Hi, Habr.
In the first part, some signals that can be received on long and short waves were described. The VHF range is no less interesting, and there is plenty to find there too.
As in the first part, only signals that can be decoded with a computer will be considered. For those interested in how it works, the continuation is under the cut.
In the first part, we used a Dutch online receiver to receive long and short waves. Unfortunately, there are no similar services for VHF: the frequency range is too large. Therefore, those who wish to repeat the experiments described below will have to acquire their own receiver. Of the cheapest ones, the RTL SDR V3 is worth noting; it can be purchased for $30. Such a receiver covers the range up to 1.7 GHz, and all the signals described below were received with it.
So let's get started. As in the first part, the signals will be considered in order of increasing frequency.
FM radio
FM radio itself is unlikely to surprise anyone, but what interests us in it is RDS. RDS (Radio Data System) carries digital data “inside” the FM signal. The spectrum of an FM station after demodulation looks like this:
The pilot tone is located at 19 kHz, and the RDS signal is transmitted at three times that frequency, 57 kHz. If both signals are plotted together on a waveform, it looks like this:
Using phase modulation, a low-frequency signal at 1187.5 Hz is encoded here (the frequency of 1187.5 Hz is not chosen by chance either: it is the 19 kHz pilot-tone frequency divided by 16). After bit-by-bit decoding, the data packets are decoded; there are quite a few types. Besides text, a station's alternative broadcast frequencies can be transmitted, for example, so that on entering another area the receiver can automatically tune to the new frequency.
You can receive RDS data from local stations using RDS Spy. It can be connected via HDSDR if you choose FM modulation, a signal width of 120 kHz and a bitrate of 192 kHz, as shown in the figure.
Then it is enough to route the signal from HDSDR to RDS Spy using Virtual Audio Cable (in the VAC settings you also need to specify the 192 kHz bitrate). If everything is done correctly, we will see all the RDS information, much more than a regular household radio shows:
Besides FM, by the way, DAB+ can also be decoded; there was a separate article about this. It does not work in Russia yet, but it may be relevant in other countries.
Air band
Historically, aviation has used amplitude modulation (AM) and the 118-137 MHz frequency range. Communications between pilots and controllers are not encrypted, and anyone can receive them. About 20 years ago, ordinary cheap Chinese radio receivers were “tuned” for this purpose: it was enough to push the heterodyne (local oscillator) coils apart, and the band shifted, with luck, towards higher frequencies.
Those interested in “digital archeology” can read the 2004 discussion on the radioscanner forum. Later, the Chinese manufacturers met users halfway and simply added the Air band to their receivers (in the comments to the first part, the Tecsun PL-660 or PL-680 were recommended). But of course, more specialized devices (for example, AOR or Icom receivers) are preferable: they have a squelch (the sound is muted when there is no signal, so there is no constant hiss) and a higher frequency search speed.
Each large airport uses quite a lot of frequencies, for example, the frequencies of Pulkovo Airport, taken from the site radioscanner:
By the way, you can listen to live air traffic communications from various Russian cities (Moscow, St. Petersburg, Chelyabinsk and some others) online at http://live.radioscanner.net.
What interests us in the aviation band is the digital protocol ACARS (Aircraft Communications Addressing and Reporting System). Its signals are transmitted at 131.525 and 131.725 MHz (the European standard; frequencies in other regions may vary). These are digital bursts with a bit rate of 2400 or 1200 bps; with this system, pilots can exchange messages with the dispatcher. To decode in MultiPSK, you need to tune to the signal in AM mode (an SDR receiver is needed, because the signal bandwidth is more than 5 kHz) and route the audio using Virtual Audio Cable.
The result is shown in the screenshot.
The format of ACARS signals is fairly simple and can be examined in the SA Free program. To do this, just open a fragment of the recording, and we will see that “inside” the AM recording there is actually frequency modulation.
Next, by applying a frequency detector to the recording, we easily get a bitstream. In practice you will hardly ever need to do this, because ready-made programs for decoding ACARS were written long ago.
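The "frequency detector to bitstream" step can be sketched as follows. This is an added example, not code from the article or from any ACARS decoder: it builds a constructed test signal and recovers the bits from it. The 48 kHz sample rate, the 1200/2400 Hz tone pair, the differential mapping of tones to bits and the assumption that bit boundaries are already known are all assumptions of this sketch; only the 2400 bps rate comes from the text.

```python
import math

FS = 48000          # sample rate of the constructed audio, Hz (assumption)
BAUD = 2400         # bit rate mentioned in the article
F_CHANGE = 1200.0   # assumed tone meaning "bit differs from the previous one"
F_SAME = 2400.0     # assumed tone meaning "bit equals the previous one"
SPB = FS // BAUD    # samples per bit


def modulate(bits, prev=1):
    """Build a constructed continuous-phase test signal, one tone per bit."""
    samples, phase = [], 0.0
    for b in bits:
        freq = F_SAME if b == prev else F_CHANGE
        for _ in range(SPB):
            samples.append(math.sin(phase))
            phase += 2 * math.pi * freq / FS
        prev = b
    return samples


def tone_energy(chunk, freq):
    """Magnitude of the correlation of one bit period with a complex tone."""
    w = 2 * math.pi * freq / FS
    re = sum(s * math.cos(w * n) for n, s in enumerate(chunk))
    im = sum(s * math.sin(w * n) for n, s in enumerate(chunk))
    return math.hypot(re, im)


def demodulate(samples, prev=1):
    """Frequency detector: pick the stronger tone in each bit period,
    then undo the differential coding to get the bitstream."""
    bits = []
    for i in range(0, len(samples) - SPB + 1, SPB):
        chunk = samples[i:i + SPB]
        same = tone_energy(chunk, F_SAME) > tone_energy(chunk, F_CHANGE)
        prev = prev if same else 1 - prev
        bits.append(prev)
    return bits
```

A real recording additionally needs clock recovery to find the bit boundaries, which is the part the ready-made decoders take care of.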
NOAA meteorological satellites
After listening to the aviators' conversations, you can climb even higher, into space. There we are interested in the NOAA 15, NOAA 18 and NOAA 19 meteorological satellites, which transmit images of the Earth’s surface at 137.620, 137.9125 and 137.100 MHz. You can decode the signal using the WXtoImg program.
The received picture may look something like this (photo from radioscanner):
Unfortunately (the laws of physics cannot be fooled, and the Earth is still round, although not everyone believes it), a satellite signal can be received only while the satellite flies over us, and these passes do not always come at a convenient time or angle above the horizon. Previously, to find out the date and time of the next pass, you had to install the Orbitron program (a long-lived program that has existed since 2001); now it is easier to do it online via the links https://www.n2yo.com/passes/?s=25338, https://www.n2yo.com/passes/?s=28654 and https://www.n2yo.com/passes/?s=33591 respectively.
The satellite signal is quite strong and can be heard with almost any antenna and any receiver. But to get a good-quality picture, a special antenna and a good view of the horizon are still desirable. Those interested can watch the English-language tutorial on YouTube or read a detailed description. Personally, I still have not had the patience to see the matter through to the end, but others may have better luck.
FLEX / POCSAG paging messages
I don’t know whether paging services still operate for corporate clients in Russia, but in Europe they function perfectly well and are used by firefighters, police and various services.
FLEX and POCSAG signals can be received using HDSDR and Virtual Audio Cable; PDW is used for decoding. It was written back in 2004 and its interface looks the part, but oddly enough it still works quite well.
There is also the multimon-ng decoder, which runs under Linux; its sources are available on GitHub. There was also a separate article about the POCSAG transmission protocol; those who wish can read about it in more detail.
Key fobs / wireless switches
Even higher in frequency, at 433 MHz, there is a whole variety of different devices - wireless switches and sockets, door bells, car tire pressure sensors, etc.
These are often cheap Chinese devices with the simplest modulation. There is no encryption, and a simple binary code (OOK, on-off keying) is used. Decoding such signals was covered in a separate article. We can use the ready-made decoder rtl_433, which can be downloaded from here.
By running the program, you can see various devices and (if there is a parking lot nearby) find out, for example, the tire pressure of a neighbor's car. There is little practical sense in this, but from a purely mathematical point of view it is quite interesting: the protocols of these signals are simple to decode.
By the way, those who buy such wireless switches should be aware that they are not protected at all, and in theory your hacker neighbor, if he has a HackRF or a similar device, can maliciously turn off the toilet light at the most inopportune moment or do something similar. Personally, I do not bother, but if security matters, you can use more serious and expensive devices with proper keys and authentication (Z-Wave, Philips Hue, etc.).
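Why "keys and authentication" make the difference can be shown with a small model of the two kinds of receiver. This is an added example, not code from the article: the frame layout (4-byte counter, 1-byte command, truncated HMAC-SHA256 tag), the class names and all sample values are hypothetical, and the scheme is a generic counter-plus-MAC design, not the actual Z-Wave or Philips Hue protocol.

```python
import hashlib
import hmac
import struct

TAG_LEN = 8  # truncated HMAC-SHA256 tag length in bytes (assumption of this sketch)


def make_frame(key: bytes, counter: int, command: int) -> bytes:
    """Transmitter side: 4-byte counter + 1-byte command, followed by a MAC."""
    body = struct.pack(">IB", counter, command)
    return body + hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]


class FixedCodeReceiver:
    """Models the cheap switch: any frame equal to the paired code is obeyed."""

    def __init__(self, code: bytes):
        self.code = code

    def accept(self, frame: bytes) -> bool:
        return frame == self.code  # a frame seen once stays valid forever


class AuthenticatedReceiver:
    """Hypothetical hardened receiver: verifies the MAC, then the counter."""

    def __init__(self, key: bytes):
        self.key = key
        self.last_counter = -1

    def accept(self, frame: bytes) -> bool:
        if len(frame) != 5 + TAG_LEN:
            return False
        body, tag = frame[:5], frame[5:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):
            return False  # forged or modified frame
        counter, _command = struct.unpack(">IB", body)
        if counter <= self.last_counter:
            return False  # repeat of an already-seen frame
        self.last_counter = counter
        return True


def replay_results():
    """Deliver each constructed frame twice; the second delivery is the repeat."""
    key = b"constructed-demo-key"
    fixed, auth = FixedCodeReceiver(b"\xa5\x5a\x01"), AuthenticatedReceiver(key)
    frame = make_frame(key, counter=1, command=0x01)
    return ([fixed.accept(b"\xa5\x5a\x01") for _ in range(2)],
            [auth.accept(frame) for _ in range(2)])
```

The fixed-code receiver accepts the repeated frame both times, while the authenticated one accepts it once and rejects the repeat.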
Tetra
TETRA (Terrestrial Trunked Radio) is a professional corporate radio communication system with fairly extensive capabilities (group calls, encryption, interconnection of several networks, etc.). Its signals, if they are not encrypted, can also be received using a computer and an SDR receiver.
A TETRA decoder for Linux has existed for a long time, but configuring it was far from trivial, and about a year ago a Russian programmer created a TETRA receiving plugin for SDR#. Now the task is solved in almost literally two clicks; the program lets you display information about the system, listen to voice messages, collect statistics, etc.
The plugin does not implement all the features of the standard, but the main functions more or less work.
According to Wikipedia, Tetra can be used by ambulance services, police, railway transport, etc. I don’t know how widespread it is in Russia (apparently a Tetra network was used at FM2018, but this is not certain); those who want to can check for themselves. Tetra signals are easily recognizable and have a width of 25 kHz, as seen in the screenshot.
Of course, if encryption is enabled on the network (there is such a possibility in Tetra), the plug-in will not work - instead of speech there will be only “gurgling”.
ADSB
Going even higher in frequency, at 1.09 GHz aircraft transponder signals are transmitted, which is what allows sites like FlightRadar24 to show aircraft in flight. This protocol has already been covered before, so I will not repeat it here (the article has turned out long enough as it is); those who wish can read the first and second parts.
Conclusion
As you can see, even with a $30 receiver you can find a lot of interesting things on the air. I am sure that far from everything is listed here, and I have probably missed something or do not know about it. Those who wish can try it on their own; it is a good way to better understand how one system or another works.
I did not cover amateur radio, although it also exists on VHF; this article is, after all, about service communications.
PS: Especially for would-be “cool hackers”, it is worth noting that nothing truly secret has been transmitted in the clear for perhaps 50 years, so from “that” point of view it is not worth spending time and money. But for studying the principles of communication and various engineering systems, getting acquainted with the real operation of real networks is quite interesting and informative.