Intro to SDR and RF Signal Analysis (elttam.com.au)
246 points by pentestercrab on June 19, 2017 | 41 comments

If you want to dabble for _cheap_ with SDR, the RTL-SDR [1] is a < $10 USB receiver that works from 24 to 1766 MHz.

It allows you to listen to FM radio, decode most 433MHz devices (weather stations), car key signals, and even NOAA weather satellites [2] with a DIY antenna [3].

[1] https://osmocom.org/projects/sdr/wiki/rtl-sdr

[2] http://www.rtl-sdr.com/rtl-sdr-tutorial-receiving-noaa-weath...

[3] http://tinhatranch.com/how-to-build-a-qfh-quadrifilar-helix-...

You can also track your neighbors' energy usage by decoding their smart meter transmissions (around here, they transmit about every minute). https://github.com/bemasher/rtlamr

I can read about 40 smart meters from inside my home using the antenna that comes with it.

Is there an easy way to confirm which one's yours? Serial number visible from the exterior of the meter e.g.?

Yes, the serial number is printed on the outside of every meter (so you can use a telescope to read your neighbor's meter serial number).

For what it's worth, you can get very good reception from NOAA satellites using a much simpler antenna: http://www.rtl-sdr.com/simple-noaameteor-weather-satellite-a...

Said from experience of having built something more complicated and having it perform worse than two pieces of copper tubing stuck in a piece of scrap plastic.

I've been dabbling with RF, but I don't quite understand the appeal of downloading NOAA sat images. Is it simply 'hello world' for receiving sat downlinks?

For me it's a "hello world" for experimenting with building VHF antennas. It's nice, because they are on a schedule that you can plan around and more interesting than listening to the local dispatch systems.

As an aviation enthusiast, I've got a Raspberry Pi in my attic hooked up to two RTL-SDR radios, each connected to homemade antennas mounted on my roof (one VHF to listen to airband transmissions and the other receiving ADS-B[1]). No signal processing required--both are pretty easily achieved by just cobbling together existing open source packages. Also have a GPS receiver on the roof so that Raspberry Pi is also a stratum-1 NTP time server[2]. But that one's not using an SDR. Fun hobby.

EDIT: Added links I found helpful, for the curious:

1: http://www.rtl-sdr.com/adsb-aircraft-radar-with-rtl-sdr/

2: http://www.satsignal.eu/ntp/Raspberry-Pi-NTP.html

Can you suggest something that could be used to read or reprogram wireless access cards, such as the HID Proxcard II? I want to clone my apartment's key fob into a bracelet I can wear when I go jogging.

Clarification for the audience: "RFID" has very little to do with radio or SDR. Communications are done with a coil in the "near field", which also powers the tag.

If you have an Android phone, grab a NFC reader app - this should at least tell you if the card is able to be cloned.

Not all RFID cards are created the same. Most RFID cards that are some kind of "smart" (i.e. contactless bank cards, subway tickets) conform to ISO/IEC 14443 standard that mandates the use of ~13.5MHz carrier to communicate between the reader and the card. This is "the NFC" as your phone understands it.

Proximity cards used for door access usually have the 125kHz carrier compatible with the EM-Marin EM4100. No cell phones I know of have an antenna for this frequency range; therefore, no phone can read, clone or emulate an EM-Marin proximity card.

Since the HID Proxcard II is a "value priced 125 kHz proximity card", you cannot use a phone to read it.

Assuming you could read signals to/from a key-fob/HID-card, isn't there some encryption involved that would prevent merely repeating the signal to "clone" a key-fob?

You can't clone it as many do challenge response but you can relay it - check out NFCgate for example.

This would allow you to say, hold one device to the reader and one against someone's pocket to open a door.

Or to share an NFC transit pass between multiple people over the internet.

Search for "distance bound protocol" if you want to read about current crypto research to prevent relaying.

There are some interesting attempts at these protocols but most of them rely on multiple powered devices, not induction powered smartcards which inherently adds delay and not necessarily predictable delay.

No one has a proven system for doing this in today's smartcards to my knowledge. Though there is some research which promises this may be possible in the future.

Even those proximity car locks do a horrible job of distance bounding - many of them do it off RF level which means an attacker merely needs an amplifier to steal your car - and that offers an almost optimal situation for the application. So I think we'll probably see it there before smart cards. Maybe the timers necessary make this cost prohibitive though. I'm not in a position to say one way or the other.

Nope, an EM4100-compatible card (or a key fob) is just a 64-bit ROM with radio interface. You can read its value and replay it to a reader; the latter won't be able to tell the difference between the original card and your spoofed one.

Better (and more expensive) RFID tags may have an encrypted communication protocol.

I heard of dvbt USB that could be used as sdr interface. I just wonder if the dvbt support under Linux is OK.

For what it's worth, Great Scott Gadgets (Michael Ossman's group) put out a great series of primers [1] on Software Defined Radio (SDR) and the fundamentals of Digital Signal Processing (DSP) a while back, that are some of the best I've seen out there to date.

[1] https://greatscottgadgets.com/sdr/

For anyone interested in Software-defined radio (SDR) I can also highly recommend the Cyberspectrum YouTube channel [1].

[1] https://www.youtube.com/playlist?list=PLPmwwVknVIiXGzKhtimTM...

There are also meetup groups in San Francisco [1] and Melbourne (Australia) [2].

[1] https://www.meetup.com/en-US/Cyberspectrum/

[2] https://www.meetup.com/en-US/Cyberspectrum-Melbourne/

Not at _all_ surprised to see Balint Seeber's name prominently in some of those links...

That guy gives some _amazingly_ interesting talks - I got into SDR pretty much purely based on a presentation of his at DorkBot in Sydney a long time back...

Thanks for posting links to the videos and the meetup group, would've joined it years ago if I'd known about it. Quick question, anything radar related in the videos?

Have you seen this: http://www.rtl-sdr.com/passive-radar-dual-coherent-channel-r...

I can't find the link here right now, but there's some more recent work that's doing that without needing the two clock synced receivers too...

Looking at http://www.rtl-sdr.com/tag/passive-radar/ and youtube, it seems like some progress has been made. Not sure if any of the code is open sourced in GNU Radio, Desktop SDR or http://www.rtl-sdr.com/big-list-rtl-sdr-supported-software/ Will look into it more, it's been 2+ years since the last time.

Thanks for the links. I'd also recommend http://www.desktopsdr.com/

It's a course that relies heavily on MATLAB though.

This discussion from 6 months ago brought together a bunch of introductory info and example applications:


If you want to see a lot of HF signals, field day is this weekend: http://www.arrl.org/field-day

Anyone know the story behind why baudline hasn't been updated in seven years? The site has promised a beta version with some highly desirable features for a LONG time, but nothing. Also, since it's closed source, there's nothing we can do but hope and wait (unless someone were to start an open source equivalent project).

Are there companies/sectors that look for candidates with these skills, or is this more focused towards hackers and hobbyists?

Virtually every professional radio is software defined to some extent these days, so every company that designs radios wants signal processing and information theory skills, more so if they are doing proprietary protocols rather than implementing a standard. It's pretty well the same skill set, whether you are designing or analysing systems. There is a surprising amount of reverse engineering in building radio systems, as the big players (looking at you Motorola) often drop speed humps into their implementations to try and break compatibility with the smaller players' products.

Where can I read more about this?

It's always nice to see RF and Signal Processing stuff on HN.

Best thing is to just jump in and do it. You don't even need hardware to start with.

If you're seriously interested, download Octave (Matlab replacement) and write a program from scratch to simulate a BPSK system and generate a "waterfall" (bit error vs. noise) curve. Don't stop until you can get your curve to perfectly match the one in a text book [1]. By doing this, you will learn about modulation, demodulation and "Additive White Gaussian Noise" (AWGN) channel models. If you can get the waterfall curve to match exactly, you will also be covering concepts such as "energy per bit". A BPSK should be quite doable for an amateur.

Once you have the BPSK simulation, try extending your simulation in different directions and matching the textbook curves. The following challenges are roughly in order of increasing difficulty.

1) Add a block code, such as Hamming or BCH.

2) Replace the simple AWGN channel model with a Rayleigh or Ricean model

3) Add a convolutional code (with Viterbi decoder)

4) Implement Orthogonal Frequency Division Multiplexing (OFDM)

5) Implement an LMS receiver

6) Implement a Low-Density Parity Check code (use the one from the WiFi standard)

7) Implement a complete 802.11a simulation

8) Implement a complete DVB-T simulation

9) Implement a MIMO system, assuming perfect channel knowledge

10) Implement a MIMO system with channel estimation

Get to number 10, and you will know more about radio signal processing than most engineers.

[1] eg. "Lin and Costello" Error Control Coding or "Proakis" DSP
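The first step of the exercise above (uncoded BPSK over AWGN, simulated BER plotted against the textbook curve), written out as an added example in plain Python rather than the commenter's Octave; it is not code from the original post. The theory curve is the standard BPSK result BER = Q(sqrt(2 Eb/N0)) = 0.5 erfc(sqrt(Eb/N0)); symbols are +/-1 so Eb = 1 and the noise standard deviation follows from N0.

```python
# Added example (not from the original post): a from-scratch BPSK-over-AWGN
# bit-error-rate simulation, the "waterfall" exercise described above.
# Theory: BER = Q(sqrt(2*Eb/N0)) = 0.5 * erfc(sqrt(Eb/N0)).
import math
import random


def bpsk_ber_theory(ebn0_db: float) -> float:
    """Textbook BPSK bit-error probability over AWGN for Eb/N0 given in dB."""
    ebn0 = 10 ** (ebn0_db / 10.0)
    return 0.5 * math.erfc(math.sqrt(ebn0))


def simulate_bpsk(ebn0_db: float, n_bits: int = 20000, seed: int = 1) -> float:
    """Monte-Carlo BER of uncoded BPSK over an AWGN channel (hard decisions).

    Symbols are +/-1 so the energy per bit Eb = 1.  Real-valued AWGN has
    variance N0/2 per dimension, hence sigma = sqrt(1 / (2 * Eb/N0)).
    """
    rng = random.Random(seed)           # seeded so runs are reproducible
    ebn0 = 10 ** (ebn0_db / 10.0)
    sigma = math.sqrt(1.0 / (2.0 * ebn0))
    errors = 0
    for _ in range(n_bits):
        bit = rng.getrandbits(1)
        symbol = 1.0 if bit else -1.0              # modulator: 1 -> +1, 0 -> -1
        received = symbol + rng.gauss(0.0, sigma)  # AWGN channel
        decided = 1 if received >= 0.0 else 0      # demodulator: sign detector
        errors += decided != bit
    return errors / n_bits


def waterfall(ebn0_db_points=(0, 2, 4, 6, 8), n_bits: int = 20000):
    """Return [(Eb/N0 dB, simulated BER, theoretical BER), ...] for plotting."""
    return [(db, simulate_bpsk(db, n_bits), bpsk_ber_theory(db))
            for db in ebn0_db_points]


if __name__ == "__main__":
    for db, sim, theory in waterfall():
        print(f"Eb/N0 = {db:2d} dB   simulated = {sim:.5f}   theory = {theory:.5f}")
```

At the high-Eb/N0 end only a handful of errors occur in 20000 bits, so the simulated point scatters around the theory curve; raise n_bits there until the two match, which is the "don't stop until it matches" part of the exercise.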

> Where can I read more about this?

there is the canonical Fundamentals of Wireless Communication (https://people.eecs.berkeley.edu/~dtse/book.html) which is pretty good. also, iirc, there is a book by Oppenheim as well (signals and systems, i think)

edit-00k : yes, the Oppenheim book is called 'signals and systems' and it is available on ocw as well (https://ocw.mit.edu/resources/res-6-007-signals-and-systems-...)

I am always looking for people with SDR skills :-). Constraint being I need US citizens (naturalized or native) given that the company I'm working for is doing contracts for customers that require that.

Beside HackRF One, I've been looking at LimeSDR.

Are there any other comparable options?

I have a LimeSDR and although multiple channels is nice, the device/software is a bit buggy and I wish I'd gotten a HackRF instead.

BladeRF is pretty cool. It doesn't have quite the frequency range of HackRF, but it's full duplex, and uses 12-bit ADC/DAC (vs. HackRF's 8-bit ones). Also it uses USB 3 so the bandwidth is not limited to 20MHz. (I think it's around 40MHz.)

Analog Devices has done the ADALM-PLUTO which is less expensive than the HackRF-One. I don't have one of those but I do have the HackRF one, and if UPS is to be believed a LimeSDR :-). The cost/capability matrix is sort of

RTL Dongles -> ADALM -> HackRF-1 -> LimeSDR -> Ettus SRP

The RTL's don't transmit but all of the other ones can.

Great intro, and nice links in the comments, excellent!
