# Hello, World. Quick start

## Receiving FM broadcast with HackRF

### On Windows

• Connect the HackRF to the computer and press its power/Reset button once to turn it on
• Download the latest version of SDR#
• (Optional) download the Windows build of hackrf-tools
• The Microsoft Visual C++ 2012 Redistributable Package must be installed

## osmocom_fft osmocom_siggen

osmocom_siggen provides a simple signal generator.

## Transmitting FM broadcast

### WAV Source

1. samp_rate (the sample rate) must be set to 250 kHz; this is tied to our WAV file's sample rate of 44.1 kHz. In practice, if samp_rate is set to 500 kHz, the audio plays back at double speed.
2. N Channels is the number of channels in the WAV file; enter 2
3. In File, enter the path of the WAV file you prepared in the previous step

### Stream Mux

Stream Mux merges two data streams into one. For example, if N0 is a sample from the first stream and N1 a sample from the second stream, Stream Mux outputs the two streams as follows:

### Osmocom Sink

• Device Arguments: enter hackrf=0
• Sample rate: set to samp_rate*4
• Ch0 Freq Corr (ppm)
  • The HackRF's frequency correction value. Without instrument calibration you can simply enter 0; if you have the equipment, calibrate it with a spectrum analyzer or signal generator.
• Ch0 Frequency: the frequency to transmit on. Here I entered 93e6, i.e. 93 MHz
• Ch0 RF Gain (dB)
  • Whether the HackRF's amplifier is enabled
  • Although any value can be typed here, in fact there are only two settings, 0 and 14 dB; it is not continuously adjustable. We enter 14
• Ch0 IF Gain (dB)
  • The HackRF's intermediate-frequency gain
  • Judging from the circuit, this should be the gain applied after the signal enters the MAX2837 transceiver
  • We enter 40
• Ch0 BB Gain (dB)
  • The HackRF's baseband gain
  • We enter 20
• Ch0 Bandwidth: enter 250e3
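The WAV Source, Stream Mux and Osmocom Sink steps above describe a GRC flowgraph; the following is an added example, not code from the original page, that models the same pipeline in plain Python at the page's samp_rate of 250 kHz. The Stream Mux model follows the GNU Radio block's "n items from stream 0, then n from stream 1" behaviour, the 75 kHz peak deviation is the broadcast FM standard (an assumption, not stated on the page), and the audio input is constructed.

```python
import cmath
import math

SAMP_RATE = 250_000   # the samp_rate the flowgraph above uses
DEVIATION = 75_000    # assumed peak deviation: the broadcast FM standard, not stated on the page

def stream_mux(ch0, ch1, n0=1, n1=1):
    """Model of the Stream Mux block: emit n0 items from stream 0, then n1 from stream 1, repeat."""
    out, i, j = [], 0, 0
    while i < len(ch0) or j < len(ch1):
        out.extend(ch0[i:i + n0])
        out.extend(ch1[j:j + n1])
        i, j = i + n0, j + n1
    return out

def fm_modulate(audio, samp_rate=SAMP_RATE, deviation=DEVIATION):
    """Frequency-modulate normalized audio (-1..1) into complex baseband I/Q samples,
    the kind of stream the Osmocom Sink hands to the HackRF."""
    phase, iq = 0.0, []
    for a in audio:
        phase += 2 * math.pi * deviation * a / samp_rate   # instantaneous frequency = deviation * a
        iq.append(cmath.exp(1j * phase))
    return iq

def instantaneous_freq(iq, samp_rate=SAMP_RATE):
    """Quadrature FM demodulation: phase step between consecutive I/Q samples, scaled to Hz."""
    return [cmath.phase(iq[n] * iq[n - 1].conjugate()) * samp_rate / (2 * math.pi)
            for n in range(1, len(iq))]

def peak_deviation(audio):
    """Round-trip check: modulate, demodulate, and report the largest frequency excursion in Hz."""
    return max(abs(f) for f in instantaneous_freq(fm_modulate(audio)))

if __name__ == "__main__":
    # constructed input: 1 ms of a 1 kHz tone at half amplitude
    tone = [0.5 * math.sin(2 * math.pi * 1000 * t / SAMP_RATE) for t in range(250)]
    print(stream_mux([1, 2, 3], [10, 20, 30]))   # [1, 10, 2, 20, 3, 30]
    print(round(peak_deviation(tone)))            # about 37.5 kHz, half of the 75 kHz deviation
```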

# Prerequisites

## CW / Morse code

Morse code, also known as CW, is the oldest and still the most widespread form of radio communication, because CW occupies little bandwidth and resists interference well. As an information coding standard, Morse code has enjoyed a longevity no other coding scheme has matched. It was used as the international standard for maritime communication until 1999. In 1997, when the French Navy stopped using Morse code, the last message sent was: "Calling all. This is our last cry before our eternal silence!"

## Amateur radio

qrz.com provides a call sign lookup service for radio amateurs worldwide.

## gMFSK

gMFSK is a very powerful amateur radio modem (modulation/demodulation) program for Linux.

## DTMF

DTMF (Dual-Tone Multi-Frequency) works by representing every key on the keypad with one tone from the high group (1209 Hz, 1336 Hz, 1477 Hz, 1633 Hz) and one tone from the low group (697 Hz, 770 Hz, 852 Hz, 941 Hz).

• Note the colors of each block's ports: they indicate different data types. Yellow means float, so adjust this when building the flowgraph.
• Finally add a Multiply Const block to reduce the loudness.
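As an added example (not part of the original page), the eight DTMF tones listed above are used to synthesize a key and to detect it again with the Goertzel algorithm, which computes the energy of a single frequency bin without a full FFT; the 8 kHz sample rate and 0.1 s key duration are assumptions, and the input is constructed.

```python
import math

# Standard DTMF tone groups from the page: one low-group and one high-group tone per key
LOW_TONES = [697, 770, 852, 941]
HIGH_TONES = [1209, 1336, 1477, 1633]
KEYPAD = ["123A", "456B", "789C", "*0#D"]   # row selects the low tone, column the high tone

def dtmf_tone(key, fs=8000, duration=0.1, amplitude=0.5):
    """Synthesize the two-tone signal for `key` as a list of float samples (one audio channel)."""
    for r, row in enumerate(KEYPAD):
        c = row.find(key)
        if c >= 0:
            f_low, f_high = LOW_TONES[r], HIGH_TONES[c]
            break
    else:
        raise ValueError("not a DTMF key: %r" % key)
    n = int(fs * duration)
    return [amplitude * (math.sin(2 * math.pi * f_low * t / fs) + math.sin(2 * math.pi * f_high * t / fs))
            for t in range(n)]

def goertzel_power(samples, freq, fs):
    """Goertzel algorithm: energy of the signal at one target frequency (a single DFT bin)."""
    coeff = 2 * math.cos(2 * math.pi * freq / fs)
    s1 = s2 = 0.0
    for x in samples:
        s0 = x + coeff * s1 - s2
        s2, s1 = s1, s0
    return s1 * s1 + s2 * s2 - coeff * s1 * s2

def decode_dtmf(samples, fs=8000, ratio=4.0):
    """Return the key whose low and high tones dominate their groups, or None if there is no clear pair."""
    low = [goertzel_power(samples, f, fs) for f in LOW_TONES]
    high = [goertzel_power(samples, f, fs) for f in HIGH_TONES]
    r = max(range(4), key=low.__getitem__)
    c = max(range(4), key=high.__getitem__)
    # reject silence or noise: the winning tone must clearly beat the rest of its group
    for group, idx in ((low, r), (high, c)):
        others = max(group[i] for i in range(4) if i != idx)
        if group[idx] <= ratio * others:
            return None
    return KEYPAD[r][c]

def decode_sequence(keys):
    """Round-trip a string of keys through synthesis and detection (constructed test input)."""
    return "".join(decode_dtmf(dtmf_tone(k)) or "?" for k in keys)

if __name__ == "__main__":
    print(decode_sequence("159D*#"))   # 159D*#
```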

TODO: wiring diagram?

TODO: add a QPSK diagram

## Other common communication concepts

### dB / dBm

dB (decibel) is a unit that expresses a ratio. It is computed as

$10 \times \log_{10}{(\frac{A}{B})}$

$10 \times \log_{10}{\frac{1000\,\mathrm{kg}}{1\,\mathrm{kg}}} = 30\,\mathrm{dB}$

dBm compares the measured power against 1 mW; 30 dBm is therefore 1 W.

$30\,\mathrm{dBm} = 10 \times \log_{10}{\frac{1\,\mathrm{W}}{1\,\mathrm{mW}}}$

### IQ sampling / complex sampling

I refers to the in-phase data and Q to the quadrature data (because the carrier is offset by 90 degrees).

#### Hardware design considerations

$A\cos(2 \pi f_c t + \phi) = A\cos(\phi)\cos(2\pi f_c t) - A\sin(\phi)\sin(2\pi f_c t)$

$I = A\cos(\phi)$

$Q = A\sin(\phi)$

$\cos(\alpha+\beta) = \cos(\alpha)\cos(\beta) - \sin(\alpha)\sin(\beta)$

TODO: FIXME!!

### Frequency conversion (mixing)

$\cos(\omega_1 t) \cdot \cos(\omega_2 t) =$ TODO

### FFT

FFT (Fast Fourier Transform)
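The IQ sampling, frequency conversion and FFT sections above are tied together here by an added example that is not from the original page: a real mixer (cos times cos) produces both the sum and the difference frequency, and a real-mixed signal cannot tell an RF tone above the LO from one the same distance below it, whereas quadrature (I/Q) mixing keeps the sign of the offset. The 256 Hz sample rate, 50 Hz LO and tone frequencies are constructed toy values standing in for HackRF's GHz-range chain, and a plain DFT is used in place of an FFT.

```python
import cmath
import math

# Constructed toy values: with FS == N, DFT bin k is exactly k Hz, and negative
# frequencies occupy the upper half of the bins.
FS = 256
N = 256
F_LO = 50   # local oscillator frequency

def dft_magnitude(x):
    """Plain O(N^2) DFT magnitudes; an FFT computes the same bins, just faster."""
    n = len(x)
    return [abs(sum(x[t] * cmath.exp(-2j * math.pi * k * t / n) for t in range(n)))
            for k in range(n)]

def components(x, band=None):
    """Signed frequencies (Hz) carrying energy; band=(lo, hi) keeps only lo <= |f| <= hi,
    which plays the role of the baseband filter that follows the mixer."""
    out = []
    for k, m in enumerate(dft_magnitude(x)):
        f = k if k <= N // 2 else k - N
        if m > 1.0 and (band is None or band[0] <= abs(f) <= band[1]):
            out.append(f)
    return sorted(out)

def real_mix(f_rf):
    """cos(w_rf t) * cos(w_lo t): a real mixer yields the difference and the sum frequency."""
    return [math.cos(2 * math.pi * f_rf * t / FS) * math.cos(2 * math.pi * F_LO * t / FS)
            for t in range(N)]

def iq_mix(f_rf):
    """cos(w_rf t) * (cos(w_lo t) - j sin(w_lo t)): quadrature mixing keeps the offset's sign."""
    return [math.cos(2 * math.pi * f_rf * t / FS) * cmath.exp(-2j * math.pi * F_LO * t / FS)
            for t in range(N)]

def real_baseband(f_rf):
    return components(real_mix(f_rf), band=(0, 20))

def iq_baseband(f_rf):
    return components(iq_mix(f_rf), band=(0, 20))

if __name__ == "__main__":
    print(components(real_mix(60)))   # [-110, -10, 10, 110]: difference and sum products
    print(real_baseband(60), real_baseband(40))   # [-10, 10] [-10, 10]: 60 Hz and 40 Hz look identical
    print(iq_baseband(60), iq_baseband(40))       # [10] [-10]: I/Q keeps them apart
```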

## Background

### HackRF

FIXME: refer to the PDF

FIXME: refer to the Kickstarter introduction

HackRF is an open-source software-defined radio peripheral started by Michael Ossmann, designed to cover 30 MHz to 6 GHz. In 2012 it received funding from DARPA, and 500 units of the test version, Jawbreaker, were built and distributed to the community for testing. After collecting users' feedback on Jawbreaker, the author re-routed the board and improved its RF performance, which we will discuss in detail later. Then, over the 35 days from July 31 to September 4, 2013, it quickly attracted 1,991 backers on the well-known crowdfunding platform Kickstarter, with \$602,960 worth of HackRF One pre-orders.

• 30 MHz to 6 GHz
• Unlike the RTL2832U (RTL-SDR), HackRF can transmit
• Cheaper than a USRP
• Maximum sample rate: 20 Msps (10x the RTL-SDR TV dongle)
• Interface: High Speed USB
• USB powered
• Hardware and software fully open source
• Supported by DARPA's Cyber Fast Track program
• Funded on Kickstarter

#### How the HackRF hardware works

TODO: figure. The hardware consists mainly of the following parts:

• RFFC5072: mixer, provides an 80 MHz to 4200 MHz local oscillator
• MAX2837: 2.3 GHz to 2.7 GHz wireless broadband RF transceiver
• LPC4320/4330: ARM Cortex-M4 processor, 204 MHz clock
• Si5351B: I2C-programmable any-frequency CMOS clock generator; divides an 800 MHz source down to provide the 40 MHz, 50 MHz and sampling clocks
• MGA-81563: 0.1 to 6 GHz, 3 V, 14 dBm amplifier
• SKY13317: 20 MHz to 6.0 GHz RF single-pole triple-throw (SP3T) switch
• SKY13350: 0.01 to 6.0 GHz RF single-pole double-throw (SPDT) switch

• An RF switch selects whether the signal passes through the 14 dB amplifier
• The image-reject filter stage high-pass or low-pass filters the signal
• The RFFC5072 mixes the signal to the fixed 2.6 GHz IF
• The signal enters the MAX2837, which mixes it to baseband and outputs differential IQ signals
• Along the way the MAX2837 can limit the signal bandwidth
• The MAX5864 digitizes the baseband signal and passes it to the CPLD and microcontroller (TODO FIXME)
• What does the CPLD do?
• The LPC4320/4330 processor sends the sampled data to the computer over USB

#### What HackRF One improved over Jawbreaker

• Removed the useless on-board microstrip antenna
• Placed the RFFC5072 and MAX2837 inside a shield can to protect them from external interference and from the other chips on the board, and to try to prevent ESD damage to some chips
• Re-laid out the board so that the RF traces are more compact

TODO: add comparison pictures

## Application examples

gqrx

#### HackRF LTE-Cell-Scanner

http://v.youku.com/v_show/id_XNjc1MjIzMDEy.html

#### Decoding POCSAG pagers

http://binaryrf.com/viewtopic.php?f=9&t=8

#### Washington DC HackRF

http://www.openmhz.com/

Tech

There is a lot going on behind this simple looking website. Here is a high level overview of how it works, but shoot me an email if you want details.

The radio signals are received using the HackRF Software Defined Radio (SDR). The SDR receives a wide swath of radio spectrum and passes it to a computer to process and decode. Using this approach, it is possible to receive all of the transmissions from the radio system and decode them simultaneously. Without the SDR a separate radio receiver would be needed for each channel.

In a Trunking system, one of the radio channels is set aside to manage the assignment of radio channels to talkgroups. When someone wants to talk, they send a message on the control channel. The system then assigns them a channel and sends a Channel Grant message on the control channel. This lets the talker know what channel to transmit on and anyone who is a member of the talkgroup know that they should listen to that channel.

In order to follow all of the transmissions, this system constantly listens to and decodes the control channel. When a channel is granted to a talkgroup, the system creates a monitoring process. This process will start to process and decode the part of the radio spectrum for that channel which the SDR is already pulling in.

No message is transmitted on the control channel when a talkgroup’s conversation is over. So instead the monitoring process keeps track of transmissions and if there has been no activity for 5 seconds, it ends the recording and uploads to the webserver.

The monitoring and recording is being run off of a laptop in my apartment and uses a crappy antenna. The website is run off a VPS I have running up in the magical cloud.

The webserver is pretty simple. It is written in NodeJs. The audio is stored as WAV files and indexed using MongoDB. The server simply watches for new files being placed in a directory and then moves them and adds them to the DB. Socket.io is used to update all of the browsers visiting the site that a new transmission has been added. See – Easy, Peasy!

#### Decoding car signals

http://binaryrf.com/viewtopic.php?f=3&t=20
http://blog.kismetwireless.net/2013/08/playing-with-hackrf-keyfobs.html

#### DECT phones?

Cellular GSM base station

Digital Television (ATSC/DVB-T)

#### 1090

gr-air-modes osmocom modes_gui

-d, --dcblock Use a DC blocking filter (best for HackRF Jawbreaker) [default=False]

## Control signal analysis results

The signal of the 27.145 MHz remote-control car can roughly be regarded as the following PPM/AM waveform:

PPM stands for Pulse Position Modulation.

The length of TIME3 controls the car's steering (left/right); the length of TIME4 controls the throttle.

TODO

# HackRF hardware analysis and RF performance testing

## HackRF hardware analysis

### Chip overview

#### RFFC5072

The RFFC5071 and RFFC5072 are re-configurable frequency conversion devices with integrated fractional-N phase locked loop (PLL) synthesizer, voltage controlled oscillator (VCO) and either one or two high linearity mixers. The fractional-N synthesizer takes advantage of an advanced sigma-delta modulator that delivers ultra-fine step sizes and low spurious products. The PLL/VCO engine combined with an external loop filter allows the user to generate local oscillator (LO) signals from 85MHz to 4200MHz. The LO signal is buffered and routed to the integrated RF mixers which are used to up/down-convert frequencies ranging from 30MHz to 6000MHz. The mixer bias current is programmable and can be reduced for applications requiring lower power consumption. Both devices can be configured to work as signal sources by bypassing the integrated mixers. Device programming is achieved via a simple 3-wire serial interface. In addition, a unique programming mode allows up to four devices to be controlled from a common serial bus. This eliminates the need for separate chip-select control lines between each device and the host controller. Up to six general purpose outputs are provided, which can be used to access internal signals (the LOCK signal, for example) or to control front end components. Both devices operate with a 2.7V to 3.3V power supply.

#### MAX2837

The MAX2837 direct-conversion zero-IF RF transceiver is designed specifically for 2.3GHz to 2.7GHz wireless broadband systems. The MAX2837 completely integrates all circuitry required to implement the RF transceiver function, providing RF-to-baseband receive path, baseband-to-RF transmit path, VCO, frequency synthesizer, crystal oscillator, and baseband/control interface. The device includes a fast-settling sigma-delta RF synthesizer with smaller than 20Hz frequency steps and a crystal oscillator, which allows the use of a low-cost crystal in place of a TCXO. The transceiver IC also integrates circuits for on-chip DC offset cancellation, I/Q error, and carrier-leakage detection circuits. Only an RF bandpass filter (BPF), crystal, RF switch, PA, and a small number of passive components are needed to form a complete wireless broadband RF radio solution. The MAX2837 completely eliminates the need for an external SAW filter by implementing on-chip monolithic filters for both the receiver and transmitter. The baseband filters along with the Rx and Tx signal paths are optimized to meet stringent noise figure and linearity specifications. The device supports up to 2048 FFT OFDM and implements programmable channel filters for 1.75MHz to 28MHz RF channel bandwidths. The transceiver requires only 2μs Tx-Rx switching time, which includes frequency transient settling. The IC is available in a small, 48-pin thin QFN package measuring only 6mm x 6mm x 0.8mm.

#### MAX5864

The MAX5864 ultra-low-power, highly integrated analog front end is ideal for portable communication equipment such as handsets, PDAs, WLAN, and 3G wireless terminals. The MAX5864 integrates dual 8-bit receive ADCs and dual 10-bit transmit DACs while providing the highest dynamic performance at ultra-low power. The ADCs' analog I-Q input amplifiers are fully differential and accept 1V P-P full-scale signals. Typical I-Q channel phase matching is ±0.1° and amplitude matching is ±0.03dB. The ADCs feature 48.5dB SINAD and 69dBc spurious-free dynamic range (SFDR) at f_IN = 5.5MHz and f_CLK = 22Msps. The DACs' analog I-Q outputs are fully differential with ±400mV full-scale output, and 1.4V common-mode level. Typical I-Q channel phase match is ±0.15° and amplitude match is ±0.05dB. The DACs also feature dual 10-bit resolution with 71.7dBc SFDR, and 57dB SNR at f_OUT = 2.2MHz and f_CLK = 22MHz. The ADCs and DACs operate simultaneously or independently for frequency-division duplex (FDD) and time-division duplex (TDD) modes. A 3-wire serial interface controls power-down and transceiver modes of operation. The typical operating power is 42mW at f_CLK = 22Msps with the ADCs and DACs operating simultaneously in transceiver mode. The MAX5864 features an internal 1.024V voltage reference that is stable over the entire operating power-supply range and temperature range. The MAX5864 operates on a +2.7V to +3.3V analog power supply and a +1.8V to +3.3V digital I/O power supply for logic compatibility. The quiescent current is 5.6mA in idle mode and 1μA in shutdown mode. The MAX5864 is specified for the extended (-40°C to +85°C) temperature range and is available in a 48-pin thin QFN package.

# Advanced topics

### How to use two HackRFs

Here's a tricky method for duplex.

If you plug in two HackRF devices, hackrf_info will only show one HackRF device.

But if you plug in one first and run something with this HackRF to occupy it, then plug in another HackRF device and run another program, the 'duplex' works.

### Contributing to HackRF

https://github.com/mossmann/hackrf/pull/108

HackRF One enclosure design

### Filters

compare image1 image2 -compose src diff.png
compare image1 image2 -compose src diff.pdf

diffpdf

### Crosstalk

It looks like you’re getting the hang of it, but here is an answer to your earlier question about how to predict the bad spurs.

The IF is the intermediate frequency the MAX2837 is tuned to. The RF is the radio frequency of interest at the antenna port. The LO is the local oscillator frequency of the RFFC5072. (Technically there is another LO in the MAX2837, but it is the same frequency as IF. When I refer to LO, I am talking about the LO in the RFFC5072.)

RF = |IF + LO| or RF = |IF - LO|

Which one (the sum or the difference) depends on the configuration of the image reject filter stage.

Bad spurs occur when LO or an integer multiple of LO is within 10 MHz (or half of your baseband filter bandwidth) of RF. This happens due to leakage of the LO into the RF side of the RFFC5072.

Bad spurs occur when LO or an integer multiple of LO is within 10 MHz (or half of your baseband filter bandwidth) of IF. This happens due to leakage of the LO into the IF side of the RFFC5072.

To be safe, it is probably best to keep LO harmonics 20 MHz or further away from RF or IF. Right now our automatic tuning code (which is already fairly complicated) does not take LO leakage into account.

### RF/IF interference

Example: Center = 1277 MHz, IF = 2560 MHz

1283 - 1277 = 6

When the sampling rate = 20 M: Spur = 1283 MHz = 2560 - 1277

When the sampling rate = 8 M: 1277 + 8/2 = 1281 < 1283, so it is sub-sampled: Spur = 1277 - [8 - (1283 - 1277)] = 1277 - 2 = 1275 MHz

NOTE: the spur can be filtered out by the MAX2837 bandwidth filter.

When the sampling rate = 10 M: 1277 + 10/2 = 1282 < 1283, sub-sampled: Spur = 1277 - [10 - (1283 - 1277)] = 1277 - 4 = 1273 MHz
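The arithmetic above, and the LO-harmonic rule from the crosstalk note, carried through as an added example that is not code from the original page: the leaked LO sits at LO - Center from the tuned frequency, and when that offset lies outside the sampled band it folds back (aliases) into it. It assumes the difference configuration RF = |IF - LO|, so LO = |IF - RF|, with the page's fixed 2560 MHz IF, and treats the sample rate as the baseband bandwidth as the note does.

```python
IF_MHZ = 2560.0   # HackRF's fixed first IF as used in the example above

def lo_frequency(center_mhz, if_mhz=IF_MHZ):
    """LO the RFFC5072 must generate to move `center_mhz` to the IF (difference configuration)."""
    return abs(if_mhz - center_mhz)

def alias(offset_mhz, samp_rate_mhz):
    """Fold a frequency offset into the sampled band [-fs/2, fs/2): a leak that lies outside
    the band reappears at this offset after sub-sampling."""
    half = samp_rate_mhz / 2.0
    return ((offset_mhz + half) % samp_rate_mhz) - half

def spur_location(center_mhz, samp_rate_mhz, if_mhz=IF_MHZ):
    """Where the leaked LO shows up on the displayed spectrum, in MHz."""
    lo = lo_frequency(center_mhz, if_mhz)
    return center_mhz + alias(lo - center_mhz, samp_rate_mhz)

def lo_harmonic_conflicts(center_mhz, samp_rate_mhz, if_mhz=IF_MHZ, max_harmonic=4):
    """Rule from the crosstalk note: a harmonic n*LO closer than half the baseband bandwidth
    to RF or to IF produces a bad spur. Returns the offending (n, 'RF'|'IF') pairs."""
    lo = lo_frequency(center_mhz, if_mhz)
    half_bw = samp_rate_mhz / 2.0
    hits = []
    for n in range(1, max_harmonic + 1):
        if abs(n * lo - center_mhz) < half_bw:
            hits.append((n, "RF"))
        if abs(n * lo - if_mhz) < half_bw:
            hits.append((n, "IF"))
    return hits

if __name__ == "__main__":
    for fs in (20, 8, 10):
        # 1283.0 at 20 Msps, 1275.0 at 8 Msps, 1273.0 at 10 Msps, matching the page
        print(fs, "Msps: spur at", spur_location(1277, fs), "MHz",
              "conflicts:", lo_harmonic_conflicts(1277, fs))
```

At 20 Msps the fundamental LO (1283 MHz) falls within 10 MHz of RF and its second harmonic (2566 MHz) within 10 MHz of the 2560 MHz IF, so both rules of the crosstalk note fire; at 8 or 10 Msps neither is within the narrower half-bandwidth, which is why the MAX2837 filter can remove the spur.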

1. Pingback: HackRF One in China | xfossdotcom

2. The gqrx I had installed before worked fine. After installing with that one-click install script, gqrx no longer runs and reports: gqrx: error while loading shared libraries: libgnuradio-audio.so.3.7.2.1: cannot open shared object file: No such file or directory. But the libgnuradio-audio.so present under /usr/local/lib/ is version 3.7.3. How do I solve this?

3. Remember that the data hackrf_transfer outputs is signed... I forgot that the article here said it was unsigned...

4. This script fails to install GNU Radio and doesn't say why it failed. At the end it prints: This script will fetch Gnu Radio version 3.7/maint from the repositories, along with compatible extras. Is this OK? OK, and then nothing else happens.