RDS stands for Radio Data System and is a mechanism for sending digital signals through FM broadcasts to add enriching information. The RDS protocol allows for a variety of information to be transmitted, but its typically used for sending station information and song titles from FM radio stations. Before smart phone navigation dominated, older GPS units could receive traffic information over RDS.

Sample RDS results.

As a matter of fact, back in 2007, researchers from InversePath demonstrated the injection of spoofed traffic data over RDS (pdf) to manipulate nearby routing. Their paper is pretty thorough and details how they reversed the protocols and built hardware for doing the injection. As a grand finale, their injection demonstration was able to make maps show roads as closed, display terrorist strikes, and other weird events like a bull run. NOTE: The original RDS protocol was European so they must have anticipated Spain.

Needless to say, 13 years later, messing with RDS is a lot easier using Michael Ossman's HackRF. Even with an RTL-SDR, the RDS signal can be analyzed with a GNU Radio configuration from "The Machine Geek." A far more detailed explanation of using GNU Radio for RDS-TMC (pdf) was written by Dimitrios Symeonidis. But even easier than GNU Radio is the PortaPack H1 with the Havoc firmware. The Havoc firmware by furrtek supports a variety of reception and transmission applications but isn't always updated frequently. Erwin Reid's fork of the Havoc firmware has more recent updates and is worth looking at. There is a community forum for the PortaPak on a FaceBook group page here

Firstly, select the transmitters page and then the RDS application. Depending on the firmware variation you've selected, sometimes it appears as tiled icons and sometimes it appears as a list.

Selecting the RDS Transmitter on the PortaPak.

Once the RDS application is open, you're presented with a four tabbed interface. At this time, the Time and Audio tabs are present but not implemented. About the only settings you can configure are the Program Service Name (PSN), the Radiotext, Program Type, and Program ID. There are checkbox options for Stereo, Music, and Traffic Announcements but they are somewhat irrelevant for now. The defaults will be set as seen below.

Default settings on the PortaPak's RDS tool.

Click on the Text tab. This screen will enable the ability to set the Radiotext. That field controls what appears on a target FM radio for the Artist and Song Title. Use the PortaPack's control buttons to click on the Set button in order to configure the string.

The options for adjusting transmitted text.

The Radiotext setting screen is pretty simple. Either use the PortaPack's touchscreen or the control buttons to navigate around the screen keyboard. When your message is complete, click OK.

RDS text entry screen.

After setting the Radiotext string, you can confirm the message. Enable the Transmit Radiotext checkbox.

Final text configuration for RDS.

Go back to the Name tab. Here is where you set the Program Station Name and the transmission frequency. Setting the PSN is a little annoying based on the sequence of buttons to press to get there. What may seem obvious in terms of "ups" and "downs" will never get you to the Set button. To get there, get the cursor on the left most digit of the Program ID, then press "left" which puts the cursor on "Stereo," and then "up" to put the cursor on Set. From there, setting the PSN is the same keypad interface as setting the Radiotext only the string is much shorter. This one is typically used for a radio station's call sign but was intended to name the broadcast program.

After defining a PSN, make sure the Transmit PSN checkbox is set. Then click down to the frequency at the bottom. Set that to the FM frequency of the broadcast you're attempting to override and then click on the START button to begin transmitting your new RDS data. A standard HackRF only has the power output to broadcast this signal and override a real FM broadcast up to about 50 feet.

Last configurations for RDS.

What does setting the Program Type do? Some radios will display an additional field of information letting the listener know whether the current broadcast is News, Music, Sports, or any variety of categories. The protocol itself just uses a 5 bit number to map 32 various categories but the mapping differs between Europe and America. The PortaPack is programmed to display the European mappings so if you choose the Information option, it will actually appear as Sports on North American radios.

What does changing the Program ID do? For general spoofing of displayed text on a listener's radio, it really doesn't affect anything. The feature is meant for more advanced radios to do things like automatically tuning. For example, say a listener enjoys a particular show, their radio (if compatible) could detect that a PID was received over RDS indicating the show was available and it could automatically change stations. Or on road trips, perhaps a particular program is carried by multiple FM broadcasts and the radio can determine which frequency is coming in the strongest with that program and automatically tune to it, allowing the listener to always have a clear listening experience. That said, if one knew the PID of a particular program the target was listening for, the transmitter could advertise an alternate and get their radio to change. This is not a particularly common feature in North American radios.