GNU Radio Stuff


Posted in Applications by gnuradio on November 1, 2008


Headset Attack Demo At SANS NS2007 Las Vegas

Presentation (PDF – 500KB)

At the SANS NS2007 conference in Las Vegas last week I demonstrated a live attack against a Bluetooth headset. Worn by Ed Skoudis (thanks Ed!), I was able to inject audio into the headset and record everything the wearer said.

The screenshot above is a sample from the GNURadio usrp-oscope tool in the gr-utils package. In order to demodulate Bluetooth using the gr-bluetooth stack, it is necessary to identify the correct gain to use, where the Bluetooth signal appears similar to that shown in this image. Note the use of the letter “G” following 2.432 for center frequency.


BlueSniff (gr-bluetooth)

Paper (PDF – 156KB) – Source Code (TAR – 3.7MB)

For the past year I’ve been looking at the possibility of sniffing Bluetooth using GNU Radio. Receiving and demodulating packets took most of the time and was made possible using the CSR test modes (bccmd). The rest of the time, and most of the gr-bluetooth code, went into packet unwhitening (we don’t know the clock to unwhiten) and extracting the MAC address (also unknown).

Andrea and I have written a paper detailing how it all works, and giving some suggestions of where to take it from here. The paper and code can be found at


Implementation of the Bluetooth stack for software defined radio, with a view to sniffing and injecting packets

Report (PDF – 441 KB)

The ability to receive and demodulate a stream of data from a Bluetooth connection is achieved, using the USRP to receive the signal, and the GNU Radio Gaussian Minimum Shift Keying (GMSK) demodulator to convert the complex signal to binary. The control and settings of these parts of the system are found through experimentation with signal processing.
The binary data is then converted to packets and data is extracted from them in order to gather information about the devices in the piconet so that the MAC address and value of the clock of the piconet can be obtained. Data from higher levels of the protocol stack can also be extracted from these packets, which could lead to possible attacks on a system.

And finally check out this old GNU Radio mailing list thread which discussed the possibilities of Bluetooth on GNU Radio back in 2006.


Important Books

Posted in Miscellaneous by gnuradio on November 1, 2008


Software Defined Radio: with GNU Radio and USRP (Hardcover)

Publisher: McGraw-Hill | Pages: 320 | January 2009 | ISBN 0071498834 | 1st edition | by Cory Clark

Amazon / McGraw-Hill Professional

Chapter 1. What is Software Defined Radio
Chapter 2. SDR Block Diagrams
Chapter 3. SDR Applications
Chapter 4. The GNU Radio Project
Chapter 5. Downloading and Installing the GNU Radio
Chapter 6. Using Hardware with GNU Radio
Chapter 7. Bandwidth and Sample Rate Considerations
Chapter 8. FPGAs
Chapter 9. Generic A/Ds
Chapter 10. The USRP Hardware Boards
Chapter 11. Getting Started with Simple Analog Signals
Chapter 12. GSM
Chapter 13. 802.xx
Chapter 14. OFDM
Chapter 15. Working Examples
Chapter 16. HD Radio
Chapter 17. Spectrum Analyser

source1 / source2


Signal Processing Techniques for Software Radio (Softcover)

Publisher: Self-published Lulu | Pages: 380 | 2008 | by Behrouz Farhang-Boroujeny

Buy / Table of Contents / Book’s CD

This book puts together a collection of signal processing algorithms, filter design methods, and signal processing techniques (tricks) to provide the practicing engineers with the tools necessary for efficient implementation of software defined radios. To demonstrate the implementation of various algorithms on a software radio platform and also to demonstrate their performance, MATLAB scripts (programs) are presented throughout the book.


You could also check out GNU Radio’s own list of Suggested Reading.

GNU Radio and the Law

Posted in Miscellaneous by gnuradio on October 20, 2008

Do I need a FCC license?

Hi, guys. I’m a newbie.
I’m planning to buy some USRPs and start learning gnu radio. By the way, somebody told me that I need a license from FCC to use gnu radio. And he said that getting a license is not the manufacturer’s duty but mine. Is this true? Do you guys have licenses?

If you’re using USRP for receiving, no licensing is required. But if you’re using it for transmitting in the amateur-radio bands, then you’ll definitely need to get yourself an amateur-radio license. If you’re using it for transmitting in bands other than amateur-radio, then the rules become much more complicated. In the U.S., any devices must be type-accepted (certified by the FCC) in order to transmit anywhere other than the amateur-radio bands. In many of those non-amateur-radio bands, you’ll also need a separate “user” license.

Matt Ettus’s USRP is sold as test equipment, and given the low level (I believe 10 or 100 mW of RF is the highest emission from any of the current daughter cards from Matt) this is not a concern IMHO without the usage of high gain antenna or power amplification.


FCC broadcast flag?

The nice thing about GNU Radio is that you can build things like an ATSC digital television receiver, all in software. The problem is that, thanks to the heavy weight of the MPAA and other media lobbies, the FCC gave us the broadcast flag, meaning that a programmer can set a bit that says “do not record” such-and-such.

But to make the broadcast flag effective, you also have to mandate that equipment pay attention to it, and be robust against user modification. You’ve got to make it otherwise illegal to make an ATSC receiver that doesn’t obey it. And sure enough, that’s what the FCC has done; July 2005, any equipment that doesn’t obey the flag is illegal to sell, trade, create, etc.

And with GNU Radio, you write an ATSC receiver that does or doesn’t pay attention to it … at your own peril. It makes specific uses of GNU Radio illegal, and even if you wrote your GNU Radio software to pay attention to the flag, a simple programming error would make your product illegal. Heck, it might even be said that GNU Radio itself will be illegal this year, since it fails the robustness rules.


Receive police and emergency radio frequencies?

Now, whether or not receiving particular frequencies is allowed or not will obviously depend on the FCC and similar regulatory organizations (in most, if not all countries, for instance, receiving police radio frequencies is illegal). Maybe the FCC regulation you mentioned is taking things a bit too far… cell phone standards like GSM are encrypted anyway (unless, of course, you go for a man in the middle attack).

With an amateur radio license it is still legal to receive police and emergency radio frequencies and under certain circumstances it is legal to transmit on them.


What can I legally scan?

A common question that we get is “what can I legally scan?” You’ll be happy to know that it is legal to listen to almost every transmission your scanner can receive. You can hear police and fire departments, ambulance services, government agencies, private companies, amateur radio services, aircraft, and military operations.
However, there are some electronic and wire communications that are illegal to intentionally intercept. These include: telephone conversations (cellular, cordless, or other private means of telephone signal transmission), pager transmissions, and scrambled or encrypted transmissions. According to the Federal Electronic Communications Privacy Act (ECPA), as amended, you could be fined and possibly imprisoned for intentionally listening to, using, or disclosing the contents of such a transmission unless you have the consent of a party to the communication (unless such activity is otherwise illegal).


Assembling the USRP

Posted in Setup by gnuradio on October 20, 2008

The Universal Software Radio Peripheral, or USRP (pronounced “usurp”) is designed to allow general purpose computers to function as high bandwidth software radios. In essence, it serves as a digital baseband and IF section of a radio communication system. In addition, it has a well-defined electrical and mechanical interface to RF front-ends (daughterboards) which can translate between that IF or baseband and the RF bands of interest. The basic design philosophy behind the USRP has been to do all of the waveform-specific processing, like modulation and demodulation, on the host CPU. All of the high-speed general purpose operations like digital up- and down-conversion, decimation and interpolation are done on the FPGA.

Ettus Research

To assemble the USRP, start with this page from Cornell University, which begins with the USRP in its box and walks through assembling it with the BasicRX/BasicTX daughterboards.

Then continue to this picture set on Flickr, where someone shows the finished product.

When assembling, be careful of the static electricity that you generate; it could potentially destroy the boards. Consider using anti-static mats to prevent this. Also remember to plug in or unplug daughterboards only when the power is off. If you forget this, you’ll blow the tiny on-board fuse and the board will stop working.

The USRP motherboard is capable of handling anything from DC to 2.9 GHz, but you need the matching daughterboards for specific ranges. Daughterboards include:

  • BasicRX, 0.1-300 MHz receive
  • BasicTX, 0.1-200 MHz transmit
  • LFRX, DC-30 MHz receive
  • LFTX, DC-30 MHz transmit
  • TVRX, 50-860 MHz receive
  • DBSRX, 800-2400 MHz receive
  • RFX400, 400-500 MHz Transceiver
  • RFX900, 800-1000 MHz Transceiver
  • RFX1200, 1150-1400 MHz Transceiver
  • RFX1800, 1500-2100 MHz Transceiver
  • RFX2400, 2250-2900 MHz Transceiver

Also, you obviously need to have the matching antenna to actually receive something useful in
a given frequency range.


For more information on the daughterboards, read through these two PDFs, which list the TX and RX daughterboards and the Transceiver daughterboards along with their features. Furthermore, check out the USRP Documentation, which focuses mainly on the internal hardware structure of the USRP.

Finally, as an example, using a telescopic antenna attached via a BNC to SMA converter hooked up to the USRP, you can listen to FM radio or watch analog TV.

Installing GNU Radio

Posted in Setup by gnuradio on October 20, 2008

The Faster Method (no compilation needed)

After a clean installation of Fedora Core 8 (or 9), let it do its automatic updates (this might take a while). After it has done all the updates, open a command prompt (the yum commands below need root privileges).

yum groupinstall "Engineering and Scientific" "Development Tools"
yum install fftw-devel cppunit-devel wxPython-devel libusb-devel guile boost-devel alsa-lib-devel numpy gsl-devel python-devel pygsl python-cheetah python-lxml
yum install sdcc

Add this to .bashrc:

export PATH=/usr/libexec/sdcc:$PATH
export PYTHONPATH=/usr/local/lib/python2.5/site-packages

Then either run this:

. ~/.bashrc

or log out and log back in so the changes take effect. After logging back in, you can take one of two approaches: follow the build guide on the GNU Radio wiki, or carry on here for the quicker setup. In a command prompt:

yum install gnuradio
yum install gnuradio-examples
yum install usrp

(or just yum install gnuradio gnuradio-examples usrp)
The GNU Radio examples will be copied here:


Some of the other packages you could also install:

gnuradio-devel (containing the gnuradio headers)
usrp-devel (containing the usrp headers)
gnuradio-doc (containing the gnuradio documentation)

To make sure GNU Radio has been installed successfully, try this:

python /usr/share/gnuradio/examples/audio/

If you can hear a dial tone, all is well.

Connecting to the USRP

Now you need to set up permissions for users to use the USRP Board. To do so we need to add a new group which will have access to the USRP (Note: You may need to use /usr/bin instead of /usr/sbin).

/usr/sbin/groupadd usrp

Now add a user to that group (replace <username> with the account name):

/usr/sbin/usermod -a -G usrp <username>

Now you need to grant read/write access to the USRP. To do this, a udev rules file needs to be created.
Create a new text file, name it 10-usrp.rules, and add this line to it:

ACTION=="add", BUS=="usb", SYSFS{idVendor}=="fffe", SYSFS{idProduct}=="0002", GROUP:="usrp", MODE:="0660"

Then copy that file to the rules.d folder (in my case I’m copying from desktop to the destination)

cp /home/jon/Desktop/10-usrp.rules /etc/udev/rules.d/

You are almost done. Again log out and log back in. Now plug in the USRP and test the connection.
Keep in mind that the USRP 1 only works with computers that have USB 2.0; with anything older your setup won’t work (more info including how to potentially fix this). Now enter the following command; in the listing, the USRP’s device node should show group usrp with mode crw-rw----, next to the root-owned nodes.

ls -lR /dev/bus/usb

[root@localhost jon]# ls -lR /dev/bus/usb
total 0
drwxr-xr-x 2 root root 80 2008-06-05 06:23 001
drwxr-xr-x 2 root root 60 2008-06-05 05:02 002
drwxr-xr-x 2 root root 120 2008-06-05 05:02 003
drwxr-xr-x 2 root root 60 2008-06-05 05:02 004

total 0
crw-r--r-- 1 root root 189, 0 2008-06-05 05:02 001
crw-rw---- 1 root usrp 189, 3 2008-06-05 06:23 004

To test that you indeed have a connection with the USRP, you can run the benchmark_usb example, which is in examples/usrp/. I personally like to use the FM radio example:

python /usr/share/gnuradio/examples/usrp/

If you can hear static (or even a radio station) then you have successfully installed GNU Radio and USRP! Congrats…
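The access model set up above (a udev rule that hands the USRP to group usrp with mode 0660, then a look at ls -lR /dev/bus/usb) can be checked mechanically. The following is an added example, not part of the original post or of GNU Radio; audit_rule and audit_nodes are hypothetical helper names, and the weakened rule and the third listing line are constructed sample input.

```shell
#!/bin/sh
# Added example (not from the original post): audit the USRP udev rule and the
# resulting device nodes against the access model "group usrp, mode 0660".
# audit_rule and audit_nodes are hypothetical helper names.

# audit_rule RULE: print a verdict for one udev rule line; return 0 only for "ok".
audit_rule() {
    # Extract the assigned values of MODE= / MODE:= and GROUP= / GROUP:=
    # ("==" is a match, not an assignment, and is deliberately not picked up).
    ar_mode=$(printf '%s\n' "$1" | sed -n 's/.*MODE:\{0,1\}="\([0-7]*\)".*/\1/p')
    ar_group=$(printf '%s\n' "$1" | sed -n 's/.*GROUP:\{0,1\}="\([^"]*\)".*/\1/p')
    if [ -z "$ar_mode" ]; then echo "no-mode"; return 1; fi
    case $ar_mode in
        *[1-7]) echo "world-accessible"; return 1 ;;  # last octal digit = "other"
    esac
    if [ -z "$ar_group" ]; then echo "no-group"; return 1; fi
    echo "ok"
}

# audit_nodes [GROUP]: read `ls -l` lines on stdin and print "<node> <verdict>"
# for every character device.
audit_nodes() {
    awk -v grp="${1:-usrp}" '
        $1 ~ /^c/ {
            group_bits = substr($1, 5, 3)
            other_bits = substr($1, 8, 3)
            if (other_bits ~ /w/)    verdict = "world-writable"
            else if ($4 != grp)      verdict = "not-usrp"
            else if (group_bits == "rw-" && other_bits == "---")
                                     verdict = "usrp-ok"
            else                     verdict = "group-mode-mismatch"
            print $NF, verdict
        }'
}

# The rule from this page, and a constructed variant with the weak setting.
PAGE_RULE='ACTION=="add", BUS=="usb", SYSFS{idVendor}=="fffe", SYSFS{idProduct}=="0002", GROUP:="usrp", MODE:="0660"'
WEAK_RULE='ACTION=="add", BUS=="usb", SYSFS{idVendor}=="fffe", SYSFS{idProduct}=="0002", MODE:="0666"'
# First two lines as shown on this page; the third is constructed.
SAMPLE_LS='crw-r--r-- 1 root root 189, 0 2008-06-05 05:02 001
crw-rw---- 1 root usrp 189, 3 2008-06-05 06:23 004
crw-rw-rw- 1 root root 189, 4 2008-06-05 06:23 005'

audit_rule "$PAGE_RULE" || true
audit_rule "$WEAK_RULE" || true
printf '%s\n' "$SAMPLE_LS" | audit_nodes usrp
```

On a live system, feed audit_nodes the output of ls -l for each bus directory under /dev/bus/usb instead of the sample listing.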

Some Common Errors (when running example python demos)

RuntimeError: can't open usrp1

Solution: First unplug the USRP’s USB connection and plug it back in. If that doesn’t work, unplug the power cord and plug it back in.

RuntimeError: audio_alsa_sink

Solution: You could first try running that demo again with the plughw option. Example:

$ ./ -O plughw:0,0

If that didn’t resolve the problem, then it is very likely that the sound card is in use by some other application (Flash in a browser, an MP3 player) or possibly by a previous run of a gnuradio app that didn’t exit cleanly (just get rid of them). If so, run:

$ killall esd

which will effectively kill your Esound daemon, thereby only allowing one application at a time to use the sound card. Or you could check which process is keeping the sound card busy:

lsof -V /dev/dsp

and kill the pid that’s keeping it busy.

A series of "aUaUaU" printing out

Solution: Consider running the demo with the -O plughw:0,0 option. Check this wiki page to find out what those “aU”s mean, or check out this GNU Radio mailing list thread for more information on the solution given.

Reference for the GNU radio installation:

Introduction to GNU Radio

Posted in Introduction by gnuradio on October 20, 2008

What is the GNU Radio Project?

The normal way of implementing waveforms and radio functions is having hardware-based
systems do all the work. Generation, modulation/demodulation, alter functions, up/down-
conversion of frequencies, everything is done with electronics in some way. Therefore, there
are some limitations to what a specific machine can do. For example, your normal FM-radio
in your kitchen knows how to do exactly one thing, convert FM radio waves into sound you
can listen to.

Now imagine a radio technology that can turn your kitchen radio into a GSM telephone,
or a GPS receiver, or maybe a satellite communications terminal. Or why not a garage door
opener? That’s exactly the opportunities that emerge with software radios!

Thomas Sundquist

Straight From the Masterminds Themselves:

Eric Blossom and Matt Ettus on cccamp 2007

Presenting on GNU Radio and the USRP2

Watch (M4V – 98MB)

Matt Ettus on TechTV

Talking about Software Radio – Gnuradio

Watch (youtube)

The GNU radio project was the brainchild of Eric Blossom, who wanted to create a software HDTV receiver… He teamed up with Ettus, but they lacked a radio platform that was cheap enough… Ettus secured National Science Foundation funding through the University of Utah to design what would become the USRP.

Wired Article on GNU Radio

The idea behind soft-radio is that you grab a signal from the air and use software to ‘decode’ it instead of hardware. So all decoding becomes an issue of software and not hardware.

You can grab an FM signal from an antenna, use some software ‘stuff’, and get your favorite local
station to come out the computer speaker. The only hardware you need is an antenna and a frontend
to pump the signal into your computer. This device is that frontend interface between the RF capture
device (antenna, dish, etc) and the computer, via a USB2 plug. The reason it was developed was that
this kind of hardware was either very specific (grab only FM signals or TV signals) or very expensive
(the cost of a new computer or two).

Geeks will lament as not only is this device a receiver but it’s a transmitter as well. Want to
make an ad-hoc WiFi-like network on some other frequency? What about a smart ‘cell’ phone that
makes its own network so you don’t need a common provider (think p2p phones)? As it’s so new,
the possibilities have not been well thought out, but technologies like this are a solution
looking for a problem, kinda like the PC in the 1980s.

-Anonymous on Slashdot

Some More Resources:

GNU Radio – An introduction

(PDF – 3MB)

Eric Blossom answering questions on Slashdot

(HTML – 500KB)

Reddit Comments on GNU Radio

(HTML – 300KB)

1on1 with Eric Blossom

(MPEG – 108 MB)

GNU Radio: Free Software Radio Collides with Hollywood’s Lawyers (Eric Blossom)

(MP3 – 6MB)

Mark Petrovic interviews Eric Blossom on GNU Radio

(MP3 – 26MB)

All modern ham radio transceivers connect to computers anyway, so the connectivity
between radio and computers is already there and has been for a long time. That’s
not the real innovation. The real innovation here, with SDR technology, is that modulation and demodulation of radio signals is conducted via software, instead of hardware.

Traditional radio transceivers work like this: receive the signal, then pass it through
another circuit that demodulates. For transceivers that can receive AM, FM, USB, LSB, CW,
there are separate demodulation circuits for each mode of modulation. Then, after
demodulation, the signal is usually passed through filtering and DSP (digital signal processing)
circuits that clean up the signal and aid in reception of weak signals. All that crammed into a single traditional transceiver adds up! Most amateur radio transceivers range in price from $1500 – $10,000, simply because of the complexity involved.

Enter SDR. Instead of having all these individual circuits, an SDR radio can have 1 circuit,
yet be capable of everything a traditional transceiver can do. Receive the signal, downconvert
it to a frequency range appropriate for digital sampling via an ADC (analog to digital converter),
then perform all demodulation, filtering, DSP, etc. within software!

The USRP covered in the Wired article utilizes its own ADC chips capable of sampling wide
bandwidth signals, such as “wide FM” (broadcast) and HDTV. Such chips are expensive, and thus contribute to the $500 cost of these SDR devices.

-csb92376 on Digg

How Do You Start?

You’ll need frontend hardware to capture the signal, preferably the USRP (which could cost as much as $1500 with daughterboards), a regular computer to connect it to and run the software on, and finally the software itself, GNU Radio (a free download). Then you are ready to begin! But before that, check out some of the applications that GNU Radio and the USRP have been used in.