Comparing High-Performance Software-Defined Radios

Introduction

Highmesh are exported all over the world and different industries with quality first. Our belief is to provide our customers with more and better high value-added products. Let's create a better future together.

Software Defined Radios (SDRs) have revolutionized how radio systems are designed and implemented. With their inherent flexibility and versatility, these transceivers have become increasingly prevalent in various RF applications, including telecommunications, device testing, 5G stations, and the internet of things (IoT). In particular, high-performance SDRs have become an essential tool in critical defense applications such as radar, spectrum monitoring, signals intelligence (SIGINT), electronic warfare (EW), and satellite communications (SatCom). This article aims to compare three top-performing commercial off-the-shelf (COTS) SDRs based on their hardware capabilities, focusing on critical performance parameters such as tuning range, channel count, bandwidth, and digital backhaul. By evaluating these figures of merit, designers can better select the right SDR for their applications, as no solution can fit every possible use case.

While our focus here is the key performance specifications of the top-performing SDRs, it is worth noting that other factors can impact their effectiveness and cost-benefit in specific applications. Factors such as size, weight, power (SWaP), FPGA resources, accessibility, form factor, cost, lead time, and the ability to be modified can all affect an SDR’s performance differently. Depending on the exact requirements of an application, one SDR may offer more benefits than others regarding these characteristics. Nevertheless, we discuss the critical performance specifications essential in the vital applications in EW and defense, including radars, spectrum monitoring, and SIGINT.

Performance Factors

Four key figures of merit are essential when selecting SDRs for EW and defense systems: tuning range, channel count, sampling bandwidth, and digital backhaul. These parameters are crucial in determining the SDR’s ability to operate effectively in these applications. The tuning range defines the range of frequencies that an SDR can receive and transmit signals with nominal gain. A wide tuning range is essential for applications such as spectrum monitoring and electronic warfare, where the ability to automatically tune and quickly switch between different frequencies is crucial for accuracy, safety, and operability. For example, an SDR with a wide tuning range in EW systems can rapidly detect enemy radar systems and automatically tune the Tx chain to generate jamming signals. Likewise, radars can use frequency hopping protocols to avoid jamming. The SDR channel count is another important parameter, which refers to the number of independent radio chains that an SDR can support. In applications such as radar and SIGINT, a high channel count allows for the simultaneous processing of multiple signals, also called multiple-input multiple-output (MIMO) operation. For example, in radar applications, MIMO SDR can simultaneously process numerous radar signals simultaneously, allowing for more accurate target tracking, identification, and beamforming/beam-steering techniques through antenna arrays. The sampling bandwidth defines the maximum frequency range that an SDR can sample, ultimately limiting the range of instantaneous frequency detection per channel. A high sampling bandwidth is essential for applications such as radar and spectrum monitoring, where capturing and processing large amounts of data is crucial. For example, in spectrum monitoring applications, an SDR with a high sampling bandwidth can capture a large portion of the RF spectrum concurrently, increasing the probability of intercepting a signal. The digital backhaul refers to the SDR’s ability to transmit and receive data over a digital interface. This characteristic is particularly critical in applications such as electronic warfare, where the ability to process and analyze large amounts of data rapidly is essential. An SDR with a high-speed digital backhaul can quickly transmit data to other systems for further analysis, processing, and storage with minimum loss of information.

Per Vices Cyan

The Cyan SDR is a high-end COTS SDR with unique features that make it well-suited for a broad range of critical applications. Being the power horse of the Per Vices portfolio, this transceiver boasts a tuning range from near DC to up to 18 GHz, making it ideal for high-frequency applications in EW and radars. The SDR also has a high channel count of up to 16 independent radio chains, allowing for multiple simultaneous Tx and Rx channels, which enables the device to work as an all-in-one solution, or significantly scaling the captured bandwidth in spectrum monitoring by assigning different portions of the spectrum to each channel – with each channel offering either 1 GHz or 3 GHz of instantaneous bandwidth with 32 bit or 24-bit resolution. Regarding dynamic range, the Cyan SDR provides 25-70 dB, with a spurious-free dynamic range (SFDR) of 65 dB. Additionally, the Cyan SDR has a wideband digital backhaul capability of up to 4x40Gbps (or 4x100Gbps in the high bandwidth version) over optical qSFP+ links, providing increased data throughput and low latency for applications such as real-time spectrum analysis and large-scale data acquisition. With these specifications, the Cyan SDR is a powerful tool for high-speed data capture applications, including signal analysis, beamforming, and target tracking. The digital backend is based on the Intel Stratix 10 FPGA SoC, making it highly versatile in terms of available FPGA resources while also providing onboard DSP capabilities that are unmatched and a ready-to-use host interface capable of working with powerful host software applications as well as a host system solution also offered by the manufacturer.

Because of its powerful capabilities, the Cyan SDR may not be the best choice for applications requiring a strictly small SWaP (size, weight, and power) profile. In these cases, other SDR models, such as the Crimson TNG and the Chestnut (also from Per Vices), are more suitable for the job, as they have lower channel counts and smaller form factors while still maintaining high-performance capabilities. Overall, the Per Vices Cyan SDR is a versatile and powerful tool well-suited for a wide range of applications in the defense industry, making it a strong contender in the high-performance SDR markets.

National Instruments USRP X410

The next SDR in our list is a powerful representative of the popular Universal Software Radio Peripheral (USRP) family of SDRs, developed by National Instruments: the USRP X410. This device implements a Xilinx Zynq-Ultrascale+ ZU28DR RFSoC as the digital backend, with 12-bit resolution DAC and 14-bit ADC, providing powerful computation capabilities and fair resolution. It contains 4 Rx and 4 Tx channels in a half-wide RU form factor, which offers high channel density, although the number of channels per device is significantly smaller than the others being compared. Each channel can tune from 1MHz to near 8GHz, with up to 400 MHz of instantaneous bandwidth, which is enough for many applications but is limited in critical scenarios, such as spectrum monitoring. Its relatively low power consumption and form factor make it an attractive option for portable, onboard, and battery-powered applications. Compared to other SDRs, the USRP X410 is particularly suited for applications that require real-time signal processing and rapid prototyping. Its compatibility with popular software platforms like LabVIEW and MATLAB makes it easy for engineers and researchers to develop and test new applications. Regarding backhaul, the USRP X410 offers two QSFP28 ports with 10/100 GbE, providing a solid host interface for high-throughput data communication.

Figure 3: National Instruments USRP X410. Source: https://www.ni.com/pt-pt/support/model.ettus-usrp-x410.html

One of the main advantages of this transceiver is that USRP SDRs, in general, are designed to be open-source, enabling users to modify and customize the firmware and software to meet their specific needs. USRP SDRs offer a powerful and flexible platform for RF experimentation and development. However, the USRP X410 is limited regarding channel count compared to other high-performance SDRs, like the Cyan. This may make it less suitable for applications that require a high number of independent RF chains. Its bandwidth is also not as high as some other SDRs on the market, although 400 MHz of instantaneous bandwidth is sufficient for many applications. Overall, the USRP X410 is a powerful and flexible SDR well-suited for a wide range of applications in the defense and telecommunications industries.

Herrick Labs HTLw

Herrick Labs HTLw is another high-performance SDR with exceptional application capabilities, including radar, electronic warfare, and spectrum monitoring. Its tuning range extends from 20 MHz to 18 GHz with instantaneous bandwidth up to 1 GHz per channel. With four Rx and four Tx channels, it may not match the channel count of Per Vices Cyan, but it offers a more focused and dedicated solution for specific applications. A significant advantage of the HTLw is its low phase noise, which, combined with the high bandwidth, makes it ideal for applications that require accurate and reliable frequency measurements, such as spectrum monitoring. The digital backend provides a powerful FPGA with integrated ARM9 cores with NEON coprocessors, capable of implementing modern waveforms and heavy signal processing. Regarding digital backhaul, the HTLw provides 2×10 GbE Ethernet ports, meaning that it supports lower throughput of data than the other SDRs in our list and limits the utility of the high bandwidth unless the processing is completed onboard the device. The HTLw also provides a significantly small form factor, which makes it suitable for onboard applications and low SWaP requirements.

A significant advantage of this transceiver is its open architecture, which includes an SDK with a board support package to enable fast development of new features and capabilities, making it highly versatile for user adaptations and upgrades. It also provides up to 80dB SFDR at the front end, which is fairly higher than some other SDRs, providing accurate operation and reliable signal integrity.

Conclusion

In this article, we compared three top-performing COTS SDRs in the market for critical EW and defense applications such as radar, spectrum monitoring, and SIGINT. We evaluated each SDR based on four key hardware specifications: tuning range, channel count, sampling bandwidth, and digital backhaul. Per Vices Cyan, NI USRP X410 and Herrick Labs HTLw have been compared, and each one demonstrated exceptional hardware capabilities in the analyzed parameters and a broad applicability range in the target industry.

The table shows that the Per Vices Cyan has the highest instantaneous bandwidth and the highest number of channels of all three, making it very suitable for radar, spectrum monitoring, SIGINT equipment, jammers, anti-jammers, and general EW devices. The high bandwidth also makes it useful for processing large amounts of data in real-time, which is further enabled by the powerful qSFP+-based backhaul. However, it may not be the most suitable option for applications with size, weight, and power (SWaP) constraints. The Herrick Labs HTLw, for instance, provides similar frequency specifications with a much smaller form factor at the cost of lower channel count and digital backhaul throughput, making it better suited for applications that require very low SWaP and high-frequency performance. The HTLw provides higher SFDR, which is excellent for increased accuracy and precision. However, the backhaul speed is lower than our other contestants, which may be a limitation for high-speed applications with vast amounts of data. Although the NI USRP X410 provides slightly less overall performance in terms of frequency, its small form factor and open-source architecture make it an excellent choice for fast prototyping and non-critical applications, as it offers more onboard development. Comparing the top-performing SDRs for these applications, all three transceivers provide impressive capabilities and features. While each SDR has pros and cons, understanding the performance parameters and their application-specific benefits is crucial when selecting the most appropriate solution for a particular use case.

Table 1: SDR comparison.

Company Info

Per Vices has extensive experience designing, developing, and building SDRs for radars, spectrum monitoring and recording, data acquisition, signals intelligence, and EW applications. Contact today to see how we can help you with your testing needs.

Note

This article was written based on publicly available information. Any names and trademarks are the property of their respective owners.

Introduction

This blog is part of the “IoT Security” series. If you haven’t read the previous blogs (parts 1 – 8) in the series, I urge you to go through them first unless you are already familiar with those concepts and want to only read about the current topic.

For more information, please visit SDR for IoT Applications.

IoT Security – Part 1 (101 – IoT Introduction And Architecture)

IoT Security – Part 8 (Introduction to software defined radio) previous blog in the series.

This blog will be a continuation of the previous blog. In this, we will be looking into some of the software SDR tools available out there. We’ll also define an approach on how to go about an RF target.

Software

With a great open-source community, SDR has a variety of software tools with all signal processing functionality available. Let’s look into some of the widely used SDR software available and what set’s them apart. We’ll be focusing on tools that are mainly available for Linux.

Recon tools:

• GQRX GQRX is a spectrum analyzer used for frequency band browsing and finding the operating frequency of the target. It comes with common demodulators like AM, CW, FM. Due to the demodulation functionality, it is possible to record demodulated signal streams which can be further analyzed in tools like Audacity and Inspectrum in the next phase of assessment. It is compatible with all major SDR hardware available. There are other alternatives to GQRX with more or less the same functionality, mentioned below:
• HDSDR/ SDR# (SDR-Sharp) [for windows]
• Qspectrum analyser (with automatic peak detection)
• Osmocom-FFT (spectrum analyzer included in the Osmocom GNU Radio blocks)

Basic assessment:

• Universal Radio Hacker(URH): URH is a complete suite for wireless protocol investigation with native support to major SDR hardware. Almost everything is automated here, from spectrum analysis to even sending manipulated signals. One can effortlessly recognize the modulation type and get automatic decoding of the signal. For manual inspection, a differential view of received bitstreams is also there, which is very useful in interpreting the signal’s data. Other major functionalities include the protocol analyzer (automated and manual). Here’s where it gets interesting, It has a simulation environment for stateful attacks and a fuzzing element aimed at stateless protocols!


Another alternative to URH is Inspectrum.

• Audacity: Audacity is a multichannel audio editing tool but it turns into a radio signal analyzer when clubbed with GQRX. Audacity is open-source and is available for all common OS. It accepts only recorded signals however the signal has to be demodulated, like a recorded signal from GQRX.

Advanced assessment:

• GNU Radio GNU Radio is an open-source toolkit to implement SDRs. It provides basic blocks to perform different steps of signal processing, for example, filters, decoders, demodulators, and many more. It works with all of the major SDR hardware. The major benefit is the huge extensibility of the framework. It is possible to write blocks in C++, or Python.
• GNU radio companion (GRC): GNU Radio Companion (GRC) is a frontend visualization tool that is part of the Gnu radio framework. We should keep in the back of our mind that GRC was created to simplify the use of GNU Radio by allowing us to create python files graphically as opposed to creating them in code alone. It allows one to simply drag, modify parameters, and start processing the signal. We’ll focus on it more as we proceed.

Other Points of Interest:

• Android SDR is making its way into the mobile device as the processing capabilities of the mobile devices increases significantly over time. Although still very limited, but simply loading a few libraries of the device, connecting your SDR hardware via OTG cable to your android will do the job. Devices like RTL-SDR dongle, Lime SDR mini, and HackRF and a few other work fine with the android devices.
• SDR touch: Similar to GQRX, is used as a spectrum analyzer for the mobile device.
• GNU Radio Android: More Recently GNU Radio for android came out. It’s all your SDR solution in your mobile device. Although it has limited supported mobile devices as of now, major device coverage is expected over time.
• Scapy-radio: Scapy-radio is an extension to Scapy, an open-source network packet manipulation tool, written in Python. This extension uses Scapy as a back end for radio packet manipulation. As the gateway from Scapy to the SDR device, GNU Radio is used.

How to approach a target:

We’ll be breaking down how you can approach an RF target, capture, reverse-engineer it and launch your attacks!

• SDR Hardware: HackRF One
• SDR Software: GQRX, GNURadio Companion
• Target: For this, we picked a locally manufactured $6 wireless doorbell, which turned out to be analog. Let’s see how we go about it…

Image source:https://xkcd.com//

1. Recon

In case you have the device, most of the task is done because you can simply look up the FCC ID of the device from here, which will give you a lot of details about the device i.e. operating frequency, the internals of the device so on and so forth which will ease up a lot for the assessment.

In our case, since it was a locally manufactured device, it didn’t come with any FCC ID ????

2. Seek

You need to analyze the spectrum to find where is the signal being transmitted. You can use any spectrum analyzer you are comfortable with. Here’s a list of common operating frequencies that will help you in finding the target frequency:

• 300MHz
• 433Mhz
• 868Mhz
• 915Mhz

All these are commonly used ISM and license-free bands. Bodies like WPC (Wireless planning and coordination wing of the Department of Telecommunications (DOT) of the Government of India and US Federal Communications Commission (FCC) allow such bands to be license-free provided that these will only be used by low powered wireless equipment with specifics defined for bandwidth, output power and maximum effective radiated power.

In our case, we used GQRX for this step. We observed the peak at 302MHz, which is a little unusual for any operating device.

3. Record

Capturing the signal is a good practice to preserve the signal for analysis. One can easily run signal processing operation on a recorded signal, without the need for any RF target producing a live signal. In our case, we are using the below GRC flowgraph. We saved the signal in a .cfile.

Recording the analog doorbell signal (flowgraph)

4. De-Modulation

The best way to do it is just by simply looking at the signal. If you’re well versed in the modulation techniques you can easily understand the type of modulation being used i.e. compressions and decompressions in FSK. Below are some commonly used modulations:

• FSK (Frequency shift keying)
• ASK (Amplitude shift keying)
• OOK (On-off keying)
• PSK (Phase shift keying)

5. Process

Once we have figured out the modulation and operating frequency, we can start to process the signal using the GRC blocks and creating flow graphs. This usually includes things like demodulating the live/captured signal, amplifying the signal, porting it to Wireshark, and so on. We will discuss GRC in much more detail as we proceed covering things like usage of GRC blocks required to process a specific signal.

6. Decode

So once you get your hands on the bits/bitstream you can start decoding it. Commonly used encoding techniques are

• NRZ
• NRZI
• Bipolar AMI
• Manchester

To name a few. You’ll find them already present and ready to use in Universal Radio Hacker(URH).

7. Attack!

Once you are done reversing your signal i.e. figuring out things like modulation, encoding, data bytes, and other specifics. You can launch your attacks now! A most common one is the replay attack wherein one sends back the captured signal.

Steps 3 & 5 are not applicable for our target (since it is analog) But we have an attack for our target, we’ll do a replay attack using GRC. Below is the respective GRC flowgraph. We replayed the captured signal .cfile.

Replaying the analog door bell signal (flowgraph)

Conclusion:

We hope you got a clear understanding of what are the major SDR software tools available and why is one better than the other. Also, a sneak-peak into how to approach an RF target would have given you an idea of the steps involved in an RF target assessment using SDR.

Continue to the next part – IoT Security – Part 10 (Introduction To MQTT Protocol and Security)

For more USRP For Saleinformation, please contact us. We will provide professional answers.

Resources: