Hardware

HackRF

1MHz - 6GHz, RX/TX half-duplex, BW 20MHz, ADC/DAC 8bit
https://github.com/mossmann/hackrf/wiki
Bias-T supply can deliver 3.3V 50mA
BW & filtering: https://github.com/mossmann/hackrf/wiki/Tips-and-Tricks
FW flashing

$ hackrf_info
Found HackRF board.
Board ID Number: 2 (HackRF One)
Firmware Version: 2014.08.1
Part ID Number: 0xa000cb3c 0x0067434c
Serial Number: 0x00000000 0x00000000 0x15d463dc 0x383f8125

Airspy

24MHz - 1.750GHz, RX, BW 10MHz (9MHz alias free), ADC 12bit (10.4 ENOB)
Bias-T supply can deliver 4.5V
FW flashing

$ airspy_info

Found AirSpy board 1
Board ID Number: 0 (AIRSPY)
Firmware Version: AirSpy NOS v1.0.0-rc5-0-g648c14f 2015-05-20
Part ID Number: 0x6906002B 0x00000030
Serial Number: 0x618C63C82F7424A7
Supported sample rates:
	10.000000 MSPS
	2.500000 MSPS
Close board 1

RTL-SDR

~25MHz - 2GHz, RX, BW 2.4-2.8MHz, ADC 8bit
Mine: 52-2212 MHz with gap @ 1107-1241 MHz

LNA: Low Noise Amplifiers

LNA4ALL
- 28-2500MHz, gain about 22dB from 28MHz to 600MHz then gain drops to ~16dB @ 1400MHz and ~11dB @ 2500MHz, 0.75dB NF @ 1 GHz and 0.98dB NF @ 2 GHz
- 6-9 V, 55-65 mA (5V if regulator bridged)
- can be powered by HackRF or Airspy if modified, 10uH SMD on OUT and regulator bridged (because we deliver <5V) or bridged by 100mA fuse, just in case.
LNA4HF
- 150kHz - 30MHz, gain 18-20 dB, NF 1-2 dB
- 6-9 V, 18 mA (5V if regulator bridged)
- up to 2GHz if low-pass filter removed
Better to position LNA near antenna than near receiver, more useful info here

Antennas

ANT500

50 ohms, 75 MHz - 1 GHz, 20cm - 88cm

Software

https://github.com/mossmann/hackrf/wiki/Operating-System-Tips -> PyBOMBS
HackRF specific: https://github.com/mossmann/hackrf/wiki/Software-with-HackRF-Support

Reverse engineering

Info

Generic

GQRX

Baudline

With hackrf

Add offset to avoid DC, e.g. to monitor 440MHz -> 442MHz
E.g. somewhere around 100MHz @ 8MHz:

hackrf_transfer -r /dev/stdout -f 100000000 -s 8000000 | \
  baudline -stdin -quadrature -channels 2 -flipcomplex -format u8 -samplerate 8000000 -memory 256

With airspy

Freq is given in MHz, sample rate is given by fw offset: -a 0 = 10M, -a 1 = 2.5M
By default airspy_rx & baudline work with 16bit LSB samples

airspy_rx -r /dev/stdout -f 100 -a 0  | \
  baudline -stdin -quadrature -channels 2 -flipcomplex -samplerate 10000000 -memory 256

airspy_rx -r /dev/stdout -f 100 -a 1  | \
  baudline -stdin -quadrature -channels 2 -flipcomplex -samplerate 2500000 -memory 256

After demodulation with GQRX

In GQRX, choose to stream audio through UDP (icon on left of recording button)

nc -l -u -p 7355  | \
  baudline -stdin -samplerate 48000

Tuning

input / color aperture
zoom: alt+arrows
Hz zoom: require larger FFT (process / transform size), trade-off with temporal resolution

27MHz RC

http://ossmann.blogspot.be/2013/06/hackrf-lego-car.html

87MHz to 108MHz FM band

fm_radio_rx.py & fm_radio_rx.grc

315MHz car keyfob

http://blog.kismetwireless.net/2013/08/playing-with-hackrf-keyfobs.html

480MHz interferences

Stripes around 480MHz are because of poorly shielded USB cable

https://github.com/mossmann/hackrf/wiki/USB-Cables-(and-why-to-use-a-noise-reducing-one)

524 to 542 MHz wireless microphones

http://www.sharebrained.com/2013/06/15/wireless-microphones-and-hackrf/
- microphone_shure.grc FM demodulator

1090MHz ADS-B

gr-air-modes

POCSAG Pagers

https://web.archive.org/web/20130825000155/http://binaryrf.com/viewtopic.php?f=9&t=8

SDR

Contents