## Radio tools
### Software defined radio (SDR)
The main idea behind SDR is to replace components that are traditionally hardware in a radio (such as filters, mixers and amplifiers) with software algorithms. An SDR thus receives 'everything' it can receive and sends that to the computer to be processed.
SDR recently became popular and affordable through RTL-SDR. RTL-SDR uses DVB dongles based on [RTL chips](http://www.rtl-sdr.com/). Depending on the chipset, such an SDR can receive roughly between 22 MHz and 2200 MHz.
The list of supported RTL chips and tuner frequency range ([source](http://sdr.osmocom.org/trac/wiki/rtl-sdr)):
- Elonics E4000 52 - 2200 MHz with a gap from 1100 MHz to 1250 MHz (varies)
- Rafael Micro R820T 24 - 1766 MHz
- Rafael Micro R828D 24 - 1766 MHz
- Fitipower FC0013 22 - 1100 MHz
- Fitipower FC0012 22 - 948.6 MHz
- FCI FC2580 146 - 308 MHz and 438 - 924 MHz (gap in between)
**Other SDR hardware**
- [HackRF](http://greatscottgadgets.com/hackrf/), 1 MHz to 6 GHz, receive and transmit(!), open hardware
- [HackRF Blue](http://hackrfblue.com/), clone of HackRF
- [BladeRF](http://www.nuand.com/), 300 MHz - 3.8 GHz
- [rad1o](https://rad1o.badge.events.ccc.de/), 50 MHz - 4000 MHz
**Buying hardware**
If you wish to buy one of the RTL-SDR dongles, make sure the DVB device has one of the chipsets listed [here](http://sdr.osmocom.org/trac/wiki/rtl-sdr).
### Software for SDR (sorted by interface)
There are various programs to interface with an SDR, both GUI and command line; here's a brief description of each, grouped by the kind of interface they offer.
#### The Flowchart
##### [GnuRadio + GnuRadio Companion](http://gnuradio.org)
GnuRadio is a set of libraries for doing SDR. GQRX is built on top of it. It is mostly C++ but comes with a lot of Python bindings.
**GnuRadio Companion** (GRC) is a visual programming tool (think: Pure Data / Max/MSP interface) to control the SDR on a pretty low level. It has quite a steep learning curve but it is extremely powerful. The software lets you use 'blocks' of various signal processing functions and connect them together. The blocks are then 'compiled' to a Python script.
These blocks can also be modified or expanded easily within GRC by just writing more Python for them. It's a very easy way to create specific/custom GUI SDR programs.
Some examples: https://github.com/argilo/sdr-examples
![](../wirelessness/GRC-plus-compiled-output.png)
A screenshot of GRC with the flowchart on the left and the 'compiled' output on the right.
#### The Waterfall
The typical interface for SDR is the so-called waterfall, which is a spectrogram of the signal-to-noise ratio on a slice of the spectrum, plotted over time. It usually shows the noise floor as blue and any signals as yellow/red. As time passes the past signals scroll downwards like a waterfall. This allows one to visually discover signals, even after they have stopped transmitting, rather than having to be tuned in at the right time to hear them.
##### [CubicSDR](http://cubicsdr.com/) for OSX
##### [GQRX](http://gqrx.dk/)
A GUI receiver that is easily installed on your favourite distro or OSX. Uses the Waterfall as a way to visually represent activity on the radio spectrum.
Debian:
```sh
sudo apt-get install gqrx-sdr
```
OSX and Ubuntu >14:
http://gqrx.dk/download
Old Ubuntu:
(not working still :O)
```sh
sudo add-apt-repository ppa:gqrx/releases
sudo apt-get update
sudo apt-get install gqrx
```
![](../wirelessness/gqrx_waterfall.jpg)
There are however some downsides to the Waterfall. The slice of spectrum that you can plot is limited to the native bandwidth of the SDR receiver (in the case of RTL-SDR this is usually around 8 MHz). The amount of time that gets visualized is also rather limited, around 20 seconds or so. That means it is easy to 'miss' transmissions if you didn't see them in time, or if they broadcast very sporadically (from [here](http://kmkeen.com/rtl-power/)).
#### The Commandline
There are some command line tools for SDR. Most of these generate raw datasets which then need to be piped into either sound players or plotting software. One of the big advantages of CLI radio software is that it is often light enough to be run on old or not so powerful hardware like the Raspberry Pi.
##### [rtl_power](http://kmkeen.com/rtl-power/)
A tool which can log the signal strength on any given frequency range for any given amount of time. The data can be used to make [plots](http://kmkeen.com/rtl-power/airband.jpg).
To take a 10 minute measurement of the FM band between 88 MHz and 110 MHz in bins of 8 kHz and save it to output.csv: `rtl_power -f 88M:110M:8k -e 10m output.csv`. To make a visual plot have a look at [this script](https://github.com/keenerd/rtl-sdr-misc/blob/master/heatmap/heatmap.py).
![](../wirelessness/schiphol.png)
A plot of airport communications made with heatmap.py
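Besides plotting, the rtl_power CSV can be processed directly. The following is an added example (written for this page, not part of rtl_power or heatmap.py) that parses the CSV layout rtl_power writes and reports which bins sit well above the noise floor when averaged over all sweeps; the sample rows are constructed, with a 1 MHz bin size purely to keep them short.

```python
import csv
import io
from statistics import median

# Constructed sample in rtl_power's CSV layout (not a real capture). Each row is:
# date, time, Hz low, Hz high, Hz step, sample count, then one dB value per bin.
# Rows with the same timestamp belong to one sweep across the requested range.
SAMPLE_CSV = """\
2015-05-01, 12:00:00, 88000000, 92000000, 1000000, 256, -30.2, -31.0, -29.8, -30.5
2015-05-01, 12:00:00, 92000000, 96000000, 1000000, 256, -30.1, -12.4, -30.7, -29.9
2015-05-01, 12:00:10, 88000000, 92000000, 1000000, 256, -29.7, -30.4, -30.1, -30.9
2015-05-01, 12:00:10, 92000000, 96000000, 1000000, 256, -30.3, -13.1, -30.0, -8.6
"""


def parse_rtl_power(text):
    """Yield (timestamp, centre_frequency_hz, power_db) for every bin in the CSV."""
    for row in csv.reader(io.StringIO(text), skipinitialspace=True):
        if len(row) < 7:
            continue  # blank or truncated line
        stamp = f"{row[0]} {row[1]}"
        low, step = float(row[2]), float(row[4])
        for i, db in enumerate(row[6:]):
            yield stamp, int(low + i * step + step / 2), float(db)


def occupancy(text, margin_db=10.0):
    """Average each bin over all sweeps and return the bins that stand out.

    The noise floor is taken as the median of all bin averages; bins more than
    margin_db above it are returned as (centre_hz, average_db), strongest first.
    A station that only transmitted during some sweeps still shows up, because
    the average over the whole log is used rather than one waterfall frame.
    """
    sums, counts = {}, {}
    for _, freq, db in parse_rtl_power(text):
        sums[freq] = sums.get(freq, 0.0) + db
        counts[freq] = counts.get(freq, 0) + 1
    averages = {f: sums[f] / counts[f] for f in sums}
    floor = median(averages.values())
    hits = [(f, avg) for f, avg in averages.items() if avg - floor > margin_db]
    return sorted(hits, key=lambda h: -h[1])


if __name__ == "__main__":
    for freq, avg in occupancy(SAMPLE_CSV):
        print(f"{freq / 1e6:.1f} MHz  {avg:6.1f} dB")
```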
##### [rtl_fm](http://kmkeen.com/rtl-demod-guide/)
A general purpose analog radio demodulator. Outputs digital audio data which can be piped into a variety of other tools. Tune to 103.1 MHz FM and pipe into [SoX](https://en.wikipedia.org/wiki/SoX) to hear the audio: `rtl_fm -M wbfm -f 103.1M | play -r 32k -t raw -e s -b 16 -c 1 -V1 -`. Additionally the digital audio data can be piped into software used for demodulating signals such as digitally encoded speech etc.
Both are packaged in the rtl-sdr software package, so install them like so: `sudo apt-get install rtl-sdr`
##### [RTLSDR-Airband](https://github.com/microtony/RTLSDR-Airband)
Designed for monitoring air traffic signals. The main feature is that it allows for monitoring up to 8 different signals simultaneously per dongle and also supports using multiple dongles. It can also convert audio to MP3 or stream to Icecast or SHOUTcast. As with other SDR applications, have a look at the forks for more features etc.
On x86 Linux it has the following dependencies ([source](https://github.com/szpajder/RTLSDR-Airband#linux-x86)):
`libmp3lame-dev libvorbis-dev libshout-dev libfftw3-dev librtlsdr`
https://github.com/microtony/RTLSDR-Airband <- original repo
https://github.com/szpajder/RTLSDR-Airband <- useful fork (x86 install instructions)
### Decoding
Increasingly, many signals that can be picked up are not analog but digital. An analog signal can be easily 'heard' and identified by a listener, think of FM broadcast radio or walkie-talkie signals. Digital signals however are encoded, as they represent binary information; to the ear they often sound like noise, but with the help of additional software they can be decoded into audio or data.
Some of the decoders are gui based and directly take input from the sound card while others are only command-line based and read from stdin or from a file.
Below is an overview of (multi-purpose) decoders for common signals:
**MINIMODEM**
http://www.whence.com/minimodem/
A general-purpose software audio FSK modem which can decode and encode various standard FSK protocols such as Bell103, Bell202, RTTY, NOAA SAME, and Caller-ID.
It expects (audio) input from a file or stdin: `rtl_fm -M nfm -f 14467.3K | minimodem -r -a rtty`
Minimodem can also be used to encode: `man minimodem | minimodem -t 200`
This encodes the minimodem manpage as 200 baud FSK audio.
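To show what an FSK modem such as minimodem actually does with the audio, here is an added example (written for this page, not minimodem's own code) that modulates bytes as Bell 202 style FSK at 1200 baud with 8N1 framing and demodulates them back by comparing the energy of the mark and space tones in each bit period. It assumes the receiver is already bit-aligned to the transmitter; a real modem also has to recover the bit clock from the signal.

```python
import math

SAMPLE_RATE = 48000            # samples per second of the constructed audio
BAUD = 1200                    # bits per second (Bell 202 rate)
MARK_HZ, SPACE_HZ = 1200, 2200 # Bell 202 tones: mark = 1, space = 0
SPB = SAMPLE_RATE // BAUD      # samples per bit (40)


def frame_bits(data: bytes):
    """8N1 async framing: start bit 0, 8 data bits LSB first, stop bit 1."""
    bits = []
    for byte in data:
        bits.append(0)
        bits.extend((byte >> i) & 1 for i in range(8))
        bits.append(1)
    return bits


def modulate(data: bytes):
    """Continuous-phase FSK: one tone per bit, phase carried across bit edges."""
    phase, samples = 0.0, []
    for bit in frame_bits(data):
        step = 2 * math.pi * (MARK_HZ if bit else SPACE_HZ) / SAMPLE_RATE
        for _ in range(SPB):
            samples.append(math.sin(phase))
            phase += step
    return samples


def tone_power(chunk, freq):
    """Energy of `chunk` at `freq`: correlate with a sine and a cosine."""
    re = im = 0.0
    for n, s in enumerate(chunk):
        ang = 2 * math.pi * freq * n / SAMPLE_RATE
        re += s * math.cos(ang)
        im += s * math.sin(ang)
    return re * re + im * im


def demodulate(samples):
    """Decide mark/space per bit period, then strip the 8N1 framing."""
    bits = [1 if tone_power(samples[i:i + SPB], MARK_HZ)
            > tone_power(samples[i:i + SPB], SPACE_HZ) else 0
            for i in range(0, len(samples) - SPB + 1, SPB)]
    out, i = bytearray(), 0
    while i + 10 <= len(bits):
        if bits[i] != 0:       # not a start bit: keep hunting for a frame
            i += 1
            continue
        byte = sum(b << k for k, b in enumerate(bits[i + 1:i + 9]))
        if bits[i + 9] == 1:   # valid stop bit; otherwise a framing error
            out.append(byte)
            i += 10
        else:
            i += 1
    return bytes(out)
```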
**MULTIMON NG**
https://github.com/EliasOenal/multimon-ng
Can be used to decode the following transmission modes:
- POCSAG512 POCSAG1200 POCSAG2400 (pager systems)
- EAS
- UFSK1200 CLIPFSK AFSK1200 AFSK2400 AFSK2400_2 AFSK2400_3
- HAPN4800
- FSK9600
- DTMF
- ZVEI1 ZVEI2 ZVEI3 DZVEI PZVEI
- EEA EIA CCIR
- MORSE CW (morse code)
Since multimon-ng is being actively developed it might be useful to regularly check for updates. Also have a look at some of the forks, [since these might support other encodings such as FLEX/P2000](https://github.com/craigshelley/multimon-ng).
It also expects input from a file or stdin:
`rtl_fm -f 157.950e6 -g 100 -s 22050 -l 310 - |./multimon-ng -t raw -c -a POCSAG512 -a POCSAG1200 -a POCSAG2400 -a SCOPE /dev/stdin` This was used to receive signals from a pager and decode them.
![](../wirelessness/belgian_pager_multimon_ng_169.6mhz.png)
In this example GQRX (right) is used to tune in to 169.6 MHz using a Wide FM filter. The resulting audio is then streamed over a local server. In the terminal window on the left `nc` ('netcat') is used to listen to the local server and pipe the output into `sox`, which converts the audio to the required sample rate and pipes it into `multimon-ng`. For more info on streaming from GQRX [check this out](https://groups.google.com/forum/#!topic/gqrx/I6tdeDS5Gjc).
**DSD (Digital Speech Decoder)**
https://github.com/szechyjs/dsd
Some signals include speech that has been digitally encoded. DSD can decode these protocols and synthesize the speech.
Supported protocols ([source + details](https://github.com/szechyjs/dsd/wiki/Supported-formats))
- P25
- ProVoice
- X2-TDMA
- DMR/MOTOTRBO
- D-STAR
- NXDN
Use it by piping audio into the application:
`rtl_fm -f 157.950e6 -g 100 -s 48000 -l 310 - | dsd -i /dev/stdin -fa -w output.wav`
Find a detailed description of options [here](https://github.com/szechyjs/dsd/wiki/Operation).
**FLDIGI**
Fldigi (Fast Light Digital Modem Application) is a cross-platform modem (= MOdulator-DEModulator) program that supports most of the so-called 'digital modes' (signals generated on a computer, usually by keyboard input, and then sent to the radio) used on the amateur radio bands ([source](https://fedorahosted.org/fldigi/)).
This software is specifically aimed at ham radio, which is evident throughout the interface.
This software uses the Waterfall interface. To demodulate, use the filter to tune in to the frequency of the signal and select the right protocol. Fldigi can also be used to transmit messages using the modulator.
The following encodings are supported ([source + additional details](http://www.w1hkj.com/FldigiHelp-3.21/Modes/)):
- BPSK/QPSK
- Contestia
- CW (Morse code)
- DominoEX
- Feld Hell (Hellschreiber)
- MFSK
- MT-63
- Olivia
- RTTY
- Thor
- Throb
There is an extensive user manual which can be found [here](http://www.w1hkj.com/FldigiHelp-3.22/index.html).
**SIGMIRA**
http://www.saharlow.com/technology/sigmira/
A standalone GUI application. Included in this list because it seems to be the only one that includes support for decoding protocols like NATO STANAG 4285 (military) and the 'Slot Machine' (it sounds like one) by the Japanese Navy.
Linux packages are available but not supported.
Haven't tried it.
**OSMOCOM decoding projects**
There are a few initiatives under the umbrella of OSMOCOM (Open Source Mobile Communications) that aim to reverse engineer commercial protocols. Most of these projects include software to demodulate the signal and forward the demodulated packets to Wireshark.
**TETRA**
http://tetra.osmocom.org/trac/
Terrestrial Trunked Radio, used for expensive walkie-talkies (because of the encryption) by police, security etc. Works similarly to cell phone networks, with base stations that relay to other base stations.
**P25**
http://op25.osmocom.org/trac/wiki
"APCO Project 25 is the digital communications standard used by many police and emergency services throughout the world." ([source](http://op25.osmocom.org/trac/wiki))
**GSM**
https://svn.berlin.ccc.de/projects/airprobe/ (self-signed certificate)
Decodes GSM and can forward the packets to Wireshark. Also has the ability to decrypt (although not in real time).
[Extremely detailed write-up on how to decode GSM with rtl-sdr](https://ferrancasanovas.wordpress.com/cracking-and-sniffing-gsm-with-rtl-sdr-concept/).
**DVB-T**
https://wiki.archlinux.org/index.php/DVB-T
### Encoding vs Encrypting
The tools described above are used for decoding, which is not the same as decrypting. Decoding is the process of turning the modulation of the carrier signal into information, which might still be scrambled or encrypted. In the case of protocols like TETRA, GSM etc the signals can be decoded so the packet headers become legible, but the content of the packets themselves remain encrypted.
**Calibrating your SDR**
https://github.com/steve-m/kalibrate-rtl
Radio is data
but also possible with HackRF
If you
https://wiki.hacdc.org/index.php/Notes_on_Soundmodem
### Legality
http://www.bipt.be/public/files/nl/1011/939_nl_scannernl.pdf
Scanning the spectrum, i.e. listening to anything other than CB ([citizens band](https://en.wikipedia.org/wiki/Citizens_band_radio)), broadcast radio or amateur radio frequencies, without consent is illegal. It is not allowed to own equipment with other frequencies pre-programmed, and being caught with it in the street can lead to fines etc.
Interestingly, scanning is illegal in Belgium because of 'privacy' concerns. Yet the radio frequencies one isn't allowed to listen to are either owned by the government or by companies. It is also not clear how privacy applies to an increasingly pervasive scenario where you have machines talking to machines.
## Pointers for Infrastructure
Online information:
http://radiontvangst.freehostia.com - Belgian resource for 'scanners'
[Dutch forum for radio scanners](http://scannerforum.nl), which has a [subforum about Belgium](http://www.scannerforum.nl/index.php?board=63.0)
http://frequentiedatabase.tk/ - Tool made by scannerforum.nl (look for a placename to find frequencies)
[Brussels map about GSM antennas](http://www.environnement.brussels/thematiques/ondes-et-antennes/ou-sont-les-antennes/carte-des-antennes-emettrices)
## Drawing with frequencies: Spectrum Painter
Using an SDR transmitter you can draw with frequencies.
https://github.com/polygon/spectrum_painter
![](https://raw.githubusercontent.com/polygon/spectrum_painter/master/doc/smiley.jpg)
## Drawing with frequencies 2
https://github.com/drmpeg/gr-paint