This post presents the RTL-SDR setup on Raspberry Pi 3 with Raspbian
Setting up the environment
Open the terminal, then:
pi@raspberrypi:~ $ sudo apt-get install gnuradio % take some time to install all packages
pi@raspberrypi:~ $ gnuradio-companion % if it opens the gnuradio-companion, everything is ok
Installing RTL-SDR and gr-osmosdr packages
pi@raspberrypi:~ $ sudo apt-get install rtl-sdr gr-osmosdr
After successfully installing the packages, plug the RTL-SDR to the Raspberry Pi 3 USB Port, then list the USB devices connected to the Raspberry Pi 3:
pi@raspberrypi:~ $ lsusb
Look for Realtek device (RTL), in my case “Realtek Semiconductor Corp. RTL2838 DVB-T”:
Now it is time to check if RTL-SDR is working:
pi@raspberrypi:~ $ rtl_test
In my case it is working by the first time on Raspberry Pi 3, but there is a known issue (on Ubuntu) related to driver conflict (it uses the Digital TV Driver – dvb_usb_rtl28xxu), if this is your case, do the following:
pi@raspberrypi:~ $ sudo rmmod dvb_usb_rtl28xxu % to make this fix permanent, you have to move driver dvb_usb_rtl28xxu to blacklist
and, try again:
pi@raspberrypi:~ $ rtl_test
Testing time :)
Install the GQRX, through apt-get:
pi@raspberrypi:~ $ sudo apt-get install gqrx-sdr
Then run GQRX:
pi@raspberrypi:~ $ gqrx
If not asked to select I/O Device, go to “File” > “I/O Devices” then select Realtek RTL-SDR, now you can click “Power” button then you can hear noise and see FFT live graph (up) and waterfall live graph (bottom).
Due to processing limitations from Raspberry Pi, to avoid crashes, you have to reduce the sample rate for GQRX, to do it go to: “File” > “I/O Devices” > “Sample Rate” or edit /home/pi/.config/gqrx/default.conf
RTL-SDR known to works up to 2.4 Msps on Raspberry Pi 3 and up to 1.44 Msps on Raspberry Pi 2.
In most cases you can reduce the CPU load further by reducing the window size, sample rate, FFT rate and FFT size (try 2048 at 10-15 Hz). If you are only interested in the FFT, set Mode to “Demod Off”. This will greatly reduce the CPU load.
- git clone https://github.com/ha7ilm/qtcsdr
- cd qtcsdr
If rpi-test.sh succeeds, then type qtcsdr on command line.
pi@raspberrypi:~ $ qtcsdr
Congratulations, your RTL-SDR is working on Raspberry Pi 3! Now you can use available SDR tools on Raspberry Pi 3.
Recently I bought a low cost wireless doorbell so I decided to analyze the RF communication and reproduce a replay attack.
To accomplish the attack I used an Ettus USRP2 N210 SDR (Software Defined Radio), a Voye wireless doorbell and GNU Radio.
The replay attack (also called as playback attack) is simple and very interesting attack, it works by simply recording a signal and then rebroadcasting it once it used a “fix code” signal to activate the doorbell.
(Ettus USRP2 N210 SDR (Software Defined Radio)
(Voye wireless doorbell)
GNU Radio Companion (GRC) is a graphical tool for creating signal flow graphs and generating flow-graph source code.
Identifying the signal
Usually doorbells operates at frequencies of 433Mhz (Europe) or 315Mhz (America), it was first noticed the frequency of 433Mhz in order to get signal but nothing was found. Analyzing the 315MHz frequency we found the signal from the doorbell transmitter.
We used GQRX to clearly identify the frequency:
(GQRX – identify the frequency)
Capturing the signal
We recorded the signal from the doorbell transmitter in GNU Radio into a RAW file.
We’re using 2e6 (2M) as Sample Rate and this value should be used in every step.
(flow-graph capturing the signal)
Opening this up in AUDACITY we can see groups of pulses making up a single button press and we can identify this is a OOK (On-Off Keying) Signal.
(Audacity – Raw File)
On zooming in to a button press, we can see these button presses are made up of similar looking groups.
(Audacity – Raw File – Zoom in)
Isolating the signal
Now we are going to export this slice of signal (4 sequences):
(Audacity – Isolating the signal)
Notice that we’ve exported 4 sequences because the receiver has a error rate and it needs to receive more than 1 package of bits.
We gonna export using the following configuration:
(Audacity – Export Configuration)
Transmitting the signal
Finally, the last step was to create a flow graph to transmit the raw signal isolated.
(flow-graph transmitting the signal)
After executing the doorbell will ring…
Video of replay attack: