WEBVTT

00:00:00.110 --> 00:00:17.690
<i>35C3 preroll music</i>


00:00:17.690 --> 00:00:20.040
Friederike: I will give you
a short introduction to

00:00:20.040 --> 00:00:25.279
software defined radio. So some basics
about this technology and some modulation

00:00:25.279 --> 00:00:34.289
technology which your also always need if
you want to transmit something. First of

00:00:34.289 --> 00:00:39.590
all before we come to the software defined
radio let's first have a look about what

00:00:39.590 --> 00:00:44.890
generally happens in a radio transmission,
so the parts you always need to get

00:00:44.890 --> 00:00:51.039
something over the air. Normally you have
some input signal you want to transmit, an

00:00:51.039 --> 00:00:59.629
audio signal, a radio for example, a video
signal or just any data. Then you do some

00:00:59.629 --> 00:01:06.570
compression. Mostly you do this if you
have some digital stuff in analog. You

00:01:06.570 --> 00:01:11.579
don't do this so much, some error
correction, modulation and then the

00:01:11.579 --> 00:01:17.140
frequency assignment to the frequency you
want to use for the transmission.

00:01:17.140 --> 00:01:24.940
Then you have a radio channel. Sometimes
you have mobility if you move. You have a

00:01:24.940 --> 00:01:30.810
multi-path propagation. You always have
some noise added and often there are also

00:01:30.810 --> 00:01:36.420
like other signals in the air which also
share the channel. And then at the other

00:01:36.420 --> 00:01:42.080
side it goes the other way round. You get
the demodulation, error correction if

00:01:42.080 --> 00:01:49.540
there are errors and the decompression and
hopefully outcomes here original audio or

00:01:49.540 --> 00:01:57.810
video signal or the data you had
transmitted. A bit to the frequency

00:01:57.810 --> 00:02:05.049
assignment: there are frequency plans.
Here you can see a frequency plan of the

00:02:05.049 --> 00:02:11.400
US. They had a nice chart like this here
for example you can see the frequency band

00:02:11.400 --> 00:02:20.040
from 88 to 108 megahertz then some
aeronautical services and other stuff at

00:02:20.040 --> 00:02:26.250
the other frequencies for Europe. They
have a really huge table. You can find it

00:02:26.250 --> 00:02:34.720
on the website of the ECO - the European
Communications Office. Yeah it's quite

00:02:34.720 --> 00:02:40.349
large. But if you want to look what's
probably on this frequency in the air you

00:02:40.349 --> 00:02:51.439
can have a look there. So now let's start
with a not software defined radio to get a

00:02:51.439 --> 00:02:58.069
bit more used to the principles. What does
happen there. Here's for example an old AM

00:02:58.069 --> 00:03:02.240
receiver in this on this side. So we get
the signal in the air, the AM

00:03:02.240 --> 00:03:06.969
transmission. There are still some but
they are actually switched off at the

00:03:06.969 --> 00:03:16.419
moment. Here now we have a superheterodyne
receiver, it's called like this. So what

00:03:16.419 --> 00:03:22.099
we have, we have where is my mouse, here
is my mouse. So we have here at the

00:03:22.099 --> 00:03:28.450
antenna, here is the antenna, we have our
signal S1. That's the signal we want to

00:03:28.450 --> 00:03:35.010
receive. Then we have some filtering to
get rid of all the other signals which are

00:03:35.010 --> 00:03:44.190
farther away.
Then we have our mixer here. So the LO

00:03:44.190 --> 00:03:50.640
frequency of this mixer, like the local
oscillator frequency here, is always

00:03:50.640 --> 00:03:57.310
chosen in the way that the wanted signal
always falls in the same intermediate

00:03:57.310 --> 00:04:05.170
frequency. With this you can have a very
sharp filter here. The IF filter. So at

00:04:05.170 --> 00:04:11.620
your IF fillter output you only get the
wanted signal which then, after the

00:04:11.620 --> 00:04:18.130
filtering, again some amplification, goes
to the demodulator and in the case of AM

00:04:18.130 --> 00:04:26.720
now all your information is actually in
the amplitude of the signal. So for

00:04:26.720 --> 00:04:32.530
decoding and listening the easiest way
would be just an envelope detector which

00:04:32.530 --> 00:04:38.190
could look like this. You have a diode
which actually puts the negative part of

00:04:38.190 --> 00:04:44.530
the signal to the positive side. And then
here we just use a low pass to get rid of

00:04:44.530 --> 00:04:50.830
the intermediate frequency which you can
still see here. And afterwards you can

00:04:50.830 --> 00:04:57.440
just listen to your audio signal. So in
the case of software defined radio we stay

00:04:57.440 --> 00:05:05.570
to the to the RX front end in these
examples. The TX path would be nearly

00:05:05.570 --> 00:05:13.280
similar the other way around. So again, we
have the antenna. Antennas are also really

00:05:13.280 --> 00:05:21.010
important. Always take a good well adapted
antenna to the frequency you want to

00:05:21.010 --> 00:05:26.330
receive or the frequency you want to
transmit, because otherwise you won't get

00:05:26.330 --> 00:05:34.450
any signal out of the air or only a very
low part of the signal. I gave a talk on

00:05:34.450 --> 00:05:42.110
antennas at 31C3. So if you're interested
in antennas you can have a look on

00:05:42.110 --> 00:05:52.780
media.ccc.de. Then again we again have
some filteirng, an amplifier, and now we

00:05:52.780 --> 00:05:59.680
have an IQ mixer.
Here you can see it actually consists of

00:05:59.680 --> 00:06:05.800
two mixers and this local oscillator
signal is shifted by 90 degrees to the

00:06:05.800 --> 00:06:14.350
lower part here of our signal. Then again
some filtering, amplification and then we

00:06:14.350 --> 00:06:24.480
get the analog to digital converters here
to get our IQ signal then to the computer

00:06:24.480 --> 00:06:32.240
for decoding and software.
We still have actually a big analog part

00:06:32.240 --> 00:06:38.620
here. So most of the front end is still an
analog and the digital part actually is

00:06:38.620 --> 00:06:44.440
only this after the analog to digital
converter. In this case of a classical

00:06:44.440 --> 00:06:54.070
software defined radio front end. IQ data
are pretty cool, they contain actually the

00:06:54.070 --> 00:07:02.880
raw signal that is coming out of the air.
You could also record the raw signal. It's

00:07:02.880 --> 00:07:11.470
fastly getting huge. And for example do
then the demodulation later. If you put

00:07:11.470 --> 00:07:18.280
those IQ signals on a coordinate plane,
which you can see here on the right side,

00:07:18.280 --> 00:07:24.250
you can see also the phase shift of 90
degrees between the I, which is the

00:07:24.250 --> 00:07:32.220
inphase component, and the Q which is the
quadrature component of the signal. If you

00:07:32.220 --> 00:07:44.590
assigns some numbers, we can also combine
them with a vector. We can use Pythagoras

00:07:44.590 --> 00:07:49.780
for example to get the amplitude of the
resulting vector, we can do some

00:07:49.780 --> 00:07:57.330
trigonometry to get the angle.
Actually those two parameters like the

00:07:57.330 --> 00:08:04.270
angle and the amplitude are the main
parameters you can put information in. So

00:08:04.270 --> 00:08:09.460
in the example before, like the AM
modulation, you only use actually the

00:08:09.460 --> 00:08:15.740
amplitude of the signal. In contrast to
this an FM modulation for example has a

00:08:15.740 --> 00:08:21.590
constant amplitude and all the information
is put to the to the phase or the

00:08:21.590 --> 00:08:28.640
frequency. So no matter what kind of
modulation is used, these IQ data actually

00:08:28.640 --> 00:08:34.419
contain all the necessary information. A
nice example of a modulation which is

00:08:34.419 --> 00:08:40.578
often used nowadays and that also uses
both of those parameters is the QAM

00:08:40.578 --> 00:08:48.660
modulation. OK, I already told this. The
QAM modulation here for example is a

00:08:48.660 --> 00:08:54.650
constellation diagram out of the program
GNURadio.

00:08:54.650 --> 00:08:59.500
Oh it's a bit shifted everything, doesn't
matter. So here again we have our inphase

00:08:59.500 --> 00:09:07.310
component on the x axis and the quadrature
component on the vertical axis with the

00:09:07.310 --> 00:09:14.160
4-QAM we have four symbols, so we can put
in two bits per symbol. A 16-QAM for

00:09:14.160 --> 00:09:23.290
example you can put in four bits per
symbol. If we go further, 64-QAM we can

00:09:23.290 --> 00:09:32.140
put in six bits per symbol. This for
example is used in DVB-T or DAB like

00:09:32.140 --> 00:09:45.839
broadcasting systems or in Wi-Fi 802.11n
uses up to 64-QAM. LTE also uses up to

00:09:45.839 --> 00:09:57.161
64-QAM. When we go for father 802.11ac
uses 256-QAM, so even more dots. You can

00:09:57.161 --> 00:10:07.089
put in eight bits then per symbol and so
does LTE Advanced and so the more data you

00:10:07.089 --> 00:10:19.310
want to transmit, the more symbols you
need. 802.11ax uses up to ten 1024-QAM

00:10:19.310 --> 00:10:26.709
with 10 bits per symbol. And so does
successor of 4G like the 5G New Radio also

00:10:26.709 --> 00:10:37.720
uses up to 1024-QAM. Becomes interesting
when we add some noise.

00:10:37.720 --> 00:10:43.100
So you always, as I told you, always got
the channel you always got noise. This is

00:10:43.100 --> 00:10:48.709
what happens if we add some noise to the
64-QAM. You could still like estimate

00:10:48.709 --> 00:10:56.699
where the original symbol would be. This
becomes even more difficult if we go to

00:10:56.699 --> 00:11:06.540
the 1024-QAM. That's also why those
broadband systems always use an adaptive

00:11:06.540 --> 00:11:11.820
modulation like within the first data
exchange they communicate about the

00:11:11.820 --> 00:11:18.249
quality of the signal and only if you get
a really good signal level at the

00:11:18.249 --> 00:11:24.739
receiver, you choose the highest order
modulation. Otherwise it ramped down to

00:11:24.739 --> 00:11:30.129
lower orders. So these high order
modulations only work with really good

00:11:30.129 --> 00:11:41.600
signal levels. So let's go back to the IQ
data. Those IQ data are closely related to

00:11:41.600 --> 00:11:52.040
complex numbers. So to get the complex
number let's add some imaginary unit j. So

00:11:52.040 --> 00:12:01.390
we get our complex number actually a C = I
+ j * Q which are again our inphase and

00:12:01.390 --> 00:12:08.120
quadrature component.
So a complex number you can write them in

00:12:08.120 --> 00:12:12.490
the Cartesian form which I
showed. The mostly often used form is

00:12:12.490 --> 00:12:21.799
actually the polar form where are we add
Euler's number. So it becomes like C quals

00:12:21.799 --> 00:12:28.540
a multiplied by e, Euler's number, to the
power of j * phi which is our phase here

00:12:28.540 --> 00:12:40.240
again. So in this case like our real axis,
the inphase axis here becomes our real

00:12:40.240 --> 00:12:52.990
axis and the Q axis becomes our imaginary
axis. This property of this polar form,

00:12:52.990 --> 00:13:01.080
which is often needed in digital signal
processing, is the multiplication. Like if

00:13:01.080 --> 00:13:13.779
you multiply two polar formed complex
numbers this ends up in an addition of the

00:13:13.779 --> 00:13:18.600
elevated parts here. And this is often
used for example in Fourier

00:13:18.600 --> 00:13:24.990
transformations or if you mix signals to
get them from one frequency to the other.

00:13:24.990 --> 00:13:29.820
One this later it looks quite complex but
it's really worth using it at the end.

00:13:29.820 --> 00:13:38.889
So um the first step in the software
defined radio is then to get the right

00:13:38.889 --> 00:13:44.100
parts of the signal through the front end,
because if you don't get your IQ data

00:13:44.100 --> 00:13:51.420
actually properly, afterwards decoding in
software becomes very very difficult or

00:13:51.420 --> 00:13:58.019
even impossible. So let's have a look at
the different parts of our software

00:13:58.019 --> 00:14:05.970
defined receiver. After the antenna,
filtering and amplifier, we have this IQ

00:14:05.970 --> 00:14:14.279
mixer. To keep it a bit more simple for
now we just skip the IQ part and have a

00:14:14.279 --> 00:14:22.220
look what a mixer in general is doing. To
get the signal from the transmitted

00:14:22.220 --> 00:14:27.769
frequency to the IF, to the intermediate
frequency, it is multiplied with an LO

00:14:27.769 --> 00:14:33.790
signal and then filtered. This
multiplication actually ends up here in an

00:14:33.790 --> 00:14:42.059
addition. Here this higher part and in a
subtraction of the two frequencies we put

00:14:42.059 --> 00:14:49.839
in here. And with the filter we actually
get rid of of the higher part here. The

00:14:49.839 --> 00:14:57.509
mixer defines the frequency range the SDL
front end is working on. For example there

00:14:57.509 --> 00:15:06.389
are those quite cheap RTL SDR USB sticks
which were originally made for DVB-T

00:15:06.389 --> 00:15:14.370
reception. They work for example from 24
megahertz up to 1766 megahertz.

00:15:14.370 --> 00:15:24.769
Then there's the HackRF, which is also an
often used SDR font end, works from 1 MHz

00:15:24.769 --> 00:15:35.279
up to 6 GHz. And the radio badge from the
CCC camp 2015 works from 50 MHz up to 4

00:15:35.279 --> 00:15:43.930
GHz. As I told, the mixer here is a bit
simplified. Here is for example the the

00:15:43.930 --> 00:15:57.209
mixer chipset of the HackRF. Here you can
see the IQ mixing part here.

00:15:57.209 --> 00:16:02.869
Next step then, after again some filtering
amplification is the analog to digital

00:16:02.869 --> 00:16:11.269
converter. We get the analog signal in
here. And what the computer actually needs

00:16:11.269 --> 00:16:18.240
are samples of the signal. So they have to
be taken at dedicated times t here. We get

00:16:18.240 --> 00:16:24.519
the sampling rate here: 1 divided by T.
This sampling rate must comply with the

00:16:24.519 --> 00:16:29.769
Nyquist Shannon sampling theorem.
Otherwise your signal can't be

00:16:29.769 --> 00:16:36.139
reconstructed properly. You get effects
like aliasing where you have frequencies

00:16:36.139 --> 00:16:45.939
that actually are not there, but are
caused by the undersampling of the signal

00:16:45.939 --> 00:16:53.550
and for complying this Nyquist Shannon
theorem, like the the bandwidth of your

00:16:53.550 --> 00:16:58.759
signal, of the signal you want to
digitize, has to be smaller than one

00:16:58.759 --> 00:17:13.609
divided by 2*T. Here an example of an DAB+
signal. DAB+ is nice because it always has

00:17:13.609 --> 00:17:22.520
a bandwidth of 1.5 MHz, it has quite sharp
edges because it uses an OFDM modulation.

00:17:22.520 --> 00:17:34.680
This here was received with an RTL SDR
DAB/DVB-T stick, with the software Gqrx

00:17:34.680 --> 00:17:41.450
which has a maximum sampling rate of 3.2
MHz. So let's check for Nyquist. We have

00:17:41.450 --> 00:17:49.410
our bandwidth of 1.5 MHz, we have the
sampling rate of 3.2 MHz. So 1 divided by

00:17:49.410 --> 00:18:02.050
2*T is 1.6 MHz and 1.5 MHz is smaller than
1.6 MHz. Great! We can receive a DAB+

00:18:02.050 --> 00:18:15.280
signal with a DAB receiver. You might ask
now, this is also for the DVB-T reception

00:18:15.280 --> 00:18:22.340
which has a bandwidth of 8 MHz. So you
would need a sampling rate of 60 MHz to

00:18:22.340 --> 00:18:28.890
receive or to digitize this. That's
actually a nice example of the usage of

00:18:28.890 --> 00:18:37.930
SDR in comparison to dedicated chipsets.
So DVB-T here doesn't use the SDR mode of

00:18:37.930 --> 00:18:46.210
this chipset, but it has a dedicated DVB-T
chipset in here. So chipset development is

00:18:46.210 --> 00:18:52.830
quite expensive, but if there is a mass
market and for television there is a mass

00:18:52.830 --> 00:19:00.170
market, they can be produced very cheap.
So actually the SDR mode was probably

00:19:00.170 --> 00:19:08.550
added for the DAB reception. Also with the
growing bandwidth the power consumption of

00:19:08.550 --> 00:19:15.640
the SDR mode becomes quite high, because
you have always to digitize the whole

00:19:15.640 --> 00:19:20.950
bandwidth of your signal.
So if it comes for example to LTE with 20

00:19:20.950 --> 00:19:31.640
or 40 MHz bandwidth this becomes quite
relevant. OK, we can get the DAB signal

00:19:31.640 --> 00:19:36.370
here.
The next relevant parameter here is the

00:19:36.370 --> 00:19:44.430
resolution of the ADC. With a 3 bit
resolution for example you would get 8

00:19:44.430 --> 00:19:53.640
discrete values from your signal. With an
8 bit resolution you get 256 values. With

00:19:53.640 --> 00:20:02.670
60 bit you get a lot of values and those
parts of the step here, you can see for

00:20:02.670 --> 00:20:11.560
example the 3 bit resolution and the 6 bit
resolution of a sine signal and all those

00:20:11.560 --> 00:20:18.260
parts of the steps, of the 3 bit
resolution, actually end up in noise,

00:20:18.260 --> 00:20:25.020
which is called quantization noise.
Here for example you see the spectral view

00:20:25.020 --> 00:20:31.480
of the signal. The first one with a 6 bit
resolution. You can see the noise floor

00:20:31.480 --> 00:20:41.970
here at -68 dB and below with the 8 bit
resolution, the noise floor falls down by

00:20:41.970 --> 00:20:52.200
12 dB. So we get a noise floor down at -80
dB. What we also see here is actually here

00:20:52.200 --> 00:21:03.520
are some examples. The RTL SDR has two 8
bit ADCs, the HackRF and the Rad1o have a

00:21:03.520 --> 00:21:11.450
dual 8 bit receive ADCs and, as they are
also transmitting purposes, they have a

00:21:11.450 --> 00:21:19.520
dual 10 bit transmit DAC, so the other way
round to get your digital signal in the

00:21:19.520 --> 00:21:28.400
analog domain again. The RTL SDR is only
for receiving purposes.

00:21:28.400 --> 00:21:32.880
What we also see here is on the right
side, we get our signal in the time

00:21:32.880 --> 00:21:40.990
domain, on the left side we get the
frequency domain. So how do we get the

00:21:40.990 --> 00:21:49.460
frequency view of our signal? Here for
example in the form of a spectral view and

00:21:49.460 --> 00:22:03.470
down here is this with a nice colors, this
part is called a waterfall diagram. Here

00:22:03.470 --> 00:22:09.560
in the spectrum view we see the level of
our signal components over the frequency

00:22:09.560 --> 00:22:18.860
and the waterfall diagram then shows the
different levels and different colors

00:22:18.860 --> 00:22:26.010
plotted over the time here.
So how do we get the frequency view of our

00:22:26.010 --> 00:22:34.680
signal? Actually uh we use a Fourier
transformation to convert the time the

00:22:34.680 --> 00:22:42.260
main signal into the frequency domain.
Wikipedia actually had a nice animation

00:22:42.260 --> 00:22:49.710
about this in public domain, so we have a
square wave signal which is a linear

00:22:49.710 --> 00:22:55.590
combination of sines of different
frequencies here in blue. And the

00:22:55.590 --> 00:23:01.970
component frequencies of these sines then
are spread across the frequency spectrum

00:23:01.970 --> 00:23:07.030
and they are represented here as peaks in
the frequency domain.

00:23:07.030 --> 00:23:13.900
So mathematically this looks like this:
here we get the different components, the

00:23:13.900 --> 00:23:20.700
sine components of our square wave signal.
For the sake of simplicity, we just skip

00:23:20.700 --> 00:23:27.880
the harmonics here, just take the sine
signal, calculate the Fourier

00:23:27.880 --> 00:23:36.240
transformation which is an integral of our
function. The sine signal here multiplied

00:23:36.240 --> 00:23:48.810
by e^(-j<i>2</i>pi<i>f</i>t) and integrated over t.
We also use again the polar form here,

00:23:48.810 --> 00:23:59.170
which then ends up in a multiplication of
these components and the integral of this

00:23:59.170 --> 00:24:10.770
multiplication then ends up in delta
impulses at a frequency here of a and -a

00:24:10.770 --> 00:24:16.620
and we still have half of an inverse
imaginary unit here.

00:24:16.620 --> 00:24:25.160
If we have a look at the Fourier transform
of a complex constant wave signal, this

00:24:25.160 --> 00:24:35.600
actually simplifies to 1 delta impulse
here at the frequency of a. For practical

00:24:35.600 --> 00:24:43.960
purposes um computational purposes we use
a DFT, like a discrete Fourier

00:24:43.960 --> 00:24:55.170
transformation, so the integral ends up in
a summation of the signal components. And

00:24:55.170 --> 00:24:59.860
actually normally we use a fast Fourier
transformation which you also see in all

00:24:59.860 --> 00:25:09.530
the software, which is actually an
algorithm to efficiently calculate a DFT.

00:25:09.530 --> 00:25:16.921
So let's have a view again at the DAB
signal here with the Gqrx software. We

00:25:16.921 --> 00:25:23.100
have the waterfall view and because it's a
bit small, no here it's actually quite

00:25:23.100 --> 00:25:32.851
seen. Yeah it's a bit bigger. So on the
left side we have an FFT size of 32768 and

00:25:32.851 --> 00:25:41.890
on the right side an FFT size of 512 and
actually with the FFT length you define

00:25:41.890 --> 00:25:47.851
afterwards the resolution of the bandwidth
of the spectrum. So you can see here, it's

00:25:47.851 --> 00:25:58.110
much more coarser than with a higher radio
resolution bandwidth here on the left

00:25:58.110 --> 00:26:04.680
side.
Then the sliders down here, you can find

00:26:04.680 --> 00:26:14.100
those sliders and stuff here in the FTT
settings of Gqrx if you want to have a

00:26:14.100 --> 00:26:20.280
look at this software. The sliders here
down, I also have them a bit bigger here

00:26:20.280 --> 00:26:26.040
you can define the reference level. So if
you have a very low signal, you have to

00:26:26.040 --> 00:26:35.330
put it a bit down. And also the, range
like the range you see your signal. If you

00:26:35.330 --> 00:26:40.340
have a high dynamic signal, you need a
large range to see all the parts of the

00:26:40.340 --> 00:26:47.540
signal. If you have a very very low signal
power you need to switch it down to a

00:26:47.540 --> 00:26:57.490
smaller range to actually see anything of
your signal.

00:26:57.490 --> 00:27:03.190
So the possibility is actually to
efficiently calculate an FFT or IFFT, like

00:27:03.190 --> 00:27:09.230
the inverse Fourier transformation, also
gave the possibility to a wider use of

00:27:09.230 --> 00:27:15.360
multi carrier modulation methods as OFDM
here, orthogonal frequency division

00:27:15.360 --> 00:27:20.410
multiplex.
Nowadays this is often used in mobile

00:27:20.410 --> 00:27:27.270
communication systems such as LTE due to
its resistance to the effects of the

00:27:27.270 --> 00:27:34.220
propagation channel. For example multi-
path propagation um often causes

00:27:34.220 --> 00:27:46.420
destructive interferences so some of your
carriers actually are in an destructive

00:27:46.420 --> 00:27:53.100
interference part, so they are actually
attenuated a lot.

00:27:53.100 --> 00:27:58.990
And if you if you distribute your
information over several carriers, you

00:27:58.990 --> 00:28:06.040
still have the chance to receive some of
the carriers and then you can afterwards

00:28:06.040 --> 00:28:11.980
use some error correction mechanisms to
repair actually the data and get something

00:28:11.980 --> 00:28:20.830
out of the data. And so here the FFT or in
the TX case, in the the transmission case,

00:28:20.830 --> 00:28:31.000
an inverse FFT is used actually to
distribute the, for example the QAM data

00:28:31.000 --> 00:28:40.020
to the different frequencies to the
different carriers. Then it's again the

00:28:40.020 --> 00:28:52.220
regular IQ mixer and in the case of the
reception we use the FFT to get the

00:28:52.220 --> 00:29:01.780
symbols, the QAM symbols for example, out
of our different carriers. Here again you

00:29:01.780 --> 00:29:15.090
see I like DAB, again the DAB signal. Here
we have a DAB uses 1536 subcarriers and

00:29:15.090 --> 00:29:21.760
the number of subcarriers here actually is
also always a compromise of how close your

00:29:21.760 --> 00:29:28.270
subcarriers are, which defines how much
Doppler shifts, in case of mobile

00:29:28.270 --> 00:29:35.870
reception, your system is capable to scope
with and on the other hand it defines how

00:29:35.870 --> 00:29:44.110
long your signal is in the air. So the
more carrier you have the longer your

00:29:44.110 --> 00:29:52.230
signal is and that has an effect on how
much delay your signal can scope with.

00:29:52.230 --> 00:30:01.560
Additionall, often there is a guard
interval added to the symbol to scope with

00:30:01.560 --> 00:30:08.120
more delays, for example DAB is a
broadcasting system with a capability of

00:30:08.120 --> 00:30:13.380
single frequency networks, so you can run
different transmitters on the same

00:30:13.380 --> 00:30:20.220
frequency with the same program but
especially in the overlapping areas this

00:30:20.220 --> 00:30:26.600
results in very large delays So that's why
the broadcasting system has very much

00:30:26.600 --> 00:30:39.820
carriers. LTE in contrast only has in the
downlink with a 10 MHz bandwidth 601

00:30:39.820 --> 00:30:50.470
carriers, in the uplink 600. And 802.11ac
for example with 40 MHz bandwidth has 128

00:30:50.470 --> 00:30:57.420
carriers.
So now let's come back from this quite

00:30:57.420 --> 00:31:03.820
complex world of software defined radio to
the real world. So what SDR actually

00:31:03.820 --> 00:31:09.670
brings are quite cheap and flexible
solutions of formerly very expensive

00:31:09.670 --> 00:31:17.050
technology. That's why it's actually often
used in academia are also for prototyping

00:31:17.050 --> 00:31:25.740
purposes. But there's also a quite big
community developing open source software

00:31:25.740 --> 00:31:31.510
for software defined radio. I want to show
you now like two examples where those SDR

00:31:31.510 --> 00:31:40.540
technologies facilitated community driven
projects. One is digital radio which goes

00:31:40.540 --> 00:31:49.480
digital in Switzerland or Community Radio
goes digital In Switzerland. Like

00:31:49.480 --> 00:31:54.750
digitizing local community radio has
actually long been a problem, community

00:31:54.750 --> 00:32:00.170
radios are a non-profit making media
produced by a local community and serving

00:32:00.170 --> 00:32:05.160
a local community.
There's also one here in Leipzig which are

00:32:05.160 --> 00:32:10.200
also doing a program from the Congress
here. I think they are actually starting

00:32:10.200 --> 00:32:17.870
now for I think for 3 hours today. It's
called Fairydust.FM, so if you want to

00:32:17.870 --> 00:32:28.660
listen you can look at the wiki where to
receive them. They mostly do not have a

00:32:28.660 --> 00:32:35.321
huge budget for running a radio. The
development was facilitated by a low

00:32:35.321 --> 00:32:39.660
threshold cheap transmitter. So FM
transmitters are really cheap now or they

00:32:39.660 --> 00:32:48.710
can be built. With DAB now, digital audio
broadcast, the possibilities of running

00:32:48.710 --> 00:32:54.170
your own cheap transmitter became quite
difficult for a long long time. DAB was

00:32:54.170 --> 00:32:59.280
developed by the big broadcasting
corporations like BBC or the German public

00:32:59.280 --> 00:33:03.630
media.
And it's actually adapted to their needs.

00:33:03.630 --> 00:33:08.770
You can put in a lot of programs in
multiplexes, you can run huge single

00:33:08.770 --> 00:33:15.680
frequency networks. There is a national
SFN in Germany for example. Local

00:33:15.680 --> 00:33:22.640
community radios, so does local commercial
radios, need more like flexible cheap

00:33:22.640 --> 00:33:32.950
radio transmission. So you might argue
that digital radio isn't relevant anymore

00:33:32.950 --> 00:33:40.020
but actually there are countries that
start to switch off FM and only streaming

00:33:40.020 --> 00:33:46.140
through the Internet is also not an
appropriate solution. So what happened

00:33:46.140 --> 00:33:51.440
some years ago was, that people started to
write open source DAB SDR software to

00:33:51.440 --> 00:33:57.020
build up quite cheap DAB transmitters. You
can find the software here on

00:33:57.020 --> 00:34:04.500
opendigitalradio.org. They have this nice
penguin with a transmission tower as a

00:34:04.500 --> 00:34:14.230
logo and in Switzerland the FM switch-off
is set to 2024. So it's quite coming

00:34:14.230 --> 00:34:21.049
closer and a lot of communities are
already on the digital airwaves there with

00:34:21.049 --> 00:34:29.639
this solution of software defined radio
based transmitter technologies.

00:34:29.639 --> 00:34:35.770
The UK is also on the way to switch off FM
and there the Ofcom actually recently

00:34:35.770 --> 00:34:42.169
started a survey about the demand for
small scale DAB. Also based on this SDR

00:34:42.169 --> 00:34:51.429
solution which makes it affordable to
community radios. Another example is

00:34:51.429 --> 00:34:59.079
community-driven cellular telephone
telephony. In remote areas, for example in

00:34:59.079 --> 00:35:05.309
Mexico and probably in a lot of more
countries, often there is no cellular

00:35:05.309 --> 00:35:10.079
network connection at all as it's just not
a good business for mobile broadband

00:35:10.079 --> 00:35:19.390
providers if you have only a few hundred
clients to use it or customers who pay for

00:35:19.390 --> 00:35:24.930
it. I was some years ago in the south of
Mexico for an article about the first

00:35:24.930 --> 00:35:30.459
community driven cellular network which
was also built on open source SDR

00:35:30.459 --> 00:35:39.250
technology like OpenBSC and OpenBTS which
made it then quite affordable for the

00:35:39.250 --> 00:35:47.750
communities there. Today this "association
telecommunications <i>inaudible</i> comunitarias" has

00:35:47.750 --> 00:35:54.779
a license to run autonomous telephone
networks in different parts of Mexico as

00:35:54.779 --> 00:35:59.809
Chapels (<i>inaudible</i> Mexican region), Vera Cruz
and Puebla and nowadays they are already

00:35:59.809 --> 00:36:06.440
running nearly 20 cellular networks there
and they also do a lot of trainings and

00:36:06.440 --> 00:36:16.829
write a lot of manuals. So if you want to
learn how to run your own GSM networks,

00:36:16.829 --> 00:36:24.210
they are actually only, you can have a
look on their site. So these are only two

00:36:24.210 --> 00:36:33.669
examples of projects where SDR facilitated
low budget communication, so you might

00:36:33.669 --> 00:36:43.589
ask, if you now want to have a look on SDR
yourself, where to start. So for radio

00:36:43.589 --> 00:36:49.599
reception this cheap RTL SDR USB sticks
are your friend.

00:36:49.599 --> 00:36:58.400
They cost around 10 to 20 euros depending
on where you get it. And there's software

00:36:58.400 --> 00:37:06.730
like this Gqrx, which I already had a lot
of examples in my slides, which runs on

00:37:06.730 --> 00:37:15.119
Linux and Mac. Here's an example of Gqrx
for FM reception for example. It has also

00:37:15.119 --> 00:37:23.769
an built-in FM decoder, so you can really
listen to FM radio. There are also AM

00:37:23.769 --> 00:37:32.610
decoder and some others also. You can also
dump the IQ data with this Gqrx for

00:37:32.610 --> 00:37:43.210
decoding it later. There's also software
for Windows like SDR# or HSDR or WinSDR.

00:37:43.210 --> 00:37:50.220
Always keep in mind that listening to non-
public broadcasts is forbidden! The next

00:37:50.220 --> 00:37:59.260
level then would be GNURadio, I already
showed in between the talk plots from

00:37:59.260 --> 00:38:07.279
GNURadio, like the constellation plots of
QAM modulation. GNURadio actually offers a

00:38:07.279 --> 00:38:13.690
very large framework for software defined
radio functions. Also to build your own

00:38:13.690 --> 00:38:21.430
applications. There are sources. For
example here is a source where you can

00:38:21.430 --> 00:38:29.670
connect your RTL SDR USB stick, define
here the sampling rate, the frequency and

00:38:29.670 --> 00:38:36.339
different and other stuff here. Then you
have a lot of function here, for example

00:38:36.339 --> 00:38:43.619
the FM demodulation, you have a spectrum
viewer, here the FFT sink, different

00:38:43.619 --> 00:38:50.970
resamplers and then you have different
sinks here. You you connect it to your

00:38:50.970 --> 00:38:58.759
sound card with the audio sink and in this
case listen to FM radio. You can also

00:38:58.759 --> 00:39:08.319
define a sink to connect your HackRF to
transmit something. You can also write

00:39:08.319 --> 00:39:14.519
your own functions. So it's quite easy in
this graphical front, the GNU Radio

00:39:14.519 --> 00:39:22.380
Companion to add own functions.
There are many tutorials also in the

00:39:22.380 --> 00:39:29.829
Internet and very active community and
it's also very often used in academia. So

00:39:29.829 --> 00:39:34.950
if you are perhaps studying or are
planning to study, there are very often

00:39:34.950 --> 00:39:41.410
projects around GNURadio which you can
work on if you're interested. There is

00:39:41.410 --> 00:39:48.400
also a lot of different SDR hardware
available. So the HackRF I already

00:39:48.400 --> 00:39:53.670
mentioned, the Rad1o badge from the CCC
camp. So if you don't have one, you can

00:39:53.670 --> 00:40:01.030
ask around perhaps someone still have one
lying around. There are more expensive

00:40:01.030 --> 00:40:06.829
ones, which then have for example better
resolutions, the ADCs, DACs have better

00:40:06.829 --> 00:40:12.460
resolutions.
Um there is the USRP family which is much

00:40:12.460 --> 00:40:21.239
more expensive but, yeah you can do a lot
more with this and it's also very often

00:40:21.239 --> 00:40:30.020
used in academia. I also knew it from my
time I worked at the university. So

00:40:30.020 --> 00:40:34.170
further information, if you are now
becoming really interesting, there are

00:40:34.170 --> 00:40:39.900
lots of massive open online courses. For
example I saw one from the University of

00:40:39.900 --> 00:40:48.059
Madrid but in English. So there are video
tutorials for example from the makers of

00:40:48.059 --> 00:40:55.099
the HackRF at their website. There also
nice, free available books on SDR by

00:40:55.099 --> 00:41:03.109
Analog Devices for example, if you look
for "SDR4 engineers". And if you are now

00:41:03.109 --> 00:41:13.799
here, there is an SDR challenge at the
congress. They have a table in Hall 3 in

00:41:13.799 --> 00:41:20.339
the wastelands there. If we have a look at
the small brand(???) so there are various

00:41:20.339 --> 00:41:26.730
different SDR challenges from quite easy
to difficult. There's a game server to

00:41:26.730 --> 00:41:32.679
claim your flag in a team and if you don't
have an SDR you can borrow one, like these

00:41:32.679 --> 00:41:39.970
RTLS SDR sticks, for a deposit and there
also if you don't like all this GNURadio

00:41:39.970 --> 00:41:48.220
stuff, there are also Bluetooth
challenges. So thanks for your attention.

00:41:48.220 --> 00:41:52.360
And feel free to ask questions if you
want!

00:41:52.360 --> 00:42:01.770
<i>Applause</i>

00:42:01.770 --> 00:42:03.590
Herald: Thank you. We have at least 15

00:42:03.590 --> 00:42:08.799
minutes left for Q and A. So walk to a
microphone and let's see what you got

00:42:08.799 --> 00:42:21.230
questionwise. OK, microphone number five.
Question: Yeah. You mentioned that

00:42:21.230 --> 00:42:29.240
listening to a non-public broadcast is
forbidden. What's your basis for this.

00:42:29.240 --> 00:42:37.559
Because if I recall correctly the European
Convention of Human Rights has an article

00:42:37.559 --> 00:42:43.640
about being free to conduct journalism.
And there was a claim that journalism

00:42:43.640 --> 00:42:49.989
includes just listening to the entire FM
spectrum.

00:42:49.989 --> 00:42:54.830
Answer: Yeah. The FM spectrum is public so
there's no problem. But there are other

00:42:54.830 --> 00:43:00.170
services like that are not encrypted
because in former times this technology

00:43:00.170 --> 00:43:09.049
just wasn't available or affordable for
normal persons. So nowadays you have much

00:43:09.049 --> 00:43:14.630
more possibilities to receive other
frequencies for example quite easily which

00:43:14.630 --> 00:43:19.089
are not public. And so it's forbidden to
listen to them actually.

00:43:19.089 --> 00:43:27.040
Q: Yeah but by what? Is there a law?
A: The law? Oh I'm not a lawyer so I don't

00:43:27.040 --> 00:43:33.379
know exactly what law it is.
Q: Okay.

00:43:33.379 --> 00:43:40.869
H: Okay, any other questions? Does the
Internet have questions by now? If you

00:43:40.869 --> 00:43:45.210
have a question by the way just go to a
microphone.

00:43:45.210 --> 00:43:50.069
Signal: The Internet doesn't have any
questions but MCR of open digital radio

00:43:50.069 --> 00:43:53.369
would like to thank you for speaking with
them.

00:43:53.369 --> 00:43:59.310
H: OK. That's not a question.
A: Sorry, what? I didn't get it.

00:43:59.310 --> 00:44:05.160
S: No questions.
A: Okay. Okay great.

00:44:05.160 --> 00:44:10.420
H: Well that's a quick one then. Thank you
all for your attention. Oh sorry.

00:44:10.420 --> 00:44:16.679
Microphone number two.
Q: Yeah. It's not a question either. It's

00:44:16.679 --> 00:44:21.089
just a clarification of the legal
situation. So basically you're allowed to

00:44:21.089 --> 00:44:28.079
listen to non-public broadcasts or non-
public radio traffic for example like a

00:44:28.079 --> 00:44:37.170
aero nautical. But you're not allowed
to record it and to to publish the

00:44:37.170 --> 00:44:40.910
information that you gathered.
A: Ah OK, thanks.

00:44:40.910 --> 00:44:47.650
Q: So, theoretically sitting at home and
listening to, yeah, I mean the tower

00:44:47.650 --> 00:44:53.499
talking to the pilots or whatever or even
to to police is allowed. You're just not

00:44:53.499 --> 00:45:01.980
allowed to basically make a profit from
it. That's the legal situation in Germany.

00:45:01.980 --> 00:45:06.719
I don't know how it looks in other parts
of Europe.

00:45:06.719 --> 00:45:10.970
H: Since we are violating the protocol of
Q and A anyway by not asking questions.

00:45:10.970 --> 00:45:13.240
<i>Laughter</i>
H: I am a lawyer and various member states

00:45:13.240 --> 00:45:16.829
of member state you could question that as
attention if the European Convention of

00:45:16.829 --> 00:45:21.460
Human Rights or not. But it really varies
from member state to member state.

00:45:21.460 --> 00:45:23.680
<i>Laughter</i>
Q: Well, in that case.

00:45:23.680 --> 00:45:30.439
<i>Applause</i>
Herald: Now I really would like to have a

00:45:30.439 --> 00:45:33.359
genuine question. Something that starts
with a sentence, ends with a question

00:45:33.359 --> 00:45:45.660
mark. Do we have any takers? Oh in that
case, thank you so much for your

00:45:45.660 --> 00:45:46.862
attention.

00:45:46.862 --> 00:45:51.747

<i>35c3 postroll music</i>

00:45:51.747 --> 00:46:08.812
subtitles created by c3subtitles.de
in the year 2019. Join, and help us!