Thursday, December 06, 2012

HackRF Beta Update

Sorry, folks! HackRF beta manufacturing (that I had hoped would take place in December) has been delayed until late January or early February. The reason for the delay is the most mundane that you can imagine: ordering components and getting them all delivered to the factory.

Generally speaking, it's pretty easy to buy a handful of parts for prototyping, and it is easy to buy tens of thousands for manufacturing. Buying 500 units of a part at a reasonable price for low volume manufacturing isn't always easy, however. A few of the components took several weeks to source, but they are all on order as of this week.

One component was particularly problematic, the Si5351C clock generator IC. We weren't sure why we were having so much trouble locating 500 units of Si5351C-A until the Si5351C-B suddenly appeared on the market. The new revision is only a little different than the old one, but it has some advantages; the biggest advantage is availability! I had a few units overnighted to me and tested them. Unfortunately changing to the new revision required that I add a single resistor to the Jawbreaker design. It's a very minor change, but even small changes have the potential to cause delays. In this case, the long lead time for some of the components has given us enough extra time that we can make such a change as necessary.

The good news is that we were finally able to order everything at pricing close to what I anticipated. Beta units will likely be shipped in February, so look for an announcement around that time.

Wednesday, November 14, 2012

So You Want to Track People with Ubertooth. . .

Dominic started a blog for Project Ubertooth recently, so I will publish most future Ubertooth related content over there. My first post is a FAQ for people wanting to use Ubertooth to track the movements of Bluetooth devices.

Friday, October 26, 2012

The ToorCon 14 Badge

I designed an electronic badge for ToorCon again this year. It features a CC1111 sub-1 GHz wireless transceiver IC with USB connectivity. This chip has the same radio as the CC1110 in the popular IM-Me. While the badge is certainly hackable hardware-wise, I hoped that it would allow people to explore radio applications without having to heat up any soldering irons.

The ToorCon 14 Badge shipped with RfCat firmware and a USB bootloader installed, so conference attendees were able to start experimenting with just a USB cable, a laptop, and the RfCat software. Although I am a fan of software defined radio, sometimes a wireless transceiver IC is all you need to do some interesting things, and RfCat is the easiest way I know to get started.

The badge is designed to be similar to and firmware compatible with the CC1111 EMK (aka "Don's Dongle"), but it has a few extra goodies. Most notably, it shipped with RfCat firmware and CC Bootloader installed. It also features a GoodFET compatible programming header and a row of test points that would have been compatible with the GIMME had I measured correctly. (Oops! Aren't you glad there is a USB bootloader?) The badge also has an option to install an external antenna connector, allowing better performance across the whole frequency range of the CC1111 than previous designs.

I held a badge hacking contest and was happy to see several people working on interesting ideas at the con. One group blew everyone else away: the Root the Box team built a multi-user wireless chat system. They implemented their own network protocol, user interface, and even HTTP tunneling from the ground up using RFCat's rflib Python library. (in two days!) Check out my video of the demonstration they gave me. They even posted the source code for their winning entry.

These were the same guys who won the ToorCon 13 badge hacking contest by implementing a simple game with 2.4 GHz wireless connectivity. Check out their Root the Box CTF event coming up in January!

There were a few extra badges made. Look for them to go on sale soon at HakShop and Ada's Technical Books.

Thursday, October 25, 2012

Announcing the HackRF Beta

Jared Boone and I had the honor of presenting the keynote at ToorCon 14 over the weekend. In our talk, HackRF: A Low Cost Software Defined Radio Platform, we described our project to build a low cost, open source, wideband, portable Software Defined Radio peripheral. You can watch video of the presentation or download the slides.

In addition to introducing HackRF to the ToorCon audience, we announced the HackRF beta test program. Thanks to DARPA's Cyber Fast Track (CFT) program, we are able to build a few hundred HackRF Jawbreakers and will distribute them to ToorCon attendees as soon as they are completed (hopefully around December). Each attendee of ToorCon 14 (and also the recent GNU Radio Conference) received a unique beta invitation code that can be redeemed for a Jawbreaker as soon as the hardware is ready to ship.

Jared and I are very excited to be able to give away so many beta units. I'm not sure if any open source hardware project has had such a well funded beta program, but we think that giving away hardware in exchange for feedback (and hopefully some code) is a good trade in keeping with open source ideals.

If you have an invitation code, look for an announcement on the HackRF page around December telling you how to redeem your code for a Jawbreaker. I know there are many of you out there who wish you had an invitation code, and I'm sorry that our funding for the beta program is finite! The redemption system, once it is live, will include a way to sign up for a waiting list if you do not have a code. There will probably be some extra beta units that we will distribute to as many on the waiting list as we can.

My hope for the beta program is to validate HackRF Jawbreaker, resulting in a well-tested open source design that anyone can build or modify. I also plan to release a commercial HackRF product (similar to Jawbreaker) that will be available for purchase after the beta.

Thanks for all the kind words of support at ToorCon and since!

Wednesday, October 17, 2012

Programming Pink Pagers in Style

After two and a half years of programming the IM-Me by soldering wires to the test points in the battery compartment, I finally got around to making a GoodFET/IM-Me spring pin adapter. I call it GIMME. Now I can install my spectrum analyzer application or any other firmware onto an IM-Me by simply removing the batteries and pressing the GIMME against the test points while the attached GoodFET does all the tricky stuff. GIMME is designed with KiCad. You can find the design files in the contrib directory of the GoodFET repo.

To mark this occasion, I decided it was high time to post the video from my talk with Travis Goodspeed at ToorCon 12, Real Men Carry Pink Pagers. It was probably the most fun I've ever had giving a talk at a hacker con. Maybe it was the song. Maybe it was the bourbon in pink shot glasses. Maybe it was the total lack of preparation resulting from Travis injuring himself the day before. Maybe it was the ridiculous T-shirt Nick DePetrillo made me wear. (I still haven't figured out how to get him back. I don't believe it is possible to embarrass the man.)

With ToorCon 14 coming up, I decided to have several GIMME PCBs made to give away. If you see me at the con this weekend and would like one, just ask. I also took it upon myself to make some GoodFET41 boards since Travis won't be around being his usual Johnny Appleseed of open source hardware. Plus, I will have a GIMME and GoodFET available to borrow, so bring that IM-Me that has been sitting in a drawer with factory firmware!

Monday, October 01, 2012

HackRF Jawbreaker

Last week at the GNU Radio Conference I showed off Jawbreaker, the first unified HackRF board. I had assembled it just prior to leaving for the conference. It is completely built (including a couple of minor corrections), and I am about three-quarters of the way through validating the design.

Jawbreaker integrates three separate designs into a single circuit board, making it smaller and easier to handle. Since my previous post, I tested multiple wideband front-end designs, eventually settling on one called Licorice. Jawbreaker is a combination of Licorice, Lemondrop, and Jellybean into a single USB-powered software radio transceiver peripheral designed to operate from 30 MHz to 6 GHz.

This week I plan to finish validating the design and ordering PCBs of the next (likely final) revision. While I validate and revise the hardware design, Jared is hard at work on a USB driver for the LPC43xx microcontroller on the board. Prior to combining the three boards into Jawbreaker, I successfully tested both transmit and receive paths from the antenna all the way to the microcontroller, but the "last mile" USB communication from the microcontroller to the host computer was still incomplete.

I had planned to bring a finished Jawbreaker for everyone attending my software radio workshop at ToorCon San Diego later this month, but unfortunately it doesn't look like I'll have enough working units by then. Instead I will provide alternative hardware that will fully enable everyone to participate in the workshop exercises, and I will send Jawbreakers to the attendees when they are finished later. (There are still a couple of seats open in the workshop, by the way.)

A puzzling feature you might have noticed on Jawbreaker is the integration of a PCB trace antenna for the 900 MHz band. Although the board is designed for operation over a much wider frequency range, this antenna allows people to start experimenting with the board in the 900 MHz band immediately without any antennas, connectors, or anything at all other than a USB cable and computer. I want it to be easy for people to get started with the device because Jawbreaker is intended as the beta test platform for the HackRF project. We plan to assemble quite a few Jawbreakers and will distribute them to beta testers in the coming weeks. Beta hardware availability will be announced at ToorCon.

Monday, July 02, 2012

Handing Over the Reins

Dominic Spill is now the lead developer of Project Ubertooth. I am so excited that he has agreed to take on the job!

A little over a year ago I packed hundreds of Ubertooth Ones into boxes and shipped them to my generous Kickstarter backers. Since then, I have worked to improve the Ubertooth software, but it has been hard to devote as much time to the project as I would like while simultaneously concentrating on other projects to keep Great Scott Gadgets going. A few months ago I realized I simply wouldn't be able to accomplish my goals unless I could get some help, so I started talking to Dominic about taking over. Thanks to everyone who has purchased Ubertooth One and the Throwing Star LAN Tap, we have finally made the arrangement a reality.

Dominic has been involved in Project Ubertooth since before it was Project Ubertooth. His work on gr-bluetooth and his paper with Andrea Bittau were the starting point for my early Bluetooth research, and Dominic and I made great strides together in a short period of time before presenting our results at ShmooCon 2009. As I started working on developing a low cost platform for Bluetooth monitoring, Dominic was there at every step along the way. His many behind-the-scenes contributions helped make Project Ubertooth what it is today.

Dominic's first task is to review a number of code contributions and modifications since the last software release and to make a new release. After that, he will focus on adding new features such as frequency hopping. Meanwhile he will be the primary person handling questions on the mailing list and coordinating contributions from other developers. I will continue to be involved (you can often catch us both on #ubertooth at, but Dominic is the lead developer going forward.

Thanks to everyone who has supported the project for helping us make this happen! We will do our best to make Project Ubertooth better than ever.

Friday, June 22, 2012

Introducing HackRF

I'd like to take a moment to properly introduce the project that is consuming most of my time this year: HackRF, a software radio peripheral. Software radio or Software Defined Radio (SDR) is the application of Digital Signal Processing (DSP) to radio waveforms. It is analogous to the software-based digital audio techniques that became popular a couple of decades ago. Just like a sound card in a computer digitizes audio waveforms, a software radio peripheral digitizes radio waveforms. It's like a very fast sound card with the speaker and microphone replaced by an antenna. A single software radio platform can be used to implement virtually any wireless technology (Bluetooth, GSM, ZigBee, etc.).

Digital audio capabilities in general purpose computers enabled a revolution in the sound and music industries with advances such as hard disk recording and MP3 file sharing. Today's computers are fast enough to process radio waveforms in similar ways, and the radio communications industry is going through the same sorts of changes. One critical advance has yet to take place, and that is the availability of low cost tools enabling any computer user to take part in the revolution.

HackRF project goals:

  • transmit and receive
  • operating frequency: 100 MHz to 6 GHz
  • maximum sample rate: 20 Msps
  • resolution: 8 bits
  • interface: High Speed USB
  • power supply: USB bus power
  • portable
  • open source hardware and software
  • low cost

There have been some exciting developments in the world of low cost software radio hardware in recent months, but the HackRF project will go much further. A key advance will be the ability to transmit as well as receive radio signals, and HackRF will also enable operation at higher frequencies, including the popular 2.4 GHz band. Most importantly, HackRF is an open source project, so people will always be able to use and modify the hardware design and software in the future. We are being very careful to only use electronic components with published documentation (no NDAs!) and to avoid software libraries without open source licenses. This means more work for us, but we think that it will be worth it in the long run.

Speaking of us, I should mention that I have some help on this project. My primary partner in this effort is Jared Boone of ShareBrained Technology (who has already written a bit about some of our development challenges). We've had some additional help from a few other people who hang out in #hackrf on, notably Benjamin Vernoux.

Ultimately, the HackRF project aims to produce a single device that meets the goals above, but right now it consists of multiple development boards that connect together. The microcontroller, USB interface, and power supply are on the largest board called Jellybean. The Intermediate Frequency (IF) transceiver, Analog to Digital Converter (ADC), Digital to Analog Converter (DAC), and clock generator are on a board called Lemondrop. Most recently, a wideband front-end called Lollipop is being tested. HackRF is based on a dual conversion architecture with a high IF (between 2.3 and 2.7 GHz), allowing us to take advantage of the excellent capabilities (per size, cost, and power consumption) of a wireless transceiver IC.

I have used software radio techniques for wireless security research for years, and I teach a workshop each year at ToorCon San Diego to help more people in the information security community become familiar with the technology. Both for my own use and to promote wireless security research, I have long dreamed of building a low cost, portable platform. Now, with support from DARPA's CFT program, I am finally able to make this project a reality.

Personally, I want a single device that can fit in my laptop bag, that doesn't require a bulky power supply, and that I can use to hack on whatever wireless systems I encounter. I'm hoping it will be about the size of a portable USB hard drive, and it will probably end up with a retail price in the neighborhood of $300, higher than technology-specific solutions like Ubertooth One but much less than any software radio transceiver on the market today.

The project is going well, and we are likely to meet most or all of the goals. If there is one we miss, it will probably be the operating frequency range. 100 MHz to 6 GHz is quite ambitious! At the very least, we will produce a platform that allows operation over a wide range including both the 2.4 GHz and 900 MHz bands.

HackRF is being developed on github. Documentation is coming together slowly on the wiki.

Thursday, May 10, 2012

An Indoor Photovoltaic Energy Harvesting Solution

I've posted a video describing technical details of the indoor photovoltaic energy harvesting solution implemented in the Firefly Cap. I hope you like it!

Sunday, May 06, 2012

Firefly Cap on Kickstarter

I've launched a new project on Kickstarter called the Firefly Cap. It is a fun electronics kit you can use to build a jar of fireflies or power your own project with indoor photovoltaic energy harvesting. Thanks for your support!

Friday, February 24, 2012

The Icetweets Cometh

On Sunday I will leave for Fairbanks for another year of carving ice with Lars Hansen at the World Ice Art Championships. After taking last year off, we will once again compete in the Single Block Classic next Tuesday through Thursday.

I'm going to do one thing differently this year: Instead of blogging about our progress (and struggling to post up-to-date information), I'm going to try tweeting. I've only been on Twitter for about a year, and this will be my first ice carving event since then. It should be easier for me to post quick updates and photos that way without having to take as much time away from the competition to prepare blog entries.

So, for those of you who have followed our ice sculpting escapades on this blog in the past, you should keep an eye on my Twitter feed this time around. I may post a little bit (like hopefully a web cam link) here, but most of my updates will be over there. My poor Twitter followers (who mostly know me for things unrelated to ice) have no idea what's coming!

Oh, and here's a photo from Lars, a sneak peek at what we'll be doing next week!