Recently we posted about bladeRF-wiphy which is open source code that can turn a bladeRF software defined radio into a software defined WiFi access point. The bladeRF 2.0 is a relatively low cost SDR which costs $420 for the low end version. It is capable of both transmit and receive (2x2 MIMO) with a 47 MHz to 6 GHz frequency range and 61.44 MHz sampling rate.
Over on YouTube Aaron who created DragonOS has uploaded a video demonstrating bladeRF-wiphy in action. He writes:
This video demonstrates Nuand’s new open source 802.11 modem/FPGA available for the bladeRFxA9. Everything will be Pre included in DragonOS Focal to setup an open AP and hopefully whatever’s required for use within Kismet.
Minor configuration is needed for the open AP, while Kismet integration should be pretty straight forward.
This is an awesome addition to the bladeRF and I look forward to seeing what else is possible with this new open source 802.11 compatible modem!
DragonOS Focal BladeRF-wiphy w/ Open Wi-Fi AP and Splash page (bladeRFxA9)
Back in August 2020 we posted about OpenWiFi , an open source implementation of the full IEEE802.11/Wi-Fi stack for FPGA and SDR combo board. Recently the team at Nuand have released their own WiFi implementation called "bladeRF-wiphy" for their bladeRF 2.0 software defined radio. The code is implemented in VHDL, which runs directly on the bladeRF's on board micro xA9 FPGA.
The bladeRF-wiphy project is an open-source IEEE 802.11 compatible software defined radio VHDL modem. The modem is able to modulate and demodulate 802.11 packets (the protocol WiFi is based on), and run directly on the bladeRF 2.0 micro xA9’s FPGA.
The bladeRF-wiphy coupled with Linux mac80211 allows the bladeRF 2.0 micro xA9 to become a software defined radio 802.11 access point! 802.11 packets (PDUs) are modulated and demodulated directly on the FPGA, so only 802.11 packets are transferred between the FPGA and libbladeRF.
OpenWiFi is a Linux mac80211 compatible full-stack IEEE802.11/Wi-Fi design based on an FPGA and SDR (Software Defined Radio). It aims to be the first full open source implementation of the entire WiFi stack. While the current design does not provide any feature benefits over commercial closed source chips, it is beneficial from an education standpoint, and also from a security view as any open source FPGA code can be verified to not have backdoors. The SDRs used in the project are typically not ones seen on this blog as they mostly exist on research dev boards optimized for the 2.4 GHz band.
Recently the FOSDEM 2020 conference talks from February 2020 have been released on YouTube and a talk titled Opensource "Wi-Fi chip design" and Linux drivers by Xianjun Jiao was uploaded. The talk explains OpenWiFi in detail, and why or why not you might want to use it.
Individuals, SMEs, opensource communities and big companies have shown big interests on the openwifi project. They also asked many questions, such as MIMO support, CSI information support, roadmap and opensource license consideration. One new interesting message, which is not expected before, is that: People are willing to pay more for a WiFi chip not because the chip’s performance is better but just because they can check the chip silicon source code (Verilog/VHDL/C) on github if they have privacy/security concern. So far, not any commercial WiFi chip discloses their silicon source code. After the FOSDEM, the project has reached 545 stars on github.
The Electrosense network is an open source project aiming to deploy radio spectrum sensors worldwide. The idea is to help analyze and understand radio spectrum usage across the globe. Each sensor consists of an RTL-SDR, Raspberry Pi and an optional downconverter to receive the higher bands. If you're interested we wrote an overview of the project in a previous post.
Recently we received a sample of their Up/Downconverter expansion board which is used to expand the frequency range of the RTL-SDR to 0 MHz to 6 GHz. The converter board is entirely open source with the design files available on GitHub. The team note that they are also working on a V2 version which will be cheaper and smaller. The schematic and Firmware for the V2 is also available right now, but it is still under early testing and may change.
The board is not for sale, however you can apply to be considered for a free unit if you want to host your own Electrosense node and meet their criteria. If you do not you can still produce the board yourself. The team mention that the design is easily hand soldered, but there are a few difficult LGA components like the PLL, crystals and mixer which require a heat gun to solder. A the same time they also note that it is possible to get PCB manufacture and SMT assembly done for you for dirt cheap by PCB prototype companies like JLC PCB.
The Expansion Up/Downconverter Board
The converter board has 4-input SMA ports (only 3 are used) and one output port which connects to the RTL-SDR. The first input port is for the HF antenna input. This input connects to the circuit which converts 0 - 30 MHz into a higher frequency which can be received by the RTL-SDR. The second port is simply a pass through for the standard 24 MHz - 1.766 GHz range of a normal SDR. The third port is unused, and the fourth port connects the antenna to the downconverter circuit which allows us to receive from 1.766 GHz to 6 GHz.
Suspecting interference generated by the HDMI clock, Mike Walters (@assortedhackery) used a HackRF and a near field probe antenna to investigate. By placing the near field probe on the Raspberry Pi 4's PCB and running a screen at 1440p resolution he discovered a large power spike showing up at 2.415 GHz. This interferes directly with 2.4 GHz WiFi Channel 1.
There's an interesting story doing the rounds about the Raspberry Pi 4 WiFi not working at higher HDMI resolutions. I had a quick look with a HackRF & near-field probe and there's definitely a big spike that stamps right on channel 1 pic.twitter.com/FXRebYYJxw
There’s a giant spike that could easily interfere with Channel 1 of a Wi-Fi adapter. So why is this happening? Because a 2560×1440@60Hz has a pixel clock of 241.5MHz and has a TMDS (transition-minimized differential signaling) clock of 2.415GHz, according to Hector Martin (@Marcan42). And what frequency does the RBP4 use for Wi-Fi? 2.4GHz. Which means… outputting on HDMI over 1440p can cause interference in a Wi-Fi channel.
The ExtremeTech article also notes that this problem is not unique to the Raspberry Pi 4 only. It turns out that USB 3.0 hardware is to blame, and this problem has occurred before with USB3.0 hard driver and on some MacBooks.
While the interference appears to be localized to the near field around the Pi4 PCB, we suspect that you could use TempestSDR to remotely eavesdrop on the Pi 4's video output if the interfering signal was boosted.
Over on GitHub Ian Wraith has released his design and microcontroller code for a low cost 2.4 GHz downconverter circuit. A downconverter is a hardware device that shifts the signals that it receives into a lower frequency band. This is useful in the case of RTL-SDRs and Airspy SDRs, as their maximum frequency range is only 1.7 GHz. Ian's 2.4 GHz downconverter reduces those 2.4 GHz signals down to 1 GHz, which can then be received with his Airspy.
Rather than designing a circuit from scratch, Ian's design makes use of several very cheap Chinese evaluation/development boards that he found on eBay. It costs of a mixer board, oscillator board, and an STM32 development board for controlling the oscillator board via SPI. The whole set of hardware cost him less than £30 (~37 USD).
After spending some time working through the difficulties in programming the SPI interface on the STM32 board, he was able to get the downconverter circuit fully working. He notes that he's been able to receive WiFi, Zigbee, Bluetooth and ISM band signals at 2.4 GHz, as well as 3G and 4G cellular signals at 2.6 GHz.
Ian Wraith's Downconverter consisting of three off the shelf cheap Chinese eBay boards.
For a while now researchers at MIT and several other universities have been investigating methods for using frequencies in the WiFi bands to see through walls using a form of low power radar. The basic concept is to track and process the reflections of these signals from peoples bodies.
Recently researchers at MIT have taken this idea a step further, combining the radar results with machine learning in a project they call RF-Pose. The result is the ability to recreate and track full human post information through walls. The abstract from their paper reads:
This paper demonstrates accurate human pose estimation through walls and occlusions. We leverage the fact that wireless signals in the WiFi frequencies traverse walls and reflect off the human body. We introduce a deep neural network approach that parses such radio signals to estimate 2D poses. Since humans cannot annotate radio signals, we use state-of-the-art vision model to provide cross-modal supervision.
Specifically, during training the system uses synchronized wireless and visual inputs, extracts pose information from the visual stream, and uses it to guide the training process. Once trained, the network uses only the wireless signal for pose estimation. We show that, when tested on visible scenes, the radio-based system is almost as accurate as the vision-based system used to train it. Yet, unlike vision-based pose estimation, the radio-based system can estimate 2D poses through walls despite never trained on such scenarios.
The hope is that this technology could one day be used as a replacement for camera based computer vision. It would be a non-intrusive method for applications like gaming, monitoring the elderly for falls, motion capture during film making without the need for suits and of course for gathering data on peoples movements.
It is not mentioned in the paper, but it is likely that they are using some sort of SDR like a USRP for receiving the signals. It's possible that a lower resolution system could be set up cheaply with a HackRF and some passive radar software.
RF Pose Estimating Human Pose Behind walls using RF signals in the WiFi frequencies.Multiple people tracked with RF-Pose
Over on YouTube The Thought Emporium channel has been working on creating a "WiFi Camera" over the past few weeks. The idea is to essentially create a small radio telescope that can "see" WiFi signals, by generating a heatmap of WiFi signal strength. This is done with a directional helical 2.4 GHz antenna and motorized rotator that incrementally steps the antenna through various angles. After each movement step a HackRF and Python script is used to measure WiFi signal strength for a brief moment, and then the rotator moves onto the next angle. The helical antenna and rotator that they created are made out of PVC pipe plastic and wood, and are designed to be built by anyone with basic workshop tools like a bandsaw.
The final results show that they've been able to successfully generate heatmaps that can be overlaid on top of a photo. The areas that show higher signal strength correlate with areas on the photo where WiFi routers are placed, so the results appear to be accurate. In the future they hope to expand this idea and create a skyward pointing radio telescope for generating images of the galactic hydrogen line, and of satellites.
The Thought Emporiums' WiFi Heatmap Building Scan Results
The videos are split into three parts. The first two videos show the build process of the antennas and rotator, whilst the third video shows the final results.
DIY Radio Telescope Version 2: Wifi vision - Part 1
The Angriest Radio Telescope - Wifi Camera Part 2
Building a Camera That Can See Wifi | Part 3 SUCCESS!
