Finding interesting signals: heat maps and callsigns

With an SDR such as the RTL2832, you can receive a wide swath of spectrum from megahertz to gigahertz, but how to know what to look for? One approach is to consult online databases of frequencies and locations:

• AM/FM: radio-locator
• ATC: LiveATC.net
• ADS-B: FlightAware, FlightRadar24, FlightStats, PlaneFinder
• Wi-Fi 802.11a/b/g/n/ac: wigle.net
• Cellular GSM/CDMA: wigle.net
• DTV/ATSC: transition.fcc.gov
• FCC Databases
• RadioReference.com

and attempt to tune into each frequency individually. However, not all transmitters may be transmitting continuously, or at all in your area. Another approach is to use rtl_power to scan the full spectrum receivable by an RTL-SDR, for example:

rtl_power -f 13M:1750M:200k -i 100 -e 24h data.csv

This produces a comma-separated values file, convert to a graphical representation with keenerd’s rtl-sdr-misc heatmap generation tool:

python rtl-sdr-misc/heatmap/heatmap.py data.csv heatmap.png

Generates an image something like this:

tholin’s 24-hour annotated full-range scan

Here’s what mine looks like:

13–1750 MHz, 14-hour scan, 200k bin_size

Another scan a day later, zooming out using 100M bin sizes instead of 200k:

13–1750 MHz, 11-hour scan, 1M bin size

You can then use this graph as follows:

1. Visually inspect the waterfall, identifying ranges of periodic, continuous, and intermittent signals of interest
2. Lookup nearby exact frequencies in the above reference databases
3. Recapture signal data live and decode with appropriate software

If a signal cannot be identified, try sigidwiki or /r/signalidentification

Periodic: 72 MHz Primex Time Sync Signal

On my scan, there is a ~30 min periodic signal visible at about 72 MHz:

Tuning in with GQRX after the fact (fortunately it was still transmitting later), shows the frequency is 72.320 MHz, and demodulating with FM, repeated beeping sound, listen here. The signal turned off at approximately 8:06 pm local time.

Researching finds it is likely a wireless clock system, from Primex Wireless. The WWVB time signal in Fort Collins, CO transmits continuously at 60 kHz; this signal is retransmitted locally as FM for better reception:

With the Primex Wireless system, the GPS signal is locally rebroadcast in a building at a 72.1- to 72.4 MHz frequency that is less prone to noise signals than the WWVB broadcast frequency of 60 kHz and more easily penetrates walls and metal structures. The GPS signal is also less affected by weather conditions, and the receiver can pick it up anywhere in the world

Since the WWVB signal is amplitude-modulated (AM), it is susceptible to electrical noise, both man-made and weather-related. This interference can mask synchronizations of WWVB clocks. Primex Wireless clocks are synchronized by an FM signal, which is less prone to interference. Furthermore, GPS clocks can receive synchronization six times a day, whereas most WWVB clocks only look for a signal GPS clocks will be inherently more accurate just because they synchronize more often and won’t drift as far.

TODO: is there any SDR decoder for these time signals? 60 kHz, 72 MHz?

To confirm, looked up the FCC registered frequencies from RadioReference in my area, and sure enough there was a site transmitting 72.320 MHz for wireless clock synchronization. By clicking on the callsign, you can view the location, usage notes, and other frequencies registered to the same callsign.

WWVB

WWVB’s 60 kHz is below what I could successfully tune to with my SDRs (HackRF and RTL-SDR/RTL2832), but @5UP7 recorded it with a custom receiver here: The Sound of WWVB (60 KHz).

WWV

2.5, 5, 10, 15, and 20 MHz WWV shortwave station, located at same site as WWVB, barely receive it.

Continuous: broadcast radio

Broadcast FM radio is visible as solid bands, high powered and continuous:

FM broadcast radio bands, 87.5–108.0 MHz

Receiving these FM stations is straightforward in CubicSDR:

Nothing too interesting, your mundate FM radio broadcast

These are some of the strongest signals I receive. TODO: try using an FM trap to reduce interference with other signals

Intermittent: Two-way radio, 150–156 MHz

Two-way radio frequencies

Two-way radio bands are visible on the heatmap as shown to the left. Power is only transmitted when the mic is keyed on and someone is speaking, hence the intermittent irregular blips.

150–156 MHz encompasses the “VHF business band, public safety, the unlicensed Multi-Use Radio Service (MURS), and other 2-way land mobile”. Many frequencies here were registered to the public safety pool. The FCC database helpfully includes the emission type designator code:

The “emission” field on the RadioReference FCC database

The code is documented on Wikipedia: types of radio emissions, including the bandwidth and modulation. 11K0 = 11.0 kHz bandwidth, F3E = FM speech. This corresponds to “narrow FM” in GQRX, and the speech can be heard loud and clear, an officer asking for a van number in this case.

Note that if you demodulate a FM signal as AM, you may be able to vaguely hear speech, but can’t quite make it out. Using the FCC database and emission type can be helpful to ensure you are demodulating correctly. Another tip: when no one is transmitting, press the “A” button in GQRX to set the squelch to the background noise level, then you can give your ears a break from static, only emitting audio when there is a real signal:

Squelching when there is no transmission

Many interesting frequencies were from the county or city, but a private taxi dispatch service for a local cab company (for those not using Uber or Lyft) was also heard somewhere on this band.

Morse code signal at 150–156 MHz

Not all communication in the 150–156 MHz VHF band is speech. This signal from a municipal service is modulated with FM, transmitting what sounds to be none other than morse code:

Morse code FM signal in 150–156 MHz VHF band

… … — — would decode to “SSM”, whatever that means. Immediately after, and during most of the airtime, is a loud grinding sound. Unknown if this is a preamble for a longer transmission, and the grinding is the actual payload, or just noise. The FCC emission type is 7K60FXE, meaning 7.6 kHz bandwidth (7K60), FM modulation (F), type of modulating signal “none of the above” (X), but type of transmitted information is telephony (E).

7K60FXE is used by the Motorola digital radio product MOTOTRBO, this may be where this signal is coming from. TODO: confirm, try decoding

Amateur radio at 70 cm, 420–450 MHz

Much chatter is visible at upper ends of the 70-centimeter band and beyond:

At 443.575 MHz, hams were discussing the 2-meter band and a P25 system.

This is clearly a busy area of the radio spectrum, worth investigating further. Many of the signals appeared not to be AM or FM speech, but data.

Cellular

Cellular bands: LTE 730/750 MHz, GSM 850 MHz, etc.

Packets: ADS-B at 1090 MHz

Transmissions from aircraft, these are digital messages, the packets are faintly visible:

ADS-B at 1090 MHz

For how to receive & decode these messages: flight tracking with dump1090. There is some traffic on the related 978 MHz UAT band, sometimes used by smaller aircraft:

Try decoding the UAT signals with dump978

Higher frequencies, beyond RTL-SDR

tholin’s heatmap showed not much between 1–1.7 GHz, then GSM-1800 at 1.8 GHz, DECT cordless phones 1.9 GHz, and UMTS 3G up to 2.1 GHz. But my NooElec NESDR Mini 2+ topped out at about 1.7 GHz, so I couldn’t show these on the heatmap. The HackRF One has a whopping 6 GHz maximum frequency (or possibly higher, 7 GHz+), but unfortunately, the powerful rtl_power utility included with librtlsdr is only for RTL-SDRs.

If there was an analogous HackRF-compatible tool, we may see WiFi at 2.4 and 5 GHz, as well as ZigBee and Bluetooth and microwaves at 2.4 GHz.

TODO: find and try out such a tool, if one exists