To begin the investigation, stdw first opened the case and looked for a serial UART port. After finding one he connected it to a Raspberry Pi and was almost immediately able to reach the device's terminal. From the information printed during boot he determined that the modem runs the eCos operating system on a Broadcom BCM3383 SoC. Unfortunately, shortly after that information was displayed the UART connection was dropped, preventing any further investigation over the terminal.
To get around this, stdw decided to dump the flash memory from an SPI flash chip he spotted on the board. Again using the Raspberry Pi, he connected over SPI and used the flashrom tool to read out the memory. Next, using a tool called bcm2-utils, he was able to parse and modify the configuration data stored in the flash, and with that he changed the configuration so that the serial console no longer dropped after boot.
With terminal access gained, stdw was able to reverse engineer the firmware, and after a lot of searching eventually found a console command that performs a bandpower measurement over a given frequency range. He found that the IQ data for this scan is stored in a buffer, which he could then stream out over a TCP connection. With the IQ data available on another PC, he used Python libraries to compute an FFT and visualize the scanned spectrum. Further investigation yielded demodulated FM audio, and the realization that the usable bandwidth is 7.5 MHz.
Unfortunately there are some limitations. At maximum bandwidth and precision there is only enough RAM to store less than a second of data at a time, which meant that a lot of data had to be dropped between captures. Further investigation yielded ways to reduce the sample rate to 464 kHz, at which point only 12% of the data was dropped, which is enough to stream a wideband FM radio signal.
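As an added illustration of the PC-side processing described above (this is not stdw's code, and the raw buffer format is an assumption: interleaved little-endian signed 16-bit I/Q pairs at the 464 kHz rate mentioned), the block below turns such a buffer into a power spectrum to locate the carrier and then runs a simple phase-difference FM discriminator on it, using a constructed test signal in place of a real capture:

```python
import cmath
import math
import struct

def unpack_iq(raw):
    """Interleaved little-endian signed 16-bit I,Q pairs (assumed format) -> complex samples."""
    n = len(raw) // 4
    vals = struct.unpack("<%dh" % (2 * n), raw[:4 * n])
    return [complex(vals[2 * k], vals[2 * k + 1]) / 32768.0 for k in range(n)]

def power_spectrum_db(samples, fs):
    """One windowed DFT block -> list of (frequency_hz, power_db), sorted from -fs/2 to +fs/2."""
    n = len(samples)
    win = [0.5 - 0.5 * math.cos(2 * math.pi * m / n) for m in range(n)]  # Hann window
    x = [s * w for s, w in zip(samples, win)]
    out = []
    for k in range(n):
        acc = sum(x[m] * cmath.exp(-2j * math.pi * k * m / n) for m in range(n))
        bin_k = k if k < n // 2 else k - n  # same ordering as an fftshift
        out.append((bin_k * fs / n, 10 * math.log10(abs(acc) ** 2 / n ** 2 + 1e-12)))
    return sorted(out)

def peak_frequency_hz(samples, fs):
    """Frequency of the strongest bin, i.e. where a carrier sits in the scanned band."""
    return max(power_spectrum_db(samples, fs), key=lambda t: t[1])[0]

def fm_demodulate(samples):
    """Phase-difference discriminator: instantaneous frequency as a fraction of fs/2, in [-1, 1]."""
    return [cmath.phase(b * a.conjugate()) / math.pi for a, b in zip(samples, samples[1:])]

def make_test_iq(fs=464_000, n=256, carrier_hz=50_000, deviation_hz=0, tone_hz=1_000):
    """Constructed test buffer (not captured data): a carrier FM-modulated by a tone."""
    phase, out = 0.0, bytearray()
    for k in range(n):
        inst_hz = carrier_hz + deviation_hz * math.sin(2 * math.pi * tone_hz * k / fs)
        phase += 2 * math.pi * inst_hz / fs
        out += struct.pack("<hh", int(20000 * math.cos(phase)), int(20000 * math.sin(phase)))
    return bytes(out)

if __name__ == "__main__":
    fs = 464_000
    iq = unpack_iq(make_test_iq(fs, deviation_hz=75_000))
    print("carrier peak near %.0f Hz" % peak_frequency_hz(iq, fs))
    audio = fm_demodulate(iq)
    print("instantaneous frequency swings up to %.0f Hz" % (max(audio) * fs / 2))
```

The O(N^2) DFT keeps the block dependency-free; on a real stream you would replace it with numpy.fft over consecutive blocks of the buffer.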
If you wanted to try investigating the modem yourself, the Motorola MB7220 is available second hand on eBay for prices ranging between US$15 - US$40, and new on Amazon for $46.99. Although the usability of the modem for any real SDR applications may not be great, further investigation may yield better results. And if not, following along with the process stdw took looks to be a great reverse engineering learning experience. Other modems that use similar Broadcom chips may also be worth investigating.
A lot of affordable Chinese clone SDRs have been coming onto the market recently, and the RX-888 is one of the most interesting. The RX-888 appears to be an improved clone of the RX-666 which in turn is a clone derived from Oscar Steila (IK1XPV)'s BBRF103 original open source design.
The RX-888 is based on the LTC2208 16-bit ADC chip which is capable of streaming the entire 1 kHz to 32 MHz frequency range to the PC over USB 3.0 with direct sampling. Frequencies from 32 MHz to 1.8 GHz can also be received via an R820T2 tuner which is on the board (the same tuner used in most RTL-SDRs). Due to the bandwidth restrictions of the R820T2 silicon, the bandwidth above 32 MHz is restricted to 8 - 10 MHz. The main change when compared to the RX-666 appears to be that there is an LNA which improves medium wave and small antenna performance which was a problem on the RX-666. The RX-888 also adds several heat sinks to the enclosure, as excessive heat generation of the LTC2208 ADC appears to also be an issue.
Recently Nils Schiffhauer (DK8OK) wrote up a great review of the RX-888. In the review he covers the specs, shows a few screenshots of signals he has received, and also provides multiple audio samples of received signals.
The RX-888 is currently available on marketplace sites like Aliexpress and eBay priced at around US$180. In the past SDRs that could receive the entire HF band at once were rare, with the only affordable SDR with this capability being the KiwiSDR. So it is good to see that we may now be entering a stage of new advancement in affordable SDRs.
One thing to note is that this design can be considered a clone. However the original design by Oscar is open source and from this post on his blog he seems happy and accepting of the clones.
We note that we have ordered a unit and will be uploading a review once we test it.
OpenWiFi is a Linux mac80211 compatible full-stack IEEE802.11/Wi-Fi design based on an FPGA and SDR (Software Defined Radio). It aims to be the first full open source implementation of the entire WiFi stack. While the current design does not provide any feature benefits over commercial closed source chips, it is beneficial from an education standpoint, and also from a security view as any open source FPGA code can be verified to not have backdoors. The SDRs used in the project are typically not ones seen on this blog as they mostly exist on research dev boards optimized for the 2.4 GHz band.
Recently the FOSDEM 2020 conference talks from February 2020 have been released on YouTube and a talk titled Opensource "Wi-Fi chip design" and Linux drivers by Xianjun Jiao was uploaded. The talk explains OpenWiFi in detail, and why or why not you might want to use it.
Individuals, SMEs, opensource communities and big companies have shown big interest in the openwifi project. They also asked many questions, such as MIMO support, CSI information support, roadmap and opensource license consideration. One new interesting message, which was not expected before, is that people are willing to pay more for a WiFi chip not because the chip's performance is better but just because they can check the chip silicon source code (Verilog/VHDL/C) on github if they have privacy/security concerns. So far, no commercial WiFi chip discloses its silicon source code. After the FOSDEM, the project has reached 545 stars on github.
The talks are typically very technical in nature, but if you're interested in cutting edge SDR research and applications then these are good talks to get caught up on. Currently there are seven videos that have been uploaded, but we are expecting that there are more to come since there are more talks listed in their programme. They appear to be uploading one video per day at the moment so get subscribed to their YouTube channel for the upcoming videos.
The currently uploaded talks include:
A Keynote interview with N1UL Dr. Ulrich Rohde
Laurence Barker G8NJJ: Using Xilinx Vivado for SDR Development
Edwin Richter DC9OE, Crt Valentincic S56GYK: Usage of higher order Nyquist Zones with Direct Sampling Devices
Prof. Dr. Michael Hartje DK5HH: Signalprocessing in the man made noise measurement system ENAMS
Bart Somers PE1RIK: Long term spectrum monitoring using GNUradio and Python
We are looking forward to the upcoming talks like the one by Dr. Bastian Bloessl DF1BBL that discusses the GNU Radio on Android implementation.
SDRA2020 - 03/04 - Laurence Barker: Using Xilinx Vivado for SDR Development
HamSCI is an organization dedicated to citizen radio science and specifically the "publicity and promotion of projects that advance scientific research and understanding through amateur radio activities". Recently they held their HamSCI 2020 workshop online, and the videos are now available on the Ham Radio 2.0 YouTube channel. Several of the projects mentioned in the talks involve the use of software defined radios.
Come join HamSCI at its third annual workshop! Due to restrictions caused by the COVID-19 Coronavirus, this year's workshop will be held as a virtual, electronic workshop. The meeting will take place March 20-21, 2020 using Zoom Webinar Services hosted by The University of Scranton in Scranton, PA. The primary objective of the HamSCI workshop is to bring together the amateur radio community and professional scientists. The theme of the 2020 HamSCI Workshop is "The Auroral Connection: How does the aurora affect amateur radio, and what can we learn about the aurora from radio techniques?" Invited speakers include Dr. Elizabeth MacDonald, NASA Scientist and founder of Aurorasaurus, Dr. James LaBelle, Dartmouth Space Scientist and expert on radio aurora, and Dave Hallidy K2DH, an expert in ham radio auroral communication.
One talk discusses the HamSCI personal weather station project, which is an SDR and Raspberry Pi based solution that monitors HF signals like WSPR, as well as characterizing HF noise, detecting lightning and ionospheric disturbances.
HamSCI 2020 Overview of the Personal Space Weather Station and Project Update
Another talk discusses the TangerineSDR, which is an open source SDR currently in development by TAPR. The goal of the TangerineSDR is to be a sub $500 SDR with a focus on space science, academic research as well as general amateur use.
HamSCI 2020 TangerineSDR Data Engine and Overall Architecture
Radenso is a company that sells radar detectors. These are used to help motorists avoid speeding fines from Police using radar speed detectors in their cruisers. Their latest upcoming product is called the "Radenso Theia" and is a software defined radio based solution.
In one of their latest YouTube videos they explain how SDR is used in the Theia, noting that the SDR ADC chip they are using is an AD9248. The use of an SDR allows them to more easily apply advanced digital signal processing algorithms to the radar detection task. In particular they note that they can now apply deep learning artificial intelligence filtering which helps to classify different radar gun FFT signatures and avoid false positives from other radar sources such as automatic doors.
While the Theia is designed to be a radar detector, they note that the device could also be used by hardware hackers as a standalone software defined radio. They have thought about this use case and have added a separate uFL connector that can be enabled by soldering a zero ohm connector, and this allows users to connect any antenna to it.
What is a software defined radio and why does it matter for Radenso Theia?
DARPA (Defense Advanced Research Projects Agency) has recently released video from their Spectrum Collaboration Challenge Championship Event where team GatorWings took home a two million dollar prize. In the original DARPA grand challenge teams competed to produce an autonomous car that can get through an obstacle course. In this spectrum challenge DARPA poses the questions, what if there was no FCC to control the band plan, and how do we make more efficient use of a scarce spectrum?
Given those questions, the goal is for software defined radios driven by artificial intelligences created by each team to autonomously find ways to manage and share the spectrum by themselves. The AIs are required to find ways to listen to and learn the patterns of other AI SDRs using differing wireless standards, all of which are competing for the same slice of spectrum at the same time. The competition asks the AIs to provide simulated wireless services (phone calls, data links, video, images) during a simulation run with all the AIs running at once. Whichever AI is able to provide the most stable services while sharing the spectrum fairly with the other AIs wins.
On October 23, 2019, ten teams of finalists gathered to compete one last time in the Championship Event of DARPA's Spectrum Collaboration Challenge (SC2), a three-year competition designed to unlock the true potential of the radio frequency (RF) spectrum with artificial intelligence. DARPA held the Championship Event at Mobile World Congress 2019 Los Angeles in front of a live audience.
Team GatorWings from University of Florida took home the $2 million first prize, followed by MarmotE from Vanderbilt University in second with $1 million, and Zylinium, a start-up, in third with $750,000.
Throughout the competition, SC2 demonstrated how AI can help to meet spiking demand for spectrum. As program manager Paul Tilghman noted in his closing remarks from the SC2 stage: "Our competitors packed 3.5 times more wireless signals into the spectrum than we're capable of today. Our teams outperformed static allocations and demonstrated greater performance than current wireless standards like LTE. The paradigm of collaborative AI and wireless is here to stay and will propel us from spectrum scarcity to spectrum abundance."
The highlights video is shown below, and the full two hour competition stream can be viewed here.
Highlights from the Spectrum Collaboration Challenge Championship Event
The competition was run on the DARPA Colosseum, the world's largest test bed for performing repeatable radio experiments. Capable of running up to 128 two-channel software defined radios with 3 peta-ops of computing power, it allows experimenters to accurately simulate real-world RF environments. It works by connecting special "channel emulator" RF computing hardware to each physical SDR, which can emulate any RF environment.
SDR Makerspace is a community based in Greece that is run by the European Space Agency and Libre Space Foundation (who are responsible for the SatNOGS project). It provides funding and resources for Software Defined Radio based space communication projects.