HackRF One 101
SUMMARY
This is an introduction to Software Defined Radios (SDR), a type of radio system widely used in RF hacking. The HackRF One is an SDR that can be used either connected to a computer USB port or as a portable standalone unit; the latter requires the PortaPack add-on running the Mayhem firmware. These three components coupled together allow the HackRF One SDR to be used outdoors. This document provides an introduction to the system components and instructions for an initial setup and firmware upgrade, as well as instructions on how to adjust the gain and choose the right antenna length for a successful signal reception.
KEYWORDS
Software Defined Radio (SDR), RTL-SDR, RTL2832U, HackRF, PortaPack, Mayhem firmware.
REFERENCES
https://www.rtl-sdr.com/big-list-rtl-sdr-supported-software/
https://greatscottgadgets.com/
https://www.sharebrained.com/portapack/
https://www.youtube.com/watch?v=9jw44trQyHg
https://github.com/portapack-mayhem/mayhem-firmware
https://hackrf.readthedocs.io/en/latest/faq.html#what-gain-controls-are-provided-by-hackrf
https://hackrf.readthedocs.io/en/latest/hardware_components.html#hackrf-one-r9-block-diagram
https://hackrf.readthedocs.io/en/latest/list_of_hardware_revisions.html#hackrf-one-r10
https://www.wavewalkerdsp.com/2022/05/18/adc-saturation-why-more-gain-isnt-always-better/
https://github.com/portapack-mayhem/mayhem-firmware/wiki/antennas
SOFTWARE DEFINED RADIO
In traditional analog radios, waves are picked up by an antenna. The induced signals are filtered, demodulated, amplified and passed to a loudspeaker. Typical hardware components of these radio receivers are amplifiers, tuners, capacitors, inductors, demodulators, filters, etc.
In modern times, thanks to the development of electronics, new hardware devices called software defined radios (SDR) based on digital signal processing provide advanced signal reception capabilities. Analog signals are received by the antenna and then converted to digital so they can be processed by computers. Basically, RF signals are received, translated to digital by an ADC (analog-to-digital converter), then processed by a DSP (Digital Signal Processor) or by SDR software running on a computer. Finally, the digital signal is converted back to analog by a sound card and passed to a speaker. Typical components of an SDR are ADC/DAC converters, DSP, digital filters, computers, SDR software and sound cards.
Modern electronics allow all these components to be integrated in small chips. For example, the Realtek RTL2832U, a chipset originally designed as a DVB-T (Digital Video Broadcasting - Terrestrial) tuner for TV reception, has been repurposed for SDR applications due to its interesting features: an 8-bit ADC (it is receive-only, so there is no DAC), a wide reception range (roughly 24 MHz to 1.75 GHz, depending on the tuner it is paired with), low energy consumption and a very low cost. On top of this, it connects to a computer over USB 2.0.
The RTL-SDR is a popular SDR device based on the RTL2832U chipset; it is integrated in a USB 2.0 dongle and typically provides an SMA female connector for the antenna.
Last but not least, once you have your SDR dongle connected to your computer USB port, you need SDR software to process the digital samples sent by the SDR hardware. There are dozens of them, and some are open source or free for personal use, such as SDR#, GNU Radio, SDRangel or OpenEar.
HACK RF ONE
Components
HackRF One is open-source SDR hardware made by Great Scott Gadgets, capable of receiving and transmitting signals in a half-duplex scheme (it can transmit or receive, but not both at the same time). It supports USB 2.0, operates between 1 MHz and 6 GHz and provides an SMA female antenna connector. Being open-source means that anyone can modify its design to improve or customize it, so it is common to find clones or custom versions based on the Great Scott Gadgets original design.
In the following picture a HackRF One rev. R9 is shown. It includes an ADC/DAC chip to convert analog signals to digital (and vice versa), a microcontroller, an RF front end (an RFFC5072 mixer in front of a MAX2839 transceiver) and a programmable CPLD.
When connected to a USB port, it operates as SDR hardware driven by one of the SDR software packages suggested before. However, one interesting complement is an accessory called PortaPack, designed to turn the HackRF One into a portable device. The PortaPack is an add-on board that provides a battery, an LCD display, an SD card slot and a custom firmware (which works as a portable SDR application).
It is stacked on the HackRF board, enhancing its capabilities and adding new features. Once both boards are coupled, the HackRF One + PortaPack stack no longer needs to be connected to a computer and can be taken outdoors.
In addition to the HackRF One and the PortaPack, the third leg of the set is the Mayhem firmware. It is a custom firmware for the PortaPack, based on the original PortaPack firmware, that is controlled through the LCD touchscreen and acts as the SDR software loaded in the device.
SD card installation
One of the first actions to do with the HackRF + PortaPack is to install an SD card with additional files such as maps, applications, etc. Navigate to the Mayhem firmware releases page, choose one of the releases, download the file mayhem_vx.x.x_COPY_TO_SDCARD.zip, open it and extract its contents into the SD card root folder.
Keep the same folder structure so, after the process, the root SD card folder looks similar to this.
Mayhem firmware update
The version of the installed Mayhem firmware appears in the lower left corner of the initial menu.
On the aforementioned Mayhem releases page, choose the latest official release and download the file mayhem_vx.x.x_FIRMWARE.ZIP. Open the file, extract the firmware .bin file and copy it into the FIRMWARE folder on the SD card. Then navigate to Utilities -> Flash Utility in the Mayhem menu. A screen appears listing the firmware images available to flash, one per BIN file in the FIRMWARE folder.
Choose the desired firmware and let the process finish.
Once the firmware is updated, the new version appears in the lower left corner.
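The two SD card steps above (unpack the COPY_TO_SDCARD archive into the card root, then drop the firmware .bin into FIRMWARE) can be scripted from the host. The following is an added example written for this page, not code from the Mayhem project. It adds the check a practitioner wants before writing a downloaded archive onto the card: it refuses any archive member whose path is absolute or contains "..", so a crafted zip cannot write outside the card root, and afterwards it lists the .bin files the Flash Utility would offer. The FIRMWARE folder name comes from the page; the file names used in the usage comment are placeholders.

```python
"""Stage Mayhem release archives onto a PortaPack SD card (added example)."""
from pathlib import Path, PurePosixPath
import zipfile

FIRMWARE_DIR = "FIRMWARE"  # folder scanned by the Mayhem Flash Utility


def unsafe_entries(archive: zipfile.ZipFile) -> list[str]:
    """Archive member names that would escape the extraction root (zip-slip)."""
    bad = []
    for name in archive.namelist():
        p = PurePosixPath(name.replace("\\", "/"))
        if p.is_absolute() or ".." in p.parts:
            bad.append(name)
    return bad


def extract_release(zip_path: Path, sd_root: Path) -> list[str]:
    """Extract a release zip into sd_root, keeping its folder structure.

    Nothing is written if any member is unsafe; a ValueError is raised instead.
    Returns the extracted member names.
    """
    with zipfile.ZipFile(zip_path) as zf:
        bad = unsafe_entries(zf)
        if bad:
            raise ValueError(f"refusing archive with unsafe paths: {bad}")
        zf.extractall(sd_root)
        return zf.namelist()


def stage_firmware(bin_path: Path, sd_root: Path) -> Path:
    """Copy a firmware .bin into FIRMWARE/ on the card; return its new path."""
    if bin_path.suffix.lower() != ".bin":
        raise ValueError(f"expected a .bin file, got {bin_path.name}")
    dest_dir = sd_root / FIRMWARE_DIR
    dest_dir.mkdir(parents=True, exist_ok=True)
    dest = dest_dir / bin_path.name
    dest.write_bytes(bin_path.read_bytes())
    return dest


def flashable_images(sd_root: Path) -> list[str]:
    """Names of the .bin files in FIRMWARE/, i.e. what the Flash Utility lists."""
    fw = sd_root / FIRMWARE_DIR
    if not fw.is_dir():
        return []
    return sorted(p.name for p in fw.iterdir() if p.suffix.lower() == ".bin")


if __name__ == "__main__":
    import sys
    # usage (placeholder names):
    #   python stage_sd.py mayhem_vx.x.x_COPY_TO_SDCARD.zip /media/SDCARD
    extracted = extract_release(Path(sys.argv[1]), Path(sys.argv[2]))
    print(f"extracted {len(extracted)} entries")
    print("flashable images:", flashable_images(Path(sys.argv[2])))
```

Run it against the mounted card root; the firmware .bin from the FIRMWARE zip goes through stage_firmware the same way, and flashable_images shows exactly the choices the Flash Utility will present.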
Gain controls
HackRF provides three stages of amplification for reception (RX) and two for transmission (TX).
If we review the HackRF One R9 block diagram, we see, next to the antenna port, an ~11 dB amplifier for RX and another one for TX. Next, inside the MAX2839 transceiver, the RX path has an IF/LNA (Intermediate Frequency / Low-Noise Amplifier) adjustable from 0 to 40 dB, followed by a baseband VGA (Variable Gain Amplifier) adjustable from 0 to 62 dB. In the TX path, the MAX2839 provides an IF amplifier adjustable from 0 to 47 dB.
RX/TX RF AMP. These nominally provide ~11 dB of gain to the received or transmitted signal; the real gain depends on the frequency (it decreases as frequency increases). They are not adjustable: they are either ON or OFF (when OFF the signal bypasses them completely). The setting is usually labeled AMP on the PortaPack display, and it takes two values: 0 or 1 for RX, and 0 or 14 for TX.
RX IF/LNA. In the HackRF One the RFFC5072 mixer first shifts the incoming RF signal to an intermediate frequency in the 2.3-2.7 GHz range, and the MAX2839 receives it there. The IF/LNA sits at the entry of the MAX2839, before the signal is converted down to baseband. Being a low-noise amplifier, its job is to raise the signal to a usable level while adding as little noise as possible, so it is the stage that largely sets the signal-to-noise ratio of the whole chain. Its gain can be adjusted from 0 to 40 dB in 8 dB steps. The value is normally labeled LNA on the display. On certain screens it is not labeled and is displayed next to the VGA setting as a pair of values; in that case the RX IF/LNA value is always the one on the left.
TX IF. This amplifier is on the TX side of the MAX2839 and acts on the TX signal after it has been converted to analog by the DAC and up-converted to the IF. It is adjustable from 0 to 47 dB in 1 dB steps and is usually labeled Gain on the display.
RX VGA. The baseband variable gain amplifier works on the down-converted I/Q signal, from DC up to the baseband bandwidth (tens of MHz at most on the HackRF One), just before the ADC. It sits after the LNA in the RX path and amplifies everything, noise included, so it makes sense to use it as the fine adjustment once the LNA has set the level and minimized the noise. On the PortaPack the VGA gain can be set from 0 to 62 dB in 2 dB steps and is usually labeled VGA. Sometimes it is not labeled and is displayed next to the IF/LNA setting; in that case the VGA value is always the one on the right.
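The ranges and step sizes above are easy to get wrong when moving between the PortaPack screens and the host tools, so here is an added example (written for this page; not Great Scott Gadgets or Mayhem code) that encodes them: it validates a setting, snaps a requested value to the nearest valid step, adds up the nominal RX chain gain, and emits the equivalent hackrf_transfer flags (-a amp on/off, -l RX LNA, -g RX VGA, -x TX IF gain). The 11 dB figure for the RF amp is the nominal value from the block diagram; the real gain is frequency dependent, so total_db is an estimate.

```python
"""HackRF One gain settings as the PortaPack presents them (added example)."""
from dataclasses import dataclass

RF_AMP_DB = 11  # nominal RF amp gain (~11 dB on the R9 block diagram), on/off only


def snap(value: int, lo: int, hi: int, step: int) -> int:
    """Clamp value into [lo, hi] and round to the nearest multiple of step."""
    clamped = max(lo, min(hi, value))
    return int(round(clamped / step)) * step


@dataclass(frozen=True)
class RxGain:
    amp: bool  # RF amp next to the antenna port, shown as 0/1
    lna: int   # IF/LNA inside the MAX2839: 0..40 dB in 8 dB steps
    vga: int   # baseband VGA before the ADC: 0..62 dB in 2 dB steps

    def __post_init__(self):
        if self.lna not in range(0, 41, 8):
            raise ValueError(f"LNA must be 0..40 dB in 8 dB steps, got {self.lna}")
        if self.vga not in range(0, 63, 2):
            raise ValueError(f"VGA must be 0..62 dB in 2 dB steps, got {self.vga}")

    @classmethod
    def snapped(cls, amp: bool, lna: int, vga: int) -> "RxGain":
        """Build a valid setting from arbitrary requested values."""
        return cls(amp, snap(lna, 0, 40, 8), snap(vga, 0, 62, 2))

    def total_db(self) -> int:
        """Nominal gain of the whole RX chain (AMP + LNA + VGA)."""
        return (RF_AMP_DB if self.amp else 0) + self.lna + self.vga

    def hackrf_transfer_args(self) -> list[str]:
        """Flags for the host-side hackrf_transfer tool."""
        return ["-a", "1" if self.amp else "0",
                "-l", str(self.lna), "-g", str(self.vga)]


@dataclass(frozen=True)
class TxGain:
    amp: bool  # TX RF amp, shown as 0/14 on the POCSAG TX screen
    gain: int  # MAX2839 TX IF amp: 0..47 dB in 1 dB steps

    def __post_init__(self):
        if not 0 <= self.gain <= 47:
            raise ValueError(f"TX gain must be 0..47 dB, got {self.gain}")

    def hackrf_transfer_args(self) -> list[str]:
        return ["-a", "1" if self.amp else "0", "-x", str(self.gain)]


if __name__ == "__main__":
    rx = RxGain.snapped(amp=False, lna=21, vga=38)  # requests are snapped to 24 / 38
    print(rx, rx.total_db(), "dB", " ".join(rx.hackrf_transfer_args()))
```

The setting shown later on the page (AMP 0, LNA 24 dB, VGA 52 dB) gives a nominal 76 dB; with the RF amp switched on the same LNA/VGA values jump to 87 dB, which is why AMP is the coarse control and VGA the fine one.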
The RF amplifiers for both RX and TX are very close to the antenna port, so an electrostatic discharge at the connector can induce a voltage spike that damages them. These amplifiers are designed for very small signals and cannot tolerate such spikes. Always cover the SMA antenna port with a plastic cap when not in use, and power off the device before connecting, manipulating or replacing the antenna. According to the hardware revision notes, HackRF One revision R10 addresses this by adding a protection diode at the antenna port that clamps the voltage to a safe level.
In this example we see the RX RF AMP set to 0, the RX IF/LNA to 24 dB and the RX VGA setting to 52 dB.
The next screenshot is another variant for reception signals where the three settings are grouped in the order: RX RF AMP (set to 0), RX IF/LNA (set to 16 dB) and RX VGA (50 dB).
In this ADS-B RX screen the three values are labeled separately.
Finally, in this POCSAG TX screen the TX RF AMP is labeled Amp, whereas the TX IF setting is labeled Gain.
RX signal quality
Received waves are usually captured as weak, low-quality signals; however, for the ADC to process them correctly, we need the best quality signal possible. We have presented three ways of amplifying received signals, but more gain does not mean a better signal. Instead, the parameter to watch is the signal saturation.
Signal saturation is normally expressed in %, and represents how much of the ADC's maximum input level the signal reaches. A signal that is too strong at the input of the ADC clips, which causes distortion, non-linearities and spurious signals and degrades overall performance. Therefore, it is not advisable to over-amplify the signal before handing it to the ADC.
To correctly process signals in an SDR system, it is generally advisable to keep the saturation around 70-80% of the maximum input level. This keeps the chain in its linear range, preserving signal integrity and minimizing distortion, while still using most of the ADC's dynamic range.
In order to check the saturation of the received signal, press the DFU button on the top side of the HackRF One (next to the SMA antenna connector) while the device is running, then look for the RX Satu% value. Note that the same button has another function on the HackRF One: if it is held down while the device is powered on or reset, the HackRF enters its DFU bootloader instead of booting the PortaPack firmware.
Adjust the AMP, LNA and VGA gain values so the saturation stays around 80%. You can start by setting AMP to 0, LNA between 8-16 dB and VGA between 24-32 dB, then adjust the values until you reach the optimum saturation. Keep in mind that setting AMP to 1 dramatically increases the saturation, whereas VGA is better suited to fine adjustment.
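The same check can be made on the host from a capture, which is useful when the HackRF is on USB rather than in the PortaPack. The following is an added example written for this page, not Mayhem code: hackrf_transfer -r writes interleaved signed 8-bit I/Q samples, and the script reads such a buffer, reports the peak as a percentage of ADC full scale (127) and the fraction of clipped samples, and turns that into the same advice as the paragraph above. How Mayhem computes its own RX Satu% figure is not documented on this page, so treat this definition as an assumption of the example; the tone generator is only there to build constructed test input.

```python
"""Estimate RX saturation from a HackRF 8-bit I/Q capture (added example)."""
from array import array
import math

FULL_SCALE = 127  # largest magnitude of a signed 8-bit ADC sample
TARGET_LOW, TARGET_HIGH = 70.0, 80.0  # saturation window recommended above


def saturation(raw: bytes) -> dict:
    """Peak saturation (%) and clipped-sample ratio (%) of an int8 I/Q buffer.

    Assumption: the file comes from `hackrf_transfer -r`, i.e. I and Q are
    interleaved signed bytes; both components are treated alike.
    """
    samples = array("b", raw)
    if not samples:
        raise ValueError("empty capture")
    peak = max(abs(s) for s in samples)  # -128 yields 128, counted as clipped
    clipped = sum(1 for s in samples if abs(s) >= FULL_SCALE)
    return {
        "peak_pct": 100.0 * min(peak, FULL_SCALE) / FULL_SCALE,
        "clipped_pct": 100.0 * clipped / len(samples),
    }


def advise(peak_pct: float, low: float = TARGET_LOW, high: float = TARGET_HIGH) -> str:
    """Which knob to touch next, following the coarse/fine ordering above."""
    if peak_pct > high:
        return "reduce VGA (switch AMP off first if it is on)"
    if peak_pct < low:
        return "raise VGA; if VGA is at its maximum, raise LNA, then AMP"
    return "ok"


def synth_iq(amplitude: int, n: int = 1024, cycles: int = 8) -> bytes:
    """Constructed test input: a clean complex tone clamped to the int8 range,
    mimicking what the ADC delivers when the chain is driven too hard."""
    out = array("b")
    for k in range(n):
        ph = 2 * math.pi * cycles * k / n
        i = int(round(amplitude * math.cos(ph)))
        q = int(round(amplitude * math.sin(ph)))
        out.append(max(-128, min(127, i)))
        out.append(max(-128, min(127, q)))
    return out.tobytes()


if __name__ == "__main__":
    import sys
    # usage: hackrf_transfer -r capture.iq -f 433920000 -s 8000000 -n 8000000 -a 0 -l 16 -g 32
    #        python rx_saturation.py capture.iq
    raw = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else synth_iq(100)
    stats = saturation(raw)
    print(f"peak {stats['peak_pct']:.1f}%  clipped {stats['clipped_pct']:.2f}%  -> {advise(stats['peak_pct'])}")
```

A clean tone of amplitude 100 reads as 78.7% (inside the window); one of amplitude 200 clips at 100% with a visible fraction of samples pinned at full scale, which is the condition the ADC saturation warning is about.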
Antenna length calculation
As discussed in the radio communications write-up, choosing the right antenna length is mandatory before trying to intercept (or transmit) signals, especially when we are far from the emission source and the received signals are weak.
Normally, you can choose an antenna specifically designed for a certain frequency, or an extensible telescopic antenna that lets you adjust the length. To calculate it you can do the math by hand, use one of the available online antenna length calculators, or use a handy utility included in the Mayhem firmware called "Antenna Length", available in Utilities -> Antenna Length.
Basically, the application takes the desired frequency and tells you how many elements to extend on your adjustable antenna. By default, the application supports three antenna types: ANT500, ANT700 and a standard telescopic antenna, but you can add your own antennas to the ANTENNAS.TXT config file by entering the length of each segment of your extensible antenna.
Here is an example of an ANTENNAS.TXT file.
Which corresponds to the following collection of antennas.
The differences between them are the total length when completely extended, and the length of each extensible element.
And this would be the calculation made for the three antenna types working at 433 MHz.
With an ANT500 antenna you would extend three elements; one element with an ANT700; and with the telescopic antenna, the first element plus three quarters of the second. All of these correspond to 17.3 cm, the length of a quarter-wavelength monopole tuned to 433 MHz.
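The calculation behind the Antenna Length utility is short enough to reproduce on the host, which also lets you handle antennas the utility does not list. The following is an added example written for this page, not the Mayhem utility's code. The quarter-wave formula with a velocity factor of 1.0 reproduces the 17.3 cm above for 433 MHz; a factor around 0.95 is commonly applied to wire elements and is exposed as an option. The segment lengths in the table are constructed for illustration, because neither the real ANTENNAS.TXT format nor the actual element lengths of the ANT500/ANT700 are given on this page; they are chosen so that the three results match the three cases described above.

```python
"""Quarter-wave monopole length and telescopic elements to extend (added example)."""
C = 299_792_458.0  # speed of light, m/s

# Constructed segment lengths in cm, base element first. Not the real
# ANT500/ANT700 dimensions and not the ANTENNAS.TXT format.
ANTENNAS = {
    "ANT500": [6.0, 6.0, 6.0, 6.0, 6.0, 6.0, 6.0, 6.0],
    "ANT700": [18.0, 10.0, 10.0, 10.0, 10.0],
    "telescopic": [10.0, 10.0, 10.0, 10.0, 10.0, 10.0],
}


def quarter_wave_cm(freq_hz: float, velocity_factor: float = 1.0) -> float:
    """Physical length of a quarter-wavelength monopole in cm."""
    return 100.0 * velocity_factor * C / (4.0 * freq_hz)


def elements_to_extend(segments_cm, target_cm: float) -> float:
    """Elements to pull out to reach target_cm, as whole elements plus the
    fraction of the next one: 1.75 means the first element fully and the
    second to three quarters. Raises if the antenna is too short."""
    total = 0.0
    for idx, seg in enumerate(segments_cm):
        if total + seg >= target_cm:
            return idx + (target_cm - total) / seg
        total += seg
    raise ValueError(f"antenna fully extended is {total:.1f} cm, shorter than {target_cm:.1f} cm")


def plan(freq_hz: float, antennas=ANTENNAS, velocity_factor: float = 1.0) -> dict:
    """Elements to extend for every known antenna at the given frequency."""
    target = quarter_wave_cm(freq_hz, velocity_factor)
    return {name: round(elements_to_extend(segs, target), 2) for name, segs in antennas.items()}


if __name__ == "__main__":
    f = 433e6
    print(f"{f/1e6:.1f} MHz -> quarter wave {quarter_wave_cm(f):.1f} cm")
    for name, n in plan(f).items():
        print(f"  {name}: extend {n} elements")
```

At 433 MHz the constructed table gives about 2.9 elements for the ANT500, 0.96 for the ANT700 and 1.73 for the telescopic antenna, i.e. "three", "one" and "first plus three quarters of the second" once rounded to what can be set by hand.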