
Free hardware from the sky? An introduction to tracking weather balloons

BSides KC · 33:21 · 253 views · Published 2022-10
Category: Technical
About this talk
Free hardware from the sky? An introduction to tracking weather balloons - Jordan Bush

Every day at dawn and dusk, weather balloons are launched around the world containing sensors and microcontrollers we can decode and harness for use in our own projects and experiments. In this talk, I will be walking through how I gained an interest in tracking and chasing down weather balloons and how you can too. Then, once you have the hardware in your hands, I'll demonstrate how we can reuse the hardware and I'll show off some useful projects I've made from them myself.

Jordan Bush: I'm Jordan, I'm a computer science student and I work with RF technology and embedded systems. I've been interested in this for around 4 years and I'm always learning something new every day!
Transcript

Hi there, I'm Jordan Bush. I work on embedded systems engineering to build RF modulation devices. I've been learning about a very broad range of topics with an SDR ever since I built my first police scanner in 2017, because the state uses digital modulation. Since then I've continued to learn more about RF technology, and it's only bloomed. I got my amateur license in 2021 and kept going from there. I got into chasing some weather balloons in 2021 and I've enjoyed chasing them since, starting to reverse engineer them and trying to learn what we can do with them post-launch.

So what is a weather balloon? A weather balloon is used to collect measurements from the ground to near space, including temperature, humidity, wind and sometimes pressure. Here in the United States they typically launch two balloons daily, although currently, with the special conditions with the hurricanes and such, they're actually launching them four times a day. Currently there is one in the air headed toward Holden, Missouri, I believe; that could change. This data is used to calculate things such as storm severity, wind models that are used to predict what wind patterns will go through, cold fronts, etc. The data is collected from up to 100,000 feet in the air, and after that the Weather Service doesn't collect any more data from it; it's pretty much just falling back down to Earth on a parachute. It's still transmitting, so we're able to collect the data and find it ourselves.

In terms of what a weather balloon is, I've labeled the components here on an image so we can get an idea of what we're looking at. Right here is the balloon; typically it's just a latex balloon. Up in the air they can expand to about 50-some feet, so about a two-car garage, once it's fully at altitude. Here we have the parachute rigging. Typically you'll probably just see a parachute on North American models, but in other countries they might have different ways of handling the cord; I believe Australia uses radar reflectors to help show the weather balloons on radar for their air traffic. And then we have the little payload, which I'll refer to as a radiosonde: "radio", and then the French word for... communicator, uh, probe, my mistake. And just for the nerds out here, that is an Accu-Lok radiosonde that was flown around the 1980s.

So, chasing a radiosonde: what do you need to know? Here's a little comprehensive guide. I thought I'd cover this first because I'm sure this is going to be a question if I don't answer it now. Radiosondes are completely... once the Weather Service uses them, they don't have the resources to go recover them, so once they're done they just have a little label that says please dispose of it properly. So really there's no issue with collecting them. The National Weather Service has actually helped us try to get things set up; there have been times where a frequency was misaligning with the software defined radios we used. For example, one of them has an issue where it can't receive a certain frequency well, and I believe Omaha was using that frequency, and they helped out. So they're supportive of what we do; they like to see us recycling them and using them for better purposes. I will say the rules of trespassing do not change, so don't just go hop a fence trying to find a weather balloon; you might get in trouble. You know, when that happens you can try to knock on people's doors, ask for permission and explain what you're doing, and make sure it's obvious, pretty much everything on this slide; otherwise people will think you're strange.

To start chasing one of the balloons, you'll want to go to sondehub.org. This is a website that basically has crowdsourced information about weather balloons, and it shows you, all over the country and all over the world, where the balloons are going. This image is a little outdated; this was taken probably about a month ago, and back then the weather balloon was actually going southwest. If you go to the website right now you'll be able to track the current one in the air. I'll go ahead and pull that up so you can see it better. So right here you have little green dots; those are our crowdsourced receivers. Somebody's a donor over here. This is Topeka, Kansas, where they have their National Weather Service launch station. They have multiple around the area, 92 in total in the United States. With the website you're able to generate predictions. This was taken about a week ago and it shows basically the area where things are expected to go, so right now we're probably around here. When you click on Topeka there's a button you can click to generate predictions up to two weeks out, which allows you to judge whether it's going to go to your area and whether or not it's worth trying to chase. Right now conditions are pretty optimal to find these around the Kansas City area.

Not much equipment is required. Essentially what you need to have is a Raspberry Pi, maybe an ESP32 with a radio attached to it, or even a HackRF, although I'll tell you this: it's not good to use, because... I mean, they built a decoder, but it's not the best compared to the other two that I mentioned. I'll go ahead and go into more detail. Here's what I recommend. For the PC software, it's called radiosonde_auto_rx; it's made by a couple of guys in Australia. It's basically a web interface built in Python; it takes an RTL-SDR and it will decode and show you where weather balloons are automatically. For this example, I don't think I have a zoomed-in picture, but I was out in Arkansas, I had an antenna just sitting out in the open, and I was able to pick up four different weather balloons from all the neighboring states. For a cheaper barrier to entry, there is a microcontroller board that you can buy; it costs about 25 bucks on Alibaba, and you can load firmware onto it and it automatically tracks the weather balloons around you. I will say there is a caveat: it only tracks two different kinds of weather balloons. Lucky for us, in the United States those are the kind that we receive, although if there's a rare launch, or if you go to Europe with this one, there's a chance that it might not be able to pick up every single one. I'll mention now that it didn't work until recently, because it didn't pick up the ones that Topeka was launching until they switched; they just recently switched over in July, so consider yourselves lucky, and I'll get into that in a minute.

When you get to the landing area of the radiosonde, you need to consider what you might encounter when you try to go get it. In some circumstances you'll probably have to get permission to enter wherever you're going. When finding the weather balloon I would highly recommend looking at a satellite view of the area that you're going into, so you can judge what kind of terrain you might have to face. There have been times when I had to cross brush and creeks, so you really have to consider what you're going to be looking at. If you know you can go up to an area where it's kind of open, it's easy to get; sometimes you have to wear long-sleeve clothing just to stay out of the brush. And lastly, there are times when weather balloons will fall into trees. Sometimes you can just go up to the tree and pick it out; other times you'll need to get a pole, like a retractable pole, and fish it out, and most of the time that works, but there have been instances where a weather balloon has fallen 50 feet up in the air and I wasn't able to get it out. [Audience question] Yes... no, and I have avoided catching a weather balloon out of one place that did have dogs; I was going to try to get permission to get on the property, but they were barking at the door and I was like, not worth it.

Here are a couple of finds I've found. If you look, that one's actually fallen into a lake; that was the first one I actually chased. And we have some that just kind of fall on the ground; nothing special to get that one. [Audience: How'd you get the one in the water out?] So me and another guy took an extension cord, just a plain old extension cord, and we took a little piece of copper wire, bent it into a hook, attached it to the end, and we literally chucked it at it, probably for 20 minutes, until we hooked the little cord. You have to keep in mind that between the parachute and the actual payload there's about a 50-foot cord, so we hooked into it and reeled it in, and that was probably my most unique experience trying to find one. If you see here, some of them landed too high in a tree where I can't get it. That one was actually in a tree for months on end and I just happened to hear about it, drove out and got it. That was one that I was able to get with my pole, kind of easy once you know how to do it. That was in a tree I was able to just walk up to and pick it out. So it can vary dramatically.

So let's get into the fun stuff: hacking and modifying these weather balloons. I'll be talking about three different models today: we have the Lockheed Martin, we have Vaisala and we have the Graw. The Lockheed Martin was used primarily in the United States from about 2011 to 2022; they just finished up that cycle with the contracts. We were one of the last stations to still use it; like I said, we discontinued use of this one in July, so you probably won't find it except maybe at NASA launches. They use both 403 MHz and 1.6 GHz. One reason they're also switching over is that cellular bands, I believe, changed with that, and we've also kind of moved on from other technologies. One thing to know about these: they use older technology; they actually adapted a design from the 90s. They changed a couple of things around over the years, but if you look at their version from earlier you can kind of see the same kind of designs. The Vaisala RS41 is currently in use worldwide; we recently transitioned to it in the Kansas City area, so if you want to go hunt a weather balloon, this is most likely what you'll find. They're all on 403 MHz. They use newer chipsets such as an STM32, a u-blox 8th generation or 6th generation GPS, and a sub-gigahertz transmitter. The Graw DFM17 is another kind; it's also kind of split between the RS41 and the DFM17. They're seen in the United States as well; Omaha and Springfield launch them, so if you're up north or down south you'll most likely find these. Currently the firmware is not as good as what the Vaisala has been getting, mainly because this is newer tech; this one just got recently released in 2020 and started flying this year. I'll get into more about custom firmware later in this talk, but that's a brief overview of each model.

So this is the Lockheed Martin LMS6 radiosonde. They ran an ST7 8-bit CPU, and it required a special dongle in order to flash it, which didn't run cheap compared to the other options. It also required special software to develop and write software just for it, which was licensed; you couldn't just do anything with it, so we ended up using a virtual machine, and we had to reset the license every time we wanted to change anything with it. It has a Texas Instruments UHF transmitter; you might recognize the CC1050. It's similar to what's used in the Flipper Zero, if anyone has one; that's the CC1100, I believe. For programming this one you basically have to use an edge interface, and that was developed by [name inaudible] right over here, so give him some thanks later. Essentially the edge connector provided test and calibration interfaces to assist development and QA for this weather balloon. In order for us to program it we had to build out a header, and we connected up to an ST7 flasher. Again, I mentioned that one takes special software and isn't the easiest to develop for; I'm kind of glad that's gone. Although I will say, in terms of the firmware, this one was actually the easiest to dump: there was no readout protection, so we were able to dump and modify the firmware. Looking at it, we saw that the version number was May 2017; the other one, the 1.6 GHz model, was dated 2009, I believe. It isn't supported by Ghidra, so we had to use IDA Pro in order to reverse engineer it. I'll go ahead and give a little visual representation of the firmware. You can definitely see there was some optimization made: they had most of the drivers in this block of code, they had their transmission software in this block of code, and then customization data such as calibration offsets and serial numbers was stored in that block of code. So it's a lot more optimized than any of the other models we'll look at, although I think this is really the only one I have a full firmware dump for.

About that customization block: I was able to essentially dump the firmware, and I was able to use a search tool to find that there's a certain offset where I could set the hex bytes to change my serial number. So what do I do? One, two, three, four, five, six, seven; no one will find my thing now. So flashing it is very easy; you just dump, change, flash. For the LMS6 we were also able to change the frequency. This one actually was a little more advanced; it took me a little more time to understand, but essentially, on this firmware, in order to change the frequency there are certain DIP switches. There are four different DIP switches to change the firmware, and I don't believe I attached an image, but on the back of it it gives you a little readout: you can change which switch to change the frequency. For this one I basically just looked at that, and I set one of the presets. So when you have all the switches flipped, I was able to change the frequency register using a calculator provided by Texas Instruments, and I was able to change the frequency to an amateur frequency band so we're able to transmit semi-legally. I mean, I don't believe we were able to figure out how to identify... on the official firmware, but it got close, and out of band from what the National Weather Service used at the time. Moving forward, one thing I'd like to see happen, if we ever do have somebody work on the LMS6 radiosonde on the official firmware: we never fully decoded the temperature and humidity. We got very close; we had the information in order to change the offsets of the temperature and humidity for this weather balloon, although I believe by the time we were actually planning on implementing it, the changeover process started happening and most people moved over to the next generation. I know I did, although I think we got close, I'll say that. So that's kind of a wrap-up for that one.

For the RS41, this is probably the one you're going to see most commonly. It's got the STM32F100 CPU, and it has a couple of vulnerabilities, I believe. It's got CVE-2020-8004, which is a vulnerability where you can actually go into the debugging interface and cause a dump in a certain way; it will actually dump bytes of the memory. Now, we can't fully bypass readout protection with that one. CVE-2020-313466 talks about voltage glitching on another series of STM32 boards that is very similar to this one. Essentially you take voltage glitching to change the firmware and/or change the bytes whenever it's booting up. I haven't been able to test that one yet, but that's something to be tested in the future. For the GPS it's using a sixth generation u-blox GPS, which has roughly 2.5 meter accuracy, and this makes hunting these a lot easier in terms of accuracy when you're trying to find them on the ground. It hasn't been a huge challenge if you know the approximate area, but it only makes it easier, especially when you're trying to find ones that are lodged in trees and you can't see the parachute on the ground. It's got a Silicon Labs Si4032 ISM transmitter; it goes from 200 to, I believe, around 800 MHz, so unfortunately we can't use this one with the VHF band, which, if you were going to try to use this with ham radio APRS transmissions, is out of the picture. If you get one of these, please don't try to power your badge using the AA batteries; they won't work. For the programming interface, this is probably going to be a piece of cake; this is the easiest one to do. Behind this little styrofoam thing there's a programming interface, just a couple of pins. I highly recommend just picking up a $10 ST-Link and trying to program one of these. It's super easy to do; all you have to do is take some jumper wires and hook into it, and you'll have your own custom firmware in a couple of minutes.

I will say, about custom firmware, this is the only one featuring a fully featured custom firmware at the moment. It's called RS41ng, not related to the model number that the United States uses; that just happened to be coincidence. It supports APRS, which is very common with amateur radio position reporting. One thing you can do with that is you can actually take the weather balloon, flash the firmware, put it in your car and you can track your car. I know a lot of amateurs like to do that; it's a very cheap entry point for a lot of people. Another one is the 4FSK (four-frequency shift keying) method. That is a kind of transmission that a lot of amateur balloonists like to use to track their weather balloons. It allows them to transmit certain kinds of data, and I believe you can transmit pictures with it too; I'm not too sure, I've got to look into that, but it's commonly used whenever people are transmitting on static balloons where they want to try to travel the world, and that's one way to test it.

Right now I'm actually working on a project to try to bring LoRa over to the RS41 balloon. I found that I could attach a LoRa chip to the SPI bus, as they had a little trace for their military model where they had SPI flash, because they would store and forward the data. So I essentially built a little bodge wire going to a LoRa chip that I dead-bugged, and so far I'm working on writing the firmware for that. The official firmware didn't accept it; it actually caused a crash, and I'm guessing because it probably received an invalid response. At some point I'd like to make this work, because we have more LoRaWAN receivers than we do 4FSK, or four-frequency shift keying, receivers, so I want to try to get this working so we have a global network that we can receive from. Right now the sensor boom that contains the proprietary sensors is not supported. As you can see, it has a temperature and humidity sensor on the end. I believe some efforts were made to reverse engineer it, but we haven't figured out the offsets, or maybe it was the command that we use to pull the temperature from it. [Music] One thing I'd like to see, and this is more of a dream if anything, is something in Kansas City where people are launching balloons. Kind of ironic, actually: I believe somebody recorded a video; somebody launched a balloon just down the street while we were here. I'm not sure who it was affiliated with, but I don't think it was an amateur.

And then for the DFM17. This is kind of why I've been all over; I started reverse engineering this one back when it first launched in October 2021. It's got a very similar chipset and board layout to the RS41; it's got an STM32F100 just like the other one, and it's probably vulnerable to the same kind of exploits. I've been able to do a partial dump of the firmware; however, that's something I'll probably have to consult somebody else to help me with. It's got a new-generation u-blox GPS chip that's pretty state-of-the-art as we speak; I believe it has something like 0.1 meter accuracy, so it's a lot more accurate than previous models. We've got a Silicon Labs Si4063 transmitter; this one supports VHF transmissions, so you will possibly be able to use this for APRS once that firmware is built for it. And then it also uses two CR123A batteries, not the same as the ones used in the other one. These are kind of like the old camera flash batteries; you probably won't see them used in pretty much anything except maybe specific-purpose devices.

Looking at the programming interface, it wasn't as pretty as the RS41; some assembly is required. It's a really bad photo, but I had to add a little debug interface to the card, and once I did that I was able to hook up an ST-Link right to it and program it. It also had something that I thought was a USB port; I mean, who else would think, oh yeah, that has to be it. And it turns out it's actually running serial over that, which I believe they used for programming and potential expansions, so ozone sensors, for example. I spent a while looking at that thinking, oh yeah, that has to be how they program it, because it took five volts and identified the board, but it turns out they're using that in a different way, and I have a feeling they're doing that so they can sell a dongle; my words, not theirs. I'm currently working on porting RS41ng over to the DFM17. Pretty much everything is currently working except for the transmitter, so I'm kind of just trying different experiments trying to get it working. I think that image kind of relates to how I feel right now. So eventually it'll probably have the same kind of features as the other one does, with the addition of being able to transmit on lower frequency bands, which might be very beneficial to the radio amateur.

So here's a little overview. The LMS6 has a couple of things you can do to it, but in terms of being able to have the same flexibility, it's just not there; partially that has something to do with the fact that it's using older chips that are kind of harder to program, [Music] and most people don't want to download proprietary software and learn how to program for a very, you know, end-of-life chip. For the Vaisala RS41, you're probably at the cream of the crop right there at the moment; it's got fully featured hardware and software. I believe there are even schematics on the internet you can download for this one if you want to build anything custom onto it. Easiest to program by far, with the programming pins being right there. And for the DFM17, it's making its way; it still has a little to do. I just have to write the firmware fully for it. I will say the programming interface isn't the best to work with, but it's okay. I'd really like to see this one be used as an APRS tracker eventually; we'll see where that goes. So that's kind of an overview of what you can do with these when you find them.

I'm sure there's probably more things we can find. For example, right now we actually have a little challenge going on. You can go look around if you have a radio handheld; I believe you can talk to the RF Village to get the frequencies. There are a couple of these Vaisala RS41s around the building transmitting a challenge, and if you're close enough you can pick up the signal and do some radio direction finding to find it, snap a picture and get some sort of reward; I'm not sure what it is off the top of my head.

Additional projects. Outside of just working on the weather balloons themselves, there are a couple of things that the community has done that help facilitate catching and chasing weather balloons, as well as launching weather balloons. One of those is SondeHub Amateur. As you can see here, I flew my own balloon, kind of like the movie Up, if you've seen that. Essentially you can register and launch your own payloads. For example, that's the RS41ng firmware running on that RS41. I believe that flew almost to Tennessee, although I didn't have any tracker to verify that, but it was kind of on the static pressure layer, so it was being held up where it wasn't really ascending or descending and it wasn't bursting in the air.

Here is a project that I worked on called Balloony. It's essentially a Discord bot that monitors and alerts people whenever weather balloons are up in the air. It also tracks and tells you where a balloon is expected to go and what time it's expected to go; it's basically a briefing. In fact, it went off earlier today before I gave this talk, saying that Topeka had launched a weather balloon and it's currently flying in the air; maybe later today you might be able to go chase it if you're interested. It might be a little bit of a drive unless you live out east. So that was a nice little project that I think is kind of useful for both me and other people in this community. It's open source. [Audience: Do you ever go get a balloon and somebody else has already got it?] Ah, so there has been an instance where I went after a balloon and it was in a field area; somebody on a combine had already picked up the balloon, it was on the back of their tractor, and I was trying to get their attention but I couldn't, so that was kind of a waste of time for me, but I did get to see it at least. For another one I actually drove out to Fort Riley, and it was right outside, and I still didn't get it, but I got to see them; I've got a photo somewhere on my phone. But as I mentioned, this is open source. If you live outside the Kansas City community and you'd like to use this for your own purposes, it's up there, and it's in Docker, so it's really easy to set up. I encourage it; spread the word.

SondePredict is another software program, written by another fellow in the SecKC community. It provides a prediction system for people who want to track weather balloons, and this also works locally, so you don't need to use sondehub.com or .org, whatever, to try to find them. So say you're out on the go where internet might not be the easiest to come by: you can download prediction data for up to two weeks; usually you're able to track it, and it's a nice little software suite. It's already pre-configured for certain areas, so if any of those areas apply to you, well, congratulations, you can go to that website and it will show you where the launches are without having to rely on one website. So it's a nice little way to decentralize predictions.

Any questions? [Audience: How long do the batteries usually last?] Typically they last about 10 or 11 hours, so you will have a decent chance with the current models. There are some models that last about six, and I think I've encountered rare occurrences where some last only four or three, but usually they'll last long enough for the flight. And the ones currently launched by Topeka have a long track record, according to the research people have done, so yeah, you'll have a good time trying to find one if you wait a little bit after it reaches the ground. Anything else?

[Audience question] Yeah, I thought about that, and there has been a group I know of, I believe in Independence, Kansas, which is kind of south Kansas; they actually launched a cross-band repeater where people were able to voice up and hear their voice down. I believe I did try to transmit to it but I didn't get through. That was a really cool project, and I know there are other people around the area that have probably done similar things, but you're probably going to have to make custom hardware for that; you can't modify one of these to do that unless you really change a lot of stuff about it.

[Audience: What's the typical flight duration for balloons?] It launches, goes to burst height... Typically in the spring, the fall and sometimes the winter they'll usually head east, usually about 50 to 100 miles, and they'll travel for about two hours. During the summer, this is usually the phase when the pressure up high is different, and the balloons will go in a circular pattern around where they were launched and they'll usually fall about 20 miles from where they went. So chasing them during the summer isn't really a good time, especially considering the vegetation is all over the place, so you have to go through that; it's a pain. During the coldest parts of the winter the balloons will have a tendency to travel very far east, so there have been times when a Topeka balloon has made it all the way to Illinois, and there's been a time when I was able to grab a balloon out of Dodge City, Kansas, all the way from Riverside, Missouri; that was almost 500 miles. So it can be really crazy sometimes, but typically it's going to be around two hours or 50 to 100 miles.

All right, well, if you have any more questions you can hit me up on the Twitters. There's the chasing website for quick reference. This QR code will go to all the links that I've mentioned in my talk, so if you want to see more about what I've done or you want to participate, I highly encourage you to scan that link, and it will basically contain everything you need to know about what I just talked about. Thank you.