Remove USRP filters

Hello all,

Not sure if this belongs here, but I found an old wireless gameboy
messager ( ) and would like to intercept the messages. It uses a CC1020 RF modem
in the 915 MHz band. The problem is it uses FHSS in a 26 MHz bandwidth.
When listening with my USRP I get mostly aliasing noise from out of
band hops ( I can only hear 16 MHz with the USRP ). I don't think I
need to find the hopping code as I can just listen to all channels at
once. So my plan is to somehow remove at least one stage of filtering
from the FPGA so I can sample at ~4 MSPS and have all out of band
signals aliased into that bandwidth. My question is can this be done
and is my DSP info correct ( Can this work? ).

Thank you all.

On Sun, Jul 01, 2012 at 04:01:48PM -0400, Andrew D. wrote:

So my plan is to somehow remove at least one stage of filtering from
the FPGA so I can sample at ~4 MSPS and have all out of band signals
aliased into that bandwidth. My question is can this be done and is
my DSP info correct ( Can this work? ).

I used that trick to sniff all Bluetooth channels with a single USRP2 a
few years back. I described the technique in this talk at ShmooCon 2009
(179 MB):

http://shmoocon.org/2009/videos/Bluetooth-Ossman.m4v

I don’t think you’ll have to hack a daughterboard like I did, so you’ll
only need to work on the FPGA. My old FPGA mod is here:

http://gr-bluetooth.git.sourceforge.net/git/gitweb.cgi?p=gr-bluetooth/gr-bluetooth;a=blob_plain;f=doc/usrp2_alias.patch;hb=HEAD

It is out of date, but you should be able to get the idea. I just had
to zero out some filter coefficients.
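As an added illustration of the trick Michael describes (not code from the thread, gr-bluetooth or the USRP FPGA), the simulation below models a decimating FIR stage with a proper anti-alias lowpass and with its coefficients zeroed except for the centre tap, and shows where an out-of-band 9 MHz signal lands in a ~4 MSPS output. The ADC rate (64 MS/s), decimation (16), tap count and tone frequencies are constructed assumptions; the real USRP decimator is a CIC/halfband chain, not this windowed sinc.

```python
import cmath
import math

# Constructed parameters (not from the thread): a 64 MS/s ADC decimated by 16
# gives the ~4 MSPS window described above; 256 output samples are analysed.
FS_IN, DECIM, NTAPS, N_OUT = 64e6, 16, 127, 256
FS_OUT = FS_IN / DECIM
N_IN = (NTAPS - 1) + DECIM * N_OUT

def tone(freq_hz, n, fs=FS_IN):
    """Complex baseband tone at freq_hz: n samples at rate fs."""
    return [cmath.exp(2j * math.pi * freq_hz * k / fs) for k in range(n)]

def windowed_sinc_lowpass(ntaps, cutoff_hz, fs=FS_IN):
    """Hamming-windowed sinc anti-alias filter, normalised to unity DC gain."""
    m, fc, taps = ntaps - 1, cutoff_hz / fs, []
    for i in range(ntaps):
        x = i - m / 2
        h = 2 * fc if x == 0 else math.sin(2 * math.pi * fc * x) / (math.pi * x)
        taps.append(h * (0.54 - 0.46 * math.cos(2 * math.pi * i / m)))
    g = sum(taps)
    return [t / g for t in taps]

def passthrough(ntaps):
    """The 'zeroed coefficients' case: only the centre tap is non-zero, so the
    decimator keeps every DECIM-th sample with no anti-alias filtering at all."""
    taps = [0.0] * ntaps
    taps[ntaps // 2] = 1.0
    return taps

def fir_decimate(samples, taps, decim=DECIM):
    """FIR filter, then keep one output sample per decim input samples."""
    return [sum(t * samples[n - k] for k, t in enumerate(taps) if t)
            for n in range(len(taps) - 1, len(samples), decim)]

def strongest_bin(samples, fs):
    """Naive DFT; returns (frequency in [-fs/2, fs/2), magnitude) of the peak."""
    n, best = len(samples), (0.0, 0.0)
    for b in range(n):
        acc = sum(x * cmath.exp(-2j * math.pi * b * k / n) for k, x in enumerate(samples))
        mag = abs(acc) / n
        if mag > best[1]:
            f = b * fs / n
            best = (f - fs if f >= fs / 2 else f, mag)
    return best

def capture(freq_hz, taps):
    """Where a tone at freq_hz lands in the decimated output and how strong it is.
    With the lowpass, 9 MHz is suppressed; with zeroed taps it folds to +1 MHz."""
    return strongest_bin(fir_decimate(tone(freq_hz, N_IN), taps), FS_OUT)
```

A 9 MHz hop and a genuine 1 MHz signal both appear at +1 MHz once the filter is zeroed, which is why the whole 26 MHz hop set can be watched in one narrow window, and also why the noise floor rises and images pile up, as the later posts describe.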

Really cool presentation! Thanks for the info. Now I'm running into
another problem. I sample at about 4 MSPS for a bit and try to capture
the signal as it passes through my window, but I never seem to get it,
just a huge mess of noise, aliasing and ghosts.
http://i.imgur.com/w3oBP.jpg As you can see, it looks like there are
about 400 ms long bursts that just shake in frequencies. It also raises
the noise floor about 10 dB and throws images all over; some lines break
up. I really can't tell what I'm looking at; it doesn't look like FHSS to
me. I think it is a really strong carrier just outside of the band
that causes all these images. I did capture what I think is a sync
preamble followed by FSK ( http://i.imgur.com/EpMim.jpg ) but as you
see it is mirrored many times all the way to the noise floor. Could
someone with more DSP background help me figure out what I am looking
at?

Thank you all
~Andrew

On Mon, Jul 02, 2012 at 08:27:01PM -0400, Andrew D. wrote:

Really cool presentation! Thanks for the info. Now I'm running into
another problem. I sample at about 4 MSPS for a bit and try to capture
the signal as it passes through my window, but I never seem to get it,
just a huge mess of noise, aliasing and ghosts.
http://i.imgur.com/w3oBP.jpg

That actually doesn’t look so bad to me. Do you know anything about the
transmissions from your target device? Are they supposed to be in 400
ms long packets? Do they use a slow FSK modulation? Are packets
supposed to happen as often as every 600 ms? If you don’t know that
stuff, try looking up the FCC test report for the device.

You can ignore all the spurs and images in the frequency domain that are
20 dB or more below the loudest thing going on at any particular moment.
You’ll see stuff like that with a USRP, much more so when you are
intentionally aliasing.

What daughterboard are you using? Have you modified the FPGA?

I really can't tell what I'm looking at; it doesn't look like FHSS to me.

It does to me. First there is a short burst I'm not sure about, but then
there are two events of the same duration, the first was received at a
lower power than the second. The first event could be a packet outside
your band that you are not receiving properly, and the second is within
your band. Oh, sorry. I read the time ruler in reverse.

I did capture what I think is a sync preamble followed by FSK (
http://i.imgur.com/EpMim.jpg )

That looks beautiful! Except I think it is the time ruler itself that
is reversed, not my reading of it. The image is much lower power than
the main signal. Just ignore it. That packet is decodable by eyeball
in the spectrogram, which is kind of a rare treat.

Throw that thing into grc and decode it! :)

If you need help, post the raw file shown in EpMim.jpg somewhere.

Hey Michael,

I just purchased an Ubertooth One and it came in the mail today, pumped
to play around with it! I was excited to find the project. It fills in a
huge gap of commodity Bluetooth sensing.

In downloading the ubertooth code, I stumbled into your gr-bluetooth
code and then just so happened to find this thread active here. You should
consider putting gr-bluetooth up on CGRAN (https://www.cgran.org). It's
where a lot of GNU Radio users go to find projects, and I know that this
is one a lot of people would like to use, and possibly keep up to date!

- George

Are they supposed to be in 400 ms long packets?

Well that is supposed to be the maximum time an FHSS is allowed to
dwell in a channel according to the FCC, so it makes sense.

Do they use a slow FSK modulation?

According to the FCC test report it uses a CC1020 chip modem, which in
its data sheet says it can use slow FSK.

What daughterboard are you using? Have you modified the FPGA?

WBX and nope.

First there is a short burst I'm not sure about

I was thinking about using a 400 ms hop time and I realized how long it
would take for synchronization to occur listening to any one
frequency; what I would do is use a quick burst on a listening
frequency to sync. That may be what that is?

I read the time ruler in reverse.

Yeah it's strange, the waterfall is flowing up away from the
spectrogram ( as it should ), baudline is counting ms back in time
from the present ( I'm scrolling back in time to find the burst ).

I think I now need to find another old gameboy so I can start a
conversation between them to see if messages are plain text. I am
currently just probably getting the one announcing its presence
signal.

Thanks
~Andrew