SDR

From YobiWiki
Latest revision as of 14:53, 30 July 2018

=Hardware=

==HackRF==
* 1MHz - 6GHz, RX/TX half-duplex, BW 20MHz, ADC/DAC 8bit, sampling rates between 2Msps and 20Msps
* https://github.com/mossmann/hackrf/wiki
* Bias-T supply can deliver 3.3V 50mA
<pre>
$ hackrf_info
Found HackRF board.
Board ID Number: 2 (HackRF One)
Firmware Version: 2014.08.1
Part ID Number: 0xa000cb3c 0x0067434c
Serial Number: 0x00000000 0x00000000 0x15d463dc 0x383f8125
</pre>
* [https://www.youtube.com/watch?v=4Lgdtr7ylNY 18 SDR Tricks with the hackrf]

==Airspy==
* 24MHz - 1.750GHz, RX, BW 10MHz (9MHz alias free), ADC 12bit (10.4 ENOB), sampling rates: 2.5Msps or 8Msps
* Bias-T supply can deliver 4.5V
* [https://github.com/airspy/firmware/wiki/Linux-how-to-flash-airspy-firmware FW flashing]
<pre>
$ airspy_info

Found AirSpy board 1
Board ID Number: 0 (AIRSPY)
Firmware Version: AirSpy NOS v1.0.0-rc5-0-g648c14f 2015-05-20
Part ID Number: 0x6906002B 0x00000030
Serial Number: 0x618C63C82F7424A7
Supported sample rates:
	10.000000 MSPS
	2.500000 MSPS
Close board 1
</pre>

==[[RTL-SDR]]==
* ~25MHz - 2GHz, RX, BW 2.4-2.8MHz, ADC 8bit
* Mine: 52-2212 MHz with a gap @ 1107-1241 MHz

==LNA: Low Noise Amplifiers==
* LNA4ALL
** 28-2500MHz, gain about 22dB from 28MHz to 600MHz, then gain drops to ~16dB @ 1400MHz and ~11dB @ 2500MHz, 0.75dB NF @ 1 GHz and 0.98dB NF @ 2 GHz
** 6-9 V, 55-65 mA (5V if regulator bridged)
** can be powered by HackRF or Airspy if modified: 10uH SMD inductor on OUT and regulator bridged (because we deliver <5V), or bridged through a 100mA fuse, just in case.
* LNA4HF
** 150kHz - 30MHz, gain 18-20 dB, NF 1-2 dB
** 6-9 V, 18 mA (5V if regulator bridged)
** up to 2GHz if low-pass filter removed

Better to position the LNA near the antenna than near the receiver; more useful info [http://lna4all.blogspot.be/ here].

On Ali:
* 1-2000MHz LNA RF Broadband Low Noise Amplifier Module 32dB
** power supply: 12V DC (current 35mA)
** Gain: 32dB
** Input/Output Impedance: 50 Ohm
** Maximum output power: 10dBm (2VPP with 50 ohm load)
** Input signal: <= -22dBm
** Bandwidth: 1MHz to 2GHz
** Noise figure: 2dB (measured at 0.5GHz)
* 0.1-2000MHz LNA RF wideband amplifier gain 30dB
** Operating frequency: 0.1-2000MHz
** Amplifier gain: F=0.1MHz, gain=32dB; F=500MHz, gain=31dB; F=1000MHz, gain=29dB; F=1500MHz, gain=25dB; F=2000MHz, gain=20dB
** Maximum power output: +10dBm (10mW)
** Power supply voltage: 6-12 VDC
** System impedance: 50Ω

Tips from the Ali vendor:
# When the working frequency is below 500 MHz, gain flatness is good and can be brought under 1dB after careful adjustment. The lower the frequency, the higher the gain consistency.
# The lower limit of the amplifier's working frequency is set by the input and output capacitors; the default value is 0.1 uF, working down to 0.1 MHz. Increasing the input and output capacitance appropriately extends the cut-off frequency, e.g. a 10uF capacitance can work down to 5kHz.
# When the power supply voltage varies between 5 and 8 V, it can be used as a variable gain amplifier: gain increases with the supply voltage, which suits RF receive front-end circuits, using a D/A output to control the supply voltage and thus the amplifier gain (automatic gain control).
# With a supply voltage of 8-10 V, the low-frequency end gain reaches 30 dB; at this point the amplifier has a low noise figure and good stability.
# At 12 V the gain is maximal: the low-frequency end gain is 32.5 dB.

==Antennas==

===[https://greatscottgadgets.com/ant500/ ANT500]===
* 50 ohms, 75 MHz - 1 GHz, 20cm - 88cm

==Other==
Other materials for reference, but that I don't own.

===[http://openhpsdr.org/wiki/index.php?title=HERMES Hermes]===
* 10kHz - 55MHz, full duplex, up to 55Msps (full spectrum at once), 125dB of dynamics, 350 to 500mW TX output

===[https://github.com/softerhardware/Hermes-Lite Hermes-lite]===
* 0 - 30MHz, full duplex

=Software=

==Understanding SDR==
* http://www.nonstopsystems.com/radio/pdf-radio/article-sdr-is-qs.pdf
* https://sites.google.com/site/thesdrinstitute/A-Software-Defined-Radio-for-the-Masses
* https://greatscottgadgets.com/sdr/

==Understanding GNU Radio==
* http://hak5.org/episodes/hak5-1601
* http://www.ettus.com/kb/detail/software-defined-radio-usrp-and-gnu-radio-tutorial-set
** on an older GNU Radio version but really nice!
* http://gnuradio.org/redmine/projects/gnuradio/wiki/Guided_Tutorial_GRC
* http://gnuradio.org/redmine/projects/gnuradio/wiki/Guided_Tutorial_GNU_Radio_in_Python
* http://gnuradio.org/redmine/projects/gnuradio/wiki/TutorialsWritePythonApplications

==Resources==
* GNU Radio-related install management system: PyBOMBS
** https://github.com/mossmann/hackrf/wiki/Operating-System-Tips
** http://gnuradio.org/redmine/projects/pybombs/wiki
* HackRF specific:
** https://github.com/mossmann/hackrf/wiki/Software-with-HackRF-Support
** https://github.com/wzyy2/py-hackrf-ctypes

==GNU Radio tips==

===Config===
If you install it from your distro, make sure it'll look for manually installed modules, as we'll build a few of them:
<br>Edit /etc/gnuradio/conf.d:
<pre>
global_blocks_path = /usr/share/gnuradio/grc/blocks:/usr/local/share/gnuradio/grc/blocks
</pre>
Or better, do it locally in ~/.gnuradio/config.conf:
<pre>
[grc]
local_blocks_path=/usr/local/share/gnuradio/grc/blocks
</pre>

===Interface===
* underlined parameters can change at run time (e.g. via a variable slider)
* / to search in modules
* use 1.0 instead of 1 for floats, yeah python...

===Design===
* Add a throttle block if there is no real hardware involved in the flowgraph, to enforce a real-time constraint and not run at 100% CPU. One is enough. Don't add one if some real hardware (SDR, audio) is involved.
* Notebook to have tabs in the GUI, then for each graphical block, specify notebook: notebook_id,tab_number
* Selector + Variable_chooser with radio buttons to change connections at run time
* Variable + Variable config to save to/restore from file

=Legal=
Be aware of the local legislation!
<br>Emitting is strongly regulated (in terms of frequency, power, modulation, content,...) and may require a license.
<br>Receiving may also be regulated!
<br>See [https://www.itu.int/en/publications/ITU-R/pages/publications.aspx?parent=R-REG-RR-2012&media=electronic ITU] and regional laws.
<br>E.g. in Belgium, check the 13/06/2005 law: you can't listen to communications other than public broadcasts, CB and HAM, and your material can be seized if programmed/tuned to listen to those frequencies.
<br>So it's safer to play in the allowed bands and to reverse-engineer your own stuff (RC toys,...).

=Reverse engineering=

==Info==
* [https://apps.fcc.gov/oetcf/eas/reports/GenericSearch.cfm FCC]
** If the Grantee Code is unknown, look in "Grantee Search". Use it also to find alternate Grantee Codes (e.g. same address, same company under another legal name)
** Look at other devices from the same Grantee Code
* https://fcc.io quick alternative
* http://www.srrc.org.cn/WP_Search.aspx
* [http://www.sigidwiki.com/wiki/Signal_Identification_Guide Signal Identification Guide]

==Generic==

===[http://gqrx.dk/ GQRX]===

===Baudline===

====With hackrf====
Tune with an offset so the DC spike stays away from the signal of interest, e.g. to monitor 440MHz, tune to 442MHz.
<br>E.g. somewhere around 100MHz @ 8MHz:
<pre>
hackrf_transfer -r /dev/stdout -f 100000000 -s 8000000 | \
  baudline -stdin -quadrature -channels 2 -flipcomplex -format u8 -samplerate 8000000 -memory 256
</pre>

====With airspy====
Frequency is given in MHz; the sample rate is selected by its index in the firmware's list of supported rates: -a 0 = 10M, -a 1 = 2.5M
<br>By default airspy_rx and baudline both work with 16-bit little-endian (LSB first) samples, hence no -format option here.
<pre>
airspy_rx -r /dev/stdout -f 100 -a 0 | \
  baudline -stdin -quadrature -channels 2 -flipcomplex -samplerate 10000000 -memory 256
airspy_rx -r /dev/stdout -f 100 -a 1 | \
  baudline -stdin -quadrature -channels 2 -flipcomplex -samplerate 2500000 -memory 256
</pre>
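The two raw sample formats fed to baudline above (8-bit I/Q from hackrf_transfer versus 16-bit little-endian I/Q from airspy_rx) and the "tune with an offset to keep the DC spike away" trick, as an added example that is not part of the original wiki page: it decodes both formats into complex samples, measures the DC spike, and digitally mixes the capture so that a carrier observed 2 MHz below the tuned centre lands at baseband while the DC spike moves away. The input is constructed inside the script, and it assumes hackrf_transfer's raw output is signed 8-bit (reading those bytes as u8, as the baudline line does, only adds a constant DC term).

```python
import cmath
import math
import struct

# Sample formats assumed here: hackrf_transfer writes interleaved signed 8-bit
# I/Q, airspy_rx (default) writes interleaved signed 16-bit little-endian I/Q.
FORMATS = {'s8': ('<%db', 1, 128.0), 's16': ('<%dh', 2, 32768.0)}


def decode_iq(raw, fmt):
    """Turn an interleaved I/Q byte string into complex samples in [-1, 1)."""
    pattern, width, scale = FORMATS[fmt]
    vals = struct.unpack(pattern % (len(raw) // width), raw)
    return [complex(vals[i], vals[i + 1]) / scale for i in range(0, len(vals), 2)]


def dc_offset(samples):
    """Mean of the samples: the DC spike baudline shows at the tuned centre."""
    return sum(samples) / len(samples)


def bin_power(samples, freq_hz, sample_rate):
    """Normalised power in a single DFT bin at freq_hz (direct sum, no FFT)."""
    step = -2j * math.pi * freq_hz / sample_rate
    acc = sum(s * cmath.exp(step * n) for n, s in enumerate(samples))
    return abs(acc / len(samples)) ** 2


def shift_frequency(samples, offset_hz, sample_rate):
    """Mix with a complex exponential so that a signal sitting offset_hz away
    from the tuned centre ends up at 0 Hz while the DC spike moves to
    -offset_hz: the digital half of the 'tune 2 MHz off' trick."""
    step = -2j * math.pi * offset_hz / sample_rate
    return [s * cmath.exp(step * n) for n, s in enumerate(samples)]


def make_capture(fmt, n=2048, sample_rate=8e6, tone_hz=-2e6, dc=0.25, amp=0.5):
    """Constructed test data, not a real capture: a carrier tone_hz away from
    the centre plus a DC component, quantised to the chosen raw format."""
    full, code = (127, '<bb') if fmt == 's8' else (32767, '<hh')
    out = bytearray()
    for k in range(n):
        s = dc + amp * cmath.exp(2j * math.pi * tone_hz * k / sample_rate)
        out += struct.pack(code, round(s.real * full), round(s.imag * full))
    return bytes(out)


def analyse(raw, fmt, sample_rate, offset_hz):
    """Return (|DC|, (power at 0 Hz, power at offset_hz) before shifting,
    (power at 0 Hz, power at -offset_hz) after shifting)."""
    iq = decode_iq(raw, fmt)
    before = (bin_power(iq, 0.0, sample_rate), bin_power(iq, offset_hz, sample_rate))
    shifted = shift_frequency(iq, offset_hz, sample_rate)
    after = (bin_power(shifted, 0.0, sample_rate), bin_power(shifted, -offset_hz, sample_rate))
    return abs(dc_offset(iq)), before, after


if __name__ == '__main__':
    # Tuned 2 MHz above the signal of interest (e.g. 442 MHz to watch 440 MHz):
    # the wanted carrier shows up at -2 MHz, the DC spike stays at 0 Hz.
    for fmt in ('s8', 's16'):
        print(fmt, analyse(make_capture(fmt), fmt, 8e6, -2e6))
```

To run it on a real file, replace make_capture() with the bytes read from the hackrf_transfer or airspy_rx output and pass the matching format and sample rate.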
====After demodulation with GQRX====
In GQRX, choose to stream audio through UDP (icon on the left of the recording button)
<pre>
nc -l -u -p 7355 | \
  baudline -stdin -samplerate 48000
</pre>

====Tuning====
* input / color aperture
* zoom: alt+arrows
* Hz zoom: requires a larger FFT (process / transform size), trade-off with temporal resolution

===[https://github.com/EliasOenal/multimon-ng multimon-ng]===
MultimonNG is a fork of multimon. It decodes the following digital transmission modes:
<pre>
POCSAG512 POCSAG1200 POCSAG2400
EAS
UFSK1200 CLIPFSK AFSK1200 AFSK2400 AFSK2400_2 AFSK2400_3
HAPN4800
FSK9600
DTMF
ZVEI1 ZVEI2 ZVEI3 DZVEI PZVEI
EEA EIA CCIR
MORSE CW
</pre>
See also http://eliasoenal.com/2012/05/24/multimonng/

====After demodulation with GQRX====
In GQRX, choose to stream audio through UDP (icon on the left of the recording button)
<pre>
nc -l -u -p 7355 | \
  sox -r 48000 -t raw -b 16 -c 1 -e signed-integer /dev/stdin -r 22050 -t raw -b 16 -c 1 -e signed-integer - | \
  multimon-ng -t raw -c -a AFSK2400 -a SCOPE /dev/stdin
</pre>

====After demodulation with rtl_fm====
Only for FM modulated packets, obviously.
<br>Clock drift may be quite important with RTL-SDR and kal sometimes gives strange results, so I prefer to first find the exact frequency to tune to with GQRX.
<pre>
rtl_fm -f 466.175M -s 22.05k - | \
  multimon-ng -a POCSAG1200 -f alpha -t raw /dev/stdin
</pre>

==27.150MHz RC==
* http://ossmann.blogspot.be/2013/06/hackrf-lego-car.html
* http://dangerousprototypes.com/2014/03/13/hackrf-one-with-gr-remotecar/
* https://github.com/scateu/gr-remotecar
Replay example for a 27.150MHz RC:
<pre>
hackrf_transfer -r rc27_up_a1_l16_g20_s8 -f 27000000 -a 1 -l 16 -g 20 -s 8000000
hackrf_transfer -t rc27_up_a1_l16_g20_s8 -f 27000000 -a 1 -x 40 -s 8000000
</pre>
The GRC example from gr-remotecar/examples/example_TX_II.py works OOB for me, using [https://github.com/scateu/gr-remotecar/issues/1 those build instructions].

==27.195MHz RC==
Garage doors, AM/ASK
<br>cf http://boutique.ed-diamond.com/home/861-hackable-magazine-6.html
<br>[https://github.com/merbanan/rtl_433 rtl_433]
<pre>
rtl_433 -f 27195000
</pre>

==87MHz to 108MHz FM band==
* [https://raw.githubusercontent.com/rrobotics/hackrf-tests/master/fm_radio/fm_radio_rx.py fm_radio_rx.py] & [https://raw.githubusercontent.com/rrobotics/hackrf-tests/master/fm_radio/fm_radio_rx.grc fm_radio_rx.grc]

==315MHz car keyfob==
* http://blog.kismetwireless.net/2013/08/playing-with-hackrf-keyfobs.html

==433MHz car keyfob==
* http://phasenoise.livejournal.com/3822.html

==433MHz doorbell==
* [https://bytebucket.org/rootbsd/433mhz-ask-signal-analysis/raw/5f4937e4efb2198abcc375b8aefee41421941fca/pdf/433MHz_ASK_sginal_analysis-Wireless_door_bell_adventure-1.0.pdf Wireless door bell adventure (pdf)] by RootBSD

==433MHz sensors==
Weather sensors, etc.
<br>[https://github.com/merbanan/rtl_433 rtl_433]
<pre>
rtl_433
</pre>

==480MHz interferences==
Stripes around 480MHz are caused by a poorly shielded USB cable.

==524 to 542 MHz wireless microphones==

==1090MHz ADS-B==

==POCSAG Pagers==
* https://web.archive.org/web/20130825000155/http://binaryrf.com/viewtopic.php?f=9&t=8

=Side-Channel Analysis=
* [http://www.tau.ac.il/~tromer/radioexp/index.html Stealing Keys from PCs using a Radio: Cheap Electromagnetic Attacks on Windowed Exponentiation]