
Indeed. Yeah, so I'm going to speak about my experiences developing a sort of stand-alone SDR, software-defined radio, platform that isn't dependent upon a computer to do its magic. But first let me review what a radio is in general. A radio receiver typically amplifies a chunk of spectrum, filters it, uses a frequency translation technique called mixing to convert it to some other frequency, and then performs a demodulation operation on it in order to recover the information, whether it be audio or television or Bluetooth or whatever. Software-defined radio simply changes the last box into an A-to-D converter, digitizes the signal, and then does all of the demodulation and decoding using general-purpose computing hardware and software. Typically that winds up looking something like this: additional filtering, decimating of the signal bandwidth in order to make processing easier, demodulation algorithms, and decoding, if it's digital data, into packets or whatever the data scheme happens to be.

So this is my chosen platform. This is the HackRF One from Great Scott Gadgets. Wait, where'd you go? There he is, right there: Michael Ossmann's radio. Applause line, I didn't expect that. So what this device boils down to is you've got a radio inside the little sort of golden dotted-line area there. It's got a bunch of amplification, a couple of intermediate-frequency mixers, and then there's a chip up at the top, nearest to the HackRF logo, that is the actual A-to-D and D-to-A converter. Then there's a little bit of glue logic, a large chip, and then the largest chip is a dual-core ARM microcontroller. In common use, the original use case of the HackRF is designed to just shoot all the baseband data that was digitized out to a PC for processing. I got the bright idea of sticking an LCD panel, navigation controls, an audio interface, and an SD card slot onto that board, because it comes with headers built in, so you can do demodulating of analog signals, like narrowband FM, like walkie-talkies, AM, pretty much any kind of narrowband audio signal, and also doing a few digital modes, including boats, aircraft, and tire pressure monitors on cars, which I'm somewhat notorious for. I'll also speak about my intent for the future for this device, which is to be able to do more digital modes, including maybe APRS and Bluetooth LE beacons and a bunch of other interesting things that are simple enough to be accomplished on a device like this. I would also like to be able to do capture and replay and signal generation and transmitting.

So let's get into more detail about what we have to play with on the HackRF. The LPC4300 series consists of two ARM microcontroller cores; they're Cortex-M cores. One core is the M4F, which has hardware DSP instructions and hardware floating point, and then there's an M0, which really isn't very good at math at all, but it runs at 200 megahertz, which is really nothing to sneeze at. I grew up in, or had computers in, the 80s and learned how to program in the 80s, and people were doing amazing stuff in the demo scene and writing video games on 7.16 megahertz 68000s in Amigas and stuff. Unfortunately I didn't find the greatest demo picture.

So this is how I wound up breaking down the architecture of the device. Since we've got two processors and one's really good at math and one really isn't, it seemed fitting to do all the signal processing on the M4F, on the left side here, and to do all the user interface stuff on the other side. So the M0 sets up all the hardware, reads and writes to the LCD panel, renders the user interface, and then performs miscellaneous I/O to control the radio, set up the real-time clock, all that stuff. And then the M4F does the heavy lifting of receiving or sending samples to the radio portion of the hardware and all the signal processing involved in that.

So it would be nice to have some form of an operating system, especially because we've got two processors we've got to work with and they need to communicate data back and forth. I need to be able to receive interrupts, handle them, defer them to the extent necessary for processing later on without choking response time for new interrupts coming in. So I poked around a bunch and found an operating system that, it turns out, I really like. It's called ChibiOS, and it's got a ton of operating system features. You might ask, well, why didn't you use Linux? Well, that's because this Cortex-M series part has got only 200K worth of RAM, which is not even... I don't even know what the Linux kernel takes in its minimum configuration these days, but I imagine it's well above 200K. However, there's a little bit of Linux in the design: in order to communicate between the two processors I implemented a FIFO scheme, and I've basically ripped off the kfifo implementation in the kernel, because it's brilliant and I talk about it at every opportunity I can.

So we don't have a whole lot of RAM, and if you're writing a user interface, that tends to eat a lot of program space. Fortunately the HackRF has got a 1 megabyte SPI flash on it, and it has a quad mode that allows you to pull 4 bits out of this little serial flash part at one time, and you can operate it at 100 megahertz. So if you do the math, you've got roughly a 400 megabit interface. Still not super fast; that means, what's the math, 10 to 20 32-bit instructions per second... sorry, 10 to 20 million instructions per second. But if you're writing a user interface and you're modest about what you ask it to do, it turns out to be plenty fast. Oh, and this was the slide I meant to show when I was explaining that: this is basically the wire protocol for an SPI flash device.

So as I said, RAM is very limited. It's broken into four different chunks, and there's two regions that are considered local; they're tied in really closely to the microcontroller core that's executing the code, and so I opted to use those, of course, to run the code for the baseband, since that's where I really need the performance. There are other blocks that I have dedicated to holding the stack for the M0 processor, the user-interface processor. It's running code out of flash and it's using the slower chunk of RAM as its stack. Now, a nice design about this ARM processor: it's got this matrix configuration where any bus master can connect to any slave device independent of any other connection, as long as you don't have two masters trying to reach the same slave at the same time, at which point there's a contention arbitration scheme that takes place and you wind up losing a lot of performance. So by cordoning off certain chunks of RAM to certain tasks and to specific processors, I was able to get pretty much as much throughput as is theoretically possible. And by the way, if I'm losing anyone, just raise your hand like that; I'm happy to answer questions as we go along.

So we've got two cores. It's kind of a challenging situation to debug in, especially when we're talking about a computing device that does not have a screen, doesn't have enough memory to implement SSH or frankly even something like telnet or a TCP/IP stack; there's really none of that. So the best option is to go with JTAG or Serial Wire Debug. Serial Wire Debug is a little bit easier because you only need two wires plus ground to make that happen, but it turns out, the way the chip is implemented, you can only access the M4 core from the Serial Wire Debug interface. So I went with a JTAG interface; I can reach both cores and debug them both simultaneously. And I used this device, which is called a Black Magic Probe, which I highly recommend. What it does is it provides an interface directly to GDB, so you start up your ARM GDB and you just point it at the serial port that the Black Magic Probe exposes and you're debugging, and that's all there is to it: no OpenOCD configuration or other hinky software. That Black Magic Probe, I don't know,
Gareth McMullin, I think he's busy with a whole lot of other stuff, so the Black Magic Probe is a little hard to acquire, although 1BitSquared carries it, and so Peter's happy to sell Black Magic Probes to the hilt. But yeah, I don't think Gareth is really supporting it as well as he could.

Now let's get into signal processing more. So in software-defined radio you're dealing with much smaller bit depths, or sample sizes, than you would in, say, audio. In audio you're doing 16 or 24 bits at a time; with the HackRF, it produces 8-bit samples. And it turns out the Cortex-M4 has got a lot of these vector instructions that are finely tuned to doing exactly this type of signal processing. Here's an example where you've got two 16-bit values packed into a 32-bit word, and another, and then you can multiply either 16-bit chunk, accumulate it into another register, and then write it to a fourth register, I guess it is... yeah, fifth, or is it fourth, I can't count. And all that happens in one instruction cycle, which for a $5 microcontroller is pretty amazing, if you ask me.

Doing software-defined radio also requires doing a lot of complex math: complex numbers and imaginary numbers and all that. This is typically how you multiply two complex numbers together. You can see there's four multiplications and two additions; one is actually a subtraction, same difference. And there are instructions perfectly optimized for that too, that also execute in a single instruction cycle. You take 16-bit integers packed into 32-bit integers; you can multiply them in different combinations. Sorry, wrong way. So you've got a whole smattering of instructions that combine your operands in different ways in order to implement things like complex multiplication, FFT butterflies. It's ideal.

So, it turns out on a Mac you can't actually see your notes at the same time that you're showing your slides, so I emailed my notes to myself and I'm reading them on my phone.

So the next thing I want to talk about is what Ossmann refers to as the HackRF middle finger. This is the DC offset spike, which is an artifact of the way the radio is designed, and it's very commonplace in radios with the same architecture. The trouble is that it tends to sit right on top of the signal you're tuned to. So a common technique to deal with that is to tune a little bit off to the side. So maybe instead of tuning right to 852 megahertz, which is where this is set up right now, you tune to 851, and your signal shows up not in the middle but offset a little bit. And that has obvious benefits: you don't have the spike sitting there cluttering up your data as you're collecting it. But it also turns out, if you shift exactly one quarter of your sample rate up or down, the math to do that gets really easy. Instead of using the common technique of multiplying this spectrum that you've captured by a complex sinusoid of the frequency that you want to shift, all you have to do is a bunch of simple arithmetic, sorry, addition and subtraction. So something that would have taken a bunch of sines and cosines and a bunch of four multiplies and two adds per sample turns into basically a single addition per sample. Saves a lot of time if you plan things out so that you're shifting exactly one quarter of your sampling rate.

Another common technique that's used is what's called a CIC filter, which is a comb integrator... I should have actually looked up... what's that? Yes, cascaded integrator comb. Which, it turns out, is nothing but an adder and an accumulator. Instead of the common way of implementing filters by doing a lot of multiplications and additions per sample, you just set up an accumulator, or a series of accumulators, that sit there and just accumulate the value coming in. And it turns out they even overflow, but it turns out the overflow is part of the magic, and it's way too deep of a subject to go into now. But the net effect is you get this kind of interesting comb filter effect, and if you're trying to pick out a very narrowband signal, like the region shown in yellow there, out of a very wide capture bandwidth, CIC filters turn out to be pretty much ideal. They require almost no hardware to accomplish; they just require a little bit of planning to make sure that when you downsample your data you don't wind up with the folding effect, which is represented in the graph on the bottom, folding into a region where you're getting significant signals into the radio.

Now there's another trick that you can play with CIC filters, which is basically to flatten them out into FIR filters, which looks a bit like this. Instead of having this integrator, if you already have code to do a finite impulse response filter, you can just do it this way. And that's neither here nor there, except that by combining this translation trick that I talked about earlier, shifting the frequencies just using adds and subtracts, you can combine them with filters like these to do both of the processes in a single step. And so I use that in the PortaPack code to take the signal coming in from the radio, decimate it by 2, from typically a 3 megahertz sampling rate down to 1.5, and at the same time shift that DC offset, that middle finger, out of the way, so that I could just pick up the signal I wanted right out of the middle of the spectrum. Oh wow, I'm blowing through this.

Okay, so this is my really, really weak slide. I just ran out of time to draw a good pretty picture of clock recovery. So when you're working with digital data you need to recover the clock that the data was output with, and the trouble is, in a purely digital environment there really is no clock; in an analog environment you've got these gently curving waveforms and you have to somehow divine where the beginning of each bit is. There's a technique that I'm fond of called early-late gate, which basically sums up the waveform in two regions slightly offset within a single bit time and then compares them, and if it's too high or too low, what it does is basically shift the window. So it's kind of a form of a phase-locked loop, but it works really well, and it turns out it's very easy to implement. Also, because of the way I've implemented the code, I can do it in floating point, because I've whittled down the sample rate with a whole bunch of filtering and decimation, the stuff I described earlier, before I have to do this, and then I can drop over to using the hardware floating point, which is a little bit slower but really deals with this very simply and elegantly.

Here is a bit of an eye chart. This is where I actually learned a lot of these techniques. There was a company called Harris, which I don't think is the Stingray Harris, that was purchased by... or at least if it is, apparently they sold off the chip-making portion of their company to a company called Intersil, which is making these chips from the 90s, which were basically software-defined radio chips. If you spend a lot of time studying this, most of the techniques I've just spoken about are all represented in this diagram and in the roughly eighty-page data sheet that goes with the chip. It's called the HSP50210. Wow, I'm going to have a lot of time for questions and answers.

So a lot of where I learned about the DSP instructions available on the ARM Cortex-M4 is from this book. I think they may have come out with a fourth edition; I've got the third edition. The best part about this book is, in the very back, they've got diagrams that show you all of the different DSP instructions and the entire data flow; in fact I lifted about three of my diagrams from this book. Then, of course, the book I always like talking about: this is Understanding Digital Signal Processing by Richard Lyons. It's a pretty good signal processing book in general, but really I would just buy it for chapter 13, which is great once you've kind of mastered signal processing in general and you want to start optimizing like crazy and trying to get something to work in a very resource-limited environment. Chapter 13 is packed with, I think, 50 or 60 different tips on how to do things more simply in just about every form of digital signal processing. So it's great.

And I am out of slides. So can I answer any questions about, in general, what it is I just said or what I'm trying to accomplish? Or... yes?

Okay, yeah, so this is designed to plug into the HackRF. It takes advantage of a bunch of GPIO ports or pins, a couple of serial ports, and drives a bunch of hardware. I've got a four-way navigation control, a jog wheel that rotates clockwise and counterclockwise, a select button in the middle. This LCD panel has a parallel interface, which is a little bit different than most LCDs this size; I can actually send 16 bits' worth of pixels to it at the same time, and at a rate of about five or six megahertz, so the refresh rate on the display is really good compared to most of the displays I've seen, which are all SPI-based. It's got a resistive touch screen. I'm not really fond of resistive touch screens, so I've been trying not to design the user interface around it, but there are places where, say, you want to type in a frequency to tune to, and instead of having to run this jog wheel around for two minutes trying to get up to five gigahertz you can just type it right in. So that's a positive feature. The micro SD card I've tested to write speeds of about two megabytes a second, which should be good for doing a lot of lower-bandwidth SDR logging. If you're demodulating a signal and you want to go and log packets that you've received based on timestamp, there's a real-time clock in here that you can use to get the timestamp, and then there's certainly enough I/O to go and log all those packets to the SD card. In an earlier version of the firmware I actually had all that stuff working and was logging tire pressure monitors and boats and stuff. Because I've re-baked all of the firmware on top of ChibiOS, I've ditched a few of the features, and I'm trying to get back up to parity with the firmware I had before.

Yes? Well, you know, first of all, just not having to juggle with the laptop in general. I go to a coffee shop near my house where there's one of these four-way crossing signals, but they're linked wirelessly, and if I were to stand out there on a busy intersection with my laptop then I would probably attract attention fairly quickly. So the ability to both do a spectrum analysis and do a capture of signals that were present in the range of spectrum I thought they're transmitting in would be a way for me to rather innocuously do a little bit of hacking on that setup without having to cart my laptop there. So that's one example. I also... and this is firmware that still has to come about; I'm probably about three or four weeks from implementing this... which is to do a wideband spectrum analysis, where instead of just sitting on a particular frequency and capturing the spectrum around that frequency, I want to go and tune across the entire band, capturing both the received signal strength that comes out of the second intermediate frequency chip and also digitizing the spectrum itself and doing an FFT on it, and then accumulating all of that stuff and doing wideband surveys, kind of like what Mike was talking about today in his talk. And in that case I could imagine hooking the thing up to a big battery and just leaving it somewhere, at a site where you want to figure out if there are interesting and perhaps not permitted signals that you want to tackle. So that's another example.

I'm also... I just got my ham radio license. I would really like to thank you; another applause line I didn't expect. Thank you. I'm a space nerd and I bought a Yagi, and I'm like, find me some satellites. Something that's a longer-term goal would be to decode things like APT transmissions from the weather service satellites. So instead of getting your weather satellites off of banal internet websites, how very crude, I would like to just pick it up and have it display on the screen, and that would be totally feasible. I would love to use this thing camping, go out and make contacts. I mean, the power output on the HackRF is very low, so if you were to do that you would have to use something like PSK31 or WSPR or something like that in order to really get some serious range, and of course a good antenna. So I envision that being another use case, not quite so security- or privacy-focused, but still fun.

Yes? Yeah, I completely glossed over that, didn't I? So this is an open-source design, like the HackRF. The hardware was designed in KiCad, and the KiCad files are in a GitHub repo, so if you just go to GitHub and you look for PortaPack you should find it. In fact, I think the actual repo name is portapack-hackrf.
Extensibility in the firmware? Oh, so I tried really hard, and that's part of the reason I introduced the operating system, to have a certain amount of common API underneath that you could take advantage of. I've been trying hard to kind of smoosh things into sort of an application paradigm, where you could build something on top of this application class and it would have the services necessary to act and work with the radio and the display and all that, and then show up in the menu so you can pick it and have full access to the widget set, all that stuff. So the intent is for people to write additional apps. I would like to see people who are in a different legal environment than the U.S. do things like implement APCO P25 with the appropriate codecs, and what's... there's DSD, I think that's the name of the library that does P25 digital codec stuff. Okay, cool. And on that note, I'm also reminded that I would love to, at some point, port the Codec2 library over so that ham radio people can use Codec2 to transmit very narrowband audio.

Yes? Yeah, so my intuition, and it's only intuition, is that I might be able to deal with some forms of modulation like Bluetooth Low Energy that have a pretty high bitrate but ultimately you're band-limited to maybe about a megahertz, and have a simple modulation like 2FSK. I have thoughts on how to accomplish it at that rate, but I think above that it's just not going to happen. So I think if you're talking about signals that have more than about a megahertz worth of bandwidth or symbol rate, I don't think it's likely you're going to be able to do that under any circumstances. But still, there's a lot of stuff here.

Yes? Oh yes, it was never enabled because it was never implemented. So that is something that I would like to do in the medium to short term, in the next four weeks I would say. In fact I might try, if there aren't too many other outstanding bugs that are freaking people out, I would like to try and do something like that for the CTF at DEFCON, because I think there might be a little bit of replay attack fun that could be had, and so I'm going to give it a shot. The SD card layer, or the SD card code, is there, so I can read any card, and in fact the test jigs that I used to test all the PortaPacks to date use the SD card interface and the FatFs library from ElmChaN to write at speeds of up to two megabytes a second. So I figure doing significant, pretty wideband captures should be feasible. Yes?
Damn near impossible. Have you ever played a video game from the 80s? That's what I'm thinking. Yeah, it's not great, but I think it'd be better than, like, the Apple TV and stuff, where you have to move left and right to pick out the letter. And then there is a touchscreen, and there may be a way to do some sort of T9 input.

That is a difficult subject, because the hardware on the LPC4320, I believe, supports OTG functionality and can act as a host, but there isn't any hardware on the HackRF to power a device, so you'd have to supply power, and you'd also need to get a full USB host stack operating in the firmware, which, you know, it's not impossible, but it is definitely an undertaking. So there might be a way, if you have some way to inject power, to pull something like that off, but I haven't given it a whole lot of thought.

Yes? Yeah, maybe using all the serial ports. So I wound up having to repurpose pretty much every available pin on the HackRF interface to get all of the functionality that I've got in there now. I probably could have... it was pretty rough. I wound up reusing one of the audio codec interface pins to also go to the CPLD for programming; there's a little glue-logic CPLD on the PortaPack that I want to be able to program, but it comes at a cost: it excludes operation of the audio codec at the same time, which I didn't think was going to be a big deal, but I was that pinched for extra pins.

Dominic? About six years, which is to do people stuff for you? So you could probably say... yes, processor. Yeah, you need some sort of weird-ass keyboard. I think the idea is to do some sort of digital modulation of key presses and then decode it in an external device, so you'd almost have like an odd clock. Okay, that might be feasible; it'd be sick and twisted, but it would be feasible. That's okay. Hmm, wireless? Yeah, yep, some wireless keyboard. Yeah, yes sir.

Are you a plant? Okay, so I believe it was two days ago I committed a change that adds an extra menu item at the top level that says HackRF, and you go in there and it says, do you want to run the HackRF firmware? You say yes, and half a second later it's a HackRF. So it's got an embedded image of the HackRF firmware; it shuts down all the hardware to make sure that the handoff is safe and then kick-starts the HackRF firmware into business. But as of two days ago, before Tuesday, two days ago, you would have had to reflash it or run the RAM-only HackRF code. Either way, it wasn't really onerous, but it was kind of lame, so it's fixed. There's a reset button, and so by default it boots out of the SPI flash, which is where the HackRF code, or sorry, PortaPack code, lives, with also this image of the HackRF firmware. Anyone else? Him first.

Are you talking about the Kickstarter prototype? That should be the same thing. Now, Jawbreaker, that won't work. So if you got a Jawbreaker from ToorCon 2012 then the form factor is completely different. I would love to adapt the design to Jawbreakers, because people keep asking about it, but it would be a big undertaking. So yeah, the prototype version, I mean, really it was just small mechanical changes. Not... okay, yeah, no changes to speak of. So yeah, you should be fine.

You maybe take a look back at that other stuff. That's for... yeah, as soon as I get my video back I... get out, get back in again. That's a positive development.
Okay, this might be better done with the wireless microphone. There I am. Okay, so this is just a receiver; there's no transmitter here to speak of. But this is the Harris chip that I mentioned before, and it's pretty much an entire software-defined radio in a single chip. Way over here we've got a level detector that's good for just setting the gain on the analog circuitry that feeds it. There's a complex multiplier, which I was talking about, doing frequency translation: moving a signal from anywhere in the captured spectrum down to around zero hertz, where you can start to filter it with low-pass filters; that's what goes on here. And it produces its own complex sinusoid to perform that mixing operation, using a sine and cosine that's driven by a numerical oscillator down here, controlled by some sort of input from a PLL that tracks the carrier and yadda. Then we're going into a series of filters which are used to recover digital symbols. So there's a root-raised cosine filter, which is kind of the ideal way to recover shaped symbols from, like, Bluetooth and such. I'm doing this off the cuff, so I may say things that aren't entirely true. These are typically used if you've got a shaped waveform that is designed to consume less bandwidth and be a better neighbor on the spectrum; thank you, Mike, for that phrase. You don't use this if you're dealing with a strict FSK signal, where it's just slamming back and forth between two frequencies. Typically you would use something like an integrate-and-dump setup, which is what happens over here, and it's effectively an accumulator that accumulates the sample values over a single symbol time and then dumps the accumulated value. For a two-frequency FSK setup you would do that for two filters, one that was at the positive deviation frequency and one that was at the negative deviation frequency, and then you compare them, and whichever one was stronger indicates whether you've got a one or a zero. I'm not going to talk about the PSK stuff, because I kind of ignored it, because I don't do a lot of PSK. But then we get into more demod, where, among other things, we're figuring out what the amplitude of the signal is and also what the angle of the complex sample is, so that if we wanted to do instantaneous carrier tracking we could look at that value and feed it back into the numeric oscillator over here to track the carrier as it changes. Soft decision slicers are kind of new to me. My understanding of how soft decision slicers work is they produce outputs that represent "it's kind of a 1" or "it's kind of a 0", and then fold back into that knowledge of prior samples or prior symbols and make a weighted decision based on the encoding scheme and various other bits of information that may help it be more sure that it is in fact a 1 or a 0 that it's trying to recover from the stream. This is gain control; it's used just to basically maintain a good amplitude of signal so that the later signal processing here has enough signal to work with. In particular, I believe that this computation of the angle of the sample will be negatively affected if you don't keep the gain of the samples high enough. I think I've run out. It turns out there's actually a whole other diagram, and that's all the symbol tracking and carrier tracking registers and setup, so there's other magic. I didn't put it into the slides because I wasn't actually planning to talk about it. Good.

And then, Dominic, you had a question: is there capacity to do anything on the CPLD? In this stack there are now two CPLDs; there's one on the PortaPack and there's one on the HackRF. The HackRF CPLD has just enough logic to do what it's doing already, and that amount of logic to begin with is almost nothing; effectively it's just a register and a little bit of logic to invert one channel of samples depending, and then also reverse the flow if you're transmitting, and that's about it. So there's almost nothing in there. The PortaPack CPLD, there's a little bit more space, but it's a similar type of part where there's virtually no logic; there's certainly no multipliers, there's none of these fancy DSP blocks that you get in real FPGAs. So the answer, unfortunately, is no, there's no programmable logic really, CPLD or FPGA programming logic, that you could use to do signal processing.

Any more questions? Yes sir. It uses the... the part is actually on the HackRF. Do you know how many ppm you specified on that? Right, but it uses a 32 kilohertz crystal that is on the HackRF. It's specified by... I would imagine it's, you know, in the 20 or 30 parts per million, so it'll drift. Ideally you'd hook it up to a GPS or something like that, if it had a serial port to spare to do that. Anyone else? Yes?

That's a good question. So, is the compiler that I'm using smart enough, or is there a compiler smart enough, to automatically vectorize instructions for the ARM Cortex-M4 or M4F? I'm using GCC, because I'm trying to keep with only open-source tools, and in my experience I have not been able to get it to produce good vectorized code, and I have hand-coded a lot of stuff. In fact, I believe I'll have some... if I can get... yeah, that's too small. Basically I'm using intrinsics wrapped up in functions inside GCC to write C/C++ code but be able to specifically insert instructions where necessary to get some of the clever instructions to appear in the stream. So yeah, I've had to write stuff by hand, but at the end of the day it's only been maybe a hundred instructions, and once I got them working I just didn't touch them. So it's a bit onerous, but it's a dirty job that you just get through, and then you don't have to deal with it. All right, thank you.
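The inter-core FIFO the talk says was modelled on the Linux kfifo, written out as an added example (this is not the PortaPack firmware's code, and the 8-byte size, the hypothetical `fifo_*` names and the constructed payloads are this example's choices). The point worth seeing in code is the one the talk hints at with "the overflow is part of the magic": the `in` and `out` counters are never masked except when indexing the buffer, so `in - out` is the fill level even after a counter wraps past `UINT32_MAX`, and `fifo_put` refuses bytes rather than overwriting unread data. The barrier is `__sync_synchronize()`, a GCC/Clang builtin; on the LPC4300 the equivalent would be a DMB instruction between the two cores.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical single-producer / single-consumer byte FIFO in the kfifo style.
 * Size must be a power of two so that "& MASK" replaces a modulo. */
#define FIFO_SIZE 8u                 /* constructed value for the demo */
#define FIFO_MASK (FIFO_SIZE - 1u)

typedef struct {
    volatile uint32_t in;            /* advanced only by the producer core */
    volatile uint32_t out;           /* advanced only by the consumer core */
    uint8_t buf[FIFO_SIZE];
} fifo_t;

/* start lets a test place both counters just below the 32-bit wrap point */
static void fifo_init(fifo_t *f, uint32_t start) { f->in = start; f->out = start; }

/* Unsigned subtraction is exact modulo 2^32: no special case for wrapped counters */
static uint32_t fifo_len(const fifo_t *f) { return f->in - f->out; }

/* Copy up to len bytes in; returns the number accepted (never overwrites unread data) */
static uint32_t fifo_put(fifo_t *f, const uint8_t *src, uint32_t len)
{
    uint32_t space = FIFO_SIZE - fifo_len(f);
    if (len > space) len = space;
    uint32_t off = f->in & FIFO_MASK;          /* physical write position */
    uint32_t first = FIFO_SIZE - off;           /* bytes until the buffer end */
    if (first > len) first = len;
    memcpy(f->buf + off, src, first);
    memcpy(f->buf, src + first, len - first);   /* wrapped remainder, possibly 0 */
    __sync_synchronize();                       /* data lands before the counter moves */
    f->in += len;
    return len;
}

/* Copy up to len bytes out; returns the number actually read */
static uint32_t fifo_get(fifo_t *f, uint8_t *dst, uint32_t len)
{
    uint32_t avail = fifo_len(f);
    if (len > avail) len = avail;
    uint32_t off = f->out & FIFO_MASK;
    uint32_t first = FIFO_SIZE - off;
    if (first > len) first = len;
    memcpy(dst, f->buf + off, first);
    memcpy(dst + first, f->buf, len - first);
    __sync_synchronize();                       /* finish reading before releasing slots */
    f->out += len;
    return len;
}

/* Round-trip 6 bytes through a FIFO whose counters start 4 below UINT32_MAX,
 * so "in" wraps to 2 on the way; returns 1 if length and data stayed correct. */
static int demo_wrap_roundtrip(void)
{
    fifo_t f;
    static const uint8_t msg[6] = {'A', 'B', 'C', 'D', 'E', 'F'};   /* constructed */
    uint8_t back[6] = {0};
    fifo_init(&f, UINT32_MAX - 3u);
    if (fifo_put(&f, msg, 6) != 6) return 0;
    if (fifo_len(&f) != 6 || f.in != 2u) return 0;   /* counter wrapped, length still 6 */
    if (fifo_get(&f, back, 6) != 6) return 0;
    if (fifo_len(&f) != 0) return 0;
    return memcmp(msg, back, 6) == 0;
}

/* Offer 12 bytes to an 8-byte FIFO; returns how many were accepted */
static uint32_t demo_bounded_put(void)
{
    fifo_t f;
    uint8_t big[12];
    for (int i = 0; i < 12; i++) big[i] = (uint8_t)i;
    fifo_init(&f, 0);
    return fifo_put(&f, big, 12);               /* 8: the rest waits for the consumer */
}

int main(void)
{
    printf("wrap round-trip ok: %d\n", demo_wrap_roundtrip());
    printf("accepted %u of 12 bytes\n", (unsigned)demo_bounded_put());
    return 0;
}
```

With one writer per counter and a barrier between the data copy and the counter update, no lock is needed between the two cores; that is what makes this shape attractive for the M4F-to-M0 hand-off the talk describes.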
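The quarter-sample-rate shift and the CIC decimator from the signal-processing part of the talk, combined into one pass the way the talk describes (shift the wanted signal from fs/4 down to DC, decimate by 2, and push the DC spike out of the way). This is an added example, not the PortaPack code: the two-stage R=2 CIC is my choice (the talk's variant flattens the CIC into an FIR), the 16-sample tones are constructed, and `quarter_rate_shift`, `cic2_push`, `shift_and_decimate`, `make_tone` and `demo_output` are hypothetical names. The shift multiplies by (-j)^n, which cycles through 1, -j, -1, +j and so needs only swaps and negations; the integrators deliberately run in wrapping unsigned arithmetic, and the combs after the decimator undo the wrap.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Multiply x[n] by (-j)^n in place: shifts the spectrum down by fs/4 with no
 * sine table and no multiplies, just swaps and sign changes. */
static void quarter_rate_shift(int16_t *i, int16_t *q, size_t n)
{
    for (size_t m = 0; m < n; m++) {
        int16_t a = i[m], b = q[m];
        switch (m & 3u) {
        case 0:  break;                                        /* x * 1   */
        case 1:  i[m] = b;            q[m] = (int16_t)-a; break; /* x * -j  */
        case 2:  i[m] = (int16_t)-a;  q[m] = (int16_t)-b; break; /* x * -1  */
        default: i[m] = (int16_t)-b;  q[m] = a;           break; /* x * +j  */
        }
    }
}

/* Two-stage CIC decimator (N = 2, R = 2, M = 1) for one real channel.
 * The integrators are allowed to wrap (unsigned arithmetic is exact mod 2^32);
 * the combs at the lower rate cancel the wrap, so only the output must fit.
 * DC gain is R^N = 4; there is an exact null at the input's fs/2. */
typedef struct { uint32_t i1, i2, d1, d2; unsigned phase; } cic2_t;

/* Push one input sample; returns 1 when an output sample was produced */
static int cic2_push(cic2_t *c, int32_t x, int32_t *out)
{
    c->i1 += (uint32_t)x;
    c->i2 += c->i1;
    if (++c->phase < 2) return 0;          /* keep every second integrator value */
    c->phase = 0;
    uint32_t v  = c->i2;
    uint32_t y1 = v  - c->d1; c->d1 = v;   /* first comb  */
    uint32_t y2 = y1 - c->d2; c->d2 = y1;  /* second comb */
    *out = (int32_t)y2;                    /* small values here; no wrap at the output */
    return 1;
}

/* Shift by -fs/4 and decimate by 2 in one pass; returns the number of output pairs */
static size_t shift_and_decimate(int16_t *i, int16_t *q, size_t n,
                                 int32_t *out_i, int32_t *out_q)
{
    cic2_t ci = {0}, cq = {0};
    size_t produced = 0;
    quarter_rate_shift(i, q, n);
    for (size_t m = 0; m < n; m++) {
        int32_t oi, oq;
        int got_i = cic2_push(&ci, i[m], &oi);
        int got_q = cic2_push(&cq, q[m], &oq);
        if (got_i && got_q) { out_i[produced] = oi; out_q[produced] = oq; produced++; }
    }
    return produced;
}

/* Constructed input: amp * j^(k*m), a tone at k*fs/4 for k in {-1, 0, 1} */
static void make_tone(int16_t *i, int16_t *q, size_t n, int16_t amp, int k)
{
    static const int re[4] = {1, 0, -1, 0};
    static const int im[4] = {0, 1, 0, -1};
    for (size_t m = 0; m < n; m++) {
        size_t idx = (m * (size_t)(k + 4)) & 3u;   /* (k*m) mod 4 */
        i[m] = (int16_t)(amp * re[idx]);
        q[m] = (int16_t)(amp * im[idx]);
    }
}

/* Run a 16-sample tone at k*fs/4 (amplitude 100) through the pipeline and return
 * output sample idx of channel 0 (I) or 1 (Q); INT32_MIN if idx is out of range. */
static int32_t demo_output(int k, int channel, size_t idx)
{
    int16_t i[16], q[16];
    int32_t oi[8], oq[8];
    make_tone(i, q, 16, 100, k);
    size_t n = shift_and_decimate(i, q, 16, oi, oq);
    if (idx >= n) return INT32_MIN;
    return channel ? oq[idx] : oi[idx];
}

int main(void)
{
    /* wanted signal at +fs/4 lands on DC with gain 4; the tone at -fs/4, which
     * decimation would fold onto DC, hits the CIC null; DC (the spike) ends up
     * at the new band edge, attenuated by half */
    printf("+fs/4 -> I=%d Q=%d\n", demo_output(1, 0, 7), demo_output(1, 1, 7));
    printf("-fs/4 -> I=%d Q=%d\n", demo_output(-1, 0, 7), demo_output(-1, 1, 7));
    printf("DC    -> I=%d Q=%d\n", demo_output(0, 0, 7), demo_output(0, 1, 7));
    return 0;
}
```

The three constructed cases show the whole design decision at once: the signal tuned to fs/4 comes out as a clean DC level of 400 (4 x 100), the mirror tone that naive decimation would alias onto DC is removed exactly, and the DC spike becomes a +/-200 alternation at the output's Nyquist edge, which is where the talk wants it, out of the middle of the spectrum.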
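The early-late gate clock recovery the talk describes (sum the waveform over two half-windows within one bit time, compare, and slide the window), written as an added floating-point example rather than the PortaPack implementation. The NRZ sample stream, the 8 samples per symbol, the 3-sample timing offset and the bit pattern are all constructed, and `early_late_recover`, `demo_build`, `demo_bit_errors` and `demo_recovered_offset` are hypothetical names. Across a data transition a window that starts late sees a stronger early half than late half, and vice versa; on a run of equal bits both halves match and the loop coasts, which is why the technique needs transitions to lock.

```c
#include <stddef.h>
#include <stdio.h>

static float absf_(float v) { return v < 0.0f ? -v : v; }

/* Early-late gate symbol timing on NRZ samples (levels near +/-1).
 * pos is the estimated start of the current symbol; err > 0 means the window
 * started late, so the next step advances by less than one symbol. */
static size_t early_late_recover(const float *x, size_t n, int sps, float mu,
                                 int *bits, size_t max_bits, float *final_pos)
{
    float pos = 0.0f;
    int half = sps / 2;
    size_t count = 0;
    for (;;) {
        size_t s = (size_t)(pos + 0.5f);                /* nearest sample index */
        if (s + (size_t)sps > n || count >= max_bits) break;
        float early = 0.0f, late = 0.0f;
        for (int k = 0; k < half; k++) early += x[s + k];
        for (int k = half; k < sps; k++) late += x[s + k];
        bits[count++] = (early + late) >= 0.0f ? 1 : -1; /* hard decision */
        float denom = absf_(early) + absf_(late);
        float err = denom > 0.0f ? (absf_(early) - absf_(late)) / denom : 0.0f;
        pos += (float)sps - mu * err * (float)half;
    }
    if (final_pos) *final_pos = pos;
    return count;
}

#define DEMO_SPS    8
#define DEMO_OFFSET 3          /* constructed: the first symbol starts at sample 3 */
#define DEMO_NBITS  24
#define DEMO_LEN    (DEMO_OFFSET + DEMO_NBITS * DEMO_SPS)

/* constructed bit pattern with plenty of transitions */
static const int demo_bits[DEMO_NBITS] = { -1, 1, 1, -1, 1, -1, -1, 1, -1, -1, 1, 1,
                                           -1, 1, -1, 1, 1, -1, -1, 1, -1, 1, 1, -1 };

/* Constructed stream: DEMO_OFFSET samples of idle +1, then each bit held for
 * DEMO_SPS samples. Clean levels; noise is not modelled. */
static void demo_build(float x[DEMO_LEN])
{
    for (size_t n = 0; n < DEMO_LEN; n++) {
        if (n < DEMO_OFFSET) x[n] = 1.0f;
        else x[n] = (float)demo_bits[(n - DEMO_OFFSET) / DEMO_SPS];
    }
}

/* Number of wrong decisions over the whole stream (-1 if the count is off) */
static int demo_bit_errors(void)
{
    float x[DEMO_LEN]; int got[DEMO_NBITS + 4]; float fp;
    demo_build(x);
    size_t n = early_late_recover(x, DEMO_LEN, DEMO_SPS, 0.5f, got, DEMO_NBITS + 4, &fp);
    if (n != DEMO_NBITS) return -1;
    int errors = 0;
    for (size_t k = 0; k < n; k++) if (got[k] != demo_bits[k]) errors++;
    return errors;
}

/* Recovered symbol start modulo sps; the loop should find DEMO_OFFSET */
static int demo_recovered_offset(void)
{
    float x[DEMO_LEN]; int got[DEMO_NBITS + 4]; float fp;
    demo_build(x);
    early_late_recover(x, DEMO_LEN, DEMO_SPS, 0.5f, got, DEMO_NBITS + 4, &fp);
    return (int)(fp + 0.5f) % DEMO_SPS;
}

int main(void)
{
    printf("bit errors: %d, symbol start mod %d: %d (expected %d)\n",
           demo_bit_errors(), DEMO_SPS, demo_recovered_offset(), DEMO_OFFSET);
    return 0;
}
```

Starting three samples early, the loop needs only the first two transitions to land on the symbol boundary and then coasts with zero correction; with mu = 0.5 the largest step is half a symbol, which is what keeps it from overshooting into the opposite error. On real, noisy input the normalised error term keeps the step size independent of signal amplitude, which matters once the samples have been through the gain stages described later in the talk.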