Wednesday 05 February

Inmarsat is a communications service provider with several geostationary satellites in orbit. They provide services such as satellite phone communications, broadband internet, and short text and data messaging services. Geostationary means that the satellites are in a fixed position in the sky and do not move. From almost any point on earth at least one Inmarsat satellite should be receivable.

Inmarsat transmits in the L-band at around 1.5 GHz. With an RTL-SDR dongle, a cheap $10 modified GPS antenna OR 1-2 LNA’s and a patch or dish antenna you can listen to these Inmarsat signals, and in particular decode one channel known as STD-C NCS. This channel is mainly used by vessels at sea and contains Enhanced Group Call (EGC) messages which contain information such as search and rescue (SAR) and coast guard messages as well as news, weather and incident reports. See the end of this post for a tutorial on modifying a GPS antenna for Inmarsat reception.

Also, as a small aside, you might want to use this tutorial to practice your L-band reception, since Outernet is planning to begin its L-band broadcasts later this year, which may possibly be broadcast from Inmarsat or equivalent satellites. These broadcasts will be at a nearby frequency and will contain about 10 megabytes of daily data. The RTL-SDR should also be able to receive these broadcasts if a compatible decoder is written.

Some examples of the EGC messages you can receive on the STD-C NCS channel are shown below:

Military Operations: Live Firing Warning
Armed Robbery / Pirate Warning
Armed Robbery / Pirate Warning
Submarine Cable Repair Warning
Search and Rescue – Missing Vessel
Scientific Research Vessel Drilling – Request for wide clearance
Weather Warning

Equipment and Software

  • An R820T2 or E4000 RTL-SDR dongle. You can use one of our improved R820T2’s with an optional built-in bias tee, so that powering the LNA’s or GPS antenna is as easy as plugging them in. Note, however, that the R820T2 may not receive well above 1.5 GHz if the ambient temperature is too hot. If you have an Airspy SDR then this is even better.
  • An L-band antenna with 1 – 2 Low Noise Amplifiers (LNA’s) OR a modified GPS active antenna. We tested two antennas: one was a prototype air gap L-band patch antenna supplied by Outernet together with one or two 15 dB LNA’s. The second antenna was a modified active GPS antenna. Both worked well, with the Outernet air gap patch antenna being a little better. (Note that we received this antenna for testing purposes; it is not yet on sale.)
    • You can use a $10 28 – 30 dB gain modified GPS active antenna. We show you how to modify such an antenna at the end of this post.
    • If using a patch antenna then you will need about 15-30 dB’s of total amplifier gain which is supplied by one or two LNA’s. If a short cable run is used 15 dB should be enough, if a longer coax run is used 30 dB may be needed.
    • To power the LNA’s and active GPS antennas you will need a bias tee or external power source near the antenna.
  • The Inmarsat decoder from inmarsatdecoder.com. Note that Chrome and many virus detectors class this website and software as a virus, but we believe that it is a false positive. If you don’t want to risk it then an alternative with similar functions is the Tekmanoid Java based STD-C EGC decoder, but we note the first decoder appears to work much better.
  • You will also need to have installed SDR# or similar and Audio piping software like Virtual Audio Cable, VB Cable, or have enabled stereo mix.

The Outernet L band patch antenna will be sold by Outernet in the future. It is based on air gap dielectric patch antenna designs which give higher gains than ceramic patches (like the smaller ones used in the active GPS antennas). Here is what the prototype they sent us looks like. It has a VSWR of about 1.1 at 1.5 GHz and 1.45 at 1.56 GHz.

The prototype Outernet Patch Antenna

Tutorial

  1. The first step is to find out where in the sky your local Inmarsat satellites are. We think that the easiest way to do this is to use a free Android app called “Satellite AR”. Simply open this app and search the satellite database for “Inmarsat”. Choose Inmarsat 3-F or 4-F and use the augmented reality camera view to spot the position of these satellites. Note that the satellite position is fixed so the satellite will not move over time – there is no need to do any antenna tracking.
  2. Point the L-band antenna towards the satellite and make sure it has an unobstructed view of the sky.
  3. Connect the LNA’s near the antenna. We suggest using a few meters of coax to get the RTL-SDR a few meters away from the antenna, as its own unintentional emissions tend to cause interference at L-band frequencies. We recommend using low loss RG6 or similar, but if you have two LNA’s lower quality cable may be acceptable. Another option to prevent the interference is to shield the RTL-SDR with a metal box.
  4. Choose and set your default audio piping method in Windows sound recording properties (e.g. Stereo Mix, Virtual Audio Cable or VB Cable).
  5. Set the audio piping method to have a sample rate of 48 kHz by setting it in the Playback and Recording properties tabs.
  6. Open SDR# and set the output audio dropdown box to the audio piping method that you have chosen to use.
  7. Start SDR# and tune to 1.541450 GHz. You should see a thin signal that is about 2.5 kHz in bandwidth, this is the STD-C NCS channel. Since the signal is circularly polarized you might try rotating the antenna you are using for best reception.
  8. If the signal is not at the correct frequency due to oscillator drift and PPM offset, then carefully center the signal on your tuning bar using the PPM correction in SDR#. Note that at these L band frequencies a 1 PPM adjustment can be quite large for a narrowband signal like this (1 PPM = 1.5 kHz @ 1.5 GHz). If you cannot exactly center the signal using PPM correction alone, then just manually center the signal with the mouse or tuning bar.
  9. Now set the mode to USB and tune exactly 2 kHz below the center frequency. E.g. in SDR# if the center frequency was exactly 1.541.450.000 kHz then tune to 1.541.448.000 kHz.
  10. Set the bandwidth to about 4 kHz (4000).
  11. Open the Inmarsat decoder demo program called tdma-demo.exe. Watch the QUAL value in the lower left. If it is near zero, turn up the volume in SDR# until you start to see a number above zero. Keep adjusting the volume until the QUAL value peaks. (Alternatively, open the Tekmanoid decoder and adjust the volume so that the volume bar is green.)
  12. After a few seconds you should begin to see information in the command window. Check in the Inmarsat decoder folder for automatically saved .txt files of the actual received messages, like the ones in the examples shown above.

Below is an example of what an Inmarsat STD-C NCS channel sounds like when tuned in USB mode, 2 kHz below the center frequency. Also a screenshot showing what running SDR# and Inmarsatdecoder should look like.

http://www.rtl-sdr.com/wp-content/uploads/2015/08/inmarsat_stdc.mp3

SDR# tuned to the Inmarsat STD-C NCS channel with Inmarsat decoder running

Note that if you don’t have a TCXO dongle then the frequency may drift significantly for the first half hour or so. Even with a TCXO a 1 – 2 PPM temperature drift at 1.5 GHz is 1.5 kHz, which can be large enough to cause trouble when decoding a 2.5 kHz narrowband signal like this. We recommend waiting long enough for the temperature drift to settle before tuning, probably 5 to 10 minutes with a TCXO dongle and up to 30 minutes for a non-TCXO oscillator dongle. After the inmarsatdecoder program gets a lock it will continue to track the signal for drifts of about 500 Hz.
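The tuning arithmetic from steps 7 to 9 and the drift note above, worked through as an added example that is not part of the original post. The function names are hypothetical, and two things are assumptions: that the PPM correction is entered in whole-PPM steps, and that the 500 Hz tracking figure is used as the tolerance for a residual tuning error.

```python
NCS_HZ = 1_541_450_000   # STD-C NCS centre frequency (step 7)
USB_OFFSET_HZ = 2_000    # step 9: tune 2 kHz below the centre in USB mode
TRACK_RANGE_HZ = 500     # drift the decoder follows once locked (from the post)


def plan_tuning(observed_hz, nominal_hz=NCS_HZ):
    """Plan the correction for a carrier seen at observed_hz on an uncorrected dial."""
    error_hz = observed_hz - nominal_hz
    hz_per_ppm = nominal_hz / 1e6                 # about 1.5 kHz per PPM here
    ppm = round(error_hz / hz_per_ppm)            # assumption: whole-PPM steps only
    residual_hz = round(error_hz - ppm * hz_per_ppm)
    centre_hz = nominal_hz + residual_hz          # where the carrier sits afterwards
    return {
        "ppm": ppm,                               # size of the dial error in PPM
        "residual_hz": residual_hz,               # left over after the PPM step
        "usb_dial_hz": centre_hz - USB_OFFSET_HZ,
        # assumption: a residual beyond the tracking range needs manual centring
        "needs_manual_centring": abs(residual_hz) > TRACK_RANGE_HZ,
    }


def worst_case_residual_hz(nominal_hz=NCS_HZ):
    """Largest error a whole-PPM correction can leave behind (half a step)."""
    return nominal_hz / 1e6 / 2


def drift_budget(drift_ppm, nominal_hz=NCS_HZ):
    """Return (drift in Hz, True if the locked decoder can still follow it)."""
    drift_hz = abs(drift_ppm) * nominal_hz / 1e6
    return drift_hz, drift_hz <= TRACK_RANGE_HZ


def max_trackable_ppm(nominal_hz=NCS_HZ):
    """Oscillator drift, in PPM, that equals the decoder's tracking range."""
    return TRACK_RANGE_HZ / (nominal_hz / 1e6)


if __name__ == "__main__":
    # Constructed readings: carrier seen 3.9 kHz and 3.0 kHz above nominal.
    for seen in (1_541_453_900, 1_541_453_000):
        print(seen, plan_tuning(seen))
    print("worst-case residual (Hz):", round(worst_case_residual_hz(), 1))
    print("1 PPM drift:", drift_budget(1.0))
    print("trackable drift (PPM):", round(max_trackable_ppm(), 3))
```

A whole-PPM step can leave up to about 770 Hz of error, more than the 500 Hz tracking range, which is why step 8 falls back to centring the signal by hand.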

The paid version of the Inmarsat decoder can also decode private messages that are sent through the channel. This includes stuff like personal messaging and emails with attachments like office documents. The full version costs 100 euros. Note that decoding these private messages may not be legal in all countries, so please respect your local laws.

How to Modify a GPS Antenna for Inmarsat Reception

A cheap $10 USD active GPS antenna can be modified for Inmarsat reception. Active GPS antennas contain a ceramic patch antenna, LNA and bandpass filter which is tuned for 1575 MHz. The bandpass filter prevents reception from signals more than 1-2 MHz away from 1575 MHz. All that is needed to modify a GPS antenna for wide band reception is for the bandpass filter to be removed. Below we show how this is done on a cheap GPS antenna that we bought.

First carefully remove the plastic case. On some antennas this can just be pulled apart with a flat head screwdriver, but on others you may need to cut apart the plastic with pliers. Inside will be the antenna. On the top will be a ceramic patch antenna, and on the bottom will be a metal reflector which will be covering the circuitry.

Inside the antenna case. A ceramic patch antenna. Reflector on the back of the GPS antenna. Soldered down at the four corners.

Using a soldering iron carefully remove the bottom reflector by desoldering the joints in the four corners. This is all that holds the reflector down. Removing the reflector will reveal the circuit.

You should be able to notice the bandpass filter on the circuit. It should be the largest component on the board and it may be labelled with the number 1575. On our antenna it was labelled with 1575P.

GPS antenna circuit. Bandpass filter visible – the large white component marked 1575P.

Carefully remove the bandpass filter. If you have the tools you can do it carefully with hot air. If you don’t have the tools you can just rip it from the board by levering and twisting it off. Just note that this will probably pull up some of the PCB pads too.

Now with the filter removed, bridge together the IN and OUT filter pads by soldering on a wire. These are usually the pads in the center of the filter. If the pads got completely removed when you ripped off the filter, then you can still bridge the gap by soldering to the connected components.

Bandpass filter removed and IN and OUT pins connected together with a wire short.

Now solder the reflector back on and put the whole thing back into the plastic case, and you’re done! You may also want to experiment with reducing the length of the RG-174 coax used on most cheap active GPS antennas, or with using lower loss coax like RG6 instead.

Solder the reflector back on.

The GPS antenna is not as good as the dedicated L-band patch antenna with LNA(s), but it was still good enough to decode the signal. See below for a waterfall comparison between the two antennas. Mouse over to see the GPS antenna waterfall. The STD-C NCS channel is the first thin line to the left of the red tuning bar. In this setup we used two LNA’s on the patch antenna, and 3M of extension RG174. Without the extension cable only one LNA was needed for similar SNR levels. The GPS antenna used the 3M of RG174 coax that it came with.

Source: RTL SDR