Sunday, June 23, 2013


In the Hacker Lounge at Open Source Bridge last week, the well-stocked LEGO table caught my eye. In particular, I spotted an antenna protruding from the pile, and I followed it down to a radio-controlled LEGO car platform! The controller was quickly located, a battery replaced, and I found that it worked pretty well.

The controller was clearly marked with a sticker indicating operation at 27 MHz (FCC ID: NPI71646). That would have been my first guess anyway as it is a very popular frequency for radio-controlled toys. Since several of us were having a HackRF party, I decided to see if I could control the car with my HackRF Jawbreaker.

After verifying that the car worked with the original controller, I recorded several waveforms with the hackrf_transfer utility. I made eight separate recordings, one for each active controller state: forward, backward, left, right, forward/left, forward/right, backward/left, and backward/right.

The recordings were quite clean even though 27 MHz is below Jawbreaker's official operating range (30 MHz to 6000 MHz). In fact, I had captured some apparently good recordings of NFC transactions at 13.56 MHz just the day before. The major drop-off in performance I've observed on Jawbreakers I've tested has been just below 10 MHz.

For my first HackRF transmission, I built a small flowgraph in GNU Radio Companion to replay the captured waveforms with my Jawbreaker one at a time. With the car's controller switched off, I was able to make the car move with a simple replay! The best waveform worked at a distance of up to 20 meters even though I put very little effort into cleaning up the waveform or adjusting the power level.

Although I didn't have much time left before I had to catch my flight home, I wanted to see if I could synthesize control transmissions in software on my laptop instead of replaying captured waveforms (which included received noise and minor defects such as quantization and DC offset).

The first step toward synthesizing control transmissions was to analyze the captured waveforms. I found that each transmission consisted of a series of pulses at 27.145 MHz. The pulses were all at the same power level. Each pulse lasted one of two durations and was followed by a pause of consistent length. It looked like On-Off Keying (OOK) with data encoded in the number of consecutive short pulses.

Each transmission featured a repeated pattern of four long pulses (each 1.875 ms long, separated by 0.625 ms pauses) followed by some number of short pulses (each 0.625 ms long, separated by 0.625 ms pauses). The repeated pattern continued for as long as the controller was held in a particular state. The number of consecutive short pulses depended on the state of the controller:

  • forward: 10 short pulses
  • forward/left: 28 short pulses
  • forward/right: 34 short pulses
  • backward: 40 short pulses
  • backward/left: 52 short pulses
  • backward/right: 46 short pulses
  • left: 58 short pulses
  • right: 64 short pulses

That's as far as I got.
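The framing described above can be checked with a small decoder. This is an added example, not code from the original post: it measures pulse widths in an on/off envelope, finds each group of four long pulses, and counts the short pulses that follow. The 200 kHz sample rate, the function names, and the assumption that the capture's magnitude has already been thresholded to 1/0 are all assumptions of this sketch; the test envelope is constructed from the timings in the post.

```python
# Added example: timings and pulse counts come from the post; names and sample rate are assumed.
UNIT_S = 0.625e-3      # short pulse and every pause
LONG_UNITS = 3         # long pulse = 1.875 ms = 3 units
SYNC_PULSES = 4        # four long pulses open each repetition
COMMANDS = {10: "forward", 28: "forward/left", 34: "forward/right", 40: "backward",
            52: "backward/left", 46: "backward/right", 58: "left", 64: "right"}

def build_envelope(short_count, repeats=2, sample_rate=200_000):
    """Constructed input: one 0/1 value per sample for `repeats` frames."""
    n = round(UNIT_S * sample_rate)
    off = [0] * n
    frame = ([1] * (LONG_UNITS * n) + off) * SYNC_PULSES + ([1] * n + off) * short_count
    return frame * repeats

def pulse_widths(envelope, sample_rate):
    """Duration in seconds of each run of 'on' samples."""
    widths, run = [], 0
    for sample in envelope:
        if sample:
            run += 1
        elif run:
            widths.append(run / sample_rate)
            run = 0
    if run:
        widths.append(run / sample_rate)
    return widths

def decode(envelope, sample_rate=200_000):
    """Return the command for every sync group found in the envelope."""
    threshold = UNIT_S * (1 + LONG_UNITS) / 2   # midway between 0.625 ms and 1.875 ms
    kinds = ["L" if w > threshold else "S" for w in pulse_widths(envelope, sample_rate)]
    results, i = [], 0
    while i < len(kinds):
        if kinds[i:i + SYNC_PULSES] != ["L"] * SYNC_PULSES:
            i += 1          # capture started mid-frame: skip until the next sync group
            continue
        i += SYNC_PULSES
        count = 0
        while i < len(kinds) and kinds[i] == "S":
            count += 1
            i += 1
        # A capture cut off mid-frame yields a count that is not in the table.
        results.append(COMMANDS.get(count, f"unknown({count})"))
    return results

if __name__ == "__main__":
    print(decode(build_envelope(28)))
```
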

Saturday, June 22, 2013

HackRF Beta Distribution

I've been working day and night to test, rework (You don't mind a few scorch marks, do you?), and ship HackRF beta units over the last four weeks. It has been a bigger job than I planned on, but the end is near. I expect to ship the last of the beta units before the end of June. I will have shipped a total of 500 units with more than 200 of those going to people who signed up for the waiting list.

The main reason that it has taken so long is that there has been more testing and rework required than I expected. The test procedure I gave to the contract manufacturer wasn't good enough, mostly because it performed RF tests over the air instead of over a cable with fixed characteristics. Since changing the procedure to operate over an RF cable with an attenuator, I am getting very consistent results. Unfortunately those results aren't always positive, so I've had to do a lot of rework. Plus, I've had to spend a great deal of time running the tests at my kitchen table.

Allergy warning: cats have climbed into boxes full of HackRF Jawbreakers!

I've fallen a bit behind on email while doing all this work, but many of those messages contain frequently asked questions about beta distribution that I will list here:

Q: How many people registered for the beta and how many beta units will ship?

A: I received a total of 2288 registrations. Over 400 units have shipped already. A total of approximately 500 units will ship. About 225 of those will go to people on the waiting list (those who registered without a valid beta invitation code). I wish I could give a board to all 2288 of you, but unfortunately supplies are limited. Still, I am proud to have accomplished such a large give-away of open source hardware.

Q: What are my odds of receiving a Jawbreaker?

A: If you registered with a valid beta invitation code, a beta unit should have been shipped to you already (100%). If you registered without a code, you will receive a Jawbreaker only if you were among the first 11% or so of people who registered. If you heard about beta registration from the GSG-announce mailing list, IRC (#hackrf on freenode), or by following me on Twitter and acted quickly, you have a good chance of getting a board. If you signed up later without a code, you probably will not get a board.

Q: Will I receive a confirmation email even if I do not get a beta unit?

A: Yes. If you included a valid email address with your registration you will receive an email either way. If a beta unit is shipped to you, I will send you an email that day. As soon as beta supplies are exhausted I will send an email to everyone still on the waiting list letting you know that you will not receive a unit.

Q: How are beta units shipped?

A: I'm shipping all beta units via USPS First-Class Mail or First-Class Package International Service. I realize that this isn't the speediest service for international beta testers and that time in customs can vary greatly, but keeping the cost low is part of how I am able to ship so many total beta units.

Q: What if my Jawbreaker fails?

A: Unfortunately I expect some hardware failures in the field. Even units that passed my improved test procedure might fail in the future. I've already seen (and replaced) one such unit that had a weak solder joint that failed after being shipped to a beta tester. I can't guarantee you a working beta unit, but I will do my best to repair or replace units that fail. If you suspect a hardware failure or have any other technical concerns, post your question or test results to the hackrf-dev mailing list.

Q: When can I buy a HackRF board?

A: I will make an announcement about commercial availability soon. If you want to be among the first to hear about it, sign up for the GSG-announce mailing list.