Building a Software Defined Radio from Scratch

Over on his blog Lukas Lao Beyer has uploaded a post that shows his journey with designing and building a software defined radio from scratch. Lukas’ finished SDR design is called the FreeSRP and is based on the Analog Devices AD9364 transceiver and a Xilinx FPGA.

In his post Lukas describes how he designed the PCB with Altium Designer, routing the traces carefully to ensure the shortest path was used and that impedance matching was correct. Then, after producing the PCBs with OSH Park, he writes how he assembled the board by carefully placing the components by hand and using his reflow oven. This was no easy task due to the manual nature of the operation and the high possibility of undetectable solder problems. Despite the difficulties he found that the SDR powered up as expected.

His next step was to start work on the FPGA controller design; however, he discovered that he had failed to properly route some clock pins on the FPGA. On his third revision of the PCB he was able to fix this. Finally he was able to program the FPGA and get his SDR to work.

Designing an SDR from scratch is no easy task, especially if you have little design experience, as Lukas did. However, in the end, despite some mistakes, he was able to build a working SDR that interfaces with GNU Radio.

Lukas' FreeSRP SDR.

ADS-B Traffic Analytics with Valo and an RTL-SDR

Valo is a software service for real-time big data streaming analytics of data from many sensors. On their website they explain their service as follows.

Valo is a single platform for streaming (real time) and batch (historical) data analysis. Valo provides multi-paradigm big data storage for both semi-structured and numerical data. Valo contains a powerful analytics engine for processing all of this data. Finally Valo is super simple – a single tool that can be up and running in minutes.

Recently Rémi Selva wrote in to let us know about an interesting use-case for Valo which involves the RTL-SDR. In his post Rémi shows us how he uses an RTL-SDR, Raspberry Pi running dump1090, and Valo to create interesting data visualizations of the ADS-B aircraft data. He not only shows how to visualize the data in Valo, but also how to use queries to dig deeper into the data, looking for patterns.

Valo ADS-B Data Flow

Rémi writes that what he’s done is simply a proof of concept that shows the power of Valo. He writes that one interesting future development could be using Valo to detect FBI/CIA surveillance aircraft. Previously we posted about how an RTL-SDR user discovered these surveillance aircraft by their odd circular flight paths. The analytics engine of Valo could be used to automatically detect odd flight patterns such as those flown by these surveillance aircraft.
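As an added illustration of the kind of pattern check described above (not code from Rémi’s post or from Valo), here is a small Python detector that accumulates signed heading change along an aircraft track and flags a track that has turned through roughly two full laps while staying inside a small box, which is what a circling surveillance pattern looks like in position data. The track points are constructed for the example; in practice they would come from dump1090 position reports, and the function names, thresholds and the ICAO-style labels are assumptions of this example.

```python
import math

# Constructed ADS-B track points (seconds, latitude, longitude).
# Made-up positions near Hong Kong, not real dump1090 output.

def _circle(center_lat, center_lon, radius_deg, laps, step_deg, period_s):
    """Generate a clockwise circular track covering `laps` full turns plus one
    extra segment, so the heading-change sum spans exactly `laps` laps."""
    pts = []
    n_segments = int(laps * 360 / step_deg) + 1
    for k in range(n_segments + 1):
        theta = math.radians(k * step_deg)
        pts.append((k * period_s,
                    center_lat + radius_deg * math.cos(theta),
                    center_lon + radius_deg * math.sin(theta)))
    return pts

# Aircraft "A" orbits a point twice; aircraft "B" flies a straight diagonal line.
CIRCLING_TRACK = _circle(22.30, 114.00, 0.05, laps=2, step_deg=15, period_s=15)
STRAIGHT_TRACK = [(k * 15, 22.30 + 0.01 * k, 114.00 + 0.01 * k) for k in range(12)]


def bearing_deg(lat1, lon1, lat2, lon2):
    """Initial great-circle bearing from point 1 to point 2, degrees clockwise from north."""
    phi1, phi2 = math.radians(lat1), math.radians(lat2)
    dlon = math.radians(lon2 - lon1)
    x = math.sin(dlon) * math.cos(phi2)
    y = math.cos(phi1) * math.sin(phi2) - math.sin(phi1) * math.cos(phi2) * math.cos(dlon)
    return (math.degrees(math.atan2(x, y)) + 360.0) % 360.0


def signed_turn(b_from, b_to):
    """Smallest signed heading change from b_from to b_to, in (-180, 180]."""
    return (b_to - b_from + 180.0) % 360.0 - 180.0


def cumulative_turn(track):
    """Sum of signed heading changes along a list of (t, lat, lon) points.
    A straight flight sums to about 0; one full orbit sums to about +/-360."""
    bearings = [bearing_deg(a[1], a[2], b[1], b[2]) for a, b in zip(track, track[1:])]
    return sum(signed_turn(b1, b2) for b1, b2 in zip(bearings, bearings[1:]))


def is_circling(track, min_turn_deg=700.0, max_span_deg=0.2):
    """Flag a track that has turned through roughly two laps (>= min_turn_deg)
    while its positions stay within a max_span_deg by max_span_deg box."""
    if len(track) < 3:
        return False
    lats = [p[1] for p in track]
    lons = [p[2] for p in track]
    span = max(max(lats) - min(lats), max(lons) - min(lons))
    return abs(cumulative_turn(track)) >= min_turn_deg and span <= max_span_deg


def flag_circling(tracks):
    """Map each aircraft label to True/False for the circling pattern."""
    return {label: is_circling(track) for label, track in tracks.items()}


if __name__ == "__main__":
    print(flag_circling({"A": CIRCLING_TRACK, "B": STRAIGHT_TRACK}))
```

The heading-change sum is robust to the direction of the orbit (it is checked in absolute value) and to the bearing wrapping through 360 degrees, which is why the per-step change is folded into the (-180, 180] range before summing. A real deployment would run this over a sliding window of each aircraft’s recent positions rather than over a whole track at once.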

Plotting the history of aircraft coming into land at HK airport

Building an S-Band Antenna for the HackRF

Mario Filippi, a regular contributor to our blog and to the SDR community, recently wrote in with an article showing how he built an S-Band (2 – 4 GHz) antenna for use with the HackRF. Of course the antenna can be used with any other SDR that can receive in this range, or with an RTL-SDR and downconverter. We post his article below.

S-Band Antenna for use with the HackRF One
Author: Mario Filippi, N2HUN

Ever since purchasing a HackRF One, which receives from 1 MHz – 6.0 GHz, I’ve always wanted to explore the world above 1 Gig, specifically the 2.0 – 2.7 GHz portion of the S-band. This portion of the band is populated with satellite communications, ISM, amateur radio, and wireless networks. A good, homebrew antenna for S-band was needed, so with parts mostly from the junk box, a 2250 MHz S-band right hand circularly polarized omni-directional antenna was built. Below is a step by step tutorial on building this antenna. Plans were from UHF-Satcom’s site.

The final S-band antenna


Kukuruku: A new SDR client that supports RTL-SDR

A new general purpose SDR software package called “Kukuruku” has recently been released. It appears to be a Linux-only client based on GNU Radio. The authors write that it has several interesting features, which we quote below:

Network transparency. Process the data remotely and send to the client only waterfall pixels and filtered narrowband channels instead of the entire SDR baseband. With this, you can use the SDR remotely over WAN.

Multiple demodulators running at once. How the hell can this be missing?

History browsing. It happens to me all the time: I see a new station scrolling on the waterfall. Before I manage to tune to it, it disappears (or at least the callsign is over). I have 8 GB of RAM, so why can’t I store the last minute of the entire SDR baseband for future reference?

Pluggable demodulators. Why is it so much pain to add GSM, Tetra, Tetrapol and other modes to existing software? I just want to provide a binary and have the data piped to stdin.

Squelch sucks. The squelch should not care about absolute signal level, but about level relative to surrounding channels. Additionally, it should have hysteresis and a small buffer, so when it triggers, it correctly replays the beginning of the conversation. Oh, and when recording, the squelch should timestamp the parts of conversation.

Histogram. It is difficult to see clipping on the FFT output. Why don’t we have a histogram of samples?

Autotune/AFC. Obvious.

Scanner. Both for automatic demodulating all peaks in the spectrum and for retuning the SDR and finding stations. Even the crappiest rtl-sdr has 2 MHz bandwidth and can retune in 50 ms. This means 1600 channels per second. Compare this with commercial scanners.
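The squelch the Kukuruku authors describe above (relative to surrounding channels, with hysteresis, a replay buffer and timestamped segments) is easy to get wrong, so here is an added Python model of it. This is example code written for this post, not Kukuruku’s implementation; the spectrum frames are constructed, the bin layout, thresholds and frame-index timestamps are assumptions, and the absolute-threshold squelch is included only to show the behaviour the authors complain about.

```python
from collections import deque
from statistics import median

# Constructed per-frame spectrum snapshots: 7 channel power bins in dB with the
# channel of interest at index 3. Not captured from a real SDR. Frames 10-11
# simulate a broadband noise rise that lifts every bin by 20 dB.
CENTER = 3
FRAMES = [
    [-60, -61, -59, -60, -60, -61, -60],   # 0: idle
    [-60, -61, -59, -60, -60, -61, -60],   # 1: idle
    [-60, -61, -59, -52, -60, -61, -60],   # 2: weak onset, 8 dB over floor
    [-60, -61, -59, -40, -60, -61, -60],   # 3: carrier up, 20 dB over floor
    [-60, -61, -59, -40, -60, -61, -60],   # 4
    [-60, -61, -59, -40, -60, -61, -60],   # 5
    [-60, -61, -59, -55, -60, -61, -60],   # 6: fading, 5 dB over floor
    [-60, -61, -59, -58, -60, -61, -60],   # 7: gone, 2 dB over floor
    [-60, -61, -59, -60, -60, -61, -60],   # 8: idle
    [-60, -61, -59, -60, -60, -61, -60],   # 9: idle
    [-40, -41, -39, -40, -40, -41, -40],   # 10: noise rise in all bins
    [-40, -41, -39, -40, -40, -41, -40],   # 11: still only noise
]


def noise_floor_db(bins, center):
    """Estimate the local floor as the median of the neighbouring channels."""
    return median(v for k, v in enumerate(bins) if k != center)


class RelativeSquelch:
    """Opens when the channel is open_db above its neighbours, closes only after
    `hold` consecutive frames below close_db (hysteresis), replays the last
    `preroll` frames on opening, and records (start, end) frame indices."""

    def __init__(self, open_db=10.0, close_db=6.0, preroll=3, hold=2):
        self.open_db, self.close_db, self.hold = open_db, close_db, hold
        self.preroll = deque(maxlen=preroll)   # frame indices seen while closed
        self.is_open, self.quiet, self.start = False, 0, None
        self.segments = []                      # timestamps of each conversation

    def process(self, frames, center=CENTER):
        """Return the frame indices that would be passed on to audio/recording."""
        passed = []
        for i, bins in enumerate(frames):
            rel = bins[center] - noise_floor_db(bins, center)
            if not self.is_open:
                if rel >= self.open_db:
                    self.is_open, self.quiet = True, 0
                    self.start = self.preroll[0] if self.preroll else i
                    passed.extend(self.preroll)      # replay the buffered start
                    passed.append(i)
                    self.preroll.clear()
                else:
                    self.preroll.append(i)
            else:
                passed.append(i)
                if rel < self.close_db:
                    self.quiet += 1
                    if self.quiet >= self.hold:
                        self.is_open = False
                        self.segments.append((self.start, i))
                else:
                    self.quiet = 0
        return passed


def absolute_squelch(frames, threshold_db=-50.0, center=CENTER):
    """The naive squelch: a fixed level, so a noise rise opens it too."""
    return [i for i, bins in enumerate(frames) if bins[center] > threshold_db]


def run_demo():
    sq = RelativeSquelch()
    passed = sq.process(FRAMES)
    return passed, sq.segments, absolute_squelch(FRAMES)


if __name__ == "__main__":
    print(run_demo())
```

On the constructed frames the relative squelch passes frames 0 to 7 (three pre-roll frames plus the transmission and its fade-out) and records one segment, while the absolute squelch misses the pre-roll and wrongly opens on the noise rise in frames 10 and 11. The frame indices stand in for timestamps; a real implementation would map them to sample-clock time.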

At the moment one interesting plugin for Kukuruku is the TETRA plugin. The plugin appears to use tetra-listener and TETRAPOL-kit as the demodulators, and simply passes the signal data to them for decoding and audio output.

The installation instructions can be found in the user guide. So far we unfortunately haven’t been able to install and test the software due to several compilation errors, so if anyone tries this out and gets it to work, please post any installation tips in the comments.

Kukuruku running and demodulating TETRA audio with a plugin.

rx_tools: RTL-SDR Command Line Tools (rtl_power, rtl_fm, rtl_sdr) Now Compatible With Almost Any SDR

Developer R. X. Seger has recently released rx_tools, which provides SDR-independent ports of the popular command line RTL-SDR tools rtl_power, rtl_fm and rtl_sdr. This means that these tools can now be used on almost any SDR, such as the bladeRF, HackRF, SDRplay, Airspy and LimeSDR. If you don’t know what the tools do, here is a quick breakdown:

rtl_fm / rx_fm: Allows you to decode and listen to FM/AM/SSB radio.
rtl_sdr / rx_sdr: Allows you to record raw samples for future processing.
rtl_power / rx_power: Allows you to do wideband scans over arbitrarily wide swaths of bandwidth by hopping over and recording signal power levels over multiple chunks of spectrum.

rx_tools is based on SoapySDR, which is an SDR abstraction layer. If software is developed against SoapySDR, then it can be used with any SDR for which a Soapy plugin has been written. This removes the need for software to be rewritten many times for different SDRs, as instead the plugin only needs to be written once per device.

rx_power scan with the HackRF at 5 GHz over 9 hours.

Cheating at Pokémon Go with a HackRF and GPS Spoofing

"Pokémon Go" is the latest in smartphone augmented reality gaming crazes. You may have already heard about the game on the news, or seen kids playing it in your neighborhood. To play, players must walk around in the real world with their GPS enabled smartphone, collecting different virtual Pokémon which appear at random spots in the real world, replenishing the virtual items needed to collect Pokémon at "Pokéstops" and putting Pokémon to battle at "Gyms". Pokéstops and gyms are often city landmarks such as popular shops, fountains, statues, signs etc. For those who have no idea what "Pokémon" are: Pokémon are fictional animals from a popular children's cartoon and comic.

Since the game is GPS based, Stefan Kiese decided to see if he could cheat at the game by spoofing his GPS location using a HackRF software defined radio. The HackRF is a relatively low cost multipurpose TX and RX capable software defined radio. When playing the game, players often walk from Pokéstop to Pokéstop, collecting Pokémon along the way, and replenishing their items. By spoofing the GPS signal he is able to simulate walking around in the physical world, potentially automating the collection of Pokémon and replenishment of items at Pokéstops.

To do this he used the off the shelf "GPS-SDR-Sim" software by Takuji Ebinuma, which is a GPS spoofing tool for transmit capable SDRs like the HackRF, bladeRF and USRP radios. At first, when using the software, Stefan noticed that the HackRF was simply jamming his GPS signals and not simulating the satellites. He discovered the problem was with the HackRF's clock not being accurate enough. To solve this he used a function generator to input a stable 10 MHz square wave into the HackRF's clock input port. He also found that he needed to disable "Assisted GPS (A-GPS)" on his phone, which uses local cell phone towers to help improve GPS location tracking.

Next he was able to use the GPS-SDR-Sim tools to plot a simulated walking route and see his virtual character walking around on the real world map. A warning if you intend on doing this: Remember that 1) spoofing or jamming GPS is highly illegal in most countries outside of a shielded test lab setting, so you must ensure that your spoofed GPS signal does not interfere with anything, and 2) the game likely has cheating detection and will probably ban you if you don't simulate a regular walking speed.

GPS spoofing is not new. One attempt in 2013 allowed university researchers to send an 80 million dollar 213-foot yacht off course, and it is suspected that hackers from the Iranian government used GPS spoofing to divert and land an American stealth drone back in 2011. In past posts we also showed how security researcher Lin Huang was able to spoof GPS and bypass drone no fly restrictions.

[Also seen on Hackaday.com] / [Russian Readers: There is a translation of this article by softdroid now available]

The "Pokemon Go" GPS spoofing set up.

RTLSDR4Everyone: Avoiding RTL-SDR Rip Off’s Part 2

Over on his blog Akos has uploaded a new post that discusses the topic of avoiding RTL-SDR rip-offs on sites like eBay. On auction sites there are many dishonest sellers who sell or resell items at overly high prices, hoping that someone will make a mistake and purchase from them.

Akos also points out how most of the “full band” direct sampling based RTL-SDRs are incredibly overpriced. We note that for the same or an even cheaper price you could pick up a regular RTL-SDR dongle plus an upconverter and enjoy much better performance, or, as Akos notes, purchase a Soft66RTL3 or RSP. He also points out overpriced dedicated ADS-B sticks, which are now outperformed by even the cheapest RTL-SDR dongles. Finally, he advises avoiding sellers who are simply combining RTL-SDR dongles into strange contraptions mounted on a small camera tripod and selling them at high prices.

Strange RTL-SDR ripoff contraption at a much higher price.

Using the Airspy as a Network Analyzer for Characterizing Antennas

Over on YouTube user Mile Kokotov has uploaded a very nice tutorial video that shows how the Airspy can be used as a low cost scalar network analyzer between 0.1 and 1800 MHz. A network analyzer allows you to characterize the performance of antennas by determining the antenna SWR curve. A low point on an SWR graph indicates the frequency at which an antenna is resonant/tuned, so a network analyzer is very useful for tuning homemade or adjustable antennas.

Dedicated scalar network analyzers can cost thousands of dollars. Together with a cheap noise source and a cheap directional coupler, the Airspy can be used as a very low cost scalar network analyzer for characterizing antennas. If you are interested in this we also have a similar tutorial on our blog that shows how to do this with an RTL-SDR. However, the Airspy R2 or Mini is of course a better tool for this job, as it can scan the spectrum much faster than the RTL-SDR with its Spectrum Spy software. Mile writes:

In this video I am showing how Airspy SDR can be used for measuring Return Loss, Antenna SWR and Antenna Bandwidth of several commercial and homemade antennas.

The impedance of the Radio Station (transmitter or receiver) must be well matched to the antenna’s impedance if we want maximum available power to be delivered to antenna.

The return loss and SWR measurements show us the match of the system.

A poorly matched antenna will reflect costly RF energy which will not be available for transmission and will instead end up in the transmitter. This extra energy returned to the transmitter will not only distort the signal but it will also affect the efficiency of the transmitted power and the corresponding coverage area.

Return Loss and SWR both display the match of the system, but they show it in different ways. The return loss displays the ratio of reflected power to reference power in dB.

The return loss view is usually preferred over the SWR linear scale, because it is easier to compare a small and a large number on a logarithmic scale.

More than 20 dB system return loss is considered very efficient as only less than 1% of the power is returned and more than 99% of the power is transmitted. In that case the SWR is around 1.2

For radio amateur usage, a return loss of more than 14 dB is acceptable. This is equivalent to an SWR of 1.5, which means that 4% of the power is returned and 96% of the power is transmitted.

0 dB return loss represents an open or a short antenna terminal, while 45 or more dB return loss would be close to a perfect match.

Many different methods can be used to measure standing wave ratio. Professionals usually use a vector network analyzer or frequency analyzer with sweep signal generator and directional coupler.

In this video I will show you a very cheap and very good method for antenna characterization, which means measuring the return loss versus frequency and the usable antenna bandwidth, like measuring with much, much more expensive, state of the art network analyzers and similar measuring equipment.

Airspy SDR as a Network Analyzer using for Antenna Characterization

EDIT: It has been pointed out that we incorrectly used the term vector network analyzer in the previous title, when we should have instead used scalar network analyzer. A scalar network analyzer can measure amplitude, but a vector network analyzer can measure amplitude and phase and is a more complex device. Apologies for any confusion.
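To make the return loss and SWR figures quoted by Mile concrete, here is an added Python helper (written for this post, not Mile’s or Airspy’s code) that converts between return loss, reflection coefficient, reflected power fraction and SWR, and then applies the same arithmetic to a scalar sweep. The sweep part assumes the usual scalar-analyzer procedure of normalizing the reflected-power trace against an open (or short) reference so that return loss is the dB difference between the two traces; the frequency points and trace levels are constructed, and the 14 dB usable-bandwidth threshold is Mile’s amateur-radio figure. The helper also handles the 0 dB open/short case, where the SWR is infinite.

```python
import math


def reflection_coefficient(return_loss_db):
    """|Gamma| from return loss in dB: RL = -20 * log10(|Gamma|)."""
    return 10 ** (-return_loss_db / 20.0)


def reflected_fraction(return_loss_db):
    """Fraction of forward power reflected back to the transmitter (|Gamma|^2)."""
    return 10 ** (-return_loss_db / 10.0)


def swr_from_return_loss(return_loss_db):
    """SWR = (1 + |Gamma|) / (1 - |Gamma|); 0 dB (open/short) gives infinity."""
    g = reflection_coefficient(return_loss_db)
    if g >= 1.0:
        return math.inf
    return (1.0 + g) / (1.0 - g)


def return_loss_from_swr(swr):
    """Inverse conversion: RL = -20 * log10((SWR - 1) / (SWR + 1))."""
    if math.isinf(swr):
        return 0.0
    return -20.0 * math.log10((swr - 1.0) / (swr + 1.0))


# Constructed scalar sweep from 430 to 450 MHz in 1 MHz steps. The reference
# trace is the reflected level with the coupler's port left open (everything
# reflected); the antenna trace dips where the antenna absorbs power. Values
# are made up for the example, not measurements from the video.
FREQS_MHZ = list(range(430, 451))
REFERENCE_DB = [-30.0] * len(FREQS_MHZ)
ANTENNA_DB = [-30.0 - max(0.0, 25.0 - 2.5 * abs(f - 440)) for f in FREQS_MHZ]


def return_loss_sweep(freqs, reference_db, antenna_db):
    """Return loss per frequency: reference (open) level minus antenna level."""
    return [(f, r - a) for f, r, a in zip(freqs, reference_db, antenna_db)]


def analyze_sweep(freqs, reference_db, antenna_db, min_rl_db=14.0):
    """Find the resonant frequency (max return loss / min SWR) and the band
    over which return loss stays at or above min_rl_db (SWR <= 1.5 at 14 dB)."""
    sweep = return_loss_sweep(freqs, reference_db, antenna_db)
    f_res, rl_max = max(sweep, key=lambda p: p[1])
    usable = [f for f, rl in sweep if rl >= min_rl_db]
    return {
        "resonant_mhz": f_res,
        "return_loss_db": rl_max,
        "swr": swr_from_return_loss(rl_max),
        "reflected_fraction": reflected_fraction(rl_max),
        "band_mhz": (min(usable), max(usable)) if usable else None,
    }


if __name__ == "__main__":
    for rl in (0.0, 14.0, 20.0, 45.0):
        print(f"RL {rl:4.1f} dB -> reflected {reflected_fraction(rl):.4f}, "
              f"SWR {swr_from_return_loss(rl):.3f}")
    print(analyze_sweep(FREQS_MHZ, REFERENCE_DB, ANTENNA_DB))
```

Running the conversions reproduces the figures in the quote: 20 dB return loss reflects 1% of the power at an SWR of about 1.22, 14 dB reflects about 4% at an SWR of about 1.5, and 0 dB gives an infinite SWR for an open or short. On the constructed sweep the antenna is resonant at 440 MHz with a usable 14 dB band from 436 to 444 MHz.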