
Superbowl Sweep: a proof of concept to answer a common question

sempai

Member
Premium Subscriber
Joined
Jul 21, 2006
Messages
150
Location
Iowa City, IA
I found an old RadioShack "Pro-97" while tossing junk out and had an extra antenna suitable-ish for CB, and had a moment of curious inspiration about some of the more incessant yappers I've been hearing lately. There's been some conversations here about whether or not some of these jackwagons are actually transmitting, or if there's a hashtag for antisocial weirdos that have decided they will play recordings of people known solely for being Why We Can't Have Nice Things? I thought it was a really good question! And I suspected one that could be answered, so I spent a couple hours on a Friday night that I would rather have spent in an AirBNB with an outdoor hottub in the Poconos with my special lady, but that's Employed Person stuff, so here i am.

having just confirmed the '97 was still functional, i let it run while i was hacking on something else until a recognizable distinctive voice came in all loud and proud for me, and i set to work. i had already staged a lot of this so that i could run with it when the moment came.

# dashboards and monitoring

this is the view of a station in Chicago, IL that I like to use for sanity checking wide-area activity. last summer from 5:30am to 6:50am every morning i was hearing a GMRS repeater in indianapolis, and my house in iowa city is 222 miles away from Chicago and for the sort of activity i'm interested in i should be able to hear a very similar superbowl in iowa city as this station in chicago.
[Screenshot: dx'er 1 - ORD Screenshot 2025-02-14 183233.png]
i created a quick workspace in my web browser (arc) and started dragging in some of my favorite KiwiSDR nodes around the United States from my bookmarks, and started lining them up so i could quickly split and stack ~9 stations, watch their waterfalls, and even record them in real time with my scanner screaming at me on my desk beside me.

as i was doing this it occurred to me that if someone gets super serious about this, or if i continue to be unemployed 😂, that the delay from when i hear something with my ears from my local receiver and when other stations hear it and stream it to me (while also noting and watching latency) should be measured and recorded as well if you want to locate likely origins and geography of the person making the transmission. but even just playing around tonight i think you could realistically determine if a particular transmission is someone with more wattage than friends, or if it's a really unfortunate cult of personality that you've discovered. those delays are short though, a transmission originating in chicago takes 0.0011 seconds to get to me in iowa city, and if i zoom in on the tuner i can see when they open the mic. if you dial in the ceiling and floor and width enough you can even see when they take a breath sometimes!

i grabbed the first voice i could recognize easily after paying more attention to CB lately, and i was able to hear them from my house in Iowa (Iowa City), Georgia (Mansfield), Wisconsin (Rudolph), and Illinois (hells yes, ORD). At that point, I made bigger jumps. I couldn't hear them in Montana, Utah or Texas. In fact, that part of the US had a whole different pool of narcissists! I actually recognized someone camped on ch6 wild west, but I very rarely hear him myself in IA. i've seen some of the superbowl youtube videos people post and he's definitely a villain of note. i think it might be a guy that lives in new mexico selling "modified" CB radios that people have strong opinions about? he loves reverb a little too much for my liking but i'm opinionated about everything too.

## ki-wat ?

if anyone is confused what I'm talking about right now with all of this i assume most users of these forums are familiar with a software-defined radio (SDR) and the very approachable rtl-sdr devices and their work-a-likes out there that allow you to create as many receivers as you have antennas, and it's very common for people that have decided to build or buy something like (or some other variety of SDR with IP connectivity), many of those enthusiasts use software called KiwiSDR or something similar, it's most often installed on a computer of some sort (usually something like a raspberry pi but not always) that they then plug their usb rtl-sdr devices into, and you can then operate the software in a web browser to tune to what you're interested in, pick decoders or modulation on one or many attached devices, etc.

in this case, this particular loudmouth was a live transmission that i heard with a measurable delay (within 0.5 second (guessing)) across multiple stations in the united states. if you're methodical and consistent in what you measure and record you could probably get a really good idea of where the transmission is originating from, and what likely wattage and antenna could be, considering you can watch as many waterfalls as you have pixels and video cards, and you can record the audio on each along with your own local receivers.

apologies for not catching a name but he's hard to understand sometimes.

audio sample from WI station i believe: Dropbox

### still wat

okay how about this: it's fox-hunting at scale that can be automated and orchestrated if you know what you're looking for.

and as always, when you're relying on the generosity of others it helps to contact them and talk to them about your project if you want cooperation or don't want to be fighting with 5 people over 3 receivers. it also gives you a chance to tell them how much you appreciate them making their station available to you.

fwiw i legitimately had fun doing this tonight, if i were going to get serious about this and start publishing findings i'd go about it more rigorously and gather a lot more data (delay timings, latency of audio stream, the latency of audio interfaces enabling those audio streams, awareness of audio codecs in use (the record button will hand you a .wav file)), and i'd record the entire session across my desk with a visible timecode the whole time because it's very easy to get lost in screenshots later. sometimes when you first login you've been left at a talking clock or numbers station and i always peek around a bit. tonight one of the stations i use in WI apparently is monumentally disinterested in CB traffic at all. from like 25.9 to 28.0 it was totally black 😂 the rest of the entire dial was vibrant 😂 usually people don't bother to do an exclusion like that.

good hunting?
 

Attachments

  • dx'er 1 - GAScreenshot 2025-02-14 185313.png
  • dx'er 1 - WI Screenshot 2025-02-14 183622.png

slowmover

Active Member
Joined
Aug 4, 2020
Messages
3,667
Location
Fort Worth
Worthy thread topic.

It’s wrong in an ethical sense to “re-broadcast”, and it’s definitely, morally wrong to jam up the travelers channel (AM-19 27.185) use of which by as many as a million or more men are — or would like to be — in communication with those around them in identifying, dissecting and solving road dangers. But are prevented by this form of signal-jamming.

This is done with purpose, with the money to fund it, and has a recognizable coterie of azzwipes coast-to-coast who jam things up daily. Without cease. Years on end.

— This is the way USAID funds were being used as recently come to light for those never paid attention. Abroad, and here. Different venues, same effect.

Thanks.

I think there’s more to it, and that more than one method is being employed. I haven’t the training or knowledge to do more than guess. But it doesn’t take much to understand that signals which almost never fade in intensity aren’t following propagation map predictions.


Was literally blown off my seat by this one:


.
 

sempai

Member
Premium Subscriber
Joined
Jul 21, 2006
Messages
150
Location
Iowa City, IA
It is absolutely possible to orchestrate synchronized transmissions remotely. I am curious on using the delay/drift and other modulation/compression artifacts. There is occasionally a sound I would call a "banded whirrney" sound in some of the feeds I had up. I didn't pay attention to if that was happening in more than one site. To measure and to stack as many stations as I can around IL and maybe like Louisville or Memphis. This is kind of like metadata of an artifact or headers of a packet if I were doing forensics or working an incident. There are probably qualified RF engineers here that could fill in any gaps on if this could be from a single origin or not but please remember each of these sites has different gear, different environments, and different antennas. Some of them share that information, some don't, and anyone that has bought an rtl-sdr can tell you there's a lot of variety and counterfeiting of names with good reputations for good reason.

I read an offhand comment about a bunch of Clear Channel (Inc., not allocation or reputation) stations that did a spree of upgrades and there were a few people picking them up and I guess they were station owners or engineers people in that biz might know or something.

I know that anecdote isn't the singular form of data, and this is the sort of thing that I might get a little obsessive about.

Wait. Doesn't RadioReference or Broadcastify have a fleet of likely as-uniform-as-possible stations already deployed everywhere? Could we ask someone to sample a couple of cb channels for 2 minutes every hour and toss those into virtual audio interface and scrub around looking for stacking spikes on the meter? 😂 That would be kind of awesome 😂
 

RFI-EMI-GUY

Member
Joined
Dec 22, 2013
Messages
7,731
Doesn't the KiwiSDR have a built in centralized Time Direction Of Arrival feature? The reason I wonder this is because if you try to do this by picking various receivers on your browser, the inherent delays of the internet and even your own OS will distort the results. The receivers must have a time stamp and send that along for processing.
 

sempai

Member
Premium Subscriber
Joined
Jul 21, 2006
Messages
150
Location
Iowa City, IA
absolutely, and I mentioned that more rigorous (i.e. proper) way to do this would involve gathering a lot of metrics i didn't bother for my exercise like latency. To elaborate a little, KiwiSDR added a feature in ~2018 called `TDoA` [^tdoa], or "Time Difference of Arrival" which is intended to facilitate some directional awareness of a transmission.

there are people doing some interesting work on processing this data using machine learning/AI tooling, if you start digging in on TDOA/KiwiSDR and AI, you'll find a bunch of threads on reddit and some repositories that inspired me to be more curious. it's clearly an area of interest for me. however, the feature isn't a trivial matter. the other differences of a station influence the collected data but there isn't consensus on the relevance for TDoA. personally I would think a station's antenna, design, and which receivers are involved, and on what compute platform, architecture as well. musicians are probably yelling "clocks!" and they'd probably be right. TDoA uses what KiwiSDR knows, but there are so many things KiwiSDR doesn't know about itself that TDoA requires diligence and a lot of attention and effort. It's probability and likelihood.

mil and commercial UAV-detection tools use pipelines like this too. I don't know if this is common knowledge but the telecom industry is in an all-out sprint into AI and intend to re-design their services entirely using it. everything from how phones behave on the air (like, performance tuning signaling to handsets) all the way up to acquiring licenses for use of spectrum on-demand (It reads to me like how license grants for flying my UAVs work more or less) but I'd defer to people implementing these systems. but there is a lot of research to make more profitable services for the operators and they intend to automate all of it. I have worked with teams building 5G networks (private and public) and I understand the IP networking and security/privacy end more than the RF end but clearly I'm trying to understand that better.
so much of that work is off the table to the public though, and the people working on anti-UAV systems are definitely not chatty about it. i have used KiwiSDRs within range of the jersey shore surf cameras to try to separate a UAV from a plane from a UAP of some sort 😂, but i haven't yet found an LLM released to the public that is specialized in RF engineering, analysis of RF captures, or anything like that. when i'm hacking on SDR projects or wireless networking of other sorts I do use `phi2-electrical-engineering` [^p2ee] which is capable of writing code for KiwiSDR (as long as you don't mind python) that's also how I did my math on how much delay via speed of light to expect based on possible origins. i'm terrible at math. everyone thought i'd be a computer scientist or something but g-d help me if it isn't geometry i'll need help.
one of my annotations on this topic (markdown syntax; the `==` indicate highlighted portions):

```
---
source-uri: https://www.hfunderground.com/board/index.php?topic=117872.0
author: Ray Lalleu
tags: [ TDoA, SDR, threads, KiwiSDR, analysis, collection, radio, RF, environmental ]
---
# A theory on Kiwi TDoA ambiguity

[Re: A theory on Kiwi TDoA ambiguity](https://www.hfunderground.com/board/index.php/topic,117872.msg376350.html#msg376350)

> « **Reply #9 on:** November 14, 2023, 2216 UTC »
>
> ==The length of the coax line can just move the receiving location a few meters. Nothing that counts==. This wrong idea comes from the usual combination of identical antennas close to each other for standard goniometry. Once, I set two FM antennas 1 wavelength apart on top of a rotor. All bearings were 15 degrees false, and that was because I did not care to make coax lines of exactly equal length for both antennas to the combiner.
>
> ==In TDOA, the phase of the RF signal is anything and unknown. What is important is the phase (or delay) of the recovered audio after detection. A difference of 1 millisecond means a difference of distance of 300 kilometers between the TX and the two receivers, thus giving an hyperbola for possible TX locations==. With at least ==a third KiwiSDR (or more), several hyperbolas can be drawn, and where they encounter is the probable place of the TX==. Of course, ==with signals reflected by the ionosphere layers, the hyperbolas should be blurred==, and so is the 'point' where they encounter. ==The error can be much larger when the propagation is quickly changing between daytime and nightime conditions.==
>
> ==BTW, note that only modulated signals can be treated by TDOA. If there is no modulation (or even if the S/N is too bad), TDOA can't do anything. Only the traditional goniometers can give some bearings.==
>
> On the other hand, ==TDOA can be accurate with direct propagation along/just above the ground==. And ==setting a TDOA receiving station is easier than a goniometer station, so FCC (and alike elsewhere) could easily relie on many stations, wherever there is a powerline and an internet connection. Less easy where solar PV panels (and batteries) and radio or satellite links are needed.== As you know, ==shortwave signals have a short direct range, particularly when the polarisation is really only horizontal. No, an horizontal dipole is not enough to achieve such a goal.==
```

> only modulated signals can be treated by TDoA. If there is no modulation [snip] only traditional goniometers can give some bearings

I had no idea wtf a `goniometer` was, so I read this (with my notes: Passive Direction Finding [DF] Techniques – General | annotated by Emory L.) and tl;dr: an RF Goniometer is a passive device used to determine the angle and direction of a signal it can receive. there are mundane goniometers used by various trades like physicians or engineers, to measure and determine angles of all sorts of things. you'll find some search results relevant to X-Ray techs and using a radio goniometer to properly align imaging so read carefully.
I am still looking at collected data and have hoped to find some tools to assist in using TDoA data and validating it's usable/useful data so I'm not contaminating my own pool. I'm using a RAG system that the AI(s) have access to for filling in some gaps since the model was published. Many academic journal publications and published works that have been stalking like this one GitHub - brysef/rfml: Radio Frequency Machine Learning with PyTorch (RFML: radio frequency machine learning) I want more tooling like this to be available:

```
---
created: 2025-02-16T10:51:08 (UTC -06:00)
tags: [ rfml, radio, tools, analysis, github, repostiory, monitoring, ML, AI, pytorch, infosec, cybersecurity ]
source: https://github.com/brysef/rfml
---
# brysef/rfml: Radio Frequency Machine Learning with PyTorch

This code was released in support of a tutorial offered at MILCOM 2019 ([Adversarial Radio Frequency Machine Learning (RFML) with PyTorch](https://events.afcea.org/MILCOM19/Public/SessionDetails.aspx?FromPage=Sessions.aspx&SessionID=7815&SessionDateID=564)). While the code contained in the library can be applied more broadly, the tutorial was focused on adversarial evasion attacks and defenses on deep learning enabled signal classification systems. The learning objectives and course outline of that tutorial are provided below.

Of particular interest, three Jupyter Notebooks are included that demonstrate how to: train an Automatic Modulation Classification Neural Network, evade signal classification with the Fast Gradient Sign Method, and perform adversarial training.
```

I would love if someone with a lot of familiarity with the KiwiSDR TDoA data could aim me in the right direction, I still feel like I'm collecting anecdotes and papers while waiting for someone to release a model that is suitable for my hardware that can ride shotgun with me as I experiment and hack on this. This is one of those things that I find extremely interesting and will take more of my attention than i'm willing to admit when some of the gaps I have are filled in 😂

[tdoa]: KiwiSDR TDoA Direction Finding Now Freely Available for Public Use
[p2ee]: TheBloke/phi-2-electrical-engineering-GGUF · Hugging Face is the one i prefer for that
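
Added example, not part of any post in this thread and not KiwiSDR's own TDoA code: a small Python sketch of the hyperbola-intersection idea in the annotation above, which also shows why the stream latency raised earlier in the thread matters. It assumes straight great-circle paths (no ionospheric skip); the receiver coordinates are approximations for sites named in the thread, the transmitter position is constructed, and the arrival times are simulated.

```python
import math

C_KM_S = 299_792.458  # speed of light in km/s

# Approximate coordinates for receiver sites named in the thread (assumed values).
RECEIVERS = {
    "Iowa City, IA": (41.66, -91.53),
    "Chicago, IL (ORD)": (41.98, -87.90),
    "Rudolph, WI": (44.50, -89.80),
    "Mansfield, GA": (33.52, -83.73),
}
REF = "Iowa City, IA"      # site every other arrival time is compared against
TRUE_TX = (39.13, -88.37)  # constructed transmitter position, simulation only


def distance_km(a, b):
    """Great-circle (haversine) distance between two (lat, lon) points."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * math.asin(min(1.0, math.sqrt(h)))


def arrival_times(tx, stream_bias_s=None):
    """Simulated arrival time per site; stream_bias_s adds unmeasured delay."""
    bias = stream_bias_s or {}
    return {name: distance_km(tx, pos) / C_KM_S + bias.get(name, 0.0)
            for name, pos in RECEIVERS.items()}


def tdoa_cost(point, times):
    """Sum of squared range-difference residuals (km^2) against REF.

    Each term is zero on the hyperbola defined by one receiver pair.
    """
    d_ref = distance_km(point, RECEIVERS[REF])
    cost = 0.0
    for name, pos in RECEIVERS.items():
        if name != REF:
            predicted = distance_km(point, pos) - d_ref
            measured = (times[name] - times[REF]) * C_KM_S
            cost += (predicted - measured) ** 2
    return cost


def locate(times, box=(25.0, 50.0, -125.0, -66.0)):
    """Coarse 0.5-degree grid search, then a compass search that halves its step."""
    lat_lo, lat_hi, lon_lo, lon_hi = box
    grid = [(lat_lo + 0.5 * i, lon_lo + 0.5 * j)
            for i in range(int((lat_hi - lat_lo) * 2) + 1)
            for j in range(int((lon_hi - lon_lo) * 2) + 1)]
    best = min(grid, key=lambda p: tdoa_cost(p, times))
    best_cost, step = tdoa_cost(best, times), 0.25
    moves = [(a, b) for a in (-1, 0, 1) for b in (-1, 0, 1) if (a, b) != (0, 0)]
    for _ in range(20000):  # hard cap so a bad input cannot loop forever
        if step <= 1e-4:
            break
        cand = min(((best[0] + a * step, best[1] + b * step) for a, b in moves),
                   key=lambda p: tdoa_cost(p, times))
        cand_cost = tdoa_cost(cand, times)
        if cand_cost < best_cost:
            best, best_cost = cand, cand_cost
        else:
            step /= 2
    return best


def fix_error_km(stream_bias_s=None):
    """Distance between the estimated and the constructed true position."""
    return distance_km(locate(arrival_times(TRUE_TX, stream_bias_s)), TRUE_TX)


if __name__ == "__main__":
    print("1 ms of delay difference = %.0f km" % (C_KM_S * 1e-3))
    print("error, timestamped receivers: %.2f km" % fix_error_km())
    print("error, 2 ms unmeasured stream delay at one site: %.0f km"
          % fix_error_km({"Chicago, IL (ORD)": 0.002}))
```
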
 

sempai

Member
Premium Subscriber
Joined
Jul 21, 2006
Messages
150
Location
Iowa City, IA
apologies for that firehose, sometimes i include my thought process so someone can share their own conclusions, i learn and retain information best by talking through it as opposed to reading or listening to it. learning that about myself was amazing, but it really sucked i had about 38 years on this planet before i knew that about myself. it's one of the reasons i always tell a team i'm going to be working with that i do my best work partnered and ask for them to assign me one 😂 i mean, i've managed on my own as needed, but i enjoy the rush of being amazing, so i tend to keep my eyes open for those partners ;)
 

sempai

Member
Premium Subscriber
Joined
Jul 21, 2006
Messages
150
Location
Iowa City, IA
## tools and sample code

some tooling for recording and processing TDoA data: GitHub - llinkz/directTDoA: a Python 2/3 GUI for automated TDoA recording & processing

if you are a MATLAB user these evaluation scripts will even draw the map for you: GitHub - DC9ST/tdoa-evaluation-rtlsdr: Matlab Scripts for Evaluation of a TDOA System based on RTL-SDRs (i don't have matlab and have no business using it)

someone's purpose-built SDR for TDoA, untouched for 8 years: GitHub - atx/mlsdr: SDR for my TDOA radiolocator
sample code, 8-9 years untouched: GitHub - swkrueger/Thrifty: Thrifty is proof-of-concept SDR software for TDOA positioning using inexpensive SDR hardware such as the RTL-SDR. with raspi installation guide: Thrifty/rpi/installation.md at master · swkrueger/Thrifty

an interesting paper written about using rtl-sdr to track wildlife: An inexpensive hyperbolic positioning system for tracking wildlife using off-the-shelf hardware | annotated by Emory L. (my annotations)

an article and guide with methodology for using TDoA data (really interesting reading, link has my annotations) TDOA Transmitter Localization with RTL-SDRs | annotated by Emory L.
 

RFI-EMI-GUY

Member
Joined
Dec 22, 2013
Messages
7,731
You can easily test or calibrate a TDoA with a known reference station. The modulation is needed because you need to see the starting point of a signal Time T=0. As far as Goniometers. The same theory is applied in electrically steered antennas, a technology used today in everything from radar to cellular radio. I have a doppler direction finder, DDF4000 that I would say is a form of beam steering as it used 4 separate dipoles switched at an audio rate to induce a pseudo doppler tone from which degrees of a compass rose can be displayed.
 

sempai

Member
Premium Subscriber
Joined
Jul 21, 2006
Messages
150
Location
Iowa City, IA
ty!
i've been rummaging around a bit more and found some examples of orchestration of collecting TDoA data from KiwiSDR instances, but most of what you need to get isn't easily retrieved from the web interface of a KiwiSDR station. most of the sample code or guides to get started (and phi2-ee's suggestions and code it will crank out for you) assume you have interactive logins to the platform running the station.

e.g. you need the owner of the station to trust you enough to run a blob of code on your behalf, often with multiple iterations and tweaks to dial it in better, so it would be much easier if they're yours and you already know the storage available on that device, what types of receivers are attached to it, etc.
 

sempai

Member
Premium Subscriber
Joined
Jul 21, 2006
Messages
150
Location
Iowa City, IA
> You can easily test or calibrate a TDoA with a known reference station. The modulation is needed because you need to see the starting point of a signal Time T=0.

(thinking out loud):

If I'm understanding correctly, I need a confirmed transmission on AM CB that is occurring while I am cycling waterfalls looking for the designated loudmouth? this post: TDoA Direction Finding using KiwiSDR - Making It Up the author uses a known shortwave station.

related: if anyone here has anything they don't want the FCC to know they've got and willing to make scheduled and/or ad hoc transmissions from that station, that would be helpful 😂 I'm willing to prep and flash a raspberry pi that someone could plug in a couple of rtl-sdr devices and boot it up. i have a tailnet (SD-WAN/software-defined VPN) dedicated for my radio and IOT lab, so i can ship them places and access them safely once they're powered on and plugged into a network without needing network configuration changes and port forwarding or anything.

Otherwise we need an identified douchebag that we know the location of and has such total disregard for others they are incessantly keying up regularly, ideally early morning or evening in the United States.

The Mark Sherman aka Fine Tune CB dude that gets sued a lot for hawking "modified" Anytones that he claims allow him to be heard in Florida? it seems like most people with an opinion on him think he's got some setup in New Mexico. He probably wouldn't cooperate with someone attempting to get him to do something helpful for others, though. It's been hypothesized that he's got an outrageously

i guess i can camp on Utah/AZ/NM stations and try to catch him if he's still out there yappin' but in the case of the transmission in the first post of this thread i couldn't hear them in the far west stations, so for I'd need something originating between philly (i have a station there) and iowa city (same) and following the MSP > ORD > DTW > PHL routes might be helpful because i could use commercial flights for additional telemetry (we could use to ensure accuracy of data (because we can also grab ADS-B data and collide that with FlightAware's data for example) but that is pricey unless you're also hosting one of their nodes at your house, and i guess i could do that because the KIOW muni airfield is about two miles from my roof.
IMPORTANT NOTE i am talking about two different things as if they're the same a bit and that can be confusing - KiwiSDR is a platform/appliance, and there are tons of them out there. that's what i use a lot when i'm just looking for a way to listen to something in particular, but personally i use raspberry Pis and RTL-SDR usb devices for my research and i'm probably confusing people by also talking about using raspis with rtl-sdrs to collect TDoA data as well as KiwiSDR's feature. i'll try to be more clear going forward.

i do have a friend with a KiwiSDR in Sunnyvale that would be willing to give me a shell on the thing which would help but my stations i have sent out are rtl-sdr/raspis not KiwiSDR appliances. nothing against the KiwiSDR devices they're great, but I'm less inclined to give away $300 than $50, so I favor that for selfish reasons.

an example of yet another purpose-built SDR appliance, this one with a stack entirely devoted to locating origins of transmissions would be KrakenSDR: KrakenSDR | KrakenRF but those are $400 each without giving it any ears.
Edit: there are threads here on RR with posts from people that own/use Kraken devices. They don't have low enough range for CB loudmouths it looks like though.
 

mmckenna

I ♥ Ø
Joined
Jul 27, 2005
Messages
26,778
Location
United States
WWV periodically runs on 25MHz. That's a good strong steady signal you could use to test your equipment, and is close enough in frequency that the antennas would be passable.

IP networking delays are pretty easy to deal with, all the big radio manufacturers and companies like JPS solved this a long time ago.

Would be interested in seeing this go.
 

slowmover

Active Member
Joined
Aug 4, 2020
Messages
3,667
Location
Fort Worth
Mark Sherman is pretty much kaput. State went after him for fraud.

Plenty of others. A whole bunch in FL, several in SoCal. And yet others scattered farther.

.
 

slowmover

Active Member
Joined
Aug 4, 2020
Messages
3,667
Location
Fort Worth
What is this language that you people are speaking?

"it sure ain't the hillbilly that pappy taught me..."

The cross-link for some of them down south of you.


.
 

MUTNAV

Active Member
Premium Subscriber
Joined
Jul 27, 2018
Messages
1,483
Please help me out understanding some of this.... It sounds really interesting, but what is the objective.... It sounds like just RDFing some CB transmitters. Is there something extra weird being done to hinder the RDFing (distributed antennas / sites)?


or
I'm listening to stuff way over my head (which is more likely)....

Thanks
Joel
 

sempai

Member
Premium Subscriber
Joined
Jul 21, 2006
Messages
150
Location
Iowa City, IA
Well it started as an exercise to determine how much superbowler traffic is single origin or if people are replaying samples and other recordings of the world's most antisocial people. One accessible, relatively easy way to do this is using a distributed collection of software defined radio receiver stations to listen in realtime nationwide or globally.
 