SDR

From YobiWiki

Hardware

HackRF

$ hackrf_info
Found HackRF board.
Board ID Number: 2 (HackRF One)
Firmware Version: 2014.08.1
Part ID Number: 0xa000cb3c 0x0067434c
Serial Number: 0x00000000 0x00000000 0x15d463dc 0x383f8125

Airspy

  • 24MHz - 1.750GHz, RX, BW 10MHz (9MHz alias free), ADC 12bit (10.4 ENOB), sampling rates: 2.5Msps or 8Msps
  • Bias-T supply can deliver 4.5V
  • FW flashing
$ airspy_info

Found AirSpy board 1
Board ID Number: 0 (AIRSPY)
Firmware Version: AirSpy NOS v1.0.0-rc5-0-g648c14f 2015-05-20
Part ID Number: 0x6906002B 0x00000030
Serial Number: 0x618C63C82F7424A7
Supported sample rates:
	10.000000 MSPS
	2.500000 MSPS
Close board 1

RTL-SDR

  • ~25MHz - 2GHz, RX, BW 2.4-2.8MHz, ADC 8bit
  • Mine: 52-2212 MHz with gap @ 1107-1241 MHz

LNA: Low Noise Amplifiers

  • LNA4ALL
    • 28-2500MHz, gain about 22dB from 28MHz to 600MHz then gain drops to ~16dB @ 1400MHz and ~11dB @ 2500MHz, 0.75dB NF @ 1 GHz and 0.98dB NF @ 2 GHz
    • 6-9 V, 55-65 mA (5V if regulator bridged)
    • can be powered by the HackRF or Airspy bias-T if modified: a 10uH SMD inductor on OUT and the regulator bridged (because the bias-T delivers less than 5V), or bridged through a 100mA fuse, just in case.
  • LNA4HF
    • 150kHz - 30MHz, gain 18-20 dB, NF 1-2 dB
    • 6-9 V, 18 mA (5V if regulator bridged)
    • up to 2GHz if low-pass filter removed
  • Better to position LNA near antenna than near receiver, more useful info here

Antennas

ANT500

  • 50 ohms, 75 MHz - 1 GHz, 20cm - 88cm

Software

Understanding SDR

Understanding GNU Radio

Resources

GNU Radio tips

Config

If you install it from your distro, make sure it will also look for manually installed modules, as we'll build a few of them:
Edit the grc configuration file under /etc/gnuradio/conf.d/:

global_blocks_path = /usr/share/gnuradio/grc/blocks:/usr/local/share/gnuradio/grc/blocks

Or better, do it locally in ~/.gnuradio/config.conf:

[grc]
local_blocks_path=/usr/local/share/gnuradio/grc/blocks

Interface

  • underlined parameters can change at run time (e.g. via variable slider)
  • / to search in modules
  • use 1.0 instead of 1 for floats, yeah python...

Design

  • Add a Throttle block if no real hardware is involved in the flowgraph, to enforce a real-time rate and avoid running at 100% CPU. One per flowgraph is enough.

Legal

Be aware of the local legislation!
Emitting is strongly regulated (in terms of frequency, power, modulation, content,...) and may require a license.
Receiving may also be regulated!
See ITU and regional laws.
E.g. in Belgium, check the 13/06/2005 law: you can't listen to communications other than public broadcasts, CB and HAM, and your equipment can be seized if it is programmed/tuned to listen to those frequencies.
So it's safer to play in the allowed bands and to reverse-engineer your own stuff (RC toys,...).

Reverse engineering

Info

  • FCC
    • If Grantee Code unknown, look in "Grantee Search". Use it also to find alternate Grantee Codes (e.g. same address, same company under another legal name)
    • Look at other devices from same Grantee Code
  • https://fcc.io quick alternative
  • Signal Identification Guide

Generic

GQRX

Baudline

With hackrf


Tune with an offset so the signal of interest does not sit on the DC spike at the centre frequency, e.g. tune to 442MHz to monitor 440MHz.
E.g. somewhere around 100MHz @ 8MHz sample rate:

hackrf_transfer -r /dev/stdout -f 100000000 -s 8000000 | \
  baudline -stdin -quadrature -channels 2 -flipcomplex -format u8 -samplerate 8000000 -memory 256
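The same offset trick done in software, as an added example that is not part of the wiki or of the HackRF tools: the capture below is constructed (a DC spur plus a tone 2 MHz below the centre, i.e. a 440MHz signal when the HackRF is tuned to 442MHz), and multiplying it by a complex exponential shifts the whole spectrum by +2 MHz so the wanted signal lands at 0 Hz while the DC spur moves out of the way. The 8 Msps rate matches the hackrf_transfer line above; the function names and the constructed samples are assumptions.

```python
"""Digital frequency shift of an I/Q capture (added example, not wiki code)."""
import cmath
import math

FS = 8_000_000  # -s 8000000, as in the hackrf_transfer command above (assumption: same rate)


def shift_frequency(iq, shift_hz, fs=FS):
    """Multiply by exp(+j*2*pi*shift*t): moves every component up by shift_hz.

    A signal sitting at (centre - offset) in the capture ends up at 0 Hz after
    shifting by +offset, and the DC spur from the centre ends up at +offset."""
    step = cmath.exp(2j * math.pi * shift_hz / fs)
    phasor = 1 + 0j
    out = []
    for s in iq:
        out.append(s * phasor)
        phasor *= step
    return out


def power_at(iq, f_hz, fs=FS):
    """Single-bin DFT magnitude at f_hz, normalised so a unit tone reads 1.0."""
    n = len(iq)
    acc = sum(s * cmath.exp(-2j * math.pi * f_hz * k / fs) for k, s in enumerate(iq))
    return abs(acc) / n


def make_capture(n=400, fs=FS, tone_hz=-2_000_000, tone_amp=0.5, dc=1.0):
    """Constructed capture (not a real recording): a DC spur of amplitude 1.0
    plus the wanted tone 2 MHz below centre, i.e. 440MHz with the HackRF tuned to 442MHz.
    n=400 keeps the 2 MHz tone exactly on a DFT bin (fs/n = 20 kHz)."""
    return [dc + tone_amp * cmath.exp(2j * math.pi * tone_hz * k / fs) for k in range(n)]


if __name__ == "__main__":
    cap = make_capture()
    print("before: DC %.2f, tone@-2MHz %.2f" % (power_at(cap, 0), power_at(cap, -2_000_000)))
    shifted = shift_frequency(cap, 2_000_000)
    print("after:  DC %.2f, spur@+2MHz %.2f" % (power_at(shifted, 0), power_at(shifted, 2_000_000)))
```

The same multiply-by-exponential is what a "frequency translating" stage does in GNU Radio or what GQRX's tuning offset does internally; after the shift a low-pass filter around 0 Hz keeps the signal and rejects the relocated spur.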

With airspy


Frequency is given in MHz; the sample rate is selected by index (-a) into the list the firmware reports in airspy_info above: -a 0 = 10M, -a 1 = 2.5M
By default airspy_rx & baudline work with 16-bit little-endian samples

airspy_rx -r /dev/stdout -f 100 -a 0  | \
  baudline -stdin -quadrature -channels 2 -flipcomplex -samplerate 10000000 -memory 256
airspy_rx -r /dev/stdout -f 100 -a 1  | \
  baudline -stdin -quadrature -channels 2 -flipcomplex -samplerate 2500000 -memory 256

After demodulation with GQRX

In GQRX, choose to stream audio through UDP (icon on left of recording button)

nc -l -u -p 7355  | \
  baudline -stdin -samplerate 48000

Tuning

  • input / color aperture
  • zoom: alt+arrows
  • Hz zoom: require larger FFT (process / transform size), trade-off with temporal resolution

multimon-ng

MultimonNG is a fork of multimon. It decodes the following digital transmission modes:

    POCSAG512 POCSAG1200 POCSAG2400
    EAS
    UFSK1200 CLIPFSK AFSK1200 AFSK2400 AFSK2400_2 AFSK2400_3
    HAPN4800
    FSK9600
    DTMF
    ZVEI1 ZVEI2 ZVEI3 DZVEI PZVEI
    EEA EIA CCIR
    MORSE CW

See also http://eliasoenal.com/2012/05/24/multimonng/

After demodulation with GQRX


In GQRX, choose to stream audio through UDP (icon on left of recording button)

nc -l -u -p 7355  | \
  sox -r 48000 -t raw -b 16 -c 1 -e signed-integer /dev/stdin -r 22050 -t raw -b 16 -c 1 -e signed-integer - | \
  multimon-ng -t raw -c -a AFSK2400 -a SCOPE /dev/stdin

After demodulation with rtl_fm

Only for FM-modulated packets, obviously.
Clock drift may be quite important with RTL-SDR and kal sometimes gives strange results, so I prefer to first find the exact frequency to tune on with GQRX

rtl_fm -f 466.175M -s 22.05k - | \
  multimon-ng -a POCSAG1200 -f alpha -t raw /dev/stdin

27.150MHz RC

Replay example for a 27.150MHz RC:

hackrf_transfer -r rc27_up_a1_l16_g20_s8 -f 27000000 -a 1 -l 16 -g 20 -s 8000000
hackrf_transfer -t rc27_up_a1_l16_g20_s8 -f 27000000 -a 1 -x 40 -s 8000000

GRC example from gr-remotecar/examples/example_TX_II.py works OOB for me, using those build instructions.

27.195MHz RC

Garage doors, AM/ASK
cf http://boutique.ed-diamond.com/home/861-hackable-magazine-6.html
With rtl_433:

rtl_433 -f 27195000
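Once a capture such as rc27_up_a1_l16_g20_s8 above exists, the first reverse-engineering step for AM/ASK (on/off keyed) transmitters like the 27.150MHz RC and these garage-door remotes is to recover the pulse timings. The following is an added example, not code from the wiki or from the HackRF project: it reads the interleaved signed 8-bit I/Q that hackrf_transfer writes, takes a moving-average envelope, thresholds it at half the peak and lists carrier-on/carrier-off durations. The burst it decodes is constructed inline (a tone 150 kHz above a 27.000MHz centre, where 27.150MHz would appear given the -f 27000000 above); the 8 Msps rate matches the commands above, and the window size, threshold, pulse pattern and noise level are assumptions.

```python
"""OOK/ASK pulse-width extraction from a hackrf_transfer capture (added example, not wiki code)."""
import math
import random
import struct

SAMPLE_RATE = 8_000_000  # -s 8000000 as in the hackrf_transfer commands above


def iq_from_int8(raw: bytes):
    """hackrf_transfer -r writes interleaved signed 8-bit I,Q pairs."""
    n = len(raw) // 2
    ints = struct.unpack(f"{2 * n}b", raw[:2 * n])
    return [complex(ints[2 * k], ints[2 * k + 1]) for k in range(n)]


def envelope(iq, window=64):
    """Moving average of |sample|: a non-coherent AM/ASK detector.

    64 samples at 8 Msps is 8 us: short against the ~0.5-1 ms pulses assumed
    for a 27 MHz RC transmitter, long enough to smooth the noise."""
    mags = [abs(s) for s in iq]
    out, acc = [], 0.0
    for i, m in enumerate(mags):
        acc += m
        if i >= window:
            acc -= mags[i - window]
        out.append(acc / min(i + 1, window))
    return out


def runs(env, threshold, sample_rate=SAMPLE_RATE):
    """Split the thresholded envelope into (state, duration_us) runs; state 1 = carrier on."""
    result, cur, start = [], int(env[0] > threshold), 0
    for i, e in enumerate(env):
        st = int(e > threshold)
        if st != cur:
            result.append((cur, (i - start) * 1e6 / sample_rate))
            cur, start = st, i
    result.append((cur, (len(env) - start) * 1e6 / sample_rate))
    return result


def decode_capture(raw: bytes, sample_rate=SAMPLE_RATE, window=64):
    """Raw int8 I/Q bytes -> list of (state, duration_us); threshold at half the peak envelope."""
    env = envelope(iq_from_int8(raw), window)
    return runs(env, 0.5 * max(env), sample_rate)


def pulses_from_file(path, sample_rate=SAMPLE_RATE):
    """Same, for a capture file such as rc27_up_a1_l16_g20_s8 from the page."""
    with open(path, "rb") as f:
        return decode_capture(f.read(), sample_rate)


# ---- constructed test burst (not a real capture) ----
def make_ook_burst(pattern_us, sample_rate=SAMPLE_RATE, offset_hz=150_000, amplitude=100, seed=1):
    """int8 I/Q bytes for an on/off pattern: a tone 150 kHz above centre
    (27.150 MHz when tuned to 27.000 MHz) with a little uniform noise."""
    rng = random.Random(seed)
    out, n = bytearray(), 0
    for state, dur_us in pattern_us:
        for _ in range(int(dur_us * sample_rate / 1e6)):
            ph = 2 * math.pi * offset_hz * n / sample_rate
            i = amplitude * math.cos(ph) if state else 0.0
            q = amplitude * math.sin(ph) if state else 0.0
            out += struct.pack("bb", int(round(i + rng.uniform(-3, 3))),
                               int(round(q + rng.uniform(-3, 3))))
            n += 1
    return bytes(out)


# assumed frame: 200us silence, long/short/long pulses separated by 500us gaps, 200us silence
PATTERN = [(0, 200), (1, 1000), (0, 500), (1, 500), (0, 500), (1, 1000), (0, 200)]

if __name__ == "__main__":
    for state, us in decode_capture(make_ook_burst(PATTERN)):
        print("ON " if state else "OFF", f"{us:8.1f} us")
```

On a real recording run pulses_from_file('rc27_up_a1_l16_g20_s8'). The moving average delays both edges by the same half window, so the widths come out right to within a sample even though the absolute edge positions shift; the half-peak threshold suits a clean, strong signal, and a transmitter's data frame shows up as a repeating series of ON/OFF widths that can be compared against what hackrf_transfer -t replays.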

87MHz to 108MHz FM band

315MHz car keyfob

433MHz doorbell

433MHz sensors

Weather sensors etc
With rtl_433:

rtl_433

480MHz interference

Stripes around 480MHz are caused by a poorly shielded USB cable

524 to 542 MHz wireless microphones

1090MHz ADS-B

POCSAG Pagers