHz) * 0.25 (or div 4.. ‘whatevs.’) gives you the length in meters. So one of the stations I wanted to listen to was the airbands at around 122Mhz. The formula become (300/122) * 0.25 = 0.6 meters.
The basic idea is:
* Remove outer insulation and shielding (apart from right at the bottom)
* Exposed length of inner insulation and core is the size you want (see above)
* Then solder/attach various radials of the same length to the inner shielding (not insulation)
* Point radials down at ~45 degrees and spaced 120degrees apart (depending on how many you have)
In Ascii Thats:
In pictures, it ends up like this:
Basically then you hook up an F-connector (avail at almost anywhere – builders warehouse, spar, chamberlains, etc) from the antenna center piece (Its all co-ax) to the RTL-SDR device. Additionally to do that you need to get a IEC (thats the standard TV antenna connector) to an F-connector cable – luckily these are everywhere and cost ~R20.
I changed my design slightly and got a PVC tube cap and drilled a hole in it to hold an F-connector join so that I could have one cable going to the PC and at the top of the PVC (where i’d normally keep the antenna anyway) I had another F-connector to join the antenna to, I wont go into detail but these pictures should make it pretty self explanatory:
After that I fired up my HDSDR and wow was there a *ton* of signals near me. Using the guide found earlier I could quickly listen to the Amplitude modulated (AM) transmissions from Airports near me, or the hundreds (okay maybe not hundreds, but atleast 20) frequency modulated 2-way-comms (commonly used for security guards on the ground, towtruck operaters, random people with 2-way-radios).
Here are a few that I have picked out with the wavs that I could easily identify:
Basic Plane-to-Tower comms:
Hand held radios:
Security Guards Checking in with OB number:
Automated Air Information (no idea on the real name for this)
Two microlights talking:
Commercial Airline Approach:
Automated Weather/Other forcast:(from San Jose where I am for this week)
The basics of what I assume now are (lesbiserious, its only been a few days, take everything with a pinch of salt):
* If its gov/country related and analog its gonna be Amplitude Modulated (AM)
* If its private sector its gonna be FM – And then you are kinda interested in say 150-170Mhz and 440-450Mhz – there are tons of things to listen to.
From here there is still about 99 more levels for me to look at, such as:
* How to build and transmitter (its cool that tuning to 144Mhz shows you gate remotes going off – but how can you ‘replay’ it?).
* How antenna design really works (without guessing) – and getting a real antenna.
* What different type of signals look like (I can merely identify AM and FM)
* Decoding something digital
While it appears all fun and games here, it is interesting to note that security companies are running their base<->guard communications essentially ‘in the clear’ (http for the rest of us). Which for $20 I can clearly listen to, additionally I can also listen and find out where the guards are and if there are any issues at the moment, seems perfect for crime? Most police forces are using TETRA (including Gauteng), read https, which at least means criminals can’t simply listen in, however most places of importance (banks, offices) where someone might want to steal data are protected by private companies – with all data in the clear.
But thats an update. Game saved to Slot 1.
People seem to have switched from using WRPlus to SDR# which seems to be the new up and coming kid on the block! http://sdrsharp.com/
I have the same usb tv tuner stick, its showing as vmu6xx in device manager, i have tried installing all the different options in zadig which take away the hazard sign in device manager. When i open hdsdr i get failed to create device, could not find compatible device. i tried setting the hint of RTL but it doesnt make a difference…any idea’s?
So it should be pretty easy to do, just install it as WinUSB in zadig. Then for your hint I use:
“RTL vid=0x185B pid=0x0650 tuner=e4k”
Where vid and pid I can get from zadig. Here is what my zadig looks like: http://imgur.com/e7n1V
Let me know if that gets you sorted out!
Hey Andrew, Thanks for the fast response,
…Nope :( i’m like a kid in a candy store that cant eat candy :(
Steps i followed:
– Plugged int the stick
– Downloaded the all in 1 installer and clicked include hdsdr
– first pop up was Zadig, click view all device, highlighted the VMU6xx, chose winusb and hit install driver
– copied the Dll’s to the hdsdr folder
– opened hdsdr where it prompted that it couldn’;f find the device
– input RTL vid=0x185B pid=0×0650 tuner=e4k into device hint
– hit create
– fails with the error could not find a compatible device
same problem here why does the bulk interface never show up in windows 7 only ever seen this come up once while trying every version of zadig with the 620. I get the VU6XX displaying every time. did you find a way to get it to show bulk interface o?
tried on multiple machines, i am leaning towards the Australian version of the Compro VisionMate U650F not having the correct chips ;(
Adam / Chris,
Try open the devices (they come apart quite easily) and you can see the chips, I’d be very surprised if they are different, I’d assume that manufacturing is all done in the same place with the same components. On the off chance that they are different and you’d be prepared to pay for shipping and the item I can get you one here in South Africa and post it over.
adam: Your settings look almost identical to mine, you can try run as administrator (perhaps your account is more locked down in terms of what the dlls can access – but I doubt it). On my windows 7 everything seems fine. Additionally perhaps we can go on skype and i’ll send you my exact HDSDR folder so you have the exact same setup as mine?
Chris: not sure what you mean about bulk interface, on win 7 I just select options->show all devices, install WinUSB and im good to go.
Sorry for the late replies, work and all.
Sorry for the late response, attached is the picture of my chipset.. is it the same as yours?
I think i sorted the problem, there was something in the hint field that the application was passing…possibly from a cut and paste.
Ill let you know how i go, the little antenna that came with the device isnt even picking up any radio at the moment so i am not sure if it is working.
Thanks for your help.
Adam, just for now try use a standard TV antenna, should at least “see” the FM stations in HDSDR or SDR#. Just remember that they are WFM which HDSDR doesn’t support!
After setting the bandwidth to 9600 I can now hear the choppy radio and TV broadcasts. I am yet to hear a ham radio amature broadcast. Do you know if there is a way for hdsdr to scan through a range untill it finds a big signal? Based on your specs I will build and mount an antenna this weekend :)
There is so much to learn, I am really loving this! It’s a new field for security experts to get excited about!
At the moment I do not know of a way to ‘scan’ with HDSDR but if you are comfortable using GRC apparently you can let multimode.py scan from a specific frequency to the first range it finds. There is also most likely a way to do it with a GRC script as it does offer a lot more flexibility with regards to interacting with the devices.
The antenna is very basic but should get you a lot better signal and provides you a lot more things to play with :) If you have some DIY skills Id recommend googling for some better antennas (like a groundplane from copper or a nice turnstile)
Where can one get a Discone Antenna 2GHz in SA?
eBay is probably going to be a bunch cheaper, but you can get one going up to 1300mhz at Fort777 ( http://www.fort777.co.za/index.php?main_page=index&cPath=245_258_260_1033 )
Thats gonna cover most of the range of things, but when you really want to play you will most likely need to get an antenna for a specific frequency.
sdrsharp There is a patched version with scan tool, the basic version is not got
I have been trying to get my ezcap running for days now with the same error “Failed to create device: Could not find compitble device.
The main chip is the RTL 2832U but the other chip is quite different, where as most seem to have the E4000, mine is FC0012 G0944 9ASIL.
Could this difference be the reason for the errors>
I have tried many of the different input strings without any luck. But I notice they all end in E4k which I assume is the E4000 tuner. This being the case, I’m wondering what should be put in there for my tuner?
Any assistance gratefully received
Having a quick look at the RTLSDR extIO page ( http://wiki.spench.net/wiki/RTL2832 ), I believe you can just use tuner=fc0012 instead of e4k :)
Awesome post, Andrew! I’m curious to see if you’ve managed to build a transmitter for the signals you’ve been receiving. I want to pick your brain for a pretty cool project I’m working on. It could potentially be the mother of all “hado-kens” to get you waaay past Bison…
The automated air information is called an ATIS / Automatic Terminal Information Service
Thanks for letting us know!
I wonder if anybody out there has trouble with multipsk software
Nice article. I had done much as you did, went straight to SDR#, and built a dipole antenna as opposed to your ground plane thingy, for ~120MHz but can’t hear any airband in spite of seeing Rand Airport from the kitchen window, about 10 of the crow’s kilometres. Perhaps my crow’s sick like a Weasly owl? Most annoying, since FM stations below the airband and those very chatty security guards* above, all work fine. Loads of peeps have got airband with SDR# out the box.
Next step is to load laptop in car and drive there, beard the lion in his den so to speak, that way I’ll hopefully find if it’s a setting thing or a signal thing.
And – or, I might find another app like HDSDR and see if I can figure it out. I should at least see Johannesburg ATIS on 126.65 grrrrrrr.
* one guy on 155.275 today, thinks he needs to say “over” after each sentence…. perhaps like “stop” in the old telex days…..
Just remember to be careful Jim: http://www.iol.co.za/saturday-star/plane-spotter-who-listened-in-to-air-traffic-control-fined-1.1115151
Yeah well the bloody thing doesn’t work anyway. So I’m sticking to using it as a convenient radio receiver for 88-108 WFM broadcast at work.
[…] Previously I discussed using my RTL-SDR to merely listen for analog audio signals. In this entry I’ll discuss using it to decode digital signals (this example on fixed remote signals often used for garages / gates ) so that they can be replayed/brute forced with something like the RFCat project (based on TI’s CC1111EMK module). This has probably been done to death already but I figured since I struggled with it maybe this will help someone else do it a lot quicker (and mostly cause I think its cool). […]