35C3 preroll music

Friederike: I will give you a short introduction to software defined radio. So some basics about this technology and some modulation technology, which you also always need if you want to transmit something. First of all, before we come to the software defined radio, let's first have a look at what generally happens in a radio transmission, so the parts you always need to get something over the air. Normally you have some input signal you want to transmit: an audio signal, a radio for example, a video signal or just any data. Then you do some compression. Mostly you do this if you have some digital stuff; in analog you don't do this so much. Some error correction, modulation and then the frequency assignment to the frequency you want to use for the transmission.
Then you have a radio channel. Sometimes you have mobility if you move. You have a multi-path propagation. You always have some noise added and often there are also like other signals in the air which also share the channel. And then at the other side it goes the other way round. You get the demodulation, error correction if there are errors and the decompression, and hopefully out comes here the original audio or video signal or the data you had transmitted.

A bit to the frequency assignment: there are frequency plans. Here you can see a frequency plan of the US. They have a nice chart like this; here for example you can see the frequency band from 88 to 108 megahertz, then some aeronautical services and other stuff at the other frequencies. For Europe they have a really huge table. You can find it on the website of the ECO, the European Communications Office. Yeah, it's quite large. But if you want to look what's probably on this frequency in the air, you can have a look there.

So now let's start with a not software defined radio to get a bit more used to the principles. What does happen there? Here's for example an old AM receiver on this side. So we get the signal in the air, the AM transmission. There are still some, but they are actually switched off at the moment. Here now we have a superheterodyne receiver, it's called like this. So what we have, we have, where is my mouse, here is my mouse. So we have here at the antenna, here is the antenna, we have our signal S1. That's the signal we want to receive. Then we have some filtering to get rid of all the other signals which are farther away.
Then we have our mixer here. So the LO frequency of this mixer, like the local oscillator frequency here, is always chosen in the way that the wanted signal always falls in the same intermediate frequency. With this you can have a very sharp filter here, the IF filter. So at your IF filter output you only get the wanted signal which then, after the filtering, again some amplification, goes to the demodulator, and in the case of AM now all your information is actually in the amplitude of the signal. So for decoding and listening the easiest way would be just an envelope detector, which could look like this. You have a diode which actually puts the negative part of the signal to the positive side. And then here we just use a low pass to get rid of the intermediate frequency, which you can still see here. And afterwards you can just listen to your audio signal.

So in the case of software defined radio we stay with the RX front end in these examples. The TX path would be nearly similar the other way around. So again, we have the antenna. Antennas are also really important. Always take a good antenna, well adapted to the frequency you want to receive or the frequency you want to transmit, because otherwise you won't get any signal out of the air or only a very low part of the signal. I gave a talk on antennas at 31C3. So if you're interested in antennas you can have a look on media.ccc.de. Then again we have some filtering, an amplifier, and now we have an IQ mixer.
Here you can see it actually consists of two mixers, and this local oscillator signal is shifted by 90 degrees for the lower part here of our signal. Then again some filtering, amplification and then we get the analog to digital converters here to get our IQ signal then to the computer for decoding in software. We still have actually a big analog part here. So most of the front end is still analog and the digital part actually is only this after the analog to digital converter, in this case of a classical software defined radio front end.

IQ data are pretty cool, they contain actually the raw signal that is coming out of the air. You could also record the raw signal, it's quickly getting huge, and for example do the demodulation later. If you put those IQ signals on a coordinate plane, which you can see here on the right side, you can also see the phase shift of 90 degrees between the I, which is the in-phase component, and the Q, which is the quadrature component of the signal. If you assign some numbers, we can also combine them with a vector. We can use Pythagoras for example to get the amplitude of the resulting vector, we can do some trigonometry to get the angle.
Actually those two parameters, like the angle and the amplitude, are the main parameters you can put information in. So in the example before, like the AM modulation, you only use actually the amplitude of the signal. In contrast to this an FM modulation for example has a constant amplitude and all the information is put into the phase or the frequency. So no matter what kind of modulation is used, these IQ data actually contain all the necessary information. A nice example of a modulation which is often used nowadays and that also uses both of those parameters is the QAM modulation. OK, I already told this. The QAM modulation here for example is a constellation diagram out of the program GNURadio.

Oh, it's a bit shifted, everything, doesn't matter. So here again we have our in-phase component on the x axis and the quadrature component on the vertical axis. With the 4-QAM we have four symbols, so we can put in two bits per symbol. With a 16-QAM for example you can put in four bits per symbol. If we go further, 64-QAM, we can put in six bits per symbol. This for example is used in DVB-T or DAB, like broadcasting systems, or in Wi-Fi: 802.11n uses up to 64-QAM. LTE also uses up to 64-QAM. When we go further, 802.11ac uses 256-QAM, so even more dots. You can put in eight bits then per symbol, and so does LTE Advanced, and so the more data you want to transmit, the more symbols you need. 802.11ax uses up to 1024-QAM with 10 bits per symbol. And so does the successor of 4G, like the 5G New Radio, also use up to 1024-QAM. It becomes interesting when we add some noise.
So you always, as I told you, always got the channel, you always got noise. This is what happens if we add some noise to the 64-QAM. You could still like estimate where the original symbol would be. This becomes even more difficult if we go to the 1024-QAM. That's also why those broadband systems always use an adaptive modulation, like within the first data exchange they communicate about the quality of the signal, and only if you get a really good signal level at the receiver, you choose the highest order modulation. Otherwise it ramps down to lower orders. So these high order modulations only work with really good signal levels.

So let's go back to the IQ data. Those IQ data are closely related to complex numbers. So to get the complex number let's add some imaginary unit j. So we get our complex number, actually C = I + j * Q, which are again our in-phase and quadrature component.
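The constellation, noise and adaptive-modulation behaviour described above, as an added example that is not part of the talk: QAM symbols are complex I + jQ points, a noisy channel scatters them, and the receiver estimates the nearest point. The constellation scaling, the plain binary bit-to-point mapping, the noise model and the 1 % error target of the adaptive choice are assumptions of this example, not taken from the slides.

```python
import math
import random

def square_qam_constellation(m):
    """The m points of a square m-QAM constellation as complex I + jQ values,
    scaled to unit average power. m must be a square with an even side (4, 16, 64, ...)."""
    side = int(round(math.sqrt(m)))
    if side * side != m or side % 2:
        raise ValueError("need a square constellation such as 4, 16, 64, 256 or 1024")
    levels = [2 * k - (side - 1) for k in range(side)]      # side 4 -> -3, -1, 1, 3
    points = [complex(i, q) for q in levels for i in levels]
    scale = 1 / math.sqrt(sum(abs(p) ** 2 for p in points) / m)
    return [p * scale for p in points]

def bits_per_symbol(m):
    """4-QAM carries 2 bits, 16-QAM 4, 64-QAM 6, 256-QAM 8, 1024-QAM 10."""
    return int(math.log2(m))

def modulate(bits, m):
    """Map a string of '0'/'1' onto symbols; each group of log2(m) bits picks one point
    (plain binary index, no Gray mapping, to keep the mapping easy to read)."""
    const, k = square_qam_constellation(m), bits_per_symbol(m)
    return [const[int(bits[i:i + k], 2)] for i in range(0, len(bits), k)]

def add_noise(symbols, snr_db, seed=1):
    """Add complex Gaussian channel noise for the given SNR (signal power is 1)."""
    rng = random.Random(seed)
    sigma = math.sqrt(10 ** (-snr_db / 10) / 2)            # std dev per I/Q dimension
    return [s + complex(rng.gauss(0, sigma), rng.gauss(0, sigma)) for s in symbols]

def demodulate(received, m):
    """Hard decision: estimate the sent symbol as the nearest constellation point."""
    const, k = square_qam_constellation(m), bits_per_symbol(m)
    return "".join(format(min(range(m), key=lambda i: abs(r - const[i])), f"0{k}b")
                   for r in received)

def symbol_error_rate(m, snr_db, n_symbols=500, seed=1):
    """Simulated fraction of wrongly decided symbols for m-QAM at this SNR
    (constructed random bit stream, deterministic seed)."""
    rng, k = random.Random(seed), bits_per_symbol(m)
    bits = "".join(rng.choice("01") for _ in range(n_symbols * k))
    decided = demodulate(add_noise(modulate(bits, m), snr_db, seed), m)
    errors = sum(bits[i:i + k] != decided[i:i + k] for i in range(0, len(bits), k))
    return errors / n_symbols

def choose_modulation(snr_db, max_ser=0.01, orders=(4, 16, 64, 256, 1024)):
    """Adaptive modulation as described in the talk: after learning the link quality,
    use the highest order that still decodes reliably, otherwise ramp down."""
    chosen = orders[0]
    for m in orders:
        if symbol_error_rate(m, snr_db) <= max_ser:
            chosen = m
    return chosen
```

At 20 dB SNR the simulation still decodes 16-QAM cleanly while 64-QAM already loses a few percent of its symbols and 1024-QAM is mostly guesswork; at 40 dB all orders decode, which is the "really good signal level" the talk requires for the highest orders.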
So a complex number you can write in the Cartesian form which I showed. The most often used form is actually the polar form, where we add Euler's number. So it becomes like C equals a multiplied by e, Euler's number, to the power of j * phi, which is our phase here again. So in this case our real axis, the in-phase axis here, becomes our real axis and the Q axis becomes our imaginary axis. The property of this polar form, which is often needed in digital signal processing, is the multiplication. Like if you multiply two polar-form complex numbers, this ends up in an addition of the elevated parts here. And this is often used for example in Fourier transformations or if you mix signals to get them from one frequency to the other. More on this later; it looks quite complex but it's really worth using it at the end.
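An added example (not from the talk) that ties the IQ plane, the polar form and the "AM lives in the amplitude, FM lives in the phase" statements together: amplitude and phase come from Pythagoras and atan2, multiplying polar-form numbers adds their phases, and that same property demodulates FM when one IQ sample is multiplied by the conjugate of the previous one. The message samples, the AM depth and the FM deviation per sample are constructed values.

```python
import cmath
import math

def to_polar(i, q):
    """Amplitude via Pythagoras, phase via trigonometry, for one IQ sample."""
    return math.hypot(i, q), math.atan2(q, i)

def from_polar(a, phi):
    """Polar form from the slides: C = a * e^(j * phi)."""
    return a * cmath.exp(1j * phi)

def product_adds_phases(a1, phi1, a2, phi2):
    """Multiplying two polar-form numbers multiplies amplitudes and adds phases."""
    c = from_polar(a1, phi1) * from_polar(a2, phi2)
    return abs(c), cmath.phase(c)

def am_iq(message, depth=0.5):
    """Baseband IQ samples of an AM signal: all information in the amplitude."""
    return [complex(1 + depth * m, 0) for m in message]

def fm_iq(message, deviation=0.3):
    """Baseband IQ samples of an FM signal: constant amplitude, information in the
    phase step between samples (deviation is radians per sample per message unit)."""
    phase, out = 0.0, []
    for m in message:
        phase += deviation * m
        out.append(from_polar(1.0, phase))
    return out

def am_demod(iq, depth=0.5):
    """Envelope detector in the IQ domain: the envelope is |C|; remove the carrier
    offset and undo the depth scaling."""
    return [(abs(c) - 1) / depth for c in iq]

def fm_demod(iq, deviation=0.3):
    """c[n] * conj(c[n-1]) has phase phi[n] - phi[n-1] (polar multiplication adds
    phases, conjugation negates one), i.e. the instantaneous frequency per sample.
    The first output sample has no predecessor and is reported as 0."""
    out = [0.0]
    for prev, cur in zip(iq, iq[1:]):
        out.append(cmath.phase(cur * prev.conjugate()) / deviation)
    return out
```

Because the FM discriminator only looks at phase differences, a constant amplitude error or a fixed phase offset in the front end does not disturb it, whereas the AM envelope detector needs the amplitude to be preserved, which is one reason the talk stresses getting the IQ data through the front end properly.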
So the first step in the software defined radio is then to get the right parts of the signal through the front end, because if you don't get your IQ data actually properly, afterwards decoding in software becomes very, very difficult or even impossible. So let's have a look at the different parts of our software defined receiver. After the antenna, filtering and amplifier, we have this IQ mixer. To keep it a bit more simple for now we just skip the IQ part and have a look what a mixer in general is doing. To get the signal from the transmitted frequency to the IF, to the intermediate frequency, it is multiplied with an LO signal and then filtered. This multiplication actually ends up here in an addition, here this higher part, and in a subtraction of the two frequencies we put in here. And with the filter we actually get rid of the higher part here. The mixer defines the frequency range the SDR front end is working on. For example there are those quite cheap RTL SDR USB sticks which were originally made for DVB-T reception. They work for example from 24 megahertz up to 1766 megahertz.
Then there's the HackRF, which is also an often used SDR front end, works from 1 MHz up to 6 GHz. And the radio badge from the CCC camp 2015 works from 50 MHz up to 4 GHz. As I told, the mixer here is a bit simplified. Here is for example the mixer chipset of the HackRF. Here you can see the IQ mixing part here.

Next step then, after again some filtering and amplification, is the analog to digital converter. We get the analog signal in here. And what the computer actually needs are samples of the signal. So they have to be taken at dedicated times t here. We get the sampling rate here: 1 divided by T. This sampling rate must comply with the Nyquist-Shannon sampling theorem.
Otherwise your signal can't be reconstructed properly. You get effects like aliasing, where you have frequencies that actually are not there but are caused by the undersampling of the signal, and for complying with this Nyquist-Shannon theorem, the bandwidth of your signal, of the signal you want to digitize, has to be smaller than 1 divided by 2*T.

Here an example of a DAB+ signal. DAB+ is nice because it always has a bandwidth of 1.5 MHz, it has quite sharp edges because it uses an OFDM modulation. This here was received with an RTL SDR DAB/DVB-T stick, with the software Gqrx, which has a maximum sampling rate of 3.2 MHz. So let's check for Nyquist. We have our bandwidth of 1.5 MHz, we have the sampling rate of 3.2 MHz. So 1 divided by 2*T is 1.6 MHz and 1.5 MHz is smaller than 1.6 MHz. Great! We can receive a DAB+ signal with a DAB receiver. You might ask now, this is also for the DVB-T reception, which has a bandwidth of 8 MHz. So you would need a sampling rate of 60 MHz to receive or to digitize this. That's actually a nice example of the usage of SDR in comparison to dedicated chipsets. So DVB-T here doesn't use the SDR mode of this chipset, but it has a dedicated DVB-T chipset in here. So chipset development is quite expensive, but if there is a mass market, and for television there is a mass market, they can be produced very cheaply. So actually the SDR mode was probably added for the DAB reception. Also with the growing bandwidth the power consumption of the SDR mode becomes quite high, because you always have to digitize the whole bandwidth of your signal. So if it comes for example to LTE with 20 or 40 MHz bandwidth, this becomes quite relevant. OK, we can get the DAB signal here.
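The Nyquist check above, as an added example that is not part of the talk, using the talk's numbers (1.5 MHz DAB+ bandwidth, 3.2 MHz sampling rate, 8 MHz DVB-T bandwidth). It goes one step beyond the slides by showing what aliasing looks like: a real tone above half the sampling rate produces exactly the same samples as a lower tone, so the receiver cannot tell them apart. The tone frequencies used in the check are constructed values.

```python
import math

def nyquist_ok(bandwidth_hz, sample_rate_hz):
    """Nyquist-Shannon condition from the talk: bandwidth must be below 1/(2T) = fs/2."""
    return bandwidth_hz < sample_rate_hz / 2

def min_sample_rate(bandwidth_hz):
    """Smallest sampling rate that satisfies the condition for this bandwidth."""
    return 2 * bandwidth_hz

def alias_frequency(f_hz, sample_rate_hz):
    """Frequency at which a real tone appears after sampling at sample_rate_hz
    (a tone below fs/2 maps to itself; anything above folds back)."""
    f = f_hz % sample_rate_hz
    return min(f, sample_rate_hz - f)

def sample_tone(f_hz, sample_rate_hz, n):
    """n real samples of cos(2 pi f t) taken every T = 1/fs seconds."""
    T = 1 / sample_rate_hz
    return [math.cos(2 * math.pi * f_hz * k * T) for k in range(n)]

def tones_indistinguishable(f1_hz, f2_hz, sample_rate_hz, n=64, tol=1e-9):
    """True if the two tones give the same sample sequence, i.e. one is an alias of the other."""
    a = sample_tone(f1_hz, sample_rate_hz, n)
    b = sample_tone(f2_hz, sample_rate_hz, n)
    return all(abs(x - y) < tol for x, y in zip(a, b))
```

With the 3.2 MHz rate a 2.5 MHz tone (above the 1.6 MHz limit) yields sample for sample the values of a 0.7 MHz tone; the anti-aliasing filter in front of the ADC exists precisely so that such out-of-band energy is removed before it can masquerade as an in-band signal.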
The next relevant parameter here is the resolution of the ADC. With a 3 bit resolution for example you would get 8 discrete values from your signal. With an 8 bit resolution you get 256 values. With 60 bit you get a lot of values, and those parts of the step here, you can see for example the 3 bit resolution and the 6 bit resolution of a sine signal, and all those parts of the steps of the 3 bit resolution actually end up in noise, which is called quantization noise. Here for example you see the spectral view of the signal. The first one with a 6 bit resolution. You can see the noise floor here at -68 dB, and below with the 8 bit resolution the noise floor falls down by 12 dB. So we get a noise floor down at -80 dB.

What we also see here is, actually here are some examples. The RTL SDR has two 8 bit ADCs, the HackRF and the Rad1o have dual 8 bit receive ADCs and, as they are also for transmitting purposes, they have a dual 10 bit transmit DAC, so the other way round to get your digital signal in the analog domain again. The RTL SDR is only for receiving purposes.
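Quantization noise, as an added example that is not from the talk: a uniform quantizer with 2^bits steps is applied to a sine, and the power of the rounding error is compared with the signal power. Going from 6 to 8 bits lowers the noise by about 12 dB, matching the two spectra on the slides. The quantizer type (mid-rise, full scale 1.0), the number of samples and the test sine are assumptions of this example.

```python
import math

def levels(bits):
    """Number of discrete output values: 3 bit gives 8, 8 bit gives 256."""
    return 2 ** bits

def quantize(x, bits, full_scale=1.0):
    """Uniform mid-rise quantizer: x in [-full_scale, full_scale) is rounded to the
    centre of one of 2^bits equal steps; values outside are clipped."""
    n = levels(bits)
    step = 2 * full_scale / n
    idx = math.floor(x / step)
    idx = max(-n // 2, min(n // 2 - 1, idx))
    return (idx + 0.5) * step

def sine(n, cycles=7):
    """Constructed full-scale test signal: `cycles` whole periods over n samples."""
    return [math.sin(2 * math.pi * cycles * k / n) for k in range(n)]

def quantization_snr_db(bits, n=4096):
    """Signal-to-quantization-noise ratio in dB for a full-scale sine."""
    sig = sine(n)
    q = [quantize(s, bits) for s in sig]
    p_signal = sum(s * s for s in sig) / n
    p_noise = sum((s - y) ** 2 for s, y in zip(sig, q)) / n
    return 10 * math.log10(p_signal / p_noise)

def noise_floor_drop_db(bits_from, bits_to):
    """How far the quantization noise floor falls when the ADC gains resolution."""
    return quantization_snr_db(bits_to) - quantization_snr_db(bits_from)
```

The drop is roughly 6 dB per added bit, so an 8 bit front end such as the RTL SDR has about 12 dB less dynamic range than a 10 bit one; a strong neighbouring signal that pushes the gain down therefore buries weak signals in quantization noise much sooner than on a higher-resolution receiver.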
What we also see here is, on the right side we get our signal in the time domain, on the left side we get the frequency domain. So how do we get the frequency view of our signal? Here for example in the form of a spectral view, and down here, this with the nice colors, this part is called a waterfall diagram. Here in the spectrum view we see the level of our signal components over the frequency, and the waterfall diagram then shows the different levels in different colors plotted over the time here.

So how do we get the frequency view of our signal? Actually we use a Fourier transformation to convert the time domain signal into the frequency domain. Wikipedia actually had a nice animation about this in the public domain, so we have a square wave signal which is a linear combination of sines of different frequencies, here in blue. And the component frequencies of these sines then are spread across the frequency spectrum and they are represented here as peaks in the frequency domain.
So mathematically this looks like this: here we get the different components, the sine components of our square wave signal. For the sake of simplicity we just skip the harmonics here, just take the sine signal, calculate the Fourier transformation, which is an integral of our function: the sine signal here multiplied by e^(-j2πft) and integrated over t. We also use again the polar form here, which then ends up in a multiplication of these components, and the integral of this multiplication then ends up in delta impulses at a frequency here of a and -a, and we still have half of an inverse imaginary unit here.

If we have a look at the Fourier transform of a complex constant wave signal, this actually simplifies to one delta impulse here at the frequency of a. For practical purposes, computational purposes, we use a DFT, like a discrete Fourier transformation, so the integral ends up in a summation of the signal components. And actually normally we use a fast Fourier transformation, which you also see in all the software, which is actually an algorithm to efficiently calculate a DFT.
So let's have a view again at the DAB signal here with the Gqrx software. We have the waterfall view and because it's a bit small, no, here it's actually quite visible. Yeah, it's a bit bigger. So on the left side we have an FFT size of 32768 and on the right side an FFT size of 512, and actually with the FFT length you define afterwards the resolution bandwidth of the spectrum. So you can see here, it's much coarser than with a higher resolution bandwidth here on the left side.
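An added example, not part of the talk, that carries three of the points above into working code: the DFT as a summation (the FFT only computes the same thing faster), the real sine giving two peaks at +a and -a while the complex constant wave gives one, the mixer (the multiplication from the front-end section) producing sum and difference frequencies, and the FFT size fixing the resolution bandwidth, using the talk's 3.2 MHz rate with the 32768- and 512-point sizes. The 64 Hz sampling rate and the tone frequencies of the check are constructed so that every tone falls exactly on a DFT bin.

```python
import cmath
import math

def dft(x):
    """Discrete Fourier transform written as the plain summation; an FFT computes the
    same bins with far fewer operations."""
    n = len(x)
    return [sum(x[t] * cmath.exp(-2j * math.pi * k * t / n) for t in range(n))
            for k in range(n)]

def bin_frequency(k, n, sample_rate):
    """Centre frequency of bin k; the upper half of the bins are negative frequencies."""
    return (k if k < n / 2 else k - n) * sample_rate / n

def resolution_bandwidth(sample_rate, fft_size):
    """Width of one bin: a longer FFT gives a finer frequency resolution."""
    return sample_rate / fft_size

def peaks(x, sample_rate, threshold=0.5):
    """Frequencies of all bins whose magnitude is above threshold * the largest bin."""
    spec = [abs(v) for v in dft(x)]
    top, n = max(spec), len(x)
    return sorted(bin_frequency(k, n, sample_rate)
                  for k, m in enumerate(spec) if m > threshold * top)

def real_tone(f, sample_rate, n):
    """cos(2 pi f t): a real signal, its spectrum is symmetric (peaks at +f and -f)."""
    return [math.cos(2 * math.pi * f * k / sample_rate) for k in range(n)]

def complex_tone(f, sample_rate, n):
    """e^(j 2 pi f t): the complex constant wave from the slides, one peak at +f only.
    This is what an IQ front end delivers, which is why IQ data can tell +f from -f."""
    return [cmath.exp(2j * math.pi * f * k / sample_rate) for k in range(n)]

def mix(x, lo_f, sample_rate):
    """Real mixer: multiply by the local oscillator; the product contains the sum and
    the difference of the two frequencies, and a filter then keeps the wanted one."""
    return [v * math.cos(2 * math.pi * lo_f * k / sample_rate) for k, v in enumerate(x)]
```

With 32768 points the 3.2 MHz span is split into bins of under 100 Hz, with 512 points into 6.25 kHz bins, which is why the right-hand waterfall in the slides looks so much coarser; the price of the finer resolution is that each spectrum needs 64 times more samples and therefore updates more slowly.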
Then the sliders down here, you can find those sliders and stuff here in the FFT settings of Gqrx if you want to have a look at this software. The sliders down here, I also have them a bit bigger here, you can define the reference level. So if you have a very low signal, you have to put it a bit down. And also the range, like the range in which you see your signal. If you have a high dynamic signal, you need a large range to see all the parts of the signal. If you have a very, very low signal power, you need to switch it down to a smaller range to actually see anything of your signal.

So the possibility to efficiently calculate an FFT or IFFT, like the inverse Fourier transformation, also gave the possibility of a wider use of multi-carrier modulation methods such as OFDM here, orthogonal frequency division multiplex.
Nowadays this is often used in mobile communication systems such as LTE due to its resistance to the effects of the propagation channel. For example multi-path propagation often causes destructive interference, so some of your carriers actually are in a destructive interference part, so they are actually attenuated a lot. And if you distribute your information over several carriers, you still have the chance to receive some of the carriers and then you can afterwards use some error correction mechanisms to repair actually the data and get something out of the data. And so here the FFT, or in the TX case, in the transmission case, an inverse FFT, is used actually to distribute the, for example, the QAM data to the different frequencies, to the different carriers. Then it's again the regular IQ mixer, and in the case of the reception we use the FFT to get the symbols, the QAM symbols for example, out of our different carriers.

Here again you see, I like DAB, again the DAB signal. Here we have, DAB uses 1536 subcarriers, and the number of subcarriers here actually is also always a compromise of how close your subcarriers are, which defines how much Doppler shift, in case of mobile reception, your system is capable to cope with, and on the other hand it defines how long your signal is in the air. So the more carriers you have, the longer your signal is, and that has an effect on how much delay your signal can cope with. Additionally, often there is a guard interval added to the symbol to cope with more delays. For example DAB is a broadcasting system with a capability of single frequency networks, so you can run different transmitters on the same frequency with the same program, but especially in the overlapping areas this results in very large delays. So that's why the broadcasting system has very many carriers. LTE in contrast only has in the downlink with a 10 MHz bandwidth 601 carriers, in the uplink 600. And 802.11ac for example with 40 MHz bandwidth has 128 carriers.
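The OFDM transmit and receive chain described above, as an added example that is not part of the talk: an inverse DFT spreads QAM symbols over the subcarriers, a cyclic prefix serves as guard interval, a constructed two-path channel (direct path plus one delayed echo) attenuates some carriers heavily, and the receiver's DFT plus a one-tap equalizer recovers the symbols as long as the echo delay fits inside the guard interval. The tiny carrier counts, the echo delay and gain, the QPSK mapping and the assumption that the receiver knows the channel response are all constructed for the example; the helper functions for symbol duration and spacing only evaluate the trade-off the talk mentions, with an assumed sample rate.

```python
import cmath
import math

def dft(x):
    n = len(x)
    return [sum(x[t] * cmath.exp(-2j * math.pi * k * t / n) for t in range(n)) for k in range(n)]

def idft(x):
    n = len(x)
    return [sum(x[k] * cmath.exp(2j * math.pi * k * t / n) for k in range(n)) / n for t in range(n)]

# 4-QAM (QPSK) points used on every subcarrier; index = two bits per symbol
QPSK = [complex(1, 1), complex(-1, 1), complex(-1, -1), complex(1, -1)]

def ofdm_modulate(symbols, guard):
    """TX: inverse FFT puts one QAM symbol on each carrier, then the last `guard`
    time samples are copied in front as the guard interval (cyclic prefix)."""
    time = idft(symbols)
    return time[-guard:] + time if guard else time

def ofdm_demodulate(samples, n_carriers, guard):
    """RX: discard the guard interval, then the FFT takes the symbols off the carriers."""
    return dft(samples[guard:guard + n_carriers])

def two_path_channel(samples, delay, gain):
    """Constructed multi-path channel: direct path plus one echo `delay` samples later."""
    return [s + (gain * samples[i - delay] if i >= delay else 0) for i, s in enumerate(samples)]

def channel_response(n_carriers, delay, gain):
    """Frequency response of the echo channel seen by each carrier (assumed known
    at the receiver, e.g. estimated from pilot carriers)."""
    h = [1.0] + [0.0] * (n_carriers - 1)
    h[delay] += gain
    return dft(h)

def carrier_gains_db(n_carriers, delay, gain):
    """Per-carrier gain in dB: carriers in destructive interference are attenuated a lot."""
    return [20 * math.log10(abs(v)) for v in channel_response(n_carriers, delay, gain)]

def equalized_symbols(indices, guard, delay, gain):
    """Send QPSK indices over one OFDM symbol through the echo channel and equalize
    each carrier by dividing by the channel response (one-tap equalizer)."""
    n = len(indices)
    tx = ofdm_modulate([QPSK[i] for i in indices], guard)
    rx = ofdm_demodulate(two_path_channel(tx, delay, gain), n, guard)
    return [y / h for y, h in zip(rx, channel_response(n, delay, gain))]

def equalized_error(indices, guard, delay, gain):
    """Largest distance between an equalized carrier and the point that was sent.
    If guard >= delay the echo is circular and the equalizer is exact; if the guard
    interval is too short, part of the echo is lost and the carriers are corrupted."""
    eq = equalized_symbols(indices, guard, delay, gain)
    return max(abs(e - QPSK[i]) for e, i in zip(eq, indices))

def decode(indices, guard, delay, gain):
    """Nearest-point decision on every carrier after equalization."""
    return [min(range(4), key=lambda k: abs(e - QPSK[k]))
            for e in equalized_symbols(indices, guard, delay, gain)]

def subcarrier_spacing_hz(n_carriers, sample_rate_hz):
    """Closer carriers (more of them in the same bandwidth) tolerate less Doppler shift."""
    return sample_rate_hz / n_carriers

def symbol_duration_us(n_carriers, sample_rate_hz):
    """More carriers make the symbol longer in the air, so it tolerates more delay."""
    return n_carriers / sample_rate_hz * 1e6
```

With 4 carriers and an echo of gain 0.9 one sample later, the third carrier sees a 20 dB notch; with a guard interval of one sample the equalizer still returns the sent points exactly, while without a guard interval the lost part of the echo is smeared over all carriers and the notched carrier is far off. A real system would add the error correction the talk mentions on top of this, precisely for the carriers that end up in such a notch.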
So now let's come back from this quite complex world of software defined radio to the real world. So what SDR actually brings are quite cheap and flexible solutions for formerly very expensive technology. That's why it's actually often used in academia and also for prototyping purposes. But there's also a quite big community developing open source software for software defined radio. I want to show you now like two examples where those SDR technologies facilitated community driven projects.

One is digital radio which goes digital in Switzerland, or community radio goes digital in Switzerland. Like digitizing local community radio has actually long been a problem. Community radios are non-profit-making media produced by a local community and serving a local community. There's also one here in Leipzig which is also doing a program from the Congress here. I think they are actually starting now, for I think 3 hours today. It's called Fairydust.FM, so if you want to listen you can look at the wiki where to receive them. They mostly do not have a huge budget for running a radio. The development was facilitated by low threshold, cheap transmitters. So FM transmitters are really cheap now or they can be built. With DAB now, digital audio broadcast, the possibility of running your own cheap transmitter became quite difficult for a long, long time. DAB was developed by the big broadcasting corporations like BBC or the German public media.
And it's actually adapted to their needs. You can put in a lot of programs in multiplexes, you can run huge single frequency networks. There is a national SFN in Germany for example. Local community radios, so do local commercial radios, need more like flexible, cheap radio transmission. So you might argue that digital radio isn't relevant anymore, but actually there are countries that start to switch off FM, and only streaming through the Internet is also not an appropriate solution. So what happened some years ago was that people started to write open source DAB SDR software to build up quite cheap DAB transmitters. You can find the software here on opendigitalradio.org. They have this nice penguin with a transmission tower as a logo, and in Switzerland the FM switch-off is set to 2024. So it's coming quite close, and a lot of communities are already on the digital airwaves there with this solution of software defined radio based transmitter technologies.
The UK is also on the way to switch off FM, and there Ofcom actually recently started a survey about the demand for small scale DAB, also based on this SDR solution which makes it affordable to community radios.

Another example is community-driven cellular telephony. In remote areas, for example in Mexico and probably in a lot more countries, often there is no cellular network connection at all, as it's just not a good business for mobile broadband providers if you have only a few hundred clients to use it or customers who pay for it. I was some years ago in the south of Mexico for an article about the first community driven cellular network, which was also built on open source SDR technology like OpenBSC and OpenBTS, which made it then quite affordable for the communities there. Today this "association telecommunications (inaudible) comunitarias" has a license to run autonomous telephone networks in different parts of Mexico such as Chapels (inaudible Mexican region), Vera Cruz and Puebla, and nowadays they are already running nearly 20 cellular networks there and they also do a lot of trainings and write a lot of manuals. So if you want to learn how to run your own GSM networks, they are actually only, you can have a look on their site.

So these are only two examples of projects where SDR facilitated low budget communication. So you might ask, if you now want to have a look on SDR yourself, where to start. So for radio reception these cheap RTL SDR USB sticks are your friend.
They cost around 10 to 20 euros, depending on where you get it. And there's software like this Gqrx, of which I already had a lot of examples in my slides, which runs on Linux and Mac. Here's an example of Gqrx for FM reception for example. It has also a built-in FM decoder, so you can really listen to FM radio. There are also AM decoders and some others also. You can also dump the IQ data with this Gqrx for decoding it later. There's also software for Windows like SDR# or HDSDR or WinSDR. Always keep in mind that listening to non-public broadcasts is forbidden!

The next level then would be GNURadio. I already showed in between the talk plots from GNURadio, like the constellation plots of QAM modulation. GNURadio actually offers a very large framework for software defined radio functions, also to build your own applications. There are sources. For example here is a source where you can connect your RTL SDR USB stick, define here the sampling rate, the frequency and different other stuff here. Then you have a lot of functions here, for example the FM demodulation, you have a spectrum viewer, here the FFT sink, different resamplers, and then you have different sinks here. You connect it to your sound card with the audio sink and in this case listen to FM radio. You can also define a sink to connect your HackRF to transmit something. You can also write your own functions. So it's quite easy in this graphical front end, the GNU Radio Companion, to add your own functions.
There are many tutorials also on the Internet and a very active community, and it's also very often used in academia. So if you are perhaps studying or are planning to study, there are very often projects around GNURadio which you can work on if you're interested. There is also a lot of different SDR hardware available. So the HackRF I already mentioned, the Rad1o badge from the CCC camp. So if you don't have one, you can ask around, perhaps someone still has one lying around. There are more expensive ones, which then have for example better resolutions; the ADCs, DACs have better resolutions.
There is the USRP family, which is much more expensive but, yeah, you can do a lot more with this and it's also very often used in academia. I also knew it from the time I worked at the university. So further information, if you are now becoming really interested, there are lots of massive open online courses. For example I saw one from the University of Madrid, but in English. So there are video tutorials for example from the makers of the HackRF at their website. There are also nice, freely available books on SDR by Analog Devices for example, if you look for "SDR4 engineers". And if you are now here, there is an SDR challenge at the congress. They have a table in Hall 3 in the wastelands there. If we have a look at the small brand(???), so there are various different SDR challenges from quite easy to difficult. There's a game server to claim your flag in a team, and if you don't have an SDR you can borrow one, like these RTL SDR sticks, for a deposit, and there also, if you don't like all this GNURadio stuff, there are also Bluetooth challenges. So thanks for your attention. And feel free to ask questions if you want!

Applause

Herald: Thank you. We have at least 15 minutes left for Q and A. So walk to a microphone and let's see what you got question-wise. OK, microphone number five.

Question: Yeah. You mentioned that listening to a non-public broadcast is forbidden. What's your basis for this? Because if I recall correctly the European Convention on Human Rights has an article about being free to conduct journalism. And there was a claim that journalism includes just listening to the entire FM spectrum.

Answer: Yeah. The FM spectrum is public, so there's no problem. But there are other services that are not encrypted because in former times this technology just wasn't available or affordable for normal persons. So nowadays you have much more possibilities to receive other frequencies for example quite easily which are not public. And so it's forbidden to listen to them actually.

Q: Yeah, but by what? Is there a law?

A: The law? Oh, I'm not a lawyer so I don't know exactly what law it is.

Q: Okay.

H: Okay, any other questions? Does the Internet have questions by now? If you have a question, by the way, just go to a microphone.

Signal: The Internet doesn't have any questions but MCR of Open Digital Radio would like to thank you for speaking with them.

H: OK. That's not a question.

A: Sorry, what? I didn't get it.

S: No questions.

A: Okay. Okay, great.

H: Well, that's a quick one then. Thank you all for your attention. Oh, sorry.
Microphone number two.

Q: Yeah. It's not a question either. It's just a clarification of the legal situation. So basically you're allowed to listen to non-public broadcasts or non-public radio traffic, for example like aeronautical. But you're not allowed to record it and to publish the information that you gathered.

A: Ah, OK, thanks.

Q: So, theoretically sitting at home and listening to, yeah, I mean the tower talking to the pilots or whatever or even to police is allowed. You're just not allowed to basically make a profit from it. That's the legal situation in Germany. I don't know how it looks in other parts of Europe.

H: Since we are violating the protocol of Q and A anyway by not asking questions.

Laughter

H: I am a lawyer and various member states, of member state, you could question that as attention if the European Convention on Human Rights or not. But it really varies from member state to member state.

Laughter

Q: Well, in that case.

Applause

Herald: Now I really would like to have a genuine question. Something that starts with a sentence, ends with a question mark. Do we have any takers? Oh, in that case, thank you so much for your attention.

35c3 postroll music

subtitles created by c3subtitles.de in the year 2019. Join, and help us!