An introduction to Software Defined Radios.
A thread for beginners on:
1. What a SDR is
2. What you can do with SDRs
3. How it plays a role in the security/hacking world
4. How it’s used in ham radio.
5. How to choose/buy one
6. Link to more reading material
0/21
A thread for beginners on:
1. What a SDR is
2. What you can do with SDRs
3. How it plays a role in the security/hacking world
4. How it’s used in ham radio.
5. How to choose/buy one
6. Link to more reading material
0/21
Disclaimer: I need to oversimplify many concepts, and also omit/skip some advanced ones. This is a huge topic that can’t be covered in a few posts, and my target audience is beginners.
What is SDR? If you’ve heard of RTL-SDR or HackRF but aren’t sure why they’re so popular among hackers, ham radio enthusiasts, and the SIGINT community, this thread is for you.
Traditionally, radios were fixed-function, and all implemented in hardware. An FM radio did just that: receive FM in the 88-108 MHz range. If you wanted to listen to let’s say shortwave (3-30MHZ), then you needed a new radio that had that functionality. You were limited to the hardware.
SDRs change this. With SDR, the hardware is controlled by software, giving you flexibility. Basically, many functions that traditionally were done in electronics circuits (e.g. filtering, demodulation, etc) are done digitally in SDRs.
Want to listen to FM? Easy. Want to explore Bluetooth or decode satellite downlink? Same device, just different software, or different settings in your SDR app. You define the functionality in software (e.g. which frequency to dial to, which modulation to use to demodulate the signals, what bandwidth to use to receive the signal, etc). Think of it like this: all the physical knobs that you had in the older radios, are now replaced with UI elements in software.
1/21
What is SDR? If you’ve heard of RTL-SDR or HackRF but aren’t sure why they’re so popular among hackers, ham radio enthusiasts, and the SIGINT community, this thread is for you.
Traditionally, radios were fixed-function, and all implemented in hardware. An FM radio did just that: receive FM in the 88-108 MHz range. If you wanted to listen to let’s say shortwave (3-30MHZ), then you needed a new radio that had that functionality. You were limited to the hardware.
SDRs change this. With SDR, the hardware is controlled by software, giving you flexibility. Basically, many functions that traditionally were done in electronics circuits (e.g. filtering, demodulation, etc) are done digitally in SDRs.
Want to listen to FM? Easy. Want to explore Bluetooth or decode satellite downlink? Same device, just different software, or different settings in your SDR app. You define the functionality in software (e.g. which frequency to dial to, which modulation to use to demodulate the signals, what bandwidth to use to receive the signal, etc). Think of it like this: all the physical knobs that you had in the older radios, are now replaced with UI elements in software.
1/21
This brings up a world of possibilities: you could prototype systems in software, that were only possible to be made in hardware in the past. You can use the same SDR that is used to listen to FM radio, to sniff modern wireless protocols (e.g. Bluetooth). This hugely shortens the time to implement a new proof of concept for many use cases (production, research, idea validation, testing etc), and also saves you hardware cost, as most of your time would be spent in software (assuming that you’re using a commercial SDR, already built by another company, like what we cover in this thread)
2/21
2/21
What can you do with SDRs? A few examples:
* Listen to FM radio.
* Decode weather satellite imagery (e.g. NOAA)
* Track airplanes with ADS-B signals
* Listen to amateur radio bands (CW, SSB, digital modes)
* Sniff Bluetooth, Wi-Fi and other wireless protocols
* Find and listen to satellite communications
* Transmit anything (e.g. audio, data, etc) on any frequency, within the SDR’s frequency range [could be illegal depending on the jurisdiction, the frequency, the transmit power, and other factors. Consult your local regulatory laws]
3/21
* Listen to FM radio.
* Decode weather satellite imagery (e.g. NOAA)
* Track airplanes with ADS-B signals
* Listen to amateur radio bands (CW, SSB, digital modes)
* Sniff Bluetooth, Wi-Fi and other wireless protocols
* Find and listen to satellite communications
* Transmit anything (e.g. audio, data, etc) on any frequency, within the SDR’s frequency range [could be illegal depending on the jurisdiction, the frequency, the transmit power, and other factors. Consult your local regulatory laws]
3/21
At its core, an SDR captures signals with an antenna, digitizes them, and sends them to your PC for software-based signal processing. Some SDRs include extras like filters (for better selectivity), or FPGAs (for faster signal handling)
This flexibility opens up endless possibilities. An SDR isn’t just a radio; it’s a toolkit for hacking, experimenting, and prototyping wireless systems that once required expensive hardware.
4/21
This flexibility opens up endless possibilities. An SDR isn’t just a radio; it’s a toolkit for hacking, experimenting, and prototyping wireless systems that once required expensive hardware.
4/21
Here's a few famous/popular SDR apps:
1. GQRX: good for Linux and macOS. Supports many SDRs.
2. SDR#: great app for AirSpy devices and also RTL-SDR, on Windows
3. SDRConnect: for SDRPlay (cross platform)
4. CubicSDR: cross-platform
5. GNU Radio: advanced tool to build various DSP tools from building blocks.
6. Urh: wireless protocol analysis and reverse engineering
7. SDRConsole: Windows app. Supports many SDRs
5/21
1. GQRX: good for Linux and macOS. Supports many SDRs.
2. SDR#: great app for AirSpy devices and also RTL-SDR, on Windows
3. SDRConnect: for SDRPlay (cross platform)
4. CubicSDR: cross-platform
5. GNU Radio: advanced tool to build various DSP tools from building blocks.
6. Urh: wireless protocol analysis and reverse engineering
7. SDRConsole: Windows app. Supports many SDRs
5/21
Which SDR should you get? Here’s my advice:
•Absolute beginner: RTL-SDR ($30-40). Best SDR for beginners. Covers 24MHZ-1.7GHZ. It is cheap, is supported by many apps, has lots of tutorials and videos. Gives you an affordable entry, so you can experiment with apps, antennas, and basics.
•Ham radio enthusiasts: AirSpy HF+ Discovery or SDRPlay RSPdx are good for HF reception. Skip pricey options like WinRadio unless you’re serious in this hobby (if you want high-performance HF receivers, look at Perseus, WinRadio, and Elad products. They come at a price however)
•Wireless hacking: You need something that covers a broader range, to cover higher frequencies (Bluetooth, parts of 4G, etc), and also has transmit support. LimeSDR Mini, PlutoSDR, bladeRF, or USRP B200 are good options. HackRF is good for beginners too, but not my favorite (it has a big community, though)
6/21
•Absolute beginner: RTL-SDR ($30-40). Best SDR for beginners. Covers 24MHZ-1.7GHZ. It is cheap, is supported by many apps, has lots of tutorials and videos. Gives you an affordable entry, so you can experiment with apps, antennas, and basics.
•Ham radio enthusiasts: AirSpy HF+ Discovery or SDRPlay RSPdx are good for HF reception. Skip pricey options like WinRadio unless you’re serious in this hobby (if you want high-performance HF receivers, look at Perseus, WinRadio, and Elad products. They come at a price however)
•Wireless hacking: You need something that covers a broader range, to cover higher frequencies (Bluetooth, parts of 4G, etc), and also has transmit support. LimeSDR Mini, PlutoSDR, bladeRF, or USRP B200 are good options. HackRF is good for beginners too, but not my favorite (it has a big community, though)
6/21
What to look for in an SDR when buying one:
•ADC resolution (8-bit for HackRF, 12-bit for most, 14-16-bit for high-end ones)
•Frequency range (ensure it covers your target signals). A majority of commercial low(er) cost SDRs stop at 6GHZ, because many of them use the same RF chipsets inside (e.g. many SDRs use Analog Devices AD936x). If you’re mainly interested in the lower frequencies (HF), make sure the device supports it, because many SDRs (like bladeRF) don’t support those lower ranges.
•Bandwidth (how much spectrum you can receive at once). For example it’s 2.4MHZ for RTL-SDR, 10MHZ for AirSpy R2, 56MHZ for bladeRF 2.0 etc.
•Interface (USB is the most common; some use Ethernet as well. A few also have PCIe interface)
•Antenna ports: by default an RX-only SDR has 1 antenna port (SMA is the most common connector used on SDRs). When you have a full-duplex SDR (like LimeSDR Mini), you have 2 antenna ports, 1 for receive, 1 for transmit. A half-duplex SDR (like HackRF) only has 1 antenna port, and uses it for both receive and transmit. Some SDRs have more than 1 RX or TX port; For example bladeRF 2.0 has 2 RX antenna ports, and 2 TX antenna ports (4 in total. Called 2x2 MIMO)
◦Some SDRs may have other ports as well. For example for clock reference input, or for GPIO, etc.
•Dynamic range, and selectivity: higher-end SDRs are better at picking weak signals in presence of strong signals (I will write a separate thread about concepts like sensitivity, selectivity, and dynamic range, with real world examples)
•Special needs: make sure the SDR has the extra features you need. E.g. clock reference inputs, built-in filters, built-in bias-Tee, etc.
7/21
•ADC resolution (8-bit for HackRF, 12-bit for most, 14-16-bit for high-end ones)
•Frequency range (ensure it covers your target signals). A majority of commercial low(er) cost SDRs stop at 6GHZ, because many of them use the same RF chipsets inside (e.g. many SDRs use Analog Devices AD936x). If you’re mainly interested in the lower frequencies (HF), make sure the device supports it, because many SDRs (like bladeRF) don’t support those lower ranges.
•Bandwidth (how much spectrum you can receive at once). For example it’s 2.4MHZ for RTL-SDR, 10MHZ for AirSpy R2, 56MHZ for bladeRF 2.0 etc.
•Interface (USB is the most common; some use Ethernet as well. A few also have PCIe interface)
•Antenna ports: by default an RX-only SDR has 1 antenna port (SMA is the most common connector used on SDRs). When you have a full-duplex SDR (like LimeSDR Mini), you have 2 antenna ports, 1 for receive, 1 for transmit. A half-duplex SDR (like HackRF) only has 1 antenna port, and uses it for both receive and transmit. Some SDRs have more than 1 RX or TX port; For example bladeRF 2.0 has 2 RX antenna ports, and 2 TX antenna ports (4 in total. Called 2x2 MIMO)
◦Some SDRs may have other ports as well. For example for clock reference input, or for GPIO, etc.
•Dynamic range, and selectivity: higher-end SDRs are better at picking weak signals in presence of strong signals (I will write a separate thread about concepts like sensitivity, selectivity, and dynamic range, with real world examples)
•Special needs: make sure the SDR has the extra features you need. E.g. clock reference inputs, built-in filters, built-in bias-Tee, etc.
7/21
Now, having talked about SDRs, note that it is just one part of the equation. You also need some accessories for receiving or transmitting signals:
1. Antenna: different frequencies need specific antennas. You have to have an antenna to receive the desired signal. Beginners can start playing with the basic telescopic antenna provided with RTL-SDR.
2. Filters: bandpass filters could reduce noise/interference.
3. Amplifiers and LNAs: used to boost weak signals
4. Reference clocks: improve accuracy for certain applications that need frequency stability.
8/21
1. Antenna: different frequencies need specific antennas. You have to have an antenna to receive the desired signal. Beginners can start playing with the basic telescopic antenna provided with RTL-SDR.
2. Filters: bandpass filters could reduce noise/interference.
3. Amplifiers and LNAs: used to boost weak signals
4. Reference clocks: improve accuracy for certain applications that need frequency stability.
8/21
How can SDR be useful for hackers?
Well, think of all the things that you can do now with a SDR that you couldn’t do in the past: you can receive the signals of a device and analyse or reverse engineer them (e.g. a car keyfob, or an IoT sensor sending some data over 433MHZ, or Bluetooth, or Wi-Fi, or satellite downlink, etc.). You can also emulate a device or perform replay attack or reconstruct a fake wireless command and send it over a specific frequency.
You can even do jamming.
I will link to an example at the end of the thread.
9/21
Well, think of all the things that you can do now with a SDR that you couldn’t do in the past: you can receive the signals of a device and analyse or reverse engineer them (e.g. a car keyfob, or an IoT sensor sending some data over 433MHZ, or Bluetooth, or Wi-Fi, or satellite downlink, etc.). You can also emulate a device or perform replay attack or reconstruct a fake wireless command and send it over a specific frequency.
You can even do jamming.
I will link to an example at the end of the thread.
9/21
How can SDR be useful for the ham radio community?
Well, its use cases are endless. Ham radio operators use SDRs to listen to the shortwave spectrum, to receive NOAA, to decode various sorts of digital modulations (e.g. FT8), to receive amateur satellite communications (e.g. QO-100). Some also use SDR-based transceivers to transmit. There are some high-end SDR-based transceivers built for ham radio use. Some are computer-based (like FlexRadio or Apache) and some are standalone and have physical knobs and displays (like Icom 7300)
10/21
Well, its use cases are endless. Ham radio operators use SDRs to listen to the shortwave spectrum, to receive NOAA, to decode various sorts of digital modulations (e.g. FT8), to receive amateur satellite communications (e.g. QO-100). Some also use SDR-based transceivers to transmit. There are some high-end SDR-based transceivers built for ham radio use. Some are computer-based (like FlexRadio or Apache) and some are standalone and have physical knobs and displays (like Icom 7300)
10/21
SDR architectures, and how they differ from the older receiver architectures:
Majority of older radio systems and even many modern ones use the superheterodyne architecture.
The ideal SDR is just an ADC (analog to digital converter) : basically signals go into the ADC from the antenna, and then the output is sent to an FPGA or PC for processing. In reality however, we need more things.
I will have another thread to dive deeper into SDR architectures, their pros and cons, which SDR uses which architecture, etc. For now, I would just say this: direct sampling SDR is the architecture that basically is close to ideal: it digitises the whole signal, with no mixing or downconversion to intermediate frequencies.
11/21
Majority of older radio systems and even many modern ones use the superheterodyne architecture.
The ideal SDR is just an ADC (analog to digital converter) : basically signals go into the ADC from the antenna, and then the output is sent to an FPGA or PC for processing. In reality however, we need more things.
I will have another thread to dive deeper into SDR architectures, their pros and cons, which SDR uses which architecture, etc. For now, I would just say this: direct sampling SDR is the architecture that basically is close to ideal: it digitises the whole signal, with no mixing or downconversion to intermediate frequencies.
11/21
I only scratched the surface in this thread. I will write more detailed threads in the future, to go deeper on more advanced things (e.g. SDR architectures and their differences, concepts like selectivity and sensitivity, how to test some specs of SDRs, etc)
In the next posts in this thread, I link to my previous threads that are relevant to this topic. I would suggest you check the pinned thread in my profile, as many of the RF basics that I cover, are relevant for this topic (even if you’re just a security engineer and not much interested in RF topics in general)
12/21
In the next posts in this thread, I link to my previous threads that are relevant to this topic. I would suggest you check the pinned thread in my profile, as many of the RF basics that I cover, are relevant for this topic (even if you’re just a security engineer and not much interested in RF topics in general)
12/21
Here’s a thread on best resources to learn more about SDRs:
13/21
13/21
https://twitter.com/mehdihacks/status/1876737712511742130
Can we use a SDR as a spectrum analyzer and vice versa? The short answer is not exactly. You can read more about it here:
14/21
14/21
https://twitter.com/lambdaprog/status/1869369188252582165
How to receive a signal using a SDR, with different methods:
16/21
16/21
https://twitter.com/mehdihacks/status/1877823990892240945
How to transmit a signal using a SDR, with different methods:
17/21
17/21
https://twitter.com/mehdihacks/status/1878203374744551839
How to expand the frequency of your SDR:
19/21
19/21
https://twitter.com/mehdihacks/status/1872673371084730858
• • •
Missing some Tweet in this thread? You can try to
force a refresh
