Manualslib.

com - Simplified Manuals

Manuals / Brands / Great Scott Gadgets Manuals / Transceiver / HackRF / Manual / PDF

GREAT SCOTT GADGETS HACKRF MANUAL

Quick Links
Try Your Hackrf with Pentoo Linux
Getting Started with Hackrf and Gnu Radio
Software Setup
Hackrf_Sweep
Table of Contents
Table of Contents
Try Your HackRF with Pentoo Linux
Software Setup
Examples
Usage
Output fields
Package managers
Building from source
Features
Differences between Jawbreaker and HackRF One
Enclosure Options
Using HackRF One's Buttons
SMA, not RP-SMA
Transmit Power
Receive Power
External Clock Interface (CLKIN and CLKOUT)
Hardware Documentation
Expansion Interface
Using Opera Cake
Opera Glasses
Updating the SPI Flash Firmware
Updating the CPLD
Only if Necessary: DFU Boot
Only if Necessary: Recovering the SPI Flash Firmware
Obtaining DFU-Util
I can't seem to access my HackRF under Linux
hackrf_set_sample_rate fails
What is the big spike in the center of my received spectrum
How do I deal with the DC offset
Purchasing HackRF
Making sense of gain settings
System Requirements
LEDs
Half-Duplex, Full-Duplex
What is the receive sensibility of HackRF
Troubleshooting
USB Cables (and why to use a noise reducing one)
Sampling Rate and Baseband Filters
Black Magic Probe
LPC-Link
ST-LINK/V2
Run ARM GDB
Frequently Asked Questions
Setup
Usage Notes
Jellybean Notes
Initial Experimentation and Discovery
Block Diagrams
Purpose
Related work
Requirements
Opening your HackRF
Connect the clocks
Identify the pin headers
Wire up the pin headers
Upgrade
Testing with hackrf_transfer
What next
Software with HackRF Support
GNU Radio Based
Direct Support
Can use HackRF data
HackRF Tools
Handling HackRF data
Setup, Initialization and Shutdown
Using the Radio
Reading and Writing Registers
Updating Firmware
Board Identifiers
Miscellaneous
Data Structures
Enumerations
Features
Set your Jawbreaker Free
SMA, not RP-SMA
Transmit Power
Hardware Documentation
Expansion Interface
Antenna
Baseband
CPLD
Clocking
USB
Power Management
Regulators
Buttons
Shielding
Footprints
Shield Support
Si5351 I2C
SGPIO Examples
 HackRF

Great Scott Gadgets

Jul 15, 2021

 USER DOCUMENTATION

1 Getting Started with HackRF and GNU Radio 1

1.1 Try Your HackRF with Pentoo Linux . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1
1.2 Software Setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2
1.3 Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2

2 hackrf_sweep 3
2.1 Usage . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
2.2 Output fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3

3 Operating System Tips 5

3.1 Package managers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
3.2 Building from source . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6

4 HackRF One 9
4.1 Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
4.2 Differences between Jawbreaker and HackRF One . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
4.3 Enclosure Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
4.4 Using HackRF One’s Buttons . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
4.5 SMA, not RP-SMA . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
4.6 Transmit Power . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
4.7 Receive Power . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
4.8 External Clock Interface (CLKIN and CLKOUT) . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
4.9 Hardware Documentation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
4.10 Expansion Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12

5 Opera Cake 17
5.1 Using Opera Cake . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
5.2 Opera Glasses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18

6 Updating Firmware 19
6.1 Updating the SPI Flash Firmware . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
6.2 Updating the CPLD . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
6.3 Only if Necessary: DFU Boot . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20
6.4 Only if Necessary: Recovering the SPI Flash Firmware . . . . . . . . . . . . . . . . . . . . . . . . . 20
6.5 Obtaining DFU-Util . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20

7 FAQ 23
7.1 I can’t seem to access my HackRF under Linux . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
7.2 hackrf_set_sample_rate fails . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25
7.3 What is the big spike in the center of my received spectrum? . . . . . . . . . . . . . . . . . . . . . . 25
7.4 How do I deal with the DC offset? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26

i
 7.5 Purchasing HackRF . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26
7.6 Making sense of gain settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26
7.7 System Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27
7.8 LEDs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27
7.9 Half-Duplex, Full-Duplex . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27
7.10 What is the receive sensibility of HackRF? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28
7.11 Troubleshooting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28

8 HackRF Hacks 29

9 Getting Help 31

10 Tips and Tricks 33

10.1 USB Cables (and why to use a noise reducing one) . . . . . . . . . . . . . . . . . . . . . . . . . . . 33
10.2 Sampling Rate and Baseband Filters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33

11 Firmware Development Setup 35

12 LPC43xx Debugging 37
12.1 Black Magic Probe . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37
12.2 LPC-Link . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37
12.3 ST-LINK/V2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37
12.4 Run ARM GDB . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39

13 LPC43xx SGPIO Configuration 41

13.1 Frequently Asked Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41

14 LPC43xx USB DFU Notes 43

14.1 Setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43
14.2 Usage Notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43
14.3 Jellybean Notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44

15 LPC43xx USB Implementation 45

15.1 Initial Experimentation and Discovery . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45

16 Hardware Components 47
16.1 Block Diagrams . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48

17 Clocking 51

18 Multiple device hardware level synchronization 53

18.1 Purpose . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53
18.2 Related work . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53
18.3 Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53
18.4 Opening your HackRF . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54
18.5 Connect the clocks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54
18.6 Identify the pin headers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55
18.7 Wire up the pin headers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57
18.8 Upgrade . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59
18.9 Testing with hackrf_transfer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59
18.10 What next? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60

19 Software Support 63
19.1 Software with HackRF Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63
19.2 GNU Radio Based . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63
19.3 Direct Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63

ii
 19.4 Can use HackRF data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63
19.5 HackRF Tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64
19.6 Handling HackRF data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64

20 libhackRF API 65
20.1 Setup, Initialization and Shutdown . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65
20.2 Using the Radio . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67
20.3 Reading and Writing Registers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68
20.4 Updating Firmware . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 69
20.5 Board Identifiers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 70
20.6 Miscellaneous . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71
20.7 Data Structures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71
20.8 Enumerations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72

21 Jawbreaker 75
21.1 Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75
21.2 Set your Jawbreaker Free! . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75
21.3 SMA, not RP-SMA . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 76
21.4 Transmit Power . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 76
21.5 Hardware Documentation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 76
21.6 Expansion Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 76

22 Design Goals 83

23 Future Hardware Modifications 85

23.1 Antenna . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85
23.2 Baseband . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85
23.3 CPLD . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85
23.4 Clocking . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85
23.5 USB . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 86
23.6 Power Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 86
23.7 Regulators . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 86
23.8 Buttons . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 86
23.9 Shielding . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 86
23.10 Footprints . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 86
23.11 Shield Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87

24 Lemondrop Bring Up 89
24.1 Si5351 I2C . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 89

25 LPC4350 SGPIO Experimentation 95

25.1 SGPIO Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 95

iii
iv
 CHAPTER

ONE

GETTING STARTED WITH HACKRF AND GNU RADIO

We recommend getting started by watching the Software Defined Radio with HackRF video series. This series will
introduce you to HackRF One, software including GNU Radio, and teach you the fundamentals of Digital Signal
Processing (DSP) needed to take full advantage of the power of Software Defined Radio (SDR). Additional helpful
information follows.

1.1 Try Your HackRF with Pentoo Linux

The easiest way to get started with your HackRF and ensure that it works is to use Pentoo, a Linux distribution with
full support for HackRF and GNU Radio. Download the latest Pentoo .iso image from one of the mirrors listed at
http://pentoo.ch/downloads/. Then burn the .iso to a DVD or use UNetbootin to install the .iso on a USB flash drive.
Boot your computer using the DVD or USB flash drive to run Pentoo. Do this natively, not in a virtual machine.
(Unfortunately high speed USB operation invariably fails when people try to run HackRF from a virtual machine.)
Once Pentoo is running, you can immediately use it to update firmware on your HackRF or use other HackRF command
line tools. For a walkthrough, watch SDR with HackRF, Lesson 5: HackRF One.
To verify that your HackRF is detected, type hackrf_info at the command line. It should produce a few lines of
output including “Found HackRF board.” The 3V3, 1V8, RF, and USB LEDs should all be illuminated and are various
colors.
You can type startx at the command line to launch a desktop environment. Accept the “default config” in the first
dialog box. The desktop environment is useful for GNU Radio Companion and other graphical applications but is not
required for basic operations such as firmware updates.
Now you can use programs such as gnuradio-companion or gqrx to start experimenting with your HackRF. Try the
Examples below. If you are new to GNU Radio, an excellent place to start is with the SDR with HackRF video series
or with the GNU Radio guided tutorials.
Alternative: GNU Radio Live SDR Environment
The GNU Radio Live SDR Environment is another nice bootable Linux .iso with support for HackRF and, of course,
GNU Radio.

1
HackRF

1.2 Software Setup

As mentioned above, the best way to get started with HackRF is to use Pentoo Linux. Eventually you may want to
install software to use HackRF with your favorite operating system.
If your package manager includes the most recent release of libhackrf and gr-osmosdr, then use it to install those
packages in addition to GNU Radio. Otherwise, the recommended way to install these tools is by using PyBOMBS.
See the Operating System Tips page for information on setting up HackRF software on particular Operating Systems
and Linux distributions.
If you have any trouble, make sure that things work when booted to Pentoo. This will allow you to easily determine if
your problem is being caused by hardware or software, and it will give you a way to see how the software is supposed
to function.

1.3 Examples

A great way to get started with HackRF is the SDR with HackRF video series. Additional examples follow:
Testing the HackRF
1. Plug in the HackRF
2. run the hackrf_info command $ hackrf_info
If everything is OK, you should see something similar to the following:

hackrf_info version: 2017.02.1

libhackrf version: 2017.02.1 (0.5)
Found HackRF
Index: 0
Serial number: 0000000000000000################
Board ID Number: 2 (HackRF One)
Firmware Version: 2017.02.1 (API:1.02)
Part ID Number: 0x######## 0x########

FM Radio Example
This Example was derived from the following works:
• RTL-SDR FM radio receiver with GNU Radio Companion
• How To Build an FM Receiver with the USRP in Less Than 10 Minutes
1. Download the FM Radio Receiver python file here
2. Run the file $ python ./fm_radio_rx.py
3. You can find the GNU Radio Companion source file here

2 Chapter 1. Getting Started with HackRF and GNU Radio

 CHAPTER

TWO

HACKRF_SWEEP

2.1 Usage

[-h] # this help

[-d serial_number] # Serial number of desired HackRF
[-a amp_enable] # RX RF amplifier 1=Enable, 0=Disable
[-f freq_min:freq_max] # minimum and maximum frequencies in MHz
[-p antenna_enable] # Antenna port power, 1=Enable, 0=Disable
[-l gain_db] # RX LNA (IF) gain, 0-40dB, 8dB steps
[-g gain_db] # RX VGA (baseband) gain, 0-62dB, 2dB steps
[-n num_samples] # Number of samples per frequency, 8192-4294967296
[-w bin_width] # FFT bin width (frequency resolution) in Hz
[-1] # one shot mode
[-B] # binary output
[-I] # binary inverse FFT output
-r filename # output file

2.2 Output fields

date, time, hz_low, hz_high, hz_bin_width, num_samples, dB, dB, ...

Running hackrf_sweep -f 2400:2490 gives the following example results:

Date Time Hz Hz Hz bin Num dB dB dB dB dB

Low High width Sam-
ples
2019- 11:57:34.967805
2400000000
2405000000
1000000.0020 -64.72 -63.36 -60.91 -61.74 -58.58
01-03
2019- 11:57:34.967805
2410000000
2415000000
1000000.0020 -69.22 -60.67 -59.50 -61.81 -58.16
01-03
2019- 11:57:34.967805
2405000000
2410000000
1000000.0020 -61.19 -70.14 -60.10 -57.91 -61.97
01-03
2019- 11:57:34.967805
2415000000
2420000000
1000000.0020 -72.93 -79.14 -68.79 -70.71 -82.78
01-03
2019- 11:57:34.967805
2420000000
2425000000
1000000.0020 -67.57 -61.61 -57.29 -61.90 -70.19
01-03
2019- 11:57:34.967805
2430000000
2435000000
1000000.0020 -56.04 -59.58 -66.24 -66.02 -62.12
01-03

3
HackRF

Two ranges of 5 MHz are analyzed at once from the same set of samples, so a single timestamp applies to the whole
range.
The fifth column tells you the width in Hz (1 MHz in this case) of each frequency bin, which you can set with -w. The
sixth column is the number of samples analyzed to produce that row of data.
Each of the remaining columns shows the power detected in each of several frequency bins. In this case there are five
bins, the first from 2400 to 2401 MHz, the second from 2401 to 2402 MHz, and so forth.

4 Chapter 2. hackrf_sweep
 CHAPTER

THREE

OPERATING SYSTEM TIPS

Here are some software setup tips for particular Operating Systems and Linux distributions.

3.1 Package managers

We highly recommend that, unless developing or testing new features of HackRF, most users use build systems or
package management provided for their operating system.

3.1.1 Linux

Ubuntu / Debian

sudo apt install gqrx-sdr

Fedora / Red Hat

sudo dnf install gnuradio gr-osmosdr hackrf gqrx -y

Gentoo Linux

emerge -a net-wireless/hackrf-tools
USE="hackrf" emerge -a net-wireless/gr-osmosdr

Arch Linux

pacman -S gnuradio gnuradio-osmosdr

pacman -S gnuradio-companion

5
HackRF

3.1.2 OS X (10.5+)

MacPorts

sudo port install gr-osmosdr

Homebrew

brew install gr-osmosdr

3.1.3 Windows

Binaries are provided as part of the PothosSDR project, they can be downloaded here.

3.1.4 FreeBSD

You can use the binary package: # pkg install hackrf

You can build and install from ports:

# cd /usr/ports/comms/hackrf
# make install

3.2 Building from source

3.2.1 Linux / OS X / *BSD

Preparing Your System

First of all, make sure that your system is up to date using your operating system provided update method.

3.2.2 Installing using PyBOMBS

The GNU Radio project has a build system that covers the core libraries, drivers for SDR hardware, and many out of
tree modules. PyBOMBs will take care of installing dependencies for you.

3.2.3 Building HackRF tools from source

Acquire the source for the HackRF tools from either a release archive or git: git clone https://github.com/
mossmann/hackrf.git
Once you have the source downloaded, the host tools can be built as follows:

cd hackrf/host
mkdir build
cd build
cmake ..
(continues on next page)

6 Chapter 3. Operating System Tips

 HackRF

(continued from previous page)

make
sudo make install
sudo ldconfig

If you have HackRF hardware, you may need to update the firmware to match the host tools versions.

3.2.4 Windows

Prerequisites for Cygwin, MinGW, or Visual Studio

• cmake-2.8.12.1 or later from http://www.cmake.org/cmake/resources/software.html

• libusbx-1.0.18 or later from http://sourceforge.net/projects/libusbx/files/latest/download?source=files
• fftw-3.3.5 or later from http://www.fftw.org/install/windows.html
• Install Windows driver for HackRF hardware or use Zadig see http://sourceforge.net/projects/libwdi/files/zadig

– If you want to use Zadig select HackRF USB device and just install/replace it with WinUSB driver.
Note for Windows build: You shall always execute hackrf-tools from Windows command shell and not from Cygwin
or MinGW shell because on Cygwin/MinGW Ctrl+C is not managed correctly and especially for hackrf_transfer the
Ctrl+C (abort) will not stop correctly and will corrupt the file.

For Visual Studio 2015 x64

Create library definition for MSVC to link to C:\fftw-3.3.5-dll64> lib /machine:x64 /def:libfftw3f-3.
def

c:\hackrf\host\build> cmake ../ -G "Visual Studio 14 2015 Win64" \

-DLIBUSB_INCLUDE_DIR=c:\libusb-1.0.21\libusb \
-DLIBUSB_LIBRARIES=c:\libusb-1.0.21\MS64\dll\lib\libusb-1.0.lib \
-DTHREADS_PTHREADS_INCLUDE_DIR=c:\pthreads-w32-2-9-1-release\Pre-built.2\include \
-DTHREADS_PTHREADS_WIN32_LIBRARY=c:\pthreads-w32-2-9-1-release\Pre-built.2\lib\x64\
˓→pthreadVC2.lib \

-DFFTW_INCLUDES=C:\fftw-3.3.5-dll64 \
-DFFTW_LIBRARIES=C:\fftw-3.3.5-dll64\libfftw3f-3.lib

CMake will produce a solution file named HackRF.sln and a series of project files which can be built with msbuild
as follows: c:\hackrf\host\build> msbuild HackRF.sln

Cygwin

mkdir host/build
cd host/build
cmake ../ -G "Unix Makefiles" -DCMAKE_LEGACY_CYGWIN_WIN32=1 -DLIBUSB_INCLUDE_DIR=/usr/
˓→local/include/libusb-1.0/

make
make install

3.2. Building from source 7

HackRF

MinGW

mkdir host/build
cd host/build
cmake ../ -G "MSYS Makefiles" -DLIBUSB_INCLUDE_DIR=/usr/local/include/libusb-1.0/
make
make install

8 Chapter 3. Operating System Tips

 CHAPTER

FOUR

HACKRF ONE

HackRF One is the current hardware platform for the HackRF project. It is a Software Defined Radio peripheral capable
of transmission or reception of radio signals from 1 MHz to 6 GHz. Designed to enable test and development of modern
and next generation radio technologies, HackRF One is an open source hardware platform that can be used as a USB
peripheral or programmed for stand-alone operation.

4.1 Features

• half-duplex transceiver
• operating freq: 1 MHz to 6 GHz
• supported sample rates: 2 Msps to 20 Msps (quadrature)
• resolution: 8 bits
• interface: High Speed USB (with USB Micro-B connector)
• power supply: USB bus power
• software-controlled antenna port power (max 50 mA at 3.3 V)
• SMA female antenna connector (50 ohms)
• SMA female clock input and output for synchronization
• convenient buttons for programming
• pin headers for expansion
• portable
• open source

4.2 Differences between Jawbreaker and HackRF One

Jawbreaker was the beta platform that preceded HackRF One. HackRF One incorporates the following changes and
enhancements:
• Antenna port: No modification is necessary to use the SMA antenna port on HackRF One.
• PCB antenna: Removed.
• Size: HackRF One is smaller at 120 mm x 75 mm (PCB size).
• Enclosure: The commercial version of HackRF One from Great Scott Gadgets ships with an injection molded
plastic enclosure. HackRF One is also designed to fit other enclosure options.

9
HackRF

• Buttons: HackRF One has a RESET button and a DFU button for easy programming.
• Clock input and output: Installed and functional without modification.
• USB connector: HackRF One features a new USB connector and improved USB layout.
• Expansion interface: More pins are available for expansion, and pin headers are installed on HackRF One.
• Real-Time Clock: An RTC is installed on HackRF One.
• LPC4320 microcontroller: Jawbreaker had an LPC4330.
• RF shield footprint: An optional shield may be installed over HackRF One’s RF section.
• Antenna port power: HackRF One can supply up to 50 mA at 3.3 V DC on the antenna port for compatibility
with powered antennas and other low power amplifiers.
• Enhanced frequency range: The RF performance of HackRF One is better than Jawbreaker, particularly at the
high and low ends of the operating frequency range. HackRF One can operate at 1 MHz or even lower.

4.3 Enclosure Options

The commercial version of HackRF One from Great Scott Gadgets ships with an injection molded plastic enclosure,
but it is designed to fit two optional enclosures:
• Hammond 1455J1201: HackRF One fits this extruded aluminum enclosure and other similar models from Ham-
mond Manufacturing. In order to use the enclosure’s end plates, you will have to drill them. An end plate
template can be found in the HackRF One KiCad layout.
• Acrylic sandwich: You can also use a laser cut acrylic enclosure with HackRF One. This is a good option for
access to the expansion headers. A design can be found in the HackRF One hardware directory. Use any laser
cutting service or purchase from a reseller.

4.4 Using HackRF One’s Buttons

The RESET button resets the microcontroller. This is a reboot that should result in a USB re-enumeration.
The DFU button invokes a USB DFU bootloader located in the microcontroller’s ROM. This bootloader makes it
possible to unbrick a HackRF One with damaged firmware because the ROM cannot be overwritten.
To invoke DFU mode: Press and hold the DFU button. While holding the DFU button, reset the HackRF One either
by pressing and releasing the RESET button or by powering on the HackRF One. Release the DFU button.
The DFU button only invokes the bootloader during reset. This means that it can be used for other functions by custom
firmware.

4.5 SMA, not RP-SMA

Some connectors that appear to be SMA are actually RP-SMA. If you connect an RP-SMA antenna to HackRF One, it
will seem to connect snugly but won’t function at all because neither the male nor female side has a center pin. RP-SMA
connectors are most common on 2.4 GHz antennas and are popular on Wi-Fi equipment. Adapters are available.

10 Chapter 4. HackRF One

 HackRF

4.6 Transmit Power

HackRF One’s absolute maximum TX power varies by operating frequency:

• 1 MHz to 10 MHz: 5 dBm to 15 dBm, generally increasing as frequency increases (see this blog post)
• 10 MHz to 2150 MHz: 5 dBm to 15 dBm, generally decreasing as frequency increases
• 2150 MHz to 2750 MHz: 13 dBm to 15 dBm
• 2750 MHz to 4000 MHz: 0 dBm to 5 dBm, decreasing as frequency increases
• 4000 MHz to 6000 MHz: -10 dBm to 0 dBm, generally decreasing as frequency increases
Through most of the frequency range up to 4 GHz, the maximum TX power is between 0 and 10 dBm. The frequency
range with best performance is 2150 MHz to 2750 MHz.
Overall, the output power is enough to perform over-the-air experiments at close range or to drive an external amplifier.
If you connect an external amplifier, you should also use an external bandpass filter for your operating frequency.
Before you transmit, know your laws. HackRF One has not been tested for compliance with regulations governing
transmission of radio signals. You are responsible for using your HackRF One legally.

4.7 Receive Power

The maximum RX power of HackRF One is -5 dBm. Exceeding -5 dBm can result in permanent damage!
In theory, HackRF One can safely accept up to 10 dBm with the front-end RX amplifier disabled. However, a simple
software or user error could enable the amplifier, resulting in permanent damage. It is better to use an external attenuator
than to risk damage.

4.8 External Clock Interface (CLKIN and CLKOUT)

HackRF One produces a 10 MHz clock signal on CLKOUT. The signal is a 10 MHz square wave from 0 V to 3 V
intended for a high impedance load.
The CLKIN port on HackRF One is a high impedance input that expects a 0 V to 3 V square wave at 10 MHz. Do
not exceed 3.3 V or drop below 0 V on this input. Do not connect a clock signal at a frequency other than 10 MHz
(unless you modify the firmware to support this). You may directly connect the CLKOUT port of one HackRF One to
the CLKIN port of another HackRF One.
HackRF One uses CLKIN instead of the internal crystal when a clock signal is detected on CLKIN. The switch to or
from CLKIN only happens when a transmit or receive operation begins.
To verify that a signal has been detected on CLKIN, use hackrf_debug –si5351c -n 0 -r. The expected output with a
clock detected is [ 0] -> 0x01. The expected output with no clock detected is [ 0] -> 0x51.

4.6. Transmit Power 11

HackRF

4.9 Hardware Documentation

Schematic diagram, assembly diagram,and bill of materials can be found at https://github.com/mossmann/hackrf/tree/

master/doc/hardware

4.10 Expansion Interface

The HackRF One expansion interface consists of headers P9, P20, P22, and P28. These four headers are installed on
the commercial HackRF One from Great Scott Gadgets.

4.10.1 P9 Baseband

A direct analog interface to the high speed dual ADC and dual DAC.

Pin Function
1 GND
2 GND
3 GND
4 RXBBQ-
5 RXBBI-
6 RXBBQ+
7 RXBBI+
8 GND
9 GND
10 TXBBI-
11 TXBBQ+
12 TXBBI+
13 TXBBQ-
14 GND
15 GND
16 GND

12 Chapter 4. HackRF One

 HackRF

4.10.2 P20 GPIO

Providing access to GPIO, ADC, RTC, and power.

Pin Function
1 VBAT
2 RTC_ALARM
3 VCC
4 WAKEUP
5 GPIO3_8
6 GPIO3_0
7 GPIO3_10
8 GPIO3_11
9 GPIO3_12
10 GPIO3_13
11 GPIO3_14
12 GPIO3_15
13 GND
14 ADC0_6
15 GND
16 ADC0_2
17 VBUSCTRL
18 ADC0_5
19 GND
20 ADC0_0
21 VBUS
22 VIN

4.10.3 P22 I2S

I2S, SPI, I2C, UART, GPIO, and clocks.

4.10. Expansion Interface 13

HackRF

Pin Function
1 CLKOUT
2 CLKIN
3 RESET
4 GND
5 I2C1_SCL
6 I2C1_SDA
7 SPIFI_MISO
8 SPIFI_SCK
9 SPIFI_MOSI
10 GND
11 VCC
12 I2S0_RX_SCK
13 I2S_RX_SDA
14 I2S0_RX_MCLK
15 I2S0_RX_WS
16 I2S0_TX_SCK
17 I2S0_TX_MCLK
18 GND
19 U0_RXD
20 U0_TXD
21 P2_9
22 P2_13
23 P2_8
24 SDA
25 CLK6
26 SCL

4.10.4 P28 SD

SDIO, GPIO, clocks, and CPLD.

14 Chapter 4. HackRF One

 HackRF

Pin Function
1 VCC
2 GND
3 SD_CD
4 SD_DAT3
5 SD_DAT2
6 SD_DAT1
7 SD_DAT0
8 SD_VOLT0
9 SD_CMD
10 SD_POW
11 SD_CLK
12 GND
13 GCK2
14 GCK1
15 B1AUX14
16 B1AUX13
17 CPLD_TCK
18 BANK2F3M2
19 CPLD_TDI
20 BANK2F3M6
21 BANK2F3M12
22 BANK2F3M4

Additional unpopulated headers and test points are available for test and development, but they may be incompatible
with some enclosure or expansion options.
Refer to the schematics and component documentation for more information.

4.10. Expansion Interface 15

HackRF

16 Chapter 4. HackRF One

 CHAPTER

FIVE

OPERA CAKE

Opera Cake is an antenna switching add on board for HackRF.

5.1 Using Opera Cake

5.1.1 Board Address

As communication with Opera Cake is based on I2C, each board has an address. The default address is 24, but this
can be changed by setting jumpers on P1. To list the address of one or more opera cake boards:

hackrf_operacake -l

5.1.2 Ports

Opera cake has two input ports, PA0 and PB0, which can be switched to any of the eight output ports, PA1-PA4 and
PB1-PB4. Each input is always connected to an output, PA0 is connected to PA1 by default, and PB0 to PB1. It is not
possible to connect both inputs to ports in the same bank.
When configuring the opera cake board you must always specify the connection for both ports. For example:

hackrf_operacake -o 24 -a 3 -b 4

will connect PA0 to PA4 and PB0 to PB1.

hackrf_operacake -o 24 -a 5 -b 2

will connect PA0 to PB2 and PB0 to PA3.

hackrf_operacake -o 24 -a 1 -b 2

is invalid as it attempts to connect both inputs to bank A.

The available ports are:

17
HackRF

Port Number
PA1 0
PA2 1
PA3 2
PA4 3
PB1 4
PB2 5
PB3 6
PB4 7

5.2 Opera Glasses

As no other software is opera cake aware, it is possible to pre-configure HackRF to support frequency bands and have
opera cake automatically switch antenna when the radio retunes. The bands are specified in priority order, the final
band specified will be used for frequencies not covered by the other bands specified.
To configure ports to frequency bands you must use the -f min:max:port argument for each band, with the frequen-
cies specified in MHz. For example:

hackrf_operacake -f 100:600:0 -f 600:1200:2 -f 0:4000:5

will use PA1 for 100MHz to 600MHz, PA3 for 600MHz to 1200MHz, and PB2 for 0MHz to 4GHz. If tuning to
precisely 600MHz PA1 will be used as it is listed first. Tuning to anything over 4GHz will use PB2 as it is the last
listed, and therefore the default antenna.

18 Chapter 5. Opera Cake

 CHAPTER

SIX

UPDATING FIRMWARE

HackRF devices ship with firmware on the SPI flash memory. The firmware can be updated with nothing more than a
USB cable and host computer.
These instructions allow you to upgrade the firmware in order to take advantage of new features or bug fixes.
If you have any difficulty making this process work from your native operating system, you can use Pentoo or the GNU
Radio Live DVD to perform the updates.

6.1 Updating the SPI Flash Firmware

To update the firmware on a working HackRF One, use the hackrf_spiflash program:

hackrf_spiflash -w hackrf_one_usb.bin

You can find the firmware binary (hackrf_one_usb.bin) in the firmware-bin directory of the latest release package or
you can compile your own from the source. For Jawbreaker, use hackrf_jawbreaker_usb.bin. If you compile from
source, the file will be called hackrf_usb.bin.
The hackrf_spiflash program is part of hackrf-tools.
When writing a firmware image to SPI flash, be sure to select firmware with a filename ending in “.bin”.
After writing the firmware to SPI flash, you may need to reset the HackRF device by pressing the RESET button or by
unplugging it and plugging it back in.
If you get an error that mentions HACKRF_ERROR_NOT_FOUND, check out the FAQ. It’s often a permissions
problem that can be quickly solved.

6.2 Updating the CPLD

Older versions of HackRF firmware (prior to release 2021.03.1) require an additional step to program a bitstream into
the CPLD.
To update the CPLD image, first update the SPI flash firmware, libhackrf, and hackrf-tools to the version you are
installing. Then:

hackrf_cpldjtag -x firmware/cpld/sgpio_if/default.xsvf

After a few seconds, three LEDs should start blinking. This indicates that the CPLD has been programmed successfully.
Reset the HackRF device by pressing the RESET button or by unplugging it and plugging it back in.

19
HackRF

6.3 Only if Necessary: DFU Boot

DFU boot mode is normally only needed if the firmware is not working properly or has never been installed.
The LPC4330 microcontroller on HackRF is capable of booting from several different code sources. By default,
HackRF boots from SPI flash memory (SPIFI). It can also boot HackRF in DFU (USB) boot mode. In DFU boot
mode, HackRF will enumerate over USB, wait for code to be delivered using the DFU (Device Firmware Update)
standard over USB, and then execute that code from RAM. The SPIFI is normally unused and unaltered in DFU mode.
To start up HackRF One in DFU mode, hold down the DFU button while powering it on or while pressing and releasing
the RESET button. Release the DFU button after the 3V3 LED illuminates. The 1V8 LED should remain off. At this
point HackRF One is ready to receive firmware over USB.
To start up Jawbreaker in DFU mode, short two pins on one of the “BOOT” headers while power is first supplied.
The pins that must be shorted are pins 1 and 2 of header P32 on Jawbreaker. Header P32 is labeled “P2_8” on most
Jawbreakers but may be labeled “2” on prototype units. Pin 1 is labeled “VCC”. Pin 2 is the center pin. After DFU
boot, you should see VCCLED illuminate and note that 1V8LED does not illuminate. At this point Jawbreaker is ready
to receive firmware over USB.
You should only use a firmware image with a filename ending in “.dfu” over DFU, not firmware ending in “.bin”.

6.4 Only if Necessary: Recovering the SPI Flash Firmware

If the firmware installed in SPI flash has been damaged or if you are programming a home-made HackRF for the first
time, you will not be able to immediately use the hackrf_spiflash program as listed in the above procedure. Follow
these steps instead:
1. Follow the DFU Boot instructions to start the HackRF in DFU boot mode.
2. Type dfu-util --device 1fc9:000c --alt 0 --download hackrf_one_usb.dfu to load firmware
from a release package into RAM. If you have a Jawbreaker, use hackrf_jawbreaker_usb.dfu instead. Alterna-
tively, use make -e BOARD=HACKRF_ONE RUN_FROM=RAM program to load the firmware into RAM and start
it.
3. Follow the SPI flash firmware update procedure above to write the “.bin” firmware image to SPI flash.

6.5 Obtaining DFU-Util

On fresh installs of your OS, you may need obtain a copy of DFU-Util. For most Linux distributions it should be
available as a package, for example on Debian/Ubuntu

sudo apt-get install dfu-util

If you are using a platform without a dfu-util package, build instruction can be found here on the dfu-util source forge
build page.

cd ~
sudo apt-get build-dep dfu-util
sudo apt-get install libusb-1.0-0-dev
git clone git://git.code.sf.net/p/dfu-util/dfu-util
cd dfu-util
./autogen.sh
./configure
(continues on next page)

20 Chapter 6. Updating Firmware

 HackRF

(continued from previous page)

make
sudo make install

Now you will have the current version of DFU Util installed on your system.

6.5. Obtaining DFU-Util 21

HackRF

22 Chapter 6. Updating Firmware

 CHAPTER

SEVEN

FAQ

7.1 I can’t seem to access my HackRF under Linux

Question: When running hackrf_info or any other command which tries to communicate with the HackRF, I get
the following error message, although the board seems to be enumerated properly by the Linux kernel:

hackrf_open() failed: HACKRF_ERROR_NOT_FOUND (-5)

or:

hackrf_open() failed: HACKRF_ERROR_LIBUSB (-1000)

Answer:

7.1.1 Using the latest version

First make sure that you are running the latest version of libhackrf and hackrf-tools. HackRF One, for example, is only
supported by release 2014.04.1 or newer. Then check to see if hackrf_info is successful when running as root. If it
is, then your other user is lacking permission.

7.1.2 Permission Problem

A normal user under Linux doesn’t have the permissions to access arbitrary USB devices because of security reasons.
The first solution would be to run every command which tries to access the HackRF as root which is not recommended
for daily usage, but at least shows you if your HackRF really works.
To fix this issue, you can write a udev rule to instruct udev to set permissions for the device in a way that it can be
accessed by any user on the system who is a member of a specific group.
(The following things have been tested on Ubuntu and Gentoo and may need to be adapted to other Linux distributions.
In particular, your distro may have a group named something other than plugdev for this purpose.) To do that, you need
to create a new rules file in the /etc/udev/rules.d folder. I called mine 52-hackrf.rules. Here is the content:

ATTR{idVendor}=="1d50", ATTR{idProduct}=="604b", SYMLINK+="hackrf-jawbreaker-%k", MODE=

˓→"660", GROUP="plugdev"
ATTR{idVendor}=="1d50", ATTR{idProduct}=="6089", SYMLINK+="hackrf-one-%k", MODE="660",␣
˓→GROUP="plugdev"

ATTR{idVendor}=="1fc9", ATTR{idProduct}=="000c", SYMLINK+="hackrf-dfu-%k", MODE="660",␣

˓→GROUP="plugdev"

23
HackRF

The content of the file instructs udev to look out for devices with Vendor ID and Product ID matching HackRF devices.
It then sets the UNIX permissions to 660 and the group to plugdev and creates a symlink in /dev to the device.
After creating the rules file you can either reboot or run the command udevadm control --reload-rules as root
to instruct udev to reload all rule files. After replugging your HackRF board, you should be able to access the device
with all utilities as a normal user. If you still can’t access the device, make sure that you are a member of the plugdev
group.

7.1.3 PyBOMBs

If you are using PyBOMBS, note that the HackRF recipe intentionally does not install the udev rules to avoid installation
failures when run as non-root.

7.1.4 Power saving and USB autosuspend

A common problem for laptop users could power management enabling USB autosuspend, which is likely if
hackrf_info returns an error of hackrf_open() failed: Input/Output Error (-1000) on the first execu-
tion, and works if you run it a second time directly afterwards. This can be confirmed by running LIBUSB_DEBUG=3
hackrf_info and checking that the error is a broken pipe.
To fix this, you need to disable USB autosuspend for HackRF. If you use the TLP power manager you can add the
HackRF USB VID/PIDs to the USB_BLACKLIST line in /etc/default/tlp (under Archlinux create a file /etc/
tlp.d/10-usb-blacklist.conf, under Ubuntu the config file can be found at /etc/tlp.conf):

USB_BLACKLIST="1d50:604b 1d50:6089 1d50:cc15 1fc9:000c"

and restart TLP using tlp restart or systemctl restart tlp.

7.1.5 hackrf kernel module

If the command hackrf_info failed with “hackrf_open() .. HACKRF_ERROR_NOT_FOUND” error message, this
could be also a problem of a kernel driver. Some ubuntu versions, like Ubuntu 15.04 with installed gnuradio has a
kernel driver pre-installed. In this case you probably will get some syslog kernel messages like:
• kernel: [ 8932.297074] hackrf 1-9.4:1.0: Board ID: 02
• kernel: [ 8932.297076] hackrf 1-9.4:1.0: Firmware version: 2014.08.1
• kernel: [ 8932.297261] hackrf 1-9.4:1.0: Registered as swradio0
• kernel: [ 8932.297262] hackrf 1-9.4:1.0: SDR API is still slightly experimental and functionality changes may
follow
when you plug in the the HackRF module. Use the command dmesg to check the last system log entries. If you try to
start hackrf_info it will terminate with the error message and the system log will show a message like:
• kernel: [ 8967.263268] usb 1-9.4: usbfs: interface 0 claimed by hackrf while ‘hackrf_info’ sets config #1
To solve this issue check under root account if is there is a kernel module hackrf loaded: lsmod | grep hackrf. If
there is a hackrf kernel module, try to unload it with rmmod hackrf. You must do this command as root, too. After
this the command hackrf_info (and all other hackrf related stuff) should work and the syslog usbfs massage should
vanish.
After a reset or USB unplug/plug this kernel module will load again and block the access again. To solve this you have
to blacklist the hackrf kernel module in /etc/modprobe.d/blacklist(.conf) The current filename of the blacklist file may
differ, it depends on the current ubuntu version. In ubuntu 15.04 it is located in /etc/modprobe.d/blacklist.conf. Open
this file under root account with a text editor an add the following line at the end:

24 Chapter 7. FAQ
 HackRF

blacklist hackrf

After a system-restart, to get the updated modprobe working, the hackrf worked under ubuntu 15.04 with the upstream
packages (Firmware version: 2014.08.1) out-of-the-box.

7.2 hackrf_set_sample_rate fails

Question: I’m trying to run hackrf_transfer and hackrf_set_sample_rate fails. The libusb_control_transfer call in
hackrf_set_sample_rate_manual is returning with LIBUSB_ERROR_PIPE.
Answer: Follow the instructions to update your firmware.

7.3 What is the big spike in the center of my received spectrum?

Question: I see a large spike in the center of my FFT display regardless of the frequency my HackRF is tuned to. Is
there something wrong with my HackRF?
Answer: You are seeing a DC offset (or component or bias). The term “DC” comes from “Direct Current” in elec-
tronics. It is the unchanging aspect of a signal as opposed to the “alternating” part of the signal (AC) that changes over
time. Take, for example, the signal represented by the digital sequence:

-2, -1, 1, 6, 8, 9, 8, 6, 1, -1, -2, -1, 1, 6, 8, 9, 8, 6, 1, -1, -2, -1, 1, 6, 8, 9, 8,␣

˓→6, 1, -1

This periodic signal contains a strong sinusoidal component spanning from -2 to 9. If you were to plot the spectrum
of this signal, you would see one spike at the frequency of this sinusoid and a second spike at 0 Hz (DC). If the signal
spanned from values -2 to 2 (centered around zero), there would be no DC offset. Since it is centered around 3.5 (the
number midway between -2 and 9), there is a DC component.
Samples produced by HackRF are measurements of radio waveforms, but the measurement method is prone to a DC
bias introduced by HackRF. It’s an artifact of the measurement system, not an indication of a received radio signal. DC
offset is not unique to HackRF; it is common to all quadrature sampling systems.
There was a bug in the HackRF firmware (through release 2013.06.1) that made the DC offset worse than it should
have been. In the worst cases, certain Jawbreakers experienced a DC offset that drifted to a great extreme over several
seconds of operation. This bug has been fixed. The fix reduces DC offset but does not do away with it entirely. It is
something you have to live with when using any quadrature sampling system like HackRF.
A high DC offset is also one of a few symptoms that can be caused by a software version mismatch. A common problem
is that people run an old version of gr-osmosdr with newer firmware.

7.2. hackrf_set_sample_rate fails 25

HackRF

7.4 How do I deal with the DC offset?

Question: Okay, now that I understand what that big spike in the middle of my spectrum is, how do I handle it?
Answer: There are a few options:
1. Ignore it. For many applications it isn’t a problem. You’ll learn to ignore it.
2. Avoid it. The best way to handle DC offset for most applications is to use offset tuning; instead of tuning to your
exact frequency of interest, tune to a nearby frequency so that the entire signal you are interested in is shifted
away from 0 Hz but still within the received bandwidth. If your algorithm works best with your signal centered
at 0 Hz (many do), you can shift the frequency in the digital domain, moving your signal of interest to 0 Hz and
your DC offset away from 0 Hz. HackRF’s high maximum sampling rate can be a big help as it allows you to
use offset tuning even for relatively wideband signals.
3. Correct it. There are various ways of removing the DC offset in software. However, these techniques may degrade
parts of the signal that are close to 0 Hz. It may look better, but that doesn’t necessarily mean that it is better from
the standpoint of a demodulator algorithm, for example. Still, correcting the DC offset is often a good choice.

7.5 Purchasing HackRF

Question: Where can I buy HackRF?

Answer: HackRF is designed and manufactured by Great Scott Gadgets. Please see http://greatscottgadgets.com/
hackrf/ for availability. HackRF is open source hardware, so you could also build your own.

7.6 Making sense of gain settings

Question: What gain controls are provided by HackRF?

Answer: HackRF (both Jawbreaker and One) provides three different analog gain controls on RX and two on TX. The
three RX gain controls are at the RF (“amp”, 0 or 14 dB), IF (“lna”, 0 to 40 dB in 8 dB steps), and baseband (“vga”, 0
to 62 dB in 2 dB steps) stages. The two TX gain controls are at the RF (0 or 14 dB) and IF (0 to 47 dB in 1 dB steps)
stages.
Question: Why is the RF gain setting restricted to two values?
Answer: HackRF has two RF amplifiers close to the antenna port, one for TX and one for RX. These amplifiers have
two settings: on or off. In the off state, the amps are completely bypassed. They nominally provide 14 dB of gain
when on, but the actual amount of gain varies by frequency. In general, expect less gain at higher frequencies. For fine
control of gain, use the IF and/or baseband gain options.
Question: How should I set the gain controls for RX?
Answer: A good default setting to start with is RF=0 (off), IF=16, baseband=16. Increase or decrease the IF and
baseband gain controls roughly equally to find the best settings for your situation. Turn on the RF amp if you need help
picking up weak signals. If your gain settings are too low, your signal may be buried in the noise. If one or more of
your gain settings is too high, you may see distortion (look for unexpected frequencies that pop up when you increase
the gain) or the noise floor may be amplified more than your signal is.

26 Chapter 7. FAQ
 HackRF

7.7 System Requirements

Question: What are the minimum system requirements for using HackRF?
Answer: The most important requirement is that you supply 500 mA at 5 V DC to your HackRF via the USB port. If
your host computer has difficulty meeting this requirement, you may need to use a powered USB hub.
Most users will want to stream data to or from the HackRF at high speeds. This requires that the host computer supports
Hi-Speed USB. Some Hi-Speed USB hosts are better than others, and you may have multiple host controllers on your
computer. If you have difficulty operating your HackRF at high sample rates (10 Msps to 20 Msps), try using a different
USB port on your computer. If possible, arrange things so that the HackRF is the only device on the bus.
There is no specific minimum CPU requirement for the host computer, but SDR is generally a CPU-intensive applica-
tion. If you have a slower CPU, you may be unable to run certain SDR software or you may only be able to operate at
lower sample rates.
Question: Why doesn’t HackRF work properly with a virtual machine (VM)?
Answer: HackRF requires the ability to stream data at very high rates over USB. Unfortunately VM software typically
has problems with continuous high speed USB transfers.
There are some known bugs with the HackRF firmware’s USB implementation. It is possible that fixing these bugs
will improve the ability to operate HackRF with a VM, but there is a very good chance that operation at higher sample
rates will still be limited.

7.8 LEDs

Question: What LEDs should be illuminated?

Answer: When HackRF One is plugged in to a USB host, four LEDs should turn on: 3V3, 1V8, RF, and USB. The
3V3 LED indicates that the primary internal power supply is working properly. The 1V8 and RF LEDs indicate that
firmware is running and has switched on additional internal power supplies. The USB LED indicates that the HackRF
One is communicating with the host over USB.
The RX and TX LEDs indicate that a receive or transmit operation is currently in progress.
Question: Why are the LEDs different colors?
Answer: Each LED is a single color. There are no multi-colored LEDs on HackRF One. Adjacent LEDs are different
colors in order to make them easier to distinguish from one another. The colors do not mean anything.

7.9 Half-Duplex, Full-Duplex

Question: Is HackRF One half-duplex or full-duplex?

Answer: HackRF One is a half-duplex transceiver. This means that it can transmit or receive but not both at the same
time.
Question: Why isn’t HackRF One full-duplex?
Answer: HackRF One is designed to support the widest possible range of SDR applications in a single, low cost,
portable device. Many applications do not require full-duplex operation. Full-duplex support would have made HackRF
larger and more expensive, and it would have required an external power supply. Since full-duplex needs can be met by

7.7. System Requirements 27

HackRF

simply using a second HackRF One, it made sense to keep the device small, portable, and low cost for everyone who
does not require full-duplex operation.
Question: How could the HackRF One design be changed to make it full-duplex?
Answer: The HackRF One hardware design is actually full-duplex (at lower sample rates) from the USB connection
through the ADC/DAC. The RF section is the only part of the design that cannot support full-duplex operation. The
easiest way to make HackRF One full-duplex would be to create an add-on board that duplicates the RF section and
also provides an external power input (from a wall wart, for example) for the additional power required. This would
also require software effort; the firmware, CPLD, libhackrf, and other host software would all need work to support
full-duplex operation.
If you were to try to redesign the RF section on HackRF One to support full-duplex, the main thing to focus on would
be the MAX2837 (intermediate frequency transceiver). This part is half-duplex, so you would either need two of them
or you would have to redesign the RF section to use something other than the MAX2837, likely resulting in a radically
different design. If you used two MAX2837s you might be able to use one RFFC5071 instead of two RFFC5072s.

7.10 What is the receive sensibility of HackRF?

Question: What is the minimum signal power level that can be detected by HackRF?
Answer: This isn’t a question that can be answered for a general purpose SDR platform such as HackRF. Any answer
would be very specific to a particular application. For example, an answerable question might be: What is the minimum
power level in dBm of modulation M at frequency F that can be detected by HackRF One with software S under
configuration C at a bit error rate of no more than E%? Changing any of those variables (M, F, S, C, or E) would
change the answer to the question. Even a seemingly minor software update might result in a significantly different
answer. To learn the exact answer for a specific application, you would have to measure it yourself.
HackRF’s concrete specifications include operating frequency range, maximum sample rate, and dynamic range in
bits. These specifications can be used to roughly determine the suitability of HackRF for a given application. Testing
is required to finely measure performance in an application. Performance can typically be enhanced significantly by
selecting an appropriate antenna, external amplifier, and/or external filter for the application.

7.11 Troubleshooting

Question: Why is a known signal at an incorrect frequency which changes at a surprising rate when changing the
center frequency?
Answer: You may have a version mismatch between the firmware and CPLD bitstream. [Update your firmware to the
latest release](Updating Firmware) to solve this problem.

28 Chapter 7. FAQ
 CHAPTER

EIGHT

HACKRF HACKS

Have you done something cool with HackRF? Let us know and we will post a link here!
• Jawbreaker/VFD spectrum analyzer (Jared Boone), see also the extended demo on Hak5
• wireless microphones (Jared Boone)
• LEGO car (Michael Ossmann)
• automotive remote keyless entry systems (Mike Kershaw)
• Sniffing GSM with HackRF (BinaryRF - Unavailable as of 19Nov2014: archived version)
• Decoding Pocsag Pagers With The HackRF (BinaryRF - Unavailable as of 19Nov2014: archived version)
• HackRF vs. Tesla Model S (Sam Edwards)

29
HackRF

30 Chapter 8. HackRF Hacks

 CHAPTER

NINE

GETTING HELP

Before asking for help with HackRF, check to see if your question is listed in the FAQ or has already been answered in
GitHub issues or the mailing list archives.
For assistance with HackRF use or development, please look at the issues on the GitHub project. This is the preferred
place to ask questions so that others may locate the answer to your question in the future.
If you prefer email then you may use the HackRF-dev mailing list instead. You can view the list archives for past
discussions.
Many users spend time in the #hackrf channel on Discord. This channel is bridged to #hackrf on Libera Chat for folks
who are more comfortable with IRC.

31
HackRF

32 Chapter 9. Getting Help

 CHAPTER

TEN

TIPS AND TRICKS

10.1 USB Cables (and why to use a noise reducing one)

The USB cable you choose can make a big difference in what you see when using your HackRF and especially when
using it around between 120 and 480 MHz where USB is doing all its work.
1. Use a shielded USB cable. The best way to guarantee RF interference from USB is to use an unshielded cable.
You can test that your cable is shielded by using a continuity tester to verify that the shield on one connector has
continuity to the shield on the connector at the other end of the cable.
2. Use a short USB cable. Trying anything larger than a 6ft cable may yield poor results. The longer the cable, the
more loss you can expect and when making this post a 15ft cable was tried and the result was the HackRF would
only power up half way.
3. For best results, select a cable with a ferrite core. These cables are usually advertised to be noise reducing and
are recognizable from the plastic block towards one end.
Screenshot before and after changing to a noise reducing cable (view full size image):

A shielded cable with ferrite core was used in the right-hand image.
The before and after images were both taken with the preamp on and the LNA and VGA both set to 24db.

10.2 Sampling Rate and Baseband Filters

Using a sampling rate of less than 8MHz is not recommended. Partly, this is because the MAX5864 (ADC/DAC chip)
isn’t specified to operate at less than 8MHz, and therefore, no promises are made by Maxim about how it performs. But
more importantly, the baseband filter in the MAX2837 has a minimum bandwidth of 1.75MHz. It can’t provide enough
filtering at 2MHz sampling rate to remove substantial signal energy in adjacent spectrum (more than +/-1MHz from
the tuned frequency). The MAX2837 datasheet suggests that at +/-1MHz, the filter provides only 4dB attenuation, and
at +/-2MHz (where a signal would alias right into the center of your 2MHz spectrum), it attenuates about 33dB. That’s
significant. Here’s a picture:

33
HackRF

At 8MHz sampling rate, and using the minimum 1.75MHz bandwidth filter, this is the response:

You can see that the attenuation is more than 60dB at +/-2.8MHz, which is more than sufficient to remove significant
adjacent spectrum interference before the ADC digitizes the baseband. If using this configuration to get a 2MHz
sampling rate, use a GNU Radio block after the 8MHz source that performs a 4:1 decimation with a decently sharp
low pass filter (complex filter with a cut-off of <1MHz).

34 Chapter 10. Tips and Tricks

 CHAPTER

ELEVEN

FIRMWARE DEVELOPMENT SETUP

Firmware build instructions are included in the repository under firmware/README:

https://github.com/mossmann/hackrf/blob/master/firmware/README

35
HackRF

36 Chapter 11. Firmware Development Setup

 CHAPTER

TWELVE

LPC43XX DEBUGGING

Various debugger options for the LPC43xx exist.

12.1 Black Magic Probe

https://github.com/blacksphere/blackmagic
An example of using gdb with the Black Magic Probe:

arm-none-eabi-gdb -n blinky.elf
target extended-remote /dev/ttyACM0
monitor swdp_scan
attach 1
set {int}0x40043100 = 0x10000000
load
cont

It is possible to attach to the M0 instead of the M4 if you use jtag_scan instead of swdp_scan, but the Black Magic
Probe had some bugs when trying to work with the M0 the last time I tried it.

12.2 LPC-Link

(included with LPCXpresso boards)

TitanMKD has had some success. See the tutorial in hackrf/doc/LPCXPresso_Flash_Debug_Tutorial.pdf or .odt (PDF
and OpenOffice document) Doc Link [https://github.com/mossmann/hackrf/tree/master/doc)

12.3 ST-LINK/V2

12.3.1 Hardware Configuration

Start with an STM32F4-Discovery board. Remove the jumpers from CN3. Connect the target’s SWD interface to CN2
“SWD” connector.

37
HackRF

12.3.2 Software Configuration

I’m using libusb-1.0.9.

Install OpenOCD-0.6.0 dev

# Cloned at hash a21affa42906f55311ec047782a427fcbcb98994

git clone git://openocd.git.sourceforge.net/gitroot/openocd/openocd
cd openocd
./bootstrap
./configure --enable-stlink --enable-buspirate --enable-jlink --enable-maintainer-mode
make
sudo make install

OpenOCD configuration files

openocd.cfg
#debug_level 3
source [find interface/stlink-v2.cfg]
source ./lpc4350.cfg

lpc4350.cfg

set _CHIPNAME lpc4350

set _M0_CPUTAPID 0x4ba00477
set _M4_SWDTAPID 0x2ba01477
set _M0_TAPID 0x0BA01477
set _TRANSPORT stlink_swd

transport select $_TRANSPORT

stlink newtap $_CHIPNAME m4 -expected-id $_M4_SWDTAPID

stlink newtap $_CHIPNAME m0 -expected-id $_M0_TAPID

target create $_CHIPNAME.m4 stm32_stlink -chain-position $_CHIPNAME.m4

#target create $_CHIPNAME.m0 stm32_stlink -chain-position $_CHIPNAME.m0

target.xml, nabbed from an OpenOCD mailing list thread, to fix a communication problem between GDB and newer
OpenOCD builds.

<?xml version="1.0"?>
<!DOCTYPE target SYSTEM "gdb-target.dtd">
<target>
<feature name="org.gnu.gdb.arm.core">
<reg name="r0" bitsize="32" type="uint32"/>
<reg name="r1" bitsize="32" type="uint32"/>
<reg name="r2" bitsize="32" type="uint32"/>
<reg name="r3" bitsize="32" type="uint32"/>
<reg name="r4" bitsize="32" type="uint32"/>
<reg name="r5" bitsize="32" type="uint32"/>
<reg name="r6" bitsize="32" type="uint32"/>
(continues on next page)

38 Chapter 12. LPC43xx Debugging

 HackRF

(continued from previous page)

<reg name="r7" bitsize="32" type="uint32"/>
<reg name="r8" bitsize="32" type="uint32"/>
<reg name="r9" bitsize="32" type="uint32"/>
<reg name="r10" bitsize="32" type="uint32"/>
<reg name="r11" bitsize="32" type="uint32"/>
<reg name="r12" bitsize="32" type="uint32"/>
<reg name="sp" bitsize="32" type="data_ptr"/>
<reg name="lr" bitsize="32"/>
<reg name="pc" bitsize="32" type="code_ptr"/>
<reg name="cpsr" bitsize="32" regnum="25"/>
</feature>
<feature name="org.gnu.gdb.arm.fpa">
<reg name="f0" bitsize="96" type="arm_fpa_ext" regnum="16"/>
<reg name="f1" bitsize="96" type="arm_fpa_ext"/>
<reg name="f2" bitsize="96" type="arm_fpa_ext"/>
<reg name="f3" bitsize="96" type="arm_fpa_ext"/>
<reg name="f4" bitsize="96" type="arm_fpa_ext"/>
<reg name="f5" bitsize="96" type="arm_fpa_ext"/>
<reg name="f6" bitsize="96" type="arm_fpa_ext"/>
<reg name="f7" bitsize="96" type="arm_fpa_ext"/>
<reg name="fps" bitsize="32"/>
</feature>
</target>

12.4 Run ARM GDB

Soon, I should dump this stuff into a .gdbinit file.

arm-none-eabi-gdb -n
target extended-remote localhost:3333
set tdesc filename target.xml
monitor reset init
monitor mww 0x40043100 0x10000000
monitor mdw 0x40043100 # Verify 0x0 shadow register is set properly.
file lpc4350-test.axf # This is an ELF file.
load # Place image into RAM.
monitor reset init
break main # Set a breakpoint.
continue # Run to breakpoint.
continue # To continue from the breakpoint.
step # Step-execute the next source line.
stepi # Step-execute the next processor instruction.
info reg # Show processor registers.

More GDB tips for the GDB-unfamiliar:

# Write the variable "buffer" (an array) to file "buffer.u8".

dump binary value buffer.u8 buffer

# Display the first 32 values in buffer whenever you halt

(continues on next page)

12.4. Run ARM GDB 39

HackRF

(continued from previous page)

# execution.
display/32xh buffer

# Print the contents of a range of registers (in this case the

# CGU peripheral, starting at 0x40050014, for 46 words):
x/46 0x40050014

And still more, for debugging ARM Cortex-M4 Hard Faults:

# Assuming you have a hard-fault handler wired in:

display/8xw args

# Examine fault-related registers:

# Configurable Fault Status Register (CFSR) contains:

# CFSR[15:8]: BusFault Status Register (BFSR)
# "Shows the status of bus errors resulting from instruction
# prefetches and data accesses."
# BFSR[7]: BFARVALID: BFSR contents valid.
# BFSR[5]: LSPERR: fault during FP lazy state preservation.
# BFSR[4]: STKERR: derived bus fault on exception entry.
# BFSR[3]: UNSTKERR: derived bus fault on exception return.
# BFSR[2]: IMPRECISERR: imprecise data access error.
# BFSR[1]: PRECISERR: precise data access error, faulting
# address in BFAR.
# BFSR[0]: IBUSERR: bus fault on instruction prefetch. Occurs
# only if instruction is issued.
display/xw 0xE000ED28

# BusFault Address Register (BFAR)

# "Shows the address associated with a precise data access fault."
# "This is the location addressed by an attempted data access that
# was faulted. The BFSR shows the reason for the fault and whether
# BFAR_ADDRESS is valid..."
# "For unaligned access faults, the value returned is the address
# requested by the instruction. This might not be the address that
# faulted."
display/xw 0xE000ED38

40 Chapter 12. LPC43xx Debugging

 CHAPTER

THIRTEEN

LPC43XX SGPIO CONFIGURATION

The LPC43xx SGPIO peripheral is used to move samples between USB and the ADC/DAC chip (MAX5864). The
SGPIO is a peripheral that has a bunch of 32-bit shift registers. These shift registers can be configured to act as a
parallel interface of different widths. For HackRF, we configure the SGPIO to transfer eight bits at a time. The SGPIO
interface can also accept an external clock, which we use to synchronize transfers with the sample clock.
In the current HackRF design, there is a CPLD which manages the interface between the MAX5864 and the SGPIO
interface. There are four SGPIO signals that control the SGPIO data transfer:
• Clock: Determines when a value on the SGPIO data bus is transferred.
• Direction: Determines whether the MAX5864 DA (ADC) data is driven onto the SGPIO lines, or if the SGPIO
lines drive the data bus with data for the MAX5864 DD (DAC) signals.
• Data Valid: Indicates a sample on the SGPIO data bus is valid data.
• Transfer Enable: Allows SGPIO to synchronize with the I/Q data stream. The MAX5864 produces/consumes
two values (quadrature/complex value) per sample period – an I value and a Q value. These two values are
multiplexed on the SGPIO lines. This signal suspends data valid until the I value should be transferred.

13.1 Frequently Asked Questions

13.1.1 Why not use GPDMA to transfer samples through SGPIO?

It would be great if we could, as that would free up lots of processor time. Unfortunately, the GPDMA scheme in
the LPC43xx does not seem to support peripheral-to-memory and memory-to-peripheral transfers with the SGPIO
peripheral.
You might observe that the SGPIO peripheral can generate requests from SGPIO14 and SGPIO15, using an arbitrary bit
pattern in the slice shift register. The pattern in the slice determines the request interval. That’s a good start. However,
how do you specify which SGPIO shadow registers are read/written at each request, and in which order those registers
are transferred with memory? It turns out you can’t. In fact, it appears that an SGPIO request doesn’t cause any transfer
at all, if your source or destination is “peripheral”. Instead, the SGPIO request is intended to perform a memory-to-
memory transfer synchronized with SGPIO. But you’re on your own as far as getting data to/from the SGPIO shadow
registers. I believe this is why the SGPIO camera example in the user manual describes an SGPIO interrupt doing the
SGPIO shadow register transfer, and the GPDMA doing moves from one block of RAM to another.
Perhaps if we transfer only one SGPIO shadow register, using memory-to-memory? Then we don’t have to worry
about the order of SGPIO registers, or which ones need to be transferred. It turns out that when you switch over to
memory-to-memory transfers, you lose peripheral request generation. So the GPDMA will transfer as fast as possible
– far faster than words are produced/consumed by SGPIO.

41
HackRF

I’d really love to be wrong about all this, but all my testing has indicated there’s no workable solution to using GPDMA
that’s any better than using SGPIO interrupts to transfer samples. If you want some sample GPDMA code to experiment
with, please contact Jared (sharebrained on #hackrf in Discord or IRC).

42 Chapter 13. LPC43xx SGPIO Configuration

 CHAPTER

FOURTEEN

LPC43XX USB DFU NOTES

The LPC43xx contains USB DFU bootloader support in ROM. By selecting the appropriate boot mode (USB0), the
device will come up on USB at power-up or reset, and implement the popular and well-documented USB DFU protocol.

14.1 Setup

14.1.1 Boot Mode Jumpers

Set the boot mode jumpers to USB0: BOOT[0:3] = “1010”. Jumper setting takes effect at the next power-on or reset.
(You can rig up a reset button to P2 “LPC_JTAG” or P14 “LPC_ISP”.)

14.1.2 USB DFU Utility

http://dfu-util.gnumonks.org/
You need the latest source from git for some reason.

14.2 Usage Notes

14.2.1 Makefile

The firmware Makefile contains a “%.dfu” and a “program” target. The program target will make the DFU file and
then attempt to load the code to a device that’s attached via USB and in DFU mode.

14.2.2 Manually

DFU boot downloads to RAM then executes. Need a DFU suffix, but also a header

cp blinky.bin blinky.dfu

Add DFU suffix and address prefix:

/usr/local/bin/dfu-suffix --pid=0x000c --vid=0x1fc9 --did=0x0 -s 0 -a blinky.dfu

Create header (based on UM10503 section 5.3.3 “Boot image header format”):

43
HackRF

echo "0000000: da ff {blocksL} {blocksH} {hash0} {hash1} {hash2} {hash3}" | xxd -g1 -r >␣
˓→header.bin

where {blocksL} and {blocksH} are the low and high bytes of the length of the .bin file + 16 bytes, measured in 512-byte
frames. “02 00” means 2 x 512 + 16 bytes. (this should be automated.) Assume rounded up.
{hash0}..{hash3} = 0xFF. The value is not used, based on the HASH_ACTIVE field in the first two bytes.
Add header

cat header.bin blinky.dfu > load.dfu

Check for device:

/usr/local/bin/dfu-util -l

Download (I used the latest dfu-util from git)

/usr/local/bin/dfu-util -d 1fc9:000c -a 0 -D load.dfu

Also make sure that the binary is linked for execution at address 0x00000000. This is the default for our linker scripts.

14.3 Jellybean Notes

A 12 MHz clock signal must be supplied to the LPC4330 at boot time.

The April 16, 2012 Jellybean design has a voltage divider for VBUS that is fed to the LPC43xx to detect that a USB host
is present. Measuring the divided voltage, the USB0_VBUS only reaches 0.4V, which fails to trip the USB bootloader
code. It looks like NXP’s intent is to directly connect VBUS to the USB0_VBUS. Indeed, when I shorted R10 with
tweezers, the USB bootloader sprung into action. I would recommend changing R10 to 0 Ohms and R11 to DNP, or
removing R10 and R11 altogether.

44 Chapter 14. LPC43xx USB DFU Notes

 CHAPTER

FIFTEEN

LPC43XX USB IMPLEMENTATION

The NXP LPC43xx has a fairly sophisticated USB peripheral. It can transmit and receive chains of large buffers (by
microcontroller standards), completely independently of the processor. This is excellent, as we’ll want to reserve the
processor’s computational power for doing interesting things with the data.

15.1 Initial Experimentation and Discovery

My first attempt at USB device software was to use the built-in, ROM-based USB API. I got the part to show up on my
host, but quickly ran into problems with old headers that didn’t match the API function signatures and data structures.
I got a much better, more up-to-date set of code to work with from the LPCware Web site’s git repository. I then
attempted to use the USB DFU support built in to the ROM, but quickly abandoned that in favor of doing some basic
performance-testing of the USB peripheral.
To save time, I started with the nxpUSBLib USB library, which is a port of Dean Camera’s LUFA. This port had
LPC18xx support already, but no official LPC43xx support. I hacked together support by copying, renaming, and
modifying the LPC18xx-specific parts. For USB descriptors, I emulated the FT2232H, a high-speed USB-to-FIFO IC
that uses large bulk transfers to move data at a rate of 35MiB/second or more.
(more to come)

45
HackRF

46 Chapter 15. LPC43xx USB Implementation

 CHAPTER

SIXTEEN

HARDWARE COMPONENTS

Major parts used in HackRF One:

• MAX2837 2.3 to 2.7 GHz transceiver
– Datasheet
– There’s also a register map document that Mike received directly from Maxim. Send an email to Mike
or submit a support request to Maxim if you want a copy.
• MAX5864 ADC/DAC
– Datasheet
• Si5351 clock generator
– AN619: Manually Generating an Si5351 Register Map
– Datasheet - this document is a mess of typos, and best used in conjunction with AN619, which has its
own typos. Usually, you can reconcile what’s true by comparison and a bit of thought.
– Other Documentation - includes application notes, user guides, and white papers.
• CoolRunner-II CPLD
• LPC43xx ARM Cortex-M4 microcontroller
– User Manual
– Datasheet
– Other Documentation (LPC4330FBD144) - includes errata and application notes.
– ARM-standard JTAG/SWD connector pinout
– BSDL file for the LPC43xx (For boundary scan)
• RFFC5072 mixer/synthesizer
– Datasheet
– Other Documentation ; click “Technical Documents” - includes programming guides and application
notes.
• W25Q80BV 8M-bit Flash

47
HackRF

16.1 Block Diagrams

48 Chapter 16. Hardware Components

 HackRF

16.1. Block Diagrams 49

HackRF

50 Chapter 16. Hardware Components

 CHAPTER

SEVENTEEN

CLOCKING

HackRF clock signals are generated by the Si5351. The plan so far:
• crystal frequency: 25 MHz (supports 25 or 27 MHz)
• optional clock input frequency: 10 MHz recommended (supports 10 to 40 MHz, or higher with division)
• VCO frequency: 800 MHz (supports 600 to 900 MHz)
• MAX2837 clock: 40 MHz
• preferred MAX5864 clocks: 8, 10, 12.5, 16, 20 MHz
• A clock at double the MAX5864 rate will be delivered to the CPLD and SGPIO.
• LPC43xx clock: 12 MHz (from separate crystal so the ROM-based USB DFU will work)
Lemondrop+Jellybean Si5351 output mapping:
• CLK0 -> MAX2837
• CLK1 -> MAX5864/CPLD
• CLK2 -> CPLD
• CLK3 -> CPLD
• CLK4 -> LPC4330
• CLK5 -> RFFC5072
• CLK6 -> extra
• CLK7 -> extra
Jawbreaker output mapping:
• CLK0 -> MAX5864/CPLD
• CLK1 -> CPLD
• CLK2 -> SGPIO
• CLK3 -> external clock output
• CLK4 -> RFFC5072
• CLK5 -> MAX2837
• CLK6 -> none
• CLK7 -> LPC4330 (but LPC4330 will start up on its own crystal)

51
HackRF

52 Chapter 17. Clocking

 CHAPTER

EIGHTEEN

MULTIPLE DEVICE HARDWARE LEVEL SYNCHRONIZATION

18.1 Purpose

This page describes the modifications required to get multiple HackRF hardware-level synchronisation working. Syn-
chronisation is required for many applications where a single HackRF isn’t sufficient:
• phase correlation
• oversampling using multiple devices
• 40MHz (or more) protocols such as WiFi
The HackRFs will start transmitting USB packets at the same time, which results in an inter-device offset of ~50 samples
at a sample rate of 20MSps. Without this synchronisation, the offset is in the range of thousands to tens of thousands of
samples. This is due to the USB start command being called sequentially for each device, along with USB buffering,
OS-level timing etc.
BE WARNED you will have to open your HackRFs, which is most likely going to destroy the plastic case it comes in.
You will also be electrically connecting them together. If you do this incorrectly, there is a good chance one or all of
the devices will be permanently destroyed.

18.2 Related work

"bardi_" on the #hackrf channel pointed out his paper on synchronising HackRFs. This uses the HackRF CPLD to
synchronise multiple devices.

18.3 Requirements

For this to work you will need:

• at least two devices
• a clock sync cable
• some connecting cables (pin header-type)
• a breadboard

53
HackRF

18.4 Opening your HackRF

The HackRF case has small plastic clips holding it together. These are usually destroyed when the case is opened.
Please follow the instructions in this video by Jared Boone.

18.5 Connect the clocks

Connecting the HackRF clocks together will force them to sample at precisely the same rate. The individual samples
will most likely be sampled at slightly different times due to phase offsets in the clock ICs, but for most purposes this
is acceptable.
Choose a primary HackRF, and connect the clock sync cable from the clock out connector to the clock in connector
of the second HackRF. If you’re using another HackRF, connect the second HackRF’s clock out to the third HackRF’s
clock in.
Your HackRFs should look like this:

54 Chapter 18. Multiple device hardware level synchronization

 HackRF

18.6 Identify the pin headers

Firstly, this has only been tested on official HackRF Ones. If you have a jawbreaker, HackRF blue or another HackRF-
inspired device, you will have to figure out how to connect the devices correctly, using the schematics.
The hackrf has four pin headers, three of which are arranged in a ‘C’ shape. On the board these are marked as P28, P22
and P20. P20 is the header closest to the clock in/clock out connectors. For this exercise we will only be discussing
P20. The hackrf schematics are a very good reference for this activity. The relevant part can been seen in the following
image:

This is the P20 schematic diagram:

18.6. Identify the pin headers 55

HackRF

56 Chapter 18. Multiple device hardware level synchronization

 HackRF

18.7 Wire up the pin headers

As mentioned before BE WARNED, this step could easily result in one or all of your HackRFs being permanently
damaged.
Now that’s out of the way, let me describe what we’re doing here. The first part of this exercise is to give both devices
a common ground. This is really important for any inter-device electrical connections, as it prevents ICs from seeing
slight differences in the respective GND levels as legitimate signals. As shown on the schematic, many of the pins in
P20 are GND pins. We use P20-PIN19 on both devices and connect them together like so:

We then need a positive (+5v) connection to ‘fake’ the third hackrf if it’s not present. We use P20-PIN3 from the
primary hackrf for this, and bring it down to the breadboard. primary:P20-PIN8 and secondary:P20-PIN8 are ready
input GPIO pins for the missing third HackRF. Connect these to the breadboard positive line. After this your setup
should look like so:

18.7. Wire up the pin headers 57

HackRF

Next we connect the primary:P20-PIN7 ready GPIO pin input to the secondary:P20-PIN5 ready GPIO pin output, and
the primary:P20-PIN5 ack GPIO pin output to the secondary:P20-PIN7 ack GPIO pin input. This is the final step, and
should look as follows:

58 Chapter 18. Multiple device hardware level synchronization

 HackRF

18.8 Upgrade

Now that the hardware is setup, you need to upgrade your HackRFs’ firmware, and your libhackrf to at least v2017.02.1
as per this documentation page.

18.9 Testing with hackrf_transfer

The latest version of hackrf_transfer includes the ‘-H’ flag, which will activate hardware synchronisation (via libhackrf
via the firmware). Testing this way is a little tricky because neither HackRF will start sending data until they are synched,
and hackrf_transfer will time out if it hasn’t received any data within one second. So the test requires that two copies
of _hackrf_transfer are started within 1 second of each other. My approach is to have two terminal windows with the
relevant commands waiting, and quickly run them.
This test will fail if:
• your hackrf firmware or libhackrf are out of date
• your connectors are incorrectly set up
• your timing is too slow when running hackrf_transfer

18.8. Upgrade 59
HackRF

Run the following command:

• hackrf_transfer -d <device A> -r <filename-A> -H &; hackrf_transfer -d <device B> -r <filename-B> -H
If the test runs correctly, you have successfully streamed synchronised data from two HackRFs!
The two streams can be merged into one using GnuRadio, and then viewed using this hacky piece of PyQt.

18.10 What next?

Obviously the method of wiring up multiple HackRFs described above is fragile and prone to error. Perhaps a PCB
could be designed that will connect up to four HackRFs together by plugging into the ‘C-shape’ pin headers.
Usually the Osmocom source can be used for multi-device streaming, as it can be configured to pull from more than
one device. Unfortunately the current version does not have hardware synchronisation built in. Work is being done to
make the Osmocom source compatible with these changes.

60 Chapter 18. Multiple device hardware level synchronization

 HackRF

18.10. What next? 61

HackRF

62 Chapter 18. Multiple device hardware level synchronization

 CHAPTER

NINETEEN

SOFTWARE SUPPORT

19.1 Software with HackRF Support

This is intended to be a list of software known to work with the HackRF. There are three sections, GNU Radio Based
software, those that have support directly, and those that can work with data from the HackRF.

19.2 GNU Radio Based

GNU Radio Mode-S/ADS-B - https://github.com/bistromath/gr-air-modes

GQRX - http://gqrx.dk/

19.3 Direct Support

SDR# (Windows only) - https://airspy.com/download/

• Only nightly builds currently support HackRF One - http://sdrsharp.com/downloads/sdr-nightly.zip
SDR_Radio.com V2 - http://v2.sdr-radio.com/Radios/HackRF.aspx
Universal Radio Hacker (Windows/Linux) - https://github.com/jopohl/urh
QSpectrumAnalyzer - https://github.com/xmikos/qspectrumanalyzer
Spectrum Analyzer GUI for hackrf_sweep for Windows - https://github.com/pavsa/hackrf-spectrum-analyzer

19.4 Can use HackRF data

Inspectrum https://github.com/miek/inspectrum
• Capture analysis tool with advanced features
Baudline http://www.baudline.com/ (Can view/process HackRF data, e.g. hackrf_transfer)

63
HackRF

19.5 HackRF Tools

In addition to third party tools that support HackRF, we provide some commandline tools for interacting with HackRF.
For information on how to use each tool look at the help information provided (e.g. hackrf_transfer -h) or the
manual pages.
The first two tools (hackrf_info and hackrf_transfer) should cover most usage. The remaining tools are provided
for debugging and general interest; beware, they have the potential to damage HackRF if used incorrectly.
• hackrf_info Read device information from HackRF such as serial number and firmware version.
• hackrf_transfer Send and receive signals using HackRF. Input/output can be 8bit signed quadrature files or wav
files.
• hackrf_max2837 Read and write registers in the Maxim 2837 transceiver chip. For most tx/rx purposes
hackrf_transfer or other tools will take care of this for you.
• hackrf_rffc5071 Read and write registers in the RFFC5071 mixer chip. As above, this is for curiosity or debug-
ging only, most tools will take care of these settings automatically.
• hackrf_si5351c Read and write registers in the Silicon Labs Si5351C clock generator chip. This should also be
unnecessary for most operation.
• hackrf_spiflash A tool to write new firmware to HackRF. This is mostly used for Updating Firmware.
• hackrf_cpldjtag A tool to update the CPLD on HackRF. This is needed only when Updating Firmware to a
version prior to 2021.03.1.

19.6 Handling HackRF data

19.6.1 Matlab

fid = open('samples.bin', 'r');

len = 1000; % 1000 samples
y = fread(fid, 2*len, 'int8');
y = y(1:2:end) + 1j*y(2:2:end);
fclose(fid)

64 Chapter 19. Software Support

 CHAPTER

TWENTY

LIBHACKRF API

This document describes the functions, data structures and constants that libHackRF provides. It should be used as a
reference for using libHackRF and the HackRF hardware.
If you are writing a generic SDR application, i.e. not tied to the HackRF hardware, we strongly recommend that you use
either gr-osmosdr or SoapySDR to provide support for the broadest possible range of software defined radio hardware.
For example usage of many of these functions, see the hackrf_transfer tool.

20.1 Setup, Initialization and Shutdown

20.1.1 HackRF Init

Initialize libHackRF, including global libUSB context to support multiple HackRF hardware devices.
Syntax: int hackrf_init()
Returns: A value from the hackrf_error constants listed below.

20.1.2 HackRF Open

Syntax: int hackrf_open(hackrf_device** device)

Returns: A value from the hackrf_error constants listed below.

20.1.3 HackRF Device List

Retrieve a list of HackRF devices attached to the system. This function finds all devices, regardless of permissions or
availability of the hardware.
Syntax: hackrf_device_list_t* hackrf_device_list()
Returns: A pointer to a hackrf_device_list_t struct, a list of HackRF devices attached to the system. The contents of
the hackrf_device_list_t struct are decribed in the data structures section below.

65
HackRF

20.1.4 HackRF Device List Open

Open and acquire a handle on a device from the hackrf_device_list_t struct.

Syntax: int hackrf_device_list_open(hackrf_device_list_t* list, int idx, hackrf_device**
device)
Params:
list - A pointer to a hackrf_device_list_t returned by hackrf_device_list()
idx - The list index of the HackRF device to open
device - Output location for hackrf_device pointer. Only valid when return value is HACKRF_SUCCESS.
Returns: A value from the hackrf_error constants listed below.

20.1.5 HackRF Device List Free

Syntax: void hackrf_device_list_free(hackrf_device_list_t* list)

Params:
list - A pointer to a hackrf_device_list_t returned by hackrf_device_list()

20.1.6 HackRF Open By Serial

Syntax: int hackrf_open_by_serial(const char* const desired_serial_number, hackrf_device**

device)
Returns:

20.1.7 HackRF Close

Syntax: int hackrf_close(hackrf_device* device)

Returns: A value from the hackrf_error constants listed below.

20.1.8 HackRF Exit

Cleanly shutdown libHackRF and the underlying USB context. This does not stop in progress transfers or close the
HackRF hardware. hackrf_close() should be called before this to cleanly close the connection to the hardware.
Syntax: int hackrf_exit()
Returns: A value from the hackrf_error constants listed below.

66 Chapter 20. libhackRF API

 HackRF

20.2 Using the Radio

20.2.1 HackRF Start Rx

Syntax: int hackrf_start_rx(hackrf_device*, hackrf_sample_block_cb_fn, void* rx_ctx)

Params:
Returns: A value from the hackrf_error constants listed below.

20.2.2 HackRF Stop Rx

Syntax: int hackrf_stop_rx(hackrf_device*)

Params:
Returns: A value from the hackrf_error constants listed below.

20.2.3 HackRF Start Tx

Syntax: int hackrf_start_tx(hackrf_device*, hackrf_sample_block_cb_fn, void* tx_ctx)

Params:
Returns: A value from the hackrf_error constants listed below.

20.2.4 HackRF Stop Tx

Syntax: int hackrf_stop_tx(hackrf_device*)

Params:
Returns: A value from the hackrf_error constants listed below.

20.2.5 HackRF Set Baseband Filter Bandwidth

Syntax: int hackrf_set_baseband_filter_bandwidth(hackrf_device*, const uint32_t

bandwidth_hz)
Params:
Returns: A value from the hackrf_error constants listed below.

20.2.6 HackRF Compute Baseband Filter BW

Compute best default value depending on sample rate (auto filter).

Syntax: uint32_t hackrf_compute_baseband_filter_bw(const uint32_t bandwidth_hz)
Params:
Returns: A valid baseband filter width available from the Maxim MAX2837 frontend used by the radio.

20.2. Using the Radio 67

HackRF

20.2.7 HackRF Compute Baseband Filter BW Round Down LT

Compute nearest freq for bw filter (manual filter)

Syntax: uint32_t hackrf_compute_baseband_filter_bw_round_down_lt(const uint32_t
bandwidth_hz)
Params:
Returns: A valid baseband filter width available from the Maxim MAX2837 frontend used by the radio.

20.3 Reading and Writing Registers

20.3.1 HackRF MAX2837 Read

Read register values from the MAX2837 Baseband IC.

Syntax: int hackrf_max2837_read(hackrf_device* device, uint8_t register_number, uint16_t*
value)
Params:
Returns:

20.3.2 HackRF MAX2837 Write

Write register values to the MAX2837 Baseband IC.

Syntax: int hackrf_max2837_write(hackrf_device* device, uint8_t register_number, uint16_t
value)
Params:
Returns:

20.3.3 HackRF Si5351C Read

Read register values from the Si5351C clock generator IC.

Syntax: int hackrf_si5351c_read(hackrf_device* device, uint16_t register_number, uint16_t*
value)
Params:
Returns:

68 Chapter 20. libhackRF API

 HackRF

20.3.4 HackRF Si5351C Write

Write register values to the Si5351C clock generator IC.

Syntax: int hackrf_si5351c_write(hackrf_device* device, uint16_t register_number, uint16_t
value)
Params:
Returns:

20.3.5 HackRF RFFC5071 Read

Read register values from the RFFC5071 mixer IC.

Syntax: int hackrf_rffc5071_read(hackrf_device* device, uint8_t register_number, uint16_t*
value)
Params:
Returns:

20.3.6 HackRF RFFC5071 Write

Write register values to the RFFC5071 mixer IC.

Syntax: int hackrf_rffc5071_write(hackrf_device* device, uint8_t register_number, uint16_t
value)
Params:
Returns:

20.4 Updating Firmware

20.4.1 HackRF CPLD Write

Device will need to be reset after hackrf_cpld_write.

Syntax: int hackrf_cpld_write(hackrf_device* device, unsigned char* const data, const
unsigned int total_length)
Params:
Returns:

20.4. Updating Firmware 69

HackRF

20.4.2 HackRF SPI Flash Erase

Syntax: int hackrf_spiflash_erase(hackrf_device* device)

Params:
Returns:

20.4.3 HackRF SPI Flash Write

Syntax: int hackrf_spiflash_write(hackrf_device* device, const uint32_t address, const

uint16_t length, unsigned char* const data)
Params:
Returns:

20.4.4 HackRF SPI Flash Read

Syntax: int hackrf_spiflash_read(hackrf_device* device, const uint32_t address, const

uint16_t length, unsigned char* data)
Params:
Returns:

20.5 Board Identifiers

20.5.1 HackRF Board ID Read

Syntax: int hackrf_board_id_read(hackrf_device* device, uint8_t* value)

Params:
Returns:

20.5.2 HackRF Version String Read

Syntax: int hackrf_version_string_read(hackrf_device* device, char* version, uint8_t

length)
Params:
Returns:

70 Chapter 20. libhackRF API

 HackRF

20.5.3 HackRF Board Part ID Serial Number Read

Syntax: int hackrf_board_partid_serialno_read(hackrf_device* device,

read_partid_serialno_t* read_partid_serialno)
Params:
Returns:

20.6 Miscellaneous

20.6.1 HackRF Error Name

Syntax: const char* hackrf_error_name(enum hackrf_error errcode)

Params:
Returns:

20.6.2 HackRF Board ID Name

Syntax: const char* hackrf_board_id_name(enum hackrf_board_id board_id)

Params:
Returns:

20.6.3 HackRF USB Board ID Name

Syntax: const char* hackrf_usb_board_id_name(enum hackrf_usb_board_id usb_board_id)

Params:
Returns:

20.6.4 HackRF Filter Path Name

Syntax: const char* hackrf_filter_path_name(const enum rf_path_filter path)

Params:
Returns:

20.7 Data Structures

typedef struct hackrf_device hackrf_device

typedef struct {
hackrf_device* device;
uint8_t* buffer;
int buffer_length;
int valid_length;
(continues on next page)

20.6. Miscellaneous 71
HackRF

(continued from previous page)

void* rx_ctx;
void* tx_ctx;
} hackrf_transfer;

typedef struct {
uint32_t part_id[2];
uint32_t serial_no[4];
} read_partid_serialno_t;

typedef struct {
char **serial_numbers;
enum hackrf_usb_board_id *usb_board_ids;
int *usb_device_index;
int devicecount;

void **usb_devices;
int usb_devicecount;
} hackrf_device_list_t;

typedef int (*hackrf_sample_block_cb_fn)(hackrf_transfer* transfer)

20.8 Enumerations

20.8.1 Supported board versions

These values identify the board type of the connected hardware. This value can be used as an indicator of capabilities,
such as frequency range, bandwidth or antenna port power.

Board Frequency range Bandwidth Antenna port power

HackRF One 1MHz - 6Ghz 20MHz Yes
Jawbreaker 10MHz - 6GHz 20MHz No
Rad1o 50MHz - 4GHz 20MHz Unknown
Jellybean N/A 20MHz No

Most boards will identify as HackRF One, Jawbreaker or Rad1o. Jellybean was a pre-production revision of HackRF.
No hardware device should intentionally report itself with an invalid board ID.

enum hackrf_board_id {
BOARD_ID_JELLYBEAN = 0,
BOARD_ID_JAWBREAKER = 1,
BOARD_ID_HACKRF_ONE = 2,
BOARD_ID_RAD1O = 3,
BOARD_ID_INVALID = 0xFF,
};

72 Chapter 20. libhackRF API

 HackRF

20.8.2 USB Product IDs

enum hackrf_usb_board_id {
USB_BOARD_ID_JAWBREAKER = 0x604B,
USB_BOARD_ID_HACKRF_ONE = 0x6089,
USB_BOARD_ID_RAD1O = 0xCC15,
USB_BOARD_ID_INVALID = 0xFFFF,
};

20.8.3 Transceiver Mode

HackRF can operate in three main transceiver modes, Receive, Transmit and Signal Source. There is also a CPLD
update mode which is used to write firmware images to the CPLD.
The transceiver mode can be changed with hackrf_set_transceiver_mode with the value parameter set to one of
the following:

enum transceiver_mode_t {
TRANSCEIVER_MODE_OFF = 0,
TRANSCEIVER_MODE_RX = 1,
TRANSCEIVER_MODE_TX = 2,
TRANSCEIVER_MODE_SS = 3,
TRANSCEIVER_MODE_CPLD_UPDATE = 4
};

Receive mode (TRANSCEIVER_MODE_RX) is used to stream samples from the radio to the host system. Use
hackrf_set_freq to set the center frequency of receiver and hackrf_set_sample_rate to set the sample rate
(effective bandwidth).
Transmit mode (TRANSCEIVER_MODE_TX) is used to stream samples from the host to the radio.
See hackrf_transfer for an example of setting transmit and receive mode and transferring data over USB.

20.8.4 Function return values

20.8.5 RF Filter Path

enum rf_path_filter {
RF_PATH_FILTER_BYPASS = 0,
RF_PATH_FILTER_LOW_PASS = 1,
RF_PATH_FILTER_HIGH_PASS = 2,
};

20.8. Enumerations 73
HackRF

74 Chapter 20. libhackRF API

 CHAPTER

TWENTYONE

JAWBREAKER

HackRF Jawbreaker is the beta test hardware platform for the HackRF project.

21.1 Features

• half-duplex transceiver
• operating freq: 30 MHz to 6 GHz
• supported sample rates: 8 Msps to 20 Msps (quadrature)
• resolution: 8 bits
• interface: High Speed USB (with USB Micro-B connector)
• power supply: USB bus power
• portable
• open source

21.2 Set your Jawbreaker Free!

Jawbreaker has an SMA antenna connector but also includes a built-in PCB antenna intended for operation near 900
MHz. It isn’t a very good antenna. Seriously. A paperclip stuck into the SMA connector would probably be better.
You can free your Jawbreaker to operate with better antennas by cutting the PCB trace to the PCB antenna with a knife.
This enables the SMA connector to be used without interference from the PCB antenna.
A video that demonstrates the antenna modification is on YouTube: HackRF Antenna Modification
The trace to be cut is between the two solder pads inside a box labeled R44 in the assembly diagram. There is an arrow
pointing to it printed on the board.
Due to a manufacturing error, there is solder on R44. R44 may appear as a single solder blob. If you have a soldering
iron and solder wick/braid, use a soldering iron and fine solder wick to remove as much solder as you can from the
two R44 pads. Then, use a pen knife to gently cut away the area between the two R44 pads. Make multiple, gentle
cuts, instead of one or two forceful cuts. As you cut, you’ll break through the black solder mask, then the copper trace
between the pads, and stop when you reach fiberglass. Remove the copper trace completely, so just the two R44 pads
remain. Use a multimeter or continuity tester to verify that the two R44 pads are no longer connected.
If you don’t have a soldering iron, you can cut through the copper trace and the solder blob all at once, but it requires
a bit more effort.
The only reason not to do this is if you want to try Jawbreaker but don’t have any antenna with an SMA connector (or
adapter).

75
HackRF

If you want to restore the PCB antenna for some reason, you can install a 10 nF capacitor or a 0 ohm resistor on the
R44 pads or you may be able to simply create a solder bridge.

21.3 SMA, not RP-SMA

Some connectors that appear to be SMA are actually RP-SMA. If you connect an RP-SMA antenna to Jawbreaker, it
will seem to connect snugly but won’t function at all because neither the male nor female side has a center pin. RP-SMA
connectors are most common on 2.4 GHz antennas and are popular on Wi-Fi equipment.

21.4 Transmit Power

The maximum TX power varies by operating frequency:

• 30 MHz to 100 MHz: 5 dBm to 15 dBm, increasing as frequency decreases
• 100 MHz to 2300 MHz: 0 dBm to 10 dBm, increasing as frequency decreases
• 2300 MHz to 2700 MHz: 10 dBm to 15 dBm
• 2700 MHz to 4000 MHz: -5 dBm to 5 dBm, increasing as frequency decreases
• 4000 MHz to 6000 MHz: -15 dBm to 0 dBm, increasing as frequency decreases
Overall, the output power is enough to perform over-the-air experiments at close range or to drive an external amplifier.
If you connect an external amplifier, you should also use an external bandpass filter for your operating frequency.
Before you transmit, know your laws. Jawbreaker has not been tested for compliance with regulations governing trans-
mission of radio signals. You are responsible for using your Jawbreaker legally.

21.5 Hardware Documentation

Schematic diagram, assembly diagram,and bill of materials can be found at https://github.com/mossmann/hackrf/tree/

master/doc/hardware

21.6 Expansion Interface

21.6.1 LPC

Boot config

Default boot configuration is SPIFI. Install headers and jumpers (and optionally resistors) to reconfigure.

Pin P43 P32 P42 P27

1 VCC VCC VCC VCC
2 P2_9 P2_8 P1_2 P1_1
3 GND GND GND GND

The table below shows which pins to short per header for a given selection.

76 Chapter 21. Jawbreaker

 HackRF

Selection P43 P32 P42 P27

USART0 2-3 2-3 2-3 2-3
SPIFI 2-3 2-3 2-3 1-2
USB0 2-3 1-2 2-3 1-2
USSP0 2-3 1-2 1-2 1-2
USART3 1-2 2-3 2-3 2-3

P19 SPIFI Intercept header

Traces may be cut to install header and jumpers or use off-board SPI flash.

Pin Function
1 Flash DO
2 SPIFI_MISO
3 Flash DI
4 SPIFI_MOSI
5 Flash CLK
6 SPIFI_SCK
7 Flash CS
8 SPIFI_CS
9 Flash Hold
10 SPIFI_SIO3
11 Flash WP
12 SPIFI_SIO2

P20 GPIO

Pin Function
1 GPIO3_8
2 GPIO3_9
3 GPIO3_10
4 GPIO3_11
5 GPIO3_12
6 GPIO3_13
7 GPIO3_14
8 GPIO3_15
9 GND
10 GND

21.6. Expansion Interface 77

HackRF

P21 Analog

Pin Function
1 GND
2 ADC0_6
3 GND
4 ADC0_2
5 GND
6 ADC0_5
7 GND
8 ADC0_0

P22 I2S

Pin Function
1 VCC
2 I2S0_TX_SDA
3 I2S0_TX_WS
4 I2S0_TX_SCK
5 I2S0_TX_MCLK
6 GND

P25 LPC_ISP

Pin Function
1 GND
2 ISP
3 NC
4 U0_RXD
5 U0_TXD
6 RESET

P26 LPC_JTAG

Pin Function
1 VCC
2 TMS
3 GND
4 TCK
5 GND
6 TDO
7 NC
8 TDI
9 GND
10 RESET

78 Chapter 21. Jawbreaker

 HackRF

P28 SD

Pin Function
1 GND
2 VCC
3 SD_CD
4 SD_DAT3
5 SD_DAT2
6 SD_DAT1
7 SD_DAT0
8 SD_VOLT0
9 SD_CMD
10 SD_POW
11 SD_CLK
12 NC

21.6.2 CPLD

P29 CPLD_JTAG

Pin Function
1 CPLD_TMS
2 CPLD_TDI
3 CPLD_TDO
4 CPLD_TCK
5 GND
6 NCC

P30 BANK2_AUX

Pin Function
1 B2AUX1
2 B2AUX2
3 B2AUX3
4 B2AUX4
5 B2AUX5
6 B2AUX6
7 B2AUX7
8 B2AUX8
9 B2AUX9
10 B2AUX10
11 B2AUX11
12 B2AUX12
13 B2AUX13
14 B2AUX14
15 B2AUX15
16 B2AUX16

21.6. Expansion Interface 79

HackRF

P31 BANK1_AUX

Pin Function
1 B1AUX9
2 B1AUX10
3 B1AUX11
4 B1AUX12
5 B1AUX13
6 B1AUX14
7 B1AUX15
8 B1AUX16
9 GND
10 GND

21.6.3 External clock

P2 CLKOUT

Install C165 and R92 as necessary to match output. For CMOS output, install 0 ohm resistor in place of C165; do not
install R92.

Pin Function
1 CLKOUT
2 GND
3 GND
4 GND
5 GND

P16 CLKIN

Install C118, C164, R45, R84 and R85 as necessary to match input.
For CMOS input, install 0 ohm resistors in place of C118 and C164; do not install R45, R84, or R85.

Pin Function
1 CLKIN
2 GND
3 GND
4 GND
5 GND

80 Chapter 21. Jawbreaker

 HackRF

P17 CLKIN_JMP

Cut P17 short (trace) to enable external clock input. If short is cut, a jumper should be used on P17 at all times when
an external clock is not connected to P16.

Pin Function
1 GND
2 CLKIN

21.6.4 More

Additional headers are available. See the board files for additional details.

21.6. Expansion Interface 81

HackRF

82 Chapter 21. Jawbreaker

 CHAPTER

TWENTYTWO

DESIGN GOALS

Eventually, the HackRF project may result in multiple hardware designs, but the initial goal is to build a single wideband
transceiver peripheral that can be attached to a general purpose computer for software radio functions.
Primary goals:
• half-duplex transceiver
• operating freq: 100 MHz to 6 GHz
• maximum sample rate: 20 Msps
• resolution: 8 bits
• interface: High Speed USB
• power supply: USB bus power
• portable
• open source
Wish list:
• full-duplex (at reduced max sample rate)
• external clock reference
• dithering
• parallel interface for external FPGA, etc.
If there is a primary goal we miss, it will probably be the operating frequency range. The wideband front end is the
part of the design furthest from completion. At an absolute minimum, the board should do 900 MHz and 2.4 GHz.
The design is FPGA-less. There will be a tiny bit of DSP capability (ARM Cortex-M4), but mostly we’re just trying to
get samples to and from a host computer.
We are trading resolution and DSP capability for cost, portability, and frequency range. Considering that we’ll be able
to support oversampling for many applications and that we should be able to implement AGC, it should be a pretty
good trade.

83
HackRF

84 Chapter 22. Design Goals

 CHAPTER

TWENTYTHREE

FUTURE HARDWARE MODIFICATIONS

Things to consider for post-Jawbreaker hardware designs:

23.1 Antenna

The PCB antenna on Jawbreaker was included to facilitate beta testing. Future designs likely will not include a PCB
antenna.
SMA connectors will be PCB edge-mounted.

23.2 Baseband

The interfaces between the MAX2837 and MAX5864 have some signals inverted. Theoretically, that’s fine if compen-
sated for in software. However, I’m theorizing that RX/ADC DC offset compensation assumes that both channels have
the same DC polarity. I’ve fixed the inversion in the CPLD. However, a PCB experiment should be conducted to see if
the DC offset is reduced by un-inverting the RX Q channel connections to the MAX5864.

23.3 CPLD

The CPLD could be removed, but some sort of multiplexer would be needed to meet the MAX5864 i/o requirements.
Depending on the particular LPC43xx part used, it might be possible to use the System Control Unit (SCU) for this.

23.4 Clocking

The clock signal from the Si5351C to the LPC43xx’s GP_CLKIN pin may need different passives, but the documen-
tation on that clock input is thin (acceptable peak-to-peak voltage anyone?).
An unpopulated footprint for a 32.768 kHz RTC crystal would be nice. Also break out RTC battery pins to an expansion
header.

85
HackRF

23.5 USB

Would support for host mode on the second USB PHY be useful somehow? This is only possible with a larger LPC43xx
package that exposes the second PHY’s ULPI signals. Unless, of course, a mere full-speed PHY is acceptable.

23.6 Power Management

The MAX5864 appears to come up in “Tx” or “Rcvr” mode – I have observed that the part will pass DA bus data
to ID/QD without any SPI configuration. If we’re worried about USB power and minimizing current consumption, it
might be good to have this device on a power regulator with an ENABLE pin, or have a FET power switch. Yes, let’s
add a high side switch for the whole RF section.

23.7 Regulators

U21 (the TPS62410) FB1 pin is connected on the far side of jumper P8 (VCC), which puts the jumper inside the
feedback path. If the jumper trace is cut, the regulator may go nuts because the FB pin is floating.

23.8 Buttons

Add a reset button (for the LPC43xx). Maybe add a DFU button too.

23.9 Shielding

Maybe add a can around the RF section.

23.10 Footprints

Tighten up holes for USB connector support legs to improve placement consistency. Make some of the QFN pads
bigger (especially on the RF switches) for better soldering.

86 Chapter 23. Future Hardware Modifications

 HackRF

23.11 Shield Support

If support for add-on shields is considered valuable, here are some tweaks I’d suggest:
Any reason P28 (SD) pin 12 isn’t grounded or doing something useful? Same goes for P25 (LPC_ISP) pin 3 – maybe
make it VCC, the signaling voltage for the ISP interface? The SPIFI connector could also use a reference voltage
(GND?).
I’d like to see an I2C bus exposed somewhere, and perhaps an I2S0_RX_SDA signal, so I don’t have to steal it from
the CPLD interface. The I2S0 will function in “four-wire mode” with only one more pin (RX_SDA), so why not?
Provide a way to inject a supply voltage into the board? Having diodes managing multiple voltage sources would be
lossy, so a more expensive solution would be necessary on the Jawbreaker board, adding cost.
If an LPC43xx package with a higher pin-count is used, it would be stellar to expose the LCD interface and quadrature
encoder peripheral pins.
The RTC would be handy for stand-alone use. This would require a crystal (32.768kHz) between RTCX1 and RTCX2,
and exposing VBAT to a shield for battery backup (disconnecting it from VCC) or providing a coin cell footprint on
the HackRF PCB.
Coalesce separate headers into fewer, larger banks of headers, to reduce the number of unique, small header receptacles
required for mating? Reducing the header count will also increase the amount of board space around the perimeter of
a shield for components and connectors.

23.11. Shield Support 87

HackRF

88 Chapter 23. Future Hardware Modifications

 CHAPTER

TWENTYFOUR

LEMONDROP BRING UP

Board draws approximately 24mA from +3V3 when power is applied. This seems a bit high, but may be expected if not
all parts are capable of low-power mode, or aren’t configured for low power at power-on. I need to review the schematic
and datasheets and see what can be done.
When I put my finger on the MAX2837, current consumption goes up. This suggests there may be floating nodes in
that region of the circuit.

24.1 Si5351 I2C

Attached crystal is 25MHz. For now, I’m assuming 10pF “internal load capacitance” is good enough to get the crystal
oscillating. The crystal datasheet should be reviewed and measurements made. . .
Be sure to reference Silicon Labs application note 619 (AN619). The datasheet is a terrible mess (typos and lack of
some details). AN619 appears to be less of a mess, on the whole. And as a bonus, AN619 has PDF bookmarks for
each register.

24.1.1 Connections

• Bus Pirate GND to P7 pin 1

• Bus Pirate +3V3 to P7 pin 2 (through multimeter set to 200mA range)
• Bus Pirate CLK to P7 pin 3
• Bus Pirate MOSI to P7 pin 5

24.1.2 Bus Pirate I2C Initialization

# set mode
m
# I2C mode
4
# ~100kHz speed
3
# power supplies ON
W
# macro 1: 7-bit address search
(1)
(continues on next page)

89
HackRF

(continued from previous page)

Searching I2C address space. Found devices at:
0xC0(0x60 W) 0xC1(0x60 R)

I2C A0 address configuration pin (not available on QFN20 package) is apparently forced to “0”.

24.1.3 Reading registers

# Read register 0
I2C>[0xc0 0[0xc1 r]]
...
# Register 0: SYS_INIT=0, LOL_B=0, LOL_A=0, LOS=1, REVID=0
READ: 0x10
...
# Read 16 registers, starting with register 0
I2C>[0xc0 0[0xc1 r:16]]
...
READ: 0x10 ACK 0xF8 ACK 0x03 ACK 0x00 ACK 0x00 ACK 0x00 ACK 0x8F ACK 0x01 ACK
0x00 ACK 0x00 ACK 0x00 ACK 0x00 ACK 0x00 ACK 0x00 ACK 0x90 ACK 0x00
...
# Read 16 registers, starting with register 16
I2C>[0xc0 16[0xc1 r:16]]
...
READ: 0x00 ACK 0x00 ACK 0x00 ACK 0x00 ACK 0x00 ACK 0x00 ACK 0x00 ACK 0x00 ACK
0x00 ACK 0x00 ACK 0x00 ACK 0x00 ACK 0x00 ACK 0x00 ACK 0x00 ACK 0x00
...

24.1.4 Writing registers

Simple XTAL passthrough to CLK0

# Disable all CLKx outputs.

[0xC0 3 0xFF]

# Turn off OEB pin control for all CLKx

[0xC0 9 0xFF]

# Power down all CLKx

[0xC0 16 0x80 0x80 0x80 0x80 0x80 0x80 0x80 0x80]

# Register 183: Crystal Internal Load Capacitance

# Reads as 0xE4 on power-up
# Set to 10pF (until I find out what loading the crystal/PCB likes best)
[0xC0 183 0xE4]

# Register 187: Fanout Enable

# Turn on XO fanout only.
[0xC0 187 0x40]

# Register 15: PLL Input Source

(continues on next page)

90 Chapter 24. Lemondrop Bring Up

 HackRF

(continued from previous page)

# CLKIN_DIV=0 (Divide by 1)
# PLLB_SRC=0 (XTAL input)
# PLLA_SRC=0 (XTAL input)
[0xC0 15 0x00]

# Registers 16 through 23: CLKx Control

# CLK0:
# CLK0_PDN=0 (powered up)
# MS0_INT=1 (integer mode)
# MS0_SRC=0 (PLLA as source for MultiSynth 0)
# CLK0_INV=0 (not inverted)
# CLK0_SRC=0 (XTAL as clock source for CLK0)
# CLK0_IDRV=3 (8mA)
[0xC0 16 0x43 0x80 0x80 0x80 0x80 0x80 0x80 0x80]

# Enable CLK0 output only.

[0xC0 3 0xFE]

Clocking Scheme (Work In Progress)

From AN619: If Fxtal=25MHz, Fvco = Fxtal * (a + (b / c)). If we want Fvco = 800MHz, a = 32, b = 0, c = don’t care.

MSNA_P1[17:0] = 128 * a + floor(128 * b / c) - 512

= 128 * a + floor(0) - 512
= 128 * 32 + 0 - 512
= 3584 = 0xE00
MSNA_P1[17:16] (register 28) = 0x00
MSNA_P1[15: 8] (register 29) = 0x0E
MSNA_P1[ 7: 0] (register 30) = 0x00
MSNA_P2[19:0] = 128 * b - c * floor(128 * b / c)
= 128 * 0 - 0 * floor(128 * 0 / X)
= 0
MSNA_P3[19:0] = 0

MultiSynth0 should output 40MHz (800MHz VCO divided by 20):

a = 20, b = 0, c = X
MS0_P1[17: 0] = 128 * a + floor(128 * b / c) - 512
= 2048 = 0x800
MS0_P1[17:16] (register 44) = 0x00
MS0_P1[15: 8] (register 45) = 0x08
MS0_P1[ 7: 0] (register 46) = 0x00
MS0_P2[19:0] = 0
MS0_P3[19:0] = 0

MultiSynth1 should output 20MHz (800MHz VCO divided by 40) or some smaller integer fraction of the VCO:

a = 40, b = 0, c = X
MS1_P1[17: 0] = 128 * a + floor(128 * b / c) - 512
= 4608 = 0x1200
MS1_P1[17:16] (register 52) = 0x00
(continues on next page)

24.1. Si5351 I2C 91

HackRF

(continued from previous page)

MS1_P1[15: 8] (register 53) = 0x12
MS1_P1[ 7: 0] (register 54) = 0x00
MS1_P2[19:0] = 0
MS1_P3[19:0] = 0

Initialization:

# Disable all CLKx outputs.

[0xC0 3 0xFF]

# Turn off OEB pin control for all CLKx

[0xC0 9 0xFF]

# Power down all CLKx

[0xC0 16 0x80 0x80 0x80 0x80 0x80 0x80 0x80 0x80]

# Register 183: Crystal Internal Load Capacitance

# Reads as 0xE4 on power-up
# Set to 10pF (until I find out what loading the crystal/PCB likes best)
[0xC0 183 0xE4]

# Register 187: Fanout Enable

# Turn on XO and MultiSynth fanout only.
[0xC0 187 0x50]

# Register 15: PLL Input Source

# CLKIN_DIV=0 (Divide by 1)
# PLLB_SRC=0 (XTAL input)
# PLLA_SRC=0 (XTAL input)
[0xC0 15 0x00]

# MultiSynth NA (PLL1)
[0xC0 26 0x00 0x00 0x00 0x0E 0x00 0x00 0x00 0x00]

# MultiSynth NB (PLL2)
...

# MultiSynth 0
[0xC0 42 0x00 0x00 0x00 0x08 0x00 0x00 0x00 0x00]

# MultiSynth 1
[0xC0 50 0x00 0x00 0x00 0x12 0x00 0x00 0x00 0x00]

# Registers 16 through 23: CLKx Control

# CLK0:
# CLK0_PDN=0 (powered up)
# MS0_INT=1 (integer mode)
# MS0_SRC=0 (PLLA as source for MultiSynth 0)
# CLK0_INV=0 (not inverted)
# CLK0_SRC=3 (MS0 as input source)
# CLK0_IDRV=3 (8mA)
# CLK1:
(continues on next page)

92 Chapter 24. Lemondrop Bring Up

 HackRF

(continued from previous page)

# CLK1_PDN=0 (powered up)
# MS1_INT=1 (integer mode)
# MS1_SRC=0 (PLLA as source for MultiSynth 1)
# CLK1_INV=0 (not inverted)
# CLK1_SRC=3 (MS1 as input source)
# CLK1_IDRV=3 (8mA)
[0xC0 16 0x4F 0x4F 0x80 0x80 0x80 0x80 0x80 0x80]

# Enable CLK0 output only.

[0xC0 3 0xFC]

24.1.5 Si5351 output phase relationships

Tested CLK4 and CLK5 (integer division only):

With CLK4 set to MS4 and CLK5 set to MS5, even with both multisynths configured identically, there was no consistent
phase between the two. Once started, the clocks maintained relative phase with each other, but when stopped and
restarted the initial phase offset was unpredictable.
With CLK4 and CLK5 both set to MS4, the phase of both outputs was identical when no output (R) divider was
selected. When an output divider was selected on both MS4 and MS5, the relative phase became predictable only
within the constraints of the divider (e.g. with R=2 the relative phase was always either 0 or half a cycle, with R=4 the
relative phase was always either 0, a quarter, a half, or three quarters of a cycle). With R=1 on MS4 and R=2 on MS5,
the two outputs were consistently in phase with each other. The output (R) dividers supposedly tied to the multisynths
are actually tied to the outputs.

24.1. Si5351 I2C 93

HackRF

94 Chapter 24. Lemondrop Bring Up

 CHAPTER

TWENTYFIVE

LPC4350 SGPIO EXPERIMENTATION

The NXP LPC43xx microcontrollers have an interesting, programmable serial peripheral called the SGPIO (Serial
GPIO). It consists of a slew of counters and shift registers that can be configured to serialize and deserialize many
channels of data. Channels can be grouped to create multi-bit parallel data streams.
The current HackRF design entails using the SGPIO peripheral to move quadrature baseband receive and transmit data
between the USB interface and the baseband ADC/DAC IC. Because the baseband ADC/DAC IC (MAX5864) uses
DDR signaling, we expect to use a CPLD to convert bus signaling. The CPLD may also help manage bus turnaround
(between transmit and receive modes) or interfacing two narrower but faster interfaces to the LPC43xx to facilitate
full-duplex.
Because the Jellybean board wasn’t completed at the time of these experiments, I used the Diolan LPC-4350-DB1-A
development board. Despite using an LPC4350 in an BGA256 package, the SGPIO peripheral’s signals can be mapped
to many different pins. So reworking code to a new set of SGPIO pins should be a trivial matter of switching the SGU
configuration for the affected pins.

25.1 SGPIO Examples

Some SGPIO peripheral examples can be found in the LPCWare repository. All source I’ve found so far is focused on
generating many I2S interfaces, which is not very similar to HackRF’s needs. But reviewing the code is still valuable
in grasping how the SGPIO peripheral operates.
There are a few common details to setting up the SGPIO peripheral:

// Configure the PLL to generate a reasonable clock. The SGPIO

// will operate with a clock of up to 204MHz (the same as the
// M4 clock.
CGU_SetPLL1(12);

// Set the BASE_PERIPH clock to come from PLL1.

CGU_EnableEntity(CGU_BASE_PERIPH, ENABLE);
CGU_EntityConnect(CGU_CLKSRC_PLL1, CGU_BASE_PERIPH);

// Compute and commit clock configuration changes.

CGU_UpdateClock();

95
HackRF

25.1.1 Jiggle SGPIO Pins From GPIO Mode

My first test was to ensure I had the right pin(s) hooked up to my scope:

// Jiggle one of the SGPIO pins in GPIO mode, to make sure

// I'm looking at the right pin on the scope.
scu_pinmux(9, 0, MD_PLN_FAST, 0);

GPIO_SetDir(4, 1L << 12, 1);

while(1) {
volatile int i;
GPIO_SetValue(4, 1L << 12);
for(i=0; i<1000; i++);
GPIO_ClearValue(4, 1L << 12);
for(i=0; i<1000; i++);
}

25.1.2 Jiggle Pins from SGPIO Mode

You can also control SGPIO pins, GPIO-style, from within the SGPIO peripheral. This helped me understand the
basics of operating the SGPIO output mux.

// Set pin to SGPIO mode, toggle output using SGPIO

// peripheral registers.
scu_pinmux(9, 0, MD_PLN_FAST, 6); // SGPIO0

// P_OUT_CFG = 4, gpio_out
// P_OE_CFG = X
LPC_SGPIO->OUT_MUX_CFG[0] = (0L << 4) | (4L << 0);
LPC_SGPIO->GPIO_OENREG |= (1L << 0);

while(1) {
volatile int i;
LPC_SGPIO->GPIO_OUTREG |= (1L << 0);
for(i=0; i<1000; i++);
LPC_SGPIO->GPIO_OUTREG &= ~(1L << 0);
for(i=0; i<1000; i++);
}

25.1.3 Serializing Data With Slice Clock Source

My first full-on SGPIO experiment involved serializing a data pattern from slice A, using slice D to generate a SG-
PIO_CLK/2 data rate. I derived the code from examples that configured the SGPIO as I2S interfaces:

// Disable all counters during configuration

LPC_SGPIO->CTRL_ENABLED = 0;

// Configure pin functions.

scu_pinmux(9, 0, MD_PLN_FAST, 6); // SGPIO0
scu_pinmux(2, 3, MD_PLN_FAST, 0); // SGPIO12
(continues on next page)

96 Chapter 25. LPC4350 SGPIO Experimentation

 HackRF

(continued from previous page)

// Enable SGPIO pin outputs.

LPC_SGPIO->GPIO_OENREG =
(1L << 12) | // SGPIO12
(1L << 0); // SGPIO0

// SGPIO pin 0 outputs slice A bit 0.

LPC_SGPIO->OUT_MUX_CFG[0] =
(0L << 4) | // P_OE_CFG = X
(0L << 0); // P_OUT_CFG = 0, dout_doutm1 (1-bit mode)

// SGPIO pin 12 outputs slice D bit 0.

LPC_SGPIO->OUT_MUX_CFG[12] =
(0L << 4) | // P_OE_CFG = X
(0L << 0); // P_OUT_CFG = 0, dout_doutm1 (1-bit mode)

// Slice A
LPC_SGPIO->SGPIO_MUX_CFG[0] =
(0L << 12) | // CONCAT_ORDER = 0 (self-loop)
(1L << 11) | // CONCAT_ENABLE = 1 (concatenate data)
(0L << 9) | // QUALIFIER_SLICE_MODE = X
(0L << 7) | // QUALIFIER_PIN_MODE = X
(0L << 5) | // QUALIFIER_MODE = 0 (enable)
(0L << 3) | // CLK_SOURCE_SLICE_MODE = 0, slice D
(0L << 1) | // CLK_SOURCE_PIN_MODE = X
(0L << 0); // EXT_CLK_ENABLE = 0, internal clock signal (slice)

LPC_SGPIO->SLICE_MUX_CFG[0] =
(0L << 8) | // INV_QUALIFIER = 0 (use normal qualifier)
(0L << 6) | // PARALLEL_MODE = 0 (shift 1 bit per clock)
(0L << 4) | // DATA_CAPTURE_MODE = 0 (detect rising edge)
(0L << 3) | // INV_OUT_CLK = 0 (normal clock)
(0L << 2) | // CLKGEN_MODE = 0 (use clock from COUNTER)
(0L << 1) | // CLK_CAPTURE_MODE = 0 (use rising clock edge)
(0L << 0); // MATCH_MODE = 0 (do not match data)

LPC_SGPIO->PRESET[0] = 1;
LPC_SGPIO->COUNT[0] = 0;
LPC_SGPIO->POS[0] = (0x1FL << 8) | (0x1FL << 0);
LPC_SGPIO->REG[0] = 0xAAAAAAAA; // Primary output data register
LPC_SGPIO->REG_SS[0] = 0xAAAAAAAA; // Shadow output data register

// Slice D (clock for Slice A)

LPC_SGPIO->SGPIO_MUX_CFG[3] =
(0L << 12) | // CONCAT_ORDER = 0 (self-loop)
(1L << 11) | // CONCAT_ENABLE = 1 (concatenate data)
(0L << 9) | // QUALIFIER_SLICE_MODE = X
(0L << 7) | // QUALIFIER_PIN_MODE = X
(0L << 5) | // QUALIFIER_MODE = 0 (enable)
(0L << 3) | // CLK_SOURCE_SLICE_MODE = 0, slice D
(0L << 1) | // CLK_SOURCE_PIN_MODE = X
(0L << 0); // EXT_CLK_ENABLE = 0, internal clock signal (slice)
(continues on next page)

25.1. SGPIO Examples 97

HackRF

(continued from previous page)

LPC_SGPIO->SLICE_MUX_CFG[3] =
(0L << 8) | // INV_QUALIFIER = 0 (use normal qualifier)
(0L << 6) | // PARALLEL_MODE = 0 (shift 1 bit per clock)
(0L << 4) | // DATA_CAPTURE_MODE = 0 (detect rising edge)
(0L << 3) | // INV_OUT_CLK = 0 (normal clock)
(0L << 2) | // CLKGEN_MODE = 0 (use clock from COUNTER)
(0L << 1) | // CLK_CAPTURE_MODE = 0 (use rising clock edge)
(0L << 0); // MATCH_MODE = 0 (do not match data)

LPC_SGPIO->PRESET[3] = 0;
LPC_SGPIO->COUNT[3] = 0;
LPC_SGPIO->POS[3] = (0x1FL << 8) | (0x1FL << 0);
LPC_SGPIO->REG[0] = 0xAAAAAAAA; // Primary output data register
LPC_SGPIO->REG_SS[0] = 0xAAAAAAAA; // Shadow output data register

// Start SGPIO operation by enabling slice clocks.

LPC_SGPIO->CTRL_ENABLED =
(1L << 3) | // Slice D
(1L << 0); // Slice A

98 Chapter 25. LPC4350 SGPIO Experimentation