What is heard on the air? We receive and decode the most interesting signals. Part 2, VHF
Hello, Habr.
The first part described some of the signals that can be received on long and short waves. The VHF band is no less interesting, and there is plenty to find there as well.

As in the first part, we will look at signals that you can decode yourself using a computer. For those interested in how it works, the details continue below the cut.
In the first part, we used the Dutch online receiver to receive long and short waves. Unfortunately, there are no similar services for VHF - the frequency range is too large. Therefore, those who want to repeat the experiments described below will have to get their own receiver. Among the cheapest is the RTL SDR V3, which can be purchased for $30. Such a receiver covers the range up to 1.7 GHz, and all the signals described below were received with it.
So let's get started. As in the first part, the signals are covered in order of increasing frequency.
FM radio
FM radio itself is unlikely to surprise anyone, but what interests us in it is RDS. RDS (Radio Data System) carries digital data “inside” the FM signal. The spectrum of an FM station's signal after demodulation looks like this:

A pilot tone is located at 19 kHz, and the RDS signal is transmitted at three times that frequency, 57 kHz. If both signals are plotted together on a waveform, it looks something like this:

Using phase modulation, a low-frequency signal of 1187.5 Hz is encoded here (incidentally, 1187.5 Hz is not chosen by chance either - it is the 19-kHz pilot-tone frequency divided by 16). After bit-by-bit decoding, data packets of quite a few types are decoded: in addition to text, a station's alternative broadcasting frequencies can be transmitted, for example, so that when entering another area the receiver can automatically tune to a new frequency.
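What happens after the bit-by-bit decoding, as an added example that is not part of the original article: the bit stream is cut into 26-bit blocks, each block's checkword is verified, and a group of type 0A is unpacked into station ID, name characters and an alternative frequency. The generator polynomial, offset words and field layout are those of the RDS standard; the sample group, its PI code and the function names are constructed for illustration.

```python
# RDS block = 16 information bits + 10-bit checkword (constants from the RDS standard).
GENERATOR = 0x5B9  # x^10 + x^8 + x^7 + x^5 + x^4 + x^3 + 1
OFFSETS = {"A": 0x0FC, "B": 0x198, "C": 0x168, "D": 0x1B4}  # one offset word per block


def crc10(info):
    """Remainder of info(x) * x^10 divided by the generator polynomial."""
    reg = info << 10
    for bit in range(25, 9, -1):
        if reg & (1 << bit):
            reg ^= GENERATOR << (bit - 10)
    return reg & 0x3FF


def encode_block(info, name):
    """Transmitter side: append (CRC XOR offset word) to the 16 information bits."""
    return (info << 10) | (crc10(info) ^ OFFSETS[name])


def check_block(block, name):
    """Return the 16 information bits, or None if the checkword does not match."""
    info, check = block >> 10, block & 0x3FF
    return info if (crc10(info) ^ check) == OFFSETS[name] else None


def decode_group_0a(blocks):
    """Decode one group of type 0A; None if a block is damaged or the type differs."""
    words = [check_block(b, n) for b, n in zip(blocks, "ABCD")]
    if any(w is None for w in words):
        return None
    pi, b2, b3, b4 = words
    if b2 >> 11 != 0:  # top 5 bits of block 2: group type 0, version A
        return None
    af_codes = (b3 >> 8, b3 & 0xFF)  # codes 1..204 mean 87.6..107.9 MHz in 0.1 MHz steps
    return {
        "pi": pi,                                    # programme identification
        "pty": (b2 >> 5) & 0x1F,                     # programme type
        "segment": b2 & 0x3,                         # which 2 of the 8 name characters
        "ps_chars": bytes([b4 >> 8, b4 & 0xFF]).decode("ascii", "replace"),
        "alt_freqs_mhz": [(875 + c) / 10 for c in af_codes if 1 <= c <= 204],
    }


def find_group(bits):
    """Slide over a demodulated bit list until four 26-bit blocks check as A, B, C, D."""
    for start in range(len(bits) - 103):
        blocks = [
            int("".join(str(b) for b in bits[start + 26 * i:start + 26 * (i + 1)]), 2)
            for i in range(4)
        ]
        group = decode_group_0a(blocks)
        if group is not None:
            return start, group
    return None


def sample_bits():
    """Constructed input: 7 junk bits, then one group 0A (all values made up)."""
    infos = [0x7C01, 0x0148, 0xE189, 0x4841]  # PI, type 0A + PTY 10, one AF 101.2 MHz, "HA"
    bits = [1, 0, 1, 1, 0, 0, 1]
    for info, name in zip(infos, "ABCD"):
        bits += [int(c) for c in format(encode_block(info, name), "026b")]
    return bits


if __name__ == "__main__":
    print(find_group(sample_bits()))
```

The offset words do double duty: they let the receiver find block boundaries in an unframed bit stream and they reject corrupted blocks, but they are only an error check, so nothing in the format proves who sent the data.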
You can receive the RDS data of local stations using the RDS Spy program. It can be fed from HDSDR if you select FM modulation, a signal width of 120 kHz and a sample rate of 192 kHz, as shown in the figure.

Then it is enough to redirect the signal from HDSDR to RDS Spy using Virtual Audio Cable (in the VAC settings you also need to specify a sample rate of 192 kHz). If everything is done correctly, we will see all the RDS information, much more than an ordinary household radio shows:

Besides FM, by the way, you can also decode DAB+, which was covered in a separate article. It does not work in Russia yet, but it may be relevant in other countries.
Air range
Historically, aviation has used amplitude modulation (AM) and the 118-137 MHz frequency range. Communications between pilots and controllers are not encrypted in any way, and anyone can receive them. About 20 years ago, ordinary cheap Chinese radios were “tweaked” for this - it was enough to spread apart the local oscillator coils, and the range would shift, if you were lucky, towards higher frequencies. Those interested in “digital archeology” can read the discussion on the radioscanner forum from 2004. Later, Chinese manufacturers met users halfway and simply added the Air range to their receivers (in the comments to the first part, the Tecsun PL-660 or PL-680 were recommended). But of course, more specialized devices (for example, AOR or Icom receivers) are preferable - they have noise suppression (the sound turns off when there is no signal, so there is no constant hissing) and a higher frequency scanning speed.
Each major airport uses quite a lot of frequencies, for example, the Pulkovo airport frequencies taken from the radioscanner website:

By the way, you can listen to live air traffic communications from various Russian cities (Moscow, St. Petersburg, Chelyabinsk and some others) online at http://live.radioscanner.net.
For our purposes, the interesting digital protocol in the air range is ACARS (Aircraft Communications Addressing and Reporting System). Its signals are transmitted on 131.525 and 131.725 MHz (European standard; frequencies may vary by region). These are digital bursts at 2400 or 1200 bps; with this system pilots can exchange messages with the dispatcher. To decode them in MultiPSK, tune to the signal in AM mode (an SDR receiver is needed because the signal bandwidth is more than 5 kHz) and redirect the audio using Virtual Audio Cable.
The result is shown in the screenshot.

The ACARS signal format is quite simple and can be examined in SA Free. Just open a fragment of the recording, and we will see that “inside” the AM recording there is actually frequency modulation.

Then, by applying a frequency detector to the recording, we easily get the bitstream. In practice you are unlikely to have to do this, because ready-made programs for decoding ACARS were written long ago.
Weather satellites NOAA
After listening to the aviators' conversations, you can climb even higher - into space. There we are interested in the NOAA 15, NOAA 18 and NOAA 19 weather satellites, which transmit images of the Earth’s surface at 137.620, 137.9125 and 137.100 MHz. You can decode the signal using the WXtoImg program.
The received picture may look something like this (photo from the radioscanner website):

Unfortunately (the laws of physics cannot be fooled, and the Earth is round, although not everyone believes it), a satellite's signal can be received only while it passes over us, and these passes do not always come at a convenient time or angle above the horizon. Previously, to find out the date and time of the next pass you had to install the Orbitron program (a long-lived program that has existed since 2001); now it is easier to check online at https://www.n2yo.com/passes/?s=25338, https://www.n2yo.com/passes/?s=28654 and https://www.n2yo.com/passes/?s=33591 respectively.
The signal from the satellites is quite strong and can be heard with almost any antenna and any receiver. But to get a good-quality picture, a special antenna and a clear view of the horizon are still desirable. Those interested can watch the English-language tutorial on YouTube or read a detailed description. Personally, I didn’t have the patience to see it through, but others may be luckier.
Paging messages FLEX / POCSAG
I do not know whether paging is still in service for corporate clients in Russia; in Europe it is fully operational and is used by firefighters, police and various services.
You can receive FLEX and POCSAG signals using HDSDR and Virtual Audio Cable; PDW is used for decoding. It was written back in 2004 and its interface looks the part, but strangely enough it still works quite well.

There is also the multimon-ng decoder, which runs on Linux; its source is available on GitHub. The POCSAG transfer protocol was also covered in a separate article, which those who wish can read for more detail.
Keychains / Wireless Switches
Even higher in frequency, at 433 MHz, there are a number of different devices - wireless switches and sockets, doorbells, car tire pressure sensors, etc.

These are often cheap Chinese devices with simple modulation. There is no encryption, and a simple binary code is used (OOK - on-off keying). The decoding of such signals was covered in a separate article. We can use the ready-made rtl_433 decoder, which can be downloaded from here.

By running the program, you can see various devices and (if there is a parking lot nearby) find out, for example, the tire pressure of a neighbor's car. There is little practical sense in this, but from a purely mathematical point of view it is quite interesting - the protocols of these signals are simple to decode.
By the way, those who buy such wireless switches should keep in mind that they are not protected in any way, and theoretically your hacker neighbor with a HackRF or a similar device can maliciously turn off the light in the toilet at the most inopportune moment or do something similar. Personally, I do not bother, but if security matters, you can use more serious and more expensive devices with proper keys and authentication (Z-Wave, Philips Hue, etc.).
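Why a fixed code gives no protection while keys and authentication do, as an added example that is not part of the original article and is not the actual Z-Wave or Philips Hue protocol: a receiver that compares against a static code accepts the same recorded frame again, whereas one that checks an HMAC over a counter rejects both a repeated and a forged frame. The frame layout, key, code value and class names are assumptions made for illustration.

```python
import hashlib
import hmac

FIXED_CODE = bytes.fromhex("a5c3f0")  # constructed 24-bit code, identical on every press


class FixedCodeReceiver:
    """Models the cheap OOK switch: any frame equal to the stored code is accepted."""

    def __init__(self, code):
        self.code = code

    def accept(self, frame):
        return frame == self.code


def make_frame(key, counter, command):
    """Hypothetical frame: 4-byte counter | 1-byte command | 8-byte truncated HMAC."""
    body = counter.to_bytes(4, "big") + command
    return body + hmac.new(key, body, hashlib.sha256).digest()[:8]


class AuthenticatedReceiver:
    """Accepts a frame only if its tag verifies and its counter is strictly newer."""

    def __init__(self, key):
        self.key = key
        self.last_counter = 0

    def accept(self, frame):
        if len(frame) != 13:
            return False
        body, tag = frame[:5], frame[5:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()[:8]
        if not hmac.compare_digest(tag, expected):
            return False  # sender does not know the key
        counter = int.from_bytes(body[:4], "big")
        if counter <= self.last_counter:
            return False  # frame was seen before (or is older): replay
        self.last_counter = counter
        return True


def demo():
    key = b"constructed-demo-key"  # shared by remote and receiver in this model
    fixed, auth = FixedCodeReceiver(FIXED_CODE), AuthenticatedReceiver(key)
    recorded = make_frame(key, 1, b"\x01")  # one legitimate button press
    forged = (2).to_bytes(4, "big") + b"\x01" + bytes(8)  # right layout, no key
    return {
        "fixed_first": fixed.accept(FIXED_CODE),
        "fixed_replay": fixed.accept(FIXED_CODE),  # same bytes work every time
        "auth_first": auth.accept(recorded),
        "auth_replay": auth.accept(recorded),      # rejected: counter not newer
        "auth_forged": auth.accept(forged),        # rejected: bad tag
        "auth_next": auth.accept(make_frame(key, 2, b"\x01")),
    }


if __name__ == "__main__":
    print(demo())
```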
TETRA
TETRA (Terrestrial Trunked Radio) is a professional corporate radio communication system with fairly extensive capabilities (group calls, encryption, combining several networks, etc.). Its signals, if they are not encrypted, can also be received using a computer and an SDR receiver.
A TETRA decoder for Linux has existed for a long time, but configuring it was far from trivial, and about a year ago a Russian programmer created a TETRA reception plug-in for SDR#. Now the task is solved in almost literally two clicks; the program can display information about the system, play voice messages, collect statistics, etc.

The plugin does not implement all the features of the standard, but the basic functions more or less work.
According to Wikipedia, Tetra can be used by ambulance services, police, railway transport, etc. I don’t know how widespread it is in Russia (it seems a Tetra network was used at the 2018 World Cup, but this is not certain); anyone can check for themselves - Tetra signals are easily recognizable and have a width of 25 kHz, as can be seen in the screenshot.
Of course, if encryption is enabled on the network (Tetra provides for this), the plug-in will not work - instead of speech, there will only be “gurgling”.
ADSB
Rising even higher in frequency, aircraft transponder signals are transmitted at 1.09 GHz, which is what allows sites such as FlightRadar24 to display aircraft in flight. This protocol has already been covered before, so I won’t repeat it here (the article has turned out long as it is); those who wish can read the first and second parts.
Conclusion
As you can see, even with a $30 receiver you can find a lot of interesting things on the air. I’m sure that not everything is listed here, and I probably missed something or don’t know about it. Those who wish can try it on their own - this is a good way to better understand how a particular system works.
I did not cover amateur radio, although it is also present on VHF; the article is, after all, about official communications.
PS: For would-be “cool hackers” in particular, it can be said that nothing really secret has been broadcast on the air for about 50 years, so from that point of view you should not waste your time and money. But from the point of view of studying the principles of communication and various engineering systems, getting to know how real networks actually operate is quite interesting and informative.