A new high-end small form factor software defined radio (SDR) transceiver called the Matchstiq has been announced by engineering firm Epiq Solutions. Pricing starts at a costly $4500 USD, as it seems to be aimed more at the professional market. It’s key features are

• Single RF transceiver covering 300 MHz to 3.8 GHz
• Supports RF channel bandwidths up to 28 MHz
• Integrated CPU/FPGA for signal processing applications
• Integrated GPS receiver with 1PPS
• Run time loadable/executable software applications
• Full suite of specialty applications available
• SDK available for custom application development uSD provides up to 32 GB of onboard data and application storage
• USB interface to host for system access
• Size: 2.2” x 4.6” x 0.9” Power: <3 W (typical)
• Optional external battery pack

It also has the ability to wirelessly interface with and Android host

With this and the BladeRF and HackRF, 2013 is looking like a good year for SDR.

The post New Software Defined Radio “Matchstiq” by Epiq Solutions Announced appeared first on rtl-sdr.com.

The BladeRF, a transmit capable software defined radio similar to the HackRF is now shipping. BladeRF is a $420 USD SDR designed for hobbyists and RF enthusiasts.

The post BladeRF Units now Shipping appeared first on rtl-sdr.com.

To help you decide which of the recently released software defined radios is right for you, blogger Taylor Killian has written an article discussing and comparing the HackRF, BladeRF and new USRP models.

The HackRF, BladeRF and USRP are all high end SDRs which range in cost from $300 (HackRF) to $1100 USD (USRP B210). They differ from the RTL-SDR in that each is specifically designed for the purpose of software defined radio, and they all have large bandwidths and transmit capabilities.

The post HackRF vs. BladeRF vs. USRP appeared first on rtl-sdr.com.

The BladeRF is a software defined radio that has transmit and receive capability. Over on his blog, Clayton Smith has recently posted about his experiments which involve using the BladeRF to transmit DVB-T digital TV on one laptop to another laptop running an RTL-SDR in DVB-T mode. This is one of the few applications where the RTL-SDR is used as a DVB-T receiver as it was originally intended. Clayton used GNU Radio, a DVB-T package for GNU Radio and some python scripts to create the BladeRF transmitter.

The newer Linux kernels have DVB-T support for the RTL2832U chip, so the latest version of Ubuntu 13.10 will be able to recognize the RTL-SDR stick as a DVB-T receiver easily. Clayton used VLC in Ubuntu 13.10 to receive the DVB-T signal transmitted by the BladeRF which was tested on the 70cm, 33cm and 23cm bands.

The post Transmitting DVB-T with the BladeRF and Receiving it on a RTL-SDR appeared first on rtl-sdr.com.

Using an RTL-SDR Clayton Smith was able to reverse engineer his remote controlled ceiling fan. To do this he first used his BladeRF to determine that the remote control was transmitting a signal at 303.747 MHz. He then used a simple GNU Radio flow graph with the RTL-SDR to plot the amplitude of the signal over time which suggested that the signal was using on-off keying. From the plot he was then able to visually determine the bit pattern sent from each button on the ceiling fan remote.

Next he used his bladeRF and another GNU Radio flowgraph to replicate and transmit the the bit pattern which was able to control the ceiling fan from the PC.

Clayton notes that all this reverse engineering was done in half an hour, demonstrating the power of software defined radio.

The post Reverse Engineering a RF Controlled Ceiling Fan with the RTL-SDR appeared first on rtl-sdr.com.

The programmer of Linrad (aka Leif sm5bsz) has uploaded a video to YouTube that compares several software defined radios on dynamic range and compression performance in the presence of strong nearby signals. In the video Leif tests the Airspy, BladeRF with B200, FDM-S1, Funcube Pro+, rtlsdr/E4000, rtlsdr/FC0013, rtlsdr/R820T, SDR-14 and SDRplay.

The main test works by tuning to a broadcast band FM frequency and then injecting a strong carrier signal at distances of 500 kHz, 1 MHz, 2 MHz and 5 MHz from the center frequency. The carrier signal strength is slowly increased until the SDR shows signs of complete degradation of reception of the FM signal. Better SDRs will tolerate stronger nearby signals without degradation.

The results are summarized at 34:20, 1:21:38 and 1:48:30. We have also taken screencaps of the results at 1:21:38 and 1:48:30 and they are shown below. The first column is when a higher gain is used, and the second column is when a lower but still barely copyable gain level is used. In the Levels for loss of performance columns smaller numbers are better and in the Dynamic range columns larger numbers are better. Finally, at the end of the video starting at 1:45:55 Leif also tests the spur performance of the SDRs.

The post Comparison of several SDRs on degradation from nearby strong signals at broadcast FM frequencies appeared first on rtl-sdr.com.

Last month we posted about an experimenter who showed us a tutorial on how to use an RTL-SDR and rtl_entropy to generate random passwords. Now another experimenter, Sean Cassidy has used a BladeRF to generate entropy and used it to seed /dev/random. In the post Sean explains what /dev/random is, and how important it is to provide a good entropy source in Linux, or risk having encryption keys discovered.

He writes that Linux usually gets entropy from activity such as mouse movements, network activity or even hardware random number generators that are available on some Intel CPUs. However, he mentions that hardware random number generators are likely to be back doored by the government for spying purposes and so cannot be trusted. To get around this Sean decided to use his BladeRF as a hardware random number generator, but he also writes that the RTL-SDR will also work.

The set up simply involves installing the software brf_entropy, or rtl_entropy for the RTL-SDR, and then using the “rngd” command to sample randomness for /dev/random from the BladeRF’s output.

The post Using a BladeRF or RTL-SDR to Gather Entropy for /dev/random in Linux appeared first on rtl-sdr.com.

PHDays (Positive Hack Days) is a yearly forum with a focus on ethical hacking and security. During this years forum which took place in June, the organizers set up a competition where the goal was to “steal” or take control of a Syma X8C quadcopter drone. The drone runs on the nRF24L01 module, which from previous posts we have seen can easily be sniffed and decoded with an RTL-SDR or other SDR.

To reverse engineer the drones wireless communications system the teams used software defined radios like the HackRF and BladeRF, and also an alternative method involving just using an Arduino and nRF24L01+ receiver chip. Once the signal was received, they used GNU Radio to decode the signal into packets of data. After analyzing the data they found that the data bytes were easily reverse engineered and then were able to transmit their own data packets to control the drone. The post goes into further detail on the specifics of the reverse engineering.

The post Stealing a Drone with Software Defined Radio appeared first on rtl-sdr.com.

Nuand is the company responsible for the bladeRF software defined radio. The bladeRF x40 is a SDR that usually costs $420. It uses a LimeMicro LMS6002D chip, which has a 12-bit ADC and a tuning range of 300MHz – 3.8GHz.

For one day only they have released a special price for the bladeRF x40 of $199 USD, for the first 50 customers only. At the time of this post the deal still seems to be active, and the coupon code of “MHZ” is still working. Of note is that the recently successfully crowdfunded LimeSDR uses the newer and better LimeMicro LMS7002M chip, so Nuand may be testing the waters for a lower price point on their bladeRF. However, one thing to note is that the bladeRF is proven hardware with active software applications, whereas the LimeSDR is not yet proven. 

Nuand also recently released an update which saw the source released for an ADS-B decoder that can be run on the bladeRF’s onboard FPGA, and also an update which allows the bladeRF to display up to 124 MHz of bandwidth at any one time. The large bandwidth display appears to work in a similar way to rtl_power or SpectrumSpy for the Airspy, by quickly switching between multiple chunks of frequency. The difference is that the bladeRF can do this by using onboard HDL accelerators which allow it retune extremely fast at several thousand times a second.

The post 50 Units of a $199 Nuand bladeRF x40 for Sale: 1-Day Only appeared first on rtl-sdr.com.

Developer R. X. Seger has recently released rx_tools which provides SDR independent ports for the popular command line RTL-SDR tools rtl_power, rtl_fm and rtl_sdr. This means that these tools can now be used on almost any SDR, such as the bladeRF, HackRF, SDRplay, Airspy and LimeSDR. If you don’t know what the tools do, then here is a quick break down:

rtl_fm / rx_fm: Allows you to decode and listen to FM/AM/SSB radio.
rtl_sdr / rx_sdr: Allows you to record raw samples for future processing.
rtl_power / rx_power: Allows you to do wideband scans over arbitrarily wide swaths of bandwidth by hopping over and recording signal power levels over multiple chunks of spectrum.

rx_tools is based on SoapySDR which is an SDR abstraction layer. If software is developed with SoapySDR, then the software can be more easily used with any SDR, assuming a Soapy plugin for that particular SDR is written. This stops the need for software to be re-written many times for different SDR’s as instead the plugin only needs to be written once.

The post rx_tools: RTL-SDR Command Line Tools (rtl_power, rtl_fm, rtl_sdr) Now Compatible With Almost Any SDR appeared first on rtl-sdr.com.

On YouTube user CrazyDanishHacker has been uploading some tutorial videos showing how to perform several experiments with the BladeRF. Some things he shows are GPS spoofing, broadcasting digital TV, getting 124 MHz bandwidth, using spectrum painter and how to use the BladeRF on Windows 10, Kali Linux and Ubuntu.

You might remember CrazyDanishHacker from our previous post where we posted about his in depth YouTube tutorial on GSM sniffing and cracking. That series now appears to be complete ending on episode #16 of his software defined radio series. The BladeRF tutorials start on episode #17.

The bladeRF is a $420 software defined radio which is capable of transmit and receive. It uses a LimeMicro LMS6002D chip, which has a 12-bit ADC and a tuning range of 300 MHz – 3.8 GHz. Along with the HackRF we eventually expect that it will be superseded by the upcoming LimeSDR.

The post YouTube Tutorial about using the BladeRF for Several Experiments appeared first on rtl-sdr.com.

Over on his blog author Simone Margaritelli has added a tutorial that shows how to set up a bladeRF to act as a GSM basestation (cell tower). Having your own GSM basestation allows you to create your own private and free GSM network, or for more malicious illegal users it can allow you to create a system for intercepting peoples calls and data. Simone stresses that it is well known that GSM security is broken (and is probably broken by design), and now it is about time that these flaws were fixed.

In his tutorial he uses a single bladeRF x40 and a Raspberry Pi 3 as the processing hardware. The bladeRF is a $420 transmit and receive capable software defined radio with a tuning range of 300 MHz – 3.8 GHz and 12-bit ADC. He also uses a battery pack which makes the whole thing portable. The software used is Yate and YateBTS which is open source GSM basestation software. Installation as shown in the tutorial is as simple as doing a git clone, running a few compilation lines and doing some simple text configuration. Once set up mobile phones will automatically connect to the basestation due to the design of GSM.

Once setup you can go further and create your own private GSM network, or make the whole thing act as a “man-in-the-middle” proxy to a legitimate GSM USB dongle, which would allow you to sniff the traffic on anyone who unknowingly connects to your basestation. This is similar to how a “Stingray” operates, which is a IMSI-catcher device used by law enforcement to intercept and track GSM communications. More information on using the bladeRF as an IMSI catcher with YateBTS can be found in this white paper.

The post Building your own Rogue GSM Basestation with a BladeRF appeared first on rtl-sdr.com.

Over on YouTube well known SDR tester Leif (SM5BSZ) has uploaded a video that compares the performance of several HF receivers with two tone tests and real antennas. He compares a Perseus, Airspy + SpyVerter, BladeRF + B200, BladeRF with direct ADC input, Soft66RTL and finally a ham-it-up + RTLSDR. The Perseus is a $900 USD high end HF receiver, whilst the other receivers are more affordable multi purpose SDRs.

If you are interested in only the discussion and results then you can skip to the following points:

24:06 – Two tone test @ 20 kHz. These test for dynamic range. The ranking from best to worst is Perseus, Airspy + SpyVerter, Ham-it-up + RTLSDR, Soft66RTL, BladeRF ADC, BladeRF + B200. The Perseus is shown to be significantly better than all the other radios in terms of dynamic range. However Leif notes that dynamic range on HF is no longer as important as it once was in the past, as 1) the average noise floor is now about 10dB higher due to many modern electronic interferers, and 2) there has been a reduction in the number of very strong transmitters due to reduced interest in HF. Thus even though the Perseus is significantly better, the other receivers are still not useless as dynamic range requirements have reduced by about 20dB overall.

33:30 – Two tone test @ 200 kHz. Now the ranking is Perseus, Airspy + SpyVerter, Soft66RTL, BladeRF+B200, Ham-it-up + RTLSDR, BladeRF ADC.

38:30 – Two tone test @ 1 MHz. The ranking is Perseus, Airspy + SpyVerter, BladeRF + B200, ham-it-up + RTLSDR, Soft66RTL, bladeRF ADC. 

50:40 – Real antenna night time SNR test @ 14 MHz. Since the Perseus is know to be the best, here Leif uses it as the reference and compares it against the other receivers. The ranking from best to worst is Airspy + SpyVerter, ham-it-up + RTLSDR, BladeRF B200, Soft66RTL, BladeRF ADC. The top three units have similar performance. Leif notes that the upconverter in the Soft66RTL seems to saturate easily in the presence of strong signals.

1:13:30 – Real antenna SNR ranking for Day and Night tests @ 14 MHz. Again with the Perseus as the reference. Ranking is the same as in 3).

In a previous video Leif also uploaded a quick video showing why he has excluded the DX patrol receiver from his comparisons. He writes that the DX patrol suffers from high levels of USB noise.

The post Leif (SM5BSZ) Compares Several HF Receivers appeared first on rtl-sdr.com.

Last month we posted about an experimenter who showed us a tutorial on how to use an RTL-SDR and rtl_entropy to generate random passwords. Now another experimenter, Sean Cassidy has used a BladeRF to generate entropy and used it to seed /dev/random. In the post Sean explains what /dev/random is, and how important it is to provide a good entropy source in Linux, or risk having encryption keys discovered.

He writes that Linux usually gets entropy from activity such as mouse movements, network activity or even hardware random number generators that are available on some Intel CPUs. However, he mentions that hardware random number generators are likely to be back doored by the government for spying purposes and so cannot be trusted. To get around this Sean decided to use his BladeRF as a hardware random number generator, but he also writes that the RTL-SDR will also work.

The set up simply involves installing the software brf_entropy, or rtl_entropy for the RTL-SDR, and then using the “rngd” command to sample randomness for /dev/random from the BladeRF’s output.

The post Using a BladeRF or RTL-SDR to Gather Entropy for /dev/random in Linux appeared first on rtl-sdr.com.

PHDays (Positive Hack Days) is a yearly forum with a focus on ethical hacking and security. During this years forum which took place in June, the organizers set up a competition where the goal was to “steal” or take control of a Syma X8C quadcopter drone. The drone runs on the nRF24L01 module, which from previous posts we have seen can easily be sniffed and decoded with an RTL-SDR or other SDR.

To reverse engineer the drones wireless communications system the teams used software defined radios like the HackRF and BladeRF, and also an alternative method involving just using an Arduino and nRF24L01+ receiver chip. Once the signal was received, they used GNU Radio to decode the signal into packets of data. After analyzing the data they found that the data bytes were easily reverse engineered and then were able to transmit their own data packets to control the drone. The post goes into further detail on the specifics of the reverse engineering.

The post Stealing a Drone with Software Defined Radio appeared first on rtl-sdr.com.

Nuand is the company responsible for the bladeRF software defined radio. The bladeRF x40 is a SDR that usually costs $420. It uses a LimeMicro LMS6002D chip, which has a 12-bit ADC and a tuning range of 300MHz – 3.8GHz.

For one day only they have released a special price for the bladeRF x40 of $199 USD, for the first 50 customers only. At the time of this post the deal still seems to be active, and the coupon code of “MHZ” is still working. Of note is that the recently successfully crowdfunded LimeSDR uses the newer and better LimeMicro LMS7002M chip, so Nuand may be testing the waters for a lower price point on their bladeRF. However, one thing to note is that the bladeRF is proven hardware with active software applications, whereas the LimeSDR is not yet proven. 

Nuand also recently released an update which saw the source released for an ADS-B decoder that can be run on the bladeRF’s onboard FPGA, and also an update which allows the bladeRF to display up to 124 MHz of bandwidth at any one time. The large bandwidth display appears to work in a similar way to rtl_power or SpectrumSpy for the Airspy, by quickly switching between multiple chunks of frequency. The difference is that the bladeRF can do this by using onboard HDL accelerators which allow it retune extremely fast at several thousand times a second.

The post 50 Units of a $199 Nuand bladeRF x40 for Sale: 1-Day Only appeared first on rtl-sdr.com.

Developer R. X. Seger has recently released rx_tools which provides SDR independent ports for the popular command line RTL-SDR tools rtl_power, rtl_fm and rtl_sdr. This means that these tools can now be used on almost any SDR, such as the bladeRF, HackRF, SDRplay, Airspy and LimeSDR. If you don’t know what the tools do, then here is a quick break down:

rtl_fm / rx_fm: Allows you to decode and listen to FM/AM/SSB radio.
rtl_sdr / rx_sdr: Allows you to record raw samples for future processing.
rtl_power / rx_power: Allows you to do wideband scans over arbitrarily wide swaths of bandwidth by hopping over and recording signal power levels over multiple chunks of spectrum.

rx_tools is based on SoapySDR which is an SDR abstraction layer. If software is developed with SoapySDR, then the software can be more easily used with any SDR, assuming a Soapy plugin for that particular SDR is written. This stops the need for software to be re-written many times for different SDR’s as instead the plugin only needs to be written once.

The post rx_tools: RTL-SDR Command Line Tools (rtl_power, rtl_fm, rtl_sdr) Now Compatible With Almost Any SDR appeared first on rtl-sdr.com.

On YouTube user CrazyDanishHacker has been uploading some tutorial videos showing how to perform several experiments with the BladeRF. Some things he shows are GPS spoofing, broadcasting digital TV, getting 124 MHz bandwidth, using spectrum painter and how to use the BladeRF on Windows 10, Kali Linux and Ubuntu.

You might remember CrazyDanishHacker from our previous post where we posted about his in depth YouTube tutorial on GSM sniffing and cracking. That series now appears to be complete ending on episode #16 of his software defined radio series. The BladeRF tutorials start on episode #17.

The bladeRF is a $420 software defined radio which is capable of transmit and receive. It uses a LimeMicro LMS6002D chip, which has a 12-bit ADC and a tuning range of 300 MHz – 3.8 GHz. Along with the HackRF we eventually expect that it will be superseded by the upcoming LimeSDR.

The post YouTube Tutorial about using the BladeRF for Several Experiments appeared first on rtl-sdr.com.

Over on his blog author Simone Margaritelli has added a tutorial that shows how to set up a bladeRF to act as a GSM basestation (cell tower). Having your own GSM basestation allows you to create your own private and free GSM network, or for more malicious illegal users it can allow you to create a system for intercepting peoples calls and data. Simone stresses that it is well known that GSM security is broken (and is probably broken by design), and now it is about time that these flaws were fixed.

In his tutorial he uses a single bladeRF x40 and a Raspberry Pi 3 as the processing hardware. The bladeRF is a $420 transmit and receive capable software defined radio with a tuning range of 300 MHz – 3.8 GHz and 12-bit ADC. He also uses a battery pack which makes the whole thing portable. The software used is Yate and YateBTS which is open source GSM basestation software. Installation as shown in the tutorial is as simple as doing a git clone, running a few compilation lines and doing some simple text configuration. Once set up mobile phones will automatically connect to the basestation due to the design of GSM.

Once setup you can go further and create your own private GSM network, or make the whole thing act as a “man-in-the-middle” proxy to a legitimate GSM USB dongle, which would allow you to sniff the traffic on anyone who unknowingly connects to your basestation. This is similar to how a “Stingray” operates, which is a IMSI-catcher device used by law enforcement to intercept and track GSM communications. More information on using the bladeRF as an IMSI catcher with YateBTS can be found in this white paper.

The post Building your own Rogue GSM Basestation with a BladeRF appeared first on rtl-sdr.com.

Over on YouTube well known SDR tester Leif (SM5BSZ) has uploaded a video that compares the performance of several HF receivers with two tone tests and real antennas. He compares a Perseus, Airspy + SpyVerter, BladeRF + B200, BladeRF with direct ADC input, Soft66RTL and finally a ham-it-up + RTLSDR. The Perseus is a $900 USD high end HF receiver, whilst the other receivers are more affordable multi purpose SDRs.

If you are interested in only the discussion and results then you can skip to the following points:

24:06 – Two tone test @ 20 kHz. These test for dynamic range. The ranking from best to worst is Perseus, Airspy + SpyVerter, Ham-it-up + RTLSDR, Soft66RTL, BladeRF ADC, BladeRF + B200. The Perseus is shown to be significantly better than all the other radios in terms of dynamic range. However Leif notes that dynamic range on HF is no longer as important as it once was in the past, as 1) the average noise floor is now about 10dB higher due to many modern electronic interferers, and 2) there has been a reduction in the number of very strong transmitters due to reduced interest in HF. Thus even though the Perseus is significantly better, the other receivers are still not useless as dynamic range requirements have reduced by about 20dB overall.

33:30 – Two tone test @ 200 kHz. Now the ranking is Perseus, Airspy + SpyVerter, Soft66RTL, BladeRF+B200, Ham-it-up + RTLSDR, BladeRF ADC.

38:30 – Two tone test @ 1 MHz. The ranking is Perseus, Airspy + SpyVerter, BladeRF + B200, ham-it-up + RTLSDR, Soft66RTL, bladeRF ADC. 

50:40 – Real antenna night time SNR test @ 14 MHz. Since the Perseus is know to be the best, here Leif uses it as the reference and compares it against the other receivers. The ranking from best to worst is Airspy + SpyVerter, ham-it-up + RTLSDR, BladeRF B200, Soft66RTL, BladeRF ADC. The top three units have similar performance. Leif notes that the upconverter in the Soft66RTL seems to saturate easily in the presence of strong signals.

1:13:30 – Real antenna SNR ranking for Day and Night tests @ 14 MHz. Again with the Perseus as the reference. Ranking is the same as in 3).

In a previous video Leif also uploaded a quick video showing why he has excluded the DX patrol receiver from his comparisons. He writes that the DX patrol suffers from high levels of USB noise.

The post Leif (SM5BSZ) Compares Several HF Receivers appeared first on rtl-sdr.com.